New EEM policy for specific user access blocking other users from resource

Article ID: 139182

Products

CA Workload Automation AE - Scheduler (AutoSys)
Autosys Workload Automation

Issue/Introduction

A new EEM policy, defined to grant a specific user access to a specific set of jobs, is blocking access to those jobs for all other users.
The other users are granted access to all jobs via the default as-job policy.
However, that doesn't appear to be taken into consideration when accessing a job that matches the resource specified in the new policy.

Environment

AutoSys 11.x, 12.x
EEM 12.x

Resolution

The AutoSys policies in EEM are all configured to use best-match for policy evaluation.
This means that when an authorization request comes in, EEM will use the policy that is configured with a resource that best matches the resource in the authorization request.

Example:
as-job Policy 1 has a resource of ACE.* (matches any job in instance ACE)
as-job Policy 2 has a resource of ACE.PAYROLL* (matches any job in instance ACE that starts with PAYROLL)

A request comes in to check as-job policies to see if a user has execute access on resource "ACE.PAYROLL_JOB1".
EEM will determine the access for the user based on Policy 2 since the resource in that policy (ACE.PAYROLL*) is a better match to the resource in the request (ACE.PAYROLL_JOB1).
Access granted by Policy 1 will not be considered in this scenario.

Any time you create an explicit grant policy that will result in a best match scenario like this, you must make sure that all users that need access to the resource set in the policy are included in the identities list and given the necessary level of access.
This holds true for all AutoSys policies (as-owner, as-group, etc.).
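
The following Python model is an added example, not EEM or AutoSys code. It reproduces the Policy 1 / Policy 2 scenario above and lists which grants from the broader policy are lost once the more specific policy wins. The user names, the policy data structure, and the ranking of "best match" by number of literal (non-wildcard) characters are assumptions made for illustration.

```python
from fnmatch import fnmatchcase

# Constructed policies mirroring the article's example; user names are hypothetical.
POLICIES = [
    {"name": "Policy 1", "resource": "ACE.*",
     "grants": {"alice": {"read", "execute"}, "bob": {"read", "execute"}}},
    {"name": "Policy 2", "resource": "ACE.PAYROLL*",
     "grants": {"alice": {"read", "execute"}}},
]

def specificity(pattern):
    """Assumed ranking: more literal (non-wildcard) characters = better match."""
    return sum(1 for c in pattern if c not in "*?")

def best_match(policies, resource):
    """Return the single matching policy with the most specific resource, or None."""
    hits = [p for p in policies if fnmatchcase(resource, p["resource"])]
    return max(hits, key=lambda p: specificity(p["resource"]), default=None)

def is_authorized(policies, user, action, resource):
    """Only the best-matching policy is consulted; broader grants are ignored."""
    policy = best_match(policies, resource)
    return policy is not None and action in policy["grants"].get(user, set())

def shadowed_grants(policies, resource):
    """List (user, action, broader policy) grants lost to the best-matching policy."""
    winner = best_match(policies, resource)
    lost = []
    for p in policies:
        if p is winner or not fnmatchcase(resource, p["resource"]):
            continue
        for user, actions in sorted(p["grants"].items()):
            for action in sorted(actions - winner["grants"].get(user, set())):
                lost.append((user, action, p["name"]))
    return lost

if __name__ == "__main__":
    for user in ("alice", "bob"):
        print(user, is_authorized(POLICIES, user, "execute", "ACE.PAYROLL_JOB1"))
    print(shadowed_grants(POLICIES, "ACE.PAYROLL_JOB1"))
```

Running a check like `shadowed_grants` against a planned policy before creating it shows which identities still need to be added to the new policy's identities list.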