Hitachi

JP1 Version 12 JP1/Automatic Job Management System 3 Configuration Guide


13.1.1 Setting up JP1/Base

This subsection describes how to set up JP1/Base.

The subsection contains an overview of setup and brief setup procedures. For details about the setup procedures, items to be set, and commands, see the JP1/Base User's Guide.

The following is an overview of JP1/Base setup:

  1. Set user information.

    JP1/Base user management is used to specify user authentication and mapping settings.

    The user authentication settings specify JP1/AJS3 users and the permissions required to use JP1/AJS3.

    The user mapping settings are required to execute jobs and to log in from JP1/AJS3 - View. JP1 users are mapped to OS users who have been registered on hosts.

    For details about how to specify these settings, see (1) Setting user information.

  2. Specify the event service environment settings.

    The event service environment settings are required to send and receive JP1 events.

    In the JP1/Base event service environment settings, specify keep-alive as the communication type for the server parameter in the API settings file. If close is specified, the following problems might occur:

    • The JP1 event issued by JP1/AJS3 at startup cannot be issued.

    • The KAVT1040-E message is output to the integrated trace log, and the JP1 event reception monitoring job, log file monitoring job, and Windows event log monitoring job cannot detect events.

    • The JP1 event sending job terminates abnormally (Ended abnormally status).

    For details about how to specify settings and about the API settings file, see the JP1/Base User's Guide.

The following describes the JP1/Base setup procedure and definitions.

(1) Setting user information

The general procedure for setting user information is as follows:

  1. Specify the authentication server to be used.

  2. Register JP1 users.

  3. Set the JP1 permission level.

  4. Perform user mapping. (This step is also required when a user logs in from JP1/AJS3 - View.)

Note that if the authentication server has been set on another host, steps 2 and 3 are not necessary. However, the operations in these steps must have been performed for the authentication server on the other host.

In the UNIX version of JP1/Base, user information is set by using commands.

The following describes the steps required to set user information.

(a) Specify the authentication server to be used

Execute the following command:

jbssetusrsrv primary-authentication-server [secondary-authentication-server]

The host specified for primary-authentication-server is used as the default authentication server, while the host specified for secondary-authentication-server is used as the backup authentication server.

You do not always need to specify a secondary authentication server. If you omit the specification, only the host specified for primary-authentication-server operates as the authentication server in the user authentication block.

Important

The authentication server names you specify in the command must be set in the hosts file or on the DNS server before JP1/Base starts. You can execute the jbssetusrsrv command to specify authentication server names before or after the names are set in the hosts file or on the DNS server. However, JP1/Base must be able to resolve the server names into IP addresses when it starts.

If you execute the jbssetusrsrv command to specify the local host as an authentication server (primary or secondary authentication server), you must also execute the following commands:

cd /etc/opt/jp1base/conf

cp -p jp1bs_spmd.conf.session.model jp1bs_spmd.conf

The local host is not started as an authentication server (primary or secondary authentication server) until these commands have been executed.

(b) Register JP1 users

Execute the following command:

jbsadduser JP1-user-name

You need to execute the command for each JP1 user to be registered.

(c) Set the JP1 permission level

For each JP1 user you register, set a permission level, which determines what processing the JP1 user can define or execute in JP1/AJS3. When you set a permission level for a JP1 user, you must define both a JP1 resource group and a JP1 permission level for the JP1 user.

To set a JP1 permission level:

  1. Open the following file with a text editor:

    /etc/opt/jp1base/conf/user_acl/JP1_UserLevel

    This file initially contains the following definition entry:

    jp1admin:*=JP1_AJS_Admin,JP1_Console_Admin,JP1_JPQ_Admin

  2. Modify the definition entry (the format is JP1-user-name:JP1-resource-group-name=JP1-permission-level-name).

    If you want to specify two or more JP1 permission level names, use a comma (,) to separate the JP1 permission level names. If you want to define permission levels for two or more resource groups, use a colon (:) to separate the resource group names. If you want to insert a comment in the file, start the line with a semicolon (;). A line beginning with a semicolon (;) is treated as a comment line.

    Note that JP1_Queue is a case-sensitive name.

    For details about the JP1 permission levels required for JP1/AJS3, see (2) JP1 permission levels required for JP1/AJS3.

    The following shows an example of the definition in the file.

    [Figure]

  3. Set JP1 permission levels for all JP1 users, and then close the file.

  4. Restart JP1/Base, or execute the jbs_spmd_reload command.

    The new definition in the file takes effect.
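
A pre-reload check of the definition file, as an added example (not code from the JP1 manuals). The function name, the finding codes, the `expected_admins` parameter and the sample users are hypothetical; the level names are those listed on this page, and treating `*` as covering every resource group is an assumption taken from the default jp1admin entry.

```python
# Added example: lint JP1_UserLevel text before restarting JP1/Base or
# running jbs_spmd_reload. Level names are the ones listed on this page.
AJS_LEVELS = {"JP1_AJS_Admin", "JP1_AJS_Manager", "JP1_AJS_Editor",
              "JP1_AJS_Operator", "JP1_AJS_Guest"}
JPQ_LEVELS = {"JP1_JPQ_Admin", "JP1_JPQ_Operator", "JP1_JPQ_User"}
KNOWN_LEVELS = AJS_LEVELS | JPQ_LEVELS | {"JP1_Console_Admin"}

# Constructed sample entries, not taken from a real system.
SAMPLE = """\
; constructed sample
jp1admin:*=JP1_AJS_Admin,JP1_Console_Admin,JP1_JPQ_Admin
root:JP1_Queue=JP1_JPQ_Admin
ops01:payroll=JP1_AJS_Operator:JP1_Queue=JP1_JPQ_User
dev01:payroll=JP1_AJS_Editor:jp1_queue=JP1_JPQ_User
batch:*=JP1_AJS_Admin
rel01:payroll=JP1_AJS_Editer
broken line without separator
"""


def lint_user_level(text, expected_admins=("jp1admin",)):
    """Return (line_number, code, detail) tuples for entries that need review."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith(";"):      # blank line or comment line
            continue
        user, sep, rest = line.partition(":")
        if not sep or not user or not rest:
            findings.append((lineno, "FORMAT", line))
            continue
        for clause in rest.split(":"):            # one clause per resource group
            group, eq, levels = clause.partition("=")
            names = [n.strip() for n in levels.split(",") if n.strip()]
            if not eq or not group or not names:
                findings.append((lineno, "FORMAT", clause))
                continue
            for name in names:
                if name not in KNOWN_LEVELS:
                    findings.append((lineno, "UNKNOWN_LEVEL", name))
                # JPQ levels belong on the resource group JP1_Queue, exact case.
                # Assumption: "*" (as in the default jp1admin entry) covers it.
                elif name in JPQ_LEVELS and group not in ("JP1_Queue", "*"):
                    findings.append((lineno, "JPQ_GROUP", group))
                # Administrator level on every resource group: confirm intent.
                if (group == "*" and name.endswith("_Admin")
                        and user not in expected_admins):
                    findings.append((lineno, "WILDCARD_ADMIN", user))
    return findings


if __name__ == "__main__":
    for finding in lint_user_level(SAMPLE):
        print(finding)
```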

(d) Map the JP1 users

Map the registered JP1 users to OS users. This user mapping is required for JP1 users to execute jobs or log in from JP1/AJS3 - View.

To map a JP1 user:

  1. Use a text editor to create or open a user mapping definition file.

    Although you can use a file with any name, we recommend that you use a file named /etc/opt/jp1base/conf/user_acl/jp1BsUmap.conf.

  2. Specify the user mapping entries (the format is JP1-user-name:host-name:OS-user-name).

    The following shows an example of the definition in the file.

    [Figure]

  3. When you have completed the definition, close the file, and then execute the following command:

    jbsmkumap [-f user-mapping-definition-file]

    The definition in the file takes effect.

    If the user mapping definition file is /etc/opt/jp1base/conf/user_acl/jp1BsUmap.conf, you do not need to specify the -f option.

Supplementary note:

The following table describes the items that can be specified in the user mapping definition file.

Table 13‒1: Items that can be specified in the user mapping definition file (JP1/AJS3 - Manager)

| Permitted operation | JP1 user | Host | OS user |
|---|---|---|---|
| Executing a job from JP1/AJS3 - View | User who logs in to JP1/AJS3 - Manager | JP1/AJS3 - Manager host to which JP1/AJS3 - View connects | User registered in the OS of the host on which the job will be executed |
| Executing a job on a host other than the JP1/AJS3 - Manager host | User who logs in to the OS of the JP1/AJS3 - Manager host | JP1/AJS3 - Manager host | User registered in the OS of the host on which the submit job will be executed |
| Registering a submit job from JP1/AJS2 - Client Toolkit | User who logs in to the OS of the JP1/AJS3 - Manager host to which the job is to be submitted | JP1/AJS3 - Manager host | User registered in the OS of the host on which the submit job will be executed |

Cautionary note:

Make sure that the user ID and group ID have been set correctly for any OS user to whom you map a JP1 user.

For a JP1 user to log in from JP1/AJS3 - View, the home directory must be set correctly for the OS user to whom the JP1 user is mapped.

The OS users to which you map JP1 users must be able to log in to the OS normally.

If the OS user to whom you map a JP1 user satisfies either of the following conditions, the job might fail to start:

  • The home directory specified in /etc/passwd does not exist.

  • The login shell specified in /etc/passwd does not exist.
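
The checks in this cautionary note, run over a mapping file before jbsmkumap is executed, as an added example (not code from the JP1 manuals). The function names, finding codes and sample data are hypothetical; the mapping format is the JP1-user-name:host-name:OS-user-name form given above, and the SUPERUSER finding reflects the note in (2)(a) that JP1 users mapped to OS superusers are not limited by their JP1 permission level unless ADMACLIMIT is set to yes.

```python
# Added example: audit user mapping entries against /etc/passwd-format data.
import os

# Constructed sample data, not taken from a real system.
SAMPLE_UMAP = """\
jp1admin:mgr01:root
ops01:mgr01:ajsops
dev01:mgr01:ajsdev
rel01:mgr01:ghost
bad entry
"""
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
ajsops:x:1001:1001::/home/ajsops:/bin/bash
ajsdev:x:1002:1002::/home/ajsdev:/bin/ksh93
"""
SAMPLE_PATHS = {"/root", "/bin/bash", "/home/ajsops"}  # paths that "exist"


def parse_passwd(text):
    """Map OS user name -> (uid, home directory, login shell)."""
    users = {}
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) == 7 and fields[2].isdigit():
            users[fields[0]] = (int(fields[2]), fields[5], fields[6])
    return users


def audit_mapping(umap_text, passwd_text, exists=os.path.exists):
    """Return (line_number, code, detail) for each mapping that needs review."""
    users = parse_passwd(passwd_text)
    findings = []
    for lineno, raw in enumerate(umap_text.splitlines(), start=1):
        line = raw.strip()
        if not line:
            continue
        parts = line.split(":")
        if len(parts) != 3 or not all(parts):
            findings.append((lineno, "FORMAT", line))
            continue
        jp1_user, _host, os_user = parts
        if os_user not in users:
            findings.append((lineno, "NO_OS_USER", os_user))
            continue
        uid, home, shell = users[os_user]
        if not exists(home):        # job might fail to start
            findings.append((lineno, "HOME_MISSING", home))
        if not exists(shell):       # job might fail to start
            findings.append((lineno, "SHELL_MISSING", shell))
        if uid == 0:                # permission levels not enforced by default
            findings.append((lineno, "SUPERUSER", jp1_user))
    return findings


if __name__ == "__main__":
    for finding in audit_mapping(SAMPLE_UMAP, SAMPLE_PASSWD,
                                 SAMPLE_PATHS.__contains__):
        print(finding)
```

On a real host, pass the contents of the mapping file and of /etc/passwd and leave `exists` at its default so the paths are checked on disk.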

(2) JP1 permission levels required for JP1/AJS3

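JP1/AJS3 provides three types of JP1 permission levels:

  • JP1 permission levels related to defining and executing jobnets

  • JP1 permission levels related to manipulating agent management information

  • JP1 permission levels related to executing and manipulating jobs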

The following describes the JP1 permission levels for each type.

(a) JP1 permission levels related to defining and executing jobnets

The following five JP1 permission levels are related to defining and executing jobnets:

  • JP1_AJS_Admin

    Grants administrator authority to the holder, and permits the holder to perform operations related to the owner and resource group of a unit, and to define, execute, and edit a jobnet.

  • JP1_AJS_Manager

    Permits the holder to define, execute, and edit a jobnet.

  • JP1_AJS_Editor

    Permits the holder to define and edit a jobnet.

  • JP1_AJS_Operator

    Permits the holder to execute and view a jobnet.

  • JP1_AJS_Guest

    Permits the holder to view a jobnet.

The following table provides information about the operations that are permitted by the above JP1 permission levels.

Table 13‒2: Operations permitted by the JP1 permission levels related to defining and executing jobnets

| Operation | JP1_AJS_Admin | JP1_AJS_Manager | JP1_AJS_Editor | JP1_AJS_Operator | JP1_AJS_Guest |
|---|---|---|---|---|---|
| Changing the owner, JP1 resource group name, or job execution-user type (Executed by) of a unit owned by another user | Y#1 | -- | -- | -- | -- |
| Defining a unit | Y | Y#2 | Y#2 | -- | -- |
| Changing the definition of the units of a jobnet | Y | Y#3 | Y#3 | -- | -- |
| Changing the definition of a jobnet | Y | Y | Y | -- | -- |
| Copying, moving, or renaming a unit | Y | Y#2 | Y#2 | -- | -- |
| Deleting a unit | Y | Y | Y | -- | -- |
| Outputting the name of a unit to the standard output file | Y | Y | Y | Y | Y |
| Outputting the definition of a unit to the standard output file | Y | Y | Y | Y | Y |
| Backing up a unit | Y | Y | Y | Y | Y |
| Restoring a unit | Y | Y#2 | Y#2 | -- | -- |
| Defining calendar information for a job group | Y | Y | Y | -- | -- |
| Defining a jobnet execution schedule for a specific period | Y | Y | -- | Y | -- |
| Registering a defined jobnet for execution | Y | Y | -- | Y | -- |
| Unregistering execution of a jobnet | Y | Y | -- | Y | -- |
| Outputting information such as the execution log, current status, and next execution schedule of a jobnet or job to the standard output file | Y | Y | Y | Y | Y |
| Temporarily changing the schedule of a jobnet | Y | Y | -- | Y | -- |
| Temporarily changing the status of a job | Y | Y | -- | Y | -- |
| Changing the status of a job | Y | Y | -- | Y | -- |
| Interrupting execution of a jobnet | Y | Y | -- | Y | -- |
| Re-executing a jobnet | Y | Y | -- | Y | -- |
| Forcibly terminating a job or jobnet | Y | Y | -- | Y | -- |
| Exporting a unit | Y | Y | Y | Y | Y |
| Importing a unit | Y | Y | Y | -- | -- |
| Exporting the registered execution-schedule information for root jobnets | Y | Y | Y | Y | Y |
| Importing the registered execution-schedule information for root jobnets | Y | Y | -- | Y | -- |
| Registering release of a jobnet | Y | Y | Y#4 | Y#4 | -- |
| Canceling the release of a jobnet | Y | Y | Y#4 | Y#4 | -- |
| Viewing jobnet release information | Y | Y | Y | Y | Y |

Legend:

Y: This operation can be performed at this permission level.

--: This operation cannot be performed at this permission level.

Note:

JP1 users who are mapped to OS users with superuser permissions can perform all operations regardless of the granted JP1 permission level. Note, however, that if the value of the ADMACLIMIT environment setting parameter is changed to yes from the default, the JP1 user can only perform operations permitted for the granted JP1 permission level. In this case, grant the necessary permissions to JP1 users who back up or recover JP1/AJS3 - Manager or perform operations on related products.

For details about the ADMACLIMIT environment setting parameter, see 20.11.2(4) ADMACLIMIT.

If no JP1 resource group has been set for a unit, all users can perform all JP1/AJS3 operations for that unit.

#1

The owner of a unit can perform these operations for the unit even when JP1_AJS_Admin permission has not been granted. For details, see 7.2.1 Unit owner permission in the manual JP1/Automatic Job Management System 3 Overview.

#2

For the manager job group and manager jobnet, the access permission definition of the JP1/AJS3 - Manager to be accessed applies.

#3

When the execution-user type of a unit is User who owns, operations that change the unit can be performed only by the owner of the unit and by JP1 users who have JP1_AJS_Admin permission. This prevents general users without JP1_AJS_Admin permission from executing jobs.

When the execution-user type of a unit is User who registered, operations that change the unit can be performed by any user who has a JP1 permission level sufficient for performing those operations.

#4

Both JP1_AJS_Editor and JP1_AJS_Operator permissions must be granted. The reason is that operations for changing definitions and registering execution are required to register or cancel the release of a jobnet.

(b) JP1 permission levels related to manipulating agent management information

The following three JP1 permission levels are related to manipulating agent management information:

  • JP1_JPQ_Admin

    Grants administrator authority to the holder, and permits the holder to add, change, or delete an execution agent or execution agent group.

  • JP1_JPQ_Operator

    Permits the holder to change the job transfer restriction status for an execution agent or execution agent group.

  • JP1_JPQ_User

    Permits the holder to view the status and definition of an execution agent or execution agent group.

When you set JP1 permission levels related to manipulating agent management information, make sure that you set them for the resource group named JP1_Queue. Note that JP1_Queue is case sensitive.

The following table provides information about the operations permitted by the above JP1 permission levels.

Table 13‒3: Operations permitted by the JP1 permission levels related to manipulating agent management information

| Operation | JP1_JPQ_Admin | JP1_JPQ_Operator | JP1_JPQ_User |
|---|---|---|---|
| Adding an execution agent | Y | -- | -- |
| Adding an execution agent group | Y | -- | -- |
| Deleting an execution agent | Y | -- | -- |
| Deleting an execution agent group | Y | -- | -- |
| Changing the target host defined on an execution agent | Y | -- | -- |
| Changing the maximum number of concurrently executable jobs on an execution agent | Y | -- | -- |
| Changing the description of an execution agent | Y | -- | -- |
| Changing the description of an execution agent group | Y | -- | -- |
| Adding an execution agent to an execution agent group | Y | -- | -- |
| Changing the priority of execution agents in an execution agent group | Y | -- | -- |
| Removing an execution agent from an execution agent group | Y | -- | -- |
| Changing the job transfer restriction status for an execution agent | Y | Y | -- |
| Changing the job transfer restriction status for an execution agent group | Y | Y | -- |
| Displaying the status of an execution agent# | Y | Y | Y |
| Displaying the status of an execution agent group# | Y | Y | Y |
| Displaying the status of all execution agents and execution agent groups# | Y | Y | Y |
| Displaying the names of all execution agents and execution agent groups# | Y | Y | Y |
| Outputting the definition of an execution agent# | Y | Y | Y |
| Outputting the definition of an execution agent group# | Y | Y | Y |
| Outputting the definitions of all execution agents and execution agent groups# | Y | Y | Y |

Legend:

Y: This operation can be performed at this permission level.

--: This operation cannot be performed at this permission level.

#

OS superusers can perform all operations, regardless of the granted JP1 permission level.

Important

For the manipulation of agent management information, the access permission definition of the authentication server used by the Manager that executes the command applies.

(c) JP1 permission levels related to executing and manipulating jobs

The following three JP1 permission levels are related to executing and manipulating jobs:

  • JP1_JPQ_Admin

    Grants administrator authority to the holder, and permits the holder to set up the execution environment, to manipulate queues and job execution agents, and to manipulate jobs queued by other users.

  • JP1_JPQ_Operator

    Permits the holder to manipulate queues and to manipulate jobs queued by other users.

  • JP1_JPQ_User

    Permits the holder to register submit jobs and manipulate jobs queued by the holder.

When you set JP1 permission levels related to executing and manipulating jobs, make sure that you set the JP1 permission levels for the resource group named JP1_Queue. Note that JP1_Queue is case sensitive.

The following table provides information about the operations permitted by the above JP1 permission levels.

Table 13‒4: Operations permitted by the JP1 permission levels related to executing and manipulating jobs

| Operation | JP1_JPQ_Admin | JP1_JPQ_Operator | JP1_JPQ_User |
|---|---|---|---|
| Canceling or forcibly terminating job execution | Y | Y | U |
| Holding job execution or canceling a hold placed on job execution | Y | Y | U |
| Moving a job | Y | Y | U |
| Outputting job information | Y | Y | U |
| Outputting information about jobs that have ended | Y | Y | U |
| Deleting information about jobs that have ended from the database | Y | Y | -- |
| Registering a submit job# | Y | Y | Y |
| Opening a queue# | Y | Y | -- |
| Closing a queue# | Y | Y | -- |
| Adding a queue# | Y | -- | -- |
| Deleting a queue# | Y | -- | -- |
| Outputting queue information# | Y | Y | Y |
| Changing the queue definition# | Y | -- | -- |
| Connecting a queue to an agent# | Y | -- | -- |
| Disconnecting a queue from an agent# | Y | -- | -- |
| Changing the maximum number of concurrently executable jobs# | Y | -- | -- |
| Adding an agent# | Y | -- | -- |
| Deleting an agent# | Y | -- | -- |
| Outputting agent host information# | Y | -- | -- |
| Adding an execution-locked resource# | Y | -- | -- |
| Deleting an execution-locked resource# | Y | -- | -- |
| Outputting information about execution-locked resources# | Y | Y | Y |

Legend:

Y: This operation can be performed at this permission level.

U: This operation cannot be performed by a user at this permission level when the job was executed by another user.

--: This operation cannot be performed at this permission level.

#

This operation can be performed only in a configuration in which submit jobs can be used.

Important

For the execution and manipulation of a job, the access permission definition of the authentication server used by the Manager that accepts the processing request applies.

When a job execution control command is used to execute or manipulate a job, make sure that a JP1 user whose name is the same as the OS user who executes the command is registered.

In addition, for that JP1 user, set a JP1 permission level sufficient for executing or manipulating the job.

For example, to execute a command after logging in as OS user root, set the following entry in the definition file:

root:JP1_Queue=JP1_JPQ_Admin

Although JP1_JPQ_Admin is specified as the JP1 permission level in the above example, specify the JP1 permission level required to execute the command.

If the jpqjobsub command is executed, the JP1 user executing the job (the user with the same name as the OS user who executes the command) must be mapped on the job execution host to an OS user on that host.

If -eu is specified in the executed jpqjobsub command, the JP1 user that has the same name as the OS user who executes the command must be mapped on the job execution host to the OS user specified in -eu.