IBM Tivoli Monitoring, Version 6.3 Fix Pack 2
Use Tivoli Enterprise Portal user authorization
Every portal work session begins with a successful logon and connection to the Tivoli Enterprise Portal. The logon user IDs and user groups are created and profiled through the Administer Users window.
Administer Users is a multi-tabbed, two-paned window. The top frame has two tabs, Users and User Groups, which list the user IDs, the distinguished names (if the portal server is configured for authentication to an LDAP user registry), and the user groups that are stored on the portal server. The profile of the selected user or user group is reflected in the bottom frame:
- Permissions has a list of the portal features in the Authorities box. On the right are the possible operations for the selected feature. A selected check box means the selected user or user group has permission to perform that operation; an indicator next to the check box means the permission was added to a user group the user belongs to.
- Applications shows all the applications being monitored and that are available for assigning to the user or user group. One user or user group, for example, can be profiled to see only the OMEGAMON applications, another to see only Linux and Oracle, middleware, and another to see all applications.
- Navigator Views shows all the Navigator views that are on the portal server and that are available for assigning to the user or user group. The user or user group can be restricted to seeing only a certain branch of a Navigator view rather than the entire hierarchy.
- Member of, when the Users tab is selected, or Members, when the User Groups tab is selected, is a list of the groups the user belongs to or the user names in the group.
The User Administration function enables you to maintain user IDs and user groups on the portal server. It provides varying degrees of access to the features and views of your monitored environment to accommodate any combination of job roles, such as operators who respond to alerts and direct them to the appropriate person for handling, and administrators who plan, design, customize, and manage the monitoring environment.
In some managed enterprises one person might assume all of these roles. In larger enterprises, the roles are often divided. You can choose to assign roles by individual user or by user type or both.
Tivoli Enterprise Portal user IDs are also required for users who access monitoring dashboards in IBM Dashboard Application Services Hub. How you manage dashboard users depends on the type of authorization configured in the portal server and whether the dashboard users will also use the Tivoli Enterprise Portal client. There are two types of authorization that can be configured for controlling access to monitored resources in IBM Dashboard Application Services Hub:
- Role-based authorization policies: These policies are created using the tivcmd Command-Line Interface for Authorization Policy. They provide more granular authorization than Tivoli Enterprise Portal monitoring application assignments. Using role-based authorization policies, you can assign a user permission to view specific managed system groups or managed systems. When role-based authorization policies are enabled in the portal server, dashboard users need a Tivoli Enterprise Portal user ID but do not require any Tivoli Enterprise Portal permissions or monitoring application assignments unless they are also Tivoli Enterprise Portal client users. In this case, role-based authorization policies control what resources they can access in the monitoring dashboards, and Tivoli Enterprise Portal permissions and monitoring application assignments control what they can access in the Tivoli Enterprise Portal client.
- Tivoli Enterprise Portal authorization: This is the default authorization mechanism for dashboard users. A dashboard user must have a Tivoli Enterprise Portal user ID and be assigned the permissions and monitoring applications to control their access to resources in monitoring dashboards. If a dashboard user is also a Tivoli Enterprise Portal client user, then they are assigned a single set of permissions that control what monitored resources they can access in both applications.

Configuring the portal server and Dashboard Application Services Hub to share an LDAP user registry is the best practice approach for having a federated set of dashboard users and Tivoli Enterprise Portal client users. In this scenario, the dashboard users log in to the dashboard hub with their LDAP username and you must map their LDAP distinguished name to a Tivoli Enterprise Portal user ID with the required permissions.
Tivoli Enterprise Portal user IDs are automatically created with no permissions if a dashboard user requests monitoring data and does not have a user ID mapped to their distinguished name. See Notes on user administration for more details.
- Administer Users
Your user ID and the user groups you are a member of are profiled with a set of permissions that determines which Tivoli Enterprise Portal features you are authorized to see and use, a list of monitored applications you are authorized to see, and a list of Navigator views (and the highest level within a view) you can access.
- Manage user IDs
Managing user IDs begins with planning the authorities to grant to users and whether they will belong to user groups.
- Manage user groups
User groups enable the administrator to authorize the same set of functional permissions, applications, and Navigator views to multiple users at one time. Management of user authorization can be done by groups as well as individually.
- Notes on user administration
Read these notes to understand the user ID contribution to Tivoli Enterprise Portal functions and modes.
- Troubleshooting logon error messages
Logon prompts and progress messages are displayed in the Logon window status bar. If a user cannot log on, a message is displayed.