Completing the security configuration
About this task
After updating the master domain manager and backup master domain manager with the fix pack, complete the security configuration. The tasks to complete vary depending on whether you are using the default role-based security model or the classic security model.
- Role-based security model
- To quickly and easily update your security file with the latest changes introduced with folders, open any access control list
definition and make a small change. A single change propagates an update to the entire file. The
following is an example of a small change that propagates an update to the entire file:
- From the Dynamic Workload Console, click .
- In Access Control List, select Manage accesses.
- Select the TWSUSER access control list and click Edit.
- Remove the FULLCONTROL role, then add it back again.
- Click Save and Exit.
- Classic security model
- If you use the classic security model and have specific security settings in your current
environment, these settings must be manually merged with the new settings before you build the final
security file to be used in your new environment. The statements you might have to add manually vary
depending on your specific security settings. To manually merge the new settings, complete the following procedure:
- Log in as TWS_user on your upgraded master domain manager and set the HCL Workload Automation environment.
- If you have centralized security enabled, extract the new security file on the master using the
command:
dumpsec > sec_file
where sec_file is the text file created by the dumpsec command.
- Edit the sec_file, and insert the following statements in all of the stanzas in the file:
- Folder
-
FOLDER NAME=/ ACCESS=ADD,DELETE,DISPLAY,MODIFY,USE,LIST,UNLOCK, ACL
Folder access must be given to scheduling objects and access to the folder in which the workstation is defined must be given for the JOB, SCHEDULE, USEROBJ, RESOURCE, and PARAMETER objects:
job cpu=@ + folder = / + cpufolder = / access=@
schedule cpu=@ + folder = / + cpufolder = / access=@
cpu cpu=@ + folder = / access=@
userobj cpu=@ + cpufolder = / access=@
resource cpu=@ + folder = / + cpufolder = / access=@
prompt + folder = / access=@
calendar + folder = / access=@
eventrule name=@ + folder = / access=add,delete,display,modify,list,unlock
parameter cpu=@ + folder = / + cpufolder = / access=@
runcygrp name=@ + folder = / access=add,delete,display,modify,use,list,unlock
vartable name=@ + folder = / access=add,delete,display,modify,use,list,unlock
wkldappl name=@ + folder = / access=add,delete,display,modify,list,unlock
- Workload application
-
WKLDAPPL NAME=@ + FOLDER = / ACCESS=ADD,DELETE,DISPLAY,MODIFY,LIST,UNLOCK
- Run cycle group
-
RUNCYGRP NAME=@ + FOLDER = / ACCESS=ADD,DELETE,DISPLAY,MODIFY,USE,LIST,UNLOCK
- Centralized agent update
- Replace the statement:
CPU CPU=@ ACCESS=ADD,CONSOLE,DELETE,DISPLAY,FENCE,LIMIT,LINK,MODIFY,SHUTDOWN, START,STOP,UNLINK,LIST,UNLOCK,RUN,RESETFTA
with the following statement:
CPU CPU=@ + FOLDER = / ACCESS=ADD,CONSOLE,DELETE,DISPLAY,FENCE,LIMIT,LINK,MODIFY,SHUTDOWN, START,STOP,UNLINK,LIST,UNLOCK,RUN,RESETFTA,MANAGE
- Adding members to workstation class
- Following the upgrade, to create or modify workstation classes, you must add
USE access to CPU objects that are members, or that will be added as members to a
workstation class.
CPU CPU=@ + FOLDER = / ACCESS=ADD,CONSOLE,DELETE,DISPLAY,FENCE,LIMIT,LINK,MODIFY,SHUTDOWN, START,STOP,UNLINK,LIST,UNLOCK,RUN,RESETFTA,MANAGE,USE
- Check that the user permissions of the new statements are correct and, if necessary, add the user of your old master domain manager to the security file of the master you just upgraded.
- Due to new support of the UPN Windows user, if you have Windows domain users that
are defined in the logon fields as domain\username, insert the escape character '\' before the '\' character in the domain\username value. For example, if you use the MYDOMAIN\user1 value in the logon field, after the upgrade, in the Security file you must update the line in the following way:
.............. logon=MYDOMAIN\\user1 ...............
- Save your changes to the sec_file.
- Build your final security file for your new master domain manager using the
makesec command:
makesec sec_file
- If you have centralized security enabled, distribute the security file.
Run JnextPlan -for 0000 to distribute the Symphony file to the agents.
Note: Ensure that the optman cf option is set to all or only the unfinished job streams are carried forward.
- Restore the previous setting of the optman cf option, if necessary.
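For the classic security model procedure above, the edited sec_file can be checked before makesec is run. The following is an added example, not HCL code: it reports stanzas that still lack the FOLDER, WKLDAPPL or RUNCYGRP statements, statements without a folder clause, CPU statements without MANAGE or USE, and logon values with an unescaped backslash. It assumes stanzas are laid out as USER ... BEGIN ... END; the function names and the sample stanza are hypothetical.

```python
import re

REQUIRED = ("FOLDER", "WKLDAPPL", "RUNCYGRP")  # statements the page adds to every stanza
NEEDS_FOLDER = {"JOB", "SCHEDULE", "CPU", "RESOURCE", "PROMPT", "CALENDAR", "EVENTRULE",
                "PARAMETER", "RUNCYGRP", "VARTABLE", "WKLDAPPL"}  # shown with "+ folder = /"
# Assumed stanza layout: USER <name> <attributes> BEGIN <statements> END
STANZA = re.compile(r"^\s*USER\s+(\S+)(.*?)^\s*BEGIN\b(.*?)^\s*END\b", re.I | re.M | re.S)
LOGON = re.compile(r"logon\s*=\s*([^\s+]+)", re.I)
LONE_BACKSLASH = re.compile(r"(?<!\\)\\(?!\\)")  # a '\' that is not half of '\\'

def statements(body):
    """Join wrapped ACCESS lists so that each statement is one string."""
    out = []
    for line in body.splitlines():
        if (tok := line.split()) and tok[0].isalpha() and len(tok) > 1:
            out.append(line.strip())        # new statement: keyword plus arguments
        elif tok and out:
            out[-1] += " " + line.strip()   # continuation of the previous statement
    return out

def lint_sec_file(text):
    """Return (user, message) findings for the text produced by dumpsec."""
    findings = []
    for user, header, body in STANZA.findall(text):
        stmts = statements(body)
        kinds = {s.split()[0].upper() for s in stmts}
        findings += [(user, f"no {k} statement") for k in REQUIRED if k not in kinds]
        for s in stmts:
            kind = s.split()[0].upper()
            acc = re.search(r"access\s*=\s*(.*)", s, re.I)
            rights = {a.strip().upper() for a in acc.group(1).split(",")} if acc else set()
            if kind in NEEDS_FOLDER and not re.search(r"\+\s*FOLDER\s*=", s, re.I):
                findings.append((user, f"{kind} statement has no '+ FOLDER' clause"))
            if kind == "CPU" and "@" not in rights:
                findings += [(user, f"CPU statement lacks {r}")
                             for r in ("MANAGE", "USE") if r not in rights]
        findings += [(user, f"unescaped backslash in logon={v}")
                     for v in LOGON.findall(header + body) if LONE_BACKSLASH.search(v)]
    return findings

# Constructed pre-upgrade stanza (not taken from a real system).
SAMPLE = r"""USER OLDADMIN
  CPU=@+LOGON=MYDOMAIN\user1
BEGIN
  JOB CPU=@ ACCESS=@
  CPU CPU=@ ACCESS=ADD,CONSOLE,DELETE,DISPLAY,FENCE,LIMIT,LINK,MODIFY,SHUTDOWN,
      START,STOP,UNLINK,LIST,UNLOCK,RUN,RESETFTA
END"""
print(*lint_sec_file(SAMPLE), sep="\n")
```

The USE finding matters only for CPU objects that are, or will become, members of a workstation class; an empty result means none of the listed gaps were found, not that the permissions themselves are appropriate.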