× The internal search function is temporarily non-functional. The current search engine is no longer viable and we are researching alternatives.
As a stop gap measure, we are using Google's custom search engine service.
If you know of an easy to use, open source, search engine ... please contact support@midrange.com.



On 2/7/11 12:26 PM, Charles Wilt wrote:
<<SNIP>>

Why would you need to be able to move or rename an object just to
see the current authority set for it? Shouldn't *USE be enough?

I'd love to hear what Chuck or one of the other (former) IBM'ers
has to say...


The "native" authority requirements and requirements specific to the APIs and interfaces to the full Integrated File System need not be the same since the former addresses a pre-IFS native file system with its own rules, and the latter must satisfy a converged set of authorization concepts. Quoting [two snippets from] a non-IBM source:

http://www.sans.org/reading_room/whitepapers/mainframes/introduction-implementing-object-level-security-ibm-os-400-comparisons-windows-and_1642

<quote>
Object and data authority
-------------------------
Authority in the IFS is managed using the Change Authority
(CHGAUT) and Work with Authority (WRKAUT) commands, and via
iSeries Navigator File systems. A unique aspect of these
file systems is that authority checking must satisfy all
three conditions, OS/400, PC, and Unix. This requires
Unix-like permissions with an object twist to them.
Because of this mix of Unix-like and OS/400-type
authorities/permissions, managing authority in these file
systems can be bewildering to OS/400-oriented users and to
Unix-oriented users alike.

<<SNIP>>

Individual object authorities
*OBJEXIST–delete, save, or restore a file
*OBJMGT–rename, move, or look at authorities (but not set
–this is different from QSYS.LIB)
</quote>

The non-native file system is one thing about the OS that I mostly ignored except to implement the capabilities as required by\of the database, and to occasionally utilize; even if mostly just as a share. The inability to use adopted authority mostly assured I would never make use of what the IFS provided. A SWAG... is that POSIX standards are the fault for the difference in requirements. IIRC the object [operational] authority *OBJOPR enables viewing\accessing the data rights [data authority] to the object natively, which is the first requirement of *USE since that object right must exist to even know\test of any data rights. The object [management] authority *OBJMGT as a requirement for displaying authority via an IFS [non-native naming] API is presumably an attempt to mimic similar limitations that would be imposed on a *nix system.?

Regards, Chuck

As an Amazon Associate we earn from qualifying purchases.

This thread ...

Follow-Ups:
Replies:

Follow On AppleNews
Return to Archive home page | Return to MIDRANGE.COM home page

This mailing list archive is Copyright 1997-2024 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page. If you have questions about this, please contact [javascript protected email address].

Operating expenses for this site are earned using the Amazon Associate program and Google Adsense.