Setting Access Control Lists

Access Control Lists (ACLs) allow different users or groups from Active Directory to have different permissions to the functionality in JAMS. For example, you may assign full permissions to create, modify, and run Jobs for your Development group, but you may want to limit the permissions to Jobs for your Operations team, so they can only run Jobs. This helps to ensure your users can perform only the actions that are necessary for their roles. The table below shows a common set of permissions based on roles.

An ACL is a list of Access Control Entries (ACEs). Each ACE includes one identifier along with the type of user access. For example, when a user attempts to perform a function, JAMS starts at the top of the ACL listing to determine if the user can perform that particular function by checking the identifiers specified in each ACE against those held by the user. When a match is found, the user is granted the access specified on the ACE. If the end of the ACL is reached without a match, no access is granted.

NOTE: By default, new installations will have NT AUTHORITY\Authenticated Users set on the root folder in JAMS with full access to objects.
NOTE: Removing all ACEs on a JAMS object behaves the same as in Windows. When all ACEs are removed from an object, only the GrantAdministratorsByPass group will have access to the object. Previously, removing all ACEs from an object would give all Authenticated Users access to that object.
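
The evaluation order described above, as an added example (a Python model, not JAMS code): top-down matching of ACEs against the identifiers a user holds, plus a check for ACEs that sit below the default Authenticated Users entry. The CORP group names, the bypass group name, and the rule that the first matching ACE decides the result are assumptions of this example.

```python
from dataclasses import dataclass

AUTH_USERS = r"NT AUTHORITY\Authenticated Users"  # identifier named in the NOTE above

@dataclass(frozen=True)
class ACE:
    identifier: str      # one user or group
    access: frozenset    # access types this ACE grants

def held(identifiers):
    # Windows account names compare case-insensitively.
    return {i.casefold() for i in identifiers}

def is_allowed(acl, identifiers, access_type, bypass_group):
    """Top-down evaluation; the first matching ACE decides (assumed reading)."""
    ids = held(identifiers)
    if bypass_group.casefold() in ids:
        return True                           # bypass group keeps access, even to an empty ACL
    for ace in acl:                           # start at the top of the list
        if ace.identifier.casefold() in ids:
            return access_type in ace.access  # access specified on the matching ACE
    return False                              # end of list reached without a match

def shadowed_aces(acl, everyone=AUTH_USERS):
    """Identifiers listed below an `everyone` ACE: never reached for authenticated users."""
    for pos, ace in enumerate(acl):
        if ace.identifier.casefold() == everyone.casefold():
            return [a.identifier for a in acl[pos + 1:]]
    return []

# Constructed sample data: group names are placeholders, not JAMS defaults.
BYPASS = r"CORP\JAMS-Admins"
FULL = frozenset({"Add", "Change", "Delete", "Inquire"})
root_default = [ACE(AUTH_USERS, FULL)]        # root folder of a new installation
hardened = [
    ACE(r"CORP\JAMS-Dev", FULL),
    ACE(r"CORP\JAMS-Ops", frozenset({"Inquire"})),
]
misordered = [ACE(AUTH_USERS, FULL)] + hardened  # default ACE left above the new ones
ops_user = {r"CORP\alice", r"CORP\JAMS-Ops", AUTH_USERS}

if __name__ == "__main__":
    for name, acl in [("default", root_default), ("hardened", hardened),
                      ("misordered", misordered), ("empty", [])]:
        print(name, is_allowed(acl, ops_user, "Delete", BYPASS), shadowed_aces(acl))
```

Under this model, adding restrictive ACEs while the default entry stays at the top leaves the operations user with Delete access, which is the case `shadowed_aces` reports.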

Access Control Screen

The Access Control screen lets you add, modify, or remove ACEs in JAMS. These ACEs can then be used or modified on JAMS objects, such as Folders and Jobs, for a more granular level of control. The Security tab on each JAMS object displays the ACE with additional options.

The Access Control panel lists the various areas in JAMS that can have an ACL, including Agent Definitions, Calendar Definitions, and Configuration. The permission options will vary based on the selected ACE, but most include Add, Change, Delete and Inquire.

Adding an Access Control Entry

  1. Click Access Control from the Shortcuts menu.
  2. On the Access Control tab, select an option.
  3. Click New Access Control Entry.
  4. Enter the identifier for the ACE or click … to browse to it.
  5. Click Ok.
  6. Select the appropriate permissions, such as Add, Change, and Delete.
  7. Click Save.

Modifying an Access Control Entry

  1. Click Access Control from the Shortcuts menu.
  2. On the Access Control tab, select an option.
  3. Click an ACE.
  4. Select the appropriate permissions, such as Add, Change, and Delete.
  5. Click Save.

Deleting an Access Control Entry

You can delete an ACE if it is no longer being used. Note that when you click the Delete Access Control button, you will not be prompted to confirm the deletion.

  1. Click Access Control from the Shortcuts menu.
  2. On the Access Control tab, select an option.
  3. Click an ACE.
  4. Click Delete Access Control Entry.

Configuring Access Control

Typical implementations of JAMS Security Settings have four AD/LDAP groups: admin, developers, submitters, and inquirers. The table below outlines best practice permissions given to each group.

Admins are not listed because they are selected with the Grant Administrators Bypass option or the GrantBypassGroup in the Configuration shortcut. By default, local administrators have full access to JAMS. If local administrators should not have this level of access, clear the Grant Administrators Bypass option and enter another group in the Grant Bypass Group field.

A Job called SetJAMSAccessControl is available in the JAMS Folder. This Job configures JAMS Access Control on all JAMS objects in the Access Control shortcut, to match the best practices outlined below. You can select an Active Directory Group for each of the four categories.

Access Control Line Item    DEV  SUB  INQ

Agent Definitions
  Add                        X    -    -
  Change                     X    -    -
  Delete                     X    -    -
  Inquire                    X    X    X
Calendar Definitions
  Add                        X    -    -
  Change                     X    -    -
  Delete                     X    -    -
  Inquire                    X    X    X
Certificates
  Manage                     -    -    -
Configuration
  Execute                    -    -    -
  Inquire                    -    -    -
Credential Definitions
  Add                        X    -    -
  Change                     X    -    -
  Delete                     X    -    -
  Inquire                    X    X    X
Folder Definitions
  Add                        X    -    -
  Change                     X    -    -
  Control                    -    -    -
  Delete                     X    -    -
  Inquire                    X    X    X
History Inquiry
  Execute                    X    X    X
Job Definitions
  Add                        X    -    -
  Change                     X    -    -
  Delete                     X    -    -
  Inquire                    X    X    X
Menu Definitions
  Add                        X    -    -
  Change                     X    -    -
  Delete                     X    -    -
  Inquire                    X    X    X
Monitor
  Abort                      X    X    -
  Execute                    X    X    -
  Manage                     X    X    -
  See All Jobs               X    X    X
  See Own Jobs               X    X    X
Named Time Definitions
  Add                        X    -    -
  Change                     X    -    -
  Delete                     X    -    -
  Inquire                    X    X    X
  Manage                     X    -    -
Queue Definitions
  Add                        X    -    -
  Change                     X    -    -
  Delete                     X    -    -
  Inquire                    X    X    X
Reporting
  Add                        X    -    -
  Change                     X    -    -
  Delete                     X    -    -
  Execute                    X    X    X
  Inquire                    X    X    X
Resource Definitions
  Add                        X    -    -
  Change                     X    -    -
  Delete                     X    -    -
  Inquire                    X    X    X
  Manage                     X    -    -
Security
  Execute                    -    -    -
  Inquire                    -    -    -
Server
  Execute                    X    X    X
Variable Definitions
  Add                        X    -    -
  Change                     X    -    -
  Control                    -    -    -
  Delete                     X    -    -
  Inquire                    X    X    X

The access capabilities (access types) for each security function are detailed in the following sections.

Agent Definitions

  • Add: allows the addition of new Agent Definitions.
  • Change: allows the modification of existing Agent Definitions.
  • Delete: allows the deletion of Agent Definitions.
  • Inquire: permits inquiry into Agent Definitions.

Calendar Definitions

  • Add: permits the addition of new Calendars.
  • Change: allows the modification of existing Calendars.
  • Delete: allows the deletion of Calendars.
  • Inquire: permits inquiry into Calendars.

Certificates

  • Manage: manages and allows access to service-level certificates.

Configuration

  • Execute: grants or denies access to the Configuration options.
  • Inquire: allows viewing the status of the Configuration options.

Credential Definitions

  • Add: permits the addition of new user Credential Definitions.
  • Change: permits the modification of existing user Credential Definitions.
  • Delete: allows the deletion of user Credential Definitions.
  • Inquire: allows the inquiry into user Credential Definitions.

Folder Definitions

Each Folder Definition has its own access control information. This ACL can be viewed and/or modified from the Security tab in a Folder Definition.

To modify, delete, or view a Folder Definition, you must have Change, Delete, or Inquire access to the specific Folder Definition which you want to modify.

  • Add: allows the addition of new Folder Definitions.
  • Change: permits modifications to existing Folder Definitions.
  • Control: permits modification of an individual Folder ACL. This allows you to change the security/permission options for Folder Definitions.
  • Delete: permits the deletion of Folder Definitions.
  • Inquire: allows inquiry into Folder Definitions.

History Inquiry

History Inquiry has only one security option: Execute. You can either grant or deny access to view History entries.

Job Definitions

Job Definitions can also be controlled by the Access Control List within each Folder or individual Job Definition. To create a Job, you must have Add access to Job Definitions plus Job Add access to the Folder to which the Job belongs. To modify, delete, or inquire into a Job Definition, you must have the corresponding Job Change, Job Delete, or Job Inquire access rights for the Folder to which the Job belongs.

  • Add: allows the addition of new Job Definitions.
  • Change: permits modification of existing Job Definitions.
  • Delete: allows the deletion of Job Definitions.
  • Inquire: permits user inquiry into Job Definitions.

Menu Definitions

  • Add: permits the addition of new Menu Definitions.
  • Change: allows the modification of existing Menu Definitions.
  • Delete: allows the deletion of Menu Definitions.
  • Inquire: permits user inquiry into Menu Definitions.

Monitor

Monitor capabilities are also controlled using Folder and Job Definitions. For example, you could grant someone See All Jobs access to the Job Monitor giving them the ability to monitor all JAMS Jobs. Then each Folder Definition could define if the user can manage or abort any Jobs located within that Folder. Additionally, you can get even more granular and set additional allowances on individual Jobs.

  • Abort Jobs: permits a person to abort and restart any Job appearing on their display.
  • Execute: permits access to the Job Monitor. Only Jobs to which the user has Monitor access can be displayed.
  • Manage: allows a person to reschedule, hold, release and delete any Job appearing on their display.
  • See All Jobs: allows access to the Job Monitor and includes the ability to monitor Jobs submitted by anyone.
  • See Own Jobs: allows access to the Job Monitor but only displays Jobs submitted by the user running the monitor.

Named Time Definitions

  • Add: permits the addition of new Named Time Definitions.
  • Change: allows the modification of existing Named Time Definitions.
  • Delete: allows the deletion of Named Time Definitions.
  • Inquire: permits the inquiry into Named Time Definitions.
  • Manage: allows access to the Enable Time and Disable Time commands.

Queue Definitions

  • Add: permits the addition of new Queue Definitions.
  • Change: allows the modification of existing Queue Definitions.
  • Delete: permits the deletion of Queue Definitions.
  • Inquire: allows the inquiry into Queue Definitions.

Reporting

  • Add: allows the addition of new Report Definitions.
  • Change: allows the modification of existing Report Definitions.
  • Delete: allows the deletion of Report Definitions.
  • Execute: allows the execution of Report Definitions.
  • Inquire: permits the inquiry into Report Definitions.

Resource Definitions

  • Add: permits the addition of new Resource Definitions.
  • Change: allows the modification of existing Resource Definitions.
  • Delete: permits the deletion of Resource Definitions.
  • Inquire: allows inquiry into existing Resource Definitions.
  • Manage: allows the Jobs submitted by the user to acquire units of a Resource.

Security

  • Execute: grants the user the ability to modify the Access Control List for all security options.
  • Inquire: provides the user view access to the Access Control Lists for all security options.

Server

The Server ACL contains only one security option.

  • Execute: grants or denies access to the Server. This determines whether a user can log in to JAMS.

Variable Definitions

Each Variable has an individual ACL that is used to protect only that Variable. Variables do not inherit security settings from other JAMS objects, such as Folders. If you do not add other groups or users on a Variable, only the JAMS administrators and the account that created the Variable will have access.

  • Add: allows addition of new Variable Definitions.
  • Change: allows modification of existing Variable Definitions.
  • Control: permits the modification of an individual Variable's ACL.
  • Delete: allows the deletion of Variable Definitions.
  • Inquire: permits the inquiry into Variable Definitions.
