Changing Sub Tree Authorities In An IFS Folder
Published: October 31, 2012
I need to change access authority for all the objects in a specific AS/400 Integrated File System (AS/400 IFS) folder and all its sub-folders. What's the best way to do this? I'm running IBM i 6.1.
Changing authorities for an IFS folder and its entire sub tree (objects and sub-folders) is a relatively easy task to accomplish. You just have to remember three things when updating this authority.
- You must change the folder's authorities using the green-screen Change Authority (CHGAUT) command. I haven't been able to find any way to change sub tree authorities in System i Navigator V7R1Mx (OpsNav), so you must use the green-screen for this task.
- The default CHGAUT parameters do not apply authority changes to all objects in a folder's sub tree. You need to change the default CHGAUT parameters to affect sub tree objects.
- The rules are different when trying to change authorities for Symbolic Link objects under a folder. Symbolic link authority changes are governed by a different CHGAUT parameter.
Here's how changing IFS sub tree authorities plays out in an IBM i 6.1 environment.
To change the default *PUBLIC authority for all subfolders and objects under the '/home/joeh' AS/400 IFS folder, for example, I would use the following CHGAUT command.
CHGAUT OBJ('/home/joeh') USER(*PUBLIC) DTAAUT(*EXCLUDE) OBJAUT(*NONE) SUBTREE(*ALL)
The CHGAUT command can be used to alter IFS data and object authorities for an individual user, a group user profile, an authorization list, and the *PUBLIC user (for users who do not have explicitly defined authority to an IFS object). The CHGAUT example shown here uses the New Data Authorities (DTAAUT) and the New Object Authorities (OBJAUT) parameters to remove all data and object rights for the *PUBLIC user to both the '/home/joeh' folder and to all the objects contained in the folder's sub tree.
I took away the folder's sub-tree rights by explicitly changing the command's Directory Sub Tree (SUBTREE) parameter to *ALL. SUBTREE is set to *NONE by default, which means that CHGAUT will only change the authorities on the specific AS/400 IFS object named in the Object (OBJ) parameter. So the basic rule in using CHGAUT for sub tree authority changes is to change the SUBTREE parameter to *ALL. Once that's done, all your CHGAUT parameters will also flow down to the folder's sub tree objects.
You can also modify this command to change the authorities on all the folder's sub tree objects while leaving the parent folder's authorities intact. To do that, modify our CHGAUT command to look like this.
CHGAUT OBJ('/home/joeh/*') USER(*PUBLIC) DTAAUT(*EXCLUDE) OBJAUT(*NONE) SUBTREE(*ALL)
By changing the OBJ parameter to '/home/joeh/*' instead of '/home/joeh', I'm telling the command to only act on the sub tree objects in the folder without touching the parent folder authorities. You might use this command when you want to provide sub-tree data and object read/write authorities while retaining read-only authorities for the parent folder.
You should also note that you can use the CHGAUT command to grant or revoke data and object authorities for a number of IBM i users at the same time. You can do this implicitly by specifying the name of a user group profile in the User parameter (USER), like this.
CHGAUT OBJ('/home/joeh') USER(group_name) DTAAUT(*EXCLUDE) SUBTREE(*ALL)
Where group_name is a group user profile name that you want to assign or deny rights to for the folder and for all its sub tree objects. Any users assigned to this group will automatically receive the changed folder rights, unless one of the group profile members has explicit rights that override the user group folder rights.
If you want to change authorities for all users listed in a specific IBM i authorization list, you would enter the command this way, where the name of the list is specified in the Authorization list (AUTL) parameter and the USER parameter is not used.
CHGAUT OBJ('/home/joeh') AUTL(authorization_list) DTAAUT(*EXCLUDE) OBJAUT(*NONE)
In this case, the OS will use the user names and authorities listed in the authorization list named authorization_list to secure the changed objects.
If you want to change sub tree authorities for multiple users that don't belong to a group profile or an authorization list, you can run the following CHGAUT command to change folder access rights for several individual users at one time.
CHGAUT OBJ('/home/joeh') USER(user1 user2 user3) DTAAUT(*EXCLUDE) SUBTREE(*ALL)
Where user1, user2, and user3 are the user names that you want to change access for. You can use this CHGAUT command to assign or deny rights for up to 50 users in the User parameter (USER). So you're not limited to running this command for only a single user or a group user profile.
The only thing you should be aware of is that there is a different parameter for changing the authorities on symbolic link objects using CHGAUT. For changing sub-tree symbolic links, you use the Symbolic Link parameter, SYMLNK, to tell CHGAUT to change the authorities on any symbolic links it encounters. CHGAUT also behaves a little differently when modifying symbolic links as opposed to other AS/400 IFS objects. For more information on using CHGAUT to change symbolic links and other sub tree objects under a folder, see IBM's CHGAUT document in the i5/OS Information Center.