Using different groups

ogmios · Post by **ogmios** » Sun Jun 29, 2003 4:21 am

Does anyone have a solution for the following: in DataStage v6.0 running on Unix. We have 2 (unix) groups, one group would have full access, the other group would only be allowed read access in DataStage.

We're not using releasing of jobs (this would make it possible to differentiate between operator and developer in DataStage), but we've had some bad experiences with it. Does anyone actually use releasing of jobs?

I have been thinking of giving the 2 groups developer access. but on a UNIX level keep all of the project files/directories on the first group while giving read access to world, so that the read-only group can login and read via Director but can't do anything else useful.

Or does anyone have other ideas on how to solve such a situation?

Regards,
Ogmios

roy · Post by **roy** » Sun Jun 29, 2003 5:48 am

Hi,
you can acheive a operator/developer distinction quite easy with DS.

in your DSAdministrator select your project then properties.
in there you'll see the permitions tab.

once there you can asosiate each group on your machine to 1 of developer/operator & none.

Hope this helps[:)]

Roy R.

kduke · Post by **kduke** » Sun Jun 29, 2003 7:37 am

Ogmios

If you think that someone who runs a job only needs read access then you are wrong. DataStage Administrator has the ability to make a user so they can only run jobs as operators. It does work. You can set permissions so that it is read only for a group and assign users to that group. They will be able to view jobs but not run them. If one of these read only users looks at a job in Designer then that job is locked by DataStage because it does not need write permission to lock a job. These users typically do not understand the importance of locked jobs. If you have 3 projects like DEV, TEST and PROD then let them have access to TEST. The least amount of problems will be caused by giving them access to TEST. Developers should not have access to PROD only the DataStage admin user.

Thanks Kim.

Kim Duke
DwNav - ETL Navigator
www.Duke-Consulting.com

ogmios · Post by **ogmios** » Sun Jun 29, 2003 8:17 am

I know the distinction between operator and developer in DataStage, but if I put a user (actually the group the user is in) to operator he can only see released jobs.

And since we're not releasing jobs the operator rights are pretty useless. Hence the id of giving both developer rights, but putting all of the project files under the first group id, while giving only read access to the other group id.

Ogmios

roy · Post by **roy** » Sun Jun 29, 2003 9:51 am

if that is hte case then the only thing that might help is OS previlages control.
grant only read and access permitions to the operator's group and full permitions to the developer's group.

hope that will do [:)]

Roy R.

ray.wurlod · Post by **ray.wurlod** » Sun Jun 29, 2003 4:31 pm

There's yet another check box that you need in the Administrator client. In the project properties (Permissions tab) check the box labelled "DataStage Operator can view full log".

Ray Wurlod
Education and Consulting Services
ABN 57 092 448 518

kduke · Post by **kduke** » Sun Jun 29, 2003 5:39 pm

ogmios

I was talking about UNIX control. You will need to change the umask to 002. I would do this in .dsenv. You need to stop and start DataStage to do this. It would be a lot of work but you need to write to all the RT files. Lets say a developer is in group dsdev and operators in dsrun. I would change &PH& to a type 19 file. At TCL:
RESIZE &PH& 19

umask 002 in .dsenv

cd projectdir
chmod -R 4777 *RT*
chmod -R 4777 &PH&

I would NOT recommend this but this should work. Everytime you add a new job or maybe even recompile a job then you need to chmod again. Good luck.

Thanks Kim.

Kim Duke
DwNav - ETL Navigator
www.Duke-Consulting.com