So if you make sure that none of the programs are owned by anyone with
untoward access you should be good.
Rob Berendt
--
IBM Certified System Administrator - IBM i 6.1
Group Dekko
Dept 1600
Mail to: 2505 Dekko Drive
Garrett, IN 46738
Ship to: Dock 108
6928N 400E
Kendallville, IN 46755
http://www.dekko.com
From: a4g atl <a4ginatl2@xxxxxxxxx>
To: Midrange Systems Technical Discussion <midrange-l@xxxxxxxxxxxx>
Date: 01/25/2017 04:25 PM
Subject: Re: Questions on USING ADOPTED AUTHORITY
Sent by: "MIDRANGE-L" <midrange-l-bounces@xxxxxxxxxxxx>
Right now it is KBM_SECOFR with all rights.
The group profile I set up is KBM_USER with minimum user rights only.
Darryl
On Wed, Jan 25, 2017 at 3:55 PM, Rob Berendt <rob@xxxxxxxxx> wrote:
What *OWNER does the programs have? For example, if it was BPCS the
initial program would have SSA. Just make SSA *USE.
Can you run this?
CHGOBJOWN OBJ(MYLIB/*ALL) OBJTYPE(*PGM) NEWOWN(PUTZ)
And make sure that PUTZ is only *USE?
This doesn't have any of the restrictions that CHGPGM has.
See also DSPFD
Allow read operation . . . . . . . . . . . : Yes
Allow write operation . . . . . . . . . . . : Yes
Allow update operation . . . . . . . . . . : ALWUPD *YES
Allow delete operation . . . . . . . . . . : ALWDLT *YES
Not sure how you manipulate that. There are very few files with those
changed. Normally IBM is the only one who does that kind of stuff and
then it takes access to special APIs to update the file.
Rob Berendt
From: a4g atl <a4ginatl2@xxxxxxxxx>
To: Midrange Systems Technical Discussion <midrange-l@xxxxxxxxxxxx>
Date: 01/25/2017 03:31 PM
Subject: Re: Questions on USING ADOPTED AUTHORITY
Sent by: "MIDRANGE-L" <midrange-l-bounces@xxxxxxxxxxxx>
Rob
I agree programs will crash if they run ORD500.
My situation is we do not have time or funding to spend time locking
down the system. It is now an archive system only. The system like BPCS has
menu control and programs that use data for update, "should" not get added to
menus going forward. If they do, then it's a bad good way to stop the
users. Not my choice but the best solution for now.
Darryl.
On Wed, Jan 25, 2017 at 3:18 PM, Rob Berendt <rob@xxxxxxxxx> wrote:
I really think you're doing this the wrong way.
Let's say I call a program called ORD500.
And ORD500 places orders.
So I do not want these users placing orders but just reading orders.
So I go ahead and make sure that the program no longer adopts
authority and now the users only have READ capability to the data.
You do realize that ORD500 will blow to kingdom come and will not even
open the files because it will try to open the files for UPDATE?
Rob Berendt
From: a4g atl <a4ginatl2@xxxxxxxxx>
To: Midrange Systems Technical Discussion <midrange-l@xxxxxxxxxxxx>
Date: 01/25/2017 03:07 PM
Subject: Re: Questions on USING ADOPTED AUTHORITY
Sent by: "MIDRANGE-L" <midrange-l-bounces@xxxxxxxxxxxx>
I am attempting to make the system READ ONLY. Right now, the adopted
authority gives every user READ-WRITE access.
The menu programs use adopted authority and I do not have source and
observability has been removed. I need observability to change the use
adopted authority.
A solution may be to change adoption to all programs the menus call. Make
them have adopt owner authority = *YES and then change the group
profile to have READ rights only.
Darryl.
On Wed, Jan 25, 2017 at 1:38 PM, Rob Berendt <rob@xxxxxxxxx> wrote:
So are you trying to turn off using authority adopted from a program
further up the call stack by doing
CHGPGM PGM(RTMENU02) USEADPAUT(*NO)
Is this supposed to be your way of stopping people from running the programs
they shouldn't? For example, if HANK is not supposed to use the Item master
maintenance application, and you've already locked him out of doing
updates on the data, but the program continues to allow him to do so, then
I think I would come up with an alternative method than aborting program
adoption.
I'm not a big fan of totally trusting menu authority, but if you've locked
them out of updating the data directly then adopted authority, and a menu
system which only allows the users to run the right programs, I find to be
acceptable. For example Infor allows you to control who can run item
master maintenance via their menu options.
Rob Berendt
From: a4g atl <a4ginatl2@xxxxxxxxx>
To: Midrange Systems Technical Discussion <midrange-l@xxxxxxxxxxxx>
Date: 01/25/2017 01:27 PM
Subject: Re: Questions on USING ADOPTED AUTHORITY
Sent by: "MIDRANGE-L" <midrange-l-bounces@xxxxxxxxxxxx>
Rob
The few (less than 5) programs causing the problem look like this.
Program creation information:
Program creation date/time . . . . . . . . . . : 08/16/08 14:57:48
Type of program . . . . . . . . . . . . . . . : ILE
Program entry procedure module . . . . . . . . : RTMENU02
Library . . . . . . . . . . . . . . . . . . : QTEMP
Activation group attribute . . . . . . . . . . : *DFTACTGRP
Shared activation group . . . . . . . . . . . : *NO
User profile . . . . . . . . . . . . . . . . . : *USER
Use adopted authority . . . . . . . . . . . . : *YES
Coded character set identifier . . . . . . . . : 65535
Number of modules . . . . . . . . . . . . . . : 1
The joblog has no details. I looked for that. It's just the CPF message.
Program . . . . . . . . . . . . > RTMENU02 Name, generic*, *ALL
Library . . . . . . . . . . . *USRLIBL Name, *USRLIBL
Optimize program . . . . . . . . *NONE *SAME, *YES, *FULL, *BASIC..
User profile . . . . . . . . . . *USER *SAME, *USER, *OWNER
Use adopted authority . . . . . > *NO *SAME, *YES, *NO
Remove observable info . . . . . > *NONE *SAME, *ALL, *NONE...
+ for more values
Enable performance collection:
Collection level . . . . . . . *SAME *SAME, *NONE, *PEP, *FULL...
Procedures . . . . . . . . . . *ALLPRC, *NONLEAF
Profiling data . . . . . . . . . *NOCOL *SAME, *NOCOL, *COL, *CLR...
Teraspace . . . . . . . . . . . *YES *NO, *YES, *SAME
Force program re-creation . . . *NO *NO, *YES, *NOCRT
This is all the info in the joblog.
CHGPGM PGM(RTMENU02) USEADPAUT(*NO) RMVOBS(*NONE)
Program RTMENU02 in KBM400MFG not changed.
Thanks
Darryl
On Wed, Jan 25, 2017 at 12:42 PM, Rob Berendt <rob@xxxxxxxxx> wrote:
Two things.
One, if we take the time to type up a bunch of stuff (and it's not like
I'm getting paid to do so) it would be kind of you to read it all. So,
replying back with
The programs do not use *OWNER and only use *USER.
and not telling us what the value is for USEADPAUT might imply to us
that you still think the two are required in pair.
Two, CPF0541 implies there are more details in the joblog as to why that
particular program cannot have CHGPGM ran against it. However it also
states:
<snip>
The program must be re-created to change the user profile. To be
eligible for re-creation, OPM programs must have all observability
and ILE programs must have all creation data, and the creation data
must be observable. Use the Display Program (DSPPGM) command to
determine whether a program is observable or has all creation data.
</snip>
It also says the same thing about USEADPAUT.
Now, ignoring the OWNER parameter, what is the existing value of the
USEADPAUT attribute of these programs? Because if that is set to *YES
then you are in luck and who cares if you can't change OWNER. Just change
the owner of a program higher in the call stack.
Rob Berendt
--
This is the Midrange Systems Technical Discussion (MIDRANGE-L) mailing list
To post a message email: MIDRANGE-L@xxxxxxxxxxxx
To subscribe, unsubscribe, or change list options,
visit: http://lists.midrange.com/mailman/listinfo/midrange-l
or email: MIDRANGE-L-request@xxxxxxxxxxxx
Before posting, please take a moment to review the archives
at http://archive.midrange.com/midrange-l.
Please contact support@xxxxxxxxxxxx for any subscription related
questions.
Help support midrange.com by shopping at amazon.com with our affiliate
link: http://amzn.to/2dEadiD
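The adoption rules argued over in this thread, as a small model. This is an added example, not code from any poster: it is a simplified Python simulation, not IBM i code, and it ignores special authorities, group profiles, *PUBLIC and authorization lists. INLPGM (an adopting initial program) and the grants table are constructed for illustration; HANK, PUTZ, KBM_SECOFR, RTMENU02 and ORD500 are the names used in the messages above.

```python
# Simplified model of IBM i adopted authority (added example; ignores
# special authorities, group profiles, *PUBLIC and authorization lists).
from dataclasses import dataclass

USE = frozenset({"read"})
ALL = frozenset({"read", "add", "update", "delete"})

@dataclass(frozen=True)
class Program:
    name: str
    owner: str
    usrprf: str = "*USER"      # "*OWNER" means the program adopts its owner
    useadpaut: bool = True     # False models USEADPAUT(*NO)

def effective_rights(user, call_stack, grants):
    """Rights to the data while the last program in call_stack is running."""
    adopted = []
    for pgm in call_stack:              # oldest call first
        if not pgm.useadpaut:
            adopted = []                # ignore authority adopted higher up
        if pgm.usrprf == "*OWNER":
            adopted.append(pgm.owner)   # this level and below gain owner's rights
    rights = set(grants.get(user, ()))
    for profile in adopted:
        rights |= grants.get(profile, frozenset())
    return rights

def can_open(rights, mode):
    """An open for update needs update rights; an inquiry needs only read."""
    needed = {"read", "update"} if mode == "update" else {"read"}
    return needed <= rights

# Constructed scenario: INLPGM is a hypothetical adopting initial program.
GRANTS = {"HANK": USE, "KBM_SECOFR": ALL, "PUTZ": USE}

def stack(adopter_owner, menu_useadpaut=True):
    return [
        Program("INLPGM", adopter_owner, usrprf="*OWNER"),
        Program("RTMENU02", adopter_owner, useadpaut=menu_useadpaut),
        Program("ORD500", adopter_owner),
    ]

def scenarios():
    today = effective_rights("HANK", stack("KBM_SECOFR"), GRANTS)
    reowned = effective_rights("HANK", stack("PUTZ"), GRANTS)
    no_adopt = effective_rights("HANK", stack("KBM_SECOFR", False), GRANTS)
    return {
        "today_update": can_open(today, "update"),
        "owner_is_PUTZ_update": can_open(reowned, "update"),
        "owner_is_PUTZ_read": can_open(reowned, "read"),
        "useadpaut_no_update": can_open(no_adopt, "update"),
    }

if __name__ == "__main__":
    for name, ok in scenarios().items():
        print(f"{name}: {'opens' if ok else 'open fails'}")
```

Both routes to read-only end the same way in this model: a program that opens its files for update fails at open time, while an inquiry that only reads still works.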
This mailing list archive is Copyright 1997-2024 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page. If you have questions about this, please contact [javascript protected email address].