Security Principles

Every user possesses a security principle. In the web interface, the banner contains the principle for the current authenticated user.

For example:

Figure 1. Banner

By default, the user that starts the Monitor instance is granted the ADMIN security principle and all other authenticated users possess the USER principle. The ADMIN security principle is required for a user to access the Admin tab of the web interface. To change the security principle for a user, modify the licmon.swd/security.tcl file. The syntax for the security configuration line is:

# This is licmon.swd/security.tcl
vtk_security <username>|-group <vovusergroup> <principle> <hostlist>

Available principles are USER and ADMIN. The hostlist can be a single host name, a list of hosts, or a + wildcard character to represent all hosts. The host specification controls which hosts the user is allowed to have the associated security principle from. With regards to the web interface, this will always be the Monitor server machine. The CLI, however, allows for remote connectivity that can be used to perform Monitor system administration. The host specification provides granular control over the user/host combinations that are allowed to perform CLI administration commands.

In addition to users, VovUserGroups that exist in the system may be specified in the security.tcl file. These groups are managed with the vovusergroup utility, and can be derived from unix groups, LDAP, or user lists. More information about them can be found on the VovUserGroups page. In the below example, the VovUserGroup called "queuemgrs" is given admin rights when logging in from the IP address range shown.

# This is licmon.swd/security.tcl
vtk_security cadmgr    ADMIN +
vtk_security joe       ADMIN +
vtk_security -group queuemgrs ADMIN 192.168.10.1-192.168.10.55
vtk_security +         USER  +

Windows Domain Accounts

If the user who starts the Monitor instance is a domain account, the security configuration may need to be adjusted to specify the domain account as part of the user name. For example, if the authentication domain is "MYDOMAIN" for user "joe", the security configuration for ADMIN would need to resemble:

# This is the security.tcl file.
vtk_security "MYDOMAIN/joe" ADMIN +

The same should be applied for all other security principle assignments for Windows domain accounts.

Register Security Changes

When changes are made to the security configuration, the server must be instructed to read in the changes. This is accomplished by resetting Monitor via the System page under the Admin tab or with the following CLI commands:

% vovproject enable licmon
% vovproject reread
% vovproject sanity