Automic Workload Automation

Hello All, 

I need to create a new user who will be able to trigger a single worklfow. Is it possible to assign privileges to account to allow trigger only a single workflow or at least allow access to single directly ? 

Can You help me on this ? 

Regards, Krystian

Hi,

Can you tell us the scheduler or manager you are referring to?

Is this dSeries or AutoSys?

Thank you,

Nitin Pande

CA Technologies

hi, Sorry. I'm not sure what dSeries or AutoSys means. My question is related to the Automic UC4 scheduler tool. 

Regards, Krystian

If your question is concerning CAWA DE scheduler, and so by the 'workflows' you meant the DE events, then there are two permission types - the EVENT and the EVENTX, which could be set for either all events or a group of events by using wild characters, and for a particular event by specifying its literal name.

These permissions, being assigned to either a user and/or a group, would regulate the events triggering.

Hi Krystian,

do you currently use a permission system ?

If not you can put all executable objects on the NOT list and only the one JOBF to the allow list.

and you should specify the Workflow as allowed.

cheers, Wolfgang

Two small remarks to the fine answer by Wolfgang:

• "not" permissions still (afaik) have issues in Automic V12, so I would avoid them. But since the default is "no permissions", if you have a user that has permissions only to the explicitly named things he shall execute (i.e. that workflow and the included items, see below), then this achives the same thing.
• Again afaik, the user needs execute permissions to the workflow AND the included objects. So you have to make multiple rules and give execute rights to the explicitly and unambigously named workflow, plus the contained objects.

Hth,

Hi Wolfgang, Thanks for Your response. 

I'm not sure if our environment is setup to permission system. How can I detect this ? Can You advise ? 

Until now I can edit dedicated user account and see the following tabs (Header, User, Authorizations, Privileges, UserGroups and Documentation). We are having a few groups that users are assigned with different privileges. I don't see the options here from User perspective or Group perspective that I can assign someone to have ability to modifiy only a single workflow. 

Can You give more info how to achieve this ? 

Regards, Krystian

I'm not sure if our environment is setup to permission system. How can I detect this ? Can You advise ?

I believe what Wolfgang was saying is not so much "do you have the permission system on or off", but "do you make structured use of the existing permission system at this time"

You can, afaik, not not use use the permission system in the Automic AE/UC4 server in terms of totally disabling it, and there are no alternative mechanisms that would replace the permission system. You can, however, chose to not use fine grained permissions and give everyone permissions to everything in the existing permission system. It's not wise, but one could.

In so far I believe Wolfgang was asking whether you're already in a good position to use the permission system as a means to solving your issue, by having a fine-grained permission structure in place.

None of this changes the nature of the answer though, it'll just be more or less effort to implement depending on how your current setup of the permissions within the permission system are arranged.

Hth.

Hi

Thanks, Carsten, you know what I mean :-)

Sorry for being to fuzzy in my answer....

Yeah if you do not make use of permissions and naming concept at the moment its a bit tricky but should be no problem.

A good start is reding the documentation starting here: Automic 

The most basics: you must assign rights for the folder and the objects in it seperately

NOT overrrules all others

you must assign rights for all contained objects of the workflow

I would suggest creating a test Workflow with 2 testjobs and playing a bit with the credentials with a test user.

Plan B: If yo user should only be able to start one dedicated workflow, you could install a CALL API (WIN ode Linux) that starts this workflow. Using this method the user does not need to login to AWI or JAVAui but simply doubeclicks on an icon on his (WIN) desktop.

cheers, Wolfgang

hi Wolfgang, 

I tried setup access to single workflow but it is a quite complex. I haven't achieved a good solution for this.

I'd like to create a CALL API for Windows to user to double click on icon on his desktop. Can You give more info how to achieve this ? 

Regards, Krystian

I have one customer that can log on and can only execute a single job.  To do this with the user security system I did the following;

1. Attached the user to the USER_GROUP that provides read-only access to the system.

2. Also attached the user to the USER_GROUP that provides submit rights to the desired workflow.

Setting up the second user group was a trial-and-error process for me. It wound up needing these 5 grants;

1. HOSTG <name> - to authorize him to run things on the desired agent group.

2. JOBI "*' - to authorize him to execute includes

3. JOBS <name> - to authorize him to execute the job in question

4. PRPT <name> - to authorize him to execute the attached promptsets

5. QUEUE <name> - to authorize him to run objects in the target queue

Hi Pete

Could you please send me screenshots of how you setup the security, if its feasible. I am trying to achieve this for a workflow which has multiple workflows and jobs in it . Very much appreciated.

Thanks

Shravani

This is the custom set of grants I spoke of.  I've never done this for a workflow, only for this one job called "CLEARDBCACHE" that I needed to allow our DBA staff to execute;

Even if you don't use any includes (JOBI) in your scripts, I believe you still need a JOBI grant because Automic executes client-0000 includes as part of its framework processes.

Thank you so much!. I will test by changing my settings.