|
But STRDBG requires *SERVICE, or *CHANGE authority to the program.--
Probably not a good idea to let users change programs, or to give them
access to *SERVICE.
Mark Murphy
Atlas Data Systems
mmurphy@xxxxxxxxxxxxxxx
-----Don Brown <DBrown@xxxxxxxxxx> wrote: -----
To: Midrange Systems Technical Discussion <midrange-l@xxxxxxxxxxxx>
From: Don Brown <DBrown@xxxxxxxxxx>
Date: 01/26/2017 05:56AM
Subject: RE: Questions on USING ADOPTED AUTHORITY
Another option would be to have an initial program start debug with
updprod(*no)
Then make sure all libraries that have database files are of type
*PROD
If a user tries to update a file the active debug will not allow the
update.
Don Brown
From: Denis Robitaille <denis_robitaille@xxxxxxxxxxxx>
To: Midrange Systems Technical Discussion <midrange-l@xxxxxxxxxxxx>
Date: 26/01/2017 04:06 PM
Subject: RE: Questions on USING ADOPTED AUTHORITY
Sent by: "MIDRANGE-L" <midrange-l-bounces@xxxxxxxxxxxx>
Hello,
If you really want to make everything read only, there is a way
without having to touch the programs.
Step one: Change the attribute of the profile that is the owner of the
programs to make sure that it does not have *ALLOBJ, does not have any
private authorities. Do that for every program.
Step two: Make sure that the owner of the data files is different than
the owner of the programs.
If you do that, then the public authority will be applied.
Denis Robitaille
Chef de service TI - Solution d'entreprise Infrastructure et
opérations
CASCADES CENTRE DES TECHNOLOGIES
412 Marie Victorin
Kingsey falls(Québec) Canada J0A 1B0
Tél : 819 363 6100 Poste :52130
Cell : 819 352 9362
-----Message d'origine-----
De : MIDRANGE-L [mailto:midrange-l-bounces@xxxxxxxxxxxx] De la part de
a4g atl Envoyé : 25 janvier 2017 15:07 À : Midrange Systems Technical
Discussion <midrange-l@xxxxxxxxxxxx> Objet : Re: Questions on USING
ADOPTED AUTHORITY
I am attempting to make the system READ ONLY. Right now, the adopted
authority gives every users READ-WRITE access.
The menu programs use adopted authority and I do not have source and
the observability has been removed. I need observability to change the
use adopted authority.
A solution may be to change adoption to all programs the menu's call.
Make them have adopt owner authority = *YES and then change the group
profile to have READ rights only.
Darryl.
On Wed, Jan 25, 2017 at 1:38 PM, Rob Berendt <rob@xxxxxxxxx> wrote:
So are you trying to turn off using authority adopted from a programlist
further up the call stack by doing CHGPGM PGM(RTMENU02)
USEADPAUT(*NO) Is this supposed to your way of stopping people from
running programs they shouldn't? For example, if HANK is not
supposed to use the Item master maintenance application, and you've
already locked him out of doing updates on the data, but the program
continues to allow him to do so, then I think I would come up with
an alternative method than aborting program adoption.
I'm not a big fan of totally trusting menu authority, but if you've
locked them out of updating the data directly then adopted
authority, and a menu system which only allows the users to run the
right programs, I find to be acceptable. For example Infor allows
you to control who can run item master maintenance via their menu options.
Rob Berendt
--
IBM Certified System Administrator - IBM i 6.1 Group Dekko Dept 1600
Mail to: 2505 Dekko Drive
Garrett, IN 46738
Ship to: Dock 108
6928N 400E
Kendallville, IN 46755
http://www.dekko.com
From: a4g atl <a4ginatl2@xxxxxxxxx>
To: Midrange Systems Technical Discussion <midrange-l@xxxxxxxxxxxx>
Date: 01/25/2017 01:27 PM
Subject: Re: Questions on USING ADOPTED AUTHORITY
Sent by: "MIDRANGE-L" <midrange-l-bounces@xxxxxxxxxxxx>
Rob
The few (less than 5) programs causing the problem look line this.
Program creation information:
Program creation date/time . . . . . . . . . . : 08/16/08 14:57:48
Type of program . . . . . . . . . . . . . . . : ILE
Program entry procedure module . . . . . . . . : RTMENU02
Library . . . . . . . . . . . . . . . . . . : QTEMP
Activation group attribute . . . . . . . . . . : *DFTACTGRP
Shared activation group . . . . . . . . . . . : *NO
User profile . . . . . . . . . . . . . . . . . : *USER
Use adopted authority . . . . . . . . . . . . : *YES
Coded character set identifier . . . . . . . . : 65535
Number of modules . . . . . . . . . . . . . . : 1
The joblog has no details. I looked for that. Its just the CPF message.
Program . . . . . . . . . . . . > RTMENU02 Name, generic*, *ALL
Library . . . . . . . . . . . *USRLIBL Name, *USRLIBL
Optimize program . . . . . . . . *NONE *SAME, *YES, *FULL,
*BASIC..
User profile . . . . . . . . . . *USER *SAME, *USER, *OWNER
Use adopted authority . . . . . > *NO *SAME, *YES, *NO
Remove observable info . . . . . > *NONE *SAME, *ALL, *NONE...
+ for more values
Enable performance collection:
Collection level . . . . . . . *SAME *SAME, *NONE, *PEP,
*FULL...
Procedures . . . . . . . . . . *ALLPRC, *NONLEAF
Profiling data . . . . . . . . . *NOCOL *SAME, *NOCOL, *COL,
*CLR...
Teraspace . . . . . . . . . . . *YES *NO, *YES, *SAME
Force program re-creation . . . *NO *NO, *YES, *NOCRT
This is all the info in the joblog.
[image: Inline image 1]
CHGPGM PGM(RTMENU02) USEADPAUT(*NO) RMVOBS(*NONE) Program RTMENU02
in KBM400MFG not changed.
Thanks
Darryl
On Wed, Jan 25, 2017 at 12:42 PM, Rob Berendt <rob@xxxxxxxxx> wrote:
Two things.change
One, if we take the time to type up a bunch of stuff (and it's not
like I'm getting paid to do so) it would be kind of you to read it
all. So, replying back with The programs do not use *OWNER and
only use *USER.
and not telling us what the value is for USEADPAUT is might imply
to us that you still think the two are required in pair.
Two, CPF0541 implies there are more details in the joblog as to
why that particular program cannot have CHGPGM ran against it.
However it also
states:
<snip>
The program must be re-created to change the user profile. To be
eligible for re-creation, OPM programs must have all observability
and ILE programs must have all creation data, and the creation
data must be observable. Use the Display Program (DSPPGM) command
to determine whether a program is observable or has all creation data.
</snip>
It also says the same thing about USEADPAUT.
Now, ignoring the OWNER parameter, what is the existing value of
the USEADPAUT attribute of these programs? Because if that is set
to *YES then you are in luck and who cares if you can't change OWNER.
Just
the owner of a program higher in the call stack.list
Rob Berendt
--
IBM Certified System Administrator - IBM i 6.1 Group Dekko Dept
1600 Mail to: 2505 Dekko Drive
Garrett, IN 46738
Ship to: Dock 108
6928N 400E
Kendallville, IN 46755
http://www.dekko.com
--
This is the Midrange Systems Technical Discussion (MIDRANGE-L)
mailing
To post a message email: MIDRANGE-L@xxxxxxxxxxxx To subscribe,--
unsubscribe, or change list options,
visit: http://lists.midrange.com/mailman/listinfo/midrange-l
or email: MIDRANGE-L-request@xxxxxxxxxxxx Before posting, please
take a moment to review the archives at
http://archive.midrange.com/midrange-l.
Please contact support@xxxxxxxxxxxx for any subscription related
questions.
Help support midrange.com by shopping at amazon.com with our
affiliate
link: http://amzn.to/2dEadiD
This is the Midrange Systems Technical Discussion (MIDRANGE-L)
mailing list To post a message email: MIDRANGE-L@xxxxxxxxxxxx To
subscribe, unsubscribe, or change list options,
visit: http://lists.midrange.com/mailman/listinfo/midrange-l
or email: MIDRANGE-L-request@xxxxxxxxxxxx Before posting, please
take a moment to review the archives at
http://archive.midrange.com/midrange-l.
Please contact support@xxxxxxxxxxxx for any subscription related
questions.
Help support midrange.com by shopping at amazon.com with our
affiliate
link: http://amzn.to/2dEadiD
--
This is the Midrange Systems Technical Discussion (MIDRANGE-L)
mailing
To post a message email: MIDRANGE-L@xxxxxxxxxxxx To subscribe,--
unsubscribe, or change list options,
visit: http://lists.midrange.com/mailman/listinfo/midrange-l
or email: MIDRANGE-L-request@xxxxxxxxxxxx Before posting, please
take a moment to review the archives at
http://archive.midrange.com/midrange-l.
Please contact support@xxxxxxxxxxxx for any subscription related
questions.
Help support midrange.com by shopping at amazon.com with our
affiliate
link: http://amzn.to/2dEadiD
This is the Midrange Systems Technical Discussion (MIDRANGE-L) mailing
list To post a message email: MIDRANGE-L@xxxxxxxxxxxx To subscribe,
unsubscribe, or change list options,
visit: http://lists.midrange.com/mailman/listinfo/midrange-l
or email: MIDRANGE-L-request@xxxxxxxxxxxx Before posting, please take
a moment to review the archives at
http://archive.midrange.com/midrange-l.
Please contact support@xxxxxxxxxxxx for any subscription related
questions.
Help support midrange.com by shopping at amazon.com with our affiliate
link: http://amzn.to/2dEadiD
--
This is the Midrange Systems Technical Discussion (MIDRANGE-L) mailing
list To post a message email: MIDRANGE-L@xxxxxxxxxxxx To subscribe,
unsubscribe, or change list options,
visit: http://lists.midrange.com/mailman/listinfo/midrange-l
or email: MIDRANGE-L-request@xxxxxxxxxxxx Before posting, please take
a moment to review the archives at
http://archive.midrange.com/midrange-l.
Please contact support@xxxxxxxxxxxx for any subscription related
questions.
Help support midrange.com by shopping at amazon.com with our affiliate
link: http://amzn.to/2dEadiD
--
This is the Midrange Systems Technical Discussion (MIDRANGE-L) mailing
list To post a message email: MIDRANGE-L@xxxxxxxxxxxx To subscribe,
unsubscribe, or change list options,
visit: http://lists.midrange.com/mailman/listinfo/midrange-l
or email: MIDRANGE-L-request@xxxxxxxxxxxx Before posting, please take
a moment to review the archives at
http://archive.midrange.com/midrange-l.
Please contact support@xxxxxxxxxxxx for any subscription related
questions.
Help support midrange.com by shopping at amazon.com with our affiliate
link: http://amzn.to/2dEadiD
--
This is the Midrange Systems Technical Discussion (MIDRANGE-L) mailing
list To post a message email: MIDRANGE-L@xxxxxxxxxxxx To subscribe,
unsubscribe, or change list options,
visit: http://lists.midrange.com/mailman/listinfo/midrange-l
or email: MIDRANGE-L-request@xxxxxxxxxxxx Before posting, please take
a moment to review the archives at
http://archive.midrange.com/midrange-l.
Please contact support@xxxxxxxxxxxx for any subscription related
questions.
Help support midrange.com by shopping at amazon.com with our affiliate
link: http://amzn.to/2dEadiD
As an Amazon Associate we earn from qualifying purchases.
This mailing list archive is Copyright 1997-2024 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page. If you have questions about this, please contact [javascript protected email address].
Operating expenses for this site are earned using the Amazon Associate program and Google Adsense.