AUTL security over IFS objects conundrum

Tags:
AS/400
IFS
Security
We are still running V5r4, and I'm currently wrestling with securing objects in /Root of the IFS.

Objects are required to be read only in normal circumstances.

An application allows a user to copy the object (document) and removes the read-only attribute from the object using CHMOD called from RPGLE, and CHGAUT.

The problem is that objects should be held as read only. A user may amend one by copying it as above, which is fine. When they come to replace it (after suitable veracity checks etc.) the IFS has no concept of 'rename', so the user needs enough authority to delete the original. The changed copy is then copied to become the 'original' and generally cleared up. (In fact, the 'original' is also copied and date stamped as 'replaced'.)

Did I mention that we have AUTL security on these directories!

 

So - the problem becomes that of constructing directory ownerships and user AUTL authorities such that a user can be restrained from deleting a production object - except when we want to allow them.

In QSYS.lib this is easy to accomplish by running a pgm with *ADOPT authority for the delete operation, but again, this concept doesn't apply to the IFS.

 

I'm wondering about changing CURUSER on the fly, but I'd be interested to hear any more experiences/opinions. Our 20 years of good solid documentation and redbooks for i5/OS isn't matched for IFS topics.

Software/Hardware used:
i5/OS v5r4m0


Discuss This Question: 2  Replies

 
  • TomLiotta
    "I'm wondering about changing CURUSER on the fly, but I'd be interested to hear any more experiences/opinions."
    Although the profile switching will work, it should be used only in more controlled situations. What you need to be looking at first is qsysetegid()--Set Effective Group ID. The sequence could use four API calls:
    1. getegid()--Get Effective Group ID
    2. getgrnam()--Get Group Information Using Group Name
    3. qsysetegid()--Set Effective Group ID
    4. qsysetegid()--Set Effective Group ID
    Basically, you first get the effective group of the current job and save it for later use. Then you get the GID of some profile that will supply the authority. Next, set the effective group to the desired GID and do some work. Finally, return the GID back to the one that you saved earlier.
    Tom
  • Yorkshireman
    That sounds like a more effective solution, Tom. I'll build some code. Many thanks - I'll report in with results.
