IBM Tivoli Monitoring, Version 6.3 Fix Pack 2
Create and assign administrator roles
When the Authorization Policy Server is installed, a Dashboard Application Services Hub administrative user is assigned to the predefined RoleAdministrator role. Typically, this is smadmin. You can add your own administrative users to the predefined RoleAdministrator role, or create your own custom roles with the same permissions.
A best practice is to create a user group in LDAP for your policy administrators and assign the user group to the roles that have permission to create and work with authorization policies. By taking this approach, you only update the group membership (and not the authorization policies) when you add or remove policy administrators.
Any roles that are used for role administration must have the following permission:
Role administration permission definition

| Parameter     | Value                                              |
|---------------|----------------------------------------------------|
| Operation     | 'create', 'delete', 'modify', 'view', 'viewall'    |
| Object Type   | 'role'                                             |
| Resource Type | 'rolegroup'                                        |
| Resource      | 'default'                                          |
Procedure
- To assign a user or user group the predefined RoleAdministrator role, use the following steps:
  - Define a user in LDAP, for example uid=JohnDoe,cn=itm,o=ibm, or define a user group, for example cn=Administrators,cn=itm,o=ibm. Then add the policy administrator user ID, such as uid=JohnDoe,cn=itm,o=ibm, to the group in LDAP.
  - Add the user group to the predefined RoleAdministrator role using the following command:

    tivcmd addtorole --rolename RoleAdministrator --groups cn=Administrators,cn=itm,o=ibm

    Alternatively, add the user to the predefined RoleAdministrator role using the following command:

    tivcmd addtorole --rolename RoleAdministrator --users uid=JohnDoe,cn=itm,o=ibm
- To create a new role with the same permission as the RoleAdministrator role, use the following steps:
  - Define a user in LDAP, for example uid=JohnDoe,cn=itm,o=ibm, or define a group in LDAP, for example cn=Administrators,cn=itm,o=ibm, and then add the policy administrator user IDs to the group in LDAP.
  - Create a new role and add the permissions to create and work with authorization policies to the new role. Then assign the user or user group to the new role. The following example commands show how to add users and groups to the custom role for policy administration (the second and third commands are entered at the interactive tivcmd CLI prompt):

    tivcmd createrole --rolename EastCoastAdministrators --description "East Coast users with permission to manage roles and policies"
    tivcmd CLI> grant --rolename EastCoastAdministrators --resourcetype rolegroup --resources default --objecttype role --operations create delete modify view viewall
    tivcmd CLI> addtorole --rolename EastCoastAdministrators --users uid=JohnDoe,cn=itm,o=ibm --groups cn=Administrators,cn=itm,o=ibm
- Alternatively, you can duplicate the existing RoleAdministrator role and assign the new role to the user group using the following commands:
    tivcmd copyrole --fromrolename RoleAdministrator --torolename EastCoastAdministrators --description "East Coast users allowed to administer roles and policies for this authorization policy server" --permissionsonly
    tivcmd CLI> addtorole --rolename EastCoastAdministrators --groups cn=Administrators,cn=itm,o=ibm
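The following is an added example, not IBM's code and not the Authorization Policy Server's implementation: a small in-memory model of the role-based authorization this page describes. It covers both the best-practice paragraph (assign LDAP groups, not individual users, to administrative roles) and the two procedures above. A role carries permissions defined by the four parameters in the permission table (operation, object type, resource type, resource) and is assigned to LDAP users and/or groups; the `copyrole` helper mimics `--permissionsonly`. The DNs and role names are the ones on this page; the smadmin DN is a constructed placeholder.

```python
# Added example (not IBM's code): a toy model of role-based authorization as
# described on this page. Constructed scenario data; smadmin DN is a placeholder.
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Permission:
    operations: frozenset   # e.g. {'create', 'delete', 'modify', 'view', 'viewall'}
    objecttype: str         # e.g. 'role'
    resourcetype: str       # e.g. 'rolegroup'
    resource: str           # e.g. 'default'

    def allows(self, operation, objecttype, resourcetype, resource):
        # A request matches only when all four parameters match.
        return (operation in self.operations and objecttype == self.objecttype
                and resourcetype == self.resourcetype and resource == self.resource)


@dataclass
class Role:
    name: str
    description: str = ""
    permissions: set = field(default_factory=set)
    users: set = field(default_factory=set)    # user DNs assigned directly
    groups: set = field(default_factory=set)   # LDAP group DNs assigned to the role


# The permission every role-administration role must hold (from the table above).
ROLE_ADMIN_PERMISSION = Permission(
    frozenset({"create", "delete", "modify", "view", "viewall"}),
    "role", "rolegroup", "default")


class PolicyStore:
    """Models the tivcmd subcommands used on this page: createrole, grant,
    addtorole, copyrole. ldap_groups maps group DN -> set of member user DNs."""

    def __init__(self, ldap_groups):
        self.roles = {}
        self.ldap_groups = ldap_groups

    def createrole(self, rolename, description=""):
        if rolename in self.roles:
            raise ValueError(f"role {rolename} already exists")
        self.roles[rolename] = Role(rolename, description)
        return self.roles[rolename]

    def grant(self, rolename, permission):
        self.roles[rolename].permissions.add(permission)

    def addtorole(self, rolename, users=(), groups=()):
        self.roles[rolename].users.update(users)
        self.roles[rolename].groups.update(groups)

    def copyrole(self, fromrolename, torolename, description="", permissionsonly=False):
        # Copies permissions; members are copied too unless permissionsonly is set.
        src = self.roles[fromrolename]
        dst = self.createrole(torolename, description)
        dst.permissions = set(src.permissions)
        if not permissionsonly:
            dst.users, dst.groups = set(src.users), set(src.groups)
        return dst

    def roles_for(self, user_dn):
        # Roles held directly or through membership in an assigned LDAP group.
        member_of = {g for g, members in self.ldap_groups.items() if user_dn in members}
        return {r.name for r in self.roles.values()
                if user_dn in r.users or (r.groups & member_of)}

    def is_authorized(self, user_dn, operation, objecttype, resourcetype, resource):
        return any(p.allows(operation, objecttype, resourcetype, resource)
                   for name in self.roles_for(user_dn)
                   for p in self.roles[name].permissions)


ADMIN_GROUP = "cn=Administrators,cn=itm,o=ibm"
JOHN = "uid=JohnDoe,cn=itm,o=ibm"


def build_scenario():
    # Predefined role, a permissions-only copy, and the LDAP group assigned to it.
    store = PolicyStore({ADMIN_GROUP: {JOHN}})
    store.createrole("RoleAdministrator", "predefined role")
    store.grant("RoleAdministrator", ROLE_ADMIN_PERMISSION)
    store.addtorole("RoleAdministrator", users={"uid=smadmin,cn=itm,o=ibm"})  # placeholder DN
    store.copyrole("RoleAdministrator", "EastCoastAdministrators",
                   "East Coast users allowed to administer roles and policies",
                   permissionsonly=True)
    store.addtorole("EastCoastAdministrators", groups={ADMIN_GROUP})
    return store


def offboarding_demo():
    # Removing JohnDoe from the LDAP group revokes access; no role is edited.
    store = build_scenario()
    before = store.is_authorized(JOHN, "create", "role", "rolegroup", "default")
    store.ldap_groups[ADMIN_GROUP].discard(JOHN)
    after = store.is_authorized(JOHN, "create", "role", "rolegroup", "default")
    return before, after


if __name__ == "__main__":
    print(offboarding_demo())   # (True, False)
```

`offboarding_demo` is the point of the best-practice paragraph: with the group assigned to the role, onboarding and offboarding a policy administrator is an LDAP change only, and the authorization policies stay untouched. Note also that the permissions-only copy has no members until `addtorole` is run, which is why the page pairs `copyrole --permissionsonly` with an explicit `addtorole`.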