Configuring application access

Be sure to include these considerations as you configure which security groups can open each application.

One of the important steps in configuring security is deciding which groups of users can open each application. You must set up your security groups and determine which applications can be used by members of each group. Here are some tips about specific precautions you should take.

Controlling access to the CI Lifecycles application

When configuring your security groups, do not give any of your customer-specific security groups access to the CI Lifecycles application. Only your global administrator groups (that have access to all of your CIs) should have access to the CI Lifecycles application. A non-global user can attempt to make changes that fail or succeed partially. For example, a non-global user can change the default lifecycle for a classification of CIs. If any CIs of that classification exist for which that user does not have authorization, the change fails. Creating and modifying CI lifecycles should be restricted to global administrators.

Using the correct set of applications

In Control Desk, IBM® Tivoli® Change Management for Internal Service Providers, and IBM Tivoli Change Management for Service Providers, there is a set of applications for which two copies are provided, one with (SP) at the end of the name. The applications with (SP) at the end of their names are for use by customers who have purchased one of the Change Management for Service Providers products. You must ensure that the correct versions of these applications are available to your users. Follow these guidelines to ensure that your users will see the correct versions of these applications:

If you have purchased and installed one of the Change Management for Service Providers products, enable access to the applications whose names end with (SP). Disable access to the corresponding non-SP versions of these applications. There is one exception to this: always enable the non-SP version of the Changes application. The Changes (SP) application is for customers who have not purchased any of the Control Desk products.

If you have purchased Control Desk, enable the versions of each application that do not end in (SP), and disable access to all the applications that end in (SP).

There is only one version of the Response Plans application. It shows customer-related actions that are appropriate only for a Service Provider environment. If you have purchased Control Desk, disable access to these actions.

Disable launch in context to TADDM

Users can launch from the Actual CIs application to the Tivoli Application Dependency Discovery Manager (TADDM) user interface to view details about a configuration item. The TADDM user interface does not restrict access to CIs based on customer associations. You should disable access to the launch in context function for all users except those whom you want to be able to work with all CIs regardless of customer associations.


