ACTIVATE_UC_OBJECT allows starting jobs on an unauthorized Agent

Article Id: 84617
Status: Published
Updated On: 15-04-2018 07:01
Legacy Id: 000013894
Products:
CA Automic Workload Automation - Automation Engine AUTOMIC WORKLOAD AUTOMATION
Issue/Introduction:

Error Message :
N/A

The Script Function ACTIVATE_UC_OBJECT allows a Job to be started on an Agent that does not have execute permissions in the current client.

Investigation

1. Agent ABC has no "Execute" authorization for Client 100.

2. Client 100 contains these 2 Objects:

  • SCRI.ACTIVATE.OBJECT
:PSET &AGENT# = 'ABC'
:SET &START# = ACTIVATE_UC_OBJECT("JOBS.WIN.PING.LOCALHOST",,,,,PASS_VALUES,,"JOBS.WIN.PING.LOCALHOST")
  • JOBS.WIN.PING.LOCALHOST with '&AGENT#' in the Host Attribute.

3. Now run SCRI.ACTIVATE.OBJECT.

Results

Expected: The execution of "JOBS.WIN.PING.LOCALHOST" should fail because the agent does not have the necessary authorizations.

Actual: "JOBS.WIN.PING.LOCALHOST" will run on the Agent although it has no execute authorizations on this Client. Also happens if it has no permissions at all for this client.

Cause:

Cause type:
Defect
Root Cause: The check of the execute permissions is not performed on an agent if the job is started via ACTIVATE_UC_OBJECT

Environment:

OS Version: N/A

Resolution:

Update to a fix version listed below or a newer version if available.

Fix Status: In Progress

Fix Version(s):
Component(s): AE Server + Initial Data:

Automation Engine 12.2.0 - Planned release date: 2018-06-19
Automation Engine 12.1.1 - Available
Automation Engine 12.0.5 - Planned release date: 2018-05-07

Additional Information:

Workaround :
In client 0, add

1 - A VARA.SQLI to check the agent's execute permissions in the current client:


SELECT HACL_execute
FROM OH, HACL
WHERE OH_Idnr=HACL_OH_Idnr
AND OH_DeleteFlag='0'
AND HACL_Client= &$Client#
AND OH_Name= &$AGENT#

Prerequisites:
  • SQLVAR_INTERNAL must be set to 'Y' in UC_SYSTEM_SETTINGS
  • VAR_SECURITY_LEVEL must be set to '2' so the predefined variables can be used in the SQLI.

2 -  A HEADER.<JOBS.TYPE>.PRE.USER that will use the SQLI to check the authorizations and terminate the task if the agent does not have execute permissions:
 
:SET &EXEC_PERM# = GET_VAR(VARA.SQLI.HACL)
:IF &EXEC_PERM# = '1'
: PRINT &AGENT# is allowed to run tasks in Client &$CLIENT#. Execution will proceed.
:ELSE
: PRINT &AGENT# is not allowed to run tasks in Client &$CLIENT#. The current task will be canceled.
: EXIT 1
:ENDIF

An XML import of the objects is attached to this article.

insert_drive_file 1558536014990authorizations_issue_workaround.xml
arrow_downward Download