Access Policy Manager® provides several benefits when it comes to authenticating and authorizing your users.
| Benefit | Description |
|---|---|
| Policy component | Administrators can add various types of supported authentication methods as basic components to their access policy. |
| Flexibility | Administrators can combine multiple authentication mechanisms in an arbitrary manner within a single access policy. |
| Performance | Administrators should see high throughput (approximately 250 logins/sec.). |
| Extensible | Administrators can configure the system to retrieve a user's credentials from multiple sources (for example, client certificate fields) as input to an authentication subsystem. |
| Customizable input | Administrators can customize logon page input and add the customized logon page to their access policy. |
| Generic output | Administrators can use the results from an authentication subsystem as input for various other functionality, for instance, resource assignments. |
These illustrations depict the use of authentication as an access policy component. They also show how various authentication schemas are combined within a single access policy, and how the result of authentication is used to assign the appropriate resources to a user.
There are two types of authentication actions that pertain only to Active Directory and LDAP, authentication (auth) and query, and they use two separate access policy items.
The auth and query methods are independent of each other, and you do not necessarily need to have them configured within the same access policy.
The nested group feature is used to identify all groups that the user belongs to. Access Policy Manager stores all such groups in the memberOf session variable. For example, if user1 is a member of group1 and group2, and group1 is a member of group3 and group4, then user1 belongs to all four of these groups. In addition, user1 inherits the privileges of group3 and group4 through group1.
If the nested group feature is disabled on the Access Policy Manager, then the memberOf session variable contains only the groups that the user belongs to directly, for instance, group1 and group2.
If the nested group feature is enabled on the Access Policy Manager, then the memberOf session variable contains all groups the user belongs to, which includes group1, group2, group3, and group4.
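The following added example (not code from the Access Policy Manager product or its documentation) walks the page's user1/group1..group4 scenario to show what memberOf resolves to with nested groups disabled versus enabled; the DIRECTORY table and member_of function are hypothetical stand-ins for the AD/LDAP lookups APM performs, and the constructed data includes a deliberate group4 -> group1 cycle so that the nested walk must track visited groups.

```python
from collections import deque

# Constructed sample directory modelled on the page's example:
# user1 is a direct member of group1 and group2, and group1 is a member of
# group3 and group4. group4 -> group1 is a deliberate cycle (AD permits
# circular nesting), so a naive recursive walk would never terminate.
DIRECTORY = {
    "user1": ["group1", "group2"],
    "group1": ["group3", "group4"],
    "group2": [],
    "group3": [],
    "group4": ["group1"],
}


def member_of(entry, directory, nested=False):
    """Return the sorted list of groups that `entry` belongs to.

    nested=False mirrors the memberOf session variable with the nested group
    feature disabled: only direct memberships are reported.
    nested=True follows memberOf links transitively (breadth-first), which
    is the set the enabled nested group feature yields.
    """
    direct = list(directory.get(entry, []))
    if not nested:
        return sorted(direct)
    seen = set()
    queue = deque(direct)
    while queue:
        group = queue.popleft()
        if group in seen:
            continue  # already expanded; this also breaks cyclic nesting
        seen.add(group)
        queue.extend(directory.get(group, []))
    return sorted(seen)


def entitled(entry, required_group, directory, nested=False):
    """Resource-assignment style check: is `entry` in `required_group`?"""
    return required_group in member_of(entry, directory, nested)


if __name__ == "__main__":
    print("disabled:", member_of("user1", DIRECTORY))
    print("enabled: ", member_of("user1", DIRECTORY, nested=True))
```

Note that a resource rule keyed on group3 only matches user1 when nesting is enabled; with the feature disabled the same user is silently denied that assignment.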