Access required to run Orchestration CLI commands

You must have specific permissions to run each command in Orchestration CLI. The level of access to run the command is customizable and you can use Dynamic Workload Console (DWC) or Orchestration CLI to manage the roles.

In HCL Universal Orchestrator you can create roles for each user and configure the level of access to perform specific actions. The roles are classified into two, administrative and standard. You must create an administrative and a standard role for each user. The administrative role defines the level of access user must have to manage API keys and register an agent. The standard role defines the level of access user must have to run specific commands. In DWC, you can navigate to Administration > Manage Workload Security > Create new roles to manage the permissions associated with both the role types. The different permissions associated with Orchestration CLI commands are grouped under the following categories.
  • Design and Monitor Workload

    Permissions related to model commands.

  • Modify current plan

    Permissions related to plan commands.

  • Submit Workload

    Permissions related to job and job stream definitions in plan.

  • Manage Workload Environment

    Permissions related to workstations.

  • Administrative Tasks

    Permissions related to administration.

The specific permissions required to run particular commands are given below.
Orchestration CLI model commands
Command Access required on items
add ADD
Important: If you want to perform the action on an existing item, you must have the MODIFY access and if the item is locked by another user, you must also have the UNLOCK access.
delete DELETE
display DISPLAY
Important: If you want to run the command with the FULL parameter to view information about job streams then you must also have Display access on job.
extract DISPLAY
Important: In addition to the permission mentioned above, you must also have MODIFY access if you want to run the command with the lock parameter.
list LIST
listfolder LIST
lock MODIFY
mkfolder ADD
modify

MODIFY and DISPLAY

Important: In addition to the permission mentioned above, you must also have the following permissions if you want to run the command to update information about job streams:
  • USE access on jobs.
  • USE access on calendars.
Furthermore, if you want to run the command with FULL parameter, you must also have the following permissions:
  • DISPLAY access on jobs.
  • USE access on workstation where the job is defined.
  • ADD access on job, If the job definition is new or MODIFY access on job if the definition is an existing one.
new ADD
rename DELETE and ADD
renamefolder DELETE and ADD
replace
  • To replace with a new item: ADD
  • To replace an existing item: MODIFY
  • To replace an existing item that is locked by another user: MODIFY and UNLOCK
    Important: In addition to the permission mentioned above, you must also have the following permissions if you want to run the command to update information about job streams:
    • USE access on jobs.
    • USE access on calendars.
    Furthermore, if you want to run the command with FULL parameter, you must also have the following permissions:
    • DISPLAY access on jobs.
    • USE access on workstation where the job is defined.
    • ADD access on job, If the job definition is new or MODIFY access on job if the definition is an existing one.
rmfolder DELETE
unlock
  • If the item is locked by the same user: LIST
  • If the item is locked by another user: UNLOCK
Orchestration CLI plan commands
Command Access required on items
adddep job/sched ADDDEP
altjob SUBMIT
altpass MODIFY
cancel job/sched CANCEL
confirm JOB-CONFIRM
deldep job/sched DELDEP
kill JOB-KILL
listfolder LIST
release job/sched RELEASE
setonline LINK
setoffline UNLINK
showcpu DISPLAY
showjobs DISPLAY
showschedules DISPLAY
submit docommand You must have the same accesses you need for the submit job command.
submit job You need specific access to perform actions on jobs and ad-hoc jobs.
  • To submit an existing job definition, you must have JOB-SUBMIT or JOB-SUBMITDB access. If you want to submit an existing job definition into an existing job stream, in addition to the access specified above, you must also have the SCHEDULE-SUBMIT access.
  • To submit an existing ad-hoc job definition, you must have the JOB-SUBMITDB and CPU-USE access. If you want to submit an existing ad hoc job definition into an existing job stream, in addition to the access specified above, you must also have the SCHEDULE-SUBMIT access.
submit sched SCHEDULE-SUBMIT