Re: Simulating adopted authority with IFS -- MIDRANGE-L

Hi David,

I am using qsysetegid() API to change the "efective group" of the job. The
program has ative "adopted authority" with QSECOFR owner. This work fine,
the group change correctly. I have read this API has an effect on IFS
objects.

After change of effective group, it seems that a user without permissions
can use IFS objects. But this does not always happen.

CL commands like DSPF or EDTF don't work. AIX commands, like 'sftp' don't
work correctly.

Is there any documentation that explains these issues?

Is it impossible to "simulate adopted authority" for IFS objects?

Thank you for your help.

Javier Mora

El sáb, 1 jun 2024 a las 21:39, David Gibbs via MIDRANGE-L (<
midrange-l@xxxxxxxxxxxxxxxxxx>) escribió:

You need to use the user profile handle switching apis.

The profile invoking the apis needs to have authority to the profile being
switched to, but you can use adopted authority with the program doing the
profile switching.

See
https://www.ibm.com/docs/en/i/7.4?topic=programs-example-using-profile-handles
for info.

David

On Jun 1, 2024, at 12:36 PM, datil400 <datil400@xxxxxxxxx> wrote:

Hello guys,

I am trying to simulate in my ERP the adopted authority to treat IFS

objets

in transparent way. I don´t want users have access to certain IFS
directories and files outside the application program.

I know that the adopted authority does not work in the IFS, but I think

it

can be simulated. I am using qsysetegid(), gsysetgid() and qsysetregid()

to

change the job primary group.

In addition, all IFS objects have the primary group (PGP) set with the
application's owner group (i.e. the group set with the qsysetegid API).
*PUBLIC authorization is *EXCLUDE.

I have done some tests and it seems to work fine, but I have encountered
some problems with some CL and Qshell/PASE commands. For example, EDTF or
DSPF don´t work, they need at least *X authorization on the whole

directory

path.

On the other hand, the SFTP command does not work either due to an
authorization issue on the key files (for example).

Am I trying to do something impossible?

Is there any documentation on that subject?

Are the exceptions documented?

Any suggestions?

Best regards

Javier Mora
--
This is the Midrange Systems Technical Discussion (MIDRANGE-L) mailing

list

To post a message email: MIDRANGE-L@xxxxxxxxxxxxxxxxxx
To subscribe, unsubscribe, or change list options,
visit: https://lists.midrange.com/mailman/listinfo/midrange-l
or email: MIDRANGE-L-request@xxxxxxxxxxxxxxxxxx
Before posting, please take a moment to review the archives
at https://archive.midrange.com/midrange-l.

Please contact support@xxxxxxxxxxxxxxxxxxxx for any subscription

related questions.

--
This is the Midrange Systems Technical Discussion (MIDRANGE-L) mailing list
To post a message email: MIDRANGE-L@xxxxxxxxxxxxxxxxxx
To subscribe, unsubscribe, or change list options,
visit: https://lists.midrange.com/mailman/listinfo/midrange-l
or email: MIDRANGE-L-request@xxxxxxxxxxxxxxxxxx
Before posting, please take a moment to review the archives
at https://archive.midrange.com/midrange-l.

Please contact support@xxxxxxxxxxxxxxxxxxxx for any subscription related
questions.