Assigning and Unassigning Trigger Execution Users

Overview

The Execution User of a task instance determines the security context under which the task instance runs.

How the task (from which the task instance was derived) is launched or triggered determines the Execution User:

  • If a task is launched manually, via the Launch command, the Execution User of the task instance is the user who issued the Launch command.
  • If a task is triggered when an Enabled trigger fires at its Next Scheduled Time, the trigger will launch the task under the context of the user that enabled the trigger (the Enabled By user), or, if the Execution User is assigned on the trigger - via the Assign Execution User... command - the trigger will launch the task under the context of the trigger's Execution User.
     

Note

If a user is referenced by an Enabled trigger in the Enabled By field of the trigger, you can delete that user if the trigger is assigned a different Execution User.

If you attempt to unassign an Execution User from an Enabled trigger, and the Enabled By field of the trigger references an invalid user (see above), the command will fail with the following error:

      Enabled By user "<user-name>" is no longer a valid username; you must disable the trigger prior to unassigning the execution user.

Determining Minimum Permissions for Assigned Execution User

When a trigger is assigned an Execution User, that Execution User becomes the user (or security context) under which all task instances launched by the Trigger run.

There are a number of Universal Controller definitions that require run-time security constraint validation, as shown in the following table. Understanding which of these definitions your task instances have a dependency on will help in determining the minimum permissions required for the Execution User; without these permissions, the task instances will transition into a Start Failure.

For tasks launched by a trigger, or tasks contained in a Workflow launched by a trigger, the following requirements apply:
 

Tasks needing to read a Global Variable

Execution User requires Read permission for that Global Variable.

Tasks requiring a Connection

Execution User requires Execute permission for that required Connection (Email Connection, Database Connection, SAP Connection, PeopleSoft Connection, SNMP Manager).

Tasks requiring a Credential

Execution User requires Execute permission for that Credential. (References to Credentials can exist for both non agent-based and agent-based task types. Furthermore, agents can specify default Credentials, even if the Credentials are not directly defined on the task.)

Tasks requiring an Email Template

Execution User requires Read permission for that Email Template.

Tasks requiring a Virtual Resource

Execution User requires Execute permission for that Virtual Resource.

Tasks running a Script

Execution User requires Execute permission for that Script.

Tasks running on an Agent

Execution User requires Execute permission for that Agent.

Assigning an Execution User to One or More Triggers

To assign an Execution User to a trigger, you must have the Assign Execution User Trigger permission.

Additionally, users that do not have the ops_admin role must provide Execution User login credentials (User ID and Password) in order to assign the Execution User to the trigger.

You can assign an execution user to:

Assigning an Execution User to a Single Trigger 

Step 1

Open the trigger.

Step 2

Right-click the trigger Details and, in the Action menu that displays, click Assign Execution User.... An Assign Execution User dialog displays.
 

Users with ops_admin Role

 

 

Users without ops_admin Role

 

Step 3

Enter the user ID of the user that you want to assign as the Execution User for the task instances to be launched by this trigger. If you do not have the ops_admin Role, also enter the Password of the user.

Step 4

Click Submit. The Execution User field displays in the General Information section of the trigger Details, identifying the user you selected in the Assign Execution User dialog.

Assigning an Execution User to Multiple Triggers

Step 1

Display the triggers list from which you want to assign an execution user to multiple triggers.

Step 2Ctrl+click the triggers that you want to assign an execution user.

Step 3

Right-click any of the selected triggers and, in the Action menu that displays, click Assign Execution User.... An Assign Execution User dialog displays.
 

Users with ops_admin Role

 

 

Users without ops_admin Role

 

Step 4

Enter the user ID of the user that you want to assign as the Execution User for the task instances to be launched by these triggers. If you do not have the ops_admin Role, also enter the Password of the user.

Step 5

Click Submit. The Execution User field displays in the General Information section of each trigger Details, identifying the user you selected in the Assign Execution User dialog.

Unassigning an Execution User

To unassign an Execution User from a trigger, you must have the Assign Execution User Trigger permission.
 

Step 1

Open the trigger. The Execution User field should display in the General Information section of the trigger Details, identifying the currently defined Execution User for this trigger.

Step 2

Right-click the trigger Details and, in the Action menu that displays, click Unassign Execution User.... The Execution User identified in the Execution User field is unassigned as the Execution User for this trigger, and the Execution User field is removed from the trigger Details.