The Program Adopt tool provides a series of commands to help manage
the programs that adopt a user profile during the running of the
program. This allows a review and approval of these programs and a
method of monitoring for changes.
To use the tool, you must first create the required files and run the
Convert command. The Work command lets you approve a program after
reviewing it. The Display command may be used periodically to ensure
that all programs that were converted and approved have not been
changed.
The Convert command must be run periodically to keep the file up to
date with new programs that adopt.
Only a user with *ALLOBJ special authority can use the CVTPGMADP,
WRKPGMADP, or DSPPGMADP3 commands.
You may have different PGMADP files (only one set per library) such
as a set for each application area or one set for the entire system.
The TAATOOL library programs are implicitly omitted. Use the
CHKTAAAUT command to check TAA programs that adopt and the shipped
authorizations.
The system program adopt function
---------------------------------
The system program adopt function allows users to execute a program
that performs functions that you do not want to specifically
authorize an end user to. For example, you may have a program that
clears a member, but only if certain conditions are met. Rather than
allow end users to be authorized (CLRPFM requires *OBJMGT authority),
you can write a program that ensures the conditions are met and then
does CLRPFM. By creating the program as a user who has *OBJMGT
authority, and specifying USRPRF(*OWNER), the program adopt function
will allow clearing the member if an end user calls the program. Not
authorizing an end user to *OBJMGT will eliminate the potential error
of the user accidentally or maliciously clearing the member.
The program adopt option exists on many commands. It is specified by
the USRPRF parameter which defaults to *USER, but allows *OWNER to be
specified.
*OWNER means the the program will run under a combination of
authorities. It includes both the user running the program and the
owner of the program. By default, any programs higher in the program
stack that also specify USRPRF(*OWNER) are also included in the
authorization checking.
Thus a single program could run with the combined use of many
different user profiles. The major use of allowing a program higher
in the stack to control the authority to subsequently called programs
is to allow a main program to adopt and not have to consider the
authorization requirements of the programs it calls.
The function that allows programs higher in the stack to contribute
to the authorization checking may be eliminated by the use of the the
CHGPGM command. This allows the USEADPAUT parameter which should be
specified as *NO. Specifying *NO creates a 'security wall' that
prevents programs higher in the stack from contributing their adopted
authority to programs that are specified as USEADPAUT(*NO) and any
programs that they call.
Using USEADPAUT(*NO) is important if you have an adopted program that
calls a sub-program that allows a command line or does a function
such as WRKOUTQ. If a command line is available and the user is
LMTCPB(*NO), the end user will be able to enter commands. If the end
user is LMTCPB(*YES), the system will prevent the user from entering
a non-valid command on a command line even with adopted authority.
However, if the owner of the adopted program has *JOBCTL special
authority, a command such as WRKOUTQ will allow the end user to
operate on all the spooled files displayed.
A single program could specify USRPRF(*OWNER) and allow the owners
authority to be used on sub programs, but also be set to prevent
adoption from higher programs in the stack by specifying CHGPGM
USEADPAUT(*NO). If you are creating a program that uses adopted
authority that will have many sub-functions that are performed in
sub-programs, the use of USEADPAUT(*NO) could prevent some unintended
functions from occurring.
The USRPRF parameter appears on many different Create commands as
well as CHGPGM. It operates on different object types such as:
*PGM
*SRVPGM
Getting started and giving it a try
-----------------------------------
It is usually best to first try the PGMADP function with a unique
test library.
Create the library and a QCLSRC source file which will allow you to
have a few simple CL programs that can be created and modified. For
example, the following CL source could be used in members TSTCLPA,
TSTCLPB, ...
PGM
SNDPGMMSG MSG(HI)
ENDPGM
Create test *AUTLs that you can test with such as:
CRTAUTL AUTL(TSTPGMADP)
CRTAUTL AUTL(TSTPGMADP2) AUT(*EXCLUDE)
Create the programs in the same library with USRPRF(*OWNER). Vary
the AUT parameter on CRTCLPGM from *CHANGE to *USE and specify one of
the *AUTLs for some.
To use the PGMADP tool, do the following:
** Create the files PGMADP and PGMADPL in a specific library that
is on your library list. It does not have to be in the
library where the programs reside.
CRTPGMADP PGMADPLIB(xxx)
** Run the Convert command to capture the information about the
programs that adopt from one or more libraries.
This is a slow running command. If you have many programs to
be converted, it should be submitted to batch.
CVTPGMADP LIB(aaa bbb)
The programs in the named libraries would be checked to see if
they use program adopt (USRPRF = *OWNER). If so, the
information about the program is placed in a record in the
PGMADPP file. A listing is produced of the programs that were
added.
An OMITLIB parameter also exists to allow specified libraries
to be omitted. The TAATOOL library is implicitly omitted.
See the later discussion of the TAATOOL library.
CVTPGMADP should be run on a periodic basis to ensure that all
programs that adopt are included. CVTPGMADP will add new
programs, check existing programs, and delete any records for
programs that no longer adopt. Specifying a job schedule
entry for the use of CVTPGMADP during off-shift hours would be
a good choice. See the later comments about running
DSPPGMADP3 at the same time.
** Use WRKPGMADP to review the programs that adopt.
WRKPGMADP
The options let you display various aspects of the program.
If the program has never been approved, the approval date will
be blank. If the source has changed since the program was
approved, or the authorization information has changed since
the program information was converted, or the program has been
re-created after the program was approved, the approval date
field is displayed with high intensity.
The approval date field is also displayed with high intensity
if the program no longer adopts or the USEADPAUT attribute has
changed.
Option 5 lets you see more of the important details and will
describe what has changed if the approval date field was
displayed with high intensity.
Option 2 lets you approve a program. You should do this after
reviewing the program. See the later section on how to review
a program to ensure that it is safe for adoption.
** To display a listing of the same information do
DSPPGMADP3
It will flag the same type of changes that are displayed with
WRKPGMADP.
Note that each time WRKPGMADP or DSPPGMADP3 is run, the current
information about the program is retrieved and compared to the last
time the program was approved. This makes the commands run
considerably slower than just displaying the records in the file.
A good technique to use would be to include the use of DSPPGMADP3
both before and after CVTPGMADP as part of a job schedule entry such
as the following CL program:
PGM
DSPPGMADP3
CVTPGMADP LIB(xxx)
DSPPGMADP3
ENDPGM
The first use of DSPPGMADP3 will describe any exceptions which
includes programs that use to adopt, but no longer adopt. It will
also describe any programs where the USEADPAUT attribute has changed.
This allows you to ensure that the USRPRF and USEADPAUT attributes
are what you had intended before the file is refreshed.
The CVTPGMADP will refresh the file with the current information for
all new programs that adopt.
The second use of DSPPGMADP3 will describe any exceptions such as a
new program that adopts that has not been approved.
Program adoption can be abused
------------------------------
While program adoption can be used successfully to allow users to
perform secure functions in a controlled manner, it can also be
abused by users who are attempting to perform functions you are not
aware of.
Assume you have a program that adopts the authority of QSECOFR to
perform a security sensitive function. If your program does an
unqualified call to a sub program by the name of ABC, it is possible
for a user to create his own ABC program to perform an illegal
function and get it to run during the running of your program. This
could occur by getting the bogus ABC program in front of yours on the
library list. To write a secure program that adopts you must code
your program in such a manner to prevent bogus functions.
The next sections describe how to prevent the use of bogus
situations.
Also see the section on 'Approving a program' as a check list to be
used prior to approval.
Control of the QSYS Library
---------------------------
The QSYS library should be the first library on the library list or
you should have rigid control over any objects that are placed in a
library in front of QSYS. This is important because if you allow any
program to appear in front of QSYS, then bogus programs may be run
(including system programs).
You can determine the system portion of the library list by:
DSPSYSVAL SYSVAL(QSYSLIBL)
If you have a library in front of QSYS, it should be specified so the
*PUBLIC user has only *USE authority and cannot add objects to the
library. You can check this with:
DSPOBJAUT OBJ(xxx) OBJTYPE(*LIB)
You should specifically control what users are allowed to add objects
to the library.
If you have a library in front of QSYS, you will need to periodically
check what is in the library. In general, it is a lot safer to keep
QSYS at the front of the library list.
CHGSYSLIBL Command
------------------
The CHGSYSLIBL command allows users to change the system portion of
the library list for the current job. When a library is added, it
goes at the top of the list in front of QSYS.
The command is shipped so the *PUBLIC user is *EXCLUDE. You can
ensure this by:
DSPOBJAUT OBJ(CHGSYSLIBL) OBJTYPE(*CMD)
If you have users who are authorized, it would be worthwhile to
review why they are allowed this powerful capability.
*ALLOBJ users
-------------
When a user profile is given the special authority of *ALLOBJ, they
have the keys to the entire system. Obviously, you want to minimize
the number of users who have *ALLOBJ authority.
There is nothing that can be done to control what *ALLOBJ users do.
While the system does support the *SECADM special authority to
control the creation and deletion of user profiles, a user with
*ALLOBJ authority could easily get around this if he wanted to. You
can audit what *ALLOBJ users do (see the AUDITING tool for a
discussion).
You can review who has *ALLOBJ special authority with:
DSPSECRVW SPCAUT(*ALLOBJ)
Reviewing program source to ensure a security safe program
----------------------------------------------------------
To prevent bogus functions from occurring in a program that adopts
the owner's profile, you must qualify the use of objects used in the
program.
Any CALL commands, or user commands (including TAA commands) should
be qualified to the specific library such as:
CALL PGM(LIBA/PGM1)
TAATOOL/RTVDAT ...
Note that the CALL may also come from a HLL program such as RPG.
These calls should also be library qualified.
A good technique to use is to use a constant with a qualified name
and then refer to the constant name rather than the actual program
name on the CALL.
Any OVRDBF commands should also be library qualified and use the
SECURE parameter such as:
OVRDBF FILE(FILEA) TOFILE(LIBA/FILEA)
SECURE(*YES)
The SECURE parameter prevents an override higher in the program stack
from being used instead of the override specified in the program.
If you have a sensitive file that is being worked on in an adopt
program, but does not do an OVRDBF command, your program would be
safer if you added an Override. RPG does not allow a qualified
library name when it opens a file, but RPGLE does. However, RPGLE
does not provide a SECURE(*YES) function so a program higher in the
stack could direct the program to operate on a different file with
either RPG compiler. Adding an OVRDBF with SECURE(*YES) will ensure
that the program is working on the file that it was intended to.
Creating user commands
----------------------
Any user commands that are created where the CPP (command processing
program) is an adopt program should specify a qualified name of the
CPP when the command is created such as:
CRTCMD CMD(xxx) PGM(LIBA/PGM1) ...
Some users think that if they control the library list that they do
not have to library qualify anything. This is not valid. Even if
you set the library list to your safe libraries and qualify the
invocation of a user command, a user command that is specified as:
CRTCMD CMD(ABC) PGM(*LIBL/PGM1) ...
could be exposed to a bogus use. A user could create his own ABC
command as:
CRTCMD CMD(ABC) PGM(DEF/PGM1) PRDLIB(DEF)
and invoke his command which calls the program that adopts. Because
PRDLIB is used, the DEF library would be placed in the program stack
between the system portion and the current library (ahead of the user
portion of the library list). By some sneaky programming, the user
could get his own version of PGM1 to run.
The CRTCMD command also allows for a prompt override program
(PMTOVRPGM) and a validity checking program (VLDCKR). If one of
these parameters is used, the program should also be library
qualified.
You can check for unqualified use of programs specified on a command
with:
CHKCMDQLFN
It will operate on a single program, a single library, or multiple
libraries and describe which command parameters that support
qualified names are not being used. The parameters that have
security implications are:
PGM (CPP)
PMTOVRPGM
VLDCKR
Attempting to control the library list will guarantee that bogus
programs cannot be used. You need to qualify the parameters that
invoke programs. Setting the PRDLIB parameter on a user command is
not required if you library qualify. TAA commands do both (some
exceptions exist).
Preventing the use of debug
---------------------------
Another exposure with programs that adopt is that you should prevent
the use of debugging tools if the program is security sensitive.
Allowing a user to debug the program will allow him to change values
during the program execution. For example, while in debug a user
could change the value of a field to be updated in a data base.
There are two ways to prevent the use of debug for *PUBLIC users:
** Set the authorization to the program for the *PUBLIC user to
*USE. The default used by CRT program commands is *CHANGE
which means that when you take the default, you are allowing
anyone authorized to the STRDBG command to debug the program.
With only *USE authority, you can prevent the use of debug
functions.
** You can remove the observability of a program by the use of
the CHGPGM command such as:
CHGPGM PGM(xxx) RMVOBS(*ALL)
Once the program is debugged, it is better to remove the
observability to prevent even *ALLOBJ users from using debug
for malicious actions.
CHGPGM will also allow all programs or generic program names
in a library to be changed.
Authorizations to the program
-----------------------------
If you have a program that adopts, it may do so because it performs a
simple function that requires a specific authorization that you do
not want to give to the *PUBLIC user. For example, you may want to
allow any user to display the text description of a user profile.
Without a program that adopts, the user must have *USE authority to
the user profile to access the text description. If the only
functions performed by the program are non-security sensitive, it is
perfectly valid to have the program authorized to allow *USE
authority to the *PUBLIC user.
But you may also have other programs that must be rigidly controlled.
For example, you may have a program that creates a user profile using
the CRTUSRPRF command which you want certain users to use, but only
via your program. In this case, you want to prevent the *PUBLIC user
from running the program.
There are two methods of preventing the *PUBLIC user from running a
program:
** You can specify the *PUBLIC user as *EXCLUDE.
** You can specify the *PUBLIC user as *AUTL and control the
authorizations via an Authorization List and specify *PUBLIC
*EXCLUDE to the *AUTL.
TAATOOL Library
---------------
The TAATOOL library is implicitly omitted when CVTPGMADP is run.
The TAATOOL library has many programs that adopt the ownership of
QSECOFR.
Some are simple non-security sensitive programs such as that provided
by the DUPTAADBF command which allows the CRTDUPOBJ command to be run
on specific *FILE objects in TAATOOL. This is used by many TAA
commands that create outfiles. CRTDUPOBJ requires *OBJMGT authority
to the file. Without program adoption, the *FILE *OBJMGT right would
have to be made available to the *PUBLIC user or a requirement that
an *ALLOBJ user run the command.
Some TAA programs are considered security sensitive such as that used
by the INZPWD command. This allows an authorized user to be able to
initialize most user profiles to a default or random password when
users forget their passwords. The command requires that the user of
the command and program be authorized to the TAAINZPWD authorization
list.
You can review the INZPWD source to see how qualified names are used
by:
DSPTAA TAASECXC
The TAA programs are thoroughly checked to ensure that the programs
are safe. A bogus program cannot be used to bypass your security
intent. All programs that adopt do the following:
- All CALL commands are library qualified
- All TAA commands are library qualified
- All OVRDBF commands use qualified names and SECURE(*YES)
- All CRT/CHGUSRPRF commands are library qualified to QSYS
- All calls to non-QSYS programs in HLLs are qualified
- All programs prevent debug
- Programs are shipped unobservable
- Programs are shipped as *PUBLIC *USE
- All TAA commands qualify the library of the CPP, and
any prompt override or validity checking programs
- TAA commands specify PRDLIB(TAATOOL)
- Some exceptions exist
- All TAA *AUTL objects are shipped as *PUBLIC *EXCLUDE
- All TAA objects that use an *AUTL specify *PUBLIC *AUTL
Sensitive security functions require either *ALLOBJ authority, or are
tied to an *AUTL with *PUBLIC as *AUTL.
Ensuring the TAATOOL library
----------------------------
To ensure that the programs and authorizations are set the way they
are shipped, the CHKTAAAUT command may be used. To support
CHKTAAAUT, a file of specific authorizations and programs which adopt
is shipped with the product and is used to compare against the
current information on the system. Any differences are noted.
CHKTAAAUT will also find commands and programs that exist in TAATOOL
that have the same name as commands and programs in other libraries.
To just check the Authorization Lists to ensure that they are all set
to *PUBLIC = *EXCLUDE, enter:
CHKTAAAUT
Approving a program that adopts
-------------------------------
If you are the person to approve the use of programs that adopt, you
should do the following:
** After CVTPGMADP has been run, use either WRKPGMADP or
DSPPGMADP3 to determine what programs need to be reviewed.
** Determine if the function being performed is security
sensitive.
** Determine if any sub programs are called using DSPPGMREF.
Each sub program must also be reviewed even if the function is
not security sensitive as a sub-sub program may be.
** Determine the source member used for the program.
** If a CL program is being used, CHK400CMD will describe a
listing of any user commands. Each user command represents
another program that is being called as a sub program and must
also be checked.
If a TAA command is being invoked, TAA commands are considered
safe to use if they are library qualified to TAATOOL. It is
not necessary to check the command processing program used as
they are safe to use.
If you are dealing with a security sensitive function, any
user commands should be library qualified such as:
xxx/USRCMDA ...
You should check the command to ensure that qualified names
are used for the commands that support program names.
CHKCMDQLFN LIB(xxx) CMD(yyy)
Scan the source for OVRDBF commands and if they exist, a
library qualifier should be used along with SECURE(*YES). In
some cases, the user may input the file or file and library
name. In this case, you will need to ensure that the function
being performed is appropriate for any file. You may want to
reject certain files or libraries.
In some cases, you may need to add an OVRDBF command with
SECURE(*YES) to ensure that the right file is processed.
** Review the authorizations to the program with DSPOBJAUT and if
an *AUTL is specified for the *PUBLIC user, then the *AUTL
should be reviewed with DSPAUTL. Sensitive functions should
not allow the *PUBLIC user any access. It should be *PUBLIC =
*EXCLUDE.
** For sensitive security programs, you should prevent the use of
debug by removing the observability to the program with
CHGPGM.
Tips
----
** If a program adopts the QSECOFR profile and you want to check
within the program if the user is authorized to some function,
the user will always be authorized because of adoption. You
can check using a tool like UNADOPT. This allows you to pass
a command to a program that uses USEADPAUT(*NO). For example,
you could say:
TAATOOL/UNADOPT CMD(CHKOBJ ...)
The CHKOBJ command runs without the benefit of the QSECOFR
authorization.
** If you have a program that adopts, but should only be called
from a specific program, the RTVPGMNAM command will allow
return variables of the program that called the sub program.
For example, your code could look like:
TAATOOL/RTVPGMNAM CALLINGPGM(&PGM) CALLINGLIB(&PGML)
IF ((&PGM *NE 'xxx') *OR +
(&PGML *NE 'yyy')) DO /* Bad */
SNDESCMSG MSG('Invalid use of program zzz')
ENDDO /* Bad */
CRTPGMADP escape messages you can monitor for
---------------------------------------------
None. Escape messages from based on functions will be re-sent.
DLTPGMADP escape messages you can monitor for
---------------------------------------------
None. Escape messages from based on functions will be re-sent.
CVTPGMADP escape messages you can monitor for
---------------------------------------------
TAA9892 No programs were found in the specified libraries
Escape messages from based on functions will be re-sent.
WRKPGMADP escape messages you can monitor for
---------------------------------------------
None. Escape messages from based on functions will be re-sent.
DSPPGMADP3 escape messages you can monitor for
----------------------------------------------
None. Escape messages from based on functions will be re-sent.
CRTPGMADP Command parameters *CMD
----------------------------
PGMADPLIB The library where the PGMADPP and PGMADPL files will
be created.
SRCLIB The source library to use for the QATTDDS file
source. The default is *TAAARC to use the source
from the TAA Archive.
A specific user library may be named, but the source
file must be QATTDDS.
AUT The authority given to the *PUBLIC user of the
files. *USE is the default.
*CHANGE, or *EXCLUDE may be specified.
Note that an *ALLOBJ user is required to use the
CVTPGMADP, WRKPGMADP, and DSPPGMADP3 commands.
DLTPGMADP Command parameters *CMD
----------------------------
PGMADPLIB The library where the PGMADPP and PGMADPL files
exist.
CVTPGMADP Command parameters *CMD
----------------------------
LIB The list of libraries to be processed. Up to 300
libraries may be entered (including generic names)
or the special values *LIBL, *USRLIBL, *CURLIB,
*ALLUSR, *ALLUSR2, *ALLNONQ, *IBM, or ALL.
For *LIBL and *USRLIBL, if a current library exists,
it will be written as a record before the records
for the user portion of the library list. If the
current library is also part of the user portion of
the library list, it will only appear once (it is
removed from the user portion list).
*ALLUSR omits certain # libraries such as #RPGLIB.
*ALLUSR also omits all Q libraries with certain
exceptions such as QGPL. See the help text for the
SAVLIB command for a complete list. Note that if
you have your own library which begins with Q, it is
omitted.
*IBM causes all libraries to be included based on
the definition for DSPOBJD LIB(*IBM).
*ALLUSR2 is similar to *ALLUSR. It omits the same #
libraries, but also omits any library beginning with
Q. Note that if you have your own library which
begins with Q, it is omitted.
*ALLNONQ means any library that does not begin with
the letter Q. If *ALLNONQ is used, the ASPDEV
parameter must use the default.
ASPDEV Specifies the auxiliary storage pool (ASP) device
name where storage for the library containing the
object is allocated. If the library resides in an
ASP that is not part of the thread's library name
space, this parameter must be specified to ensure
the correct library is searched.
The parameter can be specified as a list of two
values (elements) or as a single value. The
possible single values are:
* = The ASPs that are currently part of the thread's
library name space will be searched to locate the
library. This includes the system ASP (ASP 1), all
defined basic user ASPs (ASPs 2-32), and, if the
thread has an ASP group, the primary and secondary
ASPs in the thread's ASP group.
*ALLAVL = All available ASPs will be searched. This
includes the system ASP (ASP 1), all defined basic
user ASPs (ASPs 2-32), and all available primary and
secondary ASPs, (ASPs 33-255) with a status of
'Available'.
*CURASPGRP = If the thread has an ASP group, the
primary and secondary ASPs in the thread's ASP group
will be searched. The system ASP (ASP 1) and
defined basic user ASPs (ASPs 2-32) will not be
searched. If no ASP group is associated with the
thread, an error will be issued.
*SYSBAS = The system ASP (ASP 1) and all defined
basic user ASPs (ASPs 2-32) will be searched to
locate the library. No primary or secondary ASPs
will be searched even if the thread has an ASP
group.
Element 1: Device
The device name of the primary or secondary ASP to
be searched. The primary or secondary ASP must have
been activated (by varying on the ASP device) and
have a status of 'Available'. The system ASP (ASP
1) and defined user basic ASPs (ASPs 2-32) will not
be searched.
Element 2: Search type
*ASP = Specifies that only the single auxiliary
storage pool (ASP) device named in element 1 is to
be searched.
*ASPGRP = Specifies that the entire group of the
primary auxiliary storage pool (ASP) device named in
element 1 is to be searched.
ASPNBR The ASP number for the libraries that are to be
converted. The default is *ALL.
A number in the range of 1-99 may be entered to
subset the libraries that are output by the LIB and
ASPDEV parameters.
OMITLIB A list of up to 300 libraries or generic library
names that should be omitted. *NONE is the default.
The TAATOOL library is implicitly omitted.
An omit list may not be entered for LIB(*CURLIB).
No check occurs to see if an omit library would have
been selected. For example, if LIB(*LIBL) is
entered with OMITLIB(ABC) and library ABC is not on
the library list, no error occurs.
PGMADPLIB The library where the PGMADPP and PGMADPL files
exist. *LIBL is the default.
WRKPGMADP Command parameters *CMD
----------------------------
PGMADPLIB The library where the PGMADPP and PGMADPL files
exist. *LIBL is the default.
OWNER Whether to select a specific owner. *ALL is the
default.
If an owner is named, selection occurs on the basis
of the value at the time of the original CVTPGMADP
when the program was added or when the program was
approved. This may not be the current owner of the
program.
PGM The program to be displayed. The default is
*ALL/*ALL for all programs in all libraries found in
the PGMADPP file.
A specific program name or generic name may be used.
A specific library may be named.
DSPPGMADP3 Command parameters *CMD
-----------------------------
PGMADPLIB The library where the PGMADPP and PGMADPL files
exist. *LIBL is the default.
OWNER Whether to select a specific owner. *ALL is the
default.
If an owner is named, selection occurs on the basis
of the value at the time of the original CVTPGMADP
when the program was added or when the program was
approved. This may not be the current owner of the
program.
PGM The program to be displayed. The default is
*ALL/*ALL for all programs in all libraries found in
the PGMADPP file.
A specific program name or generic name may be used.
A specific library may be named.
OUTPUT How to output the results. * is the default to
display the spooled file if the command is entered
interactively. The spooled file is deleted after it
is displayed.
If the command is entered in batch or *PRINT is
specified, the spooled file is output and retained.
Restrictions
------------
Only a user with *ALLOBJ special authority may use the CVTPGMADP,
WRKPGMADP, and DSPPGMADP3 commands.
The WRKPGMADP and DSPPGMADP3 commands do not attempt to determine all
programs that adopt. They only process those programs that were
converted by the CVTPGMADP command.
WRKPGMADP and DSPPGMADP3 have an OWNER parameter. If a specific
owner is named, selection occurs on the basis of the value at the
time of the original CVTPGMADP when the program was added or when the
program was approved. This may not be the current owner of the
program.
The checking for debug capability assumes the use of *CHANGE of
object authority will be used and not *USRDFN.
*SQLPKG object types are not checked.
The TAATOOL library is implicitly bypassed. See the CHKTAAAUT
command and the previous discussion.
Prerequisites
-------------
The following TAA Tools must be on your system:
CHKALLOBJ Check *ALLOBJ special authority
CHKDUPLST Check duplicates in list
CHKGENERC Check generic
CHKGENOBJ Check generic object
CHKOBJ3 Check object 3
CMPLSTPARM Compare list parm
CPYTAADDS Copy TAA DDS source
CRTDUPPF Create duplicate PF
CVTPGMA Convert program attributes
CVTTIM Convert time
DSPOBJD2 Display object description 2
EDTVAR Edit variable
EXTLST Extract list
EXTLST2 Extract list 2
RTVOBJAUT Retrieve object authority
RTVPGMA Retrieve program attribute
RTVPUBAUT Retrieve public authority
RTVSYSVAL3 Retrieve system value 3
SNDCOMPMSG Send completion message
SNDESCINF Send escape information
SNDESCMSG Send escape message
SNDJLGMSG Send job log message
SNDSTSMSG Send status message
UPDPFILE Update PF keyword
Implementation
--------------
None, the tool is ready to use.
Objects used by the tool
------------------------
Object Type Attribute Src member Src file
------ ---- --------- ---------- ----------
CRTPGMADP *CMD TAAPGOA QATTCMD
DLTPGMADP *CMD TAAPGOA2 QATTCMD
CVTPGMADP *CMD TAAPGOA3 QATTCMD
WRKPGMADP *CMD TAAPGOA4 QATTCMD
DSPPGMADP3 *CMD TAAPGOA5 QATTCMD
TAAPGOAC *PGM CLP TAAPGOAC QATTCL
TAAPGOAC2 *PGM CLP TAAPGOAC2 QATTCL
TAAPGOAC3 *PGM CLP TAAPGOAC3 QATTCL
TAAPGOAC4 *PGM CLP TAAPGOAC4 QATTCL
TAAPGOAC5 *PGM CLP TAAPGOAC5 QATTCL
TAAPGOAC13 *PGM CLP TAAPGOAC13 QATTCL
TAAPGOAC14 *PGM CLP TAAPGOAC14 QATTCL
TAAPGOAC15 *PGM CLP TAAPGOAC15 QATTCL
TAAPGOAR3 *PGM RPG TAAPGOAR3 QATTRPG
TAAPGOAR4 *PGM RPG TAAPGOAR4 QATTRPG
TAAPGOAR5 *PGM RPG TAAPGOAR5 QATTRPG
TAAPGOAD *FILE DSPF TAAPGOAD QATTDDS
TAAPGOAP *FILE PF TAAPGOAP QATTDDS
TAAPGOAL *FILE LF TAAPGOAL QATTDDS
Structure
---------
CRTPGMADP Cmd
TAAPGOAC CL pgm
DLTPGMADP Cmd
TAAPGOAC2 CL pgm
CVTPGMADP Cmd
TAAPGOAC3 CL pgm
TAAPGOAR3 RPG pgm
TAAPGOAC13 CL pgm
WRKPGMADP Cmd
TAAPGOAC4 CL pgm
TAAPGOAR4 RPG pgm
TAAPGOAC14 CL pgm
DSPPGMADP3 Cmd
TAAPGOAC5 CL pgm
TAAPGOAR5 RPG pgm
TAAPGOAC15 CL pgm
|
