adTempus Security

adTempus is fully integrated with the Windows security framework. Security is important in adTempus in two ways: access control and job execution.

Access Control

adTempus itself features a security framework that offers granular control over which users can perform which operations within adTempus. adTempus users can be identified using explicit logins (user ID and password) or automatically based on their Windows login identity.

Permissions determine:

  • Who can connect to the adTempus server.
  • Who can make changes to adTempus system configuration settings (such as global options and security settings).
  • The level of access users have to individual objects within adTempus.

Each object within adTempus (for example, a particular job) can have its own security settings, and users can have varying degrees of access. For example, you might configure a job so that:

  • The owner of the job has full control over the job (can modify, delete, and administer the job).
  • System operators have permission to view and monitor the job, but not to modify it.
  • Other adTempus users have no permission for the job, and cannot view or modify it.

Security is applied regardless of the method by which a user is connected to adTempus: through the adTempus Console, Web Console, or a customer-provided tool that uses the API.

Job Execution Security

Every job in adTempus is run under a Windows security account specified by the user when the job is created. Because the job is run under the user account, Windows enforces security for the job just as though that user were manually running the program.

This means that jobs are not able to do anything the user account would not be able to do. Windows enforces all file and other permissions for the job.

Because of this, system administrators can allow individual users to schedule jobs to run on a server without worrying about the security consequences (as long as permissions are set appropriately, of course), because the job won't be able to do anything it shouldn't be able to do.

Credential Profiles allow Windows login credentials to be stored within adTempus for use in jobs. For example, if you run all jobs under a special Windows account set up for offline processes, you would create a Credential Profile for it. adTempus users can then be given permission to create jobs that use those credentials without being given the account password.