IBM Tivoli Storage Manager, Version 7.1

REVOKE AUTHORITY (Remove administrator authority)

Use this command to revoke one or more privilege classes from an administrator.

You can also use this command to reduce the number of policy domains to which a restricted policy administrator has authority and the number of storage pools to which a restricted storage administrator has authority.

If you use the REVOKE AUTHORITY command without the CLASSES, DOMAINS, and STGPOOLS parameters, you will revoke all privileges for the specified administrator.

At least one administrator must have system privilege; therefore, if the administrator is the only one with system privilege, you cannot revoke the authority.

Privilege class

To issue this command, you must have system privilege.

Syntax

Read syntax diagramSkip visual syntax diagram
>>-REVoke AUTHority--admin_name--------------------------------->

>--+-------------------------------------+---------------------->
   |                 .-,---------------. |   
   |         (1)     V                 | |   
   '-CLasses------=----+-SYstem------+-+-'   
                       +-Policy------+       
                       +-STorage-----+       
                       +-Operator----+       
                       '-Node--| A |-'       

>--+-----------------------------+------------------------------>
   |             .-,-----------. |   
   |             V             | |   
   '-DOmains--=----domain_name-+-'   

>--+--------------------------------+--------------------------><
   |                  .-,---------. |   
   |          (1)     V           | |   
   '-STGpools------=----pool_name-+-'   

A

   .-AUTHority--=--Access-----.                                
|--+--------------------------+--+-DOmains--=--domain_name-+----|
   '-AUTHority--=--+-Access-+-'  '-NOde--=--node_name------'   
                   '-Owner--'                                  
Notes:
  1. If all these parameters are omitted, all administrator privileges will be revoked for this administrator.

Parameters

admin_name (Required)
Specifies the name of the administrator whose administrative privilege is to be revoked or reduced.
CLasses
Specifies one or more administrative privilege classes to be revoked. You can specify more than one class by separating each with a comma.
SYstem
Indicates that system authority is to be revoked for this administrator. If CLASSES=SYSTEM is specified, no other classes can be specified, and the DOMAINS and STGPOOLS parameters cannot be specified.
Policy
Indicates that policy privilege is to be revoked for this administrator. To revoke all policy privilege, specify CLASSES=POLICY and do not specify the DOMAINS parameter.
STorage
Indicates that storage privilege is to be revoked for this administrator. To revoke all storage privilege, specify CLASSES=STORAGE and do not specify the STGPOOLS parameter.
Operator
Indicates that operator privilege is to be revoked for this administrator.
Node
Indicates that node privilege is to be revoked for this user.
AUTHority
Indicates the authority level to revoke for a user with node privilege. This parameter is optional.

If an administrator already has system or policy privilege to the policy domain to which the node belongs, this command will not change the administrator's privilege.

Possible authority levels are:
Access
Indicates that client access authority is revoked. This is the default when CLASSES=NODE is specified.
Note: A client node can set the REVOKEREMOTEACCESS option to prevent access by a user with node privilege and client access authority. If a user with node privilege has client owner authority, or has system or policy privileges to the policy domain to which the node belongs, that administrator can still access the web backup-archive client.
Owner
Indicates that client owner authority is revoked.
DOmains
Indicates that you want to revoke an administrator's client access or client owner authority to all clients in the specified policy domain. This parameter cannot be used together with the NODE parameter.
NOde
Indicates that you want to revoke an administrator's client access or client owner authority to the node. This parameter cannot be used together with the DOMAIN parameter.
DOmains
When used with CLASSES=POLICY, specifies a list of policy domains that can no longer be managed by a restricted policy administrator. (The administrator was authorized to manage these domains until the REVOKE command was issued.) This parameter is optional. The items in the list are separated by commas, with no intervening spaces. You can use wildcard characters to specify a name. Authority for all matching domains is revoked. If DOMAINS is specified, the parameter CLASSES=POLICY is optional.
STGpools
Specifies a list of storage pools that can no longer be managed by a restricted policy administrator. (The administrator had been authorized to manage these storage pools until the REVOKE command was issued.) This parameter is optional. The items in the list are separated by commas, with no intervening spaces. You can use wildcard characters to specify a name. Authority for all matching storage pools will be revoked. If STGPOOLS is specified then the parameter CLASSES=STORAGE is optional.

Usage notes

  1. To change an unrestricted storage administrator to a restricted storage administrator, you must first use this command to revoke the unrestricted privilege. Then, use the GRANT AUTHORITY command to grant the administrator restricted storage privilege and to identify the storage pools to which the administrator has authority.

    To revoke unrestricted storage privilege from an administrator, specify the CLASSES=STORAGE parameter. You cannot use the STGPOOLS parameter to revoke authority for selected storage pools from an unrestricted storage administrator.

  2. To change an unrestricted policy administrator to a restricted policy administrator, you must first use this command to revoke the unrestricted privilege. Then, use the GRANT AUTHORITY command to grant the administrator restricted policy privilege and to identify the policy domains to which the administrator has authority.

    To revoke unrestricted policy privilege from an administrator, specify the CLASSES=POLICY parameter. You cannot use the DOMAINS parameter to revoke authority for selected domains from an unrestricted administrator.

Example: Revoke certain administrative privileges

Revoke part of administrator CLAUDIA’s privileges. CLAUDIA has restricted policy privilege for the policy domains EMPLOYEE_RECORDS and PROG1. Restrict CLAUDIA’s policy privilege to the EMPLOYEE_RECORDS policy domain.
revoke authority claudia classes=policy 
domains=employee_records

Example: Revoke all administrative privileges

Administrator LARRY currently has operator and restricted policy privilege. Revoke all administrative privileges for administrator LARRY. To revoke all administrative privileges for an administrator, identify the administrator, but do not specify CLASSES, DOMAINS, or STGPOOLS. LARRY remains an administrator but he can only use those commands that can be issued by any administrator.
revoke authority larry

Example: Revoke node privilege

Help desk personnel user CONNIE currently has node privilege with client owner authority for client node WARD3. Revoke her node privilege with client owner authority.
revoke authority connie classes=node 
authority=owner node=ward3

Related commands

Table 1. Commands related to REVOKE AUTHORITY
Command Description
GRANT AUTHORITY Assigns privilege classes to an administrator.
QUERY ADMIN Displays information about one or more Tivoli® Storage Manager administrators.
Parent topic: REVOKE commands

Feedback