On 04-Aug-2015 13:30 -0600, Bryan Dietz wrote:
CRPence wrote on 8/4/2015 1:57 PM:
On 04-Aug-2015 11:24 -0600, rob wrote:
On 04-Aug-2015 10:59 -0600, Dan wrote:
<<SNIP>> We also do not have access to CRTLIB / CPYLIB here.
<<SNIP>>

CRTLIB just may be because they want to have a formal process
which asks questions like:
<<SNIP>>

Of course the hack is the SQL statement CREATE SCHEMA.


A user can not circumvent the inability of a user to create a
library [due to restricted authority to the CRTLIB command] by
using the SQL CREATE statement; if such a /hack/ were enabled, then
that would be considered a system-integrity defect:

[http://www.ibm.com/support/knowledgecenter/ssw_ibm_i_71/db2/rbafzxcschema.htm]


CREATE SCHEMA
"...
Authorization

The privileges held by the authorization ID of the statement must
include at least one of the following:

• The *USE system authority to the following CL commands:
• Create Library (CRTLIB)
...
..."

You can also try the MKDIR '/qsys.lib/NEWLIB.lib' (or MD) from the
command line or the "mkdir" command from qsh.


That method being enabled to effect the Create Library even without the user having any authority to the CRTLIB *CMD is not considered a defect because the rules are reflecting the nature of the file system(s) being mimicked under the IFS; the authority control for the Make Directory command is determined first by the authority to the MKDIR command and then by the authority to the parent directory [or directories in the path?, I do not recall].

I only know for sure that the DB2 for i SQL deemed that level of consistency was a required level of security\protection from user access to a user interface from which access for the user was apparently explicitly revoked; i.e. if CRTLIB is disallowed, then the CREATE COLLECTION also should be prevented. Further control is available via the authority to the user to the QSYS library; much like for MKDIR with the authority to the user [¿to the root directory and?] to the /QSYS.LIB directory.


This mailing list archive is Copyright 1997-2024 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page. If you have questions about this, please contact [javascript protected email address].