Security role definition
In the role-based security model, a security role represents a certain level of authorization and includes the set of actions that users or groups can perform. You can include multiple security role definitions in the same text file, along with security domain definitions and access control list definitions.
Each security role definition has the following format and arguments:
Syntax
securityrole security_role_name
[description "description"]
object_type access[=action[,action]...]
[object_type access[=action[,action]...]]...
end
[securitydomain ...]
[accesscontrollist ...]
Arguments
- securityrole security_role_name
- Specifies the name of the security role. The name must start with a letter, and can contain alphanumeric characters, dashes, and underscores. It can contain up to 16 characters.
- description "description"
- Provides a description of the security role. The description can contain up to 120 alphanumeric characters. The text must be enclosed within double quotes.
- object_type access[=action[,action]...]
- For each object type, specifies a list of actions that users or groups can perform on that specific object type.
Object type - composer | Object type - Dynamic Workload Console | Description |
---|---|---|
action | Actions | Actions defined in scheduling event rules |
calendar | Calendars | User calendars |
cpu | Workstations | Workstations, domains, and workstation classes |
event | Events | Event conditions in scheduling event rules |
eventrule | Event Rules | Scheduling event rule definitions |
file | Files | HCL Workload Automation database files |
folder | Folders | The folder within which jobs and job streams are defined. |
job | Jobs | Scheduled jobs and job definitions |
lob | HCL Application Lab | HCL Application Lab |
parameter | Parameters | Local parameters |
prompt | Prompts | Global prompts |
report | Reports | The following reports in Dynamic Workload Console: |
resource | Resources | Scheduling resources |
runcygrp | Run Cycle Groups | Run cycle groups |
schedule | Job Streams | Job streams |
userobj | User Objects | User objects |
vartable | Variable Tables | Variable tables |
wkldappl | Workload Application | Workload application |
Actions that users or groups can perform on the different objects | |||
---|---|---|---|
acl | deldep | modify | stop |
add | delete | release | submit |
adddep | display | reply | submitdb |
altpass | fence | rerun | unlink |
altpri | kill | resetfta | unlock |
build | limit | resource | use |
cancel | link | run | |
confirm | list | shutdown | |
console | manage | start | |
For the actions that users or groups can perform on a specific object type for each HCL Workload Automation task, see Managing security roles.
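The naming rules and the object type and action tables above can be checked mechanically before a role file is loaded. The following Python linter is an added example, not part of the product or its documentation; the name `lint_roles` and the sample roles are constructed for illustration, and it assumes that a line ending in a comma continues the action list on the next line, as in the examples on this page.

```python
import re

# Object types and actions copied from the two tables on this page.
OBJECT_TYPES = set("action calendar cpu event eventrule file folder job lob parameter "
                   "prompt report resource runcygrp schedule userobj vartable wkldappl".split())
ACTIONS = set("acl add adddep altpass altpri build cancel confirm console deldep delete "
              "display fence kill limit link list manage modify release reply rerun resetfta "
              "resource run shutdown start stop submit submitdb unlink unlock use".split())
NAME_RE = re.compile(r"[A-Za-z][A-Za-z0-9_-]{0,15}")  # letter first, 16 chars max

def lint_roles(text):
    """Parse security role definitions; return (roles, problems)."""
    roles, problems, role = {}, [], None
    # Assumption: a line ending in a comma continues on the next line.
    text = re.sub(r",[ \t]*\r?\n[ \t]*", ",", text)
    for line in filter(None, map(str.strip, text.splitlines())):
        word, _, rest = line.partition(" ")
        key, rest = word.lower(), rest.strip()
        if key == "securityrole":
            role = rest
            roles[role] = {}
            if not NAME_RE.fullmatch(role):
                problems.append(f"{role}: invalid role name")
        elif role is None:
            problems.append(f"statement outside a role block: {line}")
        elif key == "end":
            role = None
        elif key == "description":
            if not re.fullmatch(r'"[^"]{0,120}"', rest):
                problems.append(f"{role}: description must be double-quoted, max 120 chars")
        elif key not in OBJECT_TYPES:
            problems.append(f"{role}: unknown object type {word}")
        elif not (m := re.fullmatch(r"access(?:\s*=\s*(.*))?", rest, re.I)):
            problems.append(f"{role}: {word} is missing the ACCESS keyword")
        else:
            acts = roles[role][key] = [a.strip().lower() for a in (m.group(1) or "").split(",") if a.strip()]
            problems += [f"{role}: unknown action {a} on {key}" for a in acts if a not in ACTIONS]
    if role is not None:
        problems.append(f"{role}: missing END")
    return roles, problems

# Constructed sample: one valid role, then one role with five defects.
SAMPLE = """SECURITYROLE OPS_VIEW
DESCRIPTION "Constructed read-only role"
SCHEDULE ACCESS=DISPLAY,
LIST
END
SECURITYROLE 1_FOLDER_ADMIN_ROLE_X
FOLDER ACCESS=ADD,ACL,ALTRPRI
QUEUE ACCESS=USE
JOB ADD,MODIFY"""
```

Calling `lint_roles(SAMPLE)` returns the parsed roles together with five findings for the second role: the invalid name, the misspelled action, the unknown object type, the missing ACCESS keyword, and the missing END.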
Examples
The following example defines security role SECROLE1 and security role SECROLE2:
SECURITYROLE SECROLE1
DESCRIPTION "Sample Security Role"
SCHEDULE ACCESS=ADD,ADDDEP,ALTPRI,CANCEL,DELDEP,DELETE,
DISPLAY,LIMIT,MODIFY,
RELEASE
RESOURCE ACCESS=ADD,DELETE,DISPLAY,MODIFY,RESOURCE,USE,LIST,UNLOCK
PROMPT ACCESS=ADD,DELETE,DISPLAY,MODIFY,REPLY,USE,LIST,UNLOCK
FILE ACCESS=BUILD,DELETE,DISPLAY,MODIFY,UNLOCK
FOLDER ACCESS=ADD,DELETE,DISPLAY,MODIFY,USE,LIST,UNLOCK,ACL
CPU ACCESS=LIMIT,LINK,MODIFY,SHUTDOWN,START,STOP,UNLINK,LIST,UNLOCK,RUN
PARAMETER ACCESS=ADD,DELETE,DISPLAY,MODIFY,LIST,UNLOCK
CALENDAR ACCESS=ADD,DELETE,DISPLAY,MODIFY,USE,LIST,UNLOCK
REPORT ACCESS=DISPLAY
EVENTRULE ACCESS=ADD,DELETE,DISPLAY,MODIFY,LIST,UNLOCK
ACTION ACCESS=DISPLAY,SUBMIT,USE,LIST
EVENT ACCESS=USE
VARTABLE ACCESS=ADD,DELETE,DISPLAY,MODIFY,USE,LIST,UNLOCK
WKLDAPPL ACCESS=ADD,DELETE,DISPLAY,MODIFY,LIST,UNLOCK
RUNCYGRP ACCESS=ADD,DELETE,DISPLAY,MODIFY,USE,LIST,UNLOCK
LOB ACCESS=USE
END
SECURITYROLE SECROLE2
DESCRIPTION "Sample Security Role"
SCHEDULE ACCESS=ADD,ADDDEP,ALTPRI,CANCEL,DELDEP,DELETE,
DISPLAY,LIMIT,MODIFY,
RELEASE
RESOURCE ACCESS=ADD,DELETE,DISPLAY,MODIFY,RESOURCE,USE,LIST,UNLOCK
PROMPT ACCESS=ADD,DELETE,DISPLAY,MODIFY,REPLY,USE,LIST,UNLOCK
END
The following example defines security role APP_ADMIN for the user APP1_ADMIN and assigns administrator permissions on the folder hierarchy /PRD/APP1/, so that the APP1_ADMIN user can create access control lists to give other users access to the objects in this folder or its sub-folders:
- Security role definition
-
SECURITYROLE APP_ADMIN
DESCRIPTION "Security Role"
JOB ACCESS=ADD,MODIFY,SUBMITDB,USE,ADDDEP,RUN,RELEASE,REPLY,DELETE,DISPLAY,
CANCEL,SUBMIT,CONFIRM,RERUN,LIST,DELDEP,KILL,UNLOCK,ALTPRI
SCHEDULE ACCESS=ADD,ADDDEP,ALTPRI,CANCEL,DELDEP,DELETE,DISPLAY,LIMIT,MODIFY,RELEASE
FOLDER ACCESS=ADD,DELETE,DISPLAY,MODIFY,USE,LIST,UNLOCK,ACL
END
- Security file
-
USER APP_ADMINofAPP1
CPU=@+LOGON="APP_ADMIN"
BEGIN
JOB FOLDER="/PRD/APP1/","/PRD/APP1" + CPUFOLDER = / ACCESS=ADD,ADDDEP,
ALTPRI,CANCEL,SUBMIT,
CONFIRM,RERUN,LIST,DELDEP,KILL,UNLOCK,ALTPRI
SCHEDULE FOLDER="/PRD/APP1/","/PRD/APP1" + CPUFOLDER = / ACCESS=ADD,ADDDEP,
ALTPRI,CANCEL,DELDEP,
DELETE,DISPLAY,LIMIT,MODIFY,RELEASE
FOLDER NAME="/PRD/APP1/","/PRD/APP1" ACCESS=ADD,DELETE,DISPLAY,MODIFY,USE,
LIST,UNLOCK,ACL
END