To read a file, the manager will need at least *X to the directory and *RX to the file itself. So the manager will need these authorities.The problem is the clerk is going to own the file (even if you specify to have the group own newly created objects, objects created into the IFS ignore this user profile setting and the user creating the object owns it. So you will need some process to sweep the directory and change the ownership of these objects. If you are running V5R3, you may be able to take advantage of one of the new file system exit points that allows you to have a program called when objects are created into a directory. You may be able to use this program to immediately change the ownership. Otherwise, you will have to have a process that runs hourly or nightly, etc.
================================== MORE INFORMATION ON THIS TOPIC ==================================
The Best Web Links: tips, tutorials and more.
Search400's targeted search engine: Get relevant information on security.
Ask your systems management questions--or help out your peers by answering them--in our live discussion forums.
Check out this Search400.com Featured Topic: Top ten security tips
Visit the ITKnowledge Exchange and get answers to your security questions fast.
This was first published in February 2005