IBM Tivoli Monitoring, Version 6.3 Fix Pack 2

Notes on user administration

Read these notes to understand the user ID contribution to Tivoli® Enterprise Portal functions and modes.

Workspace administration mode

Any changes you make to workspaces, links, and terminal host session scripts in the Tivoli Enterprise Portal are available only to your user ID. The exception is while Workspace Administration Mode is enabled.

Workspace administration mode enables you to customize and add workspaces, links, and terminal emulator scripts that are shared with all users connected to the same Tivoli Enterprise Portal. See "Starting workspace administration mode".


The Tivoli Enterprise Portal requires your logon ID whenever you start a work session. Every ID must first have been registered on the portal server. You can log onto the portal server with SYSADMIN and register other user IDs through the Administer Users window. The initial user ID, SYSADMIN, has full access and complete administrator authority. The system administrator registers additional users and sets their access privileges and authority.

User ID and groups

Each user ID is stored at the Tivoli Enterprise Portal Server and contains:
  • The user name
  • Job description
  • Permissions for viewing or modifying Tivoli Enterprise Portal functions
  • Assigned Navigator views and which Navigator item in each view appears as the root (default is the first item)
  • Access to specific monitoring applications
  • The user groups the user belongs to and indicators to signify when a permission has been granted to the user by a user group
Each user group is also stored at the portal server and has the same contents as for individual user IDs. But, instead of a list of user groups, it has a list of the user IDs assigned to the group.

Default user

The first user ID in the list is <Default User> and is used as the template ID for users created with Create New User. Edit this user ID if you want to change any of the default settings. The initial defaults enable all the functions listed under Tivoli Enterprise Portal Authorities, except the Modify permission for User Administration. Any changes you make to <Default User> ID apply to users created from this point on; they will not affect any existing user ID settings.

Granting access to a user

You set the authority privileges for each user when you create their user IDs. Giving users access to operational areas and customization options takes planning. Consider the job responsibilities of each user and the company security requirements when specifying authority privileges.

Important: Anyone with permission to create custom queries obtains access to all of the ODBC data source names (DSNs) created at the Tivoli Enterprise Portal Server. Add database user IDs, to be used in the DSN, to your database software, making sure to restrict user access to only those tables, columns, and so on, allowed by your organization's security policies.

Automatic Tivoli Enterprise Portal user ID creation

The first time a new user accesses a monitoring dashboard in IBM® Dashboard Application Services Hub, a Tivoli Enterprise Portal user ID is automatically created and mapped to the user's LDAP distinguished name if a Tivoli Enterprise Portal user ID does not already exist for the user. The Tivoli Enterprise Portal user ID is a randomly generated string. If you need to assign Tivoli Enterprise Portal permissions and monitoring applications to a dashboard user and their Tivoli Enterprise Portal user ID was automatically created, you can either assign the permissions to the randomly generated user ID or perform these steps:
  1. Delete the Tivoli Enterprise Portal user ID that was automatically created.
  2. Create a new user Tivoli Enterprise Portal user ID, map it to the LDAP distinguished name for the user, and then assign it permissions and monitoring applications.

Validating user access

The Tivoli Enterprise Portal Server verifies user IDs whenever users log on. If a job description changes and the user requires different access to the portal server, you must review and perhaps change the user's permissions.

The user ID for logging on to the portal server might include a password. You do not establish passwords in the portal. Instead, you must define a matching user ID with password to the network domain user accounts or to the operating system where the Tivoli Enterprise Monitoring Server resides:
  • User Accounts on the Windows system
  • Password file on the UNIX system
  • RACF® or ACF/2 host security system on the z/OS® system

As well, the monitoring server must be configured to Validate User. When users log on to the portal server, the hub monitoring server makes a request to the domain or the operating system to validate the user ID and password.

If the monitoring server has been installed on a distributed system, you can check if it has been configured to Validate User:
  1. Start the Manage Tivoli Enterprise Monitoring Services program:
    • Windows system Start → Programs → IBM Tivoli MonitoringManage Tivoli Enterprise Monitoring Services.
    • UNIX system Change to the install_dir/bin directory and run the following command: ./itmcmd manage [-h install_dir] where install_dir is the installation directory (default is opt/IBM/ITM).
  2. Right-click the Tivoli Enterprise Monitoring Server row for TEMS1 (hub) and select Reconfigure.
  3. In the Tivoli Enterprise Monitoring Server Configuration window, observe the setting of the Security: Validate User check box.

    When this option is selected, the password is required whenever a user logs on to the portal server; when it is cleared, the user name is required to log on but no password is required.

Note: Be aware that passwords must follow the security requirements for your organization. If this includes periodic password changes, you might get a Logon password has expired message while attempting to log on to the portal server. Should this happen, you must change your system password before you can log on. For example, on Windows this means changing the password through the Administrative Tools User Accounts.

Launching into the portal from other applications

In addition to any security requirements for launching into the Tivoli Enterprise Portal (such as single sign-on requirements), the Tivoli Enterprise Portal user ID that receives control after a launch from an external application must be pre-authorized to access the target managed system and workspaces. The user ID also must be authorized to issue any required take action commands.

User ID for Take Action commands

When the Tivoli Enterprise Portal sends a Take Action command to a managed system, the user ID might or might not be checked for authority to perform the action. In the simplest case, the command is sent to the managed system and executed using the user ID under which the agent is running. TheTivoli Enterprise Portal user ID is sent along with the action command in these contexts:
  • On-demand: user ID currently logged on
  • Situation action: user ID of the last person to update the situation
  • Workflow action: user ID of the last person to update the policy
However, the ID is ignored by the managed system unless told otherwise by a command prefix. These are command handlers implemented in the IBM Tivoli Monitoring products to control whether the Tivoli Enterprise Portal user ID should be validated before passing the command to the agent for execution.
Command prefix
When a command prefix is present in the Take Action, the agent passes the command to the application handler rather than executing the command. The syntax of the prefix and take action command is productcode:CNPuserID:command and the agent routes it to the application for execution. The application is free to execute the command with whatever user ID is appropriate. In the case of OMEGAMON® XE for WebSphere® MQ on z/OS, the Tivoli Enterprise Portal user ID is used.

If the special prefix is missing, the agent executes the command with the user ID under which the agent is running.

Most monitoring products do not employ a command prefix. IBM Tivoli Monitoring for WebSphere MQ does and, in fact, prepends any on-demand Take Action commands with a hidden MQ:CNPuserID: prefix, although you cannot see it.

UNIX setuid command
In addition to the command prefix and security exit, UNIX offers another option: a setuid command, which causes the process to dynamically change its userid. Thus, the agent could be changed to set the ID to the value passed as a parameter, issue the command, then change the user ID back again after the command is issued.