IBM Tivoli Monitoring > Version 6.3 Fix Pack 2 > Administrator's Guide
IBM Tivoli Monitoring, Version 6.3 Fix Pack 2
Use role-based authorization policies
The Tivoli Authorization Policy Server feature provides you with role-based access control capabilities to protect your monitoring resources from unauthorized access by dashboard users of IBM Dashboard Application Services Hub.
Authorization policies provide the following capabilities:
- The ability to restrict access for dashboard users to specific managed system groups and to individual managed systems.
- The ability to assign role-based policies to users and user groups in a federated LDAP user registry to simplify policy management.
- A new command-line interface that is highly automatable.
- Central management of authorization policies for multiple IBM Tivoli Monitoring environments, also called domains.
Tivoli Enterprise Portal permissions are the default authorization method for controlling access to resources in monitoring dashboards. They are also the mechanism used to authorize Tivoli Enterprise Portal client users. However, authorization policies provide greater control over resource access. With authorization policies, you can grant a dashboard user permission to view data from specific managed system groups or managed systems. Tivoli Enterprise Portal authorization, by comparison, assigns view permission for monitoring applications (monitoring agents): a user is assigned permission to view all managed systems of a particular agent application type, for example all Windows OS agents.
To use the role-based access control provided by authorization policies, install the Tivoli Authorization Policy Server and the tivcmd Command-Line Interface for Authorization Policy (tivcmd CLI). The Authorization Policy Server is installed with IBM Dashboard Application Services Hub along with monitoring dashboard applications such as Infrastructure Management Dashboards for Servers or custom dashboards. The tivcmd CLI is installed on computers used by authorization policy administrators and provides the command-line interface for creating and working with authorization policies. It sends HTTP or HTTPS requests to the Authorization Policy Server, which maintains the master policy store. For installation information, see "Installing and configuring the Tivoli Authorization Policy Server and tivcmd Command-Line Interface for Authorization Policy" in the IBM Tivoli Monitoring Installation and Setup Guide.
After successful installation of these two packages, you can execute tivcmd CLI commands as required to create and work with roles, grant permissions, exclude permissions, revoke permissions, and assign users and user groups to a role. For a complete list of tivcmd CLI commands, see the Command Reference.
Once the initial set of authorization policies has been created, you enable authorization policy checking in the Tivoli Enterprise Portal Server. The portal server periodically downloads the authorization policies from the Authorization Policy Server application. When a dashboard user requests monitoring data, IBM Dashboard Application Services Hub forwards the request to the dashboard data provider component of the portal server. The dashboard data provider uses the authorization policies to determine which monitored resources the user is allowed to access.
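The following is an added example, not IBM code: a simplified Python model of the difference between Tivoli Enterprise Portal permissions (per agent application type) and authorization policies (per managed system group or managed system). The managed system names, group names, and LDAP DNs are constructed, the `Role` class is hypothetical, and the rules that an exclude overrides a grant and that a user with no matching role sees nothing are assumptions of this model.

```python
from dataclasses import dataclass, field

# Constructed inventory: managed system -> (agent application type, managed system groups)
SYSTEMS = {
    "Primary:WIN01:NT": ("Windows OS", {"Payroll"}),
    "Primary:WIN02:NT": ("Windows OS", {"Payroll"}),
    "Primary:WIN03:NT": ("Windows OS", {"Web"}),
    "lnx01:LZ": ("Linux OS", {"Web"}),
}

@dataclass
class Role:
    """Hypothetical stand-in for a role in the policy store."""
    members: set                                  # LDAP user or group DNs assigned to the role
    granted_groups: set = field(default_factory=set)
    granted_systems: set = field(default_factory=set)
    excluded_systems: set = field(default_factory=set)

def tep_visible(allowed_app_types):
    """Portal permissions: every managed system of an allowed application type."""
    return {name for name, (app, _) in SYSTEMS.items() if app in allowed_app_types}

def policy_visible(user_dn, group_dns, roles):
    """Authorization policies: grants from the user's roles, minus exclusions."""
    principals = {user_dn, *group_dns}
    granted, excluded = set(), set()
    for role in roles:
        if not role.members & principals:
            continue                              # role not assigned to this user
        granted |= role.granted_systems
        granted |= {name for name, (_, groups) in SYSTEMS.items()
                    if groups & role.granted_groups}
        excluded |= role.excluded_systems
    # Assumptions: an exclude overrides any grant, and no matching role means no access.
    return granted - excluded

# Constructed policy: the payroll operators group may view the Payroll group except WIN02.
ROLES = [Role(members={"cn=payroll-ops,ou=groups,o=example"},
              granted_groups={"Payroll"},
              excluded_systems={"Primary:WIN02:NT"})]

if __name__ == "__main__":
    print(sorted(tep_visible({"Windows OS"})))
    print(sorted(policy_visible("uid=alice,o=example",
                                ["cn=payroll-ops,ou=groups,o=example"], ROLES)))
    print(sorted(policy_visible("uid=bob,o=example", [], ROLES)))
```

In this model the application-type permission exposes all three Windows systems, while the policy exposes only the one Payroll system that is granted and not excluded.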
Because both the Dashboard Application Services Hub and the portal server must have knowledge of the dashboard user, a typical dashboard environment includes a federated user registry provided by an LDAP server and single sign-on. For detailed information on the set of tasks involved in setting up a dashboard environment that uses authorization policies, see Set up a monitoring dashboard environment with single sign-on and with per user authorization controls.
See
- Authorization policy concepts
- Predefined roles and permissions
- Prepare to enable authorization policies
- Policy management scenarios
- Enable authorization policies in the portal server
- Authorization policy auditing
- Change the Authorization Policy Server configuration properties after installation and configuration
- Manage the authorization policy store
- Work with multiple domains