RTVIFSEAUT RETRIEVE IFS ENTRY AUTHORITY TAAIFSN
The Retrieve IFS Entry Authority command returns the current user's
authority to an IFS object. The path name must be specified. Return
values include the owner, authorization list, where the authority
comes from (the named user or *PUBLIC), and individual
authorizations. Authority checking for IFS objects is the same as
objects in libraries except that program and group adopt are not
used.
For a simple check of an object, see the CHKIFSE command. It uses
RTVIFSEAUT to provide basic information.
The API used is Qp0lGetAttr.
A typical sequence of commands would be:
DCL &OBJOPR *CHAR LEN(1)
DCL &READ *CHAR LEN(1)
DCL &UPD *CHAR LEN(1)
.
RTVIFSEAUT OBJ('/home/test.txt') +
OBJOPR(&OBJOPR) +
READ(&READ) UPD(&UPD)
IF ((&OBJOPR *EQ 'X') *AND +
(&READ *EQ 'X') *AND +
(&UPD *EQ 'X')) DO /* Is authorized */
/**************************************/
/* */
/* Your code if the user is */
/* authorized */
/* */
/**************************************/
ENDDO /* Is authorized */
RTVIFSEAUT escape messages you can monitor for
----------------------------------------------
CPFA0A9 Object not found
CPF9898 General escape message. An unrecognized error was
returned from the API to retrieve attributes for
the IFS entry. Please check the joblog for more
information on the error.
Escape messages from based-on functions will be re-sent.
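As an added example (not part of the TAA tool), the following CL program wraps RTVIFSEAUT in a deny-by-default check that monitors the two escape messages listed above and flags rights that come only from *PUBLIC. It assumes the RTNAUTTYPE return variable can be declared as *CHAR LEN(7), which this page does not state.

```cl
/* Added example, not TAA code: fail-closed authority check for one IFS path */
/* Assumption: RTNAUTTYPE fits *CHAR LEN(7) (holds *USER or *PUBLIC).       */
PGM PARM(&PATH &RESULT)
DCL &PATH    *CHAR LEN(256)
DCL &RESULT  *CHAR LEN(1)     /* 'A' authorized, 'D' denied, 'E' API error */
DCL &AUTTYPE *CHAR LEN(7)     /* *USER or *PUBLIC                           */
DCL &FRMAUTL *CHAR LEN(4)     /* *YES if rights come from an AUTL           */
DCL &READ    *CHAR LEN(1)
DCL &UPD     *CHAR LEN(1)
DCL &EXCLUDE *CHAR LEN(1)
/* Start from 'denied' so every early exit below fails closed */
CHGVAR &RESULT 'D'
RTVIFSEAUT OBJ(&PATH) RTNAUTTYPE(&AUTTYPE) AUTFRMAUTL(&FRMAUTL) +
           READ(&READ) UPD(&UPD) EXCLUDE(&EXCLUDE)
/* CPFA0A9: object not found; report 'denied' rather than an error */
MONMSG MSGID(CPFA0A9) EXEC(RETURN)
/* CPF9898: unrecognized API error; the joblog carries the detail */
MONMSG MSGID(CPF9898) EXEC(DO)
  CHGVAR &RESULT 'E'
  SNDPGMMSG MSG('RTVIFSEAUT failed for' *BCAT &PATH) MSGTYPE(*DIAG)
  RETURN
ENDDO
/* An explicit exclusion wins regardless of the other returned flags */
IF COND(&EXCLUDE *EQ 'X') THEN(RETURN)
/* Require both read and update rights for this caller's operation */
IF COND((&READ *NE 'X') *OR (&UPD *NE 'X')) THEN(RETURN)
CHGVAR &RESULT 'A'
/* Access granted, but make over-broad *PUBLIC grants visible in the joblog */
IF COND(&AUTTYPE *EQ '*PUBLIC') THEN(DO)
  SNDPGMMSG MSG('Access to' *BCAT &PATH *BCAT 'relies on *PUBLIC' +
            *BCAT '(from AUTL:' *BCAT &FRMAUTL *CAT ')') MSGTYPE(*DIAG)
ENDDO
ENDPGM
```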
Security discussion
-------------------
IFS authority checking follows a different model than checking of
objects in libraries. Neither program nor group adopt is included.
In order to determine the authority to an IFS object, an API is used
that requires the user to have *OBJMGT rights to the object. Since
most users do not have this right, it is necessary to use the
'program adopt' function to determine the user's authority.
The 'program adopt' function does not operate when using an IFS path
name. However, using program adopt allows the program to swap the
current profile for QSECOFR during the running of the command and
then swap back to the original user profile when the command
completes. Swapping occurs by the use of an API.
The original user name is searched for in the list of authorities
(not the swapped QSECOFR profile name).
The swapping of profiles allows a determination of the user's
authority to the object, but creates a problem in that the user could
use system request to 'end request' during the running of the command
and henceforth operate as QSECOFR. This is avoided by making the CL
program a 'request processor' and monitoring for 'end request'. If
'end request' occurs, the swap of profiles occurs back to the
original profile.
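The 'request processor' guard described above, written out as an added example that is not the TAAIFSNC source: the program-level MONMSG for CPF1907 (the escape message ENDRQS sends to a request processor) guarantees the swap back runs even when the user ends the request while the job is running under the swapped-to profile. It assumes the program is compiled with USRPRF(*OWNER) under an owner that has *USE authority to the profile named in &SWPUSR, which QSYGETPH requires for the *NOPWD form, and it uses DSPAUT as a stand-in for the tool's own Qp0lGetAttr retrieval step.

```cl
/* Added example, not TAA code: swap profiles, but always swap back on     */
/* 'end request'. Assumes USRPRF(*OWNER) with *USE authority to &SWPUSR.   */
PGM PARM(&OBJ &SWPUSR)
DCL &OBJ     *CHAR LEN(256)   /* IFS path being examined                   */
DCL &SWPUSR  *CHAR LEN(10)    /* profile to run as, e.g. QSECOFR           */
DCL &CURUSR  *CHAR LEN(10)    /* the real caller; the name to look up      */
DCL &HNDCUR  *CHAR LEN(12)    /* profile handle of the caller              */
DCL &HNDSWP  *CHAR LEN(12)    /* profile handle of &SWPUSR                 */
DCL &SWAPPED *LGL VALUE('0')  /* set only after QWTSETP succeeded          */
/* Program-level monitor: ENDRQS (System Request option 2) arrives at a    */
/* request processor as escape CPF1907, so it lands here instead of        */
/* leaving the job running as &SWPUSR.                                      */
MONMSG MSGID(CPF1907) EXEC(GOTO CMDLBL(RESTORE))
/* Become a request processor by sending and receiving a request message   */
SNDPGMMSG MSG(' ') TOPGMQ(*SAME) MSGTYPE(*RQS)
RCVMSG PGMQ(*SAME) MSGTYPE(*RQS) RMV(*NO)
/* Remember who really called, then obtain handles for both profiles       */
RTVJOBA CURUSER(&CURUSR)
CALL PGM(QSYGETPH) PARM(&CURUSR '*NOPWD' &HNDCUR)
CALL PGM(QSYGETPH) PARM(&SWPUSR '*NOPWD' &HNDSWP)
CALL PGM(QWTSETP) PARM(&HNDSWP)
CHGVAR &SWAPPED '1'
/* Work done under the swapped profile. DSPAUT stands in for the tool's    */
/* Qp0lGetAttr step; the interactive display is exactly where a user could */
/* press System Request and end the request. The name to search for in    */
/* the displayed authority list is &CURUSR, never &SWPUSR.                 */
DSPAUT OBJ(&OBJ) OUTPUT(*)
RESTORE:
/* Reached on normal completion and on end request: undo the swap first    */
IF COND(&SWAPPED) THEN(CALL PGM(QWTSETP) PARM(&HNDCUR))
CALL PGM(QSYRLSPH) PARM(&HNDCUR)
CALL PGM(QSYRLSPH) PARM(&HNDSWP)
ENDPGM
```

The order matters: the profile-level MONMSG must precede the SNDPGMMSG/RCVMSG pair, and &SWAPPED is set only after QWTSETP so an end request that arrives before the swap does not try to restore a profile that was never changed.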
Command parameters *CMD
------------------
OBJ The path name of the object to be retrieved. The
object path name can be either a simple name or a
name that is qualified with the name of the
directory in which the object is located.
OBJTYP The object type of the object found on the path.
This is an optional return variable that if used
must be specified as *CHAR LEN(10).
OWNER The owner of the object. This is an optional return
variable that if used must be specified as *CHAR
LEN(10).
PRFGRP The primary group of the owner of the object. This
is an optional return variable that if used must be
specified as *CHAR LEN(10).
AUTL The authorization list of the object. This is an
optional return variable that if used must be
specified as *CHAR LEN(10).
RTNAUTTYPE The type of authorization information returned.
*USER is returned if the user is individually
authorized to the object.
*PUBLIC is returned if the user is not individually
authorized to the object, but has rights as a
*PUBLIC user. Any specific rights that are returned
are based on the *PUBLIC user.
AUTFRMAUTL A *YES/*NO value for whether the authorization comes
from the authorization list.
*YES is returned if the authority comes from the
authorization list.
*NO is returned if the authority comes from the
authorization to the object.
This is an optional return variable that if used
must be specified as *CHAR LEN(4).
OBJOPR Object operational rights. Either an X (yes) or
blank (no) will be returned. This is an optional
return variable that if used must be specified as
*CHAR LEN(1).
OBJMGT Object management rights. Either an X (yes) or
blank (no) will be returned. This is an optional
return variable that if used must be specified as
*CHAR LEN(1).
OBJEXIST Object existence rights. Either an X (yes) or blank
(no) will be returned. This is an optional return
variable that if used must be specified as *CHAR
LEN(1).
OBJALTER Object alteration rights. Either an X (yes) or
blank (no) will be returned. This is an optional
return variable that if used must be specified as
*CHAR LEN(1).
OBJREF Object reference rights. Either an X (yes) or blank
(no) will be returned. This is an optional return
variable that if used must be specified as *CHAR
LEN(1).
READ Data read rights. Either an X (yes) or blank (no)
will be returned. This is an optional return
variable that if used must be specified as *CHAR
LEN(1).
ADD Data add rights. Either an X (yes) or blank (no)
will be returned. This is an optional return
variable that if used must be specified as *CHAR
LEN(1).
UPD Data update rights. Either an X (yes) or blank (no)
will be returned. This is an optional return
variable that if used must be specified as *CHAR
LEN(1).
DLT Data delete rights. Either an X (yes) or blank (no)
will be returned. This is an optional return
variable that if used must be specified as *CHAR
LEN(1).
EXECUTE Execute rights. Either an X (yes) or blank (no)
will be returned. This is an optional return
variable that if used must be specified as *CHAR
LEN(1).
EXCLUDE Exclude. Either an X (yes) or blank (no) will be
returned. This is an optional return variable that
if used must be specified as *CHAR LEN(1).
USRPRF The user profile that will be switched to during run
time. QSECOFR is the default. For file systems
(such as QNTC), CVTIFS will fail if QSECOFR does not
exist.
*CURRENT may be used or a specific user profile, but
the profile must have *ALLOBJ special authority.
Restrictions
------------
None.
Prerequisites
-------------
The following TAA Tools must be on your system:
SNDESCMSG Send escape message
Implementation
--------------
None, the tool is ready to use.
Objects used by the tool
------------------------
Object       Type    Attribute   Src member   Src file
------       ----    ---------   ----------   ----------
RTVIFSEAUT   *CMD                TAAIFSN      QATTCMD
TAAIFSNC     *PGM    CLP         TAAIFSNC     QATTCL
TAAIFSNC2    *PGM    CLP         TAAIFSNC2    QATTCL
TAAIFSNR     *PGM    RPGLE       TAAIFSNR     QATTRPG
Added to TAA Productivity tools October 15, 2001