× The internal search function is temporarily non-functional. The current search engine is no longer viable and we are researching alternatives.
As a stop gap measure, we are using Google's custom search engine service.
If you know of an easy to use, open source, search engine ... please contact support@midrange.com.



Hi David,

I am using qsysetegid() API to change the "efective group" of the job. The
program has ative "adopted authority" with QSECOFR owner. This work fine,
the group change correctly. I have read this API has an effect on IFS
objects.

After change of effective group, it seems that a user without permissions
can use IFS objects. But this does not always happen.

CL commands like DSPF or EDTF don't work. AIX commands, like 'sftp' don't
work correctly.

Is there any documentation that explains these issues?

Is it impossible to "simulate adopted authority" for IFS objects?

Thank you for your help.

Javier Mora

El sáb, 1 jun 2024 a las 21:39, David Gibbs via MIDRANGE-L (<
midrange-l@xxxxxxxxxxxxxxxxxx>) escribió:

You need to use the user profile handle switching apis.

The profile invoking the apis needs to have authority to the profile being
switched to, but you can use adopted authority with the program doing the
profile switching.

See
https://www.ibm.com/docs/en/i/7.4?topic=programs-example-using-profile-handles
for info.

David

On Jun 1, 2024, at 12:36 PM, datil400 <datil400@xxxxxxxxx> wrote:

Hello guys,

I am trying to simulate in my ERP the adopted authority to treat IFS
objets
in transparent way. I don´t want users have access to certain IFS
directories and files outside the application program.

I know that the adopted authority does not work in the IFS, but I think
it
can be simulated. I am using qsysetegid(), gsysetgid() and qsysetregid()
to
change the job primary group.

In addition, all IFS objects have the primary group (PGP) set with the
application's owner group (i.e. the group set with the qsysetegid API).
*PUBLIC authorization is *EXCLUDE.

I have done some tests and it seems to work fine, but I have encountered
some problems with some CL and Qshell/PASE commands. For example, EDTF or
DSPF don´t work, they need at least *X authorization on the whole
directory
path.

On the other hand, the SFTP command does not work either due to an
authorization issue on the key files (for example).

Am I trying to do something impossible?

Is there any documentation on that subject?

Are the exceptions documented?

Any suggestions?

Best regards

Javier Mora
--
This is the Midrange Systems Technical Discussion (MIDRANGE-L) mailing
list
To post a message email: MIDRANGE-L@xxxxxxxxxxxxxxxxxx
To subscribe, unsubscribe, or change list options,
visit: https://lists.midrange.com/mailman/listinfo/midrange-l
or email: MIDRANGE-L-request@xxxxxxxxxxxxxxxxxx
Before posting, please take a moment to review the archives
at https://archive.midrange.com/midrange-l.

Please contact support@xxxxxxxxxxxxxxxxxxxx for any subscription
related questions.

--
This is the Midrange Systems Technical Discussion (MIDRANGE-L) mailing list
To post a message email: MIDRANGE-L@xxxxxxxxxxxxxxxxxx
To subscribe, unsubscribe, or change list options,
visit: https://lists.midrange.com/mailman/listinfo/midrange-l
or email: MIDRANGE-L-request@xxxxxxxxxxxxxxxxxx
Before posting, please take a moment to review the archives
at https://archive.midrange.com/midrange-l.

Please contact support@xxxxxxxxxxxxxxxxxxxx for any subscription related
questions.



As an Amazon Associate we earn from qualifying purchases.

This thread ...

Follow-Ups:
Replies:

Follow On AppleNews
Return to Archive home page | Return to MIDRANGE.COM home page

This mailing list archive is Copyright 1997-2024 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page. If you have questions about this, please contact [javascript protected email address].

Operating expenses for this site are earned using the Amazon Associate program and Google Adsense.