Currently the DDM agents are running with global admin privileges to delete data from any site. To prevent accidental deletions from MSS, it would be better to define a new SiteDB role for them, and corresponding restricted datasvc abilities. Something like:
hufnagel
commented
9 years ago
Currently the DDM agents are running with global admin privileges to delete data from any site. To prevent accidental deletions from MSS, it would be better to define a new SiteDB role for them, and corresponding restricted datasvc abilities. Something like:
auth: datasvcsubscribe:^(T1.Disk|T2.|T3.)$:cert:DDM:DataOps auth: datasvcdelete:^(T1.Disk|T2.|T3.)$:cert:DDM:DataOps
See also the similar ticket for Tier-0
https://github.com/dmwm/PHEDEX/issues/994