Automic Workload Automation

Hello,

  We are a fairly small operation with less than 1500 workflows and jobs scheduled. Currently running 21.0.11. We have three developer teams who generate jobs for different parts of the business. in AWI we only have one client and security prevents the developers from seeing and executing each others jobs. One team recently has requested access to the REST API which we haven't used before. In my initial testing with a developer user account I can execute my users jobs and the other teams jobs no problem. I have been unable to find documentation on locking down what an api user can execute. I have found information on locking down the rest api with reverse proxy and firewall rules but once a user is in it seems they can execute whatever JOBS they want. Has this been everyone else's experience? should we restructure the teams into different clients? Thanks for any info you can give.

Ben

Hi Ben,

there is no difference between a user login in via AWI and via REST API. The same defined security restrictions apply.

Please make sure that you did not only protect folders, so users in AWI can't look into the folders, but also protect the objects in those folders. 
https://docs.automic.com/documentation/webhelp/english/ALL/components/DOCU/21.0.9/Automic%20Automation%20Guides/Content/AWA/AdministrationPerspective/obj_user_defining_AEAuth.htm#Folders

Regards, Markus

Hello,

  We are a fairly small operation with less than 1500 workflows and jobs scheduled. Currently running 21.0.11. We have three developer teams who generate jobs for different parts of the business. in AWI we only have one client and security prevents the developers from seeing and executing each others jobs. One team recently has requested access to the REST API which we haven't used before. In my initial testing with a developer user account I can execute my users jobs and the other teams jobs no problem. I have been unable to find documentation on locking down what an api user can execute. I have found information on locking down the rest api with reverse proxy and firewall rules but once a user is in it seems they can execute whatever JOBS they want. Has this been everyone else's experience? should we restructure the teams into different clients? Thanks for any info you can give.

Ben

Hi Marcus,

this will be a bit irrelevant question, but I wanted to ask because the subject came up. 

In v12, in the past, when we restricted only the folder, you could see and execute the objects in that folder from the java userinterface search section, this was a situation we did not want. But I think this was fixed after AWI v21. in v21, when you restrict only the folder, you cannot access the objects in it in any way, including search. is that right?

Thanks.

Hi Ben,

there is no difference between a user login in via AWI and via REST API. The same defined security restrictions apply.

Please make sure that you did not only protect folders, so users in AWI can't look into the folders, but also protect the objects in those folders. 
https://docs.automic.com/documentation/webhelp/english/ALL/components/DOCU/21.0.9/Automic%20Automation%20Guides/Content/AWA/AdministrationPerspective/obj_user_defining_AEAuth.htm#Folders

Regards, Markus

Hello,

  We are a fairly small operation with less than 1500 workflows and jobs scheduled. Currently running 21.0.11. We have three developer teams who generate jobs for different parts of the business. in AWI we only have one client and security prevents the developers from seeing and executing each others jobs. One team recently has requested access to the REST API which we haven't used before. In my initial testing with a developer user account I can execute my users jobs and the other teams jobs no problem. I have been unable to find documentation on locking down what an api user can execute. I have found information on locking down the rest api with reverse proxy and firewall rules but once a user is in it seems they can execute whatever JOBS they want. Has this been everyone else's experience? should we restructure the teams into different clients? Thanks for any info you can give.

Ben

Hi Marcus,

this will be a bit irrelevant question, but I wanted to ask because the subject came up. 

In v12, in the past, when we restricted only the folder, you could see and execute the objects in that folder from the java userinterface search section, this was a situation we did not want. But I think this was fixed after AWI v21. in v21, when you restrict only the folder, you cannot access the objects in it in any way, including search. is that right?

Thanks.

Hi Ben,

there is no difference between a user login in via AWI and via REST API. The same defined security restrictions apply.

Please make sure that you did not only protect folders, so users in AWI can't look into the folders, but also protect the objects in those folders. 
https://docs.automic.com/documentation/webhelp/english/ALL/components/DOCU/21.0.9/Automic%20Automation%20Guides/Content/AWA/AdministrationPerspective/obj_user_defining_AEAuth.htm#Folders

Regards, Markus

Hello,

  We are a fairly small operation with less than 1500 workflows and jobs scheduled. Currently running 21.0.11. We have three developer teams who generate jobs for different parts of the business. in AWI we only have one client and security prevents the developers from seeing and executing each others jobs. One team recently has requested access to the REST API which we haven't used before. In my initial testing with a developer user account I can execute my users jobs and the other teams jobs no problem. I have been unable to find documentation on locking down what an api user can execute. I have found information on locking down the rest api with reverse proxy and firewall rules but once a user is in it seems they can execute whatever JOBS they want. Has this been everyone else's experience? should we restructure the teams into different clients? Thanks for any info you can give.

Ben

Hi Olgun,
The behavior is still the same in V24.x: if a user has no read right to a folder he can still execute objects located in that folder e.g. with activate_uc_object or delete objects with remove_object

Hi Marcus,

this will be a bit irrelevant question, but I wanted to ask because the subject came up. 

In v12, in the past, when we restricted only the folder, you could see and execute the objects in that folder from the java userinterface search section, this was a situation we did not want. But I think this was fixed after AWI v21. in v21, when you restrict only the folder, you cannot access the objects in it in any way, including search. is that right?

Thanks.

Hi Ben,

there is no difference between a user login in via AWI and via REST API. The same defined security restrictions apply.

Please make sure that you did not only protect folders, so users in AWI can't look into the folders, but also protect the objects in those folders. 
https://docs.automic.com/documentation/webhelp/english/ALL/components/DOCU/21.0.9/Automic%20Automation%20Guides/Content/AWA/AdministrationPerspective/obj_user_defining_AEAuth.htm#Folders

Regards, Markus

Hello,

  We are a fairly small operation with less than 1500 workflows and jobs scheduled. Currently running 21.0.11. We have three developer teams who generate jobs for different parts of the business. in AWI we only have one client and security prevents the developers from seeing and executing each others jobs. One team recently has requested access to the REST API which we haven't used before. In my initial testing with a developer user account I can execute my users jobs and the other teams jobs no problem. I have been unable to find documentation on locking down what an api user can execute. I have found information on locking down the rest api with reverse proxy and firewall rules but once a user is in it seems they can execute whatever JOBS they want. Has this been everyone else's experience? should we restructure the teams into different clients? Thanks for any info you can give.

Ben

Hi Olgun,
The behavior is still the same in V24.x: if a user has no read right to a folder he can still execute objects located in that folder e.g. with activate_uc_object or delete objects with remove_object

Hi Marcus,

this will be a bit irrelevant question, but I wanted to ask because the subject came up. 

In v12, in the past, when we restricted only the folder, you could see and execute the objects in that folder from the java userinterface search section, this was a situation we did not want. But I think this was fixed after AWI v21. in v21, when you restrict only the folder, you cannot access the objects in it in any way, including search. is that right?

Thanks.

Hi Ben,

there is no difference between a user login in via AWI and via REST API. The same defined security restrictions apply.

Please make sure that you did not only protect folders, so users in AWI can't look into the folders, but also protect the objects in those folders. 
https://docs.automic.com/documentation/webhelp/english/ALL/components/DOCU/21.0.9/Automic%20Automation%20Guides/Content/AWA/AdministrationPerspective/obj_user_defining_AEAuth.htm#Folders

Regards, Markus

Hello,

  We are a fairly small operation with less than 1500 workflows and jobs scheduled. Currently running 21.0.11. We have three developer teams who generate jobs for different parts of the business. in AWI we only have one client and security prevents the developers from seeing and executing each others jobs. One team recently has requested access to the REST API which we haven't used before. In my initial testing with a developer user account I can execute my users jobs and the other teams jobs no problem. I have been unable to find documentation on locking down what an api user can execute. I have found information on locking down the rest api with reverse proxy and firewall rules but once a user is in it seems they can execute whatever JOBS they want. Has this been everyone else's experience? should we restructure the teams into different clients? Thanks for any info you can give.

Ben

Hi Olgun,

this behaviour was also there with 12.3, no changes in V21 or V24. Or are you referring to an even older release?

Regards, Markus

Hi Olgun,
The behavior is still the same in V24.x: if a user has no read right to a folder he can still execute objects located in that folder e.g. with activate_uc_object or delete objects with remove_object

Hi Marcus,

this will be a bit irrelevant question, but I wanted to ask because the subject came up. 

In v12, in the past, when we restricted only the folder, you could see and execute the objects in that folder from the java userinterface search section, this was a situation we did not want. But I think this was fixed after AWI v21. in v21, when you restrict only the folder, you cannot access the objects in it in any way, including search. is that right?

Thanks.

Hi Ben,

there is no difference between a user login in via AWI and via REST API. The same defined security restrictions apply.

Please make sure that you did not only protect folders, so users in AWI can't look into the folders, but also protect the objects in those folders. 
https://docs.automic.com/documentation/webhelp/english/ALL/components/DOCU/21.0.9/Automic%20Automation%20Guides/Content/AWA/AdministrationPerspective/obj_user_defining_AEAuth.htm#Folders

Regards, Markus

Hello,

  We are a fairly small operation with less than 1500 workflows and jobs scheduled. Currently running 21.0.11. We have three developer teams who generate jobs for different parts of the business. in AWI we only have one client and security prevents the developers from seeing and executing each others jobs. One team recently has requested access to the REST API which we haven't used before. In my initial testing with a developer user account I can execute my users jobs and the other teams jobs no problem. I have been unable to find documentation on locking down what an api user can execute. I have found information on locking down the rest api with reverse proxy and firewall rules but once a user is in it seems they can execute whatever JOBS they want. Has this been everyone else's experience? should we restructure the teams into different clients? Thanks for any info you can give.

Ben