Understanding Modes
Modes control access to individual jobs and variables. Like Unix file permissions, but more granular.
Three permission categories:
User : Job/variable owner
Group : Users in same primary group as owner
Other : Everyone else
The Eleven Modes
For both jobs and variables:
Read : View job specification or variable value
Write : Modify job specification or variable value : Automatically grants Read
Reveal : See that job/variable exists : Without Reveal, job/variable completely hidden
Display mode : View the modes (permissions) themselves
Set mode : Change the modes
Assume ownership : Accept ownership if transferred
Assume group : Accept group ownership if transferred
Give away owner : Transfer ownership to another user
Give away group : Transfer to another group
Delete : Remove job or variable
For jobs only:
Kill : Terminate running job
Default Modes
New jobs/variables inherit user's default modes.
Typical default modes:
User Group Other Read Yes Yes No Write Yes No No Reveal Yes Yes Yes Display mode Yes Yes Yes Set mode Yes No No Assume owner No No No Assume group No No No Give away owner Yes No No Give away group Yes Yes No Delete Yes No No Kill (jobs) Yes No No
Meaning:
- Owner has full control
- Group can see and read
- Others can see it exists but can't read
- Only owner can modify, delete, or transfer
Viewing Modes
For specific job:
bash
# In btq # Select job, press 'M' # Command line btjlist -v <job_number>
For specific variable:
bash
# In btq # Switch to variables (V), select variable, press 'M' # Command line btvlist -v <var_name>
Display shows:
Modes for Job 'backup-daily'
Job owner jsmith group staff
User Group Other
Read Yes Yes No
Write Yes No No
Reveal Yes Yes Yes
Display mode Yes Yes Yes
Set mode Yes No No
Assume owner No No No
Assume group No No No
Give away owner Yes No No
Give away group Yes Yes No
Delete Yes No No
Kill Yes No No
Changing Modes
Requires: Set mode permission
In btq:
- Select job/variable
- Press M (modes)
- Navigate with cursor
- Set/unset permissions:
- s to set
- u to unset
- t to toggle
- Press q to save
Coupled permissions:
Some permissions automatically grant others:
- Setting Read grants Reveal
- Setting Write grants Read (and Reveal)
Common Mode Patterns
Private Job/Variable
Only owner can access:
User Group Other Read Yes No No Write Yes No No Reveal No No No
Nobody else can even see it exists.
Shared Read
Group can read, only owner can write:
User Group Other Read Yes Yes No Write Yes No No Reveal Yes Yes No
Common for shared workflows.
Public Read
Everyone can read:
User Group Other Read Yes Yes Yes Write Yes No No Reveal Yes Yes Yes
Good for status variables others monitor.
Group Managed
Group can modify:
User Group Other Read Yes Yes No Write Yes Yes No Reveal Yes Yes No
Team members can manage together.
Read-Only for All
Nobody can modify (except owner):
User Group Other Read Yes Yes Yes Write Yes No No Delete No No No
Protected reference data.
Ownership Transfer
Two-stage process for security:
Stage 1: Give away
Current owner transfers:
bash
# In btq # Select job, press 'O' (owner) # Enter new owner username # For group # Select job, press 'G' (group) # Enter new group name
Job marked with designated owner, but change not complete.
Stage 2: Assume
New owner must accept:
bash
# In btq # New owner selects job, press 'O' (assume ownership) # Requires: Assume ownership permission
Administrators bypass process:
Users with write admin file privilege can transfer immediately - both stages happen at once.
Why two stages?
Prevents:
- Unauthorized ownership assumption
- Jobs running masquerading as other users
- Malicious transfers
Setting Default Modes
Your default modes:
New jobs/variables you create inherit these.
View current defaults:
bash
btuser -d
Change defaults (requires Cdft privilege):
bash
# In btuser btuser -m
Navigate and set modes as desired.
Changes affect future jobs/variables only.
Existing jobs/variables keep their current modes.
Permission Scenarios
Hiding Sensitive Job
bash
# Create job
btr sensitive-process.sh
# Get job number
JOB=$(btjlist | grep sensitive | awk '{print $1}')
# Set completely private
# In btq: select job, press M
# Set all Reveal to No
Nobody else can see job exists.
Shared Variable
bash
# Create shared status variable btvar -c project_status "In Progress" # Set readable by group # In btq: press V, select variable, press M # Set Group Read to Yes
Team members can check status.
Transferring Job
bash
# Owner (jsmith) gives away job # In btq: select job, press O, enter 'mjones' # Job now marked for mjones but still owned by jsmith # mjones accepts # In btq: mjones sees job, presses O to assume # Job now owned by mjones
Troubleshooting Permissions
Can't see job/variable:
Check Reveal permission. Without it, job/variable invisible.
Can't modify job/variable:
Check Write permission. Also verify you have Create entry privilege.
Can't delete:
Check Delete permission on the specific job/variable.
Can't transfer ownership:
- Giver needs: Give away owner
- Receiver needs: Assume ownership
Changes not taking effect:
Verify you have Set mode permission.
Best Practices
Use restrictive defaults:
Better to grant access as needed than remove it later.
Reveal controls visibility:
Most important permission - without it, job invisible.
Group permissions for teams:
Enable group read/write for collaborative work.
Document special permissions:
Note why specific jobs have unusual permissions.
Audit sensitive jobs:
Regularly review permissions on critical jobs.
Test permission changes:
Have another user verify access works as expected.
Don't over-restrict:
Balance security with usability.
Use ownership transfer carefully:
Verify recipient before transferring critical jobs.