Hitachi

JP1 Version 12 JP1/Automatic Job Management System 3 System Design (Work Tasks) Guide


6.2 Ranges for setting access permissions

JP1/AJS3 manages access permissions, such as the permission to execute processing and the permission to change processing details, based on the unique user names of the JP1 users.

Use the user authentication functionality provided by JP1/Base to register and manage the JP1 users. For the purposes of the user authentication functionality, a JP1/Base host that manages the access permissions of the JP1 users is called an authentication server. Once you have chosen which JP1/Base host on the network is to be the authentication server, you can decide the range of hosts whose access permissions that authentication server manages (the user authentication bloc). You must set user authentication blocs when you introduce JP1/AJS3.

Consult the following table when considering how to set user authentication blocs.

Table 6‒1: Number of authentication blocs and merits/demerits

| Number of authentication blocs | Merits and demerits |
| --- | --- |
| Only one user authentication bloc is set in the system | The system administrator can manage all the JP1 users centrally, and not much time and effort are taken up with registration and changes. |
| Multiple authentication blocs are set in the system | The system administrator has to manage a number of JP1 users equivalent to the number of authentication blocs set. Some time and effort is expended managing JP1 user registration, changes, and so on, and login authentications are conducted at each of the authentication servers. However, since the individual authentication servers are independent, the resilience of the system as a whole is good. |

You can set two authentication servers within a single user authentication bloc. The authentication server in normal use is called the primary authentication server, while another that serves as a backup and is used in the event of trouble is called the secondary authentication server. If you set only one authentication server in a user authentication bloc, there is a risk: if the authentication server cannot be contacted for any reason (for example, because the authentication server will not start or a communication fault has occurred), jobs and remote commands cannot be executed, and work tasks will stop.

If you set two authentication servers, even if trouble occurs at the one used under normal circumstances (the primary authentication server), you can still execute jobs and remote commands at the backup authentication server (secondary authentication server). Even if there is only one authentication bloc in the system, setting two authentication servers will increase the resilience of the system. Use two authentication servers if you consider it necessary.

If you set primary and secondary authentication servers, make the settings identical on both by copying the JP1 users, JP1 resource group, and other information from the primary authentication server to the secondary authentication server. If the settings are not the same, an authentication error will occur when you switch servers.

For details on the settings at the primary and secondary authentication servers, see the JP1/Base User's Guide.
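One way to check that the two servers have not drifted apart, as an added example that is not part of the Hitachi manual or of JP1/Base: it compares user-to-resource-group permission mappings exported from each server. The `user:group=perm,perm` line format, the function names, and the sample exports are assumptions constructed for illustration; adapt the parser to whatever your JP1/Base export actually produces.

```python
# Added example: detect drift between primary and secondary authentication servers.
# The "user:group=perm,perm[:group=perm]" line format is an assumption for illustration.

def parse_export(text):
    """Return {(user, resource_group): frozenset(permissions)} from an export."""
    mapping = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):   # skip blanks and comment lines
            continue
        user, *grants = line.split(":")
        for grant in grants:
            group, _, perms = grant.partition("=")
            names = frozenset(p.strip() for p in perms.split(",") if p.strip())
            mapping[(user.strip(), group.strip())] = names
    return mapping

def diff_servers(primary_text, secondary_text):
    """List differences between the two servers' permission mappings."""
    primary, secondary = parse_export(primary_text), parse_export(secondary_text)
    findings = []
    for key in sorted(primary.keys() | secondary.keys()):
        user, group = key
        if key not in secondary:
            findings.append(f"missing on secondary: {user} / {group}")
        elif key not in primary:
            findings.append(f"only on secondary: {user} / {group}")
        elif primary[key] != secondary[key]:
            delta = sorted(primary[key] ^ secondary[key])
            findings.append(f"permission mismatch: {user} / {group}: {', '.join(delta)}")
    return findings

# Constructed sample exports (not real data).
PRIMARY = """\
; primary authentication server
jp1admin:*=JP1_AJS_Admin
opuser:prod=JP1_AJS_Operator,JP1_AJS_Guest
batch01:prod=JP1_AJS_Editor
"""
SECONDARY = """\
; secondary authentication server
jp1admin:*=JP1_AJS_Admin
opuser:prod=JP1_AJS_Guest
tempuser:prod=JP1_AJS_Admin
"""

if __name__ == "__main__":
    for finding in diff_servers(PRIMARY, SECONDARY):
        print(finding)
```

Entries reported as "only on secondary" deserve the same attention as missing ones: an account or permission removed on the primary but left on the secondary becomes effective again when authentication switches servers.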

For details on how to specify the authentication server when primary and secondary authentication servers are set, consult the following references.