Chapter 2. Planning 31
Note that in a real situation this authorization process can be more complex. One
of the major differences is that WebSEAL caches an authorization database
replica locally and does not query the Policy Server for every user request.
2.2.1 User registry
Access Manager requires a user registry to support the operation of its
authorization functions. Specifically, it provides:
A database of the user identities that are known to Access Manager.
A representation of groups in Access Manager that users have membership in.
A data store of metadata required to support additional functions.
While it can be used to authenticate users, this is not the primary purpose of the
user registry. Access Manager can authenticate a user via a variety of methods
(ID/password, certificate, and so on), and then map the authenticated identity to
one defined in the user registry. For example, consider a user John who
authenticates himself to Access Manager using a certificate as dn=john123.
Access Manager can be configured to programmatically map the distinguished
name (DN) in the certificate to a pre-defined value for many-to-one (n:1)
mappings, or an algorithm can be applied to manipulate the username based on
external attributes or data. When making subsequent authorization decisions,
the internal Access Manager user identity is passed between the application and
other components using various mechanisms, including a special credential
known as a Privilege Attribute Certificate (PAC).
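The mapping step described above, as an added illustration and not Access Manager's own code or API: an authenticated certificate subject DN is resolved to a user identity that exists in the registry, either through a fixed many-to-one (n:1) rule keyed on the DN suffix or through an algorithm that derives the username from a DN attribute. The registry contents, the rule table, and the DN values are constructed sample data; a DN that resolves to no registry identity is rejected rather than admitted.

```python
"""Illustrative identity-mapping step (constructed example, not Access Manager code).

Maps an authenticated certificate subject DN to a user identity defined in the
user registry, in the two styles the text describes: a fixed many-to-one (n:1)
mapping and an attribute-driven algorithm. All data below is constructed.
"""

# Constructed sample registry: the identities Access Manager would know about.
USER_REGISTRY = {"john123", "partner-generic", "alice"}

# Constructed n:1 rules: every certificate issued under this organisation and
# country collapses to one shared registry identity.
N_TO_ONE_RULES = {
    "o=partnercorp,c=us": "partner-generic",
}


def parse_dn(dn):
    """Split 'cn=john123,ou=staff,o=example,c=us' into (attr, value) pairs.

    Attribute names are lower-cased; values keep their case so the caller
    decides how to normalise them. Malformed RDNs raise ValueError.
    """
    parts = []
    for rdn in dn.split(","):
        attr, _, value = rdn.strip().partition("=")
        if not attr or not value:
            raise ValueError(f"malformed RDN in DN: {rdn!r}")
        parts.append((attr.strip().lower(), value.strip()))
    return parts


def map_certificate_dn(dn):
    """Return the registry identity for an authenticated DN, or None to reject."""
    rdns = parse_dn(dn)

    # Style 1: n:1 mapping keyed on the organisation/country suffix of the DN.
    suffix = ",".join(f"{a}={v.lower()}" for a, v in rdns if a in ("o", "c"))
    if suffix in N_TO_ONE_RULES:
        return N_TO_ONE_RULES[suffix]

    # Style 2: algorithmic mapping; here the CN attribute becomes the username.
    cn = next((v for a, v in rdns if a == "cn"), None)
    if cn is None:
        return None
    candidate = cn.lower()

    # Only identities that actually exist in the registry are accepted; an
    # unknown name yields None so the caller denies access.
    return candidate if candidate in USER_REGISTRY else None


if __name__ == "__main__":
    for subject in (
        "cn=john123,ou=staff,o=example,c=us",   # algorithmic: CN -> john123
        "cn=Bob,o=PartnerCorp,c=US",            # n:1: whole partner org -> one id
        "cn=mallory,o=example,c=us",            # unknown to registry -> rejected
    ):
        print(f"{subject!r:45} -> {map_certificate_dn(subject)}")
```

The suffix rule is checked before the attribute rule so that a partner certificate never falls through to a per-user lookup; in a deployment the order and the rule table are what the administrator configures, and the registry lookup is the check that keeps an authenticated-but-unregistered identity from being granted a credential.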
User registry structure
The default user registry is LDAP-based, and Access Manager consolidates its
registry support around a number of LDAP directory products. Access Manager
can use the following directory products for its user registry:
IBM Tivoli Directory Server
Sun™ Java™ System Directory Server
Microsoft® Active Directory
IBM Lotus® Domino Server
IBM z/OS® LDAP Server
The IBM Tivoli Directory Server is included with Access Manager and is the
default LDAP directory for implementing the user registry. For the latest list of
supported user registries refer to the IBM Tivoli Access Manager for e-business
Version 6.0 Release Notes, SC32-1702.