Introduction
PolicyServer is a suite of components that provide management and evaluation of authorization rules. These authorization rules are typically context specific, and as such, PolicyServer defines the concept of a Policy to allow modeling of those context specific authorization rules.
An application will connect to PolicyServer to evaluate a Policy to determine a user’s authorization in the application. The outcome of the Policy evaluation is a set of Roles and Permissions to which the user has been assigned by the policy administrator. The application can then enforce authorization based on the returned Roles or Permissions.
Components
PolicyServer contains a suite of components. These include:
PolicyServer Management UI
PolicyServer Management API
PolicyServer Runtime API
PolicyServer Database
For some client platforms, PolicyServer client libraries are available to simplify connecting to the Management API and Runtime API.
PolicyServer Management UI
Policy administrators use the Management UI to create and manage application Policies.
PolicyServer Management API
The Management API is the main programming interface for creating and managing policies. It uses a database to persist the policies and their associated data.
The Management API is an HTTP-based, hypermedia-driven (RESTful) web service. The top-level /management path returns the top-level navigation endpoints, such as the following links:
{
  "links": [
    {
      "rel": "license",
      "href": "http://localhost:65471/management/license"
    },
    {
      "rel": "policies",
      "href": "http://localhost:65471/management/policies"
    },
    {
      "rel": "add-policy",
      "href": "http://localhost:65471/management/policies"
    },
    {
      "rel": "tenants",
      "href": "http://localhost:65471/management/tenants"
    },
    {
      "rel": "add-tenant",
      "href": "http://localhost:65471/management/tenants"
    },
    {
      "rel": "search",
      "href": "http://localhost:65471/management/search/users",
      "name": "users"
    },
    {
      "rel": "search",
      "href": "http://localhost:65471/management/search/roles",
      "name": "roles"
    },
    {
      "rel": "validate",
      "href": "http://localhost:65471/management/validate/expression",
      "name": "expression"
    }
  ]
}
The Management UI connects to the Management API to manage the underlying Policy data for one or more applications and tenants. Custom application and UI integrations can also be developed using the same Management API.
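Because the Management API is hypermedia-driven, a client should discover endpoints by following the rel links in the /management document rather than hard-coding paths. The following is an added example (not PolicyServer's own client library) that resolves links by rel and optional name from the document shown above, and refuses to follow any link that points off the origin of the entry URL so that an administrator's credentials are never sent to a host the client did not start from. The fetch callable, the ManagementClient class and its method names are assumptions for illustration; the link document is the one printed on this page.

```python
import json
from urllib.parse import urlsplit

# The /management link document shown above, embedded so the example runs offline.
ENTRY_DOCUMENT = json.loads("""
{
  "links": [
    {"rel": "license", "href": "http://localhost:65471/management/license"},
    {"rel": "policies", "href": "http://localhost:65471/management/policies"},
    {"rel": "add-policy", "href": "http://localhost:65471/management/policies"},
    {"rel": "tenants", "href": "http://localhost:65471/management/tenants"},
    {"rel": "add-tenant", "href": "http://localhost:65471/management/tenants"},
    {"rel": "search", "href": "http://localhost:65471/management/search/users", "name": "users"},
    {"rel": "search", "href": "http://localhost:65471/management/search/roles", "name": "roles"},
    {"rel": "validate", "href": "http://localhost:65471/management/validate/expression",
     "name": "expression"}
  ]
}
""")


def find_link(doc, rel, name=None):
    """Return the href of the link with the given rel (and name, when given), or None.

    Several rels can share an href (policies / add-policy above): the rel, not the
    href, tells the client which operation the server offers, so always look up by rel.
    """
    for link in doc.get("links", []):
        if link.get("rel") != rel:
            continue
        if name is not None and link.get("name") != name:
            continue
        return link["href"]
    return None


def same_origin(entry_url, href):
    """True when href has the same scheme, host and port as the entry URL."""
    a, b = urlsplit(entry_url), urlsplit(href)
    return (a.scheme, a.hostname, a.port) == (b.scheme, b.hostname, b.port)


class ManagementClient:
    """Hypothetical hypermedia client: fetches /management once, then resolves rels."""

    def __init__(self, entry_url, fetch):
        self.entry_url = entry_url
        self.fetch = fetch          # callable(url) -> dict; injected so tests run offline
        self._root = None

    def links(self):
        if self._root is None:
            self._root = self.fetch(self.entry_url)
        return self._root

    def resolve(self, rel, name=None):
        """Resolve a rel to an href, rejecting links that leave the entry origin."""
        href = find_link(self.links(), rel, name)
        if href is None:
            raise LookupError(f"no link with rel={rel!r} name={name!r}")
        if not same_origin(self.entry_url, href):
            # A server-supplied link to another host would receive our bearer token
            # if followed blindly; treat it as a misconfiguration, not a redirect.
            raise ValueError(f"refusing cross-origin link {href}")
        return href


if __name__ == "__main__":
    client = ManagementClient("http://localhost:65471/management", lambda url: ENTRY_DOCUMENT)
    print(client.resolve("search", name="users"))
```

The fetch callable is where a real client would issue an authenticated GET; the example keeps it injectable so that the link-resolution and origin check can be exercised without a running PolicyServer.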
PolicyServer Runtime API
The Runtime API is the main programming interface for client applications to connect to and evaluate policies for a user. It is an HTTP-based web service available at the relative path /runtime.
The input to the Runtime API is the Policy to evaluate and the set of claims that model the user (or identity). The output from the Runtime API is the set of Roles and Permissions that have been assigned to the user under that Policy. PolicyServer only answers the evaluation; the application is responsible for enforcing the result.
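The contract described above, claims in and roles plus permissions out, is shown here as an added example, not PolicyServer's own client library or wire format. The JSON request and response shapes, the /runtime/evaluate path, the RuntimeClient class and the sample policy "Invoicing" with its users are assumptions constructed for illustration. The point the example makes is the enforcement side: the application denies by default, so a failed or malformed evaluation never grants access.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Claim:
    """One claim about the authenticated user, e.g. ("sub", "alice")."""
    type: str
    value: str


@dataclass(frozen=True)
class Evaluation:
    """Result of evaluating one Policy for one user."""
    roles: frozenset
    permissions: frozenset


class EvaluationError(Exception):
    """Raised when the Runtime API did not return a usable evaluation."""


class RuntimeClient:
    """Hypothetical Runtime API client; the request/response shapes are assumed."""

    def __init__(self, base_url, post):
        self.base_url = base_url.rstrip("/")
        self.post = post  # callable(url, body) -> (status, payload); injected for offline use

    def evaluate(self, policy, claims):
        body = {
            "policy": policy,
            "claims": [{"type": c.type, "value": c.value} for c in claims],
        }
        status, payload = self.post(f"{self.base_url}/runtime/evaluate", body)
        if status != 200 or not isinstance(payload, dict):
            raise EvaluationError(f"evaluation of {policy!r} failed with status {status}")
        return Evaluation(
            roles=frozenset(payload.get("roles", [])),
            permissions=frozenset(payload.get("permissions", [])),
        )


def authorize(client, policy, claims, permission):
    """Deny by default: only an explicit permission in a successful evaluation allows."""
    try:
        result = client.evaluate(policy, claims)
    except EvaluationError:
        return False
    return permission in result.permissions


# Constructed stand-in for a PolicyServer response to the assumed "Invoicing" policy.
# Keyed on the "sub" claim; anything unknown gets no roles and no permissions.
_FAKE_POLICY_DATA = {
    "alice": {"roles": ["AccountsPayable"], "permissions": ["invoice:view", "invoice:approve"]},
    "bob": {"roles": ["Clerk"], "permissions": ["invoice:view"]},
}


def fake_post(url, body):
    """Simulates the Runtime API: answers only the assumed policy, 404 otherwise."""
    if not url.endswith("/runtime/evaluate") or body["policy"] != "Invoicing":
        return 404, {"error": "unknown policy"}
    subs = [c["value"] for c in body["claims"] if c["type"] == "sub"]
    data = _FAKE_POLICY_DATA.get(subs[0], {}) if subs else {}
    return 200, {"roles": data.get("roles", []), "permissions": data.get("permissions", [])}


def broken_post(url, body):
    """Simulates an outage; the caller must treat this as 'not authorized'."""
    return 500, None


if __name__ == "__main__":
    client = RuntimeClient("http://localhost:65471", fake_post)
    alice = [Claim("sub", "alice"), Claim("name", "Alice")]
    print(authorize(client, "Invoicing", alice, "invoice:approve"))
```

The claims passed to evaluate must come from the application's authenticated identity (for example, the validated token or the signed-in principal), never from request parameters the caller controls; otherwise a caller could pick whose roles and permissions are evaluated.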
PolicyServer Database
A relational database is required to store PolicyServer data including Policy, Role, and Permission definitions and the associated assignments.
PolicyServer includes a SQL script, and instructions for configuring the database with the configuration wizard. The following database platforms are supported:
SQL Server
PostgreSQL
Deployment
PolicyServer components can be deployed to any environment that supports ASP.NET Core, including:
Windows Server 2016 R2 or later with IIS 8 or later
Environments that can run Windows or Linux based Docker containers
Client Libraries
For some programming environments we provide client libraries to connect to both the Management API and Runtime API. Currently libraries are provided for .NET, .NET Core, and ASP.NET Core.
Samples
PolicyServer samples illustrate working with various aspects of PolicyServer including:
Consuming the Runtime API to evaluate policy
Enforcing authorization in a client application
Consuming the Management API to create and manage policies
Currently samples are distributed for .NET, .NET Core, and ASP.NET Core. Contact us for additional samples.