IBM Tivoli Monitoring, Version 6.3

Using Tivoli Enterprise Portal user authorization

Every portal work session begins with a successful logon and connection to the Tivoli® Enterprise Portal. The logon user IDs and user groups are created and profiled through the Administer Users window.

Administer Users is a multi-tabbed two-paned window. The top frame has two tabs: Users tab Users and User Groups tab User Groups, that list the user IDs, distinguished names if the portal server is configured for authentication to an LDAP user registry, and the user groups that are stored on the portal server. The profile of the selected user or user group is reflected in the bottom frame:

The User Administration function enables you to maintain user IDs and user groups on the portal server, and provides varying degrees of access to the features and views of your monitored environment to accommodate any combination of job roles, such as operators who respond to alerts and direct them to the appropriate person for handling and administrators who plan, design, customize, and manage the monitoring environment.

In some managed enterprises one person might assume all of these roles. In larger enterprises, the roles are often divided. You can choose to assign roles by individual user or by user type or both.

Tivoli Enterprise Portal user IDs are also required for users who access monitoring dashboards in IBM Dashboard Application Services Hub. How you manage dashboard users depends on the type of authorization configured in the portal server and whether the dashboard users will also use the Tivoli Enterprise Portal client. There are two types of authorization that can be configured for controlling access to monitored resources in IBM Dashboard Application Services Hub:
Role-based authorization policies
These policies are created using the tivcmd Command-Line Interface for Authorization Policy. They provide more granular authorization than Tivoli Enterprise Portal monitoring application assignments. Using role-based authorization policies, you can assign a user permission to view specific managed system groups or managed systems. When role-based authorization policies are enabled in the portal server, dashboard users need a Tivoli Enterprise Portal user ID but do not require any Tivoli Enterprise Portal permissions or monitoring application assignments unless they are also Tivoli Enterprise Portal client users. In this case, role-based authorization policies control what resources they can access in the monitoring dashboards, and Tivoli Enterprise Portal permissions and monitoring application assignments control what they can access in the Tivoli Enterprise Portal client.
Tivoli Enterprise Portal authorization
This is the default authorization mechanism for dashboard users. A dashboard user must have a Tivoli Enterprise Portal user ID and be assigned the permissions and monitoring applications to control their access to resources in monitoring dashboards. If a dashboard user is also a Tivoli Enterprise Portal client user then they are assigned a single set of permissions that control what monitored resources they can access in both applications.
Configuring the portal server and Dashboard Application Services Hub to share an LDAP user registry is the best practice approach for having a federated set of dashboard users and Tivoli Enterprise Portal client users. In this scenario, the dashboard users login to the dashboard hub with their LDAP username and you must map their LDAP distinguished name to a Tivoli Enterprise Portal user ID with the required permissions.

Tivoli Enterprise Portal user IDs are automatically created with no permissions if a dashboard user requests monitoring data and does not have a user ID mapped to their distinguished name. See Notes on user administration for more details.



Feedback