Web Service Policies are permission policies (query and modify) that govern how identity providers share end-user data with service providers. Administrators and policy owners (users) can control whether a private data item is always shared, never shared, or shared only after the user has been asked.
As an administrator, you can configure this information for the policy owner, for specific service providers, or globally for all service providers. You can also specify what policies are displayed for the end user in the User Portal, and whether users are allowed to edit them.
In the Administration Console, click Edit > > > >.
Click the link next to the service name.
Click the category you want to edit.
All Trusted Providers: Policies that define whether any trusted service provider can query or modify particular Liberty attributes, or groups of attributes, for the Web service. When All Trusted Providers permissions are established and a service provider needs data, the system looks here first to determine whether the user data is always allowed, never allowed, or must be asked for. If no solution is found in All Trusted Providers, the system examines the permissions established for the specific service provider.
Owners: Policies that limit the end user's ability to modify or query data in his or her own profile. The settings you specify in this group are reflected on the My Profile page in the User Portal. Portal users have the authority to modify the data items in their profiles; these include Liberty and LDAP attributes for personal identity and employment, and any customized attributes defined in the Identity Server configuration. Any settings you specify in the Administration Console override what is displayed in the User Portal, and such overrides are displayed in the column. If you want the user to have Write permission for a given data item, and that data item is used in an LDAP Attribute Map, you must also configure the LDAP Attribute Map with Write permission.
On the All Service Policy page, select the policy's check box, then click . This lets you modify the parent service policy attribute. Any selections you specify on this page are inherited by child policies.
Query Policy: Allows the service provider to query for the data on a particular attribute. This is similar to read access to a particular piece of data.
Modify Policy: Allows the service provider to modify a particular attribute. This is similar to write access to a particular piece of data.
Query and Modify: Allows you to set both options at once.
To edit the child attributes of a parent, click the policy.
In the following example, the child attributes inherit the Ask Me permission from the parent attribute. The parent attribute is then modified to Never Allow sharing. If you click the attribute, all of its child attributes have inherited that setting. You can specify a different permission for an individual child attribute, but the inherited policy still overrides changes made at the child level, as shown below. The interface permits these child-level changes in order to simplify switching between configurations, for example when you later want to remove an inherited policy.
Inherited: Specifies the settings inherited from the parent attribute policy, shown when you view a child attribute. In the User Portal, settings displayed as inherited are not modifiable by the user. At the top-level policy in the User Portal, the values are inherited from the settings in the Administration Console. Thereafter, inheritance can come from the service policy or from the parent data item's policy.
Ask Me: Specifies that the user must be asked what action to take when the service provider requests the data.
Always Allow: Specifies that the identity provider always allows the attribute data to be sent to the service provider.
Never Allow: Specifies that the identity provider never allows the attribute data to be sent to the service provider.
When a request for data is received, the Identity Server examines the policies to determine what action to take. For example, if a service provider such as DigitalAirlines.com requires the user's postal address, the Identity Server performs the following checks in order:
Checks the settings specified in All Trusted Providers.
If no solution is found there, checks the policy settings configured for that specific service provider.
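The evaluation order above, together with the parent-to-child inheritance described earlier, as an added Python model (example code written for this page, not part of the product): provider scope is checked in the order All Trusted Providers, then the specific service provider; within a scope the outermost explicit setting on the attribute path wins, so an inherited parent policy overrides a child-level change. The attribute names, the DigitalAirlines.com policies and the fail-closed default for an attribute with no policy at either scope are constructed assumptions for the example.

```python
"""Model of Liberty Web Service Policy resolution: provider scope order
(All Trusted Providers before the specific provider) and parent-to-child
attribute inheritance (the inherited policy wins over child-level settings).
All attribute names and provider policies below are constructed for this example."""
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, Optional, Tuple


class Decision(Enum):
    ALWAYS_ALLOW = "Always Allow"
    NEVER_ALLOW = "Never Allow"
    ASK_ME = "Ask Me"


class Access(Enum):
    QUERY = "query"    # read access to the attribute
    MODIFY = "modify"  # write access to the attribute


AttrPath = Tuple[str, ...]  # ("PostalAddress",) is the parent of ("PostalAddress", "City")
ALL_TRUSTED = "All Trusted Providers"


@dataclass
class PolicySet:
    """Query/Modify decisions for one scope: All Trusted Providers or one provider."""
    rules: Dict[AttrPath, Dict[Access, Decision]] = field(default_factory=dict)

    def set_policy(self, path: AttrPath, access: Access, decision: Decision) -> None:
        self.rules.setdefault(path, {})[access] = decision

    def set_query_and_modify(self, path: AttrPath, decision: Decision) -> None:
        """The 'Query and Modify' control on the console sets both at once."""
        for access in Access:
            self.set_policy(path, access, decision)

    def resolve(self, path: AttrPath, access: Access) -> Optional[Decision]:
        """Walk from the top-level attribute down to the requested child.
        The outermost explicit setting wins: a child may carry its own value,
        but an inherited parent policy still overrides it."""
        for depth in range(1, len(path) + 1):
            decision = self.rules.get(path[:depth], {}).get(access)
            if decision is not None:
                return decision
        return None  # no policy at any level of this attribute in this scope


def decide(policies: Dict[str, PolicySet], provider: str,
           path: AttrPath, access: Access) -> Optional[Decision]:
    """Evaluation order for a provider request: All Trusted Providers first;
    only if that yields no solution, the provider's own policy."""
    for scope in (ALL_TRUSTED, provider):
        scope_policy = policies.get(scope)
        if scope_policy is None:
            continue
        decision = scope_policy.resolve(path, access)
        if decision is not None:
            return decision
    return None


def effective_decision(policies: Dict[str, PolicySet], provider: str,
                       path: AttrPath, access: Access) -> Decision:
    """Assumption of this example (not stated on the page): with no policy at
    either scope the identity provider fails closed and releases nothing."""
    decision = decide(policies, provider, path, access)
    return decision if decision is not None else Decision.NEVER_ALLOW


def build_example_policies() -> Dict[str, PolicySet]:
    """Constructed configuration mirroring the page's DigitalAirlines.com scenario."""
    trusted = PolicySet()
    # The parent attribute is Ask Me for every trusted provider...
    trusted.set_query_and_modify(("PostalAddress",), Decision.ASK_ME)
    # ...and a child-level change is recorded but does not take effect.
    trusted.set_policy(("PostalAddress", "City"), Access.QUERY, Decision.ALWAYS_ALLOW)

    airline = PolicySet()
    # Provider-specific value for an attribute already decided at the trusted level...
    airline.set_policy(("PostalAddress",), Access.QUERY, Decision.ALWAYS_ALLOW)
    # ...and one that only the provider-specific scope defines.
    airline.set_policy(("Employment", "JobTitle"), Access.QUERY, Decision.ALWAYS_ALLOW)
    return {ALL_TRUSTED: trusted, "DigitalAirlines.com": airline}


if __name__ == "__main__":
    pol = build_example_policies()
    for prov, path, acc in [
        ("DigitalAirlines.com", ("PostalAddress",), Access.QUERY),
        ("DigitalAirlines.com", ("PostalAddress", "City"), Access.QUERY),
        ("DigitalAirlines.com", ("Employment", "JobTitle"), Access.QUERY),
        ("DigitalAirlines.com", ("Employment", "JobTitle"), Access.MODIFY),
        ("OtherSP.example", ("Employment", "JobTitle"), Access.QUERY),
    ]:
        print(prov, "/".join(path), acc.value, "->",
              effective_decision(pol, prov, path, acc).value)
```

The two checks worth keeping in mind when reading the console: a value set on a child attribute under All Trusted Providers is inert while the parent carries a policy, and a provider-specific Always Allow never widens a decision that All Trusted Providers already made.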
Click until the Web Service Provider page is displayed.
Click , then update the Identity Server as prompted.