Default users and groups
The TMTM Application Service controls access to the TrueSight Middleware and Transaction Monitor (TMTM) Monitor Console and the Services. Using the Monitor Console's Security tab, you control who has access to the product and what functions they can access. The TMTM Application Service controls and enforces over 70 different TMTM and WebSphere MQ actions. (TMTM also enforces WebSphere MQ security through the Agent, which can also be secured.)
Access rights are based on user memberships in groups. The security administrator can enable or disable users or groups.
When passwords travel over the network, they are always protected by SSL encryption.
During the TMTM product installation, the following default TMTM users and groups are created and appear in the user and groups list on the Security tab, in the Security tab. Following integration with TrueSight Middleware Administrator (TSMA), the integration user groups and users are added to the lists.
TMTM users and groups
|Monitor Console Administrators||Group|
The installation program creates this group, which contains the default, SA, and BrowserService users. See System administrator (SA) User.
The Monitor Console Administrator group has full rights by default. Therefore, all users in that group have full rights.
This group provides database connection information. Every user must belong to this group or must have database information associated with the user in some other way if the user uses a utility command requiring user validation, such as the
Note: If users do not belong to the database_login group (or otherwise have valid database access credentials), at login, they might see a message indicating that access to the database has failed and their login fails. To remedy this problem, add the user to the database_login group from a working account Monitor Console Administrator group or any other group with the same permissions, and try logging in again.
Monitor Console Services
|Group||This group is for the internal use of BMC services.|
|BTM Administrators||Group||This group gives the user the ability to manage BTM Profiles, enable live updates, and unlock any orphaned locks of other users left from accessing the BTM tab when something abnormal happens, such as a network outage. Each BTM profile allows for setting additional Access Control so that you can better define who has the ability to create and modify BTM models and who may deploy the configuration. See Working with profiles. In high volume environments, live updates should be disabled to avoid overloading the Application Service and Monitor Console. Take care when using users that belong to this group as they have the permission to enable live updates for any model.|
|System administrator (SA)||User|
The SA account should not be used for normal operations. The default password for SA is BMCSOFTWARE. For security reasons, this password should be changed immediately after installation. To change the SA password you must be logged in as a member of the Monitor Console Administrator group or any other group with the same permissions.
The SA account is like any other user account. It can be disabled or removed as long as there is at least one enabled user with Security Manager capabilities in the group. To change the name of the SA account, copy the account, make the required name change to the copied version and delete the original. See "To duplicate a user" in Duplicating, editing, and deleting users and groups.
|Services||User||The TMTM Browser Service and Report Service (components of TMTM Application Service), TMTM Topic Service, TMTM Client Gateway Service, TMTM History Service, and TMTM Event Service are considered to be users by and of TMTM. A services user should not be deleted.|
TSMA integration users and groups
User that is created during the configuration of the TMTM integration with TSMA, including the TSMA Integration Configuration and TSMA Project Access permissions.
This user can use the mqtool utility, use the three TSMA options in the Object Repository Tab and execute the Create WMQ Connection policy action. Also, all groups with this permission are added as a TSMA Administrator when the TSMA integration is configured or reconfigured.
If you need to reconfigure the integration, see Managing the integration with TSMA with the CLI. The credentials for a single user with this permission are preserved in the TMTM services.cfg file, enabling this user to log into and configure TSMA.
If you must change the user's credentials, BMC recommends that you use the mqtool utility to do so.
You can change this user’s password during logon to the Monitor Console or from the Security tab. However, do not use mqsusertool, because it updates the password directly in the security service. When using Active Directory, you should first change the password in Active Directory. Between the time that you change the password in Active Directory and when you execute the mqtool utility, any attempts to add or update WMQ Connections or synchronize groups will fail.
Group that enables TMTM users to access the TSMA project.
During the TMTM upgrade, groups that had permission to run the Configuration Manager are granted the “TSMA Project Access” permission.
Single user that enables TSMA to access the security server to authenticate users and retrieve user and group information.
This user requires no permission for other activities in TMTM and does not need to belong to a group. The credentials for a single user with this permission are preserved in the TMTM services.cfg file, enabling this user to log into and configure TSMA.
If you must change this user’s credentials, BMC recommends that you use the mqtool utility to do so.
You can change this user’s password during logon to the Monitor Console or from the Security tab. However, do not use mqsusertool, because it updates the password directly in the security service. When using Active Directory, you must first use the mqtool utility to change the user or password and then change the user’s password in Active Directory. Between the time that the mqtool utility is executed and the password is changed in Active Directory, users are unable to log into TSMA.