ibm-information-center/dist/eclipse/plugins/i5OS.ic.rzamz_5.4.0.1/rzamzauthorization.htm

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE html
PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html lang="en-us" xml:lang="en-us">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<meta name="security" content="public" />
<meta name="Robots" content="index,follow" />
<meta http-equiv="PICS-Label" content='(PICS-1.1 "http://www.icra.org/ratingsv02.html" l gen true r (cz 1 lz 1 nz 1 oz 1 vz 1) "http://www.rsac.org/ratingsv01.html" l gen true r (n 0 s 0 v 0 l 0) "http://www.classify.org/safesurf/" l gen true r (SS~~000 1))' />
<meta name="DC.Type" content="concept" />
<meta name="DC.Title" content="Authorization" />
<meta name="abstract" content="This information explains the process of authorization, some different authorization methods, and the role it plays in a single signon solution." />
<meta name="description" content="This information explains the process of authorization, some different authorization methods, and the role it plays in a single signon solution." />
<meta name="DC.Relation" scheme="URI" content="rzamzconcepts.htm" />
<meta name="copyright" content="(C) Copyright IBM Corporation 2000, 2006" />
<meta name="DC.Rights.Owner" content="(C) Copyright IBM Corporation 2000, 2006" />
<meta name="DC.Format" content="XHTML" />
<meta name="DC.Identifier" content="rzamzauthorization" />
<meta name="DC.Language" content="en-us" />
<!-- All rights reserved. Licensed Materials Property of IBM -->
<!-- US Government Users Restricted Rights -->
<!-- Use, duplication or disclosure restricted by -->
<!-- GSA ADP Schedule Contract with IBM Corp. -->
<link rel="stylesheet" type="text/css" href="./ibmdita.css" />
<link rel="stylesheet" type="text/css" href="./ic.css" />
<title>Authorization</title>
</head>
<body id="rzamzauthorization"><a name="rzamzauthorization"><!-- --></a>
<h1 class="topictitle1">Authorization</h1>
<div><p>This information explains the process of authorization, some different
authorization methods, and the role it plays in a single signon solution.</p>
<p>Authorization is the process by which a user is granted access to a network
or system resource. Most enterprises use a two-stage process to allow users
to access network assets. The first stage is <a href="rzamzauthentication.htm#rzamzauthentication">authentication</a>. Authentication is the process in which
a user identifies themselves to the enterprise. Typically this requires the
user to provide an identifier and a password to the security component of
the enterprise, which verifies the information that it receives.
After successful authentication, the user is issued a process to run under,
a credential, or a ticket that they can use to demonstrate that they have
already authenticated to the enterprise. An example of user authentication is the
ID and password challenge on an <span class="keyword">iSeries™ Navigator</span> connection.
After successful authentication, the user is assigned a job that runs under
their user ID. The second stage is authorization. It is important to understand
the distinction between authentication and authorization.</p>
<p>Authorization is the process of determining whether an entity or person has
the authority to access an asset within an enterprise. Authorization checks
are done after a user has authenticated to the enterprise, because authorization
requires that the enterprise knows who is trying to gain access. Authorization
checking is mandatory and is performed by the system itself. Users are typically
unaware that authorization checks occur unless their access is denied. An
example of authorization occurs when a user runs the command <samp class="codeph">CRTSRCPF
QGPL/MYFILE</samp>. The system performs authorization checks on the command <samp class="codeph">CRTSRCPF</samp> and
on the library <samp class="codeph">QGPL</samp>. If the user does not have the authority
to access both the command and the library, the request fails.</p>
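<p>The two-stage flow just described, as an added example that is not IBM code: a constructed credential store stands in for authentication, and a small authority model performs the two checks the page names for <samp class="codeph">CRTSRCPF QGPL/MYFILE</samp>. The user profiles, passwords, object authorities and the authorities assumed to be required (*USE on the command, *EXECUTE and *ADD on the library) are all assumptions of this example.</p>

```python
"""Toy model of authenticate-then-authorize, as an added illustration.

This is not IBM code. The user profiles, passwords, objects and the
authorities each request needs are constructed for the example; the
names mimic i5/OS conventions (*CMD, *LIB, *ALLOBJ) only for readability.
"""
from dataclasses import dataclass, field

ALLOBJ = "*ALLOBJ"   # special authority that bypasses object-level checks


@dataclass
class Profile:
    user_id: str
    special_authorities: set = field(default_factory=set)


@dataclass
class SecuredObject:
    name: str
    obj_type: str                                   # "*CMD" or "*LIB"
    private: dict = field(default_factory=dict)     # user_id -> granted authorities
    public: set = field(default_factory=set)        # granted to everyone else


# --- Stage 1: authentication (constructed credential store) ---------------
CREDENTIALS = {"SECOFFICER": "officer-pw", "ITPGM3": "pgm3-pw",
               "PRIMEMKT": "mkt-pw", "GENACNT1": "acnt1-pw"}
PROFILES = {
    "SECOFFICER": Profile("SECOFFICER", {ALLOBJ}),   # all special authority
    "ITPGM3": Profile("ITPGM3"),
    "PRIMEMKT": Profile("PRIMEMKT"),
    "GENACNT1": Profile("GENACNT1"),
}


def authenticate(user_id, password):
    """Return the Profile the user's job will run under, or None on failure."""
    if CREDENTIALS.get(user_id) == password:
        return PROFILES[user_id]
    return None


# --- Stage 2: authorization (constructed object authorities) --------------
OBJECTS = {
    ("CRTSRCPF", "*CMD"): SecuredObject(
        "CRTSRCPF", "*CMD", private={"ITPGM3": {"*USE"}, "PRIMEMKT": {"*USE"}}),
    ("QGPL", "*LIB"): SecuredObject(
        "QGPL", "*LIB", private={"ITPGM3": {"*EXECUTE", "*ADD"}}),
}


def has_authority(profile, obj, required):
    """Special authority wins; otherwise use the user's private or the public grant."""
    if ALLOBJ in profile.special_authorities:
        return True
    granted = obj.private.get(profile.user_id, obj.public)
    return required <= granted


def crtsrcpf(profile, library, file_name):
    """Run the checks the page describes: the command *and* the target library.

    The required authorities (assumed here: *USE on the command, *EXECUTE and
    *ADD on the library) are an assumption of this example.
    """
    checks = [
        (OBJECTS[("CRTSRCPF", "*CMD")], {"*USE"}),
        (OBJECTS[(library, "*LIB")], {"*EXECUTE", "*ADD"}),
    ]
    for obj, required in checks:
        if not has_authority(profile, obj, required):
            # The user only notices authorization when it is denied.
            return (False, f"{profile.user_id} is not authorized to {obj.obj_type} {obj.name}")
    return (True, f"created {library}/{file_name}")


if __name__ == "__main__":
    job = authenticate("ITPGM3", "pgm3-pw")
    print(crtsrcpf(job, "QGPL", "MYFILE"))
    print(crtsrcpf(PROFILES["PRIMEMKT"], "QGPL", "MYFILE"))
```

<p>PRIMEMKT is authorized to the command but not to the library, so the request is denied at the second check; SECOFFICER passes both checks through special authority without any private grant, which is exactly why the EIM mappings discussed below must be set up with care.</p>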
<div class="p">An enterprise that has implemented the <span class="keyword">i5/OS™</span> single
signon solution uses <a href="../rzalv/rzalvmst.htm">Enterprise
Identity Mapping (EIM)</a> to manage user access to enterprise assets.
EIM does not itself perform authorization checks; instead, the identity mapping establishes
the local identities for users that have successfully authenticated into the
enterprise. The source user receives access and privileges on the target
system through that local ID. For example, assume you have the following simple
enterprise environment:
<div class="tablenoborder"><table cellpadding="4" cellspacing="0" summary="" frame="border" border="1" rules="all"><thead align="left"><tr><th align="center" valign="top" width="17.31958762886598%" id="d0e51">Employee Name (EIM Identity)</th>
<th align="center" valign="top" width="17.31958762886598%" id="d0e53">Source Users (EIM Source)</th>
<th align="center" valign="top" width="15.670103092783505%" id="d0e55">Target users for System
A (EIM Target) </th>
<th align="center" valign="top" width="17.11340206185567%" id="d0e57">Employee Responsibility</th>
<th align="center" valign="top" width="32.577319587628864%" id="d0e59">System A User Comments</th>
</tr>
</thead>
<tbody><tr><td valign="top" width="17.31958762886598%" headers="d0e51 ">Susan Doe</td>
<td valign="top" width="17.31958762886598%" headers="d0e53 ">SusanD</td>
<td valign="top" width="15.670103092783505%" headers="d0e55 ">SecOfficer</td>
<td valign="top" width="17.11340206185567%" headers="d0e57 ">IT Security Officer</td>
<td valign="top" width="32.577319587628864%" headers="d0e59 ">All special authority. Has access to all files and information.</td>
</tr>
<tr><td valign="top" width="17.31958762886598%" headers="d0e51 ">Fred Ray</td>
<td valign="top" width="17.31958762886598%" headers="d0e53 ">FredR</td>
<td valign="top" width="15.670103092783505%" headers="d0e55 ">PrimeAcnt</td>
<td valign="top" width="17.11340206185567%" headers="d0e57 ">Lead Accountant</td>
<td valign="top" width="32.577319587628864%" headers="d0e59 ">No special authority. Has access to all payroll information.</td>
</tr>
<tr><td valign="top" width="17.31958762886598%" headers="d0e51 ">Nancy Me</td>
<td valign="top" width="17.31958762886598%" headers="d0e53 ">NancyM</td>
<td valign="top" width="15.670103092783505%" headers="d0e55 ">PrimePGM</td>
<td valign="top" width="17.11340206185567%" headers="d0e57 ">IT Application Team Leader</td>
<td valign="top" width="32.577319587628864%" headers="d0e59 ">No special authority. Has access to all company application
source files.</td>
</tr>
<tr><td valign="top" width="17.31958762886598%" headers="d0e51 ">Brian Fa</td>
<td valign="top" width="17.31958762886598%" headers="d0e53 ">BrianF</td>
<td valign="top" width="15.670103092783505%" headers="d0e55 ">GenAcnt1</td>
<td valign="top" width="17.11340206185567%" headers="d0e57 ">Accountant</td>
<td valign="top" width="32.577319587628864%" headers="d0e59 ">No special authority. Has access to some payroll information.</td>
</tr>
<tr><td valign="top" width="17.31958762886598%" headers="d0e51 ">Tracy So</td>
<td valign="top" width="17.31958762886598%" headers="d0e53 ">TracyS</td>
<td valign="top" width="15.670103092783505%" headers="d0e55 ">ITPgm2</td>
<td valign="top" width="17.11340206185567%" headers="d0e57 ">IT Programmer</td>
<td valign="top" width="32.577319587628864%" headers="d0e59 ">No special authority. Has access to some company application
source files.</td>
</tr>
<tr><td valign="top" width="17.31958762886598%" headers="d0e51 ">Daryl La</td>
<td valign="top" width="17.31958762886598%" headers="d0e53 ">DarylL</td>
<td valign="top" width="15.670103092783505%" headers="d0e55 ">ITPgm3</td>
<td valign="top" width="17.11340206185567%" headers="d0e57 ">IT Programmer</td>
<td valign="top" width="32.577319587628864%" headers="d0e59 ">No special authority. Has access to some company application
source files.</td>
</tr>
<tr><td valign="top" width="17.31958762886598%" headers="d0e51 ">Sherry Te</td>
<td valign="top" width="17.31958762886598%" headers="d0e53 ">SherryT</td>
<td valign="top" width="15.670103092783505%" headers="d0e55 ">PrimeMKT</td>
<td valign="top" width="17.11340206185567%" headers="d0e57 ">Marketing Representative</td>
<td valign="top" width="32.577319587628864%" headers="d0e59 ">No special authority. Has access to all marketing data.</td>
</tr>
</tbody>
</table>
</div>
</div>
<p>It is important that all of the associations between users and resources
are set up correctly. If the associations are incorrect, users
will have access to data outside the scope of their responsibilities, which
is a security concern for most enterprises. System administrators need to
be very careful when creating the EIM mappings and ensure that they map users
to the correct local registry IDs. For example, if you mapped the IT Programmer,
Daryl La, to the SecOfficer ID instead of Susan Doe, you could compromise
the security of the system. This reinforces the fact that security administrators
must still take care in securing the target systems within the enterprise.</p>
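<p>The identity mapping in the table above, plus the mapping mistake this paragraph warns about, as an added example that is not IBM or EIM code. The registry names, the association table (built from the table above) and the audit policy (only the IT Security Officer may map to a profile with special authority, and no target profile should be shared by two identities) are assumptions of this example; in the misconfigured copy Susan Doe keeps her mapping, so the audit also sees a shared profile.</p>

```python
"""EIM-style identity mapping with a defensive audit, as an added example.

Constructed data modelled on the table above; the registry names and the
audit policy are assumptions of this example, not part of EIM itself.
"""
from collections import defaultdict

SOURCE_REGISTRY = "CORP_KERBEROS"   # assumed source registry name
TARGET_REGISTRY = "SYSTEMA"         # assumed target registry name (System A)

# EIM identifier -> {registry: user}, constructed from the table above
ASSOCIATIONS = {
    "Susan Doe": {SOURCE_REGISTRY: "SusanD",  TARGET_REGISTRY: "SecOfficer"},
    "Fred Ray":  {SOURCE_REGISTRY: "FredR",   TARGET_REGISTRY: "PrimeAcnt"},
    "Nancy Me":  {SOURCE_REGISTRY: "NancyM",  TARGET_REGISTRY: "PrimePGM"},
    "Brian Fa":  {SOURCE_REGISTRY: "BrianF",  TARGET_REGISTRY: "GenAcnt1"},
    "Tracy So":  {SOURCE_REGISTRY: "TracyS",  TARGET_REGISTRY: "ITPgm2"},
    "Daryl La":  {SOURCE_REGISTRY: "DarylL",  TARGET_REGISTRY: "ITPgm3"},
    "Sherry Te": {SOURCE_REGISTRY: "SherryT", TARGET_REGISTRY: "PrimeMKT"},
}
RESPONSIBILITY = {
    "Susan Doe": "IT Security Officer", "Fred Ray": "Lead Accountant",
    "Nancy Me": "IT Application Team Leader", "Brian Fa": "Accountant",
    "Tracy So": "IT Programmer", "Daryl La": "IT Programmer",
    "Sherry Te": "Marketing Representative",
}
# Target profiles on System A that carry special authority (from the table)
SPECIAL_AUTHORITY_PROFILES = {"SecOfficer"}
# Assumed policy: only these responsibilities may map to such a profile
ALLOWED_SPECIAL = {"IT Security Officer"}


def map_identity(source_user, associations=ASSOCIATIONS):
    """Resolve a source user to the target user EIM hands to System A."""
    for regs in associations.values():
        if regs.get(SOURCE_REGISTRY) == source_user:
            return regs.get(TARGET_REGISTRY)
    return None


def audit_associations(associations=ASSOCIATIONS):
    """Return a list of policy findings; an empty list means the mappings are clean."""
    findings = []
    by_target = defaultdict(list)
    for identity, regs in associations.items():
        target = regs.get(TARGET_REGISTRY)
        if target is None:
            continue
        by_target[target].append(identity)
        role = RESPONSIBILITY[identity]
        if target in SPECIAL_AUTHORITY_PROFILES and role not in ALLOWED_SPECIAL:
            findings.append(
                f"{identity} ({role}) maps to special-authority profile {target}")
    for target, ids in by_target.items():
        if len(ids) > 1:
            findings.append(f"profile {target} shared by {', '.join(sorted(ids))}")
    return findings


def with_daryl_remapped():
    """The page's misconfiguration: Daryl La associated with SecOfficer."""
    bad = {identity: dict(regs) for identity, regs in ASSOCIATIONS.items()}
    bad["Daryl La"][TARGET_REGISTRY] = "SecOfficer"
    return bad


if __name__ == "__main__":
    print(map_identity("DarylL"), audit_associations())
    print(map_identity("DarylL", with_daryl_remapped()))
    for finding in audit_associations(with_daryl_remapped()):
        print("FINDING:", finding)
```

<p>Running the audit as part of change control, before a new association takes effect, catches the remapping the text describes at the moment it is introduced rather than after DarylL has already been handed the SecOfficer profile.</p>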
</div>
<div>
<div class="familylinks">
<div class="parentlink"><strong>Parent topic:</strong> <a href="rzamzconcepts.htm" title="Use this information to learn about the underlying concepts for single signon for a better understanding of how you can plan to use single signon in your enterprise.">Concepts</a></div>
</div>
</div>
</body>
</html>