50 Certification Study Guide: IBM Tivoli Access Manager for e-business 6.0
whether access should be granted or denied to BEA WebLogic Server
resources. The access decision is made using the PDPermission classes that
are distributed with the Tivoli Access Manager Java runtime component.
Role Mapping Provider
Role Mapping Providers are used to supply an interface between BEA
WebLogic Server and the external authorization service that is being used to
manage roles. The Role Mapping Provider focuses on roles rather than on
policy, which is the responsibility of the Authorization Provider.
Policy and role deployment
Policy and roles can be defined in deployment descriptors or created through the
WebLogic console. Upon deployment of J2EE applications, roles and policy
defined within the application deployment descriptors are exported to the Tivoli
Access Manager protected object space.
Although possible, it is not expected that policy creation will be performed using
the Tivoli Access Manager administrative utility, pdadmin, or the Tivoli Access
Manager Web Portal Manager. Before starting a BEA WebLogic Server that is
using Tivoli Access Manager for WebLogic, some default policy must be created
in Tivoli Access Manager. This is performed during configuration of Tivoli Access
Manager for WebLogic.
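Because roles and policy in the deployment descriptors are exported as written, it helps to review them before deployment. The following is an added example, not code from this guide or from Tivoli Access Manager: it parses a constructed `web.xml` and reports constraints that would yield weak or broken policy. The function name `audit_descriptor` and the sample descriptor are assumptions, and the script does not contact Tivoli Access Manager.

```python
import xml.etree.ElementTree as ET

# Constructed sample web.xml (J2EE 1.4 namespace); not taken from the guide.
WEB_XML = """<?xml version="1.0"?>
<web-app xmlns="http://java.sun.com/xml/ns/j2ee" version="2.4">
  <security-constraint>
    <web-resource-collection><web-resource-name>admin</web-resource-name>
      <url-pattern>/admin/*</url-pattern></web-resource-collection>
    <auth-constraint><role-name>Administrator</role-name></auth-constraint>
  </security-constraint>
  <security-constraint>
    <web-resource-collection><web-resource-name>reports</web-resource-name>
      <url-pattern>/reports/*</url-pattern><http-method>GET</http-method></web-resource-collection>
    <auth-constraint><role-name>Auditor</role-name><role-name>Ghost</role-name></auth-constraint>
  </security-constraint>
  <security-constraint>
    <web-resource-collection><web-resource-name>public</web-resource-name>
      <url-pattern>/public/*</url-pattern></web-resource-collection>
  </security-constraint>
  <security-role><role-name>Administrator</role-name></security-role>
  <security-role><role-name>Auditor</role-name></security-role>
</web-app>"""

NS = {"j": "http://java.sun.com/xml/ns/j2ee"}

def audit_descriptor(xml_text):
    """Return (policy rows, findings) for the security constraints in a web.xml."""
    root = ET.fromstring(xml_text)
    declared = {r.text.strip() for r in root.findall("j:security-role/j:role-name", NS)}
    rows, findings = [], []
    for sc in root.findall("j:security-constraint", NS):
        auth = sc.find("j:auth-constraint", NS)
        roles = None if auth is None else sorted(r.text.strip() for r in auth.findall("j:role-name", NS))
        for wrc in sc.findall("j:web-resource-collection", NS):
            methods = sorted(m.text.strip() for m in wrc.findall("j:http-method", NS)) or ["*"]
            for pat in wrc.findall("j:url-pattern", NS):
                url = pat.text.strip()
                rows.append((url, tuple(methods), None if roles is None else tuple(roles)))
                if roles is None:      # constraint without roles: anyone may access
                    findings.append(f"{url}: no auth-constraint, no role restriction")
                elif not roles:        # empty auth-constraint: nobody may access
                    findings.append(f"{url}: empty auth-constraint, all access denied")
                elif methods != ["*"]: # listed methods only; the rest stay unconstrained
                    findings.append(f"{url}: only {methods} constrained, other methods open")
                for r in roles or []:
                    if r not in declared and r != "*":
                        findings.append(f"{url}: role {r!r} has no security-role declaration")
    return rows, findings
```
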
Resources and roles
BEA WebLogic Server defines a number of different resource types, all of which
are supported by Tivoli Access Manager for WebLogic. All resource types are
considered the same within Tivoli Access Manager for WebLogic, so new
resource types, created for future releases of BEA WebLogic Server, will be
The policies and roles defined for all resource types are stored in the Tivoli
Access Manager protected object space in a uniform way.
Access Manager supports a number of application programming interfaces that
permit direct application interaction with its components. While these interfaces
support a rich set of functionality and are useful in many situations, it is important
to point out that there is substantial product function that does not require their
use. Initially, many organizations do not need to utilize these interfaces, allowing
rapid deployment of security components such as WebSEAL. However, as the
needs of the organization evolve, these interfaces allow for a high level of