Setting job information access control

There are three parameters available in lsb.params that allow you to control access to job information: SECURE_JOB_INFO_LEVEL, ENABLE_JOB_INFO_BY_ADMIN_ROLE, and SECURE_INFODIR_USER_ACCESS.

Controlling jobs a user can see

The parameter SECURE_JOB_INFO_LEVEL in lsb.params allows you to control which jobs any user (including administrators other than the primary administrator) can see information for. The value is a level between 0 and 4, with 0 being no security and 4 being the highest security.

When a user or administrator enters one of the commands to see job information (bjobs, bjdepinfo, bread, or bstatus), the SECURE_JOB_INFO_LEVEL parameter controls what they see. The following table describes the type of job information that can be viewed by a user with each security level.

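| Security Level | User's Own Job | Same User Group Job Summary Info | Same User Group Job Detail Info | All Other Jobs' Summary Info | All Other Jobs' Detail Info |
|---|---|---|---|---|---|
| 0 | Y | Y | Y | Y | Y |
| 1 | Y | Y | Y | Y |   |
| 2 | Y | Y | Y |   |   |
| 3 | Y | Y |   |   |   |
| 4 | Y |   |   |   |   |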

Note: If SECURE_JOB_INFO_LEVEL is set to level 1, 2, 3, or 4, check if SECURE_INFODIR_USER_ACCESS is enabled (set to Y). If it is not enabled, access to bjobs functions will be restricted, but access to bhist or bacct will be available.
Note: In a MultiCluster environment, this security level definition also applies when a user views job information from a remote cluster using bjobs -m remotecluster. The security level configuration of the specified cluster will take effect.

Enabling administrator rights to job information

By default, an administrator's access to job details is determined by the setting of SECURE_JOB_INFO_LEVEL, the same as a regular user. The parameter ENABLE_JOB_INFO_BY_ADMIN_ROLE in lsb.params allows you to grant user group, queue, and cluster administrators the right to access job detail information for jobs in the user groups, queues, and clusters they manage, even when the administrator has no such right based on the configuration of SECURE_JOB_INFO_LEVEL.

When an administrator enters one of the commands to see job information (bjobs, bjdepinfo, bread, or bstatus), the ENABLE_JOB_INFO_BY_ADMIN_ROLE definition controls whether they see job detail information about jobs in the user group, queue, or cluster that they manage.

The parameter may be set with any combination of the values usergroup, queue, or cluster.

Note: This does not apply to the primary administrator, who will always see job information.

Preventing users from viewing jobs using bhist or bacct

The parameter SECURE_INFODIR_USER_ACCESS in lsb.params allows you to control whether regular and administrator users (except the primary admin) can see other users' jobs when using the bhist or bacct command.

If enabled (defined as Y), regular users and administrators can view only their own job information when using the bhist or bacct command. LSB_SHAREDIR/cluster/logdir will be readable only by the primary administrator.

When disabled (defined as N), access to read LSB_SHAREDIR/cluster/logdir returns to default after an mbatchd restart or reconfig.

Note: An LSF cluster should have only one primary administrator. For example, slave and master hosts should have the same primary administrator to ensure bhist and bacct commands have rights to access the events file.
Note: This feature is only supported when LSF is installed on a file system that supports the setuid bit on files. Therefore, this feature does not work on Windows platforms.
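
As an added example (not IBM's or LSF's own code), the Python below encodes the security-level table and checks an lsb.params file for the gap described in the first note: a SECURE_JOB_INFO_LEVEL of 1 to 4 without SECURE_INFODIR_USER_ACCESS set to Y. The Begin Parameters / End Parameters layout, whitespace-separated role values, and treating unset parameters as 0 and N are assumptions, as are all function and variable names; the sample file is constructed.

```python
import re

# Visibility matrix from the security-level table: level -> viewable categories.
CATEGORIES = ["own", "group_summary", "group_detail", "other_summary", "other_detail"]
VISIBLE = {level: set(CATEGORIES[:5 - level]) for level in range(5)}
ADMIN_ROLES = {"usergroup", "queue", "cluster"}

def parse_params(text):
    """Return {KEY: value} from the Begin Parameters / End Parameters section."""
    params, inside = {}, False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # strip comments and whitespace
        if re.fullmatch(r"Begin\s+Parameters", line, re.I):
            inside = True
        elif re.fullmatch(r"End\s+Parameters", line, re.I):
            inside = False
        elif inside and "=" in line:
            key, value = line.split("=", 1)
            params[key.strip()] = value.strip()
    return params

def audit(text):
    """Return (level, findings); level is None when the value is invalid."""
    p = parse_params(text)
    raw = p.get("SECURE_JOB_INFO_LEVEL", "0")  # assumption: unset behaves as 0
    if raw not in {"0", "1", "2", "3", "4"}:
        return None, [f"SECURE_JOB_INFO_LEVEL={raw!r} is not a value between 0 and 4"]
    level, findings = int(raw), []
    # Assumption: unset behaves as N; comparing case-insensitively is this checker's choice.
    infodir = p.get("SECURE_INFODIR_USER_ACCESS", "N").upper()
    if level >= 1 and infodir != "Y":
        findings.append(f"level {level} limits bjobs only; set SECURE_INFODIR_USER_ACCESS=Y for bhist/bacct")
    roles = set(p.get("ENABLE_JOB_INFO_BY_ADMIN_ROLE", "").lower().split())
    if roles - ADMIN_ROLES:
        findings.append(f"unknown admin role value(s): {sorted(roles - ADMIN_ROLES)}")
    if level >= 1 and roles & ADMIN_ROLES:
        findings.append("admins keep job detail access for: " + ", ".join(sorted(roles & ADMIN_ROLES)))
    return level, findings

# Constructed sample lsb.params fragment (not from a real cluster).
SAMPLE = """
Begin Parameters
SECURE_JOB_INFO_LEVEL = 3          # users see own jobs + group summaries
ENABLE_JOB_INFO_BY_ADMIN_ROLE = usergroup queue
# SECURE_INFODIR_USER_ACCESS = Y   (commented out: the gap the note warns about)
End Parameters
"""

if __name__ == "__main__":
    print(audit(SAMPLE))
```
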