Hi,
We have created a secondary group DSNOLOGIN, changed the primary group of all the users under this secondary group to 'psoft' (as per the DS admin guide, the primary group must stay the same as for the administrative user; 'psoft' is the primary group of dsadm) and assigned the Datastage <None> role to the DSNOLOGIN group in Datastage Administrator, using the dsadm user id.
But the users under DSNOLOGIN are still able to log in to the Datastage client. Is there any additional step that needs to be done to prevent access for these users?
I've also seen in Datastage Administrator guide that "When you have done this (after assigning the datastage role to secondary group), set the user role for the primary group to <None>." Page 3-3.
If we do this, how will dsadm be able to log in to the Datastage client later?
Please help me with this issue.
Datastage security group setup issue in Unix
-
- Participant
- Posts: 20
- Joined: Fri May 16, 2008 3:00 am
- Location: bangalore
Thanks,
Tirumal G
-
- Participant
- Posts: 54607
- Joined: Wed Oct 23, 2002 10:52 pm
- Location: Sydney, Australia
Users who need access to DataStage need to be in the group that has access to a DataStage role, as set in Administrator.
Users who need to be denied access to DataStage must not be in any group that has access to a DataStage role. This applies to every UNIX group to which the user has been assigned (primary and others).
IBM Software Services Group
Any contribution to this forum is my own opinion and does not necessarily reflect any position that IBM may hold.
If you want to lock it down tight, then you need to change the UNIX permissions so they cannot read the project directories. Default permissions are rwxrwxr-x. They need to be rwxrwx---. Allowing users to read but not run or compile is a different issue. The manual is trying to explain how to keep groups from reading other projects or compiling. Say dsadm is the user which installed DataStage and the primary group for dsadm is dstage. Then all DataStage users need to have dstage as a primary or secondary group. Then they could have whatever group for a specific project. Say you have a payroll group for a project that only a couple of users have access to. Add this group as a secondary group to those users only. Create the project. Change the group to payroll at the UNIX level and all files in the project directory.
Next, make sure that in dsenv you have
umask 007
I would also add this line to the startup script for DataStage. It is usually called uv.rc.
Mamu Kim
-
- Participant
- Posts: 54607
- Joined: Wed Oct 23, 2002 10:52 pm
- Location: Sydney, Australia
Kim is living in the past. These days (since version 6.0) the DataStage startup script is usually called ${DSHOME}/sample/ds.rc. Other "auto start" scripts are links to this, as the uv -admin -info command will reveal.
IBM Software Services Group
Any contribution to this forum is my own opinion and does not necessarily reflect any position that IBM may hold.