WRKDOMSVR

5 pts.
Tags:
AS/400
COMMANDS
IBM iSeries
Lotus Domino
Hi
  I have a User ,Who Supposed to run WRKDOMSVR Command on command line to see DPARs(Domino Servers) are active or not.here is the problem,He is able to run the command,but getting the DPARs status as *UNKNOWN.But when i log on with my ID(qsecofr),I'm able to see DPARs status as *STARTED.Where my Operator(User) not able to see.
I'm not sure what authority i need to provide to my user? and irrespective of his existing authorities i have to make him see the DPARs *STARTED/*ENDED status.
or
What authority /option i need to change on WRKDOMSVR command?
He shouldn't not get any other additional authority while satisifying the above request.
Please help me on this..Thank You!


Software/Hardware used:
V6R1,9117-MMA

Answer Wiki

Thanks. We'll let you know when a new response is added.

I tried DANs suggestion on test box….It is working perfectly after providing *USE authority on QUSRNOTES…but i’m bothering about the security of QUSRNOTES Production Library?

Discuss This Question: 20  Replies

 
There was an error processing your information. Please try again later.
Thanks. We'll let you know when a new response is added.
Send me notifications when members answer or reply to this question.

REGISTER or login:

Forgot Password?
By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy
  • TomLiotta
    I have no Domino servers, so no WRKDOMSVR command. I'd first suggest reviewing to full help for the command. Pay specific attention to any 'Restriction:' sections. Then I'd suggest looking for any entries in QAUDJRN that show up when the user attempts to use the command. You might see T/AF entries that point to specific objects, but other entries might hold clues. Of course, any joblog messages in the user's job should always be reviewed. Tom
    125,585 pointsBadges:
    report
  • philpl1jb
    You can create a short CL program which issues the required command Have QSECOFC compile the program with *OWNER authority. Give your user authority to run the program. When the user calls the program it will issue the command with QSECOFC authority .. However, that means that the user can probably do whatever is on that work screen. Is there a DSPDOMSVR command???? Phil
    51,365 pointsBadges:
    report
  • TomLiotta
    Phil's suggestion of using an adopted authority' program is the probable solution. Because it's Domino, though, a potential problem would be interaction with IFS objects. The IFS doesn't honor adopted authority. It's worth a try, though, with likely good results. Any obstacles would need investigation through your system audit journal and the user's joblog. Tom
    125,585 pointsBadges:
    report
  • qmaster
    To Tom: Basically my User don't get any authority failure.Because they are able to issue the command and see all ,except the status of the DPAR(Domino Servers).As i stated above,he can see as *UNKNOWN under status column,where they should be able to see as *STARTED/*ENDED.(Only thing is they don't have full authority) To Phil: We don't have DSPDOMSVR cmd badly... I remember couple of months back...i read some where in the forums,there is an option to give full authority on a particular CMD for a particular user..but i lost the track where i looked up..
    1,675 pointsBadges:
    report
  • philpl1jb
    "i read some where in the forums,there is an option to give full authority on a particular CMD for a particular user" That would probably be this suggestion: You can create a short CL program which issues the required command Have QSECOFC compile the program with *OWNER authority. Give your user authority to run the program. When the user calls the program it will issue the command with QSECOFC authority .. But as Tom said, this might not work security is different out around the IFS... Phil
    51,365 pointsBadges:
    report
  • qmaster
    Phil. Could you pls provide me the CL code for that?
    1,675 pointsBadges:
    report
  • DanTheDane
    I have four domino servers on my Power i. I suggest that you use the WRKACTJOB command, like this:
    WRKACTJOB OUTPUT(*)                                
              SBS(DOMINO01 DOMINO02 DOMINO03 DOMINO04) 
    
    I recommend this for two reasons: 1. propably easier for you to give you collegue access to the WRKACTJOB command. 2. your collegue will see if any messages are to be answered and other info that is presented by WRKACTJOB. DanF
    2,555 pointsBadges:
    report
  • philpl1jb
    The CL code would only contain the same command that you would issue from the command line. Qsecofr should compile the program - prompt it and set USER PROFILE (USRPRF) to *OWNER (this step could also be done with CHG Edtobjaut for the program and give your user run authority. Phil
    51,365 pointsBadges:
    report
  • TomLiotta
    Basically my User don’t get any authority failure.Because they are able to issue the command and see all ,except the status of the DPAR(Domino Servers). That's understood. Apparently, the command isn't throwing any authority messages. If T/AF entries exist, they would come internally when the command attempted to access the Domino objects. If it is in fact an authority problem, the command's internal programming would be notified of the failure and would display *UNKNOWN. Totally separate from that activity by the command, the fact that an authority problem happened would be logged as a T/AF entry in the system audit journal. There might be no indication of that in the user's job other than *UNKNOWN being displayed. Now, if no T/AF entries are logged in the audit journal, it would be because of two possibilities -- either your system is configured not to log authority failures or it's not an 'authority' problem. If it's an authority problem with that user (and your system logs authority failures), there will be T/AF entries. And if it's not an authority problem, then it's possibly a Domino configuration issue. Domino might need to be told that the user is approved to perform the action. If that's the case, then an adopted authority program still might not fix it. If the command is programmed explicitly to test the "job user", adopted authority won't help, just as it won't help with IFS authority issues. But that's beside the point that I was making. For clarification... If an adopted authority program works, then it's a reasonable solution -- at least in the short term and possibly long term. It can be risky, though. To know the actual long-term solution, you'll need to know if T/AF entries are logged. If they are, you'll need to know what objects or actions they refer to. If no such entries exist, then that might be useful info to others trying to help. ...my User don’t get any authority failure. So, are you saying that there are no T/AF entries (and you're logging authority failures)? Or are you saying that the WRKDOMSVR command doesn't issue any authority-related messages to the user? Those can be two very different things. Tom
    125,585 pointsBadges:
    report
  • DanD
    It may be that the user just needs *SERVICE *spcaut. That can be dangerous in itself but not if the user is not authorized to other service type commands. It seems like I've seen where a command that requires that special authority may not always throw an AF
    2,865 pointsBadges:
    report
  • DanTheDane
    From the online help-text of WRKDOMSVR :
    Restrictions:                                                        
      1.  To view the Domino server status the user profile must have    
          *USE object authority to the QUSRNOTES library.                
      2.  To run any option from the Work with Domino Servers panel, you 
          must have the authority that the underlying command requires.  
                                                                 
     For example, to run the option 5=Display console, you must  
     have the authorities required by the Display Domino Console 
     (DSPDOMCSL) command.
    
    I hope the above info can be of help to you. DanF
    2,555 pointsBadges:
    report
  • qmaster
    I'm looking for CL solution....i understood it is simple solution,but badly,my box don't have SEU,PDM available to write CL program. I'm Sure,there are already existing programs(CL) in the system,My idea is to copy any one of the CL program ,erase the code and write my code in it and execute it.? am i correct on this? But ,i dont know how to copy the existing program and what parameters need to pass on it ,Can any body help me on this?
    1,675 pointsBadges:
    report
  • philpl1jb
    Ok Assuming that you have Client access and can transfer to a library on the AS/400 Assuming that the library contains a source file (like QCLSRC) 1. Use note pad -- not word pad or Word to type your Source commands - save on your pc. 2. Use Client servier Transfer to System Browse to your PC file Library/File(Member) <-- cirremt library/QCLSRC(new member) Select details 1. Uncheck Use PC file Descirption 2. Create SYSTEM i Object - Yes, create member OK - Transfer -------------- Now you can use the CRTCLPGM command, identify the program and it's final desination library, the source file and its library F9 Change use profile to *OWNER Then you will want to use EDTOBJAUT to give the user authority to use the program. Phil
    51,365 pointsBadges:
    report
  • DanTheDane
    Qmaster, "...but i'm bothering about the security of QUSRNOTES Production Library?". Again from command-helptext (CHGOBJAUT):
    *USE                                  
        Allows access to the object       
        attributes and use of the object. 
        The user cannot change the object. 
    
    So do'nt bother.. DanF
    2,555 pointsBadges:
    report
  • DanTheDane
    ouups... no such command from IBM. I should have referenced cmd EDTOBJAUT in my previous entry. Sorry. DanF
    2,555 pointsBadges:
    report
  • TomLiotta
    … no such command from IBM. If programming is used to change authorities, the command would usually be GRTOBJAUT. When many objects will be changed in one operation, the CHGAUT command can be used with generic* names. CHGAUT doesn't use the same special values as EDTOBJAUT and GRTOBJAUT do, but the mapping between values is usually fairly obvious. For this particular question, EDTOBJAUT looks like a good fit. Tom
    125,585 pointsBadges:
    report
  • qmaster
    I tried to write the CL as you mentioned.. When i tried to send notepad with PGM WRKDOMSVR ENDPGM commands..got error..saying something wrong with Parameters Position. So i tried to send an empty notepad,it transferred fine.. Again,when i prompted CRTCLPGM..and passed the Program name as the one i desired(CLTEST)..it is saying likE below.. File QCLSR1 in library MYLIB with member CLTEST not found... What is wrong in it..?
    1,675 pointsBadges:
    report
  • philpl1jb
    So, what you're saying is you made the file in notepad You closed notepad You tried to upload it into MYLIB/QCLSR1(CLTEST) and you got commands..got error..saying something wrong with Parameters Position. could you be a little more specific. Phil
    51,365 pointsBadges:
    report
  • qmaster
    I was confused to mention(CLTEST) as member..I corrected and all the steps successfully completed. and I'm able to run the command like...CALL WRKDOMSVR.....getting screen wih info what i need.. Thanks a lot Phil,Dan and Tom..
    1,675 pointsBadges:
    report
  • TomLiotta
    One comment... There should be no need for Notepad and file uploads. You can use the EDTF command to enter command strings directly into a streamfile in the IFS. Then use CPYFRMSTMF to load the streamfile into a source member. Tom
    125,585 pointsBadges:
    report

Forgot Password

No problem! Submit your e-mail address below. We'll send you an e-mail containing your password.

Your password has been sent to:

To follow this tag...

There was an error processing your information. Please try again later.

REGISTER or login:

Forgot Password?
By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy

Thanks! We'll email you when relevant content is added and updated.

Following