This information explains the process of authorization, some different authorization methods, and the role it plays in a single signon solution.
Authorization is a process in which a user is granted access to a network or system resource. Most enterprises use a two-stage process to allow users to access network assets. The first stage of this process is authentication. Authentication is a process in which a user identifies themselves to the enterprise. Typically this requires the user to provide an identifier and a password to the security component of the enterprise. The security component verifies the information that it receives. After a successful authentication, the user is issued a process they can use, a credential, or a ticket to use to demonstrate that they have already authenticated to the enterprise. An example of a user authentication is the ID and password challenge on an iSeries™ Navigator connection. After successful authentication, the user is assigned a job that runs under their user ID. The second stage is authorization. It is important to know the distinction between authentication and authorization.
Authorization is the process of determining if an entity or person has the authority to access an asset within an enterprise. Authorization checks are done after a user has authenticated to the enterprise, because authorization requires that the enterprise knows who is trying to gain access. Authorization checking is mandatory and occurs as part of the system. Users are typically unaware that authorization checks occur unless their access is denied. An example of authorization occurs when a user uses the command CRTSRCPF QGPL/MYFILE. The system performs authorization checks on the command CRTSRCPF and the library QGPL. If the user does not have the authority to access the command and the library, the user's request fails.
| Employee Name (EIM Identity) | Source Users (EIM Source) | Target users for System A (EIM Target) | Employee Responsibility | System A User Comments |
|---|---|---|---|---|
| Susan Doe | SusanD | SecOfficer | IT Security Officer | All special authority. Has access to all files and information. |
| Fred Ray | FredR | PrimeAcnt | Lead Accountant | No special authority. Has access to all payroll information. |
| Nancy Me | NancyM | PrimePGM | IT Application Team Leader | No special authority. Has access to all company application source files. |
| Brian Fa | BrianF | GenAcnt1 | Accountant | No special authority. Has access to some payroll information. |
| Tracy So | TracyS | ITPgm2 | IT Programmer | No special authority. Has access to some company application source files. |
| Daryl La | DarylL | ITPgm3 | IT Programmer | No special authority. Has access to some company application source files. |
| Sherry Te | SherryT | PrimeMKT | Marketing Representative | No special authority. Has access to all marketing data. |
It is important that all of the associations between users and resources are set up correctly. If the associations are incorrect, users will have access to data outside the scope of their responsibilities, which is a security concern for most enterprises. System administrators need to be very careful when creating the EIM mappings and ensure that they map users to the correct local registry IDs. For example if you mapped the IT Programmer, Daryl La, to the SecOfficer ID instead of Susan Doe, you could compromise the security of the system. This reinforces the fact that security administrators must still take care in securing the target systems within the enterprise.