In AutoSys, when an as-owner EEM policy is configured with broad permissions, users can set any value for a job's owner attribute. This article provides instructions on how to create an EEM filter that requires the job owner to be the same as the user submitting the job, preventing the use of arbitrary or incorrect owner values.

Any

R12.x, R24.x

This procedure will guide you through modifying the EEM as-owner policy. The goal is to create a filter that dynamically checks if the user creating a job (userA) is also specified as the job's owner.

Step 1: Log in to the EEM GUI

1. Open a web browser and navigate to your EEM server's URL.

2. Log in with an EEM administrator account (e.g., EiamAdmin).

3. From the "Application" dropdown menu at the top right, select WorkloadAutomationAE.

    

Step 2: Navigate to Access Policies

1. Click on the Manage Access Policies tab.
2. You will see a list of existing policies. You will either modify an existing as-owner policy or create a new one.

Step 3: Create or Modify the as-owner Policy

1. Click New Policy to create a new access policy.
2. In the "Name" field, give the policy a descriptive name, such as as-owner-self-only.
3. Under the "General" section, ensure the policy is Enabled.

Step 4: Configure Policy Identities

1. In the "Identities" section, click Add Identity.

2. To make this rule apply to all users, select the All Identities group. This ensures that any user attempting to create a job will be evaluated by this policy.

    

Step 5: Define the Resource and Actions

1. In the "Access Policy Configuration" section, click Add Resource/Action.
2. For the "Resource Class," select as-owner.
3. For the "Resource Name," enter a wildcard character (*). This ensures the policy applies to any value specified in the owner attribute.
4. For "Actions," select the actions you want to permit. For job creation and execution, you typically need to grant execute and sendevent_jobexecute.

Step 6: Add the Dynamic Filter

This is the most critical step. You will add a filter that compares the user making the request with the value of the owner attribute.

1. In the "Filters" section of the policy configuration, click Add Filter.

2. In the text box, enter the following expression exactly as written:

   request.resource == request.identity
   

   Copy
   • request.resource: In an as-owner policy check, this variable holds the value of the owner attribute from the job definition (e.g., owner: userA).
   • request.identity: This variable holds the ID of the user performing the action (e.g., the user logged in and running jil).

3. Click Save to add the filter.

    

Step 7: Save and Verify the Policy

1. Click Save at the bottom of the page to save the entire policy.
2. The policy is now active.

Verification Example

With this policy in place, here is how EEM will process requests from userA:

Scenario 1: Allowed Action (Correct Owner)

• userA runs jil to insert a job with the following definition:
  jil insert_job: my_job job_type: CMD command: ls -l machine: localhost owner: userA
• EEM Evaluation:
  • request.identity is userA.
  • request.resource (the owner value) is userA.
  • The filter request.resource == request.identity evaluates to TRUE.
• Result: The action is permitted, and the job is created successfully.

Scenario 2: Denied Action (Incorrect Owner)

• userA runs jil to insert a job with a different owner:
  jil insert_job: another_job job_type: CMD command: date machine: localhost owner: some_other_user
• EEM Evaluation:
  • request.identity is userA.
  • request.resource (the owner value) is some_other_user.
  • The filter request.resource == request.identity evaluates to FALSE.
• Result: The action is denied. The user will receive a security error, and the job will not be created.

By following these steps, you have successfully configured EEM to enforce that a job's owner must match the user creating the job.