3.1.1 Setting up JP1/Base

This subsection describes how to set up JP1/Base.

The subsection contains an overview of setup and brief setup procedures. For details about the setup procedures, items to be set, and commands, see the JP1/Base User's Guide.

The following is an overview of JP1/Base setup:

Set user information.

JP1/Base user management is used to specify user authentication and mapping settings.

The user authentication settings specify JP1/AJS3 users and the permissions required to use JP1/AJS3.

The user mapping settings are required to execute jobs and to log in from JP1/AJS3 - View. JP1 users are mapped to OS users who have been registered on hosts.

For details about how to specify these settings, see (1) Setting user information.
Specify the event service environment settings.

The event service environment settings are required to send and receive JP1 events.

In the JP1/Base event service environment settings, specify keep-alive as the communication type for the server parameter in the API settings file. If close is specified, the following problems might occur:
- The JP1 event issued by JP1/AJS3 at startup cannot be issued.
- The KAVT1040-E message is output to the integrated trace log, and the JP1 event reception monitoring job, log file monitoring job, and Windows event log monitoring job cannot detect events.
- The JP1 event sending job terminates abnormally (Ended abnormally status).
For details about how to specify settings and about the API settings file, see the JP1/Base User's Guide.

The following describes the JP1/Base setup procedure and definitions.

Organization of this subsection

(1) Setting user information
(2) JP1 permission levels required for JP1/AJS3

(1) Setting user information

The general procedure for setting user information is as follows:

Specify the authentication server to be used.
Register JP1 users.
Set the JP1 permission level.
Perform user mapping. (This step is also required when a user logs in from JP1/AJS3 - View.)

Note that if the authentication server has been set on another host, steps 2 and 3 are not necessary. However, the operations in these steps must have been performed for the authentication server on the other host.

In the Windows version of JP1/Base, user information can be set by using either the GUI or commands. This manual describes only the method using the GUI. For the method using commands, see the JP1/Base User's Guide.

The following describes the steps required to set user information.

(a) Specify the authentication server to be used

To specify the authentication server to be used:

From the Windows Start menu, choose JP1_Base and then Environment Settings.

The JP1/Base Environment Settings dialog box appears.
Click the Authentication Server tab.
In the Order of authentication server area, click the Add button.

The Authentication Server dialog box appears.
Enter the name of the host that you want to use as the authentication server, and then click the OK button.

Specify which host you want to use as the authentication server. You can use either the local or a remote host as the authentication server.

If you want to set a secondary authentication server, specify two authentication servers. If you do not want to set a secondary authentication server, specify only one authentication server.

The authentication server or authentication servers that you specify are displayed in the Authentication server of the JP1/Base Environment Settings dialog box. If two authentication servers are displayed, the upper one is the primary authentication server and the lower one is the secondary authentication server.

Authentication server specification is complete.

Important: If you specify the local host as an authentication server (primary or secondary authentication server) in the Order of authentication server area, you must make sure that the JP1/Base service is not running.

(b) Register JP1 users

To register JP1 users:

In the JP1/Base Environment Settings dialog box, click the Authentication Server tab.
In the JP1 user area, click the Add button.

The JP1 User dialog box appears.
Enter the JP1 user name and password for logging in to JP1/AJS3 - Manager, and then click the OK button.

The registered user name is displayed in the JP1 user of the JP1/Base Environment Settings dialog box.

To register more JP1 users, repeat steps 2 and 3.

JP1 user registration is complete.

If you have specified a remote host as an authentication server, register JP1 users on the authentication server.

(c) Set the JP1 permission level

For each JP1 user you register, set a permission level, which determines what processing the JP1 user can define or execute in JP1/AJS3. When you set a permission level for a JP1 user, you must define both a JP1 resource group and a JP1 permission level for the JP1 user.

To set a JP1 permission level:

In the JP1/Base Environment Settings dialog box, click the Authentication Server tab.
In the JP1 user, select the name of the JP1 user for whom you want to set a permission level.
In the Authority level for JP1 resource group area, click the Add button.

The JP1 Resource Group Details dialog box appears.
In JP1 resource group, enter a JP1 resource group name.

Resource group names are arbitrary names that are used to manage units as a group.

Specify the name of an existing resource group that already has JP1 users or the name of a new resource group. The JP1 resource group can consist of alphanumeric characters and underscores (_).
In Permissions not granted, select the name of the JP1 permission level that you want to set for the JP1 user, and then click the Add button.

The selected JP1 permission level name is displayed in the Permissions granted.

If you want to set more than one JP1 permission level, repeat this step.

To delete a JP1 permission level name from the Permissions granted, select the names and then click the Delete button.

For details about the JP1 permission levels required in JP1/AJS3, see (2) JP1 permission levels required for JP1/AJS3.
Click the OK button.

The JP1 resource group name and JP1 permission level names that you have set are displayed in the Authority level for JP1 resource group of the JP1/Base Environment Settings dialog box.

To set JP1 permission levels for other JP1 users, repeat steps 2 through 5.

Specification of the JP1 permission level settings is complete.

If you have specified another host as an authentication server, specify JP1 permission level settings on that server.

(d) Map the JP1 users

Map the registered JP1 users to OS users.

To map a JP1 user:

In the JP1/Base Environment Settings dialog box, click the User Mapping tab.
In Password management, click the Set button.

The Password Manager dialog box appears.
Click the New User button.

The New User dialog box appears.
Specify the OS user name and password as OS user information, and then click the OK button.

The OS user information is set, and the Password Manager dialog box appears again. In the dialog box, you can register, change, and delete OS user and password information.

An OS user is defined in domain-name\user-name or user-name format. In JP1/AJS3, an OS user name with a domain name is distinguished from an OS user name without a domain name. Select the appropriate format as explained below:
- For a domain user, use the domain-name\user-name format.
- For a user on the domain controller, use the domain-name\user-name format.
- For a local user (a user whose domain name and computer name are the same), use the user-name format (do not add a computer name).
Click the Exit button.

The Password Manager dialog box closes, and the JP1/Base Environment Settings dialog box appears again with the User Mapping page displayed.
In the JP1 user area, click the Add button.

The JP1 User dialog box appears.
Enter a JP1 user name, the host permitted to request job execution, and the host to which JP1/AJS3 - View logs in. Then click the OK button.

The OS User Mapping Details dialog box appears.

If a specific host is set for Server host, job execution requests from the other hosts will not be accepted. If an asterisk (*) is set for Server host, job execution requests from all hosts will be accepted. To accept a login request from JP1/AJS3 - View, set the local host name or an asterisk (*) for Server host.
For the displayed JP1 user, select one or more OS users to which you want to map the JP1 user.

The OS users not mapped displays the OS users set in the Password Manager dialog box. In this field, select the OS users to which you want to map the JP1 user, and then click the Add button. The selected OS users move to the OS users to be mapped.

Note that a JP1 user can be mapped to several OS users.
After making sure that all the OS users to which you want to map the JP1 user are selected, click the OK button.

The JP1 user name and the mapped OS user names are displayed in the List of OS users to be mapped of the JP1/Base Environment Settings dialog box.

User mapping is complete.

Important

The OS user that a JP1 user is mapped to requires permissions that allow local logon to the manager host and agent host.

You can set these permissions by using the Windows Local Security Policy administrative tool.

Make sure that the OS users to which a JP1 user is mapped are able to log on normally to the OS.

To Page Top

(2) JP1 permission levels required for JP1/AJS3

JP1/AJS3 provides three types of JP1 permission levels:

Those related to defining and executing jobnets
Those related to manipulating agent management information
Those related to executing and manipulating jobs

The following describes the JP1 permission levels for each type.

(a) JP1 permission levels related to defining and executing jobnets

The following five JP1 permission levels are related to defining and executing jobnets:

JP1_AJS_Admin

Grants administrator authority to the holder, and permits the holder to perform operations related to the owner and resource group of a unit, and to define, execute, and edit a jobnet.
JP1_AJS_Manager

Permits the holder to define, execute, and edit a jobnet.
JP1_AJS_Editor

Permits the holder to define and edit a jobnet.
JP1_AJS_Operator

Permits the holder to execute and view a jobnet.
JP1_AJS_Guest

Permits the holder to view a jobnet.

The following table provides information about the operations that are permitted by the above JP1 permission levels.

Table 3‒1: Operations permitted by the JP1 permission levels related to defining and executing jobnets
Operation	JP1_AJS_Admin	JP1_AJS_Manager	JP1_AJS_Editor	JP1_AJS_Operator	JP1_AJS_Guest
Changing the owner, JP1 resource group name, or job execution-user type (Executed by) of a unit owned by another user	Y^#1	--	--	--	--
Defining a unit	Y	Y	Y	--	--
Changing the definition of the units of a jobnet	Y	Y^#2	Y^#2	--	--
Changing the definition of a jobnet	Y	Y	Y	--	--
Copying, moving, or renaming a unit	Y	Y	Y	--	--
Deleting a unit	Y	Y	Y	--	--
Outputting the name of a unit to the standard output file	Y	Y	Y	Y	Y
Outputting the definition of a unit to the standard output file	Y	Y	Y	Y	Y
Backing up a unit	Y	Y	Y	Y	Y
Restoring a unit	Y	Y	Y	--	--
Defining calendar information for a job group	Y	Y	Y	--	--
Defining a jobnet execution schedule for a specific period	Y	Y	--	Y	--
Registering a defined jobnet for execution	Y	Y	--	Y	--
Unregistering execution of a jobnet	Y	Y	--	Y	--
Outputting information such as the execution log, current status, and next execution schedule of a jobnet or job to the standard output file	Y	Y	Y	Y	Y
Temporary changing the schedule of a jobnet	Y	Y	--	Y	--
Temporary changing the status of a job	Y	Y	--	Y	--
Changing the status of a job	Y	Y	--	Y	--
Interrupting execution of a jobnet	Y	Y	--	Y	--
Re-executing a jobnet	Y	Y	--	Y	--
Forcibly terminating a job or jobnet	Y	Y	--	Y	--
Exporting a unit	Y	Y	Y	Y	Y
Importing a unit	Y	Y	Y	--	--
Exporting the registered execution-schedule information for root jobnets	Y	Y	Y	Y	Y
Importing the registered execution-schedule information for root jobnets	Y	Y	--	Y	--
Registering release of a jobnet	Y	Y	Y^#3	Y^#3	--
Canceling the release of a jobnet	Y	Y	Y^#3	Y^#3	--
Viewing jobnet release information	Y	Y	Y	Y	Y

Legend:

Y: This operation can be performed at this permission level.

--: This operation cannot be performed at this permission level.

Note 1:

JP1 users who are mapped to OS users with administrator permissions can perform all operations regardless of the granted JP1 permission level. Note, however, that if the value of the ADMACLIMIT environment setting parameter is changed to yes from the default, the JP1 user can only perform operations permitted for the granted JP1 permission level. In this case, grant the necessary permissions to JP1 users who back up or recover JP1/AJS3 - Manager or perform operations on related products.

For details about the ADMACLIMIT environment setting parameter, see 20.11.2(4) ADMACLIMIT.

If no JP1 resource group has been set for a unit, all users can perform all JP1/AJS3 operations for that unit.

Note 2:

For the manager job group and manager jobnet, the access permission definition of the JP1/AJS3 - Manager to be accessed applies.

#1

The owner of a unit can perform these operations for the unit even when JP1_AJS_Admin permission has not been granted. For details, see 7.2.1 Unit owner permission in the manual JP1/Automatic Job Management System 3 Overview.

#2

When the execution-user type of a unit is User who owns, operations that change the unit can be performed only by the owner of the unit and by JP1 users who have JP1_AJS_Admin permission. This prevents general users without JP1_AJS_Admin permission from executing jobs.

When the execution-user type of a unit is User who registered, operations that change the unit can be performed by any user who has a JP1 permission level sufficient for performing those operations.

#3

Both JP1_AJS_Editor and JP1_AJS_Operator permissions must be granted. The reason is that operations for changing definitions and registering execution are required to register or cancel the release of a jobnet.

(b) JP1 permission levels related to manipulating agent management information

The following three JP1 permission levels are related to manipulating agent management information:

JP1_JPQ_Admin

Grants administrator authority to the holder, and permits the holder to add, change, or delete an execution agent or execution agent group.
JP1_JPQ_Operator

Permits the holder to change the job transfer restriction status for an execution agent or execution agent group.
JP1_JPQ_User

Permits the holder to view the status and definition of an execution agent or execution agent group.

When you set JP1 permission levels related to manipulating agent management information, make sure that you set them for the resource group named JP1_Queue. Note that JP1_Queue is case sensitive.

The following table provides information about the operations permitted by the above JP1 permission levels.

Table 3‒2: Operations permitted by the JP1 permission levels related to manipulating agent management information
Operation	JP1_JPQ_Admin	JP1_JPQ_Operator	JP1_JPQ_User
Adding an execution agent	Y	--	--
Adding an execution agent group	Y	--	--
Deleting an execution agent	Y	--	--
Deleting an execution agent group	Y	--	--
Changing the target host defined on an execution agent	Y	--	--
Changing the maximum number of concurrently executable jobs on an execution agent	Y	--	--
Changing the description of an execution agent	Y	--	--
Changing the description of an execution agent group	Y	--	--
Adding an execution agent to an execution agent group	Y	--	--
Changing the priority of execution agents in an execution agent group	Y	--	--
Removing an execution agent from an execution agent group	Y	--	--
Changing the job transfer restriction status for an execution agent	Y	Y	--
Changing the job transfer restriction status for an execution agent group	Y	Y	--
Displaying the status of an execution agent^#	Y	Y	Y
Displaying the status of an execution agent group^#	Y	Y	Y
Displaying the status of all execution agents and execution agent groups^#	Y	Y	Y
Displaying the names of all execution agents and execution agent groups^#	Y	Y	Y
Outputting the definition of an execution agent^#	Y	Y	Y
Outputting the definition of an execution agent group^#	Y	Y	Y
Outputting the definitions of all execution agents and execution agent groups^#	Y	Y	Y

Legend:

Y: This operation can be performed at this permission level.

--: This operation cannot be performed at this permission level.

#

Users who have administrator privileges of the OS can perform all operations, regardless of the granted JP1 permission level.

Important: For the manipulation of agent management information, the access permission definition of the authentication server used by the Manager that executes the command applies.

(c) JP1 permission levels related to executing and manipulating jobs

The following three JP1 permission levels are related to executing and manipulating jobs:

JP1_JPQ_Admin

Grants administrator authority to the holder, and permits the holder to set up the execution environment, to manipulate queues and job execution agents, and to manipulate jobs queued by other users.
JP1_JPQ_Operator

Permits the holder to manipulate queues and to manipulate jobs queued by other users.
JP1_JPQ_User

Permits the holder to register submit jobs and manipulate jobs queued by the holder.

When you set JP1 permission levels related to executing and manipulating jobs, make sure that you set the JP1 permission levels for the resource group named JP1_Queue. Note that JP1_Queue is case sensitive.

The following table provides information about the operations permitted by the above JP1 permission levels.

Table 3‒3: Operations permitted by the JP1 permission levels related to executing and manipulating jobs
Operation	JP1_JPQ_Admin	JP1_JPQ_Operator	JP1_JPQ_User
Canceling or forcibly terminating job execution	Y	Y	U
Holding job execution or canceling a hold placed on job execution	Y	Y	U
Moving a job	Y	Y	U
Outputting job information	Y	Y	U
Outputting information about jobs that have ended	Y	Y	U
Deleting information about jobs that have ended from the database	Y	Y	--
Registering a submit job^#	Y	Y	Y
Opening a queue^#	Y	Y	--
Closing a queue^#	Y	Y	--
Adding a queue^#	Y	--	--
Deleting a queue^#	Y	--	--
Outputting queue information^#	Y	Y	Y
Changing the queue definition^#	Y	--	--
Connecting a queue to an agent^#	Y	--	--
Disconnecting a queue from an agent^#	Y	--	--
Changing the maximum number of concurrently executable jobs^#	Y	--	--
Adding an agent^#	Y	--	--
Deleting an agent^#	Y	--	--
Outputting agent host information^#	Y	--	--
Adding an execution-locked resource^#	Y	--	--
Deleting an execution-locked resource^#	Y	--	--
Outputting information about execution-locked resources^#	Y	Y	Y

Legend:

Y: This operation can be performed at this permission level.

U: This operation cannot be performed by a user at this permission level when the job was executed by another user.

--: This operation cannot be performed at this permission level.

#

This operation can be performed only in a configuration in which submit jobs can be used.

Important

For the execution and manipulation of a job, the access permission definition of the authentication server used by the Manager that accepts the processing request applies.

When a job execution control command is used to execute or manipulate a job, make sure that a JP1 user whose name is the same as the OS user who executes the command is registered. In addition, for that JP1 user, set a JP1 permission level sufficient for executing or manipulating the job.

If the jpqjobsub command is executed, the JP1 user executing the job (the user with the same name as the OS user who executes the command) must be mapped on the job execution host to an OS user on that host.

If -eu is specified in the executed jpqjobsub command, the JP1 user that has the same name as the OS user who executes the command must be mapped on the job execution host to the OS user specified in -eu.

To Page Top