Walkthrough: Creating an ACL-based time window to restrict users from running jobs
This walkthrough is intended mainly for security administrators and patch administrators. It demonstrates how you can use the ACL policy time window to allow patching users to run deploy jobs only on weekends. Restricting deploy jobs to weekends can help prevent your servers from being overutilized.
What is an ACL policy time window?
While creating an ACL policy, you can create a time window, during which a role is assigned one or more additional authorizations. The role is assigned the additional authorizations only during that time window. For example, in the context of Patching, you might want to allow Patching users to run catalog update jobs or analysis jobs at any time, but restrict them to executing remediation jobs only on weekends.
The ACL policy time window is a complex feature and requires background knowledge of users, roles, authorizations and BSA objects. For information about these concepts, see Managing access.
Before you begin
To simplify the task of assigning ACL policies to a large number of servers, you can prepare server groups or server smart groups based on criteria that are relevant to your business needs.
Refer to the following pages for information about creating server groups or server smart groups:
Server groups: For information about creating a static group of servers, see Assigning servers to server groups.
Server smart groups: For a step-by-step example on creating a dynamic group of servers, see Walkthrough: Dynamically organizing assets with smart groups.
A server smart group is a dynamic collection of servers that might change with time. However, while enabling maintenance windows on a server smart group, only the servers that are part of the server smart group at that particular time are enabled for the maintenance window feature.
How to use an ACL policy time window to allow a specific set of users to run deploy jobs
|Steps||Example screen|
|Log on to the Console using your RBAC Admin credentials.|
Perform the following steps:
The Create New ACL Policy wizard appears.
Use the General panel to provide a name and an optional description for the access control list (ACL) policy.
Assign the ACL permissions that you want the role to perform at all times. The role will be assigned these permissions even outside the ACL policy time window.
Perform the following steps:
Adding a time window to the ACL policy enables you to specify time intervals during which a role is assigned one or more additional authorizations. The role is assigned the additional authorizations only during that time window.
Click to add an ACL policy time window. The Time Window dialog box appears. In this walkthrough, the time windows are defined to run weekly, for a period of 24 hours, every Saturday and Sunday.
Click the Permissions tab.
From the Permissions tab, assign the Patching User role the required System or Profile authorizations that will apply during the time window.
Click Finish to create the ACL policy.
Ensure that the Patching User role is assigned to all users who must honor the ACL policy and time window.
After creating the ACL policy and the time window, update the permissions of all the BSA objects that are used in the patching operation, such as patching jobs, job folders, servers, and so on.
For example, see the steps below for updating permissions on a patching job.
|Users who are assigned the Patching User role can now run patch analysis jobs at any time, but are restricted to executing remediation or deploy jobs only on weekends.|
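The policy built in this walkthrough can be modelled to check that job runs honor it. The following is an added example, not BMC or BSA code: it computes the authorizations in effect at a given time (always-on permissions plus those of any open weekly window) and flags runs that started outside the window. The class names, the authorization labels, and the job-run record layout are assumptions made for this sketch, and times are treated as naive local times.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Hypothetical labels for this sketch, not BSA authorization names.
ANALYSIS, DEPLOY = "run_analysis_job", "run_deploy_job"

@dataclass(frozen=True)
class WeeklyWindow:
    weekday: int          # 0 = Monday ... 5 = Saturday, 6 = Sunday
    start_hour: int       # local hour at which the window opens
    duration: timedelta   # how long the extra authorizations stay granted
    extra: frozenset      # authorizations added only while the window is open

    def is_open(self, when: datetime) -> bool:
        # Find the most recent opening at or before `when`; a window may run past midnight.
        days_back = (when.weekday() - self.weekday) % 7
        opened = (when - timedelta(days=days_back)).replace(
            hour=self.start_hour, minute=0, second=0, microsecond=0)
        if opened > when:
            opened -= timedelta(days=7)
        return when < opened + self.duration

@dataclass(frozen=True)
class AclPolicy:
    always: frozenset     # permissions the role holds at all times
    windows: tuple        # WeeklyWindow entries that add authorizations

    def effective(self, when: datetime) -> set:
        extra = [w.extra for w in self.windows if w.is_open(when)]
        return set(self.always).union(*extra)

def out_of_window_runs(policy, runs):
    """Return the runs whose required authorization was not in effect at start time."""
    return [r for r in runs if r[2] not in policy.effective(r[0])]

DAY = timedelta(hours=24)
WEEKEND_POLICY = AclPolicy(
    always=frozenset({ANALYSIS}),
    windows=(WeeklyWindow(5, 0, DAY, frozenset({DEPLOY})),
             WeeklyWindow(6, 0, DAY, frozenset({DEPLOY}))))

# Constructed job-run records: (start time, user, authorization required).
SAMPLE_RUNS = [
    (datetime(2024, 6, 7, 23, 59), "patcher1", DEPLOY),    # Friday night
    (datetime(2024, 6, 8, 0, 0), "patcher1", DEPLOY),      # Saturday 00:00
    (datetime(2024, 6, 9, 23, 59), "patcher2", DEPLOY),    # Sunday 23:59
    (datetime(2024, 6, 10, 0, 0), "patcher2", DEPLOY),     # Monday 00:00
    (datetime(2024, 6, 12, 14, 0), "patcher1", ANALYSIS),  # Wednesday
]
```

Calling `out_of_window_runs(WEEKEND_POLICY, SAMPLE_RUNS)` returns the Friday 23:59 and Monday 00:00 deploy runs, the two boundary cases just outside the Saturday and Sunday windows.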