Manage Learn to apply best practices and optimize your operations.

Proper IFS security setting

How do you set the IFS security so a manager can access the IFS files from her PC applications but none of the clerks can? Security expert Carol Woodbury has a suggestion.

The scenario:
Company XYZ has programs (run from the green screen) that generate IFS files. You need to provide authority for the clerk running the program to create these files, but you do not want her to be able to access or view the results via iSeries Access or IFS File Shares.

How do you set the IFS security so the manager can access the files from her PC applications (Word, Excel, etc.), but none of the clerks can?

More Information

The solution:
Carol Woodbury, president, CEO of SkyView Partners, says, "To create an object into a directory, you need *W, so try giving the clerks DTAAUT(*W) and OBJAUT(*NONE) to the directory into which the files are being created.

"To read a file, the manager will need at least *X to the directory and *RX to the file itself. So the manager will need these authorities.

"The problem is the clerk is going to own the file. Even if you specify to have the group own newly created objects, objects created into the IFS ignore this user profile setting and the user creating the object owns it. So you will need some process to sweep the directory and change the ownership of these objects.

"If you are running V5R3, you may be able to take advantage of one of the new file system exit points that allows you to have a program called when objects are created into a directory. You may be able to use this program to immediately change the ownership. Otherwise, you will have to have a process that runs hourly or nightly."

Dig Deeper on iSeries system and application security