IBM Support

Considerations for Adopted Authority When Utilizing User Profile *OWNER in a Program

Troubleshooting


Problem

This document contains considerations for Adopted authority when utilizing user profile *OWNER in a program.

Resolving The Problem

Under normal circumstances, it is fair to assume that when *OWNER is specified for the user profile, either when a CLP is compiled or with the CHGPGM command, the program runs with the authorities of both the user running the program and the object owner.

There is a minor caveat, however, when using either the CRTUSRPRF or the CHGUSRPRF command in your CLP.

A restriction that has existed since release 7 of the System 38 operating system requires the user running the CLP to be authorized to any group profiles referenced in the command.

A very simple program to help demonstrate this scenario follows:

PGM

/* Create GOPHERS with a group profile and two supplemental groups */
CRTUSRPRF USRPRF(GOPHERS) GRPPRF(GAWGRP) +
          SUPGRPPRF(GAWGRP1 GAWGRP2)
DLYJOB DLY(600)
WRKACTJOB

ENDPGM

After this program is compiled with *OWNER specified for the user profile parameter, DSPPGM displays the following information:

                       Display Program Information                    
                                                                         
Program  . . . . . . . :   MSGTEST       Library  . . . . . . . :   GEOFF
Owner  . . . . . . . . :   V8GEOFFW                                      
Program attribute  . . :   CLP                                          
                                                                         
Program creation information:                                            
  Program creation date/time . . . . . . . . . . . :   12/04/08  11:22:41
  Type of program  . . . . . . . . . . . . . . . . :   OPM              
  Source file  . . . . . . . . . . . . . . . . . . :   QCLSRC            
    Library  . . . . . . . . . . . . . . . . . . . :     GEOFF          
  Source member  . . . . . . . . . . . . . . . . . :   MSGTEST          
  Source file change date/time . . . . . . . . . . :   12/04/08  11:05:27
  Observable information . . . . . . . . . . . . . :   *ALL              
  User profile . . . . . . . . . . . . . . . . . . :   *OWNER           
  Use adopted authority  . . . . . . . . . . . . . :   *YES              
  Log commands (CL program)  . . . . . . . . . . . :   *JOB              
  Allow RTVCLSRC (CL program)  . . . . . . . . . . :   *YES              
  Fix decimal data . . . . . . . . . . . . . . . . :   *NO              

It is natural to assume that, because *OWNER is specified for the user profile, the owner's (V8GEOFFW) authorities will be used in addition to those of the user running the program when another user runs it. However, when this program is run by user GEOFF3, the following error occurs:

   Job 235653/GEOFF3/QPADEV000J started on 12/04/08 at 11:42:00 in subsystem
      QINTER in QSYS. Job entered system on 12/04/08 at 11:42:00.            
  > /*      */                                                              
3 > call geoff/msgtest                                                      
    Not authorized to object GAWGRP in QSYS.                                
    CPF9802 received by MSGTEST at 200. (C D I R)                            
  ? C                                                                        
    Function check. CPF9802 unmonitored by MSGTEST at statement 200,        
      instruction X'000C'.                                                  

                       Display Message Details                          
                                                                             
 Message ID . . . . . . :   CPF9802       Severity . . . . . . . :   40      
 Date sent  . . . . . . :   12/04/08      Time sent  . . . . . . :   11:36:04
 Message type . . . . . :   Escape                                          
 From . . . . . . . . . :   GEOFF3        CCSID  . . . . . . . . :   65535  
                                                                             
 From program . . . . . . . . . :   QSYUP                                    
   From library . . . . . . . . :     QSYS                                  
   Instruction  . . . . . . . . :     3748                                  
                                                                             
 To program . . . . . . . . . . :   MSGTEST                                  
   To library . . . . . . . . . :     GEOFF                                  
   Instruction  . . . . . . . . :     000C                                  
                                                                             
 Time sent  . . . . . . . . . . :   11:36:04.940400

You now find yourself wondering just what in the world is going on. You check the current object authorities for the group profile and find the following:

  Edit Object Authority                        
                                                                           
 Object . . . . . . . :   GAWGRP          Owner  . . . . . . . :   V8GEOFFW
   Library  . . . . . :     QSYS          Primary group  . . . :   *NONE  
 Object type  . . . . :   *USRPRF         ASP device . . . . . :   *SYSBAS
                                                                           
                                                                           
                          Object                                          
 User        Group       Authority                                        
 *PUBLIC                 *EXCLUDE                                          
 V8GEOFFW                *ALL                                             
 GAWGRP                  USER DEF                                          
 GEOFF9                  USER DEF

                                                             
                         Object    ----------Object-----------
User        Group       Authority  Opr  Mgt  Exist  Alter  Ref
*PUBLIC                 *EXCLUDE                              
V8GEOFFW                *ALL        X    X     X      X     X
GAWGRP                  USER DEF    X    X                    
GEOFF9                  USER DEF    X    X                    

                                                                     
                         Object    ---------------Data---------------
User        Group       Authority  Read  Add  Update  Delete  Execute
*PUBLIC                 *EXCLUDE                                    
V8GEOFFW                *ALL        X     X     X       X        X  
GAWGRP                  USER DEF    X     X     X       X        X  
GEOFF9                  USER DEF    X     X     X       X            

Why didn't this work?

The answer goes back to the earlier statement about the restriction on the CRTUSRPRF and CHGUSRPRF commands. If these commands are used within your program, you must ensure that the user running the program has the proper authority to the group profiles. Because of the restriction, it is incorrect to assume that the owner's authorities will satisfy this requirement.
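
One way to apply the fix described above, as an added example that is not part of the original IBM document: grant the calling user (GEOFF3) its own authority to each group profile named on CRTUSRPRF, and monitor for CPF9802 so that a missing grant no longer ends in a function check. The authority set is an assumption taken from the GEOFF9 entry in the display above (Opr, Mgt, Read, Add, Update, Delete), the CPF9898 message text is constructed for the example, and the DLYJOB and WRKACTJOB steps are left out.

```cl
/* Part 1: one-time grants, entered on a command line.              */
/* Run by a user who can manage the group profiles (V8GEOFFW owns   */
/* GAWGRP in the display above). The AUT list is an assumption that */
/* mirrors what GEOFF9 already holds.                               */
GRTOBJAUT  OBJ(QSYS/GAWGRP)  OBJTYPE(*USRPRF) USER(GEOFF3) +
             AUT(*OBJOPR *OBJMGT *READ *ADD *UPD *DLT)
GRTOBJAUT  OBJ(QSYS/GAWGRP1) OBJTYPE(*USRPRF) USER(GEOFF3) +
             AUT(*OBJOPR *OBJMGT *READ *ADD *UPD *DLT)
GRTOBJAUT  OBJ(QSYS/GAWGRP2) OBJTYPE(*USRPRF) USER(GEOFF3) +
             AUT(*OBJOPR *OBJMGT *READ *ADD *UPD *DLT)

/* Part 2: source for the adopting program (USRPRF *OWNER).         */
/* The group profile check is made against the caller, not the      */
/* owner, so CPF9802 is monitored and turned into a clear escape    */
/* message instead of an unmonitored function check.                */
PGM

  CRTUSRPRF  USRPRF(GOPHERS) GRPPRF(GAWGRP) +
               SUPGRPPRF(GAWGRP1 GAWGRP2)
  MONMSG     MSGID(CPF9802) EXEC(DO)
    /* Constructed message text; CPF9898 is the general-purpose     */
    /* impromptu message in QCPFMSG.                                */
    SNDPGMMSG  MSGID(CPF9898) MSGF(QCPFMSG) +
                 MSGDTA('Caller lacks authority to a group profile') +
                 MSGTYPE(*ESCAPE)
  ENDDO

ENDPGM
```

Keep the grants limited to the users who must call the program, because they are private authorities on the group profiles themselves and apply outside MSGTEST as well.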

Internal Use Only

OS/400 BASE (5722SS100)


Historical Number

508148661

Document Information

Modified date:
17 June 2018

UID

nas8N1013328