You can secure the job scheduler using
roles and groups. A user can then act on a job if the user and the
job are members of the same group and the user's role permits
the action.
About this task
Create a group and a user that belongs to the
group. Enable group role security for the
job scheduler.
Procedure
- Create a group and a user that belongs to that group.
Read the section on assigning users and groups to roles in
the WebSphere® Application
Server documentation
and follow the directions. For this task, an example user is user2 and
an example group is BATCH2GROUP.
- Enable group and role security for the job scheduler.
  - Click .
  - Click New and add JOB_SECURITY_POLICY for Name and GROUPROLE for Value.
  - Click Apply to save your configuration.
  - Click .
  - Select lrsubmitter for the role, then click Map users... to map the user2 user to the lrsubmitter role.
    The lrsubmitter role was used for this example. You can select a different role.
  - Save the updates.
  - Restart the server.
  - Verify that group and role security is enabled.
    If you see the following message in the SystemOut.log file, group security is enabled:
    CWLRB5837I: The WebSphere Application Server Batch Feature is running under GROUPROLE security policy.
- Assign a group to a job.
  A job belongs to a user group and an administrative group. If the JOB_SECURITY_ADMIN_GROUP variable is not defined, the job scheduler automatically assigns the administrative group to each job.
  - Configure the value of the administrative group name through the JOB_SECURITY_ADMIN_GROUP job scheduler custom property:
    JOB_SECURITY_ADMIN_GROUP=JSYSADMN
    The default administrative group name is JSYSADMN.
  - Assign the group using one of the following methods.
    - Define the group on the group attribute in the xJCL, for example:
      <job name="{jobname}" group="{group-name}" … />
    - Set the job scheduler default group name using the JOB_SECURITY_DEFAULT_GROUP job scheduler custom property:
      JOB_SECURITY_DEFAULT_GROUP=JSYSDFLT
      The default group name is JSYSDFLT.
    The group attribute in the xJCL takes precedence over the job scheduler custom property. If you do not specify a group name in your xJCL, the job scheduler assigns the default group name.
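The log check and the group precedence rule in this procedure can be combined into one audit. The following Python code is an added example, not IBM code: the function names, the sample log line, the xJCL snippets and the file names are constructed for illustration, and treating an empty group attribute as unset is an assumption.

```python
import re
import xml.etree.ElementTree as ET

# Message text taken from the page; the captured word is the policy name.
POLICY_MSG = re.compile(r"CWLRB5837I: .* running under (\w+) security policy")
BUILTIN_DEFAULT_GROUP = "JSYSDFLT"  # default group name stated on the page

def active_policy(log_text):
    """Return the policy named by the most recent CWLRB5837I line, or None."""
    hits = POLICY_MSG.findall(log_text)
    return hits[-1] if hits else None

def effective_group(xjcl_text, custom_props):
    """Resolve a job's group: xJCL attribute first, then the custom property,
    then the built-in default. Returns (group, source)."""
    job = ET.fromstring(xjcl_text)  # the xJCL root element is <job>
    group = job.get("group")        # assumption: empty attribute counts as unset
    if group:
        return group, "xJCL"
    prop = custom_props.get("JOB_SECURITY_DEFAULT_GROUP")
    if prop:
        return prop, "custom property"
    return BUILTIN_DEFAULT_GROUP, "built-in default"

def audit(log_text, xjcl_by_file, custom_props):
    """List findings: policy not confirmed, or jobs landing in the shared default group."""
    findings = []
    if active_policy(log_text) != "GROUPROLE":
        findings.append("GROUPROLE policy not confirmed in SystemOut.log")
    for fname, text in sorted(xjcl_by_file.items()):
        group, source = effective_group(text, custom_props)
        if source != "xJCL":
            findings.append(f"{fname}: no group attribute, job lands in {group} ({source})")
    return findings

# Constructed sample inputs (not taken from a real server).
SAMPLE_LOG = ("[1/1/24 9:00:00:000 UTC] 00000001 SampleLogger I CWLRB5837I: The WebSphere "
              "Application Server Batch Feature is running under GROUPROLE security policy.\n")
SAMPLE_XJCL = {
    "payroll.xml": '<job name="payroll" group="BATCH2GROUP"><step name="s1"/></job>',
    "cleanup.xml": '<job name="cleanup"><step name="s1"/></job>',
}

if __name__ == "__main__":
    for line in audit(SAMPLE_LOG, SAMPLE_XJCL, {}):
        print(line)
```

Jobs that the audit reports share the default group, so any user in that group whose role permits an action can act on them.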
Results
You created a group and a user that belongs to the group.
You mapped the authenticated user to the lrsubmitter security role.
What to do next
Manage jobs using group and role security.
- Submit the job.
- Have the user2 user that you created in a previous step act on
the job with an action that a user in the lrsubmitter role can complete.