
  • Swap Group Profile...Help

    Program SwapGrp is owned by QSECOFR. The program has been changed to adopt the owner's authority (User Profile *OWNER). When I run the program I get the following message:

    3000 - CHGUSRPRF USRPRF(SARAH) GRPPRF(CSSPGM)
    Not authorized to object CSSPGM in QSYS.
    You do not have the correct authority for object CSSPGM in library QSYS type *USRPRF.
    Recovery . . . : Contact your security officer

    If I have adopted the authority of QSECOFR, why can't I change the profile SARAH?

  • #2
    Swap Group Profile...Help

    It does not sound like the program is set to adopt its owner's authority. My guess is that your program has Use adopted authority (USEADPAUT) set to *YES and User profile (USRPRF) set to *USER. The USEADPAUT parameter is used to allow your program to use adopted authority that comes from the program that called your program. The USRPRF parameter is used to cause your program to adopt its owner's authority or not. To adopt QSECOFR the program must be owned by QSECOFR and it needs to have USRPRF set to *OWNER.

    Ed Fishel



    • #3
      Swap Group Profile...Help

      Ed, I have the program adopting the owner's authority. I typed the USERPRF *yes when I should have typed *Owner. I corrected my original topic.

      User profile . . . . . . . . . . . . . . . . . . : *OWNER
      Use adopted authority . . . . . . . . . . . . . : *YES
      Log commands (CL program) . . . . . . . . . . . : *JOB
      Allow RTVCLSRC (CL program) . . . . . . . . . . : *YES
      Fix decimal data . . . . . . . . . . . . . . . . : *NO



      • #4
        Swap Group Profile...Help

        Claris,

        After you corrected the original question I discussed it with a coworker and she reminded me that *OBJMGT authority cannot come from adopted authority for the GRPPRF parameter on CHGUSRPRF and CRTUSRPRF. To add a group profile you need to have *OBJMGT, *OBJOPR, *READ, *ADD, *UPD, and *DLT authority to the group profile. This restriction is documented in Appendix D of the security reference manual.

        You can get around this restriction by using the adopted authority to call the get profile handle API to get a profile handle for QSECOFR. You can then use the profile handle to swap to that user profile and then do the function. Be sure the program always swaps back to the original user profile.

        Swapping user profile can be risky. A safer solution may be to only add group profiles when you have signed on as a security officer.

        Ed Fishel



        • #5
          Swap Group Profile...Help

          Ed,

          You wrote "Swapping user profile can be risky", which is true. There are ways to really make this a very, very small risk (down to pulling the power plug during the execution of a few statements). That is all I have found at least. You can search the archives for this site to see a complete discussion on this subject about 2-3 months ago. Basically, you need to also register a cancel and error exit routine.

          You also wrote "A safer solution may be to only add group profiles when you have signed on as a security officer". Why would you want to swap when you are signed on as the security officer?

          David Morris

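The workaround described in #4, with the error-path swap-back raised in #5, as an added CL example that is not code from the thread or from IBM. It assumes the program is owned by QSECOFR and compiled with USRPRF(*OWNER), as in the thread; the parameter and variable names are hypothetical, and a cancel exit routine of the kind mentioned in #5 is assumed to be registered separately.

```cl
/* Added example. Assumes owner QSECOFR and USRPRF(*OWNER).           */
/* &USER, &GROUP and the work variables are hypothetical names.       */
PGM        PARM(&USER &GROUP)
  DCL        VAR(&USER)    TYPE(*CHAR) LEN(10)
  DCL        VAR(&GROUP)   TYPE(*CHAR) LEN(10)
  DCL        VAR(&ORIGHDL) TYPE(*CHAR) LEN(12) /* handle: signed-on user */
  DCL        VAR(&SECHDL)  TYPE(*CHAR) LEN(12) /* handle: QSECOFR        */
  DCL        VAR(&SWAPPED) TYPE(*LGL)  VALUE('0')
  DCL        VAR(&OK)      TYPE(*LGL)  VALUE('0')

  /* Any unmonitored error goes straight to the swap-back logic */
  MONMSG     MSGID(CPF0000) EXEC(GOTO CMDLBL(CLEANUP))

  /* Get the way back first, then the QSECOFR handle. *NOPWD needs   */
  /* authority to the profile, which comes from adopted authority.   */
  CALL       PGM(QSYGETPH) PARM('*CURRENT' '*NOPWD' &ORIGHDL)
  CALL       PGM(QSYGETPH) PARM('QSECOFR' '*NOPWD' &SECHDL)

  /* Swap the job to QSECOFR; authority is now direct, not adopted */
  CALL       PGM(QWTSETP) PARM(&SECHDL)
  CHGVAR     VAR(&SWAPPED) VALUE('1')

  /* Keep the work done while swapped to this single command */
  CHGUSRPRF  USRPRF(&USER) GRPPRF(&GROUP)
  CHGVAR     VAR(&OK) VALUE('1')

CLEANUP:
  IF         COND(&SWAPPED) THEN(DO)
    /* Clear the flag first so a failure here cannot loop */
    CHGVAR     VAR(&SWAPPED) VALUE('0')
    CALL       PGM(QWTSETP) PARM(&ORIGHDL)
    MONMSG     MSGID(CPF0000) EXEC(CHGVAR VAR(&OK) VALUE('0'))
  ENDDO

  /* Release both handles; ignore errors for handles never obtained */
  CALL       PGM(QSYRLSPH) PARM(&SECHDL)
  MONMSG     MSGID(CPF0000)
  CALL       PGM(QSYRLSPH) PARM(&ORIGHDL)
  MONMSG     MSGID(CPF0000)

  /* Report failure to the caller after the job is back to normal */
  IF         COND(*NOT &OK) THEN(SNDPGMMSG MSGID(CPF9898) +
               MSGF(QCPFMSG) MSGTYPE(*ESCAPE) +
               MSGDTA('Group profile change failed, see job log'))
ENDPGM
```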


          • #6
            Swap Group Profile...Help

            David,

            > You can search the archives for this site to see a complete discussion on this subject about 2-3 months ago. Basically, you need to also register a cancel and error exit routine.

            Yes, you and I and others discussed this two to three months ago. The risk of swapping user profiles is still there and that risk varies depending on how much work is done while the profiles are swapped. I only mentioned the risk to point out that it should be considered before making a change to swap user profiles.

            > Why would you want to swap when you are signed on as the security officer?

            You wouldn't. When you are signed on as a security officer you can use the CHGUSRPRF command directly instead of from a program that is adopting QSECOFR and then swapping to QSECOFR. That way you avoid both the risk of using adopted authority and the risk of swapping user profiles.

            Ed Fishel



            • #7
              Swap Group Profile...Help

              Ed,

              > To add a group profile you need to have *OBJMGT, *OBJOPR, *READ, *ADD, *UPD, and *DLT authority to the group profile.

              This solved my problem, thank you.
