
Understanding User Privileges and Access Control

Managing what users can do in Xi-Batch

Understanding Privileges

Privileges control access to Xi-Batch functions. Each user has a set of privileges determining what they can do.

Privileges vs Modes:

Privileges : System-wide capabilities (can create jobs, can stop scheduler, etc.)

Modes : Per-job/per-variable access (can read this job, can write that variable)

The Nine Privileges

Read admin file (RA)
  • View user administration information
  • See privileges, load levels, priorities for all users

Write admin file (WA)
  • Full administrator access
  • Can grant/revoke all privileges
  • Can modify all user settings
  • Makes user full Xi-Batch administrator

Create entry (CR)
  • Submit jobs and create variables
  • Default: Enabled for all users

Special create (SPC)
  • Create jobs with custom load levels
  • Modify command interpreters
  • Override default load levels

Stop scheduler (ST)
  • Can stop Xi-Batch with btquit
  • Should be restricted to admins

Change default modes (Cdft)
  • Modify own default job/variable modes
  • Default: Enabled for all users

Combine user and group permissions (UG)
  • For jobs/vars in user's group, combine user+group permissions
  • Makes managing group jobs easier

Combine user and other permissions (UO)
  • For jobs/vars not in user's group, combine user+other permissions
  • Rarely used

Combine group and other permissions (GO)
  • Combine group+other permissions
  • Effectively removes distinction between group and other

Default Privileges

Standard user (default):

Create entry: Yes
Change default modes: Yes
All others: No

Administrators (root, batch user):

All privileges: Yes

Viewing Privileges

Command line:

bash

# View own privileges
btuser -d

# View specific user (requires RA privilege)
btuser -l <username>

In btuser:

  1. Run btuser
  2. Navigate to user
  3. Press p to view privileges

Granting Privileges

Requires: Write admin file privilege

In btuser:

  1. Run btuser
  2. Navigate to user
  3. Press p (privileges)
  4. For each privilege:
    • Y or T to set
    • N or F to unset
    • ! or ~ to toggle
  5. Press Enter to save

Command line:

bash

# Grant specific privilege
btuchange -u <username> -p <privilege_code>

# Remove privilege
btuchange -u <username> -n <privilege_code>

Privilege codes: RA, WA, CR, SPC, ST, Cdft, UG, UO, GO

Common Privilege Scenarios

Standard User

Most users need only default privileges:

Create entry: Yes
Change default modes: Yes

Can submit jobs, create variables, modify their defaults.

Power User

User who manages group's jobs:

Create entry: Yes
Change default modes: Yes
Combine user and group permissions: Yes

Can fully manage all jobs/variables in their group.

Developer

Needs to create different job types:

Create entry: Yes
Change default modes: Yes
Special create: Yes

Can create jobs with custom load levels, manage command interpreters.

Administrator

Full system administrator:

All privileges: Yes

Can do anything in Xi-Batch.

Read-Only Admin

Can view but not change administration:

Read admin file: Yes
All others: No (except defaults)

Useful for audit or monitoring roles.

Special Create Privilege

Allows:

  • Creating jobs with custom load levels (override interpreter default)
  • Modifying existing job load levels
  • Adding/modifying/deleting command interpreters
  • Setting default load level for new command interpreters

Use cases:

  • Developers creating optimized job schedules
  • Administrators setting up new job types
  • Users managing complex workflows

Without this privilege:

Users inherit the load level from the command interpreter, with no way to override it.

Grant carefully:

Users with special create can circumvent load level restrictions.

bash

# Grant special create
btuchange -u developer1 -p SPC

Combine Permissions Privileges

UG (User + Group):

For jobs/vars in same group as user:

Without UG:
  User permissions: Read, Write
  Group permissions: Read
  Effective: Read, Write (user only)

With UG:
  User permissions: Read, Write
  Group permissions: Read, Delete
  Effective: Read, Write, Delete (combined)

Use case:

Team lead managing team's jobs without full admin privileges.

UO (User + Other):

Similar, but for jobs/vars outside user's group. Rarely used.

GO (Group + Other):

Combines group and other permissions. Rarely used.

Setting Default Privileges

Applies to new users only.

Existing users unaffected unless explicitly copied.

In btuser:

  1. Run btuser
  2. Press P (capital - default privileges)
  3. Set privileges as desired
  4. Save

Existing users:

Won't change unless you press A (copy to all).

Managing Privileges

View all users' privileges:

bash

# Command line
btulist -v

# In btuser
# Just browse user list, privileges shown

Grant privilege to user:

bash

# In btuser
# Navigate to user, press 'p', set privilege

# Or command line
btuchange -u jsmith -p SPC

Revoke privilege:

bash

# In btuser  
# Navigate to user, press 'p', unset privilege

# Or command line
btuchange -u jsmith -n SPC

Reset user to defaults:

bash

# In btuser
# Navigate to user, press 'a'

Apply defaults to all users:

bash

# In btuser
# Press 'A' (capital)
# Confirms before proceeding

Privilege Interactions

Write admin file implies all others:

Setting WA automatically enables all privileges.

Can't disable WA for root/batch:

Attempts are silently ignored as a system protection.

Create entry + Special create:

Together allow full job creation flexibility.

Privilege changes take effect:

Immediately for other users, on exit for self.

Security Best Practices

Limit write admin file:

Only 2-3 trusted administrators.

Grant special create sparingly:

Only to users who need custom load levels.

Don't grant stop scheduler widely:

Accidental scheduler stops are disruptive.

Use UG for team leads:

Instead of full admin, grant UG for group management.

Review privileges regularly:

Audit user privileges quarterly.

Document privilege decisions:

Record why specific users have specific privileges.

Start restrictive:

Grant additional privileges as needed, not preemptively.

Test with limited users:

Create test user to verify privilege settings work as intended.
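
One way to run the quarterly review against the documented privilege decisions, as an added example that is not part of Xi-Batch or the original article. It assumes the current privileges have been converted to `user:CODE,CODE` lines (not the native output of any Xi-Batch command); the function names, the `MAX_WA` variable and the sample users are hypothetical.

```shell
#!/bin/sh
# Added example, not Xi-Batch code. Assumed input format, one line per user:
#   user:CODE,CODE,...   (privilege codes as listed on this page)

# audit_privs BASELINE CURRENT
# Prints one finding per line; returns non-zero when there is any finding.
audit_privs() {
    awk -F: -v max_wa="${MAX_WA:-3}" '
        /^[ \t]*(#|$)/ { next }              # skip comments and blank lines
        FILENAME == ARGV[1] {                # baseline: documented grants
            n = split($2, a, ",")
            for (i = 1; i <= n; i++) base[$1, a[i]] = 1
            known[$1] = 1
            next
        }
        {                                    # current: privileges held now
            n = split($2, a, ",")
            for (i = 1; i <= n; i++) {
                code = a[i]
                if (code == "") continue
                # root/batch cannot lose WA; leave them out of the count (assumption).
                if (code == "WA" && $1 != "root" && $1 != "batch") wa++
                # WA implies all other privileges: a documented WA covers any code.
                if ((($1, "WA") in base) || (($1, code) in base)) continue
                # Users missing from the baseline are held to the defaults.
                if (!($1 in known) && (code == "CR" || code == "Cdft")) continue
                print "UNDOCUMENTED " $1 " " code
                bad = 1
            }
        }
        END {
            if (wa > max_wa) { print "TOO_MANY_WA " wa; bad = 1 }
            exit bad
        }
    ' "$1" "$2"
}

# Constructed sample data (hypothetical users), written to a temp directory.
demo() {
    d=$(mktemp -d) || return 2
    printf '%s\n' 'root:WA' 'batch:WA' 'alice:WA' \
        'jsmith:CR,Cdft,UG' 'developer1:CR,Cdft,SPC' > "$d/baseline"
    printf '%s\n' 'root:RA,WA,CR,SPC,ST,Cdft,UG,UO,GO' 'alice:WA,ST' \
        'jsmith:CR,Cdft,UG,SPC' 'developer1:CR,Cdft,SPC' \
        'newuser:CR,Cdft' 'temp1:CR,Cdft,ST' > "$d/current"
    rc=0; audit_privs "$d/baseline" "$d/current" || rc=$?
    rm -rf "$d"
    return "$rc"
}
```

Calling `demo` reports the SPC grant to jsmith and the ST grant to temp1, neither of which appears in the constructed baseline; the non-zero return lets the check run as a scheduled job that alerts on drift.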
