Systemwalker Operation Manager  Installation Guide
FUJITSU Software

2.5.3 Defining Users (When using Extended User Management Function) [UNIX]

This section describes how to define users when using the Extended User Management function.

Users registered and managed in Systemwalker Operation Manager using the Extended User Management function are hereinafter referred to as Operation Manager users, while users managed on operating systems are referred to as OS users.

Extended User Management function

In the UNIX version, the Extended User Management function allows users who have been registered in Systemwalker Operation Manager to use its functions.

Each Operation Manager user is given either the administrator or the non-administrator attribute. An Operation Manager user registered as an administrator has the same privileges for Systemwalker Operation Manager as the conventional system administrator when operating from a client. An Operation Manager user with administrator privileges can perform tasks that were conventionally allowed only to the system administrator, such as project registration and Systemwalker Operation Manager environment setup.

However, even when you operate from a client, commands on the server are executed with the privileges of the user registered in the operating system. Registering an Operation Manager user requires an OS user to associate with it (multiple Operation Manager users can be associated with one OS user). In addition, you must specify an OS user as the owner of a project and as the user who executes jobs.

Overview of user definition when using the Extended User Management function

This section gives an overview of user definition when using the Extended User Management function.

  1. Decide which users are required for your Systemwalker Operation Manager operation, referring to "2.5.3.1 User Management of the Extended User Management Function" and "2.5.2.2 Job Execution Privileges".

  2. Register OS users if necessary. Use the operating system functions to register them.

  3. Define the Extended User Management function.

    1. Register an Operation Manager user and his/her password, if necessary.

      When distributing Operation Manager user information using the Policy Data Distribution function, you do not need to register the user in the policy data distribution destination server.

    2. Execute the command of the Extended User Management function to enable the Extended User Management function.

      You must also set it in the policy data distribution destination server.

    3. Set the password for the "root" user (administrator).

      You must set it in the policy data distribution destination server.

    For more information, see "2.5.3.2 Defining the Extended User Management Function".

  4. Extract and distribute policy data, if necessary. For more information, see "2.14.3 Extracting/Distributing Policy Data when Using the Extended User Management Function [UNIX]".

Point

To allow general users to use projects when Systemwalker Operation Manager is operating, the system administrator should set up access rights for users without administrator privileges (such as general users) by referring to "Setting Access Rights for Projects" in the Systemwalker Operation Manager User's Guide.

Note

Users with administrator privileges

In Systemwalker Operation Manager, "Users with administrator privileges" refers to the users below.

  • System administrators (users belonging to the Administrators group in the Windows system or superusers in the UNIX system)

  • Operation Manager users with administrator privileges, if the Extended User Management function is enabled in the UNIX version

2.5.3.1 User Management of the Extended User Management Function

This section explains how users are controlled by the Extended User Management function.

If the Extended User Management function is enabled, only Operation Manager users can operate Systemwalker Operation Manager from the Systemwalker Operation Manager client. The following explains user management when the Extended User Management function is enabled.

Logging in to the Systemwalker Operation Manager server

If the Extended User Management function is enabled, you must log in to the Systemwalker Operation Manager server as an Operation Manager user from each Systemwalker Operation Manager client.

If the Extended User Management function is disabled, log in as an OS user.

Registering/deleting projects

If you log in as the Operation Manager user with administrator privileges, you can register or delete projects. The Operation Manager user without administrator privileges cannot register or delete projects.

Project owner

Be sure to specify an OS user as the owner of a project. You can specify either a system administrator (superuser) or an ordinary user.

If you log in as the Operation Manager user with administrator privileges, you can change the owner of the project. The Operation Manager user without administrator privileges cannot change the owner of the project.

Setting access privileges to projects

If you log in as an Operation Manager user, the user name displayed in the Set Permissions window is the Operation Manager user, not the OS user. Only an Operation Manager user with administrator privileges can register the users who can access projects. To register them, select from the user names registered as Operation Manager users.

Refer to "Setting up Access Permissions for Projects" in the Systemwalker Operation Manager User's Guide for details.

Monitoring/operating projects

The Operation Manager user with administrator privileges has the update right to all projects. The Operation Manager user without administrator privileges can operate projects to which their access privileges have been set.

Registering/changing job nets or groups

The Operation Manager user with administrator privileges or Operation Manager user with the update right and change right to projects can register and change job nets or groups from a client.

User restriction

Only the OS users associated with the Operation Manager users registered in the swadmin group can start on-demand jobs, start job nets having Job Execution Control attributes, and execute Jobscheduler commands. For details, see "2.5.5 Define User Restrictions".

Job execution user

Be sure to specify the OS user as the job execution user.

Command/API execution users

As before, when commands provided by Operation Manager are executed on the server, only the system administrator (superuser) can execute commands/APIs that require system administrator privileges.

As before, ordinary users can execute the commands/APIs that are available to them and are not restricted by access privileges to projects.

Commands that are available to ordinary users but are executed only when the user has access privileges to the project (Note) are handled as follows.

  1. If the OS user who executed the command or API is the system administrator, it is executed with Operation Manager administrator privileges (with the update right to all projects).

  2. If the OS user is the project owner, the user is assumed to have the update right to the project they own.

  3. For all other users, the Operation Manager users for which access rights to the project have been set up are checked.

    1. The OS user associated with each of those Operation Manager users is checked to determine whether access privileges have been set for the OS user trying to execute the command.

    2. If the access privileges are confirmed, the command is executed.

    Note: Commands accessible to ordinary users are as follows.

    • jobschsetnet command

    • jobschsetgrp command

    • jobschctljob command

    • jobschcontrol command

    • jobschctlgrp command

    • jobschmove command

    • jobschmsgclear command

    • jobschprint command

    • jobschnetmemo command

You can check the access privileges of the OS user to each project by the mpprjcmdacl command. For more information, refer to the Systemwalker Operation Manager Reference Guide - mpprjcmdacl Command.

2.5.3.2 Defining the Extended User Management Function

You must define the Operation Manager users to allow using each Systemwalker Operation Manager function.

Outline

Register the Operation Manager user and enable the Extended User Management function.

In addition, set a password for a user name, "root".

Note

Understanding "root"

The user name "root" in the Extended User Management function is registered by default as an Operation Manager user with administrator privileges. You cannot delete it.

Definition procedure

You must execute the following commands using the system administrator (superuser) privileges on the Systemwalker Operation Manager server.

For more information on the commands included in the procedure below, see the Systemwalker Operation Manager Reference Guide - Security Command.

  1. Register an Operation Manager user.

    1. Register an Operation Manager user using the mpadduser command.

      Select administrator or non-administrator as an attribute, and specify an OS user to associate with it.

      The following shows the OS users that can be associated with an Operation Manager user with the administrator or non-administrator attribute.

      | Operation Manager user | OS user to be associated with |
      |---|---|
      | Administrator | System administrator (superuser) |
      | Non-administrator | Ordinary users (other than superuser) |

      The OS user to be associated with the Operation Manager user must have been registered on the operating system. You cannot use the mpadduser command for registering the OS user.

    2. Set a password using the mpsetpasswd command.

  2. Enabling or disabling the Extended User Management function

    Issue the mpsetusermode command to enable the Extended User Management function.

    When the Extended User Management function is disabled, the operation is allowed only to the OS users even if Operation Manager users have been registered.

  3. Register a password for "root".

    Set a password for "root" using the mpsetpasswd command.

To view the list of registered Operation Manager users, use the mpusers command. To modify the attributes of a registered Operation Manager user, use the mpmoduser command, and to delete a user, use the mpdeluser command. Use the mpusermode command to confirm whether the Extended User Management function is enabled.

2.5.3.3 Extended User Management Function Setup Examples

This section shows the Extended User Management function setup examples.

Operation Manager user registration example

Assume that you have set the Operation Manager users as follows.

| Operation Manager user | OS user | Privileges |
|---|---|---|
| root (Note) | root (system administrator) | Administrator |
| swroot | root (system administrator) | Administrator |
| swuser1 | user (ordinary user) | Non-administrator |
| swuser2 | user (ordinary user) | Non-administrator |
| swuser3 | user (ordinary user) | Non-administrator |
| swguest | guest (ordinary user) | Non-administrator |

Note:

The user name "root" is registered as an Operation Manager user with administrator privileges by default. You cannot delete it. When using the user name "root", you must set a password.

When registering an Operation Manager user with administrator privileges, you must associate the OS user of the system administrator with it. When registering an Operation Manager user with non-administrator privileges, you must associate the OS user of the ordinary user with it.

Access privileges setup example

An Operation Manager user with administrator privileges has the update right to all projects as the Systemwalker Operation Manager administrator.

An Operation Manager user without administrator privileges can operate only the projects for which access privileges have been set for that user, within the limits of those privileges.

An Operation Manager user with administrator privileges must set the access privileges of Operation Manager users without administrator privileges, if necessary.

Four privileges are provided: the update right, change right, operation right, and reference right. The update right includes the change right, operation right and reference right, and the change right and operation right each include the reference right. The order of privilege strength is as follows.

Update right > change right / operation right > reference right

Assume that you set the access privileges as follows.

| Project | Project owner | Access privileges to be set |
|---|---|---|
| Management project | root | Not set |
| user project | user | swuser1: Update right; swuser2: Change right; swuser3: Operation right |
| guest project | guest | swguest: Reference right; swuser1: Reference right |

Access privileges of the Operation Manager user

If you register Operation Manager users and set the access privileges as shown above, the Operation Manager users' access privileges to the projects are as follows.

| Operation Manager user | Displayed project | Access privileges |
|---|---|---|
| root, swroot | Management project | Update right |
| root, swroot | user project | Update right |
| root, swroot | guest project | Update right |
| swuser1 | user project | Update right |
| swuser1 | guest project | Reference right |
| swuser2 | user project | Change right |
| swuser3 | user project | Operation right |
| swguest | guest project | Reference right |

Access privileges of the OS user

If the OS user is the system administrator, the user has the update right to all projects. If the OS user is an ordinary user and the project owner, the user has the update right to their own projects.

If the OS user is an ordinary user but not the project owner, the user has the highest level of privileges among the access privileges of the Operation Manager users associated with that OS user (Update right > Change right / Operation right > Reference right).

Note that if an OS user that executes commands or APIs has been associated with multiple Operation Manager users and both change rights and operation rights have been set up, the OS user will have both rights.

If you register the Operation Manager users and set the access privileges as shown above, the associated OS user's access privileges to the projects are as follows.

| OS user | Project | Access privileges to projects when executing command | Description |
|---|---|---|---|
| root | Management project | Update right | The "root" OS user is the system administrator, and so has update rights for all projects. |
| root | user project | Update right | |
| root | guest project | Update right | |
| user | user project | Update right | For the "user" project, "swuser1" has update rights, "swuser2" has operation rights and "swuser3" has change rights, and so the OS user "user" will have update rights to the "user" project. |
| user | guest project | Reference right | For the "guest" project, "swuser1" has reference rights, and so the OS user "user" will have reference rights to the "guest" project. |
| guest | guest project | Update right | The OS user "guest" is the owner of the "guest" project and so has update rights to the "guest" project. |
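
The resolution rules above can be checked against a planned user layout before it is registered. The following is an added example, not part of the Fujitsu manual or product: it models the rules in Python using the setup example's data, and reports where a shared OS account holds more rights on the command line than one of its Operation Manager users holds from a client. The lowercase right names and the function names are assumptions made for the model.

```python
# Added model of the page's rules (Update > Change / Operation > Reference).
IMPLIES = {
    "update": {"update", "change", "operation", "reference"},
    "change": {"change", "reference"},
    "operation": {"operation", "reference"},
    "reference": {"reference"},
}
ALL_RIGHTS = frozenset(IMPLIES["update"])
SUPERUSERS = {"root"}  # OS users that are system administrators

# Data copied from the page's setup example tables.
OM_USERS = {  # Operation Manager user -> (associated OS user, is administrator)
    "root": ("root", True), "swroot": ("root", True),
    "swuser1": ("user", False), "swuser2": ("user", False),
    "swuser3": ("user", False), "swguest": ("guest", False),
}
PROJECTS = {  # project -> (owner OS user, {Operation Manager user: right set})
    "Management project": ("root", {}),
    "user project": ("user", {"swuser1": "update", "swuser2": "change",
                              "swuser3": "operation"}),
    "guest project": ("guest", {"swguest": "reference", "swuser1": "reference"}),
}

def om_user_rights(om_user, project):
    """Rights an Operation Manager user has when working from a client."""
    if OM_USERS[om_user][1]:
        return set(ALL_RIGHTS)
    return set(IMPLIES.get(PROJECTS[project][1].get(om_user), ()))

def os_user_rights(os_user, project):
    """Rights an OS user has when executing commands/APIs on the server."""
    owner, acl = PROJECTS[project]
    if os_user in SUPERUSERS or os_user == owner:
        return set(ALL_RIGHTS)
    rights = set()
    for om_user, right in acl.items():  # union over associated users
        if OM_USERS[om_user][0] == os_user:
            rights |= IMPLIES[right]
    return rights

def shared_account_gaps():
    """(OM user, project, extra rights) where the OS user exceeds the OM user."""
    gaps = []
    for om_user, (os_user, _) in sorted(OM_USERS.items()):
        for project in PROJECTS:
            extra = os_user_rights(os_user, project) - om_user_rights(om_user, project)
            if extra:
                gaps.append((om_user, project, sorted(extra)))
    return gaps
```

With the example data, `shared_account_gaps()` lists swuser2, swuser3 and swguest: each is associated with an OS user that, through ownership or through another associated Operation Manager user, holds rights the individual user was not granted.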