Use this command to revoke one or more privilege classes from an administrator.

You can also use this command to reduce the number of policy domains to which a restricted policy administrator has authority and the number of storage pools to which a restricted storage administrator has authority.

If you use the REVOKE AUTHORITY command without the CLASSES, DOMAINS, and STGPOOLS parameters, you will revoke all privileges for the specified administrator.

At least one administrator must have system privilege; therefore, if the administrator is the only one with system privilege, you cannot revoke the authority.

Privilege class
To issue this command, you must have system privilege.

Syntax
>>-REVoke AUTHority--admin_name--------------------------------->

>--+-------------------------------------+---------------------->
   |                 .-,---------------. |
   |        (1)      V                 | |
   '-CLasses------=----+-SYstem------+-+-'
                       +-Policy------+
                       +-STorage-----+
                       +-Operator----+
                       '-Node--| A |-'

>--+-----------------------------+------------------------------>
   |             .-,-----------. |
   |             V             | |
   '-DOmains--=----domain_name-+-'

>--+--------------------------------+--------------------------><
   |                  .-,---------. |
   |         (1)      V           | |
   '-STGpools------=----pool_name-+-'

A

   .-AUTHority--=--Access-----.
|--+--------------------------+--+-DOmains--=--domain_name-+----|
   '-AUTHority--=--+-Access-+-'  '-NOde--=--node_name------'
                   '-Owner--'

Notes:
1. If all these parameters are omitted, all administrator privileges will be revoked for this administrator.

Parameters
- admin_name (Required)
  Specifies the name of the administrator whose administrative privilege is to be revoked or reduced.
- CLasses
  Specifies one or more administrative privilege classes to be revoked. You can specify more than one class by separating each with a comma.
  - SYstem
    Indicates that system authority is to be revoked for this administrator. If CLASSES=SYSTEM is specified, no other classes can be specified, and the DOMAINS and STGPOOLS parameters cannot be specified.
  - Policy
    Indicates that policy privilege is to be revoked for this administrator. To revoke all policy privilege, specify CLASSES=POLICY and do not specify the DOMAINS parameter.
  - STorage
    Indicates that storage privilege is to be revoked for this administrator. To revoke all storage privilege, specify CLASSES=STORAGE and do not specify the STGPOOLS parameter.
  - Operator
    Indicates that operator privilege is to be revoked for this administrator.
  - Node
    Indicates that node privilege is to be revoked for this user.
    - AUTHority
      Indicates the authority level to revoke for a user with node privilege. This parameter is optional.
      If an administrator already has system or policy privilege to the policy domain to which the node belongs, this command will not change the administrator's privilege.
      Possible authority levels are:
      - Access
        Indicates that client access authority is revoked. This is the default when CLASSES=NODE is specified.
        Note: A client node can set the REVOKEREMOTEACCESS option to prevent access by a user with node privilege and client access authority. If a user with node privilege has client owner authority, or has system or policy privileges to the policy domain to which the node belongs, that administrator can still access the web backup-archive client.
      - Owner
        Indicates that client owner authority is revoked.
    - DOmains
      Indicates that you want to revoke an administrator's client access or client owner authority to all clients in the specified policy domain. This parameter cannot be used together with the NODE parameter.
    - NOde
      Indicates that you want to revoke an administrator's client access or client owner authority to the node. This parameter cannot be used together with the DOMAIN parameter.
- DOmains
  When used with CLASSES=POLICY, specifies a list of policy domains that can no longer be managed by a restricted policy administrator. (The administrator was authorized to manage these domains until the REVOKE command was issued.) This parameter is optional. The items in the list are separated by commas, with no intervening spaces. You can use wildcard characters to specify a name. Authority for all matching domains is revoked. If DOMAINS is specified, the parameter CLASSES=POLICY is optional.
- STGpools
  Specifies a list of storage pools that can no longer be managed by a restricted policy administrator. (The administrator had been authorized to manage these storage pools until the REVOKE command was issued.) This parameter is optional. The items in the list are separated by commas, with no intervening spaces. You can use wildcard characters to specify a name. Authority for all matching storage pools will be revoked. If STGPOOLS is specified then the parameter CLASSES=STORAGE is optional.

Usage notes
- To change an unrestricted storage administrator to a restricted storage administrator, you must first use this command to revoke the unrestricted privilege. Then, use the GRANT AUTHORITY command to grant the administrator restricted storage privilege and to identify the storage pools to which the administrator has authority.
  To revoke unrestricted storage privilege from an administrator, specify the CLASSES=STORAGE parameter. You cannot use the STGPOOLS parameter to revoke authority for selected storage pools from an unrestricted storage administrator.
- To change an unrestricted policy administrator to a restricted policy administrator, you must first use this command to revoke the unrestricted privilege. Then, use the GRANT AUTHORITY command to grant the administrator restricted policy privilege and to identify the policy domains to which the administrator has authority.
  To revoke unrestricted policy privilege from an administrator, specify the CLASSES=POLICY parameter. You cannot use the DOMAINS parameter to revoke authority for selected domains from an unrestricted administrator.

Example: Revoke certain administrative privileges
Revoke part of administrator CLAUDIA’s privileges. CLAUDIA has restricted policy privilege for the policy domains EMPLOYEE_RECORDS and PROG1. Restrict CLAUDIA’s policy privilege to the EMPLOYEE_RECORDS policy domain by revoking her authority over PROG1.

revoke authority claudia classes=policy domains=prog1

Example: Revoke all administrative privileges
Administrator LARRY currently has operator and restricted policy privilege. Revoke all administrative privileges for administrator LARRY. To revoke all administrative privileges for an administrator, identify the administrator, but do not specify CLASSES, DOMAINS, or STGPOOLS. LARRY remains an administrator but he can only use those commands that can be issued by any administrator.

revoke authority larry

Example: Revoke node privilege
Help desk personnel user CONNIE currently has node privilege with client owner authority for client node WARD3. Revoke her node privilege with client owner authority.

revoke authority connie classes=node authority=owner node=ward3

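The parameter rules described above can be checked before a command is issued, for example in a change-review step. The following is an added example, not IBM code: the names `match` and `review_revoke` are hypothetical, and it assumes the capital letters in the syntax diagram mark the shortest accepted abbreviation of each keyword. It flags commands that would revoke more than intended and combinations the parameter descriptions disallow.

```python
import shlex

# Keywords from the syntax diagram. Assumption: the capital letters mark the
# shortest abbreviation the server accepts (e.g. CL for CLasses).
PARAMS = ["CLasses", "DOmains", "STGpools", "AUTHority", "NOde"]
CLASSES = ["SYstem", "Policy", "STorage", "Operator", "Node"]

def match(token, choices):
    """Resolve a possibly abbreviated keyword to its full upper-case name."""
    t = token.upper()
    for full in choices:
        minimum = sum(1 for c in full if c.isupper())
        if len(t) >= minimum and full.upper().startswith(t):
            return full.upper()
    raise ValueError(f"unknown keyword: {token}")

def review_revoke(command):
    """Return (admin_name, findings) for one REVOKE AUTHORITY command."""
    words = shlex.split(command)
    if len(words) < 3:
        raise ValueError("expected: REVoke AUTHority admin_name [parameters]")
    match(words[0], ["REVoke"])
    match(words[1], ["AUTHority"])
    opts = {}
    for word in words[3:]:
        key, _, value = word.partition("=")
        opts[match(key, PARAMS)] = value.upper().split(",")
    classes = [match(c, CLASSES) for c in opts.get("CLASSES", [])]
    findings = []
    if not opts.keys() & {"CLASSES", "DOMAINS", "STGPOOLS"}:
        findings.append("WARN: revokes ALL privileges for this administrator")
    if "SYSTEM" in classes and (
            len(classes) > 1 or opts.keys() & {"DOMAINS", "STGPOOLS"}):
        findings.append("ERROR: CLASSES=SYSTEM excludes other classes, DOMAINS, STGPOOLS")
    if "NODE" in classes:
        if "DOMAINS" in opts and "NODE" in opts:
            findings.append("ERROR: DOMAINS and NODE cannot be used together")
        level = match(opts.get("AUTHORITY", ["Access"])[0], ["Access", "Owner"])
        findings.append(f"INFO: revokes client {level.lower()} authority")
    for cls, scope in (("POLICY", "DOMAINS"), ("STORAGE", "STGPOOLS")):
        if cls in classes and scope not in opts:
            findings.append(f"WARN: revokes ALL {cls.lower()} privilege")
    return words[2].upper(), findings

if __name__ == "__main__":
    # Constructed sample commands, modelled on the examples above.
    for cmd in ("revoke authority larry", "rev auth claudia cl=policy do=prog1",
                "revoke authority connie classes=node authority=owner node=ward3"):
        print(cmd, "->", review_revoke(cmd))
```
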
Related commands
Table 1. Commands related to REVOKE AUTHORITY

Command | Description
GRANT AUTHORITY | Assigns privilege classes to an administrator.
QUERY ADMIN | Displays information about one or more Tivoli® Storage Manager administrators.