IBM Tivoli Monitoring, Version 6.3 Fix Pack 2
Authorization and authentication
User authentication can be enabled through either the hub Tivoli Enterprise Monitoring Server, or the Tivoli Enterprise Portal Server.
If authentication is enabled through the hub monitoring server, user IDs can be authenticated either by the local operating system registry or by an external LDAP-enabled central registry. User IDs that need to make SOAP server requests (including user IDs that issue tacmd CLI commands that invoke SOAP server methods) can be authenticated only through the hub monitoring server.
If authentication is enabled through the Tivoli Enterprise Portal Server, user IDs are authenticated against an external LDAP-enabled registry. User IDs that require single sign-on (SSO) capability must be authenticated through the portal server and mapped to unique user identifiers in an LDAP registry shared by all SSO-eligible Tivoli applications.
If you are using Dashboard Application Services Hub with monitoring applications such as the following:
- IBM Infrastructure Management Dashboards for Servers
- IBM Infrastructure Management Dashboards for VMware
- IBM Infrastructure Management Capacity Planner for VMware
- IBM Infrastructure Management Capacity Planner for PowerVM
- custom dashboards
then you should enable user authentication through the portal server and configure single sign-on if you want to grant your dashboard users different permissions for viewing monitored resources.
If you do not configure single sign-on, all dashboard users will see the same set of monitored resources.
The Performance Monitoring service provider component of the Tivoli Enterprise Monitoring Automation Server does not use the user registries configured for the hub monitoring server or portal server to authenticate users. If you want the Performance Monitoring service provider to authenticate HTTP GET requests that it receives from OSLC client applications, you must configure it to use the Security Services component of Jazz for Service Management. Security Services is an optional Jazz for Service Management component that enables non-WebSphere based applications such as the Performance Monitoring service provider to participate in LTPA based single sign-on.
User authentication should not be enabled until at least a basic installation of Tivoli Management Services components and IBM Tivoli Monitoring base agents has been completed and tested. For instructions on enabling authentication, see the IBM Tivoli Monitoring Administrator's Guide.
Tivoli Enterprise Portal authorization is controlled by user accounts defined to the portal server. In addition to defining the user IDs that are authorized to log on to the Tivoli Enterprise Portal, these accounts define the permissions that determine the Tivoli Enterprise Portal features a user is authorized to see and use, the monitored applications the user is authorized to see, and the Navigator views (and the highest level within a view) the user can access.
An initial sysadmin user ID with full administrator authority is provided during installation so you can log in to the Tivoli Enterprise Portal and add more user accounts. (For information on creating user accounts and setting user permissions, see the Using Tivoli Enterprise Portal user authorization chapter in the IBM Tivoli Monitoring Administrator's Guide.) No password is required to log on to the Tivoli Enterprise Portal, unless user authentication is enabled.
You have two options for authorizing the monitoring resources that can be viewed by users who are using dashboard applications such as IBM Infrastructure Management Dashboards for Servers or custom dashboards:
- Use the Tivoli Authorization Policy Server and tivcmd CLI to create roles and permissions, which are collectively called authorization policies.
  These authorization policies control which managed systems and managed system groups a dashboard user can view. Roles are created for job functions, and permissions to view specific managed systems or managed system groups are assigned to roles. Users acquire permissions based on the role (or roles) that they belong to. Users can be assigned to roles directly, or the user groups that they are members of can be assigned to roles. The permissions also specify the type of object that can be viewed for a managed system or managed system group. The supported object types are event (for situation events) and attribute group (for monitoring data retrieved from an agent).
  The following tasks must be performed to use authorization policies:
  - Install the Tivoli Authorization Policy Server into Dashboard Application Services Hub.
  - Install the tivcmd CLI on systems accessible to the administrators who will create and work with authorization policies.
  - Administrators use the tivcmd CLI to create authorization policies for dashboard users or user groups.
  - After the authorization policies have been created for the current set of dashboard users, you must reconfigure the portal server to enable authorization policies.
    This step causes the portal server to retrieve the authorization policies from the Authorization Policy Server and to start enforcing them in the dashboard data provider. If Tivoli Enterprise Portal permissions and monitored application assignments are also configured for the dashboard user, those permissions are ignored because the authorization policies take precedence.
  For more information on creating and working with authorization policies, see Role based authorization policy in the IBM Tivoli Monitoring Administrator's Guide.
- Use Tivoli Enterprise Portal permissions and monitored application assignments for your dashboard users.
  If authorization policies are not enabled in the portal server configuration, the dashboard data provider defaults to using Tivoli Enterprise Portal permissions and monitored application assignments for authorizing dashboard user requests from Dashboard Application Services Hub.
  With this option, you create Tivoli Enterprise Portal users for each of your dashboard users using the Tivoli Enterprise Portal User Administration dialog. Using the same dialog, you can grant a user permission to view events and assign the user one or more monitored applications they can view. These steps can also be performed using the tacmd Command Line Interface. See the Using Tivoli Enterprise Portal user authorization chapter in the IBM Tivoli Monitoring Administrator's Guide and the Command Reference for more details.
Tivoli Enterprise Portal authorization is less granular than authorization policies.
While authorization policies allow you to grant a dashboard user permission to view only specific managed systems or members of specific managed system groups, Tivoli Enterprise Portal authorization is at the monitored application level. In other words, a user is assigned permission to view all managed systems of a particular monitoring application type, for example all Windows OS agents.
When you are initially setting up your monitoring and dashboard environment, IBM recommends starting with Tivoli Enterprise Portal permissions and monitored application assignments. After you are able to see monitoring data in Dashboard Application Services Hub, and your administrators have created authorization policies, then reconfigure the portal server to start using authorization policies.
If your dashboard users are also going to access the Tivoli Enterprise Portal client, the set of monitored resources they can view in dashboards might be different from the monitored resources they can view in the Tivoli Enterprise Portal client. This can occur if the permissions are inconsistent or the authorization policies are more restrictive.
- Example of inconsistent permissions: Assume the user is granted permission to view a subset of Windows OS agents in Dashboard Application Services Hub using authorization policies, but the user is not assigned the Windows OS monitoring application in their Tivoli Enterprise Portal permissions.
  In this scenario, the user will see their authorized Windows OS agents in the dashboards, but they will not see any Windows OS agents when they access the Tivoli Enterprise Portal client.
- Example of more restrictive authorization policies: Assume the user is granted permission to view a subset of Windows OS agents in Dashboard Application Services Hub using authorization policies, and the user is assigned the Windows OS monitoring application in their Tivoli Enterprise Portal permissions. In this scenario, the user will see the authorized Windows OS agents in the dashboards but they will see all Windows OS agents when they access the Tivoli Enterprise Portal client.
Dashboard user authorization is also affected by the configuration of the dashboard data provider connection in Dashboard Application Services Hub.
- If the connection is configured for single sign-on, the dashboard users see the monitored resources they have been authorized to view using either authorization policies, when they are enabled, or Tivoli Enterprise Portal monitored application assignments.
- If the connection is not configured for single sign-on, the Dashboard Application Services Hub always passes the username configured for the connection to the dashboard data provider. Therefore, authorization is performed for the user configured for the connection, and not the user who is logged into Dashboard Application Services Hub. In this case, all dashboard users will see the same set of monitored resources.
Because of this behavior, you should configure the dashboard data provider connection for single sign-on if you want to grant different permissions to your dashboard users. Single sign-on is not required if you want all of your dashboard users to have the same authorizations.
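As an added illustrative model, not IBM code and not the product's actual implementation, the following Python codifies the three rules described above (application-level Tivoli Enterprise Portal permissions, system- and group-level authorization policies that take precedence when enabled, and the connection's username standing in for the logged-in user when single sign-on is off) and reproduces the two Windows OS examples; all managed system, group and user names are constructed.

```python
"""Illustrative model, added here and not IBM code, of how the dashboard data
provider and the Tivoli Enterprise Portal client arrive at different visible
resource sets under the rules described on this page. All names are constructed."""
from dataclasses import dataclass, field

# Constructed inventory: managed system -> monitored application type.
MANAGED_SYSTEMS = {
    "WINSRV01:NT": "Windows OS", "WINSRV02:NT": "Windows OS",
    "WINSRV03:NT": "Windows OS", "LNXSRV01:LZ": "Linux OS",
}
# Constructed managed system group membership.
GROUPS = {"Win_Prod": {"WINSRV01:NT", "WINSRV02:NT"}}

@dataclass
class TepUser:
    """Tivoli Enterprise Portal account: monitored application assignments."""
    applications: set = field(default_factory=set)

@dataclass
class Role:
    """Authorization-policy role: permissions on systems and groups."""
    systems: set = field(default_factory=set)
    groups: set = field(default_factory=set)

def tep_visible(user):
    """TEP authorization is application-level: every system of an assigned type."""
    return {ms for ms, app in MANAGED_SYSTEMS.items() if app in user.applications}

def policy_visible(roles):
    """Authorization policies are per managed system or managed system group."""
    visible = set()
    for role in roles:
        visible |= role.systems
        for group in role.groups:
            visible |= GROUPS.get(group, set())
    return visible

def dashboard_visible(login_user, tep_users, roles, policies_enabled, sso, conn_user):
    """Dashboard data provider: which systems a dashboard request may see."""
    # Without SSO the connection's configured username is authorized, not the
    # logged-in dashboard user, so every dashboard user gets the same set.
    effective = login_user if sso else conn_user
    if policies_enabled:
        # Policies take precedence; TEP assignments are ignored entirely.
        return policy_visible(roles.get(effective, []))
    return tep_visible(tep_users.get(effective, TepUser()))
```

Comparing `dashboard_visible(...)` with `tep_visible(...)` for the same user shows the mismatch the two examples describe, and toggling `sso` shows why a non-SSO connection gives every dashboard user the same view.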