AIX, HP-UX, Linux, Mac OS X, and Oracle Solaris operating systems

Restricting Tivoli Storage Manager access to a user group

When you install the Tivoli® Storage Manager Backup-Archive Client, any user can use Tivoli Storage Manager. You can restrict access to Tivoli Storage Manager by non-administrative users (users other than root) by creating a user group and allowing only users in that group to perform Backup-Archive Client operations.

Before you begin

Before using this procedure, log on as root and set the client passwordaccess option to generate. Setting passwordaccess to generate stores the password locally so users in the group that you create can log on without needing to know the node password.

While logged on as root, create a user group to contain all users (other than root) that you want to allow to perform Backup-Archive Client operations. See the documentation for the operating system for instructions to create user groups.

This procedure uses trustedusers as the name of the user group that contains all accounts that can perform backup-archive operations. When you perform this procedure in your environment, specify a valid group name.

About this task

Perform the following steps to limit access to Tivoli Storage Manager client operations to selected users.

Procedure

  1. Change the group ownership of dsmtca to the trustedusers group. Type chgrp trustedusers dsmtca.
  2. Set the execute (x) bit for the group so anyone in the trustedusers group can run dsmtca. Type chmod 750 dsmtca.
  3. Set the SUID bit for dsmtca so that users in the group can run it with elevated privileges. Type chmod u+s dsmtca.
  4. Verify that the group has the execute bit set for the dsmtca file. Type ls -l dsmtca.

    The output from ls -l dsmtca should show that the SUID (s) bit is set for dsmtca in the user field, and that the execute bit is set in the group field.

    -rwsr-x--- 1 root trustedusers 13327961 2011-05-19 08:34 dsmtca
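
The check in step 4 can be scripted so that it fails on a missing SUID bit, on access for users outside the group, or on a wrong owner or group. This is an added example, not part of the product documentation; the function names audit_ls_line and check_dsmtca are hypothetical, and the expected mode, owner and group are taken from the sample output above.

```shell
#!/bin/sh
# Added example (not from the product documentation). Function names are
# hypothetical; the expected mode, owner and group come from the sample
# `ls -l dsmtca` output in step 4.

# Audit one line of `ls -l` output. Prints findings; returns 0 only if the
# line shows mode -rwsr-x---, the expected owner, and the expected group.
audit_ls_line() {
    line=$1 group=$2 owner=${3:-root}
    read -r mode _links cur_owner cur_group _rest <<EOF
$line
EOF
    perms=$(printf '%.10s' "$mode")   # first 10 chars; drops a trailing + . or @
    rc=0
    case $perms in
        -rwsr-x---) ;;
        *) echo "FAIL: mode is $perms, expected -rwsr-x---"; rc=1 ;;
    esac
    case $perms in
        ???????---) ;;
        *) echo "FAIL: permission bits for 'other' are set"; rc=1 ;;
    esac
    [ "$cur_owner" = "$owner" ] || { echo "FAIL: owner is $cur_owner, expected $owner"; rc=1; }
    [ "$cur_group" = "$group" ] || { echo "FAIL: group is $cur_group, expected $group"; rc=1; }
    case $mode in
        *+) echo "WARN: an ACL is present; review it, mode bits alone do not show it" ;;
    esac
    [ "$rc" -eq 0 ] && echo "OK: $perms $cur_owner $cur_group"
    return "$rc"
}

# Audit a file on disk, for example: check_dsmtca ./dsmtca trustedusers
check_dsmtca() {
    [ -f "$1" ] || { echo "FAIL: $1 is not a regular file"; return 2; }
    audit_ls_line "$(LC_ALL=C ls -l "$1")" "$2" "${3:-root}"
}
```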

Results

After performing this procedure, users who are not included in the user group cannot use the client to perform backup or archive operations.