Granting Users/User Groups Authorizations to Folders/Objects
On this page you grant or deny rights to access and/or work with Automation Engine objects, files, execution data, reports, etc.
This topic provides information on the following:
- Granting/Denying Authorizations
- Required Permissions for Predefined Automic Objects
- Defining Authorizations to Folders and their Contents
- Rights Applicable to Object Types
Granting/Denying Authorizations
Rights consist of access permissions and restrictions. The rights of a user are based on an authorization profile and the authorization profiles of all groups to which the user belongs. On this page you grant or deny rights to the user.
Here you can grant rights for the following:
| Field/Control | Description |
|---|---|
| Grp. |
This grants or denies access rights. The Automation Engine provides 9 authorization groups that you can use to combine multiple sets of access rights. Access rights of the same group are connected via a logical OR. Access rights of different groups are connected via a logical AND. NOT stands for access denial. It does not depend on an authorization group and applies in all cases. |
| Type |
This specifies the object type (short name) to which this set of access rights applies. The '*' wildcard character means that they apply to all object types. |
| Name |
This specifies the object and/or the folder to which the access rights apply. It can contain up to 200 characters. You have several possibilities here:
You can use the wildcard characters ("*" for any number of characters and "?" for exactly one character). Folder and subfolder paths must always start with a "\". When you create an object, the name of the object and/or folder you define here is compared with the name of the template object. If the names do not correspond, you are not able to create the object. |
| Agent* | Filters for Agent names (this might be relevant for Job execution, File Transfer sources, etc.).
Maximum: 200 characters You can use the following wildcard characters here:
This field can also include more than one filter. In this case, they must be separated by commas. |
| Login* |
Filter for names of Login objects (job execution, file transfer source, registered job output files). Maximum: 200 characters You can use the following wildcard characters here:
This field can also include more than one filter. In this case, they must be separated by commas. |
| File Name (S)* |
Filter for file names (file transfer source, registered job output files). Maximum: 255 characters You can use the following wildcard characters here:
This field can also include more than one filter. In this case, they must be separated by commas. |
| Agent (D)* | Filter for agent names (
file transfer destination).
Maximum: 200 characters You can use the following wildcard characters here:
This field can also include more than one filter. In this case, they must be separated by commas. |
| Login (D)* | Filter for names of Login objects (
file transfer destination).
Maximum: 200 characters The wildcard characters "*" and "?" can be used. This field can also include more than one filter. Several filters must be separated by commas. |
| File Name (D)* | Filter for file names (
file transfer destination).
Maximum: 255 characters You can use the following wildcard characters here:
This field can also include more than one filter. In this case, they must be separated by commas. |
| R | Grants Read rights.
Opening objects and folders is possible. See also Read rights to folders for additional information |
| W | Grants Write rights.
Modifying objects is possible. This right granted for folders has the effect that a user can create objects in it. |
| X | Grants Execute rights.
Executing objects is possible. |
| D | Grants Delete rights.
Deleting objects and folders is possible. Links are not objects. If a user intends to delete a link, s/he requires write access to the folder in which this link is stored. No deletion right is required. |
| C | Grants Cancel rights.
Canceling active objects is possible. |
| S | Grants access to execution data |
| P | Grants access to reports |
| M | Grants Modify to Runtime rights This allows the setting of trace options on Automation Engines or agents and the ending of RemoteTaskManager and Event objects. |
* These columns are not displayed by default. To see them, click 
on the header row to open the list of available columns. The visible ones are marked with a tick, the hidden ones are grayed out. Select the one you need to make it visible; click it again to hide it.
Note the following for using authorization filters for object attributes: If an object's attribute (such as Login) does not contain a value (""), the wildcard character * is used for comparison with filter lines. If an authorization line contains a particular filter for this attribute (Login), it is still checked.
Example
In the User object, you first define Grp. 1 to grant a user Read, Write, and Execution rights on all objects that contain TEST or PRE_PROD in their Name. Then you define Grp.2 to restrict these rights to Agent PSA only.
The user tries to execute the following Job Object (JOBS):
-
PRE_PROD.JOBS.NO.GRANT not on Agent PSA
-
TEST.JOBS.GRANT on Agent PSA
The user is denied access to the first job, while the second job ends normally on Agent PSA:
Required Permissions for Predefined Automic Objects
In order to execute certain predefined Automic objects, additional permissions have to be set for their internally referenced Include, PromptSet, and Variable objects. These objects' names all start with XC_, so you can give a user read access to them by adding XC_* in the Name field and checking the box in the R column as shown below:
Defining Authorizations to Folders and their Contents
Since Folders are also objects, you can use them to collect objects and grant/deny users and user groups permissions to them at folder level.
Take the following into account when defining folder authorizations:
-
A user who has read rights on a folder can also search for that folder. That is, to be able to search for a folder it is necessary to have at least read rights on that folder.
Conversely, if a user with no rights on a folder makes a search for it via the Global Search function, the folder will be displayed on the resulting dropdown list but the user will not be able to open it or access its contents..
-
To filter path names, the folder must be specified relative to the top folder of the client (Root).
The filter specification starts with a "\" character. Individual sub-folders must also be separated with this character unless the wildcard character"*" is used.
If the filter ends on a "*" character, the authorizations apply for the indicated folder and all sub folders in this structure.
If the filter ends on a "\", access is only granted to the sub folders of this structure.
Authorizations given to folders are not passed on to the objects they contain.
-
Filters that include identification, directories or path specifications are displayed in the File Name (Q) and File Name (Z) fields of File Transfer Objects (JOBF).
If "C:\TEMP\*" is specified in the File Name (Z) field , files of any name are transferred to this directory via file transfer.
-
Access modes can be determined in the fields following File Name (Z). They can also be deselected using the space bar or a mouse click.
Click Save to activate access rights or denials immediately.
Rights Applicable to Object Types
Each object type has different rights. For example, TimeZone objects cannot be executed, therefore the X-Execute right is ignored.
This table shows the rights you can use for the each object type:
| Object type | R | W | X | D | C | S | P | M |
|---|---|---|---|---|---|---|---|---|
| CALE |
|
|
|
|
||||
| CALL |
|
|
|
|
|
|
|
|
| CLNT |
|
|
|
|
|
|||
| CODE |
|
|
|
|||||
| CONN |
|
|
|
|
||||
| DASH |
|
|
|
|||||
| DOCU |
|
|
|
|||||
| EVNT |
|
|
|
|
|
|
|
|
| FILTER |
|
|
|
|||||
| FOLD |
|
|
|
|||||
| HOST |
|
|
|
|
|
|
|
|
| HOSTG |
|
|
|
|
|
|
|
|
| HSTA |
|
|
|
|||||
| JOBD |
|
|
|
|
|
|
|
|
| JOBF |
|
|
|
|
|
|
|
|
| JOBG |
|
|
|
|
|
|
|
|
| JOBI |
|
|
|
|
||||
| JOBP |
|
|
|
|
|
|
|
|
| JOBQ |
|
|
|
|
|
|
|
|
| JOBS |
|
|
|
|
|
|
|
|
| JSCH |
|
|
|
|
|
|
|
|
| LOGIN |
|
|
|
|
||||
| PERIOD |
|
|
|
|||||
| PRPT |
|
|
|
|||||
| QUEUE |
|
|
|
|
|
|
|
|
| REPORT |
|
|||||||
| SCRI |
|
|
|
|
|
|
|
|
| SERV |
|
|
|
|
|
|
|
|
| STORE |
|
|
|
|||||
| SYNC |
|
|
|
|
|
|
|
|
| TZ |
|
|
|
|||||
| USER |
|
|
|
|
|
|
||
| USRG |
|
|
|
|||||
| VARA |
|
|
|
|||||
| XLS |
|
|
|
See also: