On 27-May-2016 10:17 -0500, Gerald Magnuson wrote:
> so say we have a library, and those objects are owned by a group
> profile like: "ERPSYS",
> however, our users are in groups like "PURCHASC" and "OPERATNS"...
> when _they_ create objects in our main library (they rarely do), the
> objects are owned by their group, not the group "ERPSYS"...
> I am not sure it matters from a security standpoint, but we would
> like all objects owned by "ERPSYS".
Consider using resource authority that prevents users from creating
objects into that /main/ library. Then provide a separate feature that
allows /moving/ the object into that library [while also making the
appropriate ownership\authority changes], using adopted authority; e.g.
a command MVTOERPLIB OBJ() OBJTYPE() SETAUT().
Doing that also ensures that a Move Object (MOVOBJ) request could
not circumvent the stated intent; i.e. without *LIB resource security
preventing the *ADD of an object, just as a create-into that library is
possible, so too are requests to move-into that library. Dealing only
with /creates/ overlooks another path to get objects into that library
[with /incorrect/ ownership].
> what do we need to change so when a USER creates Files, they will be
> owned by the ERPSYS group?
While accurate, probably not helpful: Given a USRPRF(SomeUser)
GRPPRF(PURCHASC) OWNER(*USRPRF), that effect is possible, by issuing
effectively the following Change User Profile request [albeit with the
conspicuous caveat of the effects more generally, versus effect merely
for that library]:
CHGUSRPRF USRPRF(SomeUser) GRPPRF(ERPSYS ) OWNER(*GRPPRF)
SUPGRPPRF(+ PURCHASC)
Note: there is no valid '+' syntax as shown; that is merely specified
as an implication, that the value needs to be an added element rather
than an element-value\specification that might replace existing
element-value(s). Such an /additive/ capability is something I have
always thought would be somewhat worthwhile for a CL syntax enhancement.
FWiW: A job that processes the audit journal for T-CO entries [and
T-OM entries for moves; scanning for that library name as target], could
enqueue [or directly repeat until success] the work required to change
the ownership [and authorities] to whatever is desired.
FWiW: If "files" means database files, then if that /main/ library is
journaled per Start Journal Library (STRJRNLIB) [or similar effect via
the QDFTJRN Data Area (DTAARA)], then a job that processes the journal
that implicitly journals the files could effect similar to the
aforementioned [using the file-journal instead of the audit-journal].
Note: Background processes that change just-created\just-moved
objects can have a negative impact on jobs making those requests that do
other work on the same file immediately after creation; i.e. may
interfere with follow-on work in the job.
So FWiW, scheduled\batched processing to effect changes
after-the-fact may be preferable. That is, the use of Change Object
Owner (CHGOBJOWN) and any Grant Object Authority (GRTOBJAUT) and\or
Revoke Object Authority (RVKOBJAUT) performed during a time known not to
conflict with jobs using files in that library may be more appropriate
than such actions performed asynchronous to the run-time create\move
activity.
FWiW: Given a UDF named fixERPownr that both exists in the path and
is coded to effect the ownership\authority [re]assignments, a job could
be scheduled to process any objects not owned by ERPSYS in whatever is
the actual name of the /main/ library [instead of the name MAIN_LIBR in
the following]:
sbmjob cmd( runsql
  'create table qtemp/fixownr as
   ( select os.*, fixERPownr(OBJNAME, OBJTYPE)
       from table( object_statistics(''MAIN_LIBR'', ''*ALL'')
                 ) as os
      where OBJOWNER != ''ERPSYS''
   ) with data'
  commit(*none) naming(*sys)
  ) job(fixERPownr) scddate('...') scdtime('...')
-- not to suggest use of SQL; just an example, for PoC,
-- or at least to enable testing prior invocation
-- (parameter names are OBJN/OBJT rather than ON/OT: ON is an SQL
--  reserved word and would not compile as a parameter name)
create function fixERPownr
  ( objn varchar(10), objt varchar(10) )
  returns integer
  language sql modifies sql data
  not deterministic
begin
  -- a failed CHGOBJOWN yields NULL for that row instead of ending the SELECT
  declare exit handler for sqlexception return null ;
  call qcmdexc('chgobjown MAIN_LIBR/' concat objn
                concat ' objtype(' concat objt
                concat ') newown(ERPSYS)' ) ;
  return 1 ;
end
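The MVTOERPLIB command suggested earlier in the reply, sketched as a CL command processing program that runs under adopted authority; this is an added example, not code from the original message. It assumes a command defined with the parameters OBJ, OBJTYPE and FROMLIB in that order, the library name MAIN_LIBR from the SQL above, and that the program object is owned by ERPSYS and created with USRPRF(*OWNER); the ownership check accepts only the caller and the caller's primary group profile, not supplemental groups.

```cl
/* MVTOERPLIB CPP (hypothetical): move one object into MAIN_LIBR and   */
/* give it to ERPSYS.  Compile with USRPRF(*OWNER), owner ERPSYS, so    */
/* callers adopt ERPSYS's authority only while this program runs and    */
/* *PUBLIC can stay *EXCLUDE on the library itself.                     */
             PGM        PARM(&OBJ &OBJTYPE &FROMLIB)
             DCL        VAR(&OBJ)     TYPE(*CHAR) LEN(10)
             DCL        VAR(&OBJTYPE) TYPE(*CHAR) LEN(10)
             DCL        VAR(&FROMLIB) TYPE(*CHAR) LEN(10)
             DCL        VAR(&TOLIB)   TYPE(*CHAR) LEN(10) VALUE('MAIN_LIBR')
             DCL        VAR(&OWNER)   TYPE(*CHAR) LEN(10)
             DCL        VAR(&USER)    TYPE(*CHAR) LEN(10)
             DCL        VAR(&GRPPRF)  TYPE(*CHAR) LEN(10)
             DCL        VAR(&MSGID)   TYPE(*CHAR) LEN(7)
             DCL        VAR(&MSGTXT)  TYPE(*CHAR) LEN(132)
             MONMSG     MSGID(CPF0000) EXEC(GOTO CMDLBL(ERROR))

             /* Adopted authority would let the caller name any object, */
             /* so accept only objects the caller or their group owns.  */
             RTVOBJD    OBJ(&FROMLIB/&OBJ) OBJTYPE(&OBJTYPE) OWNER(&OWNER)
             RTVUSRPRF  USRPRF(*CURRENT) RTNUSRPRF(&USER) GRPPRF(&GRPPRF)
             IF         COND((&OWNER *NE &USER) *AND (&OWNER *NE &GRPPRF)) +
                          THEN(DO)
                SNDPGMMSG  MSGID(CPF9898) MSGF(QCPFMSG) MSGTYPE(*ESCAPE) +
                             MSGDTA('Caller does not own' *BCAT &OBJ)
             ENDDO

             MOVOBJ     OBJ(&FROMLIB/&OBJ) OBJTYPE(&OBJTYPE) TOLIB(&TOLIB)

             /* Give it to ERPSYS and strip the previous owner's private */
             /* authority; the group then sees it only through *PUBLIC.  */
             CHGOBJOWN  OBJ(&TOLIB/&OBJ) OBJTYPE(&OBJTYPE) NEWOWN(ERPSYS) +
                          CUROWNAUT(*REVOKE)
             GRTOBJAUT  OBJ(&TOLIB/&OBJ) OBJTYPE(&OBJTYPE) USER(*PUBLIC) +
                          AUT(*USE)
             RETURN

             /* Re-signal any failure (RTVOBJD, MOVOBJ, CHGOBJOWN, ...)  */
             /* to the caller as an escape message with the original id.*/
 ERROR:      RCVMSG     MSGTYPE(*EXCP) MSGID(&MSGID) MSG(&MSGTXT)
             SNDPGMMSG  MSGID(CPF9898) MSGF(QCPFMSG) MSGTYPE(*ESCAPE) +
                          MSGDTA('MVTOERPLIB failed:' *BCAT &MSGID *BCAT +
                            &MSGTXT)
             ENDPGM
```

Because the adopted authority is in effect only inside this program, a user who is *EXCLUDE on MAIN_LIBR can still bring an object in through this one audited path while CRTxxx and a bare MOVOBJ into the library keep failing.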