Thursday, March 6, 2008

ITCAM 6.0 security model is strange

The security model implemented in ITCAM 6.0 is different from that of any other Tivoli product. It is a WAS application, but its declarative security defines just one generic role, "user", which is granted to all authenticated users. The more granular roles are assigned and enforced through programmatic security using a home-grown mechanism.

Read on for my opinions on this ...

This appears to be a departure from all of the standards that IBM/Tivoli espouses for developers. In dealing with WAS and the Tivoli products, Tivoli seems to instruct developers to use declarative security in WAS applications, or at the very least to use a common authorization engine (IBM Tivoli Access Manager, for example). However, in one of their own applications (which, by the way, previously used WAS declarative security for its authorization), they are ignoring these very same recommendations.

To set the record straight, I think this new version of the application (previously named ITMTP) is a definite improvement, and I even like the functionality of the security model they're using. One feature I'm glad to see is that you no longer have to bounce WAS after making authorization changes. However, I have absolutely no idea why Tivoli would allow one of their own development teams to completely disregard the development guidelines that they are advocating to other companies.
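To make the pattern concrete, here is an added illustration (my own sketch, not ITCAM's code) of what "one declarative role plus programmatic checks" looks like in a WAS servlet filter: the container only verifies membership in "user", and the application decides the finer-grained roles from a role map it can swap at runtime without a server restart. The filter name, the role map, the URL-to-role table and the reload method are all hypothetical.

```java
// Added example, not ITCAM code. The container's declarative security grants
// the single role "user" to every authenticated principal; everything finer
// is decided here against an application-managed role map.
import java.io.IOException;
import java.util.*;
import java.util.concurrent.atomic.AtomicReference;
import javax.servlet.*;
import javax.servlet.http.*;

public class AppRoleFilter implements Filter {
    // Hypothetical in-application role store (e.g. loaded from a database):
    // principal name -> application roles. Held in an AtomicReference so a
    // reload is a single atomic swap and needs no WAS restart.
    private static final AtomicReference<Map<String, Set<String>>> ROLE_MAP =
        new AtomicReference<Map<String, Set<String>>>(new HashMap<String, Set<String>>());

    // Hypothetical table of URL prefixes and the application role each requires.
    private static final Map<String, String> REQUIRED = new LinkedHashMap<String, String>();
    static {
        REQUIRED.put("/admin/", "administrator");
        REQUIRED.put("/reports/", "report_viewer");
    }

    /** Replace the role map atomically; takes effect on the next request. */
    public static void reload(Map<String, Set<String>> fresh) {
        ROLE_MAP.set(Collections.unmodifiableMap(new HashMap<String, Set<String>>(fresh)));
    }

    public void init(FilterConfig cfg) {}
    public void destroy() {}

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest http = (HttpServletRequest) req;
        HttpServletResponse out = (HttpServletResponse) res;
        // Declarative security already ran, but re-check so the filter fails
        // closed if it is ever mapped to an unprotected URL.
        if (http.getUserPrincipal() == null || !http.isUserInRole("user")) {
            out.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        String path = http.getServletPath();
        for (Map.Entry<String, String> rule : REQUIRED.entrySet()) {
            if (!path.startsWith(rule.getKey())) continue;
            Set<String> roles = ROLE_MAP.get().get(http.getUserPrincipal().getName());
            // Fail closed: an unknown principal or a missing role is denied.
            if (roles == null || !roles.contains(rule.getValue())) {
                out.sendError(HttpServletResponse.SC_FORBIDDEN);
                return;
            }
            break;
        }
        chain.doFilter(req, res);
    }
}
```

The trade-off the post describes is visible here: authorization changes are a call to reload() rather than a WAS bounce, but the container can no longer see or audit the granular roles, so every protected path must be covered by the application's own table.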
