Allow Users to Only Execute Certain Jobs in WCC Using … · Allow Users to Only Execute Certain...

Allow Users to Only Execute Certain Jobs in WCC Using EEM Policies

1

Created By: Jameela Hudson

Scenario: You have two groups of WCC users: administrators and schedulers. You want administrators to have full permissions on all AE jobs. You want schedulers to have restricted permissions on AE jobs - based upon their global user group, they should only be able to execute jobs that start with a particular string of characters.

Solution: Use Workload Automation AE polices in EEM to grant full permissions to the administrators and restricted permissions to the schedulers.

Objectives:

(1) create a read and execute as-job policy, (2) perform a permission check to verify policies work as expected, and (3) check the WCC GUI to see if users can execute certain jobs.

=====================================================================================

Create an as-job Policy with Read and Execute Permissions

1. Log into the EEM GUI under the <WorkloadAutomationAE> Application.

2. Click on the ‘Manage Access Policies’ tab. On the left-hand side navigation panel, under ‘Access Policies’, click on

the ‘as-job’ policy link.


2


3. Create a new as-job policy by clicking on the icon (inside the red circle) next to the ‘as-job’ policy link.

Under the General Heading, give the policy a name. Leave all other fields with their default settings. Add a

description of the policy, if needed. (This is helpful if you plan on creating and using multiple policies for multiple

global user groups.

4. Under ‘Identities’, add the global user group(s). Under ‘Type’ [red box], select ‘Global Group’ from the dropdown

box and click ‘Search Identities’. Select the global user group(s) and click the blue arrow to add them to the

‘Selected Identities’ list.

NOTE: If you are using LDAP/Active Directory, type the name or partial name of the global user group in the

Value field and then click the Search Button. Clicking on the Search Button without entering a name or partial

name will cause latency because EEM is searching for every global user group in LDAP/Active Directory.


3


5. Under ‘Access Policy Configuration’, for ‘Actions’, check off ‘Read’ and ‘Execute’ [pink box]. For ‘Resources’,

under ‘Add resource:’, type the 3-letter Autosys instance name with a period and asterisk [brown box] and then

click the plus sign .

NOTE: If you have more than one instance of AutoSys that users should have access to, add those additional

instances as resources.

6. Click on the ‘Add Filter’ button and select/type the information below:

a. In the red box, select ‘request’ from the dropdown menu.

b. In the red box, select ‘resource’ from the dropdown menu.

c. In the purple box, leave ‘STRING’ set in the dropdown menu.

d. In the purple box, select ‘STARTSWITH --*’ from the dropdown menu.

e. In the blue box, select ‘value’ from the dropdown menu.

f. In the blue box, type the 3-letter instance name, followed by a period (.), followed by a string of characters

associated with the job name that you want users to be able to see and execute. The string is CASE

SENSITIVE.

g. In the brown box, select ‘global user group’ from the dropdown menu.

h. In the brown box, select ‘Name’ from the dropdown menu.

i. In the pink box, leave ‘STRING’ set in the dropdown menu.

j. In the pink box, select ‘EQUAL ==’ set in the dropdown menu.

k. In the green box, select ‘value’ from the dropdown menu.

l. In the green box, type the name of the global user group that should be able to see the view specified in the

filter.

If there is more than one group of jobs that users should be able to execute, you can add multiple rows in the

filter [turquoise box].


4


Summation of Filter: The global user group, ‘AE_Schedulers’, will be able to execute sendevent commands on all

jobs that have been defined under the DCE Autosys instance, that being with the string ‘ASG’ or ‘GV’. If a job has

been defined under another Autosys instance that is not DCE or does not begin with the string ‘ASG’ or ‘GV’,

then the global user group will not be able to execute those jobs.

NOTE: Be mindful of the logic operators and parentheses placement. If you use the wrong operator or if there

are too many/not enough parentheses, the logic for the filter may not be evaluated correctly.

7. Click Save – this is what the completed policy looks like:


5



6


Create an as-job Policy with Full Permissions (Admin Policy)

NOTE: This policy is for all users who should have all permissions on all jobs for a specific Autosys instance.

1. Click on the ‘Manage Access Policies’ tab. On the left-hand side navigation panel, under ‘Access Policies’, click on

the ‘as-job’ policy link.

2. Create a new as-job policy by clicking on the icon (inside the red circle) next to the ‘as-job’ policy link.

3. Under the General Heading, give the policy a name. Leave all other fields with their default settings. Add a

description of the policy, if needed. (This is helpful if you plan on creating and using multiple policies for multiple

global user groups.)

4. Under ‘Identities’, add the global user group(s). Under ‘Type’ [red box], select ‘Global Group’ from the dropdown

box and click ‘Search Identities’. Select the global user group(s) and click the blue arrow to add them to the

‘Selected Identities’ list.


7


NOTE: If you are using LDAP/Active Directory, type the name or partial name of the global user group in the

Value field and then click the Search Button. Clicking on the Search Button without entering a name or partial

name will cause latency because EEM is searching for every global user group in LDAP/Active Directory.

5. For ‘Actions’, leave [All Actions] checked off. For ‘Resources’, under ‘Add resource:’, type the 3-letter Autosys

instance name with a period and asterisk and then clicked the plus sign .

NOTE: If you have more than one instance of AutoSys that users should have access to, add those additional

instances as resources.

6. Click Save – this what the completed policy looks like:


8


7. On the left-hand side navigation panel, under ‘Access Policies’, click on the ‘as-job’ policy link.

8. Click on the Default Job Policy link associated with the 3-letter Autosys instance specified in your custom policy.

9. Check off the checkbox next to ‘Disabled’ - then save the policy.

10. To confirm that the default policy was disabled, click on the ‘as-job’ policy link and look under the ‘Options’

column – the policy should be disabled.

NOTE: If you do not disable the Default Job Policy, any user who has access to the AE server where that instance

has been defined, can create/view/edit/delete/execute any and all jobs.

NOTE: Any user(s) or global user group(s) not specified in any of the created as-job policies will not be able to

view or execute jobs in the WCC GUI.


9


Perform a Permission Check

Perform a permission check to see if the policies are set up correctly.

1. Under the ‘Manage Access Policies’ tab, click the ‘Permission Check’ link.

2. This permission check will be on the as-job policies:

a. For the ‘Resource Class’, select ‘as-job’ from the dropdown menu.

b. For ‘Action, select ‘execute’ from the dropdown menu.

c. For ‘Resource, type the 3-letter Autosys instance name with a period and asterisk.

d. For ‘Identity’, type the name of a user. (For testing, choose a user who should have read and execute only

permissions.)

NOTE: For the ‘Identity’ field, you must enter an individual username. You cannot enter global user group or

dynamic user group names.

3. Click the ‘Run Permission Check’ button.

The permission check results should show DENY. This is expected because the user specified in the ‘Identity’

field does have execute permissions, however, they do have execute permissions only on jobs that begin ‘ASG’

or ‘GV’.


10


4. Change the ‘Resource’ to include a string of characters that represent a job name.

5. Click ‘Run Permission Check’ button.

The permission check results should show ALLOW. This is expected because the user specified in the ‘Identity’

field has execute permissions on jobs that begin with ‘ASG’. The Permission Check tells me what Policy granted

the permission [blue box].


11


Check WCC to For Job Execution Results

Login to the WCC GUI as a user who should only be able execute jobs that begin with ‘ASG’ or ‘GV’.

Go to the QuickView tab, place a wildcard character in the Search field and click Go to bring up all the jobs defined on

the AE server. Another option is to go to the Monitoring tab and access the jobs you want users to execute.

NOTE: Because all WCC users have access to the backend server (Autosys), they will be able to see all of the jobs defined

on the server.


12


In this example, the user was able to start ‘ASG_job’ and ‘GV_job’ successfully.


13


When the user tried to start ‘displaydb’, they were denied permission to start this job. They are not allowed to execute

jobs that do not begin with ‘ASG’ or ‘GV’.

NOTE: Strings ‘ASG’ and ‘asg’ are not equal. If you want jobs that begin with ‘asg’, then the logic filters in the EEM as-job

policy must be adjusted to include ‘asg’ and any other variation of the string (‘Asg’, ‘aSg’, etc…. )

Allow Users to Only Execute Certain Jobs in WCC Using … · Allow Users to Only Execute Certain...

Documents

Transcript of Allow Users to Only Execute Certain Jobs in WCC Using … · Allow Users to Only Execute Certain...