Topic
  • 8 replies
  • Latest Post - ‏2012-05-28T20:56:26Z by SystemAdmin
Butters15
Butters15
5 Posts

Pinned topic tlmsrv- Access rights

‏2012-05-10T15:25:12Z |
What are all the access rights needed for tlmsrv on the "TLMA" database?
  • BartekM
    BartekM
    18 Posts

    Re: tlmsrv- Access rights

    ‏2012-05-11T13:24:31Z  
    the tlmsrv account does not need to have any right in OS - in particular, it does not need to belong to any particular group

    All the required permissions inside the tlma database are granted by installation wizard during creation/upgrade of the tlma database
  • Butters15
    Butters15
    5 Posts

    Re: tlmsrv- Access rights

    ‏2012-05-11T13:36:59Z  
    • BartekM
    • ‏2012-05-11T13:24:31Z
    the tlmsrv account does not need to have any right in OS - in particular, it does not need to belong to any particular group

    All the required permissions inside the tlma database are granted by installation wizard during creation/upgrade of the tlma database
    Ok what are the rights granted by the installation wizard during creation or upgrade?

    I am currently are version 7.2.2.2, if it is verion dependant.
  • BartekM
    BartekM
    18 Posts

    Re: tlmsrv- Access rights

    ‏2012-05-11T13:52:17Z  
    • Butters15
    • ‏2012-05-11T13:36:59Z
    Ok what are the rights granted by the installation wizard during creation or upgrade?

    I am currently are version 7.2.2.2, if it is verion dependant.
    Assuming it is installed in /opt/IBM/LMT

    grep -i 'tlmsrv' -r /opt/IBM/LMT/admin/db/*
  • Butters15
    Butters15
    5 Posts

    Re: tlmsrv- Access rights

    ‏2012-05-11T17:57:34Z  
    • BartekM
    • ‏2012-05-11T13:52:17Z
    Assuming it is installed in /opt/IBM/LMT

    grep -i 'tlmsrv' -r /opt/IBM/LMT/admin/db/*
    what would that command do?

    I need what are reuired by the "tlmsrv" user than what exactly is created by the installer? Our auidt might have changed the permissions.

    There was a technote at here at some point in the past fot the same information, but this link no longer works.

    http://www-01.ibm.com/support/docview.wss?uid=swg21426963
  • SystemAdmin
    SystemAdmin
    340 Posts

    Re: tlmsrv- Access rights

    ‏2012-05-11T21:48:48Z  
    • Butters15
    • ‏2012-05-11T17:57:34Z
    what would that command do?

    I need what are reuired by the "tlmsrv" user than what exactly is created by the installer? Our auidt might have changed the permissions.

    There was a technote at here at some point in the past fot the same information, but this link no longer works.

    http://www-01.ibm.com/support/docview.wss?uid=swg21426963
    Hello Butters15,

    Please mind, you are not supposed to touch tlmsrv user rights. Such funcitonality is not exposed to the ILMT users. This is a part of internal ILMT implementation. Any changes in this subject may cause unpredicted failure to ILMT functionality. Moreover this implementation, as it is internal, may be protected by law. Please explain this fact to your audit as this is serious matter.
    Bartek gave you workaround how to see all the GRANT commands. When you follow his hint, you will see how they may be spied in a very tricky way. But this is just for your information, not to perform any changes!

    Thank you for your understanding.

    PS. I'm not aware of the technote you've mentioned
    http://www-01.ibm.com/support/docview.wss?uid=swg21426963
    I will check this out. If I find anything that fits your request better than Bartek hint, I will post to this thread.

    Regards,
    Michał Klak


    The postings on this site are my own and don't necessarily represent IBM's positions, strategies or opinions.
  • SystemAdmin
    SystemAdmin
    340 Posts

    Re: tlmsrv- Access rights

    ‏2012-05-17T16:21:18Z  
    Hello Butters15,

    Please mind, you are not supposed to touch tlmsrv user rights. Such funcitonality is not exposed to the ILMT users. This is a part of internal ILMT implementation. Any changes in this subject may cause unpredicted failure to ILMT functionality. Moreover this implementation, as it is internal, may be protected by law. Please explain this fact to your audit as this is serious matter.
    Bartek gave you workaround how to see all the GRANT commands. When you follow his hint, you will see how they may be spied in a very tricky way. But this is just for your information, not to perform any changes!

    Thank you for your understanding.

    PS. I'm not aware of the technote you've mentioned
    http://www-01.ibm.com/support/docview.wss?uid=swg21426963
    I will check this out. If I find anything that fits your request better than Bartek hint, I will post to this thread.

    Regards,
    Michał Klak


    The postings on this site are my own and don't necessarily represent IBM's positions, strategies or opinions.
    Ok thanks a lot for the response.

    Can you please brief out the functions of "tlmsrv"? I tried to find an appropriate document but could not.
  • SystemAdmin
    SystemAdmin
    340 Posts

    Re: tlmsrv- Access rights

    ‏2012-05-28T20:47:19Z  
    Ok thanks a lot for the response.

    Can you please brief out the functions of "tlmsrv"? I tried to find an appropriate document but could not.
    Hello avatar939,

    http://pic.dhe.ibm.com/infocenter/tivihelp/v53r1/topic/com.ibm.lmt75.doc/com.ibm.license.mgmt.planinconf.doc/r_security_considerations.html:
    Database user IDs
    During the installation process, you must specify a password for the tlmsrv user ID. This user is supposed to perform DB2® administrative tasks, such as creating and dropping database elements.

    Very short, very accurate. There is no need to write separate document for it. ILMT uses TLMA database. TLMA database is run by DB2. There must be some user with appropriate rights in DB@ to create TLMA. tlmsrv is the one.

    Please let me know if my post answers your question.

    Regards,
    Michał Klak
    ILMT Central Team


    The postings on this site are my own and do not necessarily represent IBM's positions, strategies or opinions.
    Please contact product support if you need IBM's official advice.

    If you want to extend your knowledge of ILMT, you may check this site:
    https://www.ibm.com/developerworks/mydeveloperworks/wikis/home/wiki/IBM+License+Metric+Tool
  • SystemAdmin
    SystemAdmin
    340 Posts

    Re: tlmsrv- Access rights

    ‏2012-05-28T20:56:26Z  
    Hello Butters15,

    Please mind, you are not supposed to touch tlmsrv user rights. Such funcitonality is not exposed to the ILMT users. This is a part of internal ILMT implementation. Any changes in this subject may cause unpredicted failure to ILMT functionality. Moreover this implementation, as it is internal, may be protected by law. Please explain this fact to your audit as this is serious matter.
    Bartek gave you workaround how to see all the GRANT commands. When you follow his hint, you will see how they may be spied in a very tricky way. But this is just for your information, not to perform any changes!

    Thank you for your understanding.

    PS. I'm not aware of the technote you've mentioned
    http://www-01.ibm.com/support/docview.wss?uid=swg21426963
    I will check this out. If I find anything that fits your request better than Bartek hint, I will post to this thread.

    Regards,
    Michał Klak


    The postings on this site are my own and don't necessarily represent IBM's positions, strategies or opinions.
    Hi,
    I found the author of the technote. The note simply has expired. It was written for very specific issue in 7.2. The issue was fixed and no more appeared. After specified time, the technote became out of date and was automatically deleted.

    I believe you referred to this part:
    Minimum set of permission for TLMSRV user are:

    Direct SYSADM authority = NO
    Direct SYSCTRL authority = NO
    Direct SYSMAINT authority = NO
    Direct DBADM authority = NO
    Direct CREATETAB authority = YES
    Direct BINDADD authority = YES
    Direct CONNECT authority = YES
    Direct CREATE_NOT_FENC authority = NO
    Direct IMPLICIT_SCHEMA authority = NO
    Direct LOAD authority = NO
    Direct QUIESCE_CONNECT authority = NO
    Direct CREATE_EXTERNAL_ROUTINE authority = NO
    Direct SYSMON authority = NO
    .
    Indirect SYSADM authority = NO
    Indirect SYSCTRL authority = NO
    Indirect SYSMAINT authority = NO
    Indirect DBADM authority = NO
    Indirect CREATETAB authority = NO
    Indirect BINDADD authority = NO
    Indirect CONNECT authority = NO
    Indirect CREATE_NOT_FENC authority = NO
    Indirect IMPLICIT_SCHEMA authority = NO
    Indirect LOAD authority = NO
    Indirect QUIESCE_CONNECT authority = NO
    Indirect CREATE_EXTERNAL_ROUTINE authority = NO
    Indirect SYSMON authority = NO

    I'm not sure how accurate it is now, but maybe it will still be helpful for you.

    Regards,
    Michał Klak
    ILMT Central Team


    The postings on this site are my own and do not necessarily represent IBM's positions, strategies or opinions.
    Please contact product support if you need IBM's official advice.

    If you want to extend your knowledge of ILMT, you may check this site:
    https://www.ibm.com/developerworks/mydeveloperworks/wikis/home/wiki/IBM+License+Metric+Tool