I know that a similar situation occurs in BPCS. Some program in between BPCSMENU and the program that gives you the command line adopts authority and passes it on down the line. Ed's check to see if this is the issue is right on. You can look at all the programs in your call stack to see which one is the culprit (the one with USRPRF(*OWNER)). And then the other pass it on down with USEADPAUT(*YES). If you can figure this out then you'll finally know the difference between these two parameters. Which then begs the question does that particular program owner need access to STRSQL? Or does it really need an owner with *ALLOBJ? That might be easier (and safer) than attempting to modify your ERP package to stop the funky adoption. Rob Berendt -- Group Dekko Services, LLC Dept 01.073 PO Box 2000 Dock 108 6928N 400E Kendallville, IN 46755 http://www.dekko.com Ed Fishel <edfishel@xxxxxxxxxx> Sent by: security400-bounces@xxxxxxxxxxxx 05/27/2004 08:09 AM Please respond to Security Administration on the AS400 / iSeries <security400@xxxxxxxxxxxx> To Security Administration on the AS400 / iSeries <security400@xxxxxxxxxxxx> cc Subject Re: [Security400] object authority problem John wrote on 05/27/2004 03:27:13 AM: > I given object authority *public = exclude for the object STRSQL. When a > user signon to as/400, the ERP application is loading (initial program) and > the user is able to excute the cmd STRSQL. If he signoff and go to main > menu, then it is not allowed. Can u tell me what is happening. The user has > no special authority It sounds to me like the ERP application, or something it uses, has a problem with adopted authority. That is, if the ERP application is displaying a command line that allows the user to run the STRSQL command then it sounds like the adopted authority is being propagated to the command line. To test this, I suggest that you ask the user to enter DSPOBJAUT STRSQL *CMD on that command line. If *ADOPTED is listed in the User column then the authority to the STRSQL command is coming from adopted authority. If *GROUP is displayed, then the authority is coming from one or more of their group profiles. Ed Fishel, edfishel@xxxxxxxxxx _______________________________________________ This is the Security Administration on the AS400 / iSeries (Security400) mailing list To post a message email: Security400@xxxxxxxxxxxx To subscribe, unsubscribe, or change list options, visit: http://lists.midrange.com/mailman/listinfo/security400 or email: Security400-request@xxxxxxxxxxxx Before posting, please take a moment to review the archives at http://archive.midrange.com/security400.
As an Amazon Associate we earn from qualifying purchases.
Operating expenses for this site are earned using the Amazon Associate program and Google Adsense.