Chapter 2. Planning 45
2.4.2 Authorization service
The foundation of Access Manager is its authorization service, which permits or
denies access to protected objects (resources) based on the user’s credentials
and the access controls placed on the objects.
The Policy Server provides an authorization service that may be leveraged by
applications and other Access Manager components that use the IBM Tivoli
Access Manager Authorization Application Programming Interface (aznAPI).
Optionally, additional Authorization Servers may be installed to offload these
authorization decisions from the Policy Server and provide for higher availability
of authorization functions. The Policy Server provides updates for authorization
database replicas maintained on each Authorization Server.
The Access Manager authorization service can also be embedded directly within
an application. In this case, the functions of an Authorization Server are
contained in the application itself.
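The decision logic described above, written as an added, simplified model for this chapter rather than IBM's own aznAPI or Policy Server code. It assumes a slash-separated protected object tree, ACLs attached to objects and inherited by descendants without their own ACL, single-letter permission flags (r for read, x for execute, T for traverse), and the evaluation order that a matching user entry wins outright, otherwise matching group entries are combined, otherwise any-other applies, while unauthenticated callers receive the intersection of the unauthenticated and any-other entries. It also assumes traverse is required on every ACL attached above the requested object. The object names, users and groups are constructed for the example.

```python
"""Model of an Access Manager style authorization decision over a replica
of the authorization database (added example; assumptions noted inline)."""
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Optional


@dataclass(frozen=True)
class Credential:
    """Caller identity as an authorization service would see it."""
    user: Optional[str]                      # None models an unauthenticated caller
    groups: frozenset[str] = frozenset()


@dataclass
class ACL:
    """ACL entries keyed by user, group, any-other and unauthenticated.
    Permission strings use single-letter flags such as 'T', 'r', 'x'."""
    users: dict[str, str] = field(default_factory=dict)
    groups: dict[str, str] = field(default_factory=dict)
    any_other: str = ""
    unauthenticated: str = ""

    def permissions_for(self, cred: Credential) -> set[str]:
        # Assumed evaluation order: unauthenticated = unauth AND any-other;
        # an explicit user entry wins outright; otherwise union of group
        # entries; otherwise the any-other entry.
        if cred.user is None:
            return set(self.unauthenticated) & set(self.any_other)
        if cred.user in self.users:
            return set(self.users[cred.user])
        matched = [self.groups[g] for g in cred.groups if g in self.groups]
        if matched:
            return set().union(*matched)
        return set(self.any_other)


class AuthorizationDatabase:
    """The policy replica an Authorization Server (or an application in
    local mode) consults; ACLs are attached to objects in a tree."""

    def __init__(self) -> None:
        self.acls: dict[str, ACL] = {}

    def attach(self, obj: str, acl: ACL) -> None:
        self.acls[obj.rstrip("/") or "/"] = acl

    @staticmethod
    def _path_chain(obj: str) -> list[str]:
        """Root first, the object itself last."""
        chain, cur = ["/"], ""
        for part in (p for p in obj.split("/") if p):
            cur += "/" + part
            chain.append(cur)
        return chain

    def effective_acl(self, obj: str) -> ACL:
        """Nearest ACL at or above the object (inheritance rule)."""
        for path in reversed(self._path_chain(obj)):
            if path in self.acls:
                return self.acls[path]
        raise LookupError("no ACL attached at the root")

    def decision_access_allowed(self, cred: Credential, obj: str, perm: str) -> bool:
        """Permit only if every ACL attached above the object grants traverse
        and the effective ACL grants the requested permission."""
        chain = self._path_chain(obj)
        for path in chain[:-1]:
            if path in self.acls and "T" not in self.acls[path].permissions_for(cred):
                return False
        return perm in self.effective_acl(obj).permissions_for(cred)


def build_sample_db() -> AuthorizationDatabase:
    """Constructed sample policy: a public area, an application area open to
    app-users, and an admin area where a user entry overrides group membership."""
    db = AuthorizationDatabase()
    db.attach("/", ACL(any_other="T", unauthenticated="T"))
    db.attach("/WebSEAL", ACL(any_other="Tr", unauthenticated="Tr"))
    db.attach("/WebSEAL/host/app", ACL(groups={"app-users": "Tr"}))
    db.attach("/WebSEAL/host/app/admin",
              ACL(users={"bob": "Trx", "carol": ""}, groups={"app-admins": "Tr"}))
    return db


if __name__ == "__main__":
    db = build_sample_db()
    alice = Credential("alice", frozenset({"app-users"}))
    erin = Credential("erin", frozenset({"app-admins"}))       # lacks traverse on /WebSEAL/host/app
    anon = Credential(None)
    for cred, obj in [(alice, "/WebSEAL/host/app/index.html"),
                      (alice, "/WebSEAL/host/app/admin/users"),
                      (erin, "/WebSEAL/host/app/admin/users"),
                      (anon, "/WebSEAL/host/public/index.html")]:
        print(cred.user, obj, db.decision_access_allowed(cred, obj, "r"))
```

The erin case is the one practitioners most often trip over: her group is granted read on the admin ACL, yet she is denied because an ACL on a container above it grants her no traverse permission. Carol shows the other trap: an empty user entry overrides the permissions she would otherwise receive through app-admins.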
2.4.3 Access Manager Session Management Server
Access Manager Session Management Server (SMS) is an optional Tivoli Access
Manager component that runs as an IBM WebSphere Application Server service.
It manages user sessions across complex clusters of Tivoli Access Manager
security servers, ensuring that session policy remains consistent across the
participating servers. Using the Session Management Server allows Access
Manager WebSEAL and Access Manager Plug-in for Web Servers to share a
unified view of all current sessions and permits an authorized user to monitor and
administer user sessions. The Session Management Server permits the sharing
of session information, makes session statistics available, and provides secure
and high-performance failover and single sign-on capabilities for clustered
environments.
The Session Management Server provides a user interface from which
authorized persons can administer and monitor user sessions. Administration of
the Session Management Server is performed using either the pdadmin
command line utility or the Session Management Server Web-based graphical
user interface that is run from within the Web Portal Manager.
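The interaction between the Web security servers and the Session Management Server described above, as an added model for this chapter and not IBM's own SMS or WebSEAL code. It assumes each Web security server keeps a local session cache, the SMS keeps the master copy, a cache miss is resolved against the SMS (which is what gives failover and single sign-on across the cluster), administrative termination evicts the session from the master store and every local cache, and a per-user concurrent-session limit is enforced at the SMS so the policy is the same whichever server handles the login. The server names, user and limit are constructed for the example.

```python
"""Model of session sharing between Web security servers and a Session
Management Server (added example; assumptions noted inline)."""
from __future__ import annotations

import secrets
from dataclasses import dataclass
from typing import Optional


@dataclass
class Session:
    session_id: str
    user: str
    created_on: str            # name of the Web security server that created it


class SessionManagementServer:
    """Master (backing) store for session data plus cluster-wide session policy."""

    def __init__(self, max_sessions_per_user: int = 2) -> None:
        self.sessions: dict[str, Session] = {}
        self.servers: list[WebSecurityServer] = []
        self.max_sessions_per_user = max_sessions_per_user   # assumed policy knob

    def register_server(self, server: WebSecurityServer) -> None:
        self.servers.append(server)

    def create(self, user: str, server_name: str) -> Optional[Session]:
        """Create the master copy; refuse if the user is already at the limit."""
        active = [s for s in self.sessions.values() if s.user == user]
        if len(active) >= self.max_sessions_per_user:
            return None
        sess = Session(secrets.token_hex(16), user, server_name)
        self.sessions[sess.session_id] = sess
        return sess

    def retrieve(self, session_id: str) -> Optional[Session]:
        return self.sessions.get(session_id)

    def terminate(self, session_id: str) -> bool:
        """Administrative or logout termination: drop the master copy and
        evict the session from every server's local cache."""
        removed = self.sessions.pop(session_id, None) is not None
        for server in self.servers:
            server.cache.pop(session_id, None)
        return removed

    def statistics(self) -> dict:
        per_user: dict[str, int] = {}
        for s in self.sessions.values():
            per_user[s.user] = per_user.get(s.user, 0) + 1
        return {"total": len(self.sessions), "per_user": per_user}


class WebSecurityServer:
    """A WebSEAL-like server with a local session cache backed by the SMS."""

    def __init__(self, name: str, sms: SessionManagementServer) -> None:
        self.name, self.sms = name, sms
        self.cache: dict[str, Session] = {}
        sms.register_server(self)

    def login(self, user: str) -> Optional[Session]:
        sess = self.sms.create(user, self.name)
        if sess is not None:
            self.cache[sess.session_id] = sess
        return sess

    def lookup(self, session_id: str) -> Optional[Session]:
        """Local cache first; on a miss, fetch the master copy from the SMS
        (this is the failover / single sign-on path) and cache it locally."""
        sess = self.cache.get(session_id)
        if sess is None:
            sess = self.sms.retrieve(session_id)
            if sess is not None:
                self.cache[session_id] = sess
        return sess

    def logout(self, session_id: str) -> bool:
        return self.sms.terminate(session_id)


def run_scenario() -> dict:
    """Constructed walkthrough: login on one server, failover to another,
    policy enforced cluster-wide, termination visible everywhere."""
    sms = SessionManagementServer(max_sessions_per_user=1)
    w1, w2 = WebSecurityServer("webseal1", sms), WebSecurityServer("webseal2", sms)
    sess = w1.login("alice")
    assert sess is not None
    out = {"w2_cold_cache": sess.session_id in w2.cache}
    out["w2_failover_hit"] = w2.lookup(sess.session_id) is sess
    out["w2_cached_after"] = sess.session_id in w2.cache
    out["second_login_denied"] = w2.login("alice") is None
    out["total_before"] = sms.statistics()["total"]
    out["terminated"] = sms.terminate(sess.session_id)
    out["w1_after"] = w1.lookup(sess.session_id)
    out["w2_after"] = w2.lookup(sess.session_id)
    out["total_after"] = sms.statistics()["total"]
    return out


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(f"{key}: {value}")
```

The point the model makes concrete is that a session terminated through the SMS disappears from every server at once, whereas a server that only trusted its own cache would keep honouring the session until its local entry expired.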
Figure 2-8 on page 46 shows how multiple security servers can achieve a single
session by using a common Session Management Server that provides a unified
backing store for session data. Each Web security server maintains a local copy
of the session data in its own session cache for performance reasons. A backup
or master copy is also maintained on the Session Management Server and this
data can be accessed by other Web security servers when necessary. The Web
security servers work with the Session Management Server to create, retrieve,