The Access Control component, along with its Admin UI subcomponent, protects the system from unauthorized use. Access Control provides the functionality to authorize a user to access the system or the services it provides. Admin UI provides the functionality to administer the security objects that Access Control uses. For authorization, Access Control verifies that a user has the authority to access an individual security service: it grants access only if the user's profile holds that service's set of required security rights at the time of the access request. For example, when a user requests to reset the password of another user, Access Control verifies that the requesting user has the proper right.
There are four basic objects in the Access Control system:
▪ Right
A right is a "key" or a "ticket" that is used by authorization to determine what services or security APIs the user can access. The right has no special functionality or attributes of its own, and it is simply a name that is used by Access Control for authorization purposes. Rights can be assigned to services, which can restrict the access to those services only to the users who have (at least) those rights. Rights can also be assigned to roles.
▪ Role
A role, such as the administrator or the teller, can be used to assign a group of rights to a user. A set of rights is associated with a role, and the role is associated with the user who is granted all the rights which are associated with the role. Roles can contain subroles. When a role is associated with a user, the user is recursively granted all the rights of any subrole which is associated with that role. Besides, roles which are held by a user's profile can be restricted to certain time intervals, and only the roles that are active at the time of the access request are valid for authorization.
▪ User
User information is stored in a database that Access Control references when security services are requested. The authorization process verifies that the internal Security User object corresponds to an external identity that has been approved to access the system; the access right mechanism then restricts access to only those security services that have been approved for use by this identity.
▪ Service
A Security Service, from the point of view of Access Control, is the object which represents an operation that can be authorized. It can be one or more functions that are made available to an authorized user through a client application. Access Control controls the access to a security service by associating (using Admin UI) rights (instances of SecurityRight) with it. The profile (SecurityUser) of a user attempting to access a security service must have all the required rights for that security service before the Access Control component permits the access.
The following figure illustrates the relationship between the objects.
There are four types of relationships among the objects:
▪ User-Role
Represents the roles that a user holds.
▪ Role-subRole
A role can contain subroles and holds all the rights of its subroles.
▪ Role-Right
Represents the set of rights that a role holds.
▪ Service-Right
Represents the set of rights required to access or execute a service.
In a Role-Based Access Control (RBAC) system,
▪ A user has one or more roles.
▪ A user has all the rights entitled by the user's roles.
▪ A service has one or more rights that are necessary to access or execute the service.
▪ A user can execute the service when the user has all the rights needed by the service.
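As an added illustration of the RBAC rule above (not code from UDTT; Role, RoleGrant, effective_rights and authorize are hypothetical names), this Python model resolves a user's effective rights through time-restricted roles and nested subroles, then checks a service's required right set against them:

```python
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, FrozenSet, List, Optional, Tuple

# Constructed model of the authorization rule described above. Role, RoleGrant
# and the function names are hypothetical; they are not the UDTT classes.
@dataclass(frozen=True)
class Role:
    name: str
    rights: FrozenSet[str] = frozenset()
    subroles: Tuple[str, ...] = ()          # Role-subRole relationship

@dataclass(frozen=True)
class RoleGrant:
    """A role held by a user's profile, optionally restricted to a time interval."""
    role: str
    valid_from: Optional[datetime] = None
    valid_to: Optional[datetime] = None

    def active_at(self, when: datetime) -> bool:
        return (self.valid_from is None or self.valid_from <= when) and \
               (self.valid_to is None or when < self.valid_to)

def effective_rights(roles: Dict[str, Role], grants: List[RoleGrant],
                     when: datetime) -> FrozenSet[str]:
    """Rights of every role active at `when` plus, recursively, those of its subroles; `seen` breaks cycles."""
    seen, rights = set(), set()
    stack = [g.role for g in grants if g.active_at(when)]
    while stack:
        name = stack.pop()
        if name in seen or name not in roles:   # already walked, or dangling reference
            continue
        seen.add(name)
        role = roles[name]
        rights |= role.rights
        stack.extend(role.subroles)
    return frozenset(rights)

def authorize(roles: Dict[str, Role], grants: List[RoleGrant],
              service_rights: FrozenSet[str], when: datetime) -> bool:
    """Grant only if the profile holds all required rights; a service with an empty right set admits everyone."""
    return service_rights <= effective_rights(roles, grants, when)

# Constructed sample data: teller < supervisor < administrator
ROLES = {
    "teller": Role("teller", frozenset({"view_account", "post_deposit"})),
    "supervisor": Role("supervisor", frozenset({"approve_override"}), ("teller",)),
    "administrator": Role("administrator", frozenset({"reset_password"}), ("supervisor",)),
}
RESET_PASSWORD_SERVICE = frozenset({"reset_password", "view_account"})
NOW, PAST = datetime(2024, 1, 15, 10, 0), datetime(2024, 1, 1)
```

The empty-right-set case is worth checking in an Admin UI review: a service with no rights assigned is not restricted at all under this rule.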
There are three parts in the UDTT Access Control:
▪ Security Objects Access (DAO) interface
▪ Authorization interface
▪ Administration User Interface (UI)
Access Control supports the Lightweight Directory Access Protocol (LDAP). LDAP is an open industry standard that defines a method for accessing and updating information in a directory. When Access Control is combined with an LDAP server, Access Control provides only the authorization function, and the user is authenticated by the LDAP server. All the information required for authorization is stored by Access Control, and all the user information is stored by the LDAP server. Therefore, to combine Access Control with LDAP, the user authorization information must be kept synchronized with the user authentication information, and Access Control must be able to use the authentication function of the LDAP server. See the Reference section for details on how to synchronize Access Control with the LDAP server and how to enable Access Control to use the authentication function of the LDAP server.
The Security Objects Access (DAO) interface is composed of the following items:
▪ jar:
▪ bttbcaccommon.jar
▪ bttbcac.jar
▪ Interface:
▪ ISecurityObjectManager
This interface defines how to manage the security objects in the system.
▪ IDAOFactory
This interface defines how to construct and get the DAO objects.
▪ ISecurityRightDAO
This interface defines how to access the Right object in the system.
▪ ISecurityRoleDAO
This interface defines how to access the Role object in the system.
▪ ISecurityServiceDAO
This interface defines how to access the Service object in the system.
▪ ISecurityUserDAO
This interface defines how to access the User object in the system.
In addition, the following four Java classes represent the security objects in Java. Each class has the corresponding data fields and simple get and set methods.
▪ jar:
▪ bttbcac.jar
▪ Class:
▪ SecurityRight
▪ SecurityRole
▪ SecurityService
▪ SecurityUser
Two ways are provided by UDTT Access Control for DAO implementation.
▪ XML DAO implementation
Located in the com.ibm.btt.bc.ac.dao.xml package. The default names of the four repository files are listed below. You can provide four blank XML files and tell Access Control the location of the files.
▪ right.xml
▪ service.xml
▪ user.xml
▪ role.xml
▪ DB2/Oracle/SQLServer 2000/SQLServer 2005 DAO implementation
Located in the com.ibm.btt.bc.ac.dao.db2 package. The following diagram illustrates the schema definitions of the security objects in the database. In the diagram, PK stands for primary key, FK stands for foreign key, and the arrow specifies the foreign key dependency. The definitions are database-specific. DB2, Oracle and SQL Server are supported by UDTT Access Control in this release. You can find the database-specific DDL files in ${BTTInstallPackaging}/lib/dbtools/Windows/:
An Eclipse plug-in (com.ibm.btt.bc.ac.rcp) is provided by UDTT Access Control to manage the security objects in the system.
This plug-in is designed as a com.ibm.btt.bc.common.activity.BCActivity. The definition of this business component activity differs from the definitions of other activities: you must specify not only the composite class for the user interface (UI), but also the initialize object ID for the UI. The initialize object ID is defined in the element factory definition file.
The following figure displays an example of how to define a business component activity. Use a semicolon to separate two parameters in the parameter field.