
IBM Tivoli Monitoring, Version 6.3 Fix Pack 2


Predefined roles and permissions

The Tivoli Authorization Policy Server provides predefined roles and permissions to help you get started. The predefined roles are also called core roles. These roles cannot be modified or deleted, but they can be copied to create new roles.

The following roles and permissions are predefined:

RoleAdministrator

The main security administrator role with the authority to manage all roles and policies.

When the Authorization Policy Server is installed, the installation program prompts for an IBM Dashboard Application Services Hub administrative user ID and password. The installer assigns the user ID to the RoleAdministrator role. To allow other users to create and work with roles and assign permissions, install the tivcmd CLI and use it to log in to the Authorization Policy Server with the credentials that were specified during installation. Then use the tivcmd commands to assign other users to the RoleAdministrator role or a custom role. See Create and assign administrator roles.


RoleAdministrator permissions

| Operation | Object type | Resource type | Resource |
|---|---|---|---|
| view | attributegroup | managedsystemgroup | any |
| view | event | managedsystemgroup | any |
| view | attributegroup | managedsystem | any |
| view | event | managedsystem | any |
| create, delete, modify, view, viewall | role | rolegroup | default |

PolicyDistributor

The role with permission to download authorization policies.

This role, or a custom role with the same permission, must be assigned to the user ID that is specified when authorization policies are enabled in the portal server. The portal server uses the specified user ID and other connection properties to periodically connect to the Authorization Policy Server and download the latest policies. When the Authorization Policy Server receives a request for authorization policies, it verifies that the user who sent the request has been granted permission to distribute policies.


PolicyDistributor permissions

| Operation | Object type | Resource type | Resource |
|---|---|---|---|
| distribute | role | rolegroup | default |

LinuxOperator

A role that has attribute group and event viewing permissions for all Linux agents.

UNIXOperator

A role that has attribute group and event viewing permissions for all UNIX agents.

WindowsOperator

A role that has attribute group and event viewing permissions for all Windows agents.


LinuxOperator, UNIXOperator, and WindowsOperator permissions

| Role | Operation | Object type | Resource type | Resource |
|---|---|---|---|---|
| LinuxOperator | view | attributegroup and event | managedsystemgroup | *LINUX_SYSTEM |
| UNIXOperator | view | attributegroup and event | managedsystemgroup | *ALL_UNIX |
| WindowsOperator | view | attributegroup and event | managedsystemgroup | *NT_SYSTEM |

VCenterOperator

A role that has access to all VMWARE Virtual Centers and ESX Servers.


VCenterOperator permissions

| Operation | Object type | Resource type | Resource |
|---|---|---|---|
| view | attributegroup | managedsystemgroup | *VMWARE_VI_AGENT, *VMWARE_VI |
| view | event | managedsystemgroup | *VMWARE_VI_AGENT, *VMWARE_VI |

