A group is an abstract set of users that grants its assigned users some permissions, so it is not necessary to specify permissions for each individual user.
There are independent levels of permissions implemented in CloverETL Server:
permissions to Read/Write/eXecute in sandboxes - sandbox owner can specify different permissions for different groups. See Sandbox Content Security and Permissions for details.
permissions to perform some operation - user with operation permission "Permission assignment" may assign specific permission to existing groups.
permissions to launch specific service - see Launch Services for details.
Table 14.3. Default groups created during installation
Group name | Description |
---|---|
admins | This group has the operation permission "all" assigned, which means that it has unlimited permissions. The default user "clover" is assigned to this group, which makes that user an administrator. |
all users | Every single CloverETL user is assigned to this group by default. It is possible to remove a user from this group, but it is not a recommended approach. This group is useful for sandbox or operation permissions that you would like to make accessible to all users without exception. |
Figure 14.5. Web GUI - section "Groups"
The relation between users and groups is N:M. Thus, just as groups can be assigned to users, users can be assigned to groups.
Figure 14.6. Web GUI - users assignment
Group permissions are structured as a tree, where permissions are inherited from the root to the leaves. Thus if some permission (tree node) is enabled (blue dot), all permissions in its subtree are automatically enabled (white dot). Permissions with a red cross are disabled.
Thus for the "admins" group only the "all" permission is assigned, and every single permission in the subtree is assigned automatically.
Figure 14.7. Tree of permissions
With none of the following privileges, a user can: log in to the server console, create a server project (in Designer) from their own sandbox, create a file in their own existing sandbox, and run graphs.
all
A user with this permission has all available permissions. Admin group has all permissions by default.
Unlimited access to sandboxes
This permission allows user to perform operations on all sandboxes, even if the sandbox accessibility is not specified explicitly.
Unlimited access to sandboxes permission does not include the suspend sandbox permission.
Sandboxes
This permission allows user to work with sandboxes. This permission contains all the permissions below. The user can perform operations only on sandboxes owned by himself or on sandboxes with explicitly added access to him.
See Chapter 15, Server Side Job Files - Sandboxes.
List sandbox
In server web interface, this permission allows user to list her sandboxes and list sandboxes with read permission granted to the user's group.
In server web interface, this permission is necessary to create, edit, or delete sandboxes.
Within a sandbox with write access granted, user can edit or remove files and create or delete directories even without this permission.
Create sandbox
This permission allows user to create a new sandbox.
If the sandbox is to be created in web interface, the user is required to have the list sandbox permission.
Delete sandbox
This permission allows user to delete a sandbox.
If the sandbox is to be deleted in web interface, the user is required to have the list sandbox permission.
Edit sandbox
This permission allows user to edit a sandbox.
If the sandbox is to be modified in web interface, the user is required to have the list sandbox permission.
May delete files missing in uploaded ZIP
In → , this permission allows user to use a checkbox to delete files missing in the ZIP to be uploaded. If the user does not have this permission, the checkbox to delete missing files in ZIP is not displayed.
If the sandbox is to be uploaded from a ZIP file in server web interface, it is required to have the list sandbox permission.
Scheduling
This permission allows user to manage schedules.
List schedule
This permission allows user to list all schedules.
List schedule limited
This permission allows user to list the enabled schedules.
Create schedule
This permission allows user to create a new schedule.
The user needs the list schedule limited permission to access the scheduling section to create a new schedule.
Delete schedule
This permission allows user to delete the schedule.
User needs list schedule limited permission or list schedule permission to access the scheduling section to delete the schedule.
Edit schedule
This permission allows user to edit the schedule.
User needs list schedule limited permission or list schedule permission to access the scheduling section to edit the schedule.
Event listeners
This permission allows user to manage event listeners.
List of Event Listeners
This permission allows user to list all event listeners.
List of Jobflow Event Listeners unlimited
This permission allows user to list jobflow event listeners.
List of Jobflow Event Listeners limited
This permission allows user to list jobflow event listeners of sandboxes the user can read from.
List of Graph Event Listeners unlimited
This permission allows user to list all graph event listeners.
List of Graph Event Listeners limited
This permission allows user to list graph event listeners from sandboxes the user can read from.
List of File Event Listeners unlimited
This permission allows user to list all file event listeners.
See File Event Listeners (remote and local).
List of File Event Listeners limited
This permission allows user to list all file event listeners.
List of JMS Event Listeners unlimited
This permission allows user to list all JMS listeners.
List of JMS Event Listeners limited
This permission allows user to list all JMS listeners.
List of Universal Event Listeners unlimited
This permission allows user to list all universal event listeners.
See Universal Event Listeners.
List of Universal Event Listeners limited
This permission allows user to list all universal event listeners.
Create Event Listener
This permission allows user to create event listeners.
If the event listener is to be created in server web interface, the user needs to have permission to list the event listeners of the particular type.
Create Jobflow Event Listener
This permission allows user to create a new Jobflow Event listener.
If the jobflow event listener is to be created in server web interface, the user needs to have the list of jobflow event listeners limited permission.
Create Graph Event Listener
This permission allows user to create a graph event listener.
If the graph event listener is to be created in server web interface, the user needs to have the list of graph event listeners limited permission.
Create File Event Listener
This permission allows user to create a graph event listener.
If the file event listener is to be created in server web interface, the user needs to have the list of file event listeners limited permission.
Create JMS Listener
This permission allows user to create a JMS event listener.
If the JMS event listener is to be created in server web interface, the user needs to have the list of JMS event listeners limited permission.
Create Universal Event Listener
This permission allows user to create a universal event listener.
If the universal event listener is to be created in server web interface, the user needs to have the list of universal event listeners limited permission.
Edit Event Listener
This permission allows user to edit an event listener.
If the event listener is to be created in server web interface, the user needs to have permission to list event listener of the particular type.
Edit Jobflow Event Listener
This permission allows user to edit a jobflow event listener.
If the jobflow event listener is to be edited in server web interface, the user needs to have the list of jobflow event listeners limited permission.
Edit Graph Event Listener
This permission allows user to edit a graph event listener.
If the graph event listener is to be edited in server web interface, the user needs to have the list of graph event listeners limited permission.
Edit File Event Listener
This permission allows user to edit a file event listener.
If the file event listener is to be edited in server web interface, the user needs to have the list of file event listeners limited permission.
Edit JMS Event Listener
This permission allows user to edit a JMS event listener.
If the JMS event listener is to be edited in server web interface, the user needs to have the list of JMS event listeners limited permission.
Edit Universal Event Listener
This permission allows user to edit a universal event listener.
If the universal event listener is to be edited in server web interface, the user needs to have the list of universal event listeners limited permission.
Delete Event Listener
This permission allows user to delete event listeners.
Delete Jobflow Event Listener
This permission allows user to delete a jobflow event listener.
User needs to have the delete graph event listener permission to delete a jobflow event listener.
If the jobflow event listener is to be deleted in server web interface, the user needs to have the list of jobflow event listeners limited permission.
Delete Graph Event Listener
This permission allows user to delete a graph event listener.
If the graph event listener is to be deleted in server web interface, the user needs to have the list of graph event listeners limited permission.
Delete File Event Listener
This permission allows user to delete a file event listener.
The user needs to have the delete graph event listener permission to delete a file event listener.
If the file event listener is to be deleted in server web interface, the user needs to have the list of file event listeners limited permission.
Delete JMS Event Listener
This permission allows user to delete a JMS Event Listener.
The user needs to have the delete graph event listener permission to delete a JMS event listener.
If the graph event listener is to be deleted in server web interface, the user needs to have the list of JMS event listeners limited permission.
Delete Universal Event Listener
This permission allows user to delete a universal event listener.
The user needs to have the delete graph event listener permission to delete universal event listener.
If the universal event listener is to be deleted in server web interface, the user needs to have the list of universal event listeners limited permission.
Manual task Execution
This permission allows user to manually execute a task (send an email, execute a script, etc.) with an immediate effect.
Unlimited access to execution history
This permission allows user to perform the same operations as unlimited access to execution history list permission.
Unlimited access to execution history list
This permission allows user to view execution history of all jobs.
Limited access to execution history list
This permission allows user to view execution history of jobs from sandboxes the user can read from. In Designer, this permission is required to be able to view Execution log in Designer's console and execution history in Execution tab.
Launch Services
This permission allows user to list, create, edit, and delete launch services.
See Launch Services.
List Launch Services unlimited
This permission allows user to list all launch services.
List Launch Services Limited
This permission allows user to list launch services from sandboxes the user can read from.
Create Launch service
This permission allows user to create a new launch service.
User has to have the create graph event listener permission to bind the launch service with a graph.
If the launch service is to be created in server web interface, the user has to have the list launch services limited permission (or the list launch services unlimited permission) to access the section with launch services.
Delete Launch Service
This permission allows user to delete a launch service.
User has to have delete graph event listener permission to delete a launch service.
If the launch service is to be deleted in server web interface, the user needs to have the list launch services limited permission to access the section with launch services.
Edit Launch Service
This permission allows user to edit a launch service.
User has to have the edit graph event listener permission to edit the launch service.
If the launch service is to be edited in server web interface, the user needs to have the list launch services limited permission to choose the launch service in the server interface.
Tasks history
This permission allows user to access Tasks history section.
See Chapter 20, Tasks.
Monitoring
Monitoring permission grants user all its subpermissions.
Monitoring section
This permission allows user to access the monitoring section.
Suspend
This permission allows user to suspend the server, a cluster node, or a sandbox.
The user needs to have the monitoring section permission to access the Monitoring section.
Suspend server
This permission allows user to suspend or resume the server.
The user needs to have the monitoring section permission to access the monitoring section.
Suspend cluster node
This permission allows user to suspend or resume a cluster node.
The user needs to have the monitoring section permission to access the monitoring section.
Suspend sandbox
This permission allows user to suspend a sandbox. The user needs to have list sandbox permission to view the sandboxes to suspend them.
Reset caches
Deprecated.
Running jobs unlimited
If the graph is to be run from server web interface, the user needs to have the list sandbox permission to list the graphs.
Running jobs limited
If the graph is to be run from server web interface, the user needs to have the list sandbox permission to list the graphs.
Configuration
This permission allows user to access the configuration section.
Users
This permission allows user to access the Users section and configure user accounts.
List user
This permission allows user to list users and access the Users administration section ( → ).
Change passwords
This permission allows user to change his password and to change password of another user.
To see list of users, the user needs the list user permission.
Edit user
This permission allows user to change group assignment.
To see the list of users, the user needs to have the list user permission.
Edit own profile and password
This permission allows user to change his profile (first name, last name, email, and password).
The user can access her profile in the main web console view under the username, in the upper right corner of the page.
Delete user
This permission allows user to disable a user.
The user needs to have the list user permission to list available users.
Create user
This permission allows user to create a new user.
If the user is to be created in server web interface, the creating user needs to have the list user permission to list users to access this option.
Groups assignment
This permission allows user to assign users to groups.
The user needs to have the edit user permission to successfully finish the assignment of users to groups.
If the user is to be created in server web interface, the creating user needs to have the list user permission to list users to access this option.
Groups
This permission allows user to manage groups: user can list groups, create groups, delete groups, edit the group, assign users to the group, and change permissions of the group.
List groups
This permission allows user to list groups. This permission is necessary for use of other options from the Groups group.
Create group
This permission allows user to create a new user group.
If the user group is to be created in server web interface, the user needs to have the list groups permission to view a list of groups and to access this option.
Delete group
This permission allows user to delete a user group.
Only empty groups can be deleted. You need to have the list groups permission to view list of groups and to access this option.
Edit group
This permission allows user to edit user groups.
This permission does not include User assignment and .
If the user group is to be edited from server web interface, the user needs to have the list groups permission.
Users assignment
This permission allows user to assign users to groups.
The user needs Edit group permission to commit the changes in the assignment.
If the assignment is to be edited in server web interface, the user needs to have the list groups permission to list the groups.
Permission assignment
This permission allows user to configure group Permissions.
The user needs to have the Edit group permission to commit the changes.
If the permissions are to be edited in server web interface, the user needs to have the list groups permission to list the groups.
Secure parameters administration
Secure params
This permission allows user to change the value of a secure parameter.
The user can use secure parameters in graphs even without this permission.
CloverETL/System info sections
This permission allows user to view System Info and CloverETL Info sections.
CloverETL Server properties
This permission allows user to view Server Properties tab and Data Profiler properties tab in CloverETL Info section.
The user needs to have the CloverETL/System info sections permission to access CloverETL Info section.
Reload license
This permission allows user to reload and view the server license.
The user needs to have the CloverETL/System info sections permission to access the Configuration section.
Upload license
This permission allows user to update the server license.
The user needs to have the CloverETL/System info sections permission to access the Configuration section.
Server Configuration Management
This permission allows user to import and export the server configuration.
See Chapter 17, Server Configuration Migration.
Export Server Configuration
This permission allows user to export the server configuration.
Import Server Configuration
This permission allows user to import the server configuration.
Temp Space Management
This permission allows user to access Temp Space Management section.
Server Setup
This permission allows user to access the server setup.
See Chapter 7, Setup.
Heap Memory Dump
This permission allows user to create a Thread dump and a Heap Memory Dump.
Groovy Code API
This permission allows user to run groovy scripts.
See Groovy Code API.
Open Profiler Reporting Console
This permission allows user to login to the Profiler reporting console.
The permission is necessary to view the results of Clover Profiling Jobs in Designer.
Even without this permission, a user can create and run .cpj jobs from Designer.
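The tree inheritance described at the top of this page and the web-interface prerequisites noted in the individual entries can be combined into a small audit of group grants. The following is an added example, not CloverETL code: the nesting of the tree is an assumption read from the order of the entries, the union of permissions across a user's groups is an assumed merge rule, and the groups "operators" and "sandbox viewers" and the users "alice" and "bob" are hypothetical.

```python
# Added example: constructed model, not CloverETL code. The nesting below is
# an assumption read from the order of the entries on this page.
TREE = {
    "all": ["Unlimited access to sandboxes", "Sandboxes", "Scheduling", "Monitoring"],
    "Sandboxes": ["List sandbox", "Create sandbox", "Delete sandbox", "Edit sandbox"],
    "Scheduling": ["List schedule", "List schedule limited", "Create schedule",
                   "Delete schedule", "Edit schedule"],
    "Monitoring": ["Monitoring section", "Suspend"],
    "Suspend": ["Suspend server", "Suspend cluster node", "Suspend sandbox"],
}
# Prerequisites quoted from the entries: permission -> any one of these is enough.
NEEDS = {
    "Create sandbox": {"List sandbox"},
    "Delete sandbox": {"List sandbox"},
    "Edit sandbox": {"List sandbox"},
    "Delete schedule": {"List schedule limited", "List schedule"},
    "Edit schedule": {"List schedule limited", "List schedule"},
    "Suspend server": {"Monitoring section"},
    "Suspend cluster node": {"Monitoring section"},
    "Suspend sandbox": {"List sandbox"},
}

def expand(enabled):
    """Return the enabled nodes plus every node inherited in their subtrees."""
    effective, stack = set(), list(enabled)
    while stack:
        node = stack.pop()
        if node not in effective:
            effective.add(node)
            stack.extend(TREE.get(node, []))
    return effective

def effective_permissions(user, membership, grants):
    """Union over the user's groups (assumed merge rule for the N:M relation)."""
    perms = set()
    for group in membership.get(user, []):
        perms |= expand(grants.get(group, []))
    return perms

def unusable(perms):
    """Held permissions whose prerequisite is not held; candidates for cleanup."""
    return sorted(p for p in perms if p in NEEDS and not NEEDS[p] & perms)

# Constructed sample data; "operators" and "sandbox viewers" are hypothetical groups.
GRANTS = {"admins": ["all"], "all users": [],
          "operators": ["Suspend", "Delete schedule"],
          "sandbox viewers": ["List sandbox"]}
MEMBERSHIP = {"clover": ["admins", "all users"],
              "alice": ["operators", "all users"],
              "bob": ["operators", "sandbox viewers", "all users"]}

if __name__ == "__main__":
    for user in MEMBERSHIP:
        perms = effective_permissions(user, MEMBERSHIP, GRANTS)
        print(user, len(perms), "effective;", "unusable:", unusable(perms))
```

A non-empty `unusable` list points at grants that cannot be exercised from the web interface as assigned, which usually means the group was given either too little or more than it was meant to have.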