Plan for security
Security planning includes choosing a security option, deciding which users work with each Control Desk application, and, optionally, deciding which users can work with which configuration items.
Each service management process defines its own roles. If you install more process managers, additional roles for those processes are added.
These process roles are based on roles defined in the Information Technology Infrastructure Library (ITIL). IBM® implements ITIL using IBM Tivoli® Unified Process.
You must decide whether to use the roles defined by the service management processes, or define your own.
The roles defined by the processes are implemented as security groups. You can assign each defined user to one or more security groups. The users can then perform the responsibilities assigned to those roles. You can modify the applications that members of each security group can use in the Security Groups application.
Choosing a security option
Control Desk offers three options for managing your users and their memberships in security groups.
When you install Control Desk, you must choose one of three options for managing users and groups. This choice applies to all products that you install together. If you are installing Control Desk with another product already installed, the choice you made when installing the first product is used for Control Desk.
The security option you choose determines how your system performs authentication and authorization:
- Authentication is the validation of a user signing in to Control Desk.
- Authorization uses security groups to control which users can work with each application.

The three options are:

- Use WebSphere® application security for authentication and authorization
  This option was required in previous releases of Control Desk. With this option, you create all your users and security groups in your directory (LDAP) server. This information is then updated in your Maximo® database using a cron task.
  When you install Control Desk, if you choose automatic configuration of your directory server, the roles for change management and configuration management are defined.
  The directory server containing the user and group definitions is configured to work with Virtual Member Manager within WebSphere Application Server.
- Use WebSphere application security for authentication only
  With this option, you create all your users in your directory server. However, you manage their membership using the security groups in the base services Security Groups application.
- Use Maximo security for authentication and authorization
  With this option, a directory server is not required. You create and manage users and groups in the base services Users and Security Groups applications, separately from any corporate user data you might have.
  This security option is the only available option if you are using WebLogic for your J2EE server.
  With this option, you cannot configure single sign-on to launch in context to the TADDM interface without providing credentials. You have to define users in TADDM as well as in Control Desk and make sure that you coordinate their maintenance. When you launch in context to the TADDM interface, you always have to provide credentials that TADDM recognizes. You cannot synchronize access collection definitions between Control Desk and TADDM using this option.
Controlling access to configuration items
By default, any authenticated user can work with any configuration item (CI), using any application to which the user's role gives access. If you want, you can control which users can work with selected configuration items. You do this by organizing the configuration items into access collections.
Configuring security
After you finish installing Control Desk, you configure your security environment by creating users and assigning them to security groups, defining the applications that members of each security group can use, and, optionally, creating access collections.