User registry and master authorization database
The user registry and the master authorization database govern the security policy of a secure domain.
- The user registry, such as IBM Tivoli Directory Server or Microsoft Active Directory, contains the users and groups that can participate in the ISAM environment.
- The authorization database contains a representation of all resources in the domain (the protected object space). The security administrator applies access control list (ACL) policies and protected object policies (POPs) to these objects.
Authentication is the process by which a user proves an identity to WebSEAL. A user can participate in the secure domain as either authenticated or unauthenticated; authenticated users must have an account in the user registry. Using ACLs and POPs, the security administrator can ensure that:
- Certain resources are publicly available to unauthenticated users
- Other resources are available only to certain authenticated users
When a user successfully authenticates, WebSEAL creates a set of identification information that is known as a credential. The credential contains the user identity, any group memberships, and any special extended security attributes. A user requires a credential to fully participate in the secure domain. The ISAM authorization service enforces security policy by comparing the user's credential with the policy permissions assigned to the requested resource. The authorization service returns the resulting decision (permit or deny) to the resource manager, for example WebSEAL, which enforces it and completes the response to the original request.
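As an added illustration of the credential-versus-ACL decision just described (this is example code written for this page, not code from the ISAM product or its documentation), the following Python models a credential, ACL entries and a small protected object space, and shows how authenticated and unauthenticated users are treated differently. The ACL names, user and group names, and object paths are constructed for the example; the evaluation order follows the documented ISAM ACL rules (a matching user entry first, otherwise the union of matching group entries, otherwise any-other, with the unauthenticated entry masked by any-other, and traverse permission T required on every ancestor of the requested object). POPs are not modelled.

```python
"""Toy model of the credential-versus-ACL decision described above.

Added illustration: this is not ISAM or WebSEAL code. The entry types
(user, group, any-other, unauthenticated), the permission letters T/r/x
and the evaluation order follow the documented ISAM ACL rules; the ACL
names, users, groups and object names below are constructed for the
example. POPs are not modelled.
"""
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, Optional


@dataclass
class Credential:
    """What WebSEAL builds after authentication: identity, groups, attributes."""
    user: Optional[str]                 # None models an unauthenticated user
    groups: FrozenSet[str] = frozenset()
    attributes: Dict[str, str] = field(default_factory=dict)


@dataclass
class Acl:
    """One ACL: per-user and per-group entries plus the two catch-all entries."""
    name: str
    users: Dict[str, str] = field(default_factory=dict)
    groups: Dict[str, str] = field(default_factory=dict)
    any_other: str = ""        # authenticated users with no user/group entry
    unauthenticated: str = ""  # unauthenticated users (masked by any_other)

    def permissions_for(self, cred: Credential) -> str:
        """ISAM order: user entry, else union of matching group entries,
        else any-other; the unauthenticated entry is ANDed with any-other."""
        if cred.user is None:
            return "".join(p for p in self.unauthenticated if p in self.any_other)
        if cred.user in self.users:
            return self.users[cred.user]
        matched = [self.groups[g] for g in cred.groups if g in self.groups]
        if matched:
            return "".join(sorted(set("".join(matched))))
        return self.any_other


def effective_acl(object_space: Dict[str, Acl], obj: str) -> Acl:
    """Nearest ACL attached at obj or at one of its ancestors (inheritance)."""
    path = obj
    while path not in object_space:
        if path == "/":
            raise LookupError("no ACL attached at or above " + obj)
        path = path.rsplit("/", 1)[0] or "/"
    return object_space[path]


def authorize(object_space: Dict[str, Acl], cred: Credential,
              obj: str, needed: str) -> bool:
    """Permit only if cred holds `needed` on obj AND traverse (T) on every
    ancestor of obj; a missing T anywhere on the path denies the request."""
    parts = obj.strip("/").split("/")
    ancestors = ["/"] + ["/" + "/".join(parts[:i]) for i in range(1, len(parts))]
    for anc in ancestors:
        if "T" not in effective_acl(object_space, anc).permissions_for(cred):
            return False
    return needed in effective_acl(object_space, obj).permissions_for(cred)


# Constructed sample policy (hypothetical names, not a real deployment).
PUBLIC_ACL = Acl("public-acl", users={"sec_master": "Trx"},
                 any_other="Tr", unauthenticated="Trx")   # x is masked off
STAFF_ACL = Acl("staff-acl", users={"sec_master": "Trx"},
                groups={"staff": "Tr", "auditors": "r"},
                any_other="T", unauthenticated="")
OBJECT_SPACE = {"/": PUBLIC_ACL, "/WebSEAL/app-default/staff": STAFF_ACL}

ANON = Credential(user=None)
ALICE = Credential("alice", frozenset({"staff"}))
BOB = Credential("bob", frozenset({"auditors"}))
CAROL = Credential("carol", frozenset({"staff", "auditors"}),
                   {"AUTHENTICATION_LEVEL": "1"})

if __name__ == "__main__":
    for who, cred in [("anon", ANON), ("alice", ALICE), ("bob", BOB)]:
        for obj in ["/WebSEAL/app-default/public/index.html",
                    "/WebSEAL/app-default/staff",
                    "/WebSEAL/app-default/staff/report.html"]:
            print(f"{who:6} r {obj}: {authorize(OBJECT_SPACE, cred, obj, 'r')}")
```

Two points worth noticing when running it: the unauthenticated user gets only `Tr` on the public ACL even though its unauthenticated entry says `Trx`, because that entry is masked by any-other; and `bob` (group `auditors`, permissions `r`) can read the `staff` object itself but is denied everything beneath it, because the `auditors` entry carries no traverse permission on that ancestor.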
Parent topic: Security concepts for a WebSEAL deployment