Access control sets user rights and manages access through user identification and authentication. It is important to organize and manage the access rights that are granted to users according to their roles in the system.
Appropriate access control can provide the following security-related benefits:
Preventing access by users that do not have the proper authority, and preventing damaging actions, such as unauthorized deletion or alteration of data
Preventing incorrect operations from being performed by users exceeding their authority
Controlling access to projects
System administrators and operations administrators can restrict the role (authority) of operations staff by setting up separate access rights for each individual project for operations staff.
Because operations staff are only granted the minimum authority necessary to do their jobs, this method eliminates problems caused by users performing incorrect operations outside their scope of responsibility or authority, and ensures that system operations are conducted more securely.
For example, in the situation shown in the following diagram, users are only granted authority proportional to their duties. Users in charge of job design are only granted change rights and users in charge of job operations are only granted operation rights. This prevents problems caused by users overstepping their authority whether through action or inaction. It prevents, for example, a user with change rights in charge of job design from accidentally performing a job operation.
The following table lists the different user types and roles that can be specified for projects.
User type | Role |
|---|---|
System administrator | The operations administrator who can set up various operating environments for Systemwalker Operation Manager, register and delete projects, and set access rights to projects (This administrator is given update rights by default.) |
Operations staff with update rights | The operations staff who can update, register, operate, and look up groups, job nets, and jobs within permitted projects |
Operations staff with change rights | The operations staff who can only register and look up groups, job nets, and jobs within permitted projects |
Operations staff with operation rights | The operations staff who can only operate and look up groups, job nets, and jobs within permitted projects |
Operations staff with reference rights | The operations staff who can only look up groups, job nets, and jobs within permitted projects |
Refer to "Setting Access Rights for Projects" in the Systemwalker Operation Manager User's Guide for more information about how to set up roles.
Refer also to "Usage Restrictions Based on Access Rights" in the Systemwalker Operation Manager Installation Guide for a list of the menu items, operations, commands and APIs that can be used by different user types.
Information
When a user is granted multiple access rights
In the following cases, the most powerful access right (update right > change right or operation right > reference right) is valid:
When a user and the group to which that user belongs have been assigned different access rights
When the operating system user that executed a command or API corresponds to multiple Operation Manager users (operations administrators or operations staff) and different access rights have been set up [UNIX version]
Note that in the above cases, if change rights have been set up on the one hand and operation rights have been set up on the other, then both rights are enabled.
Controlling access to Systemwalker Operation Manager directories and files
The users permitted to access directories and files relating to Systemwalker Operation Manager can be restricted as follows:
System administrators, operations administrators, and users belonging to the swadmin group
File and directory owners and users belonging to the swadmin group
To restrict users as shown above, select the Operation Manager user restrictions option in the Define Operation Manager Shared Parameter window.
The system administrator should register all Systemwalker Operation Manager users with the swadmin group.
Note that if the above option is selected, use of the following functions will be restricted to system administrators, operations administrators, and users belonging to the swadmin group:
Starting demand jobs
Starting job nets that have the Job Execution Control attribute
Jobscheduler commands
The output destinations of audit log files must be set individually. Refer to "Define user restrictions" in the Systemwalker Operation Manager Installation Guide for more information.
