 Resolving group profile and user profile in iSeries folder
We encountered a problem during our end of day batch processing. By the way, to give a short background, we have an i-series model 820 running on V5R3 OS. Going back, during our end of day batch, there was an error with the details "Not authorized to access document LMAS0513.TXT in folder LNDOWN". The immediate remedy we applied was to use WRKFLR, then do option 14 (authority) on LNDOWN, then enroll the group profile (i.e. COUGRP) where the ID (i.e. I851S002) running the end of day batch belongs. ID I851S002 was already previously enrolled with *ALL authority. When COUGRP was enrolled, it was given *ALL authority level to LNDOWN. When the error was replied to with R (RETRY), the same error appeared as mentioned above. Since this could not be resolved, we just returned back to the original setting of ID I851S002, which has the *ALLOBJ special authority. Our objective here is to remove the *ALLOBJ from the operator ID (I851S002) and link this to a group profile (COUGRP) having the special authorities *IOSYSCFG, *SPLCTL, JOBCTL, and *SAVSYS. Our system auditor wants the *ALLOBJ deactivated from all operator IDs. We have also changed the special authority of the operator ID to *NONE since it is linked to the group profile (COUGRP). So, can you give me technical advice in addressing this authorization issue on folder LNDOWN, given that group profile COUGRP and operator ID I851S002 have *ALL authority level? Thanks.

Software/Hardware used:
i-series model 820 OS V5R3
ASKED: May 18, 2011  9:51 AM
UPDATED: May 23, 2011  10:28 AM

Answer Wiki:
If you want to remove the *ALLOBJ from the operator's ID, I think the solution is to create an ID for batching purposes only. I agree with HMSSL2K: "explain why they need it and send it to them in an email".

Sir: The operator's ID we have here already has the *ALLOBJ special authority, which was designed to run our end of day batch, but the external audit team that the company hired wants this removed. Our Security Admin Unit already explained to them why the operator IDs need this *ALLOBJ, but the audit team still insists on removing this since, in their view, this poses a risk to the company. Creating another ID, even if it is intended for batch processing, with *ALLOBJ authority will still be scrutinized by the external system audit team.
Last Wiki Answer Submitted:  May 20, 2011  7:14 am  by  c007   285 pts.


Discuss This Question:

I have PDC/OPS user IDs that need *ALLOBJ just to run/submit their jobs throughout the day & night. When I was asked by our auditors, OCC & internal, about *ALLOBJ, all I needed to do was to explain why they need it and send it to them in an email. They were fine with that. The auditors make suggestions as to what they have been trained on. If you can explain it to them they are usually fine with it. The company I work for is a bank.

 3,175 pts.

 

I’m guessing that the message ID was CPF8A83; you didn’t say what it was.

Can you tell us what function was being attempted against the document? Is LNDOWN the top-level folder?

The process would probably be much easier if folders and documents were not used. If the folders could be copied out of /QDLS and into a directory in the /root file system, these issues would be much easier to handle. The /QDLS file system should have been abandoned a decade or more ago.

Tom

 107,905 pts.

 

Yeah, I’m working in a bank and the external auditing team hired by the bank requires that the *ALLOBJ be removed from the operator ID’s special authority because they consider it a risk for the bank. As to the message ID sir, it is “IWS1612” and when I check this using “WRKMSGF MSGF(QCPFMSG)”, this message ID is not there. I checked on “CPF8A83” and this refers to “Not authorized to access document &2 in folder &1”, but the operator ID and the group profile have been granted *ALL in folder LNDOWN, so I guess that this doesn’t apply. Sir, when you asked “Is LNDOWN the top-level folder?”, it’s just one of the folders in QDLS, where this folder contains text files related to Loans which are extracted after the end of day batch and inputted in one of our GL Windows applications. If the operator ID is tagged with *ALLOBJ special authority, it can update the text files here, but when the *ALLOBJ is removed, the error occurs. We thought beforehand that if you grant *ALL to the group profile COUGRP in folder LNDOWN, this is sufficient to enable the operator ID with group profile COUGRP to update the text files in LNDOWN. It’s an important folder since the text files in here are updated every time the end of day batch is processed. Sir, our online banking system is designed to utilize the folders in QDLS, so the folders here have different functions, but to sum up the folder functions, they serve as a “cache basin” of text files covering reports, text file data for extraction to other Windows applications, etc. So with this situation, how do I resolve again the error “Not authorized to access document LMAS0513.TXT in folder LNDOWN”? Thanks.

 370 pts.

 

As to the message id sir, it is “IWS1612”…

Message ID IWS1612 would come from message file QIWSMSG in QSYS. But the basic text of IWS1612 is “Member &1 not copied to PC document.” The secondary text has related info.

I suspect that IWS1612 was actually the final message that indicated that the function didn’t work, and that message ID CPF8A83 was sent first as an explanation of why IWS1612 was being signalled. But that’s probably irrelevant now.

The fact that this is an ‘IWS’ message is possibly taking us closer.

Please run DSPAUTL QPWFSERVER and tell us what users have what authorities. There might be a temporary way around your problem. (Maybe.)

It’s potentially temporary because the procedures are using functions that are on the verge of complete obsolescence. Any future version of Windows, for example, or even a Windows update, could make this stop working altogether. The network protocols don’t support this old DOS file system very well.

Tom

 107,905 pts.

 

Sir:

“Please run DSPAUTL QPWFSERVER……”

                           Display Authorization List

 Object . . . . . . . :   QPWFSERVER      Owner  . . . . . . . :   QSYS
   Library  . . . . . :     QSYS          Primary group  . . . :   *NONE

             Object      List    -----------Object-----------
 User        Authority   Mgt     Opr   Mgt   Exist  Alter  Ref
 *PUBLIC     *USE                 X
 QSYS        *ALL         X       X     X      X      X     X
 COUGRP      *ALL                 X     X      X      X     X

                           Display Authorization List

 Object . . . . . . . :   QPWFSERVER      Owner  . . . . . . . :   QSYS
   Library  . . . . . :     QSYS          Primary group  . . . :   *NONE

             Object      ---------------Data---------------
 User        Authority   Read  Add  Update  Delete  Execute
 *PUBLIC     *USE         X                            X
 QSYS        *ALL         X     X     X       X        X
 COUGRP      *ALL         X     X     X       X        X

So sir, as you can see in my included DSPAUTL QPWFSERVER, COUGRP really has all the level of authority. So, is there a workaround in dealing with the error “Not authorized to access document LMAS0513.TXT in folder LNDOWN.” Thanks.

 370 pts.

 

as you can see in my included DSPAUTL QPWFSERVER, COUGRP really has all the level of authority.

Now, can you show the authority assignments for the LNDOWN folder? Please use this command:

DSPDLOAUT DLO(LNDOWN)

The first screen will show us the basic authority structure. Then press F13=‘Display authorized users’ and also show us the list from that screen.

Those two screens should give us the complete picture.

Tom

 107,905 pts.

 

“…….DSPDLOAUT DLO(LNDOWN)”

                            Display Authorized Users                            
                                                                                
 Folder . . . . . . . . . . . . :   LNDOWN                                      
   In folder  . . . . . . . . . :     *NONE                                     
                                                                                
                                                                                
 User        Group       Authority        User        Group       Authority     
 I851S099                    *ALL                                                   
 I851S005                    *ALL                                                   
 COUGRP                    *ALL                                                   
 I851S009                   *ALL                                                   
 I851S003                   *ALL                                                   
 I851S002                   *ALL                                                   

Sir, I was already able to solve this error “Not authorized to access document LMAS0513.TXT in folder LNDOWN.” The text file LMAS0513.TXT was generated previously last year with a different group profile authority, and when it was regenerated last May 13, it didn't allow the operator ID because it was replaced with a new group profile (COUGRP). To resolve this, the next text files (ex. LMAS0514.TXT) were removed from the LNDOWN folder prior to the end of day batch, and during the end of day batch processing it just generated the text file. No more error message, just a simple clean up of similarly named text files and bingo, the error disappeared. Thanks for the advice you shared here; because of it, I was able to come up with the idea of doing a clean up in the QDLS folder.

 370 pts.
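
The resolution above turns on each document in a QDLS folder carrying its own authority, separate from the folder's, so *ALL on LNDOWN does not by itself cover a document created earlier under another profile. As an added example (not part of the thread), the CL below checks the document's own authority and grants the group profile authority to the documents already in the folder; it assumes the commands are run by the documents' owner or a profile that already has sufficient authority to them, and that *ALL for COUGRP on every document in LNDOWN is acceptable.

```cl
/* Added example, not from the thread. Folder, document and profile    */
/* names are the ones quoted in the posts above.                       */

/* 1. Show who is authorized to the existing document itself.          */
/*    DSPDLOAUT DLO(LNDOWN) only reports the folder's authority.       */
DSPDLOAUT  DLO('LMAS0513.TXT') FLR(LNDOWN)

/* 2. Grant the group profile authority to the documents already in    */
/*    the folder (assumption: *ALL on all of them is acceptable).      */
CHGDLOAUT  DLO(*ALL) FLR(LNDOWN) USRAUT((COUGRP *ALL))

/* 3. Re-check the document before retrying the batch step; COUGRP     */
/*    should now appear in the document's list of authorized users.    */
DSPDLOAUT  DLO('LMAS0513.TXT') FLR(LNDOWN)
```

Running step 1 against the failing document before changing anything also records which profile owned it, which is the evidence an auditor would ask for when *ALLOBJ is being removed from operator IDs.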