Defining User Authority

Use this procedure to restrict the functions that a user can perform and the directories where a function can be performed.

To set user authorities:

  1. Select Admin > Functional Authorities.
    The User Authorities view is the default view.
  2. Choose one of the following types of users:
    • Click New Admin to create a new user authority with full privileges for Process controls and functions.
    • Click New Genusr to create a user authority with reduced privileges.
    • Click New Operator to create a user authority with view-only privileges.
  3. Type a name, from 1 to 50 alphanumeric characters, for the new user in the Name field. You can use spaces.
    Note: You can enter a user ID in UPN format such as or cduser@mydomain. The UPN format allows you to identify both the user name and the domain.
  4. Do one of the following:
    • To save the new user authority with the default privileges, click OK.
    • To modify the default user privileges, continue with the next step.
  5. To restrict the control functions or statements a user is authorized to perform, change the value of one or more of the fields on the Main tab to No to deny user authority for that privilege and click OK.
    Field Name Definition Valid Values
    Client Source Addresses Use this parameter to list all of the IP addresses and/or host names that are valid for this user's API connection. If you specify values for this field, the IP address of this user's API connection is validated with the client.source_ip list. If the IP address does not match the one specified on the list, the connection is rejected.

    A comma-separated list of client IP addresses or host names associated with client IP addresses.

    The IP address of the client connection for this user must match the address configured in this field.

    For example: nnn.nnn.nnn.nnn, localhost

    Allow Client Certificate Authentication Determines if the user can perform certificate authentication for client API connections.

    Check Box selected—Enables client certificate authentication for the user

    Check Box not selected—Disables client certificate authentication for the user

    Selected | Not Selected

    Allow No Password local Connections Determines if the user can perform a local client API connection without a password.

    Check Box selected—Enables local client API connection for the user

    Check Box not selected—Disables local client API connection for the user

    Selected | Not Selected

    Allow Process to run using Service Account  

    Selected | Not Selected


    Grants authority to submit Processes.

    Yes | No


    Grants access to the Process Monitor function.

    Yes specifies that you can monitor your own Processes; All specifies that you can monitor anyone's Processes.

    Yes | No | All


    Grants authority to change Processes in the TCQ.

    Yes specifies that you can change your own Processes; All specifies that you can change anyone's Processes.

    Yes | No | All


    Grants authority to delete Processes from the TCQ.

    Yes specifies that you can delete your own Processes; All specifies that you can delete anyone's Processes.

    Yes | No | All


    Grants authority to access Process statistics using the Select Statistics command.

    Yes specifies that you can access statistics for your own Processes; All specifies that you can access statistics for anyone's Processes.

    Yes | No | All

    Copy Send

    Grants authority to submit copy Process statements. Yes | No

    Copy Receive

    Grants authority to receive copy Process statements. Yes | No

    Run Job

    Grants authority to submit run job Process statements.

    Yes | No

    Run Task

    Grants authority to submit run task Process statements.

    Yes | No


    Grants authority to submit Processes from within another Process.

    Yes | No
  6. To define directory restrictions, click the Directories tab.
  7. To restrict a user's access to directories, specify the directory from which the user can perform a function, submit Processes, or run programs and click OK. Refer to the following table for the Directory Restrictions functions:
    Field Name Description


    Specifies the directory that the user can copy files from and use as a source.

    Security in some Microsoft Windows systems prompts for administrative permissions confirmation when it writes to the Program Files subdirectories. If you specify a Program Files directory in the Upload field, the system may be unable to copy files to that location.

    To fix this problem:
    1. Specify an upload directory that is not in the Program Files directory.
    2. On the Connect:Direct® for Microsoft Windows Server, use Microsoft Windows Control Panel to change User Account Control Settings to Never Notify.

    Reboot the server to enable the updates.


    Specifies the directory that the user can copy files to and use as a destination.


    Specifies the directory from which the user can submit a Process.
    Note: Setting a Process directory restriction here only restricts submit statements within a Process. In other words, given an entry in this field, a user (or, in the case of a group functional authority, a group) can use Requester to submit a Process without restrictions on where the Process is submitted from, but a Submit Process statement within the Process will run only from the directory specified here.


    Specifies the directory from which the user can run a program.

  8. To define administrative privileges, click the Admin tab.
  9. To give a user access to an administrative function, change the value to Yes or select View to grant read-only access and click OK. Refer to the following table for Administrative functions:
    Field Name Definition Valid Values


    Grants authority to update the network map.

    Yes | No| View

    Translation Table

    Grants authority to update the translation tables.

    Yes | No| View

    User Authorities

    Grants authority to update local user Connect:Direct functional authorities.

    Yes | No| View

    User Proxy

    Grants authority to update user proxies.

    Yes | No| View

    Grants authority to send Connect:Direct Secure Plus commands through the API.

    Yes | No


    Grants authority to stop Connect:Direct.

    Yes | No


    Grants authority to refresh the Connect:Direct server initialization parameters.

    Yes | No | View

    Grants authority to access the Trace utility.

    Yes | No
  10. Click the Override tab to define override authority.
  11. To grant access to the override function, set any of the override privileges to Yes. Refer to the following table for the override privilege functions:
    Field Name Definition Valid Values

    Execution Priority

    Grants authority to override the default execution priority in a Process.

    Yes | No | All

    Remote Node ID

    Grants authority to use the remote node ID parameter on the Process or when submitting the Process.

    Yes | No

    File Attributes

    Grants authority to override the system's default file attributes when creating files using a copy Process.

    Yes | No

    ACL Update

    Grants authority to define access–allowed and access–denied entries in the Access Control List (ACL) for a file created using a copy Process.

    Yes | No


    Grants authority to override the CRC-enabled state in node and Process statements.

    ON | OFF | Blank

  12. Click OK.