


Just throwing out ideas as I've never actually done this, but could you create triggers on all the files that reject the updates? It could really be the same trigger program for all files.




Kevin Bucknum
Senior Programmer Analyst
MEDDATA/MEDTRON
Tel: 985-893-2550
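
Added example, not part of the original post or of any code from the thread: one way the trigger idea above could look in CL, with a single program registered as a *BEFORE trigger for insert, update and delete. The names RJTUPD, ADDRJTTRG and SECTOOLS are hypothetical.

```cl
/* ---- Source member RJTUPD: one trigger program shared by all files ---- */
/* Added example; RJTUPD and SECTOOLS are hypothetical names.              */
PGM        PARM(&TRGBUF &TRGBUFLEN)
  DCL      VAR(&TRGBUF)    TYPE(*CHAR) LEN(96) /* fixed buffer header only */
  DCL      VAR(&TRGBUFLEN) TYPE(*INT)  LEN(4)  /* passed in, not used      */
  DCL      VAR(&FILE)      TYPE(*CHAR) LEN(10)
  DCL      VAR(&LIB)       TYPE(*CHAR) LEN(10)
  DCL      VAR(&EVENT)     TYPE(*CHAR) LEN(1)
  DCL      VAR(&OPER)      TYPE(*CHAR) LEN(6)  VALUE('Write')

  /* The trigger buffer starts with file, library, member, then event.    */
  CHGVAR   VAR(&FILE)  VALUE(%SST(&TRGBUF 1 10))
  CHGVAR   VAR(&LIB)   VALUE(%SST(&TRGBUF 11 10))
  CHGVAR   VAR(&EVENT) VALUE(%SST(&TRGBUF 31 1))
  IF       COND(&EVENT *EQ '1') THEN(CHGVAR VAR(&OPER) VALUE('Insert'))
  IF       COND(&EVENT *EQ '2') THEN(CHGVAR VAR(&OPER) VALUE('Delete'))
  IF       COND(&EVENT *EQ '3') THEN(CHGVAR VAR(&OPER) VALUE('Update'))

  /* An escape message from a *BEFORE trigger makes the operation fail.   */
  SNDPGMMSG  MSGID(CPF9898) MSGF(QCPFMSG) +
             MSGDTA(&OPER *BCAT 'rejected:' *BCAT &LIB *TCAT '/' +
                    *CAT &FILE *BCAT 'is read-only') +
             MSGTYPE(*ESCAPE)
ENDPGM

/* ---- Source member ADDRJTTRG: register RJTUPD on one physical file ---- */
/* Call once per file; no *READ trigger is added.                          */
PGM        PARM(&LIB &FILE)
  DCL      VAR(&LIB)  TYPE(*CHAR) LEN(10)
  DCL      VAR(&FILE) TYPE(*CHAR) LEN(10)

  ADDPFTRG FILE(&LIB/&FILE) TRGTIME(*BEFORE) TRGEVENT(*INSERT) +
             PGM(SECTOOLS/RJTUPD)
  ADDPFTRG FILE(&LIB/&FILE) TRGTIME(*BEFORE) TRGEVENT(*UPDATE) +
             PGM(SECTOOLS/RJTUPD)
  ADDPFTRG FILE(&LIB/&FILE) TRGTIME(*BEFORE) TRGEVENT(*DELETE) +
             PGM(SECTOOLS/RJTUPD)
ENDPGM
```

Because only insert, update and delete events are registered, a program that opens the file for update can still read records; only the write request itself fails with the escape message.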

-----Original Message-----
From: MIDRANGE-L [mailto:midrange-l-bounces@xxxxxxxxxxxx] On Behalf Of a4g atl
Sent: Friday, January 27, 2017 11:07 AM
To: Midrange Systems Technical Discussion
Subject: Re: Questions on USING ADOPTED AUTHORITY

I like the idea of using the exit points.

I have done some reading and googling but maybe missing something with this particular exit.

This exit either allows access or it does not.

I really need an exit that would just prevent the updates from occurring.

The problem is that the code is poorly written and many of the inquiry programs open the files in update mode or the only way to review data is to look at the maintenance program.

Is there another exit that would allow me to prevent the write, update or delete, but allow the reads to occur?

Thank you.

On Thu, Jan 26, 2017 at 12:07 PM, Mark Murphy/STAR BASE Consulting Inc. <mmurphy@xxxxxxxxxxxxxxx> wrote:

But STRDBG requires *SERVICE, or *CHANGE authority to the program.
Probably not a good idea to let users change programs, or to give them
access to *SERVICE.

Mark Murphy
Atlas Data Systems
mmurphy@xxxxxxxxxxxxxxx


-----Don Brown <DBrown@xxxxxxxxxx> wrote: -----
To: Midrange Systems Technical Discussion <midrange-l@xxxxxxxxxxxx>
From: Don Brown <DBrown@xxxxxxxxxx>
Date: 01/26/2017 05:56AM
Subject: RE: Questions on USING ADOPTED AUTHORITY


Another option would be to have an initial program start debug with
updprod(*no)

Then make sure all libraries that have database files are of type
*PROD

If a user tries to update a file the active debug will not allow the
update.


Don Brown




From: Denis Robitaille <denis_robitaille@xxxxxxxxxxxx>
To: Midrange Systems Technical Discussion <midrange-l@xxxxxxxxxxxx>
Date: 26/01/2017 04:06 PM
Subject: RE: Questions on USING ADOPTED AUTHORITY
Sent by: "MIDRANGE-L" <midrange-l-bounces@xxxxxxxxxxxx>



Hello,

If you really want to make everything read only, there is a way
without having to touch the programs.

Step one: Change the attribute of the profile that is the owner of the
programs to make sure that it does not have *ALLOBJ, does not have any
private authorities. Do that for every program.
Step two: Make sure that the owner of the data files is different than
the owner of the programs.

If you do that, then the public authority will be applied.


Denis Robitaille
IT Service Manager - Enterprise Solutions, Infrastructure and
Operations

CASCADES CENTRE DES TECHNOLOGIES
412 Marie Victorin
Kingsey Falls (Québec) Canada J0A 1B0
Tel: 819 363 6100 Ext.: 52130
Cell: 819 352 9362



-----Original Message-----
From: MIDRANGE-L [mailto:midrange-l-bounces@xxxxxxxxxxxx] On Behalf Of a4g atl
Sent: January 25, 2017 15:07
To: Midrange Systems Technical Discussion <midrange-l@xxxxxxxxxxxx>
Subject: Re: Questions on USING ADOPTED AUTHORITY

I am attempting to make the system READ ONLY. Right now, the adopted
authority gives every user READ-WRITE access.

The menu programs use adopted authority and I do not have source and
the observability has been removed. I need observability to change the
use adopted authority.

A solution may be to change adoption to all programs the menus call.
Make them have adopt owner authority = *YES and then change the group
profile to have READ rights only.

Darryl.

On Wed, Jan 25, 2017 at 1:38 PM, Rob Berendt <rob@xxxxxxxxx> wrote:

So are you trying to turn off using authority adopted from a program
further up the call stack by doing CHGPGM PGM(RTMENU02)
USEADPAUT(*NO)? Is this supposed to be your way of stopping people from
running programs they shouldn't? For example, if HANK is not
supposed to use the Item master maintenance application, and you've
already locked him out of doing updates on the data, but the program
continues to allow him to do so, then I think I would come up with
an alternative method than aborting program adoption.

I'm not a big fan of totally trusting menu authority, but if you've
locked them out of updating the data directly then adopted
authority, and a menu system which only allows the users to run the
right programs, I find to be acceptable. For example Infor allows
you to control who can run item master maintenance via their menu options.



Rob Berendt
--
IBM Certified System Administrator - IBM i 6.1 Group Dekko Dept 1600
Mail to: 2505 Dekko Drive
Garrett, IN 46738
Ship to: Dock 108
6928N 400E
Kendallville, IN 46755
http://www.dekko.com





From: a4g atl <a4ginatl2@xxxxxxxxx>
To: Midrange Systems Technical Discussion <midrange-l@xxxxxxxxxxxx>
Date: 01/25/2017 01:27 PM
Subject: Re: Questions on USING ADOPTED AUTHORITY
Sent by: "MIDRANGE-L" <midrange-l-bounces@xxxxxxxxxxxx>



Rob

The few (less than 5) programs causing the problem look like this.


Program creation information:
Program creation date/time . . . . . . . . . . : 08/16/08 14:57:48
Type of program . . . . . . . . . . . . . . . : ILE
Program entry procedure module . . . . . . . . : RTMENU02
Library . . . . . . . . . . . . . . . . . . : QTEMP
Activation group attribute . . . . . . . . . . : *DFTACTGRP
Shared activation group . . . . . . . . . . . : *NO
User profile . . . . . . . . . . . . . . . . . : *USER
Use adopted authority . . . . . . . . . . . . : *YES
Coded character set identifier . . . . . . . . : 65535
Number of modules . . . . . . . . . . . . . . : 1

The joblog has no details. I looked for that. It's just the CPF message.



Program . . . . . . . . . . . . > RTMENU02 Name, generic*, *ALL
  Library . . . . . . . . . . . *USRLIBL Name, *USRLIBL
Optimize program . . . . . . . . *NONE *SAME, *YES, *FULL, *BASIC..
User profile . . . . . . . . . . *USER *SAME, *USER, *OWNER
Use adopted authority . . . . . > *NO *SAME, *YES, *NO
Remove observable info . . . . . > *NONE *SAME, *ALL, *NONE...
               + for more values
Enable performance collection:
  Collection level . . . . . . . *SAME *SAME, *NONE, *PEP, *FULL...
  Procedures . . . . . . . . . . *ALLPRC, *NONLEAF
Profiling data . . . . . . . . . *NOCOL *SAME, *NOCOL, *COL, *CLR...
Teraspace . . . . . . . . . . . *YES *NO, *YES, *SAME
Force program re-creation . . . *NO *NO, *YES, *NOCRT




This is all the info in the joblog.

[image: Inline image 1]

CHGPGM PGM(RTMENU02) USEADPAUT(*NO) RMVOBS(*NONE)
Program RTMENU02 in KBM400MFG not changed.

Thanks

Darryl



On Wed, Jan 25, 2017 at 12:42 PM, Rob Berendt <rob@xxxxxxxxx> wrote:

Two things.

One, if we take the time to type up a bunch of stuff (and it's not
like I'm getting paid to do so) it would be kind of you to read it
all. So, replying back with "The programs do not use *OWNER and
only use *USER." and not telling us what the value for USEADPAUT is
might imply to us that you still think the two are required as a pair.

Two, CPF0541 implies there are more details in the joblog as to
why that particular program cannot have CHGPGM run against it.
However it also states:
<snip>
The program must be re-created to change the user profile. To be
eligible for re-creation, OPM programs must have all observability
and ILE programs must have all creation data, and the creation
data must be observable. Use the Display Program (DSPPGM) command
to determine whether a program is observable or has all creation data.
</snip>
It also says the same thing about USEADPAUT.

Now, ignoring the OWNER parameter, what is the existing value of
the USEADPAUT attribute of these programs? Because if that is set
to *YES then you are in luck and who cares if you can't change OWNER.
Just change the owner of a program higher in the call stack.


Rob Berendt
--
IBM Certified System Administrator - IBM i 6.1 Group Dekko Dept
1600 Mail to: 2505 Dekko Drive
Garrett, IN 46738
Ship to: Dock 108
6928N 400E
Kendallville, IN 46755
http://www.dekko.com

--
This is the Midrange Systems Technical Discussion (MIDRANGE-L)
mailing
list
To post a message email: MIDRANGE-L@xxxxxxxxxxxx To subscribe,
unsubscribe, or change list options,
visit: http://lists.midrange.com/mailman/listinfo/midrange-l
or email: MIDRANGE-L-request@xxxxxxxxxxxx Before posting, please
take a moment to review the archives at
http://archive.midrange.com/midrange-l.

Please contact support@xxxxxxxxxxxx for any subscription related
questions.

Help support midrange.com by shopping at amazon.com with our
affiliate
link: http://amzn.to/2dEadiD


This mailing list archive is Copyright 1997-2024 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page. If you have questions about this, please contact [javascript protected email address].
