AS400 IFS Mapped Drive File Permissions - Need to be able to Move but not Delete Files

Our AS400 (Version 6, Release 1, Mod 0) has some shared folders in the Integrated File System that we map as drives from Windows XP PCs.  These folders serve as our "production" folders for our engraving department.  We take orders from customers, the AS400 creates a PDF of the order which goes into the IFS which we can access from our PCs.  We have a series of sub-folders that we use to move files through the stages of production.  We add other Excel and Illustrator files to these folders as orders move through the production process.

My problem:  When you delete a file or folder in this environment (accidentally or otherwise) there is no "undo" or "recycle bin" at all (as far as I know).  The file or folder (and all sub-folders) is just gone.  Nightly backups of the files wouldn't help much because it's the files we are currently working on that have the most value (by the time we backed them up the order would be complete, so the files wouldn't be worth much).

I am hoping that one of these options is possible (but I'm all ears to other ideas, of course):

1.  Is there a way to give users permission to Move files but not Delete files?  (I am guessing "No" because you either have read/write access or read-only access, I think).

2.  Is there a way to send all files deleted from the IFS to a "Recycle Bin" of some kind?  If someone accidentally deleted something it wouldn't be a big deal if we could retrieve it from somewhere.

3.  Is there a way to password protect the ability to Delete files from the IFS via a Windows XP shared folder? (but not impede the Moving or Changing of files within the shared folder)

We move a lot of files around in a fast paced production environment with daily deadlines...we'd like to restrict the ability to Delete these files altogether, but we don't want to impede the ability to Move files from folder to folder, Change files, or save new files to these folders.

We probably shouldn't be using the AS400 IFS as our production folders at all, but we don't have a Windows Server of any kind, just a NAS that we use to share files (we're small time...half of our PCs are XP Home, not Professional).  So I'm hoping there is an AS400-based solution.

Thank you very much for any advice you might have, and I apologize for surely leaving out important details.  I'm not an AS400 expert at all, but my co-workers think I am for some reason...which is why I'm here looking for a real expert.  :-)



Are you looking to restrict object existence authority entirely for the PDFs? That is, do you want to stop the deletion of the PDFs by users or do you only want to stop deletion of a PDF during the time it resides within one or more specific folders?

Note that moving a file from one directory to another is similar to (but not the same as) creating a copy and 'deleting' the original.

I haven't put much thought into it, but the first thing that comes to mind is the possibility of presenting users only with a "hard link" to the PDF, never with the PDF itself.

Think about a directory named /PDFRecycle which might be where _every_ PDF is physically created. Immediately after creation, run an ADDLNK LNKTYPE(*HARD) to create a 'hard' link in your usual PDF directory that links to the actual document.

Users might never notice the difference. They should be able to do most, if not all, current work against the hard link object. They can move it to different directories, copy it, even delete it. But the real physical streamfile PDF will still be in /PDFRecycle.

Only when all 'hard' links are removed will the actual streamfile be deleted. The original streamfile is itself a hard link.

I'd need to experiment, but maybe it's a possibility that can help. You might have additional details to give in response to this. Maybe I can work up a useful authority scheme that is more appropriate.
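
The hard-link scheme described in this answer, as an added example that is not part of the original post: a POSIX shell demonstration that uses `ln` as a stand-in for `ADDLNK LNKTYPE(*HARD)` and shows what survives a move, a delete, and two kinds of save. Apart from /PDFRecycle, the directory and file names are hypothetical, and the file contents are constructed.

```shell
#!/bin/sh
# Added demonstration: POSIX ln stands in for ADDLNK LNKTYPE(*HARD).
# Directory and file names are hypothetical; file contents are constructed.
DEMO_ROOT=$(mktemp -d)
MASTER_DIR="$DEMO_ROOT/PDFRecycle"   # where every file is physically created
WORK_DIR="$DEMO_ROOT/production"     # what users see through the mapped drive
mkdir -p "$MASTER_DIR" "$WORK_DIR/stage2"

# Give users a second hard link to a file that already exists in MASTER_DIR.
publish() {
    ln "$MASTER_DIR/$1" "$WORK_DIR/$1"
}

# Print how many directory entries (hard links) point at the file's data.
link_count() {
    ls -ld "$1" | awk '{print $2}'
}

# Put a user-facing link back after an accidental delete.
restore() {
    [ -e "$WORK_DIR/$1" ] || ln "$MASTER_DIR/$1" "$WORK_DIR/$1"
}

F=order1001.pdf
printf 'order 1001\n' > "$MASTER_DIR/$F"
publish "$F"
COUNT_PUBLISHED=$(link_count "$MASTER_DIR/$F")

# A move inside one file system renames the link; the data is untouched.
mv "$WORK_DIR/$F" "$WORK_DIR/stage2/$F"
COUNT_MOVED=$(link_count "$MASTER_DIR/$F")

# A delete removes only the user's link; the master entry keeps the data.
rm "$WORK_DIR/stage2/$F"
COUNT_DELETED=$(link_count "$MASTER_DIR/$F")
restore "$F"
RESTORED=$(cat "$WORK_DIR/$F")

# Caveat 1: an in-place write through the link changes the master copy too.
printf 'edited\n' > "$WORK_DIR/$F"
MASTER_AFTER_EDIT=$(cat "$MASTER_DIR/$F")

# Caveat 2: save-by-replace (write a new file, rename it over the old name)
# detaches the user's copy, so the master no longer tracks later changes.
printf 'version 2\n' > "$WORK_DIR/$F.tmp"
mv "$WORK_DIR/$F.tmp" "$WORK_DIR/$F"
MASTER_AFTER_REPLACE=$(cat "$MASTER_DIR/$F")
COUNT_AFTER_REPLACE=$(link_count "$MASTER_DIR/$F")
```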


jon_at_jones (Author) Commented:
Hi Tom,

Thank you very much for your reply.  The "hard link" option is interesting, but since there are user-created Excel and Illustrator files that are added to the folders (based on the info in the PDF, as part of our production process) I'm not sure this would cover everything.  These Excel and Illustrator production files are the ones we're most interested in protecting from accidental deletion.

"Are you looking to restrict object existence authority entirely for the PDFs? That is, do you want to stop the deletion of the PDFs by users or do you only want to stop deletion of a PDF during the time it resides within one or more specific folders?"
I only want to stop the Deletion of any file (not just PDFs) in one or more specific folders.  I created a sub-folder called "Delete" and have tried to train my users to never delete anything, but rather just move things to the Delete folder...which works great except when a user accidentally deletes something.

I think I might need to look into this "Existence Authority" more closely.  Looking at the Permissions for the shared folder (screen shot attached) I see Read, Write, Execute, Management, Existence, Alter, Reference, Exclude and From AUTL.

If I deselect the "Existence" Permission check box for the folder in question, will that prevent users from deleting anything in that folder (but still allow them to change and move files within the folder and sub-folders, and let them add files to the folder)?  I'm going to go ahead and test it now on a test folder.

Thanks again for your help!



I believe you will need an “exit program”.  You can attach an exit program to “exit points”.  

Your exit program would get called each time a user attempts to do something with an IFS object.  You could programmatically determine the response.

One thing came to mind; you could copy to another protected place all new files.  That way if someone deleted an important file you would have it elsewhere.

If this sounds like something you want to do, let me know.  I have more details to give.

Steve Bowdoin