Information Server Group security reporting

A forum for discussing DataStage<sup>®</sup> basics. If you're not sure where your question goes, start here.

Moderators: chulett, rschirm, roy

Post Reply
YaleM4208
Participant
Posts: 11
Joined: Tue Dec 09, 2014 2:44 pm

Information Server Group security reporting

Post by YaleM4208 »

We recently implemented AD authentication for our environment following a review by our internal audit department. All InfoSphere Roles and DataStage project permissions are assigned based on group membership, with no permissions being assigned directly to any user. We need to produce a report of roles and permissions assigned to the Groups, but the security report templates under the Administration console only apply to users.

Is there any way, perhaps a query against XMETA, to return a list of roles and project permissions assigned to groups?
qt_ky
Premium Member
Premium Member
Posts: 2895
Joined: Wed Aug 03, 2011 6:16 am
Location: USA

Post by qt_ky »

Try using a DStageWrapper query like in this topic:

viewtopic.php?t=154942&highlight=dstagewrapper
Choose a job you love, and you will never have to work a day in your life. - Confucius
YaleM4208
Participant
Posts: 11
Joined: Tue Dec 09, 2014 2:44 pm

Post by YaleM4208 »

Thanks, qt_ky! That got us pointed in the right direction. Here are the queries we're working with now. We were able to resolve the issue from the other thread about incorrect project roles being listed.

Query for users with given roles

Code: Select all

select U.principalId, R.roleId from U in ASCLModel::User, R in U->has_SystemRole where R.roleId in ('SuiteAdmin','SuiteUser','DataStageAdmin','DataStageUser')
Query for user project permissions

Code: Select all

select U.principalId, P.contextId, R.roleId from U in ASCLModel::User, RA in U->assignedBy_RoleAssignment, P in RA->has_RoleContext, R in RA->definedBy_SystemRole order by U.principalId,P.contextId,R.roleId
Query for groups with given roles

Code: Select all

select G.principalId, R.roleId from G in ASCLModel::UserGroup, R in G->has_SystemRole where R.roleId in ('SuiteAdmin','SuiteUser','DataStageAdmin','DataStageUser')
Query for group project permissions

Code: Select all

select G.principalId, P.contextId, R.roleId from G in ASCLModel::UserGroup, RA in G->assignedBy_RoleAssignment, P in RA->has_RoleContext, R in RA->definedBy_SystemRole order by G.principalId,P.contextId,R.roleId
These seem to be pseudo-queries that iterate the java object models. You can view the compiled class files from the <ISHOME>\ASBNode\lib\java\ASCLModel_api_gen_ecore.jar file to get an idea of the valid values for the select list and "joins". For example, the getGroupName and getGroupType methods from UserGroup.class translate over to

Code: Select all

select groupName, groupType from UserGroup

and the getHas_SystemRole method from the UserGroup parent Principal.class gives way to the "join"

Code: Select all

R in G->has_SystemRole
The data appears to be persisted in the ASCLMODEL_* xmeta tables, so it could probably be queried directly through SQL.

I had opened a case with IBM support about this and they suggested the DirectoryCommand tool with the -list and -details options. It provides similar results and does not require a plaintext password on the command line.
Post Reply