IBM Tivoli Storage Manager, Version 7.1

GRANT AUTHORITY (Add administrator authority)

Use this command to grant an administrator one or more administrative privilege classes, and authority to access client nodes.

You cannot grant restricted privilege to an unrestricted policy or unrestricted storage administrator. You must use the REVOKE AUTHORITY command to remove the administrator's unrestricted privilege, then use this command to grant restricted privilege to the administrator.

Privilege class

To issue this command, you must have system privilege.

Syntax

>>-GRant AUTHority--admin_name---------------------------------->

                   .-,---------------.   
           (1)     V                 |   
>--CLasses------=----+-SYstem------+-+-------------------------->
                     +-Policy------+     
                     +-STorage-----+     
                     +-Operator----+     
                     '-Node--| A |-'     

>--+-----------------------------+------------------------------>
   |             .-,-----------. |   
   |             V             | |   
   '-DOmains--=----domain_name-+-'   

>--+--------------------------------+--------------------------><
   |                  .-,---------. |   
   |          (1)     V           | |   
   '-STGpools------=----pool_name-+-'   

A

   .-AUTHority--=--Access-----.                                
|--+--------------------------+--+-DOmains--=--domain_name-+----|
   '-AUTHority--=--+-Access-+-'  '-NOde--=--node_name------'   
                   '-Owner--'                                  

Notes:
  1. You must specify one or more of these parameters.

Parameters

admin_name (Required)
    Specifies the name of the administrator being granted an administrative privilege class.
CLasses
    Specifies one or more privilege classes to grant to an administrator. This parameter is required, except when you specify the STGPOOLS parameter. You can specify more than one privilege class by separating each with a comma. Possible classes are:
    SYstem
        Specifies that you want to grant system privilege to an administrator. A system administrator has the highest level of authority in Tivoli® Storage Manager. A system administrator can issue any administrative command and has authority to manage all policy domains and all storage pools. Do not specify additional privilege classes or the DOMAINS or STGPOOLS parameters when granting system privilege to an administrator. Only a system administrator can grant authority to other administrators.
    Policy
        Specifies that you want to grant policy privilege to an administrator. If you do not specify the DOMAINS parameter, unrestricted policy privilege is granted. An unrestricted policy administrator can issue commands that affect all existing policy domains as well as any policy domains that are defined in the future. An unrestricted policy administrator cannot define, delete, or copy policy domains. Use the GRANT AUTHORITY command with CLASSES=POLICY and no DOMAINS parameter to upgrade a restricted policy administrator to an unrestricted policy administrator.
    STorage
        Specifies that you want to grant storage privilege to an administrator. If the STGPOOLS parameter is not specified, unrestricted storage privilege is granted. An unrestricted storage administrator can issue all commands that allocate and control storage resources for the server. An unrestricted storage administrator can issue commands that affect all existing storage pools as well as any storage pools that are defined in the future. An unrestricted storage administrator cannot define or delete storage pools. Using the GRANT AUTHORITY command with CLASSES=STORAGE and no STGPOOLS parameter upgrades a restricted storage administrator to an unrestricted storage administrator.
    Operator
        Specifies that you want to grant operator privilege to an administrator. An administrator with operator privilege can issue commands that control the immediate operation of the server and the availability of storage media.
    Node
        Specifies that you want to grant a node privilege to a user. A user with client node privilege can remotely access a web backup-archive client with an administrative user ID and password if they have been given owner authority or access authority. Access authority is the default for a node privilege class.
        Attention: When you specify the node privilege class, you must also specify either the DOMAINS parameter or the NODE parameter, but not both.
        AUTHority
            Specifies the authority level of a user with node privilege. This parameter is optional.

            If an administrator already has system or policy privilege to the policy domain to which the node belongs, this command will not change the administrator's privilege.

            Possible authority levels are:
            Access
                Specifies that you want to grant client access authority to a user with the node privilege class. This is the default when CLASSES=NODE is specified. A user with client access authority can access a web backup-archive client and perform backup and restore actions on that client.
                Attention: A user with client access authority cannot access that client from another system by using the -NODENAME or -VIRTUALNODENAME parameter.

                A client node can set the REVOKEREMOTEACCESS option to restrict a user that has node privilege with client access authority from accessing a client workstation that is running a web client. This option does not apply to administrators with client owner authority, system privilege, or policy privilege to the policy domain to which the node belongs.

            Owner
                Specifies that you want to grant client owner authority to a user with the node privilege class. A user with client owner authority can access a web backup-archive client through the web client interface and also access their data from another client using the -NODENAME or -VIRTUALNODENAME parameter.
        DOmains
            Specifies that you want to grant to the administrator client access or client owner authority to all clients in the specified policy domain. You cannot use this parameter together with the NODE parameter.
        NOde
            Specifies that you want to grant the administrator client access or client owner authority to the node. You cannot use this parameter together with the DOMAINS parameter.
DOmains
    When used with CLASSES=POLICY, specifies that you want to grant restricted policy privilege to an administrator.

    Restricted policy privilege permits an administrator to issue a subset of the policy commands for the domains to which the administrator is authorized. You can use this parameter to grant additional policy domain authority to a restricted policy administrator. This parameter is optional. You can specify more than one policy domain by delimiting each policy domain name with a comma.

    You can use wildcard characters to specify a name. Authority for all matching policy domains is granted.

STGpools
    Specifies that you want to grant restricted storage privilege to an administrator. If the STGPOOLS parameter is specified, then CLASSES=STORAGE is optional.

    Restricted storage privilege permits you to issue a subset of the storage commands for the storage pools to which the administrator is authorized. You can use this parameter to grant additional storage pool authority to a restricted storage administrator. This parameter is optional. You can specify more than one storage pool by delimiting each storage pool name with a comma.

    You can use wildcard characters to specify a name. Authority for all matching storage pools is granted.

Example: Grant system privilege to an administrator

Grant system privilege to administrator Larry.
grant authority larry classes=system

Example: Grant access to additional policy domains

Specify additional policy domains that the restricted policy administrator CLAUDIA can manage.
grant authority claudia domains=employee_records,prog1

Example: Provide an administrator with unrestricted storage privilege and restricted policy privilege

Provide administrator TOM with unrestricted storage privilege and restricted policy privilege for the domains whose names start with EMP.
grant authority tom classes=storage domains=emp*

Example: Grant an administrator authority restricted to a specific node

Grant node privilege to user HELP so that help desk personnel can assist the client node LABCLIENT in backing up or restoring data without having other higher-level Tivoli Storage Manager privileges.
grant authority help classes=node node=labclient
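
An added example, not part of the IBM documentation: a small Python reviewer that checks GRANT AUTHORITY command lines against the rules stated on this page and flags grants that are unrestricted, wildcard-scoped, owner-level, or invalid before they are run. The function names and finding codes are hypothetical, and the `?` wildcard is an assumption alongside the `*` shown in the examples.

```python
# Added example, not IBM code; function names and finding codes are hypothetical.
KEYWORDS = {"CLasses": "CLASSES", "DOmains": "DOMAINS", "STGpools": "STGPOOLS",
            "AUTHority": "AUTHORITY", "NOde": "NODE"}
CLASSES = {"SYstem": "SYSTEM", "Policy": "POLICY", "STorage": "STORAGE",
           "Operator": "OPERATOR", "Node": "NODE"}
LEVELS = {"Access": "ACCESS", "Owner": "OWNER"}

def expand(word, table):
    """Resolve an abbreviation; capitals in each table key mark the minimum form."""
    w = word.upper()
    for pattern, full in table.items():
        minimum = "".join(c for c in pattern if c.isupper())
        if w.startswith(minimum) and full.startswith(w):
            return full
    raise ValueError(f"unrecognized keyword or value: {word!r}")

def review_grant(command):
    """Return the findings for one GRANT AUTHORITY command line."""
    verb, noun, _admin, *rest = command.split()  # ValueError if too short
    expand(verb, {"GRant": "GRANT"})
    expand(noun, {"AUTHority": "AUTHORITY"})
    params, findings = {}, []
    for token in rest:
        key, _, value = token.partition("=")
        params[expand(key, KEYWORDS)] = value.split(",")
    classes = {expand(c, CLASSES) for c in params.get("CLASSES", [])}
    domains, pools = params.get("DOMAINS", []), params.get("STGPOOLS", [])
    if "SYSTEM" in classes:
        findings.append("SYSTEM: highest authority, can issue any administrative command")
        if len(classes) > 1 or domains or pools:
            findings.append("INVALID-SYSTEM: no other classes, DOMAINS or STGPOOLS allowed")
    if "POLICY" in classes and not domains:
        findings.append("UNRESTRICTED-POLICY: covers all existing and future policy domains")
    if "STORAGE" in classes and not pools:
        findings.append("UNRESTRICTED-STORAGE: covers all existing and future storage pools")
    if "NODE" in classes:
        if bool(domains) == bool(params.get("NODE")):
            findings.append("INVALID-NODE: specify exactly one of DOMAINS or NODE")
        if expand(params.get("AUTHORITY", ["Access"])[0], LEVELS) == "OWNER":
            findings.append("NODE-OWNER: data reachable from another client via -NODENAME")
    for name in domains + pools:
        if "*" in name or "?" in name:  # "?" is an assumption; the page shows "*"
            findings.append(f"WILDCARD: {name} grants every matching domain or pool")
    return findings

if __name__ == "__main__":  # 1st command is the page's example, 2nd is constructed
    for cmd in ("grant authority tom classes=storage domains=emp*",
                "gr auth pat cl=node,policy authority=owner"):
        print(cmd, "->", review_grant(cmd))
```

An empty result means the grant is scoped to named domains, pools or nodes and breaks none of the stated rules; it does not mean the scope is appropriate for that administrator.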

Related commands

Table 1. Commands related to GRANT AUTHORITY
Command             Description
QUERY ADMIN         Displays information about one or more Tivoli Storage Manager administrators.
REVOKE AUTHORITY    Revokes one or more privilege classes or restricts access to policy domains and storage pools.
