Privilege classes

Privileges are granted to an administrator through thegrant authoritycommand.

You need system privilege to issue this command.

Figure 71 shows the hierarchy of administrative privilege classes. Each box represents a privilege that could be given to an administrator.

Figure 71. Administrative privileges

Thepolicyprivilege can be assigned for all domains (unrestricted privilege) or for one or more of the defined domains (restricted privilege). Thestorageprivilege can be assigned for all storage pools (unrestricted privilege) or for one or more of the defined storage pools (restricted privilege). Thenodeprivilege can be assigned on an individual client basis.

8.1.3.1 System

An administrator with system privilege can perform any Tivoli Storage Manager administrative task. All other privileges are included when an administrator is assigned system privilege.

8.1.3.2 Policy

An administrator can have either unrestricted or restricted policy privilege.

An administrator with unrestricted policy privilege can manage the backup and archive policy definitions (for example, management classes, copygroups and schedules) for client nodes assigned to any policy domain. When new policy domains are defined to the server, an administrator with unrestricted policy privilege is automatically authorized to manage the new policy domains.

System

Operator Analyst

Policy

Domain

Storage

Storage Pool

Node

Client

User management 107 An administrator with restricted policy privilege can perform the same operations as an administrator with unrestricted policy privilege but only for specified policy domains.

8.1.3.3 Storage

An administrator can have either unrestricted or restricted storage privilege.

An administrator with unrestricted storage privilege has the authority to manage the Tivoli Storage Manager database, recovery log, and all storage pools. An administrator with unrestricted storage privilege cannot define or delete storage pools as this requires system privilege.

Administrators with restricted storage privilege can manage only those storage pools to which they are authorized. They cannot manage the Tivoli Storage Manager database or recovery log.

8.1.3.4 Operator

Administrators with operator privilege control the immediate operation of the Tivoli Storage Manager server and the availability of storage media.

8.1.3.5 Analyst

An administrator with analyst privilege can issue commands that reset the counters that track server statistics, but otherwise can perform only query commands.

8.1.3.6 Node

Administrators with node privilege can remotely access a Web backup-archive client and perform backup and restore actions on that client using an

administrative user ID and password. The privilege can be for specific node/s or all client nodes in a domain.

Client Owner Authority

A user with client owner authority is able to access the client and its data from either a remote Web client or the native backup client so that data can be restored either to the original client or to another client.

Client Access Authority

A user with client access authority can access the client and its data from the remote Web client and can only restore the client data back to the original client.

Figure 72 on page 108 demonstrates client access and owner authority.

Figure 72. Client Access Authority and Client Owner Authority

8.1.4 Operations

There are a number of operations that you can perform with administrators. This section deals with those operations and some related considerations.

8.1.4.1 Renaming an administrator

An administrator is renamed through therename admincommand. You require system privilege to issue this command.

You can rename an administrator ID when an administrator wants to be identified by a new ID, or you want to assign an existing administrator ID to another person.

You cannot rename an administrator ID to one that already exists on the system.

8.1.4.2 Changing administrative authority

You can extend, revoke or reduce another administrator's authority through the grant authorityandrevoke authoritycommands. You require system privilege to issue these commands.

Granting authority to an administrator adds to any existing privilege classes; it does not override those classes. You can reduce an administrator's authority simply by revoking one or more privilege classes and granting other classe as needed.

8.1.4.3 Removing an administrator

You can remove administrators from the server so that they no longer have access to administrator functions through theremove admincommand. You require system privilege to issue this command.

Where there is an administrator ID with the same name as a client node,

removing the client node also causes the administrator id to be removed. This is

Web

User management 109 the reverse behavior as when a client node is created with default creation of administrative userid.

You cannot remove the last system administrator or the SERVER_CONSOLE administrative ID from the system.

8.1.4.4 Locking and unlocking an administrator

You can lock out administrators to temporarily prevent them from accessing Tivoli Storage Manager through thelock adminandunlock admincommands. You require system privilege to issue these commands.

You use the^{lock admin}command to prevent an administrator from accessing the server. The administrator is locked out until a system administrator uses the unlock admin command to reestablish access for the administrator.

You cannot issue thelock admincommand against the SERVER_CONSOLE administrative ID.

8.1.4.5 Requesting information about administrators

You can query the server to view administrator information through the^query admincommand. Any administrator can issue this command. You can request for information for one or more administrators. You can also query all administrators authorized with a specific privilege class.

8.1.5 Security

Authentication of administrators in a Tivoli Storage Manager environment is optional. The default is that authentication is required.

With password authentication set to on, all administrators must enter a password when accessing the server. With password authentication set to off,

administrators can access Tivoli Storage Manager without entering a password.

Authentication is controlled by theset authentication command.

When security authentication is in effect, there are a number of security options that can be specified to implement a security policy. These options are related to the use of passwords. They are explained in the remainder of this section.

8.1.5.1 Maximum logon attempts

You can set the maximum number of logon attempts allowed before an administrator is locked. The server maintains a count of successive invalid password attempts. When that count reaches the maximum, that administrator is locked out until another system administrator uses theunlock admin command to reestablish access for that administrator. When a successful logon occurs, the count of invalid password attempts is reset to zero.

This maximum number of logon attempts option is controlled by the^set invalidpwlimitcommand and it is a global setting.

8.1.5.2 Password expiry

You can set the number of days that a password is valid. When that period expires, an administrator or node will be prompted for a new password when he or she next attempts to logon.

The password expiration option is controlled by the set passexpcommand.

Password expiration can be set for nodes, administrators or both.

8.1.5.3 Minimum password length

You can set the minimum length of a password. When specifying a new password or creating an administrator, you must specify a password that contains at least the number of characters specified by this option. You can also specify that there is no minimum password length.

The minimum password length option is controlled by theset minpwlength command and its a global setting.

8.1.5.4 Web authentication timeout

You can set the timeout interval for the Web administrative interface. After that interval has elapsed, an administrator must re-enter the administrator name and password to continue the session. The installed default is 10 minutes. You can also specify that there is no timeout value.

The Web authentication timeout option is a global setting and is controlled by the set webauthtimeout command.

8.1.6 Auditing

All commands issued by all administrators are logged to the server activity log.

This cannot be removed or altered in any way.

The information is written to the log as a message. The message contains the name of the administrator who issued the command and the full text of the command. The command is logged regardless of whether it was valid or not. Any passwords in the command are replaced by the special string?****?.