Authorization policies are used when you want to protect a resource based on criteria other than authentication, and you want Access Manager to enforce the access restrictions. Authorization policies are enforced when a user requests data from a resource.
The Access Manager supports three types of Authorization policies:
Access Gateway Authorization policies for protecting resources of the Access Gateway
Web Authorization policies for protecting Java applications on a J2EE server
Enterprise JavaBean Authorization policies for protecting the Enterprise JavaBeans of a J2EE application
The first step in creating an Authorization policy is determining the criteria for restricting access. The second step is translating those criteria into rules and conditions for a policy. This section describes the policy elements, but your resource and your security requirements determine which elements to use when creating the policy.