I recently removed *ALLOBJ from a group of people here. Seems they have this EDI process (of which they informed me I originally wrote it years ago). This EDI process takes a save file full of files and restores them to QTEMP. This allows the files to be empty, with the logicals pointed right, and in QTEMP.

If they try to submit a run 'on-the-fly' versus using the scheduled method (which runs a lot of stuff they don't want for this interrupted recovery), then they will get an error CPF3757. Seems that the files are owned by a particular user of which they do not have access to. According to the CPF3757 I either grant them add authority to that user profile, or I give them *SAVSYS special authority.

The concern I have with *SAVSYS is that I believe that they could save sensitive data and restore it to a system of which they have higher authority. (Physically possible without leaving their desk.)

I want to make sure that if I give them the authority they need to the user profile owning the objects that they do not adopt any of the special authority given to that user profile. We had a fiasco here in which these people were given that profile as a supplemental group and lo and behold they now had all special authority that the group profile had, including *ALLOBJ.

What, exactly, does CPF3757 mean by add authority? Pros and cons either way?

Please change subject if you respond to anything below this line.

I know that we violated a few things here, but we are trying to clean them up. Like group profiles should not run jobs. For example EDIONR may be a valid group profile. But the scheduled jobs should run under something else, like EDIJOB.

CHGUSRPRF USRPRF(EDIONR) PASSWORD(*none) USRCLS(*USER) INLMNU(*SIGNOFF) LMTCPB(*YES) SPCAUT(*NONE) GRPPRF(*NONE) OWNER(*USRPRF)

CHGUSRPRF USRPRF(EDIJOB) PASSWORD(*none) USRCLS(*USER) INLMNU(*SIGNOFF) LMTCPB(*YES) SPCAUT(minimal amount needed) GRPPRF(EDIONR) OWNER(*GRPPRF)

Rob Berendt
--
"They that can give up essential liberty to obtain a little temporary safety deserve neither liberty nor safety."
Benjamin Franklin

This mailing list archive is Copyright 1997-2024 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited.