Use this command to grant an administrator one or more
administrative privilege classes, and authority to access client nodes.
You cannot grant restricted privilege to an unrestricted
policy or unrestricted storage administrator. You must use the REVOKE
AUTHORITY command to remove the administrator's unrestricted
privilege, then use this command to grant restricted privilege to
the administrator.
Privilege class
To issue this command, you
must have system privilege.
Syntax
>>-GRant AUTHority--admin_name---------------------------------->

                   .-,---------------.
           (1)     V                 |
>--CLasses------=----+-SYstem------+-+-------------------------->
                     +-Policy------+
                     +-STorage-----+
                     +-Operator----+
                     '-Node--| A |-'

>--+-----------------------------+------------------------------>
   |             .-,-----------. |
   |             V             | |
   '-DOmains--=----domain_name-+-'

>--+--------------------------------+--------------------------><
   |                  .-,---------. |
   |          (1)     V           | |
   '-STGpools------=----pool_name-+-'

A

   .-AUTHority--=--Access-----.
|--+--------------------------+--+-DOmains--=--domain_name-+----|
   '-AUTHority--=--+-Access-+-'  '-NOde--=--node_name------'
                   '-Owner--'

Notes:
1. You must specify one or more of these parameters.
Parameters
- admin_name (Required)
  Specifies the name of the administrator being granted an administrative
  privilege class.
- CLasses
  Specifies one or more privilege classes to grant to an administrator. This
  parameter is required, except when you specify the STGPOOLS parameter. You
  can specify more than one privilege class by separating each with
  a comma. Possible classes are:
  - SYstem
    Specifies that you want to grant system privilege to an administrator.
    A system administrator has the highest level of authority in Tivoli® Storage
    Manager. A system administrator can issue any administrative command and
    has authority to manage all policy domains and all storage pools. Do not
    specify additional privilege classes or the DOMAINS or STGPOOLS parameters
    when granting system privilege to an administrator. Only a system
    administrator can grant authority to other administrators.
  - Policy
    Specifies that you want to grant policy privilege to an administrator.
    If you do not specify the DOMAINS parameter, unrestricted policy privilege
    is granted. An unrestricted policy administrator can issue commands
    that affect all existing policy domains as well as any policy domains
    that are defined in the future. An unrestricted policy administrator
    cannot define, delete, or copy policy domains. Use the GRANT
    AUTHORITY command with CLASSES=POLICY and no DOMAINS parameter
    to upgrade a restricted policy administrator to an unrestricted policy
    administrator.
  - STorage
    Specifies that you want to grant storage privilege to an administrator.
    If the STGPOOLS parameter is not specified, unrestricted storage privilege
    is granted. An unrestricted storage administrator can issue all commands
    that allocate and control storage resources for the server. An unrestricted
    storage administrator can issue commands that affect all existing
    storage pools as well as any storage pools that are defined in the
    future. An unrestricted storage administrator cannot define or delete
    storage pools. Using the GRANT AUTHORITY command
    with CLASSES=STORAGE and no STGPOOLS parameter upgrades a restricted
    storage administrator to an unrestricted storage administrator.
  - Operator
    Specifies that you want to grant operator privilege to an administrator.
    An administrator with operator privilege can issue commands that control
    the immediate operation of the server and the availability of storage
    media.
  - Node
    Specifies that you want to grant node privilege to a user. A
    user with client node privilege can remotely access a web backup-archive
    client with an administrative user ID and password if they have been
    given owner authority or access authority. Access authority is the
    default for a node privilege class.
    Attention: When you specify the node privilege class, you must also
    specify either the DOMAINS parameter or the NODE parameter, but not both.
    - AUTHority
      Specifies the authority level of a user with node privilege. This
      parameter is optional.
      If an administrator already has system or policy privilege to the
      policy domain to which the node belongs, this command will not change
      the administrator's privilege.
      Possible authority levels are:
      - Access
        Specifies that you want to grant client access authority to a
        user with the node privilege class. This is the default when
        CLASSES=NODE is specified. A user with client access authority can
        access a web backup-archive client and perform backup and restore
        actions on that client.
        Attention: A user with client access authority cannot access that
        client from another system by using the -NODENAME or -VIRTUALNODENAME
        parameter.
        A client node can set the REVOKEREMOTEACCESS option to restrict a
        user that has node privilege with client access authority from
        accessing a client workstation that is running a web client.
        This option does not apply to administrators with client owner
        authority, system privilege, or policy privilege to the policy
        domain to which the node belongs.
      - Owner
        Specifies that you want to grant client owner authority to a user
        with the node privilege class. A user with client owner authority
        can access a web backup-archive client through the web client
        interface and also access their data from another client using the
        -NODENAME or -VIRTUALNODENAME parameter.
    - DOmains
      Specifies that you want to grant to the administrator client access
      or client owner authority to all clients in the specified policy domain.
      You cannot use this parameter together with the NODE parameter.
    - NOde
      Specifies that you want to grant the administrator client access
      or client owner authority to the node. You cannot use this parameter
      together with the DOMAINS parameter.
- DOmains
  When used with CLASSES=POLICY, specifies that you want to grant restricted
  policy privilege to an administrator.
  Restricted policy privilege permits an administrator to issue a subset of
  the policy commands for the domains to which the administrator is authorized.
  You can use this parameter to grant additional policy domain authority
  to a restricted policy administrator. This parameter is optional.
  You can specify more than one policy domain by delimiting each policy
  domain name with a comma.
  You can use wildcard characters to specify a name. Authority for all
  matching policy domains is granted.
- STGpools
  Specifies that you want to grant restricted storage privilege to an
  administrator. If the STGPOOLS parameter is specified, then CLASSES=STORAGE
  is optional.
  Restricted storage privilege permits you to issue a subset of the storage
  commands for the storage pools to which the administrator is authorized. You
  can use this parameter to grant additional storage pool authority
  to a restricted storage administrator. This parameter is optional.
  You can specify more than one storage pool by delimiting each storage
  pool name with a comma.
  You can use wildcard characters to specify a name. Authority for all
  matching storage pools is granted.
Example: Grant system privilege to an administrator
Grant system privilege to administrator Larry.
grant authority larry classes=system
Example: Grant access to additional policy domains
Specify additional policy domains that the restricted policy administrator
CLAUDIA can manage.
grant authority claudia domains=employee_records,prog1
Example: Provide an administrator with unrestricted storage privilege and restricted policy privilege
Provide administrator TOM with unrestricted storage privilege and restricted
policy privilege for the domains whose names start with EMP.
grant authority tom classes=storage domains=emp*
Example: Grant an administrator authority restricted to a specific node
Grant node privilege to user HELP so that help desk personnel can assist the
client node LABCLIENT in backing up or restoring data without having other
higher-level Tivoli Storage Manager privileges.
grant authority help classes=node node=labclient
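An added example, not part of the product documentation: a small Python reviewer that applies the rules stated on this page to a GRANT AUTHORITY command line and reports broad or invalid grants before the command is issued. The names kw and review_grant and the finding texts are illustrative assumptions, and only the * wildcard shown in the example above is checked.

```python
import re

# Keywords in the page's notation: the capital letters are the minimum abbreviation.
PARAMS = ("CLasses", "DOmains", "STGpools", "NOde", "AUTHority")
CLASSES = ("SYstem", "Policy", "STorage", "Operator", "Node")

def kw(token, template):
    """True if token is template or an allowed abbreviation of it (case-insensitive)."""
    minimum = len(re.match(r"[A-Z]+", template).group())
    return len(token) >= minimum and template.upper().startswith(token.upper())

def review_grant(command):
    """Return review findings (hypothetical wording) for one GRANT AUTHORITY line."""
    words = command.split()
    if len(words) < 3 or not (kw(words[0], "GRant") and kw(words[1], "AUTHority")):
        raise ValueError("not a GRANT AUTHORITY command")
    params = {}
    for word in words[3:]:  # words[2] is admin_name
        key, _, value = word.partition("=")
        name = next((p for p in PARAMS if kw(key, p)), None)
        if name is None or not value:
            raise ValueError(f"unrecognized parameter: {word}")
        params[name] = value.split(",")
    classes = {c for v in params.get("CLasses", []) for c in CLASSES if kw(v, c)}
    findings = []
    if "SYstem" in classes:
        findings.append("SYSTEM: highest level of authority")
        if len(params["CLasses"]) > 1 or "DOmains" in params or "STGpools" in params:
            findings.append("invalid: SYSTEM excludes other classes, DOMAINS and STGPOOLS")
    if "Node" in classes:
        if ("DOmains" in params) == ("NOde" in params):
            findings.append("invalid: CLASSES=NODE needs exactly one of DOMAINS or NODE")
        if kw(params.get("AUTHority", ["access"])[0], "Owner"):
            findings.append("OWNER: client data reachable from another client")
    if "Policy" in classes and "DOmains" not in params:
        findings.append("unrestricted POLICY: all current and future policy domains")
    if "STorage" in classes and "STGpools" not in params:
        findings.append("unrestricted STORAGE: all current and future storage pools")
    for name in ("DOmains", "STGpools"):
        if any("*" in v for v in params.get(name, [])):
            findings.append(f"wildcard in {name.upper()}: every matching name is granted")
    return findings

if __name__ == "__main__":
    for cmd in ("grant authority larry classes=system",              # from the page
                "grant authority tom classes=storage domains=emp*",  # from the page
                "grant authority help classes=node node=labclient",  # from the page
                "gr auth bob cl=sy,o"):                              # constructed
        print(cmd, "->", review_grant(cmd) or "no findings")
```

An empty result means the grant is scoped as the page describes for restricted privilege; any finding is a prompt to confirm that the wider scope is intended.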
Related commands
Table 1. Commands related to GRANT AUTHORITY
Command | Description
QUERY ADMIN | Displays information about one or more Tivoli Storage Manager administrators.
REVOKE AUTHORITY | Revokes one or more privilege classes or restricts access to policy domains and storage pools.