|
For V4r5, the command used for this is RNMOBJ. The authority required to use this is (I think) *OBJMGT for an object. If it is any other type, please refer to http://publib.boulder.ibm.com/html/as400/online/v4r5eng.htm OS/400 Security - Reference V4R5, name QB3ALC04, date 10/13/99 12:23:10, document SC41-5302-04 >>> "Bale, Dan" <D.Bale@handleman.com> 08/07/01 01:45PM >>> This is a continuing thorn in our side. We've got system operators on the other side of the pond (the Atlantic) that we have wanted to give the necessary authority to work with device configurations as needed. The user profile has the following attributes: User class . . . . . . . . . : *SYSOPR Special authority . . . . . : *JOBCTL *SAVSYS Group profile . . . . . . . : LTEIT Owner . . . . . . . . . . . : *USRPRF Group authority . . . . . . : *NONE Group authority type . . . . : *PRIVATE The profile of group LTEIT shows: User class . . . . . . . . . : *SYSOPR Special authority . . . . . : *IOSYSCFG *JOBCTL *SAVSYS *SPLCTL Group profile . . . . . . . : *NONE Owner . . . . . . . . . . . : *USRPRF The system operator has tried to rename a device description that was created via autoconfig. He was able to vary it off, but 7=Rename was rejected: CPF2189: Not authorized to object DSP02 in QSYS type *DEVD. The object authority for the device description was created as: TB07 (the owner) . . . . : *ALL *PUBLIC . . . . . . . . : *CHANGE When I changed *PUBLIC to have *ALL authority, the system operator was then able to rename the device description. However, this also opens up the ability for any user to do this as well. Which is a no-no. I mistakenly thought that *IOSYSCFG would be necessary to do anything related to configuring devices. I tested this using a test profile created as follows: User class . . . . . . . . . : *USER Special authority . . . . . : *NONE Group profile . . . . . . . : *NONE Owner . . . . . . . . . . . : *USRPRF So, what's the magic combination needed to give our system operators the ability to work with device configuration and keep end-users from doing so? Note that we do not give anyone *ALLOBJ authority. And, is this question specifically answered in any IBM reference? Seems like we get occasional gotcha's caused by the combination of user authority and object authority. TIA. Dan Bale IT - AS/400 Handleman Company 248-362-4400 Ext. 4952 D.Bale@Handleman.com Quiquid latine dictum sit altum viditur. (Whatever is said in Latin seems profound.) +--- | This is the Midrange System Mailing List! | To submit a new message, send your mail to MIDRANGE-L@midrange.com. | To subscribe to this list send email to MIDRANGE-L-SUB@midrange.com. | To unsubscribe from this list send email to MIDRANGE-L-UNSUB@midrange.com. | Questions should be directed to the list owner/operator: david@midrange.com +--- +--- | This is the Midrange System Mailing List! | To submit a new message, send your mail to MIDRANGE-L@midrange.com. | To subscribe to this list send email to MIDRANGE-L-SUB@midrange.com. | To unsubscribe from this list send email to MIDRANGE-L-UNSUB@midrange.com. | Questions should be directed to the list owner/operator: david@midrange.com +---
As an Amazon Associate we earn from qualifying purchases.
This mailing list archive is Copyright 1997-2024 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page. If you have questions about this, please contact [javascript protected email address].
Operating expenses for this site are earned using the Amazon Associate program and Google Adsense.