Query400 authorizations

100 pts.
Tags:
AS/400 Authorization List
AS/400 Query
AS/400 Query Security
Query/400
We have used a generic user ID for our support persons to sign on to a data center. Due to audit requirements we were forced to elimiate the Generic User. Many queries were created over the years for customers and were saved with *CHANGE auhority instead of *ALL. Now that the generic user is no longer capable of interactive sign on, all queries owned by that ID saved without *ALL authority cannot be saved after modification by other user IDs. What would be suggested to alter existing queries from *CHANGE to *ALL owned by a user that is no longer available.

Software/Hardware used:
iOS V6.1, 5761-QU1

Answer Wiki

Thanks. We'll let you know when a new response is added.

Will you be having any other user IDs which are having access to all objects(similar like Admin logins). If so, you may have access to change the Authority of the objects under that Generic user.
If you dont have any option like Admin logins, I guess, you will need to request Audit team for enabling the Generic user ID which Support guys are using atleast for changing the Authorities of the Objects.
I hope, first option is quite possible.

Pradeep.

Discuss This Question: 8  Replies

 
There was an error processing your information. Please try again later.
Thanks. We'll let you know when a new response is added.
Send me notifications when members answer or reply to this question.

REGISTER or login:

Forgot Password?
By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy
  • TomLiotta
    ...owned by a user that is no longer available. It's not clear why the user is not available. It is clear why the Generic User can no longer be used by general users to sign on to the system, but that shouldn't be reason to delete that Generic User profile. Aside from that, this is another reason why the Query product is unsuitable. One underlying problem is that you might be using the wrong product for an audited environment. Change to QM queries and make them flexible to eliminate the need to change them. If the environment must be audited, users shouldn't be changing queries that will be run by other (unsuspecting) users. Nor should queries be created when the internals of the queries themselves cannot effectively be audited. Since users shouldn't be changing and saving those queries, the task should be assigned to a 'query administrator' who has the authority to set an appropriate owner or an appropriate authority on the query that allows it to be run by others. Tom .
    125,585 pointsBadges:
    report
  • TomLiotta
    ...for our support persons to sign on to a data center. If these are 'support' users, then they should definitely have their own user IDs. Change the ownership of those queries to a profile named SUPPORT (or a similar name). Make the support users be a member of that group and set their profiles as OWNER(*GRPPRF). Objects created by those profiles will be owned by SUPPORT (or whatever group you create). Tom
    125,585 pointsBadges:
    report
  • Kellyd
    The Generic ID exists on a data center, has been set to password *none to allow use by jobs. The queries were created for the end user, it is thier responsibility to control who can change them. Our Support users are already set to a group profile, sounds like the simplest solution is to change the query ownership to the support group, then have support change to *all to allow end users to change them. The end users are restricted to menu only, so only those who have been authorized to query options are able to make changes. I fully agree with using QM, but, getting both support and end users to buy into that is another matter entirely. Thanks, for your imput, much appreciated
    100 pointsBadges:
    report
  • TomLiotta
    Okay, it's a little more clear, I think. Support creates the queries initially, but end users then take them over to change as they wish? Also, any queries changed by end users should remain available to all end users? Tom
    125,585 pointsBadges:
    report
  • Kellyd
    Yes, the end user will request a general query template. They will then change sort fields or select criteria, etc. to produce the desired results. Currently they have to recreate the queries, and save with *all. Was wondering if there was a way to change all queries to permisions *all without having to recreate them.
    100 pointsBadges:
    report
  • wpoulin
    Kellyd, Look at the command Grant Object Authority, GRTOBJAUT. This should allow you to change the authority on your queries. Hope this helps, Bill Poulin
    2,480 pointsBadges:
    report
  • TomLiotta
    Are there many end users who should not have access to those queries? Tom
    125,585 pointsBadges:
    report
  • Kellyd
    Thanks for the responses, been on the road. The authority of who have the change capabilites is handled by a internal menu security system. No users have command line access, WRKQRY or other commands are restricted to menu option authorization. So the answer to Are there many end users who should not have access to those queries? is No, the query object authorization doesn't matter.
    100 pointsBadges:
    report

Forgot Password

No problem! Submit your e-mail address below. We'll send you an e-mail containing your password.

Your password has been sent to:

To follow this tag...

There was an error processing your information. Please try again later.

REGISTER or login:

Forgot Password?
By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy

Thanks! We'll email you when relevant content is added and updated.

Following