Re: Location of NetView icon.

[lclark@us.ibm.com]

Ok, so I got dressed and drove into the office just to check this out. I
have a clean
install of V6.0, and a non-root user with its own Desktop with only the
NoticeBoard and
the NetViewServer icons on it. As root, when I use the context menu to look
at the
Administrator, I have:
Properties:  Label= Leslie_NV; User Login Name= root; Group Name=bin
TMR Roles: senior only
Resource Roles: none set in any of them
Logins: lclark@igloo
Notice Group subscriptions: none.

Logging in as lclark and launching this desktop, using the context menu,
I could:  change netmon parameters, clear the database, restart all
daemons, start map.
I could do none of these except start the map from the commandline.
>From the map launched from the tivoli context menu (ie it is running as
root without me
needing to know the root password), I could:
Launch and use serversetup to configure things, which I could not do from
the cmdline.

Other functions available to me on the Desktop? I did not seem to have
enough
permissions to do anything.  So on the simplest level, this is a way to
give the
network administrator some power over Netview without giving him full root
access,
and without making it easy for him to mess up the rest of Tivoli.

Of course Martin is right, there are Tivoli commands you can execute via
the CLI with
the Senior role that could get you into trouble.  (Not as many as with
Admin, tho.)  And having
the server icon in a Policy Region (V5) did give you another layer of
control. You cannot,
I found, copy it into a Policy Region.  So if you intend to use Tivoli
policies as your security
mechanism, you will not be happy. If you feel strongly about having it
moved back,
you could make your case via the requirements mechanism (ie your Tivoli
rep).

I'm sure the reason the product developers do not pay more attention to
this move
is because, as far as they know, Netview is generally used directly, from
outside of the
Tivoli environment. And because, as James has reminded us here before, you
need
root access to a lot more stuff than just what you find under serversetup
to run this
thing.  And you don't need any Tivoli roles at all to do any of this.  I
only use the method
above with those customers who severely restrict access to root on all
machines. This
method cuts down on the calls to their Unix administrators some, once the
initial install,
configuration, and verification are completed.


Cordially,

Leslie A. Clark
IBM Global Services - Systems Mgmt & Networking
Detroit


Martin Walder <martin.walder@itmasters.com>@tkg.com on 07/05/2000 07:56:29
PM

Please respond to IBM NetView Discussion <nv-l@tkg.com>

Sent by:  owner-nv-l@tkg.com


To:   IBM NetView Discussion <nv-l@tkg.com>
cc:
Subject:  Re: [NV-L] Location of NetView icon.



Leslie

If someone has a role but no icon on the desktop, then surely they can drop
to
a CLI and issue w-commands which may be undesirable?

--
Martin Walder
Tivoli Certified Enterprise Consultant

IT Masters (UK) Ltd
Unit 5, CNC House,
Grand Union Office Park,
Packet Boat Lane,
Uxbridge UB8 2GH

Tel:     +44 (0) 1895 909 500
Mobile:  +44 (0) 771 315 8548
Fax:     +44 (0) 1895 909 501
Internet http://www.itmasters.com

lclark@us.ibm.com wrote:

> Understood. But if there is nothing on the desktop other than the Netview
> Server,
> I figure it does not matter what privileges he has as he cannot use them
on
> anything
> you don't put on the desktop. ( In V5, the required role was Senior, not
> Admin.)
> Yes, this may mean that a person with more than one job may need more
than
> one
> desktop. Not ideal.  Hint:  You will probably see a  move away from the
> Tivoli context
> menu for Netview administration in the future anyway. You should probably
> focus on
>  the serversetup application as your main means of administering Netview.
>
> Cordially,
>
> Leslie A. Clark
> IBM Global Services - Systems Mgmt & Networking
> Detroit
>
> Dave_Finn@computacenter.com@tkg.com on 07/05/2000 09:21:07 AM
>
> Please respond to IBM NetView Discussion <nv-l@tkg.com>
>
> Sent by:  owner-nv-l@tkg.com
>
> To:   IBM NetView Discussion <nv-l@tkg.com>
> cc:
> Subject:  Re: [NV-L] Location of NetView icon.
>
> Hi Leslie,
>
> Yes you are correct about the setup and yes I have installed the Patch on
> the NT
> TMR server and the UNIX managed node.
>
> The problem of security is more of the other way round, for the NetView
> administrator to access NetView he needs to have at least "admin" global
> rights
> to the TMR.  Which gives them too much access to the other functions
within
> the
> TMR.
>
> With the Noticeboard you can at least restrict them to which notices they
> receive and you can have multiple Remote Control objects, within
different
> Policy Regions, each with the ability to control selective machines.
>
> Thanks for you reply
>
> Cheers
>
> Dave
>
> lclark@us.ibm.com on 05/07/2000 13:34:28
>
> Please respond to IBM NetView Discussion <nv-l@tkg.com>
>
> To:   NV-L@tkg.com
> cc:    (bcc: Dave Finn/COSS/CCenter)
> Subject:  Re: [NV-L] Location of NetView icon.
>
> If I understand your environment, you have an NT TMR Server with Netview
on
> a Unix Managed Node.  I have not seen this particular arrangement. The
> Netview
> Framework patch is on both the TMR server and the managed node, right?
>
> In V6, I  think of the NetView Server object as more like the
Noticeboard,
> or the
> RemoteControll object. You should be able to copy it from one desktop to
> another.
> Rather than controlling it by policy region, control it by which Admin
> Desktop it is
> on.  The Netview administrator gets his own desktop with the Netview icon
> on it.
>
> Cordially,
>
> Leslie A. Clark
> IBM Global Services - Systems Mgmt & Networking
> Detroit
>
> Dave_Finn@computacenter.com@tkg.com on 07/04/2000 08:47:37 AM
>
> Please respond to IBM NetView Discussion <nv-l@tkg.com>
>
> Sent by:  owner-nv-l@tkg.com
>
> To:   nv-l@tkg.com
> cc:
> Subject:  [NV-L] Location of NetView icon.
>
> Hi,
>
> I am installed NetView 6.0 for UNIX on Framework version 3.6.2 running on
> NT
>
> I installed the Tivoli NetView Framework Patch, then installed the
NetView
> Server.  The icon for the NetView Server appeared in the Desktop for the
> Root
> Administrator.  And for a Tivoli Administrator to access the NetView
Client
> they
> need to have global "admin" rights to the TMR server.
>
> What I would like to do is move the NetView Server icon into a separate
> Policy
> Region, so I can give the NetView administrator, "user" global rights and
> the
> "admin" rights to the new Policy Region.
>
> Firstly, is this possible.
>
> And secondly, how do I move the NetView Server icon into a new Policy
> Region.  I
> know the NetView Framework Patch 5.1 used to add two new Managed
Resources,
> but
> the version 6 of this patch hasn't, is this right or has something gone
> wrong
> with the installation.
>
> Cheers
>
> Dave
>
> _________________________________________________________________________
> NV-L List information and Archives: http://www.tkg.com/nv-l
>
> _________________________________________________________________________
> NV-L List information and Archives: http://www.tkg.com/nv-l
>
> _________________________________________________________________________
> NV-L List information and Archives: http://www.tkg.com/nv-l
>
> _________________________________________________________________________
> NV-L List information and Archives: http://www.tkg.com/nv-l

_________________________________________________________________________
NV-L List information and Archives: http://www.tkg.com/nv-l