IBM Tivoli Monitoring > Version 6.3 Fix Pack 2 > Administrator's Guide > Use role-based authorization policies > Policy management scenarios

IBM Tivoli Monitoring, Version 6.3 Fix Pack 2

---

Create and assign policy distributor roles

When you setup a new dashboard environment, user IDs must be created in the LDAP user registry for each dashboard user and policy administrator. You also need a user ID that is granted permission to distribute policies. This user ID must be specified when enabling authorization policies in the portal server. The portal server includes that user ID in the requests that it sends to the Authorization Policy Server to download the latest authorization policies. The Authorization Policy Server verifies that the user has permission to retrieve the policies. IBM Tivoli Monitoring provides the predefined PolicyDistributor role that has this permission already. Administrators can create new roles with this permission, or use the predefined role.

Any roles that are used for policy distribution must have the following permission:

Policy distribution permission definition
Parameter	Value
Operation	'distribute'
Object Type	'role'
Resource Type	'rolegroup'
Resource	'default'

Procedure

• To assign a user the predefined PolicyDistributor role, use the following steps:

  1. Define a user in LDAP, for example uid=PolicyAdmin,cn=itm,o=ibm.

  2. Add the user to the predefined PolicyDistributor role using the following command:

     tivcmd addtorole --rolename PolicyDistributor 
         --users uid=PolicyAdmin,cn=itm,o=ibm 

• To create a new role with the same permission as the PolicyDistributor role, use the following steps:

  1. Define a user in LDAP, for example uid=PolicyAdmin,cn=itm,o=ibm

  2. Create a new role with the policy distribute permission and assign it to the user using the following commands:

     tivcmd createrole --rolename EastCoastDistributor --description 
     "East Coast user IDs for downloading policy"
     
     tivcmd CLI> grant --rolename EastCoastDistributor --resourcetype rolegroup 
     --resources default --objecttype role --operations distribute
     
     tivcmd CLI> addtorole --rolename EastCoastDistributor 
     --users uid=PolicyAdmin,cn=itm,o=ibm

  3. Alternatively, you can duplicate the existing PolicyDistributor role using the following commands:

     tivcmd copyrole --fromrolename PolicyDistributor --torolename 
     EastCoastDistributor --description "East Coast user IDs to 
     download policy" --permissionsonly
     
     tivcmd CLI> addtorole --rolename EastCoastDistributor 
         --users uid=PolicyAdmin,cn=itm,o=ibm

Parent topic:

Policy management scenarios

---

+

Search Tips   |   Advanced Search