Introscope security consists of authentication and authorization. It allows individual users and user groups (groups), which are specified sets of users such as application administrators, system administrators, or analysts, to securely log into Introscope. Permissions allow users and groups to perform specific Introscope tasks.
For more background about Introscope security, see CA APM security summary.
About Introscope domains and security
Introscope uses domains to partition agents and management logic to define which users can see what information. You map agents to a domain using a Perl5 regular expression in the domains.xml file.
After you map agents to domains, you define and grant domain permissions. During the authorization process, Introscope performs permissions checks.
To set up Introscope domains, see Define and Configure Introscope Domains.
About configuring Introscope permissions
In Introscope, permissions determine what tasks users or groups can perform, including configuring monitoring logic in the Workstation and handling Enterprise Manager administration tasks. You define Introscope permissions for domains and the Enterprise Manager. Then you grant users and groups permissions to domains, the Enterprise Manager, or both.
Domain permissions and the Investigator tree
The Investigator tree looks different to users or groups having different domain permissions:
- Users or groups with at least read rights for the SuperDomain permission can view the contents of all defined domains in the Investigator tree.
- Users or groups with permissions for multiple domains will see domain information for those domains in the Investigator tree.
- Users or groups must have at least read permission for at least one domain. Otherwise, they cannot log into the Workstation or WebView to view the Investigator tree and console.
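The visibility rules above can be modelled to audit who would see which agents before a change to domain mappings or grants goes live. The following is an added example, not CA's code and not part of the original page. The agent names, domain names, patterns and principals are constructed, and assigning each agent to the first matching domain is an assumption of this model.

```python
import re

SUPERDOMAIN = "SuperDomain"

# Constructed sample data; names and patterns are illustrative only.
DOMAINS = [  # ordered (domain name, agent-mapping regex)
    ("Payments", r".*\|Tomcat\|pay-.*"),
    ("Storefront", r".*\|Tomcat\|.*"),
]
GRANTS = {  # principal -> {domain: set of permissions}
    "apm-admins": {SUPERDOMAIN: {"read"}},
    "pay-analysts": {"Payments": {"read"}},
    "web-team": {"Payments": {"read"}, "Storefront": {"read"}},
    "contractor": {},  # no grants at all
}
AGENTS = ["host1|Tomcat|pay-api", "host2|Tomcat|shop-ui", "host3|WebLogic|batch"]

def domain_of(agent):
    """First domain whose pattern matches the whole agent name (model assumption)."""
    for name, pattern in DOMAINS:
        if re.fullmatch(pattern, agent):
            return name
    return SUPERDOMAIN  # unmatched agents are reachable only through SuperDomain

def readable_domains(principal):
    """Domains for which the principal holds read permission."""
    return {d for d, perms in GRANTS.get(principal, {}).items() if "read" in perms}

def can_log_in(principal):
    """Login requires read permission on at least one domain."""
    return bool(readable_domains(principal))

def visible_agents(principal):
    """Agents the principal would see in the Investigator tree under this model."""
    domains = readable_domains(principal)
    if SUPERDOMAIN in domains:  # SuperDomain read exposes every defined domain
        return list(AGENTS)
    return [a for a in AGENTS if domain_of(a) in domains]

def audit():
    """Per-principal report: (login allowed, visible agents)."""
    return {p: (can_log_in(p), visible_agents(p)) for p in GRANTS}

if __name__ == "__main__":
    for principal, (login, agents) in audit().items():
        print(f"{principal}: login={login} agents={agents}")
```

A broad pattern such as the constructed Storefront mapping shows up in the report as a principal seeing more agents than intended, which is the least-privilege check this model is for.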
You configure permissions for Local authorization using domains.xml and server.xml and configure permissions for CA EEM authorization using the Safex tool or the CA EEM user interface. For more information about setting permissions, see these topics:
Introscope’s default security configuration
Introscope provides a default security configuration in the realms.xml file. Local XML files (located in the <EM_Home>/config directory), which are used for both authentication and authorization, are Introscope’s default security realm. To use the default security configuration, see Securing Introscope using Local security.
If Introscope’s default security configuration does not meet your requirements, you can configure realms.xml to use CA EEM, LDAP, or an appropriate combination of the supported realms for authentication and authorization.
You may want to configure Introscope security, for example, by:
- Changing the default configuration settings for Local security. For more information, see About configuring Local authentication.
- Replacing Local security authentication with an LDAP server for authentication. For more information, see Securing Introscope using LDAP.
- Replacing Local security with CA EEM authentication and authorization. For more information, see Securing Introscope using CA EEM.