ACTIVATE_UC_OBJECT allows starting jobs on an unauthorized Agent


Article ID: 84617


Updated On:

Products

CA Automic Workload Automation - Automation Engine

Issue/Introduction

Error Message:
N/A

The Script Function ACTIVATE_UC_OBJECT allows a Job to be started on an Agent that does not have execute permissions in the current client.

Investigation

1. Agent ABC has no "Execute" authorization for Client 100.

2. Client 100 contains these 2 Objects:
  • SCRI.ACTIVATE.OBJECT
    :PSET &AGENT# = 'ABC'
    :SET &START# = ACTIVATE_UC_OBJECT("JOBS.WIN.PING.LOCALHOST",,,,,PASS_VALUES,,"JOBS.WIN.PING.LOCALHOST")
  • JOBS.WIN.PING.LOCALHOST with '&AGENT#' in the Host Attribute.

3. Now run SCRI.ACTIVATE.OBJECT.

Results

Expected: The execution of "JOBS.WIN.PING.LOCALHOST" should fail because the agent does not have the necessary authorizations.

Actual: "JOBS.WIN.PING.LOCALHOST" runs on the Agent although the Agent has no execute authorization on this Client. This also happens if the Agent has no permissions at all for this Client.

Cause

Cause type:
Defect
Root Cause: The Agent's execute permissions are not checked when the job is started via ACTIVATE_UC_OBJECT.

Environment

OS Version: N/A

Resolution

Update to a fix version listed below or a newer version if available.

Fix Status: Fixed

Fix Version(s):
Component(s): AE Server + Initial Data:

Automation Engine 12.2.0 - Available
Automation Engine 12.1.1 - Available
Automation Engine 12.0.5 - Available

Additional Information

Workaround:
In client 0, add the following:

1 - A VARA.SQLI to check the agent's execute permissions in the current client:

SELECT HACL_execute
FROM OH, HACL
WHERE OH_Idnr=HACL_OH_Idnr
AND OH_DeleteFlag='0'
AND HACL_Client= &$Client#
AND OH_Name= &$AGENT#

Prerequisites:
  • SQLVAR_INTERNAL must be set to 'Y' in UC_SYSTEM_SETTINGS
  • VAR_SECURITY_LEVEL must be set to '2' so the predefined variables can be used in the SQLI.

2 - A HEADER.<JOBS.TYPE>.PRE.USER that uses the SQLI to check the authorizations and terminates the task if the agent does not have execute permissions:

:SET &EXEC_PERM# = GET_VAR(VARA.SQLI.HACL)
:IF &EXEC_PERM# = '1'
: PRINT &AGENT# is allowed to run tasks in Client &$CLIENT#. Execution will proceed.
:ELSE
: PRINT &AGENT# is not allowed to run tasks in Client &$CLIENT#. The current task will be canceled.
: EXIT 1
:ENDIF

An XML import of the objects is attached to this article.
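
The following is an added example, not part of the original article or of the product: it runs the workaround's SQLI query against a small constructed copy of the OH and HACL tables in SQLite and applies the same proceed/cancel decision as the header script. The table layout, column types and sample rows are assumptions made for illustration, and the example assumes that an empty lookup result is treated like any other value that is not '1'.

```python
import sqlite3

# The workaround's VARA.SQLI query, with the Automic predefined variables
# (&$Client#, &$AGENT#) replaced by bind parameters.
QUERY = """
SELECT HACL_execute
FROM OH, HACL
WHERE OH_Idnr = HACL_OH_Idnr
  AND OH_DeleteFlag = '0'
  AND HACL_Client = ?
  AND OH_Name = ?
"""

def build_sample_db():
    # Constructed miniature of the two tables: only the columns the query
    # uses, with assumed types. Not the real Automation Engine schema.
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE OH (OH_Idnr INTEGER, OH_Name TEXT, OH_DeleteFlag TEXT);
        CREATE TABLE HACL (HACL_OH_Idnr INTEGER, HACL_Client INTEGER,
                           HACL_execute INTEGER);
        INSERT INTO OH VALUES (1, 'ABC', '0'), (2, 'XYZ', '0'),
                              (3, 'OLD', '1');
        INSERT INTO HACL VALUES (1, 100, 0),  -- ABC: row exists, no Execute
                                (1, 200, 1),  -- ABC: Execute in client 200
                                (2, 200, 1),  -- XYZ: no row for client 100
                                (3, 100, 1);  -- OLD: deleted agent object
    """)
    return db

def may_execute(db, client, agent):
    # Mirrors the header's IF/ELSE: proceed only when the lookup yields 1.
    # Assumption: no matching row counts as "not 1", so the task is canceled.
    row = db.execute(QUERY, (client, agent)).fetchone()
    exec_perm = "" if row is None else str(row[0])
    return exec_perm == "1"

if __name__ == "__main__":
    db = build_sample_db()
    for client, agent in [(100, "ABC"), (200, "ABC"), (100, "XYZ"), (100, "OLD")]:
        verdict = "proceed" if may_execute(db, client, agent) else "cancel"
        print(f"client {client} agent {agent}: {verdict}")
```

The XYZ and OLD cases cover the "no permissions at all" situation from the Results section: the query returns no row, and the check still cancels the task.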

Attachments

1558536014990authorizations_issue_workaround.xml