Initial Permission Setup
In a new adTempus installation, only those users provisioned as adTempus Administrators during installation have permission to connect to and use adTempus. Those adTempus Administrators also have full control over all objects within adTempus.
To allow other users to use adTempus, you must create and configure adTempus user logins for them, and assign object permissions.
The order in which you perform these actions will depend on the complexity of your security needs (see the Permission Management Guidelines topic). If you expect your security model to be complex, you may want to set up your security groups first so that you can assign logins to the groups as you create each login.
If your security model is simple (e.g., all non-administrator users will have the same permissions), you can simply assign permissions to the adTempus Users security group (which automatically includes all users) once you have created your logins.
If there is no user who has the necessary permission to manage adTempus security, you can give a user Administrator permissions using the Administrator Provisioning tool.
Creating Logins
To configure users:
- Start the adTempus Console and connect to the adTempus server (you must be logged in to Windows under an account that was provisioned as an adTempus Administrator during installation).
- Go to the Server Security Settings window (Configuration > Security Settings) and go to the Logins page.
- For each user who needs to use adTempus, create a Security Login. Creating a login for the user gives that user permission to log in to adTempus. Assign the Login to the appropriate Security Groups, if you have created them.
Assigning Permissions
As discussed in the Permission Management Guidelines topic, permissions should be assigned based on groups of users and objects whenever possible (rather than assigned directly to individual users or objects).
Once you have determined your security needs, you should create the appropriate Security Groups and assign permissions to them. Then assign logins to security groups to grant permissions to users.
Default Permissions
In a new adTempus installation, the following default permissions are present:
- Members of the adTempus Administrators group have full control within adTempus. This permission cannot be removed.
- All users have View permission for the "Default" Job Queue. This permission cannot be removed.
- All users have View permission for the root Job Group. This permission cannot be removed.
- All users have View permission for all objects in adTempus. This permission can be modified through the Security Settings page of the Server Security Settings window.
- The creator of an object receives permission to view, modify, delete, and execute (for jobs) the object. These permissions can be modified through the Security Settings page of the Server Security Settings window. This is assigned through the "<Object Creator>" placeholder.
Modifying Permissions
By default, non-administrator users do not have permission to create any objects in adTempus or to execute any jobs. For those users to do anything other than view data, you must grant permissions to allow them to create or modify jobs, notification recipients, etc.
Permissions for All Objects
To grant a group of users permissions for all objects in adTempus, use the Security Settings page of the Server Security Settings window and select the appropriate option for the Apply Permissions To setting.
For example, suppose you want to create a Power Users group that has permission to create, view, and modify all objects in adTempus. After creating the Security Group, you would add it to the access list on the Security Settings page, with permissions applied to "All objects below this level," and check all permissions you wish to grant to the Power Users.
By using the "All objects below this level" option, you are preventing those users from being able to change server-level settings and security, so they still don't have full control over adTempus.
Permission to Create Jobs
If you want to give a group of users permission to create jobs, edit the root Job Group (the "Jobs" folder in the Console Tree) or whichever Job Group you want the users to be able to create jobs in. On the Security page of the Job Group Properties, add the group to the access list and grant the "Create jobs and groups in this Group" permission, applying the permission to "Group, Subgroups."
This will give the users permission to create jobs. The default Object Creator permissions will be assigned to each job they create, giving them Modify permission for their own jobs.
These users will not be able to create other top-level object types (Shared Schedules, Notification Recipients, etc.) unless permissions are also granted for those objects. They will be able to create steps, tasks, conditions, triggers, responses, etc., within their jobs.
Permission to Create Other Objects
To give users permission to create other types of objects, you must grant them Create permission on the appropriate security container. See the Security Inheritance topic for a list of those security containers.
For example, suppose you want to allow all users to create Notification Recipients for use on jobs. To do so:
- Right-click the Notification Recipients folder in the Console Tree and choose Notification Security... to open the Notification Recipient Security window.
- In the access list, click the Add button and add the "adTempus Users" group to the list.
- With the "adTempus Users" entry selected, check the Allow Create box to assign the Create permission.
- Click OK to save the changes.
Note that you only assigned the Create permission for all users; you did not select any other permissions. This is because the creator of an object is automatically assigned permission to view, modify, use, and delete that object (this happens through the "<Object Creator>" permissions discussed above), and the default settings give all users permission to view all Notification Recipients.
With this combination of settings, the users can create and manage their own Notification Recipients, but cannot modify Notification Recipients created by other users.
If you had checked the "Update" permission in addition to "Create," you would be granting all users permission to modify all Notification Recipients, whether they are the creator or not.
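The following added example (a simplified model written for this page, not adTempus code or its API) works through the Notification Recipients case above: it shows why granting only Create leaves other users' recipients read-only, and how adding Update to "adTempus Users" changes that. The class, function, and user names are hypothetical, the permission names "Use" and "Delete" are taken from the wording above, and the model assumes Allow entries simply add together (Deny entries are not modeled).

```python
from dataclasses import dataclass, field

ALL_USERS = "adTempus Users"   # group that automatically includes every login
CREATOR = "<Object Creator>"   # placeholder resolved against each object's creator

@dataclass
class Container:
    """Hypothetical stand-in for a security container's access list."""
    acl: dict = field(default_factory=dict)  # principal -> set of allowed permissions

    def allow(self, principal, *perms):
        self.acl.setdefault(principal, set()).update(perms)

def new_recipient_container():
    """Access list with the defaults the page describes for a new installation."""
    c = Container()
    c.allow(ALL_USERS, "View")
    c.allow(CREATOR, "View", "Update", "Use", "Delete")
    return c

def can_create(container, user_groups):
    """Create is checked against the container, not an individual object."""
    return any("Create" in container.acl.get(g, set()) for g in {ALL_USERS, *user_groups})

def effective(container, creator, user, user_groups=()):
    """Object-level permissions `user` holds on an object made by `creator`."""
    principals = {user, ALL_USERS, *user_groups}
    if user == creator:
        principals.add(CREATOR)   # placeholder applies only to the creator
    perms = set()
    for p in principals:
        perms |= container.acl.get(p, set())
    return perms - {"Create"}

def broad_grants(container):
    """Permissions every login holds on every object, beyond View and Create."""
    return container.acl.get(ALL_USERS, set()) - {"View", "Create"}

if __name__ == "__main__":
    c = new_recipient_container()
    c.allow(ALL_USERS, "Create")                   # the walkthrough's only change
    print(sorted(effective(c, "alice", "alice")))  # creator's rights on own object
    print(sorted(effective(c, "alice", "bob")))    # another user's rights on it
    c.allow(ALL_USERS, "Update")                   # the over-broad variant
    print(sorted(effective(c, "alice", "bob")), sorted(broad_grants(c)))
```

A non-empty result from `broad_grants` is the condition to look for when reviewing an access list: it means the permission applies to every login on every object in that container, regardless of who created it.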