100 Certification Study Guide: IBM Tivoli Access Manager for e-business 6.0
access should be permitted to these resources. Finally, you must apply the proper security policy on these resources to ensure that only the right users can access them (we already explained that resources are represented as objects in the Policy Server object space).

Access to objects within a domain is controlled by applying a security policy to the container and resource objects in the protected object space. To secure network resources in a protected object space, each object must be protected by a security policy. A security policy can be explicitly applied to an object or inherited from objects above it in the hierarchy. You need to apply an explicit security policy in the protected object space only at those points in the hierarchy where the rules must change.

Adopting an inherited security scheme can greatly reduce the administration tasks for a domain. The power of security policy inheritance is based on the following principle:

   Any object without an explicitly attached security policy inherits the policy of its nearest container object with an explicitly set security policy. The inheritance chain is broken when an object has an explicitly attached security policy.

Security policy inheritance simplifies the task of setting and maintaining access controls on a large protected object space. In a typical object space, you need to attach only a few security policies at key locations to secure the entire object space. Therefore, it is called a sparse security policy model.

Security policy is defined using a combination of:

Access control lists (ACLs)
   An access control list specifies the predefined actions that a set of users and groups can perform on an object. For example, a specific set of groups or users can be granted read access to the object.

Protected object policies (POPs)
   A protected object policy specifies access conditions associated with an object that affect all users and groups. For example, a time-of-day restriction can be placed on the object that excludes all users and groups from accessing the object during the specified time.

Authorization rules
   An authorization rule specifies a complex condition that is evaluated to determine whether access will be permitted. The data used to make this decision can be based on the context of the request, the current environment, or other external factors. For example, a request to modify an object more than five times in an 8-hour period could be denied.
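The following Python model is an added illustration, not code from this guide or from the Tivoli Access Manager product. It ties together the two ideas above: the sparse policy model, where only a few objects in the hierarchy carry an explicit policy and every other object resolves to the nearest explicitly protected ancestor, and the three policy kinds (ACL, POP, authorization rule) evaluated together for one request. The class names, the permission letters "r" and "m", the path layout under /WebSEAL, the evaluation order and the sample object space are all assumptions made for the example; the rule mirrors the "more than five modifications in an 8-hour period" case from the text.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, Optional, Set, Tuple

# Constructed toy model of a protected object space. Class names, permission
# letters, evaluation order and the sample paths are assumptions for
# illustration; they are not the product's API or exact semantics.

@dataclass
class Acl:
    entries: Dict[str, Set[str]]      # group name -> permitted actions ("r" read, "m" modify)

@dataclass
class Pop:
    deny_hours: Tuple[int, int]       # [start, end) hours of day when everyone is refused

@dataclass
class Rule:
    max_mods: int                     # refuse once this many modifications ...
    window: timedelta                 # ... already happened inside this period

@dataclass
class ProtectedObject:
    acl: Optional[Acl] = None
    pop: Optional[Pop] = None
    rule: Optional[Rule] = None

ObjectSpace = Dict[str, ProtectedObject]   # only objects with an explicit policy appear (sparse)

def nearest_policy(space: ObjectSpace, path: str, kind: str):
    """Inheritance: walk from `path` toward the root "/" and return the first
    explicitly attached policy of the given kind ("acl", "pop" or "rule")."""
    parts = path.rstrip("/").split("/")
    while parts:
        obj = space.get("/".join(parts) or "/")
        if obj is not None and getattr(obj, kind) is not None:
            return getattr(obj, kind)
        parts.pop()                    # move one level up the hierarchy
    return None

def authorize(space, path, groups, action, now, mod_history=()):
    """Return (decision, reason). Access passes only if the inherited ACL grants
    the action, the inherited POP does not exclude this time of day, and the
    inherited authorization rule (if any) is satisfied."""
    acl = nearest_policy(space, path, "acl")
    if acl is None or not any(action in acl.entries.get(g, set()) for g in groups):
        return False, "acl: action not granted to caller's groups"
    pop = nearest_policy(space, path, "pop")
    if pop is not None:
        start, end = pop.deny_hours
        if start <= now.hour < end:
            return False, "pop: time-of-day restriction in force"
    rule = nearest_policy(space, path, "rule")
    if rule is not None and action == "m":
        recent = sum(1 for t in mod_history if now - t <= rule.window)
        if recent >= rule.max_mods:
            return False, "rule: modification quota for the period exhausted"
    return True, "permitted"

# Constructed sample object space: four explicit policies protect everything beneath them.
SPACE: ObjectSpace = {
    "/": ProtectedObject(acl=Acl({"everyone": {"r"}})),
    "/WebSEAL/app": ProtectedObject(acl=Acl({"staff": {"r", "m"}})),     # breaks the chain from "/"
    "/WebSEAL/app/private": ProtectedObject(pop=Pop(deny_hours=(0, 6))),  # closed 00:00-05:59
    "/WebSEAL/app/private/report": ProtectedObject(
        rule=Rule(max_mods=5, window=timedelta(hours=8))),
}

def demo() -> Dict[str, str]:
    """Evaluate a few constructed requests and return the reason for each decision."""
    day = datetime(2024, 1, 1, 10, 0)              # constructed clock: 10:00
    night = datetime(2024, 1, 1, 3, 0)             # constructed clock: 03:00
    five_recent = [day - timedelta(minutes=10 * i) for i in range(1, 6)]
    five_stale = [day - timedelta(hours=9)] * 5    # older than the 8-hour window
    report = "/WebSEAL/app/private/report"
    return {
        "everyone reads /index": authorize(SPACE, "/index", ["everyone"], "r", day)[1],
        "everyone reads app page": authorize(SPACE, "/WebSEAL/app/public/page", ["everyone"], "r", day)[1],
        "staff reads app page": authorize(SPACE, "/WebSEAL/app/public/page", ["staff"], "r", day)[1],
        "staff reads report at night": authorize(SPACE, report, ["staff"], "r", night)[1],
        "staff 6th modify in 8h": authorize(SPACE, report, ["staff"], "m", day, five_recent)[1],
        "staff modify after quiet 8h": authorize(SPACE, report, ["staff"], "m", day, five_stale)[1],
    }

if __name__ == "__main__":
    for request, reason in demo().items():
        print(f"{request:32} -> {reason}")
```

Note that the "everyone reads app page" request is refused even though the root ACL grants everyone read access: the explicit ACL on /WebSEAL/app breaks the inheritance chain, exactly as the principle above states, so the root policy never reaches objects beneath it.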