User Accounts
Top
User Account Overview
Admin User Overview
$NSTADMIN
$NSTDBA
$NSTGROUP
$SRVADM
DBO
Worksheet
Overview of User Types in LeasePak
There are two broad categories of LeasePak users: administrative users, who maintain and operate the system, such as $NSTADMIN and $NSTDBA, and non-administrative users, who use the system to perform their job functions. Non-administrative users belong to one of two classes: Dedicated and Hosted. Unless the site has a license that includes the Shared User module, all non-administrative users are Dedicated users, and there is no Proxy user. The LeasePak Supervisor, regular users, restricted users, and partially restricted users, plus a proxy user and hosted users, if licensed, are discussed in the following pages.
The table below shows the different user types and classes, and how each is characterized by a set of four on/off features:
User Features
- Admin?: Is this an Administrative User? Is this a preset NetSol role?
- OS?: Is this an operating system user? Does this user have an OS account?
- DBMS?: Is this a DBMS user? Does this user have a DBMS account?
- RSC?: Is this an RSC user? Does this user have a LeasePak Security Record?
In each discussion of a user-type, these four flags are presented together on a line following the discussion's headers, in a form like this:
These on/off (Y/N) flags are presented below with the discussions of user classes and types. This is to emphasize that these characteristics are the overriding means of identifying the user classes and types.
| User Class | User Name/Type | Admin? | OS? | DBMS? | RSC? |
|---|---|---|---|---|---|
| Administrative Users | | | | | |
| ADMIN | NSTADMIN | Y | Y | N | N |
| | NSTDBA | Y | Y | N | N |
| | SRVADM | Y | N | Y | N |
| | DBO | Y | N | Y | N |
| Non-Administrative Users | | | | | |
| DEDICATED | Regular | N | Y | Y | Y |
| | Reports | N | Y | Y | Y |
| | PartialUpd | N | Y | Y | Y |
| | LpSup | N | Y | Y | Y |
| | Proxy | N | Y | Y | N |
| HOSTED | Regular | N | N | N | Y |
| | Reports | N | N | N | Y |
| | PartialUpd | N | N | N | Y |
| | LpSup | N | Y | Y | Y |
Administrative User Accounts
Administrative Accounts Are Used to Perform System Functions Related to LeasePak
This section discusses the requirements for the LeasePak administrative accounts, including:
- $NSTADMIN – The LeasePak Release Administrator, responsible for the configuration and maintenance of the LeasePak release and environments on the application host.
- $NSTDBA – The LeasePak Database Administrator, responsible for the configuration and maintenance of all of the LLDBs connected to the LeasePak environments.
- $NSTGROUP – The LeasePak Login Group. All OS users connected with LeasePak must have this group as their primary login group; that is, this group must be the one listed in /etc/passwd for every LeasePak user's OS user account. The administrator must specify the login group when setting up a user account on the application host, and not allow the system to create a separate group for every LeasePak user, as some systems are set up to do.
- $SRVADM – The Database Server Administrator. The LeasePak role designed to perform low-risk tasks under the supervision of the administrator or the DBMS root user (sysdba or sa), allocating disk space to LLDBs, and setting up DBMS users.
- $DBOWNER – The LLDB owner, or DBO, is a database user, and is neither an OS user nor a LeasePak user. It is a role more than an actual person. Typically, the $NSTDBA will wield the credentials of the DBO. The DBMSs used by LeasePak both require the concept of an owner of the LLDB (the schema in Oracle and the database in Sybase). In the case of Oracle, the schema is a user, and therefore the LLDB and the DBO are one and the same. In Sybase, any DBMS user can be made the owner of a database; however, for interoperability with Oracle, in LeasePak under Sybase, db_create usually creates the DBO as a database user with the same name as the LLDB.
IMPORTANT NOTE
So Many Administrators!!
How to tell them apart...
| Title | Name | OS User | DBMS User | Comments |
|---|---|---|---|---|
| System Administrator | root | Y | N | For the purposes of this documentation, the System Administrator is a person who wields the credentials of the root account on the Application host or on the DBMS Host. It is assumed that persons in charge of the operation of the host systems will be System Administrators. There are certain tasks assigned to the System Administrator which require root credentials. These include installing LeasePak, managing LeasePak's services, creating new OS user accounts, and others. |
| Database System Root User, Database Administrator, DBA | sa (Sybase), sysdba (Oracle) | N | Y | Each Database System has its own super-user, an entity who has complete and ultimate authority over the Database System, over its configuration and contents and over the access of other personnel to it. The Database System Root User's credentials are wielded by a physical person, often called the DBA, or Database Administrator, and sometimes more than one person, depending on site security policies. |
| Database Server Administrator | $SRVADM, srvadm | N | Y | Each installed database system used by LeasePak should have one role named srvadm. SETUP creates this role unless its creation has been disabled (see Disabling db_add_srvadm). The $SRVADM is a delegate of the Database System Root User, and exists to perform tasks for LeasePak that involve allocating database system resources or granting users database system access. |
| LLDB Owner | $DBOWNER, DBO | N | Y | A DBMS role that is in charge of the LLDB. Certain DBMS functions must be performed by this role. Typically the $NSTDBA wields the credentials of this role. |
| LeasePak Release Administrator | $NSTADMIN, nsadm77a | Y | N | Each installed instance of LeasePak on an application host should have its own $NSTADMIN. The $NSTADMIN is responsible for administering the side of the LeasePak installation. This role should never be a Database user or a LeasePak user. |
| LeasePak Database Administrator | $NSTDBA, nsdba77a | Y | N | Each installed instance of LeasePak on a host should have its own $NSTDBA. The $NSTDBA is responsible for administering the database system side of the LeasePak installation. This role should never be a Database user or a LeasePak user. All interaction by this role with the DBMS is performed using the $SRVADM or the DBO. |
This section covering LeasePak administrative users does not present any commands to be executed by the administrator or operator. This is because either the user accounts must be created by the System Administrator before LeasePak is installed, or the user accounts are created by the installation process itself.
$NSTADMIN
LeasePak Release Administrator
- During installation of LeasePak, the SETUP program asks the System Administrator to enter the name of the $NSTADMIN user at the prompt: NetSol Admin login name [nsadm77a]. The administrator may accept the [default] or enter any name here that is allowed by the selected naming convention. The user must have an OS user account. This user should not be a user with any other LeasePak functions.
- NetSol recommends that the System Administrator use a name ending in *adm77a for the $NSTADMIN role.
- SETUP does not create the $NSTADMIN user. Therefore the System Administrator must create this role before LeasePak can be installed.
- The selected user name is available to all LeasePak processes via the environment variable $NSTADMIN.
- $NSTADMIN is the owner of most files within the LeasePak release structure. It is the only LeasePak user who can execute certain commands: cfg_gen, change_env, configure_rels, db_setup_job, eop_suite II, linkpoint, set_access, setup_new_env, setup_rels_dirs, and upgrade_env. It owns the whole Queue Manager installation, and alone can start and stop the Queues.
$NSTDBA
LeasePak Database Administrator
During installation of LeasePak, the SETUP program asks the System Administrator to enter the name of the $NSTDBA user at the prompt: NetSol DBA login name [nsdba77a]. The administrator may enter any name here which is allowed by the selected naming convention. The user must have an OS user account. This user should not be a user with any other LeasePak functions.
NetSol recommends that the System Administrator use a name ending in *dba77a for the $NSTDBA role.
SETUP does not create the $NSTDBA user. The Administrator must create this role before LeasePak can be installed.
The selected user name is available to all LeasePak processes via the $NSTDBA environment variable.
$NSTDBA is the owner of all datasets. It is the only LeasePak user who can execute the db_* LLDB maintenance and management programs.
$NSTGROUP
LeasePak Primary Login Group
- The $NSTADMIN and $NSTDBA users, as well as all LeasePak users, must have $NSTGROUP as their primary login group. During installation of LeasePak, the SETUP program asks the system administrator to enter the name of the $NSTGROUP group at the prompt: NetSol group name [nst]. The administrator may enter any name here which is allowed by the selected naming convention and which is an established OS group name listed in /etc/group.
- NetSol recommends that the system administrator use nst or similar as the name of the $NSTGROUP group.
- The group $NSTGROUP must be listed in /etc/group, but the members of the $NSTGROUP group should not be listed in /etc/group, since their group membership is already established by /etc/passwd giving it as their primary login group.
Some LeasePak users have reported that they have used the same UID and user name for both the $NSTADMIN and $NSTDBA users without serious side-effects. NetSol believes that their assumptions are correct; however, NetSol has not performed testing under this arrangement, and cannot express any further opinion about it.
IMPORTANT NOTE
$NSTADMIN and $NSTDBA
These are highly specialized accounts. Their environment variables should always point to the administrative environment (adm_ora or adm_syb) where SETUP initially placed them. Do not change the environment for either of these accounts, whether manually or by using change_env, and do not set either of them up as LeasePak users.
Because these accounts must remain as configured by SETUP, NetSol strongly recommends that separate $NSTADMIN and $NSTDBA users be set up for each LeasePak release, and that they follow a naming convention that embeds the LeasePak release version in the user names. For example: nsadm77a and nsdba77a.
$SRVADM
Database Server Administrator
- The Database Server Administrator is a DBMS-only user (has no OS user account) who is accorded a number of privileges beyond what ordinary DBMS users get, in order for the System Administrator and the Database System Administrator (such as sa or sysdba) to delegate the tasks required by LeasePak to a user without divulging the Database System Administrator's password.
- The $SRVADM role is too powerful for some sites' security policies; the $SRVADM can be pre-created before installation with SETUP, and SETUP can be instructed to not prompt for the $SRVADM's password, and to not create the $SRVADM account. See Disabling db_add_srvadm.
- During installation of LeasePak, the SETUP program asks the System Administrator to enter the name of the $SRVADM user at the prompt: DBMS server administrator name [srvadm]. The administrator may enter any name here that is allowed by the selected naming convention and that does not have an OS user account. This role should not be a user with any other LeasePak functions.
- NetSol strongly recommends that the System Administrator use the name srvadm or similar for the $SRVADM role, and avoid tying the name to any particular release of LeasePak.
- SETUP creates the $SRVADM user in each installed database system on the application host. When it does so, the administrator will be prompted for the password of the database system root user for each installed DBMS. The database system root user is:
  - for Oracle: / as sysdba
  - for Sybase: sa
  The administrator will also be prompted for a password for the $SRVADM user; the same name and password will be used for each installed DBMS.
- The selected user name is available to all LeasePak processes via the environment variable $SRVADM.
- The $SRVADM user is a database system-only user, and should have no OS user account; because the $SRVADM user does not execute any LeasePak /util menu items or LeasePak utility scripts, no OS user account is needed.
- Because the name of the $SRVADM user is available to all LeasePak processes, the administrator never has to remember or use it. However, a number of LeasePak db_* commands require the operator to provide the $SRVADM password, because they run SQL commands under the database server using the $SRVADM database system user account. The administrator does not need to remember which commands require the $SRVADM password, because the commands that require it will always prompt for it.
DBO
Database Owner
- Sybase has a role called "dbo", or database owner. This role can be fulfilled by any Sybase user. Oracle's schemas are actually users. All LeasePak users, except the DBO in an Oracle LLDB, have no space allotted to them to make their own tables. The Oracle user that bears the same name as the LLDB has as much space as is required to implement LeasePak.
- Accordingly, the DBO in both DBMSes has a range of privileges within the LLDB. Because the Oracle schema (aka LeasePak database) and its owner are synonymous, no DBO needs to be created. In Sybase, once the database is created, it is owned by sa or $SRVADM. An owner must be found. An existing Sybase user can be made the DBO. However, to simplify administration, LeasePak will create an owner with the same name as the database, essentially duplicating (outwardly) the arrangement found in Oracle. See $SYB_AUTODBO.
If the site maintains DBMS hosts separate from the , the same name should be used for the $SRVADM role on all hosts. It is not necessary to maintain separate user names for each LeasePak release, as it is for the $NSTADMIN and $NSTDBA users.
IMPORTANT NOTE
$NSTADMIN, $NSTDBA, and $SRVADM...
The functions performed, and the scope of the data controlled, by these three LeasePak administrative users are quite specialized. NetSol strongly recommends that the $NSTADMIN and $NSTDBA users be kept unique for each LeasePak release, and that the $SRVADM role not be combined with either role.
Attempting to reduce the complexity of LeasePak administration by making untested shortcuts and combinations cannot fully succeed: the LeasePak software will still observe the distinctions among the different roles.
The only shortcut that NetSol recognizes is to simply assign the same password to each role; then regardless of the role prompted for, the password will be the same. This is not recommended, but is possible and outside the scope of the software to govern. Good management practices should encourage the System Administrator to capitalize on LeasePak's security features and incorporate them into the over-all corporate security infrastructure.
Administrative User Account Worksheet
Use this worksheet to help plan for the required Administrative User Accounts:
| Role | Name to Enter in SETUP (with suggested value) | OS Acct? | DBMS Acct? | Created by SETUP? | Password | Notes |
|---|---|---|---|---|---|---|
| $NSTGROUP | nst | yes | no | no | (none) | OS group that must have been created before running SETUP; must be the primary login group for all LeasePak OS users. |
| $NSTADMIN | nsadm77a | yes | no | no | | The LeasePak Release Administrator ($NSTADMIN) is an OS user that must have been created before running SETUP; must have $NSTGROUP as its primary login group. |
| $NSTDBA | nsdba77a | yes | no | no | | The LeasePak Database Administrator is an OS user that must have been created before running SETUP; must have $NSTGROUP as its primary login group. |
| $SRVADM | srvadm | no | yes | yes | | The $SRVADM is not an OS user, but is strictly a user within the installed database systems. It is granted sufficient authority to allow it to allocate resources to LLDBs, to create an LLDB, to create dbos to own and manage them, and to grant users access to the database systems. |
The $NSTGROUP of course has no password, while the 3 user roles do. The System Administrator should assign passwords to these users in accordance with site password policies, and in accordance with appropriate OS and database system guidelines.
The $NSTADMIN and $NSTDBA do not require translated passwords; they require a single OS password each. These users do not need to log on to the database servers as themselves, because nearly all of the LeasePak commands that they execute use $SRVADM or the DBO for LLDB access.
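The OS-side rules from the $NSTGROUP and $SRVADM sections and the worksheet can be checked before running SETUP. The script below is an added example, not NetSol code or part of LeasePak; the function names audit_lp_accounts and write_sample and the sample passwd and group entries are constructed for illustration.

```shell
#!/bin/sh
# Added example, not part of LeasePak. Checks passwd/group files against this page's rules.
# Usage: audit_lp_accounts PASSWD_FILE GROUP_FILE NSTGROUP SRVADM OS_USER...
audit_lp_accounts() {
    pw=$1; gr=$2; grp=$3; srv=$4; shift 4; fails=0
    # $NSTGROUP must be an established group in the group file.
    gid=$(awk -F: -v g="$grp" '$1 == g { print $3; exit }' "$gr")
    if [ -z "$gid" ]; then
        echo "FAIL group $grp is not listed in the group file"; return 1
    fi
    # Members should not be listed there; /etc/passwd already establishes membership.
    members=$(awk -F: -v g="$grp" '$1 == g { print $4; exit }' "$gr")
    if [ -n "$members" ]; then
        echo "WARN group $grp lists members explicitly: $members"
    fi
    # Every LeasePak OS user (including $NSTADMIN and $NSTDBA) needs $NSTGROUP as primary group.
    for u in "$@"; do
        ugid=$(awk -F: -v u="$u" '$1 == u { print $4; exit }' "$pw")
        if [ -z "$ugid" ]; then
            echo "FAIL $u has no OS account"; fails=$((fails + 1))
        elif [ "$ugid" != "$gid" ]; then
            echo "FAIL $u primary gid is $ugid, expected $gid ($grp)"; fails=$((fails + 1))
        fi
    done
    # $SRVADM is a DBMS-only user and should have no OS account.
    if [ -n "$(awk -F: -v u="$srv" '$1 == u { print $1; exit }' "$pw")" ]; then
        echo "FAIL $srv has an OS account"; fails=$((fails + 1))
    fi
    [ "$fails" -eq 0 ]
}

# Constructed sample files (not from a real host) with three deliberate problems.
write_sample() {
    cat > "$1/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/sh
nsadm77a:x:1001:500:release admin:/home/nsadm77a:/bin/sh
nsdba77a:x:1002:1002:database admin:/home/nsdba77a:/bin/sh
srvadm:x:1003:500:dbms delegate:/home/srvadm:/bin/sh
EOF
    cat > "$1/group" <<'EOF'
nst:x:500:nsadm77a
nsdba77a:x:1002:
EOF
}

demo=$(mktemp -d)
write_sample "$demo"
audit_lp_accounts "$demo/passwd" "$demo/group" nst srvadm nsadm77a nsdba77a \
    || echo "audit found problems"
rm -rf "$demo"
```

On an application host, pass /etc/passwd and /etc/group together with the names entered at the SETUP prompts; the function exits non-zero when any FAIL line is printed.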