Limit ECLI command access

Document ID : KB000096831
Last Modified Date : 18/05/2018
Show Technical Document Details
Question:
We are using the /opt/CA/SharedComponents/iTechnology/AutoSysCommandISponsorFilters.txt file in order to control the allowable commands to be executed in ECLI.  For a certain group of users, we would like to restrict that list even further.
We assume this would be done by using EEM access policies within the WCC0004 applicaiton.
Are there any examples available?
Answer:
Yes, you can further restrict access to commands via EEM policies for WCC. Specifically look at the "CommandExecute" policy type. For some details see: https://docops.ca.com/ca-workload-automation-ae/11-4-2/en/securing/security-policy-customization/customize-ca-wcc-policies#CustomizeCAWCCPolicies-CreateaCommandExecutePolicy
Here is an example:
I created an explicit deny, this was my resource server/MOM.autorep.*
I made sure to select the check box - Treat resource names as regular expressions.
The above denies me the ability to execute autorep from ECLI for the MOM AUTOSERV instance.
I am still able to issue other commands like chk_auto_up against the MOM instance.
And able to run autorep against other AUTOSERV instances.