Solved

How do I set the Authorisation list when creating an IFS streamfile in RPG?

Posted on 2010-08-23
8
1,008 Views
Last Modified: 2013-11-25
Using the unlink() and open() APIs from IBM, we are creating an IFS streamfile (IBM's open() api page: http://publib.boulder.ibm.com/infocenter/iseries/v6r1m0/index.jsp?topic=/rzasd/sc09250802.htm)

If the streamfile needs to be replaced, the unlink() fails because the IFS object was not created with the authority to be deleted so we end up with either an error message or two conflicting entries in the streamfile (if we suppress the error checking on unlink()). All object authorities must be controlled by authorisation lists, due to company security policy.

The authorisation properties of the open() api (and chmod() api) do not allow you to set the authorisation list of the new IFS streamfile, and the page linked above says that "Adopted authority is not used".

How do I set the Authorisation list when creating an IFS streamfile in RPG? Preferably to the same AUTL as the parent directory in the IFS.
Question by:Paul-Bailey
8 Comments
 
LVL 34

Accepted Solution

by:
Gary Patterson earned 250 total points
ID: 33500374
CHGAUT command will do the trick
0
 

Author Comment

by:Paul-Bailey
ID: 33500582
But I'll also need to calculate the AUTL name from the parent folder. Is there an easier way?
0
 
LVL 13

Expert Comment

by:_b_h
ID: 33501997
If you use CPYTOSTMF to create an empty file, it will inherit the authorization list from its parent directory if you specify AUT(*INDIR):

CPYTOSTMF FROMMBR('/qsys.lib/qgpl.lib/qclsrc.file/qstrup.mbr') TOSTMF('/mydir/qstrup.txt') AUT(*INDIR)

Not sure if that helps....
Barry
0
 

Author Comment

by:Paul-Bailey
ID: 33502034
Nothing wrong with your suggestion, but we are using APIs to create the STMF from within RPG and I want to continue using an API to change the authority or advice on the existing APIs to do what I want.

If it all comes down to running CL commands instead, then so be it.
0
 
LVL 34

Expert Comment

by:Gary Patterson
ID: 33506498
Far as I know there isn't an API to do what you want to do.
0
 

Author Closing Comment

by:Paul-Bailey
ID: 33508568
The solution didn't mention anything about how to set the AUTL to that of the parent library, or why an API couldn't be used (without further comments) so full marks were not given.
0
 
LVL 27

Expert Comment

by:tliotta
ID: 38782422
I just ran across this question and felt that a clarifying comment could be added.

The point of adding a *AUTL to a streamfile that exists in a [parent] directory when the parent directory already is listed on the *AUTL isn't clear.

If the *AUTL is intended to control access to the streamfile, then *PUBLIC authority to the directory should be *AUTL and the *AUTL should list *PUBLIC as *EXCLUDE. Only users explicitly listed on the *AUTL would then have any access to the directory. But that directly implies that the access is restricted to the very same users to any streamfile in the directory. If you're excluded from the directory, there is no point to also exclude from objects contained in the directory. It's often unnecessarily redundant. (Not always.)

Further, data authorities are set only once per user on a *AUTL. Authorities are not set separately per object. So, for example, you couldn't set different data authorities for the directory and for the streamfile for a given user. I.e., you couldn't allow *DELETE for a streamfile without also allowing *DELETE for the directory.

But the biggest issue is simply that the CHGAUT command interface is the only way to set an *AUTL for a streamfile. There is no API to do it. And the question didn't ask how to do it with an API anyway. (Other interfaces are interactive, and they call CHGAUT anyway.)

Technically, if an API had to be used, QCMDEXC could be called to execute the CHGAUT command. (QCAPCMD would be best.) But that's worse than binding a CL module into the RPG program in some ways.

As for the issue of adopted authority, it's not used when addressing security elements of the IFS. The general IFS principle is based on UNIX and UNIX doesn't use the adopted authority mechanism of AS/400s. Instead, the various methods of profile switching are used.

Perhaps the most common method is with the Get Profile Handle (QSYGETPH) and Set Profile Handle (QWTSETP, QsySetToProfileHandle) APIs. Other similar APIs can also be used, especially if UNIX compliance is desired.

Switch to an authorized profile, perform the authorized action (ideally all in a secured procedure), and finally switch back to the job profile.

To find the authorization list that is assigned for the parent directory, the Retrieve Users Authorized to an Object (QSYRTVUA) API can be used. Once retrieved, CHGAUT can set the same *AUTL for the streamfile if it's really needed. (There can be reasons to do it. It's just a question of whether it's really meaningful for most situations.)

Tom
0
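The retrieve-then-CHGAUT procedure Tom outlines, written out as an added RPG IV free-form example (not code posted in this thread): QSYRTVUA reads the parent directory's *AUTL, and QCMDEXC runs CHGAUT to put the same list on the newly created stream file. Assumed: the paths /mydir and /mydir/report.txt are constructed, the program has already created the file with open(), and the RTUA0100 feedback field offsets are written from memory of the API reference and must be checked against the documentation for your release.

```rpgle
**FREE
// Added example (not from the thread): give a freshly created stream file the
// same *AUTL as its parent directory, via QSYRTVUA then CHGAUT through QCMDEXC.
ctl-opt dftactgrp(*no) actgrp(*new);
dcl-ds apiErr qualified;       // bytes provided = 0: APIs signal escape messages
  bytesProv  int(10) inz(0);
  bytesAvail int(10);
end-ds;
dcl-pr QCMDEXC extpgm('QCMDEXC');
  cmd    char(3000) const options(*varsize);
  cmdLen packed(15:5) const;
end-pr;
dcl-pr QSYRTVUA extpgm('QSYRTVUA');   // Retrieve Users Authorized to an Object
  receiver    char(1) options(*varsize);
  receiverLen int(10) const;
  feedback    char(1) options(*varsize);
  feedbackLen int(10) const;
  format      char(8) const;
  path        char(5000) const options(*varsize);
  pathLen     int(10) const;
  errCode     likeds(apiErr);
end-pr;

// RTUA0100 feedback area: the *AUTL name comes back here, not in the receiver.
// Field offsets are assumed; check them against the API reference.
dcl-ds fb qualified;
  bytesReturned int(10);
  bytesAvail    int(10);
  numUsers      int(10);
  entrySize     int(10);
  owner         char(10);
  primaryGroup  char(10);
  autl          char(10);
end-ds;
dcl-s users     char(4096);                      // user entries, unused here
dcl-s parentDir char(256) inz('/mydir');         // constructed paths
dcl-s stmf      char(256) inz('/mydir/report.txt');
dcl-s cmd       varchar(3000);
monitor;
  QSYRTVUA(users : %size(users) : fb : %size(fb) : 'RTUA0100'
         : parentDir : %len(%trimr(parentDir)) : apiErr);
  if fb.autl <> *blanks and fb.autl <> '*NONE';  // nothing to copy otherwise
    cmd = 'CHGAUT OBJ(''' + %trimr(stmf) + ''') AUTL(' + %trimr(fb.autl) + ')';
    QCMDEXC(cmd : %len(cmd));
  endif;
on-error;
  // Escape from either API (e.g. no *OBJMGT on the file): leave to the caller.
endmon;
*inlr = *on;
```

Because the error-code structure passes zero bytes provided, both APIs raise CPF escape messages on failure, so a missing *OBJMGT right on the file or a nonexistent directory lands in the on-error branch rather than silently leaving the file without its list.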
 

Author Comment

by:Paul-Bailey
ID: 38789093
I'm afraid I don't remember exactly what the issue was and I can no longer check as I no longer work for that particular company, but I vaguely remember using a CL module in the end with the CHGAUT command. I don't know how I solved the issue of which AUTL to use, but your api suggestions are news to me so I'm certain I did not do it that way.

Hopefully the additional information will help someone else in the future. Thanks anyway.


Paul.
0