Job Management Partner 1/Automatic Job Management System 3 System Design (Work Tasks) Guide

6.5 Mapping users

You need to establish the correspondence between the JP1 users at the JP1/AJS3 work task manager and the OS users at the host that executes the processing.

When JP1/AJS3 executes processing, OS resources such as executable files are accessed in accordance with the permissions of the OS user that corresponds to the JP1 user. This means that you must specify the OS user corresponding to the JP1 user at the host that executes the processing. This is called user mapping and utilizes the JP1/Base user mapping function.

User mapping is also necessary when you log in from JP1/AJS3 - View. You must set the user mapping before using JP1/AJS3 - View.

Note that JP1/AJS3 event jobs (in Windows) do not rely on JP1 users at execution. They rely on the account permissions of JP1/AJS3 Service.

The figure below gives an overview of processing execution using user mapping.

Figure 6-2 Overview of processing execution using user mapping

In the figure above, the following mapping is performed on the agent host:

• jp1mngr: jobuser1
• jp1user1: jobuser2

For the OS user jobuser1, set a user with administrator's permissions or superuser permissions. These permissions are used when they are required by the program specifications; e.g. for rebooting.

For the OS user jobuser2, set permissions for the executed processing (OS user account, file access permissions, etc.) so that the processing does not end abnormally. Remember that standardizing the OS user name (job-executing user) at all agent hosts makes administration easier.

The way that the user names and user mapping used when operating jobs and jobnets are decided differs according to the command used. Cases where units (jobs and jobnets) are operated with an ajsxxxx command and JP1/AJS3 - View, where a job in the job execution environment is operated and executed with a jpqxxxx command, and agent management information is operated with commands are shown below. Approach mapping by referring to the rules described below.

Note that since commands that operate event jobs do not rely on the JP1 permissions level, they do not use a JP1 user name.

Organization of this section

(1) JP1 user names when a job network element is operated with JP1/AJS3 - View and commands

(2) JP1 user names when a job in the job execution environment is executed and operated with commands

(3) JP1 user names when agent management information is operated on with commands

(1) JP1 user names when a job network element is operated with JP1/AJS3 - View and commands

When you operate on a job network element from JP1/AJS3 - View, the JP1 user name used to check the permissions is the one used to log in to JP1/AJS3 - View. When you operate on a job network element with an ajsxxxx command, the JP1 user name is decided in accordance with the following rules:

• When the environment variable JP1_USERNAME is set
  When the environment variable JP1_USERNAME is set, the setting made for it is taken as the JP1 user name. You must ensure that the OS user name at command execution and the setting for the environment variable JP1_USERNAME are mapped by user mapping, except when the OS user when the command is executed is a member of the Administrators group or a superuser, in which case mapping is not necessary.
  The user mapping also differs depending on whether the environment variable JP1_HOSTNAME is set.
  

  When the environment variable JP1_HOSTNAME is set

  The user mapping defined at the logical host set for the environment variable JP1_HOSTNAME is used.

  When the environment variable JP1_HOSTNAME is not set

  The user mapping defined at the physical host is used.

• When the environment variable JP1_USERNAME is not set
  When the environment variable JP1_USERNAME is not set, the OS user name is taken as the JP1 user name. When a job is executed the user mapping is checked, so a JP1 user with the same name as the OS user must be registered.
  

If a JP1 resource group name is specified in the attributes of the jobs and jobnets operated, JP1/AJS3 checks with the authentication server about access permissions. If the environment variable JP1_HOSTNAME is set, the logical server defined in the logical host in the setting is used, and if the environment variable JP1_HOSTNAME is not set, the authentication server defined in the physical host is used. However, if the OS user when the command is executed is a member of the Administrators group or a superuser, the authentication server is not asked about access permissions.

Next, we explain how to remotely execute a command for operating units. For details about the commands that can be remotely executed, see 1.1 Command syntax in the manual Job Management Partner 1/Automatic Job Management System 3 Command Reference 1.

The following settings are required on the hosts that remotely execute commands:

• When environment variable JP1_USERNAME is set
  If environment variable JP1_USERNAME is set when a command is remotely executed, the value set for JP1_USERNAME is used as the JP1 user name when the command is executed on the target host. One of the OS user names on the command execution destination host and the value set for environment variable JP1_USERNAME must be mapped by user mapping on the command execution host.
  The type of user mapping to be performed differs depending on whether a logical host name or a physical host name is specified as the command execution destination host.
  

  When a logical host name is specified for the command execution destination host:

  The user mapping defined for the specified logical host is used.

  When a physical host name is specified for the command execution destination host:

  The user mapping defined for the specified physical host is used.

• When environment variable JP1_USERNAME is not set
  If environment variable JP1_USERNAME is not set, JP1/AJS3 treats the OS user name of the command execution source host as the JP1 user name.
  

If a JP1 resource group name is specified in the attributes of the job or jobnet to be operated, JP1/AJS3 checks with the authentication server about access permissions. If you specify a logical host name for the command execution destination host, the authentication server defined in the logical host is used. If you specify a physical host name for the command execution destination host, the authentication server defined in the physical host is used. Set the JP1 permission level required for using the command. However, if the mapped primary user is a member of the Administrators group or a superuser, the authentication server is not asked about access permissions.

(2) JP1 user names when a job in the job execution environment is executed and operated with commands

When you use a jpqxxxx command to perform operations on a job in the job execution environment, or you perform operations on the job execution environment itself, the permissions are checked based on the JP1 user name with the same name as the OS user who executes the command.

You should therefore register the OS user that executes the command as the JP1 user. Then, map the registered JP1 user and OS user. Note that regardless of the setting of the environment variable JP1_USERNAME, you must register the OS user that executes the command as the JP1 user and set the user mapping.

Before executing a job, and this includes cases where you start the job from JP1/AJS3 - View, you also have to register the OS user that executes the job as a JP1 user in the authentication server.

For details on how to register JP1 users and how to set JP1 permissions levels, see 3.1.1 Setting up JP1/Base in the Job Management Partner 1/Automatic Job Management System 3 Configuration Guide 1 (for Windows hosts) or see 12.1.1 Setting up JP1/Base in the Job Management Partner 1/Automatic Job Management System 3 Configuration Guide 1 (for UNIX hosts).

In addition, for details on the permission levels required to use the various commands, see 1.5 Commands in the manual Job Management Partner 1/Automatic Job Management System 3 Command Reference 1.

(3) JP1 user names when agent management information is operated on with commands

When you use a command to perform operations on agent management information, the JP1 user name is decided in accordance with the following rules:

• When the environment variable JP1_USERNAME is set
  The user name set in the environment variable JP1_USERNAME is used as the JP1 user name. Note that you must ensure that the user name set in the environment variable JP1_USERNAME and the OS user at command execution are mapped in the JP1/Base user mapping definition. User mapping is unnecessary if the OS user at command execution is a member of the Administrators group or a superuser.
  The user mapping also differs depending on whether the environment variable JP1_HOSTNAME is set.
  

  If the environment variable JP1_HOSTNAME is set

  The user mapping defined on the logical host set for the environment variable JP1_HOSTNAME is used.

  If the environment variable JP1_HOSTNAME is not set

  The user mapping defined on the physical host is used.

• When the environment variable JP1_USERNAME is not set
  Because the OS user name is used as the JP1 user name, a JP1 user with the same name as the OS user must be registered.
  

When you attempt to perform an operation on agent management information, JP1/AJS3 queries the authentication server about access permissions. If you specify a logical host as the target host for the agent management information, the authentication server defined on the logical host is used. If you specify a physical host as the target host, the authentication server defined on the physical host is used. Note, however, that when you use the ajsagtshow and ajsagtprint commands as a member of the Administrators group or a superuser, user mapping is unnecessary and the authentication server is not queried about access permissions.

[Contents][Back][Next]

Copyright (C) 2009, 2010, Hitachi, Ltd.
Copyright (C) 2009, 2010, Hitachi Solutions, Ltd.