|
UserGroup Tab |
UserGroup |
Privileges Tab |
|
Authorizations TabThe Authorizations tab is an object type-specific tab that is only available in UserGroup and User objects. It can be used to define access rights to objects, files, statistics and reports. These rights are an integral part of AE's authorization system.
Object: UserGroup
Object class: System object
Object type
(short name): USRG
Changes concerning authorizations become immediately effective when the User object is stored.
Rights are composed of access permissions and restrictions. User rights are based on an authorization profile and the authorization profiles of all groups to which a user belongs.
Access rights and denials are defined in a table.
There is a maximum number of characters that can be used for filter specifications. Automic recommends creating a separate line for each filter in order to keep a clear overview.
| Field/Control | Description |
|---|---|
| Grp. |
The Grp. (authorization groups) column is where access rights or denials are defined. Access rights are expressed in the authorization groups 1 to 9. These authorization groups are all on the same level. The numbers are only used to distinguish the particular groups. Access rights of the same authorization groups are connected to each other via a logical OR. Access rights that have been defined for an authorization group sum up. All access rights of different authorization groups are connected via a logical AND. Access is only allowed if access authorization has been granted in all authorization groups. "NOT" stands for access denial. It does not depend on authorization group and applies in all cases. |
| Type |
The particular authorization for object types (short name) can be specified in the column Type. Exception: EXTREP does not refer to an object type but to the external output of the job. Valid object types can be directly selected from a list. If the wildcard character "*" is used, the authorizations apply for all objects and files. |
| Name | Filter for object name and folder path.
Maximum 200 characters The wildcard characters "*" and "?" can be used. "?" stands for exactly one, while "*" stands for any number of characters. This field can also include more than one filter. Several filters must be separated by commas. Folder and subfolder paths must always start with
a "\". When an object is created the filter is compared with the name of the template object. If the name of the filter does not comply with the template, the user cannot create the object. |
| Host | Filter for agent names (job execution,
file transfer source).
Maximum 200 characters The wildcard characters "*" and "?" can be used. This field can also include more than one filter. Several filters must be separated by commas. |
| Login |
Filter for names of Login objects (job execution, file transfer source, registered job output files. Maximum 200 characters The wildcard characters "*" and "?" can be used. This field can also include more than one filter. Several filters must be separated by commas. |
| File Name (S) | Filter for file names (file transfer
source, registered job output file). Maximum 255 characters The wildcard characters "*" and "?" can be used. This field can also include more than one filter. Several filters must be separated by commas. |
| Host (D) | Filter for agent names (file transfer
destination).
Maximum 200 characters The wildcard characters "*" and "?" can be used. This field can also include more than one filter. Several filters must be separated by commas. |
| Login (D) | Filter for names of Login objects (file transfer
destination).
Maximum 200 characters The wildcard characters "*" and "?" can be used. This field can also include more than one filter. Several filters must be separated by commas. |
| File Name (D) | Filter for file names (file transfer
destination).
Maximum 255 characters The wildcard characters "*" and "?" can be used. This field can also include more than one filter. Several filters must be separated by commas. |
| R | Read access
Allows opening objects and folders. |
| W | Write access
Allows modifying objects. When this authoriThis right used in folders has the effect that a user can create objects in it. |
| X | Access method: Execute
Executing objects is possible. |
| D | Access method: Delete
Deleting objects and folders is possible. Links are not objects. If a user intends to delete a link, s/he requires a write right for the folder in which the link is stored but no deletion right. |
| C | Access method: Cancel
Note that you can also cancel active objects. |
| S | Access to statistics |
| P | Access to reports |
| M | Access method: Modify at runtime This access method permits the setting of trace options on Automation Engines or agents and the ending of RemoteTaskManager and Event objects. |
| L |
Allows Service Orchestrator (SVO) users to define Automation Engine SLAs for objects with the allowed object types. The allowed object types are CALL, EVNT (all four kinds: EVNT.FILE, EVT.TIME, EVNT.DB, EVNT.CONS), JOBF, JOBP, JOBS, SCRI. In SVO only objects of these types appear in the list for selecting an object for an SLA. |
Note the following for using authorization filters for object attributes:
If an object's attribute (such as Login) does not contain a value (""), the wildcard character * is used for comparison with filter lines. If an authorization line contains a particular filter for this attribute (Login), it is still checked.
For example: The object JOBS.TEST does not contain a Login object. The following lines are still used in the authorization check:
| Grp | Type | Name | Host | Login | File name (S) | Host (D) | Login (D) | File name (D) |
|---|---|---|---|---|---|---|---|---|
| 1 | JOBS | JOBS.TEST | * | LOGIN.* | * | * | * | * |
| 1 | JOBS | JOBS.TEST | * | LOGIN.TEST.* | * | * | * | * |
Definition of Rights
Depending on the selected type, entry fields in the table's columns are open or closed. For each field, a small tooltip text (help) is displayed in the table's heading when the mouse pointer stops on it.
Several specifics apply for access rights to folders: When you filter path names, the folder must be specified in a way that corresponds to the top folder of the client (Root). The filter specification starts with a "\" character. Individual sub-folders must also be separated with this character unless the wildcard character "*" is used. If the filter ends with "*" (asterisk), the authorizations apply to the folder and all its sub-folders. If the filter ends with "\" (back-slash), access is granted only to the sub-folders of this structure. Authorizations to folders are not passed on to the objects they contain.
Filters that include identification, directories or path specifications are displayed in the fields "File Name (Q)" and "File Name (Z)" of FileTransfer objects. If "C:\TEMP\*" is specified in the "File Name (Z)", files of any required names can be transferred to this directory via file transfer.
Access modes can be determined in the fields following the "File Name (Z)". They can also be deselected using the space bar or with a mouse click. Press Save in the toolbar to immediately activate access rights or denials.
Each object type has different rights. TimeZone objects cannot be executed, for example. Therefore, the right "X" is ignored. The following illustration shows the rights that can be used for the individual object types.
The object type API refers to the CallAPI utility.
| Object type | R | W | X | D | C | S | P | M |
|---|---|---|---|---|---|---|---|---|
| API |
|
|
||||||
| BU |
|
|
||||||
| CALE |
|
|
|
|
||||
| CALL |
|
|
|
|
|
|
|
|
| CITC |
|
|
|
|||||
| CLNT |
|
|
|
|
|
|||
| CODE |
|
|
|
|||||
| CONN |
|
|
|
|||||
| CPIT |
|
|
|
|
|
|
|
|
| DASH |
|
|
|
|||||
| DOCU |
|
|
|
|||||
| EVNT |
|
|
|
|
|
|
|
|
| FILTER |
|
|
|
|||||
| FOLD |
|
|
|
|||||
| HOST |
|
|
|
|
|
|
|
|
| HOSTG |
|
|
|
|
|
|
|
|
| HSTA |
|
|
|
|||||
| JOBD |
|
|
|
|
|
|
|
|
| JOBF |
|
|
|
|
|
|
|
|
| JOBG |
|
|
|
|
|
|
|
|
| JOBI |
|
|
|
|
||||
| JOBP |
|
|
|
|
|
|
|
|
| JOBQ |
|
|
|
|
|
|
|
|
| JOBS |
|
|
|
|
|
|
|
|
| JSCH |
|
|
|
|
|
|
|
|
| LOGIN |
|
|
|
|
||||
| PRPT |
|
|
|
|
||||
| QUEUE |
|
|
|
|
|
|
|
|
| REPORT |
|
|||||||
| SCRI |
|
|
|
|
|
|
|
|
| SERV |
|
|
|
|
|
|
|
|
| SLA |
|
|
||||||
| SYNC |
|
|
|
|
|
|
|
|
| TZ |
|
|
|
|||||
| USER |
|
|
|
|
|
|
||
| USRG |
|
|
|
|||||
| VARA |
|
|
|
|||||
| XLS |
|
|
|
Service Orchestrator
The Service Orchestrator is an independent product that uses the authorization and user system of the Automation Engine. There are specific authorizations and types that are explained below:
| Authorization | Object type | Name / Filter for the names | Description |
|---|---|---|---|
| L | CALL, JOBF, JOBP, JOBS, SCRI | Object name | Users require the L right to be able to define SLAs for objects. The particular objects can be determined in User and UserGroup objects. |
| R | BU | Name of a Business Unit | Viewing SLAs that belong to the specified Business Unit in monitoring and reporting view. |
| W | BU | Name of a Business Unit | Editing SLAs that belong to the specified Business Unit. |
| R | SLA | SLA name | Viewing SLAs in monitoring and reporting view. |
| W | SLA | SLA name | Editing SLAs (SLA management) |