Job Management Partner 1/Automatic Job Management System 3 Overview
In JP1/AJS3, you can use the JP1/Base user authentication function to manage the login authentication and operational permission of users.
The JP1/Base user authentication function manages the login authentication of users from JP1/AJS3 - View or other JP1 series programs (such as JP1/IM), and controls the operational permission levels of users who are logged in. The JP1/Base that manages login authentication and controls the operational permission levels of users who are logged in is called the authentication server. You register the users who use JP1/AJS3 in this authentication server as JP1 users, and then set operational permission for the units for each of these JP1 users. For copies of JP1/Base installed on a different server from the authentication server, you must define the host that is used as the authentication server. When a user attempts to log in to another host using JP1/AJS3 - View, the ability of the user to log in and the access permission available to the user are determined by the JP1 user information registered in the authentication server. An example of user authentication is shown below.
Figure 8-1 Example of user authentication
In this example, HostA is defined as the authentication server. In HostB and HostC, HostA is specified as the authentication server. Hence HostA, HostB and HostC function as a single authentication bloc. A user called jp1user1 is registered as a JP1 user in the authentication server of HostA. In the case shown, the JP1 user called jp1user1 and another JP1 user called jp1user2 attempt to log in to HostB. HostA, which functions as the authentication server for HostB, determines whether each user has login permission based on the registered JP1 user information. In the example shown, jp1user2 is not registered in the authentication server, and so login permission is denied.
(1) Registering JP1 users
Users who use JP1/AJS3 and other JP1 series programs are called JP1 users. You register JP1 users in the authentication server. To register a JP1 user, you specify a JP1 user name and a password to be used by the JP1 user at login.
JP1 users registered in this manner are able to use not only JP1/AJS3, but also other JP1 series programs (such as JP1/IM).
(2) Setting access permission
Operational access to units within JP1/AJS3 is called access permission. You can set access permission for each JP1 user.
You set access permission by setting the operational permission, known as the JP1 permission level, for a series of groups known as JP1 resource groups.
There are three different types of JP1 permission level:
- Access permission for defining and executing jobnets
- Access permission for executing and operating jobs
- Access permission for agent management information
An explanation of each type of JP1 permission level is given below.
- Access permission for defining and executing jobnets
  - JP1_AJS_Admin
    Administrator's permission. This permission level allows you to alter unit owners and the operational permission levels for resource groups. You can also define, execute and edit jobnets.
  - JP1_AJS_Manager
    This permission level allows you to define, execute and edit jobnets.
  - JP1_AJS_Editor
    This permission level allows you to define and edit jobnets.
  - JP1_AJS_Operator
    This permission level allows you to execute and reference jobnets.
  - JP1_AJS_Guest
    This permission level allows you to reference jobnets.
- Access permission for executing and operating jobs
  - JP1_JPQ_Admin
    Administrator's permission. This permission level allows you to set job execution environments, operate queues and agents that execute jobs, and operate jobs that have been queued by other users.
  - JP1_JPQ_Operator
    This permission level allows you to operate queues and agents that execute jobs, and operate jobs that have been queued by other users.
  - JP1_JPQ_User
    This permission level allows you to register submitted jobs, and operate jobs that you have queued.
- Access permission for agent management information
  - JP1_JPQ_Admin
    Administrator's permission. This permission level allows you to add, change, and delete the definitions of execution agents and execution agent groups.
  - JP1_JPQ_Operator
    This permission level allows you to change the job transfer restriction status for execution agents and execution agent groups.
  - JP1_JPQ_User
    This permission level allows you to view the status and definitions of execution agents and execution agent groups.
For details about each JP1 permission level, see 6.4(2) Determining JP1 permission levels in the Job Management Partner 1/Automatic Job Management System 3 System Design (Work Tasks) Guide.
A JP1 user mapped to an OS user who is a member of the Administrators group (Windows) or a superuser (UNIX) can perform all operations that require JP1_AJS permissions (not JP1_JPQ permissions) regardless of the granted JP1 permissions. For details on the mapping of OS users, see 8.1.2 User management using the user mapping function of JP1/Base.
A JP1 resource group is set for each unit within JP1/AJS3 as a way of controlling access to each unit by JP1 users.
For example, assume that a JP1 resource group called keiri has been set for a unit called jobnet A. Furthermore, assume that in the authentication server, the JP1 user called jp1user1 has a JP1 permission level set to JP1_AJS_Operator for the resource group keiri, and a JP1 permission level set to JP1_AJS_Editor for the resource group called eigyo. In this case, the JP1 user called jp1user1 can perform operations on the jobnet A at the permission level of JP1_AJS_Operator set for the resource group keiri. In other words, jp1user1 can register the jobnet A for execution, cancel a registration of the jobnet A for execution, change the schedule, or change the status of a job. However, jp1user1 cannot change the definition of the jobnet A, nor delete the jobnet.
In contrast, if the JP1 resource group eigyo were set for the jobnet A, jp1user1 could change the definition of the jobnet A or delete the jobnet, but could not register the jobnet A for execution, cancel a registration of the jobnet A for execution, nor change the status of a schedule or a job. If the JP1 resource group called jinji were set for the jobnet A, the user jp1user1 would have no permission in relation to the jobnet A, and would therefore be unable to access the jobnet.
However, if jp1user1 logged on as a member of the Administrators group (in the case of a Windows user) or had superuser privileges (in the case of a UNIX user), then jp1user1 could perform operations regardless of the JP1 permission level of the JP1 resource group.
In this manner, controlling the access of JP1 users to each of the units within JP1/AJS3 is achieved by setting a resource group for each JP1/AJS3 unit. If you have not set a JP1 resource group for a unit then you cannot achieve access control using JP1 user permission levels.
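The following Python sketch is an added illustration, not Hitachi code or a JP1/Base file format. It models the JP1_AJS access decision described above and audits for the two conditions under which permission levels do not restrict access. The operation labels, the data layout, the unit names other than jobnet A, the user jp1admin, and the treatment of a unit without a resource group as unrestricted are assumptions made for the example.

```python
# Added illustration: operation labels and data layout are assumptions.
AJS_LEVELS = {
    "JP1_AJS_Admin": {"manage_permissions", "define", "execute", "edit"},
    "JP1_AJS_Manager": {"define", "execute", "edit"},
    "JP1_AJS_Editor": {"define", "edit"},
    "JP1_AJS_Operator": {"execute", "reference"},
    "JP1_AJS_Guest": {"reference"},
}
ALL_OPS = set().union(*AJS_LEVELS.values())

# Constructed sample data following the keiri / eigyo / jinji example.
GRANTS = {  # JP1 user -> {resource group: JP1 permission level}
    "jp1user1": {"keiri": "JP1_AJS_Operator", "eigyo": "JP1_AJS_Editor"},
    "jp1admin": {"keiri": "JP1_AJS_Guest"},
}
UNITS = {"jobnet A": "keiri", "jobnet B": "eigyo",
         "jobnet C": "jinji", "jobnet D": None}  # None: no resource group set
OS_ADMINS = {"jp1admin"}  # JP1 users mapped to Administrators / superuser

def allowed_ops(user, unit, grants=GRANTS, units=UNITS, os_admins=OS_ADMINS):
    """Return (operations, reason) for a JP1 user on a unit."""
    if user not in grants:
        return set(), "not registered in the authentication server"
    if user in os_admins:
        return set(ALL_OPS), "mapped OS user bypasses JP1_AJS levels"
    group = units[unit]
    if group is None:
        # Assumption: no resource group means levels impose no restriction.
        return set(ALL_OPS), "unit has no JP1 resource group"
    level = grants[user].get(group)
    if level is None:
        return set(), f"no permission level for resource group {group}"
    return set(AJS_LEVELS[level]), f"{level} on {group}"

def audit(grants=GRANTS, units=UNITS, os_admins=OS_ADMINS):
    """List configurations where JP1 permission levels are not enforced."""
    findings = [f"unit '{u}': no resource group set"
                for u, g in sorted(units.items()) if g is None]
    findings += [f"user '{u}': OS mapping overrides JP1_AJS grants {grants[u]}"
                 for u in sorted(os_admins) if u in grants]
    return findings

if __name__ == "__main__":
    for unit in UNITS:
        print(unit, *allowed_ops("jp1user1", unit))
    print(*audit(), sep="\n")
```
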
Copyright (C) 2009, 2010, Hitachi, Ltd.
Copyright (C) 2009, 2010, Hitachi Solutions, Ltd.