Sun Java System Access Manager 7 2005Q4 Administration Guide

Chapter 5 Managing Realms

An access control realm is a group of authentication properties and authorization policies you can associate with a user or group of users. Realm data is stored in a proprietary information tree that Access Manager creates within a data store you specify. The Access Manager framework aggregates policies and properties contained in each realm within the Access Manager information tree. By default, Access Manager 7 automatically inserts the Access Manager information tree as a special branch in Sun Java Enterprise System Directory Server, apart from the user data. You can use access control realms while using any LDAPv3 database.

For more information on realms, see the Sun Java System Access Manager 7 2005Q4 Technical Overview.

In the Realms tab, you can configure the following properties for access control:

Creating and Managing Realms

This section describes how to create and manage realms.

Procedure: To Create a New Realm

  1. Select New from the Realms list under the Access Control tab.

  2. Define the following general attributes:

    Name

    Enter a name for the Realm.

    Parent

    Defines the location of the realm that you are creating. Select the parent realm under which the new realm will exist.

  3. Define the following realm attributes:

    Realm Status

    Choose a status of active or inactive. The default is active. You can change the status at any time during the life of the realm by selecting the Properties icon. Choosing inactive prevents users from logging in to the realm.

    Realm/DNS Aliases

    Adds alias names for the DNS name of the realm. This attribute accepts only real domain aliases; arbitrary strings are rejected.

  4. Click OK to save or Cancel to return to the previous page.

General Properties

The General Properties page displays the basic attributes for a realm. To modify these properties, click the realm from the Realm Names list under the Access Control tab. Then, edit the following properties:

Realm Status

Choose a status of active or inactive. The default is active. You can change the status at any time during the life of the realm by selecting the Properties icon. Choosing inactive prevents users from logging in to the realm.

Realm/DNS Aliases

Adds alias names for the DNS name of the realm. This attribute accepts only real domain aliases; arbitrary strings are rejected.

Once you edit the properties, click Save.

Authentication

The core authentication service must be registered with a realm before any user can log in through the other authentication modules. The core authentication service lets the Access Manager 7 administrator define default values for a realm's authentication parameters. These defaults apply whenever the specified authentication module does not define an overriding value. The default values for the Core Authentication Service are defined in the amAuth.xml file and stored in Directory Server after installation.

For more information, see Chapter 7, Managing Authentication.

Services

In Access Manager, a service is a group of attributes that are managed together by the Access Manager console. The attributes can be just bits of related information such as an employee's name, job title, and email address. But attributes are typically used as configuration parameters for a software module such as a mail application or payroll service.

Through the Services tab, you can add and configure a number of Access Manager default services to a realm. You can add the following services:


Note –

Access Manager requires that every required attribute in a service .xml file has a default value. If a service has required attributes with no values, add default values and then reload the service.


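A pre-load check for the condition described in the note above, written as an added example rather than code from this guide or from Access Manager itself. It assumes the service file layout of the Access Manager service DTD (AttributeSchema elements whose any attribute carries the required flag, with defaults under DefaultValues/Value); the service name and attribute names in the embedded sample are constructed.

```python
"""Flag required attributes in a service .xml file that carry no default value."""
import xml.etree.ElementTree as ET

# Constructed sample service definition (assumption: element and attribute
# names follow the Access Manager service DTD; adjust for your own files).
SAMPLE_SERVICE_XML = """
<ServicesConfiguration>
  <Service name="examplePayrollService" version="1.0">
    <Schema>
      <Organization>
        <AttributeSchema name="payroll-server-url" type="single"
                         syntax="string" any="required">
          <DefaultValues><Value>https://payroll.example.com</Value></DefaultValues>
        </AttributeSchema>
        <AttributeSchema name="payroll-admin-dn" type="single"
                         syntax="string" any="required">
          <DefaultValues/>
        </AttributeSchema>
        <AttributeSchema name="payroll-timeout" type="single"
                         syntax="number" any="required|display"/>
        <AttributeSchema name="payroll-notes" type="single"
                         syntax="string" any="optional"/>
      </Organization>
    </Schema>
  </Service>
</ServicesConfiguration>
"""


def is_required(attr_schema):
    # The 'any' attribute is a '|'-separated flag list; 'required' is one flag.
    flags = (attr_schema.get("any") or "").split("|")
    return "required" in flags


def has_default(attr_schema):
    # A default exists only if at least one non-empty <Value> is present.
    return any((v.text or "").strip()
               for v in attr_schema.findall("DefaultValues/Value"))


def missing_defaults(xml_text):
    """Return (service name, attribute name) pairs that need a default value."""
    root = ET.fromstring(xml_text)
    return [(service.get("name"), attr.get("name"))
            for service in root.iter("Service")
            for attr in service.iter("AttributeSchema")
            if is_required(attr) and not has_default(attr)]


if __name__ == "__main__":
    for svc, name in missing_defaults(SAMPLE_SERVICE_XML):
        print(f"{svc}: required attribute '{name}' has no default value")
```

Run the check against a service file before loading it; any reported attribute needs a DefaultValues entry added and the service reloaded.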
Procedure: To Add a Service to a Realm

  1. Click the name of the realm for which you wish to add a new service.

  2. Select the Services tab.

  3. Click Add in the Services list.

  4. Select the service you wish to add for the realm.

  5. Click Next.

  6. Configure the service by defining the realm attributes. See Configuration in the online help for a description of the service attributes.

  7. Click Finish.

  8. To edit the properties of a service, click the name in the Service list.

Privileges

Privileges define the access permissions to roles or groups that exist within a realm. The roles or groups are used as policy subject definitions for the Access Manager Identity Subject type. To assign or modify privileges, click the name of the role or group you wish to edit. The privileges you can assign are: