Ibm tivoli provisioning manager 7 1 security aspects of tpm 7 1
This presentation is the property of its rightful owner.
Sponsored Links
1 / 12

IBM Tivoli Provisioning Manager 7.1 Security Aspects of TPM 7.1 PowerPoint PPT Presentation


  • 112 Views
  • Uploaded on
  • Presentation posted in: General

IBM Tivoli Provisioning Manager 7.1 Security Aspects of TPM 7.1. Lots of Security-related aspects for TPM 7.1…. Tivoli process automation engine Security Security Groups, Users Data restrictions Conditional UI LDAP Synchronization and User/Group management Single Sign On, Launch in Context

Download Presentation

IBM Tivoli Provisioning Manager 7.1 Security Aspects of TPM 7.1

An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.


- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -

Presentation Transcript


Ibm tivoli provisioning manager 7 1 security aspects of tpm 7 1

IBM Tivoli Provisioning Manager 7.1Security Aspects of TPM 7.1


Lots of security related aspects for tpm 7 1

Lots of Security-related aspects for TPM 7.1…

  • Tivoli process automation engine Security

    • Security Groups, Users

    • Data restrictions

    • Conditional UI

    • LDAP Synchronization and User/Group management

    • Single Sign On, Launch in Context

  • Tivoli Provisioning Manager security

    • Out-of-the-box Security Groups

      • MAXADMIN vs. TPADMIN

    • Provisioning Objects/Group Restrictions

    • Provisioning Permission Groups and Workflow Permissions


Security groups and users

Security Groups and Users

Security Groups in Tpae provide a mechanism for defining role-specific application and function

access as well as other configuration. Configurable security group elements include…

  • Start Center assignment (one per Security Group)

  • Application authorization and function access

  • Data restrictions

  • Site, location and other filtering for some types of objects

  • Provisioning object/group


Security groups and users continued

Security Groups and Users Continued…

“Users” can be members of one or more Security Groups. Functional aspects of Users with

respect to Security include…

  • Security Group access is “additive”—if a user is a member one or more Security Groups that do not have access to something, but are a member of at least one group that has the access, the user will have access.

    • One exception to this is qualified data restrictions, which applies additional filters for users regardless of access from other Security Groups.

  • User configuration can be defined by the user via the Profile functions or from the Users application (usually administrators only for the latter.)


Data restrictions

Data restrictions

Tpae provides general purpose data access management capabilities. Access can be controlled

in many ways…

  • “Global” Data Restrictions can be defined against any objects in the system

    • Uses general purpose query style filtering or custom java classes

    • Restricted items can be “masked”, hidden, or set as read-only

    • Can be defined for whole objects and/or individual attributes

    • Application specific data restrictions can be defined

  • Security Group-specific restrictions can be defined

    • Similar functions as above—only applied if the user is a member of a Security Group with the restriction


Conditional ui capabilities

Conditional UI capabilities

Provides capabilities to define custom configurations to modify the appearance and basic behavior

of UIs depending on Security Groups and “state” of data or other information.

  • Signature Option/Application Auth is one example of this—simple on/off access to fields, controls and menus depending on Security Group membership

  • Condition-based control-specific behavior can be defined…

    • Can be used to show or hide particular fields, sections, tabs, etc. depending on state or other “conditions” (data tests or custom java code)

    • Provides capability to change other attributes of controls such as color, labels, editing state, etc.

    • Conditional UI controls can be tied to Security Groups or applied for “EVERYONE” (regardless of Security Group)

    • See the Application Developer Guide for additional information


Ldap synchronization and user group management

LDAP Synchronization and User/Group Management

Quite a few customizable capabilities for user and group management are provided by Tpae…

  • All user/group synchronization is “one-way” into Tpae

    •  Although it’s possible to configure Tpae to do the user and group management, this doesn’t feed into any LDAP-based systems

  • “VMM” (Websphere Virtual Member Manager)-based synchronization of users and groups is available

    • This is the default deployment configuration

    • Any external user system abstracted by Websphere can be utilized

  • Microsoft Active Directory LDAP synchronization is also available

    •  Manually configured post-installation


Single sign on launch in context

Single Sign-on/Launch in Context

Tpae provides configuration and enablement for single sign-on and launch in context for various

external applications and systems…

  • Tivoli Application Dependency and Discovery Manager (TADDM) Launch in Context

  • IBM Tivoli Monitoring/Tivoli Enterprise Portal Server

  • 3rd-party/External System Launch in Context is possible

  • InfoCenter material and Redbook describing configuration for this is availablehttp://publib.boulder.ibm.com/infocenter/tivihelp/v10r1/topic/com.ibm.ccmdb.doc_7.1.1/security/c_sec_overview.htmlhttp://www.redbooks.ibm.com/abstracts/SG247565.html


Out of the box security groups for provisioning manager

Out-of-the-box Security Groups for Provisioning Manager

Touched on in earlier sessions, TPM provides the following Security Groups and associated

configuration in the stock deployment...

  • Provisioning Administrator (TPADMIN)

  • Deployment Specialist (TPDEPLOYMENTSPECIALIST)

  • Configuration Librarian (TPCONFIGURATIONLIBRARIAN)

  • Compliance Analyst (TPCOMPLIANCEANALYST

  • Automation Package Developer (TPDEVELOPER)

    These are provided with a stock set of application access and Start Center configurations.

    (Reference spreadsheet or product docs for the definitions) These can be customized as

    needed for your installation.


Out of the box security groups additional notes

Out-of-the-box Security Groups Additional Notes…

Some other notes on the stock Security Groups…

  • The MAXADMIN Security Group/maxadmin user doesn’t have access to the TPM applications by default.

  • With the initial installation, there are not any users configured as members of the TP* security groups. The quickest paths for adding user access for the Provisioning apps are…

    • If VMM or LDAP sync isn’t enabled, simply log in as maxadmin and run the “AssignMAXADMIN_to_TP_Groups” Web Replay scenario (this scenario assigns maxadmin to all of the TP* Security Groups.)

    • If VMM or LDAP sync are enabled, you can add these users and group assignments from any appropriate user management interface, e.g. if using VMM, can configure Users and Group assignment from the Websphere Admin Console.

  • The TPADMIN Security Group does not have general Security Group or configuration customization access for the deployment. (By design, Security configuration and general Provisioning application access are in separate roles.) It is possible to assign a user to be both a member of TPADMIN and MAXADMIN in order to have access to all of the applications available in these Security Groups.


Provisioning objects and group restrictions

Provisioning Objects and Group Restrictions

Similar to functionality that was provided in TPM 5.1.1, it’s possible to define “read-only” or

“hidden” access to particular DCM object sets based on Provisioning Group set definitions.

  • These definitions are associated with Tpae Security Groups. I.e., if a Provisioning Group data restriction is defined for a Security Group and a user is a member of that Security Group, the user will be restricted regarding which objects are visible or manageable.


Provisioning permission groups and workflow permissions

Provides fine-grained access control for executing particular Workflow/LDO operations. Once

defined, can be associated with one or more Security and Provisioning Groups…

Provisioning Permission Groups and Workflow Permissions


  • Login