Completing the security configuration

About this task

After updating the master domain manager and backup master domain manager with the fix pack, complete the security configuration. There are a few tasks to complete that can vary depending on whether you are using the default role-based security model, or the classic security model.

Role-based security model
To quickly and easily update your security file with the latest changes introduced with folders, open any access control list definition and make a small change. A single change propagates an update to the entire file. The following is an example of a small change that propagates an update to the entire file:
  1. From the Dynamic Workload Console, click Administration > Manage Workload Security.
  2. In Access Control List, select Manage accesses.
  3. Select the TWSUSER access control list and click Edit.
  4. Remove the FULLCONTROL role, then add it back again.
  5. Click Save and Exit.
The folder attribute is automatically added to all scheduling CPU objects, and the cpufolder attribute is added to the job, job stream, userobj, resources, and parameter objects.
Classic security model
If you use the classic security model and have specific security settings in your current environment, these settings must be manually merged with the new settings before you build the final security file to be used in your new environment. The statements you might have to add manually vary depending on your specific security settings.
To manually merge the new settings, complete the following procedure:
  1. Log in as TWS_user on your upgraded master domain manager and set the HCL Workload Automation environment.
  2. If you have centralized security enabled, extract the new security file on the master using the command: 
    dumpsec > sec_file
    where sec_file is the text file created by the dumpsec command.
  3. Edit the sec_file, and insert the following statements in all of the stanzas in the file:
    Folder
    FOLDER    NAME=/     ACCESS=ADD,DELETE,DISPLAY,MODIFY,USE,LIST,UNLOCK, ACL
    Folder access must be given to scheduling objects and access to the folder in which the workstation is defined must be given for the JOB, SCHEDULE, USEROBJ, RESOURCE, and PARAMETER objects:
    job           cpu=@   + folder = /  + cpufolder = /  access=@
schedule      cpu=@   + folder = /   + cpufolder = / access=@
cpu           cpu=@   + folder = /                   access=@
userobj       cpu=@   + cpufolder = /                access=@
resource      cpu=@   + folder = /   + cpufolder = / access=@
prompt         + folder = /                          access=@
calendar       + folder = /                          access=@
eventrule     name=@  + folder = /    access=add,delete,display,modify,list,unlock
parameter     cpu=@   + folder = /   + cpufolder = / access=@
runcygrp      name=@  + folder = /    access=add,delete,display,modify,use,list,unlock 
vartable      name=@  + folder = /    access=add,delete,display,modify,use,list,unlock
wkldappl      name=@  + folder = /    access=add,delete,display,modify,list,unlock
    Workload application
    WKLDAPPL NAME=@  + FOLDER = /	ACCESS=ADD,DELETE,DISPLAY,MODIFY,LIST,UNLOCK
    Run cycle group
    RUNCYGRP NAME=@  + FOLDER = /	ACCESS=ADD,DELETE,DISPLAY,MODIFY,USE,LIST,UNLOCK
    Centralized agent update
    Replace the statement: 
    CPU CPU=@   
ACCESS=ADD,CONSOLE,DELETE,DISPLAY,FENCE,LIMIT,LINK,MODIFY,SHUTDOWN,
START,STOP,UNLINK,LIST,UNLOCK,RUN,RESETFTA
    with the following statement: 
    CPU CPU=@   + FOLDER = / 
ACCESS=ADD,CONSOLE,DELETE,DISPLAY,FENCE,LIMIT,LINK,MODIFY,SHUTDOWN,
START,STOP,UNLINK,LIST,UNLOCK,RUN,RESETFTA,MANAGE
    Adding members to workstation class
    Following the upgrade, to create or modify workstation classes, you must add USE access to CPU objects that are members, or that will be added as members to a workstation class.
    CPU CPU=@  + FOLDER = /  
ACCESS=ADD,CONSOLE,DELETE,DISPLAY,FENCE,LIMIT,LINK,MODIFY,SHUTDOWN,
START,STOP,UNLINK,LIST,UNLOCK,RUN,RESETFTA,MANAGE,USE
  4. Check that the user permissions of the new statements are correct and, if necessary, add the user of your old master domain manager to the security file of the master you just upgraded.
  5. Due to new support of the UPN Windows user, if you have Windows domain users that are defined in the logon fields as domain\username, insert the escape character '\' before the '\' character in the domain\username value.For example, if you use the MYDOMAIN\user1 value in the logon field, after the upgrade, in the Security file you must update the line in following way:
    ..............
logon=MYDOMAIN\\user1
...............
  6. Save your changes to the sec_file.
  7. Build your final security file for your new master domain manager using the makesec command: 
    makesec sec_file
  8. If you have centralized security enabled, distribute the security file.

    Run JnextPlan -for 0000 to distribute the Symphony file to the agents.

    Note: Ensure that the optman cf option is set to all or only the unfinished job streams are carried forward.
  9. Restore the previous setting of the optman cf option, if necessary.

What to do next

You can now proceed to Updating the dynamic domain manager.