IBM Tivoli Monitoring, Version 6.3 Fix Pack 2

Using role-based authorization policies

The Tivoli® Authorization Policy Server feature provides you with role-based access control capabilities to protect your monitoring resources from unauthorized access by dashboard users of IBM® Dashboard Application Services Hub.

Using authorization policies provides the following capabilities:

Tivoli Enterprise Portal permissions are the default authorization method for controlling access to resources in monitoring dashboards. They are also the mechanism used to authorize Tivoli Enterprise Portal client users. Authorization policies, however, provide finer-grained control over resource access: with authorization policies you can grant a dashboard user permission to view data from specific managed system groups or individual managed systems, whereas Tivoli Enterprise Portal authorization assigns view permission per monitoring application (monitoring agent). In other words, with Tivoli Enterprise Portal authorization, a user is assigned permission to view all managed systems of a particular agent application type, for example all Windows OS agents.

If you want to use the role-based access control provided by authorization policies, you must install the Tivoli Authorization Policy Server and the tivcmd Command-Line Interface for Authorization Policy. The Authorization Policy Server is installed with IBM Dashboard Application Services Hub, along with monitoring dashboard applications such as Infrastructure Management Dashboards for Servers or custom dashboards. The tivcmd CLI is installed on the computers used by authorization policy administrators and provides the command-line interface for creating and working with authorization policies. It sends HTTP or HTTPS requests to the Authorization Policy Server, which maintains the master policy store. For installation information, see "Installing and configuring the Tivoli Authorization Policy Server and tivcmd Command-Line Interface for Authorization Policy" in the IBM Tivoli Monitoring Installation and Setup Guide.

After successful installation of these two packages, you can execute tivcmd CLI commands as required to create and work with roles, grant permissions, exclude permissions, revoke permissions, and assign users and user groups to a role. For a complete list of tivcmd CLI commands, see the IBM Tivoli Monitoring Command Reference.

Once the initial set of authorization policies has been created, you enable authorization policy checking in the Tivoli Enterprise Portal Server. The portal server periodically downloads the authorization policies from the Authorization Policy Server application. When a dashboard user requests monitoring data, IBM Dashboard Application Services Hub forwards the request to the dashboard data provider component of the portal server. The dashboard data provider uses the downloaded authorization policies to determine which monitored resources the user is allowed to access.
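The following is an added example, not IBM code, that models the policy operations named above (create role, grant, exclude, revoke, assign role) and the per-user check the dashboard data provider performs. All group, managed system, role and user names are constructed, and the precedence rule it applies (an exclude on a managed system overrides a grant that reaches that system through a group) is an assumption of the model rather than a documented product behaviour.

```python
# Added illustration of the policy model described above, not Tivoli code.
# Names are constructed; the precedence rule (an exclude on a managed system
# overrides a grant reached through a group) is an assumption of the model.
from dataclasses import dataclass, field
@dataclass
class Role:
    granted_groups: set = field(default_factory=set)   # managed system groups
    granted_systems: set = field(default_factory=set)  # individual systems
    excluded_systems: set = field(default_factory=set)
@dataclass
class PolicyStore:
    groups: dict = field(default_factory=dict)      # group -> member systems
    roles: dict = field(default_factory=dict)       # role name -> Role
    user_roles: dict = field(default_factory=dict)  # user -> assigned roles

    def create_role(self, name):
        self.roles[name] = Role()
    def grant(self, role, group=None, system=None):
        r = self.roles[role]
        if group: r.granted_groups.add(group)
        if system: r.granted_systems.add(system)
    def exclude(self, role, system):
        self.roles[role].excluded_systems.add(system)
    def revoke(self, role, group=None, system=None):
        self.roles[role].granted_groups.discard(group)
        self.roles[role].granted_systems.discard(system)
    def assign_role(self, user, role):
        self.user_roles.setdefault(user, set()).add(role)
    def visible_systems(self, user):
        # Per role: granted systems + members of granted groups - excludes;
        # the user sees the union over all assigned roles.
        visible = set()
        for name in self.user_roles.get(user, ()):
            r = self.roles[name]
            reach = set(r.granted_systems)
            for g in r.granted_groups:
                reach |= self.groups.get(g, set())
            visible |= reach - r.excluded_systems
        return visible

def demo_store():
    # Constructed sample: every Windows OS agent in WinProd except one host.
    s = PolicyStore(groups={"WinProd": {"HR01:NT", "WEB01:NT", "DB01:NT"},
                            "LinuxProd": {"app01:LZ", "app02:LZ"}})
    s.create_role("WindowsViewer")
    s.grant("WindowsViewer", group="WinProd")
    s.exclude("WindowsViewer", system="DB01:NT")
    s.grant("WindowsViewer", system="app01:LZ")
    s.assign_role("dashuser", "WindowsViewer")
    return s
```

Compare the result of `visible_systems("dashuser")` with the agent-type model: portal permissions would expose every Windows OS agent, while this role exposes two of the three plus one Linux system.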

Because both the Dashboard Application Services Hub and the portal server must have knowledge of the dashboard user, a typical dashboard environment includes a federated user registry provided by an LDAP server and single sign-on. For detailed information on the set of tasks involved in setting up a dashboard environment that uses authorization policies, see Setting up a monitoring dashboard environment with single sign-on and with per user authorization controls.
