I have some questions on the security model in version 8.x.x
The security model that focuses on IIS user registry
It is my understanding that if one elects to use the IIS user registry then ONE CANNOT SHARE it with the websphere user registry.
That means security credentials have to be mapped on a user or group basis. I understand the roles mappings and how we can assign various roles.
So we essentially have to tie a datastage OS user to each of these groups.
To me that does not make a whole lot of worth. How would one trouble shoot if they are N users sharing the the same DS account.
I am hoping there are others who have setup the IIS user registry
More importantly this model simply shifts the burden of user management from the UNIX level the the tool level but at the cost of difficult to troubleshoot as in unix it will be all the same account for a bunch of individuals.
Does it even makes sense or do most customers of the product use the websphere user registry and manager users at the OS level
Security Model - IIS user registry ( does it make sense)
Moderators: chulett, rschirm, roy
-
- Participant
- Posts: 54607
- Joined: Wed Oct 23, 2002 10:52 pm
- Location: Sydney, Australia
- Contact:
It is not necessary that operating system user IDs exist. DataStage users can be created as ordinary Information Server users and the roles and credentials managed through Information Server. Such is the site where I am currently working.
IBM Software Services Group
Any contribution to this forum is my own opinion and does not necessarily reflect any position that IBM may hold.
Any contribution to this forum is my own opinion and does not necessarily reflect any position that IBM may hold.
This is what I found out
For information Analyser you can setup user in the console without needing any datastage users ( and may be that is what you meant.. sorry if I misunderstood your response)
For datastage and qualitystage user setup for most part we still have the pirmary model of 7.5.x under the hood, so unix accounts are needed and have to be managed as part of unix groups.
We could get away by creating groups and users based on only a few unix accounts and groups
The group concept in the console is different and is not the same as creating a unix group
For information Analyser you can setup user in the console without needing any datastage users ( and may be that is what you meant.. sorry if I misunderstood your response)
For datastage and qualitystage user setup for most part we still have the pirmary model of 7.5.x under the hood, so unix accounts are needed and have to be managed as part of unix groups.
We could get away by creating groups and users based on only a few unix accounts and groups
The group concept in the console is different and is not the same as creating a unix group