Resolving group profile and user profile in iSeries folder

Tags: Batch jobs, GPRPRF, iSeries, USRPRF, V5R3, WRKFLR
We encountered a problem during our end of day batch processing. By the way, to give a short background, we have an i-series model 820 running on V5R3 OS. Going back, during our end of day batch, there was an error with the details "Not authorized to access document LMAS0513.TXT in folder LNDOWN". The immediate remedy we applied was to use WRKFLR, then do option 14 (authority) on LNDOWN, then enroll the group profile (i.e. COUGRP) where the ID (i.e. I851S002) running the end of day batch belongs. ID I851S002 was already previously enrolled with *ALL authority. When COUGRP was enrolled, this was given *ALL authority level to LNDOWN. When the error was replied to with R (RETRY), the same error appeared as mentioned above. Since this could not be resolved, we just returned to the original setting of ID I851S002, which has the *ALLOBJ special authority.

Our objective here is to remove the *ALLOBJ from the operator ID (I851S002) and link this to a group profile (COUGRP) having the special authority *IOSYSCFG, *SPLCTL, JOBCTL, and *SAVSYS. Our system auditor wants the *ALLOBJ deactivated from all operator IDs. We have also changed the special authority of the operator ID to *NONE since it is linked to the group profile (COUGRP). So, can you give me technical advice in addressing this authorization issue on folder LNDOWN, given that group profile COUGRP and operator ID I851S002 have *ALL authority level? Thanks.

Software/Hardware used:
i-series model 820 OS V5R3
ASKED: May 18, 2011  9:51 AM
UPDATED: May 23, 2011  10:28 AM

Answer Wiki


If you want to remove the *ALLOBJ from the operator's ID, I think the solution is to create an ID for batching purposes only.

I agree with HMSSL2K: "explain why they need it and send it to them in an email".

Sir:
The operator's ID we have here already has the *ALLOBJ special authority, which was designed to run our end of day batch, but the external audit team that the company hired wants this removed. Our Security Admin Unit already explained to them why the operator IDs need this *ALLOBJ, but the audit team still insists on removing this since, in their view, this poses a risk to the company. Creating another ID, even if it is intended for batch processing with *ALLOBJ authority, will still be scrutinized by the external system audit team.

Discuss This Question: 7  Replies

  • HMSSL2K
    I have PDC/OPS user IDs that need *ALLOBJ just to run/submit their jobs throughout the day and night. When I was asked by our auditors, OCC and internal, about *ALLOBJ, all I needed to do was to explain why they need it and send it to them in an email. They were fine with that. The auditors make suggestions as to what they have been trained on. If you can explain it to them they are usually fine with it. The company I work for is a bank.
  • TomLiotta
    I'm guessing that the message ID was CPF8A83; you didn't say what it was. Can you tell us what function was being attempted against the document? Is LNDOWN the top-level folder? The process would probably be much easier if folders and documents were not used. If the folders could be copied out of /QDLS and into a directory in the /root file system, these issues would be much easier to handle. The /QDLS file system should have been abandoned a decade or more ago. Tom
  • danmd5systemad
    Yeah, I'm working in a bank and the external auditing team hired by the bank requires that the *ALLOBJ be removed from the operator ID's special authority because they consider it a risk for the bank. As to the message ID sir, it is "IWS1612", and when I check this using "WRKMSGF MSGF(QCPFMSG)", this message ID is not there. I checked on "CPF8A83" and this refers to "Not authorized to access document &2 in folder &1", but the operator ID and the group profile have been granted *ALL in folder LNDOWN, so I guess that this doesn't apply.

    Sir, when you asked "Is LNDOWN the top-level folder?", it's just one of the folders in QDLS, where this folder contains text files related to Loans which are extracted after the end of day batch and inputted in one of our GL Windows applications. If the operator ID is tagged with *ALLOBJ special authority, it can update the text files here, but when the *ALLOBJ is removed, the error occurs. We thought beforehand that if you grant *ALL to the group profile COUGRP in folder LNDOWN, this is sufficient to enable the operator ID with group profile COUGRP to update the text files in LNDOWN. It's an important folder since the text files in here are updated every time the end of day batch is processed.

    Sir, our online banking system is designed to utilize the folders in QDLS, so the folders here have different functions, but to sum up the folder functions, they serve as a "cache basin" of text files covering reports, text file data for extraction to other Windows applications, etc. So with this situation, how do I resolve the error "Not authorized to access document LMAS0513.TXT in folder LNDOWN"? Thanks.
  • TomLiotta
    "As to the message id sir, it is “IWS1612”..."

    Message ID IWS1612 would come from message file QIWSMSG in QSYS. But the basic text of IWS1612 is "Member &1 not copied to PC document." The secondary text has related info. I suspect that IWS1612 was actually the final message that indicated that the function didn't work, and that message ID CPF8A83 was sent first as an explanation of why IWS1612 was being signalled. But that's probably irrelevant now.

    The fact that this is an 'IWS' message is possibly taking us closer. Please run DSPAUTL QPWFSERVER and tell us what users have what authorities. There might be a temporary way around your problem. (Maybe.) It's potentially temporary because the procedures are using functions that are on the verge of complete obsolescence. Any future version of Windows, for example, or even a Windows update, could make this stop working altogether. The network protocols don't support this old DOS file system very well.

    Tom
  • danmd5systemad
    Sir: "Please run DSPAUTL QPWFSERVER......"

                              Display Authorization List

     Object . . . . . . . :   QPWFSERVER     Owner . . . . . . . :   QSYS
       Library . . . . . :     QSYS          Primary group . . . :   *NONE

                 Object     List   ----------Object-----------
     User        Authority  Mgt    Opr   Mgt   Exist  Alter  Ref
     *PUBLIC     *USE              X
     QSYS        *ALL       X      X     X     X      X      X
     COUGRP      *ALL              X     X     X      X      X

                              Display Authorization List

     Object . . . . . . . :   QPWFSERVER     Owner . . . . . . . :   QSYS
       Library . . . . . :     QSYS          Primary group . . . :   *NONE

                 Object     ---------------Data---------------
     User        Authority  Read   Add   Update  Delete  Execute
     *PUBLIC     *USE       X                            X
     QSYS        *ALL       X      X     X       X       X
     COUGRP      *ALL       X      X     X       X       X

    So sir, as you can see in my included DSPAUTL QPWFSERVER, COUGRP really has all the level of authority. So, is there a workaround in dealing with the error “Not authorized to access document LMAS0513.TXT in folder LNDOWN.” Thanks.
  • TomLiotta
    "as you can see in my included DSPAUTL QPWFSERVER, COUGRP really has all the level of authority."

    Now, can you show the authority assignments for the LNDOWN folder? Please use this command:
    DSPDLOAUT DLO(LNDOWN)
    The first screen will show us the basic authority structure. Then press F13='Display authorized users' and also show us the list from that screen. Those two screens should give us the complete picture.

    Tom
  • danmd5systemad
    ".......DSPDLOAUT DLO(LNDOWN)"
                                Display Authorized Users                            
                                                                                    
     Folder . . . . . . . . . . . . :   LNDOWN                                      
       In folder  . . . . . . . . . :     *NONE                                     
                                                                                    
                                                                                    
     User        Group       Authority        User        Group       Authority
     I851S099                *ALL
     I851S005                *ALL
     COUGRP                  *ALL
     I851S009                *ALL
     I851S003                *ALL
     I851S002                *ALL
    
    Sir, I was already able to solve this error “Not authorized to access document LMAS0513.TXT in folder LNDOWN.” The text file LMAS0513.TXT was generated previously last year with a different group profile authority, and when it was regenerated last May 13, it didn't allow the operator ID because it was replaced with a new group profile (COUGRP). To resolve this, the next text files (ex. LMAS0514.TXT) were removed from the LNDOWN folder prior to the end of day batch, and during the end of day batch processing it just generated the text file. No more error message, just a simple clean up of similarly named text files and bingo, the error disappeared. Thanks for the advice you shared here; because of it, I was able to come up with the idea of doing a clean up in the QDLS folder.
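
The resolution in the last reply points at authority held on the individual document rather than on the folder. As an added example (not part of the thread), the CL commands below inspect the document itself and grant the group profile authority to it without restoring *ALLOBJ; they use the folder, document, group and user names from the question and assume COUGRP is not yet listed on the documents.

```cl
/* Added example, not from the thread. Names are those in the question. */

/* 1. Folder-level view: this is what the thread displayed.             */
DSPDLOAUT DLO(LNDOWN)

/* 2. Document-level view: each document in QDLS carries its own owner  */
/*    and authorized-user list, separate from the folder's list.        */
DSPDLOAUT DLO(LMAS0513.TXT) FLR(LNDOWN)

/* 3. Add the group profile to the one document that failed ...         */
ADDDLOAUT DLO(LMAS0513.TXT) FLR(LNDOWN) USRAUT((COUGRP *ALL))

/* 4. ... or to every document already in the folder.                   */
ADDDLOAUT DLO(*ALL) FLR(LNDOWN) USRAUT((COUGRP *ALL))

/* 5. Confirm the operator ID's special authorities and group profile.  */
DSPUSRPRF USRPRF(I851S002)
```

Run the ADDDLOAUT steps as the document owner or a security officer, since changing a document's authority requires *ALL authority to it or ownership of it.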
