JAMS security is best described as a series of layers. Each layer can be thought of as a "door in a hallway": users cannot reach the next door without having permissions to the one before it.
JAMS integrates with Active Directory users and groups, or any LDAP provider.
Level 1 - Configure Access Control: The top of Level 1 can be considered the "Server" property, which allows authentication to the JAMS Server from the JAMS GUI client.
· The areas within the Access Control drop-down menu allow users to configure access to those pieces of JAMS as a whole.
· For example, the Job Definitions area allows users to define the users and groups that will be able to add Jobs, modify Jobs, look at the properties of Jobs, or delete Jobs.
· These permissions are then set for ALL Jobs, regardless of the Folder definition to which they belong.
· By default, each of these areas has an entry for BUILTIN\Administrators and NT AUTHORITY\Authorized Users.
· Access to the Jobs in each Folder or System, or to the individual Jobs themselves, is then set within the Folders, Jobs, or Setups, as described under Levels 2 and 2a.
Level 2 - Configure Folder: Folder permissions control access to the "containers" that hold the Jobs and Setups.
· Access Control Entries set on a Folder or System are inherited by objects within it.
Level 2a - Configure Job and Setup permissions (optional):
· Within each individual Job and Setup properties window, there is also a Security tab.
· It works in the same way as the one within the Folder definition properties, with the exception that the Access Control List at the individual Job or Setup level will only control access to that one Job or Setup.
· This allows you to give granular permissions to a user or group for that one instance of the Job or Setup, instead of all Jobs and Setups within a Folder.
· Within the Security tab of a Job or Setup, you will also see the Access Control entries inherited from its parent Folder definition.
· If users click on them, the Folder definition entries will indicate that they are an "Inherited ACE", and the user will not be able to modify these permissions, because they are controlled within the Folder definition's Security tab.
Level 3 - Configure "RunAs" User Definitions and their ACL.
· The Users shortcut in the Management group is used to configure the Users that will run Jobs.
· Each User has its own ACL, which can be configured to determine who has access to specific credentials.
Level 4 - Configure Administrator level permissions in Configuration. The "Back Door" to JAMS. JAMS has 2 configuration settings that allow full access to the client:
· GrantAdministratorBypass: When GrantAdministratorBypass is set to True, members of the local Administrators group on the Scheduling Engine have full access to any area of JAMS.
· GrantBypassGroup: In this setting, users can add multiple Active Directory groups that will have full access to any area of JAMS. The list must be comma-separated.
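
A simplified model of the layered evaluation described above, added here as an illustration (it is not JAMS code or the JAMS API): it shows which layer decides a request, and why a permissions review has to include the two bypass settings and not only the ACLs. The principals, the `view`/`modify`/`delete` labels, the `local_admin` flag and the order in which the checks run are assumptions of the example.

```python
# Simplified model of the layers on this page; this is not JAMS code.
# Principals, folder/job names and right labels are constructed samples.
SERVER_ACL = {"CORP\\JobOperators": {"view", "modify"}, "CORP\\Auditors": {"view"}}
FOLDER = {"acl": {"CORP\\JobOperators": {"view"}},                   # Level 2
          "jobs": {"NightlyBackup": {"CORP\\Auditors": {"view"}}}}   # Level 2a
CONFIG = {"GrantAdministratorBypass": True,
          "GrantBypassGroup": "CORP\\JamsAdmins, CORP\\OpsLeads"}
USERS = [
    {"name": "CORP\\alice", "groups": ["CORP\\JobOperators"]},
    {"name": "CORP\\bob", "groups": ["CORP\\Auditors"]},
    {"name": "CORP\\carol", "groups": [], "local_admin": True},
    {"name": "CORP\\dave", "groups": ["corp\\opsleads"]},
]

def _norm(names):
    # Windows principal names compare case-insensitively.
    return {n.strip().lower() for n in names if n.strip()}

def _grants(acl, principals, right):
    """True if an ACE in acl gives `right` to one of `principals`."""
    return any(p.lower() in principals and right in rights
               for p, rights in acl.items())

def check_access(user, right, job, folder=FOLDER, server_acl=SERVER_ACL, config=CONFIG):
    """Walk the doors in order; return (allowed, deciding layer)."""
    principals = _norm([user["name"], *user["groups"]])
    # Level 4: the bypass settings grant full access whatever the ACLs say
    # (checking them first is an assumption of this model).
    if config.get("GrantAdministratorBypass") and user.get("local_admin"):
        return True, "GrantAdministratorBypass"
    if principals & _norm(config.get("GrantBypassGroup", "").split(",")):
        return True, "GrantBypassGroup"
    # Level 1: the server-wide Job Definitions ACL covers ALL Jobs.
    if not _grants(server_acl, principals, right):
        return False, "Level 1"
    # Level 2: ACEs on the Folder are inherited by the Jobs inside it.
    if _grants(folder["acl"], principals, right):
        return True, "Level 2 (inherited ACE)"
    # Level 2a: ACEs set on this one Job only.
    if _grants(folder["jobs"].get(job, {}), principals, right):
        return True, "Level 2a"
    return False, "Level 2"

def audit(right, job, users=USERS):
    """Map each user to the layer that decided the request."""
    return {u["name"]: check_access(u, right, job) for u in users}

if __name__ == "__main__":
    for right in ("view", "delete"):
        print(right, audit(right, "NightlyBackup"))
```

In the sample data, `CORP\carol` and `CORP\dave` appear in no ACL yet are allowed every right, which is the effect of the two Level 4 settings.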