How You Create Additional Users Without Administrator Privileges (Ingres Databases)

Only nsmadmin and the install user (usually Administrator) can run Discovery after CA NSM is installed. You may want to give other users authority to run Discovery without giving them administrator privileges.

To create a user without administrator privileges, follow these steps:

  1. Manually create a Windows user and add it to the TNDUsers group.
  2. Manually create an Ingres user VisualDBA with uniadmin as its default group.
  3. Modify the security permissions of the Program Files\CA\SharedComponents\CCS\Discovery folder to allow users of the TNDUsers group to modify, read and execute, list folder contents, and to have read and write access.
  4. Run the modp command using the nsmadmin user and password.

Note: For more information about the modp command, see the online CA Reference.

WorldView Security

The topics that follow explain WorldView security considerations.

Set up Read-Only Windows-Authenticated Users (Microsoft SQL Server Databases)

You can set up read-only users for the WorldView tables in the MDB. A read-only user is not permitted to perform any operations in Unicenter MCC or the WorldView Classic GUI that may update the WorldView MDB data.

Note: Using this procedure to apply read-only access affects only WorldView data in the MDB. It does not affect DSM, Enterprise Management, or other data providers.

To set up read-only Windows-authenticated users

  1. Create a Windows group called TNDReadOnly with only two operating system rights: Logon as a Batch Job, and Replace a Process Level Token.

    Note: Use the Local Security Policy GUI to set up the operating system rights.

  2. Define the TNDReadOnly group to Microsoft SQL Server using the Enterprise Manager, and assign the wvuser role to this group.
  3. Add any Windows users that you want to have read-only permissions for Unicenter MCC to the TNDReadOnly group.

    Important! Do not add these Windows users to the TNDUsers group.

    The user has read-only permission for WorldView data.
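
The check below is an added example, not part of the CA documentation: it reports accounts that are direct members of both TNDReadOnly and TNDUsers, the overlap that the Important note above prohibits. It assumes both are local groups on the computer where it runs; the function names and the sample host and account names are constructed for illustration.

```powershell
param([switch]$Live)   # -Live reads the real local groups; the default uses sample data

function Get-GroupOverlap {
    # Returns every name present in both lists. PowerShell string comparison
    # is case-insensitive, which matches how Windows treats account names.
    param([string[]]$ReadOnlyMembers, [string[]]$ReadWriteMembers)
    $ReadOnlyMembers | Where-Object { $_ -in $ReadWriteMembers } | Sort-Object -Unique
}

function Get-GroupMemberNames {
    # Direct members only: a user who reaches a group through a nested
    # group is not expanded here, so review nested groups separately.
    param([string]$Group)
    Get-LocalGroupMember -Group $Group -ErrorAction Stop | ForEach-Object { $_.Name }
}

if ($Live) {
    $readOnly  = @(Get-GroupMemberNames -Group 'TNDReadOnly')
    $readWrite = @(Get-GroupMemberNames -Group 'TNDUsers')
} else {
    # Constructed sample data (hypothetical host and account names).
    $readOnly  = @('HOST01\wvviewer1', 'HOST01\wvviewer2', 'HOST01\opsuser')
    $readWrite = @('HOST01\nsmadmin', 'host01\OpsUser')
}

# @() keeps the result an array even when there is no overlap.
$overlap = @(Get-GroupOverlap -ReadOnlyMembers $readOnly -ReadWriteMembers $readWrite)

if ($overlap.Count -gt 0) {
    foreach ($account in $overlap) {
        Write-Warning "$account is in both TNDReadOnly and TNDUsers"
    }
} else {
    Write-Output 'No account is a member of both TNDReadOnly and TNDUsers.'
}
```

With the sample data the script warns about HOST01\opsuser, which appears in both lists with different casing.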

Set Up Read-Only Microsoft SQL Users for WorldView

You can set up read-only users for the WorldView tables in the MDB. A read-only user is not permitted to perform any operations in Unicenter MCC or the WorldView Classic GUI that may update the WorldView MDB data.

Note: Using this procedure to apply read-only access affects only WorldView data in the MDB. It does not affect DSM, Enterprise Management, or other data providers.

To set up read-only Microsoft SQL Server users

  1. Create a Microsoft SQL Server user that will be the WorldView read-only user, for example, wvreadonly.
  2. Assign the Microsoft SQL Server user to the database role of wvuser.

    The user has read-only permission for WorldView data.

Set Up Read-Only Users for WorldView (Ingres Databases)

You can set up read-only users in Ingres for the WorldView tables in the MDB when Data Scoping is not active. A read-only user is not permitted to perform any operations in the Management Command Center and the WorldView Classic GUI that may update the WorldView MDB data.

Note: Using this procedure to apply read-only access affects only WorldView data in the MDB. It does not apply the same access to DSM, Enterprise Management, or other data providers.

To set up read-only users for WorldView

  1. Create an operating system user that will be the WorldView read-only user, for example, wvreadonly.
  2. (Windows only) Assign the operating system user to the TNDUsers operating system group if you want the user to have access to WorldView data using the Management Command Center.
  3. Add an Ingres user of the same name (that is, wvreadonly) to Ingres and assign it to the default group of wvuser.

    Note: On UNIX/Linux, you can use the add_ingres_user script in the $CAIGLBL0000/wv/script directory to do this automatically.

    The user has read-only permission for WorldView data.

Note: Do not use the database security permissions of a particular user for implementing read-only users when Data Scoping is active.

Connect Remotely to Another MDB Using WorldView Classic (Windows)

To connect remotely to another MDB using WorldView Classic, you must connect to a logical repository. If a logical repository does not exist, you must first define one. See Define a Logical Repository.

To connect remotely to another MDB

  1. Click Start, Programs, CA, Unicenter, NSM, WorldView, and select the name of the component you want to start (2D Map, Object Browser, Class Browser, and so forth).

    The Select Repository dialog appears.

  2. Select the name of the logical repository you want to connect to.

    Note: If the name does not appear in the drop-down, click Find and select the name, or type the name of the logical repository.

    You are connected to the logical repository, and the WorldView Classic GUI component opens.

    Note: When you start the 2D Map using the catng2d command, use the /R parameter to specify the logical repository. Do not use the /U and /P parameters if you are using an Ingres database.

Connect to a Remote Repository

You may be responsible for managing multiple installations of CA NSM and may need to connect to a remote MDB to run CA NSM applications that update the remote MDB.

To connect to a remote repository

  1. From the CA NSM client computer, define a logical repository for the MDB.

    Note: When creating the logical repository, you must know the Administrator account that was defined for the remote server, as well as its password.

  2. (Windows only) If you installed management components, run the modp command using the Administrator account and password for the remote server and the name of the logical repository that you defined:
    modp -r repository_name -u userid -n password

Example: Connect to a Remote Repository

The computer unixp is a CA NSM client, and uswv01 is the name of the WorldView server where the MDB resides. On unixp, define a logical repository named uswv01a to associate with the MDB on uswv01 using the nsmadmin user ID and password for uswv01. If unixp contains CA NSM management components, run modp to define the nsmadmin user ID and password for uswv01. You can now connect to uswv01a and run WorldView and Discovery applications (Discovery is a management component) from unixp, and the data is stored in the MDB on uswv01.

Define a Logical Repository (Windows)

Before you can connect remotely to an MDB, you must define a logical repository.

To define a logical repository

  1. Click Start, Programs, CA, Unicenter, NSM, WorldView, Define Logical Repository.

    The CA NSM Repository Creation wizard appears.

    Note: You can also run the iirepdef command or click Define on the Select Repository dialog to start the CA NSM Repository Creation wizard.

  2. Enter a logical name to associate with the MDB on the server to which you want to connect, and click Next.

    The Access Type page appears.

  3. Select CA Ingres (Ingres Databases) or SQL Server (Microsoft SQL Server databases) and click Next.

    The Server Name page appears.

  4. Enter information in the following fields, and click Next.

    Server Name

    Specifies the name of the MDB server, which must already exist.

    Server User (Ingres databases only)

    Specifies the name of the CA NSM user ID for access to the MDB.

    Server Password (Ingres databases only)

    Specifies the password for the Server User.

    Server Installation Code (Ingres databases only)

    Specifies the name of the Ingres Installation ID used when the MDB was installed. The default is EI.

    Instance Name (Microsoft SQL Server databases only)

    Specifies the name of the Microsoft SQL Server instance used when the MDB was installed.

  5. Click Define Repository, and click Finish.

    You are connected to the MDB, and the logical repository is defined.

    Note: If the connection to the MDB fails, you receive an error and the wizard reappears. Typically, this signifies that you do not have the proper credentials to connect to the MDB. For the proper credentials, see your CA NSM administrator.

Define a Logical Repository (UNIX/Linux)

Before you can connect remotely to an MDB, you must define a logical repository.

To define a logical repository, run the iirepdef command. For more information about the iirepdef command, see the online CA Reference.

Management Command Center Security

The topics that follow explain Management Command Center security.

Access to the Management Command Center

In a typical installation of CA NSM, the Management Command Center is run remotely from a client computer. Since the MCC is accessing information about Unicenter Manager servers, you must supply a user ID and password for that type of manager before you can access any of the network information using the Management Command Center. The following is a list of things to consider when assigning user IDs to access Management Command Center: