Delegate administrative tasks to other users in your Workload Automation on Cloud subscription folder

LET’S INTRODUCE what’s new
Get familiar with the new concepts introduced by Workload Automation on Cloud that leverage the 9.5 Fix Pack 1 on-premise version, released in July:

• Subscription folder: to increase business agility and enforce the security of your subscription, Workload Automation on Cloud introduces workflow folders for job streams and jobs.

• New security roles for subscription users: to provide flexibility in the security of your subscription, Workload Automation on Cloud provides the capability to maintain separate roles between the subscription owner and invited users. In the past, invited users had the same role as the subscription owner.
• Security role delegation on subscription folder: to distribute the workload in your subscription, the owner can invite other users to join and grant them access to modeling and/or planning. This can be achieved through Access Control Lists (ACLs) that bind a user to a security role on a specific folder. 

 
Before we get into explaining how to delegate administrative tasks to other users in your subscription, let’s first start with:

• Mentioning some basic concepts about your subscription folder;
• Understanding which workstation type the subscription owner can manage;
• Identifying the actions an owner is authorized to perform in the database and in the plan for the  suscription folder and any other folders the owner can see in the Explorer view.

 
 Explore the subscription folder
A folder named /<envID> (e.g. /AP) is automatically created when the subscription is generated. The subscription owner (for example, the user that creates the subscription) is authorized to administrate only this folder and its subfolders. When the owner uses the Workload Designer in the Dynamic Workload Console to define scheduling objects, the Explorer view automatically displays the <envID> folder and its contents.
Another folder the user can see is /SVC/<envID>: this is a read-only service folder used to manage job streams that enable services from the Self-Service Catalog.

What kind of workstation can the subscription owner manage?
A subscription owner can work with the following workstations:

• <envID><hostname>: agents that were downloaded and installed by the subscription owner; the agents automatically register with the <envID> prefix after installation; 
• <envID>_CLOUD: a pool agent installed in the subscription by default when the subscription is generated;
• <envID><name> (type pool): a static pool created by the subscription owner with its agents;
• <envID><name> (workstation class): a workstation class created by the subscription owner with its agents;
• S_DWB: a broker workstation that the subscription owner can use to define resources.

​Let’s explore the possible actions the subscription owner can perform on these workstations: 

​* agents cannot be added because they automatically register when they are installed.
 
 What actions can a subscription owner perform on scheduling objects?

• Job/Job streams

Folders impact the entire lifecyle of a job and job stream, from creation, to submission, monitoring, and so on. By merging the folder concepts explained earlier with the information in Table A for workstations, we obtain the following table that lists the access rights a subscription owner has on job streams and jobs in folders:

* In the /SVC/<envID> folder,  the user is authorized to manage only job streams and jobs related to the Self-Service Catalog service requests.
** NOT authorized on <envID>_CLOUD pool workstation.
 The subscription owner is not able to submit predefined jobs or submit ad hoc jobs in the /JOBS job stream, but an owner can submit into a predefined job stream that is already submitted into the PLAN.
​

• Dependencies scheduling objects (calendars, prompts, resources, variable tables, etc.)

The following table shows the actions the subscription owner is authorized to perform on scheduling objects other than job streams and jobs, related to workstations listed in Table A.

​* object name must start with the <envID> prefix, otherwise, the subscription user is not authorized to save it.
** also on the S_DWB broker workstation.
*** workload application templates can contain only objects that the user can manage (for example, it cannot contain job streams defined in /SVC/<envID> folder).
 

• Event rules

In Workload Automation on Cloud the subscription owner can manage new events that detect changes in jobs, job streams, workstations and prompts in addition to the events that detect the changes in file management, as in the previous version. Owners can now define event rules with the following types of providers:
Event Provider: 

• Plan events   
• File monitoring events

Action Provider: 

• Workload Scheduler actions

 
What are the available roles for delegation in the subscription folder or subfolders?
Users invited to an existing subscription are created with limited privileges. The subscription owner can create access control lists (ACL) for users in its subscription giving them accesses to jobs and job streams in specific folders.

You can delegate administrative privileges only for operating on jobs and job streams. To grant privileges on other object types, contact customer support.

Each ACL can grant access to jobs and job streams in the parent folder (<envID> folder) and the user can manage the entire folder hierarchy. If instead access is granted on a subfolder of the parent folder, the user can manage jobs and job streams in this subfolder and any of its child folders.
 
The following table shows the security roles that can be assigned to a user: 

Subscription owner vs Invited user
Compared with an invited user, the subscription owner can access a larger set of objects. By default, a new user is added to Workload Automation on Cloud with the SECROLE_SAAS_VIEWER role assigned, which means that the user can only display and list scheduling objects. 
The following tables show actions that an invited user can perform by default. As we explained earlier, the subscription owner can assign different roles to the user to augment privileges only on job and job streams.

• Workstations

• Jobs and Job streams

* the only job streams and jobs you can access in the /SVC/<envID> folder are the ones related to Self-Service Catalog service requests.
** NOT authorized on <envID>_CLOUD pool workstation.
 

• Dependencies scheduling objects

* object name must start with the <envID> prefix, otherwise the subscription user is not authorized to save it.
** also on the S_DWB broker workstation.
*** workload application templates can contain only objects that a user can manage (e.g. it cannot contain job streams defined in the /SVC/<envID> folder).
 
LET’S BEGIN delegating administrative tasks 
The subscription owner performs the following steps to delegate administrative privileges to other users:

1. Invite users to the subscription:

The owner can invite users to its subscription by using the Service page of its subscription:

​By clicking Invite others, the subscription owner is redirected to MyIBM web site. Here, the owner can manageinformation including account details, password, IBMid, support and preferences. From the MyIBM homepage, the subscription owner can see its IBM Workload Automation on Cloud trial offering:

​To add a new user, click Manage, and then, in the Manage users section, click Add new user:

​Add the user to your subscription. In this example, the user oslo.london@mailinator.com is added.

​Click Submit to display the following result:

​The status remains Pending until the oslo.london@mailinator.com user accepts the subscription invite in his email account. The status then becomes Active.
 
The oslo.london@mailinator.com user finds the following email from the IBM Marketplace team:

​The invited user must open the email and click Accept invite and follow the instructions.

​A mailinator account cannot be used in the production environment. It is used here as an example in a preproduction environment.
 

1. Grant the user access rights to your subscription:

To verify that the oslo.london@mailinator.com user has been added with the SECROLE_SAAS_VIEWER role assigned in the subscription, launch the Dynamic Workload Console and go to Administration -> Security.

​From the Manage Workload Security page, the subscription owner can click on Manage Access in the Access Control List (ACL) section, and see that the user oslo.london@mailinator.com has the following ACL setting on the /AP/ folder and in the AP_SECURITY and AP_SERVICE domains:

​From the Manage Workload Security page, to grant a user rights on the <envID> folder and its sub folders, the subscription owner can click on Give access to users or groups from the Access Control List (ACL) section.

2a) Delegate SECROLE_SAAS_SCHEDULER role to the user:
Procedure:On the Create Access Control List page, do the following:

1. Select User name from the drop-down list.
2. Manually write the name of the user, in this example, oslo.london@mailinator.com
3. Select the SECROLE_SAAS_SCHEDULER role in the Role text box.
4. Next to the Folder selection, click the drop-down list and select the Manage Folders hyperlink to select the folder to use as the repository for jobs and job streams. In this example, /AP/EMEA folder. Click Save.
5. Click Save and Exit.

​ResultsFrom the list of ACLs, the subscription owner can see the following list:

​ 
The following table shows the actions that the Scheduler user can now perform on jobs and job streams in the delegated folder (and all its subfolders): 

SECROLE_SAAS_SCHEDULER is not able to submit newly created job streams or jobs, so users with this role need to ask the subscription owner or a user that has either the SECROLE_SAAS_OPERATOR or SECROLE_SAAS_FULLACCESS role on the same folder to submit these job streams and jobs.
SECROLE_SAAS_SCHEDULER is not able to define and manage event rules.
  SECROLE_SAAS_SCHEDULER is not able to define calendars, run cycles, prompts, resources, workload application templates, variable tables, etc, but users with this role can use them in existing job stream definitions (if already created by the subscription owner).
 
2b) Delegate SECROLE_SAAS_OPERATOR role:
Procedure:On the Create Access Control List page, do the following:

1. Select User name from the drop-down list.
2. Manually type the name of the user, in this example, oslo.london@mailinator.com. For security reasons, the list of users is empty. 
3. Select the SECROLE_SAAS_OPERATOR role in the Role text box.
4. Next to the Folder selection, click the drop-down list and select the Manage Folders hyperlink to select the folder to use as the repository for jobs and job streams. In this example, /AP/EMEA folder. 

​The following table shows the actions that the Operator user can now perform on jobs and job streams in the delegated folder (and all its subfolders): 

2c) Delegate SECROLE_SAAS_FULLACCESS and SECROLE_SAAS_ADMIN role:
Procedure:On the Create Access Control List page, do the following:

1. Select User name from the drop-down list.
2. Manually type the name of the user, in this example, oslo.london@mailinator.com. For security reasons, the list of users is empty. 
3. Select the SECROLE_SAAS_ADMIN and SECROLE_SAAS_FULLACCESS roles in the Role text box.
4. Next to the Folder selection, click the drop-down list and select the Manage Folders hyperlink to select the folder to use as the repository for jobs and job streams. 

​ResultsThe subscription owner can see the following list of ACLs:

​The following table shows the actions that the user with the SECROLE_SAAS_FULLACCESS role can now perform on jobs and job streams in the delegated folder (and all its subfolders): 

SECROLE_SAAS_ADMIN role allows oslo.london@mailinator.com to define ACLs on the delegated folder, in our example, /AP/EMEA and its subfolders. After the owner delegates oslo.london@mailinator.com to have the SECROLE_SAAS_ADMIN andSECROLE_SAAS_FULLACCESS roles, oslo.london@mailinator.com has full administrative privileges on the subscription only for jobs and job streams, but not for the other scheduling objects.
 
LET’S THINK about the future:
The delegation of the administrative tasks to other users in the subscription is currently limited to jobs and job streams. This limitation remains until a subsequent update of Workload Automation on Cloud is rolled out, where the folder concept is extended to the other scheduling objects.

---

Serena Girardini, Workload Automation Test Technical Leader
Serena Girardini is a Test Technical leader for ​the Workload Automation product in distributed environments. She joined IBM in 2000 as a Tivoli Workload Scheduler developer and she was involved in the product relocation from San Jose Lab to Rome Lab during a short term assignement in San Jose (CA). For 14 years, Serena gained experience in Tivoli Workload Scheduler distributed product suite as developer, customer support engineer, tester and information developer. She covered for a long time the role of L3 fixpack releases Test Team Leader and in this period she was a facilitator during critical situations and upgrade scenarios at customer site. In her last 4 years at IBM she became IBM Cloud Resiliency and Chaos Engineering Test Team Leader. She joined HCL in April, 2019 as expert Tester for IBM Workload Automation product suite and she was recognized as Test Leader for the product porting to the most important Cloud offerings in the market. She has a math bachelor degree.
Linkedin: https://www.linkedin.com/in/serenagirardini/

Danilo Bernardini, Workload Automation Software Engineer
​​Danilo is a Software Engineer of the Workload Automation team, distributed version. He joined HCL in 2018, working since then on docker containers and cloud distribution of WA packages. He contributed at the release of new features for Workload Automation on Cloud based on 9.5 on-premises version. He studied in Rome and has a master degree in Engineering in computer science. 
 LinkedIn: https://www.linkedin.com/in/danilo-bernardini-23979013a