Security role definition

In the role-based security model, a security role represents a certain level of authorization and includes the set of actions that users or groups can perform. You can include multiple security role definitions in the same text file, along with security domain definitions and access control list definitions.

Each security role definition has the following format and arguments:

Syntax

securityrole security_role_name
   [description "description"]
      object_type access[=action[,action]...]
      [object_type access[=action[,action]...]]...
   end

[securitydomain ...]

[accesscontrollist ...]

Arguments

securityrole security_role_name
Specifies the name of the security role. The name must start with a letter, and can contain alphanumeric characters, dashes, and underscores. It can contain up to 16 characters.
description "description"
Provides a description of the security role. The description can contain up to 120 alphanumeric characters. The text must be enclosed within double quotes.
object_type access[=action[,action]...]
For each object type, specifies a list of actions that users or groups can perform on that specific object type.
Table 1 shows the different object types and how they are referenced with composer and with the Dynamic Workload Console:
Table 1. Security object types

Object type - composer  Object type - Dynamic Workload Console  Description
action                  Actions                                 Actions defined in scheduling event rules
calendar                Calendars                               User calendars
cpu                     Workstations                            Workstations, domains, and workstation classes
event                   Events                                  Event conditions in scheduling event rules
eventrule               Event Rules                             Scheduling event rule definitions
file                    Files                                   HCL Workload Automation database files
folder                  Folders                                 The folder within which jobs and job streams are defined.
job                     Jobs                                    Scheduled jobs and job definitions
lob                     HCL Application Lab                     HCL Application Lab
parameter               Parameters                              Local parameters
prompt                  Prompts                                 Global prompts
report                  Reports                                 The following reports in Dynamic Workload Console:
                                                                  RUNHIST: Job Run History
                                                                  RUNSTATS: Job Run Statistics
                                                                  WWS: Workstation Workload Summary
                                                                  WWR: Workstation Workload Runtimes
                                                                  SQL: Custom SQL
                                                                  ACTPROD: Actual production details (for current and archived plans)
                                                                  PLAPROD: Planned production details (for trial and forecast plans)
resource                Resources                               Scheduling resources
runcygrp                Run Cycle Groups                        Run cycle groups
schedule                Job Streams                             Job streams
userobj                 User Objects                            User objects
vartable                Variable Tables                         Variable tables
wkldappl                Workload Application                    Workload application

Table 2 shows the actions that users or groups can perform on the different objects.
Table 2. Actions that users or groups can perform on the different objects

acl       deldep    modify    stop
add       delete    release   submit
adddep    display   reply     submitdb
altpass   fence     rerun     unlink
altpri    kill      resetfta  unlock
build     limit     resource  use
cancel    link      run
confirm   list      shutdown
console   manage    start

For the actions that users or groups can perform on each object type for each HCL Workload Automation task, see Managing security roles.
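The naming, description, object type and action rules above can be checked mechanically before a role file is loaded. The following lint pass is an added example, not HCL code: lint_roles and check_statement are hypothetical names, SAMPLE is constructed input, and flagging ACL is a review heuristic added here. It checks actions against the full list in Table 2 only, not against which actions are valid for each object type.

```python
import re

# Composer object types (Table 1) and actions (Table 2) as listed on this page.
OBJECT_TYPES = set("""action calendar cpu event eventrule file folder job lob
parameter prompt report resource runcygrp schedule userobj vartable wkldappl""".split())
ACTIONS = set("""acl add adddep altpass altpri build cancel confirm console deldep
delete display fence kill limit link list manage modify release reply rerun resetfta
resource run shutdown start stop submit submitdb unlink unlock use""".split())
NAME_RE = re.compile(r"[A-Za-z][A-Za-z0-9_-]{0,15}")  # letter first, 16 chars max
# Constructed sample with three deliberate problems (not taken from the page).
SAMPLE = '''SECURITYROLE APP_ADMIN
  DESCRIPTION "Constructed sample"
  JOB      ACCESS=ADD,ADDDEP,
           ALTRPRI,CANCEL
  SCHEDULE ADD,MODIFY
  FOLDER   ACCESS=DISPLAY,ACL
END'''

def check_statement(key, rest):
    """Return problem strings for one statement inside a securityrole block."""
    if key == "description":
        ok = re.fullmatch(r'"[^"]{0,120}"', rest)
        return [] if ok else ["description must be quoted, 120 chars max"]
    if key not in OBJECT_TYPES:
        return ["unknown object type"]
    m = re.fullmatch(r"access(?:\s*=\s*(.*))?", rest, re.I)
    if not m:
        return ["missing ACCESS keyword"]
    acts = [a.strip().lower() for a in (m.group(1) or "").split(",") if a.strip()]
    return ([f"unknown action {a.upper()}" for a in acts if a not in ACTIONS]
            + (["grants ACL (holder can delegate access)"] if "acl" in acts else []))

def lint_roles(text):
    """Return (role, statement keyword, problem) findings for securityrole blocks."""
    findings, role = [], None
    joined = re.sub(r",\s*\n\s*", ",", text)  # rejoin action lists wrapped after a comma
    for line in filter(None, map(str.strip, joined.splitlines())):
        head, rest = (line.split(None, 1) + [""])[:2]
        key = head.lower()
        if key == "securityrole":
            role = rest
            if not NAME_RE.fullmatch(role):
                findings.append((role, head, "invalid role name"))
        elif key == "end":
            role = None
        elif role is not None:  # securitydomain / accesscontrollist text is skipped
            findings += [(role, head, p) for p in check_statement(key, rest)]
    return findings + ([(role, "", "missing END")] if role is not None else [])
```

Calling lint_roles(SAMPLE) reports the misspelled action, the statement without the ACCESS keyword, and the ACL grant on FOLDER.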

Examples

The following example defines security role SECROLE1 and security role SECROLE2:

SECURITYROLE SECROLE1
   DESCRIPTION "Sample Security Role"
   SCHEDULE          ACCESS=ADD,ADDDEP,ALTPRI,CANCEL,DELDEP,DELETE,
                     DISPLAY,LIMIT,MODIFY,RELEASE
   RESOURCE          ACCESS=ADD,DELETE,DISPLAY,MODIFY,RESOURCE,USE,LIST,UNLOCK
   PROMPT            ACCESS=ADD,DELETE,DISPLAY,MODIFY,REPLY,USE,LIST,UNLOCK
   FILE              ACCESS=BUILD,DELETE,DISPLAY,MODIFY,UNLOCK
   FOLDER            ACCESS=ADD,DELETE,DISPLAY,MODIFY,USE,LIST,UNLOCK,ACL
   CPU               ACCESS=LIMIT,LINK,MODIFY,SHUTDOWN,START,STOP,UNLINK,LIST,UNLOCK,RUN
   PARAMETER         ACCESS=ADD,DELETE,DISPLAY,MODIFY,LIST,UNLOCK
   CALENDAR          ACCESS=ADD,DELETE,DISPLAY,MODIFY,USE,LIST,UNLOCK
   REPORT            ACCESS=DISPLAY
   EVENTRULE         ACCESS=ADD,DELETE,DISPLAY,MODIFY,LIST,UNLOCK
   ACTION            ACCESS=DISPLAY,SUBMIT,USE,LIST
   EVENT             ACCESS=USE
   VARTABLE          ACCESS=ADD,DELETE,DISPLAY,MODIFY,USE,LIST,UNLOCK
   WKLDAPPL          ACCESS=ADD,DELETE,DISPLAY,MODIFY,LIST,UNLOCK
   RUNCYGRP          ACCESS=ADD,DELETE,DISPLAY,MODIFY,USE,LIST,UNLOCK
   LOB               ACCESS=USE
END

SECURITYROLE SECROLE2
   DESCRIPTION "Sample Security Role"
   SCHEDULE          ACCESS=ADD,ADDDEP,ALTPRI,CANCEL,DELDEP,DELETE,
                     DISPLAY,LIMIT,MODIFY,RELEASE
   RESOURCE          ACCESS=ADD,DELETE,DISPLAY,MODIFY,RESOURCE,USE,LIST,UNLOCK
   PROMPT            ACCESS=ADD,DELETE,DISPLAY,MODIFY,REPLY,USE,LIST,UNLOCK
END

The following example defines a new security role, APP_ADMIN, for the user APP1_ADMIN and assigns administrator permissions on the folder hierarchy /PRD/APP1/, so that the APP1_ADMIN user can create access control lists to give other users access to the objects in this folder or its subfolders:

Security role definition

SECURITYROLE APP_ADMIN
   DESCRIPTION "Security Role"
   JOB       ACCESS=ADD,MODIFY,SUBMITDB,USE,ADDDEP,RUN,RELEASE,REPLY,DELETE,DISPLAY,
             CANCEL,SUBMIT,CONFIRM,RERUN,LIST,DELDEP,KILL,UNLOCK,ALTPRI
   SCHEDULE  ACCESS=ADD,ADDDEP,ALTPRI,CANCEL,DELDEP,DELETE,DISPLAY,LIMIT,MODIFY,RELEASE
   FOLDER    ACCESS=ADD,DELETE,DISPLAY,MODIFY,USE,LIST,UNLOCK,ACL
END

Security file

USER APP_ADMINofAPP1
  CPU=@+LOGON="APP_ADMIN"
BEGIN
  JOB       FOLDER="/PRD/APP1/","/PRD/APP1" + CPUFOLDER = / ACCESS=ADD,ADDDEP,
            CANCEL,SUBMIT,
            CONFIRM,RERUN,LIST,DELDEP,KILL,UNLOCK,ALTPRI
  SCHEDULE  FOLDER="/PRD/APP1/","/PRD/APP1" + CPUFOLDER = / ACCESS=ADD,ADDDEP,
            ALTPRI,CANCEL,DELDEP,
            DELETE,DISPLAY,LIMIT,MODIFY,RELEASE
  FOLDER    NAME="/PRD/APP1/","/PRD/APP1"   ACCESS=ADD,DELETE,DISPLAY,MODIFY,USE,
            LIST,UNLOCK,ACL