Sun Java System Access Manager 7 2005Q4 Technical Overview

Access Control Realms

In Access Manager, an access control realm is a group of authentication properties and authorization policies that you can associate with a user or a group of users. Realm data is stored in a proprietary information tree that Access Manager creates within a data store you specify. The Access Manager framework aggregates the policies and properties contained in each realm within the Access Manager information tree.

By default, Access Manager automatically inserts the Access Manager information tree as a special branch in Sun Java Enterprise System Directory Server, apart from the user data.

Figure 1–4 Default Configuration for Access Manager Information Tree

Both the identity repository and the Access Manager information tree can be installed on the same instance of Directory Server.

You can use access control realms while using any user database. The following figure illustrates the Access Manager information tree configured in a separate data store from the identity repository.

Figure 1–5 Access Manager Information Tree Configured in Second Data Store

The identity repository can reside in one data store, and the Access Manager information tree can reside in a different data store.

When a user logs into an application, Access Manager plug-ins retrieve all of the user information and access information that Access Manager needs to form a temporary, virtual user identity. The Authentication Service and the Policy Service use this virtual user identity to authenticate the user and to enforce authorization policies. The virtual user identity is destroyed when the user’s session ends.