
IBM Tivoli Monitoring, Version 6.3 Fix Pack 2


Tivoli Authorization Policy Server

The Authorization Policy Server allows you to define roles and permissions, which control the access that dashboard users have to managed systems and managed system groups displayed in monitoring dashboards of the IBM Dashboard Application Services Hub.

The Authorization Policy support consists of two installable components: the Authorization Policy Server and the tivcmd command-line interface (CLI).

The Authorization Policy Server must be installed on the same system as an IBM Dashboard Application Services Hub. The tivcmd CLI is used by administrators to create and work with roles and permissions. It can be installed on the same system as the Authorization Policy Server, or it can be installed on an administrator's computer and communicate via HTTP or HTTPS to the Authorization Policy Server.

The Authorization Policy Server and the tivcmd CLI follow the role-based access control (RBAC) standard. According to this standard, roles are created for job functions, and permissions are assigned to roles. RBAC simplifies common security administration functions such as adding users or changing a user's department because individual users are not assigned permissions directly. Instead, a user acquires permissions based on the role (or roles) that user belongs to.

The Authorization Policy Server provides more granular access control than Tivoli Enterprise Portal user management permissions and application assignments. For example, Tivoli Enterprise Portal user management allows you to assign application types such as Windows OS to users or user groups. This assignment allows those users or user groups to view all Windows OS agent managed systems in the Tivoli Enterprise Portal client or in the Dashboard Application Services Hub. However, the Authorization Policy Server can be used to create roles and permissions that allow users or user groups to view data from either specific managed systems or from any managed system in specific managed system groups. For example, you can use Tivoli Enterprise Portal or the tacmd CLI to create a managed system group called easternregion that contains only the Windows OS agents at your eastern region data center. Then you can use the tivcmd CLI to create a role that has permission to view the managed systems in the easternregion managed system group. When users or user groups are assigned to this role, they see only the easternregion managed system group and its members in the Dashboard Application Services Hub.

Enforcement of authorization policies occurs in the dashboard data provider component of the Tivoli Enterprise Portal Server whenever a dashboard user attempts to view a situation event, or to display attribute data from a monitoring agent or managed system group. To avoid delays caused by querying the master policy file store across the network, the dashboard data provider downloads its own local copy of the policy file store from the Authorization Policy Server and uses it for authorization checking.

When a V6.3 Tivoli Enterprise Portal Server is installed, authorization policy enforcement is disabled by default. When it is disabled, the dashboard data provider uses Tivoli Enterprise Portal user management permissions and application assignments to determine what agent types the dashboard users are allowed to view. At a later time, after your dashboard environment is working and your administrators have defined an appropriate set of roles and permissions, you can enable authorization policy enforcement by reconfiguring the Tivoli Enterprise Portal Server. Once authorization policy enforcement is enabled in the portal server, the dashboard data provider uses the authorization policies instead of Tivoli Enterprise Portal permissions and application assignments to determine what monitoring resources a dashboard user can access.

Authorization policies only control what monitoring resources a user can access in Dashboard Application Services Hub. If a dashboard user also uses the Tivoli Enterprise Portal, they might see a different set of resources because the portal client uses Tivoli Enterprise Portal user management permissions and application assignments to determine what resources a user can access.
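To make the two decision paths concrete, here is a small Python model, added here and not IBM code, of the check the dashboard data provider performs against its local policy copy: with enforcement disabled it falls back to application-type assignments, with enforcement enabled only the role's managed system group decides. All managed system names, users, and the role are constructed for the example.

```python
from dataclasses import dataclass, field

# Constructed sample inventory (hypothetical names): managed system -> application type.
MANAGED_SYSTEMS = {
    "nyc-win01:NT": "Windows OS", "bos-win02:NT": "Windows OS",
    "sfo-win03:NT": "Windows OS", "nyc-lnx01:LZ": "Linux OS",
}
# Managed system group from the page's example: only eastern-region Windows OS agents.
MANAGED_SYSTEM_GROUPS = {"easternregion": {"nyc-win01:NT", "bos-win02:NT"}}
# Tivoli Enterprise Portal user-management application assignments (the fallback when
# authorization policy enforcement is disabled): user -> application types.
TEP_APPLICATIONS = {"alice": {"Windows OS"}}

@dataclass
class Permission:
    """View permission on one managed system ("system") or a whole group ("group")."""
    kind: str
    name: str

@dataclass
class PolicyStore:
    """Stand-in for the dashboard data provider's local copy of the policy file store."""
    roles: dict = field(default_factory=dict)        # role name -> [Permission]
    assignments: dict = field(default_factory=dict)  # user -> {role name}

    def expand(self, perm):
        if perm.kind == "system":
            return {perm.name}
        return set(MANAGED_SYSTEM_GROUPS.get(perm.name, ()))  # unknown group grants nothing

    def viewable_systems(self, user):
        # RBAC: the user never holds permissions directly, only via assigned roles.
        allowed = set()
        for role in self.assignments.get(user, ()):
            for perm in self.roles.get(role, ()):
                allowed |= self.expand(perm)
        return allowed

def can_view(user, system, policy, enforcement_enabled):
    """Decision the dashboard data provider makes before showing data for `system`."""
    if not enforcement_enabled:
        # Default after install: application-type assignments decide (all Windows OS agents visible).
        return MANAGED_SYSTEMS.get(system) in TEP_APPLICATIONS.get(user, set())
    return system in policy.viewable_systems(user)

# Constructed role/assignment set: one role scoped to the easternregion group.
POLICY = PolicyStore(
    roles={"EasternOps": [Permission("group", "easternregion")]},
    assignments={"alice": {"EasternOps"}},
)
```

Compare `can_view("alice", "sfo-win03:NT", POLICY, False)` with the same call under enforcement to see the narrowing the page describes.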
