ACTIVATE_UC_OBJECT allows starting jobs on an unauthorized Agent
Article ID: 84617
Updated On:
Products
CA Automic Workload Automation - Automation Engine
Issue/Introduction
Error Message :
N/A
The Script Function ACTIVATE_UC_OBJECT allows a Job to be started on an Agent that does not have execute permissions in the current client.
Investigation
1. Agent ABC has no "Execute" authorization for Client 100.
2. Client 100 contains these 2 Objects:
3. Now run SCRI.ACTIVATE.OBJECT.
Results
Expected: The execution of "JOBS.WIN.PING.LOCALHOST" should fail because the agent does not have the necessary authorizations.
Actual: "JOBS.WIN.PING.LOCALHOST" will run on the Agent although it has no execute authorizations on this Client. Also happens if it has no permissions at all for this client.
N/A
The Script Function ACTIVATE_UC_OBJECT allows a Job to be started on an Agent that does not have execute permissions in the current client.
Investigation
1. Agent ABC has no "Execute" authorization for Client 100.
2. Client 100 contains these 2 Objects:
- SCRI.ACTIVATE.OBJECT
:PSET &AGENT# = 'ABC'
:SET &START# = ACTIVATE_UC_OBJECT("JOBS.WIN.PING.LOCALHOST",,,,,PASS_VALUES,,"JOBS.WIN.PING.LOCALHOST")
:SET &START# = ACTIVATE_UC_OBJECT("JOBS.WIN.PING.LOCALHOST",,,,,PASS_VALUES,,"JOBS.WIN.PING.LOCALHOST")
- JOBS.WIN.PING.LOCALHOST with '&AGENT#' in the Host Attribute.
3. Now run SCRI.ACTIVATE.OBJECT.
Results
Expected: The execution of "JOBS.WIN.PING.LOCALHOST" should fail because the agent does not have the necessary authorizations.
Actual: "JOBS.WIN.PING.LOCALHOST" will run on the Agent although it has no execute authorizations on this Client. Also happens if it has no permissions at all for this client.
Cause
Cause type:
Defect
Root Cause: The check of the execute permissions is not performed on an agent if the job is started via ACTIVATE_UC_OBJECT
Defect
Root Cause: The check of the execute permissions is not performed on an agent if the job is started via ACTIVATE_UC_OBJECT
Environment
OS Version: N/A
Resolution
Update to a fix version listed below or a newer version if available.
Fix Status: Fixed
Fix Version(s):
Component(s): AE Server + Initial Data:
Automation Engine 12.2.0 - Available
Automation Engine 12.1.1 - Available
Automation Engine 12.0.5 - Available
Additional Information
Workaround :
In client 0, add
1 - A VARA.SQLI to check the agent's execute permissions in the current client:
SELECT HACL_execute
FROM OH, HACL
WHERE OH_Idnr=HACL_OH_Idnr
AND OH_DeleteFlag='0'
AND HACL_Client= &$Client#
AND OH_Name= &$AGENT#
Prerequisites:
2 - A HEADER.<JOBS.TYPE>.PRE.USER that will use the SQLI to check the authorizations and terminate the task if the agent does not have execute permissions:
An XML import of the objects is attached to this article.
In client 0, add
1 - A VARA.SQLI to check the agent's execute permissions in the current client:
SELECT HACL_execute
FROM OH, HACL
WHERE OH_Idnr=HACL_OH_Idnr
AND OH_DeleteFlag='0'
AND HACL_Client= &$Client#
AND OH_Name= &$AGENT#
Prerequisites:
- SQLVAR_INTERNAL must be set to 'Y' in UC_SYSTEM_SETTINGS
- VAR_SECURITY_LEVEL must be set to '2' so the predefined variables can be used in the SQLI.
2 - A HEADER.<JOBS.TYPE>.PRE.USER that will use the SQLI to check the authorizations and terminate the task if the agent does not have execute permissions:
:SET &EXEC_PERM# = GET_VAR(VARA.SQLI.HACL)
:IF &EXEC_PERM# = '1'
: PRINT &AGENT# is allowed to run tasks in Client &$CLIENT#. Execution will proceed.
:ELSE
: PRINT &AGENT# is not allowed to run tasks in Client &$CLIENT#. The current task will be canceled.
: EXIT 1
:ENDIF
:IF &EXEC_PERM# = '1'
: PRINT &AGENT# is allowed to run tasks in Client &$CLIENT#. Execution will proceed.
:ELSE
: PRINT &AGENT# is not allowed to run tasks in Client &$CLIENT#. The current task will be canceled.
: EXIT 1
:ENDIF
An XML import of the objects is attached to this article.
Attachments
Feedback
Yes
No
Powered by
