KBEC-00147 - Restricting users from aborting jobs

Summary

You want users to be able to start jobs, but not abort jobs.

The key to limiting who can abort jobs is in the online documentation under the comment "Aborting a step requires the execute privilege on the job — not just the modify privilege."

  1. When a job is run, the project principal is given all privileges on the job. This allows users to lock down the project by removing the project principal to allow all ACE from the project. Jobs can still run, but will not be able to modify anything outside of that particular job.
  2. If a job is launched by a user, that user will also be given all privileges on the job. This allows the user to modify the job while it is running (to the extent that it is modifiable), change permissions for the job, etc.
  3. If a job is started by a schedule, the schedule's execute privileges are copied to the job. Only the execute privilege will be copied from each ACE, regardless of whether the user or group also has other privileges.

Example Setup

  1. Create the implementation support groups
    1. Create a user named "buildmgr", Administration -> Users -> Create User.
    2. Create a group named "AbortManagers", Administration -> Groups -> Create Group and add "buildmgr" to the group.
  2. Set up the project so that OrdinaryUsers DO NOT have execute permission on the Project, but AbortManagers DO have execute permission on the Project.
    1. At the "Projects" level, Administration -> Server select "Projects" under "System Access Control: remove execute for Everyone.
    2. At the "Projects" level, Administration -> Server select "Projects" under "System Access Control: add the "Group" "AbortManagers" and grant "read" and "execute" permission. This means that members of "AbortManagers" have "read" and "execute" permission on all projects and schedules through inheritance.
  3. Set up the procedures in the project so that OrdinaryUsers DO have execute permission on the individual Procedure.
    1. For each procedure, Access Control -> add user or group to have "read," "modify," and "execute" permissions.
  4. Add a step to the job when it runs that modifies the ACL for the "launchedByUser" to remove the "execute" permission.
    ectool modifyAclEntry user $[/myJob/launchedByUser] --jobId $[/myJob/jobId] --executePrivilege deny
Have more questions? Submit a request

Comments

Powered by Zendesk