@Leon Carroll, you have discovered a new undocumented feature introduced in AE v24.2.
@Martin Uferbach described the new feature to us during a call last month. My understanding is that the authorization mechanism was changed in v24.2 so that users may no longer grant privileges they do not already have. Any attempt to do so will result in the Missing privilege error message. (This change was likely introduced in conjunction with the addition of new APIs for working with authorizations.)
The Token access and token creation privilege is completely new in AE v24.2, so no user or group will initially have this privilege assigned. This means that existing users will not be able to grant themselves (or others) the new privilege.
We opened a support ticket about this on 20 September, and Broadcom quickly acknowledged it as a bug. The work-around you discovered is what Broadcom recommended. The UC/UC user in client 0 may grant any privilege to any user.
We found that UC/UC cannot grant privileges it does not already have to user groups. For a while, we thought the only way to grant the Token access and token creation privilege to a user group would be to make the change directly to the database. (This is what prompted my investigation into USR_Privilege a couple of weeks ago.)
But this did not turn out to be necessary. As you found, once a user in the non-0 client has the Token access and token creation privilege, this user may grant the privilege to user groups.
The additional authorization check is still not mentioned in the list of new features in v24.2, nor in the documentation page on Granting Automation Engine Privileges. It probably should be. Ping @Gabi Oberreiter.