TAA Tools
PGMADP          PROGRAM ADOPT                          TAAPGOA

The Program  Adopt tool provides  a series of  commands to help  manage
the  programs that  adopt  a user  profile  during the  running  of the
program.   This allows  a review and  approval of these  programs and a
method of monitoring for changes.

To use the tool, you must  first create the required files and  run the
Convert command.   The  Work command lets  you approve a  program after
reviewing  it.  The Display command may  be used periodically to ensure
that all  programs  that were  converted  and  approved have  not  been
changed.

The Convert  command must be  run periodically to  keep the file  up to
date with new programs that adopt.

Only  a user  with  *ALLOBJ special  authority can  use  the CVTPGMADP,
WRKPGMADP, or DSPPGMADP3 commands.

You may have  different PGMADP files  (only one set  per library)  such
as a set  for each application area or  one set for the  entire system.

The  TAATOOL  library  programs   are  implicitly  omitted.    Use  the
CHKTAAAUT  command to  check TAA  programs that  adopt and  the shipped
authorizations.

The system program adopt function
---------------------------------

The system  program adopt function  allows users  to execute a  program
that  performs   functions  that  you  do  not   want  to  specifically
authorize  an end user  to.  For  example, you may have  a program that
clears a member, but only if  certain conditions are met.  Rather  than
allow end users  to be authorized (CLRPFM  requires *OBJMGT authority),
you can  write a program that  ensures the conditions are  met and then
does CLRPFM.    By creating  the  program as  a  user who  has  *OBJMGT
authority, and  specifying USRPRF(*OWNER),  the program adopt  function
will allow clearing  the member if an end user  calls the program.  Not
authorizing  an end user to *OBJMGT  will eliminate the potential error
of the user accidentally or maliciously clearing the member.

The program adopt option exists  on many commands.  It is  specified by
the USRPRF parameter  which defaults to *USER, but  allows *OWNER to be
specified.

*OWNER  means   the  the  program  will  run  under  a  combination  of
authorities.  It  includes both the  user running the  program and  the
owner of the program.   By default, any programs  higher in the program
stack  that  also  specify  USRPRF(*OWNER)  are  also included  in  the
authorization checking.

Thus a  single  program  could  run  with  the  combined  use  of  many
different user profiles.   The major  use of allowing a  program higher
in the  stack to control the authority  to subsequently called programs
is  to  allow a  main program  to adopt  and not  have to  consider the
authorization requirements of the programs it calls.

The function  that allows programs  higher in  the stack to  contribute
to the authorization  checking may be eliminated by the  use of the the
CHGPGM  command.  This  allows the USEADPAUT parameter  which should be
specified as  *NO.   Specifying  *NO  creates  a 'security  wall'  that
prevents programs higher  in the stack from  contributing their adopted
authority  to programs  that are  specified  as USEADPAUT(*NO)  and any
programs that they call.

Using USEADPAUT(*NO) is important if  you have an adopted program  that
calls a  sub-program  that allows  a command  line or  does a  function
such  as WRKOUTQ.   If  a command  line is  available  and the  user is
LMTCPB(*NO),  the end user will be able to  enter commands.  If the end
user is LMTCPB(*YES),  the system will  prevent the user from  entering
a  non-valid command  on a  command line  even with  adopted authority.
However,  if  the owner  of  the  adopted program  has  *JOBCTL special
authority, a  command  such  as WRKOUTQ  will  allow the  end  user  to
operate on all the spooled files displayed.

A  single program  could specify  USRPRF(*OWNER) and  allow the  owners
authority  to be  used  on sub  programs, but  also be  set  to prevent
adoption from  higher  programs  in  the  stack  by  specifying  CHGPGM
USEADPAUT(*NO).   If  you  are creating  a  program that  uses  adopted
authority  that will  have  many  sub-functions that  are  performed in
sub-programs,  the use of USEADPAUT(*NO)  could prevent some unintended
functions from occurring.

The USRPRF  parameter  appears on  many  different Create  commands  as
well as CHGPGM.  It operates on different object types such as:

          *PGM
          *SRVPGM

Getting started and giving it a try
-----------------------------------

It  is usually  best to  first try  the PGMADP  function with  a unique
test library.

Create  the library and  a QCLSRC source  file which will  allow you to
have a few simple  CL programs that can be  created and modified.   For
example, the  following CL  source could  be used  in members  TSTCLPA,
TSTCLPB, ...

             PGM
             SNDPGMMSG   MSG(HI)
             ENDPGM

Create test *AUTLs that you can test with such as:

             CRTAUTL  AUTL(TSTPGMADP)
             CRTAUTL  AUTL(TSTPGMADP2) AUT(*EXCLUDE)

Create  the programs  in the  same library  with USRPRF(*OWNER).   Vary
the AUT parameter on CRTCLPGM from  *CHANGE to *USE and specify one  of
the *AUTLs for some.

To use the PGMADP tool, do the following:

  **   Create the files PGMADP  and PGMADPL in a specific  library that
       is  on  your library  list.   It  does  not have  to  be in  the
       library where the programs reside.

               CRTPGMADP   PGMADPLIB(xxx)

  **   Run  the Convert  command to  capture the  information about the
       programs that adopt from one or more libraries.

       This is a slow  running command.  If  you have many programs  to
       be converted, it should be submitted to batch.

               CVTPGMADP  LIB(aaa bbb)

       The programs in  the named libraries would be  checked to see if
       they  use   program  adopt  (USRPRF  =  *OWNER).    If  so,  the
       information about  the program  is  placed in  a record  in  the
       PGMADPP file.   A listing is produced of the  programs that were
       added.

       An  OMITLIB parameter also  exists to  allow specified libraries
       to be  omitted.   The  TAATOOL  library is  implicitly  omitted.
       See the later discussion of the TAATOOL library.

       CVTPGMADP should be run  on a periodic basis to  ensure that all
       programs  that  adopt are  included.    CVTPGMADP  will add  new
       programs,  check existing  programs, and delete  any records for
       programs  that no  longer  adopt.   Specifying  a  job  schedule
       entry for the  use of CVTPGMADP during off-shift  hours would be
       a   good  choice.     See  the  later   comments  about  running
       DSPPGMADP3 at the same time.

  **   Use WRKPGMADP to review the programs that adopt.

            WRKPGMADP

       The options let you display various aspects of the program.

       If the program has never  been approved, the approval date  will
       be  blank.   If the  source has  changed since  the program  was
       approved,  or the  authorization  information has  changed since
       the program information was converted,  or the program has  been
       re-created after  the program  was approved,  the approval  date
       field is displayed with high intensity.

       The approval  date field is  also displayed with  high intensity
       if  the program no longer adopts  or the USEADPAUT attribute has
       changed.

       Option 5 lets  you see  more of the  important details and  will
       describe  what  has  changed  if  the approval  date  field  was
       displayed with high intensity.

       Option  2 lets you approve a program.   You should do this after
       reviewing the program.  See  the later section on how to  review
       a program to ensure that it is safe for adoption.

  **   To display a listing of the same information do

             DSPPGMADP3

       It will  flag the same type  of changes that are  displayed with
       WRKPGMADP.

Note  that  each  time WRKPGMADP  or  DSPPGMADP3  is  run, the  current
information about the  program is  retrieved and compared  to the  last
time  the  program  was   approved.    This  makes  the   commands  run
considerably slower than just displaying the records in the file.

A  good technique  to use  would be  to include  the use  of DSPPGMADP3
both  before and after CVTPGMADP  as part of a  job schedule entry such
as the following CL program:

             PGM
             DSPPGMADP3
             CVTPGMADP     LIB(xxx)
             DSPPGMADP3
             ENDPGM

The  first  use  of  DSPPGMADP3  will  describe  any  exceptions  which
includes programs  that use  to adopt,  but no longer  adopt.   It will
also  describe any programs where the  USEADPAUT attribute has changed.
This allows  you to  ensure that  the USRPRF  and USEADPAUT  attributes
are what you had intended before the file is refreshed.

The CVTPGMADP  will refresh the file  with the current  information for
all new programs that adopt.

The  second use of  DSPPGMADP3 will describe  any exceptions such  as a
new program that adopts that has not been approved.

Program adoption can be abused
------------------------------

While program  adoption can  be  used successfully  to allow  users  to
perform  secure functions  in  a  controlled  manner, it  can  also  be
abused  by users who  are attempting to  perform functions you  are not
aware of.

Assume  you  have a  program that  adopts the  authority of  QSECOFR to
perform  a security  sensitive  function.    If your  program  does  an
unqualified call  to a sub program by  the name of ABC,  it is possible
for  a  user  to create  his  own  ABC program  to  perform  an illegal
function and get it  to run during the running  of your program.   This
could occur by getting  the bogus ABC program in front of  yours on the
library  list.   To write a  secure program  that adopts you  must code
your program in such a manner to prevent bogus functions.

The  next  sections  describe   how  to  prevent   the  use  of   bogus
situations.

Also see  the section on 'Approving  a program' as  a check list  to be
used prior to approval.

Control of the QSYS Library
---------------------------

The QSYS  library should be  the first library  on the library  list or
you  should have rigid  control over any  objects that are  placed in a
library in front of QSYS.   This is important because if you  allow any
program to  appear in  front of  QSYS, then bogus  programs may  be run
(including system programs).

You can determine the system portion of the library list by:

             DSPSYSVAL   SYSVAL(QSYSLIBL)

If you  have a library in front of QSYS,  it should be specified so the
*PUBLIC user  has only *USE  authority and  cannot add  objects to  the
library.  You can check this with:

            DSPOBJAUT    OBJ(xxx) OBJTYPE(*LIB)

You should specifically  control what users are allowed  to add objects
to the library.

If you  have a library in front of QSYS,  you will need to periodically
check what is in the  library.  In general, it  is a lot safer to  keep
QSYS at the front of the library list.

CHGSYSLIBL Command
------------------

The CHGSYSLIBL  command allows users  to change  the system portion  of
the  library list for  the current job.   When  a library is  added, it
goes at the top of the list in front of QSYS.

The  command  is shipped  so the  *PUBLIC user  is  *EXCLUDE.   You can
ensure this by:

            DSPOBJAUT   OBJ(CHGSYSLIBL) OBJTYPE(*CMD)

If you  have  users  who are  authorized,  it  would be  worthwhile  to
review why they are allowed this powerful capability.

*ALLOBJ users
-------------

When a  user profile  is given the  special authority of  *ALLOBJ, they
have  the keys to the  entire system.  Obviously,  you want to minimize
the number of users who have *ALLOBJ authority.

There is nothing  that can be  done to control  what *ALLOBJ users  do.
While  the  system  does  support  the  *SECADM  special  authority  to
control  the  creation  and deletion  of  user  profiles,  a user  with
*ALLOBJ authority could easily  get around this if  he wanted to.   You
can  audit  what  *ALLOBJ  users  do  (see  the  AUDITING  tool  for  a
discussion).

You can review who has *ALLOBJ special authority with:

             DSPSECRVW  SPCAUT(*ALLOBJ)

Reviewing program source to ensure a security safe program
----------------------------------------------------------

To  prevent bogus  functions from  occurring in  a program  that adopts
the  owner's profile, you must  qualify the use of  objects used in the
program.

Any CALL  commands, or  user commands (including  TAA commands)  should
be qualified to the specific library such as:

             CALL    PGM(LIBA/PGM1)
     TAATOOL/RTVDAT  ...

Note  that the  CALL may  also come  from a  HLL program  such  as RPG.
These calls should also be library qualified.

A  good technique to  use is  to use a  constant with  a qualified name
and then  refer to the  constant name  rather than  the actual  program
name on the CALL.

Any  OVRDBF commands  should  also be  library  qualified  and use  the
SECURE parameter such as:

             OVRDBF   FILE(FILEA) TOFILE(LIBA/FILEA)
                        SECURE(*YES)

The SECURE  parameter prevents an override higher  in the program stack
from being used instead of the override specified in the program.

If you  have a  sensitive file  that is  being worked  on  in an  adopt
program, but  does  not do  an OVRDBF  command, your  program would  be
safer  if  you added  an  Override.   RPG  does not  allow  a qualified
library  name when  it opens  a file, but  RPGLE does.   However, RPGLE
does not provide  a SECURE(*YES)  function so a  program higher in  the
stack  could direct the  program to  operate on  a different  file with
either  RPG compiler.   Adding an OVRDBF with  SECURE(*YES) will ensure
that the program is working on the file that it was intended to.

Creating user commands
----------------------

Any user commands  that are created where  the CPP (command  processing
program) is  an adopt program  should specify  a qualified name  of the
CPP when the command is created such as:

             CRTCMD    CMD(xxx) PGM(LIBA/PGM1) ...

Some  users think that  if they control  the library list  that they do
not have to  library qualify anything.   This  is not valid.   Even  if
you  set the  library  list  to your  safe  libraries and  qualify  the
invocation of a user command, a user command that is specified as:

             CRTCMD    CMD(ABC) PGM(*LIBL/PGM1) ...

could  be exposed to  a bogus  use.   A user could  create his  own ABC
command as:

             CRTCMD    CMD(ABC) PGM(DEF/PGM1) PRDLIB(DEF)

and  invoke his command  which calls the program  that adopts.  Because
PRDLIB is used,  the DEF library would  be placed in the  program stack
between the system  portion and the current library  (ahead of the user
portion  of the library  list).  By  some sneaky  programming, the user
could get his own version of PGM1 to run.

The  CRTCMD  command  also  allows   for  a  prompt  override   program
(PMTOVRPGM)  and a  validity  checking program  (VLDCKR).    If one  of
these  parameters   is  used,  the  program   should  also  be  library
qualified.

You can check for  unqualified use of programs  specified on a  command
with:

             CHKCMDQLFN

It will  operate on  a single  program, a single  library, or  multiple
libraries   and  describe   which  command   parameters   that  support
qualified  names  are  not  being  used.    The  parameters  that  have
security implications are:

             PGM         (CPP)
             PMTOVRPGM
             VLDCKR

Attempting to  control  the  library  list will  guarantee  that  bogus
programs  cannot be  used.   You need  to qualify  the  parameters that
invoke  programs.  Setting  the PRDLIB  parameter on a  user command is
not required  if  you library  qualify.   TAA  commands do  both  (some
exceptions exist).

Preventing the use of debug
---------------------------

Another exposure  with programs that adopt  is that you  should prevent
the  use  of debugging  tools  if the  program  is  security sensitive.
Allowing a user to  debug the program will  allow him to change  values
during the  program  execution.   For example,  while in  debug a  user
could change the value of a field to be updated in a data base.

There are two ways to prevent the use of debug for *PUBLIC users:

  **   Set  the authorization to  the program  for the *PUBLIC  user to
       *USE.    The default  used by  CRT  program commands  is *CHANGE
       which means  that when you  take the  default, you are  allowing
       anyone authorized  to the STRDBG  command to debug  the program.
       With  only  *USE authority,  you can  prevent  the use  of debug
       functions.

  **   You can  remove the observability  of a  program by  the use  of
       the CHGPGM command such as:

             CHGPGM   PGM(xxx) RMVOBS(*ALL)

       Once  the  program is  debugged,  it  is  better to  remove  the
       observability  to prevent  even *ALLOBJ  users from  using debug
       for malicious actions.

       CHGPGM will also  allow all  programs or  generic program  names
       in a library to be changed.

Authorizations to the program
-----------------------------

If you have a program  that adopts, it may do so because  it performs a
simple  function that  requires a  specific  authorization that  you do
not  want to give  to the *PUBLIC user.   For example,  you may want to
allow any  user to  display the  text  description of  a user  profile.
Without a  program that  adopts, the user  must have *USE  authority to
the  user  profile  to  access  the  text  description.    If the  only
functions performed by  the program are  non-security sensitive, it  is
perfectly  valid  to   have  the  program  authorized   to  allow  *USE
authority to the *PUBLIC user.

But you  may also have other programs  that must be rigidly controlled.
For example, you may have a  program that creates a user profile  using
the CRTUSRPRF  command which you  want certain users  to use, but  only
via your program.   In this case, you want  to prevent the *PUBLIC user
from running the program.

There  are two  methods of preventing  the *PUBLIC user  from running a
program:

  **   You can specify the *PUBLIC user as *EXCLUDE.

  **   You can  specify  the  *PUBLIC user  as  *AUTL and  control  the
       authorizations  via an  Authorization List  and specify  *PUBLIC
       *EXCLUDE to the *AUTL.

TAATOOL Library
---------------

The TAATOOL library is implicitly omitted when CVTPGMADP is run.

The  TAATOOL  library has  many programs  that  adopt the  ownership of
QSECOFR.

Some are simple non-security sensitive  programs such as that  provided
by the DUPTAADBF  command which allows the CRTDUPOBJ command  to be run
on  specific  *FILE objects  in  TAATOOL.   This  is used  by  many TAA
commands that create  outfiles.  CRTDUPOBJ  requires *OBJMGT  authority
to the file.   Without program adoption, the *FILE  *OBJMGT right would
have to  be made available  to the *PUBLIC  user or a  requirement that
an *ALLOBJ user run the command.

Some  TAA programs are considered security  sensitive such as that used
by the INZPWD command.   This allows an  authorized user to be able  to
initialize  most user  profiles to  a default  or random  password when
users  forget their passwords.   The command requires  that the user of
the command and  program be authorized  to the TAAINZPWD  authorization
list.

You can review  the INZPWD source to  see how qualified names  are used
by:

             DSPTAA   TAASECXC

The  TAA programs are  thoroughly checked  to ensure that  the programs
are safe.   A  bogus program  cannot be  used to  bypass your  security
intent.  All programs that adopt do the following:

        - All CALL commands are library qualified
        - All TAA commands are library qualified
        - All OVRDBF commands use qualified names and SECURE(*YES)
        - All CRT/CHGUSRPRF commands are library qualified to QSYS
        - All calls to non-QSYS programs in HLLs are qualified
        - All programs prevent debug
             - Programs are shipped unobservable
             - Programs are shipped as *PUBLIC *USE
        - All TAA commands qualify the library of the CPP, and
               any prompt override or validity checking programs
        - TAA commands specify PRDLIB(TAATOOL)
             - Some exceptions exist
        - All TAA *AUTL objects are shipped as *PUBLIC *EXCLUDE
        - All TAA objects that use an *AUTL specify *PUBLIC *AUTL

Sensitive security functions  require either *ALLOBJ authority,  or are
tied to an *AUTL with *PUBLIC as *AUTL.

Ensuring the TAATOOL library
----------------------------

To  ensure that the  programs and authorizations  are set the  way they
are   shipped,  the  CHKTAAAUT  command  may   be  used.    To  support
CHKTAAAUT, a file of  specific authorizations and programs  which adopt
is  shipped  with  the product  and  is  used  to compare  against  the
current information on the system.  Any differences are noted.

CHKTAAAUT  will also find  commands and programs that  exist in TAATOOL
that have the same  name as commands and  programs in other  libraries.

To just check the  Authorization Lists to ensure that  they are all set
to *PUBLIC = *EXCLUDE, enter:

             CHKTAAAUT

Approving a program that adopts
-------------------------------

If you  are the person to  approve the use of  programs that adopt, you
should do the following:

  **   After  CVTPGMADP  has   been  run,  use   either  WRKPGMADP   or
       DSPPGMADP3 to determine what programs need to be reviewed.

  **   Determine  if   the   function  being   performed  is   security
       sensitive.

  **   Determine  if  any  sub  programs  are called  using  DSPPGMREF.
       Each  sub program must also be  reviewed even if the function is
       not security sensitive as a sub-sub program may be.

  **   Determine the source member used for the program.

  **   If  a CL  program  is  being  used, CHK400CMD  will  describe  a
       listing  of any  user commands.   Each  user  command represents
       another  program that is being called as  a sub program and must
       also be checked.

       If a TAA command is  being invoked, TAA commands are  considered
       safe to  use if they  are library qualified  to TAATOOL.   It is
       not  necessary to check  the command processing  program used as
       they are safe to use.

       If you  are  dealing with  a  security sensitive  function,  any
       user commands should be library qualified such as:

             xxx/USRCMDA   ...

       You should  check  the command  to ensure  that qualified  names
       are used for the commands that support program names.

            CHKCMDQLFN  LIB(xxx) CMD(yyy)

       Scan  the  source  for OVRDBF  commands  and  if  they exist,  a
       library  qualifier should be  used along with  SECURE(*YES).  In
       some cases,  the user  may input the  file or  file and  library
       name.  In  this case, you will need to  ensure that the function
       being  performed is appropriate for  any file.  You  may want to
       reject certain files or libraries.

       In some  cases,  you may  need to  add  an OVRDBF  command  with
       SECURE(*YES) to ensure that the right file is processed.

  **   Review the authorizations  to the program with  DSPOBJAUT and if
       an  *AUTL is  specified  for the  *PUBLIC user,  then  the *AUTL
       should be  reviewed with  DSPAUTL.   Sensitive functions  should
       not allow the *PUBLIC  user any access.  It should  be *PUBLIC =
       *EXCLUDE.

  **   For sensitive  security programs, you should prevent  the use of
       debug   by  removing  the  observability  to  the  program  with
       CHGPGM.

Tips
----

  **   If a program  adopts the QSECOFR profile  and you want to  check
       within the program  if the user is authorized  to some function,
       the  user will  always be authorized  because of  adoption.  You
       can check using a  tool like UNADOPT.   This allows you to  pass
       a command to  a program that uses USEADPAUT(*NO).   For example,
       you could say:

           TAATOOL/UNADOPT  CMD(CHKOBJ ...)

The   CHKOBJ  command   runs  without  the   benefit  of   the  QSECOFR
authorization.

  **   If you have  a program that  adopts, but should  only be  called
       from  a  specific  program, the  RTVPGMNAM  command  will  allow
       return  variables of the  program that  called the  sub program.
       For example, your code could look like:

         TAATOOL/RTVPGMNAM   CALLINGPGM(&PGM) CALLINGLIB(&PGML)
         IF          ((&PGM *NE 'xxx') *OR +
                       (&PGML *NE 'yyy')) DO /* Bad */
         SNDESCMSG   MSG('Invalid use of program zzz')
         ENDDO       /* Bad */

CRTPGMADP escape messages you can monitor for
---------------------------------------------

None.  Escape messages from based on functions will be re-sent.

DLTPGMADP escape messages you can monitor for
---------------------------------------------

None.  Escape messages from based on functions will be re-sent.

CVTPGMADP escape messages you can monitor for
---------------------------------------------

      TAA9892    No programs were found in the specified libraries

Escape messages from based on functions will be re-sent.

WRKPGMADP escape messages you can monitor for
---------------------------------------------

None.  Escape messages from based on functions will be re-sent.

DSPPGMADP3 escape messages you can monitor for
----------------------------------------------

None.  Escape messages from based on functions will be re-sent.

CRTPGMADP Command parameters                         *CMD
----------------------------

   PGMADPLIB     The  library where the PGMADPP  and PGMADPL files will
                 be created.

   SRCLIB        The  source  library  to  use  for  the  QATTDDS  file
                 source.   The  default is  *TAAARC to  use  the source
                 from the TAA Archive.

                 A  specific user library may be  named, but the source
                 file must be QATTDDS.

   AUT           The  authority  given  to  the  *PUBLIC  user  of  the
                 files.  *USE is the default.

                 *CHANGE, or *EXCLUDE may be specified.

                 Note  that an  *ALLOBJ  user is  required  to use  the
                 CVTPGMADP, WRKPGMADP, and DSPPGMADP3 commands.


DLTPGMADP Command parameters                         *CMD
----------------------------

   PGMADPLIB     The  library  where  the  PGMADPP  and  PGMADPL  files
                 exist.


CVTPGMADP Command parameters                         *CMD
----------------------------

   LIB           The list  of libraries  to be  processed.   Up to  300
                 libraries  may be  entered  (including generic  names)
                 or  the   special  values  *LIBL,  *USRLIBL,  *CURLIB,
                 *ALLUSR, *ALLUSR2, *ALLNONQ, *IBM, or ALL.

                 For  *LIBL and *USRLIBL, if  a current library exists,
                 it will  be written  as  a record  before the  records
                 for  the user  portion of  the library  list.   If the
                 current  library is also  part of the  user portion of
                 the library  list, it  will only  appear  once (it  is
                 removed from the user portion list).

                 *ALLUSR  omits certain  # libraries  such as  #RPGLIB.
                 *ALLUSR  also  omits  all  Q  libraries  with  certain
                 exceptions such as QGPL.   See the  help text for  the
                 SAVLIB command  for  a complete  list.   Note that  if
                 you have  your own library which begins  with Q, it is
                 omitted.

                 *IBM  causes  all libraries  to  be included  based on
                 the definition for DSPOBJD LIB(*IBM).

                 *ALLUSR2 is similar to  *ALLUSR.  It omits the  same #
                 libraries, but  also omits any  library beginning with
                 Q.    Note that  if you  have  your own  library which
                 begins with Q, it is omitted.

                 *ALLNONQ means any  library that  does not begin  with
                 the  letter  Q.    If *ALLNONQ  is  used,  the  ASPDEV
                 parameter must use the default.

   ASPDEV        Specifies  the  auxiliary  storage  pool (ASP)  device
                 name where  storage  for the  library  containing  the
                 object is  allocated.   If the  library resides in  an
                 ASP  that is  not part  of  the thread's  library name
                 space,  this  parameter  must be  specified  to ensure
                 the correct library is searched.

                 The parameter  can  be  specified  as a  list  of  two
                 values  (elements)   or  as  a  single   value.    The
                 possible single values are:

                 *  = The ASPs that are  currently part of the thread's
                 library name  space  will be  searched to  locate  the
                 library.   This includes the  system ASP (ASP  1), all
                 defined  basic  user  ASPs (ASPs  2-32),  and,  if the
                 thread has  an ASP  group, the  primary and  secondary
                 ASPs in the thread's ASP group.

                 *ALLAVL = All  available ASPs will be searched.   This
                 includes  the system  ASP (ASP  1), all  defined basic
                 user  ASPs (ASPs 2-32), and  all available primary and
                 secondary  ASPs,  (ASPs  33-255)  with  a   status  of
                 'Available'.

                 *CURASPGRP  = If  the  thread has  an  ASP group,  the
                 primary  and secondary ASPs in  the thread's ASP group
                 will  be  searched.    The  system  ASP  (ASP  1)  and
                 defined  basic  user  ASPs (ASPs  2-32)  will  not  be
                 searched.   If  no ASP  group  is associated  with the
                 thread, an error will be issued.

                 *SYSBAS =  The  system ASP  (ASP  1) and  all  defined
                 basic  user  ASPs  (ASPs 2-32)  will  be  searched  to
                 locate  the library.    No primary  or  secondary ASPs
                 will  be  searched  even  if  the  thread  has  an ASP
                 group.

                 Element 1: Device

                 The device  name of the  primary or  secondary ASP  to
                 be searched.   The primary or secondary  ASP must have
                 been  activated  (by varying  on the  ASP  device) and
                 have a status  of 'Available'.   The  system ASP  (ASP
                 1) and  defined user basic  ASPs (ASPs 2-32)  will not
                 be searched.

                 Element 2: Search type

                 *ASP  =  Specifies  that  only  the  single  auxiliary
                 storage pool (ASP)  device named  in element  1 is  to
                 be searched.

                 *ASPGRP  = Specifies  that  the  entire group  of  the
                 primary auxiliary  storage pool (ASP)  device named in
                 element 1 is to be searched.

   ASPNBR        The  ASP  number  for  the libraries  that  are  to be
                 converted.  The default is *ALL.

                 A number  in  the  range of  1-99  may be  entered  to
                 subset the  libraries that are  output by the  LIB and
                 ASPDEV parameters.

   OMITLIB       A  list  of up  to  300 libraries  or  generic library
                 names that should be omitted.   *NONE is the  default.

                 The TAATOOL library is implicitly omitted.

                 An omit list may not be entered for LIB(*CURLIB).

                 No check occurs  to see if an omit  library would have
                 been   selected.    For  example,   if  LIB(*LIBL)  is
                 entered with OMITLIB(ABC)  and library ABC  is not  on
                 the library list, no error occurs.

   PGMADPLIB     The  library  where  the  PGMADPP  and  PGMADPL  files
                 exist.  *LIBL is the default.


WRKPGMADP Command parameters                         *CMD
----------------------------

   PGMADPLIB     The  library  where  the  PGMADPP  and  PGMADPL  files
                 exist.  *LIBL is the default.

   OWNER         Whether  to  select a  specific  owner.   *ALL  is the
                 default.

                 If an owner  is named, selection  occurs on the  basis
                 of  the value at  the time  of the  original CVTPGMADP
                 when  the program  was added  or when the  program was
                 approved.  This  may not be the  current owner of  the
                 program.

   PGM           The  program  to   be  displayed.    The   default  is
                 *ALL/*ALL  for all programs in  all libraries found in
                 the PGMADPP file.

                 A specific program name or  generic name may be  used.
                 A specific library may be named.


DSPPGMADP3 Command parameters                        *CMD
-----------------------------

   PGMADPLIB     The  library  where  the  PGMADPP  and  PGMADPL  files
                 exist.  *LIBL is the default.

   OWNER         Whether  to select  a  specific  owner.   *ALL  is the
                 default.

                 If  an owner is  named, selection occurs  on the basis
                 of the  value at  the time of  the original  CVTPGMADP
                 when  the program was  added or  when the  program was
                 approved.   This may  not be the current  owner of the
                 program.

   PGM           The  program  to  be   displayed.    The  default   is
                 *ALL/*ALL for all  programs in all libraries  found in
                 the PGMADPP file.

                 A specific  program name or generic  name may be used.
                 A specific library may be named.

   OUTPUT        How to  output  the results.    * is  the  default  to
                 display the  spooled file  if the  command is  entered
                 interactively.   The spooled file is  deleted after it
                 is displayed.

                 If  the  command  is  entered in  batch  or  *PRINT is
                 specified, the  spooled file is  output and  retained.

Restrictions
------------

Only  a user  with *ALLOBJ  special  authority may  use the  CVTPGMADP,
WRKPGMADP, and DSPPGMADP3 commands.

The  WRKPGMADP and DSPPGMADP3 commands do  not attempt to determine all
programs that  adopt.   They  only  process  those programs  that  were
converted by the CVTPGMADP command.

WRKPGMADP  and DSPPGMADP3  have  an OWNER  parameter.    If a  specific
owner  is named,  selection occurs  on the  basis of  the value  at the
time of the original CVTPGMADP when  the program was added or when  the
program  was approved.    This may  not  be the  current  owner of  the
program.

The  checking  for  debug capability  assumes  the  use  of *CHANGE  of
object authority will be used and not *USRDFN.

*SQLPKG object types are not checked.

The  TAATOOL  library  is  implicitly  bypassed.    See  the  CHKTAAAUT
command and the previous discussion.

Prerequisites
-------------

The following TAA Tools must be on your system:

     CHKALLOBJ       Check *ALLOBJ special authority
     CHKDUPLST       Check duplicates in list
     CHKGENERC       Check generic
     CHKGENOBJ       Check generic object
     CHKOBJ3         Check object 3
     CMPLSTPARM      Compare list parm
     CPYTAADDS       Copy TAA DDS source
     CRTDUPPF        Create duplicate PF
     CVTPGMA         Convert program attributes
     CVTTIM          Convert time
     DSPOBJD2        Display object description 2
     EDTVAR          Edit variable
     EXTLST          Extract list
     EXTLST2         Extract list 2
     RTVOBJAUT       Retrieve object authority
     RTVPGMA         Retrieve program attribute
     RTVPUBAUT       Retrieve public authority
     RTVSYSVAL3      Retrieve system value 3
     SNDCOMPMSG      Send completion message
     SNDESCINF       Send escape information
     SNDESCMSG       Send escape message
     SNDJLGMSG       Send job log message
     SNDSTSMSG       Send status message
     UPDPFILE        Update PF keyword

Implementation
--------------

None, the tool is ready to use.

Objects used by the tool
------------------------

   Object        Type    Attribute      Src member    Src file
   ------        ----    ---------      ----------    ----------

   CRTPGMADP     *CMD                   TAAPGOA       QATTCMD
   DLTPGMADP     *CMD                   TAAPGOA2      QATTCMD
   CVTPGMADP     *CMD                   TAAPGOA3      QATTCMD
   WRKPGMADP     *CMD                   TAAPGOA4      QATTCMD
   DSPPGMADP3    *CMD                   TAAPGOA5      QATTCMD
   TAAPGOAC      *PGM       CLP         TAAPGOAC      QATTCL
   TAAPGOAC2     *PGM       CLP         TAAPGOAC2     QATTCL
   TAAPGOAC3     *PGM       CLP         TAAPGOAC3     QATTCL
   TAAPGOAC4     *PGM       CLP         TAAPGOAC4     QATTCL
   TAAPGOAC5     *PGM       CLP         TAAPGOAC5     QATTCL
   TAAPGOAC13    *PGM       CLP         TAAPGOAC13    QATTCL
   TAAPGOAC14    *PGM       CLP         TAAPGOAC14    QATTCL
   TAAPGOAC15    *PGM       CLP         TAAPGOAC15    QATTCL
   TAAPGOAR3     *PGM       RPG         TAAPGOAR3     QATTRPG
   TAAPGOAR4     *PGM       RPG         TAAPGOAR4     QATTRPG
   TAAPGOAR5     *PGM       RPG         TAAPGOAR5     QATTRPG
   TAAPGOAD      *FILE      DSPF        TAAPGOAD      QATTDDS
   TAAPGOAP      *FILE      PF          TAAPGOAP      QATTDDS
   TAAPGOAL      *FILE      LF          TAAPGOAL      QATTDDS

Structure
---------

CRTPGMADP   Cmd
   TAAPGOAC   CL pgm

DLTPGMADP   Cmd
   TAAPGOAC2  CL pgm

CVTPGMADP   Cmd
   TAAPGOAC3  CL pgm
     TAAPGOAR3  RPG pgm
       TAAPGOAC13  CL pgm

WRKPGMADP   Cmd
   TAAPGOAC4  CL pgm
     TAAPGOAR4  RPG pgm
       TAAPGOAC14  CL pgm

DSPPGMADP3  Cmd
   TAAPGOAC5  CL pgm
     TAAPGOAR5  RPG pgm
       TAAPGOAC15  CL pgm
					

Added to TAA Productivity tools July 15, 2009


Home Page Up to Top