Unix user group setup for Datastage implementation
Moderators: chulett, rschirm, roy
Unix user group setup for Datastage implementation
Hi
I am setting up the Unix groups for my organization- we are implementing Datastage for the first time. I wanted some input on this. Also this is how I plan to setup the user.
First I have a etl level admin id.
User id : etladm
Id desc: this is the owner of all the Unix level directories for ETL
groups=etladmin, etldba, etlbo, project level development group, project level manager group
Then I have project level admin Ids:
User id : project_cd>adm
Id desc: this is the owner of all the Unix level directories for a project but would be always under the ETL directory
groups=dsadmin, project level development group, project level manager group
Then I have the datastage administrator:
User id : dsadm
Id desc: this is the datastage administrator
groups=dsadmin, project level development group, project level manager group
Atlast I have the general user
User id : user name
Id desc: this is the individual user
groups=project level development group (or/and) project level manager group
Please guide me.
I am setting up the Unix groups for my organization- we are implementing Datastage for the first time. I wanted some input on this. Also this is how I plan to setup the user.
First I have a etl level admin id.
User id : etladm
Id desc: this is the owner of all the Unix level directories for ETL
groups=etladmin, etldba, etlbo, project level development group, project level manager group
Then I have project level admin Ids:
User id : project_cd>adm
Id desc: this is the owner of all the Unix level directories for a project but would be always under the ETL directory
groups=dsadmin, project level development group, project level manager group
Then I have the datastage administrator:
User id : dsadm
Id desc: this is the datastage administrator
groups=dsadmin, project level development group, project level manager group
Atlast I have the general user
User id : user name
Id desc: this is the individual user
groups=project level development group (or/and) project level manager group
Please guide me.
Avishek Mukherjee
Data Integration Architect
Chicago, IL, USA.
Data Integration Architect
Chicago, IL, USA.
-
- Participant
- Posts: 54607
- Joined: Wed Oct 23, 2002 10:52 pm
- Location: Sydney, Australia
- Contact:
Use the Permissions tab in Project Properties in Administrator to assign DataStage roles to your group.
Create the dsadm user identity for administering DataStage.
Create the dsadm user identity for administering DataStage.
IBM Software Services Group
Any contribution to this forum is my own opinion and does not necessarily reflect any position that IBM may hold.
Any contribution to this forum is my own opinion and does not necessarily reflect any position that IBM may hold.
Which user group should "dsadm" lie- should it be in all user group where the Datastage users are present?ray.wurlod wrote:Use the Permissions tab in Project Properties in Administrator to assign DataStage roles to your group.
Create the dsadm user identity for administering DataStage.
Avishek Mukherjee
Data Integration Architect
Chicago, IL, USA.
Data Integration Architect
Chicago, IL, USA.
Hi
I am still unable to log on to Datastage.........do I need to restart the Datastage server after changing the User groups in Unix. What else I need to do...
There are two files in /applications/Ascential/DataStage/DSEngine- .developer.adm and .dsadmin. In these files do I need to add the user groups
This is the user group plan...and the actual structure in UNIX....etc/group
User id : etladm
Id desc: this is the owner of all the Unix level directories for ETL
groups =etladmin, etldba, etlbo, project level development group, project level manager group
Then I have project level admin Ids:
User id : project_cd>adm
Id desc : this is the owner of all the Unix level directories for a project but would be always under the ETL directory
groups =dsadmin, project level development group, project level manager group
Then I have the datastage administrator:
User id : dsadm
Id desc : this is the datastage administrator
groups =dsadmin, project level development group, project level manager group
Atlast I have the general user
User id : user name
Id desc : this is the individual user
groups =project level development group (or/and) project level manager group
I am still unable to log on to Datastage.........do I need to restart the Datastage server after changing the User groups in Unix. What else I need to do...
There are two files in /applications/Ascential/DataStage/DSEngine- .developer.adm and .dsadmin. In these files do I need to add the user groups
This is the user group plan...and the actual structure in UNIX....etc/group
User id : etladm
Id desc: this is the owner of all the Unix level directories for ETL
groups =etladmin, etldba, etlbo, project level development group, project level manager group
Then I have project level admin Ids:
User id : project_cd>adm
Id desc : this is the owner of all the Unix level directories for a project but would be always under the ETL directory
groups =dsadmin, project level development group, project level manager group
Then I have the datastage administrator:
User id : dsadm
Id desc : this is the datastage administrator
groups =dsadmin, project level development group, project level manager group
Atlast I have the general user
User id : user name
Id desc : this is the individual user
groups =project level development group (or/and) project level manager group
Code: Select all
system:!:0:root,iwatson,erose
staff:!:1:ipsec,dasusr1,db2inst1,db2fenc1,iwatson,sshd,erose,dmaxk1,dmsxa1
bin:!:2:root,bin
sys:!:3:root,bin,sys,erose
adm:!:4:bin,adm,erose
uucp:!:5:uucp,nuucp
mail:!:6:
security:!:7:root
cron:!:8:root
printq:!:9:lp
audit:!:10:root
ecs:!:28:
nobody:!:4294967294:nobody,lpd
usr:!:100:guest
perf:!:20:
shutdown:!:21:
lp:!:11:root,lp
invscout:!:12:invscout
snapp:!:13:snapp
ipsec:!:200:
dmusers:!:201:dmtxg1
dmadmin:!:14:dmsxs1,dmaxk1,dmsxa1,dsadm,etladm
dsdevel:!:203:dmdxw1,wlrxg1,wlsxr1,wllxn1,kbaxs1,kbnxc1,kbsmk1,kbvxg1,dmdxk1,dmmxy1,dmaxm1,kbsxa1,kbbxd1,ddradm,kbnxa1,kbsxs1,dmdxk1,dmmxy1,dmaxm1
dsoper:!:204:dmdxw1,wlsapp,dbaadm,boadm
dsprdmgr:!:205:dmdxw1,wlsapp,kbbxd1,kbsxa1,kbnxa1,kbsxs1,ddradm,oriadm,wlsadmin,dmdxk1,dmmxy1,dmaxm1,dsadm,etladm
dasadm1:!:101:dasusr1,db2inst1,wlsapp
db2iadm1:!:102:wlsapp
db2fadm1:!:103:db2fenc1,wlsapp
sshd:!:209:sshd
dsadmin:!:15:ddradm,oriadm,wlsadmin,dmdxk1,dsadm,dmaxm1,dmmxy1,etladm
etladmin:!:210:etladm,ddradm,oriadm,wlsadmin,dmdxk1,dmmxy1,dmaxm1,dsadm
etldba:!:211:dbaadm,etladm
etlbo:!:212:boadm,etladm
oridev:!:213:kbaxs1,kbnxc1,kbsmk1,kbvxg1,etladm,oriadm,dsadm,dmdxk1,dmmxy1,dmaxm1,kbsxa1,kbbxd1,kbnxa1,kbsxs1
ddrdev:!:214:kbaxs1,kbnxc1,kbsmk1,kbvxg1,etladm,dsadm,dmdxk1,dmmxy1,dmaxm1,kbsxa1,kbbxd1,ddradm,kbnxa1,kbsxs1
ddrmgnr:!:215:etladm,dsadm,kbnxa1,kbsxs1,ddradm,kbbxd1,kbsxa1
wlsdev:!:216:etladm,wlsadmin,dsadm,dmdxk1,dmmxy1,dmaxm1
wlsmgnr:!:217:etladm,dsadm,wlsadmin
orimgnr:!:218:etladm,dsadm,kbnxa1,kbsxs1,oriadm
Avishek Mukherjee
Data Integration Architect
Chicago, IL, USA.
Data Integration Architect
Chicago, IL, USA.
-
- Participant
- Posts: 54607
- Joined: Wed Oct 23, 2002 10:52 pm
- Location: Sydney, Australia
- Contact:
Open your Administrator client and check on the Permissions tab for each project which DataStage roles are associated with each of the operating system group names that you mentioned. This information is what's stored in files like .developer.adm and .operator.adm.
Without that information we are fumbling in the dark.
Without that information we are fumbling in the dark.
IBM Software Services Group
Any contribution to this forum is my own opinion and does not necessarily reflect any position that IBM may hold.
Any contribution to this forum is my own opinion and does not necessarily reflect any position that IBM may hold.
Hi Rayray.wurlod wrote:Open your Administrator client and check on the Permissions tab for each project which DataStage roles are associated with each of the operating system group names that you mentioned. This information is what's stored in files like .developer.adm and .operator.adm.
Without that information we are fumbling in the dark.
hanks for your help. I would post the present structure of the .developer.adm and .operator.adm. file
Meanwhile I had a question- do I need to restart the Datastage server to make the changes in .developer.adm and .operator.adm. ieffective
Avishek Mukherjee
Data Integration Architect
Chicago, IL, USA.
Data Integration Architect
Chicago, IL, USA.
-
- Participant
- Posts: 54607
- Joined: Wed Oct 23, 2002 10:52 pm
- Location: Sydney, Australia
- Contact:
I would assume yes. I make it a practice to do so, but can not recall reading anywhere that it is necessary. However, the authentication mechanism within dsrpcd has to pick them up from somewhere, and I believe it only reads these files when it is (re-)started.
IBM Software Services Group
Any contribution to this forum is my own opinion and does not necessarily reflect any position that IBM may hold.
Any contribution to this forum is my own opinion and does not necessarily reflect any position that IBM may hold.
Thanks Ray..I would restart the server and would post if it works..ray.wurlod wrote:I would assume yes. I make it a practice to do so, but can not recall reading anywhere that it is necessary. However, the authentication mechanism within dsrpcd has to pick them up from somewhere, and I believe it only reads these files when it is (re-)started.
I had another question
If you look at the user group setting in Unix...I have dsadm id as a user in multiple group...would it affect Datastage log in permission in anyway..I mean it is correct to have developers and dsadm in same user group?
Avishek Mukherjee
Data Integration Architect
Chicago, IL, USA.
Data Integration Architect
Chicago, IL, USA.
-
- Participant
- Posts: 54607
- Joined: Wed Oct 23, 2002 10:52 pm
- Location: Sydney, Australia
- Contact:
It's perfectly fine to have the user dsadm as a member of any group that has access to DataStage projects.
Typically you make dsadm the owner in those projects (since you're logged in as dsadm when creating new projects), so it's not strictly necessary to have the dsadm ID in the groups.
Typically you make dsadm the owner in those projects (since you're logged in as dsadm when creating new projects), so it's not strictly necessary to have the dsadm ID in the groups.
IBM Software Services Group
Any contribution to this forum is my own opinion and does not necessarily reflect any position that IBM may hold.
Any contribution to this forum is my own opinion and does not necessarily reflect any position that IBM may hold.
Hi Rayray.wurlod wrote:Open your Administrator client and check on the Permissions tab for each project which DataStage roles are associated with each of the operating system group names that you mentioned. This information is what's stored in files like .developer.adm and .operator.adm.
Without that information we are fumbling in the dark.
I restarted the Datastage server-I am still unable to log in to Administrator or Designer. I am getting the message-
Code: Select all
Error calling subroutine: DSR_PROJECT (Action=17); check DataStage is set up correctly in project DDR_DEV
(Subroutine failed to complete successfully (30107))
I have provided the Unix group info in my last email still I would add it here again. Do I need to restart the Unix server itself to apply the changes??
I would also like to provide structure for .developer.adm , .dsadmin, .prodmgr.adm files. I could not see the .operator.adm in the DSHOME which is /applications/Ascential/DataStage/DSEngine in the development Unix box
This is the .developer.adm file in my project. I have added manually some Usergroups
Code: Select all
system
staff
bin
sys
adm
uucp
mail
security
cron
printq
audit
ecs
nobody
usr
perf
shutdown
lp
invscout
snapp
ipsec
dmusers
dmadmin
DataStage
etladmin
dsdevel
ddrmgnr
ddrdev
oridev
orimgnr
wlsdev
wlsmgnr
dsadmin
Code: Select all
dmadmin
DataStage
etladmin
dsprdmgr
ddrmgnr
orimgnr
wlsmgnr
dsadmin
Code: Select all
# Required by DataStage Engine - DO NOT DELETE (Oct 14 2005 12:02:11)
dsadm
Code: Select all
system:!:0:root,iwatson,erose
staff:!:1:ipsec,dasusr1,db2inst1,db2fenc1,iwatson,sshd,erose,dmaxk1,dmsxa1
bin:!:2:root,bin
sys:!:3:root,bin,sys,erose
adm:!:4:bin,adm,erose
uucp:!:5:uucp,nuucp
mail:!:6:
security:!:7:root
cron:!:8:root
printq:!:9:lp
audit:!:10:root
ecs:!:28:
nobody:!:4294967294:nobody,lpd
usr:!:100:guest
perf:!:20:
shutdown:!:21:
lp:!:11:root,lp
invscout:!:12:invscout
snapp:!:13:snapp
ipsec:!:200:
dmusers:!:201:dmtxg1
dmadmin:!:14:dmsxs1,dmaxk1,dmsxa1,dsadm,etladm
dsdevel:!:203:dmdxw1,wlrxg1,wlsxr1,wllxn1,kbaxs1,kbnxc1,kbsmk1,kbvxg1,dmdxk1,dmmxy1,dmaxm1,kbsxa1,kbbxd1,ddradm,kbnxa1,kbsxs1,dmdxk1,dmmxy1,dmaxm1
dsoper:!:204:dmdxw1,wlsapp,dbaadm,boadm
dsprdmgr:!:205:dmdxw1,wlsapp,kbbxd1,kbsxa1,kbnxa1,kbsxs1,ddradm,oriadm,wlsadmin,dmdxk1,dmmxy1,dmaxm1,dsadm,etladm
dasadm1:!:101:dasusr1,db2inst1,wlsapp
db2iadm1:!:102:wlsapp
db2fadm1:!:103:db2fenc1,wlsapp
sshd:!:209:sshd
dsadmin:!:15:ddradm,oriadm,wlsadmin,dmdxk1,dsadm,dmaxm1,dmmxy1,etladm
etladmin:!:210:etladm,ddradm,oriadm,wlsadmin,dmdxk1,dmmxy1,dmaxm1,dsadm
etldba:!:211:dbaadm,etladm
etlbo:!:212:boadm,etladm
oridev:!:213:kbaxs1,kbnxc1,kbsmk1,kbvxg1,etladm,oriadm,dsadm,dmdxk1,dmmxy1,dmaxm1,kbsxa1,kbbxd1,kbnxa1,kbsxs1
ddrdev:!:214:kbaxs1,kbnxc1,kbsmk1,kbvxg1,etladm,dsadm,dmdxk1,dmmxy1,dmaxm1,kbsxa1,kbbxd1,ddradm,kbnxa1,kbsxs1
ddrmgnr:!:215:etladm,dsadm,kbnxa1,kbsxs1,ddradm,kbbxd1,kbsxa1
wlsdev:!:216:etladm,wlsadmin,dsadm,dmdxk1,dmmxy1,dmaxm1
wlsmgnr:!:217:etladm,dsadm,wlsadmin
orimgnr:!:218:etladm,dsadm,kbnxa1,kbsxs1,oriadm
Avishek Mukherjee
Data Integration Architect
Chicago, IL, USA.
Data Integration Architect
Chicago, IL, USA.
Hi Ray
I restarted the Datastage Server using uv -admin start and stop
but the .developer.adm , .dsadmin, .prodmgr.adm files are not picked up
I changed my primary user group to a old user group and I can access the datastage. But still other developers cannot.
Do we manully update .developer.adm , .dsadmin, .prodmgr.adm files or there is a datastage application to add the unix groups to this files
Please let me know
I restarted the Datastage Server using uv -admin start and stop
but the .developer.adm , .dsadmin, .prodmgr.adm files are not picked up
I changed my primary user group to a old user group and I can access the datastage. But still other developers cannot.
Do we manully update .developer.adm , .dsadmin, .prodmgr.adm files or there is a datastage application to add the unix groups to this files
Please let me know
Avishek Mukherjee
Data Integration Architect
Chicago, IL, USA.
Data Integration Architect
Chicago, IL, USA.
-
- Participant
- Posts: 54607
- Joined: Wed Oct 23, 2002 10:52 pm
- Location: Sydney, Australia
- Contact:
I understand Ray- but that is for a particular project- I did that for each project-still it did not reflect in the .developer.adm ,and .prodmgr.adm filesray.wurlod wrote:As I already said, these files are maintained from the Permissions tab in the Adminstrator client. You can edit them manually if you prefer.
So had to manually do that.
Then I restarted the datastage server. still nothing improved..so i changed my primary user group to a old one and that worked.
Avishek Mukherjee
Data Integration Architect
Chicago, IL, USA.
Data Integration Architect
Chicago, IL, USA.