Posted: 31 Mar 2016 11:44 EDT Last activity: 28 Apr 2016 10:01 EDT
AES - How to disable administrative operations on nodes that are monitored by AES?
In the Enterprise Health console, AES 7.1 (and 7.1.7) offers a number of administrative operations on the monitored nodes, for example stop/interrupt requestors, start/stop agents, start listeners, and so on. This is true for both the AESManager access group and for the AESUser access group.
For security reasons, these types of administrative operations are not allowed for certain AES user groups (e.g. internal developers or a system integrator) on production nodes that are monitored by AES. Nevertheless, it makes sense to grant the mentioned user groups (i.e. internal developers or a system integrator) read access to AES for a production environment to analyse performance problems (i.e. alerts) and/or errors (i.e. exceptions).
So my question is: how can we disable all administrative operations on nodes that are monitored by AES for certain AES user groups?
Currently there is an option to restrict aesuser from doing start/stop operations on agents and listeners.
For that to work, the DSS 'AES/Security/ClusterResources/StartStopAccess' should be set to true.
At a more granular level, if this global DSS 'AES/Security/ClusterResources/StartStopAccess' is true and a user does not have CanStartStopListener or CanStartStopAgent, they will not have access to start or stop agents or listeners.
I have tested the DSS setting on our AES test environment (AES 7.1.7). For agents it seems to work as expected. The menu items in the context menu to change an agent (i.e. "Start", "Stop", "Restart", "Delay") are greyed out for a user who belongs to the "AESUser" access group. But for listeners it is not working correctly. The big button "Start Listener" is greyed out resp. deactivated. So far so good. But the menu items in the context menu to change a listener (i.e. "Stop", "Restart") are not deactivated and can still be used. I assume this is a kind of bug. Shall I raise an SR to get a hotfix for this or is a hotfix for this already available?
Unfortunately the DSS setting has no effect on requestors. It is still possible to stop or interrupt any requestor on a node that is monitored by AES.
I think the requirement to disable all administrative operations on nodes that are monitored by AES for a certain AES user group is something comprehensible. Do you have any plans to add something like this to AES in the near future? If yes, when can we expect this?
I have created the SR-A23021 - "DSS 'AES/Security/ClusterResources/StartStopAccess' not working (as expected)" now to get a hotfix for the misbehavior related to listeners described above.
I have sent John Aliberti a private message about how to raise an AES product enhancement request for the requirement to disable all administrative operations on nodes that are monitored by AES for a certain AES user group.