Defining a job execution override for a role and user
BMC Server Automation lets you give other role:user combinations the ability to execute a job as if your own role and user were actually executing the job. This capability is particularly useful if you want to set up a job that includes functionality that other roles and users should not normally be granted permission to perform.
When to use a job execution override
Suppose you set up a Network Shell Script Job, and the script includes certain commands. You do not want to grant permission to other users to perform these commands. Under normal circumstances, those other users cannot successfully execute the Network Shell Script Job because they would not have permission to run those commands. With an execution override, however, you can set up your own role and user as the override, and other role:user combinations can execute the job as if your role and user had scheduled the job.
If an execution override is already defined for a job and another role:user combination makes updates to the job, the override is removed. (A message warns you before the execution override is removed.) For example, suppose a role:user combination of BLAdmins:BLAdmin sets up a job and then sets up an execution override so that when the job executes, it executes as BLAdmins:BLAdmin. If another role:user combination such as BLAdmins:JrAdmin modifies the job, after the job is saved, when BLAdmins:JrAdmin schedules the job, it executes as BLAdmins:JrAdmin. If the job requires the permission of BLAdmins:BLAdmin for successful completion, the job will fail.
The override capability is particularly valuable when a user executes a job against failed or specific targets. Those actions do not modify a job's definition. One role:user combination can set up an execution override, while another role:user combination can run the job using these special approaches to job execution. Jobs run in this way execute using the role:user combination set up in the override.
When you set up an execution override, two job properties,
EXECUTION_USER, are set so they equal your current role and user. (Note that you cannot manually edit the value of these properties.) If you remove an execution override, these two properties no longer display a value, but they are set by default to equal the role and user who scheduled the job.
To define a job execution override
On the Job Options panel of the Batch Job wizard or the General panel of any other job wizard, do one of the following:
- To define an execution override so that the job executes as the current role:user combination, click Set Execution Override.
The job definition shows the role:user combination under which the job executes.
- To clear an existing override, click Clear Execution Override.
In the future, the job will execute as the role:user combination that schedules the job.
Alternatively, if you modify a job on which an execution override has been previously set and you do not set up another execution override, the existing execution override is removed.