What AutoSys EEM policies determine whether a user can start/force start a job?
search cancel

What AutoSys EEM policies determine whether a user can start/force start a job?

book

Article ID: 242940

calendar_today

Updated On:

Products

Autosys Workload Automation CA Workload Automation AE - Scheduler (AutoSys)

Issue/Introduction

Which AutoSys EEM policies are used to determine whether a user has permission to start or force start a job?

Environment

Release : 12.0/12.0.01

Component : AutoSys Workload Automation

Resolution

When a user starts/force starts a job, there are up to 7 EEM different resource classes that are used to determine whether the user has permission to perform the action. Policies for various resource classes are checked in the following order...

as-sendevent - The user must have general access to send the STARTJOB/FORCE_STARTJOB event for the instance.
as-appl - If the job has an application attribute, the user must have execute permission for jobs with that application value.
as-group - If the job has a group attribute, the user must have execute permission for jobs with that group value.
as-basejobtype - The user must have execute permission for the job type that is being started
as-owner - The user must have sendevent_jobexecute permission for the job owner value
as-machine - The user must have execute permission to start a job on the machine to which the job is defined to run
as-job - The user must have execute permission for the job name

EXAMPLE:

User 'autosys' sends a FORCE_STARTJOB event to a job with the following definition in an instance called ACE...

insert_job: PAYROLL_JOB1     job_type: CMD
machine: agent1
command: /tmp/payroll_script.sh
owner: svcuser@agent1
application: payroll

The Application Server would perform the following EEM resource class checks for user 'autosys'...

ResourceClass: as-sendevent, Action: force_startjob, Resource: ACE
ResourceClass: as-appl, Action: execute, Resource: ACE.payroll
ResourceClass: as-basejobtype, Action: execute, Resource: ACE.CMD
ResourceClass: as-owner, Action: sendevent_jobexecute, Resource: svcuser@agent1
ResourceClass: as-machine, Action: execute, Resource: ACE.agent1
ResourceClass: as-job, Action: execute, Resource: ACE.PAYROLL_JOB1

If any of these checks fail, the user will be denied access to start the job. The error that is returned contains details about which resource class check failed...

CAUAJM_W_10758 Owner sendevent_jobexecute Access Denied!

CAUAJM_W_10439 No policies granting access to resource.
CAUAJM_W_10440 Class: as-owner Resource: svcuser@agent1 User: autosys Access: sendevent_jobexecute
CAUAJM_W_10442 Time: 1654038513 Delegator: None

Powered by Wolken Software