DataStage 7.5 - Restrict access to particular user

matrix2682 · Post by **matrix2682** » Wed Mar 16, 2011 9:16 am

Hi,

We need to restrict particular user (Read only access) to a project. So, do we need to assign "DataStage Operator" role to the Group to which that user belongs to? Is that sufficient?

Or, do we need to set some specific permission at OS level?

Please advise.

Thanks.

chulett · Post by **chulett** » Wed Mar 16, 2011 9:35 am

Please define for us exactly what 'read only' means in your case.

matrix2682 · Post by **matrix2682** » Wed Mar 16, 2011 10:43 am

Craig,

We have one common DataStage project to which we need to restrict access to few users.

Those users should only have Read only access to all the jobs in that particular project.

They should not be allowed to modify/create jobs in that project.

Please let me know if we make the group to which those users belong as "DataStage Operator", will that be fine?

Thanks.

chulett · Post by **chulett** » Wed Mar 16, 2011 11:03 am

An 'Operator' could still attempt to run the job, would that be a problem?

matrix2682 · Post by **matrix2682** » Wed Mar 16, 2011 11:07 am

No issues with that, Craig.

They should not modify any existing jobs in that project.

So, adding those user group as "Operator" would suffice? Do we need to do more at AIX level?

chulett · Post by **chulett** » Wed Mar 16, 2011 11:26 am

I'm pretty sure that would be ok and all that you'd need to do but not anywhere I could verify. Check your docs as the Operator role went through changes over time, so you'd need to verify what exactly it enforces in your version. Should be easy enough to test it, I would imagine.

matrix2682 · Post by **matrix2682** » Wed Mar 16, 2011 11:43 am

Thanks Craig.

I tested it by creating a group "testgrp" and added a user id "test" to it.

In DS Administrator, I assigned "DataStage Operator" role to that "testgrp".

When I am trying to login, the following error message is appearing.

"Record D80FBFBF-2CD3-4DC3-B823-FF6D0AAB73E2-SYSTEM3:700570 on file 29 cannot be written"

Is this something with permission at OS level?

chulett · Post by **chulett** » Wed Mar 16, 2011 12:51 pm

Probably... does the group the new user belongs to have enough permissions into the project? Specifically for system objects like the DS_AUDIT hashed file? I'm not sure exactly what might get written to upon logon, I'm sure others here will, however.

I'm guessing you may still not be able to logon even with a different role assigned to that user.

cecilia · Post by **cecilia** » Wed Mar 16, 2011 2:15 pm

Hi
I don't think Operator role will help you. DataStage Operators only can see jobs that had been released (option Release job). Whe you release a job, it is added subfix numbers to job's name (something like MyJob.15.1.0), this requests that you change the sequence job name that could be calling the job to get the last version (MyJob.15.1.1).
In your case, I suggest you restrict permission from OS level, even when the users will get errors when they attempt to do an invalid option.
Regards,
Cecilia

matrix2682 · Post by **matrix2682** » Wed Mar 16, 2011 3:02 pm

Thanks Cecilia.

Where should I restrict the user at OS level?

Is that okay if I set permissions like (chmod 744) to the project directory alone?

Or do I need to restrict in some other path too?

chulett · Post by **chulett** » Wed Mar 16, 2011 3:07 pm

Farg! Forgot about the old 'released jobs only' crappola in your version, sorry. So yes, you'll need to play permissions games or perhaps use a restrictive group.

chulett · Post by **chulett** » Wed Mar 16, 2011 3:10 pm

cecilia wrote:When you release a job, it is added subfix numbers to job's name (something like MyJob.15.1.0), this requests that you change the sequence job name that could be calling the job to get the last version (MyJob.15.1.1).

Not to derail the thread but this is a common misconception and not at all true. You can still refer to the 'base' or regular (unreleased) name of the job and it will automagically run the highest version it can find in the Project.

ray.wurlod · Post by **ray.wurlod** » Wed Mar 16, 2011 3:42 pm

You're doing well so far. All users need write permission to the DS_LICENSE hashed file in the DSEngine directory. This is the "file 29" that the error message was complaining about.

matrix2682 · Post by **matrix2682** » Wed Mar 16, 2011 4:01 pm

Thanks Ray and Craig.

Yes, after setting "write" permission to all users to DS_LICENSE file, that error was resolved.

Currently, the "test" user is in "testgrp" only. So, do I need to add the "test" user to "dstage" group (dsadm group) also, to allow the user to login to DataStage Designer?

ray.wurlod · Post by **ray.wurlod** » Wed Mar 16, 2011 4:11 pm

Does the dstage group have Developer role in the project? If so, adding this user to that group would defeat your objective. You need to add this user or group to the DataStage roles using Adminstrator client. You may also need to ensure that all users have read access (and "x" to directories) throughout the project directory.