2.3 Functions for managing operation targets
JP1/AO provides the following functions to manage operation targets:
Managing groups
You can use user groups and service groups to restrict (for each user group) the range of services that can be run and the range of tasks that can be referenced.
Managing connection destinations
In JP1/AO, a host that is the operation target of a service is called a connection destination. For each service group, you can restrict which connection destinations services can target, and you can centrally manage authentication information for connection-destination hosts to reduce workload during operation.
Note that a host that is operated by a command executed on a connection destination is not itself treated as a connection destination.
Detailed access control according to operations and jobs - managing groups
By allocating service groups to user groups, you can restrict the services and tasks that each user can reference. When you do so, you can also specify permissions (roles) to restrict the available service operations (such as managing and running services) for each user group.
The following figure shows an example of access control using service groups and user groups.
In this example, users A, B, and C, who belong to user group 1, can use the services in service group 1. Users C, D, and E, who belong to user group 2, can use the services in service groups 2 and 3. User F, who belongs to the built-in user group, can access all services in JP1/AO because All Service Groups (a built-in service group) is assigned to that group.
Therefore, users A and B, who belong only to user group 1, cannot reference the services of service groups 2, 3, and 4.
Thus, using group management enables you to efficiently control accessible services so that they match the usage goals of users.
For example, if IT operations running at a data center are divided among multiple tenants, you can classify the services used by the individual tenants by service group and restrict the services that can be run by each user group. This allows you to prevent services of another tenant from being run by mistake, and to restrict the range of tasks that can be referenced by each tenant.
Agentless operations that reduce the management load - managing connection destinations
The function for managing the connection destination information (including service group names and host names) and the authentication information (including the user ID, password, and protocol that are used to log in to the host at the connection destination) for each connection destination is called the connection destinations management function.
If you register the connection destination information in JP1/AO, you can control access to the connection-destination hosts for each service group when running services. If you also register the authentication information, you no longer need to enter it each time a service is run, because JP1/AO can manage information (such as passwords) shared among multiple services. You can also specify the protocol and authentication method for each host to be connected.
In this figure, an administrator user with the Admin role uses window operations to register connection destination information and authentication information, and then a service execution user with the Submit role for service group R runs the services. In this case, the service execution user can connect only to host1, whose connection destination information has been registered, and cannot connect to any other host. Thus, by restricting the connection-destination hosts for each service group, you can prevent services for another connection-destination host from being run by mistake.
Because the authentication information for host1 has been registered in JP1/AO, the user does not need to enter a user ID or password when running a service.
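The two examples above (user groups mapped to service groups, and service group R limited to host1) can be checked with a small access model. This is an added illustration, not JP1/AO code or a JP1/AO API. The short names (ug1, sg1, and so on), the user group "ugR" and the user "G" are constructed stand-ins, and expanding All Service Groups to every service group is this model's reading of "can access all services".

```python
# Added illustration: a model of the manual's two examples, not a JP1/AO API.
ALL = "All Service Groups"  # built-in service group named in the text
SERVICE_GROUPS = {"sg1", "sg2", "sg3", "sg4", "R"}

# User group -> members. "ugR" and user "G" are constructed stand-ins for the
# service execution user of the second example.
MEMBERS = {"ug1": {"A", "B", "C"}, "ug2": {"C", "D", "E"},
           "built-in": {"F"}, "ugR": {"G"}}
# User group -> assigned service groups, as described in the first example.
ASSIGNED = {"ug1": {"sg1"}, "ug2": {"sg2", "sg3"},
            "built-in": {ALL}, "ugR": {"R"}}
# Service group -> registered connection destinations (second example).
DESTINATIONS = {"R": {"host1"}}


def effective_service_groups(user):
    """Union of the service groups reachable through every user group of `user`."""
    reachable = set()
    for group, members in MEMBERS.items():
        if user in members:
            assigned = ASSIGNED.get(group, set())
            reachable |= SERVICE_GROUPS if ALL in assigned else assigned
    return reachable


def can_connect(user, service_group, host):
    """Deny by default: the user needs the service group AND a registered host."""
    return (service_group in effective_service_groups(user)
            and host in DESTINATIONS.get(service_group, set()))


def multi_group_users():
    """Users in more than one user group; their access is a union to review."""
    seen = {}
    for group, members in MEMBERS.items():
        for user in members:
            seen.setdefault(user, set()).add(group)
    return {u: g for u, g in seen.items() if len(g) > 1}


if __name__ == "__main__":
    for user in "ABCDEFG":
        print(user, sorted(effective_service_groups(user)))
    print("in several user groups:", multi_group_users())
```

The audit function reports user C, whose effective access is the union of service groups 1, 2 and 3. Such a union is worth reviewing when service groups are used to separate tenants.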