The instructions in https://support.sas.com/kb/38/040.html are very clear.
For changes to take effect in workspace server, the umash option has to be in ObjectSpawner.sh.
Now about "Is there a service or server that needs to be restarted in order for the changes to take effect?". The answer is no.
Be aware that umask of 007 means a permission of 770. 

Following a umask of 007, a standard user creates a file with 660 - rw- rw- --- permission profile as required by the default permissions at creation step. See for Linux https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/configuring_basic_syst...

Following the same umask, a directory is created with 770 (rwx rwx ---) permission profile. 

It's standard security on Unix/Linux not to grant execution permission by default to a file, it must be set explicitly unless you are root. 

Hi Greg,

That's exactly it. We tried changing the umask in both:

• WorkspaceServer_usermods.sh
• ObjectSpawner_usermods.sh

...and the umask remains unaffected in new sessions. I'm thinking ObjectSpawner.sh should be tried next, althoough I'm not exactly sure where to include the umask instruction.  

For the USERMODS_OPTIONS= line, should we just remove it then? 

Thanks

[sas@trcv003 WorkspaceServer]$ umask
0002
[sas@trcv003 WorkspaceServer]$ ./WorkspaceServer.sh -nodms -nonews
NOTE: Copyright (c) 2016 by SAS Institute Inc., Cary, NC, USA. 
...
NOTE: AUTOEXEC processing completed.

  1? x "touch /tmp/testfile";
  2? endsas;
...   
[sas@trcv003 WorkspaceServer]$ ls -l /tmp/testfile
-rw-rw-r-- 1 sas sas 0 Aug 19 14:56 /tmp/testfile
[sas@trcv003 WorkspaceServer]$ echo "umask 007" >> WorkspaceServer_usermods.sh 
[sas@trcv003 WorkspaceServer]$ ./WorkspaceServer.sh -nodms -nonews
NOTE: Copyright (c) 2016 by SAS Institute Inc., Cary, NC, USA. 
...
  1? x "touch /tmp/testfile2";
  2? endsas;
...
[sas@trcv003 WorkspaceServer]$ ls -l /tmp/testfile2
-rw-rw---- 1 sas sas 0 Aug 19 14:57 /tmp/testfile2
[sas@trcv003 WorkspaceServer]$ 

Ok, I confirm that no matter the value I put in WorkspaceServer_usermods.sh, it is not taken into account. The files created with 'touch' systematically have -rw-rw-r-- permissions. This would corresponding to umask=002 if I'm not mistaken, but this 002 is neither the default umask on the Unix system, nor the default in WorkspaceServer_usermods.sh.

Just to recap, here's what I did:

#!/bin/sh -p
#
# WorkspaceServer_usermods.sh
#
# This script extends WorkspaceServer.sh.  Add local environment variables
# to this file so they will be preserved.
#

USERMODS_OPTIONS=

if [ "$LOGNAME" = myuser ]
then
        echo "Setting umask 007"  # to make sure the code is included -- it is
        umask 007
else
        umask 022
fi

I also tried without conditions, giving umask 007 for everyone for a brief moment, but it still didn't change a thing.

So something else is interfering somehow... setfacl is not a command that is available on this installation (Aix 6.1). Not sure if that rules out the ACL avenue though...

If you do these commands outside of the Workspace Server does it behave as expected (i.e. umask 007; touch somefile)?

The AIX ACL commands are acledit and aclget it looks like.

https://www.ibm.com/docs/en/aix/7.1?topic=acledit-command

https://www.ibm.com/docs/en/aix/7.1?topic=aclget-command

Yes the umask / touch commands behave as expected in a SSH session.

If I type aclget . in my home directory, I get:

*
* ACL_type AIXC
*
attributes:
base permissions
owner(myuser): rwx
group(staff): --x
others: ---
extended permissions
disabled

Not sure what to look for next... thanks for your guidance!

EDIT: The active umask in the SAS session appears to be 003, not 002, since a directory created with x mkdir has permissions drwxrwxr--.