Access control for end-users (authorization)

To manage access control Airlock IAM and Airlock Gateway must be integrated and configured correctly.

Access control is important both for the protection of target applications and for the protection of internal services, i.e. protected self-services.

Role-based access control

For role-based access control, Airlock IAM needs to propagate role information to Airlock Gateway if a user successfully completed an authentication flow.

To make this work, Airlock IAM and Airlock Gateway interact in this manner:

  • Airlock Gateway determines whether the user has already acquired all the roles required to access a particular backend application. If roles are missing, Airlock Gateway redirects the user to a particular authentication flow in Airlock IAM.
  • Airlock IAM authenticates the user using the chosen authentication flow. If the flow completes successfully, Airlock IAM propagates the role information to Airlock Gateway, propagates identity information for the backend application, and redirects the user back to that backend application.

See also our role-based access control example.

Protected self-service access control

The Airlock IAM Loginapp provides protected self-services to end-users. These services require the end-user to be authenticated.

Examples of protected self-services:

  • Password change self-service.
  • Airlock 2FA token management self-service.
  • User profile self-service.

To control access to internal services, Airlock IAM supports two mechanisms that can be configured on every individual internal service flow.

Access control for protected self-services:

  • Access Conditions are used to determine whether an end-user is permitted to use this particular flow. A long list of plugins is provided for the configuration of access conditions.
    Example: A user that does not have a particular authentication means does not need to be able to order an activation letter for such a device.
  • Authorization Conditions are used to determine whether an end-user is sufficiently authenticated to use this flow. Tags are used to verify these conditions.
    Example: A user that was only authenticated with a username and password should not be able to use a user profile self-service.
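The two decisions described on this page, the Gateway's role check with redirect to a missing-role flow and IAM's two-stage check on a protected self-service (access condition on the user, then authorization condition on the session's tags), are modelled below in a small Python example. This is an added illustration and not Airlock's own code or API: the path-to-role map, the role-to-flow map, the flow names, the tag names (`password`, `mfa`) and the user attribute `auth_means` are all constructed for the example.

```python
from dataclasses import dataclass
from typing import Callable, Optional, Set, Tuple

# --- Constructed configuration (assumptions, not Airlock's real configuration) ---

# Gateway side: which roles a backend application requires.
BACKEND_REQUIRED_ROLES = {
    "/portal/": {"customer"},
    "/ebanking/": {"customer", "strong-auth"},
}

# Gateway side: which IAM authentication flow grants a given role.
ROLE_GRANTING_FLOW = {
    "customer": "password-login",
    "strong-auth": "mfa-step-up",
}


@dataclass
class Session:
    """What the Gateway/IAM know about an authenticated session."""
    roles: Set[str]   # roles propagated by IAM after successful flows
    tags: Set[str]    # authentication-strength tags, e.g. {"password", "mfa"}


@dataclass
class User:
    """User record as seen by IAM's access conditions (constructed attributes)."""
    username: str
    auth_means: Set[str]  # e.g. {"password", "airlock-2fa"}


def gateway_decide(path: str, session: Session) -> Tuple[str, Optional[str]]:
    """Role-based access control at the Gateway.

    Returns ("allow", None) when the session already holds every required role,
    otherwise ("redirect", <flow>) naming the IAM flow that grants the first
    missing role (the user is sent to IAM instead of the backend).
    """
    required = BACKEND_REQUIRED_ROLES.get(path, set())
    missing = sorted(required - session.roles)
    if not missing:
        return ("allow", None)
    return ("redirect", ROLE_GRANTING_FLOW[missing[0]])


@dataclass
class SelfService:
    """A protected self-service flow with its two configured conditions."""
    name: str
    access_condition: Callable[[User], bool]  # is this user permitted to use the flow?
    required_tags: Set[str]                   # is the session authenticated strongly enough?


def self_service_decide(service: SelfService, user: User, session: Session) -> str:
    """Two-stage check in the order IAM applies it: access, then authorization.

    "denied"  -> access condition failed (user may never use this flow)
    "step-up" -> user is permitted, but the session lacks a required tag
    "allowed" -> both conditions satisfied
    """
    if not service.access_condition(user):
        return "denied"
    if not service.required_tags <= session.tags:
        return "step-up"
    return "allowed"


# Constructed self-services mirroring the two examples in the text above.
ORDER_ACTIVATION_LETTER = SelfService(
    name="order-airlock-2fa-activation-letter",
    # Only users who actually have an Airlock 2FA token may order a letter for it.
    access_condition=lambda u: "airlock-2fa" in u.auth_means,
    required_tags={"password"},
)

USER_PROFILE = SelfService(
    name="user-profile",
    access_condition=lambda u: True,
    # Username/password alone is not enough for profile changes.
    required_tags={"password", "mfa"},
)


if __name__ == "__main__":
    pw_only = Session(roles={"customer"}, tags={"password"})
    alice = User("alice", {"password", "airlock-2fa"})
    print(gateway_decide("/ebanking/", pw_only))            # ('redirect', 'mfa-step-up')
    print(self_service_decide(USER_PROFILE, alice, pw_only))  # step-up
```

The ordering in `self_service_decide` matters: an access condition rejects users who should never reach the flow regardless of how strongly they authenticate, while a failed authorization condition only means the session needs a stronger authentication step before the same flow can be used.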

Further information and links