Troubleshooting
Problem
This document shows how to restore authorization to objects secured by authorization lists in QSYS.
Resolving The Problem
During a recent disaster recovery test at our host site, users lost authority to commands that are stored in library QSYS. Why did this happen?
You may use an authorization list to secure IBM-supplied objects in library QSYS. For example, you may want to restrict the use of certain commands to a few users. However, when you perform a complete system recovery, the links between your authorization list and the objects in QSYS are lost.
The only way to restore authorization lists is to restore all user profiles by using the RSTUSRPRF USRPRF(*ALL) command. However, this command will not automatically restore associations between authorization lists and objects in library QSYS because during a complete system recovery, the QSYS library objects are restored before the authorization lists. Each object contains the name of the authorization list it is associated with, but the actual authorization lists are stored with the user profiles. Because the authorization lists are not yet on the system when library QSYS is restored, the associations remain lost.
To re-establish an association between an IBM-supplied object and an authorization list after you recover your system, use the Edit Object Authority (EDTOBJAUT) or Grant Object Authority (GRTOBJAUT) command.
Note: Starting in R730, the links to objects secured with authorization lists in QSYS are preserved and a user will no longer have to run the programs in this document to link the objects in library QSYS to the authorization lists.
The enhancements in R730 are as follows:
o Authorization list links preserved for objects in QSYS.
o The Save System (SAVSYS) and Save Security Data (SAVSECDTA) commands now save an internal list of objects in library QSYS that are linked to authorization lists. This increases the duration of the SAVSYS and SAVSECDTA commands.
o The Restore User Profile commands RSTUSRPRF USRPRF(*ALL) and RSTUSRPRF USRPRF(*NEW) restore the internal list.
o The Restore Authority (RSTAUT) command links the objects in library QSYS to the authorization lists if they are not already linked.
Limitations of Authorization Lists
Authorization lists can be used for objects stored in library QSYS, but special considerations are needed for a total system recovery for these objects. In the event the system must be reloaded, the objects in library QSYS are not attached to an authorization list. The objects are restored with the installation, but the authorization lists are not restored until later when you perform a Restore User Profiles (RSTUSRPRF). Because the objects in library QSYS are restored before the authorization lists, the objects are not associated with the authorization lists.
Special planning is required as part of the system backup procedure to reattach objects in QSYS. Prior to the system backup, a database file that lists all the objects on authorization lists must be produced. This can be done using the program ALLAUTL1 described below.
If you need to perform a total system restore, the objects in library QSYS can be reattached to their authorization list after the authorization lists have been restored (RSTUSRPRF). The information in the file can be used to attach objects back to the authorization lists. The program FIXAUTL1 illustrates the use of this file to reattach objects to authorization lists.
The following programs can be used to attach authorization lists when objects are restored on a different system or when objects are restored in library QSYS because of a total system rebuild. Before the save operation, the security officer runs the ALLAUTL command, which creates a database file listing every object on every authorization list. That database file is then saved and restored to the target system, and the FIXAUTL command reads it to attach the objects to their authorization lists.
Caution: This document contains code made available by IBM Corporation on an as is basis. Anyone receiving this document is considered to be licensed under IBM copyrights to use the IBM-provided source code in any way he or she deems fit, including copying it, compiling it, modifying it, and redistributing it, with or without modifications. No license under any IBM patents or patent applications is to be implied from this copyright license.
A save file containing the programs ALLAUTL1 and FIXAUTL1 as well as the commands ALLAUTL and FIXAUTL has been included with this document. You should FTP the attached save file in binary mode to your system and then restore the objects with the following command.
RSTOBJ OBJ(*ALL) SAVLIB(QGPL) DEV(*SAVF) SAVF(QGPL/FIXAUTL)
After restoring these objects, you can then use the ALLAUTL and FIXAUTL commands to reattach objects to authorization lists.
After running the FIXAUTL command, you may receive message CPF9898 with text of the form "00025 Objects not attached 04715 Objects attached to authorization list". The first count is the number of objects the program could not attach and the second is the number it attached; FIXAUTL1 sends this text as an escape message when any object failed, and sends only the "Objects attached to authorization list" count as a completion message when every object was attached.
Note: It is the responsibility of the customer to investigate the objects not attached, if any, by reviewing the joblog.
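The following CL command sequence is an added example and is not part of the IBM document or its save file. It walks through the whole lifecycle the document describes: securing a QSYS command with an authorization list, building the object list with ALLAUTL before the save, and re-linking the QSYS objects with FIXAUTL after a total system recovery. The list name SECCMDS, the user OPERATOR, the file QGPL/AUTLOBJ and the device TAP01 are assumed names; PWRDWNSYS stands for whichever command you choose to restrict, and the SAVLIB/RSTLIB of QGPL stands for your normal user-data backup within the documented RSTUSRPRF/RSTAUT recovery sequence.

```cl
/* Added example, not IBM code. SECCMDS, OPERATOR, QGPL/AUTLOBJ and TAP01  */
/* are assumed names; PWRDWNSYS is only an illustrative command to secure. */

/* 1. Before any disaster: secure the command with an authorization list.  */
/*    Public authority on the list itself is *EXCLUDE, so only entries     */
/*    on the list can use the objects it secures.                          */
CRTAUTL    AUTL(SECCMDS) AUT(*EXCLUDE) +
             TEXT('Restricted QSYS commands')
ADDAUTLE   AUTL(SECCMDS) USER(OPERATOR) AUT(*USE)
/* Attach the list to the object, then make the object's *PUBLIC authority */
/* defer to the list. These are the same two grants FIXAUTL1 repeats for   */
/* every record when it re-links objects after a recovery.                 */
GRTOBJAUT  OBJ(QSYS/PWRDWNSYS) OBJTYPE(*CMD) AUTL(SECCMDS)
GRTOBJAUT  OBJ(QSYS/PWRDWNSYS) OBJTYPE(*CMD) USER(*PUBLIC) AUT(*AUTL)

/* 2. Before every SAVSYS/SAVSECDTA: record every object on every list    */
/*    into a library that is part of the normal user-data backup.         */
ALLAUTL    OUTFILE(QGPL/AUTLOBJ)
SAVLIB     LIB(QGPL) DEV(TAP01)

/* 3. After a total system recovery, in this order: the authorization     */
/*    lists come back with the user profiles, then the list file, then    */
/*    the QSYS objects are re-linked, then private authorities as usual.  */
RSTUSRPRF  USRPRF(*ALL) DEV(TAP01)
RSTLIB     SAVLIB(QGPL) DEV(TAP01)
FIXAUTL    FILE(QGPL/AUTLOBJ)
RSTAUT

/* 4. Verify: DSPOBJAUT shows the Authorization list field for the object */
/*    (expected: SECCMDS) and DSPAUTLOBJ lists the object under the list. */
DSPOBJAUT  OBJ(QSYS/PWRDWNSYS) OBJTYPE(*CMD)
DSPAUTLOBJ AUTL(SECCMDS)
```

If FIXAUTL is run from a CL program rather than interactively, follow it with MONMSG MSGID(CPF9898), because FIXAUTL1 sends the "Objects not attached" text as an escape message whenever at least one grant failed. The per-object GRTOBJAUT failures are monitored inside FIXAUTL1 and only counted, so the reason for each unattached object is found in the joblog (DSPJOBLOG, subject to the job's logging level), which is the review the note above asks for.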
The source for the ALLAUTL1 and FIXAUTL1 programs and for the ALLAUTL and FIXAUTL commands can be found below.
ALLAUTL1 - List All Objects on AUTL
PGM        PARM(&PARM1)
/**********************************************************************/
/* ALLAUTL1 -- This program creates a database file listing every     */
/*             object on every authorization list on the system.      */
/*             The file can be used as input to the FIXAUTL1 program  */
/*             to reattach objects to their authorization lists when  */
/*             they are restored on a system other than the one they  */
/*             were saved from.                                       */
/* INPUT    -- Name of the OUTFILE (qualified: name in positions      */
/*             1-10, library in positions 11-20)                      */
/* OUTPUT   -- The file containing the objects and their associated   */
/*             authorization list (DSPAUTLOBJ outfile format)         */
/* NOTE     -- Program MUST be run by a user with *ALLOBJ authority   */
/**********************************************************************/
DCL        VAR(&MSGID) TYPE(*CHAR) LEN(7)
DCL        VAR(&MSGDTA) TYPE(*CHAR) LEN(50)
DCL        VAR(&MSGF) TYPE(*CHAR) LEN(10)
DCL        VAR(&MSGLIB) TYPE(*CHAR) LEN(10)
DCL        VAR(&RTNTYPE) TYPE(*CHAR) LEN(2)
DCL        VAR(&ERROR) TYPE(*LGL)
DCL        VAR(&PARM1) TYPE(*CHAR) LEN(20)
DCL        VAR(&OUTFILE) TYPE(*CHAR) LEN(10)
DCL        VAR(&OUTLIB) TYPE(*CHAR) LEN(10)
/* First list replaces the output member, later lists are added to it */
DCL        VAR(&MBROPT) TYPE(*CHAR) LEN(10) +
             VALUE(*REPLACE)
DCLF       FILE(QADSPOBJ)
/************** START OF PROGRAM **************/
MONMSG     MSGID(CPF0000) EXEC(GOTO CMDLBL(ERROR))
CHGVAR     VAR(&OUTFILE) VALUE(%SST(&PARM1 1 10))
CHGVAR     VAR(&OUTLIB) VALUE(%SST(&PARM1 11 10))
/* Work file of every authorization list (*AUTL objects reside in QSYS) */
DSPOBJD    OBJ(QSYS/*ALL) OBJTYPE(*AUTL) +
             OUTPUT(*OUTFILE) OUTFILE(QTEMP/AUTL)
OVRDBF     FILE(QADSPOBJ) TOFILE(QTEMP/AUTL)
READ:      RCVF
           MONMSG MSGID(CPF0864) EXEC(GOTO CMDLBL(EOF))
/* Write the objects secured by this list to the output file */
           DSPAUTLOBJ AUTL(&ODOBNM) OUTPUT(*OUTFILE) +
                        OUTFILE(&OUTLIB/&OUTFILE) OUTMBR(*FIRST +
                        &MBROPT)
           MONMSG MSGID(CPF6250 CPF9800) EXEC(GOTO CMDLBL(READ))
           CHGVAR VAR(&MBROPT) VALUE('*ADD')
           GOTO CMDLBL(READ)
EOF:       GOTO CMDLBL(EXIT)
ERROR:     /******************* ERROR HANDLING ROUTINE ************/
           IF COND(&ERROR) THEN(GOTO CMDLBL(EXIT))
           CHGVAR VAR(&ERROR) VALUE('1')
/* Forward every queued message as a diagnostic, then resend the */
/* escape message so the caller sees the original failure        */
RECEIVE:   RCVMSG MSGTYPE(*ANY) MSGDTA(&MSGDTA) MSGID(&MSGID) +
             RTNTYPE(&RTNTYPE) MSGF(&MSGF) +
             MSGFLIB(&MSGLIB)
           IF COND(&RTNTYPE *NE '15') THEN(DO) /* not an escape message */
              SNDPGMMSG MSGID(&MSGID) MSGF(&MSGF) MSGDTA(&MSGDTA) +
                          MSGTYPE(*DIAG)
              GOTO CMDLBL(RECEIVE)
           ENDDO
           SNDPGMMSG MSGID(&MSGID) MSGF(&MSGF) MSGDTA(&MSGDTA) +
                       MSGTYPE(*ESCAPE)
EXIT:      ENDPGM
FIXAUTL1 - Add Objects to AUTL
PGM        PARM(&PARM1)
/**********************************************************************/
/* FIXAUTL1 -- This program reads the database file that lists the    */
/*             objects on the authorization lists (the ALLAUTL1       */
/*             output, in DSPAUTLOBJ outfile format QADALO), attaches */
/*             each object to the authorization list named in its     */
/*             record, and sets the object's *PUBLIC authority to     */
/*             *AUTL so that the list governs public access.          */
/* INPUT    -- Name of the file containing the objects and their      */
/*             associated authorization list (qualified: name in      */
/*             positions 1-10, library in positions 11-20)            */
/* NOTE     -- Program MUST be run by a user with *ALLOBJ authority   */
/**********************************************************************/
DCL        VAR(&MSGID) TYPE(*CHAR) LEN(7)
DCL        VAR(&MSGDTA) TYPE(*CHAR) LEN(50)
DCL        VAR(&MSGF) TYPE(*CHAR) LEN(10)
DCL        VAR(&MSGLIB) TYPE(*CHAR) LEN(10)
DCL        VAR(&RTNTYPE) TYPE(*CHAR) LEN(2)
DCL        VAR(&ERROR) TYPE(*LGL)
DCL        VAR(&PARM1) TYPE(*CHAR) LEN(20)
DCL        VAR(&OUTFILE) TYPE(*CHAR) LEN(10)
DCL        VAR(&OUTLIB) TYPE(*CHAR) LEN(10)
DCL        VAR(&TOTAL) TYPE(*DEC) LEN(5 0) VALUE(0)  /* records read     */
DCL        VAR(&FAIL) TYPE(*DEC) LEN(5 0) VALUE(0)   /* grants that failed */
DCL        VAR(&TOTALC) TYPE(*CHAR) LEN(5)
DCL        VAR(&FAILC) TYPE(*CHAR) LEN(5)
DCLF       FILE(QADALO)
/******* START OF PROGRAM ***************/
MONMSG     MSGID(CPF0000) EXEC(GOTO CMDLBL(ERROR))
CHGVAR     VAR(&OUTFILE) VALUE(%SST(&PARM1 1 10))
CHGVAR     VAR(&OUTLIB) VALUE(%SST(&PARM1 11 10))
OVRDBF     FILE(QADALO) TOFILE(&OUTLIB/&OUTFILE)
READ:      RCVF
           MONMSG MSGID(CPF0864) EXEC(GOTO CMDLBL(EOF))
           CHGVAR VAR(&TOTAL) VALUE(&TOTAL + 1.0)
/* Attach the object to the authorization list recorded for it */
           GRTOBJAUT OBJ(&AOLIB/&AONAME) OBJTYPE(&AOTYPE) +
                       AUTL(&AOANAM)
           MONMSG MSGID(CPF0000) EXEC(DO)  /* grant failed: count it, go on */
              CHGVAR VAR(&FAIL) VALUE(&FAIL + 1.0)
              GOTO CMDLBL(READ)
           ENDDO
/* Let the authorization list control public access to the object */
           GRTOBJAUT OBJ(&AOLIB/&AONAME) OBJTYPE(&AOTYPE) +
                       USER(*PUBLIC) AUT(*AUTL)
           GOTO CMDLBL(READ)
EOF:       GOTO CMDLBL(EXIT)
ERROR:     /********* ERROR HANDLING ROUTINE *******************/
           IF COND(&ERROR) THEN(GOTO CMDLBL(EXIT))
           CHGVAR VAR(&ERROR) VALUE('1')
/* Forward every queued message as a diagnostic, then resend the */
/* escape message so the caller sees the original failure        */
RECEIVE:   RCVMSG MSGTYPE(*ANY) MSGDTA(&MSGDTA) MSGID(&MSGID) +
             RTNTYPE(&RTNTYPE) MSGF(&MSGF) +
             MSGFLIB(&MSGLIB)
           IF COND(&RTNTYPE *NE '15') THEN(DO) /* not an escape message */
              SNDPGMMSG MSGID(&MSGID) MSGF(&MSGF) MSGDTA(&MSGDTA) +
                          MSGTYPE(*DIAG)
              GOTO CMDLBL(RECEIVE)
           ENDDO
           SNDPGMMSG MSGID(&MSGID) MSGF(&MSGF) MSGDTA(&MSGDTA) +
                       MSGTYPE(*ESCAPE)
/* Report counts: attached = records read - failed grants.          */
/* Any failure is reported as an escape message, otherwise as a     */
/* completion message.                                              */
EXIT:      CHGVAR VAR(&TOTAL) VALUE(&TOTAL - &FAIL)
           CHGVAR VAR(&TOTALC) VALUE(&TOTAL)
           IF COND(&FAIL *NE 0) THEN(DO)
              CHGVAR VAR(&FAILC) VALUE(&FAIL)
              SNDPGMMSG MSGID(CPF9898) MSGF(QCPFMSG) MSGDTA(&FAILC +
                          || ' Objects not attached ' || &TOTALC +
                          || ' Objects attached to authorization +
                          list') MSGTYPE(*ESCAPE)
           ENDDO
           SNDPGMMSG MSGID(CPF9898) MSGF(QCPFMSG) MSGDTA(&TOTALC +
                       || ' Objects attached to authorization +
                       list') MSGTYPE(*COMP)
           ENDPGM
ALLAUTL -- Build List of Objects on Authorization Lists
CRTCMD ALLAUTL PGM(ALLAUTL1)
CMD        PROMPT('List All Objects on AUTL')
PARM       KWD(OUTFILE) TYPE(Q1) MIN(1) PROMPT('Output +
             File Name')
Q1:        QUAL TYPE(*NAME) LEN(10)
           QUAL TYPE(*NAME) LEN(10) DFT(*CURLIB) +
             SPCVAL((*CURLIB) (*LIBL)) PROMPT('Library')
FIXAUTL -- Attach Objects to Authorization Lists
CRTCMD FIXAUTL PGM(FIXAUTL1)
CMD        PROMPT('Fix Authorization List')
PARM       KWD(FILE) TYPE(Q1) MIN(1) PROMPT('File')
Q1:        QUAL TYPE(*NAME) LEN(10)
           QUAL TYPE(*NAME) LEN(10) DFT(*LIBL) +
             SPCVAL((*CURLIB) (*LIBL)) PROMPT('Library')
Historical Number
19810209
Document Information
Modified date:
18 December 2019
UID
nas8N1017745