I know that a similar situation occurs in BPCS.  Some program in between 
BPCSMENU and the program that gives you the command line adopts authority 
and passes it on down the line.

Ed's check to see if this is the issue is right on.

You can look at all the programs in your call stack to see which one is 
the culprit (the one with USRPRF(*OWNER)).  And then the others pass it on 
down with USEADPAUT(*YES).  If you can figure this out then you'll finally 
know the difference between these two parameters.

Which then begs the question does that particular program owner need 
access to STRSQL?  Or does it really need an owner with *ALLOBJ?  That 
might be easier (and safer) than attempting to modify your ERP package to 
stop the funky adoption.

Rob Berendt
Group Dekko Services, LLC
Dept 01.073
PO Box 2000
Dock 108
6928N 400E
Kendallville, IN 46755

Ed Fishel <edfishel@xxxxxxxxxx> 
Sent by: security400-bounces@xxxxxxxxxxxx
05/27/2004 08:09 AM
Please respond to
Security Administration on the AS400 / iSeries  <security400@xxxxxxxxxxxx>

Security Administration on the AS400 / iSeries <security400@xxxxxxxxxxxx>

Re: [Security400] object authority problem

John wrote on 05/27/2004 03:27:13 AM:

> I have given object authority *public = exclude for the object STRSQL. When a
> user signs on to the AS/400, the ERP application is loading (initial program)
> and the user is able to execute the cmd STRSQL. If he signs off and goes to the main
> menu, then it is not allowed. Can you tell me what is happening? The user
> has no special authority.

It sounds to me like the ERP application, or something it uses, has a
problem with adopted authority. That is, if the ERP application is
displaying a command line that allows the user to run the STRSQL command
then it sounds like the adopted authority is being propagated to the
command line.

To test this, I suggest that you ask the user to enter
DSPOBJAUT STRSQL *CMD
on that command line. If *ADOPTED is listed in the User column then
the authority to the STRSQL command is coming from adopted authority. If
*GROUP is displayed, then the authority is coming from one or more
group profiles.

Ed Fishel,
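
Added example, not part of the original messages: a simplified Python model of how USRPRF(*OWNER) and USEADPAUT interact along a call stack, following the two replies above. The program and owner names are hypothetical and the sample stack is constructed; the model only covers the walk back up the stack from the program making the request and ignores other boundaries the system applies.

```python
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class StackEntry:
    program: str
    owner: str
    usrprf: str      # "*USER" or "*OWNER" (does this program adopt its owner?)
    useadpaut: str   # "*YES" or "*NO" (does it use adoption from callers?)

def adopted_owners(stack):
    """Return (owner, program) pairs whose adopted authority is in effect
    for the last entry of `stack` (stack[0] is the oldest call)."""
    in_effect = []
    for entry in reversed(stack):
        # A program's own adoption always applies while it is on the stack.
        if entry.usrprf == "*OWNER":
            in_effect.append((entry.owner, entry.program))
        # USEADPAUT(*NO) stops the search: nothing adopted by earlier
        # programs reaches this entry or anything it calls.
        if entry.useadpaut == "*NO":
            break
    return in_effect

def with_useadpaut_no(stack, program):
    """Copy of `stack` with USEADPAUT(*NO) set on one program."""
    return [replace(e, useadpaut="*NO") if e.program == program else e
            for e in stack]

# Constructed stack: the ERP initial program down to its command line.
SAMPLE_STACK = [
    StackEntry("ERPINIT",  "ERPUSER",  "*USER",  "*YES"),
    StackEntry("ERPMENU",  "ERPOWNER", "*OWNER", "*YES"),  # the adopter
    StackEntry("ERPSUB",   "ERPUSER",  "*USER",  "*YES"),  # passes it on
    StackEntry("ERPCMDLN", "ERPUSER",  "*USER",  "*YES"),  # command line
]

if __name__ == "__main__":
    print("as shipped:       ", adopted_owners(SAMPLE_STACK))
    for pgm in ("ERPMENU", "ERPSUB", "ERPCMDLN"):
        fixed = with_useadpaut_no(SAMPLE_STACK, pgm)
        print(f"*NO on {pgm:<9}:", adopted_owners(fixed))
```

In this model, setting USEADPAUT(*NO) on the adopting program itself changes nothing for the command line; the chain is only cut at a program called after it, or by changing the adopter's USRPRF or its owner's authority.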


This mailing list archive is Copyright 1997-2022 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page. If you have questions about this, please contact [javascript protected email address].
