Topic
8 replies Latest Post - ‏2012-05-28T20:56:26Z by SystemAdmin
Butters15
Butters15
5 Posts
ACCEPTED ANSWER

Pinned topic tlmsrv- Access rights

‏2012-05-10T15:25:12Z |
What are all the access rights needed for tlmsrv on the "TLMA" database?
Updated on 2012-05-28T20:56:26Z at 2012-05-28T20:56:26Z by SystemAdmin
  • BartekM
    BartekM
    18 Posts
    ACCEPTED ANSWER

    Re: tlmsrv- Access rights

    ‏2012-05-11T13:24:31Z  in response to Butters15
    the tlmsrv account does not need to have any right in OS - in particular, it does not need to belong to any particular group

    All the required permissions inside the tlma database are granted by installation wizard during creation/upgrade of the tlma database
    • Butters15
      Butters15
      5 Posts
      ACCEPTED ANSWER

      Re: tlmsrv- Access rights

      ‏2012-05-11T13:36:59Z  in response to BartekM
      Ok what are the rights granted by the installation wizard during creation or upgrade?

      I am currently are version 7.2.2.2, if it is verion dependant.
      • BartekM
        BartekM
        18 Posts
        ACCEPTED ANSWER

        Re: tlmsrv- Access rights

        ‏2012-05-11T13:52:17Z  in response to Butters15
        Assuming it is installed in /opt/IBM/LMT

        grep -i 'tlmsrv' -r /opt/IBM/LMT/admin/db/*
        • Butters15
          Butters15
          5 Posts
          ACCEPTED ANSWER

          Re: tlmsrv- Access rights

          ‏2012-05-11T17:57:34Z  in response to BartekM
          what would that command do?

          I need what are reuired by the "tlmsrv" user than what exactly is created by the installer? Our auidt might have changed the permissions.

          There was a technote at here at some point in the past fot the same information, but this link no longer works.

          http://www-01.ibm.com/support/docview.wss?uid=swg21426963
          • SystemAdmin
            SystemAdmin
            340 Posts
            ACCEPTED ANSWER

            Re: tlmsrv- Access rights

            ‏2012-05-11T21:48:48Z  in response to Butters15
            Hello Butters15,

            Please mind, you are not supposed to touch tlmsrv user rights. Such funcitonality is not exposed to the ILMT users. This is a part of internal ILMT implementation. Any changes in this subject may cause unpredicted failure to ILMT functionality. Moreover this implementation, as it is internal, may be protected by law. Please explain this fact to your audit as this is serious matter.
            Bartek gave you workaround how to see all the GRANT commands. When you follow his hint, you will see how they may be spied in a very tricky way. But this is just for your information, not to perform any changes!

            Thank you for your understanding.

            PS. I'm not aware of the technote you've mentioned
            http://www-01.ibm.com/support/docview.wss?uid=swg21426963
            I will check this out. If I find anything that fits your request better than Bartek hint, I will post to this thread.

            Regards,
            Michał Klak


            The postings on this site are my own and don't necessarily represent IBM's positions, strategies or opinions.
            • SystemAdmin
              SystemAdmin
              340 Posts
              ACCEPTED ANSWER

              Re: tlmsrv- Access rights

              ‏2012-05-17T16:21:18Z  in response to SystemAdmin
              Ok thanks a lot for the response.

              Can you please brief out the functions of "tlmsrv"? I tried to find an appropriate document but could not.
              • SystemAdmin
                SystemAdmin
                340 Posts
                ACCEPTED ANSWER

                Re: tlmsrv- Access rights

                ‏2012-05-28T20:47:19Z  in response to SystemAdmin
                Hello avatar939,

                http://pic.dhe.ibm.com/infocenter/tivihelp/v53r1/topic/com.ibm.lmt75.doc/com.ibm.license.mgmt.planinconf.doc/r_security_considerations.html:
                Database user IDs
                During the installation process, you must specify a password for the tlmsrv user ID. This user is supposed to perform DB2® administrative tasks, such as creating and dropping database elements.

                Very short, very accurate. There is no need to write separate document for it. ILMT uses TLMA database. TLMA database is run by DB2. There must be some user with appropriate rights in DB@ to create TLMA. tlmsrv is the one.

                Please let me know if my post answers your question.

                Regards,
                Michał Klak
                ILMT Central Team


                The postings on this site are my own and do not necessarily represent IBM's positions, strategies or opinions.
                Please contact product support if you need IBM's official advice.

                If you want to extend your knowledge of ILMT, you may check this site:
                https://www.ibm.com/developerworks/mydeveloperworks/wikis/home/wiki/IBM+License+Metric+Tool
            • SystemAdmin
              SystemAdmin
              340 Posts
              ACCEPTED ANSWER

              Re: tlmsrv- Access rights

              ‏2012-05-28T20:56:26Z  in response to SystemAdmin
              Hi,
              I found the author of the technote. The note simply has expired. It was written for very specific issue in 7.2. The issue was fixed and no more appeared. After specified time, the technote became out of date and was automatically deleted.

              I believe you referred to this part:
              Minimum set of permission for TLMSRV user are:

              Direct SYSADM authority = NO
              Direct SYSCTRL authority = NO
              Direct SYSMAINT authority = NO
              Direct DBADM authority = NO
              Direct CREATETAB authority = YES
              Direct BINDADD authority = YES
              Direct CONNECT authority = YES
              Direct CREATE_NOT_FENC authority = NO
              Direct IMPLICIT_SCHEMA authority = NO
              Direct LOAD authority = NO
              Direct QUIESCE_CONNECT authority = NO
              Direct CREATE_EXTERNAL_ROUTINE authority = NO
              Direct SYSMON authority = NO
              .
              Indirect SYSADM authority = NO
              Indirect SYSCTRL authority = NO
              Indirect SYSMAINT authority = NO
              Indirect DBADM authority = NO
              Indirect CREATETAB authority = NO
              Indirect BINDADD authority = NO
              Indirect CONNECT authority = NO
              Indirect CREATE_NOT_FENC authority = NO
              Indirect IMPLICIT_SCHEMA authority = NO
              Indirect LOAD authority = NO
              Indirect QUIESCE_CONNECT authority = NO
              Indirect CREATE_EXTERNAL_ROUTINE authority = NO
              Indirect SYSMON authority = NO

              I'm not sure how accurate it is now, but maybe it will still be helpful for you.

              Regards,
              Michał Klak
              ILMT Central Team


              The postings on this site are my own and do not necessarily represent IBM's positions, strategies or opinions.
              Please contact product support if you need IBM's official advice.

              If you want to extend your knowledge of ILMT, you may check this site:
              https://www.ibm.com/developerworks/mydeveloperworks/wikis/home/wiki/IBM+License+Metric+Tool