Solved

How do I set the Authorisation list when creating an IFS streamfile in RPG?

Posted on 2010-08-23
Last Modified: 2013-11-25
Using the unlink() and open() APIs from IBM, we are creating an IFS streamfile (IBM's open() API page: http://publib.boulder.ibm.com/infocenter/iseries/v6r1m0/index.jsp?topic=/rzasd/sc09250802.htm)

If the streamfile needs to be replaced, the unlink() fails because the IFS object was not created with the authority to be deleted, so we end up with either an error message or two conflicting entries in the streamfile (if we suppress the error checking on unlink()). All object authorities must be controlled by authorisation lists, due to company security policy.

The authorisation properties of the open() API (and chmod() API) do not allow you to set the authorisation list of the new IFS streamfile, and the page linked above says that "Adopted authority is not used".

How do I set the Authorisation list when creating an IFS streamfile in RPG? Preferably to the same AUTL as the parent directory in the IFS.
Question by:Paul-Bailey
8 Comments
 
Accepted Solution

by:
Gary Patterson earned 750 total points
ID: 33500374
CHGAUT command will do the trick
Author Comment

by:Paul-Bailey
ID: 33500582
But I'll also need to calculate the AUTL name from the parent folder. Is there an easier way?

Expert Comment

by:_b_h
ID: 33501997
If you use CPYTOSTMF to create an empty file, it will inherit the authorization list from its parent directory if you specify AUT(*INDIR):

CPYTOSTMF FROMMBR('/qsys.lib/qgpl.lib/qclsrc.file/qstrup.mbr') TOSTMF('/mydir/qstrup.txt') AUT(*INDIR)

Not sure if that helps....
Barry
 

Author Comment

by:Paul-Bailey
ID: 33502034
Nothing wrong with your suggestion, but we are using APIs to create the STMF from within RPG and I want to continue using an API to change the authority or advice on the existing APIs to do what I want.

If it all comes down to running CL commands instead, then so be it.

Expert Comment

by:Gary Patterson
ID: 33506498
Far as I know there isn't an API to do what you want to do.

Author Closing Comment

by:Paul-Bailey
ID: 33508568
The solution didn't mention anything about how to set the AUTL to that of the parent library, or why an API couldn't be used (without further comments) so full marks were not given.

Expert Comment

by:tliotta
ID: 38782422
I just ran across this question and felt that a clarifying comment could be added.

The point of adding a *AUTL to a streamfile that exists in a [parent] directory when the parent directory already is listed on the *AUTL isn't clear.

If the *AUTL is intended to control access to the streamfile, then *PUBLIC authority to the directory should be *AUTL and the *AUTL should list *PUBLIC as *EXCLUDE. Only users explicitly listed on the *AUTL would then have any access to the directory. But that directly implies that the access is restricted to the very same users to any streamfile in the directory. If you're excluded from the directory, there is no point to also exclude from objects contained in the directory. It's often unnecessarily redundant. (Not always.)

Further, data authorities are set only once per user on a *AUTL. Authorities are not set separately per object. So, for example, you couldn't set different data authorities for the directory and for the streamfile for a given user. I.e., you couldn't allow *DELETE for a streamfile without also allowing *DELETE for the directory.

But the biggest issue is simply that the CHGAUT command interface is the only way to set an *AUTL for a streamfile. There is no API to do it. And the question didn't ask how to do it with an API anyway. (Other interfaces are interactive, and they call CHGAUT anyway.)

Technically, if an API had to be used, QCMDEXC could be called to execute the CHGAUT command. (QCAPCMD would be best.) But that's worse than binding a CL module into the RPG program in some ways.

As for the issue of adopted authority, it's not used when addressing security elements of the IFS. The general IFS principle is based on UNIX and UNIX doesn't use the adopted authority mechanism of AS/400s. Instead, the various methods of profile switching are used.

Perhaps the most common method is with the Get Profile Handle (QSYGETPH) and Set Profile Handle (QWTSETP, QsySetToProfileHandle) APIs. Other similar APIs can also be used, especially if UNIX compliance is desired.

Switch to an authorized profile, perform the authorized action (ideally all in a secured procedure), and finally switch back to the job profile.

To find the authorization list that is assigned for the parent directory, the Retrieve Users Authorized to an Object (QSYRTVUA) API can be used. Once retrieved, CHGAUT can set the same *AUTL for the streamfile if it's really needed. (There can be reasons to do it. It's just a question of whether it's really meaningful for most situations.)

Tom
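A worked example of the route Gary (CHGAUT) and Tom (QSYRTVUA to read the parent's list, CHGAUT through QCMDEXC) describe, written by me for this page and not code from the thread. It is an ILE RPG program that is called with the path of a stream file the caller has just created with open()/close(), looks up the authorization list on the parent directory, and puts the file under the same list. Assumptions: free-form RPG (7.1 TR7 or later; the same declarations work as fixed-form D specs on 6.1); the QSYRTVUA feedback layout and the CHGAUT parameter combination USER(*PUBLIC) DTAAUT(*AUTL) AUTL(name) are as I read them in the IBM references and should be checked against the documentation for your release; the path is passed in the job CCSID; the procedure names parentDir, dirAutl and applyAutl are my own.

```rpgle
**free
// Added example, not code from the original thread: read the parent
// directory's *AUTL with QSYRTVUA and apply it to a newly created stream
// file with CHGAUT run through QCMDEXC. Procedure names are mine; the API
// layouts follow the IBM API reference as I read it (assumption: verify
// the offsets against the documentation for your release).
ctl-opt dftactgrp(*no) actgrp(*new);

// Retrieve Users Authorized to an Object; only its feedback area is used
dcl-pr rtvUsersAuth extpgm('QSYRTVUA');
  receiver char(65535) options(*varsize);
  rcvLen   int(10) const;
  feedback char(65535) options(*varsize);
  fdbkLen  int(10) const;
  format   char(8) const;
  pathName char(65535) options(*varsize) const;  // job CCSID (assumption)
  pathLen  int(10) const;
  errCode  char(65535) options(*varsize);
end-pr;
dcl-pr runCmd extpgm('QCMDEXC');
  cmd    char(3000) options(*varsize) const;
  cmdLen packed(15:5) const;
end-pr;

dcl-ds fb qualified;           // QSYRTVUA feedback information
  bytesReturned int(10);
  bytesAvail    int(10);
  userCount     int(10);
  owner         char(10);
  primaryGroup  char(10);
  autl          char(10);      // '*NONE' when no list secures the object
  sensitivity   char(1);
  reserved      char(213);     // room for trailing documented fields
end-ds;
dcl-ds apiError qualified;     // standard API error code structure (16 bytes)
  bytesProv  int(10);
  bytesAvail int(10);
  msgId      char(7);
  reserved   char(1);
end-ds;

dcl-pi *n;
  filePath char(1024) const;   // stream file already created by open()
end-pi;
dcl-s path varchar(1024);
dcl-s autl char(10);

path = %trimr(filePath);
autl = dirAutl(parentDir(path));
if autl = *blanks;
  dsply ('QSYRTVUA failed: ' + apiError.msgId);
elseif autl <> '*NONE' and not applyAutl(path: autl);
  dsply ('CHGAUT failed for ' + %trimr(autl));  // e.g. caller lacks *OBJMGT
endif;
*inlr = *on;
return;

// Parent directory of a path, '/' when the path has no directory part
dcl-proc parentDir;
  dcl-pi *n varchar(1024);
    p varchar(1024) const;
  end-pi;
  dcl-s i int(10);
  for i = %len(p) downto 2;
    if %subst(p: i: 1) = '/';
      return %subst(p: 1: i - 1);
    endif;
  endfor;
  return '/';
end-proc;

// *AUTL securing dir: '*NONE' if none, blanks when the API reports an error
dcl-proc dirAutl;
  dcl-pi *n char(10);
    dir varchar(1024) const;
  end-pi;
  dcl-s receiver char(4096);
  apiError.bytesProv = %size(apiError);  // errors come back in apiError
  rtvUsersAuth(receiver: %size(receiver): fb: %size(fb): 'RTUA0100':
               dir: %len(dir): apiError);
  if apiError.bytesAvail > 0;
    return *blanks;
  endif;
  return fb.autl;
end-proc;

// CHGAUT via QCMDEXC: public authority is deferred to the list
dcl-proc applyAutl;
  dcl-pi *n ind;
    objPath  varchar(1024) const;
    autlName char(10) const;
  end-pi;
  dcl-s cmd varchar(3000);
  // Double apostrophes so a caller-supplied path cannot break out of the
  // CL string literal: QCMDEXC input is a command-injection surface
  cmd = 'CHGAUT OBJ(''' + %scanrpl('''': '''''': objPath) + ''') '
      + 'USER(*PUBLIC) DTAAUT(*AUTL) AUTL(' + %trimr(autlName) + ')';
  monitor;
    runCmd(cmd: %len(cmd));
  on-error;
    return *off;                         // CHGAUT sent an escape message
  endmon;
  return *on;
end-proc;
```

Call it right after close() of the new file; from CL pass a *CHAR 1024 variable rather than a literal so the parameter length matches. CHGAUT needs the caller to own the file or hold *OBJMGT on it, which the creating job normally does, so no profile switch is required for this step. Two practitioner notes: the AUTL name is taken from the API, not from the caller, so only the path needs quoting; and if the goal is merely to replace the file's contents, opening it with O_TRUNC needs only write data authority and sidesteps the unlink() authority problem from the question entirely.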

Author Comment

by:Paul-Bailey
ID: 38789093
I'm afraid I don't remember exactly what the issue was and I can no longer check as I no longer work for that particular company, but I vaguely remember using a CL module in the end with the CHGAUT command. I don't know how I solved the issue of which AUTL to use, but your api suggestions are news to me so I'm certain I did not do it that way.

Hopefully the additional information will help someone else in the future. Thanks anyway.


Paul.