Organizations often need to enforce security policies that prevent non-administrative users from defining AutoSys jobs with root as the job owner. Allowing jobs to run as root can pose significant security risks. This document outlines methods to restrict the ability to specify root as the owner when creating or modifying AutoSys jobs.
Product: AutoSys Workload Automation
Component: EEM (Embedded Entitlements Manager), JIL (Job Information Language)
Integration: Security policies
To restrict users from specifying root as the job owner, you can implement an as-owner EEM policy or explore AutoSys JIL Verification.
1. Using an EEM as-owner Policy: Create an EEM policy specifically for the as-owner resource class, targeting root.* with regular expression matching enabled.
This policy will define which users or groups are explicitly allowed to use root as an owner, effectively denying it for all others.
For more details about WorkloadAutomationAE policies see here:
Important note on jil inserts: This as-owner policy is only checked during jil inserts if the owner field is explicitly specified.
If the owner field is omitted, the default owner for the job will be used, and this policy might not be triggered.
2. AutoSys JIL Verification: As a more advanced and customizable option, you can implement AutoSys JIL Verification.
This allows clients to write custom code to enforce specific restrictions or validations during the JIL submission process, including checks on job owners.
* Implementation: JIL Verification involves custom coding to meet specific organizational requirements.
* Resources for JIL Verification:
  * JIL Verification Example - YouTube
  * AutoSys JIL Verification - Broadcom community
Note: Any custom JIL Verification implementation must be deployed and active on all as_server hosts to be effective across the AutoSys environment.
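The owner check described above can be sketched as a standalone pre-submission check on JIL text. This is an added example, not Broadcom code, and it does not use the AutoSys JIL Verification interface. The function name, verdict strings, allowlist parameter and sample JIL are assumptions made for illustration, and it assumes one attribute per line after the insert_job/update_job line.

```python
import re

ROOT_OWNER = re.compile(r"root.*")   # pattern from the as-owner policy above
JOB_START = re.compile(r"^\s*(insert_job|update_job)\s*:\s*(\S+)")
OWNER = re.compile(r"^\s*owner\s*:\s*(\S+)")

# Constructed sample JIL, not taken from any real environment.
SAMPLE_JIL = """\
insert_job: nightly_backup   job_type: CMD
command: /opt/scripts/backup.sh
machine: apphost01
owner: root@apphost01

insert_job: report_gen   job_type: CMD
command: /opt/scripts/report.sh
machine: apphost01

update_job: cleanup_tmp
owner: batchuser@apphost01
"""

def check_jil(jil_text, submitter, allowed_root_users=frozenset()):
    """Return (job, verdict) pairs for every job definition in jil_text."""
    jobs = []                        # each entry: [subcommand, name, owner or None]
    for line in jil_text.splitlines():
        start = JOB_START.match(line)
        if start:
            jobs.append([start.group(1), start.group(2), None])
            continue
        owner = OWNER.match(line)
        if owner and jobs:
            jobs[-1][2] = owner.group(1)
    findings = []
    for subcommand, name, owner in jobs:
        if owner is None:
            # Page caveat: with no owner field the default owner is used and
            # the as-owner policy might not be triggered on insert.
            verdict = "review-default-owner" if subcommand == "insert_job" else "ok"
        elif ROOT_OWNER.fullmatch(owner) and submitter not in allowed_root_users:
            verdict = "deny-root-owner"
        else:
            verdict = "ok"
        findings.append((name, verdict))
    return findings

if __name__ == "__main__":
    for job, verdict in check_jil(SAMPLE_JIL, submitter="jdoe"):
        print(f"{job}: {verdict}")
```

The review-default-owner verdict covers the omitted-owner case noted above, where the as-owner policy might not be triggered.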