Thursday, April 27, 2006

Interesting Command Update In TSM

I found this interesting update on the Tivoli website about the enhancements to the DISABLE/ENABLE SESSIONS command. Basically it discusses the change to the commands in TSM 5.3.1.0 and how the command now disables sessions not only for client sessions, but admin and server-to-server sessions also. This would not be problem had a customer not revoked system authority from his SERVER_CONSOLE ID. This locked the customer out of his server entirely and his only recourse was to either rollback to 5.3.0 or to restore a DB Backup from before the disable was issued. Have many of you revoked SERVER_CONSOLE privileges? I never would consider it since it is a fail-safe in the event something bad happens. I understand security but if the person can get onto the server and start the program in the foreground you have bigger problems than the SERVER_CONSOLE ID having system authority.

2 comments:

  1. The first time I found a customer that had done this, I asked them about it and they had no idea that they had effectively locked themselves out of the foreground server which we all use to recover from various TSM server issues. I agree with TSMExpert, strongly suggesting leaving the SERVER_CONSOLE ID with system access. It will only cause you pain if you play with it.

    ReplyDelete
  2. I can't find the original link.
    Could you repost that?
    Thanks.

    ReplyDelete