TAA Tools
CHKIFSE              CHECK IFS ENTRY                   TAAIFSO

The  Check  IFS  Entry  command  checks  for  object  existence  and/or
verifies the user's  authority to an object in the  IFS.  If the object
exists  and  the user  has  the correct  authority  to the  object, the
command completes  normally.   The CHKIFSE  command is  similar to  the
system CHKOBJ  command, but does not  check for program  or group adopt
(IFS restriction).

A typical CHKIFSE command would be:

     CHKIFSE OBJ('/home/myhome/mydoc.doc') AUT(*NONE)

         or

     CHKIFSE OBJ('/home/myhome/mydoc.doc') AUT(*CHANGE)

If  the object  exists and  the AUT parameter  is satisfied  (either by
*NONE or the user has  the specified authority), the command  completes
normally (no message is sent).

If the object is not found, an escape message is sent.

If the  object is  found, but  the AUT parameter  is not  satisfied, an
escape message is sent.

Security discussion
-------------------

IFS  authority  checking follows  a  different model  than  checking of
objects in  libraries.   Program adoption  and group  adopting are  not
included.

In order to  determine the authority  to an IFS object,  a sub-function
(TAA  RTVIFSEAUT command) uses  an API that  requires the user  to have
*OBJMGT  rights  to the  object.   Since most  users  do not  have this
right,  it  is  necessary  to  use  the  'program  adopt'  function  to
determine the user's authority.

The 'program  adopt' function does not  operate when using an  IFS path
name.   However,  using program  adopt allows the  program to  swap the
current profile  for QSECOFR  during  the running  of the  command  and
then  swap  back  to  the  original  using  profile  when  the  command
completes.  Swapping occurs by the use of an API.

The  original user  name is  searched  for in  the list  of authorities
(not the swapped QSECOFR profile name).

The  swapping  of  profiles  allows  a  determination  of  the  user's
authority to the object,  but creates a problem in that  the user could
use system  request to 'end request' during the  running of the command
and  henceforth operate as QSECOFR.   This is avoided  by making the CL
program a  'request processor' and  monitoring for  'end request'.   If
'end  request'  occurs,  the  swap  of  profiles  occurs  back  to  the
original profile.

CHKIFSE escape messages you can monitor for
-------------------------------------------

   CPFA0A9     Object not found.
   CPF9898     General escape message. An unrecognized error was
               returned from the API to retrieve attributes for
               the IFS entry. Please check the joblog for more
               information on the error.
   TAA9891     Not authorized to object.
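
The escape messages above can be told apart with one MONMSG per
message ID.  The following CL program is an added example and is not
part of the TAA tool; its parameters, the 256-byte path length and the
return code values are assumptions made for illustration.

```cl
/* Added example: check that an IFS object exists and that the user  */
/* running the job has *RW authority to it, then report the outcome  */
/* to the caller.  &PATH, &RTNCDE and their lengths are hypothetical.*/
/*   &RTNCDE  '0' = object exists and AUT(*RW) is satisfied          */
/*            '1' = object not found             (CPFA0A9)           */
/*            '2' = not authorized to object     (TAA9891)           */
/*            '9' = unrecognized API error       (CPF9898)           */
             PGM        PARM(&PATH &RTNCDE)
             DCL        VAR(&PATH)   TYPE(*CHAR) LEN(256)
             DCL        VAR(&RTNCDE) TYPE(*CHAR) LEN(1)

             /* Assume success; CHKIFSE sends no message when the    */
             /* object exists and the AUT parameter is satisfied.    */
             CHGVAR     VAR(&RTNCDE) VALUE('0')

             /* Program and group adopted authority are not          */
             /* considered by CHKIFSE, so a '0' result reflects the  */
             /* user's own authority to the object.                  */
             CHKIFSE    OBJ(&PATH) AUT(*RW)
             MONMSG     MSGID(CPFA0A9) EXEC(CHGVAR VAR(&RTNCDE) +
                          VALUE('1'))
             MONMSG     MSGID(TAA9891) EXEC(CHGVAR VAR(&RTNCDE) +
                          VALUE('2'))
             /* Fail closed: an unrecognized error is reported as a  */
             /* failure, never as success.  Details are in the       */
             /* joblog.                                              */
             MONMSG     MSGID(CPF9898) EXEC(CHGVAR VAR(&RTNCDE) +
                          VALUE('9'))

             ENDPGM
```

A caller should treat any value other than '0' as a denial.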

Command parameters                                    *CMD
------------------

   OBJ           Specify  the path  name of  the object to  be checked.
                 The object path  name can be either  a simple name  or
                 a  name  that  is  qualified  with  the  name  of  the
                 directory in which the object is located.

                 A /QSYS.LIB object can be checked.

   AUT           Specifies  the  authorities  to  be  checked for  this
                 user.  The default is *NONE.

                 Authority  checking   using  the   IFS  differs   from
                 authority checking  of  objects in  libraries such  as
                 done  by the  system CHKOBJ  command.   The difference
                 is  that  no  Program  or  Group  adopt  functions are
                 considered.

                 The possible values are  as follows and have  the same
                 meaning as  on the system  CHKOBJ command plus  the PC
                 oriented values such as *RWX:

                   *NONE
                   *ALL
                   *CHANGE
                   *USE
                   *EXCLUDE
                   *OBJALTER
                   *OBJEXIST
                   *OBJMGT
                   *OBJOPR
                   *OBJREF
                   *ADD
                   *DLT
                   *EXECUTE
                   *READ
                   *UPD
                   *RWX - Read, write (add, upd, dlt), and execute
                   *RW  - Read, write (add, upd, dlt)
                   *WX  - Write (add, upd, dlt), execute
                   *R   - Read
                   *W   - Write (add, upd, dlt)
                   *X   - Execute

   USRPRF        The  user profile that will be  switched to during run
                 time.   QSECOFR  is the  default.   For  file  systems
                 (such  as QNTC),  CHKIFSE will  fail  if QSECOFR  does
                 not exist.

                 *CURRENT may  be used or a  specific user profile, but
                 the profile must have *ALLOBJ special authority.

Restrictions
------------

None, the tool is ready to use.

Prerequisites
-------------

The following TAA Tools must be on your system:

     EXTLST          Extract list
     RTVIFSEAUT      Retrieve IFS entry authority
     RTVSPCAUT       Retrieve special authority
     SNDESCMSG       Send escape message

Implementation
--------------

None, the tool is ready to use.

Objects used by the tool
------------------------

   Object        Type    Attribute      Src member    Src file
   ------        ----    ---------      ----------    ----------

   CHKIFSE       *CMD                   TAAIFSO       QATTCMD
   TAAIFSOC      *PGM    CLP            TAAIFSOC      QATTCL
					

Added to TAA Productivity tools October 15, 2001

