Authority Collection for Users: Objects in the IFS – Using Authority Collection to Reduce Users’ Authority
What if your service account accesses objects in the IFS? The collection for the profile requires a slightly different configuration. Unlike objects in libraries, where you can be very specific, you can only specify the object types for which you wish to collect the profile’s access. See Figure 6.4.
Figure 6.4: STRAUTCOL for user CWOODBURYT for all directory and stream file objects.
By the way, while I’ve separated out the analysis of which objects a user is accessing in a library versus IFS objects, I did so to make my examples easier. There’s nothing technical stopping you from configuring to collect the access of both at the same time.
The approach for analyzing what’s collected is the same as when the profile accesses objects in libraries, with one exception. You don’t need to eliminate the Authority Collection entries having to do with adopted authority, because adopted authority is ignored by the IFS. As you can see in Figure 6.5, because we could only specify the object types we wanted to collect the access of and not specific paths, we get a lot of what I call “extraneous” entries. While you can check the *PUBLIC authority to be sure, entries for objects in /QIBM* directories can usually be ignored, because they typically represent access that’s provided via *PUBLIC authority.
Figure 6.5: Authority Collection results when profile CWOODBURYT accesses *DIR and *STMF objects.
This SQL gets rid of access via the /QIBM directory and allows you to focus on the *DIR and *STMF objects to which the profile will need to have access granted if *PUBLIC authority won’t be sufficient once *ALLOBJ is removed.
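As an added example (not the book’s own query), this is one way to write that filter against the QSYS2.AUTHORITY_COLLECTION view; it assumes the AUTHORIZATION_NAME, PATH_NAME, OBJECT_TYPE, DETAILED_REQUIRED_AUTHORITY and DETAILED_CURRENT_AUTHORITY columns of that view, and excludes every path that begins with /QIBM:

```sql
-- Added example, not from the original text: list the *DIR and *STMF
-- entries collected for CWOODBURYT, dropping the "extraneous" /QIBM entries
-- so only objects that may need explicit authority remain.
-- Assumes the QSYS2.AUTHORITY_COLLECTION view and the column names below.
SELECT DISTINCT PATH_NAME,
       OBJECT_TYPE,
       DETAILED_REQUIRED_AUTHORITY,   -- what the access check needed
       DETAILED_CURRENT_AUTHORITY     -- what the profile currently has
  FROM QSYS2.AUTHORITY_COLLECTION
 WHERE AUTHORIZATION_NAME = 'CWOODBURYT'
   AND OBJECT_TYPE IN ('*DIR', '*STMF')
   AND PATH_NAME IS NOT NULL             -- IFS entries carry a path
   AND PATH_NAME NOT LIKE '/QIBM%'       -- skip /QIBM* directories
 ORDER BY PATH_NAME, OBJECT_TYPE;
```

Compare the required and current columns for each remaining path: where the current authority would not cover the requirement once *ALLOBJ is removed and *PUBLIC isn’t sufficient, that object needs a CHGAUT grant.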
The other issue with the collection is that the authorities listed aren’t the authorities you’ll have to use on the Change Authority (CHGAUT) command. CHGAUT and any other command that sets authorities on IFS objects use *R (read), *W (write), and *X (execute) for the data authorities.
Here’s a table that will help you translate between the authorities shown in the collection and what you’ll have to set. (*OBJMGT, *OBJEXIST, *OBJALT, and *OBJREF are specified as object authorities for IFS objects and require no translation.)
Table 6.1: Authorities to use on CHGAUT, based on authorities in the Authority Collection.