IBM Support

SI49837 - IMAGEPLUS-INCORROUT PROPAGATION OF AUTHORITY LIST ON OBJECTS

PTF (Program Temporary Fixes) Cover letter



Abstract

IMAGEPLUS-INCORROUT PROPAGATION OF AUTHORITY LIST ON OBJECTS


Pre/Co-Requisite PTF / Fix List

REQ  LICENSED      PTF/FIX  LEVEL
TYPE PROGRAM  REL  NUMBER   MIN/MAX  OPTION
---- -------- ---  -------  -------  ------
DIST 5722VI1  530  SI28249   NONE     0001
DIST 5722VI1  530  SI28301   NONE     0001



NOTICE:
-------
Application of this PTF may disable or render ineffective programs that
use system memory addresses not generated by the IBM translator,
including programs that circumvent control technology designed to limit
interactive capacity to purchased levels.  This PTF may be a prerequisite
for future PTFs.  By applying this PTF you authorize and agree to the
foregoing.

This PTF is subject to the terms of the license agreement which
accompanied, or was contained in, the Program for which you are obtaining
the PTF.  You are not authorized to install or use the PTF except as part
of a Program for which you have a valid Proof of Entitlement.

SUBJECT TO ANY WARRANTIES WHICH CAN NOT BE EXCLUDED OR EXCEPT AS EXPLICITLY
AGREED TO IN THE APPLICABLE LICENSE AGREEMENT OR AN APPLICABLE SUPPORT
AGREEMENT, IBM MAKES NO WARRANTIES OR CONDITIONS EITHER EXPRESS OR IMPLIED,
INCLUDING BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OR CONDITIONS OF
MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, AND NON INFRINGEMENT,
REGARDING THE PTF.

The applicable license agreement may have been provided to you in printed
form and/or may be viewed using the Work with Software Agreements (WRKSFWAGR)
CL command.





APAR Error Description / Circumvention

-----------------------------------------------
When an authorization list is on an IFS directory/sub-directory
path where CM will write newly scanned or imported objects, the
authorization list is not propagated to (inherited by) the
object if the CM group profile (EKDGROUP, for example) is in the
authorization list with *CHANGE authority. When the object is
created and stored into the directory, the EKD0080 file gets a
record with VICS6052 as the error and, in the error extended
data field, CS00A RTV A09C with the IFS path showing. A09C is
CPFA09C:

Message . . . . : Not authorized to object. Object is &1.
Cause . . . . . : You do not have the correct authority for
                  object &1 or for one of the directories in
                  the object path.

The authorization list will not be on the newly created object,
and *PUBLIC authority will be *RWX rather than the *RX that was
on the directory/sub-directory in sample testing.

The message goes away if the group profile has *ALL authority
in the authorization list, but this is a security exposure to the
customer. The Admin profile (EKDADMIN, for example) does have
*ALL in the authorization list, yet it apparently is not used
for the change required to put the authorization list on the
newly created object.

CORRECTION FOR APAR SE55052 :
-----------------------------
Program EKDRTVDIRI incorrectly propagated directory authorities
when creating new files. The program has been corrected.

CIRCUMVENTION FOR APAR SE55052 :
--------------------------------
None.


Activation Instructions


None.




Special Instructions


********************************************************************
THE FOLLOWING ARE SUPERSEDED SPECIAL INSTRUCTIONS. IF THE SUPERSEDED
PTF HAS ALREADY BEEN APPLIED AND ITS SPECIAL INSTRUCTION FOLLOWED,
IT IS NOT NECESSARY TO FOLLOW THAT SPECIAL INSTRUCTION AGAIN.
********************************************************************

SPECIAL INSTRUCTIONS FOR SUPERSEDED PTF SI36605 :
=================================================

When authorization lists are associated with a CM directory, one of the
functions for CM during import and/or scan is to retrieve the
authorization list and then to assign the authorization list to the
object.  In order for CM to be able to add this security, the
import/scan user must have the following authorities:

1.  The user must have *USE authority to the CHGAUT command.
2.  Minimal Data Authority *X to the root directory.
3.  Data Authority *ALL to the subdirectory and the object.

The user's authority to the subdirectory can be via a group profile or
an authorization list.

If the user does not have the proper authorities, the object will be
stored into CM; however, the authorization list will not be assigned to
the object, and users may have problems displaying the document because
they do not have the proper authorities.

SPECIAL INSTRUCTIONS FOR SUPERSEDED PTF SI28248 :
=================================================

For the Read This First on how to implement permanent Days on DASD, go
to

ftp://ftp.software.ibm.com/as400/products/contentmanager/v530/server/DaysonDASD.readme.doc


Default Instructions

THIS PTF CAN BE APPLIED IMMEDIATE OR DELAYED.



Supersedes

PTF/FIX NO(S).  APAR TITLE LINE
--------------  ------------------------------------------------------------
   SI38723      IMAGEPLUS-INCORROUT PGM EKDRTVDIRI IS SENDING MESSAGES TO QS
   SI36605      OSP-PAR-940XCOM *PUBLIC NOW RECEIVES *RX AUTHORITY TO CM OBJ
   SI35654      IMAGEPLUS OBJECTS CREATED IN DIRECTORY DIDN'T INHERIT THE AU
   SI35392      IMAGEPLUS-INCORROUT BATCH IMPORT DOES NOT PROCESS ALL RECORD
   SI30940      OSP-MSGMCH3601-PAR-940XCOM BATCH IMPORT PROCESS FAILS WITH M
   SI27719      IMAGEPLUS-F/QC2IO-T/EKDOBJIMPP-MSGMCH3601 MCH3601 IN
   SI18441      OSP-PAR EKD-9786 AND FRN6912A ERRORS MAY INTERMITTENTLY OCCU
   SI17708      OSP-PAR CM/400 HOST BATCH IMPORT JOB QVI_IM0101 WRITES DATA
   SI14133      OSP Batch Import does not properly start 10 jobs
   SI10877      OSP-PAR CM/400 BATCH IMPORT PROBLEM W/ SKIPPED RECORD(S) WHE
   SI10877      IMAGEPLUS QIBM_VI_IMP_CREATED USER EXIT: NUMBER OF ATTRIBUTE
   SI10441      OSP Batch Import not properly beginning items on a process
   SI09947      OSP-PAR CORRECT RESULTS NOT PRODUCED WHEN MULTIPLE DIRECTORI
   SI35526      IMAGEPLUS OBJECT BEING DELETED WHEN TARGET PATH DIDN'T EXIST
   SI35497      IMAGEPLUS-INCORROUT CPF1ED7 RECEIVED BY EKDRTVDIRI; DOCUMENT
   SI35161      OSP OBJECTS RETRIEVAL FROM OPTICAL INTO DASD INHERIT THE AUT
   SI34301      IMAGEPLUS-INCORROUT INCORRECT OPTICAL VOLUME IDS IN EKD0310
   SI28248      OSP Allow documents to always remain on DASD
   SI25954      IMAGEPLUS DUTCH LANGUAGE, INDEX CLASS SET FOR AUTO FOLDERING
   SI22373      OSP-PAR KEYFIELD MAY BE REMOVED FROM AN INDEX CLASS PROFILE
   SI15730      IMAGEPLUS OPTICAL RETRIEVE FAILS OR ERROR RC=0629 IS RECEIVE
   SI10753      OSP-PAR user id fields not properly updated in 320 and 322
   SI10753      OSP-PAR delete processor does not work properly.
   SI10753      OSP-PAR Optical batch retrieve processor fails w/ MCH3401.
   SI09965      OSP-PAR Index Class Maintenance working with incorrect file
   SI09965      OSP Optical Distribution, and Optical Store fail due to

Summary Information

System.............................. i
Models..............................
Release............................. V5R3M0
Licensed Program............... 5722VI1
APAR Fixed.......................... SE55052
Superseded by:......................
Recompile........................... N
Library............................. QVI
MRI Feature ........................ NONE
Cum Level........................... C3298710



IBM disclaims all warranties, whether express or implied, including, but not limited to, the implied warranties of merchantability and fitness for a particular purpose. By furnishing this document, IBM grants no licenses to any related patents or copyrights. Copyright © 1996,1997,1998, 1999, 2000, 2001, 2002, 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011, 2012, 2013, 2014, 2015, 2016, 2017, 2018, 2019 IBM Corporation. Any trademarks and product or brand names referenced in this document are the property of their respective owners. Consult the Terms of use link for trademark information.

Document information

More support for: i family

Software version: V5R3M0

Operating system(s): OS/400

Reference #: SI49837

Modified date: 12 June 2013