SOX compliance for DataStage environments
I am sure that some of you have gone through SOX compliance for DataStage and have designed the policies and controls to achieve SOX compliance.
At my site also, we are going through putting the controls in DEV, QA and PROD environments. There are a few points where the security team is not happy with the way DataStage works, for example:
1. It does not have auditing capability during development.
2. It uses UNIX authentication but allows users to login into DataStage even if their UNIX password has expired.
I will appreciate your inputs and suggestions of best practices around SOX compliance in DataStage.
Thanks,
Dinesh
There is an audit table, only it is hidden. Version Control will track versions of jobs if used. Automated exports can also satisfy the tracking of changes.
I have never tried logging in with an expired password. I am sure there could be an admin solution to satisfy this need. Maybe a shell script to disable these accounts or force a password change.
Mamu Kim
Re: SOX compliance for DataStage environments
dnsjain wrote: 2. It uses UNIX authentication but allows users to login into DataStage even if their UNIX password has expired.
I would be very surprised if that were true.
IBM Software Services Group
Any contribution to this forum is my own opinion and does not necessarily reflect any position that IBM may hold.
DSguru2B wrote: Logging in with an expired unix id huh, wow, harry potter is real
I knew that it is hard to believe but it is true (Not Harry Potter!!! The DataStage bug!!!). The password gets expired at the UNIX level; if a user logs in at the UNIX level they will be validated and prompted for the new password, but DataStage uses a background process to connect which just validates the user but does not go to the extra level.
I have DataStage running on Solaris and there are a few developers whose passwords have expired but they are developing jobs in DataStage without any problem.
I even opened an eSupport case with IBM and they agreed on this one and asked me to try PAM security, which I still need to test.
Dinesh
dnsjain wrote: DSguru2B wrote: Logging in with an expired unix id huh, wow, harry potter is real
We are on AIX and do not have that "issue". If your password is expired on Unix, you don't get in. (In fact that has been true for several versions back of DataStage.)
My guess is there is an environmental hole your site could address without IBM having to make changes.
Rick H
Senior Consultant
"The Bird"....
dnsjain wrote: DSguru2B wrote: Logging in with an expired unix id huh, wow, harry potter is real
newtier wrote: We are on AIX and do not have that "issue". If your password is expired on Unix, you don't get in. (In fact that has been true for several versions back of DataStage.) My guess is there is an environmental hole your site could address without IBM having to make changes.
We are on AIX and I have also faced this problem. If the UNIX account is locked (for example, invalid password entered more than 3 times) DataStage is able to restrict login. But if the password is expired (user has not logged in for n number of days), or for a login with a newly created account where the password needs to be changed at first login, DataStage is not able to restrict login.
For SOX compliance, we have put the following process in place:
1. For new accounts, the user has to log in once and reset his password before the UNIX administrator can assign the secondary group dstage to his id.
2. For expired accounts, our UNIX administrators run a script to remove the users from the dstage group.
Hope it helps....
Ultramundane wrote: Do you know if Ascential will fix their bug in the current release or are they going to wait until they give us all "the bird"?
Assume everything I say or do is positive
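The detection half of the process described in the reply above (finding dstage members whose UNIX password has expired or still needs its first change), as an added example that is not part of the original thread and not any poster's script. It assumes the shadow(4) file layout used on Solaris and Linux; the function name `expired_members`, the file paths and the sample accounts are constructed for illustration, and AIX keeps password aging in a different file and would need its own parser.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes the shadow(4) layout used on
# Solaris and Linux: name:hash:lastchg:min:max:warn:inactive:expire:flag
# (lastchg is in days since 1970-01-01). AIX stores password aging elsewhere.

# expired_members GROUP GROUP_FILE SHADOW_FILE TODAY   (hypothetical helper)
# Prints "user:reason" for each listed member of GROUP whose password has
# aged out or must be changed at next login. TODAY is days since the epoch,
# passed in so a run can be reproduced for an audit record.
expired_members() {
    awk -F: -v grp="$1" -v today="$4" '
        # Group file: remember the members listed for the group.
        FILENAME == ARGV[1] {
            if ($1 == grp) { n = split($4, m, ","); for (i = 1; i <= n; i++) member[m[i]] = 1 }
            next
        }
        !($1 in member) { next }                      # not in the group
        $3 == "0" { print $1 ":must-change"; next }   # forced change pending
        # max < 0 or empty means aging is off for this account.
        $3 != "" && $5 != "" && $5 >= 0 && today > $3 + $5 { print $1 ":expired" }
    ' "$2" "$3"
}

# Constructed sample data: alice is past max age, bob is current, carol must
# change at next login, dave has aging disabled, erin is not in dstage.
demo() {
    tmp=$(mktemp -d) || return 1
    printf '%s\n' 'staff::10:alice' 'dstage::300:alice,bob,carol,dave' > "$tmp/group"
    printf '%s\n' \
        'alice:x:19000:0:90:7:::' \
        'bob:x:19900:0:90:7:::' \
        'carol:x:0:0:90:7:::' \
        'dave:x:18000:0:-1:7:::' \
        'erin:x:18000:0:90:7:::' > "$tmp/shadow"
    expired_members dstage "$tmp/group" "$tmp/shadow" 19950
    rm -rf "$tmp"
}

demo
```

On a live system TODAY is the current time in seconds since the epoch divided by 86400, and the resulting list goes to whatever group-removal step the UNIX administrators already run; keeping each run's output gives the auditors a dated record of who was removed and why.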