Configure Tivoli Access Manager groups

 


 

Overview

The WAS administrative console can be used to specify security policies for applications that run in the WAS environment. The WAS administrative console can also specify security policies for other Web resources, based on the entities that are stored in the registry.

Tivoli Access Manager adds the accessGroup object class to the registry. TAM administrators can use the pdadmin utility (available only on the policy server host in the PD.RTE fileset) to create new groups. These new groups are added to the registry as the accessGroup object class.

By default, the administrative console does not recognize objects of the accessGroup class as user registry groups. You can configure the administrative console to add this object class to the list of object classes that represent user registry groups. To do so, complete the following procedure:

 

Procedure

  1. From the administrative console, open the advanced security settings by clicking:

    Security | Global security | LDAP | Advanced LDAP user registry settings

  2. Modify the Group Filter field. Add the following entry:

    (objectclass=accessGroup)

    The Group Filter field then looks like the following example:

    (&(cn=%w)(|(objectclass=groupOfNames)(objectclass=groupOfUniqueNames)(objectclass=accessGroup)))

  3. Modify the Group Member ID Map field. Add the following entry:

    accessGroup:member

    The Group Member ID Map field then looks like the following example:

    groupOfNames:member;groupOfUniqueNames:uniqueMember;accessGroup:member

  4. Stop and restart WAS.
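
A consistency check for the two field values edited in steps 2 and 3, as an added example that is not part of the original documentation: it confirms that the Group Filter matches accessGroup and that every object class named in the filter has an entry in the Group Member ID Map. The function names are assumptions made for this example; the field values are the ones shown in the procedure, plus one constructed value with step 3 skipped.

```python
import re

def filter_objectclasses(group_filter):
    """Return the object classes named in an LDAP group filter (lowercased)."""
    depth = 0
    for ch in group_filter:
        depth += (ch == "(") - (ch == ")")
        if depth < 0:
            raise ValueError("unbalanced parentheses in group filter")
    if depth != 0:
        raise ValueError("unbalanced parentheses in group filter")
    found = re.findall(r"\(\s*objectclass\s*=\s*([^()\s]+)\s*\)", group_filter, re.I)
    return {name.lower() for name in found}

def member_id_map(map_value):
    """Parse 'objectclass:attribute;...' into a dict keyed by lowercased object class."""
    mapping = {}
    for entry in filter(None, (e.strip() for e in map_value.split(";"))):
        objclass, sep, attr = entry.partition(":")
        if not sep or not objclass.strip() or not attr.strip():
            raise ValueError("malformed map entry: %r" % entry)
        mapping[objclass.strip().lower()] = attr.strip()
    return mapping

def check_group_settings(group_filter, map_value, required="accessGroup"):
    """Return a list of problems; an empty list means the two fields agree."""
    classes = filter_objectclasses(group_filter)
    mapping = member_id_map(map_value)
    problems = []
    if required.lower() not in classes:
        problems.append("filter does not match objectclass=%s" % required)
    for oc in sorted(classes - set(mapping)):
        problems.append("no member attribute mapped for %s" % oc)
    for oc in sorted(set(mapping) - classes):
        problems.append("%s is mapped but not matched by the filter" % oc)
    return problems

# Field values from the procedure above, written on one line each.
AFTER_FILTER = ("(&(cn=%w)(|(objectclass=groupOfNames)"
                "(objectclass=groupOfUniqueNames)(objectclass=accessGroup)))")
AFTER_MAP = "groupOfNames:member;groupOfUniqueNames:uniqueMember;accessGroup:member"
# Constructed sample: step 2 applied, step 3 skipped.
PARTIAL_MAP = "groupOfNames:member;groupOfUniqueNames:uniqueMember"

if __name__ == "__main__":
    print(check_group_settings(AFTER_FILTER, AFTER_MAP))
    print(check_group_settings(AFTER_FILTER, PARTIAL_MAP))
```

Object class names are compared case-insensitively, so the reported names are lowercased.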


 

See Also

Role-based security with embedded Tivoli Access Manager

 



 

 

Tivoli is a trademark of the IBM Corporation in the United States, other countries, or both.