Planning for security

You must choose a security option and decide which system users work with applications in Control Desk. Optionally, you can configure which system users can work with which configuration items.

Each service management process defines its own roles. If you install more process managers, additional roles for those processes are added.

The roles are based on roles defined in the Information Technology Infrastructure Library (ITIL). IBM® implements ITIL by using IBM Tivoli® Unified Process. Refer to the IBM Tivoli Unified Process content for more detailed information about roles and their responsibilities.

You must decide whether to use the roles defined by the service management processes, or define your own.

The roles defined by the processes are implemented as security groups. You can assign each user to one or more security groups, which enables the user to perform the responsibilities assigned to those roles. You can modify the applications that members of each security group can use in the Security Groups application.

Control Desk can be configured to manage system users and their memberships in security groups. The following user information is required:

Maximo administration user
The product administrator user that is used for initial configuration and for adding users. By default, the value is maxadmin.
Maximo system registration user
The user that is used for the self-registration of users. By default, the value is maxreg.
Maximo system integration user
The user that is used with enterprise adapters. By default, the value is maxintadm.

Default users are created and stored in the Maximo® database. You can log in to Control Desk by using the default users or you can modify the users to suit your security requirements.

When you install Control Desk, you must choose a method for managing users and groups. This method applies to all products that you install together. If you are installing Control Desk with another product that is already installed, the choice you made when installing the first product is used for Control Desk as well.

If you are using Oracle WebLogic Server, Control Desk internal authentication is used as the default security option and a directory server is not required. You create and manage users and groups in the Users and Security Groups applications, separately from any corporate user data.

Choosing a security option

The security option you choose determines how your system performs authentication and authorization. Authentication is the validation of a user signing in to Control Desk. Authorization uses security groups to control which users can work with each application.

Choose one of the following security options:
Use J2EE application security for authentication and user and group management
With this option, you create all your users and security groups in your directory (LDAP) server. The information from the directory server is updated in your Maximo database by using a cron task. With this option, you can create additional security groups and assign group memberships in Maximo. All users must be added in the directory; adding users is not allowed in Maximo. Information entered in Maximo is never propagated to your directory.
Use J2EE application security for authentication and user management
With this option, you can create your users and groups in the directory (LDAP) server or in Maximo. The information from the directory server is updated in your Maximo database by using a cron task. With this option, you can create additional users and security groups, and assign group memberships, in Maximo. Information entered in Maximo is never propagated to your directory.
Use Maximo internal authentication
With this option, a directory server is not required. Use the default users that are provided or manage users and groups in the Users and Security Groups applications. Configure the users and groups to protect any corporate user data you might have.

With this option, you cannot configure single sign-on to launch in context to the TADDM interface without providing credentials. You have to define users in TADDM as well as in Control Desk and make sure that you coordinate their maintenance. When you launch in context to the TADDM interface, you always have to provide credentials that TADDM recognizes. You cannot synchronize access collection definitions between Control Desk and TADDM using this option.
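
An added example (not IBM code and not part of the original page): a reconciliation check over two constructed exports that flags active default accounts and any users or group memberships that exist only in Maximo, which a directory-based access review would never see because nothing is propagated back. The option labels, record layout, and sample names are assumptions of this example, as is reporting the default accounts separately instead of comparing them with the directory.

```python
# Added example. All records below are constructed sample data.
DEFAULT_USERS = {"maxadmin", "maxreg", "maxintadm"}  # defaults named on this page

# Hypothetical labels for the three security options described above.
DIR_USERS_AND_GROUPS = "j2ee_users_and_groups"
DIR_USERS_ONLY = "j2ee_users"
INTERNAL = "maximo_internal"

def audit(option, directory, maximo):
    """Return sorted (severity, user, message) findings.

    directory: {user_id: set(groups)} exported from the LDAP server
    maximo:    {user_id: {"active": bool, "groups": set(groups)}}
    """
    findings = []
    for user, rec in maximo.items():
        if user in DEFAULT_USERS:  # assumption: reported on their own
            if rec["active"]:
                findings.append(("review", user, "default account is active"))
            continue
        if option == INTERNAL:
            continue  # no directory server to compare against
        if user not in directory:
            if option == DIR_USERS_AND_GROUPS:
                msg = "exists only in Maximo; all users must be in the directory"
                findings.append(("violation", user, msg))
            else:
                findings.append(("info", user, "Maximo-only user, unknown to the directory"))
            continue
        local = rec["groups"] - directory[user]
        if local:  # allowed, but invisible to directory-side reviews
            msg = "membership assigned in Maximo only: " + ", ".join(sorted(local))
            findings.append(("info", user, msg))
    if option != INTERNAL:
        for user in directory.keys() - maximo.keys():
            findings.append(("info", user, "in directory, awaiting cron task sync"))
    return sorted(findings)

SAMPLE_DIRECTORY = {"asmith": {"CHANGE_TEAM"}, "bjones": {"DESK_TEAM"}, "cnew": {"DESK_TEAM"}}
SAMPLE_MAXIMO = {
    "maxadmin": {"active": True, "groups": {"ADMINS"}},
    "maxreg": {"active": False, "groups": set()},
    "asmith": {"active": True, "groups": {"CHANGE_TEAM", "CI_EDITORS"}},
    "bjones": {"active": True, "groups": {"DESK_TEAM"}},
    "tempcontractor": {"active": True, "groups": {"DESK_TEAM"}},
}

if __name__ == "__main__":
    for finding in audit(DIR_USERS_AND_GROUPS, SAMPLE_DIRECTORY, SAMPLE_MAXIMO):
        print(*finding, sep=" | ")
```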

Controlling access to configuration items

By default, any authenticated user can work with any configuration item (CI), by using any application to which the role gives access. If you want, you can control which users can work with selected configuration items. You control access by organizing the configuration items into access collections.

Configuring security

You configure your security environment by creating users and assigning them to security groups. You then define the applications that members of each security group can use, and optionally create access collections after you have finished installing Control Desk. Read the topics under Security in the information center for more information.