IAM, Protect Thyself
One of the interesting side-effects of building an IAM system using web
technology (especially the user administration screens and REST services) is
that it can be elegantly secured using its own authentication and
authorisation mechanism. No special measures are necessary.
Tip 1: Define a role called “Administrator” under an application called “IAM” in the database, and associate specific users with this application role.
With this, an interceptor sitting in front of the IAM Administration module
will work exactly the same way as interceptors that sit in front of business
applications (i.e., by restricting access to this application to only authorised
administrators).
Tip 2: Build security for REST services in the same manner as for a web app.
The same principle holds true for the REST services. Since these are HTTP
calls, they can also be intercepted in exactly the same way as requests for
web pages. Applications that invoke REST services will need to use HTTP
Basic Authentication and send their system account names and passwords as
part of the service call (over SSL, of course). IAM will authenticate these
credentials against its directory just as it does for human users. There are
standard ways to encrypt and store system account passwords on the
respective application servers such that they are not accessible or usable by
developers or other staff who happen to have access to the servers. Consult
your system administrators to implement these measures.
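The following Python sketch is an added example, not code from the book: a single interceptor function that gates both the IAM administration screens and the REST services (Tips 1 and 2) using IAM's own directory and its application/role table. For brevity it authenticates both kinds of request with HTTP Basic Authentication, whereas browser-based administration screens would normally arrive through the CAS login; the directory entries, the role table, the account names and the request shape are all constructed for the illustration.

```python
# Added example (not from the book): one interceptor protecting both the IAM
# administration module and its REST services with IAM's own directory and
# application roles. Directory, role table and requests are constructed.
import base64
import hashlib
import hmac


def _hash(salt: bytes, password: str) -> bytes:
    # Illustrative salted SHA-256; a real directory would use a dedicated
    # password-hashing scheme rather than a single SHA-256 round.
    return hashlib.sha256(salt + password.encode("utf-8")).digest()


def _entry(salt: str, password: str) -> tuple:
    return (salt.encode("utf-8"), _hash(salt.encode("utf-8"), password))


# Constructed directory: login -> (salt, password hash). Human users and the
# system accounts of calling applications live in the same directory (Tip 2).
DIRECTORY = {
    "alice": _entry("s1", "correct horse"),     # human administrator
    "bob": _entry("s2", "bob-pass"),            # ordinary business user
    "svc-payroll": _entry("s3", "svc-secret"),  # system account of a calling app
}

# Constructed role table, as Tip 1 describes: application -> role -> members.
APP_ROLES = {
    "IAM": {"Administrator": {"alice", "svc-payroll"}},
    "Payroll": {"Clerk": {"bob"}},
}


def authenticate(username: str, password: str) -> bool:
    """Verify credentials against the directory without short-circuiting on unknown users."""
    salt, expected = DIRECTORY.get(username, (b"", b"\x00" * 32))
    matched = hmac.compare_digest(_hash(salt, password), expected)
    return matched and username in DIRECTORY


def has_role(username: str, application: str, role: str) -> bool:
    """Membership test against the application role table."""
    return username in APP_ROLES.get(application, {}).get(role, set())


def parse_basic_auth(header):
    """Return (username, password) from an 'Authorization: Basic ...' header, else None."""
    if not header:
        return None
    scheme, _, token = header.strip().partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        decoded = base64.b64decode(token, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    username, sep, password = decoded.partition(":")
    return (username, password) if sep else None


def make_request(path, username=None, password=None, secure=True):
    """Build a constructed request dict; 'secure' models whether TLS was used."""
    headers = {}
    if username is not None:
        token = base64.b64encode(f"{username}:{password}".encode("utf-8")).decode("ascii")
        headers["Authorization"] = "Basic " + token
    return {"path": path, "headers": headers, "secure": secure}


def intercept(request, application="IAM", role="Administrator"):
    """Gate a request for the IAM application; returns an HTTP status code."""
    if not request.get("secure"):
        return 403  # Basic credentials are only accepted over SSL/TLS
    creds = parse_basic_auth(request["headers"].get("Authorization"))
    if creds is None or not authenticate(*creds):
        return 401  # unknown account, bad password or malformed header
    if not has_role(creds[0], application, role):
        return 403  # authenticated, but not an IAM Administrator
    return 200
```

The same `intercept` call sits in front of `/admin/...` screens and `/rest/...` services; only the `application` and `role` arguments change when the interceptor is reused in front of a business application.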
Tip 3: Build support for delegated user administration using exactly the same code base as for regular user administration.
CAS can retrieve any required user attributes from the database and pass
them into an application. The organisation that a user belongs to can be one
of these attributes. The IAM administration module can implement a level of
fine-grained access control by modifying the content of user management
screens based on the organisation that the logged-in user belongs to.
If the logged-in user belongs to your own organisation, you can assume that
they are your own administrators and are to be given access to user
management functions across your organisation as well as those of business
partners. User management screens can have dropdowns allowing the user
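As an added example (not code from the book), the following Python functions show how the organisation attribute released by CAS can drive the scoping described in Tip 3: administrators from the home organisation see every organisation, partner administrators see only their own. The home organisation, partner names, sample users and the attribute dictionary shape are constructed; the same scope is also enforced on each write so that hiding entries in a dropdown is not the only control.

```python
# Added example (not from the book): organisation-scoped delegated user
# administration driven by the 'organisation' attribute that CAS releases.
# Organisation names, users and the attribute dict are constructed.

HOME_ORG = "Acme"                                  # our own organisation
ALL_ORGS = {"Acme", "PartnerCo", "SupplierLtd"}     # organisations IAM manages

# Constructed user store: a few users spread across the organisations.
USERS = [
    {"login": "alice", "organisation": "Acme"},
    {"login": "bob", "organisation": "Acme"},
    {"login": "carol", "organisation": "PartnerCo"},
    {"login": "dave", "organisation": "SupplierLtd"},
]


def manageable_organisations(attributes, home_org=HOME_ORG, all_orgs=ALL_ORGS):
    """Organisations the logged-in administrator may manage.

    'attributes' is the dict of user attributes CAS passed into the application.
    Home-organisation staff administer everyone; partners only their own.
    """
    org = attributes.get("organisation")
    if org is None or org not in all_orgs:
        return set()            # unknown or missing attribute: no scope at all
    if org == home_org:
        return set(all_orgs)
    return {org}


def dropdown_organisations(attributes):
    """Sorted entries for the organisation dropdown on the user management screen."""
    return sorted(manageable_organisations(attributes))


def visible_users(attributes, users=USERS):
    """Users shown in the management list, filtered by the administrator's scope."""
    scope = manageable_organisations(attributes)
    return [u["login"] for u in users if u["organisation"] in scope]


def may_modify(attributes, target):
    """Server-side check run on every write, independent of what the screen showed."""
    return target["organisation"] in manageable_organisations(attributes)
```

Because `dropdown_organisations`, `visible_users` and `may_modify` all derive from the same `manageable_organisations` function, the screen content and the write-side authorisation cannot drift apart, which is what lets one code base serve both in-house and delegated administrators.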