IBM Tivoli Composite Application Manager for Application Diagnostics, Version 7.1.0.1

Authorization and composite requests

Authorization is enforced in ITCAM for Application Diagnostics in two ways: by feature and by server. Feature-based authorization limits access to top-level features based on the role assigned to a user. Assuming that a user has access to a feature, the server-based authorization might further limit access to data about servers based on which group a server is assigned to, and which groups the user has authority to view.

Since composite requests involve more than one server, the effects of server-based authorization play out in the following scenario.

The home request of a composite request is on server A (which is in group A) and invokes a participating request on server B (which is in group B). There are two users who need to investigate this composite request. User A has access to servers in group A but not group B, and user B has access to servers in group B but not group A.

Assuming that each user uses In-Flight Request Search to locate the requests, the results for each user are different. The results are different because the In-Flight Request Search limits results to those requests executing on servers in groups the user has access to. This means that user A sees only request A and user B sees only request B.

In both cases, the Composite Request Indicator appears next to the request, and links to a similar Composite Request Detail page. However, the contents of the Composite Request Detail page are different for each user.

Both users see the complete composite request, including the Home Request on server A and the Participating Request on server B. However, the users do not have access to the Request Detail pages of all requests: User A has access to the Home Request on server A (the request name is linked), but not to the Participating Request on server B (the request name is not linked). User B does not have access to the Home Request on server A (the request name is not linked) but has access to the Participating Request on server B (the request name is linked).


Parent topic:

View composite requests