Data security

Posted: Wed Feb 08, 2006 10:50 pm
by jzparad
Hi all,

The DataStage Administrator guide describes the Operator role as someone who has permission to run and manage DataStage jobs. I'm assuming that this simply means that an operator is not allowed to modify a job.

What I'm after is a way of allowing someone to run jobs, look at logs but not be able to view the data. Is this at all possible? It would seem to me not but maybe someone out there has come up with a way.


Thanks in advance.

Posted: Thu Feb 09, 2006 1:47 am
by ArndW
Since access to data is determined by a userid (an OS one or a database one) I don't think it is possible - since a user needs to read the data in order to run a job it is impossible to keep that user from reading the data outside of DS. If you implement a system using parameters and computed userids/passwords or time-dependent access it might be possible, but it would still be capable of circumvention.

Posted: Thu Feb 09, 2006 3:58 am
by jzparad
Thanks Arnd,

I thought that might be the case but I was hoping someone out there would suggest a "sudo for Windows" type solution.

Posted: Thu Feb 09, 2006 8:00 am
by chulett
Curious, Jim...what do you mean by "view the data"? What data, exactly?

Posted: Thu Feb 09, 2006 3:47 pm
by jzparad
> Curious, Jim...what do you mean by "view the data"? What data, exactly?

The data being transformed is what is called sensitive data. An example of this would be HR information about employees. The customer wants to be able to have operators (perhaps even from offshore companies) run the jobs and view the logs but they do not want these operators to actually view the data that is being transformed. This means that they should not be able to go to the actual data files and open them. In the case of database tables, they should be prevented from logging in to the database and viewing the actual tables.

Posted: Fri Feb 10, 2006 3:51 am
by ameyvaidya
Jim,
Viewing of data through DataStage is not possible through Director (at least I haven't figured out a way of doing it).

As far as securing the file locations and database connections, they can be stored as encrypted user-defined environment variables.

So if only Director is installed on the operators' workstations, they should not have access to any data.

Posted: Fri Feb 10, 2006 3:04 pm
by ray.wurlod
I think, if you install with the Operator's licence (xxxxxx-DSDIR) on the Operator's PC, you will get pretty much exactly what you want. The Operator role only allows the running of released jobs (at least up to version 7.0) and does not allow viewing of log entries that might contain data (unless this is explicitly permitted via a check box in the Administrator client).

Posted: Fri Feb 10, 2006 3:23 pm
by jzparad
> Viewing of data through DataStage is not possible through Director (at least I haven't figured out a way of doing it).

> I think, if you install with the Operator's licence (xxxxxx-DSDIR) on the Operator's PC, you will get pretty much exactly what you want. The Operator role only allows the running of released jobs (at least up to version 7.0) and does not allow viewing of log entries that might contain data (unless this is explicitly permitted via a check box in the Administrator client).


I think I left out one important detail in explaining the problem. The environment is Windows and everyone uses Terminal Service to connect remotely to the box. This includes developers and operators. This means that everyone has access to OS level files.

However, I think that your solution is probably the best we'll get. We are just going to have to insist that the operators use remote clients to run the jobs.


Thanks everyone for your input.