Configure data security

IBM Business Monitor, V8.0.1 > Securing your environment
Configure data security

Using the administrative console, you can configure security for your monitor models by setting data access permissions.
You can add a new resource group or delete an existing resource group, add models to or delete models from a resource group, and add roles to or remove roles from a resource group. You must have administrative privileges to perform IBM Business Monitor data security administrative tasks.
You can group IBM Business Monitor models into resource groups to allow easy administration of data access permissions. Permissions must be assigned to a resource group by way of a three-way binding. This binding consists of a resource group, a role, and a user or group of users.
IBM Business Monitor data security always has a root resource group defined. All resource groups other than root are considered children of root. All resources are visible to the root resource group. By default, all models are deployed to the root resource group unless they are added to a different resource group during model lifecycle deployment. A model can be a member of only one resource group. If the model is added to a resource group other than root, it is visible to the root resource group and the specified child resource group. If multiple versions of a model exist or if the model schema is not deleted when a model is uninstalled, the model is not removed from its resource group. Otherwise, when a model is uninstalled, it is automatically removed from its associated resource group.
You can assign roles to a user or group within a resource group, as defined by IBM Business Monitor. The following table shows the roles and the actions that you can complete for each role:

Role name Role description
KPI-Administrator This role gives users all the authority associated with KPI and alert administration. Users of this role can create both shared (public) and non-shared (personal) KPIs and alerts. In addition, KPI-Administrators can change the ownership of any KPI or alert.
Public-KPI-Administrator This role gives users the authority to create shared (public) or non-shared (personal) KPIs and alerts. Shared (public) KPIs and alertscan be used and viewed by other users. Only the owner or a KPI-Administrator can make changes to a shared (public) KPI or alert.
Personal-KPI-Administrator This role gives users the authority to create non-shared (personal) KPIs and alerts. The created KPI or alert can be viewed and updated only by the owner and a KPI-Administrator.
Business-Manager This role provides basic read-only access to public (shared) KPIs and alerts within a resource group.

You can assign a user or a user group to a role in a resource group in the following ways.

Assign a role directly to a user.
Assign a role indirectly by assigning the role to one of the user groups that the user belongs to, which assigns the role to all users in the user group.
Assign a role to the user for the root resource group or the parent resource group of the resource group.
Assign a role to one of the user groups the user belongs to for the root resource group or parent resource group of the resource group.
Designate the user as a SuperUser, which grants the user full access privileges for all models. You must grant the SuperUser role using the scripting environment. You cannot grant a SuperUser role by using the administrative console.

Work with resource groups
A resource group is a logical grouping of resources, such as monitor models. The sole purpose of this grouping is to allow easy administration of data access permissions. Instead of assigning permissions to individual resources one at a time, you use a resource group to enable management of data access permissions on a large number of resources. This section describes how to create a resource group, add a role to that resource group, and perform other administrative tasks that ensure security for your monitor model data.
Adding and removing users or groups from roles in a resource group

You use the administrative console to add a user or group to a role (for example, Business-Manager) within a resource group.
You can also use the administrative console to delete a user or group from a role.
Determining the models a user can access
Perform administrative data security functions for a particular model. From the Diagnose tab, you can determine the monitor models a user has access to and the roles that user has within each model.
You can search the repository for a user or a group of users.
Applying data security to IBM Cognos BI packages

You apply data security to IBM Cognos BI packages by setting permissions based on users and groups. The data access permissions are generated into the cube package and published along with the cube package.

Securing your environment

Related concepts:
Configure fine-grained security

Role name	Role description
KPI-Administrator	This role gives users all the authority associated with KPI and alert administration. Users of this role can create both shared (public) and non-shared (personal) KPIs and alerts. In addition, KPI-Administrators can change the ownership of any KPI or alert.
Public-KPI-Administrator	This role gives users the authority to create shared (public) or non-shared (personal) KPIs and alerts. Shared (public) KPIs and alertscan be used and viewed by other users. Only the owner or a KPI-Administrator can make changes to a shared (public) KPI or alert.
Personal-KPI-Administrator	This role gives users the authority to create non-shared (personal) KPIs and alerts. The created KPI or alert can be viewed and updated only by the owner and a KPI-Administrator.
Business-Manager	This role provides basic read-only access to public (shared) KPIs and alerts within a resource group.