how do I set up user permissions to protect projects

acool
Participant
Posts: 29
Joined: Tue Feb 17, 2004 4:31 pm

Post by acool »

Hi,

I am going to set up 2 projects for 2 separate teams on the same box using DataStage Administrator.

Here is the requirement:
I need to set up 2 projects, say project1 and project2 for user1 and user2, so that user1 can ONLY access project1 and user2 can only access project2.

I need to set it up during this weekend, but it seems that Ascential's help desk is not open now. Can anyone help me with this?

Thank you so much
ray.wurlod
Participant
Posts: 54607
Joined: Wed Oct 23, 2002 10:52 pm
Location: Sydney, Australia

Post by ray.wurlod »

DataStage access security is based around operating system groups, not user IDs.

You will need to create separate groups, let's say dsproj1 and dsproj2, and put user1 in one and user2 in the other.

In the Administrator client, configure the security for project1 so that group dsproj1 is in the Developer role and group dsproj2 is in no role, and configure the security for project2 so that group dsproj1 is in no role, and group dsproj2 is in the Developer role.

Make sure both users' umask is set to 002 (perhaps in .profile), so that other members of the same developer group can access objects created.

And that's it as far as DataStage is concerned. You might like to configure yet another group as Operator role, so that "operators" can execute jobs without being able to modify the designs thereof and, of course, to remove all other groups from the Developer role.

This security information is preserved in hidden files .developer.adm and .operator.adm in the project directory on the server. You can edit these directly if you prefer. They contain a simple list of operating system group names.
IBM Software Services Group
Any contribution to this forum is my own opinion and does not necessarily reflect any position that IBM may hold.
acool
Participant
Posts: 29
Joined: Tue Feb 17, 2004 4:31 pm

Post by acool »

Great! This information is extremely helpful. Thank you!
tonystark622
Premium Member
Posts: 483
Joined: Thu Jun 12, 2003 4:47 pm
Location: St. Louis, Missouri USA

Post by tonystark622 »

I might suggest one other thing. You might want to make sure that the DataStage administrator user, 'dsadm', is a member of both groups.

Tony
WoMaWil
Participant
Posts: 482
Joined: Thu Mar 13, 2003 7:17 am
Location: Amsterdam

Post by WoMaWil »

And besides that, it is important that for the DataStage Engine itself you have a fourth or sixth group to which all developers of all projects belong as their secondary group, as well as the operators and dsadm.

Wolfgang
kduke
Charter Member
Posts: 5227
Joined: Thu May 29, 2003 9:47 am
Location: Dallas, TX

Post by kduke »

We wanted more restrictive access so we added the new project. We added a UNIX group named dstage2.

Code:

cd $DSHOME
vi dsenv
# add umask 007
vi sample/ds.rc
# change umask to 007
chmod -R 777 catdir sql DS_LICENSE

cd ../Projects
chmod -R 4770 .
chmod 4770 .
cd NewProject
chgrp -R dstage2 .
vi .developer.adm .prodmgr.adm .operator.adm
# add dstage2

This makes nobody from either group able to look at the other's jobs unless they are in both groups in /etc/group. You probably need to stop and start DataStage too.
Mamu Kim
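
An added example, not part of any post in this thread and not DataStage's own tooling: a read-only audit of one project directory against the setup described above. It assumes each role file (.developer.adm, .prodmgr.adm, .operator.adm) lists one OS group name per line, and it applies the no-access-for-other check from the umask 007 variant; the function names, path and group names are hypothetical.

```shell
#!/bin/sh
# Added example: audit one DataStage project against the setup in this thread.
# Assumption: each role file holds one OS group name per line.

# unexpected_groups ROLE_FILE ALLOWED_GROUP...
# Prints every group listed in ROLE_FILE that is not in the allow-list.
unexpected_groups() {
    role_file=$1; shift
    [ -f "$role_file" ] || return 0     # missing file: nothing to audit
    while IFS= read -r grp || [ -n "$grp" ]; do
        grp=$(printf '%s' "$grp" | tr -d ' \t\r')
        [ -n "$grp" ] || continue
        ok=no
        for allowed in "$@"; do
            if [ "$grp" = "$allowed" ]; then ok=yes; fi
        done
        [ "$ok" = yes ] || printf '%s\n' "$grp"
    done < "$role_file"
}

# world_accessible DIR
# Prints paths under DIR that grant read, write or execute to "other",
# which umask 007 (the more restrictive variant above) is meant to prevent.
world_accessible() {
    find "$1" ! -type l \( -perm -0004 -o -perm -0002 -o -perm -0001 \) -print
}

# audit_project DIR ALLOWED_GROUP...
# Prints findings and returns 1 if there are any, 0 if the project is clean.
audit_project() {
    dir=$1; shift
    report=$(
        for role in developer prodmgr operator; do
            unexpected_groups "$dir/.$role.adm" "$@" |
                sed "s|^|ROLE .$role.adm lists unexpected group: |"
        done
        world_accessible "$dir" | sed 's|^|PERM accessible to other: |'
    )
    [ -n "$report" ] || return 0
    printf '%s\n' "$report"
    return 1
}

# Usage (path and group names are placeholders):
#   audit_project /path/to/Projects/project1 dsproj1
```

A project created under umask 002 will show PERM lines for files readable by other; that is expected for the first setup in the thread and a finding only when the stricter umask 007 layout is the goal.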