Authorization question [Archive] - CNX Corporation Support and Information Forums

View Full Version : Authorization question

rclay

09-09-2009, 01:17 PM

Installed Valence 2.0 RC2 this morning. We want to use the System i authentication so that we don't have multiple logins to maintain.

I set up the Apache server instance with:

# login method (can be VALENCE, SYSTEMI or SPECIAL)
#SetEnv LOGIN_METHOD VALENCE
SetEnv LOGIN_METHOD SYSTEMI
PassEnv LOGIN_METHOD

# Override CGI job to System i user active
#SetEnv OVERRIDE_JOB_USER N
SetEnv OVERRIDE_JOB_USER Y
PassEnv OVERRIDE_JOB_USER

Stopped and re-started the server.

When I attempt to set up a new Valence user, I don't see a field for the System i User Profile and I get this message when saving:

Profile QTMHHTP1 Needs *USE Authority to this User Profile

In order for Valence jobs to run with the authority of this
user profile, profile QTMHHTP1 requires *USE authority to
user xxxxxxxx. Would you like Valence to automatically
grant this authority to the profile now? Click Yes to add the
authority or No to skip.

Yes No

How should I answer this question? The Valence manual is a bit ambiguous.

Should I have used SPECIAL instead?

Thanks in advance for any help.

Robert

richard.milone

09-09-2009, 01:32 PM

If you want to use the SYSTEMI login method you must answer Yes to that message when creating a profile. This automatically gives *USE authority of the profile to QTMHHTP1. You can of course answer No to this message as long as you give *USE authority to the profile in some other manner, like through an authorization list.

The *USE authority is required because the Apache CGI jobs stay running constantly and must handle requests from multiple logins at random. So on each call the CGI job must be switched by Valence (through VVCALL) to the correct user profile. It uses IBM i APIs to perform this function and it requires that the current profile of the job (QTMHHTP1) have *USE authority to the profile it's switching to.

rclay

09-09-2009, 01:46 PM

Okay. I can do that.

But shouldn't there be some way to link the Valence user to the System i user profile? I saw it for the first Valence user that I created (before switching the authentication method and locking out vvadmin) but I don't see it for subsequent users.

Thanks,
Robert

richard.milone

09-09-2009, 01:53 PM

When in SYSTEMI mode, the Valence user IS the System i user so there wouldn't be a cross reference. When you switch to SYSTEMI mode, the vvadmin profile becomes useless, unless you create a VVADMIN user on your System i.