Yeah, I think QCRTAUT is a good start, but it sets *PUBLIC authority to
a newly created object vs. anything having to do with your users.

Where is this library situated in the library lists? If it's in the
QSYSLIBL or QUSRLIBL it would be more likely to have locking issues. If
it's not in a library list, and still has locks, then something is
programmatically pointing to objects in that library.

I think the best thing about SQL is that you can do it interactively. CL
and RPG need to go through the compile steps, and debugging and the
like. Generally the job log will tell you about any errors in your SQL
statement when they happen.

I'm sure you could find a contractor to do this investigation if you
don't have in-house support.

Dave

-----Original Message-----
From: security400-bounces@xxxxxxxxxxxx
[mailto:security400-bounces@xxxxxxxxxxxx] On Behalf Of Burns, Bryan
Sent: Wednesday, June 13, 2007 9:24 AM
To: Security Administration on the AS400 / iSeries
Cc: Dorsey, Tim; Dunne,Patrick
Subject: Re: [Security400] Private authority report

Well, I anticipated locks so I did the GRTOBJAUT on a Sunday when users
aren't on the system and it actually worked better than I thought it
would have (Authority given to 5886, not given to 49). The joblog shows
some items couldn't be granted authority because they were "in use"
(locks). I suspect that's why 49 items were not given the authority.
So some way or another, I'll figure out how to add authority to the 49
items. But what about the future? How can I ensure new items are given
a *USE for user ODBCUSER? Change SYSVAL QCRTAUT?

Don't know SQL but maybe I should learn it before I tackle more in-depth
CL or basic RPG?

Thanks,
Bryan

-----Original Message-----
From: security400-bounces@xxxxxxxxxxxx
[mailto:security400-bounces@xxxxxxxxxxxx]On Behalf Of Turnidge, Dave
Sent: Wednesday, June 13, 2007 8:57 AM
To: Security Administration on the AS400 / iSeries
Subject: Re: [Security400] Private authority report


I want to repeat an earlier comment about "locks". If you have objects
that are in use when you do your GRTOBJAUT, the command will fail on
those objects. Therefore, you need to schedule that action.

Do you know how to use SQL? If so, you could dump your information to
temporary files and examine them without having to do any "programming."


Object level security takes some level of organization, but is well
worth the effort - especially when compared with the alternative...

Dave

-----Original Message-----
From: security400-bounces@xxxxxxxxxxxx
[mailto:security400-bounces@xxxxxxxxxxxx] On Behalf Of Burns, Bryan
Sent: Tuesday, June 12, 2007 3:40 PM
To: Security Administration on the AS400 / iSeries
Subject: Re: [Security400] Private authority report

John,
I did that by searching for "in use" but would have to search 49 times.
And I only got a job log because I had time to request one while the
GRTOBJAUT was running. Hate to think where I'd be without a joblog.
I'd also hate to implement object level security if it's so difficult to
get such a list.
Bryan

-----Original Message-----
From: security400-bounces@xxxxxxxxxxxx
[mailto:security400-bounces@xxxxxxxxxxxx]On Behalf Of John Earl
Sent: Tuesday, June 12, 2007 3:32 PM
To: Security Administration on the AS400 / iSeries
Subject: Re: [Security400] Private authority report


Absent a Vendor provided security tool that will list the authorities of
objects in the library, you can review your joblog to see which items
were not changed.

jte

--
John Earl, VP and Chief Technology Officer
PowerTech: 253-872-7788
Direct: 253-479-1408
Mobile: 206-669-3336
John.Earl@xxxxxxxxxxxxx






-----Original Message-----
From: security400-bounces+john.earl=powertech.com@xxxxxxxxxxxx
[mailto:security400-bounces+john.earl=powertech.com@xxxxxxxxxxom] On Behalf Of Burns, Bryan
Sent: Tuesday, June 12, 2007 12:36 PM
To: security400@xxxxxxxxxxxx
Subject: [Security400] Private authority report

I performed a GRTOBJAUT OBJ(AMFLIBE/*ALL) OBJTYPE(*FILE)
USER(ODBCUSER) AUT(*USE) and the joblog shows "Authority given to 5886
objects. Not given to 49 objects". How can I get a list of just the
49 files in library AMFLIBE that weren't given authority?

The files for most of the 5886 objects that were given authority look
like this:

User        Authority
*PUBLIC     *CHANGE
AMAPICS     *ALL
ODBCUSER    *USE

I need a list of just the 49 files in library AMFLIBE in which
ODBCUSER has no private authority.

Bryan Burns
IBM Certified Specialist - iSeries System Command Operations
V5R2 M.I.S. Department ECHO, Incorporated www.echo-usa.com
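
Added example (not part of the original thread): one way to produce the list asked for above, following the suggestion to dump the information to a temporary file and examine it with SQL. It assumes DSPOBJAUT has first written its outfile to QTEMP/OBJAUT (a file name chosen here) and that the outfile carries the field names OANAME, OALIB, OAUSR and OAOBJA from the QSYS/QAOBJAUT model file; confirm them on your release with DSPFFD before relying on the result.

```sql
-- Step 1 (CL, run once from a command line before starting SQL):
--   DSPOBJAUT OBJ(AMFLIBE/*ALL) OBJTYPE(*FILE) +
--             OUTPUT(*OUTFILE) OUTFILE(QTEMP/OBJAUT)
-- The outfile holds one row per object per user that has an authority
-- entry, so every file appears at least once (owner and *PUBLIC rows).
-- QTEMP/OBJAUT is an assumed name; any work library and file will do.
--
-- The statements use system naming (lib/file), the STRSQL default.
-- Under SQL naming write QTEMP.OBJAUT instead.

-- Step 2: files in AMFLIBE with no private authority row for ODBCUSER.
-- These are the objects GRTOBJAUT skipped.
SELECT DISTINCT a.OANAME
  FROM QTEMP/OBJAUT a
 WHERE a.OALIB = 'AMFLIBE'
   AND NOT EXISTS (SELECT 1
                     FROM QTEMP/OBJAUT b
                    WHERE b.OALIB  = a.OALIB
                      AND b.OANAME = a.OANAME
                      AND b.OAUSR  = 'ODBCUSER')
 ORDER BY a.OANAME;

-- Step 3: cross-check against the job log totals. The count of files
-- that do have an ODBCUSER row, grouped by the authority granted,
-- should add up to the "Authority given to" figure.
SELECT b.OAOBJA, COUNT(DISTINCT b.OANAME) AS FILES
  FROM QTEMP/OBJAUT b
 WHERE b.OALIB = 'AMFLIBE'
   AND b.OAUSR = 'ODBCUSER'
 GROUP BY b.OAOBJA;
```

Re-running step 1 and step 2 after each retry of GRTOBJAUT shows which files are still missing the authority without searching the job log for "in use" messages.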
