Re: Separation of NetView administrator and root administrator

2001-11-09 13:56:14
Subject: Re: Separation of NetView administrator and root administrator
From: "Leslie Clark" <lclark AT us.ibm DOT com>
To: nv-l AT lists.tivoli DOT com
Date: Fri, 9 Nov 2001 13:56:14 -0500
There are really two issues: the NetView admin vs the users,
and the NetView admin vs root user.
There are several approaches available.

The method Mike refers to is the most basic: Allow the
Administrator to log in (or su to) root, and he can do everything.
The non-root user is more limited. Then use the map permissions
to further limit access to maps. That is under serversetup and is
based on Unix groups. If you run that with permission 644, and
make root the owner, and do it once with yes and once with no
on the global question, root will be the only one who can make
maps, and the only one who can get the map r/w.  So this is
basic security: root vs non-root, plus map permissions.

Some sites set up an administrator id that has a uid of 0. That
works pretty well, too. This is another variation of the 'root vs
everyone else' scenario, but the administrator does not know
the root password. Not much of a restriction, really.

Then there is the Tivoli Framework security. You can set up a
Tivoli Administrator (say a non-root user) that executes as root.
So this non-root user can launch the NetView interface as root
without knowing the root password. Any functions that can be
done from the GUI can be done by this user. Other users will not
have those functions since they are not root.  And the administrator
cannot get into too much trouble elsewhere on the box.

Then there is NetView Security. That allows you to determine which
users can do which functions. You still have to deal with the map
permissions. And this only applies to the Motif interface. NetView
security is disabled by default. It is a little tricky to set up at first,
but is well documented in the Admin Guide. There are still things
that the admin must be root (or uid 0) to do.

In V7.1 there is a whole new scheme offered, and it is aimed at
the web client. The idea is that soon all users will be web users
except for the Administrator. The Administrator will still need to use
the Motif interface (e.g. for cutting and pasting, and for admin functions),
but web users, who so far have no access to administrative functions,
can further be restricted by what they can see in the map, and what
they can do to the things they can see.  The administrator would
still need some sort of root access to do many of the admin


Leslie A. Clark
IBM Global Services - Systems Mgmt & Networking

Mike Walsh <[email protected]astar.com>
Sent by: [email protected]
11/09/01 08:25
Please respond to IBM NetView

To: IBM NetView Discussion <nv-l AT tkg DOT com>
cc:
Subject: Re: [NV-L] Separation of NetView administrator and root


We have much the same situation.  In our case we use a "PowerBuilder" app
that assigns a pseudo root access to the administrator so that the NetView
admin can perform those functions that require root.  All others have only
user (read only) access to NetView and the server files.

You might look into this.


anand anupam wrote:

     Hi All,

     We have NetView 6.0.2 on AIX 4.3.3.

     We wanted to have separate OS administrator and NetView administrator.

     We had installed NetView on a Managed node through root login which is
     a prerequisite. After this, we created one user with system group.
     But, this user is not able to perform NetView administration.

     NetView has been planned to be integrated with other Tivoli modules
     like TSD/TDS/Inventory etc.

     Any idea what additional admin rights have to be assigned to this
     user? Or it is not possible to separate OS administrator and NetView

     Thanks in advance,



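Added example, not part of the original thread: a small audit for the two account patterns discussed above, an administrator id created with uid 0 and a user placed in a privileged primary group. The account names, the sample passwd data and the function names `uid0_aliases` and `primary_gid_accounts` are constructed for illustration; GID 0 is assumed to be the group of interest.

```shell
#!/bin/sh
# Added example (not from the thread): audit passwd(5)-format data for
# root-equivalent accounts. All account names below are constructed.

# Constructed sample input: name:passwd:uid:gid:gecos:home:shell
sample_passwd() {
cat <<'EOF'
root:!:0:0::/:/usr/bin/ksh
daemon:!:1:1::/etc:
nvadmin:!:0:0:NetView admin:/home/nvadmin:/usr/bin/ksh
operator1:!:205:0:NetView operator:/home/operator1:/usr/bin/ksh
operator2:!:206:1:NetView operator:/home/operator2:/usr/bin/ksh
# comment line
broken-line-without-fields
EOF
}

# uid0_aliases: read passwd data on stdin, print every account other than
# "root" whose UID is 0. Such an id is root in all but name.
uid0_aliases() {
    awk -F: '
        /^[ \t]*(#|$)/ { next }            # skip comments and blank lines
        NF < 7         { next }            # skip malformed entries
        $3 ~ /^0+$/ && $1 != "root" { print $1 }
    '
}

# primary_gid_accounts GID: print accounts that are not UID 0 but have GID
# as their primary group, so group-based permissions apply to them.
primary_gid_accounts() {
    awk -F: -v gid="$1" '
        /^[ \t]*(#|$)/ { next }
        NF < 7         { next }
        $4 == gid && $3 !~ /^0+$/ { print $1 }
    '
}

echo "UID 0 under another name:"
sample_passwd | uid0_aliases
echo "Non-root accounts with primary GID 0:"
sample_passwd | primary_gid_accounts 0
```

To check a real host, pipe its passwd file into the functions instead of `sample_passwd`.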