Managing operating system profiles

Create and manage operating system profiles on the Security tab of the Administrator tool or from the command line. You can create, edit, and delete operating system profiles. You can assign or change the default operating system profile to users and groups.
If the Data Integration Service is configured to use operating system profiles, it runs mappings, profiles, and workflows with the operating system profile. If the PowerCenter Integration Service is configured to use operating system profiles, it runs workflows with the operating system profile.
Create, edit, and delete operating system profiles in the Operating System Profiles view of the Security tab.
Complete the following steps to create an operating system profile:
  1. Enter an operating system profile name and a system user name.
  2. Select the Integration Services and configure the operating system profile properties.
  3. Optionally, assign permissions on the operating system profile.
After you create an operating system profile, you can assign users and groups to it and assign it as the default profile to users and groups.

Operating System Profile Properties for the PowerCenter Integration Service

Service process variables that are set in session properties and parameter files override the operating system profile settings.
The following table describes the operating system profile properties for the PowerCenter Integration Service:
Property
Description
Name
Read-only name of the operating system profile. The name cannot exceed 128 characters. It cannot include spaces or the following special characters: \ / : * ? " < > | [ ] = + ; ,
System User Name
Read-only name of an operating system user that exists on the machines where the PowerCenter Integration Service runs. The PowerCenter Integration Service runs workflows using the system access of the system user defined for the operating system profile.
$PMRootDir
Root directory accessible by the node. This is the root directory for other service process variables. It cannot include the following special characters:
* ? < > " | ,
$PMSessionLogDir
Directory for session logs. It cannot include the following special characters:
* ? < > " | ,
Default is $PMRootDir/SessLogs.
$PMBadFileDir
Directory for reject files. It cannot include the following special characters:
* ? < > " | ,
Default is $PMRootDir/BadFiles.
$PMCacheDir
Directory for index and data cache files.
You can increase performance when the cache directory is a drive local to the PowerCenter Integration Service process. Do not use a mapped or mounted drive for cache files. It cannot include the following special characters:
* ? < > " | ,
Default is $PMRootDir/Cache.
$PMTargetFileDir
Directory for target files. It cannot include the following special characters:
* ? < > " | ,
Default is $PMRootDir/TgtFiles.
$PMSourceFileDir
Directory for source files. It cannot include the following special characters:
* ? < > " | ,
Default is $PMRootDir/SrcFiles.
$PMExtProcDir
Directory for external procedures. It cannot include the following special characters:
* ? < > " | ,
Default is $PMRootDir/ExtProc.
$PMTempDir
Directory for temporary files. It cannot include the following special characters:
* ? < > " | ,
Default is $PMRootDir/Temp.
$PMLookupFileDir
Directory for lookup files. It cannot include the following special characters:
* ? < > " | ,
Default is $PMRootDir/LkpFiles.
$PMStorageDir
Directory for run-time files. Workflow recovery files save to the $PMStorageDir configured in the PowerCenter Integration Service properties. Session recovery files save to the $PMStorageDir configured in the operating system profile. It cannot include the following special characters:
* ? < > " | ,
Default is $PMRootDir/Storage.
Environment Variables
Name and value of environment variables used by the Integration Service at run time.
If you specify the LD_LIBRARY_PATH environment variable in the operating system profile properties, the Integration Service appends the value of this variable to its LD_LIBRARY_PATH environment variable. The Integration Service uses the value of its LD_LIBRARY_PATH environment variable to set the environment variables of the child processes generated for the operating system profile.
If you do not specify the LD_LIBRARY_PATH environment variable in the operating system profile properties, the Integration Service uses its LD_LIBRARY_PATH environment variable.

Operating System Profile Properties for the Data Integration Service

The following table describes the operating system profile properties for the Data Integration Service:
Property
Description
Name
Read-only name of the operating system profile. The name cannot exceed 128 characters. It cannot include spaces or the following special characters:
% * + \ / ? ; < >
System User Name
Read-only name of an operating system user that exists on the systems where the Data Integration Service runs. The Data Integration Service runs mappings, workflows, and profiling jobs using the system access of the operating system user.
$DISRootDir
Root directory accessible by the node. This is the root directory for other service process variables. It cannot include the following special characters:
* ? < > " | , [ ]
$DISTempDir
Directory for temporary files created when jobs are run. It cannot include the following special characters:
* ? < > " | , [ ]
Default is <root directory>/disTemp.
Note: If the Data Integration Service is configured to use multiple operating system profiles, specify a common directory for all the profiles because a separate directory for each profile results in excessive usage of disk space.
$DISCacheDir
Directory for index and data cache files for transformations. It cannot include the following special characters:
* ? < > " | , [ ]
Default is <root directory>/cache.
$DISSourceDir
Directory for source flat files used in a mapping. It cannot include the following special characters:
* ? < > " | , [ ]
Default is <root directory>/source.
$DISTargetDir
Directory for target flat files used in a mapping. It cannot include the following special characters:
* ? < > " | , [ ]
Default is <root directory>/target.
$DISRejectedFilesDir
Directory for reject files. Reject files contain rows that were rejected when running a mapping. It cannot include the following special characters:
* ? < > " | , [ ]
Default is <root directory>/reject.
$DISLogDir
Directory for logs. It cannot include the following special characters:
* ? < > " | , [ ]
Default is <root directory>/disLogs.
Enable Hadoop Impersonation Properties
Indicates that the Data Integration Service uses the Hadoop impersonation user to run mappings, workflows, and profiling jobs in a Hadoop environment.
The default Hadoop impersonation user is the logged-in user. To specify a different Hadoop impersonation user, select Use the Specified User as Hadoop Impersonation User and enter a user name.
Environment Variables
Name and value of environment variables used by the Integration Service at run time.
If you specify the LD_LIBRARY_PATH environment variable in the operating system profile properties, the Integration Service appends the value of this variable to its LD_LIBRARY_PATH environment variable. The Integration Service uses the value of its LD_LIBRARY_PATH environment variable to set the environment variables of the child processes generated for the operating system profile.
If you do not specify the LD_LIBRARY_PATH environment variable in the operating system profile properties, the Integration Service uses its LD_LIBRARY_PATH environment variable.
Note: On AIX, you must set the LD_LIBRARY_PATH environment variable to INFA_HOME/services/shared/bin for the Data Integration Service to successfully run mappings, profiles, and workflows with operating system profiles.
Flat File Cache Directory
Directory of the flat file cache where the Analyst tool stores uploaded flat files.
If the Analyst Service connects to a Data Integration Service that uses operating system profiles, the operating system user specified in the operating system profile must have access to this flat file cache directory. When you import a reference table or flat file source, the Analyst tool uses the files from this directory to create a reference table or flat file data object. Restart the Analyst Service if you change the flat file location.

Operating System Profile Properties for the Metadata Access Service

The following table describes the operating system profile properties for the Metadata Access Service:
Property
Description
Name
Read-only name of the operating system profile. The name cannot exceed 128 characters. It cannot include spaces or the following special characters:
% * + \ / ? ; < >
System User Name
Read-only name of an operating system user that exists on the systems where the Metadata Access Service runs. The Metadata Access Service allows the Developer tool to access Hadoop connection information to import and preview metadata using the system access of the operating system user.
Enable Hadoop Impersonation Properties
Indicates that the Metadata Access Service uses the Hadoop impersonation user to import and preview metadata.
The default Hadoop impersonation user is the logged-in user. To specify a different Hadoop impersonation user, select Use the Specified User as Hadoop Impersonation User and enter a user name.

Creating an Operating System Profile

Create an operating system profile and assign it to users and groups to increase security and to isolate the run-time user environment. You can create one or more operating system profiles. The PowerCenter Integration Service uses the operating system profile to run workflows. The Data Integration Service uses the operating system profile to run mappings, profiles, and workflows. The Metadata Access Service uses the operating system profile to access Hadoop connection information to import and preview metadata.
    1. In the Administrator tool, click the Security tab.
    2. On the Security Actions menu, click Create Operating System Profile.
    The Create Operating System Profile - Step 1 of 3 dialog box appears.
    3. Enter the following general properties for the operating system profile:
    Property
    Description
    Name
    Name of the operating system profile. The name is not case sensitive and must be unique within the domain. It cannot exceed 128 characters or begin with @. It also cannot contain the following special characters:
    % * + \ / ? ; < >
    The name can contain an ASCII space character except for the first and last character. All other space characters are not allowed.
    System User Name
    Name of an operating system user that exists on the machines where the Integration Service runs. The Integration Service runs workflows or jobs using the system access of the system user defined for the operating system profile.
    Note: When you create operating system profiles, you cannot specify root as the system user name, and you cannot use a non-root user whose UID is 0.
    4. Click Next.
    The Configure Operating System Profile - Step 2 of 3 dialog box appears.
    5. Select the service that will use the operating system profile.
    6. Configure the operating system profile properties for the selected services. To create an operating system profile for the Metadata Access Service, you must also select Data Integration Service along with Metadata Access Service and specify the $DISRootDir variable for the Data Integration Service.
    7. If the services access a Hadoop environment at design time or at run time, configure the Hadoop impersonation properties as follows:
        a. Select Enable Hadoop Impersonation Properties.
        b. Choose to use the logged-in user or specify a Hadoop impersonation user to run Hadoop jobs.
    8. Optionally, configure the environment variables.
    9. If the Analyst Service connects to a Data Integration Service that uses operating system profiles, configure the Analyst Service properties.
    10. Click Next.
    The Assign Groups and Users to Operating System Profile - Step 3 of 3 dialog box appears.
    11. In the Groups tab, assign groups to the operating system profile as follows:
        a. To assign specific groups to the operating system profile, select one or more groups and click Add.
        b. To assign all available groups to the operating system profile, click Add All.
    12. Optionally, assign the operating system profile as the default profile to one or more groups. To assign a default profile, select Default Profile for the group in the Selected Group(s) list.
    13. In the Users tab, assign users to the operating system profile as follows:
        a. To assign specific users to the operating system profile, select one or more users and click Add.
        b. To assign all available users to the operating system profile, click Add All.
    14. Optionally, assign the operating system profile as the default profile to one or more users. To assign a default profile, select Default Profile for the user in the Selected User(s) list.
    15. Click Finish.
    After you create the operating system profile, the details panel displays the properties of the operating system profile and the groups and users that the profile is assigned to.
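A pre-flight check for the constraints the creation dialog enforces, written here as an added example (it is not part of the Informatica product or of this guide). It applies the creation-dialog name rules, the Data Integration Service directory character rules, and the no-root/UID 0 rule for the system user; the passwd lookup is injectable so the check can run against a constructed user table, and the sample name and user at the bottom are constructed.

```python
import pwd

# Characters the creation dialog rejects in a profile name, per this guide.
NAME_FORBIDDEN = set('%*+\\/?;<>')
# Characters rejected in Data Integration Service directory variables, per this guide.
DIR_FORBIDDEN = set('*?<>"|,[]')

def validate_profile_name(name):
    """Return the name-rule violations for a proposed operating system profile name."""
    problems = []
    if not name:
        return ["name is empty"]
    if len(name) > 128:
        problems.append("name exceeds 128 characters")
    if name.startswith("@"):
        problems.append("name begins with @")
    bad = sorted(NAME_FORBIDDEN.intersection(name))
    if bad:
        problems.append("name contains forbidden characters: " + " ".join(bad))
    # Only the ASCII space is permitted, and not as the first or last character.
    if name[0] == " " or name[-1] == " ":
        problems.append("name begins or ends with a space")
    if any(ch.isspace() and ch != " " for ch in name):
        problems.append("name contains a non-ASCII space character")
    return problems

def validate_directory(var, path):
    """Return violations of the directory character rule for one $DIS* variable."""
    bad = sorted(DIR_FORBIDDEN.intersection(path))
    if bad:
        return [f"{var} contains forbidden characters: " + " ".join(bad)]
    return []

def validate_system_user(user, lookup=pwd.getpwnam):
    """The system user must exist on the node and must not be root or any UID 0 account."""
    # `lookup` defaults to the real passwd database; tests inject a constructed table.
    try:
        entry = lookup(user)
    except KeyError:
        return [f"system user {user!r} does not exist on this node"]
    if user == "root" or entry.pw_uid == 0:
        return [f"system user {user!r} is root or has UID 0; not allowed"]
    return []

def validate_profile(name, user, dirs, lookup=pwd.getpwnam):
    """Run every check; `dirs` maps variable names such as $DISRootDir to paths."""
    problems = validate_profile_name(name) + validate_system_user(user, lookup)
    for var, path in dirs.items():
        problems += validate_directory(var, path)
    return problems

if __name__ == "__main__":
    # Constructed sample input: a name with a semicolon and the root account as system user.
    print(validate_profile("etl;prod", "root", {"$DISRootDir": "/opt/infa/dis"}))
```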

Editing an Operating System Profile

You can edit an operating system profile to change the operating system profile properties.
You cannot edit the name or the system user name after you create an operating system profile. If you do not want to use the operating system user specified in the operating system profile, delete the operating system profile.
    1. In the Administrator tool, click the Security tab.
    2. Select the Operating System Profiles view.
    3. Select the operating system profile.
    4. In the Properties tab, click Edit.
    The Edit Properties dialog box appears.
    5. Select the Data Integration Service, the PowerCenter Integration Service, or the Metadata Access Service that you want to configure.
    6. Edit the service properties.
    7. Click OK.

Assigning a Default Operating System Profile to a User or Group

When a user or group has access to more than one operating system profile, assign a default operating system profile that the Integration Service uses to run jobs and workflows. You can assign any operating system profile with direct permission as the default profile to a user or group. A user or group can have only one default operating system profile. However, you can assign the same operating system profile as the default profile to more than one user or group.
    1. On the Security tab, select the Users or Groups view.
    2. In the Navigator, select the user or group.
    3. In the content panel, select the Permissions view.
    4. Click the Operating System Profiles tab.
    5. Click the Assign or Change the Default Operating System Profile button.
    The Assign or Change the Default Operating System Profile dialog box appears.
    6. Select a profile from the Default Operating System Profile list, or select Do not assign a default operating system profile to remove the default profile that is assigned to the user or group.
    7. Click OK.
    In the details panel, the Default Profile column displays Yes (Direct) for the operating system profile.

Deleting an Operating System Profile

To delete an operating system profile, right-click the operating system profile name in the Operating System Profile section of the Navigator and select Delete Profile.
After you delete an operating system profile, assign another operating system profile to the users and groups that the operating system profile was assigned to as the default profile. If the PowerCenter Integration Service uses operating system profiles, assign another operating system profile to the repository folders and workflows that the operating system profile was assigned to.

Working with Operating System Profiles in a Secure Domain

You can use operating system profiles in an Informatica domain that has secure communication enabled.
Consider the following rules and guidelines when you use operating system profiles in a domain that has secure communication enabled:
You must set the following environment variables for the operating system profile:
INFA_TRUSTSTORE
Set the value to the directory that contains the truststore files for the SSL certificates for the secure domain. The directory must contain a truststore file named infa_truststore.pem.
INFA_TRUSTSTORE_PASSWORD
If you use a custom truststore, set the value to the password for the infa_truststore.pem that contains the SSL certificate for the secure domain. The password must be encrypted. Use the command line program pmpasswd to encrypt the password.
Additionally, if the PowerCenter Integration Service uses the Session on Grid option, you must set the following environment variable for the operating system profile:
INFA_KEYSTORE
Set the value to the directory that contains the keystore files for the SSL certificates for the secure domain. The directory must contain a keystore file named infa_keystore.pem.
You can set the environment variables for the operating system profile in the Administrator tool. To set the environment variables for the operating system profile, click Security > Operating System Profiles. Edit the properties of the operating system profile and set the environment variables.
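A check of the secure-domain environment variable rules above, written here as an added example (not part of the Informatica product or of this guide). It confirms that INFA_TRUSTSTORE points at a directory containing infa_truststore.pem, that INFA_TRUSTSTORE_PASSWORD is present when a custom truststore is used, and that INFA_KEYSTORE with infa_keystore.pem is present when Session on Grid is enabled; the file-existence probe is injectable so the check can run against a constructed directory listing, and the paths in the sample are constructed.

```python
import os

def check_secure_domain_env(env, session_on_grid=False, custom_truststore=False,
                            isfile=os.path.isfile):
    """Return violations of the secure-domain rules for a profile's environment variables.

    `env` is the profile's environment variable map; `isfile` defaults to the real
    filesystem and is injectable so tests can supply a constructed listing.
    """
    problems = []
    ts_dir = env.get("INFA_TRUSTSTORE")
    if not ts_dir:
        problems.append("INFA_TRUSTSTORE is not set")
    elif not isfile(os.path.join(ts_dir, "infa_truststore.pem")):
        problems.append(f"{ts_dir} does not contain infa_truststore.pem")
    # With a custom truststore the pmpasswd-encrypted password must also be set.
    if custom_truststore and not env.get("INFA_TRUSTSTORE_PASSWORD"):
        problems.append("INFA_TRUSTSTORE_PASSWORD is not set for the custom truststore")
    # Session on Grid additionally requires the keystore directory.
    if session_on_grid:
        ks_dir = env.get("INFA_KEYSTORE")
        if not ks_dir:
            problems.append("INFA_KEYSTORE is required with Session on Grid but is not set")
        elif not isfile(os.path.join(ks_dir, "infa_keystore.pem")):
            problems.append(f"{ks_dir} does not contain infa_keystore.pem")
    return problems

if __name__ == "__main__":
    # Constructed sample: truststore directory set, Session on Grid enabled, no keystore.
    print(check_secure_domain_env({"INFA_TRUSTSTORE": "/opt/infa/ts"}, session_on_grid=True))
```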

Working with Operating System Profiles in a Domain with Kerberos Authentication

You can use operating system profiles in an Informatica domain that runs on a network with Kerberos authentication.
Consider the following rules and guidelines when you use operating system profiles in a domain that runs on a network with Kerberos authentication: