Configuring TAM for authorization using TFIM V6.2
Configure Tivoli® Access Manager (TAM) to enable authorization using Tivoli Federated Identity Manager (TFIM) V6.2.
Procedure
- Check that the action group used by the TFIM authorization module is available. The action group used is WebService:
action group list
If WebService is not listed, create it:
action group create WebService
- Display the action in the action group used by the TFIM authorization module. The action used is "i":
action list WebService
If action "i" <label> 0 is not listed, create it. The value of <label> can vary:
action create i <label> 0 WebService
- Create the Access Control List (ACL) that will be used to grant access to one or more message flows. First, create the ACL and give the administrators access to it. In this example, iv-admin is the administration group and sec_master is the main administrator:
acl create <AclName>
acl modify <AclName> set Group iv-admin TcmdbsvaBRxl[WebService]i
acl modify <AclName> set User sec_master TcmdbsvaBRxl[WebService]i
- Grant access to all authenticated users, or to specific groups, by adding them to the ACL. To grant any authenticated identity access:
acl modify <AclName> set Any-other Trx[WebService]i
To add a specific group:
acl modify <AclName> set group <GroupName> Trx[WebService]i
In these strings, each occurrence of Trx[ ] is an action, and corresponds to the value of the stsuser Action context attribute that is passed into the TAMAuthorizationSTSModule. For more information, see Authentication, mapping, and authorization with TFIM V6.2 and TAM.
- Create a protected object space path in TAM that corresponds to the value of the stsuser ObjectName context attribute that is passed into the TAMAuthorizationSTSModule, using the following command syntax:
objectspace create /<ObjectName>
For more information, see Authentication, mapping, and authorization with TFIM V6.2 and TAM.
- Attach the ACL to the protected object space path that
you have created. Each node in the object space inherits ACLs from its parent, and a lower level ACL can override a higher level one. Use the following command syntax to attach an ACL to a node in the object space path:
acl attach /<ObjectSpacePath> <AclName>
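The permission strings used above (TcmdbsvaBRxl[WebService]i for the administrators, Trx[WebService]i for everyone else) follow the TAM ACL format: primary-action letters, then one or more [ActionGroup] segments each followed by the letters granted in that group. The following Python is an added example, not part of the IBM documentation; it parses such strings and reports which ACL entries grant the "i" action in WebService, so an administrator can review who the TFIM authorization module will let through. The SAMPLE_ACL entries are constructed from the commands in this procedure.

```python
import re
from typing import Dict, FrozenSet, List, Set, Tuple

# One "[ActionGroup]letters" segment of a TAM permission string.
_SEGMENT = re.compile(r"\[([^\]]+)\]([A-Za-z]*)")


def parse_permissions(perm: str) -> Dict[str, FrozenSet[str]]:
    """Split a TAM permission string into {action_group: set_of_actions}.

    The letters before the first '[' are the primary action group, keyed
    here as "primary". Raises ValueError if the string has stray text.
    """
    head, _, _ = perm.partition("[")
    groups: Dict[str, Set[str]] = {"primary": set(head)}
    consumed = head
    for m in _SEGMENT.finditer(perm):
        groups.setdefault(m.group(1), set()).update(m.group(2))
        consumed += m.group(0)
    if consumed != perm:
        raise ValueError(f"malformed permission string: {perm!r}")
    return {name: frozenset(acts) for name, acts in groups.items()}


def grants(perm: str, action: str, group: str = "primary") -> bool:
    """True if the permission string grants `action` in `group`."""
    return action in parse_permissions(perm).get(group, frozenset())


# Constructed ACL mirroring the entries created in the procedure above:
# (entry type, name) -> permission string.
SAMPLE_ACL: Dict[Tuple[str, str], str] = {
    ("Group", "iv-admin"): "TcmdbsvaBRxl[WebService]i",
    ("User", "sec_master"): "TcmdbsvaBRxl[WebService]i",
    ("Any-other", ""): "Trx[WebService]i",
}


def identities_with(acl: Dict[Tuple[str, str], str],
                    action: str, group: str) -> List[str]:
    """Names of ACL entries that grant `action` in `group`, sorted."""
    return sorted(f"{kind} {name}".strip()
                  for (kind, name), perm in acl.items()
                  if grants(perm, action, group))


if __name__ == "__main__":
    # Who can invoke via the TFIM module, and who holds admin-level primary actions?
    print("WebService i:", identities_with(SAMPLE_ACL, "i", "WebService"))
    print("primary a  :", identities_with(SAMPLE_ACL, "a", "primary"))
```

Run against the real output of "acl show <AclName>" to confirm that only the intended groups carry the "i" action, and that Any-other has no administrative primary actions.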