Skip to main content
Version: OpCon 26.0 (On-Prem)

Privileges

Theme: Configure
Who Is It For? System Administrator

What Is It?

Privileges in OpCon control what actions each role can perform. They are assigned to roles, which are then assigned to users. Privileges cover access codes, batch users, departments, functions, machine groups, machines, schedules, and scripts — giving administrators fine-grained control over who can view and modify each part of the system.

Access Code Privileges

To implement Access Codes for securing jobs, each user must have the appropriate Access Code privileges through one or more roles to view and update jobs.

Because '<None>' is an Access Code and is applied to all jobs by default, all roles automatically have privileges to update jobs with the '<None>' Access Code. As additional Access Codes are created, the administrator must grant privileges for the Access Codes to the appropriate Role Name.

A user must be a member of a role with All Administrative Functions, All Function Privileges, or must be in the ocadm role to manage Access Code Privileges.

The following information applies to defining Access Code Privileges.

  • Role Name: Defines the unique name of the Role
  • Allow job updates?: Determines if users in the Role can update jobs defined with an Access Code. If allowed, users can modify and delete the job definition in the Master and Daily. If not allowed, users can only view the job definition in the Master and Daily
  • Revoked: Provides the Access Codes not assigned to the Role Name
  • Granted: Provides the Access Codes assigned to the Role Name. Users will be able to see jobs with any of the granted access codes in the Master, Daily, and Schedule Operations

Function Privileges

Function Privileges are used to grant access to functions not related to jobs. Each user must have function privileges via one or more roles to perform actions within OpCon. By default, a new role has no privileges. A user must be a member of a role with All Administrative Functions, All Function Privileges, or must be in the ocadm role to manage roles.

The following data information applies to defining Function Privileges:

  • Role Name: Defines the unique name of the Role
  • Granted Function Privileges: Provides the Function Privileges assigned to the Role Name

All Administrative Functions

Grants privileges to perform the following functions in OpCon:

Manage OpCon Roles

  • Add new Roles
  • Delete Roles
  • Modify Roles

Manage User Accounts

  • Add new User Accounts
  • Delete User Accounts
  • Modify User Accounts

All Function Privileges

Grants privileges to perform the following functions in OpCon:

All Notification Manager Functions

Grants access to all functions in Notification Manager including:

  • Groups
    • Add Machine, Schedule, and Job groups
    • Delete Machine, Schedule, and Job groups
    • Update Machine, Schedule, and Job groups
  • Notifications
    • Add new Notifications
    • Delete Notifications
    • Update Notifications
  • Triggers
    • Add Machine, Schedule, and Job Event Triggers
    • Delete Machine, Schedule, and Job Event Triggers
    • Update Machine, Schedule, and Job Event Triggers
note

No other privileges are verified in Notification Manager. If granted access to this utility, users in the role can set up notifications for any machine, schedule, or job.

Build Daily Schedules

Grants privileges to build and check schedules:

  • View schedules in to build
  • Build schedules for defined dates
  • Check schedules for defined dates
note

Users in the role must also have Schedule Privileges to perform these functions.

Delete Daily Schedules

Grants privileges to perform the following functions in the Daily schedules:

  • View schedules to delete
  • Delete schedules for defined dates
note

Users in the role must also have Schedule Privileges to perform these functions.

Force-Start Schedules

Grants privileges to run the Start command for schedules in the Daily schedules.

note

Users in the role must also have Schedule Privileges to perform this function.

Hold Schedules

Grants privileges to run the Hold command for schedules in the Daily schedules.

note

Users in the role must also have Schedule Privileges to perform this function.

Release Schedules

Grants privileges to run the Release command for schedules in the Daily schedules.

note

Users in the role must also have Schedule Privileges to perform this function.

Import and Export Schedules

Grants access to all functions in the Schedule Import Export utility.

note

When mapping machines to a destination database on import, Machine Privileges are validated for the destination database.

Maintain Access Codes

Grants access to functions related to maintaining Access Codes.

  • View all defined Access Codes
  • Add new Access Codes
  • Delete Access Codes
  • Modify Access Codes

Maintain Audit History

Grants access to all functions in the Audit Management plugin and Audit Cleanup utility including:

  • View all audit records
  • Filter all audit records
  • Archive and Purge specified audit records
note

No other privileges are verified in the Audit Management utility. If granted access to this utility, users in the role can all audit records.

Maintain Calendars

Grants access to functions related to maintaining Calendars.

  • View all defined Calendars
  • Add new Calendars
  • Delete Calendars
  • Modify Calendars

Maintain Departments

Grants access to functions related to maintaining Departments.

  • View all defined Departments
  • Add new Departments
  • Delete Departments
  • Modify Departments

Maintain Embedded Script

Grants access to functions related to maintaining Embedded Scripts:

  • View all defined Scripts
  • Add new Scripts
  • Delete Scripts
  • Modify Scripts
  • Assign roles to Scripts
  • View all defined Script Versions
  • Create Script Versions
  • Delete Script Versions
  • View all defined Script Types
  • Add new Script Types
  • Delete Script Types
  • Modify Script Types
  • View all defined Script Runners
  • Add new Script Runners
  • Delete Script Runners
  • Modify Script Runners

Maintain Global Properties

Grants access to related to maintaining Global Properties.

  • View all defined Global Properties
  • Add new Global Properties
  • Delete Global Properties
  • Modify Global Properties

Maintain Job History

Grants access to all functions in the History Management plugin and History Cleanup utility including:

  • View all job history records
  • Filter all job history records
  • Archive and purge specified job history records
note

No other privileges are verified in the History Management utility. If granted access to this utility, users in the role can manage history for any schedule or job.

Maintain Machine Groups

Grants access to functions related to maintaining Machine Groups.

  • View all defined Machine Groups
  • Add new Machine Groups
  • Delete Machine Groups
  • Modify Machine Groups

Maintain Machines

Grants access to functions related to maintaining Machines.

  • View all defined Machines
  • Add new Machines
  • Delete Machines
  • Modify Machines
  • Start communication with the agent
  • Stop communication with the agent
  • Disable job starts for the agent
  • Enable job starts for the agent
note

To stop and to start communication with the agent from the Machine Information screen in Schedule Operations, the View Jobs in Schedule Operations privilege must also be granted.

Maintain Reports

Grants access to the Reporting settings tab in Library > Reports.

Maintain Schedules

Grants access to all functions related to the Schedule Master including:

  • Add new Schedules
  • Delete Schedules
  • Modify Schedules
note

When a schedule is added, only the creator is automatically granted privileges to the new schedule; otherwise, the user must have Schedule Privileges to perform the Delete and Modify functions.

Maintain Server Options

Grants access to the Server Options page in Library > Server Options to view and modify server configuration settings.

When combined with the Maintain Reports privilege, grants access to the Reporting settings tab. Both privileges must view and modify the Reporting settings—having only one of these privileges will not display the Reporting settings tab.

Maintain Service Request

Grants access to functions related to maintaining Service Requests in the SMA Self Service solution.

  • Add new Service Requests
  • Delete Service Requests
  • Modify Service Requests

Maintain Thresholds/Resources

Grants access to functions related to maintaining thresholds and resources.

  • View all defined Thresholds/Resources
  • Add new Thresholds/Resources
  • Delete Thresholds/Resources
  • Modify Thresholds/Resources

Maintain Tags

Grants access to functions related to maintaining tags.

  • View all defined Tags
  • Add new Tags
  • Delete Tags
  • Modify Tags

Maintain Vision Actions

Grants access to functions related to maintaining Vision actions.

note

All events for Actions are submitted in the ocadm role.

  • Add Vision Actions
  • Delete Vision Actions
  • Modify Vision Actions

Maintain Vision Frequencies

Grants access to functions related to maintaining Vision frequencies.

  • Add Vision Frequencies
  • Delete Vision Frequencies
  • Modify Vision Frequencies

Maintain Vision Workspaces

Grants access to functions related to maintaining Vision cards.

  • Add Vision Cards
  • Delete Vision Cards
  • Modify Vision Cards

View Embedded Script Contents

Grants users, who are not already members of a role with Maintain Embedded Scripts or All Administrative Functions or All Function Privileges, the permissions to view list of embedded scripts, script types, script runners, and the contents of the embedded scripts.

View License Information

Grants access to the License Information tab in the About OpCon Enterprise Manager window accessible from the Help menu in the Enterprise Manager.

View Service Requests

Grants users, who are not already members of a role with Maintain Service Request or All Administrative Functions or All Function Privileges, the permissions to use the Self Service solution and view and trigger Service Requests.

View Vision Workspaces

Grants users the permissions to view the Vision solution.

Departmental Function Privileges

The Departmental Function Privileges are used to grant privileges related to jobs based on individual departments. For all of the privileges in this section, to affect a specific existing job, the role must have the function privilege for the department and all of the following privileges:

The following data information applies to defining Function Privileges:

  • Role Name: Defines the unique name of the Role
  • Granted Departmental Privileges: Provides the Departmental Privileges assigned to the Role Name. Departmental privileges are associated with <All Departments>, the <General> department, or user defined departments
note

The <General> department is the default department for all jobs.

All Daily Schedule Functions

Grants access to all functions related to daily Schedule maintenance including:

All Job Master Functions

Grants access to all functions related to the Job Master including:

View Standard Reports

Grants privileges to view all non-administrative OpCon Reports.

note

To view administrative reports, the All Function Privileges privilege must also be granted.

View Schedule Build Log

Grants privileges to view Schedule Build Logs.

View Application Logs

Grants privileges to view Application Logs.

All Schedule Operation Functions

Grants access to functions related to Schedule Operations including:

note

To Delete Old Schedules, the Delete Daily Schedules privilege must also be granted. To modify Machine Status from Schedule Operations, the Maintain Machines privilege must also be granted.

Add Jobs to Daily Schedules

Grants privileges to add jobs from the Job Master to the Daily schedules.

note

Users in the role must also have View Jobs in Master Schedules and View Jobs in Daily Schedules to perform this function.

Add Jobs to Master Schedules

Grants access to functions related to adding jobs to the Job Master including:

  • Add new jobs
  • Copy Jobs
  • View History
  • View Job Master PERT

Cancel Jobs

Grants privileges to run the Cancel status change command for Jobs in Operations.

note

Users in the role must also have View Jobs in Schedule Operations to perform this function in graphical interfaces.

Delete Jobs from Daily Schedules

Grants privileges to Delete Jobs in the Daily schedules.

note

Users in the role must also have View Jobs in Daily Schedules and Modify Jobs in Daily Schedules to perform this function in graphical interfaces.

Delete Jobs from Master Schedules

Grants privileges to functions related to deleting jobs from the Job Master including:

  • Delete Jobs
  • View History
  • View Job Master PERT
note

Users in the role must also have View Jobs in Master Schedules and Modify Jobs in Job Master to perform this function in graphical interfaces.

Force-Start Jobs

Grants privileges to run the Start status change command for Jobs in Operations.

note

Users in the role must also have View Jobs in Schedule Operations to perform this function in graphical interfaces.

Hold Jobs

Grants privileges to run the Hold status change command for Jobs in Operations.

note

Users in the role must also have View Jobs in Schedule Operations to perform this function in graphical interfaces.

Kill Jobs

Grants privileges to run the Kill status change command for Jobs in Operations.

note

Users in the role must also have View Jobs in Schedule Operations to perform this function in graphical interfaces.

Mark Jobs Failed

Grants privileges to run the Mark Jobs Failed status change command for Jobs in Operations.

note

Users in the role must also have View Jobs in Schedule Operations to perform this function in graphical interfaces.

Mark Jobs Finished OK

Grants privileges to run the Mark Jobs Finished OK status change command for Jobs in Operations.

note

Users in the role must also have View Jobs in Schedule Operations to perform this function in graphical interfaces.

Modify Jobs in Daily Schedules

Grants access to functions related to modifying jobs in the Daily Schedules including:

  • Modify Job Details
  • Add/Modify/Delete Documentation
  • Add/Modify/Delete Events
  • Add/Modify/Delete Other Job Details
  • Add/Modify/Delete Job Dependencies
  • Add/Modify/Delete Threshold/Resource Dependencies
  • Add/Modify/Delete Threshold/Resource Updates
  • Check Daily Schedules
  • Edit Daily Schedules
note

Users in the role must also have View Jobs in Daily Schedules to perform this function in graphical interfaces.

Modify Jobs in Master Schedules

Grants access to functions related to modifying jobs in the Job Master including:

  • Modify Job Details
  • Add/Modify/Delete Documentation
  • Add/Modify/Delete Events
  • Add/Modify/Delete Frequency and Other Job Details
  • Add/Modify/Delete Job Dependencies
  • Add/Modify/Delete Threshold/Resource Dependencies
  • Add/Modify/Delete Threshold/Resource Updates
  • View History
  • View PERT
note

Users in the role must also have View Jobs in Master Schedules to perform this function in graphical interfaces.

Release Jobs

Grants privileges to run the Release status change command for Jobs in Operations.

note

Users in the role must also have View Jobs in Schedule Operations to perform this function in graphical interfaces.

Restart Jobs

Grants privileges to run the Restart status change command for Jobs in Operations.

note

Users in the role must also have View Jobs in Schedule Operations to perform this function in graphical interfaces.

Skip Jobs

Grants privileges to run the Skip status change command for Jobs in Operations.

note

Users in the role must also have View Jobs in Schedule Operations to perform this function in graphical interfaces.

View Jobs in Daily Schedules

Grants access to functions related to viewing jobs in the daily Schedules including:

  • View Job Details
  • View Documentation
  • View Events
  • View Job Dependencies
  • View Other Job Details
  • View Threshold/Resource Dependencies
  • View Threshold/Resource Updates
  • Check Daily Schedules

View Jobs in Master Schedules

Grants access to functions related to viewing jobs in the Job Master including:

  • View Job Details
  • View Documentation
  • View Events
  • View Frequency and Other Job Details
  • View History
  • View Job Dependencies
  • View PERT
  • View Threshold/Resource Dependencies
  • View Threshold/Resource Updates

View Jobs in Schedule Operations

Grants access to functions related to viewing jobs in the following Enterprise Manager Operation views:

  • List
  • Matrix
  • Gantt
  • PERT Viewer
  • Bar Chart
  • Pie Chart

Machine Privileges

Machine privileges are used to control the machines for users in a role that have privileges to create and edit jobs. Within Job Master and Job Daily, users will only see Machines based on their role privileges. In Schedule Operations, the machine privileges are not applied.

A user must be a member of a role with All Administrative Functions, All Function Privileges, or must be in the ocadm role to manage Machine Privileges. The following information applies to defining Machine Privileges:

  • Role Name: Defines the unique name of the Role
  • Allow job updates?: Determines if users in the Role can update jobs defined with a Machine. If allowed, users can modify and delete the job definition in the Master and Daily. If not allowed, users can only view the job definition in the Master and Daily
  • Revoked: Provides the machines not assigned to the Role Name
  • Granted: Provides the machines assigned to the Role Name. Users will be able to see jobs with any of the granted machines in the Master and Daily

Machine Group Privileges

Machine Group privileges are used to control the machine groups that users in a role have privileges to maintain jobs on. Within Job Master Maintenance and Daily Schedule Maintenance, users will only see Machine Groups based on their role privileges. In Schedule Operations, the machine group privileges are not applied.

A user must be a member of a role with All Administrative Functions, All Function Privileges, or must be in the ocadm role to manage Machine Group Privileges. The following information applies to defining Machine Group Privileges:

  • Role Name: Defines the unique name of the Role
  • Allow job updates?: Determines if users in the Role can update jobs defined with a Machine Group. If allowed, users can modify and delete the job definition in the Master and Daily. If not allowed, users can only view the job definition in the Master and Daily
  • Revoked: Provides the Machines not assigned to the Role Name
  • Granted: Provides the Machines assigned to the Role Name. Users will be able to see jobs with any of the granted machine groups in the Master and Daily
note

Machine Group Privileges do not automatically grant privileges to the individual Machines in the group. To grant privileges to individual machines, refer to Machine Privileges.

Schedule Privileges

Each user must have schedule privileges via one or more roles to access schedules within OpCon. By default, a new role has privileges to no schedules. If a role is not granted privileges to a schedule, users in that role will not see that schedule listed in the graphical interfaces. A user must be a member of a role with All Administrative Functions, All Function Privileges, or must be in the ocadm role to manage roles.

note

Schedule Privileges for individual users are not dynamically granted if they are logged in. If the user is logged into the account when an administrator grants a Schedule Privilege to this user's role, then it is required for the user to log out and log back in for the privilege to be granted.

The following information applies to defining Schedule Privileges:

  • Role Name: Defines the unique name of the Role
  • Revoked: Provides the Schedules not assigned to the Role Name
  • Granted: Provides the Schedules assigned to the Role Name

Batch User Privileges

Most platforms require a valid user ID to be associated with each job submitted by OpCon. Valid user IDs for each of those platforms must be defined in OpCon.

The following platforms do not require a user ID to be defined: OS 2200, BIS, and z/OS.

The Batch User Privileges in OpCon contain the user ID definitions for each platform. Additionally, the Batch User Privileges define which OpCon roles are allowed to use which user ID's for the jobs.

The following information applies to defining Batch User Privileges:

  • Select Role: Defines the unique name of the Role
  • Target Operating System: Provides the operating systems that require Batch User Privileges which includes MCP, IBM i, UNIX, VMS, and Windows
  • Revoked: Provides the Batch User IDs not assigned to the Role Name
  • Granted: Provides the Batch User IDs assigned to the Role Name

Embedded Script Privileges

Each user must have embedded script privileges via one or more roles to access embedded scripts within OpCon. By default, a new role has privileges to no embedded scripts. If a role is not granted privileges to an embedded script, users in that role will not see that embedded script listed in the graphical interfaces. A user must be a member of a role with All Administrative Functions, All Function Privileges, or must be in the ocadm role to manage roles.

note

Embedded Script Privileges for individual users are not dynamically granted if they are logged in. If the user is logged into the account when an administrator grants an Embedded Script Privilege to this user's role, then it is required for the user to log out and log back in for the privilege to be granted.

The following information applies to defining Embedded Script Privileges:

  • Role Name: Defines the unique name of the Role
  • Revoked: Provides the Embedded Scripts not assigned to the Role Name
  • Granted: Provides the Embedded Scripts assigned to the Role Name

Configuration Options

SettingWhat It DoesDefaultNotes
Role NameDefines the unique name of the Rolemust be a member of a role with All Administrative Functions, All Function Privileges, o
Allow job updates?Determines if users in the Role can update jobs defined with an Access Code.must be a member of a role with All Administrative Functions, All Function Privileges, o
RevokedProvides the Access Codes not assigned to the Role Namemust be a member of a role with All Administrative Functions, All Function Privileges, o
GrantedProvides the Access Codes assigned to the Role Name.must be a member of a role with All Administrative Functions, All Function Privileges, o
Granted Function PrivilegesProvides the Function Privileges assigned to the Role Name
Granted Departmental PrivilegesProvides the Departmental Privileges assigned to the Role Name.department for all jobs
Select RoleDefines the unique name of the Rolemust be a member of a role with All Administrative Functions, All Function Privileges, o
Target Operating SystemProvides the operating systems that require Batch User Privileges which includes MCP, IBM i, UNIX, VMS, and Windowsmust be a member of a role with All Administrative Functions, All Function Privileges, o

Security Considerations

Authorization

Managing any category of privilege requires membership in a role with All Administrative Functions, All Function Privileges, or membership in the ocadm role. This applies to Access Code Privileges, Function Privileges, Machine Privileges, Machine Group Privileges, Schedule Privileges, Batch User Privileges, and Embedded Script Privileges.

Access Code Privileges control which jobs each role can view and modify. All roles automatically have privileges for the <None> Access Code applied to all jobs by default; additional Access Codes must be explicitly granted by an administrator.

Schedule Privileges are not dynamically applied to active sessions. A user already logged in must log out and log back in after a new Schedule Privilege is granted before the change takes effect. The same requirement applies to Embedded Script Privileges.

Machine Privileges and Machine Group Privileges control which machines users can see and select in Job Master and Job Daily; these privileges are not enforced in Schedule Operations. Machine Group Privileges do not automatically grant privileges to the individual machines within the group.

Data Security

Batch User Privileges define which platform user IDs (for Windows, UNIX, IBM i, MCP, and VMS) each role is permitted to use when submitting jobs. Restricting these privileges limits which operating-system accounts OpCon may invoke during automation.

Embedded Script Privileges control access to scripts stored in the OpCon database. Users without the Maintain Embedded Scripts or All Administrative Functions privilege can be granted the View Embedded Script Contents privilege to read scripts without being able to modify them.

The Maintain Vision Actions function privilege causes all Vision Action events to be submitted under the ocadm role, regardless of which user triggers the action.

FAQs

Q: Who can manage privileges in OpCon?

A user must be a member of a role with All Administrative Functions, All Function Privileges, or must be in the ocadm role to manage any category of privilege.

Q: What is the difference between All Administrative Functions and All Function Privileges?

All Administrative Functions grants access to administrative tasks such as managing roles, user accounts, access codes, calendars, schedules, and other configuration objects. All Function Privileges includes everything in All Administrative Functions plus access to daily schedule functions, job master functions, notification manager functions, schedule operations, and reporting utilities.

Q: Do Machine Group Privileges automatically grant privileges to the individual machines in a group?

No. Machine Group Privileges only grant access to job definitions using that machine group. To grant privileges to the individual machines within the group, Machine Privileges must be granted separately.

Q: When does a newly granted Schedule Privilege take effect for a user already logged in?

Schedule Privileges are not dynamically applied to active sessions. If a user is logged in when an administrator grants a Schedule Privilege, the user must log out and log back in for the privilege to take effect.

Glossary

LSAM (Local Schedule Activity Monitor): An agent installed on a target platform that runs jobs in the native language of that platform and communicates results back to SAM via SMANetCom over TCP/IP.

Enterprise Manager (EM): OpCon's rich client graphical user interface for Windows and Linux, used to define schedules and jobs, manage automation data, and perform operational tasks.

Frequency: A set of rules that defines when a job or schedule is eligible to run, based on calendar rules, day-of-week settings, period offsets, and other timing criteria.

Threshold: A numeric variable stored in the OpCon database used to control job execution. Jobs can be made dependent on threshold values, and OpCon events can update threshold values at runtime.

Access Code: A security label applied to jobs and schedules in OpCon. Users must have the matching access code privilege to view or manage items with that label.

Department: An organizational grouping in OpCon used to assign jobs to logical divisions. User roles can be scoped to specific departments, controlling which jobs a user can manage.

Embedded Script: A script stored and versioned directly within the OpCon database. Embedded scripts can be assigned to Windows jobs and run at runtime without requiring the script file to exist on the target machine.

Notification: A message sent by the SMA Notify Handler when a Machine, Schedule, or Job changes to a specific status. Notifications can be delivered as emails, text messages, Windows Event Log entries, SNMP traps, or other formats.