The protected object space
The protected object space is a hierarchical portrayal of the resources belonging to an Access Manager secure domain. The virtual objects that appear in the hierarchical object space represent the actual network resources in the domain. Two kinds of objects are involved: system resources, which are the actual files or applications, and protected objects, which are the logical representations of those system resources that the authorization service and the other Access Manager management components operate on.
Policy templates, such as ACLs, can be attached to objects in the object space to protect the resources they represent. The authorization service makes its authorization decisions based on these templates.
A policy can be attached explicitly or inherited: the Access Manager protected object space supports inheritance of security policies down the hierarchy. This is an important consideration for the security administrator who manages the object space, because explicit policies need to be applied only at the points in the hierarchy where the rules must change; every object below such a point inherits the nearest attached policy.
Figure 10-3 Tivoli Access Manager object space
The following object space categories are used by Access Manager:
Web objects Web objects represent any resource that can be addressed by a URL, including static and dynamic content. WebSEAL, a component of Access Manager, is the server responsible for protecting Web resources.
Access Manager management objects Management objects represent the management activities that can be performed through the Web Portal Manager. The objects represent the tasks necessary to define users and set security policy. Access Manager supports delegation of management activities and can restrict an administrator's ability to set security policy to a subset of the object space. An example of a management object is a defined group, such as /Management/Groups/boardmembers; an ACL attached to that object restricts who can add members to the group.
User-defined objects User-defined objects represent customized tasks or network resources protected by applications that call the authorization service through the Access Manager authorization API. For instance, a library application could map its actions to objects and allow everyone access to /library/book/summary while allowing only authenticated users access to /library/book/reservation.
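The two points above, policy inheritance down the hierarchy and the library application's public versus authenticated-only objects, can be shown together in a small model. The following is an added example written for this page; it is not Access Manager code and does not reproduce the real ACL format or the full authorization algorithm. It assumes a simplified ACL with user, group, any-other and unauthenticated entries, single-letter permissions in the style of "T" (traverse) and "r" (read), and the rule that an object without an attached ACL uses the nearest ACL attached above it. The object paths, the `sec_master` user and the `librarians` group are constructed for the example.

```python
from dataclasses import dataclass, field
from typing import Dict, Iterator, Optional, Set, Tuple


@dataclass
class Acl:
    """Simplified ACL (constructed for this example, not the real Access Manager format).
    Entry precedence for an authenticated caller: explicit user entry, then the union
    of matching group entries, then any-other. Unauthenticated callers only ever get
    the 'unauthenticated' entry."""
    users: Dict[str, Set[str]] = field(default_factory=dict)
    groups: Dict[str, Set[str]] = field(default_factory=dict)
    any_other: Set[str] = field(default_factory=set)
    unauthenticated: Set[str] = field(default_factory=set)

    def permissions_for(self, user: Optional[str], groups: Set[str]) -> Set[str]:
        if user is None:
            return set(self.unauthenticated)
        if user in self.users:
            return set(self.users[user])
        matched = [self.groups[g] for g in groups if g in self.groups]
        if matched:
            return set().union(*matched)
        return set(self.any_other)


class ObjectSpace:
    """Hierarchy of protected objects keyed by '/'-separated paths. ACLs are attached
    only where policy changes; every other object inherits the nearest attached ACL."""

    def __init__(self) -> None:
        self.attached: Dict[str, Acl] = {}

    def attach(self, path: str, acl: Acl) -> None:
        self.attached[path] = acl

    @staticmethod
    def ancestors(path: str) -> Iterator[str]:
        """Yield '/', then each ancestor in order, ending with path itself."""
        parts = [p for p in path.split("/") if p]
        yield "/"
        for i in range(1, len(parts) + 1):
            yield "/" + "/".join(parts[:i])

    def effective_acl(self, path: str) -> Tuple[str, Acl]:
        """Return (source path, ACL): the ACL attached at path or at its nearest ancestor."""
        source: Optional[str] = None
        for p in self.ancestors(path):
            if p in self.attached:
                source = p
        if source is None:
            raise LookupError("no ACL attached anywhere on the path to " + path)
        return source, self.attached[source]

    def is_authorized(self, path: str, user: Optional[str], groups: Set[str], action: str) -> bool:
        """Decision: the caller needs 'T' (traverse) on every ancestor's effective ACL
        and the requested action on the target object's effective ACL."""
        for p in self.ancestors(path):
            if p == path:
                break
            if "T" not in self.effective_acl(p)[1].permissions_for(user, groups):
                return False
        return action in self.effective_acl(path)[1].permissions_for(user, groups)


def build_library_space() -> ObjectSpace:
    """Constructed object space for the library application described in the text."""
    space = ObjectSpace()
    # Root policy: administrators and librarians get everything, everyone else may
    # only traverse. /library and /library/book are left unattached and inherit this.
    space.attach("/", Acl(users={"sec_master": {"T", "r", "x", "m"}},
                          groups={"librarians": {"T", "r", "x", "m"}},
                          any_other={"T"}, unauthenticated={"T"}))
    # Public summary: anyone, including unauthenticated callers, may read it.
    space.attach("/library/book/summary", Acl(any_other={"T", "r"}, unauthenticated={"T", "r"}))
    # Reservations: authenticated users only; no unauthenticated entry means no access.
    space.attach("/library/book/reservation", Acl(any_other={"T", "r", "x"}))
    return space


if __name__ == "__main__":
    space = build_library_space()
    print("guest reads summary:", space.is_authorized("/library/book/summary", None, set(), "r"))
    print("guest reads reservation:", space.is_authorized("/library/book/reservation", None, set(), "r"))
    print("alice reads reservation:", space.is_authorized("/library/book/reservation", "alice", set(), "r"))
    print("/library/book policy comes from:", space.effective_acl("/library/book")[0])
```

Note the caveat the model makes visible: an attached ACL replaces the inherited one wholesale, so the `librarians` group, which has full rights under the root policy, loses "m" on /library/book/summary because that object's ACL carries no group entry. When attaching a policy at a change point, the administrator has to carry forward whatever administrative entries must keep working below it.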
Tivoli is a trademark of the IBM Corporation in the United States, other countries, or both.