× The internal search function is temporarily non-functional. The current search engine is no longer viable and we are researching alternatives.
As a stop gap measure, we are using Google's custom search engine service.
If you know of an easy to use, open source, search engine ... please contact support@midrange.com.


  1.  Home
  2. MIDRANGE-L
  3. January 2008

Re: Creating IFS folders (& limiting access to those folders).

When you say "IFS folders", I assume you mean directories in the root or
QOpenSys file systems? Different file systems treat security
differently... in particular, /QDLS and /QSYS.LIB are very different
from other areas of the IFS.

So, if you don't mean the Root or QOpenSys filesystems, then please let
me know...

Typically you set the authority of a directory using the CHGAUT CL
command. Though, you can accomplish the same thing using QShell
commands or APIs. You did not say how your client is accessing the IFS,
so I'm going to just assume you're doing it through a CL program.

Anyway... Carol Woodbury wrote an article titled "How to Secure the Integrated File System " which was published in the Sept 2005 issue of iSeries NEWS magazine. If you have a ProVIP membership to System iNetwork, you can view that article online at the following link:
http://www.systeminetwork.com/article.cfm?id=20237

Basically, you probably want to set public authority to DTAAUT(*EXCLUDE) OBJAUT(*NONE) Use WRKLNK '/dirname' and take option 9 to view, change and verify that the authorities are set up as you want them to be.

Then, I'd create a group user profile and give that group DTAAUT(*RWX) and OBJAUT(*NONE) to the directory you want them to be able to put docs in. This gives the group profile the ability to traverse the directory, view files in the directory, add new files, etc. But does not give them the ability to delete this directory or give someone else access to it.

I'd ensure that the group profile is associated with the directory in question. I always do that through Qshell -- I assume there's a native CL command as well, but not exactly sure what it is. Anyway...

STRQSH CMD('chgrp GROUPPROFILENAME /directory')

Then, I'd add that group profile to the list of supplemental group profiles for the users who need authority. By default, any new files created in the directory should have *RW for the owner & group, and no authority to public.

That's just the default, though. Some software such as IBM's CPYTOSTMF and CPYTOIMPF override that default behavior when creating files. Also, programs creating files with the open() API can specify any authorites they like... but software that just takes the default will grab it's authorities from the directory.


Dlong400 wrote:
Hi All,

I am about to show off my lack of knowledge here...


I have a client that is on V4R5 and they are trying to limit who can
access folders on the IFS.

Can anyone point me to a reference document that would give some
guidance on accomplishing this?


(They have a BP that is able to make this work on their own 400, but
for some reason, they can not get it to work on our mutal clients
400).

Thanks, DL


As an Amazon Associate we earn from qualifying purchases.

This thread ...
Replies:
Follow On AppleNews
Return to Archive home page | Return to MIDRANGE.COM home page

This mailing list archive is Copyright 1997-2024 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page. If you have questions about this, please contact [javascript protected email address].

Operating expenses for this site are earned using the Amazon Associate program and Google Adsense.