Web UI or WCC Enterprise Command Line (ECLI) Architecture
search cancel

Web UI or WCC Enterprise Command Line (ECLI) Architecture

book

Article ID: 280997

calendar_today

Updated On:

Products

Autosys Workload Automation

Issue/Introduction

How does the architectural flow of the WCC Enterprise Command Line (ECLI) function,
and what configurations are required to authorize commands other than the default, such asautotrack?

Environment

  • Product: AutoSys Workload Automation 12.x, 24.x
  • Component: Web Control Center (WCC) Enterprise Command Line (ECLI) 12.x, 24.x
  • Security: CA EEM (Embedded Entitlements Manager)

Resolution

The WCC ECLI architecture relies on a handshake between WCC, the AutoSys Web Server (AEWS), and EEM.
To authorize a command for use in the Web UI, follow the structural requirements below:

1. Server-Side Configuration (AEWS)

Commands executed via ECLI are filtered and authorized at the operating system level on the AutoSys Web Server host.

  • Command Filter List: Authorized commands must be explicitly listed in the following file: $AUTOSYS/config/AutoSysCommandFilters.txt
  • Authorization Wrapper: The execution is handled by the AutosysCommandWrapper binary.
    • Requirement: This module must be owned by root with the sticky bit set to authorize user credentials across the OS.
    • Path: $AUTOSYS/bin/AutosysCommandWrapper

2. Security and Identity (EEM)

Both WCC and AutoSys must share the same EEM configuration.

  • Monitor ID: The monitorid defined in the WCC AutoSys Server definition must be a member of the EEM application group WorkloadAutomationAEWebService within the WorkloadAutomationAE application.
  • CommandExecute Policy: Access to specific commands is governed by the CommandExecute policy in EEM under the WCC application (WCC00004).

3. High-Level Architectural Flow

When a WCC user attempts to execute an ECLI command, the following sequence occurs:

  1. EEM Validation: The monitorID is validated in EEM for membership in the WorkloadAutomationAEWebService group. (If this fails, a "403 Forbidden" error typically occurs).
  2. Credential Passing: If successful, WCC passes the credentials of the logged-in user (or a defined Global Credential) to the AEWS URL via a SAML token.
  3. Command Filtering: The AEWS server checks the requested command against the AutoSysCommandFilters.txt file.
  4. OS Validation: The AutosysCommandWrapper uses the SAML token to verify that the user is a valid Operating System user on the AEWS host.
  5. Execution: The command is executed, and the output is passed back to the WCC interface.

Summary of Requirements:

  • Condition 1: The monitorID must be a member of the required EEM application group.
  • Condition 2: Either every WCC user must have an OS account on the AEWS host, OR a _GLOBAL_
    A credential must be created in WCC that exists as an OS user on the AEWS host for all users to share.

 

 

Additional Information

  • Global Credentials: For environments where individual OS accounts are not feasible,
    _GLOBAL_ credential can be defined in WCC to be shared by authorized users.
  • User Status: Ensure the user is not "Disabled" in the WCC Credentials tab,
    as this state is stored in the cfg_user_pref table and will block ECLI access regardless of other configurations.
Powered by Wolken Software