Redwood Documentation


Granting and Revoking Object Privileges

Object privileges can be granted to, or revoked from, a custom role or user for a specific object. You cannot modify any of the core, predefined, or user access roles:

Core roles (always required):

  • scheduler-administrator - can perform all actions.
  • scheduler-bae-only-user - indicates that the user account is restricted to logging in via the SAP Inbound interface, only.
  • scheduler-isolation-administrator - can import and modify users.
  • scheduler-screen-reader - indicates that you are using a screen reader.
  • scheduler-user - has access to Redwood Server only, cannot see any objects (always required, even for administrators).
  • scheduler-viewer - read-only access to all objects.
  • redwood-administrator - can perform all actions.
  • redwood-login - has access to Redwood Server only, cannot see any objects (always required, even for administrators).
  • redwood-support - read-only access to all objects.

The user access roles are bound to features that require a specific license key:

  • scheduler-business-user - can access the business-user-centric user interface.
  • scheduler-it-user - can access the IT-user-centric user interface.

Predefined roles (optional):

  • scheduler-event-operator - can raise and clear events, as well as all privileges assigned to scheduler-viewer.
  • scheduler-job-administrator - can create/edit/delete event definitions, process definitions, and chain definitions, and modify both processes and chains, as well as all privileges assigned to scheduler-event-operator.
  • redwood-operator - a combination of the two above roles.
note

The roles scheduler-business-user and scheduler-it-user are used by the Insight module.

Object privileges cannot be granted directly; you grant ranks of privileges. For example, the Job Administrator rank contains the View, View Jobs, and Submit Onto privileges. This prevents human error: to submit a process or chain into a queue and monitor its status, you need to be able to see the queue, see the processes and chains in that queue, and submit a process or chain into the queue. Furthermore, privileges can be granted as Granted or as Grantable; when you grant a privilege as Grantable, the grantee can grant the privilege to other users.

Exportable privileges are exported together with the object; the grantee has to exist in the system where you import the object.

The figure below illustrates the privileges of user jdoe on the queue ER2_Queue.

note

Special care needs to be taken when you revoke privileges from users that have scheduled processes and chains with recurrences. If you revoke a privilege that is required to re-submit the process or chain, the resubmit of the process or chain will fail.
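The rank, Grantable, and revocation rules described above can be checked against a small model before changing a real grant. The following is an added example, not Redwood code and not the Redwood API: all type and method names, the VIEW_ONLY rank, the user asmith, and the sample data are constructed for illustration.

```java
import java.util.*;

// Simplified model, not the Redwood API: every type and method name is hypothetical.
public class RankModel {
    enum Privilege { VIEW, VIEW_JOBS, SUBMIT_ONTO }
    // JOB_ADMINISTRATOR bundles the three privileges named on the page;
    // VIEW_ONLY is a constructed rank, added only for contrast.
    enum Rank {
        VIEW_ONLY(EnumSet.of(Privilege.VIEW)),
        JOB_ADMINISTRATOR(EnumSet.allOf(Privilege.class));
        final Set<Privilege> privileges;
        Rank(Set<Privilege> privileges) { this.privileges = privileges; }
    }

    static final class Grant {
        final Rank rank; final boolean grantable;
        Grant(Rank rank, boolean grantable) { this.rank = rank; this.grantable = grantable; }
    }
    // Grants on a single queue, keyed by grantee name.
    private final Map<String, Grant> grants = new HashMap<>();

    // granter == null models an administrator. Assumption: a grantee may pass on
    // only ranks whose privileges are all covered by a Grantable grant they hold.
    boolean grant(String granter, String grantee, Rank rank, boolean grantable) {
        Grant held = granter == null ? null : grants.get(granter);
        if (granter != null && (held == null || !held.grantable
                || !held.rank.privileges.containsAll(rank.privileges))) {
            return false;
        }
        grants.put(grantee, new Grant(rank, grantable));
        return true;
    }

    // Pre-change check: recurring processes of `owner` that could no longer be
    // resubmitted if the owner's rank became newRank (null models Delete).
    static List<String> failingResubmits(String owner, Rank newRank,
                                         Map<String, List<String>> recurring) {
        boolean keepsSubmit = newRank != null && newRank.privileges.contains(Privilege.SUBMIT_ONTO);
        return keepsSubmit ? List.of() : recurring.getOrDefault(owner, List.of());
    }

    public static void main(String[] args) {
        RankModel queue = new RankModel();                        // models ER2_Queue
        queue.grant(null, "jdoe", Rank.JOB_ADMINISTRATOR, false); // Granted, not Grantable
        System.out.println(queue.grant("jdoe", "asmith", Rank.VIEW_ONLY, false));
        Map<String, List<String>> recurring = Map.of("jdoe", List.of("ProcessPartnerFile"));
        System.out.println(failingResubmits("jdoe", Rank.VIEW_ONLY, recurring));
    }
}
```

The first line printed shows that jdoe cannot delegate without a Grantable grant; the second lists the constructed recurring process that would fail to resubmit if jdoe were reduced to a rank without Submit Onto.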

Restricting BAE Users

You have the Business Automation Enabler Module and would like to prevent a user created specifically for the BAE interface from logging on through other interfaces (for example, the web interface).

You grant that user the following roles and this user will only be able to access Redwood Server via the BAE interface (SAP Inbound objects):

  • scheduler-user - has access to Redwood Server only, cannot see any objects.
  • scheduler-bae-only-user - indicates that you are restricted to logging in via the SAP Inbound interface, only.

Procedure

Granting object privileges

  1. Navigate to the object you want to change the security for.
  2. Choose Edit Security from the context-menu.
  3. On the Security tab, fill in a grantee.
  4. Choose a Rank with the desired privileges. Admin privileges allow the user to perform the action and to grant the privilege to others as well. Granted privileges allow the user to perform the actions.

Revoking object privileges

  1. Navigate to the object you want to change the security for.
  2. Choose Edit Security from the context-menu.
  3. On the Security tab, choose the grantee.
  4. Choose a Rank with the desired privileges. If you want to revoke all privileges for this object from the grantee, choose Delete. Admin privileges allow the user to perform the action and to grant the privilege to others as well. Granted privileges allow the user to perform the actions.

Example

Granting Submit privileges on the process ProcessPartnerFile to user jdoe.

{
  // Get the process definition and the user
  JobDefinition jDefinition = jcsSession.getJobDefinitionByName("ProcessPartnerFile");
  Subject subject = jcsSession.getSubjectByTypeName(SubjectType.User, "jdoe");

  // Create an empty grant on the process definition
  SubjectObjectPrivilegeGrant sopgrant = jDefinition.createSubjectObjectPrivilegeGrant();

  // Set the grantee and the rank.
  // The rank is selected by its position in the array returned by getAllRanks();
  // index 3 is the rank this example uses for Submit.
  sopgrant.setGranteeSubject(subject);
  sopgrant.setGrantedRank(sopgrant.getAllRanks()[3]);

  // Save the changes to the database
  jcsSession.persist();
}

See Also

  • Granting and Revoking System Privileges