Want to win a PS4? Go Premium and enter to win our High-Tech Treats giveaway. Enter to Win

x
?
Solved

How do I set the Authorisation list when creating an IFS streamfile in RPG?

Posted on 2010-08-23
8
Medium Priority
?
1,059 Views
Last Modified: 2013-11-25
Using the unlink() and open() APIs from IBM, we are creating an IFS streamfile (IBM's open() api page: http://publib.boulder.ibm.com/infocenter/iseries/v6r1m0/index.jsp?topic=/rzasd/sc09250802.htm)

If the streamfile needs to be replaced, the unlink() fails because the IFS object was not created with the authority to be deleted so we end up with either an error message or two conflicting entries in the streamfile (if we supress the error checking on unlink()). All object authorities must be controlled by authorisation lists, due to company security policy.

The authorisation properties of the open() api (and chmod() api) do not allow you to set the authorisation list of the new IFS streamfile, and the page linked above says that "Adopted authority is not used".

How do I set the Authorisation list when creating an IFS streamfile in RPG? Preferably to the same AUTL as the parent directory in the IFS.
0
Comment
Question by:Paul-Bailey
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
8 Comments
 
LVL 35

Accepted Solution

by:
Gary Patterson earned 750 total points
ID: 33500374
CHGAUT command will do the trick
0
 

Author Comment

by:Paul-Bailey
ID: 33500582
But I'll also need to calculate the AUTL name from the parent folder. Is there an easier way?
0
 
LVL 13

Expert Comment

by:_b_h
ID: 33501997
If you use CPYTOSTMF to create an empty file, it will inherit the authorization list from its parent directory if you specify AUT(*INDIR):

CPYTOSTMF FROMMBR('/qsys.lib/qgpl.lib/qclsrc.file/qstrup.mbr') TOSTMF('/mydir/qstrup.txt') AUT(*INDIR)                                        

Not sure if that helps....
Barry
0
Windows Server 2016: All you need to know

Learn about Hyper-V features that increase functionality and usability of Microsoft Windows Server 2016. Also, throughout this eBook, you’ll find some basic PowerShell examples that will help you leverage the scripts in your environments!

 

Author Comment

by:Paul-Bailey
ID: 33502034
Nothing wrong with your suggestion, but we are using APIs to create the STMF from within RPG and I want to continue using an API to change the authority or advice on the existing APIs to do what I want.

If it all comes down to running CL commands instead, then so be it.
0
 
LVL 35

Expert Comment

by:Gary Patterson
ID: 33506498
Far as I know thwr isn't an API to do what you want to do.
0
 

Author Closing Comment

by:Paul-Bailey
ID: 33508568
The solution didn't mention anything about how to set the AUTL to that of the parent library, or why an API couldn't be used (without further comments) so full marks were not given.
0
 
LVL 27

Expert Comment

by:tliotta
ID: 38782422
I just ran across this question and felt that a clarifying comment could be added.

The point of adding a *AUTL to a streamfile that exists in a [parent] directory when the parent directory already is listed on the *AUTL isn't clear.

If the *AUTL is intended to control access to the streamfile, then *PUBLIC authority to the directory should be *AUTL and the *AUTL should list *PUBLIC as *EXCLUDE. Only users explicitly listed on the *AUTL would then have any access to the directory. But that directly implies that the access is restricted to the very same users to any streamfile in the directory. If you're excluded from the directory, there is no point to also exclude from objects contained in the directory. It's often unnecessarily redundant. (Not always.)

Further, data authorities are set only once per user on a *AUTL. Authorities are not set separately per object. So, for example, you couldn't set different data authorities for the directory and for the streamfile for a given user. I.e., you couldn't allow *DELETE for a streamfile without also allowing *DELETE for the directory.

But the biggest issue is simply that the CHGAUT command interface is the only way to set an *AUTL for a streamfile. There is no API to do it. And the question didn't ask how to do it with an API anyway. (Other interfaces are interactive, and they call CHGAUT anyway.)

Technically, if an API had to be used, QCMDEXC could be called to execute the CHGAUT command. (QCAPCMD would be best.) But that's worse than binding a CL module into the RPG program in some ways.

As for the issue of adopted authority, it's not used when addressing security elements of the IFS. The general IFS principle is based on UNIX and UNIX doesn't use the adopted authority mechanism of AS/400s. Instead, the various methods of profile switching are used.

Perhaps the most common method is with the Get Profile Handle (QSYGETPH) and Set Profile Handle (QWTSETP, QsySetToProfileHandle) APIs. Other similar APIs can also be used, especially if UNIX compliance is desired..

Switch to an authorized profile, perform the authorized action (ideally all in a secured procedure), and finally switch back to the job profile.

To find the authorization list that is assigned for the parent directory, the Retrieve Users Authorized to an Object (QSYRTVUA) API can be used. Once retrieved, CHGAUT can set the same *AUTL for the streamfile if it's really needed. (There can be reasons to do it. It's just a question of whether it's really meaningful for most situations.)

Tom
0
 

Author Comment

by:Paul-Bailey
ID: 38789093
I'm afraid I don't remember exactly what the issue was and I can no longer check as I no longer work for that particular company, but I vaguely remember using a CL module in the end with the CHGAUT command. I don't know how I solved the issue of which AUTL to use, but your api suggestions are news to me so I'm certain I did not do it that way.

Hopefully the additional information will help someone else in the future. Thanks anyway.


Paul.
0

Featured Post

Get your Conversational Ransomware Defense e‑book

This e-book gives you an insight into the ransomware threat and reviews the fundamentals of top-notch ransomware preparedness and recovery. To help you protect yourself and your organization. The initial infection may be inevitable, so the best protection is to be fully prepared.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Are you looking for the options available for exporting EDB files to PST? You may be confused as they are different in different Exchange versions. Here, I will discuss some options available.
Here in this article, you will get a step by step guidance on how to restore an Exchange database to a recovery database. Get a brief on Recovery Database and how it can be used to restore Exchange database in this section!
Visualize your data even better in Access queries. Given a date and a value, this lesson shows how to compare that value with the previous value, calculate the difference, and display a circle if the value is the same, an up triangle if it increased…
Have you created a query with information for a calendar? ... and then, abra-cadabra, the calendar is done?! I am going to show you how to make that happen. Visualize your data!  ... really see it To use the code to create a calendar from a q…
Suggested Courses

636 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question