User Access Control
As an administrator, you can control the users' access to domains and agents in the Monitoring Console, by specifying the access rights in a configuration file.
The configuration file is stored at the following location on the LogLogic LMI appliance:
/loglogic/logu/hawkconsolenode/conf/monitoring_console_user_access_list.cfg
In this file, you must specify the access rights for each user on a separate line. Similarly, if the same user has multiple access rights, then you must specify each access right on a separate line. The access rights must be specified in the following format:
<username> <access_rights>
When specifying the access rights, consider the following points:
- An exclamation mark (!) at the beginning of the row indicates an access restriction, whereas omitting the exclamation mark (!) indicates an access permission.
- <username>: This is the LogLogic LMI user. To indicate all users, you can use asterisk (*) as a wildcard.
- <access_rights>: You can specify one or more of the values - agent name, agent DNS, and domain name - as required.
  - If you specify multiple values, then the values must be in this sequence: agent name, agent DNS, and domain name. These values must be separated either by a space or colon (:), and must be enclosed in double quotes (" ").
    For example:
    "agent1 DNS1 domain1"
    or
    "agent1:DNS1:domain1"
  - To indicate all agents, or all DNS, or all domains, you can use asterisk (*) as a wildcard.
For sample scenarios and the corresponding entries in the configuration file, see the Examples section.
Procedure
- Edit the monitoring_console_user_access_list.cfg file to add the permissions and restrictions.
- Restart Monitoring Console by running the following command:
  mtask -s engine_lldaemon restart
Examples
Consider that you want to configure the access control scenarios for admin, user-1, and user-2. The corresponding entries for those access rights are listed in the following table.
| User | Required access rights | Entry in the .cfg file |
|---|---|---|
| admin | Allow access to all domains | admin * |
| user-1 | Allow access to agent-1 in lmi_domain with dns-1, and to all agents in lmi_domain-2 | user-1 "agent-1 dns-1 lmi_domain"<br>user-1 "* * lmi_domain-2" |
| user-2 | Allow access to agent-2 of any domain, but no access to the lmi_domain-2 domain | user-2 agent-2<br>!user-2 "* * lmi_domain-2" |
Therefore, make the following entries in the monitoring_console_user_access_list.cfg file:
admin *
user-1 "agent-1 dns-1 lmi_domain"
user-1 "* * lmi_domain-2"
user-2 agent-2
!user-2 "* * lmi_domain-2"
For detailed information about user-based access control, see TIBCO® Operational Intelligence Hawk® RedTail 7.1.0 Installation, Configuration, and Administration.
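A check you can run on the file before restarting Monitoring Console, given here as an added example that is not part of the product or its documentation: it parses each entry in the format described above, reports lines that break the stated rules, and lists permission entries that rely only on wildcards so they can be reviewed. The function names and the last two sample lines are constructed for illustration, and how Monitoring Console itself treats a malformed line is not covered here.

```python
import re

# Entry shape from the page: optional "!", <username>, then <access_rights>.
LINE_RE = re.compile(r'^(!?)(\S+)\s+(.+)$')

# First five lines are the page's entries; the last two are constructed mistakes.
SAMPLE = '''admin *
user-1 "agent-1 dns-1 lmi_domain"
user-1 "* * lmi_domain-2"
user-2 agent-2
!user-2 "* * lmi_domain-2"
user-3 agent-3 dns-3 lmi_domain
user-4 "agent-4:dns-4:lmi_domain
'''

def parse_entry(line):
    """Return (deny, user, values) for one entry, or raise ValueError."""
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError("expected: [!]<username> <access_rights>")
    deny, user, rights = m.group(1) == "!", m.group(2), m.group(3).strip()
    if '"' in rights:
        if len(rights) < 2 or rights[0] != '"' or rights[-1] != '"' or '"' in rights[1:-1]:
            raise ValueError("unbalanced double quotes")
        values = [v for v in re.split(r'[ :]+', rights[1:-1]) if v]
    else:
        values = rights.split()
        if len(values) > 1 or ":" in rights:
            raise ValueError("multiple values must be enclosed in double quotes")
    if not 1 <= len(values) <= 3:
        raise ValueError("expected 1 to 3 values: agent name, agent DNS, domain name")
    return deny, user, values

def lint(text):
    """Parse every non-blank line; return (entries, problems)."""
    entries, problems = [], []
    for lineno, line in enumerate(text.splitlines(), 1):
        if line.strip():
            try:
                entries.append(parse_entry(line))
            except ValueError as exc:
                problems.append((lineno, str(exc)))
    return entries, problems

def broad_grants(entries):
    """Permission entries that cover every user, or use only wildcards as values."""
    return [e for e in entries if not e[0] and (e[1] == "*" or set(e[2]) == {"*"})]

if __name__ == "__main__":
    entries, problems = lint(SAMPLE)
    print(problems, broad_grants(entries))
```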
Limitations
- The access control list is applicable to Hawk domains that conform to the Trusted security policy.
  - For information about domain settings, see Configuring a Hawk domain.
  - For information about security policies, see the "Authorization at the REST API Layer" section in TIBCO® Operational Intelligence Hawk® RedTail Installation, Configuration, and Administration.
- In the classic Hawk console of TIBCO® Operational Intelligence Hawk® RedTail, you can use this mechanism to control access up to the node microagent and node methods; but not in LogLogic LMI. In the monitoring_console_user_access_list.cfg file of LogLogic LMI Monitoring Console, even if you specify access rights at the microagent or method levels, those lines in the file are ignored.