Configuring Policies for Monitoring and Administering Event Stream Processor

Edit the Project, Node, and Cluster policies in the policy.xml file to grant SCC monitoring and administrative access to a native OS, preconfigured login, LDAP, or SAP Business Intelligence (BI) group. Do not edit the policy.xml file if you are using Kerberos or RSA authentication for ESP, because in that case you are automatically granted SCC monitoring and administrative access.

The policy.xml file must be identical on every node in a cluster. In a multinode cluster where nodes are installed on different hosts, this is often accomplished by placing the ESP security directory on a shared drive. If your cluster’s policy.xml file does not reside on a shared drive, make this change to the policy.xml for each node in the cluster.

  1. Open ESP-5_1\security\policy.xml.
  2. In the <Role> element, specify the group to which you wish to grant monitoring and administrative access and verify that the following is present:

    The sample below grants monitoring and administrative access to a group called "sybase".

    <Policies>

        <Policy type="Project">
            <Subjects>
                <Role>sybase</Role>
            </Subjects>
            <Resources>
                <!--The group has "read" privileges for "any" project resource, including meta-data streams and other project streams-->
                <Resource>*any</Resource>
            </Resources>
            <Actions>
                <Action>read</Action>
            </Actions>
        </Policy>

        <Policy type="Node">
            <Subjects>
                <Role>sybase</Role>
            </Subjects>
            <Resources>
                <Resource>Node</Resource>
            </Resources>
            <Actions>
                <Action>read</Action>
                <Action>stop</Action>
            </Actions>
        </Policy>

        <Policy type="Cluster">
            <Subjects>
                <Role>sybase</Role>
            </Subjects>
            <Resources>
                <Resource>Security</Resource>
                <Resource>Node</Resource>
                <Resource>Workspace</Resource>
                <Resource>Application</Resource>
            </Resources>
            <Actions>
                <Action>read</Action>
                <!--This privilege is required for write operations, such as reload policy, add workspace/project, and so on-->
                <Action>write</Action>
                <!--This privilege is required for stop operations-->
                <Action>stop</Action>
                <!--The privilege is required for start operations-->
                <Action>start</Action>
            </Actions>
        </Policy>
    </Policies>
    

    To enable users within the group you specified in the policy.xml file to monitor and administer ESP, map this group to the espMonitorRole and espAdminRole roles.
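
The requirement above that policy.xml be identical on every node can be checked by comparing the effective grants in each node's copy. The following is an added example, not part of the SAP documentation: the function names and the NODE_A, NODE_B and NODE_C samples are constructed for illustration, and it compares grants rather than raw bytes, so formatting-only differences are not reported.

```python
import hashlib
import xml.etree.ElementTree as ET

# Constructed samples in the policy.xml layout shown above (not real node files).
NODE_A = """<Policies>
  <Policy type="Node">
    <Subjects><Role>sybase</Role></Subjects>
    <Resources><Resource>Node</Resource></Resources>
    <Actions><Action>read</Action><Action>stop</Action></Actions>
  </Policy>
</Policies>"""
# Same grants as NODE_A; only a comment, whitespace and action order differ.
NODE_B = """<Policies><Policy type="Node"><!--copy on host 2-->
  <Subjects><Role> sybase </Role></Subjects>
  <Resources><Resource>Node</Resource></Resources>
  <Actions><Action>stop</Action><Action>read</Action></Actions>
</Policy></Policies>"""
# Drifted copy: "stop" was replaced by "write".
NODE_C = NODE_A.replace("<Action>stop</Action>", "<Action>write</Action>")


def _texts(policy, path):
    """Trimmed text of every element under `policy` matching `path`."""
    return [(e.text or "").strip() for e in policy.iterfind(path)]


def grants(xml_text):
    """Expand each <Policy> into (type, role, resource, action) tuples."""
    found = set()
    for policy in ET.fromstring(xml_text).iter("Policy"):
        for role in _texts(policy, "Subjects/Role"):
            for resource in _texts(policy, "Resources/Resource"):
                for action in _texts(policy, "Actions/Action"):
                    found.add((policy.get("type", ""), role, resource, action))
    return found


def fingerprint(xml_text):
    """SHA-256 over the sorted grants, stable across formatting changes."""
    canon = "\n".join("|".join(g) for g in sorted(grants(xml_text)))
    return hashlib.sha256(canon.encode("utf-8")).hexdigest()


def drift(reference, other):
    """Grants present on only one side, relative to the reference node."""
    ref, oth = grants(reference), grants(other)
    return {"missing": sorted(ref - oth), "extra": sorted(oth - ref)}
```

Pass the text of each node's policy.xml to `fingerprint` and compare the digests; where they differ, `drift` lists the grants that one node has and the reference node does not.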