Solved

How do I set the Authorisation list when creating an IFS streamfile in RPG?

Posted on 2010-08-23
1,002 Views
Last Modified: 2013-11-25
Using the unlink() and open() APIs from IBM, we are creating an IFS streamfile (IBM's open() api page: http://publib.boulder.ibm.com/infocenter/iseries/v6r1m0/index.jsp?topic=/rzasd/sc09250802.htm)

If the streamfile needs to be replaced, the unlink() fails because the IFS object was not created with the authority to be deleted so we end up with either an error message or two conflicting entries in the streamfile (if we suppress the error checking on unlink()). All object authorities must be controlled by authorisation lists, due to company security policy.

The authorisation properties of the open() api (and chmod() api) do not allow you to set the authorisation list of the new IFS streamfile, and the page linked above says that "Adopted authority is not used".

How do I set the Authorisation list when creating an IFS streamfile in RPG? Preferably to the same AUTL as the parent directory in the IFS.
Question by:Paul-Bailey
8 Comments
 
LVL 34

Accepted Solution

by:
Gary Patterson earned 250 total points
CHGAUT command will do the trick
 

Author Comment

by:Paul-Bailey
But I'll also need to calculate the AUTL name from the parent folder. Is there an easier way?
 
LVL 13

Expert Comment

by:_b_h
If you use CPYTOSTMF to create an empty file, it will inherit the authorization list from its parent directory if you specify AUT(*INDIR):

CPYTOSTMF FROMMBR('/qsys.lib/qgpl.lib/qclsrc.file/qstrup.mbr') TOSTMF('/mydir/qstrup.txt') AUT(*INDIR)

Not sure if that helps....
Barry
 

Author Comment

by:Paul-Bailey
Nothing wrong with your suggestion, but we are using APIs to create the STMF from within RPG and I want to continue using an API to change the authority or advice on the existing APIs to do what I want.

If it all comes down to running CL commands instead, then so be it.
 
LVL 34

Expert Comment

by:Gary Patterson
Far as I know there isn't an API to do what you want to do.
 

Author Closing Comment

by:Paul-Bailey
The solution didn't mention anything about how to set the AUTL to that of the parent library, or why an API couldn't be used (without further comments) so full marks were not given.
 
LVL 27

Expert Comment

by:tliotta
I just ran across this question and felt that a clarifying comment could be added.

The point of adding a *AUTL to a streamfile that exists in a [parent] directory when the parent directory already is listed on the *AUTL isn't clear.

If the *AUTL is intended to control access to the streamfile, then *PUBLIC authority to the directory should be *AUTL and the *AUTL should list *PUBLIC as *EXCLUDE. Only users explicitly listed on the *AUTL would then have any access to the directory. But that directly implies that the access is restricted to the very same users to any streamfile in the directory. If you're excluded from the directory, there is no point to also exclude from objects contained in the directory. It's often unnecessarily redundant. (Not always.)

Further, data authorities are set only once per user on a *AUTL. Authorities are not set separately per object. So, for example, you couldn't set different data authorities for the directory and for the streamfile for a given user. I.e., you couldn't allow *DELETE for a streamfile without also allowing *DELETE for the directory.

But the biggest issue is simply that the CHGAUT command interface is the only way to set an *AUTL for a streamfile. There is no API to do it. And the question didn't ask how to do it with an API anyway. (Other interfaces are interactive, and they call CHGAUT anyway.)

Technically, if an API had to be used, QCMDEXC could be called to execute the CHGAUT command. (QCAPCMD would be best.) But that's worse than binding a CL module into the RPG program in some ways.

As for the issue of adopted authority, it's not used when addressing security elements of the IFS. The general IFS principle is based on UNIX and UNIX doesn't use the adopted authority mechanism of AS/400s. Instead, the various methods of profile switching are used.

Perhaps the most common method is with the Get Profile Handle (QSYGETPH) and Set Profile Handle (QWTSETP, QsySetToProfileHandle) APIs. Other similar APIs can also be used, especially if UNIX compliance is desired.

Switch to an authorized profile, perform the authorized action (ideally all in a secured procedure), and finally switch back to the job profile.

To find the authorization list that is assigned for the parent directory, the Retrieve Users Authorized to an Object (QSYRTVUA) API can be used. Once retrieved, CHGAUT can set the same *AUTL for the streamfile if it's really needed. (There can be reasons to do it. It's just a question of whether it's really meaningful for most situations.)

Tom
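As an added example (not code from this thread or from IBM), a free-form RPG module procedure that follows Tom's sequence: unlink the old copy, create the file with open(), then run CHGAUT through QCMDEXC. It assumes the caller already knows the *AUTL name (for instance after retrieving the parent directory's list with QSYRTVUA); the procedure name replaceStmf, the mode bits, the choice of QCMDEXC over QCAPCMD and the assumption that the path contains no apostrophes are the example's own.

```rpgle
**free
ctl-opt nomain;

// IFS APIs and QCMDEXC, prototyped for this added example
dcl-pr open int(10) extproc('open');
  path pointer value options(*string); oflag int(10) value; mode uns(10) value options(*nopass);
end-pr;
dcl-pr close int(10) extproc('close'); fd int(10) value; end-pr;
dcl-pr unlink int(10) extproc('unlink'); path pointer value options(*string); end-pr;
dcl-pr getErrnoPtr pointer extproc('__errno'); end-pr;
dcl-pr QCMDEXC extpgm('QCMDEXC');
  cmd char(3000) const options(*varsize); cmdLen packed(15:5) const;
end-pr;

dcl-c O_WRONLY 2; dcl-c O_CREAT 8; dcl-c O_TRUNC 64;
dcl-c S_IRWXU 448;    // owner read/write/execute (rwx------); *PUBLIC comes from the *AUTL
dcl-c ENOENT 3025;    // errno: no such path or directory

// Replace a stream file and put it on the given *AUTL.
// Returns *on only when the delete, the create and the CHGAUT all succeeded.
dcl-proc replaceStmf export;
  dcl-pi *n ind;
    path varchar(1024) const;   // e.g. '/mydir/qstrup.txt' (no apostrophes assumed)
    autl char(10) const;        // e.g. the parent directory's list found via QSYRTVUA
  end-pi;
  dcl-s fd int(10); dcl-s cmd varchar(3000);
  dcl-s pErrno pointer;
  dcl-s errno int(10) based(pErrno);

  // Delete any old copy; a missing file is fine, any other error is not
  if unlink(path) < 0;
    pErrno = getErrnoPtr();
    if errno <> ENOENT;
      return *off;      // typically EACCES (3401): job lacks *OBJEXIST on the old file
    endif;
  endif;

  fd = open(path: O_WRONLY + O_CREAT + O_TRUNC: S_IRWXU);
  if fd < 0;
    return *off;
  endif;
  // ... write the new contents with write(fd: ...) here ...
  close(fd);

  // CHGAUT is the only interface that sets an *AUTL on a stream file
  cmd = 'CHGAUT OBJ(''' + path + ''') AUTL(' + %trim(autl) + ')';
  monitor;
    QCMDEXC(cmd: %len(cmd));
    return *on;
  on-error;
    return *off;        // CHGAUT failed; the CPF message is in the job log
  endmonitor;
end-proc;
```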
 

Author Comment

by:Paul-Bailey
I'm afraid I don't remember exactly what the issue was and I can no longer check as I no longer work for that particular company, but I vaguely remember using a CL module in the end with the CHGAUT command. I don't know how I solved the issue of which AUTL to use, but your API suggestions are news to me so I'm certain I did not do it that way.

Hopefully the additional information will help someone else in the future. Thanks anyway.
Paul.