 Changing authority to access /qntc files
Hello.

I have written an RPG/IV program that allows users to maintain certain network PC files from a greenscreen. It uses the /qntc file system to access those PC files. The problem I ran across is: unless the i5 userid and password are identical to the network userid and password, the program is unable to see the files.

I tried compiling as usrprf(*owner) with a profile whose userid and password are the same on both i5 and network, but that didn't seem to have any effect.

I'm looking for an API or APIs to change the authority the program runs under to a userid/password that has access to those network PC files, and am extremely confused. I see "set job user identity" APIs, "set profile handle" APIs, "set user profile" APIs, "profile token" APIs... and can't tell by their descriptions what I should use.

I'd greatly appreciate a nudge in the right direction.

Thanks!!

Rick Metzger

DTR Industries, Inc.



Software/Hardware used:
i5os v5r4, rpgile
ASKED: August 23, 2010  2:26 PM
UPDATED: October 22, 2010  9:45 PM

Answer Wiki:
"I tried compiling as usrprf(*owner) with a profile whose userid and password are the same on both i5 and network, but that didn't seem to have any effect."

The IFS access methods do not honor adopted authority. The file systems have no concept of 'adopted authority'.

"I see "set job user identity" APIs, "set profile handle" APIs, "set user profile" APIs, "profile token" APIs... and can't tell by their descriptions what I should use."

If the program can't run under users who have matching profiles/passwords, the simplest route is to go with the Set Profile Handle (QWTSETP, QsySetToProfileHandle) API (http://publib.boulder.ibm.com/infocenter/iseries/v5r4/index.jsp?topic=/apis/QWTSETP.htm) and the related APIs. The API will change the job's 'current user' until you set it back to the original user.

If you need basic examples, I can supply them. The 'profile handle' APIs are pretty simple, but there might be a couple confusions.

Tom
Last Wiki Answer Submitted:  August 24, 2010  6:55 am  by  TomLiotta   108,330 pts.
All Answer Wiki Contributors:  TomLiotta   108,330 pts.


Discuss This Question:


 

So you have verified with a valid user profile that you can see the network/server via QNTC using wrklnk ‘qntc/yourserver’ from a command line?

 5,665 pts.

 

Tom, the “get/set/release profile handle” APIs worked perfectly. Thank you for clearing that up for me!

whatis23, I didn’t notice your post until just now. In answer to your question, yes, I did verify that a user with proper rights and the same i5 and network userid and password could see the files in qntc. As you can see from my note to Tom, the APIs he recommended worked just like he said they would. Having said that, thanks for the idea anyway. Sorry I didn’t notice it sooner.

Rick

 110 pts.

 

Rick:

As long as you maintain a profile that can be (temporarily) switched to and then released back to the original user, and it’s a matching profile/password for /QNTC, then it should be fairly easy to create a SwitchTo module and a SwitchBack module. Put those into a *SRVPGM compiled as USRPRF(*OWNER) and have it owned by a profile with enough authority to allow the switches in both directions.

The owning profile can’t supply adopted authority for the /QNTC work, but it can supply authority from the profile-handle APIs. In cases where your /QNTC profile might not have authority to switch back to the original job user, the *OWNER profile should make it possible.

The *SRVPGM can then be used in many ways. It might switch to different profiles for different purposes.

Tom

 108,330 pts.
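The get/set/release profile handle sequence discussed above, sketched in CL as an added example (not code posted by anyone in this thread). QNTCSWAP and MAINTPGM are hypothetical names, the SwitchTo and SwitchBack steps are folded into one program, and the caller is assumed to pass the password and its length rather than having them hardcoded:

```cl
/* QNTCSWAP (hypothetical): run MAINTPGM (hypothetical) under a      */
/* profile that matches the network account, then switch back.       */
PGM        PARM(&USER &PWD &PWDLEN)
  DCL      VAR(&USER)    TYPE(*CHAR) LEN(10)  /* profile to switch to */
  DCL      VAR(&PWD)     TYPE(*CHAR) LEN(128) /* password from caller */
  DCL      VAR(&PWDLEN)  TYPE(*INT)  LEN(4)   /* bytes used in &PWD   */
  DCL      VAR(&CCSID)   TYPE(*INT)  LEN(4) VALUE(0) /* 0 = job CCSID */
  /* Error code with 0 bytes provided: API errors arrive as escapes  */
  DCL      VAR(&ERRCODE) TYPE(*CHAR) LEN(8) +
             VALUE(X'0000000000000000')
  DCL      VAR(&ORIGHDL) TYPE(*CHAR) LEN(12)
  DCL      VAR(&NEWHDL)  TYPE(*CHAR) LEN(12)
  DCL      VAR(&FAILED)  TYPE(*LGL)  VALUE('0')

  /* Handle for the user the job runs under now, for the switch back */
  CALL     PGM(QSYGETPH) PARM('*CURRENT' '*NOPWD' &ORIGHDL)

  /* Handle for the target profile; the password is checked here     */
  CALL     PGM(QSYGETPH) +
             PARM(&USER &PWD &NEWHDL &ERRCODE &PWDLEN &CCSID)
  MONMSG   MSGID(CPF0000) EXEC(DO)
    CALL   PGM(QSYRLSPH) PARM(&ORIGHDL)
    SNDPGMMSG MSGID(CPF9898) MSGF(QCPFMSG) MSGTYPE(*ESCAPE) +
             MSGDTA('Could not get handle for target profile')
  ENDDO

  /* SwitchTo: the job's current user becomes &USER                  */
  CALL     PGM(QWTSETP) PARM(&NEWHDL)
  MONMSG   MSGID(CPF0000) EXEC(DO)
    CHGVAR VAR(&FAILED) VALUE('1')
    GOTO   CMDLBL(RELEASE)
  ENDDO

  /* The /QNTC work runs here; trap failures so we still switch back */
  CALL     PGM(MAINTPGM)
  MONMSG   MSGID(CPF0000 MCH0000) EXEC(CHGVAR VAR(&FAILED) VALUE('1'))

  /* SwitchBack: restore the original user before anything else      */
  CALL     PGM(QWTSETP) PARM(&ORIGHDL)

RELEASE:
  /* Handles are a limited job resource; release both                */
  CALL     PGM(QSYRLSPH) PARM(&NEWHDL)
  CALL     PGM(QSYRLSPH) PARM(&ORIGHDL)
  IF       COND(&FAILED) THEN(SNDPGMMSG MSGID(CPF9898) +
             MSGF(QCPFMSG) MSGTYPE(*ESCAPE) +
             MSGDTA('Work under switched profile failed'))
ENDPGM
```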

 

I had the same issue. Adopted authority or compiling to the owner does not do it. I resolved it by using the “User” keyword to indicate what user profile to use on the submit job command (sbmjob). The user profile and password must be the same on the Microsoft Active Directory. You must have rights to use the profile. Works great.

 35 pts.