GRANT AUTHORITY (Add administrator authority)
Use this command to grant an administrator one or more administrative privilege classes, and authority to access client nodes.
You cannot grant restricted privilege to an unrestricted policy or unrestricted storage administrator. You must use the REVOKE AUTHORITY command to remove the administrator's unrestricted privilege, then use this command to grant restricted privilege to the administrator.
Privilege class
To issue this command, you must have system privilege.
Syntax
```
>>-GRant AUTHority--admin_name---------------------------------->

                   .-,---------------.
             (1)   V                 |
>--CLasses------=----+-SYstem------+-+-------------------------->
                     +-Policy------+
                     +-STorage-----+
                     +-Operator----+
                     '-Node--| A |-'

>--+-----------------------------+------------------------------>
   |             .-,-----------. |
   |             V             | |
   '-DOmains--=----domain_name-+-'

>--+--------------------------------+--------------------------><
   |                  .-,---------. |
   |           (1)    V           | |
   '-STGpools------=----pool_name-+-'

A

   .-AUTHority--=--Access-----.
|--+--------------------------+--+-DOmains--=--domain_name-+----|
   '-AUTHority--=--+-Access-+-'  '-NOde--=--node_name------'
                   '-Owner--'
```
Notes:
- (1) You must specify one or more of these parameters.
Parameters
- admin_name (Required)
- Specifies the name of the administrator being granted an administrative privilege class.
- CLasses
- Specifies one or more privilege classes to grant to an administrator. This parameter is required, except when you specify the STGPOOLS parameter. You can specify more than one privilege class by separating each with a comma. Possible classes are:
- SYstem
- Specifies that you want to grant system privilege to an administrator. A system administrator has the highest level of authority in IBM Spectrum Protect™. A system administrator can issue any administrative command and has authority to manage all policy domains and all storage pools. Do not specify additional privilege classes or the DOMAINS or STGPOOLS parameters when granting system privilege to an administrator. Only a system administrator can grant authority to other administrators.
- Policy
- Specifies that you want to grant policy privilege to an administrator. If you do not specify the DOMAINS parameter, unrestricted policy privilege is granted. An unrestricted policy administrator can issue commands that affect all existing policy domains as well as any policy domains that are defined in the future. An unrestricted policy administrator cannot define, delete, or copy policy domains. Use the GRANT AUTHORITY command with CLASSES=POLICY and no DOMAINS parameter to upgrade a restricted policy administrator to an unrestricted policy administrator.
- STorage
- Specifies that you want to grant storage privilege to an administrator. If the STGPOOLS parameter is not specified, unrestricted storage privilege is granted. An unrestricted storage administrator can issue all commands that allocate and control storage resources for the server. An unrestricted storage administrator can issue commands that affect all existing storage pools as well as any storage pools that are defined in the future. An unrestricted storage administrator cannot define or delete storage pools. Using the GRANT AUTHORITY command with CLASSES=STORAGE and no STGPOOLS parameter upgrades a restricted storage administrator to an unrestricted storage administrator.
- Operator
- Specifies that you want to grant operator privilege to an administrator. An administrator with operator privilege can issue commands that control the immediate operation of the server and the availability of storage media.
- Node
- Specifies that you want to grant a node privilege to a user. A user with client node privilege can remotely access a web backup-archive client with an administrative user ID and password if they have been given owner authority or access authority. Access authority is the default for a node privilege class.
Attention: When you specify the node privilege class, you must also specify either the DOMAINS parameter or the NODE parameter, but not both.
- AUTHority
- Specifies the authority level of a user with node privilege. This parameter is optional.
If an administrator already has system or policy privilege to the policy domain to which the node belongs, this command will not change the administrator's privilege.
Possible authority levels are:
- Access
- Specifies that you want to grant client access authority to a user with the node privilege class. This is the default when CLASSES=NODE is specified. A user with client access authority can access a web backup-archive client and perform backup and restore actions on that client.
Attention: A user with client access authority cannot access that client from another system by using the -NODENAME or -VIRTUALNODENAME parameter.
A client node can set the REVOKEREMOTEACCESS option to restrict a user that has node privilege with client access authority from accessing a client workstation that is running a web client. This option does not apply to administrators with client owner authority, system privilege, or policy privilege to the policy domain to which the node belongs.
- Owner
- Specifies that you want to grant client owner authority to a user with the node privilege class. A user with client owner authority can access a web backup-archive client through the web client interface and also access their data from another client using the -NODENAME or -VIRTUALNODENAME parameter.
- DOmains
- Specifies that you want to grant to the administrator client access or client owner authority to all clients in the specified policy domain. You cannot use this parameter together with the NODE parameter.
- NOde
- Specifies that you want to grant the administrator client access or client owner authority to the node. You cannot use this parameter together with the DOMAINS parameter.
- DOmains
- When used with CLASSES=POLICY, specifies that you want to grant restricted policy privilege to an administrator.
Restricted policy privilege permits an administrator to issue a subset of the policy commands for the domains to which the administrator is authorized. You can use this parameter to grant additional policy domain authority to a restricted policy administrator. This parameter is optional. You can specify more than one policy domain by delimiting each policy domain name with a comma.
You can use wildcard characters to specify a name. Authority for all matching policy domains is granted.
- STGpools
- Specifies that you want to grant restricted storage privilege to an administrator. If the STGPOOLS parameter is specified, then CLASSES=STORAGE is optional.
Restricted storage privilege permits you to issue a subset of the storage commands for the storage pools to which the administrator is authorized. You can use this parameter to grant additional storage pool authority to a restricted storage administrator. This parameter is optional. You can specify more than one storage pool by delimiting each storage pool name with a comma.
You can use wildcard characters to specify a name. Authority for all matching storage pools is granted.
Example: Grant system privilege to an administrator
Grant system privilege to administrator Larry.
```
grant authority larry classes=system
```
Example: Grant access to additional policy domains
Specify additional policy domains that the restricted policy administrator CLAUDIA can manage.
```
grant authority claudia domains=employee_records,prog1
```
Example: Provide an administrator with unrestricted storage privilege and restricted policy privilege
Provide administrator TOM with unrestricted storage privilege and restricted policy privilege for the domains whose names start with EMP.
```
grant authority tom classes=storage domains=emp*
```
Example: Grant an administrator authority restricted to a specific node
Grant node privilege to user HELP so that help desk personnel can assist the client node LABCLIENT in backing up or restoring data without having other higher-level IBM Spectrum Protect privileges.
```
grant authority help classes=node node=labclient
```
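A change-review check for the parameter rules above, as an added example that is not part of the IBM documentation: it parses a GRANT AUTHORITY command line and reports the grants that are broad or that break a stated rule. The function names, severity labels and the use of `*` and `?` as wildcard characters are assumptions of this sketch, and it reads the uppercase letters in the syntax diagram as the shortest accepted abbreviation.

```python
import shlex

# Keywords as written in the syntax diagram; the uppercase prefix is taken
# to be the shortest accepted abbreviation (assumption stated in the lead-in).
PARAMS = ["CLasses", "DOmains", "STGpools", "NOde", "AUTHority"]
CLASSES = ["SYstem", "Policy", "STorage", "Operator", "Node"]

def expand(token, keywords):
    """Return the full upper-case keyword that token abbreviates, or None."""
    t = token.upper()
    for kw in keywords:
        minimum = "".join(c for c in kw if c.isupper())
        if t.startswith(minimum) and kw.upper().startswith(t):
            return kw.upper()
    return None

def review(command):
    """Return a list of findings for one GRANT AUTHORITY command line."""
    words = shlex.split(command)
    if len(words) < 3 or not (expand(words[0], ["GRant"]) and expand(words[1], ["AUTHority"])):
        return ["ERROR: not a GRANT AUTHORITY command"]
    p = {}
    for word in words[3:]:  # words[2] is admin_name
        key, _, value = word.partition("=")
        name = expand(key, PARAMS)
        if name is None:
            return [f"ERROR: unknown parameter {key}"]
        p[name] = value.split(",")
    classes = {expand(c, CLASSES) or c.upper() for c in p.get("CLASSES", [])}
    out = []
    if "SYSTEM" in classes:
        out.append("HIGH: system privilege, can issue any administrative command")
        if len(classes) > 1 or "DOMAINS" in p or "STGPOOLS" in p:
            out.append("ERROR: SYSTEM must not be combined with other classes, DOMAINS or STGPOOLS")
    if "POLICY" in classes and "DOMAINS" not in p:
        out.append("WARN: unrestricted policy privilege (no DOMAINS), covers future domains")
    if "STORAGE" in classes and "STGPOOLS" not in p:
        out.append("WARN: unrestricted storage privilege (no STGPOOLS), covers future pools")
    if "NODE" in classes:
        if ("DOMAINS" in p) == ("NODE" in p):
            out.append("ERROR: CLASSES=NODE needs exactly one of DOMAINS or NODE")
        if expand(p.get("AUTHORITY", ["access"])[0], ["Access", "Owner"]) == "OWNER":
            out.append("WARN: client owner authority, data reachable from another client")
    for name in ("DOMAINS", "STGPOOLS"):
        if any("*" in v or "?" in v for v in p.get(name, [])):
            out.append(f"WARN: wildcard in {name}, authority granted for all matching names")
    return out
```

Run over the four examples on this page, it reports one HIGH finding for LARRY, two WARN findings for TOM, and nothing for CLAUDIA or HELP.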
Related commands
Command | Description |
---|---|
QUERY ADMIN | Displays information about one or more IBM Spectrum Protect administrators. |
REVOKE AUTHORITY | Revokes one or more privilege classes or restricts access to policy domains and storage pools. |