Tweet
We have set the file authority as follows: File XXXXXXXX is owned by user USER and *PUBLIC is *EXCLUDE the private authority for USER is *CHANGE Access to the file is done via adopted authority (user USER) This all works fine untill a program tries to do a CRTDUPOBJ or CLRPFM or any other command that requires management rights to the file. *change won't let you do these operations. How can this be prevented. I want to keep *change against the file but do not want to change all programs that do a crtdupobj etc... Thanks - Frank Fleer
-
-
CRTDUPOBJ
You can't clear a file with just *change authority. What you could do is create the programs that clear or crtdupobj to use the *owners authority rather than the user. As long as the programs DO NOT ALLOW anyone to access a command line you will ok. (the owner must have *all authority to the file or "*all object" authority). If you don't allow any users(other that all object or secofer etc.) to have the authority to clear the file even adopted authority will not work, the authority being adopted must have enough authority to clear the file, *change won't do. -
CRTDUPOBJ
CRTDUPOBJ needs *OBJMGT authority to the source object because the duplication procedure has to read the authorizations on the source object in order to duplicate them to the target object. A couple of options might be: 1) Give the USER *CHANGE + *OBJMGT to the file. 2) Create a duplicate (empty) file and give USER *CHANGE + *OBJMGT to the duplicate. Then do the CRTDUPOBJ on the duplicate file + a CPYF on the original file (complicated, and would only work with files, not with programs). 3) Have the program that does the CRTDUPOBJ adopt some additional authority. hth, jteComment
Comment