Defining User Authority
About this task
Use this procedure to restrict the functions that a user can perform and the directories where a function can be performed.
To set user authorities:
Procedure
- Select Settings > Users. Under New Functional Authority, click Create. For more information, refer to <Redirection link to User authority page of ICDWS>
  The User Authorities view is the default view.
- Choose one of the following types of users:
  - Click New Admin to create a new user authority with full privileges for Process controls and functions.
  - Click New Genusr to create a user authority with reduced privileges.
  - Click New Operator to create a user authority with view-only privileges.
- Type a name, from 1 to 50 alphanumeric characters, for the new user in the Name field. You can use spaces.
  Note: You can enter a user ID in UPN format such as cduser@adtree.mycomp.com or cduser@mydomain. The UPN format allows you to identify both the user name and the domain.
- Do one of the following:
  - To save the new user authority with the default privileges, click OK.
  - To modify the default user privileges, continue with the next step.
- To restrict the control functions or statements a user is authorized to perform, change the value of one or more of the fields under Transfer Control, Process Statement and Authentication (settings) to No to deny user authority for that privilege and click OK.

  Field Name: Client Source Addresses
  Definition: Use this parameter to list all of the IP addresses and/or host names that are valid for this user's API connection. If you specify values for this field, the IP address of this user's API connection is validated with the client.source_ip list. If the IP address does not match the one specified on the list, the connection is rejected.
  Valid Values: A comma-separated list of client IP addresses or host names associated with client IP addresses. The IP address of the client connection for this user must match the address configured in this field. For example: nnn.nnn.nnn.nnn, localhost

  Field Name: Allow Client Certificate Authentication
  Definition: Determines if the user can perform certificate authentication for client API connections. Check box selected: enables client certificate authentication for the user. Check box not selected: disables client certificate authentication for the user.
  Valid Values: Selected | Not Selected

  Field Name: Allow No Password local Connections
  Definition: Determines if the user can perform a local client API connection without a password. Check box selected: enables local client API connection for the user. Check box not selected: disables local client API connection for the user.
  Valid Values: Selected | Not Selected

  Field Name: Allow Process to run using Service Account
  Definition: Grants permission to run process using Service Account.
  Valid Values: Selected | Not Selected

  Field Name: Use Password Exit
  Definition: Determines if user can obtain its password using the Password Exit.
  Valid Values: Selected | Not Selected

  Field Name: Submit
  Definition: Grants authority to submit Processes.
  Valid Values: Yes | No

  Field Name: Monitor
  Definition: Grants access to the Process Monitor function. Yes specifies that you can monitor your own Processes; All specifies that you can monitor anyone's Processes.
  Valid Values: Yes | No | All

  Field Name: Change
  Definition: Grants authority to change Processes in the TCQ. Yes specifies that you can change your own Processes; All specifies that you can change anyone's Processes.
  Valid Values: Yes | No | All

  Field Name: Delete
  Definition: Grants authority to delete Processes from the TCQ. Yes specifies that you can delete your own Processes; All specifies that you can delete anyone's Processes.
  Valid Values: Yes | No | All

  Field Name: Statistics
  Definition: Grants authority to access Process statistics using the Select Statistics command. Yes specifies that you can access statistics for your own Processes; All specifies that you can access statistics for anyone's Processes.
  Valid Values: Yes | No | All

  Field Name: Copy Send
  Definition: Grants authority to submit copy Process statements.
  Valid Values: Yes | No

  Field Name: Copy Receive
  Definition: Grants authority to receive copy Process statements.
  Valid Values: Yes | No

  Field Name: Run Job
  Definition: Grants authority to submit run job Process statements.
  Valid Values: Yes | No

  Field Name: Run Task
  Definition: Grants authority to submit run task Process statements.
  Valid Values: Yes | No

  Field Name: Submit
  Definition: Grants authority to submit Processes from within another Process.
  Valid Values: Yes | No

- To define directory restrictions, click the Directories tab.
- To restrict a user's access to directories, specify the directory from which the user can perform a function, submit Processes, or run programs and click OK.
  Refer to the following table for the Directory Restrictions functions:

  Field Name: Upload
  Description: Specifies the directory that the user can copy files from and use as a source.
  Security in some Microsoft Windows systems prompts for administrative permissions confirmation when it writes to the Program Files subdirectories. If you specify a Program Files directory in the Upload field, the system may be unable to copy files to that location.
  To fix this problem:
  - Specify an upload directory that is not in the Program Files directory.
  - On the IBM® Connect:Direct® for Microsoft Windows Server, use Microsoft Windows Control Panel to change User Account Control Settings to Never Notify. Reboot the server to enable the updates.

  Field Name: Download
  Description: Specifies the directory that the user can copy files to and use as a destination.

  Field Name: Process
  Description: Specifies the directory from which the user can submit a Process.
  Note: Setting a Process directory restriction here only restricts submit statements within a Process. In other words, given an entry in this field, a user (or, in the case of a group functional authority, a group) can use Integrated Connect:Direct Web Services to submit a Process without restrictions on where the Process is submitted from, but a Submit Process statement within the Process will run only from the directory specified here.

  Field Name: Program
  Description: Specifies the directory from which the user can run a program.

- To define administrative privileges, click General Information and Server Control tab.
- To give a user access to an administrative function, change the value to Yes or select View to grant read-only access and click OK.
  Refer to the following table for Administrative functions:

  Field Name: Netmap
  Definition: Grants authority to update the network map.
  Valid Values: Yes | No | View

  Field Name: Translation Table
  Definition: Grants authority to update the translation tables.
  Valid Values: Yes | No | View

  Field Name: User Authorities
  Definition: Grants authority to update local user Connect:Direct functional authorities.
  Valid Values: Yes | No | View

  Field Name: User Proxy
  Definition: Grants authority to update user proxies.
  Valid Values: Yes | No | View

  Field Name: Secure+
  Definition: Grants authority to send Connect:Direct Secure Plus commands through the API.
  Valid Values: Yes | No

  Field Name: Stop
  Definition: Grants authority to stop Connect:Direct.
  Valid Values: Yes | No

  Field Name: Initparms
  Definition: Grants authority to refresh the Connect:Direct server initialization parameters.
  Valid Values: Yes | No | View

  Field Name: Trace
  Definition: Grants authority to access the Trace utility.
  Valid Values: Yes | No

  Field Name: Process Library
  Definition: Grants authority for the process library operations.
  Valid Values: Yes | No | View

  Field Name: File Agent
  Definition: Grants authority to Integrated File Agent.
  Valid Values: Yes | No | View

  Field Name: External Stats Logging
  Definition: Grants authority to log external statistics in Connect:Direct.
  Valid Values: Yes | No

  Field Name: Web Services
  Definition: Grants authority to update the web services configuration.
  Valid Values: Yes | No | View
  Note: This field is only configurable using Web services.

- Click the Override tab to define override authority.
- To grant access to the override function, set any of the override privileges to Yes. Refer to the following table for the override privilege functions:

  Field Name: Execution Priority
  Definition: Grants authority to override the default execution priority in a Process.
  Valid Values: Yes | No | All

  Field Name: Remote Node ID
  Definition: Grants authority to use the remote node ID parameter on the Process or when submitting the Process.
  Valid Values: Yes | No

  Field Name: File Attributes
  Definition: Grants authority to override the system's default file attributes when creating files using a copy Process.
  Valid Values: Yes | No

  Field Name: ACL Update
  Definition: Grants authority to define access-allowed and access-denied entries in the Access Control List (ACL) for a file created using a copy Process.
  Valid Values: Yes | No

  Field Name: CRC
  Definition: Grants authority to override the CRC-enabled state in node and Process statements.
  Valid Values: ON | OFF | Blank

- To specify password exit values, click Password Exit.
- The Application ID and Policy ID are password exit parameters. These parameters may be configured per-user in the Functional User Authorities.

  Field Name: Application ID
  Definition: Default password.exit.application.id specified in initialization parameters for this user.

  Field Name: Policy ID
  Definition: Default password.exit.policy.id specified in initialization parameters for this user.

  Field Name: Safe
  Definition: Default password.exit.policy.safe specified in initialization parameters for this user.

  Field Name: Object
  Definition: Default password.exit.policy.object specified in initialization parameters for this user.

  Field Name: UserDefined
  Definition: Default password.exit.policy.user.defined specified in initialization parameters for this user.

- Click OK.
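
The Client Source Addresses check described in the authentication settings above, modelled as an added example (not IBM's code and not part of the original page). It shows that an empty field leaves the connection address unchecked and that both IP entries and host-name entries can admit a client. The function names, the sample addresses and the forward-lookup treatment of host-name entries are assumptions.

```python
import ipaddress
import socket

def _dns(host):
    # Assumption: a host-name entry stands for the addresses it resolves to.
    try:
        return {info[4][0] for info in socket.getaddrinfo(host, None)}
    except socket.gaierror:
        return set()  # an unresolvable name matches nothing

def parse_source_list(field_value):
    """Split the comma-separated field into IP entries and host-name entries."""
    ips, hosts = set(), set()
    for entry in (part.strip() for part in field_value.split(",")):
        if not entry:
            continue
        try:
            ips.add(ipaddress.ip_address(entry))
        except ValueError:
            hosts.add(entry.lower())
    return ips, hosts

def connection_allowed(field_value, client_ip, resolve=_dns):
    """Return (allowed, reason) for an API connection arriving from client_ip."""
    ips, hosts = parse_source_list(field_value)
    if not ips and not hosts:
        # The page validates the address only when the field has values.
        return True, "no restriction configured"
    addr = ipaddress.ip_address(client_ip)
    if addr in ips:
        return True, "matched IP entry"
    for host in sorted(hosts):
        if addr in {ipaddress.ip_address(a) for a in resolve(host)}:
            return True, "matched host entry " + host
    return False, "connection rejected"

# Constructed sample data: documentation-range addresses and a fake resolver
# so the demonstration runs offline.
FIELD = "192.0.2.10, localhost"
FAKE_DNS = {"localhost": {"127.0.0.1", "::1"}}

def lookup(host):
    return FAKE_DNS.get(host, set())

if __name__ == "__main__":
    for ip in ("192.0.2.10", "127.0.0.1", "198.51.100.7"):
        print(ip, connection_allowed(FIELD, ip, lookup))
    print("empty field:", connection_allowed("", "198.51.100.7", lookup))
```

Running the same function over the values entered for each user shows which authorities have no source restriction at all.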