Running Query Without Adopted Authority
February 9, 2005 Hey, Ted
Because of the Sarbanes/Oxley Act, we are tightening our security. One problem we have is using AS/400 Query. Several of our menus include options that run the Work with Queries command. The problem is that a user who takes one of these options is running WRKQRY under adopted authority, and therefore has access to files that should from now on be secured. How can we change the WRKQRY command so that the user does not have adopted authority?
You can’t change the command. You may be able to change the command-processing program, QSYS/QQUDA, but I don’t like to monkey with IBM-created objects. I’m so conservative, I wear a belt and suspenders, and I have no idea what might happen.
Here’s what I suggest you do. First, create a new CL source member from your CL program template. (You do have a template, don’t you? If not, use this one.) You will need only one CL command in the regular routine: WRKQRY.
Compile the new CL program. It should run as either an OPM program or an ILE program.
If necessary, transfer ownership of the new program to the user who owns your applications.
CHGOBJOWN OBJ(mylib/mypgm) OBJTYPE(*PGM) NEWOWN(newowner)
Then change the program not to use adopted authority.
CHGPGM PGM(mylib/mypgm) USRPRF(*USER) USEADPAUT(*NO)
The parameter USRPRF(*USER) says that the program uses the current user’s authority only when it runs. USEADPAUT(*NO) does not allow the program to adopt authority from programs higher in the call stack.
Click here to contact Ted Holt by e-mail.