6.5.1 Considerations when mapping users
When you execute a job in JP1/AJS3, the manager host forwards it to an agent host. The forwarded job is executed under the account of the OS user associated with the execution user of the job. This is called user mapping and utilizes the JP1/Base user mapping function.
User mapping is also necessary when you log in from JP1/AJS3 - View. You must set the user mapping before using JP1/AJS3 - View.
The figure below gives an overview of processing execution using user mapping.
[Figure: overview of processing execution using user mapping]
In the figure above, the following mapping is performed on the agent host:
- jp1mngr: jobuser1
- jp1user1: jobuser2
For the OS user jobuser1, set a user with administrator's permissions or superuser permissions. These permissions are used when they are required by the program specifications; e.g. for rebooting.
For the OS user jobuser2, set permissions for the executed processing (OS user account, file access permissions, etc.) so that the processing does not end abnormally. Remember that standardizing the OS user name (job-executing user) at all agent hosts makes administration easier.
How the user name and the user mapping used when operating jobs and jobnets are determined differs according to the command used. The cases below cover units (jobs and jobnets) operated with an ajsxxxx command or from JP1/AJS3 - View, jobs in the job execution environment operated and executed with a jpqxxxx command, and agent management information operated with commands. Set up user mapping by referring to the rules described below.
Note that since commands that operate event jobs do not rely on the JP1 permissions level, they do not use a JP1 user name.
(1) JP1 user names when a job network element is operated with JP1/AJS3 - View and commands
When you operate on a job network element from JP1/AJS3 - View, the JP1 user name used to check the permissions is the one used to log in to JP1/AJS3 - View.
When you operate on a job network element with an ajsxxxx command, the JP1 user name is decided in accordance with the following rules:
- When the environment variable JP1_USERNAME is set
  The value set for JP1_USERNAME is taken as the JP1 user name. The OS user name at command execution and the value of JP1_USERNAME must be mapped to each other by user mapping, unless the OS user executing the command has administrator privileges or superuser privileges, in which case mapping is not necessary.
  Which user mapping is used also depends on whether the environment variable JP1_HOSTNAME is set:
  - When the environment variable JP1_HOSTNAME is set: the user mapping defined at the logical host set for JP1_HOSTNAME is used.
  - When the environment variable JP1_HOSTNAME is not set: the user mapping defined at the physical host is used.
- When the environment variable JP1_USERNAME is not set
  The OS user name is taken as the JP1 user name. Because the user mapping is checked when a job is executed, a JP1 user with the same name as the OS user must be registered.
If a JP1 resource group name is specified in the attributes of the jobs and jobnets operated on, JP1/AJS3 checks access permissions with the authentication server. If the environment variable JP1_HOSTNAME is set, the authentication server defined in the logical host set for JP1_HOSTNAME is used; if it is not set, the authentication server defined in the physical host is used. However, if the OS user executing the command has administrator privileges or superuser privileges, the authentication server is not asked about access permissions.
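The rules above for a locally executed ajsxxxx command combine three inputs (JP1_USERNAME, JP1_HOSTNAME, and whether the OS user is privileged) into a JP1 user name, a choice of user mapping definition, and a decision on whether the authentication server is queried. The following is an added Python model of that decision, written for this section; it is not JP1/AJS3 or JP1/Base code. All host names, user names, and the shape of the `HostDefinition` data are constructed assumptions for illustration; the same rules apply to the agent management commands in (3), so the model covers that case as well.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, Optional, Tuple


@dataclass(frozen=True)
class HostDefinition:
    """Definitions held by one host (physical or logical) in this model (assumed shape)."""
    auth_server: str                           # authentication server defined on the host
    registered_jp1_users: FrozenSet[str]       # JP1 users registered there
    user_mapping: Dict[str, Tuple[str, ...]]   # JP1 user name -> mapped OS user names


@dataclass(frozen=True)
class Resolution:
    jp1_user: str
    mapping_host: str            # host whose user mapping definition applies
    mapping_required: bool       # False when the privileged-OS-user exemption applies
    mapping_ok: bool             # True if not required, or the definition satisfies the rule
    auth_server: Optional[str]   # server queried for the resource group, None if not queried


def resolve_local_command(os_user, os_user_is_privileged, env, physical, logical_hosts,
                          resource_group=None):
    """Apply the section (1) rules to an ajsxxxx command executed on the local host."""
    # JP1_HOSTNAME selects the logical host's definitions; otherwise the physical host's.
    hostname = env.get("JP1_HOSTNAME")
    if hostname:
        host, mapping_host = logical_hosts[hostname], hostname
    else:
        host, mapping_host = physical, "physical host"

    jp1_username = env.get("JP1_USERNAME")
    if jp1_username:
        # JP1_USERNAME is the JP1 user name; the OS user must be mapped to it
        # unless the OS user has administrator or superuser privileges.
        jp1_user = jp1_username
        mapping_required = not os_user_is_privileged
        mapping_ok = (not mapping_required) or os_user in host.user_mapping.get(jp1_user, ())
    else:
        # The OS user name is the JP1 user name; a JP1 user of that name must be registered.
        jp1_user = os_user
        mapping_required = True
        mapping_ok = jp1_user in host.registered_jp1_users

    # With a JP1 resource group on the unit, the selected host's authentication server is
    # asked about access permissions, except when the OS user is privileged.
    query_auth = resource_group is not None and not os_user_is_privileged
    auth_server = host.auth_server if query_auth else None
    return Resolution(jp1_user, mapping_host, mapping_required, mapping_ok, auth_server)


# Constructed sample definitions (all names are made up for this example).
PHYSICAL_HOST = HostDefinition(
    auth_server="auth-physical",
    registered_jp1_users=frozenset({"jp1admin", "jobuser2"}),
    user_mapping={"jp1admin": ("opsuser",)},
)
LOGICAL_HOSTS = {
    "lhost1": HostDefinition(
        auth_server="auth-lhost1",
        registered_jp1_users=frozenset({"jp1user1"}),
        user_mapping={"jp1user1": ("jobuser2",)},
    ),
}


def demo():
    """Four cases that exercise each rule combination; returned for inspection."""
    return {
        "logical_mapped": resolve_local_command(
            "jobuser2", False, {"JP1_USERNAME": "jp1user1", "JP1_HOSTNAME": "lhost1"},
            PHYSICAL_HOST, LOGICAL_HOSTS, resource_group="AJSgroup"),
        "physical_unmapped": resolve_local_command(
            "jobuser2", False, {"JP1_USERNAME": "jp1user1"},
            PHYSICAL_HOST, LOGICAL_HOSTS, resource_group="AJSgroup"),
        "privileged": resolve_local_command(
            "root", True, {"JP1_USERNAME": "jp1admin"},
            PHYSICAL_HOST, LOGICAL_HOSTS, resource_group="AJSgroup"),
        "no_username": resolve_local_command(
            "jobuser2", False, {}, PHYSICAL_HOST, LOGICAL_HOSTS),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

The `physical_unmapped` case is the one worth noticing when troubleshooting: the same JP1_USERNAME that works with JP1_HOSTNAME set fails without it, because the mapping lives only in the logical host's definition.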
Next, we explain how to remotely execute a command for operating units. For details about the commands that can be remotely executed, see 1.1 Command syntax in the manual JP1/Automatic Job Management System 3 Command Reference.
The following settings are required on the hosts that remotely execute commands:
- When environment variable JP1_USERNAME is set
  If environment variable JP1_USERNAME is set when a command is remotely executed, the value set for JP1_USERNAME is used as the JP1 user name when the command is executed on the target host. One of the OS user names on the command execution destination host and the value set for environment variable JP1_USERNAME must be mapped by user mapping on the command execution host.
  The type of user mapping to be performed differs depending on whether a logical host name or a physical host name is specified as the command execution destination host:
  - When a logical host name is specified for the command execution destination host: the user mapping defined for the specified logical host is used.
  - When a physical host name is specified for the command execution destination host: the user mapping defined for the specified physical host is used.
- When environment variable JP1_USERNAME is not set
  If environment variable JP1_USERNAME is not set, JP1/AJS3 treats the OS user name of the command execution source host as the JP1 user name.
If a JP1 resource group name is specified in the attributes of the job or jobnet to be operated, JP1/AJS3 checks with the authentication server about access permissions. If you specify a logical host name for the command execution destination host, the authentication server defined in the logical host is used. If you specify a physical host name for the command execution destination host, the authentication server defined in the physical host is used. Set the JP1 permission level required for using the command. However, if the mapped primary user is a user with administrator privileges or superuser privileges, the authentication server is not asked about access permissions.
(2) JP1 user names when a job in the job execution environment is executed and operated with commands
When you use a jpqxxxx command to perform operations on a job in the job execution environment, or you perform operations on the job execution environment itself, the permissions are checked based on the JP1 user name with the same name as the OS user who executes the command. For that reason, register the OS user who executes the command as a JP1 user regardless of the settings in the JP1_USERNAME environment variable.
For details on how to register JP1 users and how to set JP1 permissions levels, see 3.1.1 Setting up JP1/Base in the JP1/Automatic Job Management System 3 Configuration Guide (for Windows hosts) or see 13.1.1 Setting up JP1/Base in the JP1/Automatic Job Management System 3 Configuration Guide (for UNIX hosts).
In addition, for details on the permission levels required to use the various commands, see 1.5 Commands in the manual JP1/Automatic Job Management System 3 Command Reference.
(3) JP1 user names when agent management information is operated on with commands
When you use a command to perform operations on agent management information, the JP1 user name is decided in accordance with the following rules:
- When the environment variable JP1_USERNAME is set
  The user name set in the environment variable JP1_USERNAME is used as the JP1 user name. Note that you must ensure that the user name set in the environment variable JP1_USERNAME and the OS user at command execution are mapped in the JP1/Base user mapping definition. User mapping is unnecessary if the OS user at command execution is a user with administrator privileges or superuser privileges.
  The user mapping also differs depending on whether the environment variable JP1_HOSTNAME is set:
  - If the environment variable JP1_HOSTNAME is set: the user mapping defined on the logical host set for the environment variable JP1_HOSTNAME is used.
  - If the environment variable JP1_HOSTNAME is not set: the user mapping defined on the physical host is used.
- When the environment variable JP1_USERNAME is not set
  Because the OS user name is used as the JP1 user name, a JP1 user with the same name as the OS user must be registered.
When you attempt to perform an operation on agent management information, JP1/AJS3 queries the authentication server about access permissions. If you specify a logical host as the target host for the agent management information, the authentication server defined on the logical host is used. If you specify a physical host as the target host, the authentication server defined on the physical host is used. Note, however, that when you use the ajsagtshow and ajsagtprint commands as a user with administrator privileges or superuser privileges, user mapping is unnecessary and the authentication server is not queried about access permissions.
(4) JP1 user names when flexible jobs are executed
A flexible job performs user mapping on the relay agent and on the destination agent. On the relay agent, user mapping is performed in the same way as when normal jobs are executed, and relay processing runs as the mapped OS user. On the destination agent, user mapping is performed and the job is executed by the mapped OS user. Note that if you choose to use a relay agent, set either the host name of the relay agent or * (asterisk) for Server host in the user mapping definition on the destination agent.
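The last sentence is the one most likely to bite in practice: a destination agent whose mapping definition names only the manager host will not map a JP1 user whose job arrives through a relay agent. The following added Python check, written for this section and not taken from JP1/Base, parses a constructed mapping definition and reports whether the relayed request can be mapped. The definition text is assumed to follow the convention `JP1-user:server-host:OS-user[,OS-user...]`, one entry per line; the host and user names (manager01, relay01, jp1user1, jobuser2) are made up for the example.

```python
def parse_user_mapping(text):
    """Parse a user mapping definition assumed to use the form
    JP1-user:server-host:OS-user[,OS-user...] (one entry per line, '#' starts a comment)."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        jp1_user, server_host, os_users = line.split(":", 2)
        entries.append((jp1_user.strip(), server_host.strip(),
                        tuple(u.strip() for u in os_users.split(","))))
    return entries


def mapped_os_users(entries, jp1_user, requesting_host):
    """OS users that jp1_user is mapped to for a request arriving from requesting_host.
    A server host of '*' accepts any requesting host, as the text describes."""
    users = []
    for user, server_host, os_users in entries:
        if user == jp1_user and server_host in ("*", requesting_host):
            users.extend(os_users)
    return users


def relay_mapping_ok(entries, jp1_user, relay_agent):
    """True when the destination agent can map jp1_user for a job relayed via relay_agent."""
    return bool(mapped_os_users(entries, jp1_user, relay_agent))


# Constructed definitions for a destination agent. DEST_BEFORE lists only the manager host,
# so a job relayed through relay01 cannot be mapped until a relay01 or '*' entry is added.
DEST_BEFORE = "# destination agent mapping (constructed)\njp1user1:manager01:jobuser2\n"
DEST_AFTER = DEST_BEFORE + "jp1user1:relay01:jobuser2\n"
DEST_WILDCARD = "jp1user1:*:jobuser2\n"

if __name__ == "__main__":
    for label, text in (("before", DEST_BEFORE), ("after", DEST_AFTER), ("wildcard", DEST_WILDCARD)):
        print(label, relay_mapping_ok(parse_user_mapping(text), "jp1user1", "relay01"))
```

The wildcard entry is the simplest fix but it accepts requests from any host; listing the relay agent's host name explicitly keeps the destination agent's mapping scoped to the relay path you actually use.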