Administrator's Guide


Controlling Administrator Access to the Server

An administrator can control access to the server by registering and granting authority to administrators, renaming or removing an administrator, or by locking and unlocking an administrator from the server.

Registering Administrators or Updating Information


Task                                                                          Required Privilege Class
Register an administrator or update information about other administrators   System
Update information about yourself                                             Any administrator
Rename an administrator user ID                                               System
Remove other administrators from the server                                   System
Temporarily prevent other administrators from accessing the system            System

To register an administrator, specify a user ID and password. You also can provide contact information such as the user name and telephone number. Contact information is displayed when you query administrator information (FORMAT=DETAILED).

To register the administrator with a user ID of DAVEHIL and the password of birds, enter the REGISTER ADMIN command:

register admin davehil birds contact='backup team'
Note: At installation, the server console is defined with a special user ID, which is named SERVER_CONSOLE. This name is reserved and cannot be used by another administrator. At installation, the SERVER_CONSOLE user ID can be used to register other administrators and grant system privilege.

An administrator with system privilege can revoke or grant new privileges to the SERVER_CONSOLE user ID. However, you cannot update, lock, rename, or remove the SERVER_CONSOLE user ID from ADSM. The SERVER_CONSOLE user ID does not have a password. Therefore, you cannot use the user ID from an administrative client unless you set authentication off.

If, as an administrator, you forget your password, you can reset the password by issuing the UPDATE ADMINISTRATOR command. For example, the administrator DAVEHIL changes his password to ganymede by issuing the following command:

update admin davehil ganymede

Granting Administrative Authority


Task                                       Required Privilege Class
Grant authority to other administrators    System

After administrators are registered, they can make queries and request command-line help. To perform other ADSM functions, they must be granted authority by being assigned one or more administrative privilege classes.

This section describes the privilege classes, which are illustrated in Figure 35. An administrator with system privilege can perform any ADSM function. Administrators with policy, storage, operator, or analyst privileges can perform subsets of ADSM functions.

Figure 35. Administrative Privilege Classes




System Privilege

An administrator with system privilege can perform any ADSM administrative task.

The following tasks can be performed only by administrators with system privilege:

To grant the system privilege class to administrator KACZ, enter:

grant authority kacz classes=system

Unrestricted Policy Privilege

An administrator with unrestricted policy privilege can manage the backup and archive services for client nodes assigned to any policy domain. When new policy domains are defined to the server, an administrator with unrestricted policy privilege is automatically authorized to manage the new policy domains.

An administrator with unrestricted policy privilege can:

To grant unrestricted policy privilege to administrator SMITH, enter:

grant authority smith classes=policy

Restricted Policy Privilege

An administrator with restricted policy privilege can perform the same operations as an administrator with unrestricted policy privilege but only for specified policy domains.

An administrator with restricted policy privilege can:

To grant restricted policy privilege over the policy domain named ENGPOLDOM to administrator JONES, enter:

grant authority jones domains=engpoldom

Unrestricted Storage Privilege

An administrator with unrestricted storage privilege has the authority to manage the database, recovery log, and all storage pools.

An administrator with unrestricted storage privilege can:

Note: However, an administrator with unrestricted storage privilege cannot define or delete storage pools.

To grant unrestricted storage privilege to administrator COYOTE, enter:

grant authority coyote classes=storage

Restricted Storage Privilege

Administrators with restricted storage privilege can manage only those storage pools to which they are authorized. They cannot manage the database or recovery log.

For those authorized storage pools, administrators with restricted storage privilege can:

For example, assume that you have these tape storage pools: TAPEPOOL1, TAPEPOOL2, and TAPEPOOL3. To grant restricted storage privilege for these storage pools to administrator HOLLAND, you could enter:

grant authority holland stgpools=tape*

HOLLAND is restricted to managing storage pools beginning with "TAPE" that existed when the authority was granted. HOLLAND is not authorized to manage any storage pools that are defined after authority has been granted.

To add a new storage pool, TAPEPOOL4, to HOLLAND's authority, enter:

grant authority holland stgpools=tapepool4

Operator Privilege

Administrators with operator privilege control the immediate operation of the ADSM server and the availability of storage media.

An administrator with operator privilege can:

To grant operator privilege to administrator BILL, enter:

grant authority bill classes=operator

Analyst Privilege

An administrator with analyst privilege can issue commands that reset the counters that track server statistics.

To grant analyst privilege to administrator MARYSMITH, enter:

grant authority marysmith classes=analyst

Renaming an Administrator


Task                               Required Privilege Class
Rename an administrator user ID    System

You can rename an administrator ID when an employee wants to be identified by a new ID, or you want to assign an existing administrator ID to another person. You cannot rename an administrator ID to one that already exists on the system.

For example, if administrator HOLLAND leaves your organization, you can assign administrative privilege classes to another user by completing the following steps:

  1. Assign HOLLAND's user ID to WAYNESMITH by issuing the RENAME ADMIN command:
    rename admin holland waynesmith
    

    By renaming the administrator's ID, you remove HOLLAND as a registered administrator from the server. In addition, you register WAYNESMITH as an administrator with the password, contact information, and administrative privilege classes previously assigned to HOLLAND.

  2. Change the password to prevent the previous administrator from accessing the server by entering:
    update admin waynesmith new_password contact="development"
    
Note: The administrator SERVER_CONSOLE cannot be renamed.

Changing Administrative Authority


Task                                                         Required Privilege Class
Extend, revoke, or reduce administrative privilege classes   System

You can extend, revoke or reduce another administrator's authority.

Extending Administrative Privilege

Granting authority to an administrator adds to any existing privilege classes; it does not override those classes.

For example, JONES has restricted policy privilege for policy domain ENGPOLDOM.

Enter the following command to extend JONES' authority to policy domain MKTPOLDOM and add operator privilege:

grant authority jones domains=mktpoldom classes=operator

Revoking One or More Administrative Privilege Classes

You can revoke part of an administrator's authority by specifying the administrator's ID and one or more privilege classes.

Assume that, rather than revoking all of the privilege classes for administrator JONES, you want to revoke only his operator authority and his policy authorization to policy domain MKTPOLDOM.

Enter:

revoke authority jones classes=operator domains=mktpoldom

JONES still has policy privilege to the ENGPOLDOM policy domain.

Revoking All Administrative Privilege Classes

To revoke all administrative privilege classes, do not specify any privilege classes, policy domains, or storage pools. For example, to revoke both the storage and operator privilege classes from administrator JONES, enter:

revoke authority jones
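
The grant and revoke rules described above (additive grants, partial revokes, a bare REVOKE AUTHORITY, and the wildcard behavior from the HOLLAND storage pool example) can be traced in a small model. This is an added example, not ADSM code; the Python names and the DISKPOOL pool are hypothetical.

```python
# Added example: a simplified model of the GRANT/REVOKE AUTHORITY rules on this
# page. It is not ADSM code; Admin, grant, revoke and DISKPOOL are hypothetical.
from fnmatch import fnmatchcase

class Admin:
    def __init__(self, name):
        self.name = name
        self.classes = set()    # unrestricted classes, e.g. {"operator"}
        self.domains = set()    # policy domains (restricted policy privilege)
        self.stgpools = set()   # storage pools (restricted storage privilege)

def grant(admin, existing_pools=(), classes=(), domains=(), stgpools=()):
    """A grant adds to the privileges already held; it never replaces them."""
    admin.classes |= {c.lower() for c in classes}
    admin.domains |= {d.upper() for d in domains}
    for pattern in stgpools:
        # A wildcard is resolved against the pools that exist at grant time,
        # so a pool defined later is not covered by an earlier grant.
        admin.stgpools |= {p.upper() for p in existing_pools
                           if fnmatchcase(p.upper(), pattern.upper())}

def revoke(admin, classes=(), domains=(), stgpools=()):
    """Revoke the named items, or everything when nothing is named."""
    if not (classes or domains or stgpools):
        for held in (admin.classes, admin.domains, admin.stgpools):
            held.clear()
        return
    admin.classes -= {c.lower() for c in classes}
    admin.domains -= {d.upper() for d in domains}
    admin.stgpools -= {s.upper() for s in stgpools}

def demo():
    pools = ["TAPEPOOL1", "TAPEPOOL2", "TAPEPOOL3", "DISKPOOL"]  # constructed
    holland = Admin("HOLLAND")
    grant(holland, pools, stgpools=["tape*"])
    pools.append("TAPEPOOL4")                      # defined after the grant
    covered_early = "TAPEPOOL4" in holland.stgpools
    grant(holland, pools, stgpools=["tapepool4"])  # explicit follow-up grant
    jones = Admin("JONES")
    grant(jones, domains=["engpoldom"])
    grant(jones, domains=["mktpoldom"], classes=["operator"])
    revoke(jones, classes=["operator"], domains=["mktpoldom"])
    return covered_early, sorted(holland.stgpools), sorted(jones.domains), jones.classes
```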

Reducing Privilege Classes

You can reduce an administrator's authority simply by revoking one or more privilege classes and granting one or more other classes.

For example, administrator HOGAN has system authority. To reduce HOGAN to the operator privilege class, do the following:

  1. Revoke the system privilege class by entering:
    revoke authority hogan classes=system
    

  2. Grant operator privilege class by entering:
    grant authority hogan classes=operator
    

Removing Administrators


Task                                           Required Privilege Class
Remove other administrators from the server    System

You can remove administrators from the server so that they no longer have access to administrator functions. For example, to remove registered administrator ID SMITH, enter:

remove admin smith

Notes:

  1. You cannot remove the last system administrator from the system.
  2. You cannot remove the administrator SERVER_CONSOLE.

Locking and Unlocking Administrators from the Server


Task                                                                  Required Privilege Class
Temporarily prevent other administrators from accessing the system    System

You can lock out administrators to temporarily prevent them from accessing ADSM.

For example, administrator MARYSMITH takes a leave of absence from your business. You can lock her out by entering:

lock admin marysmith

When she returns, any system administrator can unlock her administrator ID by entering:

unlock admin marysmith

MARYSMITH can now access ADSM to complete administrative tasks.

Note: You cannot lock or unlock the SERVER_CONSOLE ID from the server.

Requesting Information about Administrators


Task                                 Required Privilege Class
Display administrator information    Any administrator

Any administrator can query the server to view administrator information. You can also query all administrators authorized with a specific privilege class.

For example, to query the system for a detailed report on administrator ID DAVEHIL, issue the QUERY ADMIN command:

query admin davehil format=detailed

Figure 36 displays a detailed report.

Figure 36. A Detailed Administrator Report

+--------------------------------------------------------------------------------+
|                                                                                |
|       Administrator Name: DAVEHIL                                              |
|    Last Access Date/Time: 1997.06.04 16.34.59                                  |
|   Days Since Last Access: <1                                                   |
|   Password Set Date/Time: 1997.05.09 23.54.20                                  |
|  Days Since Password Set: 26                                                   |
|    Invalid Sign-on Count: 0                                                    |
|                  Locked?: No                                                   |
|                  Contact:                                                      |
|         System Privilege: Yes                                                  |
|         Policy Privilege: ** Included with system privilege **                 |
|        Storage Privilege: ** Included with system privilege **                 |
|        Analyst Privilege: ** Included with system privilege **                 |
|       Operator Privilege: ** Included with system privilege **                 |
|   Registration Date/Time: 1997.05.09 23.54.20                                  |
|Registering Administrator: SERVER_CONSOLE                                       |
|                                                                                |
+--------------------------------------------------------------------------------+
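
A detailed report in the layout of Figure 36 can be reviewed mechanically for accounts that need attention. The following is an added example, not IBM code: the OPS1 record is constructed, the layout of a multi-administrator report (consecutive blocks) is assumed, and the 90-day and 60-day thresholds are assumptions of this example.

```python
# Added example (not IBM code): review QUERY ADMIN FORMAT=DETAILED output.
# DAVEHIL's values come from Figure 36; the OPS1 record is constructed.
SAMPLE = """\
|       Administrator Name: DAVEHIL            |
|   Days Since Last Access: <1                 |
|  Days Since Password Set: 26                 |
|    Invalid Sign-on Count: 0                  |
|                  Locked?: No                 |
|         System Privilege: Yes                |
|       Administrator Name: OPS1               |
|   Days Since Last Access: 75                 |
|  Days Since Password Set: 140                |
|    Invalid Sign-on Count: 3                  |
|                  Locked?: No                 |
|         System Privilege:                    |
"""

def parse_reports(text):
    """Split the report into one dict of field -> value per administrator."""
    admins = []
    for raw in text.splitlines():
        key, sep, value = raw.strip().strip("|").partition(":")
        if not sep:
            continue                  # box borders and blank rows
        key, value = key.strip(), value.strip()
        if key == "Administrator Name":
            admins.append({})         # a new administrator block starts here
        if admins:
            admins[-1][key] = value
    return admins

def days(value):
    """The report shows '<1' for less than one day; treat it as 0."""
    return 0 if value.startswith("<") else int(value or 0)

def findings(admin, max_pw_age=90, max_idle=60):
    """Return review flags; both thresholds are assumptions of this example."""
    flags = []
    if admin.get("System Privilege") == "Yes":
        flags.append("holds system privilege")
    if days(admin.get("Days Since Password Set", "")) > max_pw_age:
        flags.append("password older than %d days" % max_pw_age)
    idle = days(admin.get("Days Since Last Access", ""))
    if admin.get("Locked?") != "Yes" and idle > max_idle:
        flags.append("unlocked but idle more than %d days" % max_idle)
    if int(admin.get("Invalid Sign-on Count") or 0) > 0:
        flags.append("invalid sign-on attempts recorded")
    return flags

def audit(text=SAMPLE):
    return {a["Administrator Name"]: findings(a) for a in parse_reports(text)}
```

An unlocked but idle ID is a candidate for LOCK ADMIN, and an ID that no longer needs system privilege can be reduced with REVOKE AUTHORITY followed by GRANT AUTHORITY.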

