|
Hi Patrick As others have mentioned - and much to my chagrin also - adopting authorities is not supported. I also found that the group profile ownership parameter does not appear supported which is a real b*tch. In my view IBM could significantly enhance the usefulness and security of the IFS by supporting these two features, maybe by adding some switches to the directory.... Another thing that bought me undone was the way authorities to new objects are assigned to the creator of the object. I found this nugget (presuming I have interpreted it correctly) after searching the IBM knowledge database for a couple of days; I only turned up one document relevent to IFS and authority. I don't have the reference so here's my summary of the contents: When creating a new file in the IFS, the creator of the file receives the same authorities to the file as the owner of the directory has to the directory (yes, read that again !). This behaviour is why not having the group ownership thing happening is such a pain. For processes that create lots of processes (remember you don't adopt, and group ownership doesn't work) a server type process with the right profile is almost mandatory to have any kind of security. I found out the hard way that the creator of a file does not automatically get all rights. Since I routinely delete rights of the owner of an objects in QSYS from the authority display (in my view they are redundant since owner gets all rights) I happened to do the same thing to an object in the IFS, after all the owner will be able to do anything he/she likes, right ? Wrong... You need to test this and see what happens, but one side effect is that the owner can't later delete the file. I realise I'm grouping the *RWX behaviours with the object behaviours but I don't have access to a machine right at this moment to provide more details. Basically, we came to the conclusion that the way to go was maintain authorisation lists and that part of the file creation had to be the assignment of an authorisation list and any authority duties required. This is not (in my view at least) all that different from what we do QSYS although it seems a little foreign. In our case we create files/libraries with particular owners and we compile programs with Hope this helps a little. regards Evan Harris >I am struggling to understand IFS file security. I've been using the CHGAUT >command to add and change user authorities. But it is not working quite like >I would think. For example, if a program is owned by QSECOFR and adopts user >authority, it may not have the authority needed to add or change an >authority on an IFS file. Weird. Does anyone know a good publication that >describes IFS file security? I understand *RWX UNIX authority concepts, just >need help with how to manage this stuff from an AS/400 application >perspective. Any thoughts would be appreciated. > >TIA, >Patrick
As an Amazon Associate we earn from qualifying purchases.
This mailing list archive is Copyright 1997-2024 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page. If you have questions about this, please contact [javascript protected email address].
Operating expenses for this site are earned using the Amazon Associate program and Google Adsense.