
IBM Tivoli Monitoring, Version 6.3 Fix Pack 2


Policy management examples

The objective of authorization policies is to give you granular control over your monitored resources. When you set up a new dashboard environment, the dashboard user IDs must be created in the LDAP user repositories. Best practice is to also set up LDAP groups that contain the set of users that are assigned to authorization policy roles. Assigning a group to a role makes policy management easier than assigning each individual user ID to a role. Use the examples in this topic to help you get started with your policies.

You use the tivcmd Command-Line Interface for Authorization Policy commands to manage your policies. For detailed information about the commands, see the Command Reference.

This example assumes there is an existing role named West Coast Administrators, and that you want to grant this role the ability to view all attribute group data and events for the managed system group called West_Coast_DataCenter_Systems and another managed system group called West_Coast_Regional_Systems and assign this role to the user group cn=westcoastadmins,cn=itm,o=ibm.

This example assumes you want to prevent members of the user group cn=westcoastadmins,cn=itm,o=ibm from viewing attribute group data and events for the Primary:server1:NT managed system. In this scenario, Primary:server1:NT is a member of the West_Coast_DataCenter_Systems managed system group that the user group was granted permission to view in the previous example.

This example assumes you want to remove the grant permissions to view attribute group data and events for managed system group West_Coast_DataCenter_Systems and the exclude permission for the Primary:server1:NT managed system from the West Coast Administrators role but leave the grant permissions for the West_Coast_Regional_Systems managed system group.

In this example, you are an IBM Tivoli Monitoring administrator who wants to control dashboard access to the managed systems belonging to three geographic regions: Eastern, Central, and Western. The monitoring server has managed system group definitions for EasternRegionSystems, CentralRegionSystems, and WesternRegionSystems, which contain managed systems for the respective geographic regions. You want access to the managed systems in all three regions, but want the operator named Annette to only have access to Western region systems. This example assumes the local LDAP user registry includes user groups called EasternRegionOperators, CentralRegionOperators, and WesternRegionOperators and that Annette is a member of the WesternRegionOperators group.

  1. Log in to the Authorization Policy Server:

      tivcmd login --username <user> --password <password>

  2. Create three new roles, one for each geographic region:

      tivcmd createrole --rolename EasternRegionOperator --description "A role to govern access to data for Eastern Region Systems"
      
      tivcmd createrole --rolename CentralRegionOperator --description "A role to govern access to data for Central Region Systems"
      
      tivcmd createrole --rolename WesternRegionOperator --description "A role to govern access to data for Western Region Systems"

  3. Confirm that the new roles were created:

      tivcmd listroles --rolename EasternRegionOperator --showdescription
      
      tivcmd listroles --rolename CentralRegionOperator --showdescription
      
      tivcmd listroles --rolename WesternRegionOperator --showdescription

  4. Display the usage rules for the tivcmd grant command:

      tivcmd grant -?

  5. Issue grant commands allowing the EasternRegionOperator role to have view access to attribute data and events for EasternRegionSystems:

      tivcmd grant --rolename EasternRegionOperator --resourcetype managedsystemgroup --resources EasternRegionSystems --objecttype attributegroup --operations view
      
      tivcmd grant --rolename EasternRegionOperator --resourcetype managedsystemgroup --resources EasternRegionSystems --objecttype event --operations view

  6. Confirm that the EasternRegionOperator role has the correct permissions:

      tivcmd listroles --rolename EasternRegionOperator --showpermissions

  7. Repeat the commands to grant the other two roles the same permissions to their respective geographic regions:

      tivcmd grant --rolename CentralRegionOperator --resourcetype managedsystemgroup --resources CentralRegionSystems --objecttype attributegroup --operations view
      
      tivcmd grant --rolename CentralRegionOperator --resourcetype managedsystemgroup --resources CentralRegionSystems --objecttype event --operations view
      
      tivcmd grant --rolename WesternRegionOperator --resourcetype managedsystemgroup --resources WesternRegionSystems --objecttype attributegroup --operations view
      
      tivcmd grant --rolename WesternRegionOperator --resourcetype managedsystemgroup --resources WesternRegionSystems --objecttype event --operations view

  8. Display the usage rules for the tivcmd addtorole command:

      tivcmd addtorole -?

  9. Associate each LDAP user group to its corresponding role:

      tivcmd addtorole --rolename EasternRegionOperator --groups cn=EasternRegionOperators,cn=itm,o=tivoli
      
      tivcmd addtorole --rolename CentralRegionOperator --groups cn=CentralRegionOperators,cn=itm,o=tivoli
      
      tivcmd addtorole --rolename WesternRegionOperator --groups cn=WesternRegionOperators,cn=itm,o=tivoli

  10. Display the membership of each role to confirm that the user group associations were completed properly:

      tivcmd listroles --rolename EasternRegionOperator --showmembership
      
      tivcmd listroles --rolename CentralRegionOperator --showmembership
      
      tivcmd listroles --rolename WesternRegionOperator --showmembership

  11. Ensure that you have access to systems in all three regions by adding your user ID to each of the three new roles:

      tivcmd addtorole --rolename EasternRegionOperator --users uid=<userid>,cn=itm,o=tivoli
      
      tivcmd addtorole --rolename CentralRegionOperator --users uid=<userid>,cn=itm,o=tivoli
      
      tivcmd addtorole --rolename WesternRegionOperator --users uid=<userid>,cn=itm,o=tivoli

  12. Add your user ID to the predefined PolicyDistributor role. This command ensures that your ID can be used by the dashboard data provider to download policy file store updates from the Authorization Policy Server:

      tivcmd addtorole --rolename PolicyDistributor --users uid=<userid>,cn=itm,o=tivoli

  13. Display all of the roles that your user ID belongs to:

      tivcmd listroles --username uid=<userid>,cn=itm,o=tivoli

The security setup is now complete.
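Before distributing policies it helps to check what the combination of role membership, group grants and system excludes will actually allow. The following is an added example, not code from this documentation or from the tivcmd tool: a small Python model of the policy pieces this topic uses (grant and exclude rules on managed system groups and managed systems, LDAP user and group DNs as role members), loaded with the three-region setup from the steps above plus a Primary:server1:NT-style exclude. It assumes that an exclude in any role the user holds takes precedence over a grant on a containing managed system group, and the managed system names, uid=admin and the exclude on Primary:west2:NT are constructed sample data.

```python
from collections import defaultdict

class PolicyStore:
    def __init__(self, msg_members):
        self.msg_members = msg_members    # managed system group -> {managed systems} (constructed)
        self.grants = defaultdict(set)    # role -> {(resourcetype, resource, objecttype, operation)}
        self.excludes = defaultdict(set)  # same shape; assumed to take precedence over grants
        self.members = defaultdict(set)   # role -> {user DNs, LDAP group DNs}

    def grant(self, role, rtype, res, otype, op):
        self.grants[role].add((rtype, res, otype, op))

    def exclude(self, role, rtype, res, otype, op):
        self.excludes[role].add((rtype, res, otype, op))

    def revoke(self, role, rtype, res, otype, op):   # drops a matching grant or exclude
        self.grants[role].discard((rtype, res, otype, op))
        self.excludes[role].discard((rtype, res, otype, op))

    def addtorole(self, role, *dns):
        self.members[role].update(dns)

    def roles_for(self, user_dn, user_groups):        # roles held directly or via an LDAP group
        return {r for r, m in self.members.items() if m & {user_dn, *user_groups}}

    def _matches(self, rules, system, otype, op):
        # A rule applies when objecttype/operation match and it names the system or a group containing it.
        return any((o, ro) == (otype, op) and (res == system if rtype == "managedsystem"
                   else system in self.msg_members.get(res, ()))
                   for rtype, res, o, ro in rules)

    def can_view(self, user_dn, user_groups, system, otype):
        roles = self.roles_for(user_dn, user_groups)
        if any(self._matches(self.excludes[r], system, otype, "view") for r in roles):
            return False                              # an exclude in any held role wins (assumption)
        return any(self._matches(self.grants[r], system, otype, "view") for r in roles)

def region_policy():
    # Constructed sample: the three-region setup from this topic, plus one exclude.
    p = PolicyStore({"EasternRegionSystems": {"Primary:east1:NT"}, "CentralRegionSystems": {"Primary:central1:NT"},
                     "WesternRegionSystems": {"Primary:west1:NT", "Primary:west2:NT"}})
    for region in ("Eastern", "Central", "Western"):
        role = f"{region}RegionOperator"
        for otype in ("attributegroup", "event"):
            p.grant(role, "managedsystemgroup", f"{region}RegionSystems", otype, "view")
        p.addtorole(role, f"cn={region}RegionOperators,cn=itm,o=tivoli", "uid=admin,cn=itm,o=tivoli")
    # Like the Primary:server1:NT example: hide one member system's events from the role.
    p.exclude("WesternRegionOperator", "managedsystem", "Primary:west2:NT", "event", "view")
    return p
```

With this store, a member of WesternRegionOperators such as Annette can view Western events but not Eastern ones, loses event access to the excluded system while keeping attribute group access to it, and regains it once the exclude is revoked as in the third example above.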

