Completing the security configuration

Configuring the security file on the new backup master domain manager.

About this task

To complete the security configuration for the new environment, there are a few tasks to complete that can vary depending on whether you are using the default role-based security model, or the classic security model.

Role-based security model
Grant users access to all of the objects associated to the domain and to folders. For example, to grant full access to all objects in the domain and on all folders, create an Access Control list for the users to which you want to give access
  1. Grant users access to all of the objects associated to the domain and to objects in the root (/) folder. For example, to grant full access to all objects in the domain and on all folders, create an Access Control list for the users to which you want to give access:
    1. From the Dynamic Workload Console, open the Manage Workload Security panel and select Give access to users and groups.
    2. Select the group from the drop-down list and then select FULLCONTROL in the field Role.
    3. Select Domain and assign ALLOBJECTS.
    4. Click Save and create new.
    5. Select the group from the drop-down list and then select FULLCONTROL in the field Role.
    6. Select Folder and then assign the root by clicking /.
    7. Click Save.
Classic security model
If you use the classic security model and have specific security settings in your current environment, these settings must be manually merged with the new settings before you build the final security file to be used in your new environment. The statements you might have to add manually vary depending on your specific security settings.
To manually merge the new settings, complete the following procedure:
  1. Log in as TWS_user on your upgraded master domain manager and set the HCL Workload Automation environment.
  2. If you have centralized security enabled, extract the new security file on the master using the command: 
    dumpsec > sec_file
    where sec_file is the text file created by the dumpsec command.
  3. Edit the sec_file, and insert the following statements in all of the stanzas in the file:
    Folder
    FOLDER    NAME=/     ACCESS=ADD,DELETE,DISPLAY,MODIFY,USE,LIST,UNLOCK, ACL
    Folder access must be given to scheduling objects and access to the folder in which the workstation is defined must be given for the JOB, SCHEDULE, USEROBJ, RESOURCE, and PARAMETER objects:
    job           cpu=@   + folder = /  + cpufolder = /  access=@
schedule      cpu=@   + folder = /   + cpufolder = / access=@
cpu           cpu=@   + folder = /                   access=@
userobj       cpu=@   + cpufolder = /                access=@
resource      cpu=@   + folder = /   + cpufolder = / access=@
prompt         + folder = /                          access=@
calendar       + folder = /                          access=@
eventrule     name=@  + folder = /    access=add,delete,display,modify,list,unlock
parameter     cpu=@   + folder = /   + cpufolder = / access=@
runcygrp      name=@  + folder = /    access=add,delete,display,modify,use,list,unlock 
vartable      name=@  + folder = /    access=add,delete,display,modify,use,list,unlock
wkldappl      name=@  + folder = /    access=add,delete,display,modify,list,unlock
    Workload application
    WKLDAPPL NAME=@  + FOLDER = /      ACCESS=ADD,DELETE,DISPLAY,MODIFY,LIST,UNLOCK
    Run cycle group
    RUNCYGRP NAME=@  + FOLDER = /      ACCESS=ADD,DELETE,DISPLAY,MODIFY,USE,LIST,UNLOCK
    Centralized agent update
    Replace the statement: 
    CPU CPU=@   
ACCESS=ADD,CONSOLE,DELETE,DISPLAY,FENCE,LIMIT,LINK,MODIFY,SHUTDOWN,
START,STOP,UNLINK,LIST,UNLOCK,RUN,RESETFTA
    with the following statement: 
    CPU CPU=@   + FOLDER = / 
ACCESS=ADD,CONSOLE,DELETE,DISPLAY,FENCE,LIMIT,LINK,MODIFY,SHUTDOWN,
START,STOP,UNLINK,LIST,UNLOCK,RUN,RESETFTA,MANAGE
    Adding members to workstation class
    Following the upgrade, to create or modify workstation classes, you must add USE access to CPU objects that are members, or that will be added as members to a workstation class.
    CPU CPU=@  + FOLDER = /  
ACCESS=ADD,CONSOLE,DELETE,DISPLAY,FENCE,LIMIT,LINK,MODIFY,SHUTDOWN,
START,STOP,UNLINK,LIST,UNLOCK,RUN,RESETFTA,MANAGE,USE
  4. Check that the user permissions of the new statements are correct and, if necessary, add the user of your old master domain manager to the security file of the master you just upgraded.
  5. Due to new support of the UPN Windows user, if you have Windows domain users that are defined in the logon fields as domain\username, insert the escape character '\' before the '\' character in the domain\username value.For example, if you use the MYDOMAIN\user1 value in the logon field, after the upgrade, in the Security file you must update the line in following way:
    ..............
logon=MYDOMAIN\\user1
...............
  6. Save your changes to the sec_file.
  7. Build your final security file for your new master domain manager using the makesec command: 
    makesec sec_file
  8. If you have centralized security enabled, distribute the security file.

    Run JnextPlan -for 0000 to distribute the Symphony file to the agents.

    Note: Ensure that the optman cf option is set to all or only the unfinished job streams are carried forward.
  9. Restore the previous setting of the optman cf option, if necessary.

What to do next

You can now proceed to Making the switch manager permanent.