One thing to remember is that there are numerous exceptions to the rules
for authority in the stream file part of the IFS.
Search IBM for Knowledge base document 18314911. You'll see references
to:
Integrated File System Authority Considerations
IBM iSeries NetServer Security
User Creates Directory But Does Not have Authority to Access It
All of these require a software support sign in.
Software support search link (for this week anyway)
http://www-912.ibm.com/ImprovedSearch/searchoptions.jsp
One of the big things is that using the security of the parent directory
is not always done for child directories or files. You're better off
using Primary Group Profiles than authorization lists. See the command
CHGPGP.
Now, I prefer authorization lists. I've found that using supplemental
groups and crap like that can make my SAVSYS jump from 4 minutes to 45
minutes. And IBM verified that supplemental groups were the culprit with
PRTPVTAUT. It's just that in some cases (like in the stream file part of
the IFS), authorization lists have a lot of disrespect.
Rob Berendt