Top
Systemwalker Operation Manager V17.0.1 Installation Guide

2.4.5 Define User Restrictions

Systemwalker Operation Manager allows you to set any user who can access to the resources used by services/daemons and limits the Systemwalker Operation Manager users.

When the user definition is enabled, only the users registered in the swadmin group, users who belong to the Administrators group, and the superuser are enabled for the following:

For a new installation of Systemwalker Operation Manager V17.0.0 or later, this definition is enabled by default. Refer to "How to disable the user restriction definition" for information on how to disable it.

Also, refer to "How to enable the user restriction definition" for information on how to enable the definition setting from a disabled status.

Note

You can use this option to limit the Systemwalker Operation Manager users only when you are using the file system of NTFS. You cannot use this option when you are using FAT, so disable the user restriction definition. [Windows]

How to disable the user restriction definition

  1. Log in as system administrator (user belonging to the Administrators group or superuser).

  2. Audit log file settings

    [Windows]

    1. Add "read" and "write" access rights for the Users group to the audit log output destination directory.

    2. Delete the swadmin group from the access permission entries for the audit log output destination directory.

    [UNIX]

    Change the access right for the audit log output destination directory to 777, and the owner to the sys group. The following is an example where the audit log output destination directory is /var/opt/FJSVftlo/audit (by default):

    # cd /var/opt/FJSVftlo

    # chmod 777 audit

    # chgrp sys audit

  3. Display the Define Operation Manager Shared Parameter window

    The Define Operation Manager Shared Parameter window is displayed by clicking Shared parameter in the Systemwalker Operation Manager Environment Setup window.

  4. Disable the user restriction definition

    Clear the option Restrict so that only users included in the swadmin group can start demand jobs, start jobnet Job execution control attributes or use Jobscheduler command functions.

  5. Restart the service/daemon

    If OK is clicked in the Define Operation Manager Shared Parameter window, the restart confirmation dialog box is displayed. If OK is clicked in the dialog box, the following services or daemons restart as below:

    [Windows]

    Job Execution Control, Jobscheduler, Task Link services restart. If running multi-subsystem operation, all the subsystems and Task Link services restart.

    [UNIX]

    Job Execution Control and Jobscheduler daemons restart. If running multi-subsystem operation, all the subsystems restart.

How to enable the user restriction definition

The user restriction definition is inherited from the older version when upgrade installation is performed. Refer to the following procedure for information on how to enable the setting when it was disabled in the older version.

Creating the swadmin group

The swadmin group is required to restrict the users who can submit on-demand jobs, start job nets with the job execution control attribute or use the Jobscheduler commands.

Configuration in the Define Operation Manager Shared Parameter window

  1. Display the Define Operation Manager Shared Parameter window

    The Define Operation Manager Shared Parameter window is displayed by clicking Shared parameter in the Systemwalker Operation Manager Environment Setup window.

  2. Enable the user restrictions definition

    Check the option Restrict so that only users included in the swadmin group can start demand jobs, start jobnet Job execution control attributes or use Jobscheduler command functions.

  3. Restart the service/daemon

    If OK is clicked in the Define Operation Manager Shared Parameter window, the restart confirmation dialog box is displayed. If OK is clicked in the dialog box, the following services or daemons restart as below:

    [Windows]

    Job Execution Control, Jobscheduler, Task Link services restart. If running multi-subsystem operation, all the subsystems and Task Link services restart.

    [UNIX]

    Job Execution Control and Jobscheduler daemons restart. If running multi-subsystem operation, all the subsystems restart.

Define Operation Manager Shared Parameter window

Operation Manager user restrictions:

Specify this option to allow only users of swadmin group, those of Administrators group and the superuser to start on-demand jobs, start job nets having Job Execution Control attributes, and use Jobscheduler commands.

Protecting audit log files

To protect audit log files, make security definitions, and then use the following procedure to set up access rights for the output destination directory.

Note

Make these settings again if the output destination directory for audit log files is changed.

[Windows]

  1. Log in as a user that belongs to the Administrators group.

  2. Delete the "full control" access rights to the audit log output destination directory for the "Everyone" user group.

  3. Add "full control" access rights to the audit log output destination directory for the "swadmin" group.

[UNIX]

  1. Log in as a superuser.

  2. Change the ownership rights to the audit log output destination directory to the "swadmin" group.

    Example: # chgrp swadmin /var/opt/FJSVftlo/audit

  3. Change the access rights to the audit log output destination directory.

    Example: # chmod 770 /var/opt/FJSVftlo/audit

The commands in this example assume the default settings are used for the audit log output destination directory.

Notes on the user restriction definition