Chapter 4. Configuration and customization 111
Action groups
Tivoli Access Manager provides 18 predefined permissions for immediate use.
These permissions are stored in the predefined action group named primary.
Each permission is associated with an action bit. These predefined permissions
are described in "Using ACL policies with the authorization service" on page 101.
As additional resource managers are installed, additional action groups might be
created. A domain administrator can create additional action groups and add
new actions to previously created action groups as needed.
Resource manager software typically contains one or more operations that are
performed on protected resources. Tivoli Access Manager requires these
applications to make calls into the authorization service before the requested
operation is allowed to progress. This call is made through the authorization
application programming interface (authorization API) for both Tivoli Access
Manager services and other applications.
The authorization service uses the information contained in the ACL to provide a
simple yes or no response to a question of the form: Does this user (or group)
hold the r permission that is required to view the requested resource?
The authorization service has no knowledge about the operation requiring the r
permission. It is merely noting the presence, or not, of the r permission in the
ACL entry of the requesting user or group. The authorization service is
completely independent of the operations being requested. This is why it is easy
to extend the benefits of the authorization service to other applications.
4.1.5 Default security policy
When initially installed, Tivoli Access Manager establishes a predefined default
set of ACL policies to protect all objects in a domain. Those policies are placed
on different parts of the default protected object space tree shown in Figure 4-2
on page 95. A typical object space begins with a single explicit security policy
attached to the root container object. The root ACL must always exist and can
never be removed. Normally, this is an ACL with very little restriction. All objects
located in the object space inherit this ACL. Table 4-3 shows default ACL policies
and their positions in the object space.
Table 4-3 Default ACLs

ACL policy     Permissions                    Position in object space
default-root   group iv-admin   TcmdbvaBR     / (root)
               any-other        T
               unauthenticated  T
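The following Python model ties together the two points made above: the authorization service answers a plain yes or no about the presence of an action bit without knowing what the operation means, and an object with no ACL of its own inherits the nearest ACL above it, ultimately the root ACL. This is an added illustration, not code from Tivoli Access Manager or from this Redbook. The 18 letters in PRIMARY_ACTIONS, the entry-resolution order (explicit user entry, otherwise the union of matching group entries, otherwise any-other, with the unauthenticated mask ANDed against any-other) and the rule that every container above the target must grant T are reproduced from memory of the product documentation and should be treated as assumptions. The default-root ACL is the one in Table 4-3; the attached staff-only ACL, the object names and the users alice, bob and admin are constructed for the example.

```python
"""Toy model of the ACL yes/no check and of ACL inheritance in the
protected object space.  Added illustration, not product code."""
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Dict, FrozenSet, Iterator, Optional, Set

# Assumed: the 18 permissions of the predefined 'primary' action group.
PRIMARY_ACTIONS: FrozenSet[str] = frozenset("aAbBcdglmNrRstTvWx")
assert len(PRIMARY_ACTIONS) == 18


@dataclass
class ACL:
    """One ACL policy: permission strings keyed by entry type, e.g. 'TcmdbvaBR'."""
    name: str
    users: Dict[str, str] = field(default_factory=dict)
    groups: Dict[str, str] = field(default_factory=dict)
    any_other: str = ""        # authenticated users with no matching entry
    unauthenticated: str = ""  # requests that carry no credential


@dataclass(frozen=True)
class Principal:
    user: Optional[str]                  # None means unauthenticated
    groups: FrozenSet[str] = frozenset()


def effective_permissions(acl: ACL, who: Principal) -> Set[str]:
    """Resolve which action bits one ACL grants to a principal (assumed order)."""
    if who.user is None:
        # Assumed rule: the unauthenticated mask is ANDed with any-other.
        return set(acl.unauthenticated) & set(acl.any_other)
    if who.user in acl.users:            # an explicit user entry wins outright
        return set(acl.users[who.user])
    matched = [acl.groups[g] for g in sorted(who.groups) if g in acl.groups]
    if matched:                          # otherwise the union of matching groups
        return set("".join(matched))
    return set(acl.any_other)


class ObjectSpace:
    """Protected object space with sparse ACL attachment and inheritance."""

    def __init__(self, root_acl: ACL) -> None:
        self._acls: Dict[str, ACL] = {"/": root_acl}  # root ACL always exists

    def attach(self, path: str, acl: ACL) -> None:
        self._acls[path] = acl

    @staticmethod
    def _chain(path: str) -> Iterator[str]:
        """Yield '/', then each container, down to and including path."""
        parts = [p for p in path.split("/") if p]
        yield "/"
        for i in range(1, len(parts) + 1):
            yield "/" + "/".join(parts[:i])

    def effective_acl(self, path: str) -> ACL:
        """Nearest explicitly attached ACL at or above path (inheritance)."""
        acl = self._acls["/"]
        for node in self._chain(path):
            acl = self._acls.get(node, acl)
        return acl

    def is_authorized(self, who: Principal, path: str, action: str) -> bool:
        """Yes/no answer only; nothing here knows what `action` means."""
        if action not in PRIMARY_ACTIONS:
            raise ValueError(f"unknown action bit {action!r}")
        nodes = list(self._chain(path))
        for container in nodes[:-1]:     # assumed: every parent must grant T
            if "T" not in effective_permissions(self.effective_acl(container), who):
                return False
        return action in effective_permissions(self.effective_acl(path), who)


# Constructed scenario: default-root from Table 4-3 plus one tighter ACL
# attached further down the tree.
SPACE = ObjectSpace(ACL("default-root", groups={"iv-admin": "TcmdbvaBR"},
                        any_other="T", unauthenticated="T"))
SPACE.attach("/WebSEAL/host/private", ACL("staff-only", groups={"staff": "Tr"}))

ADMIN = Principal("admin", frozenset({"iv-admin"}))
ALICE = Principal("alice", frozenset({"staff"}))
BOB = Principal("bob")
ANON = Principal(None)
REPORT = "/WebSEAL/host/private/report.html"


def check(who: Principal, path: str, action: str) -> bool:
    """Ask the toy authorization service the same yes/no question a resource
    manager would ask through the authorization API."""
    return SPACE.is_authorized(who, path, action)


if __name__ == "__main__":
    for who, path, action in [(ALICE, REPORT, "r"), (BOB, REPORT, "r"),
                              (ANON, REPORT, "r"), (ADMIN, "/", "v"),
                              (ADMIN, "/", "r"), (ANON, "/", "T")]:
        print(who.user or "unauthenticated", path, action, check(who, path, action))
```

Running the block shows why default-root grants T to any-other and unauthenticated: without that bit on the root, nobody could reach objects further down the tree, however permissive their own ACLs were. It also shows the point made about independence: the service says no to an iv-admin member asking for r on the root, because default-root does not carry r, without any idea what "reading the root" would mean.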