Hitachi

Job Management Partner 1 Version 10 Job Management Partner 1/Automatic Job Management System 3 Overview


8.1.1 User management using the JP1/Base user authentication function

In JP1/AJS3, you can use the JP1/Base user authentication function to manage the login authentication and operational permission of users.

The JP1/Base user authentication function manages the login authentication of users from JP1/AJS3 - View or other JP1 series programs (such as JP1/IM), and controls the operational permission levels of users who are logged in. The JP1/Base that manages login authentication and controls the operational permission levels of logged-in users is called the authentication server.

You register the users who use JP1/AJS3 in this authentication server as JP1 users, and then set operational permission for the units for each of these JP1 users. For copies of JP1/Base installed on a different server from the authentication server, you must define the host that is used as the authentication server.

When a user attempts to log in to another host using JP1/AJS3 - View, whether the user can log in and which access permissions are available to the user are determined by the JP1 user information registered in the authentication server. An example of user authentication is shown below.

Figure 8‒1: Example of user authentication

[Figure]

In this example, HostA is defined as the authentication server. In HostB and HostC, HostA is specified as the authentication server. Hence HostA, HostB and HostC function as a single authentication bloc. A user called jp1user1 is registered as a JP1 user in the authentication server of HostA. In the case shown, the JP1 user called jp1user1 and another JP1 user called jp1user2 attempt to log in to HostB. HostA, which functions as the authentication server for HostB, determines whether each user has login permission based on the registered JP1 user information. In the example shown, jp1user2 is not registered in the authentication server, and so login permission is denied.

(1) Registering JP1 users

Users who use JP1/AJS3 and other JP1 series programs are called JP1 users. You register JP1 users in the authentication server. To register a JP1 user, you specify a JP1 user name and a password to be used by the JP1 user at login.

JP1 users registered in this manner are able to use not only JP1/AJS3, but also other JP1 series programs (such as JP1/IM).

(2) Setting access permission

Operational access to units within JP1/AJS3 is called access permission. You can set access permission for each JP1 user.

You set access permission by setting the operational permission, known as the JP1 permission level, for a series of groups known as JP1 resource groups.

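There are three different types of JP1 permission level:

  • Access permission for defining and executing jobnets

  • Access permission for executing and operating jobs

  • Access permission for agent management information

An explanation of each type of JP1 permission level is given below.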

Access permission for defining and executing jobnets
  • JP1_AJS_Admin

    Administrator's permission. This permission level allows you to alter unit owners and the operational permission levels for resource groups. You can also define, execute and edit jobnets.

  • JP1_AJS_Manager

    This permission level allows you to define, execute and edit jobnets.

  • JP1_AJS_Editor

    This permission level allows you to define and edit jobnets.

  • JP1_AJS_Operator

    This permission level allows you to execute and reference jobnets.

  • JP1_AJS_Guest

    This permission level allows you to reference jobnets.

Access permission for executing and operating jobs
  • JP1_JPQ_Admin

    Administrator's permission. This permission level allows you to set job execution environments, operate queues and agents that execute jobs, and operate jobs that have been queued by other users.

  • JP1_JPQ_Operator

    This permission level allows you to operate queues and agents that execute jobs, and operate jobs that have been queued by other users.

  • JP1_JPQ_User

    This permission level allows you to register submit jobs, and operate jobs that you have queued.

Access permission for agent management information
  • JP1_JPQ_Admin

    Administrator's permission. This permission level allows you to add, change, and delete the definitions of execution agents and execution agent groups.

  • JP1_JPQ_Operator

    This permission level allows you to change the job transfer restriction status for execution agents and execution agent groups.

  • JP1_JPQ_User

    This permission level allows you to view the status and definitions of execution agents and execution agent groups.

For details about each JP1 permission level, see 6.4.1(2) Determining JP1 permission levels in the Job Management Partner 1/Automatic Job Management System 3 System Design (Work Tasks) Guide.

Supplementary note

If the OS user mapped to a JP1 user is a member of the Administrators group or a superuser, the OS user has the following access permissions for units:

  • JP1_AJS_XXX access permissions (for defining and executing jobnets)

    All operations can be performed regardless of the JP1 permission level.

  • JP1_JPQ_XXX access permissions (for executing and operating jobs, and for accessing agent management information)

    Only operations permitted by the JP1 permission level set for the mapped JP1 user can be performed.

However, if yes is explicitly specified for the ADMACLIMIT environment setting parameter, only operations permitted by the JP1 permission level set for the mapped JP1 user can be performed, regardless of the type of access. For details about this parameter, see 2.9.2(4) ADMACLIMIT in the Job Management Partner 1/Automatic Job Management System 3 Configuration Guide 2.

A JP1 resource group is set for each unit within JP1/AJS3 as a way of controlling access to each unit by JP1 users.

For example, assume that a JP1 resource group called Accounting has been set for a unit called jobnet A. Furthermore, assume that in the authentication server, the JP1 user called jp1user1 has a JP1 permission level set to JP1_AJS_Operator for the resource group Accounting, and a JP1 permission level set to JP1_AJS_Editor for the resource group called Sales.

In this case, the JP1 user called jp1user1 can perform operations on the jobnet A at the permission level of JP1_AJS_Operator set for the resource group Accounting. In other words, jp1user1 can register the jobnet A for execution, cancel a registration of the jobnet A for execution, change the schedule, or change the status of a job. However, jp1user1 cannot change the definition of the jobnet A, nor delete the jobnet.

In contrast, if the JP1 resource group Sales were set for the jobnet A, jp1user1 could change the definition of the jobnet A or delete the jobnet, but could not register the jobnet A for execution, cancel a registration of the jobnet A for execution, nor change the status of a schedule or a job.

If the JP1 resource group called Personnel were set for the jobnet A, the user jp1user1 would have no permission in relation to the jobnet A, and would therefore be unable to access the jobnet. However, if the user jp1user1 is a member of the Administrators group (in Windows) or a superuser (in UNIX), the JP1 permission level of the JP1 resource group applies to the user.

In this manner, controlling the access of JP1 users to each of the units within JP1/AJS3 is achieved by setting a resource group for each JP1/AJS3 unit. If you have not set a JP1 resource group for a unit then you cannot achieve access control using JP1 user permission levels.
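The following Python model is an added example, not code from JP1/Base or from this manual. It works through the jobnet A example for the JP1_AJS_XXX levels and applies the OS-administrator rule as stated in the Supplementary note, including ADMACLIMIT. The function names, the operation labels, the treatment of a unit with no resource group as unrestricted, and the sample data are assumptions made for illustration.

```python
# Added illustration: a model of the access decision described on this page.
# Operation sets are copied from this page's summaries of the JP1_AJS_* levels.
AJS_LEVEL_OPS = {
    "JP1_AJS_Admin": {"alter_owner", "alter_permission", "define", "execute", "edit"},
    "JP1_AJS_Manager": {"define", "execute", "edit"},
    "JP1_AJS_Editor": {"define", "edit"},
    "JP1_AJS_Operator": {"execute", "reference"},
    "JP1_AJS_Guest": {"reference"},
}

# Constructed sample data matching the jobnet A example in the text.
GRANTS = {"jp1user1": {"Accounting": "JP1_AJS_Operator", "Sales": "JP1_AJS_Editor"}}


def ajs_allowed(user, resource_group, operation, os_admin=False, admaclimit="no"):
    """Return True if `user` may perform `operation` on a unit in `resource_group`.

    `admaclimit` defaults to "no" here (assumption: the page only says that
    "yes" must be specified explicitly).
    """
    if resource_group is None:
        # No resource group on the unit: JP1 permission levels cannot restrict
        # access (assumption: modelled here as "allowed").
        return True
    if os_admin and admaclimit != "yes":
        # Supplementary note: the mapped OS user is in Administrators or is a
        # superuser, so all JP1_AJS_XXX operations are possible.
        return True
    level = GRANTS.get(user, {}).get(resource_group)
    return operation in AJS_LEVEL_OPS.get(level, set())


def audit(units, os_admin_users, admaclimit="no"):
    """Report units without a resource group and admin-mapped users that bypass levels."""
    findings = [f"unit {name}: no JP1 resource group"
                for name, group in units.items() if group is None]
    if admaclimit != "yes":
        findings += [f"user {user}: OS admin mapping bypasses JP1_AJS levels"
                     for user in sorted(os_admin_users)]
    return findings
```

Running audit over an export of unit definitions and user mappings gives a quick list of the places where the permission levels set in the authentication server are not the effective control.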