David Morris asked:

> I saw that; however, I interpreted it to mean the user inclusive of
> authorities gained via the group on both sides of the submit. Where did
> you find the reference that says the group profiles are not used when
> checking the profile this will run under? Do you have any insight on why
> this is the case?

Actually there may not be a reference that describes when group profiles are not used. One paragraph that comes close is from the Check User Authority to Object (QSYCUSRA) API. It says:

    If the user profile is *CURRENT or the name of the profile that is running currently, the authority to the user includes any authority specified on the object (private, group, authorization list, or public) plus any program adopted authority.

    If the user profile is not *CURRENT or the name of the profile that is running currently, the authority available to the user is the authority specified on the object.

In my opinion one reason that the group profiles of the submitted user are not used in this type of authority check is that there is no fast and easy way to test the authority of the groups. Normally it is LIC code that does authority checks that involve group profiles when checking the authority of a thread/process. I do not believe that authority from group profiles enters into any other authority checks. (Just checking that user X is authorized to an object will not include the group profiles of user X unless the check is done for the thread/process where user X is running.)

To do that check anywhere above LIC in the operating system would require the checker to re-implement that same algorithm, or it would require us to swap the current user profile to the specific user, do the authority check, and then swap back, or it would require some type of changes to LIC.

Ed Fishel,
edfishel@xxxxxxxxxx