Hello dsxchange,
I have a client that has installed a new installation of DataStage on windows environment. Because of local security policies, they could not perform the installation as Administrator. Rather the installation was done under another id in the local administrator group.
DataStage engine and services are currently running under system id.
We didn't setup any additional groups and bind these to the datastage roles yet as described in the Administrator guide.
Under our current setup, all members of the local administrator group can connect to datastage cients including the Administrator client. Removing individual developer ids from the local administrator group prevents connecting to any of the DataStage clients.
My question:
Is the inability to connect to the Designer client with id not belonging to local administrator group an impact of not installing as Administrator id, or is it because we have not done the binding of datastage roles to windows groups as described in the Administrator guide, or is this potentially some other membership issue?
Thanks in advance.
Greg
Installation - Role Separation Issues
Moderators: chulett, rschirm, roy
-
ray.wurlod
- Participant
- Posts: 54595
- Joined: Wed Oct 23, 2002 10:52 pm
- Location: Sydney, Australia
- Contact:
Thanks you for your response Ray.
I have provided some more information that outlines my situation in greater detail.
I have a project called X.
I created 2 groups on windows server (X_DEV, X_OP).
I created an id called dev and added this to three groups on the DataStage server environment (X_DEV, X_OP, Users).
I then binded X_DEV to DataStage Designer on the Admin permission properites panel for project X, and X_OP to DataStage Operator. I then set the everyone to the <none> setting. Now all entries other than X_OP and X_DEV are set to <none>.
I now have situation where when connecting to project X with userid dev, I get the following error:
Adding dev to the Administrator's group, then allows me to connect to the environment, and of course gives me the unwanted (by management) ability to connect with the administrator client.
I wish to be able to connect with id dev, without giving membership to Administrator group. As far as I know, I have followed the Administrator permissioning guidlines and they are not working.
Perhaps there is some other group that dev requires that Administrator is indirectly providing membership?
Does anybody have any suggestions?
Thanks in advance,
Greg
I have provided some more information that outlines my situation in greater detail.
I have a project called X.
I created 2 groups on windows server (X_DEV, X_OP).
I created an id called dev and added this to three groups on the DataStage server environment (X_DEV, X_OP, Users).
I then binded X_DEV to DataStage Designer on the Admin permission properites panel for project X, and X_OP to DataStage Operator. I then set the everyone to the <none> setting. Now all entries other than X_OP and X_DEV are set to <none>.
I now have situation where when connecting to project X with userid dev, I get the following error:
Failed to connect to host: <hostname>, project: X
(Internal Error (39204))
Adding dev to the Administrator's group, then allows me to connect to the environment, and of course gives me the unwanted (by management) ability to connect with the administrator client.
I wish to be able to connect with id dev, without giving membership to Administrator group. As far as I know, I have followed the Administrator permissioning guidlines and they are not working.
Perhaps there is some other group that dev requires that Administrator is indirectly providing membership?
Does anybody have any suggestions?
Thanks in advance,
Greg
-
ray.wurlod
- Participant
- Posts: 54595
- Joined: Wed Oct 23, 2002 10:52 pm
- Location: Sydney, Australia
- Contact:
Did you restart DataStage services after effecting these changes?
Are the changes reflected in the .operator.adm and .developer.adm hidden files in the project folder on the server? That is, were your changes successfully saved?
PS Does your nick imply Air Force?
Are the changes reflected in the .operator.adm and .developer.adm hidden files in the project folder on the server? That is, were your changes successfully saved?
PS Does your nick imply Air Force?
IBM Software Services Group
Any contribution to this forum is my own opinion and does not necessarily reflect any position that IBM may hold.
Any contribution to this forum is my own opinion and does not necessarily reflect any position that IBM may hold.
ray.wurlod wrote:Did you restart DataStage services after effecting these changes?
No. I'll try that, but it will take another day to schedule a restart. Too many developers working overtime.
ray.wurlod wrote: Are the changes reflected in the .operator.adm and .developer.adm hidden files in the project folder on the server? That is, were your changes successfully saved?
The operator.adm, developer.adm files are both empty. However, when I close my connection to the administrator console, and log back into Administrator, the permissions still represent the changes I made. Are you suggesting that this might be in memory changes that have not taken effect yet?
Thanks again.
Greg
-
ray.wurlod
- Participant
- Posts: 54595
- Joined: Wed Oct 23, 2002 10:52 pm
- Location: Sydney, Australia
- Contact:
... or they may be registry entries nowadays - who knows what "they" did for 7.5x2? Though I couldn't find any likely candidates on a registry search (using regedt32).
IBM Software Services Group
Any contribution to this forum is my own opinion and does not necessarily reflect any position that IBM may hold.
Any contribution to this forum is my own opinion and does not necessarily reflect any position that IBM may hold.
An Update:
Server has been rebooted since the change. Permission panel from Administrator displays the change settings after reboot. Error message when connecting user dev to project X after reboot is the same.
I've read in other postings that advice was given to change permissions the project subfolders, as well as the ds_license folder. This advice was given in a Unix environment context. Would somebody suggest something similar for Windows?
Anybody have any other suggestions?
Thanks,
Greg
Server has been rebooted since the change. Permission panel from Administrator displays the change settings after reboot. Error message when connecting user dev to project X after reboot is the same.
I've read in other postings that advice was given to change permissions the project subfolders, as well as the ds_license folder. This advice was given in a Unix environment context. Would somebody suggest something similar for Windows?
Anybody have any other suggestions?
Thanks,
Greg