Getting USER permissions from the Automic database

Article ID: 370336


Products

CA Automic Workload Automation - Automation Engine

Issue/Introduction

There is an audit requirement to provide information regarding the user permissions - privileges and authorizations. 

 

 

Environment

Automation Engine Version 24
Automation Engine Version 21

 

Resolution

The REST API in Automic has an endpoint called /objects/{object name} which can be used for each user or usergroup object to show what privileges and authorizations are assigned to it.

 

As an example, the AE server is accessible at automic-rest-api.example.com:8088 and the query is run for client 100 and a user group called USRG.ADMIN. Run a REST API call to the following:
 
https://automic-rest-api.example.com:8088/ae/api/v1/0100/objects/USRG.ADMIN

Here is the response:

{
    "total": 1,
    "data": {
        "usrg": {
            "metadata": {
                "version": "21.0.8"
            },
            "general_attributes": {
                "type": "USRG",
                "name": "USRG.ADMIN",
                "minimum_ae_version": "11.2"
            },
            "user_group_attributes": {
                "privileges": 9968168272131
            },
            "members": [
                {
                    "username": "GENERAL/ADMIN"
                }
            ],
            "authorizations": [
                {
                    "filter_object_type": "JOBS",
                    "filter_object_name": "JOBS.HR.*",
                    "filter_agent_name1": "*",
                    "filter_agent_name2": "*",
                    "filter_user_id1": "*",
                    "filter_user_id2": "*",
                    "filter_file_names1": "*",
                    "filter_file_names2": "*",
                    "bitcode": 3,
                    "auth_group": 1
                },
                {
                    "filter_object_type": "JOBP",
                    "filter_object_name": "JOBP.FINANCE.*",
                    "filter_agent_name1": "*",
                    "filter_agent_name2": "*",
                    "filter_user_id1": "*",
                    "filter_user_id2": "*",
                    "filter_file_names1": "*",
                    "filter_file_names2": "*",
                    "bitcode": 255,
                    "auth_group": 1
                },
                {
                    "filter_object_type": "*",
                    "filter_object_name": "*",
                    "filter_agent_name1": "*",
                    "filter_agent_name2": "*",
                    "filter_user_id1": "*",
                    "filter_user_id2": "*",
                    "filter_file_names1": "*",
                    "filter_file_names2": "*",
                    "bitcode": 4,
                    "auth_group": 1
                }
            ]
        }
    },
    "path": "",
    "client": 100,
    "hasmore": false
}
The important parts above are:
 the members, which are all users that are part of the usergroup
 the authorizations, a line-by-line equivalent of what you see in the Authorizations tab of a user or usergroup; each line has a bitcode that needs to be decoded. It is a binary code (the sum of the values of the granted authorizations), with the following value for each authorization type:
  R: 1
  W: 2
  X: 4
  D: 8
  C: 16
  S: 32
  P: 64
  M: 128
 So for something that shows 136, it's 8+128, or D, M

The privileges section is not human readable in v12.3 or v21.0 (this is also the case in the database). 
The recommendation for privileges is to keep the number of usergroups low and to set privileges on usergroups rather than on user objects, assigning users to usergroups.
This makes it simple to review usergroups to retrieve the privileges allowed to them and run the REST call against the usergroup. The usergroup will have members listed in something like the following:
 
             "members": {
                "USERNAME": "ADMIN/AUTOMIC"
            },
In v24.0, the REST endpoint will show privileges exactly as they appear in AWI like the following:
 
            "user_group_attributes": {
                "privileges": 35184371955199,
                "privileges_set": [
                    "automatic_processing",
                    "access_systemoverview",
                    "recycle_bin",
                    "transport_case",
                    "view_messages",
                    "view_administrators_messages",
                    "view_all_messagesfrom_accorded_client",
                    "view_security_messages",
                    "execute_system_upgrades",
                    "access_to_selective_statistics",
                    "create_and_modify_backend_variables",
                    "deal_with_authorizations_at_object_level",
                    "modify_the_status_of_a_task_manually",
                    "object_properties_allow_manual_reset_of_edit_hint",
                    "filetransfer_start_without_login_object_specified",
                    "view_server_usage_of_all_clients",
                    "access_to_no_folder",
                    "logon_via_callapi",
                    "sap_criteria_manager",
                    "access_to_version_management_folder",
                    "access_to_autoforecast",
                    "create_diagnostic_information",
                    "take_over_task",
                    "ilm_actions",
                    "create_and_modify_sql_internal_variables",
                    "work_in_runbook_mode",
                    "manage_favorites_on_usergroup_level",
                    "access_to_service_catalog",
                    "access_to_process_monitoring",
                    "access_to_policy_orchestrator",
                    "access_to_process_assembly",
                    "access_to_administration",
                    "access_to_dashboards",
                    "access_to_predictive_analytics",
                    "access_to_messages",
                    "fileevents_start_without_login_object_specified",
                    "access_to_analytics",
                    "dump_memory_trace",
                    "access_to_analytics_for_all_clients",
                    "access_metrics_endpoint"
                ]
            },
 
The suggestion for putting this all together is to get a list of usergroups (this can be done in the AWI under Administration), then run a REST call against each usergroup to get this information. Along with that, follow the best practice of not assigning additional authorizations or privileges to individual users, but assigning them to usergroups instead. The REST call against the usergroup then shows which users belong to the group and their authorizations (and privileges in v24).
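The bitcode decoding and the per-usergroup review described above, as an added Python example (not Broadcom's code). It works offline on a response that has already been retrieved; the function names, the output record layout and the "wildcard" flag are assumptions of this example, and the sample is a trimmed copy of the response shown earlier.

```python
import json

# Bit value per authorization letter, as listed in the article.
AUTH_BITS = {"R": 1, "W": 2, "X": 4, "D": 8, "C": 16, "S": 32, "P": 64, "M": 128}

def decode_bitcode(bitcode):
    """Return the authorization letters set in a bitcode (136 -> ['D', 'M'])."""
    if bitcode & ~sum(AUTH_BITS.values()):
        raise ValueError(f"bitcode {bitcode} has bits outside the documented table")
    return [letter for letter, bit in AUTH_BITS.items() if bitcode & bit]

def audit_usergroup(response):
    """Flatten one /objects/{usergroup} response into an audit record."""
    usrg = response["data"]["usrg"]
    members = usrg.get("members", [])
    if isinstance(members, dict):  # the article also shows a single-object form
        members = [members]
    attrs = usrg.get("user_group_attributes", {})
    return {
        "group": usrg["general_attributes"]["name"],
        "members": [m.get("username") or m.get("USERNAME") for m in members],
        "authorizations": [
            {
                "type": a["filter_object_type"],
                "name": a["filter_object_name"],
                "rights": decode_bitcode(a["bitcode"]),
                # Reviewer's flag (assumption of this example): grant matches every object.
                "wildcard": a["filter_object_type"] == "*" and a["filter_object_name"] == "*",
            }
            for a in usrg.get("authorizations", [])
        ],
        # privileges_set is only present in v24 responses; None means raw value only.
        "privileges": attrs.get("privileges_set"),
        "privileges_raw": attrs.get("privileges"),
    }

# Trimmed copy of the article's sample response (agent/user/file filters omitted).
SAMPLE = json.loads("""
{"data": {"usrg": {
  "general_attributes": {"type": "USRG", "name": "USRG.ADMIN"},
  "user_group_attributes": {"privileges": 9968168272131},
  "members": [{"username": "GENERAL/ADMIN"}],
  "authorizations": [
    {"filter_object_type": "JOBS", "filter_object_name": "JOBS.HR.*", "bitcode": 3},
    {"filter_object_type": "JOBP", "filter_object_name": "JOBP.FINANCE.*", "bitcode": 255},
    {"filter_object_type": "*", "filter_object_name": "*", "bitcode": 4}
  ]}}}
""")

if __name__ == "__main__":
    print(json.dumps(audit_usergroup(SAMPLE), indent=2))
```

Running one record per usergroup through this gives an auditor the members, the decoded rights per authorization line, and the grants that apply to every object.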

Additional Information

There are a number of ways to run REST calls against our REST API:
You can simply put the full REST endpoint into a browser that can reach the AE server. You'll be prompted to enter a user's credentials in the browser when doing so.
You can run the REST call via an external tool like Postman (this requires some REST WebService knowledge, but there are many tutorials online).
You can run the calls against the REST API using our WebService REST Agent. This also requires some REST WebService knowledge. More information on the agent and jobs can be found here:
https://docs.automic.com/documentation/webhelp/english/ALL/components/RA_WEB_SERVICE_REST/latest/Agent%20Guide/Content/RA/WS/AWI/Defining_Requests_for_REST_Jobs.htm