
Chapter 4. Installation and configuration

4.14 Configuring operating system users, groups, and permissions

This section highlights system configurations.

4.14.1 Privileged installation user

IBM InfoSphere Information Server requires a privileged user account for installation.

• On UNIX platforms, the installation must be performed by root or by a user account with root privileges.

• On Windows environments, the installation must be run from a local administrator account. This user must have read/write access to the target installation directories. The installation cannot be run from a domain administrator.

4.14.2 Required operating system users

InfoSphere Information Server requires a set of operating system user accounts to install the engine and metadata repository database, which are listed in Table 4-16. These accounts are used by the InfoSphere Information Server engine, and internal domain services.

Table 4-16 Operating system users

| User account | Default user name | Primary group | Secondary group | Notes |
| --- | --- | --- | --- | --- |
| DataStage administrator | dsadm | dstage | | |
| DB2 administration server | dasusr1 | dasadm1 | | Only needed for DB2. |
| DB2 instance owner | db2inst1 | db2iadm1 | dasadm1 | Only needed for DB2. |
| DB2 fenced user | db2fenc1 | db2fadm1 | | Only needed for DB2. |
| Metadata repository owner | xmeta | xmeta | | DB2 uses OS authentication. |
| Information Analyzer analysis database owner | iauser | iauser | | DB2 uses OS authentication. |

Important: These users can be created by the installer, but this is not suggested.

The security configuration of many operating systems (for example, AIX) requires new users to log in before an account is activated.

For instructions to create users, see the IBM Information Server Planning, Installation, and Configuration Guide, GC19-1048-07. You can find a simple UNIX user setup in “Example user setup for UNIX environments” on page 164.

Operating system user requirements

Because of the way that the InfoSphere Information Server installer parses its parameters, passwords should not include embedded dollar signs ($).
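A preflight check for the accounts in Table 4-16, to run before the installer. This is an added example, not IBM's script: it assumes the default user and group names from the table and reads passwd- and group-format files such as saved `getent passwd` and `getent group` output. The function names, finding labels and sample data are constructed for illustration, and the UID 0 check is an added least-privilege assumption rather than a documented installer requirement.

```shell
#!/bin/sh
# Added example: verify the Table 4-16 accounts (default names) before installing.
# Each entry is user:primary_group:secondary_group (secondary may be empty).
REQUIRED_ACCOUNTS='dsadm:dstage: dasusr1:dasadm1: db2inst1:db2iadm1:dasadm1
db2fenc1:db2fadm1: xmeta:xmeta: iauser:iauser:'

# check_account PASSWD_FILE GROUP_FILE USER PRIMARY [SECONDARY]
# Prints one finding per problem; returns 0 only when the account matches.
check_account() {
    entry=$(awk -F: -v u="$3" '$1 == u { print $3 ":" $4; exit }' "$1")
    [ -n "$entry" ] || { echo "MISSING $3: account does not exist"; return 1; }
    rc=0
    # Assumption added here: service accounts are non-root (the page says so for dsadm).
    [ "${entry%%:*}" -ne 0 ] || { echo "UID0 $3: account must not be root"; rc=1; }
    pgroup=$(awk -F: -v g="${entry##*:}" '$3 == g { print $1; exit }' "$2")
    [ "$pgroup" = "$4" ] || { echo "PRIMARY $3: primary group is '$pgroup', expected '$4'"; rc=1; }
    if [ -n "$5" ]; then
        members=$(awk -F: -v g="$5" '$1 == g { print $4; exit }' "$2")
        case ",$members," in
            *",$3,"*) ;;
            *) echo "SECONDARY $3: not a member of '$5'"; rc=1 ;;
        esac
    fi
    return "$rc"
}

# check_all PASSWD_FILE GROUP_FILE: returns the number of accounts with findings.
check_all() {
    failures=0
    for spec in $REQUIRED_ACCOUNTS; do
        user=${spec%%:*}; rest=${spec#*:}
        check_account "$1" "$2" "$user" "${rest%%:*}" "${rest#*:}" ||
            failures=$((failures + 1))
    done
    return "$failures"
}

# write_sample DIR: constructed data; db2inst1 lacks dasadm1 and iauser is absent.
write_sample() {
    printf '%s:x:%s:%s:::\n' dsadm 1001 2001 dasusr1 1002 2002 db2inst1 1003 2003 \
        db2fenc1 1004 2004 xmeta 1005 2005 > "$1/passwd"
    printf '%s:x:%s:\n' dstage 2001 dasadm1 2002 db2iadm1 2003 db2fadm1 2004 \
        xmeta 2005 > "$1/group"
}

tmp=$(mktemp -d); trap 'rm -rf "$tmp"' EXIT
write_sample "$tmp"
check_all "$tmp/passwd" "$tmp/group" || echo "$? account(s) need attention before installing"
```

Against a real host, save `getent passwd` and `getent group` to two files and pass them to `check_all`; the check does not cover whether an account has been activated by a first login.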

4.14.3 Domain (WebSphere Application Server) user registry

IBM InfoSphere Information Server users log in and authenticate through the domain WebSphere Application Server. During install, two domain accounts must be specified, as listed in Table 4-17.

Table 4-17 Domain accounts

| User account | Default user name | Notes |
| --- | --- | --- |
| WebSphere administrator | wasadmin | |
| InfoSphere Information Server administrator | isadmin | Should be different from the WebSphere administrator |

WebSphere Application Server user requirements

WebSphere Application Server has the following user requirements:

• During the InfoSphere Information Server installation, WebSphere Application Server can be configured to authenticate using an internal registry or using operating system users. This option can be changed later through the WebSphere Application Server Administration Console.

• When using OS authentication, user accounts must be created and activated before running the InfoSphere Information Server installation.

• WebSphere Application Server does not support the use of NIS as a user registry. The supported user registries are LDAP, OS, or an internal user registry.

• When installing in an LDAP environment, choose an internal user registry. LDAP authentication is configured after the InfoSphere Information Server installation. Supported LDAP servers can be found in the list of WebSphere Application Server software requirements at:

http://www.ibm.com/support/docview.wss?rs=180&uid=swg27007256

• Because of the way that the InfoSphere Information Server installer parses its parameters, passwords should not include embedded dollar signs ($).

4.14.4 Engine (DataStage) user setup

The IBM InfoSphere Information Server engine must have at least one operating system user defined. DataStage and QualityStage jobs and Information Analyzer jobs run on the engine server using operating system user permissions.

• When using the WebSphere Application Server internal user registry, InfoSphere Information Server users must be mapped to at least one operating system user.

• When using the WebSphere Application Server OS or LDAP configuration, InfoSphere Information Server can be configured to share the user registry with the engine (DataStage/QualityStage) registry. This eliminates the need to individually map each InfoSphere Information Server user to an operating system or DataStage user.

DataStage supports four basic categories of users:

• Managers

• Developers

• Operators

• Super operators

These are implemented as InfoSphere Information Server roles that can be assigned to each user. The InfoSphere Information Server Console is used to assign either the DataStage Admin or DataStage User to each user. This allows the DataStage Administrator Client to assign each user to a particular role (operator, super operator, developer, and production manager) for a particular project.

Engine (DataStage) user setup on UNIX

DataStage can be administered on a UNIX platform by a special non-root user. This is dsadm by default, but you can specify a different administrative user at install. Set up this user before installing DataStage.

Each user is then allocated to the product manager, developer, operator, or super operator role (but not to more than one role per project). You can then use the DataStage Administrator to assign the appropriate DataStage user role to the user. For more information, see "User Roles on UNIX Systems" in the IBM Information Server Administrator Guide, SC18-9929-02. Operators cannot use the DataStage Designer and only see released jobs in the DataStage Director. Neither operators nor developers can create protected projects or add anything to them.

4.14.5 Engine (DataStage) user setup on Windows

On the Windows 2003 Server, DataStage must be installed by a user that has local administrator rights. This user must also have read/write permission to the target directory used to install the DataStage server.

If you are logged into a domain account, it must be part of the local administrators group on the server that you are installing, and you must have network access to the Windows domain controller for authentication.

4.15 Verifying and installing C++ compiler and runtime