Re: COMMAND AUTHORITY LOGIC -- MIDRANGE-L

Well, the official answer is - you don't. There may be a few individuals who could change that back, but I don't think they would want to spread that knowledge around.

If you tried to restore the individual object from a SAVSYS backup you would end up having to patch the system entry point table to refer to the restored object instead of the original one. Not as complicated as changing the program to system state, but not something you probably want to attempt, or I would want to encourage.

SO, that leaves option 3. You put the original command back by doing a SLIP install of the operating system.
- Manual IPL
- At selection screen, Install Operating System
- If restored from IBM CD's (and not your own SAVSYS taken after you last applied PTF's), reapply latest PTF cum package and any other individual PTF's you have applied.

If I were you, I would just live with your circumvention (granting Use authority to Public) until you resolve the situation by upgrading to a new release.
Would be interesting to see if someone doing a security audit could spot it ! :-)

...Aloha

Neil Palmer DPS Data Processing Services Canada Ltd.
50 Acadia Avenue, Ste.102 AS/400~~~~~
Markham, Ontario, Canada. ____________ ___ ~
Phone:(905) 474-4890 x303 |OOOOOOOOOO| ________ o|__||=
Cell.:(416) 565-1682 x303 |__________|_|______|_|______)
Fax: (905) 474-4898 oo oo oo oo OOOo=o\
mailto:NeilP@DPSlink.com ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
http://www.DPSlink.com iSeries 400 The Ultimate Business Server

"oludare" <oludare@ix.netcom.com>
Sent by: owner-midrange-l@midrange.com

2000/12/11 13:06
Please respond to MIDRANGE-L

To: "AS/400 Midrange Usergroup" <MIDRANGE-L@midrange.com>
cc:
Subject: Re: COMMAND AUTHORITY LOGIC

Neil,

How do I change the parameter "State used to call program" from *USER to
*SYSTEM. The parm only shows when a DSPOBJ is issue on QLICHLIB.

Thanks

Oludare

----- Original Message -----
From: "John Earl" <johnearl@400security.com>
To: <MIDRANGE-L@midrange.com>
Sent: Friday, December 08, 2000 3:56 PM
Subject: Re: COMMAND AUTHORITY LOGIC

> I believe this issue arises when you modify a system domain object
> (the CHGLIBL command). When you modify it, the command becomes
> "user domain" and is no longer eligble to directly reference a
> system state program.
>
> You can verify this if you have QAUDJRN turned on. Look for
> Journal Code "T" and journal type "AF". Then scan the first byte
> of the data structure for the violation code of either "C" or
> "D". If you find these litter uglies, then I've correctly
> diagnosed the problem.
>
> However, all of this assumes that you're at QSECURITY level 40 or
> 50. If you're not, then I'm dead wrong. :)
>
> jte
>
> oludare wrote:
>
> > Hey guys, I am on OS400 V4R3M0 Current CUM. I ran into a problem
> > this morning when I changed an IBM object CHGLIBL command. I
> > change the parameter call "program to process the command", by
> > mistake, and change it back to what it was but users ran into
> > problem with "Not authorized to QLICHLIB program". The program
> > authority for users is *EXCLUDE before and after the change. In
> > the end, I had to change QLICHLIB to PUBLIC *USE for them to
> > have access again. Question: How did user gain access to
> > QLICHLIB prior to the change.