Notes on user administration
Read these notes to understand how user IDs affect Cloud Pak System Software Monitoring Portal functions and modes.
Workspace administration mode
Any changes you make to workspaces, links, and terminal host session scripts in the Cloud Pak System Software Monitoring Portal are available only to your user ID. The exception is while Workspace Administration Mode is enabled.
Workspace administration mode enables you to customize and add workspaces, links, and terminal emulator scripts that are shared with all users connected to the same Cloud Pak System Software Monitoring Portal Server. See Starting workspace administration mode.
SYSADMIN logon ID
The Cloud Pak System Software Monitoring Portal requires your logon ID whenever you start a work session. Every ID must first have been registered on the portal server. You can log on to the portal server with SYSADMIN and register other user IDs through the Administer Users window. The initial user ID, SYSADMIN, has full access and complete administrator authority. The system administrator registers additional users and sets their access privileges and authority.
User ID and groups
A user ID definition includes the following:
- The user name
- Job description
- Permissions for viewing or modifying Cloud Pak System Software Monitoring Portal functions
- Assigned Navigator views and which Navigator item in each view appears as the root (default is the first item)
- Access to specific monitoring applications
- The user groups the user belongs to and indicators to signify when a permission has been granted to the user by a user group
Default user
The first user ID in the list is <Default User> and is used as the template ID for users created with Create New User. Edit this user ID if you want to change any of the default settings. The initial defaults enable all the functions listed under Cloud Pak System Software Monitoring Portal Authorities, except the Modify permission for User Administration. Any changes you make to <Default User> ID apply to users created from this point on; they will not affect any existing user ID settings.
Granting access to a user
You set the authority privileges for each user when you create their user IDs. Giving users access to operational areas and customization options takes planning. Consider the job responsibilities of each user and the company security requirements when specifying authority privileges.
Important: Anyone with permission to create custom queries obtains access to all of the ODBC data source names (DSNs) created at the Cloud Pak System Software Monitoring Portal Server. Add database user IDs, to be used in the DSN, to your database software, making sure to restrict user access to only those tables, columns, and so on, allowed by your organization's security policies.
Validating user access
The Cloud Pak System Software Monitoring Portal Server verifies user IDs whenever users log on. If a job description changes and the user requires different access to the portal server, review and, if necessary, change the user's permissions.
Each user ID must also exist in the security facility of the system where the hub monitoring server runs, because that facility validates the user ID and password:
- User Accounts on the Windows system
- Password file on the UNIX system
- RACF or ACF/2 host security system on the z/OS system
The hub monitoring server must also be configured to Validate User. When users log on to the portal server, the hub monitoring server makes a request to the domain or the operating system to validate the user ID and password.
To check the setting:
- Start the Manage Tivoli® Monitoring Services program:
  - Windows: Start → Programs → Cloud Pak System Software Monitoring Server → Manage Tivoli Monitoring Services.
  - UNIX or Linux: change to the Install_dir/bin directory and run ./itmcmd manage [-h Install_dir], where Install_dir is the installation directory (default is /opt/IBM/ITM).
- Right-click the Cloud Pak System Software Monitoring Server row for TEMS1 (hub) and select Reconfigure.
- In the Cloud Pak System Software Monitoring Server Configuration window, observe the setting of the Security: Validate User check box.
When this option is selected, a password is required whenever a user logs on to the portal server. When it is cleared, only the user name is required to log on and no password is checked, so anyone who knows a registered user ID can log on as that user.
Launching into the portal from other applications
In addition to any security requirements for launching into the Tivoli Enterprise Portal (such as single sign-on requirements), the Tivoli Enterprise Portal user ID that receives control after a launch from an external application must be pre-authorized to access the target managed system and workspaces. The user ID must also be authorized to issue any required Take Action commands.
User ID for Take Action commands
The user ID under which a Take Action command runs depends on how the command was issued:
- On-demand: user ID currently logged on
- Situation action: user ID of the last person to update the situation
- Workflow action: user ID of the last person to update the policy
- Command prefix
- When a command prefix is present in the Take Action command, the agent passes the command to the application handler rather than executing it itself. The syntax of the prefix and Take Action command is productcode:CNPuserID:command, and the agent routes the command to the application for execution. The application is free to execute the command with whatever user ID is appropriate; in the case of OMEGAMON XE for WebSphere MQ on z/OS, the Cloud Pak System Software Monitoring Portal user ID is used.
If the prefix is missing, the agent executes the command with the user ID under which the agent is running.
Most monitoring products do not use a command prefix. Tivoli Monitoring for WebSphere MQ does, and adds a hidden MQ:CNPuserID: prefix to every on-demand Take Action command, although you cannot see it.
- UNIX setuid command
- In addition to the command prefix and security exit, UNIX offers another option: a setuid command, which causes the process to dynamically change its user ID. Thus, the agent could be changed to set the ID to the value passed as a parameter, issue the command, then change the user ID back again after the command is issued. Switching user IDs in this way requires the agent itself to run with enough privilege (typically root), which is a risk to weigh before choosing it.
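The prefix rule and the setuid option above can be modelled in a few lines. The following Python is an added illustration, not code from the product: it splits a Take Action string on the productcode:CNPuserID:command syntax, routes prefixed commands to the application handler and unprefixed ones to the agent's own user ID, and shows a child-process identity switch for the setuid case. It assumes (the page does not say) that the middle token is the literal marker CNP followed by the portal user ID, that product codes are short alphanumeric tokens, and that the command text may itself contain colons; the names Dispatch, parse_take_action, add_mq_prefix and run_command_as are invented for the example.

```python
"""Model of Take Action command routing (added example, not product code).

Assumptions not taken from the documentation: the prefix's middle token is the
literal marker "CNP" followed by the portal user ID, product codes are short
alphanumeric tokens, and the command text may itself contain colons.
"""
from __future__ import annotations

import os
import pwd
import subprocess
from dataclasses import dataclass
from typing import Optional

PREFIX_MARKER = "CNP"  # assumed literal that precedes the portal user ID


@dataclass(frozen=True)
class Dispatch:
    route: str                  # "application" (prefix present) or "agent" (no prefix)
    product: Optional[str]      # product code from the prefix, e.g. "MQ"
    portal_user: Optional[str]  # portal user ID carried in the prefix
    command: str                # command text handed to the application or the shell
    run_as: str                 # user ID the command effectively runs under


def parse_take_action(raw: str, agent_user: str) -> Dispatch:
    """Apply the rule: productcode:CNPuserID:command goes to the application
    handler; anything else is executed by the agent under its own user ID."""
    parts = raw.split(":", 2)  # at most two splits, so colons inside the command survive
    if len(parts) == 3:
        product, token, command = parts
        if (product.isalnum() and token.startswith(PREFIX_MARKER)
                and len(token) > len(PREFIX_MARKER)):
            user = token[len(PREFIX_MARKER):]
            # The application chooses the OS user; this model records the portal
            # user because that is what the WebSphere MQ on z/OS handler uses.
            return Dispatch("application", product, user, command, run_as=user)
    # No usable prefix (plain command, or a Windows path such as C:\x.bat): agent runs it.
    return Dispatch("agent", None, None, raw, run_as=agent_user)


def add_mq_prefix(portal_user: str, command: str) -> str:
    """Mimic the hidden MQ:CNPuserID: prefix that Tivoli Monitoring for
    WebSphere MQ adds to on-demand Take Action commands."""
    return f"MQ:{PREFIX_MARKER}{portal_user}:{command}"


def run_command_as(command: str, run_as: Optional[str] = None) -> subprocess.CompletedProcess:
    """Run a shell command, optionally as another OS user (the setuid option).

    The identity switch happens in the child only (subprocess user=/group=,
    Python 3.9+), so the agent keeps its own ID and the child cannot regain the
    agent's privileges. Switching to another user requires the agent to be root.
    """
    kwargs = {}
    if run_as is not None:
        current = pwd.getpwuid(os.geteuid()).pw_name
        if run_as != current:
            if os.geteuid() != 0:
                raise PermissionError(f"must be root to run a command as {run_as}")
            entry = pwd.getpwnam(run_as)
            kwargs = {"user": entry.pw_uid, "group": entry.pw_gid}
    return subprocess.run(command, shell=True, capture_output=True, text=True, **kwargs)


if __name__ == "__main__":
    agent = os.environ.get("USER") or str(os.geteuid())
    samples = [  # constructed inputs
        add_mq_prefix("smith", "DISPLAY QLOCAL(Q1)"),
        "DISPLAY QLOCAL(Q1)",
        r"C:\tools\restart.bat",
    ]
    for raw in samples:
        print(parse_take_action(raw, agent))
```

Note the design choice in run_command_as: instead of the switch-and-switch-back sequence the text describes, the drop is done in the child process, which is permanent for that child and leaves the agent's own identity untouched. A process that lowers its effective user ID and later restores it still carries the privileged saved user ID, and a command started in that state can reclaim it.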