Chapter 5. Programming 189
5.2 Authorization API overview
The Tivoli Access Manager authorization application programming interface
(aznAPI) lets Tivoli Access Manager applications and third-party applications
query the Tivoli Access Manager authorization service for authorization
decisions. The aznAPI is the interface between a server-based resource manager
and the authorization service; it provides a standard model for coding
authorization requests and decisions (it follows The Open Group Authorization
API specification), so any application you develop can make the same calls to
the centrally managed authorization service. The aznAPI supports two
implementation modes:
Remote cache mode
In remote cache mode, the application uses the aznAPI to send each
authorization request to a Tivoli Access Manager authorization server, which
makes the decision on the application's behalf and returns it. The authorization
server maintains its own cache of a replica of the master authorization policy
database, so the application itself holds no policy data, but every decision
costs a network round trip to the authorization server.
Local cache mode
In local cache mode, the application uses the aznAPI to download its own local
replica of the authorization policy database. The application can then make all
authorization decisions locally, without contacting an authorization server for
each request; the replica is refreshed from the policy server as policy changes.
The aznAPI shields you from the complexities of the authorization service
mechanism. Policy management, storage, caching, replication, credential format,
and authentication methods are all hidden behind the aznAPI, which works
independently of the underlying security infrastructure, the credential format,
and the evaluating mechanism. The application presents a credential, a
requested action, and the protected object, and receives a simple permitted or
not permitted decision in return.
5.2.1 Configuration of an aznAPI application
The aznAPI application must establish its own authenticated identity within the
IBM Tivoli Access Manager (Tivoli Access Manager) secure domain in order to
request authorization decisions from the Tivoli Access Manager authorization
service. Before you run the aznAPI application for the first time, you must create
a unique identity for the application in the Tivoli Access Manager secure domain.
In order for the authenticated identity to perform API checks, the application
identity must be a member of the group that matches its implementation mode:
ivacld-servers
Required for applications using local cache mode (the application replicates
the policy database itself, as the ivacld authorization server does).
remote-acl-users
Required for applications using remote cache mode (the application is a client
of the authorization server).
An identity that is in neither group, or only in the group for the other mode,
cannot obtain authorization decisions in the mode the application is configured
for.