Monday, May 4, 2015

Security File - functionality, details & examples

In TWS, all user rights are granted or revoked using the "Security" file.

To modify the Security file, perform the following steps:

1. Run the dumpsec command to decrypt the current Security file into an editable configuration file.
dumpsec              # To display the operational Security file to stdout
dumpsec > sectemp    # To dump the operational Security file to a file name sectemp
2. Modify the user definitions with a text editor
edit sectemp
3. Close any open conman user interfaces using the exit command.
4. Stop any connectors on systems running Windows operating systems.
5. Run the makesec command to encrypt the security file and apply the modifications.
makesec sectemp
6. If you are using local security, the file will be immediately available on the workstation where it has been updated.
    If you are using centralized security you must now do the following:
       a. If you are using a backup master domain manager, copy the file to it
       b. Distribute the centralized file manually to all fault-tolerant agents in the network (not standard, extended, or broker agents), and store it in the TWA_home/TWS directory
       c. Run JnextPlan to distribute the Symphony file that corresponds to the new Security file

Below is a detailed list for all the options in the Security file and several generic examples:

Workstation definition and management:
CPU            CPU =   $THISCPU, # The workstation where you ran conman/composer
                       $MASTER,  # The master domain manager
                       $SLAVES,  # Any fault tolerant agent
                       serverA  # or TWS workstation "serverA"

               TYPE=   AGENT,     # Only "dynamic" agent
                       BROKER,    # BROKER workstations (that run JSDL from the Broker library)
                       FTA,       # Fault tolerant agents
                       D-POOL,    # Dynamic pool
                       MANAGER,   # Domain managers, including the master
                       POOL,      # Workstations type POOL
                       REM-ENG,   # Remote engine workstation
                       S-AGENT,   # Standard agents
                       X-AGENT    # Extended agents

               ACCESS= ADD,       # composer add
                       CONSOLE,   # conman cons
                       DELETE,    # composer delete
                       DISPLAY,   # composer display
                       FENCE,     # conman fence
                       LIMIT,     # conman limit
                       LINK,      # conman link
                       MODIFY,    # composer mod
                       RESETFTA,  # conman resetfta
                       RUN,       # composer maknew (jobs using JavaExt)
                       SHUTDOWN,  # conman shut
                       START,     # conman start
                       STOP,      # conman stop
                       UNLINK,    # conman unlink
                       LIST,      # conman showcpu/composer list
                       UNLOCK     # composer unlock
Job definition and management:
JOB            CPU =   $THISCPU, # The same workstation where the user logs on
                       $MASTER,  # The master workstation
                       $SLAVES,  # Any fault tolerant agent
                       $REMOTES  # Any standard agent
                       server@     # Any workstation whose name starts with "server"
                     
             + NAME =  J@   # Any job with the name starting in J
             ~ NAME =  J_@  # But not if it starts with J_
             + JCLTYPE = SCRIPTNAME # Allow only SCRIPTNAME type of job definition
             + JCLTYPE = DOCOMMAND  # Allow only DOCOMMAND type of job definition
             + LOGON=  $USER,     # Streamlogon is the conman/composer user
                       $OWNER,    # Streamlogon is the job creator
                       $JCLOWNER, # Streamlogon is the OS owner of the file
                       $JCLGROUP  # Streamlogon is the OS group of the file
             ~ LOGON=  root, twsuser  # The job does not logon as "root" or "twsuser"
             + JCL =   "/usr/local/bin/@"  # The script is in /usr/local/bin
             ~ JCL =  "@rm@" # But not any command containing "rm"
   
               ACCESS= ADD,         # composer new/rename
                       ADDDEP,      # conman adj
                       ALTPRI,      # conman apj
                       CANCEL,      # conman cj
                       CONFIRM,     # conman confirm
                       DELDEP,      # conman ddj
                       DELETE,      # composer delete/rename
                       DISPLAY,     # conman, composer display/create/list/print
                       KILL,        # conman kill
                       MODIFY,      # composer mod
                       RELEASE,     # conman rj
                       REPLY,       # conman reply (local prompt, recovery)
                       RERUN,       # conman rerun
                       SUBMIT,      # conman sbd
                       SUBMITDB,    # conman sbj
                       USE,         # composer use in job stream
                       LIST,        # conman showjobs
                       UNLOCK       # composer unlock
Windows username/passwords:
USEROBJ        CPU =   $THISCPU, # On the same workstation where the user logs on
                       $MASTER,  # On the master workstation
                       $SLAVES,  # On any fault tolerant agent
                       $REMOTES  # On any standard agent
             + LOGON=  "Workgroup\Administrator","twsuser"  # Admin or twsuser
             ~ LOGON=  "MyDomain\@" # but not in Domain "mydomain"

               ACCESS= ADD,     # composer add
                       DELETE,  # composer delete
                       DISPLAY, # composer display
                       MODIFY,  # composer modify
                       ALTPASS, # conman altpass
                       UNLOCK   # composer unlock
Job streams:
SCHEDULE       CPU =   $THISCPU, # The same workstation where the user logs on
                       $MASTER,  # The master workstation
                       $SLAVES,  # Any fault tolerant agent
                       $REMOTES  # Any standard agent
             + NAME =  STR@    # Any job stream with the name starting with STR
             ~ NAME = @ZZ      # and not ending in "ZZ"

               ACCESS= ADD,     # composer add
                       ADDDEP,  # conman ads
                       ALTPRI,  # conman aps
                       CANCEL,  # conman cs
                       DELDEP,  # conman dds
                       DELETE,  # composer delete
                       DISPLAY, # composer dis
                       LIMIT,   # conman ls
                       MODIFY,  # composer mod
                       RELEASE, # conman rs
                       REPLY,   # conman reply (local prompt)
                       SUBMIT,  # conman sbs
                       LIST,    # conman ss
                       UNLOCK   # composer unlock
Business calendars:
CALENDAR     + NAME =  CAL@    # Any calendar with the name starting with CAL
             ~ NAME = @ZZ      # and not ending in "ZZ"
               ACCESS= ADD,      # composer add
                       DELETE,   # composer delete
                       DISPLAY,  # composer display
                       MODIFY,   # composer modify
                       USE,      # use in a job stream
                       UNLOCK    # composer unlock
Create event rules:
EVENTRULE    + NAME =  EVT@    # Any event rules with the name starting with EVT
             ~ NAME =  ADM@    # and not starting with "ADM"
               ACCESS= ADD,     # composer add
                       DELETE,   # composer delete
                       DISPLAY,  # composer display
                       MODIFY,   # composer modify
                       LIST,     # conman "sc;getmon"
                       UNLOCK    # composer unlock
Which of the TWS object events can be used:
EVENT          PROVIDER=TWSObjectsMonitor
               TYPE=   JobStatusChanged,
                       JobUntil,
                       JobSubmit,
                       JobCancel,
                       JobRestart,
                       JobLate,
                       JobStreamStatusChanged,
                       JobStreamCompleted,
                       JobStreamUntil,
                       JobStreamSubmit,
                       JobStreamCancel,
                       JobStreamLate,
                       WorkstationStatusChanged,
                       ApplicationServerStatusChanged,
                       ChildWorkstationLinkChanged,
                       ParentWorkstationLinkChanged,
                       PromptStatusChanged
               ACCESS= USE # composer use an event in an event rule definition
Which of the file monitor events can be used:
EVENT          PROVIDER=FileMonitor
               TYPE=   FileCreated,
                       FileDeleted,
                       ModificationCompleted,
                       LogMessageWritten
               ACCESS= USE    # composer use an event in an event rule definition
               CUSTOM= SAMPLE # Specify security attribute for custom-made event drivers
Event rule actions
ACTION         PROVIDER=TECEventForwarder     # Forward events to omnibus
               TYPE=   TECFWD
               ACCESS= DISPLAY,  # composer display
                       SUBMIT,   # conman deploy
                       USE,      # composer use
                       LIST,     # conman "sc;getmon"
               HOST=   omnibushost.ibm.com
               PORT=   SNMPlistenerport
ACTION         PROVIDER=MailSender            # Send e-mail
               TYPE=   SendMail
               ACCESS= DISPLAY,  # composer display
                       SUBMIT,   # conman deploy
                       USE,      # composer use
                       LIST,     # conman "sc;getmon"
ACTION         PROVIDER = MessageLogger       # Write to the operator log
               TYPE =  MSGLOG
               ACCESS= DISPLAY,  # composer display
                       SUBMIT,   # conman deploy
                       USE,      # composer use
                       LIST,     # conman "sc;getmon"
ACTION         PROVIDER = TWSAction           # Perform TWS actions
               TYPE =  GenericAction
               ACCESS= DISPLAY,  # composer display
                       SUBMIT,   # conman deploy
                       USE,      # composer use
                       LIST,     # conman "sc;getmon"
Report generation
REPORT         NAME=   RUNHIST,  # Job Run History
                       RUNSTATS, # Job Run Statistics
                       WWS,      # Workstation Workload Summary
                       WWR,      # Workstation Workload Runtimes
                       SQL,      # Custom SQL
                       ACTPROD,  # Actual production details (for current and archived plans)
                       PLAPROD   # Planned production details
               ACCESS= DISPLAY   # composer display
Special purpose TWS files
FILE           NAME =  GLOBALOPTS,  # optman (ls, show, chg)
                       PRODSKED,    # planman (current plan)
                       SECURITY,    # dumpsec, makesec
                       SYMPHONY,    # stageman
                       TRIALSKED    # planman (trial and forecast)

               ACCESS= BUILD,   # planman deploy, stageman
                       DELETE,  # delete objects from the database
                       DISPLAY, # optman (ls, show), dumpsec, planman showinfo
                       MODIFY   # optman chg, makesec, planman (crt, ext, reset, crttrial, exttrial, crtfc)
Prompts
PROMPT       + NAME =  A@           # Prompts with names starting with "A"
             ~ NAME =  Z@           # Prompts names not starting with "Z"
               ACCESS= ADD,       # composer add/rename
                       DELETE,    # composer delete/rename
                       DISPLAY,   # composer display/list/print/create, conman recall
                       MODIFY,    # composer modify
                       REPLY,     # conman reply
                       USE,       # use in your job stream
                       LIST,      # composer list/ conman showprompts
                       UNLOCK     # composer unlock
Resources
RESOURCE       CPU =   @,        # All workstations
                       $THISCPU, # The same workstation where the user logs on
                       $MASTER,  # The master workstation
                       $SLAVES,  # Any fault tolerant agent
                       $REMOTES  # Any standard agent
             + NAME =  @
               ACCESS= ADD,       # composer add
                       DELETE,    # composer delete
                       DISPLAY,   # composer display
                       MODIFY,    # composer modify
                       RESOURCE,  # conman res/release util.
                       USE,       # use in your job stream
                       LIST,      # composer list/ conman showprompts
                       UNLOCK     # composer unlock
Variables
PARAMETER      CPU =   @,        # All workstations
                       $THISCPU, # The same workstation where the user logs on
                       $MASTER,  # The master workstation
                       $SLAVES,  # Any fault tolerant agent
                       $REMOTES  # Any standard agent
               NAME =  @
               ACCESS= ADD,      # composer add/rename or "parms -c"
                       DELETE,   # composer delete/rename
                       DISPLAY,  # composer display or "parms"
                       MODIFY,   # composer mod or "parms -c"
                       UNLOCK    # composer unlock
Run cycle groups
RUNCYGRP       NAME=   R@,       # Access to run cycle groups with name starting in "R"
               ACCESS= ADD,      # composer new/add
                       DELETE,   # composer delete
                       DISPLAY,  # composer display, extract
                       MODIFY,   # composer modify, lock
                       USE,      # use run cycle groups in job streams
                       LIST,     # composer list
                       UNLOCK    # composer unlock
Variable Tables
VARTABLE       NAME=   A@,       # Access to variable tables with name starting in "A"
                       $DEFAULT  # Access to the default variable table
               ACCESS= ADD,      # composer new/add
                       DELETE,   # composer delete
                       DISPLAY,  # composer display, extract
                       MODIFY,   # composer modify, lock
                       USE,      # use variable tables in run cycles, job streams, and workstations
                       LIST,     # composer list; also, list individual variable entries within the table
                       UNLOCK    # composer unlock

!!! Note: To allow users to create their own variable tables, but not touch the default table, use the following:
VARTABLE NAME=$DEFAULT ACCESS=DISPLAY,USE,LIST,UNLOCK
VARTABLE NAME=@        ACCESS=ADD,DELETE,DISPLAY,MODIFY,USE,LIST,UNLOCK
A special "DEFAULT" user stanza for everybody not listed above causes unlisted users to be accepted through console connections but gives them no access to any object once connected: they are "trapped" by the system and logged.
USER DEFAULT
  CPU =        @
  +LOGON =     # Everybody not listed above
               @
BEGIN
  # No access privileges!
END

!!! Note: To include something use "+"; to exclude something use "~":
JOB     CPU=$SLAVES+NAME=ABC@   ACCESS=ADD,ADDDEP,ALTPRI,CANCEL,CONFIRM,DELDEP,DELETE,DISPLAY,KILL,MODIFY,RELEASE,REPLY,RERUN,SUBMIT,USE,LIST,UNLOCK,SUBMITDB  # Full access to jobs on $SLAVES starting with name ABC@
JOB     CPU=APP_WK~NAME=@XYZ   ACCESS=ADD,ADDDEP,ALTPRI,CANCEL,CONFIRM,DELDEP,DELETE,DISPLAY,KILL,MODIFY,RELEASE,REPLY,RERUN,SUBMIT,USE,LIST,UNLOCK,SUBMITDB   # No access to jobs on APP_WK ending in @XYZ
SCHEDULE        CPU=$MASTERS~NAME=FINAL   ACCESS=ADDDEP,ALTPRI,CANCEL,DELDEP,DISPLAY,RELEASE,SUBMIT,LIST                                                       # No access to job stream FINAL on $MASTERS

Examples (these are generic and should be customized to match your needs):

Default installation security file for TWS admin user / group:
USER MAESTRO
        CPU=@+LOGON=twsuser
BEGIN
        USEROBJ CPU=@   ACCESS=ADD,DELETE,DISPLAY,MODIFY,USE,ALTPASS,LIST,UNLOCK
        JOB     CPU=@   ACCESS=ADD,ADDDEP,ALTPRI,CANCEL,CONFIRM,DELDEP,DELETE,DISPLAY,KILL,MODIFY,RELEASE,REPLY,RERUN,SUBMIT,USE,LIST,UNLOCK,SUBMITDB,RUN
        SCHEDULE        CPU=@   ACCESS=ADD,ADDDEP,ALTPRI,CANCEL,DELDEP,DELETE,DISPLAY,LIMIT,MODIFY,RELEASE,REPLY,SUBMIT,LIST,UNLOCK
        RESOURCE        CPU=@   ACCESS=ADD,DELETE,DISPLAY,MODIFY,RESOURCE,USE,LIST,UNLOCK
        PROMPT          ACCESS=ADD,DELETE,DISPLAY,MODIFY,REPLY,USE,LIST,UNLOCK
        FILE    NAME=@  ACCESS=BUILD,DELETE,DISPLAY,MODIFY,UNLOCK
        CPU     CPU=@   ACCESS=ADD,CONSOLE,DELETE,DISPLAY,FENCE,LIMIT,LINK,MODIFY,SHUTDOWN,START,STOP,UNLINK,LIST,UNLOCK,RUN,RESETFTA
        PARAMETER       CPU=@   ACCESS=ADD,DELETE,DISPLAY,MODIFY,LIST,UNLOCK
        CALENDAR                ACCESS=ADD,DELETE,DISPLAY,MODIFY,USE,LIST,UNLOCK
        REPORT  NAME=@  ACCESS=DISPLAY
        EVENTRULE       NAME=@  ACCESS=ADD,DELETE,DISPLAY,MODIFY,LIST,UNLOCK
        ACTION  PROVIDER=@      ACCESS=DISPLAY,SUBMIT,USE,LIST
        EVENT   PROVIDER=@      ACCESS=USE
        VARTABLE        NAME=@  ACCESS=ADD,DELETE,DISPLAY,MODIFY,USE,LIST,UNLOCK
END
USER MAESTRO_GROUP
        CPU=@+GROUP=@TWSadmins
BEGIN
        USEROBJ CPU=@   ACCESS=ADD,DELETE,DISPLAY,MODIFY,USE,ALTPASS,LIST,UNLOCK
        JOB     CPU=@   ACCESS=ADD,ADDDEP,ALTPRI,CANCEL,CONFIRM,DELDEP,DELETE,DISPLAY,KILL,MODIFY,RELEASE,REPLY,RERUN,SUBMIT,USE,LIST,UNLOCK,SUBMITDB,RUN
        SCHEDULE        CPU=@   ACCESS=ADD,ADDDEP,ALTPRI,CANCEL,DELDEP,DELETE,DISPLAY,LIMIT,MODIFY,RELEASE,REPLY,SUBMIT,LIST,UNLOCK
        RESOURCE        CPU=@   ACCESS=ADD,DELETE,DISPLAY,MODIFY,RESOURCE,USE,LIST,UNLOCK
        PROMPT          ACCESS=ADD,DELETE,DISPLAY,MODIFY,REPLY,USE,LIST,UNLOCK
        FILE    NAME=@  ACCESS=BUILD,DELETE,DISPLAY,MODIFY,UNLOCK
        CPU     CPU=@   ACCESS=ADD,CONSOLE,DELETE,DISPLAY,FENCE,LIMIT,LINK,MODIFY,SHUTDOWN,START,STOP,UNLINK,LIST,UNLOCK,RUN,RESETFTA
        PARAMETER       CPU=@   ACCESS=ADD,DELETE,DISPLAY,MODIFY,LIST,UNLOCK
        CALENDAR                ACCESS=ADD,DELETE,DISPLAY,MODIFY,USE,LIST,UNLOCK
        REPORT  NAME=@  ACCESS=DISPLAY
        EVENTRULE       NAME=@  ACCESS=ADD,DELETE,DISPLAY,MODIFY,LIST,UNLOCK
        ACTION  PROVIDER=@      ACCESS=DISPLAY,SUBMIT,USE,LIST
        EVENT   PROVIDER=@      ACCESS=USE
        VARTABLE        NAME=@  ACCESS=ADD,DELETE,DISPLAY,MODIFY,USE,LIST,UNLOCK
END
Scheduling and monitoring access rights for an application using TWS:
USER APP_admins
        CPU=@+GROUP=@APPadmins
BEGIN
        USEROBJ CPU=APP_WK   ACCESS=ADD,DELETE,DISPLAY,MODIFY,USE,ALTPASS,LIST,UNLOCK
        JOB     CPU=APP_WK   ACCESS=ADD,ADDDEP,ALTPRI,CANCEL,CONFIRM,DELDEP,DELETE,DISPLAY,KILL,MODIFY,RELEASE,REPLY,RERUN,SUBMIT,USE,LIST,UNLOCK,SUBMITDB,RUN
        SCHEDULE        CPU=APP_WK   ACCESS=ADD,ADDDEP,ALTPRI,CANCEL,DELDEP,DELETE,DISPLAY,LIMIT,MODIFY,RELEASE,REPLY,SUBMIT,LIST,UNLOCK
        RESOURCE        CPU=APP_WK   ACCESS=ADD,DELETE,DISPLAY,MODIFY,RESOURCE,USE,LIST,UNLOCK
        PROMPT  NAME=APP@        ACCESS=ADD,DELETE,DISPLAY,MODIFY,REPLY,USE,LIST,UNLOCK
        CPU     CPU=APP_WK   ACCESS=CONSOLE,DISPLAY,FENCE,LIMIT,LINK,MODIFY,LIST
        PARAMETER       CPU=APP_WK   ACCESS=ADD,DELETE,DISPLAY,MODIFY,LIST,UNLOCK
        CALENDAR  NAME=APP@   ACCESS=ADD,DELETE,DISPLAY,MODIFY,USE,LIST,UNLOCK
        VARTABLE        NAME=APP@  ACCESS=ADD,DELETE,DISPLAY,MODIFY,USE,LIST,UNLOCK
END
Specific application operators:
USER OPERATORS
        CPU=@+GROUP=@APPOperators
BEGIN
        USEROBJ CPU=APP_WK     ACCESS=ADD,DELETE,DISPLAY,MODIFY,ALTPASS,UNLOCK
        JOB     CPU=APP_WK     ACCESS=ADDDEP,ALTPRI,CANCEL,CONFIRM,DELDEP,DISPLAY,KILL,RELEASE,RERUN,SUBMIT,LIST,SUBMITDB
        SCHEDULE        CPU=APP_WK     ACCESS=ADDDEP,ALTPRI,CANCEL,DELDEP,DISPLAY,LIMIT,RELEASE,REPLY,SUBMIT,LIST
        CPU     CPU=APP_WK     ACCESS=DISPLAY,FENCE,LIMIT,LINK,START,STOP,UNLINK,LIST
END
A generic monitoring access:
USER MONITORING
        CPU=@+LOGON=userA,userB
BEGIN
        JOB     CPU=$SLAVES  ACCESS=DISPLAY,RERUN,LIST
        SCHEDULE        CPU=$SLAVES  ACCESS=DISPLAY,LIST
        CPU     CPU=$SLAVES     ACCESS=DISPLAY,FENCE,LIMIT,LINK,START,STOP,UNLINK,LIST
END
Full read-only access:
USER READONLY
        CPU=@+LOGON=readuser
BEGIN
        USEROBJ CPU=@   ACCESS=DISPLAY
        JOB     CPU=@   ACCESS=DISPLAY
        SCHEDULE        CPU=@   ACCESS=DISPLAY
        RESOURCE        CPU=@   ACCESS=DISPLAY
        PROMPT          ACCESS=DISPLAY
        FILE    NAME=@  ACCESS=DISPLAY
        CPU     CPU=@   ACCESS=DISPLAY
        PARAMETER       CPU=@   ACCESS=DISPLAY
        CALENDAR                ACCESS=DISPLAY
        REPORT  NAME=@  ACCESS=DISPLAY
        EVENTRULE       NAME=@  ACCESS=DISPLAY
        ACTION  PROVIDER=@      ACCESS=DISPLAY
        VARTABLE        NAME=@  ACCESS=DISPLAY
END
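To review a Security file rather than read it stanza by stanza, it helps to parse the dumpsec output into one row per object definition and then ask "which USER stanzas can do X to object Y". The script below is an added example (not part of the original post and not an IBM tool) that does this for the stanza shapes shown above: it reads USER ... BEGIN ... END blocks, splits each definition into its attribute clauses, and applies the "+" include / "~" exclude rules from the JOB definition section and the note above. It assumes, as the post describes, that values within one clause are alternatives, that all clauses of a definition must hold, and that "@" matches any string; matching is case-sensitive, and quoted values (such as the USEROBJ logon examples) and the HOST/PORT/CUSTOM attributes are not handled. The sample input is constructed for the example.

```python
import re
from collections import namedtuple

# Object keywords that open a definition inside BEGIN ... END (from the post).
OBJECT_KEYWORDS = {"CPU", "JOB", "USEROBJ", "SCHEDULE", "CALENDAR", "EVENTRULE", "EVENT", "ACTION",
                   "REPORT", "FILE", "PROMPT", "RESOURCE", "PARAMETER", "RUNCYGRP", "VARTABLE"}
# One "ATTR = value" clause, optionally prefixed by + (include) or ~ (exclude); the value
# runs lazily up to the next "ATTR =" clause or the end of the text.
CLAUSE_RE = re.compile(r"([+~]?)\s*([A-Za-z]+)\s*=\s*(.*?)(?=\s*[+~]?\s*[A-Za-z]+\s*=|$)")
Grant = namedtuple("Grant", "user principals obj filters access")

# Constructed sample in dumpsec output format (not a real file): an admin user, an operator
# group confined to one workstation, and the catch-all DEFAULT stanza.
SAMPLE_SECURITY = """\
USER MAESTRO
        CPU=@+LOGON=twsuser
BEGIN
        JOB     CPU=@   ACCESS=ADD,DISPLAY,SUBMIT,RUN
        FILE    NAME=@  ACCESS=BUILD,DELETE,DISPLAY,MODIFY,UNLOCK
END
USER OPERATORS
        CPU=@+GROUP=@APPOperators
BEGIN
        JOB     CPU=APP_WK~NAME=@XYZ   ACCESS=DISPLAY,RERUN,LIST
        FILE    NAME=SECURITY          ACCESS=DISPLAY,MODIFY   # can rewrite the Security file
END
USER DEFAULT
  CPU =        @
  +LOGON =     # Everybody not listed above
               @
BEGIN
END
"""

def _clauses(text):
    """Yield (sign, ATTR, [values]) for each clause of a joined definition."""
    for sign, attr, value in CLAUSE_RE.findall(text):
        values = [v for v in re.split(r"[,\s]+", value.strip()) if v]
        if values:
            yield sign or "+", attr.upper(), values

def parse_security(text):
    """Parse dumpsec output into Grant rows: one per object definition per USER stanza."""
    grants, state, user, header, body = [], "outside", None, [], []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments and blank lines
        if not line:
            continue
        if state == "outside" and line.upper().startswith("USER "):
            user, header, body, state = line.split(None, 1)[1], [], [], "header"
        elif state == "header":
            if line.upper() == "BEGIN":
                state = "body"
            else:
                header.append(line)                  # "CPU = @", "+LOGON = @", ...
        elif state == "body":
            if line.upper() == "END":
                grants.extend(_grants(user, " ".join(header), body))
                state = "outside"
            elif line.split()[0].upper() in OBJECT_KEYWORDS:
                body.append(line)
            elif body:
                body[-1] += " " + line               # continuation of the previous definition
    return grants

def _grants(user, header, body):
    principals = ["%s%s=%s" % (s, a, ",".join(v)) for s, a, v in _clauses(header)
                  if a in ("LOGON", "GROUP")]
    for definition in body:
        obj, _, rest = definition.partition(" ")
        filters, access = [], []
        for sign, attr, values in _clauses(rest):
            if attr == "ACCESS":
                access = [v.upper() for v in values]
            else:
                filters.append((sign, attr, values))
        yield Grant(user, ";".join(principals), obj.upper(), filters, access)

def tws_glob(pattern, name):
    """Wildcard match as used in the Security file: @ matches any string (case-sensitive)."""
    return re.fullmatch(".*".join(map(re.escape, pattern.split("@"))), name) is not None

def who_can(grants, obj, access, **attrs):
    """USER stanzas whose definition of `obj` grants `access` to an object with the given
    attributes: every + filter must match one of its values and no ~ filter may match
    (filters on attributes not supplied are ignored)."""
    users = set()
    for g in grants:
        if g.obj != obj or access not in g.access:
            continue
        hits = [(sign, any(tws_glob(v, attrs[attr]) for v in values))
                for sign, attr, values in g.filters if attr in attrs]
        if all(hit if sign == "+" else not hit for sign, hit in hits):
            users.add(g.user)
    return sorted(users)

if __name__ == "__main__":
    rows = parse_security(SAMPLE_SECURITY)
    print("Can rewrite the Security file:", who_can(rows, "FILE", "MODIFY", NAME="SECURITY"))
```

On a real system, feed it the file produced by "dumpsec > sectemp" (parse_security(open("sectemp").read())). The DEFAULT stanza correctly yields no rows, which is the "trapped" state described above; the query worth running first is the one in the main block, since MODIFY on FILE SECURITY (including through NAME=@) lets a user rewrite the file that defines everybody else's rights.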

5 comments:

  1. It's nice to see such huge information!! Great work :)
    Can you please explain the Events functionality in TWS, like where the flow starts and how it reaches the job start.. Thanks

    1. Thanks for the feedback

      I will put this on the to-do list

  2. Well Put, Radu. Thank you.

    I am trying to create a custom report using 'Reports -> SQL Query'.
    The start time from the SQL doesn't match with the actual start time from the PLAN.

    Can you please help me with a SQL which would fetch the JOB NAME, START TIME & END TIME of a JOBSTREAM for a particular day?

  3. I have a request to convert the data from the security file to CSV format (User ID, Group, Entitlements). Any suggestions?
