Automic strongly recommends that you thoroughly plan your authorization system as a first step: who actually requires access to the AE system, and which actions do they need to perform? Write down your findings; doing so makes it much easier to create users and user groups.
1. Creating user groups
You can assign rights to users and user groups. By using user groups you can reduce your administrative effort. User groups provide a clear overview from a central point and also increase security within your AE system.
2. Assigning privileges
The various functions of the UserInterface can only be used with the appropriate privileges. With newly created users or user groups, all privileges are inactive.
Be careful when you assign privileges because some functions affect the processing of an AE system or access security-relevant data.
A list of all privileges is provided in the UserGroup object's tab of the same name. Here you can activate all privileges or only specific ones.
Privileges given to a particular user and the corresponding user groups accumulate. Users are granted access to all the functions of the UserInterface that have been activated for them and the groups they belong to.
For example:
User Smith is granted access to the Recycle Bin and to the Transport Case.
Because he was granted the privilege "Logon via CallAPI" in one of the user groups he belongs to, he can also use CallAPIs.
3. Assigning rights
Access to folders, statistics, reports and objects is subject to authorizations. Note that servers and agents are also objects. Again, newly created users and user groups do not have any rights.
Be careful when you assign authorizations. You can also define access denials!
Authorizations are assigned in the UserGroup object's tab of the same name. The authorization group, or a denial (NOT), is entered in the very first column. Lines with the same number belong to the same authorization group, and the keyword NOT stands for a denial.
Rights assigned to a user and the corresponding user groups accumulate.
For example:
User Smith is allowed to read and execute all objects whose names start with "MM" and to call their statistics. Because the access rights write and delete were additionally defined for these "MM" objects in one of his UserGroups, he is also allowed to write and delete them.
For the sake of completeness, this document also describes how you can use different authorization groups. Nevertheless, Automic recommends using this functionality only in exceptional cases!
Whenever you define different authorization groups, the user is only granted the rights that are granted in all of the groups.
Take the same example as described above:
User Smith is allowed to read and execute all objects whose names start with "MM" and to call their statistics. In one of the user groups he belongs to, the access rights read, execute, write and delete have been defined for these objects in a different authorization group. In total, user Smith can only read and execute these objects (logical AND connection).
Denials ("NOT") always take precedence. If an access denial applies to a user or to one of the corresponding user groups, access to the particular section is not granted, regardless of which authorization groups grant it.
For example:
User Smith is authorized to execute jobs on all hosts. One of the user groups he belongs to contains a "NOT" for accessing the agent UNIX01. Therefore, user Smith cannot use this agent to execute tasks.
Specify denials in the Authorizations tab with the authorization group "NOT".
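The three evaluation rules from steps 2 and 3 (privileges accumulate; rights accumulate within one authorization group; different authorization groups are combined with logical AND; NOT always wins) are easy to get wrong when reviewing a UserGroup setup, so the following Python model re-creates the Smith scenarios from the text. This is an added example, not Automic code: the right codes (R, X, W, D, S), the object and group names, the single name filter per line (the real Authorizations tab has separate object type, name and host columns) and the handling of an authorization group that has no line matching the object are all constructed assumptions.

```python
"""Added example (not from the Automic documentation): a model of how
Automation Engine privileges and object rights accumulate across a user
and its user groups, following the rules stated in steps 2 and 3.

Rules modelled:
  * Privileges of the user and all of its groups accumulate (set union).
  * Within one authorization group, rights of the user and all of its
    groups accumulate (union).
  * If several authorization groups exist, a right is granted only if
    every authorization group that matches the object grants it (AND).
  * A NOT line that matches the object denies access regardless of any
    authorization group.
Right codes, names and rule layout are constructed for illustration.
"""
from dataclasses import dataclass, field
from fnmatch import fnmatchcase


@dataclass(frozen=True)
class AuthRule:
    """One line of an Authorizations tab.

    group:   authorization group number, or the keyword "NOT" for a denial
    pattern: object-name filter; shell-style '*' and '?' wildcards (assumed)
    rights:  constructed codes: R read, X execute, W write, D delete, S statistics
    """
    group: object
    pattern: str
    rights: frozenset = field(default_factory=frozenset)


@dataclass
class Principal:
    """A User or UserGroup object with its privileges and authorizations."""
    name: str
    privileges: frozenset = frozenset()
    authorizations: tuple = ()


def effective_privileges(user: Principal, groups: list) -> frozenset:
    """Privileges of the user and all its groups accumulate."""
    result = set(user.privileges)
    for g in groups:
        result |= g.privileges
    return frozenset(result)


def effective_rights(user: Principal, groups: list, object_name: str) -> frozenset:
    """Rights the user holds on object_name after applying the rules above."""
    rules = list(user.authorizations)
    for g in groups:
        rules.extend(g.authorizations)
    matching = [r for r in rules if fnmatchcase(object_name, r.pattern)]

    # 1. A denial on the user or on any of its groups wins outright.
    if any(r.group == "NOT" for r in matching):
        return frozenset()

    # 2. Rights accumulate within each authorization group (union).
    #    Assumption: groups with no matching line do not take part in the AND.
    per_group = {}
    for r in matching:
        per_group.setdefault(r.group, set()).update(r.rights)
    if not per_group:
        return frozenset()

    # 3. Across different authorization groups only common rights remain (AND).
    granted = None
    for rights in per_group.values():
        granted = set(rights) if granted is None else granted & rights
    return frozenset(granted)


def smith_examples() -> dict:
    """Re-creates the Smith scenarios from the text with constructed data."""
    smith = Principal("SMITH/DEV",
                      privileges=frozenset({"Recycle Bin", "Transport Case"}),
                      authorizations=(AuthRule(1, "MM*", frozenset("RXS")),))
    # Same authorization group (1): write/delete accumulate with Smith's rights.
    grp_same = Principal("GRP_MM_ADMIN", privileges=frozenset({"Logon via CallAPI"}),
                         authorizations=(AuthRule(1, "MM*", frozenset("WD")),))
    # Different authorization group (2): only rights present in both remain.
    grp_other = Principal("GRP_MM_FULL",
                          authorizations=(AuthRule(2, "MM*", frozenset("RXWD")),))
    # Host access: Smith may execute on all hosts, one group denies agent UNIX01.
    smith_hosts = Principal("SMITH/DEV", authorizations=(AuthRule(1, "*", frozenset("X")),))
    grp_deny = Principal("GRP_NO_UNIX01", authorizations=(AuthRule("NOT", "UNIX01"),))
    return {
        "privileges": effective_privileges(smith, [grp_same]),
        "same_group": effective_rights(smith, [grp_same], "MM.DAILY.LOAD"),
        "different_groups": effective_rights(smith, [grp_other], "MM.DAILY.LOAD"),
        "denied_agent": effective_rights(smith_hosts, [grp_deny], "UNIX01"),
        "other_agent": effective_rights(smith_hosts, [grp_deny], "WIN01"),
    }


if __name__ == "__main__":
    for scenario, result in smith_examples().items():
        print(f"{scenario}: {sorted(result)}")
```

Running the block shows the three outcomes side by side: the same-group case yields R, X, S, W and D; the different-group case shrinks to R and X; and the NOT line removes all access to UNIX01 while WIN01 remains executable. When reviewing a real UserGroup, apply the same order: look for NOT lines first, then check whether a right that appears to be granted actually lives in the same authorization group as the rest.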
4. Creating users
After having specified user groups, you can create your individual users. User object names are composed of the user name (the name of the Automation Engine user) and the department (the department to which the Automation Engine user belongs), separated by a slash (such as SMITH/DEV). A maximum of 200 characters is allowed.
Now fill in the User tab. You can also define that logging on is only allowed at a particular time of the day (such as between 08:00 am and 06:00 pm).
Only active users can log on to the AE system. You can set users active by checking the checkbox in the upper right half of the UserInterface. Removing this flag sets them inactive.
5. Allocating users to UserGroups
There are two ways of assigning users to user groups. You can either select the groups to which a user should belong from within the User object, or determine the members from within a UserGroup object. Both options are accessible through the UserGroup tab.
6. Access Trace Function
You can use the variable UC_CLIENT_SETTINGS to activate the Access Trace Function and decide upon what it should cover. You can define the category of access monitoring that should be activated - log on, object access, host access and/or privilege. Additionally, you can also specify whether access denials and/or access authorizations should be logged to the security messages of the System Overview.