Automic Workload Automation


Authorization System, Access Rights

  • 1.  Authorization System, Access Rights

    Posted 03-11-2016 12:28 PM

    Currently we have three clients used for production bound objects that application developers have only read access to.  The object developers in these clients, the group I work in, rigorously follow standards of usage so have not needed anything but the most basic folder type security.

    We are investigating the creation of a client for shared use by application developers.  We wish to segregate the various development groups based upon the object’s name.  We currently prefix all objects with a two character “system code”; i.e. xx_SOME_OBJECT_NAME, and they exist in a like named folder structure.  The developers would have full access to create, modify and execute objects within their system’s folders.

    We are at a loss of how to create a viable and secure client where one group of developers cannot execute or affect another group’s objects.  Folder security has a huge hole with regards to the following documented method of operation:

     Nevertheless, specifying folder rights does not prevent access to objects stored in them. A user who is not allowed to access a particular folder could still access an object in this folder (such as if it is used in a workflow. The command "Edit" is available from almost anywhere, therefore, also in workflows).

    Using individual Object Authorization via its Properties is very precise but its method of implementation does not appear to be in any way applicable to our desired requirements.

    Our basic desire is to ensure that developers can only affect objects in specific folders and restrict the name of any new or renamed object to match the system code of the Folder in which it is being created.

    I was wondering how others do this or something similar as I feel that I'm overlooking something very basic.  Thank you for any assistance or insight that you can provide.

  • 2.  Authorization System, Access Rights

    Posted 03-11-2016 12:54 PM
    Can't you use 2 entries in the user group, Mark?

    1 for access to the folder, but a 2nd that only allows the edit access to objects with AA_*?

    I'll have to go back and test it a little more heavily, but that had been my plan and initially it seemed to be working.

  • 3.  Authorization System, Access Rights

    Posted 03-15-2016 11:42 AM
    Laura Albrecht

    Thanks for the reply.  I have passed this information on to our security staff and hopefully they will be able to make something that provides the appropriate level of protection.

    As I said, "I'm overlooking something very basic"!   ;) 

  • 4.  Authorization System, Access Rights

    Posted 03-15-2016 12:21 PM
    I did a little more testing and it seems to work.  I had a user group set up to have R & W access to a certain folder (Group = 1, Type = FOLD, Name = \BAXALTA\JDE_OTC*).  And then also set up to allow RWXDCSPM access to all objects (Group = 1, Type = *, Name = JDE_OTC*).  I have a few other entries in there, but that's the important stuff.

    When I test with a user in this group - I cannot go into any other folders in the Windows Explorer.  I can't search on any other object names (anything that isn't JDE_OTC* doesn't show up in the list).

    Now you CAN still see the other queues in the Activities Window.  I have for example an ESP queue and a JDE_OTC queue.  So you can see them, and you can see the objects in those other queues, but you can't do anything.  Can't monitor workflows or pull up statistics or edit those objects from there either.

    Let me know if you discover a hole or need more info.  I've always tried to keep security as simple as possible, but I am having to learn more about this with my new company / requirements.
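The two-entry setup described in the post above can be audited offline against an object inventory. The following is an added example, not part of the thread and not Automic's own evaluation logic: it assumes an entry applies whenever its Name wildcard matches, and the inventory, `covered` and `audit` are hypothetical names and constructed data. It flags objects where the folder filter and the name filter disagree, which is where the folder-rights gap quoted in the first post shows up.

```python
from fnmatch import fnmatchcase

# Authorization entries as listed in post 4 (Type, Name filter, rights).
ENTRIES = [
    {"type": "FOLD", "name": r"\BAXALTA\JDE_OTC*", "rights": "RW"},
    {"type": "*", "name": "JDE_OTC*", "rights": "RWXDCSPM"},
]

# Constructed inventory of (folder path, object name) pairs for the audit.
INVENTORY = [
    (r"\BAXALTA\JDE_OTC", "JDE_OTC_LOAD_JOB"),
    (r"\BAXALTA\JDE_OTC\WORKFLOWS", "JDE_OTC_NIGHTLY_WF"),
    (r"\BAXALTA\JDE_OTC", "ESP_STRAY_JOB"),
    (r"\BAXALTA\ESP", "JDE_OTC_MISFILED_JOB"),
    (r"\BAXALTA\ESP", "ESP_BILLING_JOB"),
]

def covered(entries, value, folder):
    """Assumed model: an entry applies when its Name wildcard matches value.
    FOLD entries are checked against folder paths, all others against names."""
    return any(fnmatchcase(value, e["name"])
               for e in entries if (e["type"] == "FOLD") == folder)

def audit(entries, inventory):
    """Return objects where folder scope and name scope disagree."""
    findings = []
    for folder, obj in inventory:
        in_folder = covered(entries, folder, folder=True)
        by_name = covered(entries, obj, folder=False)
        if in_folder and not by_name:
            findings.append((obj, "in group folder, outside name filter"))
        elif by_name and not in_folder:
            findings.append((obj, "name filter reaches outside group folder"))
    return findings

if __name__ == "__main__":
    for obj, reason in audit(ENTRIES, INVENTORY):
        print(f"{obj}: {reason}")
```
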

  • 5.  Authorization System, Access Rights

    Posted 05-26-2016 03:39 PM
    Revisiting this thread because it now looks like I will be setting up the same security that Mark was initially asking about.  I went back and tried the security settings I responded back with and now it's not working!!   :'(

    Has anyone else implemented this successfully and/or would be willing to share the contents of the Authorizations tab?  I know I had this working previously.  Now I'm wondering if I've hit a bug and/or a Java problem, etc.  It's very weird.  I'm trying to do the same thing as above - limit access to objects by the folder structure and the object name and it's not working.