Data Mover provides configuration parameters that control how security permissions are used. When security management is enabled, the access privileges available to a user for the daemon and for individual jobs depend on the configured security settings. If security management is not enabled, a Viewpoint user can perform any operation on any job in the Data Mover portlet.
Security Configuration Parameters
Parameter | Description |
---|---|
job.useSecurityMgmt | Determines whether security management is used. When set to true, the security framework is enabled, and the following two security parameters apply. The default is true. |
job.securityMgmtLevel | Determines the level of security management. The valid choices are daemon and job. The default is job. |
job.allowCommandLineUser | Determines whether the daemon always allows command line requests when the security level is set to daemon. When set to true, the command line does not enforce security checking even if security is enabled for the portlet. The default is false. |
User Profiles
When a user logs on to the Data Mover portlet, a user profile is authorized. The user profile contains one user name and a list of roles to which the user belongs. The user profile determines what actions the user can perform, depending on whether global or job level permissions apply.
Daemon-Level Permissions
When the job.securityMgmtLevel parameter is set to daemon, daemon-level permissions are used. A user profile is checked for its daemon read, execute, and write permissions. If the user name or any role of a user profile has a permission (read, run, or write), the user profile has the permission. The permission applies to all jobs on the daemon.
Job-Level Permissions
When the job.securityMgmtLevel parameter is set to job, both the daemon and the job level permissions are evaluated. A user profile has permission on a specific job only if the user profile has that daemon permission and the job level permission on that job. If the user name or any role of a user profile has a job-level permission (read, run, or write), permission is granted to the user profile for that particular job.
Read, write, and run permissions are assessed independently of each other. For example, a user or role has execute permissions for a job only if that user or role has execution permission at both the daemon level and at the job level. The same applies to read and write permissions. If a user profile contains multiple roles, the user profile is granted permissions if one role has daemon permissions and another has job level permissions.
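Added example, not Data Mover code: a Python model of the daemon-level and job-level evaluation rules described above, including the case where one role supplies the daemon permission and another supplies the job permission. The ACL dictionaries, principal names, and job name are constructed, and the command-line bypass is an assumed reading of job.allowCommandLineUser from the parameter table.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Config:
    use_security_mgmt: bool = True         # job.useSecurityMgmt (default true)
    level: str = "job"                     # job.securityMgmtLevel: "daemon" or "job"
    allow_command_line_user: bool = False  # job.allowCommandLineUser (default false)

@dataclass(frozen=True)
class Profile:
    user: str
    roles: tuple = ()

    def principals(self):
        # The user name and every role are checked; one match is enough.
        return {self.user, *self.roles}

def granted(acl, profile, perm):
    """True if the user name or any role holds perm in this ACL (hypothetical layout)."""
    return any(perm in acl.get(p, set()) for p in profile.principals())

def is_allowed(cfg, profile, perm, job, daemon_acl, job_acls, from_cli=False):
    if not cfg.use_security_mgmt:
        return True                        # security off: any operation on any job
    if from_cli and cfg.level == "daemon" and cfg.allow_command_line_user:
        return True                        # assumed reading: CLI requests skip checks
    if not granted(daemon_acl, profile, perm):
        return False                       # daemon permission is required at both levels
    if cfg.level == "daemon":
        return True                        # applies to all jobs on the daemon
    return granted(job_acls.get(job, {}), profile, perm)

# Constructed sample data: principal -> permissions.
DAEMON_ACL = {"etl_ops": {"read", "run"}}
JOB_ACLS = {"nightly_copy": {"job_owners": {"run", "write"}, "alice": {"read"}}}
ALICE = Profile("alice", roles=("etl_ops", "job_owners"))

if __name__ == "__main__":
    for cfg in (Config(), Config(level="daemon"), Config(use_security_mgmt=False)):
        for perm in ("read", "run", "write"):
            ok = is_allowed(cfg, ALICE, perm, "nightly_copy", DAEMON_ACL, JOB_ACLS)
            print(cfg.level, cfg.use_security_mgmt, perm, ok)
```

In the sample data, write is denied at job level even though a role holds job-level write, because no principal in the profile holds daemon-level write.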
Command-Line Use by Viewpoint Users
```
# Purpose: The hostname or IP address for the ViewPoint Authentication server.
# Default: https://localhost
viewpoint.url=https://localhost

# Purpose: The port number for the ViewPoint Authentication server.
# Default: 443
viewpoint.port=443
```
If the Viewpoint Authentication server does not have HTTPS enabled, you can authenticate using HTTP instead by setting viewpoint.url to http://localhost and viewpoint.port to 80.
The Data Mover daemon makes the web services call to authenticate the user. The HTTP-based service call URL is in this format: http://hostname:port/ws/security/rolesForCurrentUser.