13.1.7 Isolating the business operations of each scheduler service on a single manager host
For the independent operations of their businesses, the corporate departments require independent resources (execution agents or scheduler services). However, if each department operates its own manager host, information sharing and resource reuse becomes difficult, resulting in excessive management and operating costs.
This subsection describes how corporate departments can use a single manager host for the independent operation of their businesses.
(1) Operation
Assume that each department has the following types of users.

| No | Department | User role |
|---|---|---|
| 1 | Sales | Job administrator: Designs, organizes, and runs jobs that are used by the sales department. |
| 2 | General affairs | Job administrator: Designs, organizes, and runs jobs that are used by the general affairs department. |
| 3 | Information systems | JP1/AJS3 system administrator: Manages the entire JP1/AJS3 system. |

This company uses JP1/AJS3 as follows to enable each department to independently operate its businesses.
- Each department operates a separate manager host and agent hosts.
- The job administrator of each department uses a separate JP1/AJS3 - View to perform job operations.
- The JP1/AJS3 system administrator in the information systems department manages the entire JP1/AJS3 system.
The following figure shows an example in which each department operates its own manager host and agent hosts.
(2) Goal
The goal is to consolidate the separate manager hosts on a single manager host, and make it possible for each department to independently operate its businesses.
Specifically, the following objectives must be achieved:
- JP1/AJS3 - View does not display the scheduler services of other departments.
  If a single manager host is used, the default setting enables all scheduler services, including those of other departments, to be displayed. A department that independently operates its businesses does not need information about the scheduler services of other departments.
- The number of concurrent JP1/AJS3 - View connections for each department must be limited.
  By default, a single manager host can accept no more than 50 connections from JP1/AJS3 - View hosts. If one department is concurrently using JP1/AJS3 - View on 50 host connections, other departments will not be able to use JP1/AJS3 - View.
- A job belonging to one department must not be executed by an execution agent belonging to another department.
  If job execution agents are not defined properly, jobs might be executed on another department's execution agent.
- The job administrator of each department must be able to change passwords.
  If a single manager host is used, only the JP1/AJS3 system administrator can manage JP1/Base. Accordingly, the JP1/AJS3 system administrator's workload increases because the system administrator becomes responsible for changing the passwords of JP1 users.
(3) Solution
This subsection presents a method for achieving each of the objectives in (2) Goal. Performing these settings makes it possible for each department to operate its businesses independently.
- JP1/AJS3 - View does not display the scheduler services of other departments.
  The scheduler service reference restriction function allows the JP1/AJS3 - View used by a department to display only the scheduler services to which the department has access permission.
  JP1/AJS3 - View for the sales department displays only the scheduler services used by the sales department, whereas JP1/AJS3 - View for the general affairs department displays only the scheduler services used by the general affairs department.
- The number of concurrent JP1/AJS3 - View connections for each department must be restricted.
  Setting the maximum number of concurrent JP1/AJS3 - View connections for each scheduler service places a limit on the number of JP1/AJS3 - View hosts that each department can use. This setting prevents any one department from using too many JP1/AJS3 - View hosts at the same time and ensures that each department is able to connect from JP1/AJS3 - View.
- A job belonging to one department must not be executed by an execution agent belonging to another department.
  The execution agent restriction function is used to prohibit job execution on unauthorized execution agents. This setting prevents the execution of a job on an execution agent that belongs to another department.
  For details about the case study for the execution agent restriction function, see 13.1.2 Preventing execution of jobs that are invalid due to an incorrectly specified execution agent or other reason.
- The job administrator of each department must be able to change passwords.
  The function for changing JP1 user passwords in JP1/AJS3 - View permits a job administrator to change the passwords of the JP1 users in JP1/AJS3 - View. This setting reduces the workload of the JP1/AJS3 system administrator.
(4) Configuration example
This subsection describes the steps for setting the following functions:
- The scheduler service reference restriction function
- A function for limiting the maximum number of concurrent connections for a scheduler service
- Execution agent restriction function
- A function for changing JP1 user passwords in JP1/AJS3 - View
Suppose that the manager agent configuration has been changed as shown in Figure 13-16.
The JP1 users are assumed to be those in the following table.

| No | JP1 user name | Department | User role |
|---|---|---|---|
| 1 | userA | Sales | Job administrator: Designs, organizes, and runs jobs that are used by the sales department. |
| 2 | userB | General affairs | Job administrator: Designs, organizes, and runs jobs that are used by the general affairs department. |
| 3 | jp1admin | System administration | JP1/AJS3 system administrator: Manages JP1/AJS3 and JP1/Base. |

The JP1/AJS3 system administrator performs the following operations on the manager host.
(a) Example of setting the scheduler service reference restriction function
This subsection describes how to set the scheduler service reference restriction function.
- Stop the JP1/AJS3 services.
- Execute the following command to set the HIDEOTHERSERVICE environment setting parameter:
  jajs_config -k [JP1_DEFAULT\JP1AJSMANAGER] "HIDEOTHERSERVICE"="yes"
  The function is enabled.
- Define the JP1 permission level and JP1 resource group appropriate for each JP1 user in JP1/Base.
  The definition is as follows.

  Table 13‒5: JP1 user definition

  | No | JP1 user name | JP1 permission level | JP1 resource group name |
  |---|---|---|---|
  | 1 | userA | JP1_AJS_Manager | Sales |
  | 2 | userB | JP1_AJS_Manager | GeneralAffairs |
  | 3 | jp1admin | JP1_AJS_Admin | * |

  For the job administrators userA and userB, define JP1_AJS_Manager as the JP1 permission level. This permission level enables these users to define, execute, and edit units.
  For the JP1/AJS3 system administrator jp1admin, define JP1_AJS_Admin as the JP1 permission level. In addition to defining, executing, and editing units, this permission level enables the user to change definitions for owner names and JP1 resource group names for units even without owner permission.
- Create new scheduler services used by each department.
  To create a new scheduler service, execute the jajs_setup command or manually create the service.
  Suppose that the new scheduler service AJSROOT2 has been created for the sales department and the new scheduler service AJSROOT3 has been created for the general affairs department.
- Restart JP1/AJS3.
- For each scheduler service, execute the following command to define the owner and JP1 resource group for the root job group of the scheduler service:
  ajschange -F service-name -G -o owner-name -g JP1-resource-group-name /
  Specify the scheduler service name, owner name, and JP1 resource group name as follows.

  Table 13‒6: Owner and JP1 resource group definitions for the root job group of the scheduler service

  | No | Scheduler service name (root job group name) | Owner | JP1 resource group name |
  |---|---|---|---|
  | 1 | AJSROOT1 | jp1admin | system |
  | 2 | AJSROOT2 | jp1admin | Sales |
  | 3 | AJSROOT3 | jp1admin | GeneralAffairs |

  For the owner name, specify jp1admin, the user name of the JP1/AJS3 system administrator, for all of the root job groups. This setting prevents the job administrators in the departments from changing the owner and JP1 resource group definitions for the root job group.
  For the JP1 resource group, define the same name as the name of the JP1 resource group of the JP1 users that use a particular scheduler service. If departments do not use AJSROOT1 (default scheduler service), define a JP1 resource group name that is not Sales or GeneralAffairs.
  Cautionary notes
  - Make sure that the JP1 user name of the JP1/AJS3 system administrator is defined as the owner of the root job group.
    If the owner of the root job group is not defined, the definition of the owner and JP1 resource group for the root job group can be changed in any department. If this happens, scheduler services used by the department might not be displayed in the department's JP1/AJS3 - View.
  - Make sure that a JP1 resource group name is defined for each root job group. If a name is not defined, even the user jp1admin, which has access permission for all JP1 resource groups, will not be displayed in JP1/AJS3 - View.
- Set preferences and customize JP1/AJS3 - View as necessary.
  Set preferences and customize JP1/AJS3 - View so that job administrators can run jobs.
  The following are necessary considerations for the setting process:
  - If you want to allow job administrators userA and userB to apply a setting that will be enabled for all JP1 users, log in to JP1/AJS3 - View as both userA and as userB and specify the setting.
  - Consider whether to use the upload or download functionality of the common user profile. If neither functionality is used, disable the common user profile menu in JP1/AJS3 - View.
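
The cautionary notes for the root job group definitions in this procedure can be checked mechanically against an inventory of those definitions. The following shell sketch is an added example, not part of the JP1/AJS3 manual or product: the inventory format, the function names, and the rows AJSROOT4 and AJSROOT5 are constructed for illustration, and visible_services is a simplified model of the display rule as this page states it.

```shell
#!/bin/sh
# Added example. Inventory lines: SERVICE OWNER RESOURCE_GROUP ("-" = not defined).
# The first three rows are Table 13-6; AJSROOT4 and AJSROOT5 are constructed mistakes.
inventory() {
    cat <<'EOF'
AJSROOT1 jp1admin system
AJSROOT2 jp1admin Sales
AJSROOT3 jp1admin GeneralAffairs
AJSROOT4 userA Sales
AJSROOT5 jp1admin -
EOF
}

# Print one finding per root job group that breaks a cautionary note.
# $1 = JP1 user name of the JP1/AJS3 system administrator.
audit_root_groups() {
    admin=$1
    while read -r svc owner group; do
        [ -n "$svc" ] || continue
        # Note 1: a department user as owner can redefine owner and group.
        [ "$owner" = "$admin" ] ||
            echo "$svc: owner is '$owner', expected $admin"
        # Note 2: without a resource group the service is shown to nobody.
        [ -n "$group" ] && [ "$group" != "-" ] ||
            echo "$svc: no JP1 resource group defined"
    done
}

# Print the services shown to a JP1 user whose resource group is $1
# ("*" = all groups, as for jp1admin in Table 13-5). Simplified model.
visible_services() {
    want=$1
    while read -r svc owner group; do
        [ -n "$group" ] && [ "$group" != "-" ] || continue
        if [ "$want" = "*" ] || [ "$want" = "$group" ]; then
            echo "$svc"
        fi
    done
}

# Stand-alone demonstration on the constructed inventory.
inventory | audit_root_groups jp1admin
inventory | visible_services Sales
```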
(b) Example of setting the maximum number of concurrent JP1/AJS3 - View connections for each scheduler service
This subsection describes how to set the maximum number of concurrent connections in JP1/AJS3 - View for scheduler services.
- Stop the JP1/AJS3 services.
- Execute the following command to set the SERVICEMAXSESSION environment setting parameter for a scheduler service:
  jajs_config -k [JP1_DEFAULT\JP1AJSMANAGER\scheduler-service-name] "SERVICEMAXSESSION"=dword:maximum-concurrent-connections (hexadecimal)
  For example, if you want to permit a maximum of 20 concurrent connections for the scheduler service AJSROOT2 used by the sales department, execute the following command:
  jajs_config -k [JP1_DEFAULT\JP1AJSMANAGER\AJSROOT2] "SERVICEMAXSESSION"=dword:00000014
- Restart JP1/AJS3.
  The maximum number of concurrent connections of JP1/AJS3 - View for the scheduler service is defined.
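
SERVICEMAXSESSION takes a hexadecimal dword, so a limit of 20 is written 00000014, not 00000020. The following shell helper is an added example, not part of the manual: it converts decimal limits into the jajs_config lines shown above and refuses a plan whose limits add up to more than the default manager-wide limit of 50. The function name, the budget check, and the limit chosen for AJSROOT3 are assumptions made here.

```shell
#!/bin/sh
# Added example: plan per-service JP1/AJS3 - View connection limits.
MANAGER_MAX=50   # default manager-wide connection limit stated on this page

# Usage: plan_max_sessions SERVICE=LIMIT ...   (LIMIT in decimal)
# Prints one jajs_config line per service.
# Returns 1 on malformed input, 2 if the limits together exceed MANAGER_MAX.
plan_max_sessions() {
    total=0
    for pair in "$@"; do
        svc=${pair%%=*}
        limit=${pair#*=}
        [ -n "$svc" ] && [ "$svc" != "$pair" ] || {
            echo "expected SERVICE=LIMIT: $pair" >&2
            return 1
        }
        # Reject empty, zero, leading-zero and non-decimal values; a leading
        # zero would otherwise be read as octal by printf.
        case $limit in
            ''|0*|*[!0-9]*)
                echo "limit must be a positive decimal: $pair" >&2
                return 1 ;;
        esac
        total=$((total + limit))
    done
    # Assumption: if the per-service limits fit inside the manager-wide
    # limit, no department can use up another department's share.
    if [ "$total" -gt "$MANAGER_MAX" ]; then
        echo "limits total $total, above manager limit $MANAGER_MAX" >&2
        return 2
    fi
    for pair in "$@"; do
        # %08x renders the decimal limit as the 8-digit hexadecimal dword.
        printf 'jajs_config -k [JP1_DEFAULT\\JP1AJSMANAGER\\%s] "SERVICEMAXSESSION"=dword:%08x\n' \
            "${pair%%=*}" "${pair#*=}"
    done
}

# 20 connections for AJSROOT2 is the page's example; AJSROOT3=20 is constructed.
plan_max_sessions AJSROOT2=20 AJSROOT3=20
```

The helper only prints the commands; run them with the JP1/AJS3 services stopped, as the procedure above requires.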
(c) Example of setting the execution agent restriction function
This subsection describes how to set the execution agent restriction function.
- Create an execution agent profile and edit it.
  Create an execution agent profile for each scheduler service and specify the names of the execution agents for which you want to permit execution.
- Enable the execution agent restriction function.
  Use one of the following methods to enable the execution agent restriction function:
  - Restart the JP1/AJS3 service.
  - Restart the scheduler service.
  - Execute the ajsprofalter command.
(d) Example settings for the function used to change JP1 user passwords in JP1/AJS3 - View
This subsection describes how to set the function used to change JP1 user passwords in JP1/AJS3 - View.
- Stop the JP1/AJS3 services.
- Execute the following commands to set the CHANGEPASSWORD and CHANGEPWDLOG environment setting parameters:
  jajs_config -k [JP1_DEFAULT\JP1AJSMANAGER] "CHANGEPASSWORD"="yes"
  jajs_config -k [JP1_DEFAULT\JP1AJSMANAGER] "CHANGEPWDLOG"="all"
- Restart JP1/AJS3.
  The function is enabled in JP1/AJS3 - View.
(5) Manual references

| Type | Item | Location |
|---|---|---|
| Overview | Execution agent restriction | |
| Overview | Unit owner and JP1 resource group | |
| Configuration | Restricting the viewing of scheduler services | |
| Configuration | Maximum number of concurrent connections for JP1/AJS3 - View for a scheduler service | |
| Configuration | Adding a scheduler service | |
| Configuration | Execution agent restriction | |
| Configuration | Function used to change JP1 user passwords in JP1/AJS3 - View | |
| Operating procedures | Customizing JP1/AJS3 - View | |
| Dialog boxes | Change Password | |
| Commands | jajs_config | |
| Commands | jajs_setup | |
| Commands | ajschange | |