Tivoli Storage Manager for Sun Solaris Administrator's Reference
Use this command to grant an administrator one or more administrative
privilege classes, and authority to access client nodes.
You cannot grant restricted privilege to an unrestricted policy or
unrestricted storage administrator. You must use the REVOKE AUTHORITY
command to remove the administrator's unrestricted privilege, then use
this command to grant restricted privilege to the administrator.
Privilege Class
To issue this command, you must have system privilege.
Syntax
>>-GRant AUTHority--admin_name---------------------------------->

                      .-,-----------------.
                (1)   V                   |
>----CLasses-------=----+-SYstem-------+--+--------------------->
                        +-Policy-------+
                        +-STorage------+
                        +-Operator-----+
                        +-Analyst------+
                        '-Node--| A |--'

>-----+--------------------------------------+------------------>
      |                  .-,--------------.  |
      |            (1)   V                |  |
      '-DOmains-------=-----domain_name---+--'

>-----+-------------------------------------+------------------><
      |                   .-,------------.  |
      |             (1)   V              |  |
      '-STGpools-------=-----pool_name---+--'

A
    .-AUTHority--=--Access-----.
|---+--------------------------+---+-DOmains=domain_name-+------|
    '-AUTHority--=--+-Access-+-'   '-NOde=node_name------'
                    '-Owner--'

Notes:
1. You must specify one or more of these parameters.
Parameters
- admin_name (Required)
- Specifies the name of the administrator being granted an administrative
privilege class.
- CLasses
- Specifies one or more privilege classes to grant to an
administrator. This parameter is required, except when you specify the STGPOOLS
parameter. You can specify more than one privilege class by separating each
with a comma. Possible classes are:
- SYstem
- Specifies that you want to grant system privilege to an
administrator. A system administrator has the highest level of
authority in TSM. A system administrator can issue any administrative
command and has authority to manage all policy domains and all storage
pools. Do not specify additional privilege classes or the DOMAINS or
STGPOOLS parameters when granting system privilege to an administrator.
Only a system administrator can grant authority to other
administrators.
- Policy
- Specifies that you want to grant policy privilege to an
administrator. If you do not specify the DOMAINS parameter,
unrestricted policy privilege is granted. An unrestricted policy
administrator can issue commands that affect all existing policy domains as
well as any policy domains that are defined in the future. An
unrestricted policy administrator cannot define, delete, or copy policy
domains. Use the GRANT AUTHORITY command with CLASSES=POLICY and no
DOMAINS parameter to upgrade a restricted policy administrator to an
unrestricted policy administrator.
- STorage
- Specifies that you want to grant storage privilege to an
administrator. If the STGPOOLS parameter is not specified, unrestricted
storage privilege is granted. An unrestricted storage administrator can
issue all commands that allocate and control storage resources for the
server. An unrestricted storage administrator can issue commands that
affect all existing storage pools as well as any storage pools that are
defined in the future. An unrestricted storage administrator cannot
define or delete storage pools. Using the GRANT AUTHORITY command with
CLASSES=STORAGE and no STGPOOLS parameter upgrades a restricted storage
administrator to an unrestricted storage administrator.
- Operator
- Specifies that you want to grant operator privilege to an
administrator. An administrator with operator privilege can issue
commands that control the immediate operation of the server and the
availability of storage media.
- Analyst
- Specifies that you want to grant analyst privilege to an
administrator. An administrator with analyst privilege can issue
commands that reset the counters which track server statistics.
- Node
- Specifies that you want to grant a node privilege to a user. A user
with client node privilege can remotely access a web backup-archive client
with an administrative user ID and password if they have been given owner
authority or access authority. Access authority is the default for a
node privilege class.
Note: When you specify the node privilege class, you must also specify either the
DOMAIN parameter or the NODE parameter, but not both.
- AUTHority
- Specifies the authority level of a user with node privilege. This
parameter is optional.
If an administrator already has system or policy privilege to the policy
domain to which the node belongs, this command will not change the
administrator's privilege. Possible authority levels are:
- Access
- Specifies that you want to grant client access authority to a user with
the node privilege class. This is the default when CLASSES=NODE is
specified. A user with client access authority can access a web
backup-archive client and perform backup and restore actions on that
client.
Note: A user with client access authority cannot access that client from another
system by using the -NODENAME parameter.
A client node can set the REVOKEREMOTEACCESS option to restrict a user that
has node privilege with client access authority from accessing a client
workstation that is running a web client. This option does not apply to
administrators with client owner authority, system privilege, or policy
privilege to the policy domain to which the node belongs.
- Owner
- Specifies that you want to grant client owner authority to a user with the
node privilege class. A user with client owner authority can access a
web backup-archive client through the web client interface and also access
their data from another client using the -NODENAME parameter.
- DOmains
- Specifies that you want to grant to the administrator client access or
client owner authority to all clients in the specified policy domain.
You cannot use this parameter together with the NODE parameter.
- NOde
- Specifies that you want to grant the administrator client access or client
owner authority to the node. You cannot use this parameter together
with the DOMAIN parameter.
- DOmains
- Specifies that you want to grant restricted policy privilege to an
administrator.
Restricted policy privilege permits an administrator to issue a subset of
the policy commands for the domains to which the administrator is
authorized. You can use this parameter to grant additional policy
domain authority to a restricted policy administrator. This parameter
is optional. You can specify more than one policy domain by delimiting
each policy domain name with a comma.
You can use wildcard characters to specify a name. Authority for all
matching policy domains is granted.
- STGpools
- Specifies that you want to grant restricted storage privilege to an
administrator. If the STGPOOLS parameter is specified, then
CLASSES=STORAGE is optional.
Restricted storage privilege permits you to issue a subset of the storage
commands for the storage pools to which the administrator is
authorized. You can use this parameter to grant additional storage pool
authority to a restricted storage administrator. This parameter is
optional. You can specify more than one storage pool by delimiting each
storage pool name with a comma.
You can use wildcard characters to specify a name. Authority for all
matching storage pools is granted.
Examples
Task 1
Grant system privilege to administrator LARRY.
- Command:
- grant authority larry classes=system
Task 2
Specify additional policy domains that the restricted policy administrator
CLAUDIA can manage.
- Command:
- grant authority claudia domains=employee_records,prog1
Task 3
Provide administrator TOM with unrestricted storage privilege and
restricted policy privilege for the domains whose names start with EMP.
- Command:
- grant authority tom classes=storage domains=emp*
Task 4
Grant node privilege to user HELP so that help desk personnel can assist
the client node LABCLIENT in backing up or restoring data without having other
higher-level TSM privileges.
- Command:
- grant authority help classes=node node=labclient
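A change-review check for the rules in the Parameters section, as an added example that is not part of the IBM reference: it parses one GRANT AUTHORITY command line and reports combinations the text disallows, plus grants that are broader than they look (system, unrestricted policy or storage, wildcards, owner authority). The function names and message wording are hypothetical, and it assumes the capitalised part of each keyword in the syntax diagram is its shortest accepted abbreviation.

```python
import re

# Keyword spellings copied from the syntax diagram above. Assumption: the
# capitalised prefix of each keyword is its shortest accepted abbreviation.
CLASSES = ["SYstem", "Policy", "STorage", "Operator", "Analyst", "Node"]
PARAMS = ["CLasses", "DOmains", "STGpools", "AUTHority", "NOde"]

def expand(word, table):
    """Map a possibly abbreviated keyword to its full upper-case name."""
    for full in table:
        shortest = len(re.match(r"[A-Z]+", full).group())
        if len(word) >= shortest and full.upper().startswith(word.upper()):
            return full.upper()
    raise ValueError(f"unknown keyword: {word!r}")

def review_grant(command):
    """Return (admin_name, findings) for one GRANT AUTHORITY command line."""
    verb, noun, admin, *rest = command.split()
    expand(verb, ["GRant"])      # ValueError if this is not GRANT AUTHORITY
    expand(noun, ["AUTHority"])
    opts = {}
    for token in rest:
        key, _, value = token.partition("=")
        opts[expand(key, PARAMS)] = value.upper().split(",")
    classes = {expand(c, CLASSES) for c in opts.get("CLASSES", [])}
    scoped = [n for p in ("DOMAINS", "STGPOOLS") for n in opts.get(p, [])]
    findings = []
    if not classes and not scoped:
        findings.append("ERROR: no CLASSES, DOMAINS or STGPOOLS given")
    if "SYSTEM" in classes:
        findings.append("WARN: SYSTEM can issue any administrative command")
        if len(classes) > 1 or scoped:
            findings.append("ERROR: SYSTEM must not be combined with other "
                            "classes, DOMAINS or STGPOOLS")
    if "NODE" in classes:
        if ("DOMAINS" in opts) == ("NODE" in opts):
            findings.append("ERROR: CLASSES=NODE needs DOMAINS or NODE, not both")
        if opts.get("AUTHORITY") == ["OWNER"]:
            findings.append("WARN: OWNER allows access from another client "
                            "with -NODENAME")
    if "POLICY" in classes and "DOMAINS" not in opts:
        findings.append("WARN: unrestricted policy, covers future domains")
    if "STORAGE" in classes and "STGPOOLS" not in opts:
        findings.append("WARN: unrestricted storage, covers future pools")
    for name in scoped:
        if "*" in name:
            findings.append(f"WARN: wildcard {name} grants every match")
    return admin, findings
```

Run over the four tasks above, it passes Tasks 2 and 4 without findings, flags Task 1 as a system grant, and flags Task 3 for both unrestricted storage and the EMP* wildcard.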
Related Commands
Table 132. Commands Related to GRANT AUTHORITY

| Command | Description |
|---|---|
| QUERY ADMIN | Displays information about one or more TSM administrators. |
| REVOKE AUTHORITY | Revokes one or more privilege classes or restricts access to policy domains and storage pools. |