HCL Workload Automation, Version 9.4

Order of user definition

You must order user definitions from most specific to least specific. HCL Workload Automation scans the security file from top-down, with each user ID being tested against each definition in turn. If the user ID is satisfied by the definition, it is selected, and the matching stops.

For example:
Incorrect:
#First User Definition in the Security File
USER TwsUser
CPU=@+LOGON=TWS_user
Begin
job name=@ access=modify
End

#Second User Definition in the Security File
USER Twsdomain:TwsUser
CPU=@+LOGON=TWSDomain\\TWS_user
Begin
job name=@ access=display 
End
The definitions are intended to determine the following:
  1. Users on all workstations with a logon of "TWS_user" will be given "modify" access to all jobs
  2. Users on all workstations with a logon of "TWSDomain\TWS_user" will be given "display" access to all jobs
However, all users with a logon of "TWS_user" will satisfy the first rule, regardless of their domain, and will be given "modify" access to all jobs. This is because defining a user without its domain is a shorthand way of defining that user ID in any domain; it is the equivalent of "@\TWS_User". So the second rule will never be satisfied, for any user, because the matching for the "TWS_user" stops after a successful match is made.
Correct
#First User Definition in the Security File
USER Twsdomain:Tws_User
CPU=@+LOGON="TWSDomain\\TWS_user" 
Begin
job name=@ access=display 
End

#Second User Definition in the Security File
USER Tws_User
CPU=@+LOGON=TWS_user
Begin
job name=@ access=modify 
End
By putting the more specific definition first, both object access definitions are applied correctly.

See Sample security file for a practical example.