× The internal search function is temporarily non-functional. The current search engine is no longer viable and we are researching alternatives.
As a stop gap measure, we are using Google's custom search engine service.
If you know of an easy to use, open source, search engine ... please contact support@midrange.com.


  1.  Home
  2. MIDRANGE-L
  3. August 2001

security AGGRAVATION: renaming *devd

  • Subject: security AGGRAVATION: renaming *devd
  • From: "Bale, Dan" <D.Bale@xxxxxxxxxxxxx>
  • Date: Tue, 7 Aug 2001 13:45:54 -0400
  • Thread-Index: AcEfaM4wTTxgO8o8SDmSPTJZF+vE5w==
  • Thread-Topic: security AGGRAVATION: renaming *devd
 
This is a continuing thorn in our side.  We've got system operators on
the other side of the pond (the Atlantic) that we have wanted to give
the necessary authority to work with device configurations as needed.
The user profile has the following attributes:
  User class . . . . . . . . . :   *SYSOPR
  Special authority  . . . . . :   *JOBCTL  
                                   *SAVSYS  
  Group profile  . . . . . . . :   LTEIT    
  Owner  . . . . . . . . . . . :   *USRPRF  
  Group authority  . . . . . . :   *NONE    
  Group authority type . . . . :   *PRIVATE 

The profile of group LTEIT shows:
  User class . . . . . . . . . :   *SYSOPR  
  Special authority  . . . . . :   *IOSYSCFG
                                   *JOBCTL  
                                   *SAVSYS  
                                   *SPLCTL  
  Group profile  . . . . . . . :   *NONE    
  Owner  . . . . . . . . . . . :   *USRPRF  

The system operator has tried to rename a device description that was
created via autoconfig.  He was able to vary it off, but 7=Rename was
rejected:
CPF2189: Not authorized to object DSP02 in QSYS type *DEVD.

The object authority for the device description was created as:
  TB07 (the owner) . . . . :   *ALL
  *PUBLIC  . . . . . . . . :   *CHANGE

When I changed *PUBLIC to have *ALL authority, the system operator was
then able to rename the device description.  However, this also opens up
the ability for any user to do this as well.  Which is a no-no.  I
mistakenly thought that *IOSYSCFG would be necessary to do anything
related to configuring devices.  I tested this using a test profile
created as follows:
  User class . . . . . . . . . :   *USER  
  Special authority  . . . . . :   *NONE  
  Group profile  . . . . . . . :   *NONE  
  Owner  . . . . . . . . . . . :   *USRPRF

So, what's the magic combination needed to give our system operators the
ability to work with device configuration and keep end-users from doing
so?  Note that we do not give anyone *ALLOBJ authority.

And, is this question specifically answered in any IBM reference?  Seems
like we get occasional gotcha's caused by the combination of user
authority and object authority.

TIA.

Dan Bale
IT - AS/400
Handleman Company
248-362-4400  Ext. 4952
D.Bale@Handleman.com
  Quiquid latine dictum sit altum viditur.
  (Whatever is said in Latin seems profound.)

+---
| This is the Midrange System Mailing List!
| To submit a new message, send your mail to MIDRANGE-L@midrange.com.
| To subscribe to this list send email to MIDRANGE-L-SUB@midrange.com.
| To unsubscribe from this list send email to MIDRANGE-L-UNSUB@midrange.com.
| Questions should be directed to the list owner/operator: david@midrange.com
+---

As an Amazon Associate we earn from qualifying purchases.

This thread ...
Follow-Ups:
Follow On AppleNews
Return to Archive home page | Return to MIDRANGE.COM home page

This mailing list archive is Copyright 1997-2024 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page. If you have questions about this, please contact [javascript protected email address].

Operating expenses for this site are earned using the Amazon Associate program and Google Adsense.