Role-Based Security with eEM Access Policies
You can use CA Embedded Entitlements Manager (eEM) to control AAI authentication and data access. To do this, you need to prepare eEM and then add an eEM user domain in AAI that you can use for user authentication and data access control.
To add the AAI application and its access policy classes to eEM
If you want to be able to use eEM to control AAI user access to data in your schedulers, you must add the AAI application to the eEM installation and then add the AAI access policy classes to eEM. Use the following steps to do so.
- Go to your AAI installation, and locate the file <Automic Automation Intelligence Installation>\scripts\eEM\JAWSCreate.xml
- Copy the file anywhere onto your eEM server. Note:
eEM can be installed on the same server as AAI or a different one.
- Add the AAI access policy classes and default policy settings to eEM
To do this, from your eEM installation folder, run the following command either from your command line interface or from within a script:
safex – u <username> –p <password> –f JAWSCreate.xml.Where the username and password are those of the eEM admin user.
Now you can use eEM to grant specific users access to AAI objects in the policy classes as you want.
The eEM Access Policies
The following topics provide details about eEM Access Policies:
- Custom Action Access Policy
- Application Access Policy
- Property Access Policy
- Report Criteria Access Policy
- Job Scheduler Access Policy
- User Access Policy
- User Domain Access Policy
- AutoSys Security Policies
- AutoSys Versions Supported
AAI does not restrict access to which jobs that a specific user can use to create jobstreams. If a user has the right to create jobstreams, the user can use any job as the target job for a new jobstream. Restricting job access interferes with building jobstreams correctly and with calculating jobstream run predictions accurately.
You can define eEM policies to control only who can view, edit, or delete existing jobstreams (by name or Business Area, or both).
To change the JAWS domain to AAI for eEM when upgrading to AAI 6.4.4 or higher
Use these steps only if you upgrade an AAI installation to release 6.4.4 or higher from any prior release. The steps will update the application name for AAI in eEM from its previous name "JAWS" to "AAI" so that it is easily identifiable in eEM.
You do this only once with any upgrade to 6.4.4 or higher, after which the changes are kept in future upgrades.
Please note, that if you do these steps, you will end up deleting all your custom access policies in eEM for AutoSys to AAI. At the end, only the default access policies will be applied.
The only advantage of doing these steps is purely cosmetic, that is, you will see "AAI" rather than "JAWS" as the Application Name in eEM and in AAI domain definitions. For information, see Configuring the eEM Domain.
If you have a lot of custom access policies defined for AutoSys in eEM, you might prefer to continue to see JAWS as an application name rather than redefine custom access policies.
You must start this procedure before upgrading to AAI 6.4.4 or higher!
If you are upgrading to a higher release and have done this in a previous release, you do not need to repeat the procedure. The changes from before will be kept in future upgrades.
- In eEM, unregister the JAWS application.
- Either from the command line interface or from within a script on the eEM server, go to the eEM installation folder and run the following command to delete the JAWS objects from eEM:
safex -f JAWSDestroy.xml. - On the AAI server, upgrade to AAI to release 6.4.4 or higher.
- Register AAI in eEM and add the AAI access policy classes and default policy settings to eEM.
- Go to your upgraded AAI installation, and locate the file <Automic Automation Intelligence Installation>\scripts\eEM\JAWSCreate.xml
- Copy the file to your eEM installation.
- Add the AAI access policy classes and default policy settings to eEM.
To do this, from your eEM installation folder, run the following command either from your command line interface or from within a script:
safex – u <username> –p <password> –f JAWSCreate.xml.Where the username and password are those of the eEM admin user.
- Now you can use eEM to grant specific users access to AAI objects in the policy classes as you want.