
Authorizations Tab

The Authorizations tab is object-specific and is only available in User and UserGroup objects. It can be used to define access rights for objects, files, statistics and reports. These rights are an integral part of AE's authorization system.

Object: User
Object class: System object
Object type (short name): USER

Changes concerning authorizations become immediately effective when the User object is stored.

Field/Control Descriptions

Rights consist of access permissions and restrictions. The rights of a user are based on an authorization profile and the authorization profiles of all groups to which he or she belongs.

Access rights and restrictions are defined in a table.

There is a maximum number of characters that can be used for filter specifications. Automic recommends creating a separate line for each filter in order to keep a clear overview.

Field/Control Description
Grp.

The Grp. (authorization groups) column is where access rights or denials can be defined.

Access rights are expressed in the authorization groups 1 to 9. These groups are all on the same level. The numbers are only used to distinguish the particular groups.

All access rights of the same authorization groups are connected to each other via a logical OR. Access rights defined for an authorization group thus sum up. All access rights of different authorization groups are connected via a logical AND. Only accesses for which access authorization was granted in all authorization groups are allowed.

"NOT" stands for access denial. It does not depend on an authorization group and applies in all cases.

Type

The particular authorizations for object types (short name) can be specified in the column Type.

Exception: EXTREP does not refer to an object type but to the external output of jobs.

Valid object types can be directly selected from a list. If the wildcard character "*" is used, the authorizations apply for all objects and files.

Write access (W) is required for Folder (FOLD) objects where favorites will be added.

Name

Filter for object name and folder path.

Maximum 200 characters

The wildcard characters "*" and "?" can be used. "?" stands for exactly one, while "*" stands for any number of characters. This field can also include more than one filter. Several filters must be separated by commas.

Folder and subfolder paths must always start with a "\".
Example: "\PRODUCTION\MATERIAL.HANDLING"

When an object is created, the filter is compared with the name of the template object. If the filter does not match the template's name, the user cannot create the object.

Host

Filters for agent names (job execution, file transfer source).

Maximum 200 characters

The wildcard characters "*" and "?" can be used. This field can also include more than one filter. Several filters must be separated by commas.

Login

Filter for names of Login objects (job execution, file transfer source, registered job output files).

Maximum 200 characters

The wildcard characters "*" and "?" can be used. This field can also include more than one filter. Several filters must be separated by commas.

File Name (S)

Filter for file names (file transfer source, registered job output file).

Maximum 255 characters

The wildcard characters "*" and "?" can be used. This field can also include more than one filter. Several filters must be separated by commas.

Host (D)

Filter for agent names (file transfer destination).

Maximum 200 characters

The wildcard characters "*" and "?" can be used. This field can also include more than one filter. Several filters must be separated by commas.

Login (D)

Filter for names of Login objects (file transfer destination).

Maximum 200 characters

The wildcard characters "*" and "?" can be used. This field can also include more than one filter. Several filters must be separated by commas.

File Name (D)

Filter for file names (file transfer destination).

Maximum 255 characters

The wildcard characters "*" and "?" can be used. This field can also include more than one filter. Several filters must be separated by commas.

R

Access method: Read

Opening objects and folders is possible.

W

Access method: Write

Modifying objects is possible. This right granted for folders has the effect that a user can create objects in it.

X

Access method: Execute

Executing objects is possible.

D

Access method: Delete

Deleting objects and folders is possible.

Links are not objects. If a user intends to delete a link, s/he requires write access to the folder in which this link is stored. No deletion right is required.

C

Access method: Cancel

Canceling active objects is possible.

S

Access to statistics

P

Access to reports

M

Access method: Modify at runtime

This access method permits the setting of trace options on Automation Engines or agents and the ending of RemoteTaskManager and Event objects.

L

Allows Service Orchestrator (SVO) users to define Automation Engine SLAs for objects with the allowed object types.

The allowed object types are CALL, EVNT (all four kinds: EVNT.FILE, EVT.TIME, EVNT.DB, EVNT.CONS), JOBF, JOBP, JOBS, SCRI.

In SVO only objects of these types appear in the list for selecting an object for an SLA.

Note the following for using authorization filters for object attributes:
If an object's attribute (such as Login) does not contain a value (""), the wildcard character * is used for comparison with filter lines. If an authorization line contains a particular filter for this attribute (Login), it is still checked.

For example: The object "JOBS.TEST" does not contain a Login object. The following lines are still used in the authorization check:

Grp | Type | Name | Host | Login | File name (S) | Host (D) | Login (D) | File name (D)
1 | JOBS | JOBS.TEST | * | LOGIN.* | * | * | * | *
1 | JOBS | JOBS.TEST | * | LOGIN.TEST.* | * | * | * | *
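
The evaluation rules described above (OR within an authorization group, AND across groups, "NOT" overriding everything, comma-separated wildcard filters, and empty attributes compared as "*") can be modeled as follows. This is an added illustration, not Automic code: the profile is constructed sample data, only the Type, Name, Host and Login columns are modeled, and it assumes that every numbered group present in the profile must grant the right and that the rights checked on a NOT line are the ones denied.

```python
import re

FILTER_COLUMNS = ("type", "name", "host", "login")  # subset of the table's columns

def matches(filters, value):
    """True if value matches any comma-separated filter ('*' any run, '?' one char)."""
    if value == "":  # an empty attribute is compared as "*", so the line still applies
        return True
    for flt in filters.split(","):
        pattern = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c)
                          for c in flt.strip())
        if re.fullmatch(pattern, value):
            return True
    return False

def line(grp, type_, name, host, login, rights):
    return dict(grp=grp, type=type_, name=name, host=host, login=login, rights=rights)

def is_allowed(profile, obj, right):
    applicable = [l for l in profile
                  if all(matches(l[col], obj[col]) for col in FILTER_COLUMNS)]
    # "NOT" is independent of the numbered groups and always wins.
    if any(l["grp"] == "NOT" and right in l["rights"] for l in applicable):
        return False
    # Assumption: every numbered group present in the profile must grant the right.
    groups = {l["grp"] for l in profile if l["grp"] != "NOT"}
    # OR within a group, AND across groups.
    return bool(groups) and all(
        any(l["grp"] == g and right in l["rights"] for l in applicable)
        for g in groups)

# Constructed sample profile (not taken from the product documentation).
PROFILE = [
    line("1", "JOBS", "JOBS.*,RPT.*", "*", "*", "RX"),
    line("1", "JOBS", "JOBS.TEST", "*", "*", "W"),
    line("2", "JOBS", "*", "UNIX??", "LOGIN.TEST.*", "RWX"),
    line("NOT", "JOBS", "JOBS.PAYROLL.*", "*", "*", "X"),
]

def job(name, host, login):
    return dict(type="JOBS", name=name, host=host, login=login)
```

In this model a broad grant in group 1 is narrowed by the host and login filters in group 2, and the NOT line blocks execution of the payroll jobs even though both groups would otherwise allow it.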

Required Permissions for Certain Predefined Automic Objects

In order to execute certain predefined Automic objects, additional permissions have to be set for their internally referenced Include, PromptSet, and Variable objects. These objects' names all start with XC_, so you can give a user read access to them by adding XC_* in the Name field and checking the box in the R column as shown below.

Definition of Rights

Depending on the selected type, entry fields in the table's columns are opened or closed. For each field, a small tooltip text (help) is displayed in the table's heading when the mouse pointer stops on it.

Several specifics apply for access rights to folders: To filter path names, the folder must be specified relative to the top folder of the client (Root). The filter specification starts with a "\" character. Individual sub-folders must also be separated with this character unless the wildcard character "*" is used. If the filter ends on a "*" character, the authorizations apply for the indicated folder and all sub-folders in this structure. If the filter ends on a "\", access is only granted to the sub-files of this structure. Authorizations given to folders are not passed on to the objects they contain.

Filters that include identification, directories or path specifications are displayed in the fields File Name (Q) and File Name (Z) of FileTransfer objects. If "C:\TEMP\*" is specified in the field File Name (Z), files of any name are transferred to this directory via file transfer.

Access modes can be determined in the fields following the "File Name (Z)". They can also be deselected using the space bar or a mouse click. Click Save tab in the toolbar in order to activate access rights or denials immediately.

Each object type has different rights. TimeZone objects, for example, cannot be executed. Therefore, the X right is ignored. The following illustration shows the rights that can be used for the particular object types.

The object type API refers to the CallAPI utility.

Object type R W X D C S P M
API            
BU            
CALE        
CALL
CITC          
CLNT      
CODE          
CONN          
CPIT
DOCU          
EVNT
EXTREP              
FILTER          
FOLD          
HOST  
HOSTG
HSTA          
JOBD
JOBF
JOBG
JOBI        
JOBP
JOBQ
JOBS
JSCH
LOGIN        
PRPT          
QUEUE  
REPORT              
SCRI
SERV  
SLA            
SYNC  
TZ          
USER    
USRG          
VARA          
XLS          

Service Orchestrator

The Service Orchestrator is an independent product that uses the authorization and user system of the Automation Engine. There are specific authorizations and types that are explained below:

Authorization | Object type | Name / Filter for the names | Description
L | CALL, JOBF, JOBP, JOBS, SCRI | Object name | Users require the L right to be able to define SLAs for objects. The particular objects can be determined in User and UserGroup objects.
R | BU | Name of a Business Unit | Viewing SLAs that belong to the specified Business Unit in monitoring and reporting view.
W | BU | Name of a Business Unit | Editing SLAs that belong to the specified Business Unit.
R | SLA | SLA name | Viewing SLAs in monitoring and reporting view.
W | SLA | SLA name | Editing SLAs (SLA management)