About Local Functional Authorities

After you define a user ID for each user with access to the local node, you can limit the tasks a user can perform by defining user authorities for each user ID. For example, you can permit a user to submit Processes but not monitor or delete them. Define user authority as a default administrator or a general user. Then define the directories where a user can perform functions. You can define authorities for remote users, and you can group users under group authorities. Connect:Direct®

Define a Functional Authority Type

You can define three types of users: administrators, general, and operator users. Each user type has a set of default privileges. The default administrator, general user, and operator definitions allow the user to perform basic Connect:Direct tasks. You can use these templates to assign user authorities and restrict privileges. The following table defines the default authorities of the administrator, general user, and an operator user:

Authority Default Administrator Default General User Default Operator User
View Processes in the TCQ yes yes yes
Issue the copy receive, copy send, run job, and run task Process statements yes yes no
Issue the submit Process statement all yes no
Submit, change, and delete Processes for all users yes no no
Monitor processes for all users yes yes yes
Submit, change, Monitor, and delete your own Processes yes yes no
Run programs yes yes no
Access Process statistics all yes all
Upload and download files from any directory yes yes yes
Upload and download files to or from specific directories no no no
Run programs from any directory yes yes no
Run programs from specific directories yes no no
Update the network map yes no view
Update the translation table yes yes view
Update local user authorities yes no view
Update remote user secure point-of-entry proxies yes no view
Stop Connect:Direct for Microsoft Windows yes no no
Invoke the refresh initialization parameters options yes yes view
Use the trace tool or issue traceon and traceoff commands yes no no
Override execution priority, including Hold, Retain, and Plexclass status all yes yes
User type can override the CRC status on.
Note: The CRC will be off if Secure+ is used.
off off
Override Process options such as file attributes and remote node ID all yes off

Define Directories Where Users Can Perform Tasks

You then define directories where a user can perform tasks. If you do not specify a directory for a function, the user can perform it from any directory, regardless of whether the request is submitted from the PNODE or the SNODE; however, the remote user proxy can override the directory specification. Directory restrictions for the Upload and Download directory can be bypassed if restrictions are not also provided for the Process and Program directory paths. As a result, if the remote user is allowed to use the Run Task and Run Job features to execute commands from any directory, then they could perform operating system commands. These commands could include copy commands to copy files to any directory, bypassing the Upload and Download restrictions.

To prevent this, set directory restrictions for the Process and program features using a separate directory path from the Upload and Download directory path or disable the Run Job and Run Task for this user. Programs that be run are defined in the Process and Program directories.

Define Remote User Proxies

You can define remote user proxies. A remote user proxy associates a remote user with a local user ID and gives the remote user the authority to perform the same functions as the proxy. This is useful if you want to give a remote user access to a server, but you do not want to define a user ID and user authorities for the user. Defining a remote user proxy also provides the remote user access to the local node without the need to remember password information.