96 Certification Study Guide: IBM Tivoli Access Manager for e-business 6.0
Again, only WPM can be used to import and export objects from the object
4.1.3 Users and groups
Tivoli Access Manager maintains information about Tivoli Access Manager users
and groups in the user registry. Users and groups that already exist in the user
registry can be imported into Tivoli Access Manager. If a user or group does not
already exist in the user registry, it can be created directly within Tivoli Access
When a user is authenticated to Tivoli Access Manager, a user credential is
returned. This credential is used by other Tivoli Access Manager functions to
uniquely identify the user making the request.
Tivoli Access Manager supports different types of users. When a domain is
created, a special user known as the
domain administrator is created. For the
management domain, the domain administrator is
sec_master. The sec_master
user and associated password are created during the configuration of the Tivoli
Access Manager Policy Server. For other domains, the user ID and password of
the domain administrator are established when the domain is created. The
domain administrator has nearly complete control of the domain. The domain
administrator is added as a member of the Tivoli Access Manager
group within the domain. The iv-admin group represents those users with domain
administration privileges. When adding users to the iv-admin group, ensure that
you do not compromise the security of your domain. Another predefined group,
ivmgrd-servers contains the Policy Servers and the Policy Proxy Servers. By
default, members of this group are authorized to delegate requests to other Tivoli
Access Manager servers on behalf of the requestor.
There are two more predefined (built-in) Access Manager groups:
any-other Represents all authenticated users.
unauthenticated Represents all users who have not been authenticated by
Those two groups have a very important role in defining and applying ACLs, as
described in “Evaluating an ACL” on page 103.