• The Four Hundred
  • Subscribe
  • Media Kit
  • Contributors
  • About Us
  • Contact
Menu
  • The Four Hundred
  • Subscribe
  • Media Kit
  • Contributors
  • About Us
  • Contact
  • Changing Sub Tree Authorities In An IFS Folder

    October 31, 2012 Hey, Joe

    I need to change access authority for all the objects in a specific AS/400 Integrated File System (AS/400 IFS) folder and all its sub-folders. What’ the best way to do this? I’m running IBM i 6.1.

    –Pete

    Changing authorities for an IFS folder and its entire sub tree (objects and sub-folders) is a relatively easy task to accomplish. You just have to remember three things when updating this authority.

    • You must change the folder’s authorities using the green-screen Change Authority (CHGAUT) command. I haven’t been able to find any way to change sub tree authorities in Systems i Navigator V7R1Mx (OpsNav), so you must use the green-screen for this task.
    • The default CHGAUT parameters do not apply authority changes to all objects in a folder’s sub tree. You need to change the default CHGAUT parameters to affect sub tree objects.
    • The rules are different when trying to change authorities for Symbolic Link objects under a folder. Symbolic link authority changes are governed by a different CHGAUT parameter.

    Here’s how changing IFS sub tree authorities plays out in an IBM i 6.1 environment.

    To change the default *PUBLIC authority for all subfolders and objects under the ‘/home/joeh’ AS/400 IFS folder, for example, I would use the following CHGAUT command.

    CHGAUT OBJ('/home/joeh') USER(*PUBLIC) DTAAUT(*EXCLUDE) 
    OBJAUT(*NONE) SUBTREE(*ALL)
    

    The CHGAUT command can be used to alter IFS data and object authorities for an individual user, a group user profile, an authorization list, and the *PUBLIC user (for users who do not have explicitly defined authority to an IFS object). The CHGAUT example shown here uses the New Data Authorities (DTAAUT) and the New Object Authorities (OBJAUT) parameters to remove all data and object rights for the *PUBLIC user to both the ‘/home/joeh’ folder and to all the objects contained in the folder’s sub tree.

    I took away the folder’s sub-tree rights by explicitly changing the command’s Directory Sub Tree (SUBTREE) parameter to *ALL. SUBTREE is set to *NONE by default, which means that CHGAUT will only change the authorities on the specific AS/400 IFS object named in the Object (OBJ) parameter. So the basic rule in using CHGAUT for sub tree authority changes is to change the SUBTREE parameter to *ALL. Once that’s done, all your CHGAUT parameters will also flow down to the folder’s sub tree objects.

    You can also modify this command to change the authorities on all the folder’s sub tree objects while leaving the parent folder’s authorities intact. To do that, modify our CHGAUT command to look like this.

    CHGAUT OBJ('/home/joeh/*') USER(*PUBLIC) DTAAUT(*EXCLUDE) 
    OBJAUT(*NONE) SUBTREE(*ALL)
    

    By changing the OBJ parameter to ‘/home/joeh/*’ instead of ‘/home/joeh’, I’m telling the command to only act on the sub tree objects in the folder without touching the parent folder authorities. You might use this command when you want to provide sub-tree data and object read/write authorities while retaining read only authorities for the parent folder.

    You should also note that you can use the CHGAUT command to grant or revoke data and object authorities for a number of IBM i users at the same time. You can do this implicitly by specifying the name of a user group profile in the User parameter (USER), like this.

    CHGAUT OBJ('/home/joeh') USER( group_name) DTAAUT(*EXCLUDE) 
    OBJAUT(*NONE) SUBTREE(*ALL)
    

    Where group_name is a group user profile name that you want to assign or deny rights to for the folder and for all its sub tree objects. Any users assigned to this group will automatically receive the changed folder rights, unless one of the group profile members has explicit rights that override the user group folder rights.

    If you want to change authorities for all users listed in a specific IBM i authorization list, you would enter the command this way, where the name of the list is specified in the Authorization list (AUTL) parameter and the USER parameter is not used.

    CHGAUT OBJ('/home/joeh') DTAAUT(*EXCLUDE) OBJAUT(*NONE) 
    AUTL(authorization_list) SUBTREE(*ALL)
    

    In this case, the OS will use the user names and authorities listed in the authorization_list name to secure the changed objects.

    If you want to change sub tree authorities for multiple users that don’t belong to a group profile or an authorization list, you can run the following CHGAUT command to change folder access rights for several individual users at one time.

    CHGAUT OBJ('/home/joeh') USER(user1 user2 user3) 
    DTAAUT(*EXCLUDE) OBJAUT(*NONE)SUBTREE(*ALL)
    

    Where user1, user2, user3 equal the user names that you want to change access for. You can use this CHGAUT command to assign or deny rights for up to 50 users in the User parameter (USER). So you’re not limited to running this command for only a single user or a group user profile.

    The only thing you should be aware of is that there is a different parameter for changing the authorities on symbolic link objects using CHGAUT. For changing sub-tree symbolic links, you use the Symbolic Link parameter, SYMLINK, to tell CHGAUT to change the authorities on any symbolic links it encounters. CHGAUT also behaves a little differently when modifying symbolic links as opposed to other AS/400 IFS objects. For more information on using CHGAUT to change symbolic links and other sub tree objects under a folder, see IBM‘s CHGAUT document in the i5/OS Information Center.

    –Joe



                         Post this story to del.icio.us
                   Post this story to Digg
        Post this story to Slashdot

    Share this:

    • Reddit
    • Facebook
    • LinkedIn
    • Twitter
    • Email

    Tags:

    Sponsored by
    Raz-Lee Security

    Raz-Lee Security is the leader in security and compliance solutions that guard business-critical information on IBM i servers. We are committed to providing the best and most comprehensive solutions for compliance, auditing, and protection from threats and ransomware. We have developed cutting-edge solutions that have revolutionized analysis and fortification of IBM i servers.

    Raz-Lee’s flagship iSecurity suite of products is comprised of solutions that help your company safeguard and monitor valuable information assets against intrusions. Our state-of-the-art products protect your files and databases from both theft and extortion attacks. Our technology provides visibility into how users access data and applications, and uses sophisticated user tracking and classification to detect and block cyberattacks, unauthorized users and malicious insiders.

    With over 35 years of exclusive IBM i security focus, Raz-Lee has achieved outstanding development capabilities and expertise. We work hard to help your company achieve the highest security and regulatory compliance.

    Key Products:

    • AUDIT
    • FIREWALL
    • ANTIVIRUS
    • ANTI-RANSOMWARE
    • MULTI-FACTOR AUTHENTICATION
    • AP-JOURNAL
    • DB-GATE
    • FILESCOPE
    • COMPLIANCE MANAGER
    • FIELD ENCRYPTION

    Learn about iSecurity Products at https://www.razlee.com/isecurity-products/

    Share this:

    • Reddit
    • Facebook
    • LinkedIn
    • Twitter
    • Email

    Sponsored Links

    Sirius Computer Solutions:  A comprehensive, cost-effective cloud solution for IBM i users
    BCD:  FREE Webinar: Making the Business Case for Web Enabling Your Green Screens. Nov 1
    ITJ Bookstore:  Bookstore BLOWOUT!! Up to 50% off all titles! Everything must go! Shop NOW

    IT Jungle Store Top Book Picks

    Bookstore Blowout! Up to 50% off all titles!

    The iSeries Express Web Implementer's Guide: Save 50%, Sale Price $29.50
    The iSeries Pocket Database Guide: Save 50%, Sale Price $29.50
    Easy Steps to Internet Programming for the System i: Save 50%, Sale Price $24.97
    The iSeries Pocket WebFacing Primer: Save 50%, Sale Price $19.50
    Migrating to WebSphere Express for iSeries: Save 50%, Sale Price $24.50
    Getting Started with WebSphere Express for iSeries: Save 50%, Sale Price $24.50
    The All-Everything Operating System: Save 50%, Sale Price $17.50
    The Best Joomla! Tutorial Ever!: Save 50%, Sale Price $9.98

    Watson Gets Schooled By College Students And Professors IBM i Top Concerns: Build Skills, Add High Availability, Serve Users

    Leave a Reply Cancel reply

Volume 12, Number 26 -- October 31, 2012
THIS ISSUE SPONSORED BY:

ProData Computer Services
WorksRight Software
Adsero Optima

Table of Contents

  • Running IBM i Access 7.1 and Windows 8
  • Data Structures Make Good Status Parameters
  • Changing Sub Tree Authorities In An IFS Folder

Content archive

  • The Four Hundred
  • Four Hundred Stuff
  • Four Hundred Guru

Recent Posts

  • Security Still Top Concern, IBM i Marketplace Study Says
  • Bob Langieri Shares IBM i Career Trends Outlook for 2023
  • Kisco Brings Native SMS Messaging to IBM i
  • Four Hundred Monitor, February 1
  • 2023 IBM i Predictions, Part 4
  • Power Systems Did Indeed Grow Revenues Last Year
  • The IBM Power Trap: Three Mistakes That Leave You Stuck
  • Big Blue Decrees Its 2023 IBM Champions
  • As I See It: The Good, the Bad, And The Mistaken
  • IBM i PTF Guide, Volume 25, Number 5

Subscribe

To get news from IT Jungle sent to your inbox every week, subscribe to our newsletter.

Pages

  • About Us
  • Contact
  • Contributors
  • Four Hundred Monitor
  • IBM i PTF Guide
  • Media Kit
  • Subscribe

Search

Copyright © 2022 IT Jungle

loading Cancel
Post was not sent - check your email addresses!
Email check failed, please try again
Sorry, your blog cannot share posts by email.