× The internal search function is temporarily non-functional. The current search engine is no longer viable and we are researching alternatives.
As a stop gap measure, we are using Google's custom search engine service.
If you know of an easy to use, open source, search engine ... please contact support@midrange.com.


  1.  Home
  2. MIDRANGE-L
  3. August 2001

Re: security AGGRAVATION: renaming *devd

  • Subject: Re: security AGGRAVATION: renaming *devd
  • From: "Richard J. Serrano" <rjs@xxxxxxxxxxx>
  • Date: Wed, 8 Aug 2001 14:48:44 -0700
  • Organization: Team400 Inc.
 
The answer is as follows:

1. *CHANGE authority allows the user to read/write data to the device. It
does not allow management of the object. This authority will not allow the
device description to be renamed.
2. The group profile and the user do not have any specific authority to the
device, therefore, they cannot rename it.
3. The object owner, has *ALL authority, so can rename the device.

I recommend changing the operators group profile to the owner of the device
(in this case TB07). They will then be able to manage the device. If all
devices on the system are owned by TB07 this will solve the problem. If the
system operator also needs to be in group LTEIT, or, there are several
different owners of device descriptions then use the supplemental groups
option on the user profile to add operators to other groups.

I would make one comment. It is good idea to change the user profile OWNER
parameter to *GRPPRF. This ensures that all objects created (except those in
the IFS) by the user are owned by the group profile. This makes the
management of objects easier. It has the following advantages:

1. Easier to delete user profiles when an employee leaves the company when
they don't own objects
2. With new employees, putting them in a group immediately gives them the
necessary authority for their job. No special authorities need to be
assigned.
3. If a users changes job within the same organization, all that is required
is to change the group profile to change their authorities on the system.
4. Managing group authorities is easier because there are fewer group
profiles to change it an authority change is required.

Regards

Richard J. Serrano
Team400 Inc.

----- Original Message -----
From: "Bale, Dan" <D.Bale@handleman.com>
To: <MIDRANGE-L@midrange.com>
Sent: Tuesday, August 07, 2001 10:45 AM
Subject: security AGGRAVATION: renaming *devd


This is a continuing thorn in our side.  We've got system operators on
the other side of the pond (the Atlantic) that we have wanted to give
the necessary authority to work with device configurations as needed.
The user profile has the following attributes:
  User class . . . . . . . . . :   *SYSOPR
  Special authority  . . . . . :   *JOBCTL
                                   *SAVSYS
  Group profile  . . . . . . . :   LTEIT
  Owner  . . . . . . . . . . . :   *USRPRF
  Group authority  . . . . . . :   *NONE
  Group authority type . . . . :   *PRIVATE

The profile of group LTEIT shows:
  User class . . . . . . . . . :   *SYSOPR
  Special authority  . . . . . :   *IOSYSCFG
                                   *JOBCTL
                                   *SAVSYS
                                   *SPLCTL
  Group profile  . . . . . . . :   *NONE
  Owner  . . . . . . . . . . . :   *USRPRF

The system operator has tried to rename a device description that was
created via autoconfig.  He was able to vary it off, but 7=Rename was
rejected:
CPF2189: Not authorized to object DSP02 in QSYS type *DEVD.

The object authority for the device description was created as:
  TB07 (the owner) . . . . :   *ALL
  *PUBLIC  . . . . . . . . :   *CHANGE

When I changed *PUBLIC to have *ALL authority, the system operator was
then able to rename the device description.  However, this also opens up
the ability for any user to do this as well.  Which is a no-no.  I
mistakenly thought that *IOSYSCFG would be necessary to do anything
related to configuring devices.  I tested this using a test profile
created as follows:
  User class . . . . . . . . . :   *USER
  Special authority  . . . . . :   *NONE
  Group profile  . . . . . . . :   *NONE
  Owner  . . . . . . . . . . . :   *USRPRF

So, what's the magic combination needed to give our system operators the
ability to work with device configuration and keep end-users from doing
so?  Note that we do not give anyone *ALLOBJ authority.

And, is this question specifically answered in any IBM reference?  Seems
like we get occasional gotcha's caused by the combination of user
authority and object authority.

TIA.

Dan Bale
IT - AS/400
Handleman Company
248-362-4400  Ext. 4952
D.Bale@Handleman.com
  Quiquid latine dictum sit altum viditur.
  (Whatever is said in Latin seems profound.)


+---
| This is the Midrange System Mailing List!
| To submit a new message, send your mail to MIDRANGE-L@midrange.com.
| To subscribe to this list send email to MIDRANGE-L-SUB@midrange.com.
| To unsubscribe from this list send email to MIDRANGE-L-UNSUB@midrange.com.
| Questions should be directed to the list owner/operator: david@midrange.com
+---

As an Amazon Associate we earn from qualifying purchases.

This thread ...
Replies:
Follow On AppleNews
Return to Archive home page | Return to MIDRANGE.COM home page

This mailing list archive is Copyright 1997-2024 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page. If you have questions about this, please contact [javascript protected email address].

Operating expenses for this site are earned using the Amazon Associate program and Google Adsense.