IBM Hub/Switch - page 86

Chapter 2 HPSS Planning

86 September 2002 HPSS Installation Guide

Release 4.5, Revision 2

InUNIX-style accounting, each user has one and only one account index, their UID. This, combined

with their Cell Id, uniquely identiﬁes how the information may be charged.

InSite-style accounting, each user may have more than one account index, and may switch between

them at runtime.

Asite must also decide if it wishes to validate account index usage. Prior to HPSS 4.2, no validation

was performed. For Site-style accounting, this meant that any user could use any account index

they wished without authorization checking. UNIX-style accounting performs de facto

authorization checking since only a single account can be used and it must be the user's UID.

If Account Validation is enabled, additional authorization checks are performed when ﬁles or

directories are created, their ownership changed, their account index changed, or when a user

attempts to use an account index other than their default. If the authorization check fails, the

operation fails as well with a permission error.

UsingAccount Validation is highly recommended if a site will be accessing HPSS systems at remote

sites,now or in the future, in order to keep account indexes consistent. Event if this is not the case,

ifa site is using Site-style accounting, Account Validation is recommended if there is a desire by the

site to keep consistent accounting information.

ForUNIX-style accounting, at least one Gatekeeper server must be conﬁgured and maintained. No

other direct support is needed.

ForSite-style accounting, an Account Validation metadata ﬁle must also be created, populated and

maintained with the valid user account indexes. See Section 12.2.23: hpss_avaledit — Account

Validation Editor on page 366 of the HPSS Management Guidefor details on using the Account

Validation Editor.

Ifthe Require Default Account ﬁeld is enabled with Site-style accounting and Account Validation,

a user will be required to have a valid default account index before they are allowed to perform

almostany client API action. If this is disabled (which is the default behavior) the user will only be

requiredto have a valid account set when they perform an operation which requires an account to

be validated, such as a create, an account change operation or an ownership change operation.

When using Site-style accounting with Account Validation if theAccount Inheritance ﬁeld is

enabled, newly created ﬁles and directories will automatically inherit their account index from

theirparent directory. The account indexes may then be changed explicitly by users. This is useful

when individual users have not had default accounts set up for them or if entire trees need to be

charged to the same account. WhenAccount Inheritance is disabled (which is the default) newly

createdﬁles and directories will obtain their account from the user's current session account, which

initially starts off as the user's default account index and may be changed by the user during the

session.

Asite may decide to implement their own style of accounting customized to their site's need. One

examplewould be a form of Group (GID) accounting. In most cases the site should enable Account

Validationwith Site-style accounting and implement their own site policy module to be linked with

the Gatekeeper. See Section 2.6.6:Gatekeeper on page 68 as well as the appropriate sections of the

HPSS Programmers Reference Vol. 2for more information.

Account Validation is disabled (bypassed) by default and is the equivalent to behavior in releases

ofHPSS prior to 4.2. If it is disabled, the style of accounting is determined for each individual user

by looking up their DCE account information in the DCE registry. The following instructions

describe how to set up users in this case.