The Integrated File System APIs include some powerful security functions that form the basis for this installment of APIs by Example. In this article, I will present the Override Group Profile (OVRGRPPRF) command.
The purpose of the OVRGRPPRF command is to provide an easy, controllable way to grant temporary access to objects that, due to security procedures or audit requirements, someone might not normally have. For example, a programmer might be given temporary access to a file to fix a problem with the system.
Providing this authorization by means of a group profile offers some advantages over alternative methods because the true identity of the user actually running the job is preserved. The job’s current user profile remains the same. Only the primary group is replaced.
Another advantage of this approach is the ability to exclude a user profile that inherits a group profile’s *ALLOBJ special authority from accessing certain objects using the regular object authorization facilities.
A user profile that, itself, has *ALLOBJ authority is able to access any object on the system. When *ALLOBJ special authority is detected in the current user profile, the system’s object authorization lookup algorithm grants access immediately, bypassing all other authority checks.
Since private authorities to an object are evaluated prior to the group authority, a user profile having *EXCLUDE private authority to an object will not be able to access that object, even if the user’s group has *ALLOBJ special authority. The authorization lookup process never reaches the step where group authority is checked because it terminates as soon as it finds that the private authority is excluded.
Therefore, you will be able to prevent a given user profile from accessing a command or object, even if the group has *ALLOBJ authority, by setting the user’s authority to *EXCLUDE.