Hitachi

JP1 Version 12 JP1/Integrated Management 2 - Manager Overview and System Design Guide


8.4.1 Managing JP1 users

JP1/IM performs user authentication and access control based on dedicated JP1 user accounts, designed to allow JP1/IM to operate securely in a multi-platform environment. JP1 users are managed via JP1/Base user management.

The following are the details about the user management functionality.

(1) User authentication

JP1/IM monitors the system by accessing JP1/IM on the manager from JP1/IM - View on the viewer. To prevent access by unauthorized users, user authentication is performed during login processing whenever JP1/IM is accessed from JP1/IM - View.

In JP1/IM, user authentication is carried out by the JP1/Base user authentication function when a user attempts to log in to JP1/IM from JP1/IM - View. The JP1/Base that performs this user authentication is called an authentication server.

At login, the JP1 user is authenticated by the authentication server assigned to the JP1/IM host.

The following figure shows the flow of user authentication when a user logs in to the JP1/IM host from JP1/IM - View.

Figure 8‒5: Flow of processing for user authentication

[Figure]

The flow of processing is described below, following the numbers in the figure:

  1. When a user logs in to the JP1/IM host from JP1/IM - View, user authentication is carried out by the authentication server associated with JP1/Base on the JP1/IM host.

    The authentication server used by the JP1/IM host is set up in JP1/Base on that host.

    When the authentication server is installed on a host that is not the JP1/IM - Manager host, login from JP1/IM - View fails if the authentication server is not already running.

  2. The authentication server checks whether the JP1 user who made the login attempt is registered. If the JP1 user is registered, information about the operating permissions for that JP1 user is returned to JP1/IM - View via the JP1/IM host. (For details about operating permissions for JP1 users, see 8.4.1(2) Access control.)

    JP1 users must be registered in the authentication server in advance.

A group of hosts that use the same authentication server for JP1 user authentication is called an authentication block. Users can access JP1/AJS - View windows from JP1/IM - View without needing to log in to JP1/AJS - View if the associated JP1/AJS - Manager is in the same authentication block as JP1/IM - View, as shown in the following figure. (In a system that switches between authentication servers, login will be required after a switch has taken place.) If the JP1/AJS - Manager is in a different authentication block, login is required.

Figure 8‒6: Authentication blocks

[Figure]

You can set up two authentication servers in the same authentication block. If connection to one authentication server fails, the JP1 user can connect to and be authenticated by the other authentication server. This prevents any interruption of job processing due to an authentication server error or other such problem. The authentication server used routinely is called the primary authentication server, and the authentication server in reserve is called the secondary authentication server. Both servers must be running the same JP1/Base version.

(2) Access control

Only users authenticated by the authentication server are able to log in to JP1/IM. However, there are problems inherent in giving all logged-in users unrestricted access to reference or operate on the management information of JP1/IM. For this reason, JP1/IM allows you to assign access permissions and operating permissions to individual JP1 users that restrict the operations and information available to them in JP1/IM - View.

The access permissions and operating permissions for JP1 users are managed by the authentication server. When user authentication is performed at login, information about the access permissions and operating permissions of the logged-in user (JP1 user) is returned to JP1/IM. JP1/IM uses this information to control what information is displayed and what operations the user can perform in JP1/IM - View.

Access permissions and operating permissions are set when JP1 users are registered in the authentication server. The access permission for a JP1 user is called a JP1 resource group, and the operating permission is called a JP1 permission level. The range of tasks a JP1 user can perform in JP1/IM - View is determined by the assigned JP1 resource group and JP1 permission level.

The JP1 resource group for JP1/IM is JP1_Console. You do not have to change this if you use IM Configuration Management. If you want to restrict viewing of and operating on business groups for individual JP1 users in the Central Console, or if you want to control the display range of the monitoring tree in the Central Scope, you need to change the JP1 resource groups set on the authentication server. For details, see 4.1.4 Restrictions on viewing and operating business groups and 5.4.3 Setting the monitoring range of a monitoring tree.

JP1/IM and IM Configuration Management provide three JP1 permission levels, as listed below. To each JP1 user, assign the permission level that matches their responsibilities (the range of tasks the user performs in JP1/IM - View).

Table 8‒11: JP1 permission levels

JP1/IM - Manager component: JP1/IM

  Permission level: JP1_Console_Admin
  Permitted operations:
    • Use the Central Console and Central Scope (set the system environment, perform system operations, reference information, set the user environment, and start linked products).
    • Reference the system hierarchy and host information in IM Configuration Management.

  Permission level: JP1_Console_Operator
  Permitted operations:
    • Use the Central Console and Central Scope, reference information, set the user environment, and start linked products.
    • Reference the system hierarchy and host information in IM Configuration Management.

  Permission level: JP1_Console_User
  Permitted operations:
    • Perform reference operations in the Central Console and Central Scope, set the user environment, and start linked products.
    • Reference the system hierarchy and host information in IM Configuration Management.
    • Cannot execute commands.

JP1/IM - Manager component: IM Configuration Management

  Permission level: JP1_CF_Admin
  Permitted operations: Perform all operations in IM Configuration Management, including changing the system hierarchy, changing profiles, and so on.

  Permission level: JP1_CF_Manager
  Permitted operations: Reference the system hierarchy, and reference and collect host information.

  Permission level: JP1_CF_User
  Permitted operations: Reference and collect the system hierarchy and host information.

Users who work with IM Configuration Management must have both a JP1/IM permission level and an IM Configuration Management permission level.

For details about the operations that the different JP1 permission levels allow JP1 users to perform in JP1/IM - View, see Appendix E. Operating Permissions.

The following figure shows an example of controlling a JP1 user's access.

Figure 8‒7: Example of JP1 user access control

[Figure]

(3) User mapping

When a command is executed from JP1/IM, either by automated action or from JP1/IM - View, the OS user permissions for the target host are required to actually execute the command on that host. For this reason, the OS user permissions associated with the JP1 user are acquired at command execution.

The functionality that associates JP1 users with OS users is called user mapping and is provided by JP1/Base.

User mapping must be defined on all target hosts at which commands are to be executed.

To use IM Configuration Management, you do not need to define user mapping on the manager running IM Configuration Management or on its managed hosts.
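The following Python model, added here as an illustration and not Hitachi's or JP1's own code, ties together the three checks described in (1) to (3): login through a primary or secondary authentication server, the JP1 permission-level check from Table 8‒11 (JP1_Console_User cannot execute commands), and user mapping on the target host. All host names, JP1 users, OS users and the permission table are constructed sample data.

```python
# Added illustration (not JP1's code): minimal model of the JP1/IM checks a
# command passes through when executed from JP1/IM - View or an automated
# action. All names below are constructed sample data.

# Constructed authentication block: JP1 users registered on the
# authentication server, each with a JP1 resource group and permission level.
REGISTERED_USERS = {
    "jp1admin": ("JP1_Console", "JP1_Console_Admin"),
    "jp1oper": ("JP1_Console", "JP1_Console_Operator"),
    "jp1view": ("JP1_Console", "JP1_Console_User"),
}

# Operation classes permitted per JP1 permission level, following Table 8-11.
# "execute_command" is deliberately absent for JP1_Console_User.
PERMITTED = {
    "JP1_Console_Admin": {"set_system_env", "execute_command", "reference", "set_user_env"},
    "JP1_Console_Operator": {"execute_command", "reference", "set_user_env"},
    "JP1_Console_User": {"reference", "set_user_env"},
}

# Constructed user mapping per target host: JP1 user -> OS user.
# A host with no entry for a JP1 user cannot run that user's commands.
USER_MAPPING = {
    "hostA": {"jp1admin": "root", "jp1oper": "jp1ops"},
    "hostB": {"jp1admin": "Administrator"},
}


def authenticate(user, servers_up):
    """Return (resource_group, permission_level) for a registered JP1 user.

    servers_up is (primary_running, secondary_running): login succeeds if
    either authentication server in the block is reachable. Returns None
    when no server is running or the JP1 user is not registered."""
    if not any(servers_up):
        return None
    return REGISTERED_USERS.get(user)


def run_command(user, target_host, servers_up=(True, True)):
    """Model the full path: login, permission-level check, user mapping."""
    auth = authenticate(user, servers_up)
    if auth is None:
        return "login failed"
    _group, level = auth
    if "execute_command" not in PERMITTED[level]:
        return f"denied: {level} cannot execute commands"
    os_user = USER_MAPPING.get(target_host, {}).get(user)
    if os_user is None:
        return f"failed: no user mapping for {user} on {target_host}"
    return f"executed on {target_host} as OS user {os_user}"
```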