Axway PassPort user access management

Overview

One of the roles of Axway PassPort is to provide user identity and access management services for Axway products.

To supply these services, PassPort relies on a dedicated access management server, a database and an API.

Administrators perform access management tasks in PassPort via the PassPort user interface. User access management involves attributing roles and permissions to users and groups of users.

When a user attempts an action on a product that requires authorization (for example, logging on), the product sends a request message to PassPort via the API. PassPort approves or denies the request and responds. The user is then either allowed to perform the action or blocked.

The following figure illustrates PassPort access management architecture and the relative roles of administrator and users.

Configuring PassPort

Component Security Descriptor files

For each Axway product, PassPort AM uses an XML-format Component Security Descriptor (CSD) file. Each CSD file contains access definitions relating to a specific Axway product.

You must retrieve this file from the product installation directory and import it into PassPort in order to use PassPort as the access management tool for that product.

You can then assign various product access rights to individual users or user groups in PassPort.

Configuring products

Typically, you configure Axway products for use with PassPort access management services during the product installation procedure. In many cases, you can manage the configuration after installation. There may also be additional configuration operations to perform on the product to fully implement interoperability with PassPort.

For details about implementing interoperability between the different Axway products and PassPort access management, follow the links in the related topics section, below.

Managing multiple product instances

You may want to integrate more than one instance of a product with PassPort AM when, for example, you require separate environments for testing and for production.

Axway products identify themselves to PassPort AM via values for four properties:

PassPort AM derives three of these values (name, version, group) when it imports the product CSD file. When PassPort imports the CSD file, it creates an object that represents the product instance and sets the "Instance name" value to default.

On the product side, when you install the product and choose PassPort AM as the access manager, the product contains a file that describes the PassPort AM connection attributes. One of the attributes in this file defines the name of the product instance. This attribute is automatically given the value default unless it is overridden with another value during installation. For a product to be able to connect to PassPort AM, the instance name specified in the product's PassPort AM connection properties file and the Instance Name value you set in PassPort must be identical.

If the values do not match in PassPort and in the connection properties file, the product cannot communicate with PassPort AM.

When you connect two instances of a product with PassPort AM, the second instance must have a different instance name value than the first instance. This means that before you start the server for the second instance, you must do two things:

  1. In the product installation directory, locate the PassPort AM connection properties file and change the value of the attribute that specifies the product instance name.
  2. In PassPort, create a component instance object, and set the Instance Name value to the same name as the component instance name.

Related topics

Axway Composer access management via PassPort

Axway Gateway access management via PassPort

Axway Integrator access management via PassPort

Axway Messaging access management via PassPort

Axway Sentinel access management via PassPort

Transfer CFT access management via PassPort