Security Introduction

Each ActiveBatch object is securable. ActiveBatch Administrators have the ability to establish default security for each object. ActiveBatch supports the Microsoft Windows security model. This means that your existing Windows accounts and groups can be used (or you may create new AD groups, specifically for ActiveBatch). Many of the access permissions mirror those of the Windows file system.

ActiveBatch supports Grant (Allow) and Deny access control entries (ACE). Using Windows conventions, you will see Deny and Allow ACEs on the Security property sheet of all objects.

You can check the box next to the desired permission to deny an account or group access. However, keep in mind that Windows is a positive authorization system in that unless individual accounts and/or a group are authorized (allowed access), they won’t be able to gain access to the object.

Deny is typically used for individual account(s) that have been granted (allowed) access to an object as a group member. You may not want to remove the account from the group, but rather, deny the permission for the individual group member that should not have access. If you want to deny an account access that would otherwise be granted access under a group membership, click the deny checkbox. Deny takes precedence over allow.

The creator/owner of an ActiveBatch object is implicitly granted Full Control access. This access cannot be modified or removed. If you attempt to remove all accounts and groups from an object, you will receive a warning that no one but the owner of the object will be able to perform operations.

ActiveBatch Administrators can always Take Ownership of an object. Take Ownership is a security permission, located on the Security property sheet. To take ownership, the user can click the Take Ownership button for the object in question, or right click on the object in the Object Navigation pane and select Advanced > Take Ownership.

Note: Security is typically verified during the creation and/or update of an ActiveBatch object. For example, if you associate a Job with a particular Queue, the Queue object will be checked for “Use” permission when the Job object is either created or updated. If you later remove that “Use” permission, please note that the association will still take place and that the security change will not be re-verified until the Job object has been updated.

Note: Security Best Practices always advocate that minimum access be allowed and that access be restricted to those users/groups that require access for the operations they may need to perform. As you examine the rest of this section you will see that the security access for each object is very granular.

Spotted a typo or can’t find help on a certain subject? Reach out to the Documentation team at docsupport@redwood.com.