Systemwalker Operation Manager  Installation Guide
FUJITSU Software

2.5.4 Defining Users (When Using a Systemwalker Authentication Repository)

This section explains the user definitions when using a Systemwalker authentication repository.

Functions for managing users with a Systemwalker authentication repository

If a Systemwalker authentication repository is used, users that have been registered with the Systemwalker authentication repository can use compatible Systemwalker Operation Manager functions from their client machines.

Users registered on the Systemwalker authentication repository all have non-administrator attributes. For the administrator, use a system administrator user that has been registered with the operating system (the built-in Windows Administrator account or UNIX superuser). At this point, users that have not been registered with the operating system as a system administrator cannot use Systemwalker Operation Manager from their client machines.

Also, even when a user registered with the Systemwalker authentication repository logs in from the client, jobs executed on the server run with the privileges of a user registered with the operating system. OS users must be specified for project owners and job execution users beforehand.

Overview of user definitions when using a Systemwalker authentication repository

The user definitions when using a Systemwalker authentication repository are explained below:

  1. A Systemwalker authentication repository is designed to centrally manage users for multiple Systemwalker products. Before using a Systemwalker authentication repository, decide on a rule for creating users that are unique among all servers that use the Systemwalker authentication repository. Note that the users in the Systemwalker authentication repository are all non-administrator users in Systemwalker Operation Manager. If administrator privileges are required, use a system administrator for the operating system.

  2. Users that are created according to the rules above are registered in the Systemwalker authentication repository.

  3. Use the swidmg_user_mng command (user management command) to register newly created accounts and initial passwords with the Systemwalker authentication repository. Refer to the Systemwalker User's Guide - Systemwalker User Management and Single Sign-on for details.

The user IDs and passwords that can be registered are subject to the following restrictions:

| Item | Length | Character types that can be used | Restrictions on combinations of character types |
|---|---|---|---|
| User ID | 1 to 32 bytes | Alphabetic characters, numeric characters, underscore ("_"), hyphen ("-") and period (".") | None |
| Password | 8 to 50 bytes | Alphabetic characters, numeric characters, and the following symbols: ! $ ' ( ) ~ ` { } _ - ^ . | At least one alphabetic character and at least one numeric character must be used. |
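
An added example (not part of the Fujitsu manual): a pre-registration check in Python that applies the restrictions above to a batch of candidate accounts before they are registered with swidmg_user_mng, and also flags user IDs repeated within the batch. It assumes "alphabetic" means ASCII A-Z and a-z and that byte lengths are measured in UTF-8; the function names and sample accounts are constructed for illustration.

```python
import string

# Character sets transcribed from the restrictions table on this page.
# Assumption: "alphabetic" means ASCII A-Z and a-z.
USER_ID_CHARS = set(string.ascii_letters + string.digits + "_-.")
PASSWORD_CHARS = set(string.ascii_letters + string.digits + "!$'()~`{}_-^.")

def check_user_id(user_id):
    """Return the list of rules a candidate user ID breaks."""
    problems = []
    if not 1 <= len(user_id.encode("utf-8")) <= 32:  # bytes, UTF-8 assumed
        problems.append("length must be 1 to 32 bytes")
    bad = sorted(set(user_id) - USER_ID_CHARS)
    if bad:
        problems.append("disallowed characters: " + " ".join(map(repr, bad)))
    return problems

def check_password(password):
    """Return the rules a candidate password breaks, without echoing it."""
    problems = []
    if not 8 <= len(password.encode("utf-8")) <= 50:  # bytes, UTF-8 assumed
        problems.append("length must be 8 to 50 bytes")
    bad = set(password) - PASSWORD_CHARS
    if bad:
        problems.append(f"{len(bad)} disallowed character(s)")
    if not any(c in string.ascii_letters for c in password):
        problems.append("needs at least one alphabetic character")
    if not any(c in string.digits for c in password):
        problems.append("needs at least one numeric character")
    return problems

def check_batch(accounts):
    """Map each failing user ID to its problems; also flags repeated IDs."""
    report, seen = {}, set()
    for user_id, password in accounts:
        problems = [f"user ID: {p}" for p in check_user_id(user_id)]
        problems += [f"password: {p}" for p in check_password(password)]
        if user_id in seen:
            problems.append("user ID: duplicate within batch")
        seen.add(user_id)
        if problems:
            report.setdefault(user_id, []).extend(problems)
    return report

# Constructed sample accounts, not real credentials.
SAMPLE = [("ops.tanaka-01", "Nightly~Batch7"), ("job@runner", "abcdefgh"),
          ("ops.tanaka-01", "Short1")]
```

The report names the broken rule for each account but never includes the password itself, so it can be kept with the registration records.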

2.5.4.1 Managing Users with a Systemwalker Authentication Repository

This section explains how to manage users with a Systemwalker authentication repository.

If a Systemwalker authentication repository is enabled, operations from Systemwalker Operation Manager clients can only be performed by users registered with the Systemwalker authentication repository and system administrators registered with the operating system (the built-in Windows Administrator account or UNIX superuser).

Logging in to Systemwalker Operation Manager servers

To log in to the Systemwalker Operation Manager server from each Systemwalker Operation Manager client when a Systemwalker authentication repository is enabled, specify a user registered with the Systemwalker authentication repository or a system administrator registered with the operating system (the built-in Windows Administrator account or UNIX superuser).

Registering and deleting projects

All users registered with the Systemwalker authentication repository are non-administrators. Because administrator privileges are required to register or delete projects, always register or delete projects as a system administrator that has been registered with the operating system (the built-in Windows Administrator account or UNIX superuser).

Project owners

Be sure to specify OS users as the project owners. Either a system administrator (superuser) or a general user can be specified.

The users in the Systemwalker authentication repository are non-administrators, so they cannot change owners. To change the owner, log in as a system administrator that has been registered with the operating system (the built-in Windows Administrator account or UNIX superuser).

Setting up access permissions for projects

The users in the Systemwalker authentication repository are non-administrators, so they cannot set up access permissions for projects.

To set up access permissions to the project, log in as a system administrator that has been registered with the operating system (the built-in Windows Administrator account or UNIX superuser).

Monitoring and operating on projects

The users in the Systemwalker authentication repository are non-administrators, so they can only operate on projects for which access permissions have already been set up. System administrators that have been registered with the operating system (the built-in Windows Administrator account or UNIX superuser) have update rights for all projects.

Registering and changing job nets and groups

Registering and changing job nets and groups from a client can be performed by either a system administrator that has been registered with the operating system (the built-in Windows Administrator account or UNIX superuser) or by users in the Systemwalker authentication repository that have update rights or change rights to the project.

User restrictions

Users in the Systemwalker authentication repository cannot start on-demand jobs or job nets with the Job Execution Control attribute, nor can they execute commands for Jobscheduler.

Execution users for jobs

Be sure to specify OS users as the execution users for jobs.

Execution users for commands and APIs

If the commands provided by Systemwalker Operation Manager are executed on a server, those commands and APIs that require system administrator privileges can only be executed by system administrators (superusers) as was the case with previous versions.

Commands and APIs that can be used by general users and that are not affected by access permissions to projects can be executed by general users as was the case with previous versions.

Commands for general users that are executed only when the user has access permission to the project (*1) are executed as follows:

  1. If the OS user executing the command is a system administrator, the command is executed with Systemwalker Operation Manager administrator privileges (with update rights to all projects).

  2. If the OS user executing the command is a project owner, the command is executed with update rights for the project that the OS user owns.

  3. For all other users, the command will be executed if the user is an OS user for which access permissions to the project have been set up.

*1: The following commands are included:

The access permissions for OS users for each project can be checked using the mpprjcmdacl command. Refer to "mpprjcmdac Command" in the Systemwalker Operation Manager Reference Guide for details.