Adopt Authority of Files

2,310 pts.
Tags:
*ALLOBJ
AS/400 security
AS/400 SOX
I have been asked to secure a completely open system to the users for SOX and just good security practice. I have created a program to call the menu command with a profile with *ALLOBJ authority and specified *OWNER to adopt authority so we can take *ALLOBJ away from users so they only have the access through the menu system and no command line access. This system was developed years ago with the IBM APD (application program development) which layers the applications with a detailed front end menu and security system. When we test the access, we get 3 layers down and try to get to another program and it fails with a CPF4101 cannot find file. When we look at the joblog, it shows an authorization error on the file and then tries to find the file in QTEMP and aborts with an RPG1216. When we are at that point, we look at the authorization for the file and we see the normal authorization with one added authorization *ADOPT with User Defined and all object authority except for operational because the *PUBLIC already has *CHANGE authority. It looks to me like the added adopted authority should allow this file to be opened but we still get the CPF2189 - Not Authorized to Object xxx in yyy Type *FILE. Any ideas why this is not working?
ASKED: March 26, 2008  6:42 PM
UPDATED: April 17, 2010  8:21 AM

Answer Wiki


Do a DSPPGM of the failing program. Check to see how ‘Use adopted authority’ is set. I suspect it’s *NO.

Bruce
http://www.brucevining.com/
Providing integrated solutions for the System i user community

==================================================================

Also check programs higher in the call stack. If a higher program has USEADPAUT(*NO), that will block adopted authority from being passed to programs lower in the stack. Lower programs would need to re-establish their own adopted authority.

Tom

Discuss This Question: 5 Replies

  • Lovemyi
    Bruce, I did check that and it was set to *YES on the program that failed to find the file. Any other suggestions? Thanks
    2,310 points
  • Lovemyi
    Here is the program that is called to show that the adopt authority is yes.

        Informations sur un programme
        Programme . . . . . . : OUB111
        Bibliothèque . . . . . : LIN400P
        Propriétaire . . . . . : ADMIN
        Attribut du programme : RPG
        Informations sur la création du programme:
        Date et heure de création du programme . . . . . : 04/09/96 02:52:35
        Type du programme . . . . . . . . . . . . . . . : OPM
        Fichier source . . . . . . . . . . . . . . . . . : QRPGSRC
        Bibliothèque . . . . . . . . . . . . . . . . . : LIN400S
        Membre source . . . . . . . . . . . . . . . . . : OUB111
        Date et heure de modification du fichier source : 04/09/96 02:52:32
        Informations observables . . . . . . . . . . . . : *NONE
        Profil utilisateur . . . . . . . . . . . . . . . : *USER
        Utilisation des droits adoptés . . . . . . . . . : *YES
        Correction des données décimales . . . . . . . . : *NO
        Espace mémoire à téraoctets activé . . . . . . . : *NO
        A suivre...
        Appuyez sur ENTREE pour continuer.
        F3=Exit F12=Annuler
        (C) COPYRIGHT IBM CORP. 1980, 2003.

    Sorry, it is in French but looking at an English system you will see that it is *YES. Here is the error we get:

        Message ID . . . . . . . . . : CPF2189
        Message file . . . . . . . . : QCPFMSG
        Library . . . . . . . . . : QSYS
        Message . . . . : Not authorized to object &1 in &2 type *&3.
        Recovery . . . : Obtain authority from security officer or object owner. Then try the request again.

        Complément d'informations sur message
        ID message . . . . . . : CPF2189
        Gravité . . . . . . . : 40
        Type de message . . . : Diagnostic
        Date d'envoi . . . . . : 25/03/08
        Heure d'envoi . . . . : 14:24:23
        Message . . . . : Non autorisé à l'objet WOUB110 de FICTRAV type *FILE.
        Que faire . . . : Demandez les droits au responsable de la sécurité ou au propriétaire de l'objet. Renouvelez ensuite la demande.

    Hope this helps. Thanks. Bruce B.
    2,310 points
  • Gilly400
    Hi, Maybe try changing Profil utilisateur . . . . . . . . . . . . . . . : *USER to *OWNER? Regards, Martin Gilbert.
    23,730 points
  • Lovemyi
    Thanks, this would work for this one issue but the entire system would almost need every program changed to accommodate this. The answer you provided in another question, where the menu system used group jobs, applied here: when we change the first program in the call stack of the transferred job, it now works. Thanks everyone for your input.
    2,310 points
  • TomLiotta
    "...we look at the authorization for the file and we see the normal authorization..." And what was the normal authority at that point? Note that if "normal" authority actually resolved for the user, then maybe that's the authority you should be reviewing. If the user was BOB and authority for BOB was *USE and the requested authority was *CHANGE, then perhaps BOB's authority is inappropriate. In any case, what was the authority that was shown for the object that caused the CPF4101? Note that CPF4101 is "not found" which might or might not be a result or cause of the authorization error. (And what was the authorization error? What was it for?) Tom
    125,585 points
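The two failure modes discussed in this thread, Tom's point that a USEADPAUT(*NO) program higher in the call stack blocks adopted authority for everything below it, and Lovemyi's follow-up that a transferred group job starts a new call stack without the adopting menu program, can be checked against a small model of how IBM i walks the stack. This is an added example, not code from the original post or from IBM; the program names MENU, LAYER2 and LAYER3, the user BOB and the file's authority are constructed, and the model leaves out group profiles, authorization lists and special authorities other than *ALLOBJ.

```python
# Constructed model of how IBM i resolves adopted authority along a call stack
# (added example, not code from the original post; group profiles, authorization
# lists and other special authorities are left out of the check).
from dataclasses import dataclass
RANK = {"*EXCLUDE": 0, "*USE": 1, "*CHANGE": 2, "*ALL": 3}
ALLOBJ = {"ADMIN"}                      # constructed: profiles holding *ALLOBJ
@dataclass(frozen=True)
class Program:
    name: str
    owner: str
    usrprf: str = "*USER"               # USRPRF(*USER) or USRPRF(*OWNER)
    useadpaut: str = "*YES"             # USEADPAUT(*YES) or USEADPAUT(*NO)

def adopting_owners(stack):
    """Owners adopted at the current (last) program of `stack`."""
    owners = []
    for pgm in reversed(stack):         # current program first, then its callers
        if pgm.usrprf == "*OWNER":
            owners.append(pgm.owner)
        if pgm.useadpaut == "*NO":      # own adoption kept, callers' adoption blocked
            break
    return owners

def authorized(user, stack, obj_auth, required):
    """obj_auth: profile (or '*PUBLIC') -> authority; a private entry overrides *PUBLIC."""
    for name in [user] + adopting_owners(stack):
        if name in ALLOBJ:
            return True
        level = obj_auth.get(name, obj_auth.get("*PUBLIC", "*EXCLUDE"))
        if RANK[level] >= RANK[required]:
            return True
    return False

# Scenario from the question: a menu program owned by ADMIN adopts; three layers
# down, OUB111 (USRPRF(*USER) USEADPAUT(*YES) per the DSPPGM) opens a file on
# which user BOB has no authority. MENU, LAYER2 and LAYER3 are made-up names.
MENU = Program("MENU", "ADMIN", usrprf="*OWNER")
LAYER2, LAYER3, OUB111 = (Program(n, "ADMIN") for n in ("LAYER2", "LAYER3", "OUB111"))
FILE_AUTH = {"*PUBLIC": "*EXCLUDE"}

def via_menu():                         # adoption reaches OUB111 -> True
    return authorized("BOB", [MENU, LAYER2, LAYER3, OUB111], FILE_AUTH, "*CHANGE")

def via_useadpaut_no():                 # Tom's case: *NO higher up blocks it -> False
    blocker = Program("LAYER3", "ADMIN", useadpaut="*NO")
    return authorized("BOB", [MENU, LAYER2, blocker, OUB111], FILE_AUTH, "*CHANGE")

def via_group_job(first_adopts):        # follow-up's case: stack starts at LAYER2
    first = Program("LAYER2", "ADMIN", usrprf="*OWNER" if first_adopts else "*USER")
    return authorized("BOB", [first, LAYER3, OUB111], FILE_AUTH, "*CHANGE")
```

Changing OUB111 to USRPRF(*OWNER), as Martin suggested, also makes every path succeed in this model, which is why it works but would have to be repeated for each program that opens a restricted file.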
