We are still running V5R4, and I'm currently wrestling with securing objects in /Root of the IFS.
Objects are required to be read only in normal circumstances.
An application allows a user to copy the object (document) and removes the read-only attribute from the object using CHMOD called from RPGLE, and CHGAUT.
The problem is that objects should be held as read only. A user may amend one by copying it as above, which is fine. When they come to replace it (after suitable veracity checks etc.) the IFS has no concept of 'rename', so the user needs enough authority to delete the original. The changed copy is then copied to become the 'original' and generally cleared up. (In fact, the 'original' is also copied and date stamped as 'replaced'.)
Did I mention that we have AUTL security on these directories!
So - the problem becomes that of constructing directory ownerships and user AUTL authorities such that a user can be restrained from deleting a production object - except when we want to allow them.
In QSYS.lib this is easy to accomplish by running a pgm with *ADOPT authority for the delete operation, but again, this concept doesn't apply to the IFS.
I'm wondering about changing CURUSER on the fly, but I'd be interested to hear any more experiences/opinions. Our 20 years of good solid documentation and Redbooks for i5/OS isn't matched for IFS topics.