
Moving files to new libraries allows access to only groups or users that are authorized

If you have a file in AS/400 that needs to be replaced in a library, but get an error message indicating that a user cannot access a library, the best option is to create a new library and give access only to the group that needs access.

I have taken away all object authority from all my users. All has been going well until I try to run a query that is creating a file (*replace) and I get a message that the user is not authorized to the library, and thus is not able to replace the file. It was suggested that I put the file in a different library. If I create a different library, am I giving the ownership of this library to the person or group profile who will be replacing the file? Please let me know what the steps are for giving the user authority to replace a file using the query. This query is in a CL procedure. She has *Change access to the library that the file is in and *all authority to run the query.

You have a couple of options. You could either have the CL procedure adopt the authority of a powerful profile and then only grant authority to the CL procedure to the users you want to run the query. Or you could move the query to another library.

I prefer moving the file to another library. That way, it's easier to control who can see the results of running the queries. You can set the *PUBLIC authority of the library to *EXCLUDE and have the owner of the library be the group to which the user(s) belong. Then, I'd set the CRTAUT (Create authority) value for this library to *ALL. That will cause any file that gets created into the library to be set to *PUBLIC *ALL. Then, regardless of who is running the query, they will be able to delete and re-create the file. This method allows you to separate out who can use the results of the query. I like to create a query library for each role (or group) on the system – one for accounting, another one for HR, etc. That way, each role's information can only be viewed by other users in that role.

This was last published in August 2008
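The library setup described in the answer, written out as a CL sequence. This is an added example, not code from the original answer; the library ACCTQRY, group profile GRPACCT, file OLDLIB/QRYRESULT and query QRYLIB/ACCTRPT are hypothetical names.

```cl
/* Added example. ACCTQRY, GRPACCT, OLDLIB/QRYRESULT and QRYLIB/ACCTRPT */
/* are hypothetical names; substitute your own.                         */
PGM

  /* 1. Per-role library: *PUBLIC is excluded from the library itself,  */
  /*    and CRTAUT(*ALL) makes files created in it *PUBLIC *ALL.        */
  CRTLIB     LIB(ACCTQRY) TYPE(*PROD) AUT(*EXCLUDE) CRTAUT(*ALL) +
               TEXT('Accounting query results')

  /* 2. The group profile owns the library, so only its members can     */
  /*    reach the objects inside it. The creating profile keeps nothing.*/
  CHGOBJOWN  OBJ(QSYS/ACCTQRY) OBJTYPE(*LIB) NEWOWN(GRPACCT) +
               CUROWNAUT(*REVOKE)

  /* 3. Move the existing output file. A moved object keeps the         */
  /*    authorities it already had (CRTAUT only applies to objects      */
  /*    created in the library), so align it with the new scheme.       */
  MOVOBJ     OBJ(OLDLIB/QRYRESULT) OBJTYPE(*FILE) TOLIB(ACCTQRY)
  GRTOBJAUT  OBJ(ACCTQRY/QRYRESULT) OBJTYPE(*FILE) USER(*PUBLIC) +
               AUT(*ALL)

  /* 4. Run the query with its output file replaced in the new library. */
  RUNQRY     QRY(QRYLIB/ACCTRPT) OUTTYPE(*OUTFILE) +
               OUTFILE(ACCTQRY/QRYRESULT *FIRST *RPLFILE)

  /* 5. Check the result: the library should show *PUBLIC *EXCLUDE with */
  /*    GRPACCT as owner; the file should show *PUBLIC *ALL.            */
  DSPOBJAUT  OBJ(QSYS/ACCTQRY) OBJTYPE(*LIB) OUTPUT(*PRINT)
  DSPOBJAUT  OBJ(ACCTQRY/QRYRESULT) OBJTYPE(*FILE) OUTPUT(*PRINT)

ENDPGM
```

The *PUBLIC *ALL on the files is gated by the library's *PUBLIC *EXCLUDE, so review group membership and any profiles with *ALLOBJ special authority, since those are what actually determine who can read the query results.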
