
Framework Alternatives
If the integrated-framework approach sounds a little scary to you--and it should--perhaps policy auditing and reporting tools would be a better fit for your organization. AXENT's AXENT Enterprise Security Manager (ESM) and PLATINUM's AutoSecure Policy Compliance Manager system-auditing tools measure how well each target platform is locked down. They can even take corrective action automatically when they detect something is out of compliance (see "Framework Too Much Work?" page 56). These products may also be used as external auditing and reporting components in conjunction with the enforcement tools we tested.
Tivoli Enterprise Management Framework, User Administration and Security Management
Tivoli Enterprise, also known as Tivoli 3.6, features two principal components for distributed user and resource management. Security Management defines system resources and organizational groupings and marries them through security policies. User Administration performs user, group and host management. This version reworks the physical relationship between the processes found in earlier versions of Tivoli TME 10, addressing scalability issues that surfaced in some installations.
Security and user management only make up a small part of Tivoli's feature-rich management framework--in fact, it's more likely to be used for general network/systems management and software distribution than it is for security. But its optional functions create an incredibly powerful security management environment. For its broad platform support, flexible architecture, functional depth and clear adoption methodology, Tivoli earns Network Computing's Editor's Choice award.
Tivoli's suite does not attempt to expand on the native security found in NT or NetWare. For example, you won't be able to apply advanced password-construction rules, such as requiring both alphabetic and numeric characters whenever users change passwords in Windows NT. But this also means that, except for Unix management, you don't have to move in lockstep with your systems management vendor when it comes time to upgrade user systems.
To address various fundamental security management problems in native Unix systems, Tivoli offers TACF, which is conceptually similar to IBM's mainframe-based RACF. Based on MEMCO Software's SeOS (now PLATINUM AutoSecure Access Control for Unix), TACF is invoked immediately upon operating system initialization and uses well-established system hooks to redirect security requests to Tivoli. TACF can be used with Security Management to compare user requests against the security profile database, replacing any access control list mechanisms in the native OS.
Tivoli's security functions do not stand apart from the management framework, unlike the PLATINUM and even the CA offerings, which can be installed without a sweeping commitment to the entire product line. These functions are installed on top of an existing Tivoli Management Framework, assuming Tivoli Management Regions (TMRs) have been established.
Physically, Tivoli Enterprise has three tiers. First, it organizes systems into the groups it calls TMRs. Instead of having a server that distributes all code directly to every endpoint in the enterprise, each TMR executes an Endpoint Manager process that drives tasks out to the Endpoint Gateways, which distribute them to final Endpoints. Deeper hierarchies can be established by layering TMRs upon each other.
The Tivoli Management Gateway stores all the necessary code (or object "methods") for the Tivoli Endpoints and sends them as needed; they are cached for future reuse. This process maintains current agent code, and incurs network load only during code updates. According to Tivoli, this approach means a single TMR can support 200 gateways that fan out to 10,000 endpoints.
Defining Policies, Groups
Among Tivoli's many logical structures layered on top of the physical architecture are policy regions (a collection of resources that share a policy) and profile managers (which control the distribution of profiles, such as user profiles). Authorization roles define the tasks that individual administrators can perform, from creating new TMRs to the daily operational tasks of running systems.