In the previous installment of APIs by Example, I presented the
Override Group Profile (OVRGRPPRF) command, which enables a temporary
change of a job’s current group profile. To control when and for how
long to make the OVRGRPPRF command available, the command includes an
authorization code parameter that is to be requested from a security
To allow a security administrator to issue an authorization code, the
Add Profile Authorization Code (ADDPRFAUT) command is provided, and
with this week’s version of the OVRGRPPRF command, no user will be
able to run that command without an authorization code.
The new version of the OVRGRPPRF command further addresses two issues
that emerged after publication:
- At security level 40 and above, the command’s “hidden” profile
token parameter would be passed by value the first time the OVRGRPPRF
command was run in a job, causing the command to fail. (However, any
further attempts would succeed.) The passing of the profile token
parameter has been changed and is now performed by means of a
temporary user space.
- In the event that the OVRGRPPRF command was run by a user profile
that had OWNER(*GRPPRF) specified, the system would not allow a change
of the effective group profile, so the command would fail.
By temporarily adding the original group profile to the current job’s
array of supplemental groups, it was possible to address this problem
on systems running V5R2 or later. (Thank you Jean-Marie Sauvageot for
reporting these issues.)