Example: Managing Authorizations and Privileges
This scenario shows you how to grant a new user authorizations and privileges in the Automation Engine, and folder authorizations and permissions in CDA.
This page includes the following:
What Will You Learn?
- Which types of permissions should be granted to a new user
- How to grant Automation Engine authorizations and privileges.
- How to grant Release Automation folder authorizations, permissions and approval rights.
- How to grant administrator rights to a CDA user.
Prerequisites
- You have administrator rights to manage users.
- A user has already been created and is available in your CDA system.
Permission Types
A new CDA user should be granted the following types of rights and permissions:
Granting Automation Engine and CDA Permissions
As an Administrator, you want to grant the necessary permissions and authorizations to Steve, a new user you have just created. To do so, you follow the steps below:
- Grant Automation Engine authorizations
- Grant Automation Engine privileges
- Grant Release Automation folder authorizations
- Grant Release Automation permissions
- Grant Release Automation approval requests
To Access the User
- Log in to the CDA system.
- Open the Administration perspective.
- Double-click the user Steve from the Users list.
Automation Engine Authorizations
Important!
Restricting the use of AE objects to CDA users via AE authorizations is possible but not recommended.
Although the underlying object model is the same for CDA and the Automation Engine (a CDA Workflow has the same configuration logic as an Automation Engine Workflow), the functional object model is different (AE = workload objects, CDA = entities).
Therefore, we advise you to enable all authorizations to all AE objects and use CDA's authorization model to secure the CDA environment.
For the purpose of this use case, however, we assume that, as an Administrator, you want to grant or deny Steve rights to specific Automation Engine objects (for example: Jobs - JOBS, Workflows - JOBP...), files, execution data, reports, etc.
The Automation Engine Authorizations are configured as a matrix-based system. It uses up to 9 Groups and Boolean logic. Note that the negating boolean (NOT) is available and can be selected as a group.
To grant Steve authorizations to objects:
- Specify objects, type of objects (for example, Jobs) or groups of objects.
- Select the individual rights he should have. The following rights can be set:
- READ: See objects
- WRITE: Create / Update
- EXECUTE: Executable objects (like CDA Workflows) – No effect on non-executable
- DELETE: Delete
- CANCEL: Interrupt an executing object (or, „active Task“, such as a Job in mid-execution)
- EXECUTIONS: Access executions for the executed object (formerly known as Statistics)
- OPEN REPORT: Open any report for the executed object
- MODIFY AT RUNTIME: Set trace options on Automation Engine or agents
For example, if you do not want to allow Steve to delete any objects in the system, you should configure the matrix as follows:
For more information, see: Granting Automation Engine Authorizations
Automation Engine Privileges
On this page, you allow/deny access to specific folders and objects, and grant CRUD rights and privileges to functions. For example: Explorer folders, admin functions, perspectives, and messages.
Make sure you grant Steve access to the Release Automation perspective, among others.
For more information, see: Granting Automation Engine Privileges
Release Automation Folder Authorizations
On this page, you grant Steve Read, Use, Write, Delete, and Execute rights to Release Automation folders, which contain, CDA entities (Applications, Component, Workflows...).
- In the Release Automation section, select the Folder Authorizations tab.
- For this use case, you select the appropriate checkboxes to grant Steve read, use and write permissions to the entities saved in the DEV, QA and STAGING folders.
For more information, see: Granting Release Automation (CDA) Folder Authorizations
Release Automation Permissions
On this page, you can grant Steve permissions to create main types and custom types in CDA.
Important! You can also assign him an Administrator role to grant him permissions to create all types.
For more information, see: Assigning Release Automation (CDA) Permissions
Release Automation Approval Requests
On this page, you add subscriptions and within them condition parameters to determine which types of requests Steve is entitled to approve.
In this case, you want him to be able to approve requests for workflows of type install, but only for the DemoApp Application. To configure this, you do the following:
- In the Release Automation section, select the Approval Request tab.
- Click Add Subscription.
- Create and IF condition with the following settings:
- Main Type: Workflow
- Type property: Custom Type
- Comparison operator: is equal to
- Value: Install
-
Create an AND condition with the following settings:
- Main Type: Application
- Type property: Name
- Comparison operator: is equal to
- Value: DemoApp
For more information, see: Managing Approval Requests in CDA
See also: