SOD (Separation of duties) conflicts

kalyanvinnakota
Participant
Posts: 48
Joined: Thu May 05, 2005 9:24 pm

SOD (Separation of duties) conflicts

Post by kalyanvinnakota »

We have 3 user ids (e.g. A, B, C), all belonging to the primary group dstage.

A - Code is owned by A and jobs run under this id. This is the dsadm id.
B - Code is moved to the production system using this id (has the Production Manager role).
C - This user id is used by our team to monitor the job runs. We also need to connect to Designer and check data many times. (This id has the Developer role; the projects are protected.)

Ours is a small team; we develop the code and also monitor the jobs in production.

Problem is:

User ids B and C are in group dstage. I need write access for user id B (part of group dstage and moves code) but no write access for C (since the support team should not be able to run jobs).

I have written a script which changes the ownership from B to A after code is moved by B. This script also gives 754 to all the newly moved code.
This looks ok. By doing this, user id A gets back the ownership and runs the jobs, and C, which is part of the group, has no write privilege and can only monitor the data.

The problem now happens when existing jobs have to be overwritten. Since it is 754, B cannot move the code anymore.

I tried many options and I see that if I don't give write privilege to the RT_LOG file and give 774 to all the remaining files, new code can be moved on top of existing code with no problem. When people in the "group" try to access the job, it throws an error.

But this does not look like a good way of implementing this.

I want to know how SOD conflicts can be avoided, as the same functional id cannot be shared between code moves, support and ownership.

Thanks in advance,
-kalyan
dganeshm
Premium Member
Posts: 91
Joined: Tue Aug 11, 2009 3:26 pm

Re: SOD (Separation of duties) conflicts

Post by dganeshm »

I think having 3 different roles/groups would make your life easier.
Regards,
Ganesh
kalyanvinnakota
Participant
Posts: 48
Joined: Thu May 05, 2005 9:24 pm

Post by kalyanvinnakota »

We are using different roles.

The problem is:

The team who owns id A and re-runs the jobs (on failure) does not know anything about DataStage. That is the reason why the development team has to log in to Designer to check jobs on failure.

So C has a Developer role and B, which moves the code into the protected project, has a Production Manager role.

Regards,
-Kalyan
kalyanvinnakota
Participant
Posts: 48
Joined: Thu May 05, 2005 9:24 pm

Post by kalyanvinnakota »

Hi All,

I came up with a plan to implement this in our project. Seems to work with one small problem.

1. Made all DataStage code belong to group G1 (different from dstage).
2. Users A and B are part of this secondary group G1.
3. User C falls in the "others" category but is part of group G2, which has Developer rights for the project.
4. Gave all code 775 access.

A and B have equal rights to the code. A can run jobs, B can move code.
C can connect to DataStage Designer, but cannot run jobs, since there is no write access.

Also, others on our system cannot access DataStage, since they have to belong to either G1 or G2, which they do not.

One problem that I see is when user C is connected to Designer and checks the data in a hash file: the moment I click "close", the connection is gone.

-Regards,
Kalyan
Every problem is an opportunity and every solution is a learning.
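The two permission layouts discussed in this thread (chown to A plus 754 in the first post, and the G1/G2 secondary-group layout with 775 in the last post) come down to which Unix permission class each id falls into. The following is an added example, not code from the thread or from DataStage; the user names, the assumption that the 754 files carried the primary group dstage, and the group memberships are constructed from the posts. It models only the file-permission layer, not DataStage project roles.

```python
# Constructed model of the Unix permission layer discussed in this thread.
# It does not model DataStage project roles (Developer / Production Manager).
from dataclasses import dataclass


@dataclass(frozen=True)
class User:
    name: str
    groups: frozenset  # primary plus secondary groups


@dataclass(frozen=True)
class File:
    owner: str
    group: str
    mode: int  # permission bits, e.g. 0o754


def _class_bits(user: User, f: File) -> int:
    # Unix picks exactly one class: owner, else group, else other.
    if user.name == f.owner:
        return (f.mode >> 6) & 0o7
    if f.group in user.groups:
        return (f.mode >> 3) & 0o7
    return f.mode & 0o7


def can_read(user: User, f: File) -> bool:
    return bool(_class_bits(user, f) & 0o4)


def can_write(user: User, f: File) -> bool:
    return bool(_class_bits(user, f) & 0o2)


# Hypothetical ids standing in for the thread's A (dsadm), B (code mover), C (support).
A = User("dsadm", frozenset({"dstage", "G1"}))
B = User("mover", frozenset({"dstage", "G1"}))
C = User("support", frozenset({"dstage", "G2"}))


def access_matrix(f: File) -> dict:
    """Return {user: (read, write)} for the three ids against one job file."""
    return {u.name: (can_read(u, f), can_write(u, f)) for u in (A, B, C)}


# First approach in the thread: chown to A, chmod 754, group assumed to be dstage.
# B lands in the group class (r-x), which is why B can no longer overwrite jobs.
CHOWN_754 = File(owner="dsadm", group="dstage", mode=0o754)
# Later approach: code grouped under G1 (A and B members), chmod 775.
# C is not in G1, so it falls into "other" (r-x) and cannot write.
GROUP_775 = File(owner="dsadm", group="G1", mode=0o775)
```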