Manage Learn to apply best practices and optimize your operations.

Granting a user SAVSYS authority

I Series security expert Carol Woodbury explains how to give a user authority to complete a save.

I have software running at a client's site and want to allow a user to run a CL program that basically performs a backup to a save file as part of a processing routine. The user receives a CPF3770 error message stating they do not have authority to save the objects. I don't want them to have complete SAVSYS authority but would like to allow whoever has access to this option to be able to complete the save. What are my options to have them complete this task?
What you want to do is have the CL program you've written owned by a profile that has *SAVSYS special authority. Or you could have it owned by the profile that owns the file being saved. Then run the CHGPGM command, specifying the user profile parameter to be *OWNER. Now when the program runs, the program will "adopt" the authority of the program's owner. As long as the program is owned by a profile that has sufficient authority to the object or has *SAVSYS, you should be good to go. Here are some things to remember about adopted authority.

Adopted authority is stack-based. That is, as long as the program is active, or in the program call stack, the adopted authority is in effect. So if you do something like a SBMJOB out of the program that adopts, the adopted authority will not carry over to the new job because there's a new stack.

Because it's stack-based, the adopted authority flows to subsequent programs that are called. So if you would call the API that puts up the command line, the adopted authority flows out to that command line. So it's best to do whatever it is that needs the additional authority and then returns (doesn't do a lot of extra stuff.)

To control who can perform these saves, you'll probably want to set the program to *PUBLIC *EXCLUDE and only authorize selected users or groups to the program.

Hope this helps.

Dig Deeper on iSeries system and application security

Have a question for an expert?

Please add a title for your question

Get answers from a TechTarget expert on whatever's puzzling you.

You will be able to add details on the next page.

Start the conversation

Send me notifications when other members comment.

Please create a username to comment.