× The internal search function is temporarily non-functional. The current search engine is no longer viable and we are researching alternatives.
As a stop gap measure, we are using Google's custom search engine service.
If you know of an easy to use, open source, search engine ... please contact support@midrange.com.


  1.  Home
  2. MIDRANGE-L
  3. July 2001

Re: OUTQ Security

  • Subject: Re: OUTQ Security
  • From: afvaiv <afvaiv@xxxxxxxxxx>
  • Date: Fri, 27 Jul 2001 09:31:00 +0200
 
Hi, Kirk
I'm not sure this is what you want to do, but it might give you some
ideas

In one of our customers, users are also authorized to *SPLCTL, etc, but
they want to make sure some of the OUTQ's can only be managed by some
specific users...

The way they worked until now was:  everybody can use (thru a Menu
option, since they have Limited capabilities... ) the WRKOUTQ command.
Normally they call it without any parms in it, so WRKOUTQ *ALL is
executed. From there, users select a given OUTQ, select (Option 5? I
don't remember by heart) and it gives them that specific OUTQ's files
that belong to them for them to manage. That's how they were working
until now.

But even though a user may have some listings in a certain OUTQ, they
asked me to "prevent" users (except for some specific users...) to
access to some specific OUTQ's.

Obviously, what follows only prevents them from accessing WRKOUTQ   XXXX
, and would not prevent them if doing WRKSPLF ... but since they only
access their listings thru WRKOUTQ ... this was good enough. And they
did NOT want to change the way they're working ...

Source code follows these comments

I created a file VALOUTQ where they enter specific users allowed to
manage specific OUTQs

Then a small CL program "CHECKER". I changed IBM's WRKOUTQ command
(CHGCMD) to use this CHECKER program as "Command Validating Program"...
since the original has *NONE.
I know this is NOT recommended, but you could create your own "clone"
and have it "before" IBM's one in the Library List...

Anyway, when calling WRKOUTQ
- if it is a WRKOUTQ *ALL, then it does nothing, so everything works as
normal
- if it is a WRKOUTQ  OutQname ... the CL  CHECKER program will call the
RPG program, that checks if that OUTQ is one of the restricted ones, and
if so, then checks if the user is allowed to it. Depending on the
answer, the CL   CHECKER program returns (without doing nothing) to its
caller (the Command  WRKOUTQ OutQname) or rejects it, sending a DIAG
message followed an ESCAPE message which will be handled automatically
by the WRKOUTQ command, so the user gets a "standar" answer if his
display...

Of course, RPG code is very limited for the testing, but you could
elaborate more on it.

Hope this helps, Antonio
---------------------------------------------------------------------------------------------------------------------------

     A                                               UNIQUE
     A          R RVALOUTQ
     A              OUTQ             10
     A              LIB                  10
     A              USER              10
     A              AUT                  1
     A          K OUTQ
     A          K LIB
     A          K USER
---------------------------------------------------------------------------------------------------------------------------

    PGM         (&P1   &OUTQLIB   &P3)
    DCL        &P1                *CHAR  1
    DCL        &OUTQLIB   *CHAR 20
    DCL        &P3                *CHAR  1

    DCL        &ALL             *CHAR 20  VALUE('*ALL')
    DCL        &OUTQ         *CHAR 10
    DCL        &LIB              *CHAR 10
    DCL        &RC               *CHAR  1

    IF   (&OUTQLIB *NE &ALL)   THEN(DO)
             CALL CHECKER10 (&OUTQLIB &RC)

    IF (&RC *NE '1') THEN(DO)
            CHGVAR     &OUTQ   %SST(&OUTQLIB  1 10)
            CHGVAR     &LIB    %SST(&OUTQLIB 11 10)
            SNDPGMMSG  MSGID(CPD0006) MSGF(QCPFMSG) MSGTYPE(*DIAG)     +

                                 MSGDTA('0000 NOT AUTHORIZED to OutQ'
*BCAT     +
                                &OUTQ *BCAT 'in Library' *BCAT &LIB)
            SNDPGMMSG  MSGID(CPF0002) MSGF(QCPFMSG) MSGTYPE(*ESCAPE)
     ENDDO
  ENDDO
---------------------------------------------------------------------------------------------------------------------------

     FVALOUTQ IF  E           K        DISK
      ****************************************************
     IQL          DS
     I                                        1  10 OUTQ
     I                                       11  20 LIB
      *
     I           SDS
     I                                      254 263 USER
       * Sample "restricted Queues" for testing purposes
     I              'PRTPC105  QUSRSYS   'C         KP5A
     I              'PRTPC105  *LIBL           'C         KP5B
        ****************************************************
     C           KEY          KLIST
     C                             KFLD           OUTQ
     C                             KFLD           LIB
     C                             KFLD           USER
        *
     C           *ENTRY    PLIST
     C                              PARM           QL     20
     C                              PARM           AUT     1
        * Assume authorized...
     C                              MOVE '1'       AUT
        * Check if restricted OUTQ
     C           QL              IFEQ KP5A
     C           QL             OREQ KP5B
     C                              MOVE '  '       AUT
        * CHAIN will return specific ReturnCode ...
     C           KEY           CHAINRVALOUTQ             18
     C                              ENDIF
        *
     C                              SETON                     LR
     C                              RETRN
---------------------------------------------------------------------------------------------------------------------------



KirkG@PacInfoSys.com escribió:

>
> I have a client that somewhere in the past has given the majority of
> the users *SPLCTL authority so they can control there own
> outqs/writers etc. Now they have a new app that they want to secure
> the output to only 6 or so users. From what I can read *SPLCTL trumps
> most if not all security placed on the outq.
>
> The 1st step appears to remove *SPLCTL and to change *PUBLIC to
> *EXCLUDE but then what is the best way to allow users to control
> selected outqs?
>
> Grant each user specific authority to the outq, AuthorityList?  ??
>
> ---------------------------------
> Kirk Goins
> IBM Certified AS/400 Technical Solutions
> DataMirror High Availability Certified
> Pacific Information Systems - An IBM Premier Business Partner
> 503-674-2985             kirkg@pacinfosys.com
> "WE KNOW TECHNOLOGY"
> ---------------------------------

--
-------------------------
Antonio Fernandez-Vicenti
afvaiv@wanadoo.es


+---
| This is the Midrange System Mailing List!
| To submit a new message, send your mail to MIDRANGE-L@midrange.com.
| To subscribe to this list send email to MIDRANGE-L-SUB@midrange.com.
| To unsubscribe from this list send email to MIDRANGE-L-UNSUB@midrange.com.
| Questions should be directed to the list owner/operator: david@midrange.com
+---

As an Amazon Associate we earn from qualifying purchases.

This thread ...
Replies:
Follow On AppleNews
Return to Archive home page | Return to MIDRANGE.COM home page

This mailing list archive is Copyright 1997-2024 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page. If you have questions about this, please contact [javascript protected email address].

Operating expenses for this site are earned using the Amazon Associate program and Google Adsense.