Discussion:
User read only authority over files on a library
CENTRINO
2009-01-27 15:44:13 UTC
I have just created a library with QSECOFR named let's say MYLIB

Edited MYLIB authorities with EDTOBJAUT and added NEWUSER with *USE
authority.

*PUBLIC authority is set to *CHANGE

Then created a couple of files with QSECOFR.

Now NEWUSER is able to add or modify records of any file in MYLIB with,
for instance, DFU!, but is not able to change CHGPF FILE(MYLIB/MYFILE)
MAXMBRS(*NOMAX), which for me is OK.


I intended that NEWUSER could only read files in MYLIB by setting the
library MYLIB with NEWUSER *USE authority.

NEWUSER does not belong to any group, nor has *ALLOBJ, nor is MYLIB protected
by any authorization list.

Am I missing something?

Thanks in advance.
Marc Rauzier
2009-01-27 18:46:04 UTC
Post by CENTRINO
I have just created a library with QSECOFR named let's say MYLIB
Edited MYLIB authorities with EDTOBJAUT and added NEWUSER with
*USE authority.
This is the authority of NEWUSER on the object QSYS/MYLIB *LIB. It will
prevent NEWUSER, for example, from creating objects in MYLIB.
Post by CENTRINO
*PUBLIC authority is set to *CHANGE
Then created a couple of files with QSECOFR.
The files probably have their *PUBLIC authority set to *CHANGE, which
is the default value.
Post by CENTRINO
Now NEWUSER is able to add or modify records of any file in
MYLIB with, for instance, DFU!, but is not able to change CHGPF
FILE(MYLIB/MYFILE) MAXMBRS(*NOMAX), which for me is OK.
I intended that NEWUSER could only read files in MYLIB by setting
the library MYLIB with NEWUSER *USE authority.
NEWUSER does not belong to any group, nor has *ALLOBJ, nor is MYLIB
protected by any authorization list.
Am I missing something?
The authority *USE must be set on the file MYLIB/MYFILE for NEWUSER.
Post by CENTRINO
Thanks in advance.
--
Regards
Marc Rauzier
(to reply to me, do not use the From address but the Reply-To)
CENTRINO
2009-01-27 19:03:24 UTC
So ... is there no way to prevent from library permissions the update, add or
change of data belonging to files in one given library just in one go having
to individually assign objects (files in my case) permission?

Thanks
j***@yahoo.co.nz
2009-01-27 20:10:55 UTC
Post by CENTRINO
So ... is there no way to prevent from library permissions the update, add or
change of data belonging to files in one given library just in one go having
to individually assign objects (files in my case) permission?
Thanks
The authority on the library will determine what they can do at the
library level (e.g. create objects in the library, delete files etc).
It is the object level authority that determines what a person can do
on the object. You need to specify the authority at an object level
to control that.

You can use the GRTOBJAUT command, which supports wild cards or *ALL
to perform the operation on all objects in the library.

As an aside, why are you using QSECOFR for this?
Karl Hanson
2009-01-27 20:49:08 UTC
Post by j***@yahoo.co.nz
Post by CENTRINO
So ... is there no way to prevent from library permissions the update, add or
change of data belonging to files in one given library just in one go having
to individually assign objects (files in my case) permission?
Thanks
The authority on the library will determine what they can do at the
library level (e.g. create objects in the library, delete files etc).
It is the object level authority that determines what a person can do
on the object. You need to specify the authority at an object level
to control that.
You can use the GRTOBJAUT command, which supports wild cards or *ALL
to perform the operation on all objects in the library.
As an aside, why are you using QSECOFR for this?
Check into the CRTAUT parameter of CRTLIB/CHGLIB, along with
AUT(*LIBCRTAUT) on commands like CRTPF. Another mechanism is the
authorization list (eg CRTAUTL command) and using AUT(<autl-name>) on
commands like CRTPF.

http://publib.boulder.ibm.com/infocenter/iseries/v5r4/index.jsp?topic=/rzamv/rzamvauthlists.htm

--
Karl Hanson
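
The object-level grant and the CRTAUT default suggested in the replies above, written out as CL (an added example, not part of any poster's message). MYLIB, MYFILE and NEWUSER are the thread's names; NEWFILE is a hypothetical new file.

```cl
/* Added example. NEWFILE is a hypothetical name.                    */

/* 1. Inspect the authorities on the library object and on one file. */
/*    The library entry (*USE for NEWUSER) says nothing about what   */
/*    NEWUSER may do to the data in the files.                       */
DSPOBJAUT OBJ(QSYS/MYLIB) OBJTYPE(*LIB)
DSPOBJAUT OBJ(MYLIB/MYFILE) OBJTYPE(*FILE)

/* 2. Give NEWUSER a private *USE authority on every existing file   */
/*    in the library in one command. A private authority is checked  */
/*    before *PUBLIC, so NEWUSER is held to read-only even though    */
/*    *PUBLIC on the files is still *CHANGE.                         */
GRTOBJAUT OBJ(MYLIB/*ALL) OBJTYPE(*FILE) USER(NEWUSER) AUT(*USE)

/* 3. Alternative: lower *PUBLIC itself on the existing files, which */
/*    affects every user without a private or group authority.       */
GRTOBJAUT OBJ(MYLIB/*ALL) OBJTYPE(*FILE) USER(*PUBLIC) AUT(*USE) +
          REPLACE(*YES)

/* 4. CRTAUT only sets the *PUBLIC authority of objects created      */
/*    later with AUT(*LIBCRTAUT); existing files are not changed.    */
CHGLIB LIB(MYLIB) CRTAUT(*USE)
CRTPF FILE(MYLIB/NEWFILE) RCDLEN(80) AUT(*LIBCRTAUT)
```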
Marc Rauzier
2009-01-27 21:02:12 UTC
Post by CENTRINO
So ... is there no way to prevent from library permissions the
update, add or change of data belonging to files in one given
library just in one go having to individually assign objects (files
in my case) permission?
I do think that you have to properly setup the authority at both the
library and object levels.

(check out this redbook, you will find interesting information:
http://www.redbooks.ibm.com/abstracts/sg246668.html?Open)

My favorite way is to use authorization lists at library and object
levels.
The one at library level is set up as follows:
*PUBLIC *AUTL
The authorization list contains:
*PUBLIC *EXCLUDE
GROUP1 *USE
GROUP2 *USE

The one at object level is set up as follows:
*PUBLIC *AUTL
The authorization list contains:
*PUBLIC *USE

A dedicated user profile owns all the objects of the application and
the first program of the application adopts authority of the owner.

Using this way, only authorized group profiles have access to the
application and nobody can update data outside of the application.
Post by CENTRINO
Thanks
--
Regards
Marc Rauzier
(to reply to me, do not use the From address but the Reply-To)
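
The two-authorization-list layout described in the post above, written out as CL (an added example, not the poster's own commands). GROUP1 and GROUP2 are the post's names; the list names APPLIBAUTL and APPOBJAUTL, the owner profile APPOWNER and the program APPMAIN are hypothetical.

```cl
/* Added example. APPLIBAUTL, APPOBJAUTL, APPOWNER and APPMAIN are   */
/* hypothetical names.                                               */

/* Library-level list: *PUBLIC *EXCLUDE, the two groups *USE.        */
CRTAUTL  AUTL(APPLIBAUTL) AUT(*EXCLUDE)
ADDAUTLE AUTL(APPLIBAUTL) USER(GROUP1) AUT(*USE)
ADDAUTLE AUTL(APPLIBAUTL) USER(GROUP2) AUT(*USE)

/* Secure the library with the list, then make *PUBLIC defer to it.  */
GRTOBJAUT OBJ(QSYS/MYLIB) OBJTYPE(*LIB) AUTL(APPLIBAUTL)
GRTOBJAUT OBJ(QSYS/MYLIB) OBJTYPE(*LIB) USER(*PUBLIC) AUT(*AUTL)

/* Object-level list: *PUBLIC *USE, so data is read-only to anyone   */
/* who can reach the library at all.                                 */
CRTAUTL  AUTL(APPOBJAUTL) AUT(*USE)
GRTOBJAUT OBJ(MYLIB/*ALL) OBJTYPE(*FILE) AUTL(APPOBJAUTL)
GRTOBJAUT OBJ(MYLIB/*ALL) OBJTYPE(*FILE) USER(*PUBLIC) AUT(*AUTL)

/* A dedicated profile owns the objects; the application's first     */
/* program adopts the owner's authority, so updates are possible     */
/* only through the application.                                     */
CHGOBJOWN OBJ(MYLIB/MYFILE) OBJTYPE(*FILE) NEWOWN(APPOWNER)
CHGOBJOWN OBJ(MYLIB/APPMAIN) OBJTYPE(*PGM) NEWOWN(APPOWNER)
CHGPGM    PGM(MYLIB/APPMAIN) USRPRF(*OWNER)
```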
JTF
2009-01-28 01:04:07 UTC
Post by CENTRINO
I have just created a library with QSECOFR named let's say MYLIB
Edited MYLIB authorities with EDTOBJAUT and added NEWUSER with *USE
authority.
*PUBLIC authority is set to *CHANGE
Then created a couple of files with QSECOFR.
Now NEWUSER is able to add or modify records of any file in MYLIB with,
for instance, DFU!, but is not able to change CHGPF FILE(MYLIB/MYFILE)
MAXMBRS(*NOMAX), which for me is OK.
I intended that NEWUSER could only read files in MYLIB by setting the
library MYLIB with NEWUSER *USE authority.
NEWUSER does not belong to any group, nor has *ALLOBJ, nor is MYLIB protected
by any authorization list.
Am I missing something?
Thanks in advance.
You said that the user could USE your library by setting the
permissions on the library object, which they are doing. Now you need
to set the permissions on the file object.