IBM Software Group © 2008 IBM Corporation IBM Tivoli Provisioning Manager 7.1 Security Aspects of TPM 7.1


Page 1: IBM Tivoli Provisioning Manager 7.1 Security Aspects of TPM 7.1


Page 2

Lots of Security-related aspects for TPM 7.1…

Tivoli process automation engine Security
– Security Groups, Users
– Data restrictions
– Conditional UI
– LDAP Synchronization and User/Group management
– Single Sign On, Launch in Context

Tivoli Provisioning Manager security
– Out-of-the-box Security Groups
– MAXADMIN vs. TPADMIN
– Provisioning Objects/Group Restrictions
– Provisioning Permission Groups and Workflow Permissions

Page 3

Security Groups and Users

Security Groups in Tpae provide a mechanism for defining role-specific application and function access as well as other configuration. Configurable security group elements include…
– Start Center assignment (one per Security Group)
– Application authorization and function access
– Data restrictions
– Site, location and other filtering for some types of objects
– Provisioning object/group

Page 4

Security Groups and Users Continued…

“Users” can be members of one or more Security Groups. Functional aspects of Users with respect to Security include…

Security Group access is “additive”—if a user is a member of one or more Security Groups that do not have access to something, but is a member of at least one group that has the access, the user will have access.

One exception to this is qualified data restrictions, which apply additional filters for users regardless of access from other Security Groups.

User configuration can be defined by the user via the Profile functions or from the Users application (usually administrators only for the latter.)

Page 5

Data restrictions

Tpae provides general purpose data access management capabilities. Access can be controlled in many ways…

“Global” Data Restrictions can be defined against any objects in the system
– Uses general purpose query style filtering or custom java classes
– Restricted items can be “masked”, hidden, or set as read-only
– Can be defined for whole objects and/or individual attributes

Application specific data restrictions can be defined

Security Group-specific restrictions can be defined
– Similar functions as above—only applied if the user is a member of a Security Group with the restriction

Page 6

Conditional UI capabilities

Provides capabilities to define custom configurations to modify the appearance and basic behavior of UIs depending on Security Groups and “state” of data or other information.

Signature Option/Application Auth is one example of this—simple on/off access to fields, controls and menus depending on Security Group membership

Condition-based control-specific behavior can be defined…
– Can be used to show or hide particular fields, sections, tabs, etc. depending on state or other “conditions” (data tests or custom java code)

Provides capability to change other attributes of controls such as color, labels, editing state, etc.

Conditional UI controls can be tied to Security Groups or applied for “EVERYONE” (regardless of Security Group)

– See the Application Developer Guide for additional information

Page 7

LDAP Synchronization and User/Group Management

Quite a few customizable capabilities for user and group management are provided by Tpae…

All user/group synchronization is “one-way” into Tpae
– Although it’s possible to configure Tpae to do the user and group management, this doesn’t feed into any LDAP-based systems

“VMM” (Websphere Virtual Member Manager)-based synchronization of users and groups is available
– This is the default deployment configuration
– Any external user system abstracted by Websphere can be utilized

Microsoft Active Directory LDAP synchronization is also available
– Manually configured post-installation

Page 8

Single Sign-on/Launch in Context

Tpae provides configuration and enablement for single sign-on and launch in context for various external applications and systems…

Tivoli Application Dependency and Discovery Manager (TADDM) Launch in Context

IBM Tivoli Monitoring/Tivoli Enterprise Portal Server

3rd-party/External System Launch in Context is possible

InfoCenter material and Redbook describing configuration for this is available:
– http://publib.boulder.ibm.com/infocenter/tivihelp/v10r1/topic/com.ibm.ccmdb.doc_7.1.1/security/c_sec_overview.html
– http://www.redbooks.ibm.com/abstracts/SG247565.html

Page 9

Out-of-the-box Security Groups for Provisioning Manager

Touched on in earlier sessions, TPM provides the following Security Groups and associated configuration in the stock deployment...

– Provisioning Administrator (TPADMIN)

– Deployment Specialist (TPDEPLOYMENTSPECIALIST)

– Configuration Librarian (TPCONFIGURATIONLIBRARIAN)

– Compliance Analyst (TPCOMPLIANCEANALYST)

– Automation Package Developer (TPDEVELOPER)

These are provided with a stock set of application access and Start Center configurations. (Reference spreadsheet or product docs for the definitions.) These can be customized as needed for your installation.

Page 10

Out-of-the-box Security Groups Additional Notes…

Some other notes on the stock Security Groups…

The MAXADMIN Security Group/maxadmin user doesn’t have access to the TPM applications by default.

With the initial installation, there are not any users configured as members of the TP* security groups. The quickest paths for adding user access for the Provisioning apps are…

– If VMM or LDAP sync isn’t enabled, simply log in as maxadmin and run the “AssignMAXADMIN_to_TP_Groups” Web Replay scenario (this scenario assigns maxadmin to all of the TP* Security Groups.)

– If VMM or LDAP sync is enabled, you can add these users and group assignments from any appropriate user management interface; e.g. if using VMM, Users and Group assignments can be configured from the Websphere Admin Console.

The TPADMIN Security Group does not have general Security Group or configuration customization access for the deployment. (By design, Security configuration and general Provisioning application access are in separate roles.) It is possible to assign a user to be both a member of TPADMIN and MAXADMIN in order to have access to all of the applications available in these Security Groups.
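A small model of the two access rules this deck states (page 4: application access is additive across Security Groups, while qualified data restrictions apply regardless of other groups) and of the MAXADMIN/TPADMIN separation described just above, added here as an illustration; it is not IBM or Tpae code. Application and object names are constructed placeholders, and the rule that the most limiting of several restrictions on one object wins is an assumption of this model, not something the deck states.

```python
from dataclasses import dataclass, field

# Restriction kinds named on page 5; ranked so a more limiting kind can win.
HIDDEN, MASKED, READONLY = "hidden", "masked", "readonly"
_SEVERITY = {READONLY: 1, MASKED: 2, HIDDEN: 3}

@dataclass
class SecurityGroup:
    name: str
    applications: frozenset                           # applications this group authorizes
    restrictions: dict = field(default_factory=dict)  # object name -> restriction kind

def effective_applications(groups):
    """Page 4: access is additive, so one authorizing group is enough."""
    apps = set()
    for g in groups:
        apps |= g.applications
    return apps

def effective_restriction(groups, obj):
    """Page 4 exception: a qualified data restriction from any group still applies.
    Assumption of this model: when several groups restrict the same object,
    the most limiting kind wins."""
    kinds = [g.restrictions[obj] for g in groups if obj in g.restrictions]
    return max(kinds, key=_SEVERITY.get) if kinds else None

def access_report(groups, apps_to_check, objs_to_check):
    """What a user holding `groups` can open, and which objects are limited for them."""
    granted = effective_applications(groups)
    return {
        "applications": {a: a in granted for a in apps_to_check},
        "objects": {o: effective_restriction(groups, o) for o in objs_to_check},
    }

# Constructed groups mirroring page 10: MAXADMIN holds the security apps, TPADMIN
# the provisioning apps, and neither includes the other's applications.
MAXADMIN = SecurityGroup("MAXADMIN", frozenset({"SecurityGroups", "Users"}))
TPADMIN = SecurityGroup("TPADMIN", frozenset({"ProvisioningTasks", "ProvisioningWorkflows"}))
ANALYST = SecurityGroup("TPCOMPLIANCEANALYST", frozenset({"ComplianceReports"}),
                        restrictions={"CREDENTIAL": HIDDEN})

if __name__ == "__main__":
    # maxadmin alone cannot open provisioning apps; adding TPADMIN grants them
    print(access_report([MAXADMIN], ["ProvisioningTasks"], []))
    print(access_report([MAXADMIN, TPADMIN], ["ProvisioningTasks", "Users"], []))
    # the analyst group's restriction still limits a user who is also TPADMIN
    print(access_report([TPADMIN, ANALYST], ["ProvisioningTasks"], ["CREDENTIAL"]))
```

Running it shows why page 10 suggests combining TPADMIN and MAXADMIN membership, and why auditing a user's effective access has to look at every group they hold, not just the most privileged one.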

Page 11

Provisioning Objects and Group Restrictions

Similar to functionality that was provided in TPM 5.1.1, it’s possible to define “read-only” or “hidden” access to particular DCM object sets based on Provisioning Group set definitions.

These definitions are associated with Tpae Security Groups. I.e., if a Provisioning Group data restriction is defined for a Security Group and a user is a member of that Security Group, the user will be restricted regarding which objects are visible or manageable.

Page 12

Provisioning Permission Groups and Workflow Permissions

Provides fine-grained access control for executing particular Workflow/LDO operations. Once defined, can be associated with one or more Security and Provisioning Groups…