Airlock IAM as Policy Decision Point (PDP)

Airlock IAM acts as a Policy Decision Point and Policy Information Point for access control decisions. It provides the necessary information to Airlock Gateway, which acts as a Policy Enforcement Point.

Policy decisions

To make policy decisions, Airlock IAM needs to have the following information:

  • Target Applications
    • The target application determines which authentication flow and which authorization flow will be used by Airlock IAM.
    • The target application also determines the Airlock Gateway Roles that will be sent to Airlock Gateway.
  • Tags
    • Tags are used during the flow to determine whether steps should be executed. Certain steps in the current flow might be skipped if a user acquired a tag during a previous authentication flow.
      The tag Weak Authentication Tag is granted after successfully checking username and password. The condition Has Weak Authentication Tag is used to determine whether the username and password step may be skipped.

Applied to the above example scenario, Airlock IAM roughly holds the following access policy user information:


Granted Roles: customer + admin

Sources of roles

A user's access roles - in the above example, these are admin and customer - may originate from different sources.



Persisted roles

Roles can be loaded from the configured user store.

E.g., a database or an LDAP directory.

Transformed roles

It is possible to transform roles before adding them to Airlock Gateway.

E.g., the roles London, Paris, Zurich could be transformed to the role back office, since all back office employees are allowed to access this particular target application.

Static roles

Static roles can be added. This avoids the necessity to add all the roles to the user store.

Tag-based roles

Roles can be derived from tags.

E.g., the tag Strong Authentication Tag could be transformed to a role strong and be propagated both to Airlock Gateway for access control and to the target application.
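
The four role sources and the tag-based step skipping described above, modeled as an added example; it is not Airlock IAM code or configuration syntax. All class, function and user names, the portal-user role and the gateway's single-required-role rule are assumptions made for illustration.

```python
# Conceptual model of the role sources described above. All names are hypothetical;
# this is not Airlock IAM configuration syntax or API.
from dataclasses import dataclass, field

# Constructed sample user store: persisted role assignments per user.
USER_STORE = {"alice": {"London", "customer"}, "bob": {"Paris"}, "carol": {"customer"}}

@dataclass
class Session:
    user: str
    tags: set = field(default_factory=set)  # session-only, never written to the user store

@dataclass
class TargetApplication:
    name: str
    transform: dict      # persisted role -> role sent to the gateway
    static_roles: set    # added for every user, not kept in the user store
    tag_roles: dict      # tag -> role derived from it

def run_password_step(session, password_ok):
    """Flow step: skipped if the tag is already present, grants it on success."""
    if "Weak Authentication Tag" in session.tags:
        return "skipped"
    if password_ok:
        session.tags.add("Weak Authentication Tag")
        return "passed"
    return "failed"

def decide_roles(session, app):
    """PDP side: merge persisted, transformed, static and tag-based roles."""
    persisted = USER_STORE.get(session.user, set())
    roles = {app.transform.get(role, role) for role in persisted}
    roles |= app.static_roles
    roles |= {role for tag, role in app.tag_roles.items() if tag in session.tags}
    return roles

def gateway_allows(granted_roles, required_role):
    """PEP side (assumed rule): enforce only, based on the roles the PDP sent."""
    return required_role in granted_roles

BACKOFFICE_APP = TargetApplication(
    name="backoffice-portal",
    transform={"London": "back office", "Paris": "back office", "Zurich": "back office"},
    static_roles={"portal-user"},
    tag_roles={"Strong Authentication Tag": "strong"},
)
```

Because static roles are added regardless of what the user store holds, a static role should never be the only thing protecting a sensitive target application.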


  • Roles:
    • Role assignments are persisted in the User Store (typically the IAM database) and can be modified in the Adminapp by an administrator (typically a helpdesk user).
    • Available roles are part of the configuration under
      Adminapp >> Users >> Section User Details Page - General >> Available User Roles
  • Target applications:
    • To be configured under
      Loginapp >> Applications and Authentication
  • Tag configuration:
    • Tags are not persisted. They are only available during the user session.
    • Tags are configured as part of the configuration of flow steps.