IBM Tivoli Access Manager security model
The security policy for a Tivoli Access Manager secure domain is maintained and governed by two key security structures:
- User registry
- Policy database
User registry
The user registry (such as LDAP, Lotus Domino, or Microsoft Active Directory) contains all users and groups who are allowed to participate in the Tivoli Access Manager secure domain. In the example used in this book, the IBM Tivoli Directory Server LDAP directory contains the user registry shared by Tivoli Access Manager and WebSphere Application Server.
Master authorization (policy) database
The authorization database contains a representation of all resources in the domain (the protected object space). The security administrator sets the required level of protection by attaching rules to the resources that need it: access control list (ACL) policies, protected object policies (POPs), and authorization rules.
The Tivoli Access Manager authorization service enforces security policy by comparing the user's credential, built at authentication time from the user registry entry (identity and group memberships), with the permissions the policy grants on the requested resource. The resulting decision (permit or deny) is passed to the resource manager (for example, WebSEAL or WebSphere Application Server), which completes the response to the original request. The user credential is therefore essential for full participation in the secure domain: without one, a request can only reach resources the policy opens to unauthenticated users.
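The decision path described above, as an added example (not IBM code and not from the book): a small in-memory policy database holds ACL policies, a simplified POP and a simplified authorization rule attached to a protected object space, and an authorization service checks a credential against them before a stand-in resource manager answers. The object paths, user and group names, permission letters, and the ACL evaluation order (an explicit user entry wins, then matching group entries are unioned, then any-other, with the unauthenticated entry masked by any-other), plus the sparse-ACL inheritance from the nearest ancestor, are assumptions made for the example and are not spelled out by the text.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, FrozenSet, Optional, Set, Tuple

@dataclass(frozen=True)
class Credential:
    user: Optional[str]                      # None models an unauthenticated request
    groups: FrozenSet[str] = frozenset()
    auth_level: int = 0                      # assumed attribute: authentication strength
    attrs: Dict[str, str] = field(default_factory=dict)

@dataclass
class ACL:
    """Permission letters, e.g. 'T' traverse, 'r' read, 'd' delete, 'm' modify (assumed)."""
    users: Dict[str, Set[str]] = field(default_factory=dict)
    groups: Dict[str, Set[str]] = field(default_factory=dict)
    any_other: Set[str] = field(default_factory=set)
    unauthenticated: Set[str] = field(default_factory=set)

    def permissions_for(self, cred: Credential) -> Set[str]:
        # Assumed order: explicit user entry wins even if empty; else union of
        # matching group entries; else any-other. Unauthenticated is masked by any-other.
        if cred.user is None:
            return self.unauthenticated & self.any_other
        if cred.user in self.users:
            return set(self.users[cred.user])
        hits = [self.groups[g] for g in cred.groups if g in self.groups]
        if hits:
            return set().union(*hits)
        return set(self.any_other)

@dataclass
class POP:
    min_auth_level: int = 0                  # simplified protected object policy

Rule = Callable[[Credential], bool]          # simplified authorization rule

class PolicyDatabase:
    """Sparse policy store: an object without a policy inherits its nearest ancestor's."""

    def __init__(self) -> None:
        self.acls: Dict[str, ACL] = {}
        self.pops: Dict[str, POP] = {}
        self.rules: Dict[str, Rule] = {}

    @staticmethod
    def _ancestors(path: str):
        node = path
        while True:
            yield node
            if node == "/":
                return
            node = node.rsplit("/", 1)[0] or "/"

    def nearest(self, table: Dict[str, object], path: str):
        for node in self._ancestors(path):
            if node in table:
                return node, table[node]
        return None, None

def decide(db: PolicyDatabase, cred: Credential, path: str, required: str) -> Tuple[bool, str]:
    """Authorization service: permit only if ACL, POP and rule all agree."""
    acl_node, acl = db.nearest(db.acls, path)
    if acl is None:
        return False, "no ACL policy reachable from " + path
    missing = set(required) - acl.permissions_for(cred)
    if missing:
        return False, "ACL at %s lacks %s" % (acl_node, "".join(sorted(missing)))
    pop_node, pop = db.nearest(db.pops, path)
    if pop is not None and cred.auth_level < pop.min_auth_level:
        return False, "POP at %s requires authentication level %d" % (pop_node, pop.min_auth_level)
    rule_node, rule = db.nearest(db.rules, path)
    if rule is not None and not rule(cred):
        return False, "authorization rule at %s denied" % rule_node
    return True, "permitted by ACL at " + acl_node

def serve(db: PolicyDatabase, cred: Credential, path: str) -> int:
    """Resource manager (a WebSEAL stand-in): turn the decision into an HTTP status."""
    permitted, _reason = decide(db, cred, path, "Tr")
    if permitted:
        return 200
    return 401 if cred.user is None else 403   # unauthenticated: prompt for login

def sample_policy() -> PolicyDatabase:
    """Constructed policy for a hypothetical junctioned application."""
    db = PolicyDatabase()
    db.acls["/"] = ACL(users={"sec_master": set("Trdmx")})
    db.acls["/WebSEAL/www/app"] = ACL(groups={"staff": set("Tr")})
    db.acls["/WebSEAL/www/app/public"] = ACL(any_other=set("Tr"), unauthenticated=set("Tr"))
    db.acls["/WebSEAL/www/app/admin"] = ACL(users={"mallory": set()}, groups={"admins": set("Trdm")})
    db.pops["/WebSEAL/www/app/admin"] = POP(min_auth_level=2)
    db.rules["/WebSEAL/www/app/admin"] = lambda c: c.attrs.get("employment") == "permanent"
    return db
```

Two behaviours worth noticing: a request to `/WebSEAL/www/app/reports` carries no policy of its own and is governed by the ACL on `/WebSEAL/www/app`, not by the root ACL; and `mallory`, although a member of `admins`, gets nothing on the admin branch because an explicit (empty) user entry takes precedence over her group entries. The resource manager answers 401 to an unauthenticated denial and 403 to an authenticated one, which is the point of the closing sentence above: without a credential the user can only reach what the policy opens to everyone.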