User Types and Authentication
There are three distinct entries for adding users: “Interactive Users”, “Runtime Users” and “LDAP Groups”. TA 6.0 and later allow the setup of a user that authenticates against Active Directory (AD) and Lightweight Directory Access Protocol (LDAP). TA also supports AD/LDAP-only users.
At login, user credentials are validated against AD/LDAP. Once authenticated, TA obtains the user’s AD/LDAP groups and other information such as phone number and email. TA then creates a record to represent the AD/LDAP-only user if it is not already present, and only if the user belongs to an AD/LDAP group defined in TA. All user activity logging is then performed against this new user record, allowing for correct auditing and reporting.
AD/LDAP-only users are allowed to create and own jobs and other objects if their security permissions permit.
Note: The logging parameter (DisplayUserNameInLog) is set in clientmgr.props for auditing the WebClient login and in master.props for auditing the JavaClient login. For more information on this parameter, see the General Property Info section in the Parameters chapter.
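The login flow described above for AD/LDAP-only users, modeled as an added Python example (not TA's own code). The in-memory `DIRECTORY`, the `Scheduler` class and its status strings are hypothetical, and repeating the group check on every login is an assumption the page does not state.

```python
import hmac
from dataclasses import dataclass, field

# Constructed sample data standing in for an AD/LDAP server (hypothetical accounts).
DIRECTORY = {
    "alice": {"password": "pw-a", "groups": {"TA-Operators", "Staff"},
              "email": "alice@example.test", "phone": "555-0100"},
    "bob": {"password": "pw-b", "groups": {"Finance"},
            "email": "bob@example.test", "phone": "555-0101"},
}

def directory_bind(name, password):
    """Return the directory entry when the credentials are valid, else None."""
    entry = DIRECTORY.get(name)
    if entry and hmac.compare_digest(entry["password"], password):
        return entry
    return None

@dataclass
class Scheduler:
    defined_groups: set                        # AD/LDAP groups defined in the scheduler
    users: dict = field(default_factory=dict)  # login name -> local user record
    audit: list = field(default_factory=list)  # (login name, event) pairs

    def login(self, name, password):
        """Return (record, status); record is None when access is refused."""
        entry = directory_bind(name, password)
        if entry is None:
            return None, "bad-credentials"     # the directory rejected the login
        matched = entry["groups"] & self.defined_groups
        if not matched:
            # Authenticated, but in no defined group: no record is created.
            # Assumption: this check is repeated on every login.
            return None, "no-defined-group"
        status = "existing" if name in self.users else "created"
        record = self.users.setdefault(name, {
            "name": name, "groups": sorted(matched),
            "email": entry["email"], "phone": entry["phone"]})
        # Activity is logged against the local record so audits name the user.
        self.audit.append((record["name"], "login"))
        return record, status

if __name__ == "__main__":
    ta = Scheduler(defined_groups={"TA-Operators"})
    for who, pw in [("alice", "pw-a"), ("alice", "pw-a"), ("bob", "pw-b")]:
        print(who, ta.login(who, pw)[1])
```

The case to check when reviewing such a setup is the second refusal: a user with valid directory credentials but no membership in a defined group must leave no local record behind.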
Interactive User
During installation of the Windows Master, you provide an existing user in the AD/LDAP User Account. TA creates the first TA user account for you with this information, and automatically assigns you Super User capability. Having the Super User option selected in a User Definition provides access to all TA functions, and supersedes all security policies because it encompasses all security permissions. From this point on, you can set up other users, and specify their user data.
Along with specifying other user data, you need to specify a security policy for each user. TA comes with default security policy templates to help specify the appropriate functions available for each user based on a default network scheduling model.
Note: You can remove the Super User security from the initial TA user account provided that another user is assigned the Super User security policy. You should be signed in to TA as a Super User to remove the Super User security policy from an interactive user account. This prevents accidental removal of all Super User capabilities from a TA environment.
When a new user launches TA, TA checks to see if the user’s login name is listed in the TA database. If the user is not listed, it displays an error message, and prevents the user from entering TA.
Runtime Users
If you are going to schedule jobs for other users, you can specify those users on the Runtime Users tab of the User Definition dialog box. This is necessary to access commands and environments created by those users for whom you are scheduling.
LDAP Groups
LDAP users can be imported into TA to improve user audit trails. These imported users inherit security from multiple LDAP groups. Imported LDAP user information is stored in a user definition that includes email, telephone, etc. Imported LDAP users are allowed to be owners of scheduling constructs such as jobs if their security permits.
Users and Workgroups
Workgroups help organize users according to job function, security level, geographical area or any other category that may be helpful. TA workgroups can correspond to Windows workgroups, but they certainly do not have to. When you create a workgroup, you must always remember to add yourself to the workgroup. Creating a workgroup does not automatically make you a member of the workgroup. The extent of control you can wield over a workgroup is also dependent upon your individual TA security policy. For more information about security policies, see Security Policies.
Note: When you install TA, you are automatically placed in the Schedulers workgroup. Schedulers is TA’s default workgroup.
Impersonating a User
Impersonating a user is one of the higher-level security permissions. When you impersonate another user, you have access to their TA jobs, job actions, job events, system events, user variables, calendars and workgroups as if you had logged on as that user.
Contact Information
You can specify and update user contact information such as phone number and email address. TA or another user can use this contact information to inform you of the status of a job.