IFS Folders permission not working

Tags: AS/400, IFS, iSeries
I have created a folder (MAIN) in the root directory of the IFS on our iSeries system. I set the permission on this MAIN folder through iNav to full permission for public users. Inside this MAIN folder there are two subfolders called SUB1 and SUB2. I set the permissions on folder SUB1 only for one AS/400 user group called ACCOUNTS, and on folder SUB2 for another AS/400 user group called DELIVERY. Now an AS/400 user XXX from the DELIVERY group is connected to the IFS folder by a mapped network drive in Windows using the share path \iseriesnameMAIN. But XXX is able to read/write in both of the SUB folders, whereas XXX doesn't have any permission on folder SUB1. Can you please tell me how to solve this permission problem?
Discuss This Question: 17  Replies
  • pdraebel
    Check *PUBLIC authority to both subfolders. Also the Owner of SUB1 should be checked. The user should also not be a member of both groups. A printout of the Folder Permissions could prove helpful.
  • Sureyz
    Even the printout of the authority gives the same result. First I must confirm something. Is folder permission on the iSeries IFS the same as Windows Server folder/file permission? I mean, if a user doesn't have permission on the SUB1 folder and has access to the MAIN folder, would they be able to access SUB1?
  • pdraebel
    In order for a person to have access to a subfolder he needs at least read rights into all folders in the path. In case user XXX has no private rights to the folder SUB1, authority checking will check *PUBLIC authority, authority from Authorisation Lists or authority from group profiles. There is a document on the web describing the sequence used in authority checking. One main rule is: once an authority check returns with a positive result (authority = Yes), checking stops and the user is authorised.
  • pdraebel
    Authority is not only given to the Individual User, but could also be derived from the Groups the user is in, authorisation lists or the *PUBLIC authority. If you want to block the user from SUB1 add the user with rights *EXCLUDE.
  • Sureyz
    I have tried that too. I have added the user with *EXCLUDE rights for the SUB1 folder. Still he can see and open the folder SUB1. I really don't understand where the problem is. Please help.
  • TheRealRaven
    You told us some things about the authorities, but you need to show us the authority settings. We can't tell if there is a small detail that you left out. Maybe you didn't know that a detail was important. We need to see what is there.

    Rather than trying to tell us about some of the authorities, copy/paste listings of the complete authorities here. Then we can make useful comments. Otherwise we can only make guess after guess about everything we've ever learned about authorities, and maybe none of it applies here.
  • Sureyz
    Thanks for the suggestion. Here is the output of WRKAUT '/MAIN':
    
                   Data     --Object Authorities--
     User        Authority  Exist  Mgt  Alter  Ref

     *PUBLIC     *EXCLUDE
     SUREY       *RWX         X     X     X     X
     DELIVERY    *RW
     QDIRSRV     *X
    
    Can you please tell me if I should use any other commands to identify the authority?
  • pdraebel
    Are there any SPECIAL authorities granted to the user? (*ALLOBJ)
  • Sureyz
     User      Group     *ALL  *AUD  SYS   *JOB  *SAV  *SEC  *SER  *SPL  User
     Profile   Profiles  OBJ   IT    CFG   CTL   SYS   ADM   VICE  CTL   Class
     ATCHIA    *NONE      X                                              *USER
     AZHAR                X                                              *USER
     AZIM      *NONE      X                                              *USER
     AZUR      *NONE      X                                              *USER
     BANO      *NONE      X                                              *USER

    Yes, all the users have *ALLOBJ authority. Above is a sample.
    It would be easier if we could attach files in this forum.
  • pdraebel
    Users that have *ALLOBJ authority would automatically have access rights to All the Objects on the system, regardless of any other settings.
  • Sureyz
    Thank you very much for this information.

    Before I change anything in the user profile, can you please tell me where it will affect a user if I remove the special authority?

    In our case all the end users have *ALLOBJ special authority and the user class is *USER. We are using level 30 system security.

    Surey.
  • pdraebel
    In case ALL your users have *ALLOBJ, you need to review your security settings and setup. Removing *ALLOBJ should be done ASAP, but you need to prepare. How will users access system data? Are they authorised to call programs? Start with a test user of your own and see what you need to change in order to be able to remove the *ALLOBJ authorities. Depending on your setup this is going to be a huge job.
  • Sureyz
    When I removed the *ALLOBJ authority I got CPC1249 Not authorized to library LIBR001 in library list.

    Is there any other way we can give the authority to the users to call the programs?
  • Sureyz
    After removing the *ALLOBJ authority, the same user cannot get access to the IFS through Map Network Drive.
  • pdraebel
    In order to remove the *ALLOBJ authority from a user you would need to ensure another way of granting authority to the user is there.
    At our shop we use INFOR ERP and that software uses (among other ways) "Adopted Authority". Users' (*PUBLIC) authority for program and program objects (DSPF, PRTF) is set to *USE. Data Base Files have a setting of *PUBLIC *EXCLUDE, but users get authority through the Adopted Authority setting of the programs.
    In order to access data files from "outside sources" (ODBC etc.) we have set up Authorisation Lists for the files. Now it is easy to change the user's authority to the data files.
    You will have to make a proper analysis of your applications and come up with a method that is easy and flexible to use. One thing to avoid is granting individual profiles rights to files. This so-called "Private Authority" comes with a severe penalty on saving your security data. If at all possible use Group Profiles and authorisation lists to organise your security setup.
  • Sureyz
    Thank you very much for the detailed explanation about the User Authorities. Now I must check the possible ways around to do the same.
  • TheRealRaven
    If users have *ALLOBJ, there is no reason to try to set authorities on any objects. The *ALLOBJ special authority overrides the detail authority that you set on "ALL OBJects".

    Any user with *ALLOBJ can ignore the authority that you assign for the directories. That's the major purpose of *ALLOBJ. And that's why a system should only have very few users with *ALLOBJ.

    A user with *ALLOBJ can often obtain any other authority.

    If *ALLOBJ is needed in order to run normal applications, the applications should have their authorities corrected. If not, you need to assume that the only security that the system has is basic logon authentication. Once authenticated, there is no security inside the system. Setting authorities on directories, libraries, programs, etc., has no effect because all users automatically override whatever you set.
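
The checking order that pdraebel and TheRealRaven describe, as an added example that is not part of any post in this thread: a simplified Python model of how *ALLOBJ, a private entry, group entries and *PUBLIC are consulted for an IFS path. `Profile`, `effective` and `can_open` are hypothetical names; authorization lists, primary group and adopted authority are left out; the SUB1 and SUB2 entries are constructed from Sureyz's description.

```python
from dataclasses import dataclass, field

@dataclass
class Profile:
    name: str
    special: set = field(default_factory=set)    # special authorities, e.g. {"*ALLOBJ"}
    groups: list = field(default_factory=list)   # group Profile objects

def bits(auth):
    """'*RWX' -> {'R','W','X'}; '*EXCLUDE' -> empty set."""
    return set() if auth == "*EXCLUDE" else set(auth.lstrip("*"))

def effective(user, acl):
    """Return (granted bits, deciding step) for one object.
    acl maps profile name -> data authority and must contain '*PUBLIC'."""
    if "*ALLOBJ" in user.special:                 # 1. special authority: object not consulted
        return {"R", "W", "X"}, "user *ALLOBJ"
    if user.name in acl:                          # 2. private entry is final, even *EXCLUDE
        return bits(acl[user.name]), "private"
    if any("*ALLOBJ" in g.special for g in user.groups):
        return {"R", "W", "X"}, "group *ALLOBJ"   # 3a. inherited from a group profile
    found = [bits(acl[g.name]) for g in user.groups if g.name in acl]
    if found:                                     # 3b. group entries, combined
        return set().union(*found), "group"
    return bits(acl["*PUBLIC"]), "*PUBLIC"        # 4. fallback

def can_open(user, path_acls, need="R"):
    """path_acls: ACLs from the top directory down to the target.
    Each directory above the target needs X (search); the target needs `need`."""
    *parents, target = path_acls
    return (all("X" in effective(user, a)[0] for a in parents)
            and need in effective(user, target)[0])

# /MAIN as in the WRKAUT listing above; SUB1 and SUB2 are constructed sample entries.
MAIN = {"*PUBLIC": "*EXCLUDE", "SUREY": "*RWX", "DELIVERY": "*RW", "QDIRSRV": "*X"}
SUB1 = {"*PUBLIC": "*EXCLUDE", "ACCOUNTS": "*RWX", "XXX": "*EXCLUDE"}
SUB2 = {"*PUBLIC": "*EXCLUDE", "DELIVERY": "*RWX"}
delivery = Profile("DELIVERY")
before = Profile("XXX", {"*ALLOBJ"}, [delivery])  # as the thread found it
after = Profile("XXX", set(), [delivery])         # *ALLOBJ removed

if __name__ == "__main__":
    for label, u in (("with *ALLOBJ", before), ("without", after)):
        print(label, effective(u, SUB1)[1],
              can_open(u, [MAIN, SUB1]), can_open(u, [MAIN, SUB2]))
```

In this model the DELIVERY entry on /MAIN is *RW without *X, so once *ALLOBJ is gone the group cannot search /MAIN and neither subfolder can be opened; changing that entry to *RX lets XXX reach SUB2 while the *EXCLUDE entry keeps SUB1 closed.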
