RE: How to retrieve all user profiles in an IFS object's authority -- MIDRANGE-L

I like that idea. We don't do much with data queues here, but we already
use the SPAWN api a few places. I wonder if that is enough of a sandbox.
Spawn a new process that changes the user. I will have to test that.

Kevin Bucknum
Senior Programmer Analyst
MEDDATA/MEDTRON
Tel: 985-893-2550

-----Original Message-----

From: MIDRANGE-L [mailto:midrange-l-bounces@xxxxxxxxxxxx] On Behalf
Of Rob Berendt
Sent: Tuesday, September 11, 2018 8:38 AM
To: Midrange Systems Technical Discussion
Subject: RE: How to retrieve all user profiles in an IFS object's

authority

Kevin,

Good concern. I don't think the OP was getting that we recommended
profile switching and fixing the authority automatically.

Kevin, one way to get around your concern is to start up a new job

under the

proper user. When it's done it could communicate back to the other

program

that it's done. This avoid profile switching as it would use a

separate job.

One way the communication could be done is via a data queue.

Rob Berendt
--
IBM Certified System Administrator - IBM i 6.1 Group Dekko Dept 1600

Mail

to: 2505 Dekko Drive
Garrett, IN 46738
Ship to: Dock 108
6928N 400E
Kendallville, IN 46755
http://www.dekko.com

From: "Kevin Bucknum" <Kevin@xxxxxxxxxxxxxxxxxxx>
To: "Midrange Systems Technical Discussion"

<midrange-l@xxxxxxxxxxxx>

Date: 09/11/2018 08:29 AM
Subject: RE: How to retrieve all user profiles in an IFS

object's

authority
Sent by: "MIDRANGE-L" <midrange-l-bounces@xxxxxxxxxxxx>

The program that I copied that source out of runs as *OWNER. That
doesn't help with authorities on the IFS, but at another point in the
program it uses the QSYGETPH and QWTSETP api's to swap the running job
to a profile with the proper authorities. It then swaps back to the
users profile. When you do that, you need to be very careful that you
trap all errors and deal with them. If something blows up while

switched

and the user gets a command line, then they have the authority of the
profile with elevated privileges.

Kevin Bucknum
Senior Programmer Analyst
MEDDATA/MEDTRON
Tel: 985-893-2550

-----Original Message-----

From: MIDRANGE-L [mailto:midrange-l-bounces@xxxxxxxxxxxx] On

Behalf

Of Dan
Sent: Monday, September 10, 2018 7:54 PM
To: Midrange Systems Technical Discussion
Subject: Re: How to retrieve all user profiles in an IFS object's

authority

Thanks Scott. Apparently, this happens often enough that the

support

people are tired of tracking this down and fixing it. Also, when

the

users are

halted from continuing, it quickly becomes a human metrics issue.

If the application runs into the issue where a user doesn't have

sufficient

authority to remove others' authorities or to add *PUBLIC

DTAAUT(*RWX)

OBJAUT(*ALL), the application could capture that and send an email

support. I'm not sure how the users are set up authority-wise on

production.

- Dan

On Mon, Sep 10, 2018 at 3:43 PM, Scott Klement <midrange-
l@xxxxxxxxxxxxxxxx>
wrote:

Dan,

Personally, I would catch the error, and then pop up a message

telling

the user to contact the administrator (or whomever is appropriate)

for

assistance. Someone familiar with authorities should be able to

very

easily look at the files and fix the authority problems.

If you really need to get a listing of all user authorities (which
seems like a much more complicated solution) you could do so with

the

Qp0lGetAttr() API. You could loop through the responses and

remove

those authorities... but, to my mind, this seems like overkill.

And, of course, the user would need sufficient authority to remove

the

other users' authority (remember, adopted authority won't work

here)

which makes this even more complicated.

-SK

--
This is the Midrange Systems Technical Discussion (MIDRANGE-L)

mailing

list

To post a message email: MIDRANGE-L@xxxxxxxxxxxx To subscribe,
unsubscribe, or change list options,
visit: https://lists.midrange.com/mailman/listinfo/midrange-l
or email: MIDRANGE-L-request@xxxxxxxxxxxx Before posting, please

take

a moment to review the archives at
https://archive.midrange.com/midrange-l.

Please contact support@xxxxxxxxxxxx for any subscription related
questions.

Help support midrange.com by shopping at amazon.com with our

affiliate

link: http://amzn.to/2dEadiD

--
This is the Midrange Systems Technical Discussion (MIDRANGE-L) mailing
list
To post a message email: MIDRANGE-L@xxxxxxxxxxxx
To subscribe, unsubscribe, or change list options,
visit: https://lists.midrange.com/mailman/listinfo/midrange-l
or email: MIDRANGE-L-request@xxxxxxxxxxxx
Before posting, please take a moment to review the archives
at https://archive.midrange.com/midrange-l.

Please contact support@xxxxxxxxxxxx for any subscription related
questions.

Help support midrange.com by shopping at amazon.com with our affiliate
link: http://amzn.to/2dEadiD

--
This is the Midrange Systems Technical Discussion (MIDRANGE-L) mailing

list

To post a message email: MIDRANGE-L@xxxxxxxxxxxx
To subscribe, unsubscribe, or change list options,
visit: https://lists.midrange.com/mailman/listinfo/midrange-l
or email: MIDRANGE-L-request@xxxxxxxxxxxx
Before posting, please take a moment to review the archives
at https://archive.midrange.com/midrange-l.

Please contact support@xxxxxxxxxxxx for any subscription related
questions.

Help support midrange.com by shopping at amazon.com with our affiliate
link: http://amzn.to/2dEadiD