Automic strongly recommends that you thoroughly plan your authorization system as a first step: who actually requires access to the AE system, and which actions are required? Write down your findings; doing so makes it a lot easier to create users and user groups.
1. Creating user groups
You can assign rights to users and user groups. By using user groups you can reduce your administrative effort. User groups provide a clear overview from a central point and also increase security within your AE system.
2.
The various functions of the UserInterface can only be used with the appropriate privileges. With newly created users or user groups, all privileges are inactive.
Be careful when you assign privileges because some functions affect the processing of an AE system or access security-relevant data.
A list of all privileges is provided in the UserGroup object's tab of the same name. Here you can activate all or only specific privileges.
Privileges given to a particular user and the corresponding user groups accumulate. Users are granted access to all the functions of the UserInterface that have been activated for them and the groups they belong to.
For example:
User Smith is granted access to the Recycle Bin and to the Transport Case.
Because he was granted the privilege "Logon via CallAPI" in one of the user groups he belongs to, he can also use CallAPIs.
3. Assigning rights
Access to folders, statistics, reports and objects is subject to authorizations. Note that servers and agents are also objects. Again, newly created users and user groups do not have any rights.
Be careful when you assign authorizations. You can also define access denials!
Authorizations can be allocated in the UserGroup object's tab of the same name. Authorization groups or denials (NOT) can be assigned in the very first column. Identical numbers stand for the same authorization group, and the keyword NOT stands for a denial.
Rights assigned to a user and the corresponding user groups accumulate.
For example:
User Smith is allowed to read and execute all objects whose names start
with "MM" and to call their statistics. Because the access rights write and delete were additionally defined for
these "MM" objects in one of his UserGroups, he is also allowed to write and
delete them.
For the sake of completeness, this document also describes how you can use different authorization groups. Nevertheless, Automic recommends using this functionality only in exceptional cases!
Whenever you define different authorization groups, the user is only granted the rights that are granted in all of the groups.
Take the same example as described above:
User Smith is allowed to read and execute all objects whose names start
with "MM" and call their statistics. In one of the user groups
he belongs to, the access rights read, execute, write and delete have
been defined for these objects. In total, user Smith can only read and
execute these objects (logical AND connection).
Denials ("Not") are always given preferential attention. If an access denial applies to a user or one of the corresponding user groups, access to the particular section is not granted. The authorization groups are irrelevant.
For example:
User Smith is authorized to execute jobs on all hosts. One of the user groups he belongs to contains a "Not" for accessing
the agent UNIX01. Therefore, user Smith cannot use
this agent to execute tasks.
Specify denials in the Authorizations tab with the authorization group "NOT".
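The evaluation rules of this step (rights accumulate within one authorization group, different groups are combined with a logical AND, and NOT takes precedence), shown as an added Python example that is not Automic code. The line layout, the right names, wildcard matching via `fnmatch` and the per-right handling of NOT lines are assumptions made for illustration.

```python
from fnmatch import fnmatchcase

def effective_rights(lines, obj_type, name):
    """Merge a user's and their user groups' authorization lines for one object.

    Each line is (auth_group, object_type, name_filter, rights); auth_group is
    a number or the keyword "NOT". Layout and right names are assumptions.
    """
    per_group, denied = {}, set()
    for group, line_type, name_filter, rights in lines:
        if line_type != obj_type or not fnmatchcase(name, name_filter):
            continue                      # line does not apply to this object
        if group == "NOT":
            denied |= set(rights)         # denials are collected separately
        else:                             # same number: rights accumulate (OR)
            per_group.setdefault(group, set()).update(rights)
    if not per_group:
        return set()                      # no matching line, no access
    # Different numbers: only rights present in every matching group (AND).
    granted = set.intersection(*per_group.values())
    return granted - denied               # a denial always wins


# Constructed lines reproducing the Smith examples from the text.
SMITH = [(1, "JOBS", "MM*", {"read", "execute", "statistics"}),
         (1, "HOST", "*", {"execute"})]
GROUP_SAME_NUMBER = [(1, "JOBS", "MM*", {"write", "delete"})]
GROUP_OTHER_NUMBER = [(2, "JOBS", "MM*", {"read", "execute", "write", "delete"})]
GROUP_DENIAL = [("NOT", "HOST", "UNIX01", {"execute"})]

if __name__ == "__main__":
    for label, extra in [("same group", GROUP_SAME_NUMBER),
                         ("other group", GROUP_OTHER_NUMBER)]:
        print(label, sorted(effective_rights(SMITH + extra, "JOBS", "MM.DAILY")))
    for host in ("UNIX01", "UNIX02"):
        print(host, sorted(effective_rights(SMITH + GROUP_DENIAL, "HOST", host)))
```

Running the same check over an exported set of lines before a change goes live shows whether a second authorization group number silently removes rights or whether a NOT line reaches more objects than intended.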
4. Creating Users
After having specified user groups, you can create your individual users. User object names are composed of the user name and department, both of which are separated by a slash (such as SMITH/DEV). A maximum of 200 characters is allowed.
Now fill in the User tab. You can also define that logging on is only allowed at a particular time of the day (such as between 08:00 am and 06:00 pm).
Only active users can log on to the AE system. You can set users active by checking the checkbox in the upper right half of the UserInterface. Removing this flag sets them inactive.
5. Allocating users to UserGroups
There are two ways of assigning users to user groups. You can either select the groups to which a user should belong from within a user, or determine members from within a user group. Both options are accessible through the UserGroup tab.
6. Access Trace Function
You can use the variable UC_CLIENT_SETTINGS to activate the Access Trace Function and decide what it should cover. You can define the category of access monitoring that should be activated: log on, object access, host access and/or privilege. Additionally, you can also specify whether access denials and/or access authorizations should be logged to the security messages of the System Overview.
Copyright © 2016 Automic Software GmbH