Access Control Lists are used to define access restrictions for a variety of features within JAMS.
An ACL is a list of Access Control Entries (ACEs). Each ACE includes one or more identifier along with the type of user access. For example, when a user attempts to perform a function, JAMS starts at the top of the ACL listing to determine if he/she can perform that particular function by checking the identifiers specified in each ACE against those held by the user. When a match is found the user is granted access specified on the ACE. If the end of the ACL list is reached without a match, no access is granted.
Configure Access Control
In JAMS V6.5.18 and newer, a Job called SetJAMSAccessControl is available in the JAMS Folder. This Job configures JAMS Access Control to match the best practices outlined below. An overview of the SetJAMSAccessControl Job is available here.
Typical implementations of JAMS Security Settings result in the creation of four groups: Admin, developers, submitters, and inquirers. The following table outlines best practice permissions given to each group. Admins are not listed, as they are the GrantBypassGroup in the Configuration.
Access control Line Item |
DEV |
SUB |
INQ |
| Alert Definitions | |||
| Add | X | ||
| Change | X | ||
| Delete | X | ||
| Inquire | X | X | X |
| Configuration | |||
| Execute | |||
| Inquire | |||
| Dates | |||
| Add | X | ||
| Change | X | ||
| Delete | X | ||
| Inquire | X | X | X |
| Date Types | |||
| Add | X | ||
| Change | X | ||
| Delete | X | ||
| Inquire | X | X | X |
| Folder Definitions | |||
| Add | X | ||
| Change | X | ||
| Control | |||
| Delete | X | ||
| Inquire | X | X | X |
| History Inquiry | |||
| Execute | X | X | X |
| Job Definitions | |||
| Add | X | ||
| Change | X | ||
| Delete | X | ||
| Inquire | X | X | X |
| Menu Definitions | |||
| Add | X | ||
| Change | X | ||
| Delete | X | ||
| Inquire | X | X | X |
| Monitor | |||
| Abort | X | X | |
| Execute | X | X | |
| Manage | X | X | |
| See All Jobs | X | X | X |
| See Own Jobs | X | X | X |
| Named Time Definitions | |||
| Add | X | ||
| Change | X | ||
| Delete | X | ||
| Inquire | X | X | X |
| Manage | X | ||
| Queues | |||
| Add | X | ||
| Change | X | ||
| Delete | X | ||
| Inquire | X | X | X |
| Reporting | |||
| Add | X | ||
| Change | X | ||
| Delete | X | ||
| Execute | X | X | X |
| Inquire | X | X | X |
| Resource Definitions | |||
| Add | X | ||
| Change | X | ||
| Delete | X | ||
| Inquire | X | X | X |
| Manage | X | ||
| Security | |||
| Execute | |||
| Inquire | |||
| Server | |||
| Execute | X | X | X |
| Setup Definitions | |||
| Add | X | ||
| Change | X | ||
| Delete | X | ||
| Inquire | X | X | X |
| Trigger Definitions | |||
| Add | X | ||
| Change | X | ||
| Delete | X | ||
| Inquire | X | X | X |
| Manage | X | ||
| Reset | X | X | |
| Users | |||
| Add | X | ||
| Change | X | ||
| Delete | X | ||
| Inquire | X | X | X |
| Variable Definitions | |||
| Add | X | ||
| Change | X | ||
| Control | |||
| Delete | X | ||
| Inquire | X | X | X |
The access capabilities (access types) for each security function are detailed in the following sections.
Alert Definitions
-
Add: allows the addition of new Alert Definitions.
-
Change: allows the modification of existing Alert Definitions.
-
Delete: allows the deletion of Alert Definitions.
-
Inquire: permits inquiry into Alert Definitions.
Configuration
-
Execute: grants or denies access to the Configuration options.
-
Inquire: allows viewing status to the Configuration options.
Dates
-
Add: permits the addition of new Date Definitions.
-
Change: allows the modification of existing Date Definitions.
-
Delete: allows the deletion of Date Definitions.
-
Inquire: permits inquiry into Date Definitions.
Date Types
-
Add: permits the addition of new Date Type Definitions.
-
Change: allows the modification of existing Date Type Definitions.
-
Delete: allows the deletion of Date Type Definitions.
-
Inquire: permits inquiry into Date Type Definitions.
Folder Definitions
-
Add: allows the addition of new Folder Definitions.
-
Change: permits modifications to existing Folder Definitions.
-
Control: permits modification of an individual Folders ACL.
-
Delete. permits the deletion of Folder Definitions.
-
Inquire: allows inquiry into Folder Definitions.
 |
Note: Each Folder Definition has its own access control information. This ACL can be viewed and/or modified from the Folder Definitions > Security tab. |
|
Note: In order to modify, delete or view a Folder Definition you must have Change, Delete or Inquire access to Folder definitions as well as Change, Delete or Inquire access to the specific Folder definition which you want to modify. |
History Inquiry
History Inquiry has only one security option, Execute. You can either grant or deny access to view History entries.
Job Definitions
-
Add: allows the addition of new Job Definitions.
-
Change: permits modification of existing Job Definitions.
-
Delete: allows the deletion of Job Definitions.
-
Inquire: permits user inquiry into Job Definitions.
|
Note: Job Definitions can also be controlled by the Access Control List within each Folder definition. To create a Job you must have Add access to Job Definitions plus Job Add access to the Folder to which the Job belongs. Similarly, to modify, delete or inquire into a Job definition you must have the corresponding Job Change, Job Delete or Job Inquire access rights for the Folder to which the Job belongs. |
Menu Definitions
-
Add: permits the addition of new Menu Definitions.
-
Change: allows the modification of existing Menu Definitions.
-
Delete: allows the deletion of Menu Definitions.
-
Inquire: permits user inquiry into Menu Definitions.
Monitor
-
Abort Jobs: permits a person to abort and restart any Job appearing on their display.
-
Execute: permits access to the Job Monitor. Only Jobs which the user has Monitor access can be displayed.
-
Manage: allows a person to reschedule, hold, release and delete any Job appearing on their display.
-
See All Jobs: allows access to the Job Monitor and includes the ability to monitor Jobs submitted by anyone.
-
See Own Jobs: allows access to the Job Monitor but only displays Jobs submitted by the user running the monitor.
|
Note: Monitor capabilities are also controlled using Folder Definitions. For example, you could grant someone See All Jobs access to the Job Monitor giving them the ability to monitor all batch Jobs. Then each Folder definition could define whether or not the user can manage or abort any Jobs located within that Folder. |
Named Time Definitions
-
Add: permits the addition of new Named Time Definitions.
-
Change: allows the modification of existing Named Time Definitions.
-
Delete: allows the deletion of Named Time Definitions.
-
Inquire: permits the inquiry into Named Time Definitions.
-
Manage: allows access to the Enable Time and Disable Time commands.
Queues
-
Add: permits the addition of new Queue Definitions.
-
Change: allows the modification of existing Queue Definitions.
-
Delete: permits the deletion of Queue Definitions.
-
Inquire: allows the inquiry into Queue Definitions.
Reporting
-
Add: allows the addition of new Report Definitions.
-
Change: allows the modification of existing Report Definitions.
-
Delete: allows the deletion of Report Definitions.
-
Execute: allows the execution of Report Definitions.
-
Inquire: permits the inquiry into Report Definitions.
Resource Definitions
-
Add: permits the addition of new Resource Definitions.
-
Change: allows the modification of existing Resource Definitions.
-
Delete: permits the deletion of Resource Definitions.
-
Inquire: allows inquiry into existing Resource Definitions.
-
Manage: allows the Jobs submitted by the user to acquire units of a Resource.
Security
-
Execute: grants the user the ability to modify the Access Control List for all security options.
-
Inquire: provides the user view access to the Access Control Lists for all security options.
Server
The Server ACL contains only one security option.
-
Execute: grants or denies access to the Server.
Setup Definitions
-
Add: allows the addition of new Setup Definitions.
-
Change: permits modification of existing Setup Definitions.
-
Delete: allows deletion of Setup Definitions.
-
Inquire: permits the inquiry into Setup Definitions.
Setup Definitions are also controlled by the Access Control List for each Folder definition. To create a Setup you must have Add access for all Setup Definitions and Submit access to the Folder to which the Setup’s Job definition belongs, plus Define Setup access to the Folder to which the Setup definition belongs.
The Submit and Define Setup access rights are defined within each Folder definition.
Trigger Definitions
-
Add: permits the addition of new Trigger Definitions.
-
Change: allows modification to existing Trigger Definitions.
-
Delete: allows the deletion of Trigger Definitions.
-
Inquire: permits the inquiry into Trigger Definitions.
-
Manage: allows the use of the Enable and Disable commands.
-
Reset: permits the use of the Reset command.
Users
-
Add: permits the addition of new user Definitions.
-
Change: permits the modification of existing User Definitions.
-
Delete: allows the deletion of User Definitions.
-
Inquire: allows the inquiry into User Definitions.
Variable Definitions
-
Add: allows addition of new Variable Definitions.
-
Change: allows modification of existing Variable Definitions.
-
Control: permits the modification of an individual Variable ACL's.
-
Delete: allows the deletion of Variable Definitions.
-
Inquire: permits the inquiry into Variable Definitions.
|
Note: Each Variable has an individual ACL which is used to protect only that Variable. |