Topic
  • 15 replies
  • Latest Post - ‏2013-09-17T13:17:19Z by GER_MCC
techFanatic
techFanatic
32 Posts

Pinned topic Selective Service view in TBSM 6.1

‏2013-08-26T07:09:59Z |

Hi,

I have created 10 services in TBSM 6.1.These services are based on 3 types of technology-A,B,C.
Users belonging to technology A must be able to view only services related to technology A,
Users belonging to technology B must be able to view only services related to technology B and similarly is the case for technology C.
How do I implement this in TBSM,what roles and permissions do I need to assign for selective service viewing?

From my knowledge of user permissions,we can assign read-only,edit and admin permissions as a whole to all services,Can it be done on individual service basis too?

Regards,
techFanatic

  • randybrown
    randybrown
    59 Posts

    Re: Selective Service view in TBSM 6.1

    ‏2013-08-26T13:48:41Z  

    Hi,

    Yes, you can assign security roles that limit users and/or groups to specific capabilities by service or by template. The Service Editor and Template Editor in the TBSM Console have a Security tab for granting these permissions.

    For example, in your scenario, if you have a specific template or set of templates associated with each technology (A, B, C), you can set permissions on the template so that only certain groups have access to the services tagged with the template(s). You can also do individual users and individual services, but generally speaking it is better to work with groups and templates as convenient aggregations.

    Be careful that the users and groups don't have global roles that override what you are trying to accomplish with the TBSM object level security settings.

    You should be able to find more information in the TBSM Service Configuration Guide in the section Granting user and group permissions to templates and services.

    Hope this helps...

     

    Randy Brown

  • techFanatic
    techFanatic
    32 Posts

    Re: Selective Service view in TBSM 6.1

    ‏2013-09-11T12:13:04Z  

    Hi Randy

    Thanks for your reply. But I tried to set roles to service as you had mentioned in your reply.
    I Chose a group (G1) and selected tbsmViewService Role for a particular Service(eg A) using security tab.
    But Still the user who is not a member of group G1 can view this service.
    So please let me know if I am doing it in correct way or am I missing anything.
    Please suggest if there is any other alternative.

    Regards,
    techFanatic

  • randybrown
    randybrown
    59 Posts

    Re: Selective Service view in TBSM 6.1

    ‏2013-09-11T12:55:58Z  

    Hi Randy

    Thanks for your reply. But I tried to set roles to service as you had mentioned in your reply.
    I Chose a group (G1) and selected tbsmViewService Role for a particular Service(eg A) using security tab.
    But Still the user who is not a member of group G1 can view this service.
    So please let me know if I am doing it in correct way or am I missing anything.
    Please suggest if there is any other alternative.

    Regards,
    techFanatic

    Hi,

    It sounds like there are global roles that allow the other user to view TBSM services. Any global role for the user, or any group the user belongs to would take precedence over any security settings for the specific service.

    As an administrative user, you should be able to use functions in the Users and Groups folder to check if the user has TBSM roles assigned. Most likely the user is in a group that has these TBSM roles assigned, so you would need to check the roles for each group the user belongs to as well.

    Also, for any template tagged to the service, roles can be set for the template to allow viewing tagged services. This too would take precedence over any security settings for the specific service.

    If you have cleared all of these possible "global" and "template" security settings from the other user, then that user should not see the service with the specific user security settings.

    Hopefully this information helps...

     

    Randy Brown

  • techFanatic
    techFanatic
    32 Posts

    Re: Selective Service view in TBSM 6.1

    ‏2013-09-12T07:19:34Z  

    Hi,

    It sounds like there are global roles that allow the other user to view TBSM services. Any global role for the user, or any group the user belongs to would take precedence over any security settings for the specific service.

    As an administrative user, you should be able to use functions in the Users and Groups folder to check if the user has TBSM roles assigned. Most likely the user is in a group that has these TBSM roles assigned, so you would need to check the roles for each group the user belongs to as well.

    Also, for any template tagged to the service, roles can be set for the template to allow viewing tagged services. This too would take precedence over any security settings for the specific service.

    If you have cleared all of these possible "global" and "template" security settings from the other user, then that user should not see the service with the specific user security settings.

    Hopefully this information helps...

     

    Randy Brown

    Hi Randy,

    Thanks for your reply. I removed the tbsmViewService role globally from the group and then applied the same role individually to the template.

    Now, I have templates with autopopulation rules in it, to populate child service. When I changed security setting for the templates associated with parent and child services I could not see the child service populated in the service viewer when I logged in from the Group to whom I had given role to view service(tbsmViewService). I am not able to rectify what could be problem in this case.Please tell me If I am missing something.

    Also, I have given tbsmReadOnlyUser which gives access to view the Service Availability page.
    In Service Availablity page, 'Service details' portlet is not displayed. Only Service Tree, Service Viewer and Urgent Services portlets can be seen.
    We want all 4 portlets to be seen in Service availablity.

    Regards,
    techFanatic

  • randybrown
    randybrown
    59 Posts

    Re: Selective Service view in TBSM 6.1

    ‏2013-09-12T14:02:46Z  

    Hi Randy,

    Thanks for your reply. I removed the tbsmViewService role globally from the group and then applied the same role individually to the template.

    Now, I have templates with autopopulation rules in it, to populate child service. When I changed security setting for the templates associated with parent and child services I could not see the child service populated in the service viewer when I logged in from the Group to whom I had given role to view service(tbsmViewService). I am not able to rectify what could be problem in this case.Please tell me If I am missing something.

    Also, I have given tbsmReadOnlyUser which gives access to view the Service Availability page.
    In Service Availablity page, 'Service details' portlet is not displayed. Only Service Tree, Service Viewer and Urgent Services portlets can be seen.
    We want all 4 portlets to be seen in Service availablity.

    Regards,
    techFanatic

    Hi,

    For the autopopulation issue, the most likely problem would seem to be that the service is not assigned to the correct parent service. By default, the service will be given a parent called "DefaultAutopopParent", and your group will not have the roles to see that service and thus will not see its dependents. The other problem would be that the autopopulated service did not get the right template assigned, but unless you changed the rule, the template containing the autopopulation rule will be tagged to the created service by default.

    When defining the autopopulation rule, you can set the parent, if the templates are configured correctly. If there is no template depending on the template tagged to the child services, then the rule will not have a way for you to set the parent and you will get the "DefaultAutopopParent".

    For the question about Service Details, it requires at least the role "ncw_user" in order to be seen. The Service Details is provided for TBSM from an embedded copy of WebGUI, and this product has its own roles.

    I hope this helps...

     

    Randy Brown

  • techFanatic
    techFanatic
    32 Posts

    Re: Selective Service view in TBSM 6.1

    ‏2013-09-13T06:50:35Z  

    Hi,

    For the autopopulation issue, the most likely problem would seem to be that the service is not assigned to the correct parent service. By default, the service will be given a parent called "DefaultAutopopParent", and your group will not have the roles to see that service and thus will not see its dependents. The other problem would be that the autopopulated service did not get the right template assigned, but unless you changed the rule, the template containing the autopopulation rule will be tagged to the created service by default.

    When defining the autopopulation rule, you can set the parent, if the templates are configured correctly. If there is no template depending on the template tagged to the child services, then the rule will not have a way for you to set the parent and you will get the "DefaultAutopopParent".

    For the question about Service Details, it requires at least the role "ncw_user" in order to be seen. The Service Details is provided for TBSM from an embedded copy of WebGUI, and this product has its own roles.

    I hope this helps...

     

    Randy Brown

    Hi Randy,

    Thanks a lot for your valuable inputs.
    After giving ncw_user role to group we could view all four portlets of Service availability.
    A,B,C are the templates and a,b,c are services respectively.
    We have 2 level autopopulation hierarchy formed in service viewer.
    eg. A-> B-> C
    Where At A and B level we have autopopulation rules and services associated with B and C template are autopopulated services.('b' service populated on basis of 'a' and 'c' populated on basis of 'b')

    When we log in using tipadmin, we can see the 2 level parent-child hierarchy correctly formed in service viewer('b' populated due to parent 'a' and 'c' populated due to parent 'b'). But when we give role to templates associated with this autopopulated parent-child service to group (eg G1), user belonging to that group is unable to view 2nd level autopopulated services.
    eg. user1 belonging to Group G1 is able to view a->b
    But We want a->b->c  to be viewed in service viewer.

    Regards,
    techFanatic

  • randybrown
    randybrown
    59 Posts

    Re: Selective Service view in TBSM 6.1

    ‏2013-09-13T14:13:46Z  

    Hi Randy,

    Thanks a lot for your valuable inputs.
    After giving ncw_user role to group we could view all four portlets of Service availability.
    A,B,C are the templates and a,b,c are services respectively.
    We have 2 level autopopulation hierarchy formed in service viewer.
    eg. A-> B-> C
    Where At A and B level we have autopopulation rules and services associated with B and C template are autopopulated services.('b' service populated on basis of 'a' and 'c' populated on basis of 'b')

    When we log in using tipadmin, we can see the 2 level parent-child hierarchy correctly formed in service viewer('b' populated due to parent 'a' and 'c' populated due to parent 'b'). But when we give role to templates associated with this autopopulated parent-child service to group (eg G1), user belonging to that group is unable to view 2nd level autopopulated services.
    eg. user1 belonging to Group G1 is able to view a->b
    But We want a->b->c  to be viewed in service viewer.

    Regards,
    techFanatic

    Hi,

    I am not able to visualize exactly what you are doing with the autopopulation rules. Would it be possible to export the top level template using tbsm_export and send me the files?

    Perhaps if I can load at least the template definitions on my system I could see where the problem might be.

    Thanks...

     

    Randy Brown

  • techFanatic
    techFanatic
    32 Posts

    Re: Selective Service view in TBSM 6.1

    ‏2013-09-13T14:22:04Z  

    Hi,

    I am not able to visualize exactly what you are doing with the autopopulation rules. Would it be possible to export the top level template using tbsm_export and send me the files?

    Perhaps if I can load at least the template definitions on my system I could see where the problem might be.

    Thanks...

     

    Randy Brown

    Hi Randy,

    Sorry I cannot export and share the files.We have a two level auto population,and all the services are visible correctly under tipadmin but not under the new users created having the same access roles.

    Regards,

    techFanatic

  • randybrown
    randybrown
    59 Posts

    Re: Selective Service view in TBSM 6.1

    ‏2013-09-13T14:33:49Z  

    Hi Randy,

    Sorry I cannot export and share the files.We have a two level auto population,and all the services are visible correctly under tipadmin but not under the new users created having the same access roles.

    Regards,

    techFanatic

    Hi,

    Since you can see the complete service hierarchy from tipadmin, the services are created and given the parent service that you expect.

    Next would be to confirm that each service a, b, c is tagged with the template(s) that you expect when the service is created by autopopulation. Maybe there are multiple templates, but I think the role is only required for any one of the templates.

    Finally, if each template then has the tbsmViewService role for the correct group as set on the Security tab of the template, then it would seem you have done it correctly. The Security tab allows setting on a per user, per group basis, so please make sure you have set the role for the right user/group. Sorry, I am sure you have done this already.

    You may need to report the problem to IBM support, as it sounds like there may be a problem in how the product is implementing the security.

    Regards...

     

    Randy Brown