User authentication and permissions
The TrueSight Middleware and Transaction Monitor (TMTM) product supports the following authentication modes:
- Internal Security – local authentication that uses the distributed directory information service
- Active Directory Delegate Mode – combines Active Directory Authentication (user identification and password checking) and Internal LDAP authorization
The TMTM product uses LDAP as the underlying security protocol for all user authentication. All references to LDAP in the documentation refer to the underlying security method and not an external LDAP directory service, otherwise known as a Directory System Agent. Connecting to a Directory System Agent is not supported.
Users, user groups, and permissions
Regardless of your user authentication mode, user permission is handled using the concept of user groups. A user is a member of at least one user group. Permissions are granted to the groups and, by extension, to the members of the group.
All users in a group have identical permissions. Changes applied to one user in a group are applied to all user in the group. Users can be added to and removed from groups as required.
A user can belong to more than one group. When a user belongs to groups with different permissions, the user is granted the union of all permissions.
Internal Security mode
User authenticated is handled by an internal Apache Directory Server.
Active Directory Delegate Mode
Active Directory Delegate Mode Security allows for configuring TrueSight Middleware and Transaction Monitor security to authenticate a user via their Active Directory credentials and group memberships while allowing for TrueSight Middleware and Transaction Monitor user and group authorization and configuration information to be stored in its internal database.
This mode alleviates the need to modify the Active Directory schema. It might require the Active Directory administrator to set up Groups and User associations that are used to dictate a user's level of authority. Internal users (such as TopicService, etc.) are maintained in the internal TrueSight Middleware and Transaction Monitor database, and are not required in the Active Directory domain.
In TrueSight Middleware and Transaction Monitor, access permission is granted at a group level. Members of the group inherit all permissions granted to the group. Changes to a group's permissions are applied to all users in the group. Users in more than one group inherit the union of permissions from all the groups in which they are members.
You can use the default TMTM Application Service security or you can use Active Directory security.
The TMTM Application Service enforces default security. The component of the TMTM Application Service that enforces security is ApacheDS. Because the default password for ApacheDS is publicly available, BMC recommends that you change it as soon as possible.
TrueSight Middleware and Transaction Monitor security enables you to create user accounts and security groups to manage user access to TrueSight Middleware and Transaction Monitor functionality. For a full review of the security options, see the Administering section.