When the security management framework is enabled, the following rules apply:
- The super user (dmcl_admin) can run any command.
- A user who has write or execute permission implicitly has read permission also. This applies to both daemon and job-level permissions.
- A user who creates a job is the job owner and automatically has job-level read, write, and execution permissions for the job.
- The job-level read, write, and execute permissions are applied at the base job name only. For commands that have the job execution name in the job_name parameter, the job-level permission is checked against the execution base job name.
- When a regular Viewpoint user runs the create command to create a job, the owner_name field in the SecurityType object is replaced in the create job request to represent the user authentication result. This occurs whenever the request user name is not the super user (dmcl_admin), regardless of the daemon security setting. The Data Mover daemon processes the create command and records the owner name and other user and role permission information. For the super user (dmcl_admin), the owner_name is not changed. This allows the super user to run the create job command with any user credential provided in the original job request.
- When daemon security is enabled, user global modification permissions are verified when running the create command. This includes properties such as available utilities and maximum number of streams. If a user does not have the proper modification permission, the create request fails.
- When daemon security is enabled, user global modification permissions are verified for update_job_steps and update_job_priorities. If a user does not have the proper modification permission, a security exception occurs.
- A user can update job permissions by running the start command with dynamical parameters, or by using the edit_job command. When daemon security is enabled, a user must be the super user (dmcl_admin), the Viewpoint Administrator with write permissions, or the job owner to update job permissions; otherwise, a security exception occurs.
- When security is enabled, only the super user (dmcl_admin) or Viewpoint Administrator with write permission can use the start or edit job command to change job owner.