CA Process Automation provides fine-grained access control to operations on specific automation objects such as processes, datasets, and schedules. Access control includes not only traditional read and write rights but also rights to start a process and monitor its instances. Access to other objects such as child processes, datasets, or calendars is also controlled. The access rights are enforced at all external interfaces, including the UIs and Web Services.
Consider the following example with these assumptions:
If User A starts a P1 instance, P1 can start P2 only if User A is authorized to start P2 directly. To protect automation objects from exposure, Owner X can require process P1 (or any of its child processes or operators) to run as owner, that is, to run under the identity of Owner X. When Owner X configures a process to Run as Owner, owner X is authorizing other users to run process P1 without granting them access to the elements P1 needs.
Similarly, Owner X can force operators to run under the identity of the user who started the process instance. Although process P1 is configured to Run as Owner, Owner X can force the child process P2 to run under the identity of the user who directly or indirectly starts process P1. In this case, CA Process Automation uses the identity of the originating user to validate access to child process P2.
Consider this scenario: A DBA user creates a database administration process that requires externalizing the DBA credentials to a named Dataset. The DBA configures this process to run as the owner. Run as Owner grants instances of the process access to the dataset that stores the DBA credentials. The DBA authorizes selected users to execute a specific DBA process, without granting these users direct access to the DBA credentials.
In summary, a running process instance has two related identities:
Note: The identity of the current, effective user is used to validate access to child processes, operators, and datasets.
|
Copyright © 2014 CA.
All rights reserved.
|
|