ADSM-L
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: [ADSM-L] DSMJ and Authorized User

2008-03-28 16:12:58
Subject: Re: [ADSM-L] DSMJ and Authorized User
From: Laurent Bendavid <bendavid.laurent AT FREE DOT FR>
To: ADSM-L AT VM.MARIST DOT EDU
Date: Fri, 28 Mar 2008 21:10:34 +0100 
Hello,

I think to an other way you could synchronize some os login with grant in TSM
database. You could use role NODE for the logical node (a set of file tree) you
want to delgate restoration task.

So you use the http GUI for this usage.

Selon Richard Sims <rbs AT BU DOT EDU>:

> Marc -
>
> Thanks for the details on the objectives.
>
> Before expending effort on making dsmj accomplish all that you want,
> is the overall approach really viable?  In the client manual, review
> the table of "Root and authorized user tasks", particularly for the
> Restore task.  The show-stopper for the use of the Authorized User
> approach would be the inability to restore the files to their
> original ownership - if that user can indeed write to that location.
> Carefully consider all the ramifications.
>
> In your rigged execution of dsmj, you may not be seeing into
> directories because of basic ownership issues.  In a standard TSM set-
> up, with a backup performed by root, an ordinary user likewise cannot
> see into TSM-stored directories because of ownership/permissions
> issues.  If the Authorized User had performed the backup of the
> objects under the directory, then I should think the AU should be
> able to see them via dsmj - but likely not if the backup had been
> done by root.  As Andy advises, try the command line client as a
> comparator: do a thorough 'dsmc query backup' on the area, and see if
> contents are revealed in that.
>
> Note that where a GUI like dsmj is not tenable, the compromise
> approach of 'dsmc -pick' may be acceptable.
>
> In your objections to sudo, you talk of "ACLs set everywhere".  Sudo
> does not necessarily grant root access: with -u invocation, it
> operates as a single non-root user, as can be used in restoring just
> their files.  Personally, I would approach this by having root-run
> TSM scheduled backups, and use sudo -u for individual user restores,
> which keeps the operator away from dangerous root stuff.
>
> Others will likely have good suggestions based upon their experiences.
>
>     Richard Sims
>
[More with this subject...]
<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Re: [ADSM-L] $5 if you provide answer to prob with Tivoli Continuous Data Protection for Files, Remco Post
Next by Date:  Re: [ADSM-L] Where can I find the downloadable TSM 5.5 documentation?, Gee, Norman
Previous by Thread:  Re: [ADSM-L] DSMJ and Authorized User, Richard Sims
Next by Thread:  [ADSM-L] AIX/Linux Lpar, Vio Server and Lanfree, Francisco Molero
Indexes:  [Date] [Thread] [Top] [All Lists]