Adopt Authority of Files
Q:
I have been asked to secure a completely open system to the users for SOX and just good security practice. I have created a program to call the menu command with a profile with *ALLOBJ authority and specified *OWNER to adopt authority so we can take *ALLOBJ away from users so they only have the access through the menu system and no command line access.

This system was developed years ago with the IBM APD (application program development) which layers the applications with a detailed front end menu and security system.

When we test the access, we get 3 layers down and try to get to another program and it fails with a CPF4101 cannot find file. When we look at the joblog, it shows an authorization error on the file and then tries to find the file in QTEMP and aborts with an RPG1216. When we are at that point, we look at the authorization for the file and we see the normal authorization with one added authorization *ADOPT with User Defined and all object authority except for operational because the *PUBLIC already has *CHANGE authority.

This looks to me like the added adopted authority should allow this file to be opened, but we still get the CPF2189 - Not Authorized to Object xxx in yyy Type *FILE.

Any ideas why this is not working?
ASKED: Mar 26 2008  6:42 PM GMT
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _
A:
Do a DSPPGM of the failing program. Check to see how 'Use adopted authority' is set. I suspect it's *NO.

Bruce
http://www.brucevining.com/
Providing integrated solutions for the System i user community

==================================================================

Also check programs higher in the call stack. If a higher program has USEADPAUT(*NO), that will block adopted authority from being passed to programs lower in the stack. Lower programs would need to re-establish their own adopted authority.

Tom
Last Answered: Oct 20 2009  10:20 PM GMT by TomLiotta   7670 pts.
Latest Contributors: Bvining   4875 pts.
Discuss This Answer:
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _

Lovemyi   1455 pts.  |   Mar 27 2008  1:41PM GMT

Bruce, I did check that and it was set to *YES on the program that failed to find the file. Any other suggestions?

Thanks


Lovemyi   1455 pts.  |   Mar 27 2008  3:56PM GMT

Here is the program that is called to show that the adopt authority is yes.
Informations sur un programme

Programme . . . . . . : OUB111 Bibliothèque . . . . . : LIN400P
Propriétaire . . . . . : ADMIN
Attribut du programme : RPG

Informations sur la création du programme:
Date et heure de création du programme . . . . . : 04/09/96 02:52:35
Type du programme . . . . . . . . . . . . . . . : OPM
Fichier source . . . . . . . . . . . . . . . . . : QRPGSRC
Bibliothèque . . . . . . . . . . . . . . . . . : LIN400S
Membre source . . . . . . . . . . . . . . . . . : OUB111
Date et heure de modification du fichier source : 04/09/96 02:52:32
Informations observables . . . . . . . . . . . . : *NONE
Profil utilisateur . . . . . . . . . . . . . . . : *USER
Utilisation des droits adoptés . . . . . . . . . : *YES
Correction des données décimales . . . . . . . . : *NO
Espace mémoire à téraoctets activé . . . . . . . : *NO

A suivre…
Appuyez sur ENTREE pour continuer.

F3=Exit F12=Annuler
(C) COPYRIGHT IBM CORP. 1980, 2003.

Sorry, it is in French, but looking at an English system you will see that it is *YES.

Here is the error we get:

Message ID . . . . . . . . . : CPF2189
Message file . . . . . . . . : QCPFMSG
Library . . . . . . . . . : QSYS

Message . . . . : Not authorized to object &1 in &2 type *&3.
Recovery . . . : Obtain authority from security officer or object owner.
Then try the request again.

Complément d'informations sur message

ID message . . . . . . : CPF2189 Gravité . . . . . . . : 40
Type de message . . . : Diagnostic
Date d’envoi . . . . . : 25/03/08 Heure d’envoi . . . . : 14:24:23

Message . . . . : Non autorisé à l'objet WOUB110 de FICTRAV type *FILE.
Que faire . . . : Demandez les droits au responsable de la sécurité ou au
propriétaire de l'objet. Renouvelez ensuite la demande.

Hope this helps.

Thanks.

Bruce B.


Gilly400   23625 pts.  |   Apr 1 2008  3:41PM GMT

Hi,

Maybe try changing

Profil utilisateur . . . . . . . . . . . . . . . : *USER

to *OWNER?

Regards,

Martin Gilbert.


Lovemyi   1455 pts.  |   Apr 2 2008  1:24PM GMT

Thanks, this would work for this one issue, but the entire system would almost need every program changed to accommodate this. The answer you provided in another question where the menu system used group jobs and when we change the first program in the call stack of the transferred job, it now works. Thanks everyone for your input.
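The rule Tom gives (a USEADPAUT(*NO) program higher in the stack stops adopted authority from reaching the programs below it) and the two fixes discussed in the thread (changing that program, or giving the failing program USRPRF(*OWNER) as Martin suggested) can be modelled in a few lines. The Python below is an added example, not code from the thread or from IBM. It assumes constructed names MENU and XFERPGM for the menu program and the first program of the transferred group job, a constructed job user CLERK, and *PUBLIC *EXCLUDE on FICTRAV/WOUB110 so that adoption alone decides the outcome (the thread reports *CHANGE on the real file); OUB111's attributes are the ones in the DSPPGM output above. It deliberately ignores group profiles, authorization lists, private *EXCLUDE overriding *PUBLIC, and the QUSEADPAUT system value.

```python
"""Simplified model of how IBM i adopted authority travels down a call stack.

Added example for this thread, not code from the forum or from IBM. It models
the two program attributes discussed here, USRPRF(*OWNER|*USER) and
USEADPAUT(*YES|*NO), plus *ALLOBJ special authority and a flat object
authority table. It does not model group profiles, authorization lists,
private *EXCLUDE overriding *PUBLIC, or the QUSEADPAUT system value.
"""
from dataclasses import dataclass, replace

# Ordering of the object authority levels used by the sample table.
AUTH_RANK = {"*EXCLUDE": 0, "*USE": 1, "*CHANGE": 2, "*ALL": 3}


@dataclass(frozen=True)
class Program:
    name: str
    owner: str
    usrprf: str      # "*OWNER": run with the owner's authority adopted; "*USER": no adoption
    useadpaut: str   # "*NO": ignore authority adopted by programs higher in the stack


@dataclass(frozen=True)
class System:
    allobj: frozenset   # profiles that hold *ALLOBJ special authority
    authorities: dict   # (object, profile) -> authority level, e.g. "*CHANGE"


def effective_profiles(stack, job_user):
    """For each call level, return the set of profiles whose authority applies there.

    Adoption by the program at level l is usable at level n >= l unless a program
    with USEADPAUT(*NO) sits at a level m with l < m <= n: that program and
    everything it calls stop using authority adopted above it, while its own
    adoption (if it is USRPRF(*OWNER)) still counts.
    """
    per_level = []
    barrier = None  # deepest USEADPAUT(*NO) level seen so far
    for level, pgm in enumerate(stack):
        if pgm.useadpaut == "*NO":
            barrier = level
        profiles = {job_user}
        for lvl in range(level + 1):
            adopter = stack[lvl]
            if adopter.usrprf == "*OWNER" and (barrier is None or lvl >= barrier):
                profiles.add(adopter.owner)
        per_level.append(frozenset(profiles))
    return per_level


def is_authorized(system, profiles, obj, needed):
    """True if any profile in effect grants at least `needed` authority to `obj`."""
    if profiles & system.allobj:
        return True
    best = max(AUTH_RANK[system.authorities.get((obj, p), "*EXCLUDE")]
               for p in profiles | {"*PUBLIC"})
    return best >= AUTH_RANK[needed]


def blocking_programs(stack):
    """Names of programs that block adopted authority from reaching their callees."""
    return [pgm.name for pgm in stack if pgm.useadpaut == "*NO"]


# --- constructed scenario modelled on the thread ---------------------------
# *PUBLIC *EXCLUDE is assumed here so that adoption alone decides the outcome.
SYSTEM = System(
    allobj=frozenset({"ADMIN"}),
    authorities={("FICTRAV/WOUB110", "*PUBLIC"): "*EXCLUDE"},
)

# MENU and XFERPGM are hypothetical names for the menu program and the first
# program of the transferred group job; OUB111 carries the attributes shown in
# the thread's DSPPGM output (owner ADMIN, USRPRF(*USER), USEADPAUT(*YES)).
STACK = [
    Program("MENU", "ADMIN", "*OWNER", "*YES"),
    Program("XFERPGM", "ADMIN", "*USER", "*NO"),
    Program("OUB111", "ADMIN", "*USER", "*YES"),
]

TARGET = "FICTRAV/WOUB110"


def run_scenario(stack, job_user="CLERK"):
    """(program name, authorized?) for an open of TARGET at every call level."""
    levels = effective_profiles(stack, job_user)
    return [(pgm.name, is_authorized(SYSTEM, prof, TARGET, "*CHANGE"))
            for pgm, prof in zip(stack, levels)]


def fix_call_stack(stack):
    """Tom's route: CHGPGM ... USEADPAUT(*YES) on every blocking program."""
    return [replace(p, useadpaut="*YES") if p.useadpaut == "*NO" else p for p in stack]


def fix_failing_program(stack):
    """Martin's route: CHGPGM ... USRPRF(*OWNER) on the program that opens the file."""
    return stack[:-1] + [replace(stack[-1], usrprf="*OWNER")]


if __name__ == "__main__":
    print("blocking:", blocking_programs(STACK))
    for label, s in [("as found", STACK),
                     ("USEADPAUT(*YES) on XFERPGM", fix_call_stack(STACK)),
                     ("USRPRF(*OWNER) on OUB111", fix_failing_program(STACK))]:
        print(label, run_scenario(s))
```

With the stack as found, only MENU is authorized; XFERPGM's USEADPAUT(*NO) strips ADMIN's adopted authority from itself and from OUB111 below it, which is the CPF2189 the thread shows even though OUB111 itself says USEADPAUT(*YES). Changing the one blocking program restores access at every level (the outcome the last comment reports), while setting USRPRF(*OWNER) on OUB111 fixes only that program and would have to be repeated for each program that opens a file. On a real system the inputs to this model come from DSPPGM on each program in the call stack, not only on the one that fails.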
