RE: Not authorized to STRDBG on Production, so can't use VisualExplain -- MIDRANGE-L

-----Original Message-----
From: midrange-l-bounces@xxxxxxxxxxxx
[mailto:midrange-l-bounces@xxxxxxxxxxxx] On Behalf Of CRPence
Sent: Wednesday, October 10, 2007 9:19 AM
To: midrange-l@xxxxxxxxxxxx
Subject: Re: Not authorized to STRDBG on Production, so can't
use VisualExplain

Although lack of authority to STRDBG gave no T-AF
Authority Failure audit entry due to use of CHKOBJ instead of
an explicit attempt to use the object and that the authority
error CPF9802 was logged in the joblog, that did not prevent
my ability to use Visual Explain; it was a simple SELECT *
test. If however, my user did not have *JOBCTL special
authority, I could not perform the Visual Explain function,
and that logged a T-AF audit entry. This is because that
authority is required to perform a STRDBMON, which _is_
required for Visual Explain. I wonder if debug being active,
is required only for explaining CQE queries.? Or perhaps the
issue experienced is in regard only to the missing optimizer
messages, rather than a visual presentation.? My simple test
was surely going to the SQE.

I'm confused, you say you got the CPF9802 in the joblog but "that did not prevent my ability to use
Visual Explain".

So you were able to run Visual Explain?

My profile does have *JOBCTL. But when I get the CPF9802 - Not authorized to object STRDBG in QSYS.
Visual explain doesn't run.

I'm on v5r2, perhaps something has change in a later release?

FWiW the QSYS/STRDBG [hopefully it is properly coded as
such] is performed by an SQL CALL something.QCMDEXC; either
the defined QSYS2 external procedure referencing
QSYS/QCMDEXC, or directly to the *PGM QSYS/QCMDEXC. Knowing
that could enable intercepting the request; of course
replacing STRDBG with an effective Trojan Horse which is
publicly authorized, and that performs some logic to
determine if the request should be allowed, before either
adopting to perform STRDBG or failing with a /disallowed/ message.

How could I intercept the request if it is a qualified call?

Unless you are talking about replacing the QSYS version of the object? Not sure I could get the ok
for that! <grin>

BTW, if you were to find that *LIBL/STRDBG were being used
instead of either *SYSTEM/STRDBG or *NLVLIBL/STRDBG, then
rather than trying to take advantage of it [because that
effect should be expected to be changed/corrected], be sure
to report it as a defect.

I understand, but didn't IBM still use *LIBL at v5r2? I was thinking they started tighting this in
later releases.

Thanks!

Charles

This e-mail transmission contains information that is intended to be confidential and privileged. If you receive this e-mail and you are not a named addressee you are hereby notified that you are not authorized to read, print, retain, copy or disseminate this communication without the consent of the sender and that doing so is prohibited and may be unlawful. Please reply to the message immediately by informing the sender that the message was misdirected. After replying, please delete and otherwise erase it and any attachments from your computer system. Your assistance in correcting this error is appreciated.