
Tivoli Access Manager Authorization API (aznAPI)

Chapter 2. Planning

2.5 Interfaces

2.5.1 Tivoli Access Manager Authorization API (aznAPI)

The Access Manager aznAPI provides a standard programming and management model for integrating authorization requests and decisions with applications. Use of the aznAPI enables applications to utilize fine-grained access control for application-controlled resources.

Application-specific resources may be individually defined and added to the protected object space, and maintained in the authorization database in the same manner that WebSEAL and other standard Access Manager blades define their respective resources. ACLs, POPs, and authorization rules can be attached to these application objects, and aznAPI calls can then be used to access the Access Manager Authorization Service to obtain authorization decisions.

The authorization API provides common initialization and shutdown interface calls for use by the service plug-ins. The authorization API also provides additional interfaces that are specific to each of the service plug-ins.
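The following added example (not IBM's code) models the flow the paragraphs above describe: an application adds its own branch to the protected object space, attaches ACLs to those objects, and asks for an authorization decision. The object paths, ACL names, principals and permission letters are constructed for the example; the ACL evaluation order (explicit user entry, then group entries, then any-other, with unauthenticated permissions bounded by any-other) and inheritance from the nearest ancestor with an ACL are modeled on Access Manager's documented behaviour, not taken from the library.

```python
# Added example: a model of application objects in a protected object space
# with attached ACLs and an aznAPI-style decision call. All names constructed.
from dataclasses import dataclass, field


@dataclass
class Credential:
    principal: str
    groups: set = field(default_factory=set)
    authenticated: bool = True


@dataclass
class Acl:
    """Entries map a user or group to a set of permission letters
    (modeled on TAM's 'T', 'r', 'x', ...); any_other and unauthenticated
    are the two special entries."""
    name: str
    users: dict = field(default_factory=dict)
    groups: dict = field(default_factory=dict)
    any_other: set = field(default_factory=set)
    unauthenticated: set = field(default_factory=set)

    def permissions_for(self, creds):
        if not creds.authenticated:
            # Unauthenticated permissions never exceed what any-other grants.
            return self.unauthenticated & self.any_other
        # An explicit user entry governs on its own; group entries are ignored.
        if creds.principal in self.users:
            return set(self.users[creds.principal])
        granted = set()
        for group, perms in self.groups.items():
            if group in creds.groups:
                granted |= set(perms)
        return granted if granted else set(self.any_other)


class ProtectedObjectSpace:
    def __init__(self):
        self._acls = {}  # normalized object path -> Acl

    @staticmethod
    def _norm(path):
        return "/" + path.strip("/")

    def attach_acl(self, path, acl):
        self._acls[self._norm(path)] = acl

    def effective_acl(self, path):
        """An object without its own ACL inherits the nearest ancestor's."""
        path = self._norm(path)
        while True:
            if path in self._acls:
                return self._acls[path]
            if path == "/":
                return None
            path = path.rsplit("/", 1)[0] or "/"

    def access_allowed(self, creds, path, operation):
        """Decision call: permitted only if the effective ACL grants the letter."""
        acl = self.effective_acl(path)
        if acl is None:
            return False  # no policy reachable: deny by default
        return operation in acl.permissions_for(creds)


def build_sample_space():
    """Constructed sample: an order application adds its own branch."""
    space = ProtectedObjectSpace()
    space.attach_acl("/", Acl("default-root", any_other={"T"}, unauthenticated={"T"}))
    space.attach_acl("/OrderApp", Acl("orderapp-acl",
                                      users={"auditor": {"T", "r"}},
                                      groups={"clerks": {"T", "r", "x"}},
                                      any_other={"T"}))
    space.attach_acl("/OrderApp/admin", Acl("orderapp-admin",
                                            groups={"order-admins": {"T", "r", "x", "d"}}))
    return space
```

Because `/OrderApp/orders/42` has no ACL of its own, a decision on it resolves to `orderapp-acl`; the `auditor` user entry shows why an explicit user entry matters: it overrides the more permissive `clerks` group entry.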

Authorization service plug-ins

The Tivoli Access Manager authorization API supports a service plug-in model.

This model enables developers to write plug-in modules that extend the capabilities of the Tivoli Access Manager authorization service. Developers of third party applications can use authorization API functions that access the service plug-in interface to perform authorization operations that are specific to the Tivoli Access Manager secure domain.

Authorization service plug-ins are shared libraries written by application developers. Developers create these libraries to implement a domain-specific task for the domain-specific application. The types of data passed between the service plug-in and the application are also domain-specific. This means that the only restrictions on the data types are the parameter definitions in the authorization API service functions. The data can be in a format that is unknown to the Tivoli Access Manager authorization server. The data is passed unchanged through the authorization service dispatcher to the authorization service plug-ins.

Authorization service plug-ins are identified by a unique identification number (ID). The service dispatcher uses the unique ID number to load the service plug-in. The service dispatcher can optionally pass initialization parameters to the service plug-in. The service plug-in can optionally return service information, such as the plug-in version number, to the service dispatcher.

This modular plug-in authorization service architecture is shown in Figure 2-10 on page 53. The authorization service plug-in architecture features the following major objects:

• Authorization service plug-in dispatcher

• Service plug-in modules

• Calling applications

When an external application needs authorization information, it sends a request to the service dispatcher. The service dispatcher vectors the request to the appropriate service plug-in.

Figure 2-10 Authorization service plug-in architecture

Figure 2-10 shows that the authorization service supports these types of service plug-ins:

• Entitlement service

• Credentials modification service

• Privilege attribute certificate (PAC) service

• Administration service

• External authorization service

Entitlement services

An entitlement service plug-in enables domain-specific authorization API applications to retrieve the entitlements for a user from a domain-specific policy repository. The application can use this entitlements information as needed. For example:

• An application can allow or deny a user request for access to a protected action or protected resource, based on the user's entitlements.

• A graphical user interface application can use entitlements information to construct a graphical view of the Tivoli Access Manager secure domain that contains only those protected objects that the user is authorized to view.

Tivoli Access Manager also supports two sub-classes of entitlement service known as:

• The dynamic ADI retrieval service

• The credential attribute service

Credentials modification service

A credentials modification service plug-in enables domain-specific authorization API applications to perform modifications on a Tivoli Access Manager credential.

Then, the credentials modification service can return this modified credential for use by the calling application. Applications can use this service to add additional information to a user’s credential. For example, this additional information could include the user’s credit card number and the user’s credit limit.

Privilege attribute certificate service

A privilege attribute certificate (PAC) service plug-in gives domain-specific authorization API applications the ability to move Tivoli Access Manager credentials back and forth between the native Tivoli Access Manager credentials format and an alternate format called privilege attribute certificates (PAC).

Applications can convert user credentials to PACs for use within other authorization domains. Applications can then pass the PACs to a server in another authorization domain and perform an operation. For example, customers can write a PAC service implementation to transform the attributes in Tivoli Access Manager credentials into a SAML assertion, an attribute certificate, or some other standardized PAC format used by other elements of the business model.
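The added example below (not IBM's code, and not the C shared-library interface real plug-ins implement) models, in one place, the service dispatcher from the architecture section and three of the plug-in types just described: an entitlement service backed by a domain-specific repository, a credentials modification service that returns a new credential, and a PAC service that converts credentials to a portable format and back. Service IDs, the repository contents, the attribute names and the PAC layout (JSON body plus an HMAC tag under a constructed key) are all assumptions of the example; the dispatcher passes the domain-specific data through without inspecting it, as the text describes.

```python
# Added example: model of the service dispatcher plus entitlement, credentials
# modification and PAC plug-ins. All IDs, data and the PAC format are constructed.
import copy
import hashlib
import hmac
import json
from dataclasses import dataclass, field


@dataclass
class Credential:
    principal: str
    groups: list
    attributes: dict = field(default_factory=dict)


class ServicePluginDispatcher:
    """Loads plug-ins under a unique service ID and routes calls to them
    without inspecting the domain-specific arguments or results."""

    def __init__(self):
        self._plugins = {}
        self.service_info = {}  # service ID -> info the plug-in returned at load

    def load(self, service_id, plugin, init_params=None):
        if service_id in self._plugins:
            raise ValueError(f"service ID {service_id!r} already loaded")
        # Initialization parameters and returned service info are both optional.
        self.service_info[service_id] = plugin.initialize(init_params or {})
        self._plugins[service_id] = plugin

    def call(self, service_id, operation, *args):
        try:
            plugin = self._plugins[service_id]
        except KeyError:
            raise LookupError(f"no service plug-in loaded as {service_id!r}") from None
        return getattr(plugin, operation)(*args)

    def shutdown(self):
        for plugin in self._plugins.values():
            plugin.shutdown()
        self._plugins.clear()


class EntitlementService:
    """Looks up a user's entitlements in a domain-specific repository (a dict)."""

    def initialize(self, params):
        self._repository = params.get("repository", {})
        return {"type": "entitlement", "version": "1.0"}

    def shutdown(self):
        self._repository = {}

    def get_entitlements(self, creds, input_data):
        found = dict(self._repository.get("user:" + creds.principal, {}))
        for group in creds.groups:
            for name, value in self._repository.get("group:" + group, {}).items():
                found.setdefault(name, value)  # a user-level value wins over a group value
        wanted = input_data.get("names")  # optional filter, meaningful only to this plug-in
        return {k: v for k, v in found.items() if k in wanted} if wanted else found


class CredentialsModificationService:
    """Returns a new credential with added attributes; the original is untouched."""

    def initialize(self, params):
        return {"type": "credentials-modification", "version": "1.0"}

    def shutdown(self):
        pass

    def modify(self, creds, mod_info):
        modified = copy.deepcopy(creds)
        modified.attributes.update(mod_info)
        return modified


class PacService:
    """Converts credentials to a PAC (JSON body + HMAC-SHA256 tag) and back;
    the tag lets the receiving domain reject a PAC altered in transit."""

    def initialize(self, params):
        self._key = params["signing_key"]
        return {"type": "pac", "version": "1.0"}

    def shutdown(self):
        self._key = None

    def creds_to_pac(self, creds):
        body = json.dumps({"principal": creds.principal, "groups": creds.groups,
                           "attributes": creds.attributes}, sort_keys=True)
        return body + "." + hmac.new(self._key, body.encode(), hashlib.sha256).hexdigest()

    def pac_to_creds(self, pac):
        body, _, tag = pac.rpartition(".")  # the hex tag contains no '.'
        expected = hmac.new(self._key, body.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, tag):
            raise ValueError("PAC integrity check failed")
        data = json.loads(body)
        return Credential(data["principal"], data["groups"], data["attributes"])


def build_dispatcher():
    """Constructed wiring: three plug-ins under three distinct service IDs."""
    d = ServicePluginDispatcher()
    d.load("ent-orders", EntitlementService(), {"repository": {
        "user:alice": {"max_order": 5000},
        "group:clerks": {"max_order": 1000, "can_refund": False},
        "group:managers": {"can_refund": True}}})
    d.load("mod-finance", CredentialsModificationService())
    d.load("pac-hmac", PacService(), {"signing_key": b"constructed-example-key"})
    return d
```

Two design points worth noticing: the dispatcher refuses to load a second plug-in under an ID already in use, since the ID is what routes every later call; and the PAC carries an integrity tag, because a credential that leaves its home domain as plain data can otherwise be edited before the other domain acts on it. A real deployment would use a key shared or negotiated with the receiving domain rather than the constructed one here.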

Administration service

An administration service plug-in enables applications to perform application-specific administration tasks on protected object resources that are secured in the Tivoli Access Manager secure domain. The administration service provides functions that enable a plug-in to obtain the contents of a defined

define application-specific administration tasks, and to return commands that perform those tasks.

The administration service plug-in is accessed by a calling application that sends Tivoli Access Manager administration API calls. The calling application can be either an administrative utility such as the Tivoli Access Manager pdadmin command or the Tivoli Access Manager Web Portal Manager, or it can be a custom-built application. The administration service maps the administration API calls to the corresponding administration service API calls, and carries out the requested action.

External authorization service

An external authorization service plug-in is an optional extension of the Tivoli Access Manager authorization service that allows you to impose additional authorization controls and conditions. You can use an external authorization service plug-in to force authorization decisions to be made based on application-specific criteria that are not known to the Tivoli Access Manager authorization service.
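As an added example (not IBM's code), the block below models how an external authorization service is combined with the standard decision: the standard policy is evaluated first, and the external service can only add conditions the authorization service itself knows nothing about, here a per-user order limit carried in a credential attribute and a service window. The resource, operation, principals, attribute names, limits and the rule that the external service is consulted only for requests the standard policy permits are all assumptions of this model.

```python
# Added example: model of an external authorization service (EAS) layered on
# the standard decision. Policy, principals and criteria are constructed.
from dataclasses import dataclass, field


@dataclass
class Credential:
    principal: str
    attributes: dict = field(default_factory=dict)


@dataclass
class Decision:
    permitted: bool
    reason: str


def standard_decision(creds, resource, operation):
    """Stand-in for the Access Manager decision: a constructed static policy
    mapping (resource, operation) to the principals allowed to perform it."""
    policy = {("/OrderApp/orders", "x"): {"alice", "bob"}}
    allowed = creds.principal in policy.get((resource, operation), set())
    return Decision(allowed, "permitted by standard policy" if allowed
                    else "denied by standard policy")


class OrderLimitEas:
    """Application-specific criteria: an order limit held in the credential
    and a service window, neither of which the authorization service sees."""

    def __init__(self, open_hour=8, close_hour=18):
        self.open_hour = open_hour
        self.close_hour = close_hour

    def evaluate(self, creds, resource, operation, context):
        amount = context.get("amount", 0)
        limit = creds.attributes.get("order_limit", 0)  # missing attribute => limit 0
        if amount > limit:
            return Decision(False, f"amount {amount} exceeds order limit {limit}")
        hour = context.get("hour")
        if hour is None or not self.open_hour <= hour < self.close_hour:
            return Decision(False, "outside service window")
        return Decision(True, "permitted by external authorization service")


def access_allowed(creds, resource, operation, context, eas):
    """Combined decision: the EAS can narrow a permit but never widen a deny."""
    base = standard_decision(creds, resource, operation)
    if not base.permitted:
        return base  # in this model the EAS is not consulted for a denied request
    return eas.evaluate(creds, resource, operation, context)
```

Returning a reason with every decision is deliberate: when an external service denies something the standard policy allowed, operators need to see which condition fired, otherwise the combined result is hard to audit or troubleshoot.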