
ITM Agent Access Authorization Group Profile (AAGP)

The Agent Service Interface feature delivered with ITM 6.2.2 was designed to give human and programmatic clients visibility into and control over agent data, commands, and configuration directly, without requiring a TEP or tacmd. Access is provided via an XML over HTTP interface exposed from the HTTP service associated with a particular agent application. To find the service, point your browser to http

The Centralized Configuration Server feature delivered with ITM 6.2.2 FP2 allowed administrators to perform large-scale configuration of autonomous agents by making an https server or the Agent Service Interface of a 6.2.2 FP2 agent available to other agents as a configuration file server. Additionally, it allowed administrative users of an agent's Agent Service Interface to issue requests that would cause the agent to download a file from the Centralized Configuration Server to its file system on demand.

To limit access to the file download request to authorized users, the Access Authorization Group Profile (AAGP) facility was developed and included with FP2 levels of the Agent Service Interface. It is a structured, XML-document-based way of associating groups of users or individual users with the services provided by the Agent Service Interface.

The following are the product-provided default AAGP groups that are automatically loaded upon agent startup:

A. Restricted Group - The default group. The Service Interface category in this group consists of services that provide system information, operation configuration, workload monitoring, and historical data reporting capabilities. All users are in this group, even those that are not specifically defined.

B. Operation Group - This group includes Restricted Group category services and Service Interface services that provide operation control, configuration management, and application customized access capabilities.

C. Administrative Group - This group has access to all Service Interface capabilities, in particular File Object (downloading configuration files on demand) and dynamic updating of the AAGP.

To create your own custom settings, simply create a new AAGP file and make it available from the agent's configured Centralized Configuration Server. The agent will periodically poll for an updated AAGP, download the document, parse it, and load the settings into memory. Note that the agent does not store the file locally.

The format of the file is as follows:
The Restricted group definition is required. If it is not included in the AAGP specification, then the product-provided default specification defined above will be in effect.

The keyword *NONE specified for a component category prohibits all non-explicit users from accessing that component's services. For example, <SIA

If the AAGP specification contains no <AAGROUP> element, then the product-provided default group definitions defined above will be in effect, where the valid groups are RE, OP, and AD. There is no need to define R (restricted) group users, since all users are automatically assigned to the restricted group unless otherwise defined by the AAGP.

Here is an example of a custom AAGP specification:

<AAGP>
  <AAGROUP>
    <GRO
    <SIA
    <SIA
    <SIA
    <SIA
    <SIA
    <SIA
    <SIA
    <SIA
    <SIA
  </AAGROUP>
  <AAGROUP>
    <GRO
    <INC
    <SIA
    <SIA
    <SIA
    <SIA
    <SIA
    <SIA
  </AAGROUP>
  <AAGROUP>
    <GRO
    <INC
    <SIA
    <SIAPI>AAGP</SIAPI>
  </AAGROUP>
  <AAUSER>
    <ID>dyang</ID>
    <ASSIGN>OP</ASSIGN>
  </AAUSER>
  <AAUSER>
    <ID>ksmith</ID>
    <ASSIGN>OP</ASSIGN>
  </AAUSER>
  <AAUSER>
    <ID>jmlake</ID>
    <ASSIGN>AD</ASSIGN>
  </AAUSER>
  <AAUSER>
    <ID>tcharris</ID>
    <ASSIGN>OP</ASSIGN>
  </AAUSER>
  <AAUSER>
    <ID>acwills</ID>
    <ASS
  </AAUSER>
</AAGP>
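
A pre-publication review of the user assignments described above, as an added example that is not part of the original page or of ITM: it reads only the <AAUSER>, <ID> and <ASSIGN> elements shown in the sample, and the function names, the sample document and its user IDs are constructed for illustration. The page does not say how the agent resolves duplicate or unrecognised assignments, so the script reports them for review instead of assuming a behaviour.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

# Group codes the page lists as valid when the default definitions apply.
DEFAULT_GROUPS = {"RE", "OP", "AD"}

# Constructed sample (user IDs invented): no <AAGROUP>, so defaults apply.
SAMPLE_AAGP = """\
<AAGP>
  <AAUSER><ID>opuser1</ID><ASSIGN>OP</ASSIGN></AAUSER>
  <AAUSER><ID>admuser1</ID><ASSIGN>AD</ASSIGN></AAUSER>
  <AAUSER><ID>opuser1</ID><ASSIGN>AD</ASSIGN></AAUSER>
  <AAUSER><ID>typo1</ID><ASSIGN>ADM</ASSIGN></AAUSER>
</AAGP>
"""

def audit_aagp(xml_text):
    """Return (assignments, findings) for the <AAUSER> entries of an AAGP file."""
    root = ET.fromstring(xml_text)
    if root.tag != "AAGP":
        raise ValueError("root element is not <AAGP>")
    # Codes can only be validated against RE/OP/AD when no custom group exists.
    check_codes = root.find("AAGROUP") is None
    assignments = defaultdict(set)
    findings = []
    for user in root.iter("AAUSER"):
        uid = (user.findtext("ID") or "").strip()
        group = (user.findtext("ASSIGN") or "").strip()
        if not uid or not group:
            findings.append("AAUSER entry missing ID or ASSIGN")
            continue
        if check_codes and group not in DEFAULT_GROUPS:
            findings.append(f"{uid}: unknown group {group!r}")
        assignments[uid].add(group)
    for uid, groups in sorted(assignments.items()):
        if len(groups) > 1:
            findings.append(f"{uid}: conflicting assignments {sorted(groups)}")
        if "AD" in groups:
            findings.append(f"{uid}: Administrative (File Object, AAGP update)")
    return dict(assignments), findings

def effective_groups(assignments, uid):
    """Users with no <AAUSER> entry are in the Restricted group, per the page."""
    return assignments.get(uid, {"RE"})

if __name__ == "__main__":
    for line in audit_aagp(SAMPLE_AAGP)[1]:
        print(line)
```

Run it against a candidate AAGP before placing the file on the Centralized Configuration Server; every line it prints is an assignment to confirm by hand, with the Administrative entries first in priority because that group can trigger file downloads and replace the AAGP itself.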