TAA Tools
DSPADP          DISPLAY WITH ADOPT                         TAAADPA

The Display with  adopt tool is a  series of DSP commands  that perform
the  same  function  as system  commands  except  that  they adopt  the
security  officer's profile  while in  execution.   This allows  a user
who is authorized  to the TAADSPADP  authorization list to display  the
object  description or  attribute  level of  information regardless  of
the security on the object or library.

This  is useful for  auditors or for programmers  who require something
less than *ALLOBJ authority.

None of the commands allow the  user to display any data (data base  or
data areas) nor can the user make any changes to the objects.

No user (unless he has *ALLOBJ authority) can use the commands
unless explicitly authorized to TAADSPADP.

The following are the commands provided:

      TAA                                              System
    Command          Description                       Command
    -------          ------------                      -------

    DSPCLSA          Display class                     DSPCLS
    DSPCMDA          Display command                   DSPCMD
    DSPDBRA          Display data base relations       DSPDBR
    DSPFDA           Display file description          DSPFD
    DSPFFDA          Display file field description    DSPFFD
    DSPJOBDA         Display job description           DSPJOBD
    DSPLIBA          Display library                   DSPLIB
    DSPOBJAUTA       Display object authority          DSPOBJAUT
    DSPOBJDA         Display object description        DSPOBJD
    DSPPGMA          Display program                   DSPPGM
    DSPPGMADPA       Display program adopt             DSPPGMADP
    DSPPGMREFA       Display program references        DSPPGMREF
    DSPSAVFA         Display save file                 DSPSAVF
    DSPSBSDA         Display subsystem description     DSPSBSD
    DSPUSRPRFA       Display user profile              DSPUSRPRF

The commands allow an authorized user to perform a reasonable degree
of troubleshooting on the system or allow a user to perform
system-wide functions that in most cases will not negate security
requirements.

For example,  there are many cases where private  libraries exist and a
function  is needed to operate  across the entire system.   Many of the
TAA tools  such  as PRTDBFEXP  and  PRTLIBANL require  a  user who  has
*ALLOBJ authority  to operate  on all libraries.   These TAA  tools use
the  DSPxxxA  commands  and therefore  only  require  authority  to the
TAADSPADP authorization list.  See  the section on tools which  require
DSPADP.

The DSPxxxA  commands use the same  prompts as the DSPxxx  command they
are emulating.

A typical  command might be to review all of  the job descriptions in a
library.  The  user of the  command (assuming he  has authorization  to
TAADSPADP) does not need  any authorization to the library  or objects.

        DSPOBJDA    OBJ(xxx/*ALL) OBJTYPE(*JOBD)

All  of the commands  in the  above list  that support outfiles  can be
used to create data base files.

Command parameters                                    *CMD
------------------

See the command being emulated.

Security considerations
-----------------------

DSPADP  is owned by QSECOFR.   The profile is adopted during execution.

To  use  one of  the  commands,  a  user  must  be  authorized  to  the
TAADSPADP authorization list.

None of the DSPxxxA commands allow any change capability nor do they
allow a user to see any data within the objects.  For example, no
data base file can be read, a data area cannot be displayed, and a
message file or message queue cannot be read.

You must  review the list of  commands and decide whether  you consider
any   of  the  capabilities  to   be  security  sensitive.     In  most
situations,  displays  of  object  level  information  or  the   detail
description  of  an  object  like  a  job   description  would  not  be
considered security sensitive.

Commands which  create an outfile require that if  the file exists, the
same   format  be  used.    Therefore,   it  is  impossible  to  delete
application  data unless  it  was  originally created  using  the  same
format as the outfile.

TAA tools which require DSPADP
------------------------------

Several TAA tools  require that the DSPxxxA commands  exist in order to
be created.

If  the user of a  tool like PRTDBFEXP specifies  a single library, the
tool checks  to see if  he is  authorized to  TAADSPADP.   If not,  the
normal DSPFD  command is executed  using the user's own authority.   If
the  user is  not authorized to  the library  or the objects,  an error
will occur.    If the  user  is  authorized to  TAADSPADP,  the  DSPFDA
command is executed.   In order to specify LIB(*ALL), the  user must be
authorized to TAADSPADP.

If the user has *ALLOBJ authority, the user is already authorized to
TAADSPADP and does not need specific authority.

The  following describes the tools  that use one or  more of the DSPADP
commands (this list may not be complete).

     TAA tool       DSPADP command dependency
     --------       -------------------------

     CHKDBD         DSPFDA
     CHKOBJDMG      DSPOBJDA
     CHKSAV         DSPOBJDA, DSPFDA
     PRTDBFEXP      DSPFDA
     PRTLIBANL      DSPFDA, DSPOBJDA, DSPUSRPRFA
     PRTSAVSTS      DSPOBJDA

Restrictions
------------

The user  must  have  *USE  authority to  the  TAADSPADP  authorization
list.

Prerequisites
-------------

The following TAA Tools must be on your system:

          EXTLST        Extract list
          EXTLST2       Extract list 2
          SNDCOMPMSG    Send completion message

Implementation
--------------

The tool is ready to use, but the users of the commands must be
authorized to the TAADSPADP authorization list.  Use either
EDTAUTL or specify:

       ADDAUTLE      AUTL(TAADSPADP) USER(xxxx) AUT(*USE)

If you  want to review  the objects  that use  the authorization  list,
use DSPAUTL or EDTAUTL and the F15 key.

If you want to prevent the use of one of the DSPxxxA commands, you
can remove it from the authorization list.  You must do this on each
release.  Use the EDTOBJAUT command on both the command and the CPP
(command processing program) to change the authorization list to
*NONE.
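
The following CL program is an added example, not part of the TAA
tool: it audits the TAADSPADP authorization list described above,
flagging a *PUBLIC entry that is not *EXCLUDE and any user holding
more than *USE.  The outfile name QTEMP/AUTLUSR is constructed, and
the program assumes the DSPAUTL outfile follows the QSYS/QAOBJAUT
model file and that QSECOFR owns the list.

```cl
/* Added example: audit who can run the DSPxxxA commands.            */
/* Assumptions: QTEMP/AUTLUSR is a constructed outfile name; the     */
/* DSPAUTL outfile uses the QSYS/QAOBJAUT model; QSECOFR owns list.  */
PGM
  DCLF       FILE(QSYS/QAOBJAUT)
  DCL        VAR(&FLAGGED) TYPE(*DEC) LEN(5 0) VALUE(0)
  DCL        VAR(&CNT) TYPE(*CHAR) LEN(5)

  /* One outfile record per user entry on the authorization list */
  DSPAUTL    AUTL(TAADSPADP) OUTPUT(*OUTFILE) OUTFILE(QTEMP/AUTLUSR)
  OVRDBF     FILE(QAOBJAUT) TOFILE(QTEMP/AUTLUSR)

  DOWHILE    COND('1')
    RCVF
    MONMSG   MSGID(CPF0864) EXEC(LEAVE)          /* End of file */

    /* The owner holds *ALL by design, so it is not a finding */
    IF       COND(&OAUSR *EQ 'QSECOFR') THEN(ITERATE)

    /* *PUBLIC must stay *EXCLUDE or every user can run DSPxxxA */
    IF       COND((&OAUSR *EQ '*PUBLIC') *AND +
                  (&OAOBJA *NE '*EXCLUDE')) THEN(DO)
      SNDPGMMSG MSG('*PUBLIC is not *EXCLUDE on TAADSPADP:' +
                    *BCAT &OAOBJA)
      CHGVAR   VAR(&FLAGGED) VALUE(&FLAGGED + 1)
    ENDDO

    /* *USE is all a user needs; more allows altering the list */
    IF       COND((&OAUSR *NE '*PUBLIC') *AND +
                  (&OAOBJA *NE '*USE') *AND +
                  (&OAOBJA *NE '*EXCLUDE')) THEN(DO)
      SNDPGMMSG MSG('More than *USE on TAADSPADP:' *BCAT &OAUSR +
                    *BCAT &OAOBJA)
      CHGVAR   VAR(&FLAGGED) VALUE(&FLAGGED + 1)
    ENDDO
  ENDDO
  DLTOVR     FILE(QAOBJAUT)

  /* Print the objects secured by the list and every program that  */
  /* adopts QSECOFR, for comparison with the tool's object table   */
  DSPAUTLOBJ AUTL(TAADSPADP) OUTPUT(*PRINT)
  DSPPGMADP  USRPRF(QSECOFR) OUTPUT(*PRINT)

  CHGVAR     VAR(&CNT) VALUE(&FLAGGED)
  SNDPGMMSG  MSG('TAADSPADP audit complete, entries flagged:' +
                 *BCAT &CNT)
ENDPGM
```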

Objects used by the tool
------------------------

   Object        Type        Attribute      Src member    Src file
   ------        ----        ---------      ----------    ----------

   DSPCLSA       *CMD                       TAAADPA4      QATTCMD
   DSPCMDA       *CMD                       TAAADPA14     QATTCMD
   DSPDBRA       *CMD                       TAAADPA12     QATTCMD
   DSPFDA        *CMD                       TAAADPA7      QATTCMD
   DSPFFDA       *CMD                       TAAADPA8      QATTCMD
   DSPJOBDA      *CMD                       TAAADPA3      QATTCMD
   DSPLIBA       *CMD                       TAAADPA2      QATTCMD
   DSPOBJAUTA    *CMD                       TAAADPA15     QATTCMD
   DSPOBJDA      *CMD                       TAAADPA       QATTCMD
   DSPPGMA       *CMD                       TAAADPA5      QATTCMD
   DSPPGMADPA    *CMD                       TAAADPA11     QATTCMD
   DSPPGMREFA    *CMD                       TAAADPA9      QATTCMD
   DSPSAVFA      *CMD                       TAAADPA13     QATTCMD
   DSPSBSDA      *CMD                       TAAADPA6      QATTCMD
   DSPUSRPRFA    *CMD                       TAAADPA10     QATTCMD
   TAAADPAC      *PGM           CLP         TAAADPAC      QATTCL
   TAAADPAC2     *PGM           CLP         TAAADPAC2     QATTCL
   TAAADPAC3     *PGM           CLP         TAAADPAC3     QATTCL
   TAAADPAC4     *PGM           CLP         TAAADPAC4     QATTCL
   TAAADPAC5     *PGM           CLP         TAAADPAC5     QATTCL
   TAAADPAC6     *PGM           CLP         TAAADPAC6     QATTCL
   TAAADPAC7     *PGM           CLP         TAAADPAC7     QATTCL
   TAAADPAC8     *PGM           CLP         TAAADPAC8     QATTCL
   TAAADPAC9     *PGM           CLP         TAAADPAC9     QATTCL
   TAAADPAC10    *PGM           CLP         TAAADPAC10    QATTCL
   TAAADPAC11    *PGM           CLP         TAAADPAC11    QATTCL
   TAAADPAC12    *PGM           CLP         TAAADPAC12    QATTCL
   TAAADPAC13    *PGM           CLP         TAAADPAC13    QATTCL
   TAAADPAC14    *PGM           CLP         TAAADPAC14    QATTCL
   TAAADPAC15    *PGM           CLP         TAAADPAC15    QATTCL
   TAAADPAC22    *PGM           CLP         TAAADPAC22    QATTCL

Structure
---------

     Command             CPP
     -------             ---

     DSPCLSA             TAAADPAC4
     DSPCMDA             TAAADPAC14
     DSPDBRA             TAAADPAC12
     DSPFDA              TAAADPAC7
     DSPFFDA             TAAADPAC8
     DSPJOBDA            TAAADPAC3
     DSPLIBA             TAAADPAC2
     DSPOBJAUTA          TAAADPAC15
     DSPOBJDA            TAAADPAC
     DSPPGMA             TAAADPAC5
     DSPPGMADPA          TAAADPAC11
     DSPPGMREFA          TAAADPAC9
     DSPSAVFA            TAAADPAC13
     DSPSBSDA            TAAADPAC6
     DSPUSRPRFA          TAAADPAC10

The  sub  program  TAAADPAC22 which  is  used  to  execute  the  EXTLST
command is used by TAAADPAC and TAAADPAC2.
					

Added to TAA Productivity tools April 1, 1995

