Securing the solution

Security is important in IBM® Intelligent Operations Center because the solution is central to essential operations. To ensure security, it is important that you are aware of the default settings and that you manage users of the solution to give all users the correct level of access.

Default passwords

Your first task in securing the solution is to ensure that all default passwords are changed. A basic user registry is deployed with IBM Intelligent Operations Center that defines sample users and groups. The password for default and sample users is configured in the ioc.sample.users.pwd property that is in the installation properties file at /ioc_install/cfg/ioc.install.properties.

Note: Do not use an exclamation mark (!) as your first password character, and do not use the hash character (#) as the first character for any password in the installation properties file.

Secure connection

IBM Intelligent Operations Center is HTTPS enabled by default. Any change to the HTTPS setting for an individual service must be accompanied by an update to the corresponding port setting.

User authentication

User authentication is associated with authorization rights that give the user access to the appropriate features. IBM Intelligent Operations Center supports integration to the existing security infrastructure for single sign-on.

Configure user permissions in an external Lightweight Directory Access Protocol (LDAP) registry by using your chosen tools and processes. Then, configure IBM Intelligent Operations Center to use your LDAP registry.

Consider that accommodating many user groups, roles, and permissions can lead to a security regime that is difficult to manage. It is recommended that administrators restrict the number of groups and permissions.

User roles and permissions

Membership of a role-based user group provides a way of controlling access to the IBM Intelligent Operations Center. The users in a group have access only to the features of the solution that correspond to their role. Being a member of a role-based user group also helps users to focus on the appropriate tasks. The standard roles that you might want to configure are system administrators, solution administrators, and operators.

Use the following guidelines when you add a user to IBM Intelligent Operations Center:

Choose a group that is appropriate to the role of the user in the organization, and make the user a member of that group.
Complete a profile for the user and include at least the user ID, name, and password.

The deployment assigns default users to each of the following default groups that are configured in the GroupList system property.

SystemAdmins
SolutionAdmins
Operators

For IBM Intelligent Operations Center to operate correctly, at least one user must be assigned to each of the default groups. It is recommended that you retain the default administrative users. If you add groups or you define a new administrative user, you must configure the appropriate system properties. For more information, see the User roles and access topic.

Page and taskbar access

An administrator can determine which groups and users can access each view and each feature in the IBM Intelligent Operations Center user interface.

Data sources and permissions

Access to a feature in IBM Intelligent Operations Center does not mean that a user can view all the data sources that it contains. To ensure that users see only the appropriate data, an administrator determines access during the configuration of individual data sources. An administrator can assign access to a data source to both user groups, and to individual users.

User roles and access
IBM Intelligent Operations Center implements security by limiting access to features based on groups.
Managing users, user groups, and roles
If your system is configured to work with a Lightweight Directory Access Protocol (LDAP) user registry, as a platform administrator you can manage the users and groups in your solution in the User Management view. In version 5.1.0.12 or later, you can also manage roles in this view.
Managing tenants
As a platform administrator, manage the tenants in your solution. Multitenancy provides the capability to support multiple customers or organizations, called tenants, by using a single deployment of an application while ensuring that each tenant user can access only the data that they are authorized to use. A hierarchy of tenants exists, with the super tenant at the apex, and each tenant can be mapped to one or more user groups. With Device Management Enablement, tenancies enable the administrators of your environment to limit access to assets to users in one or more user groups. Each asset is associated with a tenant, and so users can access only those assets that are associated with their tenants, or with any tenants below their tenants in the hierarchy.
Configuring an LDAP user registry
A basic user registry is installed by default after initial solution installation. However, the basic user registry does not have support for password policies, password length, password expiration dates, or user lockout. Configure the solution to work with a Lightweight Directory Access Protocol (LDAP) user registry. An LDAP user registry performs better than other user registry configurations, and is more scalable.
Configuring the password reset feature
You can configure the password reset feature if your solution is integrated with a Lightweight Directory Access Protocol (LDAP) user registry. The password reset feature is then available on the login window. However, for security reasons, users who are members of the SystemAdmins group cannot use the password reset feature.
Configuring page access
Define which groups can access each view in the IBM Intelligent Operations Center user interface, such as the Operations view.
Configuring access to geospatial maps
Define which groups can access geospatial maps.
Configuring access to filter panes
Define which groups can access dynamic filter panes.
Configuring taskbar access
In the Operations view, users can access features, such as the KPI dashboard and the analytics tool, through buttons that are on the taskbar. If you are an administrator, you can configure which features users can access by configuring taskbar access privileges for groups.
Configuring access to customized actions
Configure the access privileges that are needed to make a customized action available on a data item's preview card. By default, the customized action is available on the preview card for users that have read or write access to the data source.
Standard operating procedure roles
The standard operating procedure component obtains the current authentication credentials to determine what actions each user is authorized to do. Each user is authorized to do standard operating procedure actions that are based on the LDAP roles that the user is assigned to. A user must match the distinguished name (DN) that is used in association with the standard operating procedure objects.
Importing SSL certificates for HTTPS connections
If any of the servers in the solution require the presence of SSL certificates for communication, import the required SSL certificates into the WebSphere® Application Server Liberty Profile default keystore.
Device Management Enablement securing
Complete the following steps to secure Device Management Enablement.

Related tasks:

Configuring system properties

Securing your data source