Hitachi

JP1 Version 12 JP1/Automatic Job Management System 3 Administration Guide


13.1.11 Restricting operations that can be performed from the Web GUI or user applications

If multiple users are using the Web GUI or user applications to monitor job processing, some users might perform unauthorized operations on units or the manager host. In such a situation, you can restrict operations that specific users can perform. This subsection describes how to restrict operations that can be performed from the Web GUI and user applications.

(1) Operation

Assume that there is a company in which a separate manager host is used for each department. In some departments, multiple operators use the Web GUI to monitor job processing. The following figure shows an example of a system in which a separate manager host is used for each department and multiple operators use the Web GUI to monitor job processing.

Figure 13‒23: Example of a system in which a separate manager host is used for each department and multiple operators use the Web GUI to monitor job processing

[Figure]

The following table describes the manager hosts used in the preceding example.

| No. | Host name | Description |
|---|---|---|
| 1 | HostA | The manager host used by the Sales department. Operation of this host is monitored by using the Web GUI. |
| 2 | HostB | The manager host used by the General Affairs department. Operation of this host is monitored by using the Web GUI. |
| 3 | HostC | The manager host used by other departments. Operation of this host is monitored by using the JP1/AJS3 - View. |

(2) Problem

Unauthorized operations might be performed from the Web GUI or user applications.

Specifically, the following problems must be resolved:

  1. Some users who use the Web GUI might perform unauthorized operations on units.

    If multiple users use the Web GUI, the default settings allow all users to perform all operations on any units monitored by the Web GUI. Therefore, some users might perform unauthorized operations. For example, a user who is appointed to perform only reruns might inadvertently register a unit for execution.

    [Figure]

  2. An operator in a department might inadvertently perform operations on the manager host of another department.

    If each department uses a separate manager host, the default settings allow all users to log in to any manager host from the Web GUI and to run API functions on any manager host from a user application. All JP1 users can perform all operations on any manager host. Therefore, a user might inadvertently log in to the manager host of another department and unintentionally perform operations on that manager host.

    [Figure]

  3. If there are many Web GUI users, it is difficult for the system administrator to manage all operational restrictions.

    If the Web GUI is used in multiple departments and only the system administrator manages all operational restrictions for users who belong to the departments, a heavy burden is placed on the system administrator.

    [Figure]

  4. Unauthorized API functions might be run.

    If only the Web GUI is used to perform operations without using user applications, unauthorized API functions might be run from unauthorized user applications, because the default settings do not restrict execution of API functions.

    [Figure]

(3) Solution

This subsection describes the solution for each item in (2) Problem. You can restrict operations that can be performed by users from the Web GUI or user applications by specifying the following settings:

  1. For each JP1 user, restrict operations that can be performed from the Web GUI, so that unauthorized operations are not performed.

    By enabling the operation restriction function of the Web GUI, you can set operational restrictions for each JP1 user who logs in. If a user for which operational restrictions are set logs in, the buttons, menus, and other items for performing the restricted operations are hidden.

    If the operation restriction function is enabled on the Web Console server, the function is enabled on all manager hosts to which the Web Console server can connect.

    [Figure]

  2. Prevent the users in a department from performing operations on the manager hosts of other departments.

    Performing operations on the hosts of other departments can be prevented by using the following two functions:

    Connection-destination host restriction function of the Web Console server:

    The manager hosts to which the Web Console server is permitted to connect can be specified. If this function is used, users can log in to only the specified manager hosts from the Web GUI and can run API functions from user applications on the specified manager hosts only. By permitting connection to only the manager hosts to be monitored by using the Web GUI, you can prevent login to other manager hosts.

    Operation restriction function of the Web GUI:

    The operational restrictions on JP1 users can be specified on each manager host. For JP1 users for whom operational restrictions are not set, the default settings (permit only viewing) are applied. By granting operation permissions to only the JP1 users that are used by the operators in a department, you can prevent the operators of other departments from performing operations on units.

    [Figure]

  3. Allow a user in each department to manage the operational restrictions on the users in the department.

    With the operation restriction function of the Web GUI, you can appoint users who manage operational restrictions (users who set permissions) for each manager host.

    By appointing only the JP1 user used by the department administrator as a user who sets permissions for each department, the administrator of a department can manage the operational restrictions on the users in the department. This can also prevent the operation restriction settings of a department from being changed by the administrator of another department.

    [Figure]

  4. Restrict execution of API functions from user applications.

    By enabling the API execution restriction function, execution of API functions can be restricted. If only the Web GUI is used to perform operations without using user applications, by restricting execution of API functions, you can prevent unauthorized operations from user applications.

    [Figure]

(4) Configuration procedure

The following describes what the system administrator and the user who sets permissions must perform to set up functions.

Tasks of the system administrator

The system administrator enables the operation restriction function of the Web GUI and the API execution restriction function. The system administrator also specifies the names of the manager hosts to which the Web Console server can connect, and appoints users who set permissions for each manager host.

Tasks of the user who sets permissions

A user who sets permissions uses the Web GUI to set operational restrictions on users for each manager host.

The JP1 users are assumed to be those in the following table.

Table 13‒9: Example JP1 users

| No. | JP1 user name | User role | Duty |
|---|---|---|---|
| 1 | jp1admin | System administrator | Manages the entire JP1/AJS3 system |
| 2 | admin1 | Administrator of the Sales department | Performs monitoring and operations, and manages operational restrictions on users as a user who sets permissions, by using the Web GUI |
| 3 | admin2 | Administrator of the General Affairs department | Performs monitoring and operations, and manages operational restrictions on users as a user who sets permissions, by using the Web GUI |
| 4 | user1 | Operator in the Sales department | Monitors the operating status and reruns units by using the Web GUI |

The following describes the procedure for the tasks that each type of user must perform.

(a) Tasks of the system administrator

The system administrator enables the operation restriction function of the Web GUI and the API execution restriction function by editing the environment setting file (ajs3web.conf) of JP1/AJS3 - Web Console. The system administrator also specifies the names of manager hosts to which the Web Console server can connect, and appoints users who set permissions for each manager host.

The following shows the procedure of the tasks that the system administrator must perform.

  1. Stop the JP1/AJS3 HTTP Server and JP1/AJS3 Web Application Server services.

  2. Back up the ajs3web.conf file, and store the backup file in any folder.

  3. Copy the model file (ajs3web.conf.model), and then rename the copy of the file to ajs3web.conf.

  4. Open the ajs3web.conf file by using a text editor.

  5. Delete the semicolon (;) prefixed to the GUI_OPERATION_RESTRICTION parameter, and then specify yes as the value of the parameter.

  6. Delete the semicolon (;) prefixed to the PERMITTED_AJS_MANAGER_HOST parameter, and then, for the parameter, specify the names of manager hosts to which the Web Console server is permitted to connect.

    You can specify the following manager host names:

    Physical host:

    Host name that is output when the hostname command is run on a manager host

    Logical host:

    Logical host name that was specified when the logical host environment was set up

    For example, in the system example shown earlier, if you want only the Sales department's and General Affairs department's manager hosts to be connectible manager hosts, specify the parameter as follows:

    PERMITTED_AJS_MANAGER_HOST=HostA,HostB

  7. Delete the semicolon (;) prefixed to the API_EXECUTION_RESTRICTION parameter, and then specify yes as the value of the parameter.

  8. Specify the JP1 users to be appointed as users who set permissions.

    Here, you specify jp1admin, which is used by the system administrator, and the JP1 user used by the administrator of each department as the user who sets permissions as follows:

    Manager host of the Sales department:

    [HostA]
    WEB_CONSOLE_SETTING_USER=jp1admin,admin1

    Manager host of the General Affairs department:

    [HostB]
    WEB_CONSOLE_SETTING_USER=jp1admin,admin2

  9. Save the ajs3web.conf file.

  10. Start the JP1/AJS3 HTTP Server and JP1/AJS3 Web Application Server services.
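
A check for the result of steps 5 to 8, as an added example that is not part of the Hitachi manual: it reads an ajs3web.conf and lists the restriction settings that are still disabled or missing. The sample file is constructed from the lines shown on this page; where the global parameters sit in the real file is an assumption, so the check looks for them in any section, and the function names are hypothetical.

```python
import re

# Constructed sample in the layout shown on this page: ";" disables a parameter,
# "[HostA]" opens the section for one manager host.
SAMPLE_CONF = """\
GUI_OPERATION_RESTRICTION=yes
PERMITTED_AJS_MANAGER_HOST=HostA,HostB
;API_EXECUTION_RESTRICTION=no
[HostA]
WEB_CONSOLE_SETTING_USER=jp1admin,admin1
[HostB]
;WEB_CONSOLE_SETTING_USER=
"""

def parse_conf(text):
    """Return {section: {parameter: value}}; "" holds lines before any [host]."""
    sections, current = {"": {}}, ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue                      # blank, or still disabled by its semicolon
        header = re.fullmatch(r"\[(.*)\]", line)
        if header:
            current = header.group(1).strip()
            sections.setdefault(current, {})
        elif "=" in line:
            key, value = line.split("=", 1)
            sections[current][key.strip()] = value.strip()
    return sections

def audit_conf(text):
    """List the settings from steps 5 to 8 that are not in effect."""
    sections = parse_conf(text)
    def value_of(name):                   # first active occurrence in any section
        return next((p[name] for p in sections.values() if name in p), "")
    findings = []
    for name in ("GUI_OPERATION_RESTRICTION", "API_EXECUTION_RESTRICTION"):
        if value_of(name) != "yes":
            findings.append(f"{name} is not set to yes")
    hosts = [h.strip() for h in value_of("PERMITTED_AJS_MANAGER_HOST").split(",") if h.strip()]
    if not hosts:
        findings.append("PERMITTED_AJS_MANAGER_HOST is not set")
    for host in hosts:                    # every permitted host needs a permission setter
        if not sections.get(host, {}).get("WEB_CONSOLE_SETTING_USER"):
            findings.append(f"[{host}] has no WEB_CONSOLE_SETTING_USER")
    return findings

if __name__ == "__main__":
    print("\n".join(audit_conf(SAMPLE_CONF)) or "all restriction settings are in effect")
```

Run it against the edited file before step 10, so that a parameter left behind its semicolon is caught before the services are started.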

(b) Tasks of the user who sets permissions

A user who sets permissions sets the users' operational permissions by applying the operating permission configuration file from the Web GUI. The following shows the procedure for the tasks that the user who sets permissions must perform.

  1. Log in with the Web GUI by specifying a manager host for which you want to set operational restrictions.

  2. From the Management menu at the top of the screen, select Operating Permission Settings, and then Acquire Model File.

    The model file for the operating permission configuration file (operationpermission_model.csv) is downloaded.

  3. Copy the downloaded model file, and then rename it to a desired name.

  4. Save the renamed operating permission configuration file to any folder as the master operating permission configuration file.

  5. Open the master operating permission configuration file (CSV file) with spreadsheet software or a similar program.

  6. Modify the definitions to be changed.

    The following table shows an example of operational restrictions, and the table is followed by the contents of the operating permission configuration file that sets those operational restrictions.

    Table 13‒10: Operational restrictions to be set using the operating permission configuration file

    | Name | JP1 user name | Section the user belongs to | Position | Operational restrictions |
    |---|---|---|---|---|
    | Taro Hitachi | jp1admin | Operational section | Manager of operators | Permit all operations |
    | Hanako Hitachi | jp1user1 | Operational section | Operator | Permit all operations other than definition editing |
    | Jiro Hitachi | jp1user2 | Development section | Developer | Permit only viewing and definition editing |
    | Other users | | | | Permit only viewing |

    An example of coding

    FileVersion=1.0,,,,,,,,,,,,,,,,,,,,,,,,,,,
    #,Option 1,Option 2,Option 3,Option 4,Option 5,Option 6,Option 7,Option 8,Option 9,Option 10,JP1 User Name,Classification,Register for Execution,Cancel Registration,Add,Change Plan (Change Time),Change Plan (Execute Immediately),Change Plan (Execution Prohibited),Change Plan (Release Change),Delay monitoring changed,Rerun,Interrupted,Kill,Change Status,Edit Definition,Hold,Hold Release
    ,Hitachi,Operational section,Manager of operators,Taro Hitachi,,,,,,,jp1admin,A,,,,,,,,,,,,,,,
    ,Hitachi,Operational section,Operator,Hanako Hitachi,,,,,,,jp1user1,C,1,1,1,1,1,1,1,1,1,1,1,1,0,1,1
    ,Hitachi,Development section,Developer,Jiro Hitachi,,,,,,,jp1user2,C,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0
    ,Default setting,,,,,,,,,,*,R,,,,,,,,,,,,,,,

  7. Save the operating permission configuration file in CSV format.

  8. From the Management menu at the top of the Web GUI screen, select Operating Permission Settings, and then Apply.

    The Apply Operating Permission Settings dialog box opens.

  9. From Select, select the operating permission configuration file that you edited, and then click the OK button.

    Note

    After you select the operating permission configuration file, if you change the file contents and then apply the file, the changes might not be applied or communication might time out because a request cannot be sent. If you change the contents of the operating permission configuration file after selecting the file, reselect the file.

  10. Notify all Web GUI users that re-login is required.

    Note

    The specified or changed settings in the operating permission configuration file are not applied to the relevant Web GUI users until they log in again. If possible, restart the JP1/AJS3 HTTP Server service and the JP1/AJS3 Web Application Server service.
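
A pre-apply review of the operating permission configuration file, as an added example that is not part of the Hitachi manual: it resolves each row to the set of operations it permits and flags rows that would grant more than intended. The meaning of the classification values (A, C, R) and of a leading # is inferred from Table 13‒10 and the coding example above, and the function name is hypothetical.

```python
import csv
import io

# The coding example from this page, embedded so the check runs offline.
SAMPLE_CSV = """\
FileVersion=1.0,,,,,,,,,,,,,,,,,,,,,,,,,,,
#,Option 1,Option 2,Option 3,Option 4,Option 5,Option 6,Option 7,Option 8,Option 9,Option 10,JP1 User Name,Classification,Register for Execution,Cancel Registration,Add,Change Plan (Change Time),Change Plan (Execute Immediately),Change Plan (Execution Prohibited),Change Plan (Release Change),Delay monitoring changed,Rerun,Interrupted,Kill,Change Status,Edit Definition,Hold,Hold Release
,Hitachi,Operational section,Manager of operators,Taro Hitachi,,,,,,,jp1admin,A,,,,,,,,,,,,,,,
,Hitachi,Operational section,Operator,Hanako Hitachi,,,,,,,jp1user1,C,1,1,1,1,1,1,1,1,1,1,1,1,0,1,1
,Hitachi,Development section,Developer,Jiro Hitachi,,,,,,,jp1user2,C,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0
,Default setting,,,,,,,,,,*,R,,,,,,,,,,,,,,,
"""

def load_permissions(text):
    """Return ({JP1 user: set of permitted operations}, [findings])."""
    rows = list(csv.reader(io.StringIO(text)))
    head = next(r for r in rows if r and r[0] == "#")    # column-title row
    user_col, class_col = head.index("JP1 User Name"), head.index("Classification")
    ops = head[class_col + 1:]
    perms, findings = {}, []
    for row in rows[rows.index(head) + 1:]:
        row = row + [""] * (len(head) - len(row))         # pad short rows
        user, cls = row[user_col].strip(), row[class_col].strip()
        if not user or row[0].startswith("#"):            # assumed: "#" marks a comment row
            continue
        if user in perms:
            findings.append(f"{user}: defined more than once")
        flags = [f.strip() for f in row[class_col + 1:len(head)]]
        # Assumed from Table 13-10: A = all operations, R = viewing only, C = per-column 0/1.
        if cls == "A":
            perms[user] = set(ops)
        elif cls == "C":
            bad = [o for o, f in zip(ops, flags) if f not in ("0", "1")]
            if bad:
                findings.append(f"{user}: no 0/1 value for {', '.join(bad)}")
            perms[user] = {o for o, f in zip(ops, flags) if f == "1"}
        else:
            perms[user] = set()
            if cls != "R":
                findings.append(f"{user}: unknown classification {cls!r}, reported as view-only")
        if user == "*" and perms[user]:
            findings.append("*: default row permits operations for every user without a row")
    return perms, findings

if __name__ == "__main__":
    perms, findings = load_permissions(SAMPLE_CSV)
    for user, allowed in perms.items():
        print(f"{user:10} {', '.join(sorted(allowed)) or 'view only'}")
    print(findings or "no findings")
```

Comparing the resolved sets against the intended restrictions table before selecting Apply catches a shifted column or a default row that is broader than viewing only.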

(5) Manual references

| Type | Item | Location |
|---|---|---|
| Overview | Operation restriction function of the Web GUI | 14.2 Settings for restricting the operations that Web GUI users can perform in the JP1/Automatic Job Management System 3 Operator's Guide |
| Configuration | Environment-settings file (ajs3web.conf) | 3.4.3 Details on the settings in the environment-settings file (ajs3web.conf) in the JP1/Automatic Job Management System 3 Configuration Guide (for Windows); 13.3.3 Details on settings in the environment-settings file (ajs3web.conf) in the JP1/Automatic Job Management System 3 Configuration Guide (for UNIX) |
| | Operating permission configuration file | 17.2.2 Customizing the operation restriction settings for each user in the JP1/Automatic Job Management System 3 Operator's Guide |
| Dialog boxes | Apply Operating Permission Settings | 16.27 Apply Operating Permission Settings dialog box in the JP1/Automatic Job Management System 3 Operator's Guide |

(6) Cautionary notes