Allow Users to Only Execute Certain Jobs in WCC Using EEM Policies
Created By: Jameela Hudson
Scenario: You have two groups of WCC users: administrators and schedulers. You want administrators to have full permissions on all AE jobs. You want schedulers to have restricted permissions on AE jobs - based upon their global user group, they should only be able to execute jobs that start with a particular string of characters.
Solution: Use Workload Automation AE policies in EEM to grant full permissions to the administrators and restricted permissions to the schedulers.
Objectives:
(1) create a read and execute as-job policy, (2) perform a permission check to verify policies work as expected, and (3) check the WCC GUI to see if users can execute certain jobs.
=====================================================================================
Create an as-job Policy with Read and Execute Permissions
1. Log into the EEM GUI under the <WorkloadAutomationAE> Application.
2. Click on the ‘Manage Access Policies’ tab. On the left-hand side navigation panel, under ‘Access Policies’, click on
the ‘as-job’ policy link.
3. Create a new as-job policy by clicking on the icon (inside the red circle) next to the ‘as-job’ policy link.
Under the General Heading, give the policy a name. Leave all other fields with their default settings. Add a
description of the policy, if needed. (This is helpful if you plan on creating and using multiple policies for multiple
global user groups.)
4. Under ‘Identities’, add the global user group(s). Under ‘Type’ [red box], select ‘Global Group’ from the dropdown
box and click ‘Search Identities’. Select the global user group(s) and click the blue arrow to add them to the
‘Selected Identities’ list.
NOTE: If you are using LDAP/Active Directory, type the name or partial name of the global user group in the
Value field and then click the Search Button. Clicking on the Search Button without entering a name or partial
name will cause latency because EEM is searching for every global user group in LDAP/Active Directory.
5. Under ‘Access Policy Configuration’, for ‘Actions’, check off ‘Read’ and ‘Execute’ [pink box]. For ‘Resources’,
under ‘Add resource:’, type the 3-letter Autosys instance name with a period and asterisk [brown box] and then
click the plus sign.
NOTE: If you have more than one instance of AutoSys that users should have access to, add those additional
instances as resources.
6. Click on the ‘Add Filter’ button and select/type the information below:
a. In the red box, select ‘request’ from the dropdown menu.
b. In the red box, select ‘resource’ from the dropdown menu.
c. In the purple box, leave ‘STRING’ set in the dropdown menu.
d. In the purple box, select ‘STARTSWITH --*’ from the dropdown menu.
e. In the blue box, select ‘value’ from the dropdown menu.
f. In the blue box, type the 3-letter instance name, followed by a period (.), followed by a string of characters
associated with the job name that you want users to be able to see and execute. The string is CASE
SENSITIVE.
g. In the brown box, select ‘global user group’ from the dropdown menu.
h. In the brown box, select ‘Name’ from the dropdown menu.
i. In the pink box, leave ‘STRING’ set in the dropdown menu.
j. In the pink box, select ‘EQUAL ==’ from the dropdown menu.
k. In the green box, select ‘value’ from the dropdown menu.
l. In the green box, type the name of the global user group that should be able to see the view specified in the
filter.
If there is more than one group of jobs that users should be able to execute, you can add multiple rows in the
filter [turquoise box].
Summation of Filter: The global user group, ‘AE_Schedulers’, will be able to execute sendevent commands on all
jobs that have been defined under the DCE Autosys instance and that begin with the string ‘ASG’ or ‘GV’. If a job has
been defined under another Autosys instance that is not DCE or does not begin with the string ‘ASG’ or ‘GV’,
then the global user group will not be able to execute those jobs.
NOTE: Be mindful of the logic operators and parentheses placement. If you use the wrong operator or if there
are too many/not enough parentheses, the logic for the filter may not be evaluated correctly.
7. Click Save – this is what the completed policy looks like:
Create an as-job Policy with Full Permissions (Admin Policy)
NOTE: This policy is for all users who should have all permissions on all jobs for a specific Autosys instance.
1. Click on the ‘Manage Access Policies’ tab. On the left-hand side navigation panel, under ‘Access Policies’, click on
the ‘as-job’ policy link.
2. Create a new as-job policy by clicking on the icon (inside the red circle) next to the ‘as-job’ policy link.
3. Under the General Heading, give the policy a name. Leave all other fields with their default settings. Add a
description of the policy, if needed. (This is helpful if you plan on creating and using multiple policies for multiple
global user groups.)
4. Under ‘Identities’, add the global user group(s). Under ‘Type’ [red box], select ‘Global Group’ from the dropdown
box and click ‘Search Identities’. Select the global user group(s) and click the blue arrow to add them to the
‘Selected Identities’ list.
NOTE: If you are using LDAP/Active Directory, type the name or partial name of the global user group in the
Value field and then click the Search Button. Clicking on the Search Button without entering a name or partial
name will cause latency because EEM is searching for every global user group in LDAP/Active Directory.
5. For ‘Actions’, leave [All Actions] checked off. For ‘Resources’, under ‘Add resource:’, type the 3-letter Autosys
instance name with a period and asterisk and then click the plus sign.
NOTE: If you have more than one instance of AutoSys that users should have access to, add those additional
instances as resources.
6. Click Save – this is what the completed policy looks like:
7. On the left-hand side navigation panel, under ‘Access Policies’, click on the ‘as-job’ policy link.
8. Click on the Default Job Policy link associated with the 3-letter Autosys instance specified in your custom policy.
9. Check off the checkbox next to ‘Disabled’ - then save the policy.
10. To confirm that the default policy was disabled, click on the ‘as-job’ policy link and look under the ‘Options’
column – the policy should be disabled.
NOTE: If you do not disable the Default Job Policy, any user who has access to the AE server where that instance
has been defined, can create/view/edit/delete/execute any and all jobs.
NOTE: Any user(s) or global user group(s) not specified in any of the created as-job policies will not be able to
view or execute jobs in the WCC GUI.
Perform a Permission Check
Perform a permission check to see if the policies are set up correctly.
1. Under the ‘Manage Access Policies’ tab, click the ‘Permission Check’ link.
2. This permission check will be on the as-job policies:
a. For the ‘Resource Class’, select ‘as-job’ from the dropdown menu.
b. For ‘Action’, select ‘execute’ from the dropdown menu.
c. For ‘Resource’, type the 3-letter Autosys instance name with a period and asterisk.
d. For ‘Identity’, type the name of a user. (For testing, choose a user who should have read and execute only
permissions.)
NOTE: For the ‘Identity’ field, you must enter an individual username. You cannot enter global user group or
dynamic user group names.
3. Click the ‘Run Permission Check’ button.
The permission check results should show DENY. This is expected because the user specified in the ‘Identity’
field does have execute permissions, but only on jobs that begin with ‘ASG’ or ‘GV’, and the resource entered
here does not begin with either string.
4. Change the ‘Resource’ to include a string of characters that represent a job name.
5. Click ‘Run Permission Check’ button.
The permission check results should show ALLOW. This is expected because the user specified in the ‘Identity’
field has execute permissions on jobs that begin with ‘ASG’. The Permission Check tells me what Policy granted
the permission [blue box].
Check WCC for Job Execution Results
Log in to the WCC GUI as a user who should only be able to execute jobs that begin with ‘ASG’ or ‘GV’.
Go to the QuickView tab, place a wildcard character in the Search field and click Go to bring up all the jobs defined on
the AE server. Another option is to go to the Monitoring tab and access the jobs you want users to execute.
NOTE: Because all WCC users have access to the backend server (Autosys), they will be able to see all of the jobs defined
on the server.
In this example, the user was able to start ‘ASG_job’ and ‘GV_job’ successfully.
When the user tried to start ‘displaydb’, they were denied permission to start this job. They are not allowed to execute
jobs that do not begin with ‘ASG’ or ‘GV’.
NOTE: Strings ‘ASG’ and ‘asg’ are not equal. If you want jobs that begin with ‘asg’, then the logic filters in the EEM as-job
policy must be adjusted to include ‘asg’ and any other variation of the string (‘Asg’, ‘aSg’, etc.).
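
The filter from step 6 and the DENY/ALLOW results from the Permission Check section, modelled as an added Python example (not part of the original document, and not EEM's own evaluation engine or API). It assumes the policy's Selected Identities hold AE_Schedulers plus a hypothetical second group, Other_Group, to show how misplaced parentheses in the filter change which group can execute ‘ASG’ jobs.

```python
# Simplified model of the read/execute as-job policy on this page.
# Not EEM's engine or API. Assumption: Selected Identities contain
# AE_Schedulers and a hypothetical second group, Other_Group.
INSTANCE = "DCE"                         # instance from the page's example
IDENTITIES = ("AE_Schedulers", "Other_Group")
ACTIONS = ("read", "execute")            # actions checked in the policy
GROUP = "AE_Schedulers"                  # group name used in the filter


def intended_filter(resource, groups):
    """(STARTSWITH 'DCE.ASG' OR STARTSWITH 'DCE.GV') AND group == GROUP."""
    by_name = resource.startswith("DCE.ASG") or resource.startswith("DCE.GV")
    return by_name and GROUP in groups


def misgrouped_filter(resource, groups):
    """Same rows, parentheses misplaced: ASG OR (GV AND group == GROUP)."""
    return resource.startswith("DCE.ASG") or (
        resource.startswith("DCE.GV") and GROUP in groups)


def permission_check(resource, action, groups, filt=intended_filter):
    """Return 'ALLOW' or 'DENY' for one request against the modelled policy."""
    if action not in ACTIONS:
        return "DENY"
    if not any(g in IDENTITIES for g in groups):
        return "DENY"                    # policy does not apply to this user
    if not resource.startswith(INSTANCE + "."):
        return "DENY"                    # outside the 'DCE.*' resource entry
    return "ALLOW" if filt(resource, groups) else "DENY"


# Constructed requests mirroring the checks walked through on this page.
CASES = [
    ("DCE.*", "AE_Schedulers"),          # bare instance wildcard
    ("DCE.ASG_job", "AE_Schedulers"),
    ("DCE.GV_job", "AE_Schedulers"),
    ("DCE.displaydb", "AE_Schedulers"),
    ("DCE.asg_job", "AE_Schedulers"),    # STARTSWITH is case sensitive
    ("DCE.ASG_job", "Other_Group"),      # only the misgrouped filter allows it
]

if __name__ == "__main__":
    for resource, group in CASES:
        good = permission_check(resource, "execute", [group])
        bad = permission_check(resource, "execute", [group], misgrouped_filter)
        note = "  <-- over-grant" if good != bad else ""
        print(f"{resource:14} {group:14} intended={good:5} misgrouped={bad}{note}")
```

Running the same request list through both filters before saving a policy change shows which rows would start granting execute to a group the filter was meant to exclude.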