Among the latest enhancements to the Workload Scheduler product (also known as TWS – Tivoli Workload Scheduler) is the new role-based security model for granting and revoking access and permissions for Workload Scheduler users.
Available from both the command-line interface (composer) and the web interface (Dynamic Workload Console), the new security model introduces some new concepts that simplify the use of the Security File.
In this post we will see how to define access from the web console.
Manage Workload Security Page
This is the entry point for managing the security of Workload Scheduler. Here you can reach the different functions in one click (e.g. view the access permissions for a certain user or group!).
Under the new security model, the new objects that you can define from the Manage Workload Security page of the web console are:
Each role is a set of actions that users or groups can perform on Workload Scheduler objects. Permissions are organized in meaningful sections with predefined subsets: pick yours with just one click if they fit your needs!
For example, the section Manage Event Rules provides No Access, Read-Only, Full Access (with a predefined set of permissions) and Custom mode (where you can customize each single action).
Each permission is associated with the corresponding security file keywords and comes with a detailed explanation of both the general section and the single permission itself.
Each domain represents the set of scheduling objects that users or groups can manage. A number of filters are available that you can associate with a domain to create the subset of workload that needs to be associated with someone.
You can choose between two ways of using the Security Domain definition:
- Simple: just specify a set of rules that will apply to all the scheduling objects of the scheduler. If you are using a general naming convention to organize your objects, you can specify a rule as follows:
In this way, users that belong to MY_SECURITY_DOMAIN can see only objects whose name starts with MY_SUBSET (the asterisk is used as a wildcard) but that don't belong to workstation WKS01.
In fact, a property match can be inclusive or exclusive. The interface shows AND and OR keywords to help you understand how the filter will be evaluated.
Moreover, multiple rules can be specified to create a larger domain (e.g. objects that start with AA01 and BB01).
- Complex: you can specify permissions in the same way, but for each Workload Scheduler object.
Using the “complex” mode, you are not limited to Name and Workstation filters: for each object you will find a different set of rules that you can specify.
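The filter behaviour described above, modelled as an added Python example for reviewing which objects a domain would expose (it is not code from the product or from the original post). It assumes matches inside one rule are ANDed, separate rules are ORed, matching is case-sensitive and the asterisk is the only wildcard; the class names, the AA_BB_DOMAIN domain and the object list are constructed for illustration.

```python
import re
from dataclasses import dataclass

@dataclass(frozen=True)
class Match:
    attr: str              # object property, e.g. "name" or "workstation"
    pattern: str           # "*" is the only wildcard handled here
    include: bool = True   # False models an exclusive match

    def ok(self, obj: dict) -> bool:
        # Escape everything except "*" so other characters stay literal.
        regex = ".*".join(re.escape(part) for part in self.pattern.split("*"))
        hit = re.fullmatch(regex, obj.get(self.attr, "")) is not None
        return hit if self.include else not hit

@dataclass
class SecurityDomain:
    name: str
    rules: list            # list of rules; each rule is a list of Match

    def contains(self, obj: dict) -> bool:
        # Assumed semantics: AND inside a rule, OR across rules.
        # An empty rule or an empty rule list matches nothing (fail closed).
        return any(rule and all(m.ok(obj) for m in rule) for rule in self.rules)

    def members(self, objects: list) -> list:
        return [o["name"] for o in objects if self.contains(o)]

# Constructed sample objects (not taken from a real environment).
OBJECTS = [
    {"name": "MY_SUBSET_BACKUP", "workstation": "WKS02"},
    {"name": "MY_SUBSET_REPORT", "workstation": "WKS01"},
    {"name": "AA01_PAYROLL", "workstation": "WKS01"},
    {"name": "BB01_BILLING", "workstation": "WKS03"},
    {"name": "CC01_ARCHIVE", "workstation": "WKS02"},
]

MY_DOMAIN = SecurityDomain("MY_SECURITY_DOMAIN", [[
    Match("name", "MY_SUBSET*"),
    Match("workstation", "WKS01", include=False),
]])
# Hypothetical second domain: two rules widen the domain (AA01* OR BB01*).
AA_BB_DOMAIN = SecurityDomain("AA_BB_DOMAIN", [
    [Match("name", "AA01*")],
    [Match("name", "BB01*")],
])

if __name__ == "__main__":
    for domain in (MY_DOMAIN, AA_BB_DOMAIN):
        print(domain.name, "->", domain.members(OBJECTS))
```

Running a dry evaluation like this against an export of object names before saving a domain helps catch a pattern that is broader than intended.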
Access Control List
Each access control list is defined by assigning roles to users or groups on a certain security domain.
For users and groups, if available, all the users configured to work with Workload Scheduler are automatically shown in a filterable list. You can also specify a user/group that is not in the picklist of available names.
As soon as you associate a user/group with a set of roles on a specific domain, the user interface automatically suggests a set of roles you can associate with a Dynamic Workload Console user that will leverage this ACL.
If you are working with LDAP, a good way to customize your ACLs is to use groups to simplify the security definition.
Each of these new objects can be fully managed from a single point of control (the initial page shown at the beginning of this post).
Clicking on Manage Access Control List shows a table with the full list of ACLs. From here you can edit, delete and create objects and see previous versions of the objects.