Hi,
I am going to set up 2 projects for 2 seperated teams on the same box using Datastage Administrator.
here is the requirement:
I need to set up 2 projects, say project1 and project2 for user1 and user2, so that user1 can ONLY access project1 and user2 can only access project2.
I need to set it up during this weekend, but it seems that ascential's help desk does not open now. Can anyone help me with this?
thank you so much
how do I set up user permissions to protect projects
Moderators: chulett, rschirm, roy
-
- Participant
- Posts: 54607
- Joined: Wed Oct 23, 2002 10:52 pm
- Location: Sydney, Australia
- Contact:
DataStage access security is based around operating system groups, not user IDs.
You will need to create separate groups, let's say dsproj1 and dsproj2, and put user1 in one and user2 in the other.
In the Administrator client, configure the security for project1 so that group dsproj1 is in the Developer role and group dsproj2 is in no role, and configure the security for project2 so that group dsproj1 is in no role, and group dsproj2 is in the Developer role.
Make sure both users' umask is set to 002 (perhaps in .profile), so that other members of the same developer group can access objects created.
And that's it as far as DataStage is concerned. You might like to configure yet another group as Operator role, so that "operators" can execute jobs without being able to modify the designs thereof and, of course, to remove all other groups from the Developer role.
This security information is preserved in hidden files .developer.adm and .operator.adm in the project directory on the server. You can edit these directly if you prefer. They contain a simple list of operating system group names.
You will need to create separate groups, let's say dsproj1 and dsproj2, and put user1 in one and user2 in the other.
In the Administrator client, configure the security for project1 so that group dsproj1 is in the Developer role and group dsproj2 is in no role, and configure the security for project2 so that group dsproj1 is in no role, and group dsproj2 is in the Developer role.
Make sure both users' umask is set to 002 (perhaps in .profile), so that other members of the same developer group can access objects created.
And that's it as far as DataStage is concerned. You might like to configure yet another group as Operator role, so that "operators" can execute jobs without being able to modify the designs thereof and, of course, to remove all other groups from the Developer role.
This security information is preserved in hidden files .developer.adm and .operator.adm in the project directory on the server. You can edit these directly if you prefer. They contain a simple list of operating system group names.
IBM Software Services Group
Any contribution to this forum is my own opinion and does not necessarily reflect any position that IBM may hold.
Any contribution to this forum is my own opinion and does not necessarily reflect any position that IBM may hold.
Great! This information is extremely helpful. Thank you!
ray.wurlod wrote:DataStage access security is based around operating system groups, not user IDs.
You will need to create separate groups, let's say dsproj1 and dsproj2, and put user1 in one and user2 in the other.
In the Administrator client, configure the security for project1 so that group dsproj1 is in the Developer role and group dsproj2 is in no role, and configure the security for project2 so that group dsproj1 is in no role, and group dsproj2 is in the Developer role.
Make sure both users' umask is set to 002 (perhaps in .profile), so that other members of the same developer group can access objects created.
And that's it as far as DataStage is concerned. You might like to configure yet another group as Operator role, so that "operators" can execute jobs without being able to modify the designs thereof and, of course, to remove all other groups from the Developer role.
This security information is preserved in hidden files .developer.adm and .operator.adm in the project directory on the server. You can edit these directly if you prefer. They contain a simple list of operating system group names.
-
- Premium Member
- Posts: 483
- Joined: Thu Jun 12, 2003 4:47 pm
- Location: St. Louis, Missouri USA
We wanted more restrictive access so we added the new project. We added a UNIX group named dstage2.
This makes nobody from either group able to look at the others jobs unless they are in both groups in /etc/group. You probably need to stop and start DataStage too.
Code: Select all
cd $DSHOME
vi dsenv
# add umask 007
vi sample/ds.rc
# change umask to 007
chmod -R 777 catdir sql DS_LICENSE
cd ../Projects
chmod -R 4770 .
chmod 4770 .
cd NewProject
chgrp -R dstage2 .
vi .developer.adm .prodmgr.adm .operator.adm
# add dstage2
Mamu Kim