Operating System Profiles for the Data Integration Service

An operating system profile is a security configuration that the Data Integration Service uses to run mappings, workflows, and profiling jobs under a specific operating system user. Use operating system profiles to increase security and to isolate the run-time environments of different user groups from each other. If the Data Integration Service runs on UNIX or Linux, create operating system profiles and configure the Data Integration Service to use them.
An operating system profile contains the operating system user name, service process variables, Hadoop impersonation properties, the Analyst Service properties, environment variables, and permissions.
To increase security, create operating system profiles that divide users into groups. Each group is defined by an operating system profile and the operating system user configured in it. A profile governs which jobs the group runs and which directories those jobs can reach, because the jobs run with the read and write permissions that the profile's operating system user holds on a controlled set of directories. Configure those directory permissions carefully: a job that runs under a profile can reach every directory its operating system user can read or write, so if the permissions are too broad, a job from one profile can traverse into directories that were never assigned to it and read or modify files that belong to another group.
When you configure the Data Integration Service to use operating system profiles, the Data Integration Service runs jobs with the permissions of the operating system user that you define in the operating system profile. The operating system user must have access to the directories you configure in the profile and the directories the Data Integration Service accesses at run time.
Without operating system profiles, the Data Integration Service process runs all jobs, mappings, and workflows with the permissions of the single operating system user that starts Informatica Services. Every job, regardless of which user submitted it, has access to exactly the directories where that operating system user has read and write permissions, and the Data Integration Service writes output files to a single shared location specified in the Data Integration Service execution options.
Before you run a mapping with a Lookup transformation, Sqoop source, or Sqoop target in the Hadoop run-time environment, verify that the operating system user has read, write, and execute permissions on the following directory:
<Informatica installation directory>/tomcat/temp/<Data Integration Service name>/temp
If the Analyst Service and the Data Integration Service run on different nodes, the operating system profiles must be configured for both nodes.

Operating System Profile Example

An IT organization has developers who work with sensitive Human Resources data. The organization needs to prevent the other developers in the organization from accessing any HR file or directory that the HR developers own.
The organization enables operating system profiles to limit access to the data. Each developer group has its own operating system profile. Only the developers in the HR operating system profile can read and write data in the restricted directories on the UNIX machine; jobs submitted by developers in the other profiles run as different operating system users and cannot reach those directories.
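The following POSIX sh audit is an added example and is not code from the Informatica documentation or product. It checks the two directory properties the sections above depend on: that the directories a profile controls are closed to other operating system users (so a job from another profile cannot traverse into them), and that the profile's operating system user has read, write, and execute permission on a directory such as the tomcat temp directory required for Hadoop mappings. The directory names in the demo are constructed for illustration; run the functions as the profile's operating system user against the directories configured in your own profiles.

```shell
#!/bin/sh
# Added example (not from the Informatica documentation): audit the directory
# permission model that operating system profiles rely on.

# Succeed (return 0) when any "other" (world) permission bit is set on the
# directory itself. find -prune keeps find from descending into it, and the
# symbolic -perm form is accepted by both GNU and BSD find.
world_accessible() {
    wa_dir=$1
    [ -d "$wa_dir" ] || return 2
    wa_hit=$(find "$wa_dir" -prune \( -perm -o+r -o -perm -o+w -o -perm -o+x \) -print)
    [ -n "$wa_hit" ]
}

# Succeed when the current user has read, write and execute permission on the
# directory. Run this as the profile's operating system user, for example on
# <Informatica installation directory>/tomcat/temp/<Data Integration Service name>/temp
# before running a Hadoop mapping with a Lookup transformation or Sqoop source/target.
user_has_rwx() {
    ur_dir=$1
    [ -d "$ur_dir" ] && [ -r "$ur_dir" ] && [ -w "$ur_dir" ] && [ -x "$ur_dir" ]
}

# Audit the controlled directories of one profile. Prints one line per finding
# and returns 0 only when every directory is usable by the profile's user and
# closed to other users. Group access is allowed because profiles are defined
# per group; tighten to owner-only if a profile maps to a single user.
audit_profile_dirs() {
    ap_rc=0
    for ap_dir in "$@"; do
        ap_mode=$(ls -ld "$ap_dir" 2>/dev/null | cut -c1-10)
        if world_accessible "$ap_dir"; then
            echo "WORLD-ACCESSIBLE $ap_mode $ap_dir (jobs from other profiles can traverse into it)"
            ap_rc=1
        fi
        if ! user_has_rwx "$ap_dir"; then
            echo "NOT-RWX-FOR-USER $ap_mode $ap_dir (this profile's jobs cannot fully use it)"
            ap_rc=1
        fi
    done
    return $ap_rc
}

# Demo with a constructed layout standing in for the HR developers' restricted
# directories: one locked to owner and group, one mistakenly left world-writable.
demo() {
    base=$(mktemp -d)
    mkdir "$base/hr_restricted" "$base/hr_leaky"
    chmod 0770 "$base/hr_restricted"   # HR user and HR group only
    chmod 0777 "$base/hr_leaky"        # misconfigured: any OS user can read and write
    audit_profile_dirs "$base/hr_restricted" "$base/hr_leaky"
    demo_rc=$?
    rm -rf "$base"
    return $demo_rc
}

demo || echo "audit found problems (exit status $?)"
```

The audit reports hr_leaky as world-accessible and exits non-zero, while hr_restricted passes. Because `user_has_rwx` tests the permissions of whoever runs the script, it only answers the question the documentation asks if it is executed as the operating system user named in the profile, not as the user that starts Informatica Services.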