Ask The iSeries 400 Expert: Questions & Answers

Granting a user SAVSYS authority

EXPERT RESPONSE FROM: Carol Woodbury

QUESTION POSED ON: 03 January 2008
I have software running at a client's site and want to allow a user to run a CL program that basically performs a backup to a save file as part of a processing routine. The user receives a CPF3770 error message stating they do not have authority to save the objects. I don't want them to have complete SAVSYS authority but would like to allow whoever has access to this option to be able to complete the save. What are my options to have them complete this task?



What you want to do is have the CL program you've written owned by a profile that has *SAVSYS special authority. Or you could have it owned by the profile that owns the file being saved. Then run the CHGPGM command, specifying the user profile parameter to be *OWNER. Now when the program runs, the program will "adopt" the authority of the program's owner. As long as the program is owned by a profile that has sufficient authority to the object or has *SAVSYS, you should be good to go. Here are some things to remember about adopted authority.

Adopted authority is stack-based. That is, as long as the program is active, or in the program call stack, the adopted authority is in effect. So if you do something like a SBMJOB out of the program that adopts, the adopted authority will not carry over to the new job because there's a new stack.

Because it's stack-based, the adopted authority flows to subsequent programs that are called. So if you would call the API that puts up the command line, the adopted authority flows out to that command line. So it's best to do whatever it is that needs the additional authority and then return (and not do a lot of extra stuff).

To control who can perform these saves, you'll probably want to set the program to *PUBLIC *EXCLUDE and only authorize selected users or groups to the program.

Hope this helps.
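The setup described in the response above, written out as an added example that is not part of the original answer. All object and profile names (MYLIB, SAVPGM, APPDATA, APPSAVF, SAVOWNER, SAVGRP) are hypothetical; SAVOWNER is assumed to be an existing profile that has *SAVSYS special authority or sufficient authority to the objects being saved.

```cl
/* ---- Source of MYLIB/SAVPGM (constructed example) ------------- */
PGM
  /* Do only the work that needs the adopted authority, then      */
  /* return. No SBMJOB here: a submitted job has a new call stack */
  /* and would not run under the adopted authority. No call to a  */
  /* command-line API either: adopted authority would flow to it. */
  CLRSAVF    FILE(MYLIB/APPSAVF)
  SAVOBJ     OBJ(*ALL) LIB(APPDATA) DEV(*SAVF) SAVF(MYLIB/APPSAVF)
  MONMSG     MSGID(CPF0000) EXEC(DO)
    /* Report the failure to the caller instead of continuing */
    SNDPGMMSG  MSGID(CPF9898) MSGF(QCPFMSG) +
                 MSGDTA('Save of APPDATA failed') MSGTYPE(*ESCAPE)
  ENDDO
ENDPGM

/* ---- One-time setup, run by a security administrator ---------- */

/* 1. Make the program owned by the profile whose authority it    */
/*    should adopt.                                               */
CHGOBJOWN  OBJ(MYLIB/SAVPGM) OBJTYPE(*PGM) NEWOWN(SAVOWNER)

/* 2. Have the program adopt its owner's authority while it is    */
/*    in the call stack.                                          */
CHGPGM     PGM(MYLIB/SAVPGM) USRPRF(*OWNER)

/* 3. Restrict who may call it: exclude the public, then          */
/*    authorize only the selected group (or individual users).    */
GRTOBJAUT  OBJ(MYLIB/SAVPGM) OBJTYPE(*PGM) USER(*PUBLIC) AUT(*EXCLUDE)
GRTOBJAUT  OBJ(MYLIB/SAVPGM) OBJTYPE(*PGM) USER(SAVGRP)  AUT(*USE)

/* ---- Checks ---------------------------------------------------- */

/* Confirm the program shows user profile *OWNER */
DSPPGM     PGM(MYLIB/SAVPGM)

/* Confirm *PUBLIC is *EXCLUDE and only SAVGRP has *USE */
DSPOBJAUT  OBJ(MYLIB/SAVPGM) OBJTYPE(*PGM)

/* List every program that adopts SAVOWNER's authority, to review */
/* what else runs with *SAVSYS through adoption                   */
DSPPGMADP  USRPRF(SAVOWNER)
```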




All Rights Reserved, Copyright 1999 - 2009, TechTarget