permission setting

djoni · Post by **djoni** » Tue Nov 01, 2005 8:48 am

Right after install, by default, all AIX users are set to "Developer" category.
My EE server shares its AIX system with many other applications.
Meaning I must disabled, set all non DS groups to "<None>", manually on the Administrator's permission window.
Is there any better mechanism than this manual work?
djoni

kcbland · Post by **kcbland** » Tue Nov 01, 2005 9:09 am

Sneak a look at the *.adm files in each project.

ray.wurlod · Post by **ray.wurlod** » Tue Nov 01, 2005 2:27 pm

By default, the *.adm files aren't present. And you won't see them even if they are, unless you enable listing of hidden files (for example ls -la .*.adm)

The files are brought into use by using the Administrator client's Permissions tab.

Or by using a text editor on the server. File name .developer.adm for the Developer role contains a list of UNIX groups assigned to that role.

kcbland · Post by **kcbland** » Tue Nov 01, 2005 2:33 pm

They're there, you just have to work a little to find them. We learn by doing....

djoni · Post by **djoni** » Wed Nov 02, 2005 11:15 am

Is this by project (one file one project) or just one developer.adm file for all groups with developer role?
djoni

ray.wurlod wrote:By default, the *.adm files aren't present. And you won't see them even if they are, unless you enable listing of hidden files (for example ls -la .*.adm)

The files are brought into use by using the Administrator client's Permissions tab.

Or by using a text editor on the server. File name .developer.adm for the Developer role contains a list of UNIX groups assigned to that role.

kcbland · Post by **kcbland** » Wed Nov 02, 2005 11:41 am

Yep, buried in each project folder.

djoni · Post by **djoni** » Wed Nov 02, 2005 2:27 pm

When there's a new group added after I clean up the file, in the AIX where I have my DS Server, will this new group appear in the file?
djoni

ray.wurlod · Post by **ray.wurlod** » Wed Nov 02, 2005 2:41 pm

Yes. The .*.adm files are where the groups associated with each role are stored.

kduke · Post by **kduke** » Wed Nov 02, 2005 6:18 pm

I would never let other groups into the DataStage directories. You should write files which other applications need into directories outside of the project or DataStage engine. These directories can be wide open.

Some moron might vi a hash file like the VOC and shutdown DataStage.

djoni · Post by **djoni** » Wed Nov 02, 2005 7:39 pm

How do you prevent new AIX groups from entering the .adm file?
djoni

kduke wrote:I would never let other groups into the DataStage directories. You should write files which other applications need into directories outside of the project or DataStage engine. These directories can be wide open.

Some moron might vi a hash file like the VOC and shutdown DataStage.

kduke · Post by **kduke** » Wed Nov 02, 2005 10:02 pm

I would out all DataStage users in one group like dstage. I would change the projects so other groups cannot read or write to these directories.

chmod -R 770 ProjectDir

or

chmod -R o-rwx ProjectDir

Write files to /usr1/shared or somewhere outside of the project.