Oh yeah, its definitely not going to be easy! An authority collection captures a lot of details, but you have to run it either against a user profile (so which ones?) or against objects. It's an interesting requirement.
Original Message:
Sent: Tue March 26, 2024 03:58 PM
From: Robert Berendt
Subject: Retrieving the Various User Profiles for a running Job on IBM i
Well, Bob's looking for the 4 user profiles for a given job during it's runtime.
I'm not saying that the audit journal isn't a possibility. The problem with that is the timing. You have to look for an entry that it is running under adopted authority and ensure there is no matching record that it is no longer running under adopted authority. Some call stacks can be really fluid as to that adopted authority.
Joining the stack_info with the program info from each entry in the stack can be laborious also.
------------------------------
Robert Berendt IBMChampion
Original Message:
Sent: Tue March 26, 2024 02:18 PM
From: Steven Riedmueller
Subject: Retrieving the Various User Profiles for a running Job on IBM i
I think the *ADOPT only shows up because your job is running under adopted authority which is the source of your *ALL authority on the file. Similar thing happens with *GROUP whenever your authority to an object is the result of your membership in a group. I still think the audit journal has the details that you're looking for.
------------------------------
Steven Riedmueller
Certified IBM i Admin
Speaker, Mentor, and Advocate
Original Message:
Sent: Tue March 26, 2024 01:30 PM
From: Robert Berendt
Subject: Retrieving the Various User Profiles for a running Job on IBM i
Here's an odd thing...
EDTF FILE(ROB/QPGMSRC) MBR(DELETEME)
pgm
DSPOBJAUT OBJ(ROB/TEST) OBJTYPE(*FILE)
endpgm
CRTCLPGM PGM(ROB/DELETEME) SRCFILE(ROB/QPGMSRC)
CHGPGM PGM(ROB/DELETEME) USRPRF(*OWNER)
CHGOBJOWN OBJ(ROB/DELETEME) OBJTYPE(*PGM) NEWOWN(ADOPT)
CRTUSRPRF USRPRF(DUMMY) PASSWORD(redacted) -- On supported versions of the os password defaults to *none
Sign on as DUMMY
CALL ROB/DELETEME
Object . . . . . . . : TEST
Library . . . . . : ROB
Object type . . . . : *FILE
Object secured by authorization l
Object
User Group Authority
*ADOPT *ALL
*PUBLIC *EXCLUDE
PROGRAMMER *ALL
ADOPT *ALL
See that *ADOPT? IDK if there's some way to programmatically determine that.
Some of this stuff is available in authority collection like
https://www.ibm.com/docs/en/i/7.5?topic=collection-authority-views
------------------------------
Robert Berendt IBMChampion
Original Message:
Sent: Fri March 22, 2024 12:53 PM
From: Robert Cozzi
Subject: Retrieving the Various User Profiles for a running Job on IBM i
I need to retrieve the up to 4 user Profiles for a given job during runtime.
I know how to get the Job's User and the Current User. The job User is the User who started the job. The Current user is the user that a SWAP USRPRF API was run and is now the current user. But I also need the user profile when the job has run a program that has Adopt authority passed on. So if a (for example) CL program was compiled with OWNER(QPGMR) and USRPRF(*OWNER) it is running at both the current User and the Adopted User (i.e., the owner of the program. I can't find a way to locate that last user. Does anyone know which API it is supposed to return it? I don't think there is one.
For the record, I'm trying to get all 4 of the following:
- User that started the job
- User under which the job is currently running when a SWAP User Profile is done
- User the Job is Adopting Authority from (i.e., the Owner of a *PGM that has USRPRF(*OWNER) for the "run as" attribute.
- User ID for a Client Job running
------------------------------
Robert Cozzi
------------------------------