TAA Tools
RTVIFSEAUT      RETRIEVE IFS ENTRY AUTHORITY           TAAIFSN

The Retrieve IFS Entry Authority command returns the current user's
authority to an IFS object.  The path name must be specified.  Return
values include the owner, the authorization list, where the authority
comes from (the named user or *PUBLIC), and the individual
authorizations.  Authority checking for IFS objects is the same as for
objects in libraries except that program and group adopt are not used.

For a simple  check of  an object, see  the CHKIFSE command.   It  uses
RTVIFSEAUT to provide basic information.

The API used is Qp0lGetAttr.

A typical sequence of commands would be:

             DCL           &OBJOPR *CHAR LEN(1)
             DCL           &READ *CHAR LEN(1)
             DCL           &UPD *CHAR LEN(1)
              .
             RTVIFSEAUT   OBJ('/home/test.txt') +
                             OBJOPR(&OBJOPR) +
                             READ(&READ) UPD(&UPD)
             IF            ((&OBJOPR *EQ 'X') *AND +
                             (&READ *EQ 'X') *AND +
                             (&UPD *EQ 'X')) DO /* Is authorized */
                           /**************************************/
                           /*                                    */
                           /*    Your code if the user is        */
                           /*      authorized                    */
                           /*                                    */
                           /**************************************/
             ENDDO         /* Is authorized */

RTVIFSEAUT escape messages you can monitor for
----------------------------------------------

      CPFA089    Pattern not allowed in path name
      CPFA0A9    Object not found
      CPF9898    General escape message

Escape messages from the functions this command is based on are re-sent.

Security discussion
-------------------

IFS authority checking follows a different model than checking of
objects in libraries.  Neither program nor group adopt is included.

To determine the authority to an IFS object, an API is used that
requires the user to have *OBJMGT rights to the object.  Since most
users do not have this right, the 'program adopt' function is needed
to determine the user's authority.

The 'program adopt' function does not operate when using an IFS path
name.  However, program adopt allows the program to swap the current
profile for QSECOFR while the command runs and then swap back to the
original user profile when the command completes.  Swapping is done by
the use of an API.

The  original user  name  is searched  for in  the list  of authorities
(not the swapped QSECOFR profile name).

The swapping of profiles allows a determination of the user's
authority to the object, but creates a problem: the user could use
System Request to 'end request' while the command is running and
thereafter operate as QSECOFR.  This is avoided by making the CL
program a 'request processor' and monitoring for 'end request'.  If
'end request' occurs, the profiles are swapped back to the original
profile.

Command parameters                                    *CMD
------------------

   OBJ           The  path name  of the  object to  be retrieved.   The
                 object path  name can  be either  a simple  name or  a
                 name  that   is  qualified   with  the  name   of  the
                 directory in which the object is located.

   OBJTYP        The  object  type of  the  object found  on  the path.
                 This is  an  optional  return variable  that  if  used
                 must be specified as *CHAR LEN(10).

   OWNER         The owner of  the object.  This is  an optional return
                 variable  that  if  used must  be  specified  as *CHAR
                 LEN(10).

   PRFGRP        The primary group of  the owner of  the object.   This
                 is an  optional return variable  that if used  must be
                 specified as *CHAR LEN(10).

   AUTL          The  authorization list  of the  object.   This  is an
                 optional   return  variable  that   if  used  must  be
                 specified as *CHAR LEN(10).

   RTNAUTTYPE    The type of authorization information returned.

                 *USER  is  returned   if  the  user   is  individually
                 authorized to the object.

                 *PUBLIC is  returned if  the user is  not individually
                 authorized  to   the  object,  but  has  rights  as  a
                 *PUBLIC user.  Any  specific rights that are  returned
                 are based on the *PUBLIC user.

   AUTFRMAUTL    A *YES/*NO  value for whether the  authorization comes
                 from the authorization list.

                 *YES  is  returned if  the  authority  comes from  the
                 authorization list.

                 *NO is  returned  if  the  authority  comes  from  the
                 authorization to the object.

                 This  is an  optional  return  variable that  if  used
                 must be specified as *CHAR LEN(4).

   OBJOPR        Object  operational  rights.   Either  an  X (yes)  or
                 blank  (no)  will be  returned.   This is  an optional
                 return variable  that  if used  must be  specified  as
                 *CHAR LEN(1).

   OBJMGT        Object  management  rights.    Either an  X  (yes)  or
                 blank  (no) will  be  returned.   This is  an optional
                 return variable  that  if used  must be  specified  as
                 *CHAR LEN(1).

   OBJEXIST      Object existence rights.   Either an X  (yes) or blank
                 (no)  will be  returned.  This  is an  optional return
                 variable that  if  used  must be  specified  as  *CHAR
                 LEN(1).

   OBJALTER      Object  alteration  rights.   Either  an  X  (yes)  or
                 blank  (no) will  be returned.    This is  an optional
                 return  variable  that if  used  must be  specified as
                 *CHAR LEN(1).

   OBJREF        Object reference rights.   Either an X (yes)  or blank
                 (no)  will be returned.   This  is an  optional return
                 variable  that  if  used must  be  specified  as *CHAR
                 LEN(1).

   READ          Data read rights.   Either  an X (yes)  or blank  (no)
                 will  be  returned.    This   is  an  optional  return
                 variable  that  if used  must  be  specified as  *CHAR
                 LEN(1).

   ADD           Data add  rights.   Either an  X (yes)  or blank  (no)
                 will  be  returned.    This   is  an  optional  return
                 variable  that  if used  must  be  specified as  *CHAR
                 LEN(1).

   UPD           Data  update rights.  Either an  X (yes) or blank (no)
                 will  be  returned.    This  is  an   optional  return
                 variable  that  if used  must  be  specified as  *CHAR
                 LEN(1).

   DLT           Data  delete rights.  Either an  X (yes) or blank (no)
                 will  be  returned.    This  is  an   optional  return
                 variable  that if  used  must  be specified  as  *CHAR
                 LEN(1).

   EXECUTE       Execute  rights.   Either  an  X (yes)  or  blank (no)
                 will  be  returned.    This  is  an  optional   return
                 variable  that if  used  must  be specified  as  *CHAR
                 LEN(1).

   EXCLUDE       Exclude.   Either  an X  (yes) or  blank (no)  will be
                 returned.   This  is an optional  return variable that
                 if used must be specified as *CHAR LEN(1).

   USRPRF        The user profile that  will be switched to  during run
                 time.   QSECOFR  is  the default.    For file  systems
                 (such  as QNTC), CVTIFS will fail  if QSECOFR does not
                 exist.

                 *CURRENT may be used or  a specific user profile,  but
                 the profile must have *ALLOBJ special authority.
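The following CL program is an added example, not code shipped with the
TAA tool.  It uses the return variables described above to report where
the current user's authority to an IFS entry comes from and to flag
entries that are readable or updatable only through *PUBLIC, re-sending
the CPFA0A9 'not found' condition as CPF9898.  The program and variable
names are constructed, and the *CHAR LEN(10) size for RTNAUTTYPE is an
assumption (the page does not state its length).

```cl
             PGM           PARM(&PATH)
             DCL           &PATH     *CHAR LEN(256)
             DCL           &OBJTYP   *CHAR LEN(10)
             DCL           &OWNER    *CHAR LEN(10)
             DCL           &AUTL     *CHAR LEN(10)
             DCL           &AUTTYPE  *CHAR LEN(10) /* Assumed length */
             DCL           &FRMAUTL  *CHAR LEN(4)
             DCL           &READ     *CHAR LEN(1)
             DCL           &UPD      *CHAR LEN(1)
             DCL           &EXCLUDE  *CHAR LEN(1)
             DCL           &SOURCE   *CHAR LEN(80)
             /* Retrieve the current user's authority to the entry;   */
             /* an object that does not exist is re-sent as CPF9898   */
             RTVIFSEAUT    OBJ(&PATH) OBJTYP(&OBJTYP) OWNER(&OWNER) +
                             AUTL(&AUTL) RTNAUTTYPE(&AUTTYPE) +
                             AUTFRMAUTL(&FRMAUTL) READ(&READ) +
                             UPD(&UPD) EXCLUDE(&EXCLUDE)
             MONMSG        MSGID(CPFA0A9) EXEC(SNDPGMMSG MSGID(CPF9898) +
                             MSGF(QCPFMSG) MSGDTA('IFS entry' *BCAT +
                             &PATH *BCAT 'not found') MSGTYPE(*ESCAPE))
             /* Describe where the authority came from                */
             IF            (&FRMAUTL *EQ '*YES') THEN(CHGVAR &SOURCE +
                             ('authorization list' *BCAT &AUTL))
             ELSE          CMD(CHGVAR &SOURCE ('authorities on the' +
                             *BCAT 'object'))
             IF            (&AUTTYPE *EQ '*PUBLIC') THEN(CHGVAR &SOURCE +
                             ('*PUBLIC entry in' *BCAT &SOURCE))
             ELSE          CMD(CHGVAR &SOURCE ('user entry in' *BCAT +
                             &SOURCE))
             /* An explicit exclude wins over any other right         */
             IF            (&EXCLUDE *EQ 'X') THEN(SNDPGMMSG +
                             MSG(&PATH *BCAT 'excluded via' *BCAT &SOURCE))
             ELSE          CMD(DO)
               /* Flag entries that any user can read or update       */
               IF          ((&AUTTYPE *EQ '*PUBLIC') *AND +
                             ((&READ *EQ 'X') *OR (&UPD *EQ 'X'))) +
                             THEN(SNDPGMMSG MSG(&PATH *BCAT 'owned by' +
                             *BCAT &OWNER *BCAT 'is open to *PUBLIC' +
                             *BCAT '(READ=' *CAT &READ *CAT +
                             ' UPD=' *CAT &UPD *CAT ') via' *BCAT &SOURCE))
               ELSE        CMD(SNDPGMMSG MSG(&PATH *BCAT 'READ=' *CAT +
                             &READ *BCAT 'UPD=' *CAT &UPD *BCAT 'via' +
                             *BCAT &SOURCE))
             ENDDO
             ENDPGM
```

The messages go to the caller's program message queue (the SNDPGMMSG
defaults), so the findings appear in the job log when the program is
called for each path to be reviewed.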

Restrictions
------------

None.

Prerequisites
-------------

The following TAA Tools must be on your system:

     SNDESCMSG       Send escape message

Implementation
--------------

None, the tool is ready to use.

Objects used by the tool
------------------------

   Object        Type    Attribute      Src member    Src file
   ------        ----    ---------      ----------    ----------

   RTVIFSEAUT    *CMD                   TAAIFSN       QATTCMD
   TAAIFSNC      *PGM       CLP         TAAIFSNC      QATTCL
   TAAIFSNC2     *PGM       CLP         TAAIFSNC2     QATTCL
   TAAIFSNR      *PGM       RPGLE       TAAIFSNR      QATTRPG

Added to TAA Productivity tools October 15, 2001
