|
Hi Thomas
Unfortunately – the bolded lines did not come through or the color red (Im color blind anyway)
However – what is this
* User VCHAVEZTST from client 10.1.200.157 connected to server.
Maybe the user VCHAVEZTST is the problem
Alan Shore
Solutions Architect
IT Supply Chain Execution
[cid:image001.png@01D7BEA7.CD5C67C0]
60 Orville Drive
Bohemia, NY 11716
Phone [O] : (631) 200-5019
Phone [C] : (631) 880-8640
E-mail : ASHORE@xxxxxxxxxxxxxxxxxxxx
‘If you're going through hell, keep going.’
Winston Churchill
From: MIDRANGE-L [mailto:midrange-l-bounces@xxxxxxxxxxxxxxxxxx] On Behalf Of Thomas Garvey
Sent: Monday, October 11, 2021 1:52 PM
To: midrange-l@xxxxxxxxxxxxxxxxxx
Subject: Re: [EXTERNAL] Object authority issues
Here's how the PC request looks in the Active Jobs list. (I hope the red
color shows. If not, the bolded lines are intended to be highlighted).
Work with Active Jobs
10/11/21 13:43:46 EDT
CPU %: 1.6 Elapsed time: 00:00:48 Active jobs: 412
Type options, press Enter.
2=Change 3=Hold 4=End 5=Work with 6=Release 7=Display message
8=Work with spooled files 13=Disconnect ...
Current
Opt Subsystem/Job User Type CPU % Function Status
QZDASOINIT PYLONOPR PJ .0 TIMW
QZDASOINIT EXTOLOWN PJ .0 TIMW
QZDASOINIT EXTOLOWN PJ .0 TIMW
* QZDASOINIT VCHAVEZTST PJ .0 TIMW **
* QZHQSSRV PYLONOPR PJ .0 TIMW
QZRCSRVS MXAPLUS PJ .0 TIMW
QZRCSRVS MXAPLUS PJ .0 TIMW
QZRCSRVS MXAPLUS PJ .0 TIMW
QZSCSRVS FFAIBER PJ .0 TIMW
More...
Parameters or command
===>
F3=Exit F5=Refresh F7=Find F10=Restart statistics
F11=Display elapsed data F12=Cancel F23=More options F24=More keys
But when the joblog is displayed...
Display Job Log
Job . . : QZDASOINIT User . . : *QUSER***Number . . . : 507835
Job 507835/QUSER/QZDASOINIT started on 10/11/21 at 13:12:11 in
subsystem
QUSRWRK in QSYS. Job entered system on 10/11/21 at 13:12:11.
Printer device PRNT1 not found.
Errors on CHGJOB command for job *507835/QUSER/QZDASOINIT*.
Printer device PRNT1 not found.
Job changed successfully; however errors occurred.
* User VCHAVEZTST from client 10.1.200.157 connected to server.
* Printer device PRNT1 not found.
Job changed successfully; however errors occurred.
Token <END-OF-STATEMENT> was not valid. Valid tokens: ? : USER
CURRENT
DEFAULT SYSTEM_USER.
The following special registers have been set: CLIENT_APPLNAME:
LICKETY-SP
Not authorized to object LICKTYSPLT in LS type *PGM.
Not authorized to object LICKTYSPLT in LS type *PGM.
Bottom
Press Enter to continue.
I noticed this myself yesterday and specifically authorized QUSER to the
program object, and that didn't help either.
I THINK the PC app is VB. But it's the i server that is sending the
message back to the PC app.
Best Regards,
Thomas Garvey
On 10/11/2021 11:48 AM, Alan Shore via MIDRANGE-L wrote:
Hi Thomas--
How is the pc application connecting to the AS/400?
Under what user name?
THAT may be the culprit that does not have authority
Then again - I may be misunderstanding what you have written
Alan Shore
Solutions Architect
IT Supply Chain Execution
[cid:image001.png@01D7BE9E.576AB480]
60 Orville Drive
Bohemia, NY 11716
Phone [O] : (631) 200-5019
Phone [C] : (631) 880-8640
E-mail : ASHORE@xxxxxxxxxxxxxxxxxxxx<mailto:ASHORE@xxxxxxxxxxxxxxxxxxxx>
'If you're going through hell, keep going.'
Winston Churchill
From: MIDRANGE-L [mailto:midrange-l-bounces@xxxxxxxxxxxxxxxxxx] On Behalf Of Thomas Garvey
Sent: Monday, October 11, 2021 12:45 PM
To: Midrange Systems Technical Discussion <midrange-l@xxxxxxxxxxxxxxxxxx<mailto:midrange-l@xxxxxxxxxxxxxxxxxx>>
Subject: [EXTERNAL] Object authority issues
I REALLY hesitate to open up this issue, but I clearly don't understand
something or am missing something obvious.
I have a stored procedure defined in QGPL which calls an SQLRPGLE
program in another library, specified in the procedure.
The program is owned by a specific user (SSA) and is defined as: User
profile *OWNER and Use Adopted Authority as *YES.
A user, whose Group Profile is SSA, calls a PC application program,
which calls the stored procedure but receives an SQL0551 error
SQL0551
Message Text: Not authorized to object &1 in &2 type *&3.
Cause Text: An operation was attempted on object &1 in &2 type *&3. This
operation cannot be
performed without the required authority.
Recovery Text: Obtain the required authority from either the security
officer, the object owner, or a user
that is authorized to the QIBM_DB_SECADM function. If you are not
authorized to a
logical file, obtain the authority to the based-on files of the logical
file. Try the operation
again.
The program has *PUBLIC as *USE, *GROUP SSA has *ALL for object authorities.
My apparently limited grasp of authority tells me that the user has *USE
authority to the program object, and by that authority should then adopt
the authority of the owner, which then allows authority to use the files
and data the object uses.
Why doesn't the user, who is part of the Group Profile that owns the
object, and has *USE authority have authority to use the program?
Further, I've tried changing the object authority on the program *USER
to *ALL, changed the owner of the object to the actual user itself, all
to no avail.
The only thing that works is giving the calling user All Object
authority, and I obviously can't do that.
Using Carol Woodbury's book (i5/OS Security) and Authority Search
Progression chart, authority short of All Object authority, is available
as it is setup, no?
Best Regards,
Thomas Garvey
--
This is the Midrange Systems Technical Discussion (MIDRANGE-L) mailing list
To post a message email: MIDRANGE-L@xxxxxxxxxxxxxxxxxx<mailto:MIDRANGE-L@xxxxxxxxxxxxxxxxxx<mailto:MIDRANGE-L@xxxxxxxxxxxxxxxxxx%3cmailto:MIDRANGE-L@xxxxxxxxxxxxxxxxxx>>
To subscribe, unsubscribe, or change list options,
visit: https://lists.midrange.com/mailman/listinfo/midrange-l<https://lists.midrange.com/mailman/listinfo/midrange-l><https://lists.midrange.com/mailman/listinfo/midrange-l<https://lists.midrange.com/mailman/listinfo/midrange-l>>
or email: MIDRANGE-L-request@xxxxxxxxxxxxxxxxxx<mailto:MIDRANGE-L-request@xxxxxxxxxxxxxxxxxx<mailto:MIDRANGE-L-request@xxxxxxxxxxxxxxxxxx%3cmailto:MIDRANGE-L-request@xxxxxxxxxxxxxxxxxx>>
Before posting, please take a moment to review the archives
at https://archive.midrange.com/midrange-l<https://archive.midrange.com/midrange-l><https://archive.midrange.com/midrange-l<https://archive.midrange.com/midrange-l>>.
Please contact support@xxxxxxxxxxxxxxxxxxxx<mailto:support@xxxxxxxxxxxxxxxxxxxx<mailto:support@xxxxxxxxxxxxxxxxxxxx%3cmailto:support@xxxxxxxxxxxxxxxxxxxx>> for any subscription related questions.
Help support midrange.com by shopping at amazon.com with our affiliate link: https://amazon.midrange.com<https://amazon.midrange.com><https://amazon.midrange.com<https://amazon.midrange.com>>
This is the Midrange Systems Technical Discussion (MIDRANGE-L) mailing list
To post a message email: MIDRANGE-L@xxxxxxxxxxxxxxxxxx<mailto:MIDRANGE-L@xxxxxxxxxxxxxxxxxx>
To subscribe, unsubscribe, or change list options,
visit: https://lists.midrange.com/mailman/listinfo/midrange-l<https://lists.midrange.com/mailman/listinfo/midrange-l>
or email: MIDRANGE-L-request@xxxxxxxxxxxxxxxxxx<mailto:MIDRANGE-L-request@xxxxxxxxxxxxxxxxxx>
Before posting, please take a moment to review the archives
at https://archive.midrange.com/midrange-l<https://archive.midrange.com/midrange-l>.
Please contact support@xxxxxxxxxxxxxxxxxxxx<mailto:support@xxxxxxxxxxxxxxxxxxxx> for any subscription related questions.
Help support midrange.com by shopping at amazon.com with our affiliate link: https://amazon.midrange.com<https://amazon.midrange.com>
As an Amazon Associate we earn from qualifying purchases.
This mailing list archive is Copyright 1997-2024 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page. If you have questions about this, please contact [javascript protected email address].
Operating expenses for this site are earned using the Amazon Associate program and Google Adsense.