Automic Workload Automation

  • Private Community
 View Only

  • 1.  USR_Privilege

    Posted Oct 02, 2024 11:44 AM
    Edited by Michael A. Lowry Mar 31, 2025 02:47 AM

    Today I did some investigation into the USR_Privilege column and its relationship to the PrivList element in an XML export of a USR object.

    In the USR table, there's a bigint column called USR_Privilege. This column stores information about the Automation Engine Privileges assigned to a user. In an XML export of a user, the PrivList element contains one child element for each privilege. The value is 1 for assigned privileges and 0 for unassigned ones. Below is an example from a user with all privileges assigned.

    <PrivList>
<B1>1</B1>
<B2>1</B2>
<B4>1</B4>
<B8>1</B8>
<B16>1</B16>
<B32>1</B32>
<B64>1</B64>
<B128>1</B128>
<B256>1</B256>
<B512>0</B512>
<B1024>1</B1024>
<B2048>0</B2048>
<B4096>1</B4096>
<B8192>1</B8192>
<B16384>1</B16384>
<B32768>1</B32768>
<B65536>1</B65536>
<B131072>0</B131072>
<B262144>1</B262144>
<B524288>1</B524288>
<B1048576>1</B1048576>
<B2097152>1</B2097152>
<B4194304>1</B4194304>
<B8388608>1</B8388608>
<B16777216>1</B16777216>
<B33554432>1</B33554432>
<B67108864>1</B67108864>
<B134217728>1</B134217728>
<B268435456>0</B268435456>
<B536870912>1</B536870912>
<B1073741824>1</B1073741824>
<B2147483648>1</B2147483648>
<B4294967296>0</B4294967296>
<B8589934592>0</B8589934592>
<B17179869184>0</B17179869184>
<B34359738368>1</B34359738368>
<B68719476736>1</B68719476736>
<B137438953472>1</B137438953472>
<B274877906944>0</B274877906944>
<B549755813888>1</B549755813888>
<B1099511627776>1</B1099511627776>
<B2199023255552>1</B2199023255552>
<B4398046511104>1</B4398046511104>
<B8796093022208>1</B8796093022208>
<B17592186044416>1</B17592186044416>
<B35184372088832>1</B35184372088832>
<B70368744177664>1</B70368744177664>
</PrivList>

    The tag names are the capital letter B following by increasing powers of 2 — 20, 21, 22, and so on.

    XML tag Power of 2 Value
    B1 0 1
    B2 1 2
    B4
    		 2 4
    B8
    		 3 8
    B16
    		 4 16
    ...
    		 ... ..
    B35184372088832 45 35184372088832
    B70368744177664 46 70368744177664

    If you add up all the numbers in the names of the elements whose content is 1, you'll get the value stored in USR_Privilege1. USR_Privilege stores the decimal representation of a 46-bit binary number, where each bit represents an individual privilege. Not all bits in USR_Privilege are documented2.

    You can also find this value by exporting the USER object to JSON. It's in the privilege element.

          "user_attributes" : {
        "is_active" : 1,
        "last_session" : "2024-10-02T15:08:57Z",
        "eh_refresh_interval" : 90,
        "privilege" : 281169765463551,
        "privileges_set" : [ "automatic_processing", "access_systemoverview", "recycle_bin", "transport_case", "view_messages", "view_administrators_messages", "view_all_messagesfrom_accorded_client", "view_security_messages", "execute_system_upgrades", "access_to_selective_statistics", "create_and_modify_backend_variables", "deal_with_authorizations_at_object_level", "modify_the_status_of_a_task_manually", "object_properties_allow_manual_reset_of_edit_hint", "filetransfer_start_without_login_object_specified", "view_server_usage_of_all_clients", "access_to_no_folder", "logon_via_callapi", "sap_criteria_manager", "access_to_version_management_folder", "access_to_autoforecast", "create_diagnostic_information", "ilm_actions", "create_and_modify_sql_internal_variables", "manage_favorites_on_usergroup_level", "access_to_service_catalog", "access_to_process_monitoring", "access_to_process_assembly", "access_to_administration", "access_to_dashboards", "access_to_messages", "fileevents_start_without_login_object_specified", "access_to_analytics", "dump_memory_trace", "access_to_analytics_for_all_clients", "access_metrics_endpoint", "execute_agent_upgrades", "take_over_task", "token_access_and_token_creation" ],
        "usr_type" : "DEFAULT ",
        "password_never_expires" : true,
        "password_change_at_next_login" : false
      }

    Note that the set of privileges is also listed in the JSON export in a more user-readable format, as an array of strings3. These labels correspond to the names listed in the REST API column on the documentation page Automation Engine Privileges.

    Does anyone have a mapping between the XML tags (USR_Privilege bit numbers) and the corresponding privilege names used in JSON exports & the REST API?

    Update 2024.10.03 9:37 CEST: I created a mapping table. I also wrote an SQL query to list users' privileges.

    Update 2025.04.01 8:46 CEST: See this updated mapping table and SQL query. (The original mapping contained some mistakes.)

    Notes

    1. If you take the USR_Privilege value (e.g., 281169765463551) and convert it to binary, it'll be easier to see which bits are set.

    111111111011110011101111111111011111010111111111

    The least significant bit (B1 or 20) is rightmost.

    2. Even if all privileges are assigned to a user, some tags will be set to 0 in an XML export of the user:
    B512, B2048, B131072, B268435456, B4294967296, B8589934592, and B274877906944.

    These bits probably correspond to deprecated or undocumented privileges.

    Update 2024.10.03 9:39 CEST: Three of the unlisted privileges have been identified as old privileges that have since been deprecated. See the mapping table below.

    3. Does anyone know why the XML schema was designed in this way? I understand that the privileges are stored as a sum of bits in the database. But is there a reason the PrivList child elements in the XML schema were not labeled based on powers of two (0, 1, 2, etc.), or better yet, given descriptive names? 



  • 2.  RE: USR_Privilege

    Posted Oct 03, 2024 02:10 AM

    Hi Michael,

    UC_ACLB maps privilege-bitcodes to message-ids.

    You can look up the messages for the ids in the uc.msl file (between V10 and V11.2, they were in the table MSGTX, but not anymore).

    If you're on Oracle, 
    and if you create a function dec_to_bin to convert decimals to bitarrays, 
    and if you fill the table MSGTX with the correct data for your AE-version (sorry for the many IFs)
    then this will give you all Users and their privs:

    WITH PRIVS as (
        select uc_aclb.*, lpad(dec_to_bin(ACLB_Bitcode),44,'0') as BITPOSITION, MSGTX_TEXT
        from uc_aclb left join MSGTX
        on aclb_helpidc=msgtx_msg_idnr
        where aclb_type = 'PRV' and MSGTX_MSGL_Short='E'
    )
    select OH_Client, OH_Name, MSGTX_TEXT
    from OH
    inner join USR on OH_IDNR = USR_OH_IDNR
    cross join PRIVS
    where OH_Client > 0
    and OH_Deleteflag = 0
    and BITAND(ACLB_Bitcode,Usr_Privilege) != 0
    and ACLB_HelpIDC != 0
    order by OH_Client, OH_Name, ACLB_Bitcode;

    Cheers,

    Philipp



    ------------------------------
    Philipp Elmer

    Become a member!
    https://membership.philippelmer.com
    ------------------------------

    Original Message


  • 3.  RE: USR_Privilege

    Posted Oct 03, 2024 03:32 AM
    Edited by Michael A. Lowry Mar 31, 2025 02:56 AM

    Here is a query that does not depend on custom functions or non-standard tables.

    (Original query removed due to mistakes.)

    Update 2025.04.01 8:52 CEST: See the comment below for an updated mapping table and SQL query.



  • 4.  RE: USR_Privilege

    Posted Oct 03, 2024 02:17 AM
    Edited by Michael A. Lowry Mar 31, 2025 02:59 AM

    Generating the mapping table was easier than expected. The REST API returns the list of privileges in order from least significant to most significant bit. Insert empty rows for the undocumented privileges, and the table is complete. I also added descriptions for three deprecated privileges, based on information from UC_ACLB and uc.msl.

    (Original table removed due to mistakes.)

    Update 2025.04.01 8:57 CEST: See this comment below for an updated mapping table and SQL query.



  • 5.  RE: USR_Privilege

    Posted Oct 03, 2024 04:51 AM
    Edited by Michael A. Lowry Oct 16, 2024 05:22 AM

    The uc.msl file includes some messages that might correspond to some of the other unlisted privileges.

    00909908 Access to client 0
00909909 Access to client 99
00909911 Access to PasswordContainer
00909932 Access to Service Orchestrator
08190030 Access to Explorer Folders
08220042 Access to Host
08241144 Access to Infrastructure Manager.

    The first two appear to have dedicated columns in USR: USR_AccessC0 and USR_AccessC99. (These do not appear to be used anymore, and I guess that they date from the very early days of the product, perhaps before USR_Privilege was added to the table.)

    The remaining 5 are candidates though.



  • 6.  RE: USR_Privilege

    Posted Mar 26, 2025 10:15 AM
    Edited by Roney.Uba Mar 26, 2025 10:16 AM

    Hi Michael,

    after some trial and error with 24.3.0 there is an additional privilege (db-maintenance) and some have shifted.

    Not sure in which position, but for example CAU is 2^45 instead of 2^44 (001000000000000000000000000000000000000000000000).

    ...
    2^43 -> Access to Analytics for all Clients
    2^44 -> Access to the metrics endpoint of the Automic REST API
    2^45 -> Upgrade Agents (CAU)
    2^46 -> Token access and token creation
    2^47 -> Database maintenance

    Also, new privileges can only be added by users that already possess them, but during an upgrade no one will have it already.
    The docu mentions the workaround of DB-Load (recommended) or UC/UC (not recommended).

    https://docs.automic.com/documentation/webhelp/english/ALL/components/DOCU/24.4/Automic%20Automation%20Guides/Content/AWA/AdministrationPerspective/obj_user_defining_AEPriv.htm

    With DB-Load you can convert the full list of enabled privileges to decimal: 

    111111111011100011101111111111011111010111111111 -> 281169765463551

    and manually edit the field below in the .txt:

    TUSR
    F021+000281169765463551

    Regards,
    Roney


    Original Message


  • 7.  RE: USR_Privilege
    Best Answer

    Posted Mar 28, 2025 06:27 AM
    Edited by Michael A. Lowry Apr 03, 2025 02:44 AM

    Thanks for the information, @Roney.Uba.

    I have identified all of the bits in USR_Privilege in Automic Automation v24.3.

    It seems that the field currently encompasses 48 bits. This means that 249 - 1 = 281474976710655 would be the value of USR_Privilege that has all privileges enabled, including the deprecated and undocumented ones. The corresponding line in a transport case file would be:

    F021+000281474976710655

    The Automation Engine REST API provides names for all but three privileges. (Export a USER object to JSON, and the assigned privileges are listed.)

    n Decimal 2n-1
    		 Msg. number
    		 AWI label or uc.msl message JSON label v24.3
    1 1 909900 Enable / Disable automatic processing (STOP / GO) automatic_processing
    2 2 909901 Access to System Overview access_systemoverview
    3 4 909902 Access to Recycle Bin recycle_bin
    4 8 909903 Access to Transport Case transport_case
    5 16 909904 View messages from own user group view_messages
    6 32 909905 View messages to administrators view_administrators_messages
    7 64 909906 View all messages from accorded client view_all_messagesfrom_accorded_client
    8 128 909907 View security messages view_security_messages
    9 256 909942 Upgrade system, start and stop processes execute_system_upgrades
    10 512 909909 Access to client 99
    11 1024 909910 Access to deactivated tasks access_to_selective_statistics
    12 2048 909911 Access to PasswordContainer
    13 4096 909912 Create and modify Backend variables create_and_modify_backend_variables
    14 8192 909913 Deal with authorizations at object level deal_with_authorizations_at_object_level
    15 16384 909914 Modify the status of a task manually modify_the_status_of_a_task_manually
    16 32768 909915 Object properties: allow manually reset of 'Edit Hint' object_properties_allow_manual_reset_of_edit_hint
    17 65536 909916 FileTransfer: Start without Login object specified filetransfer_start_without_login_object_specified
    18 131072 909917 Administrate Users / Groups
    19 262144 909918 View server utilization of all clients view_server_usage_of_all_clients
    20 524288 909919 Access to <No Folder> access_to_no_folder
    21 1048576 909920 Logon via CallAPI logon_via_callapi
    22 2097152 909921 SAP Criteria Manager sap_criteria_manager
    23 4194304 909922 Access to Version Management access_to_version_management_folder
    24 8388608 909923 Access to AutoForecast access_to_autoforecast
    25 16777216 909924 Create diagnostic information create_diagnostic_information
    26 33554432 909815 Take over task take_over_task
    27 67108864 909925 ILM actions ilm_actions
    28 134217728 909926 Create and modify SQL-Internal variables create_and_modify_sql_internal_variables
    29 268435456 909928 Work in Runbook Mode work_in_runbook_mode
    30 536870912 909927 Manage favorites on User Group level manage_favorites_on_usergroup_level
    31 1073741824 909930 Access to My Catalog access_to_service_catalog
    32 2147483648 909931 Access to Process Monitoring access_to_process_monitoring
    33 4294967296 909932 Access to Service Orchestrator ecc_service_level_govenor
    34 8589934592 909933 Manage SLAs and Business Units in Service Orchestrator ecc_manage_sla_and_bu
    35 17179869184 909934 Access to Policy Orchestrator access_to_policy_orchestrator
    36 34359738368 909935 Access to Process Assembly access_to_process_assembly
    37 68719476736 909936 Access to Administration access_to_administration
    38 137438953472 909937 Access to Dashboards access_to_dashboards
    39 274877906944 909939 Access to Predictive Analytics access_to_predictive_analytics
    40 549755813888 909938 Access to Messages access_to_messages
    41 1099511627776 909940 FileEvents: Start without Login object specified fileevents_start_without_login_object_specified
    42 2199023255552 909941 Access to Analytics access_to_analytics
    43 4398046511104 909811 Dump memory trace dump_memory_trace
    44 8796093022208 909943 Access to Analytics for all clients access_to_analytics_for_all_clients
    45 17592186044416 909813 Access to the metrics endpoint of Automation REST API access_metrics_endpoint
    46 35184372088832 909814 Upgrade Agents (CAU) execute_agent_upgrades
    47 70368744177664 909816 Token access and token creation token_access_and_token_creation
    48 140737488355328 909817 Database maintenance db_maintenance

    The values of ACLB_HelpIDC in purple were guessed because they are adjacent to other similar messages.

    The messages in red correspond to deprecated or undocumented privileges. They do not appear in the AWI.

    The JSON labels in blue are returned by the REST API out-of-order, at the end after db_maintenance.

    Update 2025.03.29 9:15 CET: I corrected the table. Some privileges were out-of-order, and many were shifted down by one. The following privilege was removed from the table because it does not appear to correspond to any of the bits of USR_Privilege.

    909929 Configure User Catalog through User Groups

    The table should now be 100% correct. I wrote a script to create 48 users, each with exactly one bit set in USR_Privilege. I then exported these users to JSON to confirm which privilege was associated with each bit of USR_Privilege.

    For what it’s worth, I also confirmed that a user with all 48 privileges (even deprecated or undocumented ones) is able to import users with any privilege. However, the only way to grant all privileges in the first place is by modifying USR_Privilege directly in the DB. (Using a transport case file is a quick and safe way to do this.) If the deprecated/undocumented privileges do anything else, I was not able to observe it.

    Update 2025.03.31 8:41 CEST

    Here is an (Oracle) SQL query that will list the privileges assigned to users.

    WITH User_privileges AS (SELECT OH_CLIENT, OH_NAME,-- USR_AccessC0, USR_AccessC99, USR_Privilege,
CASE WHEN BITAND(USR_Privilege,1) = 1 THEN 1 ELSE 0 END AS automatic_processing,                                     
CASE WHEN BITAND(USR_Privilege,2) = 2 THEN 1 ELSE 0 END AS access_systemoverview,
CASE WHEN BITAND(USR_Privilege,4) = 4 THEN 1 ELSE 0 END AS recycle_bin,
CASE WHEN BITAND(USR_Privilege,8) = 8 THEN 1 ELSE 0 END AS transport_case,
CASE WHEN BITAND(USR_Privilege,16) = 16 THEN 1 ELSE 0 END AS view_messages,
CASE WHEN BITAND(USR_Privilege,32) = 32 THEN 1 ELSE 0 END AS view_administrators_messages,
CASE WHEN BITAND(USR_Privilege,64) = 64 THEN 1 ELSE 0 END AS view_all_messagesfrom_accorded_client,
CASE WHEN BITAND(USR_Privilege,128) = 128 THEN 1 ELSE 0 END AS view_security_messages,
CASE WHEN BITAND(USR_Privilege,256) = 256 THEN 1 ELSE 0 END AS execute_system_upgrades,
CASE WHEN BITAND(USR_Privilege,512) = 512 THEN 1 ELSE 0 END AS access_to_client_99,
CASE WHEN BITAND(USR_Privilege,1024) = 1024 THEN 1 ELSE 0 END AS access_to_selective_statistics,
CASE WHEN BITAND(USR_Privilege,2048) = 2048 THEN 1 ELSE 0 END AS access_to_password_container,
CASE WHEN BITAND(USR_Privilege,4096) = 4096 THEN 1 ELSE 0 END AS create_and_modify_backend_variables,
CASE WHEN BITAND(USR_Privilege,8192) = 8192 THEN 1 ELSE 0 END AS deal_with_authorizations_at_object_level,
CASE WHEN BITAND(USR_Privilege,16384) = 16384 THEN 1 ELSE 0 END AS modify_the_status_of_a_task_manually,
CASE WHEN BITAND(USR_Privilege,32768) = 32768 THEN 1 ELSE 0 END AS object_properties_allow_manual_reset_of_edit_hint,
CASE WHEN BITAND(USR_Privilege,65536) = 65536 THEN 1 ELSE 0 END AS filetransfer_start_without_login_object_specified,
CASE WHEN BITAND(USR_Privilege,131072) = 131072 THEN 1 ELSE 0 END AS administrate_users_and_groups,
CASE WHEN BITAND(USR_Privilege,262144) = 262144 THEN 1 ELSE 0 END AS view_server_usage_of_all_clients,
CASE WHEN BITAND(USR_Privilege,524288) = 524288 THEN 1 ELSE 0 END AS access_to_no_folder,
CASE WHEN BITAND(USR_Privilege,1048576) = 1048576 THEN 1 ELSE 0 END AS logon_via_callapi,
CASE WHEN BITAND(USR_Privilege,2097152) = 2097152 THEN 1 ELSE 0 END AS sap_criteria_manager,
CASE WHEN BITAND(USR_Privilege,4194304) = 4194304 THEN 1 ELSE 0 END AS access_to_version_management_folder,
CASE WHEN BITAND(USR_Privilege,8388608) = 8388608 THEN 1 ELSE 0 END AS access_to_autoforecast,
CASE WHEN BITAND(USR_Privilege,16777216) = 16777216 THEN 1 ELSE 0 END AS create_diagnostic_information,
CASE WHEN BITAND(USR_Privilege,33554432) = 33554432 THEN 1 ELSE 0 END AS take_over_task,
CASE WHEN BITAND(USR_Privilege,67108864) = 67108864 THEN 1 ELSE 0 END AS ilm_actions,
CASE WHEN BITAND(USR_Privilege,134217728) = 134217728 THEN 1 ELSE 0 END AS create_and_modify_sql_internal_variables,
CASE WHEN BITAND(USR_Privilege,268435456) = 268435456 THEN 1 ELSE 0 END AS work_in_runbook_mode,
CASE WHEN BITAND(USR_Privilege,536870912) = 536870912 THEN 1 ELSE 0 END AS manage_favorites_on_usergroup_level,
CASE WHEN BITAND(USR_Privilege,1073741824) = 1073741824 THEN 1 ELSE 0 END AS access_to_service_catalog,
CASE WHEN BITAND(USR_Privilege,2147483648) = 2147483648 THEN 1 ELSE 0 END AS access_to_process_monitoring,
CASE WHEN BITAND(USR_Privilege,4294967296) = 4294967296 THEN 1 ELSE 0 END AS ecc_service_level_govenor,
CASE WHEN BITAND(USR_Privilege,8589934592) = 8589934592 THEN 1 ELSE 0 END AS ecc_manage_sla_and_bu,
CASE WHEN BITAND(USR_Privilege,17179869184) = 17179869184 THEN 1 ELSE 0 END AS access_to_policy_orchestrator,
CASE WHEN BITAND(USR_Privilege,34359738368) = 34359738368 THEN 1 ELSE 0 END AS access_to_process_assembly,
CASE WHEN BITAND(USR_Privilege,68719476736) = 68719476736 THEN 1 ELSE 0 END AS access_to_administration,
CASE WHEN BITAND(USR_Privilege,137438953472) = 137438953472 THEN 1 ELSE 0 END AS access_to_dashboards,
CASE WHEN BITAND(USR_Privilege,274877906944) = 274877906944 THEN 1 ELSE 0 END AS access_to_predictive_analytics,
CASE WHEN BITAND(USR_Privilege,549755813888) = 549755813888 THEN 1 ELSE 0 END AS access_to_messages,
CASE WHEN BITAND(USR_Privilege,1099511627776) = 1099511627776 THEN 1 ELSE 0 END AS fileevents_start_without_login_object_specified,
CASE WHEN BITAND(USR_Privilege,2199023255552) = 2199023255552 THEN 1 ELSE 0 END AS access_to_analytics,
CASE WHEN BITAND(USR_Privilege,4398046511104) = 4398046511104 THEN 1 ELSE 0 END AS dump_memory_trace,
CASE WHEN BITAND(USR_Privilege,8796093022208) = 8796093022208 THEN 1 ELSE 0 END AS access_to_analytics_for_all_clients,
CASE WHEN BITAND(USR_Privilege,17592186044416) = 17592186044416 THEN 1 ELSE 0 END AS access_metrics_endpoint,
CASE WHEN BITAND(USR_Privilege,35184372088832) = 35184372088832 THEN 1 ELSE 0 END AS execute_agent_upgrades,
CASE WHEN BITAND(USR_Privilege,70368744177664) = 70368744177664 THEN 1 ELSE 0 END AS token_access_and_token_creation,
CASE WHEN BITAND(USR_Privilege,140737488355328) = 140737488355328 THEN 1 ELSE 0 END AS db_maintenance
FROM OH,USR
WHERE OH_Idnr=USR_OH_Idnr
--AND OH_Client = 0
AND OH_DeleteFlag = 0),
Assigned_privileges AS (
SELECT OH_Client,OH_Name, RTRIM(XMLAGG(XMLELEMENT(E,
CASE WHEN automatic_processing = 1 THEN ' automatic_processing, ' END ||
CASE WHEN access_systemoverview = 1 THEN ' access_systemoverview, ' END ||
CASE WHEN recycle_bin = 1 THEN ' recycle_bin, ' END ||
CASE WHEN transport_case = 1 THEN ' transport_case, ' END ||
CASE WHEN view_messages = 1 THEN ' view_messages, ' END ||
CASE WHEN view_administrators_messages = 1 THEN ' view_administrators_messages, ' END ||
CASE WHEN view_all_messagesfrom_accorded_client = 1 THEN ' view_all_messagesfrom_accorded_client, ' END ||
CASE WHEN view_security_messages = 1 THEN ' view_security_messages, ' END ||
CASE WHEN execute_system_upgrades = 1 THEN ' execute_system_upgrades, ' END ||
CASE WHEN access_to_client_99 = 1 THEN ' access_to_client_99, ' END ||
CASE WHEN access_to_selective_statistics = 1 THEN ' access_to_selective_statistics, ' END ||
CASE WHEN access_to_password_container = 1 THEN ' access_to_password_container, ' END ||
CASE WHEN create_and_modify_backend_variables = 1 THEN ' create_and_modify_backend_variables, ' END ||
CASE WHEN deal_with_authorizations_at_object_level = 1 THEN ' deal_with_authorizations_at_object_level, ' END ||
CASE WHEN modify_the_status_of_a_task_manually = 1 THEN ' modify_the_status_of_a_task_manually, ' END ||
CASE WHEN object_properties_allow_manual_reset_of_edit_hint = 1 THEN ' object_properties_allow_manual_reset_of_edit_hint, ' END ||
CASE WHEN filetransfer_start_without_login_object_specified = 1 THEN ' filetransfer_start_without_login_object_specified, ' END ||
CASE WHEN administrate_users_and_groups = 1 THEN ' administrate_users_and_groups, ' END ||
CASE WHEN view_server_usage_of_all_clients = 1 THEN ' view_server_usage_of_all_clients, ' END ||
CASE WHEN access_to_no_folder = 1 THEN ' access_to_no_folder, ' END ||
CASE WHEN logon_via_callapi = 1 THEN ' logon_via_callapi, ' END ||
CASE WHEN sap_criteria_manager = 1 THEN ' sap_criteria_manager, ' END ||
CASE WHEN access_to_version_management_folder = 1 THEN ' access_to_version_management_folder, ' END ||
CASE WHEN access_to_autoforecast = 1 THEN ' access_to_autoforecast, ' END ||
CASE WHEN create_diagnostic_information = 1 THEN ' create_diagnostic_information, ' END ||
CASE WHEN take_over_task = 1 THEN ' take_over_task, ' END ||
CASE WHEN ilm_actions = 1 THEN ' ilm_actions, ' END ||
CASE WHEN create_and_modify_sql_internal_variables = 1 THEN ' create_and_modify_sql_internal_variables, ' END ||
CASE WHEN work_in_runbook_mode = 1 THEN ' work_in_runbook_mode, ' END ||
CASE WHEN manage_favorites_on_usergroup_level = 1 THEN ' manage_favorites_on_usergroup_level, ' END ||
CASE WHEN access_to_service_catalog = 1 THEN ' access_to_service_catalog, ' END ||
CASE WHEN access_to_process_monitoring = 1 THEN ' access_to_process_monitoring, ' END ||
CASE WHEN ecc_service_level_govenor = 1 THEN ' ecc_service_level_govenor, ' END ||
CASE WHEN ecc_manage_sla_and_bu = 1 THEN ' ecc_manage_sla_and_bu, ' END ||
CASE WHEN access_to_policy_orchestrator = 1 THEN ' access_to_policy_orchestrator, ' END ||
CASE WHEN access_to_process_assembly = 1 THEN ' access_to_process_assembly, ' END ||
CASE WHEN access_to_administration = 1 THEN ' access_to_administration, ' END ||
CASE WHEN access_to_dashboards = 1 THEN ' access_to_dashboards, ' END ||
CASE WHEN access_to_predictive_analytics = 1 THEN ' access_to_predictive_analytics, ' END ||
CASE WHEN access_to_messages = 1 THEN ' access_to_messages, ' END ||
CASE WHEN fileevents_start_without_login_object_specified = 1 THEN ' fileevents_start_without_login_object_specified, ' END ||
CASE WHEN access_to_analytics = 1 THEN ' access_to_analytics, ' END ||
CASE WHEN dump_memory_trace = 1 THEN ' dump_memory_trace, ' END ||
CASE WHEN access_to_analytics_for_all_clients = 1 THEN ' access_to_analytics_for_all_clients, ' END ||
CASE WHEN access_metrics_endpoint = 1 THEN ' access_metrics_endpoint, ' END ||
CASE WHEN execute_agent_upgrades = 1 THEN ' execute_agent_upgrades, ' END ||
CASE WHEN token_access_and_token_creation = 1 THEN ' token_access_and_token_creation, ' END ||
CASE WHEN db_maintenance = 1 THEN ' db_maintenance, ' END
).EXTRACT('//text()') ORDER BY OH_Name).GetClobVal(), ', ') AS Privileges
FROM User_privileges
GROUP BY OH_Client,OH_Name)
SELECT * FROM Assigned_privileges
WHERE 1=1
--AND OH_Name IN ('UC/UC', 'ADMIN/ADMIN', 'AUTOMIC/AUTOMIC')
ORDER BY OH_CLIENT, OH_NAME;

    Enjoy!



  • 8.  RE: USR_Privilege

    Posted Apr 03, 2025 02:44 AM
    Edited by Michael A. Lowry Apr 03, 2025 02:43 AM
      |   view attached

    For those who are interested, here is a JSON export of the user objects I used to perform my tests.

    Attachment(s)

    json
    USR_PRIVILEGE testing users.json   47 KB 1 version


  • 9.  RE: USR_Privilege

    Posted Apr 07, 2025 07:38 AM

    Thanks for this, i've used it to track down and clean up some older accounts that I had.  I notice that the following are sometimes assigned when the user no rights available in the UI
     ecc_service_level_govenor,  ecc_manage_sla_and_bu,  access_to_policy_orchestrator,  access_to_predictive_analytics
    I guess these are from an older implementation of Automic, such as Automic v10.

    Thanks again


    Original Message