1.14 Access Control
Access Control Lists are used to define access restrictions for various
capabilities within the JAMS system. JAMS access
control makes use of OpenVMS Access Control Lists, also known as ACLs.
Refer to the OpenVMS documentation for more information on Access
Control Lists.
An ACL is a list of Access Control Entries (or ACEs). An ACE consists of one or more identifiers and the types of access to be granted to users who match the identifiers.
The identifier field can contain one or more user identifiers separated by a plus sign (+). Identifiers can take any of the following forms:
These identifiers can be combined, for example, "[100,*]+PAYROLL_USER" will only match users in UIC group 100 who have the PAYROLL_USER rights identifier.
When JAMS checks whether a user can perform a function, it starts at the top of the ACL and checks the identifiers specified in each ACE against the identifiers held by the user. When a match is found, the user is granted only the access specified on the ACE which matched; subsequent ACEs in the list are not checked. If the end of the list is reached without finding a match, no access is granted.
The Access fields on the ACE Maintenance Screen will vary based on the
function whose security you are modifying. The Access fields accept a Y
(yes) or N (no) entry to either grant or deny the specified access
capability. The Access capabilities for each of the security functions
are explained in the following sections.
1.14.1 History Inquiry
History Inquiry has only one security option, Inquiry. You can either
grant or deny access to the History Inquiry application.
1.14.2 Job Monitor Access
Job Monitor security has the following access types:
Access | Description |
---|---|
Execute | Allows access to the Job Monitor. Only Jobs which the user has MONITOR access to will be displayed. MONITOR access is defined in the Jobs System definition. |
See_All_Jobs | Allows access to the Job Monitor and the ability to monitor jobs submitted by anyone. |
See_Own_Jobs | Allows access to the Job Monitor but only jobs submitted by the user running the monitor will be displayed. |
Operator | Allows a person to reschedule, hold, release and delete any job which is on their display. |
Abort_Jobs | Allows a person to abort and restart any job which is on their display. |
Monitor capabilities are also controlled by System definitions. For
example, you could grant someone SEE_ALL_JOBS access to the Job Monitor
which would let them monitor all batch jobs. Then each System
definition could define whether or not the user can manage or abort
Jobs which are in the System.
1.14.3 Setup Definitions
Setup Definitions has the following access types:
Access | Description |
---|---|
Add | Allows addition of new Setup definitions |
Change | Allows modification of existing Setup definitions |
Inquire | Allows inquiry into Setup definitions |
Delete | Allows deletion of Setup definitions |
Setup definitions are also controlled by the Access Control List of each System definition. To create a Setup, you need to have ADD access to Setup definitions, SUBMIT access to the System to which the Setup's Job definition belongs, and DEFINE_SETUP access to the System to which the Setup definition belongs.
The SUBMIT and DEFINE_SETUP access rights are defined for each System
definition. Refer to Section 1.2, System Definitions, for more information on Systems
and their security.
1.14.4 Job Definitions
The Job Definitions function has the following access types:
Access | Description |
---|---|
Add | Allows addition of new Job definitions |
Change | Allows modification of existing Job definitions |
Inquire | Allows inquiry into Job definitions |
Delete | Allows deletion of Job definitions |
Job definitions are also controlled by the Access Control List of each System definition. To create a Job, you need to have ADD access to Job definitions, and you must have JOB_ADD access to the System to which the Job belongs. Similarly, to modify, delete or inquire into a Job definition, you must have the corresponding JOB_CHANGE, JOB_DELETE or JOB_INQUIRE access right for the System to which the Job belongs.
Refer to Section 1.2, System Definitions, for more information on Systems and their
security.
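The first-match ACL evaluation described in Section 1.14 and the two-layer check for creating a Job described above can be modelled as follows. This is an added example, not JAMS code: the `User` model, the ACL contents and the `AUDITOR` rights identifier are constructed for illustration, and only the two identifier forms shown on this page (a UIC pattern and a rights identifier) are handled.

```python
import re
from dataclasses import dataclass

UIC_RE = re.compile(r"^\[([^,\]]+),([^,\]]+)\]$")    # e.g. [100,*]

@dataclass(frozen=True)
class User:                       # simplified model, an assumption of this example
    uic: tuple                    # (group, member) as strings
    rights: frozenset = frozenset()

def holds(user, ident):
    """True if the user matches one identifier: a UIC pattern or a rights identifier."""
    m = UIC_RE.match(ident.strip())
    if m:
        return all(p in ("*", v) for p, v in zip(m.groups(), user.uic))
    return ident.strip().upper() in user.rights

def check(acl, user, access):
    """First-match evaluation: only the first ACE whose identifiers all match counts."""
    for identifiers, granted in acl:
        if all(holds(user, i) for i in identifiers.split("+")):
            return access in granted       # later ACEs are never consulted
    return False                           # end of list reached: no access

# Constructed ACLs: (identifier field, set of accesses marked Y)
JOB_DEFINITIONS_ACL = [
    ("[100,*]+PAYROLL_USER", {"ADD", "CHANGE", "INQUIRE", "DELETE"}),
    ("[100,*]", {"INQUIRE"}),
]
PAYROLL_SYSTEM_ACL = [
    ("AUDITOR", {"JOB_INQUIRE"}),          # hypothetical rights identifier
    ("PAYROLL_USER", {"JOB_ADD", "JOB_CHANGE", "JOB_INQUIRE"}),
]

def can_create_job(user, function_acl=JOB_DEFINITIONS_ACL, system_acl=PAYROLL_SYSTEM_ACL):
    """Creating a Job needs ADD on Job definitions and JOB_ADD on the owning System."""
    return check(function_acl, user, "ADD") and check(system_acl, user, "JOB_ADD")

alice = User(("100", "7"), frozenset({"PAYROLL_USER"}))
bob = User(("100", "12"))                                   # group 100, no rights identifier
carol = User(("100", "3"), frozenset({"PAYROLL_USER", "AUDITOR"}))
dave = User(("200", "1"), frozenset({"PAYROLL_USER"}))      # wrong UIC group

if __name__ == "__main__":
    for name, u in [("alice", alice), ("bob", bob), ("carol", carol), ("dave", dave)]:
        print(name, can_create_job(u))
```

In this model `carol` holds PAYROLL_USER but is still refused JOB_ADD, because the earlier AUDITOR entry matches first; when reviewing an ACL, read it top to bottom and place the more specific entries ahead of the broader ones.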
1.14.5 System Definitions
System Definitions has the following access types:
Access | Description |
---|---|
Control | Allows modification of a System's individual ACL |
Add | Allows addition of new System definitions |
Change | Allows modification of existing System definitions |
Inquire | Allows inquiry into System definitions |
Delete | Allows deletion of System definitions |
Each System Definition has its own access control information. This ACL can be viewed and/or modified from the System Definitions menu option.
Note that in order to modify, delete or view a System definition, you
must have CHANGE, DELETE or INQUIRE access to System definitions and
CHANGE, DELETE or INQUIRE access to the specific System definition
which you want to manipulate.
1.14.6 Menu Definitions
Menu Definitions has the following access types:
Access | Description |
---|---|
Add | Allows addition of new Menu definitions |
Change | Allows modification of existing Menu definitions |
Inquire | Allows inquiry into Menu definitions |
Delete | Allows deletion of Menu definitions |
The Variable Definitions function has the following access types:
Access | Description |
---|---|
Control | Allows modification of Variables' individual ACLs, provided that the Variable's individual ACL also grants CONTROL. |
Add | Allows addition of new Variable definitions |
Change | Allows modification of existing Variable definitions |
Inquire | Allows inquiry into Variable definitions |
Delete | Allows deletion of Variable definitions |
Each Variable has an individual ACL which is used to protect only that
Variable.
1.14.8 Trigger Definitions
The Trigger Definitions function has the following access types:
Access | Description |
---|---|
Reset | Allows use of the RESET command. |
Manage | Allows use of the ENABLE and DISABLE commands. |
Add | Allows addition of new Trigger definitions |
Change | Allows modification of existing Trigger definitions |
Inquire | Allows inquiry into Trigger definitions |
Delete | Allows deletion of Trigger definitions |
Date Maintenance has the following access types:
Access | Description |
---|---|
Add | Allows addition of new Date definitions |
Change | Allows modification of existing Date definitions |
Inquire | Allows inquiry into Date definitions |
Delete | Allows deletion of Date definitions |
Configuration has only one security option, Execute. You can either
grant or deny access to the Configuration application.
1.14.11 Date Type Definitions
Date Type Maintenance has the following access types:
Access | Description |
---|---|
Add | Allows addition of new Date Types |
Change | Allows modification of existing Date Types |
Inquire | Allows inquiry into Date Types |
Delete | Allows deletion of Date Types |
Access Control has two security options, Execute and Inquiry. Execute
access grants the ability to manipulate the Access Control Lists for
all security options.
1.14.13 Node Definitions
The Node Maintenance security option controls the ability to access Node and Node Group definitions. Node Maintenance has the following access types:
Access | Description |
---|---|
Add | Allows addition of new Node definitions |
Change | Allows modification of existing Node definitions |
Inquire | Allows inquiry into Node definitions |
Delete | Allows deletion of Node definitions |
The Named Times Access security option controls the ability to access Named Time Definitions. Named Time Access has the following access types:
Access | Description |
---|---|
Manage | Allows access to the ENABLE TIME and DISABLE TIME commands |
Add | Allows addition of new Named Time definitions |
Change | Allows modification of existing Named Time definitions |
Inquire | Allows inquiry into Named Time definitions |
Delete | Allows deletion of Named Time definitions |
The Username Access security option controls the ability to use the SET USERNAME and EXTRACT USERNAME commands. Username Access has the following access types:
Access | Description |
---|---|
Execute | Allows use of the SET USERNAME command |
Inquire | Allows use of the EXTRACT USERNAME command |
The Resource Access security option controls the ability to access Resource Definitions. Resource Access has the following access types:
Access | Description |
---|---|
Add | Allows addition of new Resource definitions using the CREATE RESOURCE/NOREPLACE command |
Change | Allows modification of existing Resource definitions using the CREATE RESOURCE/REPLACE or the SET RESOURCE commands |
Inquire | Allows inquiry into existing Resource definitions using the EXTRACT RESOURCE or SHOW RESOURCE commands |
Delete | Allows deletion of Resource definitions using the DELETE RESOURCE command |
Copyright © 2000, MVP Systems, Inc. All rights reserved. |