Introduction
Hi everybody , sometimes users make and develop their own job and manage the whole cycle of life of their folder.
But It can happened that they face issues and contact the administrator for some support.
Here is one case regarding job ordering , to investigate we will proceed by steps.
How to order a job from another Job
User may want to trigger another specific job after its current job completion see below an example:
To proceed, you must use the on-do actions in your job to order the other one after a specific job status ( Job ended OK , not OK and more)
- First ,select the Actions tab and define your On-Do Action
- Then select the job statement to trigger your next job
- Once done ,let’s define the job ordering by using the do part:
- Add the job you want to trigger and the corresponding folder ( usually it is the same but everything is depending of your job definition and your needs)
Note:
For me job ordering from on-do action is not best practice.
Indeed it is difficult to investigate and understand the workflow easily without using the in and out conditions.
I therefore advise you to use this method with caution and only if you have no choice.
Access to folder is not allowed to user
After this reminder on how to trigger a job from a current job ,we will see what was wrong with message found in the Control-M Agent log
It says the user has no access to the folder from where the job has to be executed .
So it seems to be a right access matter?
Note:
For confidentiality I renamed user folder as folder name and testuser as username to demonstrate how to solve this case
As we use ctmsec and authorization we can check if all is correctly defined to access the folder and trigger the job
The “run as” user field in the job is defined with username testuser
- Let’s see if testuser is correctly defined in the cmtsec part
Connect to Control-M Configuration Manager and check if the run as is correctly set
- Click on Control-M server icon
- Go to the ctmsec and check in the authorized AJF part if user is defined
- Here we see that the user TESTUSER is defined in CAPS whereas in the job it is defined in Lowercase
- Let’s define it in lowercase and check if job is ordering correctly
Result
- When trying to order the job after the current job completion we still got the permission message !
Explanation:
That’s because cmtsec is checking for the user authorization to be able to order the job, so user testuser must be defined User/Group Part in ctmsec, to be able to order the next job
Define the user in “User/Group” Part
- Click on the plus icon and define the user
- Add it to the corresponding group
- Add a description
- Click on OK and check if user is now member of the group:
Test again if job is ordered
- By restarting the job ,we can see in its log that following job is ordered successfully
Job on-do-order-job-2 is forced by on-do-order-job-1 as expected 🙂
Note about this case:
Usually when ctmsec is defined correctly you will have some restriction message pop-up asking for sufficient rights to perform the order ( or the check-in ) below an example
In our case , when the job was defined ( to order an other job ) ctmsec was only checking for the first job “on-do-order-job-1” requirements , which were completed successfully so the folder was able to be checked in and job was allowed to be ordered …..but not the second on in the on-do action !
The on-do-order-job-1 user needed rights to access and trigger the on-do-order-job-2 and it was checked only at the moment where the job tried to trigger the on-do-order-job-2
So in other words cmstec was bypassed during the job definition
To sum up:
Bear in mind that ctmsec is case sensitive ,so when defining your user , be careful of that ( I made some job tests switching with testuser and TESTUSER ( depending of what is defined in ctmsec job will be or not ordered )and it confirmed that.
If your job can not order the following job in on-do action be sure that the user in the first job is defined and have the rights to access the folder of the second job :User/Group Part in ctmsec
Note:
You can add a wildcard (*) if you have user defined like for example usertest1, usertest2, usertest3 just user usertest*
Conclusion
You know now how to solve this specific case , I hope it will help you if you face the same issue , Control-M has many security layers so you must keep in mind that you have to investigate step by steps to see where is the problem.
Of course Control-M log messages are very helpful and will give you precious clues ,but sometime you need to go deeper to find the solution , as you know that it’s a right issue but you have to find where it is defined in ctmsec or even in user authorization part
We will see that maybe in another blog , I invite you to check dbi bloggers and also my previous blogs to share with us some cool tips and tricks 🙂