Controlling Access to the iProcess Engine (for UNIX)

Note: This section only applies to the UNIX version of the iProcess Engine. It is not relevant to the Windows version.

Line 12 contains three settings (at the end of the line) that control access to iProcess Engine.

1\GROUPNAME\0\666\swuser\staffwar\7

Individual entries are separated by a backslash character (\). The following table describes the meaning of each entry.

Position

Example

Description

1

1

Reserved for internal use - do not change.

2

GROUPNAME

Reserved for internal use - do not change.

3

1

Reserved for internal use - do not change.

4

666

Reserved for internal use - do not change.

5

swuser

The iProcess RPC Server account name. The default value is swuser.

6

staffwar

The iProcess group name. The default value is staffwar.

7

7

The iProcess security umask value, which controls “world” access to iProcess files in and under SWDIR. “World” permissions on each file installed by or created by the iProcess Suite are set to the iProcess group name permissions for the file, modified by this umask value. For example, if this value is:

7 for high security. “World” has no access to iProcess files in and under SWDIR. This is the default.
0 for low security. “World” has the same access to each file in and under SWDIR as the staffwar group.

To change the iProcess RPC Server account name, iProcess group name, or iProcess security umask value at any time after installation, perform the following steps:

1. Log in to iProcess Engine as a background user.
2. Stop iProcess Engine (if it is running).
3. Change the appropriate value on line 12 of the staffpms file.
4. Run fixperms, which is located in the SWDIR\bin directory, to reset the ownership and permissions information on all files in and under SWDIR.
5. Restart iProcess Engine.

The implications of these security values in staffpms are:

You must be logged in to iProcess Engine as a background user to start or stop the iProcess Engine. See Starting iProcess Engine.
All iProcess processes run with the UID of an iProcess Engine background user, even if the process is started by root. The only exceptions are the runcmd utility, which is located in the SWDIR\util directory, and the RPC_UDP_LI process, which runs as root.
All iProcess files and directories (that is, all files in and under SWDIR) are owned by either root or the iProcess Engine background user. Their group ID is set to the iProcess group (staffwar).
“World” access to iProcess files and directories is restricted. On a new installation, “World” has no access (security umask is set to 7).
All iProcess users who need access to iProcess files and directories must be members of the iProcess group (staffwar). For example, users who need to run swutil, or to use the SERVERRUN commands that access files under SWDIR.