IBM Tivoli Monitoring > Version 6.3 Fix Pack 2 > Administrator's Guide > Use role-based authorization policies
IBM Tivoli Monitoring, Version 6.3 Fix Pack 2
Manage the authorization policy store
The Tivoli Authorization Policy Server stores the policies in multiple files on the file system. Review the details below to understand how to manage the policy store.
- High availability
- The Authorization Policy Server does not have built-in high availability mechanisms and does not support load balancing. Therefore, if you setup multiple Dashboard Application Services Hub severs for load balancing, you can only install the Authorization Policy Server with one of the Dashboard Application Services Hub servers. Also, when enabling authorization policies in the portal server in the IBM Tivoli Monitoring environment, you must configure the location of the single Dashboard Application Services Hub server where the authorization policy server package is installed and configured. The tivcmd CLI users must also specify the hostname and port number of the Dashboard Application Services Hub with the Authorization Policy Server instead of the hostname and port number of the load balancing HTTP server.
- Because the portal server has its own copy of the authorization policies, it is able to enforce the policies even if the Authorization Policy Server is not available. You can configure the maximum amount of time the portal server can utilize its local policy store after the last update. If the Authorization Policy Server cannot be accessed for the time interval specified by this parameter, all subsequent requests for dashboard data will fail with an authorization error until the Authorization Policy Server is available again. The default value is 7 days.
- Migration and backup
- The Authorization Policy Server does not offer migration, backup, or export and import tools for the policy file store. Over time, you might create many policy definitions. If the policy store became damaged or inadvertently deleted, recreating your policy definitions would not be easy.
- Best practice is for you to implement periodic backups, which can be done with zip or tar utilities. The files comprising the policy store are maintained in the /xacml subdirectory under the directory where your Authorization Policy Server was installed. For example, assume you installed the Authorization Policy Server into the following directory on Windows: C:\Program Files\IBM\JazzSM\AuthPolicyServer. Zipping up all files in the C:\Program Files\IBM\JazzSM\AuthPolicyServer\PolicyServer\xacml directory effectively backs up the entire policy store. You can later use this zip file to help with migration, for example, from a test to production Authorization Policy Server. Unzipping the file on a new production system will create and populate the /xacml subdirectory with all of the policy roles and permissions you previously had defined on the test system. These unzipped files can be used as-is by the production Authorization Policy Server.
Parent topic:
Use role-based authorization policies