如何檢查使用者對某一物件事否有權限 ?
APIs BY EXAMPLE: CHECK USER AUTHORITY
In this issue of APIs by Example, Carsten Flensburg demonstrates checking a
user's authority to an object.
The first sample program is called CBX5031. It checks to see if a given user
has private authority to an object, such as that provided when a user is
listed in an authorization list. It does not check other sources of
authority.
Here's an example that calls CBX5031 from an ILE RPG program to see if a
user has *ALL authority to object MYLIBRARY/MYOBJECT via an authorization
list:
C Call 'CBX5031'
C Parm 'MYOBJECT' PxObjNam
C Parm 'MYLIBRARY' PxObjLib
C Parm '*AUTL' PxObjTyp
C Parm 'MYUSERID' PxUsrPrf
C Parm '*ALL' PxAut
C Parm PxRtnCod
C if PxRtnCod = '1'
C*** user has authority.
C else
C*** user does not have authority.
C endif
The second sample program is called CBX5032. It checks to see if a given
user has authority to an object. All means of providing authority are taken
into account, including group profiles, adopted authority, *PUBLIC, *ALLOBJ,
and authorization lists.
Here's an example that calls CBX5032 from an ILE RPG program to see if a
user has *USE authority to MYPGM, which is a program that's located in his
library list:
C Call 'CBX5032'
C Parm 'MYPGM' PxObjNam
C Parm '*LIBL' PxObjLib
C Parm '*PGM' PxObjTyp
C Parm 'MYUSERID' PxUsrPrf
C Parm '*USE' PxAut
C Parm PxRtnCod
C if PxRtnCod = '1'
C*** user has authority.
C else
C*** user does not have authority.
C endif
A third sample program, CBX503T, is provided as a demonstration of making
calls to CBX5031 and CBX5032.
The following APIs are demonstrated in this article:
Retrieve User Authority to Object (QSYRUSRA)
http://publib.boulder.ibm.com/iseries/v5r2/ic2924/info/apis/qsyrusra.htm
List Users Authorized to Object (QSYLUSRA)
http://publib.boulder.ibm.com/iseries/v5r2/ic2924/info/apis/qsylusra.htm
You can download the sample code for this article from
http://www.iseriesnetwork.com/noderesources/code/clubtechcode/ChkUsrAut.zip
The above source code was written by Carsten Flensburg. For questions
regarding this tip, contact Carsten at mailto:flensburg@novasol.dk
CBX5031.RPGLE
**
** Program . . : CBX5031
** Description : Check private authority
** Author . . : Carsten Flensburg
** Published . : Club Tech iSeries Programming Tips Newsletter
** Date . . . : April 15, 2004
**
**
** Program summary
** ---------------
**
** Parameters:
** INPUT PxObjNam Object name, the object for which to
** check the specified authorization level.
**
** INPUT PxObjLib Object library.
**
** INPUT PxObjTyp Object type.
**
** INPUT PxAut Authorization level to check for.
**
** Valid values:
** *ALL
** *CHANGE
** *USE
** *EXCLUDE
** *AUTLMGT
**
** INPUT PxUsrPrf Name of user profile having it's
** authority checked.
**
** Special values:
** *CURRENT The user currently running
** the job.
**
** *PUBLIC The public authority for
** the specified object is
** checked.
**
** OUTPUT PxRtnCod A boolean value indicating the result
** of the requested action.
**
** Valid return codes:
** 0 = Authority level not found
** 1 = Authority level found
**
** Security API:
** QSYLUSRA List users authorized Creates a list of users having a
** to object private authority to the object
** specified. The list is put into
** a user space.
**
** Object - User space APIs:
** QUSCRTUS Create user space Creates a user space in either
** user domain or system domain.
** Only user domain user spaces are
** accessible by the user space APIs.
**
** QUSDLTUS Delete user space Deletes the user space specified.
**
** QUSPTRUS Retrieve pointer to The address of the first byte
** user space of the storage allocated by the
** user space requested is returned.
**
**
** Programmer's notes:
** This program checks if a user holds a private authorization of
** the specified level to an object. No other authorization sources
** are taken into account during the authorization check.
**
**
** Compile options:
**
** CrtRpgMod Module( CBX5031 ) DbgView( *LIST )
**
** CrtPgm Pgm( CBX5031 )
** Module( CBX5031 )
**
** **
**-- Header specifications: --------------------------------------------**
H Option( *SrcStmt )
**-- System information: -----------------------------------------------**
D PgmSts SDs
D PsJobUsr 10a Overlay( PgmSts: 254 )
D PsCurUsr 10a Overlay( PgmSts: 358 )
**-- Global variables: -------------------------------------------------**
D Idx s 10i 0
**-- API error data structure: -----------------------------------------**
D ApiError Ds
D AeBytPro 10i 0 Inz( %Size( ApiError ))
D AeBytAvl 10i 0 Inz
**-- Create User Space Parameter: --------------------------------------**
D CuUsrSpcQ Ds
D CuUsrSpcNam 10 Inz( 'AUTLST ' )
D CuUsrSpcLib 10 Inz( 'QTEMP ' )
**-- Entry format USRA0100: --------------------------------------------**
D USRA0100 Ds Based( pLstEnt )
D U1UsrPrf 10a
D U1AutVal 10a
D U1AutLstMgt 1a
D U1ObjOpr 1a
D U1ObjMgt 1a
D U1ObjExs 1a
D U1DtaRead 1a
D U1DtaAdd 1a
D U1DtaUpd 1a
D U1DtaDlt 1a
D U1DtaExe 1a
D 10a
D U1ObjAlt 1a
D U1ObjRef 1a
**-- API format USRA0100: Header information: --------------------------**
D HdrInf Ds Based( pHdrInf )
D HiObjNam 10a
D HiLibNam 10a
D HiObjTyp 10a
D HiOwnNam 10a
D HiAutL 10a
D HiPriGrp 10a
D HiFldAut 1a
D HiAspDevLib 10a
D HiAspDevObj 10a
**-- User Space Generic Header: ---------- -----------------------------**
D UsrSpc Ds Based( pUsrSpc )
D UsOfsHdr 10i 0 Overlay( UsrSpc: 117 )
D UsOfsLst 10i 0 Overlay( UsrSpc: 125 )
D UsNumLstEnt 10i 0 Overlay( UsrSpc: 133 )
D UsSizLstEnt 10i 0 Overlay( UsrSpc: 137 )
**-- Pointers: ---------------------------------------------------------**
D pUsrSpc s * Inz( *Null )
D pHdrInf s * Inz( *Null )
D pLstEnt s * Inz( *Null )
**-- List authorized users: --------------------------------------------**
D LstAutUsr Pr ExtPgm( 'QSYLUSRA' )
D LaSpcNamQ 20a Const
D LaFmtNam 8a Const
D LaObjNamQ 20a Const
D LaObjTyp 10a Const
D LaError 32767a Options( *VarSize )
D LaAspDev 10a Options( *NoPass )
**-- Create user space: -------------------------------------------------**
D CrtUsrSpc Pr ExtPgm( 'QUSCRTUS' )
D CsSpcNamQ 20a Const
D CsExtAtr 10a Const
D CsInzSiz 10i 0 Const
D CsInzVal 1a Const
D CsPubAut 10a Const
D CsText 50a Const
**
D CsReplace 10a Const Options( *NoPass )
D CsError 32767a Options( *NoPass: *VarSize )
**
D CsDomain 10a Const Options( *NoPass )
**
D CsTfrSizRqs 10i 0 Const Options( *NoPass )
D CsOptSpcAlg 1a Const Options( *NoPass )
**-- Retrieve pointer to user space: ------------------------------------**
D RtvPtrSpc Pr ExtPgm( 'QUSPTRUS' )
D RpSpcNamQ 20a Const
D RpPointer *
D RpError 32767a Options( *NoPass: *VarSize )
**-- Delete user space: -------------------------------------------------**
D DltUsrSpc Pr ExtPgm( 'QUSDLTUS' )
D DsSpcNamQ 20a Const
D DsError 32767a Options( *VarSize )
**-- Parameters: -------------------------------------------------------**
D PxObjNam s 10a
D PxObjLib s 10a
D PxObjTyp s 10a
D PxUsrPrf s 10a
D PxAut s 10a
D PxRtnCod s n
**
C *Entry Plist
C Parm PxObjNam
C Parm PxObjLib
C Parm PxObjTyp
C Parm PxUsrPrf
C Parm PxAut
C Parm PxRtnCod
**
**-- Mainline: ---------------------------------------------------------**
**
C Eval PxRtnCod = *Off
**
C If PxUsrPrf = '*CURRENT'
C Eval PxUsrPrf = PsCurUsr
C EndIf
**
C CallP CrtUsrSpc( CuUsrSpcQ
C : *Blanks
C : 65535
C : x'00'
C : '*CHANGE'
C : *Blanks
C : '*YES'
C : ApiError
C )
**
C CallP LstAutUsr( CuUsrSpcQ
C : 'USRA0100'
C : PxObjNam + PxObjLib
C : PxObjTyp
C : ApiError
C )
**
C If AeBytAvl = *Zero
**
C CallP RtvPtrSpc( CuUsrSpcQ
C : pUsrSpc
C )
**
C ExSr ChkUsrAut
C EndIf
**
C CallP DltUsrSpc( CuUsrSpcQ
C : ApiError
C )
**
C Return
**
**-- Check user authority: ---------------------------------------------**
C ChkUsrAut BegSr
**
C Eval pHdrInf = pUsrSpc + UsOfsHdr
C Eval pLstEnt = pUsrSpc + UsOfsLst
**
C For Idx = 1 to UsNumLstEnt
**
C If U1UsrPrf = PxUsrPrf
C ExSr ChkAutVal
**
C Leave
C EndIf
**
C If Idx < UsNumLstEnt
C Eval pLstEnt = pLstEnt + UsSizLstEnt
C EndIf
C EndFor
**
C EndSr
**-- Check authority value: --------------------------------------------**
C ChkAutVal BegSr
**
C Select
C When PxAut = '*ALL ' And
C U1AutVal = '*ALL '
**
C Eval PxRtnCod = *On
**
C When PxAut = '*CHANGE ' And
C U1ObjOpr = 'Y' And
C U1DtaRead = 'Y' And
C U1DtaAdd = 'Y' And
C U1DtaUpd = 'Y' And
C U1DtaDlt = 'Y' And
C U1DtaExe = 'Y'
**
C Eval PxRtnCod = *On
**
C When PxAut = '*USE ' And
C U1ObjOpr = 'Y' And
C U1DtaRead = 'Y' And
C U1DtaExe = 'Y'
**
C Eval PxRtnCod = *On
**
C When PxAut = '*AUTLMGT ' And
C U1AutLstMgt = 'Y'
**
C Eval PxRtnCod = *On
**
C When PxAut = '*EXCLUDE ' And
C U1AutVal = '*EXCLUDE '
**
C Eval PxRtnCod = *On
C EndSl
**
C EndSr
CBX5032.RPGLE
**
** Program . . : CBX5032
** Description : Check object authority
** Author . . : Carsten Flensburg
** Published . : Club Tech iSeries Programming Tips Newsletter
** Date . . . : April 15, 2004
**
**
** Program summary
** ---------------
**
** Parameters:
** INPUT PxObjNam Object name, the object for which to
** check the specified authorization level.
**
** INPUT PxObjLib Object library.
**
** INPUT PxObjTyp Object type.
**
** INPUT PxAut Authorization level to check for.
**
** Valid values:
** *ALL
** *CHANGE
** *USE
** *EXCLUDE
** *AUTLMGT
**
** INPUT PxUsrPrf Name of user profile having it's
** authority checked.
**
** Special values:
** *CURRENT The user currently running
** the job.
**
** *PUBLIC The public authority for
** the specified object is
** checked.
**
** OUTPUT PxRtnCod A boolean value indicating the result
** of the requested action.
**
** Valid return codes:
** 0 = Authority level not found
** 1 = Authority level found
**
** Security API:
** QSYRUSRA Retrieve user Returns a specific user's
** authority to object authority for the specified
** object.
**
**
** Programmer's notes:
** This program checks if a user has the specified authority to an
** object. All authorization sources are taken into account during
** the authorization check (group profile(s), adopted authority as
** well as authorization lists, public and *ALLOBJ authority).
**
** The actual source of authority is specified in the returned data
** structure subfield 'U1AutSrc' as a 2-letter code. Please check
** the Security API manual for the details. It can be found online
** here:
**
** http://publib.boulder.ibm.com/iseries/v5r2/ic2924/info/apis/qsyrusra.htm
**
**
** Compile options:
**
** CrtRpgMod Module( CBX5032 ) DbgView( *LIST )
**
** CrtPgm Pgm( CBX5032 )
** Module( CBX5032 )
**
**
**-----------------------------------------------------------------------**
** Revised . : 00.00.0000
** by . . . :
** Reference :
** Changes . :
**
**-- Header specifications: --------------------------------------------**
H Option( *SrcStmt )
**-- Api Error: --------------------------------------------------------**
D ApiError Ds
D AeBytPrv 10i 0 Inz( %Size( ApiError ))
D AeBytAvl 10i 0
D AeMsgId 7a
D 1a
D AeMsgDta 128a
**-- Receiver format USRA0100: -----------------------------------------**
D USRA0100 Ds
D U1BytRtn 10i 0
D U1BytAvl 10i 0
D U1ObjAut 10a
D U1AutLstMgt 1a
D U1ObjOpr 1a
D U1ObjMgm 1a
D U1ObjExs 1a
D U1DtaRead 1a
D U1DtaAdd 1a
D U1DtaUpd 1a
D U1DtaDlt 1a
D U1AutLst 10a
D U1AutSrc 2a
D U1AdpAut 1a
D U1AdpObjAut 10a
D U1AdpAutLstMg 1a
D U1AdpObjOpr 1a
D U1AdpObjMgm 1a
D U1AdpObjExs 1a
D U1AdpDtaRead 1a
D U1AdpDtaAdd 1a
D U1AdpDtaUpd 1a
D U1AdpDtaDlt 1a
D U1AdpDtaExe 1a
D 10a
D U1AdpObjAlt 1a
D U1AdpObjRef 1a
D 10a
D U1DtaExe 1a
D 10a
D U1ObjAlt 1a
D U1ObjRef 1a
D U1AspDevLib 10a
D U1AspDevObj 10a
**-- Retrieve user authority to object: --------------------------------**
D RtvUsrAut Pr ExtPgm( 'QSYRUSRA' )
D RuRcvVar Like( USRA0100 )
D RuRcvVarLen 10i 0 Const
D RuFmtNam 8a Const
D RuUsrPrf 10a Const
D RuObjNamQ 20a Const
D RuObjTyp 10a Const
D RuError 32767a Options( *VarSize )
D RuAspDev 10a Options( *NoPass )
**-- Parameters: -------------------------------------------------------**
D PxObjNam s 10a
D PxObjLib s 10a
D PxObjTyp s 10a
D PxUsrPrf s 10a
D PxAut s 10a
D PxRtnCod s n
**
C *Entry Plist
C Parm PxObjNam
C Parm PxObjLib
C Parm PxObjTyp
C Parm PxUsrPrf
C Parm PxAut
C Parm PxRtnCod
**
**-- Mainline: ---------------------------------------------------------**
**
C Eval PxRtnCod = *Off
**
C CallP RtvUsrAut( USRA0100
C : %Size( USRA0100 )
C : 'USRA0100'
C : PxUsrPrf
C : PxObjNam + PxObjLib
C : PxObjTyp
C : ApiError
C )
**
C If AeBytAvl = *Zero
**
C Select
C When PxAut = '*ALL ' And
C U1ObjAut = '*ALL '
**
C Eval PxRtnCod = *On
**
C When PxAut = '*CHANGE ' And
C U1ObjOpr = 'Y' And
C U1DtaRead = 'Y' And
C U1DtaAdd = 'Y' And
C U1DtaUpd = 'Y' And
C U1DtaDlt = 'Y' And
C U1DtaExe = 'Y'
**
C Eval PxRtnCod = *On
**
C When PxAut = '*USE ' And
C U1ObjOpr = 'Y' And
C U1DtaRead = 'Y' And
C U1DtaExe = 'Y'
**
C Eval PxRtnCod = *On
**
C When PxAut = '*AUTLMGT ' And
C U1AutLstMgt = 'Y'
**
C Eval PxRtnCod = *On
**
C When PxAut = '*EXCLUDE ' And
C U1ObjAut = '*EXCLUDE '
**
C Eval PxRtnCod = *On
C EndSl
C EndIf
C
C Return
**
CBX503T.RPGLE
**
** Program . . : CBX503T
** Description : Check authority programs - test
** Author . . : Carsten Flensburg
** Published . : Club Tech iSeries Programming Tips Newsletter
** Date . . . : April 15, 2004
**
** Test setup:
** Please replace the object name, library and type as well as
** user profile and authorization level to check for, to values
** appropriate for your enviroment in the two call examples below
** prior to compiling this test program.
**
**
** Compile options:
**
** CrtRpgMod Module( CBX503T ) DbgView( *LIST )
**
** CrtPgm Pgm( CBX503T )
** Module( CBX503T )
**
**-- Header specifications: --------------------------------------------**
H Option( *SrcStmt )
**-- Send program message: ---------------------------------------------**
D SndPgmMsg Pr ExtPgm( 'QMHSNDPM' )
D SpMsgId 7a Const
D SpMsgFq 20a Const
D SpMsgDta 128a Const
D SpMsgDtaLen 10i 0 Const
D SpMsgTyp 10a Const
D SpCalStkE 10a Const Options( *VarSize )
D SpCalStkCtr 10i 0 Const
D SpMsgKey 4a
D SpError 10i 0 Const
**-- Send completion message: ------------------------------------------**
D SndCmpMsg Pr 10i 0
D PxMsgDta 512a Const Varying
**-- Program parameters: -----------------------------------------------**
D PxObjNam s 10a
D PxObjLib s 10a
D PxObjTyp s 10a
D PxUsrPrf s 10a
D PxAut s 10a
D PxRtnCod s n
**
**-- Check private authority:
**
C Call 'CBX5031'
C Parm 'QPWFSERVER' PxObjNam
C Parm 'QSYS' PxObjLib
C Parm '*AUTL' PxObjTyp
C Parm 'QSYS' PxUsrPrf
C Parm '*ALL' PxAut
C Parm PxRtnCod
**
C If PxRtnCod = '1'
**
C CallP SndCmpMsg( 'User profile ' +
C %TrimR( PxUsrPrf ) +
C ' has private authority ' +
C %TrimR( PxAut ) +
C ' to object ' +
C %TrimR( PxObjNam ) +
C '.'
C )
**
C Else
C CallP SndCmpMsg( 'User profile ' +
C %TrimR( PxUsrPrf ) +
C ' did not have ' +
C 'private authority ' +
C %TrimR( PxAut ) +
C ' to object ' +
C %TrimR( PxObjNam ) +
C '.'
C )
C EndIf
**
**-- Check object authority:
**
C Call 'CBX5032'
C Parm 'QCMD' PxObjNam
C Parm '*LIBL' PxObjLib
C Parm '*PGM' PxObjTyp
C Parm '*PUBLIC' PxUsrPrf
C Parm '*USE' PxAut
C Parm PxRtnCod
**
C If PxRtnCod = '1'
**
C CallP SndCmpMsg( 'User profile ' +
C %TrimR( PxUsrPrf ) +
C ' has object authority ' +
C %TrimR( PxAut ) +
C ' to object ' +
C %TrimR( PxObjNam ) +
C '.'
C )
**
C Else
C CallP SndCmpMsg( 'User profile ' +
C %TrimR( PxUsrPrf ) +
C ' did not have ' +
C 'object authority ' +
C %TrimR( PxAut ) +
C ' to object ' +
C %TrimR( PxObjNam ) +
C '.'
C )
C EndIf
**
C Eval *InLr = *On
C Return
**
**-- Send completion message: ------------------------------------------**
P SndCmpMsg B
D Pi 10i 0
D PxMsgDta 512a Const Varying
**
D MsgKey s 4a
**
C CallP(e) SndPgmMsg( 'CPF9897'
C : 'QCPFMSG *LIBL'
C : PxMsgDta
C : %Len( PxMsgDta )
C : '*COMP'
C : '*PGMBDY'
C : 1
C : MsgKey
C : *Zero
C )
**
C If %Error
C Return -1
**
C Else
C Return 0
C EndIf
**
P SndCmpMsg E
星期一, 11月 06, 2023
2004-04-21 如何檢查使用者對某一物件事否有權限 ?
訂閱:
張貼留言 (Atom)
沒有留言:
張貼留言