Unix user group setup for Datastage implementation

avi21st · Post by **avi21st** » Wed Sep 27, 2006 11:54 am

Hi

I am setting up the Unix groups for my organization- we are implementing Datastage for the first time. I wanted some input on this. Also this is how I plan to setup the user.

First I have a etl level admin id.

User id : etladm
Id desc: this is the owner of all the Unix level directories for ETL
groups=etladmin, etldba, etlbo, project level development group, project level manager group

Then I have project level admin Ids:
User id : project_cd>adm
Id desc: this is the owner of all the Unix level directories for a project but would be always under the ETL directory
groups=dsadmin, project level development group, project level manager group

Then I have the datastage administrator:

User id : dsadm
Id desc: this is the datastage administrator
groups=dsadmin, project level development group, project level manager group

Atlast I have the general user

User id : user name
Id desc: this is the individual user
groups=project level development group (or/and) project level manager group

Please guide me.

kduke · Post by **kduke** » Wed Sep 27, 2006 3:30 pm

Start with one group like dstage. Put all developers including dsadm in this one group.

ray.wurlod · Post by **ray.wurlod** » Wed Sep 27, 2006 3:48 pm

Use the Permissions tab in Project Properties in Administrator to assign DataStage roles to your group.

Create the dsadm user identity for administering DataStage.

avi21st · Post by **avi21st** » Thu Sep 28, 2006 11:37 am

ray.wurlod wrote:Use the Permissions tab in Project Properties in Administrator to assign DataStage roles to your group.

Create the dsadm user identity for administering DataStage.

Which user group should "dsadm" lie- should it be in all user group where the Datastage users are present?

avi21st · Post by **avi21st** » Thu Sep 28, 2006 11:52 am

Hi

I am still unable to log on to Datastage.........do I need to restart the Datastage server after changing the User groups in Unix. What else I need to do...

There are two files in /applications/Ascential/DataStage/DSEngine- .developer.adm and .dsadmin. In these files do I need to add the user groups

This is the user group plan...and the actual structure in UNIX....etc/group

User id : etladm
Id desc: this is the owner of all the Unix level directories for ETL
groups =etladmin, etldba, etlbo, project level development group, project level manager group

Then I have project level admin Ids:
User id : project_cd>adm
Id desc : this is the owner of all the Unix level directories for a project but would be always under the ETL directory
groups =dsadmin, project level development group, project level manager group

Then I have the datastage administrator:

User id : dsadm
Id desc : this is the datastage administrator
groups =dsadmin, project level development group, project level manager group

Atlast I have the general user

User id : user name
Id desc : this is the individual user
groups =project level development group (or/and) project level manager group

Code: Select all

system:!:0:root,iwatson,erose
staff:!:1:ipsec,dasusr1,db2inst1,db2fenc1,iwatson,sshd,erose,dmaxk1,dmsxa1
bin:!:2:root,bin
sys:!:3:root,bin,sys,erose
adm:!:4:bin,adm,erose
uucp:!:5:uucp,nuucp
mail:!:6:
security:!:7:root
cron:!:8:root
printq:!:9:lp
audit:!:10:root
ecs:!:28:
nobody:!:4294967294:nobody,lpd
usr:!:100:guest
perf:!:20:
shutdown:!:21:
lp:!:11:root,lp
invscout:!:12:invscout
snapp:!:13:snapp
ipsec:!:200:
dmusers:!:201:dmtxg1
dmadmin:!:14:dmsxs1,dmaxk1,dmsxa1,dsadm,etladm
dsdevel:!:203:dmdxw1,wlrxg1,wlsxr1,wllxn1,kbaxs1,kbnxc1,kbsmk1,kbvxg1,dmdxk1,dmmxy1,dmaxm1,kbsxa1,kbbxd1,ddradm,kbnxa1,kbsxs1,dmdxk1,dmmxy1,dmaxm1
dsoper:!:204:dmdxw1,wlsapp,dbaadm,boadm
dsprdmgr:!:205:dmdxw1,wlsapp,kbbxd1,kbsxa1,kbnxa1,kbsxs1,ddradm,oriadm,wlsadmin,dmdxk1,dmmxy1,dmaxm1,dsadm,etladm
dasadm1:!:101:dasusr1,db2inst1,wlsapp
db2iadm1:!:102:wlsapp
db2fadm1:!:103:db2fenc1,wlsapp
sshd:!:209:sshd
dsadmin:!:15:ddradm,oriadm,wlsadmin,dmdxk1,dsadm,dmaxm1,dmmxy1,etladm
etladmin:!:210:etladm,ddradm,oriadm,wlsadmin,dmdxk1,dmmxy1,dmaxm1,dsadm
etldba:!:211:dbaadm,etladm
etlbo:!:212:boadm,etladm
oridev:!:213:kbaxs1,kbnxc1,kbsmk1,kbvxg1,etladm,oriadm,dsadm,dmdxk1,dmmxy1,dmaxm1,kbsxa1,kbbxd1,kbnxa1,kbsxs1
ddrdev:!:214:kbaxs1,kbnxc1,kbsmk1,kbvxg1,etladm,dsadm,dmdxk1,dmmxy1,dmaxm1,kbsxa1,kbbxd1,ddradm,kbnxa1,kbsxs1
ddrmgnr:!:215:etladm,dsadm,kbnxa1,kbsxs1,ddradm,kbbxd1,kbsxa1
wlsdev:!:216:etladm,wlsadmin,dsadm,dmdxk1,dmmxy1,dmaxm1
wlsmgnr:!:217:etladm,dsadm,wlsadmin
orimgnr:!:218:etladm,dsadm,kbnxa1,kbsxs1,oriadm

ray.wurlod · Post by **ray.wurlod** » Thu Sep 28, 2006 3:39 pm

Open your Administrator client and check on the Permissions tab for each project which DataStage roles are associated with each of the operating system group names that you mentioned. This information is what's stored in files like .developer.adm and .operator.adm.
Without that information we are fumbling in the dark.

avi21st · Post by **avi21st** » Thu Sep 28, 2006 11:17 pm

ray.wurlod wrote:Open your Administrator client and check on the Permissions tab for each project which DataStage roles are associated with each of the operating system group names that you mentioned. This information is what's stored in files like .developer.adm and .operator.adm.
Without that information we are fumbling in the dark.

Hi Ray

hanks for your help. I would post the present structure of the .developer.adm and .operator.adm. file

Meanwhile I had a question- do I need to restart the Datastage server to make the changes in .developer.adm and .operator.adm. ieffective

ray.wurlod · Post by **ray.wurlod** » Thu Sep 28, 2006 11:27 pm

I would assume yes. I make it a practice to do so, but can not recall reading anywhere that it is necessary. However, the authentication mechanism within dsrpcd has to pick them up from somewhere, and I believe it only reads these files when it is (re-)started.

avi21st · Post by **avi21st** » Thu Sep 28, 2006 11:35 pm

ray.wurlod wrote:I would assume yes. I make it a practice to do so, but can not recall reading anywhere that it is necessary. However, the authentication mechanism within dsrpcd has to pick them up from somewhere, and I believe it only reads these files when it is (re-)started.

Thanks Ray..I would restart the server and would post if it works..

I had another question

If you look at the user group setting in Unix...I have dsadm id as a user in multiple group...would it affect Datastage log in permission in anyway..I mean it is correct to have developers and dsadm in same user group?

ray.wurlod · Post by **ray.wurlod** » Fri Sep 29, 2006 1:21 am

It's perfectly fine to have the user dsadm as a member of any group that has access to DataStage projects.

Typically you make dsadm the owner in those projects (since you're logged in as dsadm when creating new projects), so it's not strictly necessary to have the dsadm ID in the groups.

avi21st · Post by **avi21st** » Fri Sep 29, 2006 2:11 pm

ray.wurlod wrote:Open your Administrator client and check on the Permissions tab for each project which DataStage roles are associated with each of the operating system group names that you mentioned. This information is what's stored in files like .developer.adm and .operator.adm.
Without that information we are fumbling in the dark.

Hi Ray

I restarted the Datastage server-I am still unable to log in to Administrator or Designer. I am getting the message-

Code: Select all

Error calling subroutine: DSR_PROJECT (Action=17); check DataStage is set up correctly in project DDR_DEV
(Subroutine failed to complete successfully (30107))

I have my id added in the group via Unix as well as thru datastage properties permission tab. My unix id is "dmaxm1" as seen by the Unix group setting I am providing below. Please help me on this. Again Please help.

I have provided the Unix group info in my last email still I would add it here again. Do I need to restart the Unix server itself to apply the changes??

I would also like to provide structure for .developer.adm , .dsadmin, .prodmgr.adm files. I could not see the .operator.adm in the DSHOME which is /applications/Ascential/DataStage/DSEngine in the development Unix box
This is the .developer.adm file in my project. I have added manually some Usergroups

Code: Select all

system
staff
bin
sys
adm
uucp
mail
security
cron
printq
audit
ecs
nobody
usr
perf
shutdown
lp
invscout
snapp
ipsec
dmusers
dmadmin
DataStage
etladmin
dsdevel
ddrmgnr
ddrdev
oridev
orimgnr
wlsdev
wlsmgnr
dsadmin

Next is the .prodmgr.adm file.

Code: Select all

dmadmin
DataStage
etladmin
dsprdmgr
ddrmgnr
orimgnr
wlsmgnr
dsadmin

The last is the .dsadmin file

Code: Select all

# Required by DataStage Engine - DO NOT DELETE (Oct 14 2005 12:02:11)
dsadm

Finally this is my Unix group structure from etc/group

Code: Select all

system:!:0:root,iwatson,erose
staff:!:1:ipsec,dasusr1,db2inst1,db2fenc1,iwatson,sshd,erose,dmaxk1,dmsxa1
bin:!:2:root,bin
sys:!:3:root,bin,sys,erose
adm:!:4:bin,adm,erose
uucp:!:5:uucp,nuucp
mail:!:6:
security:!:7:root
cron:!:8:root
printq:!:9:lp
audit:!:10:root
ecs:!:28:
nobody:!:4294967294:nobody,lpd
usr:!:100:guest
perf:!:20:
shutdown:!:21:
lp:!:11:root,lp
invscout:!:12:invscout
snapp:!:13:snapp
ipsec:!:200:
dmusers:!:201:dmtxg1
dmadmin:!:14:dmsxs1,dmaxk1,dmsxa1,dsadm,etladm
dsdevel:!:203:dmdxw1,wlrxg1,wlsxr1,wllxn1,kbaxs1,kbnxc1,kbsmk1,kbvxg1,dmdxk1,dmmxy1,dmaxm1,kbsxa1,kbbxd1,ddradm,kbnxa1,kbsxs1,dmdxk1,dmmxy1,dmaxm1
dsoper:!:204:dmdxw1,wlsapp,dbaadm,boadm
dsprdmgr:!:205:dmdxw1,wlsapp,kbbxd1,kbsxa1,kbnxa1,kbsxs1,ddradm,oriadm,wlsadmin,dmdxk1,dmmxy1,dmaxm1,dsadm,etladm
dasadm1:!:101:dasusr1,db2inst1,wlsapp
db2iadm1:!:102:wlsapp
db2fadm1:!:103:db2fenc1,wlsapp
sshd:!:209:sshd
dsadmin:!:15:ddradm,oriadm,wlsadmin,dmdxk1,dsadm,dmaxm1,dmmxy1,etladm
etladmin:!:210:etladm,ddradm,oriadm,wlsadmin,dmdxk1,dmmxy1,dmaxm1,dsadm
etldba:!:211:dbaadm,etladm
etlbo:!:212:boadm,etladm
oridev:!:213:kbaxs1,kbnxc1,kbsmk1,kbvxg1,etladm,oriadm,dsadm,dmdxk1,dmmxy1,dmaxm1,kbsxa1,kbbxd1,kbnxa1,kbsxs1
ddrdev:!:214:kbaxs1,kbnxc1,kbsmk1,kbvxg1,etladm,dsadm,dmdxk1,dmmxy1,dmaxm1,kbsxa1,kbbxd1,ddradm,kbnxa1,kbsxs1
ddrmgnr:!:215:etladm,dsadm,kbnxa1,kbsxs1,ddradm,kbbxd1,kbsxa1
wlsdev:!:216:etladm,wlsadmin,dsadm,dmdxk1,dmmxy1,dmaxm1
wlsmgnr:!:217:etladm,dsadm,wlsadmin
orimgnr:!:218:etladm,dsadm,kbnxa1,kbsxs1,oriadm

[/code]

avi21st · Post by **avi21st** » Fri Sep 29, 2006 4:09 pm

Hi Ray

I restarted the Datastage Server using uv -admin start and stop
but the .developer.adm , .dsadmin, .prodmgr.adm files are not picked up

I changed my primary user group to a old user group and I can access the datastage. But still other developers cannot.

Do we manully update .developer.adm , .dsadmin, .prodmgr.adm files or there is a datastage application to add the unix groups to this files

Please let me know

ray.wurlod · Post by **ray.wurlod** » Fri Sep 29, 2006 4:14 pm

As I already said, these files are maintained from the Permissions tab in the Adminstrator client. You can edit them manually if you prefer.

avi21st · Post by **avi21st** » Fri Sep 29, 2006 4:20 pm

ray.wurlod wrote:As I already said, these files are maintained from the Permissions tab in the Adminstrator client. You can edit them manually if you prefer.

I understand Ray- but that is for a particular project- I did that for each project-still it did not reflect in the .developer.adm ,and .prodmgr.adm files

So had to manually do that.

Then I restarted the datastage server. still nothing improved..so i changed my primary user group to a old one and that worked.