JAMS Security: Setting Access Control Lists

Access Control Lists are used to define access restrictions for a variety of features within JAMS.

An ACL is a list of Access Control Entries (ACEs). Each ACE includes one or more identifier along with the type of user access. For example, when a user attempts to perform a function, JAMS starts at the top of the ACL listing to determine if he/she can perform that particular function by checking the identifiers specified in each ACE against those held by the user. When a match is found the user is granted access specified on the ACE. If the end of the ACL list is reached without a match, no access is granted.

NOTE: By default, new installations will have NT AUTHORITY\Authenticated Users set on the root folder in JAMS with full access to objects.

NOTE: In JAMS V7.0.1367 and later, removing all ACEs on an object behaves the same as Windows would. When all ACEs are removed from an object, only the GrantAdministratorsByPass group will have access to the object. Previously, removing all ACEs from an object would give all Authenticated Users access to that object.

Configure Access Control

In JAMS, a Job called SetJAMSAccessControl is available in the JAMS Folder. This Job configures JAMS Access Control to match the best practices outlined below.

Best Practices

Typical implementations of JAMS Security Settings result in the creation of four groups: Admin, developers, submitters, and inquirers. The following table outlines best practice permissions given to each group. Admins are not listed, as they are the GrantBypassGroup in the Configuration.

Access control Line Item	DEV	SUB	INQ
Agent Definitions
Add	X
Change	X
Delete	X
Inquire	X	X	X
Calendars
Add	X
Change	X
Delete	X
Inquire	X	X	X
Configuration
Execute
Inquire
Credential Definitions
Add	X
Change	X
Delete	X
Inquire	X	X	X
Date Types
Add	X
Change	X
Delete	X
Inquire	X	X	X
Folder Definitions
Add	X
Change	X
Control
Delete	X
Inquire	X	X	X
History Inquiry
Execute	X	X	X
Job Definitions
Add	X
Change	X
Delete	X
Inquire	X	X	X
Menu Definitions
Add	X
Change	X
Delete	X
Inquire	X	X	X
Monitor
Abort	X	X
Execute	X	X
Manage	X	X
See All Jobs	X	X	X
See Own Jobs	X	X	X
Named Time Definitions
Add	X
Change	X
Delete	X
Inquire	X	X	X
Manage	X
Queues
Add	X
Change	X
Delete	X
Inquire	X	X	X
Reporting
Add	X
Change	X
Delete	X
Execute	X	X	X
Inquire	X	X	X
Resource Definitions
Add	X
Change	X
Delete	X
Inquire	X	X	X
Manage	X
Security
Execute
Inquire
Server
Execute	X	X	X
Variable Definitions
Add	X
Change	X
Control
Delete	X
Inquire	X	X	X

The access capabilities (access types) for each security function are detailed in the following sections.

Agent Definitions

Add: allows the addition of new Agent Definitions.
Change: allows the modification of existing Agent Definitions.
Delete: allows the deletion of Agent Definitions.
Inquire: permits inquiry into Agent Definitions.

Calendars

Add: permits the addition of new Calendars.
Change: allows the modification of existing Calendars.
Delete: allows the deletion of Calendars.
Inquire: permits inquiry into Calendars.

Configuration

Execute: grants or denies access to the Configuration options.
Inquire: allows viewing status to the Configuration options.

Credential Definitions

Add: permits the addition of new user Credential Definitions.
Change: permits the modification of existing user Credential Definitions.
Delete: allows the deletion of user Credential Definitions.
Inquire: allows the inquiry into user Credential Definitions.

Date Types

Add: permits the addition of new Date Type Definitions.
Change: allows the modification of existing Date Type Definitions.
Delete: allows the deletion of Date Type Definitions.
Inquire: permits inquiry into Date Type Definitions.

Folder Definitions

Add: allows the addition of new Folder Definitions.
Change: permits modifications to existing Folder Definitions.
Control: permits modification of an individual Folders ACL.
Delete. permits the deletion of Folder Definitions.
Inquire: allows inquiry into Folder Definitions.

Note: Each Folder Definition has its own access control information. This ACL can be viewed and/or modified from the Folder Definitions > Security tab.

Note: In order to modify, delete or view a Folder Definition you must have Change, Delete or Inquire access to Folder definitions as well as Change, Delete or Inquire access to the specific Folder definition which you want to modify.

History Inquiry

History Inquiry has only one security option, Execute. You can either grant or deny access to view History entries.

Job Definitions

Add: allows the addition of new Job Definitions.
Change: permits modification of existing Job Definitions.
Delete: allows the deletion of Job Definitions.
Inquire: permits user inquiry into Job Definitions.

Note: Job Definitions can also be controlled by the Access Control List within each Folder definition. To create a Job you must have Add access to Job Definitions plus Job Add access to the Folder to which the Job belongs. Similarly, to modify, delete or inquire into a Job definition you must have the corresponding Job Change, Job Delete or Job Inquire access rights for the Folder to which the Job belongs.

Menu Definitions

Add: permits the addition of new Menu Definitions.
Change: allows the modification of existing Menu Definitions.
Delete: allows the deletion of Menu Definitions.
Inquire: permits user inquiry into Menu Definitions.

Monitor

Abort Jobs: permits a person to abort and restart any Job appearing on their display.
Execute: permits access to the Job Monitor. Only Jobs which the user has Monitor access can be displayed.
Manage: allows a person to reschedule, hold, release and delete any Job appearing on their display.
See All Jobs: allows access to the Job Monitor and includes the ability to monitor Jobs submitted by anyone.
See Own Jobs: allows access to the Job Monitor but only displays Jobs submitted by the user running the monitor.

Note: Monitor capabilities are also controlled using Folder Definitions. For example, you could grant someone See All Jobs access to the Job Monitor giving them the ability to monitor all batch Jobs. Then each Folder definition could define whether or not the user can manage or abort any Jobs located within that Folder.

Named Time Definitions

Add: permits the addition of new Named Time Definitions.
Change: allows the modification of existing Named Time Definitions.
Delete: allows the deletion of Named Time Definitions.
Inquire: permits the inquiry into Named Time Definitions.
Manage: allows access to the Enable Time and Disable Time commands.

Queues

Add: permits the addition of new Queue Definitions.
Change: allows the modification of existing Queue Definitions.
Delete: permits the deletion of Queue Definitions.
Inquire: allows the inquiry into Queue Definitions.

Reporting

Add: allows the addition of new Report Definitions.
Change: allows the modification of existing Report Definitions.
Delete: allows the deletion of Report Definitions.
Execute: allows the execution of Report Definitions.
Inquire: permits the inquiry into Report Definitions.

Resource Definitions

Add: permits the addition of new Resource Definitions.
Change: allows the modification of existing Resource Definitions.
Delete: permits the deletion of Resource Definitions.
Inquire: allows inquiry into existing Resource Definitions.
Manage: allows the Jobs submitted by the user to acquire units of a Resource.

Security

Execute: grants the user the ability to modify the Access Control List for all security options.
Inquire: provides the user view access to the Access Control Lists for all security options.

Server

The Server ACL contains only one security option.

Execute: grants or denies access to the Server.

Variable Definitions

Add: allows addition of new Variable Definitions.
Change: allows modification of existing Variable Definitions.
Control: permits the modification of an individual Variable ACL's.
Delete: allows the deletion of Variable Definitions.
Inquire: permits the inquiry into Variable Definitions.

Note: Each Variable has an individual ACL which is used to protect only that Variable.

Access control Line Item

DEV

SUB

INQ