It's a common practice to grant authority to a specific program by adopting the authority of the owner. This way, no matter who is running the program, the user's authority is supplemented by that of the owner. This process takes place at program creation time or through the Change Program (CHGPGM) command. You use the value of *OWNER in the User Profile (USRPRF) parameter instead of the default value of *USER.
This OS/400 security feature makes it easy to override the security restrictions that exist for a program. However, the adopted authority of the owner carries through to every program that may be called. This means the user running the program with adopted authority may get access to more programs than you would like (e.g., QCMD).
The Check User Authority (CHKUSRAUT) command determines if the user is authorized to an object independently of any adopted authorization. CHKUSRAUT can be used to determine whether a user operating with adopted authorities is in fact authorized to a particular object.
If the user issuing the command is not authorized to the specified object for the specified authority or authorities, escape message CPF9898 is sent to the program issuing the command.
Specify the qualified name of the object to check. The possible library values are:
*LIBL: The library list is used to locate the object to be checked.
library-name: Specify the name of the library where the object to be checked is located.
object-name: Specify the name of the object to be checked.
Specify the type of object to be checked. This must be a valid AS/400 object type.
Specify one or more authorities that are to be checked for the user issuing the command against the specified object. You must specify at least one authority.
*OBJEXIST: Check for object existence authority.
*OBJMGT: Check for object management authority.
*OBJOPR: Check for object operational authority.
*READ: Check for read rights for a file object.
*UPD: Check for update rights for a file object.
*ADD: Check for add rights for a file object.
*DLT: Check for delete rights for a file object.
Specify whether or not an authorization list for the object should also be checked.
*YES: The authorization list for the object should also be checked. This parameter is ignored if no authorization list exists for the object.
*NO: The authorization list for the object is not checked.
CHKUSRAUT OBJECT(MYLIB/MYFILE) +
          OBJTYP(*FILE) AUT(*OBJEXIST)
This command checks the file object MYFILE located in library MYLIB to determine if the user issuing the command has object existence rights for the object. By default, the authorization list for the object, if any, is checked.
If the user issuing the command does not have the specified authority, escape message CPF9898 is returned to the program.
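The pattern described above, as an added example that is not part of the original article or of QUSRTOOL: a CL program created with USRPRF(*OWNER) checks the caller's own authority to MYLIB/MYFILE before doing any work under adopted authority. MYLIB/UPDPGM is a hypothetical program, and CHKUSRAUT is assumed to be reachable through the library list.

```cl
/* Added example, not QUSRTOOL code. Assumes this program was created */
/* with USRPRF(*OWNER) and that CHKUSRAUT is on the library list.     */
/* MYLIB/UPDPGM is a hypothetical program that updates MYLIB/MYFILE.  */
PGM
   DCL        VAR(&USER) TYPE(*CHAR) LEN(10)

   /* Check the caller's own rights; adopted authority is not counted. */
   /* The object's authorization list, if any, is checked by default.  */
   CHKUSRAUT  OBJECT(MYLIB/MYFILE) OBJTYP(*FILE) AUT(*READ *UPD)
   MONMSG     MSGID(CPF9898) EXEC(GOTO CMDLBL(DENIED))

   /* Caller is authorized in their own right: do the adopted work.    */
   CALL       PGM(MYLIB/UPDPGM)
   RETURN

DENIED:
   /* Record who was refused, then fail the call so nothing else runs. */
   RTVJOBA    USER(&USER)
   SNDPGMMSG  MSGID(CPF9898) MSGF(QCPFMSG) +
                MSGDTA('CHKUSRAUT refused' *BCAT &USER *BCAT +
                'for MYLIB/MYFILE') TOPGMQ(*PRV) MSGTYPE(*DIAG)
   SNDPGMMSG  MSGID(CPF9898) MSGF(QCPFMSG) +
                MSGDTA('Not authorized to MYLIB/MYFILE') +
                TOPGMQ(*PRV) MSGTYPE(*ESCAPE)
ENDPGM
```

Placing the check ahead of the first CALL matters because adopted authority carries through to every program called after that point.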
One QUSRTOOL tool, EXTLST, must reside on your system prior to creating CHKUSRAUT.
INFO: CHKUSRAUT (QATTINFO)
CDO: TAASECA (QATTCMD)
CPP: TAASECAC (QATTCL)
The foregoing article was adapted from Midrange Computing's QUSRTOOL Command Reference. The manual contains explanations and syntax diagrams for more than 300 obscure yet useful tools.
Installing a QUSRTOOL Tool
The tool discussed in this article is part of the QUSRTOOL library, which includes more than 300 useful AS/400 tools and is shipped free with every AS/400.
If library TAATOOL does not exist on your system, run:
CRTLIB LIB(TAATOOL)
CRTCLPGM PGM(TAATOOL/TAATOLAC) +
         SRCFILE(QUSRTOOL/QATTCL)
CALL PGM(TAATOOL/TAATOLAC)
Next, you'll create the tool. But first you need to check if there are any prerequisite QUSRTOOLs to be created. These are listed in the source member of the same name as the tool in QUSRTOOL/QATTINFO. Run the following command for each prerequisite first. Then, run it again for the tool itself.
CRTTAATOOL TOOL(tool name)
If disk space is not a concern, you can create all the tools in one step with:
Figure 1: The Check User Authority (CHKUSRAUT) Command (graphic not reproduced)