IBM Support

ITM Enhancement: Clear offline entry permission

Technical Blog Post


Abstract

ITM Enhancement: Clear offline entry permission

Body

A small enhancement to IBM Tivoli Monitoring (ITM) is being released in 6.3.0 Fix Pack 6. A new permission is being added to the user administration dialog in the Tivoli Enterprise Portal (TEP) client to allow an administrator to grant or deny the ability to remove an offline managed system from the physical navigator. This blog post describes the new feature, how to enable it, and some considerations to take into account.

Current Behavior

In the portal client, a user can remove an offline managed system from either the physical navigator or the Managed System Status workspace on the Enterprise node of the physical navigator. To remove the offline managed system, the user right-clicks the offline node or row, then selects the "Clear offline entry" menu item in the resulting pop-up menu, as seen in the following screen shots:

image

image

There is currently no way to restrict the ability to remove an offline managed system. Any portal client user has the ability to remove an offline system from either the navigator or the Managed System Status workspace.

Installing and Enabling the New Permission

The new permission is part of ITM 6.3.0 Fix Pack 6 for the Tivoli Enterprise Portal and Tivoli Enterprise Portal Server. It is delivered under APAR IV71473. Please apply this fix pack to the portal server and any desktop portal clients before continuing.

Once the fix pack is applied, the new feature is not enabled by default. If you go to the User Administration dialog, you will not see a "Clear offline entry" check box, and all users will still have the ability to remove an offline managed system. To turn on the new feature, you must add a new environment variable to the portal server environment file:

Windows: Edit the file %CANDLE_HOME%\CNPS\KFWENV

Linux/AIX: Edit the file $CANDLEHOME/config/cq.ini

Add the following environment variable to the bottom of the file:

KFW_AUTHORIZATION_CLEAR_OFFLINE_ENABLED=Y

Save the file and restart the portal server. Now, when you open the User Administration dialog, you will see the "Clear offline entry" permission on the Agent Management node, as shown in the following screen shot:

image

Users who do not have the new permission checked will not see the "Clear offline entry" item in the pop-up menu on the physical navigator or the Managed System Status workspace, as seen in the following screen shot:

image

Note that once the feature is enabled, the default setting for the "clear offline entry" permission is unchecked. The consequence is that all users and groups (except sysadmin) no longer have permission to clear an offline entry. An ITM administrator can then check the new permission for any users who should be allowed to remove an offline managed system.

If you would rather have the permission enabled for all users and groups, and you have so many users and groups that modifying them manually through the User Administration dialog would be time consuming, we have provided a new script that enables the "clear offline entry" permission for all users and groups. The script is located in the following directories:

Windows: %CANDLE_HOME%\CNPS\modify-clearoffline-permission.bat

Linux/AIX: $CANDLEHOME/<arch>/cq/bin/modify-clearoffline-permission.sh

This script uses the portal server utility KfwSQLClient and the ITM CLI tool tacmd to select all users and groups and set the "clear offline entry" permission to checked. Execute the command as shown below:

Windows: modify-clearoffline-permission.bat <admin_id> <admin_password>

Linux/AIX: itmcmd execute cq "modify-clearoffline-permission.sh <admin_id> <admin_password>"

Here <admin_id> is the login ID of an ITM administrator with permission to modify user accounts, and <admin_password> is that user's password. After you execute the above command, the script prompts you to confirm that you wish to modify the "clear offline entry" permission for all users and groups. It then modifies individual users first. You will see messages like the following indicating that a user was modified successfully:

  username: user40
  KUICEU001I Validating user credentials...
  KUICEU002I The user user40 has been successfully edited on the TEPS located at http://localhost:15200.

You may also see a message similar to the following:

  username: user41
  KUICEU001I Validating user credentials...
  KUICEU013E The editUser command failed because you are trying to modify a permission that is inherited from group. Please refer to the /opt/IBM/ITM/logs/UserAndGroupCLI_0.log for details.
  The inherited group permissions cannot be modified.
  Verify that the permission you are trying to edit is not inherited from a group, then run the editUser command again.

This message means that the user the script is attempting to modify has inherited the permission value from a group assignment. These messages are normal and not a cause for concern. Next, the script begins modifying groups. Depending on the number of users and groups, and the processor speed of the machine, the script may take some time to complete. For example, during development, the script was observed to take about 25 minutes to process approximately 120 users and groups. Once the script is finished, there is no need to execute it again, including after applying subsequent fix packs or patches.

Note that the <Default User> also has the "clear offline entry" permission checked by default, so any new users you create will automatically have the ability to remove an offline managed system. If you would rather have the permission unchecked for new users, simply edit the <Default User> and uncheck the "clear offline entry" permission.

Finally, if after enabling this new feature you no longer wish to use it, you may remove the KFW_AUTHORIZATION_CLEAR_OFFLINE_ENABLED environment variable from the portal server environment file. After you restart the portal server, it reverts to the original behavior, meaning all users have the ability to remove an offline managed system, and the User Administration dialog no longer displays a check box for "Clear offline entry" on the Agent Management node.
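The enable and revert steps above, as an added shell example that is not part of the IBM post or the fix pack: the functions set, audit, and remove KFW_AUTHORIZATION_CLEAR_OFFLINE_ENABLED in the Linux/AIX environment file without leaving duplicate entries behind. They assume the file is passed as an argument (on a real server that is $CANDLEHOME/config/cq.ini), run against a constructed temporary copy so the example works offline, and do not restart the portal server; the check treats only an exact "Y" as enabled, since the post states no other accepted value.

```shell
#!/bin/sh
# Added example, not IBM code: manage the clear-offline-entry permission switch
# in a TEPS environment file. Uses only POSIX tools so it also works where sed -i
# is unavailable (e.g. AIX).
VAR=KFW_AUTHORIZATION_CLEAR_OFFLINE_ENABLED

# Return 0 only when the last uncommented setting of $VAR is exactly Y.
# Anything else (missing, commented out, N) means the restriction is off and
# every portal user can still remove offline managed systems.
clear_offline_permission_enabled() {
    val=$(grep "^${VAR}=" "$1" | tail -n 1 | cut -d= -f2- | tr -d '[:space:]')
    [ "$val" = "Y" ]
}

# Drop any existing $VAR lines, then append $VAR=Y at the bottom of the file
# (the location the post specifies). Safe to run repeatedly.
enable_clear_offline_permission() {
    { grep -v "^${VAR}=" "$1" || :; } > "$1.tmp" &&
        printf '%s=Y\n' "$VAR" >> "$1.tmp" &&
        mv "$1.tmp" "$1"
}

# Remove every $VAR line so the portal server reverts to the original behavior
# after its next restart.
disable_clear_offline_permission() {
    { grep -v "^${VAR}=" "$1" || :; } > "$1.tmp" && mv "$1.tmp" "$1"
}

# Constructed stand-in for cq.ini: one placeholder setting (not a real ITM key)
# and the variable already present but set to N, the case a naive append gets wrong.
make_sample_env() {
    f=$(mktemp)
    printf '%s\n' '# constructed sample cq.ini' 'EXAMPLE_PLACEHOLDER_SETTING=1' "${VAR}=N" > "$f"
    echo "$f"
}

# Stand-alone walk-through: audit, enable, audit again, revert.
sample=$(make_sample_env)
clear_offline_permission_enabled "$sample" && echo "restriction on" || echo "restriction off: any user can clear offline entries"
enable_clear_offline_permission "$sample"
clear_offline_permission_enabled "$sample" && echo "restriction on (restart the portal server to apply)"
disable_clear_offline_permission "$sample"
rm -f "$sample"
```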

We hope you find this new feature useful.


UID

ibm11083339