User authentication may be enabled through either the hub Tivoli Enterprise Monitoring Server,
or the Tivoli Enterprise Portal Server.
If authentication is enabled through the hub monitoring server,
user IDs can be authenticated either by the local operating system
registry or by an external LDAP-enabled central registry. User IDs
that need to make SOAP Server requests (including user IDs that issue
tacmd CLI commands that invoke SOAP server methods) can be authenticated
only through the hub monitoring server.
If authentication is enabled through the Tivoli Enterprise Portal Server,
user IDs are authenticated against an external LDAP-enabled registry.
User IDs that require single sign-on (SSO) capability must be authenticated
through the portal server and
mapped to unique user identifiers in an LDAP registry shared by all
SSO-eligible Tivoli® applications.
If you are using Dashboard Application Services Hub with monitoring
applications such as IBM® Infrastructure
Management Dashboards for Servers, IBM Infrastructure
Management Dashboards for VMware, IBM Infrastructure
Management Capacity Planner for VMware, IBM Infrastructure
Management Capacity Planner for PowerVM® or
in custom dashboards, you should enable user authentication through
the portal server and configure single sign-on if you want to grant
your dashboard users different permissions for viewing monitored resources.
If you do not configure single sign-on, all dashboard users will see
the same set of monitored resources.
The Performance Monitoring service provider component of the Tivoli Enterprise Monitoring
Automation Server does not use the user registries configured for
the hub monitoring server or portal server to authenticate users.
If you want the Performance Monitoring service provider to authenticate
HTTP GET requests that it receives from OSLC client applications,
you must configure it to use the Security Services component of Jazz™ for Service Management. Security
Services is an optional Jazz for
Service Management component that enables non-WebSphere based applications
such as the Performance Monitoring service provider to participate
in LTPA based single sign-on. See Single sign-on capability for more details
on using Security Services with the Performance Monitoring service
provider.
User authentication should not be enabled until at least a basic
installation of Tivoli Management
Services components and IBM Tivoli Monitoring base agents
has been completed and tested. For instructions on enabling authentication,
see the IBM Tivoli Monitoring Administrator's
Guide.
Tivoli Enterprise Portal authorization
is controlled by user accounts defined to the portal server.
In addition to defining the user IDs that are authorized to log on
to the Tivoli Enterprise Portal,
these accounts define the permissions that determine the Tivoli Enterprise Portal features a user is
authorized to see and use, the monitored applications the user is
authorized to see, and the Navigator views (and the highest level
within a view) the user can access.
An initial sysadmin user ID with full administrator authority
is provided during installation so you can log in to the Tivoli Enterprise Portal and add more user
accounts. (For information on creating user accounts and setting user
permissions, see the Using Tivoli Enterprise
Portal user authorization chapter in the IBM Tivoli Monitoring Administrator's
Guide.)
No password is required to log on to the Tivoli Enterprise Portal,
unless user authentication is enabled.
You have two options for authorizing the monitoring resources that
can be viewed by users who are using dashboard applications such as
IBM Infrastructure Management
Dashboards for Servers or custom dashboards:
- Use the Tivoli Authorization
Policy Server and tivcmd Command Line Interface to create roles and
permissions, which are collectively called authorization policies.
These authorization policies control which managed systems and managed
system groups a dashboard user can view. Roles are created for job
functions and permissions to view specific managed systems or managed
system groups are assigned to roles. Users acquire permissions based
on the role (or roles) that the user belongs to. Users can be assigned
to roles directly or the user groups that they are members of can
be assigned to roles. The permissions also specify the type of object
that can be viewed for a managed system or managed system group. The
supported object types are event (for situation events) and attribute
group (for monitoring data retrieved from an agent).
The following tasks must be performed to use authorization policies:
  - Install the Tivoli Authorization
  Policy Server into Dashboard Application Services Hub.
  - Install the tivcmd Command Line Interface on systems accessible
  to the administrators who will create and work with authorization
  policies.
  - Administrators use the tivcmd Command Line Interface to create
  authorization policies for dashboard users or user groups.
  - After the authorization policies have been created for the current
  set of dashboard users, you must reconfigure the portal server to
  enable authorization policies. This step causes the portal server
  to retrieve the authorization policies from the Authorization Policy
  Server and to start enforcing the authorization policies in the dashboard
  data provider. If Tivoli Enterprise
  Portal permissions and monitored application assignments are also
  configured for the dashboard user, these permissions are ignored since
  the authorization policies take precedence.
For more information on creating and working with authorization
policies, see
Role based authorization policy in the
IBM Tivoli Monitoring Administrator's
Guide.
- Use Tivoli Enterprise
Portal permissions and monitored application assignments for your
dashboard users. If authorization policies are not enabled in the
portal server configuration then the dashboard data provider defaults
to using Tivoli Enterprise
Portal permissions and monitoring application assignments for authorizing
dashboard user requests from Dashboard Application Services Hub.
With
this option, you create Tivoli Enterprise
Portal users for each of your dashboard users using the Tivoli Enterprise Portal User Administration
dialog. Using the same dialog, you can grant a user permission to
view events and assign the user one or more monitored applications
that they can view. These steps can also be performed using the tacmd
Command Line Interface. See the Using Tivoli Enterprise Portal user authorization chapter
in the IBM Tivoli Monitoring Administrator's
Guide and
the IBM Tivoli Monitoring Command Reference for
more details.
Tivoli Enterprise
Portal authorization is less granular than authorization policies.
While authorization policies allow you to grant a dashboard user permission
to view only specific managed systems or members of specific managed
system groups, Tivoli Enterprise
Portal authorization is at the monitored application level. In other
words, a user is assigned permission to view all managed systems of
a particular monitoring application type, for example all Windows OS agents.
When you are initially
setting up your monitoring and dashboard environment, it is recommended
that you start with Tivoli Enterprise
Portal permissions and monitored application assignments. After you
are able to see monitoring data in Dashboard Application Services
Hub and your administrators have created authorization policies, then
reconfigure the portal server if you want to start using authorization
policies.
If your dashboard users are also going to access the Tivoli Enterprise Portal client,
the set of monitored resources that they can view in dashboards might
be different than the monitored resources they can view in the Tivoli Enterprise Portal client.
This can occur if the permissions are inconsistent or the authorization
policies are more restrictive.
- Example of inconsistent permissions: Assume the user is granted
permission to view a subset of Windows OS
agents in Dashboard Application Services Hub using authorization policies
but the user is not assigned the Windows OS
monitoring application in their Tivoli Enterprise
Portal permissions. In this scenario, the user will see their authorized Windows OS agents in the dashboards
but they will not see any Windows OS
agents when they access the Tivoli Enterprise
Portal client.
- Example of more restrictive authorization policies: Assume the
user is granted permission to view a subset of Windows OS agents in Dashboard Application
Services Hub using authorization policies and the user is assigned
the Windows OS monitoring
application in their Tivoli Enterprise
Portal permissions. In this scenario, the user will see the authorized Windows OS agents in the dashboards
but they will see all Windows OS
agents when they access the Tivoli Enterprise
Portal client.
Dashboard user authorization is also affected by the configuration
of the dashboard data provider connection in Dashboard Application
Services Hub.
- If the connection is configured for single sign-on, the dashboard
users see the monitored resources that they have been authorized to
view using either authorization policies, when they are enabled, or Tivoli Enterprise Portal monitored
application assignments.
- If the connection is not configured for single sign-on, the Dashboard
Application Services Hub always passes the username configured for
the connection to the dashboard data provider. Therefore, authorization
is performed for the user configured for the connection and not the
user who is logged into Dashboard Application Services Hub. In this
case, all dashboard users will see the same set of monitored resources.
Because of this behavior, you should configure the dashboard
data provider connection for single sign-on if you want to grant different
permissions to your dashboard users. Single sign-on is not required
if you want all of your dashboard users to have the same authorizations.
See
Single sign-on capability for
more information on configuring Dashboard Application Services Hub
and the portal server for single sign-on support.
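The following Python model is an added illustration, not IBM code or an API of the product: it encodes the decision rules described above (role-based authorization policies with direct and group-based role membership, object types event and attribute group, managed system versus managed system group targets, the fallback to Tivoli Enterprise Portal monitored application assignments when policies are not enabled, and the substitution of the connection user when the data provider connection is not configured for single sign-on). All user, role, group and managed system names are constructed sample data.

```python
from dataclasses import dataclass, field
from collections import namedtuple

# A policy permission: object_type is "event" or "attribute group"; it names either
# a single managed system or a managed system group (every member is covered).
Permission = namedtuple("Permission", "object_type system group", defaults=(None, None))

@dataclass
class Environment:
    policies_enabled: bool         # portal server reconfigured to enforce policies
    sso_connection: bool           # data provider connection configured for SSO
    connection_user: str           # user ID stored in the connection definition
    roles: dict                    # role -> [Permission]
    user_roles: dict = field(default_factory=dict)   # user -> {roles assigned directly}
    user_groups: dict = field(default_factory=dict)  # user -> {user groups}
    group_roles: dict = field(default_factory=dict)  # user group -> {roles}
    msgroups: dict = field(default_factory=dict)     # managed system group -> {systems}
    system_apps: dict = field(default_factory=dict)  # managed system -> application type
    tep_apps: dict = field(default_factory=dict)     # user -> {TEP monitored applications}

def policy_allows(env, user, system, object_type):
    # Roles are acquired directly or through user groups; a permission grants access
    # when its object type matches and it names the system or a group containing it.
    roles = set(env.user_roles.get(user, ()))
    for g in env.user_groups.get(user, ()):
        roles |= env.group_roles.get(g, set())
    return any(p.object_type == object_type
               and (p.system == system or system in env.msgroups.get(p.group, ()))
               for role in roles for p in env.roles.get(role, []))

def tep_allows(env, user, system):
    # TEP authorization is per monitoring application type, not per managed system.
    return env.system_apps.get(system) in env.tep_apps.get(user, set())

def dashboard_allows(env, logged_in_user, system, object_type="attribute group"):
    # Without SSO the connection user is authorized instead of the logged-in user;
    # enabled policies take precedence, so TEP assignments are then ignored.
    user = logged_in_user if env.sso_connection else env.connection_user
    return (policy_allows(env, user, system, object_type) if env.policies_enabled
            else tep_allows(env, user, system))

def sample_env(**overrides):
    # Constructed data for the "inconsistent permissions" example: alice gets one
    # Windows OS agent through a policy but has no Windows OS assignment in TEP.
    cfg = dict(policies_enabled=True, sso_connection=True, connection_user="svc_dash",
               roles={"win_ops": [Permission("attribute group", group="WIN_SUBSET")]},
               user_groups={"alice": {"ops_team"}}, group_roles={"ops_team": {"win_ops"}},
               msgroups={"WIN_SUBSET": {"host1:NT"}}, tep_apps={"alice": set()},
               system_apps={"host1:NT": "Windows OS", "host2:NT": "Windows OS"})
    return Environment(**{**cfg, **overrides})
```

Passing `tep_apps={"alice": {"Windows OS"}}` to `sample_env` reproduces the "more restrictive authorization policies" example, and `sso_connection=False` shows every dashboard user being authorized as the connection user.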