Tuesday, March 11, 2008

ITM 6.1 Security Issues - oh my...

In ITM 6.1, I can specify that a user only has rights to view certain types of agents. For example - User ID "billy" has been assigned "Windows OS" agents in the "Application" tab of the User Administrator from the TEP.

The problem is - these security rights do NOT pass through to the command line. I can successfully log in using the tacmd command, issue a tacmd listsystems and see all agents connected to the HUB TEMS. Going one step further, I was able to successfully issue a "tacmd restartAgent" against a DB2 agent.

Workaround? Well, you can restrict access to the tacmd binary to only a specific user group. But there is another problem. I can still write a SOAP method to connect to the SOAP and restart agents, stop agents, write messages to the UMC and much, much more.

This happens whether or not Security is turned on at the HUB TEMS.

Granted - I still have to log in and authenticate against the HUB TEMS - but the point is don't get caught with a false sense of security - because if the user can log in - they see everything, one way or another.
