No.3 Summer 2005

IBM Tivoli Inventory is an excellent toolfor gathering hardware and softwareinformation but keeping the data up todate can prove difficult withoutspending considerable time performingmanual distributions or writing largesuites of scripts.

Even if you opt for one of these options,

reporting the success rate of the scans

can start to be extremely time consuming,

especially where the number of endpoints

runs in to the thousands.

However using Odyssey 3.1 the setup,

maintenance and subsequent reporting of

the scans can actually now be extremely

simple. The configuration I created for this

article took less than 30 minutes, hence

the title.

Resource GroupsA new concept in Odyssey 3.1 is the

Resource Group. This is a virtual set of

systems that is only populated at

execution, allowing for wild cards and

lookups to be performed to create the

target list. In the case of an inventory scan

it is likely that with a large number of

systems you will have unique policies for

different types of systems. For example

you might choose to scan workstations at

a less frequent interval to servers or scan

Unix systems differently to Windows

systems.

In the example I have used for this article

I have created a Resource Group called

Workstations that creates a virtual list of

systems beginning with wrk (^wrk.*) and

excludes all systems containing dev in the

name however you can use any script you

want to populate the list. Another option

might be to always choose the thirty

oldest systems to be scanned.

Even if your policy is to scan all of your

endpoints every day, a resource group will

still be needed to ensure that if an

endpoint is updated, added or removed

the scan list is always accurate. This is not

always the case with a conventional

ProfileManager based subscription list.

WizardsThe Odyssey Wizards are powerful tools

that perform multiple parallel actions on

large numbers of resources such as

Endpoints or Users. The processing can be

automatically throttled and queued to

ensure that the Tivoli environment does not

get overloaded.

There are a range of customisable action

types such as command execution, Tivoli

tasks, HTTP interactions, perl and shell

script execution and remote actions. For

News in a Minute

Is Configuration ManagementDatabase important to your organisation?

Role mining: a quick route toRole Based Access Control

IBM Tivoli Education – News

Tips for writing ResourceModels using VBA Script

Inside3

4

5

7

8

continued on p2

Defining a Resource Group

An Active Inventory Schedule

Creating an Inventory Schedulein 30 minutes by Simon Barnes

Scheduling Using Resource Groups

Message Broker No.3 Summer 2005

2

this scenario I have chosen to run three

actions:

1. An action to test the age of the last scan

is older that 7 days. This is slightly

modified version of the standard

Odyssey action called Last Scan Agewhich reports the last scan age in days.

This action could alternatively be

incorporated into the Resource Group.

2. A test to ensure the endpoint is running.

This is supplied as a standard action

called Status. This ensures any system

that is targeted is up and running.

3. An Inventory Distribution Action. This

action type allows you to choose any

existing InventoryConfig profile, the

batch size of the distribution (i.e. how

many systems you want to distribute to

at once) and a delay between

distributions. You can also configure

retries but in this instance I have not

done this.

These three actions are joined together to

form an Action group called ScheduledWorkstation Scan.

SchedulerNew in version 3.1 is the Odyssey

scheduler. This does not use either the

Operating System or IBM Tivoli Schedulers

and therefore allows complete

independence from underlying tools to

schedule actions. For this example I have

used it to schedule the defined resource

group so that at a selected interval it runs

the chosen Scheduled Workstation Scanaction group. As shown below I have

chosen to schedule a workstation scan

every 1 week.

By simply pressing OK the Inventory

schedule will be created. There is no longer

a need for scripts or manual intervention.

Viewing a Running orCompleted Session

During the Wizard’s execution, or after it

has finished, you may wish to check the

progress of the scan. Without Odyssey

this would mean command line interaction

but with it you can view and sort each

target to find what state it is in.

ReportingOnce the scheduled routine has been

created the temptation would then be to

forget about it and hope that it is

successful. Using Odyssey it is simple to

report on the success or failure of any

Wizard session. Not only do you have the

sortable table view shown on page 1, but

also on completion each wizard creates a

Inventory Report

Last Scan Inventory Report

web-based report that will show a

summary of the success and failure rate.

Lastly in addition to the standard reports

it is possible to click on any column in

Odyssey and create a Pie Chart Summary.

This is particularly useful for the

Inventory Scan as it can be used on the

Last Scan Age Column to create a neat

summary of the age of all endpoint scans.

If you would like to evaluate Odyssey 3.1or take a look at some of its otherpowerful features it offers go to the website athttp://www.orb-data.com/Odyssey

Alternatively if you would like furtherinformation on this or any aspect ofOdyssey please contact Julia Knight on+44 (0)1753 705015 or sales@orb-data.com

Message Broker No.3 Summer 2005

3

Computer Associates is to cutanother 5 percent of its workforcedespite having announcedsignificantly increased annualrevenue estimates in July.The company, which is emerging fromcivil and criminal inquiries into itsaccounting, said that cutting the extrajobs on top of the 800 reductionsannounced in September will generatesavings of $75m a year. New CEO, JohnSwainson, who replaced former chiefexecutive Sanjay Kumar when he wasindicted on securities fraud charges said,"CA is very much a work in process."

The world's largest video rentalchain Blockbuster has suffered afall in profits due to increasedcompetition from fast-growingonline rental specialists such asNetflix.Blockbuster's shares fell 11% after itrevealed the disappointing figures. Thecompany are putting some of the revenueloss to the scrapping of late fees at halfits US stores and some other regionshowever in the UK they still apply.Blockbuster insisted it would be able to

recoup the income from late fees fromextra business and would return toprofitability in 2006. "As the decline instore-based video rental industrycontinues, stores will have to close," saidchief executive John Antioco.

Apple has broken with 20 years ofsingle-button tradition andunveiled a mouse that has a 360-degree scroll ball and fourprogrammable buttons.Two of the buttons are programmabletouch sensors, whilst pressing the scrollball and squeezing its sides can activatethe other two buttons. For people whostill want the old single button mouse,Apple states that while the device hasmulti-button functionality, it can alsowork in single-button mode. It’s priced at£35 and has already started shipping.

About 1,500 jobs will be lost afterthe UK's largest computer makerGranville Technology Group, whichproduces Tiny and Time PCs, wentinto administration and closed its80 shops.The Lancashire based company has beenmaking monthly losses of up to £2m

News in a Minutesince the start of the year. All directors ofthe company, except its non-executivechairman, left ahead of theannouncement. Customers, especiallythose who have paid for goods but areyet to receive their goods, face aworrying few weeks. AdministratorsGrant Thornton said they will maintain acustomer support operation and plan tomake a further announcement soon. TheGMB union said the job cuts were"devastating”.

A South Korean man has died afterreportedly playing an onlinecomputer game for 50 hours.The 28-year-old man started playingStarcraft on 3 August and only paused togo to the toilet, said the police. "Wepresume the cause of death was heartfailure stemming from exhaustion”.Online gaming in South Korea isextremely popular thanks to its fast andwidespread broadband network. Gamesare televised and professional playersare treated and paid, like sports stars.Professional gamers there attract hugesums in sponsorship and can make morethan $100,000 a year.

Orb Data Launches New Web SiteAfter months of development, we arepleased to say, the new Orb Data website is now up and running athttp://www.orb-data.com.

It's now bigger and better than ever, with

specific sections devoted to Enterprise

Systems Management, Security

Management, Service Management and

Infrastructure.

The ever popular technical section has

been expanded to include a new FAQ

section. Here you'll find 200 or so

frequently asked questions, not only

about ESM related subjects but also

databases, security and others. We hope

you find the new site useful and visit it

regularly in the future.

To use the new technical section you will

have to reregister at:

http://www.orb-data.com/register

Message Broker No.3 Summer 2005

4

Is a Configuration Management Databaseimportant to your organisation? by Steve Lawrence

There has been a lot of interest recentlyfrom analysts and vendors alike, inproducts that meet the need toimplement a Configuration ManagementDatabase (CMDB) as described in theITIL (IT Infrastructure Library)framework.

The question is, are you, the potentialcustomers for such a product, as excitedabout the CMDB as the analysts think youshould be, and if not, then why not?

Even if your answer to this question is anemphatic “No”, you should read on, asyou may change your mind…

Before we address the question, it isimportant to be clear about what a CMDBreally is, as defined by ITIL. There are aconfusing number of offerings in themarketplace, most of which fail to meetmore than a sub-set of ITIL’s description ofa CMDB.

The CMDB should hold details of, andrelationships between, all Service andSystem components (e.g. Hardware,Software, Network Infrastructureetc.).

Most Inventory or Asset databases canmeet the need to record details ofindividual systems, with informationpertaining to their configuration. However,these do not in themselves meet ITIL’sCMDB definition, as they are typicallyunable to define and maintain therelationships between systems and otherCIs (Configuration Items) that make up aBusiness Service.

It is the ability to view IT assets in thecontext of the Service and users that theysupport which is pivotal in the fulladoption of the ITIL process framework.Without this, it is incredibly difficult tounderstand the business impact, and thusthe relative priority, of issues or changesto your IT Estate.

The CMDB should also hold details ofthe following records, which areproduced as a result of ServiceManagement processes, together withtheir relationships to system

components

• Incidents

• Problems

• Known Errors

• Changes

• Releases

• Service Level Agreements

The accurate recording of these details ina CMDB will significantly improve theeffectiveness of the ITIL Processimplementation in an organisation. Forexample, when a Service Desk Analystrecords an Incident against a system, theywill immediately be able to see theBusiness Services that are affected by theissue.

This helps in determining the relativepriority of incoming incidents, and thusthe way in which IT staff allocate theireffort. Furthermore, associated SLAs forthe Service will determine the targetresponse time for each incident.

The CMDB can also be used to storecorporate data about employees,locations, business units, suppliers,maintenance agreements, andlicenses.

By recording corporate information aboutorganisational structure and employees, itbecomes possible to rapidly establish theuser community affected by Incidents,Problems, or Changes etc. This is becausewe can not only determine the BusinessService impacted by a system, but alsothe users of that Service, and the SLAdetermining maintenance windows,service restoration targets, etc.

Details of suppliers and maintenanceagreements that are in effect will allowreasonable expectations of 3rd partyperformance to be set, and facilitateverification that SLAs can be met withinthe terms of Underpinning Contracts.

Finally, ITIL recommends that adefinitive software anddocumentation library is alsomaintained within the CMDB, andsubjected to formal change control.

Returning to the question posed at thebeginning of this article – is a CMDBimportant to your organisation? – I wouldsuggest that consideration of the benefitsidentified above should lead to the answer“Yes”.

Clearly many organisations do not have acomprehensive CMDB as described byITIL, and yet they are able to function, butdo they do so efficiently?

Most companies have a sub-set of theinformation required, possibly inproprietary databases, spreadsheets, oreven manual records, so there isrecognition that this information isvaluable

However, to truly release the power andefficiency promised by ITIL, theinformation needs to be accurate,comprehensive, up-to-date, andintegrated with the processes.

It is therefore impractical, if notimpossible, to reach this goal withoutsoftware tools to help you, and thereinlies the rub. There is a multitude ofproducts available: Inventory tools, AssetManagement tools, Helpdesk tools, andsome of them are even positioned asCMDB solutions.

But, ask yourself if they deliver thecapabilities described in this article, and ifthey do not, how can they be a CMDB inmore than name?

Orb Data has chosen to partner withFrontRange Solutions to provide a ServiceDesk solution (ITSM) that includes aCMDB component to meet therequirements of ITIL.

We believe that by integrating thissolution with IBM Tivoli ESM technology,we can help our customers to take asignificant step towards adoption of thefull ITIL framework

For further details of our offering in thisarea, please contact Steve Lawrence(Business Development Manager) atsteve.lawrence@orb-data.com.

Message Broker No.3 Summer 2005

5

Role mining: a quick route to Role BasedAccess Control by Colin Miles

The value of rolesRole Based Access Control (RBAC)systems provide an efficient andeffective method for controlling accessto corporate resources.

By enforcing security according to a well

defined and closely managed set of logical

role definitions, organisations can

discover a number of associated benefits.

These include:

• The complexity and cost of day-to-day

security administration can be reduced.

• An improved auditing capability can be

delivered in order to help meet

regulatory requirements.

• Business processes can be streamlined

to align with logical role functions.

• Security can be provided for an ever

growing number of employees, business

partners & customers much more easily

(without a corresponding exponential

growth in the number of required access

rights)

The basis of an RBAC control model is

simple. A user is assigned to one or more

roles according to his/her position or level

of responsibility within the enterprise.

Access rights to all IT resources are then

assigned at a role level. The process of

role assignment thereby automatically

confers the correct access privileges upon

the user. For many organisations however

this simple model represents an elusive

utopia as defining a comprehensive and

accurate set of role definitions for their

business in the first place can be a

deceptively complex task.

The problem – howare roles defined?

Often system access patterns for an

organisation have evolved over a long

period of time without any clearly defined

structure or policy helping to determine

just “who” gets access to “what”. When

each new system or application is

integrated into the overall infrastructure

security may be deployed on an ad-hoc

basis leading to an increasingly confused

overall picture over time. In such cases

assignment of access privileges for a new

employee, business partner or customer

can often be determined by bad practice

methods such as ‘copying’ the account

settings of users who are perceived to be

similar to the new user. Such methods

quickly propagate inaccuracies across

systems and can introduce worrying

security flaws.

The challenge for organisations therefore

is to derive new role definitions by making

sense of access patterns across all of their

systems. One solution to this is to

undertake a full role engineering project

by committing to an in-depth analysis of

business processes. Experience has

shown that such projects are

painstakingly complex and laborious (with

a high dependency on manual methods),

and can take months to complete. For

example, consider that such a project will

need to address a huge range of

organisational factors and often will

require engaging sys admins, managers

and other stakeholders across all

departments within the organisation.

Furthermore, it is important not to forget

that organisational role definitions are not

static. Over time infrastructure changes,

organisation shuffles or shifting business

pressures are all likely to require that role

definitions are revisited and reworked

where necessary.

Role mining withEurekify Sage

An alternative solution to the challenge of

role engineering is to start with the

assumption that the definition of roles in

the organisation already exist in the

underlying privileges that are deployed

across the systems. With this assumption

it then becomes a case of extracting and

refining this information to derive a role

model for ongoing use.

The Sage product from Eurekify offers a

unique tool in this respect. Using Sage it

is possible to analyse existing user access

patterns from any number of systems, and

through automated pattern matching

algorithms reverse-engineer the roles

that are required by the business. Sage

works by importing user and access

information from any number of existing

enterprise systems (either through out-of-

continued on p6Data flow : role mining with Eurekify Sage

Message Broker No.3 Summer 2005

6

the-box interfaces or via an easily

customised bespoke process) and then

combining and analysing the data to carry

out a “bottom up” discovery of roles. This

process can be repeated many times with

search and pattern parameters amended

by the administrator on each pass as

required. By this iterative process Sage

allows for role definitions to be discovered

and refined to evolve a best fit logical role

set that is closely tied to both the

organisations current access rights as well

as future requirements.

All Sage operations are carried out via a

separate configuration database that

allows all analysis to be conducted “off-

line” without impacting any productive

systems. Once a satisfactory role

definition has been derived using Sage

options exist for importing role data back

to the source systems for operational use.

Role set definitions may also prove

invaluable as an accompanying step to a

user provisioning or full Identity

Management implementation. In such

projects it is often the case that the

adoption of an RBAC model, whilst not an

essential first step, still allows for the

maximum benefit from the new solution to

be derived.

As well as role mining Sage functionality

also provides the ability for organisations

to:

• map existing privileges to new roles

• detect out-of-pattern role members

• reveal privilege ‘collectors’ and other

exceptions or deviations from expected

usage

• detect duplicate roles or privileges

• audit existing (known) role definitions

SummaryAn accurate set of role definitions for the

enterprise can be an invaluable asset

when it comes to providing secure IT

services. Using a role mining tool such as

Eurekify Sage allows roles to be mined

from existing enterprise data much more

quickly and with greater accuracy than by

comparable manual methods. This in turn

helps provide a speedier route to ROI on

IT deployments across the enterprise.

Sage Survey –understanding rolesin 5 days Orb Data is currently offeringcustomers the opportunity to run a 5day mini-project to better understandrole definitions within theirorganisation. The project utilisesEurekify Sage to analyse currentaccess privileges from selectedsystems with the aim to:

• explore current privileges and runinvestigative queries

• identify & quantify excessive andout-of-pattern privileges

• identity & quantify duplicate &overlapping group definitions

• “reverse” engineer a set of roledefinitions from existing patterns

• assess the needs and build a casefor a full RBAC or IdentityManagement project

To find out more about how our SageSurvey can help your organisationimprove your ability to control accessto IT resources please contact us atsales@orb-data.com.

Do you monitor the health of your Tivoli solution?

Orb Data has developed a package of ITM Resource Models which monitor and report on the health of a Tivoli Infrastructure.This solution helps you to identify and resolve problems with your TMR, TEC and Gateways before these issues impactfunctionality.

TMR ServerOserv_Status checks if the object dispatcher is running.Epmgr_Status reports if the endpoint manager has failed or hung.TMR_Hanging_Methods monitors for a hanging object.

GatewaysGateway_Status monitors the gateway to check if it is down, hung or if there is a problem with the oserv. It additionallymonitors for the number of jobs waiting to run.

TECTEC_Status checks that the Event Server is running. TEC_Stats monitors the status of the TEC for:

• Queued_Events• Waiting_Events • Parse_Failed events

TEC_LastEvent sends an alert if an event has not been received in a given number of minutes.

DatabaseRIM_Status checks that any database can be connected to via RIM.

For a limited period, we are offering this resource model pack free of charge to customers who take advantage of our TivoliAudit offering. To find out more, visit http://www.orb-data.com/ESMReview. Alternatively you can buy this pack directly bycontacting sales@orb-data.com

Message Broker No.3 Summer 2005

7

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30

September

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30

October

November

Odyssey 3.1 Operations (Half Day)

Odyssey 3.1 Advanced Users

Tivoli Management Framework 4.1 and 4.1.1 Update

IBM Tivoli Monitoring 5.1.2

Resource Model Development

IBM Tivoli Configuration Manager 4.2.1 - Introduction for Users

IBM Tivoli Configuration Manager 4.2.1 - Software Package Editor

IBM Tivoli Configuration Manager 4.2.1 - Administration & Troubleshooting (2 Days)

IBM Tivoli Education - News

Orb Data has introduced two new

classroom-based training courses to

coincide with the release of version 3.1 of

its software product, Odyssey. The first

new course is a half-day class teaching

the basic aspects of Odyssey’s use to aid

the operation of a Tivoli Management

Environment (TME). The second course is

aimed at Advanced Users wishing to

harness the full power of Odyssey to help

simplify the support and administration of

their TME’s.

For more information, bookinginstructions and other courses visithttp://www.orb-data.com/TrainingCourses.

August

• Managing DistributionOperations

• Linking ESM functions tobusiness value

• ITIL and best practice – learningfrom others mistakes

• News in a Minute• Security – Why wait to comply?• Increasing the reliability of your

Tivoli Environment?• Technical Corner: Using Tracing

in Resource Models

Issue 2Issue 1

Did you miss a previous issue?

Don’t worry, you can download them here: http://www.orb-data.com/message-broker

• Companies Spend to Solve theIdentity Conundrum

• ‘Just in Case’ Computing• News in a Minute• Data, data everywhere - Orb

Data Reporting Application• Hotfix Deployment Comes of Age• Technical Corner: Rules Based

on Time

If you have any comments or would like to subscribe or change your details please email message-broker@orb-data.com.

A full schedule of all our courses is below.

Message Broker No.3 Summer 2005

8

IntroductionThe default language for authoringResource Models that only run on aWindows platform is VBA script. This is aneasy language to grasp and learning itshould not prove difficult for a TivoliAdministrator familiar with PERL or ShellScripting. However, there are few quirkspeculiar to VBA and this article intends tohighlight some of these, as well show howcommon tasks can best be performed in aVBA Script.

Option KeywordBy default VBA Script allows variables tobe defined on an improvised basis. Forexample, the following code defines twovariables, explicit and improv:

It is worth noting that these variables arenot the same: explict is an Integer andso can only store integer values; improv –like all undeclared variables – has theVariant data type meaning that it can storeany type of data.

Whilst not needing to explicitly definevariables can be convenient, it can lead toproblems in more complex ResourceModels. Consider the following loop:

Due to the typo in the code, this loop willrun forever. The compiler encounterscoumt and assumes that this is a newvariable to be defined meaning thatcount is never incremented. Suchproblems can be very difficult to identifyas the successful compilation “hides” themistake in the code.

It is possible to force the compiler to onlyallow explicitly defined variables, whichwill prevent problems like these. To do so,add the statement Option Explicit atthe top of the VBA source.

There are other options that can be usedin this way. One – Option Base – can be

used to change the index of the firstelement of an array from 0 to 1. However,it is recommended that this option isnever used to ensure consistency in thecode for all custom Resource Models.

String ComparisonsAnother use of Option alters the waystring comparisons are performed. Bydefault string comparisons in Visual Basicare case sensitive, which is to say:

will evaluate to False. SpecifyingOption Compare Text at the top of thecode makes string comparison caseinsensitive, causing the above expressionto become True. It is also possible toperform a particular type of stringcomparison at any time using theStrComp function:

The relevant values for compareOptionare:

The values return by StrComp are asfollows:

So StrComp is likely to be used in a waysimilar to the following:

More String ParsingThere are several more string parsingfunctions available in Visual Basic. Thefollowing code and accompanying table isan example of some:

From the above it is clear that Left,Right, and Mid are used to extractsubstrings for a string value. It is worthnoting that, unlike PERL for example, thefirst character in a string has an index of 1not 0.

Split behaves similarly to the PERLsplit function but the specified delimiteris a fixed string and not a regularexpression. In this case the first elementof the array returned does have an indexof 0 (unless changed by Option Base asdiscussed above).

Static VariablesOften it is desirable to store values so thatthey can be compared between cycles of aResource Model. A simple way to do thisis to use Static variables available inVBA Script.

As VBA is not an object-oriented languageStatic does not refer to object classes orinstances. Instead it means something farsimpler: a Static variable maintains itsvalue between different calls of a sub-routine. So for example, a delta for thechange in a monitored value betweencycles can be simply calculated using thefollowing code:

It is also possible to add the Statickeyword to a Function or Sub definition,which will make all the values of all theprocedure’s local variables preservedbetween calls. This is to be used withcaution as it can easily produceunintended results.

Dim explict As Integerexplict = 3improv = 4

Dim words As String

Dim stringArray() As String

words = "The quick brown foxjumps over the lazy dog."

stringArray = Split(words," ")

count = 0

While count < 5MsgBox "Count is " & countcount = coumt + 1

Wend

"STRING" = "string"

result = StrComp(string1,string2,compareOption)

If StrComp(value,hostname,vbTextCompare) = 0 Then

'Send EventEnd If

'value already contains thiscycle's value

Static oldValue As Double

Dim delta As Double

delta = value – oldValue

oldValue = value

Published by Orb Data Limited, Royal Albert House, Sheet Street, Windsor, Berkshire, SL4 1BE Telephone: +44 (0) 1753 705015IBM and Tivoli are trademarks of International Business Machines Corporation in the United States, other countries, or both.

C0nstant Value Meaning

vbUseComp -1 Compare the string using theareOption method specified by Option

Compare

vbBinary 0 Do a case sensitive comparisonCompare

vbText 1 Do a case insensitive Compare comparison

Case Return value

string1 = string2 0

string1 < string2 -1

string1 > string2 1

string1 = Nullor string2 = Null Null

Expression Value

Left(words,9) The quick

Mid(words,11,9) brown fox

Right(words,4) dog.

stringArray(0) The

stringArray(3) fox

Tips for writing Resource Models using VBA Scriptby David Webb