IBM Tivoli Monitoring, Version 6.3 Fix Pack 2
Policy management examples
The objective of authorization policies is to give you granular control over your monitored resources. When you set up a new dashboard environment, the dashboard user IDs must be created in the LDAP user repositories. Best practice is to also set up LDAP groups that contain the set of users that are assigned to authorization policy roles. This makes policy management easier than assigning each individual user ID to a role. Use the examples in this topic to help you get started with your policies.
You use the tivcmd Command-Line Interface for Authorization Policy commands to manage your policies. For detailed information about the commands, see the Command Reference.
This example assumes there is an existing role named West Coast Administrators, and that you want to grant this role the ability to view all attribute group data and events for the managed system group called West_Coast_DataCenter_Systems and another managed system group called West_Coast_Regional_Systems and assign this role to the user group cn=westcoastadmins,cn=itm,o=ibm.
tivcmd grant --rolename "West Coast Administrators" --resourcetype managedsystemgroup --resources "West_Coast_DataCenter_Systems" --objecttype attributegroup --operations view
tivcmd grant --rolename "West Coast Administrators" --resourcetype managedsystemgroup --resources "West_Coast_DataCenter_Systems" --objecttype event --operations view
tivcmd grant --rolename "West Coast Administrators" --resourcetype managedsystemgroup --resources "West_Coast_Regional_Systems" --objecttype attributegroup --operations view
tivcmd grant --rolename "West Coast Administrators" --resourcetype managedsystemgroup --resources "West_Coast_Regional_Systems" --objecttype event --operations view
tivcmd addtorole --rolename "West Coast Administrators" --groups cn=westcoastadmins,cn=itm,o=ibm
This example assumes you want to prevent members of the user group cn=westcoastadmins,cn=itm,o=ibm from viewing attribute group data and events for the Primary:server1:NT managed system. In this scenario, Primary:server1:NT is a member of the West_Coast_DataCenter_Systems managed system group that the user group was granted permission to view in the previous example.
tivcmd exclude --rolename "West Coast Administrators" --resourcetype managedsystem --resources Primary:server1:NT
This example assumes you want to remove the grant permissions to view attribute group data and events for managed system group West_Coast_DataCenter_Systems and the exclude permission for the Primary:server1:NT managed system from the West Coast Administrators role but leave the grant permissions for the West_Coast_Regional_Systems managed system group.
tivcmd revoke --rolename "West Coast Administrators" --resourcetype managedsystemgroup --resources "West_Coast_DataCenter_Systems" --objecttype attributegroup --operations view --grantcommand
tivcmd revoke --rolename "West Coast Administrators" --resourcetype managedsystemgroup --resources "West_Coast_DataCenter_Systems" --objecttype event --operations view --grantcommand
tivcmd revoke --rolename "West Coast Administrators" --resourcetype managedsystem --resources Primary:server1:NT --excludecommand
In this example, you are an IBM Tivoli Monitoring administrator who wants to control dashboard access to the managed systems belonging to three geographic regions: Eastern, Central, and Western. The monitoring server has managed system group definitions for EasternRegionSystems, CentralRegionSystems, and WesternRegionSystems, which contain managed systems for the respective geographic regions. You want access to the managed systems in all three regions, but want the operator named Annette to only have access to Western region systems. This example assumes the local LDAP user registry includes user groups called EasternRegionOperators, CentralRegionOperators, and WesternRegionOperators and that Annette is a member of the WesternRegionOperators group.
- Log in to the Authorization Policy Server:
tivcmd login --username <user> --password <password>
- Create three new roles, one for each geographic region:
tivcmd createrole --rolename EasternRegionOperator --description "A role to govern access to data for Eastern Region Systems"
tivcmd createrole --rolename CentralRegionOperator --description "A role to govern access to data for Central Region Systems"
tivcmd createrole --rolename WesternRegionOperator --description "A role to govern access to data for Western Region Systems"
- Confirm that the new roles were created:
tivcmd listroles --rolename EasternRegionOperator --showdescription
tivcmd listroles --rolename CentralRegionOperator --showdescription
tivcmd listroles --rolename WesternRegionOperator --showdescription
- Display the usage rules for the tivcmd grant command:
tivcmd grant -?
- Issue grant commands allowing the EasternRegionOperator role to have view access to attribute data and events for EasternRegionSystems:
tivcmd grant --rolename EasternRegionOperator --resourcetype managedsystemgroup --resources EasternRegionSystems --objecttype attributegroup --operations view
tivcmd grant --rolename EasternRegionOperator --resourcetype managedsystemgroup --resources EasternRegionSystems --objecttype event --operations view
- Confirm that the EasternRegionOperator role has the correct permissions:
tivcmd listroles --rolename EasternRegionOperator --showpermissions
- Repeat the commands to grant the other two roles the same permissions to their respective geographic regions:
tivcmd grant --rolename CentralRegionOperator --resourcetype managedsystemgroup --resources CentralRegionSystems --objecttype attributegroup --operations view
tivcmd grant --rolename CentralRegionOperator --resourcetype managedsystemgroup --resources CentralRegionSystems --objecttype event --operations view
tivcmd grant --rolename WesternRegionOperator --resourcetype managedsystemgroup --resources WesternRegionSystems --objecttype attributegroup --operations view
tivcmd grant --rolename WesternRegionOperator --resourcetype managedsystemgroup --resources WesternRegionSystems --objecttype event --operations view
- Display the usage rules for the tivcmd addtorole command:
tivcmd addtorole -?
- Associate each LDAP user group to its corresponding role:
tivcmd addtorole --rolename EasternRegionOperator --groups cn=EasternRegionOperators,cn=itm,o=tivoli
tivcmd addtorole --rolename CentralRegionOperator --groups cn=CentralRegionOperators,cn=itm,o=tivoli
tivcmd addtorole --rolename WesternRegionOperator --groups cn=WesternRegionOperators,cn=itm,o=tivoli
- Display the membership of each role to confirm that the user group associations were completed properly:
tivcmd listroles --rolename EasternRegionOperator --showmembership
tivcmd listroles --rolename CentralRegionOperator --showmembership
tivcmd listroles --rolename WesternRegionOperator --showmembership
- Ensure that you have access to systems in all three regions. This can be accomplished by adding your user ID to each of the three new roles:
tivcmd addtorole --rolename EasternRegionOperator --users uid=<userid>,cn=itm,o=tivoli
tivcmd addtorole --rolename CentralRegionOperator --users uid=<userid>,cn=itm,o=tivoli
tivcmd addtorole --rolename WesternRegionOperator --users uid=<userid>,cn=itm,o=tivoli
- Add your user ID to the predefined PolicyDistributor role. This command ensures that your ID can be used by the dashboard data provider to download policy file store updates from the Authorization Policy Server:
tivcmd addtorole --rolename PolicyDistributor --users uid=<userid>,cn=itm,o=tivoli
- Display all of the roles that your user ID belongs to:
tivcmd listroles --username uid=<userid>,cn=itm,o=tivoli
The security setup is now complete. The result is as follows:
- Annette is only a member of the WesternRegionOperators user group.
- The WesternRegionOperators user group is only assigned to the WesternRegionOperator role.
- The WesternRegionOperator role is only granted access to the WesternRegionSystems managed system group.
- Annette can only view attribute data and events for managed systems belonging to WesternRegionSystems.
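The following model replays the exclude example and the three-region scenario above so that the effect of grant, exclude, revoke and addtorole on a user's visibility can be checked offline. It is an added illustration, not the tivcmd tool or the Authorization Policy Server's implementation. The managed system memberships, the sample DNs uid=bob and uid=annette, and the rule that an exclude in any held role overrides a grant in any other are assumptions of this model; confirm the precedence rule against the Command Reference.

```python
class PolicyStore:
    def __init__(self, msg_members, ldap_groups):
        self.msg_members = msg_members  # managed system group -> {managed systems}
        self.ldap_groups = ldap_groups  # LDAP group DN -> {user DNs}
        self.roles = {}                 # role name -> grants / excludes / users / groups
    def createrole(self, name):  # tivcmd createrole
        self.roles[name] = {"grants": set(), "excludes": set(), "users": set(), "groups": set()}
    def grant(self, role, rtype, resource, objtype, op):  # tivcmd grant
        self.roles[role]["grants"].add((rtype, resource, objtype, op))
    def exclude(self, role, system):  # tivcmd exclude --resourcetype managedsystem
        self.roles[role]["excludes"].add(system)
    def revoke(self, role, rtype, resource, objtype=None, op=None, excludecommand=False):
        key = "excludes" if excludecommand else "grants"  # --excludecommand / --grantcommand
        self.roles[role][key].discard(resource if excludecommand else (rtype, resource, objtype, op))
    def addtorole(self, role, users=(), groups=()):  # tivcmd addtorole --users / --groups
        self.roles[role]["users"].update(users)
        self.roles[role]["groups"].update(groups)
    def roles_for(self, user):
        """Roles held directly or via an LDAP group (what listroles --username reports)."""
        return sorted(n for n, r in self.roles.items() if user in r["users"]
                      or any(user in self.ldap_groups.get(g, ()) for g in r["groups"]))
    def can_view(self, user, system, objtype):
        """Assumption of this model: an exclude in any held role beats a grant in any other."""
        held = [self.roles[n] for n in self.roles_for(user)]
        if any(system in r["excludes"] for r in held):
            return False
        for rtype, res, otype, op in (g for r in held for g in r["grants"]):
            if otype == objtype and op == "view" and (
                    (rtype == "managedsystem" and res == system)
                    or (rtype == "managedsystemgroup" and system in self.msg_members.get(res, ()))):
                return True
        return False


def page_scenarios():
    """Constructed data replaying the two scenarios on this page (sample DNs and systems)."""
    ps = PolicyStore(
        {"West_Coast_DataCenter_Systems": {"Primary:server1:NT", "Primary:server2:NT"},
         "WesternRegionSystems": {"Primary:west1:LZ"}, "EasternRegionSystems": {"Primary:east1:LZ"}},
        {"cn=westcoastadmins,cn=itm,o=ibm": {"uid=bob,cn=itm,o=ibm"},
         "cn=WesternRegionOperators,cn=itm,o=tivoli": {"uid=annette,cn=itm,o=tivoli"}})
    ps.createrole("West Coast Administrators")
    ps.grant("West Coast Administrators", "managedsystemgroup", "West_Coast_DataCenter_Systems", "attributegroup", "view")
    ps.exclude("West Coast Administrators", "Primary:server1:NT")
    ps.addtorole("West Coast Administrators", groups=["cn=westcoastadmins,cn=itm,o=ibm"])
    ps.createrole("WesternRegionOperator")
    for objtype in ("attributegroup", "event"):
        ps.grant("WesternRegionOperator", "managedsystemgroup", "WesternRegionSystems", objtype, "view")
    ps.addtorole("WesternRegionOperator", groups=["cn=WesternRegionOperators,cn=itm,o=tivoli"])
    return ps
```

Calling can_view for a user against each managed system is a quick way to audit what a role assignment actually exposes before handing the role to an LDAP group.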