...
Some roles have permissions for specific functions that can be assigned individually. For example, a user that has been assigned the ops_agent_cluster_admin role has permission to perform all functions associated with Agent Clusters. A user that has not been assigned the ops_agent_cluster_admin role still can be given permission to perform individual functions associated with Agent Clusters via the Agent Cluster Permissions.
Conversely, since there is no role associated with Agents, a user must be assigned specific Agent Permissions to perform functions associated with Agents.
Note: The ops_admin role assigns a user permission to perform all functions.
...
Each role is a predefined collection of administrative functions (see Description of Roles, below). By assigning a role to a user or group, you automatically give that user or group all functions associated with that role.
Note: You cannot add new roles to the Controller; you must assign administrative functions to groups or users using the predefined roles.
...
To assign roles to a user or group:
Step 1 | Open a User or Group record. |
---|---|
Step 2 | For a User, click the User Roles tab. A list of Roles assigned to the User displays. |
Step 3 | Click Edit. An Edit Members pop-up displays that allows you to assign Roles to the User / Group. |
Step 4 | To filter the Users/Groups listed in the Collection window, enter characters in the text field above the Name column. Only Users/Groups containing that sequence of characters will display in the list. |
Step 5 | To assign a Role to the User / Group, move the Role from the Collection window to the Roles window. To unassign a Role from the User / Group, move the Role from the Roles window to the Collection window. |
Step 6 | Click Save. |
...
Role Name | Available Functions | Contains Roles |
---|---|---|
 | All functions; this is the Universal Controller administrator role. The easiest way to assign full permissions to a user is to add the user to the Administrator Group, which by default is assigned the ops_admin role. | The ops_admin role contains all other roles. |
 | Create, read, update, and delete Agent Clusters. | |
 | Read all Audits. | |
 | (Also see Bundle Permissions and Promotion Target Permissions, below.) | |
 | Create, update, and delete Dashboards with Everyone visibility; updating includes updating Dashboard visibility. | |
 | Create, update, and delete Dashboards that are visible for a group in which this user is a member; updating includes updating Dashboard visibility. | |
 | Create, update, delete Database Connections. | |
 | Create, read, update, delete Email Connections. | |
 | Create Filters with Everyone visibility. | |
 | Create Filters that belong to a group of which this user is a member. | |
 | Read Forecast Calendar, Forecasts List, and Forecast Details. | |
 | Modify the JCL contents and update it. | |
 | Submit the JCL view request to the agent and view the contents of it. | |
 | Read and update LDAP Settings. | |
 | Create, update, and delete OMS Servers. | |
 | Create, read, update, and delete PeopleSoft Connections. | |
 | Accept bundles being promoted to a target server. (The Accept Bundle command is executed on the target server automatically as part of the Promote and Promote Bundle commands and does not involve user interaction.) | |
 | Read, update, and delete Universal Controller system properties and Password Settings. | |
 | The Strict Report Create Constraints Universal Controller system property specifies whether or not to restrict report creation only to users with the ops_admin, ops_report_admin, ops_report_group, or ops_report_global role. | |
 | Create global reports. | |
 | Create reports that belong to a group to which this user is a member. | |
 | Publish reports. (This role was applicable only to the Controller 5.x release.) | |
 | Restore old versions of records. | |
 | Create, read, update, and delete SAP Connections. | |
 | Run Server Operations. | |
 | Create, read, update, and delete SNMP Managers, to which the Controller sends SNMP notifications. | |
 | Read and update Single Sign-On Settings. | |
 | Create, read, update, and delete Universal Event Templates. | |
 | Read Universal Event Templates. | |
 | Create, read, update, and delete Universal Templates (including Universal Template Event Templates). | |
 | Read Universal Templates (including Universal Template Event Templates). | |
 | Create, read, update, and delete users and groups. | |
 | Allows an authenticated user to impersonate another user by using the X-Impersonate-User HTTP header on a Web Service request. | |
ops_webhook_admin | | |
ops_webhook_view | Read Webhooks. | |
 | Create, update, and delete Widgets. | |
...
You can further narrow down which records each permission applies to by specifying either name parameters or Business Services. For example, a given permission might apply only to tasks whose name begins with "SF," or a permission might apply only to tasks that have been assigned to a specific Business Service or to tasks that do not belong to any Business Services. See General Permissions Field Descriptions, below, for more details.
To add permissions to a user or group:
Step 1 | Open a User or Group record. |
---|---|
Step 2 | Click the Permissions tab. A list of permissions assigned to the User / Group displays. |
Step 3 | Click New. The Permissions Details pop-up displays. |
Step 4 | Select permissions for the selected user or group. |
...
The following fields of information and buttons display in the Permissions Details for all types of permissions:
Field Name | Description |
---|---|
Details | This section contains detailed information about the permission. |
 | Applies this permission to records whose name matches the string specified here. Wildcards are supported. |
 | Applies this permission both to records that belong to any Business Service and to records that do not belong to any Business Service. |
 | Applies this permission to records that do not belong to any Business Service. If this option is enabled, the user / user group will have the defined permissions on all records that do not belong to any Business Service. |
 | Applies this permission to records that are members of the selected Business Service(s). Click the lock icon to unlock the field and select Business Services. |
Metadata | This section contains Metadata information about this record. |
UUID | Universally Unique Identifier of this record. |
Updated By | Name of the user that last updated this record. |
Updated | Date and time that this record was last updated. |
Created By | Name of the user that created this record. |
Created | Date and time that this record was created. |
Buttons | This section identifies the buttons displayed above and below the Permissions Details that let you perform various actions. |
Save | Saves a new record in the Controller database. |
Save & New | Saves a new record in the Controller database and redisplays empty Details so that you can create another new record. |
Update | |
Delete | |
Refresh | Refreshes any dynamic data displayed in the Details. |
Close | For pop-up view only; closes the pop-up view of this record. |
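The scoping rules in the table above (a name match combined with one of three Business Service options) can be modelled for a least-privilege review of exported grants. This is an added example, not Controller code: the scope labels and the `Permission` class are hypothetical, and the wildcard semantics (case-sensitive shell-style `*` and `?`) are an assumption.

```python
from dataclasses import dataclass
from fnmatch import fnmatchcase

# Hypothetical labels for the three Business Service options in the table above.
ANY_OR_NONE = "any_or_none"  # member of any Business Service, or of none
NONE_ONLY = "none_only"      # records that belong to no Business Service
SELECTED = "selected"        # members of the selected Business Service(s)

@dataclass(frozen=True)
class Permission:
    ops: frozenset                     # e.g. frozenset({"Read", "Update"})
    name_pattern: str = "*"            # assumption: shell-style * and ? wildcards
    scope: str = ANY_OR_NONE
    services: frozenset = frozenset()  # consulted only when scope == SELECTED

def in_scope(perm, name, record_services):
    """A record is covered only if BOTH the name and the service scope match."""
    if not fnmatchcase(name, perm.name_pattern):
        return False
    if perm.scope == ANY_OR_NONE:
        return True
    if perm.scope == NONE_ONLY:
        return not record_services
    if perm.scope == SELECTED:
        return bool(perm.services & set(record_services))
    raise ValueError(f"unknown scope: {perm.scope!r}")

def allowed(perms, op, name, record_services=()):
    """True if any permission grants `op` on the record."""
    return any(op in p.ops and in_scope(p, name, record_services) for p in perms)

def overbroad(perms):
    """Least-privilege review: grants that cover every record of the type."""
    return [p for p in perms
            if set(p.name_pattern) == {"*"} and p.scope == ANY_OR_NONE]

# Constructed sample grants for one user (not taken from a real Controller).
SAMPLE = [
    Permission(frozenset({"Read", "Update"}), "SF*", SELECTED, frozenset({"Finance"})),
    Permission(frozenset({"Read"}), "*", NONE_ONLY),
    Permission(frozenset({"Delete"}), "*"),
]

if __name__ == "__main__":
    print(allowed(SAMPLE, "Update", "SF_daily_load", ["Finance"]))
    print(allowed(SAMPLE, "Update", "SF_daily_load", ["HR"]))
    print([sorted(p.ops) for p in overbroad(SAMPLE)])
```

The third sample grant is the kind worth flagging in a review: a Delete permission with an unrestricted name and no Business Service restriction.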
...
Options | Description |
---|---|
Read | Grants permission to read an Agent definition. |
Update | Grants permission to update an Agent definition. (Only certain fields can be updated.) |
Delete | Grants permission to delete an Agent. |
Execute | Grants permission to execute a task on an Agent. |
Commands | |
...
(You also can assign Agent Cluster Permissions to a user by assigning the ops_agent_cluster_admin role to the user.)
Options | Description |
---|---|
Create | Grants permission to create a new Agent Cluster. |
Read | Grants permission to read an Agent Cluster definition. |
Update | Grants permission to update an Agent Cluster definition. (Only certain fields can be updated.) |
Delete | Grants permission to delete an Agent Cluster. |
Commands | |
...
(You also can assign Bundle Permissions to a user by assigning the ops_bundle_admin role to the user.)
Options | Description |
---|---|
Create | Grants permission to create a Bundle matching both the specified name wildcard and business service membership, including the use of the Create Bundle By Date and Create Bundle By Business Service commands. |
Read | Grants permission to read a Bundle matching both the specified name wildcard and business service membership. |
Update | Grants permission to update a Bundle matching both the specified name wildcard and business service membership, including the use of the Add To Bundle command. |
Delete | Grants permission to delete a Bundle matching both the specified name wildcard and business service membership. |
Commands |
For the ALL or Promote Bundle command:
|
...
Options | Description |
---|---|
Create | Grants permission to create a new Calendar. |
Read | Grants permission to read a Calendar. |
Update | Grants permission to update a Calendar. |
Delete | Grants permission to delete a Calendar. |
Commands |
|
...
Options | Description |
---|---|
Create | Grants permission to create a new Credential. |
Read | Grants permission to read a Credential. |
Update | Grants permission to update a Credential. |
Delete | Grants permission to delete a Credential. |
Execute | Grants permission to execute a task that requires a Credential. |
Commands | N/A |
...
(You also can assign Database Connection Permissions to a user by assigning the ops_dba role to the user.)
Options | Description |
---|---|
Create | Grants permission to create a new Database Connection. |
Read | Grants permission to read a Database Connection. |
Update | Grants permission to update a Database Connection. |
Delete | Grants permission to delete a Database Connection. |
Execute | Grants permission to execute a task that requires a Database Connection. (Displays only if the Strict Connection Execute Constraints Universal Controller system property is true.) |
Commands |
|
...
(You also can assign Email Connection Permissions to a user by assigning the ops_email_admin role to the user.)
Options | Description |
---|---|
Create | Grants permission to create a new Email Connection. |
Read | Grants permission to read an Email Connection. |
Update | Grants permission to update an Email Connection. |
Delete | Grants permission to delete an Email Connection. |
Execute | Grants permission to execute a task that requires an Email Connection. (Displays only if the Strict Connection Execute Constraints Universal Controller system property is true.) |
Commands |
|
...
Options | Description |
---|---|
Create | Grants permission to create a new Email Template. |
Read | Grants permission to read an Email Template. |
Update | Grants permission to update an Email Template. |
Delete | Grants permission to delete an Email Template. |
Commands |
|
...
(You also can assign OMS Server Permissions to a user by assigning the ops_oms_admin role to the user.)
Options | Description |
---|---|
Create | Grants permission to create a new OMS Server. |
Read | Grants permission to read an OMS Server. |
Update | Grants permission to update an OMS Server. |
Delete | Grants permission to delete an OMS Server. |
Commands |
|
...
(You also can assign PeopleSoft Connection Permissions to a user by assigning the ops_peoplesoft_admin role to the user.)
Options | Description |
---|---|
Create | Grants permission to create a new PeopleSoft Connection. |
Read | Grants permission to read a PeopleSoft Connection. |
Update | Grants permission to update a PeopleSoft Connection. |
Delete | Grants permission to delete a PeopleSoft Connection. |
Execute | Grants permission to execute a task that requires a PeopleSoft Connection. (Displays only if the Strict Connection Execute Constraints Universal Controller system property is true.) |
Commands |
|
...
(You also can assign Promotion Target Permissions to a user by assigning the ops_promotion_admin role to the user.)
Options | Description |
---|---|
Create | Grants permission to create a Promotion Target matching both the specified name wildcard and business service membership. |
Read | Grants permission to read a Promotion Target matching both the specified name wildcard and business service membership. |
Update | Grants permission to update a Promotion Target matching both the specified name wildcard and business service membership. |
Delete | Grants permission to delete a Promotion Target matching both the specified name wildcard and business service membership. |
Execute | Grants permission to promote a Bundle using a Promotion Target matching both the specified name wildcard and business service membership, assuming the user has both Read permission and Promote Bundle command permission for the Bundle. |
Commands |
|
...
(You also can assign SAP Connection Permissions to a user by assigning the ops_sap_admin role to the user.)
Options | Description |
---|---|
Create | Grants permission to create a new SAP Connection. |
Read | Grants permission to read an SAP Connection. |
Update | Grants permission to update an SAP Connection. |
Delete | Grants permission to delete an SAP Connection. |
Execute | Grants permission to execute a task that requires an SAP Connection. (Displays only if the Strict Connection Execute Constraints Universal Controller system property is true.) |
Commands |
|
...
(You also can assign SNMP Manager Permissions to a user by assigning the ops_snmp_admin role to the user.)
Options | Description |
---|---|
Create | Grants permission to create a new SNMP Manager. |
Read | Grants permission to read an SNMP Manager. |
Update | Grants permission to update an SNMP Manager. |
Delete | Grants permission to delete an SNMP Manager. |
Execute | Grants permission to execute a task that requires an SNMP Manager. (Displays only if the Strict Connection Execute Constraints Universal Controller system property is true.) |
Commands |
|
...
Options | Description |
---|---|
Create | Grants permission to publish or push Universal Events. |
Read | Grants permission to monitor Universal Events. |
Commands | -- None -- |
...
By default, enhanced global variable security is enabled; the Variable Security Enabled Universal Controller system property is set to true.
This controls global variable access in the following ways:
- Users with the ops_admin role have full access to all global variables.
- Users with the ops_promotion_admin role have Read access to all global variables.
- Create, Read, Update, and Delete permissions must be assigned to users explicitly if those permissions are not granted through the ops_admin or ops_promotion_admin role.
- Only those global variables for which a user has Read permission will be visible from the Variables list.
- Only those global variables for which the Execution User of a task instance has Read permission will be available within the variable scope of a task instance.
- A Set Variable action for a global variable will require appropriate global variable Create or Update permission.
- CLI and Web Services APIs will require appropriate global variable permissions depending on whether the command will Read, Create, or Update a global variable.
- The Create Bundle By Date command will only add a global variable to the bundle if the:
  - Global variable qualifies for the specified date.
  - User invoking the command has Read permission for that global variable.
All defined Variable permissions will be enforced unless enhanced global variable security has been disabled by setting Variable Security Enabled to false. Disabling it allows all global variables to be managed and used by any valid Universal Controller user.
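Before setting Variable Security Enabled to false, it helps to see which users gain which operations. The following added example (not Controller code) models the rules listed above; the user dictionaries, variable names, and the shell-style wildcard matching of explicit permissions are assumptions made for illustration.

```python
from fnmatch import fnmatchcase

OPS = ("Create", "Read", "Update", "Delete")

def variable_ops(user, var_name, security_enabled=True):
    """Operations `user` may perform on the global variable `var_name`."""
    if not security_enabled:
        return set(OPS)  # any valid Controller user manages every variable
    if "ops_admin" in user["roles"]:
        return set(OPS)  # full access to all global variables
    granted = set()
    if "ops_promotion_admin" in user["roles"]:
        granted.add("Read")  # Read access to all global variables
    # Everything else must come from explicitly assigned Variable permissions.
    for pattern, ops in user["variable_permissions"]:
        if fnmatchcase(var_name, pattern):
            granted |= set(ops) & set(OPS)
    return granted

def visible_variables(user, variables, security_enabled=True):
    """Variables shown in the list (and usable by this Execution User): Read only."""
    return [v for v in variables
            if "Read" in variable_ops(user, v, security_enabled)]

def exposure_if_disabled(users, variables):
    """(user, variable, newly gained ops) if security were set to false."""
    gained = []
    for user in users:
        for var in variables:
            extra = variable_ops(user, var, False) - variable_ops(user, var, True)
            if extra:
                gained.append((user["name"], var, sorted(extra)))
    return gained

# Constructed sample data (hypothetical users and variable names).
ALICE = {"name": "alice", "roles": {"ops_admin"}, "variable_permissions": []}
BOB = {"name": "bob", "roles": {"ops_promotion_admin"}, "variable_permissions": []}
CAROL = {"name": "carol", "roles": set(),
         "variable_permissions": [("db_*", ["Read", "Update"])]}
DAVE = {"name": "dave", "roles": set(), "variable_permissions": []}
VARIABLES = ["db_password", "api_key"]

if __name__ == "__main__":
    for row in exposure_if_disabled([ALICE, BOB, CAROL, DAVE], VARIABLES):
        print(row)
```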
...
Options | Description |
---|---|
Create | Grants permission to create a virtual resource. |
Read | Grants permission to read a virtual resource. |
Update | Grants permission to update a virtual resource. |
Delete | Grants permission to delete a virtual resource. |
Execute | Grants permission to execute a virtual resource. |
Commands |
|
...
By default, enhanced virtual resource security is enabled; the Virtual Resource Security Enabled Universal Controller system property is set to true.
...
- All users will have Read access to virtual resources.
- Users with the ops_admin role will have full access to all virtual resources.
- Create, Update, Delete, and Execution permissions must be explicitly assigned to users if those permissions are not granted through the ops_promotion_admin role.
- Only those virtual resources for which the Execution User of the task instance has Execute permission can be requested by the task instance. Any virtual resource requested by task instances with an Execution User that does not have Execute permission for that virtual resource will result in the task instance going into Start Failure status, with status description Execution for virtual resource "resource-name" prohibited due to security constraints.
- Set Virtual Resource Limit System Operation actions will require appropriate virtual resource Update permission.
- CLI and Web Services APIs will require appropriate virtual resource permissions: Updating a virtual resource limit through the CLI and Web Services APIs will require virtual resource Update permission.
All defined Virtual Resource permissions will be enforced unless enhanced virtual resource security has been disabled by setting Virtual Resource Security Enabled to false. Disabling it allows all virtual resources to be managed and used by any valid Universal Controller user.
...
The Controller lets you export user groups and their permissions, which then can be imported into another Controller system. Only the permissions listed under the Permissions tab for each group will be exported.
Step 1 | From the Administration navigation pane, select Security > Groups. The Groups list displays. |
---|---|
Step 2 | As desired, filter the list to select the group(s) whose permissions you want to export. When you perform the export, all groups matching the filter will be exported. |
Step 3 | Access the Action menu and select Export > Permissions For Group. |
...
To export or import the Permissions For Group XML, you must have the ops_admin role or the ops_imex and ops_user_admin roles.
If the groups do not exist on the import system, they (and their Permissions) will be created there.
...