
  • It is a bad idea to run a JS7 Controller or Agent using a Unix root account or Windows Administrator account.
    • Certainly this makes life easy when it comes to switching to other user accounts or for accessing files.
    • However, you should not grant more permissions to a process than required.
  • Use specific user accounts to run JS7 Controllers and Agents:
    • Do not use the system account (Windows) or root (Unix).
    • Create specific service accounts that are limited to the privileges that are required to execute jobs.
  • Do not specify credentials for Windows Service accounts during installation:
    • The installer does not store such credentials but forwards them to the Windows Service interface. However, there is no guarantee that such credentials will not be logged by some Windows mechanism.
    • Instead, use the Windows Service Panel to manually specify credentials for the service account.
  • There are a number of options when it comes to running jobs for different user accounts:
    • In Unix environments
      • Job scripts can switch to a different user context by use of sudo or su commands. sudo is the preferred option as this is the standard Unix tool that allows secure configuration of the users that are allowed to execute certain commands (sudoers file). In addition, sudo provides reporting capabilities about (ab)use of commands.
    • In Windows environments
      • You can use the Windows Credential Manager to safely store credentials of the user account that a job should be executed for. The JobScheduler will then read the credentials and create a new process to run a job in the target user context. This is the preferred solution as it does not store credentials in the JobScheduler configuration.
      • Find detailed information in the JS7 - Running jobs as a different user article.
    • For all environments
      • You can run a number of Agents in parallel using different user accounts.
  • A credential store can be used for jobs that require credentials, e.g. to access a database: see the JS7 - Credential Store article for more information.
    • Credentials are not provided from parameters (that could be logged in clear text). Instead, an interface is provided that allows on-demand access to the credential store.
    • This feature is available for Shell jobs and for JVM jobs.
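
The sudoers configuration mentioned in the Unix item above only limits an Agent account if its rules are narrow. The following added example (not part of the JS7 documentation) audits the rules granted to such an account. The account name js7agent, the target user appuser and the script path are assumptions, and only plain single-line user rules are parsed.

```shell
#!/bin/sh
# Constructed sample rules. The account "js7agent", the target user "appuser"
# and the script path are assumptions for illustration, not from the page.
SAMPLE_BROAD='js7agent ALL=(ALL) NOPASSWD: ALL'
SAMPLE_NARROW='js7agent ALL=(appuser) NOPASSWD: /opt/app/bin/nightly_export.sh'

# audit_sudoers ACCOUNT
# Reads sudoers text on stdin and prints one finding per risky grant for
# ACCOUNT. Exit status is 1 if anything was flagged, 0 otherwise.
# Handles plain user rules only (no aliases, no line continuations).
audit_sudoers() {
    awk -v acct="$1" '
        function flag(msg) { printf "line %d: %s: %s\n", NR, msg, $0; bad = 1 }
        /^[ \t]*(#|$)/ { next }            # comments and blank lines
        $1 != acct     { next }            # rules for other users
        {
            spec = substr($0, index($0, "=") + 1)
            runas = "root"                 # sudo default when no Runas spec
            if (match(spec, /\([^)]*\)/)) {
                runas = substr(spec, RSTART + 1, RLENGTH - 2)
                spec  = substr(spec, RSTART + RLENGTH)
            }
            sub(/:.*/, "", runas)          # keep the user part of user:group
            if (runas ~ /(^|[ ,])(ALL|root)([ ,]|$)/)
                flag("may run as root or any user")
            gsub(/[A-Z_]+:/, "", spec)     # drop tags such as NOPASSWD:
            n = split(spec, cmds, ",")
            for (i = 1; i <= n; i++) {
                cmd = cmds[i]
                gsub(/^[ \t]+|[ \t]+$/, "", cmd)
                if (cmd == "ALL")          flag("any command allowed")
                else if (cmd ~ /[*?]/)     flag("wildcard in command: " cmd)
            }
        }
        END { exit bad + 0 }
    '
}

# Demo: the broad rule is reported twice (Runas and command), the narrow one is not.
printf '%s\n%s\n' "$SAMPLE_BROAD" "$SAMPLE_NARROW" | audit_sudoers js7agent || true
```

To check a real configuration, feed the function the relevant drop-in file, for example from /etc/sudoers.d, on stdin.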
