ITM Enhancement: Clear offline entry permission
rproffit 12000095Y4 Comment (1) Visits (8891)
A small enhancement to IBM Tivoli Monitoring (ITM) is being released in 6.3.0 Fix Pack 6. A new permission is being added to the user administration dialog in the Tivoli Enterprise Portal (TEP) client to allow an administrator to grant or deny the ability to remove an offline managed system from the physical navigator. This blog post describes the new feature, how to enable it, and some considerations to take into account.
In the portal client, a user can remove an offline managed system from either the physical navigator or the Manged System Status workspace on the Enterprise node of the physical navigator. To remove the offline managed system, the user needs to right-click on the offline node or row, then select the "Clear offline entry" menu item in the resulting pop-up menu, as seen in the following screen shots:
There is currently no way to restrict the ability to remove an offline managed system. Any portal client user has the ability to remove an offline system from either the navigator or the Managed System Status workspace.
Installing and Enabling the New Permission
The new permission is part of ITM 6.3.0 Fix Pack 6 for the Tivoli Enterprise Portal and Tivoli Enterprise Portal Server. It is delivered under APAR IV71473. Please apply this fix pack to the portal server and any desktop portal clients before continuing.
Once the fix pack are applied, the new feature is not enabled by default. If you go to the User Administration dialog, you will not see a "Clear offline entry" check box, and all users will have the ability to remove an offline managed system. To turn on the new feature, you must add a new environment variable to the portal server environment file:
Windows: Edit the file %CAN
Linux/AIX: Edit the file $CAN
Add the following environment variable to the bottom of the file:
Save the file and restart the portal server. Now, when you open the User Administration dialog, you will see the "Clear offline entry" permission on the Agent Management node, as shown in the following screen shot:
Users who do not have the new permission checked will not see the "Clear offline entry" item in the pop-up menu on the physical navigator or the Managed Systems Status workspace, as seen in the following screen shot:
Note that once enabled, the default setting for the "clear offline entry" permission is unchecked. The consequence of this is that now, all users and groups (except sysadmin) do not have permission to clear an offline entry. An ITM administrator can now begin checking the new permission for any users who should be allowed to remove an offline managed system.
If instead you would rather have the permission enabled for all users and groups, and you have a large number of users and groups which would make manually modifying them via the User Administration dialog time consuming, we have provided a new script that will enable the "clear offline entry" permission for all users and groups. The script is located in the following directories:
This script uses the portal server utility KfwSQLClient and the ITM CLI tool tacmd tool to select all users and groups and set the "clear offline entry" permission to checked. Execute the command as shown below:
Linux/AIX: itmcmd execute cq "mod
Where <admin_id> is the login ID of an ITM administrator with permission to modify user accounts, and <admin_password> is that user's password. After you execute the above command, the script will prompt you to confirm that you wish to modify the "clear offline entry" permission for all users and groups. Then it will first start modifying individual users. You will see messages like the following indicating that a user was modified successfully:
username: user40 KUICEU001I Validating user credentials... KUICEU002I The user user40 has been successfully edited on the TEPS located at http
You may also see a message similar to the following:
username: user41 KUICEU001I Validating user credentials... KUICEU013E The editUser command failed because you are trying to modify a permission that is inherited from group. Please refer to the /opt
This message means that the user it is attempting to modify has inherited the permission value from a group assignment. These messages are normal and not a cause for concern. Next the script will begin modifying groups. Depending on the number of users and groups, and the processor speed of the machine, the script may take some time to complete. For example, during development, the script was observed to take about 25 minutes to process approximately 120 users and groups. Once the script is finished, there is no need to execute it again, including after applying subsequent fix packs or patches.
Note that the <Default User> also has the "clear offline entry" permission checked by default, so any new users you create will automatically have the ability to remove an offline managed system. If you would rather have the permission unchecked for new users, simply edit the <Default User> and uncheck the "clear offline entry" permission.
Finally, after enabling this new feature, if for some reason you no longer wish to use it, you may remove the KFW_
We hope you find this new feature useful.