Access required to run Orchestration CLI commands

You must have specific permissions to run each command in Orchestration CLI. The level of access required to run a command is customizable, and you can use Dynamic Workload Console (DWC) or Orchestration CLI to manage the roles.

In HCL Universal Orchestrator you can create roles for each user and configure the level of access to perform specific actions. Roles are classified into two types: administrative and standard. You must create an administrative and a standard role for each user. The administrative role defines the level of access a user must have to manage API keys and register an agent. The standard role defines the level of access a user must have to run specific commands. In DWC, you can navigate to Administration > Manage Workload Security > Create new roles to manage the permissions associated with both role types.

The permissions associated with Orchestration CLI commands are grouped under the following categories:
  • Design and Monitor Workload

    Permissions related to model commands.

  • Modify current plan

    Permissions related to plan commands.

  • Submit Workload

    Permissions related to job and job stream definitions in plan.

  • Manage Workload Environment

    Permissions related to workstations.

  • Administrative Tasks

    Permissions related to administration and plug-ins.

If you run a command without the specific permissions, an error message is displayed. However, if you do not have the LIST permission, you get a warning message for the same operation. The following tables list the permission required for specific commands and the corresponding messages displayed if the permissions are not granted.
Orchestration CLI model commands
| Command | Access required on items | Message displayed with LIST permission | Message displayed without LIST permission |
|---|---|---|---|
| add | ADD. Important: If you want to perform the action on an existing item, you must have the MODIFY access and if the item is locked by another user, you must also have the UNLOCK access. | AWSMCS023E | AWSMRP006W |
| delete | DELETE | AWSMCS023E | AWSMRP006W |
| display | DISPLAY. Important: If you want to run the command with the FULL parameter to view information about job streams, then you must also have DISPLAY access on job. | AWSMCS023E | AWSMRP006W |
| extract | DISPLAY. Important: In addition to the permission mentioned above, you must also have MODIFY access if you want to run the command with the lock parameter. | AWSMCS023E | AWSMRP006W |
| list | LIST | - | - |
| listfolder | LIST | AWSMCS023E | AWSMRP006W |
| lock | MODIFY | AWSMCS023E | AWSMRP006W |
| mkfolder | ADD | AWSMCS023E | AWSMRP006W |
| modify | MODIFY and DISPLAY. Important: In addition to the permission mentioned above, you must also have the following permissions if you want to run the command to update information about job streams: USE access on jobs; USE access on calendars. Furthermore, if you want to run the command with FULL parameter, you must also have the following permissions: DISPLAY access on jobs; USE access on workstation where the job is defined; ADD access on job if the job definition is new, or MODIFY access on job if the definition is an existing one. | AWSMCS023E | AWSMRP006W |
| new | ADD | AWSMCS023E | AWSMRP006W |
| rename | DELETE and ADD | AWSMCS023E | AWSMRP006W |
| renamefolder | DELETE and ADD | AWSMCS023E | AWSMRP006W |
| replace | To replace with a new item: ADD. To replace an existing item: MODIFY. To replace an existing item that is locked by another user: MODIFY and UNLOCK. Important: In addition to the permission mentioned above, you must also have the following permissions if you want to run the command to update information about job streams: USE access on jobs; USE access on calendars. Furthermore, if you want to run the command with FULL parameter, you must also have the following permissions: DISPLAY access on jobs; USE access on workstation where the job is defined; ADD access on job if the job definition is new, or MODIFY access on job if the definition is an existing one. | AWSMCS023E | AWSMRP006W |
| rmfolder | DELETE | AWSMCS023E | AWSMRP006W |
| unlock | If the item is locked by the same user: LIST. If the item is locked by another user: UNLOCK. | AWSMCS023E | AWSMRP006W |

Note: If you run the extract command with the FULL parameter, then the AWSMCS028E message is displayed.

AWSMCS023E: The user user_name is not authorized to perform the action command_name on an item item_name with folder folder_name.

AWSMRP006W: The entity entity_name is not found with the ID: ID.

AWSMCS028E: The entity job_name is not found with the ID: job_id.

Orchestration CLI plan commands
| Command | Access required on items | Message displayed with LIST permission | Message displayed without LIST permission |
|---|---|---|---|
| adddep job/sched | ADDDEP | AWSMCS027E | AWSMCS027E |
| altjob | SUBMIT | AWSMCS027E | AWSMCS027E |
| altpass | MODIFY | AWSMCS027E | AWSMCS027E |
| altpri | altpri | AWSMCS027E | AWSMSL009E |
| cancel job/sched | CANCEL | AWSMCS027E | AWSMSL009E |
| confirm | JOB-CONFIRM | AWSMCS027E | AWSMSL009E |
| deldep job/sched | DELDEP | AWSMCS027E | AWSMCS027E |
| fence | fence | AWSMCS027E | AWSMCS027E |
| kill | JOB-KILL | AWSMCS027E | AWSMSL009E |
| limit sched | limit | AWSMCS027E | AWSMCS027E |
| listfolder | LIST | AWSMCS027E | AWSMCS027E |
| release job/sched | RELEASE | AWSMCS027E | AWSMCS027E |
| rerun | rerun | AWSMCS027E | AWSMSL009E |
| setonline | LINK | AWSMCS027E | AWSMSL009E |
| setoffline | UNLINK | AWSMCS027E | AWSMSL009E |
| showcpu | DISPLAY | AWSMSL009E | AWSMSL009E |
| showjobs | DISPLAY | AWSMSL009E | AWSMSL009E |
| showsched | DISPLAY | AWSMSL009E | AWSMSL009E |
| submit docommand | You must have the same accesses you need for the submit job command. | AWSMCS027E | AWSMSL009E |
| submit job | You need specific access to perform actions on jobs and ad-hoc jobs. To submit an existing job definition, you must have JOB-SUBMIT or JOB-SUBMITDB access. If you want to submit an existing job definition into an existing job stream, in addition to the access specified above, you must also have the SCHEDULE-SUBMIT access. To submit an existing ad-hoc job definition, you must have the JOB-SUBMITDB and CPU-USE access. If you want to submit an existing ad-hoc job definition into an existing job stream, in addition to the access specified above, you must also have the SCHEDULE-SUBMIT access. | AWSMCS027E | AWSMSL009E |
| submit sched | SCHEDULE-SUBMIT | AWSMCS027E | AWSMSL009E |

AWSMCS027E: You do not have permission to perform the operation command_name on the following item type item_name with item key: item_key.

AWSMSL009E: The criteria specified in the command does not match any item.
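
The message codes above can be used to triage Orchestration CLI output during a role review: AWSMCS023E and AWSMCS027E name the denied action, while the "not found" codes can mean either a missing item or a missing LIST permission. The following Python script is an added example, not part of the HCL documentation or product; the line layout it expects (code, optional colon, message text) is an assumption based on the templates on this page, and the sample lines are constructed.

```python
import re
from collections import Counter

# Regexes built from the message templates on this page; the placeholders
# become named groups. Exact CLI output formatting is an assumption.
DENIED = {
    "AWSMCS023E": re.compile(
        r"The user (?P<user>\S+) is not authorized to perform the action "
        r"(?P<action>\S+) on an item (?P<item>.+?) with folder (?P<where>\S+?)\.?$"),
    "AWSMCS027E": re.compile(
        r"You do not have permission to perform the operation (?P<action>\S+) "
        r"on the following item type (?P<item>.+?) with item key: (?P<where>\S+?)\.?$"),
}
# "Not found" style codes: the tables list them for callers lacking LIST
# (AWSMSL009E also for some commands with LIST), so they can hide a denial.
AMBIGUOUS = {"AWSMRP006W", "AWSMSL009E", "AWSMCS028E"}
LINE = re.compile(r"^(?P<code>AWSM[A-Z]{2}\d{3}[EW]):?\s+(?P<text>.*)$")

def triage(lines):
    """Classify each recognised message line; ignore everything else."""
    findings = []
    for raw in lines:
        m = LINE.match(raw.strip())
        code = m["code"] if m else None
        if code in DENIED:
            fields = DENIED[code].search(m["text"])
            findings.append({"code": code, "verdict": "denied",
                             **(fields.groupdict() if fields else {})})
        elif code in AMBIGUOUS:
            findings.append({"code": code, "verdict": "not_found_or_missing_list"})
    return findings

def missing_actions(findings):
    """Count explicit denials per action, to feed a role review."""
    return Counter(f["action"] for f in findings
                   if f["verdict"] == "denied" and "action" in f)

# Constructed sample output, not captured from a real system.
SAMPLE = [
    "AWSMCS023E: The user jdoe is not authorized to perform the action delete on an item JOB_A with folder /PROD/.",
    "AWSMRP006W: The entity jobdefinition is not found with the ID: 1234.",
    "AWSMCS027E: You do not have permission to perform the operation kill on the following item type job with item key: ws1#JS1.JOB_A.",
    "AWSMSL009E: The criteria specified in the command does not match any item.",
    "Job stream submitted.",
]

if __name__ == "__main__":
    print(missing_actions(triage(SAMPLE)))
```

Findings with the verdict `not_found_or_missing_list` need a follow-up check of whether the role holds LIST on the item before they are treated as a genuine missing item.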

Orchestration CLI plug-in commands
| Command | Access required on items |
|---|---|
| delete | DELETE_PLUGIN |
| install | INSTALL_PLUGIN |
| list | LIST_PLUGIN |
| update | INSTALL_PLUGIN and DELETE_PLUGIN |