Configuring DataStage for use by Multiple Users.

When you install DataStage, the software directories are created and configured automatically for secure and proper
operation of the software. You should never change the permissions or owners of the files in any of the software
directories, except for the project directories, unless told to do so by Ascential Software support. This document is
intended as a supplement to those instructions given in the “DataStage Install and Upgrade Guide.”

File Ownership and Permission for Project Directories.

When the install creates the projects, the files are assigned ownership to the dsadm user, and the dsadm user’s primary
group. To allow users other than the dsadm user to properly use DataStage, you need to do the following steps. For
these steps, we will assume that the dsadm user’s primary group is ‘dstage’.

1. For each user id, make sure it is a member of the group ‘dstage’.
2. As the root user, edit the ds.rc file in the DSEngine/sample directory, find the line near the top of the file which
reads #umask 002 and edit this line to remove the comment character ‘#’. After making this change, the root user
needs to stop the DataStage engine and restart it.
3. As the dsadm user, go to each project directory and set its SGID bit, which forces files created in that directory to
have the same group id as the directory in which they were created. This can be done with the following UNIX
command: chmod g+s dirpath where dirpath is the absolute path of the DataStage project
directory.

Once these steps are complete, DataStage is ready to use in a multiple user environment. If there has been user activity
in the DataStage project prior to these steps being done, you may also need to reassign the group id and permissions of
the files in the project directory. This can be done with the following UNIX commands:

chgrp –R dstage dirpath

chmod –R g+w dirpath

In these commands, ‘dstage’ is the dsadm user’s primary group and ‘dirpath’ is the absolute path of the project directory.

Limiting User access to DataStage projects.

The permissions documented above are required for the software to function properly. If you wish to control access at a
project level, this will require one UNIX group per project in addition to the single UNIX group to which the software itself is
assigned. Consider the following scenario as an example:

The ACME Company has a UNIX server with DataStage installed on it. They want to have a test project and a
production project on the same machine. They do not want the test users to be able to edit the jobs in production,
and they do not want the production users to be able to edit the jobs in the test project.

When they installed DataStage, they created the dsadm user with the primary group of ‘dstage’. During the install
they created a project called ‘prod’ and second project called ‘test’. After the install, all the files in both projects are
owned by the dsadm user, and the group is dstage.

First, the superuser (root) must create two new UNIX groups, one called ‘dstest’ and one called ‘dsprod’. Next, the
superuser must a make the dsadm user a member of BOTH of these new groups. Next, the superuser must
make all the test users a member of both the dstage group and the dstest group, and make the production users a
member of the dstage group and the dsprod group. Finally, the superuser must complete step 2 from the
instructions above.

Once the superuser’s tasks are finished, the dsadm user can now change the group of all the files in the test
project so that their group is now ‘dstest’. Next, the dsadm user would change the group of all the files in the
production project so that their group is now ‘dsprod’. Finally, the dsadm user should complete step 3 above on
both the test and prod projects.