Example: Managing Authorizations and Privileges

This scenario shows you how to grant a new user authorizations and privileges in the Automation Engine, and folder authorizations and permissions in CDA.

This page includes the following:

What Will You Learn?

  • Which types of permissions should be granted to a new user
  • How to grant Automation Engine authorizations and privileges.
  • How to grant Release Automation folder authorizations, permissions and approval rights.
  • How to grant administrator rights to a CDA user.

Prerequisites

  • You have administrator rights to manage users.
  • A user has already been created and is available in your CDA system.

Permission Types

A new CDA user should be granted the following types of rights and permissions:

Graphic depicting permission types

Granting Automation Engine and CDA Permissions

As an Administrator, you want to grant the necessary permissions and authorizations to Steve, a new user you have just created. To do so, you follow the steps below:

  1. Grant Automation Engine authorizations
  2. Grant Automation Engine privileges
  3. Grant Release Automation folder authorizations
  4. Grant Release Automation permissions
  5. Grant Release Automation approval requests

To Access the User

  1. Log in to the CDA system.
  2. Open the Administration perspective.
  3. Double-click the user Steve from the Users list.

Automation Engine Authorizations

Important!

Restricting the use of AE objects to CDA users via AE authorizations is possible but not recommended.

Although the underlying object model is the same for CDA and the Automation Engine (a CDA Workflow has the same configuration logic as an Automation Engine Workflow), the functional object model is different (AE = workload objects, CDA = entities).

Therefore, we advise you to enable all authorizations to all AE objects and use CDA's authorization model to secure the CDA environment.

For the purpose of this use case, however, we assume that, as an Administrator, you want to grant or deny Steve rights to specific Automation Engine objects (for example: Jobs - JOBS, Workflows - JOBP...), files, execution data, reports, etc.

The Automation Engine Authorizations are configured as a matrix-based system. It uses up to 9 Groups and Boolean logic. Note that the negating boolean (NOT) is available and can be selected as a group.

Image showing automation engine authorizations

To grant Steve authorizations to objects:

  1. Specify objects, type of objects (for example, Jobs) or groups of objects.
  2. Select the individual rights he should have. The following rights can be set: 
    • READ: See objects
    • WRITE: Create / Update
    • EXECUTE: Executable objects (like CDA Workflows) – No effect on non-executable
    • DELETE: Delete
    • CANCEL: Interrupt an executing object (or, „active Task“, such as a Job in mid-execution)
    • EXECUTIONS: Access executions for the executed object (formerly known as Statistics)
    • OPEN REPORT: Open any report for the executed object
    • MODIFY AT RUNTIME: Set trace options on Automation Engine or agents

For example, if you do not want to allow Steve to delete any objects in the system, you should configure the matrix as follows:

Image showing automation engine authorizations

For more information, see: Granting Automation Engine Authorizations

Automation Engine Privileges

On this page, you allow/deny access to specific folders and objects, and grant CRUD rights and privileges to functions. For example: Explorer folders, admin functions, perspectives, and messages.

Make sure you grant Steve access to the Release Automation perspective, among others.

For more information, see: Granting Automation Engine Privileges

Release Automation Folder Authorizations

On this page, you grant Steve Read, Use, Write, Delete, and Execute rights to Release Automation folders, which contain, CDA entities (Applications, Component, Workflows...).

  1. In the Release Automation section, select the Folder Authorizations tab.
  2. For this use case, you select the appropriate checkboxes to grant Steve read, use and write permissions to the entities saved in the DEV, QA and STAGING folders.

    Image showing release automation folder authorizations

For more information, see: Granting Release Automation (CDA) Folder Authorizations

Release Automation Permissions

On this page, you can grant Steve permissions to create main types and custom types in CDA.

Important! You can also assign him an Administrator role to grant him permissions to create all types.

Image showing release automation permissions

For more information, see: Assigning Release Automation (CDA) Permissions

Release Automation Approval Requests

On this page, you add subscriptions and within them condition parameters to determine which types of requests Steve is entitled to approve.

In this case, you want him to be able to approve requests for workflows of type install, but only for the DemoApp Application. To configure this, you do the following:

  1. In the Release Automation section, select the Approval Request tab.
  2. Click Add Subscription.
  3. Create and IF condition with the following settings:
    • Main Type: Workflow
    • Type property: Custom Type
    • Comparison operator: is equal to
    • Value: Install

  4. Create an AND condition with the following settings:

    • Main Type: Application
    • Type property: Name
    • Comparison operator: is equal to
    • Value: DemoApp

graphic depicting approval request process

For more information, see: Managing Approval Requests in CDA

See also: