Configuring TAM for authorization using TFIM V6.1

This topic describes how to configure Tivoli® Access Manager (TAM) to enable authorization using Tivoli Federated Identity Manager (TFIM) V6.1.

About this task

To configure TAM to process authorization requests from TFIM, complete the following steps. The examples use the pdadmin utility of TAM Version 6.01:

Procedure

  1. Check that the action group used by the TFIM authorization module is available.
    The action group used is WebService:

    action group list

    If WebService is not listed, create it:

    action group create WebService
  2. Display the action in the action group used by the TFIM authorization module.
    The action used is "i":

    action list WebService

    If action "i" <label> 0 is not listed, create it. The value of <label> can vary:

    action create i <label> 0 WebService
  3. Create the Access Control List (ACL) that will be used to grant access to one or more message flows.
    First, create the ACL and give the administrators access to it. In this example, iv-admin is the administration group and sec_master is the main administrator:

    acl create <AclName>
    acl modify <AclName> set Group iv-admin TcmdbsvaBRxl[WebService]i
    acl modify <AclName> set User sec_master TcmdbsvaBRxl[WebService]i
  4. Grant access to all authenticated users, or to specific groups, by adding them to the ACL. To grant any authenticated identity access:

    acl modify <AclName> set Any-other Trx[WebService]i

    To add a specific group:

    acl modify <AclName> set group <GroupName> Trx[WebService]i
  5. Define protected object spaces in TAM for authorization of message flows:
    1. Create the application container object as the root of the protected object space.
      This is the name that is used to link an instance of a TFIM AuthorizationSTSModule (within a module chain) into the TAM object space. The container object name is specified to match the Web Service protected object name parameter on a TFIM Authorization module.

      objectspace create /<ContainerObjectName> <Description> 14

    2. Create the container objects in the tree for each integration node message flow that is being authorized.
      The message flow name is used by TFIM to locate a point in the TAM Object Space tree for authorization, through the attached ACL. The message flow name is passed as the PortType in the WS-Trust request to TFIM. Use the following command to create the object tree node representing each flow to be authorized:

      object create /<ContainerObjectName>/<FlowName> <Description> 11 ispolicyattachable yes

      The ispolicyattachable parameter applies to all levels, so you can attach an ACL at any level.

    3. Create the leaf object that represents the authorized object to grant access to the message flow.
      This is the fixed string MessageFlowAccess, which the integration node sends to TFIM through the TFIM OperationName extension to the WS-Trust request. A fixed name (MessageFlowAccess) is used instead of a true operation name, because the integration node does not necessarily know at the input node which operation a flow is going to perform. The command syntax is:

      object create /<ContainerObjectName>/<FlowName>/MessageFlowAccess <Description> 12 ispolicyattachable yes

      where <FlowName> has been created in the previous step.

  6. Attach the ACL to the relevant node in the protected object space tree.
    Each node in the object space inherits ACLs from its parent, and a lower-level ACL can override a higher-level one. Use the following command syntax to attach an ACL to a node in the object space:

    acl attach /<ObjectSpacePath> <AclName>

    To attach an ACL to the leaf node:

    acl attach /<ContainerObjectName>/<FlowName>/MessageFlowAccess <AclName>
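The six steps above, collected into one script as an added example (not part of this page or of the TAM/TFIM product): it generates the complete pdadmin command sequence for one container object, one message flow and one ACL so the result can be reviewed before being run, and it includes a check that a permission string actually carries the "i" action of the WebService group, which is the permission the TFIM authorization module tests. The object names, the action label and the description strings are constructed placeholders; the script assumes pdadmin is started with the generated file as its command file (pdadmin -a sec_master -p <password> tam-tfim.pdadmin).

```shell
#!/bin/sh
# Permission strings taken from the procedure: administrators get the full
# set, ordinary callers get traverse/read/execute plus the WebService "i" action.
ADMIN_PERMS='TcmdbsvaBRxl[WebService]i'
USER_PERMS='Trx[WebService]i'

# gen_tam_auth_commands CONTAINER FLOW ACL [GROUP]
# Prints the pdadmin commands for steps 1 to 6. With no GROUP, step 4 grants
# access to Any-other (every authenticated identity) instead of one group.
gen_tam_auth_commands() {
    container=$1; flow=$2; acl=$3; group=$4
    # Steps 1 and 2: WebService action group and its "i" action. Remove these
    # two lines when "action group list" / "action list WebService" already
    # show them. "WebServiceInvoke" is a constructed label; any label works.
    echo "action group create WebService"
    echo "action create i WebServiceInvoke 0 WebService"
    # Step 3: the ACL, with administrator access for iv-admin and sec_master.
    echo "acl create $acl"
    echo "acl modify $acl set Group iv-admin $ADMIN_PERMS"
    echo "acl modify $acl set User sec_master $ADMIN_PERMS"
    # Step 4: one named group, or every authenticated identity.
    if [ -n "$group" ]; then
        echo "acl modify $acl set group $group $USER_PERMS"
    else
        echo "acl modify $acl set Any-other $USER_PERMS"
    fi
    # Step 5: container root (type 14), flow node (type 11) and the fixed
    # MessageFlowAccess leaf (type 12), all policy-attachable.
    echo "objectspace create /$container \"TFIM authorization root\" 14"
    echo "object create /$container/$flow \"Message flow $flow\" 11 ispolicyattachable yes"
    echo "object create /$container/$flow/MessageFlowAccess \"Access to $flow\" 12 ispolicyattachable yes"
    # Step 6: attach the ACL at the leaf only, so other flows under the same
    # container are not granted access by inheritance.
    echo "acl attach /$container/$flow/MessageFlowAccess $acl"
}

# has_webservice_action PERMS
# Succeeds only when PERMS contains "[WebService]" followed by an "i" before
# any other "[group]" section, i.e. the WebService "i" action is granted.
has_webservice_action() {
    rest=${1#*"[WebService]"}
    [ "$rest" != "$1" ] || return 1          # no WebService section at all
    case ${rest%%\[*} in
        *i*) return 0 ;;
        *)   return 1 ;;
    esac
}

# Example run with constructed names; redirect to a file for pdadmin.
gen_tam_auth_commands MyContainer OrderFlow OrderFlowAcl WebUsers
```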