JAMS 7.x Help
JAMS Security: Setting Access Control Lists

Access Control Lists are used to define access restrictions for a variety of features within JAMS.

An ACL is a list of Access Control Entries (ACEs). Each ACE includes one or more identifier along with the type of user access. For example, when a user attempts to perform a function, JAMS starts at the top of the ACL listing to determine if he/she can perform that particular function by checking the identifiers specified in each ACE against those held by the user. When a match is found the user is granted access specified on the ACE. If the end of the ACL list is reached without a match, no access is granted.

 

NOTE: By default, new installations will have NT AUTHORITY\Authenticated Users set on the root folder in JAMS with full access to objects.
NOTE: In JAMS V7.0.1367 and later, removing all ACEs on an object behaves the same as Windows would. When all ACEs are removed from an object, only the GrantAdministratorsByPass group will have access to the object. Previously, removing all ACEs from an object would give all Authenticated Users access to that object.

Configure Access Control

In JAMS, a Job called SetJAMSAccessControl is available in the JAMS Folder. This Job configures JAMS Access Control to match the best practices outlined below.

Best Practices

Typical implementations of JAMS Security Settings result in the creation of four groups: Admin, developers, submitters, and inquirers. The following table outlines best practice permissions given to each group. Admins are not listed, as they are the GrantBypassGroup in the Configuration.

 

Access control Line Item

DEV

SUB

INQ

Agent Definitions
Add X
Change X
Delete X
Inquire X X X
Calendars
Add X
Change X
Delete X
Inquire X X X
Configuration
Execute
Inquire
Credential Definitions
Add X
Change X
Delete X
Inquire X X X
Date Types
Add X
Change X
Delete X
Inquire X X X
Folder Definitions
Add X
Change X
Control
Delete X
Inquire X X X
History Inquiry
Execute X X X
Job Definitions
Add X
Change X
Delete X
Inquire X X X
Menu Definitions
Add X
Change X
Delete X
Inquire X X X
Monitor
Abort X X
Execute X X
Manage X X
See All Jobs X X X
See Own Jobs X X X
Named Time Definitions
Add X
Change X
Delete X
Inquire X X X
Manage X
Queues
Add X
Change X
Delete X
Inquire X X X
Reporting
Add X
Change X
Delete X
Execute X X X
Inquire X X X
Resource Definitions
Add X
Change X
Delete X
Inquire X X X
Manage X
Security
Execute
Inquire
Server
Execute X X X
Variable Definitions
Add X
Change X
Control
Delete X
Inquire X X X

 

The access capabilities (access types) for each security function are detailed in the following sections.

Agent Definitions

Calendars

Configuration

Credential Definitions

Date Types

Folder Definitions

Note: Each Folder Definition has its own access control information. This ACL can be viewed and/or modified from the Folder Definitions > Security tab.

Note: In order to modify, delete or view a Folder Definition you must have Change, Delete or Inquire access to Folder definitions as well as Change, Delete or Inquire access to the specific Folder definition which you want to modify.

History Inquiry

History Inquiry has only one security option, Execute. You can either grant or deny access to view History entries.

Job Definitions

Note: Job Definitions can also be controlled by the Access Control List within each Folder definition. To create a Job you must have Add access to Job Definitions plus Job Add access to the Folder to which the Job belongs. Similarly, to modify, delete or inquire into a Job definition you must have the corresponding Job Change, Job Delete or Job Inquire access rights for the Folder to which the Job belongs.

 Menu Definitions

Monitor

Note: Monitor capabilities are also controlled using Folder Definitions. For example, you could grant someone See All Jobs access to the Job Monitor giving them the ability to monitor all batch Jobs. Then each Folder definition could define whether or not the user can manage or abort any Jobs located within that Folder.

Named Time Definitions

Queues

Reporting

Resource Definitions

Security

Server

The Server ACL contains only one security option.

Variable Definitions

Note: Each Variable has an individual ACL which is used to protect only that Variable.

See Also

 

 


Topic updated: 8/17/2018
©2019 HelpSystems, LLC. All Rights Reserved.

Send comments on this topic.