122 Certification Study Guide: IBM Tivoli Access Manager for e-business 6.0
4.4.2 Switch user authentication
The WebSEAL switch user function allows administrators to assume the identity
of a user who is a member of a Tivoli Access Manager secure domain. The
ability to assume a user’s identity can help an administrator in a Help Desk
environment to troubleshoot and diagnose problems. Switch user can also be
used to test a user’s access to resources and to perform application integration.
The switch user implementation is similar to the su command in UNIX®
environments. In the WebSEAL environment, the administrator acquires the
user’s credentials and interacts with resources and back-end applications with
exactly the same abilities as the actual user. The administrator uses a special
HTML form to supply switch user information. WebSEAL processes the form and
calls a special authentication mechanism that returns the specified user’s
credential without requiring the user’s password. Because that credential carries
exactly the abilities of the real user, WebSEAL decides whether to allow a switch
user request by performing the following checks:
1. WebSEAL examines the membership of the Tivoli Access Manager
su-admins group to determine if the administrator has permission to invoke
the switch user function. Administrators requesting use of switch user
authentication must be members of the su-admins group, and membership in this
group must be configured before switch user can be used. Because membership
effectively grants the ability to act as any user not protected by the exclusions
in step 2, keep this group small and audit changes to it.
2. WebSEAL examines the membership of the Tivoli Access Manager
su-admins, securitygroup, and su-excluded groups to ensure that the user
identity supplied in the switch user form is not a member of one of these
groups. User identities that belong to any of these groups cannot be
accessed by the switch user function. The WebSEAL administrator must
configure memberships in these groups before administrators use the switch
user function. Note that because su-admins is itself on the list, an
administrator cannot switch to another administrator’s identity, or to their own.
For configuration instructions and more information on these groups refer to the
IBM Tivoli Access Manager for e-business Version 6.0 WebSEAL Administration Guide.
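The two checks above, as an added example that is not code from this guide or from Tivoli Access Manager: a Python model of the decision evaluated over a constructed in-memory group directory. The group names su-admins, securitygroup and su-excluded are the ones the text names; the sample user IDs, the Decision type and the audit record fields are assumptions made for this illustration, not a WebSEAL API or log format.

```python
"""Model of WebSEAL's switch user authorization checks.

Added illustration, not IBM code. The group names come from the text;
the directory contents, user names and the audit record are constructed
assumptions for this example.
"""
from dataclasses import dataclass

SU_ADMINS = "su-admins"
# Identities in any of these groups can never be the target of a switch.
PROTECTED_GROUPS = frozenset({"su-admins", "securitygroup", "su-excluded"})

# Constructed sample directory: group name -> set of member user IDs.
SAMPLE_GROUPS = {
    "su-admins": {"helpdesk1", "helpdesk2"},
    "securitygroup": {"sec_master"},
    "su-excluded": {"payroll_admin"},
    "staff": {"alice", "bob", "helpdesk1", "payroll_admin"},
}


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str


def groups_of(user, groups):
    """Return the names of the groups that list `user` as a member."""
    return {name for name, members in groups.items() if user in members}


def can_switch_user(admin, target, groups=SAMPLE_GROUPS):
    """Apply the two membership checks WebSEAL performs before it calls
    the switch user module. Returns a Decision; a denial carries the
    reason so it can be logged.
    """
    # Check 1: the requester must be a member of su-admins.
    if admin not in groups.get(SU_ADMINS, set()):
        return Decision(False, f"{admin} is not a member of {SU_ADMINS}")

    # Check 2: the target must not be in su-admins, securitygroup or
    # su-excluded. Because su-admins is on this list, an administrator
    # can never switch to another administrator, or to themselves.
    hits = groups_of(target, groups) & PROTECTED_GROUPS
    if hits:
        return Decision(
            False, f"{target} is a member of protected group(s) {sorted(hits)}"
        )

    return Decision(True, f"{admin} may assume the identity of {target}")


def audit_record(admin, target, decision):
    """Build the event a SOC would want for every switch user attempt,
    allowed or not: both identities and the outcome. The field names are
    this example's own assumption, not a WebSEAL log format.
    """
    return {
        "event": "switch_user",
        "admin": admin,
        "target": target,
        "allowed": decision.allowed,
        "reason": decision.reason,
    }


if __name__ == "__main__":
    for admin, target in [
        ("helpdesk1", "alice"),          # allowed
        ("alice", "bob"),                # denied: requester not in su-admins
        ("helpdesk1", "helpdesk2"),      # denied: target is an administrator
        ("helpdesk1", "sec_master"),     # denied: target in securitygroup
        ("helpdesk1", "payroll_admin"),  # denied: target in su-excluded
    ]:
        print(audit_record(admin, target, can_switch_user(admin, target)))
```

Both denials and allowances are turned into an audit record because a switch user event yields a credential with the target's full abilities; a detection pipeline needs the administrator identity and the assumed identity together to attribute anything the switched session does.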
When WebSEAL decides to allow the switch user request, WebSEAL calls the
appropriate switch user module to perform the special switch user authentication.
WebSEAL supports a variety of authentication mechanisms. Each authentication
mechanism has a corresponding switch user authentication mechanism.
WebSEAL provides built-in modules that contain the special switch user function.
Before switch user authentication can be used, the WebSEAL administrator must
configure WebSEAL to use the appropriate modules.
When authentication of the designated user succeeds, the switch user module
returns a valid credential for the user—without requiring the user password for