Retrieving human-readable UserGroup privileges prior to V24 in list

Article ID: 391334

Products

CA Automic Workload Automation - Automation Engine, CA Automic One Automation, Automic SaaS

Issue/Introduction

For auditing purposes, a list of UserGroup privileges may need to be retrieved.  Prior to version 24, there was no out-of-the-box way to get this list in human-readable form.  What other options are there?

Resolution

This can be done using two SEC_SQLI objects and a SCRIPT object.  Please note that these are simply examples and are not maintained by Broadcom; they may need to be updated by your own developers for your specific system and database.

  1. Create a SEC_SQLI variable with the name vara.sqli.find_usergroups
  2. Add the following SQL statement into the vara.sqli.find_usergroups from step 1 above:

    select * from usg

  3. Create a SEC_SQLI variable with the name vara.sec_sqli.get_usergroup_name_and_client
  4. Add the following SQL statement into the vara.sec_sqli.get_usergroup_name_and_client from step 3 above:

    select oh_idnr, oh_name, oh_client from oh where oh_otype in ('USER', 'USRG')

  5. Create a script object - for example, scri.get_usergroup_privileges
  6. Add the following script to the script object:

    !set variable names
    !get_usergroups_var is the sec_sqli var that will be looped through to get usg_oh_idnr and usg_privilege (the decimal representation of the binary privileges)
    !usergroup_name_and_client_var is the sec_sqli var that is used to get usergroup name and client from the db - based on usg_oh_idnr from get_usergroups_var
    :set &get_usergroups_var# = 'vara.sqli.find_usergroups'
    :set &usergroup_name_and_client_var# = 'vara.sec_sqli.get_usergroup_name_and_client'
    
    !set new line character
    :set &nl# = UC_CRLF()
    
    !Loop through the usergroups
    :set &hnd# = prep_process_var(&get_usergroups_var#)
    :process &hnd#
    !  get the decimal representation for the usergroup privileges
    :  set &privilege# = get_process_line(&hnd#, 4)
    !  get the oh_idnr from the usergroup
    :  set &usergroup_id# = get_process_line(&hnd#, 2)
    !  get the usergroup name for the report
    :  set &group_name# = get_var(&usergroup_name_and_client_var#, &usergroup_id#, 2)
    !  get the usergroup client for the report
    :  set &usergroup_client# = get_var(&usergroup_name_and_client_var#, &usergroup_id#, 3)
    
    !  initialize results to be blank and each group of privileges for the report
    :  set &result# = ''
    :  set &full_out# = "UserGroup &group_name# in client &usergroup_client# has the following permissions:"
    :  set &full_out_grp1# = 'Access to Explorer Folders'
    :  set &full_out_grp2# = 'Administration'
    :  set &full_out_grp3# = 'AWI Access Control'
    :  Set &full_out_grp4# = 'Advanced Editing'
    :  set &full_out_grp5# = 'View Messages'
    :  set &full_out_grp6# = 'Access Control'
    
    !  highest position (as of 21.0.13) will be 45 for binary - we will loop through backwards from this binary position
    :  set &pos# = 45
    
    !  Loop through the binary of the privileges, looking at each bit and lowering position by 1 each time through
    :  while &pos# > 0
    :    set &output# = get_bit(&privilege#, &pos#)
    :    set &pos# = sub(&pos#, 1)
    :    set &pos# = format(&pos#)
    
    !    if the bit came back with something, write this to the final report - each bit corresponds with one of the privileges in a usergroup
    :    if &output# = 1
    :      switch &pos#
    !      Group 1 - Access to Explorer Folders
    :        case 19
    :        set &priv# = "Access to <No Folder>"
    :        set &full_out_grp1# = "&full_out_grp1#&nl#    &priv#"
    :        case 2
    :        set &priv# = "Access to Recycle Bin"
    :        set &full_out_grp1# = "&full_out_grp1#&nl#    &priv#"
    :        case 3
    :        set &priv# = "Access to Transport Case"
    :        set &full_out_grp1# = "&full_out_grp1#&nl#    &priv#"
    :        case 22
    :        set &priv# = "Access to Version Management folder"
    :        set &full_out_grp1# = "&full_out_grp1#&nl#    &priv#"
    !      Group 2 - Administration
    :        case 24
    :        set &priv# = "Create diagnostic information"
    :        set &full_out_grp2# = "&full_out_grp2#&nl#    &priv#"
    :        case 0
    :        set &priv# = "Enable / Disable automatic processing (STOP / GO)"
    :        set &full_out_grp2# = "&full_out_grp2#&nl#    &priv#"
    :        case 8
    :        set &priv# = "Execute system upgrades"
    :        set &full_out_grp2# = "&full_out_grp2#&nl#    &priv#"
    :        case 40
    :        set &priv# = "FileEvents: Start without Login object specified"
    :        set &full_out_grp2# = "&full_out_grp2#&nl#    &priv#"
    :        case 16
    :        set &priv# = "FileTransfer: Start without Login object specified"
    :        set &full_out_grp2# = "&full_out_grp2#&nl#    &priv#"
    :        case 26
    :        set &priv# = "ILM actions"
    :        set &full_out_grp2# = "&full_out_grp2#&nl#    &priv#"
    :        case 29
    :        set &priv# = "Manage favorites on UserGroup Level"
    :        set &full_out_grp2# = "&full_out_grp2#&nl#    &priv#"
    :        case 21
    :        set &priv# = "SAP Criteria Manager"
    :        set &full_out_grp2# = "&full_out_grp2#&nl#    &priv#"
    !      Group 3 - AWI Access Control
    :        case 36
    :        set &priv# = "Access to Administration"
    :        set &full_out_grp3# = "&full_out_grp3#&nl#    &priv#"
    :        case 41
    :        set &priv# = "Access to Analytics"
    :        set &full_out_grp3# = "&full_out_grp3#&nl#    &priv#"
    :        case 43
    :        set &priv# = "Access to Analytics for all clients"
    :        set &full_out_grp3# = "&full_out_grp3#&nl#    &priv#"
    :        case 37
    :        set &priv# = "Access to Dashboards"
    :        set &full_out_grp3# = "&full_out_grp3#&nl#    &priv#"
    :        case 39
    :        set &priv# = "Access to Messages"
    :        set &full_out_grp3# = "&full_out_grp3#&nl#    &priv#"
    :        case 30
    :        set &priv# = "Access to My Catalog"
    :        set &full_out_grp3# = "&full_out_grp3#&nl#    &priv#"
    :        case 35
    :        set &priv# = "Access to Process Assembly"
    :        set &full_out_grp3# = "&full_out_grp3#&nl#    &priv#"
    :        case 31
    :        set &priv# = "Access to Process Monitoring"
    :        set &full_out_grp3# = "&full_out_grp3#&nl#    &priv#"
    !      Group 4 - Advanced Editing
    :        case 12
    :        set &priv# = "Create and modify Backend Variables"
    :        set &full_out_grp4# = "&full_out_grp4#&nl#    &priv#"
    :        case 27
    :        set &priv# = "Create and modify SQL-internal variables"
    :        set &full_out_grp4# = "&full_out_grp4#&nl#    &priv#"
    :        case 15
    :        set &priv# = "Object properties: Allow manual reset of 'Edit Hint'"
    :        set &full_out_grp4# = "&full_out_grp4#&nl#    &priv#"
    !      Group 5 - View Messages
    :        case 42
    :        set &priv# = "Dump memory trace"
    :        set &full_out_grp5# = "&full_out_grp5#&nl#    &priv#"
    :        case 6
    :        set &priv# = "View all messages from accorded client"
    :        set &full_out_grp5# = "&full_out_grp5#&nl#    &priv#"
    :        case 4
    :        set &priv# = "View messages of the user's respective UserGroup"
    :        set &full_out_grp5# = "&full_out_grp5#&nl#    &priv#"
    :        case 5
    :        set &priv# = "View messages to administrators"
    :        set &full_out_grp5# = "&full_out_grp5#&nl#    &priv#"
    :        case 7
    :        set &priv# = "View security messages"
    :        set &full_out_grp5# = "&full_out_grp5#&nl#    &priv#"
    !      Group 6 - Access Control
    :        case 23
    :        set &priv# = "Access to AutoForecast"
    :        set &full_out_grp6# = "&full_out_grp6#&nl#    &priv#"
    :        case 10
    :        set &priv# = "Access to deactivated tasks"
    :        set &full_out_grp6# = "&full_out_grp6#&nl#    &priv#"
    :        case 1
    :        set &priv# = "Access to System Overview"
    :        set &full_out_grp6# = "&full_out_grp6#&nl#    &priv#"
    :        case 44
    :        set &priv# = "Access to the metrics endpoint of the Automic REST API"
    :        set &full_out_grp6# = "&full_out_grp6#&nl#    &priv#"
    :        case 13
    :        set &priv# = "Deal with authorizations at object level"
    :        set &full_out_grp6# = "&full_out_grp6#&nl#    &priv#"
    :        case 20
    :        set &priv# = "Logon via CallAPI"
    :        set &full_out_grp6# = "&full_out_grp6#&nl#    &priv#"
    :        case 14
    :        set &priv# = "Modify the status of a task manually"
    :        set &full_out_grp6# = "&full_out_grp6#&nl#    &priv#"
    :        case 25
    :        set &priv# = "Take over task"
    :        set &full_out_grp6# = "&full_out_grp6#&nl#    &priv#"
    :        case 18
    :        set &priv# = "View server usage of all clients"
    :        set &full_out_grp6# = "&full_out_grp6#&nl#    &priv#"
    :      endswitch
    :    endif
    :    set &result# = &result#&output#
    :  endwhile
    
    !  print results to report
    :  p 'decimal in binary is &result#'
    :  p &full_out#
    :  if &full_out_grp1# <> "Access to Explorer Folders"
    :    p &full_out_grp1#
    :  endif
    :  if &full_out_grp2# <> "Administration"
    :    p &full_out_grp2#
    :  endif
    :  if &full_out_grp3# <> "AWI Access Control"
    :    p &full_out_grp3#
    :  endif
    :  if &full_out_grp4# <> "Advanced Editing"
    :    p &full_out_grp4#
    :  endif
    :  if &full_out_grp5# <> "View Messages"
    :    p &full_out_grp5#
    :  endif
    :  if &full_out_grp6# <> "Access Control"
    :    p &full_out_grp6#
    :  endif
    :  p 'End usergroup &nl#&nl#'
    :endprocess &hnd#

  7. Run the script.  Output will look something like this:

    2025-03-19 22:24:35 - U00020408 decimal in binary is 111111111111111111111111111011111010111111111
    2025-03-19 22:24:35 - U00020408 UserGroup ADMINISTRATORS in client 0 has the following permissions:
    2025-03-19 22:24:35 - U00020408 Access to Explorer Folders
        Access to Version Management folder
        Access to <No Folder>
        Access to Transport Case
        Access to Recycle Bin
    2025-03-19 22:24:35 - U00020408 Administration
        FileEvents: Start without Login object specified
        Manage favorites on UserGroup Level
        ILM actions
        Create diagnostic information
        SAP Criteria Manager
        FileTransfer: Start without Login object specified
        Execute system upgrades
        Enable / Disable automatic processing (STOP / GO)
    2025-03-19 22:24:35 - U00020408 AWI Access Control
        Access to Analytics for all clients
        Access to Analytics
        Access to Messages
        Access to Dashboards
        Access to Administration
        Access to Process Assembly
        Access to Process Monitoring
        Access to My Catalog
    2025-03-19 22:24:35 - U00020408 Advanced Editing
        Create and modify SQL-internal variables
        Object properties: Allow manual reset of 'Edit Hint'
        Create and modify Backend Variables
    2025-03-19 22:24:35 - U00020408 View Messages
        Dump memory trace
        View security messages
        View all messages from accorded client
        View messages to administrators
        View messages of the user's respective UserGroup
    2025-03-19 22:24:35 - U00020408 Access Control
        Access to the metrics endpoint of the Automic REST API
        Take over task
        Access to AutoForecast
        Logon via CallAPI
        View server usage of all clients
        Modify the status of a task manually
        Deal with authorizations at object level
        Access to deactivated tasks
        Access to System Overview
    2025-03-19 22:24:35 - U00020408 End usergroup 
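
The script names only the bits it has a case label for, and its loop starts at position 45, so a set bit outside that mapping never appears under any heading. The Python check below is an added example, not part of the Broadcom article or product: it takes the "decimal in binary is" report line (or a raw usg_privilege value) and lists the set bits the report leaves out. The function and constant names are hypothetical, and the bit numbering assumes the script's own convention that loop position n corresponds to case n-1.

```python
import re

# 0-based bit numbers that have a case label in the article's script.
# Copied from its :switch block; no privilege names are assumed beyond that.
LABELLED_BITS = frozenset({
    0, 1, 2, 3, 4, 5, 6, 7, 8, 10, 12, 13, 14, 15, 16, 18, 19, 20, 21, 22,
    23, 24, 25, 26, 27, 29, 30, 31, 35, 36, 37, 39, 40, 41, 42, 43, 44,
})
SCRIPT_WIDTH = 45  # the loop starts at &pos# = 45, so it reads bits 44..0

# First line of the article's sample output; the bit string is split into
# 9-character chunks only for readability (Python joins adjacent literals).
SAMPLE_LINE = (
    "2025-03-19 22:24:35 - U00020408 decimal in binary is "
    "111111111" "111111111" "111111111" "011111010" "111111111"
)

REPORT_RE = re.compile(r"decimal in binary is ([01]+)\s*$")


def privilege_from_report_line(line: str) -> int:
    """Recover the privilege value (bits 44..0 only) from the report line."""
    match = REPORT_RE.search(line)
    if match is None:
        raise ValueError("not a 'decimal in binary is' report line")
    return int(match.group(1), 2)  # leftmost character is the highest bit


def classify_bits(privilege: int) -> dict:
    """Group the set bits of a usg_privilege value by how the script treats them."""
    if privilege < 0:
        raise ValueError("privilege must be a non-negative integer")
    set_bits = [b for b in range(privilege.bit_length()) if (privilege >> b) & 1]
    return {
        # printed under one of the six headings
        "labelled": [b for b in set_bits if b in LABELLED_BITS],
        # read by the loop but matched by no case, so missing from the report
        "no_label": [b for b in set_bits
                     if b < SCRIPT_WIDTH and b not in LABELLED_BITS],
        # never read: above the loop's starting position
        "beyond_loop": [b for b in set_bits if b >= SCRIPT_WIDTH],
    }


if __name__ == "__main__":
    result = classify_bits(privilege_from_report_line(SAMPLE_LINE))
    print("bits set without a label:", result["no_label"])
    print("bits set above the loop range:", result["beyond_loop"])
```

For the sample line above, bits 28, 32, 33, 34 and 38 are set but have no case label in the script, so they do not appear under any of the six headings. Passing the raw usg_privilege value to `classify_bits` additionally shows any bit above position 45, which the binary line cannot.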

Additional Information

This knowledge article covers more information about the REST API call available in version 24:  

Getting USER permissions from the Automic database