Administrators can perform the following activities when managing Tivoli Storage Manager security.
Task |
---|
Managing administrators |
Managing levels of administrative authority |
Managing administrator access to the server and clients |
Managing passwords and login procedures |
Managing the server console |
The administrator is responsible for registering other administrators, granting levels of authority, renaming or removing administrators, and locking and unlocking administrators from the server.
Task | Required Privilege Class |
---|---|
Registering an administrator | System |
Granting administrative authority | System |
Updating information about other administrators | System |
Updating information about yourself | Any administrator |
Displaying information about administrators | Any administrator |
Renaming an administrator user ID | System |
Removing administrators | System |
Locking or unlocking administrators from the server | System |
At installation, the server console is defined with a special user ID, which is named SERVER_CONSOLE. This name is reserved and cannot be used by another administrator.
An administrator with system privilege can revoke or grant new privileges to the SERVER_CONSOLE user ID. However, an administrator cannot update, lock, rename, or remove the SERVER_CONSOLE user ID. The SERVER_CONSOLE user ID does not have a password. Therefore, you cannot use the user ID from an administrative client unless you set authentication off.
The administrator registers other administrators with the REGISTER ADMIN command.
To register the administrator with a user ID of DAVEHIL and the password of birds, and a password expiration period of 120 days, enter the REGISTER ADMIN command:
register admin davehil birds passexp=120 contact='backup team'
After administrators are registered, they can make queries and request command-line help. To perform other server functions, they must be granted authority by being assigned one or more administrative privilege classes.
This section describes the privilege classes, which are illustrated in Figure 46. An administrator with system privilege can perform any server function. Administrators with policy, storage, operator, analyst, or node privileges can perform subsets of server functions.
When an administrator accesses the administrative Web interface, only the tasks that correspond to the administrator's privilege class are displayed.
Figure 46. Administrative Privilege Classes
Privilege classes, and examples of how to set privilege classes, can be summarized as follows:
Privilege Class | Example | Responsibilities |
---|---|---|
System | grant authority rocko classes=system | Can perform any server administrative task. |
Unrestricted Policy | grant authority smith classes=policy | Can manage the backup and archive services for nodes assigned to any policy domain. |
Restricted Policy | grant authority jones domains=engpoldom | Same responsibilities as unrestricted policy except authority is limited to specific policy domains. |
Unrestricted Storage | grant authority coyote classes=storage | Can manage server storage, but cannot define or delete storage pools. |
Restricted Storage | grant authority holland stgpools=tape* | Can manage server storage but is limited to specific storage pools. |
Operator | grant authority bill classes=operator | Can control the immediate operation of the server and the availability of storage media. |
Node | grant authority help1 classes=node node=labclient | Can access a Web backup-archive client to perform backup and restore operations. |
Analyst | grant authority marysmith classes=analyst | Can reset the counters that track Tivoli Storage Manager server statistics. |
An administrator can reset another administrator's password with the UPDATE ADMINISTRATOR command. For example, administrator DAVEHIL changes his password to ganymede, by issuing the following command:
update admin davehil ganymede
You can rename an administrator ID when an employee wants to be identified by a new ID, or you want to assign an existing administrator ID to another person. You cannot rename an administrator ID to one that already exists on the system.
For example, if administrator HOLLAND leaves your organization, you can assign administrative privilege classes to another user by completing the following steps:
1. Rename the administrator ID:
rename admin holland waynesmith
By renaming the administrator's ID, you remove HOLLAND as a registered administrator from the server. In addition, you register WAYNESMITH as an administrator with the password, contact information, and administrative privilege classes previously assigned to HOLLAND.
2. Update the password and contact information of the renamed administrator:
update admin waynesmith new_password contact="development"
You can remove administrators from the server so that they no longer have access to administrator functions. For example, to remove registered administrator ID SMITH, enter:
remove admin smith
Any administrator can query the server to display administrator information. You can also query all administrators authorized with a specific privilege class.
For example, to query the system for a detailed report on administrator ID DAVEHIL, issue the QUERY ADMIN command:
query admin davehil format=detailed
Figure 47 displays a detailed report.
Figure 47. A Detailed Administrator Report
+--------------------------------------------------------------------------------+
|
|          Administrator Name: DAVEHIL
|       Last Access Date/Time: 1998.06.04 17.10.52
|      Days Since Last Access: <1
|      Password Set Date/Time: 1998.06.04 17.10.52
|     Days Since Password Set: 26
|       Invalid Sign-on Count: 0
|                     Locked?: No
|                     Contact:
|            System Privilege: Yes
|            Policy Privilege: **Included with system privilege**
|           Storage Privilege: **Included with system privilege**
|           Analyst Privilege: **Included with system privilege**
|          Operator Privilege: **Included with system privilege**
|     Client Access Privilege: **Included with system privilege**
|      Client Owner Privilege: **Included with system privilege**
|      Registration Date/Time: 05/09/1998 23:54:20
|   Registering Administrator: SERVER_CONSOLE
|            Managing profile:
|  Password Expiration Period: 90 Day (s)
|
+--------------------------------------------------------------------------------+
Administrators can prevent other administrators from accessing the server by locking and unlocking their administrative privilege classes. For details, see Locking and Unlocking Administrators from the Server.
A privilege class is a level of authority granted to an administrator. The privilege class determines which administrative tasks the administrator can perform. See Granting an Administrator Privilege Class Authority and Administrator's Reference about the activities that administrators can perform with each privilege class.
You can perform the following activities when managing other administrators' levels of authority:
Task | Required Privilege Class |
---|---|
Modifying administrators' level of authority | System |
Locking and unlocking administrators from the server | System |
You may need to modify other administrators' levels of authority as more clients and administrators are added to the Tivoli Storage Manager environment. If a person already has some level of authority, granting additional authority adds to any existing privilege classes; it does not override those classes.
You can grant and extend authority with the GRANT AUTHORITY command. For example, JONES has restricted policy privilege for policy domain ENGPOLDOM. Enter the following command to extend JONES' authority to policy domain MKTPOLDOM and add operator privilege:
grant authority jones domains=mktpoldom classes=operator
As an additional example, assume that three tape storage pools exist: TAPEPOOL1, TAPEPOOL2, and TAPEPOOL3. To grant restricted storage privilege for these storage pools to administrator HOLLAND, you can enter the following command:
grant authority holland stgpools=tape*
HOLLAND is restricted to managing storage pools beginning with TAPE that existed when the authority was granted. HOLLAND is not authorized to manage any storage pools that are defined after authority has been granted.
To add a new storage pool, TAPEPOOL4, to HOLLAND's authority, enter:
grant authority holland stgpools=tapepool4
You can revoke part of an administrator's authority with the REVOKE AUTHORITY command by specifying the administrator's ID and one or more privilege classes.
Assume that, rather than revoking all of the privilege classes for administrator JONES, you wish only to revoke his operator authority and his policy authorization to policy domain MKTPOLDOM. You would enter:
revoke authority jones classes=operator domains=mktpoldom
JONES still has policy privilege to the ENGPOLDOM policy domain.
You can reduce an administrator's authority simply by revoking one or more privilege classes and granting one or more other classes.
For example, administrator HOGAN has system authority. To reduce HOGAN to the operator privilege class do the following:
revoke authority hogan classes=system
grant authority hogan classes=operator
You can revoke all of an administrator's authority with the REVOKE AUTHORITY command. To revoke all administrative privilege classes, do not specify any privilege classes, policy domains, or storage pools. For example, to revoke both the storage and operator privilege classes from administrator JONES, enter:
revoke authority jones
You can lock out other administrators to temporarily prevent them from accessing Tivoli Storage Manager with the LOCK ADMIN command.
For example, administrator MARYSMITH takes a leave of absence from your business. You can lock her out by entering:
lock admin marysmith
When she returns, any system administrator can unlock her administrator ID by entering:
unlock admin marysmith
MARYSMITH can now access the server to complete administrative tasks.
You cannot lock or unlock the SERVER_CONSOLE ID from the server. See About the Server Console for details.
An administrator can control access to the server by registering and granting authority to administrators, renaming or removing an administrator, or by locking and unlocking an administrator from the server.
By default, a system or policy administrator over a specified client's domain can create a backup set from a client node's latest active files. For more information, see Chapter 17, Managing Schedules for Client Nodes.
You can prevent clients from establishing administrative sessions with the server. For details, see Locking and Unlocking Client Nodes.
You can prevent other administrators from establishing administrative sessions with the server. For details, see Locking and Unlocking Administrators from the Server.
You can prevent clients from establishing sessions with the server. This effectively locks the nodes from the server. For details, see Disabling or Enabling Access to the Server.
By default, Tivoli Storage Manager requires authorized administrators and nodes to identify themselves to the server with a password.
Administrators can perform the following activities when managing passwords and login procedures:
Task | Required Privilege Class |
---|---|
Modifying the default timeout period for the administrative Web interface | System |
Modifying the default password expiration period | System |
Setting the limit for invalid password attempts | System |
Setting the minimum limit for passwords | System |
Disabling the default password authentication | System |
Enabling the unified logon for clients | System |
At installation, the timeout default value for the administrative Web interface is 10 minutes. When the timeout period expires, the user of the Web interface is required to reauthenticate by logging on and specifying a password. The following example shows how to set the timeout value to 20 minutes:
set webauthtimeout 20
You can specify a value from 0 to 9999 minutes. If the value is 0, there is no timeout period for the administrative Web interface. To help ensure the security of an unattended browser, it is recommended that you set the timeout value higher than zero.
By default, the server sets a password expiration of 90 days. The expiration period begins when an administrator or client node is first registered to the server. If a user password is not changed within this period, the server prompts the user to change the password the next time the user tries to access the server.
To set the password expiration period for selected administrators or client nodes, you must specify the administrator or node names with the ADMIN or NODE parameter of the SET PASSEXP command. If you set the expiration period only for selected users, you may set the expiration period from 0 to 9999 days. A value of 0 means that the user's password never expires. For example, to set the expiration period of client node LARRY to 120 days, issue the following command:
set passexp 120 node=larry
By default, Tivoli Storage Manager does not check the number of times a user attempts to log in with an invalid password. You can set a limit on consecutive invalid password attempts for all client nodes. When the limit is exceeded, the server locks the node. The following example sets a system-wide limit of three consecutive invalid password attempts:
set invalidpwlimit 3
The default value at installation is 0. A value of 0 means that invalid password attempts are not checked. You can set the value from 0 to 9999 attempts.
If you initially set a limit of 4 and then change the limit to a lower number, some clients may fail verification during the next login attempt.
After a client node has been locked, only a storage administrator with proper authority can unlock the node. For information about unlocking a client or administrator node, see Locking and Unlocking Client Nodes and Locking and Unlocking Administrators from the Server.
An administrator can also force a client to change their password on the next login by specifying the FORCEPWRESET=YES parameter on the UPDATE NODE or UPDATE ADMIN command. For more information, refer to Administrator's Reference.
By default, Tivoli Storage Manager does not check the minimum length of a password. The administrator can specify a minimum password length that is required for Tivoli Storage Manager passwords. The following example shows how to set the minimum password length to eight characters:
set minpwlength 8
The default value at installation is 0. A value of 0 means that password length is not checked. You can set the length value from 0 to 64.
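The password settings described in this section can be checked against the QUERY ADMIN FORMAT=DETAILED report shown in Figure 47. The following Python is an added example, not part of the Tivoli Storage Manager manual: it parses a report in the Figure 47 layout (a constructed sample, not the figure's values) and flags administrators whose password age, invalid sign-on count, lock state or dormancy violate the policy; the thresholds passed to audit_admin are assumptions.

```python
# Added example (not from the Tivoli Storage Manager manual): parse a
# QUERY ADMIN FORMAT=DETAILED report and flag policy violations.

# Constructed sample in the Figure 47 layout (values chosen to trigger findings).
SAMPLE_REPORT = """\
        Administrator Name: DAVEHIL
     Last Access Date/Time: 1998.06.04 17.10.52
    Days Since Last Access: <1
    Password Set Date/Time: 1998.03.01 09.00.00
   Days Since Password Set: 95
     Invalid Sign-on Count: 4
                   Locked?: No
          System Privilege: Yes
          Policy Privilege: **Included with system privilege**
Password Expiration Period: 90 Day (s)
"""


def parse_admin_report(text):
    """Split each 'Label: value' line of the report into a dict."""
    fields = {}
    for line in text.splitlines():
        label, sep, value = line.partition(":")
        if sep:
            fields[label.strip()] = value.strip()
    return fields


def _days(value):
    """The report prints '<1' for less than a day; treat that as 0."""
    return 0 if value.startswith("<") else int(value)


def audit_admin(fields, invalidpwlimit=3, dormant_days=90):
    """Return findings for one administrator; thresholds are assumptions."""
    findings = []
    expiry = int(fields["Password Expiration Period"].split()[0])
    if expiry == 0:
        findings.append("password never expires (expiration period 0)")
    elif _days(fields["Days Since Password Set"]) > expiry:
        findings.append("password older than its expiration period")
    # SET INVALIDPWLIMIT locks an ID once the count is exceeded; warn early.
    if invalidpwlimit and int(fields["Invalid Sign-on Count"]) >= invalidpwlimit:
        findings.append("invalid sign-on count at the configured limit")
    if fields["Locked?"].lower() == "yes":
        findings.append("administrator ID is locked")
    if fields["System Privilege"].lower() == "yes" and \
            _days(fields["Days Since Last Access"]) > dormant_days:
        findings.append("dormant ID still holds system privilege")
    return findings
```

Run audit_admin over the parsed output of one QUERY ADMIN report per administrator to find IDs that need a forced password reset, an unlock review, or a REVOKE AUTHORITY.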
By default, the server automatically sets password authentication on. With password authentication set to on, all users must enter a password when accessing the server. To allow administrators and client nodes to access the server without entering a password, issue the following command:
set authentication off
Attention: Setting password authentication off reduces data security.
The Tivoli Storage Manager unified logon feature allows the Tivoli Storage Manager server to use the Windows user account database instead of the Tivoli Storage Manager node database when authenticating a backup-archive client logon. With this feature, a user can log on to a Windows machine and access the backup-archive client without having to enter another password. When unified logon is enabled, the server continues to use its normal authentication methods for protocols other than Named Pipes.
The procedure described below assumes that the Tivoli Storage Manager server machine and all the Tivoli Storage Manager client machines are in the same Windows domain. A Windows domain is a way of allowing the Windows Domain Controller to manage the user accounts for all members of the domain. The Tivoli Storage Manager unified logon procedure takes advantage of the convenience of allowing the Windows domain to manage user accounts.
To enable unified logon, you must have the following:
Complete the following steps to enable unified logon.
Step 1: From the Windows Domain Controller
Authorize Tivoli Storage Manager users by creating a Windows global group and adding users:
Step 2: From the TSM Server Machine
adsmgroupname tsmserver
commmethod namedpipe
namedpipename \\.\pipe\server1
securepipes yes
Step 3: From Each Client Machine
commmethod namedpipe
namedpipename \\server_name\pipe\server1
nodename username
passwordaccess generate