CHGGRPPRF -- Change Group Profile - Switches GrpPrf During Job

CHGGRPPRF CHANGE GROUP PROFILE DURING A JOB TAASECJ
The Change Group Profile during a job command allows the user to switch to a different group profile during a job. This provides a form of multiple group profiles. The command must be entered by the user who wants to change to a different group profile. A typical command would be entered as: CHGGRPPRF GRPPRF(xxxxx) After the command is run, the user's profile reflects the new group profile name and the job will operate under the new group profile. Any authority from the previous group profile would not be included in the system authorization checking. The CHGGRPPRF command differs from the system support of multiple group profiles. The system support allows the permanent naming of multiple group profiles for any user. There are disadvantages of the system support: There is increased overhead to perform security checking when multiple group profiles exist. The user has access at any time to the objects that are authorized to the group profiles. For example, the user may run a Query against a data file authorized to the group profile. CHGGRPPRF provides a solution that avoids security problems when a production function is running, but does not allow the user to have access outside of the production job. The user issuing the command must have explicit authority to the user profile being changed to. The following commands would allow USERA to use CHGGRPPRF to switch back and forth between GROUP1 and GROUP2. GRTOBJAUT OBJ(GROUP1) OBJTYPE(USRPRF) USER(USERA) AUT(OBJMGT OBJOPR READ ADD DLT UPD) GRTOBJAUT OBJ(GROUP2) OBJTYPE(USRPRF) USER(USERA) AUT(OBJMGT OBJOPR READ ADD DLT UPD) All rights except OBJEXIST must be granted. No error occurs if the current group profile is already the existing group profile. If the current job is a group job, the group profile may not match the group profile in the user profile. Therefore, if the job is a group job, the group profile is always changed as requested. The command is implemented by using CHGUSRPRF to change to the new group profile and then using API support to change the user profile of the job to the current user. This causes the system to re-establish the group profile. Command parameters CMD ------------------ GRPPRF The user profile which is to be the new group profile. The special value NONE may be entered if no group profile is required. Restrictions ------------ The user must issue the command from within his own job to change to the new group profile. The user must be authorized to all profiles that need to be changed to. See the previous sample commands. All rights except OBJEXIST must be granted. The command processing program must adopt the authority of a user with ALLOBJ and SECADM special authority. Therefore, the tool can only be created by a user with these special authorities. Prerequisites ------------- None. Implementation -------------- None, the tool is ready to use. Objects used by the tool ------------------------ Object Type Attribute Src member Src file ------ ---- --------- ---------- ---------- CHGGRPPRF CMD TAASECJ QATTCMD TAASECJC PGM CLP TAASECJC QATTCL

CHGGRPPRF       CHANGE GROUP PROFILE DURING A JOB      TAASECJ


The  Change Group  Profile during  a  job command  allows  the user  to
switch  to a different  group profile  during a  job.  This  provides a
form of multiple group profiles.

The  command  must be  entered by  the user  who wants  to change  to a
different group profile.

A typical command would be entered as:

       CHGGRPPRF    GRPPRF(xxxxx)

After the command  is run,  the user's profile  reflects the new  group
profile  name and the  job will  operate under  the new  group profile.
Any  authority from  the previous group  profile would  not be included
in the system authorization checking.

The CHGGRPPRF  command  differs from  the  system support  of  multiple
group profiles.   The  system support  allows the  permanent naming  of
multiple group  profiles for any user.   There are disadvantages of the
system support:

  **   There is increased  overhead to perform  security checking  when
       multiple group profiles exist.

  **   The  user  has access  at  any  time  to the  objects  that  are
       authorized  to the group  profiles.   For example, the  user may
       run  a  Query  against  a  data  file  authorized  to  the group
       profile.   CHGGRPPRF provides  a solution  that avoids  security
       problems  when a production  function is  running, but  does not
       allow the user to have access outside of the production job.

The  user issuing the command must have  explicit authority to the user
profile being changed  to.   The following commands  would allow  USERA
to use  CHGGRPPRF to switch back  and forth between GROUP1  and GROUP2.

       GRTOBJAUT    OBJ(GROUP1) OBJTYPE(*USRPRF) USER(USERA)
                      AUT(*OBJMGT *OBJOPR *READ *ADD *DLT *UPD)

       GRTOBJAUT    OBJ(GROUP2) OBJTYPE(*USRPRF) USER(USERA)
                      AUT(*OBJMGT *OBJOPR *READ *ADD *DLT *UPD)

All rights except *OBJEXIST must be granted.

No  error occurs if the  current group profile is  already the existing
group profile.  If the  current job is a  group job, the group  profile
may not  match the group  profile in the  user profile.   Therefore, if
the  job  is a  group  job,  the group  profile  is  always changed  as
requested.

The  command is  implemented by  using CHGUSRPRF  to change to  the new
group profile and  then using  API support to  change the user  profile
of  the  job  to  the  current   user.    This  causes  the  system  to
re-establish the group profile.

Command parameters                                    *CMD
------------------

   GRPPRF        The  user  profile  which  is  to  be  the  new  group
                 profile.  The  special value *NONE  may be entered  if
                 no group profile is required.

Restrictions
------------

The user must  issue the command from  within his own job  to change to
the new group profile.

The  user must be  authorized to all  profiles that need  to be changed
to.  See  the previous sample  commands.  All  rights except  *OBJEXIST
must be granted.

The command  processing  program must  adopt the  authority  of a  user
with *ALLOBJ  and *SECADM special  authority.  Therefore,  the tool can
only be created by a user with these special authorities.

Prerequisites
-------------

None.

Implementation
--------------

None, the tool is ready to use.

Objects used by the tool
------------------------

   Object        Type        Attribute      Src member    Src file
   ------        ----        ---------      ----------    ----------

   CHGGRPPRF     *CMD                       TAASECJ       QATTCMD
   TAASECJC      *PGM           CLP         TAASECJC      QATTCL

Added to TAA Productivity tools April 1, 1995

Home Page

Up to Top