IBM Tivoli Monitoring, Version 6.3 Fix Pack 2
Policy management scenarios
In the Tivoli Authorization Policy Server, there is no universal permission that can be assigned to a role to give a user access to everything. Roles must be given explicit access to specific managed system groups or managed systems. Also, a dashboard user can see resources in monitoring dashboards only if that user is assigned to a role with access to those managed system groups or managed systems.
- Best practices for creating authorization policies
Review the best practices for creating authorization policies in your environment.
- Create and assign administrator roles
When the Authorization Policy Server is installed, a Dashboard Application Services Hub administrative user is assigned to the predefined RoleAdministrators role. Typically, this is smadmin. You can add your own administrative users to the predefined RoleAdministrator role, or create your own custom roles with the same permissions.
- Create and assign policy distributor roles
When you set up a new dashboard environment, user IDs must be created in the LDAP user registry for each dashboard user and policy administrator. You also need a user ID that is granted permission to distribute policies. This user ID must be specified when you enable authorization policies in the portal server. The portal server includes that user ID in the requests that it sends to the Authorization Policy Server to download the latest authorization policies, and the Authorization Policy Server verifies that the user has permission to retrieve them. IBM Tivoli Monitoring provides the predefined PolicyDistributor role that already has this permission. Administrators can create new roles with this permission, or use the predefined role.
- Policy management examples
The objective of authorization policies is to give you granular control over your monitored resources. When you set up a new dashboard environment, the dashboard user IDs must be created in the LDAP user repositories. Best practice is also to set up LDAP groups that contain the users to be assigned to authorization policy roles; assigning a group to a role is easier to manage than assigning each individual user ID to a role. Use the examples in this topic to help you get started with your policies.