Sign up to take part
Registered users can ask their own questions, contribute to discussions, and be part of the Community!
I am trying to figure out how user isolation works when using a server file system connection. If I am a DSS end-user A with a mapped unix user unixA when trying to upload a dataset ZZZ into the folder configured into file system connection the file will be uploaded with unixA owner or as dss user owner (being dss user the user that run dss on the linux machine)
Thank you very much.
Thank you very much Andrey for your quick response,
so there is no way even with user isolation enable to upload a file whose owner is the DSS end user mapped Unix User?
My concern here is that dssuser could get access to private or confidential information upload by business users or there is a workound to achive this
No, it's not possible to restrict dssuser from accessing files in the DSS data directory.
dssuser is used for impersonation, meaning he can execute commands as other DSS users, so that means that even if he didn't have direct access to a certain file, he would after impersonation.
As you mentioned dssuser will get access but through dss-enduser/unix user impersonation.
I will try to clarify a bit better with the following scenario:
Lets say there is a server folder connection configured to be outside DSS data dir for instance /data/finance. At server level the folder with be owned by unix user: vfinance and group: finance with the rights 4(user)7(group)0(others)
Considering that user isolation is enabled, I am connected to DSS (dssenduser: mirgar, unixUser:unixmirgar, unixGroup: finance) working on project A and I want to upload a dataset on /data/finance, when doing this task as user isolation is enabled dssuser will impersonate as unixmirgar and upload the file in /data/finance/?
We need to have a clear understanding of how user isolation works.
If user impersonation is enabled and we run a flow, DSS is try to run all the flow as dssenduser-unixuser or only the code recipes?
Thank you very much.