Restricting User Access to Specific Machines and Actions in WCC Agent Inventory

Article ID: 438058

Products

AutoSys Workload Automation

Issue/Introduction

A client needs to limit end-user access within the WCC Agent Inventory to a specific set of machines.
Additionally, they wish to restrict the available commands so that users can only perform "Restart" actions without having the ability to "Stop" or "Delete" agents.

Environment

  • AutoSys Workload Automation (All Versions)
  • Workload Control Center (WCC)
  • Embedded Entitlements Manager (EEM)

Cause

This is a guidance request regarding the security architecture of WCC.
The requirement exceeds the default granular permissions available in the EEM resource classes.

Resolution

1. Restricting Access to Specific Agent Machines

User access can be restricted to specific agent machines using CA EEM.

  • Application Instance: Locate your WCC instance (typically WCC0004).
  • Resource Class: Use the AgentAccess resource class.
  • Policy Configuration: Create a custom policy and specify the individual machine names or naming patterns (using wildcards) in the Resource field.
  • Limitation: This approach requires high administrative overhead. Unless a consistent naming convention (e.g., PROD_AGENTS_*) is used, policies must be manually updated whenever agents are commissioned or decommissioned.
  • Behavior: Users may still see restricted agents in the global list depending on ServerAccess policies, but attempting any action will result in an EEM permission error: "User does not have permission to perform the action."
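The following is an added example, not part of the original article or the product: a Python check for the policy drift described under Limitation, comparing the entries typed into a policy's Resource field with the current agent inventory. It assumes the wildcard behaves like a case-sensitive `*` glob (confirm this against your EEM version); the function name and all machine names are constructed for illustration.

```python
from fnmatch import fnmatchcase

# Constructed sample data (not taken from any real environment).
RESOURCES = ["PROD_AGENTS_*", "billing01", "legacy-db2"]   # policy Resource entries
INVENTORY = ["PROD_AGENTS_01", "PROD_AGENTS_02", "PROD_AGENTS_TEST",
             "billing01", "billing02", "hr01"]             # agents defined today
INTENDED = ["PROD_AGENTS_01", "PROD_AGENTS_02",
            "billing01", "billing02"]                      # agents the group should manage


def audit_policy(resources, inventory, intended):
    """Compare a policy's Resource entries with the agent inventory.

    Assumption: an entry matches an agent name the way a case-sensitive
    shell glob would, which may differ from EEM's actual matching rules.
    """
    inventory_set = set(inventory)
    intended_set = set(intended)

    # Agents that at least one Resource entry grants access to.
    covered = {agent for agent in inventory_set
               if any(fnmatchcase(agent, entry) for entry in resources)}

    return {
        # Intended agents the policy does not cover yet, e.g. newly
        # commissioned machines that fall outside the naming convention.
        "missing": sorted((intended_set & inventory_set) - covered),
        # Agents the policy covers although nobody intended it, which is
        # what an over-broad wildcard produces.
        "excess": sorted(covered - intended_set),
        # Entries that match no current agent: decommissioned or mistyped.
        "stale": sorted(entry for entry in resources
                        if not any(fnmatchcase(agent, entry)
                                   for agent in inventory_set)),
    }


if __name__ == "__main__":
    for finding, names in audit_policy(RESOURCES, INVENTORY, INTENDED).items():
        print(f"{finding}: {', '.join(names) or '-'}")
```

Running a check like this whenever agents are commissioned or decommissioned shows which Resource entries need updating before users hit the permission error or gain access to machines outside their set.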

2. Restricting Granular UI Actions

It is not possible to isolate the "Restart" action by itself in the WCC UI. EEM groups Agent Inventory actions into four rigid "buckets." To grant "Restart," a user must be granted the Control bucket, which automatically includes:

  • Restart Agent
  • Stop Agent
  • Reset Action Status

There is no supported method to grant "Restart" while denying "Stop."