GridLink - Access Groups

By default the  GridLink controller launches AXIS using the credentials of it's own service account. In other words, the AXIS applications will have the same user rights as the GridLink Controller.

Usually this service account is granted "Full Control" access rights to all directories where AXIS datasets reside as well as the directories where all inputs and outputs (e.g. exports of the calculated reports) take place.

Under this mode each GridLink farm user is assigned to the "Unrestricted" access group by default.

In certain situations it is desirable to limit the access rights for a job submitted by certain users to a specific set of directories. E.g. the farm could be shared by users performing test runs and users who execute production jobs. In this situation, the jobs submitted by test users must not be able to access production data.

The Access Groups feature adds this extra level of security control to the AXIS GridLink farm.

By creating "Access Groups" and associating each user with a given group, you can force AXIS instances that have been launched by GridLink to use the credentials of the specified user account instead of the account under which the controller is running.

Separate Access Groups can be created for each individual user or can include several users for whom identical access rights should apply. The following diagram illustrates the possibilities:

The settings that enable this feature are located in the GridLink "Farm Profile - Farm Settings" dialog:

Step 1 - create access groups

Go to "Access Groups" tab, click on "Add" button. Specify a new group name and a windows user account who's credentials GridLink will launch AXIS. This account does not necessarily need to be an existing user's account. It could be a shadow account based on a real user's credentials. Click on "OK" button once you are done, and you will see this new group shows up in the group list.

You can also modify / remove an existing group from this tab.

Once you have finished this step, the access group you created will appear in the "Access Groups" tab as shown below.

 

Step 2 - associate users with access groups.

Open the "Authorized Users" tab, edit a user's information, and assign an access group to this user.

You will see the group name that you have selected in the user list.

If you prefer not to use "Access Groups" feature, you may use a build-in group "Unrestricted", which means AXIS will be launched under the same user account as the controller without limiting its access rights.