× The internal search function is temporarily non-functional. The current search engine is no longer viable and we are researching alternatives.
As a stop gap measure, we are using Google's custom search engine service.
If you know of an easy to use, open source, search engine ... please contact support@midrange.com.


  1.  Home
  2. SECURITY400
  3. June 2004

Re: Job Description Authorities

Ed,

That is very helpful. In this case no swap would be necessary because
it is user(*CURRENT) and not *JOBD so PUBLIC(*USE) will have to be
specified. I am guessing that this is the same limitation applies to
STRDBG, however in that case there is a workaround using DSPMODSRC.

Thanks,

David Morris 

>>> edfishel@xxxxxxxxxx 6/16/2004 10:43:07 AM >>>

David Morris asked:

> I saw that however I interpreted it to mean the user inclusive of
> authorities gained via the group on both sides of the submit. Where
did
> you find the reference that says the group profiles are not used
when
> checking the profile this will run under? Do you have any insight on
why
> this is the case?

Actually there may not be a reference that describes when group
profiles
are not used. One paragraph that comes close is from the Check User
Authority to Object (QSYCUSRA) API. It says: If the user profile is
*CURRENT or the name of the profile that is running currently, the
authority to the user includes any authority specified on the object
(private, group, authorization list, or public) plus any program
adopted
authority. If the user profile is not *CURRENT or the name of the
profile
that is running currently, the authority available to the user is the
authority specified on the object.

In my opinion one reason that the group profiles of the submitted user
are
not used in this type of authority check is that there is no fast and
easy
way to test the authorty of the groups. Normally it is LIC code that
does
authority checks that involve group profiles when checking the
authority of
a thread/process. I do not believe that authority from group profiles
enter
into any other authority checks. (Just checking that user X is
authorized
to an object will not include the group profiles of user X unless the
check
is done for the thread/process where user X is running.) To do that
check
anywhere above LIC in the operating system would require the checker
to
re-implement that same algorithm, or it would require us to swap the
current user profile to the specific user do the authority check and
then
swap back, or it would require some type of changes to LIC.

Ed Fishel,

As an Amazon Associate we earn from qualifying purchases.

This thread ...
Follow On AppleNews
Return to Archive home page | Return to MIDRANGE.COM home page

This mailing list archive is Copyright 1997-2024 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page. If you have questions about this, please contact [javascript protected email address].

Operating expenses for this site are earned using the Amazon Associate program and Google Adsense.