+

Search Tips   |   Advanced Search

(dist)

Secure the job scheduler using groups on distributed operating systems

We can secure the job scheduler using groups. A user can then act on a job only if the user and job are members of the same group.

Create a group and a user that belongs to the group. Enable group security for the job scheduler by mapping authenticated users to the lradmin administrative security role. Assign a group to a job.

  1. Create a group and a user that belongs to that group.

    Read the section on assigning users and groups to roles in the WAS documentation and follow the directions. For this task, an example user is user1 and an example group is BATCHGROUP.

  2. Enable group security for the job scheduler.

    1. Click System administration > Job scheduler > Custom properties.

    2. Click New and add JOB_SECURITY_POLICY for Name and GROUP for Value.

    3. Click Apply to save the configuration.

    4. Click System administration > Job scheduler > Security role to user/group mapping.

    5. Select lradmin for the role, Map Special Subjects, and All authenticated in application realm.

    6. Save the updates.

    7. Restart the server.

    8. Verify that group security is enabled.

      If we see the following message in the SystemOut.log file, group security is enabled:

        CWLRB5837I: The WebSphere Application Server Batch Feature is running under GROUP security policy.

  3. Assign a group to a job.

    A job belongs to a user group and an administrative group. If the JOB_SECURITY_ADMIN_GROUP variable is not defined, the job scheduler automatically assigns the administrative group to each job.

    • Configure the value of the administrative group name through the JOB_SECURITY_ADMIN_GROUP job scheduler custom property:

        JOB_SECURITY_ADMIN_GROUP=JSYSADMN

      The default administrative group name is JSYSADMN.

    • Assign the group using one of the following methods.

      • Define the group on the group attribute in the xJCL, for example:

          <job-name="{jobname}" group="{group-name}" />

      • Set the job scheduler default group name using the JOB_SECURITY_DEFAULT_GROUP job scheduler custom property:

          JOB_SECURITY_DEFAULT_GROUP=JSYSDFLT

        The default group name is JSYSDFLT.

      The group attribute in the xJCL takes precedence over the job scheduler custom property. If we do not specify a group name in the xJCL, the job scheduler assigns the default group name.


Results

We created a group and assigned a user to the group so that a user can manage jobs using group security.


What to do next

Manage jobs using group security.

  1. Submit the job.

  2. Have the user1 user created in a previous step act on the job, such as by viewing the job log.


Related concepts

  • Roles and privileges for securing the job scheduler
  • Job scheduler security overview


    Related tasks

  • Enable security
  • Assigning users and groups to roles

  • Job scheduler custom properties