Roles and Permissions

Owned by Stonebranch
Last updated: Jan 23, 2024
21 min read

Overview

Roles control user and group access to administrative functions within Universal Controller. A user or group that has been assigned a role has permission to perform any function defined for that role.

Permissions control user and group access to specific functions for specific types of Controller records.

Some roles have permissions for specific functions that can be assigned individually. For example, a user that has been assigned the ops_agent_cluster_admin role has permission to perform all functions associated with Agent Clusters. A user that has not been assigned the ops_agent_cluster_admin role still can be given permission to perform individual functions associated with Agent Clusters via the Agent Cluster Permissions.

Conversely, since there is no role associated with Agents, permissions for a user to perform functions associated with Agents must be assigned specific Agent Permissions.
 

Note

The ops_admin role assigns a user permission to perform all functions.

Assigning Roles to Users or Groups

Roles control user access to functions that include:

  • Setting up security.
  • Creating reports, filters, and gauges.
  • Creating Agent Clusters, SNMP Managers.
  • Creating Email Connections, Database Connections, PeopleSoft Connections, and SAP Connections.
  • Creating and promoting bundles of records.

Each role is a predefined collection of administrative functions (see Description of Roles, below). By assigning a role to a user or group, you automatically give that user or group all functions associated with that role.

Note

You cannot add new roles to the Controller; you must assign administrative functions to groups or users using the predefined roles.


To assign roles to a user or group:

Step 1

Open a User or Group record.

Step 2

For a User, click the User Roles tab. A list of Roles assigned to the User displays.
 

 
For a Group, click the Group Roles tab. A list of Roles assigned to the Group displays.


Step 3

Click Edit. An Edit Members pop-up displays that allows you to assign Roles to the User / Group. For example:
 

 

  • The Collection window displays all Roles that have not been assigned to this User / Group.
  • The Roles List window displays all Roles that have been assigned to this User / Group.

Step 4

To filter the Users/Groups listed in the Collection window, enter characters in the text field above the Name column. Only Users/Groups containing that sequence of characters will display in the list.

Step 5

To assign a Role to the User / Group, move the Role from the Collection window to the Roles window:

  • To move a single Role, double-click it or click it once and then click the > arrow.
  • To move multiple Roles, Ctrl-click them and then click the > arrow.
  • To move all Roles, click the >> arrow.

To unassign a Role to the User / Group, move the Role from the Roles window to the Collection window:

  • To move a single Role, double-click it or click it once and then click the < arrow.
  • To move multiple Roles, Ctrl-click them and then click the < arrow.
  • To move all Roles, click the << arrow.

Step 6

Click Save.

Description of Roles

The following table summarizes the roles available in the Controller.

Role Name

Available Functions

Contains Roles

ops_admin

All functions; this is the Universal Controller administrator role. The easiest way to assign full permissions to a user is to add the user to the Administrator Group, which by default is assigned the ops_admin role.
 

Note

The ops_admin role contains all other roles. If a user is assigned the ops_admin role, no other roles need to be assigned to that user, and unassigning any other role from the user will not revoke that role.

  • ops_agent_cluster_admin
  • ops_audit_view
  • ops_bundle_admin
  • ops_dba
  • ops_email_admin
  • ops_filter_global
  • ops_filter_group
  • ops_forecast_view
  • ops_imex
  • ops_ldap_admin
  • ops_multi_update
  • ops_oms_admin
  • ops_peoplesoft_admin
  • ops_promotion_admin
  • ops_property_admin
  • ops_report_admin
  • ops_restore_version
  • ops_sap_admin
  • ops_server_operation_admin
  • ops_service
  • ops_snmp_admin
  • ops_sso_admin
  • ops_universal_event_template_admin
  • ops_universal_template_admin
  • ops_user_admin
  • ops_webhook_admin
  • ops_widget_admin

ops_agent_cluster_admin

Create, read, update, and delete agent clusters.
 
(Also see Agent Cluster Permissions, below.)


ops_audit_view

Read all Audits

If  Audit Owner Read Permitted system property  = true, users can view their own audits without having either the ops_admin role or the ops_audit_view role.


ops_bundle_admin

(Also see Bundle Permissions and Promotion Target Permissions, below.)


ops_dashboard_global

Create, update, and delete Dashboard Details with Everyone visibility; updating includes updating Dashboard visibility.


ops_dashboard_group

Create, update, and delete Dashboard Details that are visible for a group in which this user is a member; updating includes updating Dashboard visibility.


ops_dba

Create, update, delete Database Connections.
 
(Also see Database Connection Permissions, below.)


ops_email_admin

Create, read, update, delete Email Connections.
 
(Also see Email Connection Permissions, below.)


ops_filter_global

Create Filters with Everyone visibility.


ops_filter_group

Create Filters that belong to a group of which this user is a member.


ops_forecast_view

Read Forecast Calendar, Forecasts List, and Forecast Details.
 

Note

Users also can read forecast information, without being assigned this role, if they have Read permission for the Task specified in the Forecast Details.


ops_imex

List Import/Export XML.


ops_ldap_admin

Read and update LDAP Settings.


ops_multi_update

Update multiple records.


ops_oauth_adminCreate, read, update, and delete OAuth Clients

ops_oms_admin

Create, update, and delete OMS Servers.


ops_peoplesoft_admin

Create, read, update, and delete PeopleSoft Connections.
 
(Also see PeopleSoft Connection Permissions, below.)


ops_promotion_accept_bundle

Accept bundles being promoted to a target server. (The Accept Bundle command is executed on the target server automatically as part of the Promote and Promote Bundle commands and does not involve user interaction.)


ops_promotion_admin

Note

By default, the ops_promotion_admin role also grants Read permission for any type of definition that can be added to a Bundle, given the expectation that a promotion administrator would review the content of a Bundle before promoting it. To change this default behaviour, see the Promotion Read Permission Required Universal Controller property.

 
(Also see Bundle Permissions and Promotion Target Permissions, below.)

  • ops_promotion_accept_bundle

ops_property_admin

Read, update, and delete Universal Controller system properties and Password Settings.


ops_report_admin

  • Create, read, update, and delete any report, regardless of visibility, in addition to the roles granted by the ops_widget_admin role.
  • Create, update, and delete Dashboard Details with Everyone visibility and Dashboard Details that are visible for a group in which this user is a member; updating includes updating Dashboard visibility.

The Strict Report Create Constraints Universal Controller system property specifies whether or not to restrict report creation only to users with the ops_admin, ops_report_admin, ops_report_group, or ops_report_global role.
 
The Strict Dashboard Create Constraints Universal Controller system property specifies whether or not to restrict Dashboard creation only to users with the ops_admin, ops_report_admin, ops_dashboard_group, or ops_dashboard_global role.

  • ops_dashboard_global
  • ops_dashboard_group
  • ops_report_global
  • ops_report_group
  • ops_report_publish
  • ops_widget_admin

ops_report_global

Create global reports.


ops_report_group

Create reports that belong to a group to which this user is a member.


ops_report_publish

Publish reports. (This role was applicable only to the Controller 5.x release.)


ops_restore_version

Restore old versions of records.


ops_sap_admin

Create, read, update, and delete SAP Connections.
 
(Also see SAP Connection Permissions, below.)


ops_server_operation_admin

Run Server Operations.


ops_service


ops_simulation_viewRead Simulation records.

ops_snmp_admin

Create, read, update, and delete SNMP Managers, to which the Controller sends SNMP notifications.
 
(Also see SNMP Manager Permissions, below.)


ops_sso_admin

Read and update Single Sign-On Settings.


ops_universal_event_template_admin

Create, read, update, and delete Universal Event Templates.
  • ops_universal_event_template_view

ops_universal_event_template_view

Read Universal Event Templates.

ops_universal_template_admin

Create, read, update, and delete Universal Templates (including Universal Template Event Templates).

  • ops_universal_template_view

ops_universal_template_view

Read Universal Templates (including Universal Template Event Templates).


ops_user_admin

Create, read, update, and delete users and groups.

  • ops_user_impersonate
ops_user_impersonate

Allows an authenticated user to impersonate another user by using the X-Impersonate-User HTTP header on a Web Service request.


ops_webhook_admin
  • Create, read, update, and delete Webhooks.
  • Enable, Disable, and Assign Execution User for  Webhooks.
  • ops_webhook_view
ops_webhook_viewRead Webhooks.

ops_widget_admin

Create, update, and delete Widgets.


Assigning Permissions to Users or Groups

Permissions control user access to specific types of Controller records, such as task or trigger, and the types of functions that can be performed for those record types, such as create or delete.

You can further narrow down which records each permission applies to by specifying either name parameters or Business Services. For example, a given permission might apply only to tasks whose name begins with "SF," or a permission might apply only to tasks that have been assigned to a specific Business Service or to tasks that do not belong to any Business Services. See General Permissions Field Descriptions, below, for more details.

To add permissions to a user or group:

Step 1

Open a User or Group record.

Step 2

Click the Permissions tab. A list of permissions assigned to the User / Group displays.
 
For Example:
 

 

Note

The Business Services column represents a virtual field whose value is determined by data from both the Member of Business Services field and the Member of Any Business Service or Unassigned field. If you want to apply a sort relating to the data in Business Services, you have to add either or both Member of Business Services and Member of Any Business Service or Unassigned fields as columns and apply the desired sort on either or both of them.

Step 3

Click New. The Permissions Details pop-up displays.
 

Step 4

Select permissions for the selected user or group.
 
The permissions available differ depending on the Type of permission that you select. Available permissions are Create, Read, Update, Delete, and Execute. For some record types, additional Commands are available. If the permission does not apply to the record type in the Type drop-down, the permission does not appear in the display.
 
These permissions automatically include other permissions:

  • Create permission includes Read and Update permissions.
  • Update permission includes Read permission.
  • Delete permission includes Read permission.

General Permissions Field Descriptions

The following fields of information and buttons display in the Permissions Details for all Permission types:

Field Name

Description

Details

This section contains detailed information about the permission.

Name

Applies this permission to records whose name matches the string specified here. Wildcards are supported.

Member of Any Business Service or Unassigned

Applies this permission both to records that belong to any Business Service and to records that do not belong to any Business Service.

Unassigned to Business Service

Applies this permission to records that do not belong to any Business Service. If this option is enabled, the user / user group will have the defined permissions on all records that do not belong to any Business Service.

Member of Business Services

Applies this permission to records that are members of the selected Business Service(s). Click the lock icon to unlock the field and select Business Services.

Metadata

This section contains Metadata information about this record.

UUID

Universally Unique Identifier of this record.

Updated By

Name of the user that last updated this record.

Updated

Date and time that this record was last updated.

Created By

Name of the user that created this record.

Created

Date and time that this record was created.

Buttons

This section identifies the buttons displayed above and below the Permissions Details that let you perform various actions.

Save

Saves a new record in the Controller database.

Save & New

Saves a new record in the Controller database and redisplays empty Details so that you can create another new record.

Update

Saves updates to the record.

Delete

Deletes the current record.

Refresh

Refreshes any dynamic data displayed in the Details.

Close

For pop-up view only; closes the pop-up view of this record.

Types of Permissions

This section identifies the different types of permissions that you can add to a user or group.

Agent Permissions


 

Options

Description

Read

Grants permission to read an Agent definition. 

The Read check box will be checked automatically if the Business Service Visibility Restricted Universal Controller system property is false.

Update

Grants permission to update an Agent definition. (Only certain fields can be updated.)

Delete

Grants permission to delete an Agent.

Execute

Grants permission to execute a task on an Agent.

Commands

  • ALL: Grants permission to suspend and resume Agents.
  • Resume Agent: Grants permission to resume the ability of a suspended Agent to run tasks.
  • Suspend Agent: Grants permission to suspend the ability of an Agent to run tasks.

Agent Cluster Permissions

(You also can assign Agent Cluster Permissions to a user by assigning the ops_agent_cluster_admin role to the user.)


 

Options

Description

Create

Grants permission to create a new Agent Cluster.

Read

Grants permission to read an Agent Cluster definition.
 

The Read check box will be checked automatically if the Business Service Visibility Restricted Universal Controller system property is false.

Update

Grants permission to update an Agent Cluster definition. (Only certain fields can be updated.)

Delete

Grants permission to delete an Agent Cluster.

Commands

  • ALL: Grants permission to issue any command.
  • Resume Agent Cluster: Grants permission to resume the ability of a suspended Agent Cluster to run tasks.
  • Suspend Agent Cluster: Grants permission to suspend the ability of an Agent Cluster to run tasks.
  • Resume Agent Cluster Membership: Grants permission to resume the membership of an Agent in an Agent Cluster.
  • Suspend Agent Cluster Membership: Grants permission to suspend the membership of an Agent from an Agent Cluster.
  • Resolve Agent Cluster: Grants permission to resolve the Network Alias of an Agent Cluster with a Distribution type of Network Alias.

Application Permissions


 

Options

Description

Create

Grants permission to create a new Application.

Read

Grants permission to read an Application.

Update

Grants permission to update an Application.

Delete

Grants permission to delete an Application.

Commands

See Application Control Tasks for details. Options:

  • ALL: Grants permission to execute a Start, Stop, and Query from the Application resource screen.
  • Start: Grants permission to execute a Start from the Application resource screen.
  • Stop: Grants permission to execute a Stop from the Application resource screen.
  • Query: Grants permission to execute a Query from the Application resource screen.

Bundle Permissions

(You also can assign Bundle Permissions to a user by assigning the ops_bundle_admin role to the user.)


Options

Description

Create

Grants permission to create a Bundle matching both the specified name wildcard and business service membership, including the use of the Create Bundle By Date and Create Bundle By Business Service commands.

Read

Grants permission to read a Bundle matching both the specified name wildcard and business service membership.

  • User can run a Bundle Report for a Bundle matching both the specified name wildcard and business service membership.
  • User can Read a Promotion Schedule associated with a Bundle matching both the specified name wildcard and business service membership.

Update

Grants permission to update a Bundle matching both the specified name wildcard and business service membership, including the use of the Add To Bundle command.

Delete

Grants permission to delete a Bundle matching both the specified name wildcard and business service membership.

Commands

  • ALL: Grants permission to issue any command.
  • Promote Bundle: Grants permission to promote a Bundle.

For the ALL or Promote Bundle command:

  • User can promote a Bundle matching both the specified name wildcard and business service membership, assuming the user has Read permission for the Bundle.
  • User can Cancel, Reschedule, or Delete a Promotion Schedule associated with a Bundle matching both the specified name wildcard and business service membership, assuming the user has Read permission for the Bundle.

Calendar Permissions


 

Options

Description

Create

Grants permission to create a new Calendar.

Read

Grants permission to read a Calendar.
 
The Read check box will be checked automatically if the Business Service Visibility Restricted Universal Controller system property is false.

Update

Grants permission to update a Calendar.

Delete

Grants permission to delete a Calendar.

Commands

  • ALL: Grants permission to issue any command.
  • Copy Calendar: Grants permission to copy a Calendar.

Credential Permissions


 

Options

Description

Create

Grants permission to create a new Credential.

Read

Grants permission to read a Credential.
 
The Read check box will be checked automatically if the Business Service Visibility Restricted Universal Controller system property is false.

Update

Grants permission to update a Credential.

Delete

Grants permission to delete a Credential.

Execute

Grants permission to execute a task that requires a Credential.

Commands

N/A

Database Connection Permissions

(You also can assign Database Connection Permissions to a user by assigning the ops_dba role to the user.)


Options

Description

Create

Grants permission to create a new Database Connection.

Read

Grants permission to read a Database Connection.
 
The Read check box will be checked automatically if the Business Service Visibility Restricted Universal Controller system property is false.

Update

Grants permission to update a Database Connection.

Delete

Grants permission to delete a Database Connection.

Execute

Grants permission to execute a task that requires a Database Connection. (Displays only if the Strict Connection Execute Constraints Universal Controller system property is true.)

Commands

  • ALL: Grants permission to issue any command.
  • Copy Database Connection: Grants permissions to copy a Database Connection.
  • Test Connection: Grants permission to test a Database Connection.

Email Connection Permissions

(You also can assign Email Connection Permissions to a user by assigning the ops_email_admin role to the user.)


Options

Description

Create

Grants permission to create a new Email Connection.

Read

Grants permission to read an Email Connection.
 
The Read check box will be checked automatically if the Business Service Visibility Restricted Universal Controller system property is false.

Update

Grants permission to update an Email Connection.

Delete

Grants permission to delete an Email Connection.

Execute

Grants permission to execute a task that requires an Email Connection. (Displays only if the Strict Connection Execute Constraints Universal Controller system property is true.)

Commands

  • ALL: Grants permission to issue any command.
  • Copy Email Connection: Grants permissions to copy an Email Connection.
  • Test Connection: Grants permission to test an Email Connection.

Email Template Permissions


Options

Description

Create

Grants permission to create a new Email Template.

Read

Grants permission to read an Email Template.
 
The Read check box will be checked automatically if the Business Service Visibility Restricted Universal Controller system property is false.

Update

Grants permission to update an Email Template.

Delete

Grants permission to delete an Email Template.

Commands

  • ALL: Grants permission to issue any command.
  • Copy Email Template: Grants permission to copy an Email Template.

OMS Server Permissions

(You also can assign OMS Server Permissions to a user by assigning the ops_oms_admin role to the user.)


Options

Description

Create

Grants permission to create a new OMS Server.

Read

Grants permission to read an OMS Server.
 
The Read check box will be checked automatically if the Business Service Visibility Restricted Universal Controller system property is false.

Update

Grants permission to update an OMS Server.

Delete

Grants permission to delete an OMS Server.

Commands

  • ALL: Grants permission to suspend and resume OMS Servers.
  • Resume: Grants permission to resume the connection of a suspended OMS Server.
  • Suspend: Grants permission to suspend the connection of an OMS Server.

PeopleSoft Connection Permissions

(You also can assign PeopleSoft Connection Permissions to a user by assigning the ops_peoplesoft_admin role to the user.)


Options

Description

Create

Grants permission to create a new PeopleSoft Connection.

Read

Grants permission to read a PeopleSoft Connection.
 
The Read check box will be checked automatically if the Business Service Visibility Restricted Universal Controller system property is false.

Update

Grants permission to update a PeopleSoft Connection.

Delete

Grants permission to delete a PeopleSoft Connection.

Execute

Grants permission to execute a task that requires a PeopleSoft Connection. (Displays only if the Strict Connection Execute Constraints Universal Controller system property is true.)

Commands

  • ALL: Grants permission to issue any command.
  • Copy PeopleSoft Connection: Grants permission to copy a PeopleSoft Connection.

Promotion Target Permissions

(You also can assign Promotion Target Permissions to a user by assigning the ops_promotion_admin role to the user.)


Options

Description

Create

Grants permission to create a Promotion Target matching both the specified name wildcard and business service membership.

Read

Grants permission to read a Promotion Target matching both the specified name wildcard and business service membership.
 
User can View Target Server Info for Promotion Target matching both the specified name wildcard and business service membership.

Update

Grants permission to update a Promotion Target matching both the specified name wildcard and business service membership.

Delete

Grants permission to delete a Promotion Target matching both the specified name wildcard and business service membership

Execute

Grants permission to promote a Bundle using a Promotion Target matching both the specified name wildcard and business service membership, assuming the user has both Read permission and Promote Bundle command permission for the Bundle.

Commands

  • ALL: Grants permission to issue any command.
  • Refresh Target Agents: Grants permission to refresh Target Agents.

SAP Connection Permissions

(You also can assign SAP Connection Permissions to a user by assigning the ops_sap_admin role to the user.)


Options

Description

Create

Grants permission to create a new SAP Connection.

Read

Grants permission to read an SAP Connection.
 
The Read check box will be checked automatically if the Business Service Visibility Restricted Universal Controller system property is false.

Update

Grants permission to update an SAP Connection.

Delete

Grants permission to delete an SAP Connection.

Execute

Grants permission to execute a task that requires an SAP Connection. (Displays only if the Strict Connection Execute Constraints Universal Controller system property is true.)

Commands

  • ALL: Grants permission to issue any command.
  • Copy SAP Connection: Grants permissions to copy an SAP Connection.

Script Permissions


 

Options

Description

Create

Grants permission to create a new Script.

Read

Grants permission to read a Script.

Update

Grants permission to update a Script.

Delete

Grants permission to delete a Script.

Execute

Grants permission to execute a Script contained by a task.

Commands

  • ALL: Grants permission to issue any command.
  • Copy Script: Grants permission to copy a Script.

SNMP Manager Permissions

(You also can assign SNMP Manager Permissions to a user by assigning the ops_snmp_admin role to the user.)


Options

Description

Create

Grants permission to create a new SNMP Manager.

Read

Grants permission to read an SNMP Manager.
 
The Read check box will be checked automatically if the Business Service Visibility Restricted Universal Controller system property is false.

Update

Grants permission to update an SNMP Manager.

Delete

Grants permission to delete an SNMP Manager.

Execute

Grants permission to execute a task that requires an SNMP Manager. (Displays only if the Strict Connection Execute Constraints Universal Controller system property is true.)

Commands

  • ALL: Grants permission to issue any command.
  • Copy SNMP Manager: Grants permissions to copy an SNMP Manager.

Task Permissions


 

Options

Description

Create

Grants permission to create a new Task.

Read

Grants permission to read a Task.

Update

Grants permission to update a Task.

Delete

Grants permission to delete a Task.

Commands

  • ALL: Grants permission to issue any command.
  • Copy Task: Grants permission to copy a Task.
  • Launch: Grants permission to launch a Task.
  • Recalculate Forecast: Grants permission to recalculate a forecast.
  • Reset Statistics: Grants permission to reset statistics, including statistics being tracked by each parent Workflow of a Task.
  • Reset z/OS Override Statistics: Grants permission to reset z/OS override statistics.
  • Set Execution Restriction: Grants permission to set an execution restriction for a task in a workflow.

Task Instance Permissions


 

Options

Description

Create

Task instances are created automatically when the task launches, so the Create permission does not appear.

Read

Grants permission to read a Task Instance

Update

Grants permission to update certain fields on a Task Instance.

Delete

Grants permission to delete a Task Instance.

Commands

For command descriptions, see Manually Running and Controlling Tasks.

  • ALL: Grants permission to issue any command.
  • Cancel: Grants permission to cancel a Task Instance.
  • Clear All Dependencies: Grants permission to clear all dependencies on a Task Instance.
  • Clear Predecessors: Grants permission to clear all predecessors on a Task Instance.
  • Clear Exclusive: Grants permission to clear all mutual exclusive dependencies from a Task Instance.
  • Clear Resources: Grants permission to clear all resource dependencies of a Task Instance.
  • Clear Time Wait/Delay: Grants permission to clear all Wait To Start and Delay On Start specifications for a Task Instance.
  • Force Finish: Grants permission to force finish a Task Instance.
  • Force Finish/Cancel: Grants permission to force finish/cancel a Task Instance.
  • Hold: Grants permission to put a Task Instance on hold.
  • Insert Task: Grants permission to insert a task on the workflow monitor of a workflow Task Instance.
  • Mark as Satisfied: Can mark a dependency as satisfied.
  • Re-run: Grants permission to re-run a Task Instance.
  • Release: Grants permission to release a Task Instance from hold.
  • Release Recursive: Grants permission to release a workflow and all its tasks from hold.
  • Retrieve Output: Grants permission to execute the Retrieve Output button.
  • Set Priority Low: Grants permission to change the priority of a task to Low.
  • Set Priority Medium: Grants permission to change the priority of a task to Medium.
  • Set Priority High: Grants permission to change the priority of a task to High.
  • Set Completed: Grants permission to set a Manual Task Instance status to completed.
  • Set Started: Grants permission to set a Manual Task Instance status to a new started time.
  • Skip: Grants permission to skip a Task Instance.
  • Unskip: Grants permission to unskip a Task Instance selected to be skipped.

Note

Universal Controller will initially check for command permission specifically for the task instance.

If no command permission is granted for the task instance, Universal Controller will check if command permission is granted for the parent workflow task instance, and then continue to check for command permission up the workflow task instance hierarchy.

Trigger Permissions


 

Options

Description

Create

Grants permission to create a Trigger.

Read

Grants permission to read a Trigger.

Update

Grants permission to update a Trigger.

Delete

Grants permission to delete a Trigger.

Commands

  • ALL: Grants permission to issue any command.
  • Assign Execution User: Grants permission to override the execution user of task instances launched by a Trigger.
  • Copy Trigger: Grants permission to copy a Trigger.
  • Disable Trigger: Grants permission to disable a Trigger.
  • Enable Trigger: Grants permission to enable a Trigger.
  • Recalculate Forecast: Grants permission to recalculate a forecast.
  • Set Skip Count: Grants permission to perform a Set Skip Count action with/without Update permission.  
  • Trigger Now: Grants permission to Trigger (launch) a task.

Universal Event Permissions

The authorization for publishing and monitoring Universal Events is separate from the Universal Event Template administration and requires the Universal Event permission.

The permission Name wildcard applies to the published Universal Event Name.

The Name of a published global Universal Event is derived from the Universal Event Template Name.

The Name of a published local Universal Event is derived from the Universal Template Name and the Universal Template Event Template Name.
    <template-name>.<event-template-name>

The permission Member of Any Business Service or Unassigned, Unassigned to Business Service, and Member of Business Services applies to the published Universal Event Member of Business Services.

For a global Universal Event published through the Web Service API, the publisher optionally specifies the Member of Business Services.

For a local Universal Event published by a Universal Task Instance Extension, the Universal Event inherits the Universal Task Instance Member of Business Services.


Options

Description

Create

Grants permission to publish or push Universal Events.

Read

Grants permission to monitor Universal Events.

Commands

-- None --

Variable Permissions


 

Options

Description

Create

Grants permission to create a Variable.

Read

Grants permission to read a Variable.

Update

Grants permission to update a Variable.

Delete

Grants permission to delete a Variable.

Commands

N/A

Enabling / Disabling Enhanced Variable Security

Important

If you have upgraded from a Controller release that did not previously support the Variable permission type, it is important that you review and assign global variable permissions to all appropriate users/groups to avoid impacting existing workload that requires the use of global variables to execute.

By default, enhanced global variable security is enabled; the Variable Security Enabled Universal Controller system property is set to true.

This controls global variable access the following ways:

  • Users with the ops_admin role have full access to all global variables.
  • Users with the ops_promotion_admin role have Read access to all global variables.
  • Create, Read, Update, and Delete permissions must be assigned to users explicitly if those permissions are not granted through the ops_admin or ops_promotion_admin role.
  • Only those global variables for which a user has Read permission will be visible from the Variables list.
  • Only those global variables for which the Execution User of a task instance has Read permission will be available within the variable scope of a task instance.
  • A Set Variable action for a global variable will require appropriate global variable Create or Update permission.
  • CLI and Web Services APIs will require appropriate global variable permissions depending on whether the command will Read, Create, or Update a global variable.
  • Create Bundle By Date command will only add a global variable to the bundle if the:
    • Global variable qualifies for the specified date.
    • User invoking the command has Read permission for that global variable.

All defined Variable permissions will be enforced unless enhanced global variable security has been disabled by setting Variable Security Enabled to false. This allows all global variables to be managed and used by any valid Universal Controller user.

Virtual Resource Permissions


 

Options

Description

Create

Grants permission to create a virtual resource.

Read

Grants permission to read a virtual resource.
 
The Read check box will be checked automatically if the Business Service Visibility Restricted Universal Controller system property is false.

Update

Grants permission to update a virtual resource.

Delete

Grants permission to delete a virtual resource.

Execute

Grants permission to execute a virtual resource.

Commands

  • ALL: Grants permission to issue any command.
  • Copy Virtual Resource: Grants permission to copy a Virtual Resource.

Enabling Enhanced Virtual Resource Security

Important

If you have upgraded from a Controller release that did not previously support the Virtual Resource permission type, it is important that you review and assign virtual resource permissions to all appropriate users/groups to avoid impacting existing workload that requires the use of virtual resources to execute.

By default, enhanced virtual resource security is enabled; the Virtual Resource Security Enabled Universal Controller system property is set to true.

This controls virtual resource access the following ways:

  • All users will have Read access to virtual resources.
  • Users with the ops_admin role will have full access to all virtual resources.
  • Create, Update, Delete, and Execution permissions must be explicitly assigned to users if those permissions are not granted through the ops_promotion_admin role.
  • Only those virtual resources for which the Execution User of the task instance has Execute permission can be requested by the task instance. Any virtual resource requested by task instances with an Execution User that does not have Execute permission for that virtual resource will result in the task instance going into Start Failure status, with status description Execution for virtual resource "resource-name" prohibited due to security constraints.
  • Set Virtual Resource Limit System Operation action will require appropriate virtual resource Update permission.
  • CLI and Web Services APIs will require appropriate virtual resource permissions: Updating a virtual resource limit through the CLI and Web Services APIs will require virtual resource Update permission.

All defined Virtual Resource permissions will be enforced unless enhanced virtual resource security has been disabled by setting Virtual Resource Security Enabled to false. This allows all virtual resources to be managed and used by any valid Universal Controller user.

Webhook Permissions

Options

Description

Create

Grants permission to create a Webhook.

Read

Grants permission to read a Webhook.

Update

Grants permission to update a Webhook.

Delete

Grants permission to delete a Webhook.

Commands
  • ALL: Grants permission to issue any command.
  • Enable: Grants permission to enable Webhook.
  • Disable: Grants permission to disable Webhook.
  • Assign Execution User: Grants permission to assign execution user to Webhook. 

Exporting Permissions for a Group

The Controller lets you export user groups and their permissions, which then can be imported into another Controller system. Only the permissions listed under the Permissions tab for each group will be exported.
 

Step 1

From the Administration navigation pane, select Security > Groups. The Groups list displays.

Step 2

As desired, filter the list to select the group(s) whose permissions you want to export. When you perform the export, all groups matching the filter will be exported.

Step 3

Access the Action menu and select Export > Permissions For Group.
 


To export or import the Permissions For Group XML, you must have the ops_admin role or the ops_imex and ops_user_admin roles.

If the groups do not exist on the import system, they (and their Permissions) will be created there.

If the groups do exist on the import system, only the description of the groups and the permissions under their Permissions tab will be replaced with those from the imported XML.