


Kenneth Graap wrote on 03/24/2006 08:15:52 AM:

> The question I'm trying to answer now is "Why do regular application
> users require *SAVSYS authority?" None of the developers in my shop can
> answer that question. I need to understand that before I remove this
> special authority from the application's group profile. I was hoping
> that I could get information from the audit journal regarding this. It
> looks like it isn't going to be that easy. I'll probably end up
> recommending that we make the change, see what "breaks" and then address
> each situation as it comes up.

I know that I am late to this discussion but perhaps this information will
help. Chapter 4 of the Security Reference manual has this: "Save system
(*SAVSYS) special authority gives the user the authority to save, restore,
and free storage for all objects on the system, whether the user has object
existence authority to the objects."  So if the regular application users
do not do save and restore operations of objects then they do not need
*SAVSYS. Also, if they are doing save and restore operations then they will
not need *SAVSYS when they have *OBJEXIST authority to the objects.

As Pat said, you can find which CL commands require *SAVSYS by searching
Appendix D of the Security Reference manual. A few APIs also require
*SAVSYS. The Authorities and Locks section of the documentation for each
API in the Information Center will indicate if the API user needs *SAVSYS.

Starting in V5R3 the system started writing AF-K audit records when the
user did not have a required special authority. Depending on the order that
authority checking is done by each command or API, you may see an AF-K for
not having *SAVSYS special authority or an AF-A for not having *OBJEXIST
authority to the object.

Ed Fishel,
edfishel@xxxxxxxxxx
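
An added example, not part of the original post: one way to triage AF-K and AF-A entries per user and program after *SAVSYS has been removed from the group profile. It assumes the AF entries were already exported to CSV; the column names, user names, program names and rows are constructed for illustration and are not the audit journal's real field names.

```python
import csv
import io
from collections import defaultdict

# Constructed sample rows; column names are hypothetical, not real outfile fields.
SAMPLE_CSV = """timestamp,user,program,violation,object
2006-03-27T02:00:11,APPUSER1,NIGHTSAVE,K,
2006-03-27T02:00:12,APPUSER1,NIGHTSAVE,K,
2006-03-27T09:14:40,APPUSER2,ARCHIVE,A,APPLIB/ORDERS
2006-03-27T09:20:03,APPUSER2,ORDENTRY,A,APPLIB/PRICES
2006-03-27T10:01:55,QSECOFR,RSTTOOL,K,
"""

# Violation types named in the post: K = required special authority missing,
# A = authority to the object missing.
MEANING = {"K": "special authority missing", "A": "object authority missing"}


def triage(csv_text, group_members):
    """Count AF-K and AF-A entries per (user, program) for the given users."""
    findings = defaultdict(lambda: {"K": 0, "A": 0, "objects": set()})
    for row in csv.DictReader(io.StringIO(csv_text)):
        # Skip users outside the application group and other AF violation types.
        if row["user"] not in group_members or row["violation"] not in MEANING:
            continue
        entry = findings[(row["user"], row["program"])]
        entry[row["violation"]] += 1
        if row["object"]:
            entry["objects"].add(row["object"])
    return dict(findings)


def report(findings):
    """Return one line per (user, program): the worklist of what to review."""
    lines = []
    for (user, program), f in sorted(findings.items()):
        kinds = "; ".join(f"{MEANING[v]} x{f[v]}" for v in ("K", "A") if f[v])
        objs = ", ".join(sorted(f["objects"])) or "-"
        lines.append(f"{user:10} {program:10} {kinds} | objects: {objs}")
    return lines


if __name__ == "__main__":
    for line in report(triage(SAMPLE_CSV, {"APPUSER1", "APPUSER2"})):
        print(line)
```

Both violation types are kept in the worklist because, as the post notes, the same failed operation may be logged as either one depending on the order of authority checking.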



This mailing list archive is Copyright 1997-2024 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page. If you have questions about this, please contact [javascript protected email address].
