
IBM Tivoli Monitoring, Version 6.3 Fix Pack 2


Create policies for specific IBM Tivoli Monitoring domains

In a multi-domain deployment, the best practice is to grant access to users through roles whose permissions differentiate access by domain, so that what a user may see in one hub's domain does not implicitly extend to another.

Any policy that is used for a specific IBM Tivoli Monitoring domain must include a permission definition of the following form:

Managed System Group or Managed System permission definition

    Parameter      Value
    Domain         'any' or a specific domain name
    Operation      'view'
    Object Type    'attributegroup', 'event'
    Resource Type  'managedsystemgroup', 'managedsystem'
    Resource       managed_system_name or managed_system_group_name

Specifying a value of 'any' for the domain parameter, or omitting it, indicates that the permission applies to all domains.


Example: Creating common policies and domain specific policies

This example demonstrates how to grant a user access to all the UNIX OS agents from one particular domain but not those of another domain. The *ALL_UNIX managed system group is created automatically and managed by each hub monitoring server. In addition, an administrator is granted access to all UNIX OS systems across all domains.

The following managed system groups are used in this example:

Managed System Groups

    Type                 Domain          Name
    managedsystemgroup   itm.eastcoast   *ALL_UNIX
    managedsystemgroup   itm.westcoast   *ALL_UNIX

The following steps define the LDAP users and groups, the roles, and the permissions used in this example:

  1. Define a user in LDAP, for example uid=John,cn=itm,o=ibm and define a group in LDAP, for example cn=EastCoastMachineUsers,cn=itm,o=ibm, and then add the user ID to the group in LDAP.

  2. Define a user in LDAP, for example uid=Jane,cn=itm,o=ibm and define a group in LDAP, for example cn=WestCoastMachineUsers,cn=itm,o=ibm, and then add the user ID to the group in LDAP.

  3. Define a user in LDAP, for example uid=Joe,cn=itm,o=ibm and define a group in LDAP, for example cn=SuperAdministratorUsers,cn=itm,o=ibm, and then add the user ID to the group in LDAP.

  4. Create new roles:

      tivcmd createrole --rolename EastCoastOperators --description 
      "East Coast users with permission to access the east coast machines 
      for the itm.eastcoast domain"
      
      tivcmd createrole --rolename WestCoastOperators --description
      "West Coast users with permission to access the west coast machines 
      for the itm.westcoast domain"
      
      tivcmd createrole --rolename SuperAdministrator --description
      "Users with permission to access machines from all domains"

  5. Grant attribute group and event access to the *ALL_UNIX managed system group for the itm.eastcoast domain to the EastCoastOperators role:

      tivcmd grant --rolename EastCoastOperators --resourcetype 
      managedsystemgroup --resources "*ALL_UNIX" 
      --objecttype attributegroup --operations view --domain itm.eastcoast
      
      tivcmd grant --rolename EastCoastOperators --resourcetype 
      managedsystemgroup --resources "*ALL_UNIX" 
      --objecttype event --operations view --domain itm.eastcoast 

  6. Grant attribute group and event access to the *ALL_UNIX managed system group for the itm.westcoast domain to the WestCoastOperators role:

      tivcmd grant --rolename WestCoastOperators --resourcetype
      managedsystemgroup --resources "*ALL_UNIX" --objecttype 
      attributegroup --operations view --domain itm.westcoast
      
      tivcmd grant --rolename WestCoastOperators --resourcetype
      managedsystemgroup --resources "*ALL_UNIX" --objecttype event 
      --operations view --domain itm.westcoast

  7. Grant attribute group and event access to the *ALL_UNIX managed system group for all domains to the SuperAdministrator role:

      tivcmd grant --rolename SuperAdministrator --resourcetype
      managedsystemgroup --resources "*ALL_UNIX"
      --objecttype attributegroup --operations view --domain any 
      
      tivcmd grant --rolename SuperAdministrator --resourcetype
      managedsystemgroup --resources "*ALL_UNIX"
      --objecttype event --operations view --domain any

  8. Assign the LDAP groups defined in steps 1 to 3 to the new roles:

      tivcmd addtorole --rolename EastCoastOperators --groups 
      cn=EastCoastMachineUsers,cn=itm,o=ibm
      
      tivcmd addtorole --rolename WestCoastOperators --groups 
      cn=WestCoastMachineUsers,cn=itm,o=ibm
      
      tivcmd addtorole --rolename SuperAdministrator --groups 
      cn=SuperAdministratorUsers,cn=itm,o=ibm

When a user in the EastCoastOperators group accesses the Server Dashboards page in the Dashboard Application Services Hub for the itm.eastcoast domain, they see the *ALL_UNIX managed system group and its members for this domain. If the same user logs into the Dashboard Application Services Hub for the itm.westcoast domain, they will not see the *ALL_UNIX managed system group.

When a user in the WestCoastOperators group accesses the Server Dashboards page in the Dashboard Application Services Hub for the itm.westcoast domain, they see the *ALL_UNIX managed system group and its members for this domain. If the same user logs into the Dashboard Application Services Hub for the itm.eastcoast domain, they will not see the *ALL_UNIX managed system group.

When a user in the SuperAdministrator group accesses the Server Dashboards page in the Dashboard Application Services Hub for either domain, they see the *ALL_UNIX managed system group and its members for the domain connected to that dashboard server, because the permission was granted with a domain of 'any'.


Example: Creating authorization policies for common managed system groups

If you have the same managed system group names in multiple domains and you want dashboard users to view data from those managed system groups for all domains, create a role and grant permissions as shown in the example commands below:

Because the --domain argument is not specified on the grant command example above, the authorization policy applies to all domains. As a result, any user or user group assigned to the WindowsAdministrators role can view data from the DataCenterServers managed system group in all domains.


Example: Using a common role to manage domain-specific resources

If you do not have the same managed system group names in multiple domains, but you have users or user groups that perform the same role for multiple domains, you can create a common role with domain-specific permissions as shown in the example commands below:

In this case, any user or user group assigned to the LinuxRegionalOperators role can view data from the managed system group SeattleServers when they are logged into the Dashboard Application Services Hub for the itm.HUB_west domain and can view the data from the managed system group BostonServers when they are logged into the Dashboard Application Services Hub for the itm.HUB_east domain.


Example: Creating a domain specific authorization policy

For those roles that are not common across domains, you can create a role that only has permissions for a single domain as shown in the example commands below:

In this scenario, a user or user group assigned to the ChicagoDataCenterOperators role can only view data from a managed system group in a single domain.
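The example commands that the three sections above refer to (common managed system group names across all domains, a common role with domain-specific permissions, and a single-domain role) are not present on this page. The following POSIX sh script is an added example, not IBM's own code, that reconstructs them from the grant pattern of the first example: a helper issues the attributegroup and event 'view' grants every dashboard policy needs, omitting --domain only when the permission is meant to apply to all domains, and a second helper encodes the domain-matching rule the page states so the effect of a grant can be checked before it is applied. The role and managed system group names WindowsAdministrators, DataCenterServers, LinuxRegionalOperators, SeattleServers, BostonServers, ChicagoDataCenterOperators and the domains itm.HUB_west and itm.HUB_east come from the sections above; the Chicago managed system group and domain (ChicagoServers, itm.HUB_chicago), the role descriptions and the LDAP group names are assumed placeholders. With TIVCMD_DRY_RUN=1 (the default) the commands are printed rather than executed.

```shell
#!/bin/sh
# Added example (not from the IBM page): builds the tivcmd commands for the
# three multi-domain policy patterns described above. tivcmd and its
# createrole/grant/addtorole subcommands and flags are as used earlier on the
# page; ChicagoServers, itm.HUB_chicago, the descriptions and the LDAP group
# names below are assumed placeholders.
#
# TIVCMD_DRY_RUN=1 prints each command instead of running it, so the resulting
# policy can be reviewed before it is applied to a live hub.
TIVCMD_DRY_RUN=${TIVCMD_DRY_RUN:-1}

run() {
    if [ "$TIVCMD_DRY_RUN" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# grant_msg_view ROLE GROUP [DOMAIN]
# A dashboard policy on a managed system group needs two grants, one with
# --objecttype attributegroup and one with --objecttype event, both with
# --operations view. An empty DOMAIN omits --domain, which the page defines
# as "applies to all domains"; any other value scopes the grant to that hub.
grant_msg_view() {
    _role=$1; _group=$2; _domain=${3:-}
    for _objtype in attributegroup event; do
        if [ -z "$_domain" ]; then
            run tivcmd grant --rolename "$_role" --resourcetype managedsystemgroup \
                --resources "$_group" --objecttype "$_objtype" --operations view
        else
            run tivcmd grant --rolename "$_role" --resourcetype managedsystemgroup \
                --resources "$_group" --objecttype "$_objtype" --operations view \
                --domain "$_domain"
        fi
    done
}

# policy_domain_matches POLICY_DOMAIN LOGIN_DOMAIN
# The matching rule stated on the page: a permission granted with --domain any
# (or with no --domain at all) applies in every domain; any other value applies
# only when it equals the domain of the hub the dashboard server is connected to.
# Returns 0 when the permission applies to LOGIN_DOMAIN, 1 otherwise.
policy_domain_matches() {
    case $1 in
        ''|any) return 0 ;;
        *)      [ "$1" = "$2" ] ;;
    esac
}

# 1. The same managed system group name exists in every domain: one role,
#    grants without --domain, so the policy applies to all domains.
run tivcmd createrole --rolename WindowsAdministrators \
    --description "Windows administrators for DataCenterServers in all domains"
grant_msg_view WindowsAdministrators DataCenterServers

# 2. One common role whose permissions name a different resource per domain.
run tivcmd createrole --rolename LinuxRegionalOperators \
    --description "Linux operators for the west and east regional hubs"
grant_msg_view LinuxRegionalOperators SeattleServers itm.HUB_west
grant_msg_view LinuxRegionalOperators BostonServers  itm.HUB_east

# 3. A role that only has permissions for a single domain (names assumed).
run tivcmd createrole --rolename ChicagoDataCenterOperators \
    --description "Operators for the Chicago data center hub only"
grant_msg_view ChicagoDataCenterOperators ChicagoServers itm.HUB_chicago

# Assign LDAP groups (assumed names) to the roles, as in step 8 of the first
# example; a role with no users or groups grants nothing.
run tivcmd addtorole --rolename WindowsAdministrators \
    --groups cn=WindowsAdministratorUsers,cn=itm,o=ibm
run tivcmd addtorole --rolename LinuxRegionalOperators \
    --groups cn=LinuxRegionalOperatorUsers,cn=itm,o=ibm
run tivcmd addtorole --rolename ChicagoDataCenterOperators \
    --groups cn=ChicagoDataCenterUsers,cn=itm,o=ibm
```

Review the dry-run output before setting TIVCMD_DRY_RUN to anything else: every grant that prints without a --domain argument is an all-domain permission, so each one should be there deliberately and not because a domain name was left out by mistake.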

