About Local Functional Authorities
You can restrict the tasks a user can perform by defining user authorities for the user. For example, you can permit a user to submit Processes but not monitor or delete them. Define user authority as a default administrator or a general user. Then define the directories where a user can perform functions. You can define authorities for remote users, and you can group users under group authorities.
Define a Functional Authority Type
You can define three types of users: administrator, general, and operator users. Each user type has a set of default privileges. The default administrator, general user, and operator definitions allow the user to perform basic Connect:Direct tasks. You can use these templates to assign user authorities and restrict privileges. The following table defines the default authorities of the administrator, general user, and operator user:
Authority | Default Administrator | Default General User | Default Operator User |
---|---|---|---|
View Processes in the TCQ | yes | yes | yes |
Issue the copy receive, copy send, run job, and run task Process statements | yes | yes | no |
Issue the submit Process statement | all | yes | no |
Submit, change, and delete Processes for all users | yes | no | no |
Monitor Processes for all users | yes | yes | yes |
Submit, change, monitor, and delete your own Processes | yes | yes | no |
Run programs | yes | yes | no |
Access Process statistics | all | yes | all |
Upload and download files from any directory | yes | yes | yes |
Upload and download files to or from specific directories | no | no | no |
Run programs from any directory | yes | yes | no |
Run programs from specific directories | yes | no | no |
Update the network map | yes | no | view |
Update the translation table | yes | yes | view |
Update local user authorities | yes | no | view |
Update remote user secure point-of-entry proxies | yes | no | view |
Stop IBM® Connect:Direct for Microsoft Windows | yes | no | no |
Invoke the refresh initialization parameters options | yes | yes | view |
Use the trace tool or issue traceon and traceoff commands | yes | no | no |
Override execution priority, including Hold, Retain, and Plexclass status | all | yes | yes |
User type can override the CRC status | on (Note: The CRC will be off if Secure+ is used.) | off | off |
Override Process options such as file attributes and remote node ID | all | yes | off |
Updating Process Directory | yes | no | view |
Updating Integrated File Agent Configuration | yes | no | view |
Allow External Stats Logging | yes | no | no |
Updating Web Services configuration | yes | no | no |
Define Directories Where Users Can Perform Tasks
You then define directories where a user can perform tasks. If you do not specify a directory for a function, the user can perform it from any directory, regardless of whether the request is submitted from the PNODE or the SNODE; however, the remote user proxy can override the directory specification. Directory restrictions for the Upload and Download directory can be bypassed if restrictions are not also provided for the Process and Program directory paths. As a result, if the remote user is allowed to use the Run Task and Run Job features to execute commands from any directory, then they could perform operating system commands. These commands could include copy commands to copy files to any directory, bypassing the Upload and Download restrictions.
To prevent this, set directory restrictions for the Process and Program features using a separate directory path from the Upload and Download directory path, or disable the Run Job and Run Task features for this user. Programs that can be run are defined in the Process and Program directories.
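The check described above, written as an added example (not IBM's code and not a Connect:Direct API): a Python audit over exported authority records that flags users whose Upload and Download restrictions can be sidestepped. The record layout and field names (`upload_dir`, `download_dir`, `process_dir`, `program_dir`, `run_job`, `run_task`) are assumptions for illustration; an empty or missing directory means no restriction.

```python
from pathlib import PureWindowsPath

# Hypothetical record layout: field names are illustrative, not Connect:Direct
# parameter names. An empty or missing directory means "any directory".
TRANSFER_FIELDS = ("upload_dir", "download_dir")
EXEC_FIELDS = ("process_dir", "program_dir")


def overlaps(a, b):
    """True if two Windows paths are equal or one contains the other."""
    pa, pb = PureWindowsPath(a), PureWindowsPath(b)
    return pa == pb or pa in pb.parents or pb in pa.parents


def audit(user):
    """Return findings where transfer restrictions can be sidestepped."""
    transfer = [user[f] for f in TRANSFER_FIELDS if user.get(f)]
    can_exec = user.get("run_job") or user.get("run_task")
    if not transfer or not can_exec:
        return []  # nothing to bypass, or Run Job and Run Task are disabled
    findings = []
    for field in EXEC_FIELDS:
        path = user.get(field)
        if not path:
            findings.append(f"{field}: unrestricted while Run Job/Run Task is allowed")
        elif any(overlaps(path, t) for t in transfer):
            findings.append(f"{field}: not separate from an upload/download directory")
    return findings


# Constructed sample records, not taken from a real node.
USERS = [
    {"name": "partner_a", "upload_dir": r"D:\xfer\in", "download_dir": r"D:\xfer\out",
     "run_job": True, "run_task": True},
    {"name": "partner_b", "upload_dir": r"D:\xfer\in", "download_dir": r"D:\xfer\out",
     "process_dir": r"D:\cd\process", "program_dir": r"d:\XFER\in\bin",
     "run_job": False, "run_task": True},
    {"name": "partner_c", "upload_dir": r"D:\xfer\in", "download_dir": r"D:\xfer\out",
     "run_job": False, "run_task": False},
]

if __name__ == "__main__":
    for u in USERS:
        for finding in audit(u):
            print(f"{u['name']}: {finding}")
```

Path comparison uses `PureWindowsPath`, so drive letters and directory names match case-insensitively, as they do on the Windows node.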
Define Remote User Proxies
You can define remote user proxies. A remote user proxy associates a remote user with a local user ID and gives the remote user the authority to perform the same functions as the proxy. This is useful if you want to give a remote user access to a server, but you do not want to define a user ID and user authorities for the user. Defining a remote user proxy also provides the remote user access to the local node without the need to remember password information.