Completing the security configuration
Configuring the security file on the new backup master domain manager.
About this task
To complete the security configuration for the new environment, there are a few tasks to complete that can vary depending on whether you are using the default role-based security model, or the classic security model.
- Role-based security model
- Grant users access to all of the objects associated to the domain and to folders. For example,
to grant full access to all objects in the domain and on all folders, create an Access Control list
for the users to which you want to give access
- Grant users access to all of the objects associated to the domain and to objects in the root (/)
folder. For example, to grant full access to all objects in the domain and on all folders, create an
Access Control list for the users to which you want to give access:
- From the Dynamic Workload Console, open the Manage Workload Security panel and select Give access to users and groups.
- Select the group from the drop-down list and then select FULLCONTROL in the field Role.
- Select Domain and assign ALLOBJECTS.
- Click Save and create new.
- Select the group from the drop-down list and then select FULLCONTROL in the field Role.
- Select Folder and then assign the root by clicking /.
- Click Save.
- Classic security model
- If you use the classic security model and have specific security settings in your current
environment, these settings must be manually merged with the new settings before you build the final
security file to be used in your new environment. The statements you might have to add manually vary
depending on your specific security settings. To manually merge the new settings, complete the following procedure:
- Log in as TWS_user on your upgraded master domain manager and set the HCL Workload Automation environment.
- If you have centralized security enabled, extract the new security file on the master using the
command:
dumpsec > sec_file
where sec_file is the text file created by the dumpsec command.
- Edit the sec_file, and insert the following statements in all of the stanzas in the file:
- Folder
FOLDER NAME=/ ACCESS=ADD,DELETE,DISPLAY,MODIFY,USE,LIST,UNLOCK, ACL
Folder access must be given to scheduling objects and access to the folder in which the workstation is defined must be given for the JOB, SCHEDULE, USEROBJ, RESOURCE, and PARAMETER objects:
job cpu=@ + folder = / + cpufolder = / access=@
schedule cpu=@ + folder = / + cpufolder = / access=@
cpu cpu=@ + folder = / access=@
userobj cpu=@ + cpufolder = / access=@
resource cpu=@ + folder = / + cpufolder = / access=@
prompt + folder = / access=@
calendar + folder = / access=@
eventrule name=@ + folder = / access=add,delete,display,modify,list,unlock
parameter cpu=@ + folder = / + cpufolder = / access=@
runcygrp name=@ + folder = / access=add,delete,display,modify,use,list,unlock
vartable name=@ + folder = / access=add,delete,display,modify,use,list,unlock
wkldappl name=@ + folder = / access=add,delete,display,modify,list,unlock
- Workload application
WKLDAPPL NAME=@ + FOLDER = / ACCESS=ADD,DELETE,DISPLAY,MODIFY,LIST,UNLOCK
- Run cycle group
RUNCYGRP NAME=@ + FOLDER = / ACCESS=ADD,DELETE,DISPLAY,MODIFY,USE,LIST,UNLOCK
- Centralized agent update
- Replace the statement:
CPU CPU=@ ACCESS=ADD,CONSOLE,DELETE,DISPLAY,FENCE,LIMIT,LINK,MODIFY,SHUTDOWN, START,STOP,UNLINK,LIST,UNLOCK,RUN,RESETFTA
with the following statement:
CPU CPU=@ + FOLDER = / ACCESS=ADD,CONSOLE,DELETE,DISPLAY,FENCE,LIMIT,LINK,MODIFY,SHUTDOWN, START,STOP,UNLINK,LIST,UNLOCK,RUN,RESETFTA,MANAGE
- Adding members to workstation class
- Following the upgrade, to create or modify workstation classes, you must add
USE access to CPU objects that are members, or that will be added as members to a
workstation class.
CPU CPU=@ + FOLDER = / ACCESS=ADD,CONSOLE,DELETE,DISPLAY,FENCE,LIMIT,LINK,MODIFY,SHUTDOWN, START,STOP,UNLINK,LIST,UNLOCK,RUN,RESETFTA,MANAGE,USE
- Check that the user permissions of the new statements are correct and, if necessary, add the user of your old master domain manager to the security file of the master you just upgraded.
- Due to new support of the UPN Windows user, if you have Windows domain users that
are defined in the logon fields as domain\username, insert the escape character '\' before the '\' character in the domain\username value. For example, if you use the MYDOMAIN\user1 value in the logon field, after the upgrade, in the Security file you must update the line in the following way:
.............. logon=MYDOMAIN\\user1 ...............
- Save your changes to the sec_file.
- Build your final security file for your new master domain manager using the
makesec command:
makesec sec_file
- If you have centralized security enabled, distribute the security file.
Run JnextPlan -for 0000 to distribute the Symphony file to the agents.
Note: Ensure that the optman cf option is set to all or only the unfinished job streams are carried forward.
- Restore the previous setting of the optman cf option, if necessary.
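The manual edits in the classic security model procedure can be checked on the text file before it is passed to makesec. The following is an added example, not part of the product documentation or tooling: it doubles lone backslashes in logon values and flags CPU statements that still lack the FOLDER attribute or the MANAGE and USE access keywords. The sample file content, the function names, and the assumption that wrapped access lists break after a comma are constructed for illustration.

```python
import re

# Constructed sample in the style of a dumpsec text file; not from a real system.
SAMPLE_SEC_FILE = r"""USER MAESTRO
  CPU=@+LOGON=tws_user,MYDOMAIN\user1
BEGIN
  JOB CPU=@ + FOLDER = / + CPUFOLDER = / ACCESS=@
  CPU CPU=@ ACCESS=ADD,CONSOLE,DELETE,DISPLAY,FENCE,LIMIT,LINK,MODIFY,SHUTDOWN,
      START,STOP,UNLINK,LIST,UNLOCK,RUN,RESETFTA
END
"""

LOGON_RE = re.compile(r"(logon\s*=\s*)([^\s+]+)", re.IGNORECASE)
LONE_BACKSLASH_RE = re.compile(r"(?<!\\)\\(?!\\)")
CPU_STMT_RE = re.compile(r"^[ \t]*CPU\s+CPU\s*=.*$", re.IGNORECASE | re.MULTILINE)


def escape_logon_backslashes(text):
    """Double each lone backslash in logon= values; escaped values stay as they are."""
    def fix(match):
        value = LONE_BACKSLASH_RE.sub(lambda _: "\\\\", match.group(2))
        return match.group(1) + value
    return LOGON_RE.sub(fix, text)


def lint_cpu_statements(text, required=("MANAGE", "USE")):
    """List CPU statements that lack FOLDER or a required access keyword.

    USE matters only for workstation-class members; pass required=("MANAGE",) otherwise.
    """
    joined = re.sub(r",[ \t]*\n[ \t]*", ",", text)  # re-join lists wrapped after a comma
    findings = []
    for match in CPU_STMT_RE.finditer(joined):
        stmt = match.group(0).strip()
        parts = re.split(r"\bACCESS\s*=", stmt, maxsplit=1, flags=re.IGNORECASE)
        head, access = parts[0], (parts[1] if len(parts) > 1 else "")
        granted = {k.strip().upper() for k in access.split(",") if k.strip()}
        problems = []
        if not re.search(r"\bFOLDER\s*=", head, re.IGNORECASE):
            problems.append("no FOLDER attribute")
        if "@" not in granted:  # ACCESS=@ grants everything
            problems += [f"missing access {k}" for k in required if k not in granted]
        if problems:
            findings.append((stmt, problems))
    return findings


if __name__ == "__main__":
    print(escape_logon_backslashes(SAMPLE_SEC_FILE))
    for stmt, problems in lint_cpu_statements(SAMPLE_SEC_FILE):
        print(problems, "<-", stmt)
```

An empty result from lint_cpu_statements on the edited sec_file means every CPU statement carries the folder attribute and the access keywords added in this procedure.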