RSTLIB -- Doesn't work


  • RSTLIB -- Doesn't work

    Here's the basic gist:

    1) My user profile has a user class of *PGMR and user group GRPTEST.

    2) GRPTEST is a group for programmers (as well as "test" users for training purposes). It has *USE authority to production librs so programmers don't accidentally do a clrpfm or something similar on a production libr.

    3) The code below is a procedure to delete the test libr and restore it again from the most recent backup.
    Code:
    DLTLIB     TESTLIB
    RSTLIB     SAVLIB(PRODLIB) DEV(TAP01) RSTLIB(TESTLIB)
    GRTOBJAUT  OBJ(TESTLIB) OBJTYPE(*LIB) USER(GRPTEST) +
                              AUT(*ALL)
    GRTOBJAUT  OBJ(TESTLIB/*ALL) OBJTYPE(*ALL) +
                              USER(GRPTEST) AUT(*ALL)

    4) When I create the program that does the procedure (see #3), this is how it's done:
    Code:
    CRTBNDCL   MYLIBR/SETUPTEST  SRCFILE(MYLIBR/QSRC)
    CHGPGM     MYLIBR/SETUPTEST  USRPRF(*OWNER)

    This program is created with user profile QSECOFR.

    5) When I try to run SETUPTEST with my user profile, it allows me to delete the libr but it blows up saying "not authorized do a RSTLIB." Doesn't CHGPGM mean the person is running the program "as if" they were QSECOFR?

    6) My main goal is to be able to run the procedure with my user profile. I try to avoid signing on as QSECOFR whenever possible.
    http://www.linkedin.com/in/chippermiller

  • #2
    Re: RSTLIB -- Doesn't work

    Then don't sign on as QSECOFR; just use SBMJOB CMD(CALL SETUPTEST) USER(QSECOFR)
    I'm not anti-social, I just don't like people -Tommy Holden

    • #3
      Re: RSTLIB -- Doesn't work

      Does your profile have any special authority? To run RSTLIB you should at least have *SECADM user class, authority on lib should be at least *change

      • #4
        Re: RSTLIB -- Doesn't work

        Originally posted by Chipper
        5) When I try to run SETUPTEST with my user profile, it allows me to delete the libr but it blows up saying "not authorized do a RSTLIB."
        What is the message ID?

        Does QSECOFR have the *SAVSYS special authority?
        Jean-Michel

        • #5
          Re: RSTLIB -- Doesn't work

          Originally posted by Chipper
          Here's the basic gist:
          Doesn't CHGPGM mean the person is running the program "as if" they were QSECOFR?
          No. Doing a CHGPGM simply tells the OS which authority checking is used at run time for access to objects. If objects on your system are secured by authorization lists or user profiles then some programs will be compiled with adopted authority to allow a user to run a program that has access to something that the calling user profile does not have access to on their own.

          It does not give you special authorities (SPCAUT on the CRTUSRPRF command) that are inherent to the owner of the object, however, and that is for good reason.

          tomholden had the right answer. If you want to accomplish this, probably the best way is to simply use the USER portion on the SBMJOB command, which will act the way you were expecting it to work on the CHGPGM. Depending on your security, the object may need some special attention to accomplish this task.

          Personally, I don't recommend QSECOFR. In my world, QSECOFR is "holy" and only QSECOFR gets access to it. If I want regular users, power users or programmers to run something I have special profiles set up accordingly with various levels of access, but many shops are comfortable just using QSECOFR to accomplish those tasks.
          Last edited by egami; March 30, 2009, 07:30 AM.

          • #6
            Re: RSTLIB -- Doesn't work

            USER(QSECOFR) isn't allowed in SBMJOB
            Jean-Michel

            • #7
              Re: RSTLIB -- Doesn't work

              Originally posted by jmp
              USER(QSECOFR) isn't allowed in SBMJOB
              Good, it shouldn't be really. I wouldn't know first hand because it's a bad idea to begin with.

              In my shops I always create internal user profiles with the appropriate authority.

              • #8
                Re: RSTLIB -- Doesn't work

                Hi there,

                Maybe the user running the restore CLP is not added into the directory entries.

                • #9
                  Re: RSTLIB -- Doesn't work

                  Originally posted by jmp
                  USER(QSECOFR) isn't allowed in SBMJOB

                  Actually it is.
                  We have a JobScdE that has to run under QSysOpr due to the Group ID of the profile and the Group ID on the device we are connecting to.

                  But the only way to use QSecOfr is to be signed on as that profile.
                  This way prevents abuse of the profile.
                  Hunting down the future ms. Ex DeadManWalks. *certain restrictions apply

                  • #10
                    Re: RSTLIB -- Doesn't work

                    I don't have authority to see it, but if you go to iSeries Ops Navigator as QSECOFR (or secadm?) there is an option under BRMS to allow access to restore commands based on user groups. You can then set a group up to have the RSTLIB access and control it from there. As I have no authority I can't get you screenshots, but I have seen it in the past. Also, you can allow a user to check joblogs of other users without giving them *ALLOBJ authority from in there somewhere.
                    Greg Craill: "Life's hard - Get a helmet !!"
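
The checks asked for in replies #3 and #4 (which profile the program adopts, and whether that profile holds *SAVSYS), written as a CL program. This is an added example, not code from the thread; it reuses the MYLIBR/SETUPTEST name from the first post and assumes the caller has enough authority to the owner profile for RTVUSRPRF to read it.

```cl
/* Added example: report the owner of SETUPTEST and whether that   */
/* owner holds the *SAVSYS and *ALLOBJ special authorities.        */
/* With USRPRF(*OWNER) the program adopts the OBJECT OWNER, which  */
/* is not necessarily the profile that ran CRTBNDCL.               */
PGM
  DCL VAR(&OWNER)  TYPE(*CHAR) LEN(10)
  DCL VAR(&SPCAUT) TYPE(*CHAR) LEN(100)
  DCL VAR(&ENTRY)  TYPE(*CHAR) LEN(10)
  DCL VAR(&I)      TYPE(*INT)
  DCL VAR(&SAVSYS) TYPE(*CHAR) LEN(1) VALUE('N')
  DCL VAR(&ALLOBJ) TYPE(*CHAR) LEN(1) VALUE('N')
  DCL VAR(&MSG)    TYPE(*CHAR) LEN(80)

  /* Who owns the program object right now? */
  RTVOBJD OBJ(MYLIBR/SETUPTEST) OBJTYPE(*PGM) OWNER(&OWNER)

  /* SPCAUT comes back as ten 10-character entries */
  RTVUSRPRF USRPRF(&OWNER) SPCAUT(&SPCAUT)

  DOFOR VAR(&I) FROM(1) TO(91) BY(10)
    CHGVAR VAR(&ENTRY) VALUE(%SST(&SPCAUT &I 10))
    IF COND(&ENTRY *EQ '*SAVSYS') +
       THEN(CHGVAR VAR(&SAVSYS) VALUE('Y'))
    IF COND(&ENTRY *EQ '*ALLOBJ') +
       THEN(CHGVAR VAR(&ALLOBJ) VALUE('Y'))
  ENDDO

  CHGVAR VAR(&MSG) VALUE('SETUPTEST owner' *BCAT &OWNER +
         *BCAT '*SAVSYS=' *CAT &SAVSYS +
         *BCAT '*ALLOBJ=' *CAT &ALLOBJ)
  SNDPGMMSG MSG(&MSG)

  /* Interactive follow-ups:                                       */
  /*   DSPPGM PGM(MYLIBR/SETUPTEST)  - check the "User profile"    */
  /*                                   attribute reads *OWNER      */
  /*   DSPJOBLOG                     - after the failing call, to  */
  /*                                   get the message ID          */
ENDPGM
```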
