Automic Workload Automation

Hi.

A fresh UC4 installation seemingly requires permissions to (what I presume are built-in) basic objects, mostly Includes. Otherwise users can't even do basic things despite having Privileges and other object rights. These permissons were, at least to my knowledge, not shipped as a loadable database file. Stuff like:

JOBI Header.*
JOBI Restart.*
JOBI REGISTER.OUTPUTFILE.UNIX
JOBI REGISTER.OUTPUTFILE.WINDOWS
and various Object Types with names starting with "XC_".

I can only assume that these rules were initially supplied to us by a consultant.

Does anyone know where one can find a comprehensive list of these, by AE version? I could not find anything thus far.

I ask especially because we transfered our well-known list of "special permissions" into a new AE V12 installation, and while the Java client worked fine, the web client did not. We then discovered by scouring Java exceptions a new variable called "UC_CUSTOM_ATTRIBUTES" (which only exists in Client 0). All users need read access to this variable in V12 for the web client to work, otherwise no tabs such as "Process Assembly" will be shown despite the privileges being granted.

With the discovery of such stuff which does not seem to be in the installation guide either, I really wonder what else we might be missing. Anyone got a list of these essential permissions?

Best,
Carsten

 

And it goes on:

The Java Client for V12 will happily display all the tabs for a UNIX job without the user having extra rights to UC_SHELLS_UNIX.

The AWI web client, on the other hand, requires the logged in user to have explicit reading rights to a variable called "UC_SHELLS_UNIX". Otherwise, not only will the UNIX tab not be displayed, but a broken tab with a really broken name will be displayed instead.

This is new, the web client seems to enforce new things that the Java client did not.

Just a quick Info regarding your Objects and permissions:

JOBI Header.*
JOBI Restart.*
are default objects in Client 0 (for every OS)

JOBI REGISTER.OUTPUTFILE.UNIX
JOBI REGISTER.OUTPUTFILE.WINDOWS
must be something tailormade, thats are no default objects

XC_* Credentials are necessary for performing some kinds of pre- and postconditions (as far as I remember)

There is one hint in community regarding this (in German) that could help
https://community.automic.com/discussion/7410/workflow-bleibt-auf-aktiv-stehen-im-ecc

and here in documentation - but I assume you know thsi section....
https://docs.automic.com/documentation/WEBHELP/English/AWA/11.2/AE/11.2/All%20Guides/help.htm#ucabes.htm?Highlight=XC_

hope this helps a bit...

Hi Wolfgang,

thanks for the info and the link - in fact I didn't know about that particular paragraph. I had searched the installation guide and some of the manual, but had not found that part.

And if someone from Automic is reading this:

While this does help, i'd still like to see a full list from Automic, which is all the more needed with the seemingly stronger enforcement in "AWI". For instance, if we were to upgrade our "real" systems at present time instead of just toying with a dev system, we'd have missed a bunch of things (such as UC_SHELLS_UNIX and who knows what else).

Thanks again,
Carsten

You 're welcome :-)

This is quite interesting, and I believe an incident to support should be opened, as this could be a bug.

I tried searching some of the bug fixes, but could not find anything.
What I found was a similar incident (INC00130021), but related to ARA. In this one, the user can access some Statistics in the Java GUI, but not on the browser.

There are usually 2 ways to define the authorizations:

• First allowing all and then restricting what's not needed

          1        VARA * Read, Write, ...
          NOT VARA UC_*SETTINGS Read, Write, ...

• Only allowing what's needed.

          1        VARA MYVAR_* Read, Write, ...

So, in the first case there would be no apparent error, because of the generic rule first.

Hi Roney,

> and I believe an incident to support should be opened

I'll allow a little more time for others to possibly comment, and unless something to the contrary turns up, I'll report this to Automic Support over the "official" channels :)

To whom it may concern:

I opened an incident for UC_CUSTOM_ATTRIBUTES and UC_SHELLS_UNIX.

Both issues are apparently known to Automic and are scheduled to be fixed in version 12.0.2 (end of may) and 12.1 (end of june). It's not clear to me from the response which issue will be addressed in which release or how they will be addressed, but by 12.1 both _should_ be.

Great! Good to know!

In addition to Carsten_Schmitz_7883 findings, I did some more tests.

I've turned SECURITY_AUDIT_FAILURE for object access and logged in with a User with a few Privileges (Dashboards, Process Monitoring, Service Catalog) that would be useful for monitoring the system in AWI.

I did a summary below.

• Access to Variables:

Vara UC_CUSTOM_ATTRIBUTES R ->  As pointed by Carsten, without this, the User is not able to see and select the perspective buttons on the top of the page. (Will be fixed on newer versions)

Vara UC_CLIENT_SETTINGS R -> I could not notice any problems when the User didn't have this authorization, but the error message showed up when the User logs in.

Vara UC_SYSTEM_SETTINGS R -> This also appeared on the audit messages, while the User logs into AWI, but I'm not sure what's the effect on not having this permission.

5/10/2017 14:12:49          U00004519 Access violation details: Used filter: 'VARA/UC_SYSTEM_SETTINGS//////' .
5/10/2017 14:12:49          U00004506 Access violation: User: 'AUTO.USER/TEST' Object: 'UC_SYSTEM_SETTINGS' Access: 'R' Reason: No right found in authorization group '1'.

• Needed for execution of an example Windows Job:

Jobi HEADER.* X
Jobi TRAILER.* X
Jobi ATTRDIA.* X
Jobi RESTART.* X

Documented:

"...execute certain predefined Automic objects..."
Jobi XC_* R
Prpt XC_* R
Vara XC_* R

• When trying to load the available Catalog in the Service Catalog perspective:

User [YourOwnUser] R -> This is kind of tricky. Apparently, if I open the Catalogs with USER_A, it needs to read which User Groups are assigned to its own USER_A, and then, based on these User Groups, it will be able to read the links to the Objects you can see on your screen.

• Another error returned upon login is related to the plugins:

Store UC_ECC_PLUGINS R -> In my example I have loaded the FTP RA solution, so seems that every time AWI starts it will lookup on this Store object which plugins are available to be loaded.

If there is no authorization, the User Interface for the plugins will not be loaded: 
"Rapid Automation FTP Sheet Plugin 4.0.0.hf1-build.34 (unavailable for this user)"
But, even if the status of the FTP Sheet Plugin was unavailable, I could still open the Objects. Maybe this is related to some browser or tomcat cache, but I didn't do further investigation.


Finally, not all doubts were cleared, but at least I could find a few things that I haven't noticed before.
I hope it helps! Cheers!

P.S: I haven't tested the Dashboards, but I assume you would need at least the DASH object that user will use.