IFS Authority for symbolic links

Tags: IFS, iSeries, Security

I have a problem with IFS security: I’m allowing users to create symbolic links to IFS files which they then cannot remove.

I try to use CHGAUT on the link after creating it so the user has sufficient authority, but this does not work. I am guessing this is because if you create a symbolic link you are not the owner of it; it is owned by the owner of the linked-to object. If my assumption is correct then I can’t see a way around the problem.

Anyway, the details are as follows. We have a batch process run by ROBOTUSR that converts output to IFS files. The file authority looks like this:

                                                                             
Object . . . . . . . . . . . . :   /STELLENT/ROBOTRPT/ARCHIVE/1611/S1886620 >
Type . . . . . . . . . . . . . :   STMF                                      
Owner  . . . . . . . . . . . . :   ROBOTUSR                                  
Primary group  . . . . . . . . :   *NONE                                     
Authorization list . . . . . . :   GTPSIFS                                   
                                                                             
Type options, press Enter.                                                   
  1=Add user   2=Change user authority   4=Remove user                       
                                                                             
                   Data     --Object Authorities--                           
Opt  User        Authority  Exist  Mgt  Alter  Ref                           
                                                                             
     *PUBLIC     *RWX         X     X     X     X                            
     ROBOTUSR    *RWX         X     X     X     X

The object authorities are all ‘X’ too; the authorization list also gives everyone maximum authority. So the file remains in an archive. If a user wants to view or email it, his program first creates a link to it with a longer file name that will be unique on the target system. The link will look something like this:

  5800 - ADDLNK OBJ('/STELLENT/ROBOTRPT/ARCHIVE/1611/S1886620.pdf')      
  NEWLNK('/GTPSIFS/DOCLNK/6982850004239492.pdf')                         
Link added.  

But after creating it the user cannot give himself authority…. 

  5900 - CHGAUT OBJ('/GTPSIFS/DOCLNK/6982850004239492.pdf') USER(TMCNEIL)
  OBJAUT(*ALL)                                                           
Requested operation not allowed.  Access problem.

And of course it then can’t be removed….

  7800 - RMVLNK OBJLNK('/GTPSIFS/DOCLNK/6982850004239492.pdf')            
Not authorized to object.  Object is /GTPSIFS/DOCLNK/6982850004239492.pdf.

The authority of the link looks like this….

                             Work with Authority                        
                                                                        
Object . . . . . . . . . . . . :   /GTPSIFS/DOCLNK/6982850004239492.pdf 
Type . . . . . . . . . . . . . :   STMF                                 
Owner  . . . . . . . . . . . . :   ROBOTUSR                             
Primary group  . . . . . . . . :   *NONE                                
Authorization list . . . . . . :   GTPSIFS                              
                                                                        
Type options, press Enter.                                              
  1=Add user   2=Change user authority   4=Remove user                  
                                                                        
                   Data     --Object Authorities--                      
Opt  User        Authority  Exist  Mgt  Alter  Ref                      
                                                                        
     *PUBLIC     *RWX         X     X     X     X                       
     ROBOTUSR    *RWX         X     X     X     X                       

Again, *PUBLIC has all the ‘X’s and so does everyone on the authorization list. I’m running V7R2 if that helps.

Thanks,
Tony
Discuss This Question: 2  Replies

 
  • Splat
    Have you tried adding ROBOTUSR as a supplemental group in the end user's profile?
  • pdraebel
    What about the authority settings on Authorisation List GTPSIFS?
    You may consider running the GRTAUT with adopted authority although I do not know whether IFS works well with adopted authority.
