To read a file, the manager will need at least *X to the directory and *RX to the file itself. So the manager will need these authorities.The problem is the clerk is going to own the file (even if you specify to have the group own newly created objects, objects created into the IFS ignore this user profile setting and the user creating the object owns it. So you will need some process to sweep the directory and change the ownership of these objects. If you are running V5R3, you may be able to take advantage of one of the new file system exit points that allows you to have a program called when objects are created into a directory. You may be able to use this program to immediately change the ownership. Otherwise, you will have to have a process that runs hourly or nightly, etc.
MORE INFORMATION ON THIS TOPIC
The Best Web Links: tips, tutorials and more.
Search400's targeted search engine: Get relevant information on security.
Ask your systems management questions--or help out your peers by answering them--in our live discussion forums.
Check out this Search400.com Featured Topic: Top ten security tips
Visit the ITKnowledge Exchange and get answers to your security questions fast.
Dig deeper on iSeries system and application security
Related Q&A from Carol Woodbury
Before changing password levels and upgrading operating systems on the AS/400, ensure the clients connecting to the NetServer do not need the old ...continue reading
Look in the audit journal (QAUDJRN) on the AS/400 for an authority failure message with the name of the library as the object name. Use the ...continue reading
When error messages arise concerning attempts to use a permanent system object without authority, find the source of the issue by looking for an AF ...continue reading
Have a question for an expert?
Please add a title for your question
Get answers from a TechTarget expert on whatever's puzzling you.