Question

  Asked: Mar 26 2008   6:42 PM GMT
  Asked by: Lovemyi


Adopt Authority of Files


AS/400 security, AS/400 SOX, *ALLOBJ

I have been asked to secure a completely open system to the users for SOX and just good security practice. I have created a program to call the menu command with a profile with *ALLOBJ authority and specified *OWNER to adopt authority so we can take *ALLOBJ away from users so they only have the access through the menu system and no command line access.

This system was developed years ago with the IBM APD (application program development) which layers the applications with a detailed front end menu and security system.

When we test the access, we get 3 layers down and try to get to another program and it fails with a CPF4101 cannot find file. When we look at the joblog, it shows an authorization error on the file and then tries to find the file in QTEMP and aborts with an RPG1216. When we are at that point, we look at the authorization for the file and we see the normal authorization with one added authorization *ADOPT with User Defined and all object authority except for operational, because the *PUBLIC already has *CHANGE authority.

This looks to me like the added adopted authority should allow this file to be opened, but we still get the CPF2189 - Not Authorized to Object xxx in yyy Type *FILE.

Any ideas why this is not working?

Answer Wiki

Do a DSPPGM of the failing program. Check to see how 'Use adopted authority' is set. I suspect it's *NO.

Bruce
http://www.brucevining.com/
Providing integrated solutions for the System i user community

Discuss This Answer


Lovemyi  |   Mar 27 2008  1:41PM GMT

Bruce, I did check that and it was set to *YES on the program that failed to find the file. Any other suggestions?

Thanks

 

Lovemyi  |   Mar 27 2008  3:56PM GMT

Here is the DSPPGM output for the program that is called, to show that adopt authority is *YES.
Informations sur un programme

Programme . . . . . . : OUB111 Bibliothèque . . . . . : LIN400P
Propriétaire . . . . . : ADMIN
Attribut du programme : RPG

Informations sur la création du programme:
Date et heure de création du programme . . . . . : 04/09/96 02:52:35
Type du programme . . . . . . . . . . . . . . . : OPM
Fichier source . . . . . . . . . . . . . . . . . : QRPGSRC
Bibliothèque . . . . . . . . . . . . . . . . . : LIN400S
Membre source . . . . . . . . . . . . . . . . . : OUB111
Date et heure de modification du fichier source : 04/09/96 02:52:32
Informations observables . . . . . . . . . . . . : *NONE
Profil utilisateur . . . . . . . . . . . . . . . : *USER
Utilisation des droits adoptés . . . . . . . . . : *YES
Correction des données décimales . . . . . . . . : *NO
Espace mémoire à téraoctets activé . . . . . . . : *NO

A suivre…
Appuyez sur ENTREE pour continuer.

F3=Exit F12=Annuler
(C) COPYRIGHT IBM CORP. 1980, 2003.

Sorry, it is in French, but looking at an English system you will see that it is *YES.

Here is the error we get:

Message ID . . . . . . . . . : CPF2189
Message file . . . . . . . . : QCPFMSG
Library . . . . . . . . . : QSYS

Message . . . . : Not authorized to object &1 in &2 type *&3.
Recovery . . . : Obtain authority from security officer or object owner.
Then try the request again.

Complément d'informations sur message

ID message . . . . . . : CPF2189 Gravité . . . . . . . : 40
Type de message . . . : Diagnostic
Date d'envoi . . . . . : 25/03/08 Heure d'envoi . . . . : 14:24:23

Message . . . . : Non autorisé à l'objet WOUB110 de FICTRAV type *FILE.
Que faire . . . : Demandez les droits au responsable de la sécurité ou au
propriétaire de l'objet. Renouvelez ensuite la demande.

Hope this helps.

Thanks.

Bruce B.

 

Gilly400  |   Apr 1 2008  3:41PM GMT

Hi,

Maybe try changing

Profil utilisateur . . . . . . . . . . . . . . . : *USER

to *OWNER?

Regards,

Martin Gilbert.

 

Lovemyi  |   Apr 2 2008  1:24PM GMT

Thanks, this would work for this one issue, but the entire system would almost need every program changed to accommodate this. The answer you provided in another question, where the menu system used group jobs, was the one that applied here: when we change the first program in the call stack of the transferred job, it now works. Thanks everyone for your input.
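As an added example that is not part of the thread, here is the shape of the adopting wrapper and the group-job fix the thread ends on, written in CL. The library MYLIB, the programs MENUADP, MENUMAIN and GRPINIT, and the group job names MENU1 and INQ2 are assumed names; ADMIN, LIN400P and OUB111 are taken from the DSPPGM output posted above. The point it illustrates is that adopted authority travels down a call stack, not across one: TFRGRPJOB starts a new group job with its own stack, so the first program in that stack must adopt on its own.

```cl
/* Added example, not code from the thread.                           */
/* MENUADP: adopting wrapper that fronts the menu system so users     */
/* need neither *ALLOBJ nor a command line. Compile while signed on   */
/* as the owner ADMIN (or CHGOBJOWN to ADMIN afterwards):             */
/*   CRTCLPGM PGM(MYLIB/MENUADP) SRCFILE(MYLIB/QCLSRC)                */
/*            USRPRF(*OWNER) USEADPAUT(*YES)                          */
PGM
   /* Every program called from here runs with ADMIN's authority      */
   /* added to the user's own, but only while MENUADP is on the       */
   /* call stack and only through programs that are themselves        */
   /* USEADPAUT(*YES). A USEADPAUT(*NO) program anywhere in the        */
   /* chain drops the adoption for itself and everything below it.    */
   CALL PGM(MYLIB/MENUMAIN)

   /* Group-job case: make this job a group job, then transfer to a   */
   /* new one. The new group job has its own call stack and MENUADP   */
   /* is not on it, so nothing is adopted there unless GRPINIT itself */
   /* adopts. That is the "first program in the call stack" fix.      */
   CHGGRPA GRPJOB(MENU1)
   TFRGRPJOB GRPJOB(INQ2) INLGRPPGM(MYLIB/GRPINIT)
ENDPGM

/* GRPINIT (separate source member): initial program of the new      */
/* group job. Compile with the same adopting attributes:              */
/*   CRTCLPGM PGM(MYLIB/GRPINIT) SRCFILE(MYLIB/QCLSRC)                */
/*            USRPRF(*OWNER) USEADPAUT(*YES)                          */
PGM
   /* The RPG program from the thread now finds WOUB110 in FICTRAV    */
   /* because GRPINIT, not MENUADP, supplies the adopted authority.   */
   CALL PGM(LIN400P/OUB111)
ENDPGM

/* Verification from a command line as the security officer:         */
/*   DSPPGM PGM(MYLIB/GRPINIT)                                        */
/*     -> User profile . . . : *OWNER  Use adopted authority : *YES   */
/*   DSPPGMADP USRPRF(ADMIN) OUTPUT(*PRINT)                           */
/*     -> inventory of every program that adopts ADMIN's authority    */
```

DSPPGMADP is the check worth keeping in a periodic review: each program it lists is a place where a user gets the owner's authority, so the list should be short and every entry should be a program without a command line or an unrestricted exit. If the owner only needs to reach the application's files, owning them with a profile that holds just that authority, rather than *ALLOBJ, keeps the exposure of the wrapper to what the menu actually does.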