Hitachi

JP1 Version 12 JP1/Automatic Job Management System 3 Administration Guide


13.1.7 Isolating the business operations of each scheduler service on a single manager host

To operate their businesses independently, corporate departments require independent resources (execution agents or scheduler services). However, if each department operates its own manager host, information sharing and resource reuse become difficult, resulting in excessive management and operating costs.

This subsection describes how corporate departments can use a single manager host for the independent operation of their businesses.


(1) Operation

Assume that each department has the following types of users.

Table 13‒3: Example of users

| No | Department | User role |
| --- | --- | --- |
| 1 | Sales | Job administrator: Designs, organizes, and runs jobs that are used by the sales department. |
| 2 | General affairs | Job administrator: Designs, organizes, and runs jobs that are used by the general affairs department. |
| 3 | Information systems | JP1/AJS3 system administrator: Manages the entire JP1/AJS3 system. |

This company uses JP1/AJS3 as follows to enable each department to independently operate its businesses.

The following figure shows an example in which each department operates its own manager host and agent hosts.

Figure 13‒15: An example in which each department operates its own manager host and agent hosts

[Figure]

(2) Goal

The goal is to consolidate the separate manager hosts on a single manager host, and make it possible for each department to independently operate its businesses.

Figure 13‒16: Configuration example of an integrated JP1/AJS3 system

[Figure]

Specifically, the following objectives must be achieved:

  1. JP1/AJS3 - View does not display the scheduler services of other departments.

    If a single manager host is used, the default setting enables all scheduler services, including those of other departments, to be displayed. A department that independently operates its businesses does not need information about the scheduler services of other departments.

    [Figure]

  2. The number of concurrent JP1/AJS3 - View connections for each department must be limited.

    By default, a single manager host can accept no more than 50 connections from JP1/AJS3 - View hosts. If one department is concurrently using JP1/AJS3 - View on 50 host connections, other departments will not be able to use JP1/AJS3 - View.

    [Figure]

  3. A job belonging to one department must not be executed by an execution agent belonging to another department.

    If job execution agents are not defined properly, jobs might be executed on another department's execution agent.

    [Figure]

  4. The job administrator of each department must be able to change passwords.

    If a single manager host is used, only the JP1/AJS3 system administrator can manage JP1/Base. Accordingly, the JP1/AJS3 system administrator's workload increases because the system administrator becomes responsible for changing the passwords of JP1 users.

    [Figure]

(3) Solution

This subsection presents a method for achieving each of the objectives in (2) Goal. Performing these settings will make it possible for each department to operate its businesses independently.

  1. JP1/AJS3 - View does not display the scheduler services of other departments.

    The scheduler service reference restriction function allows the JP1/AJS3 - View used by a department to display only the scheduler services to which the department has access permission.

    JP1/AJS3 - View for the sales department displays only the scheduler services used by the sales department, whereas JP1/AJS3 - View for the general affairs department displays only the scheduler services used by the general affairs department.

    [Figure]

  2. The number of concurrent JP1/AJS3 - View connections for each department must be restricted.

    Setting the maximum number of concurrent JP1/AJS3 - View connections for each scheduler service places a limit on the number of JP1/AJS3 - View hosts that each department can use. This setting prevents any one department from using too many JP1/AJS3 - View hosts at the same time and ensures that each department is able to connect from JP1/AJS3 - View.

    [Figure]

  3. A job belonging to one department must not be executed by an execution agent belonging to another department.

    The execution agent restriction function is used to prohibit job execution on unauthorized execution agents. This setting prevents the execution of a job on an execution agent that belongs to another department.

    For details about the case study for the execution agent restriction function, see 13.1.2 Preventing execution of jobs that are invalid due to an incorrectly specified execution agent or other reason.

    [Figure]

  4. The job administrator of each department must be able to change passwords.

    The function for changing JP1 user passwords in JP1/AJS3 - View permits a job administrator to change the passwords of the JP1 users in JP1/AJS3 - View. This setting reduces the workload of the JP1/AJS3 system administrator.

    [Figure]

(4) Configuration example

This subsection describes the steps for setting the following functions:

  1. The scheduler service reference restriction function

  2. A function for limiting the maximum number of concurrent connections for a scheduler service

  3. Execution agent restriction function

  4. A function for changing JP1 user passwords in JP1/AJS3 - View

Suppose that the manager agent configuration has been changed as shown in Figure 13-16.

The JP1 users are assumed to be those in the following table.

Table 13‒4: Example JP1 users

| No | JP1 user name | Department | User role |
| --- | --- | --- | --- |
| 1 | userA | Sales | Job administrator: Designs, organizes, and runs jobs that are used by the sales department. |
| 2 | userB | General affairs | Job administrator: Designs, organizes, and runs jobs that are used by the general affairs department. |
| 3 | jp1admin | System administration | JP1/AJS3 system administrator: Manages JP1/AJS3 and JP1/Base. |

The JP1/AJS3 system administrator performs the following operations on the manager host.

(a) Example of setting the scheduler service reference restriction function

This subsection describes how to set the scheduler service reference restriction function.

  1. Stop the JP1/AJS3 services.

  2. Execute the following command to set the HIDEOTHERSERVICE environment setting parameter:

    jajs_config -k [JP1_DEFAULT\JP1AJSMANAGER] "HIDEOTHERSERVICE"="yes"

    The function is enabled.

  3. Define the JP1 permission level and JP1 resource group appropriate for each JP1 user in JP1/Base.

    The definition is as follows.

    Table 13‒5: JP1 user definition

    | No | JP1 user name | JP1 permission level | JP1 resource group name |
    | --- | --- | --- | --- |
    | 1 | userA | JP1_AJS_Manager | Sales |
    | 2 | userB | JP1_AJS_Manager | GeneralAffairs |
    | 3 | jp1admin | JP1_AJS_Admin | * |

    For the job administrators userA and userB, define JP1_AJS_Manager as the JP1 permission level. This permission level enables these users to define, execute, and edit units.

    For the JP1/AJS3 system administrator jp1admin, define JP1_AJS_Admin as the JP1 permission level. In addition to defining, executing, and editing units, this permission level enables the user to change definitions for owner names and JP1 resource group names for units even without owner permission.

  4. Create the new scheduler services used by each department.

    To create a new scheduler service, execute the jajs_setup command or manually create the service.

    Suppose that the new scheduler service AJSROOT2 has been created for the sales department and the new scheduler service AJSROOT3 has been created for the general affairs department.

  5. Restart JP1/AJS3.

  6. For each scheduler service, execute the following command to define the owner and JP1 resource group for the root job group of the scheduler service:

    ajschange -F service-name -G -o owner-name -g JP1-resource-group-name /

    Specify the scheduler service name, owner name, and JP1 resource group name as follows.

    Table 13‒6: Owner and JP1 resource group definitions for the root job group of the scheduler service

    | No | Scheduler service name (root job group name) | Owner | JP1 resource group name |
    | --- | --- | --- | --- |
    | 1 | AJSROOT1 | jp1admin | system |
    | 2 | AJSROOT2 | jp1admin | Sales |
    | 3 | AJSROOT3 | jp1admin | GeneralAffairs |

    For the owner name, specify jp1admin, the user name of the JP1/AJS3 system administrator, for all of the root job groups. This setting prevents the job administrators in the departments from changing the owner and JP1 resource group definitions for the root job group.

    For the JP1 resource group, define the same name as the name of the JP1 resource group of the JP1 users that use a particular scheduler service. If departments do not use AJSROOT1 (default scheduler service), define a JP1 resource group name that is not Sales or GeneralAffairs.

    Cautionary notes

    • Make sure that the JP1 user name of the JP1/AJS3 system administrator is defined as the owner of the root job group.

      If the owner of the root job group is not defined, the definition of the owner and JP1 resource group for the root job group can be changed in any department. If this happens, scheduler services used by the department might not be displayed in the department's JP1/AJS3 - View.

    • Make sure that a JP1 resource group name is defined for each root job group. If a name is not defined, the scheduler service will not be displayed in JP1/AJS3 - View, even for the user jp1admin, which has access permission for all JP1 resource groups.

  7. Set preferences and customize JP1/AJS3 - View as necessary.

    Set preferences and customize JP1/AJS3 - View so that job administrators can run jobs.

    The following are necessary considerations for the setting process:

    • If you want to allow job administrators userA and userB to apply a setting that will be enabled for all JP1 users, log in to JP1/AJS3 - View as both userA and as userB and specify the setting.

    • Consider whether to use the upload or download functionality of the common user profile. If neither functionality is used, disable the common user profile menu in JP1/AJS3 - View.

(b) Example of setting the maximum number of concurrent JP1/AJS3 - View connections for each scheduler service

This subsection describes how to set the maximum number of concurrent connections in JP1/AJS3 - View for scheduler services.

  1. Stop the JP1/AJS3 services.

  2. Execute the following command to set the SERVICEMAXSESSION environment setting parameter for a scheduler service:

    jajs_config -k [JP1_DEFAULT\JP1AJSMANAGER\scheduler-service-name] "SERVICEMAXSESSION"=dword:maximum-concurrent-connections (hexadecimal)

    For example, if you want to permit a maximum of 20 concurrent connections for the scheduler service AJSROOT2 used by the sales department, execute the following command:

    jajs_config -k [JP1_DEFAULT\JP1AJSMANAGER\AJSROOT2] "SERVICEMAXSESSION"=dword:00000014

  3. Restart JP1/AJS3.

    The maximum number of concurrent connections of JP1/AJS3 - View for the scheduler service is defined.
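The checks and commands of (a) and (b), as an added example that is not part of the Hitachi manual: a dry-run script that lints a per-department plan against the cautionary notes of step 6 in (a) and prints the jajs_config and ajschange lines, with each session limit converted to the dword hexadecimal form. The plan format, the limit 15 for AJSROOT3, and the rule that the per-service limits should total no more than the default of 50 are assumptions of this example.

```shell
# Constructed plan, one row per scheduler service:
#   service:owner:JP1-resource-group:max-View-sessions (decimal; "-" = leave unset)
# Rows follow Table 13-6. 20 is the page's AJSROOT2 example; 15 is constructed.
PLAN='AJSROOT1:jp1admin:system:-
AJSROOT2:jp1admin:Sales:20
AJSROOT3:jp1admin:GeneralAffairs:15'
ADMIN=jp1admin    # JP1/AJS3 system administrator (Table 13-4)
MANAGER_MAX=50    # default View connection limit of one manager host

# Decimal count -> 8-digit hexadecimal for "SERVICEMAXSESSION"=dword:...
dword_hex() { printf '%08x' "$1"; }

# Check a plan against the cautionary notes of step (a)6 and the connection
# budget; prints one line per finding and returns 1 if there is any.
lint_plan() {
  rc=0; total=0
  while IFS=: read -r svc owner group max; do
    [ "$owner" = "$ADMIN" ] || { echo "$svc: root job group owner is not $ADMIN"; rc=1; }
    [ -n "$group" ] || { echo "$svc: no JP1 resource group name"; rc=1; }
    case $max in
      -) ;;
      ''|*[!0-9]*|0?*) echo "$svc: bad session limit '$max'"; rc=1 ;;
      *) total=$((total + max)) ;;
    esac
  done <<EOF
$1
EOF
  # Assumption of this example: limits totalling more than the host limit are flagged.
  [ "$total" -le "$MANAGER_MAX" ] || { echo "limits total $total > $MANAGER_MAX"; rc=1; }
  return $rc
}

# Print, without executing, the commands of steps (a)2, (b)2 and (a)6.
emit_commands() {
  echo '# with the JP1/AJS3 services stopped:'
  printf '%s\n' 'jajs_config -k [JP1_DEFAULT\JP1AJSMANAGER] "HIDEOTHERSERVICE"="yes"'
  while IFS=: read -r svc owner group max; do
    [ "$max" = "-" ] || printf 'jajs_config -k [JP1_DEFAULT\\JP1AJSMANAGER\\%s] "SERVICEMAXSESSION"=dword:%s\n' "$svc" "$(dword_hex "$max")"
  done <<EOF
$1
EOF
  echo '# after JP1/AJS3 is restarted:'
  while IFS=: read -r svc owner group max; do
    printf 'ajschange -F %s -G -o %s -g %s /\n' "$svc" "$owner" "$group"
  done <<EOF
$1
EOF
}
lint_plan "$PLAN" && emit_commands "$PLAN"
```

The lines are printed exactly as the page writes them; when pasted into a UNIX shell, the bracketed key must be quoted so that the backslash survives.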

(c) Example of setting the execution agent restriction function

This subsection describes how to set the execution agent restriction function.

  1. Create an execution agent profile and edit it.

    Create an execution agent profile for each scheduler service and specify the names of the execution agents for which you want to permit execution.

  2. Enable the execution agent restriction function.

    Use one of the following methods to enable the execution agent restriction function:

    • Restart the JP1/AJS3 service.

    • Restart the scheduler service.

    • Execute the ajsprofalter command.

(d) Example settings for the function used to change JP1 user passwords in JP1/AJS3 - View

This subsection describes how to set the function used to change JP1 user passwords in JP1/AJS3 - View.

  1. Stop the JP1/AJS3 services.

  2. Execute the following commands to set the CHANGEPASSWORD and CHANGEPWDLOG environment setting parameters:

    jajs_config -k [JP1_DEFAULT\JP1AJSMANAGER] "CHANGEPASSWORD"="yes"
    jajs_config -k [JP1_DEFAULT\JP1AJSMANAGER] "CHANGEPWDLOG"="all"

  3. Restart JP1/AJS3.

    The function is enabled in JP1/AJS3 - View.

(5) Manual references

| Type | Item | Location |
| --- | --- | --- |
| Overview | Execution agent restriction | 2.5.1(6) Execution agent restriction in the JP1/Automatic Job Management System 3 System Design (Configuration) Guide |
| Overview | Unit owner and JP1 resource group | 7.2 Settings for restricting access to units in the JP1/Automatic Job Management System 3 Overview |
| Overview | Unit owner and JP1 resource group | 6.4 Setting access permissions in the JP1/Automatic Job Management System 3 System Design (Work Tasks) Guide |
| Configuration | Restricting the viewing of scheduler services | 6.1.10 Settings for preventing scheduler services for which the user does not have access permission from appearing in JP1/AJS3 - View in the JP1/Automatic Job Management System 3 Configuration Guide (for Windows) |
| Configuration | Restricting the viewing of scheduler services | 15.1.11 Settings for preventing scheduler services for which the user does not have access permission from appearing in JP1/AJS3 - View in the JP1/Automatic Job Management System 3 Configuration Guide (for UNIX) |
| Configuration | Maximum number of concurrent connections for JP1/AJS3 - View for a scheduler service | 6.1.11 Settings for restricting the maximum number of allowed concurrent sessions for scheduler services in the JP1/Automatic Job Management System 3 Configuration Guide (for Windows) |
| Configuration | Maximum number of concurrent connections for JP1/AJS3 - View for a scheduler service | 15.1.12 Settings for restricting the maximum number of allowed concurrent sessions for scheduler services in the JP1/Automatic Job Management System 3 Configuration Guide (for UNIX) |
| Configuration | Adding a scheduler service | 6.1.1(1) Adding a scheduler service in the JP1/Automatic Job Management System 3 Configuration Guide (for Windows) |
| Configuration | Adding a scheduler service | 15.1.1(1) Adding a scheduler service in the JP1/Automatic Job Management System 3 Configuration Guide (for UNIX) |
| Configuration | Execution agent restriction | 21.1.1 Setting execution agent restrictions in the JP1/Automatic Job Management System 3 Configuration Guide |
| Configuration | Function used to change JP1 user passwords in JP1/AJS3 - View | 6.8.3 Settings for permitting changing JP1 user passwords in JP1/AJS3 - View in the JP1/Automatic Job Management System 3 Configuration Guide (for Windows) |
| Configuration | Function used to change JP1 user passwords in JP1/AJS3 - View | 15.9.3 Settings for permitting changing JP1 user passwords in JP1/AJS3 - View in the JP1/Automatic Job Management System 3 Configuration Guide (for UNIX) |
| Operating procedures | Customizing JP1/AJS3 - View | 11. Customizing Windows and Dialog Boxes Used for JP1/AJS3 - View in the JP1/Automatic Job Management System 3 Operator's Guide |
| Dialog boxes | Change Password | 12.3.50 Change Password dialog box in the JP1/Automatic Job Management System 3 Operator's Guide |
| Commands | jajs_config | jajs_config in 2. Commands Used during Setup in the manual JP1/Automatic Job Management System 3 Command Reference |
| Commands | jajs_setup | jajs_setup in 2. Commands Used during Setup in the manual JP1/Automatic Job Management System 3 Command Reference |
| Commands | ajschange | ajschange in 3. Commands Used for Normal Operations in the manual JP1/Automatic Job Management System 3 Command Reference |