Group Permission Security Broken

bmeissk
Participant
Posts: 6
Joined: Tue May 11, 2004 8:00 am

Group Permission Security Broken

Post by bmeissk »

It was recently discovered that group permissions in our production environment do not seem to be working. It appears that any UNIX account has wide-open access via DataStage Administrator to manipulate project properties (including their addition or deletion). Our development and test environments (which reside on a different server) are working correctly. The permissions of the projects as well as the .developer.adm and .prodmgr.adm files in production seem to be consistent with those in development. This issue must be due to something simple but not intuitively obvious. Any suggestions would be appreciated.
roy
Participant
Posts: 2598
Joined: Wed Jul 30, 2003 2:05 am
Location: Israel

Post by roy »

Hi,

Several things:
1. What is the method of transporting jobs to the production system?

2. Did you verify the users which are not supposed to have access really don't?
First make sure only proper group/s have access in the DSAdministrator.
Then log in to the system as the user/s you think should not have access and check via the id command that they do not belong to any group that has privileges.

3. A peek in Vincent's FAQ post here: viewtopic.php?t=89071
won't hurt.

IHTH,
Roy R.
Time is money but when you don't have money time is all you can afford.

Search before posting:)

Join the DataStagers team effort at:
http://www.worldcommunitygrid.org
bmeissk
Participant
Posts: 6
Joined: Tue May 11, 2004 8:00 am

Post by bmeissk »

Roy:

1. Version Control has been the mechanism to promote jobs to production; however, nothing has been promoted for several months.

2. To validate that I have a problem, I created a new UNIX account that is a member of only one group. That group does not have access (as seen in Administrator) to any of the projects in production (i.e. a user role of "<None>"). If I open Administrator using the new account, it signs on and allows full access to any of the projects (including the ability to change group permissions). It appears that DataStage is not validating permissions at all.

Kevin
roy
Participant
Posts: 2598
Joined: Wed Jul 30, 2003 2:05 am
Location: Israel

Post by roy »

I can't remember what happens if, let us say, the root user gives recursive full access to everyone, eventually affecting the project directory. Do check it.
Build a simple job control with 1 line:
Call DSLogInfo("test","Testing:")
Promote that job and see if all have access to that job.
(That should test what I mentioned above.)

Do you use the read-only flag when promoting?

Do you maintain a protected project policy on your production project?
(After you're done promoting jobs, that is.)

At least protect the project to verify that works and no one changes your production.

IHTH,
Roy R.
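The two checks roy describes above (which groups the account really belongs to, and whether a recursive permission change left the project directory open to everyone), written as an added shell example that is not part of the original thread. The user, project path and group list are supplied by the caller, the location of the .adm files inside the project directory is an assumption, and the script only reports filesystem state, not how DataStage itself evaluates roles.

```shell
#!/bin/sh
# Added example, not from the thread.
# Usage: sh ds_perm_audit.sh USER PROJECT_DIR "GROUP1 GROUP2 ..."
#   USER         account that should NOT have access
#   PROJECT_DIR  project directory on the server (caller-supplied)
#   GROUPS       groups that hold a role in Administrator (caller-supplied)

# Print each group from $1 (the account's groups) that also appears in $2
# (the groups holding a role). No output means no privileged membership.
privileged_groups() {
    for g in $1; do
        for p in $2; do
            [ "$g" = "$p" ] && printf '%s\n' "$g"
        done
    done
    return 0
}

# Print every entry under $1 with the "other" write bit set, i.e. writable
# by any account regardless of group. Symlinks are skipped because their
# mode bits are not meaningful.
world_writable() {
    find "$1" ! -type l -perm -0002 -print
}

# Count non-empty lines on stdin (prints 0 when there are none).
count_lines() {
    grep -c . || true
}

if [ "$#" -eq 3 ]; then
    user_groups=$(id -Gn "$1") || exit 2
    echo "groups of $1: $user_groups"
    echo "privileged groups held: $(privileged_groups "$user_groups" "$3" | tr '\n' ' ')"
    echo "world-writable entries under $2: $(world_writable "$2" | count_lines)"
    world_writable "$2"
    # Assumption: the .adm files sit directly in the project directory.
    ls -ld "$2" "$2/.developer.adm" "$2/.prodmgr.adm"
fi
```

Running it against both the working development project and the production project and comparing the output shows whether the difference is in group membership or in filesystem modes.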
bmeissk
Participant
Posts: 6
Joined: Tue May 11, 2004 8:00 am

Post by bmeissk »

Roy:

Thanks for the suggestion - I will experiment further.

We do use read-only flag when promoting (and that seems to still be working correctly).

Kevin