IBM Tivoli Provisioning Manager 7.1: Security Aspects of TPM 7.1
Lots of Security-related aspects for TPM 7.1…
• Tivoli process automation engine Security
  • Security Groups, Users
  • Data restrictions
  • Conditional UI
  • LDAP Synchronization and User/Group management
  • Single Sign On, Launch in Context
• Tivoli Provisioning Manager security
  • Out-of-the-box Security Groups
  • MAXADMIN vs. TPADMIN
  • Provisioning Objects/Group Restrictions
  • Provisioning Permission Groups and Workflow Permissions
Security Groups and Users
Security Groups in Tpae provide a mechanism for defining role-specific application and function access as well as other configuration. Configurable security group elements include…
• Start Center assignment (one per Security Group)
• Application authorization and function access
• Data restrictions
  • Site, location and other filtering for some types of objects
  • Provisioning object/group
Security Groups and Users Continued…
“Users” can be members of one or more Security Groups. Functional aspects of Users with respect to Security include…
• Security Group access is “additive”: if a user is a member of one or more Security Groups that do not have access to something, but is a member of at least one group that has the access, the user will have access.
  • One exception to this is qualified data restrictions, which apply additional filters for users regardless of access from other Security Groups.
• User configuration can be defined by the user via the Profile functions or from the Users application (usually administrators only for the latter).
Data restrictions
Tpae provides general purpose data access management capabilities. Access can be controlled in many ways…
• “Global” Data Restrictions can be defined against any objects in the system
  • Uses general purpose query-style filtering or custom Java classes
  • Restricted items can be “masked”, hidden, or set as read-only
  • Can be defined for whole objects and/or individual attributes
• Application-specific data restrictions can be defined
• Security Group-specific restrictions can be defined
  • Similar functions as above; only applied if the user is a member of a Security Group with the restriction
Conditional UI capabilities
Provides capabilities to define custom configurations to modify the appearance and basic behavior of UIs depending on Security Groups and the “state” of data or other information.
• Signature Option/Application Auth is one example of this: simple on/off access to fields, controls and menus depending on Security Group membership
• Condition-based, control-specific behavior can be defined…
  • Can be used to show or hide particular fields, sections, tabs, etc. depending on state or other “conditions” (data tests or custom Java code)
  • Provides the capability to change other attributes of controls such as color, labels, editing state, etc.
  • Conditional UI controls can be tied to Security Groups or applied for “EVERYONE” (regardless of Security Group)
• See the Application Developer Guide for additional information
LDAP Synchronization and User/Group Management
Quite a few customizable capabilities for user and group management are provided by Tpae…
• All user/group synchronization is “one-way” into Tpae
  • Although it’s possible to configure Tpae to do the user and group management, this doesn’t feed into any LDAP-based systems
• “VMM” (WebSphere Virtual Member Manager)-based synchronization of users and groups is available
  • This is the default deployment configuration
  • Any external user system abstracted by WebSphere can be utilized
• Microsoft Active Directory LDAP synchronization is also available
  • Manually configured post-installation
Single Sign-on/Launch in Context
Tpae provides configuration and enablement for single sign-on and launch in context for various external applications and systems…
• Tivoli Application Dependency and Discovery Manager (TADDM) Launch in Context
• IBM Tivoli Monitoring/Tivoli Enterprise Portal Server
• 3rd-party/External System Launch in Context is possible
• InfoCenter material and a Redbook describing configuration for this are available:
  http://publib.boulder.ibm.com/infocenter/tivihelp/v10r1/topic/com.ibm.ccmdb.doc_7.1.1/security/c_sec_overview.html
  http://www.redbooks.ibm.com/abstracts/SG247565.html
Out-of-the-box Security Groups for Provisioning Manager
Touched on in earlier sessions, TPM provides the following Security Groups and associated configuration in the stock deployment...
• Provisioning Administrator (TPADMIN)
• Deployment Specialist (TPDEPLOYMENTSPECIALIST)
• Configuration Librarian (TPCONFIGURATIONLIBRARIAN)
• Compliance Analyst (TPCOMPLIANCEANALYST)
• Automation Package Developer (TPDEVELOPER)
These are provided with a stock set of application access and Start Center configurations. (Reference the spreadsheet or product docs for the definitions.) These can be customized as needed for your installation.
Out-of-the-box Security Groups: Additional Notes…
Some other notes on the stock Security Groups…
• The MAXADMIN Security Group/maxadmin user doesn’t have access to the TPM applications by default.
• With the initial installation, there are not any users configured as members of the TP* Security Groups. The quickest paths for adding user access for the Provisioning apps are…
  • If VMM or LDAP sync isn’t enabled, simply log in as maxadmin and run the “AssignMAXADMIN_to_TP_Groups” Web Replay scenario (this scenario assigns maxadmin to all of the TP* Security Groups).
  • If VMM or LDAP sync is enabled, you can add these users and group assignments from any appropriate user management interface; e.g. if using VMM, you can configure Users and Group assignment from the WebSphere Admin Console.
• The TPADMIN Security Group does not have general Security Group or configuration customization access for the deployment. (By design, Security configuration and general Provisioning application access are in separate roles.) It is possible to assign a user to be both a member of TPADMIN and MAXADMIN in order to have access to all of the applications available in these Security Groups.
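The additive access rule (slide "Security Groups and Users Continued") and the MAXADMIN/TPADMIN split above can be modelled in a few lines. This is an added illustration, not product code: the group names are the stock ones from the slides, but the application sets, the restriction filters, and the "strictest mode wins" tie-break are constructed assumptions.

```python
"""Toy model of the Tpae access-resolution rules described on these slides:
application access is the union of every Security Group's grants, while a
qualified data restriction carried by any group still applies to the user.
Group names are the page's stock ones; grant sets are constructed examples."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Restriction:
    obj: str    # object type the restriction targets
    mode: str   # "hidden", "readonly" or "masked" (Data restrictions slide)
    where: str  # query-style filter, kept as an opaque string in this model


@dataclass(frozen=True)
class SecurityGroup:
    name: str
    apps: frozenset                      # applications the group may open
    restrictions: frozenset = frozenset()


# Constructed grants: MAXADMIN has security administration but no TPM apps;
# TPADMIN has the provisioning apps but no security configuration.
MAXADMIN = SecurityGroup("MAXADMIN", frozenset({"SECURITYGROUPS", "USERS"}))
TPADMIN = SecurityGroup("TPADMIN", frozenset({"WORKFLOWS", "COMPUTERS"}))
# Constructed: a compliance analyst who may only read COMPUTER records for one site.
ANALYST = SecurityGroup("TPCOMPLIANCEANALYST", frozenset({"COMPLIANCE"}),
                        frozenset({Restriction("COMPUTER", "readonly", "site='LAB'")}))


def effective_apps(groups):
    """Additive rule: access granted by any group is available to the user."""
    return frozenset().union(*(g.apps for g in groups))


def effective_restrictions(groups):
    """Exception: a qualified data restriction from any group is still applied."""
    return frozenset().union(*(g.restrictions for g in groups))


def can_open(groups, app):
    return app in effective_apps(groups)


def object_mode(groups, obj):
    """Assumption of this model: when several groups restrict the same object,
    the strictest mode wins (hidden > readonly > masked); 'full' if unrestricted."""
    order = {"hidden": 2, "readonly": 1, "masked": 0}
    modes = [r.mode for r in effective_restrictions(groups) if r.obj == obj]
    return max(modes, key=order.__getitem__) if modes else "full"
```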
Provisioning Objects and Group Restrictions
Similar to functionality that was provided in TPM 5.1.1, it’s possible to define “read-only” or “hidden” access to particular DCM object sets based on Provisioning Group set definitions.
• These definitions are associated with Tpae Security Groups. I.e., if a Provisioning Group data restriction is defined for a Security Group and a user is a member of that Security Group, the user will be restricted regarding which objects are visible or manageable.
Provisioning Permission Groups and Workflow Permissions
Provides fine-grained access control for executing particular Workflow/LDO operations. Once defined, these can be associated with one or more Security and Provisioning Groups…