Tivoli Header
Administrator's Reference
Use this command to revoke one or more privilege classes from an
administrator. You can also use this command to reduce:
- the number of policy domains to which a restricted policy administrator
has authority.
- the number of storage pools to which a restricted storage administrator
has authority.
If you use the REVOKE AUTHORITY command without the CLASSES, DOMAINS, and
STGPOOLS parameters, you will revoke all privileges for the specified
administrator.
At least one administrator must have system privilege; therefore, if
the administrator is the only one with system privilege, you cannot revoke the
authority.
Privilege Class
To issue this command, you must have system privilege.
Syntax
>>-REVoke AUTHority--admin_name--------------------------------->
>--+--------------------------------------+--------------------->
| .-,---------------. |
| (1) V | |
'-CLasses-------=----+-SYstem------+-+-'
+-Policy------+
+-STorage-----+
+-Operator----+
+-Analyst-----+
'-Node--| A |-'
>--+----------------------------------+------------------------->
| .-,-----------. |
| (1) V | |
'-DOmains-------=----domain_name-+-'
>--+---------------------------------+-------------------------><
| .-,---------. |
| (1) V | |
'-STGpools-------=----pool_name-+-'
A
.-AUTHority--=--Access-----.
|--+--------------------------+--+-DOmains=domain_name-+--------|
'-AUTHority--=--+-Access-+-' '-NOde=node_name------'
'-Owner--'
Notes:
- If all these parameters are omitted, all administrator privileges will be
revoked for this administrator.
Parameters
- admin_name (Required)
- Specifies the name of the administrator whose administrative privilege is
to be revoked or reduced.
- CLasses
-
Specifies one or more administrative privilege classes to be revoked.
You can specify more than one class by separating each with a comma.
- SYstem
- Indicates that system authority is to be revoked for this
administrator. If CLASSES=SYSTEM is specified, no other classes can be
specified, and the DOMAINS and STGPOOLS parameters cannot be specified.
- Policy
- Indicates that policy privilege is to be revoked for this
administrator. To revoke all policy privilege, specify CLASSES=POLICY
and do not specify the DOMAINS parameter.
- STorage
- Indicates that storage privilege is to be revoked for this
administrator. To revoke all storage privilege, specify CLASSES=STORAGE
and do not specify the STGPOOLS parameter.
- Operator
- Indicates that operator privilege is to be revoked for this
administrator.
- Analyst
- Indicates that analyst privilege is to be revoked for this
administrator.
- Node
- Indicates that node privilege is to be revoked for this user.
- AUTHority
- Indicates the authority level to revoke for a user with node
privilege. This parameter is optional.
If an administrator already has system or policy privilege to the policy
domain to which the node belongs, this command will not change the
administrator's privilege. Possible authority levels are:
- Access
- Indicates that client access authority is revoked. This is the
default when CLASSES=NODE is specified.
- Note:
- A client node can set the REVOKEREMOTEACCESS option to prevent access by a
user with node privilege and client access authority. If a user with
node privilege has client owner authority, or has system or policy privileges
to the policy domain to which the node belongs, that administrator can still
access the web backup-archive client.
- Owner
- Indicates that client owner authority is revoked.
- DOmains
- Indicates that you want to revoke an administrator's client access or
client owner authority to all clients in the specified policy domain.
This parameter cannot be used together with the NODE parameter.
- NOde
- Indicates that you want to revoke an administrator's client access or
client owner authority to the node. This parameter cannot be used
together with the DOMAIN parameter.
- DOmains
- Specifies a list of policy domains that can no longer be managed by a
restricted policy administrator. (The administrator had been authorized
to manage these domains until the REVOKE command was issued.) This
parameter is optional. The items in the list are separated by commas,
with no intervening spaces. You can use wildcard characters to specify
a name. Authority for all matching domains will be revoked. If
DOMAINS is specified, the parameter CLASSES=POLICY is optional.
- STGpools
-
Specifies a list of storage pools that can no longer be managed by a
restricted policy administrator. (The administrator had been authorized
to manage these storage pools until the REVOKE command was issued.)
This parameter is optional. The items in the list are separated by
commas, with no intervening spaces. You can use wildcard characters to
specify a name. Authority for all matching storage pools will be
revoked. If STGPOOLS is specified then the parameter CLASSES=STORAGE is
optional.
Usage Notes
- To change an unrestricted storage administrator to a restricted storage
administrator, you must first use this command to revoke the unrestricted
privilege. Then, use the GRANT AUTHORITY command to grant the
administrator restricted storage privilege and to identify the storage pools
to which the administrator has authority.
To revoke unrestricted storage privilege from an administrator, specify the
CLASSES=STORAGE parameter. You cannot use the STGPOOLS parameter to
revoke authority for selected storage pools from an unrestricted storage
administrator.
- To change an unrestricted policy administrator to a restricted policy
administrator, you must first use this command to revoke the unrestricted
privilege. Then, use the GRANT AUTHORITY command to grant the
administrator restricted policy privilege and to identify the policy domains
to which the administrator has authority.
To revoke unrestricted policy privilege from an administrator, specify the
CLASSES=POLICY parameter. You cannot use the DOMAINS parameter to
revoke authority for selected domains from an unrestricted
administrator.
Examples
Task 1
Revoke part of administrator CLAUDIA's privileges. CLAUDIA has
restricted policy privilege for the policy domains EMPLOYEE_RECORDS and
PROG1. Restrict CLAUDIA's policy privilege to the EMPLOYEE_RECORDS
policy domain.
- Command:
-
revoke authority claudia classes=policy
domains=employee_records
Task 2
Administrator LARRY currently has operator, analyst, and restricted policy
privilege. Revoke all administrative privileges for administrator
LARRY. To revoke all administrative privileges for an administrator,
identify the administrator, but do not specify CLASSES, DOMAINS, or
STGPOOLS. LARRY remains an administrator but he can only use those
commands that can be issued by any administrator.
- Command:
- revoke authority larry
Task 3
Help desk personnel user CONNIE currently has node privilege with client
owner authority for client node WARD3. Revoke her node privilege with
client owner authority.
- Command:
-
revoke authority connie classes=node
auth=owner node=ward3
Related Commands
Table 247. Commands Related to REVOKE AUTHORITY
Command
| Description
|
GRANT AUTHORITY
| Assigns privilege classes to an administrator.
|
QUERY ADMIN
| Displays information about one or more Tivoli Storage Manager
administrators.
|
[ Top of Page | Previous Page | Next Page | Table of Contents | Index ]