IBM Tivoli Access Manager for e-business: WebSEAL Administration ...
When a user successfully authenticates to WebSEAL, a set of identification information, known as a credential, is created for that user. The credential contains the user identity, any group memberships, and any special ("extended") security attributes. The Tivoli Access Manager authorization service enforces security policies by comparing a user's authentication credentials with the policy permissions assigned to the requested resource. The resulting recommendation is passed to the resource manager (for example, WebSEAL), which completes the response to the original request. The user credential is essential for full participation in the secure domain.
The protected object space

The protected object space is a hierarchical portrayal of resources belonging to a Tivoli Access Manager secure domain. The virtual objects that appear in the hierarchical object space represent the actual physical network resources.

- System resource: the actual physical file or application.
- Protected object: the logical representation of an actual system resource used by the authorization service, the Web Portal Manager, and other Tivoli Access Manager management utilities.

Policy templates can be attached to objects in the object space to provide protection of the resource. The authorization service makes authorization decisions based on these templates. The following object space categories are used by Tivoli Access Manager:

- Web objects. Web objects represent any resource that can be addressed by an HTTP URL. This includes static Web pages and dynamic URLs that are converted to database queries or some other type of application. The WebSEAL server is responsible for protecting Web objects.
- Tivoli Access Manager management objects. Management objects represent the management activities that can be performed through the Web Portal Manager. The objects represent the tasks necessary to define users and set security policy. Tivoli Access Manager supports delegation of management activities and can restrict an administrator's ability to set security policy to a subset of the object space.
- User-defined objects. User-defined objects represent customer-defined tasks or network resources protected by applications that access the authorization service through the Tivoli Access Manager authorization API.
Defining and applying ACL and POP policies

Security administrators protect Tivoli Access Manager system resources by defining rules, known as ACL and POP policies, and applying these policies to the object representations of those resources in the protected object space. The Tivoli Access Manager authorization service performs authorization decisions based on the policies applied to these objects. When a requested operation on a protected object is permitted, the application responsible for the resource implements this operation. One policy can dictate the protection parameters of many objects. Any change to the rule will affect all objects to which the template is attached.
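As an added illustration that is not part of the IBM manual, the following Python model shows the authorization flow this chapter describes: a credential (user identity plus group memberships) is compared with the ACL template attached to an object in a hierarchical protected object space, and one template attached to several objects changes their protection together. The entry names (user:, group:, any-other), the permission characters, the object paths, and the rule that an object without its own ACL uses the nearest ancestor's ACL are assumptions of this model, not statements taken from the page.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Credential:
    """Identification information created for a user after authentication."""
    user: str
    groups: frozenset = frozenset()

@dataclass
class Acl:
    """Policy template: ACL entry (user:NAME, group:NAME, any-other) -> permission set."""
    name: str
    entries: dict = field(default_factory=dict)

    def permissions_for(self, cred):
        # Union of every entry matching the credential's identity or one of its groups.
        perms = set(self.entries.get("any-other", ()))
        perms |= set(self.entries.get(f"user:{cred.user}", ()))
        for group in cred.groups:
            perms |= set(self.entries.get(f"group:{group}", ()))
        return perms

class ObjectSpace:
    """Hierarchical protected object space with ACL templates attached by object path."""
    def __init__(self):
        self.attached = {}  # object path -> Acl

    def attach(self, path, acl):
        self.attached[path] = acl

    def effective_acl(self, path):
        # Assumption of this model: an object without its own ACL uses the nearest ancestor's.
        while path not in self.attached:
            if "/" not in path or path == "/":
                return None
            path = path.rsplit("/", 1)[0] or "/"
        return self.attached[path]

    def authorize(self, cred, path, permission):
        """Authorization service: compare the credential with the policy on the object."""
        acl = self.effective_acl(path)
        return acl is not None and permission in acl.permissions_for(cred)

def build_demo_space():
    # Constructed sample: one "staff-only" template shared by two objects (a change hits both).
    space = ObjectSpace()
    space.attach("/WebSEAL/www", Acl("public", {"any-other": {"r"}}))
    staff_only = Acl("staff-only", {"group:staff": {"r", "x"}})
    space.attach("/WebSEAL/www/hr", staff_only)
    space.attach("/WebSEAL/www/finance", staff_only)
    return space, staff_only
```

The resource manager (WebSEAL) would turn a True decision into the normal response and a False one into a denial; the decision itself is the authorization service's job, which is what `authorize` models.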
Chapter 1. IBM Tivoli Access Manager WebSEAL overview 3