Systemwalker Operation Manager lets you define which users can access the resources used by its services/daemons, and restrict use of Systemwalker Operation Manager to those users.
Note
You can use this option to limit the Systemwalker Operation Manager users only when the file system is NTFS. You cannot use this option when the file system is FAT [Windows].
Creating the swadmin group
The swadmin group is required to restrict the users who can submit on-demand jobs, start job nets with the job execution control attribute or use the Jobscheduler commands.
Windows:
The swadmin group is created automatically during installation of the Systemwalker Operation Manager server. Once the swadmin group is created, it is NOT deleted even when the user restriction is canceled from the Define Operation Manager Shared Parameter window.
UNIX version:
The swadmin group is created automatically during installation of the Systemwalker Operation Manager server.
Register all of the users who are permitted to use the Jobscheduler and Job Execution Control commands in the swadmin group.
Protecting audit log files
To protect audit log files, make security definitions, and then use the following procedure to set up access rights for the output destination directory.
Note
Make these settings again if the output destination directory for audit log files is changed.
[Windows]
Log in as a user that belongs to the Administrators group.
Delete the "full control" access rights to the audit log output destination directory for the "Everyone" user group.
Add "full control" access rights to the audit log output destination directory for the "swadmin" group.
[UNIX]
Log in as a superuser.
Change the group ownership of the audit log output destination directory to the "swadmin" group.
Example: # chgrp swadmin /var/opt/FJSVftlo/audit
Change the access rights to the audit log output destination directory.
Example: # chmod 770 /var/opt/FJSVftlo/audit
The commands in this example assume the default settings are used for the audit log output destination directory.
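A read-only check for the [UNIX] steps above, added here as an example and not part of Systemwalker Operation Manager or its manual: it confirms that the audit log output destination directory is group-owned by swadmin with the permissions that chmod 770 produces, and can be re-run whenever the output destination directory is changed. The function name check_audit_dir and the AUDIT_DIR, WANT_GROUP and WANT_PERMS variables are assumptions of this example; the path is the default used in the commands above.

```shell
#!/bin/sh
# Added example (not vendor code): verify the result of
#   chgrp swadmin <dir>  and  chmod 770 <dir>
# Names below are assumptions of this example.
AUDIT_DIR="${AUDIT_DIR:-/var/opt/FJSVftlo/audit}"   # default path from the page
WANT_GROUP="${WANT_GROUP:-swadmin}"
WANT_PERMS="${WANT_PERMS:-drwxrwx---}"              # what "chmod 770" yields on a directory

# check_audit_dir DIR GROUP PERMS
# Prints one line per finding. Returns 0 = as expected, 1 = drift, 2 = missing.
check_audit_dir() {
    dir=$1; want_group=$2; want_perms=$3
    if [ ! -d "$dir" ]; then
        echo "MISSING: $dir is not a directory"
        return 2
    fi
    # ls -ld is used rather than stat because its first four fields
    # (perms, links, owner, group) are the same on Linux, Solaris, HP-UX and AIX.
    set -- $(ls -ld "$dir")
    have_perms=$(printf '%s' "$1" | cut -c1-10)     # drop trailing ACL/SELinux marker
    have_group=$4
    rc=0
    if [ "$have_group" != "$want_group" ]; then
        echo "DRIFT: $dir group is $have_group, expected $want_group"
        rc=1
    fi
    if [ "$have_perms" != "$want_perms" ]; then
        echo "DRIFT: $dir permissions are $have_perms, expected $want_perms"
        rc=1
    fi
    # Any bit set for "other" lets users outside swadmin reach the audit logs.
    case $have_perms in
        *---) ;;
        *) echo "EXPOSED: $dir grants access to users outside $want_group"; rc=1 ;;
    esac
    return $rc
}

# Run against the configured directory when it exists on this host.
if [ -d "$AUDIT_DIR" ]; then
    check_audit_dir "$AUDIT_DIR" "$WANT_GROUP" "$WANT_PERMS" && echo "OK: $AUDIT_DIR"
fi
```

Set AUDIT_DIR to the new location if the audit log output destination has been moved from the default.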
Definition procedure
Open the Define Operation Manager Shared Parameter window.
Click the Shared parameter button in the Systemwalker Operation Manager Environment Setup window, and the Define Operation Manager Shared Parameter window will appear.
Define user restrictions.
When Restrict so that only users included in the swadmin group can start demand jobs, start jobnet Job Execution Control attributes or use Jobscheduler command functions is checked, only the users registered in the swadmin group, the users who belong to the Administrators group, and the superuser will be enabled.
Restart services/daemons.
After you have completed the setup in the Define Operation Manager Shared Parameter window, click the OK button. Then a dialog box prompting you to confirm restart appears. By clicking the OK button in the dialog box, the following items are restarted.
[Windows]
The services of Job Execution Control, Jobscheduler, and Task Link are restarted. In the environment where multiple subsystems are running, all the subsystems and Task Link service are restarted.
[UNIX]
The daemons of Job Execution Control and Jobscheduler are restarted. In the environment where multiple subsystems are running, all the subsystems are restarted.
Define Operation Manager Shared Parameter window
Specify this option to allow only users of swadmin group, those of Administrators group and the superuser to start on-demand jobs, start job nets having Job Execution Control attributes, and use Jobscheduler commands.
Note
Access privileges to resources used by services/daemons
Windows:
You can start some Systemwalker Operation Manager services only when you have access privileges to the resources they use. To make this possible, grant "full control" to the Administrators group on the following resources of Systemwalker Operation Manager servers.
Installation destination directory and subordinate files specified during installation
Calendar information directory (Systemwalker Operation Manager installation directory \MpWalker.JM\mpjmcal\caldb)
Database directory of Jobscheduler (The initial value is the Systemwalker Operation Manager installation directory \MpWalker.JM\mpjobsch\jobdb) and subordinate files
UNIX:
Each daemon of Systemwalker Operation Manager uses the following resources, and the access privileges to those resources are set depending on the selection of the Operation Manager user restrictions check box option. Never change these access privileges. If changed, Systemwalker Operation Manager may not operate normally.
Solaris version, Linux system
Resources under the system installation directory
Resources under the database directory (/var/opt/package-name)
HP-UX version, AIX system
Resources under the system installation directory
When you check the Operation Manager User Restrictions option, access privileges that differ from those specified during system installation may be set, and an error message may be output when you issue the pkgchk command.
Note
Availability of Previous Load Distribution [Windows]
When Restrict so that only users included in the swadmin group can start demand jobs, start jobnet Job Execution Control attributes or use Jobscheduler command functions is checked in the Define Operation Manager Shared Parameter window for user restriction, the Previous Load Distribution CANNOT be used.
However, the Distributed Execution supported in Systemwalker Operation Manager V11.0L10/11.0 and later can be used.
Note
When using the Extended User Management function [UNIX]
If the Extended User Management function is enabled, OS users that are associated with Operation Manager users will be subject to the definitions in "Define user restrictions".
When the Extended User Management function is enabled and Operation Manager User Restrictions is checked, the access privileges are determined as follows.
The associated OS user is checked for membership in the swadmin group.
If membership in the swadmin group is confirmed, the OS user is checked for access privileges to projects.
When the OS user's access privileges are confirmed, the user can use this option to submit on-demand jobs, start job nets having Job Execution Control attributes, and issue Jobscheduler commands.
Note
Submitting jobs [Windows]
If Operation Manager users have been restricted by selecting the Restrict so that only users included in the swadmin group can start demand jobs, start jobnet Job execution control attributes or use Jobscheduler command functions checkbox in the Define Operation Manager Shared Parameter window and a domain user that belongs to the swadmin group is specified for the following users, then the specified domain user must be registered in the Define Job Owner's Information window in order for jobs to be submitted successfully.
Schedule jobs: The project owner or the execution user for the job
On-demand jobs: The login user
The qsub command: The execution user for the job
Job submission API: The execution user for the job