Authority - How the System Checks it...
When a user attempts to perform an operation on an object, the system
verifies that the user has adequate authority for the operation. The
system first checks authority to the library or directory path that
contains the object. If the authority to the library or directory path
is adequate, the system checks authority to the object itself. In the
case of database files, authority checking is done at the time the file
is opened, not when each individual operation to the file is performed.
During the authority-checking process, when any authority is found (even
if it is not adequate for the requested operation) authority checking
stops and access is granted or denied. The adopted authority function is
the exception to this rule. Adopted authority can override any specific
(and inadequate) authority found.
The system verifies a user's authority to an object in the following
order:
1. Object's authority - fast path
2. User's *ALLOBJ special authority
3. User's specific authority to the object
4. User's authority on the authorization list securing the object
5. Groups' *ALLOBJ special authority
6. Groups' authority to the object
7. Groups' authority on the authorization list securing the object
8. Public authority specified for the object or for the authorization
list securing the object
9. Program owner's authority, if adopted authority is used
Note: Authority from one or more of the user's groups may be accumulated
to find sufficient authority for the object being accessed.
Kenneth
Kenneth E. Graap
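To make the checking order quoted above concrete, here is a small Python model of the nine steps, written as an added illustration for this thread; it is not code from the original post, from IBM, or from any of the posters. The profiles, objects and authorization list it uses (BRYAN, CAROL, PAYROLL, ORDERS, HRGRP and so on) are constructed for the scenarios, and the fast path is simplified to "no private entries, no list, adequate public authority". The point it shows is the short-circuit: a user's *ALLOBJ is decided at step 2 before any *EXCLUDE is looked at, a private *EXCLUDE found at step 3 stops the search before group authority (even a group's *ALLOBJ) is reached, and only adopted authority (step 9) can override an inadequate authority already found.

```python
from dataclasses import dataclass, field

# Standard authority levels expanded into the specific rights they carry.
LEVELS = {
    "*EXCLUDE": frozenset(),
    "*USE": frozenset({"*OBJOPR", "*READ", "*EXECUTE"}),
    "*CHANGE": frozenset({"*OBJOPR", "*READ", "*ADD", "*UPD", "*DLT", "*EXECUTE"}),
    "*ALL": frozenset({"*OBJOPR", "*OBJMGT", "*OBJEXIST", "*OBJALTER", "*OBJREF",
                       "*READ", "*ADD", "*UPD", "*DLT", "*EXECUTE"}),
}

def rights(spec):
    """A level name or an explicit set of specific rights -> frozenset of rights."""
    return LEVELS[spec] if isinstance(spec, str) else frozenset(spec)

@dataclass
class AuthList:
    private: dict = field(default_factory=dict)  # profile name -> authority spec
    public: str = "*EXCLUDE"

@dataclass
class Obj:
    name: str
    private: dict = field(default_factory=dict)  # profile name -> authority spec
    public: str = "*EXCLUDE"                     # "*AUTL" defers to the list
    autl: AuthList = None

@dataclass
class User:
    name: str
    special: frozenset = frozenset()             # e.g. {"*ALLOBJ"}
    groups: tuple = ()                           # group profiles, as User objects

def check(user, obj, required, adopted_owner=None):
    """Return (granted, step) following the nine-step order quoted above."""
    def adequate(spec):
        return required <= rights(spec)

    def adopt(step):
        # Step 9 is the only thing that can override an inadequate authority
        # found at `step`; the owner is checked through the same order.
        if adopted_owner is not None and check(adopted_owner, obj, required)[0]:
            return True, 9
        return False, step

    # 1. Fast path (simplified here): no private entries, no list, public suffices.
    if not obj.private and obj.autl is None and obj.public != "*AUTL" \
            and adequate(obj.public):
        return True, 1
    # 2. User's *ALLOBJ wins outright; a private *EXCLUDE is never consulted.
    if "*ALLOBJ" in user.special:
        return True, 2
    # 3./4. User's own entry on the object, then on its list: the first one
    # found decides, and only adopted authority can rescue a denial.
    if user.name in obj.private:
        return (True, 3) if adequate(obj.private[user.name]) else adopt(3)
    if obj.autl is not None and user.name in obj.autl.private:
        return (True, 4) if adequate(obj.autl.private[user.name]) else adopt(4)
    # 5. Any group profile with *ALLOBJ.
    if any("*ALLOBJ" in g.special for g in user.groups):
        return True, 5
    # 6./7. Group entries are accumulated across groups before deciding.
    for step, table in ((6, obj.private), (7, obj.autl.private if obj.autl else {})):
        found = [table[g.name] for g in user.groups if g.name in table]
        if found:
            acc = frozenset().union(*(rights(s) for s in found))
            return (True, step) if required <= acc else adopt(step)
    # 8. Public authority of the object, or of the list when the object says *AUTL.
    pub = obj.autl.public if obj.public == "*AUTL" else obj.public
    return (True, 8) if adequate(pub) else adopt(8)

# Constructed profiles and objects for the scenarios below (not real systems).
HRGRP, AUDGRP = User("HRGRP"), User("AUDGRP")
OPSGRP = User("OPSGRP", special=frozenset({"*ALLOBJ"}))
PAYROLL = Obj("PAYROLL", private={"BRYAN": "*EXCLUDE", "CAROL": "*EXCLUDE",
                                  "ERIN": "*EXCLUDE", "PAYOWN": "*ALL",
                                  "HRGRP": "*USE", "AUDGRP": {"*ADD"}})
ORDERS = Obj("ORDERS", public="*AUTL",
             autl=AuthList(private={"FRANK": "*USE"}, public="*EXCLUDE"))
README = Obj("README", public="*USE")
READ, WRITE = LEVELS["*USE"], frozenset({"*OBJOPR", "*ADD"})

def scenarios():
    """Each entry: who tries what, and the (granted, step) the order yields."""
    return {
        # Bryan's case: *ALLOBJ short-circuits before his *EXCLUDE is ever seen.
        "allobj_beats_exclude": check(User("BRYAN", special=frozenset({"*ALLOBJ"})),
                                      PAYROLL, LEVELS["*CHANGE"]),
        # Neither group alone can add a record; accumulated at step 6 they can.
        "groups_accumulate": check(User("ALICE", groups=(HRGRP, AUDGRP)), PAYROLL, WRITE),
        "single_group_short": check(User("ALICE", groups=(HRGRP,)), PAYROLL, WRITE),
        # A private *EXCLUDE is "authority found": group *USE, and even a group
        # with *ALLOBJ, is never reached.
        "exclude_stops_search": check(User("CAROL", groups=(HRGRP,)), PAYROLL, READ),
        "exclude_beats_group_allobj": check(User("ERIN", groups=(OPSGRP,)), PAYROLL, READ),
        # The same user through a program that adopts PAYOWN's authority.
        "adopted_overrides": check(User("CAROL", groups=(HRGRP,)), PAYROLL, READ,
                                   adopted_owner=User("PAYOWN")),
        "via_authorization_list": check(User("FRANK"), ORDERS, READ),
        "public_fast_path": check(User("DAVE"), README, READ),
        "public_excluded": check(User("DAVE"), PAYROLL, READ),
    }

if __name__ == "__main__":
    for name, result in scenarios().items():
        print(f"{name:28s} granted={result[0]!s:5s} decided at step {result[1]}")
```

Run it and read the step numbers: the `exclude_beats_group_allobj` case is the one that surprises people, because the group's *ALLOBJ (step 5) sits after the user's own *EXCLUDE (step 3), so a private *EXCLUDE on a user profile is a stronger lock than many expect, while *ALLOBJ on the user profile itself (step 2) is not lockable by any object-level authority at all.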
-----Original Message-----
From: midrange-l-bounces@xxxxxxxxxxxx
[mailto:midrange-l-bounces@xxxxxxxxxxxx] On Behalf Of Michael Ryan
Sent: Friday, August 15, 2008 4:43 AM
To: Midrange Systems Technical Discussion
Subject: Re: Restricting Users with *ALLOBJ in the Advanced Job
Scheduler
Here's how I believe authority checking works. It's a short-circuit
mechanism - the first satisfied scenario causes authority checking to
stop:
1. User *ALLOBJ
2. User Private Authority
3. User on AUTL
4. Group *ALLOBJ
5. Group Private Authority
6. Group on AUTL
7. *PUBLIC
On Fri, Aug 15, 2008 at 7:30 AM, Jerry Adams <Jerry@xxxxxxxxxxxxxxx>
wrote:
I doubt it. I recall attending a security session at COMMON where it
was pointed out that the first thing security checks is *ALLOBJ. If the
answer is 'Yes,' nothing else is checked. *ALLOBJ is God-like; there
are no appeals.
Jerry C. Adams
IBM System i Programmer/Analyst
B&W Wholesale
office: 615-995-7024
email: jerry@xxxxxxxxxxxxxxx
-----Original Message-----
From: midrange-l-bounces@xxxxxxxxxxxx
[mailto:midrange-l-bounces@xxxxxxxxxxxx] On Behalf Of Burns, Bryan
Sent: Thursday, August 14, 2008 3:45 PM
To: MIDRANGE-L@xxxxxxxxxxxx
Subject: Restricting Users with *ALLOBJ in the Advanced Job Scheduler
Is there a way to restrict a user with *ALLOBJ user profile special
authority from adding a job to the advanced job scheduler? I changed
the function authority to *EXCLUDE for the user but the user can still
add a job.
Bryan Burns
iSeries Specialist
ECHO, Incorporated
Lake Zurich, Illinois
--
This is the Midrange Systems Technical Discussion (MIDRANGE-L) mailing
list To post a message email: MIDRANGE-L@xxxxxxxxxxxx To subscribe,
unsubscribe, or change list options,
visit: http://lists.midrange.com/mailman/listinfo/midrange-l
or email: MIDRANGE-L-request@xxxxxxxxxxxx Before posting, please take
a moment to review the archives at
http://archive.midrange.com/midrange-l.