Sun Java System Access Manager 7.1 Technical Overview

SPIs and Plug-ins

The Access Manager SPIs work with plug-ins to provide customer data to the framework for back-end processing. Some customer data comes from external data base applications such as identity repositories while other customer data comes from the Access Manager plug-ins themselves. You can develop additional custom plug-ins to work with the Access Manager SPIs. For a complete listing of Access Manager SPIs, see the Sun Java System Access Manager 7.1 Java API Reference. The following sections contain brief descriptions of the plug-ins installed with Access Manager.

Authentication Plug-in

The Authentication Plug-in accesses user data in a specified identity repository to determine if a user’s credentials are valid.

Delegation Plug-in

The Delegation plug-in aggregates policies and roles to determine the scope of a network administrator’s authority. The Authentication Service and the Policy Service then use the aggregated data to perform authentication and authorization processes. The Delegation plug-in works together with the Identity Repository Management plug-in (where default administrator roles are defined) to form rules that describe the scope of privileges for each network administrator, and specifies the roles to which these rules apply. The following is a list of roles defined by the Identity Repository Management plug-in, and the default rule the Delegation plug-in applies to each.

Table 1–4 Access Manager Administrator Roles and Scope of Privileges

Administrator Role 

Delegation Rule 

Realm Administrator

Can access all data in all realms of the Access Manager information tree. 

Subrealm Administrator

Can access all data within a specific realm of the Access Manager information tree. 

Policy Administrator

Can access all policies in all realms of the Access Manager information tree. 

Policy Realm Administrator

Can access policies only within the specific realm of the Access Manager information tree. 

Note –

The Delegation plug-in code is not public in Access Manager.

Identity Repository Management Plug-in

The Identity Repository Management plug-in returns identity information such as user attributes and membership status for purposes of authentication.

Policy Plug-in

The Policy plug-in aggregates policies and rules to determine whether a user is authorized to access a protected resource.

Service Configuration Plug-in

The Service Configuration plug-in stores and manages configuration data required by the core components and other Access Manager plug-ins. In previous versions of Access Manager, the functionality provided by the Service Configuration plug-in was known as the Service Management Service (SMS).

AM SDK Plug-in

The AM SDK plug-in creates and modifies users and stores information in the user branch of the identity repository. It implements the user management APIs used in previous Access Manager releases.