IBM Hub/Switch Installation Manual page 86

Chapter 2 HPSS Planning
In UNIX-style accounting, each user has one and only one account index, their UID. This, combined
with their Cell Id, uniquely identifies how the information may be charged.
In Site-style accounting, each user may have more than one account index, and may switch between
them at runtime.
A site must also decide if it wishes to validate account index usage. Prior to HPSS 4.2, no validation
was performed. For Site-style accounting, this meant that any user could use any account index
they wished without authorization checking. UNIX-style accounting performs de facto
authorization checking since only a single account can be used and it must be the user's UID.
If Account Validation is enabled, additional authorization checks are performed when files or
directories are created, their ownership changed, their account index changed, or when a user
attempts to use an account index other than their default. If the authorization check fails, the
operation fails as well with a permission error.
Using Account Validation is highly recommended if a site will be accessing HPSS systems at remote
sites, now or in the future, in order to keep account indexes consistent. Event if this is not the case,
if a site is using Site-style accounting, Account Validation is recommended if there is a desire by the
site to keep consistent accounting information.
For UNIX-style accounting, at least one Gatekeeper server must be configured and maintained. No
other direct support is needed.
For Site-style accounting, an Account Validation metadata file must also be created, populated and
maintained with the valid user account indexes. See Section 12.2.23: hpss_avaledit — Account
Validation Editor on page 366 of the HPSS Management Guide for details on using the Account
Validation Editor.
If the Require Default Account field is enabled with Site-style accounting and Account Validation,
a user will be required to have a valid default account index before they are allowed to perform
almost any client API action. If this is disabled (which is the default behavior) the user will only be
required to have a valid account set when they perform an operation which requires an account to
be validated, such as a create, an account change operation or an ownership change operation.
When using Site-style accounting with Account Validation if the Account Inheritance field is
enabled, newly created files and directories will automatically inherit their account index from
their parent directory. The account indexes may then be changed explicitly by users. This is useful
when individual users have not had default accounts set up for them or if entire trees need to be
charged to the same account. When Account Inheritance is disabled (which is the default) newly
created files and directories will obtain their account from the user's current session account, which
initially starts off as the user's default account index and may be changed by the user during the
session.
A site may decide to implement their own style of accounting customized to their site's need. One
example would be a form of Group (GID) accounting. In most cases the site should enable Account
Validation with Site-style accounting and implement their own site policy module to be linked with
the Gatekeeper. See Section 2.6.6: Gatekeeper on page 68 as well as the appropriate sections of the
HPSS Programmers Reference Vol. 2 for more information.
Account Validation is disabled (bypassed) by default and is the equivalent to behavior in releases
of HPSS prior to 4.2. If it is disabled, the style of accounting is determined for each individual user
by looking up their DCE account information in the DCE registry. The following instructions
describe how to set up users in this case.
86 September 2002 HPSS Installation Guide
Release 4.5, Revision 2