


albartell wrote:
I am trying to lock down a library so only one profile can access it.  I did
a WRKOBJ MYLIB and then option 2 to edit the authority and I changed it to
PUBLIC *EXCLUDE and gave my profile *ALL.  I then signed in with another
profile that _should_ have been locked out of MYLIB but I was able to see
the objects data.

Al:

First thing we need to know is how do you "see the objects data"?

Do you simply run RUNQRY from a command line? Do you take an application menu option? Do you call a program?

Far too many possibilities here.

Could be that the other profile has *ALLOBJ. Could be the other profile has inherited *ALLOBJ from one of its group profiles. Could be a routing program has changed job characteristics such as current user. Could be a called program has changed job current user. Could be an initial program owned by a *ALLOBJ user that has the USRPRF(*OWNER) attribute and runs GO MAIN so it appears that the initial program has ended. I can think of others.

These are pretty much the point of adopted and inherited authorities (so they're not exactly "wrong"). You take authority away from the user in order to help ensure that access is through an interface that you control. You supply the necessary authority within the interface.

As Joe mentioned, it can be tricky to keep authority away from the owning profile. Generally, the owner has the authority to grant/revoke authority to others (otherwise, why be the owner?). I.e., an owner can generally grant authority to him/herself. I haven't reviewed that for a long time; I usually just keep owner profiles separate, without passwords.

Tom Liotta
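
The possibilities listed in the reply above, as an added example that is not part of the original post: a simplified Python model (not IBM i code, and not the full system authority-checking algorithm) that reports every route by which a profile can still reach a library set to *PUBLIC *EXCLUDE. All profile and program names (MYPRF, PLAIN, INGROUP, GRPADMIN, APPOWNER, INITPGM) are constructed for illustration.

```python
from dataclasses import dataclass, field

@dataclass
class Profile:
    special: set = field(default_factory=set)    # special authorities, e.g. {"*ALLOBJ"}
    groups: list = field(default_factory=list)   # group profile names

@dataclass
class Program:
    name: str
    owner: str
    usrprf: str = "*USER"    # "*OWNER" = program adopts its owner's authority

# Constructed sample data (profile and program names are hypothetical).
PROFILES = {
    "MYPRF": Profile(),
    "PLAIN": Profile(),
    "INGROUP": Profile(groups=["GRPADMIN"]),
    "GRPADMIN": Profile(special={"*ALLOBJ"}),
    "APPOWNER": Profile(special={"*ALLOBJ"}),
}
MYLIB_AUTH = {"*PUBLIC": "*EXCLUDE", "MYPRF": "*ALL"}

def access_paths(user, auth, profiles, call_stack=()):
    """List every route by which `user` can reach the library (simplified model)."""
    def grants(name, label):
        found = []
        if "*ALLOBJ" in profiles[name].special:
            found.append(f"{label} {name} has *ALLOBJ")
        if auth.get(name, "*EXCLUDE") != "*EXCLUDE":
            found.append(f"{label} {name} has private authority {auth[name]}")
        return found

    named = [user] + profiles[user].groups
    paths = grants(user, "user")
    for group in profiles[user].groups:
        paths += grants(group, "group")
    # *PUBLIC is consulted only when neither the user nor a group has an entry.
    if not any(n in auth for n in named) and auth.get("*PUBLIC", "*EXCLUDE") != "*EXCLUDE":
        paths.append(f"*PUBLIC has {auth['*PUBLIC']}")
    # Adopted authority: each USRPRF(*OWNER) program in the stack adds its owner's authority.
    for pgm in call_stack:
        if pgm.usrprf == "*OWNER":
            paths += [f"adopted via {pgm.name}: {g}" for g in grants(pgm.owner, "owner")]
    return paths

if __name__ == "__main__":
    stack = [Program("INITPGM", "APPOWNER", "*OWNER")]
    for who, cs in [("PLAIN", ()), ("INGROUP", ()), ("PLAIN", stack)]:
        print(who, access_paths(who, MYLIB_AUTH, PROFILES, cs) or "locked out")
```

An empty result means the profile really is locked out; any non-empty result names the profile or program whose authority has to be reviewed.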




This mailing list archive is Copyright 1997-2024 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page. If you have questions about this, please contact [javascript protected email address].
