ibm-information-center/dist/eclipse/plugins/i5OS.ic.rzamv_5.4.0.1/rzamvmenutransition.htm

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE html
  PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html lang="en-us" xml:lang="en-us">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<meta name="security" content="public" />
<meta name="Robots" content="index,follow" />
<meta http-equiv="PICS-Label" content='(PICS-1.1 "http://www.icra.org/ratingsv02.html" l gen true r (cz 1 lz 1 nz 1 oz 1 vz 1) "http://www.rsac.org/ratingsv01.html" l gen true r (n 0 s 0 v 0 l 0) "http://www.classify.org/safesurf/" l gen true r (SS~~000 1))' />
<meta name="DC.Type" content="task" />
<meta name="DC.Title" content="Example: Change the menu control environment" />
<meta name="abstract" content="In this example, you are changing the menu control environment for the Order Entry (OEMENU) menu and the associated files and programs." />
<meta name="description" content="In this example, you are changing the menu control environment for the Order Entry (OEMENU) menu and the associated files and programs." />
<meta name="DC.Relation" scheme="URI" content="rzamvmenusecurity.htm" />
<meta name="copyright" content="(C) Copyright IBM Corporation 2006" />
<meta name="DC.Rights.Owner" content="(C) Copyright IBM Corporation 2006" />
<meta name="DC.Format" content="XHTML" />
<meta name="DC.Identifier" content="menutransition" />
<meta name="DC.Language" content="en-us" />
<!-- All rights reserved. Licensed Materials Property of IBM -->
<!-- US Government Users Restricted Rights -->
<!-- Use, duplication or disclosure restricted by -->
<!-- GSA ADP Schedule Contract with IBM Corp. -->
<link rel="stylesheet" type="text/css" href="./ibmdita.css" />
<link rel="stylesheet" type="text/css" href="./ic.css" />
<title>Example: Change the menu control environment</title>
</head>
<body id="menutransition"><a name="menutransition"><!-- --></a>
<!-- Java sync-link --><script language="Javascript" src="../rzahg/synch.js" type="text/javascript"></script>
<h1 class="topictitle1">Example: Change the menu control environment</h1>
<div><p>In this example, you are changing the menu control environment for the Order Entry (OEMENU) menu and the associated files and programs.</p>
<div class="p">This example starts with the following assumptions and requirements: <ul><li>All of the files are in the library ORDERLIB.</li>
<li>You do not know the names of all the files. You also do not know what authority the menu options require to different files.</li>
<li>The menu and all the programs that it calls are in a library called ORDERPGM.</li>
<li>You want everyone who can sign on to your system to be able to view information in all the order files, customer files, and item files (with queries or spreadsheets, for example).</li>
<li>Only users whose current signon menu is the OEMENU should be able to change the files. They must use the programs on the menu to do this.</li>
<li>System users other than the security administrators do not have *ALLOBJ or *SECADM special authority.</li>
</ul>
 </div>
<div class="section">Perform the following steps to change this menu-access-control environment to accommodate the need for queries:</div>
<ol><li class="stepexpand" id="menutransition__step1"><a name="menutransition__step1"><!-- --></a><span>Make a list of the users whose initial menu is the OEMENU. You can use the Print User Profile (PRTUSRPRF *ENVINFO) command to list the environment for every user profile on your system. The report includes the initial menu, initial program, and current library.</span></li>
<li class="stepexpand"><span>Make sure that the OEMENU object (it may be a *PGM object or a *MENU object) is owned by a user profile that is not used for signon. The user profile should be disabled or have a password of *NONE. For this example, assume that OEOWNER owns the OEMENU program object.</span></li>
<li class="stepexpand"><span>Make sure that the user profile that owns the OEMENU program object is not a group profile. You can use the following command: <kbd class="userinput">DSPUSRPRF USRPRF(OEOWNER) TYPE(*GRPMBR)</kbd></span></li>
<li class="stepexpand"><span>Change the OEMENU program to adopt the authority of the OEOWNER user profile. Use the CHGPGM command to change the USRPRF parameter to *OWNER.</span> *MENU objects  cannot adopt authority. If OEMENU is a *MENU object, you can adapt this example by doing one of the following:<ul><li>Create a program to display the menu.</li>
<li>Use adopted authority for the programs that run when the user selects options from the OEMENU menu.</li>
</ul>
</li>
<li class="stepexpand"><span>Set the public authority to all of the files in ORDERLIB to *USE by typing the following two commands:<kbd class="userinput">RVKOBJAUT OBJ(ORDERLIB/*ALL) OBJTYPE(*FILE) USER(*PUBLIC) AUT(*ALL)</kbd><kbd class="userinput">GRTOBJAUT OBJ(ORDERLIB/*ALL) OBJTYPE(*FILE) USER(*PUBLIC) AUT(*USE)</kbd></span> Remember that if you select *USE authority, users can copy the file by using PC file transfer or FTP.</li>
<li class="stepexpand"><span>Give the profile that owns the menu program *ALL authority to the files by typing the following: <kbd class="userinput">GRTOBJAUT OBJ(ORDERLIB/*ALL) OBJTYPE(*FILE) USER(OEOWNER) AUT(*ALL)</kbd></span> For most applications, *CHANGE authority to files is sufficient. However, your applications may perform functions, such as clearing physical file members, that require more authority than *CHANGE. Eventually, you should analyze your applications and provide only the minimum authority that is necessary for the application. However, during the transition period, by adopting *ALL authority, you avoid application failures that may be caused by insufficient authority.</li>
<li class="stepexpand"><span>Restrict authority to the programs in the order library by typing: <kbd class="userinput">GRTOBJAUT OBJ(ORDERPGM/*ALL) OBJTYPE(*PGM) USER(*PUBLIC) AUT(*EXCLUDE)</kbd></span></li>
<li class="stepexpand"><span>Give the OEOWNER profile authority to the programs in the library by typing: <kbd class="userinput">GRTOBJAUT OBJ(ORDERPGM/*ALL) OBJTYPE(*PGM) USER(OEOWNER) AUT(*USE)</kbd></span></li>
<li class="stepexpand"><span>Give the users that you identified in step 1 authority to the menu program by typing the following for each user: <kbd class="userinput">GRTOBJAUT OBJ(ORDERPGM/OEMENU) OBJTYPE(*PGM) USER(user-profile-name) AUT(*USE)</kbd></span></li>
</ol>
<div class="section">When you have completed these steps, all system users who are not explicitly excluded will be able to access (but not change) the files in the ORDERLIB library. Users who have authority to the OEMENU program will be able to use the programs that are on the menu to update files in the ORDERLIB library. Only users who have authority to the OEMENU program will now be able to change the files in this library. A combination of object security and menu access control protects the files.</div>
<div class="section">When you complete similar steps for all the libraries that contain user data, you have created a simple scheme for controlling database updates. This method prevents system users from updating database files except when they use the approved menus and programs. At the same time, you have made database files available for viewing, analyzing, and copying by users with decision support tools or with links from another system or from a PC.<div class="tip"><span class="tiptitle">Tip:</span> When your system participates in a network, *USE authority may provide more authority than you expect. For example, with FTP, you can make a copy of a file to another system (including a PC) if you have *USE authority to the file.</div>
</div>
</div>
<div>
<div class="familylinks">
<div class="parentlink"><strong>Parent topic:</strong> <a href="rzamvmenusecurity.htm" title="This article discusses the user profile parameters for setting up menu security.">Set up menu security</a></div>
</div>
</div>
</body>
</html>