Overview of security sets

Security sets extend a SmartModel to include view, add, modify, and delete (VAMD) rights to commands inside a configuration. Once defined, you can reuse security sets for different SmartModels.

A security set is a tool that layers security on top of modeled configurations, thereby supporting security at the presentation layer. Security sets add view, add, modify, and delete permissions (that is, VAMD permissions) to the commands inside a configuration.
  • You create security sets as resources in the IBM Tivoli Netcool Configuration Manager GUI.
  • Security sets are applicable to any SmartModel, meaning that when you create one for one SmartModel, you can use it for any SmartModel.
  • Security sets are schema-specific, but you can use them across devices with the same vendor and type.
  • A security set must be in a realm where devices can resolve it.

Mapping a native configuration to XML hierarchy

When a native configuration is mapped to XML, a hierarchy of data is created consisting of parent-child relationships, which are based on the indentation used by the native configuration. Commands that are indented are sub-commands of their parent. Using this XML configuration format, you can overlay security set metadata onto the XML structure, for example by defining VAMD rights on configuration nodes, which are then inherited down the configuration hierarchy.

Figure 1. Layering security sets onto a hierarchy example
Using the XML hierarchy for the configuration, the security set adds VAMD rights to the configuration and its subsequent nodes.
In this example, the base node of the XML configuration is 'Configuration'. VAMD rights are all set to false. If it is left this way and the security set is applied, the user sees nothing upon opening the configuration.

However, in subsequent nodes down the tree, the VAMD rights are modified. For example, the 'aaa' node of the configuration has all its VAMD rights set to true. If the security set is applied, users see the 'aaa' node of the configuration.

The same is true for all the SNMP commands. VAMD rights are inherited down the configuration tree. For all other commands not shown in this example, their VAMD rights are all false.

In the 'IP' node of the configuration, the security set is designed so that users can see and modify any access lists under the 'IP' node of the tree. However, anything else under 'IP' is hidden.
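The following added example (not IBM code and not the product's implementation) models the behavior described above: it builds the parent-child hierarchy from indentation, overlays a security set, and computes the rights each command inherits. The rule format (command-token prefixes mapped to a rights string), the "longest matching rule wins" choice, and the sample configuration are assumptions made for illustration.

```python
# Added illustration only; the rule format below is hypothetical.
SAMPLE_CONFIG = """\
aaa new-model
snmp-server community EXAMPLE ro
ip access-list extended MGMT
 permit tcp any any eq 22
 deny ip any any
ip route 0.0.0.0 0.0.0.0 192.0.2.1
interface GigabitEthernet0/1
 description uplink
"""  # constructed sample, not taken from a real device

# Hypothetical security set: command-token prefix -> granted rights (subset of "VAMD").
SECURITY_SET = {
    (): "",                       # base 'Configuration' node: all rights false
    ("aaa",): "VAMD",
    ("snmp-server",): "VAMD",
    ("ip", "access-list"): "VM",  # view and modify only
}

def effective_rights(config_text, security_set):
    """Return [(depth, command, rights)] with rights inherited down the hierarchy."""
    base = frozenset(security_set.get((), ""))
    stack = [(-1, base)]          # (indent, rights) of the current ancestors
    result = []
    for line in config_text.splitlines():
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip(" "))
        while stack[-1][0] >= indent:   # pop siblings and deeper nodes
            stack.pop()
        tokens = tuple(line.split())
        # An explicit rule on this node overrides what the parent passes down.
        matches = [k for k in security_set if k and tokens[:len(k)] == k]
        if matches:
            rights = frozenset(security_set[max(matches, key=len)])
        else:
            rights = stack[-1][1]
        granted = "".join(r for r in "VAMD" if r in rights)
        result.append((len(stack) - 1, line.strip(), granted))
        stack.append((indent, rights))
    return result

def visible_commands(config_text, security_set):
    """Commands a user holding this security set would see (V right is true)."""
    return [c for _, c, r in effective_rights(config_text, security_set) if "V" in r]

if __name__ == "__main__":
    for depth, cmd, rights in effective_rights(SAMPLE_CONFIG, SECURITY_SET):
        print(f"{'  ' * depth}{cmd:<45} {rights or '-'}")
```

Because the base node grants nothing, any command without an explicit or inherited grant (here `ip route` and `interface`) stays hidden, which is the default-deny behavior the example in Figure 1 describes.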