Simon & Ed,

We used to use adoption as only way to derive authority
on our system. This allowed us to secure files to applications
combined with users. We did use the end adopt option where
necessary (like anyplace that a command line could be
exposed). The decision to end adoption in triggers forced
us to use profile swapping.

In order to get functionality that is as secure and flexible as
adoption, I had to jump through quite a few hoops. Swapping
group profiles does have some advantages and can do
some things that adoption cannot, I just wish it were easier
to use.

Triggers may be treated like exit programs, but they are not
really that similar. I would be happier if you could specify
whether a trigger propagated adoption. I can certainly
understand why adoption is not propagated through a
server exit.

David Morris

>>> edfishel@us.ibm.com 01/25/02 06:34AM >>>

Simon,

>The system does support the ability to stop called programs from
adopting
>via a propogate authority attribute but Rochester haven't seen fit to
>expose that.  I keep asking for it but I guess I'm alone.

This function is there if you are willing to use the Suppress Adopted
User
Profile option on the Modify Invocation Authority Attributes
(MODINVAU),
Call External (CALLX), or Transfer Control (XCTL) MI instructions. See
http://www.as400.ibm.com/tstudio/tech_ref/mi/ for the latest
description of
these instructions.

>>There are some exceptions that can be significant, like triggers,
>>which end adoption.
>
>I didn't know that.  I can understand a trigger not inheriting
adopted
>authority from earlier in the stack but I doubt they stop the trigger
>itself from adopting authority via USRPRF(*OWNER).

It is true, OS/400 suppress adopted authority when calling almost all
exit
programs. As you guessed we do not prevent the called exit program
from
adopting is owners authority.

Ed Fishel,
edfishel@US.IBM.COM



As an Amazon Associate we earn from qualifying purchases.

This thread ...


Follow On AppleNews
Return to Archive home page | Return to MIDRANGE.COM home page

This mailing list archive is Copyright 1997-2024 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page. If you have questions about this, please contact [javascript protected email address].

Operating expenses for this site are earned using the Amazon Associate program and Google Adsense.