Security objects for Teracloud® Streams domains and instances

This information describes the security objects for Teracloud® Streams domains and instances.

Table 1. Teracloud® Streams security objects for domains

This table contains three columns. The first column lists a domain object, the second lists the parent object, and the third contains a description of the object.

| Domain object | Parent object | Description |
| --- | --- | --- |
| domain | Not applicable | Controls who is allowed to start, stop, or control a domain. |
| config | domain | Controls who is allowed to change the configuration for the domain. |
| hosts | domain | Controls who is allowed to view, add, and remove hosts from the domain configuration. |
| instances | domain | Controls who is allowed to view, add, and remove instances from the domain configuration. |
| system-log | domain | Controls who has access to view the domain and host log data. |
| appconfig | domain | Controls who has access to view, add, and remove domain-level application configurations. |
| appconfig_<element-name> | appconfig | Controls who has access to view, add, and remove domain-level application configuration security elements. |

Table 2. Teracloud® Streams security objects for instances

This table contains three columns. The first column lists an instance object, the second lists the parent object, and the third contains a description of the object.

| Instance object | Parent object | Description |
| --- | --- | --- |
| instance | Not applicable | Controls who is allowed to start, stop, or view an instance. |
| config | instance | Controls who is allowed to change the configuration for the instance. |
| hosts | instance | Controls who is allowed to view, add, and remove hosts from the instance configuration. |
| jobs | instance | Controls who is allowed to submit new jobs to the instance. |
| jobgroup_name | jobs | Controls who is allowed to view or change all jobs submitted in the job group for the running instance, and who can submit a job in the instance.<br><br>The parent job group is checked for authority when checking that a user has permission to submit a job. Updated permissions for a job group are used when checking permissions for a submitted job in the running instance. Job group permissions can be updated by using the streamtool grantjobpermission, streamtool revokejobpermission, or streamtool setacl command.<br><br>The Access Control List entries for jobgroup_name objects control the export of data from a job and the import of data to a job. In order for one job to export data to a second job, the user that started the exporting job must have write access to the second job. In order for the second job to import data from the exporting job, the user that started the importing job must have read access to the exporting job.<br><br>If permissions are changed after a job is submitted, either the exporting or importing PE must be restarted for the changes to take effect. |
| jobs-override | instance | Controls who is allowed to override the resource load protection settings when submitting jobs. |
| application-log | instance | Controls who is allowed to view the application log data. |
| system-log | instance | Controls who has access to view the instance and host log data. |
| appconfig | instance | Controls who has access to view, add, and remove instance-level application configurations. |
| appconfig_<element-name> | appconfig | Controls who has access to view, add, and remove instance-level application configuration security elements. |
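
The export and import rule described for jobgroup_name objects can be checked offline when reviewing which jobs are able to exchange data. The following Python model is an added example, not Teracloud Streams code: the ACL layout, the job group, job and user names, and all function names are assumptions made for illustration, and only the read/write rule and the PE restart caveat come from this page.

```python
from dataclasses import dataclass

# Constructed sample ACLs: job group object -> user -> permissions.
# All group, job and user names are hypothetical.
ACLS = {
    "jobgroup_ingest": {"alice": {"read", "write"}, "bob": {"read"}},
    "jobgroup_analytics": {"bob": {"read", "write"}, "alice": {"write"}},
    "jobgroup_restricted": {"carol": {"read", "write"}},
}

@dataclass(frozen=True)
class Job:
    name: str
    group: str       # jobgroup_name object whose ACL governs this job
    started_by: str  # user that started the job

JOBS = [
    Job("feed", "jobgroup_ingest", "alice"),
    Job("score", "jobgroup_analytics", "bob"),
    Job("audit", "jobgroup_restricted", "carol"),
]

def has_access(acls, user, job, perm):
    return perm in acls.get(job.group, {}).get(user, set())

def check_flow(acls, exporter, importer):
    """Return (allowed, reasons) for data flowing exporter -> importer."""
    reasons = []
    # Exporting side: its user needs write access to the importing job.
    if not has_access(acls, exporter.started_by, importer, "write"):
        reasons.append(f"{exporter.started_by} lacks write on {importer.group}")
    # Importing side: its user needs read access to the exporting job.
    if not has_access(acls, importer.started_by, exporter, "read"):
        reasons.append(f"{importer.started_by} lacks read on {exporter.group}")
    return (not reasons, reasons)

def allowed_flows(acls, jobs):
    return sorted((e.name, i.name) for e in jobs for i in jobs
                  if e is not i and check_flow(acls, e, i)[0])

def pending_until_restart(old_acls, new_acls, jobs):
    """Flows whose status differs between two ACL states. Per the page, a
    PE on either side must be restarted before such a change takes effect."""
    return sorted(set(allowed_flows(old_acls, jobs)) ^ set(allowed_flows(new_acls, jobs)))

if __name__ == "__main__":
    for pair in allowed_flows(ACLS, JOBS):
        print("permitted:", pair)
```

Comparing the ACL state before and after a revoke with pending_until_restart lists the connections that stay in their old state until one of the PEs involved is restarted.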