My company has programs (run from the green screen) that generate IFS files. I need to provide authority for the clerk running the program to create these files, but I do not want her to be able to access or view the results via iSeries Access or IFS File Shares. Is there some way I can set the IFS security so the manager can access the files from her PC applications (Word, Excel, etc.), but none of the clerks can?
You can try the following:

To create an object into a directory, you need *W, so try giving the clerks DTAAUT(*W) and OBJAUT(*NONE) to the directory into which the files are being created.

To read a file, the manager will need at least *X to the directory and *RX to the file itself. So the manager will need these authorities.

The problem is the clerk is going to own the file (even if you specify to have the group own newly created objects, objects created into the IFS ignore this user profile setting and the user creating the object owns it). So you will need some process to sweep the directory and change the ownership of these objects. If you are running V5R3, you may be able to take advantage of one of the new file system exit points that allows you to have a program called when objects are created into a directory. You may be able to use this program to immediately change the ownership. Otherwise, you will have to have a process that runs hourly or nightly, etc.
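The directory authorities and the periodic ownership sweep described in the answer, as an added CL example that is not part of the original answer. The profile names CLERK1 and MGR1, the directory /reports/out, and the *PUBLIC *EXCLUDE setting on the swept files are assumptions; the program is assumed to run under a profile that is allowed to change ownership of the clerk's files.

```cl
/* Added example, not from the original answer.                        */
/* CLERK1, MGR1 and '/reports/out' are hypothetical names.             */
PGM

  /* Directory authorities, reapplied on every run so they cannot      */
  /* drift. Values are the ones given in the answer. Creating an       */
  /* object normally also needs *X on the parent directory, so the     */
  /* clerk may need DTAAUT(*WX) if the create fails on authority.      */
  CHGAUT OBJ('/reports/out') USER(CLERK1) DTAAUT(*W) OBJAUT(*NONE)
  CHGAUT OBJ('/reports/out') USER(MGR1) DTAAUT(*X) OBJAUT(*NONE)

  /* Sweep: hand every object in the directory to the manager and      */
  /* revoke the authority the creating clerk held as owner.            */
  CHGOWN OBJ('/reports/out/*') NEWOWN(MGR1) RVKOLDAUT(*YES)
  MONMSG MSGID(CPFA0A9) EXEC(RETURN) /* Object not found: nothing to sweep */

  /* The manager gets the *RX the answer says is needed to read.       */
  CHGAUT OBJ('/reports/out/*') USER(MGR1) DTAAUT(*RX) OBJAUT(*NONE)

  /* Assumption: shut out everyone without a private authority, so a   */
  /* clerk does not fall through to *PUBLIC once ownership is gone.    */
  CHGAUT OBJ('/reports/out/*') USER(*PUBLIC) DTAAUT(*EXCLUDE) +
           OBJAUT(*NONE)

ENDPGM
```

Until the sweep runs, the clerk still owns each new file, so the scheduling interval is the length of time those files remain under the clerk's ownership.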


This was first published in February 2005
