Solved

How do I set the Authorisation list when creating an IFS streamfile in RPG?

Posted on 2010-08-23
8
1,027 Views
Last Modified: 2013-11-25
Using the unlink() and open() APIs from IBM, we are creating an IFS streamfile (IBM's open() api page: http://publib.boulder.ibm.com/infocenter/iseries/v6r1m0/index.jsp?topic=/rzasd/sc09250802.htm)

If the streamfile needs to be replaced, the unlink() fails because the IFS object was not created with the authority to be deleted so we end up with either an error message or two conflicting entries in the streamfile (if we supress the error checking on unlink()). All object authorities must be controlled by authorisation lists, due to company security policy.

The authorisation properties of the open() api (and chmod() api) do not allow you to set the authorisation list of the new IFS streamfile, and the page linked above says that "Adopted authority is not used".

How do I set the Authorisation list when creating an IFS streamfile in RPG? Preferably to the same AUTL as the parent directory in the IFS.
0
Comment
Question by:Paul-Bailey
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
8 Comments
 
LVL 35

Accepted Solution

by:
Gary Patterson earned 250 total points
ID: 33500374
CHGAUT command will do the trick
0
 

Author Comment

by:Paul-Bailey
ID: 33500582
But I'll also need to calculate the AUTL name from the parent folder. Is there an easier way?
0
 
LVL 13

Expert Comment

by:_b_h
ID: 33501997
If you use CPYTOSTMF to create an empty file, it will inherit the authorization list from its parent directory if you specify AUT(*INDIR):

CPYTOSTMF FROMMBR('/qsys.lib/qgpl.lib/qclsrc.file/qstrup.mbr') TOSTMF('/mydir/qstrup.txt') AUT(*INDIR)                                        

Not sure if that helps....
Barry
0
Free Tool: Subnet Calculator

The subnet calculator helps you design networks by taking an IP address and network mask and returning information such as network, broadcast address, and host range.

One of a set of tools we're offering as a way of saying thank you for being a part of the community.

 

Author Comment

by:Paul-Bailey
ID: 33502034
Nothing wrong with your suggestion, but we are using APIs to create the STMF from within RPG and I want to continue using an API to change the authority or advice on the existing APIs to do what I want.

If it all comes down to running CL commands instead, then so be it.
0
 
LVL 35

Expert Comment

by:Gary Patterson
ID: 33506498
Far as I know thwr isn't an API to do what you want to do.
0
 

Author Closing Comment

by:Paul-Bailey
ID: 33508568
The solution didn't mention anything about how to set the AUTL to that of the parent library, or why an API couldn't be used (without further comments) so full marks were not given.
0
 
LVL 27

Expert Comment

by:tliotta
ID: 38782422
I just ran across this question and felt that a clarifying comment could be added.

The point of adding a *AUTL to a streamfile that exists in a [parent] directory when the parent directory already is listed on the *AUTL isn't clear.

If the *AUTL is intended to control access to the streamfile, then *PUBLIC authority to the directory should be *AUTL and the *AUTL should list *PUBLIC as *EXCLUDE. Only users explicitly listed on the *AUTL would then have any access to the directory. But that directly implies that the access is restricted to the very same users to any streamfile in the directory. If you're excluded from the directory, there is no point to also exclude from objects contained in the directory. It's often unnecessarily redundant. (Not always.)

Further, data authorities are set only once per user on a *AUTL. Authorities are not set separately per object. So, for example, you couldn't set different data authorities for the directory and for the streamfile for a given user. I.e., you couldn't allow *DELETE for a streamfile without also allowing *DELETE for the directory.

But the biggest issue is simply that the CHGAUT command interface is the only way to set an *AUTL for a streamfile. There is no API to do it. And the question didn't ask how to do it with an API anyway. (Other interfaces are interactive, and they call CHGAUT anyway.)

Technically, if an API had to be used, QCMDEXC could be called to execute the CHGAUT command. (QCAPCMD would be best.) But that's worse than binding a CL module into the RPG program in some ways.

As for the issue of adopted authority, it's not used when addressing security elements of the IFS. The general IFS principle is based on UNIX and UNIX doesn't use the adopted authority mechanism of AS/400s. Instead, the various methods of profile switching are used.

Perhaps the most common method is with the Get Profile Handle (QSYGETPH) and Set Profile Handle (QWTSETP, QsySetToProfileHandle) APIs. Other similar APIs can also be used, especially if UNIX compliance is desired..

Switch to an authorized profile, perform the authorized action (ideally all in a secured procedure), and finally switch back to the job profile.

To find the authorization list that is assigned for the parent directory, the Retrieve Users Authorized to an Object (QSYRTVUA) API can be used. Once retrieved, CHGAUT can set the same *AUTL for the streamfile if it's really needed. (There can be reasons to do it. It's just a question of whether it's really meaningful for most situations.)

Tom
0
 

Author Comment

by:Paul-Bailey
ID: 38789093
I'm afraid I don't remember exactly what the issue was and I can no longer check as I no longer work for that particular company, but I vaguely remember using a CL module in the end with the CHGAUT command. I don't know how I solved the issue of which AUTL to use, but your api suggestions are news to me so I'm certain I did not do it that way.

Hopefully the additional information will help someone else in the future. Thanks anyway.


Paul.
0

Featured Post

Free Tool: Postgres Monitoring System

A PHP and Perl based system to collect and display usage statistics from PostgreSQL databases.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
As400 - reports 9 141
Setup SFTP for internal iSeries servers 8 1,531
AS/400 ODBC Connection 4 83
iSeries, AS/400 GUI 9 177
The world seems to conceive of a curious bubble separating IT from “the business.”  More so than just about any other pursuit in the commercial world, people think of IT as some kind of an island.
Did you know that more than 4 billion data records have been recorded as lost or stolen since 2013? It was a staggering number brought to our attention during last week’s ManageEngine webinar, where attendees received a comprehensive look at the ma…
A short tutorial showing how to set up an email signature in Outlook on the Web (previously known as OWA). For free email signatures designs, visit https://www.mail-signatures.com/articles/signature-templates/?sts=6651 If you want to manage em…

726 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question