Re: Service program authority adoption

["David Morris" <David.Morris@xxxxxxxxxxxxx>]

Simon & Ed,

We used to use adoption as only way to derive authority
on our system. This allowed us to secure files to applications
combined with users. We did use the end adopt option where
necessary (like anyplace that a command line could be
exposed). The decision to end adoption in triggers forced
us to use profile swapping.

In order to get functionality that is as secure and flexible as
adoption, I had to jump through quite a few hoops. Swapping
group profiles does have some advantages and can do
some things that adoption cannot, I just wish it were easier
to use.

Triggers may be treated like exit programs, but they are not
really that similar. I would be happier if you could specify
whether a trigger propagated adoption. I can certainly
understand why adoption is not propagated through a
server exit.

David Morris

>>> edfishel@us.ibm.com 01/25/02 06:34AM >>>

Simon,

>The system does support the ability to stop called programs from
adopting
>via a propogate authority attribute but Rochester haven't seen fit to
>expose that.  I keep asking for it but I guess I'm alone.

This function is there if you are willing to use the Suppress Adopted
User
Profile option on the Modify Invocation Authority Attributes
(MODINVAU),
Call External (CALLX), or Transfer Control (XCTL) MI instructions. See
http://www.as400.ibm.com/tstudio/tech_ref/mi/ for the latest
description of
these instructions.

>>There are some exceptions that can be significant, like triggers,
>>which end adoption.
>
>I didn't know that.  I can understand a trigger not inheriting
adopted
>authority from earlier in the stack but I doubt they stop the trigger
>itself from adopting authority via USRPRF(*OWNER).

It is true, OS/400 suppress adopted authority when calling almost all
exit
programs. As you guessed we do not prevent the called exit program
from
adopting is owners authority.

Ed Fishel,
edfishel@US.IBM.COM