Technical Note: Sun Java System Access Manager ACI Guide

Access Manager 7 2005Q4 Realm Mode


Realm-based architecture provides an independent tree structure to store the Organization Configuration data and User Management data.

To avoid the ACI-related performance issues and to make delegation easy to understand, in a Realm Mode installation of Access Manager 7 2005Q4, access control for the Identity Repository (IdRepo) framework and Service Management is based on the new Policy Management delegation model.

In Access Manager 7 2005Q4, the Realm Mode Policy infrastructure is created in a Realm instead of in an Organization.

Policy Management delegation uses the existing Policy Authorization mechanism, thus replacing the ACIs to determine the accessibilities of Realms and Policies. Policies are used to control the Realm and Policy delegations.

When a Realm gets created, a Policy for this Service is created for the access privileges of the Realm. The Subjects defined in the Policy, determine who is able to manage the Realm and Policies, and in what manner. Based on the Policy Conditions defined, restrictions are applied on the accessibilities of the users to the Realms and Polices.

The new Policy delegation model has introduced the concepts of the Realm Admin and Realm Policy Admin:

At the time of creating a Realm in the Access Manager Console, the user needs to specify which Subjects will be used as the Realm Admin and which Subjects will be used as the Realm Policy Admin. Optionally, the user can specify some Conditions to further restrict the management of the Realm and the Policies. Default delegation Policies are described in a delegation service. (For more information, see the /etc/opt/SUNWam/config/request/defaultDelegationPolicies.xml file.)

SM (Service Management) in Access Manager 7 2005Q4 Realm Mode, enforces Policies and Privileges for Realm access control. A Privilege is an Access Control mechanism for the resources within Access Manager, for example: service-configuration data and user data.

For the Identity Repository (IdRepo) framework, delegation is provided for pre-defined roles like Top-level Admin Role, Organization Admin Role and Help Desk Admin Role.

The new delegation model in Access Manager 7 2005Q4 Realm Mode serves the purpose of Access Manager being datastore-agnostic. The new Access Control model/delegation is managed from the Access Manager Console. Assuming a fresh Directory Server instance, that Access Manager 7 2005Q4 is installed into, there are equal number of ACIs loaded into the Directory Server instance, both in Legacy Mode and Realm Mode. The ACIs are loaded from either install.ldif or installExisting.ldif as described in the Introduction.

There is a performance tuning script to eliminate the unnecessary or unused ACIs installated in Access Manager. For more information, see under Running the amtune-directory Script to Remove Unnecessary ACIs in Realm Mode.