Hi all,
I'm designing a managed configuration of TSM servers. Our management structure
here is a central TSM with level2/3 support functions, and some district
offices that will have their own TSM servers, plus some remote TSM servers in
their remote locations.
central ->[many districts]->[many satellites]
I'd like to manage as much of this centrally as possible.
Now I intend to set up adminstrator profiles on the configuration manager, and
all TSM Servers in a given district will subscribe to that district's profile,
so any admin in a district will be able to administer any server in that
district, and only that district. This means that they have to log into the
config manager to update their passwords.
Now for operational reasons, theys guys will need unrestricted policy privilege
to do their work. They won't be able to change any of the policies that are
subscribed from the config manager on their local TSM, but what is to stop them
from logging on to the config manager directly and changing policies there?
I could stop them from logging on to the config manager by locking the ids
there, since lock status is not distributed, but, then they can't log in to
change their passwords.
Have I missed something? How do others handle this.
Regards
Steve Harris
AIX and TSM Admin
Queensland Health,
Brisbane Australia
***********************************************************************************
This email, including any attachments sent with it, is confidential and for the
sole use of the intended recipient(s). This confidentiality is not waived or
lost, if you receive it and you are not the intended recipient(s), or if it is
transmitted/received in error.
Any unauthorised use, alteration, disclosure, distribution or review of this
email is prohibited. It may be subject to a statutory duty of confidentiality
if it relates to health service matters.
If you are not the intended recipient(s), or if you have received this email in
error, you are asked to immediately notify the sender by telephone or by return
email. You should also delete this email and destroy any hard copies produced.
***********************************************************************************
|