Chapter 4. Configuration and customization 111
Action groups
Tivoli Access Manager provides 18 predefined permissions for immediate use.
These permissions are stored in the predefined action group named
Each permission is associated with an action bit. These predefined permissions
are described in “Using ACL policies with the authorization service” on page 101.
As additional resource managers are installed, additional action groups might be
created. A domain administrator can create additional action groups and add
new actions to previously created action groups as needed.
Resource manager software typically performs one or more operations on
protected resources. Tivoli Access Manager requires these applications to call
the authorization service before the requested operation is allowed to proceed.
The call is made through the authorization application programming interface
(authorization API), which is used both by Tivoli Access Manager's own services
and by other applications.
The authorization service uses the information contained in the ACL to provide a
simple yes or no response to the question: Does this user (group) have the r
permission (for example) to view the requested resource?
The authorization service has no knowledge about the operation requiring the r
permission. It is merely noting the presence, or not, of the r permission in the
ACL entry of the requesting user or group. The authorization service is
completely independent of the operations being requested. This is why it is easy
to extend the benefits of the authorization service to other applications.
4.1.5 Default security policy
When initially installed, Tivoli Access Manager establishes a predefined default
set of ACL policies to protect all objects in a domain. Those policies are placed
on different parts of the default protected object space tree shown in Figure 4-2
on page 95. A typical object space begins with a single explicit security policy
attached to the root container object. The root ACL must always exist and can
never be removed. Normally, this is an ACL with very little restriction. All objects
located in the object space inherit this ACL. Table 4-3 shows default ACL policies
and their positions in the object space.
Table 4-3 Default ACLs
ACL policy                Permissions                            Position in object space
default-root              group iv-admin         TcmdbvaBR       / (root)
                          any-other              T
                          unauthenticated        T
default-management        group iv-admin         TcmdbsvaBtNWAR  /Management
                          group ivmgrd-servers   Ts
                          any-other              Tv
default-replica           group iv-admin         TcbvaBR
                          group ivmgrd-servers   m
                          group secmgrd-servers  mdv
                          group ivacld-servers   md
default-config            group iv-admin         TcmdbsvaBR
                          any-other              Tv
                          unauthenticated        Tv
default-gso               group iv-admin         TcmdbvaBNR
                          any-other              Tv
                          unauthenticated        Tv
default-policy            group iv-admin         TcmdbvaBNR
                          any-other              Tv
                          unauthenticated        Tv
default-domain            group iv-admin         TcmdbvaBNR
                          group ivmgrd-servers   v
default-management-proxy  group iv-admin         Tcbv
                          group ivmgrd-servers   Tg
112 Certification Study Guide: IBM Tivoli Access Manager for e-business 6.0
This table shows that the /Management region of the protected object space
contains multiple container objects that each require a specific set of
permissions. If you want to modify the default permissions, you need to be aware
of the impact of ACL changes on the /Management region of the object space. For
example, if you want users who are members of the PolicyAudit group to be able
to find where the ACL “salary” is attached in the object tree, they need
permission to execute the following command:
pdadmin > acl find salary
This command can only be executed if the PolicyAudit group has the v
permission on the /Management/ACL object space. If this group also needs to be
allowed to create and modify ACLs, the additional permission m must be
assigned to it there.
Table 4-3 shows that no default ACL policy is attached to /Management/ACL
itself; it inherits the default-management policy, which gives members of the
iv-admin group permission to manipulate ACLs and gives any-other the T and v
permissions, so by default any authenticated user can already run acl find.
Replacing that inherited policy with a more restrictive ACL on /Management/ACL
removes the v permission from PolicyAudit members unless the new ACL gives
their group an entry of its own.
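The decision described above (the nearest attached ACL is inherited down the object space, the requesting principal's entry is selected, and the answer is simply whether the requested permission bit is present) and the PolicyAudit scenario, modelled as an added Python example. This is constructed illustration code, not IBM's authorization service or the authorization API. It takes the default-root and default-management entries from Table 4-3 and assumes default-management is attached at /Management (which the inheritance onto /Management/ACL in the text implies). The ACL named salary, its attachment path /WebSEAL/www-hr/cgi-bin/salary, the hr group, the user names, and the acl-locked and acl-audit ACLs are hypothetical. Entry selection follows the order Tivoli Access Manager documents (a matching user entry wins, otherwise the union of matching group entries, otherwise any-other, with the unauthenticated entry masked by any-other); the traverse check on parent containers is not modelled.

```python
from typing import Dict, List, Optional, Tuple

# One ACL entry, in the shape "pdadmin> acl show <name>" prints it:
# ("group", "iv-admin", "TcmdbvaBR"), ("any-other", None, "T"), ...
Entry = Tuple[str, Optional[str], str]


class Acl:
    """An ACL policy: a named set of entries, each carrying a permission string."""

    def __init__(self, name: str, entries: List[Entry]) -> None:
        self.name = name
        self.users: Dict[str, str] = {n: p for k, n, p in entries if k == "user" and n}
        self.groups: Dict[str, str] = {n: p for k, n, p in entries if k == "group" and n}
        self.any_other = next((p for k, _, p in entries if k == "any-other"), "")
        self.unauthenticated = next((p for k, _, p in entries if k == "unauthenticated"), "")

    def permissions_for(self, user: Optional[str], groups: List[str]) -> str:
        """Effective permission string for one principal (user=None means unauthenticated)."""
        if user is None:
            # The unauthenticated entry is masked by any-other: it can never grant more.
            return "".join(p for p in self.unauthenticated if p in self.any_other)
        if user in self.users:
            return self.users[user]            # an explicit user entry wins outright
        matched = [self.groups[g] for g in groups if g in self.groups]
        if matched:
            return "".join(sorted(set("".join(matched))))  # union of group entries
        return self.any_other


class ObjectSpace:
    """Protected object space: ACL definitions plus explicit attachment points."""

    def __init__(self) -> None:
        self.acls: Dict[str, Acl] = {}
        self.attached: Dict[str, str] = {}   # object path -> ACL name

    def define(self, acl: Acl) -> None:
        self.acls[acl.name] = acl

    def attach(self, path: str, acl_name: str) -> None:
        if acl_name not in self.acls:
            raise KeyError(f"ACL {acl_name!r} is not defined")
        self.attached[path] = acl_name

    def effective_acl(self, path: str) -> Acl:
        """Nearest explicitly attached ACL at or above path (ACL inheritance)."""
        node = path
        while node not in self.attached:
            if node == "/":
                raise KeyError("the root ACL must always exist")
            node = node.rsplit("/", 1)[0] or "/"
        return self.acls[self.attached[node]]

    def find(self, acl_name: str) -> List[str]:
        """Where an ACL is attached, which is what 'pdadmin> acl find <name>' reports."""
        return sorted(p for p, n in self.attached.items() if n == acl_name)

    def is_authorized(self, user: Optional[str], groups: List[str], path: str, perm: str) -> bool:
        """The yes/no answer: is the requested permission bit present for this principal?"""
        return perm in self.effective_acl(path).permissions_for(user, groups)


def build_space() -> ObjectSpace:
    """Default policy from Table 4-3 plus one hypothetical application ACL, 'salary'."""
    space = ObjectSpace()
    space.define(Acl("default-root", [("group", "iv-admin", "TcmdbvaBR"),
                                      ("any-other", None, "T"),
                                      ("unauthenticated", None, "T")]))
    space.define(Acl("default-management", [("group", "iv-admin", "TcmdbsvaBtNWAR"),
                                            ("group", "ivmgrd-servers", "Ts"),
                                            ("any-other", None, "Tv")]))
    # Hypothetical application ACL; the path and the "hr" group are constructed.
    space.define(Acl("salary", [("group", "iv-admin", "TcmdbvaBR"),
                                ("group", "hr", "Tr"),
                                ("any-other", None, "T")]))
    space.attach("/", "default-root")
    space.attach("/Management", "default-management")        # assumed position
    space.attach("/WebSEAL/www-hr/cgi-bin/salary", "salary")
    return space


def policy_audit_scenario() -> Dict[str, bool]:
    """Can a PolicyAudit member run 'acl find' (needs v on /Management/ACL) and
    create ACLs (needs m), before and after /Management/ACL gets its own ACL?"""
    space = build_space()
    alice = ("alice", ["PolicyAudit"])   # hypothetical user and group membership
    out: Dict[str, bool] = {}
    # Defaults: /Management/ACL inherits default-management, whose any-other entry
    # carries v, so the find is allowed; m is not present anywhere for this user.
    out["default find"] = space.is_authorized(*alice, "/Management/ACL", "v")
    out["default create"] = space.is_authorized(*alice, "/Management/ACL", "m")
    # An administrator locks /Management/ACL down: any-other loses v, and the
    # audit group is cut off because it has no entry of its own.
    space.define(Acl("acl-locked", [("group", "iv-admin", "TcmdbsvaBtNWAR"),
                                    ("any-other", None, "T")]))
    space.attach("/Management/ACL", "acl-locked")
    out["locked find"] = space.is_authorized(*alice, "/Management/ACL", "v")
    # Giving PolicyAudit its own entry restores v, and m if creation is needed.
    space.define(Acl("acl-audit", [("group", "iv-admin", "TcmdbsvaBtNWAR"),
                                   ("group", "PolicyAudit", "Tvm"),
                                   ("any-other", None, "T")]))
    space.attach("/Management/ACL", "acl-audit")
    out["audit find"] = space.is_authorized(*alice, "/Management/ACL", "v")
    out["audit create"] = space.is_authorized(*alice, "/Management/ACL", "m")
    return out


if __name__ == "__main__":
    print(build_space().find("salary"))
    print(policy_audit_scenario())
```

The model makes the page's point visible: the authorization service never looks at what `acl find` does, only at whether `v` is present in the entry selected for the caller on the ACL that /Management/ACL inherits, and an ACL attached lower in the /Management region silently replaces that inherited policy for every group without an entry of its own.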