Access control with IBM Tivoli access manager

Abstract

Web presence has become a key consideration for the majority of companies and other organizations. Besides being an essential information delivery tool, the Web is increasingly being regarded as an extension of the organization itself, directly integrated with its operating processes. As this transformation takes place, security grows in importance. IBM Tivoli Access Manager offers a shared infrastructure for authentication and access management, technologies that have begun to emerge in the commercial marketplace. This paper describes the Authorization Service provided by IBM Tivoli Access Manager for e-business (AM) and its use by AM family members as well as third-party applications. Policies are defined over a protected object namespace and stored in a database, which is managed via a management console and accessed through an Authorization API. The protected object namespace abstracts from heterogeneous systems and thus enables the definition of consistent policies and their centralized management. ACL inheritance and delegated management allow these policies to be managed efficiently. The Authorization API allows applications with their own access control requirements to decouple authorization logic from application logic. Policy checking can be externalized by using either a proxy that sits in front of the Web servers and application servers or a plug-in that examines the request. Thus, AM familiy members establish a single entry point to enforce enterprise policies that regulate access to corporate data.