IBM Tivoli Monitoring, Version 6.3 Fix Pack 2

Authorization policy concepts

An authorization policy either grants or excludes permission to a user or user group, acting in one of more roles, to perform an operation on an type of object, for a resource which is scoped by its resource type.

The elements of an authorization policy are described below:

User

Who initiates the operation.

User group

A set of users who can initiate the operation.

Role

A collection of permissions that can be assigned to users or user groups.

Operation

An action such as create, delete, modify, distribute, or view.

Object type

A categorization of the object that the operation is performed on. For example, monitoring data (attributegroup), event, or role.

Resource

The entity that the operation is being performed against such as a specific managed system group or managed system.

Resource type

A categorization of the resource. Managed system groups (managedsystemgroup), managed systems (managedsystem), and sets of roles (rolegroup) are the predefined resource types.

To create an authorization policy, perform the following tasks:

Create managed system groups that you want to control access to. Managed system groups are created using the Tivoli® Enterprise Portal client and tacmd createsystemlist command.
These can be the same managed system groups that you also use to distribute situations and historical collections.
Create user groups in LDAP that contain users that perform a similar job function.
Create a role that represents a job function within your organization.
For example, you can define a role called Eastern region Windows administrators to control the monitored resources that can be accessed by the Windows OS administrators at your eastern region data center.
Next you grant or exclude one or more permissions to the role.
- A grant permission specifies the operation that can be performed on a type of object for one or more resources of a specified type.
  For example, you can grant permission to view monitoring data for the managed system group EasternRegionWindowsComputers where the operation is view, the object type is attributegroup (which represents monitoring data), the resource is EasternRegionWindowsComputers, and the resource type is managedsystemgroup.
- An exclude permission allows you to restrict access to one or more members of a managed system group. You should create an exclude permission if you do not want a role to have access to all members of a managed system group. For example, the EasternRegionWindowsComputers managed system group might contain two or three computers that you do not want your eastern region Windows administrators to have access to. In this case, you can grant view permission for the EasternRegionWindowsComputers managed system group and exclude permission for specific managed systems. An exclude permission prevents any operation from being performed on objects of a managed system.
The final step is to assign the role to one or more users or user groups. Only users or user groups that have been assigned to an authorization policy role are able to access monitored resources in a dashboard. The user names and user group names are defined in the LDAP user registry that is shared by IBM® Dashboard Application Services Hub and the portal server.

You can also revoke permissions from a role if you later decide that you need to remove a grant or exclude permission from a role. Authorization policies are also used to control which users can create and work with roles.

The following table lists the supported resource types, their associated object types and operations, and the type of permission that can be assigned for resources of this type.

Table 1. Authorization policy resource types and their supported permissions and elements
Permission	Operation	Object type	Resource type	Description
grant	view	attributegroup	managedsystemgroup	Using this combination, you can grant permission to view monitoring data such as metrics or status for all managed systems in a managed system group.
grant	view	event	managedsystemgroup	Using this combination, you can grant permission to view situation events from all managed systems in a managed system group. Note: If you want to grant permission to view the monitoring data that triggered the situation event then you must grant permission to view monitoring data for the managed system group.
grant	view	attributegroup	managesystem	Using this combination, you can grant permission to view monitoring data such as metrics or status for a specific managed system.
grant	view	event	managedsystem	Using this combination, you can grant permission to view situation events from a specific managed system. Note: If you want to grant permission to view the monitoring data that triggered the situation event then you must grant permission to view monitoring data for the managed system group.
exclude			managedsystem	Using this combination, you can exclude permission to perform any operation for a specific managed system.
grant	create	role	rolegroup	Using this combination, you can grant permission to create roles or events for specific managed systems.
grant	delete	role	rolegroup	Using this combination, you can grant permission to delete roles.
grant	distribute	role	rolegroup	Using this combination, you can grant permission to distribute policies from the Authorization Policy Server to the Tivoli Enterprise Portal Server.
grant	modify	role	rolegroup	Using this combination, you can grant permission to modify roles.
grant	view	role	rolegroup	Using this combination, you can grant permission to view roles and permissions that you are assigned. This permission can be used if you have users who should be able to view their permissions but not permissions for other users.
grant	viewall	role	rolegroup	Using this combination, you can grant permission to view all roles and permissions.

When you are granted permission to view attribute groups (monitoring data) or events for a managed system group, you are granted permission to view the group and you are also granted permission to view all of the group members, unless there is an exclude permission for a group member.

In a large deployment of IBM Tivoli Monitoring, you might have multiple monitoring domains. A monitoring domain is defined as a collection of IBM Tivoli Monitoring components such as portal servers, monitoring servers, monitoring agents, and a Tivoli Data Warehouse that are centered around a particular hub monitoring server. In this type of deployment, you might have some authorization policies that are common across your monitoring domains as well as authorization policies that are specific to a particular domain. When you create permissions, the tivcmd CLI allows you to specify if the authorization policy applies to all domains (the default behavior) or to specific domains.

A role group is a set of roles that are shared across all the IBM Tivoli Monitoring domains using a single Authorization Policy Server. The Authorization Policy Server supports only one role group named default. It is specified as the resource name when creating permissions that perform operations on roles.

For information about working with authorization policies in a multi-domain deployment, see Working with multiple domains.

Feedback