Centralized security usage notes

The following are some considerations to be aware of if centralized security management is enabled in your HCL Workload Automation environment.

When centralized security is enabled (enCentSec / ts = YES), and you plan to start using the folder feature to define or move scheduling objects into dedicated folders, then you must first update or upgrade all of the fault-tolerant agents in your environment to version 9.5 Fix Pack 2 or later. If centralized security management is not enabled (enCentSec / ts = NO), all stanzas that reference CPU are automatically updated to include folder access, for example, CPU CPU=@+FOLDER="/", unless you use wildcard characters (@) as matching criteria in your stanzas, for example, CPU CPU=@HR. In this case, if you want to be able to move these CPUs into folders, then you need to manually update those stanzas to include access to all folders, CPU CPU=@HR+FOLDER="/".

In a network with centralized security management, two workstations are unable to establish a connection if one of them has enCentSec turned off in its Symphony file or if their security file information does not match.

The only exception to the security file matching criteria introduced by the centralized security management mechanism is that a workstation must always accept incoming connections from its domain manager, regardless of the result of the security file matching process.

Centralized security does not apply to HCL Workload Automation operations for which the Symphony file is not required. Commands that do not require the Symphony file to run use the local security file. For example, the parms command, used to modify or display the local parameters database, continues to work according to the local security file, even if centralized security is active and the local security file differs from the centralized security rules.

If a workstation's security file is deleted and re-created, the checksum of the new security file will not match the value in the Symphony file. In addition, a run-number mechanism associated with the creation process of the Symphony file ensures prevention from tampering with the file.