User permission check using a command line in CA embedded entitlement manager

Article ID: 134948

Updated On:

Products

Autosys Workload Automation

Issue/Introduction

Is there a way to perform a user permission check from the command line in CA Embedded Entitlement Manager?

Environment

Release: All Supported releases

Component: External Security (CA Embedded Entitlement Manager)

Resolution

An XML file with the appropriate syntax for the permission check can be fed into the CA Embedded Entitlement Manager binary "safex", which returns whether the user is allowed to access the resource as defined in the policy.

The "safex" binary is part of both CA EEM and CA Workload Automation AE.

 

The following example uses the binary from the CA Workload Automation AE install (/opt/CA/WorkloadAutomationAE/autosys/bin/safex) and was executed in a Linux environment.

However, the syntax of the procedure is the same for all the supported environments.

 

    # cat safexuser.xml
    <?xml version='1.0' encoding='UTF-8' standalone='no'?>
    <Safex>
        <Attach label="WorkloadAutomationAE"/>
        <Perm ref="1" id="user123" resourceclass="as-job" resourcename="ACE.JOB123" action="write" when="1"/>
    </Safex>
    #

 

label: Application name

id: User whose privileges are being validated

resourceclass: Policy name

resourcename: Name of the resource

action: Action which is valid for the resource as defined in the policy (read/write/execute)



    # safex -u EiamAdmin -p XXXXXXXX -f safexuser.xml
    Setting back end to "localhost"
    Setting locale to "en_us"
    OK:Successfully Authenticated
    OK: action[Attach] with ApplicationInstance label[WorkloadAutomationAE]
    OK: action[Perm] ALLOWED ref[1] id[user123] resourceclass[as-job] resource[ACE.JOB123*] action[write] when[1]
    policy allowing: [PRD: Default Job Policy] delegator []
    OK:Total objects Added 0
    OK:Total objects Modified 0
    OK:Total objects Removed 0
    OK:Total objects Skipped 0
    OK:Total objects Exported 0

In this case, the user "user123" is allowed to add, remove or update jobs whose names start with "ACE.JOB123".
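
To use this check in a script or an access review, the safex output can be reduced to one line per Perm check. The following is an added example, not code from CA or from this article. It assumes only the output layout shown above; the article does not show the output for a denied check, so any Perm line without the ALLOWED token is treated as not allowed. The function names are hypothetical.

```sh
#!/bin/sh
# Added example (not CA/Broadcom code). Summarises `safex -f` permission-check
# output read from stdin, one line per Perm check:
#   verdict|id|resourceclass|resource|action|allowing policy
# Returns 0 only if at least one Perm check was seen and every one is ALLOWED.
safex_perm_summary() {
    awk '
    # Value between "key[" and the next "]", or "-" when the key is absent.
    function field(line, key,    s, e) {
        s = index(line, key "[")
        if (s == 0) return "-"
        line = substr(line, s + length(key) + 1)
        e = index(line, "]")
        return (e > 0) ? substr(line, 1, e - 1) : "-"
    }
    function emit() {
        if (have) printf "%s|%s|%s|%s|%s|%s\n", verdict, id, rc, res, act, policy
        have = 0
    }
    /action\[Perm\]/ {
        emit(); have = 1; seen++
        # Fail closed: only the literal ALLOWED token counts as a grant.
        verdict = ($0 ~ /action\[Perm\] ALLOWED /) ? "ALLOWED" : "NOT_ALLOWED"
        if (verdict != "ALLOWED") bad++
        rest = substr($0, index($0, "ref["))   # skip the leading action[Perm]
        id = field(rest, "id"); rc = field(rest, "resourceclass")
        res = field(rest, "resource"); act = field(rest, "action")
        policy = "-"
        next
    }
    have && /policy allowing:/ { policy = field($0, "policy allowing: ") }
    END { emit(); exit ((seen > 0 && bad == 0) ? 0 : 1) }
    '
}

# Sample input: the safex output shown in this article, shortened.
safex_sample_output() {
    cat <<'EOF'
Setting back end to "localhost"
Setting locale to "en_us"
OK:Successfully Authenticated
OK: action[Attach] with ApplicationInstance label[WorkloadAutomationAE]
OK: action[Perm] ALLOWED ref[1] id[user123] resourceclass[as-job] resource[ACE.JOB123*] action[write] when[1]
policy allowing: [PRD: Default Job Policy] delegator []
OK:Total objects Added 0
EOF
}

safex_sample_output | safex_perm_summary
```

In real use, pipe the output of the safex command above into safex_perm_summary and branch on its exit status; output with no Perm line at all (for example after a failed authentication) also returns non-zero.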

 

See the link below for more information on CA Workload Automation AE policies (as-job):

 

https://docops.ca.com/ca-workload-automation-ae/11-4-2/en/securing/security-policy-customization/customize-security-policy-and-settings/customize-access-policy/ca-eem-resource-classes-for-ca-workload-automation-ae




Additional Information

Information on the safex binary from CA Embedded Entitlement Manager:


https://docops.ca.com/ca-embedded-entitlements-manager/12-6/en/programming/safex-command-line-reference


Other helpful Safex XML Script Examples: 

https://docops.ca.com/ca-embedded-entitlements-manager/12-6/en/programming/example-safex-xml-scripts