Simon & Ed,

We used to use adoption as the only way to derive authority on our system. This allowed us to secure files to applications combined with users. We did use the end adopt option where necessary (like anyplace that a command line could be exposed). The decision to end adoption in triggers forced us to use profile swapping. In order to get functionality that is as secure and flexible as adoption, I had to jump through quite a few hoops. Swapping group profiles does have some advantages and can do some things that adoption cannot; I just wish it were easier to use.

Triggers may be treated like exit programs, but they are not really that similar. I would be happier if you could specify whether a trigger propagated adoption. I can certainly understand why adoption is not propagated through a server exit.

David Morris

>>> edfishel@us.ibm.com 01/25/02 06:34AM >>>

Simon,

>The system does support the ability to stop called programs from adopting
>via a propagate authority attribute but Rochester haven't seen fit to
>expose that. I keep asking for it but I guess I'm alone.

This function is there if you are willing to use the Suppress Adopted User Profile option on the Modify Invocation Authority Attributes (MODINVAU), Call External (CALLX), or Transfer Control (XCTL) MI instructions. See http://www.as400.ibm.com/tstudio/tech_ref/mi/ for the latest description of these instructions.

>>There are some exceptions that can be significant, like triggers,
>>which end adoption.
>
>I didn't know that. I can understand a trigger not inheriting adopted
>authority from earlier in the stack but I doubt they stop the trigger
>itself from adopting authority via USRPRF(*OWNER).

It is true, OS/400 suppresses adopted authority when calling almost all exit programs. As you guessed, we do not prevent the called exit program from adopting its owner's authority.

Ed Fishel, edfishel@US.IBM.COM
This mailing list archive is Copyright 1997-2024 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited.