• Subject: RE: Validity checking program for CRTSAVF/CRTLIB
  • From: MBarton@xxxxxxxxxx
  • Date: Mon, 2 Apr 2001 10:50:28 +0100


>Since a user with *ALLOBJ has pretty much authority to everything (yes,
>everything) I think the better way to go would be to remove *ALLOBJ from
>the user who you don't want to restore the libraries.
>
>It would be very difficult indeed (if not impossible) to secure someone
>with *ALLOBJ out of anything, especially if they are a knowledgeable user.
>
>Authority to CRTLIB is the least of your problems if you are trying to
>control a user who has *ALLOBJ and (it sounds like) they won't be
>co-operative.
>
>Cheers
>Evan Harris
>
>At 09:39 AM 04/02/01 +0200, you wrote:
>
>
>    thanks guys.
>    I'm on V4R4. If I revoke authority on e.g. CRTLIB for a specific user
>    having *ALLOBJ in the user profile it will not work. Or am I doing
>    something wrong?
>    Thanks
>    Chris

Chris
     as Evan correctly says, *ALLOBJ authority over-rides pretty much
everything.
One trick you can do is to create a simple command validation program and
attach this to the command(s) in question. This program will give a 'Not
authorised' msg to whoever you want despite the fact that they are actually
authorised to use the command!

Here is a similar program for the UPDDTA command to give you an idea.
As Evan says - if they are knowledgeable, this won't work as it is easily
removed.

/******************************************************************************/
/* Program UPDDTAC                                                            */
/******************************************************************************/
/* To Implement:                                                              */
/*  CHGCMD CMD(UPDDTA) VLDCKR({LIBRARY}/UPDDTAC)                              */
/*                                                                            */
/* Note: change IF statement to suit requirements                             */
/*                                                                            */
/******************************************************************************/
             PGM        PARM(&DFUPGM &FILE &MBR &CALLER)

             DCL        VAR(&ERROR) TYPE(*LGL)

             DCL        VAR(&CMDUSR) TYPE(*CHAR) LEN(10)

             DCL        VAR(&DFUPGM) TYPE(*CHAR) LEN(1)
             DCL        VAR(&FILE) TYPE(*CHAR) LEN(20)
             DCL        VAR(&MBR) TYPE(*CHAR) LEN(10)
             DCL        VAR(&CALLER) TYPE(*CHAR) LEN(10)

             CHGVAR     VAR(&ERROR) VALUE('0')

             RTVJOBA    USER(&CMDUSR)

   /* If not QSECOFR, issue 'Not Authorised' Message */

             IF         COND(&CMDUSR *NE 'QSECOFR') THEN(DO)
             SNDPGMMSG  MSGID(CPDAF69) MSGF(QCPFMSG) MSGTYPE(*DIAG)
             CHGVAR     VAR(&ERROR) VALUE('1')
             ENDDO

             IF         COND(&ERROR)  THEN( +
             SNDPGMMSG  MSGID(CPF0002) MSGF(QCPFMSG) MSGTYPE(*ESCAPE))

             RETURN
ENDPGM




+---
| This is the Midrange System Mailing List!
| To submit a new message, send your mail to MIDRANGE-L@midrange.com.
| To subscribe to this list send email to MIDRANGE-L-SUB@midrange.com.
| To unsubscribe from this list send email to MIDRANGE-L-UNSUB@midrange.com.
| Questions should be directed to the list owner/operator: david@midrange.com
+---

This mailing list archive is Copyright 1997-2019 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited.