Mac OS X operating systems, Oracle Solaris operating systems, Linux operating systems, AIX operating systems

UNIX and Linux® client root and authorized user tasks

An authorized user is any non-root user who has read and write access to the stored password (TSM.sth file), or anyone who knows the password and enters it interactively. Authorized users use the passworddir option to define the directory where their copy of the password file is saved.
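Because the definition above rests on file permissions, the mode of the stored password file decides which accounts count as authorized users. The following script is an added example, not part of the IBM documentation: it reports the calling user's role under that definition and the widest permission class that holds both read and write on the file. The function names are hypothetical, and the file path is supplied by the caller because this page does not state it.

```shell
#!/bin/sh
# Added example. The password file path is passed in by the caller; this
# page does not state where TSM.sth lives (it is set by passworddir).

# Print the page's role for the calling user: root, authorized, or other.
classify_user() {
    pwfile=$1
    if [ "$(id -u)" -eq 0 ]; then
        echo root
    elif [ -f "$pwfile" ] && [ -r "$pwfile" ] && [ -w "$pwfile" ]; then
        echo authorized   # read AND write access to the stored password
    else
        echo other
    fi
}

# Print the widest class that holds both read and write on the file:
# none, owner, group, or world. Anything wider than "owner" means more
# accounts than intended meet the authorized-user definition.
password_file_exposure() {
    pwfile=$1
    [ -f "$pwfile" ] || { echo missing; return 1; }
    exposure=none
    # find -perm -MODE matches only when every bit in MODE is set.
    [ -z "$(find -L "$pwfile" -perm -600)" ] || exposure=owner
    [ -z "$(find -L "$pwfile" -perm -060)" ] || exposure=group
    [ -z "$(find -L "$pwfile" -perm -006)" ] || exposure=world
    echo "$exposure"
}

# With a path argument, audit that file; otherwise demonstrate on a
# constructed, empty stand-in file in a temporary directory.
if [ $# -gt 0 ]; then
    echo "caller: $(classify_user "$1")"
    echo "read+write held by: $(password_file_exposure "$1")"
else
    demo_dir=$(mktemp -d)
    : > "$demo_dir/TSM.sth"
    for mode in 600 660 666; do
        chmod "$mode" "$demo_dir/TSM.sth"
        echo "mode $mode -> $(password_file_exposure "$demo_dir/TSM.sth")"
    done
    rm -rf "$demo_dir"
fi
```

A result of `group` or `world` means every member of that class is an authorized user for the node, whether or not that was intended.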

Table 1 shows the tasks that can and cannot be performed by the root user, authorized users, and other users.

Table 1. Tasks for root users and authorized users

| Task | Root user | Authorized user |
| --- | --- | --- |
| Log on to the IBM Spectrum Protect server, using an LDAP server to authenticate credentials. | Yes | Yes |
| Register new nodes with the IBM Spectrum Protect server (if registration is set to open on the server). | Yes | Yes |
| Set or re-create the IBM Spectrum Protect password for client workstations | Yes | Yes |
| Backup | Yes. Note: The IBM Spectrum® Protect administrator can specify an option on either the Register Node or Update Node commands to specify who is allowed to back up data for a node. Setting BACKUPINITiation to root restricts backups so that only root or authorized users can back up files on a node. Setting BACKUPINITiation to all allows any user to back up data on a node. For information about these commands and options, see the IBM Spectrum Protect server documentation. | Yes, if you have read permission, regardless of ownership |
| Restore | Yes; when restoring to a new location or the same location, file permissions and ownership are preserved | Yes; however, the operating system prevents writing to the same location if the file has read-only permission. When restoring to the same location, file permissions and ownership are preserved. When restoring to a different location, the permissions of the restored file are preserved but the ownership is changed to the current user. |
| Archive | Yes | Yes, if you have read permission, regardless of ownership |
| Retrieve | Yes. When retrieving to a new location or to the same location, file permissions and ownership are preserved. | Yes. However, the operating system prevents writing to the same location if the file has read-only permission. Ownership of all retrieved objects is changed to the current user. |
| Client scheduler | Yes | Yes, if not using the client acceptor daemon. You must be root to manage the client acceptor daemon. A non-root authorized user can use the scheduler (dsmc sched). |
| Grant user access to files on the IBM Spectrum Protect server | Yes | Yes |
| Delete IBM Spectrum Protect server file spaces | Yes, if the node is granted backup or archive delete authority by the IBM Spectrum Protect server administrator | Yes, if the node is granted backup or archive delete authority by the IBM Spectrum Protect server administrator |

On Mac OS X systems, a system administrator is any user that is allowed to administer the system. You can check your account type using the System Preferences > Accounts tool. System Administrators have an account type of Admin.

Mac OS X operating systems: The system administrator is responsible for configuring the backup-archive client so non-administrators can manage their own data. Non-administrators (or non-authorized users) meet the following criteria:

  • They do not have a user ID of 0. They are not the root user.
  • They have a user account that has not been configured as a system administrator.

Mac OS X operating systems: When a task requires additional authority to complete, you must use the authorization application to start the backup-archive client. This allows the client to run with sufficient system privileges to complete the task. The following table lists the authorization tools to use.

Table 2. Mac OS X authorization tools and associated IBM Spectrum Protect applications

| Mac OS X authorization tool | Associated IBM Spectrum Protect application |
| --- | --- |
| IBM Spectrum Protect For Administrators | IBM Spectrum Protect, StartCad.sh, StopCad.sh |
| sudo | dsmc |