When you say "IFS folders", I assume you mean directories in the root or
QOpenSys file systems? Different file systems treat security
differently... in particular, /QDLS and /QSYS.LIB are very different
from other areas of the IFS.
So, if you don't mean the Root or QOpenSys filesystems, then please let
me know...
Typically you set the authority of a directory using the CHGAUT CL
command. Though, you can accomplish the same thing using QShell
commands or APIs. You did not say how your client is accessing the IFS,
so I'm going to just assume you're doing it through a CL program.
Anyway... Carol Woodbury wrote an article titled "How to Secure the
Integrated File System" which was published in the Sept 2005 issue of
iSeries NEWS magazine. If you have a ProVIP membership to System
iNetwork, you can view that article online at the following link:
http://www.systeminetwork.com/article.cfm?id=20237
Basically, you probably want to set public authority to DTAAUT(*EXCLUDE)
OBJAUT(*NONE). Use WRKLNK '/dirname' and take option 9 to view, change
and verify that the authorities are set up as you want them to be.
Then, I'd create a group user profile and give that group DTAAUT(*RWX)
and OBJAUT(*NONE) to the directory you want them to be able to put docs
in. This gives the group profile the ability to traverse the directory,
view files in the directory, add new files, etc. But does not give them
the ability to delete this directory or give someone else access to it.
I'd ensure that the group profile is associated with the directory in
question. I always do that through Qshell -- I assume there's a native
CL command as well, but not exactly sure what it is. Anyway...
STRQSH CMD('chgrp GROUPPROFILENAME /directory')
Then, I'd add that group profile to the list of supplemental group
profiles for the users who need authority. By default, any new files
created in the directory should have *RW for the owner & group, and no
authority to public.
That's just the default, though. Some software such as IBM's CPYTOSTMF
and CPYTOIMPF override that default behavior when creating files. Also,
programs creating files with the open() API can specify any authorities
they like... but software that just takes the default will grab its
authorities from the directory.
Dlong400 wrote:
Hi All,
I am about to show off my lack of knowledge here...
I have a client that is on V4R5 and they are trying to limit who can
access folders on the IFS.
Can anyone point me to a reference document that would give some
guidance on accomplishing this?
(They have a BP that is able to make this work on their own 400, but
for some reason, they can not get it to work on our mutual client's
400).
Thanks, DL
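
The steps described in the reply above, collected into one CL program. This is an added example, not code from the original post. DOCGRP, DOCUSER1, EXISTGRP and /docs are hypothetical names, and it assumes DOCUSER1 already has a group profile (GRPPRF), since supplemental groups cannot be set when GRPPRF is *NONE.

```cl
/* Added example. DOCGRP, DOCUSER1, EXISTGRP and '/docs' are        */
/* hypothetical names; substitute your own.                         */
PGM

  /* Group profile. PASSWORD(*NONE) means nobody can sign on as it. */
  CRTUSRPRF USRPRF(DOCGRP) PASSWORD(*NONE) +
            TEXT('Group for users of /docs')

  /* Shut the public out of the directory entirely.                 */
  CHGAUT OBJ('/docs') USER(*PUBLIC) +
         DTAAUT(*EXCLUDE) OBJAUT(*NONE)

  /* Group may traverse, list, and add files (*RWX data authority)  */
  /* but gets no object authorities, so it cannot delete the        */
  /* directory or grant access to anyone else.                      */
  CHGAUT OBJ('/docs') USER(DOCGRP) +
         DTAAUT(*RWX) OBJAUT(*NONE)

  /* Associate the group profile with the directory, using the      */
  /* same Qshell command shown in the reply.                        */
  STRQSH CMD('chgrp DOCGRP /docs')

  /* SUPGRPPRF sets the whole supplemental group list, it does not  */
  /* append. List any groups the user must keep (EXISTGRP here is   */
  /* a placeholder for those) along with the new one.               */
  CHGUSRPRF USRPRF(DOCUSER1) SUPGRPPRF(EXISTGRP DOCGRP)

  /* Review the result: *PUBLIC should show *EXCLUDE, DOCGRP *RWX.  */
  DSPAUT OBJ('/docs')

ENDPGM
```

Files created later by software that overrides the default (the reply names CPYTOSTMF and CPYTOIMPF) still need their authorities checked individually, for example with DSPAUT on the new file.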