Chapter 5. Programming 193
The attributes retrieved by the credential attributes entitlement service do not
necessarily have to be placed directly into a user credential. These name/value
pairs from the user registry are placed into an attribute list, which can then be
used for purposes other than adding information to a user credential.
This built-in registry attribute entitlement service is a generic entitlement service
that can be used by many resource managers.
High-level configuration steps are the following:
1. As with any entitlement service plug-in, credential attribute entitlement
services are declared in the configuration file (for example webseald.conf)
under the stanza entry [aznapi-entitlement-services]. The value for the
registry attribute retrieval service that is part of the Tivoli Access Manager
runtime environment is
2. Along with the ID definition of an entitlement service we need to define
automatic loading of the service. Services to be automatically called by
azn_id_get_creds2() must also be listed in the [aznapi-configuration]
stanza. Services listed under this stanza are enabled and called
automatically. To specify that the service ID refers to a credential attributes
entitlement service, use the keyword
3. At the end, we need to provide several stanzas that specify the attributes to
be added to the credential.
Dynamic ADI retrieval services
This class of entitlement service is designed to fulfill requests for access decision
information (ADI) that is needed for the Tivoli Access Manager authorization
engine to perform an authorization rule evaluation. To meet the classification of
attribute retrieval service the entitlement service needs to take a specific set of
inputs and return to the caller a specific set of outputs in XML format. Dynamic
ADI retrieval services are configured in the same way as other entitlement
services. To have the authorization rules evaluator call a dynamic ADI retrieval
service when ADI is required to complete a rule evaluation, you must specify the
service ID of the entitlement service as a value for the configuration file entry
dynamic-adi-entitlement-services or specified to the azn_initialize() application
interface using the initialization attribute
azn_init_dynamic_adi_entitlement_services. Multiple service IDs can be
specified in this way. They are called in the order in which they are specified in
the configuration setting or initialization parameter.
5.2.3 External Authorization Service (EAS)
The External Authorization Service (EAS) interface provides support for
application-specific extensions to the authorization engine. You can use an
194 Certification Study Guide: IBM Tivoli Access Manager for e-business 6.0
external authorization service plug-in to force authorization decisions to be made
based on application-specific criteria that are not known to the Tivoli Access
Manager authorization service. Each external authorization service plug-in is a
standalone module that is dynamically loaded into the authorization service. This
enables system designers to supplement Access Manager authorization with
their own authorization models. The external authorization service allows you to
impose additional authorization controls and conditions that are dictated by a
separate, external, authorization service module.
An EAS is accessed via an authorization
callout, which is triggered by the
presence of a particular bit in the ACL that is attached to a protected object. The
callout is made directly by the Authorization Service.
In the current release of Access Manager, the EAS interface is supported via a
simple Authorization Service plug-in capability. This allows an EAS to be
constructed as a loadable shared library. The EAS architecture is summarized in
Figure 5-6.
Figure 5-6 EAS architecture
Implementing an EAS
Two general steps are required to set up an External Authorization Service:
1. Write an external resource manager service plug-in module with an
authorization interface that can be referenced during authorization decisions.
2. Register the external authorization service with the resource manager so that
the resource manager can load the plug-in service at initialization time.
EAS Shared
EAS Module
The EAS shared library provides the
application programming interface to
support the custom authentication
The custom EAS Module provides the
authentication-method-specific functions
to interface with the authentication target
system or registry.
The user sends a request for a resource
To Resource Manager
The authorization subsystem forwards
the access request for the resource to
the custom EAS module
Resource Manager asks the authorization
engine whether the user is permitted to
access the requested resource

Get Certification Study Guide: IBM Tivoli Access Manager for e-business 6.0 now with the O’Reilly learning platform.

O’Reilly members experience live online training, plus books, videos, and digital content from nearly 200 publishers.