Q: Some of our Office/400 users secure their documents with option 14 (authority) on either the "Work with Documents in Folders" or "Work with Folders" displays. When these users go on vacation or are not available, other users have to take over part of their work and cannot access the documents. How can I prevent users from taking option 14? Restricting access to the Change DLO Authority (CHGDLOAUT) and Edit DLO Authority (EDTDLOAUT) commands used to secure documents does not solve the problem.
A: Your attempt to secure the CHGDLOAUT and EDTDLOAUT commands would seem to be the correct solution, but I contacted IBM development and discovered that they are using an internal interface for PDM option 14 and not the CL commands. There is no way to prevent use of option 14 by securing the commands if users are allowed to access Work with Documents in Folders or Work with Folders.
On many IBM menus, when an internal interface is used, the code checks access to the command. I recommend that you report this problem to IBM.
Q: I have a similar question to your discussion of Display Station Pass-Through in the January 1994 Security Patrol. We use pass-through between our AS/400 and S/36. I have the AS/400 system value QRMTSIGN set to *SAMEPRF and specify RMTUSER and RMTPWD when trying to connect to the S/36 from the AS/400, but I still get the sign-on screen.
A: Your system values and the Start Pass-Through (STRPASTHR) command are the correct choice to bypass the sign-on. However, the sign-on screen can only be bypassed when both the source and target systems are AS/400s. If either of the systems is a S/36 or a S/38, the users will be required to sign on. The S/36 and S/38 operating systems do not accept the sign-on information.
Q:When I use the Display Object Authority (DSPOBJAUT) command, I sometimes see *ADOPTED or *GROUP in the USER field. What do these terms mean? I could not find them described in the AS/400 Security Reference manual.
A: The *ADOPTED entry shows that the job has a program running that adopts authority. The adopted authority applies to the object being displayed. The *GROUP entry shows the authority that comes from the group profile of the user who issued the DSPOBJAUT command.
Most IBM screens-such as Display Object Authority-support online help. In this case, it is displayed by placing the cursor anywhere in the USER column and pressing the Help key. When you get another field that you do not understand, you can use online help to provide information on the data value descriptions.
Q:I would like to know if a user can be set up as a user class *SECOFR with *ALLOBJ authority, but be excluded from a specific library?
A:If a user has *ALLOBJ authority, then that user has *ALL authority to every object on the system, including libraries. The user cannot be excluded. The system checks for *ALLOBJ authority before checking for the object authority.