48 Certification Study Guide: IBM Tivoli Access Manager for e-business 6.0
򐂰 User-to-role mapping via an Access Manager authorization check of an object
in the Access Manager protected object space that represents the role
Access Manager for Microsoft .NET also provides for Web services security in
one of two ways:
򐂰 Client-side authorization and identity propagation via HTTP headers
򐂰 Server-side authentication and authorization via HTTP header or SOAP
WS-Security header (Username Token)
There are two APIs that are exposed to .NET applications:
򐂰 .NET Assembly for Tivoli Access Manager Administration Services
򐂰 .NET Assembly for Tivoli Access Manager Authorization Services
Access Manager for Microsoft .NET allows for a user to change their role
dynamically without restarting the user’s session or the application. In addition,
Access Manager can use any directory for the security information that is
supported by the core components.
2.4.5 WebSphere Application Server integration
Starting with WebSphere Application Server 5.1.1 and above, WebSphere
Application Server ships with all the Access Manager Java Runtime Environment
and .jar files required for integration into a secure domain. This is not a separate
product, but an integration point between Access Manager and WebSphere that
can be used to centralize security for J2EE applications in one location, Access
Manager. In addition, a J2EE-to-Access Manager user/role migration utility is
provided to assist customers in populating the Access Manager policy database
with users and roles.
This enables enterprises to use a common security model across WebSphere
and non-WebSphere resources, leveraging common user identity and profiles,
Access Manager-based authorization, and using Access Manager’s Web Portal
Manager to leverage a single point of security management across J2EE and
non-J2EE resources.
Note: While the user-to-role mapping via group membership is the simpler of
the two models, it does have some limitations. Advanced authorization
policies, such as Protected Object Policies (POPs) and Authorization Rules
(Rules) cannot be used. Also, any change to a policy will not be effective until
the next time the user logs in. If a more advanced and dynamic security policy
is required, the user-to-role mapping via an Access Manager authorization
check should be used.

Get Certification Study Guide: IBM Tivoli Access Manager for e-business 6.0 now with the O’Reilly learning platform.

O’Reilly members experience live online training, plus books, videos, and digital content from nearly 200 publishers.