Forums  »  adTempus  »  General  »  The Use Credential permission needs better support from Console UI

The Use Credential permission needs better support from Console UI

John Cheng (4 posts)
May 6, 2025 04:31 PM
Accepted Answer
I want to keep the Use Credential permission within admin only. Since otherwise, it may lead to a security concern. Because it allows regular users do more with some powerful service accounts. With Use Credential permission, users don't need to provide password but simply select a powerful service account that's already in the system. So, I tried to remove Use Credential from regular users. However, after taking this permission away, a regular user cannot even edit an existing job that's created by admin. When saving the edit, a regular user got error that ask him to set service account. While the service had already been set by admin. I think that behavior is not. The right way should be letting the UI display a read-only (or hidden) field of the service account for regular users. When saving other changes, the system should retain the service account and let regular user update other part. 
Permalink
Bill Staff (618 posts)
May 6, 2025 05:23 PM
Accepted Answer
That is the correct behavior: without Use permission, you cannot use the Credential Profile on a job, and this includes modifying a job that uses the profile. If the user were allowed to make changes to the job, they could change it to do whatever they want. This would be the same as letting the user create a new job using the credentials, and would defeat the purpose of having restrictions on the credentials.
Permalink
John Cheng (4 posts)
May 6, 2025 08:59 PM
Accepted Answer
If editing requires Use, why you need to set it as a separate permission? Under what circumstances should I use it separately? On the other hand, I am okay to let user do anything with the account pre-set by admin. But don't want give the freedom letting user pick any account. 
Permalink
Bill Staff (618 posts)
May 7, 2025 12:07 PM
Accepted Answer

You are setting permissions for 2 (or 3) different things:

  • Edit permission on a Credential Profile determines whether a user can make changes to the profile (change settings, password, user ID, etc.)
  • Use permission on a Credential Profile determines whether a user can use the Credential Profile on a job. As you said originally, this is to prevent users from being able to run jobs under accounts they shouldn't have permission to use.
  • Edit permission on a job determines whether a user can make changes to the job. When editing a job, they can only use a Credential Profile that they have Use permission for.

 

John Cheng wrote:
I am okay to let user do anything with the account pre-set by admin. But don't want give the freedom letting user pick any account. 

In that case you should give the user Use permission for that Credential Profile and not for any other Credential Profile. That's exactly what the Use permission is for.

Can you explain more about what your goal is? What is it you want the user to be able to change in the job? You're seem to be saying that you want them to be able to use the Credential Profile that you have selected for them, but you don't want to give Use permission, which is the opposite.

The issue is that once you give a user Edit permission for a job, you cannot restrict what parts of the job they can change. If you have set up the job for them to run a certain program, they can change the job to run any other program they want, as long as the user account in the Credential Profile has permission for it. It doesn't make sense to say that "I want the user to be able to use this Credential Profile, but only on this particular job" because the user can change the job to do whatever they want.

If you only want the user to be able to run certain programs or do certain things on the computer, then you should be giving them a Credential Profile for a user account that only has permission for those things.

If you don't want the user to be able to create new jobs using a Credential Profile, you can change settings so that they don't have permission to create jobs. There's no way to say "don't allow them to create new jobs with these credentials, but they can use these credentials for existing jobs," because again, they could bypass the restriction by changing the existing job to do whatever they want.

Permalink
John Cheng (4 posts)
May 7, 2025 01:57 PM
Accepted Answer

Bill, 

Your message let me aware that the security can be set on per Contedential level as well as per job and/or job folder level. Which is great! I will align my design based on those. 

Permalink