Chapter 5. Programming 193
The attributes retrieved by the credential attributes entitlement service do not
necessarily have to be placed directly into a user credential. These name/value
pairs from the user registry are placed into an attribute list, which can then be
used for purposes other than adding information to a user credential.
This built-in registry attribute entitlement service is a generic entitlement service
that can be used by many resource managers.
High-level configuration steps are the following:
1. As with any entitlement service plug-in, credential attribute entitlement
services are declared in the configuration file (for example, webseald.conf)
under the stanza [aznapi-entitlement-services]. The value for the registry
attribute retrieval service that is part of the Tivoli Access Manager runtime
environment is azn_ent_cred_attrs.
2. Along with the ID definition of an entitlement service, we need to configure
the service to be loaded automatically. Services to be automatically called by
azn_id_get_creds2() must also be listed in the [aznapi-configuration]
stanza. Services listed under this stanza are enabled and called
automatically. To specify that the service ID refers to a credential attributes
entitlement service, use the keyword cred-attribute-entitlement-services.
3. Finally, we need to provide several stanzas that specify the attributes to
be added to the credential.
Dynamic ADI retrieval services
This class of entitlement service is designed to fulfill requests for access decision
information (ADI) that is needed for the Tivoli Access Manager authorization
engine to perform an authorization rule evaluation. To qualify as an
attribute retrieval service, the entitlement service needs to take a specific set of
inputs and return to the caller a specific set of outputs in XML format. Dynamic
ADI retrieval services are configured in the same way as other entitlement
services. To have the authorization rules evaluator call a dynamic ADI retrieval
service when ADI is required to complete a rule evaluation, you must specify the
service ID of the entitlement service either as a value for the configuration file
entry dynamic-adi-entitlement-services or through the azn_initialize() application
interface using the initialization attribute
azn_init_dynamic_adi_entitlement_services. Multiple service IDs can be
specified in this way. They are called in the order in which they are specified in
the configuration setting or initialization parameter.
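The following webseald.conf fragment is an added example, not taken from this book, that walks through the three credential attribute configuration steps above and the dynamic ADI entry in one place. The service ID TAM_CRED_ATTRS_SVC, the per-service stanza layout ([TAM_CRED_ATTRS_SVC] and [TAM_CRED_ATTRS_SVC:eperson]), the attribute names and the custom ADI service entry are assumptions for illustration; the exact stanza layout for step 3 should be checked against the WebSEAL administration documentation for the installed release.

```ini
# webseald.conf fragment (added example; stanza and attribute names are assumptions)

[aznapi-entitlement-services]
# Step 1: declare the built-in registry attribute service under an ID of our choosing.
TAM_CRED_ATTRS_SVC = azn_ent_cred_attrs
# A custom dynamic ADI retrieval plug-in is declared the same way;
# the library name below is an obvious placeholder, not a real file.
MY_ADI_SVC = <path-to-custom-adi-retrieval-library>

[aznapi-configuration]
# Step 2: have azn_id_get_creds2() call the service automatically whenever a
# credential is built, so every credential carries the mapped registry attributes.
cred-attribute-entitlement-services = TAM_CRED_ATTRS_SVC
# Dynamic ADI retrieval: when a rule needs ADI that is not already in the
# credential or request, listed services are called in this order.
dynamic-adi-entitlement-services = MY_ADI_SVC

# Step 3 (assumed layout): the service stanza names the registry entry type to
# query and the credential attribute holding the identity to look up.
[TAM_CRED_ATTRS_SVC]
eperson = azn_cred_registry_id

# Per entry type: <name of attribute added to the credential> = <registry attribute read>.
# Map only the attributes that authorization rules actually consume; every
# value listed here ends up in the credential of every authenticated user.
[TAM_CRED_ATTRS_SVC:eperson]
tagvalue_credattrs_lastname = sn
tagvalue_credattrs_employeetype = employeetype
```

After changing these stanzas, restart WebSEAL and confirm with a test user that the expected attributes appear in the credential and that no unintended registry fields have been exposed.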
5.2.3 External Authorization Service (EAS)
The External Authorization Service (EAS) interface provides support for
application-specific extensions to the authorization engine. You can use an