May be a little technical...
My actual question is the last line.
There are two parts of program adoption which are somewhat independent.
One is "User profile".
The other is "Use Adopted authority".
"User profile" is only for the program currently being executed. It allows a program to run under a different user profile, perhaps with higher authority.
"Use Adopted authority" is used by programs further down the call stack.
For example, let's say you have a program called BPCSMENU and it has "User profile" set to *OWNER instead of *USER. And the owner of that object is SSA. Now let's say that BPCSMENU calls ORD123. ORD123 may have "User profile" set to *USER and "Use Adopted authority" set to *YES. Basically this says that ORD123 will continue to use the adoption authority of the program immediately up the call stack, in this case BPCSMENU.
Many people do not understand the difference between "User profile" and "Use Adopted authority" and just set them to *OWNER and *YES, assuming they need to be set so that either both are on or both are off.
If you set this right this will allow you to set the data in your file library so that SSA has *all authority and *public has *exclude. Now no user can manipulate the data outside of the programs, providing you did NOT make SSA a group profile and put everyone in that group. The program owner should never be a group profile. This is called "application only access".
Where you run into trouble is those BI users who want query access to the data, so you may set them up as *USE.
Another big roadblock is submitting jobs. I'm mainly concerned about those programs in BPCS which are self submitting. If your SBMJOB does a CALL ORD123B (as in Batch) then it breaks the call stack. Therefore if ORD123B is not "User profile" *owner and owned by SSA then it will no longer have adopted authority and it will fail in this scenario. I would think that ORD123B would need to have "User profile" set to *OWNER for this to work.
By default almost all programs from Infor are sent with "Use Adopted authority" set to *yes to ease using the "application only access" method.
The number of programs shipped from Infor without "Use Adopted authority" set to *yes can be counted on one hand.
SYSCMDL - "Call command line without adopting authority" is pretty self-explanatory.
This one may help to ensure that the user is only looking at their jobs:
SYS901C - "Work with Submitted Jobs for *USER"
I noticed a difference between ERPLXO and ERPLXPTFO for SYS901C. ERPLXO has it with "Use adopted authority" *yes while ERPLXPTFO has it with *no. Since the title is "Wrk w/Spool Files List Panel" maybe they wanted to fix it to ensure they weren't looking at spool files with any special authority.
Not sure about this other one:
SYS503C - "Miscellaneous functions for SYS500". Should it be "Use adopted authority" *yes?
Rob Berendt
--
IBM Certified System Administrator - IBM i 6.1
Group Dekko
Dept 1600
Mail to: 2505 Dekko Drive
Garrett, IN 46738
Ship to: Dock 108
6928N 400E
Kendallville, IN 46755
http://www.dekko.com
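The following is an added example, not part of the original post and not Infor or IBM code: a simplified Python model of the adoption rules as the post describes them, showing why a submitted ORD123B with "User profile" *USER loses access to data secured as SSA *ALL / *PUBLIC *EXCLUDE. The job user JOE and the helper names are constructed for illustration, and the model is not the actual IBM i authority-checking algorithm.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Program:
    name: str
    owner: str
    usrprf: str = "*USER"     # "User profile": *USER or *OWNER
    useadpaut: str = "*YES"   # "Use Adopted authority": *YES or *NO

# Constructed authorities on the data library, as in the post:
# SSA has *ALL, every other profile falls through to *PUBLIC *EXCLUDE.
DATA_AUT = {"SSA": "*ALL", "*PUBLIC": "*EXCLUDE"}

def effective_profiles(job_user, call_stack):
    """Profiles whose authority counts for the last program in call_stack."""
    profiles = {job_user}
    running = call_stack[-1]
    if running.usrprf == "*OWNER":
        profiles.add(running.owner)          # the program adopts its own owner
    # Walk toward the top of the stack while each program accepts adopted
    # authority from its caller (simplifying assumption of this model).
    for i in range(len(call_stack) - 1, 0, -1):
        if call_stack[i].useadpaut != "*YES":
            break
        caller = call_stack[i - 1]
        if caller.usrprf == "*OWNER":
            profiles.add(caller.owner)
    return profiles

def can_update(job_user, call_stack, aut=DATA_AUT):
    """True if any effective profile holds *ALL on the data."""
    return any(aut.get(p, aut["*PUBLIC"]) == "*ALL"
               for p in effective_profiles(job_user, call_stack))

def sbmjob(first_program):
    """A submitted job starts a new call stack; nothing adopted carries over."""
    return [first_program]

BPCSMENU = Program("BPCSMENU", owner="SSA", usrprf="*OWNER")
ORD123 = Program("ORD123", owner="SSA")                        # *USER / *YES
ORD123B_USER = Program("ORD123B", owner="SSA", usrprf="*USER")
ORD123B_OWNER = Program("ORD123B", owner="SSA", usrprf="*OWNER")

if __name__ == "__main__":
    print("menu -> ORD123:      ", can_update("JOE", [BPCSMENU, ORD123]))
    print("ORD123 called direct:", can_update("JOE", [ORD123]))
    print("SBMJOB ORD123B *USER:", can_update("JOE", sbmjob(ORD123B_USER)))
    print("SBMJOB ORD123B *OWNER:", can_update("JOE", sbmjob(ORD123B_OWNER)))
```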