JAMS can integrate with Active Directory users and groups, or any LDAP provider.
JAMS security can be best described by a series of layers. Each layer of security can be described as a “Door in a hallway”, where users cannot access the next door, without having permissions to the one before it.
Level 1 - Configure Access Control
The very top to level 1 can be considered the "Server" Property. It allows authentication to the JAMS Server from all JAMS Clients – ie. Desktop Client, Web Client, RESTful API, PowerShell, and node.JS.
- The areas listed within this Access Control drop down menu allow users to configure access to those pieces of JAMS as a whole.
- For example, the Job Definitions area will allow users to define the user and groups that will have the ability to either add Jobs, modify Jobs, look at the properties of Jobs, or delete Jobs.
- These permissions are then set for ALL Jobs, regardless of the Folder definition to which they belong.
- By default, each of these areas has an entry for BUILTIN\Administrators and NT AUTHORITY\Authorized Users.
- Access to Jobs in each Folder or System or the individual Jobs themselves is then set within the Folders or Jobs as described above.
Level 2 - Configure Folders
These control access to the "containers" that hold the Jobs.
- Access Control Entries set on a Folder or System are inherited by objects within it.
Level 2a - Configure Job permissions (optional)
- Within each individual Job properties window, there is also a Security tab.
- It works in the same way as the one within the Folder definition properties, with the exception that the Access Control List at the individual Job level will only control access to that one Job.
- This allows you to give granular permissions to a user or group for that one instance of the Job, instead of all Jobs within a Folder.
- You will also see the inherited Access Control entries within the Security tab of a Job from its parent Folder definition.
- If users click on them, the Folder definition entries will indicate that they are an "Inherited ACE" and the user will not be able to modify these permissions, as these are controlled within the Folder definition security tab.
Level 3 - Configure "RunAs" User Definitions and their ACL
- The Credentials shortcut is used to configure Users that will run jobs.
- Each user has their own ACL which can be configured to determine who has access to specific credentials.
Level 4 - Configure Administrator level permissions in Configuration
The "Back Door" to JAMS. JAMS has 2 configuration settings that allow full access to the client:
- GrantAdministratorBypass: When GrantAdministratorBypass is set to True, members of the local Administrators group on the Scheduling Engine have full access to any area of JAMS.
- GrantBypassGroup: For this setting users can add multiple Active Directory groups that will have full access to any area of JAMS. This list must be comma separated.