Objective 1: Limit user access

The bank identified roles to control access to IBM® Sterling Control Center Monitor.

The roles that the bank identified and developed are shown in the following list:

IBM Sterling Control Center Monitor Admin

A super user who is responsible for installing, configuring, and maintaining IBM Sterling Control Center Monitor, including startup and shutdown of the engine and defining subordinate administrator roles.

File Transfer Operations Admin

A subordinate role that has “manage” access to configure Sterling Connect:Direct® nodes and Sterling B2B Integrator adapters, and can create SLCs, rules, and reports.

File Transfer Monitoring Staff

A subordinate role that has “view only” access for monitoring file transfers and cannot edit artifacts or objects. The role can view artifacts or objects. Uses in this role have view only access to objects necessary to their monitoring responsibilities. For example, users in this role do not need to view SLC or rule configuration.

To show the relationships between these roles, the bank developed the following role hierarchy and then defined the roles in IBM Sterling Control Center Monitor:
This image shows a sample roles hierarchy for this scenario. The SCCAdmin user is a superuser with all permissions on all servers. There are 4 operations admin users reporting to the SCC admin who have manage all permissions that can only manage the servers in their server group CD1, CD2, CD3, or CD4. Reporting to the operations administrators, there are 4 monitoring users who have view only permissions for servers, server groups, processes, and alerts in those same server groups.

The SCCAdmin - Superuser role has all permissions that are enabled to "manage" for all servers. The Operations Admin CD1 role has all permissions that are enabled for all servers in the CD1 group. The Monitoring CD1 role has permissions to view servers and groups, processes, and alerts for all servers in the CD1 group. There are similar Operations Admin and Monitoring roles for the CD2 and CD3 groups. The Operations Admin SI1 role has all permissions that are enabled for all servers in the SI group. The Monitoring SI1 role has permissions to view servers and groups, processes, and alerts for all servers in the SI group.

When the IBM Sterling Control Center Monitor admin configured users who are allowed access to the IBM Sterling Control Center Monitor console, an appropriate role was assigned to each user. As a result, when a user logs on to the console, they have access to the servers and functions that are associated with their role.

All of the IBM Sterling Control Center Monitor console users run the console on a Microsoft Windows operating system. The bank does not require IBM Sterling Control Center Monitor to maintain any passwords in its user file and uses the signed on user and the Microsoft Windows domain as the credentials to allow signon to IBM Sterling Control Center Monitor.