Applies to: Mac OS X, Oracle Solaris, Linux, and AIX operating systems

Enable non-root users to manage shared data

In some cases, it is necessary to have a group of non-root users who can back up data to and restore data from a shared node. To accomplish this task, create a stanza in the dsm.sys file by specifying a unique node name and password directory. Access to this node is controlled by adding the permitted users to a shared UNIX group and granting that group permission to the saved password files.

Example dsm.sys file stanza

In the following example stanza, a node name is specified that is shared among the group of non-root users. This node name is different from other node names that can also be used on the system by different users. For example, there might be a different stanza that the root user uses. Also, the directory that is specified by the passworddir option must be different from the password directory that is used by other stanzas in the dsm.sys file that are intended for different users.

Different stanzas can reference different IBM Spectrum® Protect servers. If the same group of non-root users requires access to all of these servers, each stanza can reference the same password directory.

As the root user, create a stanza like the following example:

servername spserver_dbgrp
  tcps tapsrv14
  tcpp 1500
  nodename server1_dbgrp
  passworddir /etc/spdbgrp
  passworda generate

For AIX®, use the following passworddir option:

passworddir /etc/security/spdbgrp

After the stanza is created, as the root user, run the query session command to create the new password directory and initial stored passwords. For example, if the server name is tapsrv14, you would issue the following command:

dsmc query session -server=tapsrv14_dbgrp

Assign group permissions to the newly created password directory

To allow a group of users to share the common password files, create a group. The users are assigned to this new group as a secondary group, and the permissions of the stored passwords are modified. This modification allows the new group to read and modify the stored password without allowing users outside the group to have access. Review the example for your operating system:

AIX example

In this example, the group dbadm represents an existing database group that is the primary group. A secondary group that is named spdbgrp is created to control access to the IBM Spectrum Protect password files.

mkgroup spdbgrp
usermod -g dbadm -G spdbgrp user1
usermod -g dbadm -G spdbgrp user2

To grant group permission to the password files, you would run the following commands:

chmod 770 /etc/security/spdbgrp
chmod -R 660 /etc/security/spdbgrp/*
chmod 770 /etc/security/spdbgrp/Nodes
chgrp -R spdbgrp /etc/security/spdbgrp

Linux® example

In this example, the group dbadm represents an existing database group that is the primary group. A secondary group that is named spdbgrp is created to control access to the IBM Spectrum Protect password files.

groupadd spdbgrp
usermod user1 -g dbadm -G spdbgrp
usermod user2 -g dbadm -G spdbgrp

To grant group permission to the password files, you would run the following commands:

chmod 770 /etc/spdbgrp
chmod -R 660 /etc/spdbgrp/*
chmod 770 /etc/spdbgrp/Nodes
chgrp -R spdbgrp /etc/spdbgrp
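
To confirm the result of the chmod and chgrp steps in the AIX and Linux examples, the following check can be run as the root user. It is an added example, not part of the IBM documentation: audit_passworddir is a hypothetical helper name, and the script assumes a POSIX sh with find and that the group already exists. It reports anything in the password directory that is accessible to users outside the group, owned by a different group, or not readable and writable by the group.

```shell
#!/bin/sh
# Added example (not IBM code): audit a shared passworddir.
# Usage: audit_passworddir DIR GROUP
# Prints one line per finding. Returns 0 if clean, 1 if there are
# findings, 2 if DIR is not a directory.
audit_passworddir() {
    dir=$1
    grp=$2
    [ -d "$dir" ] || { echo "not a directory: $dir" >&2; return 2; }

    findings=$(
        # 1. Nothing may carry read, write or execute bits for "other".
        find "$dir" ! -type l \( -perm -004 -o -perm -002 -o -perm -001 \) \
            -exec echo "accessible to other:" {} \;
        # 2. Everything must belong to the shared group.
        find "$dir" ! -group "$grp" -exec echo "wrong group:" {} \;
        # 3. Group members must be able to read and update stored passwords.
        find "$dir" -type f ! -perm -060 -exec echo "group lacks rw:" {} \;
        # 4. The directory itself must be usable by the group (rwx).
        find "$dir" -prune ! -perm -070 -exec echo "group lacks rwx:" {} \;
    )
    if [ -n "$findings" ]; then
        printf '%s\n' "$findings"
        return 1
    fi
    return 0
}

# When run as a script: sh audit.sh /etc/spdbgrp spdbgrp
if [ "$#" -eq 2 ]; then
    audit_passworddir "$1" "$2"
fi
```

A nonzero return after the procedure has been followed means that a file was created or changed later with different ownership or mode, so the check is worth repeating after password updates.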