IBM Tivoli Monitoring, Version 6.3 Fix Pack 2


Prepare to enable authorization policies

Before enabling authorization policies, ensure you are prepared by reading and following the information provided in this topic.

When a Tivoli Enterprise Portal Server is installed, authorization policy enforcement is disabled by default. An Enable authorization policies check box in the Tivoli Enterprise Portal Server configuration panels controls this feature. If the box is unchecked, the dashboard data provider does not use authorization policies to control access to managed system groups and managed systems; instead it uses Tivoli Enterprise Portal authorization to control access to monitored resources in the dashboards.

Complete the following steps before enabling authorization policy enforcement:

  1. Identify which users will need to administer authorization policies.

    When the Authorization Policy Server is installed, the installation program prompts for an IBM Dashboard Application Services Hub administrative user ID and password. The installer assigns this user ID to the predefined RoleAdministrator role. To allow other users to create and work with roles and assign permissions, install the tivcmd CLI and use it to log in to the Authorization Policy Server with the credentials that were specified during installation. Then use the tivcmd commands either to add the other policy administrators to the predefined RoleAdministrator role, or to create an equivalent role with similar permissions and add them to that role. For detailed steps, see Create and assign administrator roles.

    For details on installing the tivcmd CLI, see "Installing and configuring the Tivoli Authorization Policy Server and tivcmd Command-Line Interface for Authorization Policy" in the IBM Tivoli Monitoring Installation and Setup Guide.

  2. Assign at least one user to a role, typically the predefined PolicyDistributor role, that has the permission to distribute policies.

    The same user must be specified in the Tivoli Enterprise Portal Server configuration panel when you are ready to reconfigure the portal server to enable authorization policies.

    You must assign a user permission to distribute policies so that the dashboard data provider has the authority to retrieve policy updates from the Authorization Policy Server. For detailed steps, see Create and assign policy distributor roles.

  3. Create roles and permissions, or leverage predefined roles and permissions, for all existing managed system groups and managed systems that can be displayed in dashboard views, then add users or user groups to these roles. For detailed examples, see Policy management examples.

    The set of predefined roles and permissions is intended as a convenience to cover some, and perhaps most, of your security needs. However, you might have additional managed system groups and managed systems in your environment that require their own policy definitions. The information in Policy management scenarios is intended to help you understand how to use the tivcmd CLI to create these additional policies.

  4. Determine how frequently the dashboard data provider should retrieve authorization policies from the Authorization Policy Server.

    To avoid time-consuming network accesses, the dashboard data provider retrieves its own local copy of the Authorization Policy Server's master policy store. The policy retrieval occurs once during startup of the dashboard data provider and is then repeated at a regular interval that defaults to 30 minutes. You can change the default through the Tivoli Enterprise Portal Server configuration panels when you enable authorization policies, specifying a value between 5 and 1440 minutes. Be aware that any policy changes made using the tivcmd CLI do not take effect at the dashboard data provider until its next successful policy store retrieval.

When you are ready to start using authorization policies, reconfigure the portal server to enable authorization policies and to specify the connection properties for the Authorization Policy Server. The connection properties include the user ID that has been assigned a role with permission to distribute policies.

For a list of tasks to perform before you enable authorization policies, see Set up a monitoring dashboard environment with single sign-on and with per user authorization controls.
