Hi all,
The DataStage Administrator guide describes the Operator role as someone who has permission to run and manage DataStage jobs. I'm assuming that this simply means that an operator is not allowed to modify a job.
What I'm after is a way of allowing someone to run jobs, look at logs but not be able to view the data. Is this at all possible? It would seem to me not but maybe someone out there has come up with a way.
Thanks in advance.
Data security
Since access to data is determined by a userid (an OS one or a database one) I don't think it is possible - since a user needs to read the data in order to run a job it is impossible to keep that user from reading the data outside of DS. If you implement a system using parameters and computed userids/passwords or time-dependent access it might be possible, but it would still be capable of circumvention.
The data being transformed is what is called sensitive data. An example of this would be HR information about employees. The customer wants to be able to have operators (perhaps even from offshore companies) run the jobs and view the logs but they do not want these operators to actually view the data that is being transformed. This means that they should not be able to go to the actual data files and open them. In the case of database tables, they should be prevented from logging in to the database and viewing the actual tables.
Curious, Jim...what do you mean by "view the data"? What data, exactly?
Jim Paradies
Jim,
Viewing of data through DataStage is not possible through Director (at least I haven't figured out a way of doing it).
As far as securing the file locations and database connections, they can be stored as encrypted user-defined environment variables.
So if only Director is installed on the operators' workstations, they should not have access to any data.
Amey Vaidya
I am rarely happier than when spending an entire day programming my computer to perform automatically a task that it would otherwise take me a good ten seconds to do by hand.
- Douglas Adams
I think, if you install with the Operator's licence (xxxxxx-DSDIR) on the Operator's PC, you will get pretty much exactly what you want. The Operator role only allows the running of released jobs (at least up to version 7.0) and does not allow viewing of log entries that might contain data (unless this is explicitly permitted via a check box in the Administrator client).
IBM Software Services Group
Any contribution to this forum is my own opinion and does not necessarily reflect any position that IBM may hold.
I think I left out one important detail in explaining the problem. The environment is Windows and everyone uses Terminal Service to connect remotely to the box. This includes developers and operators. This means that everyone has access to OS level files.
However, I think that your solution is probably the best we'll get. We are just going to have to insist that the operators use remote clients to run the jobs.
Thanks everyone for your input.
Jim Paradies