Limitations of the non root security setup
The following list summarizes the limitations of the
non root security setup:
- A regular user cannot view the contents of the RMC resource manager
trace file (for example, the trace of the
IBM.RecoveryRMddaemon).All RMC Resource Manager daemons use the RMC framework library utility to create trace files and core images under the
/var/ct/<cluster>directory. Since these resource managers can be started only by a superuser (user IDroot) through the /usr/bin/startsrc command, the files that are created belong to the user IDroot.All non root users cannot collect debug and trace information by using the /usr/sbin/rsct/bin/ctsnap command.
To allow non root users to collect traces or
ctsnapdebug data or both, a mechanism likesudo
must be implemented for these users and commands. - The following commands can be started only with
rootauthority because they use Tivoli logging, which works properly only if the log files are maintained withrootrights:- The sampolicy command.
- The samadapter command to start the end-to-end automation adapter.
- The samlicm command to install or upgrade a license.
- The granularity of the ACL objects is based on resource classes, not on resources. This means that a regular user is either allowed to modify resources of a resource class or not, but it is not possible to grant or deny permissions on a resource basis, for example, a database administrator cannot be authorized only for database resources.
- The
sa_operator
role can modify resources by changing attribute values for the resources. This is a result of thes
permission, which is needed for issuing System Automation for Multiplatforms requests. Without thes
permission, users who have this role would not be able to perform any useful task. With thes
permission they are allowed to set and change attributes.
The following table shows which role or authority is
required to perform typical System Automation for Multiplatforms tasks.
| Task | Authority | Roles | Permissions |
|---|---|---|---|
| Product and product license installation | root | System Administrator | Installing and upgrading System Automation for Multiplatforms and the product license. |
| Cluster management | root / sa_admin | System Administrator / System Automation for Multiplatforms Administrator | Defining, starting, stopping, and monitoring clusters and individual RMC Resource Managers |
| Resource definition and System Automation for Multiplatforms policy definition | root / sa_admin | System Administrator / System Automation for Multiplatforms Administrator | Defining, removing, changing resources, and setting up automation policies |
| Automation operation | root / sa_admin / sa_operator | System Administrator / System Automation for Multiplatforms Administrator and Operator | Issuing Online and Offline request, and resetting and monitoring resource groups and individual resources |
| Collecting trace and debug data for problem determination | root | System Administrator | Access to all system and application trace (log) files. (see the list of limitations) |
| Security setup | root | System Administrator | Defining, changing, and removing the security setup that is described in this section. |
| Adapter setup | root / sa_admin | System Administrator / System Automation for Multiplatforms Administrator | Defining, changing, and removing the configuration of the end-to-end automation |