Job Management Partner 1/Automatic Job Management System 3 System Design (Work Tasks) Guide



6.4 Setting access permissions

When you have registered the required JP1 users, you must decide what access permissions (JP1 permission levels) to grant to these JP1 users in regard to which groups (JP1 resource groups).

Organization of this section
(1) Determining the JP1 resource groups to be defined
(2) Determining JP1 permission levels
(3) Unit owner permission

(1) Determining the JP1 resource groups to be defined

A job network element (unit) is saved and managed as a member of a number of groups. These groups are called JP1 resource groups. You can define any name you like for a JP1 resource group. For example, you can set definitions such as purchasingdep or personneldep for company departments (in this case the Purchasing Department and Personnel Department).

You need to define a JP1 resource group for a JP1 user. If you fail to do so, access control is not applied to that group. It is therefore inadvisable to operate JP1/AJS3 without specifying the JP1 users for which a JP1 resource group is defined.

Note that you can define multiple JP1 resource groups for a single JP1 user. For example, a single JP1 user can be defined both as a user who can execute and edit work tasks for the purposes of the General Affairs Department JP1 resource group, and also as a user that can only view work tasks for the purposes of the Sales Department JP1 resource group.

(2) Determining JP1 permission levels

A JP1 permission level determines the operations that can be done with respect to a work task defined with JP1/AJS3.

JP1 permission levels are set for JP1 resource groups. A JP1 permission level setting only becomes effective when a JP1 resource group is specified. For example, different JP1 resource groups can be granted different access permissions for defining and executing jobnets: one JP1 resource group could be granted JP1_AJS_Admin access permissions, while another could be granted JP1_AJS_Manager permissions. In this case, note that the JP1 permission level will not be valid when no JP1 resource group is specified or when a different JP1 resource group is specified.

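There are three types of JP1 permission level:
  • Access permissions when defining and executing jobnets
  • Access permissions for executing and working with commands in the execution environment of QUEUE jobs and submit jobs
  • Access permissions for working with agent management information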

The names of the permission levels and the operations possible with each are covered below. Refer to the details on operations given here when setting JP1 permission levels.

(a) Access permissions when defining and executing jobnets

There are the following five kinds of access permissions for defining and executing jobnets:
  • JP1_AJS_Admin
  • JP1_AJS_Manager
  • JP1_AJS_Editor
  • JP1_AJS_Operator
  • JP1_AJS_Guest

The following table lists the JP1 permission level names and details of their operation when defining and executing jobnets.

Table 6-3 JP1 permission level names and available operations when jobnets are defined and executed

| Operation details | JP1_AJS_Admin | JP1_AJS_Manager | JP1_AJS_Editor | JP1_AJS_Operator | JP1_AJS_Guest |
|---|---|---|---|---|---|
| Changing the owner, JP1 resource group name, or type of job execution user of a unit whose owner permission resides with another user | P#1 | -- | -- | -- | -- |
| Defining units | P | P | P | -- | -- |
| Changing the definition of units defined for jobnets | P | P#2 | P#2 | -- | -- |
| Changing jobnet definitions | P | P | P | -- | -- |
| Replicating and moving units, and changing their names#3 | P | P | P | -- | -- |
| Deleting units#4 | P | P | P | -- | -- |
| Outputting units to standard output files | P | P | P | P | P |
| Outputting definitions of units to standard output files | P | P | P | P | P |
| Backing up units | P | P | P | P | P |
| Recovering units | P | P | P | -- | -- |
| Defining calendar information for a job group | P | P | P | -- | -- |
| Defining a jobnet execution schedule for a specific period | P | P | P | P | P |
| Registering a defined jobnet for execution | P | P | -- | P | -- |
| Canceling the registration of a jobnet for execution | P | P | -- | P | -- |
| Registering a jobnet for release | P | P | P#5 | P#5 | -- |
| Canceling the release of a jobnet | P | P | P#5 | P#5 | -- |
| Viewing the release information for a jobnet | P | P | P | P | P |
| Outputting information such as the job execution history, current status, and next planned execution to a standard output file | P | P | P | P | P |
| Temporarily changing a schedule defined in a jobnet | P | P | -- | P | -- |
| Temporarily changing the status of a job | P | P | -- | P | -- |
| Changing the status of a job | P | P | -- | P | -- |
| Suspending the execution of a jobnet | P | P | -- | P | -- |
| Rerunning a jobnet | P | P | -- | P | -- |
| Killing a job or jobnet | P | P | -- | P | -- |
| Exporting units | P | P | P | P | P |
| Importing units | P | P | P | -- | -- |
| Exporting the execution registration status of a jobnet | P | P | P | P | P |
| Importing the execution registration status of a jobnet | P | P | -- | P | -- |

Legend:
P: Possible
--: Not possible

#1
If you are the owner of a unit, you can perform these operations even if you have not been granted JP1_AJS_Admin permission. However, even if you are the owner of a unit, if no reference permission has been assigned to the JP1 resource group set for that unit, you will not be able to change the JP1 resource group name, the owner, or the type of user who executes jobs from JP1/AJS3 - View. If you want to change the JP1 resource group name, the owner, or the type of user who executes jobs from JP1/AJS3 - View, execute the ajschange -g JP1-resource-group-name unit-name command, and change to a JP1 resource group that has been granted permission to reference JP1 resource group names.
Note that if no owner has been set for a unit, all users can change the JP1 resource group names, owner, and type of user who executes jobs. When owner user is set as the type of user who executes the unit, if a user other than those indicated at (a) and (b) below changes the unit owner to another JP1 user, the registered user will be set as the type of user who executes the unit. In this case, the type of user who executes jobs is taken to be the user who registered the jobnet for execution. This is intended to prevent jobs being executed by users other than those indicated at (a) and (b) (users with any user permission).
(a) : Users granted administrator's permissions or superuser permissions
(b) : JP1 users granted JP1_AJS_Admin permissions with respect to the JP1 resource group set for the unit

#2
When the type of user who executes the unit is owner user, JP1 users with permissions other than JP1_AJS_Admin cannot execute change operations in units except those that they own. This is intended to prevent general users that have not been granted JP1_AJS_Admin permission from executing any job they like. If the type of user who executes the unit is the registered user, anyone who obtains the JP1 permission level that permits the operation can execute a change operation.

#3
The permission is required for the parent unit of the unit to be copied, moved, or renamed. For example, when you want to move the unit /AAA/BBB/CCC, the permission must be set for the JP1 resource group of the unit /AAA/BBB. Note that you need the following permissions for a unit that you want to copy, move, or rename.
To copy a unit, the JP1_AJS_Admin, JP1_AJS_Manager, JP1_AJS_Editor, JP1_AJS_Operator, or JP1_AJS_Guest permission must be set for the JP1 resource group of the unit (including subordinate units).
To move or rename a unit, the JP1_AJS_Admin, JP1_AJS_Manager, or JP1_AJS_Editor permission must be set for the JP1 resource group of the unit.

#4
The permission is also required for the parent unit of the unit to be deleted. For example, when you want to delete the unit /AAA/BBB/CCC, the permission must be set for the JP1 resource groups of the unit /AAA/BBB/CCC (including subordinate units) and the unit /AAA/BBB.

#5
JP1_AJS_Editor and JP1_AJS_Operator permissions are both required.
This is because registering a jobnet for release and canceling the release involves changing the jobnet definition and submitting the redefined jobnet for execution.

A user who performs operations on a unit must have permission to operate the JP1 resource group set for that unit. In addition, the JP1_AJS_Admin, JP1_AJS_Manager, JP1_AJS_Editor, JP1_AJS_Operator, or JP1_AJS_Guest permission must be set for the JP1 resource groups of the upper-level units.

JP1 users mapped to OS users with administrator's permissions or superuser permissions can execute all operations regardless of their JP1 permission level. If you execute a command that affects a job network element as a user with administrator's permissions or superuser permissions, you will be able to perform all operations regardless of the user permissions of the JP1 user set in the JP1_USERNAME environment variable.

Note that if no JP1 resource group has been set for a unit, all users can perform all JP1/AJS3 operations with respect to that unit.
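
The rules above can be modeled as a small check. This is an added illustration, not JP1/AJS3 code: the operation keys, the `can_operate` function and the sample unit tree are constructed here, only four rows of Table 6-3 are encoded, and an upper-level unit with no JP1 resource group is assumed to impose no restriction.

```python
# Added illustration: simplified model of the Table 6-3 rules, not JP1/AJS3 code.
LEVELS = {"JP1_AJS_Admin", "JP1_AJS_Manager", "JP1_AJS_Editor",
          "JP1_AJS_Operator", "JP1_AJS_Guest"}

# Four rows of Table 6-3. Each operation lists alternative level sets;
# every level in one set must be held (note #5 needs Editor AND Operator).
REQUIRED = {
    "define_unit": [{"JP1_AJS_Admin"}, {"JP1_AJS_Manager"}, {"JP1_AJS_Editor"}],
    "register_for_execution": [{"JP1_AJS_Admin"}, {"JP1_AJS_Manager"},
                               {"JP1_AJS_Operator"}],
    "register_for_release": [{"JP1_AJS_Admin"}, {"JP1_AJS_Manager"},
                             {"JP1_AJS_Editor", "JP1_AJS_Operator"}],
    "back_up_unit": [{level} for level in LEVELS],
}

# Constructed sample data: unit path -> JP1 resource group (None = not set).
UNIT_GROUPS = {"/AAA": "personneldep", "/AAA/BBB": "purchasingdep",
               "/AAA/BBB/CCC": "purchasingdep", "/open": None}


def can_operate(grants, unit_path, operation, os_admin=False,
                unit_groups=UNIT_GROUPS):
    """grants maps resource group name -> set of levels held by one JP1 user."""
    if os_admin:
        return True  # mapped to an OS administrator or superuser
    group = unit_groups[unit_path]
    if group is not None:  # no resource group set: no access control applies
        held = grants.get(group, set())
        if not any(need <= held for need in REQUIRED[operation]):
            return False
    # Upper-level units: any of the five levels on their resource group.
    parts = unit_path.strip("/").split("/")
    for depth in range(1, len(parts)):
        parent_group = unit_groups.get("/" + "/".join(parts[:depth]))
        if parent_group is not None and not (grants.get(parent_group, set()) & LEVELS):
            return False
    return True


if __name__ == "__main__":
    editor = {"purchasingdep": {"JP1_AJS_Editor"},
              "personneldep": {"JP1_AJS_Guest"}}
    print(can_operate(editor, "/AAA/BBB/CCC", "define_unit"))           # True
    print(can_operate(editor, "/AAA/BBB/CCC", "register_for_release"))  # False
    print(can_operate({}, "/open", "register_for_execution"))           # True
```

The last call shows why a unit without a JP1 resource group is worth finding in a review: a user with no grants at all passes the check.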

Cautionary notes
  • Access permission for the referenced JP1/AJS3 - Manager is granted for manager job groups and manager jobnets.
  • While JP1/AJS3 - View is connected to JP1/AJS3 - Manager, access permission information is stored in a JP1/AJS3 - Manager cache. For this reason, when access permissions are changed, the change might not be applied to the connected JP1/AJS3 - View. When you change access permissions, disconnect JP1/AJS3 - View from JP1/AJS3 - Manager, change the access permissions, and then connect JP1/AJS3 - View again.

(b) Access permissions for executing and working with commands in the execution environment of QUEUE jobs and submit jobs

There are three types of access permissions for executing and working with commands in the execution environment of QUEUE jobs and submit jobs:
  • JP1_JPQ_Admin
  • JP1_JPQ_Operator
  • JP1_JPQ_User

When setting access permissions for executing and working with commands in the execution environment of QUEUE jobs and submit jobs, assign these permission levels to the JP1 resource group JP1_Queue. Note that the entry JP1_Queue is case sensitive.

The following table lists the JP1 permission level names and details of their operation for executing and working with commands used in the execution environment of QUEUE jobs and submit jobs.

Table 6-4 JP1 permission level names and available operations for executing and working with commands in the execution environment of QUEUE and submit jobs

| Operation details | JP1_JPQ_Admin | JP1_JPQ_Operator | JP1_JPQ_User |
|---|---|---|---|
| Registering submit jobs | P | P | P |
| Canceling/killing job execution | P | P | O |
| Holding job execution/releasing a job from held status | P | P | O |
| Moving a job | P | P | O |
| Outputting job information | P | P | O |
| Outputting ended job information | P | P | O |
| Deleting ended job information from the database | P | P | -- |
| Opening a queue | P | P | -- |
| Closing a queue | P | P | -- |
| Adding a queue | P | -- | -- |
| Deleting a queue | P | -- | -- |
| Outputting queue information | P | P | P |
| Changing the definition of a queue | P | -- | -- |
| Connecting a queue to an agent | P | -- | -- |
| Disconnecting a queue from an agent | P | -- | -- |
| Changing the maximum number of concurrently executable jobs | P | -- | -- |
| Adding an agent | P | -- | -- |
| Deleting an agent | P | -- | -- |
| Outputting agent host information | P | -- | -- |
| Adding an execution-locked resource | P | -- | -- |
| Deleting an execution-locked resource | P | -- | -- |
| Outputting information about an execution-locked resource | P | P | P |

Legend:
P: Possible.
O: Possible, but not for jobs executed by other users.
--: Not possible

Cautionary note
The execution and operation of commands used in the execution environment of QUEUE and submit jobs is subject to the access permissions defined for the manager that requested the processing.

(c) Access permissions for working with agent management information

There are three kinds of access permissions for working with agent management information:
  • JP1_JPQ_Admin
  • JP1_JPQ_Operator
  • JP1_JPQ_User

When setting access permissions for working with agent management information, assign these permission levels to the JP1 resource group JP1_Queue. Note that the entry JP1_Queue is case sensitive.

The following table lists the JP1 permission level names and operational details for working with agent management information.

Table 6-5 JP1 permission level names and available operations for working with agent management information

| Operation details | JP1_JPQ_Admin | JP1_JPQ_Operator | JP1_JPQ_User |
|---|---|---|---|
| Adding an execution agent | P | -- | -- |
| Adding an execution agent group | P | -- | -- |
| Deleting an execution agent | P | -- | -- |
| Deleting an execution agent group | P | -- | -- |
| Changing the execution host for an execution agent | P | -- | -- |
| Changing the number of concurrently executable jobs at an execution agent | P | -- | -- |
| Changing the description of an execution agent | P | -- | -- |
| Changing the description of an execution agent group | P | -- | -- |
| Adding an execution agent that connects to an execution agent group | P | -- | -- |
| Changing the priority of an execution agent connected to an execution agent group | P | -- | -- |
| Removing an execution agent as a connection-destination of an execution agent group | P | -- | -- |
| Changing the job transfer restriction status of an execution agent | P | P | -- |
| Changing the job transfer restriction status of an execution agent group | P | P | -- |
| Displaying the status of an execution agent# | P | P | P |
| Displaying the status of an execution agent group# | P | P | P |
| Displaying the status of all execution agents and execution agent groups# | P | P | P |
| Displaying the names of all execution agents and execution agent groups# | P | P | P |
| Outputting the definition of an execution agent# | P | P | P |
| Outputting the definition of an execution agent group# | P | P | P |
| Outputting the definition of all execution agents and execution agent groups# | P | P | P |

Legend:
P: Possible.
--: Not possible

#
Users with administrator's permissions or superuser permissions can perform all operations regardless of their JP1 permission levels.

(3) Unit owner permission

When a job or jobnet is defined, the user who defines it has the owner permission for that job or jobnet. Holding the owner permission means that you can change JP1 resource group names, the owner, and the type of user who executes jobs regardless of the JP1 permission level. You should therefore take care regarding the following points.

Cautionary notes
  • If no owner is set for a unit, all users are able to change JP1 resource group names, owners, and the type of user who executes jobs.
  • When owner user is set as the type of user who executes the unit, if a user other than those indicated at (a) and (b) below changes the unit owner to another JP1 user, the registered user will be set as the type of user who executes the unit. In this case, the type of user who executes jobs is taken to be the user that registered the jobnet for execution. This is intended to prevent jobs being executed by users other than those indicated at (a) and (b) (users with any user permission).
    (a): Users granted administrator's permissions or superuser permissions
    (b): JP1 users granted JP1_AJS_Admin permissions with respect to the JP1 resource group set for the unit
  • When job owner is set as the type of user who executes the job, if a user other than those indicated below changes the definition of the job, a permission error occurs:
    - Owner of the job
    - JP1 user mapped to an OS user granted administrator's permissions or superuser permissions
    - General users granted JP1_AJS_Admin permissions
  • If you are not granted reference permission to a JP1 resource group set for a unit even though you are the owner of that unit, you cannot change the JP1 resource group name, owner, or type of user who executes jobs from JP1/AJS3 - View. If you want to change the JP1 resource group name, owner, or type of user who executes jobs, execute the ajschange -g JP1-resource-group-name unit-name command and then change to a JP1 resource group granted the permission to reference the JP1 resource group name.
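
The owner-change safeguard in the second cautionary note, written out as a state transition. This is an added illustration, not JP1/AJS3 code: the `change_owner` function, the dictionary layout, the "owner"/"registered" strings and the user names are constructed here, and the unit is assumed to have a JP1 resource group set.

```python
# Added illustration: model of the owner-change rule, not JP1/AJS3 code.
# Constructed sample unit; exec_user is "owner" (owner user) or
# "registered" (the user who registered the jobnet for execution).
SAMPLE_UNIT = {"owner": "user_a", "group": "purchasingdep", "exec_user": "owner"}


def change_owner(unit, actor, new_owner, actor_levels=frozenset(), os_admin=False):
    """Return the unit as it would look after `actor` changes its owner.

    actor_levels: JP1 permission levels the actor holds on unit["group"].
    """
    # (a) OS administrator or superuser, or (b) JP1_AJS_Admin on the unit's group.
    privileged = os_admin or "JP1_AJS_Admin" in actor_levels
    holds_owner_permission = unit["owner"] == actor
    owner_unset = unit["owner"] is None  # no owner set: any user may change it
    if not (privileged or holds_owner_permission or owner_unset):
        raise PermissionError(f"{actor} may not change the owner of this unit")

    updated = dict(unit, owner=new_owner)
    # Safeguard: a user outside (a) and (b) cannot make jobs run as the new
    # owner; the type of user who executes the unit becomes the registered user.
    if unit["exec_user"] == "owner" and not privileged:
        updated["exec_user"] = "registered"
    return updated


if __name__ == "__main__":
    # Owner without JP1_AJS_Admin hands the unit over: exec_user is reset.
    print(change_owner(SAMPLE_UNIT, "user_a", "user_b", {"JP1_AJS_Editor"}))
    # JP1_AJS_Admin on the unit's group: exec_user stays "owner".
    print(change_owner(SAMPLE_UNIT, "user_c", "user_b", {"JP1_AJS_Admin"}))
```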


Copyright (C) 2009, 2010, Hitachi, Ltd.
Copyright (C) 2009, 2010, Hitachi Solutions, Ltd.