The company may wish to restrict the lists of machines available to an Approver for picking, or to an End user running Remote Terminal or Password Vault. Administrators with knowledge of Tivoli Profile manager subscription hierarchies will find this familiar, except that ForestSafe also allows pattern matching on the hostname. For example, if a company has a team that manages MQ Series machines, and the host naming convention dictates that MQ machines can be identified by their hostname, then once the container is set up, new MQ Series machines will automatically appear in the support team's list.
ForestSafe will recursively descend hierarchies of Host Containers, so hierarchies of nested host names can be configured. It supports pattern matching rules such as *.
Moreover, the container may also be a Group or Member Of, for matching Windows Domain Active Directory entries. The system also stores a Group or MemberOf for all non-Windows computers. Companies may wish to adopt the flexibility of configuring containers based on Active Directory group memberships.
Here is an example of setting up SAP access. A company has a pool of SAP systems on a Windows Domain that are occasionally replaced with new systems. They are managed by a small team of staff who change roles occasionally and move to other departments. The company wants to allow the team to access the SAP* password on these servers, set the policy in stone and never change it.
1. Create an Active Directory group called SAP Support.
2. Make SAP support staff members of this group. If any leave or join the team, this group must be kept updated in AD.
3. Make all SAP Computers members of the group.
4. Using Host Containers, create a new Host Container SAP Support and map it to MembersOf SAP Support.
5. Create a new ForestSafe Group called ForestSafe SAP Support, map their container against SAP Support and give them access to SAP* through Password Vault.
The policy is set and will never require changing.
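The container resolution described above, modelled as an added Python example: it is not ForestSafe code, and the HostContainer class, the resolve and unreviewed functions, the hostnames and the case-insensitive glob matching are assumptions made for illustration. It shows new machines being picked up by hostname pattern or group membership with no container change, and lists any host a pattern exposes that nobody reviewed.

```python
from dataclasses import dataclass, field
from fnmatch import fnmatchcase

@dataclass
class HostContainer:            # hypothetical model, not ForestSafe's schema
    name: str
    patterns: list = field(default_factory=list)    # hostname globs such as "*mq*"
    member_of: list = field(default_factory=list)   # Group / MemberOf names
    children: list = field(default_factory=list)    # nested Host Containers

def resolve(container, inventory, _seen=None):
    """Return the hostnames a container exposes, descending nested containers."""
    seen = set() if _seen is None else _seen
    if container.name in seen:   # a container nested inside itself must not loop
        return set()
    seen.add(container.name)
    hosts = set()
    for host, groups in inventory.items():
        by_name = any(fnmatchcase(host.lower(), p.lower()) for p in container.patterns)
        by_group = bool(groups & set(container.member_of))
        if by_name or by_group:
            hosts.add(host)
    for child in container.children:
        hosts |= resolve(child, inventory, seen)
    return hosts

def unreviewed(container, inventory, reviewed):
    """Hosts the container exposes that nobody has signed off on."""
    return sorted(resolve(container, inventory) - set(reviewed))

# Constructed inventory: hostname -> groups the computer belongs to.
INVENTORY = {
    "lonmq01": set(),
    "nycsap01": {"SAP Support"},
    "lonweb01": set(),
}
MQ = HostContainer("MQ Series", patterns=["*mq*"])
SAP = HostContainer("SAP Support", member_of=["SAP Support"])
MIDDLEWARE = HostContainer("Middleware", children=[MQ, SAP])

if __name__ == "__main__":
    print(sorted(resolve(MIDDLEWARE, INVENTORY)))    # existing estate
    grown = dict(INVENTORY, lonmq02=set(), nycsap02={"SAP Support"},
                 lonmqtt01=set())                    # new machines join
    print(sorted(resolve(MIDDLEWARE, grown)))        # picked up with no edits
    print(unreviewed(MQ, grown, ["lonmq01", "lonmq02"]))  # name collision
```

In the constructed data the MQTT host lonmqtt01 also matches *mq*, so a periodic comparison of resolved hosts against a reviewed list is worth running before treating a pattern-based policy as fixed.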