Establishing Security for DataMigrator

If only a single DataMigrator user will be designing flows, no alterations to the DataMigrator Server configuration are necessary. However, if the DataMigrator Server supports multiple users, the server administrator may need to establish separate user IDs and profiles to control access to DM application directories.

Note: Establishing security for iWay Servers, including the DataMigrator Server on z/OS, requires additional consideration. For details, refer to Step 7. Configure Server Security in Chapter 4, Server Installation for z/OS in the Server Installation manual.

Running Flows

The iWay agent created when you connect to a DataMigrator Server has an associated logon user ID. Local file, directory, and resource security is controlled by that user ID.

For scheduled flows, the DM components that a user ID can see and run from its Application Path are controlled by the sched_run_id option. You set this option with the Type setting in the New Tenant dialog box, which you open from the Manage Scheduler Userids dialog box.

When sched_run_id is set to:

  • server_admin_id. Scheduled DM jobs are run under the first ID that appears in the list of server administrators displayed on the Access Control page. If the ID does not have a password specified in the Access Control tab, a profile for that user ID must be created. server_admin_id is the default.
  • user. Scheduled DM jobs are run under the user ID that was used to save the flow. The Application Path specified in the user profile is utilized.
  • RunID. Scheduled DM jobs will run under the specified user ID. If you select this option, an additional drop-down menu appears where you can select a user ID from a list of configured user IDs.

If security is ON and you set sched_run_id to user to run a scheduled flow for a certain user ID:

  1. The user ID must be a valid user on the system.
  2. The user ID must be set to an access level of either SERVER or APPLICATION from the Access Control page.
  3. The password for the user must be set. A SERVER-level administrator can set the password for a SERVER-level ID from the Access Control page when adding a user.

If a DataMigrator user with an APPLICATION-level ID wants to run scheduler requests:

  1. A SERVER administrator must make them an APP administrator from the Access Control page.
  2. The user must set their password on the User Information page.
  3. The scheduler must be restarted. (Restarting the server will also restart the scheduler.)

For more information, see Scheduler Configuration Page.

Restricting the Application Paths Available to a User

By default, the server profile (EDASPROF.PRF) is run for all users when they connect to the DataMigrator Server to provide access to all application directories in the server's search path. However, an administrator can control a user's access to application directories by creating individual user profiles. Each user can then:

  • Access only the application directories in the Application Path specified for that profile.
  • Use synonyms in the specified Application Path.

For details, see Authorizing DataMigrator Server Usage and Administration.

It follows that the user ID that a flow runs under determines the user profile that is run. The profile controls the application directories available to the flow, as well as access to relational databases or source servers.

  • If there is a profile associated with the user ID, then it is used.
  • If there is no profile, then EDASPROF is used instead.

The user can only access the application directories defined in the profile being used.

You can set the Application Path from the DMC or the Web Console. For information on setting the Application Path from the DMC, see Managing Application Directories and Configuring the Application Path. For information on setting the Application Path from the Web Console, see the Server Administration manual or the Web Console online help.

Running Scheduled Flows Under a User ID

By default, scheduled flows are run using the server admin ID.

To run all scheduled flows under the user ID that saved them, you need to:

  1. Define a scheduler tenant and change the sched_scan_id and sched_run_id.
  2. Create a new user (if the user ID does not already exist). This procedure will depend on your operating system.
  3. Add users who can run flows as an Application Administrator.
  4. Have the new users change their security settings.
  5. Connect to the server as the new user in the DMC, schedule a flow, and save it.

Procedure: How to Define a Scheduler Tenant and Change the sched_scan_id and sched_run_id

  1. Connect to the server with a Server Administration user ID.
  2. In the navigation pane, expand the server, followed by the Workspace folder.
  3. Expand the Special Services and Listeners folder.

    Note: If there is a Start option, the scheduler is not running. To run the scheduler, click Start.

  4. Right-click SCHEDULER and click Manage Tenants.

    The Manage Scheduler Userids dialog box opens.

  5. Click New.

    The New Tenant dialog box opens.

  6. To set the sched_scan_id for the tenant, select a user ID from the ScanID drop-down menu, which lists the configured user IDs from admin.cfg.
  7. To set the sched_run_id for the tenant, select one of the following options from the Type drop-down menu:
    • Select server_admin_id to run all jobs as the Server Admin ID, which is the first user ID in admin.cfg.
    • Select user to run each job as the user that saved the flow.
    • Select RunID to specify a user ID for all jobs. If you select this option, an additional drop-down menu appears where you can select a user ID from a list of configured user IDs.
  8. Click OK to configure the tenant.
  9. Click Save and Restart Scheduler.

Note: It is recommended that each ScanID have its own Application Path set in its user profile. The same application directory should not appear in the Application Path of more than one ScanID.
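
The following audit sketch is an added example, not code from the product or its documentation. It models the sched_run_id types and the profile fallback to EDASPROF described above, then flags ScanIDs that have no profile of their own or that share an application directory. The dictionary layout, user IDs, and directory names are constructed assumptions, not DataMigrator file formats.

```python
from itertools import combinations

SERVER_PROFILE = "EDASPROF"  # server profile used when a user has none

def effective_path(user_id, profiles):
    """Return (profile name, Application Path) that applies to user_id."""
    if user_id in profiles:
        return user_id, profiles[user_id]
    return SERVER_PROFILE, profiles[SERVER_PROFILE]

def run_id(tenant, saved_by, admin_ids):
    """Resolve the ID a scheduled flow runs under from the tenant Type."""
    kind = tenant["type"]
    if kind == "server_admin_id":
        return admin_ids[0]        # first server administrator listed
    if kind == "user":
        return saved_by            # ID that saved the flow
    if kind == "RunID":
        return tenant["run_id"]    # fixed ID selected for the tenant
    raise ValueError(f"unknown sched_run_id type: {kind}")

def audit_scan_ids(tenants, profiles):
    """Flag ScanIDs with no profile of their own or a shared directory."""
    findings, paths = [], {}
    for tenant in tenants:
        scan = tenant["scan_id"]
        name, path = effective_path(scan, profiles)
        if name == SERVER_PROFILE:
            findings.append(f"{scan}: no user profile, uses {SERVER_PROFILE}")
        paths[scan] = set(path)
    for a, b in combinations(sorted(paths), 2):
        shared = sorted(paths[a] & paths[b])
        if shared:
            findings.append(f"{a} and {b} share: {', '.join(shared)}")
    return findings

# Constructed sample data (hypothetical IDs and directory names).
PROFILES = {
    "EDASPROF": ["ibisamp", "baseapp", "finance", "hr"],
    "etl_fin": ["finance", "baseapp"],
    "etl_hr": ["hr", "baseapp"],
}
TENANTS = [
    {"scan_id": "etl_fin", "type": "user"},
    {"scan_id": "etl_hr", "type": "RunID", "run_id": "etl_hr"},
    {"scan_id": "etl_ops", "type": "server_admin_id"},
]

if __name__ == "__main__":
    for finding in audit_scan_ids(TENANTS, PROFILES):
        print(finding)
```

In the sample, etl_ops has no profile, so it inherits every directory in the server path and overlaps with both other ScanIDs.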

Procedure: How to Add the New User as an Application Administrator

Note: If you want to run all scheduled flows under a user ID that does not already exist, you must create one using an operating system-specific procedure.

  1. In the DMC, expand a server and then expand the Access Control folder.
  2. Expand the Roles folder, right-click Application Administrator, and click Register PTH <internal> User.

    The User Registration dialog box opens.

  3. In the User ID box, type the new user name.
  4. Optionally, type a description and the email address of the user.
  5. Click Next.

    The User Registration dialog box opens.

  6. From the Inherit Privileges from drop-down menu, select Application Administrator.
  7. Click Register.
  8. Click OK to save your changes and register as a new user.

Procedure: How to Change a Password for Running Scheduled Flows

  1. Log in to the DMC with an Administrator user ID.
  2. In the navigation pane, expand the server and then the Access Control folder.
  3. Expand the Roles folder and then expand the folder of the desired Role.
  4. Right-click the user ID you want to manage and click Properties.
  5. In the Optional password for scheduled runs section, type the new password, and re-type it to confirm the password.
  6. Click Update.

Procedure: How to Connect to the Server as a New User and Schedule a Flow

  1. In the DMC, right-click the server and click Properties.
  2. Change the User ID and Password boxes in the Security section to the new values and click Save.
  3. Disconnect and reconnect the server.
  4. Open a process flow in the DMC and add a Schedule to the Start object.
  5. Save the flow.

The Scheduled Events report will now list scheduled flows by the user ID that saved them.
