Tool Mentor: TAM – Operate Security Protection Mechanisms
TM020 – How to operate security protection mechanisms
Tool: IBM Tivoli Access Manager
Relationships
Main Description

Context

Tool mentors explain how a tool can perform tasks, which are part of ITUP processes and activities. The tasks are listed as Related Elements in the Relationships section.

Details

IBM® Tivoli® Access Manager (TAM) provides a secure, policy-based resource access management solution that enables businesses to address the authentication and authorization of users who are attempting to access resources throughout their environment. TAM has the facilities to provide these security access controls through the use of access control lists, protected object policies, and authentication policies.

Through centralized control, TAM gives organizations the ability to provide security protection mechanisms by dictating which users are allowed to access which resources. By defining a set of access control lists (ACLs), TAM grants or denies access to groups as well as to individual users. Resources within the organization are organized into a tree, and the rights defined on a node cascade hierarchically to the objects beneath it. This organization allows security protection mechanisms to be implemented throughout the environment quickly and efficiently. If a security breach occurs, all access to protected resources within the organization can be locked down to minimize the potential risk. See Chapter 8: "Access Control List Management" in the IBM Tivoli Access Manager Base Administration Guide, version 5.1.

Another security protection mechanism is implemented through the use of Protected Object Policies (POPs). Protected object policies are assigned to specific objects within the resource hierarchy, and they apply security restrictions to those objects regardless of which user is attempting to access them. The purpose of a POP is to impose access conditions on an object based on the time of access and to indicate whether the access request should be audited. POPs also allow for varying levels of authentication depending on the method or origin of the user's authentication request. If the request originates outside a trusted network, for example, stronger authentication might be required for that particular access. Access to specific resources or objects can be marked as an auditable action or not through the use of POPs, which allows fine-grained monitoring of the use of secured resources. See Chapter 9: "Protected Object Policy Management" in the IBM Tivoli Access Manager Base Administration Guide, version 5.1.

When the security protection mechanism relies on user attributes or on environmental factors, IBM Tivoli Access Manager uses authorization rules. Authorization rules provide security protection mechanisms that are based on the attributes of a person or object and on the context and environment surrounding the access decision. For example, an authorization rule can implement a time-of-day policy that depends on the user or group. Businesses can also use a rule to extend the security protection that ACLs provide by implementing a more advanced policy, such as one based on quotas. While an ACL can grant a group permission to write to a resource, a rule can go a step further by checking whether the group has exceeded a specific quota for the week before permitting that group to write to the resource. See Chapter 10: "Authorization Rules Management" in the IBM Tivoli Access Manager Base Administration Guide, version 5.1.

The combination of access control lists, protected object policies, and authorization rules creates comprehensive security access control for the entire environment, effective at both the coarse-grained and the fine-grained level. All ACLs, POPs, and authorization rules that apply to an object or resource must be satisfied before access is granted to a user. These multiple, overlapping layers of restriction allow robust security access controls to be created easily within the enterprise. See Chapter 3, subsection "Security Policy", in the IBM Tivoli Access Manager Administration Guide, version 5.1.
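As an added illustration (not TAM's own code or configuration), the following Python model shows how the three mechanisms described above compose over an object tree: the ACL and POP attached to the nearest ancestor cascade down the hierarchy, and a request is granted only if the ACL, the POP and the authorization rule all permit it. The object names, groups, hours, auth levels and quota value are constructed for the example.

```python
# Constructed object tree (not a real TAM configuration). Each node may carry an
# ACL (group -> permissions), a POP (time window, audit flag, authentication
# strength required from outside the trusted network) and an authorization rule.
TREE = {
    "/WebSEAL/app": {"acl": {"admins": {"r", "w"}, "staff": {"r", "w"}}},
    "/WebSEAL/app/reports": {"pop": {"hours": (8, 18), "audit": True,
                                     "untrusted_auth": "strong"}},
    "/WebSEAL/app/reports/upload": {"rule": "weekly_quota"},
}
WEEKLY_WRITE_QUOTA = 5  # hypothetical per-group quota enforced by the rule


def nearest(obj, key):
    """Walk up the tree: the closest ancestor (or the object itself) carrying
    `key` supplies the policy, modelling how ACLs and POPs cascade down."""
    parts = obj.split("/")
    while parts:
        node = "/".join(parts)
        if node in TREE and key in TREE[node]:
            return TREE[node][key]
        parts.pop()
    return None


def is_allowed(obj, groups, perm, ctx):
    """Evaluate one request. ctx holds 'hour', 'trusted_net', 'auth_level' and
    'writes_this_week'. Returns (granted, audited): every applicable control
    must pass, and the POP decides auditing regardless of the outcome."""
    acl = nearest(obj, "acl")
    # 1. ACL: one of the user's groups must hold the requested permission.
    if acl is None or not any(perm in acl.get(g, set()) for g in groups):
        return False, False
    pop = nearest(obj, "pop")
    audited = bool(pop and pop["audit"])
    if pop:
        # 2. POP: time-of-day window, then stronger auth for untrusted origins.
        start, end = pop["hours"]
        if not start <= ctx["hour"] < end:
            return False, audited
        if not ctx["trusted_net"] and ctx["auth_level"] != pop["untrusted_auth"]:
            return False, audited
    # 3. Authorization rule: a write is refused once the weekly quota is used up.
    if nearest(obj, "rule") == "weekly_quota" and perm == "w" \
            and ctx["writes_this_week"] >= WEEKLY_WRITE_QUOTA:
        return False, audited
    return True, audited
```

Note that the write to the upload object is audited even though the audit flag is set on the parent reports object, and that a quota-exhausted write is refused by the rule even though the ACL permits it.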

For more information

For more information about this tool, see the IBM Tivoli Access Manager tool.