Example

The following examples demonstrate how to restrict access to specific folders. Even with access to a folder, a user still needs additional rights to work with the objects defined in it. When submitting a job or job stream defined in a folder, use access is required on the workstation (cpu) where the job is defined, in addition to access to the folder and the objects it contains.

HCL Workload Automation administrator can grant administrator permissions to a user on a folder, ACL, so that the user can freely assign access control lists to other users on the same folder or any sub-folders. Users can then access the objects in the folder or sub-folders. For more information about delegating administrator access to users and groups on a folder, see Granting administrator permissions to a user on a folder.

Examples

Tim the HCL Workload Automation administrator, delegates Linda, the app1_admin user, permissions on the folder /PRD/APP1 and any sub-folders, by assigning her the ACL access on the folder. With this access, Linda can create access control lists to grant access to the folder or sub-folders to other users with a predefined role. The following is the security file for Linda, the app1_admin user:
###########################################################
#     Sample Security File
###########################################################
USER APPADMINofPRDAPP1  cpu=JUPITER+LOGON=app1_admin
begin
#  OBJECT     ATTRIBUTES                         ACCESS CAPABILITIES
# ----------  ------------                       -------------------
job           cpu=JUPITER  + folder = "/PRD/APP1","/PRD/APP1/"  
                  access=add,delete,display,modify,use,list,unlock
schedule      cpu=JUPITER  + folder = "/PRD/APP1","/PRD/APP1/"  
                  access=add,delete,display,modify,use,list,unlock
folder        name="/PRD/APP1","/PRD/APP1/"                     
                  access=add,delete,display,modify,use,list,unlock,acl
User jsmith is granted unrestricted access to jobs and job streams defined in the folder named APPS and on the workstation named JUPITER, specify:
###########################################################
#     Sample Security File
###########################################################
user  jsmith  cpu=JUPITER
begin
#  OBJECT     ATTRIBUTES                      ACCESS CAPABILITIES
# ----------  ------------                    -------------------
job           cpu=JUPITER  + folder = /APPS/  access=@
schedule      cpu=JUPITER  + folder = /APPS/  access=@
cpu           cpu=JUPITER+LOGON=jsmith        access=use
folder        name=/APPS/                     access=add,delete,display,
                                              modify,use,list,unlock,acl
To allow a user to have the specified rights on any folder, the root folder and any sub-folders, specify:
folder   name=/      access=add,delete,display,modify,use,list,unlock

To grant a user access only to the root folder (/), you can omit specifying the folder object in the security file. This is the same behavior as in security files for releases prior to Version 9.5. After upgrading to Version 9.5, all of the objects are moved to the root folder, so if you continue to use your old security file which does not include the v95fp1 attribute or object (for example, for jobs, JOB CPU=@ ACCESS=ADD,ADDDEP,…,RERUN,SUBMIT,USE,LIST,UNLOCK, then users have access to only the root (/) folder by default.

To allow a user to have the specified rights only on the "APPS" folder, specify:
folder   name=/APPS/      access=add,delete,display,modify,use,list,unlock
To allow a user to have the specified rights on the folder "APPS" and its sub-folders, specify:
folder   name=/APPS        access=add,delete,display,modify,use,list,unlock
To allow a user to have the specified rights only on folder "APP1" and its sub-folders, specify:
folder   name=/APPS/APP1        access=add,delete,display,modify,use,list,unlock
To allow a user to have all rights on the folder "APPS" and on the folder "APP2" and its sub-folder, but no rights on APP1, specify:
folder   name=/APPS/                 access=@
folder   name=/APPS/APP1/APP2        access=@