5.4.4 Checking file access permission at job execution (Unix jobs)
For Unix jobs, you can specify the scope of the file access permission check performed when a job is executed. You can choose to check the file permissions only, or the access control list (ACL) and secondary group settings as well.
An access permission check is performed on the following files:
-
Script file
-
Environment variable file
-
Standard input file
-
Standard output file
-
Standard error output file
-
Transfer destination file
You can set any of the following three methods of checking access permissions:
-
Check only the file permission setting for the file in question.
-
For a script file, check the ACL and secondary group settings in addition to the file permission. For all other types of files, check the file permission only.
-
For all files, check the file permission and the ACL and secondary group settings.
The default method is to check file permissions only.
The check method is set separately for each agent host. For details on the setting procedure, see 15.2.18 Enabling the file access permission check for the ACL and secondary group settings during job execution in the Job Management Partner 1/Automatic Job Management System 3 Configuration Guide 1.
The following table describes the relationships between the type of user accessing the file, the file category, and the check method when the ACL and secondary group settings are checked in addition to the file permission settings.
User category |
File category |
|||
---|---|---|---|---|
Files provided by JP1/AJS3#1 |
User files#2 |
|||
No ACL |
With ACL |
|||
Superuser |
No check needed |
No check needed |
No check needed |
|
Others |
No secondary groups |
File permission |
File permission |
ACL |
With secondary groups |
File permission |
File permission and secondary groups |
ACL and secondary groups |
- Legend:
-
ACL: Access control list
- #1
-
Files and directories provided by JP1/AJS3 products.
- #2
-
Files and directories for user resources, specified by the user when executing a job or command.
- Cautionary notes
-
-
Access permissions to files and directories provided by JP1/AJS3 products are not checked.
-
If the agent host is running JP1/AJS version 08-10 or earlier, only the file access permissions are checked. The ACL and secondary group settings are not checked.
-
If you change the file access permission check method, jobs that were executable under the previous check method might fail to start. When setting the check method, consider whether the file permission settings differ from those in the ACL and secondary group settings, and make sure that the check will not impact on job startup.
-