Configuring and enforcing role separation
The DBSA, or the person who installs the database server, enforces role separation and decides which users are the DBSSO and AAO. To find the group for the DBSA, DBSSO, or AAO, look at the appropriate subdirectory of $INFORMIXDIR on UNIX™ or %INFORMIXDIR% on Windows™.
On Windows, role separation is configured only during installation. On UNIX, you normally configure role separation during installation, but you can also configure it after the installation is complete or after the database server is configured. The OSA who installs the software enforces role separation, and decides which users (Windows) or groups (UNIX) are the DBSSO and AAO. On UNIX, the group that owns $INFORMIXDIR/aaodir is the AAO group; the group that owns $INFORMIXDIR/dbssodir is the DBSSO group. By default, group informix is the DBSSO, AAO, and DBSA group.
On UNIX, if you use the InstallShield MultiPlatform (ISMP) installer in GUI or terminal mode to install the database software, you are asked if you want to configure role separation. If instead you use the scripted bundle installer, then the environment variable INF_ROLE_SEP controls whether you are asked to set up separate roles. If the INF_ROLE_SEP environment variable exists (with or without a value) role separation is enabled and you are asked to specify the DBSSO and AAO groups. (You are not asked about the DBSA group.) If the INF_ROLE_SEP environment variable is not set, then the default group informix is used for all these roles.
You are not required to set INF_ROLE_SEP to a value to enable role
separation. For example, in a C shell, issuing setenv
INF_ROLE_SEP
is sufficient.
After the installation is complete, INF_ROLE_SEP has no effect. You can establish role separation manually by changing the group that owns the aaodir, dbssodir, or etc directories. You can disable role separation by resetting the group that owns these directories to informix. You can have role separation enabled for the AAO without having role separation enabled for the DBSSO.
Role separation control is through the following group memberships:
- Users who can perform the DBSA role are group members of the group that owns the directory $INFORMIXDIR/etc.
- Users who can perform the DBSSO role are group members of the group that owns the $INFORMIXDIR/dbssodir directory.
- Users who can perform the AAO role are group members of the group that owns the $INFORMIXDIR/aaodir directory.
total 14
drwxrwx--- 2 informix ix_aao 512 Nov 21 09:56 aaodir/
drwxr-xr-x 2 informix informix 1536 Nov 30 18:35 bin/
drwxrwx--- 2 informix ix_dbsso 512 Nov 30 10:54 dbssodir/
drwxr-xr-x 10 informix informix 512 Nov 21 09:55 demo/
drwxrwxr-x 2 informix informix 1024 Nov 30 11:37 etc/
In the preceding example, the AAO belongs to the group ix_aao, the DBSSO belongs to the group ix_dbsso, and the DBSA belongs to the group informix.
Users must belong to the correct group to access the database server.
To find the group for database users, you must look at the contents
of the $INFORMIXDIR/dbssodir/seccfg file. For
example, the contents of a typical seccfg file
might be IXUSERS=*
. This group setting means that
all users can connect to the database server. If the file contains
a specific name such as IXUSERS=engineer
, then only
members of the group engineer can gain access to the database
server.
For Windows, role separation control is through the Role Separation dialog box, which opens during installation, and through registry settings. If the Enable Role Separation check box is checked in the Role Separation dialog box, the DBSA can specify different roles.
For more information about environment variables, see the HCL OneDB™ Guide to SQL: Reference. For more information about configuring role separation, see your HCL OneDB Administrator's Guide.