Granting Automation Engine Privileges
As an administrator, when you set up the system you can create and configure User objects, both through AWI and through the REST API. In AWI, User objects have various definition pages. On the Automation Engine> Privileges page you specify the AWI areas, functions, folders and some system object objects to which the User will have access. For information about how to set the Privileges though the REST API, see AE REST API - Granting Authorizations and Privileges.
This topic describes the privileges that you can assign to Users. The name of the privileges vary between AWI and the REST API. The sections in this topic provide tables that map the names of the privileges in both.
Important! You can only assign privileges that your own User definition contains; an internal check guarantees that this restriction is honored system-wide, no matter whether you create or modify Users through AWI, the REST API, through an XML import or through the Java API. If you want to create or modify Users with more privileges that the ones that you have, you must have your own User definition modified first. You can use the AE DB Load Utility to grant Automic Automation administrator Users all available privileges. Using the UC/UC/UC User for this purpose is NOT recommended; this User always has all privileges and is available upon installation to help you configure the system for the first time. Broadcom strongly discourages from using this User for other purposes.
For more information, see AE DB Load.
This page includes the following:
Access to Explorer Folders
This table describes the Access to Explorer Folders privileges and maps their names in AWI and in the REST API:
| AWI | REST API | Description |
|---|---|---|
| Access to <No Folder> | ACCESS_TO_NO_FOLDER |
Restored and transported objects are available here. This right gives users access to those objects. |
| Access to Recycle Bin | RECYCLE_BIN |
Deleted objects are in the Recycle Bin. This right allows users to restore deleted objects. Restored objects are available in the <No Folder> folder. |
| Access to Transport Case | TRANSPORT_CASE |
Users with this privilege can open objects that are in the Transport Case to be transported to a different Client or system. They can also delete objects from the Transport Case. |
| Access to Version Management | ACCESS_TO_VERSION_MANAGEMENT_FOLDER |
Users with this privilege can access the Version Management folder and open (in read-only mode), restore and delete saved object versions. Execution data and reports are also available in this folder. |
Access to Administrative Functions
This table describes the Administration privileges and maps their names in AWI and in the REST API:
| AWI | REST API | Description |
|---|---|---|
| Create diagnostic information | CREATE_DIAGNOSTIC_INFORMATION |
Right to the following:
To be able to work with the Quarantine, users also need the Modify right on server processes. |
| Database Maintenance | DB_MAINTENANCE |
Right to perform database maintenance activities (archive operational data, cancel archiving tasks, download archive files, etc.). |
| Enable/Disable automatic processing (STOP/GO) | AUTOMATIC_PROCESSING |
Right to change the status of the system and interrupt automatic processing. |
| ILM actions | ILM_ACTIONS |
Right to access the ILM pages (Partitions and History) and to configure ILM. For more information, see ILM - Information Lifecycle Management. |
| Manage favorites on User Group level | MANAGE_FAVORITES_ON_USERGROUP_LEVEL |
Right to configure the User Catalog. The user can configure User Groups and add them to the User Catalog folder in the Process Assembly perspective. This way, the users included in a User Group will have rights to the objects to which the User Group gives access. These objects are the available in their My Catalog dashboard. For more information, see Example: Configuring the User Catalog. |
| SAP Criteria Manager | SAP_CRITERIA_MANAGER |
Access to the SAP Criteria Manager via the Form page of SAP jobs. |
| Upgrade Agents (CAU) | EXECUTE_AGENT_UPGRADES |
Right to perform automatic Agent upgrades using the CAU solution. For more information, see Centralized Agent Upgrade (CAU). |
| Upgrade system, start and stop processes | EXECUTE_SYSTEM_UPGRADES |
Right to upgrade the system and to start and stop processes, both from AWI (on the Automation Engine Management > Processes and Utilization page in the Administration perspective), through the REST API and though script functions (:SHUTDOWN, :TERMINATE and MODIFY_SYSTEM). |
AWI Access Control
This table describes the AWI Access Control privileges that let you grant access to specific areas of AWI. It also maps their names in AWI and in the REST API:
| AWI | REST API | Description |
|---|---|---|
|
Access to Administration |
ACCESS_TO_ADMINISTRATION | Right to access the Administration perspective. |
|
Access to Analytics |
ACCESS_TO_ANALYTICS | Right to access the Analytics plug in. |
|
Access to Analytics for all clients |
ACCESS_TO_ANALYTICS_FOR_ALL_CLIENTS | Right to access the Analytics plug in on all the Clients in your system. |
|
Access to Dashboards |
ACCESS_TO_DASHBOARDS | Right to access the Home or Dashboards perspective. |
|
Access to Messages |
ACCESS_TO_MESSAGES | Right to access the Messages pane and read their content. |
|
Access to My Catalog |
ACCESS_TO_SERVICE_CATALOG | Right to access the My Catalog perspective. |
|
Access to Process Assembly |
ACCESS_TO_PROCESS_ASSEMBLY | Right to access the Process Assembly perspective. |
|
Access to Process Monitoring |
ACCESS_TO_PROCESS_MONITORING | Right to access the Process Monitoring perspective. |
Access to Advanced Editing
This table describes the Advanced Editing privileges that let you grant access to advanced administration tasks. It also maps their names in AWI and in the REST API:
| AWI | REST API | Description |
|---|---|---|
|
Create and modify Backend variables |
CREATE_AND_MODIFY_BACKEND_VARIABLES |
Right to create and edit Defining BACKEND VARA Objects. Users who do not have this privilege can open these variables only in read-only mode. |
|
Create and modify SQL-Internal variables |
CREATE_AND_MODIFY_SQL_INTERNAL_VARIABLES |
Right to create and modify SQL variables, both Secure and Internal (see SEC_SQL VARA Objects and SEC_SQLI VARA Objects) Prerequisite: The value in SQLVAR_INTERNAL must be YES (see UC_SYSTEM_SETTINGS - Systemwide Settings . If this privilege is not available, the variable type SQLI is not available for selection when creating variables. Internal SQL variables always open in read-only mode. |
|
Object properties: allow manually reset of 'Edit Hint' |
OBJECT_PROPERTIES_ALLOW_MANUAL_RESET_OF_EDIT_HINT |
If a user opens an object for editing, the object is marked. If a program interruption occurs during the editing process, the object keeps this tag even if the Automic Web Interface is restarted. Privileged users can remove this tag. |
Right to View Messages
This table describes the View Messages privileges that let you grant access to specific messages. It also maps their names in AWI and in the REST API:
| AWI | REST API | Description |
|---|---|---|
| Dump memory trace | DUMP_MEMORY_TRACE |
If granted, the Force memory trace dump button on the Messages pane is displayed, see Understanding the Messages Console. |
| View all messages from accorded client | VIEW_ALL_MESSAGESFROM_ACCORDED_CLIENT |
Right to see all messages that are addressed to the Client in which the User is defined. |
| View messages from own user group | VIEW_MESSAGES |
Right to see all messages that are addressed to the User Group of which the User is a member. |
| View messages to administrators | VIEW_ADMINISTRATORS_MESSAGES |
Right to see messages that are addressed to administrators. They are not assigned to any specific User or Client and inform about system-wide actions (such as a Server start). |
| View security messages | VIEW_SECURITY_MESSAGES |
Right to see security messages. These messages are not assigned to a specific User. They are created through the access check of the Authorization System. |
Access Control
This table describes the Access Control privileges that let you grant access to specific messages. It also maps their names in AWI and in the REST API:
| AWI | REST API | Description |
|---|---|---|
| Access to AutoForecast | ACCESS_TO_AUTOFORECAST |
Right to access the Auto Forecast function (automatic calculation of forecast data for tasks that will run within a specified period of time). For more information, see Autoforecast. |
| Access to deactivated tasks | ACCESS_TO_SELECTIVE_STATISTICS |
Right to filter for deactivated tasks. |
| Access to System Overview | ACCESS_SYSTEMOVERVIEW |
This privilege is selected and grayed out by default when you activate the Access to Administration privilege in the AWI Access Control section. It corresponds to a legacy privilege available in older versions of the Automation Engine and it is necessary to make upgrading from older versions of the Automation Engine possible. |
| Access to the metrics endpoint of Automation REST API | ACCESS_METRICS_ENDPOINT | Right to access the REST API endpoint that provides data about product usage (telemetry) and that is also used for performance monitoring. |
| Deal with authorizations at object level | DEAL_WITH_AUTHORIZATIONS_AT_OBJECT_LEVEL |
Right to specify or change exclusive access rights to objects. This right should be combined with write access (W) to the object. This is define at object level, see Defining the Authorizations Page. |
| FileEvents: Start without Login object specified | FILEEVENTS_START_WITHOUT_LOGIN_OBJECT_SPECIFIED |
Right to start FILE Events without using a Login object, that is, without entering specific user credentials. Granting or refusing this privilege affects the execution of FILE Events where the definition of a Login object is optional. |
| FileTransfer: Start without Login object specified | FILETRANSFER_START_WITHOUT_LOGIN_OBJECT_SPECIFIED |
Right to start File Transfers without using a Login object, that is, without entering specific user credentials. The Agent uses the credentials of the user who started it. Whether the Agent is allowed to process File Transfers without Login object is specified in the UC_HOSTCHAR_DEFAULT variable, key ANONYMOUS_FT, see UC_HOSTCHAR_DEFAULT - Host Characteristics. |
| Logon via CallAPI | LOGON_VIA_CALLAPI |
Right to access the Automation Engine system via the Call Interface. This allows users to start tasks from within their own programs or via the utility. |
| Modify the status of a task manually | MODIFY_THE_STATUS_OF_A_TASK_MANUALLY |
Right to change the status of tasks. The system does not check if the new status is a logical status. If status >= 1800 is set, the task ends. |
| Take over task | TAKE_OVER_TASK |
Tasks run under the user who has started them. Users need this privilege to be able to assume a task started by another User. The corresponding command is then displayed in the context menu. For more information, see Taking Over Ownership. |
| Token access and token creation | TOKEN_ACCESS_AND_TOKEN_CREATION |
Right to view and generate user tokens. If granted, the Tokens section in the User object definition is visible and the User can generate tokens. If not granted, this section is not visible. For more information, see Defining Users . |
| View server utilization of all clients | VIEW_SERVER_USAGE_OF_ALL_CLIENTS |
Right to view the server process workload in the individual Clients. |
See also:
- User Groups (USRG)
- Defining Users
- Granting Automation Engine Authorizations
- Minimum Required Authorizations
-
User Management: Defining and Managing the Authorization System
-
User Management: Watch the Videos
These videos explain Automic Automation's user management concept (user administration, their passwords and their access to Clients, as well as with the actions they can perform and the functions they have access to).