Network Deployment (Distributed operating systems), v8.0 > Secure applications and their environment > Authorizing access to resources > Authorization technology > Authorization providers
Role-based security with embedded Tivoli Access Manager
The Java EE role-based authorization model uses the concepts of roles and resources. In the following example, each method of a banking application is a resource, and a role is either granted or not granted permission to invoke it:

| Role | getBalance | deposit | closeAccount |
|---|---|---|---|
| Teller | granted | granted | |
| Cashier | granted | | |
| Supervisor | | | granted |
Within WAS, a principal is a person or a process. Groups are logical collections of principals. Roles can be mapped to principals, to groups, or to both:

| Principal or group | Teller | Cashier | Supervisor |
|---|---|---|---|
| TellerGroup | Invoke | | |
| CashierGroup | | Invoke | |
| SupervisorGroup | | | Invoke |
| Frank (a principal who is not a member of any of the previous groups) | | Invoke | Invoke |

In this example, the principal Frank holds the Cashier and Supervisor roles directly, without belonging to any of the groups. Frank can invoke getBalance (granted to the Cashier role) and closeAccount (granted to the Supervisor role), but cannot invoke deposit, because that method is granted only to the Teller role, which Frank does not hold.
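To make the two tables concrete, the following is an added Python model of the authorization decision; it is not code from WAS or TAM. The method, role, group and principal names are the ones in the tables above; the data structures, the function names and the extra principals alice and bob are assumptions for illustration. A caller is granted a method when at least one of its effective roles (its direct role mappings plus the roles of every group it belongs to) is granted that method; a method with no grant, or a caller with no roles, is denied.

```python
"""Model of the Java EE role-based authorization decision from the tables above.

Added example, not WAS or TAM product code. Method, role, group and principal
names come from the page; data structures, function names and the principals
alice and bob are assumptions.
"""
from typing import Dict, FrozenSet, Iterable

# Table 1: which roles are granted each method (method permission -> roles).
METHOD_ROLES: Dict[str, FrozenSet[str]] = {
    "getBalance": frozenset({"Teller", "Cashier"}),
    "deposit": frozenset({"Teller"}),
    "closeAccount": frozenset({"Supervisor"}),
}

# Table 2: role mappings for groups and for individually mapped principals.
GROUP_ROLES: Dict[str, FrozenSet[str]] = {
    "TellerGroup": frozenset({"Teller"}),
    "CashierGroup": frozenset({"Cashier"}),
    "SupervisorGroup": frozenset({"Supervisor"}),
}
PRINCIPAL_ROLES: Dict[str, FrozenSet[str]] = {
    # Frank is mapped to roles directly and belongs to none of the groups.
    "Frank": frozenset({"Cashier", "Supervisor"}),
}


def effective_roles(principal: str, groups: Iterable[str] = ()) -> FrozenSet[str]:
    """Roles a caller holds: its direct mappings plus those of each group it is in.

    Unknown principals and unknown groups contribute no roles (default deny).
    """
    roles = set(PRINCIPAL_ROLES.get(principal, frozenset()))
    for group in groups:
        roles |= GROUP_ROLES.get(group, frozenset())
    return frozenset(roles)


def can_invoke(principal: str, method: str, groups: Iterable[str] = ()) -> bool:
    """Grant iff the caller holds at least one role that is granted the method.

    A method with no grant at all (not covered by the descriptor) is denied
    to every caller, including one that holds every role.
    """
    granted = METHOD_ROLES.get(method, frozenset())
    return bool(granted & effective_roles(principal, groups))


def decisions(principal: str, groups: Iterable[str] = ()) -> Dict[str, bool]:
    """Access decision for every method of the application, for one caller."""
    groups = tuple(groups)  # allow any iterable, but evaluate it once per method
    return {method: can_invoke(principal, method, groups) for method in METHOD_ROLES}


if __name__ == "__main__":
    # Frank: getBalance and closeAccount allowed, deposit denied (Teller only).
    print("Frank:", decisions("Frank"))
    # alice (assumed) holds Teller only through TellerGroup membership.
    print("alice in TellerGroup:", decisions("alice", ["TellerGroup"]))
    # bob (assumed) is in no group and has no direct mapping: denied everything.
    print("bob:", decisions("bob"))
    # Nobody is granted a method the descriptor does not mention.
    print("Frank -> transfer:", can_invoke("Frank", "transfer"))
```

The two-level indirection (principal or group to role, then role to method) is the point: the deployment descriptor never names Frank or TellerGroup, only roles, so the same application can be deployed against different user registries by changing only the role mappings.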
At the time of application deployment, the JACC provider of TAM populates the TAM-protected object space with the security policy information contained in the application's deployment descriptor and annotations. This security information is used to determine access whenever the WAS resource is requested.
By default, the TAM access check is performed using the role name, the cell name, the application name, and the module name.
TAM access control lists (ACLs) determine which application roles are assigned to a principal. ACLs are attached to the applications in the TAM-protected object space at the time of application deployment.
Principal-to-role mappings are managed from the WAS administrative console and are never modified directly in TAM. Direct updates to ACLs are performed only for administrative security users.
The following sequence of events occurs:
- During application deployment, policy information is sent to the JACC provider of TAM. This policy information contains the permission-to-role mappings and the role-to-principal and role-to-group mappings.
- The JACC provider of TAM converts the information into the required format, and passes this information to the TAM policy server.
- The policy server adds entries to the TAM-protected object space to represent the roles that are defined for the application and the permission-to-role mappings. A permission is represented as a TAM-protected object and the role that is granted to this object is attached as an extended attribute.
Related
Authorization providers
Administer security users and roles with TAM
Configure TAM groups