For embedded SQL, created with the CRTSQLxxxI commands, there are two separate "adopt user profiles" you must deal with:
User profile . . . . . . . . . . USRPRF         *NAMING              Dynamic user profile . . . . . . DYNUSRPRF      *USER                
The "Dynamic" one is used, as I understand it, when you use dynamically PREPAREd and EXECUTEd SQL statements, versus normal static SQL.
Hope that helps,
Mark S. Waterbury
On Monday, October 11, 2021, 12:45:14 PM EDT, Thomas Garvey <tgarvey@xxxxxxxxxx> wrote:

I REALLY hesitate to open up this issue, but I clearly don't understand
something or am missing something obvious.

I have a stored procedure defined in QGPL which calls an SQLRPGLE
program in another library, specified in the procedure.
The program is owned by a specific user (SSA) and is defined as: User
profile *OWNER and Use Adopted Authority as *YES.

A user, whose Group Profile is SSA, calls a PC application program,
which calls the stored procedure but receives an SQL0551 error

Message Text: Not authorized to object &1 in &2 type *&3.
Cause Text: An operation was attempted on object &1 in &2 type *&3. This
operation cannot be
performed without the required authority.
Recovery Text: Obtain the required authority from either the security
officer, the object owner, or a user
that is authorized to the QIBM_DB_SECADM function. If you are not
authorized to a
logical file, obtain the authority to the based-on files of the logical
file. Try the operation

The program has *PUBLIC as *USE, *GROUP SSA has *ALL for object authorities.

My apparently limited grasp of authority tells me that the user has *USE
authority to the program object, and by that authority should then adopt
the authority of the owner, which then allows authority to use the files
and data the object uses.

Why doesn't the user, who is part of the Group Profile that owns the
object, and has *USE authority have authority to use the program?
Further, I've tried changing the object authority on the program *USER
to *ALL, changed the owner of the object to the actual user itself, all
to no avail.

The only thing that works is giving the calling user All Object
authority, and I obviously can't do that.

Using Carol Woodbury's book (i5/OS Security) and Authority Search
Progression chart, authority short of All Object authority, is available
as it is setup, no?

Best Regards,

Thomas Garvey

As an Amazon Associate we earn from qualifying purchases.

This thread ...


Follow On AppleNews
Return to Archive home page | Return to MIDRANGE.COM home page

This mailing list archive is Copyright 1997-2022 by and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page. If you have questions about this, please contact [javascript protected email address].

Operating expenses for this site are earned using the Amazon Associate program and Google Adsense.