Defining User Authority

About this task

Use this procedure to restrict the functions that a user can perform and the directories where a function can be performed.

To set user authorities:

Procedure

  1. Select Settings > Users and, under New Functional Authority, click Create. For more information, refer to the User Authority page of the ICDWS documentation.
    The User Authorities view is the default view.
  2. Choose one of the following types of users:
    • Click New Admin to create a new user authority with full privileges for Process controls and functions.
    • Click New Genusr to create a user authority with reduced privileges.
    • Click New Operator to create a user authority with view-only privileges.
  3. Type a name, from 1 to 50 alphanumeric characters, for the new user in the Name field. You can use spaces.
    Note: You can enter a user ID in UPN format such as cduser@adtree.mycomp.com or cduser@mydomain. The UPN format allows you to identify both the user name and the domain.
  4. Do one of the following:
    • To save the new user authority with the default privileges, click OK.
    • To modify the default user privileges, continue with the next step.
  5. To restrict the control functions or statements a user is authorized to perform, change the value of one or more of the fields under the Transfer Control, Process Statement and Authentication settings to No to deny user authority for that privilege, and click OK. The fields are described in the following table:

    Client Source Addresses
      Definition: Lists all of the IP addresses and/or host names that are valid for this user's API connection. If you specify values for this field, the IP address of this user's API connection is validated against the client.source_ip list. If the IP address does not match one specified on the list, the connection is rejected.
      Valid values: A comma-separated list of client IP addresses, or host names associated with client IP addresses. The IP address of the client connection for this user must match an address configured in this field. For example: nnn.nnn.nnn.nnn, localhost

    Allow Client Certificate Authentication
      Definition: Determines if the user can perform certificate authentication for client API connections. Check box selected: enables client certificate authentication for the user. Check box not selected: disables client certificate authentication for the user.
      Valid values: Selected | Not Selected

    Allow No Password local Connections
      Definition: Determines if the user can perform a local client API connection without a password. Check box selected: enables local client API connection for the user. Check box not selected: disables local client API connection for the user.
      Valid values: Selected | Not Selected

    Allow Process to run using Service Account
      Definition: Grants permission to run a Process using the Service Account.
      Valid values: Selected | Not Selected

    Use Password Exit
      Definition: Determines if the user can obtain its password using the Password Exit.
      Valid values: Selected | Not Selected

    Submit
      Definition: Grants authority to submit Processes.
      Valid values: Yes | No

    Monitor
      Definition: Grants access to the Process Monitor function. Yes specifies that you can monitor your own Processes; All specifies that you can monitor anyone's Processes.
      Valid values: Yes | No | All

    Change
      Definition: Grants authority to change Processes in the TCQ. Yes specifies that you can change your own Processes; All specifies that you can change anyone's Processes.
      Valid values: Yes | No | All

    Delete
      Definition: Grants authority to delete Processes from the TCQ. Yes specifies that you can delete your own Processes; All specifies that you can delete anyone's Processes.
      Valid values: Yes | No | All

    Statistics
      Definition: Grants authority to access Process statistics using the Select Statistics command. Yes specifies that you can access statistics for your own Processes; All specifies that you can access statistics for anyone's Processes.
      Valid values: Yes | No | All

    Copy Send
      Definition: Grants authority to submit copy Process statements.
      Valid values: Yes | No

    Copy Receive
      Definition: Grants authority to receive copy Process statements.
      Valid values: Yes | No

    Run Job
      Definition: Grants authority to submit run job Process statements.
      Valid values: Yes | No

    Run Task
      Definition: Grants authority to submit run task Process statements.
      Valid values: Yes | No

    Submit
      Definition: Grants authority to submit Processes from within another Process.
      Valid values: Yes | No
  6. To define directory restrictions, click the Directories tab.
  7. To restrict a user's access to directories, specify the directory from which the user can perform a function, submit Processes, or run programs, and click OK. The Directory Restrictions functions are described in the following table:

    Upload
      Description: Specifies the directory that the user can copy files from and use as a source.
      Security in some Microsoft Windows systems prompts for administrative permissions confirmation when it writes to the Program Files subdirectories. If you specify a Program Files directory in the Upload field, the system may be unable to copy files to that location. To fix this problem:
      1. Specify an upload directory that is not in the Program Files directory.
      2. On the IBM® Connect:Direct® for Microsoft Windows Server, use Microsoft Windows Control Panel to change User Account Control Settings to Never Notify.
      Reboot the server to enable the updates.

    Download
      Description: Specifies the directory that the user can copy files to and use as a destination.

    Process
      Description: Specifies the directory from which the user can submit a Process.
      Note: Setting a Process directory restriction here only restricts submit statements within a Process. In other words, given an entry in this field, a user (or, in the case of a group functional authority, a group) can use Integrated Connect:Direct Web Services to submit a Process without restrictions on where the Process is submitted from, but a Submit Process statement within the Process will run only from the directory specified here.

    Program
      Description: Specifies the directory from which the user can run a program.

  8. To define administrative privileges, click the General Information and Server Control tab.
  9. To give a user access to an administrative function, change the value to Yes, or select View to grant read-only access, and click OK. The administrative functions are described in the following table:

    Netmap
      Definition: Grants authority to update the network map.
      Valid values: Yes | No | View

    Translation Table
      Definition: Grants authority to update the translation tables.
      Valid values: Yes | No | View

    User Authorities
      Definition: Grants authority to update local user Connect:Direct functional authorities.
      Valid values: Yes | No | View

    User Proxy
      Definition: Grants authority to update user proxies.
      Valid values: Yes | No | View

    Secure+
      Definition: Grants authority to send Connect:Direct Secure Plus commands through the API.
      Valid values: Yes | No

    Stop
      Definition: Grants authority to stop Connect:Direct.
      Valid values: Yes | No

    Initparms
      Definition: Grants authority to refresh the Connect:Direct server initialization parameters.
      Valid values: Yes | No | View

    Trace
      Definition: Grants authority to access the Trace utility.
      Valid values: Yes | No

    Process Library
      Definition: Grants authority for Process library operations.
      Valid values: Yes | No | View

    File Agent
      Definition: Grants authority for Integrated File Agent.
      Valid values: Yes | No | View

    External Stats Logging
      Definition: Grants authority to log external statistics in Connect:Direct.
      Valid values: Yes | No

    Web Services
      Definition: Grants authority to update the web services configuration.
      Note: This field is only configurable using Web Services.
      Valid values: Yes | No | View
  10. Click the Override tab to define override authority.
  11. To grant access to the override function, set any of the override privileges to Yes. The override privilege functions are described in the following table:

    Execution Priority
      Definition: Grants authority to override the default execution priority in a Process.
      Valid values: Yes | No | All

    Remote Node ID
      Definition: Grants authority to use the remote node ID parameter on the Process or when submitting the Process.
      Valid values: Yes | No

    File Attributes
      Definition: Grants authority to override the system's default file attributes when creating files using a copy Process.
      Valid values: Yes | No

    ACL Update
      Definition: Grants authority to define access-allowed and access-denied entries in the Access Control List (ACL) for a file created using a copy Process.
      Valid values: Yes | No

    CRC
      Definition: Grants authority to override the CRC-enabled state in node and Process statements.
      Valid values: ON | OFF | Blank

  12. To specify password exit values, click the Password Exit tab.
  13. The Application ID and Policy ID are password exit parameters. These parameters can be configured per user in the Functional User Authorities:

    Application ID
      Definition: Default password.exit.application.id specified in the initialization parameters for this user.

    Policy ID
      Definition: Default password.exit.policy.id specified in the initialization parameters for this user.

    Safe
      Definition: Default password.exit.policy.safe specified in the initialization parameters for this user.

    Object
      Definition: Default password.exit.policy.object specified in the initialization parameters for this user.

    UserDefined
      Definition: Default password.exit.policy.user.defined specified in the initialization parameters for this user.
  14. Click OK.
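
The following added example is not part of this documentation or of the Connect:Direct product; it models in Python the checks that the settings in steps 5 and 7 describe: the Client Source Addresses validation of a connecting API address, the Yes | No | All semantics of the Process control functions, and the per-function directory restrictions. The FunctionalAuthority class, the stub resolver and every name, address and path in demo() are constructed for the illustration. Two details are assumptions of this model rather than statements from the page: a host name entry stands for the set of addresses it resolves to, and a function with no directory configured is unrestricted.

```python
import ipaddress
import ntpath
import socket
from dataclasses import dataclass, field

# Privileges whose "Yes" covers only the user's own Processes and whose "All"
# covers anyone's (Monitor, Change, Delete and Statistics in step 5).
OWNER_SCOPED = {"monitor", "change", "delete", "statistics"}


@dataclass
class FunctionalAuthority:
    """Hypothetical model of one user authority record (not the product's code)."""
    name: str
    # Client Source Addresses: comma-separated IPs/host names; empty = not checked.
    client_source_addresses: str = ""
    # Control-function privileges as "Yes" | "No" | "All".
    privileges: dict = field(default_factory=dict)
    # Directory restriction per function ("upload", "download", "process",
    # "program"); a missing key is treated as unrestricted (model assumption).
    directories: dict = field(default_factory=dict)


def default_resolver(host):
    """Resolve a host name to its IP address strings with the OS resolver."""
    try:
        return {info[4][0] for info in socket.getaddrinfo(host, None)}
    except socket.gaierror:
        return set()


def _entry_addresses(entry, resolver):
    # A list entry is either a literal IP or a host name (assumed to stand for
    # every address it resolves to).
    try:
        return {ipaddress.ip_address(entry)}
    except ValueError:
        addresses = set()
        for text in resolver(entry):
            try:
                addresses.add(ipaddress.ip_address(text))
            except ValueError:
                pass  # resolver returned something that is not an address
        return addresses


def client_address_allowed(auth, client_ip, resolver=default_resolver):
    """Apply the Client Source Addresses check to a connecting address."""
    entries = [e.strip() for e in auth.client_source_addresses.split(",") if e.strip()]
    if not entries:
        return True  # field left empty: no address validation for this user
    try:
        client = ipaddress.ip_address(client_ip)
    except ValueError:
        return False  # unparsable peer address: reject rather than guess
    return any(client in _entry_addresses(entry, resolver) for entry in entries)


def process_action_allowed(auth, action, requester, process_owner=None):
    """Decide a control function under the Yes | No | All semantics."""
    value = auth.privileges.get(action, "No")  # an unset privilege is denied
    if value == "No":
        return False
    if value == "All":
        return True
    if value == "Yes":
        return requester == process_owner if action in OWNER_SCOPED else True
    raise ValueError(f"unexpected privilege value {value!r} for {action}")


def directory_allowed(auth, function, path):
    """Is `path` inside the directory configured for this function (if any)?"""
    base_dir = auth.directories.get(function)
    if base_dir is None:
        return True
    # Collapse '.'/'..' and unify separators and case using Windows path rules.
    base = ntpath.normcase(ntpath.normpath(base_dir))
    candidate = ntpath.normcase(ntpath.normpath(path))
    if not (ntpath.isabs(base) and ntpath.isabs(candidate)):
        return False  # relative paths depend on the working directory: refuse
    try:
        return ntpath.commonpath([base, candidate]) == base  # whole-segment prefix
    except ValueError:
        return False  # different drives


def demo(resolver=lambda host: {"gateway.example": {"10.0.0.5"}}.get(host, set())):
    """Constructed sample decisions; the resolver's host table is made up."""
    admin = FunctionalAuthority("cdadmin", "", {"monitor": "All", "delete": "All"})
    user = FunctionalAuthority(
        "cduser@mydomain", "192.0.2.10, gateway.example",
        {"monitor": "Yes", "delete": "No", "submit": "Yes"},
        {"upload": r"C:\Data\In", "program": r"C:\Apps"},
    )
    return {
        "user_listed_ip": client_address_allowed(user, "192.0.2.10", resolver),
        "user_resolved_host": client_address_allowed(user, "10.0.0.5", resolver),
        "user_other_ip": client_address_allowed(user, "198.51.100.7", resolver),
        "admin_unrestricted": client_address_allowed(admin, "198.51.100.7", resolver),
        "user_monitor_own": process_action_allowed(user, "monitor", user.name, user.name),
        "user_monitor_other": process_action_allowed(user, "monitor", user.name, admin.name),
        "admin_delete_other": process_action_allowed(admin, "delete", admin.name, user.name),
        "upload_inside": directory_allowed(user, "upload", r"C:\Data\In\batch\report.csv"),
        "upload_traversal": directory_allowed(user, "upload", r"C:\Data\In\..\..\Windows\x.exe"),
        "upload_prefix_trick": directory_allowed(user, "upload", r"C:\Data\Inbox\report.csv"),
    }
```

The directory check normalizes both paths with Windows rules before comparing them segment by segment, so a path such as C:\Data\In\..\..\Windows resolves outside the configured Upload directory and is refused, and C:\Data\Inbox is not mistaken for a subdirectory of C:\Data\In. Call demo() to see the decisions; pass default_resolver instead of the stub to use the operating system's name resolution for host-name entries.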