Editing Web Service Policies

Web Service policies are permission policies (query and modify) that govern how identity providers share end-user data with service providers. Administrators and policy owners (users) can control whether private information is always allowed to be given, never allowed, or must be requested.

As an administrator, you can configure this information for the policy owner, for specific service providers, or globally for all service providers. You can also specify what policies are displayed for the end user in the User Portal, and whether users are allowed to edit them.

  1. Click Devices > Identity Servers > Edit > Liberty > Web Service Provider.

  2. Click the Policy link next to the service name.

  3. Click the category you want to edit.

    All Trusted Providers: Policies that define the service provider’s ability to query and modify the particular Liberty attributes or groups of attributes for the web service. When All Trusted Providers permissions are established and a service provider needs data, the system first looks here to determine whether user data is allowed, never allowed, or must be asked for. If no applicable setting is found in All Trusted Providers, the system examines the permissions established within the specific service provider.

    Owners: Policies that limit the end user’s ability to modify or query data from his or her own profile. The settings you specify in the Owner group are reflected on the My Profile page in the User Portal. Portal users have the authority to modify the data items in their profiles. The data items include Liberty and LDAP attributes for personal identity, employment, and any customized attributes defined in Identity Server configuration. Any settings you specify in Administration Console override what is displayed in the User Portal. Overrides are displayed in the Inherited column.

    If you want the user to have Write permission for a given data item, and that data item is used in an LDAP Attribute Map, then you must configure the LDAP Attribute Map with Write permission.

  4. On the All Service Policy page, select the policy’s check box, then click Edit Policy.

    This lets you modify the parent service policy attribute. Any selections you specify on this page are inherited by child policies.

    Query Policy: Allows the service provider to query for the data on a particular attribute. This is similar to read access to a particular piece of data.

    Modify Policy: Allows the service provider to modify a particular attribute. This is similar to write access to a particular piece of data.

    Query and Modify: Allows you to set both options at the same time.

  5. To edit child attributes of the parent, click the policy.

    In the following example, child attributes are inheriting Ask Me permission from the parent Entire Personal Identity attribute. The Postal Address attribute, however, is modified to never allow permission for sharing.

    If you click the Postal Address attribute, you can see that all of its child attributes have inherited the Never Allow setting. You can specify different permission attributes for Address Type (for example), but the inherited policy still overrides changes made at the child level.

    The interface allows these changes to simplify switching between configurations if, for example, you want to remove an inherited policy.

    Inherited: Specifies the settings inherited from the parent attribute policy, when you view a child attribute. In the User Portal, settings displayed under Inherited are not modifiable by the user. At the top-level policy in the User Portal, the values are inherited from the settings in Administration Console. Thereafter, inheritance can come from the service policy or the parent data item’s policy.

    Ask Me: Specifies that the service provider requests from the user what action to take.

    Always Allow: Specifies that the identity provider always allows the attribute data to be sent to the service provider.

    Never Allow: Specifies that the identity provider never allows the attribute data to be sent to the service provider.

    When a request for data is received, Identity Server examines policies to determine what action to take. For example, if a service provider requires a postal address for the user, Identity Server performs the following actions:

    • Checks the settings specified in All Service Providers.

    • If no applicable setting is found, checks the policy settings configured for the specific service provider.

  6. Click OK > OK.

  7. Update Identity Server.
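The evaluation order described in step 5 (All Trusted Providers first, then the specific service provider; an inherited parent setting overriding a child setting), as an added model in Python that is not part of Access Manager or this documentation. The attribute names reproduce the page's example; the `PARENT` hierarchy, the `Scope` class and the rule that the service-policy default is only a fallback when no attribute on the path has an explicit setting are assumptions made for the illustration.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Permission values as named on the page.
ASK_ME, ALWAYS_ALLOW, NEVER_ALLOW = "Ask Me", "Always Allow", "Never Allow"

# Hypothetical attribute hierarchy (child -> parent) built from the page's example.
PARENT: Dict[str, Optional[str]] = {
    "Entire Personal Identity": None,
    "Postal Address": "Entire Personal Identity",
    "Address Type": "Postal Address",
    "Common Name": "Entire Personal Identity",
}


@dataclass
class Scope:
    """Settings for one scope: All Trusted Providers or a single service provider."""
    default: Dict[str, str] = field(default_factory=dict)            # op -> service-policy value
    explicit: Dict[Tuple[str, str], str] = field(default_factory=dict)  # (attr, op) -> value

    def resolve(self, attr: str, op: str) -> Optional[str]:
        # Walk the path root -> attr; the explicit setting nearest the root wins, so an
        # inherited policy overrides any value set at the child level (assumption).
        path: List[str] = []
        node: Optional[str] = attr
        while node is not None:
            path.append(node)
            node = PARENT[node]
        for ancestor in reversed(path):
            if (ancestor, op) in self.explicit:
                return self.explicit[(ancestor, op)]
        return self.default.get(op)  # nothing explicit on the path: service-policy default


def decide(all_trusted: Scope, providers: Dict[str, Scope],
           sp: str, attr: str, op: str) -> Optional[str]:
    """All Trusted Providers is consulted first; the provider's own policy only if that has no answer."""
    value = all_trusted.resolve(attr, op)
    if value is None and sp in providers:
        value = providers[sp].resolve(attr, op)
    return value


# Constructed sample matching the page: children inherit Ask Me from the query default,
# Postal Address is set to Never Allow, and a change on Address Type is overridden.
ALL_TRUSTED = Scope(default={"query": ASK_ME})
ALL_TRUSTED.explicit[("Postal Address", "query")] = NEVER_ALLOW
ALL_TRUSTED.explicit[("Address Type", "query")] = ALWAYS_ALLOW  # has no effect: parent wins
PROVIDERS = {"sp.example": Scope(explicit={("Common Name", "modify"): ALWAYS_ALLOW})}
```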