IBM Power Ideas Portal



Status Not under consideration
Workspace IBM i
Created by Guest
Created on Nov 2, 2020

Set owner of files created in IFS to group profile (IFS security)

(I know this is old and might interfere with POSIX APIs, but it is still important.)

When a user profile has grpprf(someprf) owner(*grpprf) and creates an object in the IFS (e.g. with CPYTOIMPF), the IFS file has owner (theprofile) and primary group (the grpprofile). So the storage used is not added to the group profile but to the user profile, which sometimes does impact storage restrictions for group profiles.

A CHGOWN NEWOWN(grpprf) on this file is rejected with CPFA0A2 as soon as "grpprf" is the group profile for any user profile (IIRC due to POSIX API). In my opinion this should be changed or at least allowed, as the group profile is nothing more than a storage-holding user profile in that case.

There is a very annoying workaround:

a) Create the object
b) Find the group profile for the current user profile
c) CHGPGP NEWPGP(*none)
d) CHGOWN NEWOWN(grpprf)

but this can be annoying in CL programs, as one must first find the group profile and then run c) and d).


Use Case:

To be consistent with owner handling on QSYS.LIB objects, the IFS interface should be adjusted to do the same ownership handling.


Idea priority Medium
  • Guest
    Dec 23, 2020

    Thanks for your comments, which are what I somewhat expected, as this would make a very deep change. But I can use this to discuss security and authority issues with customers who try to transform the "group profile" thinking from QSYS.LIB to other parts of the IFS - mostly some software companies...

  • Guest
    Dec 17, 2020

    Thank you for submitting this request.

    As you stated, your request directly conflicts with the POSIX semantics enforced by the file system, which state that a new object's owner shall be the effective user ID of the process. Changing the way we operate in this regard would lead to failures in many current applications and impede migration of applications to our platform. Therefore, we must decline this request.

    However, you do have more control over the primary group assigned to new objects and this could help you eliminate step (c) of the workaround you described. The following is the help text for the "Set effective group ID" attribute from the Display Attributes (DSPATR) command:

    Set effective group ID
    Set effective group ID (GID) at execution time. The possible values
    are as follows:

    Yes
    If the object is a file, the group ID (GID) is set at execution
    time. If the object is a directory, the group ID (GID) of
    objects created in the directory is set to the GID of the parent
    directory.

    No
    If the object is a file, the group ID (GID) is not set at
    execution time. If the object is a directory in the "root" (/),
    QOpenSys, and user-defined file systems, the group ID (GID) of
    objects created in the directory is set to the effective GID of
    the thread creating the object. This value cannot be set for
    other file systems.

    By setting the parent directory's primary group to *NONE and setting the "Set effective group ID" attribute for the parent directory to 'Yes', new objects will be created in the directory with no primary group assigned. Therefore, you will not have to use the Change Primary Group (CHGPGP) command to set the group to *NONE before changing the owner of the object to the desired value.

    As you also note, you cannot set the owner and the primary group of an object to be the same user profile. This is a system-wide restriction and applies to all objects and interfaces, not just file system objects and interfaces. The file system cannot change or bypass this restriction, so we must also decline this portion of the request.
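The shortened workaround from the reply above, written out as a CL program. This is an example added here, not code from the thread or from IBM; the directory `/home/exports`, the stream file name and `MYLIB/MYFILE` are hypothetical, and the caller is assumed to hold the authority CHGPGP, CHGATR and CHGOWN require.

```cl
/* Added example: paths, library and file names are hypothetical.     */
PGM
  DCL VAR(&GRP) TYPE(*CHAR) LEN(10)

  /* One-time setup of the parent directory (can be run once, outside */
  /* the program): no primary group, and "Set effective group ID" =   */
  /* Yes so that new objects take the directory's (empty) group.      */
  CHGPGP OBJ('/home/exports') NEWPGP(*NONE)
  CHGATR OBJ('/home/exports') ATR(*SETGID) VALUE(*YES)

  /* Step (a): create the object. Per the POSIX rule quoted in the    */
  /* reply, its owner is the effective user of the job; with the      */
  /* setup above its primary group is *NONE.                          */
  CPYTOIMPF FROMFILE(MYLIB/MYFILE) +
            TOSTMF('/home/exports/export.csv') +
            MBROPT(*REPLACE) RCDDLM(*CRLF)

  /* Step (b): find the group profile of the current user.            */
  RTVUSRPRF USRPRF(*CURRENT) GRPPRF(&GRP)
  IF COND(&GRP *EQ '*NONE') THEN(RETURN) /* no group: keep owner      */

  /* Step (d): hand ownership (and the storage charge) to the group   */
  /* profile. Step (c) is no longer needed. RVKOLDAUT(*YES) removes   */
  /* the creating user's owner authority; access then comes through   */
  /* group membership.                                                */
  CHGOWN OBJ('/home/exports/export.csv') NEWOWN(&GRP) RVKOLDAUT(*YES)

  /* CPFA0A2 is the rejection reported in the original post when the  */
  /* file still has the group profile as its primary group, i.e. the  */
  /* directory setup above was not in effect.                         */
  MONMSG MSGID(CPFA0A2) EXEC(DO)
    SNDPGMMSG MSG('CHGOWN rejected: check primary group of file')
  ENDDO
ENDPGM
```

Because ownership changes move object authority, review the directory's own authorities as well: anyone who can create files in `/home/exports` produces objects that end up owned by the group profile.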

  • Guest
    Nov 9, 2020

    Due to processing by IBM, this request was reassigned to have the following updated attributes:
    Brand - Servers and Systems Software
    Product family - Power Systems
    Product - IBM i
    Component - IFS (Integrated File System) and Servers
    Operating system - IBM i
    Source - Client

    For record keeping, the previous attributes were:
    Brand - Servers and Systems Software
    Product family - Power Systems
    Product - IBM i
    Component - Core OS
    Operating system - IBM i
    Source - Client