The Display with adopt tool is a series of DSP commands that perform
the same function as system commands except that they adopt the
security officer's profile while in execution. This allows a user
who is authorized to the TAADSPADP authorization list to display the
object description or attribute level of information regardless of
the security on the object or library.
This is useful for auditors or for programmers who require something
less than *ALLOBJ authority.
None of the commands allow the user to display any data (data base or
data areas) nor can the user make any changes to the objects.
No user (unless he has *ALLOBJ authority) can use the commands
unless explicitly authorized to TAADSPADP.
The following are the commands provided:
TAA                                             System
Command       Description                       Command
-------       ------------                      -------
DSPCLSA       Display class                     DSPCLS
DSPCMDA       Display command                   DSPCMD
DSPDBRA       Display data base relations       DSPDBR
DSPFDA        Display file description          DSPFD
DSPFFDA       Display file field description    DSPFFD
DSPJOBDA      Display job description           DSPJOBD
DSPLIBA       Display library                   DSPLIB
DSPOBJAUTA    Display object authority          DSPOBJAUT
DSPOBJDA      Display object description        DSPOBJD
DSPPGMA       Display program                   DSPPGM
DSPPGMADPA    Display program adopt             DSPPGMADP
DSPPGMREFA    Display program references        DSPPGMREF
DSPSAVFA      Display save file                 DSPSAVF
DSPSBSDA      Display subsystem description     DSPSBSD
DSPUSRPRFA    Display user profile              DSPUSRPRF
The commands allow an authorized user to perform a reasonable degree
of troubleshooting on the system or allow a user to perform
system-wide functions that in most cases will not negate security
requirements.
For example, there are many cases where private libraries exist and a
function is needed to operate across the entire system. Many of the
TAA tools such as PRTDBFEXP and PRTLIBANL require a user who has
*ALLOBJ authority to operate on all libraries. These TAA tools use
the DSPxxxA commands and therefore only require authority to the
TAADSPADP authorization list. See the section on tools which require
DSPADP.
The DSPxxxA commands use the same prompts as the DSPxxx command they
are emulating.
A typical command might be to review all of the job descriptions in a
library. The user of the command (assuming he has authorization to
TAADSPADP) does not need any authorization to the library or objects.
     DSPOBJDA   OBJ(xxx/*ALL) OBJTYPE(*JOBD)
All of the commands in the above list that support outfiles can be
used to create data base files.
Command parameters *CMD
------------------
See the command being emulated.
Security considerations
-----------------------
DSPADP is owned by QSECOFR. The profile is adopted during execution.
To use one of the commands, a user must be authorized to the
TAADSPADP authorization list.
None of the DSPxxxA commands allow any change capability nor do they
allow a user to see any data within the objects. For example, no
data base file can be read, a data area cannot be displayed, a
message file or message queue cannot be read etc.
You must review the list of commands and decide whether you consider
any of the capabilities to be security sensitive. In most
situations, displays of object level information or the detail
description of an object like a job description would not be
considered security sensitive.
Commands which create an outfile require that if the file exists, the
same format be used. Therefore, it is impossible to delete
application data unless it was originally created using the same
format as the outfile.
TAA tools which require DSPADP
------------------------------
Several TAA tools require that the DSPxxxA commands exist in order to
be created.
If the user of a tool like PRTDBFEXP specifies a single library, the
tool checks to see if he is authorized to TAADSPADP. If not, the
normal DSPFD command is executed using the user's own authority. If
the user is not authorized to the library or the objects, an error
will occur. If the user is authorized to TAADSPADP, the DSPFDA
command is executed. In order to specify LIB(*ALL), the user must be
authorized to TAADSPADP.
If the user has *ALLOBJ authority, the user is already authorized to
the TAADSPADP authorization list and does not need specific authority.
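The check-and-fall-back behavior described above can be sketched in CL
as follows. This is an added example, not the source of PRTDBFEXP or
any other TAA tool; the parameter &LIB, the outfile QTEMP/FDOUT and the
use of CHKOBJ to test authority to the list are assumptions made for
illustration.

```cl
/* Added example - not TAA tool source. &LIB and QTEMP/FDOUT are      */
/* illustrative names.                                                */
PGM        PARM(&LIB)
  DCL        VAR(&LIB)   TYPE(*CHAR) LEN(10)
  DCL        VAR(&ADOPT) TYPE(*LGL)  VALUE('1')

  /* CHKOBJ sends CPF9802 when the caller lacks *USE to the list.     */
  /* A user with *ALLOBJ passes this check without a list entry.      */
  CHKOBJ     OBJ(QSYS/TAADSPADP) OBJTYPE(*AUTL) AUT(*USE)
  MONMSG     MSGID(CPF9802) EXEC(CHGVAR VAR(&ADOPT) VALUE('0'))

  /* LIB(*ALL) is refused unless the caller is on TAADSPADP.          */
  IF         COND((&LIB *EQ '*ALL') *AND (*NOT &ADOPT)) THEN(DO)
    SNDPGMMSG  MSGID(CPF9898) MSGF(QCPFMSG) +
                 MSGDTA('LIB(*ALL) requires *USE authority to +
                 authorization list TAADSPADP') MSGTYPE(*ESCAPE)
  ENDDO

  IF         COND(&ADOPT) THEN(DO)
    /* Runs under the adopted profile: no authority to &LIB needed.   */
    DSPFDA     FILE(&LIB/*ALL) TYPE(*MBRLIST) OUTPUT(*OUTFILE) +
                 OUTFILE(QTEMP/FDOUT)
  ENDDO
  ELSE       CMD(DO)
    /* Runs under the caller's own authority. An authority failure    */
    /* on the library or files is left unmonitored so it surfaces     */
    /* as an error.                                                   */
    DSPFD      FILE(&LIB/*ALL) TYPE(*MBRLIST) OUTPUT(*OUTFILE) +
                 OUTFILE(QTEMP/FDOUT)
  ENDDO
ENDPGM
```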
The following describes the tools that use one or more of the DSPADP
commands (this list may not be complete).
TAA tool      DSPADP command dependency
--------      -------------------------
CHKDBD        DSPFDA
CHKOBJDMG     DSPOBJDA
CHKSAV        DSPOBJDA, DSPFDA
PRTDBFEXP     DSPFDA
PRTLIBANL     DSPFDA, DSPOBJDA, DSPUSRPRFA
PRTSAVSTS     DSPOBJDA
Restrictions
------------
The user must have *USE authority to the TAADSPADP authorization
list.
Prerequisites
-------------
The following TAA Tools must be on your system:
     EXTLST        Extract list
     EXTLST2       Extract list 2
     SNDCOMPMSG    Send completion message
Implementation
--------------
The tool is ready to use, but the users of the commands must be
authorized to the TAADSPADP authorization list. Use either
EDTAUTL or specify:
     ADDAUTLE   AUTL(TAADSPADP) USER(xxxx) AUT(*USE)
If you want to review the objects that use the authorization list,
use DSPAUTL or EDTAUTL and the F15 key.
If you want to prevent the use of one of the DSPxxxA commands, you
can remove it from the authorization list. You must do this on each
release. Use the EDTOBJAUT command on both the command and the CPP to
change the authorization list to *NONE.
Objects used by the tool
------------------------
Object        Type    Attribute    Src member    Src file
------        ----    ---------    ----------    ----------
DSPCLSA       *CMD                 TAAADPA4      QATTCMD
DSPCMDA       *CMD                 TAAADPA14     QATTCMD
DSPDBRA       *CMD                 TAAADPA12     QATTCMD
DSPFDA        *CMD                 TAAADPA7      QATTCMD
DSPFFDA       *CMD                 TAAADPA8      QATTCMD
DSPJOBDA      *CMD                 TAAADPA3      QATTCMD
DSPLIBA       *CMD                 TAAADPA2      QATTCMD
DSPOBJAUTA    *CMD                 TAAADPA15     QATTCMD
DSPOBJDA      *CMD                 TAAADPA       QATTCMD
DSPPGMA       *CMD                 TAAADPA5      QATTCMD
DSPPGMADPA    *CMD                 TAAADPA11     QATTCMD
DSPPGMREFA    *CMD                 TAAADPA9      QATTCMD
DSPSAVFA      *CMD                 TAAADPA13     QATTCMD
DSPSBSDA      *CMD                 TAAADPA6      QATTCMD
DSPUSRPRFA    *CMD                 TAAADPA10     QATTCMD
TAAADPAC      *PGM    CLP          TAAADPAC      QATTCL
TAAADPAC2     *PGM    CLP          TAAADPAC2     QATTCL
TAAADPAC3     *PGM    CLP          TAAADPAC3     QATTCL
TAAADPAC4     *PGM    CLP          TAAADPAC4     QATTCL
TAAADPAC5     *PGM    CLP          TAAADPAC5     QATTCL
TAAADPAC6     *PGM    CLP          TAAADPAC6     QATTCL
TAAADPAC7     *PGM    CLP          TAAADPAC7     QATTCL
TAAADPAC8     *PGM    CLP          TAAADPAC8     QATTCL
TAAADPAC9     *PGM    CLP          TAAADPAC9     QATTCL
TAAADPAC10    *PGM    CLP          TAAADPAC10    QATTCL
TAAADPAC11    *PGM    CLP          TAAADPAC11    QATTCL
TAAADPAC12    *PGM    CLP          TAAADPAC12    QATTCL
TAAADPAC13    *PGM    CLP          TAAADPAC13    QATTCL
TAAADPAC14    *PGM    CLP          TAAADPAC14    QATTCL
TAAADPAC15    *PGM    CLP          TAAADPAC15    QATTCL
TAAADPAC22    *PGM    CLP          TAAADPAC22    QATTCL
Structure
---------
Command       CPP
-------       ---
DSPCLSA       TAAADPAC4
DSPCMDA       TAAADPAC14
DSPDBRA       TAAADPAC12
DSPFDA        TAAADPAC7
DSPFFDA       TAAADPAC8
DSPJOBDA      TAAADPAC3
DSPLIBA       TAAADPAC2
DSPOBJAUTA    TAAADPAC15
DSPOBJDA      TAAADPAC
DSPPGMA       TAAADPAC5
DSPPGMADPA    TAAADPAC11
DSPPGMREFA    TAAADPAC9
DSPSAVFA      TAAADPAC13
DSPSBSDA      TAAADPAC6
DSPUSRPRFA    TAAADPAC10
The sub program TAAADPAC22 which is used to execute the EXTLST
command is used by TAAADPAC and TAAADPAC2.