5.4.1 User account for job execution
In JP1/AJS3, jobs are executed under the OS user account of the agent host. To use this account, user mapping must be defined on the agent host where the job is to be executed. When a job is executed, the JP1 user who registered the jobnet for execution is converted to the OS user according to the user mapping definitions. The job is then executed under the OS user's permissions. The resources referenced or updated by the job process are dependent on the OS security control.
The user account is referenced each time a job is executed. Any changes to the mapping definitions affect jobs executed after the changes are made.
In the Windows version of JP1/AJS3, when a job is executed under a user account other than the account from which the JP1/AJS3 service was started, JP1/AJS3 acquires the user information needed to start the job process. To acquire information about a user, an access token is required. The access token contains user information such as the security groups to which the user belongs and the user's access permissions.
Using Win32 API functions, JP1/AJS3 obtains an access token each time it starts a job (with the exception of queueless jobs), and releases the access token when the job completes execution. When an error occurs in one of these functions, the job is placed in Failed to start status if the access token could not be acquired, or in Ended abnormally status if the access token could not be released.
You can keep and reuse the information contained in an access token if the domain name, user name, and password remain the same.
By reusing access tokens, you can minimize the number of times tokens are acquired and released, thus avoiding the temporary errors caused by the Win32 API functions. This results in fewer jobs ending abnormally. For details, see 6.2.17 Reusing access tokens for job execution in the JP1/Automatic Job Management System 3 Configuration Guide.