IBM i
Security: Security reference
Version 7.1
SC41-5302-11

Note: Before using this information and the product it supports, read the information in Appendix I, Notices, on page 723.

This edition applies to IBM i 7.1 (product number 5770-SS1) and to all subsequent releases and modifications until otherwise indicated in new editions. This version does not run on all reduced instruction set computer (RISC) models nor does it run on CISC models. This edition replaces SC41-5302-10.

© Copyright IBM Corporation 1996, 2010.

US Government Users Restricted Rights: Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM Corp.

Contents
iii What's new for IBM i 7.1 . . . . . . . xiii Chapter 1. Introduction to System i security . . . . . . . . . . . . . . . 1
Physical security . . . . Keylock security . . . . Security level . . . . . System values . . . . . Signing . . . . . . . Single sign-on enablement . User profiles . . . . . Group profiles . . . . . Resource security . . . . Security audit journal . . Common Criteria security . Independent disk pool . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2 2 2 3 3 3 4 4 5 6 6 6 Limit Security Officer (QLMTSECOFR) . . . . Maximum Sign-On Attempts (QMAXSIGN) . . Action When Sign-On Attempts Reached (QMAXSGNACN) . . . . . . . . . . . Retain Server Security (QRETSVRSEC) . . . . Remote power-on and restart (QRMTIPL) . . . Remote Sign-On Control (QRMTSIGN) . . . . Scan File Systems (QSCANFS) . . . . . . . Scan File Systems Control (QSCANFSCTL) . . . Share Memory Control (QSHRMEMCTL) . . . Use Adopted Authority (QUSEADPAUT) . . . Security-related system values . . . . . . . . Automatic Device Configuration (QAUTOCFG) Automatic Configuration of Virtual Devices (QAUTOVRT) . . . . . . . . . . . . Device Recovery Action (QDEVRCYACN) . . . Disconnected Job Time-Out Interval (QDSCJOBITV) . . . . . . . . . . . . Remote Service Attribute (QRMTSRVATR) . . . Secure Sockets Layer (SSL) cipher specification list (QSSLCSL) . . . . . . . . . . . . Secure Sockets Layer (SSL) cipher control (QSSLCSLCTL) . . . . . . . . . . . . Secure Sockets Layer (SSL) protocols (QSSLPCL) Security-related restore system values . . . . . Verify Object on Restore (QVFYOBJRST). . . . Force Conversion on Restore (QFRCCVNRST) . . Allow Restoring of Security-Sensitive Objects (QALWOBJRST) . . . . . . . . . . . . System values that apply to passwords . . . . . Block Password Change (QPWDCHGBLK) . . . Password Expiration Interval (QPWDEXPITV). . Password Expiration Warning (QPWDEXPWRN) Password Level (QPWDLVL) . . . . . . . 
Minimum Length of Passwords (QPWDMINLEN) . . . . . . . . . . . Maximum Length of Passwords (QPWDMAXLEN) . . . . . . . . . . . Required Difference in Passwords (QPWDRQDDIF) . . . . . . . . . . . Restricted Characters for Passwords (QPWDLMTCHR) . . . . . . . . . . . Restriction of Consecutive Digits for Passwords (QPWDLMTAJC) . . . . . . . . . . . Restriction of Repeated Characters for Passwords (QPWDLMTREP) . . . . . . . . . . . Character Position Difference for Passwords (QPWDPOSDIF) . . . . . . . . . . . . Requirement for Numeric Character in Passwords (QPWDRQDDGT) . . . . . . . Password Rules (QPWDRULES) . . . . . . Password Approval Program (QPWDVLDPGM) Using a password approval program . . . . System values that control auditing . . . . . . Auditing Control (QAUDCTL) . . . . . . . Auditing End Action (QAUDENDACN) . . . . 29 30 30 31 32 32 33 33 34 35 36 37 37 38 38 39 39 40 40 41 41 43 44 46 47 47 48 48 50 50 51 51 52 52 53 53 54 60 60 64 65 66

Chapter 2. Using System Security (QSecurity) system value . . . . . . . 9


Security level 10 . . . . . . . . . . . . . Security level 20 . . . . . . . . . . . . . Changing to level 20 from level 10. . . . . . Changing to level 20 from a higher level . . . Security level 30 . . . . . . . . . . . . . Changing to level 30 from a lower level . . . . Security level 40 . . . . . . . . . . . . . Preventing the use of unsupported interfaces . . Protecting job descriptions . . . . . . . . Signing on without a user ID and password . . Enhanced hardware storage protection . . . . Protecting a programs associated space . . . . Protecting a jobs address space . . . . . . Validating parameters . . . . . . . . . . Validation of programs being restored . . . . Changing to security level 40 . . . . . . . Disabling security level 40 . . . . . . . . Security level 50 . . . . . . . . . . . . . Restricting user domain objects . . . . . . . Restricting message handling . . . . . . . Preventing modification of internal control blocks Changing to security level 50 . . . . . . . Disabling security level 50 . . . . . . . . 12 12 12 13 13 13 14 15 16 16 17 17 17 17 17 18 19 19 19 20 20 20 21

Chapter 3. Security system values . . . 23


General security system values . . . . . . . Allow User Domain Objects (QALWUSRDMN) Authority for New Objects (QCRTAUT) . . . Display Sign-On Information (QDSPSGNINF) . Inactive Job Time-Out Interval (QINACTITV) . Inactive Job Time-Out Message Queue (QINACTMSGQ) . . . . . . . . . . Limit Device Sessions (QLMTDEVSSN) . . .
Copyright IBM Corp. 1996, 2010

. 24 25 . 26 . 26 . 27 . 28 . 29

Auditing Auditing Auditing Auditing

Force Level (QAUDFRCLVL) . . Level (QAUDLVL) . . . . . . Level Extension (QAUDLVL2) . . for New Objects (QCRTOBJAUD) .

. . . .

. . . .

66 67 69 70

Chapter 4. User profiles . . . . . . . 73


Roles of the user profile . . . . . Group profiles . . . . . . . . User-profile parameter fields . . . User profile name . . . . . . Password . . . . . . . . . Set password to expired . . . . Status . . . . . . . . . . User class . . . . . . . . . Assistance level . . . . . . . Current library . . . . . . . Initial program . . . . . . . Initial menu . . . . . . . . Limit capabilities . . . . . . Text . . . . . . . . . . . Special authority . . . . . . *ALLOBJ special authority . . *SECADM special authority . . *JOBCTL special authority . . *SPLCTL special authority . . *SAVSYS special authority . . *SERVICE special authority . . Granting access to traces . . *AUDIT special authority. . . *IOSYSCFG special authority . Special environment . . . . . Display sign-on information . . . Password expiration interval . . Block Password Change . . . . Local password management . . Limit device sessions . . . . . Keyboard buffering . . . . . . Maximum storage . . . . . . Priority limit . . . . . . . . Job description . . . . . . . Group profile . . . . . . . . Owner . . . . . . . . . . Group authority . . . . . . . Group authority type . . . . . Supplemental groups . . . . . Accounting code . . . . . . Document password . . . . . Message queue . . . . . . . Delivery . . . . . . . . . Severity . . . . . . . . . Print device . . . . . . . . Output queue . . . . . . . Attention-Key-Handling program Sort Sequence . . . . . . . Language identifier . . . . . Country or region identifier . . Coded character set identifier . . Character identifier control . . . Job attributes . . . . . . . Locale . . . . . . . . . . User Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 73 . 74 . 74 . 75 . 76 . 77 . 78 . 79 . 80 . 81 . 81 . 82 . 83 . 84 . 84 . 85 . 85 . 85 . 86 . 86 . 86 . 87 . 88 . 88 . 88 . 90 . 91 . 92 . 92 . 93 . 93 . 94 . 95 . 96 . 96 . 97 . 98 . 98 . 99 . 100 . 100 . 101 . 101 . 102 . 103 . 103 . 104 . 104 . 105 . 105 . 106 . 106 . 107 . 107 . 108

| |

User identification number . . . . . . . . Group identification number . . . . . . . Home directory . . . . . . . . . . . EIM association. . . . . . . . . . . . User expiration date . . . . . . . . . . User expiration interval . . . . . . . . . Authority. . . . . . . . . . . . . . Object auditing . . . . . . . . . . . . . Action auditing. . . . . . . . . . . . . Additional information associated with a user profile . . . . . . . . . . . . . . . . Private authorities . . . . . . . . . . . Primary group authorities . . . . . . . . Owned object information . . . . . . . . Digital ID authentication . . . . . . . . . Working with user profiles . . . . . . . . . Creating user profiles. . . . . . . . . . Using the Work with User Profiles command Using the Create User Profile command . . Using the Work with User Enrollment option Copying user profiles. . . . . . . . . . Copying from the Work with User Profiles display . . . . . . . . . . . . . Copying from the Work with User Enrollment display . . . . . . . . . Copying private authorities . . . . . . Changing user profiles . . . . . . . . . Deleting user profiles. . . . . . . . . . Using the Delete User Profile command . . Using the Remove User option . . . . . Working with Objects by Private Authorities Working with Objects by Primary Group . . . Enabling a user profile . . . . . . . . . Listing user profiles . . . . . . . . . . Displaying an individual profile . . . . . Listing all profiles . . . . . . . . . . Types of user profile displays . . . . . . Types of user profile reports . . . . . . Renaming a user profile . . . . . . . . . Working with user auditing . . . . . . . Working with profiles in CL programs . . . . User profile exit points . . . . . . . . . IBM-supplied user profiles . . . . . . . . Changing passwords for IBM-supplied user profiles . . . . . . . . . . . . . Working with service tools user IDs . . . . System password . . . . . . . . . .

108 109 109 110 111 111 112 112 113 115 115 116 116 116 117 117 117 118 118 119 119 120 121 122 122 122 123 124 124 125 125 125 125 126 126 126 127 128 128 128 129 129 130

Chapter 5. Resource security

. . . . 131
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 131 132 133 135 135 135 136 137

Defining who can access information . . Defining how information can be accessed Commonly used authorities . . . . Defining what information can be accessed Library security . . . . . . . . Library security and library lists . . Field authorities . . . . . . . . Security and the System/38 Environment Recommendation for System/38 Environment . . . . . . . . Directory security . . . . . . . . Authorization list security . . . . .

. 137 . 138 . 138

vi

IBM i: Security Security reference

Authorization list management . . . . . Using authorization lists to secure IBM-supplied objects . . . . . . . . . Authority for new objects in a library . . . . . Create Authority (CRTAUT) risks. . . . . . Authority for new objects in a directory . . . . Object ownership . . . . . . . . . . . . Group ownership of objects . . . . . . . Primary group for an object . . . . . . . Default Owner (QDFTOWN) user profile . . . Assigning authority and ownership to new objects. . . . . . . . . . . . . . . Objects that adopt the owner's authority . . . . Adopted authority risks and recommendations Programs that ignore adopted authority . . . . Authority holders . . . . . . . . . . . . Authority holders and System/36 Migration . . Authority holder risks . . . . . . . . . Working with authority . . . . . . . . . . Authority displays . . . . . . . . . . Authority reports . . . . . . . . . . . Working with libraries . . . . . . . . . Creating objects . . . . . . . . . . . Working with individual object authority . . . Specifying user-defined authority. . . . . Giving authority to new users . . . . . . Removing a user's authority . . . . . . Working with authority for multiple objects . . Working with object ownership . . . . . . Working with primary group authority . . . . Using a referenced object . . . . . . . . Copying authority from a user . . . . . . Working with authorization lists . . . . . . Advantages of using an authorization list Creating an authorization list . . . . . . Giving users authority to an authorization list . . . . . . . . . . . . . . . Securing objects with an authorization list Setting up an authorization list . . . . . Deleting an authorization list . . . . . . How the system checks authority. . . . . . . Authority checking flowcharts. . . . . . . Flowchart 1: Main authority checking process Flowchart 2: Fast path for object authority checking . . . . . . . . . . . . . Flowchart 3: How user authority to an object is checked . . . . . . . . . . . . 
Flowchart 4: How owner authority is checked . . . . . . . . . . . . . Flowchart 5: Fast path for user authority checking . . . . . . . . . . . . . Flowchart 6: How group authority is checked Flowchart 7: How public authority is checked Flowchart 8: How adopted authority is checked . . . . . . . . . . . . . Authority checking examples . . . . . . . Case 1: Using private group authority . . . Case 2: Using primary group authority . . . Case 3: Using public authority. . . . . . Case 4: Using public authority without searching private authority . . . . . . .

138 139 139 140 140 142 143 144 145 145 149 152 152 153 154 154 154 154 157 157 158 159 160 160 161 162 163 164 165 165 165 166 166 167 167 168 169 169 169 170 172 174 175 176 179 181 182 186 186 187 189 189

Case 5: Using adopted authority . . . . Case 6: User and group authority . . . Case 7: Public authority without private authority . . . . . . . . . . . . Case 8: Adopted authority without private authority . . . . . . . . . . . . Case 9: Using an authorization list . . . Case 10: Using multiple groups . . . . Case 11: Combining authorization methods Authority cache . . . . . . . . . . .

. 190 . 191 . 191 . 192 . 193 . 194 195 . 197

Chapter 6. Work management security 199


Job initiation . . . . . . . . . . . . . Starting an interactive job . . . . . . . . Starting a batch job . . . . . . . . . . Adopted authority and batch jobs . . . . . Workstations . . . . . . . . . . . . . Ownership of device descriptions . . . . . Signon screen display file . . . . . . . . . Changing the signon screen display . . . . . Display file source for the signon screen . . Changing the signon display file . . . . . Subsystem descriptions . . . . . . . . . . Controlling how jobs enter the system . . . . Job descriptions . . . . . . . . . . . . System operator message queue . . . . . . . Library lists . . . . . . . . . . . . . . Security risks of library lists . . . . . . . Change in function . . . . . . . . . Unauthorized access to information . . . . Recommendations for system portion of library list . . . . . . . . . . . . . . . . Recommendations for product library . . . . Recommendations for the current library . . . Recommendations for the user portion of the library list . . . . . . . . . . . . . Printing . . . . . . . . . . . . . . . Securing spooled files . . . . . . . . . Display Data (DSPDTA) parameter of output queue . . . . . . . . . . . . . . Authority to Check (AUTCHK) parameter of output queue . . . . . . . . . . . Operator Control (OPRCTL) parameter of output queue . . . . . . . . . . . Output queue and parameter authorities required for printing . . . . . . . . . . Examples: Output queue . . . . . . . . Network attributes . . . . . . . . . . . Job Action (JOBACN) network attribute . . . Client Request Access (PCSACC) network attribute . . . . . . . . . . . . . . Risks and recommendations . . . . . . DDM Request Access (DDMACC) network attribute . . . . . . . . . . . . . . Save and restore operations . . . . . . . . Restricting save and restore operations . . . . Example: Restricting save and restore commands . . . . . . . . . . . . . Performance tuning . . . . . . . . . . . Restricting jobs to batch . . . . . . . . . 
199 199 200 200 201 203 204 204 204 204 205 205 206 207 207 208 208 209 209 209 210 210 211 211 211 212 212 212 213 214 214 215 215 216 216 216 217 217 218

Contents

vii

Chapter 7. Designing security . . . . 219


Overall recommendations for security design. . . Planning password level changes . . . . . . . Considerations for changing QPWDLVL from 0 to 1. . . . . . . . . . . . . . . . Considerations for changing QPWDLVL from 0 or 1 to 2 . . . . . . . . . . . . . . Considerations for changing QPWDLVL from 2 to 3. . . . . . . . . . . . . . . . Changing QPWDLVL to a lower password level Planning libraries . . . . . . . . . . . . Planning applications to prevent large profiles Library lists . . . . . . . . . . . . . Controlling the user library list . . . . . Changing the system library list . . . . . Describing library security . . . . . . . . Planning menus . . . . . . . . . . . . Describing menu security . . . . . . . . Using adopted authority in menu design . . . Ignoring adopted authority . . . . . . . System request menu. . . . . . . . . . Planning command security . . . . . . . . Planning file security . . . . . . . . . . . Securing logical files . . . . . . . . . . Overriding files . . . . . . . . . . . File security and SQL. . . . . . . . . . Planning group profiles . . . . . . . . . . Considerations for primary groups for objects Considerations for multiple group profiles . . Accumulating special authorities for group profile members . . . . . . . . . . Using an individual profile as a group profile Comparison of group profiles and authorization lists . . . . . . . . . . . . . . . . Planning security for programmers . . . . . . Managing source files . . . . . . . . . Protecting Java class files and jar files in the integrated file system. . . . . . . . . . Planning security for system programmers or managers. . . . . . . . . . . . . . Using validation lists . . . . . . . . . . . Limit access to program function . . . . . . . 220 221 222 222 223 223 225 226 226 227 227 228 228 229 230 232 233 235 236 236 239 239 239 240 240 240 241 241 242 242 243 243 243 244

Chapter 9. Auditing security on System i . . . . . . . . . . . . . 257


Checklist for security officers and auditors . . . Physical security . . . . . . . . . . . System values . . . . . . . . . . . . IBM-supplied user profiles . . . . . . . . Password control . . . . . . . . . . . User and group profiles . . . . . . . . . Authorization control. . . . . . . . . . Unauthorized access . . . . . . . . . . Unauthorized programs . . . . . . . . . Communications . . . . . . . . . . . Using the security audit journal . . . . . . . Planning security auditing . . . . . . . . Planning the auditing of actions . . . . . Action auditing values . . . . . . . Security auditing journal entries . . . . Planning the auditing of object access . . . Displaying object auditing . . . . . . Setting default auditing for objects . . . Preventing loss of auditing information . . Choosing not to audit QTEMP objects . . . Using CHGSECAUD to set up security auditing Setting up security auditing . . . . . . . Managing the audit journal and journal receivers . . . . . . . . . . . . . . Saving and deleting audit journal receivers System-managed journal receivers . . . User-managed journal receivers . . . . Stopping the audit function . . . . . . . Analyzing audit journal entries . . . . . . Viewing audit journal entries . . . . . . Analyzing audit journal entries with query or a program . . . . . . . . . . . . Relationship of object Change Date/Time to audit records . . . . . . . . . . . . . . . Other techniques for monitoring security . . . . Monitoring security messages . . . . . . . Using the history log . . . . . . . . . . Using journals to monitor object activity . . . Analyzing user profiles . . . . . . . . . Printing selected user profiles . . . . . . Examining large user profiles . . . . . . Analyzing object and library authorities . . . Analyzing programs that adopt authority . . . Checking for objects that have been altered . . Checking the operating system . . . . . . Auditing the security officers actions . . . . 
257 258 258 258 259 260 261 262 262 262 262 263 263 264 269 286 288 288 288 289 290 290 292 293 294 294 294 295 295 296 298 299 299 299 300 301 302 302 303 303 304 304 305

Chapter 8. Backup and recovery of security information . . . . . . . . 245


How security information is stored . . . . . Saving security information . . . . . . . Recovering security information . . . . . . Restoring user profiles . . . . . . . . Restoring objects . . . . . . . . . . Restoring authority . . . . . . . . . Restoring programs . . . . . . . . . Restoring licensed programs . . . . . . Restoring authorization lists . . . . . . Recovering the authorization list . . . . Recovering the association of objects to the authorization list . . . . . . . . . Restoring the operating system . . . . . *SAVSYS special authority . . . . . . . . Auditing save and restore operations . . . . . . . . . . . . . . . . . . 246 247 248 248 249 252 252 253 254 254 255 255 256 256

Appendix A. Security commands . . . 309


Authority holders commands . . . . Authority lists commands . . . . . Object authority and auditing commands Passwords commands . . . . . . User profiles commands . . . . . . Related user profile commands . . . Auditing commands . . . . . . . Document library objects commands . Server authentication entries commands System distribution directory commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 309 309 310 311 311 312 313 313 314 314

viii

IBM i: Security Security reference

Validation lists commands . . . . . Function usage information commands . Auditing security tools commands . . Authority security tools commands . . System security tools commands . . .

. . . . .

. . . . .

. . . . .

. . . . .

314 315 315 315 316

Appendix B. IBM-supplied user profiles . . . . . . . . . . . . . . 317


Default values for user profiles IBM-supplied user profiles . . . . . . . . . . . . . . . 317 . 319

Appendix C. Commands shipped with public authority *EXCLUDE . . . . . 325 Appendix D. Authority required for objects used by commands . . . . . 337
Command usage assumptions . . . . . . . . General rules for object authorities on commands Common commands for most objects . . . . . Access path recovery commands . . . . . . . Advanced Function Presentation (AFP) commands AF_INET sockets over SNA commands. . . . . Alerts commands . . . . . . . . . . . . Application development commands . . . . . Authority holder commands . . . . . . . . Authorization list commands . . . . . . . . Binding directory commands . . . . . . . . Change request description commands . . . . . Chart commands . . . . . . . . . . . . Class commands . . . . . . . . . . . . Class-of-service commands . . . . . . . . . Cluster commands . . . . . . . . . . . Command (*CMD) commands. . . . . . . . Commitment control commands . . . . . . . Communications side information commands . . Configuration commands . . . . . . . . . Configuration list commands . . . . . . . . Connection list commands . . . . . . . . . Controller description commands. . . . . . . Cryptography commands . . . . . . . . . Data area commands . . . . . . . . . . . Data queue commands . . . . . . . . . . Device description commands . . . . . . . . Device emulation commands . . . . . . . . Directory and directory shadowing commands . . Directory server commands . . . . . . . . Disk commands . . . . . . . . . . . . Display station pass-through commands . . . . Distribution commands . . . . . . . . . . Distribution list commands . . . . . . . . . Document library object commands . . . . . . Domain Name System commands . . . . . . Double-byte character set commands . . . . . Edit description commands. . . . . . . . . Environment variable commands . . . . . . . Extended wireless LAN configuration commands File commands . . . . . . . . . . . . . Filter commands . . . . . . . . . . . . Finance commands . . . . . . . . . . . i5/OS graphical operations commands . . . . . 
339 339 341 348 349 350 350 351 352 352 353 353 354 354 354 355 359 360 360 361 362 362 363 364 365 366 366 368 369 369 370 370 371 372 372 376 378 378 378 379 379 386 387 387

Graphics symbol set commands . . . . . . Host server commands . . . . . . . . . Image catalog commands . . . . . . . . Integrated file system commands . . . . . . Interactive data definition commands . . . . Internetwork Packet Exchange (IPX) commands Information search index commands . . . . IPL attribute commands . . . . . . . . . Java commands . . . . . . . . . . . Job commands . . . . . . . . . . . . Job description commands . . . . . . . . Job queue commands. . . . . . . . . . Job schedule commands . . . . . . . . . Journal commands . . . . . . . . . . Journal receiver commands . . . . . . . . Kerberos commands . . . . . . . . . . Language commands . . . . . . . . . . Library commands . . . . . . . . . . License key commands . . . . . . . . . Licensed program commands . . . . . . . Line description commands . . . . . . . Local Area Network (LAN) commands . . . . Locale commands . . . . . . . . . . . Mail server framework commands . . . . . Media commands . . . . . . . . . . . Menu and panel group commands . . . . . Message commands . . . . . . . . . . Message description commands . . . . . . Message file commands . . . . . . . . . Message queue commands . . . . . . . . Migration commands . . . . . . . . . . Mode description commands . . . . . . . Module commands . . . . . . . . . . NetBIOS description commands . . . . . . Network commands . . . . . . . . . . Network file system commands . . . . . . Network interface description commands . . . Network server commands . . . . . . . . Network server configuration commands . . . Network server description commands . . . . Node list commands . . . . . . . . . . Office services commands . . . . . . . . Online education commands . . . . . . . Operational assistant commands . . . . . . Optical commands . . . . . . . . . . Output queue commands . . . . . . . . Package commands . . . . . . . . . . Performance commands . . . . . . . . . Print descriptor group commands . . . . . 
Print Services Facility configuration commands . Problem commands . . . . . . . . . . Program commands . . . . . . . . . . QSH shell interpreter commands . . . . . . Query commands . . . . . . . . . . . Question and answer commands . . . . . . Reader commands. . . . . . . . . . . Registration facility commands . . . . . . Relational database commands . . . . . . Resource commands . . . . . . . . . . Remote Job Entry (RJE) commands . . . . . Security attributes commands . . . . . . .
Contents

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

388 388 388 390 408 408 409 409 409 410 413 414 415 415 419 420 422 428 432 433 433 435 435 436 436 437 438 439 439 439 440 440 441 441 442 443 444 444 446 446 447 447 448 448 449 452 453 453 459 459 460 461 464 464 466 467 467 467 468 468 472

ix

Server authentication entry commands . . . . . Service commands. . . . . . . . . . . . Spelling aid dictionary commands . . . . . . Sphere of control commands . . . . . . . . Spooled file commands . . . . . . . . . . Subsystem description commands . . . . . . System commands. . . . . . . . . . . . System reply list commands . . . . . . . . System value commands . . . . . . . . . System/36 environment commands . . . . . . Table commands . . . . . . . . . . . . TCP/IP commands . . . . . . . . . . . Time zone description commands . . . . . . User index, user queue, and user space commands User-defined file system commands . . . . . . User profile commands . . . . . . . . . . Validation list commands . . . . . . . . . Workstation customization commands . . . . . Writer commands . . . . . . . . . . . .

473 473 478 478 479 481 483 483 484 484 487 487 488 489 489 490 493 494 494

Appendix E. Object operations and auditing . . . . . . . . . . . . . . 497


Operations common to all object types . . . 497
Operations for Access Path Recovery Times . . . 500
Operations for Alert Table (*ALRTBL) . . . 501
Operations for Authorization List (*AUTL) . . . 501
Operations for Authority Holder (*AUTHLR) . . . 502
Operations for Binding Directory (*BNDDIR) . . . 502
Operations for Configuration List (*CFGL) . . . 503
Operations for Special Files (*CHRSF) . . . 503
Operations for Chart Format (*CHTFMT) . . . 503
Operations for C Locale Description (*CLD) . . . 504
Operations for Change Request Description (*CRQD) . . . 504
Operations for Class (*CLS) . . . 505
Operations for Command (*CMD) . . . 505
Operations for Connection List (*CNNL) . . . 506
Operations for Class-of-Service Description (*COSD) . . . 507
Operations for Communications Side Information (*CSI) . . . 507
Operations for Cross System Product Map (*CSPMAP) . . . 507
Operations for Cross System Product Table (*CSPTBL) . . . 508
Operations for Controller Description (*CTLD) . . . 508
Operations for Device Description (*DEVD) . . . 509
Operations for Directory (*DIR) . . . 510
Operations for Directory Server . . . 512
Operations for Document Library Object (*DOC or *FLR) . . . 514
Operations for Data Area (*DTAARA) . . . 517
Operations for Interactive Data Definition Utility (*DTADCT) . . . 518
Operations for Data Queue (*DTAQ) . . . 518
Operations for Edit Description (*EDTD) . . . 519
Operations for Exit Registration (*EXITRG) . . . 519
Operations for Forms Control Table (*FCT) . . . 520
Operations for File (*FILE) . . . 520
Operations for First-in First-out Files (*FIFO) . . . 523
Operations for Folder (*FLR) . . . 523
Operations for Font Resource (*FNTRSC) . . . 524
Operations for Form Definition (*FORMDF) . . . 524
Operations for Filter Object (*FTR) . . . 524
Operations for Graphics Symbols Set (*GSS) . . . 525
Operations for Double-byte Character Set Dictionary (*IGCDCT) . . . 525
Operations for Double-byte Character Set Sort (*IGCSRT) . . . 526
Operations for Double-byte Character Set Table (*IGCTBL) . . . 526
Operations for Job Description (*JOBD) . . . 526
Operations for Job Queue (*JOBQ) . . . 527
Operations for Job Scheduler Object (*JOBSCD) . . . 528
Operations for Journal (*JRN) . . . 528
Operations for Journal Receiver (*JRNRCV) . . . 530
Operations for Library (*LIB) . . . 530
Operations for Line Description (*LIND) . . . 531
Operations for Mail Services . . . 532
Operations for Menu (*MENU) . . . 533
Operations for Mode Description (*MODD) . . . 533
Operations for Module Object (*MODULE) . . . 533
Operations for Message File (*MSGF) . . . 534
Operations for Message Queue (*MSGQ) . . . 535
Operations for Node Group (*NODGRP) . . . 536
Operations for Node List (*NODL) . . . 536
Operations for NetBIOS Description (*NTBD) . . . 536
Operations for Network Interface (*NWID) . . . 537
Operations for Network Server Description (*NWSD) . . . 538
Operations for Output Queue (*OUTQ) . . . 538
Operations for Overlay (*OVL) . . . 539
Operations for Page Definition (*PAGDFN) . . . 540
Operations for Page Segment (*PAGSEG) . . . 540
Operations for Print Descriptor Group (*PDG) . . . 540
Operations for Program (*PGM) . . . 540
Operations for Panel Group (*PNLGRP) . . . 542
Operations for Product Availability (*PRDAVL) . . . 542
Operations for Product Definition (*PRDDFN) . . . 543
Operations for Product Load (*PRDLOD) . . . 543
Operations for Query Manager Form (*QMFORM) . . . 543
Operations for Query Manager Query (*QMQRY) . . . 544
Operations for Query Definition (*QRYDFN) . . . 544
Operations for Reference Code Translate Table (*RCT) . . . 545
Operations for Reply List . . . 545
Operations for Subsystem Description (*SBSD) . . . 546
Operations for Information Search Index (*SCHIDX) . . . 547
Operations for Local Socket (*SOCKET) . . . 548
Operations for Spelling Aid Dictionary (*SPADCT) . . . 550
Operations for Spooled Files . . . 550
Operations for SQL Package (*SQLPKG) . . . 552
Operations for Service Program (*SRVPGM) . . . 552
Operations for Session Description (*SSND) . . . 553
Operations for Server Storage Space (*SVRSTG) . . . 553
Operations for Stream File (*STMF) . . . 553
Operations for Symbolic Link (*SYMLNK) . . . 555
Operations for S/36 Machine Description (*S36) . . . 556
Operations for Table (*TBL) . . . 557
Operations for User Index (*USRIDX) . . . 557
Operations for User Profile (*USRPRF) . . . 558
Operations for User Queue (*USRQ) . . . 559
Operations for User Space (*USRSPC) . . . 559
Operations for Validation List (*VLDL) . . . 560
Operations for Workstation Customizing Object (*WSCST) . . . 560

Appendix F. Layout of audit journal entries . . . . . . . . . . . . . . 561


Standard heading fields for audit journal entries QJORDJE5 Record Format (*TYPE5) . . . 562
Standard heading fields for audit journal entries QJORDJE4 Record Format (*TYPE4) . . . 563
Standard heading fields for audit journal entries QJORDJE2 Record Format (*TYPE2) . . . 565
Audit Journal (QAUDJRN) entry types . . . 566
AD (Auditing Change) journal entries . . . 568
AF (Authority Failure) journal entries . . . 571
AP (Adopted Authority) journal entries . . . 577
AU (Attribute Changes) journal entries . . . 577
CA (Authority Changes) journal entries . . . 578
CD (Command String) journal entries . . . 581
CO (Create Object) journal entries . . . 582
CP (User Profile Changes) journal entries . . . 584
CQ (*CRQD Changes) journal entries . . . 587
CU (Cluster Operations) journal entries . . . 587
CV (Connection Verification) journal entries . . . 589
CY (Cryptographic Configuration) journal entries . . . 591
DI (Directory Server) journal entries . . . 594
DO (Delete Operation) journal entries . . . 599
DS (IBM-Supplied Service Tools User ID Reset) journal entries . . . 601
EV (Environment Variable) journal entries . . . 602
GR (Generic Record) journal entries . . . 603
GS (Give Descriptor) journal entries . . . 608
IM (Intrusion Monitor) journal entries . . . 609
IP (Interprocess Communication) journal entries . . . 612
IR (IP Rules Actions) journal entries . . . 613
IS (Internet Security Management) journal entries . . . 615
JD (Job Description Change) journal entries . . . 617
JS (Job Change) journal entries . . . 618
KF (Key Ring File) journal entries . . . 623
LD (Link, Unlink, Search Directory) journal entries . . . 626
ML (Mail Actions) journal entries . . . 628
NA (Attribute Change) journal entries . . . 628
ND (APPN Directory Search Filter) journal entries . . . 629
NE (APPN End Point Filter) journal entries . . . 630
OM (Object Management Change) journal entries . . . 630
OR (Object Restore) journal entries . . . 634
OW (Ownership Change) journal entries . . . 638
O1 (Optical Access) journal entries . . . 640
O2 (Optical Access) journal entries . . . 641
O3 (Optical Access) journal entries . . . 642
PA (Program Adopt) journal entries . . . 643
PG (Primary Group Change) journal entries . . . 645
PO (Printer Output) journal entries . . . 648
PS (Profile Swap) journal entries . . . 649
PW (Password) journal entries . . . 651
RA (Authority Change for Restored Object) journal entries . . . 652
RJ (Restoring Job Description) journal entries . . . 654
RO (Ownership Change for Restored Object) journal entries . . . 655
RP (Restoring Programs that Adopt Authority) journal entries . . . 657
RQ (Restoring Change Request Descriptor Object) journal entries . . . 659
RU (Restore Authority for User Profile) journal entries . . . 659
RZ (Primary Group Change for Restored Object) journal entries . . . 660
SD (Change System Distribution Directory) journal entries . . . 662
SE (Change of Subsystem Routing Entry) journal entries . . . 663
SF (Action to Spooled File) journal entries . . . 664
SG (Asynchronous Signals) journal entries . . . 668
SK (Secure Sockets Connections) journal entries . . . 669
SM (Systems Management Change) journal entries . . . 671
SO (Server Security User Information Actions) journal entries . . . 672
ST (Service Tools Action) journal entries . . . 673
SV (Action to System Value) journal entries . . . 678
VA (Change of Access Control List) journal entries . . . 679
VC (Connection Start and End) journal entries . . . 679
VF (Close of Server Files) journal entries . . . 680
VL (Account Limit Exceeded) journal entries . . . 681
VN (Network Log On and Off) journal entries . . . 682
VO (Validation List) journal entries . . . 683
VP (Network Password Error) journal entries . . . 684
VR (Network Resource Access) journal entries . . . 685
VS (Server Session) journal entries . . . 686
VU (Network Profile Change) journal entries . . . 687
VV (Service Status Change) journal entries . . . 688
X0 (Network Authentication) journal entries . . . 689
X1 (Identity Token) journal entries . . . 693
XD (Directory Server Extension) journal entries . . . 695
YC (Change to DLO Object) journal entries . . . 696
YR (Read of DLO Object) journal entries . . . 697
ZC (Change to Object) journal entries . . . 698
ZR (Read of Object) journal entries . . . 701
Numeric codes for access types . . . 704

Appendix G. Commands and menus for security commands . . . . . . . 705


Options on the Security Tools menu . . . 705
How to use the Security Batch menu . . . 707
Options on the security batch menu . . . 709
Commands for customizing security . . . 713
Values that are set by the Configure System Security command . . . 714
Changing the program . . . 716
What the Revoke Public Authority command does . . . 716
Changing the program . . . 717

Appendix H. Related information for i5/OS security reference . . . 719

Appendix I. Notices . . . 723
Programming Interface Information . . . 725
Trademarks . . . 725
Terms and conditions . . . 725

Index . . . 727

What's new for IBM i 7.1


Read about new or significantly changed information for the Security reference topic collection.

User profile expiration date parameter

The User expiration date field allows a security administrator to indicate that the user profile will expire on a specific date. If User expiration interval is used, this date is calculated by the system.

How to see what's new or changed


To help you see where technical changes have been made, the information center uses:
v The image to mark where new or changed information begins.
v The image to mark where new or changed information ends.
In PDF files, you might see revision bars (| or +) in the left margin of new and changed information.


Chapter 1. Introduction to System i security


The IBM Systems family covers a wide range of users. Security on the System i platform is flexible enough to meet the requirements of this wide range of users and situations. A small system might have three to five users, and a large system might have several thousand users. Some installations have all their workstations in a single, relatively secure, area. Others have widely distributed users, including users who connect by dialing in and indirect users connected through personal computers or system networks. You need to understand the features and options available so that you can adapt them to your own security requirements.

System security has three important objectives:

Confidentiality:
v Protecting against disclosing information to unauthorized people
v Restricting access to confidential information
v Protecting against curious system users and outsiders

Integrity:
v Protecting against unauthorized changes to data
v Restricting manipulation of data to authorized programs
v Providing assurance that data is trustworthy

Availability:
v Preventing accidental changes or destruction of data
v Protecting against attempts by outsiders to abuse or destroy system resources

System security is often associated with external threats, such as hackers or business rivals. However, protection against system accidents by authorized system users is often the greatest benefit of a well-designed security system. In a system without good security features, pressing the wrong key might result in deleting important information. System security can prevent this type of accident.

The best security system functions cannot produce good results without good planning. Security that is set up in small pieces, without planning, can be confusing. It is difficult to maintain and to audit. Planning does not imply designing the security for every file, program, and device in advance. It does imply establishing an overall approach to security on the system and communicating that approach to application designers, programmers, and system users.

As you plan security on your system and decide how much security you need, consider these questions:
v Is there a company policy or standard that requires a certain level of security?
v Do the company auditors require some level of security?
v How important is your system and the data on it to your business?
v How important is the error protection provided by the security features?
v What are your company security requirements for the future?

To facilitate installation, many of the security capabilities on your system are not activated when your system is shipped. Recommendations are provided in this topic collection to bring your system to a reasonable level of security. Consider the security requirements of your own installation as you evaluate the recommendations.

Physical security
Physical security includes protecting the system unit, system devices, and backup media from accidental or deliberate damage. Most measures you take to ensure the physical security of your system are external to the system. However, the system is equipped with a keylock that prevents unauthorized functions at the system unit.

Note: You must order the keylock feature on some models.

Related information
Planning physical security

Keylock security
You can retrieve and change the keylock position by using the Retrieve IPL Attributes (QWCRIPLA) API or the Change IPL Attributes (CHGIPLA) command.

The keylock on the 940x control panel controls access to various system control panel functions. The keylock feature allows a remote user access to additional functions available at the control panel. For example, it controls where the machine will IPL from and into which environment, either i5/OS or Dedicated Service Tools (DST). The i5/OS system value QRMTSRVATR controls this remote access. It is shipped set to off, which does not allow the keylock position to be overridden remotely. The system value can be changed to allow remote access, but changing it requires *SECADM and *ALLOBJ special authorities.

Related reference
Remote Service Attribute (QRMTSRVATR) on page 39
The Remote Service Attribute (QRMTSRVATR) controls the remote system service problem analysis ability. The value allows the system to be analyzed remotely.

Security level
The System i platform offers five levels of security. You can choose which level of security you want the system to enforce by setting the security level (QSECURITY) system value.

Level 10: Level 10 is no longer supported.
Level 20: The system requires a user ID and password for sign-on. All users are given access to all objects.
Level 30: The system requires a user ID and password for sign-on. The security of resources is enforced.
Level 40: The system requires a user ID and password for sign-on. The security of resources is enforced. Additional integrity protection features are also enforced.
Level 50: The system requires a user ID and password for sign-on. The security of resources is enforced. Level 40 integrity protection and enhanced integrity protection are enforced. Security level 50 is intended for System i platforms with high security requirements, and it is designed to meet Common Criteria (CC) security requirements.


Related reference
Chapter 2, Using System Security (QSecurity) system value, on page 9
You can choose how much security you want the system to enforce by setting the security level (QSECURITY) system value.

System values
System values provide customization on many characteristics of your System i platform. You can use system values to define system-wide security settings. For example, you can specify the following settings:
v How many sign-on attempts you allow at a device.
v Whether the system automatically signs off an inactive workstation.
v How often passwords need to be changed.
v The length and composition of passwords.

Related concepts
Chapter 3, Security system values, on page 23
System values allow you to customize many characteristics of your system. A group of system values are used to define system-wide security settings.

Signing
You can reinforce integrity by signing software objects that you use.

A key component of security is integrity: being able to trust that objects on the system have not been tampered with or altered. Your System i operating system software is protected by digital signatures. Signing your software object is particularly important if the object has been transmitted across the Internet or stored on media which you feel might have been modified. The digital signature can be used to detect if the object has been altered.

Digital signatures, and their use for verification of software integrity, can be managed according to your security policies using the Verify Object Restore (QVFYOBJRST) system value, the Check Object Integrity (CHKOBJITG) command, and the Digital Certificate Manager tool. Additionally, you can choose to sign your own programs (all licensed programs shipped with the system are signed). You can restrict adding digital signatures to a digital certificate store using the Add Verifier API and restrict resetting passwords on the digital certificate store. System Service Tools (SST) provides a new menu option, entitled "Work with system security", where you can restrict adding digital certificates.

Related information
Using digital signatures to protect software integrity
Digital Certificate Manager

Single sign-on enablement


Single sign-on is an authentication process in which a user can access more than one system by entering a single user ID and password. In today's heterogeneous networks with partitioned systems and multiple platforms, administrators must cope with the complexities of managing identification and authentication for network users.

To enable a single sign-on environment, IBM provides two technologies that work together to enable users to sign in with their Windows user name and password and be authenticated to System i platforms in the network. Network Authentication Service (NAS) and Enterprise Identity Mapping (EIM) are the two technologies that an administrator must configure to enable a single sign-on environment. Windows 2000, Windows XP, AIX, and z/OS use the Kerberos protocol to authenticate users to the network. A secure, centralized system, called a key distribution center, authenticates principals (Kerberos users) to the network.

While Network Authentication Service (NAS) allows a System i platform to participate in the Kerberos realm, EIM provides a mechanism for associating these Kerberos principals with a single EIM identifier that represents that user within the entire enterprise. Other user identities, such as an i5/OS user name, can also be associated with this EIM identifier. When a user signs on to the network and accesses a System i platform, that user is not prompted for a user ID and password. If the Kerberos authentication is successful, applications can look up the association to the EIM identifier to find the i5/OS user name. The user no longer needs a password to sign on to the System i platform because the user is already authenticated through the Kerberos protocol. Administrators can centrally manage user identities with EIM while network users need only manage one password. You can enable single sign-on by configuring Network Authentication Service (NAS) and Enterprise Identity Mapping (EIM) on your system.

Related information
Scenario: Creating a single signon test environment

User profiles
On the i5/OS operating system, every system user has a user profile. At security level 10, the system automatically creates a profile when a user first signs on. At higher security levels, you must create a user profile before a user can sign on.

The user profile is a powerful and flexible tool. It controls what the user can do and customizes the way the system appears to the user. The following list describes some of the important security features of the user profile:

Special authority
    Special authorities determine whether the user is allowed to perform system functions, such as creating user profiles or changing the jobs of other users.
Initial menu and initial program
    The initial menu and program determine what the user sees after signing on the system. You can limit a user to a specific set of tasks by restricting the user to an initial menu.
Limit capabilities
    The limit capabilities field in the user profile determines whether the user can enter commands and change the initial menu or initial program when signing on.

Related concepts
Chapter 4, User profiles, on page 73
User profiles are a powerful and flexible tool. Designing them well can help you protect your system and customize it for your users.

Group profiles
A group profile is a special type of user profile. Rather than giving authority to each user individually, you can use a group profile to define authority for a group of users. A group profile can own objects on the system. You can also use a group profile as a pattern when creating individual user profiles by using the copy profile function.


Related concepts
Planning group profiles on page 239
A group profile is a useful tool when several users have similar security requirements. You can directly create group profiles or you can make an existing profile into a group profile. When you use group profiles, you can manage authority more efficiently and reduce the number of individual private authorities for objects.
Group ownership of objects on page 143
This topic provides detailed information about the group ownership of objects.
Primary group for an object on page 144
You can specify a primary group for an object.
Copying user profiles on page 119
You can create a user profile by copying another user profile or a group profile.

Resource security
The ability to access an object is called authority. Resource security on the i5/OS operating system enables you to control object authorities by defining who can use which objects and how those objects can be used.

You can specify detailed authorities, such as adding records or changing records. Or you can use the system-defined subsets of authorities: *ALL, *CHANGE, *USE, and *EXCLUDE. Files, programs, and libraries are the most common objects requiring security protection, but you can specify authority for any object on the system. The following list describes the features of resource security:

Group profiles
    A group of similar users can share the same authority to use objects.
Authorization lists
    Objects with similar security needs can be grouped in one list. Authority can be granted to the list rather than to the individual objects.
Object ownership
    Every object on the system has an owner. Objects can be owned by an individual user profile or by a group profile. Correct assignment of object ownership helps you manage applications and delegate responsibility for the security of your information.
Primary group
    You can specify a primary group for an object. The primary group's authority is stored with the object. Using primary groups may simplify your authority management and improve authority checking performance.
Library authority
    You can put files and programs that have similar protection requirements into a library and restrict access to that library. This is often easier than restricting access to each individual object.
Directory authority
    You can use directory authority in the same way that you use library authority. You can group objects in a directory and secure the directory rather than the individual objects.
Object authority
    In cases where restricting access to a library or directory is not specific enough, you can restrict authority to access individual objects.
Public authority
    For each object, you can define what kind of access is available for any system user who does not have any other authority to the object. Public authority is an effective means for securing information and provides good performance.
Adopted authority
    Adopted authority adds the authority of a program owner to the authority of the user running the program. Adopted authority is a useful tool when a user needs different authority for an object, depending on the situation.
Authority holder
    An authority holder stores the authority information for a program-described database file. The authority information remains, even when the file is deleted. Authority holders are commonly used when converting from the System/36, because System/36 applications often delete files and create them again.
Field level authority
    Field level authorities are given to individual fields in a database file. You can use SQL statements to manage this authority.

Related concepts
Chapter 5, Resource security, on page 131
This section describes each of the components of resource security and how they work together to protect information about your system. It also explains how to use CL commands and displays to set up resource security on your system.

Security audit journal


You can use security audit journals to audit the effectiveness of security on your system.

The i5/OS operating system provides the ability to log selected security-related events in a security audit journal. Several system values, user profile values, and object values control which events are logged.

Related concepts
Chapter 9, Auditing security on System i, on page 257
This section describes techniques for auditing the effectiveness of security on your system.

Common Criteria security


Common Criteria is a framework for independent assessment, analysis, and testing of products against a set of security requirements.

On August 10, 2005, IBM received Common Criteria certification of i5/OS V5R3M0 at Evaluated Assurance Level (EAL) 4 augmented with ALC_FLR.2 of the Controlled Access Protection Profile (CAPP), Version 1.d, 8 October 1999. To order the evaluated system, order Common Criteria FC 1930 under 5722-SS1. Only customers who must run within a Common Criteria configuration should order this feature number. The product is posted on the Validated Products List page at the Common Criteria Evaluation and Validation Scheme Web site (http://www.niap-ccevs.org/cc-scheme/).

Independent disk pool


Independent disk pools provide the ability to group together storage that can be taken offline or brought online independent of system data or other unrelated data. The terms independent auxiliary storage pool (iASP) and independent disk pool are synonymous. An independent disk pool can be either switchable among multiple systems in a clustering environment or privately connected to a single system.

As of V5R2, functional changes to independent disk pools have security implications on your system. For example, when you perform a CRTUSRPRF, you cannot create a user profile (*USRPRF) into an independent disk pool. However, when a user is privately authorized to an object in the independent disk pool, is the owner of an object on an independent disk pool, or is the primary group of an object on an independent disk pool, the name of the profile is stored on the independent disk pool. If the independent disk pool is moved to another system, the private authority, object ownership, and primary group entries will be attached to the profile with the same name on the target system. If a profile does not exist on the target system, a profile will be created. The user will not have any special authorities and the password will be set to *NONE.

Independent disk pools support many library-based objects and user-defined file systems. However, several objects are not allowed on independent disk pools. In IBM i V5R1, you can use independent disk pools only with user-defined file systems.

Related information
Supported and unsupported object types


Chapter 2. Using System Security (QSecurity) system value


You can choose how much security you want the system to enforce by setting the security level (QSECURITY) system value.

Overview
Purpose: Specify the level of security to be enforced on the system.
How To: WRKSYSVAL *SEC (Work with System Values command) or Menu SETUP, option 1 (Change System Options)
Authority: *ALLOBJ and *SECADM
Journal Entry: SV
Note: Before changing on a production system, read the appropriate section on migrating from one level to another.

Levels of security
The system offers five levels of security:

10  No system-enforced security
    Note: You cannot set the system value QSECURITY to security level 10.
20  Sign-on security
30  Sign-on and resource security
40  Sign-on and resource security; integrity protection
50  Sign-on and resource security; enhanced integrity protection

Your system is shipped at level 40, which provides sign-on and resource security and provides integrity protection. For more information, see Security level 40 on page 14. If you want to change the security level, use the Work with System Values (WRKSYSVAL) command. The minimum security level you should use is 30. However, level 40 or higher is recommended. The change takes effect the next time you perform an initial program load (IPL). Table 1 compares the levels of security on the system:
Table 1. Security levels: function comparison

Function                                         Level 20   Level 30   Level 40   Level 50
User name required to sign on.                   Yes        Yes        Yes        Yes
Password required to sign on.                    Yes        Yes        Yes        Yes
Password security active.                        Yes        Yes        Yes        Yes
Menu and initial program security active.        Yes (1)    Yes (1)    Yes (1)    Yes (1)
Limit capabilities support active.               Yes        Yes        Yes        Yes
Resource security active.                        No         Yes        Yes        Yes


Table 1. Security levels: function comparison (continued)

Function                                                                  Level 20   Level 30   Level 40   Level 50
Access to all objects.                                                    Yes        No         No         No
User profile created automatically.                                       No         No         No         No
Security auditing capabilities available.                                 Yes        Yes        Yes        Yes
Programs that contain restricted instructions cannot be created
  or recompiled.                                                          Yes        Yes        Yes        Yes
Programs that use unsupported interfaces fail at run time.                No         No         Yes        Yes
Enhanced hardware storage protection is enforced for all storage.         No         No         Yes        Yes
Library QTEMP is a temporary object.                                      No         No         No         No
*USRSPC, *USRIDX, and *USRQ objects can be created only in
  libraries specified in the QALWUSRDMN system value.                     Yes        Yes        Yes        Yes
Pointers used in parameters are validated for user domain programs
  running in system state.                                                No         No         Yes        Yes
Message handling rules are enforced between system and user state
  programs.                                                               No         No         No         Yes
A program's associated space cannot be directly modified.                 No         No         Yes        Yes
Internal control blocks are protected.                                    No         No         Yes        Yes (2)

(1) When LMTCPB(*YES) is specified in the user profile.
(2) At level 50, more protection of internal control blocks is enforced than at level 40. See Preventing modification of internal control blocks on page 20.

Default special authorities


The system security level determines what the default special authorities are for each user class. When you create a user profile, you can select special authorities based on the user class. Special authorities are also added and removed from user profiles when you change security levels.

These special authorities can be specified for a user:

*ALLOBJ
    All-object special authority gives a user authority to perform all operations on objects.
*AUDIT
    Audit special authority allows a user to define the auditing characteristics of the system, objects, and system users.
*IOSYSCFG
    System configuration special authority allows a user to configure input and output devices on the system.
*JOBCTL
    Job control special authority allows a user to control batch jobs and printing on the system.
*SAVSYS
    Save system special authority allows a user to save and restore objects.
*SECADM
    Security administrator special authority allows a user to work with user profiles on the system.
*SERVICE
    Service special authority allows a user to perform software service functions on the system.


*SPLCTL
    Spool control special authority allows unrestricted control of batch jobs and output queues on the system.

You can also restrict users with *SECADM and *ALLOBJ authorities from changing this security-related system value with the CHGSYSVAL command. You can specify this restriction in the System Service Tools (SST) with the "Work with system security" option.

Note: This restriction applies to several other system values. For details on how to restrict changes to security system values and a complete list of the affected system values, see Security system values.

Table 2 shows the default special authorities for each user class. The entries indicate that the authority is given at security levels 10 and 20 only, at all security levels, or not at all.
Table 2. Default special authorities for user classes by security level

                    User classes
Special authority   *SECOFR   *SECADM    *PGMR      *SYSOPR    *USER
*ALLOBJ             All       10 or 20   10 or 20   10 or 20   10 or 20
*AUDIT              All
*IOSYSCFG           All
*JOBCTL             All       10 or 20   10 or 20   All
*SAVSYS             All       10 or 20   10 or 20   All        10 or 20
*SECADM             All       All
*SERVICE            All
*SPLCTL             All

Note: The topics User class on page 79 and Special authority on page 84 provide more information about user classes and special authorities.
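The following is an added example, not IBM-supplied code and not part of the original reference. It transcribes Table 2 into a small Python model and uses it to report which special authorities a profile created with SPCAUT(*USRCLS) would lose or gain when QSECURITY moves from one level to another. The profile names are hypothetical, and the report is derived from Table 2 alone; it is not a transcription of the exact processing the system performs when the security level changes.

```python
"""Model of Table 2 (default special authorities by user class and security
level) with a migration report.  Added example; not IBM code.  The report is
derived from Table 2 only, not from the system's own QSECURITY processing."""

ALL_LEVELS = "All"        # granted at every security level
LOW_ONLY = "10 or 20"     # granted only at security level 10 or 20

# Table 2 transcribed: special authority -> {user class: when it is granted}.
# A user class absent from a row never receives that special authority.
TABLE_2 = {
    "*ALLOBJ":   {"*SECOFR": ALL_LEVELS, "*SECADM": LOW_ONLY, "*PGMR": LOW_ONLY,
                  "*SYSOPR": LOW_ONLY, "*USER": LOW_ONLY},
    "*AUDIT":    {"*SECOFR": ALL_LEVELS},
    "*IOSYSCFG": {"*SECOFR": ALL_LEVELS},
    "*JOBCTL":   {"*SECOFR": ALL_LEVELS, "*SECADM": LOW_ONLY, "*PGMR": LOW_ONLY,
                  "*SYSOPR": ALL_LEVELS},
    "*SAVSYS":   {"*SECOFR": ALL_LEVELS, "*SECADM": LOW_ONLY, "*PGMR": LOW_ONLY,
                  "*SYSOPR": ALL_LEVELS, "*USER": LOW_ONLY},
    "*SECADM":   {"*SECOFR": ALL_LEVELS, "*SECADM": ALL_LEVELS},
    "*SERVICE":  {"*SECOFR": ALL_LEVELS},
    "*SPLCTL":   {"*SECOFR": ALL_LEVELS},
}

USER_CLASSES = ("*SECOFR", "*SECADM", "*PGMR", "*SYSOPR", "*USER")
SECURITY_LEVELS = (10, 20, 30, 40, 50)


def default_special_authorities(user_class, security_level):
    """Return the Table 2 defaults for a user class at a level, sorted."""
    if user_class not in USER_CLASSES:
        raise ValueError("unknown user class: %s" % user_class)
    if security_level not in SECURITY_LEVELS:
        raise ValueError("unknown security level: %s" % security_level)
    granted = []
    for special_authority, classes in TABLE_2.items():
        rule = classes.get(user_class)
        if rule == ALL_LEVELS or (rule == LOW_ONLY and security_level <= 20):
            granted.append(special_authority)
    return tuple(sorted(granted))


def special_authority_changes(user_class, from_level, to_level):
    """Defaults a *USRCLS profile loses and gains between two levels."""
    before = set(default_special_authorities(user_class, from_level))
    after = set(default_special_authorities(user_class, to_level))
    return {"removed": sorted(before - after), "added": sorted(after - before)}


def migration_report(profiles, from_level, to_level):
    """profiles: iterable of (profile name, user class) pairs.

    Returns one (name, removed, added) triple for each profile whose defaults
    differ between the two levels: the list an administrator reviews before
    the IPL that activates the new QSECURITY value."""
    report = []
    for name, user_class in profiles:
        delta = special_authority_changes(user_class, from_level, to_level)
        if delta["removed"] or delta["added"]:
            report.append((name, delta["removed"], delta["added"]))
    return report


# Constructed sample profiles (hypothetical names, not from any real system).
SAMPLE_PROFILES = [
    ("QSECOFR", "*SECOFR"),
    ("SECADM1", "*SECADM"),
    ("DEV01", "*PGMR"),
    ("OPER01", "*SYSOPR"),
    ("CLERK01", "*USER"),
]

if __name__ == "__main__":
    # Moving from level 20 to level 40: everything but *SECOFR loses *ALLOBJ.
    for name, removed, added in migration_report(SAMPLE_PROFILES, 20, 40):
        print("%-10s removed: %-28s added: %s"
              % (name, " ".join(removed) or "-", " ".join(added) or "-"))
```

Run as a script, the sample migration from level 20 to level 40 lists SECADM1, DEV01, OPER01 and CLERK01 with the special authorities they would lose, and QSECOFR with no change; a move from 40 to 50 produces an empty report, since Table 2 distinguishes only between levels 10 or 20 and the higher levels. Profiles created with explicit SPCAUT values, rather than *USRCLS, are outside what Table 2 describes, and the model does not cover them.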

Considerations
Security level 30 or higher is recommended because the system does not automatically give users access to all resources. At lower security levels, all users are given *ALLOBJ special authority.

At security level 30 (or below), users can call system interfaces that switch to the QSECOFR user profile or that give users access to resources they are not normally allowed to access. At security level 40, users are not allowed to directly call these interfaces. Therefore, security level 40 or higher is strongly recommended.

Security level 40 provides additional integrity protection without affecting system performance. Applications that do not run at security level 40 have a negative effect on performance at security level 30, because they cause the system to respond to domain violations.

Security level 50 is intended for systems with very high security requirements. If you run your system at security level 50, you might notice some performance effect because of the additional checking that the system performs.

Even if you want to give all users access to all information, consider running your system at security level 30. You can use the public authority capability to give users access to information. Using security level 30 from the beginning gives you the flexibility of securing a few critical resources when you need to without having to test all of your applications again.
Chapter 2. Using System Security (QSecurity) system value

Related concepts
Security level on page 2
  The System i platform offers five levels of security. You can choose which level of security you want the system to enforce by setting the security level (QSECURITY) system value.
Related tasks
Disabling security level 50 on page 21
  After changing to security level 50, you might find you need to move back to security level 30 or 40 temporarily. For example, you might need to test new applications for integrity errors; or you might discover integrity problems that did not appear at lower security levels.

Security level 10
At security level 10, you have no security protection. Therefore, security level 10 is not recommended. Beginning in Version 4 Release 3, you cannot set your security level to 10. If your system is currently at level 10, your system will remain at level 10 when you install Version 4 Release 3. If you change the system level to some other value, you cannot change it back to level 10.

When a new user signs on, the system creates a user profile with the profile name equal to the user ID specified on the sign-on display. If the same user signs on later with a different user ID, a new user profile is created. Appendix B, IBM-supplied user profiles, on page 317 shows the default values that are used when the system automatically creates a user profile.

The system performs authority checking at all levels of security. Because all user profiles created at security level 10 are given *ALLOBJ special authority, users successfully pass almost every authority check and have access to all resources. If you want to test the effect of moving to a higher security level, you can remove *ALLOBJ special authority from user profiles and grant those profiles the authority to use specific resources. However, this does not give you any security protection. Anyone can sign on with a new user ID, and a new profile is created with *ALLOBJ special authority. You cannot prevent this at security level 10.

Security level 20
Security level 20 provides more security functions than level 10. However, because at security level 20 all profiles are created with *ALLOBJ special authority by default, security level 20 is not recommended either. Security level 20 provides the following security functions:
- Both user ID and password are required to sign on.
- Only a security officer or someone with *SECADM special authority can create user profiles.
- The limit capabilities value specified in the user profile is enforced.

Changing to level 20 from level 10


When you change from level 10 to level 20, any user profiles that were automatically created at level 10 are preserved. The password for each user profile that was created at level 10 is the same as the user profile name. No changes are made to the special authorities in the user profiles.

Consider performing the following list of recommended activities if you plan to change from level 10 to level 20 after your system has been in production:
- List all the user profiles on the system using the Display Authorized User (DSPAUTUSR) command.
- Either create new user profiles with standardized names or copy the existing profiles and give them new, standardized names.
- Set the password to expired in each existing profile, forcing each user to assign a new password.

IBM i: Security Security reference

- Set password composition system values to prevent users from assigning trivial passwords.
- Review the default values in Default values for user profiles on page 317 in Appendix B, IBM-supplied user profiles, on page 317 for any changes you want to make to the profiles automatically created at security level 10.

Changing to level 20 from a higher level


When you change from a higher security level to level 20, special authorities are added to the user profiles. By doing this, the user has, at least, the default special authority for the user class.

When you change to level 20 from a higher security level, the system adds *ALLOBJ special authority to every user profile. This allows users to view, change, or delete any object on the system. Refer to Table 2 on page 11 to see how special authorities differ between level 20 and higher security levels.

Security level 30
Security level 30 provides more security functions than security level 20. Level 30 provides the following security functions, in addition to what is provided at level 20:
- Users must be specifically given authority to use resources on the system.
- Only user profiles created with the *SECOFR security class are given *ALLOBJ special authority automatically.

Changing to level 30 from a lower level


When you change to security level 30 from a lower security level, the system changes all user profiles to update special authorities the next time you perform an initial program load (IPL). Special authorities that the user was given at 10 or 20, but did not have at 30 or above, are removed. Special authorities that the user was given that are not associated with their user class are not changed. For example, *ALLOBJ special authority is removed from all user profiles except those with a user class of *SECOFR. See Table 2 on page 11 for a list of the default special authorities and the differences between level 10 or 20 and the higher security levels.

If your system has been running applications at a lower security level, you should set up and test resource security before changing to security level 30. Consider performing the following recommended activities:
- For each application, set the appropriate authorities for application objects.
- Test each application by using either actual user profiles or special test user profiles:
  - Remove *ALLOBJ special authority from the user profiles that are used for testing.
  - Grant appropriate application authorities to the user profiles.
  - Run the application using the user profiles.
  - Check for authority failures either by looking for error messages or by using the security audit journal.
- When all applications run successfully with the test profiles, grant appropriate authorities for application objects to the production user profiles that should have access to the application.
- If the QLMTSECOFR (limit security officer) system value is 1 (Yes), users with *ALLOBJ or *SERVICE special authority must be specifically authorized to devices at security level 30 or higher. You can give these users *CHANGE authority to selected devices, give QSECOFR *CHANGE authority to the devices, or change the QLMTSECOFR system value to 0.
- Change the security level on your system and perform an initial program load (IPL).


If you want to change to level 30 without defining individual object authorities, make the public authority for application objects high enough to run the application. Run application tests to make sure no authority failures occur.

Related reference
Defining how information can be accessed on page 132
  You can define what operations can be performed on objects, data, and fields.

Security level 40
Security level 40 prevents potential integrity or security risks from programs that can circumvent security in special cases. Security level 50 provides enhanced integrity protection for installations with strict security requirements. Table 3 compares how security functions are supported at levels 30, 40, and 50.
Table 3. Comparison of security levels 30, 40, and 50

1. A program attempts to access objects using interfaces that are not supported.
   Level 30: AF journal entry (1).
   Level 40: AF journal entry (1); operation fails.
   Level 50: AF journal entry (1); operation fails.
2. A program attempts to use a restricted instruction.
   Level 30: AF journal entry (1).
   Level 40: AF journal entry (1); operation fails.
   Level 50: AF journal entry (1); operation fails.
3. The user submitting a job does not have *USE authority to the user profile specified in the job description.
   Level 30: AF journal entry (1).
   Level 40: AF journal entry (1); job does not run.
   Level 50: AF journal entry (1); job does not run.
4. A user attempts default sign-on without a user ID and a password.
   Level 30: AF journal entry (1).
   Level 40: AF journal entry (1); sign-on is not successful.
   Level 50: AF journal entry (1); sign-on is not successful.
5. A *USER state program attempts to write to the system area of disk that is defined as read-only or no access.
   Level 30: Attempt may succeed.
   Level 40: AF journal entry (1); operation fails.
   Level 50: AF journal entry (1); operation fails.
6. An attempt is made to restore a program that does not have a validation value (2).
   Level 30: No validation is performed. Program must be converted before it can be used.
   Level 40: No validation is performed. Program must be converted before it can be used.
   Level 50: No validation is performed. Program must be converted before it can be used.
7. An attempt is made to restore a program that has a validation value.
   Level 30: Program validation is performed.
   Level 40: Program validation is performed.
   Level 50: Program validation is performed.
8. An attempt is made to change a program's associated space.
   Level 30: Attempt is successful.
   Level 40: AF journal entry (1); operation fails.
   Level 50: AF journal entry (1); operation fails.
9. An attempt is made to change a job's address space.
   Level 30: Attempt is successful.
   Level 40: AF journal entry (1); operation fails.
   Level 50: AF journal entry (1); operation fails.
10. A user state program attempts to call or transfer control to a system domain program.
   Level 30: Attempt is successful.
   Level 40: AF journal entry (1); operation fails.
   Level 50: AF journal entry (1); operation fails.
11. An attempt is made to create a user domain object of type *USRSPC, *USRIDX, or *USRQ in a library not included in the QALWUSRDMN system value.
   Level 30: Operation fails.
   Level 40: Operation fails.
   Level 50: Operation fails.
12. A user state program sends an exception message to a system state program that is not immediately above it in the call stack.
   Level 30: Attempt is successful.
   Level 40: Attempt is successful.
   Level 50: Operation fails.
13. A parameter is passed to a user domain program running in the system state.
   Level 30: Attempt is successful.
   Level 40: Parameter validation is performed.
   Level 50: Parameter validation is performed.
14. An IBM-supplied command is changed to run a different program using the CHGCMD command. The command is changed again to run the original IBM-supplied program, which is a system domain program. A user attempts to run the command.
   Level 30: Attempt is successful.
   Level 40: AF journal entry (1, 3); operation fails (3).
   Level 50: AF journal entry (1, 3); operation fails (3).

Notes:
(1) An authority failure (AF) type entry is written to the audit (QAUDJRN) journal, if the auditing function is active. See Chapter 9, Auditing security on System i, on page 257 for more information about the audit function.
(2) Programs created before Version 1 Release 3 do not have a validation value.
(3) When you change an IBM-supplied command, it can no longer call a system domain program.

If you use the auditing function at lower security levels, the system logs journal entries for most of the actions shown in Table 3 on page 14, except those detected by the enhanced hardware protection function. You receive warnings in the form of journal entries for potential integrity violations. At level 40 and higher, integrity violations cause the system to fail the attempted operation.

Preventing the use of unsupported interfaces


At security level 40 or higher, the system prevents attempts to directly call system programs that are not documented as call-level interfaces. For example, directly calling the command processing program for the SIGNOFF command fails. The system uses the domain attribute of an object and the state attribute of a program to enforce this protection.

- Domain: Every object belongs to either the *SYSTEM domain or the *USER domain. *SYSTEM domain objects can be accessed only by *SYSTEM state programs or by *INHERIT state programs that are called by *SYSTEM state programs. You can display the domain of an object by using the Display Object Description (DSPOBJD) command and specifying DETAIL(*FULL). You can also use the following commands:
  - Display Program (DSPPGM) to display the domain of a program
  - Display Service Program (DSPSRVPGM) to display the domain of a service program
- State: Programs are either *SYSTEM state, *INHERIT state, or *USER state. The *USER state programs can directly access only *USER domain objects. You can access objects that are *SYSTEM domain by using the appropriate command or application programming interface (API). The *SYSTEM and *INHERIT states are reserved for IBM-supplied programs. You can display the state of a program by using the Display Program (DSPPGM) command. You can display the state of a service program by using the Display Service Program (DSPSRVPGM) command.

Table 4 shows the domain and state access rules:
Table 4. Domain and state access

Object domain   Program state *USER   Program state *SYSTEM
*USER           YES                   YES
*SYSTEM         NO (1)                YES

(1) A domain or state violation causes the operation to fail at security level 40 and higher. At all security levels, an AF type entry is written to the audit journal if the auditing function is active.

Journal entry: When the following conditions are met, an authority failure (AF) entry, violation type D or R, is written to the QAUDJRN journal:
- The auditing function is active
- The QAUDLVL system value includes *PGMFAIL
- An attempt is made to use an unsupported interface

Protecting job descriptions


If a user profile name is used as the value for the User field in a job description, any jobs submitted with the job description can run under that user profile. Thus an unauthorized user might submit a job to run under the user profile specified in the job description. At security level 40 and higher, the job will fail unless the user submitting the job has *USE authority to both the job description and the user profile specified in the job description. At security level 30, the job runs if the submitter has *USE authority to the job description.

Journal entry: When the following conditions are met, an AF entry, violation type J, is written to the QAUDJRN journal:
- The auditing function is active
- The QAUDLVL system value includes *AUTFAIL
- A user submits a job, while the user is not authorized to the user profile in the job description

Signing on without a user ID and password


Your security level determines how the system controls signing on without a user ID and password. At security level 30 and below, signing on by pressing the Enter key without a user ID and password is possible with certain subsystem descriptions. At security level 40 and higher, the system stops any attempt to sign on without a user ID and password.

Journal entry: When the following conditions are met, an AF entry, violation type S, is written to the QAUDJRN journal:
- The auditing function is active
- The QAUDLVL system value includes *AUTFAIL
- A user attempts to sign on without entering a user ID and password and the subsystem description allows it

Note that the attempt fails at security level 40 and higher.


Related concepts
Subsystem descriptions on page 205
  The subsystem descriptions perform several functions on the system.

Enhanced hardware storage protection


Enhanced hardware storage protection allows blocks of system information that are located in memory to be defined as read-write, read-only, or no access. At security level 40 and higher, the system controls how *USER state programs access these protected blocks. Enhanced hardware storage protection is supported on all System i models.

Journal entry: When the following conditions are met, an AF entry, violation type R, is written to the QAUDJRN journal:
- The auditing function is active
- The QAUDLVL system value includes *PGMFAIL
- A program attempts to write to an area of memory protected by the enhanced hardware storage protection feature

Protecting a program's associated space


For original program model (OPM) programs, at security level 40 and higher, the associated space of a program object cannot be directly changed by user state programs. For integrated language environment (ILE) programs, the associated space of a program object cannot be changed by user state programs at any security level.

Protecting a job's address space


At security level 50, a user state program cannot obtain the address for another job on the system. Therefore, a user state program cannot directly manipulate objects associated with another job.

Validating parameters
Interfaces to the i5/OS operating system are system state programs in the user domain. When parameters are passed between user state and system state programs, those parameters must be checked to prevent any unexpected values from jeopardizing the integrity of the operating system. When you run your system at security level 40 or 50, the system specifically checks every parameter passed between a user state program and a system state program in the user domain. This is required for your system to separate the system and user domain, and to meet the requirements of a Common Criteria level of security. You might notice some performance effect because of this additional checking.

Validation of programs being restored


When a program is created, the system calculates a validation value, which is stored with the program. When the program is restored, the validation value is calculated again and compared to the validation value that is stored with the program. If the validation values do not match, the system takes action according to the Force Conversion on Restore (QFRCCVNRST) and Allow Object Restore (QALWOBJRST) system values.

In addition to a validation value, a program might optionally have a digital signature that can be verified on restore. Any system actions related to digital signatures are controlled by the QVFYOBJRST and QFRCCVNRST system values. The three system values, Verify Object on Restore (QVFYOBJRST), QFRCCVNRST and QALWOBJRST, act as a series of filters to determine whether a program will be restored without change, whether it will be re-created (converted) as it is restored, or whether it will not be restored to the system.

Note: System state programs must have a valid IBM digital signature. Otherwise, they cannot be restored, no matter how the system values are set.

The first filter is the QVFYOBJRST system value. It controls the restore operation on some objects that can be digitally signed. After an object is successfully checked and is validated by this system value, the object proceeds to the second filter, the QFRCCVNRST system value. With this system value you specify whether to convert programs, service programs, or module objects during a restore operation. This system value also prevents certain objects from being restored. Only when the objects have passed the first two filters do they proceed to the final filter, the QALWOBJRST system value. This system value controls whether objects with security sensitive attributes can be restored.

Notes:
1. Programs created for the i5/OS operating system can contain information that allows the program to be re-created at restore time, without requiring the program source.
2. Programs created for i5/OS Version 5, Release 1 and later, contain the information needed for re-creation even when the observability of the program is removed.
3. Programs created for releases before Version 5, Release 1 can only be re-created at restore time if the observability of the program has not been deleted.

Related reference
Security-related system values on page 36
  This topic introduces the security-related system values on your i5/OS operating system.

Changing to security level 40


Before migrating to level 40, make sure that all of your applications run successfully at security level 30. Security level 30 gives you the opportunity to test resource security for all of your applications. Follow these steps to migrate to security level 40:

1. Activate the security auditing function, if you have not already done so. The topic Setting up security auditing on page 290 gives complete instructions for setting up the auditing function.
2. Make sure that the QAUDLVL system value includes *AUTFAIL and *PGMFAIL. *PGMFAIL logs journal entries for any access attempts that violate the integrity protection at security level 40.
3. Monitor the audit journal for *AUTFAIL and *PGMFAIL entries while running all of your applications at security level 30. Pay particular attention to the following detailed entries in AF type entries:
   C   Object validation failure
   D   Unsupported interface (domain) violation
   J   Job-description and user-profile authorization failure
   R   Attempt to access protected area of disk (enhanced hardware storage protection)
   S   Default sign-on attempt
   These codes indicate the presence of integrity exposures in your applications. At security level 40, these programs fail.
4. If you have any programs that were created before Version 1 Release 3, use the CHGPGM command with the FRCCRT parameter to create validation values for those programs. At security level 40, the system translates any program that is restored without a validation value. This can add considerable time to the restore process. See the topic Validation of programs being restored on page 17 for more information about program validation.
   Note: Restore program libraries as part of your application test. Check the audit journal for validation failures.
5. Based on the entries in the audit journal, take steps to correct your applications and prevent program failures.
6. Change the QSECURITY system value to 40 and perform an IPL.
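Step 3 of this procedure asks you to watch the audit journal for AF entries whose violation type is C, D, J, R or S while still at level 30, because those are exactly the operations that start failing at level 40. The following Python script is an added illustration of that triage, not code from the IBM reference: it counts the level-40 violation types, lists the programs involved and reports whether the system is ready. The pipe-delimited record layout, the program and job names, and the remediation wording are constructed for the example; the script does not parse the real QAUDJRN AF entry layout.

```python
"""Triage AF (authority failure) audit entries before moving QSECURITY to 40.

Added example, not code from the IBM Security Reference. The record layout
used here is constructed for this illustration; it is NOT the layout of real
QAUDJRN AF entries (those are normally exported with DSPJRN to an outfile).
"""
from __future__ import annotations

from collections import Counter, defaultdict
from dataclasses import dataclass

# AF violation types that the migration steps list as integrity exposures:
# at level 30 they are only journaled, at level 40 the operation fails.
LEVEL40_INTEGRITY_TYPES = {
    "C": "Object validation failure",
    "D": "Unsupported interface (domain) violation",
    "J": "Job-description and user-profile authorization failure",
    "R": "Attempt to access protected area of disk (enhanced hardware storage protection)",
    "S": "Default sign-on attempt",
}

# Remediation hints derived from the surrounding text (illustrative wording).
REMEDIATION = {
    "C": "create validation values with CHGPGM FRCCRT, then restore and retest",
    "D": "replace the direct call with the documented command or API",
    "J": "grant the submitter *USE to the job description's user profile, or change the job description",
    "R": "fix the program; it writes to storage protected by enhanced hardware storage protection",
    "S": "remove default sign-on from the subsystem description so a user ID and password are required",
}


@dataclass(frozen=True)
class AfEntry:
    timestamp: str
    job: str
    user: str
    program: str
    violation: str


def parse_af_records(text: str) -> list[AfEntry]:
    """Parse constructed records: timestamp|entry type|job|user|program|violation type.

    Lines starting with '#' are comments. Entry types other than AF (for
    example PW) are skipped; a malformed line raises instead of being ignored,
    so a truncated export cannot silently look "clean".
    """
    entries: list[AfEntry] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split("|")
        if len(fields) != 6:
            raise ValueError(f"malformed audit record: {line!r}")
        timestamp, entry_type, job, user, program, violation = fields
        if entry_type != "AF":
            continue
        entries.append(AfEntry(timestamp, job, user, program, violation))
    return entries


def level40_readiness(entries: list[AfEntry]):
    """Return (ready, counts_by_type, programs_by_type).

    ready is True only when no entry carries one of the level-40 violation
    types. Any other AF violation type (an ordinary object authority failure)
    is not an integrity exposure and is left out of the count.
    """
    counts: Counter[str] = Counter()
    programs: defaultdict[str, set[str]] = defaultdict(set)
    for entry in entries:
        if entry.violation in LEVEL40_INTEGRITY_TYPES:
            counts[entry.violation] += 1
            programs[entry.violation].add(entry.program)
    return (not counts), dict(counts), {k: sorted(v) for k, v in programs.items()}


def readiness_report(entries: list[AfEntry]) -> list[str]:
    """One line per level-40 violation type found, followed by a verdict line."""
    ready, counts, programs = level40_readiness(entries)
    lines = []
    for code in sorted(counts):
        lines.append(f"{code} {LEVEL40_INTEGRITY_TYPES[code]}: {counts[code]} entries, "
                     f"programs {', '.join(programs[code])}; action: {REMEDIATION[code]}")
    lines.append("Ready for QSECURITY 40" if ready
                 else "NOT ready for QSECURITY 40: these operations will fail at level 40")
    return lines


# Constructed sample export. User *NONE and program *N mark a default sign-on
# attempt; the PW line and the type-A AF line are deliberately outside the count.
SAMPLE_RECORDS = """\
# timestamp|entry type|job|user|program|violation type
2010-06-01T08:00:01|AF|123456/ACCTG/PAYRUN|ACCTG|PAYLIB/PAYUPD|D
2010-06-01T08:00:05|AF|123457/OPS/NIGHTLY|OPS|OPSLIB/SUBJOB|J
2010-06-01T08:01:10|AF|123458/JSMITH/QPADEV0001|JSMITH|APPLIB/OLDRPT|C
2010-06-01T08:02:00|AF|123459/QSYS/QINTER|*NONE|*N|S
2010-06-01T08:03:30|AF|123460/JDOE/QPADEV0002|JDOE|APPLIB/CUSTINQ|A
2010-06-01T08:03:31|PW|123461/JDOE/QPADEV0002|JDOE|*N|P
2010-06-01T08:04:00|AF|123462/ACCTG/PAYRUN|ACCTG|PAYLIB/PAYUPD|D
"""

if __name__ == "__main__":
    for line in readiness_report(parse_af_records(SAMPLE_RECORDS)):
        print(line)
```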

Disabling security level 40


You might want to move back to level 30 from level 40 temporarily because you need to test new applications for integrity errors. Or, you might discover you did not test well enough before changing to security level 40.

You can change from security level 40 to level 30 without jeopardizing your resource security. No changes are made to special authorities in user profiles when you move from level 40 to level 30. After you have tested your applications and resolved any errors in the audit journal, you can move back to level 40.

Attention: If you move from level 40 to level 20, some special authorities are added to all user profiles. (See Table 2 on page 11.) This removes resource security protection.

Security level 50
Security level 50 is designed to meet some of the requirements defined by the Controlled Access Protection Profile (CAPP) for Common Criteria (CC) compliance. Security level 50 provides enhanced integrity protection, in addition to what is provided by security level 40, for installations with strict security requirements. The security functions included for security level 50 are described in the topics that follow:
- Restricting user domain object types (*USRSPC, *USRIDX, and *USRQ)
- Restricting message handling between user and system state programs
- Preventing modification of all internal control blocks

Restricting user domain objects


Most objects are created in the system domain. When you run your system at security level 40 or 50, system domain objects can be accessed only by using the commands and APIs provided. These object types can be either system or user domain:
- User space (*USRSPC)
- User index (*USRIDX)
- User queue (*USRQ)

Objects of type *USRSPC, *USRIDX, and *USRQ in user domain can be manipulated directly without using system-provided APIs and commands. This allows a user to access an object without creating an audit record.

Note: Objects of type *PGM, *SRVPGM and *SQLPKG can also be in the user domain. Their contents cannot be manipulated directly, and they are not affected by the restrictions.

At security level 50, a user must not be permitted to pass security-relevant information to another user without the ability to write an audit record. To enforce this:
- At security level 50, no job can get addressability to the QTEMP library for another job. Therefore, if user domain objects are stored in the QTEMP library, they cannot be used to pass information to another user.
- To provide compatibility with existing applications that use user domain objects, you can specify additional libraries in the QALWUSRDMN system value. The QALWUSRDMN system value is enforced at all security levels. See Allow User Domain Objects (QALWUSRDMN) on page 25 for more information.

Related tasks
Changing to security level 50
  If your current security level is 10 or 20, change the security level to 40 before you change it to 50. If your current security level is 30 or 40, you need to evaluate the QALWUSRDMN value and recompile some programs to prepare for security level 50.

Restricting message handling


Messages sent between programs provide the potential for integrity exposures. At security level 50, you are able to restrict the messages sent between programs to protect the integrity of your system. The following applies to message handling at security level 50:
- Any user state program can send a message of any type to any other user state program.
- Any system state program can send a message of any type to any user or system state program.
- A user state program can send a non-exception message to any system state program.
- A user state program can send an exception type message (status, notify, or escape) to a system state program if one of the following is true:
  - The system state program is a request processor.
  - The system state program called a user state program.
  Note: The user state program sending the exception message does not need to be the program called by the system state program. For example, in this call stack, an exception message can be sent to Program A by Program B, C, or D:

  Program A   System state
  Program B   User state
  Program C   User state
  Program D   User state

- When a user state program receives a message from an external source (*EXT), any pointers in the message replacement text are removed.

Preventing modification of internal control blocks


At security level 40, some internal control blocks, such as the work control block, cannot be modified by a user state program. At security level 50, no system internal control blocks can be modified. This includes the open data path (ODP), the spaces for CL commands and programs, and the S/36 environment job control block.

Changing to security level 50


If your current security level is 10 or 20, change the security level to 40 before you change it to 50. If your current security level is 30 or 40, you need to evaluate the QALWUSRDMN value and recompile some programs to prepare for security level 50.

Most of the additional security measures that are enforced at security level 50 do not cause audit journal entries at lower security levels. Therefore, an application cannot be tested for all possible integrity error conditions before changing to security level 50.

The actions that cause errors at security level 50 are uncommon in normal application software. Most software that runs successfully at security level 40 also runs at security level 50.

If you are currently running your system at security level 30, complete the steps described in Changing to security level 40 on page 18 to prepare for changing to security level 50. If you are currently running your system at security level 30 or 40, do the following to prepare for security level 50:
- Evaluate the QALWUSRDMN system value. Controlling user domain objects is important to system integrity.
- Recompile any COBOL programs that assign the device in the SELECT clause to WORKSTATION if the COBOL programs were compiled using a pre-V2R3 compiler.
- Recompile any S/36 environment COBOL programs that were compiled using a pre-V2R3 compiler.
- Recompile any RPG/400 or System/38 environment RPG* programs that use display files if they were compiled using a pre-V2R2 compiler.

You can go directly from security level 30 to security level 50. Running at security level 40 as an intermediate step does not provide significant benefits for testing. If you are currently running at security level 40, you can change to security level 50 without extra testing. Security level 50 cannot be tested in advance. The additional integrity protection that is enforced at security level 50 does not produce error messages or journal entries at lower security levels.

Related concepts
Restricting user domain objects on page 19
  Most objects are created in the system domain. When you run your system at security level 40 or 50, system domain objects can be accessed only by using the commands and APIs provided.

Disabling security level 50


After changing to security level 50, you might find you need to move back to security level 30 or 40 temporarily. For example, you might need to test new applications for integrity errors; or you might discover integrity problems that did not appear at lower security levels.

You can change from security level 50 to level 30 or 40 without jeopardizing your resource security. No changes are made to special authorities in user profiles when you move from level 50 to level 30 or 40. After you have tested your applications and resolved any errors in the audit journal, you can move back to level 50.

Attention: If you move from level 50 to level 20, some special authorities are added to all user profiles. This removes resource security protection.

Related reference
Chapter 2, Using System Security (QSecurity) system value, on page 9
  You can choose how much security you want the system to enforce by setting the security level (QSECURITY) system value.


Chapter 3. Security system values


System values allow you to customize many characteristics of your system. A group of system values is used to define system-wide security settings.

You can restrict users from changing the security-related system values. System service tools (SST) and dedicated service tools (DST) provide an option to lock these system values. By locking the system values, you can prevent even a user with *SECADM and *ALLOBJ authority from changing these system values with the CHGSYSVAL command. In addition to restricting changes to these system values, you can also restrict adding digital certificates to the digital certificate store with the Add Verifier API and restrict password resetting on the digital certificate store.

Note: If you lock the security-related system values and need to perform a restore operation as part of a system recovery, be aware that you need to unlock the system values to complete the restore operation. This ensures that the system values are free to be changed during the initial program load (IPL).

You can restrict the following system values by using the lock option:
Table 5. System values that can be locked

QALWJOBITP   QAUTORMT     QLMTDEVSSN   QPWDLMTREP   QRETSVRSEC
QALWOBJRST   QAUTOVRT     QLMTSECOFR   QPWDLVL      QRMTSIGN
QALWUSRDMN   QCRTAUT      QMAXSGNACN   QPWDMAXLEN   QRMTSRVATR
QAUDCTL      QCRTOBJAUD   QMAXSIGN     QPWDMINLEN   QSCANFS
QAUDENDACN   QDEVRCYACN   QPWDCHGBLK   QPWDPOSDIF   QSCANFSCTL
QAUDFRCLVL   QDSCJOBITV   QPWDEXPITV   QPWDRQDDGT   QSECURITY
QAUDLVL      QDSPSGNINF   QPWDEXPWRN   QPWDRQDDIF   QSHRMEMCTL
QAUDLVL2     QFRCCVNRST   QPWDLMTAJC   QPWDRULES    QUSEADPAUT
QAUTOCFG     QINACTMSGQ   QPWDLMTCHR   QPWDVLDPGM   QVFYOBJRST

You can use system service tools (SST) or dedicated service tools (DST) to lock and unlock the security-related system values. However, you must use DST if you are in recovery mode because SST is not available during this mode. Otherwise, use SST to lock or unlock the security-related system values.

To lock or unlock security-related system values with the Start System Service Tools (STRSST) command, follow these steps:

Note: You must have a service tools user ID and password to lock or unlock the security-related system values.

1. Open a character-based interface.
2. On the command line, type STRSST.
3. Type your service tools user ID and password.
4. Select option 7 (Work with system security).
5. Type 1 to unlock security-related system values or 2 to lock security-related system values in the Allow system value security changes parameter.

To lock or unlock security-related system values using dedicated service tools (DST) during an attended IPL of a system recovery, follow these steps:
1. From the IPL or Install the System display, select option 3 (Use Dedicated Service Tools).
   Note: This step assumes that you are in recovery mode and are performing an attended IPL.
2. Sign on to DST using your service tools user ID and password.
3. Select option 13 (Work with system security).
4. Type 1 to unlock security-related system values or 2 to lock security-related system values in the Allow system value security changes parameter.

Related concepts
System values on page 3
System values provide customization on many characteristics of your System i platform. You can use system values to define system-wide security settings.

General security system values


This topic introduces the general system values that you can use to control security on your i5/OS operating system.

Overview: General security system values allow you to set security function to support the decisions you made when developing your security policy. For example, in your security policy you state that systems containing confidential information, such as customer accounts or payroll inventories, need a stricter level of security than systems used for testing applications that are developed within your company. You can then plan and set a security level on these systems that corresponds with the decisions you made while developing your security policy.

Purpose: Specify system values that control security on the system.
How To: WRKSYSVAL *SEC (Work with System Values command)
Authority: *ALLOBJ and *SECADM
Journal Entry: SV
Note: Changes take effect immediately. IPL is required only when changing the security level (QSECURITY system value) or password level (QPWDLVL system value).

General system values that control security on your system are as follows:
QALWUSRDMN  Allow user domain objects in the libraries
QCRTAUT     Create default public authority
QDSPSGNINF  Display sign-on information
QFRCCVNRST  Force conversion on restore
QINACTITV   Inactive job time-out interval
QINACTMSGQ  Inactive job message queue
QLMTDEVSSN  Limit device sessions
QLMTSECOFR  Limit security officer
QMAXSIGN    Maximum sign-on attempts
QMAXSGNACN  Action when maximum sign-on attempts exceeded
QRETSVRSEC  Retain Server Security
QRMTSIGN    Remote sign-on requests
QSCANFS     Scan file systems
QSCANFSCTL  Scan file systems control
QSECURITY   Security level
QSHRMEMCTL  Shared memory control
QUSEADPAUT  Use Adopted Authority
QVFYOBJRST  Verify object on restore
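The "Recommended value" paragraphs that follow for these system values are easiest to apply as a checklist. The script below is an added example, not IBM code or part of this reference: it compares an exported set of security system values against those recommendations and lists every deviation. It assumes you have already transcribed the values (for example from WRKSYSVAL *SEC output) into plain "NAME VALUE" text lines; the SAMPLE lines are constructed for the demonstration and do not come from a real system.

```python
"""Check exported IBM i security system values against this chapter's recommendations.

Added example for this reference, not IBM-supplied code. It assumes the values
have already been exported from the system into simple "NAME VALUE..." text
lines (for example by transcribing WRKSYSVAL *SEC output); SAMPLE below is
constructed for the demonstration and does not come from a real system.
"""
from typing import Dict, List, Tuple

# Exact-match recommendations from the "Recommended value" paragraphs.
# More than one value is listed where the chapter accepts more than one.
RECOMMENDED: Dict[str, Tuple[str, ...]] = {
    "QCRTAUT": ("*CHANGE",),
    "QDSPSGNINF": ("1",),
    "QINACTMSGQ": ("*DSCJOB",),
    "QLMTDEVSSN": ("1",),
    "QLMTSECOFR": ("1",),
    "QMAXSGNACN": ("3",),
    "QRETSVRSEC": ("0",),
    "QRMTSIGN": ("*REJECT", "*FRCSIGNON", "*SAMEPRF"),
    "QSCANFS": ("*ROOTOPNUD",),
    "QSHRMEMCTL": ("1",),
}

# Numeric recommendations as (lowest allowed, recommended maximum): a smaller,
# stricter number is fine; a larger number or *NONE / *NOMAX is a finding.
RANGES: Dict[str, Tuple[int, int]] = {"QINACTITV": (5, 60), "QMAXSIGN": (1, 3)}

# The chapter's most restrictive QSCANFSCTL setting.
SCANFSCTL_REQUIRED = {"*ERRFAIL", "*NOWRTUPG"}


def parse_sysval_lines(lines: List[str]) -> Dict[str, List[str]]:
    """Turn "NAME VALUE [VALUE...]" lines into a dict. All tokens after the name
    are kept because some system values (QSCANFSCTL, QALWUSRDMN) hold a list."""
    values: Dict[str, List[str]] = {}
    for raw in lines:
        parts = raw.split()
        if len(parts) >= 2 and parts[0].startswith("Q"):
            values[parts[0]] = parts[1:]
    return values


def audit(values: Dict[str, List[str]]) -> List[Tuple[str, str, str]]:
    """Return (system value, current setting, expected setting) for every deviation."""
    findings: List[Tuple[str, str, str]] = []

    for name, accepted in RECOMMENDED.items():
        current = values.get(name)
        if current is None or current[0] not in accepted:
            shown = " ".join(current) if current else "<missing>"
            findings.append((name, shown, " or ".join(accepted)))

    for name, (lo, hi) in RANGES.items():
        current = values.get(name, ["<missing>"])[0]
        if not current.isdigit() or not lo <= int(current) <= hi:
            findings.append((name, current, f"{lo} through {hi}"))

    present = set(values.get("QSCANFSCTL", []))
    missing = SCANFSCTL_REQUIRED - present
    if missing:
        shown = " ".join(sorted(present)) or "<missing>"
        findings.append(("QSCANFSCTL", shown, " ".join(sorted(missing))))

    return findings


# Constructed sample export (not from a real system); several values are deliberately weak.
SAMPLE = """\
QCRTAUT     *CHANGE
QDSPSGNINF  0
QINACTITV   *NONE
QINACTMSGQ  *ENDJOB
QLMTDEVSSN  1
QLMTSECOFR  0
QMAXSIGN    *NOMAX
QMAXSGNACN  3
QRETSVRSEC  1
QRMTSIGN    *VERIFY
QSCANFS     *ROOTOPNUD
QSCANFSCTL  *NONE
QSHRMEMCTL  1
""".splitlines()

if __name__ == "__main__":
    for name, current, expected in audit(parse_sysval_lines(SAMPLE)):
        print(f"{name:<11} is {current:<20} recommended: {expected}")
```

QALWUSRDMN and QUSEADPAUT are left out of the checker on purpose: the chapter's recommendation for them depends on the application libraries and authorization lists in use, so they need a site-specific rule rather than a fixed value.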

Allow User Domain Objects (QALWUSRDMN)


All objects are assigned a domain attribute when they are created. A domain is a characteristic of an object that controls how programs can access the object. The Allow User Domain Objects (QALWUSRDMN) system value specifies which libraries are allowed to contain user domain objects of type *USRSPC, *USRIDX, and *USRQ. Systems with high security requirements require the restriction of user *USRSPC, *USRIDX, *USRQ objects. The system cannot audit the movement of information to and from user domain objects. The restriction does not apply to user domain objects of type program (*PGM), server program (*SRVPGM), and SQL packages (*SQLPKG). Note: This system value is a restricted value. See Security system values for details on how to restrict changes to security system values and a complete list of the restricted system values.
Table 6. Possible values for the QALWUSRDMN system value:
*ALL          User domain objects are allowed in all libraries and directories on the system. This is the shipped value.
*DIR          User domain objects are allowed in all directories on the system.
library-name  The names of up to 50 libraries that can contain user domain objects of type *USRSPC, *USRIDX, and *USRQ. If individual libraries are listed, the library QTEMP must be included in the list.

Recommended value: For most systems, the recommended value is *ALL. If your system has a high security requirement, you should allow user domain objects only in the QTEMP library.

Some systems have application software that relies on object types *USRSPC, *USRIDX, or *USRQ. For those systems, the list of libraries for the QALWUSRDMN system value should include the libraries that are used by the application software. The public authority of any library placed in QALWUSRDMN, except QTEMP, should be set to *EXCLUDE. This limits the number of users that can use the MI interface to read or change the data in user domain objects in these libraries without being audited.

Note: If you run the Reclaim Storage (RCLSTG) command, user domain objects might need to be moved in and out of the QRCL (reclaim storage) library. To run the RCLSTG command successfully, you might need to add the QRCL library to the QALWUSRDMN system value. To protect system security, set the public authority to the QRCL library to *EXCLUDE. Remove the QRCL library from the QALWUSRDMN system value when you have finished running the RCLSTG command.

Authority for New Objects (QCRTAUT)


The Authority for New Objects (QCRTAUT) system value specifies the public authority for a newly created object. The QCRTAUT system value is used to determine the public authority for a newly created object if the following conditions are met:
v The create authority (CRTAUT) for the library of the new object is set to *SYSVAL.
v The new object is created with public authority (AUT) of *LIBCRTAUT.

Note: This system value is a restricted value. See Security system values for details on how to restrict changes to security system values and a complete list of the restricted system values.
Table 7. Possible values for the QCRTAUT system value:
*CHANGE   The public can change newly created objects.
*USE      The public may view, but not change, newly created objects.
*ALL      The public may perform any function on new objects.
*EXCLUDE  The public is not allowed to use new objects.

Recommended value: *CHANGE

The QCRTAUT system value is not used for objects created in directories in the enhanced file system.

Attention: Several IBM-supplied libraries, including QSYS, have a CRTAUT value of *SYSVAL. If you change the QCRTAUT system value to something other than *CHANGE, you might encounter problems with signing on at new or automatically created devices. To avoid these problems when you change QCRTAUT to something other than *CHANGE, make sure that all device descriptions and their associated message queues have a PUBLIC authority of *CHANGE. One way to accomplish this is to change the CRTAUT value for library QSYS to *CHANGE from *SYSVAL.

Display Sign-On Information (QDSPSGNINF)


The Display Sign-On Information (QDSPSGNINF) system value determines whether the Sign-on Information display is shown after signing on. The Sign-on Information display shows:
v Date of last sign-on
v Any password verifications that were not valid
v The number of days until the password expires (if the password is due to expire within the password expiration warning days (QPWDEXPWRN))

                             Sign-on Information
                                                          System:
 Previous sign-on . . . . . . . . . . . . . :   10/30/91   14:15:00
 Password verifications not valid . . . . . :   3
 Days until password expires  . . . . . . . :   5

Note: This system value is a restricted value. See Security system values for details on how to restrict changes to security system values and a complete list of the restricted system values.
Table 8. Possible values for the QDSPSGNINF system value:
0  Display is not shown.
1  Display is shown.

Recommended value: 1 (Display is shown) is recommended so that users can monitor attempted use of their profiles and know when a new password is needed. Note: Display sign-on information can also be specified in individual user profiles.

Inactive Job Time-Out Interval (QINACTITV)


The Inactive Job Time-Out Interval (QINACTITV) system value specifies in minutes how long the system allows a job to be inactive before taking action. A workstation is considered inactive if it is in display wait (DSPW) status, or if it is waiting for message input with no user interaction. Some examples of user interaction are:
v Using the Enter key
v Using the paging function
v Using function keys
v Using the Help key

Emulation sessions through System i Access are included. Local jobs that are signed on to a remote system are excluded. Jobs that are connected by file transfer protocol (FTP) are excluded. To control the time-out of FTP connections, change the INACTTIMO parameter on the Change FTP Attribute (CHGFTPA) command. To control the time-out of telnet sessions before V4R2, use the Change Telnet Attribute (CHGTELNA) command.

The following examples show how the system determines which jobs are inactive:
v A user uses the system request function to start a second interactive job. A system interaction, such as the Enter key, on either job causes both jobs to be marked as active.
v A System i Access job might appear inactive to the system if the user is performing PC functions, such as editing a document, without interacting with the system.

The QINACTMSGQ system value determines what action the system takes when an inactive job exceeds the specified interval.

When the system is started, it checks for inactive jobs at the interval specified by the QINACTITV system value. For example, if the system is started at 9:46 in the morning and the QINACTITV system value is 30 minutes, it checks for inactive jobs at 10:16, 10:46, 11:16, and so on. If it discovers a job that has been inactive for 30 minutes or more, it takes the action specified by the QINACTMSGQ system value. In this example, if a job becomes inactive at 10:17, it will not be acted on until 11:16. At the 10:46 check, it has been inactive for only 29 minutes.

The QINACTITV and QINACTMSGQ system values provide security by preventing users from leaving inactive workstations signed on. An inactive workstation might allow an unauthorized person access to the system.
Table 9. Possible values for the QINACTITV system value:
*NONE                The system does not check for inactive jobs.
interval-in-minutes  Specify a value of 5 through 300. When a job has been inactive for that number of minutes, the system takes the action specified in QINACTMSGQ.

Recommended value: 60 minutes
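The 9:46 / 10:17 / 11:16 example above has a practical consequence that is easy to miss: because checks run on a fixed schedule counted from system start, a workstation can sit idle for almost two intervals before anything happens. The following Python is an added illustration, not IBM code or part of this reference; it models the scheduling rule exactly as the text states it (times are "HH:MM" on a 24-hour clock, the figures are the chapter's own) and computes the worst-case exposure for a given QINACTITV.

```python
"""When does the system act on an inactive job under QINACTITV?

Added example for this reference, not IBM code. It models the rule stated in
the text: checks happen at fixed multiples of QINACTITV counted from system
start, and a job is acted on at the first check at which it has been inactive
for a full interval. Sample figures are the chapter's own (system started at
9:46, QINACTITV 30, job inactive from 10:17).
"""
from typing import List


def _minutes(hhmm: str) -> int:
    """'HH:MM' -> minutes since midnight."""
    h, m = hhmm.split(":")
    return int(h) * 60 + int(m)


def _hhmm(minutes: int) -> str:
    """Minutes since midnight -> 'HH:MM' (wraps at midnight)."""
    return f"{minutes // 60 % 24:02d}:{minutes % 60:02d}"


def check_times(system_start: str, qinactitv: int, count: int) -> List[str]:
    """The first `count` times at which the system checks for inactive jobs."""
    start = _minutes(system_start)
    return [_hhmm(start + qinactitv * i) for i in range(1, count + 1)]


def action_time(system_start: str, qinactitv: int, inactive_since: str) -> str:
    """Time of the check at which the QINACTMSGQ action is taken for a job
    that went inactive at `inactive_since`."""
    since = _minutes(inactive_since)
    t = _minutes(system_start) + qinactitv
    # Keep stepping to the next check until the job has been idle a full interval.
    while t - since < qinactitv:
        t += qinactitv
    return _hhmm(t)


def worst_case_exposure(qinactitv: int) -> int:
    """Longest an idle workstation can stay signed on before action, in minutes:
    a job that goes idle one minute after a check is only `qinactitv - 1` minutes
    idle at the next check, so it waits for the one after that."""
    return 2 * qinactitv - 1


if __name__ == "__main__":
    print("checks at:", ", ".join(check_times("09:46", 30, 3)))
    print("job idle from 10:17 is acted on at", action_time("09:46", 30, "10:17"))
    print("worst case with QINACTITV=60:", worst_case_exposure(60), "minutes")
```

With the recommended 60 minutes, an unattended session can therefore remain usable for up to 119 minutes; sites that need a tighter bound should set a shorter interval rather than assume "60" means "within the hour".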

Inactive Job Time-Out Message Queue (QINACTMSGQ)


The Inactive Job Time-Out Message Queue (QINACTMSGQ) system value specifies what action the system takes when the inactive job time-out interval for a job has been reached. Note: This system value is a restricted value. See Security system values for details on how to restrict changes to security system values and a complete list of the restricted system values.
Table 10. Possible values for QINACTMSGQ system value:
*ENDJOB             Inactive jobs are ended. If the inactive job is a group job (1), all jobs associated with the group are also ended. If the job is part of a secondary job (1), both jobs are ended. The action taken by *ENDJOB is equal to running the command ENDJOB JOB(name) OPTION(*IMMED) ADLINTJOBS(*ALL) against the inactive job.
*DSCJOB             The inactive job is disconnected, as are any secondary or group jobs (1) associated with it. The disconnected job time-out interval (QDSCJOBITV) system value controls whether the system eventually ends disconnected jobs. See Disconnected Job Time-Out Interval (QDSCJOBITV) on page 38 for more information.
                    Attention: The system cannot disconnect some jobs, such as PC Organizer and PC text-assist function (PCTA). If the system cannot disconnect an inactive job, it ends the job instead.
message-queue-name  Message CPI1126 is sent to the specified message queue when the inactive job time-out interval is reached. This message states: Job &3/&2/&1; has not been active. The message queue must exist before it can be specified for the QINACTMSGQ system value. This message queue is automatically cleared during an IPL. If you assign QINACTMSGQ as the user's message queue, all messages in the user's message queue are lost during each IPL.

(1) The Work management topic describes group jobs and secondary jobs.

Recommended value: *DSCJOB is recommended unless your users run System i Access jobs. Using *DSCJOB when some System i Access jobs are running is the equivalent of ending the jobs. It can cause significant loss of information. Use the message-queue option if you have the System i Access licensed program. The CL Programming topic shows an example of writing a program to handle messages.

Using a message queue: A user or a program can monitor the message queue and take action as needed, such as ending the job or sending a warning message to the user. Using a message queue allows you to make decisions about particular devices and user profiles, rather than treating all inactive devices in the same way. This method is recommended when you use the System i Access licensed program.

If a workstation with two secondary jobs is inactive, two messages are sent to the message queue (one for each secondary job). A user or program can use the End Job (ENDJOB) command to end one or both secondary jobs. If an inactive job has one or more group jobs, a single message is sent to the message queue. Messages continue to be sent to the message queue for each interval that the job is inactive.

Limit Device Sessions (QLMTDEVSSN)


The Limit Device Sessions (QLMTDEVSSN) system value specifies whether the number of device sessions allowed for a user is limited. This value does not restrict the System Request menu or a second sign-on from the same device. If a user has a disconnected job, the user is allowed to sign on to the system with a new device session. Note: This system value is a restricted value. See Security system values for details on how to restrict changes to security system values and a complete list of the restricted system values.
Table 11. Possible values for the QLMTDEVSSN system value:
0    The user is not limited to a specific number of device sessions.
1    The user is limited to a single device session.
2-9  The user is limited to the specified number of device sessions.

Recommended value: 1 (Yes) is recommended because limiting users to a single device reduces the likelihood of sharing passwords and leaving devices unattended. Note: Limiting device sessions can also be specified in individual user profiles.

Limit Security Officer (QLMTSECOFR)


The Limit Security Officer (QLMTSECOFR) system value controls whether a user with all-object (*ALLOBJ) or service (*SERVICE) special authority can sign on to any workstation. Limiting powerful user profiles to certain well-controlled workstations provides security protection. The QLMTSECOFR system value is only enforced at security level 30 and higher. Workstations on page 201 provides more information about the authority required to sign on at a workstation. You can always sign on at the console with the QSECOFR, QSRV, and QSRVBAS profiles, no matter how the QLMTSECOFR value is set. Note: This system value is a restricted value. See Security system values for details on how to restrict changes to security system values and a complete list of the restricted system values.
Table 12. Possible values for the QLMTSECOFR system value:
1  A user with *ALLOBJ or *SERVICE special authority can sign on at a workstation only if that user is specifically authorized (that is, given *CHANGE authority) to the workstation or if user profile QSECOFR is authorized (given *CHANGE authority) to the workstation. This authority cannot come from public authority.
0  Users with *ALLOBJ or *SERVICE special authority can sign on at any workstation for which they have *CHANGE authority. They can receive *CHANGE authority through private or public authority or because they have *ALLOBJ special authority.

Recommended value: 1 (Yes)

Maximum Sign-On Attempts (QMAXSIGN)


The Maximum Sign-On Attempts (QMAXSIGN) system value controls the number of consecutive sign-on or password verification attempts that are not correct by local and remote users. Incorrect sign-on or password verification attempts can be caused by a user ID that is not correct, a password that is not correct, or inadequate authority to use the workstation. When the maximum number of sign-on or password verification attempts is reached, the QMAXSGNACN system value is used to determine the action to be taken. A CPF1393 message is sent to the QSYSOPR message queue (and QSYSMSG message queue if it exists in library QSYS) to notify the security officer of a possible intrusion. If you create the QSYSMSG message queue in the QSYS library, messages about critical system events are sent to that message queue as well as to QSYSOPR. The QSYSMSG message queue can be monitored separately by a program or a system operator. This provides additional protection of your system resources. Critical system messages in QSYSOPR are sometimes missed because of the volume of messages sent to that message queue. Note: This system value is a restricted value. See Security system values for details on how to restrict changes to security system values and a complete list of the restricted system values.
Table 13. Possible values for the QMAXSIGN system value:
3       A user can try a maximum of 3 sign-on or password verification attempts.
*NOMAX  The system allows an unlimited number of incorrect sign-on or password verification attempts. This gives a potential intruder unlimited opportunities to guess a valid user ID and password combination.
limit   Specify a value from 1 through 25. The recommended number of sign-on or password verification attempts is three. Typically, three attempts are enough to correct typing errors but low enough to help prevent unauthorized access.

Recommended value: 3

Action When Sign-On Attempts Reached (QMAXSGNACN)


The Action When Sign-On Attempts Reached (QMAXSGNACN) system value determines what the system does when the maximum number of sign-on or password verification attempts is reached at a workstation. Note: This system value is a restricted value. See Security system values for details on how to restrict changes to security system values and a complete list of the restricted system values.
Table 14. Possible values for the QMAXSGNACN system value:
3  Disable both the user profile and device.
1  Disable the device only.
2  Disable the user profile only.

The system disables a device by varying it off. The device is disabled only if the sign-on attempts that are not valid are consecutive on the same device. One valid sign-on resets the count of incorrect sign-on attempts for the device.

The system disables a user profile by changing the Status parameter to *DISABLED. The user profile is disabled when the number of incorrect sign-on attempts for the user reaches the value in the QMAXSIGN system value, regardless of whether the incorrect sign-on attempts were from the same or different devices. One valid sign-on or password verification resets the count of incorrect sign-on attempts in the user profile.

If you create the QSYSMSG message queue in QSYS, the message sent (CPF1397) contains the user and device name. Therefore, it is possible to control the disabling of the device based on the device being used. Maximum Sign-On Attempts (QMAXSIGN) on page 30 provides more information about the QSYSMSG message queue.

If the QSECOFR profile is disabled, you may sign on as QSECOFR at the console and enable the profile. If the console is varied off and no other user can vary it on, you must IPL the system to make the console available.

Recommended value: 3
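The two counting rules just described (consecutive failures per device, cumulative failures per profile across devices) interact in ways that are worth seeing on a concrete sequence of attempts. The following Python model is an added example, not IBM code or part of this reference: it implements only what the text states about QMAXSIGN and QMAXSGNACN, and the attempt sequence in run_scenario() is constructed for the demonstration. The notice list stands in for the CPF1393 message the system sends to QSYSOPR; the model does not reproduce the message text.

```python
"""Model of the QMAXSIGN / QMAXSGNACN lockout rules described in the text.

Added example for this reference, not IBM code. It keeps the two counters the
text describes: consecutive invalid attempts per device (reset by any valid
sign-on on that device) and invalid attempts per user profile across all
devices (reset by a valid sign-on or password verification for that profile).
The attempt sequence in run_scenario() is constructed for the demonstration.
"""
from collections import defaultdict
from typing import Dict, List, Optional, Set


class SignOnMonitor:
    def __init__(self, qmaxsign: Optional[int] = 3, qmaxsgnacn: int = 3) -> None:
        # qmaxsign: 1 through 25, or None to model *NOMAX (no limit, never disable).
        # qmaxsgnacn: 1 = disable device only, 2 = disable profile only, 3 = both.
        self.qmaxsign = qmaxsign
        self.qmaxsgnacn = qmaxsgnacn
        self.device_failures: Dict[str, int] = defaultdict(int)
        self.profile_failures: Dict[str, int] = defaultdict(int)
        self.disabled_devices: Set[str] = set()    # the system varies these off
        self.disabled_profiles: Set[str] = set()   # STATUS(*DISABLED) on the profile
        self.notices: List[str] = []               # stand-in for CPF1393 sent to QSYSOPR

    def attempt(self, user: str, device: str, valid: bool) -> List[str]:
        """Record one sign-on attempt; return the actions the system would take."""
        if valid:
            # A valid sign-on resets the count for this device and for this profile.
            self.device_failures[device] = 0
            self.profile_failures[user] = 0
            return []
        self.device_failures[device] += 1
        self.profile_failures[user] += 1
        if self.qmaxsign is None:
            return []  # *NOMAX: nothing is ever disabled, however many failures occur
        actions: List[str] = []
        if self.qmaxsgnacn in (1, 3) and self.device_failures[device] >= self.qmaxsign:
            self.disabled_devices.add(device)
            actions.append(f"vary off device {device}")
        if self.qmaxsgnacn in (2, 3) and self.profile_failures[user] >= self.qmaxsign:
            self.disabled_profiles.add(user)
            actions.append(f"disable profile {user}")
        if actions:
            self.notices.append(f"maximum sign-on attempts reached: user {user} device {device}")
        return actions


def run_scenario(qmaxsgnacn: int = 3) -> SignOnMonitor:
    """Constructed attempt sequence that exercises both counting rules."""
    m = SignOnMonitor(qmaxsign=3, qmaxsgnacn=qmaxsgnacn)
    m.attempt("ALICE", "DSP01", valid=False)  # ALICE 1, DSP01 1
    m.attempt("ALICE", "DSP02", valid=False)  # ALICE 2, DSP02 1
    m.attempt("BOB",   "DSP01", valid=True)   # resets DSP01 and BOB; ALICE's count stays at 2
    m.attempt("ALICE", "DSP03", valid=False)  # ALICE 3: profile disabled although spread over 3 devices
    m.attempt("CAROL", "DSP02", valid=False)  # DSP02 2
    m.attempt("DAVE",  "DSP02", valid=False)  # DSP02 3: device varied off (3 consecutive on one device)
    return m


if __name__ == "__main__":
    m = run_scenario()
    print("disabled profiles:", sorted(m.disabled_profiles))
    print("disabled devices: ", sorted(m.disabled_devices))
    for n in m.notices:
        print("notice:", n)
```

The scenario shows why the chapter recommends QMAXSGNACN 3: with 1 (device only) the profile-level count never disables ALICE even though her failures were spread across three workstations, and with 2 (profile only) a device that keeps receiving bad attempts from different users stays varied on. The model does not reject further attempts from an already disabled profile or device; on the real system those are refused until the profile is enabled or the device is varied on again.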

Retain Server Security (QRETSVRSEC)


The Retain Server Security (QRETSVRSEC) system value determines whether decryptable authentication information associated with user profiles or validation list (*VLDL) entries can be retained on the host system. This does not include the System i user profile password.

If you change the value from 1 to 0, the system disables access to the authentication information. If you change the value back to 1, the system reenables access to the authentication information. The authentication information can be removed from the system by setting the QRETSVRSEC system value to 0 and running the Clear Server Security Data (CLRSVRSEC) command. If you have a large number of user profiles or validation lists on your system, the CLRSVRSEC command might run for an extensive period of time.

The encrypted data field of a validation list entry is typically used to store authentication information. Applications specify whether to store the encrypted data in a decryptable or non-decryptable form. If the applications choose a decryptable form and the QRETSVRSEC value is changed from 1 to 0, the encrypted data field information is not accessible from the entry. If the encrypted data field of a validation list entry is stored in a non-decryptable form, it is not affected by the QRETSVRSEC system value.

Note: This system value is a restricted value. See Security system values for details on how to restrict changes to security system values and a complete list of the restricted system values.
Table 15. Possible values for the QRETSVRSEC system value:
0  Server security data is not retained.
1  Server security data is retained.

Recommended value: 0

Related concepts Using validation lists on page 243 Validation list objects provide a method for applications to securely store user-authentication information.

Remote power-on and restart (QRMTIPL)


One part of your system security plan is to determine whether you will allow remote users to power-on and restart the system. The Remote power-on and restart (QRMTIPL) system value provides you the ability to start the remote system by using your telephone and a modem or the SPCN signal. When QRMTIPL is set to 1 (Yes), any telephone call causes the system to restart. Even though this system value deals with restart options of your system, it has security implications. Obviously you do not want someone inadvertently restarting your systems. However, if you use a remote system to administer your system you will need to allow remote restart.
Table 16. Possible values for the remote power-on and restart system value (QRMTIPL)
0  Do not allow remote power-on and restart
1  Allow remote power-on and restart

Related information Restart system values: Allow remote power-on and restart

Remote Sign-On Control (QRMTSIGN)


The Remote Sign-On Control (QRMTSIGN) system value specifies how the system handles remote sign-on requests. Examples of remote sign-on are display station pass-through from another system, the workstation function of the System i Access licensed program, and TELNET access. Note: This system value is a restricted value. See Security system values for details on how to restrict changes to security system values and a complete list of the restricted system values.
Table 17. Possible values for the QRMTSIGN system value:
*FRCSIGNON                 Remote sign-on requests must go through the normal sign-on process.
*SAMEPRF                   When the source and target user profile names are the same, the sign-on display can be bypassed if automatic sign-on is requested. Password verification occurs before the target pass-through program is used. If a password that is not valid is sent on an automatic sign-on attempt, the pass-through session always ends and an error message is sent to the user. However, if the profile names are different, *SAMEPRF indicates that the session ends with a security failure even if the user entered a valid password for the remote user profile. The sign-on display appears for pass-through attempts not requesting automatic sign-on.
*VERIFY                    The *VERIFY value allows you to bypass the sign-on display of the target system if valid security information is sent with the automatic sign-on request. If the password is not valid for the specified target user profile, the pass-through session ends with a security failure. If the target system has a QSECURITY value of 10, any automatic sign-on request is allowed. The sign-on display appears for pass-through attempts not requesting automatic sign-on.
*REJECT                    No remote sign-on is permitted. For TELNET access, there is no action for *REJECT.
program-name library-name  The program specified runs at the start and end of every pass-through session.

Recommended value: *REJECT is recommended if you do not want to allow any pass-through or System i Access access. If you do allow pass-through or System i Access access, use *FRCSIGNON or *SAMEPRF.

The Remote Workstation Support book contains detailed information about the QRMTSIGN system value. It also contains the requirements for a remote sign-on program and an example.
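The difference between *SAMEPRF and *VERIFY is the one that matters for the recommendation above: both verify the password, but only *SAMEPRF refuses an automatic sign-on whose target profile differs from the source profile. The Python below is an added decision table, not IBM code or part of this reference; it encodes the outcome Table 17 gives for each value and runs a constructed set of pass-through requests through all four. A real pass-through request carries more than the four fields modelled here, and the program-name option (an exit program) is not modelled.

```python
"""Decision table for the QRMTSIGN values in Table 17.

Added example for this reference, not IBM code. remote_signon() returns the
outcome the text describes for one pass-through request; REQUESTS is a
constructed set of requests, and the program-name (exit program) option is
deliberately not modelled.
"""
from typing import Dict, List, Tuple

SIGNON_DISPLAY = "sign-on display shown"
BYPASS = "sign-on display bypassed"
SECURITY_FAILURE = "session ends with security failure"
REJECTED = "remote sign-on not permitted"


def remote_signon(qrmtsign: str, auto_signon: bool, source_user: str,
                  target_user: str, password_valid: bool, qsecurity: int = 40) -> str:
    """Outcome of one pass-through request under the given QRMTSIGN setting."""
    if qrmtsign == "*REJECT":
        return REJECTED
    if qrmtsign == "*FRCSIGNON" or not auto_signon:
        # *FRCSIGNON always shows the display; *SAMEPRF and *VERIFY show it
        # whenever automatic sign-on was not requested.
        return SIGNON_DISPLAY
    if qrmtsign == "*SAMEPRF":
        # Bypass only when the profile names match and the password verifies;
        # a different target profile fails even with a valid password.
        if source_user != target_user or not password_valid:
            return SECURITY_FAILURE
        return BYPASS
    if qrmtsign == "*VERIFY":
        # Any valid password for the target profile is enough;
        # at QSECURITY 10 every automatic sign-on request is allowed.
        if qsecurity == 10 or password_valid:
            return BYPASS
        return SECURITY_FAILURE
    raise ValueError(f"unsupported QRMTSIGN value {qrmtsign!r} (exit programs are not modelled)")


# Constructed requests: (automatic sign-on requested, source user, target user, password valid)
REQUESTS: List[Tuple[bool, str, str, bool]] = [
    (False, "ALICE", "ALICE", True),    # interactive pass-through, no automatic sign-on
    (True, "ALICE", "ALICE", True),     # same profile, valid password
    (True, "ALICE", "PAYROLL", True),   # different target profile, valid password
    (True, "ALICE", "ALICE", False),    # same profile, invalid password
]

VALUES = ("*FRCSIGNON", "*SAMEPRF", "*VERIFY", "*REJECT")


def decision_table() -> Dict[str, List[str]]:
    """Outcome of every constructed request under each QRMTSIGN value."""
    return {v: [remote_signon(v, *r) for r in REQUESTS] for v in VALUES}


if __name__ == "__main__":
    for value, outcomes in decision_table().items():
        print(value)
        for (auto, src, tgt, ok), outcome in zip(REQUESTS, outcomes):
            print(f"  auto={auto!s:<5} {src}->{tgt:<8} pwd_ok={ok!s:<5} {outcome}")
```

Row three of the table is the reason the chapter prefers *SAMEPRF: under *VERIFY a remote user who knows any valid password can be signed on directly as a different, possibly more privileged, profile without ever seeing the target system's sign-on display.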

Scan File Systems (QSCANFS)


The Scan File Systems (QSCANFS) system value allows you the option to specify the integrated file system in which objects will be scanned. For example, you can use this option to scan for a virus. Integrated file system scanning is enabled when exit programs are registered with any of the integrated file system scan-related exit points. The QSCANFS system value specifies the integrated file systems in which objects will be scanned when exit programs are registered with any of the integrated file system scan-related exit points. The integrated file system scan-related exit points are:
v QIBM_QP0L_SCAN_OPEN   Integrated file system scan on open exit.
v QIBM_QP0L_SCAN_CLOSE  Integrated file system scan on close exit.

For more information about integrated file systems, see the Integrated file system topic.
Table 18. Possible values for the QSCANFS system value:
*NONE       No integrated file system objects will be scanned.
*ROOTOPNUD  Objects of type *STMF that are in *TYPE2 directories in the "root" (/), QOpenSys, and user-defined file systems will be scanned.

Recommended value: The recommended value is *ROOTOPNUD so that the "root" (/), QOpenSys and user-defined file systems are scanned when anyone registers exit programs with the integrated file system scan-related exit points.

Related reference
Scan File Systems Control (QSCANFSCTL)
The Scan File Systems Control (QSCANFSCTL) system value controls the integrated file system scanning that is enabled when exit programs are registered with any of the integrated file system scan-related exit points.

Related information
*TYPE2 directories

Scan File Systems Control (QSCANFSCTL)


The Scan File Systems Control (QSCANFSCTL) system value controls the integrated file system scanning that is enabled when exit programs are registered with any of the integrated file system scan-related exit points. QSCANFSCTL works with the scan file systems system value to provide granular controls on how and what is scanned in the integrated file system. You can choose different scanning options or you can select to use default scan options. Also, you can select several scan options which control how and what the registered exit programs will scan. These options are described in the following table:

Table 19. Possible values for the QSCANFSCTL system value:
*NONE       No controls are being specified for the integrated file system scan-related exit points.
*ERRFAIL    If there are errors when calling the exit program (for example, program not found or the exit program signals an error), the system will fail the request which triggered the exit program call. If this is not specified, the system will skip the exit program and treat it as if the object was not scanned.
*FSVRONLY   Only accesses through the file servers will be scanned. For example, accesses through Network File System will be scanned as well as other file server methods. If this is not specified, all accesses will be scanned.
*NOFAILCLO  The system will not fail the close requests with an indication of scan failure, even if the object failed a scan which was done as part of the close processing. Also, this value will override the *ERRFAIL specification for the close processing, but not for any other scan-related exit points.
*NOPOSTRST  After objects are restored, they will not be scanned just because they were restored. If the object attribute is that "the object will not be scanned", the object will not be scanned at any time. If the object attribute is that "the object will be scanned only if it has been modified since the last time it was scanned", the object will only be scanned if it is modified after being restored. If *NOPOSTRST is not specified, objects will be scanned at least once after being restored. If the object attribute is that "the object will not be scanned", the object will be scanned once after being restored. If the object attribute is that "the object will be scanned only if it has been modified since the last time it was scanned", the object will be scanned after being restored because the restore will be treated as a modification to the object. In general, it may be dangerous to restore objects without scanning them at least once. It is best to use this option only when you know that the objects were scanned before they were saved or they came from a trusted source.
*NOWRTUPG   The system will not attempt to upgrade the access for the scan descriptor passed to the exit program to include write access. If this is not specified, the system will attempt to do the write access upgrade.
*USEOCOATR  The system will use the specification of the "object change only" attribute to only scan the object if it has been modified (not also because scan software has indicated an update). If this is not specified, this "object change only" attribute will not be used, and the object will be scanned after it is modified and when scan software indicates an update.

Recommended value: If you want the most restrictive values specified for integrated file system scanning, the recommended settings are *ERRFAIL and *NOWRTUPG. This ensures that any failure from the scan exit programs prevents the associated operations, and that the exit program is not given additional access levels. However, the *NONE value is a good option for most users. When installing code that is shipped from a trusted source, it is recommended that *NOPOSTRST be specified during that install time period.

Related reference
Scan File Systems (QSCANFS) on page 33
The Scan File Systems (QSCANFS) system value allows you the option to specify the integrated file system in which objects will be scanned.

Share Memory Control (QSHRMEMCTL)


The Share Memory Control (QSHRMEMCTL) system value defines which users are allowed to use shared memory or mapped memory that has write capability.

Your environment may contain applications, each running different jobs, but sharing pointers within these applications. Using the shared-memory and memory-mapping APIs provides for better application performance and streamlines application development by allowing shared memory and stream files among these different applications and jobs. However, use of these APIs might potentially pose a risk to your system and assets. A programmer can have write access and can add, change, and delete entries in the shared memory or stream file.

To change this system value, users must have *ALLOBJ and *SECADM special authorities. A change to this system value takes effect immediately.

Note: This system value is a restricted value. See Security system values for details on how to restrict changes to security system values and a complete list of the restricted system values.
Table 20. Possible values for the QSHRMEMCTL system value:
0  Users cannot use shared memory, or use mapped memory that has write capability. This value means that users cannot use shared-memory APIs (for example, shmat() Shared Memory Attach API), and cannot use mapped memory objects that have write capability (for example, mmap() Memory Map a File API provides this function). Use this value in environments with higher security requirements.
1  Users can use shared memory or mapped memory that has write capability. This value means that users can use shared-memory APIs (for example, shmat() Shared Memory Attach API), and can use mapped memory objects that have write capability (for example, mmap() Memory Map a File API provides this function).

Recommended value: 1

Use Adopted Authority (QUSEADPAUT)


The Use Adopted Authority (QUSEADPAUT) system value defines which users can create programs with the use adopted authority (*USEADPAUT(*YES)) attribute. All users authorized by the QUSEADPAUT system value can create or change programs and service programs to use adopted authority if the user has the necessary authority to the program or service program. The system value can contain the name of an authorization list. The user's authority is checked against this list. If the user has at least *USE authority to the named authorization list, the user can create, change, or update programs or service programs with the USEADPAUT(*YES) attribute. The authority to the authorization list cannot come from adopted authority.
If an authorization list is named in the system value and the authorization list is missing, the function being attempted will not complete. A message is sent indicating this. However, if the program is created with the QPRCRTPG API, and the *NOADPAUT value is specified in the option template, the program creates successfully even if the authorization list does not exist. If more than one function is requested on the command or API, and the authorization list is missing, the function is not performed.
Note: This system value is a restricted value. See Security system values for details on how to restrict changes to security system values and a complete list of the restricted system values.
Table 21. Possible values for the QUSEADPAUT system value:
authorization list name
    A diagnostic message is signaled to indicate that the program is created with USEADPAUT(*NO) if all of the following are true:
    v The user does not have authority to the specified authorization list.
    v There are no other errors when the program or service program is created.
*NONE
    All users can create, change, or update programs and service programs to use the authority of the program which called them if the user has the necessary authority to the program or service program. *NONE indicates that no authorization list is used and by default all users will be allowed to access programs that use adopted authority.

Recommended value: For production machines, create an authorization list with authority of *PUBLIC(*EXCLUDE). Specify this authorization list for the QUSEADPAUT system value. This prevents anyone from creating programs that use adopted authority. You should carefully consider the security design of your application before creating the authorization list for the QUSEADPAUT system value. This is especially important for application development environments.

Security-related system values


This topic introduces the security-related system values on your i5/OS operating system.
Overview:
Purpose: Specify system values that relate to security on the system.
How To: WRKSYSVAL (Work with System Values command)
Authority: *ALLOBJ and *SECADM
Journal Entry: SV
Note: Changes take effect immediately. IPL is not required.

The following are descriptions of additional system values that relate to security on your system. These system values are not included in the *SEC group on the Work with System Values display.
QAUTOCFG Automatic device configuration
QAUTOVRT Automatic configuration of virtual devices
QDEVRCYACN Device recovery action
QDSCJOBITV Disconnected job time-out interval
    Note: This system value is also discussed in the Jobs system values: Time-out interval for disconnected jobs topic.
QRMTSRVATR Remote service attribute
QSSLCSL Secure Sockets Layer (SSL) cipher specification list
QSSLCSLCTL Secure Sockets Layer (SSL) cipher control
QSSLPCL Secure Sockets Layer (SSL) protocols
Related concepts
Validation of programs being restored on page 17
When a program is created, the system calculates a validation value, which is stored with the program. When the program is restored, the validation value is calculated again and compared to the validation value that is stored with the program.

Automatic Device Configuration (QAUTOCFG)


The Automatic Device Configuration (QAUTOCFG) system value automatically configures locally attached devices. The value specifies whether devices that are added to the system are configured automatically.
Note: This system value is a restricted value. See Security system values for details on how to restrict changes to security system values and a complete list of the restricted system values.
Table 22. Possible values for the QAUTOCFG system value:
0
    Automatic configuration is off. You must configure manually any new local controllers or devices that you add to your system.
1
    Automatic configuration is on. The system automatically configures any new local controllers or devices that you add to your system. The operator receives a message that indicates the changes to the system's configuration.

Recommended value: When initiating system setup or when adding many new devices, the system value should be set to 1. At all other times the system value should be set at 0.

Automatic Configuration of Virtual Devices (QAUTOVRT)


The Automatic Configuration of Virtual Devices (QAUTOVRT) system value specifies whether pass-through virtual devices and TELNET full screen virtual devices (as opposed to the workstation function virtual device) are automatically configured. A virtual device is a device description that does not have hardware associated with it. It is used to form a connection between a user and a physical workstation attached to a remote system.
Allowing the system to automatically configure virtual devices makes it easier for users to break into your system using pass-through or telnet. Without automatic configuration, a user attempting to break in has a limited number of attempts at each virtual device. The limit is defined by the security officer using the QMAXSIGN system value. With automatic configuration active, the actual limit is higher. The system sign-on limit is multiplied by the number of virtual devices that can be created by the automatic configuration support. This support is defined by the QAUTOVRT system value.
Note: This system value is a restricted value. See Security system values for details on how to restrict changes to security system values and a complete list of the restricted system values.
Table 23. Possible values for the QAUTOVRT system value:
0
    No virtual devices are created automatically.
number-of-virtual-devices
    Specify a value 1 through 9999. If fewer than the specified number of devices are attached to a virtual controller and no device is available when a user attempts pass-through or full screen TELNET, the system configures a new device.

Recommended value: 0
Related information
Remote Workstation Support
TCP/IP setup

Device Recovery Action (QDEVRCYACN)


The Device Recovery Action (QDEVRCYACN) system value specifies what action to take when an I/O error occurs for an interactive job's workstation.
Note: This system value is a restricted value. See Security system values for details on how to restrict changes to security system values and a complete list of the restricted system values.
Table 24. Possible values for the QDEVRCYACN system value:
*DSCMSG
    Disconnects the job. When signing on again, an error message is sent to the user's application program.
*MSG
    Signals the I/O error message to the user's application program. The application program performs error recovery.
*DSCENDRQS
    Disconnects the job. When signing on again, a cancel request function is performed to return control of the job back to the last request level.
*ENDJOB
    Ends the job. A job log is produced for the job. A message indicating that the job ended because of the device error is sent to the job log and the QHST log. To minimize the performance effect of the ending job, the job's priority is lowered by 10, the time slice is set to 100 milliseconds and the purge attribute is set to yes.
*ENDJOBNOLIST
    Ends the job. A job log is not produced for the job. A message is sent to the QHST log indicating that the job ended because of the device error.

When a value of *MSG or *DSCMSG is specified, the device recovery action is not performed until the job performs the next I/O operation. In a LAN/WAN environment, this allows one device to disconnect and another to connect, using the same address, before the next I/O operation for the job occurs. The job can recover from the I/O error message and continue running to the second device. To avoid this, specify a device recovery action of *DSCENDRQS, *ENDJOB, or *ENDJOBNOLIST. These device recovery actions are performed immediately when an I/O error, such as a power-off operation, occurs.
Recommended value: *DSCMSG
Note: *ALLOBJ and *SECADM special authorities are not required to change this value.

Disconnected Job Time-Out Interval (QDSCJOBITV)


The Disconnected Job Time-Out Interval (QDSCJOBITV) system value determines if and when the system ends a disconnected job. The interval is specified in minutes. If you set the QINACTMSGQ system value to disconnect inactive jobs (*DSCJOB), you should set the QDSCJOBITV to end the disconnected jobs eventually. A disconnected job uses up system resources, as well as retaining any locks on objects.


Note: This system value is a restricted value. See Security system values for details on how to restrict changes to security system values and a complete list of the restricted system values.
Table 25. Possible values for the QDSCJOBITV system value:
240
    The system ends a disconnected job after 240 minutes.
*NONE
    The system does not automatically end a disconnected job.
time-in-minutes
    Specify a value between 5 and 1440.

Recommended value: 120

Remote Service Attribute (QRMTSRVATR)


The Remote Service Attribute (QRMTSRVATR) controls the remote system service problem analysis ability. The value allows the system to be analyzed remotely.
Note: This system value is a restricted value. See Security system values for details on how to restrict changes to security system values and a complete list of the restricted system values.
The values allowed for the QRMTSRVATR system value are:
Table 26. Possible values for the QRMTSRVATR system value:
0
    Remote service attribute is off.
1
    Remote service attribute is on.

Recommended value: 0
Related concepts
Keylock security on page 2
You can retrieve and change the keylock position by using the Retrieve IPL Attributes (QWCRIPLA) API or the Change IPL Attributes (CHGIPLA) command.

Secure Sockets Layer (SSL) cipher specification list (QSSLCSL)


The Secure Sockets Layer cipher specification list (QSSLCSL) system value determines what cipher specification list will be supported by System SSL. System SSL uses the sequence of the values in QSSLCSL to order the System SSL default cipher specification list. The default cipher specification list entries are system defined and can be changed on release boundaries. If a default cipher suite is removed from the QSSLCSL system value, it is also removed from the default cipher specification list. The default cipher suite is added back to the default cipher specification list when the cipher suite is added back into the QSSLCSL system value. You cannot add other cipher suites to the default cipher specification list beyond the system defined set for the release. In addition, a cipher suite cannot be added to QSSLCSL if the required SSL protocol value for the cipher suite is not set for the QSSLPCL (SSL protocol list) system value. The values of the QSSLCSL system value are read-only unless the SSL cipher control (QSSLCSLCTL) system value is set to *USRDFN.
The values allowed for the QSSLCSL system value are as follows:
v *RSA_AES_128_CBC_SHA
v *RSA_RC4_128_SHA
v *RSA_RC4_128_MD5
v *RSA_AES_256_CBC_SHA
v *RSA_3DES_EDE_CBC_SHA
v *RSA_DES_CBC_SHA
v *RSA_EXPORT_RC4_40_MD5
v *RSA_EXPORT_RC2_CBC_40_MD5
v *RSA_NULL_SHA
v *RSA_NULL_MD5
v *RSA_RC2_CBC_128_MD5
v *RSA_3DES_EDE_CBC_MD5
v *RSA_DES_CBC_MD5
Note: You must have *IOSYSCFG, *ALLOBJ, and *SECADM special authorities to change this system value. You can refer to the Secure Sockets Layer cipher specification list topic in the System values topic collection for more information about the shipped values.
Related information
Security system values: Secure Sockets Layer cipher specification list
System SSL Properties

Secure Sockets Layer (SSL) cipher control (QSSLCSLCTL)


The Secure Sockets Layer cipher control (QSSLCSLCTL) system value specifies whether the system or the user controls the Secure Sockets Layer cipher specification list (QSSLCSL) system value.
The values allowed for the QSSLCSLCTL system value are as follows:
v *OPSYS
v *USRDFN
Note: You must have *IOSYSCFG, *ALLOBJ, and *SECADM special authorities to change this system value. You can refer to the Secure Sockets Layer cipher control topic in the System values topic collection for more information about the shipped values.
Related information
Security system values: Secure Sockets Layer cipher control

Secure Sockets Layer (SSL) protocols (QSSLPCL)


The Secure Sockets Layer protocols (QSSLPCL) system value specifies the Secure Sockets Layer (SSL) protocols supported by System SSL.
The values allowed for the QSSLPCL system value are as follows:
v *OPSYS
v *TLSV1
v *SSLV2
v *SSLV3
Note: You must have *IOSYSCFG, *ALLOBJ, and *SECADM special authorities to change this system value. You can refer to the Secure Sockets Layer protocols topic in the System values topic collection for more information about the shipped values.
Related information
Security system values: Secure Sockets Layer protocols

Security-related restore system values


This topic introduces the security-related restore system values on your i5/OS operating system.
Overview:
Purpose: Controls how and which security-related objects are restored on the system.
How To: WRKSYSVAL *SEC (Work with System Values command)
Authority: *ALLOBJ and *SECADM
Journal Entry: SV
Note: Changes take effect immediately. IPL is not required.

The following are descriptions of system values that relate to restoring security-related objects on the system and should be considered when restoring objects. See Table 19 on page 34 for more information about the QSCANFSCTL *NOPOSTRST system value.
QVFYOBJRST Verify object on restore
QFRCCVNRST Force conversion on restore
QALWOBJRST Allow restoring of security sensitive objects
Descriptions of these system values follow. For each value, the possible choices are shown. The choices that are underlined are the system-supplied defaults.
Related concepts
Restoring programs on page 252
Restoring programs to your system that are obtained from an unknown source poses a security exposure. This topic provides information about the factors that should be taken into consideration when restoring programs.

Verify Object on Restore (QVFYOBJRST)


The Verify Object on Restore (QVFYOBJRST) system value determines whether objects are required to have digital signatures in order to be restored to your system. You can prevent anyone from restoring an object, unless that object has a correct digital signature from a trusted software provider. This value applies to objects of types: *PGM, *SRVPGM, *SQLPKG, *CMD and *MODULE. It also applies to *STMF objects which contain Java programs.
When an attempt is made to restore an object onto the system, three system values work together as filters to determine if the object is allowed to be restored. The first filter is the Verify Object on Restore (QVFYOBJRST) system value. It is used to control the restore of some objects that can be digitally signed. The second filter is the Force Conversion on Restore (QFRCCVNRST) system value. This system value allows you to specify whether to convert programs, service programs, SQL packages, and module objects during the restore. It can also prevent some objects from being restored. Only objects that can get past the first two filters are processed by the third filter. The third filter is the Allow Object on Restore (QALWOBJRST) system value. It specifies whether objects with security-sensitive attributes can be restored.
If Digital Certificate Manager (i5/OS option 34) is not installed on the system, all objects except those signed by a system trusted source are treated as unsigned when determining the effects of the QVFYOBJRST system value during a restore operation. Program, service program and module objects that are created or converted on a system with a release before V6R1 are treated as unsigned when they are restored to a V6R1 or later system. Likewise, program, service program and module objects that are created or converted on a V6R1 or later release are treated as unsigned when they are restored to a system before V6R1. A change to this system value takes effect immediately.
Notes:
1. This system value is a restricted value. See Security system values for details on how to restrict changes to security system values and a complete list of the restricted system values.
2. Objects that have the system-state attribute and objects that have the inherit-state attribute are required to have a valid signature from a system-trusted source. Objects in Licensed Internal Code PTFs are also required to have a valid signature from a system-trusted source. If these objects do not have a valid signature, they cannot be restored, regardless of the value of the QVFYOBJRST system value.
Attention: When your system is shipped, the QVFYOBJRST system value is set to 3. If you change the value of QVFYOBJRST, it is important to set the QVFYOBJRST value to 3 or lower before installing a new release of the i5/OS operating system.
Table 27. Possible values for the QVFYOBJRST system value:
1
    Do not verify signatures on restore. Restore all user-state objects regardless of their signature. Do not use this value unless you have signed objects to restore which will fail their signature verification for some acceptable reason.
2
    Verify objects on restore. Restore unsigned commands and user-state objects. Restore signed commands and user-state objects, even if the signatures are not valid. Use this value only if certain objects that you want to restore contain signatures that are not valid. In general, it is not recommended to restore objects with signatures that are not valid on your system.
3
    Verify signatures on restore. Restore unsigned commands and user-state objects. Restore signed commands and user-state objects only if the signatures are valid. Use this value for normal operations, when you expect some of the objects you restore to be unsigned, but you want to ensure that all signed objects have signatures that are valid. Commands and programs you have created or purchased before digital signatures were available will be unsigned. This value allows those commands and programs to be restored. This is the default value.
4
    Verify signatures on restore. Do not restore unsigned commands and user-state objects. Restore signed commands and user-state objects, even if the signatures are not valid. Use this value only if certain objects that you want to restore contain signatures that are not valid, but you do not want the possibility of unsigned objects being restored. In general, it is not recommended to restore objects with signatures that are not valid on your system.
5
    Verify signatures on restore. Do not restore unsigned commands and user-state objects. Restore signed commands and user-state objects only if the signatures are valid. This value is the most restrictive value and should be used when the only objects you want to be restored are those which have been signed by trusted sources.

Some commands use a signature that does not include all parts of the object. Some parts of the command are not signed while other parts are only signed when they contain a non-default value. This type of signature allows some changes to be made to the command without invalidating its signature. Examples of changes that will not invalidate these types of signatures include:
v Changing command defaults.
v Adding a validity checking program to a command that does not have one.
v Changing the "where allowed to run" parameter.
v Changing the "allow limited user" parameter.
If you like, you can add your own signature to these commands that includes these areas of the command object.
Recommended value: 3

Force Conversion on Restore (QFRCCVNRST)


The Force Conversion on Restore (QFRCCVNRST) system value can force the conversion of some object types during a restore. This system value can also prevent some objects from being restored. The QFRCCVNRST system value specifies whether to convert the following object types during a restore:
v program (*PGM)
v service program (*SRVPGM)
v SQL Package (*SQLPKG)
v module (*MODULE)
An object which is specified to be converted by the system value, but cannot be converted because it does not contain sufficient creation data, will not be restored.
The *SYSVAL value for the FRCOBJCVN parameter on the restore commands (RST, RSTLIB, RSTOBJ, RSTLICPGM) uses the value of this system value. Therefore, you can turn on and turn off conversion for the entire system by changing the QFRCCVNRST value. However, the FRCOBJCVN parameter overrides the system value in some cases. Specifying *YES and *ALL on the FRCOBJCVN parameter will override all settings of the system value. Specifying *YES and *RQD on the FRCOBJCVN parameter is the same as specifying '2' for this system value and can override the system value when it is set to 0 or 1.
QFRCCVNRST is the second of three system values that work consecutively as filters to determine if an object is allowed to be restored, or if it is converted during the restore. The first filter, the Verify Object on Restore (QVFYOBJRST) system value, controls the restore of some objects that can be digitally signed. Only objects that can get past the first two filters are processed by the third filter, the Allow Object Restore (QALWOBJRST) system value, which specifies whether objects with security-sensitive attributes can be restored.
If Digital Certificate Manager (i5/OS option 34) is not installed on the system, all objects except those signed by a system trusted source are treated as unsigned when determining the effects of the QFRCCVNRST system value during a restore operation. Program, service program and module objects that are created or converted on a system with a release before V6R1 are treated as unsigned when they are restored to a V6R1 or later system. Likewise, program, service program and module objects that are created or converted on a V6R1 or later release are treated as unsigned when they are restored to a system before V6R1.
The shipped value of QFRCCVNRST is 1. For all values of QFRCCVNRST an object which should be converted but cannot be converted will not be restored. Objects digitally signed by a system trusted source are restored without conversion for all values of this system value.
Note: This system value is a restricted value. See Security system values for details on how to restrict changes to security system values and a complete list of the restricted system values.
The following table summarizes the allowed values for QFRCCVNRST:
Table 28. QFRCCVNRST values
0
    Do not convert anything. Do not prevent anything from being restored.
1
    Objects with validation errors will be converted.
2
    Objects will be converted if their conversion is required for the current operating system or the current machine, or if they have a validation error.
3
    Objects which are suspected of having been tampered with, objects which contain validation errors, and objects which require conversion to be used on the current version of the operating system or on the current machine will be converted.
4
    Objects which contain sufficient creation data to be converted and do not have valid digital signatures will be converted. An object that does not contain sufficient creation data will be restored without conversion.
    Note: Objects (signed and unsigned) that have validation errors, are suspected of having been tampered with, or require conversion to be used on the current version of the operating system or on the current machine will be converted; or will fail to restore if they do not convert.
5
    Objects that contain sufficient creation data will be converted. An object that does not contain sufficient creation data to be converted will be restored.
    Note: Objects that have validation errors, are suspected of having been tampered with, or require conversion to be used on the current version of the operating system or on the current machine that cannot be converted will not restore.
6
    All objects which do not have a valid digital signature will be converted.
    Note: An object with a valid digital signature that also has a validation error or is suspected of having been tampered with will be converted, or if it cannot be converted, it will not be restored.
7
    Every object will be converted.

When an object is converted, its digital signature is discarded. The state of the converted object is user state. Converted objects will have a good validation value and are not suspected of having been tampered with.

Recommended value: 3 or higher

Allow Restoring of Security-Sensitive Objects (QALWOBJRST)


The Allow Restoring of Security-Sensitive Objects (QALWOBJRST) system value determines whether objects that are security-sensitive may be restored to your system. When an attempt is made to restore an object onto the system, three system values work together as filters to determine if the object is allowed to be restored, or if it is converted during the restore. The first filter is the Verify Object on Restore (QVFYOBJRST) system value. It is used to control the restore of some objects that can be digitally signed. The second filter is the Force Conversion on Restore (QFRCCVNRST) system value. This system value allows you to specify whether to convert programs, service programs, SQL packages, and module objects during the restore. It can also prevent some objects from being restored. Only objects that can get past the first two filters are processed by the third filter. The third filter is the Allow Object on Restore (QALWOBJRST) system value. It specifies whether objects with security-sensitive attributes can be restored. You can use it to prevent anyone from restoring a system state object or an object that adopts authority.
When your system is shipped, the QALWOBJRST system value is set to *ALL. This value is necessary to install your system successfully.
ATTENTION: It is important to set the QALWOBJRST value to *ALL before performing some system activities, such as:
v Installing a new release of the i5/OS licensed program.
v Installing new licensed programs.
v Recovering your system.
These activities may fail if the QALWOBJRST value is not *ALL. To ensure system security, return the QALWOBJRST value to your normal setting after completing the system activity.
Note: This system value is a restricted value. See Security system values for details on how to restrict changes to security system values and a complete list of the restricted system values.
You can specify multiple values for the QALWOBJRST system value, unless you specify *ALL or *NONE.
Table 29. Possible values for the QALWOBJRST system value:
*ALL
    Any object can be restored to your system by a user with the correct authority.
*NONE
    Security-sensitive objects, such as system state programs or programs that adopt authority, cannot be restored to the system.
*ALWSYSSTT
    System and inherit state objects can be restored to the system.
*ALWPGMADP
    Objects that adopt authority can be restored to the system.
*ALWPTF
    System and inherit state objects, objects that adopt authority, objects that have the S_ISUID (set-user-ID) attribute enabled, and objects that have the S_ISGID (set-group-ID) attribute enabled can be restored to the system during PTF install.
*ALWSETUID
    Allow restore of files that have the S_ISUID (set-user-ID) attribute enabled.
*ALWSETGID
    Allow restore of files that have the S_ISGID (set-group-ID) attribute enabled.
*ALWVLDERR
    Allow restore of objects that do not pass the object validation tests. If the setting of the QFRCCVNRST system value causes the object to be converted, its validation errors will have been corrected.

Recommended value: The QALWOBJRST system value provides a method to protect your system from programs that may cause serious problems. For normal operations, consider setting this value to *NONE. Remember to change it to *ALL before performing the activities listed previously. If you regularly restore programs and applications to your system, you might need to set the QALWOBJRST system value to *ALWPGMADP.
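To see how the three restore filters interact, here is an added Python model of the decision rules described above for QVFYOBJRST, QFRCCVNRST and QALWOBJRST. It is example code written for this page, not IBM i code; the object attributes, object names and sample objects are constructed, and *ALWPTF (PTF install only) is not modelled.

```python
from dataclasses import dataclass, replace

SIGNABLE = {"*PGM", "*SRVPGM", "*SQLPKG", "*CMD", "*MODULE"}  # QVFYOBJRST scope
CONVERTIBLE = {"*PGM", "*SRVPGM", "*SQLPKG", "*MODULE"}       # QFRCCVNRST scope


@dataclass(frozen=True)
class RestoreObject:
    """Attributes of an object on the save media (constructed sample data)."""
    name: str
    obj_type: str
    signed: bool = False            # carries a digital signature
    signature_valid: bool = False   # the signature verifies
    trusted_signer: bool = False    # signed by a system-trusted source
    system_state: bool = False      # system-state or inherit-state attribute
    adopts_authority: bool = False  # program adopts its owner's authority
    setuid: bool = False            # S_ISUID attribute
    setgid: bool = False            # S_ISGID attribute
    validation_error: bool = False  # fails the object validation tests
    tampered: bool = False          # suspected of having been tampered with
    needs_conversion: bool = False  # conversion required for this OS/machine
    has_creation_data: bool = True  # enough creation data to be converted


def verify_filter(obj, qvfyobjrst, dcm_installed=True):
    """Filter 1, QVFYOBJRST (1-5): True when the object may proceed."""
    if obj.obj_type not in SIGNABLE:
        return True
    trusted = obj.signed and obj.signature_valid and obj.trusted_signer
    if obj.system_state:                   # always needs a trusted signature
        return trusted
    signed, valid = obj.signed, obj.signature_valid
    if not dcm_installed and not trusted:  # treated as unsigned without DCM
        signed = valid = False
    if qvfyobjrst == 1:
        return True
    if not signed:
        return qvfyobjrst in (2, 3)        # 4 and 5 reject unsigned objects
    return qvfyobjrst in (2, 4) or valid   # 3 and 5 need a valid signature


def convert_filter(obj, qfrccvnrst):
    """Filter 2, QFRCCVNRST (0-7): returns the (possibly converted) object,
    or None when conversion is mandatory but the object cannot be converted."""
    valid_sig = obj.signed and obj.signature_valid
    if obj.obj_type not in CONVERTIBLE or (valid_sig and obj.trusted_signer):
        return obj                         # trusted-signed: restored as-is
    required = ((qfrccvnrst >= 1 and obj.validation_error)
                or (qfrccvnrst >= 2 and obj.needs_conversion)
                or (qfrccvnrst >= 3 and obj.tampered)
                or (qfrccvnrst == 6 and not valid_sig)
                or qfrccvnrst == 7)
    optional = (qfrccvnrst == 4 and not valid_sig) or qfrccvnrst == 5
    if required and not obj.has_creation_data:
        return None
    if (required or optional) and obj.has_creation_data:
        # conversion discards the signature, yields user state, clears errors
        return replace(obj, signed=False, signature_valid=False,
                       trusted_signer=False, system_state=False,
                       validation_error=False, tampered=False,
                       needs_conversion=False)
    return obj


def allow_filter(obj, qalwobjrst):
    """Filter 3, QALWOBJRST, given as a set of values (*ALWPTF not modelled)."""
    if "*ALL" in qalwobjrst:
        return True
    flags = [("*ALWSYSSTT", obj.system_state), ("*ALWPGMADP", obj.adopts_authority),
             ("*ALWSETUID", obj.setuid), ("*ALWSETGID", obj.setgid),
             ("*ALWVLDERR", obj.validation_error)]
    needed = {value for value, present in flags if present}
    return not needed if "*NONE" in qalwobjrst else needed <= set(qalwobjrst)


def restore(obj, qvfyobjrst=3, qfrccvnrst=1, qalwobjrst=("*ALL",),
            dcm_installed=True):
    """Run the three filters in order; returns (restored, converted, reason)."""
    if not verify_filter(obj, qvfyobjrst, dcm_installed):
        return False, False, "rejected by QVFYOBJRST"
    after = convert_filter(obj, qfrccvnrst)
    if after is None:
        return False, False, "QFRCCVNRST requires conversion but none is possible"
    converted = after is not obj
    if not allow_filter(after, qalwobjrst):
        return False, converted, "rejected by QALWOBJRST"
    return True, converted, "restored"


# Constructed sample objects with hypothetical names
LEGACY = RestoreObject("OLDPGM", "*PGM", adopts_authority=True)
VENDOR = RestoreObject("VENDPGM", "*PGM", signed=True, signature_valid=True)
SUSPECT = RestoreObject("BADPGM", "*PGM", tampered=True, validation_error=True,
                        has_creation_data=False)

if __name__ == "__main__":
    print("shipped values:", restore(LEGACY))
    print("QVFYOBJRST(5) rejects unsigned:", restore(LEGACY, qvfyobjrst=5))
    print("QFRCCVNRST(3) on suspect object:", restore(SUSPECT, qfrccvnrst=3))
```

The defaults of restore() are the shipped values (3, 1 and *ALL); pass other values to see which filter stops a given object and whether it was converted on the way.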


System values that apply to passwords


This topic describes the system values that apply to passwords. These system values require users to change passwords regularly and help prevent users from assigning trivial, easily guessed passwords. They can also make sure passwords meet the requirements of your communications network.
Overview:
Purpose: Specify system values to set requirements for the passwords users assign.
How To: WRKSYSVAL *SEC (Work with System Values command)
Authority: *ALLOBJ and *SECADM
Journal Entry: SV
Note: Changes take effect immediately (except for QPWDLVL). IPL is not required.

The following system values control passwords:
QPWDCHGBLK Block password change
QPWDEXPITV Expiration interval
QPWDEXPWRN Password expiration warning
QPWDLVL Password level
QPWDLMTCHR Restricted characters
QPWDLMTAJC Restrict adjacent characters
QPWDLMTREP Restrict repeating characters
QPWDMINLEN Minimum length
QPWDMAXLEN Maximum length
QPWDPOSDIF Character position difference
QPWDRQDDIF Required difference
QPWDRQDDGT Require numeric character
QPWDRULES Password rules
QPWDVLDPGM Password validation program


The password-composition system values are enforced only when the password is changed using the CHGPWD command, the ASSIST menu option to change a password, or the QSYCHGPW application programming interface (API). They are not enforced when the password is set using the CRTUSRPRF or CHGUSRPRF command. The system prevents a user from setting the password equal to the user profile name using the CHGPWD command, the ASSIST menu, or the QSYCHGPW API in any of the following conditions.
v The Password Rules (QPWDRULES) system value has a value of *PWDSYSVAL and the Password Minimum Length (QPWDMINLEN) system value has a value other than 1.
v The Password Rules (QPWDRULES) system value has a value of *PWDSYSVAL and the Password Maximum Length (QPWDMAXLEN) system value has a value other than 10.
v The Password Rules (QPWDRULES) system value has a value of *PWDSYSVAL and you change any of the other password-control system values from the defaults.
If a password is forgotten, the security officer can use the Change User Profile (CHGUSRPRF) command to set the password equal to the profile name or to any other value. The Set password to expired field in the user profile can be used to require that a password be changed the next time the user signs on.
Related information
System values: Password overview

Block Password Change (QPWDCHGBLK)


The Block Password Change (QPWDCHGBLK) system value specifies the time period during which a password is blocked from being changed after the prior successful password change operation. A change to this system value takes effect immediately. Note: This system value is a restricted value. Refer to the Security System Values topic for details on how to restrict changes to security system values and a complete list of the restricted system values.
Table 30. Possible values for the QPWDCHGBLK system value:

*NONE    The password can be changed at any time.
1 - 99   A password cannot be changed within the specified number of hours after the prior successful password change operation.

Password Expiration Interval (QPWDEXPITV)


The Password Expiration Interval (QPWDEXPITV) system value controls the number of days allowed before a password must be changed. If a user attempts to sign on after the password has expired, the system shows a display requiring that the password be changed before the user is allowed to sign on.
                            Sign-on Information
                                                        System:
Password has expired. Password must be changed to continue sign-on request.

Previous sign-on . . . . . . . . . . . . . :   10/30/99   14:15:00
Sign-on attempts not valid . . . . . . . . :   3

Note: This system value is a restricted value. See Security system values for details on how to restrict changes to security system values and a complete list of the restricted system values.
Chapter 3. Security system values

47

Table 31. Possible values for the QPWDEXPITV system value:

*NOMAX          Users are not required to change their passwords.
limit-in-days   Specify a value from 1 through 366.

Recommended value: 30 to 90

Note: A password expiration interval can also be specified in individual user profiles.

Password Expiration Warning (QPWDEXPWRN)


The Password Expiration Warning (QPWDEXPWRN) system value specifies the number of days before a password expiration to begin displaying the password expiration warning messages when a user signs on. A change to this system value takes effect immediately.

Note: This system value is a restricted value. Refer to the Security System Values topic for details on how to restrict changes to security system values and a complete list of the restricted system values.
Table 32. Possible values for the QPWDEXPWRN system value:

7        Specifies that the password expiration warning message should start to be displayed 7 days before the password expiration.
1 - 99   Specifies the number of days before the password expiration to begin displaying the password expiration warning message.

Recommended value: 14 (days)

Password Level (QPWDLVL)


The password level of the system can be set to allow for user profile passwords from 1-10 characters or to allow for user profile passwords from 1-128 characters. The password level can be set to allow a passphrase as the password value. The term passphrase is sometimes used in the computer industry to describe a password value which can be very long and has few, if any, restrictions on the characters used in the password value. Blanks can be used between letters in a passphrase, which allows you to have a password value that is a sentence or sentence fragment. The only restrictions on a passphrase are that it cannot start with an asterisk (*) and trailing blanks will be removed. Before changing the password level of your system, review the section Planning password level changes. Note: This system value is a restricted value. See Security system values for details on how to restrict changes to security system values and a complete list of the restricted system values.


Table 33. Possible values for the QPWDLVL system value:

0   The system supports user profile passwords with a length of 1-10 characters. The allowable characters are A-Z, 0-9 and the characters $, @, # and underline.
    • QPWDLVL 0 should be used if your system communicates with other System i platforms in a network and those systems are running with either a QPWDLVL value of 0 or an operating system release less than V5R1M0.
    • QPWDLVL 0 should be used if your system communicates with any other system that limits the length of passwords from 1-10 characters.
    • QPWDLVL 0 must be used if your system communicates with the i5/OS Support for Windows Network Neighborhood (i5/OS NetServer) product and your system communicates with other systems using passwords from 1-10 characters.
    When the QPWDLVL value of the system is set to 0, the operating system will create the encrypted password for use at QPWDLVL 2 and 3. The password value that can be used at QPWDLVL 2 and 3 will be the same password as is being used at QPWDLVL 0 or 1.

1   QPWDLVL 1 is the equivalent support of QPWDLVL 0 with the following exception: i5/OS NetServer passwords for Windows 95/98/ME clients will be removed from the system.
    Note: The i5/OS NetServer product will work with Windows NT/2000/XP/Vista clients when the password level is 1 or 3. Unless the Windows 95/98/ME clients are configured to use NTLMv2 passwords, you cannot use QPWDLVL value 1 to connect those clients to the i5/OS NetServer product.
    QPWDLVL 1 improves the security of System i platforms by removing all LAN Manager passwords from the system.

2   The system supports user profile passwords from 1-128 characters. Upper and lower case characters are allowed. Passwords can consist of any character and the password will be case sensitive. QPWDLVL 2 is viewed as a compatibility level. This level allows for a move back to QPWDLVL 0 or 1 as long as the password created on QPWDLVL 2 or 3 meets the length and syntax requirements of a password valid on QPWDLVL 0 or 1.
    • QPWDLVL 2 can be used if your system communicates with the i5/OS Support for Windows Network Neighborhood (i5/OS NetServer) product as long as your password is 1-14 characters in length.
    • QPWDLVL 2 cannot be used if your system communicates with other System i platforms in a network and those systems are running with either a QPWDLVL value of 0 or 1 or an operating system release less than V5R1M0.
    • QPWDLVL 2 cannot be used if your system communicates with any other system that limits the length of passwords from 1-10 characters.
    No encrypted passwords are removed from the system when QPWDLVL is changed to 2.

3   The system supports user profile passwords from 1-128 characters. Upper and lower case characters are allowed. Passwords can consist of any character and the password will be case sensitive.
    • QPWDLVL 3 cannot be used if your system communicates with other System i platforms in a network and those systems are running with either a QPWDLVL value of 0 or 1 or an operating system release less than V5R1M0.
    • QPWDLVL 3 cannot be used if your system communicates with any other system that limits the length of passwords from 1-10 characters.
    • QPWDLVL 3 cannot be used if your system communicates with the i5/OS Support for Windows Network Neighborhood (i5/OS NetServer) product.
    Note: The i5/OS NetServer product will work with Windows NT/2000/XP/Vista clients when the password level is 1 or 3.
    All user profile passwords that are used at QPWDLVL 0 and 1 are removed from the system when QPWDLVL is 3. Changing from QPWDLVL 3 back to QPWDLVL 0 or 1 requires a change to QPWDLVL 2 before going to 0 or 1. QPWDLVL 2 allows for the creation of user profile passwords that can be used at QPWDLVL 0 or 1 as long as the length and syntax requirements for the password meet the QPWDLVL 0 or 1 rules.


Changing the password level of the system from 1-10 character passwords to 1-128 character passwords requires careful consideration. If your system communicates with other systems in a network, then all systems must be able to handle the longer passwords. A change to this system value takes effect at the next IPL. To see the current and pending password level values, use the Display Security Attributes (DSPSECA) command.

Minimum Length of Passwords (QPWDMINLEN)


The Minimum Length of Passwords (QPWDMINLEN) system value controls the minimum number of characters in a password.

Notes:
1. This system value is a restricted value. See Security system values for details on how to restrict changes to security system values and a complete list of the restricted system values.
2. If the QPWDRULES system value is any value other than *PWDSYSVAL, this system value cannot be changed and its value will be ignored when new passwords are checked to see if they are formed correctly.
Table 34. Possible values for the QPWDMINLEN system value:

6                              A minimum of six characters are required for passwords.
minimum-number-of-characters   Specify a value of 1 through 10 when the password level (QPWDLVL) system value is 0 or 1. Specify a value of 1 through 128 when the password level (QPWDLVL) system value is 2 or 3.

Recommended value: 6 is recommended to prevent users from assigning passwords that are easily guessed, such as initials or a single character.

Maximum Length of Passwords (QPWDMAXLEN)


The Maximum Length of Passwords (QPWDMAXLEN) system value controls the maximum number of characters in a password. This provides additional security by preventing users from specifying passwords that are too long and need to be recorded somewhere because they cannot be easily remembered. Some communications networks require a password that is 8 characters or less. Use this system value to ensure that passwords meet the requirements of your network.

Notes:
1. This system value is a restricted value. See Security system values for details on how to restrict changes to security system values and a complete list of the restricted system values.
2. If the QPWDRULES system value specifies any value other than *PWDSYSVAL, this system value cannot be changed and its value will be ignored when new passwords are checked to see if they are formed correctly.
Table 35. Possible values for the QPWDMAXLEN system value:

8                              A maximum of eight characters for a password are allowed.
maximum-number-of-characters   Specify a value of 1 through 10 when the password level (QPWDLVL) system value is 0 or 1. Specify a value of 1 through 128 when the password level (QPWDLVL) system value is 2 or 3.

Recommended value: 8


Required Difference in Passwords (QPWDRQDDIF)


The Required Difference in Passwords (QPWDRQDDIF) system value controls whether the password must be different from previous passwords. This value provides additional security by preventing users from specifying passwords that were used previously. It also prevents a user whose password has expired from changing it and then immediately changing it back to the old password.

Note: The value of the QPWDRQDDIF system value determines how many of these previous passwords are checked for a duplicate password. This system value is a restricted value. See Security system values for details on how to restrict changes to security system values and a complete list of the restricted system values.
Table 36. Possible values for the QPWDRQDDIF system value:

Value   Number of previous passwords checked for duplicates
0       0 (duplicate passwords are allowed)
1       32
2       24
3       18
4       12
5       10
6       8
7       6
8       4

Recommended value: Select a value of 5 or less to prevent the use of repeated passwords. Use a combination of the Required Difference in Passwords (QPWDRQDDIF) system value and the Password Expiration Interval (QPWDEXPITV) system value to prevent a password from being reused for at least 6 months. For example, set the QPWDEXPITV system value to 30 (days) and the QPWDRQDDIF system value to 5 (10 unique passwords). This means a typical user, who changes passwords when warned by the system, will not repeat a password for approximately 9 months.

Restricted Characters for Passwords (QPWDLMTCHR)


The Restricted Characters for Passwords (QPWDLMTCHR) system value limits the use of certain characters in a password. This value provides additional security by preventing users from using specific characters, such as vowels, in a password. Restricting vowels prevents users from forming actual words for their passwords. The QPWDLMTCHR system value is not enforced when the password level (QPWDLVL) system value has a value of 2 or 3. The QPWDLMTCHR system value can be changed at QPWDLVL 2 or 3, but will not be enforced until QPWDLVL is changed to a value of 0 or 1.

Notes:
1. This system value is a restricted value. See Security system values for details on how to restrict changes to security system values and a complete list of the restricted system values.
2. If the QPWDRULES system value specifies any value other than *PWDSYSVAL, this system value cannot be changed and its value will be ignored when new passwords are checked to see if they are formed correctly.


Table 37. Possible values for the QPWDLMTCHR system value:

*NONE                   There are no restricted characters for passwords.
restricted-characters   Specify up to 10 restricted characters. The valid characters are A through Z, 0 through 9, and special characters pound (#), dollar ($), at (@), and underline (_).

Recommended value: A, E, I, O, or U. You might also want to prevent special characters (#, $, and @) for compatibility with other systems.

Restriction of Consecutive Digits for Passwords (QPWDLMTAJC)


The Restriction of Consecutive Digits for Passwords (QPWDLMTAJC) system value limits the use of numeric characters next to each other (adjacent) in a password. This value provides additional security by preventing users from using birthdays, telephone numbers, or a sequence of numbers as passwords.

Notes:
1. This system value is a restricted value. See Security system values for details on how to restrict changes to security system values and a complete list of the restricted system values.
2. If the QPWDRULES system value specifies any value other than *PWDSYSVAL, this system value cannot be changed and its value will be ignored when new passwords are checked to see if they are formed correctly.
Table 38. Possible values for the QPWDLMTAJC system value:

0   Numeric characters are allowed next to each other in passwords.
1   Numeric characters are not allowed next to each other in passwords.

Restriction of Repeated Characters for Passwords (QPWDLMTREP)


The Restriction of Repeated Characters for Passwords (QPWDLMTREP) system value limits the use of repeating characters in a password. This value provides additional security by preventing users from specifying passwords that are easy to guess, such as the same character repeated several times. When the password level (QPWDLVL) system value has a value of 2 or 3, the test for repeated characters is case sensitive. This means that a lowercase 'a' is not the same as an uppercase 'A'.

Notes:
1. This system value is a restricted value. See Security system values for details on how to restrict changes to security system values and a complete list of the restricted system values.
2. If the QPWDRULES system value specifies any value other than *PWDSYSVAL, this system value cannot be changed and its value will be ignored when new passwords are checked to see if they are formed correctly.
Table 39. Possible values for the QPWDLMTREP system value:

0   The same characters can be used more than once in a password.
1   The same character cannot be used more than once in a password.
2   The same character cannot be used consecutively in a password.

Table 40 on page 53 shows examples of what passwords are allowed based on the QPWDLMTREP system value.


Table 40. Passwords with repeating characters with QPWDLVL 0 or 1

Password example   QPWDLMTREP value of 0   QPWDLMTREP value of 1   QPWDLMTREP value of 2
A11111             Allowed                 Not allowed             Not allowed
BOBBY              Allowed                 Not allowed             Not allowed
AIRPLANE           Allowed                 Not allowed             Allowed
N707UK             Allowed                 Not allowed             Allowed

Table 41. Passwords with repeating characters with QPWDLVL 2 or 3

Password example   QPWDLMTREP value of 0   QPWDLMTREP value of 1   QPWDLMTREP value of 2
j222222            Allowed                 Not allowed             Not allowed
ReallyFast         Allowed                 Not allowed             Not allowed
Mom'sApPlePie      Allowed                 Not allowed             Allowed
AaBbCcDdEe         Allowed                 Allowed                 Allowed

Character Position Difference for Passwords (QPWDPOSDIF)


The Character Position Difference for Passwords (QPWDPOSDIF) system value controls each position in a new password. This system value provides additional security by preventing users from using the same character (alphabetic or numeric) in a position corresponding to the same position in the previous password. When the password level (QPWDLVL) system value has a value of 2 or 3, the test for the same character is case sensitive. This means that a lowercase 'a' is not the same as an uppercase 'A'.

Notes:
1. This system value is a restricted value. See Security system values for details on how to restrict changes to security system values and a complete list of the restricted system values.
2. If the QPWDRULES system value specifies any value other than *PWDSYSVAL, this system value cannot be changed and its value will be ignored when new passwords are checked to see if they are formed correctly.
Table 42. Possible values for the QPWDPOSDIF system value:

0   The same characters can be used in a position corresponding to the same position in the previous password.
1   The same character cannot be used in a position corresponding to the same position in the previous password.

Requirement for Numeric Character in Passwords (QPWDRQDDGT)


The Requirement for Numeric Character in Passwords (QPWDRQDDGT) system value controls whether a numeric character is required in a new password. This value provides additional security by preventing users from using all alphabetic characters.

Notes:
1. This system value is a restricted value. See Security system values for details on how to restrict changes to security system values and a complete list of the restricted system values.
2. If the QPWDRULES system value specifies any value other than *PWDSYSVAL, this system value cannot be changed and its value will be ignored when new passwords are checked to see if they are formed correctly.

Table 43. Possible values for the QPWDRQDDGT system value:

0   Numeric characters are not required in new passwords.
1   One or more numeric characters are required in new passwords.

Recommended value: 1
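The following Python model is an added example, not part of the IBM documentation: it applies the composition checks that the system values above (QPWDMINLEN through QPWDRQDDGT, Tables 34 through 43) perform when QPWDRULES is *PWDSYSVAL, including the case folding at QPWDLVL 0 and 1 that makes the QPWDLMTREP and QPWDPOSDIF tests case sensitive only at levels 2 and 3. The class and function names are my own; the rows of Tables 40 and 41 are embedded as a constructed self-check.

```python
from dataclasses import dataclass
from typing import List

# Characters permitted in a password at QPWDLVL 0 or 1 (Table 33).
PWDLVL01_CHARS = set("ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789$@#_")


@dataclass
class PwdSysVals:
    """Password-composition system values used when QPWDRULES is *PWDSYSVAL.
    Field names follow the system value names; defaults are the shipped values."""
    qpwdlvl: int = 0        # 0/1: 1-10 chars, folded to uppercase; 2/3: 1-128 chars, case sensitive
    qpwdminlen: int = 6
    qpwdmaxlen: int = 8
    qpwdlmtchr: str = ""    # "" stands for *NONE; enforced only at QPWDLVL 0 or 1
    qpwdlmtajc: int = 0     # 1: no two digits next to each other
    qpwdlmtrep: int = 0     # 1: no character used twice; 2: no character used twice in a row
    qpwdposdif: int = 0     # 1: no character in the same position as in the previous password
    qpwdrqddgt: int = 0     # 1: at least one digit required


def check_password(new: str, sv: PwdSysVals, previous: str = "") -> List[str]:
    """Return the names of the system values the new password violates.

    An empty list means the password passes these tests. The previous password
    is only needed for QPWDPOSDIF; an empty string skips that test.
    """
    level01 = sv.qpwdlvl in (0, 1)
    # At level 0/1 the system compares uppercase values; at 2/3 case is significant
    # (QPWDLMTREP and QPWDPOSDIF are documented as case sensitive there).
    pwd = new.upper() if level01 else new
    prev = previous.upper() if level01 else previous
    pairs = list(zip(pwd, pwd[1:]))     # adjacent character pairs
    failures = []

    if not sv.qpwdminlen <= len(pwd) <= sv.qpwdmaxlen:
        failures.append("QPWDMINLEN/QPWDMAXLEN")
    if level01 and not set(pwd) <= PWDLVL01_CHARS:
        failures.append("QPWDLVL character set")
    if level01 and sv.qpwdlmtchr and set(pwd) & set(sv.qpwdlmtchr.upper()):
        failures.append("QPWDLMTCHR")
    if sv.qpwdlmtajc == 1 and any(a.isdigit() and b.isdigit() for a, b in pairs):
        failures.append("QPWDLMTAJC")
    if sv.qpwdlmtrep == 1 and len(set(pwd)) != len(pwd):
        failures.append("QPWDLMTREP")
    if sv.qpwdlmtrep == 2 and any(a == b for a, b in pairs):
        failures.append("QPWDLMTREP")
    if sv.qpwdposdif == 1 and any(a == b for a, b in zip(pwd, prev)):
        failures.append("QPWDPOSDIF")
    if sv.qpwdrqddgt == 1 and not any(c.isdigit() for c in pwd):
        failures.append("QPWDRQDDGT")
    return failures


# Constructed copy of Tables 40 and 41: (password, QPWDLVL, allowed at QPWDLMTREP 0, 1, 2).
TABLE_40_41 = [
    ("A11111", 0, True, False, False),
    ("BOBBY", 0, True, False, False),
    ("AIRPLANE", 0, True, False, True),
    ("N707UK", 0, True, False, True),
    ("j222222", 3, True, False, False),
    ("ReallyFast", 3, True, False, False),
    ("Mom'sApPlePie", 3, True, False, True),
    ("AaBbCcDdEe", 3, True, True, True),
]


def tables_match() -> bool:
    """True when check_password reproduces every row of Tables 40 and 41."""
    for pwd, lvl, *expected in TABLE_40_41:
        maxlen = 10 if lvl in (0, 1) else 128
        for rep, allowed in zip((0, 1, 2), expected):
            sv = PwdSysVals(qpwdlvl=lvl, qpwdminlen=1, qpwdmaxlen=maxlen, qpwdlmtrep=rep)
            if ("QPWDLMTREP" not in check_password(pwd, sv)) != allowed:
                return False
    return True


if __name__ == "__main__":
    print("Tables 40/41 reproduced:", tables_match())
    # Case folding at QPWDLVL 0/1 turns AaBbCcDdEe into a repeated-character password.
    print(check_password("AaBbCcDdEe", PwdSysVals(qpwdlvl=0, qpwdminlen=1, qpwdmaxlen=10, qpwdlmtrep=1)))
```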

Password Rules (QPWDRULES)


The Password Rules (QPWDRULES) system value specifies the rules used to check whether a password is formed correctly. You can specify more than one value for the QPWDRULES system value, unless you specify *PWDSYSVAL. Changes made to this system value take effect the next time a password is changed.

Note: This system value is a restricted value. Refer to the Security System Values topic for details on how to restrict changes to security system values and a complete list of the restricted system values.
Table 44. Possible values for the QPWDRULES system value:

*PWDSYSVAL
    This value specifies that the QPWDRULES system value is ignored and the other password system values are used to check whether a password is formed correctly. These other password system values include QPWDLMTAJC, QPWDLMTCHR, QPWDLMTREP, QPWDMAXLEN, QPWDMINLEN, QPWDPOSDIF, and QPWDRQDDGT.
    Note: If any value other than *PWDSYSVAL is specified for QPWDRULES, the QPWDLMTAJC, QPWDLMTCHR, QPWDLMTREP, QPWDMAXLEN, QPWDMINLEN, QPWDPOSDIF, and QPWDRQDDGT system values are ignored when a new password is checked to see if it is formed correctly. In addition, any attempt to change these system values will be rejected as long as the QPWDRULES system value contains a value other than *PWDSYSVAL.

*CHRLMTAJC
    The value specifies that a password cannot contain 2 or more occurrences of the same character that are positioned adjacent to each other. This value performs the same function as specifying a value of 2 for the QPWDLMTREP system value. If the *CHRLMTREP value was specified, this value cannot be specified.
    Examples:
        Better.test       not valid - tt
        fix11bugs         not valid - 11
        @12/A78           valid
        A1234A1234        valid

*CHRLMTREP
    The value specifies that a password cannot contain 2 or more occurrences of the same character. This value performs the same function as specifying a value of 1 for the QPWDLMTREP system value. If the *CHRLMTAJC value was specified, this value cannot be specified.
    Examples:
        John.Jones        not valid - J o n
        THISONEOK         not valid - O
        @12/A78           valid
        AaCcEeFfGg        valid

*DGTLMTAJC
    The value specifies that a password cannot contain 2 or more adjacent digit characters.
    Examples:
        @12/A78           not valid
        !@#$%a1234.       not valid
        THISONEOK         valid
        A1B2C3DE5         valid

*DGTLMTFST
    The value specifies that the first character of a password cannot be a digit character. If *LTRLMTFST and *SPCCHRLMTFST values were specified, this value cannot be specified. If the system is operating at password level 0 or 1, the system functions as if the *DGTLMTFST value were specified.
    Examples:
        16ST-SW-Roch      not valid - 1
        99BottlesOfBeer   not valid - 9
        @12/A78           valid
        Allow-this.1      valid

*DGTLMTLST
    The value specifies that the last character of the password cannot be a digit character. If *LTRLMTLST and *SPCCHRLMTLST values were specified, this value cannot be specified.
    Examples:
        John.doe12        not valid - 2
        @12/A78           not valid - 8
        THISONEOK         valid
        A1234b123.        valid

*DGTMAXn
    The value specifies the maximum number of digit characters that can occur in the password. The n is a number from 0 to 9. Only one *DGTMAXn value can be specified. If a *DGTMINn value is also specified, the n value specified for *DGTMAXn must be greater than or equal to the n value specified for *DGTMINn.
    Examples for *DGTMAX2:
        Q12345678         not valid - 6 digits too many
        3-2-1->Go         not valid - 1 digit too many
        Rick1             valid
        Ed1-Jeff3         valid

*DGTMINn
    The value specifies the minimum number of digit characters that must occur in the password. The n is a number from 0 to 9. Only one *DGTMINn value can be specified. If a *DGTMAXn value is also specified, the n value specified for *DGTMAXn must be greater than or equal to the n value specified for *DGTMINn.
    Examples for *DGTMIN3:
        Rick1             not valid - only 1 digit
        Ed1-Jeff3         not valid - only 2 digits
        3-2-1->Go         valid
        Q12345678         valid

*LMTSAMPOS
    The same character cannot be used in a position corresponding to the same position in the previous password. This value performs the same function as the QPWDPOSDIF system value. When the password is set by the Change User Profile (CHGUSRPRF) or Create User Profile (CRTUSRPRF) command, this password rule cannot be checked because the previous password value is not supplied.
    Examples for *LMTSAMPOS when Vote4Me was the previous password:
        Victory1          not valid - V in position 1
        Mine2love         not valid - e in position 4
        vOTE-mE           valid (case is different)
        Allisgood         valid

*LMTPRFNAME
    The uppercase password value cannot contain the complete user profile name in consecutive positions.
    Examples for *LMTPRFNAME with profile name JOHNB:
        bigJOHNB9         not valid - positions 4-8
        JohnB78           not valid - positions 1-5
        J_ohn_B234        valid
        john_b            valid

*LTRLMTAJC
    The value specifies a password cannot contain 2 or more adjacent letter characters.
    Examples:
        John.Smith        not valid
        THISONEOK         not valid
        @12/A78           valid
        A1234b1234        valid

*LTRLMTFST
    The value specifies the first character of the password cannot be a letter character. If *DGTLMTFST and *SPCCHRLMTFST values were specified, this value cannot be specified. If the system is operating with a QPWDLVL value of 0 or 1, *LTRLMTFST and *SPCCHRLMTFST cannot both be specified.
    Examples:
        John.Smith        not valid - J
        THISONEOK         not valid - T
        @12/A78           valid
        16ST-SW-Roch      valid

*LTRLMTLST
    The value specifies the last character of the password cannot be a letter character. If *DGTLMTLST and *SPCCHRLMTLST values were specified, this value cannot be specified.
    Examples:
        John.Smith        not valid - h
        1Allow.It         not valid - t
        @12/A78           valid
        (pay*rate)        valid

*LTRMAXn
    The value specifies the maximum number of letter characters that can occur in the password. The n is a number from 0 to 9. Only one *LTRMAXn value can be specified. If a *LTRMINn value is also specified, the n value specified for *LTRMAXn must be greater than or equal to the n value specified for *LTRMINn. If a *MIXCASEn value is also specified, the n value specified for *LTRMAXn must be greater than or equal to 2 times the n value specified for *MIXCASEn.
    Examples for *LTRMAX4:
        THISONEOK         not valid - 5 letters too many
        John.Smith1       not valid - 5 letters too many
        John1423          valid
        A1b2.#456         valid

*LTRMINn
    The value specifies the minimum number of letter characters that must occur in the password. The n is a number from 0 to 9. Only one *LTRMINn value can be specified. If a *LTRMAXn value was specified, the n value specified for *LTRMAXn must be greater than or equal to the n value specified for *LTRMINn.
    Examples for *LTRMIN2:
        @12/A78           not valid - only 1 letter
        !@#$%a1234        not valid - only 1 letter
        THISONEOK         valid
        A1234b1234        valid

*MAXLENnnn
    The value specifies the maximum number of characters in a password. The nnn is a number from 1 to 128 (without leading zeros). This value performs the same function as the QPWDMAXLEN system value. If the system is operating at QPWDLVL 0 or 1, the valid range is from 1 to 10. If the system is operating at QPWDLVL 2 or 3, the valid range is from 1 to 128. The nnn value specified must be large enough to accommodate all *MIXCASEn, *DGTMAXn, *LTRMAXn, *SPCCHRMAXn, first and last character restrictions, and non-adjacent character requirements. If *MINLENnnn is also specified, the nnn value specified for *MAXLENnnn must be greater than or equal to the nnn value specified for *MINLENnnn. If no *MAXLENnnn value is specified, a value of *MAXLEN10 is assumed if the system is operating with a QPWDLVL value of 0 or 1, or a value of *MAXLEN128 is assumed if the system is operating with a QPWDLVL value of 2 or 3.

*MINLENnnn
    The value specifies the minimum number of characters in a password. The nnn is a number from 1 to 128 (without leading zeros). If the system is operating at QPWDLVL 0 or 1, the valid range is from 1 to 10. If the system is operating at QPWDLVL 2 or 3, the valid range is from 1 to 128. If *MAXLENnnn is also specified, the nnn value specified for *MAXLENnnn must be greater than or equal to the nnn value specified for *MINLENnnn. If no *MINLENnnn value is specified, a value of *MINLEN1 is assumed.

*MIXCASEn
    The value specifies a password must contain at least n uppercase and n lowercase letters. The n is a number from 0 to 9. This value is rejected if the system is operating with a QPWDLVL value of 0 or 1 because passwords are required to be uppercase. Only one *MIXCASEn value can be specified. If a *LTRMAXn value was specified, the n value specified for *LTRMAXn must be greater than or equal to two times the n value specified for *MIXCASEn.
    Examples for *MIXCASE2:
        @12/A78bC         not valid - missing 1 lowercase
        THISONEOK         not valid - missing 2 lowercase
        ThisIsOkay        valid
        Allow-It          valid

*REQANY3
    The value specifies a password must contain characters from at least three of the following four types of characters:
    • Uppercase letters
    • Lowercase letters
    • Digits
    • Special characters
    When the system is operating with a QPWDLVL of 0 or 1, *REQANY3 has the same effect as if *DGTMIN1, *LTRMIN1, and *SPCCHRMIN1 were all specified.
    Examples:
        THISONEOK         not valid - only 1 type
        @12/-78           not valid - only 2 types
        A1234b1234        valid - upper, lower, digit
        John.Smith        valid - upper, lower, special
        peter(21)         valid - lower, special, digit

*SPCCHRLMTAJC
    The value specifies a password cannot contain 2 or more adjacent (consecutive) special characters. A character is considered a special character if its equivalent Unicode character has the property of being neither a letter nor a digit.
    Examples:
        Big//Box          not valid
        this->way         not valid
        @12/A78           valid
        John.Smith        valid

*SPCCHRLMTFST
    The value specifies the first character of the password cannot be a special character. A character is considered a special character if its equivalent Unicode character has the property of being neither a letter nor a digit. If *DGTLMTFST and *LTRLMTFST values were specified, this value cannot be specified. If the system is operating with a QPWDLVL value of 0 or 1, *LTRLMTFST and *SPCCHRLMTFST cannot both be specified.
    Examples:
        (2+2equals4)      not valid - (
        #fred/#charlie    not valid - #
        1Good->one12      valid
        A1234b1234        valid

*SPCCHRLMTLST
    The value specifies the last character of the password cannot be a special character. A character is considered a special character if its equivalent Unicode character has the property of being neither a letter nor a digit. If *DGTLMTLST and *LTRLMTLST values were specified, this value cannot be specified.
    Examples:
        A1234b123.        not valid - .
        >John.Doe<        not valid - <
        THISONEOK         valid
        @12/A78           valid

*SPCCHRMAXn
    The value specifies the maximum number of special characters that may occur in the password. The n is a number from 0 to 9. A character is considered a special character if its equivalent Unicode character has the property of being neither a letter nor a digit. Only one *SPCCHRMAXn value can be specified. If a *SPCCHRMINn value was specified, the n value specified for *SPCCHRMAXn must be greater than or equal to the n value specified for *SPCCHRMINn.
    Examples for *SPCCHRMAX3:
        @12/A78.b#        not valid - 1 too many
        !@#$%a1234        not valid - 2 too many
        THISONEOK         valid
        A1234b-234        valid

*SPCCHRMINn
    The value specifies the minimum number of special characters that must occur in the password. The n is a number from 0 to 9. A character is considered a special character if its equivalent Unicode character has the property of being neither a letter nor a digit. Only one *SPCCHRMINn value can be specified. If a *SPCCHRMAXn value was specified, the n value specified for *SPCCHRMAXn must be greater than or equal to the n value specified for *SPCCHRMINn.
    Examples for *SPCCHRMIN4:
        Su@us.ibm.com     not valid - 1 too few
        123+45=168        not valid - 2 too few
        A.B@us.ibm.com    valid
        (24/8=3)          valid
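The following Python evaluator is an added example, not IBM code: it parses a QPWDRULES value list as Table 44 spells it out, checks the table's own example passwords against it, and reports the combinations the table says cannot be specified together. It assumes QPWDLVL 2 or 3 (case-sensitive passwords, so *MIXCASEn is accepted) and the function names check_qpwdrules and rule_set_conflicts are my own; like the system, it skips *LMTSAMPOS when no previous password is supplied.

```python
import re
from typing import List

# Character classes as Table 44 defines them: a special character is any
# character that is neither a letter nor a digit.
CLASSES = {"LTR": str.isalpha, "DGT": str.isdigit, "SPCCHR": lambda c: not c.isalnum()}
_POSITIONAL = re.compile(r"^\*(LTR|DGT|SPCCHR)LMT(AJC|FST|LST)$")
_COUNTED = re.compile(r"^\*(LTR|DGT|SPCCHR)(MAX|MIN)(\d)$")
_LENGTH = re.compile(r"^\*(MAX|MIN)LEN(\d{1,3})$")
_MIXCASE = re.compile(r"^\*MIXCASE(\d)$")


def _rule_holds(pwd: str, rule: str, previous: str, profile: str) -> bool:
    """True when the password satisfies one QPWDRULES value."""
    pairs = list(zip(pwd, pwd[1:]))
    if rule == "*CHRLMTAJC":                 # same as QPWDLMTREP 2
        return not any(a == b for a, b in pairs)
    if rule == "*CHRLMTREP":                 # same as QPWDLMTREP 1
        return len(set(pwd)) == len(pwd)
    if rule == "*LMTSAMPOS":                 # same as QPWDPOSDIF; needs the previous password
        return not previous or not any(a == b for a, b in zip(pwd, previous))
    if rule == "*LMTPRFNAME":                # compared on the uppercased password
        return not profile or profile.upper() not in pwd.upper()
    if rule == "*REQANY3":
        kinds = [any(c.isupper() for c in pwd), any(c.islower() for c in pwd),
                 any(c.isdigit() for c in pwd), any(not c.isalnum() for c in pwd)]
        return sum(kinds) >= 3
    if m := _MIXCASE.match(rule):
        n = int(m.group(1))
        return sum(c.isupper() for c in pwd) >= n and sum(c.islower() for c in pwd) >= n
    if m := _POSITIONAL.match(rule):
        pred, where = CLASSES[m.group(1)], m.group(2)
        if where == "AJC":
            return not any(pred(a) and pred(b) for a, b in pairs)
        return not pwd or not pred(pwd[0] if where == "FST" else pwd[-1])
    if m := _COUNTED.match(rule):
        count, limit = sum(1 for c in pwd if CLASSES[m.group(1)](c)), int(m.group(3))
        return count <= limit if m.group(2) == "MAX" else count >= limit
    if m := _LENGTH.match(rule):
        limit = int(m.group(2))
        return len(pwd) <= limit if m.group(1) == "MAX" else len(pwd) >= limit
    raise ValueError(f"unknown QPWDRULES value: {rule}")


def check_qpwdrules(pwd: str, rules: List[str], previous: str = "", profile: str = "") -> List[str]:
    """Return the QPWDRULES values the password violates; [] means it is formed correctly."""
    if "*PWDSYSVAL" in rules:    # the other password system values apply instead
        return []
    return [r for r in rules if not _rule_holds(pwd, r, previous, profile)]


def rule_set_conflicts(rules: List[str]) -> List[str]:
    """Report combinations that Table 44 says cannot be specified together."""
    s, problems = set(rules), []
    if {"*CHRLMTAJC", "*CHRLMTREP"} <= s:
        problems.append("*CHRLMTAJC with *CHRLMTREP")
    for pos in ("FST", "LST"):
        if {f"*DGTLMT{pos}", f"*LTRLMT{pos}", f"*SPCCHRLMT{pos}"} <= s:
            problems.append(f"all three *...LMT{pos} values")
    limits = {}                               # e.g. {"DGTMAX": 2, "DGTMIN": 3}
    for r in rules:
        if m := _COUNTED.match(r):
            key = m.group(1) + m.group(2)
            if key in limits:
                problems.append(f"more than one *{key}n value")
            limits[key] = int(m.group(3))
        elif m := _LENGTH.match(r):
            limits[m.group(1) + "LEN"] = int(m.group(2))
        elif m := _MIXCASE.match(r):
            limits["MIXCASE"] = int(m.group(1))
    for cls in ("LTR", "DGT", "SPCCHR"):
        if limits.get(cls + "MAX", 9) < limits.get(cls + "MIN", 0):
            problems.append(f"*{cls}MAXn below *{cls}MINn")
    if limits.get("MAXLEN", 128) < limits.get("MINLEN", 1):
        problems.append("*MAXLENnnn below *MINLENnnn")
    if limits.get("LTRMAX", 9) < 2 * limits.get("MIXCASE", 0):
        problems.append("*LTRMAXn below twice *MIXCASEn")
    return problems


if __name__ == "__main__":
    policy = ["*MINLEN8", "*REQANY3", "*DGTLMTAJC", "*LMTPRFNAME", "*LMTSAMPOS"]
    print(rule_set_conflicts(policy))                                   # []
    print(check_qpwdrules("Ed1-Jeff3", policy, previous="Vote4Me", profile="JOHNB"))
```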


Password Approval Program (QPWDVLDPGM)


You can specify the Password Approval Program (QPWDVLDPGM) to control the validation of new passwords. If *REGFAC or a program name is specified in the QPWDVLDPGM system value, the system runs one or more programs after the new password has passed any validation tests you specify in the password-control system values. You can use the programs to do additional checking of user-assigned passwords before they are accepted by the system. A password approval program must be in the system auxiliary storage pool (ASP) or a basic user ASP.

Note: This system value is a restricted value. See Security system values for details on how to restrict changes to security system values and a complete list of the restricted system values.
Table 45. Possible values for the QPWDVLDPGM system value:

*NONE          No user-written program is used. This includes any password approval programs registered in the exit registration facility.
*REGFAC        The validation program is retrieved from the registration facility, exit point QIBM_QSY_VLD_PASSWRD. More than one validation program can be specified in the registration facility. Each program will be called until one of them indicates that the password should be rejected or all of them have indicated the password is valid.
program-name   Specify the name of the user-written validation program, from 1 through 10 characters. A program name cannot be specified when the current or pending value of the password level (QPWDLVL) system value is 2 or 3.
library-name   Specify the name of the library where the user-written program is located. If the library name is not specified, the library list (*LIBL) of the user changing the system value is used to search for the program. QSYS is the recommended library.

Using a password approval program


If *REGFAC or a program name is specified in the QPWDVLDPGM system value, one or more programs are called by the Change Password (CHGPWD) command or Change Password (QSYCHGPW) API. The programs are called only if the new password has passed all other tests specified in the password-control system values. In case it is necessary to recover your system from a disk failure, place the password approval program in library QSYS. This way the password approval program is loaded when you restore library QSYS. If a program name is specified in the QPWDVLDPGM system value, the system passes the following parameters to the password approval program:
Table 46. Parameters for password approval program
Position   Type    Length   Description
1          *CHAR   10       The new password entered by the user.
2          *CHAR   10       The user's old password.
3          *CHAR   1        Return code: 0 for valid password; not 0 for incorrect password.
4 (1)      *CHAR   10       The name of the user.

(1) Position 4 is optional.

If *REGFAC is specified in the QPWDVLDPGM system value, refer to the Security Exit Program information in the System API manual for information about the parameters passed to the validation program.

If your program determines that the new password is not valid, you can either send your own exception message (using the SNDPGMMSG command) or set the return code to a value other than 0 and let the system display an error message. Exception messages that are signaled by your program must be created with the DMPLST(*NONE) option of the Add Message Description (ADDMSGD) command. The new password is accepted only if the user-written program ends with no escape message and a return code of 0. Because the return code is initially set for passwords that are not valid (not zero), the approval program must set the return code to 0 before the password can be changed.

Attention: The current and new password are passed to the validation program without encryption. The validation program can store passwords in a database file and compromise security on the system. Make sure the functions of the validation program are reviewed by the security officer and that changes to the program are strictly controlled.

The following control language (CL) program is an example of a password approval program when a program name is specified for QPWDVLDPGM. This example checks to make sure the password is not changed more than once in the same day. Additional calculations can be added to the program to check other criteria for passwords:

Note: By using the code examples, you agree to the terms of the Chapter 10, Code license and disclaimer information, on page 307.
    /**************************************************/
    /*  NAME:  PWDVALID - Password Validation         */
    /*                                                */
    /*  FUNCTION:  Limit password change to one per   */
    /*  day unless the password is expired            */
    /**************************************************/
    PGM (&NEW &OLD &RTNCD &USER)
    DCL VAR(&NEW)       TYPE(*CHAR) LEN(10)
    DCL VAR(&OLD)       TYPE(*CHAR) LEN(10)
    DCL VAR(&RTNCD)     TYPE(*CHAR) LEN(1)
    DCL VAR(&USER)      TYPE(*CHAR) LEN(10)
    DCL VAR(&JOBDATE)   TYPE(*CHAR) LEN(6)
    DCL VAR(&PWDCHGDAT) TYPE(*CHAR) LEN(6)
    DCL VAR(&PWDEXP)    TYPE(*CHAR) LEN(4)
    /* Get the current date and convert to YMD format */
    RTVJOBA DATE(&JOBDATE)
    CVTDAT DATE(&JOBDATE) TOVAR(&JOBDATE) +
           TOFMT(*YMD) TOSEP(*NONE)
    /* Get date password last changed and whether     */
    /* password is expired from user profile          */
    RTVUSRPRF USRPRF(&USER) PWDCHGDAT(&PWDCHGDAT) +
              PWDEXP(&PWDEXP)
    /* Compare two dates                              */
    /* if equal and password not expired              */
    /* then send *ESCAPE message to prevent change    */
    /* else set return code to allow change           */
    IF (&JOBDATE=&PWDCHGDAT *AND &PWDEXP='*NO') +
       SNDPGMMSG MSGID(CPF9898) MSGF(QCPFMSG) +
                 MSGDTA('Password can be changed only +
                 once per day') +
                 MSGTYPE(*ESCAPE)
    ELSE CHGVAR &RTNCD '0'
    ENDPGM

The following control language (CL) program is an example of a password approval program when *REGFAC is specified for QPWDVLDPGM.
This example checks to make sure the new password is in CCSID 37 (or if it is in CCSID 13488 it converts the new password to CCSID 37), that the new password does not end in a numeric character, and that the new password does not contain the user profile name. The example assumes that a message file (PWDERRORS) has been created and message descriptions (PWD0001 and PWD0002) have been added to the message file. Additional calculations can be added to the program to check other criteria for passwords:
    /**********************************************************/
    /*                                                        */
    /* NAME: PWDEXITPGM1 - Password validation exit 1         */
    /*                                                        */
    /* Validates passwords when *REGFAC is specified for      */
    /* QPWDVLDPGM. Program is registered using the ADDEXITPGM */
    /* CL command for the QIBM_QSY_VLD_PASSWRD exit point.    */
    /*                                                        */
    /* ASSUMPTIONS: If CHGPWD command was used, password      */
    /* CCSID will be job default (assumed to be CCSID 37).    */
    /* If QSYCHGPW API was used, password CCSID will be       */
    /* UNICODE CCSID 13488.                                   */
    /**********************************************************/
    PGM PARM(&EXINPUT &RTN)

    DCL &EXINPUT *CHAR 1000
    DCL &RTN     *CHAR 1

    DCL &UNAME   *CHAR 10
    DCL &NEWPW   *CHAR 256
    DCL &NPOFF   *DEC 5 0
    DCL &NPLEN   *DEC 5 0
    DCL &INDX    *DEC 5 0
    DCL &INDX2   *DEC 5 0
    DCL &INDX3   *DEC 5 0
    DCL &UNLEN   *DEC 5 0
    DCL &XLTCHR2 *CHAR 2 VALUE(X'0000')
    DCL &XLTCHR  *DEC 5 0
    /* Unicode code point 1-255 to EBCDIC character; '.' = no mapping */
    DCL &XLATEU  *CHAR 255 VALUE('............................... +
    !"#$%&''()*+,-./0123456789:;<=>?+
    @ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_+
    `abcdefghijklmnopqrstuvwxyz{|}~.+
    ................................+
    ................................+
    ................................+
    ................................')
    /* EBCDIC lowercase letter to uppercase letter; '.' = unchanged */
    DCL &XLATEC  *CHAR 255 VALUE('...............................+
    ................................+
    ................................+
    ................................+
    .ABCDEFGHI.......JKLMNOPQR......+
    ..STUVWXYZ......................+
    ................................+
    ................................')

    /*********************************************************************/
    /* FORMAT OF EXINPUT IS:                                             */
    /*                                                                   */
    /* POSITION   DESCRIPTION                                            */
    /* 001 - 020  EXIT POINT NAME                                        */
    /* 021 - 028  EXIT POINT FORMAT NAME                                 */
    /* 029 - 032  PASSWORD LEVEL (binary)                                */
    /* 033 - 042  USER PROFILE NAME                                      */
    /* 043 - 044  RESERVED                                               */
    /* 045 - 048  OFFSET TO OLD PASSWORD (binary)                        */
    /* 049 - 052  LENGTH OF OLD PASSWORD (binary)                        */
    /* 053 - 056  CCSID OF OLD PASSWORD (binary)                         */
    /* 057 - 060  OFFSET TO NEW PASSWORD (binary)                        */
    /* 061 - 064  LENGTH OF NEW PASSWORD (binary)                        */
    /* 065 - 068  CCSID OF NEW PASSWORD (binary)                         */
    /* ??? - ???  OLD PASSWORD                                           */
    /* ??? - ???  NEW PASSWORD                                           */
    /*                                                                   */
    /*********************************************************************/

    /*********************************************************************/
    /* Establish a generic monitor for the program.                      */
    /*********************************************************************/
    MONMSG CPF0000

    /* Assume new password is valid */
    CHGVAR &RTN VALUE('0') /* accept */

    /* Get new password length, offset and value. Also get user name */
    CHGVAR &NPLEN VALUE(%BIN(&EXINPUT 61 4))
    CHGVAR &NPOFF VALUE(%BIN(&EXINPUT 57 4) + 1)
    CHGVAR &UNAME VALUE(%SST(&EXINPUT 33 10))
    CHGVAR &NEWPW VALUE(%SST(&EXINPUT &NPOFF &NPLEN))

    /* If CCSID is 13488, probably used the QSYCHGPW API which converts */
    /* the passwords to UNICODE CCSID 13488. So convert to CCSID 37, if */
    /* possible, else give an error                                     */
    IF COND(%BIN(&EXINPUT 65 4) = 13488) THEN(DO)
      CHGVAR &INDX2 VALUE(1)
      CHGVAR &INDX3 VALUE(1)
    CVT1:
      CHGVAR &XLTCHR VALUE(%BIN(&NEWPW &INDX2 2))
      IF COND( (&XLTCHR *LT 1) *OR (&XLTCHR *GT 255) ) THEN(DO)
        CHGVAR &RTN VALUE('3') /* reject */
        SNDPGMMSG MSG('INVALID CHARACTER IN NEW PASSWORD')
        GOTO DONE
      ENDDO
      CHGVAR %SST(&NEWPW &INDX3 1) VALUE(%SST(&XLATEU &XLTCHR 1))
      CHGVAR &INDX2 VALUE(&INDX2 + 2)
      CHGVAR &INDX3 VALUE(&INDX3 + 1)
      IF COND(&INDX2 *GT &NPLEN) THEN(GOTO ECVT1)
      GOTO CVT1
    ECVT1:
      CHGVAR &NPLEN VALUE(&INDX3 - 1)
      CHGVAR %SST(&EXINPUT 65 4) VALUE(X'00000025') /* CCSID 37 */
    ENDDO

    /* Check the CCSID of the new password value - must be 37 */
    IF COND(%BIN(&EXINPUT 65 4) *NE 37) THEN(DO)
      CHGVAR &RTN VALUE('3') /* reject */
      SNDPGMMSG MSG('CCSID OF NEW PASSWORD MUST BE 37')
      GOTO DONE
    ENDDO

    /* UPPERCASE NEW PASSWORD VALUE */
    CHGVAR &INDX2 VALUE(1)
    CHGVAR &INDX3 VALUE(1)
    CVT4:
    CHGVAR %SST(&XLTCHR2 2 1) VALUE(%SST(&NEWPW &INDX2 1))
    CHGVAR &XLTCHR VALUE(%BIN(&XLTCHR2 1 2))
    IF COND( (&XLTCHR *LT 1) *OR (&XLTCHR *GT 255) ) THEN(DO)
      CHGVAR &RTN VALUE('3') /* reject */
      SNDPGMMSG MSG('INVALID CHARACTER IN NEW PASSWORD')
      GOTO DONE
    ENDDO
    IF COND(%SST(&XLATEC &XLTCHR 1) *NE '.') +
      THEN(CHGVAR %SST(&NEWPW &INDX3 1) VALUE(%SST(&XLATEC &XLTCHR 1)))
    CHGVAR &INDX2 VALUE(&INDX2 + 1)
    CHGVAR &INDX3 VALUE(&INDX3 + 1)
    IF COND(&INDX2 *GT &NPLEN) THEN(GOTO ECVT4)
    GOTO CVT4
    ECVT4:

    /* CHECK IF LAST POSITION OF NEW PASSWORD IS NUMERIC */
    IF COND(%SST(&NEWPW &NPLEN 1) = '0') THEN(GOTO ERROR1)
    IF COND(%SST(&NEWPW &NPLEN 1) = '1') THEN(GOTO ERROR1)
    IF COND(%SST(&NEWPW &NPLEN 1) = '2') THEN(GOTO ERROR1)
    IF COND(%SST(&NEWPW &NPLEN 1) = '3') THEN(GOTO ERROR1)
    IF COND(%SST(&NEWPW &NPLEN 1) = '4') THEN(GOTO ERROR1)
    IF COND(%SST(&NEWPW &NPLEN 1) = '5') THEN(GOTO ERROR1)
    IF COND(%SST(&NEWPW &NPLEN 1) = '6') THEN(GOTO ERROR1)
    IF COND(%SST(&NEWPW &NPLEN 1) = '7') THEN(GOTO ERROR1)
    IF COND(%SST(&NEWPW &NPLEN 1) = '8') THEN(GOTO ERROR1)
    IF COND(%SST(&NEWPW &NPLEN 1) = '9') THEN(GOTO ERROR1)

    /* CHECK IF PASSWORD CONTAINS USER PROFILE NAME */
    CHGVAR &UNLEN VALUE(1)
    LOOP2: /* FIND LENGTH OF USER NAME */
    IF COND(%SST(&UNAME &UNLEN 1) *NE ' ') THEN(DO)
      CHGVAR &UNLEN VALUE(&UNLEN + 1)
      IF COND(&UNLEN = 11) THEN(GOTO ELOOP2)
      GOTO LOOP2
    ENDDO
    ELOOP2:
    CHGVAR &UNLEN VALUE(&UNLEN - 1)

    /* CHECK FOR USER NAME IN NEW PASSWORD */
    IF COND(&UNLEN *GT &NPLEN) THEN(GOTO ELOOP3)
    CHGVAR &INDX VALUE(1)
    LOOP3:
    IF COND(%SST(&NEWPW &INDX &UNLEN) = %SST(&UNAME 1 &UNLEN)) +
      THEN(GOTO ERROR2)
    IF COND((&INDX + &UNLEN + 1) *LT 128) THEN(DO)
      CHGVAR &INDX VALUE(&INDX + 1)
      GOTO LOOP3
    ENDDO
    ELOOP3:

    /* New Password is valid */
    GOTO DONE

    ERROR1: /* NEW PASSWORD ENDS IN NUMERIC CHARACTER */
    CHGVAR &RTN VALUE('3') /* reject */
    SNDPGMMSG TOPGMQ(*PRV) MSGTYPE(*ESCAPE) MSGID(PWD0001) MSGF(QSYS/PWDERRORS)
    GOTO DONE

    ERROR2: /* NEW PASSWORD CONTAINS USER NAME */
    CHGVAR &RTN VALUE('3') /* reject */
    SNDPGMMSG TOPGMQ(*PRV) MSGTYPE(*ESCAPE) MSGID(PWD0002) MSGF(QSYS/PWDERRORS)
    GOTO DONE

    DONE:
    ENDPGM
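The rules PWDEXITPGM1 enforces can be exercised off the system before a program is registered at the exit point. The following Python is an added example, not IBM code: it constructs a sample exit-input buffer in the layout the program's comments document, parses it, converts a CCSID 13488 value the way the exit program does, and applies the same three rejections. The format name VLDP0100, the big-endian 4-byte binary fields and the helper names are assumptions; the buffer is constructed here, not captured from a system.

```python
import struct

# Header layout from the FORMAT OF EXINPUT comment above: 68 bytes of
# fixed fields followed by the old and new password values.  Offsets are
# 0-based from the start of the structure (the CL adds 1 for %SST).
EXIT_HEADER = struct.Struct(">20s8si10s2siiiiii")   # big-endian, assumed
EXIT_POINT = b"QIBM_QSY_VLD_PASSWRD"
FORMAT_NAME = b"VLDP0100"                            # assumed format name
CODECS = {37: "cp037", 13488: "utf-16-be"}           # EBCDIC, UCS-2 big-endian


def build_exit_input(user, old_pw, new_pw, ccsid=37, pwd_level=0):
    """Construct a sample exit-input buffer as the system would fill it."""
    codec = CODECS[ccsid]
    old_b, new_b = old_pw.encode(codec), new_pw.encode(codec)
    old_off = EXIT_HEADER.size
    new_off = old_off + len(old_b)
    header = EXIT_HEADER.pack(
        EXIT_POINT, FORMAT_NAME, pwd_level,
        user.upper().encode("cp037").ljust(10, b"\x40"),   # blank-padded EBCDIC
        b"\x00\x00",
        old_off, len(old_b), ccsid,
        new_off, len(new_b), ccsid)
    return header + old_b + new_b


def override_new_ccsid(buf, ccsid):
    """Rewrite the new-password CCSID field (positions 065-068) of a buffer."""
    out = bytearray(buf)
    struct.pack_into(">i", out, 64, ccsid)
    return bytes(out)


def parse_exit_input(buf):
    """Return (user profile name, new password bytes, new password CCSID)."""
    (_exit_pt, _fmt, _lvl, user_raw, _res,
     _old_off, _old_len, _old_ccsid,
     new_off, new_len, new_ccsid) = EXIT_HEADER.unpack_from(buf)
    user = user_raw.decode("cp037").rstrip()
    return user, buf[new_off:new_off + new_len], new_ccsid


def validate_new_password(buf):
    """Apply the exit program's checks.  Returns (rc, reason): '0' accepts, '3' rejects."""
    user, new_raw, ccsid = parse_exit_input(buf)
    if ccsid == 13488:
        text = new_raw.decode("utf-16-be")
        # The CL XLATEU table only covers code points 1-255; anything else is rejected.
        if any(ord(ch) < 1 or ord(ch) > 255 for ch in text):
            return "3", "INVALID CHARACTER IN NEW PASSWORD"
    elif ccsid == 37:
        text = new_raw.decode("cp037")
    else:
        return "3", "CCSID OF NEW PASSWORD MUST BE 37"
    upper = text.upper()                      # the CL uppercases via XLATEC
    if upper and upper[-1] in "0123456789":
        return "3", "PWD0001"                 # ends in a numeric character
    if user and user in upper:
        return "3", "PWD0002"                 # contains the user profile name
    return "0", "accepted"
```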

System values that control auditing


Auditing system activity is an important part of system security, as it can help detect system misuse and intrusions. You can use specific system values to control auditing on the i5/OS operating system.

Overview:
Purpose: Specify system values to control security auditing on the system.
How To: WRKSYSVAL *SEC (Work with System Values command)
Authority: *AUDIT
Journal Entry: SV
Note: Changes take effect immediately. IPL is not required.

These system values control auditing on the system:
QAUDCTL       Auditing control
QAUDENDACN    Auditing end action
QAUDFRCLVL    Auditing force level
QAUDLVL       Auditing level
QAUDLVL2      Auditing level extension
QCRTOBJAUD    Create default auditing

Auditing Control (QAUDCTL)


The Auditing Control (QAUDCTL) system value determines whether auditing is performed. This system value functions like an on and off switch for the following operations:
- The QAUDLVL and QAUDLVL2 system values
- The auditing defined for objects using the Change Object Auditing (CHGOBJAUD), Change Auditing Value (CHGAUD), and Change DLO Auditing (CHGDLOAUD) commands
- The auditing defined for users using the Change User Audit (CHGUSRAUD) command

Note: This system value is a restricted value. See Security system values for details on how to restrict changes to security system values and a complete list of the restricted system values.

You can specify more than one value for the QAUDCTL system value, unless you specify *NONE.
Table 47. Possible values for the QAUDCTL system value
*NONE
    No auditing is performed for user actions and objects.
*NOTAVL
    This value is displayed to indicate that the system value is unavailable to the user because the user has neither *AUDIT nor *ALLOBJ special authority. You cannot set the system value to this value.
*OBJAUD
    Auditing is performed for objects that have been selected using the CHGOBJAUD, CHGDLOAUD, or CHGAUD commands.
*AUDLVL
    Auditing is performed for any functions selected on the QAUDLVL and QAUDLVL2 system values and on the AUDLVL parameter of individual user profiles. The audit level for a user is specified using the Change User Audit (CHGUSRAUD) command.
*NOQTEMP
    Auditing is not performed for most actions if the object is in QTEMP library. See Chapter 9, Auditing security on System i, on page 257 for more details. You must specify this value with either *OBJAUD or *AUDLVL.

See Planning security auditing on page 263 for a complete description of the process for controlling auditing on your system.

Auditing End Action (QAUDENDACN)


The Auditing End Action (QAUDENDACN) system value determines what action the system takes if auditing is active and the system is unable to write entries to the audit journal. Note: This system value is a restricted value. See Security system values for details on how to restrict changes to security system values and a complete list of the restricted system values.
Table 48. Possible values for the QAUDENDACN system value:
*NOTAVL
    This value is displayed to indicate that the system value is not available to the user because the user does not have either *AUDIT or *ALLOBJ special authority. The system value cannot be set to this value.
*NOTIFY
    Message CPI2283 is sent to the QSYSOPR message queue and the QSYSMSG message queue (if it exists) every hour until auditing is successfully restarted. The system value QAUDCTL is set to *NONE to prevent the system from attempting to write additional audit journal entries. Processing on the system continues. If an IPL is performed before auditing is restarted, message CPI2284 is sent to the QSYSOPR and QSYSMSG message queues during the IPL.
*PWRDWNSYS
    If the system is unable to write an audit journal entry, the system powers down immediately. The system unit displays system reference code (SRC) B900 3D10. When the system is powered on again, it is in a restricted state. This means the controlling subsystem is in a restricted state, no other subsystems are active, and sign-on is allowed only at the console. The QAUDCTL system value is set to *NONE. The user who signs on the console to complete the IPL must have *ALLOBJ and *AUDIT special authority.

Recommended value: For most installations, *NOTIFY is the recommended value. If your security policy requires that no processing be performed on the system without auditing, then you must select *PWRDWNSYS. Only very unusual circumstances cause the system to be unable to write audit journal entries. However, if this does happen and the QAUDENDACN system value is *PWRDWNSYS, your system ends abnormally. This might cause a lengthy initial program load (IPL) when your system is powered on again.

Auditing Force Level (QAUDFRCLVL)


The Auditing Force Level (QAUDFRCLVL) system value determines how often new audit journal entries are forced from memory to auxiliary storage. This system value controls the amount of auditing data that may be lost if the system ends abnormally. Note: This system value is a restricted value. See Security system values for details on how to restrict changes to security system values and a complete list of the restricted system values.

Table 49. Possible values for the QAUDFRCLVL system value
*NOTAVL
    This value is displayed to indicate that the system value is not available to the user because the user does not have either *AUDIT or *ALLOBJ special authority. The system value cannot be set to this value.
*SYS
    The system determines when journal entries are written to auxiliary storage based on internal system performance.
number-of-records
    Specify a number between 1 and 100 to determine how many audit entries can accumulate in memory before they are written to auxiliary storage. The smaller the number, the greater the effect on system performance.

Recommended value: *SYS provides the best auditing performance. However, if your installation requires that no audit entries be lost when your system ends abnormally, you must specify 1. Specifying 1 might impair performance.

Auditing Level (QAUDLVL)


The Auditing Level (QAUDLVL) system value along with the QAUDLVL2 system value determines which security-related events are logged to the security audit journal (QAUDJRN) for all system users. You can specify more than one value for the QAUDLVL system value, unless you specify *NONE. For the QAUDLVL system value to take effect, the QAUDCTL system value must include *AUDLVL. Note: This system value is a restricted value. See Security system values for details on how to restrict changes to security system values and a complete list of the restricted system values.
Table 50. Possible values for the QAUDLVL system value
*NONE
    No events controlled by the QAUDLVL or QAUDLVL2 system values are logged. Events are logged for individual users based on the AUDLVL values of user profiles.
*NOTAVL
    This value is displayed to indicate that the system value is not available to the user because the user does not have either *AUDIT or *ALLOBJ special authority. The system value cannot be set to this value.
*AUDLVL2
    Both QAUDLVL and QAUDLVL2 system values will be used to determine the security actions to be audited.
*ATNEVT
    Attention events are logged.
*AUTFAIL
    Authority failure events are logged.
*CREATE
    Object create operations are logged.
*DELETE
    Object delete operations are logged.
*JOBBAS
    Job base functions are audited.
*JOBCHGUSR
    Changes to a thread's active user profile or its group profiles are audited.
*JOBDTA
    Actions that affect a job are logged. *JOBDTA is composed of two values, which are *JOBBAS and *JOBCHGUSR, to enable you to better customize your auditing. If both of the values are specified, you will get the same auditing as if just *JOBDTA is specified.
*NETBAS
    Network base functions are audited.
*NETCLU
    Cluster and cluster resource group operations are audited.
*NETCMN
    Network and communication functions are audited. *NETCMN is composed of several values to enable you to better customize your auditing. The following values make up *NETCMN: *NETBAS, *NETCLU, *NETFAIL, *NETSCK.
*NETFAIL
    Network failures are audited.
*NETSCK
    Socket tasks are audited.
*OBJMGT
    Object move and rename operations are logged.
*OFCSRV
    Changes to the system distribution directory and office mail actions are logged.
*OPTICAL
    Use of Optical Volumes is logged.
*PGMADP
    Obtaining authority from a program that adopts authority is logged.
*PGMFAIL
    System integrity violations are logged.
*PRTDTA
    Printing a spooled file, sending output directly to a printer, and sending output to a remote printer are logged.
*SAVRST
    Save and restore operations are logged.
*SECCFG
    Security configuration is audited.
*SECDIRSRV
    Changes or updates when doing directory service functions are audited.
*SECIPC
    Changes to interprocess communications are audited.
*SECNAS
    Network authentication service actions are audited.
*SECRUN
    Security run time functions are audited.
*SECSCKD
    Socket descriptors are audited.
*SECURITY
    Security-related functions are logged. *SECURITY is composed of several values to enable you to better customize your auditing. The following values make up *SECURITY: *SECCFG, *SECDIRSRV, *SECIPC, *SECNAS, *SECRUN, *SECSCKD, *SECVFY, *SECVLDL.
*SECVFY
    Use of verification functions is audited.
*SECVLDL
    Changes to validation list objects are audited.
*SERVICE
    Using service tools is logged.
*SPLFDTA
    Actions performed on spooled files are logged.
*SYSMGT
    Use of systems management functions is logged.

68

IBM i: Security Security reference

Related reference:
Planning the auditing of actions on page 263
    The QAUDCTL (audit control) system value, the QAUDLVL (audit level) system value, the QAUDLVL2 (audit level extension) system value, and the AUDLVL (action auditing) parameter in user profiles work together to control action auditing.

Auditing Level Extension (QAUDLVL2)


The Auditing Level Extension (QAUDLVL2) system value is required when more than sixteen auditing values are needed. Specifying *AUDLVL2 as one of the values in the QAUDLVL system value will cause the system to also look for auditing values in the QAUDLVL2 system value. You can specify more than one value for the QAUDLVL2 system value, unless you specify *NONE. For the QAUDLVL2 system value to take effect, the QAUDCTL system value must include *AUDLVL and the QAUDLVL system value must include *AUDLVL2. Note: This system value is a restricted value. See Security system values for details on how to restrict changes to security system values and a complete list of the restricted system values.
Table 51. Possible values for the QAUDLVL2 system value
*NONE
    No auditing values are contained in this system value.
*NOTAVL
    This value is displayed to indicate that the system value is not available to the user because the user does not have either *AUDIT or *ALLOBJ special authority. The system value cannot be set to this value.
*ATNEVT
    Attention events are logged.
*AUTFAIL
    Authority failure events are logged.
*CREATE
    Object create operations are logged.
*DELETE
    Object delete operations are logged.
*JOBBAS
    Job base functions are audited.
*JOBCHGUSR
    Changes to a thread's active user profile or its group profiles are audited.
*JOBDTA
    Actions that affect a job are logged. *JOBDTA is composed of two values, which are *JOBBAS and *JOBCHGUSR, to enable you to better customize your auditing. If both of the values are specified, you will get the same auditing as if just *JOBDTA is specified.
*NETBAS
    Network base functions are audited.
*NETCLU
    Cluster and cluster resource group operations are audited.
*NETCMN
    Network and communication functions are audited. *NETCMN is composed of several values to allow you to better customize your auditing. The following values make up *NETCMN: *NETBAS, *NETCLU, *NETFAIL, *NETSCK.
*NETFAIL
    Network failures are audited.
*NETSCK
    Socket tasks are audited.
*OBJMGT
    Object move and rename operations are logged.
*OFCSRV
    Changes to the system distribution directory and office mail actions are logged.
*OPTICAL
    Use of Optical Volumes is logged.
*PGMADP
    Obtaining authority from a program that adopts authority is logged.
*PGMFAIL
    System integrity violations are logged.
*PRTDTA
    Printing a spooled file, sending output directly to a printer, and sending output to a remote printer are logged.
*SAVRST
    Restore operations are logged.
*SECCFG
    Security configuration is audited.
*SECDIRSRV
    Changes or updates when doing directory service functions are audited.
*SECIPC
    Changes to interprocess communications are audited.
*SECNAS
    Network authentication service actions are audited.
*SECRUN
    Security run time functions are audited.
*SECSCKD
    Socket descriptors are audited.
*SECURITY
    Security-related functions are logged. *SECURITY is composed of several values to allow you to better customize your auditing. The following values make up *SECURITY: *SECCFG, *SECDIRSRV, *SECIPC, *SECNAS, *SECRUN, *SECSCKD, *SECVFY, *SECVLDL.
*SECVFY
    Use of verification functions is audited.
*SECVLDL
    Changes to validation list objects are audited.
*SERVICE
    Using service tools is logged.
*SPLFDTA
    Actions performed on spooled files are logged.
*SYSMGT
    Use of systems management functions is logged.

Related reference:
Planning the auditing of actions on page 263
    The QAUDCTL (audit control) system value, the QAUDLVL (audit level) system value, the QAUDLVL2 (audit level extension) system value, and the AUDLVL (action auditing) parameter in user profiles work together to control action auditing.
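Because QAUDCTL, QAUDLVL and QAUDLVL2 depend on one another (QAUDLVL2 is consulted only when QAUDCTL contains *AUDLVL and QAUDLVL contains *AUDLVL2, *NOQTEMP needs *OBJAUD or *AUDLVL, and *NONE cannot be combined), it is easy to set values that silently audit nothing. The following Python is an added example, not IBM code: given the three system values as lists, it reports those inconsistencies and expands the composite values *JOBDTA, *NETCMN and *SECURITY into the actions that are actually audited. The function names are hypothetical.

```python
# Composite values and their members, as listed in Table 50 and Table 51.
COMPOSITE_VALUES = {
    "*JOBDTA": {"*JOBBAS", "*JOBCHGUSR"},
    "*NETCMN": {"*NETBAS", "*NETCLU", "*NETFAIL", "*NETSCK"},
    "*SECURITY": {"*SECCFG", "*SECDIRSRV", "*SECIPC", "*SECNAS",
                  "*SECRUN", "*SECSCKD", "*SECVFY", "*SECVLDL"},
}
QAUDLVL_MAX_VALUES = 16   # more than sixteen values require QAUDLVL2


def check_audit_system_values(qaudctl, qaudlvl, qaudlvl2=("*NONE",)):
    """Return a list of configuration problems; an empty list means consistent."""
    problems = []
    for name, vals in (("QAUDCTL", qaudctl), ("QAUDLVL", qaudlvl),
                       ("QAUDLVL2", qaudlvl2)):
        if "*NONE" in vals and len(vals) > 1:
            problems.append(f"{name}: *NONE cannot be combined with other values")
    if "*NOQTEMP" in qaudctl and not {"*OBJAUD", "*AUDLVL"} & set(qaudctl):
        problems.append("QAUDCTL: *NOQTEMP must be specified with *OBJAUD or *AUDLVL")
    if len(qaudlvl) > QAUDLVL_MAX_VALUES:
        problems.append("QAUDLVL: more than sixteen values; move the extras to QAUDLVL2")
    if set(qaudlvl2) - {"*NONE"} and "*AUDLVL2" not in qaudlvl:
        problems.append("QAUDLVL2 has values but QAUDLVL lacks *AUDLVL2, so they are ignored")
    if set(qaudlvl) - {"*NONE"} and "*AUDLVL" not in qaudctl:
        problems.append("QAUDLVL is set but QAUDCTL lacks *AUDLVL, so action auditing is off")
    return problems


def effective_action_auditing(qaudctl, qaudlvl, qaudlvl2=("*NONE",)):
    """Return the set of system-wide audited actions, composites expanded."""
    if "*AUDLVL" not in qaudctl:
        return set()          # QAUDCTL is the on/off switch for QAUDLVL and QAUDLVL2
    values = set(qaudlvl) - {"*NONE"}
    if "*AUDLVL2" in values:  # only then is the extension value consulted
        values.discard("*AUDLVL2")
        values |= set(qaudlvl2) - {"*NONE"}
    expanded = set()
    for value in values:
        expanded |= COMPOSITE_VALUES.get(value, {value})
    return expanded
```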

Auditing for New Objects (QCRTOBJAUD)


The Auditing for New Objects (QCRTOBJAUD) system value is used to determine the auditing value for a new object, if the create object auditing default for the library or directory of the new object is set to *SYSVAL. The QCRTOBJAUD system value is also the default object auditing value for new folderless documents. For example, the CRTOBJAUD value for the CUSTLIB library is *SYSVAL. The QCRTOBJAUD value is *CHANGE. If you create a new object in the CUSTLIB library, its object auditing value is automatically set to *CHANGE. You can change the object auditing value using the CHGOBJAUD or CHGAUD command. Note: This system value is a restricted value. See Security system values for details on how to restrict changes to security system values and a complete list of the restricted system values.

Table 52. Possible values for the QCRTOBJAUD system value:
*NONE
    No auditing is done for the object.
*NOTAVL
    This value is displayed to indicate that the system value is not available to the user because the user does not have either *AUDIT or *ALLOBJ special authority. The system value cannot be set to this value.
*USRPRF
    Auditing of the object is based on the value in the profile of the user accessing the object.
*CHANGE
    An audit record is written whenever a security relevant change is made to the object.
*ALL
    An audit record is written for any security relevant action that affects the contents of the object. An audit record is also written if a security relevant change is made to the object.

Recommended value: The value you select depends on the auditing requirements of your installation. Planning the auditing of object access on page 286 provides more information about methods for setting up object auditing on your system. You can control the auditing value at the directory level with the CRTOBJAUD parameter on the Make Directory (CRTDIR) command, and the *CRTOBJAUD value on the Change Attribute (CHGATR) command. You can also control the auditing value at the library level with the CRTOBJAUD parameter with the CRTLIB command and the CHGLIB command.

Chapter 4. User profiles


User profiles are a powerful and flexible tool. Designing them well can help you protect your system and customize it for your users.

Overview:
Purpose: Create and maintain user profiles and group profiles on the system
How To: Work with User Profiles (WRKUSRPRF) command
        Change User Audit (CHGUSRAUD) command
Authority: *SECADM special authority
           *AUDIT special authority to change user auditing
Journal Entry: AD for changes to user auditing
               CO for creation of a user profile
               CP for changes to user profiles
               DO for deletion of a user profile
               ZC for changes to a user profile that are not relevant to security

Related concepts:
User profiles on page 4
    On the i5/OS operating system, every system user has a user profile.

Roles of the user profile


A user profile contains a user's passwords, the list of special authorities assigned to a user, and the objects the user owns. A user profile has several roles on the system:
- It contains security-related information that controls how the user signs on the system, what the user is allowed to do after signing on, and how the user's actions are audited.
- It contains information that is designed to customize the system and adapt it to the user.
- It is a management and recovery tool for the operating system. The user profile contains information about the objects owned by the user and all the private authorities to objects.
- The user profile name identifies the user's jobs and printer output.

If the security level (QSECURITY) system value on your system is 10, the system automatically creates a user profile when someone signs on with a user ID that does not already exist on the system. Default values for user profiles on page 317 in Appendix B, IBM-supplied user profiles, on page 317 shows the values assigned when the system creates a user profile. If the QSECURITY system value on your system is 20 or higher, a user profile must exist before a user can sign on.

Group profiles
A group profile is a special type of user profile that provides the same authority to a group of users. A group profile serves two purposes on the system:
Security tool
    A group profile provides a method for organizing authorities on your system and sharing them among users. You can define object authorities or special authorities for group profiles rather than for each individual user profile. A user can be a member of up to 16 group profiles.
Customizing tool
    A group profile can be used as a pattern for creating individual user profiles. Most people who are part of the same group have the same customizing needs, such as the initial menu and the default printer. You can define these things in the group profile and then copy the group profile to create individual user profiles.

You create group profiles in the same way that you create individual profiles. The system recognizes a group profile when you add the first member to it. At that point, the system sets information in the profile indicating that it is a group profile. The system also generates a group identification number (gid) for the profile. You can also designate a profile as a group profile at the time when you create it by specifying a value in the gid parameter. Planning group profiles on page 239 shows an example of setting up a group profile.

User-profile parameter fields


This topic describes detailed information about the parameter fields for user profiles shown on the Create User Profile command prompt. When you create a user profile, the system gives these authorities to the profile: *OBJMGT, *CHANGE. These authorities are necessary for system functions and should not be removed.

Many system displays have different versions, called assistance levels, to meet the needs of different users:
- Basic assistance level, which contains less information and does not use technical terminology.
- Intermediate assistance level, which shows more information and uses technical terms.
- Advanced assistance level, which uses technical terms and shows the maximum amount of data by not always displaying function key and option information.

The following sections show what the user profile fields are called on both the basic assistance level and the intermediate assistance level displays.

Field title
    The title of the section shows how the field name appears on the Create User Profile command prompt. The title displays when you create a user profile with intermediate assistance level or the Create User Profile (CRTUSRPRF) command.
Add User prompt:
    This shows how the field name appears on the Add User display and other user-profile displays that use basic assistance level. The basic assistance level displays show a subset of the fields in the user profile. Not shown means the field does not appear on the basic assistance level display. When you use the Add User display to create a user profile, default values are used for all fields that are not shown.
CL parameter:
    You use the CL parameter name for a field in a CL program or when you enter a user profile command without prompting.

Length: If you use the Retrieve User Profile (RTVUSRPRF) command in a CL program, this is the length you should use to define the field associated with the parameter. Authority: If a field refers to a separate object, such as a library or a program, you are told the authority requirements for the object. To specify the object when you create or change a user profile, you need the corresponding authority listed. To sign on using the profile, the user needs the authority listed. For example, if you create user profile USERA with job description JOBD1, you must have *USE authority to JOBD1. USERA must have *USE authority to JOBD1 to successfully sign on with the profile. In addition, each section describes the possible values for the field and a recommended value.

User profile name


The user profile name identifies the user to the system. This user profile name is also known as the user ID. It is the name the user types in the User prompt on the Sign On display.

Add User prompt: User
CL parameter: USRPRF
Length: 10

The user profile name can be a maximum of 10 characters. The characters can be:
- Any letter (A through Z)
- Any number (0 through 9)
- These special characters: pound (#), dollar ($), underline (_), at (@).

The user profile name cannot begin with a number.

Notes:
- The Add User display allows only an eight-character user name.
- It is possible to create a user profile so that when a user signs on, the user ID is only numerals. To create a profile like this, specify a Q as the first character, such as Q12345. A user can then sign on by entering 12345 or Q12345 for the User prompt on the Sign On display.

For more information about specifying names on the system, see the CL programming topic.

Recommendations for naming user profiles: Consider these things when deciding how to name user profiles:
- A user profile name can be up to 10 characters long. Some communications methods limit the user ID to eight characters. The Add User display also limits the user profile name to eight characters.
- Use a naming scheme that makes user IDs easy to remember.
- The system does not distinguish between uppercase and lowercase letters in a user profile name. If you enter lowercase alphabetic characters at your workstation, the system translates them to uppercase characters.
- The displays and lists that you use to manage user profiles show the user profiles in alphabetical order by user profile name.
- Avoid using special characters in user profile names. Special characters might cause problems with keyboard mapping for certain workstations or with national language versions of the i5/OS licensed program.
Chapter 4. User profiles

75

One technique for assigning user profile names is to use the first seven characters of the family name followed by the first character of the first name. For example:
User name            User profile name
Anderson, George     ANDERSOG
Anderson, Roger      ANDERSOR
Harrisburg, Keith    HARRISBK
Jones, Sharon        JONESS
Jones, Keith         JONESK

Recommendations for naming group profiles: To easily identify group profiles on the system, use a naming convention. Begin all group profile names with the same characters, such as GRP (for group) or DPT (for department).

Password
The password is used to verify a user's authority to sign on to the system. A user ID and a password must be specified to sign on when password security is active (QSECURITY system value is 20 or higher).

Add User prompt: Password
CL parameter: PASSWORD
Length: 128

Passwords can be a maximum of 10 characters when the QPWDLVL system value is set to 0 or 1. Passwords can be a maximum of 128 characters when the QPWDLVL system value is set to 2 or 3.

When the Password Level (QPWDLVL) system value is 0 or 1, the rules for specifying passwords are the same as those used for user profile names. When the first character of the password is a Q and the second character is a numeric character, the Q can be omitted on the sign-on display. If a user specifies Q12345 as the password on the Change Password display, the user can specify either 12345 or Q12345 as the password on the sign-on display. When QPWDLVL is 2 or 3, the user must specify the password as Q12345 on the sign-on display if the user profile was created with a password of Q12345. An all-numeric password is allowed when QPWDLVL is 2 or 3, but the user profile password must be created as all numeric.

When the Password Level (QPWDLVL) system value is 2 or 3, the password is case-sensitive and can contain any character, including blank characters. However, the password cannot begin with an asterisk character ('*'), and trailing blank characters in the password are removed.

Note: Passwords can be created using double-byte characters. However, a password containing double-byte characters cannot be used to sign on via the system sign-on screen. Passwords containing double-byte characters can be created by the CRTUSRPRF and CHGUSRPRF commands and can be passed to the system APIs that support the password parameter.

One-way encryption is used to store the password on the system.

If a password is forgotten, the security officer can use the Change User Profile (CHGUSRPRF) command to assign a temporary password and set that password to expired, requiring the user to assign a new password at the next sign-on.

You can set system values to control the passwords that users assign. The password composition system values apply only when a user changes a password using the Change Password (CHGPWD) command, the Change password option from the ASSIST menu, or the QSYCHGPW API. A user cannot set the password equal to the user profile name using the CHGPWD command, the ASSIST menu, or the QSYCHGPW API in any of the following conditions:
• The QPWDRULES system value is *PWDSYSVAL and the Password Minimum Length (QPWDMINLEN) system value is not 1.
• The QPWDRULES system value is *PWDSYSVAL and the Password Maximum Length (QPWDMAXLEN) system value is not 10.
• The QPWDRULES system value is *PWDSYSVAL and any of the other password composition system values have been changed from the default values.
See the topic System values that apply to passwords on page 46 for information about setting the password composition system values.
Table 53. Possible values for PASSWORD:
*USRPRF         The password for this user is the same as the user profile name. When the Password Level (QPWDLVL) system value is 2 or 3, the password is the uppercased value of the user profile name. For profile JOHNDOE, the password is JOHNDOE, not johndoe.
*NONE           No password is assigned to this user profile. Sign-on is not allowed with this user profile. You can submit a batch job using a user profile with password *NONE if you have correct authority to the user profile.
user-password   A character string (128 characters or less).

Recommendations for passwords:
• Set the password for a group profile to *NONE. This prevents anyone from signing on with the group profile.
• When creating an individual user profile, set the password to an initial value and require a new password to be assigned when the user signs on (set password expired to *YES). The default password when creating a user profile is the same as the user profile name.
• If you use a trivial or default password when creating a new user profile, make sure the user intends to sign on immediately. If you expect a delay before the user signs on, set the status of the user profile to *DISABLED. Change the status to *ENABLED when the user is ready to sign on. This protects a new user profile from being used by someone who is not authorized.
• Use the password composition system values to prevent users from assigning trivial passwords.
• Some communications methods send passwords between systems and limit the length of passwords and the characters that passwords can contain. If your system communicates with other systems, use the QPWDMAXLEN or QPWDRULES system value to limit the password length. At password levels 0 and 1, the QPWDLMTCHR system value can be used to specify characters that cannot be used in passwords.
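The sign-on and password-change rules above, modelled as an added Python example (this is not IBM code and says nothing about how the system stores or compares passwords internally). The uppercase fold at levels 0 and 1 is assumed from "the same rules as those used for user profile names", and the case-insensitive comparison with the profile name in change_password_allowed is also an assumption.

```python
import re

# Profile-name character rules: letters, digits, # $ _ @; no leading digit;
# 1 to 10 characters. Level 0/1 passwords follow the same rules.
_NAME_RE = re.compile(r"^[A-Z#$@_][A-Z0-9#$@_]{0,9}$")


def valid_profile_name(name):
    """The system translates lowercase to uppercase, so check case-insensitively."""
    return bool(_NAME_RE.match(name.upper()))


def canonical_password(value, pwdlvl, at_signon=False):
    """Return the form in which the password would be compared, or None when
    the value is not acceptable at this QPWDLVL.

    at_signon=True applies the sign-on shortcut: at levels 0 and 1 an
    all-numeric entry such as 12345 stands for Q12345.
    Assumption: levels 0/1 fold to uppercase (same rules as profile names).
    """
    if pwdlvl in (0, 1):
        pw = value.upper()
        if at_signon and pw.isdigit():
            pw = "Q" + pw
        return pw if _NAME_RE.match(pw) else None
    if pwdlvl in (2, 3):
        pw = value.rstrip(" ")              # trailing blanks are removed
        if not pw or pw.startswith("*") or len(pw) > 128:
            return None
        return pw                           # case-sensitive; blanks allowed inside
    raise ValueError("QPWDLVL must be 0, 1, 2 or 3")


def signon_matches(profile_password, entered, pwdlvl):
    """True when what was typed at sign-on matches the profile's password."""
    stored = canonical_password(profile_password, pwdlvl)
    typed = canonical_password(entered, pwdlvl, at_signon=True)
    return stored is not None and typed is not None and stored == typed


def change_password_allowed(new_password, profile_name, pwdlvl, *,
                            qpwdrules, qpwdminlen, qpwdmaxlen,
                            other_composition_changed=False):
    """Apply the 'password equal to profile name' rule for CHGPWD, the ASSIST
    menu and QSYCHGPW. The other composition values (length, digits, ...) are
    not modelled here; pass other_composition_changed=True if any of them
    differs from its default.
    Assumption: the comparison with the profile name ignores case at every level.
    """
    canon = canonical_password(new_password, pwdlvl)
    if canon is None:
        return False
    name_rule_active = qpwdrules == "*PWDSYSVAL" and (
        qpwdminlen != 1 or qpwdmaxlen != 10 or other_composition_changed)
    if name_rule_active and canon.upper() == profile_name.upper():
        return False
    return True
```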

Set password to expired


The Set password to expired field allows a security administrator to indicate in the user profile that the user's password is expired and must be changed the next time the user signs on.

Add User prompt: Not shown
CL parameter: PWDEXP
Length: 4


This value is reset to *NO when the password is changed. You can change the password by using either the CHGPWD or CHGUSRPRF command, the QSYCHGPW API, or as part of the next sign-on process. This field can be used when a user cannot remember the password and a security administrator must assign a new one. Requiring the user to change the password assigned by the security administrator prevents the security administrator from knowing the new password and signing on as the user. When a user's password has expired, the user receives a message at sign-on (see Password expiration interval on page 91). The user can either press the Enter key to assign a new password or press F3 (Exit) to cancel the sign-on attempt without assigning a new password. If the user chooses to change the password, the Change Password display is shown and password validation is run for the new password.

                            Sign-on Information
                                                            System:
Password has expired.  Password must be changed to continue sign-on request.

Previous sign-on . . . . . . . . . . . . . :   10/30/91   14:15:00

Figure 1. Password expiration message

Table 54. Possible values for PWDEXP:
*NO    The password is not set to expired.
*YES   The password is set to expired.

Recommendations: Set the password to expired whenever you create a new user profile or assign a temporary password to a user.

Status
The value of the Status field indicates if the profile is valid for sign-on. If the profile status is enabled, the profile is valid for sign-on. If the profile status is disabled, an authorized user has to enable the profile again to make it valid for sign-on.

Add User prompt: Not shown
CL parameter: STATUS
Length: 10

You can use the CHGUSRPRF command to enable a profile that has been disabled. You must have *SECADM special authority and *OBJMGT and *USE authority to the profile to change its status. Enabling a user profile on page 125 shows an example of an adopted authority program to allow a system operator to enable a profile.

The system can disable a profile after a certain number of incorrect password verification attempts with that profile, depending on the settings of the QMAXSIGN and QMAXSGNACN system values.

You can always sign on with the QSECOFR (security officer) profile at the console, even if the status of QSECOFR is *DISABLED. If the QSECOFR user profile becomes disabled, sign on as QSECOFR at the console and type CHGUSRPRF QSECOFR STATUS(*ENABLED).

78

IBM i: Security Security reference

Table 55. Possible values for STATUS:
*ENABLED    The profile is valid for sign-on.
*DISABLED   The profile is not valid for sign-on until an authorized user enables it again.

Recommendations: Set the status to *DISABLED if you want to prevent sign-on with a user profile. For example, you can disable the profile of a user who will be away from the business for an extended period.

User class
User class is used to control what menu options are shown to the user on i5/OS menus. This helps control user access to some system functions.

Add User prompt: Type of User
CL parameter: USRCLS
Length: 10

This does not necessarily limit the use of commands. The Limit capabilities field controls whether the user can enter commands. User class may not affect what options are shown on menus provided by other licensed programs. If no special authorities are specified when a user profile is created, the user class and the security level (QSECURITY) system value are used to determine the special authorities for the user.

Possible values for USRCLS: Table 56 shows the possible user classes and what the default special authorities are for each user class. The entries indicate that the authority is given at security levels 10 and 20 only, at all security levels, or not at all. The default value for user class is *USER.
Table 56. Default special authorities by user class

Special authority   *SECOFR   *SECADM    *PGMR      *SYSOPR    *USER
*ALLOBJ             All       10 or 20   10 or 20   10 or 20   10 or 20
*SECADM             All       All
*JOBCTL             All       10 or 20   All        All
*SPLCTL             All
*SAVSYS             All       10 or 20   10 or 20   All        10 or 20
*SERVICE            All
*AUDIT              All
*IOSYSCFG           All

Recommendations: Most users do not need to perform system functions. Set the user class to *USER, unless a user specifically needs to use system functions.

Chapter 4. User profiles

79

Assistance level
The Assistance level field in the user profile specifies the default assistance level for the user when the profile is created. The System i platform provides three levels of assistance: basic, intermediate, and advanced.

Add User prompt: Not shown
CL parameter: ASTLVL
Length: 10

For each user, the system keeps track of the last assistance level used for every system display that has more than one assistance level. That level is used the next time the user requests that display. During an active job, a user can change the assistance level for a display or group of related displays by pressing F21 (Select assistance level). The new assistance level for that display is stored with the user information. Specifying the assistance level (ASTLVL) parameter on a command does not change the assistance level that is stored for the user for the associated display. If the assistance level in the user profile is changed using the CHGUSRPRF or the Change Profile (CHGPRF) command, the assistance levels stored for all displays for that user are reset to the new value.

For example, assume the user profile for USERA is created with the default assistance level (basic). Table 57 shows whether USERA sees the Work with User Profiles display or the Work with User Enrollment display when using different options. The table also shows whether the system changes the version for the display that is stored with USERA's profile.
Table 57. How assistance levels are stored and changed

Action taken: Use WRKUSRPRF command
  Version of display shown: Work with User Enrollment display
  Version of display stored: No change (basic assistance level)

Action taken: From Work with User Enrollment display, press F21 and select intermediate assistance level.
  Version of display shown: Work with User Profiles display
  Version of display stored: Changed to intermediate assistance level

Action taken: Use WRKUSRPRF command
  Version of display shown: Work with User Profiles display
  Version of display stored: No change (intermediate)

Action taken: Select the work with user enrollment option from the SETUP menu.
  Version of display shown: Work with User Profiles display
  Version of display stored: No change (intermediate)

Action taken: Type CHGUSRPRF USERA ASTLVL(*BASIC)
  Version of display shown: (none)
  Version of display stored: Changed to basic assistance level

Action taken: Use WRKUSRPRF command
  Version of display shown: Work with User Enrollment display
  Version of display stored: No change (basic)

Action taken: Type WRKUSRPRF ASTLVL(*INTERMED)
  Version of display shown: Work with User Profiles display
  Version of display stored: No change (basic)

Note: The User option field in the user profile also affects how system displays are shown. This field is described in User Options on page 108.
Table 58. Possible values for ASTLVL:
*SYSVAL     The assistance level specified in the QASTLVL system value is used.
*BASIC      The Operational Assistant user interface is used.
*INTERMED   The system interface is used.
*ADVANCED   The expert system interface is used. To allow for more list entries, the option numbers and the function keys are not always displayed. If a command does not have an advanced (*ADVANCED) level, the intermediate (*INTERMED) level is used.

Current library
The current library is the library that is specified to be the first user library searched for objects requested by a user. If the user creates objects and specifies *CURLIB, the objects are put in the current library.

Add User prompt: Default library
CL parameter: CURLIB
Length: 10
Authority: *USE

The current library is automatically added to the user's library list when the user signs on. It does not need to be included in the initial library list in the user's job description. The user cannot change the current library if the Limit capabilities field in the user profile is *YES or *PARTIAL. The topic Library lists on page 207 provides more information about using library lists and the current library.
Table 59. Possible values for CURLIB:
*CRTDFT                This user has no current library. If objects are created using *CURLIB on a create command, the library QGPL is used as the default current library.
current-library-name   The name of a library.

Recommendations: Use the Current library field to control where users are allowed to put new objects, such as Query programs. Use the Limit capabilities field to prevent users from changing the current library.

Initial program
You can specify the name of a program to call when a user signs on. Such a program is called an initial program. An initial program runs before the initial menu, if any, is displayed.

Add User prompt: Sign on program
CL parameter: INLPGM
Length: 10 (program name), 10 (library name)
Authority: *USE for program, *EXECUTE for library

If the Limit capabilities field in the user's profile is *YES or *PARTIAL, the user cannot specify an initial program on the Sign On display.

The initial program is called only if the user's routing program is QCMD or QCL. See Starting an interactive job on page 199 for more information about the processing sequence when a user signs on.

Initial programs are used for two main purposes:
• To restrict a user to a specific set of functions.
• To perform some initial processing, such as opening files or establishing the library list, when the user first signs on.

Parameters cannot be passed to an initial program. If the initial program fails, the user is not able to sign on.
Table 60. Possible values for INLPGM:
*NONE          No program is called when the user signs on. If a menu name is specified on the initial menu (INLMNU) parameter, that menu is displayed.
program-name   The name of the program that is called when the user signs on.

Table 61. Possible values for INLPGM library:
*LIBL          The library list is used to locate the program. If the job description for the user profile has an initial library list, that list is used. If the job description specifies *SYSVAL for the initial library list, the QUSRLIBL system value is used.
*CURLIB        The current library specified in the user profile is used to locate the program. If no current library is specified, QGPL is used.
library-name   The library where the program is located.

Initial menu
You can specify the name of a menu to be shown when the user signs on. The initial menu is displayed after the user's initial program runs. The initial menu is called only if the user's routing program is QCMD or QCL.

Add User prompt: First menu
CL parameter: INLMNU
Length: 10 (menu name), 10 (library name)
Authority: *USE for menu, *EXECUTE for library

If you want the user to run only the initial program, you can specify *SIGNOFF for the initial menu. If the Limit capabilities field in the user's profile is *YES, the user cannot specify a different initial menu on the Sign On display. If a user is allowed to specify an initial menu on the Sign On display, the menu specified overrides the menu in the user profile.
Table 62. Possible values for MENU:
MAIN        The System i Main Menu is shown.
*SIGNOFF    The system signs off the user when the initial program completes. Use this to limit users to running a single program.
menu-name   The name of the menu that is called when the user signs on.

82

IBM i: Security Security reference

Table 63. Possible values for MENU library:
*LIBL          The library list is used to locate the menu. If the initial program adds entries to the library list, those entries are included in the search, because the menu is called after the initial program has completed.
*CURLIB        The current library for the job is used to locate the menu. If no current library entry exists in the library list, QGPL is used.
library-name   The library where the menu is located.

Limit capabilities
You can use the Limit capabilities field to limit the user's ability to enter commands and to override the initial program, initial menu, current library, and attention-key-handling program specified in the user profile. This field is a tool for preventing users from experimenting on the system.

Add User prompt: Restrict command line use
CL parameter: LMTCPB
Length: 10

A user with limited capabilities can only run commands that are defined as being allowed to be used by limited users. The following commands are shipped by IBM with ALWLMTUSR(*YES):
• Sign off (SIGNOFF)
• Send message (SNDMSG)
• Display messages (DSPMSG)
• Display job (DSPJOB)
• Display job log (DSPJOBLOG)
• Start PC Organizer (STRPCO)
• Work with Messages (WRKMSG)

The Limit capabilities field in the user profile and the ALWLMTUSR parameter on commands apply only to commands that are run from the command line, the Command Entry display, FTP, REXEC, using the QCAPCMD API, or an option from a command grouping menu. Users are not restricted from performing the following actions:
• Run commands in CL programs that are running a command as a result of taking an option from a menu
• Run remote commands through applications

You can allow the limited capability user to run additional commands, or remove some of these commands from the list, by changing the ALWLMTUSR parameter for a command. Use the Change Command (CHGCMD) command. If you create your own commands, you can specify the ALWLMTUSR parameter on the Create Command (CRTCMD) command.

Possible values: Table 64 shows the possible values for the Limit capabilities field and what functions are allowed for each value.
Table 64. Functions allowed for limit capabilities values

Function                    *YES        *PARTIAL   *NO
Change initial program      No          No         Yes
Change initial menu         No          Yes        Yes
Change current library      No          No         Yes
Change attention program    No          No         Yes
Enter commands (1)          A few (1)   Yes        Yes

(1) These commands are allowed by default: SIGNOFF, SNDMSG, DSPMSG, DSPJOB, DSPJOBLOG, STRPCO, WRKMSG. The user cannot use F9 to display a command line from any menu or display.

Recommendations: Using an initial menu, restricting command line use, and providing access to the menu allow you to set up an environment for a user who does not need or want to access system functions.

Related concepts:
Planning menus on page 228
Menus are a good method for providing controlled access on your system. You can use menus to restrict a user to a set of strictly controlled functions by specifying limited capabilities and an initial menu in the user profile.

Text
The text in the user profile is used to describe the user profile or what it is used for.

Add User prompt: User description
CL parameter: TEXT
Length: 50

For user profiles, the text should have identifying information, such as the user's name and department. For group profiles, the text should identify the group, such as what departments the group includes.
Table 65. Possible values for TEXT:
*BLANK        No text is specified.
description   Specify no more than 50 characters.

Recommendations: The Text field is truncated on many system displays. Put the most important identifying information at the beginning of the field.

Special authority
Special authority is used to specify the types of actions a user can perform on system resources. A user can be given one or more special authorities.

Add User prompt: Not shown
CL parameter: SPCAUT
Length: 100 (10 characters per special authority)
Authority: To give a special authority to a user profile, you must have that special authority.

84

IBM i: Security Security reference

Table 66. Possible values for SPCAUT:
*USRCLS                  Special authorities are granted to this user based on the user class (USRCLS) field in the user profile and the security level (QSECURITY) system value. If *USRCLS is specified, no additional special authorities can be specified for this user. If you specify *USRCLS when you create or change a user profile, the system puts the correct special authorities in the profile as if you had entered them. When you display profiles, you cannot tell whether special authorities were entered individually or entered by the system based on the user class. Table 56 on page 79 shows the default special authorities for each user class.
*NONE                    No special authority is granted to this user.
special-authority-name   Specify one or more special authorities for the user.

*ALLOBJ special authority


All-object (*ALLOBJ) special authority allows the user to access any resource on the system, regardless of whether private authority exists for the user. Even if the user has *EXCLUDE authority to an object, *ALLOBJ special authority still allows the user to access the object.

Risks: *ALLOBJ special authority gives the user extensive authority over all resources on the system. The user can view, change, or delete any object. The user can also grant to other users the authority to use objects. A user with *ALLOBJ authority cannot directly perform operations that require another special authority. For example, *ALLOBJ special authority does not allow a user to create another user profile, because creating user profiles requires *SECADM special authority. However, a user with *ALLOBJ special authority can submit a batch job to run using a profile that has the needed special authority. Giving *ALLOBJ special authority essentially gives a user access to all functions on the system.

*SECADM special authority


Security administrator (*SECADM) special authority allows a user to create, change, and delete user profiles. A user with *SECADM special authority can:
• Add users to the system distribution directory.
• Display authority for documents or folders.
• Add and remove access codes to the system.
• Give and remove a user's access code authority.
• Give and remove permission for users to work on another user's behalf.
• Delete documents and folders.
• Delete document lists.
• Change distribution lists created by other users.

Only a user with *SECADM and *ALLOBJ special authority can give *SECADM special authority to another user.

*JOBCTL special authority


The Job control (*JOBCTL) special authority allows a user to change the priority of jobs and of printing, end a job before it has finished, or delete output before it has printed. *JOBCTL special authority can also give a user access to confidential spooled output, if output queues are specified as OPRCTL(*YES).

Job control (*JOBCTL) special authority allows the user to perform the following actions:
• Change, delete, hold, and release all files on any output queues specified as OPRCTL(*YES).
• Display, send, and copy all files on any output queues specified as DSPDTA(*YES or *NO) and OPRCTL(*YES).
• Hold, release, and clear job queues specified as OPRCTL(*YES).
• Hold, release, and clear output queues specified as OPRCTL(*YES).
• Hold, release, change, and cancel other users' jobs.
• Start, change, end, hold, and release writers, if the output queue is specified as OPRCTL(*YES).
• Change the running attributes of a job, such as the printer for a job.
• Stop subsystems.
• Perform an initial program load (IPL).

Securing printer output and output queues is discussed in Printing on page 211.

You can change the job priority (JOBPTY) and the output priority (OUTPTY) of your own job without job control special authority. You must have *JOBCTL special authority to change the run priority (RUNPTY) of your own job. Changes to the output priority and job priority of a job are limited by the priority limit (PTYLMT) in the profile of the user making the change.

Risks: A user who abuses *JOBCTL special authority can have a negative effect on individual jobs and on overall system performance.

*SPLCTL special authority


Spool control (*SPLCTL) special authority allows the user to perform all spool control functions, such as changing, deleting, displaying, holding and releasing spooled files. The user can perform these functions on all output queues, regardless of any authorities for the output queue or the OPRCTL parameter for the output queue. *SPLCTL special authority also allows the user to manage job queues, including holding, releasing, and clearing the job queue. The user can perform these functions on all job queues, regardless of any authorities for the job queue or the OPRCTL parameter for the job queue. Risks: The user with *SPLCTL special authority can perform any operation on any spooled file in the system. Confidential spooled files cannot be protected from a user with *SPLCTL special authority.

*SAVSYS special authority


Save system (*SAVSYS) special authority gives the user the authority to save, restore, and free storage for all objects on the system, regardless of whether the user has object existence authority to the objects.

Risks: The user with *SAVSYS special authority can:
• Save an object and take it to another system to be restored.
• Save an object and display the tape to view the data.
• Save an object and free storage, thus deleting the data portion of the object.
• Save a document and delete it.

*SERVICE special authority


Service (*SERVICE) special authority allows the user to start system service tools using the STRSST command. This special authority allows the user to debug a program with only *USE authority to the program and perform the display and alter service functions. It also allows the user to perform trace functions.

86

IBM i: Security Security reference

The dump function can be performed without *SERVICE authority.

Risks: A user with *SERVICE special authority can display and change confidential information using service functions. The user must have *ALLOBJ special authority to change the information using service functions.

To minimize the risk for trace commands, users can be given authorization to perform service tracing without the *SERVICE special authority. In this way, only specific users have the ability to perform a trace command, which can grant them access to sensitive data. The user must be authorized to the command and have either *SERVICE special authority, or be authorized to the Service Trace function of i5/OS through Application Administration in System i Navigator. The Change Function Usage (CHGFCNUSG) command, with the function ID of QIBM_SERVICE_TRACE, can also be used to change the list of users that are allowed to perform trace operations. The commands to which access can be granted in this way include:
STRCMNTRC   Start Communications Trace
ENDCMNTRC   End Communications Trace
PRTCMNTRC   Print Communications Trace
DLTCMNTRC   Delete Communications Trace
CHKCMNTRC   Check Communications Trace
TRCCNN      Trace Connection (see Granting access to traces)
TRCINT      Trace Internal
STRTRC      Start Job Trace
ENDTRC      End Job Trace
PRTTRC      Print Job Trace
DLTTRC      Delete Job Trace
TRCTCPAPP   Trace TCP/IP Application
WRKTRC      Work with Traces

Note: You need *ALLOBJ to change data using service functions.

Granting access to traces: Trace commands, such as TRCCNN (Trace Connection), are powerful commands that should not be granted to all users who need access to other service and debug tools. Complete the following steps to limit who can access these trace commands without having *SERVICE authority:
1. In System i Navigator, open Users and Groups.
2. Select All Users to view a list of user profiles.
3. Right-click the user profile to be altered.
4. Select Properties.
5. Click Capabilities.
6. Open the Applications tab.
7. Select Access for.
8. Select Host Applications.
9. Select Operating System.
10. Select Service.
11. Use the check box to grant or revoke access to trace commands.

Alternatively, the Change Function Usage (CHGFCNUSG) command can be used to grant users access to the trace commands. Enter CHGFCNUSG FCNID(QIBM_SERVICE_TRACE) USER(user-profile) USAGE(*ALLOWED).

*AUDIT special authority


Audit (*AUDIT) special authority gives the user the ability to view and change auditing characteristics. A user can perform the following tasks with the *AUDIT special authority:
• Change and display the system values that control auditing.
• Use the CHGOBJAUT, CHGDLOAUD, and CHGAUD commands to change auditing for objects.
• Use the CHGUSRAUD command to change auditing for a user.
• Display an object's auditing values.
• Display a user profile's auditing values.
• Run some of the security tool commands, such as PRTADPOBJ.

Risks: A user with *AUDIT special authority can stop and start auditing on the system or prevent auditing of particular actions. If having an audit record of security-relevant events is important for your system, carefully control and monitor the use of *AUDIT special authority. To prevent general users from viewing auditing information, restrict general users' access to the following information:
• The security audit journal (QAUDJRN)
• Other journals that contain auditing data
• Save files, outfiles, spool files, and printed output that contain auditing information

Note: Only a user with *ALLOBJ, *SECADM, and *AUDIT special authorities can give another user *AUDIT special authority.

*IOSYSCFG special authority


System configuration (*IOSYSCFG) special authority gives the user the ability to change how the system is configured. Users with this special authority can add or remove communications configuration information, work with TCP/IP servers, and configure the internet connection server (ICS). Most commands for configuring communications require *IOSYSCFG special authority.

Recommendations for special authorities: Giving special authorities to users represents a security exposure. For each user, carefully evaluate the need for any special authorities. Keep track of which users have special authorities and periodically review their requirement for the authority. In addition, you should control the following situations for user profiles and programs:
• Whether user profiles with special authorities can be used to submit jobs
• Whether programs created by these users can run using the authority of the program owner

Programs adopt the *ALLOBJ special authority of the owner if:
• The programs are created by users who have *ALLOBJ special authority
• The user specifies USRPRF(*OWNER) parameter on the command that creates the program
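A periodic review of special authorities, in the spirit of the recommendations above and of Table 56, as an added Python example (not IBM code). It runs over constructed profile and program records whose keys reuse the CL parameter names from this chapter (USRPRF, USRCLS, SPCAUT, GRPPRF, PASSWORD); the OWNER field for programs and the "(set)" marker standing in for a password that exists are assumptions, since the real password is never retrievable.

```python
# Table 56: the QSECURITY levels at which each user class receives each
# special authority ("All" levels, or only levels 10 and 20).
ALL = "All"
LOW = "10 or 20"
CLASS_DEFAULTS = {
    "*ALLOBJ":   {"*SECOFR": ALL, "*SECADM": LOW, "*PGMR": LOW, "*SYSOPR": LOW, "*USER": LOW},
    "*SECADM":   {"*SECOFR": ALL, "*SECADM": ALL},
    "*JOBCTL":   {"*SECOFR": ALL, "*SECADM": LOW, "*PGMR": ALL, "*SYSOPR": ALL},
    "*SPLCTL":   {"*SECOFR": ALL},
    "*SAVSYS":   {"*SECOFR": ALL, "*SECADM": LOW, "*PGMR": LOW, "*SYSOPR": ALL, "*USER": LOW},
    "*SERVICE":  {"*SECOFR": ALL},
    "*AUDIT":    {"*SECOFR": ALL},
    "*IOSYSCFG": {"*SECOFR": ALL},
}

# Special authorities whose holders the text singles out under "Risks".
HIGH_RISK = {"*ALLOBJ", "*SECADM", "*SPLCTL", "*SAVSYS", "*SERVICE", "*AUDIT"}


def default_special_authorities(usrcls, qsecurity):
    """Special authorities SPCAUT(*USRCLS) gives a profile of this user class."""
    granted = set()
    for spcaut, classes in CLASS_DEFAULTS.items():
        when = classes.get(usrcls)
        if when == ALL or (when == LOW and qsecurity in (10, 20)):
            granted.add(spcaut)
    return granted


def review_profiles(profiles, qsecurity):
    """Return (USRPRF, finding) pairs for:
    - special authorities beyond the user class default (Table 56)
    - holders of the high-risk special authorities
    - group profiles (named as GRPPRF by another profile) that still have a password
    """
    findings = []
    groups = {p["GRPPRF"] for p in profiles if p["GRPPRF"] != "*NONE"}
    for p in profiles:
        name, have = p["USRPRF"], set(p["SPCAUT"])
        extra = have - default_special_authorities(p["USRCLS"], qsecurity)
        if extra:
            findings.append((name, "beyond class default: " + " ".join(sorted(extra))))
        for spcaut in sorted(have & HIGH_RISK):
            findings.append((name, "holds " + spcaut))
        if name in groups and p["PASSWORD"] != "*NONE":
            findings.append((name, "group profile with a password"))
    return findings


def adopting_allobj_programs(profiles, programs):
    """Programs that adopt *ALLOBJ: created with USRPRF(*OWNER) by an owner who
    holds *ALLOBJ. OWNER is an assumed field name for the program records."""
    allobj_owners = {p["USRPRF"] for p in profiles if "*ALLOBJ" in p["SPCAUT"]}
    return sorted(pg["PGM"] for pg in programs
                  if pg["USRPRF"] == "*OWNER" and pg["OWNER"] in allobj_owners)


# Constructed sample records (not output from a real system).
SAMPLE_PROFILES = [
    {"USRPRF": "QSECOFR", "USRCLS": "*SECOFR", "GRPPRF": "*NONE", "PASSWORD": "(set)",
     "SPCAUT": sorted(CLASS_DEFAULTS)},
    {"USRPRF": "ANDERSOG", "USRCLS": "*USER", "GRPPRF": "GRPSALES", "PASSWORD": "(set)",
     "SPCAUT": ["*JOBCTL"]},
    {"USRPRF": "JONESK", "USRCLS": "*SYSOPR", "GRPPRF": "GRPOPS", "PASSWORD": "(set)",
     "SPCAUT": ["*JOBCTL", "*SAVSYS"]},
    {"USRPRF": "HARRISBK", "USRCLS": "*PGMR", "GRPPRF": "*NONE", "PASSWORD": "(set)",
     "SPCAUT": ["*JOBCTL", "*ALLOBJ"]},
    {"USRPRF": "GRPSALES", "USRCLS": "*USER", "GRPPRF": "*NONE", "PASSWORD": "*NONE",
     "SPCAUT": []},
    {"USRPRF": "GRPOPS", "USRCLS": "*USER", "GRPPRF": "*NONE", "PASSWORD": "(set)",
     "SPCAUT": []},
]
SAMPLE_PROGRAMS = [
    {"PGM": "PAYROLL", "OWNER": "HARRISBK", "USRPRF": "*OWNER"},
    {"PGM": "REPORTS", "OWNER": "HARRISBK", "USRPRF": "*USER"},
    {"PGM": "ENABLEUSR", "OWNER": "QSECOFR", "USRPRF": "*OWNER"},
]

if __name__ == "__main__":
    for user, finding in review_profiles(SAMPLE_PROFILES, qsecurity=40):
        print("%-10s %s" % (user, finding))
    print("programs adopting *ALLOBJ:",
          adopting_allobj_programs(SAMPLE_PROFILES, SAMPLE_PROGRAMS))
```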

Special environment
The user can operate in the System i5, the System/36, or the System/38 environment. When the user signs on, the system uses the routing program and the special environment in the user's profile to determine the user's environment.

Add User prompt: Not shown
CL parameter: SPCENV
Length: 10


Table 67. Possible values for SPCENV:
  *SYSVAL   The QSPCENV system value is used to determine the environment when the user signs on, if the user's routing program is QCMD.
  *NONE     The user operates in the System i5 environment.
  *S36      The user operates in the System/36 environment if the user's routing program is QCMD.

Recommendations: If the user runs a combination of System i and System/36 applications, use the Start System/36 (STRS36) command before running System/36 applications rather than specifying the System/36 environment in the user profile. This provides better performance for the System i applications.

Figure 2. Description of special environment

Description of special environment in Figure 2: The system first determines whether the routing program is QCMD. If it is not, the system checks whether the routing program is QCL. If it is QCL, the system uses the System/38 special environment; if it is not QCL, the system simply calls the program specified in the routing entry. If the routing program is QCMD, the system checks whether the special environment value in the user profile is *SYSVAL. If it is, the system retrieves the QSPCENV system value and tests that value; otherwise it tests the special environment value from the user profile. If the value tested is *S36, the system runs the System/36 special environment. If the value is *NONE, the system runs the integrated System i environment.
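As an added illustration (not from the manual), the decision sequence above written as a Python function; the function and constant names are the author's, while the routing-program names and SPCENV/QSPCENV values are the ones the manual documents:

```python
# Added example (not from the IBM i Security Reference): a model of the
# routing-program / SPCENV / QSPCENV decision that Figure 2 describes.
# Function and constant names are the author's; the values QCMD, QCL,
# *SYSVAL, *NONE and *S36 are those documented for the parameter.

SYSTEM_I = "System i"       # the integrated System i environment
SYSTEM_36 = "System/36"     # System/36 special environment
SYSTEM_38 = "System/38"     # System/38 special environment


def resolve_special_environment(routing_program, spcenv, qspcenv):
    """Return the environment an interactive job starts in.

    routing_program: program named in the matching routing entry
                     (for example "QCMD" or "QCL").
    spcenv:          SPCENV value of the user profile
                     (*SYSVAL, *NONE or *S36).
    qspcenv:         QSPCENV system value (*NONE or *S36).

    Returns one of the three environment constants, or None when the
    routing program is neither QCMD nor QCL: the routing entry's program
    is simply called and no special environment applies.
    """
    if routing_program != "QCMD":
        # Only QCL gets a special environment; anything else runs as-is.
        return SYSTEM_38 if routing_program == "QCL" else None

    # With QCMD the profile value decides; *SYSVAL defers to QSPCENV.
    effective = qspcenv if spcenv == "*SYSVAL" else spcenv
    if effective == "*S36":
        return SYSTEM_36
    if effective == "*NONE":
        return SYSTEM_I
    raise ValueError(f"unexpected special environment value {effective!r}")
```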

Display sign-on information


The Sign-on Information display is a tool for users to monitor their profiles and to detect attempted misuse. The Display sign-on information field specifies whether the Sign-on Information display is shown when the user signs on.

Add User prompt: Not shown
CL parameter: DSPSGNINF
Length: 7

Figure 3 shows the display. Password expiration information is only shown if the password expires within the password expiration warning days.

                         Sign-on Information
                                                   System:
Previous sign-on . . . . . . . . . . . . . :   10/30/91   14:15:00
Password verifications not valid . . . . . :   3
Days until password expires . . . . . . . :   5

Figure 3. Sign-On Information Display

Table 68. Possible values for DSPSGNINF:
  *SYSVAL   The QDSPSGNINF system value is used.
  *NO       The Sign-on Information display is not shown when the user signs on.
  *YES      The Sign-on Information display is shown when the user signs on.

Recommendations: Having all users see this display is recommended. Users with special authority or authority to critical objects should be encouraged to use the display to make sure no one attempts to use their profiles.

Password expiration interval


The password expiration interval controls the number of days that a valid password can be used before it must be changed.

Add User prompt: Not shown
CL parameter: PWDEXPITV
Length: 5,0

When a user's password has expired, the user receives a message at sign-on. The user can either press the Enter key to assign a new password or press F3 (Exit) to cancel the sign-on attempt without assigning a new password. If the user chooses to change the password, the Change Password display is shown and full password validation is run for the new password. Password expiration interval shows an example of the password expiration message.
Table 69. Possible values for PWDEXPITV:
  *SYSVAL                       The QPWDEXPITV system value is used.
  *NOMAX                        The system does not require the user to change the password.
  password-expiration-interval  Specify a number from 1 through 366.

Recommendations: Set the QPWDEXPITV system value for an appropriate interval, such as 60 to 90 days. Use the Password expiration interval field in the user profile to require users with *SERVICE, *SAVSYS, *SECADM, or *ALLOBJ special authorities to change passwords more frequently than other users.

Block Password Change


The block password change parameter specifies the time period during which a password is blocked from being changed after the prior successful password change operation.

Add User prompt: Not shown
CL parameter: PWDCHGBLK
Length: 10

This parameter value does not restrict password changes made by the Change User Profile (CHGUSRPRF) command. In addition, this parameter value is not enforced if the set password to expired (PWDEXP) field in the user profile has a value of *YES. This enables a security administrator to create a user profile with an expired password and still permit the user to sign on and change the password (once) without being restricted by the block password change system value.
Table 70. Possible values for PWDCHGBLK:
  *SYSVAL   The QPWDCHGBLK system value is used.
  *NONE     The password can be changed at any time.
  1 - 99    A password cannot be changed within the specified number of hours after the prior successful password change operation.

Recommendation: Set the parameter to *SYSVAL unless you notice unusual password change activity for a specific user. In this case, you can use a value, such as 2, to limit the user's password change frequency.
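The blocking rule and its two exceptions, as an added example that is not part of the manual. The function names are the author's; the caller supplies the hours elapsed since the profile's last successful password change, and the *SYSVAL, *NONE and 1 through 99 values are those of Table 70:

```python
# Added example (not from the IBM i Security Reference): a model of when the
# Block Password Change rule refuses a change. Function names are the author's;
# the parameter values (*SYSVAL, *NONE, 1 through 99 hours) are from Table 70.


def effective_block_hours(pwdchgblk, qpwdchgblk):
    """Resolve the profile's PWDCHGBLK value against QPWDCHGBLK.

    pwdchgblk:  "*SYSVAL", "*NONE", or a number of hours (1 through 99).
    qpwdchgblk: the QPWDCHGBLK system value: "*NONE" or 1 through 99.
    Returns the block interval in hours; 0 means changes are never blocked.
    """
    value = qpwdchgblk if pwdchgblk == "*SYSVAL" else pwdchgblk
    if value == "*NONE":
        return 0
    hours = int(value)
    if not 1 <= hours <= 99:
        raise ValueError("block interval must be *NONE or 1 through 99 hours")
    return hours


def password_change_blocked(hours_since_change, pwdchgblk, qpwdchgblk,
                            via_chgusrprf=False, pwdexp=False):
    """True when a password change must be refused.

    hours_since_change: hours elapsed since the prior successful change.
    via_chgusrprf:      the change is made with CHGUSRPRF, which the rule
                        never restricts.
    pwdexp:             the profile has PWDEXP(*YES); the one-time change of
                        the expired password is not restricted either.
    """
    if via_chgusrprf or pwdexp:
        return False
    hours = effective_block_hours(pwdchgblk, qpwdchgblk)
    # A block interval of 0 (resolved *NONE) never blocks anything.
    return 0 < hours and hours_since_change < hours
```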

Local password management


The Local password management (LCLPWDMGT) parameter controls whether the user profile password is managed locally. When the password is not managed locally, users cannot access the system by direct sign-on, but only through other platforms. If the password is managed locally, then the password is stored locally with the user profile. This is the traditional method of storing the password.

Add User prompt: Not shown
CL parameter: LCLPWDMGT
Length: 10

If the password is not being managed locally, then the local i5/OS password is set to *NONE. The password value specified in the password parameter will be sent to other IBM products that do password synchronization, such as IBM i5/OS Integration for Windows Server. Users will not be able to change their passwords using the Change Password (CHGPWD) command. In addition, users will not be able to sign on to the system directly. Specifying this value will affect other IBM products that do password synchronization, such as IBM i5/OS Integration for Windows Server.

This parameter should not be set to *NO unless the user only needs to access the system through some other platform, such as Windows Server.
Table 71. Possible values for LCLPWDMGT:
  *YES   The password is managed locally.
  *NO    The password is not managed locally.

Limit device sessions


The Limit device sessions field controls whether the number of device sessions allowed for a user is limited. The value does not restrict the use of the System Request menu or a second sign-on from the same device.

Add User prompt: Not shown
CL parameter: LMTDEVSSN
Length: 7
Table 72. Possible values for LMTDEVSSN:
  *SYSVAL   The QLMTDEVSSN system value is used.
  *NO       The user may be signed on to more than one device at the same time.
  *YES      The user may not be signed on to more than one device at the same time.
  0         The user is not limited to a specific number of device sessions. This value has the same meaning as *NO.
  1         The user is limited to a single device session. This value has the same meaning as *YES.
  2-9       The user is limited to the specified number of device sessions.

Recommendations: Limiting users to one workstation at a time is one way to discourage sharing user profiles. Set the QLMTDEVSSN system value to 1 (YES). If some users have a requirement to sign on at multiple workstations, use the Limit device sessions field in the user profile for those users.

Keyboard buffering
This parameter specifies the keyboard buffering value used when a job is initialized for this user profile. The new value takes effect the next time the user signs on.

Add User prompt: Not shown
CL parameter: KBDBUF
Length: 10

The keyboard buffering field controls two functions:
Type-ahead: Lets the user type data faster than it can be sent to the system.
Attention key buffering: If attention key buffering is on, the Attention key is treated like any other key. If attention key buffering is not on, pressing the Attention key results in sending the information to the system even when other workstation input is inhibited.
Table 73. Possible values for KBDBUF:
  *SYSVAL      The QKBDBUF system value is used.
  *NO          The type-ahead feature and Attention-key buffering option are not active for this user profile.
  *TYPEAHEAD   The type-ahead feature is active for this user profile.
  *YES         The type-ahead feature and Attention-key buffering option are active for this user profile.

Maximum storage
You can specify the maximum amount of auxiliary storage that the system uses to store permanent objects that a user profile owns. This includes objects that the system places in the temporary library (QTEMP) during a job.

Add User prompt: Not shown
CL parameter: MAXSTG
Length: 11,0

If the storage needed is greater than the maximum amount specified when the user attempts to create an object, the object is not created. The maximum storage value is independently applied to each independent auxiliary storage pool (ASP) on the system. Therefore, specifying a value of 5000 means that the user profile can use the following size of auxiliary storage:
- 5000 KB of auxiliary storage in the system ASP and basic user ASPs.
- 5000 KB of auxiliary storage in independent ASP 00033 (if it exists).
- 5000 KB of auxiliary storage in independent ASP 00034 (if it exists).

This provides a total of 15 000 KB of auxiliary storage from the whole system. When planning maximum storage for user profiles, consider the following system functions, which can affect the maximum storage needed by a user:
- A restore operation first assigns the storage to the user doing the restore operation, and then transfers the objects to the OWNER. Users who do large restore operations should have MAXSTG(*NOMAX) in their user profiles.
- The user profile that owns a journal receiver is assigned the storage as the receiver size grows. If new receivers are created, the storage continues to be assigned to the user profile that owns the active journal receiver. Users who own active journal receivers should have MAXSTG(*NOMAX) in their user profiles.
- If a user profile specifies OWNER(*GRPPRF), ownership of any object created by the user is transferred to the group profile after the object is created. However, the user creating the object must have adequate storage to contain any created object before the object ownership is transferred to the group profile.
- The system assigns storage for the descriptions of objects that are placed in a library to the owner of that library. This is true even if the objects are owned by another user profile. Examples of such descriptions are text and program references.
- The system assigns storage to the user profile for temporary objects that are used during job processing. Examples of such objects are commitment control blocks, file editing spaces, and documents.
Table 74. Possible values for MAXSTG:
  *NOMAX       As much storage as required can be assigned to this profile.
  maximum-KB   Specify the maximum amount of storage in kilobytes (1 kilobyte equals 1024 bytes) that can be assigned to this user profile.

Priority limit
The priority limit in the user profile determines the maximum scheduling priorities (job priority and output priority) that are allowed for any jobs the user submits. Priority limit controls the job's priority when it is submitted. It also controls any changes made to the job's priority while the job is waiting in the queue, or when the job runs.

Add User prompt: Not shown
CL parameter: PTYLMT
Length: 1

A batch job has three different priority values:
Run priority: Determines how the job competes for machine resources when the job is running. Run priority is determined by the job's class.
Job priority: Determines the scheduling priority for a batch job when the job is in the job queue. You can set the job's priority in the job description or by using the submit command.
Output priority: Determines the scheduling priority for any output created by the job on the output queue. You can set the output priority in the job description or when you use the submit command.

The priority limit also limits changes that a user with *JOBCTL special authority can make to another user's job. You cannot give someone else's job a higher priority than the limit specified in your own user profile. If a batch job runs under a different user profile than the user submitting the job, the priority limits for the batch job are determined by the profile the job runs under. If a requested scheduling priority on a submitted job is higher than the priority limit in the user profile, the priority of the job is reduced to the level permitted by the user profile.
Table 75. Possible values for PTYLMT:
  3               The default priority limit for user profiles is 3. The default priority for both job priority and output priority on job descriptions is 5. Setting the priority limit for the user profile at 3 gives the user the ability to move some jobs ahead of others on the queues.
  priority-limit  Specify a value, 1 through 9. The highest priority is 1; the lowest priority is 9.

Recommendations: Using the priority values in job descriptions and on the submit job commands is often a better way to manage the use of system resources than changing the priority limit in user profiles. Use the priority limit in the user profile to control changes that users can make to submitted jobs. For example, system operators may need a higher priority limit so that they can move jobs in the queues.

Job description
A job description contains a specific set of job-related attributes, such as which job queue to use, scheduling priority, routing data, message queue severity, library list and output information. The attributes determine how each job is run on the system.

Add User prompt: Not shown
CL parameter: JOBD
Length: 10 (job description name), 10 (library name)
Authority: *USE for job description, *READ and *EXECUTE for library

When a user signs on, the system looks at the workstation entry in the subsystem description to determine what job description to use for the interactive job. If the workstation entry specifies *USRPRF for the job description, the job description in the user profile is used. The job description for a batch job is specified when the job is started. It can be specified by name, or it can be the job description from the user profile under which the job runs. See the Work management topic for more information about job descriptions and their uses.
Table 76. Possible values for JOBD:
  QDFTJOBD              The system-supplied job description found in library QGPL is used. You can use the Display Job Description (DSPJOBD) command to see the attributes contained in this job description.
  job-description-name  Specify the name of the job description, 10 characters or less.

Table 77. Possible values for JOBD Library:
  *LIBL         The library list is used to locate the job description.
  *CURLIB       The current library for the job is used to locate the job description. If no current library entry exists in the library list, QGPL is used.
  library-name  Specify the library where the job description is located, 10 characters or less.

Recommendations: For interactive jobs, the job description is a good method of controlling library access. You can use a job description for an individual to specify a unique library list, rather than using the QUSRLIBL (user library list) system value.

Group profile
The group profile (GRPPRF) parameter specifies if the user is a member of a group profile. The group profile can provide the user with authority to use objects for which the user does not have specific authority. You may specify up to 15 additional groups for the user in the Supplemental group profile (SUPGRPPRF) parameter.

Add User prompt: User Group
CL parameter: GRPPRF
Length: 10
Authority: To specify a group when creating or changing a user profile, you must have *OBJMGT, *OBJOPR, *READ, *ADD, *UPD, and *DLT authority to the group profile.

Note: Adopted authority is not used to check for *OBJMGT authority to the group profile. For more information about adopted authority, see Objects that adopt the owner's authority on page 149.

When a group profile is specified in a user profile, the user is automatically granted *OBJMGT, *OBJOPR, *READ, *ADD, *UPD, and *DLT authorities to the group profile, if the group profile is not already one of the user's group profiles. These authorities are necessary for system functions and should not be removed. If a profile specified in the GRPPRF parameter is not already a group profile, the system sets information in the profile marking it as a group profile. The system also generates a gid for the group profile, if it does not already have one. When the GRPPRF value is changed, the change takes effect the next time the user signs on or the next time a job swaps to the user profile using a profile handle or profile token, which was obtained after the change occurred. See Planning group profiles on page 239 for more information about using group profiles.
Table 78. Possible values for GRPPRF:
  *NONE              No group profile is used with this user profile.
  user-profile-name  Specify the name of a group profile of which this user profile is a member.

Owner
If the user is a member of a group, you can use the owner parameter in the user profile to specify who owns any new objects created by the user. Objects can be owned either by the user or by the user's first group (the value of the GRPPRF parameter). You can specify the Owner field only if you have specified a value other than *NONE for the Group profile field.

Add User prompt: Not shown
CL parameter: OWNER
Length: 10

When the Owner value is changed, the change takes effect the next time the user signs on or the next time a job swaps to the user profile using a profile handle or profile token obtained after the change has occurred.
Table 79. Possible values for Owner:
  *USRPRF   This user profile is the Owner of any new objects it creates.
  *GRPPRF   The group profile is made the Owner of any objects created by the user and is given all (*ALL) authority to the objects. The user profile is not given any specific authority to new objects it creates. If *GRPPRF is specified, you must specify a group profile name in the GRPPRF parameter, and the GRPAUT parameter must be *NONE.

Notes:
1. If you give ownership to the group, all members of the group can change, replace, and delete the object.
2. The *GRPPRF parameter is ignored for all file systems except QSYS.LIB. In cases where the parameter is ignored, the user retains ownership of the object.

Group authority
If the user profile is a member of a group and OWNER(*USRPRF) is specified, the Group authority field controls what authority is given to the group profile for any objects created by this user.

Add User prompt: Not shown
CL parameter: GRPAUT
Length: 10

Group authority can be specified only when GRPPRF is not *NONE and OWNER is *USRPRF. Group authority applies to the profile specified in the GRPPRF parameter. It does not apply to supplemental group profiles specified in the SUPGRPPRF parameter. When the GRPAUT value is changed, the change takes effect the next time the user signs on or the next time a job swaps to the user profile using a profile handle or profile token obtained after the change has occurred.
Table 80. Possible values for GRPAUT:
  *NONE      No specific authority is given to the group profile when this user creates objects.
  *ALL       The group profile is given all management and data authorities to any new objects the user creates.
  *CHANGE    The group profile is given the authority to change any objects the user creates.
  *USE       The group profile is given authority to view any objects the user creates.
  *EXCLUDE   The group profile is specifically denied access to any new objects created by the user.

Related reference
Defining how information can be accessed on page 132
You can define what operations can be performed on objects, data, and fields.

Group authority type


When a user creates a new object, the Group authority type parameter in the user's profile determines what type of authority the user's group receives to the new object.

Add User prompt: Not shown
CL parameter: GRPAUTTYP
Length: 10

The GRPAUTTYP parameter works with the OWNER, GRPPRF, and GRPAUT parameters to determine the group's authority to a new object. When the GRPAUTTYP value is changed, the change takes effect the next time the user signs on or the next time a job swaps to the user profile using a profile handle or profile token obtained after the change has occurred.
Table 81. Possible values for GRPAUTTYP:
  *PRIVATE   The authority defined in the GRPAUT parameter is assigned to the group profile as a private authority.
  *PGP (1)   The group profile defined in the GRPPRF parameter is the primary group for the newly created object. The primary group authority for the object is the authority specified in the GRPAUT parameter. This value can be specified only when GRPAUT is not *NONE.

(1) Private authority and primary group authority provide the same access to the object for members of the group, but they might have different performance characteristics. Primary group for an object on page 144 explains how primary group authority works.

Recommendations: Specifying *PGP is a method for beginning to use primary group authority. Consider using GRPAUTTYP(*PGP) for users who frequently create new objects that must be accessed by members of the group profile.
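An added example (not from the manual) that combines the rules of the Owner, Group authority and Group authority type parameters above: given one profile's OWNER, GRPPRF, GRPAUT and GRPAUTTYP values it reports who owns a newly created object and what the first group receives, and it rejects the combinations the text says are not allowed. The class and function names and the sample profile names JSMITH and DEVGRP are the author's.

```python
from dataclasses import dataclass

# Added example (not from the IBM i Security Reference): a model of how the
# OWNER, GRPPRF, GRPAUT and GRPAUTTYP profile parameters combine to decide
# who owns a newly created object and what the user's first group receives.
# Class and function names are the author's; the parameter values are the
# ones documented in Tables 78 through 81.

GRPAUT_VALUES = {"*NONE", "*ALL", "*CHANGE", "*USE", "*EXCLUDE"}


@dataclass(frozen=True)
class GroupSettings:
    """The group-related parameters of one user profile."""
    user: str                      # user profile name, e.g. "JSMITH"
    grpprf: str = "*NONE"          # first group profile, or *NONE
    owner: str = "*USRPRF"         # *USRPRF or *GRPPRF
    grpaut: str = "*NONE"          # authority granted to GRPPRF
    grpauttyp: str = "*PRIVATE"    # *PRIVATE or *PGP

    def validate(self):
        """Raise ValueError for the combinations the manual disallows."""
        if self.owner not in ("*USRPRF", "*GRPPRF"):
            raise ValueError("OWNER must be *USRPRF or *GRPPRF")
        if self.grpaut not in GRPAUT_VALUES:
            raise ValueError("GRPAUT value not recognised")
        if self.grpauttyp not in ("*PRIVATE", "*PGP"):
            raise ValueError("GRPAUTTYP must be *PRIVATE or *PGP")
        if self.grpprf == "*NONE":
            if self.owner == "*GRPPRF":
                raise ValueError("OWNER(*GRPPRF) requires a group profile")
            if self.grpaut != "*NONE":
                raise ValueError("GRPAUT requires a group profile")
        if self.owner == "*GRPPRF" and self.grpaut != "*NONE":
            raise ValueError("GRPAUT must be *NONE when OWNER(*GRPPRF)")
        if self.grpauttyp == "*PGP" and self.grpaut == "*NONE":
            raise ValueError("GRPAUTTYP(*PGP) requires GRPAUT other than *NONE")


def new_object_authority(settings, file_system="QSYS.LIB"):
    """Describe ownership and group access for an object this user creates.

    Returns a dict with the owning profile, the object's primary group (or
    None), and the authority the first group holds together with how it is
    held: as owner, as a private authority, or as primary group authority.
    """
    settings.validate()
    result = {"owner": settings.user, "primary_group": None,
              "group": settings.grpprf, "group_authority": "*NONE",
              "group_authority_type": None}
    if settings.grpprf == "*NONE":
        return result

    if settings.owner == "*GRPPRF":
        # Only QSYS.LIB honours OWNER(*GRPPRF); in other file systems the
        # parameter is ignored and the user keeps the object.
        if file_system == "QSYS.LIB":
            result.update(owner=settings.grpprf, group_authority="*ALL",
                          group_authority_type="owner")
        return result

    # OWNER(*USRPRF): GRPAUT is granted either as a private authority or by
    # making the group the object's primary group, as GRPAUTTYP selects.
    if settings.grpaut == "*NONE":
        return result
    result["group_authority"] = settings.grpaut
    if settings.grpauttyp == "*PGP":
        result["primary_group"] = settings.grpprf
        result["group_authority_type"] = "primary group"
    else:
        result["group_authority_type"] = "private"
    return result
```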

Supplemental groups
You can specify supplemental groups when creating or changing a user profile. The user cannot have supplemental group profiles if the GRPPRF parameter is *NONE.

Add User prompt: Not shown
CL parameter: SUPGRPPRF
Length: 150
Authority: To specify supplemental groups when creating or changing a user profile, you must have *OBJMGT, *OBJOPR, *READ, *ADD, *UPD, and *DLT authority to each group profile.

Note: *OBJMGT authority cannot come from adopted authority. For more information, see Objects that adopt the owner's authority on page 149.

You can specify the names of up to 15 profiles from which this user is to receive authority. The user becomes a member of each supplemental group profile. When supplemental group profiles are specified in a user profile, the user is automatically granted *OBJMGT, *OBJOPR, *READ, *ADD, *UPD, and *DLT authorities to each group profile, if the group profile is not already one of the user's group profiles. These authorities are necessary for system functions and should not be removed. If a profile specified in the SUPGRPPRF parameter is not already a group profile, the system marks it as a group profile. The system also generates a group identification number (gid) for the group profile, if it does not already have one.
When the SUPGRPPRF value is changed, the change takes effect the next time the user signs on or the next time a job swaps to the user profile using a profile handle or profile token obtained after the change has occurred. See Planning group profiles on page 239 for more information about using group profiles.
Table 82. Possible values for SUPGRPPRF:
  *NONE               No supplemental groups are used with this user profile.
  group-profile-name  Specify up to 15 names of group profiles to be used with this user profile. These profiles, in addition to the profile specified in the GRPPRF parameter, are used to give the user access to objects. The profile name specified for GRPPRF can also be specified as one of the 15 supplemental group profiles.

Accounting code
Specifying the accounting code allows you to gather information about the system resources used by a job.

Add User prompt: Not shown
CL parameter: ACGCDE
Length: 15

Job accounting is an optional function used to gather information about the use of system resources. The accounting level (QACGLVL) system value determines whether job accounting is active. The accounting code for a job comes from either the job description or the user profile. The accounting code can also be specified when a job is running using the Change Accounting Code (CHGACGCDE) command. When the accounting code value is changed, the change takes effect the next time the user signs on or the next time a job, which runs using the user profile's accounting code value, is started. See the Work management topic for more information about job accounting.
Table 83. Possible values for ACGCDE:
  *BLANK           An accounting code of 15 blanks is assigned to this user profile.
  accounting-code  Specify a 15-character accounting code. If less than 15 characters are specified, the string is padded with blanks on the right.

Document password
A document password controls the accessibility and distribution of personal mail when viewed by people who are working on behalf of the user. The document password is supported by some Document Interchange Architecture (DIA) products, such as the Displaywriter.

Add User prompt: Not shown
CL parameter: DOCPWD
Table 84. Possible values for DOCPWD:
  *NONE              No document password is used by this user.
  document-password  Specify a document password for this user. The password must consist of from 1 through 8 characters (letters A through Z and numbers 0 through 9). The first character of the document password must be alphabetic; the remaining characters can be alphanumeric. Embedded blanks, leading blanks, and special characters are not allowed.

Message queue
A message queue is an object on which messages are placed when they are sent to a person or a program. A message queue is used when a user sends or receives messages.

Add User prompt: Not shown
CL parameter: MSGQ
Length: 10 (message queue name), 10 (library name)
Authority: *USE for message queue, if it exists. *EXECUTE for the message queue library.

If the message queue does not exist, it is created when the profile is created or changed. The message queue is owned by the profile being created or changed. The user creating the profile is given *ALL authority to the message queue. If the message queue for a user profile is changed using the Change User Profile (CHGUSRPRF) command, the previous message queue is not automatically deleted by the system.
Table 85. Possible values for MSGQ:
  *USRPRF             A message queue with the same name as the user profile name is used as the message queue for this user. If the message queue does not exist, it is created in library QUSRSYS.
  message-queue-name  Specify the message queue name that is used for this user. If you specify a message queue name, you must specify the library parameter.

Table 86. Possible values for MSGQ Library:
  *LIBL         The library list is used to locate the message queue. If the message queue does not exist, you cannot specify *LIBL.
  *CURLIB       The current library for the job is used to locate the message queue. If no current library entry exists in the library list, QGPL is used. If the message queue does not exist, it is created in the current library or QGPL.
  library-name  Specify the library where the message queue is located. If the message queue does not exist, it is created in this library.

Recommendations: Give each user profile a unique message queue, preferably with the same name as the user profile.

Delivery
The delivery mode of a message queue determines whether the user is interrupted when a new message arrives on the queue.

Add User prompt: Not shown
CL parameter: DLVRY
Length: 10

The delivery mode specified in the user profile applies to the user's personal message queue. If you change the message queue delivery in the user profile and the user is signed on, the change takes effect the next time the user signs on. You can also change the delivery of a message queue with the Change Message Queue (CHGMSGQ) command.
Table 87. Possible values for DLVRY:
  *NOTIFY   The job to which the message queue is assigned is notified when a message arrives at the message queue. For interactive jobs at a workstation, the audible alarm sounds and the message-waiting light turns on. The type of delivery cannot be changed to *NOTIFY if the message queue is also being used by another user.
  *BREAK    The job that the message queue is assigned to is interrupted when a message arrives at the message queue. If the job is an interactive job, the audible alarm sounds (if the alarm is installed). The type of delivery cannot be changed to *BREAK if the message queue is also being used by another user.
  *HOLD     The messages are held in the message queue until they are requested by the user or program.
  *DFT      Messages requiring replies are answered with their default reply; information-only messages are ignored.

Severity
If a message queue is in *BREAK or *NOTIFY mode, the severity code determines the lowest-level messages that are delivered to the user. Messages whose severity is lower than the specified severity code are held in the message queue without the user being notified.

Add User prompt: Not shown
CL parameter: SEV
Length: 2,0

If you change the message queue severity in the user profile and the user is signed on, the change takes effect the next time the user signs on. You can also change the severity of a message queue with the CHGMSGQ command.
Table 88. Possible values for SEV:
  00             If a severity code is not specified, 00 is used. The user is notified of all messages, if the message queue is in *NOTIFY or *BREAK mode.
  severity-code  Specify a value, 00 through 99, for the lowest severity code that causes the user to be notified. Any 2-digit value can be specified, even if no severity code has been defined for it (either defined by the system or by the user).

Print device
You can specify the printer used to print the output for this user. Spooled files are placed on an output queue with the same name as the printer when the output queue (OUTQ) is specified as the print device (*DEV).

Add User prompt: Default printer
CL parameter: PRTDEV
Length: 10

The print device and output queue information from the user profile are used only if the printer file specifies *JOB and the job description specifies *USRPRF. For more information about directing printer output, see the Basic printing topic.
Table 89. Possible values for PRTDEV:
  *WRKSTN            The printer assigned to the user's workstation (in the device description) is used.
  *SYSVAL            The default system printer specified in the QPRTDEV system value is used.
  print-device-name  Specify the name of the printer that is used to print the output for this user.

Output queue
Both interactive and batch processing can result in spooled files that are to be sent to a printer. Spooled files are placed on an output queue. The system can have many different output queues.

Add User prompt: Not shown
CL parameter: OUTQ
Length: 10 (output queue name), 10 (library name)
Authority: *USE for output queue, *EXECUTE for library

An output queue does not need to be attached to a printer to receive new spooled files. The print device and output queue information from the user profile are used only if the printer file specifies *JOB and the job description specifies *USRPRF. For more information about directing printer output, see the Advanced Function Presentation topic.
Table 90. Possible values for OUTQ:
  *WRKSTN            The output queue assigned to the user's workstation (in the device description) is used.
  *DEV               An output queue with the same name as the print device specified on the PRTDEV parameter is used.
  output-queue-name  Specify the name of the output queue that is to be used. The output queue must already exist. If an output queue is specified, the library must be specified also.

Table 91. Possible values for OUTQ library: *LIBL The library list is used to locate the output queue.
Chapter 4. User profiles

103

Table 91. Possible values for OUTQ library: (continued) *CURLIB library- name The current library for the job is used to locate the output queue. If no current library entry exists in the library list, QGPL is used. Specify the library where the output queue is located.

Attention-Key-Handling program
The Attention-key-handling program (ATNPGM) is the program that is called when the user presses the Attention (ATTN) key during an interactive job.

Add User prompt: Not shown
CL parameter: ATNPGM
Length: 10 (program name), 10 (library name)
Authority: *USE for program, *EXECUTE for library

The ATNPGM is activated only if the user's routing program is QCMD. The ATNPGM is activated before the initial program is called. If the initial program changes the ATNPGM, the new ATNPGM remains active only until the initial program ends. If the Set Attention-Key-Handling Program (SETATNPGM) command is run from a command line or an application, the new ATNPGM specified overrides the ATNPGM from the user profile.

Note: See Starting an interactive job on page 199 for more information about the processing sequence when a user signs on.

The Limit capabilities field determines whether the user can specify a different Attention-key-handling program with the Change Profile (CHGPRF) command.

Table 92. Possible values for ATNPGM:
*SYSVAL        The QATNPGM system value is used.
*NONE          No Attention-key-handling program is used by this user.
*ASSIST        The Operational Assistant Attention program (QEZMAIN) is used.
program-name   Specify the name of the Attention-key-handling program. If a program name is specified, a library must be specified.

Table 93. Possible values for ATNPGM library:
*LIBL          The library list is used to locate the Attention-key-handling program.
*CURLIB        The current library for the job is used to locate the Attention-key-handling program. If no current library entry exists in the library list, QGPL is used.
library-name   Specify the library where the Attention-key-handling program is located.

Sort Sequence
Sort sequence is used for this user's output. You can use system-provided sort tables or create your own. A sort table can be associated with a particular language identifier on the system.

Add User prompt: Not shown
CL parameter: SRTSEQ
Length: 10 (value or table name), 10 (library name)
Authority: *USE for table, *EXECUTE for library

Table 94. Possible values for SRTSEQ:
*SYSVAL      The QSRTSEQ system value is used.
*HEX         The standard hexadecimal sort sequence is used for this user.
*LANGIDSHR   The sort sequence table associated with the user's language identifier is used. The table can contain the same weight for multiple characters.
*LANGIDUNQ   The sort sequence table associated with the user's language identifier is used. The table must contain a unique weight for each character in the code page.
table-name   Specify the name of the sort sequence table for this user.

Table 95. Possible values for SRTSEQ library:
*LIBL          The library list is used to locate the table specified for the SRTSEQ value.
*CURLIB        The current library for the job is used to locate the table specified for the SRTSEQ value. If no current library entry exists in the library list, QGPL is used.
library-name   Specify the library where the sort sequence table is located.

Language identifier
You can specify the language identifier to be used by the system for the user.

Add User prompt: Not shown
CL parameter: LANGID
Length: 10

To see a list of language identifiers, press F4 (prompt) on the language identifier parameter from the Create User Profile display or the Change User Profile display.

Table 96. Possible values for LANGID:
*SYSVAL               The system value QLANGID is used to determine the language identifier.
language-identifier   Specify the language identifier for this user.

Country or region identifier


You can specify the country or region identifier to be used by the system for the user.

Add User prompt: Not shown
CL parameter: CNTRYID
Length: 10

To see a list of country or region identifiers, press F4 (prompt) on the country or region identifier parameter from the Create User Profile display or the Change User Profile display.

Table 97. Possible values for CNTRYID:
*SYSVAL                        The system value QCNTRYID is used to determine the country or region identifier.
country-or-region-identifier   Specify the country or region identifier for this user.

Coded character set identifier


You can specify the coded character set identifier to be used by the system for the user.

Add User prompt: Not shown
CL parameter: CCSID
Length: 5,0

To see a list of coded character set identifiers, press F4 (prompt) on the coded character set identifier parameter from the Create User Profile display or the Change User Profile display.

Table 98. Possible values for CCSID:
*SYSVAL                          The QCCSID system value is used to determine the coded character set identifier.
coded-character-set-identifier   Specify the coded character set identifier for this user.

Character identifier control


The CHRIDCTL attribute controls the type of coded character set conversion that occurs for display files, printer files, and panel groups.

Add User prompt: Not shown
CL parameter: CHRIDCTL
Length: 10

The character identifier control information from the user profile is used only if the *CHRIDCTL special value is specified on the CHRID parameter of the create, change, or override commands for display files, printer files, and panel groups.

Table 99. Possible values for CHRIDCTL:
*SYSVAL     The system value QCHRIDCTL is used to determine the character identifier control.
*DEVD       The CHRID of the device is used to represent the CCSID of the data. No conversions occur, since the CCSID of the data is always the same as the CHRID of the device.
*JOBCCSID   Character conversion occurs when a difference exists between the device CHRID, job CCSID, or data CCSID values. On input, character data is converted from the device CHRID to the job CCSID when it is necessary. On output, character data is converted from the job CCSID to the device CHRID when it is necessary. On output, character data is converted from the file or panel group CCSID to the device CHRID when it is necessary.

Job attributes
The SETJOBATR field specifies which job attributes are to be taken at job initiation from the locale specified in the LOCALE parameter.

Add User prompt: Not shown
CL parameter: SETJOBATR
Length: 160

Table 100. Possible values for SETJOBATR:
*SYSVAL   The system value QSETJOBATR is used to determine which job attributes are to be taken from the locale.
*NONE     No job attributes are to be taken from the locale.
*CCSID    The coded character set identifier (CCSID) from the locale is used. The CCSID value from the locale will override the user profile CCSID.
*DATFMT   The date format from the locale is used.
*DATSEP   The date separator from the locale is used.
*DECFMT   The decimal format from the locale is used.
*SRTSEQ   The sort sequence from the locale is used. The sort sequence from the locale will override the user profile sort sequence.
*TIMSEP   The time separator from the locale is used.

Any combination of the following values can be specified: *CCSID, *DATFMT, *DATSEP, *DECFMT, *SRTSEQ, *TIMSEP.

Locale
The Locale field specifies the path name of the locale that is assigned to the LANG environment variable for this user.

Add User prompt: Not shown
CL parameter: LOCALE

Table 101. Possible values for LOCALE:
*SYSVAL            The system value QLOCALE is used to determine the locale path name to be assigned for this user.
*NONE              No locale is assigned for this user.
*C                 The C locale is assigned for this user.
*POSIX             The POSIX locale is assigned for this user.
locale-path-name   The path name of the locale to be assigned to this user.

User Options
The User options field allows you to customize certain system displays and functions for the user. You can specify multiple values for the user option parameter.

Add User prompt: Not shown
CL parameter: USROPT
Length: 240 (10 characters each)

Table 102. Possible values for USROPT:
*NONE       No special options are used for this user. The standard system interface is used.
*CLKWD      Keywords are shown instead of the possible parameter values when a control language (CL) command is prompted. This is equivalent to pressing F11 from the normal CL command prompting display.
*EXPERT     When the user views displays that show object authority, such as the Edit Object Authority display or the Edit Authorization List display, detailed authority information is shown without the user having to press F11 (Display detail). Authority displays on page 154 shows an example of the expert version of the display.
*HLPFULL    The user sees full display help information instead of a window.
*PRTMSG     A message is sent to the user's message queue when a spooled file is printed for this user.
*ROLLKEY    The actions of the Page Up and Page Down keys are reversed.
*NOSTSMSG   Status messages typically shown at the bottom of the display are not shown to the user.
*STSMSG     Status messages are displayed when sent to the user.

User identification number


The integrated file system uses the user identification number (uid) to identify a user and verify the user's authority. Every user on the system must have a unique uid.

Add User prompt: Not shown
CL parameter: UID
Length: 10,0

Table 103. Possible values for UID:
*GEN   The system generates a unique uid for this user. The generated uid will be greater than 100.
uid    A value from 1 to 4294967294 to be assigned as the uid for this user. The uid must not be already assigned to another user.

Recommendations: For most installations, let the system generate a uid for new users by specifying UID(*GEN). However, if your system is part of a network, you might need to assign uids to match those assigned on other systems in the network. Consult your network administrator.

Group identification number


The integrated file system uses the group identification number (gid) to identify this profile as a group profile. A profile that is used as a group profile must have a gid.

Add User prompt: Not shown
CL parameter: GID
Length: 10,0

Table 104. Possible values for GID:
*NONE   This profile does not have a gid. This value must be specified if the user profile is a member of a group (GRPPRF is not *NONE).
*GEN    The system generates a unique gid for this profile. The generated gid will be greater than 100.
gid     A value from 1 to 4294967294 to be assigned as the gid for this profile. The gid must not be already assigned to another profile.

Recommendations: For most installations, let the system generate a gid for new group profiles by specifying GID(*GEN). However, if your system is part of a network, you might need to assign gids to match those assigned on other systems in the network. Consult your network administrator. Do not assign a gid to a user profile that you do not plan to use as a group profile. In some environments, a user who is signed on and has a gid is restricted from performing certain functions.
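The following Python check is an added example (not IBM code) that applies the uid and gid rules from the UID and GID sections above to a list of profile records: every uid must be unique, a gid must not be assigned to more than one profile, a profile that is a member of a group (GRPPRF not *NONE) must have GID(*NONE), a profile used as a group must have a gid, and a gid should not sit on a profile that is not used as a group. The records and their field names are constructed for the example; on a real system they would be filled from a DSPUSRPRF output file or a similar export (assumed, not a format this page documents).

```python
"""Consistency check for the uid/gid rules of IBM i user profiles.

Added example, not IBM code. Each record is a dict with the keys
"name", "uid" (int), "gid" (int or None for GID(*NONE)) and "grpprf"
(group profile name, or "*NONE"). The field names are the example's own.
"""

ID_MAX = 4294967294  # upper bound of the uid/gid range given in Tables 103 and 104


def check_uid_gid(profiles):
    """Return a list of (profile, code, message) findings; an empty list means clean."""
    findings = []
    by_uid, by_gid = {}, {}
    # Profiles that some other profile names as its group.
    groups_in_use = {p["grpprf"].upper() for p in profiles if p["grpprf"].upper() != "*NONE"}

    for p in profiles:
        name = p["name"].upper()
        uid, gid, grp = p["uid"], p["gid"], p["grpprf"].upper()

        if not 1 <= uid <= ID_MAX:
            findings.append((name, "UID_RANGE", f"uid {uid} is outside 1..{ID_MAX}"))
        by_uid.setdefault(uid, []).append(name)

        if gid is not None:
            if not 1 <= gid <= ID_MAX:
                findings.append((name, "GID_RANGE", f"gid {gid} is outside 1..{ID_MAX}"))
            by_gid.setdefault(gid, []).append(name)
            if grp != "*NONE":
                # Table 104: GID(*NONE) is required when GRPPRF is not *NONE.
                findings.append((name, "GID_ON_MEMBER", f"has gid {gid} but is a member of group {grp}"))
            elif name not in groups_in_use:
                # Recommendation: no gid on a profile that is not used as a group.
                findings.append((name, "GID_UNUSED", f"has gid {gid} but no profile names it as GRPPRF"))
        elif name in groups_in_use:
            # A profile that is used as a group profile must have a gid.
            findings.append((name, "GROUP_NO_GID", "is used as a group profile but has GID(*NONE)"))

    for uid, names in by_uid.items():
        if len(names) > 1:
            findings.append((",".join(sorted(names)), "UID_DUPLICATE", f"uid {uid} is assigned to more than one profile"))
    for gid, names in by_gid.items():
        if len(names) > 1:
            findings.append((",".join(sorted(names)), "GID_DUPLICATE", f"gid {gid} is assigned to more than one profile"))
    return findings


# Constructed sample: one correct group, one duplicate uid, one gid on a group
# member, one group without a gid, and one gid that nothing uses.
SAMPLE_PROFILES = [
    {"name": "DPTWH",   "uid": 211, "gid": 301,  "grpprf": "*NONE"},
    {"name": "WHUSER1", "uid": 212, "gid": None, "grpprf": "DPTWH"},
    {"name": "WHUSER2", "uid": 212, "gid": None, "grpprf": "DPTWH"},
    {"name": "SMUSER1", "uid": 213, "gid": 302,  "grpprf": "DPTSM"},
    {"name": "DPTSM",   "uid": 214, "gid": None, "grpprf": "*NONE"},
    {"name": "TMPUSER", "uid": 215, "gid": 303,  "grpprf": "*NONE"},
]

if __name__ == "__main__":
    for who, code, msg in check_uid_gid(SAMPLE_PROFILES):
        print(f"{code:14} {who:16} {msg}")
```

A duplicate uid matters beyond tidiness: the integrated file system authorizes by uid, so two profiles that share one are indistinguishable to it, which is also why uids copied from another system in a network must be checked against the local ones before they are assigned.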

Home directory
The home directory is the user's initial working directory for the integrated file system. The home directory is the user's current directory if a different current directory has not been specified.

Add User prompt: Not shown
CL parameter: HOMEDIR

If the home directory specified in the profile does not exist when the user signs on, the user's home directory is the "root" (/) directory. Create the directory before the user first signs on; nothing warns the user or the administrator when the fallback to / takes place.

Table 105. Possible values for HOMEDIR:
*USRPRF          The home directory assigned to the user is /home/xxxxx, where xxxxx is the user's profile name.
home-directory   The name of the home directory to assign to this user.

EIM association
The EIM association specifies whether an Enterprise Identity Mapping (EIM) association should be added to an EIM identifier for this user. Optionally, the EIM identifier can also be created if it does not already exist.

Add User prompt: Not shown
CL parameter: EIMASSOC

Notes:
1. The EIM association information is not stored in the user profile. This information is not saved or restored with the user profile.
2. If this system is not configured for EIM, then no processing is done. Not being able to perform EIM operations does not cause the command to fail.

Table 106. Possible values for EIMASSOC, single values:
*NOCHG   EIM association will not be added.

Table 107. Possible values for EIMASSOC, element 1 (EIM identifier):
Specifies the EIM identifier for this association.
*USRPRF           The name of the EIM identifier is the same name as the user profile.
character-value   Specifies the name of the EIM identifier.

Table 108. Possible values for EIMASSOC, element 2 (Association type):
Specifies the type of association. It is recommended that a target association is added for an i5/OS user. Target associations are primarily used to secure existing data. They are found as the result of a mapping lookup operation (for example, eimGetTargetFromSource()), but cannot be used as the source identity for a mapping lookup operation. Source associations are primarily used for authentication purposes. They can be used as the source identity of a mapping lookup operation, but will not be found as the target of a mapping lookup operation. Administrative associations are used to show that an identity is associated with an EIM identifier, but cannot be used as the source for, and will not be found as the target of, a mapping lookup operation.
*TARGET   Process a target association.
*SOURCE   Process a source association.
*TGTSRC   Process both a target and a source association.
*ADMIN    Process an administrative association.
*ALL      Process all association types.

Table 109. Possible values for EIMASSOC, element 3 (Association action):
*REPLACE   Associations of the specified type will be removed from all EIM identifiers that have an association for this user profile and local EIM registry. A new association will be added to the specified EIM identifier.
*ADD       Add an association.
*REMOVE    Remove an association.

Table 110. Possible values for EIMASSOC, element 4 (Create EIM identifier):
Specifies whether the EIM identifier should be created if it does not already exist.
*NOCRTEIMID   EIM identifier does not get created.
*CRTEIMID     EIM identifier gets created if it does not exist.


User expiration date


The User expiration date can be used to specify the date at which the user profile is automatically disabled.

Add User prompt: Not shown
CL parameter: USREXPDATE
Length: 6

The User expiration date field allows a security administrator to indicate that the user profile will expire on a specific date. If User expiration interval is used, this date is calculated by the system.

Table 111. Possible values for USREXPDATE:
*NONE                  The user profile does not have an expiration date.
*USREXPITV             The user expiration date is to be calculated using the value specified in the User expiration interval (USREXPITV) parameter.
user-expiration-date   Specifies the date when the user profile expires. The date must be specified in the job date format.

User expiration interval


The User expiration interval controls the number of days before the user profile is automatically disabled.

Add User prompt: Not shown
CL parameter: USREXPITV
Length: 5,0

The User expiration interval field allows a security administrator to indicate in the user profile the number of days before the user profile will expire and be automatically disabled. If a value is specified for User expiration interval when a user profile is created or when an expired user profile is re-enabled, the User expiration date is generated by the system using the expiration interval. This is the mechanism to use for profiles that are meant to be temporary, such as contractor or vendor support profiles, so that a profile nobody remembers to delete still disables itself.

Table 112. Possible values for USREXPITV:
user-expiration-interval   Specify a number from 1 through 366.

Authority
The Authority field specifies the public authority to the user profile.

Add User prompt: Not shown
CL parameter: AUT

The authority to a profile controls many functions associated with the profile, such as:
- Changing the profile
- Displaying the profile
- Deleting the profile
- Submitting a job using the profile
- Specifying the profile in a job description
- Transferring object ownership to the profile
- Adding members, if the profile is a group profile

Table 113. Possible values for AUT:
*EXCLUDE   The public is specifically denied access to the user profile.
*ALL       The public is given all management and data authorities to the user profile.
*CHANGE    The public is given the authority to change the user profile.
*USE       The public is given authority to view the user profile.

See Defining how information can be accessed on page 132 for a complete explanation of the authorities that can be granted.

Recommendations: To prevent misuse of user profiles that have authority to critical objects, make sure the public authority to the profiles is *EXCLUDE. Possible misuses of a profile include submitting a job that runs under that user profile or changing a program to adopt the authority of that user profile. Note that *USE, the weakest value in Table 113 other than *EXCLUDE, is already enough to submit a job that runs under the profile (SBMJOB with the USER parameter), so any public authority other than *EXCLUDE lets every user on the system run work as that profile.

Object auditing
The object auditing value for a user profile works with the object auditing value for an object to determine whether the user's access of an object is audited.

Add User prompt: Not shown
CL parameter: OBJAUD
Length: 10

Object auditing for a user profile cannot be specified on any user profile commands. Use the Change User Auditing (CHGUSRAUD) command to specify object auditing for a user. Only a user with *AUDIT special authority can use the CHGUSRAUD command.

Table 114. Possible values for OBJAUD:
*NONE     The OBJAUD value for objects determines whether object auditing is done for this user.
*ALL      If the OBJAUD value for an object specifies *USRPRF, an audit record is written when this user changes or reads the object.
*CHANGE   If the OBJAUD value for an object specifies *USRPRF, an audit record is written when this user changes the object.
*NOTAVL   This value is displayed to indicate that the parameter value is not available to the user because the user does not have either *AUDIT or *ALLOBJ special authority. The parameter value cannot be set to this value.

Table 115 shows how the OBJAUD values for the user and the object work together:

Table 115. Auditing performed for object access
                      OBJAUD value for object
OBJAUD value for user   *ALL             *CHANGE   *NONE   *USRPRF
*NONE                   Change and Use   Change    None    None
*CHANGE                 Change and Use   Change    None    Change
*ALL                    Change and Use   Change    None    Change and Use

Note that the user value only ever adds auditing for objects set to *USRPRF; it cannot switch off auditing that the object's own OBJAUD value requests, and an object at *NONE is never audited regardless of the user value.

Related tasks
Planning the auditing of object access on page 286
The i5/OS operating system provides the ability to log accesses to an object in the security audit journal by using system values and the object auditing values for users and objects. This is called object auditing.

Action auditing
For an individual user, you can specify which security-relevant actions should be recorded in the audit journal. The actions specified for an individual user apply in addition to the actions specified for all users by the QAUDLVL and QAUDLVL2 system values.

Add User prompt: Not shown
CL parameter: AUDLVL
Length: 640

Action auditing for a user profile cannot be specified on any user profile displays. It is defined using the CHGUSRAUD command. Only a user with *AUDIT special authority can use the CHGUSRAUD command.

Table 116. Possible values for AUDLVL:
*NONE           The QAUDLVL system value controls action auditing for this user. No additional auditing is done.
*NOTAVL         This value is displayed to indicate that the parameter value is not available to the user because the user does not have either *AUDIT or *ALLOBJ special authority. The parameter value cannot be set to this value.
*AUTFAIL        Authorization failures are audited.
*CMD            Command strings are logged. *CMD can be specified only for individual users. Command string auditing is not available as a system-wide option using the QAUDLVL system value.
*CREATE         Object create operations are logged.
*DELETE         Object delete operations are logged.
*JOBBAS         Job base functions are audited.
*JOBCHGUSR      Changes to a thread's active user profile or its group profiles are audited.
*JOBDTA (1)     Job changes are logged.
*OBJMGT         Object move and rename operations are logged.
*OFCSRV         Changes to the system distribution directory and office mail actions are logged.
*NETBAS         Network base functions are audited.
*NETCLU         Cluster or cluster resource group operations are audited.
*NETCMN (3)     Networking and communications functions are audited.
*NETFAIL        Network failures are audited.
*NETSCK         Sockets tasks are audited.
*OPTICAL        All optical functions are audited.
*PGMADP         Obtaining authority to an object through a program that adopts authority is logged.
*PGMFAIL        Program failures are audited.
*PRTDTA         Printing functions with parameter SPOOL(*NO) are audited.
*SAVRST         Save and restore operations are logged.
*SECCFG         Security configuration is audited.
*SECDIRSRV      Changes or updates when doing directory service functions are audited.
*SECIPC         Changes to interprocess communications are audited.
*SECNAS         Network authentication service actions are audited.
*SECRUN         Security run time functions are audited.
*SECSCKD        Socket descriptors are audited.
*SECURITY (2)   Security-related functions are logged.
*SECVFY         Use of verification functions is audited.
*SECVLDL        Changes to validation list objects are audited.
*SERVICE        Using service tools is logged.
*SPLFDTA        Actions performed on spooled files are logged.
*SYSMGT         Use of systems management functions is logged.

Notes:
1. *JOBDTA includes two values, *JOBBAS and *JOBCHGUSR, which enable you to better customize your auditing. If both of the values are specified, you will get the same auditing as if just *JOBDTA is specified.
2. *SECURITY is composed of several values to enable you to better customize your auditing. If all of the values are specified, you will get the same auditing as if just *SECURITY is specified. These values are *SECCFG, *SECDIRSRV, *SECIPC, *SECNAS, *SECRUN, *SECSCKD, *SECVFY, and *SECVLDL.
3. *NETCMN is composed of several values to enable you to better customize your auditing. If all of the values are specified, you will get the same auditing as if just *NETCMN is specified. These values are *NETBAS, *NETCLU, *NETFAIL, and *NETSCK.

Related reference
Planning the auditing of actions on page 263
The QAUDCTL (audit control) system value, the QAUDLVL (audit level) system value, the QAUDLVL2 (audit level extension) system value, and the AUDLVL (action auditing) parameter in user profiles work together to control action auditing.
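The Python script below is an added example (not IBM code) that turns the rules of the Object auditing and Action auditing sections into a check a practitioner can run before relying on the audit journal for a detection: it combines Table 115 (user OBJAUD with object OBJAUD), expands the composite values from the Table 116 notes (*JOBDTA, *SECURITY, *NETCMN), rejects *CMD outside a user profile, and treats the user's AUDLVL as additive to QAUDLVL and QAUDLVL2. Two things it assumes are not stated in this section but are standard IBM i behaviour: QAUDCTL must contain *AUDLVL for any action auditing and *OBJAUD for any object auditing, and QAUDLVL2 is consulted only when QAUDLVL contains *AUDLVL2. All settings in the example are constructed.

```python
"""Audit-coverage check for one IBM i user (added example, not IBM code).

Answers "which of this user's actions and object accesses are written to the
QAUDJRN audit journal?" from the OBJAUD and AUDLVL rules in this section.
Assumed (standard IBM i behaviour, not restated on this page): QAUDCTL must
contain *AUDLVL / *OBJAUD, and QAUDLVL2 is read only when QAUDLVL has *AUDLVL2.
"""

# Composite values (Table 116, notes 1 to 3) and their components.
COMPOSITES = {
    "*JOBDTA": {"*JOBBAS", "*JOBCHGUSR"},
    "*SECURITY": {"*SECCFG", "*SECDIRSRV", "*SECIPC", "*SECNAS",
                  "*SECRUN", "*SECSCKD", "*SECVFY", "*SECVLDL"},
    "*NETCMN": {"*NETBAS", "*NETCLU", "*NETFAIL", "*NETSCK"},
}
USER_ONLY = {"*CMD"}  # valid on CHGUSRAUD AUDLVL only, never in QAUDLVL/QAUDLVL2

# Table 115: object OBJAUD -> user OBJAUD -> kinds of access that are audited.
OBJAUD_TABLE = {
    "*ALL":    {"*NONE": {"change", "use"}, "*CHANGE": {"change", "use"}, "*ALL": {"change", "use"}},
    "*CHANGE": {"*NONE": {"change"},        "*CHANGE": {"change"},        "*ALL": {"change"}},
    "*NONE":   {"*NONE": set(),             "*CHANGE": set(),             "*ALL": set()},
    "*USRPRF": {"*NONE": set(),             "*CHANGE": {"change"},        "*ALL": {"change", "use"}},
}


def expand_audlvl(values):
    """Replace composite values by their components so settings compare as sets.
    *NONE and *AUDLVL2 are control values, not audited categories, and are dropped."""
    out = set()
    for v in values:
        v = v.upper()
        if v not in ("*NONE", "*AUDLVL2"):
            out |= COMPOSITES.get(v, {v})
    return out


def effective_action_audit(qaudctl, qaudlvl, qaudlvl2, user_audlvl):
    """Return the set of Table 116 categories audited for this user.
    Raises ValueError for a setting the system would reject (*CMD in a system value)."""
    qaudctl = {v.upper() for v in qaudctl}
    qaudlvl = {v.upper() for v in qaudlvl}
    qaudlvl2 = {v.upper() for v in qaudlvl2}
    if USER_ONLY & (qaudlvl | qaudlvl2):
        raise ValueError("*CMD can be specified only for individual users")
    if "*AUDLVL" not in qaudctl:
        return set()                       # action auditing is switched off entirely
    system = expand_audlvl(qaudlvl)
    if "*AUDLVL2" in qaudlvl:              # the extension value is only read on request
        system |= expand_audlvl(qaudlvl2)
    return system | expand_audlvl(user_audlvl)   # the user's AUDLVL adds, never subtracts


def is_action_audited(category, qaudctl, qaudlvl, qaudlvl2, user_audlvl):
    """True if an action of `category` (a Table 116 value such as *PGMADP, or a
    composite such as *SECURITY meaning all of its components) is logged."""
    return expand_audlvl([category]) <= effective_action_audit(
        qaudctl, qaudlvl, qaudlvl2, user_audlvl)


def object_access_audited(qaudctl, user_objaud, object_objaud, access):
    """True if this user's `access` ("change" or "use") to an object carrying
    `object_objaud` is logged (Table 115)."""
    if access not in ("change", "use"):
        raise ValueError("access must be 'change' or 'use'")
    if "*OBJAUD" not in {v.upper() for v in qaudctl}:
        return False
    return access in OBJAUD_TABLE[object_objaud.upper()][user_objaud.upper()]


if __name__ == "__main__":
    # Constructed settings: failures and security changes audited system-wide,
    # command strings and adopted-authority use added for one operator profile.
    ctl = {"*AUDLVL", "*OBJAUD"}
    lvl = {"*AUTFAIL", "*SECURITY", "*AUDLVL2"}
    lvl2 = {"*NETCMN"}
    operator = {"*CMD", "*JOBDTA", "*PGMADP"}
    print(sorted(effective_action_audit(ctl, lvl, lvl2, operator)))
    # A *CHANGE user reading a *USRPRF object leaves no record:
    print(object_access_audited(ctl, "*CHANGE", "*USRPRF", "use"))
```

Feed it the values shown by DSPSYSVAL for QAUDCTL, QAUDLVL and QAUDLVL2 and the OBJAUD and AUDLVL fields of the user (visible only to a user holding *AUDIT or *ALLOBJ, as Tables 114 and 116 note). The most common surprise it exposes is the second case in the demo: a user at OBJAUD(*CHANGE) reading a *USRPRF object is not audited at all, so a read-detection for a sensitive file needs either the object at *ALL or the user at *ALL.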

Additional information associated with a user profile


This topic discusses the private authorities, owned object information, and primary group object information that are associated with a user profile.

Related reference
How security information is stored on page 246
Planning adequate backup and recovery procedures for security information requires understanding how the information is stored and saved.

Private authorities
All of the private authorities that a user has to objects are stored with the user profile. When a user needs authority to an object, the user's private authorities might be searched. Flowchart 3: How user authority to an object is checked on page 174 provides more information about authority checking. You can display a user's private authorities to library-based objects by using the Display User Profile command:

DSPUSRPRF user-profile-name TYPE(*OBJAUT)

You can work with a user's private authorities to library- and directory-based objects using the Work with Objects by Private Authority (WRKOBJPVT) command. To change a user's private authorities, you can use the commands that work with object authorities, such as Edit Object Authority (EDTOBJAUT). You can copy all of the private authorities from one user profile to another using the Grant User Authority (GRTUSRAUT) command. See Copying authority from a user on page 165 for more information.

Primary group authorities


The names of all of the objects for which the profile is the primary group are stored with the group profile. You can display the library-based objects for which the profile is the primary group using the DSPUSRPRF command:
DSPUSRPRF group-profile-name TYPE(*OBJPGP)

You can also use the Work with Objects by Primary Group (WRKOBJPGP) command.

Owned object information


Because the size of a user profile can affect your performance, it is suggested that you do not assign all (or nearly all) objects to only one owning profile. Private authority information for an object is stored with the user profile that owns the object. This information is used to build system displays that work with object authority. If a profile owns a large number of objects that have many private authorities, the performance of building object authority displays for these objects can be affected. The size of an owner profile affects performance when displaying and working with the authority to owned objects, and when saving or restoring profiles. System operations can also be impacted. To prevent impacts to either performance or system operations, distribute ownership of objects to multiple profiles.

Digital ID authentication
Digital certificates allow users to secure communications and ensure message integrity. The System i security infrastructure allows X.509 digital certificates to be used for identification. The digital ID APIs create, distribute, and manage digital certificates associated with user profiles. See Digital certificate management APIs for details about the following APIs:
- Add User Certificate (QSYADDUC)
- Remove User Certificate (QSYRMVUC)
- List User Certificate (QSYLSTUC)
- Find Certificate User (QSYFNDUC)
- Add Validation List Certificate (QSYADDVC)
- Remove Validation List Certificate (QSYRMVVC)
- List Validation List Certificate (QSYLSTVC)
- Check Validation List Certificate (QSYCHKVC)
- Parse Certificate (QSYPARSC)


Working with user profiles


This topic describes the commands and displays you use to create, change, and delete user profiles on the i5/OS operating system. You must have *SECADM special authority to create, change, or delete user profiles.

Creating user profiles


You can create a user profile by using the Work with User Profiles (WRKUSRPRF) list display, the Create User Profile (CRTUSRPRF) command, the Work with User Enrollment option from the SETUP menu, or System i Navigator. The user who creates the user profile owns it and is given *ALL authority to it. The user profile is given *OBJMGT and *CHANGE authority to itself. These authorities are necessary for normal operations and should not be removed. A user profile cannot be created with more authorities or capabilities than those of the user who creates the profile.

Note: You cannot use the Create User Profile (CRTUSRPRF) command to create a user profile into an independent disk pool. However, when a user is privately authorized to an object in the independent disk pool, is the owner of an object on an independent disk pool, or is the primary group of an object on an independent disk pool, the name of the profile is stored on the independent disk pool. If the independent disk pool is moved to another system, the private authority, object ownership, and primary group entries will be attached to the profile with the same name on the target system. If a profile does not exist on the target system, a profile will be created. The user will not have any special authorities and the password will be set to *NONE. Because the match is made by name only, a pre-existing profile of the same name on the target system silently acquires those authorities and objects; check for name collisions before a moved independent disk pool is varied on.

Using the Work with User Profiles command


You can enter a specific profile name, a generic profile set, or *ALL on the Work with User Profiles (WRKUSRPRF) command. The assistance level determines which list display you see. When you use the WRKUSRPRF command with the *BASIC assistance level, you see the Work with User Enrollment display. If the *INTERMED assistance level is specified, you see the Work with User Profiles display. You can specify the ASTLVL (assistance level) parameter on the command. If you do not specify ASTLVL, the system uses the assistance level stored with your user profile.

On the Work with User Profiles display, type 1 and the name of the profile you want to create:

                          Work with User Profiles

Type options, press Enter.
  1=Create   2=Change   3=Copy   4=Delete   5=Display
  12=Work with objects by owner

     User
Opt  Profile   Text
1    NEWUSER
__   DPTSM     Sales and Marketing Departme
__   DPTWH     Warehouse Department

You see the Create User Profile display:

                        Create User Profile (CRTUSRPRF)

Type choices, press Enter.

User profile . . . . . . . . . .   NEWUSER     Name
User password  . . . . . . . . .   *NONE       Character value, *USRPRF...
Set password to expired  . . . .   *YES        *NO, *YES
Status . . . . . . . . . . . . .   *ENABLED    *ENABLED, *DISABLED
User class . . . . . . . . . . .   *USER       *USER, *SYSOPR, *PGMR...
Assistance level . . . . . . . .   *SYSVAL     *SYSVAL, *BASIC, *INTERMED...
Current library  . . . . . . . .   *CRTDFT     Name, *CRTDFT
Initial program to call  . . . .   *NONE       Name, *NONE
  Library  . . . . . . . . . . .               Name, *LIBL, *CURLIB
Initial menu . . . . . . . . . .   MAIN        Name, *SIGNOFF
  Library  . . . . . . . . . . .   QSYS        Name, *LIBL, *CURLIB
Limit capabilities . . . . . . .   *NO         *NO, *PARTIAL, *YES
Text description . . . . . . . .   *BLANK

The Create User Profile display shows all of the fields in the user profile. Use F10 (Additional parameters) and page down to enter more information. Use F11 (Display keywords) to see the parameter names. The Create User Profile display does not add the user to the system directory.

Using the Create User Profile command


You can use the Create User Profile (CRTUSRPRF) command to create a user profile. You can enter parameters with the command, or you can request prompting (F4) and see the Create User Profile display.

Using the Work with User Enrollment option


You can use the Work with User Enrollment option to add users to the system. Select the Work with User Enrollment option from the SETUP menu. The assistance level stored with your user profile determines whether you see the Work with User Profiles display or the Work with User Enrollment display. You can use F21 (Select assistance level) to change levels. On the Work with User Enrollment display, use option 1 (Add) to add a new user to the system.

Work with User Enrollment Type options below, then press Enter. 1=Add 2=Change 3=Copy 4=Remove Opt 1 _ _ User NEWUSER DPTSM DPTWH Description Sales and Marketing Departme Warehouse Department

5=Display

You see the Add User display:

118

IBM i: Security Security reference

Add User Type choices below, then press Enter. User . . . . . . User description Password . . . . Type of user . . User group . . . . . . . . . . . . . . . . . . . . . . . NEWUSER NEWUSER *USER *NONE N Name

Type, F4 for list Name, F4 for list Y=Yes, N=No Name Name, *WRKSTN, F4 for list Name, *NONE Name Name Name

Restrict command line use Default library Default printer Sign on program Library . . . . . . . . . . . . . . . . . . . . . . .

*WRKSTN *NONE

First menu . . . . . . . Library . . . . . . . . F1=Help F3=Exit F5=Refresh F12=Cancel

The Add User display is designed for a security administrator without a technical background. It does not show all of the fields in the user profile. Default values are used for all fields that are not shown. Note: If you use the Add User display, you are limited to eight-character user profile names. Page down to see the second display:

                                  Add User

Type choices below, then press Enter.

Attention key program  . . . .   *SYSVAL
  Library  . . . . . . . . . .

The Add User display automatically adds an entry in the system directory with the same user ID as the user profile name (the first eight characters) and an address of the system name.

Copying user profiles


You can create a user profile by copying another user profile or a group profile. You might want to set up one profile in a group as a pattern. Copy the first profile in the group to create additional profiles. You can copy a profile interactively from either the Work with User Enrollment display or the Work with User Profiles display. No command exists to copy a user profile.

Related concepts
Group profiles on page 4
A group profile is a special type of user profile. Rather than giving authority to each user individually, you can use a group profile to define authority for a group of users.

Copying from the Work with User Profiles display


You can copy the information of a user profile from the Work with User Profiles display.


On the Work with User Profiles display, type 3 in front of the profile you want to copy. You see the Create User Profile display:

                       Create User Profile (CRTUSRPRF)

Type choices, press Enter.

User profile . . . . . . . . .                          Name
User password  . . . . . . . . > *USRPRF                Name
Set password to expired  . . . > *NO                    *NO, *YES
Status . . . . . . . . . . . . > *ENABLED               *ENABLED,
User class . . . . . . . . . . > *USER                  *USER,
Assistance level . . . . . . . > *SYSVAL                *SYSVAL,
Current library  . . . . . . . > DPTWH                  Name,
Initial program to call  . . . > *NONE                  Name,
  Library  . . . . . . . . . .                          Name,
Initial menu . . . . . . . . . > ICMAIN                 Name,
  Library  . . . . . . . . . . > ICPGMLIB               Name,
Limit capabilities . . . . . . > *NO                    *NO,
Text description . . . . . . . > Warehouse Department

All of the values from the copy-from user profile are shown on the Create User Profile display, except the following fields:

User profile
    Blank. Must be filled in.
Password
    CRTUSRPRF command default
Document password
    *NONE
Message queue
    *USRPRF
Locale job attributes
    *SYSVAL
Locale
    *SYSVAL
User Identification Number
    *GEN
Group Identification Number
    *NONE
Home directory
    *USRPRF
EIM Association
    *NOCHG
Authority
    *EXCLUDE

You can change any fields on the Create User Profile display. Private authorities of the copy-from profile are not copied. In addition, internal objects containing user preferences and other information about the user are not copied.

Copying from the Work with User Enrollment display


You can also copy user profiles from the Work with User Enrollment display.


On the Work with User Enrollment display, type 3 in front of the profile you want to copy. You see the Copy User display:

                                 Copy User

Copy from user . . . . :   DPTWH

Type choices below, then press Enter.

User . . . . . . . . . . . . .
User description . . . . . . .   Warehouse Department
Password . . . . . . . . . . .
Type of user . . . . . . . . .   USER
User group . . . . . . . . . .
Restrict command line use  . .   N
Default library  . . . . . . .   DPTWH
Default printer  . . . . . . .   PRT04
Sign on program  . . . . . . .   *NONE
  Library  . . . . . . . . . .

All of the values from the copy-from profile appear on the Add User display, except the following values:

User
    Blank. Must be filled in. Limited to 8 characters.
Password
    Blank. If you do not enter a value, the profile is created with the password equal to the default value specified for the PASSWORD parameter of the CRTUSRPRF command.

You can change any fields on the Copy User display. User profile fields that do not appear on the basic assistance level version are still copied from the copy-from profile, with the following exceptions:

Message queue
    *USRPRF
Document password
    *NONE
User Identification Number
    *GEN
Group Identification Number
    *NONE
EIM Association
    *NOCHG
Authority
    *EXCLUDE

Private authorities of the copy-from profile are not copied.

Copying private authorities


You can copy the private authorities from one user profile to another using the Grant User Authority (GRTUSRAUT) command. This should not be used in place of group profiles or authorization lists. Copying authorities does not help you manage similar authorities in the future, and it can cause performance problems on your system.


Related concepts
Copying authority from a user on page 165
You can copy all the private authorities from one user profile to another using the Grant User Authority (GRTUSRAUT) command.

Changing user profiles


You can change a user profile using option 2 (Change) from either the Work with User Profiles display or the Work with User Enrollment display. You can also use the Change User Profile (CHGUSRPRF) command. Users who are allowed to enter commands can change some parameters of their own profiles using the Change Profile (CHGPRF) command. A user cannot change a user profile to have more special authorities or capabilities than the user who changes the profile.

Deleting user profiles


You cannot delete a user profile that owns objects. Before you can delete such a user profile, you must delete any objects owned by the profile or transfer ownership of those objects to another profile. You cannot delete a user profile if it is the primary group for any objects. When you use the intermediate assistance level to delete a user profile, you can change or remove the primary group for objects. You can use the WRKOBJPGP command to list any objects for which a profile is the primary group.

When you delete a user profile, the user is removed from all distribution lists and from the system directory. You do not need to change ownership of or delete the user's message queue. The system automatically deletes the message queue when the profile is deleted.

You cannot delete a group profile that has members. To list the members of a group profile, type DSPUSRPRF group-profile-name *GRPMBR. Change the GRPPRF or SUPGRPPRF field in each member profile before deleting the group profile.

Using the Delete User Profile command


To delete a user profile, you can enter the Delete User Profile (DLTUSRPRF) command directly, or you can use option 4 (Delete) from the Work with User Profiles display. The DLTUSRPRF command has parameters allowing you to handle:
v All objects owned by the profile
v All objects for which the profile is the primary group
v EIM associations


                       Delete User Profile (DLTUSRPRF)

Type choices, press Enter.

User profile . . . . . . . . . > HOGANR        Name
Owned object option:
  Owned object value . . . . .   *CHGOWN       *NODLT, *DLT, *CHGOWN
  User profile name if *CHGOWN   WILLISR       Name
Primary group option:
  Primary group value  . . . .   *NOCHG        *NOCHG, *PGP
  New primary group  . . . . .
  New primary group authority
EIM association  . . . . . . .   *DLT          *DLT, *NODLT

You can delete all the owned objects or transfer them to a new owner. If you want to handle owned objects individually, you can use the Work with Objects by Owner (WRKOBJOWN) command. You can change the primary group for all objects for which the group profile is the primary group. If you want to handle objects individually, you can use the Work with Objects by Primary Group (WRKOBJPGP) command. The displays for both commands are similar:

                        Work with Objects by Owner

User profile . . . . . . . :   HOGANR

Type options, press Enter.
  2=Edit authority   4=Delete   5=Display authority   8=Display description
  9=Change owner
                                                            ASP
Opt  Object      Library    Type     Attribute        Device
4    HOGANR      QUSRSYS    *MSGQ                     *SYSBAS
9    QUERY1      DPTWH      *PGM                      *SYSBAS
9    QUERY2      DPTWH      *PGM                      *SYSBAS

Using the Remove User option


You can use the Remove User option on the Work with User Enrollment display to delete a user profile. From the Work with User Enrollment display, type 4 (Remove) in front of the profile you want to delete. You see the Remove User display:

                                Remove User

User . . . . . . . . . . . :   HOGANR
User description . . . . . :   Sales and Marketing Department

To remove this user type a choice below, then press Enter.

  1. Give all objects owned by this user to a new owner
  2. Delete or change owner of specific objects owned by this user.

To change the ownership of all objects before deleting the profile, select option 1. You see a display prompting you for the new owner. To handle the objects individually, select option 2. You see a detailed Remove User display:


                                Remove User

User . . . . . . . . . . . :   HOGANR
User description . . . . . :   Hogan, Richard - Warehouse DPT
New owner  . . . . . . . . .                    Name, F4 for list

To remove this user, delete or change owner of all objects.
Type options below and press Enter.
  2=Change to new owner   4=Delete   5=Display details

Opt  Object     Library    Description
4    HOGANR     QUSRSYS    HOGANR message queue
2    QUERY1     DPTWH      Inventory Query, on-hand report
2    QUERY2     DPTWH      Inventory Query, on-order report

Use the options on the display to delete objects or transfer them to a new owner. When all objects have been removed from the display, you can delete the profile.

Notes:
1. You can use F13 to delete all the objects owned by the user profile.
2. Spooled files do not appear on the Work with Objects by Owner display. You can delete a user profile even though that profile still owns spooled files. After you have deleted a user profile, use the Work with Spooled Files (WRKSPLF) command to locate and delete any spooled files owned by the user profile, if they are no longer needed.
3. Any objects for which the deleted user profile was the primary group will have a primary group of *NONE.

Working with Objects by Private Authorities


You can use the Work with Objects by Private Authorities (WRKOBJPVT) command to display and work with objects for which a profile has private authority.

Working with Objects by Primary Group


You can use the Work with Objects by Primary Group (WRKOBJPGP) command to display and work with objects for which a profile is the primary group. You can use this display to change an object's primary group to another profile or to set its primary group to *NONE.

                    Work with Objects by Primary Group

Primary group . . . . . . :   DPTAR

Type options, press Enter.
  2=Edit authority   4=Delete   5=Display authority   8=Display description
  9=Change primary group
                                                            ASP
Opt  Object      Library    Type     Attribute        Device
     CUSTMAST    CUSTLIB    *FILE                     *SYSBAS
     CUSTWRK     CUSTLIB    *FILE                     *SYSBAS
     CUSTLIB     QSYS       *LIB                      *SYSBAS


Enabling a user profile


If the QMAXSIGN and QMAXSGNACN system values on your system are set up to disable a user profile after too many password verification attempts, you might need to enable the profile by changing the profile status to *ENABLED. To enable a user profile, you must have *SECADM special authority, *OBJMGT authority, and *USE authority to the user profile. Normally, a system operator does not have *SECADM special authority. A solution is to use a simple program which adopts authority:
1. Create a CL program owned by a user who has *SECADM special authority, *OBJMGT authority, and *USE authority to the user profiles on the system. Adopt the authority of the owner when the program is created by specifying USRPRF(*OWNER).
2. Use the EDTOBJAUT command to make the public authority to the program *EXCLUDE and give the system operators *USE authority.
3. The operator enables the profile by entering CALL ENABLEPGM profile-name.
4. The main part of the ENABLEPGM program looks like this (the parameter is declared with the PARM keyword so the profile name passed on the CALL reaches the program):
PGM        PARM(&PROFILE)
DCL        VAR(&PROFILE) TYPE(*CHAR) LEN(10)
CHGUSRPRF  USRPRF(&PROFILE) STATUS(*ENABLED)
ENDPGM
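An expanded version of the ENABLEPGM idea, added here as an example and not taken from the IBM reference: it keeps the same adopted-authority design (compile with USRPRF(*OWNER) under a profile holding *SECADM, grant operators *USE, set *PUBLIC to *EXCLUDE), but it reports an unknown profile with a clear message and refuses to re-enable any profile that holds *ALLOBJ or *SECADM, so the operators' program cannot be turned on a security officer's profile. The program name, the message texts and the *ALLOBJ/*SECADM guard are this example's own choices; RTVUSRPRF, DOFOR and SNDPGMMSG are standard CL.

```cl
             /* Added example: hardened ENABLEPGM.  Compile with         */
             /* CRTCLPGM ... USRPRF(*OWNER) under a *SECADM owner.        */
             PGM        PARM(&PROFILE)
             DCL        VAR(&PROFILE) TYPE(*CHAR) LEN(10)
             DCL        VAR(&STATUS)  TYPE(*CHAR) LEN(10)
             DCL        VAR(&SPCAUT)  TYPE(*CHAR) LEN(100)
             DCL        VAR(&MSG)     TYPE(*CHAR) LEN(80)
             DCL        VAR(&POS)     TYPE(*INT)  LEN(4)

             /* Retrieve status and special authorities; CPF2204 is the  */
             /* escape RTVUSRPRF sends when the profile does not exist.  */
             RTVUSRPRF  USRPRF(&PROFILE) STATUS(&STATUS) SPCAUT(&SPCAUT)
             MONMSG     MSGID(CPF2204) EXEC(DO)
                CHGVAR     VAR(&MSG) VALUE('User profile' *BCAT &PROFILE +
                             *BCAT 'not found.')
                SNDPGMMSG  MSGID(CPF9898) MSGF(QCPFMSG) MSGDTA(&MSG) +
                             MSGTYPE(*ESCAPE)
             ENDDO

             /* SPCAUT holds up to ten 10-byte values.  An operator must  */
             /* not be able to re-enable a privileged profile through the */
             /* adopted authority of this program (guard chosen here).    */
             DOFOR      VAR(&POS) FROM(1) TO(91) BY(10)
                IF         COND((%SST(&SPCAUT &POS 10) *EQ '*ALLOBJ') *OR +
                                (%SST(&SPCAUT &POS 10) *EQ '*SECADM')) +
                           THEN(DO)
                   CHGVAR     VAR(&MSG) VALUE('Profile' *BCAT &PROFILE +
                                *BCAT 'holds *ALLOBJ or *SECADM; refer to +
                                a security officer.')
                   SNDPGMMSG  MSGID(CPF9898) MSGF(QCPFMSG) MSGDTA(&MSG) +
                                MSGTYPE(*ESCAPE)
                ENDDO
             ENDDO

             /* Nothing to do if the profile is not disabled. */
             IF         COND(&STATUS *EQ '*ENABLED') THEN(DO)
                CHGVAR     VAR(&MSG) VALUE('Profile' *BCAT &PROFILE +
                             *BCAT 'is already enabled.')
                SNDPGMMSG  MSG(&MSG) MSGTYPE(*COMP)
                RETURN
             ENDDO

             /* The CP audit journal entry for this change is written   */
             /* by the system under the operator's job, so the action   */
             /* remains attributable even though authority is adopted.   */
             CHGUSRPRF  USRPRF(&PROFILE) STATUS(*ENABLED)
             CHGVAR     VAR(&MSG) VALUE('Profile' *BCAT &PROFILE +
                          *BCAT 'enabled.')
             SNDPGMMSG  MSG(&MSG) MSGTYPE(*COMP)
             ENDPGM
```

The operator still calls it as CALL ENABLEPGM profile-name. Because the escape messages are sent with CPF9898 from QCPFMSG, a calling program can monitor for them in the usual way instead of parsing text.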

Listing user profiles


You can display and print information about user profiles in a variety of formats.

Displaying an individual profile


To display the values for an individual user profile, use option 5 (Display) from either the Work with User Enrollment display or the Work with User Profiles display. Or, you can use the Display User Profile (DSPUSRPRF) command.

Listing all profiles


You can use the Display Authorized Users (DSPAUTUSR) command to either print or display all the user profiles on the system. The sequence (SEQ) parameter on the command allows you to sort the list either by profile name or by group profile.

                          Display Authorized Users

Group       User        No         Password
Profile     Profile     Password   Last Changed   Text
DPTSM       ANDERSR                08/04/0x       Anders, Roger
            VINCENT                09/15/0x       Vincent, Mark
DPTWH       ANDERSR                08/04/0x       Anders, Roger
            HOGANR                 09/06/0x       Hogan, Richard
            QUINN                  09/06/0x       Quinn, Rose
*NO GROUP   QSECOFR                09/20/0x
            JONESS                 08/29/0x       Jones, Sharon
            HARRISON               09/05/0x       Harrison, Ken
            DPTSM       X          09/18/0x       Sales and Marketing
            DPTWH       X                         Warehouse


By pressing F11, you are able to see which user profiles have passwords defined for use at the various password levels.

                          Display Authorized Users

                      Password   Level 0 or 1   Level 2 or 3   Local     Netserver
User       Group      Last       Password       Password       Pwd Mgt   Password
Profile    Profile    Changed
ANGELA                04/21/0x   *YES           *NO            *YES      *YES
ARTHUR                07/07/0x   *YES           *YES           *YES      *YES
CAROL1                05/15/0x   *YES           *YES           *YES      *YES
CAROL2                05/15/0x   *NO            *NO            *NO       *NO
CHUCKE                05/18/0x   *YES           *NO            *YES      *YES
DENNISS               04/20/0x   *YES           *NO            *YES      *YES
DPORTER               03/30/0x   *YES           *NO            *YES      *YES
GARRY                 08/04/0x   *YES           *YES           *YES      *YES
JANNY                 03/16/0x   *YES           *NO            *YES      *YES

Types of user profile displays


The Display User Profile (DSPUSRPRF) command provides several types of displays and listings.
v Some displays and listings are available only for individual profiles. Others can be printed for all profiles or a generic set of profiles.
v You can create an output file from some displays by specifying output (*OUTFILE). Use a query tool or program to produce customized reports from the output file. Analyzing user profiles on page 301 gives suggestions for reports.

Types of user profile reports


You can generate user profile reports by using the Print User Profile (PRTUSRPRF) command or the Analyze Default Password (ANZDFTPWD) command.
v Print User Profile (PRTUSRPRF)
This command generates reports that contain information about the user profiles on the system. Four different variations of this report can be printed. One contains authority type information, one contains environment type information, one contains password type information, and one contains password level type information.
v Analyze Default Password (ANZDFTPWD)
This command generates a report about all of the user profiles on the system that have a default password and allows you to take an action against the profiles. A profile has a default password when the user profile name matches the profile's password. User profiles on the system that have a default password can be disabled and their passwords can be set to expired.

Renaming a user profile


The system does not provide a direct method for renaming a user profile. A new profile can be created with the same authorities for a user with a new name. Some information, however, cannot be transferred to the new profile. The following are examples of information that cannot be transferred:
v Spool files.
v Internal objects containing user preferences and other information about the user will be lost.
v Digital certificates that contain the user name will be invalidated.
v The uid and gid information retained by the integrated file system cannot be changed.
v You might not be able to change the information that is stored by applications that contain the user name.


Applications that are run by the user can have application profiles. Creating a new i5/OS user profile to rename a user does not rename any application profiles the user might have. A Lotus Notes profile is one example of an application profile.

The following example shows how to create a new profile for a user with a new name and the same authorities. The old profile name is SMITHM, while the new user profile name is JONESM:
1. Copy the old profile (SMITHM) to a new profile (JONESM) using the copy option from the Work with User Enrollment display.
2. Give JONESM all the private authorities of SMITHM using the Grant User Authority (GRTUSRAUT) command:
GRTUSRAUT JONESM REFUSER(SMITHM)
3. Change the primary group of all objects that SMITHM is the primary group of using the Work with Objects by Primary Group (WRKOBJPGP) command:
WRKOBJPGP PGP(SMITHM)
Enter option 9 on all objects that need their primary group changed and enter NEWPGP(JONESM) on the command line.
Note: JONESM must have a gid assigned using the GID parameter on the Create or Change User Profile (CRTUSRPRF or CHGUSRPRF) command.
4. Display the SMITHM user profile using the Display User Profile (DSPUSRPRF) command:
DSPUSRPRF USRPRF(SMITHM)
Write down the uid and gid for SMITHM.
5. Transfer ownership of all other owned objects to JONESM and remove the SMITHM user profile, using option 4 (Remove) from the Work with User Enrollment display.
6. Change the uid and the gid of JONESM to the uid and gid that belonged to SMITHM by using the Change User Profile (CHGUSRPRF) command:
CHGUSRPRF USRPRF(JONESM) UID(uid from SMITHM) GID(gid from SMITHM)
If JONESM owns objects in a directory, the CHGUSRPRF command cannot be used to change the uid and gid. Use the QSYCHGID API to change the uid and gid of user profile JONESM.
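Steps 2 to 6 of the procedure above can be driven from one CL program once the copy in step 1 has been done on the Work with User Enrollment display. The program below is an added example and is not part of the IBM reference; its name (RNMUSRPRF), its two parameters, and its treatment of a retrieved gid of 0 as "no gid" are assumptions of this example. It replaces the interactive WRKOBJPGP and Remove User steps with the OWNOBJOPT and PGPOPT parameters of DLTUSRPRF shown on the Delete User Profile display earlier in this chapter, and it captures the old uid and gid before anything is deleted.

```cl
             /* Added example: RNMUSRPRF OLD NEW.  Assumes NEW was     */
             /* already created by copying OLD (step 1) and that the    */
             /* caller is authorized to both profiles.                   */
             PGM        PARM(&OLDUSR &NEWUSR)
             DCL        VAR(&OLDUSR) TYPE(*CHAR) LEN(10)
             DCL        VAR(&NEWUSR) TYPE(*CHAR) LEN(10)
             DCL        VAR(&UID)    TYPE(*DEC)  LEN(10 0)
             DCL        VAR(&GID)    TYPE(*DEC)  LEN(10 0)
             DCL        VAR(&NEWGID) TYPE(*DEC)  LEN(10 0)

             /* Step 4 comes first: record the old uid and gid while the */
             /* old profile still exists.                                 */
             RTVUSRPRF  USRPRF(&OLDUSR) UID(&UID) GID(&GID)

             /* Step 2: copy every private authority to the new profile. */
             GRTUSRAUT  USRPRF(&NEWUSR) REFUSER(&OLDUSR)

             /* Step 3 prerequisite: only a profile with a gid can be a   */
             /* primary group.  This example treats a retrieved gid of 0  */
             /* as "none" (assumption) and generates one when needed.     */
             RTVUSRPRF  USRPRF(&NEWUSR) GID(&NEWGID)
             IF         COND((&GID *NE 0) *AND (&NEWGID *EQ 0)) +
                        THEN(CHGUSRPRF USRPRF(&NEWUSR) GID(*GEN))

             /* Steps 3 and 5 in one operation: every object owned by    */
             /* the old profile goes to the new one, every object whose   */
             /* primary group was the old profile gets the new profile as */
             /* primary group with the same authority (*OLDPGP), and the  */
             /* old profile is deleted.  This fails if the old profile is */
             /* a group that still has members; fix that first.           */
             DLTUSRPRF  USRPRF(&OLDUSR) OWNOBJOPT(*CHGOWN &NEWUSR) +
                          PGPOPT(*CHGPGP &NEWUSR *OLDPGP) EIMASSOC(*DLT)

             /* Step 6: carry the old uid (and gid, if there was one)     */
             /* over so integrated file system ownership still resolves   */
             /* to this user.  CHGUSRPRF sends an escape message if the   */
             /* new profile already owns directory objects; that failure  */
             /* is deliberately left visible, because the QSYCHGID API    */
             /* must then be used instead.                                 */
             IF         COND(&GID *NE 0) +
                        THEN(CHGUSRPRF USRPRF(&NEWUSR) UID(&UID) GID(&GID))
             ELSE       CMD(CHGUSRPRF USRPRF(&NEWUSR) UID(&UID))
             ENDPGM
```

Called as CALL RNMUSRPRF (SMITHM JONESM) after the interactive copy, this leaves JONESM with SMITHM's private authorities, owned objects, primary-group role and identifiers. The items listed above that cannot be transferred (spooled files, internal preference objects, certificates, application profiles) are unchanged by the program.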

Working with user auditing


You can use the Change User Auditing (CHGUSRAUD) command to set the audit characteristics for users. To use this command, you must have *AUDIT special authority.

                         Change User Audit (CHGUSRAUD)

Type choices, press Enter.

User profile . . . . . . . . . .   HOGANR
                  + for more values   JONESS
Object auditing value  . . . . .   *SAME
User action auditing . . . . . .   *CMD
                  + for more values   *SERVICE

You can specify the auditing characteristics for more than one user at a time by listing user profile names. The AUDLVL (user action auditing) parameter can have more than one value. The values that you specify are not added to the current AUDLVL values for the users but rather they replace the current AUDLVL values.

If you have either *ALLOBJ or *AUDIT special authority, you can use the Display User Profile (DSPUSRPRF) command to see audit characteristics for a user.

Working with profiles in CL programs


You can work with user profiles within a CL program. You may want to retrieve information about the user profile from within a CL program. You can use the Retrieve User Profile (RTVUSRPRF) command in your CL program. The command returns the requested attributes of the profile to variables you associate with the user profile field names.

The descriptions of user profile fields in this section show the field lengths expected by the RTVUSRPRF command. In some cases, a decimal field can also have a value that is not numeric. For example, the maximum storage field (MAXSTG) is defined as a decimal field, but it can have a value of *NOMAX. Online information for the RTVUSRPRF command describes the values that are returned in a decimal field for values that are not numeric. The sample program in Using a password approval program on page 60 shows an example of using the RTVUSRPRF command.

You may also want to use the CRTUSRPRF or CHGUSRPRF command within a CL program. If you use variables for the parameters of these commands, define the variables as character fields to match the Create User Profile prompt display. The variable sizes do not need to match the field sizes.

You cannot retrieve a user's password, because the password is stored with one-way encryption. If you want the user to enter the password again before accessing critical information, you can use the Check Password (CHKPWD) command in your program. The system compares the password entered to the user's password and sends an escape message to your program if the password is not correct.
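As an added example (not from the IBM reference), here is a CL program that re-verifies the user with CHKPWD before calling a sensitive function, as the last paragraph describes. The program name, the &PASSWORD parameter, the message texts and the PAYLIB/PAYRPT program it calls are placeholders chosen for this example; in practice the password would be collected from a non-display input field on a display file rather than passed as a parameter, and the escape message identifier for a failed CHKPWD is not assumed here, so the generic CPF0000 monitor is used.

```cl
             /* Added example: re-authenticate the current user before a */
             /* sensitive step.  PAYLIB/PAYRPT is a placeholder.          */
             PGM        PARM(&PASSWORD)
             DCL        VAR(&PASSWORD) TYPE(*CHAR) LEN(128)
             DCL        VAR(&USER)     TYPE(*CHAR) LEN(10)
             DCL        VAR(&PWDEXP)   TYPE(*CHAR) LEN(4)
             DCL        VAR(&MSG)      TYPE(*CHAR) LEN(80)

             /* RTNUSRPRF resolves *CURRENT to the real profile name;   */
             /* PWDEXP returns *YES when the password has expired.      */
             RTVUSRPRF  USRPRF(*CURRENT) RTNUSRPRF(&USER) PWDEXP(&PWDEXP)

             /* An expired password belongs in the sign-on password      */
             /* change, not here: refuse rather than accept it.          */
             IF         COND(&PWDEXP *EQ '*YES') THEN(DO)
                CHGVAR     VAR(&PASSWORD) VALUE(' ')
                CHGVAR     VAR(&MSG) VALUE('Password for' *BCAT &USER *BCAT +
                             'is expired; change it before using this function.')
                SNDPGMMSG  MSGID(CPF9898) MSGF(QCPFMSG) MSGDTA(&MSG) +
                             MSGTYPE(*ESCAPE)
             ENDDO

             /* CHKPWD compares the value with the stored password of the */
             /* current user and sends an escape message on a mismatch.  */
             /* CPF0000 monitors every CPF escape it can send.            */
             CHKPWD     PASSWORD(&PASSWORD)
             MONMSG     MSGID(CPF0000) EXEC(DO)
                CHGVAR     VAR(&PASSWORD) VALUE(' ')
                CHGVAR     VAR(&MSG) VALUE('Password not verified for' +
                             *BCAT &USER)
                SNDPGMMSG  MSGID(CPF9898) MSGF(QCPFMSG) MSGDTA(&MSG) +
                             MSGTYPE(*ESCAPE)
             ENDDO

             /* Overwrite the clear-text value once it has been checked  */
             /* so it does not linger in the job's variable storage.     */
             CHGVAR     VAR(&PASSWORD) VALUE(' ')

             /* The protected function (placeholder name). */
             CALL       PGM(PAYLIB/PAYRPT)
             ENDPGM
```

The variable is blanked on every path before the program returns, and both refusals are raised as CPF9898 escapes so a caller can monitor for them rather than inspect message text.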

User profile exit points


You can write your own exit programs to perform specific user profile functions. When you register your exit programs with any of the user profile exit points, you are notified when a user profile is created, changed, deleted, or restored. At the time of notification, your exit program can perform any of the following operations:
v Retrieve information about the user profile.
v Enroll the user profile that was just created in the system directory.
v Create necessary objects for the user profile.

Note: All adopted authority will be suppressed before the exit programs are called. This means that the exit program may not have authority to access the user profile object.

Related information
Exit programs

IBM-supplied user profiles


A number of user profiles are shipped with your system software. These IBM-supplied user profiles are used as object owners for various system functions. Some system functions also run under specific IBM-supplied user profiles. To allow you to install your system the first time, the password for the security officer (QSECOFR) profile is the same for every system that is shipped. However, the password for QSECOFR is shipped as expired. For new systems, you are required to change the password the first time you sign on as QSECOFR.


When you install a new release of the operating system, passwords for IBM-supplied profiles are not changed. If profiles such as QPGMR and QSYSOPR have passwords, those passwords are not set to *NONE automatically. Appendix B, IBM-supplied user profiles, on page 317 contains a complete list of all the IBM-supplied user profiles and the field values for each profile.

Note: All IBM-supplied user profiles except for QSECOFR are shipped with a password of *NONE and are not intended for sign-on. These profiles are used by the IBM i operating system. Therefore, signing on with these profiles or using the profiles to own user (non-IBM-supplied) objects is not recommended.

Related concepts
IBM-supplied user profiles on page 258
You can perform auditing tasks on IBM-supplied user profiles by verifying their passwords.

Changing passwords for IBM-supplied user profiles


If you need to sign on with one of the IBM-supplied profiles, you can change the password using the CHGUSRPRF command. You can also change these passwords using an option from the SETUP menu. To protect your system, you should leave the password set to *NONE for all IBM-supplied profiles except QSECOFR. Do not allow trivial passwords for the QSECOFR profile.

                      Change Passwords for IBM-Supplied

Type new password below for IBM-supplied user, type password again to
verify change, then press Enter.

New security officer (QSECOFR) password  . . . . . .
  New password (to verify)  . . . . . . . . . . . .
New system operator (QSYSOPR) password . . . . . . .
  New password (to verify)  . . . . . . . . . . . .
New programmer (QPGMR) password  . . . . . . . . . .
  New password (to verify)  . . . . . . . . . . . .
New user (QUSER) password  . . . . . . . . . . . . .
  New password (to verify)  . . . . . . . . . . . .
New service (QSRV) password  . . . . . . . . . . . .
  New password (to verify)  . . . . . . . . . . . .

Page down to change additional passwords:

                      Change Passwords for IBM-Supplied

Type new password below for IBM-supplied user, type password again to
verify change, then press Enter.

New basic service (QSRVBAS) password . . . . . . . .
  New password (to verify)  . . . . . . . . . . . .

Working with service tools user IDs


There are several enhancements and additions to service tools that make them easier to use and understand.
v System service tools (SST)
You can now manage and create service tools user IDs from system service tools (SST) by selecting option 8 (Work with service tools user IDs) from the main SST display. You no longer need to go into dedicated service tools (DST) to reset passwords, grant or revoke privileges, or create service tools user IDs.
Note: Information regarding service tools has been moved to the information center.
v Password management enhancements
The server is shipped with limited ability to change default and expired passwords. This means that you cannot change service tools user IDs that have default and expired passwords through the Change Service Tools User ID (QSYCHGDS) API, nor can you change their passwords through SST. You can only change a service tools user ID with a default and expired password through DST. And, you can change the setting to allow default and expired passwords to be changed. Also, you can use the new Start service tools (STRSST) privilege to create a service tools user ID that can access DST, but can be restricted from accessing SST.
v Terminology changes
The textual data and other documentation have been changed to reflect the new service tools terminology. Specifically, the term service tools user IDs replaces previous terms, such as DST user profiles, DST user IDs, service tools user profiles, or variations of these names.

Related concepts
IBM-supplied user profiles on page 258
You can perform auditing tasks on IBM-supplied user profiles by verifying their passwords.

Related information
Managing service tools user IDs

System password
The system password is used to authorize system model changes, certain service conditions, and ownership changes. If these changes have occurred on your system, you may be prompted for the system password when you perform an IPL.


Chapter 5. Resource security


This section describes each of the components of resource security and how they work together to protect information about your system. It also explains how to use CL commands and displays to set up resource security on your system.

Resource security defines which users are allowed to use objects on the system and what operations they are allowed to perform on those objects. Chapter 7, Designing security, on page 219 discusses techniques for designing resource security, including how it affects both application design and system performance. The topic How the system checks authority on page 169 provides detailed flowcharts and notes about how the system checks authority. You might find it useful to consult this information as you read the explanations that follow.

Related concepts
Resource security on page 5
The ability to access an object is called authority. Resource security on the i5/OS operating system enables you to control object authorities by defining who can use which objects and how those objects can be used.
Overall recommendations for security design on page 220
Keeping your security design as simple as possible makes it easier to manage and audit security. It also improves application performance and backup performance.

Defining who can access information


You can give authority to individual users, groups of users, and the public.

Note: In some environments, a user's authority is referred to as a privilege.

You define who can use an object in several ways:

Public authority: The public authority consists of anyone who is authorized to sign on to your system. Public authority is defined for every object on the system, although the public authority for an object can be *EXCLUDE. Public authority to an object is used if no other specific authority is found for the object.

Private authority: You can define specific authority to use (or not use) an object. You can grant authority to an individual user profile or to a group profile. An object has private authority if any authority other than public authority, object ownership, or primary group authority is defined for the object.

User authority: Individual user profiles can be given authority to use objects on the system. This is one type of private authority.

Group authority: Group profiles can be given authority to use objects on the system. A member of the group gets the group's authority unless an authority is specifically defined for that user. Group authority is also considered private authority.


Object ownership: Every object on the system has an owner. The owner has *ALL authority to the object by default. However, the owner's authority to the object can be changed or removed. The owner's authority to the object is not considered private authority.

Primary group authority: You can specify a primary group for an object and the authority the primary group has to the object. Primary group authority is stored with the object and can provide better performance than private authority granted to a group profile. Only a user profile with a group identification number (gid) can be the primary group for an object. Primary group authority is not considered private authority.

Defining how information can be accessed


You can define what operations can be performed on objects, data, and fields. Authority means the type of access allowed to an object. Different operations require different types of authority.

Note: In some environments, the authority associated with an object is called the object's mode of access.

Authority to an object is divided into three categories:
1. Object authority defines what operations can be performed on the object as a whole.
2. Data authority defines what operations can be performed on the contents of the object.
3. Field authority defines what operations can be performed on the data fields.

Table 117 describes the types of authority available and lists some examples of how the authorities are used. In most cases, accessing an object requires a combination of object, data, and field authorities. Appendix D, Authority required for objects used by commands, on page 337 provides information about the authority that is required to perform a specific function.
Table 117. Description of authority types

Authority   Name                             Functions allowed

Object authorities:
*OBJOPR     Object Operational               Look at the description of an object. Use the object as
                                             determined by the user's data authorities.
*OBJMGT     Object Management                Specify the security for the object. Move or rename the
                                             object. All functions defined for *OBJALTER and *OBJREF.
*OBJEXIST   Object Existence                 Delete the object. Free storage of the object. Perform save
                                             and restore operations for the object (see note 1). Transfer
                                             ownership of the object.
*OBJALTER   Object Alter                     Add, clear, initialize and reorganize members of the database
                                             files. Alter and add attributes of database files: add and
                                             remove triggers. Change the attributes of SQL packages.
*OBJREF     Object Reference                 Specify a database file as the parent in a referential
                                             constraint. For example, you want to define a rule that a
                                             customer record must exist in the CUSMAS file before an order
                                             for the customer can be added to the CUSORD file. You need
                                             *OBJREF authority to the CUSMAS file to define this rule.
*AUTLMGT    Authorization List Management    Add and remove users and their authorities from the
                                             authorization list (see note 2).

Data authorities:
*READ       Read                             Display the contents of the object, such as viewing records
                                             in a file.
*ADD        Add                              Add entries to an object, such as adding messages to a
                                             message queue or adding records to a file.
*UPD        Update                           Change the entries in an object, such as changing records in
                                             a file.
*DLT        Delete                           Remove entries from an object, such as removing messages from
                                             a message queue or deleting records from a file.
*EXECUTE    Execute                          Run a program, service program, or SQL package. Locate an
                                             object in a library or a directory.

Field authorities:
*MGT        Management                       Specify the security for the field.
*ALTER      Alter                            Change the attributes of the field.
*REF        Reference                        Specify the field as part of the parent key in a referential
                                             constraint.
*READ       Read                             Access the contents of the field. For example, display the
                                             contents of the field.
*ADD        Add                              Add entries to data, such as adding information to a specific
                                             field.
*UPDATE     Update                           Change the content of existing entries in the field.

Notes:
1. If a user has save system (*SAVSYS) special authority, object existence authority is not required to perform save and restore operations on the object.
2. See the topic Authorization list management on page 138 for more information.

Related tasks
Changing to level 30 from a lower level on page 13
When you change to security level 30 from a lower security level, the system changes all user profiles to update special authorities the next time you perform an initial program load (IPL).
Related reference
Group authority on page 98
If the user profile is a member of a group and OWNER(*USRPRF) is specified, the Group authority field controls what authority is given to the group profile for any objects created by this user.

Commonly used authorities


You can specify certain sets of object and data authorities. Certain sets of object and data authorities are commonly required to perform operations on objects. You can specify these system-defined sets of authority (*ALL, *CHANGE, *USE) instead of individually defining the authorities needed for an object.

*EXCLUDE authority is different from having no authority. *EXCLUDE authority specifically denies access to the object. Having no authority means you use the public authority defined for the object.

Table 118 on page 134 shows the system-defined authorities available using the object authority commands and displays.

Chapter 5. Resource security


Table 118. System-defined authority

Authority            *ALL   *CHANGE   *USE   *EXCLUDE
Object Authorities
  *OBJOPR             X        X        X
  *OBJMGT             X
  *OBJEXIST           X
  *OBJALTER           X
  *OBJREF             X
Data Authorities
  *READ               X        X        X
  *ADD                X        X
  *UPD                X        X
  *DLT                X        X
  *EXECUTE            X        X        X

Table 119 shows additional system-defined authorities that are available using the WRKAUT and CHGAUT commands:

Table 119. System-defined authority

Authority            *RWX   *RW   *RX   *R   *WX   *W   *X
Object Authorities
  *OBJOPR             X      X     X     X    X     X    X
  *OBJMGT
  *OBJEXIST
  *OBJALTER
  *OBJREF
Data Authorities
  *READ               X      X     X     X
  *ADD                X      X                X     X
  *UPD                X      X                X     X
  *DLT                X      X                X     X
  *EXECUTE            X            X          X          X
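As an added example that is not part of the IBM i Security Reference, the following Python model transcribes Tables 118 and 119 into sets of specific authorities and applies the rule stated above: a private *EXCLUDE authority denies access, while a user with no private authority falls through to the object's public authority. The function names, the dictionary layout, the sample users and the simplification that ignores group profiles, *ALLOBJ special authority, adopted authority and authorization lists are this example's own assumptions.

```python
# Added example (not from the IBM i Security Reference): a model of the
# system-defined authorities in Tables 118 and 119 and of the rule that
# *EXCLUDE denies access while "no authority" falls through to public authority.
# Simplifications assumed here: no group profiles, no *ALLOBJ special
# authority, no adopted authority and no authorization lists.

OBJECT_AUTHORITIES = frozenset({"*OBJOPR", "*OBJMGT", "*OBJEXIST", "*OBJALTER", "*OBJREF"})
DATA_AUTHORITIES = frozenset({"*READ", "*ADD", "*UPD", "*DLT", "*EXECUTE"})

# Column-by-column transcription of the X marks in Table 118 and Table 119.
SYSTEM_DEFINED = {
    "*ALL":     OBJECT_AUTHORITIES | DATA_AUTHORITIES,
    "*CHANGE":  frozenset({"*OBJOPR", "*READ", "*ADD", "*UPD", "*DLT", "*EXECUTE"}),
    "*USE":     frozenset({"*OBJOPR", "*READ", "*EXECUTE"}),
    "*EXCLUDE": frozenset(),  # an explicit denial; see resolve_authority()
    # Values accepted by WRKAUT and CHGAUT (Table 119)
    "*RWX": frozenset({"*OBJOPR", "*READ", "*ADD", "*UPD", "*DLT", "*EXECUTE"}),
    "*RW":  frozenset({"*OBJOPR", "*READ", "*ADD", "*UPD", "*DLT"}),
    "*RX":  frozenset({"*OBJOPR", "*READ", "*EXECUTE"}),
    "*R":   frozenset({"*OBJOPR", "*READ"}),
    "*WX":  frozenset({"*OBJOPR", "*ADD", "*UPD", "*DLT", "*EXECUTE"}),
    "*W":   frozenset({"*OBJOPR", "*ADD", "*UPD", "*DLT"}),
    "*X":   frozenset({"*OBJOPR", "*EXECUTE"}),
}


def expand(authority):
    """Specific authorities behind a system-defined value.

    A user-defined (USER DEF) authority is passed in as an iterable of
    specific authorities and comes back unchanged as a frozenset.
    """
    if isinstance(authority, str):
        return SYSTEM_DEFINED[authority]
    return frozenset(authority)


def resolve_authority(user, private_authorities, public_authority):
    """Effective authority of `user` to one object.

    private_authorities maps user name -> authority value (the object's
    private authorities); public_authority is the object's *PUBLIC value.
    A user with a private authority gets exactly that, so *EXCLUDE yields the
    empty set and never falls back to public authority.  A user with no
    private authority uses the public authority.
    """
    if user in private_authorities:
        return expand(private_authorities[user])
    return expand(public_authority)


def is_allowed(user, private_authorities, public_authority, needed):
    """True when every authority in `needed` is held by `user`."""
    return frozenset(needed) <= resolve_authority(user, private_authorities, public_authority)


if __name__ == "__main__":
    # Constructed sample object: public *CHANGE, USER1 *USE, USER2 *EXCLUDE.
    private = {"USER1": "*USE", "USER2": "*EXCLUDE"}
    for who in ("USER1", "USER2", "USER3"):
        print(who, sorted(resolve_authority(who, private, "*CHANGE")))
```

USER3 has no private authority and therefore receives the public *CHANGE authority, whereas USER2's private *EXCLUDE leaves it with nothing even though the public authority would have allowed access.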

The LAN Server licensed program uses access control lists to manage authority. A user's authorities are called permissions. Table 120 shows how the LAN Server permissions map to object and data authorities:

Table 120. LAN server permissions

Authority            LAN server permissions
*EXCLUDE             None
Object Authorities
  *OBJOPR            See note 1
  *OBJMGT            Permission
  *OBJEXIST          Create, Delete
  *OBJALTER          Attribute
  *OBJREF            No equivalent
Data Authorities
  *READ              Read
  *ADD               Create
  *UPD               Write
  *DLT               Delete
  *EXECUTE           Execute

Note:
1. Unless NONE is specified for a user in the access control list, the user is implicitly given *OBJOPR.

Defining what information can be accessed


You can define resource security for individual objects on the system. You can also define security for groups of objects using either library security or an authorization list.

Library security
You can use library security to protect information.

Most objects on the system reside in libraries. To access an object, you need authority both to the object itself and the library in which the object resides. For most operations, including deleting an object, *USE authority to the object library is sufficient (in addition to the authority required for the object). Creating a new object requires *ADD authority to the object library. Appendix D, Authority required for objects used by commands, on page 337 shows what authority is required by CL commands for objects and the object libraries.

Using library security is one technique for protecting information while maintaining a simple security scheme. For example, to secure confidential information for a set of applications, you can do the following actions:
• Use a library to store all confidential files for a particular group of applications.
• Ensure that public authority is sufficient for all objects (in the library) that are used by applications (*USE or *CHANGE).
• Restrict public authority to the library itself (*EXCLUDE).
• Give selected groups or individuals authority to the library (*USE, or *ADD if the applications require it).

Although library security is a simple, effective method for protecting information, it might not be adequate for data with high security requirements. Highly sensitive objects should be secured individually or with an authorization list, rather than relying on library security.

Related concepts
Planning libraries on page 225
A library is like a directory used to locate the objects in the library. Many factors affect how you choose to group your application information into libraries and manage libraries.

Library security and library lists


When a library is added to a user's library list, the authority the user has to the library is stored with the library list information. The user's authority to the library remains for the entire job, even if the user's authority to the library is revoked while the job is active.

When access to an object is requested and *LIBL is specified for the object, the library list information is used to check authority for the library. If a qualified name is specified, the authority for the library is specifically checked, even if the library is included in the user's library list.

Attention: If a user is running under adopted authority when a library is added to the library list, the user remains authorized to the library even when the user is no longer running under adopted authority. This represents a potential security exposure. Any entries added to a user's library list by a program running under adopted authority should be removed before the adopted authority program ends.

In addition, applications that use library lists rather than qualified library names have a potential security exposure. A user who is authorized to the commands to work with library lists can potentially run a different version of a program.

Related reference
Library lists on page 207
The library list for a job indicates which libraries are to be searched and the order in which they are to be searched.

Field authorities
You can specify field authorities for database files. The supported field authorities are Management, Alter, Reference, Read, Add, and Update. You can administer these authorities only through the SQL statements GRANT and REVOKE. You can display these authorities through the Display Object Authority (DSPOBJAUT) and the Edit Object Authority (EDTOBJAUT) commands. With the EDTOBJAUT command you can only display the field authorities; you cannot edit them.

                           Display Object Authority

Object . . . . . . . :   PLMITXT      Owner  . . . . . . . :   PGMR1
  Library  . . . . . :   RLN          Primary group  . . . :   DPTAR
Object type  . . . . :   *FILE        ASP Device . . . . . :   *SYSBAS

Object secured by authorization list  . . . . . . . . . . . :   *NONE

                        Object      ----------------Data----------------
User       Group        Authority   Read   Add   Update   Delete   Execute
*PUBLIC                 *CHANGE      X      X      X        X        X
PGMR1                   *ALL         X      X      X        X        X
USER1                   *USE         X                               X
USER2                   USER DEF     X  X  X
USER3                   USER DEF     X  X

Press Enter to continue

F3=Exit   F11=Nondisplay detail   F12=Cancel   F16=Display field authorities

Figure 4. Display Object Authority display showing F16=Display field authorities. This function key will be displayed when a database file has field authorities.


Display Field Authority Object . . . . . . . : Library . . . . . : Object type . . . . : PLMITXT RLN *FILE Object Authority *ALL *Use USER DEF USER DEF *CHANGE *ALL *Use USER DEF USER DEF *CHANGE Owner . . . . . . . : Primary group . . . : PGMR1 *NONE

Field Field3

Field4

User PGMR1 USER1 USER2 USER3 *PUBLIC PGMR1 USER1 USER2 USER3 *PUBLIC

-----Field Authorities----------Mgt Alter Ref Read Add Update X X X X X X X X X X X X X X X X X X X X X X X X X More

Press Enter to continue. F3=Exit F5=Refresh F12=Cancel F16=Repeat position to F17=Position to

Figure 5. Display Field Authority display. When "F17=Position to" is pressed, the Position List prompt will be displayed. If F16 is pressed, the previous position to operation will be repeated.

The following commands and APIs take field authorities into account:
• The Print Private Authority (PRTPVTAUT) command has a field that indicates when a file has field authorities.
• The Display Object Authority (DSPOBJAUT) command has an Authority Type parameter to allow display of object authorities, field authorities, or all authorities. If the object type is not *FILE, you can display only object authorities.
• Information provided by the List Users Authorized to Object (QSYLUSRA) API indicates whether a file has field authorities.
• The Grant User Authority (GRTUSRAUT) command will not grant a user's field authorities.
• When a grant with reference object is performed using the GRTOBJAUT command and both objects (the one being granted to and the referenced one) are database files, all field authorities will be granted where the field names match.
• If a user's authority to a database file is removed, any field authorities for the user are also removed.

Security and the System/38 Environment


This section provides information about security in the System/38 Environment.

The System/38 Environment and CL programs of type CLP38 represent a potential security exposure. When a non-library qualified command is entered from the System/38 Command Entry screen, or invoked by any CLP38 CL program, library QUSER38 (if it exists) is the first library searched for that command. Library QSYS38 is the second library searched. A programmer or other knowledgeable user might place another CL command in either of these libraries and cause that command to be used instead of one from a library in the library list. Library QUSER38 is not shipped with the operating system. However, it can be created by anyone with enough authority to create a library.

Related information
System/38 Environment Programming

Recommendation for System/38 Environment


This topic includes a list of recommendations for the System/38 Environment.

Use these measures to protect your system for the System/38 Environment and CL programs of type CLP38:
• Check the public authority of the QSYS38 library, and if it is *ALL or *CHANGE, change it to *USE.
• Check the public authority of the QUSER38 library, and if it is *ALL or *CHANGE, change it to *USE.
• If the QUSER38 and QSYS38 libraries do not exist, create them and set their public authority to *USE. This prevents anyone else from creating them later and giving themselves or the public too much authority to them.

Directory security
You can use directory security to protect information. When accessing an object in a directory, you must have authority to all the directories in the path containing the object. You must also have the necessary authority to the object to perform the operation you requested. You might want to use directory security in the same way that you use library security. Limit access to directories and use public authority to the objects within the directory. Limiting the number of private authorities defined for objects improves the performance of the authority checking process.

Authorization list security


You can group objects with similar security requirements using an authorization list.

An authorization list, conceptually, contains a list of users and the authorities that the users have for the objects secured by the list. Each user can have a different authority to the set of objects the list secures. When you give a user authority to the authorization list, the operating system actually grants a private authority for that user to the authorization list.

You can also use an authorization list to define public authority for the objects in the list. If the public authority for an object is set to *AUTL, the object gets its public authority from its authorization list.

The authorization list object is used as a management tool by the system. It actually contains a list of all objects that are secured by the authorization list. This information is used to build displays for viewing or editing the authorization list objects.

You cannot use an authorization list to secure a user profile or another authorization list. Only one authorization list can be specified for an object. Only the owner of the object, a user with all object (*ALLOBJ) special authority, or a user with all (*ALL) authority to the object, can add or remove the authorization list for an object.

Objects in the system library (QSYS) can be secured with an authorization list. However, the name of the authorization list that secures an object is stored with the object. In some cases, when you install a new release of the operating system, all the objects in the QSYS library are replaced. The association between the objects and your authorization list will be lost.

See the topic Advantages of using an authorization list on page 166 for examples of how to use authorization lists.

Authorization list management


You can grant a special operational authority called Authorization List Management (*AUTLMGT) for authorization lists.

Users with *AUTLMGT authority are allowed to add and remove the users' authority to the authorization list and change the authorities for those users. *AUTLMGT authority, by itself, does not give authority to secure new objects with the list or to remove objects from the list.

A user with *AUTLMGT authority can give only the same or less authority to others. For example, assume that USERA has *CHANGE and *AUTLMGT authority to authorization list CPLIST1. USERA can add USERB to CPLIST1 and give USERB *CHANGE authority or less. USERA cannot give USERB *ALL authority to CPLIST1, because USERA does not have *ALL authority.

A user with *AUTLMGT authority can remove the authority for a user if the *AUTLMGT user has equal or greater authority to the list than the user profile name being removed. If USERC has *ALL authority to CPLIST1, then USERA cannot remove USERC from the list, because USERA has only *CHANGE and *AUTLMGT.
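The two *AUTLMGT rules above, modelled in Python as an added example that is not part of the IBM i Security Reference. The AuthorizationList class, its method names and the attempt() helper are this example's own; the ordering *EXCLUDE < *USE < *CHANGE < *ALL follows the system-defined authorities of Table 118, and the CPLIST1 scenario reproduces the USERA, USERB and USERC case from the text.

```python
# Added example (not from the IBM i Security Reference): a model of the
# *AUTLMGT delegation rules.  The class, its method names and attempt() are
# this example's own; the authority ordering follows Table 118.

RANK = {"*EXCLUDE": 0, "*USE": 1, "*CHANGE": 2, "*ALL": 3}


class AuthorizationListError(Exception):
    """Raised when an action is not permitted by the *AUTLMGT rules."""


class AuthorizationList:
    def __init__(self, name):
        self.name = name
        self.entries = {}      # user -> system-defined authority to the list
        self.managers = set()  # users who also hold *AUTLMGT

    def set_entry(self, user, authority, autlmgt=False):
        """Direct setup by the list owner or security officer (no rule check)."""
        self.entries[user] = authority
        if autlmgt:
            self.managers.add(user)
        else:
            self.managers.discard(user)

    def _manager_rank(self, actor):
        """Rank of the acting user's own authority; requires *AUTLMGT."""
        if actor not in self.managers:
            raise AuthorizationListError(f"{actor} does not hold *AUTLMGT to {self.name}")
        return RANK[self.entries.get(actor, "*EXCLUDE")]

    def grant(self, actor, target, authority):
        """actor gives target an entry: only the same or less authority than actor holds."""
        if RANK[authority] > self._manager_rank(actor):
            raise AuthorizationListError(
                f"{actor} has {self.entries.get(actor, '*EXCLUDE')} and cannot give {authority}")
        self.entries[target] = authority

    def revoke(self, actor, target):
        """actor removes target: only if actor's authority is equal or greater."""
        if RANK[self.entries.get(target, "*EXCLUDE")] > self._manager_rank(actor):
            raise AuthorizationListError(
                f"{actor} cannot remove {target}, who holds {self.entries.get(target)}")
        self.entries.pop(target, None)
        self.managers.discard(target)


def attempt(action, *args):
    """Run an action and report whether the *AUTLMGT rules allowed it."""
    try:
        action(*args)
        return True
    except AuthorizationListError:
        return False


def cplist1_scenario():
    """The USERA/USERB/USERC example from the text, as a dict of outcomes."""
    cplist1 = AuthorizationList("CPLIST1")
    cplist1.set_entry("USERA", "*CHANGE", autlmgt=True)
    cplist1.set_entry("USERC", "*ALL")
    return {
        "usera_gives_userb_change": attempt(cplist1.grant, "USERA", "USERB", "*CHANGE"),
        "usera_gives_userb_all":    attempt(cplist1.grant, "USERA", "USERB", "*ALL"),
        "usera_removes_userc":      attempt(cplist1.revoke, "USERA", "USERC"),
        "usera_removes_userb":      attempt(cplist1.revoke, "USERA", "USERB"),
        "userb_entry_after":        cplist1.entries.get("USERB"),
    }


if __name__ == "__main__":
    for outcome, value in cplist1_scenario().items():
        print(f"{outcome}: {value}")
```

Securing an object with the list or removing it from the list is deliberately not a method of this class: as the text states, *AUTLMGT alone does not confer that right, which depends on the actor's authority to the object rather than to the list.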

Using authorization lists to secure IBM-supplied objects


You can use authorization lists to secure IBM-supplied objects. For example, you might want to restrict the use of a group of commands to a few users. Objects in IBM-supplied libraries, other than the QUSRSYS and QGPL libraries, are replaced whenever you install a new release of the operating system. Therefore, the link between objects in IBM-supplied libraries and authorization lists is lost. Also, if an authorization list secures an object in QSYS and a complete system restore is required, the link between the objects in QSYS and the authorization list is lost. After you install a new release or restore your system, use the EDTOBJAUT or GRTOBJAUT command to re-establish the link between the IBM-supplied object and the authorization list.

Authority for new objects in a library


You can specify the authority for new objects in a library.

Every library has a parameter called CRTAUT (create authority). This parameter determines the default public authority for any new object that is created in that library. When you create an object, the AUT parameter on the create command determines the public authority for the object. If the AUT value on the create command is *LIBCRTAUT, which is the default for most commands, the public authority for the object is set to the CRTAUT value for the library.

For example, assume that library CUSTLIB has a CRTAUT value of *USE. Both of the commands below create a data area called DTA1 with public authority *USE:
• Specifying the AUT parameter:
    CRTDTAARA DTAARA(CUSTLIB/DTA1) +
              TYPE(*CHAR) AUT(*LIBCRTAUT)
• Allowing the AUT parameter to default. *LIBCRTAUT is the default:
    CRTDTAARA DTAARA(CUSTLIB/DTA1) +
              TYPE(*CHAR)

The default CRTAUT value for a library is *SYSVAL. Any new objects created in the library using AUT(*LIBCRTAUT) have public authority set to the value of the QCRTAUT system value. The QCRTAUT system value is shipped as *CHANGE. For example, assume that the ITEMLIB library has a CRTAUT value of *SYSVAL. This command creates the DTA2 data area with public authority of *CHANGE:
    CRTDTAARA DTAARA(ITEMLIB/DTA2) +
              TYPE(*CHAR) AUT(*LIBCRTAUT)

Assigning authority and ownership to new objects on page 145 shows more examples of how the system assigns ownership and authority to new objects.

The CRTAUT value for a library can also be set to an authorization list name. Any new object created in the library with AUT(*LIBCRTAUT) is secured by the authorization list. The public authority for the object is set to *AUTL.

The CRTAUT value of the library is not used during a move (MOVOBJ), create duplicate (CRTDUPOBJ), or restore of an object into the library. The public authority of the existing object is used. If the REPLACE(*YES) parameter is used on the create command, then the authority of the existing object is used instead of the CRTAUT value of the library.

Create Authority (CRTAUT) risks


You need to consider the risks when you change the Create Authority (CRTAUT) for an application library. If your applications use default authority for new objects created during application processing, you should control who has authority to change the library descriptions. Changing the CRTAUT authority for an application library might allow unauthorized access to new objects created in the library.

Authority for new objects in a directory


You can specify the authority for new objects in a directory.

When you create a new directory using the CRTDIR (Make Directory), MD (Make Directory) or MKDIR (Make Directory) commands, you specify the data authority and object authority that the public receives for the new directory. If you use the default *INDIR option, the authority for the created directory is determined from its parent directory. Otherwise, you can specify the specific required authority.

When you create a new directory using the mkdir()--Make Directory API, the owner, primary group, and public object authorities for the created directory are determined from the directory in which it is being created, while the owner, primary group, and public data authorities are determined by the mode that is specified on the API call.

The following two examples show different results when you create a new directory with various options. The first example creates a new directory in the "root" (/) file system using the CRTDIR command and specifies *PUBLIC authority.


Starting conditions: Authorities on parent directory:

                              Display Authority

Object . . . . . . . . . . . . :   /sanders/mytest
Owner  . . . . . . . . . . . . :   SANDERS
Primary group  . . . . . . . . :   SANDERSGP3
Authorization list . . . . . . :   *NONE

                   Data         -----Object Authorities-----
User               Authority    Exist   Mgt   Alter   Ref
*PUBLIC            *RWX           X      X      X      X
SANDERS            *RW
SANDERSGP3         *RX
QPGMR              *RWX
QTCM               *RWX

User SANDERS issues the following command:
    CRTDIR DIR('/sanders/mytest/deletemepub') DTAAUT(*R) OBJAUT(*NONE)

Results: Authorities on created directory:

                              Display Authority

Object . . . . . . . . . . . . :   /sanders/mytest/deletemepub
Owner  . . . . . . . . . . . . :   SANDERS
Primary group  . . . . . . . . :   SANDERSGP3
Authorization list . . . . . . :   *NONE

                   Data         -----Object Authorities-----
User               Authority    Exist   Mgt   Alter   Ref
*PUBLIC            *R
SANDERS            *RWX
SANDERSGP3         *RX

Notes:
1. The *PUBLIC data and object authorities are set based on the DTAAUT and OBJAUT parameters.
2. The owner's (SANDERS) data authorities are set to *RWX but the object authorities are inherited from the parent directory's owner. This means that the owner of this directory has no object authorities to the new directory because the owner of the parent directory has no object authorities to the parent directory.
3. The new directory has a primary group profile of SANDERSGP3 because the parent directory has SANDERSGP3 as its primary group profile.

The second example shows how all authorities are inherited from the parent directory when you create a new directory in the "root" (/) file system using the CRTDIR command.


Starting conditions: Authorities on parent directory:

                              Display Authority

Object . . . . . . . . . . . . :   /sanders/mytest
Owner  . . . . . . . . . . . . :   SANDERS
Primary group  . . . . . . . . :   SANDERSGP3
Authorization list . . . . . . :   *NONE

                   Data         -----Object Authorities-----
User               Authority    Exist   Mgt   Alter   Ref
*PUBLIC            *RWX           X      X      X      X
SANDERS            *RW
SANDERSGP3         *RX
QPGMR              *RWX
QTCM               *RWX

User SANDERSUSR issues the following command:
    CRTDIR DIR('/sanders/mytest/deletemepub')

Results: Authorities on created directory:

                              Display Authority

Object . . . . . . . . . . . . :   /sanders/mytest/deletemepub
Owner  . . . . . . . . . . . . :   SANDERSUSR
Primary group  . . . . . . . . :   SANDERSGP3
Authorization list . . . . . . :   *NONE

                   Data         -----Object Authorities-----
User               Authority    Exist   Mgt   Alter   Ref
*PUBLIC            *RWX           X      X      X      X
SANDERSUSR         *RWX
SANDERSGP3         *RX
QPGMR              *RWX
QTCM               *RWX
SANDERS            *RW

Notes:
1. The *PUBLIC data and object authorities are inherited from the parent directory; therefore, the data authority is set to *RWX with all object authorities.
2. The owner's (SANDERSUSR) data authorities are set to *RWX but the object authorities are inherited from the parent directory's owner. This means that the owner of this directory has no object authorities to the new directory because the owner of the parent directory has no object authorities to the parent directory.
3. The new directory has a primary group profile of SANDERSGP3 because the parent directory has SANDERSGP3 as its primary group profile.
4. All users who are privately authorized to the parent directory (QPGMR, QTCM), and the owner of the parent directory (SANDERS), are granted the same private authority to the new directory.

Object ownership
This topic describes object ownership and its functions in the system.

Each object is assigned to an owner when it is created. The owner is either the user who creates the object or the group profile if the member user profile has specified that the group profile should be the owner of the object. When the object is created, the owner is given all the object and data authorities to the object. Assigning authority and ownership to new objects on page 145 shows examples of how the system assigns ownership to new objects.

The owner of an object always has all the authorities for the object unless any or all authorities are removed specifically. As an object owner, you might choose to remove some specific authority as a precautionary measure provided you do not have *ALLOBJ special authority. For example, if a file exists that contains critical information, you might remove your object existence authority to prevent yourself from accidentally deleting the file. However, as object owner, you can grant any object authority to yourself at any time.

The owner of a newly created integrated file system object has the same object authorities for that integrated file system object as the owner of the parent directory has to the parent directory. Check the Planning and setting up system security topic to see whether the rules for object authorities apply to all file systems or only to certain ones.

Ownership of an object can be transferred from one user to another. Ownership can be transferred to an individual user profile or a group profile. A group profile can own objects, whether or not the group has members.

The following paragraphs apply to both library- and directory-based objects.

When changing an object's owner, you have the option to keep or revoke the former owner's authority. You cannot delete a profile that owns objects. Ownership of objects must be transferred to a new owner or the objects must be deleted before the profile can be deleted. The Delete User Profile (DLTUSRPRF) command allows you to handle owned objects when you delete the profile.

Object ownership is used as a management tool by the system. The owner profile for an object contains a list of all users who have private authority to the object. This information is used to build displays for editing or viewing object authority. Profiles that own many objects with many private authorities can become very large. The size of a profile that owns many objects affects performance when displaying and working with the authority to objects it owns and when saving or restoring profiles. System operations can also be impacted. To prevent impacts on either performance or system operations, do not assign objects to only one owner profile for your entire System i5 environment. Each application and the application objects should be owned by a separate profile. Also, IBM-supplied user profiles should not own user data or objects.

The owner of an object also needs sufficient storage for the object. See Maximum storage on page 94 for more information.

Group ownership of objects


This topic provides detailed information about the group ownership of objects.

When an object is created, the system looks at the profile of the user creating the object to determine object ownership. If the user is a member of a group profile, the OWNER field in the user profile specifies whether the user or the group should own the new object.

If the group owns the object (OWNER is *GRPPRF), the user creating the object is not automatically given any specific authority to the object. The user gets authority to the object through the group. If the user owns the object (OWNER is *USRPRF), the group's authority to the object is determined by the GRPAUT field in the user profile.

Objects created in directories do not use the OWNER and GRPAUT values to determine ownership or group authority. The object will always be owned by the creator of the object.

The group authority type (GRPAUTTYP) field in the user profile determines whether the group 1) becomes the primary group for the object or 2) is given private authority to the object. Assigning authority and ownership to new objects on page 145 shows several examples.

If the user who owns the object changes to a different user group, the original group profile still retains authority to any objects created.

Even if the Owner field in a user profile is *GRPPRF, the user must still have sufficient storage to hold a new object while it is being created. After it is created, ownership is transferred to the group profile. The MAXSTG parameter in the user profile determines how much auxiliary storage a user is allowed.

Evaluate the objects a user might create, such as query programs, when choosing between group and individual user ownership:
• If the user moves to a different department and a different user group, should the user still own the objects?
• Is it important to know who creates objects? The object authority displays show the object owner, not the user who created the object.

Note: The Display Object Description display shows the object creator. If the audit journal function is active, a Create Object (CO) entry is written to the QAUDJRN audit journal at the time an object is created. This entry identifies the creating user profile. The entry is written only if the QAUDLVL system value includes *CREATE and the QAUDCTL system value includes *AUDLVL.

Related concepts
Group profiles on page 4
A group profile is a special type of user profile. Rather than giving authority to each user individually, you can use a group profile to define authority for a group of users.

Primary group for an object


You can specify a primary group for an object.

The name of the primary group profile and the primary group's authority to the object are stored with the object. Using primary group authority might provide better performance than using private group authority when checking authority to an object.

A profile must be a group profile (have a gid) to be assigned as the primary group for an object. The same profile cannot be the owner of the object and its primary group.

When a user creates a new object, parameters in the user profile control whether the user's group is given authority to the object and the type of authority given. The Group authority type (GRPAUTTYP) parameter in a user profile can be used to make the user's group the primary group for the object. Assigning authority and ownership to new objects on page 145 shows examples of how authority is assigned when new objects are created.

For a directory-based object in some file systems, the object inherits the primary group of its parent directory. For example, if the parent directory has a primary group of FRED, then FRED will have problems trying to create anything in that parent directory. That is because the same profile cannot be both the owner and the primary group profile for the same object.

You can change the primary group for a library- or directory-based object using any of the following commands:
• Change Object Primary Group (CHGOBJPGP) command
• Change Primary Group (CHGPGP) command
• Option 9 on the Work with Objects by Primary Group (WRKOBJPGP) command

You can change the authority of the primary group using the Edit Object Authority (EDTOBJAUT) command or the grant and revoke authority commands. You can change the primary group's authority for a library- or directory-based object using the Change Authority (CHGAUT) command or the Work with Authority (WRKAUT) command.

Related concepts
Group profiles on page 4
A group profile is a special type of user profile. Rather than giving authority to each user individually, you can use a group profile to define authority for a group of users.

Default Owner (QDFTOWN) user profile


The Default Owner (QDFTOWN) user profile is an IBM-supplied user profile that is used when an object has no owner or when object ownership might pose a security exposure.

The following situations cause ownership of an object to be assigned to the QDFTOWN profile:
• If an owning profile becomes damaged and is deleted, its objects no longer have an owner. Using the Reclaim Storage (RCLSTG) command assigns ownership of these objects to the default owner (QDFTOWN) user profile.
• If an object is restored and the owner profile does not exist.
• If a program that needs to be created again is restored, but the program creation is not successful. See the topic Validation of programs being restored on page 17 for more information about which conditions cause ownership to be assigned to QDFTOWN.
• If the maximum storage limit is exceeded for the user profile that owns an authority holder that has the same name as a file being moved, renamed, or whose library is being renamed.

The system supplies the QDFTOWN user profile because all objects must have an owner. When the system is shipped, only a user with *ALLOBJ special authority can display and access this user profile and transfer ownership of objects associated with the QDFTOWN user profile. You can grant other users authority to the QDFTOWN profile. QDFTOWN user profile is intended for system use only. You should not design your security such that QDFTOWN normally owns objects.

Assigning authority and ownership to new objects


You can assign authority and ownership to new objects on the system.

The system uses several values to assign authority and ownership when a new object is created on the system:
• Parameters on the CRTxxx command
• The QCRTAUT system value
• The CRTAUT value of the library
• Values in the user profile of the creator

Figure 6 on page 146 through Figure 9 on page 149 show several examples of how these values are used:


QCRTAUT system value:       *CHANGE
CRTAUT library parameter:   *USE

Values in USERA (Creator) Profile:
    GRPPRF:      DPT806
    OWNER:       *USRPRF
    GRPAUT:      *CHANGE
    GRPAUTTYP:   *PRIVATE

Command Used to Create Object:
    CRTDTAARA DTAARA(CUSTLIB/DTA1) TYPE(*CHAR) AUT(*LIBCRTAUT)
  or
    CRTDTAARA DTAARA(CUSTLIB/DTA1) TYPE(*CHAR)

Values for New Object:
    Public authority:          *USE
    Owner authority:           USERA    *ALL
    Primary group authority:   None
    Private authority:         DPT806   *CHANGE

Note: *LIBCRTAUT is the default value for the AUT parameter on most CRTxxx commands.

Figure 6. New object example: Public authority from library, group given private authority

146

IBM i: Security Security reference

QCRTAUT system value:       *CHANGE
CRTAUT library parameter:   *SYSVAL

Values in USERA (Creator) Profile:
  GRPPRF:     DPT806
  OWNER:      *USRPRF
  GRPAUT:     *CHANGE
  GRPAUTTYP:  *PRIVATE

Command Used to Create Object:
  CRTDTAARA DTAARA(CUSTLIB/DTA1) TYPE(*CHAR) AUT(*LIBCRTAUT)

Values for New Object:
  Public authority:          *CHANGE
  Owner authority:           USERA   *ALL
  Primary group authority:   None
  Private authority:         DPT806  *CHANGE

Figure 7. New object example: Public authority from system value, group given private authority


QCRTAUT system value:       *CHANGE
CRTAUT library parameter:   *USE

Values in USERA (Creator) Profile:
  GRPPRF:     DPT806
  OWNER:      *USRPRF
  GRPAUT:     *CHANGE
  GRPAUTTYP:  *PGP

Command Used to Create Object:
  CRTDTAARA DTAARA(CUSTLIB/DTA1) TYPE(*CHAR) AUT(*LIBCRTAUT)

Values for New Object:
  Public authority:          *USE
  Owner authority:           USERA   *ALL
  Primary group authority:   DPT806  *CHANGE
  Private authority:         None

Figure 8. New object example: Public authority from library, group given primary group authority


QCRTAUT system value:       *CHANGE
CRTAUT library parameter:   *USE

Values in USERA (Creator) Profile:
  GRPPRF:     DPT806
  OWNER:      *GRPPRF
  GRPAUT:
  GRPAUTTYP:

Command Used to Create Object:
  CRTDTAARA DTAARA(CUSTLIB/DTA1) TYPE(*CHAR) AUT(*CHANGE)

Values for New Object:
  Public authority:          *CHANGE
  Owner authority:           DPT806  *ALL
  Primary group authority:   None
  Private authority:         None

Figure 9. New object example: Public authority specified, group owns object
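The derivation that Figures 6 through 9 walk through, as an added Python model (not IBM code and not part of the original manual): it resolves public authority from the AUT parameter, the library's CRTAUT value and the QCRTAUT system value, then assigns owner, primary group and private authority from the creator's OWNER, GRPAUT and GRPAUTTYP profile values. The case where CRTAUT names an authorization list (public authority becomes *AUTL and the object is secured by the list) is included as well, because the Creating objects topic later in this chapter shows it; the `Profile` and `NewObjectAuthority` classes are constructed for the example.

```python
"""Model of how IBM i assigns authority to a newly created object.

Added example (not IBM code). It encodes the rules illustrated by
Figures 6 through 9, using the manual's parameter names
(QCRTAUT, CRTAUT, AUT, OWNER, GRPPRF, GRPAUT, GRPAUTTYP).
Authorization lists named directly on AUT are handled the same way
as lists named on CRTAUT.
"""
from dataclasses import dataclass, field
from typing import Optional

SYSTEM_DEFINED = {"*ALL", "*CHANGE", "*USE", "*EXCLUDE"}


@dataclass
class Profile:
    """The creator's user-profile values that influence new objects."""
    name: str
    grpprf: Optional[str] = None     # group profile, None means *NONE
    owner: str = "*USRPRF"           # *USRPRF or *GRPPRF
    grpaut: str = "*NONE"            # authority the group receives
    grpauttyp: str = "*PRIVATE"      # *PRIVATE or *PGP


@dataclass
class NewObjectAuthority:
    public: str                           # system-defined value or *AUTL
    autl: Optional[str] = None            # authorization list securing the object
    owner: tuple = ()                     # (profile, authority)
    primary_group: Optional[tuple] = None # (profile, authority)
    private: dict = field(default_factory=dict)  # profile -> authority


def resolve_public(aut: str, crtaut: str, qcrtaut: str) -> str:
    """Follow AUT -> library CRTAUT -> QCRTAUT until a concrete value is found."""
    value = crtaut if aut == "*LIBCRTAUT" else aut
    if value == "*SYSVAL":
        value = qcrtaut
    if value == "*SYSVAL":
        raise ValueError("the QCRTAUT system value cannot itself be *SYSVAL")
    return value


def authority_for_new_object(creator: Profile, aut: str, crtaut: str,
                             qcrtaut: str = "*CHANGE") -> NewObjectAuthority:
    """Return the authority a new object gets from these inputs."""
    public = resolve_public(aut, crtaut, qcrtaut)
    result = NewObjectAuthority(public=public)
    # A value that is not a system-defined set names an authorization list:
    # the object is secured by that list and its public authority is *AUTL.
    if public not in SYSTEM_DEFINED:
        result.autl, result.public = public, "*AUTL"

    if creator.owner == "*GRPPRF":
        if creator.grpprf is None:
            raise ValueError("OWNER(*GRPPRF) requires a group profile")
        # The group owns the object; GRPAUT and GRPAUTTYP are not used (Figure 9).
        result.owner = (creator.grpprf, "*ALL")
        return result

    # OWNER(*USRPRF): the creator owns the object with *ALL authority.
    result.owner = (creator.name, "*ALL")
    if creator.grpprf is not None and creator.grpaut != "*NONE":
        if creator.grpauttyp == "*PGP":
            # Group becomes the primary group with GRPAUT authority (Figure 8).
            result.primary_group = (creator.grpprf, creator.grpaut)
        else:
            # Group receives GRPAUT as a private authority (Figures 6 and 7).
            result.private[creator.grpprf] = creator.grpaut
    return result
```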

Objects that adopt the owner's authority


You can assign adopted authority to a user program to allow the user to change a customer file. Sometimes a user needs different authorities to an object or an application, depending on the situation. For example, a user might be allowed to change the information in a customer file when using application programs providing that function. However, the same user should be allowed to view, but not change, customer information when using a decision support tool, such as SQL. A solution to this situation is to 1) give the user *USE authority to customer information to allow querying the files and 2) use adopted authority in the customer maintenance programs to allow the user to change the files. When an object uses the owner's authority, this is called adopted authority. Objects of type *PGM, *SRVPGM, *SQLPKG and Java programs can adopt authority. When you create a program, you specify a user profile (USRPRF) parameter on the CRTxxxPGM command. This parameter determines whether the program uses the authority of the owner of the program in addition to the authority of the user running the program. Consult the Limit the use of adopted authority topic concerning security considerations and adopted authority when using SQL packages.

The following description applies to adopted authority:
• Adopted authority is added to any other authority found for the user.
• Adopted authority is checked only if the authority that the user, the user's group, or the public has to an object is not adequate for the requested operation.
• The special authorities (such as *ALLOBJ) in the owner's profile are used.
• If the owner profile is a member of a group profile, the group's authority is not used for adopted authority.
• Public authority is not used for adopted authority. For example, USER1 runs the program LSTCUST, which requires *USE authority to the CUSTMST file:
  – Public authority to the CUSTMST file is *USE.
  – USER1's authority is *EXCLUDE.
  – USER2 owns the LSTCUST program, which adopts owner authority.
  – USER2 does not own the CUSTMST file and has no private authority to it.
  Although public authority is sufficient to give USER2 access to the CUSTMST file, USER1 does not get access. Owner authority, primary group authority, and private authority are used for adopted authority.
• Only the authority is adopted. No other user profile attributes are adopted. For example, the limited capabilities attributes are not adopted.
• Adopted authority is active as long as the program using adopted authority remains in the call stack. For example, assume that PGMA uses adopted authority:
  – If PGMA starts PGMB using the CALL command, these are the call stacks before and after the CALL command:
Table 121. Adopted authority and the CALL command

Call stack before CALL command      Call stack after CALL command
QCMD                                QCMD
  .                                   .
  .                                   .
  .                                   .
PGMA                                PGMA
                                    PGMB

  Because PGMA remains in the call stack after PGMB is called, PGMB uses the adopted authority of PGMA. (The use adopted authority (USEADPAUT) parameter can override this. See Programs that ignore adopted authority on page 152 for more information about the USEADPAUT parameter.)
  – If PGMA starts PGMB using the Transfer Control (TFRCTL) command, the call stacks look like this:
Table 122. Adopted authority and the TFRCTL command

Call stack before TFRCTL command    Call stack after TFRCTL command
QCMD                                QCMD
  .                                   .
  .                                   .
  .                                   .
PGMA                                PGMB

  PGMB does not use the adopted authority of PGMA, because PGMA is no longer in the call stack.
• If the program running under adopted authority is interrupted, the use of adopted authority is suspended. The following functions do not use adopted authority:
  – System request
  – Attention key (If a Transfer to Group Job (TFRGRPJOB) command is running, adopted authority is not passed to the group job.)
  – Break-message-handling program
  – Debug functions
  Note: Adopted authority is immediately interrupted by the attention key or a group job request. The user must have authority to run the attention-key-handling program or the group job initial program, or the attempt fails. For example, USERA runs the program PGM1, which adopts the authority of USERB. PGM1 uses the SETATNPGM command and specifies PGM2. USERB has *USE authority to PGM2. USERA has *EXCLUDE authority to PGM2. The SETATNPGM function is successful because it is run using adopted authority. USERA receives an authority error when attempting to use the attention key because USERB's authority is no longer active.
• If a program that uses adopted authority submits a job, that submitted job does not have the adopted authority of the submitting program.
• When a trigger program or exit point program is called, adopted authority from previous programs in the call stack will not be used as a source of authority for the trigger program or exit point program.
• Adopted authority is not used by the integrated file systems, including the "root" (/), QOpenSys, QDLS, and user-defined file systems.
• The program adopt function is not used when you use the Change Job (CHGJOB) command to change the output queue for a job. The user profile making the change must have authority to the new output queue.
• Any objects created, including spooled files that might contain confidential data, are owned by the user of the program or by the user's group profile, not by the owner of the program.
• Adopted authority can be specified either on the command that creates the program (CRTxxxPGM) or on the Change Program (CHGPGM) or Change Service Program (CHGSRVPGM) command.
• If a program is created using REPLACE(*YES) on the CRTxxxPGM command, the new copy of the program has the same USRPRF, USEADPAUT, and AUT values as the replaced program. The USRPRF and AUT parameters specified on the CRTxxxPGM command are ignored.
• Only the owner of the program can specify REPLACE(*YES) on the CRTxxxPGM command when USRPRF(*OWNER) is specified on the original program.
• Only a user who owns the program or has *ALLOBJ and *SECADM special authorities can change the value of the USRPRF parameter.
• You must be signed on as a user with *ALLOBJ and *SECADM special authorities to transfer ownership of an object that adopts authority.
• If someone other than the program's owner or a user with *ALLOBJ and *SECADM special authorities restores a program that adopts authority, all private and public authorities to the program are revoked to prevent a possible security exposure.
The Display Program (DSPPGM) and Display Service Program (DSPSRVPGM) commands show whether a program adopts authority (User profile prompt) and whether it uses adopted authority from previous programs in the call stack (Use adopted authority prompt). The Display Program Adopt (DSPPGMADP) command shows all the objects that adopt the authority of a specific user profile. The Print Adopting Objects (PRTADPOBJ) command provides a report with more information about objects that adopt authority. This command also provides an option to print a report for objects that have been changed since the last time the command was run. Flowchart 8: How adopted authority is checked on page 182 provides more information about adopted authority. The topic Using adopted authority in menu design on page 230 shows an example of how to use adopted authority in an application.

Adopted authority and bound programs:

An ILE program (*PGM) is an object that contains one or more modules. It is created by an ILE compiler. An ILE program can be bound to one or more service programs (*SRVPGM). To activate an ILE program successfully, the user must have *EXECUTE authority to the ILE program and to all service programs to which it is bound. If an ILE program uses adopted authority from a program higher in the program call stack, that adopted authority is used to check authority to all service programs to which the ILE program is bound. If the ILE program adopts authority, the adopted authority will not be checked when the system checks the user's authority to the service programs at program activation time.

Adopted authority risks and recommendations


You should use adopted authorities with care to prevent possible security risks. Allowing a program to run using adopted authority is an intentional release of control. You permit the user to have authority to objects, and possibly special authority, which the user will not normally have. Adopted authority provides an important tool for meeting diverse authority requirements, but it should be used with care:
• Adopt the minimum authority required to meet the application requirements. Adopting the authority of an application owner is preferable to adopting the authority of QSECOFR or a user with *ALLOBJ special authority.
• Carefully monitor the function provided by programs that adopt authority. Make sure that these programs do not provide a means for the user to access objects outside the control of the program, such as command entry capability.
• Make sure that programs that adopt authority and call other programs perform library qualified calls. Do not use the library list (*LIBL) on the call.
• Control which users are permitted to call programs that adopt authority. Use menu interfaces and library security to prevent these programs from being called without sufficient control.

Programs that ignore adopted authority


You can specify the use adopted authority (USEADPAUT) parameter to control whether a program uses the adopted authority. You might not want some programs to use the adopted authority of previous programs in the call stack. For example, if you use an initial menu program that adopts owner authority, you might not want some of the programs called from the menu program to use that authority. The use adopted authority (USEADPAUT) parameter of a program determines whether the system uses the adopted authority of previous programs in the stack when checking authority for objects. When you create a program, the default is to use adopted authority from previous programs in the stack. If you do not want the program to use adopted authority, you can change the program with the Change Program (CHGPGM) command or Change Service Program (CHGSRVPGM) command to set the USEADPAUT parameter to *NO. If a program is created using REPLACE(*YES) on the CRTxxxPGM command, the new copy of the program has the same USRPRF, USEADPAUT, and AUT values as the replaced program. The topic Ignoring adopted authority on page 232 shows an example of how to use this parameter in menu design. See Use Adopted Authority (QUSEADPAUT) on page 35 for information about the QUSEADPAUT system value.
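The rules from the adopted authority description above (the owner's authority is consulted only when the user's own, group and public authority are insufficient; the owner's group and public authority are never used; CALL keeps the adopting program on the stack while TFRCTL replaces it) together with the USEADPAUT cut-off described in this topic, as an added Python model that is not IBM code and not part of the original manual. The `User`, `Obj` and `Program` classes and profile names such as PGMOWN are constructed for the example; authorization lists and multiple group profiles are left out of the model.

```python
"""Model of IBM i adopted-authority checking along a program call stack.

Added example (not IBM code). Simplifications: one group profile per
user, no authorization lists, and the generic authority sets reduced
to the object and data authorities they contain.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

SETS = {
    "*ALL": {"*OBJOPR", "*OBJMGT", "*OBJEXIST", "*OBJALTER", "*OBJREF",
             "*READ", "*ADD", "*UPD", "*DLT", "*EXECUTE"},
    "*CHANGE": {"*OBJOPR", "*READ", "*ADD", "*UPD", "*DLT", "*EXECUTE"},
    "*USE": {"*OBJOPR", "*READ", "*EXECUTE"},
    "*EXCLUDE": set(),
}


def expand(aut: str) -> Set[str]:
    """Individual authorities in a system-defined set (or a single authority)."""
    return set(SETS.get(aut, {aut}))


@dataclass
class User:
    name: str
    group: Optional[str] = None
    special: Set[str] = field(default_factory=set)   # e.g. {"*ALLOBJ"}


@dataclass
class Obj:
    owner: str
    public: str = "*EXCLUDE"
    private: Dict[str, str] = field(default_factory=dict)  # profile -> authority

    def granted_to(self, profile: str, *, use_group: bool, use_public: bool,
                   users: Dict[str, User]) -> Set[str]:
        """Authority a profile has to this object by the ordinary lookup."""
        if profile == self.owner:
            return expand("*ALL")
        if profile in self.private:
            return expand(self.private[profile])   # a private *EXCLUDE stops here
        grp = users[profile].group if use_group else None
        if grp is not None and grp in self.private:
            return expand(self.private[grp])
        return expand(self.public) if use_public else set()


@dataclass
class Program:
    name: str
    owner: str
    usrprf: str = "*USER"      # *OWNER: the program adopts its owner's authority
    useadpaut: str = "*YES"    # *NO: ignore adopted authority of earlier programs


def adopted_profiles(stack: List[Program]) -> List[str]:
    """Owners whose authority the program on top of the stack may adopt."""
    top = stack[-1]
    adopted = [top.owner] if top.usrprf == "*OWNER" else []
    if top.useadpaut == "*YES":
        for pgm in reversed(stack[:-1]):        # walk back toward QCMD
            if pgm.usrprf == "*OWNER":
                adopted.append(pgm.owner)
            if pgm.useadpaut == "*NO":
                break   # programs before a USEADPAUT(*NO) program are cut off
    return adopted


def is_authorized(user: str, users: Dict[str, User], obj: Obj,
                  required: str, stack: List[Program]) -> bool:
    """Does `user`, running the programs in `stack`, have `required` to `obj`?"""
    need = expand(required)
    if "*ALLOBJ" in users[user].special:
        return True
    have = obj.granted_to(user, use_group=True, use_public=True, users=users)
    if need <= have:
        return True
    # Adopted authority is checked only when the user's own authority is not
    # adequate, and it is added to what the user already has. The owner's
    # group authority and public authority are NOT used.
    for owner in adopted_profiles(stack):
        if "*ALLOBJ" in users[owner].special:
            return True
        have |= obj.granted_to(owner, use_group=False, use_public=False, users=users)
        if need <= have:
            return True
    return False
```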


Attention: In some situations, you can use the MODINVAU MI instruction to prevent passing adopted authority to called functions. The MODINVAU instruction can be used to prevent passing any adopted authority from C and C++ programs to called functions in another program or service program. This might be useful when you do not know the USEADPAUT setting of the function that is called.

Related concepts
Ignoring adopted authority on page 232
The technique of using adopted authority in menu design requires the user to return to the initial menu before running queries. If you want to provide the convenience of starting query from application menus as well as from the initial menu, you can set up the QRYSTART program to ignore adopted authority.

Authority holders
An authority holder is a tool for keeping the authorities for a program-described database file that does not currently exist on the system. The primary use of an authority holder is for System/36 environment applications, which often delete program-described files and create them again. An authority holder can be created for a file that already exists or for a file that does not exist, using the Create Authority Holder (CRTAUTHLR) command. The following descriptions apply to authority holders:
• Authority holders can only secure files in the system auxiliary storage pool (ASP) or a basic user ASP. They cannot secure files in an independent ASP.
• The authority holder is associated with a specific file and library. It has the same name as the file.
• Authority holders can be used only for program-described database files and logical files.
• After the authority holder is created, you add private authorities for it like a file. Use the commands to grant, revoke, and display object authorities, and specify object type *FILE. On the object authority displays, the authority holder is indistinguishable from the file itself. The displays do not indicate whether the file exists; nor do they show that the file has an authority holder.
• If a file is associated with an authority holder, the authorities defined for the authority holder are used during authority checking. Any private authorities defined for the file are ignored.
• Use the Display Authority Holder (DSPAUTHLR) command to display or print all the authority holders on the system. You can also use it to create an output file (OUTFILE) for processing.
• If you create an authority holder for a file that exists:
  – The user creating the authority holder must have *ALL authority to the file.
  – The owner of the file becomes the owner of the authority holder regardless of the user creating the authority holder.
  – The public authority for the authority holder comes from the file. The public authority (AUT) parameter on the CRTAUTHLR command is ignored.
  – The existing file's authority is copied to the authority holder.
• If you create a file and an authority holder for that file already exists:
  – The user creating the file must have *ALL authority to the authority holder.
  – The owner of the authority holder becomes the owner of the file regardless of the user creating the file.
  – The public authority for the file comes from the authority holder. The public authority (AUT) parameter on the CRTPF or CRTLF command is ignored.
  – The authority holder is linked to the file. The authority specified for the authority holder is used to secure the file.
• If an authority holder is deleted, the authority information is transferred to the file itself.
• If a file is renamed and the new file name matches an existing authority holder, the authority and ownership of the file are changed to match the authority holder. The user renaming the file needs *ALL authority to the authority holder.
• If a file is moved to a different library and an authority holder exists for that file name and the target library, the authority and ownership of the file are changed to match the authority holder. The user moving the file must have *ALL authority to the authority holder.
• Ownership of the authority holder and the file always match. If you change the ownership of the file, ownership of the authority holder also changes.
• When a file is restored, if an authority holder exists for that file name and the library to which it is being restored, it is linked to the authority holder.
• Authority holders cannot be created for files in these libraries: QSYS, QRCL, QRECOVERY, QSPL, QTEMP, and QSPL0002 through QSPL0032.

Authority holders and System/36 Migration


The System/36 Migration Aid creates an authority holder for every file that is migrated. It also creates an authority holder for entries in the System/36 resource security file if no corresponding file exists on the System/36. You need authority holders only for files that are deleted and re-created by your applications. Use the Delete Authority Holder (DLTAUTHLR) command to delete any authority holders that you do not need.

Authority holder risks


You should take security into consideration when using an authority holder. An authority holder provides the capability of defining authority for a file before that file exists. Under certain circumstances, this can allow an unauthorized user to gain access to information. If a user knows that an application creates, moves, or renames a file, the user can create an authority holder for the new file. The user thus gains access to the file. To limit this exposure, the CRTAUTHLR command is shipped with public authority *EXCLUDE. Only users with *ALLOBJ authority can use the command, unless you grant authority to others.

Working with authority


This topic describes commonly-used methods for setting up, maintaining, and displaying authority information about your system. Appendix A, Security commands, on page 309 provides a complete list of the commands available for working with authority. The descriptions that follow do not discuss all the parameters for commands or all the fields on the displays. Consult online information for complete details.

Authority displays
This section describes some characteristics of the displays that show object authorities. Four displays show object authorities:
• Display Object Authority display
• Edit Object Authority display
• Display Authority display
• Work with Authority display
Figure 10 on page 155 shows the basic version of the Display Object Authority display:


                           Display Object Authority

Object . . . . . . :   CUSTNO          Owner . . . . . . . :   PGMR1
  Library. . . . . :   CUSTLIB         Primary group . . . :   DPTAR
Object type . . . :    *DTAARA         ASP device . . . . :    *SYSBAS

Object secured by authorization list . . . . . . . . :   *NONE

                         Object
User        Group        Authority
*PUBLIC                  *EXCLUDE
PGMR1                    *ALL
DPTAR                    *CHANGE
DPTSM                    *USE

F3=Exit   F11=Display detail object authorities   F12=Cancel
F17=Top

Figure 10. Display Object Authority display

The system-defined names of the authorities are shown on this display. F11 acts as a toggle between this and two other versions of the display. One shows detailed object authorities:

                           Display Object Authority

Object . . . . . . :   CUSTNO          Owner . . . . . . . :   PGMR1
  Library. . . . . :   CUSTLIB         Primary group . . . :   DPTAR
Object type. . . . :   *DTAARA         ASP device . . . . :    *SYSBAS

Object secured by authorization list . . . . . . . . :   *NONE

                         Object      ----------Object----------
User        Group        Authority   Opr   Mgt   Exist  Alter  Ref
*PUBLIC                  *EXCLUDE
PGMR1                    *ALL        X     X     X      X      X
DPTAR                    *CHANGE     X
DPTSM                    *USE        X
  .
  .
  .
F3=Exit   F11=Display data authorities   F12=Cancel   F17=Top   F18=Bottom

The other shows data authorities:

                           Display Object Authority

Object . . . . . . :   CUSTNO          Owner . . . . . . . :   PGMR1
  Library. . . . . :   CUSTLIB         Primary group . . . :   DPTAR
Object type. . . . :   *DTAARA         ASP device . . . . :    *SYSBAS

Object secured by authorization list . . . . . . . . . . :   *NONE

                         Object      ---------------Data---------------
User        Group        Authority   Read  Add  Update  Delete  Execute
*PUBLIC                  *EXCLUDE
PGMR1                    *ALL        X     X    X       X       X
DPTAR                    *CHANGE     X     X    X       X       X
DPTSM                    *USE        X                          X

If you have *OBJMGT authority to an object, you see all private authorities for that object. If you do not have *OBJMGT authority, you see only your own sources of authority for the object.

For example, if USERA displays authority for the CUSTNO data area, only public authority is shown. If USERB, who is a member of the DPTAR group profile, displays the authority for the CUSTNO data area, it looks like this:

                           Display Object Authority

Object . . . . . . :   CUSTNO          Owner . . . . . . . :   PGMR1
  Library. . . . . :   CUSTLIB         Primary group . . . :   DPTAR
Object type. . . . :   *DTAARA         ASP device . . . . :    *SYSBAS

Object secured by authorization list . . . . . . . . . . :   *NONE

                         Object
User        Group        Authority
*GROUP      DPTAR        *CHANGE

If USERB runs a program that adopts the authority of PGMR1 and displays the authority for the CUSTNO data area, it looks like this:

                           Display Object Authority

Object . . . . . . :   CUSTNO          Owner . . . . . . . :   PGMR1
  Library. . . . . :   CUSTLIB         Primary group . . . :   DPTAR
Object type. . . . :   *DTAARA         ASP device . . . . :    *SYSBAS

Object secured by authorization list . . . . . . . . . . :   *NONE

                         Object
User        Group        Authority
*ADOPTED                 USER DEF
*PUBLIC                  *EXCLUDE
PGMR1                    *ALL
*GROUP      DPTAR        *CHANGE
DPTSM                    *USE

The *ADOPTED authority indicates only the additional authority received from the program owner. USERB receives from PGMR1 all the authorities that are not included in *CHANGE. The display shows all private authorities because USERB has adopted *OBJMGT. The detailed display looks like this:
                           Display Object Authority

Object . . . . . . :   CUSTNO          Owner . . . . . . . :   PGMR1
  Library. . . . . :   CUSTLIB         Primary group . . . :   DPTAR
Object type. . . . :   *DTAARA         ASP device . . . . :    *SYSBAS

Object secured by authorization list . . . . . . . . . . :   *NONE

                         Object      -----------Object-----------
User        Group        Authority   Opr   Mgt   Exist  Alter  Ref
*ADOPTED                 USER DEF          X     X      X      X
*PUBLIC                  *EXCLUDE
PGMR1                    *ALL        X     X     X      X      X
*GROUP      DPTAR        *CHANGE     X
DPTSM                    *USE        X

F3=Exit   F11=Display data authorities   F12=Cancel   F17=Top   F18=Bottom


If the user option (USROPT) field in USERB's user profile includes *EXPERT, this is how the display looks:
                           Display Object Authority

Object . . . . . . :   CUSTNO          Owner . . . . . . . :   PGMR1
  Library. . . . . :   CUSTLIB         Primary group . . . :   DPTAR
Object type. . . . :   *DTAARA         ASP device . . . . :    *SYSBAS

Object secured by authorization list . . . . . . . . . :   *NONE

                         Object      -----Object------   ------Data-------
User        Group        Authority   O   M   E   A   R   R   A   U   D   E
*ADOPTED                 USER DEF        X   X   X   X
*PUBLIC                  *EXCLUDE
PGMR1                    *ALL        X   X   X   X   X   X   X   X   X   X
*GROUP      DPTAR        *CHANGE     X                   X   X   X   X   X
DPTSM                    *USE        X                   X               X

Authority reports
Several reports are available to help you monitor your security implementation. For example, you can monitor objects with *PUBLIC authority other than *EXCLUDE and objects with private authorities with the following commands:
• Print Public Authority (PRTPUBAUT)
• Print Private Authority (PRTPVTAUT)

Related information
System security tools

Working with libraries


You can specify the authority for libraries and new objects created in the libraries. Two parameters on the Create Library (CRTLIB) command affect authority:

Authority (AUT): The AUT parameter can be used to specify either of the following authorities:
• The public authority for the library
• The authorization list that secures the library.
The AUT parameter applies to the library itself, not to the objects in the library. If you specify an authorization list name, the public authority for the library is set to *AUTL. If you do not specify AUT when you create a library, *LIBCRTAUT is the default. The system uses the CRTAUT value from the QSYS library, which is shipped as *SYSVAL.

Create Authority (CRTAUT): The CRTAUT parameter determines the default authority for any new objects that are created in the library. CRTAUT can be set to one of the system-defined authorities (*ALL, *CHANGE, *USE, or *EXCLUDE), to *SYSVAL (the QCRTAUT system value), or to the name of an authorization list.
Note: You can change the CRTAUT value for a library using the Change Library (CHGLIB) command.

If user PGMR1 enters this command:
CRTLIB TESTLIB AUT(LIBLST) CRTAUT(OBJLST)


the authority for the library looks like this:

                           Display Object Authority

Object . . . . . . :   TESTLIB         Owner . . . . . . . :   PGMR1
  Library. . . . . :   QSYS            Primary group . . . :   *NONE
Object type. . . . :   *LIB            ASP device . . . . :    *SYSBAS

Object secured by authorization list . . . . . . . . . . . :   LIBLST

                         Object
User        Group        Authority
*PUBLIC                  *AUTL
PGMR1                    *ALL

• Because an authorization list was specified for the AUT parameter, public authority is set to *AUTL.
• The user entering the CRTLIB command owns the library, unless the user's profile specifies OWNER(*GRPPRF). The owner is automatically given *ALL authority.
• The CRTAUT value is not shown on the object authority displays. Use the Display Library Description (DSPLIBD) command to see the CRTAUT value for a library.

                         Display Library Description

Library . . . . . . . . . . . . . . . . . :   TESTLIB
  Type . . . . . . . . . . . . . . . . . :   PROD
  ASP number . . . . . . . . . . . . . . :   1
  ASP device . . . . . . . . . . . . . . :   *SYSBAS
  Create authority . . . . . . . . . . . :   OBJLST
  Create object auditing . . . . . . . . :   *SYSVAL
  Text description . . . . . . . . . . . :   Customer Rec

Creating objects
You can specify the authority of a new object. When you create a new object, you can either specify the authority (AUT) or use the default, *LIBCRTAUT. If PGMR1 enters this command:
CRTDTAARA (TESTLIB/DTA1) + TYPE(*CHAR)

the authority for the data area looks like this:

                           Display Object Authority

Object . . . . . . :   DTA1            Owner . . . . . . . :   PGMR1
  Library. . . . . :   TESTLIB         Primary group . . . :   *NONE
Object type. . . . :   *DTAARA         ASP device . . . . . :  *SYSBAS

Object secured by authorization list . . . . . . . . . . :   OBJLST

                         Object
User        Group        Authority
*PUBLIC                  *AUTL
PGMR1                    *ALL


The authorization list (OBJLST) comes from the CRTAUT parameter that was specified when TESTLIB was created. If PGMR1 enters this command:
CRTDTAARA (TESTLIB/DTA2) AUT(*CHANGE) + TYPE(*CHAR)

the authority for the data area looks like this:

                           Display Object Authority

Object . . . . . . :   DTA2            Owner . . . . . . . :   PGMR1
  Library . . . . :    TESTLIB         Primary group . . . :   *NONE
Object type. . . . :   *DTAARA         ASP device . . . . . :  *SYSBAS

Object secured by authorization list . . . . . . . . . :   *NONE

                         Object
User        Group        Authority
*PUBLIC                  *CHANGE
PGMR1                    *ALL

Working with individual object authority


You can change the authority for an object. To change the authority for an object, you must have one of the following authorities:
• *ALLOBJ authority or membership in a group profile that has *ALLOBJ special authority.
  Note: The group's authority is not used if you have private authority to the object.
• Ownership of the object. If a group profile owns the object, any member of the group can act as the object owner, unless the member has been given specific authority that does not meet the requirements for changing the object's authority.
• *OBJMGT authority to the object and any authorities being granted or revoked (except *EXCLUDE). Any user who is allowed to work with the object's authority can grant or revoke *EXCLUDE authority.
The easiest way to change authority for an individual object is with the Edit Object Authority display. This display can be called directly by using the Edit Object Authority (EDTOBJAUT) command or selected as an option from the Work with Objects by Owner, Work with Objects by Private Authority, Work with Objects by Primary Group, or Work with Objects display.

                            Edit Object Authority

Object. . . . . . :    DTA1            Owner . . . . . . . :   PGMR1
  Library . . . . :    TESTLIB         Primary group . . . :   *NONE
Object type.. . . :    *DTAARA         ASP device . . . . . :  *SYSBAS

Type changes to current authorities, press Enter.

Object secured by authorization list . . . . . . . :   OBJLST

                         Object
User        Group        Authority
*PUBLIC                  *AUTL
PGMR1                    *ALL

You can also use these commands to change object authority:
• Change Authority (CHGAUT)
• Work with Authority (WRKAUT)
• Grant Object Authority (GRTOBJAUT)
• Revoke Object Authority (RVKOBJAUT)

To specify the generic authority subsets, such as Read/Write (*RX) or Write/Execute (*WX), you must use the CHGAUT or WRKAUT commands.

Specifying user-defined authority


This topic provides information about specifying user-defined authorities. The Object Authority column on the Edit Object Authority display allows you to specify any of the system-defined sets of authorities (*ALL, *CHANGE, *USE, *EXCLUDE). If you want to specify authority that is not a system-defined set, use F11 (Display detail). Note: If the User options (USROPT) field in your user profile is set to *EXPERT, you always see this detailed version of the display without having to press F11. For example, PGMR1 removes *OBJEXIST authority to the CONTRACTS file, to prevent accidentally deleting the file. Because PGMR1 has a combination of authorities that is not one of the system-defined sets, the system puts USER DEF (user-defined) in the Object Authority column:

                            Edit Object Authority

Object . . . . . . :   CONTRACTS       Owner . . . . . . . :   PGMR1
  Library. . . . . :   TESTLIB         Primary group . . . :   *NONE
Object type. . . . :   *FILE           ASP device . . . . . :  *SYSBAS

Type changes to current authorities, press Enter.

Object secured by authorization list . . . . . . . . . . :   LIST2

                         Object      ----------Object----------
User        Group        Authority   Opr   Mgt   Exist  Alter  Ref
*PUBLIC                  *AUTL
PGMR1                    USER DEF    X     X            X      X

You can press F11 (Display data authorities) to view or change the data authorities:

                            Edit Object Authority

Object . . . . . . :   CONTRACTS       Owner . . . . . . . :   PGMR1
  Library . . . . . :  TESTLIB         Primary group . . . :   *NONE
Object type. . . . :   *FILE           ASP device . . . . . :  *SYSBAS

Type changes to current authorities, press Enter.

Object secured by authorization list . . . . . . . . . :   LIST2

                         Object      ---------------Data---------------
User        Group        Authority   Read  Add  Update  Delete  Execute
*PUBLIC                  *AUTL
PGMR1                    USER DEF    X     X    X       X       X

Giving authority to new users


You can grant authority to new users.


To give authority to additional users, press F6 (Add new users) from the Edit Object Authority display. You see the Add New Users display, which allows you to define authority for multiple users:

                               Add New Users

Object . . . . . . . :   DTA1
  Library . . . . . :    TESTLIB

Type new users, press Enter.

                  Object
User              Authority
USER1             *USE
USER2             *CHANGE
PGMR2             *ALL

Removing a user's authority


You can also remove a user's authority for an object. Removing a user's authority for an object is different from giving the user *EXCLUDE authority. *EXCLUDE authority means the user is specifically not allowed to use the object. Only *ALLOBJ special authority and adopted authority override *EXCLUDE authority.
Note: *EXCLUDE authority for a group profile can be overridden if the user has another group profile with private authority to the object.
Removing a user's authority means the user has no specific authority to the object. The user can gain access through a group profile, an authorization list, public authority, *ALLOBJ special authority, or adopted authority. You can remove a user's authority using the Edit Object Authority display. Type blanks in the Object Authority field for the user and press the Enter key. The user is removed from the display. You can also use the Revoke Object Authority (RVKOBJAUT) command. Either revoke the specific authority the user has or revoke *ALL authority for the user.
Note: The RVKOBJAUT command revokes only the authority you specify. For example, USERB has *ALL authority to FILEB in library LIBB. You revoke *CHANGE authority:
RVKOBJAUT OBJ(LIBB/FILEB) OBJTYPE(*FILE) +
          USER(USERB) AUT(*CHANGE)

After the command, USERB's authority to FILEB looks like this:

                           Display Object Authority

Object . . . . . . :   FILEB          Owner  . . . . . . . :   PGMR1
  Library  . . . . :     LIBB         Primary group  . . . :   *NONE
Object type  . . . :   *FILE          ASP device . . . . . :   *SYSBAS

Object secured by authorization list . . . . . . . . . :   *NONE

                       Object        --------Object--------
User        Group      Authority     Opr   Mgt   Exist  Alter  Ref
USERB                  USER DEF             X     X      X      X


                           Display Object Authority

Object . . . . . . :   FILEB          Owner  . . . . . . . :   PGMR1
  Library  . . . . :     LIBB         Primary group  . . . :   *NONE
Object type  . . . :   *FILE          ASP device . . . . . :   *SYSBAS

Object secured by authorization list . . . . . . . . . :   *NONE

                       Object        ---------------Data---------------
User        Group      Authority     Read   Add   Update  Delete  Execute
USERB                  USER DEF

Working with authority for multiple objects


Learn how to make authority changes to more than one object at a time.

The Edit Object Authority display allows you to interactively work with the authority for one object at a time. The Grant Object Authority (GRTOBJAUT) command allows you to make authority changes to more than one object at a time. You can use the GRTOBJAUT command interactively or in batch. You can also call it from a program.

Following are examples of using the GRTOBJAUT command, showing the prompt display. When the command runs, you receive a message for each object indicating whether the change was made. Authority changes require an exclusive lock on the object and cannot be made when an object is in use. Print your job log for a record of changes attempted and made.

v To give all the objects in the TESTLIB library a public authority of *USE:

                     Grant Object Authority (GRTOBJAUT)

Type choices, press Enter.

Object . . . . . . . . . . . . .   *ALL
  Library  . . . . . . . . . . .     TESTLIB
Object type  . . . . . . . . . .   *ALL
ASP device . . . . . . . . . . .   *
Users  . . . . . . . . . . . . .   *PUBLIC
               + for more values
Authority  . . . . . . . . . . .   *USE

This example for the GRTOBJAUT command gives the authority you specify, but it does not remove any authority that is greater than you specified. If some objects in the TESTLIB library have public authority *CHANGE, the command just shown will not reduce their public authority to *USE. To make sure that all objects in TESTLIB have a public authority of *USE, use the GRTOBJAUT command with the REPLACE parameter.
GRTOBJAUT OBJ(TESTLIB/*ALL) OBJTYPE(*ALL) +
          USER(*PUBLIC) AUT(*USE) REPLACE(*YES)

The REPLACE parameter indicates whether the authorities you specify replace the existing authority for the user. The default value of REPLACE(*NO) gives the authority that you specify, but it does not remove any authority that is greater than the authority you specify, unless you are granting *EXCLUDE authority. These commands set public authority only for objects that currently exist in the library. To set the public authority for any new objects that are created later, use the CRTAUT parameter on the library description.


v To give *ALL authority to the work files in the TESTLIB library to users AMES and SMITHR. In this example, work files all start with the characters WRK:

                     Grant Object Authority (GRTOBJAUT)

Type choices, press Enter.

Object . . . . . . . . . . . . .   WRK*
  Library  . . . . . . . . . . .     TESTLIB
Object type  . . . . . . . . . .   *FILE
ASP device . . . . . . . . . . .   *
Users  . . . . . . . . . . . . .   AMES
               + for more values   SMITHR
Authority  . . . . . . . . . . .   *ALL

This command uses a generic name to specify the files. You specify a generic name by typing a character string followed by an asterisk (*). Online information tells which parameters of a command allow a generic name.

v To secure all the files starting with the characters AR* using an authorization list called ARLST1 and have the files get their public authority from the list, use the following two commands:

1. Secure the files with the authorization list using the GRTOBJAUT command:

                          Grant Object Authority

Type choices, press Enter.

Object . . . . . . . . . . . . .   AR*
  Library  . . . . . . . . . . .     TESTLIB
Object type  . . . . . . . . . .   *FILE
ASP device . . . . . . . . . . .   *
  . . .
Authorization list . . . . . . .   ARLST1

2. Set public authority for the files to *AUTL, using the GRTOBJAUT command:

                          Grant Object Authority

Type choices, press Enter.

Object . . . . . . . . . . . . .   AR*
  Library  . . . . . . . . . . .     TESTLIB
Object type  . . . . . . . . . .   *FILE
ASP device . . . . . . . . . . .   *
Users  . . . . . . . . . . . . .   *PUBLIC
               + for more values
Authority  . . . . . . . . . . .   *AUTL

Working with object ownership


You can change the ownership of an object in several ways. To change ownership of an object, use one of the following commands:
v The Change Object Owner (CHGOBJOWN) command
v The Work with Objects by Owner (WRKOBJOWN) command
v The Change Owner (CHGOWN) command

The Work with Objects by Owner display shows all the objects owned by a profile. You can assign individual objects to a new owner. You can also change ownership for more than one object at a time by using the NEWOWN (new owner) parameter at the bottom of the display:

                        Work with Objects by Owner

User profile . . . . . . . :   OLDOWNER

Type options, press Enter.
  2=Edit authority   4=Delete   5=Display authority
  8=Display description   9=Change owner

Opt  Object      Library     Type     Attribute   ASP Device
 9   COPGMMSG    COPGMLIB    *MSGQ                *SYSBAS
 9   CUSTMAS     CUSTLIB     *FILE                *SYSBAS
     CUSTMSGQ    CUSTLIB     *MSGQ                *SYSBAS
     ITEMMSGQ    ITEMLIB     *MSGQ                *SYSBAS

Parameters or command
===> NEWOWN(OWNIC)
F3=Exit   F4=Prompt   F5=Refresh   F9=Retrieve   F18=Bottom

When you change ownership using either method, you can choose to remove the previous owner's authority to the object. The default for the CUROWNAUT (current owner authority) parameter is *REVOKE. To transfer ownership of an object, you must have:
v Object existence authority for the object
v *ALL authority or ownership, if the object is an authorization list
v Add authority for the new owner's user profile
v Delete authority for the present owner's user profile

You cannot delete a user profile that owns objects. The topic Deleting user profiles on page 122 shows methods for handling owned objects when deleting a profile. The Work with Objects by Owner display includes integrated file system objects. For these objects, the Object column on the display shows the first 18 characters of the path name. If the path name is longer than 18 characters, a greater than symbol (>) appears at the end of the path name. To see the absolute path name, place your cursor anywhere on the path name and press the F22 key.

Working with primary group authority


You can change the primary group or primary group's authority to an object. To change the primary group or primary group's authority to an object, use one of the following commands:
v Change Object Primary Group (CHGOBJPGP)
v Work with Objects by Primary Group (WRKOBJPGP)
v Change Primary Group (CHGPGP)

When you change an object's primary group, you specify what authority the new primary group has. You can also revoke the old primary group's authority. If you do not revoke the old primary group's authority, it becomes a private authority. The new primary group cannot be the owner of the object.


To change an object's primary group, you must have all of the following authorities:
v *OBJEXIST authority for the object.
v If the object is a file, library, or subsystem description, *OBJOPR and *OBJEXIST authority.
v If the object is an authorization list, *ALLOBJ special authority or the owner of the authorization list.
v If revoking authority for the old primary group, *OBJMGT authority.
v If a value other than *PRIVATE is specified, *OBJMGT authority and all the authorities being given.

Using a referenced object


Both the Edit Object Authority display and the GRTOBJAUT command allow you to give authority to an object (or group of objects) based on the authority of a referenced object. This is a useful tool in some situations, but you should also evaluate the use of an authorization list to meet your requirements. See Advantages of using an authorization list on page 166 for information about the advantages of using authorization lists.

Copying authority from a user


You can copy all the private authorities from one user profile to another using the Grant User Authority (GRTUSRAUT) command. This method can be useful in certain situations. For example, the system does not allow you to rename a user profile. To create an identical profile with a different name involves several steps, including copying the original profile's authorities. Renaming a user profile on page 126 shows an example of how to do this.

The GRTUSRAUT command copies private authorities only. It does not copy special authorities; nor does it transfer object ownership.

The GRTUSRAUT command should not be used in place of creating group profiles. GRTUSRAUT creates a duplicate set of private authorities, which increases the time it takes to save the system and makes authority management more difficult. GRTUSRAUT copies authorities as they exist at a particular moment. If authority is required to new objects in the future, each profile must be granted authority individually. The group profile provides this function automatically.

To use the GRTUSRAUT command, you must have all the authorities being copied. If you do not have an authority, that authority is not granted to the target profile. The system issues a message for each authority that is granted or not granted to the target user profile. Print the job log for a complete record. To avoid having a partial set of authorities copied, the GRTUSRAUT command should be run by a user with *ALLOBJ special authority.

Related tasks
Copying private authorities on page 121
You can copy the private authorities from one user profile to another using the Grant User Authority (GRTUSRAUT) command.

Working with authorization lists


This section introduces the steps for creating an authorization list. Setting up an authorization list requires three steps:
1. Creating the authorization list.
2. Adding users to the authorization list.
3. Securing objects with the authorization list.
Steps 2 and 3 can be done in any order.

Advantages of using an authorization list


You can use authorization lists to protect objects on your system. An authorization list has these advantages:
v Authorization lists simplify managing authorities. User authority is defined for the authorization list, not for the individual objects on the list. If a new object is secured by the authorization list, the users on the list gain authority to the object.
v One operation can be used to give a user authority to all the objects on the list.
v Authorization lists reduce the number of private authorities on the system. Each user has a private authority to one object, the authorization list. This gives the user authority to all the objects on the list. Reducing the number of private authorities in the system has the following advantages:
  - Reduces the size of user profiles.
  - Improves the performance when saving the system (SAVSYS) or saving the security data (SAVSECDTA).
v Authorization lists provide a good way to secure files. If you use private authorities, each user will have a private authority for each file member. If you use an authorization list, each user will have only one authority. Also, files that are open cannot have authority granted to the file or revoked from the file. If you secure the file with an authorization list, you can change the authorities, even when the file is open.
v Authorization lists provide a way to remember authorities when an object is saved. When an object is saved that is secured by an authorization list, the name of the authorization list is saved with the object. If the object is deleted and restored to the same system, it is automatically linked to the authorization list again. If the object is restored on a different system, the authorization list is not linked, unless ALWOBJDIF(*ALL), ALWOBJDIF(*AUTL), or ALWOBJDIF(*COMPATIBLE) is specified on the restore command.
v From a security management view, an authorization list is the preferred method to manage objects that have the same security requirements. Even when there are only a few objects that are secured by the list, there is still an advantage of using an authorization list over using private authorities on the object. Because the authorities are in one place (the authorization list), it is easier to change who is authorized to the objects. It is also easier to secure any new objects with the same authorities as the existing objects.


Creating an authorization list


Use the Create Authorization List (CRTAUTL) command to create an authorization list. You do not need any authority to the QSYS library to create an authorization list in that library:

                   Create Authorization List (CRTAUTL)

Type choices, press Enter.

Authorization list . . . . . . .   custlst1      Name
Text description . . . . . . . .   Files cleared at month-end

                         Additional Parameters

Authority  . . . . . . . . . . .   *use          *CHANGE, *ALL, *USE, *EXCLUDE

The AUT parameter sets the public authority for any objects secured by the list. The public authority from the authorization list is used only when the public authority for an object secured by the list is *AUTL.


Giving users authority to an authorization list


Use the Edit Authorization List (EDTAUTL) display to give users authority to the authorization list you have created. To work with the authority that users have for the authorization list, you must have *AUTLMGT (authorization list management) authority, as well as the specific authorities you are granting. See the topic Authorization list management on page 138 for a complete description. You can use the Edit Authorization List (EDTAUTL) display to change user authority to the authorization list or to add new users to the list:

                          Edit Authorization List

Object . . . . . . . :   CUSTLST1       Owner  . . . . . . . :   PGMR1
  Library  . . . . . :     QSYS         Primary group  . . . :   *NONE

Type changes to current authorities, press Enter.

              Object      List
User          Authority   Mgt
*PUBLIC       *USE
PGMR1         *ALL        X

To give new users authority to the authorization list, press F6 (Add new users):

                               Add New Users

Object . . . . . . . :   CUSTLST1       Owner  . . . :   PGMR1
  Library  . . . . . :     QSYS

Type new users, press Enter.

              Object      List
User          Authority   Mgt
AMES          *CHANGE
SMITHR        *CHANGE

Each user's authority to the list is actually stored as a private authority in that user's profile. You can also use commands to work with authorization list users, either interactively or in batch:
v Add Authorization List Entry (ADDAUTLE) to define authority for additional users.
v Change Authorization List Entry (CHGAUTLE) to change authority for users who are already authorized to the list.
v Remove Authorization List Entry (RMVAUTLE) to remove a user's authority to the list.
v Work with Authority (WRKAUT) to show the list of authorized users of an object.
v Change Authority (CHGAUT) to change a user's authority for the object.

Securing objects with an authorization list


To secure an object with an authorization list, you must own the object, have *ALL authority to it, or have *ALLOBJ special authority. Use the Edit Object Authority display, the GRTOBJAUT command, the WRKAUT command, or the CHGAUT command to secure an object with an authorization list:


                            Edit Object Authority

Object . . . . . . :   ARWRK1         Owner  . . . . . . . :   PGMR1
  Library  . . . . :     TESTLIB      Primary group  . . . :   *NONE
Object type  . . . :   *FILE          ASP device . . . . . :   *SYSBAS

Type changes to current authorities, press Enter.

  Object secured by authorization list . . . . . . . . . :   ARLST1

              Object
User          Authority
*PUBLIC       *AUTL
PGMR1         *ALL

Set the public authority for the object to *AUTL if you want public authority to come from the authorization list. On the Edit Authorization List display, you can use F15 (Display authorization list objects) to list all of the objects secured by the list:

                    Display Authorization List Objects

Authorization list . . . . . . . :   CUSTLST1
  Library  . . . . . . . . . . . :     CUSTLIB
Owner  . . . . . . . . . . . . . :   OWNAR
Primary group  . . . . . . . . . :   DPTAR

                                                   Primary
Object      Library     Type     Owner     group      Text
CUSTMAS     CUSTLIB     *FILE    OWNAR
CUSTADDR    CUSTLIB     *FILE    OWNAR

This is an information list only. You cannot add or remove objects from the list. You can also use the Display Authorization List Objects (DSPAUTLOBJ) command to view or print a list of all objects secured by the list.

Setting up an authorization list


The setup of an authorization list makes it easier to change who is authorized to the objects, and easier to secure any new objects with the same authorities as the existing objects.

At the JKL Toy Company, an authorization list is used to secure all the work files used in month-end inventory processing. These work files are cleared, which requires *OBJMGT authority. As application requirements change, more work files may be added to the application. Also, as job responsibilities change, different users run month-end processing. An authorization list makes it simpler to manage these changes.

Follow these steps to set up the authorization list.

1. Create the authorization list:

   CRTAUTL ICLIST1

2. Secure all the work files with the authorization list:

   GRTOBJAUT OBJ(ITEMLIB/ICWRK*) +
             OBJTYPE(*FILE) AUTL(ICLIST1)

3. Add users to the list who perform month-end processing:

   ADDAUTLE AUTL(ICLIST1) USER(USERA) AUT(*ALL)


If you use authorization lists, then you should not have private authorities on the object. Two searches of the user's private authorities are required during the authority checking if the object has private authorities and the object is also secured by an authorization list. The first search is for the private authorities on the object; the second search is for the private authorities on the authorization list. Two searches require use of system resources; therefore, the performance can be impacted. If you use only the authorization list, only one search is performed. Also, because of the use of authority caching with the authorization list, the performance for the authority check will be the same as it is for checking only private authorities on the object.

Deleting an authorization list


You might also want to delete the authorization list that you have created. You cannot delete an authorization list if it is used to secure any objects. Use the DSPAUTLOBJ command to list all of the objects secured by the list. Use either the Edit Object Authority display, Change Authority (CHGAUT), or the Revoke Object Authority (RVKOBJAUT) command to change the authority for each object. When the authorization list no longer secures any objects, use the Delete Authorization List (DLTAUTL) command to delete it.

How the system checks authority


When a user attempts to perform an operation on an object, the system verifies that the user has adequate authority for the operation. The system first checks authority to the library or directory path that contains the object. If the authority to the library or directory path is adequate, the system checks authority to the object itself. In the case of database files, authority checking is done at the time the file is opened, not when each individual operation to the file is performed.

During the authority-checking process, when any authority is found (even if it is not adequate for the requested operation) authority checking stops and access is granted or denied. The adopted authority function is the exception to this rule. Adopted authority can override any specific (and inadequate) authority found. See the topic Objects that adopt the owner's authority on page 149 for more information about adopted authority.

The system verifies a user's authority to an object in the following order:
1. Object's authority - fast path
2. User's *ALLOBJ special authority
3. User's specific authority to the object
4. User's authority on the authorization list securing the object
5. Groups' *ALLOBJ special authority
6. Groups' authority to the object
7. Groups' authority on the authorization list securing the object
8. Public authority specified for the object or for the authorization list securing the object
9. Program owner's authority, if adopted authority is used

Note: Authority from one or more of the user's groups might be accumulated to find sufficient authority for the object being accessed.

Authority checking flowcharts


This section introduces the flowcharts, descriptions, and examples of how authority is checked.


Use them to answer specific questions about whether a particular authority scheme will work or diagnose problems with your authority definitions. The charts also highlight the types of authority that cause the greatest performance effect.

The process of checking authority is divided into a primary flowchart and several smaller flowcharts showing specific parts of the process. Depending on the combination of authorities for an object, the steps in some flowcharts might be repeated several times. The numbers at the upper left of figures on the flowcharts are used in the examples following the flowcharts.

The steps representing the search of a profile's private authorities are highlighted:
v Step 6 in Figure 13 on page 174
v Step 6 in Figure 16 on page 180
v Step 2 in Figure 19 on page 185

Repeating these steps is likely to cause performance problems in the authority checking process.

Flowchart 1: Main authority checking process


The steps in Flowchart 1 show the main process the system follows in checking authority for an object.


Figure 11. Flowchart 1: Main authority checking process

Description of Flowchart 1: Main authority checking process

Note: At any step in the authority checking process, the system might find sufficient authority and authorize the user to the object.


1. The system checks the object's authority. (Refer to Flowchart 2: Fast Path for Object Authority Checking.) If the system finds that authority is insufficient, it proceeds to Step 2.
2. The system checks the user's authority to the object. (Refer to Flowchart 3: How User Authority to an Object Is Checked.) If the system determines that the user does not have authority to the object, it proceeds to Step 3. If the system finds that the user's authority is insufficient, it proceeds to Step 6.
3. The system checks whether the user profile belongs to any groups. If it does, the system proceeds to Step 4. If it does not, the system proceeds to Step 5.
4. The system determines the group authority. (Refer to Flowchart 6.) If the system determines that there is no group authority to the object, it proceeds to Step 5. If the system determines that the group authority to the object is not sufficient, it proceeds to Step 6.
5. The system checks the public authority of the object. (Refer to Flowchart 7.) If the system determines that the public authority is insufficient, it proceeds to Step 6.
6. The system checks the adopted authority of the object. (Refer to Flowchart 8.)

Flowchart 2: Fast path for object authority checking


The steps in Flowchart 2 are performed using information stored with the object. This is the fastest method for authorizing a user to an object.


Figure 12. Flowchart 2: Fast path for object authority

Description of Flowchart 2: Fast path for object authority

1. The system determines whether the object has any private authorities. If it does, the system returns to the calling flowchart with insufficient authority. If it does not, the system proceeds to Step 2.
2. The system determines whether the object is secured by an authorization list. If it is, the system returns to the calling flowchart with insufficient authority. If it is not, the system proceeds to Step 3.
3. The system determines whether the owner of the object has sufficient authority. If the owner does not, the system returns to the calling flowchart with insufficient authority. If the owner does, the system proceeds to Step 4.
4. The system determines whether the object has a primary group. If it does, the system proceeds to Step 5. If it does not, the system proceeds to Step 6.
5. The system determines whether the object's primary group has sufficient authority. If it does, the system proceeds to Step 6. If it does not, the system returns to the calling flowchart with insufficient authority.

6. The system determines whether public authority is sufficient. If it is, the object is authorized. If it is not, the system returns to the calling flowchart with insufficient authority.

Flowchart 3: How user authority to an object is checked


The steps in Flowchart 3 are performed for the individual user profile.

Figure 13. Flowchart 3: Check user authority


Description of Flowchart 3: Check user authority

1. The system determines if the user profile has *ALLOBJ authority. If the profile does have *ALLOBJ authority, then the profile is authorized. If it does not have *ALLOBJ authority, then the authority checking proceeds to Step 2.
2. The system sets the object to test equal to the original object. The authority checking proceeds to Step 3.
3. The system checks the owner authority. If the authority is insufficient, then it proceeds to Step 8. If no authority is found, then it proceeds to Step 4.
4. The system completes a fast path authority check of the original object. (Refer to Flowchart 5.) If authority is insufficient, then authority checking proceeds to Step 5.
5. The system determines if the object has private authorities. If it does, then the authority check proceeds to Step 6. If there are no private authorities, then the authority checking goes to Step 7.
6. The system checks for private authorities with the user profile. If the authority is sufficient, then the user is authorized. If authority is not sufficient, then the authority checking proceeds to Step 8. If no authority is found, then the authority checking proceeds to Step 7.
7. The system determines if the object is secured by an authorization list. If it is not, then the authority checking proceeds to Step 8. If it is secured by an authorization list, then the authority checking proceeds to Step 9.
8. The system sets the object to test equal to the original object and returns to the calling flowchart with insufficient authority or no authority found.
9. The system sets the object to test equal to the authorization list and returns to Step 3.

Flowchart 4: How owner authority is checked


Flowchart 4 shows the process for checking owner authority. The name of the owner profile and the owner's authority to an object are stored with the object. Several possibilities exist for using the owner's authority to access an object:
v The user profile owns the object.
v The user profile owns the authorization list.
v The user's group profile owns the object.
v The user's group profile owns the authorization list.
v Adopted authority is used, and the program owner owns the object.
v Adopted authority is used, and the program owner owns the authorization list.


Figure 14. Flowchart 4: Owner authority checking

Description of Flowchart 4: Owner authority checking

1. The system determines if the user profile owns the object being checked. If the user profile does own the object, then it moves to Step 2. If the user profile does not own the object, then the system returns to the calling flowchart with no authority found.
2. If the user profile does own the object, the system then determines if the owner has authority to the object. If the owner has authority to the object, then the authority check proceeds to Step 3. If the system determines that the owner does not have authority to the object, then the system returns to the calling flowchart with no authority found.
3. If the owner does have authority to the object, then the system determines whether this authority is sufficient to access the object. If the authority is sufficient, then the owner is authorized to the object. If it is not sufficient, then the system returns to the calling flowchart with insufficient authority found.

Flowchart 5: Fast path for user authority checking


Flowchart 5 shows the fast path for testing user authority without searching private authorities.


Figure 15. Flowchart 5: Fast path for user authority

Flowchart 5 notes: 1. Authority is considered less than public if any authority that is present for *PUBLIC is not present for another user. In the example shown in Table 123 on page 178, the public has *OBJOPR, *READ, and *EXECUTE authority to the object. WILSONJ has *EXCLUDE authority and does not have any of the authorities the public has. Therefore, this object does have private authority less than its public authority. (OWNAR also has less authority than the public, but owner authority is not considered private authority.)


Table 123. Public versus private authority Users Authority Object Authorities: *OBJOPR *OBJMGT *OBJEXIST *OBJALTER *OBJREF Data Authorities *READ *ADD *UPD *DLT *EXECUTE *EXCLUDE X X X X X X X X X X X OWNAR DPTMG WILSONJ *PUBLIC

2. This path provides a method for using public authority, if possible, even though private authority exists for an object. The system tests to make sure that nothing later in the authority checking process might deny access to the object. If the result of these tests is Sufficient, searching private authorities can be avoided.

Description of Flowchart 5: Fast path for user authority

This flowchart shows the fast path for testing user authority without searching private authorities.

1. The system determines if there are any private authorities to the object being checked. If there are private authorities to the object, then the authority check proceeds to Step 2. If there is no private authority, the authority check proceeds to Step 3.
2. If private authorities exist, then the system determines if the object has private authorities that are less than its public authority. (See note 1.) If the object does have private authorities that are less than its public authority, then the system returns to the calling flowchart with no authority or insufficient authority found. If the object does not have private authorities that are less than its public authority (see note 2), then the authority check proceeds to Step 3.
3. If the object does not have any private authorities, or the object does not have private authorities that are less than its public authority, then the system determines if the public authority is sufficient. If the public authority is sufficient, then the authority check proceeds to Step 4. If the public authority is insufficient, then the system returns to the calling flowchart with no authority or insufficient authority found.
4. If the public authority is sufficient, then the system determines if the object owner's authority is sufficient. If the object owner's authority is sufficient, then the authority check proceeds to Step 5. If the object owner's authority is insufficient, then the system returns to the calling flowchart with no authority or insufficient authority found.
5. If the object owner's authority is sufficient, then the system determines if the object's primary group authority is sufficient. If the object's primary group authority is sufficient, then the authority check proceeds to Step 6. If the object's primary group authority is insufficient, then the system returns to the calling flowchart with no authority or insufficient authority found.
6. If the object's primary group authority is sufficient, then the system determines if the object is secured by an authorization list. If the object is secured by an authorization list, then the system returns to the calling flowchart with no authority or insufficient authority found. If the object is not secured by an authorization list, then the user is authorized to the object.

Flowchart 6: How group authority is checked


A user might be a member of up to 16 groups. A group might have private authority to an object, or it might be the primary group for an object. Authority from one or more of the user's groups might be accumulated to find sufficient authority for the object being accessed. For example, WAGNERB needs *CHANGE authority to the CRLIM file. *CHANGE authority includes *OBJOPR, *READ, *ADD, *UPD, *DLT, and *EXECUTE. Table 124 shows the authorities for the CRLIM file:
Table 124. Accumulated group authority

          Object authorities                                  Data authorities
Users     *OBJOPR *OBJMGT *OBJEXIST *OBJALTER *OBJREF         *READ *ADD *UPD *DLT *EXECUTE *EXCLUDE
OWNAR     X       X       X         X         X               X     X    X    X    X
DPT506    X                                                   X     X    X         X
DPT702    X                                                   X          X    X    X
*PUBLIC                                                                                X

WAGNERB needs both DPT506 and DPT702 to get sufficient authority to the CRLIM file. DPT506 is missing *DLT authority, and DPT702 is missing *ADD authority. Figure 16 shows the steps in checking group authority.

Chapter 5. Resource security

179

Figure 16. Flowchart 6: Group authority checking

Note: If the user is signed on as the profile that is the primary group for an object, the user cannot receive authority to the object through the primary group.

Description of Flowchart 6: Group authority checking

1. The system determines whether the group has *ALLOBJ special authority. If it does, the group is authorized. If it does not, authority checking proceeds to Step 2.
2. The group does not have *ALLOBJ special authority, so the system sets the object being checked equal to the original object.
3. The system checks owner authority (see Flowchart 4). If the authority is sufficient, the group is authorized. If authority is found but is not sufficient, the authority check goes to Step 11. If no authority is found, the authority check proceeds to Step 4.
4. Owner authority was not found, so the system checks whether the group is the object's primary group (see the note above). If the group is the object's primary group, the authority check proceeds to Step 5. If it is not, the authority check proceeds to Step 6.
5. The group is the object's primary group, so the system tests the primary group authority. If primary group authority is sufficient, the group is authorized. If primary group authority is not found, the authority check goes to Step 7. If primary group authority is insufficient, the authority check goes to Step 11.
6. The group is not the object's primary group, so the system looks up the private authorities of the group profile. If authority is found, authority checking goes to Step 10. If authority is not found, authority checking proceeds to Step 7.
7. No private authority was found for the group profile, so the system checks whether the object is secured by an authorization list. If it is, the authority check proceeds to Step 8. If it is not, the authority check goes to Step 11.
8. The object is secured by an authorization list, so the system sets the object to be checked equal to the authorization list and returns to Step 3.
9. The user belongs to another group profile, so the system sets the profile to the next group profile and returns to Step 1 to start the authority checking process over again.
10. Private authority for the group profile was found, so the system checks and tests it. If the authority is sufficient, the group profile is authorized. If it is not sufficient, the authority check goes to Step 11.
11. Authority is not found or is insufficient, so the system checks whether the user is associated with another group profile. If the user does belong to another group profile, the system goes to Step 9. If the user does not, the system returns to the calling flowchart with insufficient authority or no authority found.
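The fast path of Flowchart 5 and the group walk of Flowchart 6 can be exercised against a small model. The following Python is an added example and not code from this reference or from IBM: the SecuredObject class, the fast_path and group_authority functions, and the CRLIM and PRICES sample objects are constructed for illustration. Each authority level is expanded to the specific object and data authorities it grants, which is a simplification of the real checks (notes 1 and 2 of Flowchart 5 are not modelled beyond "some private authority is lower than public"). CRLIM reproduces Table 124, so WAGNERB reaches *CHANGE only when DPT506 and DPT702 are both walked.

```python
"""Model of Flowchart 5 (fast path) and Flowchart 6 (group authority).

Added example: not code from the IBM i Security Reference. Class, function
and sample names are assumptions. Each authority level (*ALL, *CHANGE,
*USE, *EXCLUDE) is expanded to the specific object and data authorities
it grants, so "sufficient" means "a superset of what the request needs".
"""
from dataclasses import dataclass, field
from typing import Optional

OBJECT_AUTHS = {"*OBJOPR", "*OBJMGT", "*OBJEXIST", "*OBJALTER", "*OBJREF"}
DATA_AUTHS = {"*READ", "*ADD", "*UPD", "*DLT", "*EXECUTE"}
LEVELS = {
    "*ALL": frozenset(OBJECT_AUTHS | DATA_AUTHS),
    "*CHANGE": frozenset({"*OBJOPR", "*READ", "*ADD", "*UPD", "*DLT", "*EXECUTE"}),
    "*USE": frozenset({"*OBJOPR", "*READ", "*EXECUTE"}),
    "*EXCLUDE": frozenset(),
}


def expand(auth):
    """Accept a level name or an explicit set of specific authorities."""
    return LEVELS[auth] if isinstance(auth, str) else frozenset(auth)


@dataclass
class SecuredObject:
    owner: str
    owner_auth: object = "*ALL"
    public: object = "*EXCLUDE"
    primary_group: Optional[str] = None
    primary_group_auth: object = "*EXCLUDE"
    private: dict = field(default_factory=dict)   # profile -> level or set
    autl: Optional["SecuredObject"] = None        # securing authorization list


def fast_path(obj, required):
    """Flowchart 5: may public authority be used without searching private
    authorities? True only when nothing checked later could deny access."""
    required, public = expand(required), expand(obj.public)
    # Steps 1-2: one private authority lower than public (such as *EXCLUDE)
    # is enough to force a search of private authorities for every user.
    if any(not expand(a) >= public for a in obj.private.values()):
        return False
    if not required <= public:                              # step 3
        return False
    if not required <= expand(obj.owner_auth):              # step 4
        return False
    if obj.primary_group and not required <= expand(obj.primary_group_auth):
        return False                                        # step 5
    return obj.autl is None                                 # step 6


def group_authority(groups, obj, required, allobj=()):
    """Flowchart 6: walk the user's groups (GRPPRF first, then SUPGRPPRF),
    accumulating what each group has until the request is covered.
    Returns (authorized, accumulated specific authorities)."""
    required, accumulated = expand(required), set()
    for group in groups:
        if group in allobj:                                 # step 1
            return True, LEVELS["*ALL"]
        target, found = obj, None                           # step 2
        while found is None:
            if target.owner == group:                       # step 3 (Flowchart 4)
                found = expand(target.owner_auth)
            elif target.primary_group == group:             # steps 4-5
                found = expand(target.primary_group_auth)
            elif group in target.private:                   # steps 6, 10
                found = expand(target.private[group])
            elif target.autl is not None:                   # steps 7-8
                target = target.autl
            else:
                break                                       # step 11: next group
        if found is not None:
            accumulated |= found
            if required <= accumulated:
                return True, frozenset(accumulated)
    return False, frozenset(accumulated)


# Constructed sample data. CRLIM mirrors Table 124: DPT506 lacks *DLT and
# DPT702 lacks *ADD, so WAGNERB reaches *CHANGE only with both groups.
CRLIM = SecuredObject(
    owner="OWNAR", public="*EXCLUDE",
    private={"DPT506": LEVELS["*CHANGE"] - {"*DLT"},
             "DPT702": LEVELS["*CHANGE"] - {"*ADD"}},
)
# A file like PRICES: no private authority is lower than the public *USE.
PRICES = SecuredObject(
    owner="OWNCP", public="*USE",
    private={"DPTSM": "*CHANGE", "DPTMG": "*CHANGE", "WILSONJ": "*USE"},
)

if __name__ == "__main__":
    print(group_authority(["DPT506", "DPT702"], CRLIM, "*CHANGE")[0])  # True
    print(group_authority(["DPT506"], CRLIM, "*CHANGE")[0])            # False
    print(fast_path(PRICES, "*USE"))                                    # True
    print(fast_path(PRICES, "*CHANGE"))                                 # False
```

The practical check this gives you: adding a single *EXCLUDE private authority to a file whose public authority is *USE makes fast_path return False for every *USE request, which is exactly the performance loss the later cases describe.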

Flowchart 7: How public authority is checked


When checking public authority, the system must determine whether to use the public authority for the object or the authorization list. Flowchart 7 shows the process:


Figure 17. Flowchart 7: Check public authority

Description of Flowchart 7: Check public authority

Flowchart 7 shows how the system determines whether to use the public authority for the object or for the authorization list.

1. The system determines whether the public authority for the original object is *AUTL. If it is, the system proceeds to Step 2. If it is not, the system proceeds to Step 3.
2. The public authority for the original object is *AUTL, so the system sets the object being checked equal to the authorization list and proceeds to Step 4.
3. The public authority for the original object is not *AUTL, so the system sets the object being checked to the original object and proceeds to Step 4.
4. With the object being checked set to either the authorization list or the original object, the system determines whether the public authority is sufficient. If it is, the user is authorized to the object. If it is not, the system returns to the calling flowchart with insufficient authority.

Flowchart 8: How adopted authority is checked


If insufficient authority is found by checking user authority, the system checks adopted authority. The system might use adopted authority from the original program the user called or from earlier programs in the call stack. To provide the best performance and minimize the number of times private authorities are searched, the process for checking adopted authority checks to see if the program owner has *ALLOBJ special authority or owns the object being tested. This is repeated for every program in the stack that uses adopted authority. If sufficient authority is not found, the system checks to see if the program owner has private authority for the object being checked. This is repeated for every program in the stack that uses adopted authority. Figure 18 on page 183 and Figure 19 on page 185 show the process for checking adopted authority.


Figure 18. Flowchart 8A: Checking adopted authority user *ALLOBJ and owner

Description of Flowchart 8A: Checking adopted authority user *ALLOBJ and owner

Flowchart 8A describes how the system checks adopted authority when insufficient authority has been found by checking user authority.

1. The system sets the object being checked to the original object and proceeds to Step 2.
2. The system determines whether the program adopts authority. If it does, authority checking proceeds to Step 3. If it does not, authority checking goes to Step 5.
3. The program adopts authority, so the system determines whether the program owner has *ALLOBJ special authority. If the program owner has *ALLOBJ special authority, the user is authorized. If not, authority checking proceeds to Step 4.
4. The program owner does not have *ALLOBJ special authority, so the system checks and tests the owner authority (see Flowchart 4). If the authority is sufficient, the user is authorized. If it is insufficient, authority checking proceeds to Step 5.
5. The system checks the USEADPAUT value of the program currently being tested. If the value is *NO, authority checking proceeds to Step 8. If the value is *YES, authority checking proceeds to Step 6.
6. The USEADPAUT value is *YES, so the system determines whether there are more programs in the stack. If there are, authority checking proceeds to Step 7. If there are not, authority checking goes to Step 8.
7. The system tests using the next program in the stack and starts again at Step 2.
8. There are no more programs in the stack, or the USEADPAUT value is *NO, so the system sets the object and program back to the original values and proceeds to Step 9.
9. The system checks private authority. This is described in Flowchart 8B: Checking adopted authority using private authorities.


Figure 19. Flowchart 8B: Checking adopted authority using private authorities

Description of Flowchart 8B: Checking adopted authority using private authorities

1. The system determines whether the program adopts authority. If yes, proceed to Step 2. If no, proceed to Step 7.
2. The system determines whether the object has private authorities. If yes, proceed to Step 3. If no, proceed to Step 4.
3. The system checks the private and primary group authorities for the program owner. If the authority is sufficient, the program is authorized. If insufficient authority is found, proceed to Step 7. If no authority is found, proceed to Step 4.
4. The system determines whether the object is secured by an authorization list. If yes, proceed to Step 5. If no, proceed to Step 7.
5. The system sets the object being checked equal to the authorization list and proceeds to Step 6.
6. The system checks the program owner's authority to the authorization list (see Flowchart 4). If no authority is found, go back to Step 2. If sufficient authority is found, the program is authorized.
7. The system tests the USEADPAUT value for the program currently being checked. If *YES, proceed to Step 8. If *NO, access is denied.
8. The system checks whether there are more programs in the stack. If yes, proceed to Step 9. If no, access is denied.
9. The system sets the object being checked equal to the original object and proceeds to Step 10.
10. The system tests using the next program in the stack and starts again at Step 1.

Related concepts
Ignoring adopted authority on page 232
The technique of using adopted authority in menu design requires the user to return to the initial menu before running queries. If you want to provide the convenience of starting query from application menus as well as from the initial menu, you can set up the QRYSTART program to ignore adopted authority.
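The two passes of Flowcharts 8A and 8B, and the cutoff that USEADPAUT(*NO) places on earlier programs in the call stack (the QRYSTART technique referenced above), can be modelled as follows. This Python is an added example and not code from this reference or from IBM: the Program and Obj classes, the adopted_authority and owner_private functions, and the PRICES, CPPGM08, REPORT, SUBPGM and QRYSTART samples are constructed for illustration, and authority levels are compared by rank rather than by the specific authorities the real checks test.

```python
"""Model of Flowcharts 8A and 8B: adopted authority along the call stack.

Added example: not code from the IBM i Security Reference. Class, function
and sample names are assumptions, and authority levels are compared by
rank, a simplification of the specific authorities the real checks test.
"""
from dataclasses import dataclass, field
from typing import Optional

RANK = {"*EXCLUDE": 0, "*USE": 1, "*CHANGE": 2, "*ALL": 3}


def sufficient(have, required):
    return RANK[have] >= RANK[required]


@dataclass
class Program:
    name: str
    owner: str
    adopts: bool = False      # USRPRF(*OWNER)
    useadpaut: bool = True    # USEADPAUT(*YES): keep looking at earlier programs


@dataclass
class Obj:
    owner: str
    owner_auth: str = "*ALL"
    primary_group: Optional[str] = None
    primary_group_auth: str = "*EXCLUDE"
    private: dict = field(default_factory=dict)   # profile -> level
    autl: Optional["Obj"] = None                  # securing authorization list


def owner_private(profile, obj, required):
    """Flowchart 8B steps 2-6 for one program owner: True (sufficient),
    False (found but insufficient) or None (no authority found)."""
    target = obj
    while True:
        have = target.private.get(profile)                   # step 3: private
        if have is None and target.primary_group == profile:
            have = target.primary_group_auth                 # step 3: primary group
        if have is not None:
            return sufficient(have, required)
        if target.autl is None:                              # step 4
            return None
        target = target.autl                                 # step 5
        if target.owner == profile:                          # step 6 (Flowchart 4)
            return sufficient(target.owner_auth, required)


def adopted_authority(stack, obj, required, allobj=()):
    """stack[0] is the program now running, stack[1:] its callers, most
    recent first. Returns (authorized, name of the program that adopted)."""
    # Flowchart 8A: *ALLOBJ and ownership only; no private authority search.
    for pgm in stack:
        if pgm.adopts:                                       # step 2
            if pgm.owner in allobj:                          # step 3
                return True, pgm.name
            if obj.owner == pgm.owner and sufficient(obj.owner_auth, required):
                return True, pgm.name                        # step 4
        if not pgm.useadpaut:                                # step 5: stop here
            break
    # Flowchart 8B: private authorities of each adopting program's owner.
    for pgm in stack:
        if pgm.adopts and owner_private(pgm.owner, obj, required):   # steps 1-6
            return True, pgm.name
        if not pgm.useadpaut:                                # step 7: stop here
            break
    return False, None


# Constructed sample data, modelled on the PRICES file and CPPGM08.
PRICES = Obj(owner="OWNCP", private={"DPTSM": "*CHANGE", "WILSONJ": "*USE"})
CPPGM08 = Program("CPPGM08", "OWNCP", adopts=True)           # owner owns PRICES
REPORT = Program("REPORT", "DPTSM", adopts=True)             # owner has private *CHANGE
SUBPGM = Program("SUBPGM", "APPOWN")                         # no adoption, passes it on
QRYSTART = Program("QRYSTART", "QPGMR", useadpaut=False)     # USEADPAUT(*NO) cuts it off

if __name__ == "__main__":
    print(adopted_authority([CPPGM08], PRICES, "*CHANGE"))            # (True, 'CPPGM08')
    print(adopted_authority([SUBPGM, CPPGM08], PRICES, "*CHANGE"))    # (True, 'CPPGM08')
    print(adopted_authority([QRYSTART, CPPGM08], PRICES, "*CHANGE"))  # (False, None)
    print(adopted_authority([REPORT], PRICES, "*CHANGE"))             # (True, 'REPORT')
```

The third call is the security-relevant one: CPPGM08 still adopts OWNCP, but because the program on top of the stack was created with USEADPAUT(*NO), neither pass looks past it, so a query started from that program runs with the user's own authority only.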

Authority checking examples


This section includes several examples of authority checking. These examples demonstrate the steps the system uses to determine whether a user is allowed a requested access to an object. These examples are intended to show how authority checking works and where potential performance problems might occur. Figure 20 shows the authorities for the PRICES file. Following the figure are several examples of requested access to this file and the authority checking process. In the examples, searching private authorities (Flowchart 3, step 6) is highlighted because this is the part of the authority checking process that can cause performance problems if it is repeated several times.

                          Display Object Authority
Object . . . . . . . :   PRICES          Owner . . . . . . . :   OWNCP
  Library  . . . . . :   CONTRACTS       Primary group . . . :   *NONE
Object type  . . . . :   *FILE           ASP device  . . . . :   *SYSBAS

Object secured by authorization list  . . . . . . . . . . . . :   *NONE

                         Object
User         Group       Authority
OWNCP                    *ALL
DPTSM                    *CHANGE
DPTMG                    *CHANGE
WILSONJ                  *USE
*PUBLIC                  *USE

Figure 20. Authority for the PRICES file

Case 1: Using private group authority


This case demonstrates how to use private group authority.


User ROSSM wants to access the PRICES file using the program CPPGM01. CPPGM01 requires *CHANGE authority to the file. ROSSM is a member of group profile DPTSM. Neither ROSSM nor DPTSM has *ALLOBJ special authority. The system performs these steps in determining whether to allow ROSSM access to the PRICES file:

1. Flowchart 1, step 1.
   a. Flowchart 2, step 1.
2. Flowchart 1, step 2.
   a. Flowchart 3, steps 1 and 2. Object to check = CONTRACTS/PRICES *FILE.
   b. Flowchart 3, step 3.
      1) Flowchart 4, step 1. ROSSM does not own the PRICES file. Return to Flowchart 3 with no authority found.
   c. Flowchart 3, step 4.
      1) Flowchart 5, steps 1, 2, and 3. Public is not sufficient.
   d. Flowchart 3, step 5.
   e. Flowchart 3, step 6. ROSSM does not have private authority to the PRICES file.
   f. Flowchart 3, steps 7 and 8. The PRICES file is not secured by an authorization list. Return to Flowchart 1 with no authority found.
3. Flowchart 1, steps 3 and 4. DPTSM is the group profile for ROSSM.
   a. Flowchart 6, steps 1, 2, and 3.
      1) Flowchart 4, step 1. DPTSM does not own the PRICES file.
   b. Flowchart 6, step 4. DPTSM is not the primary group for the PRICES file.
   c. Flowchart 6, step 6. Authorized. (DPTSM has *CHANGE authority.)

Result: ROSSM is authorized because the group profile DPTSM has *CHANGE authority.

Analysis: Using group authority in this example is a good method for managing authorities. It reduces the number of private authorities on the system and is easy to understand and audit. However, using private group authority typically causes two searches of private authorities (one for the user and one for the group) when public authority is not adequate. One search of the private authorities can be avoided by making DPTSM the primary group for the PRICES file.

Case 2: Using primary group authority


This case demonstrates how to use primary group authority. ANDERSJ needs *CHANGE authority to the CREDIT file. ANDERSJ is a member of the DPTAR group. Neither ANDERSJ nor DPTAR has *ALLOBJ special authority. Figure 21 on page 188 shows the authorities for the CREDIT file.


                          Display Object Authority
Object . . . . . . . :   CREDIT          Owner . . . . . . . :   OWNAR
  Library  . . . . . :   ACCTSRCV        Primary group . . . :   DPTAR
Object type  . . . . :   *FILE           ASP device  . . . . :   *SYSBAS

Object secured by authorization list  . . . . . . . . . . . . :   *NONE

                         Object
User         Group       Authority
OWNAR                    *ALL
DPTAR                    *CHANGE
*PUBLIC                  *USE

Figure 21. Authority for the CREDIT file

The system performs these steps to determine whether to allow ANDERSJ to have *CHANGE access to the CREDIT file:

1. Flowchart 1, step 1.
   a. Flowchart 2, step 1. DPTAR's authority is primary group authority, not private authority.
   b. Flowchart 2, steps 2, 3, 4, 5, and 6. Public authority is not sufficient.
2. Flowchart 1, step 2.
   a. Flowchart 3, steps 1 and 2. Object to check = ACCTSRCV/CREDIT *FILE.
   b. Flowchart 3, step 3.
      1) Flowchart 4, step 1. ANDERSJ does not own the CREDIT file. Return to Flowchart 3 with no authority found.
   c. Flowchart 3, step 4.
      1) Flowchart 5, step 1. The CREDIT file has no private authorities.
      2) Flowchart 5, step 3. Public authority is not sufficient. Return to Flowchart 3 with no authority found.
   d. Flowchart 3, steps 5, 7, and 8. The CREDIT file is not secured by an authorization list. Return to Flowchart 1 with no authority found.
3. Flowchart 1, steps 3 and 4. ANDERSJ is a member of the DPTAR group profile.
   a. Flowchart 6, steps 1 and 2. Object to check = ACCTSRCV/CREDIT *FILE.
   b. Flowchart 6, step 3.
      1) Flowchart 4, step 1. DPTAR does not own the CREDIT file. Return to Flowchart 6 with no authority found.
   c. Flowchart 6, steps 4 and 5. Authorized. DPTAR is the primary group for the CREDIT file and has *CHANGE authority.

Result: ANDERSJ is authorized because DPTAR is the primary group for the CREDIT file and has *CHANGE authority.

Analysis: If you use primary group authority, authority checking performs better than if you specify private authority for the group. This example does not require any search of private authorities.


Related concepts Considerations for primary groups for objects on page 240 Any object on the system can have a primary group. Primary group authority can provide a performance advantage if the primary group is the first group for most users of an object.

Case 3: Using public authority


This case describes the steps of using public authority. User JONESP wants to access the CREDIT file using the program CPPGM06. CPPGM06 requires *USE authority to the file. JONESP is a member of group profile DPTSM and does not have *ALLOBJ special authority. The system performs these steps in determining whether to allow JONESP access to the CREDIT file:

Flowchart 1, step 1.
1. Flowchart 2, step 1. The CREDIT file has no private authorities. DPTAR's authority is primary group authority, not private authority.
2. Flowchart 2, steps 2 and 3. Owner's authority (OWNAR) is sufficient.
3. Flowchart 2, steps 4 and 5. Primary group authority (DPTAR) is sufficient.
4. Flowchart 2, step 6. Authorized. Public authority is sufficient.

Analysis: This example shows the performance benefit gained when you avoid defining any private authorities for an object.

Case 4: Using public authority without searching private authority


This case describes how to use public authority without searching private authority. User JONESP wants to access the PRICES file using the program CPPGM06. CPPGM06 requires *USE authority to the file. JONESP is a member of group profile DPTSM and does not have *ALLOBJ special authority. The system performs these steps in determining whether to allow JONESP access to the PRICES file:

1. Flowchart 1, step 1.
   a. Flowchart 2, step 1. The PRICES file has private authorities.
2. Flowchart 1, step 2.
   a. Flowchart 3, steps 1 and 2. Object to check = CONTRACTS/PRICES *FILE.
   b. Flowchart 3, step 3.
      1) Flowchart 4, step 1. JONESP does not own the PRICES file. Return to Flowchart 3 with no authority found.
   c. Flowchart 3, step 4.
      1) Flowchart 5, steps 1, 2, and 3. Public authority is sufficient.
      2) Flowchart 5, step 4. Owner authority is sufficient. (OWNCP has *ALL.)
      3) Flowchart 5, step 5. The PRICES file does not have a primary group.
      4) Flowchart 5, step 6. Authorized. (The PRICES file is not secured by an authorization list.)

Analysis: This example shows the performance benefit gained when you avoid defining any private authorities that are less than public authority for an object. Although private authority exists for the PRICES file, the public authority is sufficient for this request and can be used without searching private authorities.


Case 5: Using adopted authority


This case demonstrates the performance advantage in using adopted authority. User SMITHG wants to access the PRICES file using program CPPGM08. SMITHG is not a member of a group and does not have *ALLOBJ special authority. Program CPPGM08 requires *CHANGE authority to the file. CPPGM08 is owned by the profile OWNCP and adopts owner authority (USRPRF is *OWNER).

1. Flowchart 1, step 1.
   a. Flowchart 2, step 1.
2. Flowchart 1, step 2.
   a. Flowchart 3, steps 1 and 2. Object to check = CONTRACTS/PRICES *FILE.
   b. Flowchart 3, step 3.
      1) Flowchart 4, step 1. SMITHG does not own the PRICES file. Return to Flowchart 3 with no authority found.
   c. Flowchart 3, step 4.
      1) Flowchart 5, steps 1, 2, and 3. Public is not sufficient.
   d. Flowchart 3, step 5.
   e. Flowchart 3, step 6. SMITHG does not have private authority.
   f. Flowchart 3, steps 7 and 8. The PRICES file is not secured by an authorization list. Return to Flowchart 1 with no authority found.
3. Flowchart 1, step 3. SMITHG does not have a group.
4. Flowchart 1, step 5.
   a. Flowchart 7, step 1. Public authority is not *AUTL.
   b. Flowchart 7, step 3. Object to check = CONTRACTS/PRICES *FILE.
   c. Flowchart 7, step 4. Public authority is not sufficient.
5. Flowchart 1, step 6.
   a. Flowchart 8A, step 1. Object to check = CONTRACTS/PRICES *FILE.
   b. Flowchart 8A, steps 2 and 3. OWNCP does not have *ALLOBJ authority.
   c. Flowchart 8A, step 4.
      1) Flowchart 4, steps 1, 2, and 3. Authorized. OWNCP owns the PRICES file and has sufficient authority.

Analysis: This example demonstrates the performance advantage in using adopted authority when the program owner also owns the application objects. The number of steps required to perform authority checking has almost no effect on performance, because most of the steps do not require retrieving new information. In this example, although many steps are performed, private authorities are searched only once (for user SMITHG). Compare this with Case 1: Using private group authority.

v If you were to change Case 1 so that the group profile DPTSM owns the PRICES file and has *ALL authority to it, the performance characteristics of the two examples would be the same. However, having a group profile own application objects can represent a security exposure. The members of the group always have the group's (owner) authority, unless you specifically give group members less authority. When you use adopted authority, you can control the situations in which owner authority is used.
v You can also change Case 1 so that DPTSM is the primary group for the PRICES file and has *CHANGE authority to it. If DPTSM is the first group for SMITHG (specified in the GRPPRF parameter of SMITHG's user profile), the performance characteristics are the same as in Case 5.


Case 6: User and group authority


This case demonstrates that a user can be denied access to an object even though the user's group has sufficient authority. User WILSONJ wants to access file PRICES using program CPPGM01, which requires *CHANGE authority. WILSONJ is a member of group profile DPTSM and does not have *ALLOBJ special authority. Program CPPGM01 does not use adopted authority, and it ignores any previous adopted authority (USEADPAUT is *NO).

1. Flowchart 1, step 1.
   a. Flowchart 2, step 1. PRICES has private authorities.
2. Flowchart 1, step 2.
   a. Flowchart 3, steps 1 and 2. Object to check = CONTRACTS/PRICES *FILE.
   b. Flowchart 3, step 3.
      1) Flowchart 4, step 1. WILSONJ does not own the PRICES file. Return to Flowchart 3 with no authority found.
   c. Flowchart 3, step 4.
      1) Flowchart 5, steps 1, 2, and 3. Public is not sufficient.
   d. Flowchart 3, step 5.
   e. Flowchart 3, step 6. WILSONJ has *USE authority, which is not sufficient.
   f. Flowchart 3, step 8. Object to test = CONTRACTS/PRICES *FILE. Return to Flowchart 1 with insufficient authority.
3. Flowchart 1, step 6.
   a. Flowchart 8A, step 1. Object to check = CONTRACTS/PRICES *FILE.
   b. Flowchart 8A, step 2. Program CPPGM01 does not adopt authority.
   c. Flowchart 8A, step 5. The USEADPAUT parameter for the CPPGM01 program is *NO.
   d. Flowchart 8A, steps 8 and 9.
      1) Flowchart 8B, step 1. Program CPPGM01 does not adopt authority.
      2) Flowchart 8B, step 7. The USEADPAUT parameter for the CPPGM01 program is *NO. Access is denied.

Analysis: Because the search found insufficient authority for WILSONJ (rather than no authority), the system never goes on to check the group's authority in Flowchart 1, steps 3 and 4; a user's own private authority therefore overrides a more generous group authority. Giving a user the same authority as the public but less than the user's group does not affect the performance of authority checking for other users. However, if WILSONJ had *EXCLUDE authority (less than public), you would lose the performance benefits shown in Case 4. Although this example has many steps, private authorities are searched only once. This should provide acceptable performance.

Case 7: Public authority without private authority


This case demonstrates the performance advantage of using public authority without private authority. The authority information for the ITEM file looks like this:


                          Display Object Authority
Object . . . . . . . :   ITEM            Owner . . . . . . . :   OWNIC
  Library  . . . . . :   ITEMLIB         Primary group . . . :   *NONE
Object type  . . . . :   *FILE           ASP device  . . . . :   *SYSBAS

Object secured by authorization list  . . . . . . . . . . . . :   *NONE

                         Object
User         Group       Authority
OWNIC                    *ALL
*PUBLIC                  *USE

Figure 22. Authority for the ITEM file

ROSSM needs *USE authority to the ITEM file. ROSSM is a member of the DPTSM group profile. These are the authority-checking steps:

Flowchart 1, step 1.
1. Flowchart 2, steps 1, 2, and 3. OWNIC's authority is sufficient.
2. Flowchart 2, step 4. The ITEM file does not have a primary group.
3. Flowchart 2, step 6. Authorized. Public authority is sufficient.

Analysis: Public authority provides the best performance when it is used without any private authorities. In this example, private authorities are never searched.

Case 8: Adopted authority without private authority


This case shows the advantage of using adopted authority without private authority. For this example, all programs in the application are owned by the OWNIC profile. Any program in the application requiring more than *USE authority adopts owner authority. These are the steps for user WILSONJ to obtain *CHANGE authority to the ITEM file using program ICPGM10, which adopts authority:

1. Flowchart 1, step 1.
   a. Flowchart 2, steps 1, 2, 3, 4, and 6. Public authority is not sufficient.
2. Flowchart 1, step 2.
   a. Flowchart 3, steps 1 and 2. Object to check = ITEMLIB/ITEM *FILE.
   b. Flowchart 3, step 3.
      1) Flowchart 4, step 1. WILSONJ does not own the ITEM file. Return to Flowchart 3 with no authority found.
   c. Flowchart 3, step 4.
      1) Flowchart 5, steps 1 and 3. Public authority is not sufficient. Return to Flowchart 3 with no authority found.
   d. Flowchart 3, steps 5, 7, and 8. The ITEM file is not secured by an authorization list. Return to Flowchart 1 with no authority found.
3. Flowchart 1, steps 3 and 5. (WILSONJ does not have a group profile.)
   a. Flowchart 7, steps 1, 3, and 4. The public has *USE authority, which is not sufficient.
4. Flowchart 1, step 6.
   a. Flowchart 8A, step 1. Object to check = ITEMLIB/ITEM *FILE.
   b. Flowchart 8A, steps 2, 3, and 4. The OWNIC profile does not have *ALLOBJ authority.
      1) Flowchart 4, steps 1, 2, and 3. Authorized. OWNIC has sufficient authority to the ITEM file.


Analysis: This example shows the benefits of using adopted authority without private authority, particularly if the owner of the programs also owns application objects. This example did not require searching private authorities.

Case 9: Using an authorization list


This case demonstrates the advantage of using authorization lists. The ARWRK01 file in library CUSTLIB is secured by the ARLST1 authorization list. Figure 23 and Figure 24 show the authorities:

                          Display Object Authority
Object . . . . . . . :   ARWRK01         Owner . . . . . . . :   OWNAR
  Library  . . . . . :   CUSTLIB         Primary group . . . :   *NONE
Object type  . . . . :   *FILE           ASP device  . . . . :   *SYSBAS

Object secured by authorization list  . . . . . . . . . . . . :   ARLST1

                         Object
User         Group       Authority
OWNCP                    *ALL
*PUBLIC                  *USE

Figure 23. Authority for the ARWRK01 file

                          Display Authorization List
Object . . . . . . . :   ARLST1          Owner . . . . . . . :   OWNAR
  Library  . . . . . :   QSYS            Primary group . . . :   *NONE

                         Object       List
User         Group       Authority    Mgt
OWNCP                    *ALL
AMESJ                    *CHANGE
*PUBLIC                  *USE

Figure 24. Authority for the ARLST1 authorization list

User AMESJ, who is not a member of a group profile, needs *CHANGE authority to the ARWRK01 file. These are the authority-checking steps:

1. Flowchart 1, step 1.
   a. Flowchart 2, steps 1 and 2. The ARWRK01 file is secured by an authorization list.
2. Flowchart 1, step 2.
   a. Flowchart 3, steps 1 and 2. Object to check = CUSTLIB/ARWRK01 *FILE.
   b. Flowchart 3, step 3.
      1) Flowchart 4, step 1. AMESJ does not own the ARWRK01 file. Return to Flowchart 3 with no authority found.
   c. Flowchart 3, step 4.
      1) Flowchart 5, steps 1 and 3. Public authority is not sufficient. Return to Flowchart 3 with no authority found.
   d. Flowchart 3, steps 5, 7, and 9. Object to check = ARLST1 *AUTL.
   e. Flowchart 3, step 3.
      1) Flowchart 4, step 1. AMESJ does not own the ARLST1 authorization list. Return to Flowchart 3 with no authority found.
   f. Flowchart 3, steps 4 and 5.
   g. Flowchart 3, step 6. Authorized. AMESJ has *CHANGE authority to the ARLST1 authorization list.

Analysis: This example demonstrates that authorization lists can make authorities easy to manage and provide good performance. This is particularly true if objects secured by the authorization list do not have any private authorities. If AMESJ were a member of a group profile, that would add steps to this example, but it would not add another search of private authorities, as long as no private authorities are defined for the ARWRK01 file. Performance problems are most likely to occur when private authorities, authorization lists, and group profiles are combined, as in Case 11: Combining authorization methods on page 195.

Case 10: Using multiple groups


This is an example of using multiple groups. WOODBC needs *CHANGE authority to the CRLIM file. WOODBC is a member of three groups: DPTAR, DPTSM, and DPTMG. DPTAR is the first group profile (GRPPRF). DPTSM and DPTMG are supplemental group profiles (SUPGRPPRF). Figure 25 shows the authorities for the CRLIM file:

                          Display Object Authority
Object . . . . . . . :   CRLIM           Owner . . . . . . . :   OWNAR
  Library  . . . . . :   CUSTLIB         Primary group . . . :   DPTAR
Object type  . . . . :   *FILE           ASP device  . . . . :   *SYSBAS

Object secured by authorization list  . . . . . . . . . . . . :   *NONE

                         Object
User         Group       Authority
OWNAR                    *ALL
DPTAR                    *CHANGE
DPTSM                    *USE
*PUBLIC                  *EXCLUDE

Figure 25. Authority for the CRLIM file

These are the authority checking steps:

1. Flowchart 1, step 1.
   a. Flowchart 2, step 1. Return to the calling flowchart with insufficient authority.
2. Flowchart 1, step 2.
   a. Flowchart 3, steps 1 and 2. Object to check = CUSTLIB/CRLIM *FILE.
   b. Flowchart 3, step 3.
      1) Flowchart 4, step 1. WOODBC does not own the CRLIM file. Return to Flowchart 3 with no authority found.
   c. Flowchart 3, step 4.
      1) Flowchart 5, steps 1, 2, and 3. Public authority is not sufficient.
   d. Flowchart 3, step 5.
   e. Flowchart 3, step 6. WOODBC does not have any authority to the CRLIM file.
   f. Flowchart 3, steps 7 and 8. The CRLIM file is not secured by an authorization list. Return to Flowchart 1 with no authority found.
3. Flowchart 1, steps 3 and 4. The first group for WOODBC is DPTAR.
   a. Flowchart 6, steps 1 and 2. Object to check = CUSTLIB/CRLIM *FILE.
   b. Flowchart 6, step 3.
      1) Flowchart 4, step 1. DPTAR does not own the CRLIM file. Return to Flowchart 6 with no authority found.
   c. Flowchart 6, steps 4 and 5. Authorized. DPTAR is the primary group and has sufficient authority.

Case 11: Combining authorization methods


This case shows a poor authority design. WAGNERB needs *ALL authority to the CRLIMWRK file. WAGNERB is a member of these groups: DPTSM, DPT702, and DPTAR. WAGNERB's first group (GRPPRF) is DPTSM. Figure 26 shows the authority for the CRLIMWRK file.

                          Display Object Authority
Object . . . . . . . :   CRLIMWRK        Owner . . . . . . . :   OWNAR
  Library  . . . . . :   CUSTLIB         Primary group . . . :   *NONE
Object type  . . . . :   *FILE           ASP device  . . . . :   *SYSBAS

Object secured by authorization list  . . . . . . . . . . . . :   CRLST1

                         Object
User         Group       Authority
OWNAR                    *ALL
DPTSM                    *USE
WILSONJ                  *EXCLUDE
*PUBLIC                  *USE

Figure 26. Authority for CRLIMWRK file

The CRLIMWRK file is secured by the CRLST1 authorization list. Figure 27 shows the authority for the CRLST1 authorization list.

                          Display Authorization List
Object . . . . . . . :   CRLST1          Owner . . . . . . . :   OWNAR
  Library  . . . . . :   QSYS            Primary group . . . :   DPTAR

                         Object       List
User         Group       Authority    Mgt
OWNAR                    *ALL         X
DPTAR                    *ALL
*PUBLIC                  *EXCLUDE

Figure 27. Authority for the CRLST1 authorization list

This example shows many of the possibilities for authority checking. It also demonstrates how using too many authority options for an object can result in poor performance. Following are the steps required to check WAGNERB's authority to the CRLIMWRK file:
1. Flowchart 1, step 1.
   a. Flowchart 2, step 1.
2. Flowchart 1, step 2.
   a. Flowchart 3, steps 1 and 2. Object to check = CUSTLIB/CRLIMWRK *FILE.
   b. Flowchart 3, step 3.
      1) Flowchart 4, step 1. WAGNERB does not own the CRLIMWRK file. Return to Flowchart 3 with no authority found.
   c. Flowchart 3, step 4.
      1) Flowchart 5, steps 1 and 2. WILSONJ has *EXCLUDE authority, which is less than the public authority of *USE.
   d. Flowchart 3, steps 5 and 6 (first search of private authorities). WAGNERB does not have private authority.
   e. Flowchart 3, steps 7 and 9. Object to check = CRLST1 *AUTL.
   f. Flowchart 3, step 3.
      1) Flowchart 4, step 1. WILSONJ does not own CRLST1. Return to Flowchart 3 with no authority found.
   g. Flowchart 3, steps 4 and 5.
   h. Flowchart 3, step 6 (second search of private authorities). WAGNERB does not have private authority to CRLST1.
   i. Flowchart 3, steps 7 and 8. Object to check = CUSTLIB/CRLIMWRK *FILE.
3. Flowchart 1, steps 3 and 4. WAGNERB's first group profile is DPTSM.
   a. Flowchart 6, steps 1 and 2. Object to check = CUSTLIB/CRLIMWRK *FILE.
   b. Flowchart 6, step 3.
      1) Flowchart 4, step 1. DPTSM does not own the CRLIMWRK file. Return to Flowchart 6 with no authority found.
   c. Flowchart 6, step 4. DPTSM is not the primary group for the CRLIMWRK file.
   d. Flowchart 6, step 6 (third search of private authorities). DPTSM has *USE authority to the CRLIMWRK file, which is not sufficient.
   e. Flowchart 6, step 6 continued. *USE authority is added to any authorities already found for WAGNERB's groups (none). Sufficient authority has not yet been found.
   f. Flowchart 6, steps 9 and 10. WAGNERB's next group is DPT702.
   g. Flowchart 6, steps 1 and 2. Object to check = CUSTLIB/CRLIMWRK *FILE.
   h. Flowchart 6, step 3.
      1) Flowchart 4, step 1. DPT702 does not own the CRLIMWRK file. Return to Flowchart 6 with no authority found.
   i. Flowchart 6, step 4. DPT702 is not the primary group for the CRLIMWRK file.
   j. Flowchart 6, step 6 (fourth search of private authorities). DPT702 has no authority to the CRLIMWRK file.
   k. Flowchart 6, steps 7 and 8. Object to check = CRLST1 *AUTL.
   l. Flowchart 6, step 3.
      1) Flowchart 5, step 1. DPT702 does not own the CRLST1 authorization list. Return to Flowchart 6 with no authority found.
   m. Flowchart 6, steps 4 and 6 (fifth search of private authorities). DPT702 has no authority to the CRLST1 authorization list.
   n. Flowchart 6, steps 7, 9, and 10. DPTAR is WAGNERB's next group profile.
   o. Flowchart 6, steps 1 and 2. Object to check = CUSTLIB/CRLIMWRK *FILE.
   p. Flowchart 6, step 3.
      1) Flowchart 4, step 1. DPTAR does not own the CRLIMWRK file. Return to Flowchart 6 with no authority found.
   q. Flowchart 6, steps 4 and 6 (sixth search of private authorities). DPTAR has no authority to the CRLIMWRK file.
   r. Flowchart 6, steps 7 and 8. Object to check = CRLST1 *AUTL.
   s. Flowchart 6, step 3.
      1) Flowchart 4, step 1. DPTAR does not own the CRLST1 authorization list. Return to Flowchart 6 with no authority found.
   t. Flowchart 6, steps 4 and 5. Authorized. DPTAR is the primary group for the CRLST1 authorization list and has *ALL authority.

Result: WAGNERB is authorized to perform the requested operation using DPTAR's primary group authority to the CRLST1 authorization list.

Analysis: This example demonstrates poor authority design, both from a management and performance standpoint. Too many options are used, making it difficult to understand, change, and audit. Private authorities are searched 6 separate times, which might cause noticeable performance problems:

Profile     Object      Type     Result
WAGNERB     CRLIMWRK    *FILE    No authority found
WAGNERB     CRLST1      *AUTL    No authority found
DPTSM       CRLIMWRK    *FILE    *USE authority (insufficient)
DPT702      CRLIMWRK    *FILE    No authority found
DPT702      CRLST1      *AUTL    No authority found
DPTAR       CRLIMWRK    *FILE    No authority found

Changing the sequence of WAGNERB's group profiles changes the performance characteristics of this example. Assume that DPTAR is WAGNERB's first group profile (GRPPRF). The system searches private authorities 3 times before finding DPTAR's primary group authority to the CRLST1 authorization list:
- WAGNERB authority for CRLIMWRK file
- WAGNERB authority for CRLST1 authorization list
- DPTAR authority for CRLIMWRK file

Careful planning of group profiles and authorization lists is essential to good system performance.
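The following simulation, added here as an illustration and not part of the IBM manual, replays the authority-checking sequence of Case 11 as the steps above describe it (special authority, the user's own authority, ownership, public authority, primary group, private authorities, authorization lists, and groups in GRPPRF order) and counts the private-authority searches. It assumes a simplified authority ranking (*EXCLUDE < *USE < *CHANGE < *ALL) instead of the individual object-authority bits, and leaves adopted authority out; the class and function names are the example's own.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# Simplified ranking; individual object-authority bits (*OBJOPR, *READ, ...) are not modelled.
RANK = {"*EXCLUDE": 0, "*USE": 1, "*CHANGE": 2, "*ALL": 3}


@dataclass
class Profile:
    name: str
    groups: List[str] = field(default_factory=list)  # GRPPRF first, then supplemental groups
    special: Set[str] = field(default_factory=set)   # special authorities, e.g. {"*ALLOBJ"}


@dataclass
class SecuredObject:
    name: str                                   # e.g. "CUSTLIB/CRLIMWRK *FILE"
    owner: str
    public: str = "*EXCLUDE"
    owner_auth: str = "*ALL"
    primary_group: Optional[str] = None
    primary_group_auth: Optional[str] = None
    private: Dict[str, str] = field(default_factory=dict)  # profile -> private authority
    autl: Optional["SecuredObject"] = None      # authorization list securing the object


def higher(a: Optional[str], b: Optional[str]) -> Optional[str]:
    """Accumulate group authorities: keep the higher of two (None = none found)."""
    if a is None or b is None:
        return a if b is None else b
    return a if RANK[a] >= RANK[b] else b


class AuthorityChecker:
    def __init__(self, profiles: List[Profile]):
        self.profiles = {p.name: p for p in profiles}
        self.searches: List[Tuple[str, str]] = []  # one entry per private-authority search

    def sufficient(self, auth: Optional[str], required: str) -> bool:
        return auth is not None and RANK[auth] >= RANK[required]

    def private_search(self, who: str, obj: SecuredObject) -> Optional[str]:
        self.searches.append((who, obj.name))
        return obj.private.get(who)

    def user_authority(self, who: str, obj: SecuredObject, required: str) -> Optional[str]:
        """Flowchart 3: the user's own authority to the object, then to its AUTL."""
        if obj.owner == who:                                   # step 3 (Flowchart 4)
            return obj.owner_auth
        # step 4 (Flowchart 5): public authority is used only when it is sufficient and
        # no private authority on the object is lower than the public authority
        if self.sufficient(obj.public, required) and all(
                RANK[a] >= RANK[obj.public] for a in obj.private.values()):
            return obj.public
        found = self.private_search(who, obj)                  # steps 5 and 6
        if found is not None:        # used even if insufficient; the AUTL is then not checked
            return found
        if obj.autl is not None:                               # steps 7 and 9
            return self.user_authority(who, obj.autl, required)
        return None                                            # steps 7 and 8

    def group_authority(self, grp: str, obj: SecuredObject, required: str) -> Optional[str]:
        """Flowchart 6 for one group: ownership, primary group, private authority, AUTL."""
        if obj.owner == grp:                                   # step 3 (Flowchart 4)
            return obj.owner_auth
        best = None
        if obj.primary_group == grp:                           # steps 4 and 5
            best = obj.primary_group_auth
            if self.sufficient(best, required):
                return best
        found = self.private_search(grp, obj)                  # step 6
        if found is not None:        # a private authority means the AUTL is not checked
            return higher(best, found)
        if obj.autl is not None:                               # steps 7 and 8
            return higher(best, self.group_authority(grp, obj.autl, required))
        return best

    def check(self, who: str, obj: SecuredObject, required: str) -> Tuple[bool, str]:
        """Flowchart 1 without adopted authority. Returns (authorized, reason)."""
        self.searches.clear()
        user = self.profiles[who]
        if "*ALLOBJ" in user.special:                          # step 1 (Flowchart 2)
            return True, "*ALLOBJ special authority"
        found = self.user_authority(who, obj, required)        # step 2
        if found is not None:        # any user authority found: groups are not checked
            return self.sufficient(found, required), f"{who} authority {found}"
        accumulated = None                                     # steps 3 and 4
        for grp in user.groups:
            accumulated = higher(accumulated, self.group_authority(grp, obj, required))
            if self.sufficient(accumulated, required):
                return True, f"group {grp}"
        return False, "no sufficient authority found"


def case11(group_order=("DPTSM", "DPT702", "DPTAR")):
    """Figures 26 and 27: CRLIMWRK secured by CRLST1; WAGNERB needs *ALL authority."""
    crlst1 = SecuredObject("CRLST1 *AUTL", owner="OWNAR", public="*EXCLUDE",
                           primary_group="DPTAR", primary_group_auth="*ALL")
    crlimwrk = SecuredObject("CUSTLIB/CRLIMWRK *FILE", owner="OWNAR", public="*USE",
                             private={"DPTSM": "*USE", "WILSONJ": "*EXCLUDE"}, autl=crlst1)
    checker = AuthorityChecker([Profile("WAGNERB", list(group_order))])
    ok, why = checker.check("WAGNERB", crlimwrk, "*ALL")
    return ok, why, list(checker.searches)
```

Calling case11() with the shipped group order reproduces the six searches in the table above; calling it with DPTAR first reproduces the three-search sequence.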

Authority cache
The system creates authority caches for users to provide flexibility and performance enhancement. Since Version 3, Release 7, the system creates an authority cache for a user the first time the user accesses an object. Each time the object is accessed, the system looks for authority in the user's cache before looking at the user's profile. This results in a faster check for private authority. The authority cache contains up to 32 private authorities to objects and up to 32 private authorities to authorization lists. The cache is updated when a user authority is granted or revoked. All user caches are cleared when the system IPL is performed. While limited use of private authorities is recommended, the cache offers flexibility. For example, you can choose how to secure objects with less concern about the effect on system performance. This is especially true if users access the same objects repeatedly.


Chapter 6. Work management security


This section discusses security issues associated with work management on the system. The following issues are described in this section.

Related information
Work management

Job initiation
The system checks the authority to some objects when a job is started. When you start a job on the system, objects are associated with the job, such as an output queue, a job description, and the libraries on the library list. Authority to some of these objects is checked before the job is allowed to start, while authority to other objects is checked after the job starts. Inadequate authority might cause errors or cause the job to end. Objects that are part of the job structure for a job can be specified in the job description, the user profile, and on the Submit Job (SBMJOB) command for a batch job.

Starting an interactive job


This topic describes the security activity performed when an interactive job is started. Because many possibilities exist for specifying the objects used by a job, this is only an example.

When an authority failure occurs during the sign-on process, a message appears at the bottom of the Sign On display describing the error. Some authority failures also cause a job log to be written. If a user is unable to sign on because of an authority failure, either change the user's profile to specify a different object or grant the user authority to the object.

After the user enters a user ID and password, these steps are performed before a job is actually started on the system:
1. The user profile and password are verified. The status of the user profile must be *ENABLED. The user profile that is specified on the sign-on display must have *OBJOPR and *CHANGE authority to itself.
2. The user's authority to use the workstation is checked. See Workstations on page 201 for details.
3. The system verifies authority for the values in the user profile and in the user's job description that are used to build the job structure, such as:
   - Job description
   - Output queue
   - Current library
   - Libraries in library list
   If any of these objects does not exist or the user does not have adequate authority, a message is displayed at the bottom of the Sign On display, and the user is unable to sign on. If authority is successfully verified for these objects, the job is started on the system.

Note: Authority to the print device and job queue is not verified until the user attempts to use them.

After the job is started, these steps are performed before the user sees the first display or menu:
1. If the routing entry for the job specifies a user program, normal authority checking is done for the program, the program library, and any objects used by the program. If authority is not adequate, a message is sent to the user on the Sign On display and the job ends.
2. If the routing entry specifies the command processor (QCMD):
   a. Authority checking is done for the QCMD processor program, the program library, and any objects used, as described in step 1.
   b. The user's authority to the Attention-key-handling program and library is checked. If authority is not adequate, a message is sent to the user and written to the job log. Processing continues. If authority is adequate, the Attention-key-handling program is activated. The program is not started until the first time the user presses the Attention key. At that time, normal authority checking is done for the objects used by the program.
   c. Normal authority checking is done for the initial program (and its associated objects) specified in the user profile. If authority is adequate, the program is started. If authority is not adequate, a message is sent to the user and written to the job log. The job ends.
   d. Normal authority checking is done for the initial menu (and its associated objects) specified in the user profile. If authority is adequate, the menu is displayed. If authority is not adequate, a message is sent to the user and written to the job log. The job ends.

Starting a batch job


This topic includes a description of the security activity performed when a batch job is started. Because several methods exist for submitting batch jobs and for specifying the objects used by the job, this is only a guideline. This example uses a job submitted from an interactive job using the Submit Job (SBMJOB) command.

When you enter the SBMJOB command, this checking is performed before the job is added to the job queue:
1. If you specify a user profile on the SBMJOB command, you must have *USE authority to the user profile.
2. Authority is checked for objects specified as parameters on the SBMJOB command and in the job description. Authority is checked for the user profile the job will run under.
3. If the security level is 40 or 50 and the SBMJOB command specifies USER(*JOBD), the user submitting the job must have *USE authority to the user profile in the job description.
4. If an object does not exist or if authority is not adequate, a message is sent to the user and the job is not submitted.

When the system selects the job from the job queue and attempts to start the job, the authority checking sequence is similar to the sequence for starting an interactive job.

Adopted authority and batch jobs


You can change the parameters for a batch job when it is running under adopted authority. When a new job is started, a new call stack is created for the job. Adopted authority cannot take effect until the first program is added to the call stack. Adopted authority cannot be used to gain access to any objects, such as an output queue or a job description, which are added to the job structure before the job is routed. Therefore, even if your interactive job is running under adopted authority when you submit a job, that adopted authority is not used when authority is checked for the objects on your SBMJOB request. You can change characteristics of a batch job when it is waiting to run, using the Change Job (CHGJOB) command. See Job commands for the authority that is required to change parameters for a job.


Workstations
The system performs authority checking for a workstation when you sign on. A device description contains information about a particular device or logical unit that is attached to the system. When you sign on the system, your workstation is attached to either a physical or virtual device description. To successfully sign on, you must have *CHANGE authority to the device description. The QLMTSECOFR (limit security officer) system value controls whether users with *ALLOBJ or *SERVICE special authority must be specifically authorized to device descriptions. Figure 28 on page 202 shows the logic for determining whether a user is allowed to sign on at a device:

Figure 28. Authority checking for workstations

Note: Normal authority checking is performed to determine whether the user has at least *CHANGE authority to the device description. *CHANGE authority can be found by using the following authorities:
- *ALLOBJ special authority from the user profile, group profile, or supplemental group profiles.
- Private authority to the device description in the user profile, the group profile, or supplemental group profiles.
- Authority to an authorization list used to secure the device description.
- Authority to an authorization list used to secure the public authority.


Authority checking for the device description is done before any programs are in the call stack for the job; therefore, adopted authority does not apply.

Description of authority checking for workstations

The system determines the user's authority to the workstation (see note 1). If the authority is less than *CHANGE, the sign-on fails. If the authority is *CHANGE or greater, the system checks whether the security level on the system is 30 or higher. If it is not, the user is allowed to sign on.

If the security level is 30 or higher, the system checks whether the user has *ALLOBJ or *SERVICE special authority. If the user has neither of these special authorities, sign-on is allowed. If the user has either *ALLOBJ or *SERVICE special authority, the system checks whether the QLMTSECOFR system value is set to 1. If it is not set to 1, sign-on is allowed.

If the QLMTSECOFR system value is set to 1, the system tests the user's own authority to the workstation. If the user's authority is *CHANGE or higher, sign-on is allowed. If the user's authority is less than *CHANGE, sign-on fails. If the user has no authority to the workstation, the system checks the user's group authority to the workstation. If the user's group authority is *CHANGE or higher, sign-on is allowed. If the user's group authority is less than *CHANGE, sign-on fails. If the user's group has no authority to the workstation, the system checks whether the user has *SERVICE but not *ALLOBJ special authority. If the user has *SERVICE but not *ALLOBJ special authority, sign-on fails. If the user has *ALLOBJ special authority, the system checks whether QSECOFR has *CHANGE or higher authority to the workstation. If QSECOFR does not have *CHANGE or higher, sign-on fails. If QSECOFR has *CHANGE or higher, sign-on is allowed.

The security officer (QSECOFR), service (QSRV), and basic service (QSRVBAS) user profiles are always allowed to sign on at the console. The QCONSOLE (console) system value is used to determine which device is the console. If the QSRV or QSRVBAS profile attempts to sign on at the console and does not have *CHANGE authority, the system grants *CHANGE authority to the profile and allows sign-on.
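The decision sequence just described, written out as a function so it can be exercised against individual cases (for example, QSECOFR at a non-console device with QLMTSECOFR set to 1). This is an added example, not code from the IBM manual; it assumes the simplified rule that a user's private authority overrides group authority, which overrides public authority, and uses a rank order *EXCLUDE < *USE < *CHANGE < *ALL in place of the individual authority bits.

```python
from dataclasses import dataclass, field
from typing import Optional, Set, Tuple

RANK = {"*EXCLUDE": 0, "*USE": 1, "*CHANGE": 2, "*ALL": 3}
CONSOLE_PROFILES = {"QSECOFR", "QSRV", "QSRVBAS"}   # always allowed at the console


@dataclass
class SignOnAttempt:
    """Constructed inputs for one sign-on attempt at a device description."""
    user: str
    special: Set[str] = field(default_factory=set)   # e.g. {"*ALLOBJ"} or {"*SERVICE"}
    private_auth: Optional[str] = None   # user's own private authority to the device
    group_auth: Optional[str] = None     # group or supplemental group authority to the device
    public_auth: str = "*CHANGE"         # *PUBLIC authority (CRTDEVxxx default is *CHANGE)
    qsecofr_auth: Optional[str] = None   # QSECOFR's private authority to the device
    security_level: int = 40             # QSECURITY system value
    qlmtsecofr: str = "1"                # QLMTSECOFR system value
    at_console: bool = False             # device is the one named by QCONSOLE


def at_least_change(auth: Optional[str]) -> bool:
    return auth is not None and RANK[auth] >= RANK["*CHANGE"]


def normal_authority(a: SignOnAttempt) -> Optional[str]:
    """Note 1: *CHANGE can come from *ALLOBJ, a private authority, a group, or *PUBLIC."""
    if "*ALLOBJ" in a.special:
        return "*ALL"
    if a.private_auth is not None:       # assumed: private authority overrides group/public
        return a.private_auth
    if a.group_auth is not None:
        return a.group_auth
    return a.public_auth


def sign_on_allowed(a: SignOnAttempt) -> Tuple[bool, str]:
    """Figure 28 logic as described in the text. Returns (allowed, reason)."""
    if a.at_console and a.user in CONSOLE_PROFILES:
        return True, "QSECOFR, QSRV and QSRVBAS may always sign on at the console"
    if not at_least_change(normal_authority(a)):
        return False, "less than *CHANGE authority to the device description"
    if a.security_level < 30:
        return True, "security level is below 30"
    if not (a.special & {"*ALLOBJ", "*SERVICE"}):
        return True, "user has neither *ALLOBJ nor *SERVICE special authority"
    if a.qlmtsecofr != "1":
        return True, "QLMTSECOFR is not set to 1"
    # QLMTSECOFR(1): *ALLOBJ and *SERVICE users need explicit authority to the device
    if a.private_auth is not None:
        return at_least_change(a.private_auth), "user's own authority to the device"
    if a.group_auth is not None:
        return at_least_change(a.group_auth), "group's authority to the device"
    if "*ALLOBJ" not in a.special:
        return False, "*SERVICE without *ALLOBJ and no explicit authority"
    if at_least_change(a.qsecofr_auth):
        return True, "QSECOFR has *CHANGE or higher to the device"
    return False, "*ALLOBJ user without explicit authority and QSECOFR lacks *CHANGE"
```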

Ownership of device descriptions


You can specify the ownership of device descriptions to control the authority to the devices. The default public authority on the CRTDEVxxx commands is *CHANGE. Devices are created in the library QSYS, which is shipped with a CRTAUT value of *SYSVAL. The shipped value for the QCRTAUT system value is *CHANGE. To limit the users who can sign on at a workstation, set the public authority for the workstation to *EXCLUDE and give *CHANGE authority to specific users or groups. The security officer (QSECOFR) is not specifically given authority to any devices. If the QLMTSECOFR system value is set to 1 (YES), you must give the security officer *CHANGE authority to devices. Anyone with *OBJMGT and *CHANGE authority to a device can give *CHANGE authority to another user. If a device description is created by the security officer, the security officer owns that device and is specifically given *ALL authority to it. When the system automatically configures devices, most devices are owned by the QPGMR profile. Devices created by the QLUS program (*APPC type devices) are owned by the QSYS profile.


If you plan to use the QLMTSECOFR system value to limit where the security officer can sign on, any devices you create should be owned by a profile other than QSECOFR. To change ownership of a display device description, the device must be powered on and varied on. Sign on at the device and change the ownership using the CHGOBJOWN command. If you are not signed on at the device, you must allocate the device before changing ownership, using the Allocate Object (ALCOBJ) command. You can allocate the device only if no one is using it. After you have changed ownership, deallocate the device using the Deallocate Object (DLCOBJ) command.

Signon screen display file


The system administrator can change the system signon display to add text or company logo to the display. When changing the signon screen display file, the system administrator must make sure not to change the field names or buffer lengths of the display file when adding text to the display file. Changing the field names or buffer lengths can cause signon to fail.

Changing the signon screen display


You can change the source code for the signon display file to change the screen display. The source code for the signon display file is shipped with the operating system. The source is shipped in file QSYS/QAWTSSRC. This source code can be changed to add text to the signon screen display. Field names and buffer lengths should not be changed.

Display file source for the signon screen


You need to copy the appropriate source file to create your own signon screen display. The source for the signon display file is shipped as a member (QDSIGNON or QDSIGNON2) in the QSYS/QAWTSSRC physical file. QDSIGNON contains the source for the signon screen source used when system value QPWDLVL is set to 0 or 1. Member QDSIGNON2 contains the signon screen source used when the system value QPWDLVL is set to 2 or 3. The file QSYS/QAWTSSRC is deleted and restored each time the i5/OS operating system is installed. If you plan to create your own version of the signon screen, then you should first copy the appropriate source file member, either QDSIGNON or QDSIGNON2, to your own source file and make changes to the copy in your source file.

Changing the signon display file


This topic includes the steps for changing the signon display file. To change the format of the Signon display, perform the following steps:
1. Create a changed signon display file. A hidden field in the display file named UBUFFER can be changed to manage smaller fields. UBUFFER is 128 bytes long and is stated as the last field in the display file. This field can be changed to function as an input/output buffer so the data specified in this field of the display will be available to application programs when the interactive job is started. You can change the UBUFFER field to contain as many smaller fields as you need if the following requirements are met:
   - The new fields must follow all other fields in the display file. The location of the fields on the display does not matter as long as the order in which they are put in the data description specifications (DDS) meets this requirement.
   - The length must total 128. If the length of the fields is more than 128, some of the data will not be passed to the application.
   - All fields must be input/output fields (type B in DDS source) or hidden fields (type H in DDS source).
2. The order in which the fields in the signon display file are declared must not be changed. The position in which they are shown on the display can be changed.
3. Do not change the existing field names in the source for the signon screen display file.
4. Do not change the total size of the input or output buffers. Serious problems can occur if the order or size of the buffers is changed.
5. Do not use the data description specifications (DDS) help function in the signon display file.
6. Change a subsystem description to use the changed display file instead of the system default of QSYS/QDSIGNON. You can change the subsystem descriptions for subsystems that you want to use the new display. To change the subsystem description, perform the following steps:
   a. Use the Change Subsystem Description (CHGSBSD) command.
   b. Specify the new display file on the SGNDSPF parameter.
   c. Use a test version of a subsystem to verify that the display is valid before attempting to change the controlling subsystem.
7. Test the change. Change the other subsystem descriptions.

Notes:
1. The buffer length for the display file must be 318. If it is less than 318, the subsystem uses the default sign-on display: QDSIGNON in library QSYS when system value QPWDLVL is 0 or 1, and QDSIGNON2 in library QSYS when QPWDLVL is 2 or 3.
2. The copyright line cannot be deleted.

Subsystem descriptions
The subsystem descriptions perform several functions on the system. Subsystem descriptions control:
- How jobs enter your system
- How jobs are started
- Performance characteristics of jobs

Only a few users should be authorized to change subsystem descriptions, and changes should be carefully monitored.

Related concepts
Signing on without a user ID and password on page 16
  Your security level determines how the system controls signing on without a user ID and password.

Controlling how jobs enter the system


You can use the subsystem descriptions to control how jobs enter the system. Several subsystem descriptions are shipped with your system. After you have changed your security level (QSECURITY system value) to level 20 or higher, signing on without entering a user ID and password is not allowed with the subsystems shipped by IBM. However, defining a subsystem description and job description combination that allows default sign-on (no user ID and password) is possible and represents a security exposure.

When the system routes an interactive job, it looks at the workstation entry in the subsystem description for a job description. If the job description specifies USER(*RQD), the user must enter a valid user ID (and password) on the Sign On display. If the job description specifies a user profile in the User field, anyone can press the Enter key to sign on as that user. At security levels 30 and higher, the system logs an entry (type AF, sub-type S) in the audit journal if default signon is attempted and the auditing function is active. At security level 40 and higher, the system does not permit default signon, even if a combination of workstation entry and job description exists that allows it. See Signing on without a user ID and password on page 16 for more information.

Make sure all workstation entries for interactive subsystems refer to job descriptions with USER(*RQD). Control the authority to change job descriptions and monitor any changes that are made to job descriptions. If the auditing function is active, the system writes a JD type journal entry every time the USER parameter in a job description is changed.

Communications entries in a subsystem description control how communications jobs enter your system. A communications entry points to a default user profile, which allows a job to be started without a user ID and password. This represents a potential security exposure. Evaluate the communications entries on your system and use network attributes to control how communications jobs enter your system. Network attributes on page 214 discusses the network attributes that are important for security.

Job descriptions
A job description is a valuable tool for security and work management. You can also set up a job description for a group of users who need the same initial library list, output queue, and job queue. You can set up a job description for a group of batch jobs that have similar requirements.

A job description also represents a potential security exposure. In some cases, a job description that specifies a profile name for the USER parameter can allow a job to enter the system without appropriate security checking. Controlling how jobs enter the system on page 205 discusses how this can be prevented for interactive and communications jobs.

When a batch job is submitted, the job might run using a different profile other than the user who submitted the job. The profile can be specified on the SBMJOB command, or it can come from the USER parameter of the job description. If your system is at security level (QSECURITY system value) 30 or lower, the user submitting a job needs authority to the job description but not to the user profile specified on the job description. This represents a security exposure. At security level 40 and higher, the submitter needs authority to both the job description and the user profile. For example:
- USERA is not authorized to file PAYROLL.
- USERB has *USE authority to the PAYROLL file and to program PRLIST, which lists the PAYROLL file.
- Job description PRJOBD specifies USER(USERB). Public authority for PRJOBD is *USE.

At security level 30 or lower, USERA can list the payroll file by submitting a batch job:
SBMJOB RQSDTA("Call PRLIST") JOBD(PRJOBD) + USER(*JOBD)

You can prevent this by using security level 40 and higher or by controlling the authority to job descriptions that specify a user profile. Sometimes, a specific user profile name in a job description is required for certain types of batch work to function properly. For example, the QBATCH job description is shipped with USER(QPGMR). This job description is shipped with the public authority of *EXCLUDE.


If your system is at security level 30 or lower, any user on the system who has authority to the Submit Job (SBMJOB) command or the start reader commands, and has *USE authority to the QBATCH job description, can submit work under the programmer (QPGMR) user profile, whether or not the user has authority to the QPGMR profile. At security level 40 and higher, *USE authority to the QPGMR profile is also required.

System operator message queue


You can specify the authorities to control access to the system operator message queue. The i5/OS Operational Assistant (ASSIST) menu provides an option to manage your system, users, and devices. The Manage Your System, Users, and Devices menu provides an option to work with system operator messages. You might want to prevent users from responding to messages in the QSYSOPR (system operator) message queue. Incorrect responses to system operator messages can cause problems on your system. Responding to messages requires *USE and *ADD authorities to the message queue. Removing messages requires *USE and *DLT authorities (see Message commands). Give the authority to respond to and remove messages in QSYSOPR only to users with system operator responsibility. Public authority to QSYSOPR should be *OBJOPR and *ADD, which allows adding new messages to QSYSOPR.

Attention: All jobs need the ability to add new messages to the QSYSOPR message queue. Do not make the public authority to QSYSOPR *EXCLUDE.

Library lists
The library list for a job indicates which libraries are to be searched and the order in which they are to be searched. When a program specifies an object, the object can be specified with a qualified name, which includes both the object name and the library name. Or, the library for the object can be specified as *LIBL (library list). The libraries on the library list are searched, in order, until the object is found. Table 125 summarizes the parts of the library list and how they are built during a job. The sections that follow discuss the risks and protection measures for library lists.
Table 125. Parts of the library list. The library list is searched in this sequence:

System portion (15 entries)
  Initially built using the QSYSLIBL system value. Can be changed during a job with the CHGSYSLIBL command.

Product library portion (2 entries)
  Initially blank. A library is added to the product library portion of the library list when a command or menu runs that was created with a library in the PRDLIB parameter. The library remains in the product library portion of the library list until the command or menu ends.

Current library (1 entry)
  Specified in the user profile or on the Sign On display. Can be changed when a command or menu runs that specifies a library for the CURLIB parameter. Can be changed during the job with the CHGCURLIB command.

User portion (250 entries)
  Initially built using the initial library list from the user's job description. If the job description specifies *SYSVAL, the QUSRLIBL system value is used. During a job, the user portion of the library list can be changed with the ADDLIBLE, RMVLIBLE, CHGLIBL, and EDTLIBL commands.


Related concepts
Library security and library lists on page 135
  When a library is added to a user's library list, the authority the user has to the library is stored with the library list information.
Planning libraries on page 225
  A library is like a directory used to locate the objects in the library. Many factors affect how you choose to group your application information into libraries and manage libraries.

Security risks of library lists


This topic gives specific examples of the possible security exposures of library lists and how to avoid them. Library lists represent a potential security exposure. If a user is able to change the sequence of libraries on the library list, or add additional libraries to the list, the user might be able to perform functions that break your security requirements. Library security and library lists on page 135 provides some general information about the issues associated with library lists. This section provides two examples of how changes to a library list might break security requirements.

Change in function
This example shows the possible risk of a change in function when calling a program in the library. Figure 29 shows an application library. Program A calls Program B, which is expected to be in LIBA. Program B performs updates to File A. Program B is called without a qualified name, so the library list is searched until Program B is found.

Figure 29. Library list: expected environment

A programmer or another knowledgeable user might place another Program B in the library LIBB. The substitute program might perform different functions, such as making a copy of confidential information or updating files incorrectly. If LIBB is placed ahead of LIBA in the library list, the substitute Program B is run instead of the original Program B, because the program is called without a qualified name:


Figure 30. Library list: actual environment

Unauthorized access to information


The example demonstrates the potential risk of unauthorized access to information in the library. Assume Program A in Figure 29 on page 208 adopts the authority of USER1, who has *ALL authority to File A. Assume that Program B is called by Program A (adopted authority remains in effect). A knowledgeable user can create a substitute Program B that just calls the command processor. The user will have a command line and complete access to File A.

Recommendations for system portion of library list


This topic provides the recommendations for the system portion of the library list. The system portion of the library list is intended for IBM-supplied libraries. Application libraries that are carefully controlled can also be placed in the system portion of the library list. The system portion of the library list represents the greatest security exposure, because the libraries in this part of the list are searched first.

Only a user with *ALLOBJ and *SECADM special authority can change the QSYSLIBL system value. Control and monitor any changes to the system portion of the library list. Follow these guidelines when adding libraries:
- Only libraries that are specifically controlled should be placed on this list.
- The public should not have *ADD authority to these libraries.
- A few IBM-supplied libraries, such as QGPL, are shipped with public authority *ADD for production reasons. Regularly monitor what objects (particularly programs, source files, and commands) are added to these libraries.

The CHGSYSLIBL command is shipped with public authority *EXCLUDE. Only users with *ALLOBJ authority are authorized to the command, unless you grant authority to other users. If the system library list needs to be changed temporarily during a job, you can use the technique described in the topic Changing the system library list on page 227.

Recommendations for product library


In this topic you will find the recommendations for protecting the product library. The product library portion of the library list is searched before the user portion. A knowledgeable user can create a command or menu that inserts a product library into the library list. For example, this statement creates CMDX, which runs program PGMA:
CRTCMD CMDX PGM(PGMA) PRDLIB(LIBB)

As long as CMDX is running, LIBB is in the product portion of the library list. Use these measures to protect the product portion of the library list:
- Control authority to the Create Command (CRTCMD), Change Command (CHGCMD), Create Menu (CRTMNU), and Change Menu (CHGMNU) commands.
- When you create commands and menus, specify PRDLIB(*NONE), which removes any entries currently in the product portion of the library list. This protects you from having unknown libraries searched ahead of the library you expect when your command or menu runs.

Note: The default when you create a command or menu is PRDLIB(*NOCHG). *NOCHG means that when the command or menu is run, the product library portion of the library list is not changed.

Recommendations for the current library


This topic provides the recommendations to ensure the security of your system when using the current library. The current library can be used by decision-support tools, such as Query/400. Any query programs created by a user are, by default, placed in the user's current library. When you create a menu or command, you can specify a current library to be used while the menu is active. The current library provides an easy method for the user and the programmer to create new objects, such as query programs, without worrying about where they should be located. However, the current library poses a security risk, because it is searched before the user portion of the library list. You can take several precautions to protect the security of your system while still making use of the current library capability:
- Specify *YES for the Limit capabilities field in the user profile. This prevents a user from changing the current library on the Sign On display or using the CHGPRF command.
- Restrict authority to the Change Current Library (CHGCURLIB), Create Menu (CRTMNU), Change Menu (CHGMNU), Create Command (CRTCMD), and Change Command (CHGCMD) commands.
- Use the technique described in Controlling the user library list on page 227 to set the current library during application processing.
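The CL sequence below is an added illustration, not taken from the manual, that applies the product-library and current-library recommendations above to a single application command. APPLIB, MYAPP, MYAPPPGM, APPGRP, APPUSER and CMDADM are placeholder names, and the sequence assumes that a command definition source member MYAPP already exists in APPLIB/QCMDSRC.

```cl
/* Added example (not from the manual): harden one application command     */
/* against product-library and current-library substitution.               */
/* Placeholders: APPLIB, MYAPP, MYAPPPGM, APPGRP, APPUSER, CMDADM.           */
/* Assumes the command definition source member MYAPP exists in             */
/* APPLIB/QCMDSRC (a CMD statement is enough for a parameterless command).  */

/* 1. The command names its program with a qualified name, clears the       */
/*    product portion of the library list (PRDLIB(*NONE)) and runs with     */
/*    no current library (CURLIB(*CRTDFT)), so nothing can be searched      */
/*    ahead of the libraries the application itself puts on the list.       */
CRTCMD     CMD(APPLIB/MYAPP) PGM(APPLIB/MYAPPPGM) +
             SRCFILE(APPLIB/QCMDSRC) SRCMBR(MYAPP) +
             PRDLIB(*NONE) CURLIB(*CRTDFT) +
             ALLOW(*INTERACT *BATCH *IPGM *BPGM) +
             AUT(*EXCLUDE)

/* 2. Only the application's group profile may run the command.            */
GRTOBJAUT  OBJ(APPLIB/MYAPP) OBJTYPE(*CMD) USER(APPGRP) AUT(*USE)

/* 3. Application users cannot change their current library on the         */
/*    Sign On display or with CHGPRF; it stays pinned to the application. */
CHGUSRPRF  USRPRF(APPUSER) LMTCPB(*YES) CURLIB(APPLIB)

/* 4. Take the commands that can insert a product or current library       */
/*    away from *PUBLIC and give them to one administrative group only.    */
GRTOBJAUT  OBJ(QSYS/CRTCMD)    OBJTYPE(*CMD) USER(*PUBLIC) AUT(*EXCLUDE)
GRTOBJAUT  OBJ(QSYS/CHGCMD)    OBJTYPE(*CMD) USER(*PUBLIC) AUT(*EXCLUDE)
GRTOBJAUT  OBJ(QSYS/CRTMNU)    OBJTYPE(*CMD) USER(*PUBLIC) AUT(*EXCLUDE)
GRTOBJAUT  OBJ(QSYS/CHGMNU)    OBJTYPE(*CMD) USER(*PUBLIC) AUT(*EXCLUDE)
GRTOBJAUT  OBJ(QSYS/CHGCURLIB) OBJTYPE(*CMD) USER(*PUBLIC) AUT(*EXCLUDE)
GRTOBJAUT  OBJ(QSYS/CRTCMD)    OBJTYPE(*CMD) USER(CMDADM)  AUT(*USE)
GRTOBJAUT  OBJ(QSYS/CHGCMD)    OBJTYPE(*CMD) USER(CMDADM)  AUT(*USE)
GRTOBJAUT  OBJ(QSYS/CRTMNU)    OBJTYPE(*CMD) USER(CMDADM)  AUT(*USE)
GRTOBJAUT  OBJ(QSYS/CHGMNU)    OBJTYPE(*CMD) USER(CMDADM)  AUT(*USE)
GRTOBJAUT  OBJ(QSYS/CHGCURLIB) OBJTYPE(*CMD) USER(CMDADM)  AUT(*USE)

/* 5. Check the result: DSPCMD shows the product library (*NONE) and       */
/*    current library (*CRTDFT) the command will use; DSPOBJAUT shows      */
/*    *PUBLIC at *EXCLUDE and CMDADM at *USE.                              */
DSPCMD     CMD(APPLIB/MYAPP)
DSPOBJAUT  OBJ(QSYS/CRTCMD) OBJTYPE(*CMD)
```

Step 4 is deliberately broad: once *PUBLIC is *EXCLUDE on these five commands, a user who can still create or change commands and menus is on the CMDADM list by name, which is the set you monitor.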

Recommendations for the user portion of the library list


In this topic you will find the recommendations for controlling the user portion of the library list. The user portion of the library list often changes more than the other portions and is more difficult to control. Many application programs change the library list. Job descriptions also affect the library list for a job. Here are some suggested alternatives for controlling the user portion of the library list to make sure that unauthorized libraries with substitute programs and files are not used during processing:
- Restrict users of production applications to a menu environment. Set the Limit capabilities field in user profiles to *YES to restrict their ability to enter commands. Planning menus on page 228 provides an example of this environment.
- Use qualified names (object and library) in your applications. This prevents the system from searching the library list to find an object.
- Control the ability to change job descriptions, because the job description sets the initial library list for a job.
- Use the Add Library List Entry (ADDLIBLE) command at the beginning of the program to ensure the required objects are at the beginning of the user portion of the library list. At the end of the program, the library can be removed. If the library is already on the library list, but you are not sure if it is at the beginning of the list, you must remove the library and add it. If the sequence of the library list is important to other applications on the system, use the next method instead.
- Use a program that retrieves and saves the library list for a job. Replace the library list with the list required for the application. When the application ends, return the library list to its original setting. See Controlling the user library list on page 227 for an example of this technique.
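The library-list technique in the last item, written out as an added CL example (this is not the manual's own program from page 227): the program saves the caller's user library list and current library, replaces them with a fixed list, runs the application by qualified name, and puts the original list back on both the normal and the error path. APPLIB, APPDTA and APPPGM are placeholder names. The 2750-character length of &USRLIBL assumes the 250-entry user library list of current releases; a release limited to 25 user libraries needs 275.

```cl
/* LIBLCTL: run an application with a known library list and restore     */
/* the caller's list afterwards. Added example, not the manual's program. */
/* Placeholders: APPLIB, APPDTA, APPPGM.                                  */
             PGM
             DCL        VAR(&USRLIBL) TYPE(*CHAR) LEN(2750)
             DCL        VAR(&CURLIB)  TYPE(*CHAR) LEN(10)
             DCL        VAR(&SAVED)   TYPE(*LGL)  VALUE('0')

             /* Any unmonitored failure goes to ERROR, which restores the */
             /* list before the program ends.                             */
             MONMSG     MSGID(CPF0000) EXEC(GOTO CMDLBL(ERROR))

             /* 1. Save the caller's user portion and current library.    */
             RTVJOBA    USRLIBL(&USRLIBL) CURLIB(&CURLIB)
             CHGVAR     VAR(&SAVED) VALUE('1')
             /* RTVJOBA returns *NONE when no current library is set;     */
             /* CHGLIBL expresses that state as *CRTDFT.                  */
             IF         COND(&CURLIB *EQ '*NONE') +
                          THEN(CHGVAR VAR(&CURLIB) VALUE('*CRTDFT'))

             /* 2. Replace the user portion with exactly the libraries    */
             /*    the application needs, in search order, and run with   */
             /*    no current library so nothing is searched ahead of it. */
             CHGLIBL    LIBL(APPLIB APPDTA QGPL) CURLIB(*CRTDFT)

             /* 3. Call the application by qualified name so the library  */
             /*    list is not searched for the program itself.           */
             CALL       PGM(APPLIB/APPPGM)

             /* 4. Normal path: put the caller's list back.               */
             CHGLIBL    LIBL(&USRLIBL) CURLIB(&CURLIB)
             RETURN

             /* Error path: restore only if the list was captured, then   */
             /* tell the caller the application failed.                   */
 ERROR:      IF         COND(&SAVED) THEN(DO)
                CHGLIBL    LIBL(&USRLIBL) CURLIB(&CURLIB)
                MONMSG     MSGID(CPF0000)
             ENDDO
             SNDPGMMSG  MSGID(CPF9898) MSGF(QCPFMSG) +
                          MSGDTA('Application ended in error; +
                                  library list restored') +
                          MSGTYPE(*ESCAPE)
             ENDPGM
```

Passing the saved &USRLIBL variable back to CHGLIBL LIBL works because CL accepts a single character variable holding a blank-separated list for a list parameter. If the application itself changes the library list with ADDLIBLE, those changes are discarded at step 4, which is the intended behaviour.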

Printing
You can control the security of the output queues on your system. Most information that is printed on your system is stored as a spooled file on an output queue while it is waiting to print. Unless you control the security of output queues on your system, unauthorized users can display, print, and even copy confidential information that is waiting to print. One method for protecting confidential output is to create a special output queue. Send confidential output to the output queue and control who can view and manipulate the spooled files on the output queue. To determine where output goes, the system looks at the printer file, job attributes, user profile, workstation device description, and the print device (QPRTDEV) system value in sequence. If defaults are used, the output queue associated with the QPRTDEV printer is used. The Advanced Function Presentation topic provides examples of how to direct output to a particular output queue.

Securing spooled files


You can specify several parameters to control the security of a spooled file. A spooled file is a special type of object on the system. You cannot directly grant and revoke authority to view and manipulate a spooled file. The authority to a spooled file is controlled by several parameters on the output queue that holds the spooled file. When you create a spooled file, you are the owner of that file. You can always view and manipulate any spooled files you own, regardless of how the authority to the output queue is defined. You must have *READ authority to add new entries to an output queue. If your authority to an output queue is removed, you can still access any entries you own on that queue using the Work with Spooled Files (WRKSPLF) command. The security parameters for an output queue are specified using the Create Output Queue (CRTOUTQ) command or the Change Output Queue (CHGOUTQ) command. You can display the security parameters for an output queue using the Work with Output Queue Description (WRKOUTQD) command. Attention: A user with *SPLCTL special authority can perform all functions on all entries, regardless of how the output queue is defined. Some parameters on the output queue allow a user with *JOBCTL special authority to view the contents of entries on the output queue.

Display Data (DSPDTA) parameter of output queue


You can specify the Display Data (DSPDTA) parameter to protect the contents of a spooled file. The DSPDTA parameter determines what authority is required to perform the following functions on spooled files owned by other users:
- View the contents of a spooled file (DSPSPLF command)
- Copy a spooled file (CPYSPLF command)
- Send a spooled file (SNDNETSPLF command)
- Move a spooled file to another output queue (CHGSPLFA command)

Possible values for DSPDTA:

*NO
    A user cannot display, send, or copy spooled files owned by other users, unless the user has one of the following authorities:
    - *JOBCTL special authority if the OPRCTL parameter is *YES.
    - *READ, *ADD, and *DLT authority to the output queue if the AUTCHK parameter is *DTAAUT.
    - Ownership of the output queue if the AUTCHK parameter is *OWNER.

*YES
    Any user with *READ authority to the output queue can display, copy, or send the data of spooled files owned by others.

*OWNER
    Only the owner of a spooled file or a user with *SPLCTL (spool control) special authority can display, copy, send, or move the file. If the OPRCTL value is *YES, users with *JOBCTL special authority can hold, change, delete, and release spooled files on the output queue, but they cannot display, copy, send, or move the spooled files. This is intended to allow operators to manage entries on an output queue without being able to view the contents.

Authority to Check (AUTCHK) parameter of output queue


You can use the Authority to Check (AUTCHK) parameter to control a user's authority to change or delete a spooled file on your system. The AUTCHK parameter determines whether *READ, *ADD, and *DLT authority to the output queue allows a user to change and delete spooled files owned by other users.
Possible values for AUTCHK:

*OWNER
    Only the user who owns the output queue can change or delete spooled files owned by others.

*DTAAUT
    Any user with *READ, *ADD, and *DLT authority to the output queue can change or delete spooled files owned by others.

Operator Control (OPRCTL) parameter of output queue


The Operator Control (OPRCTL) parameter determines whether a user with *JOBCTL special authority can control the output queue.
Possible values for OPRCTL:

*YES
    A user with *JOBCTL special authority can perform all functions on the spooled files, unless the DSPDTA value is *OWNER. If the DSPDTA value is *OWNER, *JOBCTL special authority does not allow the user to display, copy, send, or move spooled files.

*NO
    *JOBCTL special authority does not give the user any authority to perform operations on the output queue. Normal authority rules apply to the user.

Output queue and parameter authorities required for printing


This topic includes the reference information about the output queue parameters and authorities required for performing printing management functions. Table 126 on page 213 shows what combination of output queue parameters and authority to the output queue is required to perform print management functions on the system. For some functions, more than one combination is listed. The owner of a spooled file can always perform all functions on that file. For more information see Writer commands on page 494.

The authority and output queue parameters for all commands associated with spooled files are listed on Spooled file commands on page 479. Output queue commands are listed on Output queue commands on page 452.

Attention: A user with *SPLCTL (spool control) special authority is not subject to any authority restrictions associated with output queues. *SPLCTL special authority allows the user to perform all operations on all output queues. Consider carefully before giving *SPLCTL special authority to any user.
Table 126. Authority required to perform printing functions

Printing function                       DSPDTA   AUTCHK    OPRCTL   Output queue        Special
                                                                    authority           authority
----------------------------------------------------------------------------------------------------
Add spooled files to queue (1)                                      *READ               None
                                                           *YES                         *JOBCTL
View list of spooled files                                          *READ               None
  (WRKOUTQ command) (2)                                    *YES                         *JOBCTL
Display, copy, or send spooled files    *YES                        *READ               None
  (DSPSPLF, CPYSPLF, SNDNETSPLF,        *NO      *DTAAUT            *READ, *ADD, *DLT   None
  SNDTCPSPLF) (2)                       *NO      *OWNER             Owner (3)           None
                                        *YES               *YES                         *JOBCTL
                                        *NO                *YES                         *JOBCTL
Change, delete, hold, and release                *DTAAUT            *READ, *ADD, *DLT   None
  spooled file (CHGSPLFA, DLTSPLF,               *OWNER             Owner (3)           None
  HLDSPLF, RLSSPLF) (2)                                    *YES                         *JOBCTL
Change, clear, hold, and release                 *DTAAUT            *READ, *ADD, *DLT   None
  output queue (CHGOUTQ (5), CLROUTQ,            *OWNER             Owner (3)           None
  HLDOUTQ, RLSOUTQ) (2)                                    *YES                         *JOBCTL
Start a writer for the queue                                        *CHANGE             None
  (STRPRTWTR, STRRMTWTR) (2) (4)                           *YES                         *JOBCTL

Notes:
1. This is the authority required to direct your output to an output queue.
2. Use these commands or equivalent options from a display.
3. You must be the owner of the output queue.
4. Also requires *USE authority to the printer device description.
5. CHGOUTQ requires *OBJMGT authority to the output queue, in addition to *READ, *ADD, and *DLT authorities.

Examples: Output queue


These examples demonstrate how to set security parameters for output queues to meet different requirements.

- Create a general-purpose output queue. All users are allowed to display all spooled files. The system operators are allowed to manage the queue and change spooled files:
CRTOUTQ OUTQ(QGPL/GPOUTQ) DSPDTA(*YES) +
    OPRCTL(*YES) AUTCHK(*OWNER) AUT(*USE)

- Create an output queue for an application. Only members of the group profile GRPA are allowed to use the output queue. All authorized users of the output queue are allowed to display all spooled files. System operators are not allowed to work with the output queue:
CRTOUTQ OUTQ(ARLIB/AROUTQ) DSPDTA(*YES) +
    OPRCTL(*NO) AUTCHK(*OWNER) AUT(*EXCLUDE)
GRTOBJAUT OBJ(ARLIB/AROUTQ) OBJTYPE(*OUTQ) +
    USER(GRPA) AUT(*CHANGE)

- Create a confidential output queue for the security officers to use when printing information about user profiles and authorities. The output queue is created and owned by the QSECOFR profile.
CRTOUTQ OUTQ(QGPL/SECOUTQ) DSPDTA(*OWNER) +
    AUTCHK(*DTAAUT) OPRCTL(*NO) +
    AUT(*EXCLUDE)

Even if the security officers on a system have *ALLOBJ special authority, they are not able to access spooled files owned by others on the SECOUTQ output queue.

- Create an output queue that is shared by users printing confidential files and documents. Users can work with only their own spooled files. System operators can work with the spooled files, but they cannot display the contents of the files.
CRTOUTQ OUTQ(QGPL/CFOUTQ) DSPDTA(*OWNER) +
    AUTCHK(*OWNER) OPRCTL(*YES) AUT(*USE)

Network attributes
Network attributes control how your system communicates with other systems. Some network attributes control how remote requests to process jobs and access information are handled. These network attributes directly affect security on your system and are discussed in the topics that follow:
- Job action (JOBACN)
- Client request access (PCSACC)
- DDM request access (DDMACC)

Possible values for each network attribute are shown, and the shipped default value is identified. To set the value of a network attribute, use the Change Network Attribute (CHGNETA) command.

Job Action (JOBACN) network attribute


The JOBACN network attribute determines how the system processes incoming requests to run jobs.
Possible values for JOBACN:

*REJECT
    The input stream is rejected. A message stating that the input stream was rejected is sent to both the sender and the intended receiver.

*FILE (default)
    The input stream is filed on the queue of network files for the receiving user. This user can display, cancel, or receive the input stream into a database file or submit it to a job queue. A message stating that the input stream was filed is sent to both the sender and the receiver.

*SEARCH
    The network job table controls the actions by using the values in the table.

Recommendations:

If you do not expect to receive remote job requests on your system, set the JOBACN network attribute to *REJECT.

Related information
SNA Distribution Services

Client Request Access (PCSACC) network attribute


The PCSACC network attribute determines how the System i Access for Windows licensed program processes requests from attached personal computers to access objects. The PCSACC network attribute controls whether personal computer jobs can access objects on the System i platform, but it doesn't control whether the personal computer can use workstation emulation. Note: PCSACC network attribute controls only the DOS and OS/2 clients. This attribute has no effect on any other System i Access clients.
Possible values for PCSACC:

*REJECT
    System i Access rejects every request from the personal computer to access objects on the System i platform. An error message is sent to the PC application.

*OBJAUT (default)
    The System i Access programs on the system verify normal object authorities for any object requested by a PC program. For example, if file transfer is requested, authority to copy data from the database file is checked.

*REGFAC
    The system uses the system's registration facility to determine which exit program (if any) to run. If no exit program is defined for an exit point and this value is specified, *OBJAUT is used.

qualified-program-name
    The System i Access program calls this user-written exit program to determine if the PC request should be rejected. The exit program is called only if normal authority checking for the object is successful. The System i Access program passes information about the user and the requested function to the exit program. The program returns a code indicating whether the request should be allowed or rejected. If the return code indicates the request should be rejected or if an error occurs, an error message is sent to the personal computer.

Risks and recommendations


Use the instructions in this topic to protect the files on your system. Normal security measures on your system might not be sufficient protection if the System i Access program is installed on your system. For example, if a user has *USE authority to a file and the PCSACC network attribute is *OBJAUT, the user can use the System i Access program and a program on the personal computer to transfer that entire file to the personal computer. The user can then copy the data to a PC diskette or tape and remove it from the premises. Several methods are available to prevent a System i user with *USE authority to a file from copying the file:
- Setting LMTCPB(*YES) in the user profile.
- Restricting authority to commands that copy files.
- Restricting authority to commands used by System i Access.
- Not giving the user *ADD authority to any library. *ADD authority is required to create a new file in a library.
- Not giving the user access to any *SAVRST device.

None of these methods work for the PC user of the System i Access licensed program. Using an exit program to verify all requests is the only adequate protection measure.

The System i Access program passes information for the following types of access to the user exit program called by the PCSACC network attribute:
- File transfer
- Virtual print
- Message
- Shared folder

Related information
Programming: iSeries Access

DDM Request Access (DDMACC) network attribute


The DDM Request Access (DDMACC) network attribute determines how the system processes requests from other systems to access data using the distributed data management (DDM) or the distributed relational database function.
Possible values for DDMACC:

*REJECT
    The system does not allow any DDM or DRDA requests from remote systems. *REJECT does not prevent this system from functioning as the requester system and sending requests to other server systems.

*OBJAUT (default)
    Remote requests are controlled by the object authority on the system.

qualified-program-name
    This user-written exit program is called after normal object authority has been verified. The exit program is called only for DDM files, not for distributed relational database functions. The exit program is passed a parameter list, built by the remote system, that identifies the local system user and the request. The program evaluates the request and sends a return code, granting or denying the requested access.

Related information
DDMACC parameter considerations

Save and restore operations


The ability to save objects from your system or restore objects to your system represents an exposure to your organization. For example, programmers often have *OBJEXIST authority to programs because this authority is required to recompile a program (and delete the old copy). *OBJEXIST authority is also required to save an object. Therefore, the typical programmer can make a tape copy of your programs, which might represent a substantial financial investment. A user with *OBJEXIST authority to an object can also restore a new copy of an object over an existing object. In the case of a program, the restored program might have been created on a different system. It might perform different functions. For example, assume the original program worked with confidential data. The new version might perform the same functions, but it might also write a copy of confidential information to a secret file in the programmer's own library. The programmer does not need authority to the confidential data because the regular users of the program will be accessing the data.

Restricting save and restore operations


You can restrict the save and restore operations to protect your system. You can control the ability to save and restore objects in several ways:
- Restrict physical access to save and restore devices, such as tape units and optical units.
- Restrict authority to the device description objects for the save and restore devices. To save an object to a tape unit, you must have *USE authority to the device description for the tape unit.
- Restrict the save and restore commands. This allows you to control what is saved from your system and restored to your system through all interfaces, including save files. See Example: Restricting save and restore commands for an example of how to do this. The system sets the restore commands to PUBLIC(*EXCLUDE) when you install your system.
- Only give *SAVSYS special authority to trusted users.

Example: Restricting save and restore commands


This topic shows an example of restricting the save and restore commands. You can follow these steps to restrict the save and restore commands on your system: 1. To create an authorization list that you can use to give authority to the commands to system operators, type the following example:
CRTAUTL AUTL(SRLIST) TEXT('Save and Restore List') AUT(*EXCLUDE)

2. To use the authorization list to secure the save commands, type the following example:
GRTOBJAUT OBJ(SAV*) OBJTYPE(*CMD) AUTL(SRLIST)

3. To ensure *PUBLIC authority comes from the authorization list, type the following example:
GRTOBJAUT OBJ(SAV*) OBJTYPE(*CMD) USER(*PUBLIC) AUT(*AUTL)

4. To use the authorization list to secure the restore commands, type the following example:
GRTOBJAUT OBJ(RST*) OBJTYPE(*CMD) AUTL(SRLIST)

5. To ensure *PUBLIC authority comes from the authorization list, type the following example:
GRTOBJAUT OBJ(RST*) OBJTYPE(*CMD) USER(*PUBLIC) AUT(*AUTL)

6. Although system operators who are responsible for saving the system have *SAVSYS special authority, they must now be given explicit authority to the SAVxxx commands. You do this by adding the system operators to the authorization list:
ADDAUTLE AUTL(SRLIST) USER(USERA USERB) AUT(*USE)

Note: You might want your system operators to have authority only to the save commands. In that case, secure the save commands and the restore commands with two separate authorization lists.

7. To restrict the save and restore APIs and secure them with an authorization list, type the following commands:
GRTOBJAUT OBJ(QSRSAVO) OBJTYPE(*PGM) AUTL(SRLIST)
GRTOBJAUT OBJ(QSRSAVO) OBJTYPE(*PGM) USER(*PUBLIC) AUT(*AUTL)
GRTOBJAUT OBJ(QSRLIB01) OBJTYPE(*SRVPGM) AUTL(SRLIST)
GRTOBJAUT OBJ(QSRLIB01) OBJTYPE(*SRVPGM) USER(*PUBLIC) AUT(*AUTL)
GRTOBJAUT OBJ(QSRRSTO) OBJTYPE(*PGM) AUTL(SRLIST)
GRTOBJAUT OBJ(QSRRSTO) OBJTYPE(*PGM) USER(*PUBLIC) AUT(*AUTL)

Performance tuning
Monitoring and tuning performance is not the responsibility of a security officer. However, the security officer should ensure that users are not altering the performance characteristics of the system to speed up their own jobs at the expense of others. Several work management objects affect the performance of jobs in the system:
- The class sets the run priority and time slice for a job.
- The routing entry in the subsystem description determines the class and the storage pool the job uses.
- The job description can determine the output queue, output priority, job queue, and job priority.

Knowledgeable users with appropriate authority can create their own environment on the system and give themselves better performance than other users. Control this by limiting the authority to create and change work management objects. Set the public authority to work management commands to *EXCLUDE and grant authority to a few trusted users. Performance characteristics of the system can also be changed interactively. For example, the Work with System Status (WRKSYSSTS) display can be used to change the size of storage pools and the activity levels. Also, a user with *JOBCTL (job control) special authority can change the scheduling priority of any job on the system, subject to the priority limit (PTYLMT) in the user's profile. Assign *JOBCTL special authority and PTYLMT in user profiles carefully. To allow users to view performance information using the WRKSYSSTS command but not change it, do the following action:
GRTOBJAUT OBJ(CHGSHRPOOL) OBJTYPE(*CMD) +
    USER(*PUBLIC) AUT(*EXCLUDE)

Authorize users responsible for system tuning to change performance characteristics:
GRTOBJAUT OBJ(CHGSHRPOOL) OBJTYPE(*CMD) +
    USER(USRTUNE) AUT(*USE)

Restricting jobs to batch


You can create or change commands to restrict certain jobs to be run only in a batch environment. For example, you might want to run certain reports or program compiles in batch. A job running in batch often affects system performance less than the same job running interactively. For example, to restrict the command that runs program RPTA to batch, do the following action:
- Create a command to run RPTA and specify that the command can be run only in batch:
CRTCMD CMD(RPTA) PGM(RPTA) ALLOW(*BATCH *BPGM)

To restrict compiles to batch, do the following for the create command for each program type:
CHGCMD CMD(CRTxxxPGM) ALLOW(*BATCH *BPGM)


Chapter 7. Designing security


This section contains guidelines to help application developers and systems managers include security as part of the overall design. It also contains examples of techniques that you can use to accomplish security objectives on your system. Protecting information is an important part of most applications. Security should be considered, along with other requirements, at the time the application is designed. For example, when deciding how to organize application information into libraries, try to balance security requirements with other considerations, such as application performance and backup and recovery. Some of the examples in this section contain sample programs. These programs are included for illustrative purposes only. Many of them will not compile or run successfully as is, nor do they include message handling and error recovery. The Plan and set up system security topic in the information center is intended for the security administrator. It contains forms, examples, and guidelines for planning security for applications that have already been developed. If you have responsibility for designing an application, you might find it useful to review the forms and examples in the Plan and set up system security topic for details. They can help you view your application from the perspective of a security administrator and understand what information you need to provide. The Plan and set up system security topic in the information center also uses a set of example applications for a fictional company called the JKL Toy Company. This section discusses design considerations for the same set of example applications. Figure 31 on page 220 shows the relationships between user groups, applications, and libraries for the JKL Toy Company:


Figure 31. Example applications

Description of graphic
This graphic shows how five sets of user groups access applications and libraries on the system at JKL Toy Company. The user groups include Warehouse, Manufacturing, Sales and Marketing, Order Processing, and Accounting. These user groups have different accesses to different applications, which are stated in the following list.
- The Warehouse, Manufacturing, and Sales and Marketing user groups can all access the Inventory Control applications.
- The Sales and Marketing user group also has access to the Contracts and Pricing application and the Customer Order application.
- The Order Processing user group can also access the Customer Order application.
- The Accounting user group only has access to the Accounts Receivable application.

Related information
Scenarios for HTTP Server

Overall recommendations for security design


Keeping your security design as simple as possible makes it easier to manage and audit security. It also improves application performance and backup performance. Here is a list of general recommendations for security design:


- Use resource security along with the methods available, such as limited capabilities in the user profile and restricting users to a set of menus, to protect information.
  Attention: If you use a product such as System i Access or if you have communication lines attached to your system, do not rely only on limiting capabilities in the user profile and menu access control. You must use resource security to secure any objects that you do not want to be accessible through these interfaces.
- Secure only those objects that really require security. Analyze a library to determine which objects, such as data files, are confidential and secure those objects. Use public authority for other objects, such as data areas and message queues.
- Move from the general to the specific: plan security for libraries and directories, and deal with individual objects only when necessary. Plan public authority first, followed by group authority and individual authority.
- Make the public authority for new objects in a library (CRTAUT parameter) the same as the public authority for the majority of existing objects in the library.
- To make auditing easier and improve authority-checking performance, avoid defining private authority that is less than the public authority for an object.
- Use authorization lists to group objects with the same security requirements. Authorization lists are simpler to manage than individual authorities and help to recover security information.

Related concepts
Chapter 5, Resource security, on page 131
This section describes each of the components of resource security and how they work together to protect information about your system. It also explains how to use CL commands and displays to set up resource security on your system.

Planning password level changes


Changing password levels should be planned carefully. Operations with other systems might fail or users might not be able to sign on to the system if you have not planned for the password level change adequately. Before changing the QPWDLVL system value, make sure that you have saved your security data using the SAVSECDTA or SAVSYS command. If you have a current backup, you will be able to reset the passwords for all users' profiles, even if you need to return to a lower password level. Products that you use on the system, and on clients with which the system interfaces, might have problems when the password level (QPWDLVL) system value is set to 2 or 3. Any product or client that sends passwords to the system in an encrypted form, rather than in the clear text that a user enters on a sign-on screen, must be upgraded to work with the password encryption rules for QPWDLVL 2 or 3. Sending the encrypted password is known as password substitution. Password substitution is used to prevent a password from being captured during transmission over a network. Password substitutes generated by older clients that do not support the algorithm for QPWDLVL 2 or 3 will not be accepted, even if the specific characters typed in are correct. This also applies to any System i to System i peer access that uses the encrypted values to authenticate from one system to another. The problem is compounded by the fact that some affected products (such as IBM Toolbox for Java) are provided as middleware. A third-party product that incorporates a prior version of one of these products will not work correctly until it is rebuilt using an updated version of the middleware. Given this and other scenarios, it is easy to see why careful planning is necessary before you change the QPWDLVL system value.

Chapter 7. Designing security

221

Considerations for changing QPWDLVL from 0 to 1


Password level 1 allows a system, which doesn't need to communicate with the System i Support for Windows Network Neighborhood (NetServer), to eliminate the NetServer passwords. Eliminating unnecessary encrypted passwords from the system increases the overall security of the system. At QPWDLVL 1, all current, pre-V5R1 password substitution and password authentication mechanisms will continue to work. There is very little potential for breakage except for functions/services that require the NetServer password.

Considerations for changing QPWDLVL from 0 or 1 to 2


Password level 2 introduces the use of case-sensitive passwords up to 128 characters in length (also called passphrases) and provides the maximum ability to revert back to QPWDLVL 0 or 1. Regardless of the password level of the system, password level 2 and 3 passwords are created whenever a password is changed or a user signs on to the system. Having a level 2 and 3 password created while the system is still at password level 0 or 1 helps prepare for the change to password level 2 or 3.

Before changing QPWDLVL to 2, the system administrator should use the PRTUSRPRF TYPE(*PWDLVL) command to locate all of the user profiles that do not have a password that is usable at password level 2. Depending on the profiles located, the administrator can use one of the following mechanisms to have a password level 2 and 3 password added to the profiles.
v Change the password for the user profile using the CHGUSRPRF or CHGPWD CL command or the QSYCHGPW API. This will cause the system to change the password that is usable at password levels 0 and 1; and the system also creates two equivalent case-sensitive passwords that are usable at password levels 2 and 3. An all-uppercase and all-lowercase version of the password is created for use at password level 2 or 3. For example, changing the password to C4D2RB4Y results in the system generating C4D2RB4Y and c4d2rb4y password level 2 passwords.
v Sign on to the system through a mechanism that presents the password in clear text (does not use password substitution). If the password is valid and the user profile does not have a password that is usable at password levels 2 and 3, the system creates two equivalent case-sensitive passwords that are usable at password levels 2 and 3. An all-uppercase and all-lowercase version of the password is created for use at password level 2 or 3.
The absence of a password that is usable at password level 2 or 3 can be a problem whenever the user profile also does not have a password that is usable at password levels 0 and 1 or when the user tries to sign on through a product that uses password substitution. In these cases, the user will not be able to sign on when the password level is changed to 2.

If a user profile meets the following description, the system validates the user against the password level 0 password and creates two password level 2 passwords (as described above) for the user profile.
v The user profile does not have a password that is usable at password levels 2 and 3.
v The user profile does have a password that is usable at password levels 0 and 1.
v The user signs on through a product that sends clear text passwords.
Subsequent signons will be validated against the password level 2 passwords.

Any client that uses password substitution will not work correctly at QPWDLVL 2 if the client hasn't been updated to use the new password (passphrase) substitution scheme. The administrator should check whether a client which hasn't been updated to the new password substitution scheme is required. The clients that use password substitution include:
v TELNET
v System i Access
v System i Host Servers
v QFileSrv.400
v System i NetServer Print support
v DDM
v DRDA
v SNA LU6.2

It is highly recommended that the security data be saved before changing to QPWDLVL 2. This can help make the transition back to QPWDLVL 0 or 1 easier if that becomes necessary.

Avoid changing password system values, such as QPWDMINLEN, QPWDMAXLEN, and QPWDRULES, until after you have tested QPWDLVL 2. This makes it easier to transition back to QPWDLVL 1 or 0 if necessary. However, the QPWDVLDPGM system value must specify either *REGFAC or *NONE before the system allows QPWDLVL to be changed to 2. Therefore, if you use a password validation program, you might want to write a new one that can be registered for the QIBM_QSY_VLD_PASSWRD exit point by using the ADDEXITPGM command.

NetServer passwords are still supported at QPWDLVL 2, so any function/service that requires a NetServer password should still function correctly.

After you are comfortable with running the system at QPWDLVL 2, you can change the password system values to use longer passwords. However, you need to be aware that longer passwords have these effects:
v If passwords greater than 10 characters are specified, the password level 0 and 1 password is cleared. This user profile will not be able to sign on if the system is returned to password level 0 or 1.
v If passwords contain special characters or do not follow the composition rules for simple object names (excluding case sensitivity), the password level 0 and 1 password is cleared.
v If passwords greater than 14 characters are specified, the NetServer password for the user profile is cleared.
v The password system values only apply to the new password level 2 value and do not apply to the system-generated password level 0 and 1 password or NetServer password values (if generated).

Considerations for changing QPWDLVL from 2 to 3


After running the system at QPWDLVL 2 for some period of time, you can consider moving to QPWDLVL 3 to maximize the password security protection. At QPWDLVL 3, all NetServer passwords are cleared so a system should not be moved to QPWDLVL 3 until there is no need to use NetServer passwords. At QPWDLVL 3, all password level 0 and 1 passwords are cleared. The administrator can use the DSPAUTUSR or PRTUSRPRF command to locate user profiles which don't have password level 2 or 3 passwords associated with them.

Changing QPWDLVL to a lower password level


Returning to a lower QPWDLVL value, while possible, is not expected to be a completely painless operation. In general, the mindset should be that this is a one-way trip from lower QPWDLVL values to higher QPWDLVL values. However, there might be cases where a lower QPWDLVL value must be reinstated.


Considerations for changing from QPWDLVL 3 to 2


This change is relatively easy. After the QPWDLVL is set to 2, the administrator needs to determine if any user profile is required to contain NetServer passwords or password level 0 or 1 passwords and, if so, change the password of the user profile to an allowable value. Additionally, the password system values might need to be changed back to values compatible with NetServer and password level 0 or 1 passwords, if those passwords are needed.

Considerations for changing from QPWDLVL 3 to 1 or 0


Because of the very high potential for causing problems for the system (such as no one can sign on because all of the password level 0 and 1 passwords have been cleared), this change is not supported directly. To change from QPWDLVL 3 to QPWDLVL 1 or 0, the system must first make the intermediary change to QPWDLVL 2.

Considerations for changing from QPWDLVL 2 to 1


Before changing QPWDLVL to 1, you should use the DSPAUTUSR or PRTUSRPRF TYPE(*PWDINFO) command to locate any user profiles that do not have a password level 0 or 1 password. If the user profile requires a password after the QPWDLVL is changed, make sure that a password level 0 and 1 password is created for the profile using one of the following mechanisms:
v Change the password for the user profile using the CHGUSRPRF or CHGPWD CL command or the QSYCHGPW API. This causes the system to change the password that is usable at password levels 2 and 3; and the system also creates an equivalent uppercase password that is usable at password levels 0 and 1. The system is only able to create the password level 0 and 1 password if the following conditions are met:
– The password is 10 characters or less in length.
– The password can be converted to uppercase EBCDIC characters A-Z, 0-9, @, #, $, and underline.
– The password does not begin with a numeric or underline character.
For example, changing the password to a value of RainyDay can result in the system generating a password level 0 and 1 password of RAINYDAY. But changing the password value to Rainy Days In April can cause the system to clear the password level 0 and 1 password (because the password is too long and it contains blanks). No message or indication is produced if the password level 0 or 1 password cannot be created.
v Sign on to the system through a mechanism that presents the password in clear text (does not use password substitution). If the password is valid and the user profile does not have a password that is usable at password levels 0 and 1, the system creates an equivalent uppercase password that is usable at password levels 0 and 1. The system is only able to create the password level 0 and 1 password if the conditions listed above are met.
The administrator can then change QPWDLVL to 1. All NetServer passwords are cleared when the change to QPWDLVL 1 takes effect (next IPL).
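The derivation rules stated in this section and in "Considerations for changing QPWDLVL from 0 or 1 to 2" (the uppercase and lowercase level 2 variants, the 10-character and EBCDIC character rule for the level 0 and 1 password, the 14-character NetServer limit) as a planning check an administrator can run over proposed passwords before raising or lowering QPWDLVL. This is an added example, not IBM code or an IBM i API; the profile names and passwords are constructed sample data, and nothing is hashed or stored.

```python
"""Which password forms IBM i derives from one password change at each QPWDLVL.

Added example, not IBM code: it mirrors the rules stated in the QPWDLVL planning
text so that proposed passwords can be checked before QPWDLVL is raised or
lowered. Nothing here calls an IBM i API, and nothing is hashed or stored.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Optional

# Characters a level 0/1 password may contain after conversion to uppercase:
# A-Z, 0-9, @, #, $ and underline (the simple-object-name composition rules).
LEVEL01_CHARS = frozenset("ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789@#$_")
LEVEL01_MAX_LEN = 10      # longer passwords clear the level 0/1 password
NETSERVER_MAX_LEN = 14    # longer passwords clear the NetServer password


@dataclass(frozen=True)
class DerivedPasswords:
    level01: Optional[str]      # usable at QPWDLVL 0 and 1, None if cleared
    level23: tuple[str, ...]    # case-sensitive values usable at QPWDLVL 2 and 3
    netserver_kept: bool        # whether a NetServer password can be retained


def level01_equivalent(password: str) -> Optional[str]:
    """Uppercase level 0/1 password the system would create, or None.

    The text gives three conditions: at most 10 characters, every character
    converts to uppercase A-Z, 0-9, @, #, $ or underline, and the first
    character is neither numeric nor underline. A blank fails the second
    condition, which is why "Rainy Days In April" yields none.
    """
    if not password or len(password) > LEVEL01_MAX_LEN:
        return None
    upper = password.upper()
    if any(ch not in LEVEL01_CHARS for ch in upper):
        return None
    if upper[0].isdigit() or upper[0] == "_":
        return None
    return upper


def level23_equivalents(password: str, changed_at_level: int) -> tuple[str, ...]:
    """Case-sensitive level 2/3 values created by a password change.

    At QPWDLVL 0 or 1 the typed case is not significant, so the system stores
    an all-uppercase and an all-lowercase version (C4D2RB4Y and c4d2rb4y in
    the text). At QPWDLVL 2 or 3 the value is stored exactly as typed.
    """
    if changed_at_level in (0, 1):
        return tuple(sorted({password.upper(), password.lower()}))
    return (password,)


def derive(password: str, changed_at_level: int) -> DerivedPasswords:
    """Apply the documented derivation rules to one password change."""
    if changed_at_level not in (0, 1, 2, 3):
        raise ValueError("QPWDLVL must be 0, 1, 2 or 3")
    return DerivedPasswords(
        level01=level01_equivalent(password),
        level23=level23_equivalents(password, changed_at_level),
        # NetServer passwords exist only at QPWDLVL 0 and 2, and at level 2
        # only while the password is 14 characters or less.
        netserver_kept=changed_at_level in (0, 2)
        and len(password) <= NETSERVER_MAX_LEN,
    )


def profiles_losing_level01(proposed: dict[str, str], changed_at_level: int) -> list[str]:
    """Profiles whose proposed password leaves no level 0/1 password, so they
    could not sign on if QPWDLVL were later lowered to 1 or 0."""
    return sorted(name for name, pwd in proposed.items()
                  if derive(pwd, changed_at_level).level01 is None)


if __name__ == "__main__":
    # Constructed sample of proposed new passwords for profiles at QPWDLVL 2.
    proposed = {"USERA": "RainyDay", "USERB": "Rainy Days In April",
                "USERC": "C4D2RB4Y", "USERD": "4thOfJuly"}
    for name, pwd in proposed.items():
        print(f"{name:6} {derive(pwd, 2)}")
    print("would lose level 0/1 password:", profiles_losing_level01(proposed, 2))
```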

Considerations for changing from QPWDLVL 2 to 0


The considerations are the same as those for changing from QPWDLVL 2 to 1 except that all NetServer passwords are retained when the change takes effect.


Considerations for changing from QPWDLVL 1 to 0


After changing QPWDLVL to 0, you should use the DSPAUTUSR or PRTUSRPRF command to locate any user profiles that do not have a NetServer password. If the user profile requires a NetServer password, it can be created by changing the user's password or signing on through a mechanism that presents the password in clear text. You can then change QPWDLVL to 0.

Planning libraries
A library is like a directory used to locate the objects in the library. Many factors affect how you choose to group your application information into libraries and manage libraries. Library security is effective only if the rules below are followed:
v Libraries contain objects with similar security requirements.
v Users are not allowed to add new objects to restricted libraries. Changes to programs in the libraries are controlled. That is, application libraries should have public authority of *USE or *EXCLUDE unless users need to create objects directly into the library.
v Library lists are controlled.

To access an object, you need authority to the object itself and to the library containing the object. You can restrict access to an object by restricting the object itself, the library containing the object, or both. *USE authority to a library allows you to find objects in the library. The authority for the object itself determines how you can use the object. *USE authority to a library is sufficient to perform most operations on the objects in the library.

Using public authority for objects and restricting access to libraries can be a simple, effective security technique. Putting programs in a separate library from other application objects can also simplify security planning. This is particularly true if files are shared by more than one application. You can use authority to the libraries containing application programs to control who can perform application functions.

Here are two examples of using library security for the JKL Toy Company applications. (See Figure 31 on page 220 for a diagram of the applications.)
v The information in the CONTRACTS library is considered confidential. The public authority for all the objects in the library is sufficient to perform the functions of the Pricing and Contracts application (*CHANGE). The public authority to the CONTRACTS library itself is *EXCLUDE. Only users or groups authorized to the Contracts and Pricing application are granted *USE authority to the library.
v The JKL Toy Company is a small company with a nonrestrictive approach to security, except for the contract and pricing information. All system users are allowed to view customer and inventory information, although only authorized users can change this information. The CUSTLIB and the ITEMLIB libraries, and the objects in the libraries, have public authority of *USE. Users can view information in these libraries through their primary application or by using an SQL query. The program libraries have public authority *EXCLUDE. Only users who are allowed to change inventory information have access to the ICPGMLIB. Programs that change inventory information adopt the authority of the application owner (OWNIC) and thus have *ALL authority to the files in the ITEMLIB library.


Related concepts
Library security on page 135
You can use library security to protect information.
Related reference
Library lists on page 207
The library list for a job indicates which libraries are to be searched and the order in which they are to be searched.
Related information
Scenarios for HTTP Server

Planning applications to prevent large profiles


To reduce impacts on the performance and security of your system, you need to plan your applications carefully to avoid large profiles. Because of the potential impacts on performance and security, perform the following actions to prevent profiles from becoming too full:
v Do not have one profile own everything on your system. Create special user profiles to own applications. Owner profiles that are specific to an application make it easier to recover applications and to move applications between systems. Also, information about private authorities is spread among several profiles, which improves performance. By using several owner profiles, you can prevent a profile from becoming too large because of owning too many objects. Owner profiles also allow you to adopt the authority of the owner profile rather than a more powerful profile that provides unnecessary authority.
v Avoid having applications owned by IBM-supplied user profiles, such as QSECOFR or QPGMR. These profiles own a large number of IBM-supplied objects and can become difficult to manage. Having applications owned by IBM-supplied user profiles can also cause security problems when moving applications from one system to another. Applications owned by IBM-supplied user profiles can also affect performance for commands, such as CHKOBJITG and WRKOBJOWN.
v Use authorization lists to secure objects. If you are granting private authorities to many objects for several users, you should consider using an authorization list to secure the objects. Authorization lists will cause one private authority entry for the authorization list in the user's profile rather than one private authority entry for each object. In the object owner's profile, authorization lists create an authorized object entry for each user with authority to the authorization list.

Library lists
The library list for a job represents a security exposure, while it provides flexibility. This exposure is particularly important if you use public authority for objects and rely on library security as your primary means of protecting information. In this case, a user who gains access to a library has uncontrolled access to the information in the library.

To avoid the security risks of library lists, your applications can specify qualified names. When both the object name and the library are specified, the system does not search the library list. This prevents a potential intruder from using the library list to circumvent security. However, other application design requirements might prevent you from using qualified names. If your applications rely on library lists, the following techniques can reduce the security exposure.

Note: By using the code examples, you agree to the terms of the Chapter 10, Code license and disclaimer information, on page 307.


Controlling the user library list


As a security precaution, you might want to make sure that the user portion of the library list has the correct entries in the expected sequence before a job runs. One method for doing this is to use a CL program to save the user's library list, replace it with the list that you want, and restore it at the end of the application. Here is a sample program to do this:

Note: By using the code examples, you agree to the terms of the Chapter 10, Code license and disclaimer information, on page 307.

    PGM
    DCL        &USRLIBL *CHAR LEN(2750)
    DCL        &CURLIB *CHAR LEN(10)
    DCL        &ERROR *LGL
    DCL        &CMD *CHAR LEN(2800)
    /* Any escape message routes to SETERROR so the    */
    /* library list is always restored before exit.    */
    MONMSG     MSGID(CPF0000) +
                 EXEC(GOTO SETERROR)
    /* Save the caller's user library list and current library */
    RTVJOBA    USRLIBL(&USRLIBL) +
                 CURLIB(&CURLIB)
    IF         COND(&CURLIB = '*NONE') +
                 THEN(CHGVAR &CURLIB '*CRTDFT')
    /* Replace it with the list the application expects */
    CHGLIBL    LIBL(QGPL) CURLIB(*CRTDFT)
    /*********************************/
    /*                               */
    /*   Normal processing           */
    /*                               */
    /*********************************/
    GOTO       ENDPGM
    SETERROR:  CHGVAR &ERROR '1'
    /* Rebuild the CHGLIBL command as a string and run it */
    /* through QCMDEXC to restore the saved list.         */
    ENDPGM:    CHGVAR &CMD +
                 ('CHGLIBL LIBL(' *CAT &USRLIBL *CAT ') ' *CAT +
                  'CURLIB(' *CAT &CURLIB *TCAT ')')
    CALL       QCMDEXC PARM(&CMD 2800)
    IF         &ERROR SNDPGMMSG MSGID(CPF9898) +
                 MSGF(QCPFMSG) MSGTYPE(*ESCAPE) +
                 MSGDTA('The xxxx error occurred')
    ENDPGM

Figure 32. Program to replace and restore library list

Notes:
1. Regardless of how the program ends (normally or abnormally), the library list is returned to the version it held when the program was called. This is because error handling includes restoring the library list.
2. Because the CHGLIBL command requires a list of library names, it cannot be run directly. The RTVJOBA command, therefore, retrieves the libraries used to build the CHGLIBL command as a variable. The variable is passed as a parameter to the QCMDEXC function.
3. If you exit to an uncontrolled function (for example, a user program, a menu that allows commands to be entered, or the Command Entry display) in the middle of a program, your program should replace the library list on return to ensure adequate control.

Changing the system library list


You might also need to change the system portion of the library list to protect your system. If your application needs to add entries to the system portion of the library list, you can use a CL program similar to the one shown in Figure 32, with the following changes:
v Instead of using the RTVJOBA command, use the Retrieve System Values (RTVSYSVAL) command to get the value of the QSYSLIBL system value.
v Use the Change System Library List (CHGSYSLIBL) command to change the system portion of the library list to the value that you want.
v At the end of your program, use the CHGSYSLIBL command again to restore the system portion of the library list to its original value.
v The CHGSYSLIBL command is shipped with public authority *EXCLUDE. To use this command in your program, do one of the following actions:
– Grant the program owner *USE authority to the CHGSYSLIBL command and use adopted authority.
– Grant users running the program *USE authority to the CHGSYSLIBL command.

Describing library security


As an application designer, you need to provide information about a library for the security administrator. The security administrator uses this information to decide how to secure the library and its objects. Typical information needed is:
v Any application functions that add objects to the library.
v Whether any objects in the library are deleted during application processing.
v What profile owns the library and its objects.
v Whether the library should be included on library lists.
Figure 33 provides a sample format for providing this information:

Library name: ITEMLIB
Public authority to the library: *EXCLUDE
Public authority to objects in the library: *CHANGE
Public authority for new objects (CRTAUT): *CHANGE
Library owner: OWNIC
Include on library lists? No. Library is added to library list by initial application program or initial query program.
List any functions that require *ADD authority to the library: No objects are added to the library during normal application processing.
List any objects requiring *OBJMGT or *OBJEXIST authority and what functions need that authority: All work files, whose names begin with the characters ICWRK, are cleared at month-end. This requires *OBJMGT authority.

Figure 33. Format for describing library security

Planning menus
Menus are a good method for providing controlled access on your system. You can use menus to restrict a user to a set of strictly controlled functions by specifying limited capabilities and an initial menu in the user profile. To use menus as an access control tool, follow these guidelines when designing them:
v Do not provide a command line on menus designed for restricted users.
v Avoid having functions with different security requirements on the same menu. For example, if some application users are allowed to only view information, not change it, provide a menu that has only display and print options for those users.
v Make sure that the set of menus provides all the necessary links between menus so the user does not need a command line to request one.
v Provide access to a few system functions, such as viewing printer output. The ASSIST system menu gives this capability and can be defined in the user profile as the Attention-key-handling program. If the user profile has a class of *USER and has limited capabilities, the user cannot view the output or jobs of other users.
v Provide access to decision-support tools from menus. The topic Using adopted authority in menu design on page 230 gives an example of how to do this.
v Consider controlling access to the System Request Menu or some of the options on this menu.
v For users who are allowed to run only a single function, avoid menus entirely and specify an initial program in the user profile. Specify *SIGNOFF as the initial menu.

For example, at the JKL Toy Company, all users see an inquiry menu allowing access to most files. For users who are not allowed to change information, this is the initial menu. The return option on the menu signs the user off. For other users, this menu is called by an inquiry option from application menus. By pressing F12 (Return), the user returns to the calling menu. Because library security is used for program libraries, this menu and the programs it calls are kept in the QGPL library:

    INQMENU                        Inquiry Menu

        1. Item Descriptions
        2. Item Balances
        3. Customer Information
        4. Query
        5. Office

    Enter option
    ==>
    F1=Help   F12=Return

Figure 34. Sample inquiry menu

Note: By using the code examples, you agree to the terms of the Chapter 10, Code license and disclaimer information, on page 307.

Related concepts
System request menu on page 233
A user can use the system request function to suspend the current job and display the System Request Menu. The System Request Menu allows the user to send and display messages, transfer to a second job, or end the current job. This might represent a security exposure because the public authority to the System Request Menu is *USE when a system is shipped.
Related reference
Limit capabilities on page 83
You can use the Limit capabilities field to limit the user's ability to enter commands and to override the initial program, initial menu, current library, and attention-key-handling program specified in the user profile. This field is a tool for preventing users from experimenting on the system.
Related information
Scenarios for HTTP Server

Describing menu security


As an application designer, you need to provide information about a menu for the security administrator. The security administrator uses this information to decide who should have access to the menu and what authorities are required.


Examples of the type of information that a security administrator needs are:
v Whether any menu options require special authorities, such as *SAVSYS or *JOBCTL.
v Whether menu options call programs that adopt authority.
v What authority to objects is required for each menu option. You should only need to identify those authorities that are greater than normal public authority.
Figure 35 shows a sample format for providing this information.

Menu name: MENU1                Library: QGPL
Option number: 3                Description: Query
Program called: QRYSTART        Library: QGPL
Authority adopted: QRYUSR
Special authority required: None
Object authorities required: User must have *USE authority to QRYSTART program. QRYUSR must have *USE authority to libraries containing files to be queried. User, QRYUSR, or public must have *USE authority to files being queried.

Figure 35. Format for menu security requirements

Using adopted authority in menu design


The availability of decision-support tools, such as Query/400, poses challenges for security design. No method exists in the resource security definitions for a user to have different authority to a file in different circumstances. However, using adopted authority allows you to define authority to meet different requirements. For example, you might want users to be able to view information in files using a query tool, but you probably want to make sure that the files are changed only by tested application programs. Note: Objects that adopt the owner's authority on page 149 describes how adopted authority works. Flowchart 8: How adopted authority is checked on page 182 describes how the system checks for adopted authority. Figure 36 shows a sample initial menu that uses adopted authority to provide controlled access to files using query tools:

    MENU1                          Initial Menu

        1. Inventory Control       (ICSTART)
        2. Customer Orders         (COSTART)
        3. Query                   (QRYSTART)
        4. Office                  (OFCSTART)

    (no command line)

Figure 36. Sample initial menu

The programs that start applications (ICSTART and COSTART) adopt the authority of a profile that owns the application objects. The programs add application libraries to the library list and display the initial application menu. Here is an example of the Inventory Control program (ICSTART). Note: By using the code examples, you agree to the terms of the Chapter 10, Code license and disclaimer information, on page 307.


    PGM
    ADDLIBLE   ITEMLIB
    ADDLIBLE   ICPGMLIB
    GO         ICMENU
    RMVLIBLE   ITEMLIB
    RMVLIBLE   ICPGMLIB
    ENDPGM

Figure 37. Sample initial application program

The program that starts Query (QRYSTART) adopts the authority of a profile (QRYUSR) provided to allow access to files for queries. Figure 38 shows the QRYSTART program:

    PGM
    ADDLIBLE   ITEMLIB
    ADDLIBLE   CUSTLIB
    STRQRY
    RMVLIBLE   ITEMLIB
    RMVLIBLE   CUSTLIB
    ENDPGM

Figure 38. Sample program for query with adopted authority

The menu system uses three types of user profiles, shown in Table 127. Table 128 describes the objects used by the menu system.
Table 127. User profiles for menu system

Profile type: Application owner
  Description: Owns all application objects and has *ALL authority. OWNIC owns Inventory Control application.
  Password: *NONE
  Limit capabilities: Not applicable
  Special authorities: None
  Initial menu: Not applicable

Profile type: Application user (see note 1)
  Description: Example profile for anyone who uses the menu system
  Password: Yes
  Limit capabilities: *YES
  Special authorities: As needed by application
  Initial menu: MENU1

Profile type: Query profile
  Description: Used to provide access to libraries for query
  Password: *NONE
  Limit capabilities: Not applicable
  Special authorities: None
  Initial menu: Not applicable

1 The current library specified in the application user profile is used to store any queries created. The Attention-key-handling program is *ASSIST, giving the user access to basic system functions.

Table 128. Objects used by menu system

Object name: MENU1 in QGPL library
  Owner: See note
  Public authority: *EXCLUDE
  Private authorities: *USE authority for any users who are allowed to use the menu
  Additional information: In QGPL library because users do not have authority to application libraries

Object name: ICSTART program in QGPL
  Owner: OWNIC
  Public authority: *EXCLUDE
  Private authorities: *USE authority for users authorized to Inventory Control application
  Additional information: Created with USRPRF(*OWNER) to adopt OWNIC authority

Object name: QRYSTART program in QGPL
  Owner: QRYUSR
  Public authority: *EXCLUDE
  Private authorities: *USE authority for users authorized to create or run queries
  Additional information: Created with USRPRF(*OWNER) to adopt QRYUSR authority

Object name: ITEMLIB
  Owner: OWNIC
  Public authority: *EXCLUDE
  Private authorities: QRYUSR has *USE

Object name: ICPGMLIB
  Owner: OWNIC
  Public authority: *EXCLUDE

Object name: Files available for Query in ITEMLIB
  Owner: OWNIC
  Public authority: *USE

Object name: Files not available for Query in ITEMLIB
  Owner: OWNIC
  Public authority: *EXCLUDE

Object name: Programs in ICPGMLIB
  Owner: OWNIC
  Public authority: *USE

Note: A special owner profile can be created for objects used by multiple applications.

When USERA selects option 1 (Inventory Control) from MENU1, program ICSTART runs. The program adopts the authority of OWNIC, giving *ALL authority to the inventory control objects in ITEMLIB and the programs in ICPGMLIB. USERA is thus authorized to make changes to the inventory control files while using options from the ICMENU. When USERA exits ICMENU and returns to MENU1, the ITEMLIB and ICPGMLIB libraries are removed from the USERA library list, and program ICSTART is removed from the call stack. USERA is no longer running under adopted authority.

When USERA selects option 3 (Query) from MENU1, program QRYSTART runs. The program adopts the authority of QRYUSR, giving *USE authority to the ITEMLIB library. The public authority to the files in ITEMLIB determines which files USERA is allowed to query.

This technique has the advantage of minimizing the number of private authorities and providing good performance when checking authority:
v The objects in the application libraries do not have private authorities. For some application functions, public authority is adequate. If public authority is not adequate, owner authority is used. Case 8: Adopted authority without private authority on page 192 shows the authority checking steps.
v Access to the files for query uses public authority to the files. The QRYUSR profile is only specifically authorized to the ITEMLIB library.
v By default, any query programs created are placed in the user's current library. The current library should be owned by the user, and the user should have *ALL authority.
v Individual users only need to be authorized to MENU1, ICSTART, and QRYSTART.

Consider these risks and precautions when using this technique:
v USERA has *ALL authority to all inventory control objects from ICMENU. Make sure that the menu does not allow access to a command line or allow unwanted delete and update functions.
v Many decision-support tools allow access to a command line. The QRYUSR profile should be a limited capability user without special authorities to prevent unauthorized functions.

Related concepts
Planning file security on page 236
The information contained in database files is often the most important asset on your system. Resource security allows you to control who can view, change, and delete information in a file.

Ignoring adopted authority


The technique of using adopted authority in menu design requires the user to return to the initial menu before running queries. If you want to provide the convenience of starting query from application menus as well as from the initial menu, you can set up the QRYSTART program to ignore adopted authority. Figure 39 on page 233 shows an application menu that includes the QRYSTART program:


    ICMENU                     Inventory Control Menu

        1. Issues              (ICPGM1)
        2. Receipts            (ICPGM2)
        3. Purchases           (ICPGM3)
        4. Query               (QRYSTART)

    (no command line)

Figure 39. Sample application menu with query

The authority information for the QRYSTART program is the same as shown in Table 128 on page 231. The program is created with the use adopted authority (USEADPAUT) parameter set to *NO, to ignore the adopted authority of previous programs in the stack. Here are comparisons of the call stacks when USERA selects query from MENU1 (see Figure 36 on page 230) and from ICMENU:

Call stack when query selected from MENU1
v MENU1 (no adopted authority)
v QRYSTART (adopted authority QRYUSR)

Call stack when query selected from ICMENU
v MENU1 (no adopted authority)
v ICMENU (adopted authority OWNIC)
v QRYSTART (adopted authority QRYUSR)

By specifying the QRYSTART program with USEADPAUT(*NO), the authority of any previous programs in the stack is not used. This allows USERA to run a query from ICMENU without having the ability to change and delete files. This is because the authority of OWNIC is not used by the QRYSTART program. When USERA ends the query and returns to ICMENU, adopted authority is once again active. Adopted authority is ignored only as long as the QRYSTART program is active.

If public authority to the QRYSTART program is *USE, specify USEADPAUT(*NO) as a security precaution. This prevents anyone running under adopted authority from calling the QRYSTART program and performing unauthorized functions.

The inquiry menu (Figure 34 on page 229) at the JKL Toy Company also uses this technique, because it can be called from menus in different application libraries. It adopts the authority of QRYUSR and ignores any other adopted authority in the call stack.

Related concepts
Programs that ignore adopted authority on page 152
You can specify the use adopted authority (USEADPAUT) parameter to control whether a program uses the adopted authority.
Related reference
Flowchart 8: How adopted authority is checked on page 182
If insufficient authority is found by checking user authority, the system checks adopted authority.
Related information
Scenarios for HTTP Server
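The two call stacks compared above, modelled as an added example that is not IBM code and not the system's actual authority check: a program created with USRPRF(*OWNER) contributes its owner's authority, and USEADPAUT(*NO) on QRYSTART stops the search so that OWNIC's *ALL authority to the ITEMLIB files is not available while the query runs. The object and profile names follow Table 128; the MENU1 owner MENUOWN and the file names ICITEM and ICWRK01 are constructed for the example.

```python
"""Adopted authority along a call stack, with and without USEADPAUT(*NO).

Added example, not IBM code: a simplified model of the behaviour the text
describes for MENU1, ICMENU and QRYSTART. MENUOWN, ICITEM and ICWRK01 are
constructed names; the other names follow Table 128.
"""
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass(frozen=True)
class Program:
    name: str
    owner: str
    adopts_owner: bool = False     # created with USRPRF(*OWNER)
    use_adopted_auth: bool = True  # USEADPAUT(*YES); *NO ignores earlier adoption


@dataclass
class CallStack:
    frames: list[Program] = field(default_factory=list)

    def call(self, program: Program) -> None:
        self.frames.append(program)

    def ret(self) -> Program:
        return self.frames.pop()

    def adopted_profiles(self) -> list[str]:
        """Profiles whose authority is available through adoption right now.

        The stack is examined from the most recent program backward. A program
        created with USRPRF(*OWNER) contributes its owner. A program with
        USEADPAUT(*NO) still contributes its own owner but ends the search, so
        authority adopted by any earlier program is not used while it runs.
        """
        profiles: list[str] = []
        for program in reversed(self.frames):
            if program.adopts_owner and program.owner not in profiles:
                profiles.append(program.owner)
            if not program.use_adopted_auth:
                break
        return profiles


# Authorities from Table 128: OWNIC owns the application library and its files,
# QRYUSR has *USE to ITEMLIB, USERA is authorized only to the menu programs.
PRIVATE_AUTH = {
    ("OWNIC", "ITEMLIB"): "*ALL",
    ("OWNIC", "ITEMLIB/ICITEM"): "*ALL",    # constructed file name
    ("OWNIC", "ITEMLIB/ICWRK01"): "*ALL",   # constructed work-file name
    ("QRYUSR", "ITEMLIB"): "*USE",
    ("USERA", "QGPL/MENU1"): "*USE",
    ("USERA", "QGPL/ICSTART"): "*USE",
    ("USERA", "QGPL/QRYSTART"): "*USE",
}
PUBLIC_AUTH = {
    "ITEMLIB/ICITEM": "*USE",       # file available for query
    "ITEMLIB/ICWRK01": "*EXCLUDE",  # work file not available for query
}
_RANK = {"*EXCLUDE": 0, "*USE": 1, "*CHANGE": 2, "*ALL": 3}


def effective_authority(user: str, obj: str, stack: CallStack) -> str:
    """Highest authority to obj from the user's own, public, or adopted profiles.

    Deliberately simpler than Flowchart 8: it only shows how the profiles
    selected by adopted_profiles() change the outcome.
    """
    candidates = [PRIVATE_AUTH.get((user, obj), "*EXCLUDE"),
                  PUBLIC_AUTH.get(obj, "*EXCLUDE")]
    candidates += [PRIVATE_AUTH.get((p, obj), "*EXCLUDE")
                   for p in stack.adopted_profiles()]
    return max(candidates, key=_RANK.__getitem__)


def query_stack(from_icmenu: bool, qrystart_useadpaut: bool) -> CallStack:
    """The two call stacks compared in the text, with QRYSTART on top."""
    stack = CallStack()
    stack.call(Program("MENU1", owner="MENUOWN"))  # adopts nothing
    if from_icmenu:
        stack.call(Program("ICMENU", owner="OWNIC", adopts_owner=True))
    stack.call(Program("QRYSTART", owner="QRYUSR", adopts_owner=True,
                       use_adopted_auth=qrystart_useadpaut))
    return stack


if __name__ == "__main__":
    for from_icmenu in (False, True):
        for useadpaut in (True, False):
            s = query_stack(from_icmenu, useadpaut)
            print(f"from {('ICMENU' if from_icmenu else 'MENU1'):6} "
                  f"USEADPAUT({'*YES' if useadpaut else '*NO'}): "
                  f"adopted={s.adopted_profiles()} "
                  f"ICWRK01={effective_authority('USERA', 'ITEMLIB/ICWRK01', s)}")
```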

System request menu


A user can use the system request function to suspend the current job and display the System Request Menu. The System Request Menu allows the user to send and display messages, transfer to a second job, or end the current job. This might represent a security exposure because the public authority to the System Request Menu is *USE when a system is shipped. The simplest way to prevent users from accessing this menu is to restrict authority to the panel group QGMNSYSR:

• To prevent specific users from seeing the System Request Menu, specify *EXCLUDE authority for those users:
    GRTOBJAUT OBJ(QSYS/QGMNSYSR) OBJTYPE(*PNLGRP) +
              USER(USERA) AUT(*EXCLUDE)

• To prevent most users from seeing the System Request Menu, revoke public authority and grant *USE authority to specific users:

    RVKOBJAUT OBJ(QSYS/QGMNSYSR) OBJTYPE(*PNLGRP) +
              USER(*PUBLIC) AUT(*ALL)
    GRTOBJAUT OBJ(QSYS/QGMNSYSR) OBJTYPE(*PNLGRP) +
              USER(USERA) AUT(*USE)

Some of the actual commands used for the System Request menu come from the CPX2313 message in the QCPFMSG message file. Commands are qualified with a library name from the CPX2373 message. The values in the CPX2373 message for each command are *NLVLIBL or *SYSTEM. Someone might potentially use the Override Message File (OVRMSGF) command to change the commands that the System Request menu options use.

Each time the System Request key is pressed, the system automatically changes the current user profile of the job to the initial user profile of the job. This is done so that the user does not have any additional authority on the System Request menu or in the Presystem Request Program exit program. After the System Request function is completed, the current user profile of the job is returned to the value that it was before the System Request key was pressed.

You can prevent users from selecting specific options from the System Request Menu by restricting the authority to the associated commands. Table 129 shows the commands associated with the menu options:
Table 129. Options and commands for the system request menu

Option   Command
  1      Transfer Secondary Job (TFRSECJOB)
  2      End Request (ENDRQS)
  3      Display Job (DSPJOB)
  4      Display Message (DSPMSG)
  5      Send Message (SNDMSG)
  6      Display Message (DSPMSG)
  7      Display Workstation User (DSPWSUSR)
 10      Start System Request at Previous System (TFRPASTHR). (See note 1.)
 11      Transfer to Previous System (TFRPASTHR). (See note 1.)
 12      Display 3270 emulation options. (See note 2.)
 13      Start System Request at Home System (TFRPASTHR). (See note 1.)
 14      Transfer to Home System (TFRPASTHR). (See note 1.)
 15      Transfer to End System (TFRPASTHR). (See note 1.)
 80      Disconnect Job (DSCJOB)
 90      Sign-Off (SIGNOFF)

Notes:
1. Options 10, 11, 13, 14, and 15 are displayed only if display station pass-through has been started with the Start Pass-Through (STRPASTHR) command. Options 10, 13, and 14 are only displayed on the target system.
2. Option 12 is only displayed when 3270 emulation is active.
3. Some of the options have restrictions for the System/36 environment.

For example, to prevent users from transferring to an alternative interactive job, revoke public authority to the Transfer to Secondary Job (TFRSECJOB) command and grant authority only to specific users:
    RVKOBJAUT OBJ(TFRSECJOB) OBJTYPE(*CMD) USER(*PUBLIC) AUT(*ALL)
    GRTOBJAUT OBJ(TFRSECJOB) OBJTYPE(*CMD) USER(USERA) AUT(*USE)

If a user selects an option for which the user does not have authority, a message is displayed. If you want to prevent users from general use of the commands from the System Request menu but still want them to be able to run a command at a specific time (such as sign-off), you can create a CL program that adopts the authority of an authorized user and runs the command.

Related concepts
Planning menus on page 228
Menus are a good method for providing controlled access on your system. You can use menus to restrict a user to a set of strictly controlled functions by specifying limited capabilities and an initial menu in the user profile.

Planning command security


When your system arrives, the ability to use commands is set up to meet the security needs of most installations. Some commands can be run only by a security officer. Others require a special authority, such as *SAVSYS. Most commands can be used by anyone on the system. You can change the authority to commands to meet your security requirements. For example, you might want to prevent most users on your system from working with communications. You can set the public authority to *EXCLUDE for all commands that work with communications objects, such as the CHGCTLxxx, CHGLINxxx, and CHGDEVxxx commands.

If you need to control which commands can be run by users, you can use object authority to the commands themselves. Every command on the system has object type *CMD and can be authorized to the public or only to specific users. To run a command, the user needs *USE authority to that command. Appendix C, Commands shipped with public authority *EXCLUDE, on page 325 lists all the commands that are shipped with the public authority set to *EXCLUDE.

If you use the System/38 library, you need to restrict security-relevant commands in that library also. Or, you might restrict access to the entire library. If you use one or more national language versions of the i5/OS licensed program on your system, you need to restrict commands in the additional QSYSxxx libraries on your system as well.

Another useful security measure is to change the default values for some commands. The Change Command Default (CHGCMDDFT) command allows you to do this.
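As an added example that is not part of the IBM publication, the CL commands below apply the advice above to the communications command families it names, change one command default, and then check the result. The group profile COMMOPR and the choice of CRTLIB for the CHGCMDDFT step are assumptions.

```cl
/* Added example, not from the IBM publication. Assumed: group profile
   COMMOPR for the staff who operate the network.                     */

/* 1. Set public authority to *EXCLUDE for the CHGCTLxxx, CHGLINxxx
      and CHGDEVxxx commands. A generic name selects every command
      in QSYS whose name begins with the prefix.                      */
GRTOBJAUT  OBJ(QSYS/CHGCTL*) OBJTYPE(*CMD) USER(*PUBLIC) AUT(*EXCLUDE)
GRTOBJAUT  OBJ(QSYS/CHGLIN*) OBJTYPE(*CMD) USER(*PUBLIC) AUT(*EXCLUDE)
GRTOBJAUT  OBJ(QSYS/CHGDEV*) OBJTYPE(*CMD) USER(*PUBLIC) AUT(*EXCLUDE)

/* 2. Give the operations group *USE, the only authority needed to
      run a command. Members get it through the group, so no private
      authority per user is required.                                 */
GRTOBJAUT  OBJ(QSYS/CHGCTL*) OBJTYPE(*CMD) USER(COMMOPR) AUT(*USE)
GRTOBJAUT  OBJ(QSYS/CHGLIN*) OBJTYPE(*CMD) USER(COMMOPR) AUT(*USE)
GRTOBJAUT  OBJ(QSYS/CHGDEV*) OBJTYPE(*CMD) USER(COMMOPR) AUT(*USE)

/* 3. Change a command default with CHGCMDDFT: new libraries created
      with CRTLIB get CRTAUT(*EXCLUDE) unless the creator overrides it,
      so objects placed in them are not public by accident.           */
CHGCMDDFT  CMD(QSYS/CRTLIB) NEWDFT('CRTAUT(*EXCLUDE)')

/* 4. Check: print every command in QSYS whose public authority is
      still something other than *EXCLUDE, and compare with the list
      in Appendix C.                                                  */
PRTPUBAUT  OBJTYPE(*CMD) LIB(QSYS)
```

Granting *EXCLUDE to *PUBLIC with GRTOBJAUT replaces the existing public authority, so it is equivalent to the RVKOBJAUT ... AUT(*ALL) form used elsewhere in this chapter.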

Planning file security


The information contained in database files is often the most important asset on your system. Resource security allows you to control who can view, change, and delete information in a file. If users require different authority to files depending on the situation, you can use adopted authority.

For critical files on your system, keep a record of which users have authority to the file. If you use group authority and authorization lists, you need to keep track of users who have authority through those methods, as well as users who are directly authorized. If you use adopted authority, you can list programs that adopt the authority of a particular user using the Display Program Adopt (DSPPGMADP) command.

You can also use the journaling function on the system to monitor activity against a critical file. Although the primary intent of a journal is to recover information, it can be used as a security tool. It contains a record of who has accessed a file and in what way. You can use the Display Journal (DSPJRN) command to view a sampling of journal entries periodically.

Related reference
Using adopted authority in menu design on page 230
The availability of decision-support tools, such as Query/400, poses challenges for security design. No method exists in the resource security definitions for a user to have different authority to a file in different circumstances. However, using adopted authority allows you to define authority to meet different requirements.

Securing logical files


Resource security on the system supports field-level security of a file. You can also use logical files to protect specific fields or records in a file. A logical file can be used to specify a subset of records that a user can access (by using select and omit logic). Therefore, specific users can be prevented from accessing certain record types. A logical file can be used to specify a subset of fields in a record that a user can access. Therefore, specific users can be prevented from accessing certain fields in a record.

A logical file does not contain any data. It is a particular view of one or more physical files that contain the data. Providing access to the information defined by a logical file requires data authority to both the logical file and the associated physical files. Figure 40 on page 237 shows an example of a physical file and three different logical files associated with it.

Figure 40. Using a logical file for security

Members of the sales department (group profile DPTSM) are allowed to view all fields, but they cannot change the credit limit. Members of the accounts receivable department (group profile DPTAR) are allowed to view all fields, but they cannot change the sales field. The authority to the physical file looks like this:

Table 130. Physical file example: CUSTMAST file

Authority              Users: *PUBLIC
Object authorities
  *OBJOPR
  *OBJMGT
  *OBJEXIST
  *OBJALTER
  *OBJREF
Data authorities
  *READ                X
  *ADD                 X
  *UPD                 X
  *DLT                 X
  *EXECUTE             X
  *EXCLUDE

The public should have all data authority but no object operational authority to the CUSTMAST physical file. The public cannot access the CUSTMAST file directly because *OBJOPR authority is required to open a file. The public's authority makes all the data authority potentially available to users of the logical file. Authority to the logical files looks like this:

                           Display Object Authority
Object . . . . . . . :   CUSTINFO        Owner  . . . . . . . :   OWNAR
  Library  . . . . . :     CUSTLIB       Primary group  . . . :   *NONE
Object type  . . . . :   *FILE           ASP device . . . . . :   *SYSBAS

Object secured by authorization list  . . . . . . . . . . . . :   *NONE

                          Object
User         Group        Authority
*PUBLIC                   *USE

                           Display Object Authority
Object . . . . . . . :   CUSTCRDT        Owner  . . . . . . . :   OWNAR
  Library  . . . . . :     CUSTLIB       Primary group  . . . :   DPTAR
Object type  . . . . :   *FILE           ASP device . . . . . :   *SYSBAS

Object secured by authorization list  . . . . . . . . . . . . :   *NONE

                          Object
User         Group        Authority
DPTAR                     *CHANGE
*PUBLIC                   *USE

                           Display Object Authority
Object . . . . . . . :   CUSTSLS         Owner  . . . . . . . :   OWNSM
  Library  . . . . . :     CUSTLIB       Primary group  . . . :   DPTSM
Object type  . . . . :   *FILE           ASP device . . . . . :   *SYSBAS

Object secured by authorization list  . . . . . . . . . . . . :   *NONE

                          Object
User         Group        Authority
DPTSM                     *CHANGE
*PUBLIC                   *USE

Making the group profile, such as DPTSM, the primary group for the logical file is not necessary for this authority scheme to work. However, using primary group authority eliminates searching private authorities for both the user attempting to access the file and the user's group. Case 2: Using primary group authority on page 187 shows how using primary group authority affects the authority checking process.

You can specify data authorities for logical files beginning with V3R1 of the i5/OS licensed program. When a pre-V3R1 logical file is restored on a V3R1 system or later, the system converts your logical files the first time a logical file is accessed. The system gives it all data authorities.

To use logical files as a security tool, do this:
• Grant all data authorities to the underlying physical files.
• Revoke *OBJOPR from the physical files. This prevents users from accessing the physical files directly.
• Grant the appropriate data authorities to logical files. Revoke any authorities you do not want.
• Grant *OBJOPR to the logical files.
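The four steps above, as an added example that is not from the publication, applied to the CUSTMAST file and its three logical files. Library CUSTLIB and the profiles OWNAR, OWNSM, DPTAR and DPTSM come from the displays above; the logical files are assumed to exist already, created with CRTLF from DDS that selects the fields or records each department may see.

```cl
/* Added example, not from the IBM publication. CUSTLIB, CUSTMAST and
   the logical files CUSTINFO, CUSTCRDT and CUSTSLS come from the text;
   the logical files are assumed to have been created already.         */

/* 1. Grant all data authorities to the physical file ...             */
GRTOBJAUT  OBJ(CUSTLIB/CUSTMAST) OBJTYPE(*FILE) USER(*PUBLIC) +
             AUT(*READ *ADD *UPD *DLT *EXECUTE)

/* 2. ... but revoke *OBJOPR, so nobody can open CUSTMAST directly.
      The data authorities stay available through the logical files. */
RVKOBJAUT  OBJ(CUSTLIB/CUSTMAST) OBJTYPE(*FILE) USER(*PUBLIC) +
             AUT(*OBJOPR)

/* 3./4. Grant *OBJOPR plus the data authorities each department needs
   to its logical file. *USE = *OBJOPR + *READ + *EXECUTE;
   *CHANGE adds *ADD, *UPD and *DLT. Using the department as primary
   group avoids a private-authority search (see Case 2 on page 187). */
GRTOBJAUT  OBJ(CUSTLIB/CUSTINFO) OBJTYPE(*FILE) USER(*PUBLIC) AUT(*USE)

GRTOBJAUT  OBJ(CUSTLIB/CUSTCRDT) OBJTYPE(*FILE) USER(*PUBLIC) AUT(*USE)
CHGOBJPGP  OBJ(CUSTLIB/CUSTCRDT) OBJTYPE(*FILE) NEWPGP(DPTAR) +
             PGPAUT(*CHANGE)

GRTOBJAUT  OBJ(CUSTLIB/CUSTSLS)  OBJTYPE(*FILE) USER(*PUBLIC) AUT(*USE)
CHGOBJPGP  OBJ(CUSTLIB/CUSTSLS)  OBJTYPE(*FILE) NEWPGP(DPTSM) +
             PGPAUT(*CHANGE)

/* Check: CUSTMAST must show no *OBJOPR for *PUBLIC, and each logical
   file must show the displays reproduced above.                       */
DSPOBJAUT  OBJ(CUSTLIB/CUSTMAST) OBJTYPE(*FILE)
DSPOBJAUT  OBJ(CUSTLIB/CUSTSLS)  OBJTYPE(*FILE)
```

The split matters: a user who somehow obtains *OBJOPR to CUSTMAST (for example through an adopting program) gets full data access, so the physical file's *OBJOPR should be granted to nobody but the application owner.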


Related information
DB2 Universal Database for iSeries

Overriding files
You can use override commands to have a program use a different file with the same format. For example, assume that a program in the contracts and pricing application at the JKL Toy Company writes pricing information to a work file before making price changes. A user with access to a command line who wanted to capture confidential information could use an override command to cause the program to write data to a different file in a library controlled by the user.

You can make sure that a program processes the correct files by using override commands with SECURE(*YES) before the program runs; those files are then protected from the effects of any file override commands that were previously called. If you use SECURE(*NO), those files are not protected from other file overrides. Their values can be overridden by the effects of any file override commands that were previously called.
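The scenario above, as an added example that is not from the publication: the unprotected call first, then a driver program that protects the work file with SECURE(*YES). Library CPLIB, the pricing program PRCUPD, the work file PRCWORK, the driver PRCDRV and the user library USRLIB are assumptions.

```cl
/* Added example, not from the IBM publication. Assumed names: library
   CPLIB, program PRCUPD, work file PRCWORK, driver program PRCDRV.   */

/* What the text warns about: a user with a command line issues an
   override before calling the application, so the work file is
   written to a library the user controls.                            */
OVRDBF     FILE(PRCWORK) TOFILE(USRLIB/PRCWORK)
CALL       PGM(CPLIB/PRCUPD)        /* unprotected: writes USRLIB/PRCWORK */

/* --- Source of CPLIB/PRCDRV: the driver the application menu calls
       instead of PRCUPD. ---                                         */
             PGM
             /* SECURE(*YES) protects PRCWORK from overrides issued at
                earlier call levels, such as the one above, so PRCUPD
                always writes CPLIB/PRCWORK.                          */
             OVRDBF     FILE(PRCWORK) TOFILE(CPLIB/PRCWORK) +
                          SECURE(*YES)
             CALL       PGM(CPLIB/PRCUPD)
             DLTOVR     FILE(PRCWORK)
             ENDPGM

/* Close the remaining gap: the public may not call PRCUPD directly,
   and the driver adopts the application owner's authority so menu
   users can still reach PRCUPD through it.                           */
GRTOBJAUT  OBJ(CPLIB/PRCUPD) OBJTYPE(*PGM) USER(*PUBLIC) AUT(*EXCLUDE)
CRTCLPGM   PGM(CPLIB/PRCDRV) SRCFILE(CPLIB/QCLSRC) USRPRF(*OWNER) +
             AUT(*USE)
```

The SECURE(*YES) override only helps if the application cannot be entered below the driver; that is why the last two commands make PRCUPD unreachable except through PRCDRV.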

File security and SQL


You should pay close attention to file security when using a CL program that adopts authority to start SQL or Query Manager. Both of these query programs allow users to specify a file name. The user can, therefore, access any file that the adopted profile has authority to.

Structured Query Language (SQL) uses cross-reference files to keep track of database files and their relationships. These files are collectively referred to as the SQL catalog. Public authority to the SQL catalog is *READ. This means that any user who has access to the SQL interface can display the names and text descriptions for all files on your system. The SQL catalog does not affect the normal authority required to access the contents of database files.

Planning group profiles


A group profile is a useful tool when several users have similar security requirements. You can create group profiles directly, or you can make an existing profile into a group profile. When you use group profiles, you can manage authority more efficiently and reduce the number of individual private authorities for objects.

Group profiles are particularly useful when job requirements and group membership change. For example, if members of a department have responsibility for an application, a group profile can be set up for the department. As users join or leave the department, the group profile field in their user profiles can be changed. This is easier to manage than removing individual authorities from user profiles.

A group profile is just a special type of user profile. It becomes a group profile when one of the following conditions is met:
• Another profile designates it as a group profile.
• You assign a group identification number (gid) to it.

For example:
1. Create a profile called GRPIC:
       CRTUSRPRF GRPIC
2. When the profile is created, it is an ordinary profile, not a group profile.
3. Designate GRPIC as the group profile for another profile:
       CHGUSRPRF USERA GRPPRF(GRPIC)
4. The system now treats GRPIC as a group profile and assigns a gid to it.

Related concepts
Group profiles on page 4
A group profile is a special type of user profile. Rather than giving authority to each user individually, you can use a group profile to define authority for a group of users.

Considerations for primary groups for objects


Any object on the system can have a primary group. Primary group authority can provide a performance advantage if the primary group is the first group for most users of an object. Often, one group of users is responsible for some of the information on the system, such as customer information. That group needs more authority to the information than other system users. By using primary group authority, you can set up this type of authority scheme without affecting the performance of authority checking.

Related tasks
Case 2: Using primary group authority on page 187
This case demonstrates how to use primary group authority.

Considerations for multiple group profiles


By using group profiles, you can manage authority more efficiently and reduce the number of individual private authorities for objects. However, the misuse of group profiles can have a negative effect on the performance of authority checking. This topic provides some suggestions on using multiple group profiles.

A user can be a member of up to 16 groups: the first group (GRPPRF parameter in the user profile) and 15 supplemental groups (SUPGRPPRF parameter in the user profile). Here are suggestions when using multiple group profiles:
• Try to use multiple groups in combination with primary group authority and eliminate private authority to objects.
• Carefully plan the sequence in which group profiles are assigned to a user. The user's first group should relate to the user's primary assignment and the objects used most often. For example, assume a user called WAGNERB does inventory work regularly and does order entry work occasionally. The profile needed for inventory authority (DPTIC) should be WAGNERB's first group. The profile needed for order entry work (DPTOE) should be WAGNERB's first supplemental group.
  Note: The sequence in which private authorities are specified for an object has no effect on authority checking performance.
• If you plan to use multiple groups, study the authority checking process described in How the system checks authority on page 169. Make sure that you understand how using multiple groups in combination with other authority techniques, such as authorization lists, might affect your system performance.

Accumulating special authorities for group profile members


Special authorities are cumulative for users who are members of multiple groups. Special authorities of group profiles are available to the members of that group. User profiles that are members of one or more groups have their own special authorities, plus the special authorities of any group profiles of which the user is a member. For example, assume that profile GROUP1 has *JOBCTL, profile GROUP3 has *AUDIT, and profile GROUP16 has *IOSYSCFG special authority. A user profile that has all three profiles as its group profiles has *JOBCTL, *AUDIT, and *IOSYSCFG special authorities.

Note: If a group member owns a program, the program adopts only the authority of the owner. The authorities of the owner's group are not adopted.


Using an individual profile as a group profile


Creating profiles specifically to be group profiles is preferable to making existing profiles into group profiles. You might find that a specific user has all of the authorities needed by a group of users and be tempted to make that user profile into a group profile. However, using an individual's profile as a group profile might cause problems in the future:
• If the user whose profile is used as the group profile changes responsibilities, a new profile needs to be designated as the group profile, authorities need to be changed, and object ownership needs to be transferred.
• All members of the group automatically have authority to any objects created by the group profile. The user whose profile is the group profile loses the ability to have private objects, unless that user specifically excludes other users.

Try to plan group profiles in advance. Create specific group profiles with password *NONE. If you discover after an application has been running that a user has authorities that should belong to a group of users, do the following actions:
1. Create a group profile.
2. Use the GRTUSRAUT command to give the user's authorities to the group profile.
3. Remove the private authorities from the user, because they are no longer needed. Use the RVKOBJAUT or EDTOBJAUT command.
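The WAGNERB arrangement from "Considerations for multiple group profiles" and the three clean-up steps above, as one added example that is not from the publication. DPTIC, DPTOE and WAGNERB come from the text; the library INVLIB and file ITEMMAST used in the clean-up step are assumptions.

```cl
/* Added example, not from the IBM publication. DPTIC, DPTOE and
   WAGNERB come from the text; INVLIB/ITEMMAST is an assumed object.  */

/* 1. Create profiles whose only purpose is to be groups.
      PASSWORD(*NONE) means nobody can sign on as the group itself.   */
CRTUSRPRF  USRPRF(DPTIC) PASSWORD(*NONE) +
             TEXT('Inventory department group')
CRTUSRPRF  USRPRF(DPTOE) PASSWORD(*NONE) +
             TEXT('Order entry department group')

/* 2. Inventory is WAGNERB's main job, so DPTIC is the first group;
      order entry, done occasionally, is the first supplemental group.
      OWNER(*GRPPRF) makes the first group own whatever WAGNERB
      creates, so the objects stay with the department.               */
CHGUSRPRF  USRPRF(WAGNERB) GRPPRF(DPTIC) SUPGRPPRF(DPTOE) +
             OWNER(*GRPPRF)

/* 3. WAGNERB already holds private authorities that belong to the
      department: copy the object authorities (not the special
      authorities) to the group ...                                   */
GRTUSRAUT  USER(DPTIC) REFUSER(WAGNERB) AUT(*OBJAUT)

/* ... then remove the now-redundant private authority from the
      individual profile, one object at a time (or with EDTOBJAUT).   */
RVKOBJAUT  OBJ(INVLIB/ITEMMAST) OBJTYPE(*FILE) USER(WAGNERB) AUT(*ALL)

/* 4. Check: the group's members and its private authorities.         */
DSPUSRPRF  USRPRF(DPTIC) TYPE(*GRPMBR)
DSPUSRPRF  USRPRF(DPTIC) TYPE(*OBJAUT)
```

GRTUSRAUT copies private authorities but not ownership; objects WAGNERB already owns would still need CHGOBJOWN if the group is to own them.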

Comparison of group profiles and authorization lists


Group profiles are used to simplify managing user profiles that have similar security requirements. Authorization lists are used to secure objects with similar security requirements. Table 131 shows the characteristics of the two methods.

Table 131. Authorization list and group profile comparison

Item being compared                                              Authorization list   Group profile
Used to secure multiple objects                                  Yes                  Yes
User can belong to more than one                                 Yes                  Yes
Private authority overrides other authority                      Yes                  Yes
User must be assigned authority independently                    Yes                  No
Authorities specified are the same for all objects               Yes                  No
Object can be secured by more than one                           No                   Yes
Authority can be specified when the object is created            Yes (note 1)         Yes (note 2)
Can secure all object types                                      No                   Yes
Association with object is deleted when the object is deleted    Yes                  Yes
Association with object is saved when the object is saved        Yes                  Yes (note 3)

Notes:
1. For the authorization list:
   • To assign an authorization list to a library-based object, specify AUT(*LIBCRTAUT) on the CRTxxxx command and CRTAUT(authorization-list-name) for the library. Some objects, such as validation lists, cannot use a value of *LIBCRTAUT in the CRT command.
   • To assign an authorization list to a directory-based object, specify the *INDIR value for the DTAAUT and OBJAUT parameters on the MKDIR command. In this way, the authorization list secures both the parent directory and the new one.
   The system does not allow an arbitrary authorization list to be specified when an object is created.
2. The group profile can be given authority when an object is created by using the GRPAUT parameter in the profile of the user creating the object.
3. Primary group authority is saved with the object. Private group authorities are saved if PVTAUT(*YES) is specified on the save command.

Planning security for programmers


Programmers pose a problem for the security officer. Their knowledge makes it possible for them to bypass security procedures that are not carefully designed. Programmers can bypass security to access data they need for testing. They can also circumvent the normal procedures that allocate system resources in order to achieve better performance for their own jobs. Security is often seen by them as a hindrance to doing the tasks required by their job, such as testing applications. However, giving programmers too much authority on the system breaks the security principle of separating duties. It also allows a programmer to install unauthorized programs.

Follow these guidelines when setting up an environment for application programmers:
• Do not grant all special authorities to programmers. If you must give programmers special authorities, give them only the special authority that is required to perform the jobs or tasks that are assigned to the programmer.
• Do not use the QPGMR user profile as a group profile for programmers.
• Use test libraries and prevent access to production libraries.
• Create programmer libraries and use a program that adopts authority to copy selected production data to programmer libraries for testing.
• If interactive performance is an issue, consider changing the commands for creating programs to run only in batch:
       CHGCMD CMD(CRTxxxPGM) ALLOW(*BATCH *BPGM)
• Perform security auditing of application function before moving applications or program changes from test to production libraries.
• Use the group profile technique when an application is being developed. Have all application programs owned by a group profile. Make programmers who work on the application members of the group and define the programmer user profiles to have the group own any new objects that are created (OWNER(*GRPPRF)). When a programmer moves from one project to another, you can change the group information in the programmer's profile. See Group ownership of objects on page 143 for more information.
• Develop a plan for assigning ownership of applications when they are moved into production. To control changes to a production application, all application objects, including programs, should be owned by the user profile that is designated for the application. Application objects should not be owned by a programmer because the programmer can have uncontrolled access to them in a production environment. The profile that owns the application might be the profile of the individual responsible for the application, or it might be a profile specifically created as the application owner.

Managing source files


To protect the information on your system, you need to carefully plan the security of source files. Source files are important to the integrity of your system. They might also be a valuable company asset, if you have developed or acquired custom applications. Source files should be protected like any other important file on the system. Consider placing source files in separate libraries and controlling who can update them and who can move them to production.

When a source file is created on the system, the default public authority is *CHANGE. This allows any user to update any source member. By default, only the owner of the source file or a user with *ALLOBJ special authority can add or remove members. In most cases, this default authority for source physical files should be changed. Programmers working on an application need *OBJMGT authority to the source files in order to add new members. The public authority should be reduced to *USE or *EXCLUDE, unless the source files are in a controlled library.
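A source library set up the way the paragraph above recommends, as an added example that is not from the publication. The library APPSRC and the programmer group DEVGRP are assumptions.

```cl
/* Added example, not from the IBM publication. Assumed names: source
   library APPSRC and programmer group profile DEVGRP.               */

/* A library whose new objects default to *EXCLUDE for the public.   */
CRTLIB     LIB(APPSRC) CRTAUT(*EXCLUDE) AUT(*USE) +
             TEXT('Application source (controlled)')

/* Source files created explicitly with public *EXCLUDE instead of
   the shipped default of *CHANGE.                                    */
CRTSRCPF   FILE(APPSRC/QRPGLESRC) AUT(*EXCLUDE) TEXT('RPG source')
CRTSRCPF   FILE(APPSRC/QCLSRC)    AUT(*EXCLUDE) TEXT('CL source')

/* Programmers need *CHANGE to edit members plus *OBJMGT to add and
   remove members. *CHANGE and *OBJMGT cannot be combined as symbolic
   values, so the specific authorities are listed instead.            */
GRTOBJAUT  OBJ(APPSRC/*ALL) OBJTYPE(*FILE) USER(DEVGRP) +
             AUT(*OBJOPR *OBJMGT *READ *ADD *UPD *DLT *EXECUTE)

/* Check which profiles can reach the source at all.                  */
DSPOBJAUT  OBJ(APPSRC/QRPGLESRC) OBJTYPE(*FILE)
```

If read-only access for reviewers is wanted instead of *EXCLUDE, grant *USE to *PUBLIC or, better, to a second group profile, so that nobody outside DEVGRP can change a member.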

Protecting Java class files and jar files in the integrated file system
To run a Java program, you need read (*R) authority to each Java class and jar file plus execute (*X) authority to each directory in the path to the Java class and jar files. If you use Java class and jar files in the integrated file system, you need to protect them using normal object authorities. To protect Java files, use the CHGAUT command to secure the directories in the path and the files with object authority attributes.

A user needs read (*R) authority to the Java class and jar files to run a Java program. The user can get that authority from the public authority of the file or from private authority. An authorization list is helpful in setting up private authority for a group of users. Do not give anyone write (*W) authority to the file unless they are allowed to change the file.

You can use the Classpath Security Check Level (CHKPATH) parameter on the RUNJVA command to make sure that a running Java application is using the correct files from the CLASSPATH. With CHKPATH(*SECURE), a warning message is sent for each directory in the CLASSPATH that has public write authority, and if one or more warning messages are sent, the Java program is not run.
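The directory and file authorities described above, followed by a run with the classpath check, as an added example that is not from the publication. The paths under /apps/myapp, the group profile JAVAUSR and the class name com.example.Main are assumptions.

```cl
/* Added example, not from the IBM publication. Assumed: application
   directory /apps/myapp, group profile JAVAUSR, class com.example.Main. */

/* Everyone may traverse the directories (*X) but nothing more; with
   SUBTREE(*ALL) the files also get only *X, which is not enough to
   read a class or jar file.                                          */
CHGAUT     OBJ('/apps/myapp') USER(*PUBLIC) DTAAUT(*X) OBJAUT(*NONE) +
             SUBTREE(*ALL)

/* The application's users get read + execute on the whole tree.
   Nobody except the owner is given *W, so the class path cannot be
   altered by its users.                                              */
CHGAUT     OBJ('/apps/myapp') USER(JAVAUSR) DTAAUT(*RX) OBJAUT(*NONE) +
             SUBTREE(*ALL)

/* Check the data authorities on one of the jar files.                */
DSPAUT     OBJ('/apps/myapp/lib/myapp.jar')

/* Run with the classpath check: a publicly writable directory on the
   CLASSPATH produces a warning, and with *SECURE the program does
   not start at all.                                                  */
RUNJVA     CLASS(com.example.Main) CLASSPATH('/apps/myapp/lib/myapp.jar') +
             CHKPATH(*SECURE)
```

CHKPATH(*SECURE) guards only against directories that are publicly writable; a directory that a specific non-owner user can write to is still a risk, which is why the CHGAUT commands grant *W to nobody.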

Planning security for system programmers or managers


You can limit the authority given to system programmers or managers to protect the files on your system. Most systems have someone responsible for housekeeping functions. This person monitors the use of system resources, particularly disk storage, to make sure that users regularly remove unused objects to free space. System programmers need broad authority to observe all the objects on the system. However, they do not need to view the contents of those objects. You can use adopted authority to provide a set of display commands for system programmers, rather than giving special authorities in their user profiles.

For example, you might want Sue and Fred to be the two people who can create and change user profiles without giving them special authorities. You can achieve this by doing the following steps:
1. Write a command or program that is a front end to the CRTUSRPRF or CHGUSRPRF command.
2. Have the command or program adopt a profile that can do the creates and changes.
3. Authorize Sue and Fred to the program.
Then Sue and Fred can only do the task through the application.
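Steps 1 to 3 above, as an added example that is not from the publication. The program SECLIB/ENAUSR, its owner SECADMIN (a profile that is allowed to change user profiles), the profiles SUE and FRED, and the specific task the front end performs (re-enabling a disabled profile and expiring its password) are all assumptions; the important part is that the program checks its input before using the adopted authority.

```cl
/* Added example, not from the IBM publication. Assumed names:
   program SECLIB/ENAUSR (source SECLIB/QCLSRC), owner SECADMIN,
   help-desk users SUE and FRED.                                      */

/* --- Source member ENAUSR: re-enable a locked-out user and force a
       password change at next sign-on. Refuses privileged profiles. --- */
             PGM        PARM(&USER)
             DCL        VAR(&USER)   TYPE(*CHAR) LEN(10)
             DCL        VAR(&SPCAUT) TYPE(*CHAR) LEN(150) /* 15 x 10 */
             DCL        VAR(&AUT)    TYPE(*CHAR) LEN(10)
             DCL        VAR(&I)      TYPE(*INT)

             /* Any unexpected error (profile not found, ...) fails
                closed: nothing is changed.                           */
             MONMSG     MSGID(CPF0000) EXEC(GOTO CMDLBL(FAIL))

             /* Guard: never act on a profile holding *ALLOBJ or
                *SECADM, even though the adopted owner could.         */
             RTVUSRPRF  USRPRF(&USER) SPCAUT(&SPCAUT)
             DOFOR      VAR(&I) FROM(1) TO(141) BY(10)
               CHGVAR     VAR(&AUT) VALUE(%SST(&SPCAUT &I 10))
               IF         COND(&AUT *EQ '*ALLOBJ' *OR &AUT *EQ '*SECADM') +
                            THEN(GOTO CMDLBL(FAIL))
             ENDDO

             /* The only change this front end is allowed to make.    */
             CHGUSRPRF  USRPRF(&USER) STATUS(*ENABLED) PWDEXP(*YES)
             SNDPGMMSG  MSG('Profile' *BCAT &USER *BCAT 'enabled')
             RETURN

 FAIL:       SNDPGMMSG  MSGID(CPF9898) MSGF(QCPFMSG) +
                          MSGDTA('Request refused for' *BCAT &USER) +
                          MSGTYPE(*ESCAPE)
             ENDPGM

/* --- Creation: adopt the owner, exclude the public, authorize the
       two help-desk users. ---                                       */
CRTCLPGM   PGM(SECLIB/ENAUSR) SRCFILE(SECLIB/QCLSRC) USRPRF(*OWNER) +
             AUT(*EXCLUDE)
CHGOBJOWN  OBJ(SECLIB/ENAUSR) OBJTYPE(*PGM) NEWOWN(SECADMIN)
GRTOBJAUT  OBJ(SECLIB/ENAUSR) OBJTYPE(*PGM) USER(SUE FRED) AUT(*USE)

/* Usage by SUE, who has no *SECADM of her own:
   CALL PGM(SECLIB/ENAUSR) PARM(USERB)                                */
```

Because SUE and FRED have *USE to the program only, they cannot run CHGUSRPRF with any other parameters, and the guard loop keeps the adopted authority from being turned against the profiles that matter most.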

Using validation lists


Validation list objects provide a method for applications to securely store user-authentication information. For example, the Internet Connection Server (ICS) uses validation lists to carry out the concept of an Internet user. The ICS can perform basic authentication before a Web page is served. Basic authentication requires users to provide some type of authentication information, such as a password, PIN, or account number. The name of the user and the authentication information can be stored securely in a validation list. The ICS can use the information from the validation list rather than require all users of the ICS to have a System i user id and password.

An internet user can be permitted or denied access to the system from the Web server. The user, however, has no authority to any System i resources or authority to sign on or run jobs. A System i user profile is never created for the internet users.

To create and delete validation lists, you can use the CL commands Create Validation List (CRTVLDL) and Delete Validation List (DLTVLDL). Application Programming Interfaces (APIs) are also provided to allow applications to add, change, remove, verify (authenticate), and find entries in a validation list.

Validation list objects are available for all applications to use. For example, if an application requires a password, the application passwords can be stored in a validation list object rather than a database file. The application can use the validation list APIs to verify a user's password. Since the validation list is encrypted, this method is more secure than using the application alone to verify the user's password. You can store the authentication information in a decryptable form. If a user has the appropriate security, the authentication information can be decrypted and returned to the user.

Related reference
Retain Server Security (QRETSVRSEC) on page 31
The Retain Server Security (QRETSVRSEC) system value determines whether decryptable authentication information associated with user profiles or validation list (*VLDL) entries can be retained on the host system. This does not include the System i user profile password.
Related information
Application programming interfaces

Limit access to program function


The limit access to program function allows you to define who can use an application, the parts of an application, or the functions within a program. This support is not a replacement for resource security. Limit access to program function does not prevent a user from accessing a resource (such as a file or program) from another interface.

The limit access to program function provides APIs that perform the following tasks:
• Register a function
• Retrieve information about the function
• Define who can or cannot use the function
• Check to see if the user is allowed to use the function

To use this function within an application, the application provider must register the functions when the application is installed. The registered function corresponds to a code block for specific functions in the application. When the user runs the application, before the application invokes the code block, it calls the check usage API to verify that the user has the authority to use the function that is associated with the code block. If the user is allowed to use the registered function, the code block runs. If the user is not allowed to use the function, the user is prevented from running the code block.

The system administrator specifies who is allowed or denied access to a function. The administrator can either use the Work with Function Usage Information (WRKFCNUSG) command to manage the access to program function or use Application Administration in the System i Navigator.

Related information
Application administration

Chapter 8. Backup and recovery of security information


Saving your security information is just as important as saving your data. In some situations, you might need to recover user profiles, object authorities, and the data on your system. If you do not have your security information saved, you might need to manually rebuild user profiles and object authorities. This can be time-consuming and can lead to errors and security exposures.

This topic includes information on the following topics:
• How security information is saved and restored
• How security affects saving and restoring objects
• Security issues associated with *SAVSYS special authority

Planning adequate backup and recovery procedures for security information requires understanding how the information is stored, saved, and restored. Table 132 shows the commands that are used to save and restore security information. The sections that follow discuss saving and restoring security information in more detail.
Table 132. How security information is saved and restored

Save commands (columns): SAVCHGOBJ, SAVOBJ, SAVLIB, SAVSECDTA, SAVDLO, SAVSYS, SAVCFG
Restore commands (columns): RSTUSRPRF, RSTOBJ, RSTLIB, RSTDLO, RSTCFG, RSTAUT, RSTDFROBJ

Security information saved or restored (rows):
v User profiles
v Object ownership (1)
v Primary group (1)
v Public authorities (1)
v Private authorities (3)
v Authorization lists
v Authority holders
v Link with the authorization list and authority holders
v Object auditing value
v Function registration information (2)
v Function usage information
v Validation lists
v Server authentication entries

(Table cell markings not recoverable in this copy.)

Notes:
1. The SAVSECDTA, SAVSYS, and RSTUSRPRF commands save and restore ownership, primary group, primary group authority, and public authority for these object types: User profile (*USRPRF), Authorization list (*AUTL), and Authority holder (*AUTHLR).
2. The object to save/restore is QUSEXRGOBJ, type *EXITRG, in the QUSRSYS library.
3. Private authorities for all objects are saved with SAVSECDTA. RSTUSRPRF restores the authority information needed to restore the private authorities. The private authorities are restored with RSTAUT. Private authorities for individual objects can be saved with the SAV, SAVLIB, SAVOBJ, and SAVCHGOBJ commands. Private authorities for individual objects can be restored with the RST, RSTLIB, and RSTOBJ commands if they were saved with the save command.

Copyright IBM Corp. 1996, 2010
Related information
Backup and recovery
Backup and recovery PDF

How security information is stored


Planning adequate backup and recovery procedures for security information requires understanding how the information is stored and saved. Security information is stored with objects, user profiles, and authorization lists:

Authority information stored with object:
v Public authority
v Owner name
v Owner's authority to object
v Primary group name
v Primary group's authority to object
v Authorization list name
v Object auditing value
v Whether any private authority exists
v Whether any private authority is less than public

Authority information stored with user profile:
v Heading Information: The user profile attributes shown on the Create User Profile display. The uid and gid.
v Private Authority Information: Private authority to objects. This includes private authority to authorization lists.
v Ownership Information: List of owned objects. For each owned object, a list of users with private authority to the object.
v Primary Group Information: List of objects for which the profile is the primary group.
v Auditing Information: Action auditing value. Object auditing value.
v Function Usage Information: Usage settings for registered functions.
v Server Authentication Information: Server authentication entries.

Authority information stored with authorization lists:
v Normal authority information stored with any object, such as the public authority and owner.
v List of all objects secured by the authorization list.

Related concepts
Additional information associated with a user profile on page 115
This topic discusses the private authorities, owned object information, and primary group object information that are associated with a user profile.

Saving security information


Security information is stored differently on the save media than it is on your system. When you save user profiles, the private authority information stored with the user profile is formatted into an authority table. An authority table is built and saved for each user profile that has private authorities. This reformatting and saving of security information can be lengthy if you have many private authorities on your system. This is how security information is stored on the save media:

Authority information saved with object:
v Public authority
v Owner name
v Owner's authority to object
v Primary group name
v Primary group's authority to object
v Authorization list name
v Field level authorities
v Object auditing value
v Whether any private authority exists
v Whether any private authority is less than public
v Private authorities for the object, if PVTAUT(*YES) is specified on the SAVxxx command

Authority information saved with authorization list:
v Normal authority information stored with any object, such as the public authority, owner, and primary group.

Authority information saved with user profile:
v The user profile attributes shown on the Create User Profile display.
v Other application information associated with the user profile. For example:
  - Server authentication entries
  - User Application Information entries that are added using the Update User Application Information (QsyUpdateUserApplicationInfo) API

Authority table saved associated with user profile:
v One record for each private authority of the user profile, including usage settings for registered functions.

Function registration information saved with QUSEXRGOBJ object:
v The function registration information can be saved by saving the QUSEXRGOBJ *EXITRG object in QUSRSYS.

Recovering security information


Recovering your system often requires restoring data and associated security information. The typical sequence for recovery is:
1. Restore user profiles and authorization lists (RSTUSRPRF USRPRF(*ALL)).
2. Restore objects (RSTCFG, RSTLIB, RSTOBJ, RSTDLO or RST).
3. Restore the private authorities to objects (RSTAUT).

Note: By using the code examples, you agree to the terms of the Chapter 10, Code license and disclaimer information, on page 307.

Related information
Backup and Recovery

Restoring user profiles


There might be some changes that are made to a user profile when it is restored. The following rules apply:
v If profiles are being restored individually (RSTUSRPRF USRPRF(*ALL) is not specified), SECDTA(*PWDGRP) is not requested, and the profile that is being restored does not exist on the system, these fields are changed to *NONE:
  - Group profile name (GRPPRF)
  - Password (PASSWORD)
  - Document password (DOCPWD)
  - Supplemental group profiles (SUPGRPPRF)
  Product passwords are changed to *NONE, so they will be incorrect after restoring an individual user profile that did not exist on the system.
v If profiles are being restored individually (RSTUSRPRF USRPRF(*ALL) is not specified), SECDTA(*PWDGRP) is not requested, and the profile exists on the system, the password, document password, and group profile are not changed. User profiles can be restored individually with the password and group information restored from the save media by specifying the SECDTA(*PWDGRP) parameter on the RSTUSRPRF command. *ALLOBJ and *SECADM special authorities are required to restore the password and group information when restoring individual profiles. Product passwords restored with the user profile will be incorrect after restoring an individual user profile that existed on the system, unless the SECDTA(*PWDGRP) parameter is specified on the RSTUSRPRF command.
v If all of the user profiles are being restored to your system, all of the fields in any of the profiles that already exist on the system are restored from the save media, including the password.

Attention:
1. User profiles saved from a system with a different password level (QPWDLVL system value) than the system that is being restored might result in having a password that is not valid on the restored system. For example, if the saved user profile came from a system that was running password level 2, the user can have a password of "This is my password". This password will not be valid on a system running password level 0 or 1.
2. Keep a record of the security officer (QSECOFR) password associated with each version of your security information that is saved. This ensures that you can sign on to your system if you need to do a complete restore operation. You can use DST (Dedicated Service Tools) to reset the password for the QSECOFR profile.

v If a profile exists on the system, the restore operation does not change the uid or gid.
v If a profile does not exist on the system, the uid and gid for a profile are restored from the save media. If either the uid or the gid already exists on the system, the system generates a new value and issues a message (CPI3810).
v *ALLOBJ special authority is removed from user profiles that are being restored to a system at security level 30 or higher in either of these situations:
  - The profile was saved from a different system and the user performing the RSTUSRPRF does not have *ALLOBJ and *SECADM special authorities.
  - The profile was saved from the same system at security level 10 or 20.
  Attention: The system uses the machine serial number on the system and on the save media to determine whether objects are being restored to the same system or to a different system.
  *ALLOBJ special authority is not removed from these IBM-supplied profiles:
  - QSYS (system) user profile
  - QSECOFR (security officer) user profile
  - QLPAUTO (licensed program automatic install) user profile
  - QLPINSTALL (licensed program install) user profile
v If a profile is restored (all profiles or individual profile) that already exists on the system, the restore operation will not change the existing user expiration fields.
v If a profile is restored (all profiles or individual profile) that does not yet exist on the system, all fields in the user profile are restored from the save media, including the user expiration interval and user expiration date fields:
  - If the profile is enabled and the user expiration date is past, the user profile will be set to disabled and the CPF2271 diagnostic message will be sent.
  - If the profile is enabled and the user expiration date has not passed, the job scheduler entry will be added.

Related information
Resetting the QSECOFR i5/OS user profile password

Restoring objects
When you restore an object to the system, the system uses the authority information stored with the object. This topic describes the rules applicable to the authority information when restoring objects. The following applies to the security of the restored object:

Object ownership:
v If the profile that owns the object exists on the system, ownership is restored to that profile.
v If the owner profile does not exist on the system, ownership of the object is given to the QDFTOWN (default owner) user profile.
v If the object exists on the system and the owner on the system is different from the owner on the save media, the object is not restored unless ALWOBJDIF(*ALL), ALWOBJDIF(*OWNER), or ALWOBJDIF(*COMPATIBLE) is specified. In that case, the object is restored and the owner on the system is used.
v See Restoring programs on page 252 for additional considerations when restoring programs.

Primary group:
For an object that does not exist on the system:
v If the profile that is the primary group for the object is on the system, the primary group value and authority are restored for the object.
v If the profile that is the primary group does not exist on the system:
  - The primary group for the object is set to none.
  - The primary group authority is set to no authority.
When an existing object is restored, the primary group for the object is not changed by the restore operation.

Public authority:
v If the object that is being restored does not exist on the system, public authority is set to the public authority of the saved object.
v If the object that is being restored does exist and is being replaced, public authority is not changed. The public authority from the saved version of the object is not used.
v The CRTAUT for the library is not used when restoring objects to the library.

Authorization list:
v If an object, other than a document or folder, already exists on the system and is linked to an authorization list, the ALWOBJDIF parameter determines the result:
  - If ALWOBJDIF(*NONE) is specified, the existing object must have the same authorization list as the saved object. If not, the object is not restored.
  - If ALWOBJDIF(*ALL), ALWOBJDIF(*AUTL), or ALWOBJDIF(*COMPATIBLE) is specified, the object is restored. The object is linked to the authorization list that is associated with the existing object.
v If a document or folder that already exists on the system is restored, the authorization list that is associated with the object on the system is used. The authorization list from the saved document or folder is not used.
v If the authorization list does not exist on the system, the object is restored without being linked to an authorization list and the public authority is changed to *EXCLUDE.
v If the object is being restored on the same system from which it was saved, the object is linked to the authorization list again.
v If the object is being restored on a different system, the ALWOBJDIF parameter on the restore command is used to determine whether the object is linked to the authorization list:
  - If ALWOBJDIF(*ALL), ALWOBJDIF(*AUTL), or ALWOBJDIF(*COMPATIBLE) is specified, the object is linked to the authorization list.
  - If ALWOBJDIF(*NONE) is specified, then the object is not linked to the authorization list and the public authority of the object is changed to *EXCLUDE.

Private authorities:
v Private authority is saved with user profiles, and with objects if PVTAUT(*YES) is specified on the SAVxxx command.
v If user profiles have private authority to an object that is being restored, those private authorities are typically not affected. Restoring certain types of programs might result in private authorities being revoked.
v If an object is deleted from the system, the private authority for the object no longer exists on the system. When an object is deleted, all private authority to the object is removed from user profiles. If the object is then restored from a saved version, the private authorities can be restored if PVTAUT(*YES) was specified when the object was saved.
v If private authorities need to be recovered and the private authorities were not saved with the object, then the Restore Authority (RSTAUT) command must be used. The normal sequence is:
  1. Restore user profiles
  2. Restore objects
  3. Restore authority

Object auditing:
v If the object that is being restored does not exist on the system, the object auditing (OBJAUD) value of the saved object is restored.
v If the object that is being restored does exist and is being replaced, the object auditing value is not changed. The OBJAUD value of the saved version of the object is not restored.
v If a library or directory that is being restored does not exist on the system, the create object or directory auditing (CRTOBJAUD) value for the library or directory is restored.
v If a library or directory that is being restored exists and is being replaced, the CRTOBJAUD value for the library or directory is not restored. The CRTOBJAUD value for the existing library or directory is used.

Authority holder:
v If a file is restored and an authority holder exists for that file name as well as the library to which it is being restored, the file is linked to the authority holder.
v The authority information associated with the authority holder replaces the public authority and owner information saved with the file.

User domain objects:
The system restricts user domain objects (*USRSPC, *USRIDX, and *USRQ) to the libraries specified in the QALWUSRDMN system value. If a library is removed from the QALWUSRDMN system value after a user domain object of type *USRSPC, *USRIDX, or *USRQ is saved, the system changes the object to system domain when it is restored.

Function registration information:
The function registration information can be restored by restoring the QUSEXRGOBJ *EXITRG object into QUSRSYS. This restores all of the registered functions. The usage information associated with the functions is restored when user profiles and authorities are restored.

Applications that use certificates registration:
The applications that use certificates registration information can be restored by restoring the QUSEXRGOBJ *EXITRG object into QUSRSYS. This restores all of the registered applications. The association of the application to its certificate information can be restored by restoring the QYCDCERTI *USRIDX object into QUSRSYS.
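The ownership, primary group, public authority and authorization-list rules above, encoded as an added decision model so that the expected outcome of a restore (and in particular the cases where public authority ends up as *EXCLUDE or the object is not restored at all) can be checked before the restore is run. This is example code written for this page, not IBM i code: the dataclasses ObjectAuthority and SystemState, the function restore_authority, the is_doc_or_flr flag and the sample names are assumptions of the example; the rules it applies are the ones stated in the text, and where the text is silent (an existing object that is not linked to any list) the model keeps the existing object's state and says so in a comment.

```python
# Added example, not IBM i code: a decision model of the restore rules above.
# Field names, SystemState and restore_authority are assumptions of this example.
from dataclasses import dataclass
from typing import Optional

LINK_AUTL_DIFF = ("*ALL", "*AUTL", "*COMPATIBLE")   # ALWOBJDIF values that permit list differences
OWNER_DIFF = ("*ALL", "*OWNER", "*COMPATIBLE")      # ALWOBJDIF values that permit owner differences


@dataclass
class ObjectAuthority:
    owner: str
    primary_group: Optional[str]       # None means no primary group
    primary_group_aut: Optional[str]
    public_aut: str
    autl: Optional[str]                # authorization list name, or None if not linked


@dataclass
class SystemState:
    profiles: frozenset      # user profiles present on the target system
    autls: frozenset         # authorization lists present on the target system
    same_system: bool        # serial number on the media matches the target system


def restore_authority(saved, existing, system, alwobjdif="*NONE", is_doc_or_flr=False):
    """Return the ObjectAuthority the object has after the restore, or None if the
    restore operation rejects the object."""
    if existing is not None:
        # Existing object: owner, primary group and public authority stay as on the system.
        if existing.owner != saved.owner and alwobjdif not in OWNER_DIFF:
            return None
        result = ObjectAuthority(existing.owner, existing.primary_group,
                                 existing.primary_group_aut, existing.public_aut, existing.autl)
        if existing.autl is not None and not is_doc_or_flr:
            if alwobjdif == "*NONE" and existing.autl != saved.autl:
                return None                       # *NONE requires the same list
            result.autl = existing.autl           # otherwise the system copy's link is kept
        # Documents and folders always keep the list of the copy on the system (already in result).
        # The text does not cover an existing object with no list; the model keeps it unlinked.
        return result

    # New object: authority comes from the saved copy, subject to what exists on the system.
    owner = saved.owner if saved.owner in system.profiles else "QDFTOWN"
    if saved.primary_group in system.profiles:
        pgrp, pgrp_aut = saved.primary_group, saved.primary_group_aut
    else:
        pgrp, pgrp_aut = None, None               # primary group "none", "no authority"
    result = ObjectAuthority(owner, pgrp, pgrp_aut, saved.public_aut, None)

    if saved.autl is None:
        return result
    if saved.autl not in system.autls:
        result.public_aut = "*EXCLUDE"            # list missing: unlinked, public forced to *EXCLUDE
    elif system.same_system or alwobjdif in LINK_AUTL_DIFF:
        result.autl = saved.autl                  # relinked to the list
    else:
        result.public_aut = "*EXCLUDE"            # different system with *NONE: not linked
    return result


if __name__ == "__main__":
    # Constructed sample: a file saved with owner PAYOWN, group PAYGRP and list PAYAUTL.
    saved = ObjectAuthority("PAYOWN", "PAYGRP", "*CHANGE", "*USE", "PAYAUTL")
    bare = SystemState(profiles=frozenset(), autls=frozenset(), same_system=True)
    print(restore_authority(saved, None, bare))   # QDFTOWN, no group, no list, *EXCLUDE
```

Running the sample against a target where neither the profiles nor the list exist shows why user profiles and authorization lists are restored first: restored out of order, the object lands owned by QDFTOWN with public authority *EXCLUDE.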


Related concepts
Restoring programs
Restoring programs to your system that are obtained from an unknown source poses a security exposure. This topic provides information about the factors that should be taken into consideration when restoring programs.
Restoring authorization lists on page 254
No method exists for restoring an individual authorization list. When you restore an authorization list, authority and ownership are established just as they are for any other object that is restored.

Restoring authority
When security information is restored, private authorities must be rebuilt. When you restore a user profile that has an authority table, the authority table for the profile is also restored. The Restore Authority (RSTAUT) command rebuilds the private authority in the user profile by using the information from the authority table. The grant authority operation runs for each private authority in the authority table. This can be a lengthy process if authority is being restored for many profiles and if many private authorities exist in the authority tables.

The RSTUSRPRF and RSTAUT commands can be run for a single profile, a list of profiles, a generic profile name, or all profiles. The system searches the save media or save file that was created by the SAVSECDTA command, the SAVSYS command, or the QSRSAVO API to find the profiles you want to restore.

If the private authorities are saved with objects, you can optionally restore them with the objects. This is suggested when you are saving and restoring a relatively small number of objects rather than an entire system.

Restoring field authority:
The following steps are required to restore private field authorities for database files that do not already exist on the system:
v Restore or create the necessary user profiles.
v Restore the files.
v Run the Restore Authority (RSTAUT) command.
The private field authorities are not fully restored until the private object authorities that they restrict are also established again.

Restoring programs
Restoring programs to your system that are obtained from an unknown source poses a security exposure. This topic provides information about the factors that should be taken into consideration when restoring programs.

Programs might perform operations that break your security requirements. Of particular concern are programs that contain restricted instructions, programs that adopt their owner authority, and programs that have been tampered with. This includes object types *PGM, *SRVPGM, *MODULE, and *CRQD. You can use the QVFYOBJRST, QFRCCVNRST, and QALWOBJRST system values to prevent these object types from being restored to your system.

The system uses a validation value to help protect programs. This value is stored with a program and recalculated when the program is restored. The system's actions are determined by the ALWOBJDIF parameter on the restore command and the Force conversion on restore (QFRCCVNRST) system value.

Note: Programs contain information that allows the program to be re-created at restore time if necessary. The information needed to re-create the program remains with the program even when the observability of the program is removed. If a program validation error is determined to exist at the time the program is restored, the program will be re-created in order to correct the program validation error.

Restoring programs that adopt the owner's authority:
When a program that adopts owner authority is restored, the ownership and authority to the program might be changed. The following applies:
v The user profile doing the restore operation must either own the program or have *ALLOBJ and *SECADM special authorities.
v The user profile doing the restore operation can receive the authority to restore the program by:
  - Being the program owner.
  - Being a member of the group profile that owns the program (unless you have private authority to the program).
  - Having *ALLOBJ and *SECADM special authority.
  - Being a member of a group profile that has *ALLOBJ and *SECADM special authority.
  - Running under adopted authority that meets one of the tests just listed.
v If the restoring profile does not have adequate authority, all public and private authorities to the program are revoked, and the public authority is changed to *EXCLUDE.
v If the owner of the program does not exist on the system, ownership is given to the QDFTOWN user profile. Public authority is changed to *EXCLUDE and the authorization list is removed.

Related concepts
Restoring objects on page 249
When you restore an object to the system, the system uses the authority information stored with the object. This topic describes the rules applicable to the authority information when restoring objects.
Related reference
Security-related restore system values on page 41
This topic introduces the security-related restore system values on your i5/OS operating system.

Restoring licensed programs


This topic introduces the instructions on restoring the licensed programs on your system.

The Restore Licensed Programs (RSTLICPGM) command is used to install IBM-supplied programs on your system. It can also be used to install non-IBM programs that were created by using the IBM System Manager for i5/OS licensed program. When your system is shipped, only users with *ALLOBJ special authority can use the RSTLICPGM command.

The RSTLICPGM procedure calls an exit program to install programs that are not supplied by IBM. To protect security on your system, the exit program should not run using a profile with *ALLOBJ special authority. Instead of having a user with *ALLOBJ authority run the command directly, use a program that adopts *ALLOBJ special authority to run the RSTLICPGM command. Here is an example of this technique. The program to be installed using the RSTLICPGM command is called CPAPP (Contracts and Pricing).

1. Create a user profile with sufficient authority to successfully install the application. Do not give this profile *ALLOBJ special authority. In this example, the user profile is called OWNCP.
2. Write a program to install the application. In this example, the program is called CPINST:

   Note: By using the code examples, you agree to the terms of the Chapter 10, Code license and disclaimer information, on page 307.

   PGM
     /* Restore the CPAPP product; runs under the authority adopted from the program owner */
     RSTLICPGM LICPGM(CPAPP)
   ENDPGM

3. Create the CPINST program to adopt the authority of a user with *ALLOBJ special authority, such as QSECOFR, and authorize OWNCP to the program:

   CRTCLPGM PGM(QGPL/CPINST) USRPRF(*OWNER) +
            AUT(*EXCLUDE)
   GRTOBJAUT OBJ(CPINST) OBJTYPE(*PGM) +
             USER(OWNCP) AUT(*USE)

4. Sign on as OWNCP and call the CPINST program. When the CPINST program runs the RSTLICPGM command, you are running under QSECOFR authority. When the exit program runs to install the CPAPP programs, it drops adopted authority. The programs called by the exit program run under the authority of OWNCP.

Restoring authorization lists


No method exists for restoring an individual authorization list. When you restore an authorization list, authority and ownership are established just as they are for any other object that is restored. The link between authorization lists and objects is established if the objects are restored after the authorization list. Users' private authorities to the list are restored using the RSTAUT command. Authorization lists are saved by either the SAVSECDTA command or the SAVSYS command. Authorization lists are restored by the command:
RSTUSRPRF USRPRF(*ALL)

Recovering from a damaged authorization list


When an authorization list that secures an object becomes damaged, access to the object is limited to users that have all object (*ALLOBJ) special authority. To recover from a damaged authorization list, two steps are required:
1. Recover users and their authorities on the authorization list.
2. Recover the association of the authorization list with the objects.
These steps must be done by a user with *ALLOBJ special authority.

Related concepts
Restoring objects on page 249
When you restore an object to the system, the system uses the authority information stored with the object. This topic describes the rules applicable to the authority information when restoring objects.

Recovering the authorization list


Use the instructions in this topic to recover the authorization list.

If users' authorities to the authorization list are known, you can restore the authorization list by following the steps below.
1. Delete the authorization list.
2. Create the authorization list again.
3. Add all known users to it.

If you do not know all of the user authorities, you can restore the authorization list by using the last saved SAVSYS or SAVSECDTA tapes. To restore the authorization list, do the following actions:
1. Delete the damaged authorization list using the Delete Authorization List (DLTAUTL) command.
2. Restore the authorization list by restoring user profiles:

   RSTUSRPRF USRPRF(*ALL)

3. Restore users' private authorities to the list by using the RSTAUT command.

This procedure restores user profile values from the save media. Refer to Restoring user profiles on page 248 for more information about restoring user profile values from save media.

Recovering the association of objects to the authorization list


Follow the steps in this topic to recover the association of objects to the authorization list.

When the damaged authorization list is deleted, the objects that were secured by the authorization list need to be added to the new authorization list. Do the following actions:
1. Find the objects that were associated with the damaged authorization list by using the Reclaim Storage (RCLSTG) command. Reclaim storage assigns the objects that were associated with the authorization list to the QRCLAUTL authorization list.
2. Use the Display Authorization List Objects (DSPAUTLOBJ) command to list the objects that are associated with the QRCLAUTL authorization list.
3. Use the Grant Object Authority (GRTOBJAUT) command to secure each object with the correct authorization list:

   GRTOBJAUT OBJ(library-name/object-name) +
             OBJTYPE(object-type) +
             AUTL(authorization-list-name)

If a large number of objects are associated with the QRCLAUTL authorization list, create a database file by specifying OUTPUT(*OUTFILE) on the DSPAUTLOBJ command. You can write a CL program to run the GRTOBJAUT command for each object in the file.
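One way to produce that per-object GRTOBJAUT program for review before it is compiled, as an added example that is not IBM-supplied code. The listing it parses is a constructed CSV stand-in for the DSPAUTLOBJ outfile (the outfile's real field names are not reproduced here), the mapping of libraries to their correct authorization lists is supplied by the operator, and the function names are assumptions of this example. Object names are validated before they are placed in a command string, so a damaged or hand-edited listing cannot yield a malformed command, and objects whose correct list is unknown are reported rather than silently left on QRCLAUTL.

```python
# Added example, not IBM-supplied code: builds the GRTOBJAUT commands for step 3
# from a constructed stand-in for the step 2 outfile. Listing format, function
# names and sample data are assumptions of this example.
import csv
import io
import re

# IBM i simple object names: 1-10 characters, starting with A-Z, $, # or @.
NAME_RE = re.compile(r"^[A-Z$#@][A-Z0-9$#@_]{0,9}$")

# Constructed sample of what DSPAUTLOBJ AUTL(QRCLAUTL) OUTPUT(*OUTFILE) might list after RCLSTG.
SAMPLE_LISTING = """library,object,type
PAYLIB,PAYMAST,*FILE
PAYLIB,PAYRPT,*PGM
HRLIB,EMPMAST,*FILE
"""


def _check_name(name):
    # Validate before interpolating into a command string.
    if not NAME_RE.match(name):
        raise ValueError(f"invalid IBM i object name: {name!r}")
    return name


def parse_listing(text):
    """Return (library, object, type) tuples from the constructed listing."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        lib = _check_name(row["library"].strip().upper())
        obj = _check_name(row["object"].strip().upper())
        typ = row["type"].strip().upper()
        if not re.match(r"^\*[A-Z]{1,9}$", typ):
            raise ValueError(f"invalid object type: {typ!r}")
        rows.append((lib, obj, typ))
    return rows


def build_grtobjaut_commands(rows, autl_by_library, default_autl=None):
    """One GRTOBJAUT per object; the target list comes from autl_by_library or the
    default. Objects with no known list are returned separately, not dropped."""
    commands, unresolved = [], []
    for lib, obj, typ in rows:
        autl = autl_by_library.get(lib, default_autl)
        if autl is None:
            unresolved.append((lib, obj, typ))
            continue
        _check_name(autl)
        if autl == "QRCLAUTL":
            raise ValueError("QRCLAUTL is the reclaim list, not a target")
        commands.append(f"GRTOBJAUT OBJ({lib}/{obj}) OBJTYPE({typ}) AUTL({autl})")
    return commands, unresolved


def as_cl_source(commands):
    """Wrap the commands in a CL program skeleton for review before compiling."""
    body = "\n".join(f"    {c}" for c in commands)
    return f"PGM\n{body}\nENDPGM\n"


if __name__ == "__main__":
    rows = parse_listing(SAMPLE_LISTING)
    cmds, left = build_grtobjaut_commands(rows, {"PAYLIB": "PAYAUTL"})
    print(as_cl_source(cmds))
    print("unresolved:", left)
```

The generated source is meant to be read by the person doing the recovery before it is compiled, since assigning an object to the wrong list is itself an authority change that the audit journal will record but not prevent.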

Restoring the operating system


When you perform a manual IPL on your system, the IPL or Install the System menu provides an option to install the operating system. The dedicated service tools (DST) function provides the ability to require anyone using this menu option to enter the DST security password. You can use this to prevent someone from restoring an unauthorized copy of the operating system. To secure the installation of your operating system, do the following actions:
1. Perform a manual IPL.
2. From the IPL or Install the System menu, select DST.
3. From the Use DST menu, select the option to work with the DST environment.
4. Select the option to change DST passwords.
5. Select the option to change the operating system install security.
6. Specify 1 (secure).
7. Press F3 (exit) until you return to the IPL or Install the System menu.
8. Complete the manual IPL and return the keylock to its normal position.

Notes:
1. If you no longer want to secure the installation of the operating system, follow the same steps and specify 2 (not secure).
2. You can also prevent installation of the operating system by keeping your keylock switch in the normal position and removing the key.


*SAVSYS special authority


To save or restore an object, you must have *OBJEXIST authority to the object or *SAVSYS special authority. A user with *SAVSYS special authority does not need any additional authority to an object to save or restore it. *SAVSYS special authority gives a user the capability to save an object and take it to a different system to be restored, or to display (dump) the media to view the data. It also gives a user the capability to save an object and free storage, thus deleting the data in the object. When saving documents, a user with *SAVSYS special authority has the option to delete those documents. *SAVSYS special authority should be given carefully.

Auditing save and restore operations


A security audit record is written for each restore operation if the action auditing value (QAUDLVL system value or AUDLVL in the user profile) includes *SAVRST. When you use a command that restores a large number of objects, such as RSTLIB, an audit record is written for each object restored. This might cause problems with the size of the audit journal receiver, particularly if you are restoring more than one library. The RSTCFG command does not create an audit record for each object restored. If you want to have an audit record of this command, set object auditing for the command itself. One audit record will be written whenever the command is run. Commands that save a very large number of objects, such as SAVSYS, SAVSECDTA, and SAVCFG, do not create individual audit records for the objects saved, even if the saved objects have object auditing active. To monitor these commands, set up object auditing for the commands themselves.


Chapter 9. Auditing security on System i


This section describes techniques for auditing the effectiveness of security on your system. People audit their system security for several reasons:
v To evaluate whether the security plan is complete.
v To make sure that the planned security controls are in place and working. This type of auditing is performed by the security officer as part of daily security administration. It is also performed, sometimes in greater detail, as part of a periodic security review by internal or external auditors.
v To make sure that system security is keeping pace with changes to the system environment. Some examples of changes that affect security are:
  - New objects created by system users
  - New users admitted to the system
  - Change of object ownership (authorization not adjusted)
  - Change of responsibilities (user group changed)
  - Temporary authority (not timely revoked)
  - New products installed
v To prepare for a future event, such as installing a new application, moving to a higher security level, or setting up a communications network.

The techniques described in this section are appropriate for all of these situations. Which things you audit and how often depends on the size and security needs of your organization. The purpose of this section is to discuss what information is available, how to obtain it, and why it is needed, rather than to give guidelines for the frequency of audits.

This section has three parts:
v A checklist of security items that can be planned and audited.
v Information about setting up and using the audit journal provided by the system.
v Other techniques that are available to gather security information about the system.

Security auditing involves using commands in the System i environment and accessing log and journal information about the system. You might want to create a special profile to be used by someone doing a security audit of your system. The auditor profile will need *AUDIT special authority to be able to change the audit characteristics of your system. Some of the auditing tasks suggested in this section require a user profile with *ALLOBJ and *SECADM special authority. Make sure that you set the password for the auditor profile to *NONE when the audit period has ended.

Related concepts
Security audit journal on page 6
You can use security audit journals to audit the effectiveness of security on your system.

Checklist for security officers and auditors


You can use the checklist to plan and audit your system's security. As you plan security, choose the subjects from this collection that best meet your security requirements. When you audit the security of your system, use the list to evaluate the controls that you have in place and to determine if additional controls are needed.

Copyright IBM Corp. 1996, 2010


The lists serve as a review of the information in this topic collection. They contain brief descriptions of how to do each item and how to verify that the item has been done, including which entries in the QAUDJRN journal to look for. Details about the items are found throughout this topic collection.

Physical security
You can use the physical security checklist to plan or audit physical security of your system.

Note: See Planning and setting up system security for a complete discussion of physical security on the System i product.

Here is a checklist for planning physical security of your system:
__ The system unit and console are in a secure location.
__ Backup media is protected from damage and theft.
__ The keylock switch setting on the processor unit is in the Secure or Auto position. The keys are removed and kept separately under tight physical security. See Planning physical security for the system unit for more information about the keylock switch.
__ Access to publicly located workstations and the console is restricted. Use the DSPOBJAUT command to see who has *CHANGE authority to the workstations. Look for AF entries in the audit journal with the object type field equal to *DEVD to find attempts to sign on at restricted workstations.
__ Sign-on for users with *ALLOBJ or *SERVICE special authority is limited to a few workstations. Check to see that the QLMTSECOFR system value is 1. Use the DSPOBJAUT command for devices to see if the QSECOFR profile has *CHANGE authority.

System values
Setting up the auditing function for system values helps you to track the changed values on the system.
- Security system values follow recommended guidelines. To print the security system values, type:
  WRKSYSVAL *SEC OUTPUT(*PRINT)
  Two important system values to audit are:
  - QSECURITY, which should be set to 40 or higher.
  - QMAXSIGN, which should not be greater than 5.
  Note: If the auditing function is active, an SV entry is written to the QAUDJRN journal whenever a system value is changed.
- Use the Display Security Attributes (DSPSECA) command to verify the current and pending values of QSECURITY (security level) and QPWDLVL (password level), and whether the security-related system values are locked (that is, whether the values can be changed).
- Review decisions about system values periodically. This is particularly important when the system environment changes, such as the installation of new applications or a communications network.

IBM-supplied user profiles


You can perform auditing tasks on IBM-supplied user profiles by verifying their passwords.
- The password has been changed for the QSECOFR user profile. This profile is shipped with the password set to QSECOFR so you can sign on to install your system. The password must be changed the first time you sign on to your system and changed periodically after the installation. Verify that it has been changed by checking a DSPAUTUSR list for the date the QSECOFR password was changed and by attempting to sign on with the default password.
- The IBM passwords for dedicated service tools (DST) are changed. User IDs for service tools do not appear on a DSPAUTUSR list. To verify that the user IDs and passwords are changed, start DST and attempt to use the default values.
- With the exception of QSECOFR, do not sign on with the IBM-supplied user profiles. These IBM-supplied profiles are designed to own objects or to run system functions. Use a DSPAUTUSR list to verify that the IBM-supplied user profiles listed in Appendix B, IBM-supplied user profiles, on page 317, except QSECOFR, have a password of *NONE.

Related concepts:
IBM-supplied user profiles on page 128: A number of user profiles are shipped with your system software. These IBM-supplied user profiles are used as object owners for various system functions. Some system functions also run under specific IBM-supplied user profiles.
Working with service tools user IDs on page 129: There are several enhancements and additions to service tools that make them easier to use and understand.

Related reference:
Appendix B, IBM-supplied user profiles, on page 317: This section contains information about the user profiles that are shipped with the system. These profiles are used as object owners for various system functions. Some system functions also run under specific IBM-supplied user profiles.

Password control
You can use the password control mechanism to audit your system security.
- Users can change their own passwords. Allowing users to define their own passwords reduces the need for users to write down their passwords. Users should have access to the CHGPWD command or to the Change Password function from the Security (GO SECURITY) menu.
- A password change is required according to the organization's security guidelines, such as every 30 to 90 days. The QPWDEXPITV system value is set to meet the security guidelines.
- If a user profile has a password expiration interval that is different from the system value, it meets the security guidelines. Review user profiles for a PWDEXPITV value other than *SYSVAL.
- Trivial passwords are prevented by using the system values to set the password rules and by using a password approval program. Use the WRKSYSVAL *SEC command and look at the settings for the values beginning with QPWD.
- Group profiles have a password of *NONE. Use the DSPAUTUSR command to check for any group profiles that have passwords.

Whenever the system is not operating at password level 3 and users change their password, the system attempts to create an equivalent password that is usable at the other password levels. You can use the PRTUSRPRF TYPE(*PWDLVL) command to see which user profiles have passwords that are usable at the various password levels.

Note: The equivalent password is a best-effort attempt to create a usable password for the other password levels, but it might not have passed all of the password rules if the other password level had been in effect. For example, if password BbAaA3x is specified at password level 2, the system will create an equivalent password of BBAAA3X for use at password levels 0 and 1. This can be true even if the QPWDLMTCHR system value includes 'A' as one of the limited characters (QPWDLMTCHR is not enforced at password level 2) or the QPWDLMTREP system value specifies that consecutive characters cannot be the same (because the check is case-sensitive at password level 2 but not case-sensitive at password levels 0 and 1).

User and group profiles


You can validate the user and group profiles and their authorities to audit the security effectiveness on your system.
- Each user is assigned a unique user profile. Set the QLMTDEVSSN system value to 1. Although limiting each user to one device session at a time does not prevent sharing user profiles, it discourages it.
- User profiles with *ALLOBJ special authority are limited, and are not used as group profiles. Use the DSPUSRPRF command to check the special authorities for user profiles and to determine which profiles are group profiles. The topic Printing selected user profiles on page 302 shows how to use an output file and query to determine this.
- The Limit capabilities field is *YES in the profiles of users who should be restricted to a set of menus. The topic Printing selected user profiles on page 302 gives an example of how to determine this.
- Programmers are restricted from production libraries. Use the DSPOBJAUT command to determine the public and private authorities for production libraries and critical objects in the libraries. Planning security for programmers on page 242 has more information about security and the programming environment.
- Membership in a group profile is changed when job responsibilities change. To verify group membership, use one of these commands:
  DSPAUTUSR SEQ(*GRPPRF)
  DSPUSRPRF profile-name *GRPMBR
- You should use a naming convention for group profiles. When authorities are displayed, you can then easily recognize the group profile.
- The administration of user profiles is adequately organized. No user profiles have large numbers of private authorities. The topic Examining large user profiles on page 302 discusses how to find and examine large user profiles on your system.
- Employees are removed from the system immediately when they are transferred or released. Regularly review the DSPAUTUSR list to make sure only active employees have access to the system. To make sure user profiles are deleted immediately after employees leave, review the DO (Delete Object) entries in the audit journal.
- Management regularly verifies the users authorized to the system. Use the DSPAUTUSR command to view users' authorization information.
- The password for an inactive employee is set to *NONE. Use the DSPAUTUSR command to verify that the inactive user profiles do not have passwords.
- Management regularly verifies the users with special authorities, particularly *ALLOBJ, *SAVSYS, and *AUDIT special authorities. The topic Printing selected user profiles on page 302 gives an example of how to determine this.

Authorization control
Authorization control enables you to audit the security of the information stored on your system. You can use the following checklist to help you audit authorization control security.
- Owners of data understand their obligation to authorize users on a need-to-know basis.
- Owners of objects regularly verify the authority to use the objects, including public authority. The WRKOBJOWN command provides a display for working with the authorities to all objects owned by a user profile.
- Sensitive data is not public. Check the authority for user *PUBLIC for critical objects using the DSPOBJAUT command.
- Authority to user profiles is controlled. The public authority to user profiles should be *EXCLUDE. This prevents users from submitting jobs that run under another user's profile.
- Job descriptions are controlled:
  - Job descriptions with public authority of *USE or greater are specified as USER(*RQD). This means jobs submitted using the job description must run using the submitter's profile.
  - Job descriptions that specify a user have public authority *EXCLUDE. Authorization to use these job descriptions is controlled. This prevents unauthorized users from submitting jobs that run using another profile's authority.
  To find out what job descriptions are on the system, type:
  DSPOBJD OBJ(*ALL/*ALL) OBJTYPE(*JOBD) ASPDEV(*ALLAVL) OUTPUT(*PRINT)
  To check the User parameter of a job description, use the Display Job Description (DSPJOBD) command. To check the authority to a job description, use the Display Object Authority (DSPOBJAUT) command.
  Note: At security level 40 or 50, a user submitting a job using a job description that specifies a user profile name must have *USE authority to both the job description and the user profile. At all security levels, an attempt to submit or schedule a job without *USE authority to the user specified in the job description causes an AF entry with violation type J in the audit journal.
- Users are not allowed to sign on by pressing the Enter key on the Sign On display. Make sure no workstation entries in the subsystem descriptions specify a job description that has a user profile name specified for the USER parameter. Default sign-on is prevented at security level 40 or 50, even if a subsystem description allows it. At all security levels, an AF entry with violation type S is written to the audit journal if default sign-on is attempted and a subsystem description is defined to allow it.
- The library list in application programs is controlled to prevent a library that contains a similar program from being added before the production libraries. The topic Library lists on page 207 discusses methods for controlling the library list.
- Programs that adopt authority are used only when required and are carefully controlled. See the topic Analyzing programs that adopt authority on page 303 for an explanation of how to evaluate the use of the program adopt function.
- Application program interfaces (APIs) are secured.
- Good object security techniques are used to avoid performance problems.

Unauthorized access
Use this checklist along with the audit journal to audit unauthorized attempts to access information.
- Security-related events are logged to the security auditing journal (QAUDJRN) when the auditing function is active. To audit authority failures, use the following system values and settings:
  - QAUDCTL must be set to *AUDLVL.
  - QAUDLVL must include the values *PGMFAIL and *AUTFAIL.
  The best method to detect unauthorized attempts to access information is to review entries in the audit journal on a regular basis.
- The QMAXSIGN system value limits the number of consecutive incorrect access attempts to five or less. The QMAXSGNACN system value is set to 2 or 3.
- The QSYSMSG message queue is created and monitored.
- The audit journal is audited for repeated attempts by a user. (Authorization failures cause AF type entries in the audit journal.)
- Programs fail to access objects using interfaces that are not supported. (The QSECURITY system value is set to 40 or 50.)
- User ID and password are required to sign on. Security levels 40 and 50 enforce this. At level 20 or 30, you must make sure that no subsystem descriptions have a workstation entry that uses a job description that has a user profile name.

Unauthorized programs
The Check Object Integrity (CHKOBJITG) command allows you to audit unauthorized changes to program objects on the system.
- The QALWOBJRST system value is set to *NONE to prevent anyone from restoring security-sensitive programs to the system.
- The Check Object Integrity (CHKOBJITG) command is run periodically to detect unauthorized changes to program objects. This command is described in Checking for objects that have been altered on page 304.

Communications
This checklist can be used to plan and audit the controls needed over various types of communications on the system.
- Use call-back procedures to protect telephone communications.
- Use encryption on sensitive data.
- Control remote sign-on. The QRMTSIGN system value is set to *FRCSIGNON or a pass-through validation program is used.
- Use the JOBACN, PCSACC, and DDMACC network attributes to control access to data from other systems, including personal computers. The JOBACN network attribute should be *FILE.

Using the security audit journal


The security audit journal is the primary source of auditing information about the system. This section describes how to plan, set up, and manage security auditing, what information is recorded, and how to view that information. A security auditor inside or outside your organization can use the auditing function that is provided by the system to gather information about security-related events that occur on the system.


You can define auditing on your system at three different levels:
- System-wide auditing that occurs for all users.
- Auditing that occurs for specific objects.
- Auditing that occurs for specific users.

You use system values, user profile parameters, and object parameters to define auditing. Planning security auditing describes how to do this. When a security-related event that might be audited occurs, the system checks whether you have selected that event for audit. If you have, the system writes a journal entry in the current receiver for the security auditing journal (QAUDJRN in library QSYS).

When you want to analyze the audit information you have collected in the QAUDJRN journal, you can use the Display Journal (DSPJRN) command. With this command, information from the QAUDJRN journal can be written to a database file. You can use an application program or a query tool to analyze the data.

Related reference:
Appendix F, Layout of audit journal entries, on page 561: This section contains layout information for all entry types with journal code T in the audit (QAUDJRN) journal. These entries are controlled by the action and object auditing you define.
Appendix E, Object operations and auditing, on page 497: This topic collection lists operations that can be performed against objects on the system, and whether those operations are audited.

Planning security auditing


The security auditing function is optional. You must take specific steps to set up security auditing. To plan the use of security auditing on your system, follow these steps:
- Determine which security-relevant events you want to record for all system users. The auditing of security-relevant events is called action auditing.
- Check whether you need additional auditing for specific users.
- Decide whether you want to audit the use of specific objects on the system.
- Determine whether object auditing should be used for all users or specific users.

Planning the auditing of actions


The QAUDCTL (audit control) system value, the QAUDLVL (audit level) system value, the QAUDLVL2 (audit level extension) system value, and the AUDLVL (action auditing) parameter in user profiles work together to control action auditing. The functions of each system value are as follows:
- The QAUDLVL system value specifies which actions are audited for all users of the system.
- The QAUDLVL2 system value also specifies which actions are audited for all users of the system, and is used when more than 16 auditing values are needed.
- The AUDLVL parameter in the user profile determines which actions are audited for a specific user. The values for the AUDLVL parameter apply in addition to the values for the QAUDLVL and QAUDLVL2 system values.
- The QAUDCTL system value starts and stops action auditing.

The events that you choose to log depend on both your security objectives and your potential exposures. Action auditing on page 113 describes the possible audit level values and how you can use them. It shows whether they are available as a system value, a user profile parameter, or both.


Related reference:
Auditing Level (QAUDLVL) on page 67: The Auditing Level (QAUDLVL) system value along with the QAUDLVL2 system value determines which security-related events are logged to the security audit journal (QAUDJRN) for all system users.
Auditing Level Extension (QAUDLVL2) on page 69: The Auditing Level Extension (QAUDLVL2) system value is required when more than sixteen auditing values are needed.
Action auditing on page 113: For an individual user, you can specify which security-relevant actions should be recorded in the audit journal. The actions specified for an individual user apply in addition to the actions specified for all users by the QAUDLVL and QAUDLVL2 system values.

Action auditing values:
This table lists the possible values available on the QAUDLVL and QAUDLVL2 system values and the CHGUSRAUD command when auditing actions of the system.
Table 133. Action auditing values

Each entry gives the value, whether it is available on the QAUDLVL and QAUDLVL2 system values (system value) and on the CHGUSRAUD command (CHGUSRAUD), and its description.

*NONE (system value: Yes; CHGUSRAUD: Yes)
    If the QAUDLVL system value is *NONE, no actions are logged on a system-wide basis. Actions are logged for individual users based on the AUDLVL value in their user profiles. If the AUDLVL value in a user profile is *NONE, no additional action auditing is done for this user. Any actions specified for the QAUDLVL system value are logged for this user.

*ATNEVT (system value: Yes; CHGUSRAUD: No)
    Attention events: The system writes a journal entry for events that require further examination. With this information, you can determine the potential significance of the attention event to the system.

*AUTFAIL (system value: Yes; CHGUSRAUD: Yes)
    Authorization failures: Unsuccessful attempts to sign on the system and to access objects are logged. *AUTFAIL can be used regularly to monitor users trying to perform unauthorized functions on the system. *AUTFAIL can also be used to assist with migration to a higher security level and to test resource security for a new application.

*CMD (system value: No; CHGUSRAUD: Yes)
    Commands: The system logs command strings run by a user. If a command is run from a CL program that is created with LOG(*NO) and ALWRTVSRC(*NO), then only the command name and library name are logged. *CMD can be used to record the actions of a particular user, such as the security officer.

*CREATE (system value: Yes; CHGUSRAUD: Yes)
    Creating objects: The system writes a journal entry when a new or replacement object is created. *CREATE can be used to monitor when programs are created or recompiled.

*DELETE (system value: Yes; CHGUSRAUD: Yes)
    Deleting objects: The system writes a journal entry when an object is deleted.

*JOBBAS (system value: Yes; CHGUSRAUD: Yes)
    Job base functions: Actions that affect a job are logged, such as starting or stopping a job, holding, releasing, canceling, or changing the job.

*JOBCHGUSR (system value: Yes; CHGUSRAUD: Yes)
    Job change user: Changes to a thread's active user profile or its group profiles are logged.

*JOBDTA (system value: Yes; CHGUSRAUD: Yes)
    Job tasks: Actions that affect a job are logged, such as starting or stopping a job, holding, releasing, canceling, or changing the job, or changing the thread's active user profile or group profile. *JOBDTA can be used to monitor who is running batch jobs. *JOBDTA is composed of two values, *JOBBAS and *JOBCHGUSR, to enable you to better customize your auditing.

*NETBAS (system value: Yes; CHGUSRAUD: Yes)
    Network base functions: IP rules actions, sockets connections, APPN directory search filter, APPN end point filter.

*NETCLU (system value: Yes; CHGUSRAUD: Yes)
    Cluster or cluster resource group operations: An audit journal entry is written when any of these events occur:
    - A cluster node or cluster resource group is added, created, or deleted.
    - A cluster node or cluster resource group is started, ended, updated, or removed.
    - Automatic failure of a system that switches access to another system.
    - Access is manually switched from one system to another system in a cluster.

*NETCMN (system value: Yes; CHGUSRAUD: Yes)
    Network communications auditing: The violations detected by the APPN Filter support are logged to the security auditing journal when the Directory search filter and the End point filter are audited. *NETCMN is composed of several values to allow you to better customize your auditing. The following values make up *NETCMN: *NETBAS, *NETCLU, *NETFAIL, *NETSCK.

*NETFAIL (system value: Yes; CHGUSRAUD: Yes)
    Network failures: An audit journal entry is written when trying to connect to a TCP/IP port that does not exist, or trying to send information to a TCP/IP port that is not open or available.

*NETSCK (system value: Yes; CHGUSRAUD: Yes)
    Socket tasks: An audit journal entry is written when any of these events occur:
    - An inbound TCP/IP socket connection is accepted.
    - An outbound TCP/IP socket connection is established.
    - An IP address is assigned through DHCP (Dynamic Host Configuration Protocol).
    - An IP address is unable to be assigned through DHCP because all of the IP addresses are being used.
    - Mail is filtered or rejected.

*OBJMGT (system value: Yes; CHGUSRAUD: Yes)
    Object management tasks: Moving an object to a different library or renaming it is logged. *OBJMGT can be used to detect copying confidential information by moving the object to a different library.

*OPTICAL (system value: Yes; CHGUSRAUD: Yes)
    Optical functions: All optical functions are audited, including functions related to optical files, optical directories, optical volumes, and optical cartridges. *OPTICAL can be used to detect attempts to create or delete an optical directory.

*PGMADP (system value: Yes; CHGUSRAUD: Yes)
    Adopting authority: The system writes a journal entry when adopted authority is used to gain access to an object. *PGMADP can be used to test where and how a new application uses adopted authority.

*PGMFAIL (system value: Yes; CHGUSRAUD: Yes)
    Program failures: The system writes a journal entry when a program causes an integrity error. *PGMFAIL can be used to assist with migration to a higher security level or to test a new application.

*PRTDTA (system value: Yes; CHGUSRAUD: Yes)
    Printing functions: Printing a spooled file, printing directly from a program, or sending a spooled file to a remote printer is logged. *PRTDTA can be used to detect printing confidential information.

*SAVRST (system value: Yes; CHGUSRAUD: Yes)
    Restore operations: *SAVRST can be used to detect attempts to restore unauthorized objects.

*SECCFG (system value: Yes; CHGUSRAUD: Yes)
    Security configuration: An audit journal entry is written when any of these events occur:
    - User profiles are created, changed, deleted, or restored.
    - Changes are made to programs, system values, subsystem routing, or to the auditing attributes of an object.
    - The QSECOFR password is reset to the shipped value.
    - The service tools security officer password is defaulted.

*SECDIRSRV (system value: Yes; CHGUSRAUD: Yes)
    Directory service functions: An audit journal entry is written when any of these events occur:
    - Changes or updates are made to auditing, authority, passwords, and ownership.
    - Successful binds and unbinds.
    - Changes are made to directory security policies (for example, password policy).

*SECIPC (system value: Yes; CHGUSRAUD: Yes)
    Interprocess communications: An audit journal entry is written when any of these events occur:
    - Changes are made to the ownership or authority of an IPC object.
    - A create, delete, or retrieve of an IPC object.
    - Shared memory attach.

*SECNAS (system value: Yes; CHGUSRAUD: Yes)
    Network authentication service actions: An audit journal entry is written when any of these events occur:
    - Service ticket invalid.
    - Service principals do not match.
    - Client principals do not match.
    - Ticket IP address mismatch.
    - Decryption of the ticket failed.
    - Decryption of the authentication failed.
    - Realm is not within client and local realms.
    - Ticket is a replay attempt.
    - Ticket not yet valid.
    - Remote or local IP address mismatch.
    - Decryption of KRB_AP_PRIV or KRB_AP_SAFE checksum error.
    - For KRB_AP_PRIV or KRB_AP_SAFE: Timestamp error, replay error, or sequence order error.
    - For graphics symbol set accept: Expired credentials, checksum error, or channel bindings.
    - For graphics symbol set unwrap or graphics symbol set verify: Expired context, decrypt/decode, checksum error, or sequence error.

*SECRUN (system value: Yes; CHGUSRAUD: Yes)
    Security runtime functions: Changes to object ownership, authority, and primary group are written to the audit journal.

*SECSCKD (system value: Yes; CHGUSRAUD: Yes)
    Socket descriptors: An audit journal entry is written when any of these events occur:
    - A socket descriptor is given to another job.
    - A socket descriptor is received.
    - A socket descriptor is unusable.

*SECVFY (system value: Yes; CHGUSRAUD: Yes)
    Verification functions: An audit journal entry is written when any of these events occur:
    - A profile handle or token is generated.
    - All profile tokens were invalidated.
    - The maximum number of profile tokens has been generated.
    - All profile tokens for a user have been removed.
    - A user profile has been authenticated.
    - A target profile was changed during a pass-through session.

*SECVLDL (system value: Yes; CHGUSRAUD: Yes)
    Validation list operations: An audit journal entry is written when any of these events occur:
    - An add, change, remove, or find of a validation list entry.
    - Successful or unsuccessful verification of a validation list entry.

*SECURITY (system value: Yes; CHGUSRAUD: Yes)
    Security tasks: Security-relevant events, such as changing a user profile or system value, are logged. *SECURITY can be used to keep a record of all security activity. *SECURITY is composed of several values to allow you to better customize your auditing. The following values make up *SECURITY: *SECCFG, *SECDIRSRV, *SECIPC, *SECNAS, *SECRUN, *SECSCKD, *SECVFY, *SECVLDL.

*SERVICE (system value: Yes; CHGUSRAUD: Yes)
    Service tasks: The use of service tools, such as DMPOBJ (Dump Object) and STRCPYSCN (Start Copy Screen), is logged. *SERVICE can be used to detect attempts to circumvent security by using service tools.

*SPLFDTA (system value: Yes; CHGUSRAUD: Yes)
    Operations on spooled files: Actions performed on spooled files are logged, including creating, copying, and sending. *SPLFDTA can be used to detect attempts to print or send confidential data.

*SYSMGT (system value: Yes; CHGUSRAUD: Yes)
    Systems management tasks: The system writes a journal entry for systems management activities, such as changing a reply list or the power on/off schedule. *SYSMGT can be used to detect attempts to use systems management functions to circumvent security controls.
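The composition rules and availability columns of Table 133, together with the QAUDCTL/QAUDLVL/QAUDLVL2/AUDLVL relationship and the "Unauthorized access" checklist, checked in code. This is an added example, not IBM code; it takes value names as plain strings and never touches a system.

```python
"""Validate an action-auditing configuration against Table 133 and the
"Unauthorized access" checklist (added example, not IBM i code).

Encodes: the two availability columns of Table 133, the composite values
the table describes (*JOBDTA, *NETCMN, *SECURITY), the 16-value limit that
makes QAUDLVL2 necessary, and the rule that QAUDCTL starts and stops action
auditing while a user's AUDLVL applies in addition to the system values.
"""
from __future__ import annotations

# Table 133: value -> (available on QAUDLVL/QAUDLVL2, available on CHGUSRAUD)
ACTION_VALUES: dict[str, tuple[bool, bool]] = {
    "*NONE": (True, True), "*ATNEVT": (True, False), "*AUTFAIL": (True, True),
    "*CMD": (False, True), "*CREATE": (True, True), "*DELETE": (True, True),
    "*JOBBAS": (True, True), "*JOBCHGUSR": (True, True), "*JOBDTA": (True, True),
    "*NETBAS": (True, True), "*NETCLU": (True, True), "*NETCMN": (True, True),
    "*NETFAIL": (True, True), "*NETSCK": (True, True), "*OBJMGT": (True, True),
    "*OPTICAL": (True, True), "*PGMADP": (True, True), "*PGMFAIL": (True, True),
    "*PRTDTA": (True, True), "*SAVRST": (True, True), "*SECCFG": (True, True),
    "*SECDIRSRV": (True, True), "*SECIPC": (True, True), "*SECNAS": (True, True),
    "*SECRUN": (True, True), "*SECSCKD": (True, True), "*SECVFY": (True, True),
    "*SECVLDL": (True, True), "*SECURITY": (True, True), "*SERVICE": (True, True),
    "*SPLFDTA": (True, True), "*SYSMGT": (True, True),
}

# Composite values and the values they are made up of (Table 133).
COMPOSITES: dict[str, set[str]] = {
    "*JOBDTA": {"*JOBBAS", "*JOBCHGUSR"},
    "*NETCMN": {"*NETBAS", "*NETCLU", "*NETFAIL", "*NETSCK"},
    "*SECURITY": {"*SECCFG", "*SECDIRSRV", "*SECIPC", "*SECNAS",
                  "*SECRUN", "*SECSCKD", "*SECVFY", "*SECVLDL"},
}

MAX_QAUDLVL_VALUES = 16  # QAUDLVL2 is used when more than 16 values are needed


def expand(values) -> set[str]:
    """Replace composite values by their components and drop *NONE."""
    out: set[str] = set()
    for v in values:
        out |= COMPOSITES.get(v, {v})
    out.discard("*NONE")
    return out


def effective_actions(qaudctl, qaudlvl, qaudlvl2, user_audlvl=()) -> set[str]:
    """Actions audited for one user. QAUDCTL without *AUDLVL means action
    auditing is stopped; otherwise AUDLVL adds to QAUDLVL and QAUDLVL2."""
    if "*AUDLVL" not in qaudctl:
        return set()
    return expand(qaudlvl) | expand(qaudlvl2) | expand(user_audlvl)


def check_config(qaudctl, qaudlvl, qaudlvl2=(), user_audlvl=()) -> list[str]:
    """Return findings (an empty list means the configuration passes)."""
    findings: list[str] = []
    for name, vals in (("QAUDLVL", qaudlvl), ("QAUDLVL2", qaudlvl2)):
        for v in vals:
            if v not in ACTION_VALUES:
                findings.append(f"{name}: unknown value {v}")
            elif not ACTION_VALUES[v][0]:
                findings.append(f"{name}: {v} is only available on CHGUSRAUD")
    for v in user_audlvl:
        if v in ACTION_VALUES and not ACTION_VALUES[v][1]:
            findings.append(f"AUDLVL: {v} is not available on CHGUSRAUD")
    if len(qaudlvl) > MAX_QAUDLVL_VALUES:
        findings.append("QAUDLVL: more than 16 values, move the rest to QAUDLVL2")
    if "*AUDLVL" not in qaudctl:
        findings.append("QAUDCTL: *AUDLVL missing, action auditing is off")
    # "Unauthorized access" checklist: QAUDLVL must include *PGMFAIL and *AUTFAIL.
    effective = effective_actions(qaudctl, qaudlvl, qaudlvl2)
    for required in ("*AUTFAIL", "*PGMFAIL"):
        if required not in effective:
            findings.append(f"QAUDLVL: {required} missing (authority failure auditing)")
    return findings


if __name__ == "__main__":
    # Example system-value settings (constructed), as read from WRKSYSVAL *SEC.
    print(check_config(["*AUDLVL"], ["*AUTFAIL", "*PGMFAIL", "*SECURITY"]))
    print(check_config(["*OBJAUD"], ["*CMD"], [], ["*ATNEVT"]))
```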

Security auditing journal entries:
This topic provides information about the journal entries that are written for the action auditing values specified on the QAUDLVL and QAUDLVL2 system values and in the user profile. It shows:
- The type of entry written to the QAUDJRN journal.
- The model database output file that can be used to define the record when you create an output file with the DSPJRN command. Complete layouts for the model database outfiles are found in Appendix F, Layout of audit journal entries, on page 561.
- The detailed entry type. Some journal entry types are used to log more than one type of event. The detailed entry type field in the journal entry identifies the type of event.
- The ID of the message that can be used to define the entry-specific information in the journal entry.
Table 134. Security auditing journal entries

Auditing      Entry Model database    Det.
value         type  outfile           ent. Description

Action Auditing:

*ATNEVT       IM    QASYIMJ5          P    A potential intrusion has been detected. Further evaluation is required to determine if this is an actual intrusion or an expected and permitted action.
*AUTFAIL      AF    QASYAFJE/J4/J5    A    An attempt was made to access an object or perform an operation to which the user was not authorized.
                                      B    Restricted instruction
                                      C    Validation failure
                                      D    Use of unsupported interface, object domain failure
                                      E    Hardware storage protection error, program constant space violation
                                      F    ICAPI authorization error.
                                      G    ICAPI authentication error.
                                      H    Scan exit program action.
                                      I    System Java inheritance not allowed
                                      J    An attempt was made to submit or schedule a job under a job description which has a user profile specified. The submitter did not have *USE authority to the user profile.
                                      K    An attempt was made to perform an operation for which the user did not have the required special authority.
                                      N    The profile token was not a regenerable profile token.
                                      O    Optical Object Authority failure
                                      P    An attempt was made to use a profile handle that is not valid on the QWTSETP API.
                                      R    Hardware protection error
                                      S    Default signon attempt.
                                      T    Not authorized to TCP/IP port.
                                      U    A user permission request was not valid.
                                      V    The profile token was not valid for generating new profile token.
                                      W    The profile token was not valid for exchange.
                                      X    System violation, see description of AF (Authority Failure) journal entries for details
                                      Y    Not authorized to the current JUID field during a clear JUID operation.
                                      Z    Not authorized to the current JUID field during a set JUID operation.
              CV    QASYCVJ4/J5       E    Connection ended abnormally.
                                      R    Connection rejected.
              DI    QASYDIJ4/J5       AF   Authority failures.
                                      PW   Password failures.
              GR    QASYGRJ4/J5       F    Function registration operations.
              KF    QASYKFJ4/J5       P    An incorrect password was entered.
              IP    QASYIPJE/J4/J5    F    Authority failure for an IPC request.
              PW    QASYPWJE/J4/J5    A    APPC bind failure.
                                      C    CHKPWD failure.
                                      D    An incorrect service tool user ID was entered.
                                      E    An incorrect service tool user ID password was entered.
                                      P    An incorrect password was entered.
                                      Q    Attempted signon (user authentication) failed because user profile was disabled.
                                      R    Attempted signon (user authentication) failed because password was expired.
                                      S    SQL decrypt a password that was not valid.
                                      U    User name not valid.
                                      X    Service tools user is disabled.
                                      Y    Service tools user not valid.
                                      Z    Service tools password not valid.
              VC    QASYVCJE/J4/J5    R    A connection was rejected because of incorrect password.
              VO    QASYVOJ4/J5       U    Unsuccessful verification of a validation list entry.
              VN    QASYVNJE/J4/J5    R    A network logon was rejected because of expired account, incorrect hours, incorrect user ID, or incorrect password.
              VP    QASYVPJE/J4/J5    P    An incorrect network password was used.
              X1    QASYX1J5          F    Delegate of identity token failed.
                                      U    Get user from identity token failed.
              XD    QASYXDJ5          G    Group names (associated with DI entry)
*CMD (1)      CD    QASYCDJE/J4/J5    C    A command was run.
                                      L    An S/36E control language statement was run.
                                      O    An S/36E operator control command was run.
                                      P    An S/36E procedure was run.
                                      S    Command run after command substitution took place.
                                      U    An S/36E utility control statement was run.
*CREATE       CO    QASYCOJE/J4/J5    N    Creation of a new object, except creation of objects in QTEMP library.
                                      R    Replacement of existing object.
              DI    QASYDIJ4/J5       CO   Object created.
              XD    QASYXDJ5          G    Group names (associated with DI entry)
*DELETE (2)   DO    QASYDOJE/J4/J5    A    Object deleted.
                                      C    Pending delete committed.
                                      D    Pending create rolled back.
                                      P    Delete pending.
                                      R    Pending delete rolled back.
              DI    QASYDIJ4/J5       DO   Object deleted.
              XD    QASYXDJ5          G    Group names (associated with DI entry)
*JOBBAS       JS    QASYJSJ5          A    The ENDJOBABN command was used.
                                      B    A job was submitted.
                                      C    A job was changed.
                                      E    A job was ended.
                                      H    A job was held.
                                      I    A job was disconnected.
                                      N    The ENDJOB command was used.
                                      P    A program start request was attached to a prestart job.
                                      Q    Query attributes changed.
                                      R    A held job was released.
                                      S    A job was started.
                                      U    CHGUSRTRC command.
*JOBCHGUSR    JS    QASYJSJ5          M    Change profile or group profile.
                                      T    Change profile or group profile using a profile token.
*JOBDTA       JS    QASYJSJE/J4/J5    A    The ENDJOBABN command was used.
                                      B    A job was submitted.
                                      C    A job was changed.
                                      E    A job was ended.
                                      H    A job was held.
                                      I    A job was disconnected.
                                      M    Change profile or group profile.
                                      N    The ENDJOB command was used.
                                      P    A program start request was attached to a prestart job.
                                      Q    Query attributes changed.
                                      R    A held job was released.
                                      S    A job was started.
                                      T    Change profile or group profile using a profile token.
                                      U    CHGUSRTRC command.
              SG    QASYSGJE/J4/J5    A    Asynchronous i5/OS signal processed.
                                      P    Asynchronous Private Address Space Environment (PASE) signal processed.
              VC    QASYVCJE/J4/J5    S    A connection was started.
                                      E    A connection was ended.
              VN    QASYVNJE/J4/J5    F    Logoff requested.
                                      O    Logon requested.
              VS    QASYVSJE/J4/J5    S    A server session was started.
                                      E    A server session was ended.
*NETBAS       CV    QASYCVJE/J4/J5    C    Connection established.
                                      E    Connection ended normally.
                                      R    Rejected connection.
              IR    QASYIRJ4/J5       L    IP rules have been loaded from a file.
                                      N    IP rules have been unloaded for an IP Security connection.
                                      P    IP rules have been loaded for an IP Security connection.
                                      R    IP rules have been read and copied to a file.
                                      U    IP rules have been unloaded (removed).
              IS    QASYISJ4/J5       1    Phase 1 negotiation.
                                      2    Phase 2 negotiation.
              ND    QASYNDJE/J4/J5    A    A violation was detected by the APPN Filter support when the Directory search filter was audited.
              NE    QASYNEJE/J4/J5    A    A violation is detected by the APPN Filter support when the End point filter is audited.
*NETCLU       CU    QASYCUJE/J4/J5    M    Creation of an object by the cluster control operation.
                                      R    Creation of an object by the Cluster Resource Group (*GRP) management operation.
*NETCMN       CU    QASYCUJE/J4/J5    M    Creation of an object by the cluster control operation.
                                      R    Creation of an object by the Cluster Resource Group (*GRP) management operation.
              CV    QASYCVJ4/J5       C    Connection established.
                                      E    Connection ended normally.
              IR    QASYIRJ4/J5       L    IP rules have been loaded from a file.
                                      N    IP rules have been unloaded for an IP Security connection.
                                      P    IP rules have been loaded for an IP Security connection.
                                      R    IP rules have been read and copied to a file.
                                      U    IP rules have been unloaded (removed).
              IS    QASYISJ4/J5       1    Phase 1 negotiation.
                                      2    Phase 2 negotiation.
              ND    QASYNDJE/J4/J5    A    A violation was detected by the APPN Filter support when the Directory search filter was audited.
              NE    QASYNEJE/J4/J5    A    A violation is detected by the APPN Filter support when the End point filter is audited.
              SK    QASYSKJ4/J5       A    Accept
                                      C    Connect
                                      D    DHCP address assigned
                                      F    Filtered mail
                                      P    Port unavailable
                                      R    Reject mail
                                      U    DHCP address denied
*NETFAIL      SK    QASYSKJ4/J5       P    Port unavailable
*NETSCK       SK    QASYSKJ4/J5       A    Accept
                                      C    Connect
                                      D    DHCP address assigned
                                      F    Filtered mail
                                      R    Reject mail
                                      U    DHCP address denied
*OBJMGT (2)   DI    QASYDIJ4/J5       OM   Object rename
              OM    QASYOMJE/J4/J5    M    An object was moved to a different library.
                                      R    An object was renamed.
*OFCSRV       ML    QASYMLJE/J4/J5    O    A mail log was opened.
              SD    QASYSDJE/J4/J5    S    A change was made to the system distribution directory.
*OPTICAL      O1    QASY01JE/J4/J5    R    Open file or directory
                                      U    Change or retrieve attributes
                                      D    Delete file directory
                                      C    Create directory
                                      X    Release held optical file
              O2    QASY02JE/J4/J5    C    Copy file or directory
                                      R    Rename file
                                      B    Back up file or directory
                                      S    Save held optical file
                                      M    Move file
              O3    QASY03JE/J4/J5    I    Initialize volume
                                      B    Backup volume
                                      N    Rename volume
                                      C    Convert backup volume to primary
                                      M    Import
                                      E    Export
                                      L    Change authorization list
                                      A    Change volume attributes
                                      R    Absolute read
*PGMADP       AP    QASYAPJE/J4/J5    S    A program started that adopts owner authority. The start entry is written the first time adopted authority is used to gain access to an object, not when the program enters the call stack.
                                      E    A program ended that adopts owner authority. The end entry is written when the program leaves the call stack. If the same program occurs more than once in the call stack, the end entry is written when the highest (last) occurrence of the program leaves the stack.
                                      A    Adopted authority was used during program activation.
*PGMFAIL      AF    QASYAFJE/J4/J5    B    A program ran a restricted machine interface instruction.
                                      C    A program which failed the restore-time program validation checks was restored. Information about the failure is in the Validation Value Violation Type field of the record.
                                      D    A program accessed an object through an unsupported interface or callable program not listed as a callable API.
                                      E    Hardware storage protection violation.
                                      R    Attempt made to update an object that is defined as read-only. (Enhanced hardware storage protection is logged only at security level 40 and higher.)
*PRTDTA       PO    QASYPOJE/J4/J5    D    Printer output was printed directly to a printer.
                                      R    Output sent to remote system to print.
                                      S    Printer output was spooled and printed.
*SAVRST       OR    QASYORJE/J4/J5    N    A new object was restored to the system.
                                      E    An object was restored that replaces an existing object.
              RA    QASYRAJE/J4/J5    A    The system changed the authority to an object being restored. (3)
              RJ    QASYRJJE/J4/J5    A    A job description that contains a user profile name was restored.
              RO    QASYROJE/J4/J5    A    The object owner was changed to QDFTOWN during restore operation. (3)
              RP    QASYRPJE/J4/J5    A    A program that adopts owner authority was restored.
              RQ    QASYRQJE/J4/J5    A    A *CRQD object with PROFILE(*OWNER) was restored.
              RU    QASYRUJE/J4/J5    A    Authority was restored for a user profile using the RSTAUT command.
              RZ    QASYRZJE/J4/J5    A    The primary group for an object was changed during a restore operation.
                                      O    Auditing of an object was changed with CHGOBJAUD command.
                                      U    Auditing for a user was changed with CHGUSRAUD command.
*SECCFG       AD    QASYADJE/J4/J5    D    Auditing of a DLO was changed with CHGDLOAUD command.
                                      O    Auditing of an object was changed with CHGOBJAUD or CHGAUD commands.
                                      S    The scan attribute was changed using CHGATR command or the Qp0lSetAttr API, or when the object was created.
                                      U    Auditing for a user was changed with CHGUSRAUD command.
              AU    QASYAUJ5          E    Enterprise Identity Mapping (EIM) configuration change
              CP    QASYCPJE/J4/J5    A    Create, change, or restore operation of user profile when QSYRESPA API is used.
              CQ    QASYCQJE/J4/J5    A    A *CRQD object was changed.
              CY    QASYCYJ4/J5       A    Access Control function
                                      F    Facility Control function
                                      M    Master Key function
              DO    QASYDOJE/J4/J5    A    Object was deleted not under commitment control
                                      C    A pending object delete was committed
                                      D    A pending object create was rolled back
                                      P    The object delete is pending (the delete was performed under commitment control)
                                      R    A pending object delete was rolled back
              DS    QASYDSJE/J4/J5    A    Request to reset DST QSECOFR password to system-supplied default.
                                      C    DST profile changed.
              EV    QASYEVJ4/J5       A    Add.
                                      C    Change.
                                      D    Delete.
                                      I    Initialize environment variable space.
              GR    QASYGRJ4/J5       A    Exit program added
                                      D    Exit program removed
                                      F    Function registration operation
                                      R    Exit program replaced
              JD    QASYJDJE/J4/J5    A    The USER parameter of a job description was changed.
              KF    QASYKFJ4/J5       C    Certificate operation.
                                      K    Key ring file operation.
                                      T    Trusted root operation.
              NA    QASYNAJE/J4/J5    A    A network attribute was changed.
              PA    QASYPAJE/J4/J5    A    A program was changed to adopt owner authority.
              SE    QASYSEJE/J4/J5    A    A subsystem routing entry was changed.
              SO    QASYSOJ4/J5       A    Add entry.
                                      C    Change entry.
                                      R    Remove entry.
              SV    QASYSVJE/J4/J5    A    A system value was changed.
                                      B    Service attributes were changed.
                                      C    Change to system clock.
                                      E    Change to option
                                      F    Change to system-wide journal attribute
              VA    QASYVAJE/J4/J5    S    The access control list was changed successfully.
                                      F    The change of the access control list failed.
              VO    QASYVOJ4/J5       V    Successful verification of a validation list entry.
              VU    QASYVUJE/J4/J5    G    A group record was changed.
                                      M    User profile global information changed.
                                      U    A user record was changed.
*SECDIRSRV    DI    QASYDIJE/J4/J5    AD   Audit change.
                                      BN   Successful bind
                                      CA   Authority change
                                      CP   Password change
                                      OW   Ownership change
                                      PO   Policy change
                                      UB   Successful unbind
*SECIPC       IP    QASYIPJE/J4/J5    A    The ownership or authority of an IPC object was changed.
                                      C    Create an IPC object.
                                      D    Delete an IPC object.
                                      G    Get an IPC object.
*SECNAS       X0    QASYX0J4/J5       1    Service ticket valid.
                                      2    Service principals do not match.
                                      3    Client principals do not match.
                                      4    Ticket IP address mismatch.
                                      5    Decryption of the ticket failed.
                                      6    Decryption of the authenticator failed.
                                      7    Realm is not within client and local realms.
                                      8    Ticket is a replay attempt.
                                      9    Ticket not yet valid.
                                      A    Decrypt of KRB_AP_PRIV or KRB_AP_SAFE checksum error.
                                      B    Remote IP address mismatch.
                                      C    Local IP address mismatch.
                                      D    KRB_AP_PRIV or KRB_AP_SAFE timestamp error.
                                      E    KRB_AP_PRIV or KRB_AP_SAFE replay error.
                                      F    KRB_AP_PRIV or KRB_AP_SAFE sequence order error.
                                      K    GSS accept - expired credential.
                                      L    GSS accept - checksum error.
                                      M    GSS accept - channel bindings.
                                      N    GSS unwrap or GSS verify expired context.
                                      O    GSS unwrap or GSS verify decrypt/decode.
                                      P    GSS unwrap or GSS verify checksum error.
                                      Q    GSS unwrap or GSS verify sequence error.
*SECRUN       CA    QASYCAJE/J4/J5    A    Changes to authorization list or object authority.
              OW    QASYOWJE/J4/J5    A    Object ownership was changed.
              PG    QASYPGJE/J4/J5    A    The primary group for an object was changed.
*SECSCKD      GS    QASYGSJE/J4/J5    G    A socket descriptor was given to another job. (The GS audit record is created if it is not created for the current job.)
                                      R    Receive descriptor.
                                      U    Unable to use descriptor.
*SECURITY     AD    QASYADJE/J4/J5    D    Auditing of a DLO was changed with CHGDLOAUD command.
                                      O    Auditing of an object was changed with CHGOBJAUD or CHGAUD commands.
                                      S    Scan attribute change by CHGATR command or Qp0lSetAttr API
                                      U    Auditing for a user was changed with CHGUSRAUD command.
              X1    QASYX1J5          D    Delegate of identity token successful
                                      G    Get user from identity token successful
              AU    QASYAUJ5          E    Enterprise Identity Mapping (EIM) configuration change
              CA    QASYCAJE/J4/J5    A    Changes to authorization list or object authority.
              CP    QASYCPJE/J4/J5    A    Create, change, or restore operation of user profile when QSYRESPA API is used
              CQ    QASYCQJE/J4/J5    A    A *CRQD object was changed.
              CV    QASYCVJ4/J5       C    Connection established.
                                      E    Connection ended normally.
                                      R    Connection rejected.
              CY    QASYCYJ4/J5       A    Access Control function
                                      F    Facility Control function
                                      M    Master Key function
              DI    QASYDIJ4/J5       AD   Audit change
                                      BN   Successful bind
                                      CA   Authority change
                                      CP   Password change
                                      OW   Ownership change
                                      PO   Policy change
                                      UB   Successful unbind
              DO    QASYDOJE/J4/J5    A    Object was deleted not under commitment control
                                      C    A pending object delete was committed
                                      D    A pending object create was rolled back
                                      P    The object delete is pending (the delete was performed under commitment control)
                                      R    A pending object delete was rolled back
              DS    QASYDSJE/J4/J5    A    Request to reset DST QSECOFR password to system-supplied default.
                                      C    DST profile changed.
              EV    QASYEVJ4/J5       A    Add.
                                      C    Change.
                                      D    Delete.
                                      I    Initialize environment variable space.
              GR    QASYGRJ4/J5       A    Exit program added
                                      D    Exit program removed
                                      F    Function registration operation
                                      R    Exit program replaced
              GS    QASYGSJE/J4/J5    G    A socket descriptor was given to another job. (The GS audit record is created if it is not created for the current job.)
                                      R    Receive descriptor.
                                      U    Unable to use descriptor.
              IP    QASYIPJE/J4/J5    A    The ownership or authority of an IPC object was changed.
                                      C    Create an IPC object.
                                      D    Delete an IPC object.
                                      G    Get an IPC object.
              JD    QASYJDJE/J4/J5    A    The USER parameter of a job description was changed.
              KF    QASYKFJ4/J5       C    Certificate operation.
                                      K    Key ring file operation.
                                      T    Trusted root operation.
              NA    QASYNAJE/J4/J5    A    A network attribute was changed.
              OW    QASYOWJE/J4/J5    A    Object ownership was changed.
              PA    QASYPAJE/J4/J5    A    A program was changed to adopt owner authority.
              PG    QASYPGJE/J4/J5    A    The primary group for an object was changed.
              PS    QASYPSJE/J4/J5    A    A target user profile was changed during a pass-through session.
                                      E    An office user ended work on behalf of another user.
                                      H    A profile handle was generated through the QSYGETPH API.
                                      I    All profile tokens were invalidated.
                                      M    The maximum number of profile tokens have been generated.
                                      P    Profile token generated for user.
                                      R    All profile tokens for a user have been removed.
                                      S    An office user started work on behalf of another user.
                                      V    User profile authenticated.
              SE    QASYSEJE/J4/J5    A    A subsystem routing entry was changed.
              SO    QASYSOJ4/J5       A    Add entry.
                                      C    Change entry.
                                      R    Remove entry.
              SV    QASYSVJE/J4/J5    A    A system value was changed.
                                      B    Service attributes were changed.
                                      C    Change to system clock.
                                      E    Change to option
                                      F    Change to system-wide journal attribute
              VA    QASYVAJE/J4/J5    S    The access control list was changed successfully.
                                      F    The change of the access control list failed.
              VO    QASYVOJ4/J5       V    Successful verification of a validation list entry.
              VU    QASYVUJE/J4/J5    G    A group record was changed.
                                      M    User profile global information changed.
                                      U    A user record was changed.
              X0    QASYX0J4/J5       1    Service ticket valid.
                                      2    Service principals do not match.
                                      3    Client principals do not match.
                                      4    Ticket IP address mismatch.
                                      5    Decryption of the ticket failed.
                                      6    Decryption of the authenticator failed.
                                      7    Realm is not within client and local realms.
                                      8    Ticket is a replay attempt.
                                      9    Ticket not yet valid.
                                      A    Decrypt of KRB_AP_PRIV or KRB_AP_SAFE checksum error.
                                      B    Remote IP address mismatch.
                                      C    Local IP address mismatch.
                                      D    KRB_AP_PRIV or KRB_AP_SAFE timestamp error.
                                      E    KRB_AP_PRIV or KRB_AP_SAFE replay error.
                                      F    KRB_AP_PRIV or KRB_AP_SAFE sequence order error.
                                      K    GSS accept - expired credential.
                                      L    GSS accept - checksum error.
                                      M    GSS accept - channel bindings.
                                      N    GSS unwrap or GSS verify expired context.
                                      O    GSS unwrap or GSS verify decrypt/decode.
                                      P    GSS unwrap or GSS verify checksum error.
                                      Q    GSS unwrap or GSS verify sequence error.
*SECVFY       PS    QASYPSJE/J4/J5    A    A target user profile was changed during a pass-through session.
                                      E    An office user ended work on behalf of another user.
                                      H    A profile handle was generated through the QSYGETPH API.
                                      I    All profile tokens were invalidated.
                                      M    The maximum number of profile tokens have been generated.
                                      P    Profile token generated for user.
                                      R    All profile tokens for a user have been removed.
                                      S    An office user started work on behalf of another user.
                                      V    User profile authenticated.
              X1    QASYX1J5          D    Delegate of identity token successful
                                      G    Get user from identity token successful
*SECVLDL      VO    QASYVOJ4/J5       V    Successful verification of a validation list entry.
*SERVICE      ST    QASYSTJE/J4/J5    A    A service tool was used.
              VV    QASYVVJE/J4/J5    C    The service status was changed.
                                      E    The server was stopped.
                                      P    The server paused.
                                      R    The server was restarted.
                                      S    The server was started.
*SPLFDTA      SF    QASYSFJE/J4/J5    A    A spooled file was read by someone other than the owner.
                                      C    A spooled file was created.
                                      D    A spooled file was deleted.
                                      H    A spooled file was held.
                                      I    An inline file was created.
                                      R    A spooled file was released.
                                      S    A spooled file was saved.
                                      T    A spooled file was restored.
                                      U    A spooled file was changed.
                                      V    Only non-security relevant spooled file attributes changed.
*SYSMGT       DI    QASYDIJ4/J5       CF   Configuration changes
                                      CI   Create instance
                                      DI   Delete instance
                                      RM   Replication management
              SM    QASYSMJE/J4/J5    B    Backup options were changed using xxxxxxxxxx.
                                      C    Automatic cleanup options were changed using xxxxxxxxxx.
                                      D    A DRDA* change was made.
                                      F    An HFS file system was changed.
                                      N    A network file operation was performed.
                                      O    A backup list was changed using xxxxxxxxxx.
                                      P    The power on/off schedule was changed using xxxxxxxxxx.
                                      S    The system reply list was changed.
                                      T    The access path recovery times were changed.
              VL    QASYVLJE/J4/J5    A    The account is expired.
                                      D    The account is disabled.
                                      L    Logon hours were exceeded.
                                      U    Unknown or unavailable.
                                      W    Workstation not valid.

Object Auditing:

*CHANGE       DI    QASYDIJ4/J5       IM   LDAP directory import
                                      ZC   Object change
              ZC    QASYZCJ4/J5       C    Object changes
                                      U    Upgrade of open access to an object
              AD    QASYADJE/J4/J5    D    Auditing of an object was changed with CHGOBJAUD command.
                                      O    Auditing of an object was changed with CHGOBJAUD command.
                                      S    Scan attribute change by CHGATR command or Qp0lSetAttr API
                                      U    Auditing for a user was changed with CHGUSRAUD command.
              AU    QASYAUJ5          E    Enterprise Identity Mapping (EIM) configuration change
              CA    QASYCAJE/J4/J5    A    Changes to authorization list or object authority.
              OM    QASYOMJE/J4/J5    M    An object was moved to a different library.
                                      R    An object was renamed.
              OR    QASYORJE/J4/J5    N    A new object was restored to the system.
                                      E    An object was restored that replaces an existing object.
              OW    QASYOWJE/J4/J5    A    Object ownership was changed.
              PG    QASYPGJE/J4/J5    A    The primary group for an object was changed.
              RA    QASYRAJE/J4/J5    A    The system changed the authority to an object being restored.
              RO    QASYROJE/J4/J5    A    The object owner was changed to QDFTOWN during restore operation.
              RZ    QASYRZJE/J4/J5    A    The primary group for an object was changed during a restore operation.
              GR    QASYGRJ4/J5       F    Function registration operations (5)
              LD    QASYLDJE/J4/J5    L    Link a directory.
                                      U    Unlink a directory.
              VF    QASYVFJE/J4/J5    A    The file was closed because of administrative disconnection.
                                      N    The file was closed because of normal client disconnection.
                                      S    The file was closed because of session disconnection.
              VO    QASYVOJ4/J5       A    Add validation list entry.
                                      C    Change validation list entry.
                                      F    Find validation list entry.
                                      R    Remove validation list entry.
              VR    QASYVRJE/J4/J5    F    Resource access failed.
                                      S    Resource access was successful.
              YC    QASYYCJE/J4/J5    C    A document library object was changed.
              ZC    QASYZCJE/J4/J5    C    An object was changed.
                                      U    Upgrade of open access to an object.
*ALL (4)      CD    QASYCDJ4/J5       C    Command run
              DI    QASYDIJ4/J5       EX   LDAP directory export
                                      ZR   Object read
              GR    QASYGRJ4/J5       F    Function registration operations (5)
              LD    QASYLDJE/J4/J5    K    Search a directory.
              YR    QASYYRJE/J4/J5    R    A document library object was read.
              ZR    QASYZRJE/J4/J5    R    An object was read.

Notes:
(1) This value can only be specified for the AUDLVL parameter of a user profile. It is not a value for the QAUDLVL system value.
(2) If object auditing is active for an object, an audit record is written for a create, delete, object management, or restore operation even if these actions are not included in the audit level.
(3) See the topic Restoring objects on page 249 for information about authority changes which might occur when an object is restored.
(4) When *ALL is specified, the entries for both *CHANGE and *ALL are written.
(5) When the QUSRSYS/QUSEXRGOBJ *EXITRG object is being audited.
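The journal entry type and detailed entry code in Table 134 are what a reviewer of QAUDJRN output keys on. The following is an added example, not code from the IBM i Security Reference: Python triage logic run over a few constructed records. The field names (timestamp, entry_type, detail, user) and the sample records are assumptions made for the example and are not the layout of the QASY* model outfiles (that layout is in Appendix F); only a subset of the Table 134 codes is encoded.

```python
"""Triage of QAUDJRN entries by journal entry type and detailed entry code.

Added example, not code from the IBM i Security Reference. The (entry type,
detail) codes and their meanings are taken from Table 134; the record fields
(timestamp, entry_type, detail, user) and the sample records are constructed
for this example and are NOT the QASY* model outfile layout (see Appendix F).
"""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# (journal entry type, detailed entry) -> short description, from Table 134.
AUDIT_CODES = {
    ("IM", "P"): "Potential intrusion detected",
    ("AF", "A"): "Not authorized to object or operation",
    ("AF", "B"): "Restricted instruction",
    ("AF", "C"): "Validation failure",
    ("AF", "K"): "Special authority violation",
    ("AF", "S"): "Default signon attempt",
    ("PW", "P"): "Incorrect password",
    ("PW", "Q"): "Signon failed, user profile disabled",
    ("PW", "R"): "Signon failed, password expired",
    ("PW", "U"): "User name not valid",
    ("CA", "A"): "Authorization list or object authority changed",
    ("OW", "A"): "Object ownership changed",
    ("SV", "A"): "System value changed",
}

# Codes a reviewer would escalate first: *ATNEVT hits and the AF entries that
# indicate integrity or privilege problems rather than ordinary denials.
HIGH_PRIORITY = {("IM", "P"), ("AF", "B"), ("AF", "C"), ("AF", "K"), ("AF", "S")}


def _rec(ts, entry_type, detail, user):
    """Build one constructed audit record (hypothetical field names)."""
    return {"timestamp": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
            "entry_type": entry_type, "detail": detail, "user": user}


# Constructed sample: three bad passwords for JSMITH within 15 seconds, then
# the profile is reported disabled; BJONES is denied an object and a special
# authority; one intrusion-monitor event; and some unrelated entries.
SAMPLE_ENTRIES = [
    _rec("2010-06-01 08:00:05", "PW", "P", "JSMITH"),
    _rec("2010-06-01 08:00:12", "PW", "P", "JSMITH"),
    _rec("2010-06-01 08:00:20", "PW", "P", "JSMITH"),
    _rec("2010-06-01 08:00:27", "PW", "Q", "JSMITH"),
    _rec("2010-06-01 08:03:00", "AF", "A", "BJONES"),
    _rec("2010-06-01 08:04:30", "AF", "K", "BJONES"),
    _rec("2010-06-01 08:05:00", "SV", "A", "QSECOFR"),
    _rec("2010-06-01 08:06:10", "IM", "P", "QSYS"),
    _rec("2010-06-01 08:10:00", "PW", "P", "BJONES"),
    _rec("2010-06-01 08:50:00", "CA", "A", "QSECOFR"),
    _rec("2010-06-01 09:10:00", "CD", "C", "TESTER"),  # code not in AUDIT_CODES
]


def describe(entry_type, detail):
    """Meaning of a code pair, or a marker for codes this example does not encode."""
    return AUDIT_CODES.get((entry_type, detail),
                           "Unlisted in this example: %s/%s" % (entry_type, detail))


def summarize(entries):
    """Count entries per journal entry type (the first cut of a daily review)."""
    return Counter(e["entry_type"] for e in entries)


def high_priority(entries):
    """Entries whose code pair is in HIGH_PRIORITY, with their descriptions."""
    return [(e["timestamp"], e["user"], describe(e["entry_type"], e["detail"]))
            for e in entries if (e["entry_type"], e["detail"]) in HIGH_PRIORITY]


def password_failure_bursts(entries, threshold=3, window=timedelta(minutes=5)):
    """Users with at least `threshold` PW/P (incorrect password) entries inside
    some interval no longer than `window`; returns {user: largest burst size}."""
    by_user = defaultdict(list)
    for e in entries:
        if (e["entry_type"], e["detail"]) == ("PW", "P"):
            by_user[e["user"]].append(e["timestamp"])
    bursts = {}
    for user, times in by_user.items():
        times.sort()
        best = start = 0
        for end in range(len(times)):          # sliding window over sorted times
            while times[end] - times[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            bursts[user] = best
    return bursts


if __name__ == "__main__":
    print(summarize(SAMPLE_ENTRIES))
    for ts, user, what in high_priority(SAMPLE_ENTRIES):
        print(ts, user, what)
    print(password_failure_bursts(SAMPLE_ENTRIES))
```

The PW/Q entry following the three PW/P entries is what a reviewer would expect to see when repeated bad passwords lead to the profile being disabled; correlating the two codes per user is cheaper than reading the full records.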

Planning the auditing of object access


The i5/OS operating system provides the ability to log accesses to an object in the security audit journal by using system values and the object auditing values for users and objects. This is called object auditing. The QAUDCTL system value, the OBJAUD value for an object, and the OBJAUD value for a user profile work together to control object auditing. The OBJAUD value for the object and the OBJAUD value for the user who is using the object determine whether a specific access should be logged. The QAUDCTL system value starts and stops the object auditing function. Table 135 shows how the OBJAUD values for the object and the user profile work together.
Table 135. How object and user auditing work together

OBJAUD value      OBJAUD value for object
for user          *NONE    *USRPRF          *CHANGE    *ALL
*NONE             None     None             Change     Change and Use
*CHANGE           None     Change           Change     Change and Use
*ALL              None     Change and Use   Change     Change and Use


You can use object auditing to keep track of all users that are accessing a critical object on the system. You can also use object auditing to keep track of all the objects that are accessed by a particular user. Object auditing is a flexible tool that enables you to monitor those object accesses that are important to your organization.

Taking advantage of the capabilities of object auditing requires careful planning. Poorly designed auditing might generate many more audit records than you can analyze. This can have a severe effect on system performance. For example, setting the OBJAUD value to *ALL for a library results in an audit entry being written every time the system searches for an object in that library. For a heavily used library on a busy system, this would generate a very large number of audit journal entries.

Here are some examples of how to use object auditing.
v If certain critical files are used throughout your organization, you can periodically review who is accessing them using a sampling technique:
   1. Set the OBJAUD value for each critical file to *USRPRF using the Change Object Auditing command:

                        Change Object Auditing (CHGOBJAUD)

 Type choices, press Enter.

 Object . . . . . . . . . . . . .   file-name
   Library  . . . . . . . . . . .     library-name
 Object type  . . . . . . . . . .   *FILE
 ASP device . . . . . . . . . . .   *
 Object auditing value  . . . . .   *USRPRF

   2. Set the OBJAUD value for each user in your sample to *CHANGE or *ALL using the CHGUSRAUD command.
   3. Make sure the QAUDCTL system value includes *OBJAUD.
   4. When sufficient time has elapsed to collect a representative sample, set the OBJAUD value in the user profiles to *NONE or remove *OBJAUD from the QAUDCTL system value.
   5. Analyze the audit journal entries by using the techniques described in Analyzing audit journal entries with query or a program on page 296.
v If you are concerned about who is using a particular file, you can collect information about all accesses to the file for a period of time:
   1. Set object auditing for the file independent of user profile values:
CHGOBJAUD OBJECT(library-name/file-name) OBJTYPE(*FILE) OBJAUD(*CHANGE or *ALL)

   2. Make sure that the QAUDCTL system value includes *OBJAUD.
   3. When sufficient time has elapsed to collect a representative sample, set the OBJAUD value in the object to *NONE.
   4. Analyze the audit journal entries using the techniques described in Analyzing audit journal entries with query or a program on page 296.
v To audit all object accesses for a specific user, do the following actions:
   1. Set the OBJAUD value for all objects to *USRPRF using the CHGOBJAUD and CHGAUD commands:


                        Change Object Auditing (CHGOBJAUD)

 Type choices, press Enter.

 Object . . . . . . . . . . . . .   *ALL
   Library  . . . . . . . . . . .     *ALLAVL
 Object type  . . . . . . . . . .   *ALL
 ASP device . . . . . . . . . . .   *
 Object auditing value  . . . . .   *USRPRF

      Attention: Depending on how many objects are on your system, this command might take many hours to run. Setting up object auditing for all objects on the system often is not necessary and will severely degrade performance. Selecting a subset of object types and libraries for auditing is recommended.
   2. Set the OBJAUD value for the specific user profile to *CHANGE or *ALL using the CHGUSRAUD command.
   3. Make sure the QAUDCTL system value includes *OBJAUD.
   4. When you have collected a specific sample, set the OBJAUD value for the user profile to *NONE.

Related reference
Object auditing on page 112
The object auditing value for a user profile works with the object auditing value for an object to determine whether the user's access of an object is audited.

Displaying object auditing: Use the DSPOBJD command to display the current object auditing level for an object. Use the DSPDLOAUD command to display the current object auditing level for a document library object.

Setting default auditing for objects: You can use the QCRTOBJAUD system value and the CRTOBJAUD value for libraries and directories to set object auditing for newly created objects. For example, if you want all new objects in the INVLIB library to have an audit value of *USRPRF, use the following command:
CHGLIB LIB(INVLIB) CRTOBJAUD(*USRPRF)

This command affects the auditing value of new objects only. It does not change the auditing value of objects that already exist in the library. Use the default auditing values carefully. Improper use might result in many unwanted entries in the security audit journal. Effective use of the object auditing capabilities of the system requires careful planning.

Preventing loss of auditing information


Two system values control what the system does when error conditions might cause the loss of audit journal entries.

Audit force level


The QAUDFRCLVL system value determines how often the system writes audit journal entries from memory to auxiliary storage.


The QAUDFRCLVL system value works like the force level for database files. You should follow similar guidelines in determining the correct force level for your installation. If you allow the system to determine when to write entries to auxiliary storage, the system balances the performance effect against the potential loss of information in a power outage. *SYS is the default choice. If you set the force level to a low number, you minimize the possibility of losing audit records, but you might notice a negative performance effect. If your installation requires that no audit records be lost in a power failure, you must set QAUDFRCLVL to 1.

Audit end action


The Auditing End Action (QAUDENDACN) system value determines what the system does if it is unable to write an entry to the audit journal. The default value is *NOTIFY. The system performs the following tasks if it is unable to write audit journal entries and QAUDENDACN is *NOTIFY:
1. The QAUDCTL system value is set to *NONE to prevent additional attempts to write entries.
2. Message CPI2283 is sent to the QSYSOPR message queue and the QSYSMSG message queue (if it exists) every hour until auditing is successfully restarted.
3. Normal processing continues.
4. If an IPL is performed on the system, message CPI2284 is sent to the QSYSOPR and QSYSMSG message queues during the IPL.

Note: In most cases, performing an IPL resolves the problem that caused auditing to fail. After you have restarted your system, set the QAUDCTL system value to the correct value. The system attempts to write an audit journal record whenever this system value is changed.

You can set the QAUDENDACN to turn off your system if auditing fails (*PWRDWNSYS). Use this value only if your installation requires that auditing be active for the system to run. If the system is unable to write an audit journal entry and the QAUDENDACN system value is *PWRDWNSYS, the following events take place:
1. The system shuts down immediately (the equivalent of issuing the PWRDWNSYS *IMMED command).
2. SRC code B900 3D10 is displayed.

Next, you must do the following actions:
1. Start an IPL from the system unit. Make sure that the device specified in the console (QCONSOLE) system value is powered on.
2. To complete the IPL, sign on at the console using a user with *ALLOBJ and *AUDIT special authority. The system starts in a restricted state with a message indicating that an auditing error caused the system to stop.
3. The QAUDCTL system value is set to *NONE.
4. To restore the system to normal, set the QAUDCTL system value to a value other than *NONE.
When you change the QAUDCTL system value, the system attempts to write an audit journal entry. If it is successful, the system returns to a normal state. If the system does not successfully return to a normal state, use the job log to determine why auditing has failed. Correct the problem and reset the QAUDCTL value.

Choosing not to audit QTEMP objects


You can choose to not audit QTEMP objects by specifying the *NOQTEMP value.

Chapter 9. Auditing security on System i

289

The value *NOQTEMP can be specified as a value for the QAUDCTL system value. If you use the *NOQTEMP value, you must also specify either *OBJAUD or *AUDLVL for QAUDCTL. When auditing is active and *NOQTEMP is specified, the following actions on objects in the QTEMP library are NOT audited:
• Changing or reading objects in QTEMP (journal entry types ZC, ZR).
• Changing the authority, owner, or primary group of objects in QTEMP (journal entry types CA, OW, PG).

Using CHGSECAUD to set up security auditing


Overview: Using the CHGSECAUD command, you can activate system security auditing for actions by ensuring that the security journal exists, setting the QAUDCTL system value to *AUDLVL, and setting the QAUDLVL system value to the default set of values. The default set includes *AUTFAIL, *CREATE, *DELETE, *SECURITY, and *SAVRST action audits.
CHGSECAUD QAUDCTL(*AUDLVL) QAUDLVL(*DFTSET)

Purpose: Set up the system to collect security events in the QAUDJRN journal.
How To: CHGSECAUD; DSPSECAUD
Authority: The user must have *ALLOBJ and *AUDIT special authority.
Journal Entry: CO (create object); SV (system value change); AD (object and user audit changes)

The CHGSECAUD command creates the journal and journal receiver if they do not exist. The CHGSECAUD command then sets the QAUDCTL, QAUDLVL, and QAUDLVL2 system values.

Related reference
Options on the Security Tools menu on page 705
You can use the Security Tools (SECTOOLS) menu to simplify the management and control of the security on your system with the many options and commands that it provides.

Setting up security auditing


With security auditing, you can collect information about security events in the QAUDJRN journal.

Overview:
Purpose: Set up the system to collect security events in the QAUDJRN journal.
How To: CRTJRNRCV; CRTJRN QSYS/QAUDJRN; WRKSYSVAL *SEC; CHGOBJAUD; CHGDLOAUD; CHGUSRAUD
Authority: *ADD authority to QSYS and to the journal receiver library; *AUDIT special authority
Journal Entry: CO (create object); SV (system value change); AD (object and user audit changes)
Note: QSYS/QAUDJRN must exist before QAUDCTL can be changed; otherwise the system auditing function does not know the journal name and cannot find it.

To set up security auditing, do the following steps. You need *AUDIT special authority to complete these steps.
1. Create a journal receiver in a library of your choice by using the Create Journal Receiver (CRTJRNRCV) command. This example uses a library called JRNLIB for journal receivers.

CRTJRNRCV JRNRCV(JRNLIB/AUDRCV0001) +
          THRESHOLD(100000) AUT(*EXCLUDE) +
          TEXT('Auditing Journal Receiver')

   a. Place the journal receiver in a library that is saved regularly. Do not place the journal receiver in library QSYS, even though that is where the journal will be.
   b. Choose a journal receiver name that can be used to create a naming convention for future journal receivers, such as AUDRCV0001. You can use the *GEN option when you change journal receivers to continue the naming convention. Using this type of naming convention is very helpful if you choose to have the system manage changing your journal receivers.
   c. Specify a receiver threshold appropriate to your system size and activity. The size you choose should be based on the number of transactions on your system and the number of actions that you choose to audit. If you use system change-journal management support, the journal receiver thresholds must be at least 100 000 KB. For more information about the journal receiver threshold, refer to Journal management.
   d. Specify *EXCLUDE on the AUT parameter to limit access to the information that is stored in the journal.
2. Create the QSYS/QAUDJRN journal by using the Create Journal (CRTJRN) command:

CRTJRN JRN(QSYS/QAUDJRN) +
       JRNRCV(JRNLIB/AUDRCV0001) +
       MNGRCV(*SYSTEM) DLTRCV(*NO) +
       AUT(*EXCLUDE) TEXT('Auditing Journal')

   • The name QSYS/QAUDJRN must be used.
   • Specify the name of the journal receiver that you created in the previous step.
   • Specify *EXCLUDE on the AUT parameter to limit access to the information stored in the journal. You must have authority to add objects to QSYS to create the journal.
   • Use the Manage receiver (MNGRCV) parameter to have the system change the journal receiver and attach a new one when the attached receiver exceeds the threshold specified in the creation of the journal receiver. If you choose this option, you do not need to use the CHGJRN command to detach receivers and create and attach new receivers manually.
   • Do not have the system delete detached receivers. Specify DLTRCV(*NO), which is the default. The QAUDJRN receivers are your security audit trail. Make sure that they are adequately saved before deleting them from the system. The Journal management topic provides more information about working with journals and journal receivers.
3. Set the audit level (QAUDLVL) system value or the audit level extension (QAUDLVL2) system value by using the WRKSYSVAL command. The QAUDLVL and QAUDLVL2 system values determine which actions are logged to the audit journal for all users on the system. See Planning the auditing of actions on page 263.
4. If necessary, set action auditing for individual users by using the CHGUSRAUD command. See Planning the auditing of actions on page 263.
5. If necessary, set object auditing for specific objects by using the CHGOBJAUD, CHGAUD, and CHGDLOAUD commands. See Planning the auditing of object access on page 286.
6. If necessary, set object auditing for specific users by using the CHGUSRAUD command.
7. Set the QAUDENDACN system value to control what happens if the system cannot access the audit journal. See Audit end action on page 289.
8. Set the QAUDFRCLVL system value to control how often audit records are written to auxiliary storage. See Preventing loss of auditing information on page 288.
9. Start auditing by setting the QAUDCTL system value to a value other than *NONE. The QSYS/QAUDJRN journal must exist before you can change the QAUDCTL system value to a value other than *NONE. When you start auditing, the system attempts to write a record to the audit journal. If the attempt is not successful, you receive a message and auditing does not start.
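The setup steps above as one CL program. This is an added example, not code from the IBM manual; it assumes that library JRNLIB already exists, uses the receiver name AUDRCV0001 from the text, sets QAUDLVL to the CHGSECAUD default set named earlier, and additionally turns on *NOQTEMP.

```cl
/* Added example, not code from the IBM manual: the setup steps above    */
/* as one CL program. Assumptions: library JRNLIB already exists, the    */
/* first receiver is named AUDRCV0001, and the QAUDLVL set is the        */
/* CHGSECAUD default set named in the text.                              */
PGM
   DCL VAR(&AUDLVL) TYPE(*CHAR) LEN(160) +
       VALUE('*AUTFAIL *CREATE *DELETE *SECURITY *SAVRST')

   /* Step 1: create the first receiver unless it already exists.        */
   /* THRESHOLD is in KB; 100000 is the minimum when the system manages  */
   /* receivers. AUT(*EXCLUDE) keeps the audit trail private by default. */
   CHKOBJ OBJ(JRNLIB/AUDRCV0001) OBJTYPE(*JRNRCV)
   MONMSG MSGID(CPF9801) EXEC(DO)   /* CPF9801: object not found        */
      CRTJRNRCV JRNRCV(JRNLIB/AUDRCV0001) THRESHOLD(100000) +
                AUT(*EXCLUDE) TEXT('Auditing Journal Receiver')
   ENDDO

   /* Step 2: the journal name must be QSYS/QAUDJRN. The system swaps    */
   /* receivers, MNGRCV(*SYSTEM), but never deletes them, DLTRCV(*NO).   */
   CHKOBJ OBJ(QSYS/QAUDJRN) OBJTYPE(*JRN)
   MONMSG MSGID(CPF9801) EXEC(DO)
      CRTJRN JRN(QSYS/QAUDJRN) JRNRCV(JRNLIB/AUDRCV0001) +
             MNGRCV(*SYSTEM) DLTRCV(*NO) AUT(*EXCLUDE) +
             TEXT('Auditing Journal')
   ENDDO

   /* Step 3: actions logged for all users.                              */
   CHGSYSVAL SYSVAL(QAUDLVL) VALUE(&AUDLVL)

   /* Steps 7 and 8: keep running but notify if entries cannot be        */
   /* written; let the system decide when to force entries to disk.      */
   CHGSYSVAL SYSVAL(QAUDENDACN) VALUE('*NOTIFY')
   CHGSYSVAL SYSVAL(QAUDFRCLVL) VALUE('*SYS')

   /* Step 9: start auditing, skipping QTEMP objects. CHGSYSVAL fails    */
   /* with an escape message if the test entry cannot be written, in     */
   /* which case auditing is still off.                                  */
   CHGSYSVAL SYSVAL(QAUDCTL) VALUE('*AUDLVL *NOQTEMP')
   MONMSG MSGID(CPF0000) EXEC(DO)
      SNDPGMMSG MSGID(CPF9898) MSGF(QCPFMSG) MSGTYPE(*ESCAPE) +
                MSGDTA('Security auditing did not start; see the job log')
   ENDDO
   SNDPGMMSG MSG('Security auditing is active') MSGTYPE(*COMP)
ENDPGM
```

Run it once from a profile with *AUDIT special authority and *ADD authority to QSYS and JRNLIB; it is safe to rerun because the CHKOBJ tests skip objects that already exist.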

Managing the audit journal and journal receivers


The system provides a mechanism for managing the audit journal and journal receivers. You can use the methods described in this topic to audit the security on your system.

The auditing journal QSYS/QAUDJRN is intended solely for security auditing. Objects should not be journaled to the audit journal. Commitment control should not use the audit journal. User entries should not be sent to this journal using the Send Journal Entry (SNDJRNE) command or the Send Journal Entry (QJOSJRNE) API.

The system uses special locking protection to make sure that it can write audit entries to the audit journal. When auditing is active (the QAUDCTL system value is not *NONE), the system arbitrator job (QSYSARB) holds a lock on the QSYS/QAUDJRN journal. You cannot perform certain operations on the audit journal when auditing is active, such as:
• DLTJRN command
• Moving the journal
• Restoring the journal
• WRKJRN command

The information recorded in the security journal entries is described in Appendix F, Layout of audit journal entries, on page 561. All security entries in the audit journal have a journal code of T. In addition to security entries, system entries also appear in the journal QAUDJRN. These are entries with a journal code of J, which relate to initial program load (IPL) and general operations performed on journal receivers (for example, saving the receiver).

If damage occurs to the journal or to its current receiver so that the auditing entries cannot be journaled, the QAUDENDACN system value determines what action the system takes. Recovery from a damaged journal or journal receiver is the same as for other journals.


You might want to have the system manage the changing of journal receivers. Specify MNGRCV(*SYSTEM) when you create the QAUDJRN journal, or change the journal to that value. If you specify MNGRCV(*SYSTEM), the system automatically detaches the receiver when it reaches its threshold size and creates and attaches a new journal receiver. This is called system change-journal management.

If you specify MNGRCV(*USER) for the QAUDJRN, a message is sent to the threshold message queue that was specified for the journal when the journal receiver reaches a storage threshold. The message indicates that the receiver has reached its threshold. Use the CHGJRN command to detach the receiver and attach a new journal receiver. This prevents "Entry not journaled" error conditions. If you do receive a message, you must use the CHGJRN command in order for security auditing to continue.

The default message queue for a journal is QSYSOPR. If your installation has a large volume of messages in the QSYSOPR message queue, you can associate a different message queue, such as AUDMSG, with the QAUDJRN journal. You can use a message handling program to monitor the AUDMSG message queue. When a journal threshold warning is received (CPF7099), you can automatically attach a new receiver. If you use system change-journal management, then message CPF7020 is sent to the journal message queue when a system change journal completes. You can monitor for this message so that you know when to save the detached journal receivers.

Attention: The automatic cleanup function that is provided when using Operational Assistant menus does not clean up the QAUDJRN receivers. To avoid problems with disk space, regularly detach, save, and delete QAUDJRN receivers.

See the Journal management topic for complete information about managing journals and journal receivers.

The QAUDJRN journal is created during an IPL if it does not exist and the QAUDCTL system value is set to a value other than *NONE. This occurs only after an unusual situation, such as replacing a disk device or clearing an auxiliary storage pool.

Related information
Journal management
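A message-handling program of the kind described above for a separate journal message queue, added here as an example (it is not code from the manual). It assumes the queue is QGPL/AUDMSG (AUDMSG is the name used in the text; the library is an assumption), that the queue was associated with the journal with CHGJRN JRN(QSYS/QAUDJRN) MSGQ(QGPL/AUDMSG), and that the program runs as a never-ending batch job.

```cl
/* Added example, not code from the IBM manual: a message-handling      */
/* program for a separate QAUDJRN message queue, run as a never-ending  */
/* batch job. Assumptions: the queue is QGPL/AUDMSG (AUDMSG is the name */
/* used in the text, QGPL is assumed) and it was associated with the    */
/* journal by CHGJRN JRN(QSYS/QAUDJRN) MSGQ(QGPL/AUDMSG).               */
PGM
   DCL VAR(&MSGID)  TYPE(*CHAR) LEN(7)
   DCL VAR(&MSGDTA) TYPE(*CHAR) LEN(512)

   /* Block until the next message arrives, then remove it from the queue. */
   NEXT: RCVMSG MSGQ(QGPL/AUDMSG) MSGTYPE(*ANY) WAIT(*MAX) RMV(*YES) +
                MSGID(&MSGID) MSGDTA(&MSGDTA)

   /* CPF7099: the attached receiver has reached its threshold. With      */
   /* MNGRCV(*USER) nothing else swaps receivers, and auditing cannot    */
   /* continue once the receiver is full, so attach a new one now and    */
   /* tell the operator if that fails.                                    */
   IF COND(&MSGID *EQ 'CPF7099') THEN(DO)
      CHGJRN JRN(QSYS/QAUDJRN) JRNRCV(*GEN)
      MONMSG MSGID(CPF0000) EXEC(DO)
         SNDMSG MSG('CHGJRN JRNRCV(*GEN) for QAUDJRN failed; security +
                     auditing may stop') TOMSGQ(QSYSOPR)
      ENDDO
   ENDDO

   /* CPF7020: system change-journal management has detached a receiver. */
   /* That receiver can now be saved and, once saved, deleted.            */
   IF COND(&MSGID *EQ 'CPF7020') THEN(DO)
      SNDMSG MSG('QAUDJRN receiver detached: save it with SAVOBJ before +
                  deleting it') TOMSGQ(QSYSOPR)
   ENDDO

   GOTO CMDLBL(NEXT)
ENDPGM
```

Any other message arriving on the queue is removed and ignored; extend the IF chain if you route further journal messages to AUDMSG.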

Saving and deleting audit journal receivers


You should regularly detach the current audit journal receiver and attach a new one.

Overview:
Purpose: Attach a new audit journal receiver; save and delete the old receiver
How To:
• CHGJRN QSYS/QAUDJRN JRNRCV(*GEN)
• SAVOBJ (to save the old receiver)
• DLTJRNRCV (to delete the old receiver)
Authority: *ALL authority to the journal receiver; *USE authority to the journal
Journal Entry: J (system entry to QAUDJRN)
Note: Select a time when the system is not busy.

You should regularly detach the current audit journal receiver and attach a new one for two reasons:
• Analyzing journal entries is easier if each journal receiver contains the entries for a specific, manageable time period.
• Large journal receivers can affect system performance and take valuable space on auxiliary storage.

It is suggested to have the system manage receivers automatically. You can specify this by using the Manage receiver parameter when you create the journal. If you have set up action auditing and object auditing to log many different events, you might need to specify a large threshold value for the journal receiver. If you are managing receivers manually, you might need to change journal receivers several times a day. If you log only a few events, you might want to change receivers to correspond with the backup schedule for the library containing the journal receiver. You use the CHGJRN command to detach a receiver and attach a new receiver.

System-managed journal receivers:
You can follow the steps described in this topic to save or delete the journal receivers. If you have the system manage the receivers, use the following procedure to save all detached QAUDJRN receivers and to delete them:
1. Type WRKJRNA QAUDJRN. The display shows you the currently attached receiver. Do not save or delete this receiver.
2. Use F15 to work with the receiver directory. This shows all receivers that have been associated with the journal and their corresponding status.
3. Use the SAVOBJ command to save each receiver. Do not save the currently attached receiver.
4. Use the DLTJRNRCV command to delete each receiver after it is saved.

An alternative to the preceding procedure is to use the journal message queue and monitor for the CPF7020 message, which indicates that the system change journal has completed successfully.

Related information
Backup and Recovery

User-managed journal receivers:
You can follow the steps described here to detach, save, or delete journal receivers manually. If you choose to manage journal receivers manually, use the following procedure to detach, save, and delete a journal receiver:
1. Type CHGJRN JRN(QAUDJRN) JRNRCV(*GEN). This command:
   a. Detaches the currently attached receiver.
   b. Creates a new receiver with the next sequential number.
   c. Attaches the new receiver to the journal.
   For example, if the current receiver is AUDRCV0003, the system creates and attaches a new receiver called AUDRCV0004. The Work with Journal Attributes (WRKJRNA) command tells you which receiver is currently attached: WRKJRNA QAUDJRN.
2. Use the Save Object (SAVOBJ) command to save the detached journal receiver. Specify object type *JRNRCV.
3. Use the Delete Journal Receiver (DLTJRNRCV) command to delete the receiver. If you try to delete the receiver without saving it, you will receive a warning message.

Stopping the audit function


You might want to use the audit function periodically, rather than all the time. For example, you might want to use it when testing a new application. Or you might use it to perform a quarterly security audit.


To stop the auditing function, do the following actions:
1. Use the WRKSYSVAL command to change the QAUDCTL system value to *NONE. This stops the system from logging any more security events.
2. Detach the current journal receiver using the CHGJRN command.
3. Save and delete the detached receiver, using the SAVOBJ and DLTJRNRCV commands.
4. You can delete the QAUDJRN journal after you change QAUDCTL to *NONE. If you plan to resume security auditing in the future, you should leave the QAUDJRN journal on the system.

If the QAUDJRN journal is set up with MNGRCV(*SYSTEM), the system detaches the receiver and attaches a new one whenever you perform an IPL, whether or not security auditing is active. You need to delete these journal receivers. Saving them before deleting them is not necessary, because they do not contain any audit entries.

Analyzing audit journal entries


After you have set up the security auditing function, you can use several different methods to analyze the events that are logged.
• View selected entries at your workstation using the Display Journal (DSPJRN) command.
• Copy selected entries to output files using the Copy Audit Journal Entries (CPYAUDJRNE) or DSPJRN command, and then use a query tool or program to analyze the entries.
• Use the Display Audit Journal Entries (DSPAUDJRNE) command.
  Note: IBM has stopped providing enhancements for the DSPAUDJRNE command. The command does not support all security audit record types, and the command does not list all the fields for the records it supports.
• Use the Receive Journal Entry (RCVJRNE) command on the QAUDJRN journal to receive the entries as they are written to the QAUDJRN journal.

Viewing audit journal entries


Overview:
Purpose: View QAUDJRN entries
How To: DSPJRN (Display Journal command)
Authority: *USE authority to QSYS/QAUDJRN; *USE authority to the journal receiver

The Display Journal (DSPJRN) command allows you to view selected journal entries at your workstation. To view journal entries, do the following actions:
1. Type DSPJRN QAUDJRN and press F4. On the prompt display, you can enter information to select the range of entries that is shown. For example, you can select all entries in a specific range of dates, or you can select only a certain type of entry, such as an incorrect sign-on attempt (journal entry type PW). The default is to display entries from only the attached receiver. You can use RCVRNG(*CURCHAIN) to see entries from all receivers that are in the receiver chain for the QAUDJRN journal, up to and including the receiver that is currently attached.
2. When you press the Enter key, you see the Display Journal Entries display:


                          Display Journal Entries
Journal . . . . . . :   QAUDJRN           Library . . . . . . :   QSYS
Largest sequence number on this screen . . . . . :   00000000000000000012
Type options, press Enter.
  5=Display entire entry

Opt  Sequence  Code  Type  Object      Library     Job     Time
        1       J     PR                           SCPF    10:24:55
        2       T     CA                           SCPF    10:24:55
        3       T     CO                           SCPF    10:24:55
        4       T     CA                           SCPF    10:24:55
        5       T     CO                           SCPF    10:24:55
        6       T     CA                           SCPF    10:24:55
        7       T     CO                           SCPF    10:24:55
        8       T     CA                           SCPF    10:24:56
        9       T     CO                           SCPF    10:24:56
       10       T     CA                           SCPF    10:24:57
       11       T     CO                           SCPF    10:24:57
       12       T     CA                           SCPF    10:24:57
                                                                 More...
F3=Exit   F12=Cancel

3. Use option 5 (Display entire entry) to see information about a specific entry:
                           Display Journal Entry
Object . . . . . . . :                    Library . . . . . . :
Member . . . . . . . :
Incomplete data  . . :   No               Minimized entry data :   *None
Sequence . . . . . . :   1198
Code . . . . . . . . :   T - Audit trail entry
Type . . . . . . . . :   CO - Create object

          Entry specific data
Column    *...+....1....+....2....+....3....+....4....+....5
00001     NISAVLDCK  QSYS      *PGM      CLE
00051
00101
00151
00201
00251
00301
                                                                 More...
Press Enter to continue.
F3=Exit   F6=Display only entry specific data   F10=Display only entry details
F12=Cancel   F24=More keys

4. You can use F6 (Display only entry specific data) for entries with a large amount of entry-specific data. You can also select a hexadecimal version of that display. You can use F10 to display details about the journal entry without any entry-specific information. Appendix F, Layout of audit journal entries, on page 561 contains the layout for each type of QAUDJRN journal entry.

Analyzing audit journal entries with query or a program


Overview:
Purpose: Display or print selected information from journal entries.
How To: DSPJRN OUTPUT(*OUTFILE); create a query or program; run the query or program
Authority: *USE authority to QSYS/QAUDJRN; *USE authority to the journal receiver; *ADD authority to the library for the output file

You can use the Display Journal (DSPJRN) command to write selected entries from the audit journal receivers to an output file. You can use a program or a query to view the information in the output file. For the output parameter of the DSPJRN command, specify *OUTFILE. You see additional parameters prompting you for information about the output file:

                          Display Journal (DSPJRN)
Type choices, press Enter.
   .
   .
   .
Output . . . . . . . . . . . . . > *OUTFILE
Outfile format . . . . . . . . .   *TYPE5
File to receive output . . . . .   dspjrnout
  Library . . . . . . . . . . .      mylib
Output member options:
  Member to receive output . . .   *FIRST
  Replace or add records . . . .   *REPLACE
Entry data length:
  Field data format  . . . . . .   *OUTFILFMT
  Variable length field length .
  Allocated length . . . . . . .

All security-related entries in the audit journal contain the same heading information, such as the entry type, the date of the entry, and the job that caused the entry. The QADSPJR5 file (with record format QJORDJE5) is provided to define these fields when you specify *TYPE5 as the output file format parameter. See Standard heading fields for audit journal entries QJORDJE5 Record Format (*TYPE5) on page 562 for more information. For more information about other records and their output file formats, see Appendix F, Layout of audit journal entries, on page 561.

If you want to perform a detailed analysis of a particular entry type, use one of the model database outfiles provided. Table 134 on page 270 shows the name of the model database output file for each entry type. Appendix F, Layout of audit journal entries, on page 561 shows the file layouts for each model database output file. For example, to create an output file called AUDJRNAF5 in QGPL that includes only authority failure entries:
1. Create an empty output file with the format defined for AF journal entries:

CRTDUPOBJ OBJ(QASYAFJ5) FROMLIB(QSYS) +
          OBJTYPE(*FILE) TOLIB(QGPL) NEWOBJ(AUDJRNAF5)

2. Use the DSPJRN command to write selected journal entries to the output file:
DSPJRN JRN(QAUDJRN) ... +
       JRNCDE(T) ENTTYP(AF) OUTPUT(*OUTFILE) +
       OUTFILFMT(*TYPE5) OUTFILE(QGPL/AUDJRNAF5)

3. Use Query or a program to analyze the information in the AUDJRNAF5 file.

Here are a few examples of how you might use QAUDJRN information:
• If you suspect someone is trying to break into your system:
  1. Make sure the QAUDLVL system value includes *AUTFAIL.
  2. Use the CRTDUPOBJ command to create an empty output file with the QASYPWJ5 format.
  3. A PW type journal entry is logged when someone enters an incorrect user ID or password on the Sign On display. Use the DSPJRN command to write PW type journal entries to the output file.
  4. Create a query program that displays or prints the date, time, and workstation for each journal entry. This information should help you determine where and when the attempts are occurring.
• If you want to test the resource security you have defined for a new application:
  1. Make sure the QAUDLVL system value includes *AUTFAIL.
  2. Run application tests with different user IDs.
  3. Use the CRTDUPOBJ command to create an empty output file with the QASYAFJ5 format.
  4. Use the DSPJRN command to write AF type journal entries to the output file.
  5. Create a query program that displays or prints information about the object, job, and user. This information should help you to determine what users and application functions are causing authority failures.
• If you are planning a migration to security level 40:
  1. Make sure the QAUDLVL system value includes *PGMFAIL and *AUTFAIL.
  2. Use the CRTDUPOBJ command to create an empty output file with the QASYAFJ5 format.
  3. Use the DSPJRN command to write AF type journal entries to the output file.
  4. Create a query program that selects the type of violations you are experiencing during your test and prints information about the job and program that causes each entry.

Note: Table 134 on page 270 shows which journal entry is written for each authority violation message.

Relationship of object Change Date/Time to audit records


Reports written to detect changes to programs, or other objects, are sometimes based on the Change Date/Time field of the object instead of information in the security audit journal. The following list describes reasons why there might be a difference between the date on the object and the date on the source for the object.
• The CHGPGM command is used to force program re-creation to update the Change Date/Time field of the program. This operation writes a ZC (Change to Object) audit record.
• The Sign Object (QYDOSGNO) API is used to digitally sign a program or command to update the Change Date/Time field for the program or command. This operation writes a ZC audit record.

The operating system can also automatically update the Change Date/Time field of an object in the following situations:
• When a user profile has private authority to an object, and that object is then deleted, the system updates the Change Date/Time field of that user profile as it removes that private authority.
• If security auditing is on when the object is deleted, a DO (Delete Operation) audit record is written for the deleted object.
• Because the system automatically updates every user profile that has private authority to the deleted object, no audit records are written for those user profiles, even though their Change Date/Time fields are updated.

To track when your users have used normal system interfaces to change objects, use the security auditing journal. Reports to detect changes to objects that are based solely on the Change Date/Time field of an object can only produce partial results.


Why you should not use the Date/Time field for general security auditing
The main guideline used to decide what to audit for i5/OS is to audit the security-relevant actions of users. The second guideline is to not write audit records for operations that the operating system automatically performs. In some cases, those automatic operations might be audited if the operating system performs the operation by using a function that is also designed to be used by users. The objectives for maintaining the Change Date/Time field of an object are different from the audit objectives. The main purpose of the Change Date/Time field is to indicate when an object is changed. An updated Change Date/Time field does not indicate what was changed for the object or who made the change. One of the main uses of this field is to indicate that the object should be saved by the Save Changed Objects (SAVCHGOBJ) command. The SAVCHGOBJ command does not need to know when the last change was made, only that the object was changed since it was last saved. This feature allows performance to be optimized for database files. The Change Date/Time field is updated only the first time the file is changed after it was last saved. Performance can be affected if the Change Date/Time field was updated each time a record in the file was updated, added, or deleted.

Other techniques for monitoring security


The security audit journal (QAUDJRN) is the primary source of information about security-related events on your system. The following sections discuss other ways to observe security-related events and the security values on your system. You will find additional information in Appendix G, Commands and menus for security commands, on page 705. This section includes examples to use the commands and information about the menus for the security tools.

Monitoring security messages


Some security-relevant events, such as incorrect sign-on attempts, cause a message in the QSYSOPR message queue. You can also create a separate message queue called QSYSMSG in the QSYS library. If you create the QSYSMSG message queue in the QSYS library, messages about critical system events are sent to that message queue as well as to QSYSOPR. The QSYSMSG message queue can be monitored separately by a program or a system operator. This provides additional protection of your system resources. Critical system messages in QSYSOPR are sometimes missed because of the volume of messages sent to that message queue.

Using the history log


Not all of the authority failure and integrity violation messages are found in the QHST log. These messages are listed here.

Some security-related events, such as exceeding the incorrect sign-on attempts specified in the QMAXSIGN system value, cause a message to be sent to the QHST (history) log. Security messages are in the range 2200 to 22FF. They have the prefixes CPI, CPF, CPC, CPD, and CPA.

Beginning with Version 2 Release 3 of the i5/OS licensed program, some authority failure and integrity violation messages are no longer sent to the QHST (history) log. All information that was available in the QHST log can be obtained from the security audit journal. Logging information to the audit journal provides better system performance and more complete information about these security-related events than the QHST log. The QHST log should not be considered a complete source of security violations. Use the security audit functions instead. These messages are no longer written to the QHST log:
• CPF2218. These events can be captured in the audit journal by specifying *AUTFAIL for the QAUDLVL system value.
• CPF2240. These events can be captured in the audit journal by specifying *AUTFAIL for the QAUDLVL system value.
• CPF2220. These events can be captured in the audit journal by specifying *AUTFAIL for the QAUDLVL system value.
• CPF4AAE. These events can be captured in the audit journal by specifying *AUTFAIL for the QAUDLVL system value.
• CPF2246. These events can be captured in the audit journal by specifying *AUTFAIL for the QAUDLVL system value.

Using journals to monitor object activity


If you include the *AUTFAIL value for system action auditing (the QAUDLVL system value), the system writes an audit journal entry for every unsuccessful attempt to access a resource. For critical objects, you can also set up object auditing so the system writes an audit journal entry for each successful access. The audit journal records only that the object was accessed. It does not log every transaction to the object.

For critical objects on your system, you might want more detailed information about the specific data that was accessed and changed. Object journaling can provide you with those details. Object journaling is used primarily for object integrity and recovery. Refer to the Journal management topic for a list of object types which can be journaled, and what is journaled for each object type. A security officer or auditor can also use these journal entries to review object changes. Do not journal any objects to the QAUDJRN journal. Journal entries can include:
• Identification of the job, user, and the time of access
• Before- and after-images of all object changes
• Records of when the object was opened, closed, changed, saved, created, deleted, and so on.

A journal entry cannot be altered by any user, even the security officer. A complete journal or journal receiver can be deleted, but this is easily detected. If you are journaling a database file, data area, data queue, library, or integrated file system object, you can use the DSPJRN command to print all the changes for that particular object. Here are some examples:
Type the following command for a particular database file.

DSPJRN JRN(library/journal) +
       FILE(library/file) OUTPUT(*PRINT)

Type the following command for a particular data area.

DSPJRN JRN(library/journal) +
       OBJ((library/object-name *DTAARA)) OUTPUT(*PRINT)

Type the following command for a particular data queue.

DSPJRN JRN(library/journal) +
       OBJ((library/object-name *DTAQ)) OUTPUT(*PRINT)

Type the following command for a particular integrated file system object.

DSPJRN JRN(library/journal) +
       OBJPATH((path-name)) OUTPUT(*PRINT)

Type the following command for a particular library.

DSPJRN JRN(library/journal) +
       OBJ((*LIBL/library-name *LIB)) OUTPUT(*PRINT)

For example, if journal JRNCUST in library CUSTLIB is used to record information about file CUSTFILE (also in library CUSTLIB), the command can be:
DSPJRN JRN(CUSTLIB/JRNCUST) +
       FILE(CUSTLIB/CUSTFILE) OUTPUT(*PRINT)


You can also create an output file and use a query or SQL to select the records of interest from the output file. Type the following command to create an output file for a particular database file.

DSPJRN JRN(library/journal) +
       FILE(library/file-name) +
       OUTPUT(*OUTFILE) OUTFILFMT(*TYPE5) +
       OUTFILE(library/outfile) ENTDTALEN(*CALC)

Type the following command to create an output file for a particular data area.

DSPJRN JRN(library/journal) +
       OBJ((library/object-name *DTAARA)) +
       OUTPUT(*OUTFILE) OUTFILFMT(*TYPE5) +
       OUTFILE(library/outfile) ENTDTALEN(*CALC)

Type the following command to create an output file for a particular data queue.

DSPJRN JRN(library/journal) +
       OBJ((library/object-name *DTAQ)) +
       OUTPUT(*OUTFILE) OUTFILFMT(*TYPE5) +
       OUTFILE(library/outfile) ENTDTALEN(*CALC)

Type the following command to create an output file for a particular integrated file system object.

DSPJRN JRN(library/journal) +
       OBJPATH((path-name)) +
       OUTPUT(*OUTFILE) OUTFILFMT(*TYPE5) +
       OUTFILE(library/outfile) ENTDTALEN(*CALC)

Type the following command to create an output file for a particular library.

DSPJRN JRN(library/journal) +
       OBJ((*LIBL/library-name *LIB)) +
       OUTPUT(*OUTFILE) OUTFILFMT(*TYPE5) +
       OUTFILE(library/outfile) ENTDTALEN(*CALC)

If you want to find out which journals are on the system, use the Work with Journals (WRKJRN) command. If you want to find out which objects are being journaled by a particular journal, use the Work with Journal Attributes (WRKJRNA) command.

Related information: Journal management
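As an added example (this is not code from the IBM manual), the following Python script reads a DSPJRN OUTPUT(*OUTFILE) OUTFILEFMT(*TYPE5) export that has been copied to CSV and pairs each before-image (journal code R, entry type UB) with its after-image (R/UP), so that an auditor sees who changed which record, under which effective profile, and what the data looked like before and after the change. It assumes the file was journaled with IMAGES(*BOTH) (otherwise there are no before-images, and the script flags each update where one is missing), that the CSV columns carry the *TYPE5 model outfile field names JOSEQN, JOCODE, JOENTT, JOTSTP, JOJOB, JOUSER, JONBR, JOPGM, JOUSPF, JOOBJ, JOLIB, JOMBR, JOCTRR and JOESD (verify them with DSPFFD against your own outfile), and that the sample rows are constructed for illustration.

```python
"""Pair before- and after-images from a DSPJRN OUTFILEFMT(*TYPE5) outfile export.

Added example, not part of the IBM manual. Assumptions: the outfile was copied
to CSV (for instance with CPYTOIMPF); the file was journaled with IMAGES(*BOTH),
so each update writes an R/UB (before) entry followed by an R/UP (after) entry
for the same relative record number; the column names are those of the *TYPE5
model outfile (verify with DSPFFD on your outfile).
"""
import csv
import io
from collections import Counter

# Constructed sample rows (not real journal data). JOESD holds the record image.
# Row 105 shows a profile swap: the job user is SMITHJ but JOUSPF is QSECOFR.
# Row 106 is an update with no R/UB before it, as seen with IMAGES(*AFTER).
SAMPLE_CSV = """JOSEQN,JOCODE,JOENTT,JOTSTP,JOJOB,JOUSER,JONBR,JOPGM,JOUSPF,JOOBJ,JOLIB,JOMBR,JOCTRR,JOESD
101,F,OP,2010-09-05-08.55.01.000000,QPADEV0001,JONESS,123456,QCMD,JONESS,CUSTFILE,CUSTLIB,CUSTFILE,0,
102,R,UB,2010-09-05-08.55.02.000000,QPADEV0001,JONESS,123456,CUSTUPD,JONESS,CUSTFILE,CUSTLIB,CUSTFILE,17,C00017 ACME CORP LIMIT 0001000
103,R,UP,2010-09-05-08.55.02.000000,QPADEV0001,JONESS,123456,CUSTUPD,JONESS,CUSTFILE,CUSTLIB,CUSTFILE,17,C00017 ACME CORP LIMIT 0250000
104,R,PT,2010-09-05-08.56.10.000000,QPADEV0001,JONESS,123456,CUSTUPD,JONESS,CUSTFILE,CUSTLIB,CUSTFILE,42,C00042 NEW CUST LIMIT 0005000
105,R,DL,2010-09-05-09.01.00.000000,QPADEV0002,SMITHJ,123460,DFU,QSECOFR,CUSTFILE,CUSTLIB,CUSTFILE,9,C00009 OLD CUST LIMIT 0000000
106,R,UP,2010-09-05-09.03.00.000000,QPADEV0002,SMITHJ,123460,DFU,QSECOFR,CUSTFILE,CUSTLIB,CUSTFILE,3,C00003 SOME CUST LIMIT 0009000
107,F,CL,2010-09-05-09.04.00.000000,QPADEV0001,JONESS,123456,QCMD,JONESS,CUSTFILE,CUSTLIB,CUSTFILE,0,
"""

# Record-level (journal code R) entry types that change data.
OPS = {"PT": "insert", "PX": "insert", "UP": "update", "DL": "delete"}


def parse_rows(csv_text):
    """Parse the CSV export; JOSEQN and JOCTRR become integers."""
    rows = list(csv.DictReader(io.StringIO(csv_text)))
    for row in rows:
        row["JOSEQN"] = int(row["JOSEQN"])
        row["JOCTRR"] = int(row["JOCTRR"])
    return rows


def pair_changes(rows):
    """Turn journal entries into change records with before/after images.

    An R/UB entry is held until the R/UP for the same file, member and relative
    record number arrives. An R/UP with no pending R/UB is reported with
    before=None and before_missing=True so the auditor sees the gap.
    """
    pending = {}  # (library, file, member, rrn) -> before-image entry
    changes = []
    for row in sorted(rows, key=lambda r: r["JOSEQN"]):
        if row["JOCODE"] != "R":
            continue  # F (file open/close) and other codes carry no data image
        key = (row["JOLIB"], row["JOOBJ"], row["JOMBR"], row["JOCTRR"])
        if row["JOENTT"] == "UB":
            pending[key] = row
            continue
        op = OPS.get(row["JOENTT"])
        if op is None:
            continue
        if op == "update":
            prior = pending.pop(key, None)
            before = prior["JOESD"] if prior else None
        elif op == "delete":
            before = row["JOESD"]  # the DL entry carries the deleted record
        else:
            before = None
        changes.append({
            "seq": row["JOSEQN"],
            "op": op,
            "when": row["JOTSTP"],
            # IBM i job identity is number/user/name
            "job": f'{row["JONBR"]}/{row["JOUSER"]}/{row["JOJOB"]}',
            # JOUSPF is the profile in effect when the change was made; after a
            # profile swap it differs from the job user in JOUSER
            "user": row["JOUSPF"],
            "program": row["JOPGM"],
            "object": f'{row["JOLIB"]}/{row["JOOBJ"]}({row["JOMBR"]})',
            "rrn": row["JOCTRR"],
            "before": before,
            "after": None if op == "delete" else row["JOESD"],
            "before_missing": op == "update" and before is None,
        })
    return changes


def changes_by_user(changes):
    """Count data changes per effective user profile (JOUSPF)."""
    return Counter(c["user"] for c in changes)


if __name__ == "__main__":
    for c in pair_changes(parse_rows(SAMPLE_CSV)):
        flag = "  <-- no before-image" if c["before_missing"] else ""
        print(f'{c["when"]} {c["user"]:<10} {c["op"]:<6} {c["object"]} rrn={c["rrn"]}{flag}')
        print(f'    before: {c["before"]}\n    after:  {c["after"]}')
```

Reporting on JOUSPF rather than JOUSER is the security-relevant choice: the job user stays SMITHJ across a profile swap, but the change was made with QSECOFR's authority.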

Analyzing user profiles


You can display or print a complete list of all the users on your system by using the Display Authorized Users (DSPAUTUSR) command. The list can be sequenced by profile name or group profile name. Here is an example of the group profile sequence.

Chapter 9. Auditing security on System i

301

                         Display Authorized Users

Group      User                    Password
Profile    Profile    No Password  Last Changed  Text
DPTSM      ANDERSOR                08/04/0x      Roger Anders
           VINCENTM                09/15/0x      Mark Vincent
DPTWH      ANDERSOR                08/04/0x      Roger Anders
           WAGNERR                 09/06/0x      Rose Wagner
QSECOFR    JONESS                  09/20/0x      Sharon Jones
           HARRISOK                08/29/0x      Ken Harrison
*NO GROUP  DPTSM          X        09/05/0x      Sales and Marketing
           DPTWH          X        08/13/0x      Warehouse
           RICHARDS                09/05/0x      Janet Richards
           SMITHJ                  09/18/0x      John Smith

Printing selected user profiles


You can use the Display User Profile (DSPUSRPRF) command to create an output file, which you can process using a query tool.
DSPUSRPRF USRPRF(*ALL) + TYPE(*BASIC) OUTPUT(*OUTFILE)

You can use a query tool to create a variety of analysis reports of your output file, such as:
- A list of all users who have both *ALLOBJ and *SPLCTL special authority.
- A list of all users sequenced by a user profile field, such as initial program or user class.

You can create query programs to produce different reports from your output file. For example:
- List all user profiles that have any special authorities by selecting records where the UPSPAU field is not equal to *NONE.
- List all users who are allowed to enter commands by selecting records where the Limit capabilities field (called UPLTCP in the model database output file) is equal to *NO or *PARTIAL.
- List all users who have a particular initial menu or initial program.
- List inactive users by looking at the date last sign-on field.
- List all users who do not have a password for use at password levels 0 and 1 by selecting records where the Password present for level 0 or 1 field (called UPENPW in the model output file) is equal to N.
- List all users who have a password for use at password levels 2 and 3 by selecting records where the Password present for level 2 or 3 field (called UPENPH in the model output file) is equal to Y.
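As an added example (not code from the IBM manual), the following Python script plays the role of the query tool: it reads the DSPUSRPRF TYPE(*BASIC) OUTPUT(*OUTFILE) output after it has been copied to CSV and produces every report listed above in one pass, plus the list of *ALLOBJ users that the later step on adopting programs needs. UPSPAU, UPLTCP, UPENPW and UPENPH are the field names given above; UPUPRF (profile name), UPINPG (initial program), UPINMN (initial menu) and UPPSOD (previous sign-on date) are my recollection of the QADSPUPB model file and should be verified with DSPFFD QSYS/QADSPUPB. The sign-on date is assumed to have been converted to YYYY-MM-DD on export (the raw outfile stores it in the job date format), and the sample rows are constructed.

```python
"""Audit reports over a DSPUSRPRF TYPE(*BASIC) OUTPUT(*OUTFILE) export.

Added example, not part of the IBM manual. It assumes the outfile has been
copied to CSV. UPSPAU, UPLTCP, UPENPW and UPENPH are the field names the manual
gives; UPUPRF, UPINPG, UPINMN and UPPSOD are assumed model-file names (verify
with DSPFFD QSYS/QADSPUPB). UPPSOD is assumed converted to YYYY-MM-DD.
"""
import csv
import io
from datetime import date

# Constructed sample (not from a real system). UPSPAU lists the special
# authorities blank-separated, as the outfile does; an empty UPPSOD means the
# profile has never signed on.
SAMPLE_CSV = """UPUPRF,UPSPAU,UPLTCP,UPINPG,UPINMN,UPENPW,UPENPH,UPPSOD
QSECOFR,*ALLOBJ *SECADM *JOBCTL *SPLCTL *SAVSYS *SERVICE *AUDIT *IOSYSCFG,*NO,*NONE,MAIN,Y,Y,2010-09-20
JONESS,*ALLOBJ *SPLCTL *AUDIT,*NO,*NONE,MAIN,Y,Y,2010-09-20
HARRISOK,*JOBCTL *SAVSYS,*PARTIAL,*NONE,MAIN,Y,Y,2010-08-29
ANDERSOR,*NONE,*YES,ORDENT,*SIGNOFF,Y,Y,2010-09-19
SMITHJ,*NONE,*NO,*NONE,MAIN,N,Y,2009-11-30
DPTSM,*NONE,*YES,*NONE,MAIN,N,N,
"""


def parse_rows(csv_text):
    return list(csv.DictReader(io.StringIO(csv_text)))


def special_authorities(row):
    """Set of special authorities; *NONE means the profile has none."""
    return set(row["UPSPAU"].split()) - {"*NONE"}


def audit_profiles(rows, today, inactive_days=90):
    """Produce the reports described in the manual, keyed by report name.

    'inactive' lists profiles whose last sign-on is older than inactive_days or
    that have never signed on. Group profiles and other profiles without a
    password at any level (UPENPW = N and UPENPH = N) are expected there, so
    'inactive_with_password' keeps only the ones that can actually sign on.
    """
    if isinstance(today, str):
        today = date.fromisoformat(today)
    reports = {
        "allobj_and_splctl": [], "allobj": [], "any_special_authority": [],
        "command_capable": [], "by_initial_program": {}, "by_initial_menu": {},
        "inactive": [], "inactive_with_password": [],
        "no_password_level_0_1": [], "password_level_2_3": [],
    }
    for row in rows:
        name = row["UPUPRF"]
        spc = special_authorities(row)
        if {"*ALLOBJ", "*SPLCTL"} <= spc:
            reports["allobj_and_splctl"].append(name)
        if "*ALLOBJ" in spc:  # input list for DSPPGMADP
            reports["allobj"].append(name)
        if spc:
            reports["any_special_authority"].append(name)
        if row["UPLTCP"] in ("*NO", "*PARTIAL"):  # may enter commands
            reports["command_capable"].append(name)
        reports["by_initial_program"].setdefault(row["UPINPG"], []).append(name)
        reports["by_initial_menu"].setdefault(row["UPINMN"], []).append(name)
        last = row["UPPSOD"].strip()
        has_password = row["UPENPW"] == "Y" or row["UPENPH"] == "Y"
        if not last or (today - date.fromisoformat(last)).days > inactive_days:
            reports["inactive"].append(name)
            if has_password:
                reports["inactive_with_password"].append(name)
        if row["UPENPW"] == "N":
            reports["no_password_level_0_1"].append(name)
        if row["UPENPH"] == "Y":
            reports["password_level_2_3"].append(name)
    return reports


if __name__ == "__main__":
    for title, body in audit_profiles(parse_rows(SAMPLE_CSV), date.today()).items():
        print(f"{title}: {body}")
```

The inactive_with_password report is the one worth acting on: a profile that has never signed on but has no password (a group profile, typically) is normal, while an enabled profile with a password and no sign-on in months is a candidate for STATUS(*DISABLED).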

Examining large user profiles


You might want to evaluate the security effectiveness of large user profiles on your system. User profiles with large numbers of authorities, appearing to be randomly spread over most of the system, can reflect a lack of security planning. Here is one method for locating large user profiles and evaluating them.

1. Use the Display Object Description (DSPOBJD) command to create an output file containing information about all the user profiles on the system:
DSPOBJD OBJ(*ALL) OBJTYPE(*USRPRF) + DETAIL(*BASIC) OUTPUT(*OUTFILE)

2. Create a query program to list the name and size of each user profile, in descending sequence by size.


3. Print detailed information about the largest user profiles and evaluate the authorities and owned objects to see if they are appropriate:
DSPUSRPRF USRPRF(user-profile-name) +
  TYPE(*OBJAUT) OUTPUT(*PRINT)
DSPUSRPRF USRPRF(user-profile-name) +
  TYPE(*OBJOWN) OUTPUT(*PRINT)

Note: Directories and directory-based objects are not printed. The WRKOBJOWN and WRKOBJPVT commands can be used to display directory-based objects and library-based objects, but there is no print function associated with these commands.

Some IBM-supplied user profiles are very large because of the number of objects they own. Listing and analyzing them is not necessary. However, you should check for programs adopting the authority of the IBM-supplied user profiles that have *ALLOBJ special authority, such as QSECOFR and QSYS. See Analyzing programs that adopt authority.

Related reference: Appendix B, IBM-supplied user profiles, on page 317. This section contains information about the user profiles that are shipped with the system. These profiles are used as object owners for various system functions. Some system functions also run under specific IBM-supplied user profiles.

Analyzing object and library authorities


You can audit the object and library authorities on your system. You can use the following method to determine who has authority to libraries on the system:

1. Use the DSPOBJD command to list all the libraries on the system:
DSPOBJD OBJ(QSYS/*ALL) OBJTYPE(*LIB) ASPDEV(*ALLAVL) OUTPUT(*PRINT)

2. Use the Display Object Authority (DSPOBJAUT) command to list the authorities to a specific library:
DSPOBJAUT OBJ(library-name) OBJTYPE(*LIB) + ASPDEV(asp-device-name) OUTPUT(*PRINT)

3. Use the Display Library (DSPLIB) command to list the objects in the library:
DSPLIB LIB(library-name) ASPDEV(asp-device-name) OUTPUT(*PRINT)

Using these reports, you can determine what is in a library and who has access to the library. If necessary, you can use the DSPOBJAUT command to view the authority for selected objects in the library also.

Analyzing programs that adopt authority


Programs that adopt the authority of a user with *ALLOBJ special authority represent a security exposure. You can analyze these programs to audit the security of the system. The following method can be used to find and inspect those programs that adopt authority:

1. For each user with *ALLOBJ special authority, use the Display Programs That Adopt (DSPPGMADP) command to list the programs that adopt that user's authority:
DSPPGMADP USRPRF(user-profile-name) + OUTPUT(*PRINT)

Note: The topic Printing selected user profiles on page 302 shows how to list users with *ALLOBJ authority.

2. Use the DSPOBJAUT command to determine who is authorized to use each adopting program and what the public authority is to the program:
DSPOBJAUT OBJ(library-name/program-name) + OBJTYPE(*PGM) ASPDEV(asp-device-name) OUTPUT(*PRINT)


Note: The object type parameter might need to be *PGM, *SQLPKG, or *SRVPGM as indicated by the DSPPGMADP report.

3. Inspect the source code and program description to evaluate:
- Whether the user of the program is prevented from excess function, such as using a command line, while running under the adopted profile.
- Whether the program adopts the minimum authority level needed for the intended function. Applications that use adopted authority can be designed using the same owner profile for objects and programs. When the authority of the program owner is adopted, the user has *ALL authority to application objects. In many cases, the owner profile does not need any special authorities.

4. Verify when the program was last changed, using the DSPOBJD command:
DSPOBJD OBJ(library-name/program-name) + OBJTYPE(*PGM) ASPDEV(asp-device-name) DETAIL(*FULL)

Note: The object type parameter might need to be *PGM, *SQLPKG, or *SRVPGM as indicated by the DSPPGMADP report.

Checking for objects that have been altered


An altered object is often an indication that someone is attempting to tamper with your system. You can use the Check Object Integrity (CHKOBJITG) command to check those objects that have been altered. You might want to run this command after someone has:
- Restored programs to your system
- Used dedicated service tools (DST)

When you run the command, the system creates a database file containing information about any potential integrity problems. You can check objects owned by one or more profiles, objects that match a path name, or all objects on the system. You can look for objects whose domain has been altered and objects that have been tampered with. You can recalculate program validation values to look for objects of type *PGM, *SRVPGM, *MODULE, and *SQLPKG that have been altered. You can check the signature of objects that can be digitally signed. You can check whether libraries and commands have been tampered with. You can also start an integrated file system scan or check whether objects failed a previous integrated file system scan.

Running the CHKOBJITG command requires *AUDIT special authority. The command might take a long time to run because of the scans and calculations that it performs. You should run it at a time when your system is not busy. Most IBM commands duplicated from a release before V5R2 will be logged as violations. These commands should be deleted and re-created using the Create Duplicate Object (CRTDUPOBJ) command each time a new release is loaded.

Related information: Scanning support

Checking the operating system


You can use the Check System (QYDOCHKS) API to check if any key operating system object has been changed since it was signed. Any object that is not signed or has been changed since it was signed will be reported as an error. Only signatures from a system trusted source are valid. Running the QYDOCHKS API requires *AUDIT special authority. The API might take a long time to run because of the calculations it performs. You should run it at a time when your system is not busy.


Related reference: Check System (QYDOCHKS) API

Auditing the security officers actions


You can keep a record of all actions performed by users with *ALLOBJ and *SECADM special authority for tracking purposes. To do this, you can use the action auditing value in the user profile:

1. For each user with *ALLOBJ or *SECADM special authority, use the CHGUSRAUD command to set the AUDLVL to all the values that are not included in the QAUDLVL or QAUDLVL2 system values on your system. For example, if the QAUDLVL system value is set to *AUTFAIL, *PGMFAIL, *PRTDTA, and *SECURITY, use this command to set the AUDLVL for a security officer user profile:
CHGUSRAUD USER(SECUSER) +
  AUDLVL(*CMD *CREATE *DELETE +
  *OBJMGT *OFCSRV *PGMADP +
  *SAVRST *SERVICE +
  *SPLFDTA *SYSMGT)

Action auditing on page 113 shows all the possible values for action auditing.

2. Remove the *AUDIT special authority from user profiles with *ALLOBJ and *SECADM special authority. This prevents these users from changing the auditing characteristics of their own profiles. You cannot remove special authorities from the QSECOFR profile. Therefore, you cannot prevent a user signed on as QSECOFR from changing the auditing characteristics of that profile. However, if a user signed on as QSECOFR uses the CHGUSRAUD command to change auditing characteristics, an AD entry type is written to the audit journal. It is recommended that security officers (users with *ALLOBJ or *SECADM special authority) use their own profiles for better auditing. The password for the QSECOFR profile should not be distributed.

3. Make sure the QAUDCTL system value includes *AUDLVL.

4. Use the DSPJRN command to review the entries in the audit journal using the techniques described in Analyzing audit journal entries with query or a program on page 296.
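As an added example (not code from the IBM manual), the following Python script carries out steps 1 to 3 of this procedure: it computes the set of action auditing values that are not already covered by QAUDLVL (merging QAUDLVL2 when QAUDLVL contains *AUDLVL2), renders the CHGUSRAUD command with CL continuation lines for each profile that holds *ALLOBJ or *SECADM, reports which of those profiles still hold *AUDIT (to be removed everywhere except QSECOFR, where it cannot be), and checks that QAUDCTL includes *AUDLVL. ACTION_AUDIT_VALUES lists only the action auditing values that appear on this page; extend it with the full list from Action auditing for your release. The profile rows use the UPUPRF and UPSPAU columns of a DSPUSRPRF outfile export and are constructed here.

```python
"""Security-officer auditing: AUDLVL complement and *AUDIT special authority.

Added example, not part of the IBM manual. ACTION_AUDIT_VALUES is the subset
of action auditing values that appear on this page; extend it with the full
list from "Action auditing" for your release. SAMPLE_ROWS are constructed
DSPUSRPRF outfile rows (UPUPRF = profile name, UPSPAU = special authorities).
"""

# Values the manual shows in QAUDLVL and in its CHGUSRAUD example (incomplete).
ACTION_AUDIT_VALUES = [
    "*AUTFAIL", "*CMD", "*CREATE", "*DELETE", "*OBJMGT", "*OFCSRV", "*PGMADP",
    "*PGMFAIL", "*PRTDTA", "*SAVRST", "*SECURITY", "*SERVICE", "*SPLFDTA", "*SYSMGT",
]

# Constructed sample of DSPUSRPRF outfile rows.
SAMPLE_ROWS = [
    {"UPUPRF": "QSECOFR", "UPSPAU": "*ALLOBJ *SECADM *JOBCTL *SPLCTL *SAVSYS *SERVICE *AUDIT *IOSYSCFG"},
    {"UPUPRF": "JONESS", "UPSPAU": "*ALLOBJ *SPLCTL *AUDIT"},
    {"UPUPRF": "SECADMIN", "UPSPAU": "*SECADM"},
    {"UPUPRF": "HARRISOK", "UPSPAU": "*JOBCTL *SAVSYS"},
]


def effective_qaudlvl(qaudlvl, qaudlvl2=()):
    """System-wide action auditing: QAUDLVL, plus QAUDLVL2 when QAUDLVL holds *AUDLVL2."""
    values = set(qaudlvl)
    if "*AUDLVL2" in values:
        values |= set(qaudlvl2)
    values.discard("*AUDLVL2")
    return values


def audlvl_complement(qaudlvl, qaudlvl2=(), all_values=ACTION_AUDIT_VALUES):
    """Values for the officer's AUDLVL: everything not already audited system-wide.

    Auditing a value both system-wide and per user is harmless but redundant.
    Group values such as *SECURITY already cover their sub-values, so extend
    all_values with care if you add the sub-values too.
    """
    sysvals = effective_qaudlvl(qaudlvl, qaudlvl2)
    return [v for v in all_values if v not in sysvals]


def chgusraud_command(user, values, per_line=4):
    """Render the CHGUSRAUD command with CL '+' continuation lines."""
    chunks = [" ".join(values[i:i + per_line]) for i in range(0, len(values), per_line)]
    return f"CHGUSRAUD USER({user}) AUDLVL(" + " +\n    ".join(chunks) + ")"


def security_officers(rows):
    """Profiles with *ALLOBJ or *SECADM, flagging those that still hold *AUDIT.

    *AUDIT lets the holder change the auditing of their own profile, so it
    should be removed from every officer except QSECOFR, where it cannot be.
    """
    result = []
    for row in rows:
        spc = set(row["UPSPAU"].split())
        if spc & {"*ALLOBJ", "*SECADM"}:
            result.append({
                "user": row["UPUPRF"],
                "remove_audit": "*AUDIT" in spc and row["UPUPRF"] != "QSECOFR",
            })
    return result


def qaudctl_ok(qaudctl):
    """Step 3: per-user action auditing takes effect only if QAUDCTL includes *AUDLVL."""
    return "*AUDLVL" in set(qaudctl)


if __name__ == "__main__":
    extra = audlvl_complement(["*AUTFAIL", "*PGMFAIL", "*PRTDTA", "*SECURITY"])
    for officer in security_officers(SAMPLE_ROWS):
        print(chgusraud_command(officer["user"], extra))
        if officer["remove_audit"]:
            print(f"  remove *AUDIT from {officer['user']}")
    print("QAUDCTL includes *AUDLVL:", qaudctl_ok(["*AUDLVL", "*OBJAUD"]))
```

With the QAUDLVL values from the example above, the script produces exactly the ten AUDLVL values shown in the CHGUSRAUD command, and it marks JONESS (but not QSECOFR) as a profile from which *AUDIT should be removed.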


Chapter 10. Code license and disclaimer information


IBM grants you a nonexclusive copyright license to use all programming code examples from which you can generate similar function tailored to your own specific needs. SUBJECT TO ANY STATUTORY WARRANTIES WHICH CANNOT BE EXCLUDED, IBM, ITS PROGRAM DEVELOPERS AND SUPPLIERS MAKE NO WARRANTIES OR CONDITIONS EITHER EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OR CONDITIONS OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, AND NON-INFRINGEMENT, REGARDING THE PROGRAM OR TECHNICAL SUPPORT, IF ANY. UNDER NO CIRCUMSTANCES IS IBM, ITS PROGRAM DEVELOPERS OR SUPPLIERS LIABLE FOR ANY OF THE FOLLOWING, EVEN IF INFORMED OF THEIR POSSIBILITY: 1. LOSS OF, OR DAMAGE TO, DATA; 2. DIRECT, SPECIAL, INCIDENTAL, OR INDIRECT DAMAGES, OR FOR ANY ECONOMIC CONSEQUENTIAL DAMAGES; OR 3. LOST PROFITS, BUSINESS, REVENUE, GOODWILL, OR ANTICIPATED SAVINGS. SOME JURISDICTIONS DO NOT ALLOW THE EXCLUSION OR LIMITATION OF DIRECT, INCIDENTAL, OR CONSEQUENTIAL DAMAGES, SO SOME OR ALL OF THE ABOVE LIMITATIONS OR EXCLUSIONS MAY NOT APPLY TO YOU.

Copyright IBM Corp. 1996, 2010

307


Appendix A. Security commands


This section contains the system commands related to security. You can use these commands in place of the system menus by typing these commands on a command line. The commands are divided into task-oriented groups. The Control language (CL) topic contains more detailed information about these commands. The tables in Appendix D, Authority required for objects used by commands, on page 337 show what object authorities are required to use these commands. For more information about tools and suggestions about how to use the security tools, see the Configuring the system to use security tools topic.

Authority holders commands


This table provides a list of the commands that allow you to work with authority holders.
Table 136. Authority holders commands

CRTAUTHLR (Create Authority Holder): Secure a file before the file exists. Authority holders are valid only for program-described database files.
DLTAUTHLR (Delete Authority Holder): Delete an authority holder. If the associated file exists, the authority holder information is copied to the file.
DSPAUTHLR (Display Authority Holder): Display all the authority holders on the system.

Authority lists commands


You can use these commands to perform different tasks on authority lists.
Table 137. Authority lists commands

ADDAUTLE (Add Authorization List Entry): Add a user to an authorization list. You specify what authority the user has to all the objects on the list.
CHGAUTLE (Change Authorization List Entry): Change a user's authorities to the objects on the authorization list.
CRTAUTL (Create Authorization List): Create an authorization list.
DLTAUTL (Delete Authorization List): Delete an entire authorization list.
DSPAUTL (Display Authorization List): Display a list of users and their authorities to an authorization list.
DSPAUTLOBJ (Display Authorization List Objects): Display a list of objects secured by an authorization list.
EDTAUTL (Edit Authorization List): Add, change, and remove users and their authorities on an authorization list.
RMVAUTLE (Remove Authorization List Entry): Remove a user from an authorization list.
RTVAUTLE (Retrieve Authorization List Entry): Used in a control language (CL) program to get one or more values associated with a user on the authorization list. The command can be used with the CHGAUTLE command to give a user new authorities in addition to the existing authorities that the user already has.


WRKAUTL (Work with Authorization Lists): Work with authorization lists from a list display.

Object authority and auditing commands


You can refer to this table for commands that you can use to work with object authority and auditing.
Table 138. Object authority and auditing commands

CHGAUD (Change Auditing): Change the auditing value for an object.
CHGAUT (Change Authority): Change the authority of users to objects.
CHGOBJAUD (Change Object Auditing): Specify whether access to an object is audited.
CHGOBJOWN (Change Object Owner): Change the ownership of an object from one user to another.
CHGOBJPGP (Change Object Primary Group): Change the primary group for an object to another user or to no primary group.
CHGOWN (Change Owner): Change the ownership of an object from one user to another.
CHGPGP (Change Primary Group): Change the primary group for an object to another user or to no primary group.
DSPAUT (Display Authority): Display users' authority to an object.
DSPLNK (Display Links): Show a list of names of specified objects in directories and options to display information about the objects.
DSPOBJAUT (Display Object Authority): Display the object owner, public authority to the object, any private authorities to the object, and the name of the authorization list used to secure the object.
DSPOBJD (Display Object Description): Display the object auditing level for the object.
EDTOBJAUT (Edit Object Authority): Add, change, or remove a user's authority for an object.
GRTOBJAUT (Grant Object Authority): Specifically give authority to named users, all users (*PUBLIC), or users of the referenced object for the objects named in this command.
RVKOBJAUT (Revoke Object Authority): Remove one or more (or all) of the authorities given specifically to a user for the named objects.
WRKAUT (Work with Authority): Work with object authority by selecting options on a list display.
WRKLNK (Work with Links): Show a list of names of specified objects in directories and options to work with the objects.
WRKOBJ (Work with Objects): Work with object authority by selecting options on a list display.
WRKOBJOWN (Work with Objects by Owner): Work with the objects owned by a user profile.
WRKOBJPGP (Work with Objects by Primary Group): Work with the objects for which a profile is the primary group, using options from a list display.
WRKOBJPVT (Work with Objects by Private Authorities): Work with the objects for which a profile is privately authorized, using options from a list display.


Passwords commands
These commands enable the security administrator to assign, change, verify, or reset the password associated with a user profile.

Table 139. Passwords commands

CHGDSTPWD (Change Dedicated Service Tools Password): Reset the DST security capabilities profile to the default password shipped with the system.
CHGPWD (Change Password): Change the user's own password.
CHGUSRPRF (Change User Profile): Change the values specified in a user's profile, including the user's password.
CHKPWD (Check Password): Verify a user's password. For example, if you want the user to enter the password again to run a particular application, you can use CHKPWD in your CL program to verify the password.
CRTUSRPRF (1) (Create User Profile): When you add a user to the system, you assign a password to the user.

(1) When a CRTUSRPRF is done, you cannot specify that the *USRPRF is to be created into an independent auxiliary storage pool (ASP). However, when a user is privately authorized to an object on an independent ASP, the user is the owner of an object on an independent ASP, or the user is the primary group of an object on an independent ASP, the profile's name is stored on the independent ASP. If the independent ASP is moved to another system, the private authority, object ownership, and primary group entries will be attached to the profile with the same name on the target system. If a profile does not exist on the target system, a profile will be created. The user will not have any special authorities and the password will be set to *NONE.

User profiles commands


As a security administrator, you will need to use these commands to work with user profiles.
Table 140. User profiles commands

CHGPRF (Change Profile): Change some of the attributes of the user's own profile.
CHGUSRAUD (Change User Audit): Specify the action and object auditing for a user profile.
CHGUSRPRF (Change User Profile): Change the values specified in a user's profile, such as the user's password, special authorities, initial menu, initial program, current library, and priority limit.
CHKOBJITG (Check Object Integrity): Check the objects owned by one or more user profiles, or check the objects that match the path name, to ensure the objects have not been tampered with.
CRTUSRPRF (Create User Profile): Add a user to the system and specify values such as the user's password, special authorities, initial menu, initial program, current library, and priority limit.
DLTUSRPRF (Delete User Profile): Delete a user profile from the system. This command provides an option to delete or change ownership of objects owned by the user profile.
DMPUSRPRF (Dump User Profile): Dump the user profile and related information.


DSPAUTUSR (Display Authorized Users): Display or print the following for all user profiles on the system: associated group profile (if any), whether the user profile has a password usable at any password level, whether the user profile has a password usable at the various password levels, whether the user profile has a password usable with NetServer, the date the password was last changed, and the user profile text.
DSPSSTUSR (Display Service Tools User ID): Display a list of service tools user identifiers. It can also be used to show detailed information about a specific service tools user ID, including the status and privileges of that user.
DSPUSRPRF (Display User Profile): Display a user profile in several different formats.
GRTUSRAUT (Grant User Authority): Copy private authorities from one user profile to another user profile.
PRTPRFINT (Print Profile Internals): Print a report of internal information about the number of entries.
PRTUSRPRF (Print User Profile): Analyze user profiles that meet specified criteria.
RTVUSRPRF (Retrieve User Profile): Used in a control language (CL) program to get and use one or more values that are stored and associated with a user profile.
WRKUSRPRF (Work with User Profiles): Work with user profiles by entering options on a list display.

Related user profile commands


This table lists some other commands that are related to user profiles. These commands allow you to restore or save the user profiles and their attributes.
Table 141. Related user profile commands

DSPPGMADP (Display Programs That Adopt): Display a list of programs and SQL packages that adopt a specified user profile.
RSTAUT (Restore Authority): Restore authorities for objects held by a user profile when the user profile was saved. These authorities can only be restored after a user profile is restored with the Restore User Profile (RSTUSRPRF) command.
RSTUSRPRF (Restore User Profile): Restore a user profile and its attributes. Restoring specific authority to objects is done with the RSTAUT command after the user profile is restored. The RSTUSRPRF command also restores all authorization lists and authority holders if RSTUSRPRF(*ALL) is specified.
SAVSECDTA (Save Security Data): Save all user profiles, authorization lists, and authority holders without using a system that is in a restricted state.
SAVSYS (Save System): Save all user profiles, authorization lists, and authority holders on the system. A dedicated system is required to use this function.


Auditing commands
You can use these commands to manage auditing on an object.
Table 142. Auditing commands

CHGAUD (Change Auditing): Specify the auditing for an object.
CHGDLOAUD (Change Document Library Object Auditing): Specify whether access is audited for a document library object.
CHGOBJAUD (Change Object Auditing): Specify the auditing for an object.
CHGUSRAUD (Change User Audit): Specify the action and object auditing for a user profile.

Document library objects commands


This table lists the commands that you can use to work with document library objects.
Table 143. Document library objects commands

ADDDLOAUT (Add Document Library Object Authority): Give a user access to a document or folder, or secure a document or folder with an authorization list or an access code.
CHGDLOAUD (Change Document Library Object Auditing): Specify the object auditing level for a document library object.
CHGDLOAUT (Change Document Library Object Authority): Change the authority for a document or folder.
CHGDLOOWN (Change Document Library Object Owner): Transfer document or folder ownership from one user to another user.
CHGDLOPGP (Change Document Library Object Primary Group): Change the primary group for a document library object.
DSPAUTLDLO (Display Authorization List Document Library Objects): Display the documents and folders that are secured by the specified authorization list.
DSPDLOAUD (Display Document Library Object Auditing): Display the object auditing level for a document library object.
DSPDLOAUT (Display Document Library Object Authority): Display authority information for a document or a folder.
EDTDLOAUT (Edit Document Library Object Authority): Add, change, or remove users' authorities to a document or folder.
GRTUSRPMN (Grant User Permission): Give permission to a user to handle documents and folders or to do office-related tasks on behalf of another user.
RMVDLOAUT (Remove Document Library Object Authority): Remove a user's authority to documents or folders.
RVKUSRPMN (Revoke User Permission): Take away document authority from one user (or all users) to access documents on behalf of another user.


Server authentication entries commands


These commands allow you to display, add, remove, or change server authentication entries for a user profile.
Table 144. Server authentication entries commands

ADDSVRAUTE (Add Server Authentication Entry): Add server authentication information for a user profile.
CHGSVRAUTE (Change Server Authentication Entry): Change existing server authentication entries for a user profile.
DSPSVRAUTE (Display Server Authentication Entries): Display server authentication entries for a user profile.
RMVSVRAUTE (Remove Server Authentication Entry): Remove server authentication entries from the specified user profile.

These commands allow a user to specify a user name, the associated password, and the name of a remote server machine. Distributed Relational Database Architecture (DRDA) uses these entries to run database access requests as the specified user on the remote server.

System distribution directory commands


You can use these commands to add, remove, or change entries in the system distribution directory.
Table 145. System distribution directory commands

ADDDIRE (Add Directory Entry): Add new entries to the system distribution directory. The directory contains information about a user, such as the user ID and address, system name, user profile name, mailing address, and telephone number.
CHGDIRE (Change Directory Entry): Change the data for a specific entry in the system distribution directory. The system administrator has authority to update any of the data contained in a directory entry, except the user ID, address, and the user description. Users can update their own directory entries, but they are limited to updating certain fields.
RMVDIRE (Remove Directory Entry): Remove a specific entry from the system distribution directory. When a user ID and address is removed from the directory, it is also removed from any distribution lists.
WRKDIRE (Work with Directory): Provide a set of displays that allow a user to view, add, change, and remove entries in the system distribution directory.

Validation lists commands


These two commands allow you to create and delete validation lists in a library.
Table 146. Validation lists commands

CRTVLDL (Create Validation List): Create a validation list object that contains entries consisting of an identifier, data that will be encrypted by the system when it is stored, and free-form data.
DLTVLDL (Delete Validation List): Delete the specified validation list from a library.


Function usage information commands


You can use these commands to change or display function usage information.
Table 147. Function usage information commands

CHGFCNUSG (Change Function Usage): Change the usage information for a registered function.
DSPFCNUSG (Display Function Usage): Display a list of function identifiers and the detailed usage information for a specific function.
WRKFCNUSG (Work with Function Usage): Display a list of function identifiers and change or display function usage information.

Auditing security tools commands


These commands enable you to work with security auditing, the entries from the security audit journal and the system values that control security auditing. For more information about the security tools, see Appendix G, Commands and menus for security commands, on page 705.
Table 148. Auditing security tools commands

CHGSECAUD (Change Security Auditing): Set up security auditing and change the system values that control security auditing.
CPYAUDJRNE (Copy Audit Journal Entries): Copy entries from the security audit journal to output files that you can query. You can select specific entry types, specific users, and a time period.
DSPAUDJRNE (1) (Display Audit Journal Entries): Display or print information about entries in the security audit journal. You can select specific entry types, specific users, and a time period.
DSPSECAUD (Display Security Auditing Values): Display information about the security audit journal and the system values that control security auditing.

(1) IBM has stopped providing enhancements for the DSPAUDJRNE command. The command does not support all security audit record types, and the command does not list all the fields for the records it does support.

Authority security tools commands


You can use these commands to perform various printing tasks that are related to security settings.
Table 149. Authority security tools commands

PRTJOBDAUT (Print Job Description Authority): Print a list of job descriptions whose public authority is not *EXCLUDE. You can use this command to print information about job descriptions that specify a user profile that every user on the system can access.
PRTPUBAUT (Print Publicly Authorized Objects): Print a list of objects of the specified type whose public authority is not *EXCLUDE.
PRTPVTAUT (Print Private Authorities): Print a list of private authorities for objects of the specified type.


PRTQAUT (Print Queue Authority): Print the security settings for output queues and job queues on your system. These settings control who can view and change entries in the output queue or job queue.
PRTSBSDAUT (Print Subsystem Description Authority): Print a list of subsystem descriptions in a library that contain a default user in a subsystem entry.
PRTTRGPGM (Print Trigger Programs): Print a list of trigger programs that are associated with database files on your system.
PRTUSROBJ (Print User Objects): Print a list of the user objects (objects not supplied by IBM) that are in a library.

System security tools commands


You can use these commands to work with system security.
Table 150. System security tools commands

CHGSECA (1) (Change Security Attributes): Set new starting values for generating user ID numbers or group ID numbers. Users can specify a starting user ID number and a starting group ID number.
CFGSYSSEC (Configure System Security): Set security-relevant system values to their recommended settings. The command also sets up security auditing on your system.
CLRSVRSEC (Clear Server Security Data): Clear decryptable authentication information that is associated with user profiles and validation list (*VLDL) entries. Note: This is the same information that was cleared in releases previous to V5R2 when the QRETSVRSEC system value was changed from '1' to '0'.
DSPSECA (Display Security Attributes): Display the current and pending values of some system security attributes.
PRTCMNSEC (Print Communications Security): Print the security attributes of the *DEVD, *CTL, and *LIND objects on the system.
PRTSYSSECA (Print System Security Attributes): Print a list of security-relevant system values and network attributes. The report shows the current value and the recommended value.
RVKPUBAUT (Revoke Public Authority): Set the public authority to *EXCLUDE for a set of security-sensitive commands on your system.

(1) To use this command, you must have *SECADM special authority.


IBM i: Security Security reference

Appendix B. IBM-supplied user profiles


This section contains information about the user profiles that are shipped with the system. These profiles are used as object owners for various system functions. Some system functions also run under specific IBM-supplied user profiles.

Default values for user profiles


This table shows the default values that are used for all IBM-supplied user profiles and on the Create User Profile (CRTUSRPRF) command. The parameters are sequenced in the order they appear on the Create User Profile display.
Table 151. Default values for user profiles

User profile parameter | IBM-supplied user profiles | Create User Profile display
Password (PASSWORD) | *NONE | *USRPRF (4)
Set password to expired (PWDEXP) | *NO | *NO
Status (STATUS) | *ENABLED | *ENABLED
User class (USRCLS) | *USER | *USER
Assistance level (ASTLVL) | *SYSVAL | *SYSVAL
Current library (CURLIB) | *CRTDFT | *CRTDFT
Initial program (INLPGM) | *NONE | *NONE
Initial menu (INLMNU) | MAIN | MAIN
Initial menu library | *LIBL | *LIBL
Limited capabilities (LMTCPB) | *NO | *NO
Text (TEXT) | *BLANK | *BLANK
Special authority (SPCAUT) | *ALLOBJ (1), *SAVSYS (1) | *USRCLS (2)
Special environment (SPCENV) | *SYSVAL | *SYSVAL
Display sign-on information (DSPSGNINF) | *SYSVAL | *SYSVAL
Block password change (PWDCHGBLK) | *SYSVAL | *SYSVAL
Local password management (LCLPWDMGT) | *YES | *YES
Password expiration interval (PWDEXPITV) | *SYSVAL | *SYSVAL
Limit device sessions (LMTDEVSSN) | *SYSVAL | *SYSVAL
Keyboard buffering (KBDBUF) | *SYSVAL | *SYSVAL
Maximum storage (MAXSTG) | *NOMAX | *NOMAX
Priority limit (PTYLMT) | 0 | 3
Job description (JOBD) | QDFTJOBD | QDFTJOBD
Job description library | QGPL | *LIBL
Group profile (GRPPRF) | *NONE | *NONE
Owner (OWNER) | *USRPRF | *USRPRF
Group authority (GRPAUT) | *NONE | *NONE
Group authority type (GRPAUTTYP) | *PRIVATE | *PRIVATE
Supplemental groups (SUPGRPPRF) | *NONE | *NONE
Accounting code (ACGCDE) | *SYS | *BLANK
Document password (DOCPWD) | *NONE | *NONE
Message queue (MSGQ) | *USRPRF | *USRPRF
Delivery (DLVRY) | *NOTIFY | *NOTIFY
Severity (SEV) | 00 | 00
Printer device (PRTDEV) | *WRKSTN | *WRKSTN
Output queue (OUTQ) | *WRKSTN | *WRKSTN
Attention program (ATNPGM) | *NONE | *SYSVAL
Sort sequence (SRTSEQ) | *SYSVAL | *SYSVAL
Language identifier (LANGID) | *SYSVAL | *SYSVAL
Country or Region Identifier (CNTRYID) | *SYSVAL | *SYSVAL
Coded Character Set Identifier (CCSID) | *SYSVAL | *SYSVAL
Character identifier control (CHRIDCTL) | *SYSVAL | *SYSVAL
Set Job Attributes (SETJOBATR) | *SYSVAL | *SYSVAL
Locale (LOCALE) | *NONE | *SYSVAL
User Option (USROPT) | *NONE | *NONE
User Identification Number (UID) | *GEN | *GEN
Group Identification Number (GID) | *NONE | *NONE
Home Directory (HOMEDIR) | *USRPRF | *USRPRF
EIM association (EIMASSOC) | *NOCHG | *NOCHG
User expiration date (USREXPDATE) | *NONE | *NONE
Authority (AUT) | *EXCLUDE | *EXCLUDE
Action auditing (AUDLVL) (3) | *NONE | *NONE
Object auditing (OBJAUD) (3) | *NONE | *NONE

1 When the system security level is changed from level 10 or 20 to level 30 or above, this value is removed.
2 When a user profile is automatically created at security level 10, the *USER user class gives *ALLOBJ and *SAVSYS special authority.
3 Action and object auditing are specified using the CHGUSRAUD command.
4 When you perform a CRTUSRPRF, you cannot create a user profile (*USRPRF) into an independent disk pool. However, when a user is privately authorized to an object in the independent disk pool, the user is the owner of an object in an independent disk pool, or the user is the primary group of an object on an independent disk pool, the name of the profile is stored on the independent disk pool. If the independent disk pool is moved to another system, the private authority, object ownership, and primary group entries will be attached to the profile with the same name on the target system. If a profile does not exist on the target system, a profile will be created. The user will not have any special authorities and the password will be set to *NONE.

IBM-supplied user profiles


This table lists each IBM-supplied profile, its purpose, and any values for the profile that are different from the defaults for IBM-supplied user profiles.

Note: IBM-supplied user profiles now include additional user profiles that are shipped with the licensed program products. The table includes only some, but not all, user profiles for licensed program products; therefore, the list is not inclusive.

Attention:

v Password for the QSECOFR profile: You must change the password for the QSECOFR profile after you install your system. This password is the same for every System i product and poses a security exposure until it is changed. Do not change any other values for IBM-supplied user profiles. Changing these profiles can cause system functions to fail.

v Authorities for IBM-supplied profiles: Use caution when removing authorities that IBM-supplied profiles have for objects that are shipped with the operating system. Some IBM-supplied profiles are granted private authorities to objects that are shipped with the operating system. Removing any of these authorities can cause system functions to fail.
Table 152. IBM-supplied user profiles

Profile name, descriptive name
    Parameters different from default values

QADSM, ADSM user profile
    USRCLS: *SYSOPR
    CURLIB: QADSM
    TEXT: ADSM profile used by ADSM server
    SPCAUT: *JOBCTL, *SAVSYS
    JOBD: QADSM/QADSM
    OUTQ: QADSM/QADSM
QAFOWN, APD user profile
    USRCLS: *PGMR
    SPCAUT: *JOBCTL
    JOBD: QADSM/QADSM
    TEXT: Internal APD User Profile
QAFUSR, APD user profile
    TEXT: Internal APD User Profile
QAFDFTUSR, APD user profile
    INLPGM: *LIBL/QAFINLPG
    LMTCPB: *YES
    TEXT: Internal APD User Profile
QAUTPROF, IBM authority user profile
QBRMS, BRM user profile
QCLUMGT, Cluster management profile
    STATUS: *DISABLED
    MSGQ: *NONE
    ATNPGM: *NONE
QCLUSTER, High availability cluster profile
    SPCAUT: *IOSYSCFG
QCOLSRV, Management central collection services user profile
QDBSHR, Database share profile
    AUT: *ADD, *DELETE
QDBSHRDO, Database share profile
    AUT: *ADD, *DELETE
QDFTOWN, Default owner profile
QDIRSRV, i5/OS Directory Server server user profile
    PTYLMT: 3
    LMTCPB: *YES
    JOBD: QGPL/QBATCH
    DSPSGNINF: *NO
    LMTDEVSSN: *NO
    DLVRY: *HOLD
    SPCENV: *NONE
    ATNPGM: *NONE
QDLFM, DataLink File Manager profile
    SRTSEQ: *HEX
QDOC, Document profile
    AUT: *CHANGE
QDSNX, Distributed systems node executive profile
    PTYLMT: 3
    CCSID: *HEX
    SRTSEQ: *HEX
QEJBSVR, WebSphere Application Server user profile
QEJB, Enterprise Java user profile
QFNC, Finance profile
    PTYLMT: 3
QGATE, VM/MVS bridge profile
    CCSID: *HEX
    SRTSEQ: *HEX
QIPP, Internet printing profile
    MSGQ: QUSRSYS/QIPP
QLPAUTO, Licensed program automatic install profile
    USRCLS: *SYSOPR
    INLMNU: *SIGNOFF
    SPCAUT: *ALLOBJ, *JOBCTL, *SAVSYS, *SECADM, *IOSYSCFG
    INLPGM: QSYS/QLPINATO
    DLVRY: *HOLD
    SEV: 99
QLPINSTALL, Licensed program install profile
    USRCLS: *SYSOPR
    DLVRY: *HOLD
    SPCAUT: *ALLOBJ, *JOBCTL, *SAVSYS, *SECADM, *IOSYSCFG
QLWISVR, Default profile for IAS servers
    LMTDEVSSN: *NO
    DSPSGNINF: *NO
    LOCALE: *SYSVAL
    MSGQ: QUSRSYS/QLWISVR
QMGTC, Management central profile
    JOBD: QSYS/QYPSJOBD
QMSF, Mail server framework profile
    CCSID: *HEX
    SRTSEQ: *HEX
QMQM, MQSeries user profile
    USRCLS: *SECADM
    SPCAUT: *NONE
    PRTDEV: *SYSVAL
    TEXT: MQM user which owns the QMQM library
QNFSANON, NFS user profile
QNETSPLF, Network spooling profile
QNTP, Network time profile
    JOBD: QTOTNTP
    JOBD LIBRARY: QSYS
QPGMR, Programmer profile
    USRCLS: *PGMR
    SPCAUT: *ALLOBJ (1), *SAVSYS (1), *JOBCTL
    PTYLMT: 3
    ACGCDE: *BLANK
QPEX, Performance Explorer user profile
    PTYLMT: 3
    ATNPGM: *SYSVAL
    TEXT: IBM-supplied User Profile
QPM400, IBM Performance Management for System i (PM System i)
    SPCAUT: *IOSYSCFG, *JOBCTL
QRDARSADM, Content Manager OnDemand user profile
    INLMNU: *SIGNOFF
    TEXT: OnDemand Administration Profile
QRDAR, Content Manager OnDemand owning profile
    USRCLS: *PGMR
    INLMNU: *SIGNOFF
    OUTQ: *DEV
    TEXT: OnDemand owning profile
QRDARS4001, Content Manager OnDemand owning profile 1
    INLMNU: *SIGNOFF
    GRPPRF: QRDARS400
    OUTQ: *DEV
    TEXT: OnDemand file owning profile 1
QRDARS4002, Content Manager OnDemand owning profile 2
    INLMNU: *SIGNOFF
    GRPPRF: QRDARS400
    OUTQ: *DEV
    TEXT: OnDemand file owning profile 2
QRDARS4003, Content Manager OnDemand owning profile 3
    INLMNU: *SIGNOFF
    GRPPRF: QRDARS400
    OUTQ: *DEV
    TEXT: OnDemand file owning profile 3
QRDARS4004, Content Manager OnDemand owning profile 4
    INLMNU: *SIGNOFF
    GRPPRF: QRDARS400
    OUTQ: *DEV
    TEXT: OnDemand file owning profile 4
QRDARS4005, Content Manager OnDemand owning profile 5
    INLMNU: *SIGNOFF
    GRPPRF: QRDARS400
    OUTQ: *DEV
    TEXT: OnDemand file owning profile 5
QRMTCAL, Remote Calendar user profile
    TEXT: OfficeVision Remote Calendar User
QRJE, Remote job entry profile
    USRCLS: *PGMR
    SPCAUT: *ALLOBJ (1), *SAVSYS (1), *JOBCTL
QSECOFR, Security officer profile
    PWDEXP: *YES
    USRCLS: *SECOFR
    SPCAUT: *ALLOBJ, *SAVSYS, *JOBCTL, *SECADM, *SPLCTL, *SERVICE, *AUDIT, *IOSYSCFG
    UID: 0
    PASSWORD: QSECOFR
QSNADS, SNA distribution services profile
    CCSID: *HEX
    SRTSEQ: *HEX
QSOC, OptiConnect user profile
    USRCLS: *SYSOPR
    CURLIB: *QSOC
    SPCAUT: *JOBCTL
    MSGQ: QUSRSYS/QSOC
QSPL, Spool profile
QSPLJOB, Spool job profile
QSRV, Service profile
    USRCLS: *PGMR
    SPCAUT: *ALLOBJ (1), *SAVSYS (1), *JOBCTL, *SERVICE
    ASTLVL: *INTERMED
    ATNPGM: QSYS/QSCATTN
QSRVAGT, Service Agent user profile
QSRVBAS, Service basic profile
    USRCLS: *PGMR
    SPCAUT: *ALLOBJ (1), *SAVSYS (1), *JOBCTL
    ASTLVL: *INTERMED
    ATNPGM: QSYS/QSCATTN
QSVCCS, CC Server user profile
    USRCLS: *SYSOPR
    SPCAUT: *JOBCTL
    SPCENV: *SYSVAL
    TEXT: CC Server User Profile
QSVCM, Client Management Server user profile
    TEXT: Client Management Server User Profile
QSVSM, ECS user profile
    USRCLS: *SYSOPR
    STATUS: *DISABLED
    SPCAUT: *JOBCTL
    SPCENV: *SYSVAL
    TEXT: SystemView System Manager User Profile
QSVSMSS, Managed System Service user profile
    STATUS: *DISABLED
    USRCLS: *SYSOPR
    SPCAUT: *JOBCTL
    SPCENV: *SYSVAL
    TEXT: Managed System Service User Profile
QSYS, System profile
    USRCLS: *SECOFR
    SPCAUT: *ALLOBJ, *SECADM, *SAVSYS, *JOBCTL, *AUDIT, *SPLCTL, *SERVICE, *IOSYSCFG
QSYSOPR, System operator profile
    USRCLS: *SYSOPR
    SPCAUT: *ALLOBJ (1), *SAVSYS, *JOBCTL
    INLMNU: SYSTEM
    LIBRARY: *LIBL
    MSGQ: QSYSOPR
    DLVRY: *BREAK
    SEV: 40
QTCM, Triggered cache manager profile
    STATUS: *DISABLED
QTCP, Transmission control protocol (TCP) profile
    USRCLS: *SYSOPR
    SPCAUT: *JOBCTL
    CCSID: *HEX
    SRTSEQ: *HEX
QTFTP, Trivial File Transfer Protocol
QTMPLPD, Transmission control protocol/Internet protocol (TCP/IP) printing support profile
    PTYLMT: 3
    AUT: *USE
QTMPLPD, Remote LPR user profile
    JOBD: QGPL/QDFTJOBD
    PWDEXPITV: *NOMAX
    MSGQ: QTCP/QTMPLPD
QTMTWSG, HTML Workstation Gateway Profile user profile
    MSGQ: QUSRSYS/QTMTWSG
    TEXT: HTML Workstation Gateway Profile
QTMHHTTP, HTML Workstation Gateway Profile user profile
    MSGQ: QUSRSYS/QTMHHTTP
    TEXT: HTTP Server Profile
QTMHHTP1, HTML Workstation Gateway Profile user profile
    MSGQ: QUSRSYS/QTMHHTTP
    TEXT: HTTP Server CGI Profile
QTSTRQS, Test request profile
QUSER, Workstation user profile
QWEBADMIN, Profile for the Web Admin GUI
    PTYLMT: 3
    LMTDEVSSN: *NO
    DSPSGNINF: *NO
    MSGQ: QUSRSYS/QWEBADMIN
QWSERVICE, Default profile for Integrated Web Services server
    LMTDEVSSN: *NO
    DSPSGNINF: *NO
    LOCALE: *SYSVAL
    MSGQ: QUSRSYS/QWSERVICE
QYCMCIMOM, Server user profile
QYPSJSVR, Management Central Java Server profile
QYPUOWN, Internal APU user profile
    TEXT: Internal APU User profile

1 When the system security level is changed from level 10 or 20 to level 30 or above, this value is removed.

Appendix C. Commands shipped with public authority *EXCLUDE


This section identifies which commands have restricted authorization (public authority is *EXCLUDE) when your system is shipped. It shows which IBM-supplied user profiles are authorized to use these restricted commands. For more information about IBM-supplied user profiles, see the topic IBM-supplied user profiles on page 128.

In Table 153, commands that are restricted to the security officer, and any user profile with *ALLOBJ authority, have an R in the QSECOFR column. Commands that are specifically authorized to one or more IBM-supplied user profiles, in addition to the security officer, have an S under the profile names for which they are authorized.

Any commands not listed here are public, which means they can be used by all users. However, some commands require special authority, such as *SERVICE or *JOBCTL. The special authorities required for a command are listed in Appendix D, Authority required for objects used by commands, on page 337.

If you choose to grant other users or the public *USE authority to these commands, update this table to indicate which commands are no longer restricted on your system.

Using some commands might require authority to certain objects on the system as well as to the commands themselves. See Appendix D, Authority required for objects used by commands, on page 337 for the object authorities required for commands.
Table 153. Authorities of IBM-supplied user profiles to restricted commands Command Name QSECOFR R R R R R S R R R R S S S R S S S S S S QPGMR QSYSOPR QSRV QSRVBAS

ADDASPCPYD ADDCADMRE ADDCADNODE ADDCLUMON


ADDCLUNODE ADDCMDCRQA ADDCRGDEVE ADDCRGNODE ADDCRSDMNK ADDDEVDMNE ADDDSTQ ADDDSTRTE ADDDSTSYSN ADDEXITPGM ADDDWDFN ADDJWDFN ADDMFS ADDMSTPART ADDNETJOBE

Table 153. Authorities of IBM-supplied user profiles to restricted commands (continued) Command Name ADDOBJCRQA ADDOPTCTG ADDOPTSVR ADDPEXDFN ADDPEXFTR ADDPRDCRQA ADDPTFCRQA ADDRPYLE ADDRSCCRQA ADDTRCFTR ANSQST ANZBESTMDL ANZCMDPFR ANZDBF ANZDBFKEY ANZDFTPWD ANZJVM ANZOBJCVN ANZPFRDTA ANZPGM ANZPRB ANZPRFACT ANZS34OCL ANZS36OCL APYJRNCHG APYPTF APYRMTPTF CFGDSTSRV CFGRPDS CFGSYSSEC CHGACTSCDE CHGASPA CHGASPACT R R R S S S S S S R R R S S S S S R R R S S S S R R R R R R R S S S S R R S S S S S S S S S S S S S S S S S QSECOFR QPGMR S QSYSOPR S QSRV S QSRVBAS S

CHGASPCPYD CHGASPSSN CHGCAD CHGCLU


CHGCLUCFG

R R R R R R R

CHGCLUMON
CHGCLUNODE


Table 153. Authorities of IBM-supplied user profiles to restricted commands (continued) Command Name CHGCLURCY CHGCLUVER CHGCMDCRQA CHGCRG CHGCRGDEVE CHGCRGPRI CHGCRSDMNK CHGDIRSRVA CHGDSTQ CHGDSTRTE CHGEXPSCDE CHGFCNARA CHGGPHFMT CHGGPHPKG CHGJOBTRC CHGJOBTYP CHGJRN CHGJRNA CHGLICINF CHGMGDSYSA CHGMGRSRVA CHGMSTK CHGNETA CHGNETJOBE CHGNFSEXP CHGNWSA CHGNWSCFG CHGOBJCRQA CHGOPTA CHGPEXDFN CHGPRB CHGPRDCRQA CHGPTFCRQA CHGPTR CHGQSTDB CHGRCYAP CHGRPYLE CHGRSCCRQA CHGSYSLIBL CHGSYSVAL R S S S R S S S S S S S R S S S S S S S S S S S S S S S R R R R R R S S S S R S S S S S S S S R R R R R R S S S S S S S S S R R R R QSECOFR R R S S S S QPGMR QSYSOPR QSRV QSRVBAS


Table 153. Authorities of IBM-supplied user profiles to restricted commands (continued) Command Name CHGS34LIBM CHKASPBAL CHKCMNTRC CHKMSTKVV CHKPRDOPT CLRMSTKEY CPHDTA CPYFCNARA CPYFRMLDIF CPYGPHFMT CPYGPHPKG CPYPFRCOL CPYPFRDTA CPYPTF CPYPTFGRP CPYTOLDIF CRTADMDMN CRTAUTHLR R R R R R R R R R R R R R R R R R R S S S S S S S S R R S S S S QSECOFR R R S QPGMR QSYSOPR QSRV QSRVBAS

CRTCAD
CRTCLS CRTCLS CRTCLU CRTCRG CRTFCNARA CRTGPHFMT CRTGPHPKG CRTHSTDTA CRTJOBD CRTNWSCFG CRTPFRDTA CRTPFRSUM CRTLASREP CRTPEXDTA CRTQSTDB CRTQSTLOD CRTSBSD CRTUDFS CRTUDFS CRTVLDL CVTBASSTR

S S R R S R R R R S S


Table 153. Authorities of IBM-supplied user profiles to restricted commands (continued) Command Name CVTBASUNF CVTBGUDTA CVTDIR CVTPFRCOL CVTPFRDTA CVTPFRTHD CVTS36FCT CVTS36JOB CVTS38JOB CVTTCPCL DB2LDIF DLTADMDMN DLTAPARDTA DLTBESTMDL R R R S R R R R R R R R R S R R S S R R S S R R R S S S S S S S S S S S S S S S S S S S S S R S S S S QSECOFR R R R R R R R R R S S S S QPGMR QSYSOPR QSRV QSRVBAS

DLTCAD
DLTCLU DLTCMNTRC DLTCRGCLU DLTEXPSPLF DLTFCNARA DLTGPHFMT DLTGPHPKG DLTHSTDTA

DLTINTSVR
DLTLICPGM DLTNWSCFG DLTPEXDTA DLTPFRCOL DLTPFRDTA DLTPRB DLTPTF DLTQST DLTQSTDB DLTRMTPTF DLTSMGOBJ DLTUDFS DLTVLDL DLTWNTSVR DMPDLO DMPJOB


Table 153. Authorities of IBM-supplied user profiles to restricted commands (continued) Command Name DMPJOBINT DMPJVM DMPMEMINF DMPOBJ DMPSYSOBJ DMPTRC DMPUSRPRF R S S S S S S S S QSECOFR QPGMR S S QSYSOPR S S QSRV S S QSRVBAS S S

DSPASPCPYD DSPASPSSN DSPCLUINF DSPCRGINF


DSPDSTLOG DSPHSTGPH DSPMGDSYSA DSPNWSCFG DSPPFRDTA DSPPFRGPH DSPPTF DSPSRVSTS EDTCPCST EDTQST EDTRBDAP EDTRCYAP ENCCPHK ENCFRMMSTK ENCTOMSTK ENDASPBAL

R R R R R R S R R R S S S S S R S S R R R R R R R R R R S S S S S S S S S S S S S

ENDASPSSN ENDCAD
ENDCHTSVR ENDCLUNOD ENDCMNTRC ENDCRG ENDDBGSVR ENDDW ENDHOSTSVR ENDIDXMON ENDIPSIFC ENDJOBABN ENDJOBTRC

S R S S R

S S

S S


Table 153. Authorities of IBM-supplied user profiles to restricted commands (continued) Command Name ENDJW ENDMGDSYS ENDMGRSRV ENDMSF ENDNFSSVR ENDPEX ENDPFRTRC ENDSRVJOB ENDSYSMGR ENDTCP ENDTCPCNN ENDTCPIFC ENDTCPSVR ENDWCH GENCPHK GENCRSDMNK GENMAC GENPIN GENS36RPT GENS38RPT GRTACCAUT HLDCMNDEV HLDDSTQ R R R R R R R R S S R S S R S R R S S S S S S S S R S S S S S S S S S S S S R S S S S S S S S S S S S S S S S S S S S S S S S S S S S S QSECOFR QPGMR QSYSOPR QSRV QSRVBAS

INSINTSVR
INSPTF2 INSRMTPRD INSWNTSVR INZDSTQ INZNWSCFG INZSYS LDIF2DB LODOPTFMW LODPTF LODQSTDB MGRS36 MGRS36APF MGRS36CBL MGRS36DFU MGRS36DSPF MGRS36ITM

R S R R R R R R R

Table 153. Authorities of IBM-supplied user profiles to restricted commands (continued) Command Name MGRS36LIB MGRS36MNU MGRS36MSGF MGRS36QRY MGRS36RPG MGRS36SEC MGRS38OBJ MIGRATE PKGPRDDST PRTACTRPT PRTCMNTRC PRTCPTRPT PRTJOBRPT PRTJOBTRC PRTLCKRPT PRTPOLRPT PRTRSCRPT PRTSYSRPT PRTTNSRPT PRTTRCRPT PRTDSKINF PRTERRLOG PRTINTDTA PRTPRFINT PWRDWNSYS RCLDBXREF RCLOBJOWN RCLOPT RCLSPLSTG RCLSTG RCLTMPSTG RESMGRNAM RLSCMNDEV RLSDSTQ RLSIFSLCK RLSRMTPHS RMVACC R R R R R S S R R R R R R S S S S S S S S S S S S S S S S S S S S S S S R R R R R R R R R R S S S S S S S S R S QSECOFR R R R R R R R R S S S S QPGMR QSYSOPR QSRV QSRVBAS

RMVASPCPYD RMVCADMRE RMVCADNODE


Table 153. Authorities of IBM-supplied user profiles to restricted commands (continued) Command Name QSECOFR R R R R R R R S S S S S S QPGMR QSYSOPR QSRV QSRVBAS

RMVCLUMON
RMVCLUNODE RMVCRGDEVE RMVCRGNODE RMVCRSDMNK RMVDEVDMNE RMVDFRID RMVDSTQ RMVDSTRTE RMVDSTSYSN RMVDWDFN RMVEXITPGM RMVJRNCHG RMVJWDFN RMVLANADP RMVMFS RMVNETJOBE RMVOPTCTG RMVOPTSVR RMVPEXDFN RMVPEXFTR RMVPTF RMVRMTPTF RMVRPYLE RMVTRCFTR RSTAUT RST3 RSTCFG RSTDFROBJ RSTDLO RSTLIB RSTLICPGM RSTOBJ
3

R S S

R R R R R S S S S S S S R R S S S

R R R R R

RSTPFRCOL RSTPFRDTA RSTS36F RSTS36FLR RSTS36LIBM RSTS38AUT RSTUSRPRF

R R R R R

Table 153. Authorities of IBM-supplied user profiles to restricted commands (continued) Command Name RTVDSKINF RTVPRD RTVPTF RTVSMGOBJ RUNLPDA RUNSMGCMD RUNSMGOBJ RVKPUBAUT SAVAPARDTA SAVLICPGM SAVPFRCOL SAVPFRDTA SAVRSTCHG SAVRSTLIB SAVRSTOBJ SBMFNCJOB SBMNWSCMD SETMSTK SETMSTKEY SNDDSTQ SNDPRD SNDPTF SNDPTFORD SNDSMGOBJ SNDSRVRQS STRASPBAL R R R R R R S R S S S S S S S S S S S S S S S S S S S S S S S S S R R R R R R R R R S S S S QSECOFR R S S S S S S S S S S S S S S S S S S S S S S S S QPGMR QSYSOPR QSRV QSRVBAS

STRASPSSN
STRBEST

STRCAD
STRCHTSVR STRCLUNOD STRCMNTRC STRCRG STRDBG STRDBGSVR STRDW STRHOSTSVR STRIDXMON STRIPSIFC STRJW

S R S R


Table 153. Authorities of IBM-supplied user profiles to restricted commands (continued) Command Name STRJOBTRC STRMGDSYS STRMGRSRV STRMSF
1

QSECOFR

QPGMR

QSYSOPR

QSRV

QSRVBAS

S S

S S S

S S S

S S S

STRNFSSVR

R R R S R R R R R S S S S S R R S S S R R R R R S S S S S S R R S S R R S S R S S S S S S S S S S S S S S S S S S S S S S S S S S S S S S S

STRNETINS STROBJCVN STRPEX STRPFRG STRPFRT STRPFRTRC STRRGZIDX STRSPLRCL STRSRVJOB STRSST STRSYSMGR STRS36MGR STRS38MGR STRTCP STRTCPIFC STRTCPSVR STRUPDIDX STRWCH TRCASPBAL TRCCPIC TRCICF TRCINT TRCJOB TRCTCPAPP TRNPIN UPDPTFINF VFYCMN VFYLNKLPDA VFYMSTK VFYPIN VFYPRT VFYTAP

WRKASPCPYD
WRKCNTINF


Table 153. Authorities of IBM-supplied user profiles to restricted commands (continued) Command Name WRKDEVTBL WRKDPCQ WRKDSTQ WRKFCNARA WRKJRN WRKLICINF WRKNWSCFG WRKPEXDFN WRKPEXFTR WRKPGMTBL WRKPRB WRKPTFGRP WRKPTFORD WRKSRVPVD WRKSYSACT WRKTRC WRKTXTIDX WRKUSRTBL WRKWCH
1 2 3

QSECOFR R

QPGMR

QSYSOPR

QSRV

QSRVBAS

S S R S R R S S R S S R

S S

S S

S S

S S S S

S S S S

R R R R R

1 The QMSF user profile is also authorized to this command.
2 QSRV can only run this command if an IPL is not being done.
3 In addition to QSYS, user profile QRDARS400 has authority.

Appendix D. Authority required for objects used by commands


The tables in this section show what authority is needed for objects referenced by commands. For example, in the entry for the Change User Profile (CHGUSRPRF) command the table lists all of the objects to which you need authority, such as the user's message queue, job description, and initial program. The tables are organized in alphabetical order according to object type. In addition, tables are included for items that are not i5/OS objects (jobs, spooled files, network attributes, and system values) and for some functions (device emulation and finance). Additional considerations (if any) for the commands are included as footnotes to the table. The following sections are descriptions of the columns in the tables.

Referenced object
The objects listed in the Referenced object column are objects to which the user needs authority when using the command.

Authority required for object


The authorities specified in the tables show the object authorities and the data authorities that are required for the object when using the command.

Authority required for library


This column shows what authority is needed for the library containing the object. For most operations, *EXECUTE authority is needed to locate the object in the library. Adding an object to a library requires *READ and *ADD authority.

Object type
The value refers to the type of the object specified in the Referenced object column.

File system
The value refers to the type of file system that the referenced object belongs to. For the integrated file system in the i5/OS operating system, refer to Integrated file system. The following table describes the authorities that are specified in the Authority needed column. The description includes examples of how the authority is used. In most cases, accessing an object requires a combination of object and data authorities.
Table 154. Description of authority types

Authority (name)
    Functions allowed

Object authorities:

*OBJOPR (Object Operational)
    Look at the description of an object. Use the object as determined by the user's data authorities.
*OBJMGT (Object Management)
    Specify the security for the object. Move or rename the object. All functions defined for *OBJALTER and *OBJREF.
*OBJEXIST (Object Existence)
    Delete the object. Free storage of the object. Perform save and restore operations for the object (1). Transfer ownership of the object.
*OBJALTER (Object Alter)
    Add, clear, initialize and reorganize members of the database files. Alter and add attributes of database files: add and remove triggers. Change the attributes of SQL packages. Move a library or folder to a different ASP.
*OBJREF (Object Reference)
    Specify a database file as the parent in a referential constraint. For example, assume that you want to define a rule that a customer record must exist in the CUSMAS file before an order for the customer can be added to the CUSORD file. You need *OBJREF authority to the CUSMAS file to define this rule.
*AUTLMGT (Authorization List Management)
    Add and remove users and their authorities from the authorization list.

Data authorities:

*READ (Read)
    Display the contents of the object, such as viewing records in a file.
*ADD (Add)
    Add entries to an object, such as adding messages to a message queue or adding records to a file.
*UPD (Update)
    Change the entries in an object, such as changing records in a file.
*DLT (Delete)
    Remove entries from an object, such as removing messages from a message queue or deleting records from a file.
*EXECUTE (Execute)
    Run a program, service program, or SQL package. Locate an object in a library or a directory.

1 If a user has save system (*SAVSYS) special authority, object existence authority is not required to perform save and restore operations on the object.

In addition to these values, the Authority needed columns of the table might show system-defined subsets of these authorities. The following table shows the subsets of object authorities and data authorities.
Table 155. System-defined authority

Authority          *ALL   *CHANGE   *USE   *EXCLUDE
Object authorities
*OBJOPR            X      X         X
*OBJMGT            X
*OBJEXIST          X
*OBJALTER          X
*OBJREF            X
Data authorities
*READ              X      X         X
*ADD               X      X
*UPD               X      X
*DLT               X      X
*EXECUTE           X      X         X

The following table shows additional authority subsets that are supported by the CHGAUT and WRKAUT commands.
Table 156. System-defined authority

Authority          *RWX   *RW   *RX   *R   *WX   *W   *X
Object authorities
*OBJOPR            X      X     X     X    X     X    X
*OBJMGT
*OBJEXIST
*OBJALTER
*OBJREF
Data authorities
*READ              X      X     X     X
*ADD               X      X               X     X
*UPD               X      X               X     X
*DLT               X      X               X     X
*EXECUTE           X            X          X          X

Command usage assumptions


There are some default assumptions you need to consider before using any command.

1. *USE authority is required to use any command. This authority is not specifically listed in the tables.
2. To enter any display command, you need operational authority to the IBM-supplied display file, printer output file, or panel group that is used by the command. These files and panel groups are shipped with public authority *USE.

General rules for object authorities on commands


This table shows the general rules for object authorities on commands.
Authority needed Command Referenced object For object The current values are displayed if the user has authority to those values. *X *R *X *WX For library *EXECUTE

Change (CHG) with F4 Current values (Prompt)7

Command accessing object in directory Creating object in directory

Directories in path prefix Directory when pattern is specified (* or ?) Directories in path prefix Directory to contain new object


Authority needed Command Referenced object For object *OBJOPR, *READ *OBJOPR For library *EXECUTE *EXECUTE *ADD, *EXECUTE *OBJOPR, *OBJMGT, *ADD, *DLT *OBJOPR, *ADD *OBJOPR, *OBJMGT, *ADD, *DLT *OBJOPR, *OBJMGT, *ADD, *UPD *OBJOPR, *ADD, *UPD *ADD, *EXECUTE *EXECUTE *EXECUTE *EXECUTE *EXECUTE *READ, *ADD *ADD

Copy (CPY) where Object to be copied to-file is a database file CRTPF command, if CRTFILE (*YES) is specified To-file, if CRTFILE (*YES) is specified1 To-file, if it exists and new member is added To-file, if file and member exist and *ADD option is specified To-file, if file and member exist and *REPLACE option is specified To-file, if it exists, a new member is added, and *UPDADD option is specified.8 To-file, if file and member exist and *UPDADD option is specified.8 Create (CRT) Object to be created2 User profile that will own created object (either the user profile running the job or the users group profile) Create (CRT) if REPLACE(*YES) is specified 6, 9 Object to be created (and replaced)2 User profile that will own created object (either the user profile running the job or the user's group profile)

*OBJMGT, *OBJEXIST, *READ, *ADD *READ5 *ADD

Display (DSP) or other Object to be displayed operation using output Output file, if file does not exist3 file (OUTPUT(*OUTFILE)) Output file, if file exists and new member is added and *REPLACE option specified and member did not previously exist

*USE

*EXECUTE *ADD, *EXECUTE

*OBJOPR, *OBJMGT or *OBJALTER, *ADD, *DLT

*ADD, *EXECUTE

Output file, if file exists and new member is OBJOPR, *OBJMGT *ADD, *EXECUTE added and *ADD option specified and or *OBJALTER, *ADD member did not previously exist Output file, if file and member exist and *ADD option is specified Output file, if file and member exist and *REPLACE option is specified Format file (QAxxxxx), if output file does not exist Display (DSP) using *PRINT or Work (WRK) using *PRINT Save (SAV) or other operation using device description Object to be displayed Output queue
4

*OBJOPR, *ADD *OBJOPR, *OBJMGT or *OBJALTER, *ADD, *DLT *OBJOPR *USE *READ *USE *USE *USE

*EXECUTE *EXECUTE

*EXECUTE *EXECUTE *EXECUTE *EXECUTE *EXECUTE

Printer file (QPxxxxx in QSYS) Device description Device file associated with device description, such as QSYSTAP for the TAP01 device description


Notes to the general rules table:

1 The user profile running the copy command becomes the owner of the to-file, unless the user is a member of a group profile and has OWNER(*GRPPRF). If the user's profile specifies OWNER(*GRPPRF), the group profile becomes the owner of the to-file. In that case, the user running the command must have *ADD authority to the group profile and the authority to add a member and write data to the new file. The to-file is given the same public authority, primary group authority, private authorities, and authorization list as the from-file.
2 The user profile running the create command becomes the owner of the newly created object, unless the user is a member of a group profile and has OWNER(*GRPPRF). If the user's profile specifies OWNER(*GRPPRF), the group profile becomes the owner of the newly created object. Public authority to the object is controlled by the AUT parameter.
3 The user profile that is running the display command becomes the owner of the newly created output file, unless the user is a member of a group profile and has OWNER(*GRPPRF). If the user's profile specifies OWNER(*GRPPRF), the group profile becomes the owner of the output file. Public authority to the output file is controlled by the CRTAUT parameter of the output file library.
4 If the output queue is defined as OPRCTL(*YES), a user with *JOBCTL special authority does not need any additional authority to the output queue. A user with *SPLCTL special authority does not need any additional authority to the output queue.
5 For device files, *OBJOPR authority is also required.
6 The REPLACE parameter is not available in the S/38 environment. REPLACE(*YES) is equivalent to using a function key from the programmer menu to delete the current object.
7 Authority to the corresponding (DSP) command is also required.
8 The *UPDADD option is only available on the MBROPT parameter of the CPYF command.
9 This does not apply to the REPLACE parameter on the CRTJVAPGM command.

Common commands for most objects


This table lists commands that can work on most objects in alphabetical order. Commands identified by (Q) are shipped with public authority *EXCLUDE. Appendix C, Commands shipped with public authority *EXCLUDE, on page 325 shows which IBM-supplied user profiles are authorized to the command. The security officer can grant *USE authority to others.
Table 157. Common commands for most objects

ALCOBJ
1,2,11 20

Referenced object Object


20 18

For object *OBJOPR

For library *EXECUTE

ANZOBJCVN (Q) ANZUSROBJ


3

CHGOBJAUD CHGOBJD

ASP Device (if specified) Object, if it is a file Object, if it is not a file

*USE *OBJOPR, *OBJMGT *OBJMGT *EXECUTE *EXECUTE

Appendix D. Authority required for objects used by commands

341

CHGOBJOWN
3,4

Referenced object Object

For object *OBJEXIST

For library *EXECUTE *EXECUTE *EXECUTE *EXECUTE *EXECUTE

Object (if file, library, subsystem description) *OBJOPR, *OBJEXIST Object (if *AUTL ) Old user profile New user profile ASP Device (if specified) CHGOBJPGP
3

Ownership or *ALLOBJ *DLT *ADD *USE *OBJEXIST

Object

*EXECUTE *EXECUTE *EXECUTE

Object (if file, library, subsystem description) *OBJOPR, *OBJEXIST Object (if *AUTL ) Ownership and *OBJEXIST, or *ALLOBJ *DLT *ADD *USE

Old user profile New user profile ASP Device (if specified) CHKOBJ CPROBJ CHKOBJITG (Q) CRTDUPOBJ
3,9,11,21 11 3

Object Object

Authority specified by *EXECUTE AUT parameter 14 *OBJMGT *EXECUTE

New object Object being copied, if it is an *AUTL Object being copied, all other types CRTSAVF command (if the object is a save file) ASP Device (if specified) *AUTLMGT *OBJMGT, *USE *OBJOPR *USE *USE *OBJOPR *OBJEXIST *USE *OBJOPR, *READ *OBJOPR, *READ *OBJMGT or *ALLOBJ special authority or ownership Refer to the general rules. *USE

*USE, *ADD *USE, *ADD *USE

DCPOBJ DLCOBJ
1,11 35

Object Object Object ASP Device (if specified)


3

*EXECUTE *EXECUTE *EXECUTE

DLTOBJ

DMPOBJ (Q)

Object Object Object (to see all authority information)

*EXECUTE *EXECUTE *EXECUTE

DMPSYSOBJ (Q) DSPOBJAUT


3

Output file ASP Device (if specified)

Refer to the general rules.

342

IBM i: Security Security reference

DSPOBJD
2, 28

Referenced object Output file Object ASP Device (if specified)

For object Refer to the general rules. Some authority other than *EXCLUDE *EXECUTE *OBJMGT *OBJOPR, *OBJMGT Not *EXCLUDE *USE *OBJMGT *OBJOPR, *OBJMGT Not *EXCLUDE *USE *EXECUTE *OBJMGT or Ownership *OBJMGT *ADD, *DLT, *EXECUTE *DLT, *EXECUTE

For library Refer to the general rules. *EXECUTE

EDTOBJAUT

3,5,6,15

Object Object (if file) *AUTL, if used to secure object ASP Device (if specified)

*EXECUTE *EXECUTE

GRTOBJAUT

3,5,6,15

Object Object (if file) *AUTL, if used to secure object ASP Device (if specified) Reference ASP Device (if specified) Reference object

*EXECUTE *EXECUTE

*EXECUTE

MOVOBJ

3,7,12

Object Object (if *FILE) Object (not *FILE), From-library To-library ASP Device (if specified)

*CHANGE *READ, *ADD *USE

PRTADPOBJ 26(Q) PRTPUBAUT PRTUSROBJ


26 26 26

PRTPVTAUT RCLDBXREF

RCLOBJOWN (Q) RCLSTG (Q) RCLTMPSTG (Q) RMVDFRID (Q) RNMOBJ


3,11 10

Object

*OBJMGT

*EXECUTE

Object Object, if *AUTL Object (if *FILE) ASP Device (if specified)

*OBJMGT *AUTLMGT *OBJOPR, *OBJMGT *USE

*UPD, *EXECUTE *EXECUTE *UPD, *EXECUTE


RSTDFROBJ (Q)
10

Referenced object QSYS/QPSRLDSP printer output, if OUTPUT(*PRINT) specified Output file, if specified QSYS/QASRRSTO field reference file for output file, if an output file is specified and does not exist

For object *USE Refer to the general rules *USE

For library *EXECUTE Refer to the general rules *EXECUTE

RSTOBJ (Q)3,13, 31, 33

Object, if it already exists in the library Object, if it is *CFGL, *CNNL, *CTLD, *DEVD, *LIND, or *NWID Media definition Message queues being restored to library where they already exist User profile owning objects being created Program that adopts authority

*OBJEXIST

*EXECUTE, *ADD *EXECUTE *EXECUTE *EXECUTE, *ADD

*CHANGE and *OBJMGT *USE *OBJOPR, *OBJEXIST


8

*ADD

Owner or *SECADM and *ALLOBJ special authority *EXECUTE, *ADD


8 8

*EXECUTE

To-library

Library for saved object if VOL(*SAVVOL) is *USE specified Save file RSTOBJ (Q) Tape unit or optical unit Tape (QSYSTAP) file or diskette (QSYSDKT) file Optical File (OPTFILE)22 Parent Directory of optical file (OPTFILE) Path prefix of OPTFILE Optical volume
24 22 22

*USE *USE *USE *R *X *X *USE *USE Refer to the general rules. *USE
8

*EXECUTE *EXECUTE *EXECUTE Not applicable Not applicable Not applicable Not applicable *EXECUTE Refer to the general rules. *EXECUTE

QSYS/QPSRLDSP printer output, if OUTPUT(*PRINT) specified Output file, if specified QSYS/QASRRSTO field reference file for output file, if an output file is specified and does not exist ASP device description25 RSTSYSINF Save file Tape unit or optical unit Optical File (OPTFILE)
22 22

*USE *USE *USE *R *X *X *USE *EXECUTE *EXECUTE Not applicable Not applicable Not applicable Not applicable

Parent Directory of optical file (OPTFILE) Path prefix of OPTFILE Optical volume RVKPUBAUT
20 24 22


RTVOBJD
2, 29

Referenced object Object ASP Device (if specified) Object (8) Tape unit or optical unit Save file, if empty Save file, if records exist in it Save active message queue Command user space, if specified
22 22

For object Some authority other than *EXCLUDE *USE *OBJEXIST *USE *USE, *ADD *OBJMGT, *USE, *ADD *OBJOPR, *ADD *USE *RW *WX *X *RWX *CHANGE Refer to the general rules. *USE
8 22 22, 23

For library *EXECUTE

RVKOBJAUT 3,5,15, 27 SAVCHGOBJ


3, 32

*EXECUTE *EXECUTE *EXECUTE *EXECUTE *EXECUTE *EXECUTE Not applicable Not applicable Not applicable Not applicable

SAVCHGOBJ

Optical File (OPTFILE)

Parent Directory of optical file (OPTFILE) Path prefix of optical file (OPTFILE)
24

Root Directory (/) of optical volume Optical volume

Output file, if specified QSYS/QASAVOBJ field reference file for output file, if an output file is specified and does not exist QSYS/QPSAVOBJ printer output ASP device description SAVOBJ
3, 32 25

Refer to the general rules. *EXECUTE

*USE *USE

*EXECUTE
8

Object Media definition Tape unit or optical unit Save file, if empty Save file, if records exist in it Save active message queue Command user space, if specified
22 22

*OBJEXIST *USE *USE

*EXECUTE *EXECUTE *EXECUTE *EXECUTE *EXECUTE *EXECUTE *EXECUTE Not applicable Not applicable Not applicable Not applicable

*USE, *ADD *OBJMGT, *USE, *ADD *OBJOPR, *ADD *USE *RW *WX *X
22, 23

SAVOBJ

Optical File (OPTFILE)

Parent Directory of optical file (OPTFILE) Path prefix of OPTFILE


24 22

Root directory (/) of optical volume Optical volume

*RWX *CHANGE Refer to the general rules. *USE


8

Output file, if specified QSYS/QASAVOBJ field reference file for output file, if an output file is specified and does not exist QSYS/QPSAVOBJ printer output ASP device description
25

Refer to the general rules. *EXECUTE

*USE *USE

*EXECUTE


SAVSTG SAVSYS
10 10

Referenced object

For object

For library

Tape unit, optical unit Root directory (/) of optical volume Optical volume
24 22

*USE *RWX *CHANGE *USE *USE *USE, *ADD *OBJMGT, *USE, *ADD *RW
22

*EXECUTE Not applicable Not applicable *EXECUTE *EXECUTE *EXECUTE *EXECUTE Not applicable Not applicable Not applicable Not applicable

SAVSYSINF

Media definition Tape unit or optical unit Save file, if empty Save file, if records exist in it Optical File (OPTFILE)
22

Parent Directory of optical file (OPTFILE) Path prefix of OPTFILE


24 22 22, 23

*WX *X *RWX *CHANGE

Root directory (/) of optical volume Optical volume SAVRSTCHG

On the source system, same authority as required by SAVCHGOBJ command. On the target system, same authority as required by RSTOBJ command. ASP device description25 *USE

SAVRSTOBJ

On the source system, same authority as required by SAVOBJ command. On the target system, same authority as required by RSTOBJ command. ASP device description25 *USE *OBJOPR *EXECUTE

SETOBJACC STROBJCVN (Q) STRSAVSYNC34 WRKOBJ


19 20

Object

Object Object ASP Device

Any authority

*USE *EXECUTE

WRKOBJLCK
17

*EXECUTE *READ *READ *READ *EXECUTE *EXECUTE *EXECUTE

WRKOBJOWN WRKOBJPGP WRKOBJPVT


1 17 17

User profile User profile User profile

Notes for Table 157:
1. See the OBJTYPE keyword of the ALCOBJ command for the list of object types that can be allocated and deallocated.
2. Some authority to the object (other than *EXCLUDE) is required.
3. This command cannot be used for documents or folders. Use the equivalent Document Library Object (DLO) command.
4. You must have *ALLOBJ and *SECADM special authority to change the object owner of a program, service program, or SQL package that adopts authority.
5. You must be the owner or have *OBJMGT authority and the authorities being granted or revoked.
6. You must be the owner or have *ALLOBJ special authority to grant *OBJMGT or *AUTLMGT authority.
7. This command cannot be used for user profiles, controller descriptions, device descriptions, line descriptions, documents, document libraries, and folders.
8. If you have *SAVSYS special authority, you do not need the authority specified.
9. If the user running the CRTDUPOBJ command has OWNER(*GRPPRF) in his user profile, the owner of the new object is the group profile. To successfully copy authorities to a new object owned by the group profile, the following applies:
   v The user running the command must have authority to the from-object. Authorities can be obtained from adopted authority or through the group profile.
   v If an error occurs while copying authorities to the new object, the newly created object is deleted.
10. You must have *SAVSYS special authority.
11. This command cannot be used for journals and journal receivers.
12. This command cannot be used for journals and journal receivers, unless the from-library is QRCL and the to-library is the original library for the journal or journal receiver.
13. You must have *ALLOBJ special authority to specify a value other than *NONE for the Allow object differences (ALWOBJDIF) parameter.
14. To check a user's authority to an object, you must have the authority you are checking. For example, to check whether a user has *OBJEXIST authority for FILEB, you must have *OBJEXIST authority to FILEB.
15. To secure an object with an authorization list or remove the authorization list from the object, you must do one of the following actions:
   v Own the object.
   v Have *ALL authority to the object.
   v Have *ALLOBJ special authority.
16. If either the original file or the renamed file has an associated authority holder, *ALL authority to the authority holder is required.
17. This command does not support the QOPT file system.
18. You must have *AUDIT special authority.
19. To use an individual operation, you must have the authority required by the individual operation.
20. You must have *ALLOBJ special authority.
21. All authorities on the from-object are duplicated to the new object. The primary group of the new object is determined by the group authority type (GRPAUTTYP) field in the user profile that is running the command. If the from-object has a primary group, the new object might not have the same primary group, but the authority that the primary group has on the from-object will be duplicated to the new object.
22. This authority check is only made when the optical media format is Universal Disk Format.
23. This authority check is only made if you are clearing the optical volume.
24. Optical volumes are not actual system objects. The link between the optical volume and the authorization list used to secure the volume is maintained by the optical support function.
25. Authority is required only if the save or restore operation requires a library namespace switch.
26. You must have *ALLOBJ or *AUDIT special authority to use this command.
27. *** Security Risk *** Revoking all authorities specifically given to a user for an object can result in the user having more authority than before the revoke operation. If a user has *USE authority for an object and *CHANGE authority on the authorization list that secures the object, revoking *USE authority results in the user having *CHANGE authority to the object.
28. You must have either *ALLOBJ or *AUDIT special authority to have the current object auditing value displayed. Otherwise, the value *NOTAVL is displayed to indicate that the value is not available for display.
29. You must have either *ALLOBJ or *AUDIT special authority to retrieve the current object auditing value. Otherwise, the value *NOTAVL is returned to indicate that the value is not available for retrieval.
30. See the CHGPGM, CHGSRVPGM, and CHGMOD commands to determine the authority needed to convert programs, service programs, and modules.
31. You must have *ALLOBJ special authority to specify *YES for the PVTAUT parameter.
32. You must have either *ALLOBJ or *SAVSYS special authority to specify *YES for the PVTAUT parameter.
33. You must have *SAVSYS special authority to specify a name for the DFRID parameter.
34. You must have *SAVSYS and *JOBCTL special authority.
35. Some supported object types may require additional object and library authorities. Refer to the Delete Object (QLIDLTO) API documentation for more information.
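The footnote 27 risk, shown as an added illustration that is not part of the Security reference: a simplified Python model (an assumption made for this example, not IBM's authority-checking code) in which a private authority, when one exists, is the authority used for that user and the authorization list entry is consulted only when no private authority exists.

```python
# Added illustration of the footnote 27 risk; simplified model written for this
# page, not IBM i code.  Assumption: a user's private authority to an object,
# when one exists, is the authority used for that user; the authorization list
# (AUTL) entry is consulted only when no private authority exists; object
# *PUBLIC authority "*AUTL" means "use the authorization list's *PUBLIC entry".
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

# Ordered authority classes used by the model (*CHANGE includes all of *USE).
RANK = {"*EXCLUDE": 0, "*USE": 1, "*CHANGE": 2, "*ALL": 3}


@dataclass
class SecuredObject:
    """An object with private authorities, an optional AUTL, and a *PUBLIC value."""
    private: Dict[str, str] = field(default_factory=dict)  # user profile -> authority
    autl: Optional[Dict[str, str]] = None                  # AUTL entries: user -> authority
    public: str = "*EXCLUDE"                               # object *PUBLIC, or "*AUTL"


def effective_authority(obj: SecuredObject, user: str) -> str:
    """Authority the model grants USER to OBJ, resolved in the order stated above."""
    if user in obj.private:            # private authority found: used as-is, even
        return obj.private[user]       # when it is lower than the user's AUTL entry
    if obj.autl is not None and user in obj.autl:
        return obj.autl[user]          # no private authority: the AUTL entry applies
    if obj.public == "*AUTL":          # object defers its *PUBLIC to the AUTL
        return obj.autl.get("*PUBLIC", "*EXCLUDE") if obj.autl else "*EXCLUDE"
    return obj.public


def is_authorized(obj: SecuredObject, user: str, required: str) -> bool:
    """True when the user's effective authority class is at least REQUIRED."""
    return RANK[effective_authority(obj, user)] >= RANK[required]


def revoke_all_private(obj: SecuredObject, user: str) -> None:
    """Model of RVKOBJAUT ... USER(user) AUT(*ALL): removes only the private entry."""
    obj.private.pop(user, None)


def footnote_27_scenario() -> Tuple[str, str]:
    """Constructed scenario from footnote 27: ALICE holds private *USE on the object
    and *CHANGE on the authorization list that secures it.  Returns ALICE's
    effective authority before and after her private authority is revoked."""
    obj = SecuredObject(
        private={"ALICE": "*USE"},
        autl={"ALICE": "*CHANGE", "*PUBLIC": "*EXCLUDE"},
        public="*AUTL",
    )
    before = effective_authority(obj, "ALICE")   # *USE
    revoke_all_private(obj, "ALICE")
    after = effective_authority(obj, "ALICE")    # *CHANGE: more than before the revoke
    return before, after


if __name__ == "__main__":
    b, a = footnote_27_scenario()
    print(f"ALICE before revoke: {b}; after revoke: {a}")
```

Before revoking a private authority, review the user's entry on the authorization list named by DSPOBJAUT for the object together with the private authority, because removing the private entry exposes the list entry.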

Access path recovery commands


This table lists the specific authorities required for the access path recovery commands. Commands identified by (Q) are shipped with public authority *EXCLUDE. Appendix C, Commands shipped with public authority *EXCLUDE, on page 325 shows which IBM-supplied user profiles are authorized to the command. The security officer can grant *USE authority to others. These commands do not require object authorities.
Authority needed Command CHGRCYAP (Q) DSPRCYAP
1 2 1

Referenced object ASP Device (if specified) ASP Device (if specified)

For object *USE *USE

For library

EDTRBDAP (Q) EDTRCYAP 1 (Q)


1 2

ASP Device (if specified)

*USE

You must have *JOBCTL special authority to use this command. You must have *ALLOBJ special authority to use this command.


Advanced Function Presentation (AFP) commands


This table lists the specific authorities required for the Advanced Function Presentation (AFP) commands.
Authority needed Command ADDFNTTBLE CHGCDEFNT CHGFNTTBLE CRTFNTRSC Referenced object DBCS font table Font resource DBCS font table Source file Font resource: REPLACE(*NO) Font resource: REPLACE(*YES) CRTFNTTBL CRTFORMDF DBCS font table Source file Form definition: REPLACE(*NO) Form definition: REPLACE(*YES) CRTOVL Source file Overlay: REPLACE(*NO) Overlay: REPLACE(*YES) CRTPAGDFN Source file Page definition: REPLACE(*NO) Page definition: REPLACE(*YES) CRTPAGSEG Source file Page segment: REPLACE(*NO) Page segment: REPLACE(*YES) DLTFNTRSC DLTFNTTBL DLTFORMDF DLTOVL DLTPAGDFN DLTPAGSEG DSPCDEFNT DSPFNTRSCA DSPFNTTBL RMVFNTTBLE WRKFNTRSC WRKOVL 1 WRKPAGDFN
1 1 1

For object *CHANGE *CHANGE *CHANGE *USE

For library *EXECUTE *EXECUTE *EXECUTE *EXECUTE *READ, *ADD

Refer to the general rules.

*READ, *ADD *READ, *ADD

*USE

*EXECUTE *READ, *ADD

Refer to the general rules. *USE

*READ, *ADD *EXECUTE *READ, *ADD

Refer to the general rules. *USE

*READ, *ADD *EXECUTE *READ, *ADD

Refer to the general rules. *USE

*READ, *ADD *EXECUTE *READ, *ADD

Refer to the general rules. *OBJEXIST *CHANGE *OBJEXIST *OBJEXIST *OBJEXIST *OBJEXIST *USE *USE *USE *CHANGE *USE *USE *USE Any authority

*READ, *ADD *EXECUTE *EXECUTE *EXECUTE *EXECUTE *EXECUTE *EXECUTE *EXECUTE *EXECUTE *EXECUTE *EXECUTE *USE *USE *USE *USE

Font resource DBCS font table Form definition Overlay Page definition Page segment Font resource Font resource DBCS font table DBCS font table Font resource Form definition Overlay Page definition

WRKFORMDF


Authority needed Command WRKPAGSEG


1 1

Referenced object Page segment

For object *USE

For library Any authority

To use individual operations, you must have the authority required by the individual operation.

AF_INET sockets over SNA commands


This table lists the specific authorities required for the AF_INET sockets over SNA commands. Commands identified by (Q) are shipped with public authority *EXCLUDE. Appendix C, Commands shipped with public authority *EXCLUDE, on page 325 shows which IBM-supplied user profiles are authorized to the command. The security officer can grant *USE authority to others. These commands do not require any authority to objects:
ADDIPSIFC (1), ADDIPSRTE (1), ADDIPSLOC (1), CFGIPS, CHGIPSIFC (1), CHGIPSLOC (1), CHGIPSTOS (1), CVTIPSIFC, CVTIPSLOC, ENDIPSIFC (Q), PRTIPSCFG, RMVIPSIFC (1), RMVIPSLOC (1), RMVIPSRTE (1), STRIPSIFC (Q)

1. You must have *IOSYSCFG special authority to use this command.

Alerts commands
This table lists the specific authorities required for the alerts commands.
Command           Referenced object        Authority needed for object   Authority needed for library
ADDALRD           Alert table              *USE, *ADD                    *EXECUTE
CHGALRD           Alert table              *USE, *UPD                    *EXECUTE
CHGALRTBL (Q)     Alert table              *CHANGE                       *EXECUTE
CRTALRTBL (Q)     Alert table                                            *READ, *ADD
DLTALR            Physical file QAALERT    *USE, *DLT                    *EXECUTE
DLTALRTBL (Q)     Alert table              *OBJEXIST                     *EXECUTE
RMVALRD           Alert table              *USE, *DLT                    *EXECUTE
WRKALR (1)        Physical file QAALERT    *USE                          *EXECUTE
WRKALRD (1)       Alert table              *USE                          *EXECUTE
WRKALRTBL (1)     Alert table              *READ                         *USE

1. To use individual operations, you must have the authority required by the individual operation.


Application development commands


This table lists the specific authorities required for the application development commands.
Authority needed Command FNDSTRPDM MRGFORMD STRAPF
1

Referenced object Source part Form description Source file Commands CRTPF, CRTLF, ADDPFM, ADDLFM, and RMVM

For object *READ *READ

For library *EXECUTE *EXECUTE

*OBJMGT, *CHANGE *READ, *ADD *USE *EXECUTE

STRBGU STRDFU

1 1

Chart Program (if create program option) Program (if change or delete program option) Program (if change or display data option) Database file (if change data option) Database file (if display data option) Display file (if display or change data option) Display file (if change program option) Display file (if delete program option)

*OBJMGT, *CHANGE *EXECUTE *READ, *ADD *OBJEXIST *USE *OBJOPR, *ADD, *UPD, *DLT *USE *USE *USE *OBJEXIST *EXECUTE *EXECUTE *EXECUTE *EXECUTE *EXECUTE *EXECUTE *EXECUTE

STRPDM STRRLU

Source file Edit, add, or change a member Browse a member Print a prototype report Remove a member Change type or text of member

*READ, *ADD, *UPD, *EXECUTE *DLT *OBJOPR, *OBJMGT *OBJOPR *OBJOPR *OBJOPR, *OBJEXIST *OBJOPR *READ, *ADD *EXECUTE *EXECUTE *EXECUTE *EXECUTE

STRSDA

Source file Update and add new member Delete member


1

*READ, *ADD, *UPD, *EXECUTE *DLT *CHANGE, *OBJMGT *READ, *ADD *ALL *USE *EXECUTE *EXECUTE

STRSEU

Source file Edit or change a member Add a member Browse a member Print a member Remove a member Change type or text of a member
1, 4 1

*CHANGE, *OBJMGT *EXECUTE *USE, *OBJMGT *USE *USE *USE, *OBJEXIST *USE, *OBJMGT *READ, *ADD *EXECUTE *EXECUTE *EXECUTE *EXECUTE

WRKLIBPDM

WRKMBRPDM WRKOBJPDM
1

Source file File

*USE *READ or Ownership

*EXECUTE *EXECUTE


Authority needed Command


1 2 3 4

Referenced object

For object

For library

To use the individual operations, you must have the authority required by the individual operation. A group corresponds to a library. A project consists of one or more groups (libraries). This command requires *ALLOBJ special authority.

Authority holder commands


This table lists the specific authorities required for the authority holder commands.
Command          Referenced object                Authority needed for object   Authority needed for library
CRTAUTHLR (Q)    Associated object if it exists   *ALL                          *EXECUTE
DLTAUTHLR        Authority holder                 *ALL                          *EXECUTE
DSPAUTHLR        Output file                      Refer to the general rules.   Refer to the general rules.

Authorization list commands


This table lists the specific authorities required for the authorization list commands.
Authority needed Command ADDAUTLE CHGAUTLE CRTAUTL DLTAUTL DSPAUTL *AUTL *AUTL Output file DSPAUTLDLO DSPAUTLOBJ *AUTL *AUTL Output file EDTAUTL 1 RMVAUTLE RTVAUTLE
2 1 1

Referenced object *AUTL *AUTL

For object *AUTLMGT or ownership *AUTLMGT or ownership

For QSYS library *EXECUTE *EXECUTE

Owner or *ALLOBJ

*EXECUTE *EXECUTE

Refer to the general rules. *USE *READ Refer to the general rules. *AUTLMGT or ownership *AUTLMGT or ownership *AUTLMGT or ownership

Refer to the general rules. *EXECUTE *EXECUTE Refer to the general rules. *EXECUTE *EXECUTE *EXECUTE

*AUTL *AUTL *AUTL *AUTL

WRKAUTL 3,4,5


Authority needed Command


1 2

Referenced object

For object

For QSYS library

You must be the owner or have authorization list management authority. If you do not have *OBJMGT or *AUTLMGT, you can retrieve *PUBLIC authority and your own authority. You must have *READ authority to your own profile to retrieve your own authority. To use an individual operation, you must have the authority required by the operation. You must not be excluded (*EXCLUDE) from the authorization list. Some authority to the authorization list is required.

3 4 5

Binding directory commands


This table lists the specific authorities required for the binding directory commands.
Command          Referenced object    Authority needed for object   Authority needed for library
ADDBNDDIRE       Binding directory    *OBJOPR, *ADD                 *USE
CRTBNDDIR        Binding directory                                  *READ, *ADD
DLTBNDDIR        Binding directory    *OBJEXIST                     *EXECUTE
DSPBNDDIR        Binding directory    *READ, *OBJOPR                *USE
RMVBNDDIRE       Binding directory    *OBJOPR, *DLT                 *READ, *OBJOPR
WRKBNDDIR (1)    Binding directory    Any authority                 *USE
WRKBNDDIRE (1)   Binding directory    *READ, *OBJOPR                *USE

1. To use individual operations, you must have the authority required by the operation.

Change request description commands


This table lists the specific authorities required for the change request description commands.
Command            Referenced object            Authority needed for object   Authority needed for library
ADDCMDCRQA (Q)     Change request description   *CHANGE                       *EXECUTE
ADDOBJCRQA (Q)     Change request description   *CHANGE                       *EXECUTE
ADDPRDCRQA (Q)     Change request description   *CHANGE                       *EXECUTE
ADDPTFCRQA (Q)     Change request description   *CHANGE                       *EXECUTE
ADDRSCCRQA (Q)     Change request description   *CHANGE                       *EXECUTE
CHGCMDCRQA (Q)     Change request description   *CHANGE                       *EXECUTE
CHGOBJCRQA (Q)     Change request description   *CHANGE                       *EXECUTE
CHGPRDCRQA (Q)     Change request description   *CHANGE                       *EXECUTE
CHGPTFCRQA (Q)     Change request description   *CHANGE                       *EXECUTE
CHGCRQD            Change request description   *CHANGE                       *EXECUTE
CHGRSCCRQA (Q)     Change request description   *CHANGE                       *EXECUTE
CRTCRQD            Change request description                                 *READ, *ADD
DLTCRQD            Change request description   *OBJEXIST                     *EXECUTE


RMVCRQDA           Change request description   *CHANGE                       *EXECUTE
WRKCRQD (1)        Change request description                                 *EXECUTE

1. To use an individual operation, you must have the authority required by the operation.

Chart commands
This table lists the specific authorities required for the chart commands.
Command                 Referenced object   Authority needed for object   Authority needed for library
DLTCHTFMT               Chart format        *OBJEXIST                     *EXECUTE
DSPCHT                  Chart format        *USE                          *USE
                        Database file       *USE                          *USE
DSPGDF                  Database file       *USE                          *USE
STRBGU (Option 3) (2)   Chart format        *CHANGE, *OBJEXIST            *EXECUTE
WRKCHTFMT (1)           Chart format        Any authority                 *USE

1. To use an individual operation, you must have the authority required by the operation.
2. Option 3 on the BGU menu (shown when STRBGU is run) is the Change chart format option.

Class commands
This table lists the specific authorities required for the class commands.
Command      Referenced object   Authority needed for object   Authority needed for library
CHGCLS       Class               *OBJMGT, *OBJOPR              *EXECUTE
CRTCLS       Class                                             *READ, *ADD
DLTCLS       Class               *OBJEXIST                     *EXECUTE
DSPCLS       Class               *USE                          *EXECUTE
WRKCLS (1)   Class               *OBJOPR                       *USE

1. To use an individual operation, you must have the authority required by the operation.

Class-of-service commands
This table lists the specific authorities required for the class-of-service commands.
Authority needed Command CHGCOSD CRTCOSD DLTCOSD
3 3

Referenced object Class-of-service description Class-of-service description Class-of-service description

For object *CHANGE, *OBJMGT

For library *EXECUTE

*OBJEXIST

*EXECUTE


Authority needed Command DSPCOSD WRKCOSD


1 2 3 1,2

Referenced object Class-of-service description Class-of-service description

For object *USE *OBJOPR

For library *EXECUTE *EXECUTE

To use individual operations, you must have the authority required by the individual operation. Some authority to the object is required. To use this command, you must have *IOSYSCFG special authority.

Cluster commands
This table lists the specific authorities required for the cluster commands. Commands identified by (Q) are shipped with public authority *EXCLUDE. Appendix C, Commands shipped with public authority *EXCLUDE, on page 325 shows which IBM-supplied user profiles are authorized to the command. The security officer can grant *USE to others.
Authority needed Command Referenced object QMRAP1 service program
1

For object *USE *USE *CHANGE *USE *USE *USE *CHANGE *EXECUTE2 *USE *USE, *OBJMGT *USE, *OBJMGT *USE, *OBJMGT *USE, *OBJMGT *USE *CHANGE *EXECUTE2 *USE *OBJOPR, *ADD *OBJOPR, *ADD *USE *USE *USE *USE

For library

ADDCADMRE (Q)1 ADDCADNODE (Q)

QCSTCRG1 service program Cluster resource group

*EXECUTE (QUSRSYS)

ADDCLUMON (Q)1
ADDCLUNODE (Q) ADDCRGDEVE (Q)
1 1

QCSTCTL2 service program QCSTCTL service program QCSTCRG1 service program Cluster resource group Exit program User profile to run exit program Device description Controller description Line description Network server description
1

*EXECUTE (QUSRSYS) *EXECUTE2

ADDCRGNODE (Q)

QCSTCRG1 service program Cluster resource group Exit program User profile to run exit program Failover message queue Distribute information user queue

*EXECUTE (QUSRSYS) *EXECUTE2

*EXECUTE *EXECUTE

ADDDEVDMNE (Q)1

QCSTDD service program QCSTCRG1 service program QCSTCTL service program QCSTCTL2 service program

CHGCAD (Q)1 CHGCLU (Q)1 CHGCLUMON (Q)1


Authority needed Command CHGCLUNODE (Q) CHGCLURCY


1

Referenced object QCSTCTL service program Cluster resource group

For object *USE *USE *JOBCTL *SERVICE or Service Trace function

For library

CHGCLUVER (Q)1 CHGCRG (Q)


1

QCSTCTL2 service program QCSTCRG1 service program Cluster resource group Exit program User profile to run exit program Device description Failover message queue Controller description Line description Network server description
1

*USE *USE *CHANGE *EXECUTE2 *USE *USE, *OBJMGT *OBJOPR, *ADD *USE, *OBJMGT *USE, *OBJMGT *USE, *OBJMGT *USE *CHANGE *EXECUTE2 *USE *USE, *OBJMGT *USE, *OBJMGT *USE, *OBJMGT *USE, *OBJMGT *USE *CHANGE *EXECUTE2 *USE *USE, *OBJMGT *USE *USE, *OBJMGT *USE, *OBJMGT *USE, *OBJMGT *USE *OBJOPR, *ADD, *READ (QUSRSYS) *USE *EXECUTE (QUSRSYS) *EXECUTE2 *EXECUTE (QUSRSYS) *EXECUTE2 *EXECUTE *EXECUTE (QUSRSYS) *EXECUTE2

CHGCRGDEVE (Q)

QCSTCRG1 service program Cluster resource group Exit program User profile to run exit program Device description Controller description Line description Network server description

CHGCRGPRI (Q)

QCSTCRG2 service program Cluster resource group Exit program User profile to run exit program Device description Vary configuration (VFYCFG) command Controller description Line description Network server description

CRTCAD (Q)

QCSTCRG1 service program Cluster resource group

CRTCLU (Q)1

QCSTCTL service program


Authority needed Command CRTCRG (Q)


1

Referenced object QCSTCRG1 service program Cluster resource group library Exit program User profile to run exit program Device description Distribute information user queue Failover message queue Controller description Line description Network server description

For object *USE

For library

*OBJOPR, *ADD, *READ (QUSRSYS) *EXECUTE2 *USE *USE, *OBJMGT *OBJOPR, *ADD *OBJOPR, *ADD *USE, *OBJMGT *USE, *OBJMGT *USE, *OBJMGT *USE *OBJEXIST, *USE *USE *OBJEXIST, *USE *USE *OBJEXIST, *USE *EXECUTE2 *USE *USE *SERVICE or Service Trace function *EXECUTE (QUSRSYS) *EXECUTE2 *EXECUTE (QUSRSYS) *EXECUTE (QUSRSYS) *EXECUTE *EXECUTE *EXECUTE2

DLTCAD (Q)

QCSTCRG1 service program Cluster resource group

DLTCLU (Q)1 DLTCRG


1

QCSTCTL service program Cluster resource group QCSTCRG1 service program Cluster resource group Exit program User profile to run exit program

DLTCRGCLU (Q)1

DMPCLUTRC

Cluster resource group

DSPCLUINF DSPCRGINF Cluster resource group QCSTCRG2 service program Cluster resource group ENDCLUNOD (Q)1 ENDCHTSVR (Q) ENDCRG (Q)
1

*USE *USE *CHANGE *USE *CHANGE *USE *CHANGE *EXECUTE2 *USE *USE *USE *USE

*EXECUTE (QUSRSYS)

ENDCAD (Q)

*EXECUTE (QUSRSYS)

QCSTCTL service program Authorization list QCSTCRG2 service program Cluster resource group Exit program User profile to run exit program

*EXECUTE (QUSRSYS) *EXECUTE2

PRTCADMRE (Q)

QCSTCRG3 service program QFPADAP1 Cluster Resource Group

*EXECUTE (QUSRSYS)


Authority needed Command Referenced object


1 1

For object *USE *USE *CHANGE *USE *USE *USE *CHANGE *EXECUTE *USE *USE, *OBJMGT *USE, *OBJMGT *USE, *OBJMGT *USE, *OBJMGT *USE *CHANGE, *OBJEXIST *EXECUTE2 *USE *USE, *OBJMGT *USE, *OBJMGT *USE, *OBJMGT *USE, *OBJMGT *USE *USE *USE *USE *USE *USE *USE *CHANGE *CHANGE *USE
2

For library

RMVCADMRE (Q)

QMRAP1 service program QCSTCRG1 service program Cluster resource group

RMVCADNODE (Q)

*EXECUTE (QUSRSYS)

RMVCLUMON (Q)1 RMVCLUNODE (Q) RMVCRGDEVE (Q)


1 1

QCSTCTL2 service program QCSTCTL service program QCSTCRG1 service program Cluster resource group Exit program User profile to run exit program Device description Controller description Line description Network server description
1

*EXECUTE *EXECUTE2

RMVCRGNODE (Q)

QCSTCRG1 service program Cluster resource group Exit program User profile to run exit program Device description Controller description Line description Network server description

*EXECUTE *EXECUTE2

RMVDEVDMNE (Q)

QCSTDD service program QHASM/QHAAPI service program QCSTCTL1 service program

RTVCLU RTVCRG

QCSTCTL1 service program QCSTCRG3 service program Cluster resource group

*EXECUTE (QUSRSYS)

STRCAD (Q)1

QCSTCRG2 service program Cluster resource group

*EXECUTE (QUSRSYS)

STRCHTSVR STRCLUNOD (Q)


1

Authorization list QCSTCTL service program


Command | Referenced object | Authority needed for object | Authority needed for library
STRCRG (Q) [1] | QCSTCRG2 service program | *USE |
 | Cluster resource group | *CHANGE | *EXECUTE
 | Exit program | *EXECUTE | *EXECUTE [2]
 | User profile to run exit program | *USE |
 | Device description | *USE, *OBJMGT |
 | Controller description | *USE, *OBJMGT |
 | Line description | *USE, *OBJMGT |
 | Network server description | *USE, *OBJMGT |
WRKCLU | Cluster resource group | *USE | *EXECUTE

[1] You must have *IOSYSCFG special authority to use this command.
[2] The authority applies to the calling user profile and to the user profile that runs the exit program.
[3] The calling user profile is granted *CHANGE and *OBJEXIST authority to the cluster resource group.
[4] You must have *SERVICE special authority or be authorized to the i5/OS Service Trace Function through Application Administration in System i Navigator. The Change Function Usage (CHGFCNUSG) command, with a function ID of QIBM_SERVICE_TRACE, can also be used to change the list of users that are allowed to perform trace operations.

Command (*CMD) commands


This table lists the specific authorities required for the commands that operate on command (*CMD) objects.

Command | Referenced object | Authority needed for object | Authority needed for library
CHGCMD | Command | *OBJMGT | *EXECUTE
CHGCMDDFT | Command | *OBJMGT, *USE | *EXECUTE
CHGPRXCMD | Proxy command | *OBJMGT | *EXECUTE
CRTCMD | Source file | *USE | *EXECUTE
 | Command: REPLACE(*NO) | | *READ, *ADD
 | Command: REPLACE(*YES) | Refer to the general rules. | Refer to the general rules.
CRTPRXCMD | Proxy command: REPLACE(*NO) | | *READ, *ADD
 | Proxy command: REPLACE(*YES) | Refer to the general rules. | Refer to the general rules.
DLTCMD | Command | *OBJEXIST | *EXECUTE
DSPCMD | Command | *USE | *EXECUTE
GENCMDDOC [3] | Command | *USE | *EXECUTE
 | Panel group (associated) | *USE | *EXECUTE
 | Output file: REPLACE(*YES) | *ALL | *CHANGE
SBMRMTCMD | Command [1] | *OBJOPR | *EXECUTE
 | DDM file | *USE | *EXECUTE
SLTCMD | Command | Any authority | *USE
WRKCMD [2] | Command | Any authority | *USE


[1] Ownership or some authority to the object is required.
[2] To use individual operations, you must have the authority required by the individual operation.
[3] You must have execute (*X) authority to the directories in the path for the generated file, and write and execute (*WX) authorities to the parent directory of the generated file.

Commitment control commands


This table lists the specific authorities required for the commitment control commands.

Command | Referenced object | Authority needed for object | Authority needed for library
COMMIT | | |
ENDCMTCTL | Message queue, as specified on NFYOBJ keyword for the associated STRCMTCTL command | *OBJOPR, *ADD | *EXECUTE
ROLLBACK | | |
STRCMTCTL | Message queue, when specified on NFYOBJ keyword | *OBJOPR, *ADD | *EXECUTE
 | Data area, as specified on NFYOBJ keyword for the associated STRCMTCTL command | *CHANGE | *EXECUTE
 | Files, as specified on NFYOBJ keyword for the associated STRCMTCTL command | *OBJOPR, *READ | *EXECUTE
WRKCMTDFN [1] | | |

[1] Any user can run this command for commitment definitions that belong to a job that is running under the user profile of the user. A user who has job control (*JOBCTL) special authority can run this command for any commitment definition.

Communications side information commands


This table lists the specific authorities required for the communications side information commands.

Command | Referenced object | Authority needed for object | Authority needed for library
CHGCSI | Communications side information object | *USE, *OBJMGT | *EXECUTE
 | Device description [1] | *CHANGE |
CRTCSI | Communications side information object | | *READ, *ADD
 | Device description [1] | *CHANGE |
DLTCSI | Communications side information object | *OBJEXIST | *EXECUTE
DSPCSI | Communications side information object | *READ | *EXECUTE
WRKCSI | Communications side information objects | *USE | *EXECUTE

[1] Authority is verified when the communications side information object is used.


Configuration commands
This table lists the specific authorities required for the configuration commands. Commands identified by (Q) are shipped with public authority *EXCLUDE. Appendix C, Commands shipped with public authority *EXCLUDE, on page 325 shows which IBM-supplied user profiles are authorized to the command. The security officer can grant *USE authority to others.
Command | Referenced object | Authority needed for object | Authority needed for library
PRTDEVADR | Controller description (CTL) | *USE | *EXECUTE
 | Device description | *USE | *EXECUTE
RSTCFG (Q) [5] | Every object being restored over by a saved version [1] | *OBJEXIST | *EXECUTE
 | To-library | | *ADD, *EXECUTE
 | User profile owning objects being created | *ADD | *EXECUTE
 | Tape unit | *USE | *EXECUTE
 | Tape file (QSYSTAP) | *USE | *EXECUTE
 | Save file, if specified | *USE | *EXECUTE
 | Printer output (QPSRLDSP), if OUTPUT(*PRINT) is specified | *USE |
 | Output file, if specified | Refer to the general rules. | Refer to the general rules.
 | QSYS/QASRRSTO field reference file, if output file is specified and it does not exist | *USE | *EXECUTE
RTVCFGSTS | Object | *OBJOPR | *EXECUTE
RTVCFGSRC | Object | *USE | *EXECUTE
 | Source file | *OBJOPR, *OBJMGT, *ADD, *DLT | *EXECUTE
SAVCFG [2] | Save file, if empty | *USE, *ADD | *EXECUTE
 | Save file, if records exist in it | *USE, *ADD, *OBJMGT | *EXECUTE
SAVRSTCFG | On the source system, same authority as required by the SAVCFG command. On the target system, same authority as required by the RSTCFG command. | |
VRYCFG [3, 5, 6, 7] | Object | *USE, *OBJMGT | *EXECUTE
WRKCFGSTS [4] | Object | *OBJOPR | *EXECUTE

[1] If you have *SAVSYS special authority, you do not need the authority specified.
[2] You must have *SAVSYS special authority.
[3] If a user has *JOBCTL special authority, authority to the object is not needed.
[4] To use the individual operations, you must have the authority required by the individual operation.
[5] You must have *ALLOBJ special authority to specify a value other than *NONE for the Allow object differences (ALWOBJDIF) parameter, or RESETSYS(*YES).
[6] You must have *IOSYSCFG special authority when the object is a media library and the status is *ALLOCATE or *DEALLOCATE.
[7] You must have *IOSYSCFG and *SECADM special authorities to specify GENPTHCERT(*YES).

Configuration list commands


This table lists the specific authorities required for the configuration list commands.

Command | Referenced object | Authority needed for object | Authority needed for library
ADDCFGLE [2] | Configuration list | *CHANGE, *OBJMGT | *EXECUTE
CHGCFGL [2] | Configuration list | *CHANGE, *OBJMGT | *EXECUTE
CHGCFGLE [2] | Configuration list | *CHANGE, *OBJMGT | *EXECUTE
CPYCFGL [2] | Configuration list | *USE, *OBJMGT | *ADD
CRTCFGL [2] | Configuration list | |
DLTCFGL [2] | Configuration list | *OBJEXIST | *EXECUTE
DSPCFGL | Configuration list | *USE, *OBJMGT | *EXECUTE
RMVCFGLE [2] | Configuration list | *CHANGE, *OBJMGT | *EXECUTE
WRKCFGL [1, 2] | Configuration list | *OBJOPR | *EXECUTE

[1] To use the individual operations, you must have the authority required by the individual operation.
[2] To use this command, you must have *IOSYSCFG special authority.

Connection list commands


This table lists the specific authorities required for the connection list commands.

Command | Referenced object | Authority needed for object | Authority needed for library
DLTCNNL | Connection list | *OBJEXIST | *EXECUTE
DSPCNNL | Connection list | *USE | *EXECUTE
WRKCNNL [1] | Connection list | *OBJOPR | *EXECUTE

[1] To use the individual operations, you must have the authority required by the individual operation.


Controller description commands


This table lists the specific authorities required for the controller description commands.

Command | Referenced object | Authority needed for object | Authority needed for library
CHGCTLAPPC [2] | Controller description | *CHANGE, *OBJMGT | *EXECUTE
 | Line description (SWTLINLST) | *USE | *EXECUTE
 | Connection list (CNNLSTOUT) | *USE | *EXECUTE
CHGCTLASC [2] | Controller description | *CHANGE, *OBJMGT | *EXECUTE
 | Line description (SWTLINLST) | *USE | *EXECUTE
CHGCTLBSC [2] | Controller description | *CHANGE, *OBJMGT | *EXECUTE
 | Line description (SWTLINLST) | *USE | *EXECUTE
CHGCTLFNC [2] | Controller description | *CHANGE, *OBJMGT | *EXECUTE
 | Line description (SWTLINLST) | *USE | *EXECUTE
CHGCTLHOST [2] | Controller description | *CHANGE, *OBJMGT | *EXECUTE
 | Line description (SWTLINLST) | *USE | *EXECUTE
 | Connection list (CNNLSTOUT) | *USE | *EXECUTE
CHGCTLLWS [2] | Controller description | *CHANGE, *OBJMGT | *EXECUTE
 | Program (INZPGM) | *USE | *EXECUTE
CHGCTLNET [2] | Controller description | *CHANGE, *OBJMGT | *EXECUTE
CHGCTLRTL [2] | Controller description | *CHANGE, *OBJMGT | *EXECUTE
 | Line description (SWTLINLST) | *USE | *EXECUTE
CHGCTLRWS [2] | Controller description | *CHANGE, *OBJMGT | *EXECUTE
 | Line description (SWTLINLST) | *USE | *EXECUTE
 | Connection list (CNNLSTOUT) | *USE | *EXECUTE
CHGCTLTAP [2] | Controller description | *CHANGE, *OBJMGT | *EXECUTE
CHGCTLVWS [2] | Controller description | *CHANGE, *OBJMGT | *EXECUTE
CRTCTLAPPC [2] | Line description (LINE or SWTLINLST) | *USE | *EXECUTE
 | Device description (DEV) | *USE | *EXECUTE
 | Connection list (CNNLSTOUT) | *USE | *EXECUTE
 | Controller description | |
CRTCTLASC [2] | Line description (LINE or SWTLINLST) | *USE | *EXECUTE
 | Device description (DEV) | *USE | *EXECUTE
 | Controller description | |
CRTCTLBSC [2] | Line description (LINE or SWTLINLST) | *USE | *EXECUTE
 | Device description (DEV) | *USE | *EXECUTE
 | Controller description | |
CRTCTLFNC [2] | Line description (LINE or SWTLINLST) | *USE | *EXECUTE
 | Device description (DEV) | *USE | *EXECUTE
 | Controller description | |
CRTCTLHOST [2] | Line description (LINE or SWTLINLST) | *USE | *EXECUTE
 | Device description (DEV) | *USE | *EXECUTE
 | Connection list (CNNLSTOUT) | *USE | *EXECUTE
 | Controller description | |
CRTCTLLWS [2] | Device description (DEV) | *USE | *EXECUTE
 | Controller description | |
 | Program (INZPGM) | *USE | *EXECUTE
CRTCTLNET [2] | Line description (LINE) | *USE | *EXECUTE
 | Device description (DEV) | *USE | *EXECUTE
 | Controller description | |
CRTCTLRTL [2] | Line description (LINE or SWTLINLST) | *USE | *EXECUTE
 | Device description (DEV) | *USE | *EXECUTE
 | Controller description | |
CRTCTLRWS [2] | Line description (LINE or SWTLINLST) | *USE | *EXECUTE
 | Device description (DEV) | *USE | *EXECUTE
 | Connection list (CNNLSTOUT) | *USE | *EXECUTE
 | Controller description | |
CRTCTLTAP [2] | Device description (DEV) | *USE | *EXECUTE
 | Controller description | |
CRTCTLVWS [2] | Device description (DEV) | *USE | *EXECUTE
 | Controller description | |
DLTCTLD [2] | Controller description | *OBJEXIST | *EXECUTE
DSPCTLD | Controller description | *USE | *EXECUTE
ENDCTLRCY | Controller description | *USE | *EXECUTE
PRTCMNSEC [3] | | |
RSMCTLRCY | Controller description | *USE | *EXECUTE
WRKCTLD [1] | Controller description | *OBJOPR | *EXECUTE

[1] To use the individual operations, you must have the authority required by the individual operation.
[2] To use this command, you must have *IOSYSCFG special authority.
[3] To use this command, you must have *ALLOBJ and *IOSYSCFG, or *AUDIT special authority.

Cryptography commands
This table lists the specific authorities required for the cryptography commands. Commands identified by (Q) are shipped with public authority *EXCLUDE. Appendix C, Commands shipped with public authority *EXCLUDE, on page 325 shows which IBM-supplied user profiles are authorized to the command. The security officer can grant *USE authority to others.


Command | Referenced object | Authority needed for object | Authority needed for library
ADDCKMKSFE | User file | *ADD, *OBJOPR, *READ |
 | User library | *EXECUTE |
 | User directory | *X |
 | User stream file | *R |
ADDMSTPART (Q) [1] | | |
CHKMSTKVV (Q) [1] | | |
CLRMSTKEY (Q) [1] | | |
CRTCKMKSF | User library | *ADD, *EXECUTE |
DSPCKMKSFE | User file | *OBJOPR, *READ |
 | User library | *EXECUTE |
GENCKMKSFE | User file | *ADD, *OBJOPR, *READ |
 | User library | *EXECUTE |
RMVCKMKSFE | User file | *DLT, *OBJOPR |
 | User library | *EXECUTE |
SETMSTKEY (Q) [1] | | |
TRNCKMKSF | User file | *OBJOPR, *READ, *UPD |
 | User library | *EXECUTE |

[1] You must have *ALLOBJ and *SECADM special authorities to use this command.

Data area commands


This table lists the specific authorities required for the data area commands.

Command | Referenced object | Authority needed for object | Authority needed for library
CHGDTAARA [1] | Data area | *CHANGE | *EXECUTE
CRTDTAARA [1] | Data area | | *READ, *ADD
 | APPC device description [4] | *CHANGE |
DLTDTAARA | Data area | *OBJEXIST | *EXECUTE
DSPDTAARA | Data area | *USE | *EXECUTE
RTVDTAARA [2] | Data area | *USE | *EXECUTE
WRKDTAARA [3] | Data area | Any authority | *USE

[1] If the create and change data area commands are run using high-level language functions, these authorities are still required even though authority to the command is not.
[2] Authority is verified at run time, but not at compilation time.
[3] To use an individual operation, you must have the authority required by the operation.
[4] Authority is verified when the data area is used.


Data queue commands


This table lists the specific authorities required for the data queue commands.

Command | Referenced object | Authority needed for object | Authority needed for library
CRTDTAQ | Data queue | | *READ, *ADD
 | Target data queue for the QSNDDTAQ program | *OBJOPR, *ADD | *EXECUTE
 | Source data queue for the QRCVDTAQ program | *OBJOPR, *READ | *EXECUTE
 | APPC device description [2] | *CHANGE |
DLTDTAQ | Data queue | *OBJEXIST | *EXECUTE
WRKDTAQ [1] | Data queue | *READ | *USE

[1] To use individual operations, you must have the authority required by the individual operation.
[2] Authority is verified when the data queue is used.

Device description commands


This table lists the specific authorities required for the device description commands.

Command | Referenced object | Authority needed for object | Authority needed for library
CFGDEVMLB [4] | Device description | *CHANGE, *OBJMGT | *EXECUTE
CHGASPA (Q) [4] | Device description | *USE |
CHGASPACT (Q) [7] | | |
CHGDEVAPPC [4] | Device description | *CHANGE, *OBJMGT | *EXECUTE
 | Mode description (MODE) | *USE | *EXECUTE
CHGDEVASC [4] | Device description | *CHANGE, *OBJMGT | *EXECUTE
CHGDEVASP [4] | Device description | *CHANGE, *OBJMGT | *EXECUTE
CHGDEVBSC [4] | Device description | *CHANGE, *OBJMGT | *EXECUTE
CHGDEVCRP [4] | Device description | *CHANGE, *OBJMGT | *EXECUTE
CHGDEVDSP [4] | Device description | *CHANGE, *OBJMGT | *EXECUTE
 | Printer (PRINTER) | *USE | *EXECUTE
CHGDEVFNC [4] | Device description | *CHANGE, *OBJMGT | *EXECUTE
CHGDEVHOST [4] | Device description | *CHANGE, *OBJMGT | *EXECUTE
CHGDEVINTR [4] | Device description | *CHANGE, *OBJMGT | *EXECUTE
CHGDEVMLB [4] | Device description | *CHANGE, *OBJMGT | *EXECUTE
CHGDEVNET [4] | Device description | *CHANGE, *OBJMGT | *EXECUTE
CHGDEVNWSH [4] | Device description | *CHANGE, *OBJMGT | *EXECUTE
CHGDEVOPT [4] | Device description | *CHANGE, *OBJMGT | *EXECUTE
CHGDEVPRT [4] | Device description | *CHANGE, *OBJMGT | *EXECUTE
 | Validation list (if specified) | *READ | *EXECUTE
CHGDEVRTL [4] | Device description | *CHANGE, *OBJMGT | *EXECUTE
CHGDEVSNPT [4] | Device description | *CHANGE, *OBJMGT | *EXECUTE
CHGDEVSNUF [4] | Device description | *CHANGE, *OBJMGT | *EXECUTE
CHGDEVTAP [4] | Device description | *CHANGE, *OBJMGT | *EXECUTE
CRTDEVAPPC [4] | Controller description (CTL) | *USE | *EXECUTE
 | Device description | |
 | Mode description (MODE) | *USE | *EXECUTE
CRTDEVASC [4] | Controller description (CTL) | *USE | *EXECUTE
 | Device description | |
CRTDEVASP [4] | Device description | | *EXECUTE
CRTDEVBSC [4] | Controller description (CTL) | *USE | *EXECUTE
 | Device description | |
CRTDEVCRP [4] | Device description | | *EXECUTE
CRTDEVDSP [4] | Printer description (PRINTER) | *USE | *EXECUTE
 | Controller description (CTL) | *USE | *EXECUTE
 | Device description | |
CRTDEVFNC [4] | Controller description (CTL) | *USE | *EXECUTE
 | Device description | |
CRTDEVHOST [4] | Controller description (CTL) | *USE | *EXECUTE
 | Device description | |
CRTDEVINTR [4] | Device description | | *EXECUTE
CRTDEVMLB [4] | Device description | |
CRTDEVNET [4] | Controller description (CTL) | *USE | *EXECUTE
 | Device description | |
CRTDEVNWSH [4] | Device description | | *EXECUTE
CRTDEVOPT [4] | Device description | | *EXECUTE
CRTDEVPRT [4] | Controller description (CTL) | *USE | *EXECUTE
 | Device description | |
 | Validation list (if specified) | *READ | *EXECUTE
CRTDEVRTL [4] | Controller description (CTL) | *USE | *EXECUTE
 | Device description | |
CRTDEVSNPT [4] | Controller description (CTL) | *USE | *EXECUTE
 | Device description | |
CRTDEVSNUF [4] | Controller description (CTL) | *USE | *EXECUTE
 | Device description | |
CRTDEVTAP [4] | Controller description (CTL) | *USE | *EXECUTE
 | Device description | |
DLTDEVD [1] | Device description | *OBJEXIST | *EXECUTE
DSPASPSTS | Device description | *USE |
DSPCNNSTS | Device description | *OBJOPR | *EXECUTE
DSPDEVD | Device description | *USE | *EXECUTE
ENDASPBAL (Q) | | |
ENDDEVRCY | Device description | *USE | *EXECUTE
HLDCMNDEV [2] | Device description | *OBJOPR | *EXECUTE
PRTCMNSEC [4, 5] | | |
RLSCMNDEV [2] | Device description | *OBJOPR | *EXECUTE
RSMDEVRCY | Device description | *USE | *EXECUTE
SETASPGRP [6] | All device descriptions in ASP group | *USE |
 | All the specified libraries in the library list (checked before the library namespace and the library list are changed) | *USE |
STRASPBAL (Q) | | |
TRCASPBAL (Q) | | |
WRKDEVD [3] | Device description | *OBJOPR | *EXECUTE

[1] To remove an associated output queue, object existence (*OBJEXIST) authority to the output queue and execute (*EXECUTE) authority to the QUSRSYS library are required.
[2] You must have job control (*JOBCTL) special authority and object operational authority to the device description.
[3] To use individual operations, you must have the authority required by the individual operation.
[4] You must have *IOSYSCFG special authority to run this command.
[5] You must have *ALLOBJ special authority to run this command.
[6] When *CURUSR is specified for the ASP group (ASPGRP) or the Libraries for the current thread (USRLIBL) parameter, you must also have read (*READ) authority to the job description that is listed in your user profile and execute (*EXECUTE) authority to the library where the job description is located.
[7] You must have *JOBCTL special authority to run this command.

Device emulation commands


This table lists the specific authorities required for the device emulation commands.

Command | Referenced object | Authority needed for object | Authority needed for library
ADDEMLCFGE | Emulation configuration file | *CHANGE | *EXECUTE
CHGEMLCFGE | Emulation configuration file | *CHANGE | *EXECUTE
EJTEMLOUT | Emulation device description when specified | *OBJOPR | *EXECUTE
 | Emulation device description when location specified | *OBJOPR | *EXECUTE
ENDPRTEML | Emulation device description when specified | *OBJOPR | *EXECUTE
 | Emulation device description when location specified | *OBJOPR | *EXECUTE
EMLPRTKEY | Emulation device description when specified | *OBJOPR | *EXECUTE
 | Emulation device description when location specified | *OBJOPR | *EXECUTE
EML3270 | Emulation device description | *OBJOPR | *EXECUTE
 | Emulation controller description | *OBJOPR | *EXECUTE
RMVEMLCFGE | Emulation configuration file | *CHANGE | *EXECUTE
STREML3270 | Emulation configuration file | *OBJOPR | *EXECUTE
 | Emulation device, emulation controller description, workstation device, and workstation controller description | *OBJOPR | *EXECUTE
 | Printer device description, user exit program, and translation tables when specified | *OBJOPR | *EXECUTE
STRPRTEML | Emulation configuration file | *OBJOPR | *EXECUTE
 | Emulation device description and emulation controller description | *OBJOPR | *EXECUTE
 | Printer device description, printer output, message queue, job description, job queue, and translation tables when specified | *OBJOPR | *EXECUTE
SNDEMLIGC | From-file | *OBJOPR | *EXECUTE
TRMPRTEML | Emulation device description | *OBJOPR | *EXECUTE

Directory and directory shadowing commands


This table lists the specific authorities required for the directory and directory shadowing commands.

These commands do not require any object authorities:
ADDDIRE [2]
ADDDIRSHD [1]
CHGSYSDIRA [2]
CHGDIRE [3]
CHGDIRSHD [1]
CPYFRMDIR [1]
CPYTODIR [1]
DSPDIRE
ENDDIRSHD [4]
RMVDIRE [1]
RMVDIRSHD
RNMDIRE [2]
STRDIRSHD [4]
WRKDIRE [3, 5]
WRKDIRLOC [1, 5]
WRKDIRSHD [1, 5]

[1] You must have *SECADM special authority.
[2] You must have *SECADM or *ALLOBJ special authority.
[3] A user with *SECADM special authority can work with all directory entries. Users without *SECADM special authority can work only with their own entries.
[4] You must have *JOBCTL special authority.
[5] To use an individual operation, you must have the authority required by the operation.

Directory server commands


This table lists the specific authorities required for the directory server commands.

Command | Referenced object | Object type | Authority needed
CHGDIRSRVA [1] | | |
CPYTOLDIF [2] | LDIF stream file (if it already exists) | *STMF | *W, *OBJEXIST, *OBJMGT
 | Parent directory of LDIF stream file | *DIR | *WX
CPYFRMLDIF | LDIF stream file | *STMF | *R
 | Parent directory of LDIF stream file | *DIR | *X
DB2LDIF | LDIF stream file (if it already exists) | *STMF | *W, *OBJEXIST, *OBJMGT
 | Parent directory of LDIF stream file | *DIR | *WX
LDIF2DB | LDIF stream file | *STMF | *R
 | Parent directory of LDIF stream file | *DIR | *X

[1] You must have *ALLOBJ and *IOSYSCFG special authority.
[2] To use this command, you must meet one of the following conditions:
- Have *ALLOBJ and *IOSYSCFG special authorities
- Provide the administrator DN and password
- Be a Directory Server administrator

Disk commands
This table lists the specific authorities required for the disk commands. Commands identified by (Q) are shipped with public authority *EXCLUDE. Appendix C, Commands shipped with public authority *EXCLUDE, on page 325 shows which IBM-supplied user profiles are authorized to the command. The security officer can grant *USE authority to others.
These commands do not require authority to any objects:
ENDDSKRGZ (Q) [1]
STRDSKRGZ (Q) [1]
WRKDSKSTS

[1] To use this command, you must have *ALLOBJ special authority.

Display station pass-through commands


This table lists the specific authorities required for the display station pass-through commands. Commands identified by (Q) are shipped with public authority *EXCLUDE. Appendix C, Commands shipped with public authority *EXCLUDE, on page 325 shows which IBM-supplied user profiles are authorized to the command. The security officer can grant *USE authority to others.

Command | Referenced object | Authority needed for object | Authority needed for library
ENDPASTHR | | |
STRPASTHR | APPC device on source system | *CHANGE | *EXECUTE
 | APPC device on target system [1] | *CHANGE | *EXECUTE
 | Virtual controller on target system [2] | *USE | *EXECUTE
 | Virtual device on target system [1] | *CHANGE | *EXECUTE
 | Program specified in the QRMTSIGN system value on target system, if any [1] | *USE | *USE
TFRPASTHR | | |

[1] The user profile that requires this authority is the profile that runs the pass-through batch job. For pass-through that bypasses the signon display, the user profile is the one specified in the remote user (RMTUSER) parameter. For pass-through that uses the normal signon procedure (RMTUSER(*NONE)), the user is the default user profile specified in the communications entry of the subsystem that handles the pass-through request. Generally, this is QUSER.
[2] If the pass-through is one that uses the normal signon procedure, the user profile specified on the signon display on the target system must have authority to this object.

Distribution commands
This table lists the specific authorities required for the distribution commands. Commands identified by (Q) are shipped with public authority *EXCLUDE. Appendix C, Commands shipped with public authority *EXCLUDE, on page 325 shows which IBM-supplied user profiles are authorized to the command. The security officer can grant *USE authority to others.
Command | Referenced object | Authority needed for object | Authority needed for library
ADDDSTQ (Q) | | |
ADDDSTRTE (Q) | | |
ADDDSTSYSN (Q) | | |
CFGDSTSRV (Q) | | |
CFGRPDS (Q) | | |
CHGDSTD [1] | Document [2] | *CHANGE | *EXECUTE
CHGDSTQ (Q) | | |
CHGDSTRTE (Q) | | |
DLTDST [1] | | |
DSPDSTLOG (Q) | Journal | *USE | *EXECUTE
 | Journal receiver | *USE | *EXECUTE
DSPDSTSRV (Q) | | |
HLDDSTQ (Q) | | |
INZDSTQ (Q) | | |
QRYDST [1] | Requested file | *CHANGE | *EXECUTE
RCVDST [1] | Requested file | *CHANGE | *EXECUTE
 | Folder | *CHANGE | *EXECUTE
RLSDSTQ (Q) | | |
RMVDSTQ (Q) | | |
RMVDSTRTE (Q) | | |
RMVDSTSYSN (Q) | | |
SNDDST [1] | Requested file or document | *USE | *EXECUTE
SNDDSTQ (Q) | | |
WRKDSTQ (Q) | | |
WRKDPCQ (Q) | | |

[1] If the user is asking for distribution for another user, the user must have the authority to work on behalf of the other user.
[2] When the distribution is filed.

Distribution list commands


This table lists the specific authorities required for the distribution list commands.

These commands do not require any object authorities:
ADDDSTLE
CHGDSTL [1]
CRTDSTL
DLTDSTL [1]
DSPDSTL
RMVDSTLE [1]
RNMDSTL
WRKDSTL [2]

[1] You must have *SECADM special authority or own the distribution list.
[2] To use an individual operation, you must have the authority required by the operation.

Document library object commands


This table lists the specific authorities required for the document library object commands.
Authority needed Command ADDDLOAUT CHGDLOAUD CHGDLOAUT CHGDLOOWN
1

Referenced object Document library object

For object *ALL or owner

For library *EXECUTE

Document library object Document library object Old user profile New user profile

*ALL or owner Owner or *ALLOBJ special authority *DLT *ADD Owner or *ALLOBJ special authority *DLT *ADD *CHANGE

*EXECUTE *EXECUTE *EXECUTE *EXECUTE *EXECUTE *EXECUTE *EXECUTE *EXECUTE

CHGDLOPGP

Document library object Old primary group profile New primary group profile

CHGDOCD

Document description


Authority needed Command CHKDLO CHKDOC


2

Referenced object Document library object Document Spelling aid dictionary

For object As required by the AUT keyword *CHANGE *CHANGE *USE

For library *EXECUTE *EXECUTE *EXECUTE *EXECUTE *EXECUTE *EXECUTE *EXECUTE *EXECUTE *EXECUTE

CPYDOC

From-document

To-document, if replacing existing document *CHANGE To-folder if to-document is new CRTDOC CRTFLR DLTDLO
3 20 15

*CHANGE *CHANGE *CHANGE *ALL *ALL


4

In-folder In-folder Document library object Document list

DLTDOCL DMPDLO

*EXECUTE

DSPAUTLDLO
21

Authorization list Document library object

*USE *USE Refer to the general rules. *USE or owner *USE *USE *USE *ALL or owner *CHANGE *USE *CHANGE *CHANGE *ALL *CHANGE *USE *USE Refer to the general rules. Refer to the general rules. *CHANGE

*EXECUTE *EXECUTE Refer to the general rules. *EXECUTE *EXECUTE *EXECUTE *EXECUTE *EXECUTE *EXECUTE *EXECUTE *EXECUTE *EXECUTE *EXECUTE *EXECUTE *EXECUTE *EXECUTE Refer to the general rules. Refer to the general rules. *EXECUTE

DSPDLOAUD DSPDLOAUT

Output file, if specified Document library object

DSPDLONAM DSPDOC DSPFLR EDTDLOAUT EDTDOC FILDOC


2

22

Document library object Document Folder Document library object Document Requested file Folder

MOVDOC

From-folder, if source document is in a folder From-document To-folder


5

MRGDOC

Document From-folder To-document if document is replaced To-folder if to-document is new

PAGDOC

Document


Authority needed Command PRTDOC Referenced object Folder Document DLTPF, DLTF, and DLTOVR commands, if an INDEX instruction is specified For object *USE *USE *USE For library *EXECUTE *EXECUTE *EXECUTE *EXECUTE *EXECUTE *EXECUTE *EXECUTE *EXECUTE

CRTPF, OVRPRTF, DLTSPLF, and DLTOVR *USE commands, if a RUN instruction is specified Save document, if SAVOUTPUT (*YES) is specified Save folder, if SAVOUTPUT (*YES) is specified QRYDOCLIB
2,6

*USE *USE *USE *CHANGE

Requested file Document list, if it exists

RCLDLO

Document library object Internal documents or all documents and folders16

RGZDLO

Document library object DLO(*ALL), DLO(*ALL) FLR(*ANY), or DLO(*ALL) FLR(*ANY) MAIL(*YES)16

*CHANGE or owner

*EXECUTE

RMVDLOAUT RNMDLO
2

Document library object Document library object In-folder

*ALL or owner *ALL *CHANGE *READ *CHANGE *ALL


10 10

*EXECUTE *EXECUTE *EXECUTE *EXECUTE *EXECUTE *EXECUTE *EXECUTE *EXECUTE Refer to the general rules. *EXECUTE Not applicable Not applicable Not applicable *EXECUTE *EXECUTE *EXECUTE *EXECUTE *EXECUTE *EXECUTE *EXECUTE *EXECUTE

RPLDOC

Requested file Document


7, 8, 9

RSTDLO (Q)

Document library object, if replacing Parent folder, if new DLO Owning user profile, if new DLO Output file, if specified Save file Optical file (OPTFILE)
19 17 17

*CHANGE *ADD
10

Refer to the general rules. *USE *R *X *USE *USE *USE *CHANGE *USE *USE *CHANGE *USE *CHANGE

Path prefix of optical file (OPTFILE) Optical volume


11,12,14

Tape unit and optical unit RSTS36FLR S/36 folder To-folder Device file or device description RTVDLONAM RTVDOC
2 22

Document library object Document if checking out Document if not checking out Requested file


Authority needed Command SAVDLO


7,13

Referenced object Document library object Tape unit and optical unit Save file, if empty Save file, if records exist in it Output file, if specified Optical File (OPTFILE)17 Parent directory of optical file (OPTFILE) Path Prefix of optical file (OPTFILE) Root Directory (/) of volume Optical Volume
19 17, 18 17 17

For object *ALL *USE *USE, *ADD *USE, *ADD, *OBJMGT Refer to the general rules. *RW *WX *X *RWX *CHANGE
10

For library *EXECUTE *EXECUTE *EXECUTE *EXECUTE Refer to the general rules. Not applicable Not applicable Not applicable Not applicable Not applicable

SAVRSTDLO

On the source system, same authority as required by SAVDLO command. On the target system, same authority as required by RSTDLO command.

WRKDOC WRKFLR
1 2 3

Folder Folder

*USE *USE

[1] You must have *AUDIT special authority.
[2] If the user is working on behalf of another user, the other user's authority to the object is checked.
[3] You must have *ALL authority to all the objects in the folder in order to delete the folder and all the objects in the folder.
[4] If you have *ALLOBJ or *SECADM special authority, you do not need *ALL authority to the document library list.
[5] You must have authority to the object being used as the merge source. For example, if MRGTYPE(*QRY) is specified, you must have use authority to the query specified for the QRYDFN parameter.
[6] Only objects that meet the criteria of the query and to which you have at least *USE authority are returned in the document list or output file.
[7] You must have *SAVSYS or *ALLOBJ special authority, or have been enrolled in the system distribution directory.
[8] You must have *SAVSYS or *ALLOBJ special authority to use the following parameter combination: RSTDLO DLO(*MAIL).
[9] You must have *ALLOBJ special authority to specify a value other than *NONE for the Allow object differences (ALWOBJDIF) parameter.
[10] If you have *SAVSYS or *ALLOBJ special authority, you do not need the authority specified.
[11] You need *ALL authority to the document if replacing it. You need operational and all the data authorities to the folder if restoring new information into the folders, or you need *ALLOBJ special authority.
[12] If used for a data dictionary, only the authority to the command is required.
[13] You must have *SAVSYS or *ALLOBJ special authority to use the following parameter combinations:
- SAVDLO DLO(*ALL) FLR(*ANY)
- SAVDLO DLO(*MAIL)
- SAVDLO DLO(*CHG)
- SAVDLO DLO(*SEARCH) OWNER(not *CURRENT)
[14] You must be enrolled in the system distribution directory if the source folder is a document folder.
[15] You must have *ALLOBJ special authority to dump internal document library objects.
[16] You must have *ALLOBJ or *SECADM special authority.
[17] This authority check is only made when the Optical Media Format is Universal Disk Format (UDF).
[18] This authority check is only made when you are clearing the optical volume.
[19] Optical volumes are not actual system objects. The link between the optical volume and the authorization list used to secure the volume is maintained by the optical support function.
[20] You must have *ALLOBJ special authority when OWNER(*ALL) is specified, or when OWNER(name) is specified and the name is a user profile other than the caller.
[21] You must have all object (*ALLOBJ) or audit (*AUDIT) special authority to use this command.
[22] You must have all object (*ALLOBJ) special authority to use this command when specifying *DST for the object class that is to be located.

Domain Name System commands

This table lists the specific authorities required for the Domain Name System (DNS) commands. The referenced objects are stream files, so the authorities are given in integrated file system form (*R, *W, *X); the For library column is not used for these commands.

Command | Referenced object | For object | For library
CHKDNSCFG (1) | Existing configuration file | *R |
 | Path to existing configuration file | *X |
 | Existing output file | *W |
 | Path to existing output file | *X |
 | Parent of new output file | *RX |
CHKDNSZNE (1) | Existing zone file | *R |
 | Path to existing zone file | *X |
 | Existing output file | *W |
 | Path to existing output file | *X |
 | Parent of new output file | *RX |
CRTRNDCCFG (1) | Existing entropy source file | *R |
 | Path to existing entropy source file | *X |
 | Existing output file | *W |
 | Path to existing output file | *X |
 | Parent of new output file | *RX |
RUNDNSUPD | Existing batch input file | *R |
 | Path to existing batch input file | *X |
 | Existing key file | *R |
 | Path to existing key file | *X |
 | Existing output file | *W |
 | Path to existing output file | *X |
 | Parent of new output file | *RX |
RUNRNDCCMD | Existing RNDC configuration file | *R |
 | Path to existing RNDC configuration file | *X |
 | Existing key file | *R |
 | Path to existing key file | *X |
 | Existing output file | *W |
 | Path to existing output file | *X |
 | Parent of new output file | *RX |
STRDIGQRY | Existing batch input file | *R |
 | Path to existing batch input file | *X |
 | Existing trusted key file | *R |
 | Path to existing trusted key file | *X |
 | Existing key file | *R |
 | Path to existing key file | *X |
 | Existing output file | *W |
 | Path to existing output file | *X |
 | Parent of new output file | *RX |
STRHOSTQRY | Existing output file | *W |
 | Path to existing output file | *X |
 | Parent of new output file | *RX |

1. You must have *IOSYSCFG special authority to run this command.

Double-byte character set commands

This table lists the specific authorities required for the double-byte character set commands.

Command | Referenced object | For object | For library
CPYIGCTBL | DBCS sort table (*IN) | *ALL | *EXECUTE
 | DBCS sort table (*OUT) | *USE | *EXECUTE
CRTIGCDCT | DBCS conversion dictionary | | *READ, *ADD
DLTIGCDCT | DBCS conversion dictionary | *OBJEXIST | *EXECUTE
DLTIGCSRT | DBCS sort table | *OBJEXIST | *EXECUTE
DLTIGCTBL | DBCS font table | *OBJEXIST | *EXECUTE
DSPIGCDCT | DBCS conversion dictionary | *USE | *EXECUTE
EDTIGCDCT | DBCS conversion dictionary | *USE, *UPD | *EXECUTE
 | User dictionary | *ADD, *DLT | *EXECUTE
STRCGU | DBCS sort table | *CHANGE | *EXECUTE
 | DBCS font table | *CHANGE | *EXECUTE
STRFMA | DBCS font table, if copy-to option specified | *OBJOPR, *READ, *ADD, *UPD | *EXECUTE
 | DBCS font table, if copy-from option specified | *OBJOPR, *READ | *EXECUTE
 | Font management aid work file (QGPL/QAFSVDF) | *CHANGE | *EXECUTE

Edit description commands

This table lists the specific authorities required for the edit description commands.

Command | Referenced object | For object | For library
CRTEDTD | Edit description | | *EXECUTE, *ADD
DLTEDTD | Edit description | *OBJEXIST | *EXECUTE
DSPEDTD | Edit description | *OBJOPR | *EXECUTE
WRKEDTD (1) | Edit description | Any authority | *USE

1. To use an individual operation, you must have the authority required by the operation.

Environment variable commands

This table lists the specific authorities required for the environment variable commands. These commands do not require any object authorities.

ADDENVVAR (1)
CHGENVVAR
RMVENVVAR (1)
WRKENVVAR (1)

1. To update system-level environment variables, you need *JOBCTL special authority.

Extended wireless LAN configuration commands

This table lists the specific authorities required for the extended wireless LAN configuration commands. Every command in the group references its source file and requires the same authority.

Command | Referenced object | For object | For library
ADDEWCBCDE | Source file | *USE | *EXECUTE
ADDEWCM | Source file | *USE | *EXECUTE
ADDEWCPTCE | Source file | *USE | *EXECUTE
ADDEWLM | Source file | *USE | *EXECUTE
CHGEWCBCDE | Source file | *USE | *EXECUTE
CHGEWCM | Source file | *USE | *EXECUTE
CHGEWCPTCE | Source file | *USE | *EXECUTE
CHGEWLM | Source file | *USE | *EXECUTE
DSPEWCBCDE | Source file | *USE | *EXECUTE
DSPEWCM | Source file | *USE | *EXECUTE
DSPEWCPTCE | Source file | *USE | *EXECUTE
DSPEWLM | Source file | *USE | *EXECUTE
RMVEWCBCDE | Source file | *USE | *EXECUTE
RMVEWCPTCE | Source file | *USE | *EXECUTE

File commands

This table lists the specific authorities required for the file commands. Commands identified by (Q) are shipped with public authority *EXCLUDE. Appendix C, Commands shipped with public authority *EXCLUDE, on page 325 shows which IBM-supplied user profiles are authorized to the command. The security officer can grant *USE authority to others.

Command | Referenced object | For object | For library
ADDICFDEVE | ICF file | *OBJOPR, *OBJMGT | *EXECUTE
ADDLFM | Logical file | *OBJOPR, *OBJMGT or *OBJALTER | *EXECUTE, *ADD
 | File referenced in DTAMBRS parameter, when logical file is keyed | *OBJOPR, *OBJMGT or *OBJALTER | *EXECUTE
 | File referenced in DTAMBRS parameter, when logical file is not keyed | *OBJOPR | *EXECUTE
ADDPFCST | Dependent file, if TYPE(*REFCST) is specified | *OBJMGT or *OBJALTER | *EXECUTE
 | Parent file, if TYPE(*REFCST) is specified | *OBJMGT or *OBJREF | *EXECUTE
 | File, if TYPE(*UNQCST) or TYPE(*PRIKEY) is specified | *OBJMGT | *EXECUTE
ADDPFM | Physical file | *OBJOPR, *OBJMGT or *OBJALTER | *EXECUTE, *ADD
ADDPFTRG | Physical file, to insert trigger | *OBJALTER, *OBJMGT, *READ, *OBJOPR | *EXECUTE
 | Physical file, to delete trigger | *OBJALTER, *OBJMGT, *READ, *OBJOPR | *EXECUTE
 | Physical file, to update trigger | *OBJALTER, *OBJMGT, *READ, *OBJOPR | *EXECUTE
 | Trigger program | *EXECUTE | *EXECUTE
CHGDDMF | DDM file (7) | *OBJOPR, *OBJMGT | *EXECUTE
 | Device description | *CHANGE | *EXECUTE
CHGDKTF | Diskette file | *OBJOPR, *OBJMGT | *EXECUTE
 | Device, if device name specified in the command | *OBJOPR | *EXECUTE
CHGDSPF | Display file | *OBJOPR, *OBJMGT | *EXECUTE
 | Device, if device name specified | *OBJOPR | *EXECUTE
CHGDTA | Data file | *OBJOPR, *ADD, *UPD, *DLT | *EXECUTE
 | Program | *USE | *EXECUTE
 | Display file | *USE | *EXECUTE
CHGICFDEVE | ICF file | *OBJOPR, *OBJMGT | *EXECUTE
CHGICFF | ICF file | *OBJOPR, *OBJMGT | *EXECUTE
CHGLF | Logical file | *OBJMGT or *OBJALTER | *EXECUTE
CHGLFM | Logical file | *OBJMGT or *OBJALTER | *EXECUTE
CHGPF | Physical file | *OBJMGT or *OBJALTER | *EXECUTE
CHGPFCST | Dependent file | *OBJMGT or *OBJALTER | *EXECUTE
CHGPFM | Physical file | *OBJMGT or *OBJALTER | *EXECUTE
CHGPFTRG | Physical file | *OBJMGT or *OBJALTER | *EXECUTE
CHGPRTF | Printer output | *OBJOPR, *OBJMGT | *EXECUTE
 | Device, if device name specified | *OBJOPR | *EXECUTE
CHGSAVF | Save file | *OBJOPR, and (*OBJMGT or *OBJALTER) | *EXECUTE
CHGSRCPF | Source physical file | *OBJMGT or *OBJALTER | *EXECUTE
CHGTAPF | Tape file | *OBJOPR, *OBJMGT | *EXECUTE
 | Device, if device name specified | *OBJOPR | *EXECUTE
CLRPFM | Physical file | *OBJOPR, *OBJMGT or *OBJALTER, *DLT | *EXECUTE
CLRSAVF | Save file | *OBJOPR, *OBJMGT | *EXECUTE
CPYF | From-file | *OBJOPR, *READ | *EXECUTE
 | To-file (device file) | *OBJOPR, *READ | *EXECUTE
 | To-file (physical file) | Refer to the general rules. | Refer to the general rules.
 | Based-on file, if from-file is a logical file | *READ | *EXECUTE
CPYFRMDKT | From-file | *OBJOPR, *READ | *EXECUTE
 | To-file (device file) | *OBJOPR, *READ | *EXECUTE
 | To-file (physical file) | Refer to the general rules. | Refer to the general rules.
CPYFRMIMPF | From-file | *OBJOPR, *READ | *USE
 | To-file (device file) | *OBJOPR, *READ | *USE
 | To-file (physical file) | Refer to the general rules. | Refer to the general rules.
 | Based-on file, if from-file is a logical file | *READ | *USE
 | CRTDDMF command | *USE | *USE
CPYFRMQRYF (1) | From-file | *OBJOPR, *READ | *EXECUTE
 | To-file (device file) | *OBJOPR, *READ | *EXECUTE
 | To-file (physical file) | Refer to the general rules. | Refer to the general rules.
CPYFRMSTMF | Stream file | *R | *X
 | Directories in stream file path name prefix | *X | *X
 | Target database file, if MBROPT(*ADD) specified | *WX | *X
 | Target database file, if MBROPT(*REPLACE or *NONE) specified | *WX, *OBJMGT | *X
 | Target database file, if new member created | *WX | *X, *ADD
 | Conversion table (*TBL) used to translate data | *R | *X
 | Target save file, if it already exists | *RWX | *X
 | Target save file, if it is created | *RWX, *OBJMGT | *X
CPYFRMTAP | From-file | *OBJOPR, *READ | *EXECUTE
 | To-file (device file) | *OBJOPR, *READ | *EXECUTE
 | To-file (physical file) | Refer to the general rules. | Refer to the general rules.
CPYSRCF | From-file | *OBJOPR, *READ | *EXECUTE
 | To-file (device file) | *OBJOPR, *READ | *EXECUTE
 | To-file (physical file) | Refer to the general rules. | Refer to the general rules.
CPYTODKT | To-file and from-file | *OBJOPR, *READ | *EXECUTE
 | Device, if device name specified on the command | *OBJOPR, *READ | *EXECUTE
 | Based-on physical file, if from-file is a logical file | *READ | *EXECUTE
CPYTOIMPF | From-file | *OBJOPR, *READ | *USE
 | To-file (device file) | *OBJOPR, *READ | *USE
 | To-file (physical file) | Refer to the general rules. | Refer to the general rules.
 | Based-on file, if from-file is a logical file | *READ | *USE
 | CRTDDMF command | *USE | *USE
CPYTOSTMF | Database file or save file | *RX | *X
 | Stream file, if it already exists | *W | *X
 | Stream file parent directory, if the stream file does not exist | *WX | *X
 | Stream file path name prefix | *X | *X
 | Database file and stream file, if AUT(*FILE) or AUT(*INDIRFILE) is specified | *OBJMGT | *X
 | Conversion table (*TBL) used to translate data | *R | *X
CPYTOTAP | To-file and from-file | *OBJOPR, *READ | *EXECUTE
 | Device, if device name is specified | *OBJOPR, *READ | *EXECUTE
 | Based-on physical file, if from-file is a logical file | *READ | *EXECUTE
CRTDDMF | DDM file: REPLACE(*NO) | | *READ, *ADD
 | DDM file: REPLACE(*YES) | Refer to the general rules. | Refer to the general rules.
 | Device description (7) | *CHANGE | *EXECUTE
CRTDKTF | Device, if device name is specified | *OBJOPR | *EXECUTE
 | Diskette file: REPLACE(*NO) | | *READ, *ADD, *EXECUTE
 | Diskette file: REPLACE(*YES) | Refer to the general rules. | Refer to the general rules.
CRTDSPF | Source file | *USE | *EXECUTE
 | Device, if device name is specified | *OBJOPR | *EXECUTE
 | File specified in REF and REFFLD keywords | *OBJOPR | *EXECUTE
 | Display file: REPLACE(*NO) | | *READ, *ADD, *EXECUTE
 | Display file: REPLACE(*YES) | Refer to the general rules. | Refer to the general rules.
CRTICFF | Source file | *USE | *EXECUTE
 | File specified in REF and REFFLD keywords | *OBJOPR | *EXECUTE
 | ICF file: REPLACE(*NO) | | *READ, *ADD
 | ICF file: REPLACE(*YES) | Refer to the general rules. | Refer to the general rules.
CRTLF | Source file | *USE | *EXECUTE
 | File specified on PFILE or JFILE keyword, when logical file is keyed | *OBJOPR, *OBJMGT or *OBJALTER | *EXECUTE
 | File specified on PFILE or JFILE keyword, when logical file is not keyed | *OBJOPR | *EXECUTE
 | Files specified on FORMAT and REFACCPTH keywords | *OBJOPR | *EXECUTE
 | Tables specified in the ALTSEQ keyword | *OBJOPR | *EXECUTE
 | Logical file | | *READ, *ADD
 | File referenced in DTAMBRS parameter, when logical file is keyed | *OBJOPR, *OBJMGT or *OBJALTER | *EXECUTE
 | File referenced in DTAMBRS parameter, when logical file is not keyed | *OBJOPR | *EXECUTE
CRTPF | Source file | *USE | *EXECUTE
 | Files specified in FORMAT and REFFLD keywords and tables specified in the ALTSEQ keyword | *OBJOPR | *EXECUTE
 | Physical file | | *READ, *ADD, *EXECUTE
CRTPRTF | Source file | *USE | *EXECUTE
 | Device, if device name is specified | *OBJOPR | *EXECUTE
 | Files specified in the REF and REFFLD keywords | *OBJOPR | *EXECUTE
 | Printer output: REPLACE(*NO) | | *READ, *ADD, *EXECUTE
 | Printer output: REPLACE(*YES) | Refer to the general rules. | Refer to the general rules.
CRTSAVF | Save file | | *READ, *ADD, *EXECUTE
CRTSRCPF | Source physical file | | *READ, *ADD, *EXECUTE
CRTS36DSPF | To-file source file, when TOMBR is not *NONE | *ALL | *CHANGE
 | Source file QS36SRC | *USE | *EXECUTE
 | Display file: REPLACE(*NO) | | *READ, *ADD
 | Display file: REPLACE(*YES) | Refer to the general rules. | Refer to the general rules.
 | Create Display File (CRTDSPF) command | *OBJOPR | *EXECUTE
CRTTAPF | Tape file: REPLACE(*NO) | | *READ, *ADD
 | Tape file: REPLACE(*YES) | Refer to the general rules. | Refer to the general rules.
 | Device, if device name is specified | *OBJOPR | *EXECUTE
DLTF | File | *OBJOPR, *OBJEXIST | *EXECUTE
DSPCPCST | Database file that has a constraint pending | *OBJOPR, *READ | *EXECUTE
DSPDBR | Database file | *OBJOPR | *EXECUTE
 | Output file, if specified | Refer to the general rules. | Refer to the general rules.
DSPDDMF | DDM file | *OBJOPR | *EXECUTE
DSPDTA | Data file | *USE | *EXECUTE
 | Program | *USE | *EXECUTE
 | Display file | *USE | *EXECUTE
DSPFD (2) | File | *OBJOPR | *EXECUTE
 | Output file | Refer to the general rules. | Refer to the general rules.
 | File, if it is a physical file and TYPE(*ALL, *MBR, or *MBRLST) is specified | A data authority other than *EXECUTE | *EXECUTE
DSPFFD | File | *OBJOPR | *EXECUTE
 | Output file | Refer to the general rules. | Refer to the general rules.
DSPPFM | Physical file | *USE | *EXECUTE
DSPSAVF | Save file | *USE | *EXECUTE
EDTCPCST | Data area, as specified on the NFYOBJ keyword for the associated STRCMTCTL command | *CHANGE | *EXECUTE
 | Files, as specified on the NFYOBJ keyword for the associated STRCMTCTL command | *OBJOPR, *ADD | *EXECUTE
GENCAT | Database file | *OBJOPR and a data authority other than *EXECUTE | *EXECUTE
INZPFM | Physical file, when RECORD(*DFT) is specified | *OBJOPR, *OBJMGT or *OBJALTER, *ADD | *EXECUTE
 | Physical file, when RECORD(*DLT) is specified | *OBJOPR, *OBJMGT or *OBJALTER, *ADD, *DLT | *EXECUTE
MRGSRC | Target file | *CHANGE, *OBJMGT | *EXECUTE
 | Maintenance file | *USE | *EXECUTE
 | Root file | *USE | *EXECUTE
OPNDBF | Database file | *OBJOPR and a data authority other than *EXECUTE | *EXECUTE
OPNQRYF | Database file | *OBJOPR and a data authority other than *EXECUTE | *EXECUTE
PRTTRGPGM (11) | | |
RGZPFM | File containing member | *OBJOPR, *OBJMGT or *OBJALTER, *READ, *ADD, *UPD, *DLT, *EXECUTE | *EXECUTE
RMVICFDEVE | ICF file | *OBJOPR, *OBJMGT | *EXECUTE
RMVM | File containing member | *OBJEXIST, *OBJOPR | *EXECUTE
RMVPFCST | File | *OBJMGT or *OBJALTER | *EXECUTE
RMVPFTRG | Physical file | *OBJALTER, *OBJMGT | *EXECUTE
RNMM | File containing member | *OBJOPR, *OBJMGT | *EXECUTE, *UPD
RSTS36F (Q) (4) | To-file | *ALL | Refer to the general rules.
 | From-file | *USE | *EXECUTE
 | Based-on physical file, if the file being restored is a logical (alternative) file | *CHANGE | *EXECUTE
 | Device description for diskette or tape | *USE | *EXECUTE
RTVMBRD | File | *USE | *EXECUTE
SAVSAVFDTA | Tape, diskette, or optical device description | *USE | *EXECUTE
 | Save file | *USE | *EXECUTE
 | Optical save/restore file, if it previously exists (10) | *RW | Not applicable
 | Parent directory of OPTFILE (8) | *WX | Not applicable
 | Path prefix of OPTFILE | *X | Not applicable
 | Root directory (/) of optical volume (8) | *RWX | Not applicable
 | Optical volume (8, 9) | *CHANGE | Not applicable
SAVS36F | From-file | *USE | *EXECUTE
 | To-file, when it is a physical file | *ALL | Refer to the general rules.
 | Device file or device description | *USE | *EXECUTE
SAVS36LIBM | To-file, when it is a physical file | *ALL | Refer to the general rules.
 | From-file | *USE | *EXECUTE
 | Device file or device description | *USE | *EXECUTE
STRAPF (3) | Source file | *OBJMGT, *CHANGE | *READ, *ADD
 | Commands CRTPF, CRTLF, ADDPFM, ADDLFM, and RMVM | *USE | *EXECUTE
STRDFU | Program (if create program option) | | *READ, *ADD
 | Program (if change or delete program option) | *OBJEXIST | *EXECUTE
 | File (if change or display data option) | *OBJOPR, *ADD, *UPD, *DLT | *EXECUTE
 | File (if display data option) | *READ | *EXECUTE
UPDDTA | File | *CHANGE | *READ, *ADD
WRKDDMF (3, 5) | DDM file | *OBJOPR, *OBJMGT, *OBJEXIST | *READ, *ADD
WRKF (3) | Files | *OBJOPR | *USE
WRKPFCST (3) | | | *EXECUTE

1. The CPYFRMQRYF command uses a FROMOPNID parameter rather than a FROMFILE parameter. A user must have sufficient authority to perform the OPNQRYF command before running the CPYFRMQRYF command. If CRTFILE(*YES) is specified on the CPYFRMQRYF command, the first file specified on the corresponding OPNQRYF FILE parameter is considered to be the from-file when determining the authorities for the new to-file.
2. Ownership or operational authority to the file is required.
3. To use individual operations, you must have the authority required by the individual operation.
4. If a new file is created and an authority holder exists for the file, then the user must have all (*ALL) authority to the authority holder or be the owner of the authority holder. If there is no authority holder, the owner of the file is the user who entered the RSTS36F command and the public authority is *ALL.
5. Some authority to the object is required.
6. You must have *ALLOBJ special authority.
7. Authority is verified when the DDM file is used.
8. This authority check is only made when the optical media format is Universal Disk Format (UDF).
9. This authority check is only made if you are clearing the optical volume.
10. Optical volumes are not actual system objects. The link between the optical volume and the authorization list used to secure the volume is maintained by the optical support function.
11. You must have *ALLOBJ or *AUDIT special authority to use this command.
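The cells in these tables use two notations for the same ten specific authorities: the QSYS.LIB form (*OBJOPR, *OBJMGT, *READ and so on, plus the system-defined groups *ALL, *CHANGE, *USE and *EXCLUDE) and the integrated file system form (*R, *W, *X and combinations such as *RWX) used in the DNS table and in the stream-file rows of the file commands table. The Python script below is a worked example added to this page; it is not part of the IBM publication. It expands both notations into specific authorities, evaluates a cell such as "*OBJOPR, *OBJMGT or *OBJALTER" against what a profile holds, applies the *ALLOBJ override that the footnotes describe, and walks a path with the rule used throughout the appendix (every directory in the path prefix needs *X, the parent of a new object needs *WX, and a directory the command must read to match a pattern needs *RX). The function names, the operation labels "use", "create" and "pattern", and the sample authority map are this example's own assumptions.

```python
import re

# The ten specific authorities on IBM i: five object authorities, five data authorities.
OBJECT_AUTHS = {"*OBJOPR", "*OBJMGT", "*OBJEXIST", "*OBJALTER", "*OBJREF"}
DATA_AUTHS = {"*READ", "*ADD", "*UPD", "*DLT", "*EXECUTE"}

# System-defined authorities expressed as the specific authorities they contain.
SYSTEM_DEFINED = {
    "*ALL": OBJECT_AUTHS | DATA_AUTHS,
    "*CHANGE": {"*OBJOPR", "*READ", "*ADD", "*UPD", "*DLT", "*EXECUTE"},
    "*USE": {"*OBJOPR", "*READ", "*EXECUTE"},
    "*EXCLUDE": set(),
}

# Integrated file system shorthand: *R is *READ, *W is *ADD + *UPD + *DLT, *X is *EXECUTE.
IFS_LETTER = {"R": {"*READ"}, "W": {"*ADD", "*UPD", "*DLT"}, "X": {"*EXECUTE"}}


def expand(spec):
    """Expand '*CHANGE', '*RWX', '*OBJOPR, *READ' ... into a set of specific authorities."""
    held = set()
    for tok in re.findall(r"\*[A-Z]+", spec.upper()):
        if tok in SYSTEM_DEFINED:
            held |= SYSTEM_DEFINED[tok]
        elif tok in OBJECT_AUTHS or tok in DATA_AUTHS:
            held.add(tok)
        elif re.fullmatch(r"\*[RWX]{1,3}", tok):
            for letter in tok[1:]:
                held |= IFS_LETTER[letter]
        else:
            raise ValueError(f"unknown authority {tok}")
    return held


def satisfies(cell, held_spec, special=()):
    """Does a profile holding `held_spec` satisfy one table cell?
    Commas separate requirements that must all hold; 'or' inside a clause lists
    alternatives, so '*OBJOPR, *OBJMGT or *OBJALTER' means *OBJOPR and (*OBJMGT or
    *OBJALTER). 'None' needs nothing. *ALLOBJ special authority satisfies any
    object authority requirement, as the *ALLOBJ footnotes state."""
    if "*ALLOBJ" in special:
        return True
    held = expand(held_spec)
    cell = cell.strip().rstrip(".")
    if cell.lower() == "any authority":
        return bool(held)
    cell = re.sub(r"[()]|\band\b", "", cell)   # '*OBJOPR, and (*OBJMGT or *OBJALTER)'
    for clause in cell.split(","):
        if not clause.strip():
            continue
        alternatives = [expand(alt) for alt in clause.split(" or ")]
        if not any(alt <= held for alt in alternatives):
            return False
    return True


def path_requirements(path, operation):
    """Authorities needed along an integrated file system path: *X on each
    directory in the prefix, and on the parent *X to reach the object ("use"),
    *WX to create an object in it ("create"), or *RX to read it when a pattern
    has to be matched ("pattern")."""
    parts = [p for p in path.split("/") if p]
    if not parts:
        raise ValueError("path must name at least one object")
    dirs = ["/" + "/".join(parts[:i + 1]) for i in range(len(parts) - 1)]
    parent = dirs[-1] if dirs else "/"
    need_parent = {"use": "*X", "create": "*WX", "pattern": "*RX"}[operation]
    return [(d, "*X") for d in dirs[:-1]] + [(parent, need_parent)]


def check_path(path, operation, held_by_dir, special=()):
    """Return the directories on `path` whose held authority (an *R/*W/*X string
    per directory, *EXCLUDE when the directory is absent) is insufficient."""
    return [d for d, need in path_requirements(path, operation)
            if not satisfies(need, held_by_dir.get(d, "*EXCLUDE"), special)]


if __name__ == "__main__":
    # Constructed sample data for this example, not taken from any real system.
    print(satisfies("*OBJOPR, *OBJMGT or *OBJALTER", "*USE"))             # False
    print(satisfies("*OBJOPR, *OBJMGT or *OBJALTER", "*USE, *OBJALTER"))  # True
    held = {"/home": "*RX", "/home/dns": "*RX", "/home/dns/zones": "*X"}
    print(check_path("/home/dns/zones/db.example", "create", held))       # ['/home/dns/zones']
```

Because *W maps to *ADD, *UPD and *DLT and *X to *EXECUTE, a stream-file cell such as "*RWX, *OBJMGT" compares directly with a QSYS.LIB cell such as "*CHANGE, *OBJMGT": both are just sets of specific authorities, which is what the system itself checks.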

Filter commands

This table lists the specific authorities required for the filter commands.

Command | Referenced object | For object | For library
ADDALRACNE | Filter | *USE, *ADD | *EXECUTE
ADDALRSLTE | Filter | *USE, *ADD | *EXECUTE
ADDPRBACNE | Filter | *USE, *ADD | *EXECUTE
ADDPRBSLTE | Filter | *USE, *ADD | *EXECUTE
CHGALRACNE | Filter | *USE, *UPD | *EXECUTE
CHGALRSLTE | Filter | *USE, *UPD | *EXECUTE
CHGFTR | Filter | *OBJMGT | *EXECUTE
CHGPRBACNE | Filter | *USE, *UPD | *EXECUTE
CHGPRBSLTE | Filter | *USE, *UPD | *EXECUTE
CRTFTR | Filter | | *READ, *ADD
DLTFTR | Filter | *OBJEXIST | *EXECUTE
RMVFTRACNE | Filter | *USE, *DLT | *EXECUTE
RMVFTRSLTE | Filter | *USE, *DLT | *EXECUTE
WRKFTR (1) | Filter | Any authority | *EXECUTE
WRKFTRACNE (1) | Filter | *USE | *EXECUTE
WRKFTRSLTE (1) | Filter | *USE | *EXECUTE

1. To use an individual operation, you must have the authority required by the operation.

Finance commands

This table lists the specific authorities required for the finance commands. Commands identified by (Q) are shipped with public authority *EXCLUDE. Appendix C, Commands shipped with public authority *EXCLUDE, on page 325 shows which IBM-supplied user profiles are authorized to the command. The security officer can grant *USE authority to others.

Command | Referenced object | For object | For library
SBMFNCJOB (Q) (1) | Job description and message queue | *OBJOPR | *EXECUTE
SNDFNCIMG (Q) (1) | Job description and message queue | *OBJOPR | *EXECUTE
WRKDEVTBL (Q) (1) | Device description | At least one data authority | *EXECUTE
WRKPGMTBL (Q) | | |
WRKUSRTBL (Q) | | |

1. The QFNC user profile must have this authority.

i5/OS graphical operations commands

This table lists the specific authorities required for the i5/OS graphical operations commands.

Command | Referenced object | For object | For library
CHGFCNUSG (5) | | |
DSPFCNUSG | | |
EDTWSOAUT (1) | Workstation object | *OBJMGT (2, 3, 4) | *EXECUTE
GRTWSOAUT (1) | Workstation object | *OBJMGT (2, 3, 4) | *EXECUTE
RVKWSOAUT (1) | Workstation object | *OBJMGT (2, 3, 4) | *EXECUTE
SETCSTDTA | Copy-from user profile | *CHANGE | *EXECUTE
 | Copy-to user profile | *CHANGE | *EXECUTE
WRKFCNUSG | | |

1. The workstation object is an internal object that is created when you install the i5/OS Graphical Operations feature. It is shipped with public authority of *USE.
2. You must be the owner or have *OBJMGT authority and the authorities being granted or revoked.
3. You must be the owner or have *ALLOBJ authority to grant *OBJMGT or *AUTLMGT authority.
4. To secure the workstation object with an authorization list or remove the authorization list, you must have one of the following authorities:
    - Own the workstation object.
    - Have *ALL authority to the workstation object.
    - Have *ALLOBJ special authority.
5. You must have security administrator (*SECADM) special authority to change the usage of a function.

Graphics symbol set commands

This table lists the specific authorities required for the graphics symbol set commands.

Command | Referenced object | For object | For library
CRTGSS | Source file | *USE | *EXECUTE
 | Graphics symbol set | | *READ, *ADD
DLTGSS | Graphics symbol set | *OBJEXIST | *EXECUTE
WRKGSS (1) | Graphics symbol set | *OBJOPR | *USE

1. Ownership or some authority to the object is required.

Host server commands

This table lists the specific authorities required for the host server commands. Commands identified by (Q) are shipped with public authority *EXCLUDE. Appendix C, Commands shipped with public authority *EXCLUDE, on page 325 shows which IBM-supplied user profiles are authorized to the command. The security officer can grant *USE authority to others.

These commands do not require object authorities:

ENDHOSTSVR (Q)
STRHOSTSVR (Q)

Image catalog commands

This table lists the specific authorities required for the image catalog commands. Commands identified by (Q) are shipped with public authority *EXCLUDE. Appendix C, Commands shipped with public authority *EXCLUDE, on page 325 shows which IBM-supplied user profiles are authorized to the command. The security officer can grant *USE authority to others.

Command | Referenced object | Object type | For object | For library (1)
ADDIMGCLGE | Image catalog | *IMGCLG | *CHANGE | *EXECUTE
 | Image catalog directory path prefix | *DIR | *X | Refer to the general rules.
 | Device name, when FROMDEV specified | *DEVD | *USE | *EXECUTE
 | Image file, when FROMFILE specified | *STMF | *R, *OBJMGT | Refer to the general rules.
 | Image file path prefix, when FROMFILE specified | *DIR | *X | Refer to the general rules.
 | Image file parent directory, when FROMFILE specified | *DIR | *RX | Refer to the general rules.
CHGIMGCLG | Image catalog | *IMGCLG | *CHANGE | *EXECUTE
 | Image catalog directory path prefix | *DIR | *EXECUTE | Refer to the general rules.
 | New image catalog directory path prefix, when DIR parameter specified | *DIR | *EXECUTE | Refer to the general rules.
CHGIMGCLGE | Image catalog | *IMGCLG | *CHANGE | *EXECUTE
 | Image catalog directory path prefix | *DIR | *EXECUTE | Refer to the general rules.
CRTIMGCLG | QUSRSYS | *LIB | *READ, *ADD |
 | Image catalog, if DIR(*REFIMGCLG) specified | *IMGCLG | *USE | *EXECUTE
 | Image catalog directory path prefix (2) | *DIR | *OBJOPR, *READ, *ADD, *EXECUTE | Refer to the general rules.
DLTIMGCLG | Image catalog | *IMGCLG | *OBJEXIST | *EXECUTE
 | Image catalog directory path prefix | *DIR | *EXECUTE | Refer to the general rules.
LODIMGCLG | Image catalog | *IMGCLG | *USE | *EXECUTE
 | Image catalog, when WRTPTC(*ALL) or WRTPTC(*NONE) is specified | *IMGCLG | *CHANGE | *EXECUTE
 | Virtual device | *DEVD | *USE | *EXECUTE
 | Image catalog directory path prefix | *DIR | *EXECUTE | Refer to the general rules.
LODIMGCLGE | Image catalog | *IMGCLG | *USE | *EXECUTE
 | Image catalog directory path prefix | *DIR | *EXECUTE | Refer to the general rules.
RMVIMGCLGE | Image catalog | *IMGCLG | *CHANGE | *EXECUTE
 | Image catalog directory path prefix | *DIR | *EXECUTE | Refer to the general rules.
RTVIMGCLG | Image catalog | *IMGCLG | *USE | *EXECUTE
 | Device description, if DEV parameter specified | *DEVD | *USE | *EXECUTE
STRNETINS (Q) | Network optical device | *DEVD | *USE | *EXECUTE
VFYIMGCLG | Image catalog | *IMGCLG | *USE | *EXECUTE
 | Virtual device | *DEVD | *USE | *EXECUTE
 | Image catalog directory path prefix | *DIR | *EXECUTE | Refer to the general rules.
WRKIMGCLG | Image catalog | *IMGCLG | *USE | *EXECUTE
WRKIMGCLGE | Image catalog | *IMGCLG | *USE | *EXECUTE

1. The library that image catalog objects reside in is QUSRSYS.
2. If a directory is created, you also need write (*W) authority to the directory that is to contain the new directory.


Integrated file system commands


This table lists the specific authorities required for the integrated file system commands. Commands identified by (Q) are shipped with public authority *EXCLUDE. Appendix C, Commands shipped with public authority *EXCLUDE, on page 325 shows which IBM-supplied user profiles are authorized to the command. The security officer can grant *USE authority to others.
Authority needed for object1 *OBJEXIST

Command ADDLNK

Referenced object Object when LNKTYPE(*HARD) is specified Parent of new link

Object type *STMF

File system QOpenSys, "root" (/),UDFS QOpenSys, "root" (/), UDFS

*DIR

*WX

Path prefix CHGATR

Refer to the general rules. All except QSYS.LIB *W

Object when setting an attribute other than Any *USECOUNT, *ALWCKPWRT, *DISKSTGOPT, *MAINSTGOPT, *ALWSAV, *SCAN, *CRTOBJSCAN, *SETUID, *SETGID, *RSTRDRNMUNL, *CRTOBJAUD Object when setting *USECOUNT, *DISKSTGOPT, *MAINSTGOPT, *ALWSAV Any *FILE *MBR

All except QSYS.LIB QSYS.LIB QSYS.LIB

*OBJMGT *OBJOPR, *OBJMGT *X, *OBJMGT (authority inherited from parent *FILE) *OBJMGT *OBJMGT *RX

other Object when setting *ALWCKPWRT Directory that contains objects when SUBTREE(*ALL) is specified Object when setting the following attributes: *CRTOBJSCAN or *SCAN26 Object when setting the following attributes: *SETUID, *SETGID, *RSTDRNMUNL *CRTOBJAUD9 Path prefix CHGAUD
4 9

QSYS.LIB All All QOpenSys, "root" (/), UDFS

Any Any directory *DIR and *STMF Any

All except Ownership QSYS.LIB and QDLS

15

Refer to the general rules.

390

IBM i: Security Security reference

Command CHGAUT

Referenced object Object

Object type All

File system QOpenSys, "root" (/), UDFS QSYS.LIB, QOPT11 QDLS

Authority needed for object1 Ownership15

Ownership or *ALLOBJ Ownership, *ALL, or *ALLOBJ *OBJMGT

Optical volume Directory that contains objects when SUBTREE(*ALL) is specified CHGCURDIR Object Optical volume Path prefix CHGOWN
24

*DDIR Any directory or library Any directory *DDIR

QOPT8 All

*CHANGE *RX *R

QOPT

*X

Refer to the general rules. All *FILE, *LIB, *SBSD All QSYS.LIB QSYS.LIB QOpenSys, "root" (/), UDFS QDLS QOPT11 *OBJEXIST *OBJEXIST, *OBJOPR Ownership and *OBJEXIST15 Ownership or *ALLOBJ Ownership or *ALLOBJ *DLT *ADD *CHANGE *RX *OBJEXIST *OBJEXIST, *OBJOPR Ownership5, 15

Object

All

CHGOWN24

User profile of old ownerall except QOPT, QDLS User profile of new ownerall except QOPT Optical volume Directory that contains objects when SUBTREE(*ALL) is specified

*USRPRF *USRPRF *DDIR Any directory or library All *FILE, *LIB, *SBSD All

All All QOPT8 All QSYS.LIB QSYS.LIB QOpenSys, "root" (/), UDFS QDLS QOPT11

CHGPGP

Object

All

Ownership or *ALLOBJ Ownership or *ALLOBJ

Appendix D. Authority required for objects used by commands

391

Command CHGPGP

Referenced object User profile of old primary groupall except QOPT User profile of new primary groupall except QOPT Optical volume Directory that contains objects when SUBTREE(*ALL) is specified

Object type *USRPRF *USRPRF *DDIR Any directory or library *STMF

File system All All QOPT8 All QOpenSys, "root" (/), UDFS QDLS QOpenSys, "root" (/), UDFS QDLS

Authority needed for object1 *DLT *ADD *CHANGE *RX *W

CHKIN

Object, if the user who checked it out.

*DOC Object, if not the user who checked it out. *STMF

*W *ALL or *ALLOBJ or Ownership *ALL or *ALLOBJ or Ownership *X

*DOC

Path, if not the user who checked out

*DIR

QOpenSys, "root" (/), UDFS All

Directory that contains objects when SUBTREE(*ALL) is specified Path prefix CHKOUT Object

Any directory

*RX

Refer to the general rules. *STMF QOpenSys, "root" (/), UDFS QDLS All *W

*DOC Directory that contains objects when SUBTREE(*ALL) is specified Path prefix Any directory

*W *RX

Refer to the general rules.

392

IBM i: Security Security reference

Command CPY
25

Referenced object Object being copied, origin object

Object type Any

File system QOpenSys, "root" (/), UDFS QDLS

Authority needed for object1 *R, and *OBJMGT or ownership *RWX and *ALL or ownership None *RX, *OBJMGT *R *W, *OBJEXIST, *OBJMGT *W *RW, *OBJMGT, *OBJEXIST *RW, *OBJMGT, *OBJEXIST *RWX, *ALL *RX, *OBJMGT

*DOC

*MBR others *DSTMF Destination object when REPLACE(*YES) specified (if destination object already exists) Any

QSYS.LIB QSYS.LIB QOPT All


10 11

*DSTMF *LIB

QOPT11 QSYS.LIB

*FILE (PF or LF) *DOC Directory being copied that contains objects *DIR when SUBTREE(*ALL) is specified, so that its contents are copied CPY25 Path (target), parent directory of destination object *FILE *LIB *DIR

QSYS.LIB

QDLS QOpenSys, "root" (/), UDFS QSYS.LIB QSYS.LIB QOpenSys, "root" (/), UDFS QDLS QOPT QOPT QOPT
11 8 8

*RX, *OBJMGT *RX, *ADD *WX

*FLR *DDIR Source Optical volume Target Optical volume CPY


25

*RWX *WX *USE *CHANGE *X

*DDIR *DDIR *DIR

Parent directory of origin object

QOpenSys, "root" (/), UDFS QDLS QSYS.LIB QOPT


11

*FLR Others *DDIR Path prefix (target destination) *LIB *DIR

*X *RX *X *WX *X

QSYS.LIB QOpenSys, "root" (/), UDFS QDLS QOPT QOPT


11 11

*FLR *DDIR Path prefix (origin object) *DDIR

*X *X *X

Appendix D. Authority required for objects used by commands

393

Command CPYFRMSTMF CPYTOSTMF CRTDIR


21, 22

Referenced object See File commands on page 379 See File commands on page 379 Parent directory

Object type

File system

Authority needed for object1

*DIR

QOpenSys, "root" (/), UDFS QDLS QSYS.LIB


11

*WX

*FLR *FILE Any *DDIR CRTDIR


16

*CHANGE *RX, *ADD *ADD

QOPT

*WX

Path prefix Optical volume

Refer to the general rules. *DDIR QOPT8 *CHANGE

CVTDIR (Q) DSPAUT

Object

All All ALL

QDLS All others QOPT11 QOPT


8

*ALL *OBJMGT or ownership None *USE

Optical volume Path prefix DSPCURDIR Path prefix

*DDIR

Refer to the general rules. *DIR QOpenSys, "root" (/), UDFS QDLS QSYS.LIB
11

*RX

*FLR *LIB, *FILE *DIR *DDIR DSPCURDIR Current directory *DIR

*RX *RX *R

QOPT

*RX *X

QOpenSys, "root" (/), UDFS QSYS.LIB QDLS


11 8

*LIB, *FILE *FLR *DIR *DDIR Optical volume DSPF Database file Database file library Stream file *DDIR* *FILE *LIB *STMF

*X *X *R

QOPT QOPT

*X *USE *USE *EXECUTE *R

QSYS.LIB QSYS.LIB QOpenSys, "root" (/), UDFS QSYS.LIB

*USRSPC Path prefix

*USE

Refer to the general rules.

394

IBM i: Security Security reference

Command DSPLNK

Referenced object Any

Object type Any

File system "root" (/), QOpenSys, UDFS QSYS.LIB27, QDLS, QOPT11 "root" (/), QOpenSys, UDFS "root" (/), QOpenSys, UDFS QOPT8 "root" (/), QOpenSys, UDFS QSYS.LIB27 QDLS QOPT
11

Authority needed for object1 None

File, Option 12 (Work with Links)

*STMF, *SYMLNK, *DIR, *BLKSF, *SOCKET *SYMLNK

*R

DSPLNK

Symbolic link object

None

Optical volume Parent directory of referenced object - No Pattern 13

*DDIR *DIR

*USE *X

*LIB, *FILE *FLR *DDIR *DDIR DSPLNK Parent directory of referenced object Pattern specified13 *DIR

*X *X *X *R

"root" (/), QOpenSys, UDFS QSYS.LIB27 QDLS QOPT


11

*R

*LIB, *FILE *FLR *DDIR *DDIR Parent directory of referenced objectOption 8 (Display Attributes) *DIR

*R *R *R *R

"root" (/), QOpenSys, UDFS QSYS.LIB27 QDLS QOPT


11

*X

*LIB, *FILE *FLR *DDIR *DDIR DSPLNK Parent directory of referenced object Option 12 (Work with Links) *DIR

*X *X *X *R

"root" (/), QOpenSys, UDFS "root" (/), QOpenSys, UDFS QSYS.LIB27 QDLS QOPT11

*RX

*SYMLNK

*X

*LIB, *FILE *FLR *DDIR *DDIR

*X *X *X *R

Appendix D. Authority required for objects used by commands

395

Command DSPLNK

Referenced object Prefix of parent referenced object - No Pattern 13

Object type *DIR

File system "root" (/), QOpenSys, UDFS QSYS.LIB27 QDLS QOPT


11

Authority needed for object1 *X

*LIB *FILE *FLR *DDIR *DDIR DSPLNK Prefix of parent referenced object - Pattern specified13 *DIR

*X *X *X *R

"root" (/), QOpenSys, UDFS QSYS.LIB27 QDLS QOPT


11

*X

*LIB *FILE *FLR *DDIR *DDIR DSPLNK Prefix of parent referenced object - Option 8 (Display Attributes) *DIR

*X *X *X *R

"root" (/), QOpenSys, UDFS QSYS.LIB27 QDLS QOPT


11

*RX

*LIB, *FILE *FLR *DDIR *DDIR DSPLNK Prefix of parent referenced object - Option 12 (Work with Links) *DIR

*X *X *X *R

"root" (/), QOpenSys, UDFS "root" (/), QOpenSys, UDFS QSYS.LIB27 QDLS QOPT
11

*RX

*SYMLNK

*X

*LIB, *FILE *FLR *DDIR *DDIR

*X *X *X *R

396

IBM i: Security Security reference

Command DSPLNK

Referenced object Relative Path Name : Current working directory containing object -No Pattern13
14

Object type *DIR

File system "root" (/), QOpenSys, UDFS QSYS.LIB27 QDLS QOPT


11

Authority needed for object1 *RX

*LIB, *FILE *FLR *DDIR *DDIR Relative Path Name : Current working directory containing object -Pattern Specified13
14

*X *X *RX *R

*DIR

"root" (/), QOpenSys, UDFS QSYS.LIB27 QDLS QOPT


11

*RX

*LIB, *FILE *FLR *DDIR *DDIR DSPLNK Relative Path Name : Prefix of current working directory containing object -No Pattern 13
14

*RX *RX *RX *R

*DIR

"root" (/), QOpenSys, UDFS QSYS.LIB27 QDLS QOPT


11

*RX

*LIB, *FILE *FLR *DDIR *DDIR DSPLNK Relative Path Name : Prefix of current working directory containing object -Pattern specified13
14

*RX *RX *RX *R

*DIR

"root" (/), QOpenSys, UDFS QSYS.LIB27 QDLS QOPT


11

*RX

*LIB *FILE *FLR *DDIR *DDIR DSPMFSINF Object Path Prefix EDTF Database file, existing member Database file library Database file, new member Database file library, new member Stream file, existing file Any

*RX *RX *RX *R

Any

None

Refer to the general rules. *FILE *LIB *FILE *LIB *STMF QSYS.LIB QSYS.LIB QSYS.LIB QSYS.LIB QOpenSys, "root" (/), UDFS QSYS.LIB QOpenSys, "root" (/), UDFS *CHANGE *EXECUTE *CHANGE, *OBJMGT *EXECUTE, *ADD *R

User space Parent directory when creating a new stream file Path prefix

*USRSPC *DIR

*CHANGE *WX

Refer to the general rules.



Command ENDJRN

Referenced object Object

Object type *DIR if Subtree (*ALL) *DIR if Subtree (*NONE), *SYMLNK, *STMF *DTAARA, *DTAQ

File system QOpenSys, "root" (/), UDFS QOpenSys, "root" (/), UDFS QSYS.LIB

Authority needed for object1 *R, *X, *OBJMGT *R, *OBJMGT

*OBJOPR, *READ, *OBJMGT *X

Parent Directory

*DIR

QOpenSys, "root" (/), UDFS QSYS.LIB QSYS.LIB

*LIB Journal Path Prefix MOV


19

*X *OBJMGT, *OBJOPR

*JRN

Refer to the general rules. *DIR not *DIR *DOC *FILE *MBR other *STMF QOpenSys, "root" (/) QOpenSys, "root" (/) QDLS QSYS.LIB QSYS.LIB QSYS.LIB QOPT
11

Object moved within same file system

*OBJMGT, *W *OBJMGT *ALL *OBJOPR, *OBJMGT None None *W *WX

MOV

Path (source), parent directory

*DIR

QOpenSys, "root" (/), UDFS QDLS QSYS.LIB, "root" (/) QOpenSys, "root" (/) QSYS.LIB QDLS QSYS.LIB

*FLR *FILE others Path (target), parent directory *DIR *FLR *FILE

*RWX *RX, *OBJEXIST *RWX *WX *CHANGE (*RWX) *X, *ADD, *DLT, *OBJMGT *RWX *WX

*LIB *DDIR

QSYS.LIB QOPT11


Command MOV

Referenced object Path prefix (target)

Object type *LIB *FLR *DIR *DDIR

File system QSYS.LIB QDLS others QOPT


11

Authority needed for object1 *X, *ADD *X *X *X *R, *OBJEXIST, *OBJMGT *ALL Not applicable *RW *R, *OBJMGT, *OBJEXIST *ALL

Object moved across file systems into QOpenSys, "root" (/) or QDLS (stream file *STMF and *DOC, *MBR only).

*STMF

QOpenSys, "root" (/), UDFS QDLS QSYS.LIB QOPT


11

*DOC *MBR *DSTMF MOV Moved into QSYS *MBR *STMF

QOpenSys, "root" (/), UDFS QDLS QOPT QOPT


11 8

*DOC *DSTMF MOV Optical volume (Source and Target) Path (source) moved across file systems, parent directory *DDIR *DIR

*RW *CHANGE *WX

QOpenSys, "root" (/), UDFS QDLS QSYS. LIB

*FLR *FILE

*X ownership, *RX, *OBJEXIST *WX

*DDIR Path Prefix RCLLNK


16 18

QOPT11

Refer to the general rules.

RLSIFSLCK

object

*STMF

"root" (/), QOpenSys, UDFS

*R

Path prefix RMVDIR


19,20

Refer to the general rules. *DIR QOpenSys, "root" (/), UDFS QSYS.LIB QSYS.LIB QDLS QOPT
11

Directory

*OBJEXIST

*LIB *FILE *FLR *DDIR

*RX, *OBJEXIST *OBJOPR, *OBJEXIST *ALL *W


Command RMVDIR

Referenced object Parent directory

Object type *DIR

File system QOpenSys, "root" (/), UDFS QDLS QSYS.LIB QOPT All QOPT8
11

Authority needed for object1 *WX

*FLR *LIB, *FILE *DDIR Directory that contains objects when SUBTREE(*ALL) is specified Optical volume Path Prefix RMVLNK
19

*X *X *WX *RX *CHANGE

Any directory *DDIR

Refer to the general rules. *DOC *MBR *FILE *JRNRCV other *DSTMF Any QDLS QSYS.LIB QSYS.LIB QSYS.LIB QSYS.LIB QOPT
11

Object

*ALL

*OBJOPR, *OBJEXIST *OBJEXIST, *R *OBJEXIST *W *OBJEXIST

QOpenSys, "root" (/), UDFS QDLS QSYS.LIB QSYS.LIB QOpenSys, "root" (/), UDFS QOPT11 QOPT
8

RMVLNK

Parent Directory

*FLR *FILE *LIB *DIR

*X *X, *OBJEXIST *X *WX

*DDIR Optical volume Path prefix RNM


19

*WX *CHANGE

*DDIR

Refer to the general rules. *DIR QOpenSys, "root" (/), UDFS QOpenSys, "root" (/), UDFS QDLS QSYS.LIB QSYS.LIB QSYS.LIB QOPT QOPT
11 8

Object

*OBJMGT, *W

Not *DIR

*OBJMGT

*DOC, *FLR *MBR *FILE others *DSTMF Optical Volume (Source and Target) *DDIR

*ALL Not applicable *OBJMGT, *OBJOPR *OBJMGT *W *CHANGE


Command RNM

Referenced object Parent directory

Object type *DIR

File system QOpenSys, "root" (/), UDFS QDLS QSYS.LIB QSYS.LIB QOPT
11

Authority needed for object1 *WX

*FLR *FILE *LIB *DDIR Path prefix *LIB Any

*CHANGE (*RWX) *X, *OBJMGT *X, *UPD *WX *X, *UPD *X

QSYS.LIB QOpenSys, "root" (/), UDFS, QDLS QOpenSys, "root" (/), UDFS QSYS.LIB QDLS

RST (Q) 23, 28, 30

Object, if it exists2

Any

*W, *OBJEXIST

Varies *ALL

10

Path prefix Parent directory created by the restore operation due to CRTPRNDIR(*YES)2 Parent directory owner specified on parameter PRNDIROWN2, 6 RST (Q) Parent directory of object being restored2

Refer to the general rules. *DIR QOpenSys, "root" (/), UDFS QSYS.LIB QOpenSys, "root" (/), UDFS QDLS *WX

*USRPRF *DIR

*ADD *WX

Parent directory of object being restored, if the object does not exist2

*FLR *DIR

*CHANGE *OBJMGT, *OBJALTER, *READ, *ADD, *UPD

User profile owning new object being restored2 Tape unit, optical unit, or save file Media definition RST (Q) Library for device description, media definition, or save file Output file, if specified

*USRPRF *DEVD, *FILE *MEDDFN *LIB *STMF

QSYS.LIB QSYS.LIB QSYS.LIB QSYS.LIB QOpenSys, "root" (/), UDFS QSYS.LIB QOpenSys, "root" (/), UDFS QSYS.LIB

*ADD *RX *USE *EXECUTE *W

*USRSPC Path prefix of output file *DIR

*RWX *X

*LIB

*RX


Command RST (Q)

Referenced object Optical volume if restoring from optical device Optical path prefix and parent if restoring from optical device Optical file if restoring from optical device

Object type *DDIR *DDIR *DSTMF *DIR

File system QOPT8 QOPT11 QOPT11 QOpenSys, "root" (/), UDFS, QDLS, QOPT11 QOPT11 QDLS QSYS.LIB

Authority needed for object1 *USE *X *R *RX

RTVCURDIR

Path prefix

*DDIR *FLR *LIB, *FILE Any RTVCURDIR Current directory *DIR

*RX *RX *RX *R

QOpenSys, "root" (/), UDFS, QOPT


11

*X

*DDIR *LIB, *FILE *FLR Any SAV


29 2

QOPT11 QSYS.LIB QDLS

*X *X *X *R

Object

Any

QOpenSys, "root" (/), UDFS QSYS.LIB QDLS

*R, *OBJEXIST

Varies *ALL

10

Path prefix Tape unit, optical unit Media definition SAV Save file, if empty Save file, if not empty Save-while-active message queue Libraries for device description, media definition, save file, or save-while-active message queue SAV Output file, if specified

Refer to the general rules. *DEVD *MEDDFN *FILE *FILE *MSGQ *LIB QSYS.LIB QSYS.LIB QSYS.LIB QSYS.LIB QSYS.LIB QSYS.LIB *RX *USE *USE, *ADD *OBJMGT, *USE, *ADD *OBJOPR, *ADD *EXECUTE

*STMF

QOpenSys, "root" (/), UDFS QSYS.LIB QOpenSys, "root" (/), UDFS QSYS.LIB

*W

*USRSPC Path prefix of output file *DIR

*RWX *X

*LIB

*RX


Command SAV

Referenced object Optical volume, if saving to optical device Optical path prefix if saving to optical device

Object type *DDIR *DDIR

File system QOPT8 QOPT


11

Authority needed for object1 *CHANGE *X *WX *RW

Optical parent directory if saving to optical *DDIR device Optical file (If it previously exists) SAVRST On the source system, same authority as required by SAV command. On the target system, same authority as required by RST command. STATFS Object Path Prefix STRJRN Object Any *DSTMF

QOPT11 QOPT11

Any

None

Refer to the general rules. *DIR if Subtree (*ALL) *DIR if subtree (*NONE), *SYMLNK, *STMF *DTAARA, *DTAQ QOpenSys, "root" (/), UDFS QOpenSys, "root" (/), UDFS QSYS.LIB *R, *X, *OBJMGT *R, *OBJMGT

*OBJOPR, *READ, *OBJMGT *X

Parent Directory

*DIR

QOpenSys, "root" (/), UDFS QSYS.LIB QSYS.LIB

*LIB Journal Path Prefix WRKAUT


6, 7

*X *OBJMGT, *OBJOPR

*JRN

Refer to the general rules. *DOC or *FLR All *DDIR and *DSTMF QDLS not QDLS QOPT11 QOPT8 *ALL *OBJMGT or ownership *NONE *USE

Object

Optical volume Path prefix

*DDIR

Refer to the general rules.


Command WRKLNK

Referenced object Any

Object type Any

File system "root" (/), QOpenSys, UDFS, QSYS.LIB27, QDLS, QOPT11 "root" (/), QOpenSys, UDFS "root" (/), QOpenSys, UDFS QOPT8 "root" (/), QOpenSys, UDFS QSYS.LIB27 QDLS QOPT
11

Authority needed for object1 None

File, Option 12 (Work with Links)

*STMF, *SYMLNK, *DIR, *BLKSF, *SOCKET *SYMLNK

*R

Symbolic link object

None

Optical volume WRKLNK Parent directory of referenced object - No Pattern 13

*DDIR *DIR

*USE *X

*LIB, *FILE *FLR *DDIR *DDIR WRKLNK Parent directory of referenced object Pattern Specified *DIR

*X *X *X *R

"root" (/), QOpenSys, UDFS QSYS.LIB27 QDLS QOPT


11

*R

*LIB *FILE *FLR *DDIR *DDIR WRKLNK Parent directory of referenced objectOption 8 (Display Attributes) *DIR

*R *R *R *R

"root" (/), QOpenSys, UDFS QSYS.LIB27 QDLS QOPT


11

*X

*LIB *FILE *FLR *DDIR *DDIR WRKLNK Parent directory of referenced object Option 12 (Work with Links) *DIR

*X *X *X *R

"root" (/), QOpenSys, UDFS "root" (/), QOpenSys, UDFS QSYS.LIB27 QDLS QOPT11

*RX

*SYMLNK

*X

*LIB *FILE *FLR *DDIR *DDIR

*X *X *X *R


Command WRKLNK

Referenced object Prefix of parent referenced object - No Pattern 13

Object type *DIR

File system "root" (/), QOpenSys, UDFS QSYS.LIB27 QDLS QOPT


11

Authority needed for object1 *X

*LIB *FILE *FLR *DDIR *DDIR WRKLNK Prefix of parent referenced object - Pattern specified13 *DIR

*X *X *X *R

"root" (/), QOpenSys, UDFS QSYS.LIB27 QDLS QOPT


11

*X

*LIB, *FILE *FLR *DDIR *DDIR WRKLNK Prefix of parent referenced object - Option 8 (Display Attributes) *DIR

*X *X *X *R

"root" (/), QOpenSys, UDFS QSYS.LIB27 QDLS QOPT


11

*RX

*LIB, *FILE *FLR *DDIR *DDIR WRKLNK Prefix of parent referenced object - Option 12 (Work with Links) *DIR

*X *X *X *R

"root" (/), QOpenSys, UDFS "root" (/), QOpenSys, UDFS QSYS.LIB27 QDLS QOPT
11

*RX

*SYMLNK

*X

*LIB, *FILE *FLR *DDIR *DDIR

*X *X *X *R


Command WRKLNK

Referenced object Relative Path Name : Current working directory containing object -No Pattern13
14

Object type *DIR

File system "root" (/), QOpenSys, UDFS QSYS.LIB27 QDLS QOPT


11

Authority needed for object1 *RX

*LIB *FILE *FLR *DDIR *DDIR Relative Path Name : Current working directory containing object -Pattern Specified13
14

*X *X *RX *R

*DIR

"root" (/), QOpenSys, UDFS QSYS.LIB27 QDLS QOPT


11

*RX

*LIB *FILE *FLR *DDIR *DDIR WRKLNK Relative Path Name : Prefix of current working directory containing object -No Pattern 13
14

*RX *RX *RX *R

*DIR

"root" (/), QOpenSys, UDFS QSYS.LIB27 QDLS QOPT


11

*RX

*LIB, *FILE *FLR *DDIR *DDIR Relative Path Name Prefix of current working directory containing object -Pattern specified13
14

*RX *RX *RX *R

*DIR

"root" (/), QOpenSys, UDFS QSYS.LIB27 QDLS QOPT


11

*RX

*LIB, *FILE *FLR *DDIR *DDIR



*RX *RX *RX *R

Notes for the integrated file system commands table:

1. Adopted authority is not used for integrated file system commands.
2. If you have *SAVSYS special authority, you do not need the authority specified for the QSYS.LIB, QDLS, QOpenSys, and "root" (/) file systems.
3. The authority required varies by object type. See the description of the QLIRNMO API. If the object is a database member, see the authorities for the Rename Member (RNMM) command.
4. You must have *AUDIT special authority to change an auditing value.
5. If the user issuing the command does not have *ALLOBJ authority, the user must be a member of the new primary group.
6. If the profile that is specified using the PRNDIROWN parameter is not the user doing the restore operation, *SAVSYS or *ALLOBJ special authority is required.
7. These commands require the authority shown plus the authorities required for the DSPCURDIR command.
8. Optical volumes are not actual system objects. The link between the optical volume and the authorization list used to secure the volume is maintained by the optical support function.
9. The user must have *AUDIT special authority to change the *CRTOBJAUD attribute, and the user does not need any of the normal path name prefix authorities (*X and *R).
10. Authority required varies by the command used. See the respective SAVOBJ or RSTOBJ command for the required authority.
11. Authority required by QOPT against media formatted in "Universal Disk Format" (UDF).
12. *ADD is needed only when the object being moved to is a *MBR.
13. Pattern: In some commands, an asterisk (*) or a question mark (?) can be used in the last component of the path name to search for names matching a pattern.
14. Relative path name: If a path name does not begin with a slash, the predecessor of the first component of the path name is taken to be the current working directory of the process. For example, if a path name of 'a/b' is specified, and the current working directory is '/home/john', then the object being accessed is '/home/john/a/b'.
15. If you have *ALLOBJ special authority, you do not need the listed authority.
16. You must have *ALLOBJ special authority to use this command.
17. In the above table, QSYS.LIB refers to independent ASP QSYS.LIB file systems as well as the QSYS.LIB file system.
18. To use this command, you must have *IOSYSCFG special authority.
19. If the restricted renames and unlinks attribute (also known as the S_ISVTX bit) is on for a directory, it restricts unlinking objects from that directory unless one of these conditions is met:
   - The user has all object (*ALLOBJ) special authority.
   - The user is the owner of the object being unlinked.
   - The user is the owner of the directory.
20. If RMVLNK(*YES) is specified, the user must also have *OBJEXIST authority to all objects in the specified directory.
21. For QSYS.LIB, "root" (/), QOpenSys, and user-defined file systems, the audit (*AUDIT) special authority is required if a value other than *SYSVAL is specified for the CRTOBJAUD parameter.
22. The user must have all object (*ALLOBJ) and security administrator (*SECADM) special authorities to specify a value for the Scanning option for objects (CRTOBJSCAN) parameter other than *PARENT.
23. You must have *ALLOBJ special authority to specify a value other than *NONE for the Allow object differences (ALWOBJDIF) parameter. Also, you must have *SAVSYS or *ALLOBJ special authority to specify *UDFS as the value for the RBDMFS parameter.
24. The user must have all object (*ALLOBJ) and security administrator (*SECADM) special authority when changing the owner of a stream file (*STMF) with an attached Java program whose authority checking while the program is running includes the user and the owner.
25. The user must have all object (*ALLOBJ) and security administrator (*SECADM) special authority when copying a stream file (*STMF) with an attached Java program whose authority checking includes the user and the owner.
26. The user must have all object (*ALLOBJ) and security administrator (*SECADM) special authority to specify the *CRTOBJSCAN and *SCAN attributes.
27. When you display the contents of the /QSYS.LIB directory, user profile (*USRPRF) objects to which the caller does not have any authority (such as *EXCLUDE) are not returned.
28. The user must have *ALLOBJ special authority to specify *YES for the PVTAUT parameter.
29. The user must have *ALLOBJ or *SAVSYS special authority to specify *YES for the PVTAUT parameter.
30. You must have *SAVSYS or *ALLOBJ special authority to specify *UDFS as the value for the RBDMFS parameter.

Interactive data definition commands


This table lists the specific authorities required for the interactive data definition commands.
Authority needed Command ADDDTADFN Referenced object Data dictionary File CRTDTADCT DLTDTADCT DSPDTADCT LNKDTADFN
1 3

For object *CHANGE *OBJOPR, *OBJMGT

For library *EXECUTE *EXECUTE *READ, *ADD

Data dictionary Data dictionary Data dictionary Data dictionary File OBJEXIST, *USE *USE *USE *OBJOPR, *OBJMGT

*EXECUTE *EXECUTE *EXECUTE

STRIDD WRKDTADCT WRKDBFIDD


2 2

Data dictionary Data dictionary Database file

*OBJOPR *USE
4

*EXECUTE *EXECUTE *EXECUTE *EXECUTE

*OBJOPR *USE, *CHANGE

WRKDTADFN
Data dictionary

Notes for the interactive data definition commands table:

1. Authority to the data dictionary is not required to unlink a file.
2. To use individual operations, you must have the authority required by the individual operation.
3. Before the dictionary is deleted, all linked files are unlinked. Refer to the LNKDTADFN command for the authority required to unlink a file.
4. You need use authority to the data dictionary to create a new file. No authority to the data dictionary is needed to enter data in an existing file.

Internetwork Packet Exchange (IPX) commands


This table lists the specific authorities required for the Internetwork Packet Exchange (IPX) commands. Appendix C, Commands shipped with public authority *EXCLUDE, on page 325 shows which IBM-supplied user profiles are authorized to the command. The security officer can grant *USE authority to others.


Command  | Referenced object | For object | For library
DLTIPXD  | IPX description   | *OBJEXIST  | *EXECUTE
DSPIPXD  | IPX description   | *USE       | *EXECUTE
WRKIPXD  | IPX description   | *OBJOPR    | *EXECUTE

Information search index commands


This table lists the specific authorities required for the information search index commands.
Command     | Referenced object | For object | For library
ADDSCHIDXE  | Search index      | *CHANGE    | *USE
ADDSCHIDXE  | Panel group       | *USE       | *EXECUTE
CHGSCHIDX   | Search index      | *CHANGE    | *USE
CRTSCHIDX   | Search index      |            | *READ, *ADD
DLTSCHIDX   | Search index      | *OBJEXIST  | *EXECUTE
RMVSCHIDXE  | Search index      | *CHANGE    | *USE
STRSCHIDX   | Search index      | *USE       | *EXECUTE
WRKSCHIDX1  | Search index      | *ANY       | *USE
WRKSCHIDXE  | Search index      | *USE       | *USE

IPL attribute commands


This table lists the specific authorities required for the IPL attribute commands. Commands identified by (Q) are shipped with public authority *EXCLUDE. Appendix C, Commands shipped with public authority *EXCLUDE, on page 325 shows which IBM-supplied user profiles are authorized to the command. The security officer can grant *USE authority to others.
These commands do not require authorities to objects: CHGIPLA (Q)1, DSPIPLA

1. To use this command, you must have *SECADM and *ALLOBJ special authorities.

Java commands
This table lists the specific authorities required for the Java commands.
Command     | Referenced object         | For object | For library
ANZJVM      | QSYS/STRSRVJOB command    | *USE       |
ANZJVM      | QSYS/STRDBG command       | *USE       |
DSPJVMJOB1  | Java Virtual Machine jobs |            |
GENJVMDMP1  |                           |            |
PRTJVMJOB1  |                           |            |
WRKJVMJOB1  |                           |            |

1. You must have *JOBCTL special authority to use this command.

Job commands
This table lists the specific authorities required for the Job commands. Commands identified by (Q) are shipped with public authority *EXCLUDE. Appendix C, Commands shipped with public authority *EXCLUDE, on page 325 shows which IBM-supplied user profiles are authorized to the command. The security officer can grant *USE authority to others.
Authority needed Command BCHJOB Referenced object Job description
9,11

For object *USE *USE *USE *USE *USE, *ADD *USE

For library *EXECUTE

Libraries in the library list (system, current, and user)7 User profile in job description Sort sequence table Message queue Job queue
1 10,11 7 10 7 10

*EXECUTE *EXECUTE *EXECUTE *EXECUTE

Output queue CHGACGCDE CHGGRPA 4 CHGJOB


1,2,3

*READ

Message queue if associating a message queue with a group

*OBJOPR

*EXECUTE *EXECUTE *EXECUTE *EXECUTE *EXECUTE *EXECUTE *EXECUTE

New job queue, if changing the job queue10,11 *USE New output queue, if changing the output queue7 Current output queue, if changing the output queue Sort sequence table7 *READ *READ *USE *USE *USE

CHGPJ

User profile for the program start request to specify *PGMSTRRQS User profile and job description
13

CHGSYSJOB(Q) CHGUSRTRC14

User trace buffer when CLEAR (*YES) is used.15 User trace buffer when MAXSTG is used15 User trace buffer when TRCFULL is used.
15 15

*OBJOPR

*EXECUTE

*CHANGE, *OBJMGT *USE *OBJOPR *OBJOPR, *OBJEXIST *EXECUTE *EXECUTE

DLTUSRTRC DLYJOB
4

User trace buffer

DMPUSRTRC DSCJOB
1

User trace buffer

15

*OBJOPR

*EXECUTE


Authority needed Command DSPACTPJ Referenced object Auxiliary storage pool (ASP) device description Program library DSPJOB
1

For object *USE

For library

*EXECUTE

DSPJOBTBL DSPJOBLOG
1,5

Output file and member exist Member does not exist Output file does not exist

*OBJOPR, *OBJMGT, *ADD *OBJOPR, *OBJMGT, *ADD *OBJOPR

*EXECUTE *EXECUTE, *ADD *EXECUTE, *ADD

ENDGRPJOB ENDJOB
1 1

ENDJOBABN
6

ENDLOGSVR6 ENDPJ Auxiliary storage pool (ASP) device description Program library HLDJOB RLSJOB RRTJOB RTVJOBA SBMDBJOB Database file Job queue SBMDKTJOB
2, 12, 17, 18 1 1

*USE *EXECUTE

*USE *READ *USE, *ADD *READ *USE *USE *USE, *ADD *USE
10 9,11

*EXECUTE *EXECUTE *EXECUTE *EXECUTE *EXECUTE

Message queue Job queue and device description

SBMJOB

Job description

Libraries in the library list (system, current, and user)7 Message queue10 User profile
10,11

*EXECUTE

User profile in job description Job queue


10,11 7 7

*USE (at level 40) *USE *READ *USE *USE *USE *EXECUTE *EXECUTE *EXECUTE *EXECUTE

Output queue

Sort sequence table

ASP devices in the initial ASP group SBMNETJOB STRLOGSVR STRPJ


6 6

Database file

Subsystem description Program Auxiliary storage pool (ASP) device description

*USE *USE *USE *EXECUTE


Authority needed Command TFRBCHJOB TFRGRPJOB TFRJOB


8

Referenced object Job queue First group program Job queue Subsystem description to which the job queue is allocated

For object *READ *USE *USE *USE

For library *EXECUTE *EXECUTE *EXECUTE

TFRSECJOB WRKACTJOB WRKARMJOB16 WRKASPJOB WRKJOB


1

Device description

*USE

WRKJOBLOG WRKSBMJOB WRKSBSJOB WRKUSRJOB


1

Notes for the job commands table:

1. Any user can run these commands for jobs running under his own user profile. A user with job control (*JOBCTL) special authority can run these commands for any job.
2. If you have *SPLCTL special authority, you do not need any authority to the job queue. However, you need authority to the library that contains the job queue.
3. You must have the authority (specified in your user profile) for the scheduling priority and output priority specified. To change certain job attributes, even in the user's own job, requires job control (*JOBCTL) special authority. These attributes are RUNPTY, TIMESLICE, PURGE, DFTWAIT, and TSEPOOL.
4. This command only affects the job in which it was specified.
5. To display a job log for a job that has all object (*ALLOBJ) special authority, you must have *ALLOBJ special authority or be authorized to the All Object Job Log function of the i5/OS through Application Administration in System i Navigator. The Change Function Usage (CHGFCNUSG) command, with a function ID of QIBM_ACCESS_ALLOBJ_JOBLOG, can also be used to change the list of users that are allowed to display a job log of a job with *ALLOBJ special authority.
6. To use this command, job control (*JOBCTL) special authority is required.
7. The user profile under which the submitted job runs is checked for authority to the referenced object. The adopted authority of the user submitting or changing the job is not used.
8. If the job being transferred is an interactive job, the following restrictions apply:
   - The job queue where the job is placed must be associated with an active subsystem.
   - The workstation associated with the job must have a corresponding workstation entry in the subsystem description associated with the new subsystem.
   - The workstation associated with the job must not have another job associated with it that has been suspended by means of the Sys Req (System Request) key. The suspended job must be canceled before the Transfer Job command can run.
   - The job must not be a group job.
9. Both the user submitting the job and the user profile under which the job will run are checked for authority to the referenced object.
10. The user submitting the job is checked for authority to the referenced object.
11. The adopted authority of the user issuing the CHGJOB or SBMJOB command is used.
12. You must be authorized to the user profile and the job description; the user profile must also be authorized to the job description.
13. To change certain job attributes, even in the user's own job, requires job control (*JOBCTL) and all object (*ALLOBJ) special authorities.
14. Any user can run these commands for jobs running under his own user profile. A user with job control (*JOBCTL) special authority can run these commands for any job.
15. A user trace buffer is a user space (*USRSPC) object in library QUSRSYS by the name QPOZnnnnnn, where 'nnnnnn' is the job number of the job using the user trace facility.
16. To work with a specific job or to display details of a specific job, one of the following conditions must apply:
   - The command must be issued from within that job.
   - The issuer of the command must be running under a user profile that is the same as the job user identity of the job.
   - The issuer of the command must be running under a user profile that has job control (*JOBCTL) special authority.
17. You must have use (*USE) authority to the Changing Accounting Code (CHGACGCDE) command to specify a character-value accounting code on the Accounting code (ACGCDE) parameter.
18. You must have job control (*JOBCTL) special authority to use the Submitted for (SBMFOR) parameter.

Job description commands


This table lists the specific authorities required for the job description commands. Commands identified by (Q) are shipped with public authority *EXCLUDE. Appendix C, Commands shipped with public authority *EXCLUDE, on page 325 shows which IBM-supplied user profiles are authorized to the command. The security officer can grant *USE authority to others.
Authority needed Command CHGJOBD Referenced object Job description User profile (USER) CPYAUDJRNE
8

For object *OBJOPR, *OBJMGT, *READ *USE *OBJOPR *OBJMGT *ADD *DLT

For library *EXECUTE

Output file already exists Output file does not exist

*EXECUTE *EXECUTE *ADD *READ, *ADD

CRTJOBD (Q)

Job description User profile (USER) *USE *OBJEXIST *OBJOPR, *READ

DLTJOBD DSPJOBD PRTJOBDAUT WRKJOBD


1 1

Job description Job description

*EXECUTE *EXECUTE

Job description

Any

*USE

You must have *ALLOBJ or *AUDIT special authority to use this command.


Job queue commands


This table lists the specific authorities required for the job queue commands.
Referenced object Job queue Job queue parameters AUTCHK *DTAAUT OPRCTL
4

Command CHGJOBQ

Special authority

Authority needed For object For library

*READ, *ADD, *EXECUTE *DLT, *OBJMGMT Owner *YES *JOBCTL


2

*OWNER
1

*EXECUTE *EXECUTE

CLRJOBQ

Job queue

*DTAAUT *OWNER *YES *JOBCTL

*READ, *ADD, *EXECUTE *DLT Owner


2

*EXECUTE *EXECUTE *READ, *ADD

CRTJOBQ DLTJOBQ HLDJOBQ

Job queue Job queue *OBJEXIST *DTAAUT *OWNER *YES *JOBCTL


5

*EXECUTE

Job queue

*READ, *ADD, *EXECUTE *DLT Owner


2

*EXECUTE *EXECUTE

PRTQAUT RLSJOBQ
1

Job queue

*DTAAUT *OWNER *YES *JOBCTL

*READ, *ADD, *EXECUTE *DLT Owner


2

*EXECUTE *EXECUTE

WRKJOBQ

1,3

Job queue

*DTAAUT *OWNER *YES *JOBCTL

*READ Owner
2

*EXECUTE *EXECUTE *EXECUTE

WRKJOBQD

Job queue *YES *JOBCTL

*READ

*EXECUTE *EXECUTE

Notes for the job queue commands table:

1. If you have *SPLCTL special authority, you do not need any authority to the job queue, but you need authority to the library containing the job queue.
2. You must be the owner of the job queue.
3. If you request to work with all job queues, your list display includes all the job queues in libraries to which you have *EXECUTE authority.
4. To display the job queue parameters, use the QSPRJOBQ API.
5. You must have *ALLOBJ or *AUDIT special authority to use this command.


Job schedule commands


This table lists the specific authorities required for the job schedule commands.
Authority needed Command ADDJOBSCDE Referenced object Job schedule Job description Job queue
1,2 1

For object *CHANGE *USE *READ *USE

For library *EXECUTE *EXECUTE *EXECUTE *EXECUTE *EXECUTE *EXECUTE *EXECUTE *EXECUTE *EXECUTE *EXECUTE *EXECUTE *EXECUTE *EXECUTE *EXECUTE

User profile Message queue CHGJOBSCDE


3 1

*USE, *ADD *CHANGE

Job schedule Job description Job queue


1,2 1

*USE *READ *USE

User profile Message queue HLDJOBSCDE RLSJOBSCDE


3 3 4 3 1

*USE, *ADD *CHANGE *CHANGE *CHANGE *USE

Job schedule Job schedule Job schedule Job schedule

RMVJOBSCDE WRKJOBSCDE
1

Notes for the job schedule commands table:

1. Both the user profile adding the entry and the user profile under which the job will run are checked for authority to the referenced object.
2. Authority to the job queue cannot come from adopted authority.
3. You must have *JOBCTL special authority or have added the entry.
4. To display the details of an entry (option 5 or print format *FULL), you must have *JOBCTL special authority or have added the entry.

Journal commands
This table lists the specific authorities required for the journal commands. Commands identified by (Q) are shipped with public authority *EXCLUDE. Appendix C, Commands shipped with public authority *EXCLUDE, on page 325 shows which IBM-supplied user profiles are authorized to the command. The security officer can grant *USE authority to others.
Authority needed For object Command ADDRMTJRN Referenced object Source journal Target journal APYJRNCHG (Q) Journal Journal receiver Nonintegrated file system objects whose journaled changes are being applied integrated file system objects whose journal changes are being applied *USE *USE For library or directory

*CHANGE, *OBJMGT *EXECUTE *EXEC, *ADD *EXECUTE *EXECUTE

*OBJMGT, *CHANGE, *EXECUTE, *ADD *OBJEXIST *RW, *OBJMGT *RX (if subtree *ALL)


Authority needed For object Command APYJRNCHGX (Q) Referenced object Journal Journal receiver File CHGJRN (Q) Journal receiver, if specified Attached journal receiver Journal Journal if RCVSIZOPT(*MINFIXLEN) is specified. CHGJRNA (Q) CHGJRNOBJ
9 10

For library or directory

*USE *USE *OBJMGT, *CHANGE, *EXECUTE, *ADD *OBJEXIST *OBJMGT, *USE *OBJMGT, *USE *OBJOPR, *OBJMGT, *UPD *OBJOPR, *OBJMGT, *UPD, *OBJALTER *EXECUTE *EXECUTE *EXECUTE *EXECUTE

Journal Nonintegrated file system objects Integrated file system objects Object path SUBTREE(*ALL) Object path SUBTREE(*NONE)

*OBJOPR, *OBJMGT *READ, *OBJMGT *R, *OBJMGT *RX, *OBJMGT *R, *OBJMGT *CHANGE, *OBJMGT *EXECUTE *USE, *OBJMGT *USE *USE *USE *OBJOPR, *OBJMGT, *ADD, *DLT *EXECUTE *EXECUTE *EXECUTE *EXECUTE *EXECUTE *EXECUTE, *ADD *READ, *ADD *OBJOPR, *OBJMGT, *READ *OBJOPR, *OBJEXIST *EXECUTE *EXECUTE *X

CHGRMTJRN

Source journal Source journal

CMPJRNIMG

Journal Journal receiver File


8

CPYAUDJRNE

Output file already exists Output file does not exist

CRTJRN

Journal Journal receiver

DLTJRN DSPAUDJRNE
8

Journal


Each row below gives the referenced object, then the authority needed for the object and for its library or directory.

DSPJRN (6)
    Journal: object *USE; library *EXECUTE
    Journal, if FILE(*ALLFILE) is specified, no object selection is specified, the specified object has been deleted from the system, the specified object has never been journaled, *IGNFILSLT or *IGNOBJSLT is specified for any selected journal codes, OBJJID is specified, or the journal is a remote journal: object *OBJEXIST, *USE; library *EXECUTE
    Journal receiver: object *USE; library *EXECUTE
    Nonintegrated file system object, if specified: object *USE; library *EXECUTE
    Output file: object, refer to the general rules; library, refer to the general rules
    Integrated file system object, if specified: object *R (it can be *X as well if the object is a directory and SUBTREE(*ALL) is specified); directory *X
DSPJRNMNU (1)
ENDJRN
    See Integrated file system commands on page 390.
ENDJRNAP
    Journal: object *OBJOPR, *OBJMGT; library *EXECUTE
    File: object *OBJOPR, *OBJMGT; library *EXECUTE
ENDJRNLIB
    Journal: object *OBJOPR, *OBJMGT; library *EXECUTE
    Library: object *OBJOPR, *OBJMGT, *READ
ENDJRNOBJ
    Journal: object *OBJOPR, *OBJMGT; library *EXECUTE
    Object: object *OBJOPR, *READ, *OBJMGT; library *EXECUTE
ENDJRNPF
    Journal: object *OBJOPR, *OBJMGT; library *EXECUTE
    File: object *OBJOPR, *OBJMGT, *READ; library *EXECUTE
JRNAP (2)
JRNPF (3)


RCVJRNE
    Journal: object *USE; library *EXECUTE
    Journal, if FILE(*ALLFILE) is specified, no object selection is specified, the specified object has been deleted from the system, the specified object has never been journaled, *IGNFILSLT or *IGNOBJSLT is specified for any selected journal codes, OBJJID is specified, or the journal is a remote journal: object *OBJEXIST, *USE; library *EXECUTE
    Journal receiver: object *USE; library *EXECUTE
    Nonintegrated file system object, if specified: object *USE; library *EXECUTE
    Integrated file system object, if specified: object *R (it can be *X as well if the object is a directory and SUBTREE(*ALL) is specified); directory *X
    Exit program: object *USE; library *EXECUTE
RMVJRNCHG (Q)
    Journal: object *USE; library *EXECUTE
    Journal receiver: object *USE; library *EXECUTE
    Nonintegrated file system objects whose journaled changes are being removed: object *OBJMGT, *CHANGE; library *EXECUTE
RTVJRNE
    Journal: object *USE; library *EXECUTE
    Journal, if FILE(*ALLFILE) is specified, no object selection is specified, the specified object has been deleted from the system, the specified object has never been journaled, *IGNFILSLT or *IGNOBJSLT is specified for any selected journal codes, OBJJID is specified, or the journal is a remote journal: object *OBJEXIST, *USE; library *EXECUTE
    Journal receiver: object *USE; library *EXECUTE
    Nonintegrated file system object, if specified: object *USE; library *EXECUTE
    Integrated file system object, if specified: object *R (it can be *X as well if the object is a directory and SUBTREE(*ALL) is specified); directory *X
RMVRMTJRN
    Source journal: object *CHG, *OBJMGT; library *EXECUTE
SNDJRNE
    Journal: object *OBJOPR, *ADD; library *EXECUTE
    Nonintegrated file system object, if specified: object *OBJOPR; library *EXECUTE
    Integrated file system object, if specified: object *R; directory *X
STRJRN
    See Integrated file system commands on page 390.
STRJRNAP
    Journal: object *OBJOPR, *OBJMGT; library *EXECUTE
    File: object *OBJOPR, *OBJMGT; library *EXECUTE


STRJRNLIB
    Journal: object *OBJOPR, *OBJMGT; library *EXECUTE
    Library: object *OBJOPR, *OBJMGT, *READ
STRJRNPF
    Journal: object *OBJOPR, *OBJMGT; library *EXECUTE
    File: object *OBJOPR, *OBJMGT; library *EXECUTE
STRJRNOBJ
    Journal: object *OBJOPR, *OBJMGT; library *EXECUTE
    Object: object *OBJOPR, *READ, *OBJMGT; library *EXECUTE
WRKJRN (Q) (4, 5)
    Journal: object *USE; library *READ (7)
    Journal receiver: object *USE; library *EXECUTE
WRKJRNA (6)
    Journal: object *OBJOPR and a data authority other than *EXECUTE; library *EXECUTE
    Journal receiver: object *OBJOPR and a data authority other than *EXECUTE; library *EXECUTE

1. See the WRKJRN command (this command has the same function).
2. See the STRJRNAP command.
3. See the STRJRNPF command.
4. Additional authority is required for specific functions called during the operation selected. For example, to restore an object you must have the authority required for the RSTOBJ or RST command.
5. *OBJOPR and *OBJEXIST authority is required for journal receivers if the option is chosen to delete receivers.
6. To specify JRN(*INTSYSJRN), you must have *ALLOBJ special authority.
7. *READ authority to the journal's library is required to display the WRKJRN menu. *EXECUTE authority to the library is required to use an option on the menu.
8. You must have *AUDIT special authority to use this command.
9. To specify PTLTNS(*ALWUSE), you must have *ALLOBJ special authority.
10. You must have *JOBCTL special authority to use this command.

Journal receiver commands


This table lists the specific authorities required for the journal receiver commands.
Each row below gives the referenced object, then the authority needed for the object and for its library.

CRTJRNRCV
    Journal receiver: object (none listed); library *READ, *ADD
DLTJRNRCV
    Journal receiver: object *OBJOPR, *OBJEXIST, and a data authority other than *EXECUTE; library *EXECUTE
    Journal: object *OBJOPR; library *EXECUTE
DSPJRNRCVA
    Journal receiver: object *OBJOPR and a data authority other than *EXECUTE; library *EXECUTE
    Journal, if attached: object *OBJOPR; library *EXECUTE
WRKJRNRCV (1, 2, 3)
    Journal receiver: object, any authority; library *USE

1. To use an individual operation, you must have the authority required by the operation.
2. *OBJOPR and *OBJEXIST authority is required for journal receivers if the option is chosen to delete receivers.
3. *OBJOPR and a data authority other than *EXECUTE is required for journal receivers if the option is chosen to display the description.

Kerberos commands
This table lists the specific authorities required for the Kerberos commands.
Each row below gives the referenced object, its object type in parentheses, and the authority needed for the object.

ADDKRBKTE
    Each directory in the path name preceding the target key table file to be opened (*DIR): *X
    Parent directory of the target keytab file when add is specified, if the file does not already exist (*DIR): *WX
    Keytab file when list is specified (*STMF): *R
    Target keytab file when add or delete is specified (*STMF): *RW
    Each directory in the path to the configuration files (*DIR): *X
    Configuration files (*STMF): *R
ADDKRBTKT
    Each directory in the path name preceding the key table file (*DIR): *X
    Key table file (*STMF): *R
    Each directory in the path name preceding the credentials cache file (*DIR): *X
    Credentials cache file (*STMF): *RW
    Parent directory of the cache file to be used, if it is specified by the KRB5CCNAME environment variable and the file is being created (*DIR): *WX
    Each directory in the path name to the configuration files (*DIR): *X
    Configuration files (*STMF): *R
CHGKRBPWD
DLTKRBCCF, if the credentials cache file does not reside in the default directory
    Each directory in the path name preceding the credentials cache file (*DIR): *X
    Parent directory of the credentials cache file (*DIR): *WX
    Credentials cache file (*STMF): *RW, *OBJEXIST
    Each directory in the path name to the configuration files (*DIR): *X
    Configuration files (*STMF): *R
DLTKRBCCF, if the credentials cache file resides in the default directory
    All directories in the path name (*DIR): *X
    Credentials cache file (*STMF): *RW
    Each directory in the path to the configuration files (*DIR): *X
    Configuration files (*STMF): *R
DSPKRBCCF
    Each directory in the path name preceding the key table file (*DIR): *X
    Key table file (*STMF): *R
    Each directory in the path name preceding the credentials cache file (*DIR): *X
    Credentials cache file (*STMF): *RW
DSPKRBKTE
    Each directory in the path name preceding the target key table file to be opened (*DIR): *X
    Parent directory of the target keytab file when add is specified, if the file does not already exist (*DIR): *WX
    Keytab file when list is specified (*STMF): *R
    Target keytab file when add or delete is specified (*STMF): *RW
    Each directory in the path to the configuration files (*DIR): *X
    Configuration files (*STMF): *R
RMVKRBKTE
    Each directory in the path name preceding the target key table file to be opened (*DIR): *X
    Parent directory of the target keytab file when add is specified, if the file does not already exist (*DIR): *WX
    Keytab file when list is specified (*STMF): *R
    Target keytab file when add or delete is specified (*STMF): *RW
    Each directory in the path to the configuration files (*DIR): *X
    Configuration files (*STMF): *R

Language commands
This table lists the specific authorities required for the language commands.
Authority needed Command CLOSE CRTBNDC Referenced object Close command Source file Externally described device files and database files referred to in source program Program: REPLACE(*NO) Program: REPLACE(*YES) Directory specified in OUTPUT, PPSRCSTMF or MAKEDEP parameter File specified in OUTPUT, PPSRCSTMF or MAKEDEP parameter CRTBNDCBL Source file Externally described device files and database files referred to in source program Program: REPLACE(*NO) Program: REPLACE(*YES) Binding directory Table specified in SRTSEQ parameter CRTBNDCL Source file Include file Externally described device files and database files referred to in source program Program: REPLACE(*NO) Program: REPLACE(*YES) Table specified in SRTSEQ parameter Refer to the general rules. *USE Refer to the general rules. *USE *USE *USE *USE *OBJOPR Refer to the general rules. *USE Refer to the general rules. *USE *OBJOPR For object *USE *USE *OBJOPR For library *EXECUTE *EXECUTE *EXECUTE *READ, *ADD *READ, *ADD *EXECUTE *READ, *ADD *EXECUTE *EXECUTE *READ, *ADD *READ, *ADD *EXECUTE *EXECUTE *EXECUTE *EXECUTE *EXECUTE *READ, *ADD Refer to the general rules. *EXECUTE


Authority needed Command CRTBNDCPP Referenced object Source File Externally described device files and database files referred to in source program Program: REPLACE(*NO) Program: REPLACE(*YES) Directory specified in OUTPUT, PPSRCSTMF, TEMPLATE or MAKEDEP parameter File specified in OUTPUT, PPSRCSTMF, TEMPLATE or MAKEDEP parameter Headers generated by TEMPLATE parameter CRTBNDRPG Source file Externally described device files and database files referred to in source program Program: REPLACE(*NO) Program: REPLACE(*YES) Binding directory Table specified in SRTSEQ parameter CRTCBLMOD Source file Externally described device files and database files referred to in source program Module: REPLACE(*NO) Module: REPLACE(*YES) Table specified in SRTSEQ parameter CRTCLD Source file Locale object - REPLACE(*NO) Locale object - REPLACE(*YES) CRTCLMOD Source file Include file Externally described device files and database files referred to in source program Program: REPLACE(*NO) Program: REPLACE(*YES) Table specified in SRTSEQ parameter Refer to the general rules. *USE Refer to the general rules. *USE *USE *OBJOPR Refer to the general rules. *USE *USE Refer to the general rules. *USE *USE *USE *OBJOPR Refer to the general rules. *USE For object *USE *OBJOPR For library *EXECUTE *EXECUTE *READ, *ADD *READ, *ADD *EXECUTE

Refer to the general rules. *USE *USE *OBJOPR

*READ, *ADD *EXECUTE *EXECUTE *EXECUTE *READ, *ADD *READ, *ADD *EXECUTE *EXECUTE *EXECUTE *EXECUTE *READ, *ADD *READ, *ADD *EXECUTE *EXECUTE *READ, *ADD *READ, *ADD *EXECUTE *EXECUTE *EXECUTE *READ, *ADD Refer to the general rules. *EXECUTE


Authority needed Command CRTCLPGM Referenced object Source file Include file Externally described device files and database files referred to in source program Program: REPLACE(*NO) Program: REPLACE(*YES) Table specified in SRTSEQ parameter CRTCBLPGM (COBOL/400* licensed program or S/38 environment) Source file Externally described device files and database files referred to in source program Program: REPLACE(*NO) Program: REPLACE(*YES) Table specified in SRTSEQ parameter CRTCMOD Source file Externally described device files and database files referred to in source program Module: REPLACE(*NO) Module: REPLACE(*YES) File specified in OUTPUT, PPSRCSTMF or MAKEDEP parameter File specified in OUTPUT, PPSRCSTMF or MAKEDEP parameter CRTCPPMOD Source file Externally described device files and database files referred to in source program Module: REPLACE(*NO) Module: REPLACE(*YES) Directory specified in OUTPUT, PPSRCSTMF, TEMPLATE or MAKEDEP parameter File specified in OUTPUT, PPSRCSTMF, TEMPLATE or MAKEDEP parameter Headers generated by TEMPLATE parameter CRTRPGMOD Source file Externally described device files and database files referred to in source program Module: REPLACE(*NO) Module: REPLACE(*YES) Table specified in SRTSEQ parameter Refer to the general rules. *USE Refer to the general rules. *USE Refer to the general rules. *USE Refer to the general rules. *USE *OBJOPR Refer to the general rules. *USE *USE *OBJOPR Refer to the general rules. *USE *USE *OBJOPR For object *USE *USE *OBJOPR For library *EXECUTE *EXECUTE *EXECUTE *READ, *ADD Refer to the general rules. *EXECUTE *EXECUTE *EXECUTE *READ, *ADD *READ, *ADD *EXECUTE *EXECUTE *EXECUTE *READ, *ADD *READ, *ADD *EXECUTE *READ, *ADD *EXECUTE *EXECUTE *READ, *ADD *READ, *ADD *EXECUTE

Refer to the general rules. *USE *USE *OBJOPR

*READ, *ADD *EXECUTE *EXECUTE *EXECUTE *READ, *ADD *READ, *ADD *EXECUTE


Authority needed Command CRTRPGPGM (RPG/400* licensed program and S/38 environment) Referenced object Source file Externally described device files and database files referred to in source program Program: REPLACE(*NO) Program: REPLACE(*YES) Table specified in SRTSEQ parameter CRTRPTPGM (RPG/400 licensed program and S/38 environment) Source file Program - REPLACE(*NO) Program - REPLACE(*YES) Source file for generated RPG program Externally described device files and database files referred to in source program Table specified in SRTSEQ parameter CRTS36CBL (S/36 environment) Source file Program: REPLACE(*NO) Program: REPLACE(*YES) CRTS36RPG Source file Program: REPLACE(*NO) Program - REPLACE(*YES) CRTS36RPGR Source file Display file: REPLACE(*NO) Display file: REPLACE(*YES) CRTS36RPT Source file Source file for generated RPG program Program: REPLACE(*NO) Program: REPLACE(*YES) Source file CRTSQLCI (DB2 Query Manager and To Source file SQL Development for i5/OS licensed program) 1 Data description specifications Object: REPLACE(*NO) Object: REPLACE(*YES) Table specified in SRTSEQ parameter Refer to the general rules. *USE Refer to the general rules. *OBJOPR, *READ *OBJOPR, *OBJMGT, *EXIST, *READ, *ADD, *UPDATE, *DELETE, *EXECUTE *OBJOPR Refer to the general rules. *USE Refer to the general rules. Refer to the general rules. *USE Refer to the general rules. *USE Refer to the general rules. Refer to the general rules. *OBJOPR *USE *USE Refer to the general rules. *USE *USE For object *USE *OBJOPR For library *EXECUTE *EXECUTE *READ, *ADD *READ, *ADD *EXECUTE *EXECUTE *READ, *ADD *READ, *ADD Refer to the general rules. *EXECUTE *EXECUTE *EXECUTE *READ, *ADD *READ, *ADD *READ, *ADD *READ, *ADD *READ, *ADD *READ, *ADD *READ, *ADD *READ, *ADD *EXECUTE Refer to the general rules. *READ, *ADD *READ, *ADD *EXECUTE *ADD, *EXECUTE

*EXECUTE *READ, *ADD *READ, *ADD *EXECUTE


Authority needed Command Referenced object For object *OBJOPR, *READ *OBJOPR, *OBJMGT, *EXIST, *READ, *ADD, *UPDATE, *DELETE, *EXECUTE *OBJOPR For library *EXECUTE *ADD, *EXECUTE

Source file CRTSQLCBL (DB2 Query Manager and To Source file SQL Development for i5/OS licensed program) 1 Data description specifications Program: REPLACE(*NO) Program: REPLACE(*YES) Table specified in SRTSEQ parameter Source file CRTSQLCBLI (DB2 Query Manager and To Source file SQL Development for i5/OS licensed program) 1 Data description specifications Object: REPLACE(*NO) Object: REPLACE(*YES) Table specified in SRTSEQ parameter Source file CRTSQLCPPI (DB2 Query Manager and To Source file SQL Development for i5/OS licensed program) 1 Data description specifications Program: REPLACE(*NO) Program: REPLACE(*YES) Table specified in SRTSEQ parameter Source file CRTSQLFTN (DB2 Query Manager and To Source file SQL Development for i5/OS licensed program) 1 Data description specifications Program: REPLACE(*NO) Program: REPLACE(*YES) Table specified in SRTSEQ parameter

*EXECUTE *READ, *ADD

Refer to the general rules. *USE *OBJOPR, *READ *OBJOPR, *OBJMGT, *EXIST, *READ, *ADD, *UPDATE, *DELETE, *EXECUTE *OBJOPR

*READ, *ADD *EXECUTE *EXECUTE *ADD, *EXECUTE

*EXECUTE *READ, *ADD

Refer to the general rules. *USE *OBJOPR, *READ *OBJOPR, *OBJMGT, *EXIST, *READ, *ADD, *UPDATE, *DELETE, *EXECUTE *OBJOPR

*READ, *ADD *EXECUTE *EXECUTE *ADD, *EXECUTE

*EXECUTE *READ, *ADD

Refer to the general rules. *USE *OBJOPR, *READ *OBJOPR, *OBJMGT, *EXIST, *READ, *ADD, *UPDATE, *DELETE, *EXECUTE *OBJOPR

*READ, *ADD *EXECUTE *EXECUTE *ADD, *EXECUTE

*EXECUTE *READ, *ADD

Refer to the general rules. *USE

*READ, *ADD *EXECUTE


Authority needed Command Referenced object For object *OBJOPR, *READ *OBJOPR, *OBJMGT, *EXIST, *READ, *ADD, *UPDATE, *DELETE, *EXECUTE *OBJOPR For library *EXECUTE *ADD, *EXECUTE

Source file CRTSQLPLI (DB2 Query Manager and To Source file SQL Development for i5/OS licensed program) 1 Data description specifications Program: REPLACE(*NO) Program: REPLACE(*YES) Table specified in SRTSEQ parameter Source file CRTSQLRPG (DB2 Query Manager and To Source file SQL Development for i5/OS licensed program) 1 Data description specifications Program: REPLACE(*NO) Program: REPLACE(*YES) Table specified in SRTSEQ parameter Source file CRTSQLRPGI (DB2 Query Manager and To Source file SQL Development for i5/OS licensed program) 1 Data description specifications Object: REPLACE(*NO) Object: REPLACE(*YES) Table specified in SRTSEQ parameter CVTRPGSRC Source file Output file Log file CVTSQLCPP
1

*EXECUTE *READ, *ADD

Refer to the general rules. *USE *OBJOPR, *READ *OBJOPR, *OBJMGT, *EXIST, *READ, *ADD, *UPDATE, *DELETE, *EXECUTE *OBJOPR

*READ, *ADD *EXECUTE *EXECUTE *ADD, *EXECUTE

*EXECUTE *READ, *ADD

Refer to the general rules. *USE *OBJOPR, *READ *OBJOPR, *OBJMGT, *EXIST, *READ, *ADD, *UPDATE, *DELETE, *EXECUTE *OBJOPR

*READ, *ADD *EXECUTE *EXECUTE *ADD, *EXECUTE

*EXECUTE *READ, *ADD

Refer to the general rules. *USE *USE *OBJOPR, *OBJMGT, *ADD *OBJOPR, *OBJMGT, *ADD *OBJOPR, *READ *OBJOPR, *OBJMGT, *EXIST, *READ, *ADD, *UPDATE, *DELETE, *EXECUTE *OBJOPR

*READ, *ADD *EXECUTE *EXECUTE *EXECUTE *EXECUTE *EXECUTE *ADD, *EXECUTE

Source file To Source file

Data description specifications Program: REPLACE(*NO) Program: REPLACE(*YES) Table specified in SRTSEQ parameter

*EXECUTE *READ, *ADD

Refer to the general rules. *USE

*READ, *ADD *EXECUTE


Each row below gives the referenced object, then the authority needed for the object and for its library.

DLTCLD
    Locale object: object *OBJEXIST, *OBJMGT; library *EXECUTE
ENDCBLDBG (COBOL/400 licensed program or S/38 environment)
    Program: object *CHANGE; library *EXECUTE
ENTCBLDBG (S/38 environment)
    Program: object *CHANGE; library *EXECUTE
INCLUDE
    Source file: object *USE; library *EXECUTE
RTVCLSRC
    Program: object *OBJMGT, *USE; library *EXECUTE
    Service program: object *OBJMGT, *USE; library *EXECUTE
    Module: object *OBJMGT, *USE; library *EXECUTE
    Database source file: object *OBJOPR, *OBJMGT, *ADD, *DLT; library *EXECUTE
RTVCLDSRC
    Locale object: object *USE; library *EXECUTE
    To-file: object, refer to the general rules; library, refer to the general rules
RUNSQLSTM (1)
    Source file: object *OBJOPR, *READ; library *EXECUTE
STRCBLDBG
    Program: object *CHANGE; library *EXECUTE
STRREXPRC
    Source file: object *USE; library *EXECUTE
    Exit program: object *USE; library *EXECUTE
STRSQL (DB2 Query Manager and SQL Development for i5/OS licensed program) (1)
    Sort sequence table: object *USE; library *EXECUTE
    Printer device description: object *USE; library *EXECUTE
    Printer output queue: object *USE; library *EXECUTE
    Printer file: object *USE; library *EXECUTE

1. See Authorization, privileges and object ownership for more information about the security requirements for structured query language (SQL) statements.

Library commands
This table lists the specific authorities required for the library commands. Commands identified by (Q) are shipped with public authority *EXCLUDE. Appendix C, Commands shipped with public authority *EXCLUDE, on page 325 shows which IBM-supplied user profiles are authorized to the command. The security officer can grant *USE authority to others.
Each row below gives the referenced object, then the authority needed for the object (none is listed for these commands) and for the library being acted on.

ADDLIBLE
    Library: library being acted on *USE
CHGCURLIB
    New current library: library being acted on *USE
CHGLIB (8)
    Library: library being acted on *OBJMGT
CHGLIBL
    Every library being placed in the library list: library being acted on *USE
CHGSYSLIBL (Q)
    Libraries in new list: library being acted on *USE


Authority needed Command CLRLIB


3

Referenced object Every object being deleted from library Object types *DTADCT14, *JRN14,*JRNRCV14, *MSGQ14, *SBSD14 ASP device (if specified)

For object *OBJEXIST See the authority required by the DLTxxx command for the object type *USE

For library being acted on *USE

CPYLIB

From-Library To-library, if it exists CHKOBJ, CRTDUPOBJ commands CRTLIB command, if the target library is being created Object being copied *USE *USE

*USE *USE, *ADD

The authority that is required when you use the CRTDUPOBJ command to copy the object type. *USE *OBJEXIST See the authority required by the DLTxxx command for the object type *USE *READ
5

CRTLIB DLTLIB

9 3

ASP device (if specified) Every object being deleted from library Object types *DTADCT14, *JRN14,*JRNRCV14, *MSGQ, *SBSD14 ASP device (if specified)

*USE, *OBJEXIST

DSPLIB

Library Objects in the library Some authority other than *EXCLUDE *EXECUTE

ASP device (if specified) DSPLIBD EDTLIBL RCLLIB Library Library to add to list Library

Some authority other than *EXCLUDE *USE *USE, *OBJEXIST


Authority needed Command RSTLIB (Q)


7, 17, 19

Referenced object Media definition Library, if it does exist Message queues being restored to library where they already exist Programs that adopt authority Library saved if VOL(*SAVVOL) is specified Every object being restored over in the library

For object *USE


7

For library being acted on *EXECUTE *READ, *ADD

*OBJOPR, *OBJEXIST

*EXECUTE. *READ, *ADD

Owner or *ALLOBJ and *SECADM

*EXECUTE *USE
6

*OBJEXIST
6

*EXECUTE, *READ, *ADD

User profile owning objects *ADD being created Tape unit, diskette unit, optical unit Output file, if specified *USE

*EXECUTE See General Rules *EXECUTE

See General Rules

QSYS/QASAVOBJ field *USE reference file for output file, if an output file is specified and does not exist RSTLIB (Q) Tape (QSYSTAP) or diskette *USE (QSYSDKT) file QSYS/QPSRLDSP printer *USE output, if OUTPUT(*PRINT) specified Save file Optical File (OPTFILE)
12 6

*EXECUTE *EXECUTE

*USE *R *X *USE
15

*EXECUTE Not applicable Not applicable

Path prefix of optical file (OPTFILE)12 Optical volume11 ASP device description RSTS36LIBM From-file To-file To-library Device file or device description RTVLIBD Library

*USE *USE *CHANGE *CHANGE *USE *EXECUTE *EXECUTE *EXECUTE *EXECUTE Some authority other than *EXCLUDE


Authority needed Command SAVLIB


18

Referenced object Every object in the library Media definition Save file, if empty Save file, if records exist in it Save active message queue Tape unit, diskette unit, optical unit Output file, if specified QSYS/QASAVOBJ field reference file, if output file is specified and does not exist QSYS/QPSAVOBJ printer output Command user space, if specified

For object *OBJEXIST *USE *USE, *ADD *USE, *ADD, *OBJMGT *OBJOPR, *ADD *USE Refer to the general rules. *USE
6 6

For library being acted on *READ, *EXECUTE *EXECUTE *EXECUTE *EXECUTE *EXECUTE *EXECUTE Refer to the general rules. *EXECUTE

*USE *USE *RW *WX *X

*EXECUTE *EXECUTE Not applicable Not applicable Not applicable Not applicable

SAVLIB

Optical File12 Parent Directory of optical file (OPTFILE)12 Path Prefix of optical file (OPTFILE)12 Root Directory (/) of Optical Volume12, 13 Optical volume11 ASP device description
15

*RWX *CHANGE *USE

SAVRSTLIB
    On the source system, the same authority as required by the SAVLIB command. On the target system, the same authority as required by the RSTLIB command.

SAVS36LIBM

Save to a physical file Either QSYSDKT for diskette or QSYSTAP for tape, and all commands need authority to the device Save to a physical file if MBROPT(*ADD) is specified Save to a physical file if MBROPT(*REPLACE) is specified From-library

*OBJOPR, *OBJMGT *OBJOPR

*EXECUTE *EXECUTE

*ADD

*READ, *ADD

*ADD, *DLT

*EXECUTE

*USE *USE

WRKLIB 10, 16

Library


1. The authority needed for the library being acted on is indicated in this column. For example, to add the library CUSTLIB to a library list using the ADDLIBLE command requires *USE authority to the CUSTLIB library.
2. The authority needed for the QSYS library is indicated in this column, because all libraries are in the QSYS library.
3. If object existence authority is not found for some objects in the library, those objects are not deleted, and the library is not completely cleared and deleted. Only authorized objects are deleted.
4. All restrictions that apply to the CRTDUPOBJ command also apply to this command.
5. If you do not have authority to an object in the library, the text for the object says *NOT AUTHORIZED.
6. If you have *SAVSYS special authority, you do not need the authority specified.
7. You must have *ALLOBJ special authority to specify a value other than *NONE for the Allow object differences (ALWOBJDIF) parameter.
8. You must have *AUDIT special authority to change the CRTOBJAUD value for a library. *OBJMGT is not required if you change only the CRTOBJAUD value. *OBJMGT is required if you change the CRTOBJAUD value and other values.
9. You must have *AUDIT special authority to specify a CRTOBJAUD value other than *SYSVAL.
10. You must have the authority required by the operation to use an individual operation.
11. Optical volumes are not actual system objects. The link between the optical volume and the authorization list used to secure the volume is maintained by the optical support function.
12. This authority check is only made when the optical media format is Universal Disk Format.
13. This authority check is only made when you are clearing the optical volume.
14. This object is allowed on an independent ASP.
15. Authority is required only if the save or restore operation requires a library namespace switch.
16. This command requires *ALLOBJ special authority.
17. You must have *ALLOBJ special authority to specify *YES for the PVTAUT parameter.
18. You must have *ALLOBJ or *SAVSYS special authority to specify *YES for the PVTAUT parameter.
19. You must have *SAVSYS special authority to specify a name for the DFRID parameter.

License key commands


This table lists the specific authorities required for the license key commands. Commands identified by (Q) are shipped with public authority *EXCLUDE. Appendix C, Commands shipped with public authority *EXCLUDE, on page 325 shows which IBM-supplied user profiles are authorized to the command. The security officer can grant *USE authority to others.
Each row below gives the referenced object, then the authority needed for the object and for its library.

ADDLICKEY (Q)
    Output file: object *USE; library *EXECUTE
DSPLICKEY (Q)
    Output file: object, refer to the general rules; library, refer to the general rules
RMVLICKEY (Q)
    Output file: object *CHANGE; library *EXECUTE


Licensed program commands


This table lists the specific authorities required for the licensed program commands. Commands identified by (Q) are shipped with public authority *EXCLUDE. Appendix C, Commands shipped with public authority *EXCLUDE, on page 325 shows which IBM-supplied user profiles are authorized to the command. The security officer can grant *USE authority to others.
Each row below gives the referenced object, then the authority needed for the object and for its library.

CHGLICINF (Q)
    WRKLICINF command: object *USE; library *EXECUTE
DLTLICPGM (Q) (1, 2)
DSPTM
INZSYS (Q)
RSTLICPGM (Q) (1, 2)
SAVLICPGM (Q) (1, 2)
WRKLICINF (Q) (3)

1. Some licensed programs can be deleted, saved, or restored only if you are enrolled in the system distribution directory.
2. If deleting, restoring, or saving a licensed program that contains folders, all restrictions that apply to the DLTDLO command also apply to this command.
3. To use individual operations, you must have the authority required by the individual operation.

Line description commands


This table lists the specific authorities required for the line description commands.
Each row below gives the referenced object, then the authority needed for the object and for its library.

CHGLINASC (2)
    Line description: object *CHANGE, *OBJMGT; library *EXECUTE
    Controller description (SWTCTLLST): object *USE; library *EXECUTE
CHGLINBSC
    Line description: object *CHANGE, *OBJMGT; library *EXECUTE
    Controller description (SWTCTLLST): object *USE; library *EXECUTE
CHGLINDDI (2)
    Line description: object *CHANGE, *OBJMGT; library *EXECUTE
CHGLINETH (2)
    Line description: object *CHANGE, *OBJMGT; library *EXECUTE
CHGLINFAX (2)
    Line description: object *CHANGE, *OBJMGT; library *EXECUTE
CHGLINFR (2)
    Line description: object *CHANGE, *OBJMGT; library *EXECUTE
CHGLINPPP (2)
    Line description: object *CHANGE, *OBJMGT; library *EXECUTE
CHGLINSDLC (2)
    Line description: object *CHANGE, *OBJMGT; library *EXECUTE
CHGLINTDLC (2)
    Line description: object *CHANGE, *OBJMGT; library *EXECUTE
CHGLINTRN (2)
    Line description: object *CHANGE, *OBJMGT; library *EXECUTE
CHGLINX25 (2)
    Line description: object *CHANGE, *OBJMGT; library *EXECUTE
    Controller description (SWTCTLLST): object *USE; library *EXECUTE
    Connection list (CNNLSTIN or CNNLSTOUT): object *USE; library *EXECUTE
    Network interface description (SWTNWILST): object *USE; library *EXECUTE
CHGLINWLS (2)
    Line description: object *CHANGE, *OBJMGT; library *EXECUTE
    Program (INZPGM): object *USE; library *EXECUTE
CRTLINASC
    Controller description (CTL and SWTCTLLST): object *USE; library *EXECUTE
    Line description: object (none listed); library *READ, *ADD
CRTLINBSC
    Controller description (SWTCTLLST and CTL): object *USE; library *EXECUTE
    Line description: object (none listed); library *READ, *ADD
CRTLINDDI
    Line description: object (none listed); library *READ, *ADD
    Network interface description (NWI): object *USE; library *EXECUTE
    Controller description (NETCTL): object *USE; library *EXECUTE
CRTLINETH
    Controller description (NETCTL): object *USE; library *EXECUTE
    Line description: object (none listed); library *READ, *ADD
    Network interface description (NWI): object *USE; library *EXECUTE
    Network server description (NWS): object *USE; library *EXECUTE
CRTLINFAX (2)
    Line description: object (none listed); library *READ, *ADD
    Controller description: object *USE; library *EXECUTE
CRTLINFR
    Line description: object (none listed); library *READ, *ADD
    Network interface description (NWI): object *USE; library *EXECUTE
    Controller description (NETCTL): object *USE; library *EXECUTE
CRTLINPPP (2)
    Controller description (NETCTL): object *USE; library *EXECUTE
    Line description: object (none listed); library *READ, *ADD
CRTLINSDLC
    Controller description (CTL): object *USE; library *EXECUTE
    Line description: object (none listed); library *READ, *ADD
CRTLINTDLC (2)
    Controller description (WSC and CTL): object *USE; library *EXECUTE
    Line description: object (none listed); library *READ, *ADD
CRTLINTRN
    Controller description (NETCTL): object *USE; library *EXECUTE
    Line description: object (none listed); library *READ, *ADD
    Network interface description (NWI): object *USE; library *EXECUTE
    Network server description (NWS): object *USE; library *EXECUTE
CRTLINX25 (2)
    Controller description (SWTCTLLST): object *USE; library *EXECUTE
    Permanent virtual circuit (PVC) controller description (LGLCHLE): object *USE; library *EXECUTE
    Line description: object (none listed); library *READ, *ADD
    Connection list (CNNLSTIN or CNNLSTOUT): object *USE; library *EXECUTE
    Network interface description (NWI or SWTNWILST): object *USE; library *EXECUTE
CRTLINWLS
    Line description: object (none listed); library *READ, *ADD
    Controller description (NETCTL): object *USE; library *EXECUTE
    Program (INZPGM): object *USE; library *EXECUTE
DLTLIND
    Line description: object *OBJEXIST; library *EXECUTE
DSPLIND
    Line description: object *USE; library *EXECUTE
ENDLINRCY
    Line description: object *OBJOPR; library *EXECUTE
PRTCMNSEC (2, 3)
RSMLINRCY
    Line description: object *OBJOPR; library *EXECUTE
WRKLIND (1)
    Line description: object *OBJOPR; library *EXECUTE

1. To use individual operations, you must have the authority required by the individual operation.
2. To use this command, you must have *IOSYSCFG special authority.
3. To use this command, you must have *ALLOBJ special authority.

Local Area Network (LAN) commands


This table lists the specific authorities required for the Local Area Network (LAN) commands. Commands identified by (Q) are shipped with public authority *EXCLUDE. Appendix C, Commands shipped with public authority *EXCLUDE, on page 325 shows which IBM-supplied user profiles are authorized to the command. The security officer can grant *USE authority to others.
These commands do not require any object authorities: ADDLANADPI CHGLANADPI DSPLANADPP DSPLANSTS RMVLANADPT (Q) RMVLANADPI WRKLANADPT

Locale commands
This table lists the specific authorities required for the locale commands.
Command     Referenced object   Authority needed
                                For object   For library
CRTLOCALE   Source file         *USE         *USE, *ADD
DLTLOCALE   Locale              *OBJEXIST    *EXECUTE

Appendix D. Authority required for objects used by commands

435

Mail server framework commands


This table lists the specific authorities required for the mail server framework commands. Commands identified by (Q) are shipped with public authority *EXCLUDE. Appendix C, Commands shipped with public authority *EXCLUDE, on page 325 shows which IBM-supplied user profiles are authorized to the command. The security officer can grant *USE authority to others.
These commands do not require any object authorities: ENDMSF (Q) STRMSF (Q)

Media commands
This table lists the specific authorities required for the media commands.
Authority needed Command ADDTAPCTG CFGDEVMLB
1

Referenced object Tape Library description Tape Library description Tape Library description Tape Library description Tape Library description Tape device description Tape Library description Media definition Tape Library description
5 4

For object *USE

For library *EXECUTE

*CHANGE, *OBJMGT *EXECUTE *CHANGE, *OBJMGT *EXECUTE *CHANGE *USE *USE *EXECUTE *EXECUTE *EXECUTE

CHGDEVMLB (Q) CHGJOBMLBA CHGTAPCTG CHKTAP CRTTAPCGY DLTMEDDFN DLTTAPCGY DMPTAP (Q) DSPTAP DSPTAPCGY DSPTAPCTG DSPTAPSTS DUPTAP INZTAP RMVTAPCTG SETTAPCGY WRKMLBRSCQ
2 3

*OBJEXIST

*EXECUTE

Tape device description Tape device description Tape Library description Tape Library description Tape Library description Tape device description Tape device description Tape Library description Tape Library description Tape Library description Tape Library description Tape Library description

*USE *USE

*EXECUTE *EXECUTE

*USE *USE *USE *USE *USE *USE *USE *USE *USE

*EXECUTE *EXECUTE *EXECUTE *EXECUTE *EXECUTE *EXECUTE *EXECUTE *EXECUTE *EXECUTE

WRKMLBSTS (Q) WRKTAPCTG


1. To use this command, you must have *IOSYSCFG special authority.
2. To use an individual operation, you must have the authority required by the operation.
3. To change the session media library attributes, you must have *CHANGE authority to the Tape Library description.
4. To change the priority or work with another user's job, you must have *JOBCTL special authority.
5. To use this command, you must have *ALLOBJ special authority when TYPE(*HEX) is specified or the tape has the secure volume flag or secured file flag set.

Menu and panel group commands


This table lists the specific authorities required for the menu and panel group commands.
Authority needed Command CHGMNU CRTMNU Referenced object Menu Source file Menu: REPLACE(*NO) Menu: REPLACE(*YES) CRTPNLGRP Panel group: Replace(*NO) Panel group: REPLACE(*YES) Source file Include file CRTS36MNU Menu: REPLACE(*NO) Menu: REPLACE(*YES) Source file Message files named in source To-file source file when TOMBR is not *NONE Menu display file when REPLACE(*YES) is specified Command text message file Create Message File (CRTMSGF) command Add Message Description (ADDMSGD) command Create Display File (CRTDSPF) command DLTMNU DLTPNLGRP DSPMNUA Menu Panel group Menu Refer to the general rules. *USE *OBJOPR, *OBJEXIST *OBJOPR, *OBJMGT, *OBJEXIST, *ADD *OBJOPR, *OBJEXIST *OBJOPR, *OBJEXIST *OBJOPR *OBJOPR *OBJOPR *OBJOPR, *OBJEXIST *OBJEXIST *USE Refer to the general rules. *USE *USE Refer to the general rules. For object *CHANGE *USE For library *USE *EXECUTE *READ, *ADD *READ, *ADD *READ, *ADD *READ, *ADD *EXECUTE *EXECUTE *READ, *ADD *READ, *ADD *EXECUTE *EXECUTE *READ, *ADD *EXECUTE *EXECUTE *EXECUTE *EXECUTE *EXECUTE *EXECUTE *EXECUTE *USE


Authority needed Command GO Referenced object Menu Display file and message files with *DSPF specified Current and Product libraries Program with *PGM specified WRKMNU
1 1

For object *USE *USE *USE *USE Any Any

For library *USE *EXECUTE

*EXECUTE *USE *EXECUTE

Menu Panel group

WRKPNLGRP
1

To use an individual operation, you must have the authority required by the operation.

Message commands
This table lists the specific authorities required for the message commands.
Command      Referenced object                                              Authority needed
                                                                            For object          For library
DSPMSG       Message queue                                                  *USE                *USE
             Message queue that receives the reply to an inquiry message    *USE, *ADD          *USE
             Remove messages from message queue                             *USE, *DLT          *USE
RCVMSG       Message queue                                                  *USE                *EXECUTE
             Remove messages from queue                                     *USE, *DLT          *EXECUTE
RMVMSG       Message queue                                                  *OBJOPR, *DLT       *EXECUTE
RTVMSG       Message file                                                   *USE                *EXECUTE
SNDBRKMSG    Message queue that receives the reply to inquiry messages      *OBJOPR, *ADD       *EXECUTE
SNDMSG       Message queue                                                  *OBJOPR, *ADD       *EXECUTE
             Message queue that receives the reply to inquiry message       *OBJOPR, *ADD       *EXECUTE
SNDPGMMSG    Message queue                                                  *OBJOPR, *ADD       *EXECUTE
             Message file, when sending predefined message                  *USE                *EXECUTE
             Message queue that receives the reply to inquiry message       *OBJOPR, *ADD       *EXECUTE
SNDRPY       Message queue                                                  *USE, *ADD          *EXECUTE
             Remove messages from queue                                     *USE, *ADD, *DLT    *EXECUTE
SNDUSRMSG    Message queue                                                  *OBJOPR, *ADD       *EXECUTE
             Message file, when sending predefined message                  *USE                *EXECUTE
WRKMSG       Message queue                                                  *USE                *USE
             Message queue that receives the reply to inquiry message       *USE, *ADD          *USE
             Remove messages from message queue                             *USE, *DLT          *USE


Message description commands


This table lists the specific authorities required for the message description commands.
Command       Referenced object   Authority needed
                                  For object       For library
ADDMSGD       Message file        *USE, *ADD       *EXECUTE
CHGMSGD       Message file        *USE, *UPD       *EXECUTE
DSPMSGD       Message file        *USE             *EXECUTE
RMVMSGD       Message file        *OBJOPR, *DLT    *EXECUTE
WRKMSGD (1)   Message file        *USE             *EXECUTE

1. To use individual operations, you must have the authority required by the individual operation.

Message file commands


This table lists the specific authorities required for the message file commands.
Command       Referenced object       Authority needed
                                      For object           For library
CHGMSGF       Message file            *USE, *DLT           *EXECUTE
CRTMSGF       Message file                                 *READ, *ADD
DLTMSGF       Message file            *OBJEXIST            *EXECUTE
DSPMSGF       Message file            *USE                 *EXECUTE
MRGMSGF       From-message file       *USE                 *EXECUTE
              To-message file         *USE, *ADD, *DLT     *EXECUTE
              Replace-message file    *USE, *ADD           *EXECUTE
WRKMSGF (1)   Message file            Any authority        *USE

1. To use individual operations, you must have the authority required by the individual operation.

Message queue commands


This table lists the specific authorities required for the message queue commands.
Authority needed Command CHGMSGQ CLRMSGQ CRTMSGQ DLTMSGQ DSPLOG WRKMSGQ
1 1

Referenced object Message queue Message queue Message queue Message queue

For object *USE, *DLT *OBJOPR, *DLT

For library *EXECUTE *EXECUTE *READ, *ADD

*OBJEXIST, *USE, *DLT

*EXECUTE *EXECUTE

Message queue

Any authority

*USE

To use individual operations, you must have the authority required by the individual operation.


Migration commands
This table lists the specific authorities required for the migration commands.
Command     Referenced object   Authority needed
                                For object   For library
RCVMGRDTA   File                *ALL         *READ, *ADD
            Device              *CHANGE      *EXECUTE
SNDMGRDTA   File                *ALL         *READ, *ADD
            Device              *CHANGE      *EXECUTE

The following commands do not require any object authorities. They are shipped with public authority *EXCLUDE. You must have *ALLOBJ special authority to use these commands: ANZS34OCL ANZS36OCL CHGS34LIBM CHKS36SRCA CVTBASSTR CVTBASUNF CVTBGUDTA CVTS36FCT CVTS36JOB CVTS38JOB GENS36RPT GENS38RPT MGRS36 MGRS36APF MGRS36CBL MGRS36DFU MGRS36DSPF MGRS36ITM MGRS36LIB MGRS36MNU MGRS36MSGF MGRS36QRY (1) MGRS36RPG MGRS36SEC MGRS38OBJ MIGRATE QMUS36 RESMGRNAM RSTS38AUT STRS36MGR STRS38MGR

1. You must have *ALLOBJ special authority and have i5/OS option 4 installed.

Mode description commands


This table lists the specific authorities required for the mode description commands.
Authority needed Command CHGMODD CRTMODD
2 2

Referenced object Mode description Mode description Device description Mode description Mode description Device Mode description

For object

For library

*CHANGE, *OBJMGT *EXECUTE *READ, *ADD *OBJOPR *OBJEXIST *USE *OBJOPR *OBJOPR *OBJOPR *OBJOPR *OBJOPR *EXECUTE *EXECUTE *EXECUTE *EXECUTE *EXECUTE *EXECUTE *EXECUTE *EXECUTE

CHGSSNMAX DLTMODD DSPMODD DSPMODSTS

ENDMOD STRMOD WRKMODD


1 2 1

Device description Device description Mode description

To use individual operations, you must have the authority required by the individual operation. To use this command, you must have *IOSYSCFG special authority.


Module commands
This table lists the specific authorities required for the module commands.
Authority needed Command CHGMOD Referenced object Module Module, if OPTIMIZE specified Module, if FRCCRT(*YES) specified Module, if ENBPRFCOL specified DLTMOD DSPMOD RTVBNDSRC
1

For object *OBJMGT, *USE *OBJMGT, *USE *OBJMGT, *USE *OBJMGT, *USE *OBJEXIST *USE *USE *USE

For library *USE *USE, *ADD, *DLT *USE, *ADD, *DLT *USE, *ADD, *DLT *EXECUTE *EXECUTE *EXECUTE *EXECUTE *EXECUTE *EXECUTE *EXECUTE, *READ, *ADD *EXECUTE, *READ, *ADD *EXECUTE *EXECUTE *EXECUTE *USE

Module Module Module *SRVPGMs and modules specified with *SRVPGMs

Database source file if file and member *OBJOPR, *OBJMGT, exists and MBROPT(*REPLACE) is specified. *ADD, *DLT Database source file if file and member exists and MBROPT(*ADD) is specified Database source file if file exists and member needs to be created. Database source file if file and member needs to be created. CRTSRCPF command if file does not exist ADDPFM command if member does not exist RGZPFM command to reorganize source file *OBJMGT member WRKMOD
1 2

*OBJOPR, *ADD *OBJOPR, *OBJMGT, *ADD

Module

Any authority

1. You need *USE authority to the:
   - CRTSRCPF command if the file does not exist.
   - ADDPFM command if the member does not exist.
   - RGZPFM command so the source file member is reorganized.
2. Either *CHANGE and *OBJALTER authorities or *OBJMGT authority is required to reorganize the source file member. The RTVBNDSRC command function then completes with the source file member reorganized with sequence numbers of zero.

To use individual operations, you must have the authority required by the individual operation.

NetBIOS description commands


This table lists the specific authorities required for the NetBIOS description commands.
Command       Referenced object     Authority needed
                                    For object            For library
CHGNTBD (2)   NetBIOS description   *CHANGE, *OBJMGT      *EXECUTE
CRTNTBD (2)   NetBIOS description                         *EXECUTE
DLTNTBD       NetBIOS description   *OBJEXIST             *EXECUTE
DSPNTBD       NetBIOS description   *USE                  *EXECUTE
WRKNTBD (1)   NetBIOS description   *OBJOPR               *EXECUTE

1. To use individual operations, you must have the authority required by the individual operation.
2. To use this command, you must have *IOSYSCFG special authority.

Network commands
This table lists the specific authorities required for the network commands. Commands identified by (Q) are shipped with public authority *EXCLUDE. Appendix C, Commands shipped with public authority *EXCLUDE, on page 325 shows which IBM-supplied user profiles are authorized to the command. The security officer can grant *USE authority to others.
Authority needed Command ADDNETJOBE (Q) APING AREXEC CHGNETA (Q)
2 4

Referenced object User profile in the network job entry Device description Device description

For object *USE *CHANGE *CHANGE

For library

CHGNETJOBE (Q) DLTNETF DSPNETA RCVNETF


2

User profile in the network job entry Output file

*USE Refer to the general rules. Refer to the general rules.

To-file member does not exist, MBROPT(*ADD) specified To-file member does not exist, MBROPT(*REPLACE) specified To-file member exists, MBROPT(*ADD) specified

*OBJMGT, *USE

*EXECUTE, *ADD

*OBJMGT, *CHANGE *EXECUTE, *ADD *USE *EXECUTE

To-file member exists, MBROPT(*REPLACE) *OBJMGT, *CHANGE *EXECUTE specified RMVNETJOBE (Q) RTVNETA RUNRMTCMD SNDNETF SNDNETMSG to a local user VFYAPPCCNN WRKNETF
2,3 3

User profile in the network job entry

*USE

Device description Physical file or save file Message queue Device description

*CHANGE *USE *OBJOPR, *ADD *CHANGE *EXECUTE *EXECUTE

WRKNETJOBE

QUSRSYS/QANFNJE

*USE

*EXECUTE


1. You must have *ALLOBJ special authority.
2. A user can run these commands on the user's own network files or on network files owned by the user's group profile. *ALLOBJ special authority is required to process network files for another user.
3. To use an individual operation, you must have the authority required by that operation.
4. To change some network attributes, you must have *IOSYSCFG, or *ALLOBJ and *IOSYSCFG special authorities.

Network file system commands


This table lists the specific authorities required for the network file system commands.
Authority needed for object *W

Command ADDMFS
1,3 1,2

Referenced object dir_to_be_ mounted_over Path prefix some_dirs Path prefix


1,4

Object type *DIR

File system "root" (/)

CHGNFSEXP DSPMFSINF

Refer to the general rules. *DIR "root" (/) *RX

Refer to the general rules.

ENDNFSSVR EXPORTFS MOUNT


1,3 1 1,2

none Path prefix dir_to_be_ mounted_over object Refer to the general rules. *DIR *STMF "root" (/) "root" (/), QOpenSys, UDFS *W *R

RLSIFSLCK

Path prefix RMVMFS STATFS


1 1 1

Refer to the general rules.

some_dirs Path prefix

*DIR

"root" (/)

*RX

Refer to the general rules.

STRNFSSVR UNMOUNT
1 2

none

1. To use this command, you must have *IOSYSCFG special authority.
2. When the -F flag is specified and the /etc/exports file does not exist, you must have write, execute (*WX) authority to the /etc directory. When the -F flag is specified and the /etc/exports file does exist, you must have read, write (*RW) authority to the /etc/exports file and *X authority to the /etc directory.
3. The directory that is mounted over (dir_to_be_mounted_over) is any integrated file system directory that can be mounted over.
4. To end any daemon jobs started by someone else, you must have *JOBCTL special authority.


Network interface description commands


This table lists the specific authorities required for the network interface description commands.
Command        Referenced object                 Authority needed
                                                 For object           For library
CHGNWIFR (2)   Network interface description     *CHANGE, *OBJMGT     *EXECUTE
CRTNWIFR (2)   Network interface description                          *READ, *ADD
               Line description (DLCI)           *USE                 *EXECUTE
DLTNWID        Network interface description     *OBJEXIST            *EXECUTE
DSPNWID        Network interface description     *USE                 *EXECUTE
WRKNWID (1)    Network interface description     *OBJOPR              *EXECUTE

1. To use the individual operations, you must have the authority required by the individual operation.
2. To use this command, you must have *IOSYSCFG special authority.

Network server commands


This table lists the specific authorities required for the network server commands.
Authority needed for object *X *WX *RW *CHANGE, *OBJMGT *WX *OBJMGT, *USE "root" (/) QSYS.LIB QSYS.LIB "root" (/) "root" (/) "root" (/) "root" (/) "root" (/) "root" (/) *WX *OBJEXIST *OBJEXIST *WX *RWX, *OBJEXIST *OBJEXIST *WX *RWX, *OBJEXIST *OBJEXIST

Command ADDNWSSTGL
2

Referenced object Path (/QFPNWSSTG) Parent directory (name of the storage space) Files that make up the storage space Network server description

Object type *DIR *DIR *STMF *NWSD *DIR *USRPRF *DIR *NWSD *LIND *DIR *DIR *STMF *DIR *DIR *STMF

File system "root" (/) "root" (/) "root" (/) QSYS.LIB "root" (/)

CHGNWSSTG2 CHGNWSUSRA CRTNWSSTG


2 4

Path (root and /QFPNWSSTG) User Profile Path (root and /QFPNWSSTG) Network server description Line description Network server storage space - Path (/QFPNWSSTG) Parent directory (name of the storage space) Files that make up the storage space

@ DLTINTSVR

DLTNWSSTG

Path (/QFPNWSSTG) Parent directory (name of the storage space) Files that make up the storage space


Command DLTWNTSVR
5

Referenced object Network server description Line description Network server storage space - Path (/QFPNWSSTG) Parent directory (name of the storage space) Files that make up the storage space

Object type *NWSD *LIND *DIR *DIR *STMF

File system QSYS.LIB QSYS.LIB "root" (/) "root" (/) "root" (/)

Authority needed for object *OBJEXIST *OBJEXIST *WX *RWX, *OBJEXIST *OBJEXIST

DSPNWSSTG

Path prefix Files that make up the storage space

Refer to the general rules *STMF *NWSD *LIND *DIR *NWSD *LIND *NWSCFG *DIR *DIR *DIR *STMF *NWSD "root" (/) Not applicable Not applicable "root" (/) Not applicable Not applicable Not applicable "root" (/) "root" (/) "root" (/) "root" (/) QSYS.LIB *R *USE *USE *WX *USE *USE *USE *WX *X *WX *RW *CHANGE, *OBJMGT

@ INSINTSVR

Network server description Line description Network server storage space - Path (/QFPNWSSTG)

INSWNTSVR6, 7

Network server description Line description Network server configuration Network server storage space - Path (/QFPNWSSTG)

RMVNWSSTGL 2

Path (/QFPNWSSTG) Parent directory (name of the storage space) Files that make up the storage space Network server description

WRKNWSSTG

Path prefix Files that make up the storage space

Refer to the general rules *STMF "root" (/) *R

These commands do not require any object authorities: ADDRMTSVR CHGNWSA (4) (Q) CHGNWSALS CRTNWSALS DLTNWSALS DSPNWSA DSPNWSALS DSPNWSSSN DSPNWSSTC DSPNWSUSRA SBMNWSCMD (Q) SNDNWSMSG WRKNWSALS WRKNWSENR WRKNWSSSN WRKNWSSTS

1. Adopted authority is not used for Network Server commands.
2. To use this command, you must have *IOSYSCFG special authority.
3. To use this command, you must have *JOBCTL special authority.
4. You must have *SECADM special authority to specify a value other than *NONE for the NDSTREELST and the NTW3SVRLST parameters.
5. To use this command, you must have *IOSYSCFG and *ALLOBJ special authorities.
6. To use this command, you must have *IOSYSCFG, *ALLOBJ, and *JOBCTL special authorities.
7. You must have *SECADM special authority to specify a nondefault value for the IPSECRULE, CHAPAUT, or SPCERTID parameter.

Network server configuration commands


This table lists the specific authorities required for the network server configuration commands.
Command             Referenced object              Authority needed
                                                   For object     For QUSRSYS library
CHGNWSCFG (1, 3)    Network server configuration   *CHANGE        *EXECUTE
CRTNWSCFG (1, 3)    Network server configuration   *USE           *READ, *ADD
DLTNWSCFG (1, 3)    Network server configuration   *OBJEXIST      *EXECUTE
DSPNWSCFG (1, 3)    Network server configuration   *USE           *EXECUTE
INZNWSCFG (1, 2)    Network server configuration   *CHANGE        *EXECUTE
WRKNWSCFG (1)       Network server configuration   *USE           *EXECUTE

1. To use this command, you must have *IOSYSCFG special authority.
2. To use this command, you must have *SECADM special authority.
3. To specify or view a nondefault value for the IPSECRULE, CHAPAUT, or SPCERTID parameter, you must have security administrator (*SECADM) special authority.

Network server description commands


This table lists the specific authorities required for the network server description commands.
Command        Referenced object             Authority needed
                                             For object           For QSYS library
CHGNWSD (2)    Network server description    *CHANGE, *OBJMGT     *EXECUTE
               NetBIOS description (NTB)     *USE                 *EXECUTE
CRTNWSD (2)    NetBIOS description (NTB)     *USE                 *EXECUTE
               Line description (PORTS)      *USE                 *EXECUTE
DLTNWSD        Network server description    *OBJEXIST            *EXECUTE
DSPNWSD        Network server description    *USE                 *EXECUTE
WRKNWSD (1)    Network server description    *OBJOPR              *EXECUTE

1. To use an individual operation, you must have the authority required by the operation.
2. To use this command, you must have *IOSYSCFG special authority.

Node list commands


This table lists the specific authorities required for the node list commands.
Command        Referenced object   Authority needed
                                   For object                For library
ADDNODLE       Node list           *OBJOPR, *ADD             *EXECUTE
CRTNODL        Node list                                     *READ, *ADD
DLTNODL        Node list           *OBJEXIST                 *EXECUTE
RMVNODLE       Node list           *OBJOPR, *READ, *DLT      *EXECUTE
WRKNODL (1)    Node list           *USE                      *USE
WRKNODLE (1)   Node list           *USE                      *EXECUTE

1. To use the individual operations, you must have the authority required by the individual operation.

Office services commands


This table lists the specific authorities required for the office services commands. Commands identified by (Q) are shipped with public authority *EXCLUDE. Appendix C, Commands shipped with public authority *EXCLUDE, on page 325 shows which IBM-supplied user profiles are authorized to the command. The security officer can grant *USE authority to others.
These commands do not require object authorities. ADDACC (Q) DSPACC DSPACCAUT DSPUSRPMN
1

GRTACCAUT 2,3,6 (Q) GRTUSRPMN 1,2 RMVACC 1 (Q) RVKACCAUT 1

RVKUSRPMN 1,2 WRKDOCLIB 4 WRKDOCPRTQ

You must have *ALLOBJ special authority to grant or revoke access code authority or document authority for other users. Access is restricted to documents, folders, and mails that are not personal. The access code must be defined to the system (using the Add Access Code (ADDACC) command) before you can grant access code authority. The user being granted access code authority must be enrolled in the system distribution directory. You must have *SECADM special authority. Additional authorities are required for specific functions called by the operations selected. The user also needs additional authorities for any commands called during a specific function. You must have all object (*ALLOBJ) or security administrator (*SECADM) special authority to grant access code authority for other users.

2 3

4 5


Online education commands


This table lists the specific authorities required for the online education commands. Commands identified by (Q) are shipped with public authority *EXCLUDE. Appendix C, Commands shipped with public authority *EXCLUDE, on page 325 shows which IBM-supplied user profiles are authorized to the command. The security officer can grant *USE authority to others.
Command   Referenced object   Authority needed
                              For object   For library
CVTEDU
STREDU

Operational assistant commands


This table lists the specific authorities required for the operational assistant commands. Commands identified by (Q) are shipped with public authority *EXCLUDE. Appendix C, Commands shipped with public authority *EXCLUDE, on page 325 shows which IBM-supplied user profiles are authorized to the command. The security officer can grant *USE authority to others.
Authority needed Command CHGBCKUP CHGCLNUP
1 2 3 3

Referenced object QUSRSYS/QEZBACKUPL *USRIDX

For object *CHANGE

For library *EXECUTE

CHGPWRSCD

CHGPWRSCDE DSPBCKSTS DSPBCKUP DSPBCKUPL

QUSRSYS/QEZBACKUPL *USRIDX QUSRSYS/QEZBACKUPL *USRIDX QUSRSYS/QEZBACKUPL *USRIDX QUSRSYS/QEZBACKUPF *USRIDX

*USE *USE *USE *USE

*EXECUTE *EXECUTE *EXECUTE *EXECUTE

DSPPWRSCD EDTBCKUPL 1
4

QUSRSYS/QEZBACKUPL *USRIDX QUSRSYS/QEZBACKUPF *USRIDX

*CHANGE *CHANGE *USE *USE *USE *USE

*EXECUTE *EXECUTE *EXECUTE *EXECUTE

ENDCLNUP

ENDJOB *CMD QUSRSYS/QAEZDISK *FILE, member QCURRENT ASP device (if specified)

PRTDSKINF (Q)

RTVBCKUP RTVCLNUP RTVDSKINF (Q) RTVPWRSCDE RUNBCKUP


1 5

QUSRSYS/QEZBACKUPL *USRIDX

*EXECUTE

ASP device (if specified) DSPPWRSCD command QUSRSYS/QEZBACKUPL *USRIDX QUSRSYS/QEZBACKUPF *USRIDX Commands: SAVLIB, SAVCHGOBJ, SAVDLO, SAVSECDTA, SAVCFG, SAVCAL, SAV

*USE *USE *USE *USE *USE *EXECUTE *EXECUTE *EXECUTE


Authority needed Command STRCLNUP


4

Referenced object QPGMR User profile Job queue

For object *USE *USE

For library

*EXECUTE

1. You must have *ALLOBJ or *SAVSYS special authority.
2. You must have *ALLOBJ, *SECADM, and *JOBCTL special authorities.
3. You must have *ALLOBJ and *SECADM special authorities.
4. You must have *JOBCTL special authority.
5. You must have *ALLOBJ special authority.

Optical commands
This table lists the specific authorities required for the optical commands. Commands identified by (Q) are shipped with public authority *EXCLUDE. Appendix C, Commands shipped with public authority *EXCLUDE, on page 325 shows which IBM-supplied user profiles are authorized to the command. The security officer can grant *USE authority to others.
Authority needed Command ADDOPTCTG (Q) ADDOPTSVR (Q) CHGDEVOPT
4

Referenced object Optical Device Server CSI Optical Device

Object *USE *USE

Library *EXECUTE *EXECUTE

Optical volume

*CHANGE, *OBJMGT *EXECUTE

CHGOPTA (Q) CHGOPTVOL Root directory (/) of volume when changing the Text Description5 Optical Device Server CSI CHKOPTVOL Optical device Root directory (/) of volume CPYOPT Optical Device *W Not applicable Not applicable

*USE *USE *USE *RWX *USE

*EXECUTE *EXECUTE *EXECUTE Not applicable *EXECUTE

*CHANGE3 Not applicable *USE Not applicable *USE - Source Volume *ALL - Target Volume

Each preceding dir in path of source file Each preceding dir in path of destination file Source file (*DSTMF)5 Parent dir of destination file Parent of parent dir if creating dir

*X *X *R *WX *WX

Not applicable Not applicable Not applicable Not applicable Not applicable

Not applicable Not applicable Not applicable Not applicable Not applicable


Authority needed Command CPYOPT Referenced object Destination file if replaced due to SLTFILE(*ALL) Destination file if replaced due to SLTFILE(*CHANGED) Each dir in path that precedes source dir Each dir in path that precedes target dir CPYOPT Dir being copied5 Dir being copied if it contains entries Parent of target dir Target dir if replaced due to SLTFILE(*ALL) Target dir if replaced due to SLTFILE(*CHANGED) Object *W Library Not applicable Optical volume Not applicable
1

*RW

Not applicable

Not applicable

*X *X *R *RX *WX *W *RW

Not applicable Not applicable Not applicable Not applicable Not applicable Not applicable Not applicable

Not applicable Not applicable Not applicable Not applicable Not applicable Not applicable Not applicable

Target dir if entries are *WX to be created CPYOPT Source files Destination file if replaced due to SLTFILE(*ALL) Destination file if replaced due to SLTFILE(*CHANGED) CRTDEVOPT4 CVTOPTBKU DSPOPT Optical Device Optical Device Path Prefix when DATA (*SAVRST)5 File Prefix when (*SAVRST)2 Optical Device Server CSI DSPOPTLCK DSPOPTSVR DUPOPT Server CSI Optical Device *USE *USE *USE *X *R *EXECUTE *USE *R *W

Not applicable Not applicable Not applicable

Not applicable Not applicable Not applicable

*RW

Not applicable

Not applicable

*EXECUTE *EXECUTE Not applicable Not applicable *USE *EXECUTE *ALL Not applicable Not applicable

*EXECUTE *EXECUTE *USE - Source Volume *ALL - Target Volume

INZOPT

Root directory (/) of volume Optical Device

*RWX *USE *R

Not applicable *EXECUTE Not applicable

Not applicable *ALL Not applicable

LODOPTFMW

Stream file Path prefix

Refer to the general rules.


Authority needed Command RCLOPT (Q) RMVOPTCTG (Q) RMVOPTSVR (Q) STRNETINS (Q) WRKHLDOPTF
2 6 2

Referenced object Optical Device Optical Device Server CSI

Object *USE *USE *USE

Library *EXECUTE *EXECUTE *EXECUTE *EXECUTE *EXECUTE *EXECUTE *EXECUTE *EXECUTE *EXECUTE *EXECUTE *EXECUTE

Optical volume

Network optical device *USE Optical Device Server CSI *USE *USE *USE *USE *USE *USE *USE

*USE

WRKOPTDIR
2

Optical Device Server CSI

*USE

WRKOPTF

Optical Device Server CSI


2

*USE

WRKOPTVOL
1

Optical Device

Optical volumes are not actual system objects. The link between the optical volume and the authorization list used to secure the volume is maintained by the optical support function. There are seven options that can be invoked from the optical utilities that are not commands themselves. These options and their required authorities to the optical volume are shown below.
- Delete File: *CHANGE
- Rename File: *CHANGE
- Delete Directory: *CHANGE
- Create Directory: *CHANGE
- Rename Volume: *ALL
- Release Held Optical File: *CHANGE
- Save Held Optical File: *USE - Source Volume, *CHANGE - Target Volume

Authorization list management authority to the authorization list currently securing the optical volume is needed to change the authorization list used to secure the volume. To use this command, you must have *IOSYSCFG special authority. This authority check is only made when the Optical media format is Universal Disk Format (UDF). You must have *JOBCTL special authority to use this command.

4 5 6


Output queue commands


This table lists the specific authorities required for the output queue commands.
Referenced object
1

Output queue parameters AUTCHK OPRCTL

Command CHGOUTQ

Special authority

Authority needed For object *READ For library *EXECUTE

Data queue Output queue *DTAAUT

*OBJMGT, *EXECUTE *READ, *ADD, *DLT Owner *YES *JOBCTL *OBJOPR *ADD *USE
2

*OWNER

*EXECUTE *EXECUTE *EXECUTE *EXECUTE

Message queue Workstation customization object User-data transform program User-driver program CLROUTQ
1

*OBJOPR *EXECUTE *OBJOPR *EXECUTE *DTAAUT *OWNER *YES *JOBCTL *READ

*EXECUTE

*EXECUTE

Output queue

*READ, *ADD, *EXECUTE *DLT Owner


2

*EXECUTE *EXECUTE *EXECUTE *READ, *ADD

CRTOUTQ

Data queue Output queue Message queue Workstation customization object

*OBJOPR *ADD *USE

*EXECUTE *EXECUTE

DLTOUTQ HLDOUTQ
1

Output queue Output queue *DTAAUT *OWNER *YES *JOBCTL


4 1

*OBJEXIST

*EXECUTE

*READ, *ADD, *EXECUTE *DLT Owner


2

*EXECUTE *EXECUTE

PRTQAUT RLSOUTQ

Output queue

*DTAAUT *OWNER *YES *JOBCTL

*READ, *ADD, *EXECUTE *DLT Owner


2

*EXECUTE *EXECUTE

WRKOUTQ

1,3

Output queue *YES *JOBCTL

*READ

*EXECUTE *EXECUTE

WRKOUTQD
1,3

Output queue *YES *JOBCTL

*READ

*EXECUTE *EXECUTE


1. If you have *SPLCTL special authority, you do not need authority to the output queue. You do need *EXECUTE authority, however, to the library for the output queue.
2. You must be the owner of the output queue.
3. If you request to work with all output queues, your list display includes all the output queues in libraries to which you have *EXECUTE authority.
4. You must have *ALLOBJ special authority to use this command.

Package commands
This table lists the specific authorities required for the package commands.
Command      Referenced object             Authority needed
                                           For object                              For library
CRTSQLPKG    Program                       *OBJOPR, *READ                          *EXECUTE
             SQL package: REPLACE(*NO)                                             *OBJOPR, *READ, *ADD, *EXECUTE
             SQL package: REPLACE(*YES)    *OBJOPR, *OBJMGT, *OBJEXIST, *READ      *OBJOPR, *READ, *ADD, *EXECUTE
DLTSQLPKG    Package                       *OBJEXIST                               *EXECUTE
PRTSQLINF    Package                       *OBJOPR, *READ                          *EXECUTE
             Program                       *OBJOPR, *READ                          *EXECUTE
             Service program               *OBJOPR, *READ                          *EXECUTE
STRSQL

Performance commands
This table lists the specific authorities required for the performance commands. Commands identified by (Q) are shipped with public authority *EXCLUDE. Appendix C, Commands shipped with public authority *EXCLUDE, on page 325 shows which IBM-supplied user profiles are authorized to the command. The security officer can grant *USE to others.
Command            Referenced object     For object          For library
ADDDWDFN (Q) 7
ADDJWDFN (Q) 7
ADDPEXDFN (Q) 5    PGM library                               *EXECUTE
ADDPEXFTR (Q) 5    PGMTRG library                            *EXECUTE
                   PGMFTR library                            *EXECUTE
                   JVAFTR path           *X for directory
                   PATHFTR path          *X for directory

Appendix D. Authority required for objects used by commands

453

Authority needed Command ANZBESTMDL (Q)


4

Referenced object QPFR/QCYRBMN *PGM Application libraries that contain the database files to be analyzed Job description

For object *USE

For library *EXECUTE *EXECUTE

*USE *USE *USE *USE *USE *USE

*EXECUTE *EXECUTE *EXECUTE, *ADD *EXECUTE *EXECUTE *EXECUTE *EXECUTE

ANZCMDPFR (Q)
4

Command file Output file

ANZDBF (Q)

QPFR/QCYRBMN *PGM Job description

ANZDBFKEY (Q)

QPFR/QPTANZKC *PGM Application libraries that contain the programs to be analyzed Job description

*USE *USE
2

*EXECUTE *EXECUTE *ADD, *READ

ANZPGM (Q)
4

QPFR/QPTANZPC *PGM Performance data

ANZPFRDTA (Q)

QPFR/QACVPP *PGM Performance data


2

*USE

*EXECUTE *ADD, *READ

ANZPFRDT2 (Q)

QPFR/QAVCPP *PGM QAPTAPGP *FILE DLTFCNARA command (Q) QPFR/QPTAGRP *PGM

*USE *CHANGE *USE *USE

*EXECUTE *EXECUTE *EXECUTE *EXECUTE *EXECUTE

CFGPFRCOL (Q) CHGFCNARA (Q)

Collection library QPFR/QPTAGRPD *PGM QAPGGPHF *FILE *USE *CHANGE *USE *CHANGE *USE *USE *CHANGE *USE *OBJMGT

*EXECUTE *EXECUTE *EXECUTE *EXECUTE *EXECUTE *EXECUTE *EXECUTE *EXECUTE

CHGGPHFMT (Q)

QPFR/QPGCRTFM *PGM QAPGPKGF *FILE QAPGGPHF *FILE

CHGGPHPKG (Q)

QPFR/QPGCRTPK *PGM QAPMDMPT *FILE

CHGJOBTYP (Q) CHGMGTCOL


5

QPFR/QPTCHGJT *PGM MGTCOL User library

*EXECUTE *EXECUTE

CHGPEXDFN (Q) CHKPFRCOL (Q)

PGM library

CPYFCNARA (Q)4

QPFR/QPTAGRPR *PGM QAPGGPHF *FILE in "From" library "To" library (if QAPGGPHF *FILE does not exist)

*USE *USE

*EXECUTE *EXECUTE *EXECUTE, *ADD *EXECUTE

QAPGGPHF *FILE in "To" library (if adding *CHANGE a new graph format or replacing an existing one)


Authority needed Command CPYGPHFMT (Q)


4

Referenced object QPFR/QPGCPYGP *PGM QAPGPKGF *FILE in "From" library "To" library (if QAPGPKGF *FILE does not exist) QAPGPKGF *FILE in "To" library (if adding a new graph package or replacing an existing one)

For object *USE *USE

For library *EXECUTE *EXECUTE *EXECUTE, *ADD

*CHANGE

*EXECUTE

QAPGGPHF *FILE in "To" library (if adding *USE a new graph package or replacing an existing one) CPYGPHPKG (Q) QPFR/QPGCPYGP *PGM From library To library Job description CPYPFRCOL (Q) From library To library CPYPFRDTA (Q) QPFR/QITCPYCP *PGM Performance data (all QAPM* files) Model library Job description QPFR/QCYCBMCP *PGM QPFR/QCYCBMDL *PGM QPFR/QCYOPDBS *PGM QPFR/QCYCLIDS *PGM CRTBESTMDL (Q) QPFR/QCYCAPT *PGM Library where the Functional Area is created QAPTAPGP *FILE in target library (if adding a new functional area) CRTFCNARA (Q) QPFR/QPTAGRP *PGM Library where the Graph Format is created QAPGGPHF *FILE in target library (if adding a new graph format) CRTGPHFMT (Q) QPFR/QPGCRTFM *PGM Library where the Graph Package is created QAPGGPHF *FILE QAPGPKGF *FILE in target library (if adding a new graph package) CRTGPHPKG (Q) QPFR/QPGCRTPK *PGM Library where the historical data is created Job description CRTHSTDTA (Q) QPFR/QPGCRTHS *PGM To Library *USE *USE *CHANGE *USE *USE *CHANGE *USE *CHANGE *USE *USE *USE *USE *USE *USE *USE *USE *USE *USE *USE

*EXECUTE

*EXECUTE *EXECUTE *EXECUTE, *ADD *EXECUTE *EXECUTE *EXECUTE, *ADD *EXECUTE *EXECUTE *EXECUTE, *ADD *EXECUTE *EXECUTE *EXECUTE *EXECUTE *EXECUTE *EXECUTE *EXECUTE, *ADD *EXECUTE *EXECUTE *EXECUTE, *ADD *EXECUTE *EXECUTE *EXECUTE, *ADD *EXECUTE *EXECUTE *EXECUTE *ADD, *READ *EXECUTE *EXECUTE *ADD, *READ


Authority needed Command CRTPEXDTA (Q)


5

Referenced object *MGTCOL Library Data library


1

For object

For library *EXECUTE *READ, *ADD2 *EXECUTE *ADD, *READ *USE *ADD, *READ *USE *USE, *ADD

CRTPFRDTA (Q)

From Library To Library From Library

CRTPFRSUM (Q) CVTPFRCOL (Q)

User library From library To library

CVTPFRDTA (Q) CVTPFRTHD (Q)

Job description Performance data Model library QPFR/QCYDBMDL *PGM QPFR/QCYCVTBD *CMD
4 2

*USE

*EXECUTE *ADD, *READ *EXECUTE, *ADD

*USE *USE *USE *CHANGE *USE *CHANGE *USE *CHANGE *USE *CHANGE *CHANGE *CHANGE *USE

*EXECUTE *EXECUTE *EXECUTE *EXECUTE *EXECUTE *EXECUTE *EXECUTE *EXECUTE *EXECUTE *EXECUTE *EXECUTE *EXECUTE *EXECUTE *EXECUTE, *DELETE
2

DLTBESTMDL (Q)

QPFR/QCYCBTOD *PGM QAPTAPGP *FILE in the functional area library

DLTFCNARA (Q)4

QPFR/QPTAGRPD *PGM QAPGGPHF *FILE in the graph format library

DLTGPHFMT (Q)4

QPFR/QPGDLTGP *PGM QAPGPKGF *FILE in the graph package library

DLTGPHPKG (Q)4

QPFR/QPGDLTGP *PGM QAPGHSTD *FILE in the historical data library QAPGHSTI *FILE in the historical data library QAPGSUMD *FILE in the historical data library

DLTHSTDTA (Q)4 DLTPEXDTA (Q) DLTPFRCOL (Q) DLTPFRDTA (Q) DMPMEMINF DMPTRC (Q)5
4 4 5

QPFR/QPGDLTHS *PGM Data Library Library QPFR/QPTDLTCP *PGM Output file Library where the trace data will be stored Output file (QAPTPAGD)
1

*EXECUTE *USE Refer to the general rules *EXECUTE Refer to the general rules *EXECUTE, *ADD *CHANGE *USE *EXECUTE, *ADD *EXECUTE *EXECUTE

DSPHSTGPH (Q)

QPFR/QPGCTRL *PGM Historical data library


Authority needed Command DSPPFRDTA (Q)


4

Referenced object QPFR/QAVCPP *PGM Format or package library Performance data


2

For object *USE

For library *EXECUTE *EXECUTE *EXECUTE *EXECUTE, *ADD

Output file library Output queue Job description DSPPFRGPH (Q)


4

*USE *USE *USE

*EXECUTE *EXECUTE *EXECUTE *EXECUTE

QPFR/QPGCTRL *PGM Output file library Job description

*USE

*EXECUTE

ENDDW (Q)
7

ENDJOBTRC (Q)4 ENDJW (Q) ENDPEX (Q)5 ENDPFRCOL (Q) PRTACTRPT (Q)4

QPFR/QPTTRCJ0 *PGM
1

*USE

*EXECUTE
2

Data Library

*READ, *ADD

QPFR/QITPRTAC *PGM Performance data Job description


2

*USE *USE *USE *USE

*EXECUTE *ADD, *READ *EXECUTE *EXECUTE *ADD, *READ

PRTCPTRPT (Q)

QPFR/QPTCPTRP *PGM Performance data Job description


2

*USE *USE
2

*EXECUTE *EXECUTE *ADD, *READ

PRTJOBRPT (Q)

QPFR/QPTITVXC *PGM Performance data Job description

*USE *USE

*EXECUTE *EXECUTE *EXECUTE

PRTJOBTRC (Q)

QPFR/QPTTRCRP *PGM Job trace file (QAPTTRCJ) library Job description

*USE *USE

*EXECUTE *EXECUTE *EXECUTE2

PRTLCKRPT (Q) PRTPEXRPT


5

QPFR/QPTLCKQ *PGM Data Library Output file QPFR/QVPEPRTC *PGM QPFR/QVPESVGN *SRVPGM QPFR/QYPESVGN *SRVPGM
1

*USE *USE *USE *USE *USE

*EXECUTE, *ADD *EXECUTE *EXECUTE *EXECUTE *EXECUTE *ADD, *READ

PRTPOLRPT (Q)

QPFR/QPTITVXC *PGM Performance data Job description


2

*USE *USE
2

*EXECUTE *EXECUTE *ADD, *READ

PRTRSCRPT (Q)

QPFR/QPTITVXC *PGM Performance data Job description

*USE

*EXECUTE


Authority needed Command PRTSYSRPT (Q)


4

Referenced object QPFR/QPTTNSRP *PGM QAPMDMPT *FILE Job description

For object *USE

For library *EXECUTE *EXECUTE

*USE *USE

*EXECUTE *EXECUTE *EXECUTE

PRTTNSRPT (Q)

QPFR/QPTTNSRP *PGM Trace file (QTRJOBT) library Job description

*USE *USE

*EXECUTE *EXECUTE

PRTTRCRPT (Q)

4 7

QPFR/QPTTRCCP *PGM
7

RMVDWDFN (Q) RMVJWDFN (Q)

RMVPEXDFN (Q)5 RMVPEXFTR (Q)5 RSTPFRCOL (Q) Library associated with the restore collection *EXECUTE, *ADD Save file SAVPFRCOL (Q) Library containing collection to be saved Save file, if empty Save file, if records exist in it STRBEST (Q)4 STRDBMON STRDW (Q)
7 3 6

*USE *EXECUTE
6

*EXECUTE

*USE, *ADD *OBJMGT, *USE, *ADD *USE *OBJOPR, *ADD

*EXECUTE, *ADD *EXECUTE *EXECUTE *EXECUTE *EXECUTE

QPFR/QCYBMAIN *PGM Output file User library QPFR/QPTTRCJ1 *PGM User library

STRJOBTRC (Q) STRJW (Q)


7 5

*USE

*EXECUTE *EXECUTE

STRPEX (Q)

STRPFRCOL (Q) STRPFRG (Q)4 STRPFRT (Q)


4

QPFR/QPGSTART *PGM QPFR/QMNMAIN0 *PGM QAPTAPGP *FILE in the functional areas library CHGFCNARA command (Q) CPYFCNARA command (Q) CRTFCNARA command (Q) DLTFCNARA command (Q) QPFR/QPTAGRP *PGM QPFR/QPTAGRPD *PGM QPFR/QPTAGRPR *PGM
4

*USE *USE *CHANGE *USE *USE *USE *USE *USE *USE *USE *USE *CHANGE, *ALTER

*EXECUTE *EXECUTE *EXECUTE *EXECUTE *EXECUTE *EXECUTE *EXECUTE *EXECUTE *EXECUTE *EXECUTE *EXECUTE *EXECUTE, *ADD

WRKFCNARA (Q)

QPFR/QPTAGRPC *PGM Output file (QAITMON)

WRKPEXDFN (Q)5 WRKPEXFTR (Q)5 WRKSYSACT (Q)3, 4 QPFR/QITMONCP *PGM *USE *EXECUTE


These commands do not require any object authorities:
- ENDDBMON 3
- ENDPFRTRC (Q)
- STRPFRTRC (Q)

Notes:
1. If the default library (QPEXDATA) is specified, authority to that library is not checked.
2. Authority is needed to the library that contains the set of database files. Authority to the individual set of database files is not checked.
3. To use the STRDBMON or ENDDBMON commands, where the JOB command parameter uses a generic name or a specific name which belongs to a user which is different from the current user, requires that you have *JOBCTL special authority or be authorized to the SQL Administrator function of IBM i through Application Administration in System i Navigator. The Change Function Usage Information (CHGFCNUSG) command, with a function ID of QIBM_DB_SQLADM, can also be used to change the list of authorized users.
5. To use this command, you must have *SERVICE special authority or you must be authorized to the Service Trace function of i5/OS through Application Administration in System i Navigator. The Change Function Usage (CHGFCNUSG) command, with a function ID of QIBM_SERVICE_TRACE, can also be used to change the list of users that are allowed to perform trace operations.
6. If you have *SAVSYS special authority, you do not need the authority specified.
7. To use this command, you must have service (*SERVICE) special authority, or be authorized to the Disk Watcher function of the operating system through System i Navigator Application Administration support. The Change Function Usage (CHGFCNUSG) command, with a function ID of QIBM_SERVICE_DISK_WATCHER, can also be used to change the list of users that are allowed to use the disk watcher tool.

Print descriptor group commands

This table lists the specific authorities required for the print descriptor group commands.

Command      Referenced object           For object    For library
CHGPDGPRF    User profile                *OBJMGT
CRTPDG       Print descriptor group                    *READ, *ADD
DLTPDG       Print descriptor group      *OBJEXIST     *EXECUTE
DSPPDGPRF    User profile                *OBJMGT
RTVPDGPRF    User profile                *READ

Print Services Facility configuration commands

This table lists the specific authorities required for the Print Services Facility configuration commands.

Command           Referenced object     For object    For library
CHGPSFCFG 1,2     PSF configuration
CRTPSFCFG 1,2     PSF configuration                   *READ, *ADD
DLTPSFCFG 1,2     PSF configuration     *OBJEXIST     *EXECUTE
DSPPSFCFG 1       PSF configuration     *USE          *EXECUTE
WRKPSFCFG 1       PSF configuration     *READ         *EXECUTE

Notes:
1. The PSF/400 feature is required to use this command.
2. *IOSYSCFG special authority is required to use this command.

Problem commands
This table lists the specific authorities required for the problem commands. Commands identified by (Q) are shipped with public authority *EXCLUDE. Appendix C, Commands shipped with public authority *EXCLUDE, on page 325 shows which IBM-supplied user profiles are authorized to the command. The security officer can grant *USE authority to others.

Command           Referenced object                                                            For object                     For library
ADDPRBACNE (Q)    Filter                                                                       *USE, *ADD                     *EXECUTE
ADDPRBSLTE (Q)    Filter                                                                       *USE, *ADD                     *EXECUTE
ANZPRB (Q)        SNDSRVRQS command                                                            *USE                           *EXECUTE
CHGPRB (Q)
CHGPRBACNE (Q)    Filter                                                                       *USE, *UPD                     *EXECUTE
CHGPRBSLTE (Q)    Filter                                                                       *USE, *UPD                     *EXECUTE
DLTPRB (Q) 3      Command: DLTAPARDTA                                                          *USE                           *EXECUTE
DSPPRB            Output file                                                                  Refer to the general rules.    Refer to the general rules.
PRTINTDTA (Q)
QRYPRBSTS (Q)
VFYCMN (Q)        Line description 1                                                           *USE                           *EXECUTE
                  Controller description 1                                                     *USE                           *EXECUTE
                  Network ID 1                                                                 *USE                           *EXECUTE
VFYOPT (Q)        Device description                                                           *USE                           *EXECUTE
VFYTAP (Q) 4      Device description                                                           *USE, *OBJMGT                  *EXECUTE
VFYPRT (Q)        Device description                                                           *USE                           *EXECUTE
WRKPRB (Q) 2      Line, controller, NWID (Network ID), and device based on problem analysis action    *USE                    *EXECUTE

Notes:
1. You need *USE authority to the communications object you are verifying.
2. You must have *USE authority to the SNDSRVRQS command to be able to report a problem.
3. You must have authority to DLTAPARDTA if you want the APAR data associated with the problem to be deleted also. See DLTAPARDTA in the Service Commands-Authorities Needed table to determine additional authorities that are needed.
4. You must have *IOSYSCFG special authority when the device description is allocated by a media library device.


Program commands
This table lists the specific authorities required for the program commands.
Authority needed Command Referenced object For object For library

The object authorities required for the CRTxxx PGM commands are listed in the Languages table in Language commands on page 422. ADDBKP
1 1,2 1

Breakpoint handling program Program Trace handling program Program Service program
4

*USE *CHANGE *USE *OBJOPR, *EXECUTE *EXECUTE *USE, *ADD, *DLT

*EXECUTE *EXECUTE *EXECUTE *EXECUTE *EXECUTE *EXECUTE

ADDPGM ADDTRC CALL

CHGDBG CHGHLLPTR CHGPGM


1

Debug operation

Program Program, if re-create option specified, optimization level changed, or performance data collection changed Program, if USRPRF or USEADPAUT parameter is being changed

*OBJMGT, *USE *OBJMGT, *USE

*USE *USE, *ADD, *DLT

Owner

*USE, *ADD, *DLT

CHGPGMVAR CHGPTR
1

CHGSRVPGM

Service program Service program, if re-create option specified, optimization level changed, or performance data collection changed Service program, if USRPRF or USEADPAUT parameter is being changed.

*OBJMGT, *USE *OBJMGT, *USE

*USE *USE, *ADD, *DLT

Owner 7, *USE, *OBJMGT

*USE, *ADD, *DLT

CLRTRCDTA 1 CRTPGM Program, Replace(*NO) Program, Replace(*YES) Service program specified in the BNDSRVPGM parameter. Module Binding directory CRTSRVPGM Service program, Replace(*NO) Service program, Replace(*YES) Module Service program specified in BNDSRVPGM parameter Export source file Binding directory Refer to the general rules. Refer to the general rules. *USE *USE *USE Refer to the general rules. Refer to the general rules. *USE *USE *OBJOPR *READ *USE *READ, *ADD *READ, *ADD *EXECUTE *EXECUTE *EXECUTE *READ, *ADD *READ, *ADD *EXECUTE *EXECUTE *EXECUTE *EXECUTE


Authority needed Command CVTCLSRC Referenced object From-file To-file DLTDFUPGM Program Display file DLTPGM DLTSRVPGM DMPCLPGM DSPBKP DSPDBG
1 1

For object *USE *OBJOPR, *OBJMGT, *USE, *ADD, *DLT *OBJEXIST *OBJEXIST *OBJEXIST *OBJEXIST *USE

For library *EXECUTE *READ, *ADD *EXECUTE *EXECUTE *EXECUTE *EXECUTE None
3

Program Service program CL Program

DSPDBGWCH DSPMODSRC2, 4 Source file Any include files Program DSPPGM Program Program, if DETAIL(*MODULE) specified DSPPGMREF Program Output file DSPPGMVAR DSPSRVPGM
1

*USE *USE *CHANGE *READ *USE *OBJOPR Refer to the general rules.

*USE *USE *EXECUTE *EXECUTE *EXECUTE *EXECUTE Refer to the general rules.

Service program Service program, if DETAIL(*MODULE) specified

*READ *USE

*EXECUTE *EXECUTE

DSPTRC

DSPTRCDTA 1 ENDCBLDBG Program (COBOL/400 licensed program or S/38 environment) ENDDBG ENDRQS
1 1

*CHANGE

*EXECUTE

Source debug program

*USE

*USE *EXECUTE

ENTCBLDBG (S/38 environment) EXTPGMINF

Program Source file and database files Program information

*CHANGE *OBJOPR

*EXECUTE *EXECUTE *READ, *ADD

PRTCMDUSG RMVBKP
1 1 1 1

Program

*USE

*EXECUTE

RMVPGM RMVTRC RSMBKP


Authority needed Command Referenced object Program Service program Module Database source file SETATNPGM SETPGMINF Attention-key-handling program Database files Source file Root program Subprogram STRCBLDBG STRDBG Program Program
2 4 4

For object *OBJMGT, *USE *OBJMGT, *USE *OBJMGT, *USE *OBJOPR, *OBJMGT, *ADD, *DLT *EXECUTE *OBJOPR *USE *CHANGE *USE *CHANGE *CHANGE *USE *USE *USE *USE *USE or a data authority other than *EXECUTE *READ

For library *EXECUTE *EXECUTE *EXECUTE *EXECUTE *EXECUTE *EXECUTE *EXECUTE *READ, *ADD *EXECUTE *EXECUTE *EXECUTE *EXECUTE *EXECUTE *EXECUTE *EXECUTE *EXECUTE

RTVCLSRC

Source file

Any include files

Source debug program Unmonitored message program TFRCTL


4

Program

Some language functions when using high-level languages UPDPGM Program Service program specified in the BNDSRVPGM parameter. Module Binding directory UPDSRVPGM Service Program Service program specified in BNDSRVPGM parameter Module Binding directory Export source file WRKPGM
6 6

*EXECUTE

*OBJMGT, *OBJEXIST, *USE, *ADD *USE *USE *USE *USE *EXECUTE *EXECUTE *EXECUTE

*OBJMGT, *OBJEXIST, *USE, *ADD *USE *USE *USE *USE *OBJOPR *READ Any authority Any authority *EXECUTE *EXECUTE *EXECUTE *EXECUTE *USE *USE

Program Service program

WRKSRVPGM


Notes:
1. When a program is in a debug operation, no further authority is needed for debug commands.
2. If you have *SERVICE special authority, you need only *USE authority to the program.
3. The DMPCLPGM command is requested from within a CL program that is already running. Because authority to the library containing the program is checked at the time the program is called, authority to the library is not checked again when the DMPCLPGM command is run.
4. Applies only to ILE programs.
5. See Authorization, privileges and object ownership for more information about security requirements for SQL statements.
6. To use individual operations, you need the authority required by the individual operation.
7. You must own the program or have *ALLOBJ and *SECADM special authorities.

QSH shell interpreter commands

This table lists the specific authorities required for the QSH shell interpreter commands. The commands listed in this table do not require any authorities to objects.

Command        Referenced object    For object    For library
STRQSH 1,2
QSH 1,2

Notes:
1. QSH is an alias for the STRQSH CL command.
2. You need *RX authority to all scripts and *X authority to all directories in the path to the script.

Query commands
This table lists the specific authorities required for the query commands.
Authority needed Command ANZQRY CHGQRYA
4

Referenced object Query definition

For object *USE

For library *EXECUTE

CRTQMFORM

Query management form: REPLACE(*NO) Query management form: REPLACE(*YES) Source file *ALL *USE

*READ, *ADD, *EXECUTE *READ, *ADD, *EXECUTE *EXECUTE *READ, *ADD, *EXECUTE *ALL *USE *USE *READ, *ADD, *EXECUTE *EXECUTE *EXECUTE

CRTQMQRY

Query management query: REPLACE(*NO) Query management query: REPLACE(*YES) Source file OVRDBF command


Authority needed Command DLTQMFORM DLTQMQRY DLTQRY RTVQMFORM Referenced object Query management form Query management query Query definition Query manager form Target source file ADDPFM, CHGPFM, CLRPFM, CPYSRCF, CRTPRTF, CRTSRCPF, DLTF, DLTOVR, OVRDBF, RMVM commands RTVQMQRY Query manager query Target source file ADDPFM, CHGPFM, CLRPFM, CPYSRCF, CRTPRTF, CRTSRCPF, DLTF, DLTOVR, OVRDBF, RMVM commands RUNQRY Query definition Input files Output files STRQMQRY
1

For object *OBJEXIST *OBJEXIST *OBJEXIST *OBJEXIST *ALL *USE

For library *EXECUTE *EXECUTE *EXECUTE *EXECUTE *READ, *ADD, *EXECUTE *EXECUTE

*USE *ALL *USE

*EXECUTE *READ, *ADD *EXECUTE

*USE *USE Refer to the general rules. *USE *USE *USE Refer to the general rules.

*USE *EXECUTE Refer to the general rules. *EXECUTE *EXECUTE *EXECUTE Refer to the general rules. *EXECUTE

Query management query Query management form, if specified Query definition, if specified Output file

ADDPFM, CHGOBJD, CHGPFM, CLRPFM, *USE CPYSRCF, CRTPRTF, CRTSRCPF, DLTF, DLTOVR, GRTOBJAUT OVRDBF, OVRPRTF RMVM commands (if OUTPUT(*OUTFILE) is specified) STRQMPRC
1

Source file containing query manager procedure Source file containing command source file, if specified OVRPRTF command, if statements result in printed report or query object.

*USE *USE *USE

*EXECUTE *EXECUTE *EXECUTE *EXECUTE

STRQRY WRKQMFORM WRKQMQRY WRKQRY


3 3 3

Query management form Query management query

Any authority Any authority

*USE *USE


Notes:
1. To run STRQM, you must have the authority required by the statements in the query. For example, to insert a row in a table requires *OBJOPR, *ADD, and *EXECUTE authority to the table.
2. Ownership or some authority to the object is required.
3. To use individual operations, you must have the authority required by the individual operation.
4. To use the CHGQRYA command, you must have *JOBCTL special authority or be authorized to the SQL Administrator function of IBM i through Application Administration in System i Navigator. The Change Function Usage Information (CHGFCNUSG) command, with a function ID of QIBM_DB_SQLADM, can also be used to change the list of authorized users.

Question and answer commands


This table lists the specific authorities required for the question and answer commands. Commands identified by (Q) are shipped with public authority *EXCLUDE. Appendix C, Commands shipped with public authority *EXCLUDE, on page 325 shows which IBM-supplied user profiles are authorized to the command. The security officer can grant *USE authority to others.
Authority needed Command ANSQST (Q) ASKQST CHGQSTDB (Q) CRTQSTDB (Q) CRTQSTLOD (Q) DLTQST (Q) DLTQSTDB (Q) EDTQST (Q) LODQSTDB (Q) STRQST
4 2 2

Referenced object Database file QAQAxxBQPY


1 1

For object *READ *READ *READ

For library *READ *READ *READ *READ, *ADD, *EXECUTE

Database file QAQAxxBBPY or QAQAxxBQPY 1 Database file QAQAxxBQPY Database files Database file QAQAxxBQPY Database file QAQAxxBQPY Database file QAQAxxBQPY Database file QAQAxxBQPY Database file QAQAxxBQPY
1 1 1 1 1,3 1

*READ *READ *READ *READ *READ *READ *READ

*READ *READ *READ *READ *READ, *ADD, *EXECUTE *READ *USE *EXECUTE

Database file QAQAxxBBPY 1 or QAQAxxBQPY 1 Database file QAQAxxBBPY QAQAxxBQPY 1


1

WRKQST WRKCNTINF
1

Notes:
1. The xx portion of the file name is the index of the Question and Answer database being operated on by the command. The index is a two-digit number in the range 00 to 99. To obtain the index for a particular Question and Answer database, use the WRKCNTINF command.
2. The user profile running the command becomes the owner of newly created files, unless the OWNER parameter of the user's profile is *GRPPRF. Public authority for new files, except QAQAxxBBPY, is set to *EXCLUDE. Public authority for QAQAxxBBPY is set to *READ.
3. Authority to the file is required only if loading a previously existing Question and Answer database.
4. The command displays the Question and Answer menu. To use individual options, you must have the authority required by those options.

Reader commands
This table lists the specific authorities required for the reader commands.

Command      Referenced object      For object        For library
STRDBRDR     Message queue          *OBJOPR, *ADD     *EXECUTE
             Database file          *OBJOPR, *USE     *EXECUTE
             Job queue              *READ             *EXECUTE
STRDKTRDR    Message queue          *OBJOPR, *ADD     *EXECUTE
             Job queue              *READ             *EXECUTE
             Device description     *OBJOPR, *READ    *EXECUTE

These commands do not require any authority to objects:
- ENDRDR 1
- HLDRDR 1
- RLSRDR 1

Notes:
1. You must be the user who started the reader, or you must have all object (*ALLOBJ) or job control (*JOBCTL) special authority.

Registration facility commands

This table lists the specific authorities required for the registration facility commands. Commands identified by (Q) are shipped with public authority *EXCLUDE. Appendix C, Commands shipped with public authority *EXCLUDE, on page 325 shows which IBM-supplied user profiles are authorized to the command. The security officer can grant *USE authority to others.

Command           Referenced object    For object    For library
ADDEXITPGM (Q)
RMVEXITPGM (Q)
WRKREGINF

Relational database commands


This table lists the specific authorities required for the relational database commands.
Authority needed Command ADDRDBDIRE CHGRDBDIRE Referenced object Output file, if specified Output file, if specified Remote location device description DSPRDBDIRE Output file, if specified
7

For object *EXECUTE *EXECUTE *CHANGE Refer to the general rules.

For library *EXECUTE *EXECUTE

Refer to the general rules.

These commands do not require any authority to objects:
- RMVRDBDIRE
- WRKRDBDIRE

Notes:
1. Authority verified when the RDB directory entry is used.

Resource commands
This table lists the specific authorities required for the resource commands.

Command: DSPHDWRSC, DSPSFWRSC, EDTDEVRSC 1, WRKHDWRSC 1
Referenced object: Output file, if specified
For object: Refer to the general rules.
For library: Refer to the general rules.

Notes:
1. If you use the option to create a configuration object, you must have authority to use the appropriate CRT command.

Remote Job Entry (RJE) commands


This table lists the specific authorities required for the Remote Job Entry (RJE) commands.
Authority needed Command ADDFCTE Referenced object Forms control table Device file
1,2 1,2

For object *DELETE, *USE, *ADD *USE

For library *READ, *EXECUTE *READ, *EXECUTE *READ, *EXECUTE, *ADD *READ, *EXECUTE *READ, *EXECUTE *READ, *EXECUTE *READ, *EXECUTE *READ, *EXECUTE *READ, *EXECUTE *READ, *EXECUTE *READ, *EXECUTE *READ, *EXECUTE *READ, *EXECUTE *READ, *EXECUTE

Physical file Physical file Program


1,2

(RJE generates members) (member specified)


1,2

*OBJMGT, *USE, *ADD *USE, *ADD *USE *USE, *ADD *USE *USE, *ADD, *DLT *USE

1,2

Message queue

QUSER user profile ADDRJECMNE Session description BSC/CMN file


1,2 2

Device description

*USE *USE *READ, *ADD, *DLT *READ

QUSER user profile ADDRJERDRE Session description Job queue


2 2

Message queue

*READ, *ADD


Authority needed Command ADDRJEWTRE Referenced object Session description Device file
1,2 1,2

For object *READ, *ADD, *DLT *USE

For library *READ, *EXECUTE *READ, *EXECUTE *READ, *EXECUTE, *ADD *READ, *EXECUTE *READ, *EXECUTE *READ, *EXECUTE *READ, *EXECUTE *READ, *EXECUTE *READ, *EXECUTE *READ, *EXECUTE *READ, *EXECUTE, *ADD *READ, *EXECUTE *READ, *EXECUTE *READ, *EXECUTE *READ, *EXECUTE *READ, *EXECUTE *READ, *EXECUTE *READ, *EXECUTE *READ, *EXECUTE *READ, *EXECUTE *READ, *EXECUTE *READ, *EXECUTE *READ, *EXECUTE *READ, *EXECUTE *READ, *EXECUTE, *ADD *READ, *EXECUTE *READ, *EXECUTE *READ, *EXECUTE *READ, *EXECUTE *EXECUTE, *READ *EXECUTE *EXECUTE *EXECUTE *EXECUTE *EXECUTE *EXECUTE

Physical file Physical file Program


1,2

(RJE generates members) (member specified)


1,2

*OBJMGT, *USE, *ADD *OBJOPR, *ADD *USE *USE, *ADD *USE *OBJOPR, *OBJMGT *USE *USE

1,2

Message queue

QUSER user profile CHGFCT CHGFCTE Forms control table Forms control table Device file
1,2 1,2

Physical file Physical file Program


1,2

(RJE generates members) (member specified)


1,2

*OBJMGT, *USE, *ADD *USE, *ADD *USE *USE, *ADD *USE *USE *USE

1,2

Message queue

QUSER user profile CHGRJECMNE Session description BSC/CMN file


1,2 2

Device description

*USE *USE *USE, *ADD, *DLT *USE

QUSER user profile CHGRJERDRE Session description Job queue


2 2

Message queue CHGRJEWTRE


1,2 1,2

*USE, *ADD *USE *USE

Session description Device File

Physical file Physical file Program


1,2

(RJE generates members) (member specified)


1,2

*OBJMGT, *USE, *ADD *OBJOPR, *ADD *USE *USE, *ADD *USE *OBJMGT, *READ, *UPD, *OBJOPR *USE

1,2

Message queue

QUSER user profile CHGSSND Session description Job queue


1,2 1,2 1,2

Message queue

*USE, *ADD *USE *USE *USE *USE, *ADD

Forms control table QUSER user profile CNLRJERDR Session description Message queue


Authority needed Command CNLRJEWTR Referenced object Session description Message queue CRTFCT CRTRJEBSCF Forms control table BSC file Source physical file (DDS) Device description CRTRJECFG Session description Job queue Job description Subsystem description Message queue CMN file BSC file Printer file CRTRJECFG Physical file User profile QUSER Output queue Forms control table Device description Controller description Line description CRTRJECMNF Communication file Source physical file (DDS) Device description CRTSSND Session description Job queue
1,2 1,2 1,2 3

For object *USE *USE, *ADD

For library *EXECUTE *EXECUTE *READ, *ADD *READ, *EXECUTE, *ADD

*READ *READ

*EXECUTE *EXECUTE *READ, *ADD, *UPD, *OBJOPR *READ, *ADD *READ, *OBJOPR, *ADD *READ, *OBJOPR, *ADD *READ, *ADD *READ, *EXECUTE, *ADD *READ, *EXECUTE, *ADD *USE, *ADD *EXECUTE, *ADD

*USE *READ *READ

*EXECUTE *EXECUTE *READ *EXECUTE *EXECUTE *EXECUTE *READ, *EXECUTE, *ADD

*READ *READ

*EXECUTE *EXECUTE *READ, *ADD, *UPD, *OBJOPR

*USE *USE, *ADD *USE *USE *USE *USE, *UPD *OBJMGT, *USE, *ADD *USE, *ADD

*EXECUTE *EXECUTE *EXECUTE *EXECUTE *EXECUTE *EXECUTE *READ, *EXECUTE, *ADD *EXECUTE

Message queue

Forms control table QUSER user profile CVTRJEDTA Forms control table Input file

Output file (RJE generates member) Output file (member specified)


Authority needed Command DLTFCT DLTRJECFG Referenced object Forms control table Session description Job queue BSC/CMN file Physical file Printer file Message queue Job description Subsystem description Device description
4 4 4

For object *OBJEXIST *OBJEXIST *OBJEXIST *OBJEXIST, *OBJOPR *OBJEXIST, *OBJOPR *OBJEXIST, OBJOPR *OBJEXIST, *USE, *DLT *OBJEXIST *OBJEXIST, *USE *OBJEXIST *OBJEXIST *OBJEXIST *OBJEXIST *READ *USE *OBJOPR, *READ, *ADD, *DLT *OBJOPR, *READ, *ADD, *DLT *OBJOPR, *READ, *ADD, *DLT *OBJOPR, *READ, *ADD, *DLT *USE *USE *USE *USE, *ADD
7

For library *EXECUTE *EXECUTE *EXECUTE *EXECUTE *EXECUTE *EXECUTE *EXECUTE *EXECUTE *EXECUTE *EXECUTE *EXECUTE *EXECUTE *EXECUTE *EXECUTE *EXECUTE *EXECUTE *EXECUTE *EXECUTE *EXECUTE *EXECUTE *EXECUTE *EXECUTE *EXECUTE

Controller description Line description DLTSSND DSPRJECFG ENDRJESSN RMVFCTE RMVRJECMNE RMVRJERDRE RMVRJEWTRE SNDRJECMD SBMRJEJOB
5

Session description Session description Session description Forms control table Session description Session description Session description Session description Session description Input file
6

Message queue Job-related objects SNDRJECMD STRRJECSL

Session description Session description Message queue

*USE *USE *USE *USE *USE *USE *USE

*EXECUTE *EXECUTE *EXECUTE *USE *USE, *ADD *EXECUTE *EXECUTE *EXECUTE

STRRJERDR STRRJESSN
5

Session description Session description Program User profile QUSER Job-related objects
7


Authority needed Command STRRJEWTR Referenced object Session description Program


1 1 1

For object *USE *USE *USE, *ADD *OBJMGT, *USE, *ADD *READ, *ADD *USE, *ADD *USE *USE *USE *CHANGE

For library *USE *READ, *EXECUTE *READ, *EXECUTE *OBJOPR, *ADD *READ, *EXECUTE *READ, *EXECUTE *READ, *EXECUTE *EXECUTE *EXECUTE *EXECUTE

Device file

Physical file (RJE generates members) Physical file 1 (member specified) Message queue
8 8 1

QUSER user profile WRKFCT Forms control table Session description Session description
8

WRKRJESSN WRKSSND
1 2

User profile QUSER requires authority to this object. If the object is not found or the required authority is not held, an information message is sent and the function of the command is still performed. This authority is required to create job description QRJESSN. This authority is only required when DLTCMN(*YES) is specified. You must have *JOBCTL special authority. Input files include those imbedded using the .. READFILE control statement. Review the authorities that are required for the SBMJOB command. To use an individual operation, you must have the authority required by the operation.

3 4 5

6 7 8

Security attributes commands

This table lists the specific authorities required for the security attributes commands.

Command            Referenced object   For object   For library
CHGSECA 1
CHGSECAUD 2,3
CFGSYSSEC 1,2,3
DSPSECA
DSPSECAUD 3
PRTSYSSECA 4

1  You must have *SECADM special authority to use this command.
2  You must have *ALLOBJ special authority to use this command.
3  You must have *AUDIT special authority to use this command.
4  You must have *ALLOBJ or *AUDIT special authority to use this command.


Server authentication entry commands

This table lists the specific authorities required for the server authentication entry commands.

Command          Referenced object   For object   For library
ADDSVRAUTE 1     User profile        *READ        *EXECUTE
CHGSVRAUTE 1     User profile        *READ        *EXECUTE
DSPSVRAUTE 1     User profile        *READ        *EXECUTE
RMVSVRAUTE 1     User profile        *READ        *EXECUTE

1  If the user profile for this operation is not *CURRENT or the current user for the job, you must have *SECADM special authority and *OBJMGT and *USE authority to the profile.

Service commands

This table lists the specific authorities required for the service commands. Commands identified by (Q) are shipped with public authority *EXCLUDE. Appendix C, Commands shipped with public authority *EXCLUDE, on page 325 shows which IBM-supplied user profiles are authorized to the command. The security officer can grant *USE authority to others.

Command              Referenced object                                        For object                                For library
ADDTRCFTR 11
APYPTF (Q) 2         Product library                                          *OBJMGT                                   *EXECUTE
                     All objects in product option                            *USE                                      *EXECUTE
CHGSRVA (Q) 3
CHKCMNTRC 3 (Q)
CHKPRDOPT (Q)
CPYPTF (Q)           From file                                                Same requirements as the SAVOBJ command   Same requirements as the SAVOBJ command
                     To-file 8
                     Device description
                     Licensed program
                     Commands: CHKTAP, CPYFRMTAP, CPYTOTAP, CRTLIB, CRTSAVF, CRTTAPF, and OVRTAPF 4
                     QSRV library
CPYPTFGRP (Q) 2      Device description
                     To-file
                     From-file                                                Same requirements as the SAVOBJ command   Same requirements as the SAVOBJ command
                     Commands: CHKTAP, CRTLIB, CRTSAVF
                     (Authority values for the CPYPTF and CPYPTFGRP rows not shown above, in the order the table lists them: *USE; *EXECUTE; *USE; *USE; *EXECUTE; then for object *USE; *USE; *USE; *USE and for library *EXECUTE; *EXECUTE; *EXECUTE; *EXECUTE.)
DLTAPARDTA (Q)
DLTCMNTRC 3 (Q)      NWID (network ID) or line description                    *USE                                      *EXECUTE
DLTPTF (Q)           Cover letter file 4                                                                                *EXECUTE
                     PTF save file 4                                                                                    *EXECUTE
DLTTRC (Q)           RMVM command                                             *USE                                      *EXECUTE
                     QSYS library
                     Database files                                           *OBJEXIST, *OBJOPR                        *EXECUTE
DMPJOB (Q)
DMPJOBINT (Q)
DSPPTF (Q)
DSPSRVA (Q)
DSPSRVSTS (Q)        Output file                                              Refer to the general rules.               Refer to the general rules.
DSPSSTUSR 19
ENDCMNTRC 3 (Q)      NWID or line description                                 *USE                                      *EXECUTE
ENDCPYSCN (Q)        Device description                                       *USE                                      *EXECUTE
ENDSRVJOB (Q)
ENDTRC (Q)           QSYS library                                             *ADD, *EXECUTE
                     Database files                                           *OBJOPR, *OBJMGT, *ADD, *DLT
                     Commands: PRTTRC, DLTTRC                                 *USE
ENDWCH (Q) 16        Watch sessions watching for a message within a job log 17
INSPTF 9 (Q)
LODPTF (Q) 2         Device description                                       *USE                                      *EXECUTE
                     RSTOBJ command                                           *USE                                      *EXECUTE
LODRUN
PRTCMNTRC (Q) 3      NWID (network ID) or line description                    *USE                                      *EXECUTE
                     Output file                                              Refer to the general rules.               Refer to the general rules.
PRTERRLOG (Q)        Output file                                              Refer to the general rules.               Refer to the general rules.
PRTINTDTA 12,13 (Q)
PRTTRC 11 (Q)        Output file
                     QSYS library
                     Database files
                     DLTTRC command
RMVPTF (Q)           Product library
RMVTRCFTR 11
RUNLPDA (Q)          Line description
                     (Authority values for the PRTTRC, RMVPTF, and RUNLPDA rows, in the order the table lists them: *EXECUTE; *USE; *USE; *OBJMGT; *READ; *EXECUTE.)
SAVAPARDTA (Q) 6     Commands: CRTDUPOBJ, CRTLIB, CRTOUTQ, CRTSAVF, DLTF, DMPOBJ, DMPSYSOBJ, DSPCTLD, DSPDEVD, DSPHDWRSC, DSPJOB, DSPLIND, DSPLOG, DSPNWID, DSPPTF, DSPSFWRSC, OVRPRTF, PRTERRLOG, PRTINTDTA, SAV, SAVDLO, SAVLIB, SAVOBJ, WRKACTJOB, and WRKSYSVAL   *USE   *EXECUTE
                     Existing problem 7                                       *CHANGE
SNDPTFORD (Q) 10     CRTIMGCLG                                                *USE                                      *EXECUTE
                     QUSRSYS                                                  *ADD, *READ
SNDSRVRQS (Q)
STRCMNTRC (Q) 11     NWID (network ID) or line description                    *USE                                      *EXECUTE
                     Watched job 17
                     Trace exit program                                       *OBJOPR and *EXECUTE                      *EXECUTE
                     Message queue                                            *USE                                      *USE
STRCPYSCN            Job queue                                                *USE                                      *EXECUTE
                     Device description                                       *USE                                      *EXECUTE
                     Output file, if specified                                Refer to the general rules.               Refer to the general rules.
STRSRVJOB (Q)
STRSST (Q) 3
STRTRC (Q) 11,15     Watched job 17
                     Trace exit program                                       *OBJOPR and *EXECUTE                      *EXECUTE
                     Message queue                                            *USE                                      *USE
                     User profile of job                                      *USE                                      *EXECUTE
STRWCH (Q) 16        Watched job 17
                     Watch exit program                                       *OBJOPR and *EXECUTE                      *EXECUTE
                     Message queue                                            *USE                                      *USE
TRCCNN (Q) 11        Watched job 17
                     Trace exit program                                       *OBJOPR and *EXECUTE                      *EXECUTE
                     Message queue                                            *USE                                      *USE
TRCCPIC (Q)
TRCICF (Q)
TRCINT 11 (Q)        Watched job 17
                     Trace exit program                                       *OBJOPR and *EXECUTE                      *EXECUTE
                     Message queue                                            *USE                                      *USE
TRCJOB (Q)           Output file, if specified                                Refer to the general rules.               Refer to the general rules.
                     Exit program, if specified                               *USE                                      *EXECUTE
TRCTCPAPP (Q) 11     Line description                                         *USE
                     Network interface                                        *USE
                     Network interface                                        *USE
                     Watched job 17
                     Trace exit program                                       *OBJOPR and *EXECUTE                      *EXECUTE
                     Message queue                                            *USE                                      *USE
VFYCMN (Q)           Line description 5                                       *USE                                      *EXECUTE
                     Controller description 5                                 *USE                                      *EXECUTE
                     Network ID 5                                             *USE                                      *EXECUTE
VFYLNKLPDA (Q)       Line description                                         *READ                                     *EXECUTE
VFYPRT (Q)           Device description                                       *USE                                      *EXECUTE
VFYOPT (Q)           Device description                                       *USE                                      *EXECUTE
VFYTAP (Q) 14        Device description                                       *USE, *OBJMGT                             *EXECUTE
WRKCNTINF (Q)
WRKFSTAF (Q)         QUSRSYS/QPVINDEX *USRIDX                                 *CHANGE                                   *USE
WRKFSTPCT (Q)        QUSRSYS/QPVPCTABLE *USRIDX                               *CHANGE                                   *USE
WRKPRB (Q) 1,10      Line, controller, NWID (Network ID), and device based on problem analysis action   *USE, *ADD   *EXECUTE
WRKPTFGRP (Q)
WRKPTFORD (Q)        QESCPTFO and SNDPTFORD                                   *USE
WRKSRVPVD (Q)
WRKTRC 11 (Q)
WRKWCH 18 (Q)

1  You need authority to the PRTERRLOG command for some analysis procedures or if the error log records are being saved.
2  All restrictions for the RSTOBJ command also apply.
3  You must have Service (*SERVICE) special authority to use this command.
4  The objects listed are used by the command, but authority to the objects is not checked. Authority to use the command is sufficient to use the objects.
5  You need *USE authority to the communications object that you are verifying.
6  You must have *SPLCTL special authority to save a spooled file.
7  When SAVAPARDTA is run for a new problem, a unique APAR library is created for that problem. If you run SAVAPARDTA again for the same problem to collect more information, you must have Use authority to the APAR library for the problem.
8  The option to add a new member to an existing output file is not valid for this command.
9  This command has the same authorities and restrictions as the APYPTF command and the LODPTF command.
10 To access options 1 and 3 on the "Select Reporting Option" display, you must have *USE authority to the SNDSRVRQS command. The following restrictions apply for the IMGDIR parameter:
   - You must have *X authority to each directory in the path.
   - You must have *WX authority to the directory that contains the optical image.
11 To use this command, you must have *SERVICE special authority, or be authorized to the Service Trace function of i5/OS through Application Administration in System i Navigator. The Change Function Usage Information (CHGFCNUSG) command, with a function ID of QIBM_SERVICE_TRACE, can also be used to change the list of users that are allowed to perform trace operations.
12 To use this command, you must have *SERVICE special authority, or be authorized to the Service Dump Function of i5/OS through Application Administration in System i Navigator. The Change Function Usage Information (CHGFCNUSG) command, with a function ID of QIBM_SERVICE_DUMP, can also be used to change the list of users that are allowed to perform dump operations.
13 This command must be issued from within the job with internal data being printed, or the issuer of the command must be running under a user profile which is the same as the job user identity of the job with internal data being printed, or the issuer of the command must be running under a user profile which has job control (*JOBCTL) special authority.
14 You must have *IOSYSCFG special authority when the device description is allocated by a media library device.
15 If you specify a generic user name for the Job name (JOB) parameter, you must have all object (*ALLOBJ) special authority, or be authorized to the Trace Any User function of i5/OS through Application Administration in System i Navigator. You can also use the Change Function Usage (CHGFCNUSG) command, with a function ID of QIBM_ALLOBJ_TRACE_ANY_USER, to change the list of users that are allowed to perform trace operations.
16 To use this command, you must have service (*SERVICE) special authority, or be authorized to the service watch function of i5/OS through Application Administration in System i Navigator. You can also use the Change Function Usage (CHGFCNUSG) command, with a function ID of QIBM_SERVICE_WATCH, to change the list of users that are allowed to start and end watch operations.
17 Job control (*JOBCTL) special authority is needed if the job is running under a different user from the job user identity of the job being watched. All object (*ALLOBJ) special authority is needed if *ALL is specified for the watched job name, or if a generic user name is specified. A user that does not have *ALLOBJ special authority can perform the function if they are authorized to the Watch Any Job function of i5/OS through Application Administration in System i Navigator. You can also use the Change Function Usage (CHGFCNUSG) command, with a function ID of QIBM_WATCH_ANY_JOB, to change the list of users that are allowed to start and end watch operations.
18 To use this command, you must have service (*SERVICE) special authority, or be authorized to the service trace function and service watch function of i5/OS through Application Administration in System i Navigator. You can also use the Change Function Usage (CHGFCNUSG) command, with a function ID of QIBM_SERVICE_TRACE and QIBM_SERVICE_WATCH, to change the list of users that are allowed to perform trace operations.
19 You must have Audit (*AUDIT) and Security Administrator (*SECADM) special authorities to use this command.

Spelling aid dictionary commands

This table lists the specific authorities required for the spelling aid dictionary commands.

Command          Referenced object              For object   For library
CRTSPADCT        Spelling aid dictionary
                 Dictionary - REPLACE(*NO)
                 Dictionary - REPLACE(*YES)
DLTSPADCT        Spelling aid dictionary
WRKSPADCT 1      Spelling aid dictionary
                 (Authority values for these rows, in the order the table lists them. For object: *OBJEXIST; Refer to the general rules; *OBJEXIST; Any authority. For library: *EXECUTE; *READ, *ADD; *READ, *ADD; *EXECUTE; *USE.)

1  To use an individual operation, you must have the authority required by the operation.

Sphere of control commands

This table lists the specific authorities required for the sphere of control commands.

Command          Referenced object       For object     For library
ADDSOCE          Sphere of control 1     *USE, *ADD     *EXECUTE
DSPSOCSTS
RMVSOCE          Sphere of control 1     *USE, *DLT     *EXECUTE
WRKSOC           Sphere of control 1     *USE           *EXECUTE

1  The sphere of control is physical file QUSRSYS/QAALSOC.


Spooled file commands

This table lists the specific authorities required for the spooled file commands. Commands identified by (Q) are shipped with public authority *EXCLUDE. Appendix C, Commands shipped with public authority *EXCLUDE, on page 325 shows which IBM-supplied user profiles are authorized to the command. The security officer can grant *USE authority to others.

                                                    Output queue parameters              Special       Authority needed
Command              Referenced object              DSPDTA        AUTCHK     OPRCTL      authority     For object                For library
CHGSPLFA 1,2         Output queue 3                               *DTAAUT                              *READ, *DLT, *ADD
                                                                  *OWNER                               Owner 4
                                                                             *YES        *JOBCTL
CHGSPLFA, if         Original output queue 3                      *DTAAUT                              *READ, *ADD, *DLT
moving spooled                                                    *OWNER                               Owner 4
file                                                                         *YES        *JOBCTL
                     Spooled file                                 *OWNER                               Owner
                     Target output queue 7                                                             *READ                     *EXECUTE
                                                                             *YES        *JOBCTL
                     Target device                                                                     *USE                      *EXECUTE
CPYSPLF 1            Database file                  For object and for library: Refer to the general rules for Display (DSP) or other operation using output file (OUTPUT(*OUTFILE))
                     Spooled file                                 *OWNER                               Owner
                     Output queue 3                 *YES                                               *READ
                                                    *NO           *DTAAUT                              *READ, *ADD, *DLT
                                                    *NO           *OWNER                               Owner 4
                                                    *YES or *NO              *YES        *JOBCTL
DLTEXPSPLF (Q) 10    Independent disk pool 9                                                           *USE
DLTSPLF 1            Output queue 3                               *DTAAUT                              *READ, *ADD, *DLT
                                                                  *OWNER                               Owner 4
                                                                             *YES        *JOBCTL
DSPSPLF 1            Output queue 3                 *YES                                               *READ
                                                    *NO           *DTAAUT                              *READ, *ADD, *DLT
                                                    *NO           *OWNER                               Owner 4
                                                    *YES or *NO              *YES        *JOBCTL
                     Spooled file                                 *OWNER                               Owner
HLDSPLF 1            Output queue 3                               *DTAAUT                              *READ, *ADD, *DLT
                                                                  *OWNER                               Owner 4
                                                                             *YES        *JOBCTL
RCLSPLSTG (Q) 10     Independent disk pool 9                                                           *USE
RLSSPLF 1,8          Output queue 3                               *DTAAUT                              *READ, *ADD, *DLT
                                                                  *OWNER                               Owner 4
                                                                             *YES        *JOBCTL
SNDNETSPLF 1,5       Output queue                   *YES                                               *READ
                                                    *NO           *DTAAUT                              *READ, *ADD, *DLT
                                                    *NO           *OWNER                               Owner 4
                                                    *YES or *NO              *YES        *JOBCTL
                     Spooled file                                 *OWNER                               Owner
SNDTCPSPLF 1,5       Output queue 3                 *YES                                               *READ
                                                    *NO           *DTAAUT                              *READ, *ADD, *DLT
                                                    *NO           *OWNER                               Owner 4
                                                    *YES or *NO              *YES        *JOBCTL
                     Spooled file                                 *OWNER                               Owner
STRSPLRCL (Q) 9,10   Independent disk pool 9                                                           *USE
WRKSPLF 1,2

1  Users are always authorized to control their own spooled files.
2  To move a spooled file to the front of an output queue (PRTSEQ(*NEXT)) or change its priority to a value greater than the limit specified in your user profile, you must have one of the authorities shown for the output queue or have *SPLCTL special authority.
3  If you have *SPLCTL special authority, you do not need any authority to the output queue.
4  You must be the owner of the output queue.
5  You must have *USE authority to the recipient's output queue and output queue library when sending a file to a user on the same system.
6  You must be the owner of the spooled file.
7  If you have *SPLCTL special authority, you do not need authority to the target output queue but you must have *EXECUTE authority to its library.
8  When the spooled file has been held with HLDJOB SPLFILE(*YES) and the spooled file was also decoupled from the job, the user will need to have *USE authority to the RLSJOB command and either have *JOBCTL special authority or be the owner of the spooled file.
9  You must have *USE authority to all independent disk pools in an independent disk pool group.
10 You must have *SPLCTL special authority to run this command.

Subsystem description commands

This table lists the specific authorities required for the subsystem description commands. Commands identified by (Q) are shipped with public authority *EXCLUDE. Appendix C, Commands shipped with public authority *EXCLUDE, on page 325 shows which IBM-supplied user profiles are authorized to the command. The security officer can grant *USE authority to others.

Command          Referenced object                                    For object                  For library
ADDAJE           Subsystem description                                *OBJOPR, *OBJMGT, *READ     *EXECUTE
                 Job description 9                                    *OBJOPR, *READ              *EXECUTE
ADDCMNE          Subsystem description                                *OBJOPR, *OBJMGT, *READ     *EXECUTE
                 Job description 9                                    *OBJOPR, *READ              *EXECUTE
                 User profile                                         *USE
ADDJOBQE         Subsystem description                                *OBJOPR, *OBJMGT, *READ     *EXECUTE
ADDPJE           Subsystem description                                *OBJOPR, *OBJMGT, *READ     *EXECUTE
                 User profile                                         *USE
                 Job description 9                                    *OBJOPR, *READ              *EXECUTE
ADDRTGE          Subsystem description                                *OBJOPR, *OBJMGT, *READ     *EXECUTE
ADDWSE           Subsystem description                                *OBJOPR, *OBJMGT, *READ     *EXECUTE
                 Job description 9                                    *OBJOPR, *READ              *EXECUTE
CHGAJE           Subsystem description                                *OBJOPR, *OBJMGT, *READ     *EXECUTE
                 Job description 9                                    *OBJOPR, *READ              *EXECUTE
CHGCMNE          Subsystem description                                *OBJOPR, *OBJMGT, *READ     *EXECUTE
                 Job description 9                                    *OBJOPR, *READ              *EXECUTE
                 User profile                                         *USE
CHGJOBQE         Subsystem description                                *OBJOPR, *OBJMGT, *READ     *EXECUTE
CHGPJE           Subsystem description                                *OBJOPR, *OBJMGT, *READ     *EXECUTE
                 User profile                                         *USE
                 Job description 9                                    *OBJOPR, *READ              *EXECUTE
CHGRTGE          Subsystem description                                *OBJOPR, *OBJMGT, *READ     *EXECUTE
CHGSBSD 5,7      Subsystem description                                *OBJOPR, *OBJMGT, *READ     *EXECUTE
                 Signon display file 4                                *USE                        *EXECUTE
CHGWSE           Subsystem description                                *OBJOPR, *OBJMGT, *READ     *EXECUTE
                 Job description 9                                    *OBJOPR, *READ              *EXECUTE
CRTSBSD (Q)      Subsystem description                                                            *READ, *ADD
                 Signon display file 4                                *USE                        *EXECUTE
                 Auxiliary storage pool (ASP) device description 8    *USE
DLTSBSD          Subsystem description                                *OBJEXIST, *USE             *EXECUTE
DSPSBSD          Subsystem description                                *OBJOPR, *READ              *EXECUTE
ENDSBS 1
PRTSBSDAUT 6
RMVAJE           Subsystem description                                *OBJOPR, *OBJMGT, *READ     *EXECUTE
RMVCMNE          Subsystem description                                *OBJOPR, *OBJMGT, *READ     *EXECUTE
RMVJOBQE         Subsystem description                                *OBJOPR, *OBJMGT, *READ     *EXECUTE
RMVPJE           Subsystem description                                *OBJOPR, *OBJMGT, *READ     *EXECUTE
RMVRTGE          Subsystem description                                *OBJOPR, *OBJMGT, *READ     *EXECUTE
RMVWSE           Subsystem description                                *OBJOPR, *OBJMGT, *READ     *EXECUTE
STRSBS 1         Subsystem description                                *USE                        *EXECUTE
                 Auxiliary storage pool (ASP) device description      *USE
WRKSBS 2,3       Subsystem description                                Any authority               *USE
WRKSBSD 3        Subsystem description                                Any authority               *USE

1  You must have job control (*JOBCTL) special authority to use this command.
2  Requires some authority (anything but *EXCLUDE).
3  To use an individual operation, you must have the authority required by the operation.
4  The authority is needed to complete format checks of the display file. This helps predict that the display will work correctly when the subsystem is started. When you are not authorized to the display file or its library, those format checks will not be performed.
5  You must have *SECADM or *ALLOBJ special authority to specify a specific library for the subsystem library.
6  You must have *ALLOBJ or *AUDIT special authority to use this command.
7  You must have *ALLOBJ and *SECADM special authorities to change the auxiliary storage pool (ASP) group name.
8  To specify an ASP device description that does not exist, you must have all object (*ALLOBJ) special authority.
9  To specify a job description that does not exist, you must have all object (*ALLOBJ) special authority.

System commands

This table lists the specific authorities required for the system commands. Commands identified by (Q) are shipped with public authority *EXCLUDE. The Commands shipped with public authority *EXCLUDE topic shows which IBM-supplied user profiles are authorized to the command. The security officer can grant *USE authority to others.

Command            Referenced object               For object               For library
PWRDWNSYS 1        Image catalog (if specified)    *USE
RTVSYSINF (Q) 2    Library                         *READ, *ADD, *EXECUTE

These commands do not require any object authorities:
CHGSHRPOOL
DSPSYSSTS
ENDSYS 1
PRTSYSINF (Q)
RCLACTGRP 1
RCLRSC
RETURN
RTVGRPA
SIGNOFF
UPDSYSINF (Q) 3
WRKSHRPOOL
WRKSYSSTS

1  You must have job control (*JOBCTL) special authority to use this command.
2  You must have *SAVSYS special authority to use this command.
3  You must have *SECADM, *ALLOBJ, *AUDIT, *JOBCTL, and *SAVSYS special authorities to use this command.

System reply list commands

This table lists the specific authorities required for the system reply list commands.

These commands do not require object authorities:
ADDRPYLE (Q)
CHGRPYLE (Q)
RMVRPYLE (Q)
WRKRPYLE

System value commands

This table lists the specific authorities required for the system value commands. Commands identified by (Q) are shipped with public authority *EXCLUDE. Appendix C, Commands shipped with public authority *EXCLUDE, on page 325 shows which IBM-supplied user profiles are authorized to the command. The security officer can grant *USE authority to others.

These commands do not require any authority to objects:
CHGSYSVAL (Q) 1,2
DSPSYSVAL 3
RTVSYSVAL 3
WRKSYSVAL 1,2,3

1  To change some system values, you must have *ALLOBJ, *ALLOBJ and *SECADM, *AUDIT, *IOSYSCFG, or *JOBCTL special authorities.
2  To use this command as shipped by IBM, you must be signed on as QPGMR, QSYSOPR, or QSRV, or have *ALLOBJ special authority.
3  To display or retrieve auditing-related system values, you must have either *AUDIT or *ALLOBJ special authority.

System/36 environment commands

This table lists the specific authorities required for the System/36 environment commands. Commands identified by (Q) are shipped with public authority *EXCLUDE. Appendix C, Commands shipped with public authority *EXCLUDE, on page 325 shows which IBM-supplied user profiles are authorized to the command. The security officer can grant *USE authority to others.

Command          Referenced object                                                          For object         For library
CHGS36           S/36 configuration object QS36ENV                                          *UPD               *EXECUTE
CHGS36A          S/36 configuration object QS36ENV                                          *UPD               *EXECUTE
CHGS36PGMA       Program                                                                    *OBJMGT, *USE      *EXECUTE
CHGS36PRCA       File QS36PRC                                                               *OBJMGT, *USE      *EXECUTE
CHGS36SRCA       Source file QS36SRC                                                        *OBJMGT, *USE      *EXECUTE
CRTMSGFMNU       Menu: REPLACE(*NO)
                 Menu: REPLACE(*YES)
                 Display file if it exists
                 Message file
                 Source file QS36SRC
CRTS36DSPF       Display file: REPLACE(*NO)
                 Display file: REPLACE(*YES)
                 To-file source file when TOMBR is not *NONE
                 Source file QS36SRC
                 Create Display File (CRTDSPF) command
                 (Authority values for the CRTMSGFMNU and CRTS36DSPF rows, in the order the table lists them. For object: Refer to the general rules; *ALL; *USE; *OBJOPR; Refer to the general rules; *ALL; *USE; *ALL. For library: *READ, *ADD; *READ, *ADD; *EXECUTE; *CHANGE; *EXECUTE; *READ, *ADD; *READ, *ADD, *CHANGE; *CHANGE; *EXECUTE; *EXECUTE.)
CRTS36MNU        Menu: REPLACE(*NO)
                 Menu: REPLACE(*YES)
                 To-file source file when TOMBR is not *NONE
                 Source file QS36SRC
                 Display file when REPLACE(*YES) is specified
                 Message files named in source
                 Display file
                 CRTMSGF command
                 ADDMSGD command
                 CRTDSPF command
CRTS36MSGF       Message file: REPLACE(*NO)
                 Message file: REPLACE(*YES)
                 To-file source file when TOMBR is not *NONE
                 Source file QS36SRC
                 Display file when REPLACE(*YES) is specified
                 Message file named in source
                 Message file named in source when OPTION is *ADD or *CHANGE
                 Message files named in source when OPTION(*CREATE) is specified
                 CRTMSGF command
                 ADDMSGD command
                 CHGMSGD command when OPTION(*CHANGE) is specified
                 (Authority values for the CRTS36MNU and CRTS36MSGF rows, in the order the table lists them. For object: Refer to the general rules; *ALL; *USE; *ALL; *ALL; *CHANGE; *ALL; *OBJOPR, *OBJEXIST; *OBJOPR; *OBJOPR; *OBJOPR, *OBJEXIST; *OBJOPR; *OBJOPR; Refer to the general rules; *ALL; *USE; *ALL; *ALL. For library: *READ, *ADD, *CHANGE; *READ, *ADD, *CHANGE; *CHANGE; *EXECUTE; *EXECUTE; *EXECUTE; *CHANGE; *EXECUTE; *EXECUTE; *EXECUTE; *READ, *ADD, *CHANGE; *READ, *ADD, *CHANGE; *CHANGE; *EXECUTE; *EXECUTE; *EXECUTE; *EXECUTE; *EXECUTE; *EXECUTE; *EXECUTE; *EXECUTE.)
DSPS36           S/36 configuration object QS36ENV                                          *READ              *EXECUTE
EDTS36PGMA       Program, to change attributes                                              *OBJMGT, *USE      *EXECUTE
                 Program, to view attributes                                                *USE               *EXECUTE
EDTS36PRCA       File QS36PRC, to change attributes                                         *OBJMGT, *USE      *EXECUTE
                 File QS36PRC, to view attributes                                           *USE               *EXECUTE
EDTS36SRCA       Source file QS36SRC, to change attributes                                  *OBJMGT, *USE      *EXECUTE
                 Source file QS36SRC, to view attributes                                    *USE               *EXECUTE
RSTS36F (Q)      From-file                                                                  *USE               *EXECUTE
                 To-file                                                                    *ALL               Refer to the general rules.
                 Based-on physical file, if file being restored is a logical (alternative) file   *CHANGE      *EXECUTE
                 Device file or device description                                          *USE               *EXECUTE
RSTS36FLR (Q) 1,2,3   S/36 folder                                                           *USE               *EXECUTE
                 To-folder                                                                  *CHANGE            *EXECUTE
                 Device file or device description                                          *USE               *EXECUTE
RSTS36LIBM (Q)   From-file                                                                  *USE               *EXECUTE
                 To-file                                                                    *ALL               Refer to the general rules.
                 Device file or device description                                          *USE               *EXECUTE
RTVS36A          S/36 configuration object QS36ENV                                          *UPD               *EXECUTE
SAVS36F          From-file                                                                  *USE               *EXECUTE
                 To-file, when it is a physical file                                        *ALL               Refer to the general rules.
                 Device file or device description                                          *USE               *EXECUTE
SAVS36LIBM       From-file                                                                  *USE               *EXECUTE
                 To-file, when it is a physical file                                        *ALL               Refer to the general rules.
                 Device file or device description                                          *USE               *EXECUTE
WRKS36           S/36 configuration object QS36ENV                                          *READ              *EXECUTE
WRKS36PGMA       Program, to change attributes                                              *OBJMGT, *USE      *EXECUTE
                 Program, to view attributes                                                *USE               *EXECUTE
WRKS36PRCA       File QS36PRC, to change attributes                                         *OBJMGT, *USE      *EXECUTE
                 File QS36PRC, to view attributes                                           *USE               *EXECUTE
WRKS36SRCA       Source file QS36SRC, to change attributes                                  *OBJMGT, *USE      *EXECUTE
                 Source file QS36SRC, to view attributes                                    *USE               *EXECUTE

1  You need *ALL authority to the document if replacing it.
2  You need operational and all the data authorities to the folder if restoring new information into the folders, or you need *ALLOBJ special authority.
3  If used for a data dictionary, only the authority to the command is required. You must be enrolled in the system distribution directory if the source folder is a document folder.


Table commands

This table lists the specific authorities required for the table commands.

Command       Referenced object   For object       For library
CRTTBL        Table                                *READ, *ADD, *EXECUTE
              Source file         *USE             *EXECUTE
DLTTBL        Table               *OBJEXIST        *EXECUTE
WRKTBL 1      Table               Any authority    *USE

1  To use an individual operation, you must have the authority required by the operation.

TCP/IP commands

This table lists the specific authorities required for the TCP/IP commands. Commands identified by (Q) are shipped with public authority *EXCLUDE. Appendix C, Commands shipped with public authority *EXCLUDE, on page 325 shows which IBM-supplied user profiles are authorized to the command. The security officer can grant *USE authority to others.

Command          Referenced object                   For object   For library
ADDTCPSVR 1      Program to call                     *EXECUTE     *EXECUTE
CHGTCPSVR 1      Program to call                     *EXECUTE     *EXECUTE
CPYTCPHT 6       File objects
CVTTCPCL (Q)     File objects                        *USE         *EXECUTE
ENDTCPPTP        Line description 4                  *USE         *EXECUTE
                 Controller description 4            *USE         *EXECUTE
                 Device description 4                *USE         *EXECUTE
                 File objects                        *USE         *EXECUTE
ENDTCPSRV (Q)    File objects                        *USE         *EXECUTE
FTP              File objects                        *USE         *EXECUTE
                 Table objects                       *USE         *EXECUTE
LPR 2            Workstation customizing object      *USE         *EXECUTE
SETVTTBL         Table objects                       *USE         *EXECUTE
SNDTCPSPLF 2     Workstation customizing object      *USE         *EXECUTE
STRTCPFTP        Table objects                       *USE         *EXECUTE
                 File objects                        *USE         *EXECUTE
STRTCPPTP        Line description 4                  *USE         *EXECUTE
                 Controller description              *USE         *EXECUTE
                 Device description                  *USE         *EXECUTE
                 File objects                        *USE         *EXECUTE
STRTCPSVR (Q)    Table objects                       *USE         *EXECUTE
                 File objects                        *USE         *EXECUTE
STRTCPTELN       Table objects                       *USE         *EXECUTE
                 File objects                        *USE         *EXECUTE
                 Virtual workstation device 5        *USE         *EXECUTE
TELNET           Table objects                       *USE         *EXECUTE
                 File objects                        *USE         *EXECUTE
                 Virtual workstation device 5        *USE         *EXECUTE

These commands do not require any object authorities:
ADDCOMSNMP, ADDNETTBLE 1, ADDOSPFARA 1, ADDOSPFLNK 1, ADDOSPFIFC 1, ADDOSPFRNG 1, ADDPCLTBLE 1, ADDRIPACP 1, ADDRIPFLT 1, ADDRIPIFC 1, ADDRIPIGN 1, ADDSRVTBLE 1, ADDTCPHTE 1, ADDTCPIFC 1, ADDTCPPORT 1, ADDTCPRSI 1, ADDTCPRTE 1, ADDUSRSNMP 1, CFGTCP, CFGTCPAPP, CFGTCPFTP 1, CFGTCPLPD 1, CFGRTG, CFGTCPSMTP, CFGTCPSNMP, CFGTCPTELN, CHGCOMSNMP, CHGDHCPSVR 1, CHGFTPA 1, CHGLPDA 1, CHGOSPFA 1, CHGOSPFARA 1, CHGOSPFIFC 1, CHGOSPFLNK 1, CHGOSPFRNG 1, CHGRIPA 1, CHGRIPFLT 1, CHGRIPIFC 1, CHGSMTPA 1, CHGSNMPA 1, CHGTCPA 1, CHGTCPHTE 1, CHGTCPIFC 1, CHGTCPRTE 1, CHGTELNA 1, CHGUSRSNMP 1, CHGVTMAP, DSPVTMAP, ENDTCP (Q), ENDTCPCNN, ENDTCPIFC (Q), MGRTCPHT 1, NETSTAT, PING, RMVCOMSNMP, RMVNETTBLE 1, RMVOSPFARA 1, RMVOSPFIFC 1, RMVOSPFLNK 1, RMVOSPFRNG 1, RMVPCLTBLE 1, RMVRIPACP 1, RMVRIPFLT 1, RMVRIPIFC 1, RMVRIPIGN 1, RMVSRVTBLE 1, RMVTCPHTE 1, RMVTCPIFC 1, RMVTCPPORT 1, RMVTCPRSI 1, RMVTCPRTE 1, RMVTCPSVR 1, RMVUSRSNMP 1, RNMTCPHTE 1, SETVTMAP, STRTCP (Q), STRTCPIFC (Q), VFYTCPCNN, WRKNAMSMTP, WRKNETTBLE 1, WRKPCLTBLE 1, WRKSRVTBLE 1, WRKTCPSTS

1  You must have *IOSYSCFG special authority to use this command.
2  The SNDTCPSPLF command and the LPR command use the same combinations of referenced object authorities as the SNDNETSPLF command.
3  You must have *SECADM special authority to change the system alias table or another user profile's alias table.
4  If you have *JOBCTL special authority, you do not need the specified authority to the object.
5  If you have *JOBCTL special authority, you do not need the specified authority to the object on the remote system.
6  For the required authorities, refer to the description of the Display (DSP) or other operation using output file (OUTPUT(*OUTFILE)) section in the General rules for object authorities on commands topic.

Time zone description commands

This table lists the specific authorities required for the time zone description commands. Commands identified by (Q) are shipped with public authority *EXCLUDE. Appendix C, Commands shipped with public authority *EXCLUDE, on page 325 shows which IBM-supplied user profiles are authorized to the command. The security officer can grant *USE authority to others.

Command          Referenced object         For object    For library
CHGTIMZON        Time zone description     *CHANGE       *EXECUTE
CRTTIMZON        Time zone description                   *READ, *ADD
DLTTIMZON 1      Time zone description     *OBJEXIST     *EXECUTE
WRKTIMZON 2      Time zone description     *USE          *USE

1  The time zone description specified in the QTIMZON system value cannot be deleted.
2  If a message is used to specify the abbreviated and full names of the time zone description, you must have *USE authority to the message file and *EXECUTE authority to the message file's library in order to see the abbreviated and full names.

User index, user queue, and user space commands

This table lists the specific authorities required for the user index, user queue, and user space commands.

Command       Referenced object   For object    For library
DLTUSRIDX     User index          *OBJEXIST     *EXECUTE
DLTUSRQ       User queue          *OBJEXIST     *EXECUTE
DLTUSRSPC     User space          *OBJEXIST     *EXECUTE

User-defined file system commands


This table lists the specific authorities required for the user-defined file system commands. Commands identified by (Q) are shipped with public authority *EXCLUDE. Numbers in parentheses refer to the notes that follow the table.

| Command                            | Referenced object                              | Object type | File system | Authority needed for object |
|------------------------------------|------------------------------------------------|-------------|-------------|-----------------------------|
| ADDMFS (1, 2, 3)                   | dir_to_be_mounted_over                         | *DIR        | "root" (/)  | *W                          |
|                                    | Path Prefix                                    |             |             | Refer to the general rules. |
| CRTUDFS (Q) (1, 2, 6, 7)           | /dev/QASPxx or /dev/IASPname                   | *DIR        | "root" (/)  | *RWX                        |
| DLTUDFS (Q) (1, 2, 4, 5, 8, 9, 10) | /dev/QASPxx or /dev/IASPname                   | *DIR        | "root" (/)  | *RWX                        |
|                                    | Any integrated file system object in the UDFS  |             | "root" (/)  | *OBJEXIST                   |
|                                    | Any non-empty directory object                 | *DIR        | "root" (/)  | *WX                         |
| DSPUDFS                            | some_dirsxx                                    | *DIR        | "root" (/)  | *RX                         |
| MOUNT (1, 2, 3)                    | dir_to_be_mounted_over                         | *DIR        | "root" (/)  | *W                          |
|                                    | Path Prefix                                    |             |             | Refer to the general rules. |
| RMVMFS (1)                         |                                                |             |             |                             |
| UNMOUNT (1)                        |                                                |             |             |                             |

Notes:
1. To use this command, you must have *IOSYSCFG special authority.
2. There are two directory naming conventions, depending on the location of the user-defined file system (UDFS). Use one of the following conventions:
   - /dev/QASPxx, where xx is 01 for the system ASP or 02-32 for the basic user ASPs.
   - /dev/IASPname, where IASPname is the name of the independent ASP.
   This is the directory that contains the *BLKSF that is being mounted.
3. The directory that is mounted over (dir_to_be_mounted_over) is any integrated file system directory that can be mounted over.
4. A UDFS can contain an entire subtree of objects, so when you delete a UDFS, you delete objects of all types that can be stored in the user-defined file system.
5. When using the DLTUDFS command, you must have *OBJEXIST authority on every object in the UDFS or no objects are deleted.
6. You must have all object (*ALLOBJ) and security administrator (*SECADM) special authorities to specify a value other than *PARENT for the Scanning option for objects (CRTOBJSCAN) parameter.
7. The audit (*AUDIT) special authority is required when specifying a value other than *SYSVAL on the Auditing value for objects (CRTOBJAUD) parameter.
8. You must have write (*W) and execute (*X) authority to all of the non-empty directory objects in the UDFS.
9. If any non-empty directory object in the UDFS has the "restricted rename and unlink" attribute set to Yes (this attribute is equivalent to the S_ISVTX mode bit), then one or more of the following conditions must be true:
   - You must be the owner of all the objects contained in the directory.
   - You must be the owner of the directory.
   - You must have all object (*ALLOBJ) special authority.
10. The UDFS cannot be deleted if it contains an object with the read-only attribute set to Yes or if it contains an object that is checked out.

User profile commands


This table lists the specific authorities required for the user profile commands. Commands identified by (Q) are shipped with public authority *EXCLUDE. Appendix C, Commands shipped with public authority *EXCLUDE, on page 325 shows which IBM-supplied user profiles are authorized to the command. The security officer can grant *USE authority to others. Numbers in parentheses refer to the notes that follow the table.

| Command                    | Referenced object                          | Authority needed for object                              | Authority needed for library |
|----------------------------|--------------------------------------------|----------------------------------------------------------|------------------------------|
| ANZDFTPWD (Q) (3, 14, 15)  |                                            |                                                          |                              |
| ANZPRFACT (Q) (3, 14, 15)  |                                            |                                                          |                              |
| CHGACTPRFL (Q) (14)        |                                            |                                                          |                              |
| CHGACTSCDE (Q) (3, 14, 15) |                                            |                                                          |                              |
| CHGDSTPWD (1)              |                                            |                                                          |                              |
| CHGEXPSCDE (Q) (3, 14, 15) |                                            |                                                          |                              |
| CHGPRF                     | User profile                               | *OBJMGT, *USE                                            | *EXECUTE                     |
|                            | Initial program (2)                        | *USE                                                     | *EXECUTE                     |
|                            | Initial menu (2)                           | *USE                                                     | *EXECUTE                     |
|                            | Job description (2)                        | *USE                                                     | *EXECUTE                     |
|                            | Message queue (2)                          | *USE                                                     | *EXECUTE                     |
|                            | Output queue (2)                           | *USE                                                     | *EXECUTE                     |
|                            | Attention-key-handling program (2)         | *USE                                                     | *EXECUTE                     |
|                            | Current library (2)                        | *USE                                                     |                              |
| CHGPWD                     |                                            |                                                          |                              |
| CHGUSRAUD (Q) (11)         |                                            |                                                          |                              |
| CHGUSRPRF (3)              | User profile                               | *OBJMGT, *USE                                            | *EXECUTE                     |
|                            | Initial program (2)                        | *USE                                                     | *EXECUTE                     |
|                            | Initial menu (2)                           | *USE                                                     | *EXECUTE                     |
|                            | Job description (2)                        | *USE                                                     | *EXECUTE                     |
|                            | Message queue (2)                          | *USE                                                     | *EXECUTE                     |
|                            | Output queue (2)                           | *USE                                                     | *EXECUTE                     |
|                            | Attention-key-handling program (2)         | *USE                                                     | *EXECUTE                     |
|                            | Current library (2)                        | *USE                                                     |                              |
|                            | Group profile (GRPPRF or SUPGRPPRF) (2, 4) | *OBJMGT, *OBJOPR, *EXECUTE, *READ, *ADD, *UPD, *DLT      |                              |
| CHGUSRPRTI                 | User profile                               | *CHANGE                                                  |                              |
| CHKPWD                     |                                            |                                                          |                              |
| CRTUSRPRF (3, 12, 17)      | Initial program                            | *USE                                                     | *EXECUTE                     |
|                            | Initial menu                               | *USE                                                     | *EXECUTE                     |
|                            | Job description                            | *USE                                                     | *EXECUTE                     |
|                            | Message queue                              | *USE                                                     | *EXECUTE                     |
|                            | Output queue                               | *USE                                                     | *EXECUTE                     |
|                            | Attention-key-handling program             | *USE                                                     | *EXECUTE                     |
|                            | Current library                            | *USE                                                     |                              |
|                            | Group profile (GRPPRF or SUPGRPPRF) (4)    | *OBJMGT, *OBJOPR, *EXECUTE, *READ, *ADD, *UPD, *DLT      |                              |
| CVTUSRCERT (3, 14)         |                                            |                                                          |                              |
| DLTUSRPRF (3, 9)           | User profile                               | *OBJEXIST, *USE                                          | *EXECUTE                     |
|                            | Message queue (5)                          | *OBJEXIST, *USE, *DLT                                    | *EXECUTE                     |
| DMPUSRPRF (Q) (22)         | User profile                               |                                                          |                              |
| DSPACTPRFL (Q) (14)        |                                            |                                                          |                              |
| DSPACTSCD (Q) (14)         |                                            |                                                          |                              |
| DSPAUTUSR (6)              | User profile                               | *READ                                                    |                              |
| DSPEXPSCD (Q) (14)         |                                            |                                                          |                              |
| DSPPGMADP                  | User profile                               | *OBJMGT                                                  |                              |
|                            | Output file                                | Refer to the general rules.                              | Refer to the general rules.  |
| DSPSSTUSR (23)             |                                            |                                                          |                              |
| DSPUSRPRF (19)             | User profile                               | *READ                                                    |                              |
|                            | Output file                                | Refer to the general rules.                              | Refer to the general rules.  |
| DSPUSRPRTI                 | User profile                               | *USE                                                     |                              |
| GRTUSRAUT                  | Referenced user profile                    | *READ, *OBJMGT                                           | *EXECUTE                     |
|                            | Objects you are granting authority to (7)  |                                                          |                              |
| PRTPRFINT (Q)              |                                            |                                                          |                              |
| PRTUSRPRF (18)             |                                            |                                                          |                              |
| RSTAUT (Q) (8)             |                                            |                                                          |                              |
| RSTUSRPRF (Q) (8, 10, 16)  |                                            |                                                          |                              |
| RTVUSRPRF (20)             | User profile                               | *READ                                                    |                              |
| RTVUSRPRTI                 | User profile                               | *USE                                                     |                              |
| SAVSECDTA (8)              | Save file, if empty                        | *USE, *ADD                                               | *EXECUTE                     |
|                            | Save file, if records exist                | *OBJMGT, *USE, *ADD                                      | *EXECUTE                     |
| WRKUSRPRF (13)             | User profile                               | Any authority                                            |                              |

Notes:
1. This command can be run only if you are signed on as QSECOFR.
2. You need authority only to the objects for fields you are changing in the user profile.
3. *SECADM special authority is required.
4. *OBJMGT authority to the group profile cannot come from adopted authority.
5. The message queue associated with the user profile is deleted if it is owned by that user profile. To delete the message queue, the user running the DLTUSRPRF command must have the authorities specified.
6. The display includes only user profiles to which the user running the command has the specified authority.
7. See the authorities required for the GRTOBJAUT command.
8. *SAVSYS special authority is required.
9. If you select the option to delete objects owned by the user profile, you must have the necessary authority for the delete operations. If you select the option to transfer ownership to another user profile, you must have the necessary authority to the objects and to the target user profile. See the information for the CHGOBJOWN command.
10. You must have *ALLOBJ special authority to specify a value other than *NONE for the Allow object differences (ALWOBJDIF) parameter.
11. You must have *AUDIT special authority.
12. The user whose profile is created is given these authorities to it: *OBJMGT, *OBJOPR, *READ, *ADD, *DLT, *UPD, *EXECUTE.
13. To use an individual operation, you must have the authority required by the operation.
14. You must have *ALLOBJ special authority to use this command.
15. You must have *JOBCTL special authority to use this command.
16. You must have *ALLOBJ and *SECADM special authorities to specify SECDTA(*PWDGRP), USRPRF(*ALL) or OMITUSRPRF.
17. When you perform a CRTUSRPRF, you cannot create a user profile (*USRPRF) into an independent disk pool. However, when a user is privately authorized to an object in the independent disk pool, is the owner of an object on an independent disk pool, or is the primary group of an object on an independent disk pool, the name of the profile is stored on the independent disk pool. If the independent disk pool is moved to another system, the private authority, object ownership, and primary group entries will be attached to the profile with the same name on the target system. If a profile does not exist on the target system, a profile will be created. The user will not have any special authorities and the password will be set to *NONE.
18. You must have *ALLOBJ or *AUDIT special authority to use this command.
19. You must have either *ALLOBJ or *AUDIT special authority to display the current object auditing value and action auditing value. Otherwise, the value *NOTAVL is displayed to indicate that the values are unavailable for display.
20. You must have either *ALLOBJ or *AUDIT special authority to retrieve the current OBJAUD and AUDLVL values. Otherwise, the value *NOTAVL is returned to indicate that the values are unavailable for retrieval.
21. To use this command, you must have service (*SERVICE) special authority, or be authorized to the Service Dump function of i5/OS through the support of the System i Navigator Application Administration. The Change Function Usage (CHGFCNUSG) command with a function ID of QIBM_SERVICE_DUMP can also be used to change the list of users that are allowed to perform dump operations.
22. To use this command, you must have *SERVICE special authority or have the authorization to the QIBM_SERVICE_DUMP function usage list.
23. You must have either security administrator (*SECADM) or audit (*AUDIT) special authority to use this command.

Validation list commands


This table lists the specific authorities required for the validation list commands.

| Command | Referenced object | Authority needed for object | Authority needed for library |
|---------|-------------------|-----------------------------|------------------------------|
| CRTVLDL | Validation list   |                             | *ADD, *READ                  |
| DLTVLDL | Validation list   | *OBJEXIST                   | *EXECUTE                     |

Workstation customization commands


This table lists the specific authorities required for the workstation customization commands.

| Command  | Referenced object                                   | Authority needed for object | Authority needed for library |
|----------|-----------------------------------------------------|-----------------------------|------------------------------|
| CRTWSCST | Source file                                         | *USE                        | *EXECUTE                     |
|          | Workstation customizing object, if REPLACE(*NO)     |                             | *READ, *ADD                  |
|          | Workstation customizing object, if REPLACE(*YES)    | *OBJMGT, *OBJEXIST          | *READ, *ADD                  |
| DLTWSCST | Workstation customizing object                      | *OBJEXIST                   | *EXECUTE                     |
| RTVWSCST | Workstation customizing object                      |                             | *EXECUTE                     |
|          | To-file, if it exists and a new member is added     | *OBJOPR, *OBJMGT, *ADD      | *EXECUTE                     |
|          | To-file, if file and member exist                   | *OBJOPR, *ADD, *DLT         | *EXECUTE                     |
|          | To-file, if the file does not exist                 |                             | *READ, *ADD                  |

Writer commands
This table lists the specific authorities required for the writer commands. The AUTCHK and OPRCTL columns are the output queue parameters that determine which authority or special authority is needed; numbers in parentheses refer to the notes that follow the table.

| Command        | Referenced object                | AUTCHK  | OPRCTL | Special authority | Authority needed for object | Authority needed for library |
|----------------|----------------------------------|---------|--------|-------------------|-----------------------------|------------------------------|
| CHGWTR         | Current output queue (1)         | *DTAAUT |        |                   | *READ, *ADD, *DLT           | *EXECUTE                     |
|                |                                  | *OWNER  |        |                   | Owner (3)                   | *EXECUTE                     |
|                |                                  |         | *YES   | *JOBCTL           |                             |                              |
|                | New output queue (2, 4)          | *DTAAUT |        |                   | *READ, *ADD, *DLT           | *EXECUTE                     |
|                |                                  | *OWNER  |        |                   | Owner (3)                   | *EXECUTE                     |
|                |                                  |         | *YES   | *JOBCTL           |                             |                              |
| ENDWTR         | Output queue                     | *DTAAUT |        |                   | *READ, *ADD, *DLT           |                              |
|                |                                  | *OWNER  |        |                   | Owner (3)                   |                              |
|                |                                  |         | *YES   | *JOBCTL           |                             |                              |
| HLDWTR         | Output queue                     | *DTAAUT |        |                   | *READ, *ADD, *DLT           |                              |
|                |                                  | *OWNER  |        |                   | Owner (3)                   |                              |
|                |                                  |         | *YES   | *JOBCTL           |                             |                              |
| RLSWTR         | Output queue                     | *DTAAUT |        |                   | *READ, *ADD, *DLT           |                              |
|                |                                  | *OWNER  |        |                   | Owner (3)                   |                              |
|                |                                  |         | *YES   | *JOBCTL           |                             |                              |
| STRDKTWTR (1)  | Output queue                     | *DTAAUT |        |                   | *READ, *ADD, *DLT           | *EXECUTE                     |
|                |                                  | *OWNER  |        |                   | Owner (3)                   | *EXECUTE                     |
|                |                                  |         | *YES   | *JOBCTL           |                             |                              |
|                | Message queue                    |         |        |                   | *OBJOPR, *ADD               | *EXECUTE                     |
|                | Device description               |         |        |                   | *OBJOPR, *READ              | *EXECUTE                     |
| STRPRTWTR (1)  | Output queue                     | *DTAAUT |        |                   | *READ, *ADD, *DLT           | *EXECUTE                     |
|                |                                  | *OWNER  |        |                   | Owner (3)                   | *EXECUTE                     |
|                |                                  |         | *YES   | *JOBCTL           |                             |                              |
|                | Message queue                    |         |        |                   | *OBJOPR, *ADD               | *EXECUTE                     |
|                | Workstation customization object |         |        |                   | *USE                        | *EXECUTE                     |
|                | User-driver program              |         |        |                   | *OBJOPR                     | *EXECUTE                     |
|                | User-data transform program      |         |        |                   | *OBJOPR                     | *EXECUTE                     |
|                | User separator program           |         |        |                   | *OBJOPR                     | *EXECUTE                     |
|                | Device description               |         |        |                   | *OBJOPR, *READ              | *EXECUTE                     |
| STRRMTWTR (1)  | Output queue                     | *DTAAUT |        |                   | *READ, *ADD, *DLT           | *EXECUTE                     |
|                |                                  | *OWNER  |        |                   | Owner (3)                   | *EXECUTE                     |
|                |                                  |         | *YES   | *JOBCTL           |                             |                              |
|                | Message queue                    |         |        |                   | *OBJOPR, *ADD               | *EXECUTE                     |
|                | Workstation customization object |         |        |                   | *USE                        | *EXECUTE                     |
|                | User-driver program              |         |        |                   | *OBJOPR                     | *EXECUTE                     |
|                | User-data transform program      |         |        |                   | *OBJOPR                     | *EXECUTE                     |
| WRKWTR         |                                  |         |        |                   |                             |                              |

Notes:
1. If you have *SPLCTL special authority, you do not need any authority to the output queue.
2. To change the output queue for the writer, you need one of the specified authorities for the new output queue.
3. You must be the owner of the output queue.
4. You must have *EXECUTE authority to the new output queue's library even if you have *SPLCTL special authority.

Appendix E. Object operations and auditing


This topic collection lists operations that can be performed against objects on the system, and whether those operations are audited. The lists are organized by object type. The operations are grouped by whether they are audited when *ALL or *CHANGE is specified for the OBJAUD value of the CHGOBJAUD or CHGDLOAUD command. Whether an audit record is written for an action depends on a combination of system values, a value in the user profile of the user performing the action, and a value defined for the object. Planning the auditing of object access on page 286 describes how to set up auditing for objects. See also Relationship of object Change Date/Time to audit records on page 298. Operations shown in the lists in uppercase, such as CPYF, refer to CL commands, unless they are labeled as an application programming interface (API).

Operations common to all object types


This list describes the operations that you can perform against all object types, and whether those operations are audited.

Read operation:
- CRTDUPOBJ: Create Duplicate Object (if *ALL is specified for "from-object")
- DMPOBJ: Dump Object
- DMPSYSOBJ: Dump System Object
- QSRSAVO: Save Object API
- QsrSave: Save Object in Directory API
- SAV: Save Object in Directory
- SAVCHGOBJ: Save Changed Object
- SAVLIB: Save Library
- SAVOBJ: Save Object
- SAVSAVFDTA: Save Save File Data
- SAVDLO: Save DLO Object
- SAVLICPGM: Save Licensed Program
- SAVSHF: Save Bookshelf

Note: The audit record for the save operation identifies whether the save was done with STG(*FREE).

Change operation:
- APYJRNCHG: Apply Journaled Changes
- CHGJRNOBJ: Change Journaled Object
- CHGOBJD: Change Object Description
- CHGOBJOWN: Change Object Owner
- CRTxxxxxx: Create object. Notes: (1) If *ALL or *CHANGE is specified for the target library, a ZC entry is written when an object is created. (2) If *CREATE is active for action auditing, a CO entry is written when an object is created.
- DLTxxxxxx or DLTOBJ: Delete object. Notes: (1) If *ALL or *CHANGE is specified for the library containing the object, a ZC entry is written when an object is deleted. (2) If *ALL or *CHANGE is specified for the object, a ZC entry is written when it is deleted. (3) If *DELETE is active for action auditing, a DO entry is written when an object is deleted.
- ENDJRNxxx: End Journaling
- GRTOBJAUT: Grant Object Authority. Note: If authority is granted based on a referenced object, an audit record is not written for the referenced object.
- MOVOBJ: Move Object
- QLICOBJD: Change Object Description API
- QLIRNMO: Rename Object API
- QjoEndJournal: End Journaling
- QjoStartJournal: Start Journaling
- QSRRSTO: Restore Object API
- QsrRestore: Restore Object in Directory API
- RCLSTG: Reclaim Storage. If an object is secured by a damaged *AUTL, an audit record is written when the object is secured by the QRCLAUTL authorization list. An audit record is written if an object is moved into the QRCL library.
- RMVJRNCHG: Remove Journaled Changes
- RNMOBJ: Rename Object
- RST: Restore Object in Directory
- RSTCFG: Restore Configuration Objects
- RSTLIB: Restore Library
- RSTLICPGM: Restore Licensed Program
- RSTOBJ: Restore Object
- RVKOBJAUT: Revoke Object Authority
- STRJRNxxx: Start Journaling

Operations that are not audited:
- Prompt (1): Prompt override program for a change command (if one exists)
- CHKOBJ: Check Object
- ALCOBJ: Allocate Object
- CPROBJ: Compress Object
- DCPOBJ: Decompress Object
- DLCOBJ: Deallocate Object
- DSPOBJD: Display Object Description
- DSPOBJAUT: Display Object Authority
- EDTOBJAUT: Edit Object Authority. Note: If object authority is changed and action auditing includes *SECURITY, or the object is being audited, an audit record is written.
- QSYCUSRA: Check User's Authority to an Object API
- QSYLUSRA: List Users Authorized to an Object API. An audit record is not written for the object whose authority is being listed. An audit record is written for the user space used to contain the information.
- QSYRUSRA: Retrieve User's Authority to Object API
- RCLTMPSTG: Reclaim Temporary Storage
- RMVDFRID: Remove Defer ID
- RSTDFROBJ: Restore Deferred Object
- RTVOBJD: Retrieve Object Description
- SAVSTG: Save Storage (audit of SAVSTG command only)
- WRKOBJLCK: Work with Object Lock
- WRKOBJOWN: Work with Objects by Owner
- WRKxxx: Work with object commands

1. A prompt override program displays the current values when prompting is requested for a command. For example, if you type CHGUSRPRF USERA and press F4 (prompt), the Change User Profile display shows the current values for the USERA user profile.
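The following CL sequence is an added example, not part of the IBM i Security Reference text: it shows how the object-level OBJAUD value and the action-auditing values described above combine to produce ZC, CO and DO entries, and how to read those entries back from the QAUDJRN audit journal. The library, file and output-file names (MYLIB, MYFILE, AUDOUT) are placeholders, and the commands assume a profile with *AUDIT special authority.

```cl
/* Added example; MYLIB, MYFILE and AUDOUT are placeholder names.         */
/* Object-level auditing: OBJAUD(*CHANGE) makes a ZC entry appear for     */
/* each change operation listed above that touches MYLIB/MYFILE.          */
CHGOBJAUD  OBJ(MYLIB/MYFILE) OBJTYPE(*FILE) OBJAUD(*CHANGE)

/* Library-level auditing: a ZC entry is also written when an object is   */
/* created in, or deleted from, a library audited with *CHANGE.           */
CHGOBJAUD  OBJ(MYLIB) OBJTYPE(*LIB) OBJAUD(*CHANGE)

/* Action auditing: *CREATE gives CO entries and *DELETE gives DO entries */
/* for every object on the system, independent of the object's OBJAUD.    */
/* CHGSYSVAL replaces the whole QAUDLVL list, so check the current value  */
/* with DSPSYSVAL QAUDLVL first and include the values already in use.    */
CHGSYSVAL  SYSVAL(QAUDLVL) VALUE('*CREATE *DELETE *SECURITY')

/* None of the above produces records unless QAUDCTL contains both        */
/* *OBJAUD (object auditing) and *AUDLVL (action auditing).               */
DSPSYSVAL  SYSVAL(QAUDCTL)

/* Read back only the audit-journal entries of interest (journal code T)  */
/* into an output file for review.                                        */
DSPJRN     JRN(QSYS/QAUDJRN) JRNCDE((T)) ENTTYP(ZC CO DO) +
           OUTPUT(*OUTFILE) OUTFILE(MYLIB/AUDOUT)
```

The split between object-level and action-level controls matters when reviewing an audit trail: a delete of an audited object yields a ZC entry even with QAUDLVL empty, while the DO entry appears only when *DELETE is active, so the absence of one entry type does not mean the operation did not happen.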

Operations for Access Path Recovery Times


This list describes the operations that you can perform against the Access Path Recovery Times object, and whether those operations are audited.

Note: Changes to access path recovery times are audited if the action auditing (QAUDLVL) system value or the action auditing (AUDLVL) parameter in the user profile includes *SYSMGT.

Operations that are audited:
- CHGRCYAP: Change Recovery for Access Paths
- EDTRCYAP: Edit Recovery for Access Paths

Operations that are not audited:
- DSPRCYAP: Display Recovery for Access Paths

Operations for Alert Table (*ALRTBL)


This list describes the operations that you can perform against Alert Table (*ALRTBL), and whether those operations are audited.

Read operation:
- None

Change operation:
- ADDALRD: Add Alert Description
- CHGALRD: Change Alert Description
- CHGALRTBL: Change Alert Table
- RMVALRD: Remove Alert Description

Operations that are not audited:
- Print: Print alert description
- WRKALRD: Work with Alert Description
- WRKALRTBL: Work with Alert Table

Operations for Authorization List (*AUTL)


This list describes the operations that you can perform against Authorization List (*AUTL), and whether those operations are audited.

Read operation:
- None

Change operation:
- ADDAUTLE: Add Authorization List Entry
- CHGAUTLE: Change Authorization List Entry
- EDTAUTL: Edit Authorization List
- RMVAUTLE: Remove Authorization List Entry

Operations that are not audited:
- DSPAUTL: Display Authorization List
- DSPAUTLOBJ: Display Authorization List Objects
- DSPAUTLDLO: Display Authorization List DLO
- RTVAUTLE: Retrieve Authorization List Entry
- QSYLATLO: List Objects Secured by *AUTL API
- WRKAUTL: Work with Authorization List

Operations for Authority Holder (*AUTHLR)


This list describes the operations that you can perform against Authority Holder (*AUTHLR), and whether those operations are audited.

Read operation:
- None

Change operation:
- Associated: When used to secure an object

Operations that are not audited:
- DSPAUTHLR: Display Authority Holder

Operations for Binding Directory (*BNDDIR)


This list describes the operations that you can perform against Binding Directory (*BNDDIR), and whether those operations are audited.

Read operation:
- CRTPGM: Create Program
- CRTSRVPGM: Create Service Program
- RTVBNDSRC: Retrieve Binder Source
- UPDPGM: Update Program
- UPDSRVPGM: Update Service Program

Change operation:
- ADDBNDDIRE: Add Binding Directory Entries
- RMVBNDDIRE: Remove Binding Directory Entries

Operations that are not audited:
- DSPBNDDIR: Display the contents of a binding directory
- WRKBNDDIR: Work with Binding Directory
- WRKBNDDIRE: Work with Binding Directory Entry

Operations for Configuration List (*CFGL)


This list describes the operations that you can perform against Configuration List (*CFGL), and whether those operations are audited.

Read operation:
- CPYCFGL: Copy Configuration List. An entry is written for the from-configuration-list.

Change operation:
- ADDCFGLE: Add Configuration List Entries
- CHGCFGL: Change Configuration List
- CHGCFGLE: Change Configuration List Entry
- RMVCFGLE: Remove Configuration List Entry

Operations that are not audited:
- DSPCFGL: Display Configuration List
- WRKCFGL: Work with Configuration List

Operations for Special Files (*CHRSF)


This list describes the operations that you can perform against Special Files (*CHRSF), and whether those operations are audited. See Operations for Stream File (*STMF) for *CHRSF auditing.

Operations for Chart Format (*CHTFMT)


This list describes the operations that you can perform against Chart Format (*CHTFMT), and whether those operations are audited.

Read operation:
- Display: DSPCHT command or option F10 from the BGU menu
- Print/Plot: DSPCHT command or option F15 from the BGU menu
- Save/Create: Save or create a graphics data file (GDF) using the CRTGDF command or option F13 from the BGU menu

Change operation:
- None

Operations that are not audited:
- None

Operations for C Locale Description (*CLD)


This list describes the operations that you can perform against C Locale Description (*CLD), and whether those operations are audited.

Read operation:
- RTVCLDSRC: Retrieve C Locale Source
- Setlocale: Use the C locale object during C program run time using the setlocale function

Change operation:
- None

Operations that are not audited:
- None

Operations for Change Request Description (*CRQD)


This list describes the operations that you can perform against Change Request Description (*CRQD), and whether those operations are audited.

Read operation:
- QFVLSTA: List Change Request Description Activities API
- QFVRTVCD: Retrieve Change Request Description API
- SBMCRQ: Submit Change Request

Change operation:
- ADDCMDCRQA: Add Command Change Request Activity
- ADDOBJCRQA: Add Object Change Request Activity
- ADDPRDCRQA: Add Product Change Request Activity
- ADDPTFCRQA: Add PTF Change Request Activity
- ADDRSCCRQA: Add Resource Change Request Activity
- CHGCMDCRQA: Change Command Change Request Activity
- CHGCRQD: Change Change Request Description
- CHGOBJCRQA: Change Object Change Request Activity
- CHGPRDCRQA: Change Product Change Request Activity
- CHGPTFCRQA: Change PTF Change Request Activity
- CHGRSCCRQA: Change Resource Change Request Activity
- QFVADDA: Add Change Request Description Activity API
- QFVRMVA: Remove Change Request Description Activity API
- RMVCRQDA: Remove Change Request Description Activity

Operations that are not audited:
- WRKCRQD: Work with Change Request Descriptions

Operations for Class (*CLS)


This list describes the operations that you can perform against Class (*CLS), and whether those operations are audited.

Read operation:
- None

Change operation:
- CHGCLS: Change Class

Operations that are not audited:
- Job start: When used by work management to start a job
- DSPCLS: Display Class
- WRKCLS: Work with Class

Operations for Command (*CMD)


This list describes the operations that you can perform against Command (*CMD), and whether those operations are audited.

Read operation:
- Run: When the command is run

Change operation:
- CHGCMD: Change Command
- CHGCMDDFT: Change Command Default

Operations that are not audited:
- DSPCMD: Display Command
- PRTCMDUSG: Print Command Usage
- QCDRCMDI: Retrieve Command Information API
- WRKCMD: Work with Command

The following commands are used within CL programs to control processing and to manipulate data within the program. The use of these commands is not audited.

CALL (1), CALLPRC, CHGVAR, COPYRIGHT, DCL, DCLF, DO, ELSE, ENDDO, ENDPGM, ENDRCV, GOTO, IF, MONMSG, PGM, RCVF, RETURN, SNDF, SNDRCVF, TFRCTL, WAIT

1. CALL is audited if it is run interactively. It is not audited if it is run within a CL program.

Operations for Connection List (*CNNL)


This list describes the operations that you can perform against Connection List (*CNNL), and whether those operations are audited.

Read operation:
- None

Change operation:
- ADDCNNLE: Add Connection List Entry
- CHGCNNL: Change Connection List
- CHGCNNLE: Change Connection List Entry
- RMVCNNLE: Remove Connection List Entry
- RNMCNNLE: Rename Connection List Entry

Operations that are not audited:
- Copy: Option 3 of WRKCNNL
- DSPCNNL: Display Connection List
- RTVCFGSRC: Retrieve source of connection list
- WRKCNNL: Work with Connection List
- WRKCNNLE: Work with Connection List Entry

Operations for Class-of-Service Description (*COSD)


This list describes the operations that you can perform against Class-of-Service Description (*COSD), and whether those operations are audited.

Read operation:
- None

Change operation:
- CHGCOSD: Change Class-of-Service Description

Operations that are not audited:
- DSPCOSD: Display Class-of-Service Description
- RTVCFGSRC: Retrieve source of class-of-service description
- WRKCOSD: Copy class-of-service description
- WRKCOSD: Work with Class-of-Service Description

Operations for Communications Side Information (*CSI)


This list describes the operations that you can perform against Communications Side Information (*CSI), and whether those operations are audited.

Read operation:
- DSPCSI: Display Communications Side Information
- Initialize: Initialize conversation

Change operation:
- CHGCSI: Change Communications Side Information

Operations that are not audited:
- WRKCSI: Work with Communications Side Information

Operations for Cross System Product Map (*CSPMAP)


This list describes the operations that you can perform against Cross System Product Map (*CSPMAP), and whether those operations are audited.

Read operation:
- Reference: When referred to in a CSP application

Change operation:
- None

Operations that are not audited:
- DSPCSPOBJ: Display CSP Object
- WRKOBJCSP: Work with Objects for CSP

Operations for Cross System Product Table (*CSPTBL)


This list describes the operations that you can perform against Cross System Product Table (*CSPTBL), and whether those operations are audited.

Read operation:
- Reference: When referred to in a CSP application

Change operation:
- None

Operations that are not audited:
- DSPCSPOBJ: Display CSP Object
- WRKOBJCSP: Work with Objects for CSP

Operations for Controller Description (*CTLD)


This list describes the operations that you can perform against Controller Description (*CTLD), and whether those operations are audited.

Read operation:
- SAVCFG: Save Configuration
- VFYCMN: Link test

Change operation:
- CHGCTLxxx: Change controller description
- VRYCFG: Vary controller description on or off

Operations that are not audited:
- DSPCTLD: Display Controller Description
- ENDCTLRCY: End Controller Recovery
- PRTDEVADR: Print Device Address
- RSMCTLRCY: Resume Controller Recovery
- RTVCFGSRC: Retrieve source of controller description
- RTVCFGSTS: Retrieve controller description status
- WRKCTLD: Copy controller description
- WRKCTLD: Work with Controller Description

Operations for Device Description (*DEVD)


This list describes the operations that you can perform against Device Description (*DEVD), and whether those operations are audited.

Read operation:
- Acquire: First acquisition of the device during an open operation or an explicit acquire operation
- Allocate: Allocate conversation
- SAVCFG: Save Configuration
- STRPASTHR: Start pass-through session; start of the second session for intermediate pass-through
- VFYCMN: Link test

Change operation:
- CHGDEVxxx: Change device description
- HLDDEVxxx: Hold device description
- RLSDEVxxx: Release device description
- QWSSETWS: Change type-ahead setting for a device
- VRYCFG: Vary device description on or off

Operations that are not audited:
- DSPDEVD: Display Device Description
- DSPMODSTS: Display Mode Status
- ENDDEVRCY: End Device Recovery
- HLDCMNDEV: Hold Communications Device
- RLSCMNDEV: Release Communications Device
- RSMDEVRCY: Resume Device Recovery
- RTVCFGSRC: Retrieve source of device description
- RTVCFGSTS: Retrieve device description status
- WRKCFGSTS: Work with device status
- WRKDEVD: Copy device description
- WRKDEVD: Work with Device Description

Operations for Directory (*DIR)


This list describes the operations that you can perform against Directory (*DIR) objects, and whether those operations are audited.

Read/search operations:
- access, accessx, QlgAccess, QlgAccessx: Determine file accessibility
- CHGATR: Change Attribute
- CPY: Copy Object
- DSPCURDIR: Display Current Directory
- DSPLNK: Display Object Links
- faccessx: Determine file accessibility for a class of users by descriptor
- getcwd, qlgGetcwd: Get Path Name of Current Directory API
- Qp0lGetAttr, QlgGetAttr: Get Attributes APIs
- Qp0lGetPathFromFileID, QlgGetPathFromFileID: Get Path From File Identifier APIs
- Qp0lProcessSubtree, QlgProcessSubtree: Process a Path Name APIs
- open, open64, QlgOpen, QlgOpen64, Qp0lOpen: Open File APIs
- Qp0lSetAttr, QlgSetAttr: Set Attributes APIs
- opendir, QlgOpendir: Open Directory APIs
- RTVCURDIR: Retrieve Current Directory
- SAV: Save Object
- WRKLNK: Work with Links

Change operation:
- CHGATR: Change Attributes
- CHGAUD: Change Auditing Value
- CHGAUT: Change Authority
- CHGOWN: Change Owner
- CHGPGP: Change Primary Group
- chmod, QlgChmod: Change File Authorizations API
- chown, QlgChown: Change Owner and Group API
- CPY: Copy Object
- CRTDIR: Make Directory
- fchmod: Change File Authorizations by Descriptor API
- fchown: Change Owner and Group of File by Descriptor API
- mkdir, QlgMkdir: Make Directory API
- MOV: Move Object
- Qp0lRenameKeep, QlgRenameKeep: Rename File or Directory, Keep New APIs
- Qp0lRenameUnlink, QlgRenameUnlink: Rename File or Directory, Unlink New APIs
- Qp0lSetAttr, QlgSetAttr: Set Attribute APIs
- rmdir, QlgRmdir: Remove Directory API
- RMVDIR: Remove Directory
- RNM: Rename Object
- RST: Restore Object
- utime, QlgUtime: Set File Access and Modification Times API
- WRKAUT: Work with Authority
- WRKLNK: Work with Object Links

Operations that are not audited:
- chdir, QlgChdir: Change Directory API
- CHGCURDIR: Change Current Directory
- close: Close File Descriptor API
- closedir: Close Directory API
- DSPAUT: Display Authority
- dup: Duplicate Open File Descriptor API
- dup2: Duplicate Open File Descriptor to Another Descriptor API
- faccessx: Determine file accessibility for a class of users by descriptor
- fchdir: Change current directory by descriptor
- fcntl: Perform File Control Command API
- fpathconf: Get Configurable Path Name Variables by Descriptor API
- fstat, fstat64: Get File Information by Descriptor APIs
- givedescriptor: Give File Access API
- ioctl: Perform I/O Control Request API
- lseek, lseek64: Set File Read/Write Offset APIs
- lstat, lstat64, QlgLstat, QlgLstat64: Get File or Link Information APIs
- pathconf, QlgPathconf: Get Configurable Path Name Variables API
- readdir: Read Directory Entry API
- rewinddir: Reset Directory Stream API
- select: Check I/O Status of Multiple File Descriptors API
- stat, QlgStat: Get File Information API
- takedescriptor: Take File Access API

Operations for Directory Server


This list describes the operations that you can perform against Directory Server, and whether those operations are audited.

Note: Directory Server actions are audited if the action auditing (QAUDLVL) system value or the action auditing (AUDLVL) parameter in the user profile includes *OFCSRV.

Operations that are audited:
- Add: Adding new directory entries
- Change: Changing directory entry details
- Delete: Deleting directory entries
- Rename: Renaming directory entries
- Print: Displaying or printing directory entry details; displaying or printing department details; displaying or printing directory entries as the result of a search
- RTVDIRE: Retrieve Directory Entry
- Collect: Collecting directory entry data using directory shadowing
- Supply: Supplying directory entry data using directory shadowing

Operations that are not audited:
- CL commands: CL commands that work on the directory can be audited separately using the object auditing function. Note: Some CL directory commands cause an audit record because they perform a function that is audited by *OFCSRV action auditing, such as adding a directory entry.
- CHGSYSDIRA: Change System Directory Attributes
- Departments: Adding, changing, deleting, or displaying directory department data
- Descriptions: Assigning a description to a different directory entry using option 8 from the WRKDIR panel; adding, changing, or deleting directory entry descriptions
- Distribution lists: Adding, changing, renaming, or deleting distribution lists
- ENDDIRSHD: End Directory Shadowing
- List: Displaying or printing a list of directory entries that does not include directory entry details, such as using the WRKDIRE command or using F4 to select entries for sending a note
- Locations: Adding, changing, deleting, or displaying directory location data
- Nickname: Adding, changing, renaming, or deleting nicknames
- Search: Searching for directory entries
- STRDIRSHD: Start Directory Shadowing
Appendix E. Object operations and auditing


Operations for Document Library Object (*DOC or *FLR)


This list describes the operations that you can perform against document library objects (*DOC or *FLR), and whether those operations are audited.

- Read operation
    CHKDOC  Check Document Spelling
    CPYDOC  Copy Document
    DMPDLO  Dump DLO
    DSPDLOAUD  Display DLO Auditing
      Note: If auditing information is displayed for all documents in a folder and object auditing is specified for the folder, an audit record is written. Displaying object auditing for individual documents does not result in an audit record.
    DSPDLOAUT  Display DLO Authority
    DSPDOC  Display Document
    DSPHLPDOC  Display Help Document
    EDTDLOAUT  Edit DLO Authority
    MRGDOC  Merge Document
    PRTDOC  Print Document
    QHFCPYSF  Copy Stream File API
    QHFGETSZ  Get Stream File Size API
    QHFRDDR  Read Directory Entry API
    QHFRDSF  Read Stream File API
    RTVDOC  Retrieve Document
    SAVDLO  Save DLO
    SAVSHF  Save Bookshelf
    SNDDOC  Send Document
    SNDDST  Send Distribution
    WRKDOC  Work with Document
      Note: A read entry is written for the folder containing the documents.
- Change operation
    ADDDLOAUT  Add DLO Authority
    ADDOFCENR  Add Office Enrollment
    CHGDLOAUD  Change DLO Auditing
    CHGDLOAUT  Change DLO Authority
    CHGDLOOWN  Change DLO Ownership
    CHGDLOPGP  Change DLO Primary Group
    CHGDOCD  Change Document Description
    CHGDSTD  Change Distribution Description
    CPYDOC (2)  Copy Document
      Note: A change entry is written if the target document already exists.
    CRTFLR  Create Folder
    CVTTOFLR (2)  Convert to Folder
    DLTDLO (2)  Delete DLO
    DLTSHF  Delete Bookshelf
    DLTDOCL (2)  Delete Document List
    DLTDST (2)  Delete Distribution
    EDTDLOAUT  Edit DLO Authority
    EDTDOC  Edit Document
    FILDOC (2)  File Document
    GRTACCAUT  Grant Access Code Authority
    GRTUSRPMN  Grant User Permission
    MOVDOC (2)  Move Document
    MRGDOC (2)  Merge Document
    PAGDOC  Paginate Document
    QHFCHGAT  Change Directory Entry Attributes API
    QHFSETSZ  Set Stream File Size API
    QHFWRTSF  Write Stream File API
    QRYDOCLIB (2)  Query Document Library
      Note: A change entry is written if an existing document resulting from a search is replaced.
    RCVDST (2)  Receive Distribution
    RGZDLO  Reorganize DLO
    RMVACC  Remove access code, for any DLO to which the access code is attached
    RMVDLOAUT  Remove DLO Authority
    RNMDLO (2)  Rename DLO
    RPLDOC  Replace Document
    RSTDLO (2)  Restore DLO
    RSTSHF  Restore Bookshelf
    RTVDOC  Retrieve Document (check out)
    RVKACCAUT  Revoke Access Code Authority
    RVKUSRPMN  Revoke User Permission
    SAVDLO (2)  Save DLO
- Operations that are not audited
    ADDACC  Add Access Code
    DSPACC  Display Access Code
    DSPUSRPMN  Display User Permission
    QHFCHGFP  Change File Pointer API
    QHFCLODR  Close Directory API
    QHFCLOSF  Close Stream File API
    QHFFRCSF  Force Buffered Data API
    QHFLULSF  Lock/Unlock Stream File Range API
    QHFRTVAT  Retrieve Directory Entry Attributes API
    RCLDLO  Reclaim DLO (*ALL or *INT)
    WRKDOCLIB  Work with Document Library
    WRKDOCPRTQ  Work with Document Print Queue

(2) A change entry is written for both the document and the folder if the target of the operation is in a folder.

Operations for Data Area (*DTAARA)


This list describes the operations that you can perform against Data Area (*DTAARA), and whether those operations are audited.

- Read operation
    DSPDTAARA  Display Data Area
    RCVDTAARA  Receive Data Area (S/38 command)
    RTVDTAARA  Retrieve Data Area
    QWCRDTAA  Retrieve Data Area API
- Change operation
    CHGDTAARA  Change Data Area
    SNDDTAARA  Send Data Area
- Operations that are not audited
    Data Areas  Local Data Area, Group Data Area, PIP (Program Initialization Parameter) Data Area
    WRKDTAARA  Work with Data Area

Operations for Interactive Data Definition Utility (*DTADCT)


This list describes the operations that you can perform against Interactive Data Definition Utility (*DTADCT), and whether those operations are audited.

- Read operation
    None
- Change operation
    Create  Data dictionary and data definitions
    Change  Data dictionary and data definitions
    Copy  Data definitions (recorded as create)
    Delete  Data dictionary and data definitions
    Rename  Data definitions
- Operations that are not audited
    Display  Data dictionary and data definitions
    LNKDTADFN  Linking and unlinking file definitions
    Print  Data dictionary, data definitions, and where-used information for data definitions

Operations for Data Queue (*DTAQ)


This list describes the operations that you can perform against Data Queue (*DTAQ), and whether those operations are audited.

- Read operation
    QMHRDQM  Retrieve Data Queue Message API
- Change operation
    QRCVDTAQ  Receive Data Queue API
    QSNDDTAQ  Send Data Queue API
    QCLRDTAQ  Clear Data Queue API
    QMHQCDQ  Change Data Queue API
- Operations that are not audited
    WRKDTAQ  Work with Data Queue
    QMHQRDQD  Retrieve Data Queue Description API

Operations for Edit Description (*EDTD)


This list describes the operations that you can perform against Edit Description (*EDTD), and whether those operations are audited.

- Read operation
    DSPEDTD  Display Edit Description
    QECCVTEC  Edit code expansion API (via routine QECEDITU)
- Change operation
    None
- Operations that are not audited
    WRKEDTD  Work with Edit Descriptions
    QECEDT  Edit API
    QECCVTEW  API for translating Edit Work into Edit Mask

Operations for Exit Registration (*EXITRG)


This list describes the operations that you can perform against Exit Registration (*EXITRG), and whether those operations are audited.

- Read operation
    QUSRTVEI  Retrieve Exit Information API
    QusRetrieveExitInformation  Retrieve Exit Information API
- Change operation
    ADDEXITPGM  Add Exit Program
    QUSADDEP  Add Exit Program API
    QusAddExitProgram  Add Exit Program API
    QUSDRGPT  Unregister Exit Point API
    QusDeregisterExitPoint  Unregister Exit Point API
    QUSRGPT  Register Exit Point API
    QusRegisterExitPoint  Register Exit Point API
    QUSRMVEP  Remove Exit Program API
    QusRemoveExitProgram  Remove Exit Program API
    RMVEXITPGM  Remove Exit Program
    WRKREGINF  Work with Registration Information
- Operations that are not audited
    None

Operations for Forms Control Table (*FCT)


This list describes the operations that you can perform against Forms Control Table (*FCT), and whether those operations are audited.

- No Read or Change operations are audited for the *FCT object type.

Operations for File (*FILE)


This list describes the operations that you can perform against File (*FILE), and whether those operations are audited.

- Read operation
    CPYF  Copy File (uses open operation)
    Open  Open of a file for read
    DSPPFM  Display Physical File Member (uses open operation)
    Open  Open of MRTs after the initial open
    CRTBSCF  Create BSC File (uses open operation)
    CRTCMNF  Create Communications File (uses open operation)
    CRTDSPF  Create Display File (uses open operation)
    CRTICFF  Create ICF File (uses open operation)
    CRTMXDF  Create MXD File (uses open operation)
    CRTPRTF  Create Printer File (uses open operation)
    CRTPF  Create Physical File (uses open operation)
    CRTLF  Create Logical File (uses open operation)
    DSPMODSRC  Display Module Source (uses open operation)
    STRDBG  Start Debug (uses open operation)
    QTEDBGS  Retrieve View Text API
- Change operation
    Open  Open a file for modification
    ADDBSCDEVE (S/38E)  Add Bisync Device Entry to a mixed device file
    ADDCMNDEVE (S/38E)  Add Communications Device Entry to a mixed device file
    ADDDSPDEVE (S/38E)  Add Display Device Entry to a mixed device file
    ADDICFDEVE (S/38E)  Add ICF Device Entry to a mixed device file
    ADDLFM  Add Logical File Member
    ADDPFCST  Add Physical File Constraint
    ADDPFM  Add Physical File Member
    ADDPFTRG  Add Physical File Trigger
    ADDPFVLM  Add Physical File Variable Length Member
    APYJRNCHGX  Apply Journal Changes Extend
    CHGBSCF  Change Bisync File
    CHGCMNF (S/38E)  Change Communications File
    CHGDDMF  Change DDM File
    CHGDKTF  Change Diskette File
    CHGDSPF  Change Display File
    CHGICFDEVE  Change ICF Device File Entry
    CHGICFF  Change ICF File
    CHGMXDF (S/38E)  Change Mixed Device File
    CHGLF  Change Logical File
    CHGLFM  Change Logical File Member
    CHGPF  Change Physical File
    CHGPFCST  Change Physical File Constraint
    CHGPFM  Change Physical File Member
    CHGPRTF  Change Printer Device File
    CHGSAVF  Change Save File
    CHGS36PRCA  Change S/36 Procedure Attributes
    CHGS36SRCA  Change S/36 Source Attributes
    CHGTAPF  Change Tape Device File
    CLRPFM  Clear Physical File Member
    CPYF  Copy File (open file for modification, such as adding records, clearing a member, or saving a member)
    EDTS36PRCA  Edit S/36 Procedure Attributes
    EDTS36SRCA  Edit S/36 Source Attributes
    INZPFM  Initialize Physical File Member
    JRNAP (S/38E)  Start Journal Access Path (entry per file)
    JRNPF (S/38E)  Start Journal Physical File (entry per file)
    RGZPFM  Reorganize Physical File Member
    RMVBSCDEVE (S/38E)  Remove BSC Device Entry from a mixed device file
    RMVCMNDEVE (S/38E)  Remove CMN Device Entry from a mixed device file
    RMVDSPDEVE (S/38E)  Remove DSP Device Entry from a mixed device file
    RMVICFDEVE (S/38E)  Remove ICF Device Entry from a mixed device file
    RMVM  Remove Member
    RMVPFCST  Remove Physical File Constraint
    RMVPFTRG  Remove Physical File Trigger
    RNMM  Rename Member
    WRKS36PRCA  Work with S/36 Procedure Attributes
    WRKS36SRCA  Work with S/36 Source Attributes
- Operations that are not audited
    CHGPFTRG  Change Physical File Trigger
    DSPCPCST  Display Check Pending Constraints
    DSPFD  Display File Description
    DSPFFD  Display File Field Description
    DSPDBR  Display Database Relations
    DSPPGMREF  Display Program File References
    EDTCPCST  Edit Check Pending Constraints
    OVRxxx  Override file
    RTVMBRD  Retrieve Member Description
    WRKPFCST  Work with Physical File Constraints
    WRKF  Work with File

Operations for First-in First-out Files (*FIFO)


This list describes the operations that you can perform against first-in first-out (*FIFO) objects, and whether those operations are audited. *FIFO objects are audited in the same way as stream files; see Operations for Stream File (*STMF).

Operations for Folder (*FLR)


This list describes the operations that you can perform against folder (*FLR) objects, and whether those operations are audited. See Operations for Document Library Object (*DOC or *FLR) on page 514.


Operations for Font Resource (*FNTRSC)


This list describes the operations that you can perform against Font Resource (*FNTRSC), and whether those operations are audited.

- Read operation
    Print  Printing a spooled file that refers to the font resource
- Change operation
    None
- Operations that are not audited
    WRKFNTRSC  Work with Font Resource
    Print  Referring to the font resource when creating a spooled file

Operations for Form Definition (*FORMDF)


This list describes the operations that you can perform against Form Definition (*FORMDF), and whether those operations are audited.

- Read operation
    Print  Printing a spooled file that refers to the form definition
- Change operation
    None
- Operations that are not audited
    WRKFORMDF  Work with Form Definition
    Print  Referring to the form definition when creating a spooled file

Operations for Filter Object (*FTR)


This list describes the operations that you can perform against Filter Object (*FTR), and whether those operations are audited.

- Read operation
    None
- Change operation
    ADDALRACNE  Add Alert Action Entry
    ADDALRSLTE  Add Alert Selection Entry
    ADDPRBACNE  Add Problem Action Entry
    ADDPRBSLTE  Add Problem Selection Entry
    CHGALRACNE  Change Alert Action Entry
    CHGALRSLTE  Change Alert Selection Entry
    CHGPRBACNE  Change Problem Action Entry
    CHGPRBSLTE  Change Problem Selection Entry
    CHGFTR  Change Filter
    RMVFTRACNE  Remove Filter Action Entry
    RMVFTRSLTE  Remove Filter Selection Entry
    WRKFTRACNE  Work with Filter Action Entries (when an entry is added, changed, or removed)
    WRKFTRSLTE  Work with Filter Selection Entries (when an entry is added, changed, or removed)
- Operations that are not audited
    WRKFTR  Work with Filter
    WRKFTRACNE  Work with Filter Action Entries (display only)
    WRKFTRSLTE  Work with Filter Selection Entries (display only)

Operations for Graphics Symbols Set (*GSS)


This list describes the operations that you can perform against Graphics Symbols Set (*GSS), and whether those operations are audited.

- Read operation
    Loaded  When it is loaded
    Font  When it is used as a font in an externally described printer file
- Change operation
    None
- Operations that are not audited
    WRKGSS  Work with Graphic Symbol Set

Operations for Double-byte Character Set Dictionary (*IGCDCT)


This list describes the operations that you can perform against Double-byte Character Set Dictionary (*IGCDCT), and whether those operations are audited.

- Read operation
    DSPIGCDCT  Display IGC Dictionary
- Change operation
    EDTIGCDCT  Edit IGC Dictionary


Operations for Double-byte Character Set Sort (*IGCSRT)


This list describes the operations that you can perform against Double-byte Character Set Sort (*IGCSRT), and whether those operations are audited.

- Read operation
    CPYIGCSRT  Copy IGC Sort (from *IGCSRT object)
    Conversion  Conversion to V3R1 format, if necessary
    Print  Print character to register in sort table (option 1 from CGU menu); print before deleting character from sort table (option 2 from CGU menu)
- Change operation
    CPYIGCSRT  Copy IGC Sort (to *IGCSRT object)
    Conversion  Conversion to V3R1 format, if necessary
    Create  Create a user-defined character (option 1 from CGU menu)
    Delete  Delete a user-defined character (option 2 from CGU menu)
    Update  Update the active sort table (option 5 from CGU menu)
- Operations that are not audited
    FMTDTA  Sort records or fields in a file

Operations for Double-byte Character Set Table (*IGCTBL)


This list describes the operations that you can perform against Double-byte Character Set Table (*IGCTBL), and whether those operations are audited.

- Read operation
    CPYIGCTBL  Copy IGC Table
    STRFMA  Start Font Management Aid
- Change operation
    STRFMA  Start Font Management Aid
- Operations that are not audited
    CHKIGCTBL  Check IGC Table

Operations for Job Description (*JOBD)


This list describes the operations that you can perform against Job Description (*JOBD), and whether those operations are audited.

- Read operation
    None
- Change operation
    CHGJOBD  Change Job Description
- Operations that are not audited
    DSPJOBD  Display Job Description
    WRKJOBD  Work with Job Description
    QWDRJOBD  Retrieve Job Description API
    Batch job  When used to establish a job

Operations for Job Queue (*JOBQ)


This list describes the operations that you can perform against Job Queue (*JOBQ), and whether those operations are audited.

- Read operation
    None
- Change operation
    Entry  When an entry is placed on or removed from the queue
    CHGJOBQ  Change Job Queue
    CLRJOBQ  Clear Job Queue
    HLDJOBQ  Hold Job Queue
    RLSJOBQ  Release Job Queue
- Operations that are not audited
    ADDJOBQE (3)  Add Job Queue Entry
    CHGJOB  Change Job from one JOBQ to another JOBQ
    CHGJOBQE (3)  Change Job Queue Entry
    QSPRJOBQ  Retrieve job queue information
    RMVJOBQE (3)  Remove Job Queue Entry
    TFRJOB  Transfer Job
    TFRBCHJOB  Transfer Batch Job
    WRKJOBQ  Work with Job Queue for a specific job queue
    WRKJOBQ  Work with Job Queue for all job queues
    WRKJOBQD  Work with Job Queue Description

(3) An audit record is written if object auditing is specified for the subsystem description (*SBSD). See Subsystem descriptions on page 205.

Operations for Job Scheduler Object (*JOBSCD)

This list describes the operations that you can perform against Job Scheduler Object (*JOBSCD), and whether those operations are audited.

- Read operation
    None
- Change operation
    ADDJOBSCDE  Add Job Schedule Entry
    CHGJOBSCDE  Change Job Schedule Entry
    RMVJOBSCDE  Remove Job Schedule Entry
    HLDJOBSCDE  Hold Job Schedule Entry
    RLSJOBSCDE  Release Job Schedule Entry
- Operations that are not audited
    Display  Display details of scheduled job entry
    WRKJOBSCDE  Work with Job Schedule Entries
    Work with ...  Work with previously submitted jobs from job schedule entry
    QWCLSCDE  List job schedule entry API

Operations for Journal (*JRN)

This list describes the operations that you can perform against Journal (*JRN), and whether those operations are audited.

- Read operation
    CMPJRNIMG  Compare Journal Images
    DSPJRN  Display Journal Entry for user journals
    QJORJIDI  Retrieve Journal Identifier (JID) Information

    QjoRetrieveJournalEntries  Retrieve Journal Entries
    RCVJRNE  Receive Journal Entry
    RTVJRNE  Retrieve Journal Entry
- Change operation
    ADDRMTJRN  Add Remote Journal
    APYJRNCHG  Apply Journaled Changes
    APYJRNCHGX  Apply Journal Changes Extend
    CHGJRN  Change Journal
    CHGRMTJRN  Change Remote Journal
    ENDJRNxxx  End Journaling
    JRNAP (S/38E)  Start Journal Access Path
    JRNPF (S/38E)  Start Journal Physical File
    QjoAddRemoteJournal  Add Remote Journal API
    QjoChangeJournalState  Change Journal State API
    QjoEndJournal  End Journaling API
    QjoRemoveRemoteJournal  Remove Remote Journal API
    QJOSJRNE  Send Journal Entry API (user entries only via QJOSJRNE API)
    QjoStartJournal  Start Journaling API
    RMVJRNCHG  Remove Journaled Changes
    RMVRMTJRN  Remove Remote Journal
    SNDJRNE  Send Journal Entry (user entries only via SNDJRNE command)
    STRJRNxxx  Start Journaling
- Operations that are not audited
    DSPJRN  Display Journal Entry for internal system journals, JRN(*INTSYSJRN)
    DSPJRNA (S/38E)  Work with Journal Attributes
    DSPJRNMNU (S/38E)  Work with Journal
    QjoRetrieveJournalInformation  Retrieve Journal Information API
    WRKJRN  Work with Journal (DSPJRNMNU in S/38 environment)
    WRKJRNA  Work with Journal Attributes (DSPJRNA in S/38 environment)

Operations for Journal Receiver (*JRNRCV)


This list describes the operations that you can perform against Journal Receiver (*JRNRCV), and whether those operations are audited.

- Read operation
    None
- Change operation
    CHGJRN  Change Journal (when attaching new receivers)
- Operations that are not audited
    DSPJRNRCVA  Display Journal Receiver Attributes
    QjoRtvJrnReceiverInformation  Retrieve Journal Receiver Information API
    WRKJRNRCV  Work with Journal Receiver

Operations for Library (*LIB)


This list describes the operations that you can perform against Library (*LIB), and whether those operations are audited.

- Read operation
    DSPLIB  Display Library (when the library is not empty; if the library is empty, no audit entry is written)
    Locate  When a library is accessed to find an object
      Notes:
      1. Several audit entries might be written for a library for a single command. For example, when you open a file, a ZR audit journal entry for the library is written when the system locates the file and each member in the file.
      2. No audit entry is written if the locate function is not successful. For example, if you run a command using a generic parameter, such as

             DSPOBJD OBJ(AR/WRK*) OBJTYPE(*FILE)

         and a library named AR does not have any file names beginning with WRK, no audit record is written for that library.
    Library list  Adding a library to a library list
- Change operation
    CHGLIB  Change Library
    CLRLIB  Clear Library
    MOVOBJ  Move Object
    RNMOBJ  Rename Object
    Add  Add object to library
    Delete  Delete object from library
- Operations that are not audited
    None
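The object-auditing behaviour described for *LIB above, and the *EXITRG entries earlier in this appendix, can be verified on a system rather than taken from the table. The CL program below is an added example, not part of this reference: it switches on object auditing for the exit registration facility (the change-audited object that ADDEXITPGM and RMVEXITPGM write to) and for library AR, runs the generic DSPOBJD from the note above, and then dumps the resulting ZR (object read) and ZC (object change) entries from QAUDJRN into an outfile. Library AR and the generic name WRK* come from the note; the outfile AUDLIB/ZENT and the assumption that QUSRSYS/QUSEXRGOBJ is the registration facility's *EXITRG object are the example's own.

```cl
             PGM
             /* Added example (not from the IBM i Security Reference).      */
             /* Assumes library AUDLIB exists for the outfile and that      */
             /* the job runs with *AUDIT and *ALLOBJ special authority.     */

             /* Object-level auditing is honoured only when QAUDCTL        */
             /* contains *OBJAUD. *AUDLVL is kept so action auditing       */
             /* (QAUDLVL / AUDLVL) continues to work.                       */
             CHGSYSVAL  SYSVAL(QAUDCTL) VALUE('*OBJAUD *AUDLVL')

             /* Exit registration facility: every ADDEXITPGM/RMVEXITPGM    */
             /* and the QUS*/Qus* registration APIs will now write a ZC    */
             /* entry, which is the signal to watch for persistence via    */
             /* exit programs. Read APIs (QUSRTVEI) would need *ALL.       */
             CHGOBJAUD  OBJ(QUSRSYS/QUSEXRGOBJ) OBJTYPE(*EXITRG) +
                          OBJAUD(*CHANGE)

             /* Library AR: audit both locate (ZR) and add/delete/rename   */
             /* of objects in it (ZC). Libraries live in QSYS.              */
             CHGOBJAUD  OBJ(QSYS/AR) OBJTYPE(*LIB) OBJAUD(*ALL)

             /* A successful locate writes a ZR entry for AR. If no file   */
             /* in AR starts with WRK, the command fails and, as the note  */
             /* above says, no ZR entry is written for the library.        */
             DSPOBJD    OBJ(AR/WRK*) OBJTYPE(*FILE)
             MONMSG     MSGID(CPF0000)   /* "no objects found" is expected */

             /* Pull the ZR/ZC entries from the currently attached         */
             /* receiver into an outfile for inspection or SQL queries.    */
             DSPJRN     JRN(QSYS/QAUDJRN) JRNCDE((T)) ENTTYP(ZR ZC) +
                          RCVRNG(*CURRENT) ENTDTALEN(*CALC) +
                          OUTPUT(*OUTFILE) OUTFILFMT(*TYPE5) +
                          OUTFILE(AUDLIB/ZENT)
             ENDPGM
```

The first CHGSYSVAL replaces the whole QAUDCTL list, so include any values already set before running this. After the program runs, a ZR entry naming AR with object type *LIB appears in AUDLIB/ZENT only when the generic name matched at least one file; repeating the DSPOBJD against a library that has no WRK* files produces no entry, which is exactly the gap the note above warns about.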

Operations for Line Description (*LIND)


This list describes the operations that you can perform against Line Description (*LIND), and whether those operations are audited.

- Read operation
    SAVCFG  Save Configuration
    RUNLPDA  Run LPDA-2 operational commands
    VFYCMN  Link test
    VFYLNKLPDA  LPDA-2 link test
- Change operation
    CHGLINxxx  Change Line Description
    VRYCFG  Vary on/off line description
- Operations that are not audited
    ANSLIN  Answer Line
    Copy  Option 3 from WRKLIND
    DSPLIND  Display Line Description
    ENDLINRCY  End Line Recovery
    RLSCMNDEV  Release Communications Device
    RSMLINRCY  Resume Line Recovery
    RTVCFGSRC  Retrieve Source of line description
    RTVCFGSTS  Retrieve line description status
    WRKLIND  Work with Line Description
    WRKCFGSTS  Work with line description status

Operations for Mail Services


This list describes the operations that you can perform against Mail Services, and whether those operations are audited.

Note: Mail services actions are audited if the action auditing (QAUDLVL) system value or the action auditing (AUDLVL) parameter in the user profile includes *OFCSRV.

- Operations that are audited
    Change  Changes to the system distribution directory
    On behalf  Working on behalf of another user
      Note: Working on behalf of another user is audited if the AUDLVL in the user profile or the QAUDLVL system value includes *SECURITY.
    Open  An audit record is written when the mail log is opened
- Operations that are not audited
    Change  Change details of a mail item
    Delete  Delete a mail item
    File  File a mail item into a document or folder
      Note: When a mail item is filed, it becomes a document library object (DLO). Object auditing can be specified for a DLO.
    Forward  Forward a mail item
    Print  Print a mail item
      Note: Printing of mail items can be audited using the *SPLFDTA or *PRTDTA audit level.
    Receive  Receive a mail item
    Reply  Reply to a mail item
    Send  Send a mail item
    View  View a mail item
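The Directory Server and Mail Services entries above depend on action auditing (QAUDLVL or the profile's AUDLVL) rather than on object auditing, and the "on behalf" case additionally needs *SECURITY. The CL program below is an added example, not part of this reference: it sets the system-wide action-auditing list, adds a tighter per-user list for one profile, and extracts the entry types those levels produce. The profile name OFCUSR, the outfile AUDLIB/OFCENT, and the values *AUTFAIL and *SECURITY assumed to be already present in QAUDLVL are the example's own assumptions.

```cl
             PGM
             /* Added example (not from the IBM i Security Reference).      */
             /* Assumes library AUDLIB exists, user profile OFCUSR exists,  */
             /* and the job has *AUDIT special authority.                   */

             /* Action auditing is honoured only when QAUDCTL includes     */
             /* *AUDLVL; *OBJAUD is kept so object auditing still works.   */
             CHGSYSVAL  SYSVAL(QAUDCTL) VALUE('*AUDLVL *OBJAUD')

             /* System-wide list. VALUE replaces the whole list, so the    */
             /* existing entries (*AUTFAIL *SECURITY here, an assumption)  */
             /* must be repeated. *OFCSRV covers the directory and mail    */
             /* log actions listed above; *SPLFDTA is what makes printing  */
             /* of a mail item visible, since that is a spooled-file act.  */
             CHGSYSVAL  SYSVAL(QAUDLVL) +
                          VALUE('*AUTFAIL *SECURITY *OFCSRV *SPLFDTA')

             /* Per-profile list. AUDLVL in the profile is added to        */
             /* QAUDLVL, so one user can be watched more closely without   */
             /* raising the noise for everyone. *SECURITY is what records  */
             /* "working on behalf of another user".                       */
             CHGUSRAUD  USRPRF(OFCUSR) AUDLVL(*OFCSRV *SECURITY)

             /* ML = mail actions and SD = system distribution directory   */
             /* changes (both from *OFCSRV); SF = spooled-file actions     */
             /* (from *SPLFDTA). Pull them from the attached receiver.      */
             DSPJRN     JRN(QSYS/QAUDJRN) JRNCDE((T)) ENTTYP(ML SD SF) +
                          RCVRNG(*CURRENT) ENTDTALEN(*CALC) +
                          OUTPUT(*OUTFILE) OUTFILFMT(*TYPE5) +
                          OUTFILE(AUDLIB/OFCENT)
             ENDPGM
```

Changes to QAUDLVL take effect for jobs started afterwards; an interactive session that was already signed on keeps the auditing level it started with, so sign off and on again before testing the mail-log open or a directory change.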


Operations for Menu (*MENU)


This list describes the operations that you can perform against Menu (*MENU), and whether those operations are audited.

- Read operation
    Display  Displaying a menu through the GO MENU command or UIM dialog box command
- Change operation
    CHGMNU  Change Menu
- Operations that are not audited
    Return  Returning to a menu in the menu stack that has already been displayed
    DSPMNUA  Display Menu Attributes
    WRKMNU  Work with Menu

Operations for Mode Description (*MODD)


This list describes the operations that you can perform against Mode Description (*MODD), and whether those operations are audited.

- Read operation
    None
- Change operation
    CHGMODD  Change Mode Description
- Operations that are not audited
    CHGSSNMAX  Change Session Maximum
    DSPMODD  Display Mode Description
    ENDMOD  End Mode
    STRMOD  Start Mode
    WRKMODD  Work with Mode Descriptions

Operations for Module Object (*MODULE)


This list describes the operations that you can perform against Module Object (*MODULE), and whether those operations are audited.

- Read operation
    CRTPGM  An audit entry for each module object used during a CRTPGM
    CRTSRVPGM  An audit entry for each module object used during a CRTSRVPGM
    RTVCLSRC  An audit entry for each module object used during a RTVCLSRC
    UPDPGM  An audit entry for each module object used during an UPDPGM
    UPDSRVPGM  An audit entry for each module object used during an UPDSRVPGM
- Change operation
    CHGMOD  Change Module
- Operations that are not audited
    DSPMOD  Display Module
    Module Conversion  Machine-initiated conversion for compatibility with the current machine
    RTVBNDSRC  Retrieve Binder Source
    WRKMOD  Work with Module

Operations for Message File (*MSGF)


This list describes the operations that you can perform against Message File (*MSGF), and whether those operations are audited.

- Read operation
    DSPMSGD  Display Message Description
    MRGMSGF  Merge Message File (from-file)
    Print  Print message description
    RTVMSG  Retrieve information from a message file
    QMHRTVM  Retrieve Message API
    WRKMSGD  Work with Message Description
- Change operation
    ADDMSGD  Add Message Description
    CHGMSGD  Change Message Description
    CHGMSGF  Change Message File
    MRGMSGF  Merge Message File (to-file and replace MSGF)
    RMVMSGD  Remove Message Description
- Operations that are not audited
    OVRMSGF  Override Message File
    WRKMSGF  Work with Message File
    QMHRMFAT  Retrieve Message File Attributes API

Operations for Message Queue (*MSGQ)


This list describes the operations that you can perform against Message Queue (*MSGQ), and whether those operations are audited.

- Read operation
    QMHLSTM  List Nonprogram Messages API
    QMHRMQAT  Retrieve Nonprogram Message Queue Attributes API
    DSPLOG  Display Log
    DSPMSG  Display Message
    Print  Print Messages
    RCVMSG  Receive Message RMV(*NO)
    QMHRCVM  Receive Nonprogram Messages API when message action is not *REMOVE
- Change operation
    CHGMSGQ  Change Message Queue
    CLRMSGQ  Clear Message Queue
    RCVMSG  Receive Message RMV(*YES)
    QMHRCVM  Receive Nonprogram Messages API when message action is *REMOVE
    RMVMSG  Remove Message
    QMHRMVM  Remove Nonprogram Messages API
    SNDxxxMSG  Send a Message to a message queue
    QMHSNDBM  Send Break Message API
    QMHSNDM  Send Nonprogram Message API
    QMHSNDRM  Send Reply Message API
    SNDRPY  Send Reply
    WRKMSG  Work with Message
- Operations that are not audited
    WRKMSGQ  Work with Message Queue
    Program  Program message queue operations

Operations for Node Group (*NODGRP)


This list describes the operations that you can perform against Node Group (*NODGRP), and whether those operations are audited.

- Read operation
    DSPNODGRP  Display Node Group
- Change operation
    CHGNODGRPA  Change Node Group Attributes

Operations for Node List (*NODL)


This list describes the operations that you can perform against Node List (*NODL), and whether those operations are audited.

- Read operation
    QFVLSTNL  List Node List Entries API
- Change operation
    ADDNODLE  Add Node List Entry
    RMVNODLE  Remove Node List Entry
- Operations that are not audited
    WRKNODL  Work with Node List
    WRKNODLE  Work with Node List Entries

Operations for NetBIOS Description (*NTBD)


This list describes the operations that you can perform against NetBIOS Description (*NTBD), and whether those operations are audited.

- Read operation
    SAVCFG  Save Configuration
- Change operation
    CHGNTBD  Change NetBIOS Description
- Operations that are not audited
    Copy  Option 3 of WRKNTBD
    DSPNTBD  Display NetBIOS Description
    RTVCFGSRC  Retrieve Configuration Source of NetBIOS description
    WRKNTBD  Work with NetBIOS Description

Operations for Network Interface (*NWID)


This list describes the operations that you can perform against Network Interface (*NWID), and whether those operations are audited.

- Read operation
    SAVCFG  Save Configuration
- Change operation
    CHGNWIISDN  Change Network Interface Description
    VRYCFG  Vary network interface description on or off
- Operations that are not audited
    Copy  Option 3 of WRKNWID
    DSPNWID  Display Network Interface Description
    ENDNWIRCY  End Network Interface Recovery
    RSMNWIRCY  Resume Network Interface Recovery
    RTVCFGSRC  Retrieve Source of Network Interface Description
    RTVCFGSTS  Retrieve Status of Network Interface Description
    WRKNWID  Work with Network Interface Description
    WRKCFGSTS  Work with network interface description status


Operations for Network Server Description (*NWSD)


This list describes the operations that you can perform against Network Server Description (*NWSD), and whether those operations are audited.

- Read operation
    SAVCFG  Save Configuration
- Change operation
    CHGNWSD  Change Network Server Description
    VRYCFG  Vary Configuration
- Operations that are not audited
    Copy  Option 3 of WRKNWSD
    DSPNWSD  Display Network Server Description
    RTVCFGSRC  Retrieve Configuration Source for *NWSD
    RTVCFGSTS  Retrieve Configuration Status for *NWSD
    WRKNWSD  Work with Network Server Description

Operations for Output Queue (*OUTQ)


This list describes the operations that you can perform against Output Queue (*OUTQ), and whether those operations are audited.

- Read operation
    STRPRTWTR  Start a Printer Writer to an OUTQ
    STRRMTWTR  Start a Remote Writer to an OUTQ
- Change operation
    Placement  When an entry is placed on or removed from the queue
    CHGOUTQ  Change Output Queue
    CHGSPLFA (4)  Change Spooled File Attributes, if moved to a different output queue and either output queue is audited
    CLROUTQ  Clear Output Queue
    DLTSPLF (4)  Delete Spooled File
    HLDOUTQ  Hold Output Queue
    RLSOUTQ  Release Output Queue
- Operations that are not audited
    CHGSPLFA (4)  Change Spooled File Attributes
    CPYSPLF (4)  Copy Spooled File
    Create (4)  Create a spooled file
    DSPSPLF (4)  Display Spooled File
    HLDSPLF (4)  Hold Spooled File
    QSPROUTQ  Retrieve output queue information
    RLSSPLF (4)  Release Spooled File
    SNDNETSPLF (4)  Send Network Spooled File
    WRKOUTQ  Work with Output Queue
    WRKOUTQD  Work with Output Queue Description
    WRKSPLF  Work with Spooled File
    WRKSPLFA  Work with Spooled File Attributes

(4) This is also audited if action auditing (QAUDLVL system value or AUDLVL user profile value) includes *SPLFDTA.

Operations for Overlay (*OVL)

This list describes the operations that you can perform against Overlay (*OVL), and whether those operations are audited.

- Read operation
    Print  Printing a spooled file that refers to the overlay
- Change operation
    None
- Operations that are not audited
    WRKOVL  Work with Overlay
    Print  Referring to the overlay when creating a spooled file

539

Operations for Page Definition (*PAGDFN)


This list describes the operations that you can perform against Page Definition (*PAGDFN), and whether those operations are audited.

- Read operation
    Print  Printing a spooled file that refers to the page definition
- Change operation
    None
- Operations that are not audited
    WRKPAGDFN  Work with Page Definition
    Print  Referring to the page definition when creating a spooled file

Operations for Page Segment (*PAGSEG)


This list describes the operations that you can perform against Page Segment (*PAGSEG), and whether those operations are audited.

- Read operation
    Print  Printing a spooled file that refers to the page segment
- Change operation
    None
- Operations that are not audited
    WRKPAGSEG  Work with Page Segment
    Print  Referring to the page segment when creating a spooled file

Operations for Print Descriptor Group (*PDG)


This list describes the operations that you can perform against Print Descriptor Group (*PDG), and whether those operations are audited.

- Read operation
    Open  When the print descriptor group is opened for read access by a PrintManager API or CPI verb
- Change operation
    Open  When the print descriptor group is opened for change access by a PrintManager API or CPI verb
- Operations that are not audited
    CHGPDGPRF  Change Print Descriptor Group Profile
    WRKPDG  Work with Print Descriptor Group

Operations for Program (*PGM)


This list describes the operations that you can perform against Program (*PGM), and whether those operations are audited.

- Read operation
    Activation  Program activation
    Call  Call program that is not already activated
    ADDPGM  Add program to debug
    QTEDBGS  QteRegisterDebugView (Register Debug View) API
    QTEDBGS  QteRetrieveModuleViews (Retrieve Module Views) API
    RUN  Run program in S/36 environment
    RTVCLSRC  Retrieve CL Source
    STRDBG  Start Debug
- Create operation
    CRTPGM  Create Program
    UPDPGM  Update Program
- Change operation
    CHGCSPPGM  Change CSP/AE Program
    CHGPGM  Change Program
    CHGS36PGMA  Change S/36 Program Attributes
    EDTS36PGMA  Edit S/36 Program Attributes
    WRKS36PGMA  Work with S/36 Program Attributes
- Operations that are not audited
    ANZPGM  Analyze Program
    DMPCLPGM  Dump CL Program
    DSPCSPOBJ  Display CSP Object
    DSPPGM  Display Program
    Program Conversion  Machine-initiated conversion for compatibility with the current machine
    PRTCMDUSG  Print Command Usage
    PRTCSPAPP  Print CSP Application
    PRTSQLINF  Print SQL Information
    QBNLPGMI  List ILE Program Information API
    QCLRPGMI  Retrieve Program Information API
    STRCSP  Start CSP Utilities
    TRCCSP  Trace CSP Application
    WRKOBJCSP  Work with Objects for CSP
    WRKPGM  Work with Program

Operations for Panel Group (*PNLGRP)

This list describes the operations that you can perform against Panel Group (*PNLGRP), and whether those operations are audited.

Read operation:
  ADDSCHIDXE   Add Search Index Entry
  QUIOPNDA     Open Panel Group for Display API
  QUIOPNPA     Open Panel Group for Print API
  QUHDSPH      Display Help API
Change operation:
  None
Operations that are not audited:
  WRKPNLGRP    Work with Panel Group

Operations for Product Availability (*PRDAVL)

This list describes the operations that you can perform against Product Availability (*PRDAVL), and whether those operations are audited.

Change operation:
  WRKSPTPRD    Work with Supported Products, when support is added or removed
Operations that are not audited:
  Read         No read operations are audited


Operations for Product Definition (*PRDDFN)

This list describes the operations that you can perform against Product Definition (*PRDDFN), and whether those operations are audited.

Change operation:
  ADDPRDLICI   Add Product License Information
  WRKSPTPRD    Work with Supported Products, when support is added or removed
Operations that are not audited:
  Read         No read operations are audited

Operations for Product Load (*PRDLOD)

This list describes the operations that you can perform against Product Load (*PRDLOD), and whether those operations are audited.

Change operation:
  Change       Product load state, product load library list, product load folder list, primary language
Operations that are not audited:
  Read         No read operations are audited

Operations for Query Manager Form (*QMFORM)

This list describes the operations that you can perform against Query Manager Form (*QMFORM), and whether those operations are audited.

Read operation:
  STRQMQRY     Start Query Management Query
  RTVQMFORM    Retrieve Query Management Form
  Run          Run a query
  Export       Export a Query Management form
  Print        Print a Query Management form
               Print a Query Management report using the form
  Use          Access the form using option 2, 5, 6, or 9 or function F13 from the DB2 Query Manager and SQL Development Kit for i5/OS
Change operation:
  CRTQMFORM    Create Query Management Form
  IMPORT       Import Query Management form
  Save         Save the form using a menu option or a command
  Copy         Option 3 from the Work with Query Manager Forms function
Operations that are not audited:


  Work with    When *QMFORMs are listed in a Work with display
  Active       Any form operation that is done against the 'active' form

Operations for Query Manager Query (*QMQRY)

This list describes the operations that you can perform against Query Manager Query (*QMQRY), and whether those operations are audited.

Read operation:
  RTVQMQRY     Retrieve Query Manager Query
  Run          Run Query Manager Query
  STRQMQRY     Start Query Manager Query
  Export       Export Query Manager query
  Print        Print Query Manager query
  Use          Access the query using function F13 or option 2, 5, 6, or 9 from the Work with Query Manager Queries function
Change operation:
  CRTQMQRY     Create Query Management Query
  Convert      Option 10 (Convert to SQL) from the Work with Query Manager Queries function
  Copy         Option 3 from the Work with Query Manager Queries function
  Save         Save the query using a menu or command
Operations that are not audited:
  Work with    When *QMQRYs are listed in a Work with display
  Active       Any query operation that is done against the 'active' query

Operations for Query Definition (*QRYDFN)

This list describes the operations that you can perform against Query Definition (*QRYDFN), and whether those operations are audited.

Read operation:
  ANZQRY       Analyze Query
  Change       Change a query using a prompt display presented by WRKQRY or QRY
  Display      Display a query using WRKQRY prompt display
  Export       Export form using Query Manager
  Export       Export query using Query Manager
  Print        Print query definition using WRKQRY prompt display
               Print Query Management form


               Print Query Management query
               Print Query Management report
  QRYRUN       Run Query
  RTVQMFORM    Retrieve Query Management Form
  RTVQMQRY     Retrieve Query Management Query
  Run          Run query using WRKQRY prompt display
               Run (Query Management command)
  RUNQRY       Run Query
  STRQMQRY     Start Query Management Query
  Submit       Submit a query (run request) to batch using WRKQRY prompt display or Exit This Query prompt display
Change operation:
  Change       Save a changed query using the Query/400 licensed program
Operations that are not audited:
  Copy         Copy a query using option 3 on the Work with Queries display
  Create       Create a query using option 1 on the Work with Queries display
  Delete       Delete a query using option 4 on the Work with Queries display
  Run          Run a query using option 1 on the Exit this Query display when creating or changing a query using the Query/400 licensed program
               Run a query interactively using PF5 while creating, displaying, or changing a query using the Query/400 licensed program
  DLTQRY       Delete a query

Operations for Reference Code Translate Table (*RCT)

This list describes the operations that you can perform against Reference Code Translate Table (*RCT), and whether those operations are audited.

Read operation:
  None
Change operation:
  None
Operations that are not audited:
  None

Operations for Reply List


This list describes the operations that you can perform against Reply List, and whether those operations are audited.

Note: Reply list actions are audited if the action auditing (QAUDLVL) system value or the action auditing (AUDLVL) parameter in the user profile includes *SYSMGT.

Operations that are audited:
  ADDRPYLE     Add Reply List Entry
  CHGRPYLE     Change Reply List Entry
  RMVRPYLE     Remove Reply List Entry
  WRKRPYLE     Work with Reply List Entry
Operations that are not audited:
  None

Operations for Subsystem Description (*SBSD)

This list describes the operations that you can perform against Subsystem Description (*SBSD), and whether those operations are audited.

Read operation:
  ENDSBS       End Subsystem
  STRSBS       Start Subsystem
Change operation:
  ADDAJE       Add Autostart Job Entry
  ADDCMNE      Add Communications Entry
  ADDJOBQE     Add Job Queue Entry
  ADDPJE       Add Prestart Job Entry
  ADDRTGE      Add Routing Entry
  ADDWSE       Add Workstation Entry
  CHGAJE       Change Autostart Job Entry
  CHGCMNE      Change Communications Entry
  CHGJOBQE     Change Job Queue Entry
  CHGPJE       Change Prestart Job Entry
  CHGRTGE      Change Routing Entry


  CHGSBSD      Change Subsystem Description
  CHGWSE       Change Workstation Entry
  RMVAJE       Remove Autostart Job Entry
  RMVCMNE      Remove Communications Entry
  RMVJOBQE     Remove Job Queue Entry
  RMVPJE       Remove Prestart Job Entry
  RMVRTGE      Remove Routing Entry
  RMVWSE       Remove Workstation Entry
Operations that are not audited:
  DSPSBSD      Display Subsystem Description
  QWCLASBS     List Active Subsystem API
  QWDLSJBQ     List Subsystem Job Queue API
  QWDRSBSD     Retrieve Subsystem Description API
  WRKSBSD      Work with Subsystem Description
  WRKSBS       Work with Subsystem
  WRKSBSJOB    Work with Subsystem Job

Operations for Information Search Index (*SCHIDX)

This list describes the operations that you can perform against Information Search Index (*SCHIDX), and whether those operations are audited.

Read operation:
  STRSCHIDX    Start Index Search
  WRKSCHIDXE   Work with Search Index Entry
Change operation (audited if OBJAUD is *CHANGE or *ALL):
  ADDSCHIDXE   Add Search Index Entry
  CHGSCHIDX    Change Search Index

  RMVSCHIDXE   Remove Search Index Entry
Operations that are not audited:
  WRKSCHIDX    Work with Search Index

Operations for Local Socket (*SOCKET)

This list describes the operations that you can perform against Local Socket (*SOCKET), and whether those operations are audited.

Read operation:
  connect      Bind a permanent destination to a socket and establish a connection
  DSPLNK       Display Links
  givedescriptor   Give File Access API
  Qp0lGetPathFromFileID   Get Path Name of Object from File ID API
  Qp0lRenameKeep   Rename File or Directory, Keep New API
  Qp0lRenameUnlink   Rename File or Directory, Unlink New API
  sendmsg      Send a datagram in connectionless mode. Can use multiple buffers.
  sendto       Send a datagram in connectionless mode
  WRKLNK       Work with Links
Change operation:
  ADDLNK       Add Link
  bind         Establish a local address for a socket
  CHGAUD       Change Auditing
  CHGAUT       Change Authority
  CHGOWN       Change Owner
  CHGPGP       Change Primary Group
  CHKIN        Check In
  CHKOUT       Check Out


  chmod        Change File Authorizations API
  chown        Change Owner and Group API
  givedescriptor   Give File Access API
  link         Create Link to File API
  Qp0lRenameKeep   Rename File or Directory, Keep New API
  Qp0lRenameUnlink   Rename File or Directory, Unlink New API
  RMVLNK       Remove Link
  RNM          Rename
  RST          Restore
  unlink       Remove Link to File API
  utime        Set File Access and Modification Times API
  WRKAUT       Work with Authority
  WRKLNK       Work with Links
Operations that are not audited:
  close        Close File API
               Note: Close is not audited, but if there were a failure or modification in a close scan-related exit program, then an audit record is cut.
  DSPAUT       Display Authority
  dup          Duplicate Open File Descriptor API
  dup2         Duplicate Open File Descriptor to Another Descriptor API
  fcntl        Perform File Control Command API
  fstat        Get File Information by Descriptor API
  fsync        Synchronize Changes to File API
  ioctl        Perform I/O Control Request API
  lstat        Get File or Link Information API
  pathconf     Get Configurable Path Name Variables API
  read         Read from File API
  readv        Read from File (Vector) API
  select       Check I/O Status of Multiple File Descriptors API
  stat         Get File Information API

  takedescriptor   Take File Access API
  write        Write to File API
  writev       Write to File (Vector) API

Operations for Spelling Aid Dictionary (*SPADCT)

This list describes the operations that you can perform against Spelling Aid Dictionary (*SPADCT), and whether those operations are audited.

Read operation:
  Verify       Spell verify function
  Aid          Spell aid function
  Hyphenation  Hyphenation function
  Dehyphenation   Dehyphenation function
  Synonyms     Synonym function
  Base         Use dictionary as base when creating another dictionary
  Verify       Use as verify dictionary when creating another dictionary
  Retrieve     Retrieve Stop Word List Source
  Print        Print Stop Word List Source
Change operation:
  CRTSPADCT    Create Spelling Aid Dictionary with REPLACE(*YES)
Operations that are not audited:
  None

Operations for Spooled Files

This list describes the operations that you can perform against Spooled Files, and whether those operations are audited.

Note: Spooled file actions are audited if the action auditing (QAUDLVL) system value or the action auditing (AUDLVL) parameter in the user profile includes *SPLFDTA.

Operations that are audited:
  Access       Each access by any user that is not the owner of the spooled file, including: CPYSPLF, DSPSPLF, SNDNETSPLF, SNDTCPSPLF, STRRMTWTR, QSPOPNSP API


  Change       Changing any of the following spooled file attributes with CHGSPLFA: COPIES, DEV, FORMTYPE, RESTART, PAGERANGE, OUTQ, DRAWER, PAGDFN, FORMDF, USRDFNOPT, USRDFNOBJ, USRDFNDTA, EXPDATE, SAVE
               Changing any other spooled file attributes with CHGSPLFA
  Create       Creating a spooled file using print operations
               Creating a spooled file using the QSPCRTSP API
  Delete       Deleting a spooled file using any of the following operations:
               - Printing a spooled file by a printer or diskette writer
               - Clearing the output queue (CLROUTQ)
               - Deleting the spooled file using the DLTSPLF command or the delete option from a spooled files display
               - Deleting spooled files when a job ends (ENDJOB SPLFILE(*YES))
               - Deleting spooled files when a print job ends (ENDPJ SPLFILE(*YES))
               - Sending a spooled file to a remote system by a remote writer
               - Deleting spooled files that have expired using the DLTEXPSPLF command
               - Deleting spooled files through the operational assist cleanup function
  Hold         Holding a spooled file by any of the following operations:
               - Using the HLDSPLF command
               - Using the hold option from a spooled files display
               - Printing a spooled file that specifies SAVE(*YES)
               - Sending a spooled file to a remote system by a remote writer when the spooled file specifies SAVE(*YES)
               - Having a writer hold a spooled file after an error occurs when processing the spooled file
  Read         Reading a spooled file by a printer or diskette writer
  Release      Releasing a spooled file
  Restore      Restoring a spooled file
  Save         Saving a spooled file


Operations for SQL Package (*SQLPKG)

This list describes the operations that you can perform against SQL Package (*SQLPKG), and whether those operations are audited.

Read operation:
  Run          When a *SQLPKG object is run
Change operation:
  None
Operations that are not audited:
  PRTSQLINF    Print SQL Information

Operations for Service Program (*SRVPGM)

This list describes the operations that you can perform against Service Program (*SRVPGM), and whether those operations are audited.

Read operation:
  CRTPGM       An audit entry for each service program used during a CRTPGM command
  CRTSRVPGM    An audit entry for each service program used during a CRTSRVPGM command
  QTEDBGS      Register Debug View API
  QTEDBGS      Retrieve Module Views API
  RTVBNDSRC    Retrieve Binder Source
  RTVCLSRC     An audit entry for each service program used during a RTVCLSRC command
  UPDPGM       An audit entry for each service program used during a UPDPGM command
  UPDSRVPGM    An audit entry for each service program used during a UPDSRVPGM command
Create operation:
  CRTSRVPGM    Create Service Program
  UPDSRVPGM    Update Service Program
Change operation:
  CHGSRVPGM    Change Service Program
Operations that are not audited:
  DSPSRVPGM    Display Service Program
  PRTSQLINF    Print SQL Information


  Service Program Conversion   Machine-initiated conversion for compatibility with the current machine
  QBNLSPGM     List Service Program Information API
  QBNRSPGM     Retrieve Service Program Information API
  WRKSRVPGM    Work with Service Program

Operations for Session Description (*SSND)


This list describes the operations that you can perform against Session Description (*SSND), and whether those operations are audited. No Read or Change operations are audited for the *SSND object type.

Operations for Server Storage Space (*SVRSTG)


This list describes the operations that you can perform against Server Storage Space (*SVRSTG), and whether those operations are audited. No Read or Change operations are audited for the *SVRSTG object type.

Operations for Stream File (*STMF)

This list describes the operations that you can perform against Stream File (*STMF) objects, and whether those operations are audited.

Read operation:
  CPY          Copy Object
  DSPLNK       Display Object Links
  givedescriptor   Give File Access API
  MOV          Move Object
  open, open64, QlgOpen, QlgOpen64, Qp0lOpen   Open File APIs
  SAV          Save Object
  WRKLNK       Work with Object Links
Change operation:
  ADDLNK       Add Link
  CHGAUD       Change Auditing
  CHGAUT       Change Authority
  CHGOWN       Change Owner

  CHGPGP       Change Primary Group
  CHKIN        Check In Object
  CHKOUT       Check Out Object
  chmod, QlgChmod   Change File Authorizations APIs
  chown, QlgChown   Change Owner and Group APIs
  CPY          Copy Object
  creat, creat64, QlgCreat, QlgCreat64   Create New File or Rewrite Existing File APIs
  fchmod       Change File Authorizations by Descriptor API
  fchown       Change Owner and Group of File by Descriptor API
  givedescriptor   Give File Access API
  link         Create Link to File API
  MOV          Move Object
  open, open64, QlgOpen, QlgOpen64, Qp0lOpen   Open File APIs, when opened for write
  Qp0lGetPathFromFileID, QlgGetPathFromFileID   Get Path Name of Object from File ID APIs
  Qp0lRenameKeep, QlgRenameKeep   Rename File or Directory, Keep New APIs
  Qp0lRenameUnlink, QlgRenameUnlink   Rename File or Directory, Unlink New APIs
  RMVLNK       Remove Link
  RNM          Rename Object
  RST          Restore Object
  unlink, QlgUnlink   Remove Link to File APIs
  utime, QlgUtime   Set File Access and Modification Times APIs
  WRKAUT       Work with Authority
  WRKLNK       Work with Links
Operations that are not audited:
  close        Close File API


  DSPAUT       Display Authority
  dup          Duplicate Open File Descriptor API
  dup2         Duplicate Open File Descriptor to Another Descriptor API
  faccessx     Determine file accessibility
  fclear, fclear64   Clear a file
  fcntl        Perform File Control Command API
  fpathconf    Get Configurable Path Name Variables by Descriptor API
  fstat, fstat64   Get File Information by Descriptor APIs
  fsync        Synchronize Changes to File API
  ftruncate, ftruncate64   Truncate File APIs
  ioctl        Perform I/O Control Request API
  lseek, lseek64   Set File Read/Write Offset APIs
  lstat, lstat64   Get File or Link Information APIs
  pathconf, QlgPathconf   Get Configurable Path Name Variables APIs
  pread, pread64   Read from Descriptor with Offset APIs
  pwrite, pwrite64   Write to Descriptor with Offset APIs
  read         Read from File API
  readv        Read from File (Vector) API
  select       Check I/O Status of Multiple File Descriptors API
  stat, stat64, QlgStat, QlgStat64   Get File Information APIs
  takedescriptor   Take File Access API
  write        Write to File API
  writev       Write to File (Vector) API

Operations for Symbolic Link (*SYMLNK)

This list describes the operations that you can perform against symbolic link (*SYMLNK) objects, and whether those operations are audited.

Read operation:
  CPY          Copy Object


  DSPLNK       Display Object Links
  MOV          Move Object
  readlink     Read Value of Symbolic Link API
  SAV          Save Object
  WRKLNK       Work with Object Links
Change operation:
  CHGOWN       Change Owner
  CHGPGP       Change Primary Group
  CPY          Copy Object
  MOV          Move Object
  Qp0lRenameKeep, QlgRenameKeep   Rename File or Directory, Keep New APIs
  Qp0lRenameUnlink, QlgRenameUnlink   Rename File or Directory, Unlink New APIs
  RMVLNK       Remove Link
  RNM          Rename Object
  RST          Restore Object
  symlink, QlgSymlink   Make Symbolic Link APIs
  unlink, QlgUnlink   Remove Link to File APIs
  WRKLNK       Work with Object Links
Operations that are not audited:
  lstat, lstat64, QlgLstat, QlgLstat64   Link Status APIs

Operations for S/36 Machine Description (*S36)

This list describes the operations that you can perform against S/36 Machine Description (*S36), and whether those operations are audited.

Read operation:
  None
Change operation:
  CHGS36       Change S/36 configuration
  CHGS36A      Change S/36 configuration attributes


  SET          SET procedure
  CRTDEVXXX    When a device is added to the configuration table
  DLTDEVD      When a device is deleted from the configuration table
  RNMOBJ       Rename device description
Operations that are not audited:
  DSPS36       Display S/36 configuration
  RTVS36A      Retrieve S/36 Configuration Attributes
  STRS36       Start S/36
  ENDS36       End S/36

Operations for Table (*TBL)

This list describes the operations that you can perform against Table (*TBL), and whether those operations are audited.

Read operation:
  QDCXLATE     Translate character string
  QTBXLATE     Translate character string
  QLGRTVSS     Retrieve sort sequence table
  CRTLF        Translation Table during CRTLF command
  Read         Use of Sort Sequence Table when running any command that can specify a sort sequence
Change operation:
  None
Operations that are not audited:
  WRKTBL       Work with table

Operations for User Index (*USRIDX)

This list describes the operations that you can perform against User Index (*USRIDX), and whether those operations are audited.

Read operation:
  QUSRTVUI     Retrieve User Index Entries API
Change operation:


  QUSADDUI     Add User Index Entries API
  QUSRMVUI     Remove User Index Entries API
Operations that are not audited:
  Access       Direct access to a user index using MI instructions (only allowed for a user domain user index in a library specified in the QALWUSRDMN system value)
  QUSRUIAT     Retrieve User Index Attributes API

Operations for User Profile (*USRPRF)

This list describes the operations that you can perform against User Profile (*USRPRF), and whether those operations are audited.

Read operation:
  RCLOBJOWN    Reclaim Objects by Owner
Change operation:
  CHGPRF       Change Profile
  CHGPWD       Change Password
  CHGUSRPRF    Change User Profile
  CHKPWD       Check Password
  DLTUSRPRF    Delete User Profile
  GRTUSRAUT    Grant User Authority (to-user-profile)
  QSYCHGPW     Change Password API
  RSTUSRPRF    Restore User Profile
Operations that are not audited:
  DSPPGMADP    Display Programs that Adopt
  DSPUSRPRF    Display User Profile
  GRTUSRAUT    Grant User Authority (from-user-profile)
  PRTPRFINT    Print Profile Internals
  PRTUSRPRF    Print User Profile


  QSYCUSRS     Check User Special Authorities API
  QSYLOBJA     List Authorized Objects API
  QSYLOBJP     List Objects That Adopt API
  QSYRUSRI     Retrieve User Information API
  RTVUSRPRF    Retrieve User Profile
  WRKOBJOWN    Work with Owned Objects
  WRKUSRPRF    Work with User Profiles

Operations for User Queue (*USRQ)

This list describes the operations that you can perform against User Queue (*USRQ), and whether those operations are audited.

No Read or Change operations are audited for the *USRQ object type.

Operations that are not audited:
  Access       Direct access to user queues using MI instructions (only allowed for a user domain user queue in a library specified in the QALWUSRDMN system value)

Operations for User Space (*USRSPC)

This list describes the operations that you can perform against User Space (*USRSPC), and whether those operations are audited.

Read operation:
  QUSRTVUS     Retrieve User Space API
Change operation:
  QUSCHGUS     Change User Space API
  QUSCUSAT     Change User Space Attributes API
Operations that are not audited:
  Access       Direct access to user space using MI instructions (only allowed for user domain user spaces in libraries specified in the QALWUSRDMN system value)
  QUSRUSAT     Retrieve User Space Attributes API


Operations for Validation List (*VLDL)

This list describes the operations that you can perform against Validation List (*VLDL), and whether those operations are audited.

Read operation:
  QSYFDVLE     Find Validation List Entry API
Change operation:
  QSYADVLE     Add Validation List Entry API
  QSYCHVLE     Change Validation List Entry API
  QSYRMVLE     Remove Validation List Entry API

Operations for Workstation Customizing Object (*WSCST)

This list describes the operations that you can perform against Workstation Customizing Object (*WSCST), and whether those operations are audited.

Read operation:
  Vary         When a customized device is varied on
  RTVWSCST     Retrieve Workstation Customizing Object Source (only when *TRANSFORM is specified for the device type)
  SNDTCPSPLF   Send TCP/IP Spooled File (only when TRANSFORM(*YES) is specified)
  STRPRTWTR    Start Printer Writer (only for spooled files that are printed to a customized printer using the host print transform function)
  STRRMTWTR    Start Remote Writer (only when the output queue is configured with CNNTYPE(*IP) and TRANSFORM(*YES))
  Print        When output is printed directly (not spooled) to a customized printer using the host print transform function
Change operation:
  None
Operations that are not audited:
  None


Appendix F. Layout of audit journal entries

This section contains layout information for all entry types with journal code T in the audit (QAUDJRN) journal. These entries are controlled by the action and object auditing you define.

The journal entry layouts described in this appendix are similar to how one can define a physical file using DDS. For instance, a Binary (4) is defined to hold from 1 to 4 digits of information with a storage requirement of two bytes, while a Binary (5) holds from 1 to 5 digits of information with a storage requirement of 4 bytes. Languages such as RPG use and enforce these definitions.

The system writes additional entries to the audit journal for such events as a system IPL or saving the journal receiver. The layouts for these entry types can be found in the Journal management topic.

"Standard heading fields for audit journal entries QJORDJE2 Record Format (*TYPE2)" on page 565 contains the layout for fields that are common to all entry types when OUTFILFMT(*TYPE2) is specified on the DSPJRN command. This layout, which is called QJORDJE2, is defined in the QADSPJR2 file in the QSYS library.

"Standard heading fields for audit journal entries QJORDJE4 Record Format (*TYPE4)" on page 563 contains the layout for fields that are common to all entry types when OUTFILFMT(*TYPE4) is specified on the DSPJRN command. This layout, which is called QJORDJE4, is defined in the QADSPJR4 file in the QSYS library. The *TYPE4 output includes all of the *TYPE2 information, plus information about journal identifiers, triggers, and referential constraints.

Note: The *TYPE2 and *TYPE4 output formats are no longer updated; therefore, it is recommended that you stop using the *TYPE2 and *TYPE4 formats and use only the *TYPE5 format.

"Standard heading fields for audit journal entries QJORDJE5 Record Format (*TYPE5)" on page 562 contains the layout for fields that are common to all entry types when OUTFILFMT(*TYPE5) is specified on the DSPJRN command. This layout, which is called QJORDJE5, is defined in the QADSPJR5 file in the QSYS library. The *TYPE5 output includes all of the *TYPE4 information, plus information about the program library, program ASP device name, program ASP device number, receiver, receiver library, receiver ASP device name, receiver ASP device number, arm number, thread ID, address family, remote port, and remote address.

"AD (Auditing Change) journal entries" on page 568 through "ZR (Read of Object) journal entries" on page 701 contain layouts for the model database outfiles provided to define entry-specific data. You can use the CRTDUPOBJ command to create an empty output file with the same layout as one of the model database outfiles. You can use the DSPJRN command to copy selected entries from the audit journal to the output file for analysis. "Analyzing audit journal entries with query or a program" on page 296 provides examples of using the model database outfiles. See also the Journal management topic.

Note: In the journal entry tables, you might see a blank entry in the offset column (JE or J4). This means there is no model outfile for that audit journal type.


Standard heading fields for audit journal entries QJORDJE5 Record Format (*TYPE5)

This table lists all possible values for the fields that are common to all entry types when OUTFILFMT(*TYPE5) is specified on the DSPJRN command.

Table 158. Standard heading fields for audit journal entries. QJORDJE5 Record Format (*TYPE5)

Offset  Field                       Format       Description
1       Length of Entry             Zoned(5,0)   Total length of the journal entry including the entry length field.
6       Sequence Number             Char(20)     Applied to each journal entry. Initially set to 1 for each new or restored journal. Optionally, reset to 1 when a new receiver is attached.
26      Journal Code                Char(1)      Always T.
27      Entry Type                  Char(2)      See "Audit Journal (QAUDJRN) entry types" on page 566 for a list of entry types and descriptions.
29      Timestamp of Entry          Char(26)     Date and time that the entry was made in SAA timestamp format.
55      Name of Job                 Char(10)     The name of the job that caused the entry to be generated.
65      User Name                   Char(10)     The user profile name associated with the job (1).
75      Job Number                  Zoned(6,0)   The job number.
81      Program Name                Char(10)     The name of the program that made the journal entry. This can also be the name of a service program or the partial name of a class file used in a compiled Java program. If an application program or CL program did not cause the entry, the field contains the name of a system-supplied program such as QCMD. The field has the value *NONE if the program name does not apply to this entry type or the program name was not available.
91      Program library             Char(10)     Name of the library that contains the program that added the journal entry.
101     Program ASP device          Char(10)     Name of the ASP device that contains the program that added the journal entry.
111     Program ASP number          Zoned(5,0)   Number of the ASP that contains the program that added the journal entry.
116     Name of object              Char(10)     Used for journaled objects. Not used for audit journal entries.
126     Object library              Char(10)     Used for journaled objects. Not used for audit journal entries.
136     Member Name                 Char(10)     Used for journaled objects. Not used for audit journal entries.
146     Count/RRN                   Char(20)     Used for journaled objects. Not used for audit journal entries.
166     Flag                        Char(1)      Used for journaled objects. Not used for audit journal entries.
167     Commit Cycle identifier     Char(20)     Used for journaled objects. Not used for audit journal entries.
187     User Profile                Char(10)     The name of the current user profile (1).
197     System Name                 Char(8)      The name of the system.
205     Journal identifier          Char(10)     Used for journaled objects. Not used for audit journal entries.
215     Referential Constraint      Char(1)      Used for journaled objects. Not used for audit journal entries.
216     Trigger                     Char(1)      Used for journaled objects. Not used for audit journal entries.
217     Incomplete Data             Char(1)      Used for journaled objects. Not used for audit journal entries.
218     Ignored by APY/RMVJRNCHG    Char(1)      Used for journaled objects. Not used for audit journal entries.
219     Minimized ESD               Char(1)      Used for journaled objects. Not used for audit journal entries.
220     Object indicator            Char(1)      Used for journaled objects. Not used for audit journal entries.
221     System sequence             Char(20)     A number assigned by the system to each journal entry.
241     Receiver                    Char(10)     The name of the receiver holding the journal entry.
251     Receiver library            Char(10)     The name of the library containing the receiver that holds the journal entry.
261     Receiver ASP device         Char(10)     Name of the ASP device that contains the receiver.
271     Receiver ASP number         Zoned(5,0)   Number of the ASP that contains the receiver that holds the journal entry.
276     Arm number                  Zoned(5,0)   The number of the disk arm that contains the journal entry.
281     Thread identifier           Hex(8)       Identifies the thread within the process that added the journal entry.
289     Thread identifier hex       Char(16)     Displayable hex version of the thread identifier.
305     Address family              Char(1)      The format of the remote address for this journal entry.
306     Remote port                 Zoned(5,0)   The port number of the remote address associated with the journal entry.
311     Remote address              Char(46)     The remote address associated with the journal entry.
357     Logical unit of work        Char(39)     Used for journaled objects. Not used for audit journal entries.
396     Transaction ID              Char(140)    Used for journaled objects. Not used for audit journal entries.
536     Reserved                    Char(20)     Used for journaled objects. Not used for audit journal entries.
556     Null value indicators       Char(50)     Used for journaled objects. Not used for audit journal entries.
606     Entry specific data length  Binary(5)    Length of the entry specific data.

Note 1: The three fields beginning at offset 55 make up the system job name. In most cases, the User name field at offset 65 and the User profile name field at offset 187 have the same value. For prestarted jobs, the User profile name field contains the name of the user starting the transaction. For some jobs, both these fields contain QSYS as the user name; the User profile name field in the entry-specific data then contains the actual user who caused the entry. If an API is used to exchange user profiles, the User profile name field contains the name of the new (swapped) user profile.
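As an added example (not code from the IBM manual), the following Python parses the QJORDJE5 heading of Table 158 from a constructed *TYPE5 outfile row and then cuts the entry-specific data using the Binary(5) length at offset 606. It assumes the row is raw EBCDIC (CCSID 37) as DSPJRN writes it, and the field names, sample values and the "EXAMPLE" entry-specific data are this example's own.

```python
"""Parse the QJORDJE5 (*TYPE5) standard heading of a QAUDJRN entry.

Added example, not part of the IBM manual. Offsets, formats and lengths
follow Table 158. Assumed: the record is the raw EBCDIC (CCSID 37) row of
the DSPJRN outfile, so Char fields are EBCDIC text, Zoned fields hold one
digit per byte (sign in the last byte's high nibble) and Binary(5) is a
4-byte big-endian integer. Field names are this example's own.
"""
import struct

EBCDIC = "cp037"

# (field, storage type, length). Offsets are the running sum, which
# reproduces the table's 1, 6, 26, 27, ..., 606.
QJORDJE5_FIELDS = [
    ("length_of_entry", "zoned", 5), ("sequence_number", "char", 20),
    ("journal_code", "char", 1), ("entry_type", "char", 2),
    ("timestamp", "char", 26), ("job_name", "char", 10),
    ("user_name", "char", 10), ("job_number", "zoned", 6),
    ("program_name", "char", 10), ("program_library", "char", 10),
    ("program_asp_device", "char", 10), ("program_asp_number", "zoned", 5),
    ("object_name", "char", 10), ("object_library", "char", 10),
    ("member_name", "char", 10), ("count_rrn", "char", 20),
    ("flag", "char", 1), ("commit_cycle_id", "char", 20),
    ("user_profile", "char", 10), ("system_name", "char", 8),
    ("journal_identifier", "char", 10), ("referential_constraint", "char", 1),
    ("trigger", "char", 1), ("incomplete_data", "char", 1),
    ("ignored_by_apy_rmvjrnchg", "char", 1), ("minimized_esd", "char", 1),
    ("object_indicator", "char", 1), ("system_sequence", "char", 20),
    ("receiver", "char", 10), ("receiver_library", "char", 10),
    ("receiver_asp_device", "char", 10), ("receiver_asp_number", "zoned", 5),
    ("arm_number", "zoned", 5), ("thread_identifier", "hex", 8),
    ("thread_identifier_hex", "char", 16), ("address_family", "char", 1),
    ("remote_port", "zoned", 5), ("remote_address", "char", 46),
    ("logical_unit_of_work", "char", 39), ("transaction_id", "char", 140),
    ("reserved", "char", 20), ("null_value_indicators", "char", 50),
    ("entry_specific_data_length", "binary", 4),
]


def layout() -> dict:
    """Map each field name to its (1-based offset, storage type, length)."""
    table, offset = {}, 1
    for name, kind, length in QJORDJE5_FIELDS:
        table[name] = (offset, kind, length)
        offset += length
    return table


LAYOUT = layout()
ESD_OFFSET = 1 + sum(f[2] for f in QJORDJE5_FIELDS)  # 610: first byte after the heading


def decode_zoned(raw: bytes) -> int:
    """Zoned decimal: low nibble of each byte is a digit; a 0xD sign nibble
    in the last byte means negative, 0xC/0xF positive."""
    value = 0
    for b in raw:
        value = value * 10 + (b & 0x0F)
    return -value if raw[-1] >> 4 == 0xD else value


def parse_heading(record: bytes) -> dict:
    """Return the heading fields plus the raw entry-specific data."""
    if len(record) < ESD_OFFSET - 1:
        raise ValueError("record shorter than the QJORDJE5 heading")
    fields = {}
    for name, (offset, kind, length) in LAYOUT.items():
        raw = record[offset - 1:offset - 1 + length]
        if kind == "char":
            fields[name] = raw.decode(EBCDIC).rstrip()
        elif kind == "zoned":
            fields[name] = decode_zoned(raw)
        elif kind == "hex":
            fields[name] = raw.hex()
        else:  # Binary(5): 4 bytes, big-endian, signed
            fields[name] = struct.unpack(">i", raw)[0]
    esd_len = fields["entry_specific_data_length"]
    fields["entry_specific_data"] = record[ESD_OFFSET - 1:ESD_OFFSET - 1 + esd_len]
    return fields


def build_sample_record() -> bytes:
    """Constructed *TYPE5 row for a T/PW entry; every value is made up for
    this example. Unset fields stay EBCDIC blanks (0x40)."""
    esd = "EXAMPLE".encode(EBCDIC)  # constructed entry-specific data
    rec = bytearray(b"\x40" * (ESD_OFFSET - 1)) + bytearray(esd)
    values = {
        "length_of_entry": len(rec), "sequence_number": "42",
        "journal_code": "T", "entry_type": "PW",
        "timestamp": "2010-06-15-09.30.00.000000", "job_name": "QPADEV0001",
        "user_name": "JSMITH", "job_number": 123456, "program_name": "QSYS",
        "user_profile": "JSMITH", "system_name": "SYSTEM01",
        "thread_identifier": "0000000000000007", "remote_port": 8476,
        "remote_address": "192.0.2.10", "entry_specific_data_length": len(esd),
    }
    for name, value in values.items():
        offset, kind, length = LAYOUT[name]
        if kind == "char":
            raw = value.ljust(length).encode(EBCDIC)
        elif kind == "zoned":  # EBCDIC digits 0xF0-0xF9 carry a positive sign
            raw = str(value).zfill(length).encode(EBCDIC)
        elif kind == "hex":
            raw = bytes.fromhex(value)
        else:
            raw = struct.pack(">i", value)
        rec[offset - 1:offset - 1 + length] = raw
    return bytes(rec)
```

The same field table drives both directions, so a mismatch between the computed offsets and the ones printed in Table 158 would show up immediately as a mis-decoded field.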

Standard heading fields for audit journal entries QJORDJE4 Record Format (*TYPE4)

This table lists all possible values for the fields that are common to all entry types when OUTFILFMT(*TYPE4) is specified on the DSPJRN command.

Table 159. Standard heading fields for audit journal entries. QJORDJE4 Record Format (*TYPE4)

Offset  Field                       Format        Description
1       Length of Entry             Zoned(5,0)    Total length of the journal entry including the entry length field.
6       Sequence Number             Zoned(10,0)   Applied to each journal entry. Initially set to 1 for each new or restored journal. Optionally, reset to 1 when a new receiver is attached.

Appendix F. Layout of audit journal entries

563

Table 159. Standard heading fields for audit journal entries (continued). QJORDJE4 Record Format (*TYPE4)
Offset | Field | Format | Description
16 | Journal Code | Char(1) | Always T.
17 | Entry Type | Char(2) | See Audit Journal (QAUDJRN) entry types on page 566 for a list of entry types and descriptions.
19 | Timestamp of Entry | Char(26) | Date and time that the entry was made, in SAA timestamp format.
45 | Name of Job | Char(10) | The name of the job that caused the entry to be generated.
55 | User Name | Char(10) | The user profile name associated with the job [1].
65 | Job Number | Zoned(6,0) | The job number.
71 | Program Name | Char(10) | The name of the program that made the journal entry. This can also be the name of a service program or the partial name of a class file used in a compiled Java program. If an application program or CL program did not cause the entry, the field contains the name of a system-supplied program such as QCMD. The field has the value *NONE if one of the following is true:
    - The program name does not apply to this entry type.
    - The program name was not available.
81 | Object Name | Char(10) | Used for journaled objects. Not used for audit journal entries.
91 | Library Name | Char(10) | Used for journaled objects. Not used for audit journal entries.
101 | Member Name | Char(10) | Used for journaled objects. Not used for audit journal entries.
111 | Count/RRN | Zoned(10) | Used for journaled objects. Not used for audit journal entries.
121 | Flag | Char(1) | Used for journaled objects. Not used for audit journal entries.
122 | Commit Cycle ID | Zoned(10) | Used for journaled objects. Not used for audit journal entries.
132 | User Profile | Char(10) | The name of the current user profile [1].
142 | System Name | Char(8) | The name of the system.
150 | Journal Identifier | Char(10) | Used for journaled objects. Not used for audit journal entries.
160 | Referential Constraint | Char(1) | Used for journaled objects. Not used for audit journal entries.
161 | Trigger | Char(1) | Used for journaled objects. Not used for audit journal entries.
162 | (Reserved Area) | Char(8) |
170 | Null Value Indicators | Char(50) | Used for journaled objects. Not used for audit journal entries.
220 | Entry Specific Data Length | Binary(4) | Length of the entry specific data.

Note: The three fields beginning at offset 45 make up the system job name. In most cases, the User name field at offset 55 and the User profile name field at offset 132 have the same value. For prestarted jobs, the User profile name field contains the name of the user starting the transaction. For some jobs, both these fields contain QSYS as the user name. The User profile name field in the entry-specific data contains the actual user who caused the entry. If an API is used to exchange user profiles, the User profile name field contains the name of the new (swapped) user profile.


Standard heading fields for audit journal entries QJORDJE2 Record Format (*TYPE2)
This table lists all possible values for the fields that are common to all entry types when OUTFILFMT(*TYPE2) is specified on the DSPJRN command.
Table 160. Standard heading fields for audit journal entries. QJORDJE2 Record Format (*TYPE2)
Offset | Field | Format | Description
1 | Length of Entry | Zoned(5,0) | Total length of the journal entry including the entry length field.
6 | Sequence Number | Zoned(10,0) | Applied to each journal entry. Initially set to 1 for each new or restored journal. Optionally, reset to 1 when a new receiver is attached.
16 | Journal Code | Char(1) | Always T.
17 | Entry Type | Char(2) | See Audit Journal (QAUDJRN) entry types on page 566 for a list of entry types and descriptions.
19 | Timestamp | Char(6) | The system date that the entry was made.
25 | Time of entry | Zoned(6,0) | The system time that the entry was made.
31 | Name of Job | Char(10) | The name of the job that caused the entry to be generated.
41 | User Name | Char(10) | The user profile name associated with the job [1].
51 | Job Number | Zoned(6,0) | The job number.
57 | Program Name | Char(10) | The name of the program that made the journal entry. This can also be the name of a service program or the partial name of a class file used in a compiled Java program. If an application program or CL program did not cause the entry, the field contains the name of a system-supplied program such as QCMD. The field has the value *NONE if one of the following is true:
    - The program name does not apply to this entry type.
    - The program name was not available.
67 | Object Name | Char(10) | Used for journaled objects. Not used for audit journal entries.
77 | Library Name | Char(10) | Used for journaled objects. Not used for audit journal entries.
87 | Member Name | Char(10) | Used for journaled objects. Not used for audit journal entries.
97 | Count/RRN | Zoned(10) | Used for journaled objects. Not used for audit journal entries.
107 | Flag | Char(1) | Used for journaled objects. Not used for audit journal entries.
108 | Commit Cycle ID | Zoned(10) | Used for journaled objects. Not used for audit journal entries.
118 | User Profile | Char(10) | The name of the current user profile [1].
128 | System Name | Char(8) | The name of the system.
136 | (Reserved Area) | Char(20) |

[1] The three fields beginning at offset 31 make up the system job name. In most cases, the User name field at offset 41 and the User profile name field at offset 118 have the same value. For prestarted jobs, the User profile name field contains the name of the user starting the transaction. For some jobs, both these fields contain QSYS as the user name. The User profile name field in the entry-specific data contains the actual user who caused the entry. If an API is used to exchange user profiles, the User profile name field contains the name of the new (swapped) user profile.


Audit Journal (QAUDJRN) entry types


This table introduces all available entry types for the audit journal.
Table 161. Audit Journal (QAUDJRN) entry types
Entry type | Description
AD | Auditing changes
AF | Authority failure
AP | Obtaining adopted authority
AU | Attribute changes
CA | Authority changes
CD | Command string audit
CO | Create object
CP | User profile changed, created, or restored
CQ | Change of *CRQD object
CU | Cluster operations
CV | Connection verification
CY | Cryptographic configuration
DI | Directory Server
DO | Delete object
DS | DST security password reset
EV | System environment variables
GR | Generic record
GS | Socket description was given to another job
IM | Intrusion monitor
IP | Interprocess communication
IR | IP rules actions
IS | Internet security management
JD | Change to user parameter of a job description
JS | Actions that affect jobs
KF | Key ring file
LD | Link, unlink, or look up directory entry
ML | Office services mail actions
NA | Network attribute changed
ND | APPN directory search filter violation
NE | APPN end point filter violation
OM | Object move or rename
OR | Object restore
OW | Object ownership changed
O1 | (Optical Access) Single file or directory
O2 | (Optical Access) Dual file or directory
O3 | (Optical Access) Volume


Table 161. Audit Journal (QAUDJRN) entry types (continued)
Entry type | Description
PA | Program changed to adopt authority
PG | Change of an object's primary group
PO | Printed output
PS | Profile swap
PW | Invalid password
RA | Authority change during restore
RJ | Restoring job description with user profile specified
RO | Change of object owner during restore
RP | Restoring adopted authority program
RQ | Restoring a *CRQD object
RU | Restoring user profile authority
RZ | Changing a primary group during restore
SD | Changes to system distribution directory
SE | Subsystem routing entry changed
SF | Actions to spooled files
SG | Asynchronous signals
SK | Secure sockets connections
SM | Systems management changes
SO | Server security user information actions
ST | Use of service tools
SV | System value changed
VA | Changing an access control list
VC | Starting or ending a connection
VF | Closing server files
VL | Account limit exceeded
VN | Logging on and off the network
VO | Validation list actions
VP | Network password error
VR | Network resource access
VS | Starting or ending a server session
VU | Changing a network profile
VV | Changing service status
X0 | Network authentication
X1 | Identity token
XD | Directory server extension
YC | DLO object accessed (change)
YR | DLO object accessed (read)
ZC | Object accessed (change)
ZR | Object accessed (read)


AD (Auditing Change) journal entries


This table provides the format of the AD (Auditing Change) journal entries.
Table 162. AD (Auditing Change) journal entries. QASYADJE/J4/J5 Field Description File
JE offset | J4 offset | J5 offset | Field | Format | Description
1 | 1 | 1 | | | Heading fields common to all entry types. See Standard heading fields for audit journal entries QJORDJE5 Record Format (*TYPE5) on page 562, Standard heading fields for audit journal entries QJORDJE4 Record Format (*TYPE4) on page 563, and Standard heading fields for audit journal entries QJORDJE2 Record Format (*TYPE2) on page 565 for the field listing.
156 | 224 | 610 | Entry Type | Char(1) | D  CHGDLOAUD command
    O  CHGOBJAUD or CHGAUD command
    S  The scan attribute was changed using the CHGATR command or the Qp0lSetAttr API, or when the object was created.
    U  CHGUSRAUD command
157 | 225 | 611 | Object Name | Char(10) | Name of the object for which auditing was changed.
167 | 235 | 621 | Library Name | Char(10) | Name of the library for the object.
177 | 245 | 631 | Object Type | Char(8) | The type of object.
185 | 253 | 639 | Object Audit Value | Char(10) | If the entry type is D, O, or U, the field contains the audit value specified. If the entry type is S, the field contains the scan attribute value.
195 | 263 | 649 | CHGUSRAUD *CMD | Char(1) | Y = Audit commands for this user.
196 | 264 | 650 | CHGUSRAUD *CREATE | Char(1) | Y = Write an audit record when this user creates an object.
197 | 265 | 651 | CHGUSRAUD *DELETE | Char(1) | Y = Write an audit record when this user deletes an object.
198 | 266 | 652 | CHGUSRAUD *JOBDTA | Char(1) | Y = Write an audit record when this user changes a job.
199 | 267 | 653 | CHGUSRAUD *OBJMGT | Char(1) | Y = Write an audit record when this user moves or renames an object.
200 | 268 | 654 | CHGUSRAUD *OFCSRV | Char(1) | Y = Write an audit record when this user performs office functions.
201 | 269 | 655 | CHGUSRAUD *PGMADP | Char(1) | Y = Write an audit record when this user obtains authority through adopted authority.
202 | 270 | 656 | CHGUSRAUD *SAVRST | Char(1) | Y = Write an audit record when this user saves or restores objects.
203 | 271 | 657 | CHGUSRAUD *SECURITY | Char(1) | Y = Write an audit record when this user performs security-relevant actions.
204 | 272 | 658 | CHGUSRAUD *SERVICE | Char(1) | Y = Write an audit record when this user performs service functions.
205 | 273 | 659 | CHGUSRAUD *SPLFDTA | Char(1) | Y = Write an audit record when this user manipulates spooled files.


Table 162. AD (Auditing Change) journal entries (continued). QASYADJE/J4/J5 Field Description File
JE offset | J4 offset | J5 offset | Field | Format | Description
206 | 274 | 660 | CHGUSRAUD *SYSMGT | Char(1) | Y = Write an audit record when this user makes systems management changes.
207 | 275 | 661 | CHGUSRAUD *OPTICAL | Char(1) | Y = Write an audit record when this user accesses optical devices.
208 | 276 | 662 | CHGUSRAUD *AUTFAIL | Char(1) | Y = Write an audit record when this user has an authorization failure.
- | - | 663 | CHGUSRAUD *JOBBAS | Char(1) | Y = Write an audit record when this user performs a job base function.
- | - | 664 | CHGUSRAUD *JOBCHGUSR | Char(1) | Y = Write an audit record when this user changes a thread's active user profile or its group profile.
- | - | 665 | CHGUSRAUD *NETBAS | Char(1) | Y = Write an audit record when this user performs network base functions.
- | - | 666 | CHGUSRAUD *NETCLU | Char(1) | Y = Write an audit record when this user performs cluster or cluster resource group functions.
- | - | 667 | CHGUSRAUD *NETCMN | Char(1) | Y = Write an audit record when this user performs network communications functions.
- | - | 668 | CHGUSRAUD *NETFAIL | Char(1) | Y = Write an audit record when this user has a network failure.
- | - | 669 | CHGUSRAUD *NETSCK | Char(1) | Y = Write an audit record when this user performs sockets tasks.
- | - | 670 | CHGUSRAUD *PGMFAIL | Char(1) | Y = Write an audit record when this user has a program failure.
- | - | 671 | CHGUSRAUD *PRTDTA | Char(1) | Y = Write an audit record when this user performs a print function with parameter SPOOL(*NO).
- | - | 672 | CHGUSRAUD *SECCFG | Char(1) | Y = Write an audit record when this user performs security configuration.
- | - | 673 | CHGUSRAUD *SECDIRSRV | Char(1) | Y = Write an audit record when this user makes changes or updates using directory service functions.
- | - | 674 | CHGUSRAUD *SECIPC | Char(1) | Y = Write an audit record when this user makes changes to interprocess communications.
- | - | 675 | CHGUSRAUD *SECNAS | Char(1) | Y = Write an audit record when this user performs network authentication service actions.
- | - | 676 | CHGUSRAUD *SECRUN | Char(1) | Y = Write an audit record when this user performs security run time functions.
- | - | 677 | CHGUSRAUD *SECSCKD | Char(1) | Y = Write an audit record when this user performs socket descriptor functions.
- | - | 678 | CHGUSRAUD *SECVFY | Char(1) | Y = Write an audit record when this user uses verification functions.
- | - | 679 | CHGUSRAUD *SECVLDL | Char(1) | Y = Write an audit record when this user manipulates validation lists.
- | - | 680 | (Reserved Area) | Char(19) |


Table 162. AD (Auditing Change) journal entries (continued). QASYADJE/J4/J5 Field Description File
JE offset | J4 offset | J5 offset | Field | Format | Description
227 | 295 | 681 | DLO Name | Char(12) | Name of the DLO object for which auditing was changed.
239 | 307 | 693 | (Reserved Area) | Char(8) |
247 | 315 | 701 | Folder Path | Char(63) | Path of the folder.
310 | - | - | (Reserved Area) | Char(20) |
- | 378 | 764 | (Reserved Area) | Char(18) |
- | 396 | 782 | Object Name Length [1] | Binary(4) | The length of the object name.
330 | 398 | 784 | Object Name CCSID [1] | Binary(5) | The coded character set identifier for the object name.
334 | 402 | 788 | Object Name Country or Region ID [1] | Char(2) | The Country or Region ID for the object name.
336 | 404 | 790 | Object Name Language ID [1] | Char(3) | The language ID for the object name.
339 | 407 | 793 | (Reserved area) | Char(3) |
342 | 410 | 796 | Parent File ID [1,2] | Char(16) | The file ID of the parent directory.
358 | 426 | 812 | Object File ID [1,2] | Char(16) | The file ID of the object.
374 | 442 | 828 | Object Name [1] | Char(512) | The name of the object.
- | 954 | 1340 | Object File ID [1] | Char(16) | The file ID of the object.
- | 970 | 1356 | ASP Name [5] | Char(10) | The name of the ASP device.
- | 980 | 1366 | ASP Number [5] | Char(5) | The number of the ASP device.
- | 985 | 1371 | Path Name CCSID [1] | Binary(5) | The coded character set identifier for the path name.
- | 989 | 1375 | Path Name Country or Region ID [1] | Char(2) | The Country or Region ID for the path name.
- | 991 | 1377 | Path Name Language ID [1] | Char(3) | The language ID for the path name.
- | 994 | 1380 | Path Name Length [1] | Binary(4) | The length of the path name.
- | 996 | 1382 | Path Name Indicator [1] | Char(1) | Path name indicator:
    Y  The Path Name field contains the complete absolute path name for the object.
    N  The Path Name field does not contain an absolute path name for the object; instead it contains a relative path name. The Relative Directory File ID field is valid and can be used to form an absolute path name with this relative path name.


Table 162. AD (Auditing Change) journal entries (continued). QASYADJE/J4/J5 Field Description File
JE offset | J4 offset | J5 offset | Field | Format | Description
- | 997 | 1383 | Relative Directory File ID [1,3] | Char(16) | When the Path Name Indicator field is N, this field contains the file ID of the directory that contains the object identified in the Path Name field. Otherwise it contains hex zeros. [3]
- | 1013 | 1399 | Path Name [1,4] | Char(5002) | The path name of the object.

[1] These fields are used only for objects in the "root" (/), QOpenSys, and user-defined file systems.
[2] An ID that has the left-most bit set and the rest of the bits zero indicates that the ID is NOT set.
[3] If the Path Name Indicator field is N, but the Relative Directory File ID is hex zeros, then there was some error in determining the path name information.
[4] This is a variable length field. The first two bytes contain the length of the path name.
[5] If the object is in a library, this is the ASP information of the object's library. If the object is not in a library, this is the ASP information of the object.

AF (Authority Failure) journal entries


This table provides the format of the AF (Authority Failure) journal entries.
Table 163. AF (Authority Failure) journal entries. QASYAFJE/J4/J5 Field Description File
JE offset | J4 offset | J5 offset | Field | Format | Description
1 | 1 | 1 | | | Heading fields common to all entry types. See Standard heading fields for audit journal entries QJORDJE5 Record Format (*TYPE5) on page 562, Standard heading fields for audit journal entries QJORDJE4 Record Format (*TYPE4) on page 563, and Standard heading fields for audit journal entries QJORDJE2 Record Format (*TYPE2) on page 565 for the field listing.


Table 163. AF (Authority Failure) journal entries (continued). QASYAFJE/J4/J5 Field Description File
JE offset | J4 offset | J5 offset | Field | Format | Description
156 | 224 | 610 | Violation Type [1] | Char(1) | A  Not authorized to object
    B  Restricted instruction
    C  Validation failure (see J5 offset 639)
    D  Use of unsupported interface, object domain failure
    E  Hardware storage protection error, program constant space violation
    F  ICAPI authorization error
    G  ICAPI authentication error
    H  Scan exit program action (see J5 offset 639)
    I  System Java inheritance not allowed [7]
    J  Submit job profile error
    K  Special authority violation
    N  Profile token not a regenerable token
    O  Optical object authority failure
    P  Profile swap error
    R  Hardware protection error
    S  Default sign-on attempt
    T  Not authorized to TCP/IP port
    U  User permission request not valid
    V  Profile token not valid for generating new profile token
    W  Profile token not valid for swap
    X  System violation (see J5 offset 723 for violation codes)
    Y  Not authorized to the current JUID field during a clear JUID operation
    Z  Not authorized to the current JUID field during a set JUID operation
157 | 225 | 611 | Object Name [1,5,12,17] | Char(10) | The name of the object.
167 | 235 | 621 | Library Name [13] | Char(10) | The name of the library where the object is stored, or the Licensed Internal Code fix number that failed to apply. [11]
177 | 245 | 631 | Object Type [14,17] | Char(8) | The type of object.


Table 163. AF (Authority Failure) journal entries (continued). QASYAFJE/J4/J5 Field Description File
JE offset | J4 offset | J5 offset | Field | Format | Description
185 | 253 | 639 | Validation Error Action | Char(1) | Action taken after a validation error was detected; set only if the violation type (J5 offset 610) is C or H.
    A  The translation of the object was not attempted or it failed. The QALWOBJRST system value setting allowed the object to be restored. The user doing the restore did not have *ALLOBJ special authority and the system security level is set to 10, 20, or 30. Therefore, all authorities to the object were retained.
    B  The translation of the object was not attempted or it failed. The QALWOBJRST system value setting allowed the object to be restored. The user doing the restore did not have *ALLOBJ special authority and the system security level is set to 40 or above. Therefore, all authorities to the object were revoked.
    C  The translation of the object was successful. The translated copy was restored on the system.
    D  The translation of the object was not attempted or it failed. The QALWOBJRST system value setting allowed the object to be restored. The user doing the restore had *ALLOBJ special authority. Therefore, all authorities to the object were retained.
    E  System install time error detected.
    F  The object was not restored because the signature is not i5/OS format.
    G  Unsigned system or inherit state object found when checking system.
    H  Unsigned user state object found when checking system.
    I  Mismatch between object and its signature found when checking system.
    J  IBM certificate not found when checking system.
    K  Invalid signature format found when checking system.
    M  Scan exit program modified the object that was scanned.
    X  Scan exit program wanted the object marked as having a scan failure.
186 | 254 | 640 | Job Name | Char(10) | The name of the job.


Table 163. AF (Authority Failure) journal entries (continued). QASYAFJE/J4/J5 Field Description File
JE offset | J4 offset | J5 offset | Field | Format | Description
196 | 264 | 650 | User Name | Char(10) | The job user name.
206 | 274 | 660 | Job Number | Zoned(6,0) | The job number.
212 | 280 | 666 | Program Name | Char(10) | The name of the program.
222 | 290 | 676 | Program Library | Char(10) | The name of the library where the program is found.
232 | 300 | 686 | User Profile [2] | Char(10) | The name of the user that caused the authority failure.
242 | 310 | 696 | Workstation Name | Char(10) | The name of the workstation or workstation type.
252 | 320 | 706 | Program Instruction Number | Zoned(7,0) | The instruction number of the program.
259 | 327 | 713 | Field name | Char(10) | The name of the field.
269 | 337 | 723 | Operation Violation Code | Char(3) | The type of operation violation that occurred; set only if the violation type (J5 offset 610) is X.
    AAC  Not authorized to use SST Advanced Analysis Command.
    HCA  Service tool user profile not authorized to perform hardware configuration operation (QYHCHCOP).
    LIC  A Licensed Internal Code fix was not applied because of a signature violation.
    SFA  Not authorized to activate the environment attribute for system file access.
    CMD  An attempt was made to use a command that has been disabled by a system administrator.
272 | 340 | 726 | Office User | Char(10) | The name of the office user.
282 | 350 | 736 | DLO Name | Char(12) | The name of the document library object.
294 | 362 | 748 | (Reserved Area) | Char(8) |
302 | 370 | 756 | Folder Path [15,16] | Char(63) | The path of the folder.
365 | 433 | 819 | Office on Behalf of User | Char(10) | User working on behalf of another user.
375 | - | - | (Reserved Area) | Char(20) |
- | 443 | 829 | (Reserved Area) | Char(18) |
- | 461 | 847 | Object Name Length [3] | Binary(4) | The length of the object name.
395 | 463 | 849 | Object Name CCSID [3] | Binary(5) | The coded character set identifier for the object name.


Table 163. AF (Authority Failure) journal entries (continued). QASYAFJE/J4/J5 Field Description File
JE offset | J4 offset | J5 offset | Field | Format | Description
399 | 467 | 853 | Object Name Country or Region ID [3] | Char(2) | The Country or Region ID for the object name.
401 | 469 | 855 | Object Name Language ID [3] | Char(3) | The language ID for the object name.
404 | 472 | 858 | (Reserved area) | Char(3) |
407 | 475 | 861 | Parent File ID [3,4] | Char(16) | The file ID of the parent directory.
423 | 491 | 877 | Object File ID [3,4] | Char(16) | The file ID of the object.
439 | 507 | 893 | Object Name [3,6] | Char(512) | The name of the object.
- | 1019 | 1405 | Object File ID [3] | Char(16) | The file ID of the object.
- | 1035 | 1421 | ASP Name [10] | Char(10) | The name of the ASP device.
- | 1045 | 1431 | ASP Number [10] | Char(5) | The number of the ASP device.
- | 1050 | 1436 | Path Name CCSID [3] | Binary(5) | The coded character set identifier for the path name.
- | 1054 | 1440 | Path Name Country or Region ID [3] | Char(2) | The Country or Region ID for the path name.
- | 1056 | 1442 | Path Name Language ID [3] | Char(3) | The language ID for the path name.
- | 1059 | 1445 | Path Name Length [3] | Binary(4) | The length of the path name.
- | 1061 | 1447 | Path Name Indicator [3] | Char(1) | Path name indicator:
    Y  The Path Name field contains the complete absolute path name for the object.
    N  The Path Name field does not contain an absolute path name for the object; instead it contains a relative path name. The Relative Directory File ID field is valid and can be used to form an absolute path name with this relative path name.
- | 1062 | 1448 | Relative Directory File ID [3,8] | Char(16) | When the Path Name Indicator field is N, this field contains the file ID of the directory that contains the object identified in the Path Name field. Otherwise it contains hex zeros. [8]
- | 1078 | 1464 | Path Name [3,9] | Char(5002) | The path name of the object.
- | - | 6466 | ASP Program Library Name | Char(10) | ASP name for the program library.
- | - | 6476 | ASP Program Library Number | Char(5) | ASP number for the program library.


Notes to Table 163:
[1] When the violation type is for description G, the object name contains the name of the *SRVPGM that contained the exit that detected the error. For more information about the violation types, see Security auditing journal entries on page 269.
[2] This field contains the name of the user that caused the entry. QSYS might be the user for the following entries:
    - offsets 41 and 118 for *TYPE2 records
    - offsets 55 and 132 for *TYPE4 records
    - offsets 65 and 187 for *TYPE5 records
[3] These fields are used only for objects in the "root" (/), QOpenSys, and user-defined file systems.
[4] An ID that has the left-most bit set and the rest of the bits zero indicates that the ID is NOT set.
[5] When the violation type is T, the object name contains the TCP/IP port the user is not authorized to use. The value is left justified and blank filled. The object library and object type fields will be blank.
[6] When the violation type is O, the optical object name is contained in the integrated file system object name field. The Country or Region ID, language ID, parent file ID, and object file ID fields will all contain blanks.
[7] The Java class object being created cannot extend its base class because the base class has system Java attributes.
[8] If the Path Name Indicator field is N, but the Relative Directory File ID is hex zeros, then there was some error in determining the path name information.
[9] This is a variable length field. The first two bytes contain the length of the path name.
[10] If the object is in a library, this is the ASP information of the object's library. If the object is not in a library, this is the ASP information of the object.
[11] When the violation type is X and the Operation Violation Code value is LIC, a Licensed Internal Code fix was not applied because of a signature violation. This field will contain the Licensed Internal Code fix number that failed to apply.
[12] When the violation type is K, the object name contains the name of the command or program that detected the error. If the command has several alternative names, the command name in the audit record might not match the specific command name used but will be one of the equivalent alternatives. A special value of *INSTR indicates that a machine instruction detected the error.
[13] When the violation type is K, the library name contains the name of the program's library, or *N for the command's library, that detected the error.
[14] When the violation type is K, the object type contains the object type of the command or program that detected the error.
[15] When the violation type is K, the Folder Path might contain the full API name of the API or exit point name that detected the error.
[16] When the violation type is X and the Operation Violation Code is AAC, the Folder Path will contain the 30 character Advanced Analysis Command name.
[17] When the object type is *LIC and the object library is *N, the object name is a Licensed Internal Code Ru name.
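As an added example, not part of the IBM reference, the following Python slices a *TYPE2 (QJORDJE2) audit journal record into the heading fields of Table 160 and the AF entry-specific fields of Table 163 using their 1-based JE offsets, then tallies authority failures per user, which is the kind of summary a monitoring job would build from QAUDJRN output. The records are constructed sample data and are assumed to be already converted from EBCDIC to text; real outfile records are EBCDIC.

```python
"""Parse QJORDJE2 (*TYPE2) audit journal records and their AF entry-specific
data by fixed offset (Tables 160 and 163), then summarise authority failures.
Added example, not IBM code; sample records below are constructed."""

from collections import Counter

# QJORDJE2 heading fields (Table 160): (name, 1-based offset, length)
TYPE2_HEADING = [
    ("entry_length", 1, 5), ("sequence", 6, 10), ("journal_code", 16, 1),
    ("entry_type", 17, 2), ("date", 19, 6), ("time", 25, 6),
    ("job_name", 31, 10), ("user_name", 41, 10), ("job_number", 51, 6),
    ("program_name", 57, 10), ("user_profile", 118, 10),
    ("system_name", 128, 8),
]

# AF entry-specific fields, JE (*TYPE2) column of Table 163
AF_FIELDS = [
    ("violation_type", 156, 1), ("object_name", 157, 10),
    ("library_name", 167, 10), ("object_type", 177, 8),
    ("validation_error_action", 185, 1), ("job_name", 186, 10),
    ("job_user", 196, 10), ("job_number", 206, 6),
    ("program_name", 212, 10), ("program_library", 222, 10),
    ("user_profile", 232, 10), ("workstation", 242, 10),
    ("instruction_number", 252, 7), ("field_name", 259, 10),
    ("violation_code", 269, 3),
]

# Violation Type codes from Table 163 (the subset most useful for monitoring)
VIOLATION_TYPES = {
    "A": "Not authorized to object",
    "B": "Restricted instruction",
    "C": "Validation failure",
    "D": "Use of unsupported interface, object domain failure",
    "K": "Special authority violation",
    "P": "Profile swap error",
    "S": "Default sign-on attempt",
    "T": "Not authorized to TCP/IP port",
    "X": "System violation",
}


def slice_fields(record, layout):
    """Cut fixed-width fields out of one record; offsets are 1-based."""
    return {name: record[off - 1:off - 1 + ln].rstrip()
            for name, off, ln in layout}


def parse_af_entry(record):
    """Return (heading, af_fields) for an AF record, or None for other types."""
    head = slice_fields(record, TYPE2_HEADING)
    if head["journal_code"] != "T" or head["entry_type"] != "AF":
        return None
    body = slice_fields(record, AF_FIELDS)
    body["violation_text"] = VIOLATION_TYPES.get(body["violation_type"], "Other")
    return head, body


def summarize_failures(records):
    """Count AF entries per (user that caused the failure, violation type)."""
    counts = Counter()
    for rec in records:
        parsed = parse_af_entry(rec)
        if parsed is not None:
            counts[(parsed[1]["user_profile"], parsed[1]["violation_type"])] += 1
    return dict(counts)


def build_record(values, layouts, total_length=300):
    """Constructed test data: lay text values into a blank fixed-width record."""
    buf = [" "] * total_length
    for layout in layouts:
        for name, off, ln in layout:
            if name in values:
                buf[off - 1:off - 1 + ln] = list(values[name].ljust(ln)[:ln])
    return "".join(buf)


# Constructed heading values shared by the sample records (hypothetical names)
HEAD = {"entry_length": "00300", "journal_code": "T", "date": "100315",
        "time": "143005", "job_name": "QPADEV0001", "user_name": "JSMITH",
        "job_number": "123456", "program_name": "QCMD",
        "user_profile": "JSMITH", "system_name": "SYSTEM01"}


def af_record(seq, vtype, obj, lib, otype, code=""):
    vals = dict(HEAD, sequence=seq, entry_type="AF", violation_type=vtype,
                object_name=obj, library_name=lib, object_type=otype,
                job_user="JSMITH", program_library="QSYS", violation_code=code)
    return build_record(vals, [TYPE2_HEADING, AF_FIELDS])


SAMPLE_RECORDS = [
    af_record("0000000042", "A", "PAYROLL", "PAYLIB", "*FILE"),
    af_record("0000000043", "A", "PAYROLL", "PAYLIB", "*FILE"),
    af_record("0000000044", "K", "CRTUSRPRF", "QSYS", "*CMD"),
    # A PW (invalid password) entry shares the heading layout but is skipped
    build_record(dict(HEAD, sequence="0000000045", entry_type="PW"),
                 [TYPE2_HEADING]),
]

if __name__ == "__main__":
    for key, n in sorted(summarize_failures(SAMPLE_RECORDS).items()):
        print(f"user={key[0]} violation={key[1]} count={n}")
```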


AP (Adopted Authority) journal entries


This table provides the format of the AP (Adopted Authority) journal entries.
Table 164. AP (Adopted Authority) journal entries. QASYAPJE/J4/J5 Field Description File
JE offset | J4 offset | J5 offset | Field | Format | Description
1 | 1 | 1 | | | Heading fields common to all entry types. See Standard heading fields for audit journal entries QJORDJE5 Record Format (*TYPE5) on page 562, Standard heading fields for audit journal entries QJORDJE4 Record Format (*TYPE4) on page 563, and Standard heading fields for audit journal entries QJORDJE2 Record Format (*TYPE2) on page 565 for the field listing.
156 | 224 | 610 | Entry Type | Char(1) | S  Start
    E  End
    A  Adopted authority used during program activation
157 | 225 | 611 | Object Name | Char(10) | The name of the program, service program, or SQL package.
167 | 235 | 621 | Library Name | Char(10) | The name of the library.
177 | 245 | 631 | Object Type | Char(8) | The type of object.
185 | 253 | 639 | Owning User Profile | Char(10) | The name of the user profile whose authority is adopted.
195 | 263 | 649 | Object File ID | Char(16) | The file ID of the object.
- | 279 | 665 | ASP Name [1] | Char(10) | The name of the ASP device.
- | 289 | 675 | ASP Number [1] | Char(5) | The number of the ASP device.

[1] If the object is in a library, this is the ASP information of the object's library. If the object is not in a library, this is the ASP information of the object.

AU (Attribute Changes) journal entries


This table provides the format of the AU (Attribute Changes) journal entries.
Table 165. AU (Attribute Changes) journal entries. QASYAUJ5 Field Description File
J5 offset | Field | Format | Description
610 | Entry type | Char(1) | The type of entry.
    E  EIM configuration attributes
611 | Action | Char(3) | Action.
    CHG  Attributes changed
614 | Name | Char(100) | Attribute name.
714 | New Value Length | Binary(4) | New value length.
716 | New Value CCSID | Binary(5) | New value CCSID.


Table 165. AU (Attribute Changes) journal entries (continued). QASYAUJ5 Field Description File
J5 offset | Field | Format | Description
720 | New Value Country or Region ID | Char(2) | New value Country or Region ID.
722 | New Value Language ID | Char(3) | New value language ID.
725 | New Value [1] | Char(2002) | New value.
2727 | Old Value Length | Binary(4) | Old value length.
2729 | Old Value CCSID | Binary(5) | Old value CCSID.
2733 | Old Value Country or Region ID | Char(2) | Old value Country or Region ID.
2735 | Old Value Language ID | Char(3) | Old value language ID.
2738 | Old Value [1] | Char(2002) | Old value.

[1] This is a variable length field. The first two bytes contain the length of the field.

CA (Authority Changes) journal entries


This table provides the format of the CA (Authority Changes) journal entries.
Table 166. CA (Authority Changes) journal entries. QASYCAJE/J4/J5 Field Description File
JE offset | J4 offset | J5 offset | Field | Format | Description
1 | 1 | 1 | | | Heading fields common to all entry types. See Standard heading fields for audit journal entries QJORDJE5 Record Format (*TYPE5) on page 562, Standard heading fields for audit journal entries QJORDJE4 Record Format (*TYPE4) on page 563, and Standard heading fields for audit journal entries QJORDJE2 Record Format (*TYPE2) on page 565 for the field listing.
156 | 224 | 610 | Entry Type | Char(1) | The type of entry.
    A  Changes to authority
157 | 225 | 611 | Object Name | Char(10) | The name of the object.
167 | 235 | 621 | Library Name | Char(10) | The name of the library where the object is stored.
177 | 245 | 631 | Object Type | Char(8) | The type of object.
185 | 253 | 639 | User Name | Char(10) | The name of the user profile whose authority is being granted or revoked.
195 | 263 | 649 | Authorization List Name | Char(10) | The name of the authorization list.
The following fields record the authorities granted or removed:
205 | 273 | 659 | Object Existence | Char(1) | Y  *OBJEXIST
206 | 274 | 660 | Object Management | Char(1) | Y  *OBJMGT


Table 166. CA (Authority Changes) journal entries (continued). QASYCAJE/J4/J5 Field Description File
JE offset | J4 offset | J5 offset | Field | Format | Description
207 | 275 | 661 | Object Operational | Char(1) | Y  *OBJOPR
208 | 276 | 662 | Authorization List Management | Char(1) | Y  *AUTLMGT
209 | 277 | 663 | Authorization List | Char(1) | Y  *AUTL public authority
210 | 278 | 664 | Read Authority | Char(1) | Y  *READ
211 | 279 | 665 | Add Authority | Char(1) | Y  *ADD
212 | 280 | 666 | Update Authority | Char(1) | Y  *UPD
213 | 281 | 667 | Delete Authority | Char(1) | Y  *DLT
214 | 282 | 668 | Exclude Authority | Char(1) | Y  *EXCLUDE
215 | 283 | 669 | Execute Authority | Char(1) | Y  *EXECUTE
216 | 284 | 670 | Object Alter Authority | Char(1) | Y  *OBJALTER
217 | 285 | 671 | Object Reference Authority | Char(1) | Y  *OBJREF
218 | 286 | 672 | (Reserved Area) | Char(4) |
222 | 290 | 676 | Command Type | Char(3) | The type of command used.
    GRT  Grant
    RPL  Grant with replace
    RVK  Revoke
    USR  GRTUSRAUT operation
225 | 293 | 679 | Field name | Char(10) | The name of the field.
235 | 303 | 689 | (Reserved Area) | Char(10) |
245 | 313 | 699 | Object Attribute | Char(10) | The attribute of the object.
255 | 323 | 709 | Office User | Char(10) | The name of the office user.
267 | 335 | 721 | DLO Name | Char(12) | The name of the DLO.
275 | 343 | 729 | (Reserved Area) | Char(8) |
338 | 406 | 792 | Folder Path | Char(63) | The path of the folder.
348 | 416 | 802 | Office on Behalf of User | Char(10) | User working on behalf of another user.
 | | | Personal Status | Char(1) | Personal status changed.

Appendix F. Layout of audit journal entries

579

Table 166. CA (Authority Changes) journal entries (continued). QASYCAJE/J4/J5 Field Description File

Offset (JE / J4 / J5)  Field                                 Format      Description
349   417   803        Access Code                           Char(1)     A   Access code added
                                                                         R   Access code removed
350   418   804        Access Code                           Char(4)     Access code.
354                    (Reserved Area)                       Char(20)
      422   808        (Reserved Area)                       Char(18)
      440   826        Object Name Length (1)                Binary(4)   The length of the object name.
374   442   828        Object Name CCSID (1)                 Binary(5)   The coded character set identifier for the object name.
378   446   832        Object Name Country or Region ID (1)  Char(2)     The Country or Region ID for the object name.
380   448   834        Object Name Language ID (1)           Char(3)     The language ID for the object name.
383   451   837        (Reserved Area)                       Char(3)
386   454   840        Parent File ID (1,2)                  Char(16)    The file ID of the parent directory.
402   470   856        Object File ID (1,2)                  Char(16)    The file ID of the object.
418   486   872        Object Name (1)                       Char(512)   The name of the object.
      998   1384       Object File ID (1,2)                  Char(16)    The file ID of the object.
      1014  1400       ASP Name (5)                          Char(10)    The name of the ASP device.
      1024  1410       ASP Number (5)                        Char(5)     The number of the ASP device.
      1029  1415       Path Name CCSID                       Binary(5)   The coded character set identifier for the path name.
      1033  1419       Path Name Country or Region ID        Char(2)     The Country or Region ID for the path name.
      1035  1421       Path Name Language ID                 Char(3)     The language ID for the path name.
      1038  1424       Path Name Length                      Binary(4)   The length of the path name.
      1040  1426       Path Name Indicator                   Char(1)     Path name indicator:
                                                                         Y   The Path Name field contains the complete absolute path name for the object.
                                                                         N   The Path Name field does not contain an absolute path name for the object; instead it contains a relative path name. The Relative Directory File ID field is valid and can be used to form an absolute path name with this relative path name.
      1041  1427       Relative Directory File ID (3)        Char(16)    When the Path Name Indicator field is N, this field contains the file ID of the directory that contains the object identified in the Path Name field. Otherwise it contains hex zeros.
      1057  1443       Path Name (4)                         Char(5002)  The path name of the object.

Notes:
1  These fields are used only for objects in the "root" (/), QOpenSys, and user-defined file systems.
2  An ID that has the left-most bit set and the rest of the bits zero indicates that the ID is NOT set.
3  If the Path Name Indicator field is N but the Relative Directory File ID is hex zeros, there was an error in determining the path name information.
4  This is a variable-length field. The first two bytes contain the length of the path name.
5  If the object is in a library, this is the ASP information of the object's library. If the object is not in a library, this is the ASP information of the object.
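The CA layout above is what a reviewer of QAUDJRN output actually has to decode: a fixed-offset record, thirteen Char(1) authority flags, a Command Type that says whether those flags were granted or revoked, and a variable-length Path Name whose meaning depends on the Path Name Indicator (footnotes 3 and 4). The following Python is an added example, not code from this reference or from IBM. It assumes the *TYPE5 outfile records have already been converted from EBCDIC to ASCII (for example, read through ODBC or JDBC from an outfile produced by DSPJRN with OUTFILFMT(*TYPE5)), that Binary(4)/Binary(5) fields are big-endian 2- and 4-byte integers, and that the J5 offsets are as printed in Table 166; the printed offsets should be checked against DSPFFD QSYS/QASYCAJ5 on the target system before being relied on. The sample records and the `make_ca_record` builder are constructed for the example; the review rule (flag *PUBLIC grants of write or management authority, management grants to any user, and revocation of *EXCLUDE from *PUBLIC) is one reasonable policy, not one the reference prescribes.

```python
"""Decode CA (Authority Changes) *TYPE5 records and flag changes that widen access.

Added example, not IBM code. Offsets are the 1-based J5 values printed in
Table 166 (assumption: verify with DSPFFD QSYS/QASYCAJ5); records are assumed
already converted from EBCDIC to ASCII; Binary fields are big-endian.
"""
from typing import Dict, List, Optional, Set

ENTRY_TYPE = (610, 1)
OBJECT_NAME = (611, 10)
LIBRARY_NAME = (621, 10)
OBJECT_TYPE = (631, 8)
USER_NAME = (639, 10)          # user whose authority is granted or revoked
AUTL_NAME = (649, 10)
COMMAND_TYPE = (676, 3)        # GRT, RPL, RVK or USR
PATH_IND = (1426, 1)           # Y absolute path, N relative path, blank for library objects
REL_DIR_FID = (1427, 16)       # meaningful only when PATH_IND is N
PATH_NAME = 1443               # Char(5002): 2-byte length, then the path (footnote 4)

# One Char(1) flag per authority, J5 offsets 659-671 in table order.  Y marks the
# authorities involved in the grant or revoke named by COMMAND_TYPE.
AUTH_FLAGS = [
    (659, "*OBJEXIST"), (660, "*OBJMGT"), (661, "*OBJOPR"), (662, "*AUTLMGT"),
    (663, "*AUTL"), (664, "*READ"), (665, "*ADD"), (666, "*UPD"), (667, "*DLT"),
    (668, "*EXCLUDE"), (669, "*EXECUTE"), (670, "*OBJALTER"), (671, "*OBJREF"),
]
MANAGEMENT = {"*OBJEXIST", "*OBJMGT", "*AUTLMGT"}
WRITE_OR_MANAGEMENT = MANAGEMENT | {"*OBJALTER", "*OBJREF", "*ADD", "*UPD", "*DLT"}


def char(rec: bytes, offset: int, length: int) -> str:
    """Char(n) field at a 1-based offset, trailing blanks removed."""
    return rec[offset - 1:offset - 1 + length].decode("ascii").rstrip()


def parse_ca(rec: bytes) -> Dict:
    """Decode the CA-specific fields of one *TYPE5 record."""
    if char(rec, *ENTRY_TYPE) != "A":
        raise ValueError("not a CA entry")
    entry = {
        "object": char(rec, *OBJECT_NAME), "library": char(rec, *LIBRARY_NAME),
        "type": char(rec, *OBJECT_TYPE), "user": char(rec, *USER_NAME),
        "autl": char(rec, *AUTL_NAME), "command": char(rec, *COMMAND_TYPE),
        "authorities": {name for off, name in AUTH_FLAGS if char(rec, off, 1) == "Y"},
        "path": None,
    }
    indicator = char(rec, *PATH_IND)
    if indicator in ("Y", "N"):
        length = int.from_bytes(rec[PATH_NAME - 1:PATH_NAME + 1], "big")
        path = rec[PATH_NAME + 1:PATH_NAME + 1 + length].decode("ascii")
        if indicator == "N":
            # Relative path: prefix the containing directory's file ID.  All
            # zeros means the system could not determine the path (footnote 3).
            fid = rec[REL_DIR_FID[0] - 1:REL_DIR_FID[0] - 1 + REL_DIR_FID[1]]
            prefix = "<unresolved>" if fid == b"\x00" * 16 else "<fid " + fid.hex() + ">"
            path = prefix + "/" + path
        entry["path"] = path
    return entry


def review(entry: Dict) -> List[str]:
    """Reasons this change widens access; an empty list means nothing to flag."""
    auths: Set[str] = entry["authorities"]
    findings: List[str] = []
    if entry["command"] in ("GRT", "RPL", "USR"):
        if entry["user"] == "*PUBLIC" and auths & WRITE_OR_MANAGEMENT:
            findings.append("*PUBLIC granted " + " ".join(sorted(auths & WRITE_OR_MANAGEMENT)))
        elif auths & MANAGEMENT:
            findings.append(entry["user"] + " granted " + " ".join(sorted(auths & MANAGEMENT)))
    elif entry["command"] == "RVK" and entry["user"] == "*PUBLIC" and "*EXCLUDE" in auths:
        findings.append("*PUBLIC *EXCLUDE revoked")
    return findings


def make_ca_record(user: str, command: str, auths: Set[str], obj: str = "", lib: str = "",
                   otype: str = "", path: Optional[str] = None) -> bytes:
    """Constructed test record (not real journal data) in the layout above."""
    rec = bytearray(b" " * (PATH_NAME + 1 + (len(path) if path else 0)))

    def put(offset: int, text: str) -> None:
        rec[offset - 1:offset - 1 + len(text)] = text.encode("ascii")

    put(ENTRY_TYPE[0], "A")
    put(OBJECT_NAME[0], obj); put(LIBRARY_NAME[0], lib); put(OBJECT_TYPE[0], otype)
    put(USER_NAME[0], user); put(COMMAND_TYPE[0], command)
    for off, name in AUTH_FLAGS:
        if name in auths:
            put(off, "Y")
    if path is not None:
        put(PATH_IND[0], "Y")
        rec[PATH_NAME - 1:PATH_NAME + 1] = len(path).to_bytes(2, "big")
        put(PATH_NAME + 2, path)
    return bytes(rec)


SAMPLES = [  # constructed, not taken from a real QAUDJRN
    make_ca_record("*PUBLIC", "GRT", {"*OBJOPR", "*OBJMGT", "*UPD"}, "PAYFILE", "PAYROLL", "*FILE"),
    make_ca_record("JSMITH", "GRT", {"*OBJOPR", "*READ"}, "PAYFILE", "PAYROLL", "*FILE"),
    make_ca_record("*PUBLIC", "GRT", {"*OBJEXIST", "*READ"}, otype="*STMF", path="/home/app/config.xml"),
]

if __name__ == "__main__":
    for rec in SAMPLES:
        e = parse_ca(rec)
        print(e["command"], e["user"], e["path"] or e["library"] + "/" + e["object"], review(e))
```

The same slicing approach applies to the JE and J4 layouts by swapping in the corresponding offset columns; only the offsets change, not the field semantics.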

CD (Command String) journal entries

This table provides the format of the CD (Command String) journal entries.

Table 167. CD (Command String) journal entries. QASYCDJE/J4/J5 Field Description File

Offset (JE / J4 / J5)  Field                           Format      Description
1     1     1          Heading fields                              Heading fields common to all entry types. See Standard heading fields for audit journal entries QJORDJE5 Record Format (*TYPE5) on page 562, Standard heading fields for audit journal entries QJORDJE4 Record Format (*TYPE4) on page 563, and Standard heading fields for audit journal entries QJORDJE2 Record Format (*TYPE2) on page 565 for the field listing.
156   224   610        Entry Type                      Char(1)     The type of entry.
                                                                   C   Command run
                                                                   L   OCL statement
                                                                   O   Operator control command
                                                                   P   S/36 procedure
                                                                   S   Command run after command substitution took place
                                                                   U   Utility control statement
157   225   611        Object Name                     Char(10)    The name of the object.
167   235   621        Library Name                    Char(10)    The name of the library where the object is stored.
177   245   631        Object Type                     Char(8)     The type of object.
185   253   639        Run from a CL program           Char(1)     Y   Yes
                                                                   N   No
186   254   640        Command String                  Char(6000)  The command that was run, with parameters.
            6640       ASP Name for Command Library    Char(10)    ASP name for the command library.
            6650       ASP Number for Command Library  Char(5)     ASP number for the command library.

CO (Create Object) journal entries

This table provides the format of the CO (Create Object) journal entries.

Table 168. CO (Create Object) journal entries. QASYCOJE/J4/J5 Field Description File

Offset (JE / J4 / J5)  Field                                 Format      Description
1     1     1          Heading fields                                    Heading fields common to all entry types. See Standard heading fields for audit journal entries QJORDJE5 Record Format (*TYPE5) on page 562, Standard heading fields for audit journal entries QJORDJE4 Record Format (*TYPE4) on page 563, and Standard heading fields for audit journal entries QJORDJE2 Record Format (*TYPE2) on page 565 for the field listing.
156   224   610        Entry Type                            Char(1)     The type of entry.
                                                                         N   Create of new object
                                                                         R   Replacement of existing object
157   225   611        Object Name                           Char(10)    The name of the object.
167   235   621        Library Name                          Char(10)    The name of the library the object is in.
177   245   631        Object Type                           Char(8)     The type of object.
                       (Reserved Area)                       Char(20)
                       Object Attribute                      Char(10)    The attribute of the object.
                       (Reserved Area)                       Char(10)
                       Office User                           Char(10)    The name of the office user.
                       DLO Name                              Char(12)    The name of the document library object created.
                       (Reserved Area)                       Char(8)
                       Folder Path                           Char(63)    The path of the folder.
                       Office on Behalf of User              Char(10)    User working on behalf of another user.
                       (Reserved Area)                       Char(20)
                       (Offsets printed for the nine rows above, fewer than the number of rows: JE 185 205 215 227 235 298 308; J4 253 273 283 295 303 366; J5 639 649 659 669 681 689 752.)
      376   762        (Reserved Area)                       Char(18)
      394   780        Object Name Length (1)                Binary(4)   The length of the object name.
328   396   782        Object Name CCSID (1)                 Binary(5)   The coded character set identifier for the object name.
332   400   786        Object Name Country or Region ID (1)  Char(2)     The Country or Region ID for the object name.
334   402   788        Object Name Language ID (1)           Char(3)     The language ID for the object name.
337   405   791        (Reserved Area)                       Char(3)
340   408   794        Parent File ID (1,2)                  Char(16)    The file ID of the parent directory.
356   424   810        Object File ID (1,2)                  Char(16)    The file ID of the object.
372   440   826        Object Name (1)                       Char(512)   The name of the object.
      952   1338       Object File ID (1,2)                  Char(16)    The file ID of the object.
      968   1354       ASP Name (5)                          Char(10)    The name of the ASP device.
      978   1364       ASP Number (5)                        Char(5)     The number of the ASP device.
      983   1369       Path Name CCSID                       Binary(5)   The coded character set identifier for the path name.
      987   1373       Path Name Country or Region ID        Char(2)     The Country or Region ID for the path name.
      989   1375       Path Name Language ID                 Char(3)     The language ID for the path name.
      992   1378       Path Name Length                      Binary(4)   The length of the path name.
      994   1380       Path Name Indicator                   Char(1)     Path name indicator:
                                                                         Y   The Path Name field contains the complete absolute path name for the object.
                                                                         N   The Path Name field does not contain an absolute path name for the object; instead it contains a relative path name. The Relative Directory File ID field is valid and can be used to form an absolute path name with this relative path name.
      995   1381       Relative Directory File ID (3)        Char(16)    When the Path Name Indicator field is N, this field contains the file ID of the directory that contains the object identified in the Path Name field. Otherwise it contains hex zeros.
      1011  1397       Path Name (4)                         Char(5002)  The path name of the object.

Notes:
1  These fields are used only for objects in the "root" (/), QOpenSys, and user-defined file systems.
2  An ID that has the left-most bit set and the rest of the bits zero indicates that the ID is NOT set.
3  If the Path Name Indicator field is N but the Relative Directory File ID is hex zeros, there was an error in determining the path name information.
4  This is a variable-length field. The first 2 bytes contain the length of the path name.
5  If the object is in a library, this is the ASP information of the object's library. If the object is not in a library, this is the ASP information of the object.

CP (User Profile Changes) journal entries

This table provides the format of the CP (User Profile Changes) journal entries.

Table 169. CP (User Profile Changes) journal entries. QASYCPJE/J4/J5 Field Description File

Offset (JE / J4 / J5)  Field                                    Format     Description
1     1     1          Heading fields                                      Heading fields common to all entry types. See Standard heading fields for audit journal entries QJORDJE5 Record Format (*TYPE5) on page 562, Standard heading fields for audit journal entries QJORDJE4 Record Format (*TYPE4) on page 563, and Standard heading fields for audit journal entries QJORDJE2 Record Format (*TYPE2) on page 565 for the field listing.
156   224   610        Entry Type                               Char(1)    The type of entry.
                                                                           A   Change to a user profile
157   225   611        User Profile Name                        Char(10)   The name of the user profile that was changed.
167   235   621        Library Name                             Char(10)   The name of the library.
177   245   631        Object Type                              Char(8)    The type of object.
185   253   639        Command Name                             Char(3)    The type of command used.
                                                                           CRT   CRTUSRPRF
                                                                           CHG   CHGUSRPRF
                                                                           RST   RSTUSRPRF
                                                                           DST   QSECOFR password reset using DST
                                                                           RPA   QSYRESPA API
188   256   642        Password Changed                         Char(1)    Y   Password changed
189   257   643        Password *NONE                           Char(1)    Y   Password is *NONE
190   258   644        Password Expired                         Char(1)    Y   Password expired is *YES
                                                                           N   Password expired is *NO
191   259   645        All Object Special Authority             Char(1)    Y   *ALLOBJ special authority
192   260   646        Job Control Special Authority            Char(1)    Y   *JOBCTL special authority
193   261   647        Save System Special Authority            Char(1)    Y   *SAVSYS special authority
194   262   648        Security Administrator Special Authority Char(1)    Y   *SECADM special authority
195   263   649        Spool Control Special Authority          Char(1)    Y   *SPLCTL special authority
196   264   650        Service Special Authority                Char(1)    Y   *SERVICE special authority
197   265   651        Audit Special Authority                  Char(1)    Y   *AUDIT special authority
198   266   652        System Configuration Special Authority   Char(1)    Y   *IOSYSCFG special authority
199   267   653        (Reserved Area)                          Char(13)
212   280   666        Group Profile                            Char(10)   The name of a group profile.
222   290   676        Owner                                    Char(10)   Owner of objects created as a member of a group profile.
232   300   686        Group Authority                          Char(10)   Group profile authority.
242   310   696        Initial Program                          Char(10)   The name of the user's initial program.
252   320   706        Initial Program Library                  Char(10)   The name of the library where the initial program is found.
262   330   716        Initial Menu                             Char(10)   The name of the user's initial menu.
272   340   726        Initial Menu Library                     Char(10)   The name of the library where the initial menu is found.
282   350   736        Current Library                          Char(10)   The name of the user's current library.
292   360   746        Limited Capabilities                     Char(10)   The value of the limited capabilities parameter.
302   370   756        User Class                               Char(10)   The user class of the user.
312   380   766        Priority Limit                           Char(1)    The value of the priority limit parameter.
313   381   767        Profile Status                           Char(10)   User profile status.
323   391   777        Group Authority Type                     Char(10)   The value of the GRPAUTTYP parameter.
333   401   787        Supplemental Group Profiles              Char(150)  The names of up to 15 supplemental group profiles for the user.
483   551   937        User Identification                      Char(10)   The uid for the user.
493   561   947        Group Identification                     Char(10)   The gid for the user.
503   571   957        Local Password Management                Char(10)   The value of the LCLPWDMGT parameter.
            967        Password Composition Conformance         Char(10)   Indicates whether the new password conforms to the password composition rules. This field has meaning only when the Password Changed field contains a Y.
                                                                           *PASSED    Checked and conforms.
                                                                           *SYSVAL    Checked but does not conform because of a system value based rule.
                                                                           *EXITPGM   Checked but does not conform because of an exit program response.
                                                                           *NONE      Not checked; *NONE was specified for the new password.
                                                                           *NOCHECK   Not checked; password was changed.
            977        Password Expiration Interval             Char(7)    Specifies the value that the password expiration interval has been changed to.
                                                                           *NOMAX    No expiration interval.
                                                                           *SYSVAL   The system value QPWDEXPITV is used.
                                                                           number    The size of the expiration interval in days.
            984        Block Password Change                    Char(10)   Specifies the value that the block password change has been changed to.
                                                                           *SYSVAL   The system value QPWDCHGBLK is used.
                                                                           *NONE     No block period.
                                                                           1-99      Blocked hours.
            994        User Expiration Date                     Char(7)    Specifies the date when the user profile expires. The user profile is automatically disabled or deleted on this date.
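A CP entry is written for every CRTUSRPRF, CHGUSRPRF and RSTUSRPRF, and for a QSECOFR password reset from DST, so it is the record to watch for special-authority creep and out-of-band password resets. Each Char(1) special-authority flag describes the profile as it stands after the command, so a single record cannot say what was added; the added Python below (not code from this reference or from IBM) walks a sequence of *TYPE5 CP records in journal order, remembers the last special-authority set per profile, and reports profiles that gain *ALLOBJ, *SECADM, *SERVICE or *AUDIT, DST resets, and passwords set with Password Composition Conformance of *NOCHECK. As in the CA example it assumes ASCII-converted outfile records and the J5 offsets printed in Table 169 (verify with DSPFFD QSYS/QASYCPJ5); the sample records and the `make_cp_record` builder are constructed for the example, and the choice of which special authorities count as high risk is a policy decision, not one the reference makes.

```python
"""Track special-authority and password changes across CP (User Profile
Changes) *TYPE5 records.

Added example, not IBM code. Offsets are the 1-based J5 values printed in
Table 169 (assumption: verify with DSPFFD QSYS/QASYCPJ5); records are assumed
already converted from EBCDIC to ASCII.
"""
from typing import Dict, Iterable, List, Set, Tuple

ENTRY_TYPE = (610, 1)
PROFILE = (611, 10)
COMMAND = (639, 3)             # CRT, CHG, RST, DST (QSECOFR reset from DST), RPA
PWD_CHANGED = (642, 1)
PWD_NONE = (643, 1)
PROFILE_STATUS = (767, 10)
PWD_COMPOSITION = (967, 10)    # *PASSED, *SYSVAL, *EXITPGM, *NONE, *NOCHECK
# One Char(1) flag per special authority, J5 offsets 645-652 in table order.
SPECIAL_FLAGS = [
    (645, "*ALLOBJ"), (646, "*JOBCTL"), (647, "*SAVSYS"), (648, "*SECADM"),
    (649, "*SPLCTL"), (650, "*SERVICE"), (651, "*AUDIT"), (652, "*IOSYSCFG"),
]
HIGH_RISK = {"*ALLOBJ", "*SECADM", "*SERVICE", "*AUDIT"}   # policy choice for this example
RECORD_LEN = 1001              # through User Expiration Date at 994, Char(7)


def char(rec: bytes, offset: int, length: int) -> str:
    """Char(n) field at a 1-based offset, trailing blanks removed."""
    return rec[offset - 1:offset - 1 + length].decode("ascii").rstrip()


def parse_cp(rec: bytes) -> Dict:
    """Decode the CP-specific fields used by the audit below."""
    if char(rec, *ENTRY_TYPE) != "A":
        raise ValueError("not a CP entry")
    return {
        "profile": char(rec, *PROFILE),
        "command": char(rec, *COMMAND),
        "specials": {name for off, name in SPECIAL_FLAGS if char(rec, off, 1) == "Y"},
        "password_changed": char(rec, *PWD_CHANGED) == "Y",
        "password_none": char(rec, *PWD_NONE) == "Y",
        "status": char(rec, *PROFILE_STATUS),
        "composition": char(rec, *PWD_COMPOSITION),
    }


def audit_cp_stream(records: Iterable[bytes]) -> List[Tuple[str, str]]:
    """Walk CP records in journal order and return (profile, finding) pairs."""
    seen: Dict[str, Set[str]] = {}     # profile -> special authorities after its last entry
    findings: List[Tuple[str, str]] = []
    for rec in records:
        e = parse_cp(rec)
        name, now = e["profile"], e["specials"]
        if e["command"] == "DST":
            findings.append((name, "password reset from DST"))
        if name in seen:
            gained = (now - seen[name]) & HIGH_RISK
            if gained:
                findings.append((name, "gained " + " ".join(sorted(gained))))
        elif e["command"] == "CRT" and now & HIGH_RISK:
            findings.append((name, "created with " + " ".join(sorted(now & HIGH_RISK))))
        if e["password_changed"] and e["composition"] == "*NOCHECK":
            findings.append((name, "password set without composition check"))
        seen[name] = now
    return findings


def make_cp_record(profile: str, command: str, specials: Set[str] = frozenset(),
                   password_changed: bool = False, composition: str = "",
                   status: str = "*ENABLED") -> bytes:
    """Constructed test record (not real journal data) in the layout above."""
    rec = bytearray(b" " * RECORD_LEN)

    def put(offset: int, text: str) -> None:
        rec[offset - 1:offset - 1 + len(text)] = text.encode("ascii")

    put(ENTRY_TYPE[0], "A"); put(PROFILE[0], profile); put(COMMAND[0], command)
    put(PROFILE_STATUS[0], status)
    for off, name in SPECIAL_FLAGS:
        if name in specials:
            put(off, "Y")
    if password_changed:
        put(PWD_CHANGED[0], "Y"); put(PWD_COMPOSITION[0], composition)
    return bytes(rec)


SAMPLES = [  # constructed sequence in journal order, not from a real QAUDJRN
    make_cp_record("APPUSER", "CRT", {"*JOBCTL"}),
    make_cp_record("APPUSER", "CHG", {"*JOBCTL", "*ALLOBJ"}),
    make_cp_record("APPUSER", "CHG", {"*JOBCTL", "*ALLOBJ"}, password_changed=True, composition="*NOCHECK"),
    make_cp_record("QSECOFR", "DST", {n for _, n in SPECIAL_FLAGS}, password_changed=True),
]

if __name__ == "__main__":
    for profile, finding in audit_cp_stream(SAMPLES):
        print(profile, finding)
```

Because the state is keyed only on the profile name, the first record seen for a profile that already had *ALLOBJ before the audited window cannot be distinguished from a grant; seed `seen` from a DSPUSRPRF or QSYRUSRI snapshot taken at the start of the window when that distinction matters.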

CQ (*CRQD Changes) journal entries

This table provides the format of the CQ (*CRQD Changes) journal entries.

Table 170. CQ (*CRQD Changes) journal entries. QASYCQJE/J4/J5 Field Description File

Offset (JE / J4 / J5)  Field           Format    Description
1     1     1          Heading fields            Heading fields common to all entry types. See Standard heading fields for audit journal entries QJORDJE5 Record Format (*TYPE5) on page 562, Standard heading fields for audit journal entries QJORDJE4 Record Format (*TYPE4) on page 563, and Standard heading fields for audit journal entries QJORDJE2 Record Format (*TYPE2) on page 565 for the field listing.
156   224   610        Entry Type      Char(1)   The type of entry.
                                                 A   Change to a *CRQD object
157   225   611        Object Name     Char(10)  The name of the object that was changed.
167   235   621        Library Name    Char(10)  The name of the object library.
177   245   631        Object Type     Char(8)   The type of object.
            639        ASP Name        Char(10)  ASP name for the *CRQD library.
            649        ASP Number      Char(5)   ASP number for the *CRQD library.

CU (Cluster Operations) journal entries

This table provides the format of the CU (Cluster Operations) journal entries.

Table 171. CU (Cluster Operations) journal entries. QASYCUJ4/J5 Field Description File

Offset (JE / J4 / J5)  Field                 Format    Description
      1     1          Heading fields                  Heading fields common to all entry types. See Standard heading fields for audit journal entries QJORDJE5 Record Format (*TYPE5) on page 562 and Standard heading fields for audit journal entries QJORDJE4 Record Format (*TYPE4) on page 563 for the field listing.
      224   610        Entry Type            Char(1)   The type of entry.
                                                       M   Cluster control operation
                                                       R   Cluster Resource Group (*GRP) management operation
      225   611        Entry Action          Char(3)   The type of action.
                                                       ADD   Add
                                                       CRT   Create
                                                       DLT   Delete
                                                       DST   Distribute
                                                       END   End
                                                       FLO   Fail over
                                                       LST   List information
                                                       RMV   Remove
                                                       RSC   Report state change
                                                       STR   Start
                                                       SWT   Switch
                                                       UPC   Update attributes
      228   614        Status                Char(3)   The status of the request.
                                                       ABN   The request ended abnormally
                                                       AUT   Authority failure; *IOSYSCFG is required
                                                       END   The request ended successfully
                                                       STR   The request was started
      231   617        CRG Object Name       Char(10)  The Cluster Resource Group object name. This value is filled in when the entry type is R.
      241   627        CRG Library Name      Char(10)  The Cluster Resource Group object library. This value is filled in when the entry type is R.
      251   637        Cluster Name          Char(10)  The name of the cluster.
      261   647        Node ID               Char(8)   The node ID.
      269   655        Source Node ID        Char(8)   The source node ID.
      277   663        Source User Name      Char(10)  Name of the source system user that initiated the request.
      287   673        User Queue Name       Char(10)  Name of the user queue where responses are sent.
      297   683        User Queue Library    Char(10)  The user queue library.
            693        ASP Name              Char(10)  ASP name for the user queue library.
            703        ASP Number            Char(5)   ASP number for the user queue library.

CV (Connection Verification) journal entries

This table provides the format of the CV (Connection Verification) journal entries.

Table 172. CV (Connection Verification) journal entries. QASYCVJ4/J5 Field Description File

Offset (JE / J4 / J5)  Field                         Format     Description
      1     1          Heading fields                           Heading fields common to all entry types. See Standard heading fields for audit journal entries QJORDJE5 Record Format (*TYPE5) on page 562 and Standard heading fields for audit journal entries QJORDJE4 Record Format (*TYPE4) on page 563 for the field listing.
      224   610        Entry Type                    Char(1)    The type of entry.
                                                                C   Connection established
                                                                E   Connection ended
                                                                R   Connection rejected
      225   611        Action                        Char(1)    Action taken for the connection type.
                                                                (blank)   Connection established or ended normally. Used for Entry Type C or E.
                                                                A   Peer was not authenticated. Used for Entry Type E or R.
                                                                C   No response from the authentication server. Used for Entry Type R.
                                                                L   LCP configuration error. Used for Entry Type R.
                                                                N   NCP configuration error. Used for Entry Type R.
                                                                P   Password is not valid. Used for Entry Type E or R.
                                                                R   Authentication was rejected by peer. Used for Entry Type R.
                                                                T   L2TP configuration error. Used for Entry Type E or R.
                                                                U   User is not valid. Used for Entry Type E or R.
      226   612        Point to Point Profile Name   Char(10)   The point-to-point profile name.
      236   622        Protocol                      Char(10)   The connection protocol.
                                                                L2TP   Layer Two Tunneling Protocol
                                                                PPP    Point-to-Point Protocol
                                                                SLIP   Serial Line Internet Protocol
      246   632        Local Authentication Method   Char(10)   The local authentication method.
                                                                CHAP     Challenge Handshake Authentication Protocol
                                                                PAP      Password Authentication Protocol
                                                                SCRIPT   Script method
      256   642        Remote Authentication Method  Char(10)   The remote authentication method.
                                                                CHAP     Challenge Handshake Authentication Protocol
                                                                PAP      Password Authentication Protocol
                                                                RADIUS   RADIUS method
                                                                SCRIPT   Script method
      266   652        Object Name                   Char(10)   The *VLDL object name.
      276   662        Library Name                  Char(10)   The *VLDL object library name.
      286   672        *VLDL User Name               Char(100)  The *VLDL user name.
      386   772        Local IP Address              Char(40)   The local IP address.
      426   812        Remote IP Address             Char(40)   The remote IP address.
      466   852        IP Forwarding                 Char(1)    Y   IP forwarding is on.
                                                                N   IP forwarding is off.
      467   853        Proxy ARP                     Char(1)    Y   Proxy ARP is enabled.
                                                                N   Proxy ARP is not enabled.
      468   854        Radius Name                   Char(10)   The AAA profile name.
      478   864        Authenticating IP Address     Char(40)   The authenticating IP address.
      518   904        Account Session ID            Char(14)   The account session ID.
      532   918        Account Multi-Session ID      Char(14)   The account multi-session ID.
      546   932        Account Link Count            Binary(4)  The account link count.
      548   934        Tunnel Type                   Char(1)    The tunnel type:
                                                                0   Not tunneled
                                                                3   L2TP
                                                                6   AH
                                                                9   ESP
      549   935        Tunnel Client Endpoint        Char(40)   Tunnel client endpoint.
      589   975        Tunnel Server Endpoint        Char(40)   Tunnel server endpoint.
      629   1015       Account Session Time          Char(8)    The account session time. Used for Entry Type E or R.
      637   1023       Reserved                      Binary(4)  Always zero.
            1025       ASP Name                      Char(10)   ASP name for the validation list library.
            1035       ASP Number                    Char(5)    ASP number for the validation list library.

CY (Cryptographic Configuration) journal entries

This table provides the format of the CY (Cryptographic Configuration) journal entries.

Table 173. CY (Cryptographic Configuration) journal entries. QASYCYJ4/J5 Field Description File

Offset (JE / J4 / J5)  Field                   Format     Description
      1     1          Heading fields                     Heading fields common to all entry types. See Standard heading fields for audit journal entries QJORDJE5 Record Format (*TYPE5) on page 562, Standard heading fields for audit journal entries QJORDJE4 Record Format (*TYPE4) on page 563, and Standard heading fields for audit journal entries QJORDJE2 Record Format (*TYPE2) on page 565 for the field listing.
      224   610        Entry Type              Char(1)    The type of entry.
                                                          A   Cryptographic Coprocessor Access Control Function
                                                          F   Cryptographic Coprocessor Facility Control Function
                                                          K   Cryptographic Services Master Key Function (1)
                                                          M   Cryptographic Coprocessor Master Key Function
      225   611        Action                  Char(3)    The cryptographic configuration function performed:
                                                          CCP   Define a card profile.
                                                          CCR   Define a card role.
                                                          CLK   Set clock.
                                                          CLR   Clear master keys.
                                                          CRT   Create master keys.
                                                          DCP   Delete a card profile.
                                                          DCR   Delete a card role.
                                                          DST   Distribute master keys.
                                                          EID   Set environment ID.
                                                          FCV   Load or clear FCV.
                                                          INI   Reinitialize card.
                                                          LOD   Load master key.
                                                          QRY   Query role or profile information.
                                                          RCP   Replace a card profile.
                                                          RCR   Replace a card role.
                                                          RCV   Receive master keys.
                                                          SET   Set master keys.
                                                          SHR   Cloning shares.
                                                          TST   Test master key.
      228   614        Card Profile (2)        Char(8)    The name of the card profile.
      236   622        Card Role (2)           Char(8)    The role of the card profile.
      244   630        Device Name (2)         Char(10)   The name of the cryptographic device.
            640        Master Key ID (3)       Binary(4)  The cryptographic services master key ID. Possible values are as follows:
                                                          -2   Save/restore master key
                                                          -1   ASP master key
                                                          1    Master key 1
                                                          2    Master key 2
                                                          3    Master key 3
                                                          4    Master key 4
                                                          5    Master key 5
                                                          6    Master key 6
                                                          7    Master key 7
                                                          8    Master key 8
            644        Master Key Encryption   Char(1)    Whether the master key is encrypted with the default save/restore master key.
                                                          Y   The master key was set and encrypted with the default Save/Restore Master Key.
                                                          N   The master key was set and encrypted with a user-set Save/Restore Master Key.
            645        Master Key Version      Char(8)    The version of the master key that was cleared.
                                                          NEW       The new version was cleared.
                                                          CURRENT   The current version was cleared.
                                                          OLD       The old version was cleared.
                                                          PENDING   The pending version was cleared.

Notes:
1  When the entry type (J5 offset 610) is K, the card profile (J5 offset 614), card role (J5 offset 622), and device name (J5 offset 630) are set to blanks.
2  When the entry type is K, this field is blank.
3  When the entry type is not K, this field is blank.

DI (Directory Server) journal entries

This table provides the format of the DI (Directory Server) journal entries.

Table 174. DI (Directory Server) journal entries. QASYDIJ4/J5 Field Description File

Offset (JE / J4 / J5)  Field                               Format      Description
      1     1          Heading fields                                  Heading fields common to all entry types. See Standard heading fields for audit journal entries QJORDJE5 Record Format (*TYPE5) on page 562, Standard heading fields for audit journal entries QJORDJE4 Record Format (*TYPE4) on page 563, and Standard heading fields for audit journal entries QJORDJE2 Record Format (*TYPE2) on page 565 for the field listing.
      224   610        Entry Type                          Char(1)     The type of entry.
                                                                       L   LDAP operation
      225   611        Operation Type                      Char(2)     The type of LDAP operation:
                                                                       AD   Audit attribute change.
                                                                       AF   Authority failure.
                                                                       BN   Successful bind.
                                                                       CA   Object authority change.
                                                                       CF   Configuration change.
                                                                       CI   Create instance.
                                                                       CO   Object creation.
                                                                       CP   Password change.
                                                                       DI   Delete instance.
                                                                       DO   Object delete.
                                                                       EX   LDAP directory export.
                                                                       IM   LDAP directory import.
                                                                       OM   Object management (rename).
                                                                       OW   Ownership change.
                                                                       PO   Policy change.
                                                                       PW   Password fail.
                                                                       RM   Replication management.
                                                                       UB   Successful unbind.
                                                                       ZC   Object change.
                                                                       ZR   Object read.
      227   613        Authority Failure Code              Char(1)     Code for authority failures. This field is used only if the operation type (J5 offset 611) is AF.
                                                                       A   Unauthorized attempt to change audit value.
                                                                       B   Unauthorized bind attempt.
                                                                       C   Unauthorized object create attempt.
                                                                       D   Unauthorized object delete attempt.
                                                                       E   Unauthorized export attempt.
                                                                       F   Unauthorized configuration change (administrator, change log, backend library, replicas, publishing).
                                                                       G   Unauthorized replication management attempt.
                                                                       I   Unauthorized import attempt.
                                                                       M   Unauthorized change attempt.
                                                                       P   Unauthorized policy change attempt.
                                                                       R   Unauthorized read (search) attempt.
                                                                       U   Unauthorized attempt to read the audit configuration.
                                                                       X   Unauthorized proxy authorization attempt.
      228   614        Configuration Change                Char(1)     Configuration changes. This field is used only if the operation type (J5 offset 611) is CF:
                                                                       A   Administrator DN change.
                                                                       C   Change log on or off.
                                                                       L   Backend library name change.
                                                                       P   Publishing agent change.
                                                                       R   Replica server change.
                                                                       If the operation type (J5 offset 611) is RM, the following values might be present:
                                                                       U   Suspend replication.
                                                                       V   Resume replication.
                                                                       W   Replicate pending changes now.
                                                                       X   Skip one or more pending changes.
                                                                       Y   Quiesce replication context.
                                                                       Z   Unquiesce replication context.
      229   615        Configuration Change Code           Char(1)     Code for configuration changes. This field is used only if the operation type (J5 offset 611) is CF.
                                                                       A   Item added to configuration
                                                                       D   Item deleted from configuration
                                                                       M   Item modified
      230   616        Propagate Flag                      Char(1)     Indicates the new setting of the owner or ACL propagate value. This field is used only if the operation type (J5 offset 611) is CA or OW.
                                                                       T   True
                                                                       F   False
      231   617        Bind Authentication Choice          Char(20)    The bind authentication choice. This field is used only if the operation type (J5 offset 611) is BN.
      251   637        LDAP Version                        Char(4)     Version of the client making the request. This field is used only if the operation was done through the LDAP server.
                                                                       2   LDAP Version 2
                                                                       3   LDAP Version 3
      255   641        SSL Indicator                       Char(1)     Indicates whether SSL was used on the request. This field is used only if the operation was done through the LDAP server.
                                                                       0   No
                                                                       1   Yes
      256   642        Request Type                        Char(1)     The type of request. This field is used only if the operation was done through the LDAP server.
                                                                       A   Authenticated
                                                                       N   Anonymous
                                                                       U   Unauthenticated
      257   643        Connection ID                       Char(20)    Connection ID of the request. This field is used only if the operation was done through the LDAP server.
      277   663        Client IP Address                   Char(50)    IP address and port number of the client request. This field is used only if the operation was done through the LDAP server.
      327   713        User Name CCSID                     Bin(5)      The coded character set identifier of the user name.
      331   717        User Name Length                    Bin(4)      The length of the user name.
      333   719        User Name (1)                       Char(2002)  The name of the LDAP user.
      2335  2721       Object Name CCSID                   Bin(5)      The coded character set identifier of the object name.
      2339  2725       Object Name Length                  Bin(4)      The length of the object name.
      2341  2727       Object Name (1)                     Char(2002)  The name of the LDAP object.
      4343  4729       Owner Name CCSID                    Bin(5)      The coded character set identifier of the owner name. This field is used only if the operation type (J5 offset 611) is OW.
      4347  4733       Owner Name Length                   Bin(4)      The length of the owner name. This field is used only if the operation type is OW.
      4349  4735       Owner Name (1)                      Char(2002)  The name of the owner. This field is used only if the operation type (J5 offset 611) is OW.
      6351  6737       New Name CCSID                      Bin(5)      The coded character set identifier of the new name. This field is used only if the operation type (J5 offset 611) is OM, OW, PO, ZC, AF+M, or AF+P (AF with Authority Failure Code M or P).
                                                                       - For operation type OM, this field contains the CCSID of the new object name.
                                                                       - For operation type OW, this field contains the CCSID of the new owner name.
                                                                       - For operation types PO, ZC, AF+M, or AF+P, this field contains the CCSID of the list of changed attribute types in the New Name field.
      6355  6741       New Name Length                     Bin(4)      The length of the new name. This field is used only if the operation type (J5 offset 611) is OM, OW, PO, ZC, AF+M, or AF+P.
                                                                       - For operation type OM, this field contains the length of the new object name.
                                                                       - For operation type OW, this field contains the length of the new owner name.
                                                                       - For operation types PO, ZC, AF+M, or AF+P, this field contains the length of the list of changed attribute types in the New Name field.
      6357  6743       New Name (1)                        Char(2002)  The new name. This field is used only if the operation type (J5 offset 611) is OM, OW, PO, ZC, AF+M, or AF+P.
                                                                       - For operation type OM, this field contains the new object name.
                                                                       - For operation type OW, this field contains the new owner name.
                                                                       - For operation types PO, ZC, AF+M, or AF+P, this field contains a list of changed attribute types.
      8359  8745       Object File ID (2)                  Char(16)    The file ID of the object for export.
      8375  8761       ASP Name (2)                        Char(10)    The name of the ASP device.
      8385  8771       ASP Number (2)                      Char(5)     The number of the ASP device.
      8390  8776       Path Name CCSID (2)                 Bin(5)      The coded character set identifier of the path name.
      8394  8780       Path Name Country or Region ID (2)  Char(2)     The Country or Region ID of the path name.
      8396  8782       Path Name Language ID (2)           Char(3)     The language ID of the path name.
      8399  8785       Path Name Length (2)                Bin(4)      The length of the path name.
      8401  8787       Path Name Indicator (2)             Char(1)     Path name indicator.
                                                                       Y   The Path Name field contains the complete absolute path name for the object.
                                                                       N   The Path Name field does not contain an absolute path name for the object; instead it contains a relative path name. The Relative Directory File ID field is valid and can be used to form an absolute path name with this relative path name.
      8402  8788       Relative Directory File ID (2,3)    Char(16)    When the Path Name Indicator field is N, this field contains the file ID of the directory that contains the object identified in the Path Name field. Otherwise it contains hex zeros.
      8418  8804       Path Name (1,2)                     Char(5002)  The path name of the object.
            13806      Local User Profile                  Char(10)    The local user profile name that is mapped to the LDAP user name (J5 offset 719). Blank indicates no user profile is mapped.
            13816      Administrator Indicator             Char(1)     Administrator indicator for the LDAP user name (J5 offset 719).
                                                                       Y   The LDAP user is an administrator.
                                                                       N   The LDAP user is not an administrator.
                                                                       U   It is unknown at this time whether the LDAP user is an administrator.
            13817      Proxy ID CCSID                      Bin(5)      The coded character set identifier (CCSID) of the proxy ID.
            13821      Proxy ID Length                     Bin(4)      The length of the proxy ID.
            13823      Proxy ID (1)                        Char(2002)  The name of the proxy ID. This field is used when the proxy authorization control is used to request that an operation be done under the authority of the proxy ID, or for a SASL bind in which the client has specified an authorization ID different from the bind ID.
            15825      Group Assertion                     Char(1)     Group membership assertion.
                                                                       0   Groups were not specified by the client.
                                                                       1   Groups were specified by the client.
            15826      Cross Reference                     Char(36)    Cross reference string used to correlate this entry with the XD entry or entries listing the groups.
            15862      Instance Name                       Char(8)     Instance name.
            15870      Route CCSID                         Bin(5)      CCSID of the route.
            15874      Route Length                        Bin(4)      Length of the route.
            15876      Route                               Char(502)   Request route.

Notes:
1  This is a variable-length field. The first two bytes contain the length of the value in the field.
2  These fields are used only if the operation type (J5 offset 611) is EX or IM.
3  If the Path Name Indicator field is N but the Relative Directory File ID is hex zeros, there was an error in determining the path name information.

DO (Delete Operation) journal entries

This table provides the format of the DO (Delete Operation) journal entries.

Table 175. DO (Delete Operation) journal entries. QASYDOJE/J4/J5 Field Description File

Offset (JE/J4/J5)   Field                                 Format       Description
1/1/1               Heading fields common to all entry types. See Standard heading fields for audit journal entries QJORDJE5 Record Format (*TYPE5) on page 562, QJORDJE4 Record Format (*TYPE4) on page 563, and QJORDJE2 Record Format (*TYPE2) on page 565 for the field listing.
156/224/610         Entry Type                            Char(1)      The type of entry:
                                                                         A  Object was deleted (not under commitment control)
                                                                         C  A pending object delete was committed
                                                                         D  A pending object create was rolled back
                                                                         I  Initialize environment variable space
                                                                         P  The object delete is pending (the delete was performed under commitment control)
                                                                         R  A pending object delete was rolled back
157/225/611         Object Name                           Char(10)     The name of the object.
167/235/621         Library Name                          Char(10)     The name of the library where the object is stored.
177/245/631         Object Type                           Char(8)      The type of object.
185/253/-           (Reserved Area)                       Char(20)
-/-/639             Object Attribute                      Char(10)     The attribute of the object.
-/-/649             (Reserved Area)                       Char(10)
205/273/659         Office User                           Char(10)     The name of the office user.
215/283/669         DLO Name                              Char(12)     The name of the document library object.
227/295/681         (Reserved Area)                       Char(8)
235/303/689         Folder Path                           Char(63)     The path of the folder.
298/366/752         Office on Behalf of User              Char(10)     User working on behalf of another user.
308/-/-             (Reserved Area)                       Char(20)
-/376/762           (Reserved Area)                       Char(18)
-/394/780           Object Name Length [1]                Binary(4)    The length of the object name.
328/396/782         Object Name CCSID [1]                 Binary(5)    The coded character set identifier for the object name.
332/400/786         Object Name Country or Region ID [1]  Char(2)      The Country or Region ID for the object name.
334/402/788         Object Name Language ID [1]           Char(3)      The language ID for the object name.
337/405/791         (Reserved area)                       Char(3)
340/408/794         Parent File ID [1][2]                 Char(16)     The file ID of the parent directory.
356/424/810         Object File ID [1][2]                 Char(16)     The file ID of the object.
372/440/826         Object Name [1]                       Char(512)    The name of the object.
-/952/1338          Object File ID                        Char(16)     The file ID of the object.
-/968/1354          ASP Name [5]                          Char(10)     The name of the ASP device.
-/978/1364          ASP Number [5]                        Char(5)      The number of the ASP device.
-/983/1369          Path Name CCSID                       Binary(5)    The coded character set identifier for the path name.
-/987/1373          Path Name Country or Region ID        Char(2)      The Country or Region ID for the path name.
-/989/1375          Path Name Language ID                 Char(3)      The language ID for the path name.
-/992/1378          Path Name Length                      Binary(4)    The length of the path name.
-/994/1380          Path Name Indicator                   Char(1)      Path name indicator:
                                                                         Y  The Path Name field contains the complete absolute path name for the object.
                                                                         N  The Path Name field does not contain an absolute path name for the object; it contains a relative path name. The Relative Directory File ID field is valid and can be used to form an absolute path name with this relative path name.
-/995/1381          Relative Directory File ID [3]        Char(16)     When the Path Name Indicator field is N, this field contains the file ID of the directory that contains the object identified in the Path Name field. Otherwise it contains hex zeros.
-/1011/1397         Path Name [4]                         Char(5002)   The path name of the object.

[1] These fields are used only for objects in the "root" (/), QOpenSys, and user-defined file systems.
[2] An ID that has the left-most bit set and the rest of the bits zero indicates that the ID is NOT set.
[3] If the Path Name Indicator field is N, but the Relative Directory File ID is hex zeros, then there was some error in determining the path name information.
[4] This is a variable length field. The first two bytes contain the length of the path name.
[5] If the object is in a library, this is the ASP information of the object's library. If the object is not in a library, this is the ASP information of the object.
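The Path Name Indicator, Relative Directory File ID and Path Name fields above (the same trio appears in the DI and IR entries) are where a naive audit-log parser goes wrong: an N indicator with a valid directory file ID is a usable relative path, an N indicator with a zero file ID means the path information is unreliable, and the path itself is a variable-length field whose real length is the 2-byte prefix, not the 5002-byte column width. The following is an added example written for this page, not IBM code. It uses the *TYPE5 (J5) offsets of Table 175, assumes CCSID 37 (EBCDIC) for the single-byte indicator, and assumes a small CCSID-to-codec mapping for the path name (37, 500, 1208, 1200, 13488); the sample records it builds are constructed, not captured journal data.

```python
import struct

# 1-based J5 offsets from Table 175 (DO entry)
PATH_CCSID = 1369       # Binary(5): CCSID of the path name
PATH_IND = 1380         # Char(1):   Y = absolute path, N = relative path
REL_DIR_ID = 1381       # Char(16):  file ID of the containing directory when the indicator is N
PATH_NAME = 1397        # Char(5002): 2-byte length prefix followed by the path name bytes

NOT_SET = bytes(16)     # hex zeros in Relative Directory File ID (footnote 3)
HEADER_CCSID = "cp037"  # assumption: single-byte fields of the record are EBCDIC CCSID 37

# Assumed mapping from the CCSIDs a path name is likely to carry to Python codecs.
CODECS = {37: "cp037", 500: "cp500", 1208: "utf-8", 1200: "utf-16-be", 13488: "utf-16-be"}


class PathNameError(ValueError):
    """Raised when the entry says its own path information cannot be trusted."""


def decode_path(record: bytes) -> dict:
    """Return the path name and whether it is absolute, applying the Y/N rules."""
    (ccsid,) = struct.unpack(">I", record[PATH_CCSID - 1:PATH_CCSID + 3])
    indicator = record[PATH_IND - 1:PATH_IND].decode(HEADER_CCSID)
    rel_dir = record[REL_DIR_ID - 1:REL_DIR_ID + 15]

    start = PATH_NAME - 1
    (length,) = struct.unpack(">H", record[start:start + 2])   # footnote 4
    if length > 5000:
        raise PathNameError(f"path length prefix {length} exceeds the 5000-byte field")
    path = record[start + 2:start + 2 + length].decode(CODECS[ccsid])

    if indicator == "Y":
        return {"path": path, "absolute": True, "directory_id": None}
    if indicator != "N":
        raise PathNameError(f"unexpected Path Name Indicator {indicator!r}")
    if rel_dir == NOT_SET:
        # Footnote 3: N with hex zeros means the system could not determine the path.
        raise PathNameError("relative path without a directory file ID: path information unreliable")
    return {"path": path, "absolute": False, "directory_id": rel_dir.hex()}


def build_record(indicator: str, directory_id: bytes, path: str, ccsid: int = 1200) -> bytes:
    """Construct a DO J5 record image that carries only the path-name fields (sample data)."""
    encoded = path.encode(CODECS[ccsid])
    rec = bytearray(b"\x40" * (PATH_NAME + 1 + len(encoded)))   # EBCDIC blanks elsewhere
    rec[PATH_CCSID - 1:PATH_CCSID + 3] = struct.pack(">I", ccsid)
    rec[PATH_IND - 1:PATH_IND] = indicator.encode(HEADER_CCSID)
    rec[REL_DIR_ID - 1:REL_DIR_ID + 15] = directory_id
    rec[PATH_NAME - 1:PATH_NAME + 1] = struct.pack(">H", len(encoded))
    rec[PATH_NAME + 1:PATH_NAME + 1 + len(encoded)] = encoded
    return bytes(rec)


if __name__ == "__main__":
    print(decode_path(build_record("Y", NOT_SET, "/home/alice/.profile")))
    print(decode_path(build_record("N", bytes(range(1, 17)), ".profile", ccsid=1208)))
    try:
        decode_path(build_record("N", NOT_SET, ".profile"))
    except PathNameError as err:
        print("rejected:", err)
```

Treat a PathNameError as a data-quality event rather than silently logging a bare relative name: a delete whose path cannot be resolved still deserves attention, but the path field must not be used for matching or allow-listing.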

DS (IBM-Supplied Service Tools User ID Reset) journal entries

This table provides the format of the DS (IBM-Supplied Service Tools User ID Reset) journal entries.

Table 176. DS (IBM-Supplied Service Tools User ID Reset) journal entries. QASYDSJE/J4/J5 Field Description File

Offset (JE/J4/J5)   Field                                     Format      Description
1/1/1               Heading fields common to all entry types. See Standard heading fields for audit journal entries QJORDJE5 Record Format (*TYPE5) on page 562, QJORDJE4 Record Format (*TYPE4) on page 563, and QJORDJE2 Record Format (*TYPE2) on page 565 for the field listing.
156/224/610         Entry Type                                Char(1)     The type of entry:
                                                                            A  Reset of a service tools user ID password.
                                                                            C  Changed to a service tools user ID.
                                                                            P  Service tools user ID password was changed.
157/225/611         IBM-Supplied Service Tools User ID Reset  Char(1)     Y  Request to reset an IBM-supplied service tools user ID.
158/226/612         Service Tools User ID Type                Char(10)    The type of service tools user ID: *SECURITY, *FULL, or *BASIC.
168/236/622         Service Tools User ID                     Char(8)     The name of the service tools user ID.
176/244/630         Service Tools User ID Password Change     Char(1)     Request to change the service tools user ID password:
                                                                            Y  Request to change the service tools user ID password.
-/245/631           Service Tools User ID New Name            Char(10)    The name of the service tools user ID.
-/255/641           Service Tools User ID Requesting Profile  Char(10)    The name of the service tools user ID that requested the change.

EV (Environment Variable) journal entries

This table provides the format of the EV (Environment Variable) journal entries.

Table 177. EV (Environment Variable) journal entries. QASYEVJ4/J5 Field Description File

Offset (JE/J4/J5)   Field                                 Format       Description
-/1/1               Heading fields common to all entry types. See Standard heading fields for audit journal entries QJORDJE5 Record Format (*TYPE5) on page 562, QJORDJE4 Record Format (*TYPE4) on page 563, and QJORDJE2 Record Format (*TYPE2) on page 565 for the field listing.
-/224/610           Entry Type                            Char(1)      The type of entry:
                                                                         A  Add
                                                                         C  Change
                                                                         D  Delete
                                                                         I  Initialize environment variable space
-/225/611           Name Truncated                        Char(1)      Indicates whether the environment variable name (offset 232) is truncated:
                                                                         Y  Environment variable name truncated.
                                                                         N  Environment variable name not truncated.
-/226/612           CCSID                                 Binary(5)    The CCSID of the environment variable name.
-/230/616           Length                                Binary(4)    The length of the environment variable name.
-/232/618           Environment Variable Name [2]         Char(1002)   The name of the environment variable.
-/1234/1620         New Name Truncated [1]                Char(1)      Indicates whether the new environment variable name (offset 1241) is truncated:
                                                                         Y  New environment variable name truncated.
                                                                         N  New environment variable name not truncated.
-/1235/1621         New Name CCSID [1]                    Binary(5)    The CCSID of the new environment variable name.
-/1239/1625         New Name Length [1]                   Binary(4)    The length of the new environment variable name.
-/1241/1627         New Environment Variable Name [1][2]  Char(1002)   The new environment variable name.

[1] These fields are used when the entry type is C.
[2] This is a variable length field. The first two bytes contain the length of the environment variable name.

GR (Generic Record) journal entries

This table provides the format of the GR (Generic Record) journal entries.

Table 178. GR (Generic Record) journal entries. QASYGRJ4/J5 Field Description File

Offset (JE/J4/J5)   Field            Format       Description
-/1/1               Heading fields common to all entry types. See Standard heading fields for audit journal entries QJORDJE5 Record Format (*TYPE5) on page 562 and Standard heading fields for audit journal entries QJORDJE4 Record Format (*TYPE4) on page 563 for the field listing.
-/224/610           Entry Type       Char(1)      The type of entry:
                                                    A  Exit program added
                                                    C  Resource Monitoring and Control (RMC) operations
                                                    D  Exit program removed
                                                    F  Function registration operations
                                                    R  Exit program replaced
-/225/611           Action           Char(2)      The action performed:
                                                    ZC  Change
                                                    ZR  Read
-/227/613           User Name        Char(10)     User profile name. For entry type F, this field contains the name of the user the function registration operation was performed against.
-/237/623           Field 1 CCSID    Binary(5)    The CCSID value for field 1.
-/241/627           Field 1 Length   Binary(4)    The length of the data in field 1.
-/243/629           Field 1 [1]      Char(102)    Field 1 data.
                      For entry type F, this field contains the description of the function registration operation that was performed. The possible values are:
                        *REGISTER      Function has been registered
                        *REREGISTER    Function has been updated
                        *DEREGISTER    Function has been de-registered
                        *CHGUSAGE      Function usage information has been changed
                        *CHKUSAGE      Function usage was checked for a user and the check passed
                        *USAGEFAILURE  Function usage was checked for a user and the check failed
                      For entry types A, D, and R, this field contains the exit program information for the specific function that was performed.
                      For entry type C, this field contains the name of the RMC function that is being attempted. The possible values are:
                        mc_reg_event_select      Register event using attribute selection
                        mc_reg_event_handle      Register event using resource handle
                        mc_reg_class_event       Register event for a resource class
                        mc_unreg_event           Unregister event
                        mc_define_resource       Define new resource
                        mc_undefine_resource     Undefine resource
                        mc_set_select            Set resource attribute values using attribute selection
                        mc_set_handle            Set resource attribute values using resource handle
                        mc_class_set             Set resource class attribute values
                        mc_query_p_select        Query resource persistent attributes using attribute selection
                        mc_query_d_select        Query resource dynamic attributes using attribute selection
                        mc_query_p_handle        Query resource persistent attributes using resource handle
                        mc_query_d_handle        Query resource dynamic attributes using resource handle
                        mc_class_query_p         Query resource class persistent attributes
                        mc_class_query_d         Query resource class dynamic attributes
                        mc_qdef_resource_class   Query resource class definition
                        mc_qdef_p_attribute      Query persistent attribute definition
                        mc_qdef_d_attribute      Query dynamic attribute definition
                        mc_qdef_sd               Query Structured Data definition
                        mc_qdef_valid_values     Query definition of a persistent attribute's valid values
                        mc_qdef_actions          Query definition of a resource's actions
                        mc_invoke_action         Invoke action on a resource
                        mc_invoke_class_action   Invoke action on a resource class
-/345/731           Field 2 CCSID    Binary(5)    The CCSID value for field 2.
-/349/735           Field 2 Length   Binary(4)    The length of the data in field 2.
-/351/737           Field 2 [1]      Char(102)    Field 2 data.
                      For entry type F, this field contains the name of the function that was operated on.
                      For entry type C, this field contains the name of the resource or resource class against which the operation was attempted.
-/453/839           Field 3 CCSID    Binary(5)    The CCSID value for field 3.
-/457/843           Field 3 Length   Binary(4)    The length of the data in field 3.
-/459/845           Field 3 [1]      Char(102)    Field 3 data.
                      For entry type F, this field contains the usage setting for a user. There is a value for this field only if the function registration operation is one of the following:
                        *REGISTER     This field contains the default usage value. The user name will be *DEFAULT.
                        *REREGISTER   This field contains the default usage value. The user name will be *DEFAULT.
                        *CHGUSAGE     This field contains the usage value for the user specified in the user name field.
                      For entry type C, this field contains the result of any authorization check that was made for the operation indicated in field 1. The possible values are:
                        *NOAUTHORITYCHECKED  The operation indicated in field 1 does not require an authorization check, or for any other reason an authorization check was not attempted.
                        *AUTHORITYPASSED     The mapped user ID indicated in the User Profile Name has passed the appropriate authorization check for the operation indicated in field 1 against the resource or resource class indicated in field 2.
                        *AUTHORITYFAILED     The mapped user ID indicated in the User Profile Name has failed the appropriate authorization check for the operation indicated in field 1 against the resource or resource class indicated in field 2.
-/561/947           Field 4 CCSID    Binary(5)    The CCSID value for field 4.
-/565/951           Field 4 Length   Binary(4)    The length of the data in field 4.
-/567/953           Field 4 [1]      Char(102)    Field 4 data.
                      For entry type F, this field contains the allow *ALLOBJ setting for the function. There is a value for this field only if the function registration operation is *REGISTER or *REREGISTER.

[1] This is a variable length field. The first two bytes contain the length of the field.

GS (Give Descriptor) journal entries

This table provides the format of the GS (Give Descriptor) journal entries.

Table 179. GS (Give Descriptor) journal entries. QASYGSJE/J4/J5 Field Description File

Offset (JE/J4/J5)   Field               Format       Description
1/1/1               Heading fields common to all entry types. See Standard heading fields for audit journal entries QJORDJE5 Record Format (*TYPE5) on page 562, QJORDJE4 Record Format (*TYPE4) on page 563, and QJORDJE2 Record Format (*TYPE2) on page 565 for the field listing.
156/224/610         Entry Type          Char(1)      The type of entry:
                                                       G  Give descriptor
                                                       R  Received descriptor
                                                       U  Unable to use descriptor
157/225/611         Job Name            Char(10)     The name of the job.
167/235/621         User Name           Char(10)     The name of the user.
177/245/631         Job Number          Zoned(6,0)   The number of the job.
183/251/637         User Profile Name   Char(10)     The name of the user profile.
-/261/647           JUID                Char(10)     The Job User ID of the target job. (This value applies only to subtype G audit records.)

IM (Intrusion Monitor) journal entries

This table provides the format of the IM (Intrusion Monitor) journal entries.

Table 180. IM (Intrusion Monitor) journal entries. QASYIMJE/J4/J5 Field Description File

Offset (JE/J4/J5)   Field                        Format       Description
-/-/1               Heading fields common to all entry types.
-/-/610             Entry Type                   Char(1)      The type of entry:
                                                                P  Potential intrusion event detected
-/-/611             Time of Event                TIMESTAMP    The time that the event was detected, in SAA timestamp format.
-/-/637             Detection Point Identifier   Char(4)      A unique identifier for the processing location that detected the intrusion event. This field is intended for use by service personnel.
-/-/641             Local Address Family         Char(1)      Local IP address family associated with the detected event.
-/-/642             Local Port Number            Zoned(5,0)   Local port number associated with the detected event.
-/-/647             Local IP Address             Char(46)     Local IP address associated with the detected event.
-/-/693             Remote Address Family        Char(1)      Remote address family associated with the detected event.
-/-/694             Remote Port Number           Zoned(5,0)   Remote port number associated with the detected event.
-/-/699             Remote IP Address            Char(46)     Remote IP address associated with the detected event.
-/-/745             Probe Type Identifier        Char(6)      Identifies the type of probe used to detect the potential intrusion. Possible values are:
                                                                ATTACK   Attack action detected event
                                                                TR-TCP   Traffic Regulation action detected event over TCP
                                                                TR-UDP   Traffic Regulation action detected event over UDP
                                                                SCANE    Scan event action detected event
                                                                SCANG    Scan global action detected event
                                                                XATTACK  Possible extrusion attack
                                                                XTRTCP   Outbound TR detected event (TCP)
                                                                XTRUDP   Outbound TR detected event (UDP)
                                                                XSCAN    Outbound scan event detected
-/-/751             Event Correlator             Char(4)      Unique identifier for this specific intrusion event. This identifier can be used to correlate this audit record with other intrusion detection information.
-/-/755             Event Type                   Char(8)      Identifies the type of potential intrusion that was detected. The possible values are:
                                                                ACKSTORM  TCP ACK storm
                                                                ADRPOISN  Address poisoning
                                                                FLOOD     Flood event
                                                                FRAGGLE   Fraggle attack
                                                                ICMPRED   ICMP (Internet Control Message Protocol) redirect
                                                                IPFRAG    IP fragment
                                                                MALFPKT   Malformed packet
                                                                OUTRAW    Outbound Raw
                                                                PERPECH   Perpetual echo
                                                                PNGDEATH  Ping of death
                                                                RESTOPT   Restricted IP options
                                                                RESTPROT  Restricted IP protocol
                                                                SMURF     Smurf attack
-/-/763             Protocol                     Char(3)      Protocol number.
-/-/766             Condition                    Char(4)      Condition number from the IDS policy file.
-/-/770             Throttling                   Char(1)      0  Not active
                                                                1  Active
-/-/771             Discarded Packets            Zoned(5,0)   Number of discarded packets when throttled.
-/-/776             Target TCP/IP Stack          Char(1)      P  Production stack
                                                                S  Service stack
-/-/777             Reserved                     Char(6)      Reserved for future use.
-/-/783             Suspected Packet [1]         Char(1002)   A variable length field which can contain up to the first 1000 bytes of the IP packet associated with the detected event. This field contains binary data and should be treated as if it has a CCSID of 65 535.

[1] This is a variable length field. The first 2 bytes contain the length of the suspected packet information.
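Collectors that forward IM entries to a SIEM have to slice the *TYPE5 record image at exactly these offsets, decode the EBCDIC character and zoned-decimal fields, and treat the Suspected Packet field as length-prefixed binary rather than text. The following layout-driven decoder is an added example written for this page, not IBM code. It assumes the record bytes are exactly as laid out in QASYIMJ5, that character fields are EBCDIC CCSID 37, and that the SAA TIMESTAMP occupies 26 characters; the sample record (addresses, ports, probe and event types, packet bytes) is constructed for the example and the Reserved field is skipped.

```python
import struct

EBCDIC = "cp037"   # assumption: character fields of the record are EBCDIC CCSID 37

# Entry-specific fields of the IM entry: (name, 1-based J5 offset, format),
# taken from Table 180. "VarBin" marks the 2-byte length prefix + raw bytes of
# the Suspected Packet field (footnote 1).
IM_LAYOUT = [
    ("entry_type", 610, "Char(1)"),
    ("time_of_event", 611, "Char(26)"),
    ("detection_point", 637, "Char(4)"),
    ("local_family", 641, "Char(1)"),
    ("local_port", 642, "Zoned(5,0)"),
    ("local_ip", 647, "Char(46)"),
    ("remote_family", 693, "Char(1)"),
    ("remote_port", 694, "Zoned(5,0)"),
    ("remote_ip", 699, "Char(46)"),
    ("probe_type", 745, "Char(6)"),
    ("event_correlator", 751, "Char(4)"),
    ("event_type", 755, "Char(8)"),
    ("protocol", 763, "Char(3)"),
    ("condition", 766, "Char(4)"),
    ("throttling", 770, "Char(1)"),
    ("discarded_packets", 771, "Zoned(5,0)"),
    ("target_stack", 776, "Char(1)"),
    ("suspected_packet", 783, "VarBin(1002)"),
]


def _zoned(raw: bytes) -> int:
    """EBCDIC zoned decimal: the low nibble of each byte is a digit and the
    high nibble of the last byte carries the sign (0xD means negative)."""
    value = 0
    for b in raw:
        value = value * 10 + (b & 0x0F)
    return -value if (raw[-1] >> 4) == 0xD else value


def _field(record: bytes, offset: int, fmt: str):
    start = offset - 1                      # table offsets are 1-based
    if fmt.startswith("Char("):
        width = int(fmt[5:-1])
        return record[start:start + width].decode(EBCDIC).rstrip()
    if fmt.startswith("Zoned("):
        width = int(fmt[6:].split(",")[0])
        return _zoned(record[start:start + width])
    if fmt.startswith("VarBin("):
        capacity = int(fmt[7:-1])
        (length,) = struct.unpack(">H", record[start:start + 2])
        if length > capacity - 2:
            raise ValueError(f"length prefix {length} exceeds field capacity")
        return record[start + 2:start + 2 + length]   # binary, never decoded as text
    raise ValueError(f"unsupported format {fmt}")


def decode_im_entry(record: bytes) -> dict:
    """Decode the IM entry-specific data from a *TYPE5 record image."""
    entry = {name: _field(record, off, fmt) for name, off, fmt in IM_LAYOUT}
    if entry["entry_type"] != "P":
        raise ValueError(f"unexpected IM entry type {entry['entry_type']!r}")
    return entry


def summarize(entry: dict) -> str:
    """One-line alert text a forwarder might emit for the entry."""
    throttled = "throttled" if entry["throttling"] == "1" else "not throttled"
    return (f"{entry['probe_type']}/{entry['event_type']} "
            f"{entry['remote_ip']}:{entry['remote_port']} -> "
            f"{entry['local_ip']}:{entry['local_port']} proto {entry['protocol']} "
            f"({throttled}, {entry['discarded_packets']} packets discarded)")


def _put(rec: bytearray, offset: int, text: str, width: int) -> None:
    rec[offset - 1:offset - 1 + width] = text.ljust(width).encode(EBCDIC)


def build_sample_record() -> bytes:
    """Constructed sample record; every value below is made up for this example."""
    rec = bytearray(b"\x40" * 1784)         # EBCDIC blanks through the end of Suspected Packet
    _put(rec, 610, "P", 1)
    _put(rec, 611, "2010-06-15-14.22.07.123456", 26)
    _put(rec, 637, "0001", 4)
    _put(rec, 641, "4", 1); _put(rec, 642, "00023", 5); _put(rec, 647, "10.1.2.3", 46)
    _put(rec, 693, "4", 1); _put(rec, 694, "51234", 5); _put(rec, 699, "192.0.2.44", 46)
    _put(rec, 745, "SCANE", 6); _put(rec, 751, "0001", 4); _put(rec, 755, "FLOOD", 8)
    _put(rec, 763, "006", 3); _put(rec, 766, "0001", 4); _put(rec, 770, "1", 1)
    _put(rec, 771, "00042", 5); _put(rec, 776, "P", 1)
    packet = bytes.fromhex("4500002800010000400600000a010203c000022c")  # 20-byte IPv4 header
    rec[782:784] = struct.pack(">H", len(packet))                      # length prefix at offset 783
    rec[784:784 + len(packet)] = packet
    return bytes(rec)


if __name__ == "__main__":
    print(summarize(decode_im_entry(build_sample_record())))
```

Because the layout is data, adding another entry type means adding another offset list from its table rather than more slicing code; the one thing not to generalize is the packet field, which must stay bytes (CCSID 65535) all the way to the SIEM.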

IP (Interprocess Communication) journal entries

This table provides the format of the IP (Interprocess Communication) journal entries.

Table 181. IP (Interprocess Communication) journal entries. QASYIPJE/J4/J5 Field Description File

Offset (JE/J4/J5)   Field                   Format       Description
1/1/1               Heading fields common to all entry types. See Standard heading fields for audit journal entries QJORDJE5 Record Format (*TYPE5) on page 562, QJORDJE4 Record Format (*TYPE4) on page 563, and QJORDJE2 Record Format (*TYPE2) on page 565 for the field listing.
156/224/610         Entry Type              Char(1)      The type of entry:
                                                           A  Ownership and/or authority changes
                                                           C  Create
                                                           D  Delete
                                                           F  Authority failure
                                                           G  Get
                                                           M  Shared memory attach
                                                           Z  Normal semaphore close or shared memory detach
157/225/611         IPC Type                Char(1)      IPC type:
                                                           M  Shared memory
                                                           N  Normal semaphore
                                                           Q  Message queue
                                                           S  Semaphore
158/226/612         IPC Handle              Binary(5)    IPC handle ID.
162/230/616         New Owner               Char(10)     New owner of the IPC entity.
172/240/626         Old Owner               Char(10)     Old owner of the IPC entity.
182/250/636         Owner Authority         Char(3)      Owner's authority to the IPC entity:
                                                           *R   Read
                                                           *W   Write
                                                           *RW  Read and write
185/253/639         New Group               Char(10)     Group associated with the IPC entity.
195/263/649         Old Group               Char(10)     Previous group associated with the IPC entity.
205/273/659         Group Authority         Char(3)      Group's authority to the IPC entity:
                                                           *R   Read
                                                           *W   Write
                                                           *RW  Read and write
208/276/662         Public Authority        Char(3)      Public's authority to the IPC entity:
                                                           *R   Read
                                                           *W   Write
                                                           *RW  Read and write
211/279/665         Semaphore Name CCSID    Binary(5)    The CCSID of the semaphore name.
216/283/669         Semaphore Name Length   Binary(4)    The length of the semaphore name.
218/285/671         Semaphore Name          Char(2050)   The semaphore name. Note: This is a variable length field. The first two characters contain the length of the semaphore name.

IR (IP Rules Actions) journal entries

This table provides the format of the IR (IP Rules Actions) journal entries.

Table 182. IR (IP Rules Actions) journal entries. QASYIRJ4/J5 Field Description File

Offset (JE/J4/J5)   Field                            Format       Description
-/1/1               Heading fields common to all entry types. See Standard heading fields for audit journal entries QJORDJE5 Record Format (*TYPE5) on page 562 and Standard heading fields for audit journal entries QJORDJE4 Record Format (*TYPE4) on page 563 for the field listing.
-/224/610           Entry Type                       Char(1)      The type of entry:
                                                                    L  IP rules have been loaded from a file.
                                                                    N  IP rules have been unloaded for an IP Security connection.
                                                                    P  IP rules have been loaded for an IP Security connection.
                                                                    R  IP rules have been read and copied to a file.
                                                                    U  IP rules have been unloaded (removed).
-/225/611           File Name                        Char(10)     The name of the QSYS file used to load or receive the IP rules. This value is blank if the file used was not in the QSYS file system.
-/235/621           File Library                     Char(10)     The name of the QSYS file library.
-/245/631           Reserved                         Char(18)
-/263/649           File Name Length                 Binary(4)    The length of the file name.
-/265/651           File Name CCSID [1]              Binary(5)    The coded character set identifier for the file name.
-/269/655           File Country or Region ID [1]    Char(2)      The Country or Region ID for the file name.
-/271/657           File Language ID [1]             Char(3)      The language ID for the file name.
-/274/660           Reserved                         Char(3)
-/277/663           Parent File ID [1][2]            Char(16)     The file ID of the parent directory.
-/293/679           Object File ID [1][2]            Char(16)     The file ID of the file.
-/309/695           File Name [1]                    Char(512)    The name of the file.
-/821/1207          Connection Sequence              Char(40)     The connection name.
-/861/1247          Object File ID                   Char(16)     The file ID of the object.
-/877/1263          ASP Name                         Char(10)     The name of the ASP device.
-/887/1273          ASP Number [5]                   Char(5)      The number of the ASP device.
-/892/1278          Path Name CCSID                  Binary(5)    The coded character set identifier for the path name.
-/896/1282          Path Name Country or Region ID   Char(2)      The Country or Region ID for the path name.
-/898/1284          Path Name Language ID            Char(3)      The language ID for the path name.
-/901/1287          Path Name Length                 Binary(4)    The length of the path name.
-/903/1289          Path Name Indicator              Char(1)      Path name indicator:
                                                                    Y  The Path Name field contains the complete absolute path name for the object.
                                                                    N  The Path Name field does not contain an absolute path name for the object; it contains a relative path name. The Relative Directory File ID field is valid and can be used to form an absolute path name with this relative path name.
-/904/1290          Relative Directory File ID [3]   Char(16)     When the Path Name Indicator field is N, this field contains the file ID of the directory that contains the object identified in the Path Name field. Otherwise it contains hex zeros.
-/920/1306          Path Name [4]                    Char(5002)   The path name of the object.

[1] These fields are used only for objects in the "root" (/), QOpenSys, and user-defined file systems.
[2] If the ID has the left-most bit set and the rest of the bits zero, the ID is not set.
[3] If the Path Name Indicator field is N, but the Relative Directory File ID is hex zeros, then there was some error in determining the path name information.
[4] This is a variable length field. The first two bytes contain the length of the field.
[5] If the object is in a library, this is the ASP information of the object's library. If the object is not in a library, this is the ASP information of the object.

IS (Internet Security Management) journal entries

This table provides the format of the IS (Internet Security Management) journal entries.

Table 183. IS (Internet Security Management) journal entries. QASYISJ4/J5 Field Description File

Offset (JE/J4/J5)   Field                        Format       Description
-/1/1               Heading fields common to all entry types. See Standard heading fields for audit journal entries QJORDJE5 Record Format (*TYPE5) on page 562 and Standard heading fields for audit journal entries QJORDJE4 Record Format (*TYPE4) on page 563 for the field listing.
-/224/610           Entry Type                   Char(1)      The type of entry:
                                                                A  Fail (this type no longer used)
                                                                C  Normal (this type no longer used)
                                                                U  Mobile User (this type no longer used)
                                                                1  IKE Phase 1 SA Negotiation
                                                                2  IKE Phase 2 SA Negotiation
-/225/611           Local IP Address [1]         Char(15)     Local IP address.
-/240/626           Local Client ID Port         Char(5)      Local Client ID port.
-/245/631           Remote IP Address [1]        Char(15)     Remote IP address.
-/260/646           Remote Client ID Port        Char(5)      Remote Client ID port (valid for phase 2).
-/265/651           Local IP Address Family      Char(1)      Local IP address family:
                                                                4  IPv4
                                                                6  IPv6
-/-/652             Local IP Address             Char(46)     Local IP address.
-/-/698             Remote IP Address Family     Char(1)      Remote IP address family:
                                                                4  IPv4
                                                                6  IPv6
-/-/699             Remote IP Address            Char(46)     Remote IP address.
-/-/745             Reserved                     Char(162)    Reserved.
-/521/907           Result Code                  Char(4)      Negotiation result:
                                                                0     Successful
                                                                1-30  Protocol specific errors (documented in ISAKMP RFC2408, found at http://www.ietf.org)
                                                                82xx  i5/OS VPN Key Manager specific errors
-/525/911           CCSID                        Bin(5)       The coded character set identifier for the following fields: Local ID, Local Client ID Value, Remote ID, and Remote Client ID Value.
-/529/915           Local ID                     Char(256)    Local IKE identifier.
-/785/1171          Local Client ID Type         Char(2)      Type of client ID (valid for phase 2):
                                                                1   IP version 4 address
                                                                2   Fully qualified domain name
                                                                3   User fully qualified domain name
                                                                4   IP version 4 subnet
                                                                5   IP version 6 address
                                                                6   IP version 6 subnet
                                                                7   IP version 4 address range
                                                                8   IP version 6 address range
                                                                9   Distinguished name
                                                                11  Key identifier
-/787/1173          Local Client ID Value        Char(256)    Local client ID (valid for phase 2).
-/1043/1429         Local Client ID Protocol     Char(4)      Local client ID protocol (valid for phase 2).
-/1047/1433         Remote ID                    Char(256)    Remote IKE identifier.
-/1303/1689         Remote Client ID Type        Char(2)      Type of client ID (valid for phase 2):
                                                                1   IP version 4 address
                                                                2   Fully qualified domain name
                                                                3   User fully qualified domain name
                                                                4   IP version 4 subnet
                                                                5   IP version 6 address
                                                                6   IP version 6 subnet
                                                                7   IP version 4 address range
                                                                8   IP version 6 address range
                                                                9   Distinguished name
                                                                11  Key identifier
-/1305/1691         Remote Client ID Value       Char(256)    Remote client ID (valid for phase 2).
-/1561/1947         Remote Client ID Protocol    Char(4)      Remote client ID protocol (valid for phase 2).

[1] This field only supports IPv4 addresses.

JD (Job Description Change) journal entries

This table provides the format of the JD (Job Description Change) journal entries.

Table 184. JD (Job Description Change) journal entries. QASYJDJE/J4/J5 Field Description File

Offset (JE/J4/J5)   Field             Format       Description
1/1/1               Heading fields common to all entry types. See Standard heading fields for audit journal entries QJORDJE5 Record Format (*TYPE5) on page 562, QJORDJE4 Record Format (*TYPE4) on page 563, and QJORDJE2 Record Format (*TYPE2) on page 565 for the field listing.
156/224/610         Entry Type        Char(1)      The type of entry:
                                                     A  User profile specified for the USER parameter of a job description
157/225/611         Job Description   Char(10)     The name of the job description that had the USER parameter changed.
167/235/621         Library Name      Char(10)     The name of the library where the object is stored.
177/245/631         Object Type       Char(8)      The type of object.
185/253/639         Command Type      Char(3)      The type of command used:
                                                     CHG  Change Job Description (CHGJOBD) command.
                                                     CRT  Create Job Description (CRTJOBD) command.
188/256/642         Old User          Char(10)     The name of the user profile specified for the USER parameter before the job description was changed.
198/266/652         New User          Char(10)     The name of the user profile specified for the USER parameter when the job description was changed.
-/-/662             ASP Name          Char(10)     ASP name for the JOBD library.
-/-/672             ASP Number        Char(5)      ASP number for the JOBD library.

JS (Job Change) journal entries


This table provides the format of the JS (Job Change) journal entries.
Table 185. JS (Job Change) journal entries. QASYJSJE/J4/J5 Field Description File

| Field | JE | J4 | J5 | Format | Description |
|---|---|---|---|---|---|
| Heading fields | 1 | 1 | 1 | | Heading fields common to all entry types. See Standard heading fields for audit journal entries QJORDJE5 Record Format (*TYPE5) on page 562, Standard heading fields for audit journal entries QJORDJE4 Record Format (*TYPE4) on page 563, and Standard heading fields for audit journal entries QJORDJE2 Record Format (*TYPE2) on page 565 for field listing. |
| Entry Type | 156 | 224 | 610 | Char(1) | The type of entry. A = ENDJOBABN command; B = Submit; C = Change; E = End; H = Hold; I = Disconnect; J = The current job is attempting to interrupt another job; K = The current job is about to be interrupted; L = The interruption of the current job has completed; M = Change profile or group profile; N = ENDJOB command; P = Attach prestart or batch immediate job; Q = Change query attributes; R = Release; S = Start; T = Change profile or group profile using a profile token; U = CHGUSRTRC; V = Virtual device changed by QWSACCDS API. |
| Job Type | 157 | 225 | 611 | Char(1) | The type of job. A = Autostart; B = Batch; I = Interactive; M = Subsystem monitor; R = Reader; S = System; W = Writer; X = SCPF. |
| Job Subtype | 158 | 226 | 612 | Char(1) | The subtype of the job. ' ' = No subtype; D = Batch immediate; E = Procedure start request; J = Prestart; P = Print device driver; Q = Query; T = MRT; U = Alternate spool user. |
| Job Name | 159 | 227 | 613 | Char(10) | The first part of the qualified job name being operated on. |
| Job User Name | 169 | 237 | 623 | Char(10) | The second part of the qualified job name being operated on. |
| Job Number | 179 | 247 | 633 | Char(6) | The third part of the qualified job name being operated on. |
| Device Name | 185 | 253 | 639 | Char(10) | The name of the device. |
| Effective User Profile [2] | 195 | 263 | 649 | Char(10) | The name of the effective user profile for the thread. |
| Job Description Name | 205 | 273 | 659 | Char(10) | The name of the job description for the job. |
| Job Description Library | 215 | 283 | 669 | Char(10) | The name of the library for the job description. |
| Job Queue Name | 225 | 293 | 679 | Char(10) | The name of the job queue for the job. |
| Job Queue Library | 235 | 303 | 689 | Char(10) | The name of the library for the job queue. |
| Output Queue Name | 245 | 313 | 699 | Char(10) | The name of the output queue for the job. |
| Output Queue Library | 255 | 323 | 709 | Char(10) | The name of the library for the output queue. |
| Printer Device | 265 | 333 | 719 | Char(10) | The name of the printer device for the job. |
| Library List | 275 | 343 | 729 | Char(430) | The library list for the job. |
| Effective Group Profile Name [2] | 705 | 773 | 1159 | Char(10) | The name of the effective group profile for the thread. |
| Supplemental Group Profiles [2] | 715 | 783 | 1169 | Char(150) | The names of the supplemental group profiles for the thread. |
| JUID Description | | 933 | 1319 | Char(1) | Describes the meaning of the JUID field. ' ' = The JUID field contains the value for the job; C = The clear JUID API was called, and the JUID field contains the new value; S = The set JUID API was called, and the JUID field contains the new value. |
| JUID Field | | 934 | 1320 | Char(10) | Contains the JUID value. |
| Real User Profile | | 944 | 1330 | Char(10) | The name of the real user profile for the thread. |
| Saved User Profile | | 954 | 1340 | Char(10) | The name of the saved user profile for the thread. |
| Real Group Profile | | 964 | 1350 | Char(10) | The name of the real group profile for the thread. |
| Saved Group Profile | | 974 | 1360 | Char(10) | The name of the saved group profile for the thread. |
| Real User Changed [3] | | 984 | 1370 | Char(1) | The real user profile was changed. Y = Yes; N = No. |
| Effective User Changed [3] | | 985 | 1371 | Char(1) | The effective user profile was changed. Y = Yes; N = No. |
| Saved User Changed [3] | | 986 | 1372 | Char(1) | The saved user profile was changed. Y = Yes; N = No. |
| Real Group Changed [3] | | 987 | 1373 | Char(1) | The real group profile was changed. Y = Yes; N = No. |
| Effective Group Changed [3] | | 988 | 1374 | Char(1) | The effective group profile was changed. Y = Yes; N = No. |
| Saved Group Changed [3] | | 989 | 1375 | Char(1) | The saved group profile was changed. Y = Yes; N = No. |
| Supplemental Groups Changed [3] | | 990 | 1376 | Char(1) | The supplemental group profiles were changed. Y = Yes; N = No. |
| Library List Number [4] | | 991 | 1377 | Bin(4) | The number of libraries in the library list extension field (offset 993). |
| Library List Extension [4,5] | | 993 | 1379 | Char(2252) | The extension to the library list for the job. |
| Library ASP group | | | 3631 | Char(10) | Library ASP group. |
| ASP name | | | 3641 | Char(10) | ASP name for the JOBD library. |
| ASP number | | | 3651 | Char(5) | ASP number for the JOBD library. |
| Time Zone Name | | | 3656 | Char(10) | The time zone description name. |
| Exit Job Name or Workload Capping Group Name [6,7,8] | | | 3666 | Char(10) | Can contain any of the following values: the name of the job that interrupted the current job; the name of the job that was interrupted by the current job; the name of the workload capping group associated with the job. |
| Exit Job User | | | 3676 | Char(10) | The user of the job that interrupted the current job, or the user of the job that was interrupted by the current job. |
| Exit Job Number [6,7] | | | 3686 | Char(6) | The number of the job that interrupted the current job, or the job number of the job that was interrupted by the current job. |
| Exit Program Name [6] | | | 3692 | Char(10) | The exit program used to interrupt the job. |
| Exit Program Library [6] | | | 3702 | Char(10) | The library name of the exit program used to interrupt the job. |
| JOBQ Library ASP Name | | | 3712 | Char(10) | ASP name for the JOBQ library. |
| JOBQ Library ASP Number | | | 3722 | Char(5) | ASP number of the JOBQ library. |

Notes:
[1] This field is blank if the job is on the job queue and has not run.
[2] When the JS audit record is generated because one job performs an operation on another job, this field contains data from the initial thread of the job that is being operated on. In all other cases, the field contains data from the thread that performed the operation.
[3] This field is used only when the entry type (offset 610) is M or T.
[4] This field is used only if the number of libraries in the library list exceeds the size of the field at offset 729.
[5] This is a variable length field. The first two bytes contain the length of the data in the field.
[6] This field is used only when the entry type (offset 610) is J, K, or L.
[7] When the entry type is J, this field contains information about the job that will be interrupted. When the entry type is K or L, this field contains information about the job that requested the interruption of the current job.
[8] When the entry type is C, E, or S, this field contains the Workload Capping Group Name.

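As an added example (not part of the IBM reference), the following Python decodes the type-specific fields of a *TYPE5 JS record at the J5 offsets in Table 185, including the Y/N change flags that note 3 ties to entry types M and T and the variable-length library list extension of notes 4 and 5. The sample record is constructed; the 2-byte big-endian encoding of the Bin(4) fields and the EBCDIC CCSID 37 (cp037) encoding of the character data are assumptions.

```python
"""Decode the type-specific fields of an IBM i JS (Job Change) audit entry in the
*TYPE5 (QASYJSJ5) layout, using the 1-based J5 offsets from Table 185. Heading
fields (offsets 1-609) are not decoded. Sample records are constructed below."""
import struct

# Entry Type codes (offset 610) and Job Type codes (offset 611) from Table 185.
JS_ENTRY_TYPES = {
    "A": "ENDJOBABN command", "B": "Submit", "C": "Change", "E": "End",
    "H": "Hold", "I": "Disconnect",
    "J": "Current job is attempting to interrupt another job",
    "K": "Current job is about to be interrupted",
    "L": "Interruption of the current job has completed",
    "M": "Change profile or group profile", "N": "ENDJOB command",
    "P": "Attach prestart or batch immediate job", "Q": "Change query attributes",
    "R": "Release", "S": "Start",
    "T": "Change profile or group profile using a profile token",
    "U": "CHGUSRTRC", "V": "Virtual device changed by QWSACCDS API",
}
JOB_TYPES = {"A": "Autostart", "B": "Batch", "I": "Interactive", "M": "Subsystem monitor",
             "R": "Reader", "S": "System", "W": "Writer", "X": "SCPF"}
# (name, J5 offset, length) of the Char fields decoded here.
J5_CHAR_FIELDS = [
    ("entry_type", 610, 1), ("job_type", 611, 1), ("job_subtype", 612, 1),
    ("job_name", 613, 10), ("job_user", 623, 10), ("job_number", 633, 6),
    ("device", 639, 10), ("effective_user", 649, 10),
    ("jobd_name", 659, 10), ("jobd_library", 669, 10),
    ("jobq_name", 679, 10), ("jobq_library", 689, 10),
    ("outq_name", 699, 10), ("outq_library", 709, 10), ("printer", 719, 10),
    ("library_list", 729, 430), ("effective_group", 1159, 10),
    ("supplemental_groups", 1169, 150), ("juid_description", 1319, 1),
    ("juid", 1320, 10), ("real_user", 1330, 10), ("saved_user", 1340, 10),
    ("real_group", 1350, 10), ("saved_group", 1360, 10),
]
# Y/N change flags at offsets 1370-1376; note 3: used only for entry types M and T.
CHANGE_FLAGS = [
    ("real_user_changed", 1370), ("effective_user_changed", 1371),
    ("saved_user_changed", 1372), ("real_group_changed", 1373),
    ("effective_group_changed", 1374), ("saved_group_changed", 1375),
    ("supplemental_groups_changed", 1376),
]
LIBL_COUNT_OFFSET = 1377  # Bin(4): number of libraries in the extension (note 4)
LIBL_EXT_OFFSET = 1379    # Char(2252), variable length: first 2 bytes = data length (note 5)
RECORD_LEN = 3630         # last byte of the library list extension


def _text(rec, offset, length, encoding):
    """Fixed-length Char field at a 1-based offset, trailing blanks removed."""
    return rec[offset - 1:offset - 1 + length].decode(encoding).rstrip()


def _bin4(rec, offset):
    """Bin(4) is a 2-byte binary in the outfile; big-endian signed is assumed."""
    return struct.unpack(">h", rec[offset - 1:offset + 1])[0]


def _split_libl(text):
    """Library lists are packed as consecutive Char(10) names; drop empty slots."""
    return [n for n in (text[i:i + 10].rstrip() for i in range(0, len(text), 10)) if n]


def parse_js_j5(rec, encoding="cp037"):
    """Decode one *TYPE5 JS record. cp037 (EBCDIC) matches data copied from the
    system unchanged; pass "ascii" or "latin-1" for already converted data."""
    if len(rec) < RECORD_LEN:
        raise ValueError("record too short for the *TYPE5 JS layout")
    out = {name: _text(rec, off, ln, encoding) for name, off, ln in J5_CHAR_FIELDS}
    out["entry_type_text"] = JS_ENTRY_TYPES.get(out["entry_type"], "unknown")
    out["job_type_text"] = JOB_TYPES.get(out["job_type"], "unknown")
    libl = _split_libl(out.pop("library_list"))
    if _bin4(rec, LIBL_COUNT_OFFSET) > 0:  # list overflowed the Char(430) field at 729
        data_len = _bin4(rec, LIBL_EXT_OFFSET)
        start = LIBL_EXT_OFFSET + 1  # first data byte follows the 2-byte length
        libl += _split_libl(rec[start:start + data_len].decode(encoding))
    out["library_list"] = libl
    if out["entry_type"] in ("M", "T"):
        out["changed"] = [n for n, off in CHANGE_FLAGS if _text(rec, off, 1, encoding) == "Y"]
    return out


def build_sample(encoding="cp037"):
    """Constructed sample (not real journal data): entry type M for an interactive
    job whose 45-library list overflowed into the extension field."""
    rec = bytearray(" ".encode(encoding) * RECORD_LEN)

    def put(offset, value, length):
        rec[offset - 1:offset - 1 + length] = value.ljust(length).encode(encoding)

    put(610, "M", 1); put(611, "I", 1)
    put(613, "QPADEV0001", 10); put(623, "ALICE", 10); put(633, "123456", 6)
    put(639, "QPADEV0001", 10); put(649, "ALICE", 10)
    put(659, "QDFTJOBD", 10); put(669, "QGPL", 10)
    put(729, "".join(f"LIB{i:02d}".ljust(10) for i in range(43)), 430)  # fills the field
    put(1159, "DEVGRP", 10); put(1330, "ALICE", 10); put(1350, "DEVGRP", 10)
    for (_, off), flag in zip(CHANGE_FLAGS, "NYNNYNN"):
        put(off, flag, 1)
    extra = "LIB43".ljust(10) + "LIB44".ljust(10)
    rec[LIBL_COUNT_OFFSET - 1:LIBL_COUNT_OFFSET + 1] = struct.pack(">h", 2)
    rec[LIBL_EXT_OFFSET - 1:LIBL_EXT_OFFSET + 1] = struct.pack(">h", len(extra))
    rec[LIBL_EXT_OFFSET + 1:LIBL_EXT_OFFSET + 1 + len(extra)] = extra.encode(encoding)
    return bytes(rec)
```

Running `parse_js_j5(build_sample())` yields a type M entry for job 123456/ALICE/QPADEV0001 with 45 libraries and the effective user and effective group flagged as changed.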

KF (Key Ring File) journal entries


This table provides the format of the KF (Key Ring File) journal entries.
Table 186. KF (Key Ring File) journal entries. QASYKFJ4/J5 Field Description File

| Field | JE | J4 | J5 | Format | Description |
|---|---|---|---|---|---|
| Heading fields | | 1 | 1 | | Heading fields common to all entry types. See Standard heading fields for audit journal entries QJORDJE5 Record Format (*TYPE5) on page 562 and Standard heading fields for audit journal entries QJORDJE4 Record Format (*TYPE4) on page 563 for field listing. |
| Entry Type | | 224 | 610 | Char(1) | The type of entry. C = Certificate operation; K = Key ring file operation; P = Password incorrect; T = Trusted root operation. |
| Certificate Operation [4] | | 225 | 611 | Char(3) | Type of action. ADK = Certificate with private key added; ADD = Certificate added; REQ = Certificate requested; SGN = Certificate signed. |
| Key Ring Operation [5] | | 228 | 614 | Char(3) | Type of action. ADD = Key ring pair added; DFT = Key ring pair designated as default; EXP = Key ring pair exported; IMP = Key ring pair imported; LST = List the key ring pair labels in a file; PWD = Change key ring file password; RMV = Key ring pair removed; INF = Key ring pair information retrieval; 2DB = Key ring file converted to key database file format; 2YR = Key database file converted to key ring file. |
| Trusted Root Operation [6] | | 231 | 617 | Char(3) | Type of action. TRS = Key ring pair designated as trusted root; RMV = Trusted root designation removed; LST = List trusted roots. |
| Reserved | | 234 | 620 | Char(18) | |
| Object Name Length | | 252 | 638 | Binary(4) | Key ring file name length. |
| Object Name CCSID | | 254 | 640 | Binary(5) | Key ring file name CCSID. |
| Object Name Country or Region ID | | 258 | 644 | Char(2) | Key ring file name Country or Region ID. |
| Object Name Language ID | | 260 | 646 | Char(3) | Key ring file name language ID. |
| Reserved | | 263 | 649 | Char(3) | |
| Parent File ID | | 266 | 652 | Char(16) | Key ring parent directory file ID. |
| Object File ID | | 282 | 668 | Char(16) | Key ring directory file name. |
| Object Name | | 298 | 684 | Char(512) | Key ring file name. |
| Reserved | | 810 | 1196 | Char(18) | |
| Object Name Length | | 828 | 1214 | Binary(4) | Source or destination file name length. |
| Object Name CCSID | | 830 | 1216 | Binary(5) | Source or destination file name CCSID. |
| Object Name Country or Region ID | | 834 | 1220 | Char(2) | Source or destination file name Country or Region ID. |
| Object Name Language ID | | 836 | 1222 | Char(3) | Source or destination file name language ID. |
| Reserved | | 839 | 1225 | Char(3) | |
| Parent File ID | | 842 | 1228 | Char(16) | Source or destination parent directory file ID. |
| Object File ID | | 858 | 1244 | Char(16) | Source or destination directory file ID. |
| Object Name | | 874 | 1260 | Char(512) | Source or destination file name. |
| Certificate Label Length | | 1386 | 1772 | Binary(4) | The length of the certificate label. |
| Certificate Label [1] | | 1388 | 1774 | Char(1026) | The certificate label. |
| Object File ID | | 2414 | 2800 | Char(16) | The file ID of the key ring file. |
| ASP Name | | 2430 | 2816 | Char(10) | The name of the ASP device. |
| ASP Number | | 2440 | 2826 | Char(5) | The number of the ASP device. |
| Path Name CCSID | | 2445 | 2831 | Binary(5) | The coded character set identifier for the path name. |
| Path Name Country or Region ID | | 2449 | 2835 | Char(2) | The Country or Region ID for the path name. |
| Path Name Language ID | | 2451 | 2837 | Char(3) | The language ID for the path name. |
| Path Name Length | | 2454 | 2840 | Binary(4) | The length of the path name. |
| Path Name Indicator | | 2456 | 2842 | Char(1) | Path name indicator. Y = The Path Name field contains the complete absolute path name for the key ring file; N = The Path Name field does not contain an absolute path name for the object but a relative path name, and the Relative Directory File ID field is valid and can be used to form an absolute path name with this relative path name. |
| Relative Directory File ID [2] | | 2457 | 2843 | Char(16) | When the Path Name Indicator field is N, this field contains the file ID of the directory that contains the object identified in the Path Name field. Otherwise it contains hex zeros. |
| Absolute Path Name [1] | | 2473 | 2859 | Char(5002) | The absolute path name of the key ring file. |
| Object File ID | | 7475 | 7861 | Char(16) | The file ID of the source or destination file. |
| ASP Name | | 7491 | 7877 | Char(10) | Source or destination file ASP name. |
| ASP Number | | 7501 | 7887 | Char(5) | Source or destination file ASP number. |
| Path Name CCSID | | 7506 | 7892 | Binary(5) | The coded character set identifier for the path name. |
| Path Name Country or Region ID | | 7510 | 7896 | Char(2) | The Country or Region ID for the path name. |
| Path Name Language ID | | 7512 | 7898 | Char(3) | The language ID for the path name. |
| Path Name Length | | 7515 | 7901 | Binary(4) | The length of the path name. |
| Path Name Indicator | | 7517 | 7903 | Char(1) | Path name indicator. Y = The Path Name field contains the complete absolute path name for the source or destination file; N = The Path Name field does not contain an absolute path name for the object but a relative path name, and the Relative Directory File ID field is valid and can be used to form an absolute path name with this relative path name. |
| Relative Directory File ID [3] | | 7518 | 7904 | Char(16) | When the Path Name Indicator field is N, this field contains the file ID of the directory that contains the object identified in the Path Name field. Otherwise it contains hex zeros. |
| Absolute Path Name [1] | | 7534 | 7920 | Char(5002) | The absolute path name of the source or destination file. |

Notes:
[1] This is a variable length field. The first 2 bytes contain the length of the path name.
[2] If the Path Name Indicator field is N, but the Relative Directory File ID is hex zeros, then there was some error in determining the path name information.
[3] When the path name indicator (offset 7517) is N, this field contains the relative file ID of the absolute path name at offset 7534. When the path name indicator is Y, this field contains 16 bytes of hex zeros.
[4] The field is blank when the entry is not a certificate operation.
[5] The field is blank when the entry is not a key ring file operation.
[6] The field is blank when the entry is not a trusted root operation.

LD (Link, Unlink, Search Directory) journal entries


This table provides the format of the LD (Link, Unlink, Search Directory) journal entries.
Table 187. LD (Link, Unlink, Search Directory) journal entries. QASYLDJE/J4/J5 Field Description File

| Field | JE | J4 | J5 | Format | Description |
|---|---|---|---|---|---|
| Heading fields | 1 | 1 | 1 | | Heading fields common to all entry types. See Standard heading fields for audit journal entries QJORDJE5 Record Format (*TYPE5) on page 562, Standard heading fields for audit journal entries QJORDJE4 Record Format (*TYPE4) on page 563, and Standard heading fields for audit journal entries QJORDJE2 Record Format (*TYPE2) on page 565 for field listing. |
| Entry Type | 156 | 224 | 610 | Char(1) | The type of entry. L = Link directory; U = Unlink directory; K = Search directory. |
| (Reserved area) | 157 | | | Char(20) | |
| (Reserved area) | | 225 | 611 | Char(18) | |
| Object Name Length [1] | | 243 | 629 | Binary(4) | The length of the object name. |
| Object Name CCSID [1] | 177 | 245 | 631 | Binary(5) | The coded character set identifier for the object name. |
| Object Name Country or Region ID [1] | 181 | 249 | 635 | Char(2) | The Country or Region ID for the object name. |
| Object Name Language ID [1] | 183 | 251 | 637 | Char(3) | The language ID for the object name. |
| (Reserved area) | 186 | 254 | 640 | Char(3) | |
| Parent File ID [1,2] | 189 | 257 | 643 | Char(16) | The file ID of the parent directory. |
| Object File ID [1,2] | 205 | 273 | 659 | Char(16) | The file ID of the object. |
| Object Name [1] | 221 | 289 | 675 | Char(512) | The name of the object. |
| Object File ID | | 801 | 1187 | Char(16) | The file ID of the object. |
| ASP Name | | 817 | 1203 | Char(10) | The name of the ASP device. |
| ASP Number | | 827 | 1213 | Char(5) | The number of the ASP device. |
| Path Name CCSID | | 832 | 1218 | Binary(5) | The coded character set identifier for the path name. |
| Path Name Country or Region ID | | 836 | 1222 | Char(2) | The Country or Region ID for the path name. |
| Path Name Language ID | | 838 | 1224 | Char(3) | The language ID for the path name. |
| Path Name Length | | 841 | 1227 | Binary(4) | The length of the path name. |
| Path Name Indicator | | 843 | 1229 | Char(1) | Path name indicator. Y = The Path Name field contains the complete absolute path name for the object; N = The Path Name field does not contain an absolute path name for the object but a relative path name, and the Relative Directory File ID field is valid and can be used to form an absolute path name with this relative path name. |
| Relative Directory File ID [1] | | 844 | 1230 | Char(16) | When the Path Name Indicator field is N, this field contains the file ID of the directory that contains the object identified in the Path Name field. Otherwise it contains hex zeros. |
| Path Name [2] | | 860 | 1246 | Char(5002) | The path name of the object. |

Notes:
[1] If the Path Name Indicator field is N, but the Relative Directory File ID is hex zeros, then there was some error in determining the path name information.
[2] This is a variable length field. The first 2 bytes contain the length of the path name.


ML (Mail Actions) journal entries


This table provides the format of the ML (Mail Actions) journal entries.
Table 188. ML (Mail Actions) journal entries. QASYMLJE/J4/J5 Field Description File

| Field | JE | J4 | J5 | Format | Description |
|---|---|---|---|---|---|
| Heading fields | 1 | 1 | 1 | | Heading fields common to all entry types. See Standard heading fields for audit journal entries QJORDJE5 Record Format (*TYPE5) on page 562, Standard heading fields for audit journal entries QJORDJE4 Record Format (*TYPE4) on page 563, and Standard heading fields for audit journal entries QJORDJE2 Record Format (*TYPE2) on page 565 for field listing. |
| Entry Type | 156 | 224 | 610 | Char(1) | The type of entry. O = Mail log opened. |
| User Profile | 157 | 225 | 611 | Char(10) | User profile name. |
| User ID | 167 | 235 | 621 | Char(8) | User identifier. |
| Address | 175 | 243 | 629 | Char(8) | User address. |

NA (Attribute Change) journal entries


This table provides the format of the NA (Attribute Change) journal entries.
Table 189. NA (Attribute Change) journal entries. QASYNAJE/J4/J5 Field Description File

| Field | JE | J4 | J5 | Format | Description |
|---|---|---|---|---|---|
| Heading fields | 1 | 1 | 1 | | Heading fields common to all entry types. See Standard heading fields for audit journal entries QJORDJE5 Record Format (*TYPE5) on page 562, Standard heading fields for audit journal entries QJORDJE4 Record Format (*TYPE4) on page 563, and Standard heading fields for audit journal entries QJORDJE2 Record Format (*TYPE2) on page 565 for field listing. |
| Entry Type | 156 | 224 | 610 | Char(1) | The type of entry. A = Change to network attribute; T = Change to TCP/IP attribute. |
| Attribute | 157 | 225 | 611 | Char(10) | The name of the attribute. |
| New Attribute Value | 167 | 235 | 621 | Char(250) | The value of the attribute after it was changed. |
| Old Attribute Value | 417 | 485 | 871 | Char(250) | The value of the attribute before it was changed. |


ND (APPN Directory Search Filter) journal entries


This table provides the format of the ND (APPN Directory Search Filter) journal entries.
Table 190. ND (APPN Directory Search Filter) journal entries. QASYNDJE/J4/J5 Field Description File

| Field | JE | J4 | J5 | Format | Description |
|---|---|---|---|---|---|
| Heading fields | 1 | 1 | 1 | | Heading fields common to all entry types. See Standard heading fields for audit journal entries QJORDJE5 Record Format (*TYPE5) on page 562, Standard heading fields for audit journal entries QJORDJE4 Record Format (*TYPE4) on page 563, and Standard heading fields for audit journal entries QJORDJE2 Record Format (*TYPE2) on page 565 for field listing. |
| Entry Type | 156 | 224 | 610 | Char(1) | The type of entry. A = Directory search filter violation. |
| Filtered control point name | 157 | 225 | 611 | Char(8) | Filtered control point name. |
| Filtered control point NETID | 165 | 233 | 619 | Char(8) | Filtered control point NETID. |
| Filtered CP location name | 173 | 241 | 627 | Char(8) | Filtered CP location name. |
| Filtered CP location NETID | 181 | 249 | 635 | Char(8) | Filtered CP location NETID. |
| Partner location name | 189 | 257 | 643 | Char(8) | Partner location name. |
| Partner location NETID | 197 | 265 | 651 | Char(8) | Partner location NETID. |
| Inbound session | 205 | 273 | 659 | Char(1) | Inbound session. Y = This is an inbound session; N = This is not an inbound session. |
| Outbound session | 206 | 274 | 660 | Char(1) | Outbound session. Y = This is an outbound session; N = This is not an outbound session. |

For more information about the APPN directory search filter and the APPN end point filter, see Protection of your system in an APPN and HPR environment.

NE (APPN End Point Filter) journal entries


This table provides the format of the NE (APPN End Point Filter) journal entries.
Table 191. NE (APPN End Point Filter) journal entries. QASYNEJE/J4/J5 Field Description File

| Field | JE | J4 | J5 | Format | Description |
|---|---|---|---|---|---|
| Heading fields | 1 | 1 | 1 | | Heading fields common to all entry types. See Standard heading fields for audit journal entries QJORDJE5 Record Format (*TYPE5) on page 562, Standard heading fields for audit journal entries QJORDJE4 Record Format (*TYPE4) on page 563, and Standard heading fields for audit journal entries QJORDJE2 Record Format (*TYPE2) on page 565 for field listing. |
| Entry Type | 156 | 224 | 610 | Char(1) | The type of entry. A = End point filter violation. |
| Local location name | 157 | 225 | 611 | Char(8) | Local location name. |
| Remote location name | 165 | 233 | 619 | Char(8) | Remote location name. |
| Remote NETID | 173 | 241 | 627 | Char(8) | Remote NETID. |
| Inbound session | 181 | 249 | 635 | Char(1) | Inbound session. Y = This is an inbound session; N = This is not an inbound session. |
| Outbound session | 182 | 250 | 636 | Char(1) | Outbound session. Y = This is an outbound session; N = This is not an outbound session. |

For more information about the APPN directory search filter and the APPN end point filter, see Protection of your system in an APPN and HPR environment.

OM (Object Management Change) journal entries


This table provides the format of the OM (Object Management Change) journal entries.
Table 192. OM (Object Management Change) journal entries. QASYOMJE/J4/J5 Field Description File

| Field | JE | J4 | J5 | Format | Description |
|---|---|---|---|---|---|
| Heading fields | 1 | 1 | 1 | | Heading fields common to all entry types. See Standard heading fields for audit journal entries QJORDJE5 Record Format (*TYPE5) on page 562, Standard heading fields for audit journal entries QJORDJE4 Record Format (*TYPE4) on page 563, and Standard heading fields for audit journal entries QJORDJE2 Record Format (*TYPE2) on page 565 for field listing. |
| Entry Type | 156 | 224 | 610 | Char(1) | The type of entry. M = Object moved to a different library; R = Object renamed. |
| Old Object Name | 157 | 225 | 611 | Char(10) | The old name of the object. |
| Old Library Name | 167 | 235 | 621 | Char(10) | The name of the library in which the old object resides. |
| Object Type | 177 | 245 | 631 | Char(8) | The type of object. |
| New Object Name | 185 | 253 | 639 | Char(10) | The new name of the object. |
| New Library Name | 195 | 263 | 649 | Char(10) | The name of the library to which the object was moved. |
| (Reserved Area) | 205 | 273 | | Char(20) | |
| Object Attribute | | | 659 | Char(10) | The attribute of the object. |
| (Reserved Area) | | | 669 | Char(10) | |
| Office User | 225 | 293 | 679 | Char(10) | The name of the office user. |
| Old Folder or Document Name | 235 | 303 | 689 | Char(12) | The old name of the folder or document. |
| (Reserved Area) | 247 | 315 | 701 | Char(8) | |
| Old Folder Path | 255 | 323 | 709 | Char(63) | The old path of the folder. |
| New Folder or Document Name | 318 | 386 | 772 | Char(12) | The new name of the folder or document. |
| (Reserved Area) | 330 | 398 | 784 | Char(8) | |
| New Folder Path | 338 | 406 | 792 | Char(63) | The new path of the folder. |
| Office on Behalf of User | 401 | 469 | 855 | Char(10) | User working on behalf of another user. |
| (Reserved Area) | 411 | | | Char(20) | |
| (Reserved Area) | | 479 | 865 | Char(18) | |
| Object Name Length | | 497 | 883 | Binary(4) | The length of the old object name field. |
| Object Name CCSID [1] | 431 | 499 | 885 | Binary(5) | The coded character set identifier for the object name. |
| Object Name Country or Region ID [1] | 435 | 503 | 889 | Char(2) | The Country or Region ID for the object name. |
| Object Name Language ID [1] | 437 | 505 | 891 | Char(3) | The language ID for the object name. |
| (Reserved area) | 440 | 508 | 894 | Char(3) | |
| Old Parent File ID [1,2] | 443 | 511 | 897 | Char(16) | The file ID of the old parent directory. |
| Old Object File ID [1,2] | 459 | 527 | 913 | Char(16) | The file ID of the old object. |
| Old Object Name [1] | 475 | 543 | 929 | Char(512) | The name of the old object. |
| New Parent File ID [1,2] | 987 | 1055 | 1441 | Char(16) | The file ID of the new parent directory. |
| New Object Name [1,2,6] | 1003 | 1071 | 1457 | Char(512) | The new name of the object. |
| Object File ID [1,2] | | 1583 | 1969 | Char(16) | The file ID of the object. |
| ASP Name [7] | | 1599 | 1985 | Char(10) | The name of the ASP device. |
| ASP Number [7] | | 1609 | 1995 | Char(5) | The number of the ASP device. |
| Path Name CCSID | | 1614 | 2000 | Binary(5) | The coded character set identifier for the path name. |
| Path Name Country or Region ID | | 1618 | 2004 | Char(2) | The Country or Region ID for the path name. |
| Path Name Language ID | | 1620 | 2006 | Char(3) | The language ID for the path name. |
| Path Name Length | | 1623 | 2009 | Binary(4) | The length of the path name. |
| Path Name Indicator | | 1625 | 2011 | Char(1) | Path name indicator. Y = The Path Name field contains the complete absolute path name for the object; N = The Path Name field does not contain an absolute path name for the object but a relative path name, and the Relative Directory File ID field is valid and can be used to form an absolute path name with this relative path name. |
| Relative Directory File ID [3] | | 1626 | 2012 | Char(16) | When the Path Name Indicator field is N, this field contains the file ID of the directory that contains the object identified in the Path Name field. Otherwise it contains hex zeros. |
| Absolute Path Name [5] | | 1642 | 2028 | Char(5002) | The old absolute path name of the object. |
| Object File ID | | 6644 | 7030 | Char(16) | The file ID of the object. |
| ASP Name [8] | | 6660 | 7046 | Char(10) | The name of the ASP device. |
| ASP Number [8] | | 6670 | 7056 | Char(5) | The number of the ASP device. |
| Path Name CCSID | | 6675 | 7061 | Binary(5) | The coded character set identifier for the path name. |
| Path Name Country or Region ID | | 6679 | 7065 | Char(2) | The Country or Region ID for the path name. |
| Path Name Language ID | | 6681 | 7067 | Char(3) | The language ID for the path name. |
| Path Name Length | | 6684 | 7070 | Binary(4) | The length of the path name. |
| Path Name Indicator | | 6686 | 7072 | Char(1) | Path name indicator. Y = The Path Name field contains the complete absolute path name for the object; N = The Path Name field does not contain an absolute path name for the object but a relative path name, and the Relative Directory File ID field is valid and can be used to form an absolute path name with this relative path name. |
| Relative Directory File ID [4] | | 6687 | 7073 | Char(16) | When the Path Name Indicator field is N, this field contains the file ID of the directory that contains the object identified in the Path Name field. Otherwise it contains hex zeros. |
| Absolute Path Name [5] | | 6703 | 7089 | Char(5002) | The new absolute path name of the object. |

Notes:
[1] These fields are used only for objects in the "root" (/), QOpenSys, and user-defined file systems.
[2] An ID that has the left-most bit set and the rest of the bits zero indicates that the ID is NOT set.
[3] If the Path Name Indicator field is N, but the Relative Directory File ID is hex zeros, then there was some error in determining the path name information.
[4] When the path name indicator (offset 6686) is N, this field contains the relative file ID of the absolute path name at offset 6703. When the path name indicator is Y, this field contains 16 bytes of hex zeros.
[5] This is a variable length field. The first 2 bytes contain the length of the path name.
[6] There is no associated length field for this value. The string is null padded unless it is the full 512 characters long.
[7] If the old object is in a library, this is the ASP information of the object's library. If the old object is not in a library, this is the ASP information of the object.
[8] If the new object is in a library, this is the ASP information of the object's library. If the new object is not in a library, this is the ASP information of the object.


OR (Object Restore) journal entries


This table provides the format of the OR (Object Restore) journal entries.
Table 193. OR (Object Restore) journal entries. QASYORJE/J4/J5 Field Description File

| Field | JE | J4 | J5 | Format | Description |
|---|---|---|---|---|---|
| Heading fields | 1 | 1 | 1 | | Heading fields common to all entry types. See Standard heading fields for audit journal entries QJORDJE5 Record Format (*TYPE5) on page 562, Standard heading fields for audit journal entries QJORDJE4 Record Format (*TYPE4) on page 563, and Standard heading fields for audit journal entries QJORDJE2 Record Format (*TYPE2) on page 565 for field listing. |
| Entry Type | 156 | 224 | 610 | Char(1) | The type of entry. N = A new object was restored to the system; E = An existing object was restored to the system. |
| Restored Object Name | 157 | 225 | 611 | Char(10) | The name of the restored object. |
| Restored Library Name | 167 | 235 | 621 | Char(10) | The name of the library of the restored object. |
| Object Type | 177 | 245 | 631 | Char(8) | The type of object. |
| Save Object Name | 185 | 253 | 639 | Char(10) | The name of the save object. |
| Save Library Name | 195 | 263 | 649 | Char(10) | The name of the library from which the object was saved. |
| Program State [1] | 205 | 273 | 659 | Char(1) | I = An inherit state program was restored; Y = A system state program was restored; N = A user state program was restored. |
| System Command [2] | 206 | 274 | 660 | Char(1) | Y = A system command was restored; N = A user state command was restored. |
| (Reserved Area) | 207 | | | Char(18) | |
| SETUID Mode | | 275 | 661 | Char(1) | The SETUID mode indicator. Y = The SETUID mode bit for the restored object is on; N = The SETUID mode bit for the restored object is not on. |
| SETGID Mode | | 276 | 662 | Char(1) | The SETGID mode indicator. Y = The SETGID mode bit for the restored object is on; N = The SETGID mode bit for the restored object is not on. |
| Signature Status | | 277 | 663 | Char(1) | The signature status of the restored object. B = Signature was not in i5/OS format; E = Signature exists but is not verified; F = Signature does not match object content; I = Signature ignored; N = Unsignable object; S = Signature is valid; T = Untrusted signature; U = Object unsigned. |
| Scan attribute | | 278 | 664 | Char(1) | If the file was an integrated file system object, the value of the scan attribute for that object, where Y = *YES; N = *NO; C = *CHGONLY. See the CHGATR command for descriptions of these values. |
| (Reserved Area) | | 279 | | Char(14) | |
| Object Attribute | | | 665 | Char(10) | The attribute of the object. |
| (Reserved Area) | | | 675 | Char(4) | |
| Office User | 225 | 293 | 679 | Char(10) | The name of the office user. |
| Restore DLO Name | 235 | 303 | 689 | Char(12) | The document library object name of the restored object. |
| (Reserved Area) | 247 | 315 | 701 | Char(8) | |
| Restore Folder Path | 255 | 323 | 709 | Char(63) | The folder into which the DLO was restored. |
| Save DLO Name | 318 | 386 | 772 | Char(12) | The DLO name of the saved object. |
| (Reserved Area) | 330 | 398 | 784 | Char(8) | |
| Save Folder Path | 338 | 406 | 792 | Char(63) | The folder from which the DLO was saved. |
| Office on Behalf of User | 401 | 469 | 855 | Char(10) | User working on behalf of another user. |
| (Reserved Area) | 411 | | | Char(20) | |
| (Reserved Area) | | 479 | | Char(18) | |
| Restore Private Authorities | | | 865 | Char(1) | Private authorities requested to be restored (PVTAUT(*YES) specified on the restore command). Y = PVTAUT(*YES) specified on restore command; N = PVTAUT(*NO) specified on restore command. |
| Private Authorities Saved [8] | | | 866 | Binary(5) | Number of private authorities saved. |
| Private Authorities Restored [8] | | | 870 | Binary(5) | Number of private authorities restored. |
| (Reserved Area) | | | 874 | Char(9) | |
| Object Name Length | | 497 | 883 | Binary(4) | The length of the Old Object Name field. |
| Object Name CCSID [3] | 431 | 499 | 885 | Binary(5) | The coded character set identifier for the object name. |
| Object Name Country or Region ID [3] | 435 | 503 | 889 | Char(2) | The Country or Region ID for the object name. |
| Object Name Language ID [3] | 437 | 505 | 891 | Char(3) | The language ID for the object name. |
| (Reserved area) | 440 | 508 | 894 | Char(3) | |
| Parent File ID [3,4] | 443 | 511 | 897 | Char(16) | The file ID of the parent directory. |
| Object File ID [3,4] | 459 | 527 | 913 | Char(16) | The file ID of the object. |
| Object Name [3] | 475 | 543 | 929 | Char(512) | The name of the object. |
| Old File ID | | 1055 | 1441 | Char(16) | The file ID for the old object. |
| Media File ID | | 1071 | 1457 | Char(16) | The file ID (FID) that was stored on the media file. Note: The FID stored on the media is the FID the object had on the source system. |
| Object File ID | | 1087 | 1473 | Char(16) | The file ID of the object. |
| ASP Name [7] | | 1103 | 1489 | Char(10) | The name of the ASP device. |
| ASP Number [7] | | 1113 | 1499 | Char(5) | The number of the ASP device. |
| Path Name CCSID | | 1118 | 1504 | Binary(5) | The coded character set identifier for the path name. |
| Path Name Country or Region ID | | 1122 | 1508 | Char(2) | The Country or Region ID for the path name. |
| Path Name Language ID | | 1124 | 1510 | Char(3) | The language ID for the path name. |
| Path Name Length | | 1127 | 1513 | Binary(4) | The length of the path name. |
| Path Name Indicator | | 1129 | 1515 | Char(1) | Path name indicator. Y = The Path Name field contains the complete absolute path name for the object; N = The Path Name field does not contain an absolute path name for the object but a relative path name, and the Relative Directory File ID field is valid and can be used to form an absolute path name with this relative path name. |
| Relative Directory File ID [5] | | 1130 | 1516 | Char(16) | When the Path Name Indicator field is N, this field contains the file ID of the directory that contains the object identified in the Path Name field. Otherwise it contains hex zeros. |
| Path Name [6] | | 1146 | 1532 | Char(5002) | The path name of the object. |

Notes:
[1] This field has an entry only if the object being restored is a program.
[2] This field has an entry only if the object being restored is a command.
[3] This field is used only for objects in the "root" (/), QOpenSys, and user-defined file systems.
[4] An ID that has the left-most bit set and the rest of the bits zero indicates that the ID is NOT set.
[5] If the Path Name Indicator field is N, but the Relative Directory File ID is hex zeros, then there was some error in determining the path name information.
[6] This is a variable length field. The first 2 bytes contain the length of the path name.
[7] If the object is in a library, this is the ASP information of the object's library. If the object is not in a library, this is the ASP information of the object.
[8] This field is zero if Restore Private Authorities (offset 865) is N.

Appendix F. Layout of audit journal entries

637

OW (Ownership Change) journal entries

This table provides the format of the OW (Ownership Change) journal entries.

Table 194. OW (Ownership Change) journal entries. QASYOWJE/J4/J5 Field Description File

Offset JE/J4/J5 | Field | Format | Description
1/1/1 | | | Heading fields common to all entry types. See Standard heading fields for audit journal entries QJORDJE5 Record Format (*TYPE5) on page 562, Standard heading fields for audit journal entries QJORDJE4 Record Format (*TYPE4) on page 563, and Standard heading fields for audit journal entries QJORDJE2 Record Format (*TYPE2) on page 565 for field listing.
156/224/610 | Entry Type | Char(1) | The type of entry. A = Change of object owner.
157/225/611 | Object Name | Char(10) | The name of the object.
167/235/621 | Library Name | Char(10) | The name of the library where the object is stored.
177/245/631 | Object Type | Char(8) | The type of object.
185/253/639 | Old Owner | Char(10) | Old owner of the object.
195/263/649 | New Owner | Char(10) | New owner of the object.
205/273/659 | (Reserved Area) | Char(20) |
225/293/679 | Office User | Char(10) | The name of the office user.
235/303/689 | DLO Name | Char(12) | The name of the document library object.
247/315/701 | (Reserved Area) | Char(8) |
255/323/709 | Folder Path | Char(63) | The path of the folder.
318/386/772 | Office on Behalf of User | Char(10) | User working on behalf of another user.
328/-/- | (Reserved Area) | Char(20) |
-/396/782 | (Reserved Area) | Char(18) |
-/414/800 | Object Name Length | Binary(4) | The length of the new object name.
348/416/802 | Object Name CCSID [1] | Binary(5) | The coded character set identifier for the object name.
352/420/806 | Object Name Country or Region ID [1] | Char(2) | The Country or Region ID for the object name.
354/422/808 | Object Name Language ID [1] | Char(3) | The language ID for the object name.
357/425/811 | (Reserved area) | Char(3) |
360/428/814 | Parent File ID [1, 2] | Char(16) | The file ID of the parent directory.
376/444/830 | Object File ID [1, 2] | Char(16) | The file ID of the object.
392/460/846 | Object Name [1] | Char(512) | The name of the object.
-/972/1358 | Object File ID | Char(16) | The file ID of the object.
-/988/1374 | ASP Name [5] | Char(10) | The name of the ASP device.
-/998/1384 | ASP Number [5] | Char(5) | The number of the ASP device.
-/1003/1389 | Path Name CCSID | Binary(5) | The coded character set identifier for the path name.
-/1007/1393 | Path Name Country or Region ID | Char(2) | The Country or Region ID for the path name.
-/1009/1395 | Path Name Language ID | Char(3) | The language ID for the path name.
-/1012/1398 | Path Name Length | Binary(4) | The length of the path name.
-/1014/1400 | Path Name Indicator | Char(1) | Path name indicator: Y = The Path Name field contains the complete absolute path name for the object; N = The Path Name field does not contain an absolute path name for the object, instead it contains a relative path name. The Relative Directory File ID field is valid and may be used to form an absolute path name with this relative path name.
-/1015/1401 | Relative Directory File ID [3] | Char(16) | When the Path Name Indicator field is N, this field contains the file ID of the directory that contains the object identified in the Path Name field. Otherwise it contains hex zeros. [3]
-/1031/1417 | Path Name [4] | Char(5002) | The path name of the object.

Notes:
1. These fields are used only for objects in the "root" (/), QOpenSys, and user-defined file system.
2. An ID that has the left-most bit set and the rest of the bits zero indicates that the ID is NOT set.
3. If the Path Name Indicator field is N, but the Relative Directory File ID is hex zeros, then there was some error in determining the path name information.
4. This is a variable length field. The first 2 bytes contain the length of the path name.
5. If the object is in a library, this is the ASP information of the object's library. If the object is not in a library, this is the ASP information of the object.

O1 (Optical Access) journal entries

This table provides the format of the O1 (Optical Access) journal entries.

Table 195. O1 (Optical Access) journal entries. QASY01JE/J4/J5 Field Description File

Offset JE/J4/J5 | Field | Format | Description
1/1/1 | | | Heading fields common to all entry types. See Standard heading fields for audit journal entries QJORDJE5 Record Format (*TYPE5) on page 562, Standard heading fields for audit journal entries QJORDJE4 Record Format (*TYPE4) on page 563, and Standard heading fields for audit journal entries QJORDJE2 Record Format (*TYPE2) on page 565 for field listing.
156/224/610 | Entry Type | Char(1) | R = Read; U = Update; D = Delete; C = Create Dir; X = Release Held File
157/225/611 | Object Type | Char(1) | F = File; D = Directory; S = Storage
158/226/612 | Access Type | Char(1) | D = File Data; A = File Directory Attributes; R = Restore operation; S = Save operation
159/227/613 | Device Name | Char(10) | Library LUD name
169/237/623 | CSI Name | Char(8) | Side Object Name
177/245/631 | CSI Library | Char(10) | Side Object Library
187/255/641 | Volume Name | Char(32) | Optical volume name
219/287/673 | Object Name | Char(256) | Optical directory/file name
-/-/929 | ASP name | Char(10) | ASP name for CSI library
-/-/939 | ASP number | Char(5) | ASP number for CSI library

Note: This entry is used to audit the following optical functions: Open File or Directory; Create Directory; Delete File Directory; Change or Retrieve Attributes; Release Held Optical File.

O2 (Optical Access) journal entries

This table provides the format of the O2 (Optical Access) journal entries.

Table 196. O2 (Optical Access) journal entries. QASY02JE/J4/J5 Field Description File

Offset JE/J4/J5 | Field | Format | Description
1/1/1 | | | Heading fields common to all entry types. See Standard heading fields for audit journal entries QJORDJE5 Record Format (*TYPE5) on page 562, Standard heading fields for audit journal entries QJORDJE4 Record Format (*TYPE4) on page 563, and Standard heading fields for audit journal entries QJORDJE2 Record Format (*TYPE2) on page 565 for field listing.
156/224/610 | Entry Type | Char(1) | C = Copy; R = Rename; B = Backup Dir or File; S = Save Held File; M = Move File
157/225/611 | Object Type | Char(1) | F = File; D = Directory
158/226/612 | Src Device Name | Char(10) | Source library LUD name
168/236/622 | Src CSI Name | Char(8) | Source Side Object Name
176/244/630 | Src CSI Library | Char(10) | Source Side Object Library
186/254/640 | Src Volume Name | Char(32) | Source Optical volume name
218/286/672 | Src Obj Name | Char(256) | Source Optical directory/file name
474/542/928 | Tgt Device Name | Char(10) | Target library LUD name
484/552/938 | Tgt CSI Name | Char(8) | Target Side Object Name
492/560/946 | Tgt CSI Library | Char(10) | Target Side Object Library
502/570/956 | Tgt Volume Name | Char(32) | Target Optical volume name
534/602/988 | Tgt Obj Name | Char(256) | Target Optical directory/file name
-/-/1244 | ASP name | Char(10) | ASP name for source CSI library
-/-/1254 | ASP number | Char(5) | ASP number for source CSI library
-/-/1259 | ASP name | Char(10) | ASP name for target CSI library
-/-/1269 | ASP number | Char(5) | ASP number for target CSI library

O3 (Optical Access) journal entries

This table provides the format of the O3 (Optical Access) journal entries.

Table 197. O3 (Optical Access) journal entries. QASY03JE/J4/J5 Field Description File

Offset JE/J4/J5 | Field | Format | Description
1/1/1 | | | Heading fields common to all entry types. See Standard heading fields for audit journal entries QJORDJE5 Record Format (*TYPE5) on page 562, Standard heading fields for audit journal entries QJORDJE4 Record Format (*TYPE4) on page 563, and Standard heading fields for audit journal entries QJORDJE2 Record Format (*TYPE2) on page 565 for the field listing.
156/224/610 | Entry Type | Char(1) | A = Change Volume Attributes; B = Backup Volume; C = Convert Backup Volume to Primary; E = Export; I = Initialize; K = Check Volume; L = Change Authorization List; M = Import; N = Rename; R = Absolute Read
157/225/611 | Device Name | Char(10) | Library LUD name
167/235/621 | CSI Name | Char(8) | Side Object Name
175/243/629 | CSI Library | Char(10) | Side Object Library
185/253/639 | Old Volume Name | Char(32) | Old Optical volume name
217/285/671 | New Volume Name [1] | Char(32) | New Optical volume name
249/317/703 | Old Auth List [2] | Char(10) | Old Authorization List
259/327/713 | New Auth List [3] | Char(10) | New Authorization List
269/337/723 | Address [4] | Binary(5) | Starting Block
273/341/727 | Length [4] | Binary(5) | Length read
-/-/731 | ASP name | Char(10) | ASP name for CSI library
-/-/741 | ASP number | Char(5) | ASP number for CSI library

Notes:
1. This field contains the new volume name for Initialize, Rename, and Convert functions; it contains the backup volume name for Backup functions. It contains the volume name for Import, Export, Change Authorization List, Change Volume Attributes, and Sector Read.
2. Used for Import, Export, and Change Authorization List only.
3. Used for Change Authorization List only.
4. Used for Sector Read only.

PA (Program Adopt) journal entries

This table provides the format of the PA (Program Adopt) journal entries.

Table 198. PA (Program Adopt) journal entries. QASYPAJE/J4/J5 Field Description File

Offset JE/J4/J5 | Field | Format | Description
1/1/1 | | | Heading fields common to all entry types. See Standard heading fields for audit journal entries QJORDJE5 Record Format (*TYPE5) on page 562, Standard heading fields for audit journal entries QJORDJE4 Record Format (*TYPE4) on page 563, and Standard heading fields for audit journal entries QJORDJE2 Record Format (*TYPE2) on page 565 for field listing.
156/224/610 | Entry Type | Char(1) | The type of entry. A = Change program to adopt owner's authority; J = Java program adopts owner's authority; M = Change object's SETUID, SETGID, or Restricted rename and unlink mode indicator.
157/225/611 | Program Name [3] | Char(10) | The name of the program.
167/235/621 | Program Library [3] | Char(10) | The name of the library where the program is found.
177/245/631 | Object Type | Char(8) | The type of object.
185/253/639 | Owner | Char(10) | The name of the owner.
-/263/649 | ISVTX mode | Char(1) | The restricted rename and unlink (ISVTX) mode indicator. Y = The ISVTX mode indicator is on for the object; N = The ISVTX mode indicator is not on for the object.
-/263/649 | Reserved | Char(17) |
-/281/667 | Object Name Length [1] | Binary(4) | The length of the object name.
-/283/669 | Object Name CCSID [1] | Binary(5) | The coded character set identifier for the object name.
-/287/673 | Object Name Country or Region ID [1] | Char(2) | The Country or Region ID for the object name.
-/289/675 | Object Name Language ID [1] | Char(3) | The language ID for the object name.
-/292/678 | Reserved | Char(3) |
-/295/681 | Parent ID [1, 2, 3] | Char(16) | Parent File ID.
-/311/697 | Object File ID [3] | Char(16) | File ID for the object.
-/327/713 | Object Name [1] | Char(512) | Object name for the object.
-/839/1225 | SETUID Mode | Char(1) | The Set effective user ID (SETUID) mode indicator. Y = The SETUID mode bit is on for the object; N = The SETUID mode bit is not on for the object.
-/840/1226 | SETGID Mode | Char(1) | The Set effective group ID (SETGID) mode indicator. Y = The SETGID mode bit is on for the object; N = The SETGID mode bit is not on for the object.
-/841/1227 | Primary Group Owner | Char(10) | The name of the primary group owner.
-/851/1237 | Object File ID | Char(16) | The file ID of the object.
-/867/1253 | ASP Name [6] | Char(10) | The name of the ASP device.
-/877/1263 | ASP Number [6] | Char(5) | The number of the ASP device.
-/882/1268 | Path Name CCSID | Binary(5) | The coded character set identifier for the path name.
-/886/1272 | Path Name Country or Region ID | Char(2) | The Country or Region ID for the path name.
-/888/1274 | Path Name Language ID | Char(3) | The language ID for the path name.
-/891/1277 | Path Name Length | Binary(4) | The length of the path name.
-/893/1279 | Path Name Indicator | Char(1) | Path name indicator: Y = The Path Name field contains the complete absolute path name for the object; N = The Path Name field does not contain an absolute path name for the object, instead it contains a relative path name. The Relative Directory File ID field is valid and can be used to form an absolute path name with this relative path name.
-/894/1280 | Relative Directory File ID [4] | Char(16) | When the Path Name Indicator field is N, this field contains the file ID of the directory that contains the object identified in the Path Name field. Otherwise it contains hex zeros. [4]
-/910/1296 | Path Name [5] | Char(5002) | The path name of the object.

Notes:
1. These fields are used only for objects in the "root" (/), QOpenSys, and user-defined file systems.
2. An ID that has the left-most bit set and the rest of the bits zero indicates that the ID is NOT set.
3. When the entry type is J, the program name and the library name fields will contain *N. In addition, the parent file ID and the object file ID fields will contain binary zeros.
4. If the Path Name Indicator field is N, but the Relative Directory File ID is hex zeros, then there was some error in determining the path name information.
5. This is a variable length field. The first 2 bytes contain the length of the path name.
6. If the object is in a library, this is the ASP information of the object's library. If the object is not in a library, this is the ASP information of the object.

PG (Primary Group Change) journal entries

This table provides the format of the PG (Primary Group Change) journal entries.

Table 199. PG (Primary Group Change) journal entries. QASYPGJE/J4/J5 Field Description File

Offset JE/J4/J5 | Field | Format | Description
1/1/1 | | | Heading fields common to all entry types. See Standard heading fields for audit journal entries QJORDJE5 Record Format (*TYPE5) on page 562, Standard heading fields for audit journal entries QJORDJE4 Record Format (*TYPE4) on page 563, and Standard heading fields for audit journal entries QJORDJE2 Record Format (*TYPE2) on page 565 for field listing.
156/224/610 | Entry Type | Char(1) | The type of entry. A = Change primary group.
157/225/611 | Object Name | Char(10) | The name of the object.
167/235/621 | Object Library | Char(10) | The name of the library where the object is found.
177/245/631 | Object Type | Char(8) | The type of object.
185/253/639 | Old Primary Group | Char(10) | The previous primary group for the object. [5]
195/263/649 | New Primary Group | Char(10) | The new primary group for the object.

Authorities for new primary group:

Offset JE/J4/J5 | Field | Format | Description
205/273/659 | Object Existence | Char(1) | Y = *OBJEXIST
206/274/660 | Object Management | Char(1) | Y = *OBJMGT
207/275/661 | Object Operational | Char(1) | Y = *OBJOPR
208/276/662 | Object Alter | Char(1) | Y = *OBJALTER
209/277/663 | Object Reference | Char(1) | Y = *OBJREF
210/278/664 | (Reserved Area) | Char(10) |
220/288/674 | Authorization List Management | Char(1) | Y = *AUTLMGT
221/289/675 | Read Authority | Char(1) | Y = *READ
222/290/676 | Add Authority | Char(1) | Y = *ADD
223/291/677 | Update Authority | Char(1) | Y = *UPD
224/292/678 | Delete Authority | Char(1) | Y = *DLT
225/293/679 | Execute Authority | Char(1) | Y = *EXECUTE
226/294/680 | (Reserved Area) | Char(10) |
236/304/690 | Exclude Authority | Char(1) | Y = *EXCLUDE
237/305/691 | Revoke Old Primary Group | Char(1) | Y = Revoke authority for previous primary group; ' ' = Do not revoke authority for previous primary group.
238/306/692 | (Reserved Area) | Char(20) |
258/326/712 | Office User | Char(10) | The name of the office user.
268/336/722 | DLO Name | Char(12) | The name of the document library object or folder.
280/348/734 | (Reserved Area) | Char(8) |
288/356/742 | Folder Path | Char(63) | The path of the folder.
351/419/805 | Office on Behalf of User | Char(10) | User working on behalf of another user.
361/-/- | (Reserved Area) | Char(20) |
-/429/815 | (Reserved Area) | Char(18) |
-/447/833 | Object Name Length [1] | Binary(4) | The length of the object name.
381/449/835 | Object Name CCSID [1] | Binary(5) | The coded character set identifier for the object name.
385/453/839 | Object Name Country or Region ID [1] | Char(2) | The Country or Region ID for the object name.
387/455/841 | Object Name Language ID [1] | Char(3) | The language ID for the object name.
390/458/844 | (Reserved area) | Char(3) |
393/461/847 | Parent File ID [1, 2] | Char(16) | The file ID of the parent directory.
409/477/863 | Object File ID [1, 2] | Char(16) | The file ID of the object.
425/493/879 | Object Name [1] | Char(512) | The name of the object.
-/1005/1391 | Object File ID | Char(16) | The file ID of the object.
-/1021/1407 | ASP Name [6] | Char(10) | The name of the ASP device.
-/1031/1417 | ASP Number [6] | Char(5) | The number of the ASP device.
-/1035/1422 | Path Name CCSID | Binary(5) | The coded character set identifier for the path name.
-/1040/1426 | Path Name Country or Region ID | Char(2) | The Country or Region ID for the path name.
-/1042/1428 | Path Name Language ID | Char(3) | The language ID for the path name.
-/1045/1431 | Path Name Length | Binary(4) | The length of the path name.
-/1047/1433 | Path Name Indicator | Char(1) | Path name indicator: Y = The Path Name field contains the complete absolute path name for the object; N = The Path Name field does not contain an absolute path name for the object, instead it contains a relative path name. The Relative Directory File ID field is valid and can be used to form an absolute path name with this relative path name.
-/1048/1434 | Relative Directory File ID [3] | Char(16) | When the Path Name Indicator field is N, this field contains the file ID of the directory that contains the object identified in the Path Name field. Otherwise it contains hex zeros. [3]
-/1064/1450 | Path Name [4] | Char(5002) | The path name of the object.

Notes:
1. These fields are used only for objects in the "root" (/), QOpenSys, and user-defined file systems.
2. An ID that has the left-most bit set and the rest of the bits zero indicates that the ID is NOT set.
3. If the Path Name Indicator field is N, but the Relative Directory File ID is hex zeros, then there was some error in determining the path name information.
4. This is a variable length field. The first 2 bytes contain the length of the path name.
5. A value of *N implies that the value of the Old Primary Group was not available.
6. If the object is in a library, this is the ASP information of the object's library. If the object is not in a library, this is the ASP information of the object.

PO (Printer Output) journal entries

This table provides the format of the PO (Printer Output) journal entries.

Table 200. PO (Printer Output) journal entries. QASYPOJE/J4/J5 Field Description File

Offset JE/J4/J5 | Field | Format | Description
1/1/1 | | | Heading fields common to all entry types. See Standard heading fields for audit journal entries QJORDJE5 Record Format (*TYPE5) on page 562, Standard heading fields for audit journal entries QJORDJE4 Record Format (*TYPE4) on page 563, and Standard heading fields for audit journal entries QJORDJE2 Record Format (*TYPE2) on page 565 for field listing.
156/224/610 | Output Type | Char(1) | The type of output. D = Direct print; R = Sent to remote system for printing; S = Spooled file printed
157/225/611 | Status After Printing | Char(1) | D = Deleted after printed; H = Held after printed; S = Saved after printed; ' ' = Direct print
158/226/612 | Job Name | Char(10) | The first part of the qualified job name.
168/236/622 | Job User Name | Char(10) | The second part of the qualified job name.
178/246/632 | Job Number | Zoned(6,0) | The third part of the qualified job name.
184/252/638 | User Profile | Char(10) | The user profile that created the output.
194/262/648 | Output Queue | Char(10) | The output queue containing the spooled file. [1]
204/272/658 | Output Queue Library Name | Char(10) | The name of the library containing the output queue. [1]
214/282/668 | Device Name | Char(10) | The device where the output was printed. [2]
224/292/678 | Device Type | Char(4) | The type of printer device. [2]
228/296/682 | Device Model | Char(4) | The model of the printer device. [2]
232/300/686 | Device File Name | Char(10) | The name of the device file used to access the printer.
242/310/696 | Device File Library | Char(10) | The name of the library for the device file.
252/320/706 | Spooled File Name | Char(10) | The name of the spooled file. [1]
262/330/716 | Short Spooled File Number | Char(4) | The number of the spooled file. [1] Set to blank if too long.
266/334/720 | Form Type | Char(10) | The form type of the spooled file.
276/344/730 | User Data | Char(10) | The user data associated with the spooled file. [1]
286/-/- | (Reserved area) | Char(20) |
-/354/740 | Spooled File Number | Char(6) | The number of the spooled file.
-/360/746 | Reserved Area | Char(14) |
306/374/760 | Remote System | Char(255) | Name of the remote system to which printing was sent.
561/629/1015 | Remote System Print Queue | Char(128) | The name of the output queue on the remote system.
-/757/1143 | Spooled File Job System Name | Char(8) | The name of the system on which the spooled file resides.
-/765/1151 | Spooled File Create Date | Char(7) | The spooled file create date (CYYMMDD).
-/772/1158 | Spooled File Create Time | Char(6) | The spooled file create time (HHMMSS).
-/-/1164 | ASP Name | Char(10) | ASP name for the device library.
-/-/1174 | ASP number | Char(5) | ASP number for device file library.
-/-/1179 | Output Queue ASP Name | Char(10) | ASP name for output queue library.
-/-/1189 | Output Queue ASP Number | Char(5) | ASP number for output queue library.
-/-/1194 | Spooled File Create Date UTC | Char(7) | The spooled file create date in UTC (this is the same date as the Spool File Create Date (offset 1151), only in UTC).
-/-/1201 | Spooled File Create Time UTC | Char(6) | The spooled file create time in UTC (this is the same time as the Spool File Create Time (offset 1158), only in UTC).

Notes:
1. This field is blank if the type of output is direct print.
2. This field is blank if the type of output is remote print.

PS (Profile Swap) journal entries

This table provides the format of the PS (Profile Swap) journal entries.

Table 201. PS (Profile Swap) journal entries. QASYPSJE/J4/J5 Field Description File

Offset JE/J4/J5 | Field | Format | Description
1/1/1 | | | Heading fields common to all entry types. See Standard heading fields for audit journal entries QJORDJE5 Record Format (*TYPE5) on page 562, Standard heading fields for audit journal entries QJORDJE4 Record Format (*TYPE4) on page 563, and Standard heading fields for audit journal entries QJORDJE2 Record Format (*TYPE2) on page 565 for field listing.
156/224/610 | Entry Type | Char(1) | The type of entry. A = Profile swap during pass-through; E = End work on behalf of relationship; H = Profile handle generated by the QSYGETPH API; I = All profile tokens were invalidated; M = Maximum number of profile tokens have been generated; P = Profile token generated for user; R = All profile tokens for a user have been removed; S = Start work on behalf of relationship; V = User profile authenticated
157/225/611 | User Profile | Char(10) | User profile name.
167/235/621 | Source Location | Char(8) | Pass-through source location.
175/243/629 | Original Target User Profile | Char(10) | Original pass-through target user profile.
185/253/639 | New Target User Profile | Char(10) | New pass-through target user profile.
195/263/649 | Office User | Char(10) | Office user starting or ending on behalf of relationship.
205/273/659 | On Behalf of User Profile | Char(10) | User on behalf of whom the office user is working.
215/283/669 | Profile Token Type | Char(1) | The type of the profile token that was generated. M = Multiple-use profile token; R = Multiple-use regenerated profile token; S = Single-use profile token
216/284/670 | Profile Token Timeout | Binary(4) | The number of seconds that the profile token is valid.

PW (Password) journal entries

This table provides the format of the PW (Password) journal entries.

Table 202. PW (Password) journal entries. QASYPWJE/J4/J5 Field Description File

Offset JE/J4/J5 | Field | Format | Description
1/1/1 | | | Heading fields common to all entry types. See Standard heading fields for audit journal entries QJORDJE5 Record Format (*TYPE5) on page 562, Standard heading fields for audit journal entries QJORDJE4 Record Format (*TYPE4) on page 563, and Standard heading fields for audit journal entries QJORDJE2 Record Format (*TYPE2) on page 565 for field listing.
156/224/610 | Violation Entry Type | Char(1) | The type of violation. A = APPC bind failure; C = User authentication with the CHKPWD command failed; D = Service tools user ID name not valid; E = Service tools user ID password not valid; P = Password not valid; Q = Attempted signon (user authentication) failed because user profile is disabled; R = Attempted signon (user authentication) failed because password was expired. This audit record might not occur for some user authentication mechanisms. Some authentication mechanisms do not check for expired passwords; S = SQL Decryption password is not valid; U = User name not valid; X = Service tools user ID is disabled; Y = Service tools user ID not valid; Z = Service tools user ID password not valid
157/225/611 | User Name | Char(10) | The job user name or the service tools user ID name.
167/235/621 | Device name | Char(40) | The name of the device or communications device on which the password or user ID was entered. If the entry type is X, Y, or Z, this field will contain the name of the service tool being accessed.
207/275/661 | Remote Location Name | Char(8) | Name of the remote location for the APPC bind.
215/283/669 | Local Location Name | Char(8) | Name of the local location for the APPC bind.
223/291/677 | Network ID | Char(8) | Network ID for the APPC bind.
-/-/685 | Object Name [2] | Char(10) | The name of the object being decrypted.
-/-/695 | Object Library | Char(10) | The library for the object being decrypted.
-/-/705 | Object Type | Char(8) | The type of object being decrypted.
-/-/713 | ASP Name [1] | Char(10) | The name of the ASP device.
-/-/723 | ASP Number [1] | Char(5) | The number of the ASP device.

Notes:
1. If the object is in a library, this is the ASP information for the object's library. If the object is not in a library, this is the ASP information for the object.
2. If the object name is *N and the violation type is S, the user attempted to decrypt data in a host variable.
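The PW layout above is a fixed-offset record, so a detection script only needs the offsets and lengths from Table 202 to pull the violation type, user, and device out of each entry and count repeated sign-on failures. The following is an added example, not code from the IBM reference; it assumes the *TYPE5 (J5) offsets, ASCII rather than EBCDIC text, blank heading fields, and constructed sample records (PW_J5_FIELDS, make_pw_record, parse_pw_entry and sign_on_failures_by_user are this example's own names).

```python
# Added example (not from the IBM reference): parse PW (Password) audit journal
# entries using the QASYPWJ5 (*TYPE5) offsets from Table 202 and count repeated
# sign-on failures per user and device. Records here are constructed and ASCII;
# real entries are EBCDIC and carry 609 bytes of heading fields first.
from collections import Counter

# Entry-specific PW fields: name -> (1-based J5 offset, length), per Table 202.
PW_J5_FIELDS = {
    "violation_type": (610, 1),
    "user_name": (611, 10),
    "device_name": (621, 40),
    "remote_location": (661, 8),
    "local_location": (669, 8),
    "network_id": (677, 8),
    "object_name": (685, 10),
    "object_library": (695, 10),
    "object_type": (705, 8),
    "asp_name": (713, 10),
    "asp_number": (723, 5),
}
PW_RECORD_LEN = 727  # ASP Number is Char(5) at offset 723, so the layout ends at 727

# Violation Entry Type values from Table 202.
PW_VIOLATION_TYPES = {
    "A": "APPC bind failure",
    "C": "User authentication with the CHKPWD command failed",
    "D": "Service tools user ID name not valid",
    "E": "Service tools user ID password not valid",
    "P": "Password not valid",
    "Q": "Sign-on failed because user profile is disabled",
    "R": "Sign-on failed because password was expired",
    "S": "SQL Decryption password is not valid",
    "U": "User name not valid",
    "X": "Service tools user ID is disabled",
    "Y": "Service tools user ID not valid",
    "Z": "Service tools user ID password not valid",
}
SIGN_ON_FAILURES = {"P", "Q", "R", "U"}       # user-authentication failures
SERVICE_TOOL_TYPES = {"X", "Y", "Z"}          # Device name holds the service tool name


def make_pw_record(violation_type, user_name, device_name, object_name="",
                   object_library="", object_type=""):
    """Build a constructed J5-layout PW record: blank heading, fields at table offsets."""
    buf = bytearray(b" " * PW_RECORD_LEN)
    values = {"violation_type": violation_type, "user_name": user_name,
              "device_name": device_name, "object_name": object_name,
              "object_library": object_library, "object_type": object_type}
    for name, value in values.items():
        offset, length = PW_J5_FIELDS[name]
        encoded = value.encode("ascii")
        if len(encoded) > length:
            raise ValueError(f"{name} exceeds Char({length})")
        # Table offsets are 1-based; Python slices are 0-based.
        buf[offset - 1:offset - 1 + length] = encoded.ljust(length)
    return bytes(buf)


def parse_pw_entry(record):
    """Extract the Table 202 fields from one PW record and annotate them."""
    if len(record) < PW_RECORD_LEN:
        raise ValueError("record is shorter than the QASYPWJ5 layout")
    entry = {}
    for name, (offset, length) in PW_J5_FIELDS.items():
        entry[name] = record[offset - 1:offset - 1 + length].decode("ascii").rstrip()
    entry["violation_text"] = PW_VIOLATION_TYPES.get(
        entry["violation_type"], "unknown violation type")
    # For X, Y and Z the Device name field names the service tool being accessed.
    entry["service_tool"] = (entry["device_name"]
                             if entry["violation_type"] in SERVICE_TOOL_TYPES else "")
    # Note 2 of Table 202: *N with type S means a host-variable decryption attempt.
    entry["host_variable_decrypt"] = (entry["violation_type"] == "S"
                                      and entry["object_name"] == "*N")
    return entry


def sign_on_failures_by_user(records, threshold):
    """Count P/Q/R/U entries per (user, device); return pairs at or above threshold."""
    counts = Counter()
    for record in records:
        entry = parse_pw_entry(record)
        if entry["violation_type"] in SIGN_ON_FAILURES:
            counts[(entry["user_name"], entry["device_name"])] += 1
    return {key: n for key, n in counts.items() if n >= threshold}


# Constructed sample records (not real audit data).
SAMPLE_RECORDS = [
    make_pw_record("P", "JSMITH", "DSP01"),
    make_pw_record("P", "JSMITH", "DSP01"),
    make_pw_record("Q", "JSMITH", "DSP01"),
    make_pw_record("U", "NOSUCHUSR", "QPADEV0001"),
    make_pw_record("S", "DBUSER", "QPADEV0002", object_name="*N"),
    make_pw_record("Z", "QSECOFR", "DST"),
]

if __name__ == "__main__":
    for key, n in sign_on_failures_by_user(SAMPLE_RECORDS, 3).items():
        print(f"{n} sign-on failures for user {key[0]} on device {key[1]}")
```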

RA (Authority Change for Restored Object) journal entries

This table provides the format of the RA (Authority Change for Restored Object) journal entries.

Table 203. RA (Authority Change for Restored Object) journal entries. QASYRAJE/J4/J5 Field Description File

Offset JE/J4/J5 | Field | Format | Description
1/1/1 | | | Heading fields common to all entry types. See Standard heading fields for audit journal entries QJORDJE5 Record Format (*TYPE5) on page 562, Standard heading fields for audit journal entries QJORDJE4 Record Format (*TYPE4) on page 563, and Standard heading fields for audit journal entries QJORDJE2 Record Format (*TYPE2) on page 565 for field listing.
156/224/610 | Entry Type | Char(1) | The type of entry. A = Changes to authority for object restored
157/225/611 | Object Name | Char(10) | The name of the object.
167/235/621 | Library Name | Char(10) | The name of the library where the object is stored.
177/245/631 | Object Type | Char(8) | The type of object.
185/253/639 | Authorization List Name | Char(10) | The name of the authorization list.
195/263/649 | Public Authority | Char(1) | Y = Public authority set to *EXCLUDE.
196/264/650 | Private Authority | Char(1) | Y = Private authority removed.
197/265/651 | AUTL Removed | Char(1) | Y = Authorization list removed from object.
198/266/652 | (Reserved Area) | Char(20) |
218/286/672 | DLO Name | Char(12) | The name of the document library object.
230/298/684 | (Reserved Area) | Char(8) |
238/306/692 | Folder Path | Char(63) | The folder containing the document library object.
301/-/- | (Reserved Area) | Char(20) |
-/369/755 | (Reserved Area) | Char(18) |
-/387/773 | Object Name Length | Binary(4) | The length of the object name.
321/389/775 | Object Name CCSID [1] | Binary(5) | The coded character set identifier for the object name.
325/393/779 | Object Name Country or Region ID [1] | Char(2) | The Country or Region ID for the object name.
327/395/781 | Object Name Language ID [1] | Char(3) | The language ID for the object name.
330/398/784 | (Reserved area) | Char(3) |
333/401/787 | Parent File ID [1, 2] | Char(16) | The file ID of the parent directory.
349/417/803 | Object File ID [1, 2] | Char(16) | The file ID of the object.
365/433/819 | Object Name [1] | Char(512) | The name of the object.
-/945/1331 | Object File ID | Char(16) | The file ID of the object.
-/961/1347 | ASP Name [5] | Char(10) | The name of the ASP device.
-/971/1357 | ASP Number [5] | Char(5) | The number of the ASP device.
-/976/1362 | Path Name CCSID | Binary(5) | The coded character set identifier for the path name.
-/980/1366 | Path Name Country or Region ID | Char(2) | The Country or Region ID for the path name.
-/982/1368 | Path Name Language ID | Char(3) | The language ID for the path name.
-/985/1371 | Path Name Length | Binary(4) | The length of the path name.
-/987/1373 | Path Name Indicator | Char(1) | Path name indicator: Y = The Path Name field contains the complete absolute path name for the object; N = The Path Name field does not contain an absolute path name for the object, instead it contains a relative path name. The Relative Directory File ID field is valid and can be used to form an absolute path name with this relative path name.
-/988/1374 | Relative Directory File ID [3] | Char(16) | When the Path Name Indicator field is N, this field contains the file ID of the directory that contains the object identified in the Path Name field. Otherwise it contains hex zeros. [3]
-/1004/1390 | Path Name [4] | Char(5002) | The path name of the object.

Notes:
1. These fields are used only for objects in the "root" (/), QOpenSys, and user-defined file systems.
2. An ID that has the left-most bit set and the rest of the bits zero indicates that the ID is NOT set.
3. If the Path Name Indicator field is N, but the Relative Directory File ID is hex zeros, then there was some error in determining the path name information.
4. This is a variable length field. The first 2 bytes contain the length of the path name.
5. If the object is in a library, this is the ASP information of the object's library. If the object is not in a library, this is the ASP information of the object.

RJ (Restoring Job Description) journal entries

This table provides the format of the RJ (Restoring Job Description) journal entries.

Table 204. RJ (Restoring Job Description) journal entries. QASYRJJE/J4/J5 Field Description File

Offset JE | J4  | J5  | Field                | Format   | Description
1         | 1   | 1   |                      |          | Heading fields common to all entry types. See Standard heading fields for audit journal entries QJORDJE5 Record Format (*TYPE5) on page 562, Standard heading fields for audit journal entries QJORDJE4 Record Format (*TYPE4) on page 563, and Standard heading fields for audit journal entries QJORDJE2 Record Format (*TYPE2) on page 565 for field listing.
156       | 224 | 610 | Entry Type           | Char(1)  | The type of entry.
          |     |     |                      |          | A  Restoring a job description that had a user profile specified in the USER parameter.
157       | 225 | 611 | Job Description Name | Char(10) | The name of the job description restored.
167       | 235 | 621 | Library Name         | Char(10) | The name of the library the job description was restored to.
177       | 245 | 631 | Object Type          | Char(8)  | The type of object.
185       | 253 | 639 | User Name            | Char(10) | The name of the user profile specified in the job description.
-         | -   | 649 | ASP name             | Char(10) | ASP name for the JOBD library.
-         | -   | 659 | ASP number           | Char(5)  | ASP number for the JOBD library.

RO (Ownership Change for Restored Object) journal entries

This table provides the format of the RO (Ownership Change for Restored Object) journal entries.

Table 205. RO (Ownership Change for Restored Object) journal entries. QASYROJE/J4/J5 Field Description File

Offset JE | J4   | J5   | Field                                | Format     | Description
1         | 1    | 1    |                                      |            | Heading fields common to all entry types. See Standard heading fields for audit journal entries QJORDJE5 Record Format (*TYPE5) on page 562, Standard heading fields for audit journal entries QJORDJE4 Record Format (*TYPE4) on page 563, and Standard heading fields for audit journal entries QJORDJE2 Record Format (*TYPE2) on page 565 for field listing.
156       | 224  | 610  | Entry Type                           | Char(1)    | The type of entry.
          |      |      |                                      |            | A  Restoring objects that had ownership changed when restored.
157       | 225  | 611  | Object Name                          | Char(10)   | The name of the object.
167       | 235  | 621  | Library Name                         | Char(10)   | The name of the library the object is in.
177       | 245  | 631  | Object Type                          | Char(8)    | The type of object.
185       | 253  | 639  | Old Owner                            | Char(10)   | The name of the owner before ownership was changed.
195       | 263  | 649  | New Owner                            | Char(10)   | The name of the owner after ownership was changed.
205       | 273  | 659  | (Reserved Area)                      | Char(20)   |
225       | 293  | 679  | DLO Name                             | Char(12)   | The name of the document library object.
237       | 305  | 691  | (Reserved Area)                      | Char(8)    |
245       | 313  | 699  | Folder Path                          | Char(63)   | The folder into which the object was restored.
308       | -    | -    | (Reserved Area)                      | Char(20)   |
-         | 376  | 762  | (Reserved Area)                      | Char(18)   |
-         | 394  | 780  | Object Name Length (1)               | Binary(4)  | The length of the object name.
328       | 396  | 782  | Object Name CCSID (1)                | Binary(5)  | The coded character set identifier for the object name.
332       | 400  | 786  | Object Name Country or Region ID (1) | Char(2)    | The Country or Region ID for the object name.
334       | 402  | 788  | Object Name Language ID (1)          | Char(3)    | The language ID for the object name.
337       | 405  | 791  | (Reserved area)                      | Char(3)    |
340       | 408  | 794  | Parent File ID (1,2)                 | Char(16)   | The file ID of the parent directory.
356       | 424  | 810  | Object File ID (1,2)                 | Char(16)   | The file ID of the object.
372       | 440  | 826  | Object Name (1)                      | Char(512)  | The name of the object.
-         | 952  | 1338 | Object File ID                       | Char(16)   | The file ID of the object.
-         | 968  | 1354 | ASP Name (5)                         | Char(10)   | The name of the ASP device.
-         | 978  | 1364 | ASP Number (5)                       | Char(5)    | The number of the ASP device.
-         | 983  | 1369 | Path Name CCSID                      | Binary(5)  | The coded character set identifier for the path name.
-         | 987  | 1373 | Path Name Country or Region ID       | Char(2)    | The Country or Region ID for the path name.
-         | 989  | 1375 | Path Name Language ID                | Char(3)    | The language ID for the path name.
-         | 992  | 1378 | Path Name Length                     | Binary(4)  | The length of the path name.
-         | 994  | 1380 | Path Name Indicator                  | Char(1)    | Path name indicator:
          |      |      |                                      |            | Y  The Path Name field contains the complete absolute path name for the object.
          |      |      |                                      |            | N  The Path Name field does not contain an absolute path name for the object; instead it contains a relative path name. The Relative Directory File ID field is valid and can be used to form an absolute path name with this relative path name.
-         | 995  | 1381 | Relative Directory File ID (3)       | Char(16)   | When the Path Name Indicator field is N, this field contains the file ID of the directory that contains the object identified in the Path Name field. Otherwise it contains hex zeros. (3)
-         | 1011 | 1397 | Path Name (4)                        | Char(5002) | The path name of the object.

Notes:
1  These fields are used only for objects in the "root" (/), QOpenSys, and user-defined file systems.
2  An ID that has the left-most bit set and the rest of the bits zero indicates that the ID is NOT set.
3  If the Path Name Indicator field is N, but the Relative Directory File ID is hex zeros, then there was some error in determining the path name information.
4  This is a variable length field. The first 2 bytes contain the length of the path name.
5  If the object is in a library, this is the ASP information of the object's library. If the object is not in a library, this is the ASP information of the object.
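The RO layout above and the RZ layout (Table 209) share every offset; only the meaning of the two Char(10) fields at J5 offsets 639 and 649 differs (owner versus primary group). Three conventions matter when a tool reads these records: a file ID of X'80' followed by fifteen X'00' bytes means the ID is not set (note 2), the Path Name Indicator distinguishes an absolute path (Y) from a relative one that must be joined to the Relative Directory File ID (N), with N plus a hex-zero directory ID meaning the path could not be determined (note 3), and Path Name carries its own 2-byte length prefix (note 4). The Python below is an added example, not code from the IBM reference. It decodes a constructed *TYPE5 record by the J5 offsets of Table 205 and assumes that the record has already been translated from EBCDIC to a single-byte ASCII-compatible encoding, that Binary(4) and Binary(5) are 2- and 4-byte big-endian unsigned integers, and that the sample values (names, owners, file IDs, CCSID) are invented.

```python
"""Added example, not from the IBM reference: decode the entry-specific part of an
RO (Table 205) or RZ (Table 209) *TYPE5 outfile record by its J5 offsets."""
import struct

RECORD_LEN = 1397 - 1 + 5002                # Path Name, Char(5002), is the last J5 field
NOT_SET_FILE_ID = b"\x80" + b"\x00" * 15    # note 2: left-most bit set, rest zero
ZERO_FILE_ID = b"\x00" * 16                 # note 3: "hex zeros"


def fld(rec, off, ln):
    """Slice a field by its 1-based J5 offset (assumed: rec is bytes, already translated from EBCDIC)."""
    return rec[off - 1: off - 1 + ln]


def text(rec, off, ln):
    return fld(rec, off, ln).decode("latin-1").rstrip()


def bin4(rec, off):
    """Binary(4): assumed 2-byte big-endian unsigned integer."""
    return struct.unpack(">H", fld(rec, off, 2))[0]


def bin5(rec, off):
    """Binary(5): assumed 4-byte big-endian unsigned integer."""
    return struct.unpack(">I", fld(rec, off, 4))[0]


def decode_restore_entry(rec, kind="RO"):
    """Return the security-relevant fields of one RO or RZ record as a dict."""
    who = ("old_owner", "new_owner") if kind == "RO" else ("old_primary_group", "new_primary_group")
    out = {
        "entry_type": text(rec, 610, 1),
        "object_name": text(rec, 611, 10),
        "library": text(rec, 621, 10),
        "object_type": text(rec, 631, 8),
        who[0]: text(rec, 639, 10),
        who[1]: text(rec, 649, 10),
        "asp_name": text(rec, 1354, 10),
    }
    # Note 1: the file-ID and path fields apply only to objects in "root" (/),
    # QOpenSys and user-defined file systems; an unset Object File ID means a
    # library object, already identified by object_name/library above.
    object_file_id = fld(rec, 810, 16)
    if object_file_id in (NOT_SET_FILE_ID, ZERO_FILE_ID):
        return out
    out["object_file_id"] = object_file_id.hex()
    out["ifs_name"] = fld(rec, 826, bin4(rec, 780)).decode("latin-1")
    out["ifs_name_ccsid"] = bin5(rec, 782)
    # Note 4: Path Name is variable length; its first 2 bytes hold the length.
    path_field = fld(rec, 1397, 5002)
    path_len = struct.unpack(">H", path_field[:2])[0]
    out["path"] = path_field[2:2 + path_len].decode("latin-1")
    out["path_length_field"] = bin4(rec, 1378)   # should agree with the prefix
    indicator = text(rec, 1380, 1)
    rel_dir = fld(rec, 1381, 16)
    if indicator == "Y":
        out["path_kind"] = "absolute"
    elif rel_dir == ZERO_FILE_ID:
        out["path_kind"] = "undetermined"        # note 3: N with hex-zero directory ID
    else:
        out["path_kind"] = "relative"
        out["relative_dir_file_id"] = rel_dir.hex()  # resolve this to rebuild the absolute path
    return out


def build_sample(indicator="Y", rel_dir=ZERO_FILE_ID, path="/home/alice/payroll.csv"):
    """Constructed *TYPE5 record for illustration; every value is invented, not captured."""
    rec = bytearray(b" " * RECORD_LEN)

    def put(off, data):
        rec[off - 1: off - 1 + len(data)] = data

    name = path.rsplit("/", 1)[-1].encode()
    put(610, b"A")
    put(611, b"*N".ljust(10))
    put(631, b"*STMF".ljust(8))
    put(639, b"QSECOFR".ljust(10))         # old owner / old primary group
    put(649, b"ALICE".ljust(10))           # new owner / new primary group
    put(780, struct.pack(">H", len(name)))
    put(782, struct.pack(">I", 1208))
    put(794, bytes.fromhex("00000000000000000000000000000001"))
    put(810, bytes.fromhex("00000000000000000000000000000002"))
    put(826, name)
    put(1354, b"*SYSBAS".ljust(10))
    put(1378, struct.pack(">H", len(path)))
    put(1380, indicator.encode())
    put(1381, rel_dir)
    put(1397, struct.pack(">H", len(path)) + path.encode())
    return bytes(rec)
```

A review tool built on this would alert on the combination that matters for a restore: an old owner of QSECOFR or another powerful profile becoming a less trusted one (or the reverse), with the path reconstructed only when path_kind is absolute.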

RP (Restoring Programs that Adopt Authority) journal entries

This table provides the format of the RP (Restoring Programs that Adopt Authority) journal entries.

Table 206. RP (Restoring Programs that Adopt Authority) journal entries. QASYRPJE/J4/J5 Field Description File

Offset JE | J4  | J5   | Field                                | Format     | Description
1         | 1   | 1    |                                      |            | Heading fields common to all entry types. See Standard heading fields for audit journal entries QJORDJE5 Record Format (*TYPE5) on page 562, Standard heading fields for audit journal entries QJORDJE4 Record Format (*TYPE4) on page 563, and Standard heading fields for audit journal entries QJORDJE2 Record Format (*TYPE2) on page 565 for field listing.
156       | 224 | 610  | Entry Type                           | Char(1)    | The type of entry.
          |     |      |                                      |            | A  Restoring programs that adopt the owner's authority.
157       | 225 | 611  | Program Name                         | Char(10)   | The name of the program.
167       | 235 | 621  | Program Library                      | Char(10)   | The name of the library where the program is located.
177       | 245 | 631  | Object Type                          | Char(8)    | The type of object.
185       | 253 | 639  | Owner Name                           | Char(10)   | Name of the owner.
-         | 263 | 649  | (Reserved Area)                      | Char(18)   |
-         | 281 | 667  | Object Name Length (1)               | Binary(4)  | The length of the object name.
-         | 283 | 669  | Object Name CCSID (1)                | Binary(5)  | The coded character set identifier for the object name.
-         | 287 | 673  | Object Name Country or Region ID (1) | Char(2)    | The Country or Region ID for the object name.
-         | 289 | 675  | Object Name Language ID (1)          | Char(3)    | The language ID for the object name.
-         | 292 | 678  | (Reserved Area)                      | Char(3)    |
-         | 295 | 681  | Parent File ID (1,2)                 | Char(16)   | The file ID of the parent directory.
-         | 311 | 697  | Object File ID (1,2)                 | Char(16)   | The file ID of the object.
-         | 327 | 713  | Object Name (1)                      | Char(512)  | The name of the object.
-         | 839 | 1225 | Object File ID                       | Char(16)   | The file ID of the object.
-         | 855 | 1241 | ASP Name (5)                         | Char(10)   | The name of the ASP device.
-         | 865 | 1251 | ASP Number (5)                       | Char(5)    | The number of the ASP device.
-         | 870 | 1256 | Path Name CCSID                      | Binary(5)  | The coded character set identifier for the path name.
-         | 874 | 1260 | Path Name Country or Region ID       | Char(2)    | The Country or Region ID for the path name.
-         | 876 | 1262 | Path Name Language ID                | Char(3)    | The language ID for the path name.
-         | 879 | 1265 | Path Name Length                     | Binary(4)  | The length of the path name.
-         | 881 | 1267 | Path Name Indicator                  | Char(1)    | Path name indicator:
          |     |      |                                      |            | Y  The Path Name field contains the complete absolute path name for the object.
          |     |      |                                      |            | N  The Path Name field does not contain an absolute path name for the object; instead it contains a relative path name. The Relative Directory File ID field is valid and can be used to form an absolute path name with this relative path name.
-         | 882 | 1268 | Relative Directory File ID (3)       | Char(16)   | When the Path Name Indicator field is N, this field contains the file ID of the directory that contains the object identified in the Path Name field. Otherwise it contains hex zeros. (3)
-         | 898 | 1284 | Path Name (4)                        | Char(5002) | The path name of the object.

Notes:
1  These fields are used only for objects in the "root" (/), QOpenSys, and user-defined file systems.
2  An ID that has the left-most bit set and the rest of the bits zero indicates that the ID is not set.
3  If the Path Name Indicator field is N, but the Relative Directory File ID is hex zeros, then there was some error in determining the path name information.
4  This is a variable length field. The first 2 bytes contain the length of the path name.
5  If the object is in a library, this is the ASP information of the object's library. If the object is not in a library, this is the ASP information of the object.


RQ (Restoring Change Request Descriptor Object) journal entries

This table provides the format of the RQ (Restoring Change Request Descriptor Object) journal entries.

Table 207. RQ (Restoring Change Request Descriptor Object) journal entries. QASYRQJE/J4/J5 Field Description File

Offset JE | J4  | J5  | Field          | Format   | Description
1         | 1   | 1   |                |          | Heading fields common to all entry types. See Standard heading fields for audit journal entries QJORDJE5 Record Format (*TYPE5) on page 562, Standard heading fields for audit journal entries QJORDJE4 Record Format (*TYPE4) on page 563, and Standard heading fields for audit journal entries QJORDJE2 Record Format (*TYPE2) on page 565 for field listing.
156       | 224 | 610 | Entry Type     | Char(1)  | The type of entry.
          |     |     |                |          | A  Restore *CRQD object that adopts authority.
157       | 225 | 611 | Object Name    | Char(10) | The name of the change request descriptor.
167       | 235 | 621 | Object Library | Char(10) | The name of the library where the change request descriptor is found.
177       | 245 | 631 | Object Type    | Char(8)  | The type of object.
-         | -   | 639 | ASP name       | Char(10) | ASP name for the CRQD library.
-         | -   | 649 | ASP number     | Char(5)  | ASP number for the CRQD library.

RU (Restore Authority for User Profile) journal entries

This table provides the format of the RU (Restore Authority for User Profile) journal entries.

Table 208. RU (Restore Authority for User Profile) journal entries. QASYRUJE/J4/J5 Field Description File

Offset JE | J4  | J5  | Field              | Format   | Description
1         | 1   | 1   |                    |          | Heading fields common to all entry types. See Standard heading fields for audit journal entries QJORDJE5 Record Format (*TYPE5) on page 562, Standard heading fields for audit journal entries QJORDJE4 Record Format (*TYPE4) on page 563, and Standard heading fields for audit journal entries QJORDJE2 Record Format (*TYPE2) on page 565 for field listing.
156       | 224 | 610 | Entry Type         | Char(1)  | The type of entry.
          |     |     |                    |          | A  Restoring authority to user profiles.
157       | 225 | 611 | User Name          | Char(10) | The name of the user profile whose authority was restored.
167       | 235 | 621 | Library Name       | Char(10) | The name of the library.
177       | 245 | 631 | Object Type        | Char(8)  | The type of object.
-         | 253 | 639 | Authority Restored | Char(1)  | Indicates whether all authorities were restored for the user.
          |     |     |                    |          | A  All authorities were restored.
          |     |     |                    |          | S  Some authorities were not restored.

RZ (Primary Group Change for Restored Object) journal entries

This table provides the format of the RZ (Primary Group Change for Restored Object) journal entries.

Table 209. RZ (Primary Group Change for Restored Object) journal entries. QASYRZJE/J4/J5 Field Description File

Offset JE | J4   | J5   | Field                                | Format     | Description
1         | 1    | 1    |                                      |            | Heading fields common to all entry types. See Standard heading fields for audit journal entries QJORDJE5 Record Format (*TYPE5) on page 562, Standard heading fields for audit journal entries QJORDJE4 Record Format (*TYPE4) on page 563, and Standard heading fields for audit journal entries QJORDJE2 Record Format (*TYPE2) on page 565 for field listing.
156       | 224  | 610  | Entry Type                           | Char(1)    | The type of entry.
          |      |      |                                      |            | A  Primary group changed.
157       | 225  | 611  | Object Name                          | Char(10)   | The name of the object.
167       | 235  | 621  | Object Library                       | Char(10)   | The name of the library where the object is found.
177       | 245  | 631  | Object Type                          | Char(8)    | The type of object.
185       | 253  | 639  | Old Primary Group                    | Char(10)   | The previous primary group for the object.
195       | 263  | 649  | New Primary Group                    | Char(10)   | The new primary group for the object.
205       | 273  | 659  | (Reserved Area)                      | Char(20)   |
225       | 293  | 679  | DLO Name                             | Char(12)   | The name of the document library object.
237       | 305  | 691  | (Reserved Area)                      | Char(8)    |
245       | 313  | 699  | Folder Path                          | Char(63)   | The folder into which the object was restored.
308       | -    | -    | (Reserved Area)                      | Char(20)   |
-         | 376  | 762  | (Reserved Area)                      | Char(18)   |
-         | 394  | 780  | Object Name Length (1)               | Binary(4)  | The length of the object name.
328       | 396  | 782  | Object Name CCSID (1)                | Binary(5)  | The coded character set identifier for the object name.
332       | 400  | 786  | Object Name Country or Region ID (1) | Char(2)    | The Country or Region ID for the object name.
334       | 402  | 788  | Object Name Language ID (1)          | Char(3)    | The language ID for the object name.
337       | 405  | 791  | (Reserved area)                      | Char(3)    |
340       | 408  | 794  | Parent File ID (1,2)                 | Char(16)   | The file ID of the parent directory.
356       | 424  | 810  | Object File ID (1,2)                 | Char(16)   | The file ID of the object.
372       | 440  | 826  | Object Name (1)                      | Char(512)  | The name of the object.
-         | 952  | 1338 | Object File ID                       | Char(16)   | The file ID of the object.
-         | 968  | 1354 | ASP Name                             | Char(10)   | The name of the ASP device.
-         | 978  | 1364 | ASP Number                           | Char(5)    | The number of the ASP device.
-         | 983  | 1369 | Path Name CCSID                      | Binary(5)  | The coded character set identifier for the path name.
-         | 987  | 1373 | Path Name Country or Region ID       | Char(2)    | The Country or Region ID for the path name.
-         | 989  | 1375 | Path Name Language ID                | Char(3)    | The language ID for the path name.
-         | 992  | 1378 | Path Name Length                     | Binary(4)  | The length of the path name.
-         | 994  | 1380 | Path Name Indicator                  | Char(1)    | Path name indicator:
          |      |      |                                      |            | Y  The Path Name field contains the complete absolute path name for the object.
          |      |      |                                      |            | N  The Path Name field does not contain an absolute path name for the object; instead it contains a relative path name. The Relative Directory File ID field is valid and can be used to form an absolute path name with this relative path name.
-         | 995  | 1381 | Relative Directory File ID (3)       | Char(16)   | When the Path Name Indicator field is N, this field contains the file ID of the directory that contains the object identified in the Path Name field. Otherwise it contains hex zeros. (3)
-         | 1011 | 1397 | Path Name (4)                        | Char(5002) | The path name of the object.

Notes:
1  These fields are used only for objects in the "root" (/), QOpenSys, and user-defined file systems.
2  An ID that has the left-most bit set and the rest of the bits zero indicates that the ID is NOT set.
3  If the Path Name Indicator field is N, but the Relative Directory File ID is hex zeros, then there was some error in determining the path name information.
4  This is a variable length field. The first 2 bytes contain the length of the path name.

SD (Change System Distribution Directory) journal entries

This table provides the format of the SD (Change System Distribution Directory) journal entries.

Table 210. SD (Change System Distribution Directory) journal entries. QASYSDJE/J4/J5 Field Description File

Offset JE | J4  | J5  | Field              | Format   | Description
1         | 1   | 1   |                    |          | Heading fields common to all entry types. See Standard heading fields for audit journal entries QJORDJE5 Record Format (*TYPE5) on page 562, Standard heading fields for audit journal entries QJORDJE4 Record Format (*TYPE4) on page 563, and Standard heading fields for audit journal entries QJORDJE2 Record Format (*TYPE2) on page 565 for field listing.
156       | 224 | 610 | Entry Type         | Char(1)  | The type of entry.
          |     |     |                    |          | S  System directory change.
157       | 225 | 611 | Type of Change     | Char(3)  | ADD  Add directory entry
          |     |     |                    |          | CHG  Change directory entry
          |     |     |                    |          | COL  Collector entry
          |     |     |                    |          | DSP  Display directory entry
          |     |     |                    |          | OUT  Output file request
          |     |     |                    |          | PRT  Print directory entry
          |     |     |                    |          | RMV  Remove directory entry
          |     |     |                    |          | RNM  Rename directory entry
          |     |     |                    |          | RTV  Retrieve details
          |     |     |                    |          | SUP  Supplier entry
160       | 228 | 614 | Type of record     | Char(4)  | DIRE  Directory
          |     |     |                    |          | DPTD  Department details
          |     |     |                    |          | SHDW  Directory shadow
          |     |     |                    |          | SRCH  Directory search
164       | 232 | 618 | Originating System | Char(8)  | The system originating the change.
172       | 240 | 626 | User Profile       | Char(10) | The user profile making the change.
182       | 250 | 636 | Requesting system  | Char(8)  | The system requesting the change.
190       | 258 | 644 | Function Requested | Char(6)  | INIT    Initialization
          |     |     |                    |          | OFFLIN  Offline initialization
          |     |     |                    |          | REINIT  Reinitialization
          |     |     |                    |          | SHADOW  Normal shadowing
          |     |     |                    |          | STPSHD  Stop shadowing
196       | 264 | 650 | User ID            | Char(8)  | The user ID being changed.
204       | 272 | 658 | Address            | Char(8)  | The address being changed.
212       | 280 | 666 | Network User ID    | Char(47) | The network user ID being changed.

SE (Change of Subsystem Routing Entry) journal entries

This table provides the format of the SE (Change of Subsystem Routing Entry) journal entries.

Table 211. SE (Change of Subsystem Routing Entry) journal entries. QASYSEJE/J4/J5 Field Description File

Offset JE | J4  | J5  | Field                          | Format   | Description
1         | 1   | 1   |                                |          | Heading fields common to all entry types. See Standard heading fields for audit journal entries QJORDJE5 Record Format (*TYPE5) on page 562, Standard heading fields for audit journal entries QJORDJE4 Record Format (*TYPE4) on page 563, and Standard heading fields for audit journal entries QJORDJE2 Record Format (*TYPE2) on page 565 for field listing.
156       | 224 | 610 | Entry Type                     | Char(1)  | The type of entry.
          |     |     |                                |          | A  Subsystem routing entry changed.
157       | 225 | 611 | Subsystem Name                 | Char(10) | The name of the object.
167       | 235 | 621 | Library Name                   | Char(10) | The name of the library where the object is stored.
177       | 245 | 631 | Object Type                    | Char(8)  | The type of object.
185       | 253 | 639 | Program Name                   | Char(10) | The name of the program that changed the routing entry.
195       | 263 | 649 | Library Name                   | Char(10) | The name of the library for the program.
205       | 273 | 659 | Sequence Number                | Char(4)  | The sequence number.
209       | 277 | 663 | Command Name                   | Char(3)  | The type of command used:
          |     |     |                                |          | ADD  ADDRTGE
          |     |     |                                |          | CHG  CHGRTGE
          |     |     |                                |          | RMV  RMVRTGE
-         | -   | 666 | ASP name for SBSD library      | Char(10) | ASP name for the SBSD library.
-         | -   | 676 | ASP number for SBSD library    | Char(5)  | ASP number for the SBSD library.
-         | -   | 681 | ASP name for program library   | Char(10) | ASP name for the program library.
-         | -   | 691 | ASP number for program library | Char(5)  | ASP number for the program library.

SF (Action to Spooled File) journal entries

This table provides the format of the SF (Action to Spooled File) journal entries.

Table 212. SF (Action to Spooled File) journal entries. QASYSFJE/J4/J5 Field Description File

Offset JE | J4  | J5   | Field                                       | Format    | Description
1         | 1   | 1    |                                             |           | Heading fields common to all entry types. See Standard heading fields for audit journal entries QJORDJE5 Record Format (*TYPE5) on page 562, Standard heading fields for audit journal entries QJORDJE4 Record Format (*TYPE4) on page 563, and Standard heading fields for audit journal entries QJORDJE2 Record Format (*TYPE2) on page 565 for field listing.
156       | 224 | 610  | Access Type                                 | Char(1)   | The type of entry.
          |     |      |                                             |           | A  Spooled file read by someone other than the owner of the spooled file.
          |     |      |                                             |           | C  Spooled file created.
          |     |      |                                             |           | D  Spooled file deleted.
          |     |      |                                             |           | H  Spooled file held.
          |     |      |                                             |           | I  Create of inline file.
          |     |      |                                             |           | R  Spooled file released.
          |     |      |                                             |           | S  Spooled file saved.
          |     |      |                                             |           | T  Spooled file restored.
          |     |      |                                             |           | U  Security-relevant spooled file attributes changed.
          |     |      |                                             |           | V  Only non-security-relevant spooled file attributes changed.
          |     |      |                                             |           | X  Spooled file operation rejected by exit program.
157       | 225 | 611  | Database File Name                          | Char(10)  | The name of the database file containing the spooled file.
167       | 235 | 621  | Library Name                                | Char(10)  | The name of the library for the database file.
177       | 245 | 631  | Object Type                                 | Char(8)   | The object type of the database file.
185       | 253 | 639  | Reserved area                               | Char(10)  |
195       | 263 | 649  | Member Name                                 | Char(10)  | The name of the file member.
205       | 273 | 659  | Spooled File Name (1)                       | Char(10)  | The name of the spooled file.
215       | 283 | 669  | Short Spooled File Number (1)               | Char(4)   | The number of the spooled file. If the spooled file number is larger than 4 bytes, this field will be blank and the Spooled File Number field (J5 offset 693) will be used.
219       | 287 | 673  | Output Queue Name                           | Char(10)  | The name of the output queue containing the spooled file.
229       | 297 | 683  | Output Queue Library                        | Char(10)  | The name of the library for the output queue.
239       | -   | -    | Reserved area                               | Char(20)  |
-         | 307 | 693  | Spooled File Number                         | Char(6)   | The number of the spooled file.
-         | 313 | 699  | Reserved Area                               | Char(14)  |
259       | 327 | 713  | Old Copies                                  | Char(3)   | Number of old copies of the spooled file.
262       | 330 | 716  | New Copies                                  | Char(3)   | Number of new copies of the spooled file.
265       | 333 | 719  | Old Printer                                 | Char(10)  | Old printer for the spooled file.
275       | 343 | 729  | New Printer                                 | Char(10)  | New printer for the spooled file.
285       | 353 | 739  | New Output Queue                            | Char(10)  | New output queue for the spooled file.
295       | 363 | 749  | New Output Queue Library                    | Char(10)  | Library for the new output queue.
305       | 373 | 759  | Old Form Type                               | Char(10)  | Old form type of the spooled file.
315       | 383 | 769  | New Form Type                               | Char(10)  | New form type of the spooled file.
325       | 393 | 779  | Old Restart Page                            | Char(8)   | Old restart page for the spooled file.
333       | 401 | 787  | New Restart Page                            | Char(8)   | New restart page for the spooled file.
341       | 409 | 795  | Old Page Range Start                        | Char(8)   | Old page range start of the spooled file.
349       | 417 | 803  | New Page Range Start                        | Char(8)   | New page range start of the spooled file.
357       | 425 | 811  | Old Page Range End                          | Char(8)   | Old page range end of the spooled file.
365       | 433 | 819  | New Page Range End                          | Char(8)   | New page range end of the spooled file.
-         | 441 | 827  | Spooled File Job Name                       | Char(10)  | The name of the spooled file job.
-         | 451 | 837  | Spooled File Job User                       | Char(10)  | The user for the spooled file job.
-         | 461 | 847  | Spooled File Job Number                     | Char(6)   | The number for the spooled file job.
-         | 467 | 853  | Old Drawer                                  | Char(8)   | Old source drawer.
-         | 475 | 861  | New Drawer                                  | Char(8)   | New source drawer.
-         | 483 | 869  | Old Page Definition Name                    | Char(10)  | Old page definition name.
-         | 493 | 879  | Old Page Definition Library                 | Char(10)  | Old page definition library name.
-         | 503 | 889  | New Page Definition Name                    | Char(10)  | New page definition name.
-         | 513 | 899  | New Page Definition Library                 | Char(10)  | New page definition library.
-         | 523 | 909  | Old Form Definition Name                    | Char(10)  | Old form definition name.
-         | 533 | 919  | Old Form Definition Library                 | Char(10)  | Old form definition library name.
-         | 543 | 929  | New Form Definition Name                    | Char(10)  | Name of new form definition.
-         | 553 | 939  | New Form Definition Library                 | Char(10)  | New form definition library name.
-         | 563 | 949  | Old User Defined Option 1                   | Char(10)  | Old user-defined option 1.
-         | 573 | 959  | Old User Defined Option 2                   | Char(10)  | Old user-defined option 2.
-         | 583 | 969  | Old User Defined Option 3                   | Char(10)  | Old user-defined option 3.
-         | 593 | 979  | Old User Defined Option 4                   | Char(10)  | Old user-defined option 4.
-         | 603 | 989  | New User Defined Option 1                   | Char(10)  | New user-defined option 1.
-         | 613 | 999  | New User Defined Option 2                   | Char(10)  | New user-defined option 2.
-         | 623 | 1009 | New User Defined Option 3                   | Char(10)  | New user-defined option 3.
-         | 633 | 1019 | New User Defined Option 4                   | Char(10)  | New user-defined option 4.
-         | 643 | 1029 | Old User Defined Object                     | Char(10)  | Old user-defined object name.
-         | 653 | 1039 | Old User Defined Object Library             | Char(10)  | Old user-defined library name.
-         | 663 | 1049 | Old User Defined Object Type                | Char(10)  | Old user-defined object type.
-         | 673 | 1059 | New User Defined Object                     | Char(10)  | New user-defined object.
-         | 683 | 1069 | New User Defined Object Library             | Char(10)  | New user-defined object library name.
-         | 693 | 1079 | New User Defined Object Type                | Char(10)  | New user-defined object type.
-         | 703 | 1089 | Spooled File Job System Name                | Char(8)   | The name of the system on which the spooled file resides.
-         | 711 | 1097 | Spooled File Create Date                    | Char(7)   | The spooled file create date (CYYMMDD).
-         | 718 | 1104 | Spooled File Create Time                    | Char(6)   | The spooled file create time (HHMMSS).
-         | -   | 1110 | Name of old user defined data               | Char(255) | Name of old user defined data.
-         | -   | 1365 | Name of new user defined data               | Char(255) | Name of new user defined data.
-         | -   | 1620 | File ASP Name                               | Char(10)  | ASP name for the database file library.
-         | -   | 1630 | File ASP Number                             | Char(5)   | ASP number for the database file library.
-         | -   | 1635 | Output Queue ASP name                       | Char(10)  | ASP name for the output queue library.
-         | -   | 1645 | Output Queue ASP number                     | Char(5)   | ASP number for the output queue library.
-         | -   | 1650 | New Output Queue ASP Name                   | Char(10)  | ASP name for the new output queue library.
-         | -   | 1660 | New Output Queue ASP Number                 | Char(5)   | ASP number for the new output queue library.
-         | -   | 1665 | Old Spooled File Status                     | Char(3)   | Old spooled file status.
-         | -   | 1668 | New Spooled File Status                     | Char(3)   | New spooled file status.
-         | -   | 1671 | Original Creation Date                      | Char(7)   | Original creation date.
-         | -   | 1678 | Original Creation Time                      | Char(6)   | Original creation time.
-         | -   | 1684 | Old Spooled File Expiration Date            | Char(7)   | Old spooled file expiration date.
-         | -   | 1687 | New Spooled File Expiration Date            | Char(7)   | New spooled file expiration date.
-         | -   | 1694 | Spooled File Create Date UTC                | Char(7)   | The spooled file create date in UTC (the same date as the Spooled File Create Date at offset 1097, expressed in UTC).
-         | -   | 1701 | Spooled File Create Time UTC                | Char(6)   | The spooled file create time in UTC (the same time as the Spooled File Create Time at offset 1104, expressed in UTC).
-         | -   | 1707 | Registered security exit program            | Char(10)  | The name of the registered security exit program.
-         | -   | 1717 | Registered security exit program library    | Char(10)  | The library name of the registered security exit program.
-         | -   | 1727 | Registered security exit program ASP name   | Char(10)  | The ASP name of the registered security exit program.
-         | -   | 1737 | Registered security exit program ASP number | Char(5)   | The ASP number of the registered security exit program.

Notes:
1  This field is blank when the type of entry is I (inline print).

SG (Asynchronous Signals) journal entries

This table provides the format of the SG (Asynchronous Signals) journal entries.

Table 213. SG (Asynchronous Signals) journal entries. QASYSGJ4/J5 Field Description File

Offset J4 | J5  | Field                   | Format   | Description
1         | 1   |                         |          | Heading fields common to all entry types. See Standard heading fields for audit journal entries QJORDJE5 Record Format (*TYPE5) on page 562 and Standard heading fields for audit journal entries QJORDJE4 Record Format (*TYPE4) on page 563 for field listing.
224       | 610 | Entry Type              | Char(1)  | The type of entry.
          |     |                         |          | A  Asynchronous i5/OS signal processed.
          |     |                         |          | P  Asynchronous PASE (Portable Application Solutions Environment) signal processed.
225       | 611 | Signal Number           | Char(4)  | The signal number that was processed.
229       | 615 | Handle action           | Char(1)  | The action taken on this signal.
          |     |                         |          | C  Continue the process.
          |     |                         |          | E  Signal exception.
          |     |                         |          | H  Handle by invoking the signal catching function.
          |     |                         |          | S  Stop the process.
          |     |                         |          | T  End the process.
          |     |                         |          | U  End the request.
230       | 616 | Signal Source           | Char(1)  | The source of the signal.
          |     |                         |          | M  Machine source.
          |     |                         |          | P  Process source.
          |     |                         |          | Note: When the signal source value is machine, the source job values are blank.
231       | 617 | Source Job Name         | Char(10) | The first part of the source job's qualified name.
241       | 627 | Source Job User Name    | Char(10) | The second part of the source job's qualified name.
251       | 637 | Source Job Number       | Char(6)  | The third part of the source job's qualified name.
257       | 643 | Source Job Current User | Char(10) | The current user profile for the source job.
267       | 653 | Generation Timestamp    | Char(8)  | The *DTS format of the time when the signal was generated. Note: The QWCCVTDT API can be used to convert a *DTS time stamp to other formats.

SK (Secure Sockets Connections) journal entries

This table provides the format of the SK (Secure Sockets Connections) journal entries.

Table 214. SK (Secure Sockets Connections) journal entries. QASYSKJ4/J5 Field Description File

Offset J4 | J5   | Field                 | Format    | Description
1         | 1    |                       |           | Heading fields common to all entry types. See Standard heading fields for audit journal entries QJORDJE5 Record Format (*TYPE5) on page 562 and Standard heading fields for audit journal entries QJORDJE4 Record Format (*TYPE4) on page 563 for field listing.
224       | 610  | Entry type            | Char(1)   | A  Accept
          |      |                       |           | C  Connect
          |      |                       |           | D  DHCP address assigned
          |      |                       |           | F  Filtered mail
          |      |                       |           | P  Port unavailable
          |      |                       |           | R  Reject mail
          |      |                       |           | U  DHCP address not assigned
225       | 611  | Local IP Address (3)  | Char(15)  | The local IP address.
240       | 626  | Local port            | Char(5)   | The local port.
245       | 631  | Remote IP Address (3) | Char(15)  | The remote IP address.
260       | 646  | Remote port           | Char(5)   | The remote port.
265       | 651  | Socket Descriptor     | Bin(5)    | The socket descriptor.
269       | 655  | Filter Description    | Char(10)  | The mail filter specified.
279       | 665  | Filter Data Length    | Bin(4)    | The length of the filter data.
281       | 667  | Filter Data (1)       | Char(514) | The filter data.
795       | 1181 | Address Family        | Char(10)  | The address family.
          |      |                       |           | *IPV4  Internet Protocol Version 4
          |      |                       |           | *IPV6  Internet Protocol Version 6
805       | 1191 | Local IP address      | Char(46)  | The local IP address.
851       | 1237 | Remote IP address (2) | Char(46)  | The remote IP address.
897       | 1283 | MAC address           | Char(32)  | The MAC address of the requesting client.
929       | 1315 | Host name             | Char(255) | The host name of the requesting client.

Notes:
1  This is a variable length field. The first two bytes contain the length of the field.
2  When the entry type is D, this field contains the IP address that the DHCP server assigned to the requesting client.
3  These fields only support IPv4 addresses.

SM (Systems Management Change) journal entries

This table provides the format of the SM (Systems Management Change) journal entries.

Table 215. SM (Systems Management Change) journal entries. QASYSMJE/J4/J5 Field Description File

Offset        Field                            Format      Description
JE/J4/J5
1/1/1         (heading fields)                             Heading fields common to all entry types. See "Standard heading fields for audit journal entries QJORDJE5 Record Format (*TYPE5)" on page 562, "Standard heading fields for audit journal entries QJORDJE4 Record Format (*TYPE4)" on page 563, and "Standard heading fields for audit journal entries QJORDJE2 Record Format (*TYPE2)" on page 565 for the field listing.
156/224/610   Entry Type                       Char(1)     Function accessed:
                B  Backup list changed
                C  Automatic cleanup options
                D  DRDA
                F  HFS file system
                N  Network file operation
                O  Backup options changed
                P  Power on/off schedule
                S  System reply list
                T  Access path recovery times changed
157/225/611   Access Type                      Char(1)
                A  Add
                C  Change
                D  Delete
                R  Remove
                S  Display
                T  Retrieve or receive
158/226/612   Sequence Number                  Char(4)     Sequence number of the action
162/230/616   Message ID                       Char(7)     Message ID associated with the action
169/237/623   Relational Database Name         Char(18)    Name of the relational database
187/255/641   File System Name                 Char(10)    Name of the file system
197/265/651   Backup Option Changed            Char(10)    The backup option that was changed
207/275/661   Backup List Change               Char(10)    The name of the backup list that was changed
217/285/671   Network File Name                Char(10)    The name of the network file that was used

Appendix F. Layout of audit journal entries


Table 215. SM (Systems Management Change) journal entries (continued). QASYSMJE/J4/J5 Field Description File

Offset        Field                            Format      Description
JE/J4/J5
227/295/681   Network File Member              Char(10)    The name of the member of the network file
237/305/691   Network File Number              Zoned(6,0)  The number of the network file
243/311/697   Network File Owner               Char(10)    The name of the user profile that owns the network file
253/321/707   Network File Originating User    Char(8)     The name of the user profile that originated the network file
261/329/715   Network File Originating Address Char(8)     The address that originated the network file

SO (Server Security User Information Actions) journal entries

This table provides the format of the SO (Server Security User Information Actions) journal entries.

Table 216. SO (Server Security User Information Actions) journal entries. QASYSOJE/J4/J5 Field Description File

Offset        Field                            Format       Description
JE/J4/J5
1/1/1         (heading fields)                              Heading fields common to all entry types. See "Standard heading fields for audit journal entries QJORDJE5 Record Format (*TYPE5)" on page 562, "Standard heading fields for audit journal entries QJORDJE4 Record Format (*TYPE4)" on page 563, and "Standard heading fields for audit journal entries QJORDJE2 Record Format (*TYPE2)" on page 565 for the field listing.
156/224/610   Entry Type                       Char(1)      The type of entry:
                A  Add entry
                C  Change entry
                R  Remove entry
                T  Retrieve entry
157/225/611   User Profile                     Char(10)     The name of the user profile.
-/235/621     User Information Entry Type      Char(1)
                N  Entry type not specified.
                U  Entry is a user application information entry.
                Y  Entry is a server authentication entry.
-/236/622     Password Stored                  Char(1)
                N  Password not stored
                S  No change
                Y  Password is stored.
-/237/623     Server Name                      Char(200)    The name of the server.
-/437/823     (Reserved Area)                  Char(3)
-/440/826     User ID Length                   Binary(4)    The length of the user ID.
-/442/828     (Reserved Area)                  Char(20)
-/462/848     User ID (1)                      Char(1002)   The ID for the user.

Notes:
1  This is a variable length field. The first 2 bytes contain the length of the field.

ST (Service Tools Action) journal entries

This table provides the format of the ST (Service Tools Action) journal entries.

Table 217. ST (Service Tools Action) journal entries. QASYSTJE/J4/J5 Field Description File

Offset        Field                                    Format      Description
JE/J4/J5
1/1/1         (heading fields)                                     Heading fields common to all entry types. See "Standard heading fields for audit journal entries QJORDJE5 Record Format (*TYPE5)" on page 562, "Standard heading fields for audit journal entries QJORDJE4 Record Format (*TYPE4)" on page 563, and "Standard heading fields for audit journal entries QJORDJE2 Record Format (*TYPE2)" on page 565 for the field listing.
156/224/610   Entry Type                               Char(1)     The type of entry:
                A  Service record
157/225/611   Service Tool                             Char(2)     The service tool used:
                AN  ANZJVM
                AR  ARM diagnostic trace (see ARMSRV QShell command)
                CD  QTACTLDV, QTADMPDV
                CE  QWTCTLTR
                CS  STRCPYSCN
                CT  DMPCLUTRC
                DC  DLTCMNTRC
                DD  DMPDLO
                DF  QWTDMPFR, QWTDMPLF
                DI  QSCDIRD
                DJ  DMPJVM, QPYRTJVM
                DM  DMPMEMINF
                DO  DMPOBJ
                DS  DMPSYSOBJ, QTADMPTS, QTADMPDV, QWTDMPLF
                DU  DMPUSRPRF
                DW  STRDW, ENDDW, ADDDWDFN, RMVDWDFN
                EC  ENDCMNTRC
                ER  ENDRMTSPT
                FF  FFDC (First Failure Data Capture)
                GS  QSMGSSTD
                HD  QYHCHCOP (DASD)
                HL  QYHCHCOP (LPAR)
                JW  STRJW, ENDJW, ADDJWDFN, RMVJWDFN
                LC  EPT created
                LD  EPT deleted
                LE  EPT for the job has been changed
                LF  System EPT has been fixed up
                LG  Entries in the EPT have been changed
                LH  EPT compared
                LI  EPT entries displayed
                MC  QWTMAINT (change)
                MD  QWTMAINT (dump)
                MP  End system job
                MQ  Restart system job
                OP  Operations console
                PC  PRTCMNTRC
                PE  PRTERRLOG, QTADMPDV
                PI  PRTINTDTA, QTADMPDV
                PS  QP0FPTOS
                SC  STRCMNTRC, QSCCHGCT
                SE  QWTSETTR
                SF  QWCCDSIC, QWVRCSTK (Display internal stack entry)
                SJ  STRSRVJOB
                SN  QPZSYNC
                SR  STRRMTSPT
                SS  QFPHPSF
                ST  STRSST
                SV  QSRSRV
                TA  TRCTCPAPP
                TC  TRCCNN (*FORMAT specified)
                TE  ENDTRC, ENDPEX, TRCJOB (*OFF or *END specified)
                TI  TRCINT, or TRCCNN with SET(*ON), SET(*OFF), or SET(*END)
                TO  QTOBSRV
                TQ  QWCTMQTM
                TS  STRTRC, STRPEX, TRCJOB (*ON specified)
                UD  QTAUPDDV
                WE  ENDWCH, QSCEWCH
                WS  STRWCH, QSCSWCH
                WT  WRKTRC
                WW  WRKWCH, QSCRWCHI, QSCRWCHL
159/227/613   Object Name                              Char(10)    Name of the object accessed
169/237/623   Library Name                             Char(10)    Name of the library for the object
179/247/633   Object Type                              Char(8)     Type of object
187/255/641   Job Name                                 Char(10)    The first part of the qualified job name
197/265/651   Job User Name                            Char(10)    The second part of the qualified job name
207/275/661   Job Number                               Zoned(6,0)  The third part of the qualified job name
213/281/667   Object Name                              Char(30)    Name of the object for DMPSYSOBJ
243/311/697   Library Name                             Char(30)    Name of the library for the object for DMPSYSOBJ
273/341/727   Object Type                              Char(8)     Type of the object
281/349/735   DLO Name                                 Char(12)    Name of the document library object
293/361/747   (Reserved Area)                          Char(8)
301/369/755   Folder Path (8)                          Char(63)    The folder containing the document library object
-/432/818     JUID Field                               Char(10)    The JUID of the target job
-/442/828     Early Trace Action (1)                   Char(10)    The action requested for early job tracing:
                *ON     Early tracing turned on
                *OFF    Early tracing turned off
                *RESET  Early tracing turned off and trace information deleted.
-/452/838     Application Trace Option (2)             Char(1)     The trace option specified on TRCTCPAPP:
                A (6)  Activate
                D (6)  Deactivate
                Y (7)  Collection of trace information started
                N (7)  Collection of trace information stopped and trace information written to spooled file
                E (7)  Collection of trace information ended and all trace information purged (no output created)
-/453/839     Application Traced (2)                   Char(10)    The name of the application being traced.
-/463/849     Service Tools Profile (3)                Char(10)    The name of the service tools profile used for STRSST.
-/-/859       Source node ID                           Char(8)     Source node ID
-/-/867       Source user                              Char(10)    Source user
-/-/877       ASP name for object library              Char(10)    ASP name for object library
-/-/887       ASP number for object library            Char(5)     ASP number for object library
-/-/892       ASP name for DMPSYSOBJ object library    Char(10)    ASP name for DMPSYSOBJ object library
-/-/902       ASP number for DMPSYSOBJ object library  Char(5)     ASP number for DMPSYSOBJ object library
-/-/907       Console Type (4)                         Char(10)    The console type. Possible values are:
                *DIRECT
                *LAN
                *HMC
-/-/917       Console action (4)                       Char(10)    The console action. Possible values are:
                *RECOVERY
                *TAKEOVER
-/-/927       Address family (4)                       Char(10)    The address family:
                *IPv4
                *IPv6
-/-/937       Previous IP address (4)                  Char(46)    The IP address of the previous console device for *LAN.
-/-/983       Previous device ID (4)                   Char(10)    The service tools device ID of the previous console device for *LAN.
-/-/993       Current IP address (4)                   Char(46)    The IP address of the current console device for *LAN.
-/-/1039      Current device ID (4)                    Char(10)    The service tools device ID of the current console device for *LAN.
-/-/1049      Watch session (5)                        Char(10)    Watch session ID.
-/-/1059      Entry (9)                                Char(10)    Name of the entry in the entry point table that was changed.
-/-/1069      Related Object (10)                      Char(10)    Name of related object:
                - For Service Tool value LC, this field contains the name of the base entry point table.
                - For Service Tool value LG, this field contains the name of the replacement program.
                - For Service Tool value LH, this field contains the name of the compare entry point table.
-/-/1079      Related Object Library (10)              Char(10)    Name of related object library:
                - For Service Tool value LC, this field contains the name of the base entry point table library.
                - For Service Tool value LG, this field contains the name of the replacement program library.
                - For Service Tool value LH, this field contains the name of the compare entry point table library.

Notes:
1   This field is only used when the Service Tool value (offset 611) is CE.
2   This field is only used when the Service Tool value (offset 611) is AR or TA.
3   This field is only used when the Service Tool value (offset 611) is ST or OP.
4   This field is only used when the Service Tool value (offset 611) is OP.
5   This field is only used when the Service Tool value (offset 611) is WS or WE.
6   This field is only used when the Service Tool value (offset 611) is AR.
7   This field is only used when the Service Tool value (offset 611) is TA.
8   The Folder Path will contain the 30 character Advanced Analysis Command name when the Service Tool value (offset 611) is GS.
9   This field is only used when the Service Tool value (offset 611) is LG.
10  This field is only used when the Service Tool value (offset 611) is LC, LG, or LH.
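The following Python is an added example, not part of this reference and not IBM code. It reads *TYPE5 ST records at the J5 offsets in Table 217 and reports use of service tools that dump or trace data, taking the conditional fields only when the table notes say they apply (the Application Trace Option for AR/TA, the service tools profile for ST/OP, the Advanced Analysis command in Folder Path for GS, and so on), since those positions hold nothing meaningful for other Service Tool values. Assumptions: the records are constructed, encoded in CCSID 37 (cp037) with the heading fields before offset 610 left blank; which tools count as sensitive is a local policy decision, and the set used here is only illustrative; Zoned(6,0) is decoded from the low nibble of each EBCDIC digit.

```python
# Added example, not from the IBM i Security Reference: flag sensitive
# service-tool usage from J5 (*TYPE5) ST records at the offsets in
# Table 217.  Records are constructed; SENSITIVE is a policy choice.

EBCDIC = "cp037"  # assumption: the journal receiver uses CCSID 37

SERVICE_TOOLS = {  # subset of the Service Tool codes listed in Table 217
    "DD": "DMPDLO", "DO": "DMPOBJ", "DU": "DMPUSRPRF",
    "DS": "DMPSYSOBJ, QTADMPTS, QTADMPDV, QWTDMPLF", "GS": "QSMGSSTD",
    "LG": "Entries in the EPT have been changed", "OP": "Operations console",
    "SJ": "STRSRVJOB", "ST": "STRSST", "TA": "TRCTCPAPP",
    "TS": "STRTRC, STRPEX, TRCJOB(*ON specified)", "WT": "WRKTRC",
}
SENSITIVE = {"DD", "DO", "DU", "DS", "GS", "LG", "SJ", "ST", "TA", "TS"}


def char(rec, off, length):
    return rec[off - 1:off - 1 + length].decode(EBCDIC).rstrip()


def zoned(rec, off, digits):
    """Zoned(digits,0): one EBCDIC digit per byte, value in the low nibble."""
    return int("".join(str(b & 0x0F) for b in rec[off - 1:off - 1 + digits]))


def parse_st_j5(rec):
    tool = char(rec, 611, 2)
    f = {
        "tool": tool,
        "tool_desc": SERVICE_TOOLS.get(tool, "other"),
        "object": (char(rec, 613, 10), char(rec, 623, 10), char(rec, 633, 8)),
        "job": (char(rec, 641, 10), char(rec, 651, 10), zoned(rec, 661, 6)),
        "dmpsysobj": (char(rec, 667, 30), char(rec, 697, 30), char(rec, 727, 8)),
        "source_user": char(rec, 867, 10),
    }
    # Fields that only apply to particular Service Tool values (table
    # notes 1-10).  Anything found there for other values is ignored.
    if tool == "GS":                 # note 8: Folder Path carries the AA command
        f["aa_command"] = char(rec, 755, 30)
    else:
        f["folder"] = char(rec, 755, 63)
    if tool in ("AR", "TA"):         # note 2
        f["trace"] = (char(rec, 838, 1), char(rec, 839, 10))
    if tool in ("ST", "OP"):         # note 3
        f["st_profile"] = char(rec, 849, 10)
    if tool in ("WS", "WE"):         # note 5
        f["watch_session"] = char(rec, 1049, 10)
    if tool in ("LC", "LG", "LH"):   # note 10
        f["related"] = (char(rec, 1069, 10), char(rec, 1079, 10))
    return f


def alerts(records):
    """One line per record whose Service Tool value is in SENSITIVE."""
    out = []
    for rec in records:
        f = parse_st_j5(rec)
        if f["tool"] in SENSITIVE:
            target = (f["object"][0] or f["dmpsysobj"][0]
                      or f.get("st_profile", "") or f.get("trace", ("", ""))[1]
                      or f.get("aa_command", ""))
            out.append("%s %s by %s target=%s" % (
                f["tool"], f["tool_desc"], f["source_user"], target))
    return out


def make_record(length, fields):
    buf = bytearray(b"\x40" * length)
    for off, data in fields:
        buf[off - 1:off - 1 + len(data)] = data
    return bytes(buf)


def e(s):
    return s.encode(EBCDIC)


SAMPLES = [  # constructed records; the values are made up for the example
    make_record(1090, [(610, e("A")), (611, e("DO")), (613, e("PAYROLL")),
                       (623, e("PRODLIB")), (633, e("*FILE")), (867, e("BOB"))]),
    make_record(1090, [(610, e("A")), (611, e("ST")), (849, e("QSECOFR")),
                       (867, e("ALICE"))]),
    make_record(1090, [(610, e("A")), (611, e("TA")), (838, e("Y")),
                       (839, e("*FTP")), (867, e("CAROL"))]),
    make_record(1090, [(610, e("A")), (611, e("WT")), (641, e("QZDASOINIT")),
                       (651, e("QUSER")), (661, b"\xF1\xF2\xF3\xF4\xF5\xF6"),
                       (867, e("DAVE"))]),
]

if __name__ == "__main__":
    for line in alerts(SAMPLES):
        print(line)
```

The point of the conditional reads is that a dump of user profiles (DU) or a TRCTCPAPP activation (TA) is worth an alert on its own, and the offsets that name the traced application or the STRSST profile are trustworthy only for the codes the notes tie them to.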

SV (Action to System Value) journal entries

This table provides the format of the SV (Action to System Value) journal entries.

Table 218. SV (Action to System Value) journal entries. QASYSVJE/J4/J5 Field Description File

Offset        Field                              Format      Description
JE/J4/J5
1/1/1         (heading fields)                               Heading fields common to all entry types. See "Standard heading fields for audit journal entries QJORDJE5 Record Format (*TYPE5)" on page 562, "Standard heading fields for audit journal entries QJORDJE4 Record Format (*TYPE4)" on page 563, and "Standard heading fields for audit journal entries QJORDJE2 Record Format (*TYPE2)" on page 565 for the field listing.
156/224/610   Entry Type                         Char(1)     The type of entry:
                A  Change to system values
                B  Change to service attributes
                C  Change to system clock
                D  Adjustment to Coordinated Universal Time (UTC)
                E  Change to option
                F  Change to system-wide journal attribute
157/225/611   System Value or Service Attribute  Char(10)
                JRNRCVCNT   Changed journal recovery count value
                MAXCCHWAIT  Changed journal maximum cache wait time
                QINPIDCO    Change the current install disk configuration option with QINPIDCO API.
167/235/621   New Value                          Char(250)   The value to which the system value or service attribute was changed
417/485/871   Old Value                          Char(250)   The value of the system value or service attribute before it was changed
667/735/1121  New Value Continued                Char(250)   Continuation of the value to which the system value or service attribute was changed.
917/985/1371  Old Value Continued                Char(250)   Continuation of the value of the system value or service attribute before it was changed.
-/-/1621      New Value Continued Extension      Char(1000)  Second continuation of the value to which the system value or service attribute was changed.
-/-/2621      Old Value Continued Extension      Char(1000)  Second continuation of the value of the system value or service attribute before it was changed.

VA (Change of Access Control List) journal entries

This table provides the format of the VA (Change of Access Control List) journal entries.

Table 219. VA (Change of Access Control List) journal entries. QASYVAJE/J4/J5 Field Description File

Offset        Field              Format      Description
JE/J4/J5
1/1/1         (heading fields)               Heading fields common to all entry types. See "Standard heading fields for audit journal entries QJORDJE5 Record Format (*TYPE5)" on page 562, "Standard heading fields for audit journal entries QJORDJE4 Record Format (*TYPE4)" on page 563, and "Standard heading fields for audit journal entries QJORDJE2 Record Format (*TYPE2)" on page 565 for the field listing.
156/224/610   Status             Char(1)     Status of request:
                S  Successful
                F  Failed
157/225/611   Server Name        Char(10)    The name of the network server description that registered the event.
167/235/621   Server Date        Char(6)     The date on which the event was logged on the network server.
173/241/627   Server Time        Zoned(6,0)  The time when the event was logged on the network server.
179/247/633   Computer Name      Char(8)     The name of the computer issuing the request to change the access control list.
187/255/641   Requester Name     Char(10)    The name of the user issuing the request.
197/265/651   Action Performed   Char(1)     The action performed on the access control profile:
                A  Addition
                C  Modification
                D  Deletion
198/266/652   Resource Name      Char(260)   The name of the resource to be changed.

VC (Connection Start and End) journal entries

This table provides the format of the VC (Connection Start and End) journal entries.

Table 220. VC (Connection Start and End) journal entries. QASYVCJE/J4/J5 Field Description File

Offset        Field              Format      Description
JE/J4/J5
1/1/1         (heading fields)               Heading fields common to all entry types. See "Standard heading fields for audit journal entries QJORDJE5 Record Format (*TYPE5)" on page 562, "Standard heading fields for audit journal entries QJORDJE4 Record Format (*TYPE4)" on page 563, and "Standard heading fields for audit journal entries QJORDJE2 Record Format (*TYPE2)" on page 565 for the field listing.
156/224/610   Connect Action     Char(1)     The connection action that occurred:
                S  Start
                E  End
                R  Reject
157/225/611   Server Name        Char(10)    The name of the network server description that registered the event.
167/235/621   Server Date        Char(6)     The date on which the event was logged on the network server.
173/241/627   Server Time        Zoned(6,0)  The time when the event was logged on the network server.
179/247/633   Computer Name      Char(8)     The name of the computer associated with the connection request.
187/255/641   Connection User    Char(10)    The name of the user associated with the connection request.
197/265/651   Connect ID         Char(5)     The start or stop connection ID.
202/270/656   Rejection Reason   Char(1)     The reason why the connection was rejected:
                A  Automatic disconnect (timeout), share removed, or administrative permissions lacking
                E  Error, session disconnect, or incorrect password
                N  Normal disconnection or user name limit
                P  No access permission to shared resource
203/271/657   Network Name       Char(12)    The network name associated with the connection.

VF (Close of Server Files) journal entries

This table provides the format of the VF (Close of Server Files) journal entries.

Table 221. VF (Close of Server Files) journal entries. QASYVFJE/J4/J5 Field Description File

Offset        Field              Format      Description
JE/J4/J5
1/1/1         (heading fields)               Heading fields common to all entry types. See "Standard heading fields for audit journal entries QJORDJE5 Record Format (*TYPE5)" on page 562, "Standard heading fields for audit journal entries QJORDJE4 Record Format (*TYPE4)" on page 563, and "Standard heading fields for audit journal entries QJORDJE2 Record Format (*TYPE2)" on page 565 for the field listing.
156/224/610   Close Reason       Char(1)     The reason why the file was closed:
                A  Administrative disconnection
                N  Normal client disconnection
                S  Session disconnection
157/225/611   Server Name        Char(10)    The name of the network server description that registered the event.
167/235/621   Server Date        Char(6)     The date on which the event was logged on the network server.
173/241/627   Server Time        Zoned(6,0)  The time when the event was logged on the network server.
179/247/633   Computer Name      Char(8)     The name of the computer requesting the close.
187/255/641   Connection User    Char(10)    The name of the user requesting the close.
197/265/651   File ID            Char(5)     The ID of the file being closed.
202/270/656   Duration           Char(6)     The number of seconds the file was open.
208/276/662   Resource Name      Char(260)   The name of the resource owning the accessed file.

VL (Account Limit Exceeded) journal entries

This table provides the format of the VL (Account Limit Exceeded) journal entries.

Table 222. VL (Account Limit Exceeded) journal entries. QASYVLJE/J4/J5 Field Description File

Offset        Field              Format      Description
JE/J4/J5
1/1/1         (heading fields)               Heading fields common to all entry types. See "Standard heading fields for audit journal entries QJORDJE5 Record Format (*TYPE5)" on page 562, "Standard heading fields for audit journal entries QJORDJE4 Record Format (*TYPE4)" on page 563, and "Standard heading fields for audit journal entries QJORDJE2 Record Format (*TYPE2)" on page 565 for the field listing.
156/224/610   Reason             Char(1)     The reason why the limit was exceeded:
                A  Account expired
                D  Account disabled
                L  Logon hours exceeded
                U  Unknown or unavailable
                W  Workstation not valid
157/225/611   Server Name        Char(10)    The name of the network server description that registered the event.
167/235/621   Server Date        Char(6)     The date on which the event was logged on the network server.
173/241/627   Server Time        Zoned(6,0)  The time when the event was logged on the network server.
179/247/633   Computer Name      Char(8)     The name of the computer with the account limit violation.
187/255/641   User               Char(10)    The name of the user with the account limit violation.
197/265/651   Resource Name      Char(260)   The name of the resource being used.

VN (Network Log On and Off) journal entries

This table provides the format of the VN (Network Log On and Off) journal entries.

Table 223. VN (Network Log On and Off) journal entries. QASYVNJE/J4/J5 Field Description File

Offset        Field              Format      Description
JE/J4/J5
1/1/1         (heading fields)               Heading fields common to all entry types. See "Standard heading fields for audit journal entries QJORDJE5 Record Format (*TYPE5)" on page 562, "Standard heading fields for audit journal entries QJORDJE4 Record Format (*TYPE4)" on page 563, and "Standard heading fields for audit journal entries QJORDJE2 Record Format (*TYPE2)" on page 565 for the field listing.
156/224/610   Log Type           Char(1)     The type of event that occurred:
                F  Logoff requested
                O  Logon requested
                R  Logon rejected
157/225/611   Server Name        Char(10)    The name of the network server description that registered the event.
167/235/621   Server Date        Char(6)     The date on which the event was logged on the network server.
173/241/627   Server Time        Zoned(6,0)  The time when the event was logged on the network server.
179/247/633   Computer Name      Char(8)     The name of the computer for the event.
187/255/641   User               Char(10)    The user who logged on or off.
197/265/651   User Privilege     Char(1)     Privilege of user logging on:
                A  Administrator
                G  Guest
                U  User
198/266/652   Reject Reason      Char(1)     The reason why the log on attempt was rejected:
                A  Access denied
                F  Forced off due to logon limit
                P  Incorrect password
199/267/653   Additional Reason  Char(1)     Details of why access was denied:
                A  Account expired
                D  Account disabled
                L  Logon hours not valid
                R  Requester ID not valid
                U  Unknown or unavailable
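The following Python is an added example and is not part of this reference or of IBM's code. It parses *TYPE5 VN records at the J5 offsets in Table 223 and reports password guessing against the network server: every (computer, user) pair with at least a threshold of "Logon rejected" entries whose Reject Reason is P (incorrect password). Additional Reason is taken only when the Reject Reason is A, since the table describes it as the detail of an access denial. Assumptions: the records, server name and date are constructed; the receiver is in CCSID 37 (cp037); Server Time, a Zoned(6,0) field, is treated as HHMMSS for display; the threshold of three is arbitrary.

```python
# Added example, not from the IBM i Security Reference: detect password
# guessing from J5 (*TYPE5) VN records at the offsets in Table 223.
# Records are constructed; the threshold is an assumption.

from collections import Counter

EBCDIC = "cp037"  # assumption: the journal receiver uses CCSID 37

LOG_TYPES = {"F": "Logoff requested", "O": "Logon requested",
             "R": "Logon rejected"}
PRIVILEGES = {"A": "Administrator", "G": "Guest", "U": "User"}
REJECT_REASONS = {"A": "Access denied", "F": "Forced off due to logon limit",
                  "P": "Incorrect password"}
ADDITIONAL = {"A": "Account expired", "D": "Account disabled",
              "L": "Logon hours not valid", "R": "Requester ID not valid",
              "U": "Unknown or unavailable"}


def char(rec, off, length):
    return rec[off - 1:off - 1 + length].decode(EBCDIC).rstrip()


def zoned(rec, off, digits):
    """Zoned(digits,0): one EBCDIC digit per byte, value in the low nibble."""
    return int("".join(str(b & 0x0F) for b in rec[off - 1:off - 1 + digits]))


def parse_vn_j5(rec):
    log_type = char(rec, 610, 1)
    f = {
        "log_type": LOG_TYPES.get(log_type, log_type),
        "server": char(rec, 611, 10),
        "date": char(rec, 621, 6),
        "time": "%06d" % zoned(rec, 627, 6),   # assumption: HHMMSS
        "computer": char(rec, 633, 8),
        "user": char(rec, 641, 10),
        "privilege": PRIVILEGES.get(char(rec, 651, 1), ""),
    }
    if log_type == "R":
        reason = char(rec, 652, 1)
        f["reject_reason"] = REJECT_REASONS.get(reason, reason)
        # Additional Reason only qualifies an "Access denied" rejection.
        if reason == "A":
            f["additional_reason"] = ADDITIONAL.get(char(rec, 653, 1), "")
    return f


def password_guessing(records, threshold=3):
    """(computer, user, count) for each pair with >= threshold rejected
    logons for an incorrect password within the batch."""
    counts = Counter()
    for rec in records:
        f = parse_vn_j5(rec)
        if f.get("reject_reason") == "Incorrect password":
            counts[(f["computer"], f["user"])] += 1
    return sorted((c, u, n) for (c, u), n in counts.items() if n >= threshold)


def make_record(length, fields):
    buf = bytearray(b"\x40" * length)
    for off, data in fields:
        buf[off - 1:off - 1 + len(data)] = data
    return bytes(buf)


def e(s):
    return s.encode(EBCDIC)


def vn(log_type, computer, user, time, reject="", additional=""):
    """Constructed VN record; server name and date are made up."""
    return make_record(660, [
        (610, e(log_type)), (611, e("QNETSRV")), (621, e("101231")),
        (627, e(time)), (633, e(computer)), (641, e(user)),
        (651, e("U")), (652, e(reject)), (653, e(additional))])


SAMPLES = [
    vn("R", "PC1", "BOB", "081500", "P"),
    vn("R", "PC1", "BOB", "081503", "P"),
    vn("R", "PC1", "BOB", "081507", "P"),
    vn("R", "PC2", "CAROL", "081610", "A", "D"),
    vn("O", "PC3", "ALICE", "081700"),
]

if __name__ == "__main__":
    print(password_guessing(SAMPLES))
```

A VL entry (Table 222) for the same user would explain a rejected logon whose Reject Reason is A, so in practice the two entry types are read together; the counting above is deliberately limited to the P rejections, which are the ones that indicate guessing rather than a policy block.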

VO (Validation List) journal entries

This table provides the format of the VO (Validation List) journal entries.

Table 224. VO (Validation List) journal entries. QASYVOJ4/J5 Field Description File

Offset        Field                                   Format       Description
JE/J4/J5
-/1/1         (heading fields)                                     Heading fields common to all entry types. See "Standard heading fields for audit journal entries QJORDJE5 Record Format (*TYPE5)" on page 562 and "Standard heading fields for audit journal entries QJORDJE4 Record Format (*TYPE4)" on page 563 for the field listing.
-/224/610     Entry Type                              Char(1)      The type of entry:
                A  Add validation list entry
                C  Change validation list entry
                F  Find validation list entry
                R  Remove validation list entry
                U  Unsuccessful verify of a validation list entry
                V  Successful verify of a validation list entry
-/225/611     Unsuccessful Type                       Char(1)      Type of unsuccessful verify:
                E  Encrypted data is incorrect
                I  Entry ID was not found
                V  Validation list was not found
-/226/612     Validation List                         Char(10)     The name of the validation list.
-/236/622     Library Name                            Char(10)     The name of the library that the validation list is in.
-/246/632     Encrypted Data                          Char(1)      Data value to be encrypted:
                Y  Data to be encrypted was specified on the request.
                N  Data to be encrypted was not specified on the request.
-/247/633     Entry Data                              Char(1)      Entry data value:
                Y  Entry data was specified on the request.
                N  Entry data was not specified on the request.
-/248/634     Entry ID Length                         Binary(4)    The length of the entry ID.
-/250/636     Data length                             Binary(4)    The length of the entry data.
-/252/638     Encrypted Data Attribute                Char(1)      Encrypted data:
                ''  An encrypted data attribute was not specified.
                0   The data to be encrypted can only be used to verify an entry. This is the default.
                1   The data to be encrypted can be used to verify an entry and the data can be returned on a find operation.
-/253/639     X.509 Certificate attribute             Char(1)      X.509 Certificate.
-/254/640     (Reserved Area)                         Char(28)
-/282/668     Entry ID                                Byte(100)    The entry ID.
-/382/768     Entry Data                              Byte(1000)   The entry data.
-/-/1768      ASP name for validation list library    Char(10)     ASP name for validation list library
-/-/1778      ASP number for validation list library  Char(5)      ASP number for validation list library

VP (Network Password Error) journal entries

This table provides the format of the VP (Network Password Error) journal entries.

Table 225. VP (Network Password Error) journal entries. QASYVPJE/J4/J5 Field Description File

Offset        Field              Format      Description
JE/J4/J5
1/1/1         (heading fields)               Heading fields common to all entry types. See "Standard heading fields for audit journal entries QJORDJE5 Record Format (*TYPE5)" on page 562, "Standard heading fields for audit journal entries QJORDJE4 Record Format (*TYPE4)" on page 563, and "Standard heading fields for audit journal entries QJORDJE2 Record Format (*TYPE2)" on page 565 for the field listing.
156/224/610   Error Type         Char(1)     The type of error that occurred:
                P  Password error
157/225/611   Server Name        Char(10)    The name of the network server description that registered the event.
167/235/621   Server Date        Char(6)     The date on which the event was logged on the network server.
173/241/627   Server Time        Zoned(6,0)  The time when the event was logged on the network server.
179/247/633   Computer Name      Char(8)     The name of the computer initiating the request.
187/255/641   User               Char(10)    The name of the user who attempted to log on.

VR (Network Resource Access) journal entries

This table provides the format of the VR (Network Resource Access) journal entries.

Table 226. VR (Network Resource Access) journal entries. QASYVRJE/J4/J5 Field Description File

Offset        Field              Format      Description
JE/J4/J5
1/1/1         (heading fields)               Heading fields common to all entry types. See "Standard heading fields for audit journal entries QJORDJE5 Record Format (*TYPE5)" on page 562, "Standard heading fields for audit journal entries QJORDJE4 Record Format (*TYPE4)" on page 563, and "Standard heading fields for audit journal entries QJORDJE2 Record Format (*TYPE2)" on page 565 for the field listing.
156/224/610   Status             Char(1)     The status of the access:
                F  Resource access failed
                S  Resource access succeeded
157/225/611   Server Name        Char(10)    The name of the network server description that registered the event.
167/235/621   Server Date        Char(6)     The date on which the event was logged on the network server.
173/241/627   Server Time        Zoned(6,0)  The time when the event was logged on the network server.
179/247/633   Computer Name      Char(8)     The name of the computer requesting the resource.
187/255/641   User               Char(10)    The name of the user requesting the resource.
197/265/651   Operation Type     Char(1)     The type of operation being performed:
                A  Resource attributes modified
                C  Instance of the resource created
                D  Resource deleted
                P  Resource permissions modified
                R  Data read or run from a resource
                W  Data written to resource
                X  Resource was run
198/266/652   Return Code        Char(4)     The return code received if resource access is granted.
202/270/656   Server Message     Char(4)     The message code sent when access is granted.
206/274/660   File ID            Char(5)     The ID of the file being accessed.
211/279/665   Resource Name      Char(260)   Name of the resource being used.

VS (Server Session) journal entries

This table provides the format of the VS (Server Session) journal entries.

Table 227. VS (Server Session) journal entries. QASYVSJE/J4/J5 Field Description File

Offset        Field              Format      Description
JE/J4/J5
1/1/1         (heading fields)               Heading fields common to all entry types. See "Standard heading fields for audit journal entries QJORDJE5 Record Format (*TYPE5)" on page 562, "Standard heading fields for audit journal entries QJORDJE4 Record Format (*TYPE4)" on page 563, and "Standard heading fields for audit journal entries QJORDJE2 Record Format (*TYPE2)" on page 565 for the field listing.
156/224/610   Session Action     Char(1)     The session action that occurred:
                E  End session
                S  Start session
157/225/611   Server Name        Char(10)    The name of the network server description that registered the event.
167/235/621   Server Date        Char(6)     The date the event was logged on the network server.
173/241/627   Server Time        Zoned(6,0)  The time the event was logged on the network server.
179/247/633   Computer Name      Char(8)     The name of the computer requesting the session.
187/255/641   User               Char(10)    The name of the user requesting the session.
197/265/651   User Privilege     Char(1)     The privilege level of the user for session start:
                A  Administrator
                G  Guest
                U  User
198/266/652   Reason Code        Char(1)     The reason code for ending the session:
                A  Administrator disconnect
                D  Automatic disconnect (timeout), share removed, or administrative permissions lacking
                E  Error, session disconnect, or incorrect password
                N  Normal disconnection or user name limit
                R  Account restriction

VU (Network Profile Change) journal entries

This table provides the format of the VU (Network Profile Change) journal entries.

Table 228. VU (Network Profile Change) journal entries. QASYVUJE/J4/J5 Field Description File

Offset        Field              Format      Description
JE/J4/J5
1/1/1         (heading fields)               Heading fields common to all entry types. See "Standard heading fields for audit journal entries QJORDJE5 Record Format (*TYPE5)" on page 562, "Standard heading fields for audit journal entries QJORDJE4 Record Format (*TYPE4)" on page 563, and "Standard heading fields for audit journal entries QJORDJE2 Record Format (*TYPE2)" on page 565 for the field listing.
156/224/610   Type               Char(1)     The type of record that was changed:
                G  Group record
                U  User record
                M  User profile global information
157/225/611   Server Name        Char(10)    The name of the network server description that registered the event.
167/235/621   Server Date        Char(6)     The date on which the event was logged on the network server.
173/241/627   Server Time        Zoned(6,0)  The time when the event was logged on the network server.
179/247/633   Computer Name      Char(8)     The name of the computer requesting the user profile change.
187/255/641   User               Char(10)    The name of the user requesting the user profile change.
197/265/651   Action             Char(1)     Action requested:
                A  Addition
                C  Change
                D  Deletion
                P  Incorrect password
198/266/652   Resource Name      Char(260)   Name of the resource.

VV (Service Status Change) journal entries

This table provides the format of the VV (Service Status Change) journal entries.

Table 229. VV (Service Status Change) journal entries. QASYVVJE/J4/J5 Field Description File

Offset        Field              Format      Description
JE/J4/J5
1/1/1         (heading fields)               Heading fields common to all entry types. See "Standard heading fields for audit journal entries QJORDJE5 Record Format (*TYPE5)" on page 562, "Standard heading fields for audit journal entries QJORDJE4 Record Format (*TYPE4)" on page 563, and "Standard heading fields for audit journal entries QJORDJE2 Record Format (*TYPE2)" on page 565 for the field listing.
156/224/610   Entry Type         Char(1)     The type of entry:
                C  Service status changed
                E  Server stopped
                P  Server paused
                R  Server restarted
                S  Server started
157/225/611   Server Name        Char(10)    The name of the network server description that registered the event.
167/235/621   Server Date        Char(6)     The date on which the event was logged on the network server.
173/241/627   Server Time        Zoned(6,0)  The time when the event was logged on the network server.
179/247/633   Computer Name      Char(8)     The name of the computer requesting the change.
187/255/641   User               Char(10)    The name of the user requesting the change.
197/265/651   Status             Char(1)     Status of the service request:
                A  Service active
                B  Start service pending
                C  Continue paused service
                E  Stop pending for service
                H  Service pausing
                I  Service paused
                S  Service stopped
198/266/652   Service Code       Char(8)     The code of the service requested.
206/274/660   Text Set           Char(80)    The text being set by the service request.
286/354/740   Return Value       Char(4)     The return value from the change operation.
290/358/744   Service            Char(20)    The service that was changed.

X0 (Network Authentication) journal entries


This table provides the format of the X0 (Network Authentication) journal entries.
Table 230. X0 (Network Authentication) journal entries. QASYX0JE/J4/J5 Field Description File Offset JE 1 J4 1 J5 1 Field Format Description Heading fields common to all entry types. See Standard heading fields for audit journal entries QJORDJE5 Record Format (*TYPE5) on page 562,Standard heading fields for audit journal entries QJORDJE4 Record Format (*TYPE4) on page 563, and Standard heading fields for audit journal entries QJORDJE2 Record Format (*TYPE2) on page 565 for field listing.

Appendix F. Layout of audit journal entries

689

Table 230. X0 (Network Authentication) journal entries (continued). QASYX0JE/J4/J5 Field Description File

JE  | J4  | J5  | Field | Format | Description
156 | 224 | 610 | Entry Type | Char(1) | The type of entry:
    |     |     |            |         |   1  Service ticket valid
    |     |     |            |         |   2  Service principals do not match
    |     |     |            |         |   3  Client principals do not match
    |     |     |            |         |   4  Ticket IP address mismatch
    |     |     |            |         |   5  Decryption of the ticket failed
    |     |     |            |         |   6  Decryption of authenticator failed
    |     |     |            |         |   7  Realm is not within client local realms
    |     |     |            |         |   8  Ticket is a replay attempt
    |     |     |            |         |   9  Ticket not yet valid
    |     |     |            |         |   A  Decrypt of KRB_AP_PRIV or KRB_AP_SAFE checksum error
    |     |     |            |         |   B  Remote IP address mismatch
    |     |     |            |         |   C  Local IP address mismatch
    |     |     |            |         |   D  KRB_AP_PRIV or KRB_AP_SAFE timestamp error
    |     |     |            |         |   E  KRB_AP_PRIV or KRB_AP_SAFE replay error
    |     |     |            |         |   F  KRB_AP_PRIV or KRB_AP_SAFE sequence order error
    |     |     |            |         |   K  GSS accept expired credential
    |     |     |            |         |   L  GSS accept checksum error
    |     |     |            |         |   M  GSS accept channel bindings
    |     |     |            |         |   N  GSS unwrap or GSS verify expired context
    |     |     |            |         |   O  GSS unwrap or GSS verify decrypt/decode
    |     |     |            |         |   P  GSS unwrap or GSS verify checksum error
    |     |     |            |         |   Q  GSS unwrap or GSS verify sequence error
    | 225 | 611 | Status Code         | Char(8)   | The status of the request
    | 233 | 619 | GSS Status Value    | Char(8)   | GSS status value
    | 241 | 627 | Remote IP Address   | Char(21)  | Remote IP address
    | 262 | 648 | Local IP Address    | Char(21)  | Local IP address
    | 283 | 669 | Encrypted Addresses | Char(256) | Encrypted IP addresses

(The JE column is blank for fields that do not exist in the *TYPE2 format.)
IBM i: Security Security reference

Table 230. X0 (Network Authentication) journal entries (continued). QASYX0JE/J4/J5 Field Description File

JE | J4   | J5   | Field | Format | Description
   | 539  | 925  | Encrypted Addresses Indicator | Char(1) | Encrypted IP addresses indicator:
   |      |      |                               |         |   Y  all addresses included
   |      |      |                               |         |   N  not all addresses included
   |      |      |                               |         |   X  not provided
   | 540  | 926  | Ticket Flags                  | Char(8) | Ticket flags
   | 548  | 934  | Ticket Authentication Time    | Char(8) | Ticket authentication time
   | 556  | 942  | Ticket Start Time             | Char(8) | Ticket start time
   | 564  | 950  | Ticket End Time               | Char(8) | Ticket end time
   | 572  | 958  | Ticket Renew Time             | Char(8) | Ticket renew until time
   | 580  | 966  | Message Time Stamp            | Char(8) | X0E time stamp
   | 588  | 974  | GSS Expiration Time Stamp     | Char(8) | GSS credential expiration time stamp or context expiration time stamp
   | 596  | 982  | Server Principal CCSID        | Binary(5) | Server principal (from ticket) CCSID
   | 600  | 986  | Server Principal Length       | Binary(4) | Server principal (from ticket) length
   | 602  | 988  | Server Principal Indicator    | Char(1)   | Server principal (from ticket) indicator:
   |      |      |                               |           |   Y  server principal complete
   |      |      |                               |           |   N  server principal not complete
   |      |      |                               |           |   X  not provided
   | 603  | 989  | Server Principal              | Char(512) | Server principal (from ticket)
   | 1115 | 1501 | Server Principal Parameter CCSID     | Binary(5) | Server principal (from ticket) parameter CCSID
   | 1119 | 1505 | Server Principal Parameter Length    | Binary(4) | Server principal (from ticket) parameter length
   | 1121 | 1507 | Server Principal Parameter Indicator | Char(1)   | Server principal (from ticket) parameter indicator:
   |      |      |                                      |           |   Y  server principal complete
   |      |      |                                      |           |   N  server principal not complete
   |      |      |                                      |           |   X  not provided
   | 1122 | 1508 | Server Principal Parameter    | Char(512) | Server principal parameter that the ticket must match
   | 1634 | 2020 | Client Principal CCSID        | Binary(5) | Client principal (from authenticator) CCSID
   | 1638 | 2024 | Client Principal Length       | Binary(4) | Client principal (from authenticator) length
   | 1640 | 2026 | Client Principal Indicator    | Char(1)   | Client principal (from authenticator) indicator:
   |      |      |                               |           |   Y  client principal complete
   |      |      |                               |           |   N  client principal not complete
   |      |      |                               |           |   X  not provided
   | 1641 | 2027 | Client Principal              | Char(512) | Client principal from authenticator
   | 2153 | 2539 | Client Principal CCSID        | Binary(5) | Client principal (from ticket) CCSID
   | 2157 | 2543 | Client Principal Length       | Binary(4) | Client principal (from ticket) length
   | 2159 | 2545 | Client Principal Indicator    | Char(1)   | Client principal (from ticket) indicator:
   |      |      |                               |           |   Y  client principal complete
   |      |      |                               |           |   N  client principal not complete
   |      |      |                               |           |   X  not provided
   | 2160 | 2546 | Client Principal              | Char(512) | Client principal from ticket
   | 2672 | 3058 | GSS Server Principal CCSID    | Binary(5) | Server principal (from GSS credential) CCSID
   | 2676 | 3062 | GSS Server Principal Length   | Binary(4) | Server principal (from GSS credential) length
   | 2678 | 3064 | GSS Server Principal Indicator | Char(1)  | Server principal (from GSS credential) indicator:
   |      |      |                               |           |   Y  server principal complete
   |      |      |                               |           |   N  server principal not complete
   |      |      |                               |           |   X  not provided
   | 2679 | 3065 | GSS Server Principal          | Char(512) | Server principal from GSS credential
   | 3191 | 3577 | GSS Local Principal CCSID     | Binary(5) | GSS local principal name CCSID
   | 3195 | 3581 | GSS Local Principal Length    | Binary(4) | GSS local principal name length
   | 3197 | 3583 | GSS Local Principal Indicator | Char(1)   | GSS local principal name indicator:
   |      |      |                               |           |   Y  local principal complete
   |      |      |                               |           |   N  local principal not complete
   |      |      |                               |           |   X  not provided
   | 3198 | 3584 | GSS Local Principal           | Char(512) | GSS local principal
   | 3710 | 4096 | GSS Remote Principal CCSID    | Binary(5) | GSS remote principal name CCSID
   | 3714 | 4100 | GSS Remote Principal Length   | Binary(4) | GSS remote principal name length
   | 3716 | 4102 | GSS Remote Principal Indicator | Char(1)  | GSS remote principal name indicator:
   |      |      |                               |           |   Y  remote principal complete
   |      |      |                               |           |   N  remote principal not complete
   |      |      |                               |           |   X  not provided
   | 3717 | 4103 | GSS Remote Principal          | Char(512) | GSS remote principal

X1 (Identity Token) journal entries

This table provides the format of the X1 (Identity Token) journal entries. This entry type exists only in the *TYPE5 format (QASYX1J5), so only J5 offsets are listed.

Table 231. X1 (Identity Token) journal entries. QASYX1J5 Field Description File

J5   | Field | Format | Description
1    | | | Heading fields common to all entry types. See Standard heading fields for audit journal entries QJORDJE5 Record Format (*TYPE5) on page 562, Standard heading fields for audit journal entries QJORDJE4 Record Format (*TYPE4) on page 563, and Standard heading fields for audit journal entries QJORDJE2 Record Format (*TYPE2) on page 565 for the field listing.
610  | Entry Type  | Char(1)   | The type of entry:
     |             |           |   D  Delegate of identity token was successful
     |             |           |   F  Delegate of identity token failed
     |             |           |   G  Get user from identity token was successful
     |             |           |   U  Get user from identity token failed
611  | Reason Code | Binary(5) | Reason code for a failed request:
     |             |           |   9   Token length mismatch
     |             |           |   10  EIM identifier mismatch
     |             |           |   11  Application instance ID mismatch
     |             |           |   12  Token signature not valid
     |             |           |   13  Identity token not valid
     |             |           |   14  Target user not found
     |             |           |   16  Key handle not valid
     |             |           |   17  Token version not supported
     |             |           |   18  Public key not found
     |             |           | Note: On a failure, only the information that has been validated up to the point of failure is filled in the text fields.
615  | Reserved        | Char(7)   | Reserved
622  | Data CCSID      | Binary(5) | The CCSID of the data in the text fields
626  | Receiver Length | Binary(5) | The length of the data in the receiver field.
630  | Receiver        | Char(508) | The receiver of the identity token that either failed the request or was successful. The data in this field is in the format: <EIMID>receiver_eimID</EIMID> <APPID>receiver_appID</APPID> <TIMESTAMP>receiver_timestamp</TIMESTAMP>. The timestamp is included only on delegate requests.
1138 | Sender Length   | Binary(5) | The length of the data in the sender field.
1142 | Sender          | Char(508) | The last sender of the identity token that either failed the request or was successful. The data in this field is in the format: <EIMID>sender_eimID</EIMID> <APPID>sender_appID</APPID> <TIMESTAMP>sender_timestamp</TIMESTAMP>
1650 | Initiator Length | Binary(5) | The length of the data in the initiator field.
1654 | Initiator       | Char(508) | The initiator of the identity token request. If the sender and initiator are the same, the initiator length field is 0. The data in this field is in the format: <EIMID>initiator_eimID</EIMID> <APPID>initiator_appID</APPID> <TIMESTAMP>initiator_timestamp</TIMESTAMP>
2162 | Chain Length    | Binary(5) | The length of the data in the chain field.
2166 | Chain           | Char(2036) | The chain of senders between the initiator and the last sender, in order from latest to earliest. If there are no other senders, the chain length field is 0. This field is truncated if the chain is longer than the length of this field. The data in this field is in the format: <SNDRz><EIMID>sndrz_eimID</EIMID> <APPID>sndrz_appID</APPID> <TIMESTAMP>sndrz_timestamp</TIMESTAMP></SNDRz> <SNDRy>...</SNDRy>...
4202 | Chain Entries   | Binary(5) | The number of entries in the chain field.
4206 | Chain Entries Available | Binary(5) | The number of available entries for the chain of senders. This number can be greater than the number of entries in the chain field if the chain field is truncated.
4210 | Source Registry Length | Binary(5) | The length of the data in the source registry field.
4214 | Source Registry | Char(508) | The source registry specified in the identity token.
4722 | Source Registry User Length | Binary(5) | The length of the data in the source registry user field.
4726 | Source Registry User | Char(508) | The source registry user specified in the identity token.
5234 | Target Registry Length | Binary(5) | The length of the data in the target registry field.
5238 | Target Registry | Char(508) | The target registry specified.
5746 | Target Registry User Length | Binary(5) | The length of the data in the target registry user field.
5750 | Target Registry User | Char(508) | The target registry user to which the identity token maps.
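The Receiver, Sender, Initiator and Chain fields above are tagged text rather than fixed columns, and the Chain field is the one place in the audit journal where the full delegation path of an identity token is recorded, latest hop first and possibly truncated. The following is an added example, not code from the IBM i Security Reference or from IBM: it parses those tagged values, rebuilds the path from initiator to receiver, uses the Chain Entries and Chain Entries Available counters to detect truncation, and flags hops through applications that are not on an expected list. The field values, EIM identifiers and application IDs in the sample are constructed.

```python
"""Parse the tagged party fields of an X1 (Identity Token) audit entry.

Added example; not code from the IBM i Security Reference. The Receiver,
Sender, Initiator and Chain fields of Table 231 carry <EIMID>, <APPID> and
<TIMESTAMP> tags; the Chain field wraps each earlier sender in
<SNDRz>...</SNDRz>, latest first, and is truncated past Char(2036).
All sample values below are constructed.
"""
import re

HOP_RE = re.compile(r"<SNDR(\w+)>(.*?)</SNDR\1>", re.S)
TAG_RE = re.compile(r"<(EIMID|APPID|TIMESTAMP)>\s*(.*?)\s*</\1>", re.S)


def parse_party(text: str) -> dict:
    """One Receiver/Sender/Initiator value -> {'EIMID': .., 'APPID': .., 'TIMESTAMP': ..}."""
    return dict(TAG_RE.findall(text))


def parse_chain(chain: str, entries: int, available: int) -> dict:
    """Hops in chronological order plus a truncation flag derived from the
    Chain Entries and Chain Entries Available counters of the entry."""
    hops = [parse_party(body) for _, body in HOP_RE.findall(chain)]
    return {"hops": list(reversed(hops)),          # journal order is latest first
            "truncated": available > entries,
            "missing_hops": max(available - entries, 0)}


def parties(entry: dict) -> list:
    """All parties from initiator to receiver. An empty Initiator field means
    the initiator is the sender (Initiator Length is 0 in the record)."""
    chain = parse_chain(entry["chain"], entry["chain_entries"],
                        entry["chain_entries_available"])
    head = [parse_party(entry["initiator"])] if entry["initiator"] else []
    return head + chain["hops"] + [parse_party(entry["sender"]),
                                   parse_party(entry["receiver"])]


def delegation_path(entry: dict) -> list:
    """EIM identifiers along the delegation path, initiator first."""
    return [p["EIMID"] for p in parties(entry)]


def unexpected_hops(entry: dict, allowed_appids: set) -> list:
    """Application IDs on the path that are not in the expected set; a token
    passing through an unknown application is what an analyst should look at."""
    return sorted({p["APPID"] for p in parties(entry)} - set(allowed_appids))


# Constructed X1 delegate entry (type D); Chain Entries 2 of 3 available,
# so one hop was lost to truncation of the Char(2036) field.
SAMPLE_DELEGATE = {
    "initiator": "<EIMID>alice</EIMID><APPID>WEBPORTAL</APPID>"
                 "<TIMESTAMP>20100301120000</TIMESTAMP>",
    "chain": "<SNDRz><EIMID>svc-b</EIMID> <APPID>MIDTIER</APPID> "
             "<TIMESTAMP>20100301120002 </TIMESTAMP> </SNDRz> "
             "<SNDRy><EIMID>svc-a</EIMID><APPID>GATEWAY</APPID>"
             "<TIMESTAMP>20100301120001</TIMESTAMP></SNDRy>",
    "chain_entries": 2,
    "chain_entries_available": 3,
    "sender": "<EIMID>svc-c</EIMID><APPID>APPSRV</APPID>"
              "<TIMESTAMP>20100301120003</TIMESTAMP>",
    "receiver": "<EIMID>db-host</EIMID><APPID>DBSRV</APPID>"
                "<TIMESTAMP>20100301120004</TIMESTAMP>",
}

if __name__ == "__main__":
    print(delegation_path(SAMPLE_DELEGATE))
    print(parse_chain(SAMPLE_DELEGATE["chain"], 2, 3))
    print(unexpected_hops(SAMPLE_DELEGATE, {"WEBPORTAL", "GATEWAY", "APPSRV", "DBSRV"}))
```

When the Chain field is truncated the reconstructed path is incomplete by design; the missing_hops count tells you how many senders were dropped, which is itself worth alerting on because a delegation chain that long is unusual.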

XD (Directory Server Extension) journal entries

This table provides the format of the XD (Directory Server Extension) journal entries. This entry type exists only in the *TYPE5 format (QASYXDJ5), so only J5 offsets are listed.

Table 232. XD (Directory Server Extension) journal entries. QASYXDJ5 Field Description File

J5   | Field | Format | Description
1    | | | Heading fields common to all entry types. See Standard heading fields for audit journal entries QJORDJE5 Record Format (*TYPE5) on page 562, Standard heading fields for audit journal entries QJORDJE4 Record Format (*TYPE4) on page 563, and Standard heading fields for audit journal entries QJORDJE2 Record Format (*TYPE2) on page 565 for the field listing.
610  | Entry Type      | Char(1)    | The type of entry: G  Group names. Field 1 through Field 5 contain group names.
611  | Cross Reference | Char(36)   | Cross reference string used to correlate this entry with the DI entry using these groups. More than one DI entry can refer to this XD entry if multiple LDAP requests use the same set of groups.
647  | Reserved        | Char(100)  | Reserved
747  | Field 1 CCSID   | Bin(5)     | The CCSID value for field 1.
751  | Field 1 Length  | Bin(4)     | The length of the data in field 1.
753  | Field 1         | Char(2002) | Field 1 data. For entry type G, this field contains a group name from a group membership assertion.
2755 | Field 2 CCSID   | Bin(5)     | The CCSID value for field 2.
2759 | Field 2 Length  | Bin(4)     | The length of the data in field 2.
2761 | Field 2         | Char(2002) | Field 2 data. For entry type G, this field contains a group name from a group membership assertion.
4763 | Field 3 CCSID   | Bin(5)     | The CCSID value for field 3.
4767 | Field 3 Length  | Bin(4)     | The length of the data in field 3.
4769 | Field 3         | Char(2002) | Field 3 data. For entry type G, this field contains a group name from a group membership assertion.
6771 | Field 4 CCSID   | Bin(5)     | The CCSID value for field 4.
6775 | Field 4 Length  | Bin(4)     | The length of the data in field 4.
6777 | Field 4         | Char(2002) | Field 4 data. For entry type G, this field contains a group name from a group membership assertion.
8779 | Field 5 CCSID   | Bin(5)     | The CCSID value for field 5.
8783 | Field 5 Length  | Bin(4)     | The length of the data in field 5.
8785 | Field 5         | Char(2002) | Field 5 data. For entry type G, this field contains a group name from a group membership assertion.

YC (Change to DLO Object) journal entries

This table provides the format of the YC (Change to DLO Object) journal entries.

Table 233. YC (Change to DLO Object) journal entries. QASYYCJE/J4/J5 Field Description File

JE  | J4  | J5  | Field | Format | Description
1   | 1   | 1   | | | Heading fields common to all entry types. See Standard heading fields for audit journal entries QJORDJE5 Record Format (*TYPE5) on page 562, Standard heading fields for audit journal entries QJORDJE4 Record Format (*TYPE4) on page 563, and Standard heading fields for audit journal entries QJORDJE2 Record Format (*TYPE2) on page 565 for the field listing.
156 | 224 | 610 | Entry Type              | Char(1)     | Object access: C  Change of a DLO object
157 | 225 | 611 | Object Name             | Char(10)    | Name of the object
167 | 235 | 621 | Library Name            | Char(10)    | Name of the library
177 | 245 | 631 | Object Type             | Char(8)     | Type of object
185 | 253 | 639 | Office User             | Char(10)    | User profile of the office user
195 | 263 | 649 | Folder or Document Name | Char(12)    | Name of the document or folder
207 | 275 | 661 | (Reserved Area)         | Char(8)     |
215 | 283 | 669 | Folder Path             | Char(63)    | The folder containing the document library object
278 | 346 | 732 | On Behalf of User       | Char(10)    | User working on behalf of another user
288 | 356 | 742 | Access Type (1)         | Packed(5,0) | Type of access

Notes:
1. See Numeric codes for access types on page 704 for a list of the codes for access types.

YR (Read of DLO Object) journal entries

This table provides the format of the YR (Read of DLO Object) journal entries.

Table 234. YR (Read of DLO Object) journal entries. QASYYRJE/J4/J5 Field Description File

JE  | J4  | J5  | Field | Format | Description
1   | 1   | 1   | | | Heading fields common to all entry types. See Standard heading fields for audit journal entries QJORDJE5 Record Format (*TYPE5) on page 562, Standard heading fields for audit journal entries QJORDJE4 Record Format (*TYPE4) on page 563, and Standard heading fields for audit journal entries QJORDJE2 Record Format (*TYPE2) on page 565 for the field listing.
156 | 224 | 610 | Entry Type              | Char(1)     | Object access: R  Read of a DLO object
157 | 225 | 611 | Object Name             | Char(10)    | Name of the object
167 | 235 | 621 | Library Name            | Char(10)    | Name of the library
177 | 245 | 631 | Object Type             | Char(8)     | Type of object
185 | 253 | 639 | Office User             | Char(10)    | User profile of the office user
195 | 263 | 649 | Folder or Document Name | Char(12)    | Name of the document library object
207 | 275 | 661 | (Reserved Area)         | Char(8)     |
215 | 283 | 669 | Folder Path             | Char(63)    | The folder containing the document library object
278 | 346 | 732 | On Behalf of User       | Char(10)    | User working on behalf of another user
288 | 356 | 742 | Access Type (1)         | Packed(5,0) | Type of access

Notes:
1. See Numeric codes for access types on page 704 for a list of the codes for access types.

ZC (Change to Object) journal entries

This table provides the format of the ZC (Change to Object) journal entries.

Table 235. ZC (Change to Object) journal entries. QASYZCJE/J4/J5 Field Description File

JE  | J4  | J5   | Field | Format | Description
1   | 1   | 1    | | | Heading fields common to all entry types. See Standard heading fields for audit journal entries QJORDJE5 Record Format (*TYPE5) on page 562, Standard heading fields for audit journal entries QJORDJE4 Record Format (*TYPE4) on page 563, and Standard heading fields for audit journal entries QJORDJE2 Record Format (*TYPE2) on page 565 for the field listing.
156 | 224 | 610  | Entry Type           | Char(1)     | Object access:
    |     |      |                      |             |   C  Change of an object
    |     |      |                      |             |   U  Upgrade of open access to an object
157 | 225 | 611  | Object Name          | Char(10)    | Name of the object
167 | 235 | 621  | Library Name         | Char(10)    | Name of the library in which the object is located
177 | 245 | 631  | Object Type          | Char(8)     | Type of object
185 | 253 | 639  | Access Type (1)      | Packed(5,0) | Type of access
188 | 256 | 642  | Access Specific Data | Char(50)    | Specific data about the access. When the object type is *IMGCLG, this field has the following layout:
    |     |      |                      |             |   Char 3   Index number of the image catalog entry. Blank indicates the operation was against an image catalog.
    |     |      |                      |             |   Char 32  Volume ID of the image catalog entry. Blank indicates the operation was against an image catalog.
    |     |      |                      |             |   Char 1   Access type for the entry: Blank  the operation was against an image catalog; R  the file containing the image catalog entry is read-only; W  the file containing the image catalog entry is read/write capable.
    |     |      |                      |             |   Char 1   Write protection for the entry: Blank  the operation was against an image catalog; Y  the file containing the image catalog entry is write protected; N  the file containing the image catalog entry is not write protected.
    |     |      |                      |             |   Char 10  The name of the virtual device. Blank indicates the operation was against an image catalog or the image catalog is not in Ready status.
    |     |      |                      |             |   Char 3   Not used.
    |     |      |                      |             | When the object type is an integrated file system object, this field contains further information identifying the change request. See the QSYSINC include file QP0LJRNL.H for the possible values.
238 |     |      | (Reserved Area)      | Char(20)    |
    | 306 | 692  | (Reserved Area)      | Char(18)    |
    | 324 | 710  | Object Name Length (2)              | Binary(4) | The length of the object name.
258 | 326 | 712  | Object Name CCSID (2)               | Binary(5) | The coded character set identifier for the object name.
262 | 330 | 716  | Object Name Country or Region ID (2) | Char(2)  | The Country or Region ID for the object name.
264 | 332 | 718  | Object Name Language ID (2)         | Char(3)   | The language ID for the object name.
267 | 335 | 721  | (Reserved area)                     | Char(3)   |
270 | 338 | 724  | Parent File ID (2,3)                | Char(16)  | The file ID of the parent directory.
286 | 354 | 740  | Object File ID (2,3)                | Char(16)  | The file ID of the object.
302 | 370 | 756  | Object Name (2)                     | Char(512) | The name of the object.
    | 882 | 1268 | Object File ID                      | Char(16)  | The file ID of the object.
    | 898 | 1284 | ASP Name (6)                        | Char(10)  | The name of the ASP device.
    | 908 | 1294 | ASP Number (6)                      | Char(5)   | The number of the ASP device.
    | 913 | 1299 | Path Name CCSID                     | Binary(5) | The coded character set identifier for the path name.
    | 917 | 1303 | Path Name Country or Region ID      | Char(2)   | The Country or Region ID for the path name.
    | 919 | 1305 | Path Name Language ID               | Char(3)   | The language ID for the path name.
    | 922 | 1308 | Path Name Length                    | Binary(4) | The length of the path name.
    | 924 | 1310 | Path Name Indicator                 | Char(1)   | Path name indicator:
    |     |      |                                     |           |   Y  The Path Name field contains the complete absolute path name for the object.
    |     |      |                                     |           |   N  The Path Name field does not contain an absolute path name for the object; instead it contains a relative path name. The Relative Directory File ID field is valid and can be used to form an absolute path name with this relative path name.
    | 925 | 1311 | Relative Directory File ID (4)      | Char(16)  | When the Path Name Indicator field is N, this field contains the file ID of the directory that contains the object identified in the Path Name field. Otherwise it contains hex zeros. (4)
    | 941 | 1327 | Path Name (5)                       | Char(5002) | The path name of the object.

Notes:
1. See Numeric codes for access types on page 704 for a list of the codes for access types.
2. These fields are used only for objects in the "root" (/), QOpenSys, and user-defined file systems.
3. An ID that has the left-most bit set and the rest of the bits zero indicates that the ID is NOT set.
4. If the Path Name Indicator field is N but the Relative Directory File ID is hex zeros, there was an error in determining the path name information.
5. This is a variable length field. The first 2 bytes contain the length of the path name.
6. If the object is in a library, this is the ASP information of the object's library. If the object is not in a library, this is the ASP information of the object.

ZR (Read of Object) journal entries

This table provides the format of the ZR (Read of Object) journal entries.

Table 236. ZR (Read of Object) journal entries. QASYZRJE/J4/J5 Field Description File

JE  | J4  | J5   | Field | Format | Description
1   | 1   | 1    | | | Heading fields common to all entry types. See Standard heading fields for audit journal entries QJORDJE5 Record Format (*TYPE5) on page 562, Standard heading fields for audit journal entries QJORDJE4 Record Format (*TYPE4) on page 563, and Standard heading fields for audit journal entries QJORDJE2 Record Format (*TYPE2) on page 565 for the field listing.
156 | 224 | 610  | Entry Type           | Char(1)     | Object access: R  Read of an object
157 | 225 | 611  | Object Name          | Char(10)    | Name of the object
167 | 235 | 621  | Library Name         | Char(10)    | Name of the library in which the object is located
177 | 245 | 631  | Object Type          | Char(8)     | Type of object
185 | 253 | 639  | Access Type (1)      | Packed(5,0) | Type of access
188 | 256 | 642  | Access Specific Data | Char(50)    | Specific data about the access. When the object type is *IMGCLG, this field has the following layout:
    |     |      |                      |             |   Char 3   Index number of the image catalog entry. Blank indicates the operation was against an image catalog.
    |     |      |                      |             |   Char 32  Volume ID of the image catalog entry. Blank indicates the operation was against an image catalog.
    |     |      |                      |             |   Char 1   Access type for the entry: Blank  the operation was against an image catalog; R  the file containing the image catalog entry is read-only; W  the file containing the image catalog entry is read/write capable.
    |     |      |                      |             |   Char 1   Write protection for the entry: Blank  the operation was against an image catalog; Y  the file containing the image catalog entry is write protected; N  the file containing the image catalog entry is not write protected.
    |     |      |                      |             |   Char 10  The name of the virtual device. Blank indicates the operation was against an image catalog or the image catalog is not in Ready status.
    |     |      |                      |             |   Char 3   Not used.
238 |     |      | (Reserved Area)      | Char(20)    |
    | 306 | 692  | (Reserved Area)      | Char(18)    |
    | 324 | 710  | Object Name Length (2)              | Binary(4) | The length of the object name.
258 | 326 | 712  | Object Name CCSID (2)               | Binary(5) | The coded character set identifier for the object name.
262 | 330 | 716  | Object Name Country or Region ID (2) | Char(2)  | The Country or Region ID for the object name.
264 | 332 | 718  | Object Name Language ID (2)         | Char(3)   | The language ID for the object name.
267 | 335 | 721  | (Reserved area)                     | Char(3)   |
270 | 338 | 724  | Parent File ID (2,3)                | Char(16)  | The file ID of the parent directory.
286 | 354 | 740  | Object File ID (2,3)                | Char(16)  | The file ID of the object.
302 | 370 | 756  | Object Name (2)                     | Char(512) | The name of the object.
    | 882 | 1268 | Object File ID                      | Char(16)  | The file ID of the object.
    | 898 | 1284 | ASP Name                            | Char(10)  | The name of the ASP device.
    | 908 | 1294 | ASP Number                          | Char(5)   | The number of the ASP device.
    | 913 | 1299 | Path Name CCSID                     | Binary(5) | The coded character set identifier for the path name.
    | 917 | 1303 | Path Name Country or Region ID      | Char(2)   | The Country or Region ID for the path name.
    | 919 | 1305 | Path Name Language ID               | Char(3)   | The language ID for the path name.
    | 922 | 1308 | Path Name Length                    | Binary(4) | The length of the path name.
    | 924 | 1310 | Path Name Indicator                 | Char(1)   | Path name indicator:
    |     |      |                                     |           |   Y  The Path Name field contains the complete absolute path name for the object.
    |     |      |                                     |           |   N  The Path Name field does not contain an absolute path name for the object; instead it contains a relative path name. The Relative Directory File ID field is valid and can be used to form an absolute path name with this relative path name.
    | 925 | 1311 | Relative Directory File ID (4)      | Char(16)  | When the Path Name Indicator field is N, this field contains the file ID of the directory that contains the object identified in the Path Name field. Otherwise it contains hex zeros. (4)
    | 941 | 1327 | Path Name (5)                       | Char(5002) | The path name of the object.

Notes:
1. See Numeric codes for access types on page 704 for a list of the codes for access types.
2. These fields are used only for objects in the "root" (/), QOpenSys, and user-defined file systems.
3. An ID that has the left-most bit set and the rest of the bits zero indicates that the ID is NOT set.
4. If the Path Name Indicator field is N but the Relative Directory File ID is hex zeros, there was an error in determining the path name information.
5. This is a variable length field. The first 2 bytes contain the length of the path name.

Numeric codes for access types

This table lists the access codes used for object auditing journal entries in files QASYYCJE/J4/J5, QASYYRJE/J4/J5, QASYZCJE/J4/J5, and QASYZRJE/J4/J5.

Table 237. Numeric codes for access types

Code  Access type          | Code  Access type               | Code  Access type
1     Add                  | 26    Load                      | 51    Send
2     Activate Program     | 27    List                      | 52    Start
3     Analyze              | 28    Move                      | 53    Transfer
4     Apply                | 29    Merge                     | 54    Trace
5     Call or TFRCTL       | 30    Open                      | 55    Verify
6     Configure            | 31    Print                     | 56    Vary
7     Change               | 32    Query                     | 57    Work
8     Check                | 33    Reclaim                   | 58    Read/Change DLO Attribute
9     Close                | 34    Receive                   | 59    Read/Change DLO Security
10    Clear                | 35    Read                      | 60    Read/Change DLO Content
11    Compare              | 36    Reorganize                | 61    Read/Change DLO all parts
12    Cancel               | 37    Release                   | 62    Add Constraint
13    Copy                 | 38    Remove                    | 63    Change Constraint
14    Create               | 39    Rename                    | 64    Remove Constraint
15    Convert              | 40    Replace                   | 65    Start Procedure
16    Debug                | 41    Resume                    | 66    Get Access on **OOPOOL
17    Delete               | 42    Restore                   | 67    Sign object
18    Dump                 | 43    Retrieve                  | 68    Remove all signatures
19    Display              | 44    Run                       | 69    Clear a signed object
20    Edit                 | 45    Revoke                    | 70    MOUNT
21    End                  | 46    Save                      | 71    Unload
22    File                 | 47    Save with Storage Free    | 72    End Rollback
23    Grant                | 48    Save and Delete           |
24    Hold                 | 49    Submit                    |
25    Initialize           | 50    Set                       |

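The offset tables above (Table 230 for X0 and Table 236 for ZR, with the access codes of Table 237) are what you work from when reading audit records out of the CPYAUDJRNE output files or a *TYPE5 receiver. The following is an added example, not code from the IBM i Security Reference or from IBM: it slices fields from records laid out like QASYX0J5 and QASYZRJ5 using the 1-based J5 offsets printed in the tables, decodes the Packed(5,0) Access Type field (two decimal digits per byte, sign nibble last), maps the X0 entry type to its meaning, and counts Kerberos replay entries (type 8) per remote address, which is the aggregation a detection rule would use. Records on the system are EBCDIC, so the constructed samples are encoded in CCSID 37 (Python codec cp037); the object, library and IP values in them are invented.

```python
"""Decode constructed *TYPE5 audit records for the X0 and ZR entry types.

Added example; not code from the IBM i Security Reference. Offsets come from
Table 230 (X0) and Table 236 (ZR); access codes from Table 237. Audit records
are EBCDIC, so samples are built with CCSID 37 ("cp037"). Only the fields
decoded here are populated; the rest of each record is blank-filled.
"""

EBCDIC = "cp037"

# Table 230: X0 entry types (outcome of a Kerberos or GSS authentication).
X0_ENTRY_TYPES = {
    "1": "Service ticket valid",
    "2": "Service principals do not match",
    "3": "Client principals do not match",
    "4": "Ticket IP address mismatch",
    "5": "Decryption of the ticket failed",
    "6": "Decryption of authenticator failed",
    "7": "Realm is not within client local realms",
    "8": "Ticket is a replay attempt",
    "9": "Ticket not yet valid",
    "A": "Decrypt of KRB_AP_PRIV or KRB_AP_SAFE checksum error",
    "B": "Remote IP address mismatch",
    "C": "Local IP address mismatch",
    "D": "KRB_AP_PRIV or KRB_AP_SAFE timestamp error",
    "E": "KRB_AP_PRIV or KRB_AP_SAFE replay error",
    "F": "KRB_AP_PRIV or KRB_AP_SAFE sequence order error",
    "K": "GSS accept expired credential",
    "L": "GSS accept checksum error",
    "M": "GSS accept channel bindings",
    "N": "GSS unwrap or GSS verify expired context",
    "O": "GSS unwrap or GSS verify decrypt/decode",
    "P": "GSS unwrap or GSS verify checksum error",
    "Q": "GSS unwrap or GSS verify sequence error",
}
# Table 237, the subset of access codes this example resolves.
ACCESS_TYPES = {7: "Change", 13: "Copy", 17: "Delete", 30: "Open", 35: "Read"}


def field(rec: bytes, offset1: int, length: int) -> bytes:
    """Slice a fixed field using the 1-based offset printed in the tables."""
    return rec[offset1 - 1:offset1 - 1 + length]


def char(rec: bytes, offset1: int, length: int) -> str:
    return field(rec, offset1, length).decode(EBCDIC).rstrip()


def packed(rec: bytes, offset1: int, digits: int) -> int:
    """Decode Packed(digits,0): two decimal digits per byte, sign nibble last."""
    raw = field(rec, offset1, digits // 2 + 1).hex()
    value = int(raw[:-1])
    return -value if raw[-1] in "db" else value   # D/B nibbles mark negative


def decode_x0(rec: bytes) -> dict:
    """X0 fields at J5 offsets 610 (type), 627 (remote IP), 648 (local IP)."""
    code = char(rec, 610, 1)
    return {"entry_type": code,
            "meaning": X0_ENTRY_TYPES.get(code, "unknown"),
            "remote_ip": char(rec, 627, 21),
            "local_ip": char(rec, 648, 21)}


def decode_zr(rec: bytes) -> dict:
    """ZR fields at J5 offsets 610, 611, 621, 631 and the packed type at 639."""
    access = packed(rec, 639, 5)
    return {"entry_type": char(rec, 610, 1),
            "object": char(rec, 611, 10),
            "library": char(rec, 621, 10),
            "object_type": char(rec, 631, 8),
            "access_code": access,
            "access_type": ACCESS_TYPES.get(access, f"code {access}")}


def replay_sources(records) -> dict:
    """Count X0 replay entries (type 8) per remote IP; a burst from one
    address is the signal worth alerting on."""
    counts = {}
    for rec in records:
        d = decode_x0(rec)
        if d["entry_type"] == "8":
            counts[d["remote_ip"]] = counts.get(d["remote_ip"], 0) + 1
    return counts


def build_record(total_len: int, fields: dict) -> bytes:
    """Construct a blank-padded EBCDIC record from {1-based offset: bytes}."""
    rec = bytearray(" ".encode(EBCDIC) * total_len)
    for offset1, data in fields.items():
        rec[offset1 - 1:offset1 - 1 + len(data)] = data
    return bytes(rec)


def e(text: str, width: int) -> bytes:
    return text.ljust(width).encode(EBCDIC)


# Constructed samples, not real audit data.
SAMPLE_X0_REPLAY = build_record(700, {
    610: e("8", 1), 611: e("00000000", 8),
    627: e("192.0.2.10", 21), 648: e("198.51.100.5", 21)})
SAMPLE_ZR_READ = build_record(700, {
    610: e("R", 1), 611: e("PAYROLL", 10), 621: e("HRLIB", 10),
    631: e("*FILE", 8), 639: bytes.fromhex("00035F")})  # Packed(5,0) +35 = Read
```

The J5 offsets only apply to *TYPE5 output (QASY..J5 files or a journal receiver created with RCVSIZOPT *TYPE5); for *TYPE4 or *TYPE2 data substitute the J4 or JE column from the same tables.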

Appendix G. Commands and menus for security commands

The SECTOOLS (Security Tools) menu, the SECBATCH (Submit or Schedule Security Reports to Batch) menu, and the Configure System Security (CFGSYSSEC) and Revoke Public Authority (RVKPUBAUT) commands are four security tools you can use to configure your system security. Two menus are available for the security tools:
v The SECTOOLS (Security Tools) menu, to run commands interactively.
v The SECBATCH (Submit or Schedule Security Reports to Batch) menu, to run the report commands in batch.
The SECBATCH menu has two parts. The first part of the menu uses the Submit Job (SBMJOB) command to submit reports for immediate processing in batch. The second part of the menu uses the Add Job Schedule Entry (ADDJOBSCDE) command to schedule security reports to run regularly at a specified day and time.

Options on the Security Tools menu

You can use the Security Tools (SECTOOLS) menu to simplify the management and control of security on your system through the options and commands it provides. This figure shows the part of the SECTOOLS menu that relates to user profiles. To access this menu, type GO SECTOOLS.

SECTOOLS                        Security Tools

Select one of the following:

  Work with profiles
    1. Analyze default passwords
    2. Display active profile list
    3. Change active profile list
    4. Analyze profile activity
    5. Display activation schedule
    6. Change activation schedule entry
    7. Display expiration schedule
    8. Change expiration schedule entry
    9. Print profile internals

Table 238 describes these menu options and the associated commands:

Table 238. Tool commands for user profiles

Menu option (1) | Command name | Description | Database file used (2)
1 | ANZDFTPWD  | Use the Analyze Default Passwords command to report on and take action on user profiles that have a password equal to the user profile name. | QASECPWD
2 | DSPACTPRFL | Use the Display Active Profile List command to display or print the list of user profiles that are exempt from ANZPRFACT processing. | QASECIDL

Copyright IBM Corp. 1996, 2010


Table 238. Tool commands for user profiles (continued)

Menu option (1) | Command name | Description | Database file used (2)
3 | CHGACTPRFL | Use the Change Active Profile List command to add and remove user profiles from the exemption list for the ANZPRFACT command. A user profile that is on the active profile list is permanently active (until you remove the profile from the list). The ANZPRFACT command does not disable a profile that is on the active profile list, no matter how long the profile has been inactive. | QASECIDL
4 | ANZPRFACT  | Use the Analyze Profile Activity command to disable user profiles that have not been used for a specified number of days. After you use the ANZPRFACT command to specify the number of days, the system runs the ANZPRFACT job nightly. You can use the CHGACTPRFL command to exempt user profiles from being disabled. | QASECIDL
5 | DSPACTSCD  | Use the Display Activation Schedule command to display or print information about the schedule for enabling and disabling specific user profiles. You create the schedule with the CHGACTSCDE command. | QASECACT
6 | CHGACTSCDE | Use the Change Activation Schedule Entry command to make a user profile available for sign on only at certain times of the day or week. For each user profile that you schedule, the system creates job schedule entries for the enable and disable times. | QASECACT
7 | DSPEXPSCDE | Use the Display Expiration Schedule command to display or print the list of user profiles that are scheduled to be disabled or removed from the system in the future. You use the CHGEXPSCDE or CHGUSRPRF command to set up user profiles to expire. |
8 | CHGEXPSCDE | Use the Change Expiration Schedule Entry command to schedule a user profile for removal. You can remove it temporarily (by disabling it) or you can delete it from the system. This command uses a job schedule entry that runs every day at 00:01 (1 minute after midnight). Use the DSPEXPSCDE command to display the user profiles that are scheduled to expire. |
9 | PRTPRFINT  | Use the Print Profile Internals command to print a report of internal information about the number of entries in a user profile (*USRPRF) object. |

Notes:
1. Options are from the SECTOOLS menu.
2. This file is in the QUSRSYS library.

You can page down on the menu to see additional options. Table 239 describes the menu options and associated commands for security auditing:

Table 239. Tool commands for security auditing

Menu option (1) | Command name | Description | Database file used
10 | CHGSECAUD  | Use the Change Security Auditing command to set up security auditing and to change the system values that control security auditing. When you run the CHGSECAUD command, the system creates the security audit (QAUDJRN) journal if it does not exist. The CHGSECAUD command provides options that make it simpler to set the QAUDLVL (audit level) and QAUDLVL2 (audit level extension) system values. You can specify *ALL to activate all of the possible audit level settings, or *DFTSET to activate the most commonly used settings (*AUTFAIL, *CREATE, *DELETE, *SECURITY, and *SAVRST). Note: If you use the security tools to set up auditing, make sure to plan for management of your audit journal receivers. Otherwise, you might quickly encounter problems with disk utilization. |
11 | DSPSECAUD  | Use the Display Security Auditing command to display information about the security audit journal and the system values that control security auditing. |
12 | CPYAUDJRNE | Use the Copy Audit Journal Entries command to copy entries from the security audit journal to an output file. | QASYxxJ5 (2)

Notes:
1. Options are from the SECTOOLS menu.
2. xx is the two-character journal entry type. For example, the model output file for AE journal entries is QSYS/QASYAEJ5. The model output files are described in Appendix F, Layout of audit journal entries, on page 561 of this topic collection.

How to use the Security Batch menu


You can use the security batch menu to submit one or more of the Security Tools reports to a job queue to be run later as a batch job. You can also choose to schedule any of the Security Tools reports as batch jobs to be submitted once or at regular intervals. The examples in this topic demonstrate how to use the security batch menu. Here is the first part of the SECBATCH menu:

SECBATCH            Submit or Schedule Security Reports To Batch
                                                        System:
Select one of the following:

  Submit Reports to Batch
     1. Adopting objects
     2. Audit journal entries
     3. Authorization list authorities
     4. Command authority
     5. Command private authorities
     6. Communications security
     7. Directory authority
     8. Directory private authority
     9. Document authority
    10. Document private authority
    11. File authority
    12. File private authority
    13. Folder authority

When you select an option from this menu, you see the Submit Job (SBMJOB) display, such as the following example:
                              Submit Job (SBMJOB)

 Type choices, press Enter.

 Command to run . . . . . . . . . > PRTADPOBJ USRPRF(*ALL)

 Job name . . . . . . . . . . . .   *JOBD         Name, *JOBD
 Job description  . . . . . . . .   *USRPRF       Name, *USRPRF
   Library  . . . . . . . . . . .                 Name, *LIBL, *CURLIB
 Job queue  . . . . . . . . . . .   *JOBD         Name, *JOBD
   Library  . . . . . . . . . . .                 Name, *LIBL, *CURLIB
 Job priority (on JOBQ) . . . . .   *JOBD         1-9, *JOBD
 Output priority (on OUTQ)  . . .   *JOBD         1-9, *JOBD
 Print device . . . . . . . . . .   *CURRENT      Name, *CURRENT, *USRPRF...

If you want to change the default options for the command, you can press F4 (Prompt) on the Command to run line. To see the Schedule Batch Reports, page down on the SECBATCH menu. By using the options on this part of the menu, you can, for example, set up your system to run changed versions of reports regularly.
 SECBATCH            Submit or Schedule Security Reports To Batch
                                                            System:
 Select one of the following:

          28. User objects
          29. User profile information
          30. User profile internals
          31. Check object integrity

      Schedule Batch Reports
          40. Adopting objects
          41. Audit journal entries
          42. Authorization list authorities
          43. Command authority
          44. Command private authority
          45. Communications security
          46. Directory authority

You can page down for additional menu options. When you select an option from this part of the menu, you see the Add Job Schedule Entry (ADDJOBSCDE) display:

                        Add Job Schedule Entry (ADDJOBSCDE)

 Type choices, press Enter.

 Job name . . . . . . . . . . . .                 Name, *JOBD
 Command to run . . . . . . . . . > PRTADPOBJ USRPRF(*ALL)

 Frequency  . . . . . . . . . . .                 *ONCE, *WEEKLY, *MONTHLY
 Schedule date, or  . . . . . . .   *CURRENT      Date, *CURRENT, *MONTHST
 Schedule day . . . . . . . . . .   *NONE         *NONE, *ALL, *MON, *TUE...
             + for more values
 Schedule time  . . . . . . . . .   *CURRENT      Time, *CURRENT

You can position your cursor on the Command to run line and press F4 (Prompt) to choose different settings for the report. You should assign a meaningful job name so that you can recognize the entry when you display the job schedule entries.
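The SBMJOB and ADDJOBSCDE commands that the two halves of the SECBATCH menu build for several of their options, collected in one CL program as an added example that is not from this manual. The job names, the QBATCH job queue in QGPL, the APPLIB library and the QGPL/OBJITG output file are assumptions.

```cl
/* Added example (not IBM's code): what SECBATCH submits or schedules  */
/* for a few of its options, with the prompts already filled in.      */
/* Job names, QGPL/QBATCH, APPLIB and QGPL/OBJITG are assumptions.    */
             PGM

             /* Option 1: adopting-objects report for every profile,    */
             /* run once, now, as a batch job.                          */
             SBMJOB     CMD(PRTADPOBJ USRPRF(*ALL)) JOB(SECADPOBJ) +
                          JOBQ(QGPL/QBATCH)

             /* Option 11 with a narrower selection: public authority   */
             /* to *FILE objects in one application library only.       */
             SBMJOB     CMD(PRTPUBAUT OBJTYPE(*FILE) LIB(APPLIB)) +
                          JOB(SECPUBFILE) JOBQ(QGPL/QBATCH)

             /* Option 40: the "changed" version of the adopting-        */
             /* objects report every Monday at 06:00, so only objects    */
             /* that started adopting since last week are listed.        */
             /* SCDDATE must be *NONE when SCDDAY is given.              */
             ADDJOBSCDE JOB(SECADPCHG) +
                          CMD(PRTADPOBJ USRPRF(*ALL) CHGRPTONLY(*YES)) +
                          FRQ(*WEEKLY) SCDDATE(*NONE) SCDDAY(*MON) +
                          SCDTIME(060000) JOBQ(QGPL/QBATCH)

             /* Option 41: authority-failure (AF) audit entries printed  */
             /* every day at 23:30 (*WEEKLY with SCDDAY(*ALL) = daily). */
             ADDJOBSCDE JOB(SECAUDAF) +
                          CMD(DSPAUDJRNE ENTTYP(AF) OUTPUT(*PRINT)) +
                          FRQ(*WEEKLY) SCDDATE(*NONE) SCDDAY(*ALL) +
                          SCDTIME(233000) JOBQ(QGPL/QBATCH)

             /* Option 70: object integrity check of all user profiles'  */
             /* objects on the first day of each month; CHKOBJITG        */
             /* records its findings in the OUTFILE, not in a report.    */
             ADDJOBSCDE JOB(SECOBJITG) +
                          CMD(CHKOBJITG USRPRF(*ALL) OUTFILE(QGPL/OBJITG)) +
                          FRQ(*MONTHLY) SCDDATE(*MONTHSTR) +
                          SCDTIME(020000) JOBQ(QGPL/QBATCH)
             ENDPGM
```

Review the entries afterwards with WRKJOBSCDE; the meaningful job names above are what make them recognizable there, as the paragraph recommends.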

Options on the security batch menu


This table describes the menu options and the associated commands for security reports. When you run security reports, the system prints only information that meets both the selection criteria that you specify and the selection criteria for the tool. For example, job descriptions that specify a user profile name are security-relevant. Therefore, the job description (PRTJOBDAUT) report prints job descriptions in the specified library only if the public authority for the job description is not *EXCLUDE and if the job description specifies a user profile name in the USER parameter. Similarly, when you print subsystem information (PRTSBSDAUT command), the system prints information about a subsystem only when the subsystem description has a communications entry that specifies a user profile. If a particular report prints less information than you expect, consult the online help information to find out the selection criteria for the report.
Table 240. Commands for security reports

Menu options 1, 40 (see note 1): PRTADPOBJ
    Description: Use the Print Adopting Objects command to print a list of objects that adopt the authority of the specified user profile. You can specify a single profile, a generic profile name (such as all profiles that begin with Q), or all user profiles on the system. This report has two versions. The full report lists all adopted objects that meet the selection criteria. The changed report lists differences between adopted objects that are currently on the system and adopted objects that were on the system the last time that you ran the report.
    Database file used: QSECADPOLD (see note 2)

Menu options 2, 41: DSPAUDJRNE (see note 6)
    Description: Use the Display Audit Journal Entries command to display or print information about entries in the security audit journal. You can select specific entry types, specific users, and a time period.
    Database file used: QASYxxJ5 (see note 3)

Menu options 3, 42: PRTPVTAUT *AUTL
    Description: When you use the Print Private Authorities command for *AUTL objects, you receive a list of all the authorization lists on the system. The report includes the users who are authorized to each list and what authority the users have for the list. Use this information to help you analyze sources of object authority on your system. This report has three versions. The full report lists all authorization lists on the system. The changed report lists additions and changes to authorization since you last ran the report. The deleted report lists users whose authority to the authorization list has been deleted since you last ran the report. When you print the full report, you have the option to print a list of objects that each authorization list secures. The system will create a separate report for each authorization list.
    Database file used: QSECATLOLD (see note 2)

Menu options 6, 45: PRTCMNSEC
    Description: Use the Print Communications Security command to print the security-relevant settings for objects that affect communications on your system. These settings affect how users and jobs can enter your system. This command produces two reports: a report that displays the settings for configuration lists on the system and a report that lists security-relevant parameters for line descriptions, controllers, and device descriptions. Each of these reports has a full version and a changed version.
    Database file used: QSECCMNOLD (see note 2)

Menu options 15, 54: PRTJOBDAUT
    Description: Use the Print Job Description Authority command to print a list of job descriptions that specify a user profile and have public authority that is not *EXCLUDE. The report shows the special authorities for the user profile that is specified in the job description. This report has two versions. The full report lists all job description objects that meet the selection criteria. The changed report lists differences between job description objects that are currently on the system and job description objects that were on the system the last time that you ran the report.
    Database file used: QSECJBDOLD (see note 2)

Menu options: see note 4: PRTPUBAUT
    Description: Use the Print Publicly Authorized Objects command to print a list of objects whose public authority is not *EXCLUDE. When you run the command, you specify the type of object and the library or libraries for the report. Use the PRTPUBAUT command to print information about objects that every user on the system can access. This report has two versions. The full report lists all objects that meet the selection criteria. The changed report lists differences between the specified objects that are currently on the system and objects (of the same type in the same library) that were on the system the last time that you ran the report.
    Database file used: QPBxxxxxx (see note 5)

Menu options: see note 4: PRTPVTAUT
    Description: Use the Print Private Authorities command to print a list of the private authorities to objects of the specified type in the specified library. Use this report to help you determine the sources of authority to objects. This report has three versions. The full report lists all objects that meet the selection criteria. The changed report lists differences between the specified objects that are currently on the system and objects (of the same type in the same library) that were on the system the last time that you ran the report. The deleted report lists users whose authority to an object has been deleted since you last printed the report.
    Database file used: QPVxxxxxx (see note 5)

Menu options 24, 63: PRTQAUT
    Description: Use the Print Queue Authority command to print the security settings for output queues and job queues on your system. These settings control who can view and change entries in the output queue or job queue. This report has two versions. The full report lists all output queue and job queue objects that meet the selection criteria. The changed report lists differences between output queue and job queue objects that are currently on the system and output queue and job queue objects that were on the system the last time that you ran the report.
    Database file used: QSECQOLD (see note 2)

Menu options 25, 64: PRTSBSDAUT
    Description: Use the Print Subsystem Description command to print the security-relevant communications entries for subsystem descriptions on your system. These settings control how work can enter your system and how jobs run. The report prints a subsystem description only if it has communications entries that specify a user profile name. This report has two versions. The full report lists all subsystem description objects that meet the selection criteria. The changed report lists differences between subsystem description objects that are currently on the system and subsystem description objects that were on the system the last time that you ran the report.
    Database file used: QSECSBDOLD (see note 2)

Menu options 26, 65: PRTSYSSECA
    Description: Use the Print System Security Attributes command to print a list of security-relevant system values and network attributes. The report shows the current value and the recommended value.

Menu options 27, 66: PRTTRGPGM
    Description: Use the Print Trigger Programs command to print a list of trigger programs that are associated with database files on your system. This report has two versions. The full report lists every trigger program that is assigned and meets your selection criteria. The changed report lists trigger programs that have been assigned since the last time that you ran the report.
    Database file used: QSECTRGOLD (see note 2)

Menu options 28, 67: PRTUSROBJ
    Description: Use the Print User Objects command to print a list of the user objects (objects not supplied by IBM) that are in a library. You might use this report to print a list of user objects that are in a library (such as QSYS) that is in the system portion of the library list. This report has two versions. The full report lists all user objects that meet the selection criteria. The changed report lists differences between user objects that are currently on the system and user objects that were on the system the last time that you ran the report.

Menu options 29, 68: PRTUSRPRF
    Description: Use the Print User Profile command to analyze user profiles that meet specified criteria. You can select user profiles based on special authorities, user class, or a mismatch between special authorities and user class. You can print authority information, environment information, or password information.
    Database file used: QSECPUOLD (see note 2)

Menu options 30, 69: PRTPRFINT
    Description: Use the Print Profile Internals command to print a report of internal information about the number of entries contained in a user profile (*USRPRF) object.

Menu options 31, 70: CHKOBJITG
    Description: Use the Check Object Integrity command to determine whether operable objects (such as programs) have been changed without using a compiler. This command can help you to detect attempts to introduce a virus program on your system or to change a program to perform unauthorized instructions.

Notes:
1. Options are from the SECBATCH menu.
2. This file is in the QUSRSYS library.
3. xx is the two-character journal entry type. For example, the model output file for AE journal entries is QSYS/QASYAEJ5. The model output files are described in Appendix F, Layout of audit journal entries, on page 561 of this topic collection.
4. The SECTOOLS menu contains options for the object types that are typically of concern to security administrators. For example, use options 11 or 50 to run the PRTPUBAUT command against *FILE objects. Use the general options (18 and 57) to specify the object type. Use options 12 and 51 to run the PRTPVTAUT command against *FILE objects. Use the general options (19 and 58) to specify the object type.
5. The xxxxxx in the name of the file is the object type. For example, the file for program objects is called QPBPGM for public authorities and QPVPGM for private authorities. The files are in the QUSRSYS library. The file contains a member for each library for which you have printed the report. The member name is the same as the library name.
6. The DSPAUDJRNE command cannot process all security audit record types, and the command does not list all the fields for the records it does support.

Commands for customizing security


This table describes the commands that you can use to customize the security on your system, which are on the SECTOOLS menu.
Table 241. Commands for customizing your system

Menu option 60 (see note 1): CFGSYSSEC
    Description: Use the Configure System Security command to set security-relevant system values to their recommended settings. The command also sets up security auditing on your system. Values that are set by the Configure System Security command on page 714 describes what the command does.

Menu option 61: RVKPUBAUT
    Description: Use the Revoke Public Authority command to set the public authority to *EXCLUDE for a set of security-sensitive commands on your system. What the Revoke Public Authority command does on page 716 lists the actions that the RVKPUBAUT command performs.

Notes:
1. Options are from the SECTOOLS menu.

Values that are set by the Configure System Security command


This table lists the system values that are set when you run the Configure System Security (CFGSYSSEC) command that runs a program that is called QSYS/QSECCFGS.
Table 242. Values set by the CFGSYSSEC command

System value: QAUTOCFG
    Setting: 0 (No)
    Description: Automatic configuration of new devices

System value: QAUTOVRT
    Setting: 0
    Description: The number of virtual device descriptions that the system will automatically create if no device is available for use

System value: QALWOBJRST
    Setting: *NONE
    Description: Whether system state programs and programs that adopt authority can be restored

System value: QDEVRCYACN
    Setting: *DSCMSG (Disconnect with message)
    Description: System action when communications is re-established

System value: QDSCJOBITV
    Setting: 120
    Description: Time period before the system takes action on a disconnected job

System value: QDSPSGNINF
    Setting: 1 (Yes)
    Description: Whether users see the sign-on information display

System value: QINACTITV
    Setting: 60
    Description: Time period before the system takes action on an interactive job

System value: QINACTMSGQ
    Setting: *ENDJOB
    Description: Action that the system takes for an inactive job

System value: QLMTDEVSSN
    Setting: 1 (Yes)
    Description: Whether users are limited to signing on at one device at a time

System value: QLMTSECOFR
    Setting: 1 (Yes)
    Description: Whether *ALLOBJ and *SERVICE users are limited to specific devices

System value: QMAXSIGN
    Setting: 3
    Description: How many consecutive, unsuccessful sign-on attempts are allowed

System value: QMAXSGNACN
    Setting: 3 (Both)
    Description: Whether the system disables the workstation or the user profile when the QMAXSIGN limit is reached

System value: QPWDEXPITV
    Setting: 60
    Description: How often users must change their passwords

System value: QPWDMINLEN
    Setting: 6 (see notes 3 and 5)
    Description: Minimum length for passwords

System value: QPWDMAXLEN
    Setting: 8 (see notes 4 and 5)
    Description: Maximum length for passwords

System value: QPWDPOSDIF
    Setting: 1 (Yes) (see note 5)
    Description: Whether every position in a new password must differ from the same position in the last password

System value: QPWDLMTCHR
    Setting: See notes 2 and 5
    Description: Characters that are not allowed in passwords

System value: QPWDLMTAJC
    Setting: 1 (Yes) (see note 5)
    Description: Whether adjacent numbers are prohibited in passwords

System value: QPWDLMTREP
    Setting: 2 (Cannot be repeated consecutively) (see note 5)
    Description: Whether repeating characters are prohibited in passwords

System value: QPWDRQDDGT
    Setting: 1 (Yes) (see note 5)
    Description: Whether passwords must have at least one number

System value: QPWDRQDDIF
    Setting: 1 (32 unique passwords)
    Description: How many unique passwords are required before a password can be repeated

System value: QPWDRULES
    Setting: *MINLEN6 *MAXLEN10 *LMTSAMPOS *LMTPRFNAME *DGTMIN1 *CHRLMTAJC *DGTLMTAJC *DGTLMTFST *DGTLMTLST *SPCCHRLMTAJC *SPCCHRLMTFST *SPCCHRLMTLST (see note 6)
    Description: Rules for forming a valid password

System value: QPWDVLDPGM
    Setting: *NONE
    Description: The user exit program that the system calls to validate passwords

System value: QRMTSIGN
    Setting: *FRCSIGNON
    Description: How the system handles a remote (pass-through or TELNET) sign-on attempt

System value: QRMTSVRATR
    Setting: 0 (Off)
    Description: Allows the system to be analyzed remotely

System value: QSECURITY
    Setting: 50 (see note 1)
    Description: The level of security that is enforced

System value: QVFYOBJRST
    Setting: 3
    Description: Verify object on restore

Notes:
1. If you are currently running with a QSECURITY value of 30 or lower, be sure to review the information in Chapter 2, Using System Security (QSecurity) system value, on page 9 before you change to a higher security level.
2. The restricted characters are stored in message ID CPXB302 in the message file QSYS/QCPFMSG. They are shipped as AEIOU@$#. You can use the Change Message Description (CHGMSGD) command to change the restricted characters.
3. If the minimum length for passwords is already greater than 6, the QPWDMINLEN system value will not be changed.
4. If the maximum length for passwords is already greater than 8, the QPWDMAXLEN system value will not be changed.
5. This system value is only changed when the QPWDRULES system value currently specifies a value of *PWDSYSVAL.
6. This system value will not be changed if its current value is *PWDSYSVAL.

The CFGSYSSEC command also sets the password to *NONE for the following IBM-supplied user profiles:
- QSYSOPR
- QPGMR
- QUSER
- QSRV
- QSRVBAS

Finally, the CFGSYSSEC command sets up security auditing according to the values that you have specified by using the Change Security Auditing (CHGSECAUD) command.

Changing the program


If some of the system value settings are not appropriate for your installation, you can create your own version of the program that processes the Configure System Security (CFGSYSSEC) command. To change the program, perform the following steps:
1. Use the Retrieve CL Source (RTVCLSRC) command to copy the source for the program that runs when you use the CFGSYSSEC command. The program to retrieve is QSYS/QSECCFGS. When you retrieve it, give it a different name.
2. Edit the program to make your changes. Then compile it. When you compile it, make sure that you do not replace the IBM-supplied QSYS/QSECCFGS program. Your program should have a different name.
3. Use the Change Command (CHGCMD) command to change the program to process command (PGM) parameter for the CFGSYSSEC command. Set the PGM value to the name of your program. For example, if you create a program in the QGPL library that is called MYSECCFG, you need to type the following command:

   CHGCMD CMD(QSYS/CFGSYSSEC) PGM(QGPL/MYSECCFG)

Notes:
a. If you change the QSYS/QSECCFGS program, IBM cannot guarantee or imply reliability, serviceability, performance or function of the program. The implied warranties of merchantability and fitness for a particular purpose are expressly disclaimed.
b. If you change the RVKPUBAUT command to use a different command processing program, then the digital signature of this command will no longer be valid.

What the Revoke Public Authority command does


You can use the Revoke Public Authority (RVKPUBAUT) command to set the public authority to *EXCLUDE for a set of commands and programs. The RVKPUBAUT command runs a program that is called QSYS/QSECRVKP. As it is shipped, the QSECRVKP revokes public authority (by setting public authority to *EXCLUDE) for the commands that are listed in Table 243 on page 717 and the application programming interfaces (APIs) that are listed in Table 244 on page 717. When your system arrives, these commands and APIs have their public authority set to *USE. The commands that are listed in Table 243 on page 717 and the APIs that are listed in Table 244 on page 717 all perform functions on your system that might provide an opportunity for mischief. As security administrator, you should explicitly authorize users to run these commands and programs rather than make them available to all system users. When you run the RVKPUBAUT command, you specify the library that contains the commands. The default is the QSYS library. If you have more than one national language on your system, you need to run the command for each QSYSxxx library.


Table 243. Commands whose public authority is set by the RVKPUBAUT command ADDAJE ADDCFGLE ADDCMNE ADDJOBQE ADDPJE ADDRTGE ADDWSE CHGAJE CHGCFGL CHGCFGLE CHGCMNE CHGCTLAPPC CHGDEVAPPC CHGJOBQE CHGPJE CHGRTGE CHGSBSD CHGWSE CPYCFGL CRTCFGL CRTCTLAPPC CRTDEVAPPC CRTSBSD ENDRMTSPT RMVAJE RMVCFGLE RMVCMNE RMVJOBQE RMVPJE RMVRTGE RMVWSE RSTLIB RSTOBJ RSTS36F RSTS36FLR RSTS36LIBM STRRMTSPT STRSBS WRKCFGL

The APIs in Table 244 are all in the QSYS library:


Table 244. Programs whose public authority is set by the RVKPUBAUT command QTIENDSUP QTISTRSUP QWTCTLTR QWTSETTR QY2FTML

As of V3R7, when you run the RVKPUBAUT command, the system sets the public authority for the root directory to *USE (unless it is already *USE or less).

Changing the program


If some of the settings are not appropriate for your installation, you can create your own version of the program that processes the Revoke Public Authority (RVKPUBAUT) command. To change the program, perform the following steps:
1. Use the Retrieve CL Source (RTVCLSRC) command to copy the source for the program that runs when you use the RVKPUBAUT command. The program to retrieve is QSYS/QSECRVKP. When you retrieve it, give it a different name.
2. Edit the program to make your changes. Then compile it. When you compile it, make sure that you do not replace the IBM-supplied QSYS/QSECRVKP program. Your program should have a different name.
3. Use the Change Command (CHGCMD) command to change the program to process command (PGM) parameter for the RVKPUBAUT command. Set the PGM value to the name of your program. For example, if you create a program in the QGPL library that is called MYRVKPGM, you need to type the following command:

   CHGCMD CMD(QSYS/RVKPUBAUT) PGM(QGPL/MYRVKPGM)

Notes:
a. If you change the QSYS/QSECRVKP program, IBM cannot guarantee or imply reliability, serviceability, performance or function of the program. The implied warranties of merchantability and fitness for a particular purpose are expressly disclaimed.
b. If you change the RVKPUBAUT command to use a different command processing program, then the digital signature of this command will no longer be valid.
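What a site-customized command processing program produced by the three steps above can look like, as an added example that is not IBM's QSECRVKP or its retrieved source; the same pattern applies to the CFGSYSSEC/QSECCFGS procedure in the earlier Changing the program section. It assumes that &LIB (the library named on RVKPUBAUT) is the only parameter the command passes, and the SECADM group profile, the APPSTRSBS command, the QGPL/QCLSRC source file and the command subset are constructed for the example.

```cl
/* QGPL/MYRVKPGM, added example (not IBM's shipped QSECRVKP).          */
/* Sets *PUBLIC to *EXCLUDE on a site-chosen subset of the Table 243  */
/* commands plus one local command, then grants them back to one      */
/* administrative group profile so access is explicit, not public.    */
/* Assumptions: &LIB is the command's only parameter; SECADM and      */
/* APPSTRSBS are constructed names. The root-directory step of the    */
/* shipped program is deliberately not reproduced here.               */
             PGM        PARM(&LIB)
             DCL        VAR(&LIB)   TYPE(*CHAR) LEN(10)
             DCL        VAR(&CMD)   TYPE(*CHAR) LEN(10)
             DCL        VAR(&POS)   TYPE(*DEC)  LEN(3 0) VALUE(1)
             DCL        VAR(&MSGID) TYPE(*CHAR) LEN(7)
             /* Ten-character slots; the first blank slot ends the list. */
             /* The "+" continuation drops leading blanks of each line,  */
             /* so every slot is padded to 10 before the "+".            */
             DCL        VAR(&LIST)  TYPE(*CHAR) LEN(120) +
                          VALUE('STRSBS    CHGSBSD   ADDRTGE   CHGRTGE   +
                                 RSTOBJ    RSTLIB    STRRMTSPT ENDRMTSPT +
                                 CRTSBSD   APPSTRSBS ')

 NEXT:       CHGVAR     VAR(&CMD) VALUE(%SST(&LIST &POS 10))
             IF         COND(&CMD *EQ ' ') THEN(GOTO CMDLBL(DONE))

             /* Revoke public access to the command object in &LIB.     */
             /* Any failure (e.g. the command does not exist in this    */
             /* library) is reported and the command is skipped.        */
             GRTOBJAUT  OBJ(&LIB/&CMD) OBJTYPE(*CMD) USER(*PUBLIC) +
                          AUT(*EXCLUDE)
             MONMSG     MSGID(CPF0000) EXEC(DO)
               RCVMSG   MSGTYPE(*EXCP) MSGID(&MSGID)
               SNDPGMMSG MSG('Skipped ' *CAT &CMD *TCAT ': ' *CAT &MSGID)
               GOTO     CMDLBL(SKIP)
             ENDDO

             /* Give the authority back explicitly, to the admin group. */
             GRTOBJAUT  OBJ(&LIB/&CMD) OBJTYPE(*CMD) USER(SECADM) +
                          AUT(*USE)
             MONMSG     MSGID(CPF0000) EXEC(DO)
               RCVMSG   MSGTYPE(*EXCP) MSGID(&MSGID)
               SNDPGMMSG MSG('Grant to SECADM failed for ' *CAT &CMD +
                             *TCAT ': ' *CAT &MSGID)
             ENDDO

 SKIP:       CHGVAR     VAR(&POS) VALUE(&POS + 10)
             GOTO       CMDLBL(NEXT)

 DONE:       ENDPGM

/* Steps 2 and 3 above, with the assumed source file (QGPL/QCLSRC):   */
/*   CRTCLPGM PGM(QGPL/MYRVKPGM) SRCFILE(QGPL/QCLSRC) SRCMBR(MYRVKPGM) */
/*   CHGCMD   CMD(QSYS/RVKPUBAUT) PGM(QGPL/MYRVKPGM)                   */
```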


Appendix H. Related information for i5/OS security reference


Listed here are the product manuals and IBM Redbooks (in PDF format), Web sites, and information center topics that relate to the security topic. You can view or print any of the PDFs.

Manuals
- Recovering your system (about 8.42 MB), provides information about planning a backup and recovery strategy, saving information from your system, and recovering your system, auxiliary storage pools, and disk protection options.
- Installing, upgrading, or deleting i5/OS and related software (3,053 KB), provides step-by-step procedures for initial install, installing licensed programs, program temporary fixes (PTFs), and secondary languages from IBM.
- Remote Workstation Support (1,636 KB), provides information about how to set up and use remote workstation support, such as display station pass-through, distributed host command facility, and 3270 remote attachment.
- Cryptographic Support/400 (448 KB), describes the data security capabilities of the Cryptographic Facility licensed program. It explains how to use the facility and provides reference information for programmers.
- Local Device Configuration (763 KB), provides information about how to do an initial configuration and how to change that configuration. It also contains conceptual information about device configuration.
- SNA Distribution Services, SC41-5410 (2,259 KB), provides information about configuring a network for Systems Network Architecture distribution services (SNADS) and the Virtual Machine/Multiple Virtual Storage (VM/MVS) bridge. In addition, object distribution functions, document library services, and system distribution directory services are discussed. (This manual is not included in this release of the i5/OS Information Center. However, it might be a useful reference to you. The manual is available from the IBM Publications Center as a printed hardcopy that you can order or in an online format that you can download at no charge.)
- ADTS for AS/400: Source Entry Utility, SC09-2605 (460 KB), provides information about using the Application Development Tools source entry utility (SEU) to create and edit source members. The book explains how to start and end an SEU session and how to use the many features of this full-screen text editor. The book contains examples to help both new and experienced users accomplish various editing tasks, from the simplest line commands to using pre-defined prompts for high-level languages and data formats. (This manual is not included in this release of the i5/OS Information Center. However, it might be a useful reference to you. The manual is available from the IBM Publications Center as a printed hardcopy that you can order or in an online format that you can download at no charge.)

IBM Redbooks
- AS/400 Internet Security: Protecting Your AS/400 from HARM on the Internet (2.1 MB). This IBM Redbook discusses the security issues and the risk associated with connecting your System i product to the Internet. It provides examples, recommendations, tips, and techniques for applications.
- Cool Title About the AS/400 and Internet (7.36 MB). This IBM Redbook can help you understand and then use the Internet (or your own intranet) from your System i product. It helps you to understand how to use the functions and features. This book helps you to get started quickly using e-mail, file transfer, terminal emulation, gopher, HTTP, and 5250 to HTML Gateway.


Web sites
- Lotus Documentation (http://www.lotus.com/ldd/doc). This Web site provides information about Lotus Notes, Domino, and IBM Domino for i5/OS. From this Web site, you can download information in Domino database (.NSF) and Adobe Acrobat (.PDF) format, search databases, and find out how to obtain printed manuals.

Other information
- Planning and setting up system security provides a set of practical suggestions for using the security features of iSeries and for establishing operating procedures that are security-conscious. This book also describes how to set up and use security tools that are part of i5/OS.
- Implementing AS/400 Security, 4th Edition (October 15, 2000) by Wayne Madden and Carol Woodbury. Loveland, Colorado: 29th Street Press. Provides guidance and practical suggestions for planning, setting up, and managing your system security. ISBN Order Number 1583040730.
- IBM i Access for Windows provides technical information about the IBM i Access for Windows programs for all versions of IBM i Access for Windows.
- TCP/IP setup provides information that describes how to use and configure TCP/IP.
- TCP/IP applications, protocols, and services provides information that describes how to use TCP/IP applications, such as FTP, SMTP, and TELNET.
- Basic system operations provides information about how to start and stop the system and work with system problems.
- Integrated file system provides an overview of the integrated file system, including what it is, how it can be used, and what interfaces are available.
- iSeries and Internet security helps you address potential security concerns you may have when connecting your iSeries to the Internet. For more information, visit the following IBM I/T (Information Technology) Security home page: http://www.ibm.com/security.
- Optical storage provides information about functions that are unique for Optical Support. It also contains helpful information for the use and understanding of CD devices, directly attached optical media library devices, and LAN-attached optical media library devices.
- Printing provides information about printing elements and concepts of the system, printer file and print spooling support for printing operation, and printer connectivity.
- Control language provides a wide-ranging discussion of programming topics, including a general discussion of objects and libraries, CL programming, controlling flow and communicating between programs, working with objects in CL programs, and creating CL programs. Other topics include predefined and impromptu messages and message handling, defining and creating user-defined commands and menus, and application testing, including debug mode, breakpoints, traces, and display functions. It also provides a description of all the iSeries control language (CL) and its i5/OS commands. The i5/OS commands are used to request functions of the i5/OS (5722-SS1) licensed program. All the non-i5/OS CL commands (those associated with the other licensed programs, including all the various languages and utilities) are described in other books that support those licensed programs.
- Programming provides information about many of the languages and utilities available on the iSeries. It contains summaries of:
  - All iSeries CL commands (in the i5/OS program and in all other licensed programs), in various forms.
  - Information related to CL commands, such as the error messages that can be monitored by each command, and the IBM-supplied files that are used by some commands.
  - IBM-supplied objects, including libraries.
  - IBM-supplied system values.
  - DDS keywords for physical, logical, display, printer, and ICF files.
  - REXX instructions and built-in functions.
  - Other languages (like RPG) and utilities (like SEU and SDA).
- Systems management includes information about performance data collection, system values management, and storage management.
- Database file concepts provides an overview of how to design, write, run, and test the statements of DB2 Query Manager and SQL Development Kit for i5/OS. It also describes interactive Structured Query Language (SQL), and provides examples of how to write SQL statements in COBOL, RPG, C, FORTRAN, and PL/I programs. It also provides information about how to:
  - Build, maintain, and run SQL queries
  - Create reports ranging from simple to complex
  - Build, update, manage, query, and report on database tables using a forms-based interface
  - Define and prototype SQL queries and reports for inclusion in application programs

Saving PDF files


To save a PDF on your workstation for viewing or printing:
1. Right-click the PDF in your browser (right-click the link above).
2. Click the option that saves the PDF locally.
3. Navigate to the directory in which you want to save the PDF.
4. Click Save.

Downloading Adobe Reader


You need Adobe Reader installed on your system to view or print these PDFs. You can download a free copy from the Adobe Web site (www.adobe.com/products/acrobat/readstep.html).


Appendix I. Notices
This information was developed for products and services offered in the U.S.A.

IBM may not offer the products, services, or features discussed in this document in other countries. Consult your local IBM representative for information on the products and services currently available in your area. Any reference to an IBM product, program, or service is not intended to state or imply that only that IBM product, program, or service may be used. Any functionally equivalent product, program, or service that does not infringe any IBM intellectual property right may be used instead. However, it is the user's responsibility to evaluate and verify the operation of any non-IBM product, program, or service.

IBM may have patents or pending patent applications covering subject matter described in this document. The furnishing of this document does not grant you any license to these patents. You can send license inquiries, in writing, to:

IBM Director of Licensing
IBM Corporation
North Castle Drive
Armonk, NY 10504-1785
U.S.A.

For license inquiries regarding double-byte (DBCS) information, contact the IBM Intellectual Property Department in your country or send inquiries, in writing, to:

Intellectual Property Licensing
Legal and Intellectual Property Law
IBM Japan, Ltd.
3-2-12, Roppongi, Minato-ku, Tokyo 106-8711

The following paragraph does not apply to the United Kingdom or any other country where such provisions are inconsistent with local law: INTERNATIONAL BUSINESS MACHINES CORPORATION PROVIDES THIS PUBLICATION "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF NON-INFRINGEMENT, MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. Some states do not allow disclaimer of express or implied warranties in certain transactions, therefore, this statement may not apply to you.

This information could include technical inaccuracies or typographical errors.
Changes are periodically made to the information herein; these changes will be incorporated in new editions of the publication. IBM may make improvements and/or changes in the product(s) and/or the program(s) described in this publication at any time without notice.

Any references in this information to non-IBM Web sites are provided for convenience only and do not in any manner serve as an endorsement of those Web sites. The materials at those Web sites are not part of the materials for this IBM product and use of those Web sites is at your own risk.

IBM may use or distribute any of the information you supply in any way it believes appropriate without incurring any obligation to you.

Licensees of this program who wish to have information about it for the purpose of enabling: (i) the exchange of information between independently created programs and other programs (including this one) and (ii) the mutual use of the information which has been exchanged, should contact:

IBM Corporation
Software Interoperability Coordinator, Department YBWA
3605 Highway 52 N
Rochester, MN 55901
U.S.A.

Such information may be available, subject to appropriate terms and conditions, including in some cases, payment of a fee.

The licensed program described in this information and all licensed material available for it are provided by IBM under terms of the IBM Customer Agreement, IBM International Program License Agreement, IBM License Agreement for Machine Code, or any equivalent agreement between us.

Any performance data contained herein was determined in a controlled environment. Therefore, the results obtained in other operating environments may vary significantly. Some measurements may have been made on development-level systems and there is no guarantee that these measurements will be the same on generally available systems. Furthermore, some measurements may have been estimated through extrapolation. Actual results may vary. Users of this document should verify the applicable data for their specific environment.

Information concerning non-IBM products was obtained from the suppliers of those products, their published announcements or other publicly available sources. IBM has not tested those products and cannot confirm the accuracy of performance, compatibility or any other claims related to non-IBM products. Questions on the capabilities of non-IBM products should be addressed to the suppliers of those products.

All statements regarding IBM's future direction or intent are subject to change or withdrawal without notice, and represent goals and objectives only.

All IBM prices shown are IBM's suggested retail prices, are current and are subject to change without notice. Dealer prices may vary.

This information is for planning purposes only. The information herein is subject to change before the products described become available.

This information contains examples of data and reports used in daily business operations. To illustrate them as completely as possible, the examples include the names of individuals, companies, brands, and products. All of these names are fictitious and any similarity to the names and addresses used by an actual business enterprise is entirely coincidental.

COPYRIGHT LICENSE:

This information contains sample application programs in source language, which illustrate programming techniques on various operating platforms. You may copy, modify, and distribute these sample programs in any form without payment to IBM, for the purposes of developing, using, marketing or distributing application programs conforming to the application programming interface for the operating platform for which the sample programs are written. These examples have not been thoroughly tested under all conditions. IBM, therefore, cannot guarantee or imply reliability, serviceability, or function of these programs. The sample programs are provided "AS IS", without warranty of any kind. IBM shall not be liable for any damages arising out of your use of the sample programs.

Each copy or any portion of these sample programs or any derivative work, must include a copyright notice as follows:

(your company name) (year). Portions of this code are derived from IBM Corp. Sample Programs. Copyright IBM Corp. _enter the year or years_. All rights reserved.


If you are viewing this information softcopy, the photographs and color illustrations may not appear.

Programming Interface Information


This Security reference publication documents intended Programming Interfaces that allow the customer to write programs to obtain the services of IBM i5/OS.

Trademarks
IBM, the IBM logo, and ibm.com are trademarks or registered trademarks of International Business Machines Corp., registered in many jurisdictions worldwide. Other product and service names might be trademarks of IBM or other companies. A current list of IBM trademarks is available on the Web at Copyright and trademark information at www.ibm.com/legal/copytrade.shtml.

Intel, Intel Inside (logos), MMX, and Pentium are trademarks of Intel Corporation in the United States, other countries, or both.

Microsoft, Windows, Windows NT, and the Windows logo are trademarks of Microsoft Corporation in the United States, other countries, or both.

Java and all Java-based trademarks are trademarks of Sun Microsystems, Inc. in the United States, other countries, or both.

Linux is a registered trademark of Linus Torvalds in the United States, other countries, or both.

UNIX is a registered trademark of The Open Group in the United States and other countries.

Other company, product, and service names may be trademarks or service marks of others.

Terms and conditions


Permissions for the use of these publications is granted subject to the following terms and conditions.

Personal Use: You may reproduce these publications for your personal, noncommercial use provided that all proprietary notices are preserved. You may not distribute, display or make derivative works of these publications, or any portion thereof, without the express consent of IBM.

Commercial Use: You may reproduce, distribute and display these publications solely within your enterprise provided that all proprietary notices are preserved. You may not make derivative works of these publications, or reproduce, distribute or display these publications or any portion thereof outside your enterprise, without the express consent of IBM.

Except as expressly granted in this permission, no other permissions, licenses or rights are granted, either express or implied, to the publications or any information, data, software or other intellectual property contained therein.

IBM reserves the right to withdraw the permissions granted herein whenever, in its discretion, the use of the publications is detrimental to its interest or, as determined by IBM, the above instructions are not being properly followed.

You may not download, export or re-export this information except in full compliance with all applicable laws and regulations, including all United States export laws and regulations.

IBM MAKES NO GUARANTEE ABOUT THE CONTENT OF THESE PUBLICATIONS. THE PUBLICATIONS ARE PROVIDED "AS-IS" AND WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED TO IMPLIED WARRANTIES OF MERCHANTABILITY, NON-INFRINGEMENT, AND FITNESS FOR A PARTICULAR PURPOSE.


Index

Special characters


(*Mgt) Management authority 132 (*Ref) Reference authority 132 (Display Link) command object authority required 395 (Move) command object authority required 398 *ADD (add) authority 132, 338 *ADOPTED (adopted) authority 156 *ADVANCED (advanced) assistance level 80 *ALL (all) authority 134, 339 *ALLOBJ user class authority 10 *ALLOBJ (all object) special authority added by system changing security levels 13 auditing 260 failed sign-on 201 functions allowed 85 removed by system changing security levels 13 restoring profile 249 risks 85 *ALRTBL (alert table) object auditing 501 *ASSIST Attention-key-handling program 104 *AUDIT (audit) special authority functions allowed 88 risks 88 *AUTFAIL (authority failure) audit level 270 *AUTHLR (authority holder) object auditing 502 *AUTL (authorization list) object auditing 501 *AUTLMGT (authorization list management) authority 132, 338 *BASIC (basic) assistance level 80 *BNDDIR (binding directory) object auditing 502 *BREAK (break) delivery mode user profile 102 *CFGL (configuration list) object auditing 503 *CHANGE (change) authority 134, 339 *CHRSF (Special Files) object auditing 503 *CHTFMT (chart format) object auditing 503 *CLD (C locale description) object auditing 504 *CLKWD (CL keyword) user option 106, 107, 108 *CLS (Class) object auditing 505 *CMD (command string) audit level 272 *CMD (Command) object auditing 505 *CNNL (connection list) object auditing 506 *COSD (class-of-service description) object auditing 507 *CREATE (create) audit level 272 *CRQD restoring audit journal (QAUDJRN) entry 277 *CRQD (change request description) object auditing 504 *CRQD change (CQ) file layout 587 *CSI (communications side information) object auditing 507 *CSPMAP (cross system product map) object auditing 507 *CSPTBL (cross system product table) object auditing 508 *CTLD (controller description) object auditing 508 *DELETE (delete) audit level 272 *DEVD (device description) object auditing 509 *DFT (default) delivery mode user 
profile 102 *DIR (directory) object auditing 510 *DISABLED (disabled) user profile status description 78 QSECOFR (security officer) user profile 78 *DLT (delete) authority 132, 338 *DOC (document) object auditing 514 *DTAARA (data area) object auditing 517 *DTADCT (data dictionary) object auditing 518 *DTAQ (data queue) object auditing 518 *EDTD (edit description) object auditing 519 *ENABLED (enabled) user profile status 78 *EXCLUDE (exclude) authority 133 *EXECUTE (execute) authority 132, 338 *EXITRG (exit registration) object auditing 519 *EXPERT (expert) user option 106, 107, 108, 160 *FCT (forms control table) object auditing 520 *FILE (file) object auditing 520 *FNTRSC (font resource) object auditing 524 *FORMDF (form definition) object auditing 524 *FTR (filter) object auditing 524 *GROUP (group) authority 156 *GSS (graphic symbols set) object auditing 525 *HLPFULL (full-screen help) user option 108 *HOLD (hold) delivery mode user profile 102 *IGCDCT (double-byte character set dictionary) object auditing 525 *IGCSRT (double-byte character set sort) object auditing 526 *IGCTBL (double-byte character set table) object auditing 526 *INTERMED (intermediate) assistance level 80 *IOSYSCFG (system configuration) special authority functions allowed 88 risks 88 *JOBCTL (job control) special authority functions allowed 86 output queue parameters 212 priority limit (PTYLMT) 95 risks 86 *JOBD (job description) object auditing 526 *JOBDTA (job change) audit level 273 *JOBQ (job queue) object auditing 527 *JOBSCD (job scheduler) object auditing 528 *JRN (journal) object auditing 528 *JRNRCV (journal receiver) object auditing 530 *LIB (library) object auditing 530 *LIND (line description) object auditing 531 *MENU (menu) object auditing 533 *Mgt (Management) authority 132 *MODD (mode description) object auditing 533 *MODULE (module) object auditing 533 *MSGF (message file) object auditing 534 *MSGQ (message queue) object auditing 535 *NODGRP (node group) object auditing 
536 *NODL (node list) object auditing 536 *NOSTSMSG (no status message) user option 108 *NOTIFY (notify) delivery mode user profile 102 *NTBD (NetBIOS description) object auditing 536 *NWID (network interface) object auditing 537 *NWSD (network server description) object auditing 538 *OBJALTER (object alter) authority 132, 338 *OBJEXIST (object existence) authority 132, 338 *OBJMGT (object management) audit level 275 *OBJMGT (object management) authority 132, 338 *OBJOPR (object operational) authority 132, 337


*OBJREF (object reference) authority 132, 338 *OFCSRV (office services) audit level 275, 512, 532 *OUTQ (output queue) object auditing 538 *OVL (overlay) object auditing 539 *PAGDFN (page definition) object auditing 540 *PAGSEG (page segment) object auditing 540 *PARTIAL (partial) limit capabilities 83 *PDG (print descriptor group) object auditing 540 *PGM (program) object 540 *PGMADP (adopted authority) audit level 275 *PGMFAIL (program failure) audit level 276 *PNLGRP (panel group) object auditing 542 *PRDAVL (product availability) object auditing 542 *PRDDFN (product definition) object auditing 543 *PRDLOD (product load) object auditing 543 *PRTDTA (printer output) audit level 276 *PRTMSG (printing message) user option 108 *QMFORM (query manager form) object auditing 543 *QMQRY (query manager query) object auditing 544 *QRYDFN (query definition) object auditing 544 *R (read) 134, 339 *RCT (reference code table) object auditing 545 *READ (read) authority 132, 338 *Ref (Reference) authority 132 *ROLLKEY (roll key) user option 108 *RW (read, write) 134, 339 *RWX (read, write, execute) 134, 339 *RX (read, execute) 134, 339 *S36 (S/36 machine description) object auditing 556 *S36 (System/36) special environment 89 *SAVRST (save/restore) audit level 276 *SAVSYS (save system) special authority *OBJEXIST authority 132, 338 description 256 functions allowed 86 removed by system changing security levels 13 risks 86 *SBSD (subsystem description) object auditing 546 *SCHIDX (search index) object auditing 547 *SECADM (security administrator) special authority 85 functions allowed 85 *SECURITY (security) audit level 280 *SERVICE (service tools) audit level 283

*SERVICE (service) special authority failed sign-on 201 functions allowed 87 risks 87 *SIGNOFF initial menu 82 *SOCKET (local socket) object auditing 548 *SPADCT (spelling aid dictionary) object auditing 550 *SPLCTL (spool control) special authority functions allowed 86 output queue parameters 213 risks 86 *SPLFDTA (spooled file changes) audit level 284, 550 *SQLPKG (SQL package) object auditing 552 *SRVPGM (service program) object auditing 552 *SSND (session description) object auditing 553 *STMF (stream file) object auditing 553 *STSMSG (status message) user option 108 *SVRSTG (server storage space) object 553 *SYNLNK (symbolic link) object auditing 555 *SYSMGT (systems management) audit level 284 *SYSTEM (system) domain 15 *SYSTEM (system) state 15 *TBL (table) object auditing 557 *TYPEAHEAD (type-ahead) keyboard buffering 94 *UPD (update) authority 132, 338 *USE (use) authority 134, 339 *USER (user) domain 15 *USER (user) state 15 *USRIDX (user index) object 19 *USRIDX (user index) object auditing 557 *USRPRF (user profile) object auditing 558 *USRQ (user queue) object 19 *USRQ (user queue) object auditing 559 *USRSPC (user space) object 19 *USRSPC (user space) object auditing 559 *VLDL (validation list) object auditing 560 *W (write) 134, 339 *WX (write, execute) 134, 339 *X (execute) 134, 339

A
access preventing unauthorized 262 unsupported interface 15 restricting console 258 workstations 258 access code object authority required for commands 447

access command (Determine File Accessibility) object auditing 510 access control list changing audit journal (QAUDJRN) entry 282 access control list change (VA) journal entry type 282 access path recovery action auditing 500 object authority required for commands 348 accessx command (Determine File Accessibility) object auditing 510 account limit exceeded audit journal (QAUDJRN) entry 284 account limit exceeded (VL) file layout 681 account limit exceeded (VL) journal entry type 284 accounting code (ACGCDE) parameter changing 100 user profile 100 Accumulating Special Authorities 240 ACGCDE (accounting code) parameter changing 100 user profile 100 action auditing access path recovery 500 definition 263 Directory Server 512 mail services 532 office services 532 planning 263 reply list 546 spooled files 550 action auditing (AUDLVL) parameter user profile 113 action to spooled file (SF) file layout 664 action to system value (SV) file layout 678 action when sign-on attempts reached (QMAXSGNACN) system value description 30 value set by CFGSYSSEC command 714 activating security auditing function 290 user profile 705 active profile list changing 705 AD (auditing change) file layout 568 AD (auditing change) journal entry type 280 add (*ADD) authority 132, 338 Add Authorization List Entry (ADDAUTLE) command 167, 309 Add Directory Entry (ADDDIRE) command 314 Add Document Library Object Authority (ADDDLOAUT) command 313


Add Job Schedule Entry (ADDJOBSCDE) command SECBATCH menu 708 Add Kerberos Keytab Entry (ADDKRBKTE) command object authority required 420 Add Kerberos Ticket (ADDKRBTKT) command object authority required 420 Add Library List Entry (ADDLIBLE) command 207, 210 Add User display sample 118 ADDACC (Add Access Code) command object auditing 517 object authority required 447 ADDAJE (Add Autostart Job Entry) command object auditing 546 object authority required 481 ADDALRACNE (Add Alert Action Entry) command object auditing 524 object authority required 386 ADDALRD (Add Alert Description) command object auditing 501 object authority required 350 ADDALRSLTE (Add Alert Selection Entry) command object auditing 524 object authority required 386 ADDASPCPYD command authorized IBM-supplied user profiles 325 ADDAUTLE (Add Authorization List Entry) command description 309 object auditing 501 object authority required 352 using 167 ADDBKP (Add Breakpoint) command object authority required 461 ADDBNDDIRE (Add Binding Directory Entry) command object auditing 502 object authority required 353 ADDBSCDEVE (Add BSC Device Entry) command object auditing 521 ADDCADMRE command authorized IBM-supplied user profiles 325 object authority required 355 ADDCADNODE command authorized IBM-supplied user profiles 325 object authority required 355 ADDCFGLE (Add Configuration List Entries) command object auditing 503 object authority required 362 ADDCKMKSFE command object authority required 365 ADDCLUMON command authorized IBM-supplied user profiles 325

ADDCLUMON command (continued) object authority required 355 ADDCLUNODE command authorized IBM-supplied user profiles 325 object authority required 355 ADDCMDCRQA (Add Command Change Request Activity) command authorized IBM-supplied user profiles 325 object auditing 504 object authority required 353 ADDCMNDEVE (Add Communications Device Entry) command object auditing 521 ADDCMNE (Add Communications Entry) command object auditing 546 object authority required 481 ADDCNNLE (Add Connection List Entry) command object auditing 506 ADDCOMSNMP (Add Community for SNMP) command object authority required 488 ADDCRGDEVE command authorized IBM-supplied user profiles 325 object authority required 355 ADDCRGNODE command authorized IBM-supplied user profiles 325 object authority required 355 ADDCRSDMNK (Add Cross Domain Key) command authorized IBM-supplied user profiles 325 ADDDEVDMNE command authorized IBM-supplied user profiles 325 object authority required 355 ADDDIRE (Add Directory Entry) command description 314 object authority required 369 ADDDIRSHD (Add Directory Shadow System) command object authority required 369 ADDDLOAUT (Add Document Library Object Authority) command description 313 object auditing 515 object authority required 372 ADDDSPDEVE (Add Display Device Entry) command object auditing 521 ADDDSTLE (Add Distribution List Entry) command object authority required 372 ADDDSTQ (Add Distribution Queue) command authorized IBM-supplied user profiles 325 object authority required 371

ADDDSTRTE (Add Distribution Route) command authorized IBM-supplied user profiles 325 object authority required 371 ADDDSTSYSN (Add Distribution Secondary System Name) command authorized IBM-supplied user profiles 325 object authority required 371 ADDDTADFN (Add Data Definition) command object authority required 408 ADDDWDFN command authorized IBM-supplied user profiles 325 ADDEMLCFGE (Add Emulation Configuration Entry) command object authority required 368 ADDENVVAR (Add Environment Variable) command object authority required 378 ADDEWCBCDE (Add Extended Wireless Controller Bar Code Entry) command object authority required 379 ADDEWCM (Add Extended Wireless Controller Member) command object authority required 379 ADDEWCPTCE (Add Extended Wireless Controller PTC Entry) command object authority required 379 ADDEWLM (Add Extended Wireless Line Member) command object authority required 379 ADDEXITPGM (Add Exit Program) command authorized IBM-supplied user profiles 325 object auditing 519 object authority required 467 ADDFCTE (Add Forms Control Table Entry) command object authority required 468 ADDFNTTBLE (Add DBCS Font Table Entry) object authority required for commands 349 ADDICFDEVE (Add Intersystem Communications Function Program Device Entry) command object auditing 521 object authority required 379 ADDIMGCLGE command object authority required 389 adding authorization list entries 167, 309 objects 167 users 167, 309 directory entry 314 document library object (DLO) authority 313 library list entry 207, 210 server authentication entry 314 user authority 161 user profiles 118


ADDIPSIFC (Add IP over SNA Interface) command object authority required 350 ADDIPSLOC (Add IP over SNA Location Entry) command object authority required 350 ADDIPSRTE (Add IP over SNA Route) command object authority required 350 ADDJOBQE (Add Job Queue Entry) command object auditing 527, 546 object authority required 481 ADDJOBSCDE (Add Job Schedule Entry) command object auditing 528 object authority required 415 SECBATCH menu 708 ADDJWDFN command authorized IBM-supplied user profiles 325 ADDLANADPI (Add LAN Adapter Information) command object authority required 435 ADDLFM (Add Logical File Member) command object auditing 521 object authority required 379 ADDLIBLE (Add Library List Entry) command 207, 210 object authority required 428 ADDLICKEY (Add License Key) command object authority required 432 ADDLNK (Add Link) command object auditing 548, 553 object authority required 390 ADDMFS (Add Mounted File System) command authorized IBM-supplied user profiles 325 object authority required 489 ADDMFS (Add Mounted File System) command) command object authority required 443 ADDMSGD (Add Message Description) command object auditing 534 object authority required 439 ADDMSTPART command authorized IBM-supplied user profiles 325 object authority required 365 ADDNETJOBE (Add Network Job Entry) command authorized IBM-supplied user profiles 325 object authority required 442 ADDNETTBLE (Add Network Table Entry) command object authority required 488 ADDNODLE (Add Node List Entry) command object auditing 536 object authority required 447

ADDNWSSTGL (Add Network Server Storage Link) command object authority required 444 ADDOBJCRQA (Add Object Change Request Activity) command authorized IBM-supplied user profiles 326 object auditing 504 object authority required 353 ADDOFCENR (Add Office Enrollment) command object auditing 515 ADDOPTCTG (Add Optical Cartridge) command authorized IBM-supplied user profiles 326 object authority required 449 ADDOPTSVR (Add Optical Server) command authorized IBM-supplied user profiles 326 object authority required 449 ADDPCST (Add Physical File Constraint) command object authority required 379 ADDPEXDFN () command authorized IBM-supplied user profiles 326 ADDPEXDFN (Add Performance Explorer Definition) command object authority required 453 ADDPEXFTR () command authorized IBM-supplied user profiles 326 ADDPFCST (Add Physical File Constraint) command object auditing 521 ADDPFM (Add Physical File Member) command object auditing 521 object authority required 379 ADDPFTRG (Add Physical File Trigger) command object auditing 521 object authority required 380 ADDPFVLM (Add Physical File Variable-Length Member) command object auditing 521 ADDPGM (Add Program) command object authority required 461 ADDPJE (Add Prestart Job Entry) command object auditing 546 object authority required 481 ADDPRBACNE (Add Problem Action Entry) command object auditing 524 object authority required 386, 460 ADDPRBSLTE (Add Problem Selection Entry) command object auditing 524 object authority required 386, 460 ADDPRDCRQA (Add Product Change Request Activity) command authorized IBM-supplied user profiles 326 object auditing 504

ADDPRDCRQA (Add Product Change Request Activity) command (continued) object authority required 353 ADDPRDLICI (Add Product License Information) command object auditing 543 ADDPTFCRQA (Add PTF Change Request Activity) command authorized IBM-supplied user profiles 326 object auditing 504 object authority required 353 ADDRDBDIRE (Add Relational Database Directory Entry) command object authority required 467 ADDRJECMNE (Add RJE Communications Entry) command object authority required 468 ADDRJERDRE (Add RJE Reader Entry) command object authority required 468 ADDRJEWTRE (Add RJE Writer Entry) command object authority required 469 ADDRMTJRN (Add Remote Journal) command object auditing 529 ADDRMTSVR (Add Remote Server) command object authority required 445 ADDRPYLE (Add Reply List Entry) command authorized IBM-supplied user profiles 326 object auditing 546 object authority required 484 ADDRSCCRQA (Add Resource Change Request Activity) command authorized IBM-supplied user profiles 326 object auditing 504 object authority required 353 ADDRTGE (Add Routing Entry) command object auditing 546 object authority required 481 ADDSCHIDXE (Add Search Index Entry) command object auditing 542, 547 object authority required 409 ADDSOCE (Add Sphere of Control Entry) command object authority required 478 ADDSRVTBLE (Add Service Table Entry) command object authority required 488 ADDSVRAUTE (Add Server Authentication Entry) command object authority required 473 ADDTAPCTG (Add Tape Cartridge) command object authority required 436 ADDTCPHTE (Add TCP/IP Host Table Entry) command object authority required 488


ADDTCPIFC (Add TCP/IP Interface) command object authority required 488 ADDTCPPORT (Add TCP/IP Port Entry) command object authority required 488 ADDTCPRSI (Add TCP/IP Remote System Information) command object authority required 488 ADDTCPRTE (Add TCP/IP Route) command object authority required 488 ADDTRC (Add Trace) command object authority required 461 ADDTRCFTR authorized IBM-supplied user profiles 326 ADDWSE (Add Workstation Entry) command object auditing 546 object authority required 481 adopted authority displaying 156 adopted (*ADOPTED) authority 156 adopted authority *PGMADP (program adopt) audit level 275 AP (adopted authority) file layout 577 AP (adopted authority) journal entry type 275 application design 230, 232, 233 Attention (ATTN) key 150 audit journal (QAUDJRN) entry 275, 577 auditing 261 authority checking example 190, 192 bound programs 151 break-message-handling program 150 changing audit journal (QAUDJRN) entry 281 authority required 151 job 151 creating program 151 debug functions 150 definition 149 displaying command description 312 critical files 236 programs that adopt a profile 151 USRPRF parameter 151 example 230, 232, 233 flowchart 182 group authority 150 ignoring 152, 232 job initiation 200 library security 136 object ownership 151 printing list of objects 709 purpose 149 recommendations 152 restoring programs changes to ownership and authority 253

adopted authority (continued) risks 152 service programs 151 special authority 150 system request function 150 transferring to group job 150 adopting owners authority 261 ADSM (QADSM) user profile 319 advanced (*ADVANCED) assistance level 74, 80 advanced function printing (AFP) object authority required for commands 349 AF (authority failure) file layout 571 AF (authority failure) journal entry type default sign-on violation 16 description 270, 276 hardware protection violation 17 job description violation 16 program validation 17, 18 restricted instruction 18 unsupported interface 16, 18 AF_INET sockets over SNA object authority required for commands 350 AFDFTUSR (QAFDFTUSR) user profile 319 AFOWN (QAFOWN) user profile 319 AFP (Advanced Function Printing) object authority required for commands 349 AFUSR (QAFUSR) user profile 319 ALCOBJ (Allocate Object) command object auditing 499 object authority required 341 alert object authority required for commands 350 alert description object authority required for commands 350 alert table object authority required for commands 350 alert table (*ALRTBL) object auditing 501 all (*ALL) authority 134, 339 all object (*ALLOBJ) special authority added by system changing security levels 13 auditing 260 failed sign-on 201 functions allowed 85 removed by system changing security levels 13 restoring profile 249 risks 85 all-numeric password 76 allow limited user (ALWLMTUSR) parameter Change Command (CHGCMD) command 83 Create Command (CRTCMD) command 83 limit capabilities 83 allow object difference (ALWOBJDIF) parameter 250

allow object restore (QALWOBJRST) system value value set by CFGSYSSEC command 714 allow object restore option (QALWOBJRST) system value 44 allow remote sign-on (QRMTSIGN) system value value set by CFGSYSSEC command 714 allow user objects (QALWUSRDMN) system value 20, 25 allowed function limit capabilities (LMTCPB) 83 allowing users to change passwords 259 alter service function *SERVICE (service) special authority 87 ALWLMTUSR (allow limited user) parameter Change Command (CHGCMD) command 83 Create Command (CRTCMD) command 83 limit capabilities 83 ALWOBJDIF (allow object difference) parameter 250 Analyze Default Passwords (ANZDFTPWD) command description 705 Analyze Profile Activity (ANZPRFACT) command creating exempt users 705 description 705 analyzing audit journal entries, methods 295 object authority 303 program failure 303 user profile by special authorities 709 by user class 709 user profiles 301 ANSLIN (Answer Line) command object auditing 531 ANSQST (Answer Questions) command authorized IBM-supplied user profiles 326 object authority required 466 ANZBESTMDL authorized IBM-supplied user profiles 326 ANZBESTMDL (Analyze BEST/1 Model) command object authority required 454 ANZCMDPFR command authorized IBM-supplied user profiles 326 object authority required 454 ANZDBF authorized IBM-supplied user profiles 326 ANZDBF (Analyze Database File) command object authority required 454


ANZDBFKEY authorized IBM-supplied user profiles 326 ANZDBFKEY (Analyze Database File Keys) command object authority required 454 ANZDFTPWD (Analyze Default Password) command object authority required 490 ANZDFTPWD (Analyze Default Passwords) command authorized IBM-supplied user profiles 326 description 705 ANZJVM authorized IBM-supplied user profiles 326 ANZJVM command object authority required 409 ANZOBJCVN authorized IBM-supplied user profiles 326 ANZOBJCVN command object authority required 341 ANZPFRDT2 (Analyze Performance Data) command object authority required 454 ANZPFRDTA authorized IBM-supplied user profiles 326 ANZPFRDTA (Analyze Performance Data) command object authority required 454 ANZPGM (Analyze Program) command object auditing 541 object authority required 454 ANZPRB (Analyze Problem) command authorized IBM-supplied user profiles 326 object authority required 460 ANZPRFACT authorized IBM-supplied user profiles 326 ANZPRFACT (Analyze Profile Activity) command creating exempt users 705 description 705 object authority required 490 ANZQRY (Analyze Query) command object auditing 544 object authority required 464 ANZS34OCL (Analyze System/34 OCL) command authorized IBM-supplied user profiles 326 object authority required 440 ANZS34OCL (Analyze System/36 OCL) command object authority required 440 ANZS36OCL (Analyze System/36 OCL) command authorized IBM-supplied user profiles 326 ANZUSROBJ command object authority required 341 AP (adopted authority) file layout 577

AP (adopted authority) journal entry type 275 API (application programming interface) security level 40 15 application design adopted authority 230, 233 general security recommendations 220 ignoring adopted authority 232 libraries 225 library lists 226 menus 228 profiles 226 Application development commands 351 application programming interface (API) security level 40 15 APPN directory (ND) file layout 629 APPN end point (NE) file layout 630 approval program, password 60, 61, 62 approving password 60 APYJRNCHG (Apply Journaled Changes) command authorized IBM-supplied user profiles 326 object auditing 498, 529 object authority required 415 APYJRNCHGX (Apply Journal Changes Extend) command object auditing 521, 529 APYPTF (Apply Program Temporary Fix) command authorized IBM-supplied user profiles 326 object authority required 473 APYRMTPTF (Apply Remote Program Temporary Fix) command authorized IBM-supplied user profiles 326 ASKQST (Ask Question) command object authority required 466 assistance level advanced 74, 80 basic 74, 80 definition 74 example of changing 80 intermediate 74, 80 stored with user profile 80 user profile 80 ASTLVL (assistance level) parameter user profile 80 ATNPGM (Attention-key-handling program) parameter user profile 104 Attention (ATTN) key adopted authority 150 Attention (ATTN) key buffering 93 Attention-key-handling program *ASSIST 104 changing 104 initial program 104 job initiation 200 QATNPGM system value 104 QCMD command processor 104 QEZMAIN program 104 setting 104 user profile 104

attribute change (AU) file layout 577 AU (attribute change) file layout 577 audit (*AUDIT) special authority functions allowed 88 risks 88 audit (QAUDJRN) journal 497, 643 AD (auditing change) entry type 280 AD (auditing change) file layout 568 AF (authority failure) entry type 276 default sign-on violation 16 description 270 hardware protection violation 17 job description violation 16 program validation 18 restricted instruction violation 18 unsupported interface 16 unsupported interface violation 18 AF (authority failure) file layout 571 analyzing with query 296 AP (adopted authority) entry type 275 AP (adopted authority) file layout 577 AU (attribute change) file layout 577 auditing level (QAUDLVL) system value 67 auditing level extension (QAUDLVL2) system value 69 automatic cleanup 293 CA (authority change) entry type 280 CA (authority change) file layout 578 CD (command string) entry type 272 CD (command string) file layout 581 changing receiver 294 CO (create object) entry type 144, 272 CO (create object) file layout 582 CP (user profile change) entry type 277 CP (user profile change) file layout 584 CQ (*CRQD change) file layout 587 CQ (change *CRQD object) entry type 277 creating 291 CU (Cluster Operations) file layout 587 CV (connection verification) file layout 589 CY (cryptographic configuration) file layout 591 damaged 292 detaching receiver 293, 294 DI (Directory Server) file layout 594 displaying entries 263, 295 DO (delete operation) entry type 272 DO (delete operation) file layout 599 DS (DST password reset) entry type 277 DS (IBM-Supplied Service Tools User ID Reset) file layout 601 error conditions 66 EV (Environment variable) file layout 602 force level 66

audit (QAUDJRN) journal (continued) GR (generic record) file layout 603 GS (give descriptor) entry type 281 GS (give descriptor) file layout 608 introduction 262 IP (change ownership) entry type 281 IP (interprocess communication actions) file layout 612 IP (interprocess communications) entry type 271 IR (IP rules actions) file layout 613 IS (Internet security management) file layout 615 JD (job description change) entry type 281 JD (job description change) file layout 617 JS (job change) entry type 273 JS (job change) file layout 618 KF (key ring file) file layout 623 LD (link, unlink, search directory) file layout 626 managing 292 methods for analyzing 295 ML (mail actions) entry type 275 ML (mail actions) file layout 628 NA (network attribute change) entry type 281 NA (network attribute change) file layout 628 ND (APPN directory) file layout 629 NE (APPN end point) file layout 630 O1 (optical access) file layout 640, 641 O3 (optical access) file layout 642 OM (object management) entry type 275 OM (object management) file layout 630 OR (object restore) entry type 276 OR (object restore) file layout 634 OW (ownership change) entry type 281 OW (ownership change) file layout 638 PA (program adopt) entry type 281 PG (primary group change) entry type 281 PG (primary group change) file layout 645 PO (printed output) entry type 276 PO (printer output) file layout 648 PS (profile swap) entry type 281 PS (profile swap) file layout 649 PW (password) entry type 271 PW (password) file layout 651 RA (authority change for restored object) entry type 276 RA (authority change for restored object) file layout 652 receiver storage threshold 293 RJ (restoring job description) entry type 276 RJ (restoring job description) file layout 654

audit (QAUDJRN) journal (continued) RO (ownership change for restored object) entry type 276 RO (ownership change for restored object) file layout 655 RP (restoring programs that adopt authority) entry type 276 RP (restoring programs that adopt authority) file layout 657 RQ (restoring *CRQD object that adopts authority) file layout 659 RQ (restoring *CRQD object) entry type 277 RU (restore authority for user profile) entry type 277 RU (restore authority for user profile) file layout 659 RZ (primary group change for restored object) entry type 277 RZ (primary group change for restored object) file layout 660 SD (change system distribution directory) entry type 275 SD (change system distribution directory) file layout 662 SE (change of subsystem routing entry) entry type 282 SE (change of subsystem routing entry) file layout 663 SF (action to spooled file) file layout 664 SF (change to spooled file) entry type 284 SG file layout 668, 669 SM (systems management change) entry type 284 SM (systems management change) file layout 671 SO (server security user information actions) file layout 672 ST (service tools action) entry type 283 ST (service tools action) file layout 673 stopping 295 SV (action to system value) entry type 282 SV (action to system value) file layout 678 system entries 292 VA (access control list change) entry type 282 VA (changing access control list) file layout 679 VC (connection start and end) file layout 679 VC (connection start or end) entry type 273 VF (close of server files) file layout 680 VL (account limit exceeded) entry type 284 VL (account limit exceeded) file layout 681 VN (network log on and off) file layout 682

audit (QAUDJRN) journal (continued) VN (network log on or off) entry type 273 VO (validation list) file layout 683 VP (network password error) entry type 271 VP (network password error) file layout 684 VR (network resource access) file layout 685 VS (server session) entry type 273 VS (server session) file layout 686 VU (network profile change) entry type 282 VU (network profile change) file layout 687 VV (service status change) entry type 283 VV (service status change) file layout 688 X0 (kerberos authentication) file layout 689 YC (change to DLO object) file layout 696 YR (read of DLO object) file layout 697 ZC (change to object) file layout 698 ZR (read of object) file layout 701 audit control (QAUDCTL) system value changing 315, 707 displaying 315, 707 audit function activating 290 starting 290 stopping 295 audit journal displaying entries 315 printing entries 709 working with 294 audit journal receiver creating 291 deleting 294 naming 291 saving 294 audit level (AUDLVL) parameter *AUTFAIL (authority failure) value 270 *CMD (command string) value 272 *CREATE (create) value 272 *DELETE (delete) value 272 *JOBDTA (job change) value 273 *OBJMGT (object management) value 275 *OFCSRV (office services) value 275 *PGMADP (adopted authority) value 275 *PGMFAIL (program failure) value 276 *SAVRST (save/restore) value 276 *SECURITY (security) value 280 *SERVICE (service tools) value 283 *SPLFDTA (spooled file changes) value 284 *SYSMGT (systems management) value 284 changing 127

audit level (QAUDLVL) system value *AUTFAIL (authority failure) value 270 *CREATE (create) value 272 *DELETE (delete) value 272 *JOBDTA (job change) value 273 *OBJMGT (object management) value 275 *OFCSRV (office services) value 275 *PGMADP (adopted authority) value 275 *PGMFAIL (program failure) value 276 *PRTDTA (printer output) value 276 *SAVRST (save/restore) value 276 *SECURITY (security) value 280 *SERVICE (service tools) value 283 *SPLFDTA (spooled file changes) value 284 *SYSMGT (systems management) value 284 changing 292, 315, 707 displaying 315, 707 purpose 263 user profile 113 auditing 290, 497 *ALLOBJ (all object) special authority 260 *AUDIT (audit) special authority 88 abnormal end 66 access path recovery 500 actions 263 activating 290 adopted authority 261 authority user profiles 261 authorization 261 changing command description 310, 313 checklist for 257 communications 262 controlling 65 Directory Server 512 encryption of sensitive data 262 ending 65 error conditions 66 group profile *ALLOBJ (all object) special authority 260 membership 260 password 259 IBM-supplied user profiles 258 inactive users 260 job descriptions 261 library lists 261 limit capabilities 260 mail services 532 methods 299 network attributes 262 object default 288 planning 286 object authority 303 object integrity 304 office services 532 overview 257 password controls 259

auditing (continued) physical security 258 planning overview 263 system values 288 program failure 303 programmer authorities 260 QTEMP objects 290 remote sign-on 262 reply list 546 save operations 256 security officer 305 sensitive data authority 261 encrypting 262 setting up 290 sign-on without user ID and password 261 spooled files 550 starting 290 steps to start 290 stopping 65, 295 system values 64, 258, 288 unauthorized access 262 unauthorized programs 262 unsupported interfaces 262 user profile *ALLOBJ (all object) special authority 260 administration 260 using journals 300 QHST (history) log 299 QSYSMSG message queue 262 working on behalf 532 working with user 127 auditing change (AD) file layout 568 auditing change (AD) journal entry type 280 auditing control (QAUDCTL) system value overview 65 auditing end action (QAUDENDACN) system value 66, 289 auditing force level (QAUDFRCLVL) system value 66, 288 auditing level (QAUDLVL) system value 67 auditing level extension (QAUDLVL2) system value 69 AUDLVL (audit level) parameter *CMD (command string) value 272 user profile 113 AUT (authority) parameter creating libraries 157 creating objects 158 specifying authorization list (*AUTL) 166 user profile 112 AUTCHK (authority to check) parameter 212 authentication digital ID 116 Authorities, Accumulating Special 240 authorities, field 136 Authorities, Special 240 authority 169

authority (continued) *ADD (add) 132, 338 *ALL (all) 134, 339 *ALLOBJ (all object) special authority 85 *AUDIT (audit) special authority 88 *AUTLMGT (authorization list management) 132, 139, 338 *CHANGE (change) 134, 339 *DLT (delete) 132, 338 *EXCLUDE (exclude) 133 *EXECUTE (execute) 132, 338 *IOSYSCFG (system configuration) special authority 88 *JOBCTL (job control) special authority 86 *Mgt 132 *OBJALTER (object alter) 132, 338 *OBJEXIST (object existence) 132, 338 *OBJMGT (object management) 132, 338 *OBJOPR (object operational) 132, 337 *OBJREF (object reference) 132, 338 *R (read) 134, 339 *READ (read) 132, 338 *Ref (Reference) 132 *RW (read, write) 134, 339 *RWX (read, write, execute) 134, 339 *RX (read, execute) 134, 339 *SAVSYS (save system) special authority 86 *SECADM (security administrator) special authority 85 *SERVICE (service) special authority 87 *SPLCTL (spool control) special authority 86 *UPD (update) 132, 338 *USE (use) 134, 339 *W (write) 134, 339 *WX (write, execute) 134, 339 *X (execute) 134, 339 adding users 161 adopted 577 application design 230, 232, 233 audit journal (QAUDJRN) entry 275 auditing 303 authority checking example 190, 192 displaying 156, 236 ignoring 232 purpose 149 assigning to new object 145 authorization for changing 159 authorization list format on save media 247 management (*AUTLMGT) 132, 338 stored on save media 247 storing 247 changing 578 audit journal (QAUDJRN) entry 280 command description 310 procedures 159

authority (continued) checking 169 batch job initiation 200 interactive job initiation 199 sign-on process 199 commonly used subsets 133 copying command description 311 example 121 recommendations 165 renaming profile 127 data definition 132 definition 132 deleting user 161 detail, displaying (*EXPERT user option) 106, 107, 108 directory 5 displaying command description 310 displaying detail (*EXPERT user option) 106, 107, 108 displays 154 field definition 132 group displaying 156 example 187, 191 holding when deleting file 153 ignoring adopted 152 introduction 5 library 5 Management authority *Mgt(*) 132 multiple objects 162 new object CRTAUT (create authority) parameter 139, 157 example 145 GRPAUT (group authority) parameter 98, 143 GRPAUTTYP (group authority type) parameter 98 QCRTAUT (create authority) system value 26 QUSEADPAUT (use adopted authority) system value 35 object *ADD (add) 132, 338 *DLT (delete) 132, 338 *EXECUTE (execute) 132, 338 *OBJEXIST (object existence) 132, 338 *OBJMGT (object management) 132, 338 *OBJOPR (object operational) 132, 337 *READ (read) 132, 338 *Ref (Reference) 132 *UPD (update) 132, 338 definition 132 exclude (*EXCLUDE) 133 format on save media 247 stored on save media 247 storing 246 object alter (*OBJALTER) 132, 338 object reference (*OBJREF) 132, 338

authority (continued) primary group 131, 144 example 187 working with 124 private definition 131 restoring 245, 250 saving 245 public definition 131 example 189, 191 restoring 245, 250 saving 245 referenced object using 165 removing user 161 restoring audit journal (QAUDJRN) entry 277 command description 312 description of process 252 overview of commands 245 procedure 251 special (SPCAUT) authority parameter 84 storing authorization list 247 with object 246 with user profile 246 system-defined subsets 133 user profile format on save media 247 stored on save media 247 storing 246 user-defined 160 using generic to grant 162 working with command description 310 authority (AUT) parameter creating libraries 157 creating objects 158 specifying authorization list (*AUTL) 166 user profile 112 authority cache private authorities 197 authority change (CA) file layout 578 authority change (CA) journal entry type 280 authority change for restored object (RA) file layout 652 authority change for restored object (RA) journal entry type 276 authority checking 169 adopted authority example 190, 192 flowchart 182 authorization list example 193 group authority example 187, 191 owner authority flowchart 175 primary group example 187 private authority flowchart 174

authority checking (continued) public authority example 189, 191 flowchart 181 sequence 169 authority failure audit journal (QAUDJRN) entry 276 default sign-on violation 16 device description 201 hardware protection violation 17 job description violation 16 job initiation 199 program validation 17, 18 restricted instruction 18 sign-on process 199 unsupported interface 16, 18 authority failure (*AUTFAIL) audit level 270 authority failure (AF) file layout 571 authority failure (AF) journal entry type 270 description 276 authority holder automatically created 154 commands for working with 309, 314 creating 153, 309, 314 deleting 154, 309 description 153 displaying 153, 309 maximum storage limit exceeded 145 object auditing 502 object authority required for commands 352 printing 315 restoring 245 risks 154 saving 245 System/36 migration 154 authority profile (QAUTPROF) user profile 319 authority table 248 authority, object 303 authorization auditing 261 authorization list adding entries 167, 309 objects 167 users 167 authority changing 167 storing 247 authority checking example 193 changing entry 309 comparison group profile 241 creating 166, 309 damaged 254 deleting 169, 309 description 138 displaying document library objects (DLO) 313 objects 168, 309

authorization list (continued) displaying (continued) users 309 document library object (DLO) displaying 313 editing 167, 309 entry adding 167 group profile comparison 241 introduction 5 management (*AUTLMGT) authority 132, 139, 338 object auditing 501 object authority required for commands 352 printing authority information 709 QRCLAUTL (reclaim storage) 255 reclaim storage (QRCLAUTL) 255 recovering damaged 254 removing entries 309 objects 169 users 167, 309 restoring association with object 250 description of process 254 overview of commands 245 retrieving entries 309 saving 245 securing IBM-supplied objects 139 securing objects 167 set up 168 storing authority 247 user adding 167 working with 309 Authorization lists advantages 166 planning 166 authorization methods combining example 195 authorized IBM-supplied user profiles 328, 336 authorized user displaying 311 AUTOCFG (automatic device configuration) value 37 automatic configuration (QAUTOCFG) system value value set by CFGSYSSEC command 714 automatic configuration of virtual devices (QAUTOVRT) system value 37 automatic creation user profile 73 automatic device configuration (AUTOCFG) value 37 automatic device configuration (QAUTOCFG) system value overview 37 automatic install (QLPAUTO) user profile default values 319

automatic virtual-device configuration (QAUTOVRT) system value value set by CFGSYSSEC command 714 availability 1

B
backing up security information 245 backup object authority required for commands 448 backup media protecting 258 basic (*BASIC) assistance level 74, 80 basic service (QSRVBAS) user profile authority to console 203 default values 319 batch restricting jobs 218 batch job *SPLCTL (spool control) special authority 86 priority 95 security when starting 199, 200 BCHJOB (Batch Job) command object authority required 410 binding directory object authority required for commands 353 binding directory object auditing 502 block password change QPWDCHGBLK system value 47 requiring change (QPWDCHGBLK system value) 47 bound program adopted authority 151 definition 151 break (*BREAK) delivery mode user profile 102 break-message-handling program adopted authority 150 BRM (QBRMS) user profile 319 buffering Attention key 93 keyboard 93

C
C locale description (*CLD) auditing 504 CA (authority change) file layout 578 CA (authority change) journal entry type 280 CALL (Call Program) command object authority required 461 transferring adopted authority 150 Call Program (CALL) command transferring adopted authority 150 call-level interface security level 40 15

calling program transferring adopted authority 150 canceling audit function 295 cartridge object authority required for commands 436 CCSID (coded character set identifier) parameter user profile 106 CD (command string) file layout 581 CD (command string) journal entry type 272 CFGDSTSRV (Configure Distribution Services) command authorized IBM-supplied user profiles 326 object authority required 371 CFGIPS (Configure IP over SNA Interface) command object authority required 350 CFGRPDS (Configure VM/MVS Bridge) command authorized IBM-supplied user profiles 326 object authority required 371 CFGSYSSEC (Configure System Security) command authorized IBM-supplied user profiles 326 description 316, 713 object authority required 472 CFGTCP (Configure TCP/IP) command object authority required 488 CFGTCPAPP (Configure TCP/IP Applications) command object authority required 488 CFGTCPLPD (Configure TCP/IP LPD) command object authority required 488 CFGTCPSMTP (Configure TCP/IP SMTP) command object authority required 488 CFGTCPTELN (Change TCP/IP TELNET) command object authority required 488 change password (QPWDCHGBLK system value) 47 change (*CHANGE) authority 134, 339 change *CRQD object (CQ) journal entry type 277 Change Accounting Code (CHGACGCDE) command 100 Change Activation Schedule Entry (CHGACTSCDE) command description 705 Change Active Profile List (CHGACTPRFL) command description 705 Change Auditing (CHGAUD) command description 310, 313 using 127 Change Authority (CHGAUT) command 159, 310

Change Authorization List Entry (CHGAUTLE) command description 309 using 167 Change Command (CHGCMD) command ALWLMTUSR (allow limited user) parameter 83 PRDLIB (product library) parameter 210 security risks 210 Change Command Default (CHGCMDDFT) command 235 Change Current Library (CHGCURLIB) command restricting 210 Change Dedicated Service Tools Password (CHGDSTPWD) command 311 Change Directory Entry (CHGDIRE) command 314 Change Document Library Object Auditing (CHGDLOAUD) command *AUDIT (audit) special authority 88 description 313 QAUDCTL (Auditing Control) system value 65 Change Document Library Object Authority (CHGDLOAUT) command 313 Change Document Library Object Owner (CHGDLOOWN) command 313 Change Document Library Object Primary (CHGDLOPGP) command description 313 Change Expiration Schedule Entry (CHGEXPSCDE) command description 705 Change Job (CHGJOB) command adopted authority 151 Change Journal (CHGJRN) command 293, 294 Change Kerberos Password (CHGKRBPWD) command object authority required 420 Change Library List (CHGLIBL) command 207 Change Library Owner (CHGLIBOWN) tool 242 Change Menu (CHGMNU) command PRDLIB (product library) parameter 210 security risks 210 Change Network Attributes (CHGNETA) command 214 Change Node Group Attributes (Change Node Group Attributes) command object auditing 536 Change Object Auditing (CHGOBJAUD) command *AUDIT (audit) special authority 88 description 310, 313 QAUDCTL (Auditing Control) system value 65 Change Object Owner (CHGOBJOWN) command 163, 310 Change Object Primary Group (CHGOBJPGP) command 144, 164, 310

change of subsystem routing entry (SE) file layout 663 change of subsystem routing entry (SE) journal entry type 282 change of system value (SV) journal entry type 282 Change Output Queue (CHGOUTQ) command 211 Change Owner (CHGOWN) command 163, 310 change ownership (IP) journal entry type 281 Change Password (CHGPWD) command auditing 259 description 311 enforcing password system values 47 setting password equal to profile name 76 Change Primary Group (CHGPGP) command 164, 310 Change Profile (CHGPRF) command 122, 311 Change Program (CHGPGM) command specifying USEADPAUT parameter 152 change request description object authority required for commands 353 change request description (*CRQD) object auditing 504 Change Security Auditing (CHGSECAUD) auditing one-step 290 Change Security Auditing (CHGSECAUD) command description 315, 707 Change Service Program (CHGSRVPGM) command specifying USEADPAUT parameter 152 Change Spooled File Attributes (CHGSPLFA) command 211 change system distribution directory (SD) file layout 662 change system distribution directory (SD) journal entry type 275 Change System Library List (CHGSYSLIBL) command 207, 228 change to DLO object (YC) file layout 696 change to object (ZC) file layout 698 change to spooled file (SF) journal entry type 284 Change User Audit (CHGUSRAUD) command 311 *AUDIT (audit) special authority 88 description 313 QAUDCTL (Auditing Control) system value 65 using 127 Change User Audit display 127 Change User Profile (CHGUSRPRF) command 311 description 311 password composition system values 47

Change User Profile (CHGUSRPRF) command (continued) setting password equal to profile name 76 using 122 changing access control list audit journal (QAUDJRN) entry 282 accounting code 100 active profile list 705 adopted authority authority required 151 audit journal receiver 293, 294 auditing command description 310, 313 authority audit journal (QAUDJRN) entry 280 command description 310 procedures 159 authorization list entry 309 user authority 167 changing audit journal (QAUDJRN) entry 281 command ALWLMTUSR (allow limited user) parameter 83 defaults 235 current library 207, 210 device description owner 203 directory entry 314 document library object (DLO) authority 313 owner 313 primary group 313 document library object auditing command description 313 DST (dedicated service tools) password 129 DST (dedicated service tools) user ID 129 IBM-supplied user profile passwords 129 IPC object audit journal (QAUDJRN) entry 281 job adopted authority 151 audit journal (QAUDJRN) entry 273 job description audit journal (QAUDJRN) entry 281 library list 207 menu PRDLIB (product library) parameter 210 security risks 210 network attribute audit journal (QAUDJRN) entry 281 security-related 214

changing (continued) network profile audit journal (QAUDJRN) entry 282 object auditing 88, 310, 313 command description 313 object owner 163, 310 object ownership moving application to production 242 output queue 211 ownership device description 203 password description 311 DST (dedicated service tools) 129, 311 enforcing password system values 47 IBM-supplied user profiles 129 setting password equal to profile name 76 primary group 144, 310 audit journal (QAUDJRN) entry 281 primary group during restore audit journal (QAUDJRN) entry 277 profile 311 program specifying USEADPAUT parameter 152 program adopt audit journal (QAUDJRN) entry 281 QAUDCTL (audit control) system value 315 QAUDLVL (audit level) system value 315 routing entry audit journal (QAUDJRN) entry 282 security auditing 315, 707 security level (QSECURITY) system value level 10 to level 20 12 level 20 to level 30 13 level 20 to level 40 18 level 20 to level 50 20 level 30 to level 20 13 level 30 to level 40 18 level 30 to level 50 20 level 40 to level 20 13 level 40 to level 30 19 level 50 to level 30 or 40 21 server authentication entry 314 spooled file audit journal (QAUDJRN) entry 284 system directory audit journal (QAUDJRN) entry 275 system library list 207, 228 system value audit journal (QAUDJRN) entry 282

changing (continued) systems management audit journal (QAUDJRN) entry 284 user auditing 88, 311, 313 user authority authorization list 167 user ID DST (dedicated service tools) 129 user profile audit journal (QAUDJRN) entry 277 command descriptions 311 methods 122 password composition system values 47 setting password equal to profile name 76 changing access control list (VA) file layout 679 characters password 49 chart format object authority required for commands 354 chart format (*CHTFMT) auditing 503 Check Object Integrity (CHKOBJITG) command auditing use 262 description 304, 311, 709 Check Password (CHKPWD) command 128, 311 checking 169 altered objects 304 default passwords 705 object integrity 709 auditing use 262 description 304, 311 password 128, 311 checklist auditing security 257 planning security 257 CHGACGCDE (Change Accounting Code) command object authority required 410 relationship to user profile 100 CHGACTPRFL (Change Active Profile List) command description 705 object authority required 490 CHGACTSCDE authorized IBM-supplied user profiles 326 CHGACTSCDE (Change Activation Schedule Entry) command description 705 CHGACTSCDE (Change Activity Schedule Entry) command object authority required 490 CHGAJE (Change Autostart Job Entry) command object auditing 546 object authority required 481 CHGALRACNE (Change Alert Action Entry) command object auditing 524 object authority required 386

CHGALRD (Change Alert Description) command object auditing 501 object authority required 350 CHGALRSLTE (Change Alert Selection Entry) command object auditing 524 object authority required 386 CHGALRTBL (Change Alert Table) command object auditing 501 object authority required 350 CHGASPA authorized IBM-supplied user profiles 326 CHGASPA command 366 CHGASPACT authorized IBM-supplied user profiles 326 CHGASPACT command object authority required 366 CHGASPCPYD authorized IBM-supplied user profiles 326 CHGASPSSN authorized IBM-supplied user profiles 326 CHGATR (Change Attribute) command object auditing 510 CHGATR (Change Attributes) command object auditing 511 CHGAUD (Change Audit) command using 127 CHGAUD (Change Auditing) command description 310, 313 object auditing 511, 548, 553 object authority required 390 CHGAUT (Change Authority) command 159 description 310 object auditing 511, 548, 553 object authority required 391 CHGAUTLE (Change Authorization List Entry) command description 309 object auditing 501 object authority required 352 using 167 CHGBCKUP (Change Backup Options) command object authority required 448 CHGCAD authorized IBM-supplied user profiles 326 CHGCAD command object authority required 355 CHGCDEFNT (Change Coded Font) object authority required for commands 349 CHGCFGL (Change Configuration List) command object auditing 503 object authority required 362 CHGCFGLE (Change Configuration List Entry) command object auditing 503 object authority required 362

CHGCLNUP (Change Cleanup) command
  object authority required 448
CHGCLS (Change Class) command
  object auditing 505
  object authority required 354
CHGCLU
  authorized IBM-supplied user profiles 326
CHGCLU command
  object authority required 355
CHGCLUCFG
  authorized IBM-supplied user profiles 326
CHGCLUMON
  authorized IBM-supplied user profiles 326
CHGCLUMON command
  object authority required 355
CHGCLUNODE
  authorized IBM-supplied user profiles 326
CHGCLUNODE command
  object authority required 356
CHGCLURCY
  authorized IBM-supplied user profiles 327
CHGCLUVER
  authorized IBM-supplied user profiles 327
CHGCLUVER command
  object authority required 356
CHGCMD (Change Command) command
  ALWLMTUSR (allow limited user) parameter 83
  object auditing 505
  object authority required 359
  PRDLIB (product library) parameter 210
  security risks 210
CHGCMDCRQA (Change Command Change Request Activity) command
  authorized IBM-supplied user profiles 327
  object auditing 504
  object authority required 353
CHGCMDDFT (Change Command Default) command
  object auditing 505
  object authority required 359
  using 235
CHGCMNE (Change Communications Entry) command
  object auditing 546
  object authority required 481
CHGCNNL (Change Connection List) command
  object auditing 506
CHGCNNLE (Change Connection List Entry) command
  object auditing 506
CHGCOMSNMP (Change Community for SNMP) command
  object authority required 488
CHGCOSD (Change Class-of-Service Description) command
  object auditing 507
  object authority required 354
CHGCRG
  authorized IBM-supplied user profiles 327
CHGCRG command
  object authority required 356
CHGCRGDEVE
  authorized IBM-supplied user profiles 327
CHGCRGDEVE command
  object authority required 356
CHGCRGPRI
  authorized IBM-supplied user profiles 327
CHGCRGPRI command
  object authority required 356
CHGCRQD (Change Change Request Description) command
  object auditing 504
  object authority required 353
CHGCRSDMNK (Change Cross Domain Key) command
  authorized IBM-supplied user profiles 327
CHGCSI (Change Communications Side Information) command
  object auditing 507
  object authority required 360
CHGCSPPGM (Change CSP/AE Program) command
  object auditing 541
CHGCTLAPPC (Change Controller Description (APPC)) command
  object authority required 363
CHGCTLASC (Change Controller Description (Async)) command
  object authority required 363
CHGCTLBSC (Change Controller Description (BSC)) command
  object authority required 363
CHGCTLFNC (Change Controller Description (Finance)) command
  object authority required 363
CHGCTLHOST (Change Controller Description (SNA Host)) command
  object authority required 363
CHGCTLLWS (Change Controller Description (Local Workstation)) command
  object authority required 363
CHGCTLNET (Change Controller Description (Network)) command
  object authority required 363
CHGCTLRTL (Change Controller Description (Retail)) command
  object authority required 363
CHGCTLRWS (Change Controller Description (Remote Workstation)) command
  object authority required 363
CHGCTLTAP (Change Controller Description (TAPE)) command
  object authority required 363
CHGCTLVWS (Change Controller Description (Virtual Workstation)) command
  object authority required 363
CHGCURDIR (Change Current Directory) command
  object auditing 512
CHGCURLIB (Change Current Library) command
  object authority required 428
  restricting 210
CHGDBG (Change Debug) command
  object authority required 461
CHGDDMF (Change Distributed Data Management File) command
  object auditing 521
  object authority required 380
CHGDEVAPPC (Change Device Description (APPC)) command
  object authority required 366
CHGDEVASC (Change Device Description (Async)) command
  object authority required 366
CHGDEVASP (Change Device Description for Auxiliary Storage Pool) command
  object authority required 366
CHGDEVBSC (Change Device Description (BSC)) command
  object authority required 366
CHGDEVCRP command
  object authority required 366
CHGDEVDSP (Change Device Description (Display)) command
  object authority required 366
CHGDEVFNC (Change Device Description (Finance)) command
  object authority required 366
CHGDEVHOST (Change Device Description (SNA Host)) command
  object authority required 366
CHGDEVINTR (Change Device Description (Intrasystem)) command
  object authority required 366
CHGDEVMLB command
  object authority required 366
CHGDEVNET (Change Device Description (Network)) command
  object authority required 366
CHGDEVNWSH command
  object authority required 366
CHGDEVOPT (Change Device Description (Optical)) command
  object authority required 366, 449
CHGDEVPRT (Change Device Description (Printer)) command
  object authority required 366
CHGDEVRTL (Change Device Description (Retail)) command
  object authority required 366
CHGDEVSNPT (Change Device Description (SNPT)) command
  object authority required 367

Index

739

CHGDEVSNUF (Change Device Description (SNUF)) command
  object authority required 367
CHGDEVTAP (Change Device Description (Tape)) command
  object authority required 367
CHGDIRE (Change Directory Entry) command
  description 314
  object authority required 369
CHGDIRSHD (Change Directory Shadow System) command
  object authority required 369
CHGDIRSRVA (Change Directory Server Attributes) command
  object authority required 369
CHGDIRSRVA command
  authorized IBM-supplied user profiles 327
CHGDKTF (Change Diskette File) command
  object auditing 521
  object authority required 380
CHGDLOAUD (Change Document Library Object Auditing) command
  *AUDIT (audit) special authority 88
  description 313
  object auditing 515
  QAUDCTL (Auditing Control) system value 65
CHGDLOAUT (Change Document Library Object Authority) command
  description 313
  object auditing 515
  object authority required 372
CHGDLOOWN (Change Document Library Object Owner) command
  description 313
  object auditing 515
  object authority required 372
CHGDLOPGP (Change Document Library Object Primary Group) command 313
  description 313
  object auditing 515
  object authority required 372
CHGDLOUAD (Change Document Library Object Auditing) command
  description 313
CHGDOCD (Change Document Description) command
  object auditing 515
  object authority required 372
CHGDSPF (Change Display File) command
  object auditing 521
  object authority required 380
CHGDSTD (Change Distribution Description) command
  object auditing 515
  object authority required 371
CHGDSTL (Change Distribution List) command
  object authority required 372
CHGDSTPWD (Change Dedicated Service Tools Password) command
  description 311
  object authority required 490
CHGDSTQ (Change Distribution Queue) command
  authorized IBM-supplied user profiles 327
  object authority required 371
CHGDSTRTE (Change Distribution Route) command
  authorized IBM-supplied user profiles 327
  object authority required 371
CHGDTA (Change Data) command
  object authority required 380
CHGDTAARA (Change Data Area) command
  object auditing 517
  object authority required 365
CHGEMLCFGE (Change Emulation Configuration Entry) command
  object authority required 368
CHGENVVAR (Change Environment Variable) command
  object authority required 378
CHGEWCBCDE (Change Extended Wireless Controller Bar Code Entry) command
  object authority required 379
CHGEWCM (Change Extended Wireless Controller Member) command
  object authority required 379
CHGEWCPTCE (Change Extended Wireless Controller PTC Entry) command
  object authority required 379
CHGEWLM (Change Extended Wireless Line Member) command
  object authority required 379
CHGEXPSCDE (Change Expiration Schedule Entry) command
  authorized IBM-supplied user profiles 327
  description 705
  object authority required 491
CHGFCNARA
  authorized IBM-supplied user profiles 327
CHGFCT (Change Forms Control Table) command
  object authority required 469
CHGFCTE (Change Forms Control Table Entry) command
  object authority required 469
CHGFNTTBLE (Change DBCS Font Table Entry)
  object authority required for commands 349
CHGFTR (Change Filter) command
  object auditing 525
  object authority required 386
CHGGPHFMT
  authorized IBM-supplied user profiles 327
CHGGPHFMT (Change Graph Format) command
  object authority required 454
CHGGPHPKG (Change Graph Package) command
  authorized IBM-supplied user profiles 327
  object authority required 454
CHGGRPA (Change Group Attributes) command
  object authority required 410
CHGHLLPTR (Change High-Level Language Pointer) command
  object authority required 461
CHGICFDEVE (Change Intersystem Communications Function Program Device Entry) command
  object authority required 380
CHGICFF (Change Intersystem Communications Function File) command
  object authority required 380
CHGIMGCLG command
  object authority required 389
CHGIMGCLGE command
  object authority required 389
CHGIPLA command 409
CHGIPSIFC (Change IP over SNA Interface) command
  object authority required 350
CHGIPSLOC (Change IP over SNA Location Entry) command
  object authority required 350
CHGIPSTOS (Change IP over SNA Type of Service) command
  object authority required 350
CHGJOB (Change Job) command
  adopted authority 151
  object auditing 527
  object authority required 410
CHGJOBD (Change Job Description) command
  object auditing 527
  object authority required 413
CHGJOBQ (Change Job Queue) command
  object auditing 527
  object authority required 414
CHGJOBQE (Change Job Queue Entry) command
  object auditing 527, 546
  object authority required 482
CHGJOBSCDE (Change Job Schedule Entry) command
  object auditing 528
  object authority required 415
CHGJOBTRC
  authorized IBM-supplied user profiles 327


IBM i: Security Security reference

CHGJOBTYP (Change Job Type) command
  authorized IBM-supplied user profiles 327
  object authority required 454
CHGJRN (Change Journal) command
  authorized IBM-supplied user profiles 327
  detaching receiver 293, 294
  object auditing 529, 530
  object authority required 416
CHGJRNA (Change Journal Attributes) command
  authorized IBM-supplied user profiles 327
  object authority required 416
CHGJRNOBJ (Change Journaled Object) command
  object auditing 498
CHGLANADPI (Change LAN Adapter Information) command
  object authority required 435
CHGLF (Change Logical File) command
  object auditing 521
  object authority required 380
CHGLFM (Change Logical File Member) command
  object auditing 522
  object authority required 380
CHGLIB (Change Library) command
  object auditing 531
  object authority required 428
CHGLIBL (Change Library List) command
  object authority required 428
  using 207
CHGLIBOWN (Change Library Owner) tool 242
CHGLICINF (Change License Information) command
  authorized IBM-supplied user profiles 327
  object authority required 433
CHGLINASC (Change Line Description (Async)) command
  object authority required 433
CHGLINBSC (Change Line Description (BSC)) command
  object authority required 433
CHGLINETH (Change Line Description (Ethernet)) command
  object authority required 433
CHGLINFAX (Change Line Description (FAX)) command
  object authority required 433
CHGLINFR (Change Line Description (Frame Relay Network)) command
  object authority required 433
CHGLINIDD (Change Line Description (DDI Network)) command
  object authority required 433
CHGLINSDLC (Change Line Description (SDLC)) command
  object authority required 433
CHGLINTDLC (Change Line Description (TDLC)) command
  object authority required 433
CHGLINTRN (Change Line Description (Token-Ring Network)) command
  object authority required 433
CHGLINWLS (Change Line Description (Wireless)) command
  object authority required 434
CHGLINX25 (Change Line Description (X.25)) command
  object authority required 434
CHGLPDA (Change LPD Attributes) command
  object authority required 488
CHGMGDSYSA (Change Managed System Attributes) command
  authorized IBM-supplied user profiles 327
CHGMGRSRVA (Change Manager Service Attributes) command
  authorized IBM-supplied user profiles 327
CHGMGTCOL command
  object authority required 454
CHGMNU (Change Menu) command
  object auditing 533
  object authority required 437
  PRDLIB (product library) parameter 210
  security risks 210
CHGMOD (Change Module) command
  object auditing 534
  object authority required 441
CHGMODD (Change Mode Description) command
  object auditing 533
  object authority required 440
CHGMSGD (Change Message Description) command
  object auditing 534
  object authority required 439
CHGMSGF (Change Message File) command
  object auditing 534
  object authority required 439
CHGMSGQ (Change Message Queue) command
  object auditing 535
  object authority required 439
CHGMSTK (Change Master Key) command
  authorized IBM-supplied user profiles 327
CHGMWSD (Change Network Server Description) command
  object auditing 538
CHGNETA (Change Network Attributes) command
  authorized IBM-supplied user profiles 327
  object authority required 442
  using 214
CHGNETJOBE (Change Network Job Entry) command
  authorized IBM-supplied user profiles 327
  object authority required 442
CHGNFSEXP (Change Network File System Export) command
  authorized IBM-supplied user profiles 327
  object authority required 443
CHGNTBD (Change NetBIOS Description) command
  object auditing 537
  object authority required 441
CHGNWIFR (Change Network Interface Description (Frame Relay Network)) command
  object authority required 444
CHGNWIISDN (Change Network Interface Description for ISDN) command
  object auditing 537
CHGNWSA (Change Network Server Attributes) command
  authorized IBM-supplied user profiles 327
  object authority required 445
CHGNWSALS (Change Network Server Alias) command
  object authority required 445
CHGNWSCFG command
  authorized IBM-supplied user profiles 327
  object authority required 446
CHGNWSD (Change Network Server Description) command
  object authority required 446
CHGNWSSTG (Change Network Server Storage Space) command
  object authority required 444
CHGNWSVRA (Create Network Server Attribute) command
  object authority required 444
CHGOBJAUD (Change Object Auditing) command
  *AUDIT (audit) special authority 88
  description 310
  object authority required 341
  QAUDCTL (Auditing Control) system value 65
CHGOBJCRQA (Change Object Change Request Activity) command
  authorized IBM-supplied user profiles 327
  object auditing 504
  object authority required 353
CHGOBJD (Change Object Description) command
  object auditing 498
  object authority required 341
CHGOBJOWN (Change Object Owner) command
  description 310
  object auditing 498
  object authority required 342
  using 163


CHGOBJPGP (Change Object Primary Group) command 144, 164
  description 310
  object authority required 342
CHGOBJUAD (Change Object Auditing) command
  description 313
CHGOPTA (Change Optical Attributes) command
  authorized IBM-supplied user profiles 327
  object authority required 449
CHGOPTVOL (Change Optical Volume) command
  object authority required 449
CHGOUTQ (Change Output Queue) command
  object auditing 538
  object authority required 452
  using 211
CHGOWN (Change Owner) command 163
  description 310
  object auditing 511, 548, 553, 556
  object authority required 391
CHGPCST (Change Physical File Constraint) command
  object authority required 380
CHGPDGPRF (Change Print Descriptor Group Profile) command
  object auditing 540
  object authority required 459
CHGPEXDFN (Change Performance Explorer Definition) command
  authorized IBM-supplied user profiles 327
  object authority required 454
CHGPF (Change Physical File) command
  object auditing 522
  object authority required 380
CHGPFCNARA (Change Functional Area) command
  object authority required 454
CHGPFCST (Change Physical File Constraint) command
  object auditing 522
CHGPFM (Change Physical File Member) command
  object auditing 522
  object authority required 380
CHGPFTRG (Change Physical File Trigger) command
  object auditing 523
  object authority required 380
CHGPGM (Change Program) command
  object auditing 541
  object authority required 461
  specifying USEADPAUT parameter 152
CHGPGMVAR (Change Program Variable) command
  object authority required 461
CHGPGP (Change Primary Group) command 164
  description 310
  object auditing 511, 548, 554, 556
  object authority required 391
CHGPJ (Change Prestart Job) command
  object authority required 410
CHGPJE (Change Prestart Job Entry) command
  object auditing 546
  object authority required 482
CHGPRB (Change Problem) command
  authorized IBM-supplied user profiles 327
  object authority required 460
CHGPRBACNE (Change Problem Action Entry) command
  object auditing 525
  object authority required 386, 460
CHGPRBSLTE (Change Problem Selection Entry) command
  object auditing 525
  object authority required 386, 460
CHGPRDCRQA (Change Product Change Request Activity) command
  authorized IBM-supplied user profiles 327
  object auditing 504
  object authority required 353
CHGPRF (Change Profile) command
  description 311
  object auditing 558
  object authority required 491
  using 122
CHGPRTF (Change Printer File) command
  object auditing 522
  object authority required 380
CHGPSFCFG (Change Print Services Facility Configuration) command
  object authority required 459
CHGPTFCRQA (Change PTF Change Request Activity) command
  authorized IBM-supplied user profiles 327
  object auditing 504
  object authority required 353
CHGPTR (Change Pointer) command
  authorized IBM-supplied user profiles 327
  object authority required 461
CHGPWD (Change Password) command
  auditing 259
  description 311
  enforcing password system values 47
  object auditing 558
  object authority required 491
  setting password equal to profile name 76
CHGPWRSCD (Change Power On/Off Schedule) command
  object authority required 448
CHGPWRSCDE (Change Power On/Off Schedule Entry) command
  object authority required 448
CHGQRYA (Change Query Attribute) command
  object authority required 464
CHGQSTDB (Change Question-and-Answer Database) command
  authorized IBM-supplied user profiles 327
  object authority required 466
CHGRCYAP (Change Recovery for Access Paths) command
  authorized IBM-supplied user profiles 327
  object auditing 500
  object authority required 348
CHGRDBDIRE (Change Relational Database Directory Entry) command
  object authority required 467
CHGRJECMNE (Change RJE Communications Entry) command
  object authority required 469
CHGRJERDRE (Change RJE Reader Entry) command
  object authority required 469
CHGRJEWTRE (Change RJE Writer Entry) command
  object authority required 469
CHGRMTJRN (Change Remote Journal) command
  object auditing 529
CHGRPYLE (Change Reply List Entry) command
  authorized IBM-supplied user profiles 327
  object auditing 546
  object authority required 484
CHGRSCCRQA (Change Resource Change Request Activity) command
  authorized IBM-supplied user profiles 327
  object auditing 505
  object authority required 353
CHGRTGE (Change Routing Entry) command
  object auditing 546
  object authority required 482
CHGS34LIBM (Change System/34 Library Members) command
  authorized IBM-supplied user profiles 328
  object authority required 440
CHGS36 (Change System/36) command
  object auditing 556
  object authority required 484
CHGS36A (Change System/36 Attributes) command
  object auditing 556
  object authority required 484
CHGS36PGMA (Change System/36 Program Attributes) command
  object auditing 541
  object authority required 484
CHGS36PRCA (Change System/36 Procedure Attributes) command
  object auditing 522
  object authority required 484
CHGS36SRCA (Change System/36 Source Attributes) command
  object authority required 484


CHGSAVF (Change Save File) command
  object auditing 522
  object authority required 380
CHGSBSD (Change Subsystem Description) command
  object auditing 547
  object authority required 482
CHGSCHIDX (Change Search Index) command
  object auditing 547
  object authority required 409
CHGSECA (Change Security Attributes) command
  object authority required 472
CHGSECAUD (Change Security Auditing) command
  description 315, 707
  object authority required 472
  security auditing function 290
CHGSHRPOOL (Change Shared Storage Pool) command
  object authority required 483
CHGSNMPA (Change SNMP Attributes) command
  object authority required 488
CHGSPLFA (Change Spooled File Attributes) command
  action auditing 551
  DSPDTA parameter of output queue 211
  object auditing 538, 539
  object authority required 479
CHGSRCPF (Change Source Physical File) command
  object authority required 380
CHGSRVA (Change Service Attributes) command
  object authority required 473
CHGSRVPGM (Change Service Program) command
  object auditing 552
  object authority required 461
  specifying USEADPAUT parameter 152
CHGSSND (Change Session Description) command
  object authority required 469
CHGSSNMAX (Change Session Maximum) command
  object auditing 533
  object authority required 440
CHGSVRAUTE (Change Server Authentication Entry) command
  object authority required 473
CHGSYSDIRA (Change System Directory Attributes) command
  object auditing 513
  object authority required 369
CHGSYSJOB (Change System Job) command
  object authority required 410
CHGSYSLIBL (Change System Library List) command
  authorized IBM-supplied user profiles 327
  object authority required 428
  programming example 228
  using 207
CHGSYSVAL (Change System Value) command
  authorized IBM-supplied user profiles 327
  object authority required 484
CHGTAPCTG (Change Tape Cartridge) command
  object authority required 436
CHGTAPF (Change Tape File) command
  object auditing 522
  object authority required 380
CHGTCPA (Change TCP/IP Attributes) command
  object authority required 488
CHGTCPHTE (Change TCP/IP Host Table Entry) command
  object authority required 488
CHGTCPIFC (Change TCP/IP Interface) command
  object authority required 488
CHGTCPRTE (Change TCP/IP Route Entry) command
  object authority required 488
CHGTELNA (Change TELNET Attributes) command
  object authority required 488
CHGTIMZON command 489
CHGUSRAUD (Change User Audit) command
  *AUDIT (audit) special authority 88
  description 311, 313
  object authority required 491
  QAUDCTL (Auditing Control) system value 65
  using 127
CHGUSRPRF (Change User Profile) command
  description 311
  object auditing 558
  object authority required 491
  password composition system values 47
  setting password equal to profile name 76
  using 122
CHGUSRTRC (Change User Trace) command
  object authority required 410
CHGVTMAP (Change VT100 Keyboard Map) command
  object authority required 488
CHGWSE (Change Workstation Entry) command
  object auditing 547
  object authority required 482
CHGWTR (Change Writer) command
  object authority required 494
CHKASPBAL
  authorized IBM-supplied user profiles 328
CHKCMNTRC (Check Communications Trace) command
  authorized IBM-supplied user profiles 328
  object authority required 473
CHKDLO (Check Document Library Object) command
  object authority required 373
CHKDNSCFG (DNS Configuration Utility) command
  object authority required 376
CHKDNSZNE (DNS Zone Utility) command
  object authority required 376
CHKDOC (Check Document) command
  object auditing 514
  object authority required 373
CHKIGCTBL (Check DBCS Font Table) command
  object auditing 526
CHKIN (Check In) command
  object auditing 548, 554
  object authority required 392
CHKMSTKVV command
  authorized IBM-supplied user profiles 328
  object authority required 365
CHKOBJ (Check Object) command
  object auditing 499
  object authority required 342
CHKOBJITG (Check Object Integrity) command 3
  auditing use 262
  description 304, 311, 709
  object authority required 342
CHKOUT (Check Out) command
  object auditing 548, 554
  object authority required 392
CHKPRDOPT (Check Product Option) command
  authorized IBM-supplied user profiles 328
  object authority required 473
CHKPWD (Check Password) command
  description 311
  object auditing 558
  object authority required 491
  using 128
CHKTAP (Check Tape) command
  object authority required 436
CHRIDCTL (user options) parameter
  user profile 106
CL keyword (*CLKWD) user option 106, 107, 108
class
  object authority required for commands 354
  relationship to security 217
Class (*CLS) auditing 505
class files
  jar files 243
class-of-service description
  object authority required for commands 354
class-of-service description (*COSD) auditing 507
class, user 79


cleanup
  object authority required for commands 448
client request access (PCSACC) network attribute 215
close of server files (VF) file layout 680
CLP38 programs 137
CLRJOBQ (Clear Job Queue) command
  object auditing 527
  object authority required 414
CLRLIB (Clear Library) command
  object auditing 531
  object authority required 429
CLRMSGQ (Clear Message Queue) command
  object auditing 535
  object authority required 439
CLRMSTKEY (Clear Master Key) command
  authorized IBM-supplied user profiles 328
CLRMSTKEY command
  object authority required 365
CLROUTQ (Clear Output Queue) command
  action auditing 551
  object auditing 538
  object authority required 452
CLRPFM (Clear Physical File Member) command
  object auditing 522
  object authority required 381
CLRSAVF (Clear Save File) command
  object authority required 381
CLRTRCDTA (Clear Trace Data) command
  object authority required 461
cluster
  object authority required for commands 355
Cluster Operations (CU) file layout 587
CMPJRNIMG (Compare Journal Images) command
  object auditing 528
  object authority required 416
CNLRJERDR (Cancel RJE Reader) command
  object authority required 469
CNLRJEWTR (Cancel RJE Writer) command
  object authority required 470
CNTRYID (country or region identifier) parameter
  user profile 105
CO (create object) file layout 582
CO (create object) journal entry type 144, 272
coded character set identifier
  CCSID user profile parameter 106
  QCCSID system value 106
combining authorization methods
  example 195
command
  auditing
    audit journal (QAUDJRN) entry 272
  changing
    ALWLMTUSR (allow limited user) parameter 83
    defaults 235
    PRDLIB (product library) parameter 210
    security risks 210
  creating
    ALWLMTUSR (allow limited user) parameter 83
    PRDLIB (product library) parameter 210
    security risks 210
  NLV (national language version) security 235
  planning security 235
  revoking public authority 316, 713
  System/38 security 235
command (*CMD object type)
  object authority required for commands 359
Command (*CMD) auditing 505
command capability
  listing users 302
command string
  audit journal (QAUDJRN) file layout 581
command string (*CMD) audit level 272
command string (CD) file layout 581
command string (CD) journal entry type 272
command, CL
  activation schedule 705
  Add Authorization List Entry (ADDAUTLE) 167, 309
  Add Directory Entry (ADDDIRE) 314
  Add Document Library Object Authority (ADDDLOAUT) 313
  Add Library List Entry (ADDLIBLE) 207, 210
  Add Server Authentication Entry (ADDSVRAUTE) 314
  ADDAUTLE (Add Authorization List Entry) 167, 309
  ADDDIRE (Add Directory Entry) 314
  ADDDLOAUT (Add Document Library Object Authority) 313
  ADDJOBSCDE (Add Job Schedule Entry)
    SECBATCH menu 708
  ADDLIBLE (Add Library List Entry) 207, 210
  ADDSVRAUTE (Add Server Authentication Entry) 314
  allowed for limit capabilities user 83
  ALWLMTUSR (allow limited user) parameter 83
  ANZDFTPWD (Analyze Default Passwords)
    description 705
  ANZPRFACT (Analyze Profile Activity)
    creating exempt users 705
    description 705
  authority holders, table 309, 314
  authorization lists 309
  CALL (Call Program)
    transferring adopted authority 150
  Call Program (CALL)
    transferring adopted authority 150
  CFGSYSSEC (Configure System Security)
    description 316, 713
  Change Accounting Code (CHGACGCDE) 100
  Change Authorization List Entry (CHGAUTLE)
    description 309
    using 167
  Change Command (CHGCMD)
    ALWLMTUSR (allow limited user) parameter 83
    PRDLIB (product library) parameter 210
    security risks 210
  Change Command Default (CHGCMDDFT) 235
  Change Current Library (CHGCURLIB)
    restricting 210
  Change Dedicated Service Tools Password (CHGDSTPWD) 311
  Change Directory Entry (CHGDIRE) 314
  Change Document Library Object Auditing (CHGDLOAUD) 313
    *AUDIT (audit) special authority 88
    description 313
    QAUDCTL (Auditing Control) system value 65
  Change Document Library Object Authority (CHGDLOAUT) 313
  Change Document Library Object Owner (CHGDLOOWN) 313
  Change Document Library Object Primary (CHGDLOPGP) 313
  Change Job (CHGJOB)
    adopted authority 151
  Change Journal (CHGJRN) 293, 294
  Change Library List (CHGLIBL) 207
  Change Menu (CHGMNU)
    PRDLIB (product library) parameter 210
    security risks 210
  Change Network Attributes (CHGNETA) 214
  Change Object Auditing (CHGOBJAUD) 310
    *AUDIT (audit) special authority 88
    description 313
    QAUDCTL (Auditing Control) system value 65


command, CL (continued)
  Change Object Owner (CHGOBJOWN) 163, 310
  Change Object Primary Group (CHGOBJPGP) 144, 164, 310
  Change Output Queue (CHGOUTQ) 211
  Change Password (CHGPWD)
    auditing 259
    description 311
    enforcing password system values 47
    setting password equal to profile name 76
  Change Profile (CHGPRF) 122, 311
  Change Program (CHGPGM)
    specifying USEADPAUT parameter 152
  Change Security Auditing (CHGSECAUD)
    description 315
  Change Server Authentication Entry (CHGSVRAUTE) 314
  Change Service Program (CHGSRVPGM)
    specifying USEADPAUT parameter 152
  Change Spooled File Attributes (CHGSPLFA) 211
  Change System Library List (CHGSYSLIBL) 207, 228
  Change User Audit (CHGUSRAUD) 311
    *AUDIT (audit) special authority 88
    description 313
    QAUDCTL (Auditing Control) system value 65
    using 127
  Change User Profile (CHGUSRPRF) 311
    description 311
    password composition system values 47
    setting password equal to profile name 76
    using 122
  Check Object Integrity (CHKOBJITG)
    auditing use 262
    description 304, 311
  Check Password (CHKPWD) 128, 311
  CHGACGCDE (Change Accounting Code) 100
  CHGACTPRFL (Change Active Profile List)
    description 705
  CHGACTSCDE (Change Activation Schedule Entry)
    description 705
  CHGAUTLE (Change Authorization List Entry)
    description 309
    using 167
  CHGCMD (Change Command)
    ALWLMTUSR (allow limited user) parameter 83
    PRDLIB (product library) parameter 210
    security risks 210
  CHGCMDDFT (Change Command Default) 235
  CHGCURLIB (Change Current Library)
    restricting 210
  CHGDIRE (Change Directory Entry) 314
  CHGDLOAUD (Change Document Library Object Auditing) 313
    *AUDIT (audit) special authority 88
    QAUDCTL (Auditing Control) system value 65
  CHGDLOAUT (Change Document Library Object Authority) 313
  CHGDLOOWN (Change Document Library Object Owner) 313
  CHGDLOPGP (Change Document Library Object Primary) 313
  CHGDLOUAD (Change Document Library Object Auditing)
    description 313
  CHGDSTPWD (Change Dedicated Service Tools Password) 311
  CHGEXPSCDE (Change Expiration Schedule Entry)
    description 705
  CHGJOB (Change Job)
    adopted authority 151
  CHGJRN (Change Journal) 293, 294
  CHGLIBL (Change Library List) 207
  CHGMNU (Change Menu)
    PRDLIB (product library) parameter 210
    security risks 210
  CHGNETA (Change Network Attributes) 214
  CHGOBJAUD (Change Object Auditing) 310
    *AUDIT (audit) special authority 88
    description 313
    QAUDCTL (Auditing Control) system value 65
  CHGOBJOWN (Change Object Owner) 163, 310
  CHGOBJPGP (Change Object Primary Group) 144, 164, 310
  CHGOUTQ (Change Output Queue) 211
  CHGPGM (Change Program)
    specifying USEADPAUT parameter 152
  CHGPRF (Change Profile) 122, 311
  CHGPWD (Change Password)
    auditing 259
    description 311
    enforcing password system values 47
    setting password equal to profile name 76
  CHGSECAUD (Change Security Auditing)
    description 315, 707
  CHGSPLFA (Change Spooled File Attributes) 211
  CHGSRVPGM (Change Service Program)
    specifying USEADPAUT parameter 152
  CHGSVRAUTE (Change Server Authentication Entry) 314
  CHGSYSLIBL (Change System Library List) 207, 228
  CHGUSRAUD (Change User Audit) 311
    *AUDIT (audit) special authority 88
    description 313
    QAUDCTL (Auditing Control) system value 65
    using 127
  CHGUSRPRF (Change User Profile) 311
    description 311
    password composition system values 47
    setting password equal to profile name 76
    using 122
  CHKOBJITG (Check Object Integrity)
    auditing use 262
    description 304, 311, 709
  CHKPWD (Check Password) 128, 311
  Configure System Security (CFGSYSSEC)
    description 316
  Copy Spooled File (CPYSPLF) 211
  CPYSPLF (Copy Spooled File) 211
  Create Authority Holder (CRTAUTHLR) 153, 309, 314
  Create Authorization List (CRTAUTL) 166, 309
  Create Command (CRTCMD)
    ALWLMTUSR (allow limited user) parameter 83
    PRDLIB (product library) parameter 210
    security risks 210
  Create Journal (CRTJRN) 291
  Create Journal Receiver (CRTJRNRCV) 291
  Create Library (CRTLIB) 157
  Create Menu (CRTMNU)
    PRDLIB (product library) parameter 210
    security risks 210
  Create Output Queue (CRTOUTQ) 211, 214
  Create User Profile (CRTUSRPRF)
    description 118, 311
  CRTAUTHLR (Create Authority Holder) 153, 309, 314
  CRTAUTL (Create Authorization List) 166, 309


command, CL (continued) CRTCMD (Create Command) ALWLMTUSR (allow limited user) parameter 83 PRDLIB (product library) parameter 210 security risks 210 CRTJRN (Create Journal) 291 CRTJRNRCV (Create Journal Receiver) 291 CRTLIB (Create Library) 157 CRTMNU (Create Menu) PRDLIB (product library) parameter 210 security risks 210 CRTOUTQ (Create Output Queue) 211, 214 CRTUSRPRF (Create User Profile) description 118, 311 Delete Authority Holder (DLTAUTHLR) 154, 309 Delete Authorization List (DLTAUTL) 169, 309 Delete Journal Receiver (DLTJRNRCV) 294 Delete User Profile (DLTUSRPRF) description 311 example 122 object ownership 143 Display Audit Journal Entries (DSPAUDJRNE) description 315 Display Authority Holder (DSPAUTHLR) 153, 309 Display Authorization List (DSPAUTL) 309 Display Authorization List Document Library Objects (DSPAUTLDLO) 313 Display Authorization List Objects (DSPAUTLOBJ) 168, 309 Display Authorized Users (DSPAUTUSR) auditing 301 description 311 example 125 Display Document Library Object Auditing (DSPDLOAUD) 288, 313 Display Document Library Object Authority (DSPDLOAUT) 313 Display Job Description (DSPJOBD) 261 Display Journal (DSPJRN) audit (QAUDJRN) journal example 295 auditing file activity 236, 300 creating output file 296 displaying QAUDJRN (audit) journal 263 Display Library (DSPLIB) 303 Display Library Description (DSPLIBD) CRTAUT parameter 158 Display Object Authority (DSPOBJAUT) 303, 310 Display Object Description (DSPOBJD) 288, 310

command, CL (continued) created by 144 object domain 15 program state 15 using output file 302 Display Program (DSPPGM) adopted authority 151 program state 15 Display Programs That Adopt (DSPPGMADP) auditing 303 description 312 using 151, 236 Display Security Auditing (DSPSECAUD Values) description 315 Display Service Program (DSPSRVPGM) adopted authority 151 Display Spooled File (DSPSPLF) 211 Display User Profile (DSPUSRPRF) description 311 using 125 using output file 302 displaying keywords (*CLKWD user option) 106, 107, 108 DLTAUTHLR (Delete Authority Holder) 154, 309 DLTAUTL (Delete Authorization List) 169, 309 DLTJRNRCV (Delete Journal Receiver) 294 DLTUSRPRF (Delete User Profile) description 311 example 122 object ownership 143 document library object (DLO) table 313 DSPACTPRFL (Display Active Profile List) description 705 DSPACTSCD (Display Activation Schedule) description 705 DSPAUDJRNE (Display Audit Journal Entries) description 315, 709 DSPAUTHLR (Display Authority Holder) 153, 309 DSPAUTL (Display Authorization List) 309 DSPAUTLDLO (Display Authorization List Document Library Objects) 313 DSPAUTLOBJ (Display Authorization List Objects) 168, 309 DSPAUTUSR (Display Authorized Users) auditing 301 description 311 example 125 DSPDLOAUD (Display Document Library Object Auditing) 288, 313 DSPDLOAUT (Display Document Library Object Authority) 313 DSPEXPSCD (Display Expiration Schedule) description 705

command, CL (continued) DSPJOBD (Display Job Description) 261 DSPJRN (Display Journal) audit (QAUDJRN) journal example 295 auditing file activity 236, 300 creating output file 296 displaying QAUDJRN (audit) journal 263 DSPLIB (Display Library) 303 DSPLIBD (Display Library Description) CRTAUT parameter 158 DSPOBJAUT (Display Object Authority) 303, 310 DSPOBJD (Display Object Description) 288, 310 created by 144 object domain 15 program state 15 using output file 302 DSPPGM (Display Program) adopted authority 151 program state 15 DSPPGMADP (Display Programs That Adopt) auditing 303 description 312 using 151, 236 DSPSECAUD (Display Security Auditing Values) description 315 DSPSECAUD (Display Security Auditing) description 707 DSPSPLF (Display Spooled File) 211 DSPSRVPGM (Display Service Program) adopted authority 151 DSPUSRPRF (Display User Profile) description 311 using 125 using output file 302 Edit Authorization List (EDTAUTL) 167, 309 Edit Document Library Object Authority (EDTDLOAUT) 313 Edit Library List (EDTLIBL) 207 Edit Object Authority (EDTOBJAUT) 159, 310 EDTAUTL (Edit Authorization List) 167, 309 EDTDLOAUT (Edit Document Library Object Authority) 313 EDTLIBL (Edit Library List) 207 EDTOBJAUT (Edit Object Authority) 159, 310 End Job (ENDJOB) QINACTMSGQ system value 28 ENDJOB (End Job) QINACTMSGQ system value 28 Grant Object Authority (GRTOBJAUT) 310 effect on previous authority 162 multiple objects 162

746

IBM i: Security Security reference

command, CL (continued) Grant User Authority (GRTUSRAUT) copying authority 121 description 311 recommendations 165 renaming profile 127 Grant User Permission (GRTUSRPMN) 313 GRTOBJAUT (Grant Object Authority) 310 effect on previous authority 162 multiple objects 162 GRTUSRAUT (Grant User Authority) copying authority 121 description 311 recommendations 165 renaming profile 127 GRTUSRPMN (Grant User Permission) 313 keywords, displaying (*CLKWD user option) 106, 107, 108 object authority, table 310 parameter names, displaying (*CLKWD user option) 106, 107, 108 passwords, table 311 Print Communications Security Attributes (PRTCMNSEC) description 316 Print Job Description Authority (PRTJOBDAUT) 315 Print Private Authorities (PRTPVTAUT) 315 Print Publicly Authorized Objects (PRTPUBAUT) 315 Print Queue Authority (PRTQAUT) description 315 Print Subsystem Description Authority (PRTSBSDAUT) description 315 Print System Security Attributes (PRTSYSSECA) description 316 Print Trigger Programs (PRTTRGPGM) description 315 Print User Objects (PRTUSROBJ) description 315 PRTADPOBJ (Print Adopting Objects) description 709 PRTCMNSEC (Print Communications Security) description 316, 709 PRTJOBDAUT (Print Job Description Authority) 315 description 709 PRTPUBAUT (Print Publicly Authorized Objects) 315 description 709 PRTPVTAUT (Print Private Authorities) 315 authorization list 709 description 711 PRTQAUT (Print Queue Authority) description 315, 711

command, CL (continued) PRTSBSDAUT (Print Subsystem Description Authority) description 315 PRTSBSDAUT (Print Subsystem Description) description 709 PRTSYSSECA (Print System Security Attributes) description 316, 709 PRTTRGPGM (Print Trigger Programs) description 315, 709 PRTUSROBJ (Print User Objects) description 315, 709 PRTUSRPRF (Print User Profile) description 709 RCLSTG (Reclaim Storage) 19, 26, 145, 255 Reclaim Storage (RCLSTG) 19, 26, 145, 255 Remove Authorization List Entry (RMVAUTLE) 167, 309 Remove Directory Entry (RMVDIRE) 314 Remove Document Library Object Authority (RMVDLOAUT) 313 Remove Library List Entry (RMVLIBLE) 207 Remove Server Authentication Entry (RMVSVRAUTE) 314 Restore Authority (RSTAUT) audit journal (QAUDJRN) entry 277 description 312 procedure 252 role in restoring security 245 using 251 Restore Document Library Object (RSTDLO) 245 Restore Library (RSTLIB) 245 Restore Licensed Program (RSTLICPGM) recommendations 253 security risks 253 Restore Object (RSTOBJ) using 245 Restore User Profiles (RSTUSRPRF) 245, 312 Retrieve Authorization List Entry (RTVAUTLE) 309 Retrieve User Profile (RTVUSRPRF) 128, 311 Revoke Object Authority (RVKOBJAUT) 169, 310 Revoke Public Authority (RVKPUBAUT) description 316 Revoke User Permission (RVKUSRPMN) 313 RMVAUTLE (Remove Authorization List Entry) 167, 309 RMVDIRE (Remove Directory Entry) 314 RMVDLOAUT (Remove Document Library Object Authority) 313

command, CL (continued) RMVLIBLE (Remove Library List Entry) 207 RMVSVRAUTE (Remove Server Authentication Entry) 314 RSTAUT (Restore Authority) audit journal (QAUDJRN) entry 277 description 312 procedure 252 role in restoring security 245 using 251 RSTDLO (Restore Document Library Object) 245 RSTLIB (Restore Library) 245 RSTLICPGM (Restore Licensed Program) recommendations 253 security risks 253 RSTOBJ (Restore Object) using 245 RSTUSRPRF (Restore User Profiles) 245, 312 RTVAUTLE (Retrieve Authorization List Entry) 309 RTVUSRPRF (Retrieve User Profile) 128, 311 RVKOBJAUT (Revoke Object Authority) 169, 310 RVKPUBAUT (Revoke Public Authority) description 316, 713 details 716 RVKUSRPMN (Revoke User Permission) 313 SAVDLO (Save Document Library Object) 245 Save Document Library Object (SAVDLO) 245 Save Library (SAVLIB) 245 Save Object (SAVOBJ) 245, 294 Save Security Data (SAVSECDTA) 245, 312 Save System (SAVSYS) 245, 312 SAVLIB (Save Library) 245 SAVOBJ (Save Object) 245, 294 SAVSECDTA (Save Security Data) 245, 312 SAVSYS (Save System) 245, 312 SBMJOB (Submit Job) 200 SECBATCH menu 708 security tools 315, 705 security, list 309 Send Journal Entry (SNDJRNE) 292 Send Network Spooled File (SNDNETSPLF) 211 Set Attention Program (SETATNPGM) 104 SETATNPGM (Set Attention Program) 104 setting QALWUSRDMN (allow user objects) system value 26 SNDJRNE (Send Journal Entry) 292 SNDNETSPLF (Send Network Spooled File) 211

Index

747

command, CL (continued) Start System/36 (STRS36) user profile, special environment 89 STRS36 (Start System/36) user profile, special environment 89 Submit Job (SBMJOB) 200 system distribution directory, table 314 TFRCTL (Transfer Control) transferring adopted authority 150 TFRGRPJOB (Transfer to Group Job) adopted authority 150 Transfer Control (TFRCTL) transferring adopted authority 150 Transfer to Group Job (TFRGRPJOB) adopted authority 150 user profiles (related), table 312 user profiles (working with), table 311 Work with Authorization Lists (WRKAUTL) 309 Work with Directory (WRKDIRE) 314 Work with Journal (WRKJRN) 294, 301 Work with Journal Attributes (WRKJRNA) 294, 301 Work with Objects (WRKOBJ) 310 Work with Objects by Owner (WRKOBJOWN) auditing 261 description 310 using 163 Work with Objects by Primary Group (WRKOBJPGP) 144, 164 description 310 Work with Output Queue Description (WRKOUTQD) 211 Work with Spooled Files (WRKSPLF) 211 Work with System Status (WRKSYSSTS) 218 Work with System Values (WRKSYSVAL) 258 Work with User Profiles (WRKUSRPRF) 117, 311 WRKAUTL (Work with Authorization Lists) 309 WRKDIRE (Work with Directory) 314 WRKJRN (Work with Journal) 294, 301 WRKJRNA (Work with Journal Attributes) 294, 301 WRKOBJ (Work with Objects) 310 WRKOBJOWN (Work with Objects by Owner) auditing 261 description 310 using 163 WRKOBJPGP (Work with Objects by Primary Group) 144, 164 description 310

command, CL (continued) WRKOUTQD (Work with Output Queue Description) 211 WRKSPLF (Work with Spooled Files) 211 WRKSYSSTS (Work with System Status) 218 WRKSYSVAL (Work with System Values) 258 WRKUSRPRF (Work with User Profiles) 117, 311 command, generic Change Authority (CHGAUT) 159 Change Owner (CHGOWN) 163 Change Primary Group (CHGPGP) 164 CHGAUT (Change Authority) 159 CHGOWN (Change Owner) 163 CHGPGP (Change Primary Group) 164 Grant Object Authority (GRTOBJAUT) 159 GRTOBJAUT (Grant Object Authority) 159 Revoke Object Authority (RVKOBJAUT) 159 RVKOBJAUT (Revoke Object Authority) 159 Work with Authority (WRKAUT) 159 WRKAUT (Work with Authority) 159 command, generic object Change Auditing (CHGAUD) 310 description 313 Change Authority (CHGAUT) 310 Change Owner (CHGOWN) 310 Change Primary Group (CHGPGP) 310 CHGAUD (Change Auditing) 310 description 313 CHGAUT (Change Authority) 310 CHGOWN (Change Owner) 310 CHGPGP (Change Primary Group) 310 Display Authority (DSPAUT) 310 DSPAUT (Display Authority) 310 Work with Authority (WRKAUT) 310 WRKAUT (Work with Authority) 310 command, integrated file system Change Auditing (CHGAUD) using 127 CHGAUD (Change Auditing) using 127 commands Application development 351 COMMIT (Commit) command object authority required 360 commitment control object authority required for commands 360 Common Criteria security description 6 communications monitoring 262

communications entry job description 206 communications side information object authority required for commands 360 communications side information (*CSI) auditing 507 comparison group profile and authorization list 241 complete change of password 53 complex authority example 195 confidential data protecting 261 confidentiality 1 configuration automatic virtual devices (QAUTOVRT system value) 37 object authority required for commands 361 configuration list object authority required for commands 362 configuration list object auditing 503 Configure System Security (CFGSYSSEC) command description 316, 713 connection ending audit journal (QAUDJRN) entry 273 starting audit journal (QAUDJRN) entry 273 connection list object authority required for commands 362 connection list (*CNNL) auditing 506 connection start and end (VC) file layout 679 connection start or end (VC) journal entry type 273 connection verification (CV) file layout 589 console authority needed to sign on 203 QCONSOLE system value 203 QSECOFR (security officer) user profile 203 QSRV (service) user profile 203 QSRVBAS (basic service) user profile 203 restricting access 258 contents security tools 315, 705 controller description object authority required for commands 363 printing security-relevant parameters 709 controller description (*CTLD) auditing 508

controlling access DDM request (DDM) 216 iSeries Access 215 objects 15 system programs 15 auditing 65 remote job submission 214 sign-on (QRMTSIGN system value) 32 restore operations 216 save operations 216 user library list 227 Convert Performance Collection (CVTPFRCOL) command authorized IBM-supplied user profiles 329 object authority required 456 converting performance collection authorized IBM-supplied user profiles 329 object authority required 456 Copy Performance Collection (CPYPFRCOL) command authorized IBM-supplied user profiles 328 object authority required 455 Copy Spooled File (CPYSPLF) command 211 Copy User display 121 copying performance collection authorized IBM-supplied user profiles 328 object authority required 455 spooled file 211 user authority command description 311 example 121 recommendations 165 renaming profile 127 user profile 119 country or region identifier QCNTRYID system value 106 country or region identifier CNTRYID user profile parameter 105 CP (user profile change) file layout 584 CP (user profile change) journal entry type 277 CPHDTA (Cipher Data) command authorized IBM-supplied user profiles 328 CPROBJ (Compress Object) command object auditing 499 object authority required 342 CPY (Copy Object) command object auditing 510 CPY (Copy) command object auditing 511, 553, 554, 555, 556 object authority required 393 CPYAUDJRNE command object authority required 416 CPYCFGL (Copy Configuration List) command object auditing 503

CPYCFGL (Copy Configuration List) command (continued) object authority required 362 CPYCNARA (Copy Functional Area) command object authority required 454 CPYDOC (Copy Document) command object auditing 514, 515 object authority required 373 CPYF (Copy File) command object auditing 520, 522 object authority required 381 CPYFCNARA command authorized IBM-supplied user profiles 328 CPYFRMDIR (Copy from Directory) command object authority required 369 CPYFRMDKT (Copy from Diskette) command object authority required 381 CPYFRMIMPF (Copy from Import File) command object authority required 381 CPYFRMLDIF (Copy From LDIF) command object authority required 370 CPYFRMLDIF command authorized IBM-supplied user profiles 328 CPYFRMQRYF (Copy from Query File) command object authority required 381 CPYFRMSTMF (Copy from Stream File) command object authority required 381 CPYFRMTAP (Copy from Tape) command object authority required 381 CPYGPHFMT authorized IBM-supplied user profiles 328 CPYGPHFMT (Copy Graph Format) command object authority required 455 CPYGPHPKG authorized IBM-supplied user profiles 328 CPYGPHPKG (Copy Graph Package) command object authority required 455 CPYIGCSRT (Copy DBCS Sort Table) command object auditing 526 CPYIGCTBL (Copy DBCS Font Table) command object auditing 526 object authority required 378 CPYLIB (Copy Library) command object authority required 429 CPYOPT (Copy Optical) command object authority required 449 CPYPFRCOL (Copy Performance Collection) command authorized IBM-supplied user profiles 328 object authority required 455

CPYPFRDTA authorized IBM-supplied user profiles 328 CPYPFRDTA (Copy Performance Data) command object authority required 455 CPYPTF (Copy Program Temporary Fix) command authorized IBM-supplied user profiles 328 object authority required 473 CPYPTFGRP (Copy Program Temporary Fix Group) 328 CPYPTFGRP (Copy PTF Group) command object authority required 473 CPYSPLF (Copy Spooled File) command action auditing 550 DSPDTA parameter of output queue 211 object auditing 539 object authority required 479 CPYSRCF (Copy Source File) command object authority required 381 CPYTCPHT command object authority required 487 CPYTODIR (Copy to Directory) command object authority required 369 CPYTODKT (Copy to Diskette) command object authority required 382 CPYTOIMPF (Copy to Import File) command object authority required 382 CPYTOLDIF (Copy To LDIF) command object authority required 370 CPYTOLDIF command 328 CPYTOSTMF (Copy to Stream File) command object authority required 382 CPYTOTAP (Copy to Tape) command object authority required 382 CQ (*CRQD change) file layout 587 CQ (change *CRQD object) journal entry type 277 create (*CREATE) audit level 272 create authority (CRTAUT) parameter description 139 displaying 158 risks 140 create authority (QCRTAUT) system value description 26 risk of changing 26 using 139 Create Authority Holder (CRTAUTHLR) command 153, 309, 314 Create Authorization List (CRTAUTL) command 166, 309 Create Command (CRTCMD) command ALWLMTUSR (allow limited user) parameter 83 PRDLIB (product library) parameter 210 security risks 210 Create Journal (CRTJRN) command 291

Create Journal Receiver (CRTJRNRCV) command 291 Create Library (CRTLIB) command 157 Create Menu (CRTMNU) command PRDLIB (product library) parameter 210 security risks 210 create object (CO) file layout 582 create object (CO) journal entry type 144, 272 create object auditing (CRTOBJAUD) value 70 create object auditing (QCRTOBJAUD) system value overview 70 Create Output Queue (CRTOUTQ) command 211, 214 Create User Profile (CRTUSRPRF) command description 311 using 118 Create User Profile display 117 Create Validation Lists (CRTVLDL) 243 creating audit journal 291 audit journal receiver 291 authority holder 153, 309, 314 authorization list 166, 309 command ALWLMTUSR (allow limited user) parameter 83 PRDLIB (product library) parameter 210 security risks 210 library 157 menu PRDLIB (product library) parameter 210 security risks 210 object audit journal (QAUDJRN) entry 144, 272 output queue 211, 214 program adopted authority 151 user profile audit journal (QAUDJRN) entry 277 command descriptions 311 example 118 methods 117 creating object object auditing 498 cross system product map (*CSPMAP) auditing 507 cross system product table (*CSPTBL) auditing 508 CRTADMDMN command authorized IBM-supplied user profiles 328 CRTALRTBL (Create Alert Table) command object authority required 350 CRTAUT (create authority) parameter description 139 displaying 158 risks 140

CRTAUTHLR (Create Authority Holder) command authorized IBM-supplied user profiles 328 considerations 153 description 309, 314 object authority required 352 CRTAUTL (Create Authorization List) command description 309 object authority required 352 using 166 CRTBESTMDL (Create Best/1-400 Model) command object authority required 455 CRTBNDC (Create Bound C Program) command object authority required 422 CRTBNDCBL (Create Bound COBOL Program) command object authority required 422 CRTBNDCL object authority required 422 CRTBNDCPP (Create Bound CPP Program) command object authority required 423 CRTBNDDIR (Create Binding Directory) command object authority required 353 CRTBNDRPG (Create Bound RPG Program) command object authority required 423 CRTBSCF (Create Bisync File) command object auditing 520 CRTCAD command authorized IBM-supplied user profiles 328 object authority required 356 CRTCBLMOD (Create COBOL Module) command object authority required 423 CRTCBLPGM (Create COBOL Program) command object authority required 424 CRTCFGL (Create Configuration List) command object authority required 362 CRTCKMKSF command object authority required 365 CRTCLD (Create C Locale Description) command object authority required 423 CRTCLMOD object authority required 423 CRTCLPGM (Create Control Language Program) command object authority required 424 CRTCLS (Create Class) command authorized IBM-supplied user profiles 328 object authority required 354 CRTCLU authorized IBM-supplied user profiles 328 CRTCLU command object authority required 356

CRTCMD (Create Command) command ALWLMTUSR (allow limited user) parameter 83 object authority required 359 PRDLIB (product library) parameter 210 security risks 210 CRTCMNF (Create Communications File) command object auditing 520 CRTCMOD (Create C Module) command object authority required 424 CRTCOSD (Create Class-of-Service Description) command object authority required 354 CRTCPPMOD (Create Bound CPP Module) command object authority required 424 CRTCRG authorized IBM-supplied user profiles 328 CRTCRQD (Create Change Request Description) command object authority required 353 CRTCSI (Create Communications Side Information) command object authority required 360 CRTCTLAPPC (Create Controller Description (APPC)) command object authority required 363 CRTCTLASC (Create Controller Description (Async)) command object authority required 363 CRTCTLBSC (Create Controller Description (BSC)) command object authority required 363 CRTCTLFNC (Create Controller Description (Finance)) command object authority required 363 CRTCTLHOST (Create Controller Description (SNA Host)) command object authority required 364 CRTCTLLWS (Create Controller Description (Local Workstation)) command object authority required 364 CRTCTLNET (Create Controller Description (Network)) command object authority required 364 CRTCTLRTL (Create Controller Description (Retail)) command object authority required 364 CRTCTLRWS (Create Controller Description (Remote Workstation)) command object authority required 364 CRTCTLTAP (Create Controller Description (Tape)) command object authority required 364 CRTCTLVWS (Create Controller Description (Virtual Workstation)) command object authority required 364 CRTDDMF (Create Distributed Data Management File) command object authority required 382

CRTDEVAPPC (Create Device Description (APPC)) command object authority required 367 CRTDEVASC (Create Device Description (Async)) command object authority required 367 CRTDEVASP (Create Device Description for Auxiliary Storage Pool) command object authority required 367 CRTDEVBSC (Create Device Description (BSC)) command object authority required 367 CRTDEVDSP (Create Device Description (Display)) command object authority required 367 CRTDEVFNC (Create Device Description (Finance)) command object authority required 367 CRTDEVHOST (Create Device Description (SNA Host)) command object authority required 367 CRTDEVINTR (Create Device Description (Intrasystem)) command object authority required 367 CRTDEVMLB command object authority required 367 CRTDEVNET (Create Device Description (Network)) command object authority required 367 CRTDEVNWSH command object authority required 367 CRTDEVOPT (Create Device Description (Optical) command object authority required 367 CRTDEVOPT (Create Device Description (Optical)) command object authority required 450 CRTDEVPRT (Create Device Description (Printer)) command object authority required 367 CRTDEVRTL (Create Device Description (Retail)) command object authority required 367 CRTDEVSNPT (Create Device Description (SNPT)) command object authority required 367 CRTDEVSNUF (Create Device Description (SNUF)) command object authority required 367 CRTDEVTAP (Create Device Description (Tape)) command object authority required 367 CRTDIR (Create Directory) command object auditing 511 CRTDKTF (Create Diskette File) command object authority required 382 CRTDOC (Create Document) command object authority required 373 CRTDSPF (Create Display File) command object auditing 520 object authority required 382 CRTDSTL (Create Distribution List) command object authority required 372

CRTDTAARA (Create Data Area) command object authority required 365 CRTDTADCT (Create a Data Dictionary) command object authority required 408 CRTDTAQ (Create Data Queue) command object authority required 366 CRTDUPOBJ (Create Duplicate Object) command object auditing 497 object authority required 342 CRTEDTD (Create Edit Description) command object authority required 378 CRTFCNARA authorized IBM-supplied user profiles 328 CRTFCNARA (Create Functional Area) command object authority required 455 CRTFCT (Create Forms Control Table) command object authority required 470 CRTFLR (Create Folder) command object auditing 515 object authority required 373 CRTFNTRSC (Create Font Resources) command object authority required 349 CRTFNTTBL (Create DBCS Font Table) object authority required for commands 349 CRTFORMDF (Create Form Definition) command object authority required 349 CRTFTR (Create Filter) command object authority required 386 CRTGDF (Create Graphics Data File) command object auditing 503 CRTGPHFMT authorized IBM-supplied user profiles 328 CRTGPHPKG authorized IBM-supplied user profiles 328 CRTGPHPKG (Create Graph Package) command object authority required 455 CRTGSS (Create Graphics Symbol Set) command object authority required 388 CRTHSTDTA authorized IBM-supplied user profiles 328 CRTHSTDTA (Create Historical Data) command object authority required 455 CRTICFF (Create ICF File) command object auditing 520 CRTICFF (Create Intersystem Communications Function File) command object authority required 383

CRTIGCDCT (Create DBCS Conversion Dictionary) command object authority required 378 CRTIMGCLG command object authority required 389 CRTJOBD (Create Job Description) command authorized IBM-supplied user profiles 328 object authority required 413 CRTJOBQ (Create Job Queue) command object authority required 414 CRTJRN (Create Journal) command creating audit (QAUDJRN) journal 291 object authority required 416 CRTJRNRCV (Create Journal Receiver) command creating audit (QAUDJRN) journal receiver 291 object authority required 419 CRTLASREP (Create Local Abstract Syntax) command authorized IBM-supplied user profiles 328 CRTLF (Create Logical File) command object auditing 520, 557 object authority required 383 CRTLIB (Create Library) command 157 object authority required 429 CRTLINASC (Create Line Description (Async)) command object authority required 434 CRTLINBSC (Create Line Description (BSC)) command object authority required 434 CRTLINDDI (Create Line Description (DDI Network)) command object authority required 434 CRTLINETH (Create Line Description (Ethernet)) command object authority required 434 CRTLINFAX (Create Line Description (FAX)) command object authority required 434 CRTLINFR (Create Line Description (Frame Relay Network)) command object authority required 434 CRTLINSDLC (Create Line Description (SDLC)) command object authority required 434 CRTLINTDLC (Create Line Description (TDLC)) command object authority required 434 CRTLINTRN (Create Line Description (Token-Ring Network)) command object authority required 434 CRTLINWLS (Create Line Description (Wireless)) command object authority required 435 CRTLINX25 (Create Line Description (X.25)) command object authority required 435 CRTLOCALE (Create Locale) command object authority required 435 CRTMNU (Create Menu) command object authority required 437

CRTMNU (Create Menu) command (continued) PRDLIB (product library) parameter 210 security risks 210 CRTMODD (Create Mode Description) command object authority required 440 CRTMSDF (Create Mixed Device File) command object auditing 520 CRTMSGF (Create Message File) command object authority required 439 CRTMSGFMNU (Create Message File Menu) command object authority required 484 CRTMSGQ (Create Message Queue) command object authority required 439 CRTNODL (Create Node List) command object authority required 447 CRTNTBD (Create NetBIOS Description) command object authority required 441 CRTNWIFR (Create Network Interface Description (Frame Relay Network)) command object authority required 444 CRTNWSALS (Create Network Server Alias) command object authority required 445 CRTNWSCFG command authorized IBM-supplied user profiles 328 object authority required 446 CRTNWSD (Create Network Server Description) command object authority required 446 CRTNWSSTG (Create Network Server Storage Space) command object authority required 444 CRTOBJAUD (create object auditing) value 70, 288 CRTOUTQ (Create Output Queue) command examples 214 object authority required 452 using 211 CRTOVL (Create Overlay) command object authority required 349 CRTPAGDFN (Create Page Definition) command object authority required 349 CRTPAGSEG (Create Page Segment) command object authority required 349 CRTPDG (Create Print Descriptor Group) command object authority required 459 CRTPEXDTA (Create Performance Explorer Data) command authorized IBM-supplied user profiles 328 CRTPF (Create Physical File) command object auditing 520 object authority required 383

CRTPFRDTA authorized IBM-supplied user profiles 328 CRTPFRDTA (Create Performance Data) command object authority required 456 CRTPFRSUM authorized IBM-supplied user profiles 328 CRTPFRSUM command object authority required 456 CRTPGM (Create Program) command object auditing 502, 533, 541, 552 CRTPNLGRP (Create Panel Group) command object authority required 437 CRTPRTF (Create Printer File) command object auditing 520 object authority required 383 CRTPSFCFG (Create Print Services Facility Configuration) command object authority required 459 CRTQMFORM (Create Query Management Form) command object auditing 543 object authority required 464 CRTQMQRY (Create Query Management Query) command object auditing 544 CRTQSTDB (Create Question and Answer Database) command authorized IBM-supplied user profiles 328 object authority required 466 CRTQSTLOD (Create Question-and-Answer Load) command authorized IBM-supplied user profiles 328 object authority required 466 CRTRJEBSCF (Create RJE BSC File) command object authority required 470 CRTRJECFG (Create RJE Configuration) command object authority required 470 CRTRJECMNF (Create RJE Communications File) command object authority required 470 CRTRNDCCFG (RNDC Configuration Utility) command object authority required 377 CRTRPGMOD (Create RPG Module) command object authority required 424 CRTRPGPGM (Create RPG/400 Program) command object authority required 425 CRTRPTPGM (Create Auto Report Program) command object authority required 425 CRTS36CBL (Create System/36 COBOL) command object authority required 425 CRTS36DSPF (Create System/36 Display File) command object authority required 383, 484

CRTS36MNU (Create System/36 Menu) command object authority required 437, 485 CRTS36MSGF (Create System/36 Message File) command object authority required 485 CRTS36RPG (Create System/36 RPG) command object authority required 425 CRTS36RPGR (Create System/36 RPGR) command object authority required 425 CRTS36RPT (Create System/36 Auto Report) command object authority required 425 CRTSAVF (Create Save File) command object authority required 383 CRTSBSD (Create Subsystem Description) command authorized IBM-supplied user profiles 328 object authority required 482 CRTSCHIDX (Create Search Index) command object authority required 409 CRTSPADCT (Create Spelling Aid Dictionary) command object auditing 550 object authority required 478 CRTSQLCBL (Create Structured Query Language COBOL) command object authority required 426 CRTSQLCBLI (Create Structured Query Language ILE COBOL Object) command object authority required 426 CRTSQLCI (Create Structured Query Language ILE C Object) command object authority required 425 CRTSQLCPPI (Create SQL ILE C++ Object) command object authority required 426 CRTSQLFTN (Create Structured Query Language FORTRAN) command object authority required 426 CRTSQLPKG (Create Structured Query Language Package) command object authority required 453 CRTSQLPLI (Create Structured Query Language PL/I) command object authority required 427 CRTSQLRPG (Create Structured Query Language RPG) command object authority required 427 CRTSQLRPGI (Create Structured Query Language ILE RPG Object) command object authority required 427 CRTSRCPF (Create Source Physical File) command object authority required 383 CRTSRVPGM (Create Service Program) command object auditing 502, 534, 552 object authority required 461 CRTSSND (Create Session Description) command object authority required 470

CRTTAPF (Create Tape File) command object authority required 384 CRTTBL (Create Table) command object authority required 487 CRTTIMZON command 489 CRTUDFS authorized IBM-supplied user profiles 328 CRTUDFS (Create User-Defined File System) command authorized IBM-supplied user profiles 328 object authority required 489 CRTUSRPRF (Create User Profile) command description 311 object authority required 491 using 118 CRTVLDL (Create Validation List) command authorized IBM-supplied user profiles 328 object authority required 493 CRTWSCST (Create Workstation Customizing Object) command object authority required 494 cryptographic configuration (CY) file layout 591 cryptography object authority required for commands 364 CU (Cluster Operations) file layout 587 CURLIB (current library) parameter user profile 81 current library changing limit capabilities 81 methods 207 recommendations 210 definition 81 library list 207, 210 limit capabilities 81 recommendations 210 user profile 81 current library (CURLIB) parameter user profile 81 customizing security values 713 CV (connection verification) file layout 589 CVTBASSTR (Convert BASIC Stream Files) command authorized IBM-supplied user profiles 328 object authority required 440 CVTBASUNF (Convert BASIC Unformatted Files) command authorized IBM-supplied user profiles 329 object authority required 440 CVTBGUDTA (Convert BGU Data) command authorized IBM-supplied user profiles 329 object authority required 440

CVTCLSRC (Convert CL Source) command object authority required 462 CVTDIR authorized IBM-supplied user profiles 329 CVTDIR (Convert Directory) command object authority required 394 CVTEDU (Convert Education) command object authority required 448 CVTIPSIFC (Convert IP over SNA Interface) command object authority required 350 CVTIPSLOC (Convert IP over SNA Location Entry) command object authority required 350 CVTOPTBKU (Convert Optical Backup) command object authority required 450 CVTPFRCOL (Convert Performance Collection) command authorized IBM-supplied user profiles 329 object authority required 456 CVTPFRDTA authorized IBM-supplied user profiles 329 CVTPFRDTA (Convert Performance Data) command object authority required 456 CVTPFRTHD authorized IBM-supplied user profiles 329 CVTPFRTHD (Convert Performance Thread Data) command object authority required 456 CVTRJEDTA (Convert RJE Data) command object authority required 470 CVTRPGSRC (Convert RPG Source) command object authority required 427 CVTS36FCT (Convert System/36 Forms Control Table) command authorized IBM-supplied user profiles 329 object authority required 440 CVTS36JOB (Convert System/36 Job) command authorized IBM-supplied user profiles 329 object authority required 440 CVTS38JOB (Convert System/38 Job) command authorized IBM-supplied user profiles 329 object authority required 440 CVTSQLCPP (Convert SQL C++ Source) command object authority required 427 CVTTCPCL (Convert TCP/IP CL) command object authority required 487 CVTTCPCL (Convert TCP/IP Control Language) command authorized IBM-supplied user profiles 329

CVTTOFLR (Convert to Folder) command object auditing 515 CY (cryptographic configuration) file layout 591

D
damaged audit journal 292 damaged authorization list recovering 254 data area object authority required for commands 365 data authority definition 132 data queue object authority required for commands 366 database share (QDBSHR) user profile 319 DB2LDIF command object authority required 370 DCEADM (QDCEADM) user profile 319 DCPOBJ (Decompress Object) command object auditing 499 object authority required 342 DDM (distributed data management) security 216 DDM request access (DDMACC) network attribute 216 DDMACC (DDM request access) network attribute 216 DDMACC (distributed data management access) network attribute 262 debug functions adopted authority 150 dedicated service tools (DST) auditing passwords 258 changing passwords 129 changing user ID 129 resetting password audit journal (QAUDJRN) entry 277 command description 311 Dedicated Service Tools (DST) users 128 default 319 *DFT delivery mode user profile 102 job description (QDFTJOBD) 96 object auditing 288 owner (QDFTOWN) user profile audit journal (QAUDJRN) entry 276 default values 319 description 145 restoring programs 253 sign-on security level 40 16 subsystem description 205 value IBM-supplied user profile 317 user profile 317 delete (*DELETE) audit level 272 delete (*DLT) authority 132, 338 Index

753

Delete Authority Holder (DLTAUTHLR) command 154, 309, 314 Delete Authorization List (DLTAUTL) command 169, 309 Delete Journal Receiver (DLTJRNRCV) command 294 Delete Kerberos Credentials Cache File (DLTKRBCCF) command object authority required 421 delete operation (DO) file layout 599 delete operation (DO) journal entry type 272 Delete Performance Collection (DLTPFRCOL) command authorized IBM-supplied user profiles 329 object authority required 456 Delete User Profile (DLTUSRPRF) command description 311 example 122 object ownership 143 Delete User Profile display 122 Delete Validation Lists (DLTVLDL) 243 deleting audit journal receiver 294 authority for user 161 authority holder 154, 309 authorization list 169, 309 object audit journal (QAUDJRN) entry 272 object owner profile 143 performance collection authorized IBM-supplied user profiles 329 object authority required 456 user profile command description 311 directory entry 122 distribution lists 122 message queue 122 owned objects 122 primary group 122 spooled files 124 user's authority 161 deleting object object auditing 498 delivery (DLVRY) parameter user profile 102 describing library security requirements 228 menu security 230 description (TEXT) parameter user profile 84 descriptor giving audit journal (QAUDJRN) entry 281 designing libraries 225 security 219 detaching audit journal receiver 293, 294 journal receiver 293 DEV (print device) parameter user profile 103

development commands Application 351 device authority to sign-on 201 securing 201 virtual automatic configuration (QAUTOVRT system value) 37 definition 37 device description authority to use 201 creating public authority 140 QCRTAUT (create authority) system value 140 definition 201 object authority required for commands 366 ownership changing 203 default owner 203 owned by QPGMR (programmer) profile 203 owned by QSECOFR (security officer) user profile 203 printing security-relevant parameters 709 securing 201 device description (*DEVD) auditing 509 device recovery action (QDEVRCYACN) system value 38 value set by CFGSYSSEC command 714 device session limiting LMTDEVSSN user profile parameter 93 QLMTDEVSSN system value 29 DI (Directory Server) file layout 594 digital ID if private authorization is not found. 116 directory authority 5 new objects 140 object authority required for commands 355, 369, 388, 390 security 138 working with 314 directory (*DIR) auditing 510 directory entry adding 314 changing 314 deleting user profile 122 removing 314 directory server auditing 512 object authority required for commands 369 directory server (DI) file layout 594 directory, system distribution commands for working with 314 disabled (*DISABLED) user profile status description 78 QSECOFR (security officer) user profile 78

disabling audit function 295 security level 40 19 security level 50 21 user profile 78 automatically 705 disconnected job time-out interval (QDSCJOBITV) system value 38 value set by CFGSYSSEC command 714 disk limiting use (MAXSTG) parameter 94 diskette object authority required for commands 436 Display Activation Schedule (DSPACTSCD) command description 705 Display Audit Journal Entries (DSPAUDJRNE) command description 315, 709 Display Authority (DSPAUT) command 310 Display Authority Holder (DSPAUTHLR) command 153, 309 Display Authorization List (DSPAUTL) command 309 Display Authorization List display displaying detail (*EXPERT user option) 106, 107, 108 Display Authorization List Document Library Objects (DSPAUTLDLO) command 313 Display Authorization List Objects (DSPAUTLOBJ) command 168, 309 Display Authorized Users (DSPAUTUSR) command auditing 301 description 311 example 125 Display Authorized Users (DSPAUTUSR) display 125, 301 Display Document Library Object Auditing (DSPDLOAUD) command 313 using 288 Display Document Library Object Authority (DSPDLOAUT) command 313 Display Expiration Schedule (DSPEXPSCD) command description 705 Display Job Description (DSPJOBD) command 261 Display Journal (DSPJRN) command audit (QAUDJRN) journal example 295 auditing file activity 236, 300 creating output file 296 displaying QAUDJRN (audit) journal 263 Display Kerberos Credentials Cache File (DSPKRBCCF) command object authority required 421

754

IBM i: Security Security reference

Display Kerberos Keytab Entries (DSPKRBKTE) command object authority required 421 Display Library (DSPLIB) command 303 Display Library Description (DSPLIBD) command CRTAUT parameter 158 Display Object Authority (DSPOBJAUT) command 303, 310 Display Object Authority display displaying detail (*EXPERT user option) 106, 107, 108 example 157, 159 Display Object Description (DSPOBJD) command 310 created by 144 object domain 15 program state 15 using 288 using output file 302 Display Program (DSPPGM) command adopted authority 151 program state 15 Display Programs That Adopt (DSPPGMADP) command auditing 303 description 312 using 151, 236 Display Security Auditing (DSPSECAUD) command description 707 Display Security Auditing Values (DSPSECAUD) command description 315 display service function *SERVICE (service) special authority 87 Display Service Program (DSPSRVPGM) command adopted authority 151 display sign-on information (QDSPSGNINF) system value value set by CFGSYSSEC command 714 Display Spooled File (DSPSPLF) command 211 display station pass-through object authority required for commands 370 target profile change audit journal (QAUDJRN) entry 281 Display User Profile (DSPUSRPRF) command description 311 using 125 using output file 302 displaying adopted authority command description 312 critical files 236 programs that adopt a profile 151 USRPRF parameter 151 all user profiles 125 audit (QAUDJRN) journal entries 263, 295 audit journal entries 315

displaying (continued) authority 154, 310 authority holders 153 command description 309 authorization list document library objects (DLO) 313 users 309 authorization list objects 168, 309 authorized users 301, 311 CRTAUT (create authority) parameter 158 document library object authority 313 job description 261 journal auditing file activity 236, 300 object originator 144 object auditing 288 object authority 303, 310 object description 310 object domain 15 path name 164 program adopt 151 program state 15 Display Program (DSPPGM) command 15 programs that adopt 151, 303 QAUDCTL (audit control) system value 315, 707 QAUDLVL (audit level) system value 315, 707 security auditing 315, 707 sign-on information DSPSGNINF user profile parameter 91 QDSPSGNINF system value 26 recommendations 91 spooled file 211 user profile activation schedule 705 active profile list 705 command description 311 expiration schedule 705 individual 125 summary list 125 distributed data management access (DDMACC) network attribute 262 distributed systems node executive (QDSNX) user profile 319 distribution object authority required for commands 371 distribution directory changing audit journal (QAUDJRN) entry 275 distribution directory, system commands for working with 314 distribution list deleting user profile 122 object authority required for commands 372 DLCOBJ (Deallocate Object) command object auditing 499 object authority required 342

DLO (document library object) authority command descriptions 313 DLTADMDMN command authorized IBM-supplied user profiles 329 DLTALR (Delete Alert) command object authority required 350 DLTALRTBL (Delete Alert Table) command object authority required 350 DLTAPARDTA (Delete APAR Data) command authorized IBM-supplied user profiles 329 object authority required 473 DLTAUTHLR (Delete Authority Holder) command description 309, 314 object authority required 352 using 154 DLTAUTL (Delete Authorization List) command description 309 object authority required 352 using 169 DLTBESTMDL (Delete BEST/1 Model) command authorized IBM-supplied user profiles 329 DLTBESTMDL (Delete Best/1-400 Model) command object authority required 456 DLTBNDDIR (Delete Binding Directory) command object authority required 353 DLTCAD authorized IBM-supplied user profiles 329 DLTCAD command object authority required 357 DLTCFGL (Delete Configuration List) command object authority required 362 DLTCHTFMT (Delete Chart Format) command object authority required 354 DLTCLD (Delete C Locale Description) command object authority required 428 DLTCLS (Delete Class) command object authority required 354 DLTCLU authorized IBM-supplied user profiles 329 DLTCLU command object authority required 357 DLTCMD (Delete Command) command object authority required 359 DLTCMNTRC (Delete Communications Trace) command authorized IBM-supplied user profiles 329 object authority required 473 DLTCNNL (Delete Connection List) command object authority required 362

DLTCOSD (Delete Class-of Service Description) command object authority required 354 DLTCRGCLU authorized IBM-supplied user profiles 329 DLTCRQD (Delete Change Request Description) command object authority required 353 DLTCSI (Delete Communications Side Information) command object authority required 360 DLTCTLD (Delete Controller Description) command object authority required 364 DLTDEVD (Delete Device Description) command object auditing 557 object authority required 367 DLTDFUPGM (Delete DFU Program) command object authority required 462 DLTDLO (Delete Document Library Object) command object auditing 515 object authority required 373 DLTDOCL (Delete Document List) command object auditing 515 object authority required 373 DLTDST (Delete Distribution) command object auditing 515 object authority required 371 DLTDSTL (Delete Distribution List) command object authority required 372 DLTDTAARA (Delete Data Area) command object authority required 365 DLTDTADCT (Delete Data Dictionary) command object authority required 408 DLTDTAQ (Delete Data Queue) command object authority required 366 DLTEDTD (Delete Edit Description) command object authority required 378 DLTEXPSPLF authorized IBM-supplied user profiles 329 DLTF (Delete File) command object authority required 384 DLTFCNARA authorized IBM-supplied user profiles 329 DLTFCNARA (Delete Functional Area) command object authority required 456 DLTFCT (Delete Forms Control Table) command object authority required 471 DLTFNTRSC (Delete Font Resources) command object authority required 349

DLTFNTTBL (Delete DBCS Font Table) object authority required for commands 349 DLTFORMDF (Delete Form Definition) command object authority required 349 DLTFTR (Delete Filter) command object authority required 386 DLTGPHFMT authorized IBM-supplied user profiles 329 DLTGPHFMT (Delete Graph Format) command object authority required 456 DLTGPHPKG authorized IBM-supplied user profiles 329 DLTGPHPKG (Delete Graph Package) command object authority required 456 DLTGSS (Delete Graphics Symbol Set) command object authority required 388 DLTHSTDTA authorized IBM-supplied user profiles 329 DLTHSTDTA (Delete Historical Data) command object authority required 456 DLTIGCDCT (Delete DBCS Conversion Dictionary) command object authority required 378 DLTIGCSRT (Delete IGC Sort) command object authority required 378 DLTIGCTBL (Delete DBCS Font Table) command object authority required 378 DLTIMGCLG command object authority required 389 DLTINTSVR command authorized IBM-supplied user profiles 329 DLTIPXD command 409 DLTJOBD (Delete Job Description) command object authority required 413 DLTJOBQ (Delete Job Queue) command object authority required 414 DLTJRN (Delete Journal) command object authority required 416 DLTJRNRCV (Delete Journal Receiver) command object authority required 419 stopping auditing function 294 DLTLIB (Delete Library) command object authority required 429 DLTLICPGM (Delete Licensed Program) command authorized IBM-supplied user profiles 329 object authority required 433 DLTLIND (Delete Line Description) command object authority required 435 DLTLOCALE (Create Locale) command object authority required 435

DLTMNU (Delete Menu) command object authority required 437 DLTMOD (Delete Module) command object authority required 441 DLTMODD (Delete Mode Description) command object authority required 440 DLTMSGF (Delete Message File) command object authority required 439 DLTMSGQ (Delete Message Queue) command object authority required 439 DLTNETF (Delete Network File) command object authority required 442 DLTNODL (Delete Node List) command object authority required 447 DLTNTBD (Delete NetBIOS Description) command object authority required 442 DLTNWID (Delete Network Interface Description) command object authority required 444 DLTNWSALS (Delete Network Server Alias) command object authority required 445 DLTNWSCFG command authorized IBM-supplied user profiles 329 object authority required 446 DLTNWSD (Delete Network Server Description) command object authority required 446 DLTNWSSTG (Delete Network Server Storage Space) command object authority required 444 DLTOBJ (Delete Object) command object authority required 342 DLTOUTQ (Delete Output Queue) command object authority required 452 DLTOVL (Delete Overlay) command object authority required 349 DLTPAGDFN (Delete Page Definition) command object authority required 349 DLTPAGSEG (Delete Page Segment) command object authority required 349 DLTPDG (Delete Print Descriptor Group) command object authority required 459 DLTPEXDTA authorized IBM-supplied user profiles 329 DLTPEXDTA (Delete Performance Explorer Data) command object authority required 456 DLTPFRCOL (Delete Performance Collection) command authorized IBM-supplied user profiles 329 object authority required 456 DLTPFRDTA authorized IBM-supplied user profiles 329

DLTPFRDTA (Delete Performance Data) command object authority required 456 DLTPGM (Delete Program) command object authority required 462 DLTPNLGRP (Delete Panel Group) command object authority required 437 DLTPRB (Delete Problem) command authorized IBM-supplied user profiles 329 object authority required 460 DLTPSFCFG (Delete Print Services Facility Configuration) command object authority required 459 DLTPTF (Delete PTF) command authorized IBM-supplied user profiles 329 object authority required 474 DLTQMFORM (Delete Query Management Form) command object authority required 465 DLTQMQRY (Delete Query Management Query) command object authority required 465 DLTQRY (Delete Query) command object auditing 545 object authority required 465 DLTQST (Delete Question) command authorized IBM-supplied user profiles 329 object authority required 466 DLTQSTDB (Delete Question-and-Answer Database) command authorized IBM-supplied user profiles 329 object authority required 466 DLTRJECFG (Delete RJE Configuration) command object authority required 471 DLTRMTPTF (Delete Remote PTF) command authorized IBM-supplied user profiles 329 DLTSBSD (Delete Subsystem Description) command object authority required 482 DLTSCHIDX (Delete Search Index) command object authority required 409 DLTSHF (Delete Bookshelf) command object auditing 515 DLTSMGOBJ (Delete Systems Management Object) command authorized IBM-supplied user profiles 329 DLTSPADCT (Delete Spelling Aid Dictionary) command object authority required 478 DLTSPLF (Delete Spooled File) command action auditing 551 object auditing 538 object authority required 479 DLTSQLPKG (Delete Structured Query Language Package) command object authority required 453

DLTSRVPGM (Delete Service Program) command object authority required 462 DLTSSND (Delete Session Description) command object authority required 471 DLTTBL (Delete Table) command object authority required 487 DLTTIMZON command 489 DLTTRC (Delete Trace) command object authority required 474 DLTUDFS (Delete User-Defined File System) command authorized IBM-supplied user profiles 329 object authority required 489 DLTUSRIDX (Delete User Index) command object authority required 489 DLTUSRPRF (Delete User Profile) command description 311 example 122 object auditing 558 object authority required 491 object ownership 143 DLTUSRQ (Delete User Queue) command object authority required 489 DLTUSRSPC (Delete User Space) command object authority required 489 DLTUSRTRC (Delete User Trace) command object authority required 410 DLTVLDL (Delete Validation List) command authorized IBM-supplied user profiles 329 object authority required 493 DLTWNTSVR command authorized IBM-supplied user profiles 329 DLTWSCST (Delete Workstation Customizing Object) command object authority required 494 DLVRY (message queue delivery) parameter user profile 102 DLYJOB (Delay Job) command object authority required 410 DMPCLPGM (Dump CL Program) command object auditing 541 object authority required 462 DMPDLO (Dump Document Library Object) command authorized IBM-supplied user profiles 329 object auditing 514 object authority required 373 DMPJOB (Dump Job) command authorized IBM-supplied user profiles 329 object authority required 474

DMPJOBINT (Dump Job Internal) command authorized IBM-supplied user profiles 330 object authority required 474 DMPJVM authorized IBM-supplied user profiles 330 DMPMEMINF authorized IBM-supplied user profiles 330 DMPOBJ (Dump Object) command authorized IBM-supplied user profiles 330 object auditing 497 object authority required 342 DMPSYSOBJ (Dump System Object) command authorized IBM-supplied user profiles 330 object auditing 497 object authority required 342 DMPTAP (Dump Tape) command object authority required 436 DMPTRC (Dump Trace) command authorized IBM-supplied user profiles 330 object authority required 456 DMPUSRPRF (Dump User Profile) command authorized IBM-supplied user profiles 330 DMPUSRTRC (Dump User Trace) command object authority required 410 DO (delete operation) file layout 599 DO (delete operation) journal entry type 272 DOCPWD (document password) parameter user profile 100 document library object (DLO) 245 object authority required for commands 372 password changes when restoring profile 248 password (DOCPWD user profile parameter) 100 QDOC profile 319 restoring 245 saving 245 document library object object auditing 514 document library object (DLO) adding authority 313 changing authority 313 changing owner 313 changing primary group 313 commands 313 displaying authority 313 displaying authorization list 313 editing authority 313 object authority required for commands 372 removing authority 313

document library object auditing changing command description 313 domain attribute, object description 15 displaying 15 Domain Name System object authority required for commands 376 double byte-character set dictionary (*IGCDCT) object auditing 525 double byte-character set sort (*IGCSRT) object auditing 526 double byte-character set table (*IGCTBL) object auditing 526 double-byte character set (DBCS) object authority required for commands 378 DS (DST password reset) journal entry type 277 DS (IBM-Supplied Service Tools User ID Reset) file layout 601 DSCJOB (Disconnect Job) command object authority required 410 DSPACC (Display Access Code) command object auditing 517 object authority required 447 DSPACCAUT (Display Access Code Authority) command object authority required 447 DSPACTPJ (Display Active Prestart Jobs) command object authority required 411 DSPACTPRFL (Display Active Profile List) command description 705 object authority required 491 DSPACTSCD (Display Activation Schedule) command description 705 object authority required 492 DSPASPCPYD command authorized IBM-supplied user profiles 330 DSPASPSSN command authorized IBM-supplied user profiles 330 DSPASPSTS command object authority required 367 DSPAUDJRNE (Display Audit Journal Entries) command description 315, 709 object authority required 416 DSPAUT (Display Authority) command description 310 object auditing 512, 549, 555 object authority required 394 DSPAUTHLR (Display Authority Holder) command description 309 object auditing 502 object authority required 352 using 153 DSPAUTL (Display Authorization List) command description 309

DSPAUTL (Display Authorization List) command (continued) object auditing 501 object authority required 352 DSPAUTLDLO (Display Authorization List Document Library Objects) command description 313 object auditing 502 object authority required 352, 373 DSPAUTLOBJ (Display Authorization List Objects) command description 309 object auditing 501 object authority required 352 using 168 DSPAUTUSR (Display Authorized Users) command auditing 301 description 311 example 125 object authority required 492 DSPBCKSTS (Display Backup Status) command object authority required 448 DSPBCKUP (Display Backup Options) command object authority required 448 DSPBCKUPL (Display Backup List) command object authority required 448 DSPBKP (Display Breakpoints) command object authority required 462 DSPBNDDIR (Display Binding Directory) command object authority required 353 DSPBNDDIRE (Display Binding Directory) command object auditing 502 DSPCDEFNT (Display Coded Font) object authority required for commands 349 DSPCFGL (Display Configuration List) command object auditing 503 object authority required 362 DSPCHT (Display Chart) command object auditing 503 object authority required 354 DSPCKMKSFE command object authority required 365 DSPCLS (Display Class) command object auditing 505 object authority required 354 DSPCLUINF command authorized IBM-supplied user profiles 330 DSPCMD (Display Command) command object auditing 505 object authority required 359 DSPCNNL (Display Connection List) command object auditing 506 object authority required 362 DSPCNNSTS (Display Connection Status) command object authority required 367

DSPCOSD (Display Class-of-Service Description) command object auditing 507 object authority required 355 DSPCPCST (Display Check Pending Constraint) command object authority required 384 DSPCPCST (Display Check Pending Constraints) command object auditing 523 DSPCRGINF command authorized IBM-supplied user profiles 330 DSPCSI (Display Communications Side Information) command object auditing 507 object authority required 360 DSPCSPOBJ (Display CSP/AE Object) command object auditing 507, 508, 541 DSPCTLD (Display Controller Description) command object auditing 508 object authority required 364 DSPCURDIR (Display Current Directory) command object auditing 510 object authority required 394 DSPDBG (Display Debug) command object authority required 462 DSPDBGWCH (Display Debug Watches) command object authority required 462 DSPDBR (Display Database Relations) command object auditing 523 object authority required 384 DSPDDMF (Display Distributed Data Management File) command object authority required 384 DSPDEVD (Display Device Description) command object auditing 509 object authority required 367 DSPDIRE (Display Directory Entry) command object authority required 369 DSPDLOAUD (Display Document Library Object Auditing) command description 313 object auditing 514 object authority required 373 using 288 DSPDLOAUT (Display Document Library Object Authority) command description 313 object auditing 514 object authority required 373 DSPDLONAM (Display Document Library Object Name) command object authority required 373 DSPDOC (Display Document) command object auditing 514 object authority required 373 DSPDSTL (Display Distribution List) command object authority required 372

DSPDSTLOG (Display Distribution Log) command authorized IBM-supplied user profiles 330 object authority required 371 DSPDSTSRV (Display Distribution Services) command object authority required 371 DSPDTA (Display Data) command object authority required 384 DSPDTA (display data) parameter 211 DSPDTAARA (Display Data Area) command object auditing 517 object authority required 365 DSPDTADCT (Display Data Dictionary) command object authority required 408 DSPEDTD (Display Edit Description) command object auditing 519 object authority required 378 DSPEWCBCDE (Display Extended Wireless Controller Bar Code Entry) command object authority required 379 DSPEWCM (Display Extended Wireless Controller Member) command object authority required 379 DSPEWCPTCE (Display Extended Wireless Controller PTC Entry) command object authority required 379 DSPEWLM (Display Extended Wireless Line Member) command object authority required 379 DSPEXPSCD (Display Expiration Schedule) command description 705 object authority required 492 DSPF (Display File) command 394 DSPFD (Display File Description) command object auditing 523 object authority required 384 DSPFFD (Display File Field Description) command object auditing 523 object authority required 384 DSPFLR (Display Folder) command object authority required 373 DSPFNTRSCA (Display Font Resource Attributes) command object authority required 349 DSPFNTTBL (Display DBCS Font Table) object authority required for commands 349 DSPGDF (Display Graphics Data File) command object authority required 354 DSPHDWRSC (Display Hardware Resources) command object authority required 468 DSPHLPDOC (Display Help Document) command object auditing 514

DSPHSTGPH authorized IBM-supplied user profiles 330 DSPHSTGPH (Display Historical Graph) command object authority required 456 DSPIGCDCT (Display DBCS Conversion Dictionary) command object auditing 525 object authority required 378 DSPIPXD command 409 DSPJOB (Display Job) command object authority required 411 DSPJOBD (Display Job Description) command object auditing 527 object authority required 413 using 261 DSPJOBLOG (Display Job Log) command object authority required 411 DSPJRN (Display Journal) command audit (QAUDJRN) journal example 295 auditing file activity 236, 300 creating output file 296 displaying QAUDJRN (audit) journal 263 object auditing 528, 530 object authority required 417 DSPJRNA (S/38E) Work with Journal Attributes object auditing 530 DSPJRNMNU (S/38E) Work with Journal object auditing 530 DSPJRNRCVA (Display Journal Receiver Attributes) command object auditing 530 object authority required 420 DSPJVMJOB command object authority required 409 DSPLANADPP (Display LAN Adapter Profile) command object authority required 435 DSPLANSTS (Display LAN Status) command object authority required 435 DSPLIB (Display Library) command object auditing 530 object authority required 429 using 303 DSPLIBD (Display Library Description) command CRTAUT parameter 158 object authority required 429 DSPLICKEY (Display License Key) command object authority required 432 DSPLIND (Display Line Description) command object auditing 531 object authority required 435 DSPLNK object authority required 395 DSPLNK (Display Links) command object auditing 510, 548, 553, 556 DSPLOG (Display Log) command object auditing 535

DSPLOG (Display Log) command (continued) object authority required 439 DSPMFSINF (Display Mounted File System Information) command object authority required 443 DSPMGDSYSA (Display Managed System Attributes) command authorized IBM-supplied user profiles 330 DSPMNUA (Display Menu Attributes) command object auditing 533 object authority required 437 DSPMOD (Display Module) command object auditing 534 object authority required 441 DSPMODD (Display Mode Description) command object auditing 533 object authority required 440 DSPMODSRC (Display Module Source) command object auditing 520 object authority required 462 DSPMODSTS (Display Mode Status) command object auditing 509 object authority required 440 DSPMSG (Display Messages) command object auditing 535 object authority required 438 DSPMSGD (Display Message Descriptions) command object auditing 534 object authority required 439 DSPNETA (Display Network Attributes) command object authority required 442 DSPNTBD (Display NetBIOS Description) command object auditing 537 object authority required 442 DSPNWID (Display Network Interface Description) command object auditing 537 object authority required 444 DSPNWSA (Display Network Server Attribute) command object authority required 445 DSPNWSALS (Display Network Server Alias) command object authority required 445 DSPNWSCFG command authorized IBM-supplied user profiles 330 object authority required 446 DSPNWSD (Display Network Server Description) command object auditing 538 object authority required 446 DSPNWSSSN (Display Network Server Session) command object authority required 445 DSPNWSSTC (Display Network Server Statistics) command object authority required 445

DSPNWSSTG (Display Network Server Storage Space) command object authority required 445 DSPNWSUSR (Display Network Server User) command object authority required 445 DSPNWSUSRA (Display Network Server User Attribute) command object authority required 445 DSPOBJAUT (Display Object Authority) command description 310 object auditing 500 object authority required 342 using 303 DSPOBJD (Display Object Description) command created by 144 description 310 object auditing 500 object authority required 343 using 288 using output file 302 DSPOPT (Display Optical) command object authority required 450 DSPOPTLCK (Display Optical Lock) command object authority required 450 DSPOPTSVR (Display Optical Server) command object authority required 450 DSPPDGPRF (Display Print Descriptor Group Profile) command object authority required 459 DSPPFM (Display Physical File Member) command object auditing 520 object authority required 384 DSPPFRDTA authorized IBM-supplied user profiles 330 DSPPFRDTA (Display Performance Data) command object authority required 457 DSPPFRGPH authorized IBM-supplied user profiles 330 DSPPFRGPH (Display Performance Graph) command object authority required 457 DSPPGM (Display Program) command adopted authority 151 object auditing 541 object authority required 462 program state 15 DSPPGMADP (Display Program Adopt) command object authority required 492 DSPPGMADP (Display Programs that Adopt) command object auditing 558 DSPPGMADP (Display Programs That Adopt) command auditing 303 description 312 using 151, 236

DSPPGMREF (Display Program References) command object auditing 523 object authority required 462 DSPPGMVAR (Display Program Variable) command object authority required 462 DSPPRB (Display Problem) command object authority required 460 DSPPTF (Display Program Temporary Fix) command authorized IBM-supplied user profiles 330 object authority required 474 DSPPWRSCD (Display Power On/Off Schedule) command object authority required 448 DSPRCYAP (Display Recovery for Access Paths) command object auditing 501 object authority required 348 DSPRDBDIRE (Display Relational Database Directory Entry) command object authority required 467 DSPRJECFG (Display RJE Configuration) command object authority required 471 DSPS36 (Display System/36) command object auditing 557 object authority required 485 DSPSAVF (Display Save File) command object authority required 384 DSPSBSD (Display Subsystem Description) command object auditing 547 object authority required 482 DSPSECA (Display Security Attributes) command object authority required 472 DSPSECAUD (Display Security Auditing Values) command description 315 object authority required 472 DSPSECAUD (Display Security Auditing) command description 707 DSPSFWRSC (Display Software Resources) command object authority required 468 DSPSGNINF (display sign-on information) parameter user profile 91 DSPSOCSTS (Display Sphere of Control Status) command object authority required 478 DSPSPLF (Display Spooled File) command action auditing 550 DSPDTA parameter of output queue 211 object auditing 539 object authority required 480 DSPSRVA (Display Service Attributes) command object authority required 474

DSPSRVPGM (Display Service Program) command adopted authority 151 object auditing 552 object authority required 462 DSPSRVSTS (Display Service Status) command authorized IBM-supplied user profiles 330 object authority required 474 DSPSSTUSR (Display service tools user ID) command object authority required 474 DSPSSTUSR command object authority required 492 DSPSYSSTS (Display System Status) command object authority required 483 DSPSYSVAL (Display System Value) command object authority required 484 DSPTAP (Display Tape) command object authority required 436 DSPTAPCTG (Display Tape Cartridge) command object authority required 436 DSPTRC (Display Trace) command object authority required 462 DSPTRCDTA (Display Trace Data) command object authority required 462 DSPUDFS (Display User-Defined File System) command object authority required 489 DSPUSRPMN (Display User Permission) command object auditing 517 object authority required 447 DSPUSRPRF (Display User Profile) command description 311 object auditing 558 object authority required 492 using 125 using output file 302 DSPVTMAP (Display VT100 Keyboard Map) command object authority required 488 DST (dedicated service tools) auditing passwords 258 changing passwords 129 changing user ID 129 resetting password audit journal (QAUDJRN) entry 277 command description 311 DST password reset (DS) journal entry type 277 dump function *SERVICE (service) special authority 87 duplicate password (QPWDRQDDIF) system value 51 DUPOPT (Duplicate Optical) command object authority required 450 DUPTAP (Duplicate Tape) command object authority required 436

760

IBM i: Security Security reference

E
Edit Authorization List (EDTAUTL) command 167, 309 Edit Authorization List display displaying detail (*EXPERT user option) 106, 107, 108 edit description object authority required for commands 378 Edit Document Library Object Authority (EDTDLOAUT) command 313 Edit Library List (EDTLIBL) command 207 Edit Object Authority (EDTOBJAUT) command 159, 310 Edit Object Authority display displaying detail (*EXPERT user option) 106, 107, 108 editing authorization list 167, 309 document library object (DLO) authority 313 library list 207 object authority 159, 310 EDTAUTL (Edit Authorization List) command description 309 object auditing 501 object authority required 352 using 167 EDTBCKUPL (Edit Backup List) command object authority required 448 EDTCPCST (Edit Check Pending Constraints) command authorized IBM-supplied user profiles 330 object auditing 523 object authority required 384 EDTDEVRSC (Edit Device Resources) command object authority required 468 EDTDLOAUT (Edit Document Library Object Authority) command description 313 object auditing 514, 515 object authority required 373 EDTDOC (Edit Document) command object auditing 515 object authority required 373 EDTF (Edit file) command 397 EDTIGCDCT (Edit DBCS Conversion Dictionary) command object auditing 525 object authority required 378 EDTLIBL (Edit Library List) command object authority required 429 using 207 EDTOBJAUT (Edit Object Authority) command description 310 object auditing 500 object authority required 343 using 159

EDTQST (Edit Questions and Answers) command authorized IBM-supplied user profiles 330 object authority required 466 EDTRBDAP (Edit Rebuild Of Access Paths) command authorized IBM-supplied user profiles 330 EDTRCYAP (Edit Recovery for Access Paths) command authorized IBM-supplied user profiles 330 object auditing 500 object authority required 348 EDTS36PGMA (Edit System/36 Program Attributes) command object auditing 541 object authority required 485 EDTS36PRCA (Edit System/36 Procedure Attributes) command object auditing 522 object authority required 485 EDTS36SRCA (Edit System/36 Source Attributes) command object auditing 522 object authority required 485 EDTWSOAUT (Edit Workstation Object Authority) command object authority required 387 eim association (EIMASSOC) parameter user profile 110 EIMASSOC (eim association) parameter user profile 110 EJTEMLOUT (Eject Emulation Output) command object authority required 368 EML3270 (Emulate 3270 Display) command object authority required 369 EMLPRTKEY (Emulate Printer Key) command object authority required 368 emulation object authority required for commands 368 enabled (*ENABLED) user profile status 78 enabling QSECOFR (security officer) user profile 78 user profile automatically 705 sample program 125 ENCCPHK (Encipher Cipher Key) command authorized IBM-supplied user profiles 330 ENCFRMMSTK (Encipher from Master Key) command authorized IBM-supplied user profiles 330 encrypting password 76

ENCTOMSTK (Encipher to Master Key) command authorized IBM-supplied user profiles 330 End Job (ENDJOB) command QINACTMSGQ system value 28 ENDASPBAL authorized IBM-supplied user profiles 330 ENDASPBAL command 368 ENDASPSSN authorized IBM-supplied user profiles 330 ENDCAD authorized IBM-supplied user profiles 330 ENDCAD command object authority required 357 ENDCBLDBG (End COBOL Debug) command object authority required 428, 462 ENDCHTSVR authorized IBM-supplied user profiles 330 ENDCLNUP (End Cleanup) command object authority required 448 ENDCLUNOD authorized IBM-supplied user profiles 330 ENDCLUNOD command object authority required 357 ENDCMNTRC authorized IBM-supplied user profiles 330 ENDCMNTRC (End Communications Trace) command object authority required 474 ENDCMTCTL (End Commitment Control) command object authority required 360 ENDCPYSCN (End Copy Screen) command object authority required 474 ENDCRG authorized IBM-supplied user profiles 330 ENDCTLRCY (End Controller Recovery) command object auditing 508 object authority required 364 ENDDBG (End Debug) command object authority required 462 ENDDBGSVR (End Debug Server) command authorized IBM-supplied user profiles 330 ENDDBMON (End Database Monitor) command object authority required 459 ENDDEVRCY (End Device Recovery) command object auditing 509 object authority required 368 ENDDIRSHD (End Directory Shadow System) command object authority required 369


ENDDIRSHD (End Directory Shadowing) command object auditing 513 ENDDSKRGZ (End Disk Reorganization) command object authority required 370 ENDDW command authorized IBM-supplied user profiles 330 object authority required 457 ENDGRPJOB (End Group Job) command object authority required 411 ENDHOSTSVR authorized IBM-supplied user profiles 330 ENDHOSTSVR (End Host Server) command object authority required 388 ENDIDXMON (End Index Monitor) command authorized IBM-supplied user profiles 330 ending audit function 295 auditing 65, 66 connection audit journal (QAUDJRN) entry 273 disconnected job 38, 41 inactive job 27 ENDIPSIFC (End IP over SNA Interface) command authorized IBM-supplied user profiles 330 object authority required 350 ENDJOB (End Job) command action auditing 551 object authority required 411 QINACTMSGQ system value 28 ENDJOBABN (End Job Abnormal) command authorized IBM-supplied user profiles 330 object authority required 411 ENDJOBTRC authorized IBM-supplied user profiles 330 ENDJOBTRC (End Job Trace) command object authority required 457 ENDJRN (End Journal) command object authority required 398, 417 ENDJRN (End Journaling) command object auditing 498 ENDJRNAP (End Journal Access Path) command object authority required 417 ENDJRNLIB (End Journaling the Library) command object authority required 417 ENDJRNPF (End Journal Physical File Changes) command object authority required 417 ENDJRNxxx (End Journaling) command object auditing 529 ENDJW command authorized IBM-supplied user profiles 331

ENDJW command (continued) object authority required 457 ENDLINRCY (End Line Recovery) command object auditing 531 object authority required 435 ENDLOGSVR (End Job Log Server) command object authority required 411 ENDMGDSYS (End Managed System) command authorized IBM-supplied user profiles 331 ENDMGRSRV (End Manager Services) command authorized IBM-supplied user profiles 331 ENDMOD (End Mode) command object auditing 533 object authority required 440 ENDMSF (End Mail Server Framework) command authorized IBM-supplied user profiles 331 object authority required 436 ENDNFSSVR (End Network File System Server) command authorized IBM-supplied user profiles 331 object authority required 443 ENDNWIRCY (End Network Interface Recovery) command object auditing 537 ENDPASTHR (End Pass-Through) command object authority required 370 ENDPEX (End Performance Explorer) command authorized IBM-supplied user profiles 331 object authority required 457 ENDPFRMON (End Performance Monitor) command object authority required 459 ENDPFRTRC (End Performance Trace) command authorized IBM-supplied user profiles 331 ENDPJ (End Prestart Jobs) command action auditing 551 object authority required 411 ENDPRTEML (End Printer Emulation) command object authority required 368 ENDRDR (End Reader) command object authority required 467 ENDRJESSN (End RJE Session) command object authority required 471 ENDRQS (End Request) command object authority required 462 ENDS36 (End System/36) command object auditing 557 ENDSBS (End Subsystem) command object auditing 546 object authority required 482

ENDSRVJOB (End Service Job) command authorized IBM-supplied user profiles 331 object authority required 474 ENDSYS (End System) command object authority required 483 ENDSYSMGR (End System Manager) command authorized IBM-supplied user profiles 331 ENDTCP (End TCP/IP) command authorized IBM-supplied user profiles 331 ENDTCPCNN (End TCP/IP Connection) command authorized IBM-supplied user profiles 331 ENDTCP (End TCP/IP) command object authority required 488 ENDTCPIFC (End TCP/IP Interface) command object authority required 488 object authority required 488 ENDTCPIFC authorized IBM-supplied user profiles 331 ENDTCPPTP (End Point-to-Point TCP/IP) command object authority required 487 ENDTCPSRV (End TCP/IP Service) command object authority required 487 ENDTCPSVR (End TCP/IP Server) command authorized IBM-supplied user profiles 331 ENDTRC (End Trace) command object authority required 474 ENDWCH (End Watch) command authorized IBM-supplied user profiles 331 ENDWCH command object authority required 474 ENDWTR (End Writer) command object authority required 494 enhanced hardware storage protection audit journal (QAUDJRN) entry 276 security level 40 17 enrolling users 118 ENTCBLDBG (Enter COBOL Debug) command object authority required 428, 462 Entries journal entries auditing 270 security 270 EV (Environment variable) file layout 602 example adopted authority application design 230, 233 authority checking process 190, 192 assistance level changing 80


example (continued) authority checking adopted authority 190, 192 authorization list 193 group authority 187 ignoring group authority 191 primary group 187 public authority 189, 191 changing assistance levels 80 system portion of library list 227 controlling user library list 227 describing library security 228 menu security 230 enabling user profile 125 ignoring adopted authority 232 JKL Toy Company applications 219 library list changing system portion 227 controlling user portion 227 program 227 security risk 208 library security describing 228 planning 225 menu security describing 230 password validation exit program 62 password validation program 61 public authority creating new objects 139 restricting save and restore commands 217 RSTLICPGM (Restore Licensed Program) command 253 securing output queues 214 exceeding account limit audit journal (QAUDJRN) entry 284 exclude (*EXCLUDE) authority 133 execute (*EXECUTE) authority 132, 338 existence (*OBJEXIST) authority 132, 338 exit 62 exit points user profile 128 expert (*EXPERT) user option 106, 107, 108, 160 expiration password (QPWDEXPITV system value) 47 password (QPWDEXPWRN system value) 48 user profile displaying schedule 705 setting schedule 705 extended wireless LAN configuration object authority required for commands 379 EXTPGMINF (Extract Program Information) command object authority required 462

F
faccessx (Determine file accessibility for a class of users by descriptor) command object auditing 510 failure sign-on *ALLOBJ (all object) special authority 201 *SERVICE (service) special authority 201 QSECOFR (security officer) user profile 201 field authorities 136 field authority definition 132 field-level security 236 FILDOC (File Document) command object auditing 516 object authority required 373 file journaling security tool 236 object authority required for commands 379 planning security 236 program-described holding authority when deleted 153 securing critical 236 fields 236 records 236 source securing 242 file (*FILE) object auditing 520 file layout 568 file security SQL 239 file transfer securing 216 filter object authority required for commands 386 filter (*FTR) object auditing 524 finance object authority required for commands 387 finance (QFNC) user profile 319 flowchart authority checking 170 determining special environment 90 device description authority 202 FNDSTRPDM (Find String Using PDM) command object authority required 351 folder security shared 216 font resource (*FNTRSC) object auditing 524 force conversion on restore (QFRCCVNRST) system value 43 force level audit records 66 form definition (*FORMDF) object auditing 524

forms control table object authority required for commands 468 FTP (File Transfer Protocol) command object authority required 487 full audit (QAUDJRN) journal receiver 293 full-screen help (*HLPFULL) user option 108

G
GENCAT (Merge Message Catalog) command object authority required 384 GENCKMKSFE command object authority required 365 GENCMDDOC (Generate Command Documentation) command object authority required 359 GENCPHK (Generate Cipher Key) command authorized IBM-supplied user profiles 331 GENCRSDMNK (Generate Cross Domain Key) command authorized IBM-supplied user profiles 331 generic name example 163 generic record (GR) file layout 603 GENJVMDMP command object authority required 409 GENMAC (Generate Message Authentication Code) command authorized IBM-supplied user profiles 331 GENPIN (Generate Personal Identification Number) command authorized IBM-supplied user profiles 331 GENS36RPT (Generate System/36 Report) command authorized IBM-supplied user profiles 331 object authority required 440 GENS38RPT (Generate System/38 Report) command authorized IBM-supplied user profiles 331 object authority required 440 gid (group identification number) restoring 249 give descriptor (GS) file layout 608 give descriptor (GS) journal entry type 281 giving descriptor audit journal (QAUDJRN) entry 281 socket audit journal (QAUDJRN) entry 281 GO (Go to Menu) command object authority required 438 GR (generic record) file layout 603


Grant Object Authority (GRTOBJAUT) command 159, 310 affect on previous authority 162 multiple objects 162 Grant User Authority (GRTUSRAUT) command copying authority 121 description 311 recommendations 165 renaming profile 127 Grant User Permission (GRTUSRPMN) command 313 granting authority using referenced object 165 object authority 310 affect on previous authority 162 multiple objects 162 user authority command description 311 user permission 313 graphic symbols set (*GSS) object auditing 525 graphical operations object authority required for commands 387 graphics symbol set object authority required for commands 388 group authority displaying 156 primary introduction 5 group (*GROUP) authority 156 group authority adopted authority 150 authority checking example 187, 191 description 131 GRPAUT user profile parameter 98, 143, 145 GRPAUTTYP user profile parameter 98, 145 group authority type GRPAUTTYP user profile parameter 98 group identification number (gid) restoring 249 group job adopted authority 150 group profile auditing *ALLOBJ special authority 260 membership 260 password 259 authorization list comparison 241 comparison authorization list 241 GRPPRF user profile parameter changes when restoring profile 248 description 97 introduction 4, 74 multiple planning 240 naming 76 object ownership 143

group profile (continued) password 76 planning 239 primary 144 planning 240 resource security 5, 131 supplemental SUPGRPPRF (supplemental groups) parameter 99 user profile description 97 user profile parameter changes when restoring profile 248 GRPAUT (group authority) parameter user profile 98, 143, 145 GRPAUTTYP (group authority type) parameter user profile 98, 145 GRPPRF (group profile) parameter user profile description 97 example 145 GRTACCAUT (Grant Access Code Authority) command authorized IBM-supplied user profiles 331 object auditing 516 object authority required 447 GRTOBJAUT (Grant Object Authority) command 159 affect on previous authority 162 description 310 multiple objects 162 object auditing 498 object authority required 343 GRTUSRAUT (Grant User Authority) command copying authority 121 description 311 object auditing 558 object authority required 492 recommendations 165 renaming profile 127 GRTUSRPMN (Grant User Permission) command description 313 object auditing 516 object authority required 447 GRTWSOAUT (Grant Workstation Object Authority) command object authority required 387 GS (give descriptor) file layout 608 GS (give descriptor) journal entry type 281

history (QHST) log using to monitor security 299 HLDCMNDEV (Hold Communications Device) command authorized IBM-supplied user profiles 331 object auditing 509 object authority required 368 HLDDSTQ (Hold Distribution Queue) command authorized IBM-supplied user profiles 331 object authority required 371 HLDJOB (Hold Job) command object authority required 411 HLDJOBQ (Hold Job Queue) command object auditing 527 object authority required 414 HLDJOBSCDE (Hold Job Schedule Entry) command object auditing 528 object authority required 415 HLDOUTQ (Hold Output Queue) command object auditing 538 object authority required 452 HLDRDR (Hold Reader) command object authority required 467 HLDSPLF (Hold Spooled File) command action auditing 551 object auditing 539 object authority required 480 HLDWTR (Hold Writer) command object authority required 494 hold (*HOLD) delivery mode user profile 102 home directory (HOMEDIR) parameter user profile 109 HOMEDIR (home directory) parameter user profile 109 host server object authority required for commands 388

H

hardware enhanced storage protection 17 object authority required for commands 468 help full screen (*HLPFULL) user option 108 help information displaying full screen (*HLPFULL user option) 108

I

IBM-supplied objects securing with authorization list 139 IBM-Supplied Service Tools User ID Reset (DS) file layout 601 IBM-supplied user profile ADSM (QADSM) 319 AFDFTUSR (QAFDFTUSR) 319 AFOWN (QAFOWN) 319 AFUSR (QAFUSR) 319 auditing 258 authority profile (QAUTPROF) 319 automatic install (QLPAUTO) 319 basic service (QSRVBAS) 319 BRM (QBRMS) 319 BRM user profile (QBRMS) 319 changing password 129 database share (QDBSHR) 319 DCEADM (QDCEADM) 319 default owner (QDFTOWN) default values 319 description 145


IBM-supplied user profile (continued) default values table 317 distributed systems node executive (QDSNX) 319 document (QDOC) 319 finance (QFNC) 319 IBM authority profile (QAUTPROF) 319 install licensed programs (QLPINSTALL) 319 mail server framework (QMSF) 319 NFS user profile (QNFSANON) 319 programmer (QPGMR) 319 purpose 128 QADSM (ADSM) 319 QAFDFTUSR (AFDFTUSR) 319 QAFOWN (AFOWN) 319 QAFUSR (AFUSR) 319 QAUTPROF (database share) 319 QAUTPROF (IBM authority profile) 319 QBRMS (BRM user profile) 319 QBRMS (BRM) 319 QDBSHR (database share) 319 QDCEADM (DCEADM) 319 QDFTOWN (default owner) default values 319 description 145 QDOC (document) 319 QDSNX (distributed systems node executive) 319 QFNC (finance) 319 QGATE (VM/MVS bridge) 319 QLPAUTO (licensed program automatic install) 319 QLPINSTALL (licensed program install) 319 QMSF (mail server framework) 319 QNFSANON (NFS user profile) 319 QPGMR (programmer) 319 QRJE (remote job entry) 319 QSECOFR (security officer) 319 QSNADS (Systems Network Architecture distribution services) 319 QSPL (spool) 319 QSPLJOB (spool job) 319 QSRV (service) 319 QSRVBAS (service basic) 319 QSYS (system) 319 QSYSOPR (system operator) 319 QTCP (TCP/IP) 319 QTMPLPD (TCP/IP printing support) 319 QTSTRQS (test request) 319 QUSER (workstation user) 319 remote job entry (QRJE) 319 restoring 249 restricted commands 325 security officer (QSECOFR) 319 service (QSRV) 319 service basic (QSRVBAS) 319 SNA distribution services (QSNADS) 319 spool (QSPL) 319 spool job (QSPLJOB) 319 system (QSYS) 319

IBM-supplied user profile (continued) system operator (QSYSOPR) 319 TCP/IP (QTCP) 319 TCP/IP printing support (QTMPLPD) 319 test request (QTSTRQS) 319 VM/MVS bridge (QGATE) 319 workstation user (QUSER) 319 ignoring adopted authority 152 image object authority required for commands 388 inactive job message queue (QINACTMSGQ) system value 28 time-out interval (QINACTITV) system value 27 user listing 302 inactive job message (CPI1126) 28 inactive job message queue (QINACTMSGQ) system value value set by CFGSYSSEC command 714 inactive job time-out interval (QINACTITV) system value value set by CFGSYSSEC command 714 INCLUDE command object authority required 428 incorrect password audit journal (QAUDJRN) entry 271 incorrect user ID audit journal (QAUDJRN) entry 271 information search index object authority required 409 initial library list current library 81 job description (JOBD) user profile 96 recommendations 210 relationship to library list for job 207 risks 210 initial menu *SIGNOFF 82 changing 82 preventing display 82 recommendation 84 user profile 82 initial menu (INLMNU) parameter user profile 82 initial program (INLPGM) parameter changing 81 user profile 81 initial program load (IPL) *JOBCTL (job control) special authority 86 INLMNU (initial menu) parameter user profile 82 INLPGM (initial program) parameter changing 81 user profile 81

INSINTSVR command authorized IBM-supplied user profiles 331 INSPTF (Install Program Temporary Fix) command authorized IBM-supplied user profiles 331 object authority required 474 INSRMTPRD (Install Remote Product) command authorized IBM-supplied user profiles 331 install licensed program (QLPINSTALL) user profile default values 319 restoring 249 install licensed program automatic (QLPAUTO) user profile restoring 249 installing operating system 255 INSWNTSVR command authorized IBM-supplied user profiles 331 integrated file system object authority required for commands 390 integrity 1 checking auditing use 262 description 304, 311 interactive data definition object authority required for commands 408 interactive data definition utility (IDDU) object auditing 518 interactive job routing SPCENV (special environment) parameter 90 security when starting 199 intermediate assistance level 74, 80 internal control block preventing modification 20 Internet security management (GS) file layout 615 Internet user validation lists 243 interprocess communication actions (IP) file layout 612 interprocess communications incorrect audit journal (QAUDJRN) entry 271 interprocess communications (IP) journal entry type 271 INZDSTQ (Initialize Distribution Queue) command authorized IBM-supplied user profiles 331 object authority required 371 INZNWSCFG command authorized IBM-supplied user profiles 331 object authority required 446 INZOPT (Initialize Optical) command object authority required 450


INZPFM (Initialize Physical File Member) command object auditing 522 object authority required 384 INZSYS (Initialize System) command authorized IBM-supplied user profiles 331 object authority required 433 INZTAP (Initialize Tape) command object authority required 436 IP (change ownership) journal entry type 281 IP (interprocess communication actions) file layout 612 IP (interprocess communications) journal entry type 271 IP rules actions (IR) file layout 613 IPC object changing audit journal (QAUDJRN) entry 281 IPL (initial program load) *JOBCTL (job control) special authority 86 IR (IP rules actions) file layout 613 IS (Internet security management) file layout 615 iSeries Access controlling sign-on 32 file transfer security 216 message function security 216 shared folder security 216 virtual printer security 216

J
jar files class files 243 Java object authority required for commands 409 JD (job description change) file layout 617 JD (job description change) journal entry type 281 JKL Toy Company diagram of applications 219 job *JOBCTL (job control) special authority 86 automatic cancelation 38, 41 changing adopted authority 151 audit journal (QAUDJRN) entry 273 disconnected job interval (QDSCJOBITV) system value 38 inactive time-out interval (QINACTITV) system value 27 object authority required for commands 410 restricting to batch 218 scheduling 218 security when starting 199 verify object on restore (QVFYOBJRST) system value 41

job accounting user profile 100 job action (JOBACN) network attribute 214, 262 job change (*JOBDTA) audit level 273 job change (JS) file layout 618 job change (JS) journal entry type 273 job control (*JOBCTL) special authority functions allowed 86 output queue parameters 212 priority limit (PTYLMT) 95 risks 86 job description changing audit journal (QAUDJRN) entry 281 communications entry 206 default (QDFTJOBD) 96 displaying 261 monitoring 261 object authority required for commands 413 printing security-relevant parameters 709 protecting 16 protecting system resources 218 QDFTJOBD (default) 96 recommendations 96 restoring audit journal (QAUDJRN) entry 276 security issues 206 security level 40 16 USER parameter 206 user profile 96 workstation entry 206 job description (*JOBD) object auditing 526 job description (JOBD) parameter user profile 96 job description change (JD) file layout 617 job description change (JD) journal entry type 281 job description violation audit journal (QAUDJRN) entry 16 job initiation adopted authority 200 Attention-key-handling program 200 job queue *JOBCTL (job control) special authority 86 *OPRCTL (operator control) parameter 86 *SPLCTL (spool control) special authority 86 object authority required for commands 414 printing security-relevant parameters 315, 711 job queue (*JOBQ) auditing 527 job schedule object authority required for commands 415 job scheduler (*JOBSCD) auditing 528 JOBACN (job action) network attribute 214, 262

JOBD (job description) parameter user profile 96 journal audit (QAUDJRN) introduction 262 displaying auditing file activity 236, 300 managing 293 object authority required for commands 415 using to monitor security 300 working with 301 journal (*JRN) auditing 528 journal attributes working with 301 Journal Entries security auditing 270 journal entry sending 292 journal receiver changing 294 deleting 294 detaching 293, 294 managing 293 maximum storage (MAXSTG) 94 object authority required for commands 419 storage needed 94 journal receiver (*JRNRCV) auditing 530 journal receiver, audit creating 291 naming 291 saving 294 storage threshold 293 journal, audit 291 working with 294 journaling security tool 236 JRNAP (Journal Access Path) command object authority required 417 JRNAP (Start Journal Access Path) command object auditing 529 JRNPF (Journal Physical File) command object authority required 417 JRNPF (Start Journal Physical File) command object auditing 529 JS (job change) file layout 618 JS (job change) journal entry type 273

K
Kerberos object authority required for commands 420 kerberos authentication (X0) file layout 689 keyboard buffering KBDBUF user profile parameter QKBDBUF system value 94 keylock security 2 keylock switch auditing 258 KF (key ring file) file layout 623



L
LANGID (language identifier) parameter SRTSEQ user profile parameter 105 user profile 105 language identifier LANGID user profile parameter 105 QLANGID system value 105 SRTSEQ user profile parameter 105 language, programming object authority required for commands 422 large profiles planning applications 226 large user profile 302 LCLPWDMGT (local password management) parameter 92 LD (link, unlink, search directory) file layout 626 LDIF2DB command authorized IBM-supplied user profiles 331 object authority required 370 length of password 50 level 10 QSECURITY (security level) system value 12 level 20 QSECURITY (security level) system value 12 level 30 QSECURITY (security level) system value 13 level 40 internal control blocks 20 QSECURITY (security level) system value 14 level 50 internal control blocks 20 message handling 20 QSECURITY (security level) system value 19 QTEMP (temporary) library 19 validating parameters 17 level of security (QSECURITY) system value comparison of levels 9 level 20 12 level 30 13 level 40 14 level 50 19 overview 9 recommendations 11 special authority 11 user class 11 library authority definition 5 description 136 new objects 139 AUTOCFG (automatic device configuration) value 37 automatic device configuration (AUTOCFG) value 37 create authority (CRTAUT) parameter description 139 example 145 risks 140

library (continued) create authority (CRTAUT) parameter (continued) specifying 157 create object auditing (CRTOBJAUD) value 70 creating 157 CRTAUT (create authority) parameter description 139 example 145 risks 140 specifying 157 CRTOBJAUD (create object auditing) value 70 current 81 designing 225 listing all libraries 303 contents 303 object authority required for commands 428 object ownership 242 planning 225 printing list of subsystem descriptions 315 public authority specifying 157 QRETSVRSEC (retain server security) value 31 QTEMP (temporary) security level 50 19 restoring 245 retain server security (QRETSVRSEC) value 31 saving 245 security adopted authority 136 description 136 designing 225 example 225 guidelines 225 risks 135 library (*LIB) auditing 530 library list adding entries 207, 210 adopted authority 136 changing 207 current library description 207 recommendations 210 user profile 81 definition 207 editing 207 job description (JOBD) user profile 96 monitoring 261 product library description 207 recommendations 209 recommendations 209 removing entries 207 security risks 207, 208 system portion changing 227 description 207 recommendations 209

library list (continued) user portion controlling 227 description 207 recommendations 210 licensed program automatic install (QLPAUTO) user profile description 319 install (QLPINSTALL) user profile default values 319 object authority required for commands 433 restoring recommendations 253 security risks 253 licensed program automatic install (QLPAUTO) user profile restoring 249 licensed program install (QLPINSTALL) user profile restoring 249 limit capabilities (LMTCPB) parameter user profile 83 limit characters (QPWDLMTCHR) system value 51 limit repeated characters (QPWDLMTREP) system value 52 limit security officer (QLMTSECOFR) system value value set by CFGSYSSEC command 714 limiting capabilities 83 changing Attention-key-handling program 104 changing current library 81, 210 changing initial menu 82 changing initial program 81 commands allowed 83 functions allowed 83 listing users 302 LMTCPB user profile parameter 83 command line use 83 device sessions auditing 260 LMTDEVSSN user profile parameter 93 recommendations 93 device sessions (QLMTDEVSSN) system value sign-on description 29 multiple devices 29 disk usage (MAXSTG) 94 security officer (QLMTSECOFR) changing security levels 13 security officer (QLMTSECOFR) system value auditing 258 authority to device descriptions 201 description 29 sign-on process 203 sign-on attempts (QMAXSGNACN) system value 30


limiting (continued) sign-on (continued) attempts (QMAXSIGN) system value 30 sign-on attempts auditing 258, 262 use of system resources priority limit (PTYLMT) parameter 95 line description object authority required for commands 433 line description (*LIND) auditing 531 link object authority required for commands 355, 390 listing all libraries 303 authority holders 153 library contents 303 selected user profiles 302 system values 258 user profile individual 125 summary list 125 Lists, Create Validation 243 Lists, Delete Validation 243 LMTDEVSSN (limit device sessions) parameter user profile 93 LNKDTADFN (Link Data Definition) command object auditing 518 object authority required 408 local socket (*SOCKET) auditing 548 locale object authority required for commands 435 LOCALE (user options) parameter user profile 107 LODIMGCLG command object authority required 389 LODIMGCLGE command object authority required 389 LODOPTFMW authorized IBM-supplied user profiles 331 LODOPTFMW command object authority required 450 LODPTF (Load Program Temporary Fix) command authorized IBM-supplied user profiles 331 object authority required 474 LODQSTDB (Load Question-and-Answer Database) command authorized IBM-supplied user profiles 331 object authority required 466 logging off network audit journal (QAUDJRN) entry 273 logging on network audit journal (QAUDJRN) entry 273

logical file
   securing
      fields 236
      records 236
LPR (Line Printer Requester) command
   object authority required 487

M
mail handling
   audit journal (QAUDJRN) entry 275
mail actions (ML) file layout 628
mail actions (ML) journal entry type 275
mail server framework
   object authority required for commands 436
mail server framework (QMSF) user profile 319
mail services action
   auditing 532
management (*OBJMGT) authority
   object 132, 338
managing
   audit journal 292
maximum
   auditing 258
   length of password (QPWDMAXLEN system value) 50
   sign-on attempts (QMAXSIGN) system value 258
      description 30
   size
      audit (QAUDJRN) journal receiver 293
   storage (MAXSTG) parameter
      authority holder 145
      group ownership of objects 143
      journal receiver 94
      restore operation 94
      user profile 94
maximum sign-on attempts (QMAXSIGN) system value
   value set by CFGSYSSEC command 714
maximum storage (MAXSTG) parameter
   authority holder transferred to QDFTOWN (default owner) 145
   group ownership of objects 143
   journal receiver 94
   restore operation 94
   user profile 94
MAXSTG (maximum storage) parameter
   authority holder transferred to QDFTOWN (default owner) 145
   group ownership of objects 143
   journal receiver 94
   restore operation 94
   user profile 94
media
   object authority required for commands 436

memory sharing control
   QSHRMEMCTL (share memory control) system value 35
menu
   changing
      PRDLIB (product library) parameter 210
      security risks 210
   creating
      PRDLIB (product library) parameter 210
      security risks 210
   designing for security 228
   initial 82
   object authority required for commands 437
   security tools 705
   user profile 82
menu (*MENU)
   auditing 533
Merge Source (Merge Source) command
   object authority required 384
message
   inactive timer (CPI1126) 28
   print notification (*PRTMSG user option) 108
   printing completion (*PRTMSG user option) 108
   restricting content 20
   security monitoring 299
   status
      displaying (*STSMSG user option) 108
      not displaying (*NOSTSMSG user option) 108
message description
   object authority required for commands 439
message file
   object authority required for commands 439
message file (*MSGF)
   auditing 534
message function (iSeries Access)
   securing 216
message queue
   *BREAK (break) delivery mode 102
   *DFT (default) delivery mode 102
   *HOLD (hold) delivery mode 102
   *NOTIFY (notify) delivery mode 102
   automatic creation 101
   default responses 102
   inactive job (QINACTMSGQ) system value 28
   object authority required for commands 439
   QSYSMSG 299
   QMAXSGNACN (action when attempts reached) system value 31
   QMAXSIGN (maximum sign-on attempts) system value 30
   recommendation
      MSGQ user profile parameter 101
   restricting 207
   severity (SEV) parameter 102

768

IBM i: Security Security reference

message queue (continued)
   user profile
      deleting 122
      delivery (DLVRY) parameter 102
      recommendations 101
      severity (SEV) parameter 102
message queue (*MSGQ)
   auditing 535
message queue (MSGQ) parameter
   user profile 101
MGRS36 (Migrate System/36) command
   authorized IBM-supplied user profiles 331
MGRS36APF
   authorized IBM-supplied user profiles 331
MGRS36CBL
   authorized IBM-supplied user profiles 331
MGRS36DFU
   authorized IBM-supplied user profiles 331
MGRS36DSPF
   authorized IBM-supplied user profiles 331
MGRS36ITM (Migrate System/36 Item) command
   authorized IBM-supplied user profiles 331
   object authority required 440
MGRS36LIB
   authorized IBM-supplied user profiles 332
MGRS36MNU
   authorized IBM-supplied user profiles 332
MGRS36MSGF
   authorized IBM-supplied user profiles 332
MGRS36QRY
   authorized IBM-supplied user profiles 332
MGRS36RPG
   authorized IBM-supplied user profiles 332
MGRS36SEC
   authorized IBM-supplied user profiles 332
MGRS38OBJ (Migrate System/38 Objects) command
   authorized IBM-supplied user profiles 332
   object authority required 440
MGRTCPHT (Merge TCP/IP Host Table) command
   object authority required 488
MIGRATE
   authorized IBM-supplied user profiles 332
migrating
   security level (QSECURITY) system value
      level 10 to level 20 12
      level 20 to level 30 13
      level 20 to level 40 18
      level 20 to level 50 20
      level 30 to level 20 13
      level 30 to level 40 18

migrating (continued)
   security level (QSECURITY) system value (continued)
      level 30 to level 50 20
      level 40 to level 20 13
migration
   object authority required for commands 440
minimum length of password (QPWDMINLEN) system value 50
ML (mail actions) file layout 628
ML (mail actions) journal entry type 275
mode description
   object authority required for commands 440
mode description (*MODD)
   auditing 533
mode of access
   definition 132
module
   binding directory 441
   object authority required for commands 441
module (*MODULE)
   auditing 533
monitoring
   *ALLOBJ (all object) special authority 260
   adopted authority 261
   authority
      user profiles 261
   authorization 261
   checklist for 257
   communications 262
   encryption of sensitive data 262
   group profile
      membership 260
      password 259
   IBM-supplied user profiles 258
   inactive users 260
   job descriptions 261
   library lists 261
   limit capabilities 260
   message security 299
   methods 299
   network attributes 262
   object authority 303
   object integrity 304
   overview 257
   password controls 259
   physical security 258
   program failure 303
   programmer authorities 260
   remote sign-on 262
   security officer 305
   sensitive data
      authority 261
      encrypting 262
   sign-on without user ID and password 261
   system values 258
   unauthorized access 262
   unauthorized programs 262
   unsupported interfaces 262
   user profile administration 260

monitoring (continued)
   using
      journals 300
      QHST (history) log 299
      QSYSMSG message queue 262
MOUNT (Add Mounted File System) command
   object authority required 443, 489
MOV
   object authority required 398
MOV (Move) command
   object auditing 511, 553, 554, 556
MOVDOC (Move Document) command
   object auditing 516
   object authority required 373
moving
   object
      audit journal (QAUDJRN) entry 275
   spooled file 211
MOVOBJ (Move Object) command
   object auditing 498, 531
   object authority required 343
MRGDOC (Merge Document) command
   object auditing 514, 516
   object authority required 373
MRGFORMD (Merge Form Description) command
   object authority required 351
MRGMSGF (Merge Message File) command
   object auditing 534
   object authority required 439
MSGQ (message queue) parameter
   user profile 101
multiple group
   example 194
   planning 240

N
NA (network attribute change) file layout 628
NA (network attribute change) journal entry type 281
naming
   audit journal receiver 291
   group profile 75, 76
   user profile 75
national language version (NLV)
   command security 235
ND (APPN directory) file layout 629
NE (APPN end point) file layout 630
NetBIOS description
   object authority required for commands 441
NetBIOS description (*NTBD)
   auditing 536
NETSTAT (Network Status) command
   object authority required 488
network
   logging off
      audit journal (QAUDJRN) entry 273


network (continued)
   logging on
      audit journal (QAUDJRN) entry 273
   password
      audit journal (QAUDJRN) entry 271
network attribute
   *SECADM (security administrator) special authority 85
   changing
      audit journal (QAUDJRN) entry 281
      command 214
   client request access (PCSACC) 215
   command for setting 316, 713
   DDM request access (DDMACC) 216
   DDMACC (DDM request access) 216
   DDMACC (distributed data management access) 262
   distributed data management access (DDMACC) 262
   job action (JOBACN) 214, 262
   JOBACN (job action) 214, 262
   object authority required for commands 442
   PC Support (PCSACC) 262
   PCSACC (client request access) 215
   PCSACC (PC Support access) 262
   printing security-relevant 709
network attribute change (NA) file layout 628
network attribute change (NA) journal entry type 281
network attributes
   printing security-relevant communications 316
   printing security-relevant 316
network interface (*NWID)
   auditing 537
network interface description
   object authority required for commands 444
network log on and off (VN) file layout 682
network log on or off (VN) journal entry type 273
network password error (VP) file layout 684
network password error (VP) journal entry type 271
network profile
   changing
      audit journal (QAUDJRN) entry 282
network profile change (VU) file layout 687
network profile change (VU) journal entry type 282
network resource access (VR) file layout 685
Network Server
   object authority required for commands 444
network server configuration
   object authority required for commands 446

network server description
   object authority required for commands 446
network server description (*NWSD)
   auditing 538
network spooled file
   sending 211
new object
   authority
      CRTAUT (create authority) parameter 139, 157
      GRPAUT (group authority) parameter 98, 143
      GRPAUTTYP (group authority type) parameter 98
   authority (QCRTAUT system value) 26
   authority (QUSEADPAUT system value) 35
   authority example 145
   ownership example 145
NLV (national language version)
   command security 235
node group (*NODGRP)
   auditing 536
node list
   object authority required for commands 447
node list (*NODL)
   auditing 536
notification, message
   DLVRY (message queue delivery) parameter
      user profile 102
no status message (*NOSTSMSG) user option 108
notify (*NOTIFY) delivery mode
   user profile 102
number required in password 53
numeric character required in password 53
numeric password 76
numeric user ID 75

O
OBJAUD (object auditing) parameter
   user profile 112
object
   (*Mgt) authority 132
   (*Ref) authority 132
   add (*ADD) authority 132, 338
   altered
      checking 304
   assigning authority and ownership 145
   auditing
      changing 88
      default 288
   authority
      *ALL (all) 134, 339
      *CHANGE (change) 134, 339
      *USE (use) 134, 339
      changing 159
      commonly used subsets 133
      new 140
      new object 139
      storing 247
      system-defined subsets 133

object (continued)
   authority (continued)
      using referenced 165
   authority required for commands 341
   controlling access 15
   default owner (QDFTOWN) user profile 145
   delete (*DLT) authority 132, 338
   displaying originator 144
   domain attribute 15
   execute (*EXECUTE) authority 132, 338
   existence (*OBJEXIST) authority 132, 338
   failure of unsupported interface 15
   management (*OBJMGT) authority 132, 338
   non-IBM
      printing list 315
   operational (*OBJOPR) authority 132, 337
   ownership
      introduction 5
   primary group 122, 144
   printing
      adopted authority 709
      authority source 709
      non-IBM 709
   read (*READ) authority 132, 338
   restoring 245, 249
   saving 245
   securing with authorization list 167
   state attribute 15
   storing authority 246, 247
   update (*UPD) authority 132, 338
   user domain
      restricting 19
      security exposure 19
   working with 310
object alter (*OBJALTER) authority 132, 338
object auditing
   *ALRTBL (alert table) object 501
   *AUTHLR (authority holder) object 502
   *AUTL (authorization list) object 501
   *BNDDIR (binding directory) object 502
   *CFGL (configuration list) object 503
   *CHTFMT (chart format) object 503
   *CLD (C locale description) object 504
   *CLS (Class) object 505
   *CMD (Command) object 505
   *CNNL (connection list) object 506
   *COSD (class-of-service description) object 507
   *CRQD (change request description) object 504
   *CSI (communications side information) object 507
   *CSPMAP (cross system product map) object 507


object auditing (continued)
   *CSPTBL (cross system product table) object 508
   *CTLD (controller description) object 508
   *DEVD (device description) object 509
   *DIR (directory) object 510
   *DOC (document) object 514
   *DTAARA (data area) object 517
   *DTADCT (data dictionary) object 518
   *DTAQ (data queue) object 518
   *EDTD (edit description) object 519
   *EXITRG (exit registration) object 519
   *FCT (forms control table) object 520
   *FILE (file) object 520
   *FLR (folder) object 514
   *FNTRSC (font resource) object 524
   *FORMDF (form definition) object 524
   *FTR (filter) object 524
   *GSS (graphic symbols set) object 525
   *IGCDCT (double-byte character set dictionary) object 525
   *IGCSRT (double-byte character set sort) object 526
   *IGCTBL (double-byte character set table) object 526
   *JOBD (job description) object 526
   *JOBQ (job queue) object 527
   *JOBSCD (job scheduler) object 528
   *JRN (journal) object 528
   *JRNRCV (journal receiver) object 530
   *LIB (library) object 530
   *LIND (line description) object 531
   *MENU (menu) object 533
   *MODD (mode description) object 533
   *MODULE (module) object 533
   *MSGF (message file) object 534
   *MSGQ (message queue) object 535
   *NODGRP (node group) object 536
   *NODL (node list) object 536
   *NTBD (NetBIOS description) object 536
   *NWID (network interface) object 537
   *NWSD (network server description) object 538
   *OUTQ (output queue) object 538
   *OVL (overlay) object 539
   *PAGDFN (page definition) object 540
   *PAGSEG (page segment) object 540
   *PDG (print descriptor group) object 540
   *PGM (program) object 540
   *PNLGRP (panel group) object 542
   *PRDAVL (product availability) object 542
   *PRDDFN (product definition) object 543
   *PRDLOD (product load) object 543

object auditing (continued)
   *QMFORM (query manager form) object 543
   *QMQRY (query manager query) object 544
   *QRYDFN (query definition) object 544
   *RCT (reference code table) object 545
   *S36 (S/36 machine description) object 556
   *SBSD (subsystem description) object 546
   *SCHIDX (search index) object 547
   *SOCKET (local socket) object 548
   *SPADCT (spelling aid dictionary) object 550
   *SQLPKG (SQL package) object 552
   *SRVPGM (service program) object 552
   *SSND (session description) object 553
   *STMF (stream file) object 553
   *SVRSTG (server storage space) object 553
   *SYMLNK (symbolic link) object 555
   *TBL (table) object 557
   *USRIDX (user index) object 557
   *USRPRF (user profile) object 558
   *USRQ (user queue) object 559
   *USRSPC (user space) object 559
   *VLDL (validation list) object 560
   alert table (*ALRTBL) object 501
   authority holder (*AUTHLR) object 502
   authorization list (*AUTL) object 501
   binding directory (*BNDDIR) object 502
   C locale description (*CLD) object 504
   change request description (*CRQD) object 504
   changing
      command description 310, 313
   chart format (*CHTFMT) object 503
   Class (*CLS) object 505
   class-of-service description (*COSD) object 507
   Command (*CMD) object 505
   common operations 497
   communications side information (*CSI) object 507
   configuration list (*CFGL) object 503
   connection list (*CNNL) object 506
   controller description (*CTLD) object 508
   cross system product map (*CSPMAP) object 507
   cross system product table (*CSPTBL) object 508
   data area (*DTAARA) object 517
   data dictionary (*DTADCT) object 518
   data queue (*DTAQ) object 518
   definition 286
   device description (*DEVD) object 509

object auditing (continued)
   directory (*DIR) object 510
   displaying 288
   document (*DOC) object 514
   double-byte character set dictionary (*IGCDCT) object 525
   double-byte character set sort (*IGCSRT) object 526
   double-byte character set table (*IGCTBL) object 526
   edit description (*EDTD) object 519
   exit registration (*EXITRG) object 519
   file (*FILE) object 520
   filter (*FTR) object 524
   folder (*FLR) object 514
   font resource (*FNTRSC) object 524
   form definition (*FORMDF) object 524
   forms control table (*FCT) object 520
   graphic symbols set (*GSS) object 525
   job description (*JOBD) object 526
   job queue (*JOBQ) object 527
   job scheduler (*JOBSCD) object 528
   journal (*JRN) object 528
   journal receiver (*JRNRCV) object 530
   library (*LIB) object 530
   line description (*LIND) object 531
   local socket (*SOCKET) object 548
   menu (*MENU) object 533
   message file (*MSGF) object 534
   message queue (*MSGQ) object 535
   mode description (*MODD) object 533
   module (*MODULE) object 533
   NetBIOS description (*NTBD) object 536
   network interface (*NWID) object 537
   network server description (*NWSD) object 538
   node group (*NODGRP) object 536
   node list (*NODL) object 536
   output queue (*OUTQ) object 538
   overlay (*OVL) object 539
   page definition (*PAGDFN) object 540
   page segment (*PAGSEG) object 540
   panel group (*PNLGRP) object 542
   planning 286
   print descriptor group (*PDG) object 540
   product availability (*PRDAVL) object 542
   product definition (*PRDDFN) object 543
   product load (*PRDLOD) object 543
   program (*PGM) object 540
   query definition (*QRYDFN) object 544
   query manager form (*QMFORM) object 543
   query manager query (*QMQRY) object 544
   reference code table (*RCT) object 545


object auditing (continued)
   S/36 machine description (*S36) object 556
   search index (*SCHIDX) object 547
   server storage space (*SVRSTG) object 553
   service program (*SRVPGM) object 552
   session description (*SSND) object 553
   spelling aid dictionary (*SPADCT) object 550
   SQL package (*SQLPKG) object 552
   stream file (*STMF) object 553
   subsystem description (*SBSD) object 546
   symbolic link (*SYMLNK) object 555
   table (*TBL) object 557
   user index (*USRIDX) object 557
   user profile (*USRPRF) object 558
   user queue (*USRQ) object 559
   user space (*USRSPC) object 559
   validation list (*VLDL) object 560
object auditing (OBJAUD) parameter
   user profile 112
object authority
   *ALLOBJ (all object) special authority 85
   *SAVSYS (save system) special authority 86
   access code commands 447
   access path recovery 348
   Advanced Function Printing commands 349
   AF_INET sockets over SNA 350
   alert commands 350
   alert description commands 350
   alert table commands 350
   analyzing 303
   authority holder commands 352
   authorization list commands 352
   backup commands 448
   binding directory 353
   change request description commands 353
   changing
      audit journal (QAUDJRN) entry 280
      procedures 159
   chart format commands 354
   class commands 354
   class-of-service description commands 354
   cleanup commands 448
   commands 310
   commitment control commands 360
   common object commands 341
   communications side information commands 360
   configuration commands 361
   configuration list commands 362
   connection list commands 362
   controller description commands 363
   cryptography commands 364
   data area commands 365
   data queue commands 366
   definition 132

object authority (continued)
   detail, displaying (*EXPERT user option) 106, 107, 108
   device description commands 366
   directory commands 369
   directory server commands 369
   display station pass-through commands 370
   displaying 303, 310
   displaying detail (*EXPERT user option) 106, 107, 108
   distribution commands 371
   distribution list commands 372
   DNS commands 376
   document commands 372
   document library object (DLO) commands 372
   Domain Name System commands 376
   double-byte character set commands 378
   edit description commands 378
   editing 159, 310
   emulation commands 368
   extended wireless LAN configuration commands 379
   file commands 379
   filter commands 386
   finance commands 387
   format on save media 247
   forms control table commands 468
   granting 310
      effect on previous authority 162
      multiple objects 162
   graphical operations 387
   graphics symbol set commands 388
   hardware commands 468
   host server 388
   information search index commands 409
   interactive data definition 408
   job commands 410
   job description commands 413
   job queue commands 414
   job schedule commands 415
   journal commands 415
   journal receiver commands 419
   Kerberos commands 420
   language commands 422
   library commands 428
   licensed program commands 433
   line description commands 433
   locale commands 435
   mail server framework commands 436
   media commands 436
   menu commands 437
   message description commands 439
   message file commands 439
   message queue commands 439
   migration commands 440
   mode description commands 440
   NetBIOS description commands 441
   network attribute commands 442
   network interface description commands 444
   Network Server commands 444

object authority (continued)
   network server configuration commands 446
   network server description commands 446
   node list commands 447
   online education commands 448
   Operational Assistant commands 448
   optical commands 449
   output queue commands 452
   package commands 453
   panel group commands 437
   performance commands 453
   printer output commands 479
   printer writer commands 494
   problem commands 460
   program commands 461
   program temporary fix (PTF) commands 473
   programming language commands 422
   PTF (program temporary fix) commands 473
   Query Management/400 commands 464
   question and answer commands 466
   reader commands 467
   relational database directory commands 467
   reply list commands 483
   required for *CMD commands 359
   resource commands 468
   revoking 310
   RJE (remote job entry) commands 468
   search index commands 409
   security attributes commands 472
   security audit commands 472
   server authentication 473
   service commands 473
   session commands 468
   spelling aid dictionary commands 478
   sphere of control commands 478
   spooled file commands 479
   storing 246, 247
   subsystem commands 481
   system commands 483
   system reply list commands 483
   system value commands 484
   System/36 environment commands 484
   table commands 487
   TCP/IP (Transmission Control Protocol/Internet Protocol) commands 487
   text index commands 447
   token-ring commands 435
   user index, queue, and space commands 489
   user permission commands 447
   user profile commands 489, 490
   validation list 493
   workstation customizing object commands 494
   writer commands 494


object description
   displaying 310
object domain
   definition 15
   displaying 15
object integrity
   auditing 304
object management (*OBJMGT) audit level 275
object management (OM) journal entry type 275
object ownership
   adopted authority 151
   ALWOBJDIF (allow object differences) parameter 250
   changes when restoring 249
   changing
      audit journal (QAUDJRN) entry 281
      authority required 143
      command description 310
      methods 163
      moving application to production 242
   deleting owner profile 122, 143
   description 143
   flowchart 175
   group profile 143
   managing owner profile size 143
   private authority 131
   responsibilities 261
   restoring 245, 249
   saving 245
   working with 163, 310
object reference (*OBJREF) authority 132, 338
object restore (OR) journal entry type 276
object signing 3
objective
   availability 1
   confidentiality 1
   integrity 1
objects by primary group
   working with 144
office services action
   auditing 532
office services (*OFCSRV) audit level 275, 512, 532
OM (object management) journal entry type 275
on behalf
   auditing 532
online education
   object authority required for commands 448
online help information
   displaying full screen (*HLPFULL user option) 108
operating system
   security installation 255
operational (*OBJOPR) authority 132, 337
Operational Assistant Attention Program
   Attention-key-handling program 104

Operational Assistant commands
   object authority required for commands 448
OPNDBF (Open Database File) command
   object authority required 384
OPNQRYF (Open Query File) command
   object authority required 384
OPRCTL (operator control) parameter 212
optical
   object authority required for commands 449
OR (object restore) journal entry type 276
output
   object authority required for commands 479
output priority 218
output queue
   *JOBCTL (job control) special authority 86
   *OPRCTL (operator control) parameter 86
   *SPLCTL (spool control) special authority 86
   AUTCHK (authority to check) parameter 212
   authority to check (AUTCHK) parameter 212
   changing 211
   creating 211, 214
   display data (DSPDTA) parameter 211
   DSPDTA (display data) parameter 211
   object authority required for commands 452
   operator control (OPRCTL) parameter 212
   OPRCTL (operator control) parameter 212
   printing security-relevant parameters 315, 711
   securing 211, 214
   user profile 103
   working with description 211
output queue (*OUTQ)
   auditing 538
output queue (OUTQ) parameter
   user profile 103
OUTQ (output queue) parameter
   user profile 103
overlay (*OVL)
   auditing 539
Override commands 239
OVRMSGF (Override with Message File) command
   object auditing 535
OW (ownership change) file layout 638
OW (ownership change) journal entry type 281
owner 145
OWNER user profile parameter
   description 143
OWNER (owner) parameter
   user profile 145
owner authority
   flowchart 175

ownership
   adopted authority 151
   ALWOBJDIF (allow object differences) parameter 250
   assigning to new object 145
   change when restoring
      audit journal (QAUDJRN) entry 276
   changes when restoring 249
   changing
      audit journal (QAUDJRN) entry 281
      authority required 143
      methods 163
   default (QDFTOWN) user profile 145
   deleting owner profile 122, 143
   description 143
   device description 203
   flowchart 175
   group profile 143
   introduction 5
   managing owner profile size 143
   new object 145
   object
      managing 242
   private authority 131
   OWNER user profile parameter
      description 97
   printer output 211
   restoring 245, 249
   saving 245
   spooled file 211
   working with 163
   workstation 203
ownership change (OW) file layout 638
ownership change (OW) journal entry type 281
ownership change for restored object (RO) file layout 655
ownership change for restored object (RO) journal entry type 276
ownership, object
   responsibilities 261

P
PA (program adopt) file layout 643
PA (program adopt) journal entry type 281
package
   object authority required for commands 453
PAGDOC (Paginate Document) command
   object auditing 516
   object authority required 373
page definition (*PAGDFN)
   auditing 540
page down key
   reversing (*ROLLKEY user option) 108
page segment (*PAGSEG)
   auditing 540
page up key
   reversing (*ROLLKEY user option) 108


panel group
   object authority required for commands 437
panel group (*PNLGRP)
   auditing 542
parameter
   validating 17
partial (*PARTIAL) limit capabilities 83
pass-through
   controlling sign-on 32
   target profile change
      audit journal (QAUDJRN) entry 281
password
   all-numeric 76
   allowing users to change 259
   approval program
      example 61, 62
      QPWDVLDPGM system value 60
      requirements 60
      security risk 61
   auditing
      DST (dedicated service tools) 258
      user 259
   changes when restoring profile 248
   changing
      description 311
      DST (dedicated service tools) 311
      enforcing password system values 47
      setting password equal to profile name 76
   checking 128, 311
   checking for default 705
   commands for working with 311
   communications 50
   document
      DOCPWD user profile parameter 100
   DST (dedicated service tools)
      auditing 258
      changing 129
   encrypting 76
   equal to user profile name 47, 76
   expiration interval
      auditing 259
      PWDEXPITV user profile parameter 91
      QPWDEXPITV system value 47
   expiration interval (QPWDEXPITV) system value
      value set by CFGSYSSEC command 714
   expiration warning
      QPWDEXPWRN system value 48
   expired (PWDEXP) parameter 77
   IBM-supplied user profile
      auditing 258
      changing 129
   immediate expiration 47
   incorrect
      audit journal (QAUDJRN) entry 271
   length
      maximum (QPWDMAXLEN) system value 50
      minimum (QPWDMINLEN) system value 50

password (continued)
   limit repeated characters (QPWDLMTREP) system value
      value set by CFGSYSSEC command 714
   local password management
      LCLPWDMGT user profile parameter 92
   lost 76
   maximum length (QPWDMAXLEN system value) 50
   maximum length (QPWDMAXLEN) system value
      value set by CFGSYSSEC command 714
   minimum length (QPWDMINLEN system value) 50
   minimum length (QPWDMINLEN) system value
      value set by CFGSYSSEC command 714
   network
      audit journal (QAUDJRN) entry 271
   position characters (QPWDPOSDIF) system value 53
   possible values 77
   preventing
      adjacent digits (QPWDLMTAJC system value) 52
      repeated characters 52
      trivial 46, 259
      use of words 51
   PWDEXP (set password to expired) 77
   QPGMR (programmer) user profile 715
   QSRV (service) user profile 715
   QSRVBAS (basic service) user profile 715
   QSYSOPR (system operator) user profile 715
   QUSER (user) user profile 715
   recommendations 77, 78
   require numeric character (QPWDRQDDGT) system value
      value set by CFGSYSSEC command 714
   require position difference (QPWDPOSDIF) system value
      value set by CFGSYSSEC command 714
   required difference (QPWDRQDDIF) system value
      value set by CFGSYSSEC command 714
   requiring
      change (PWDEXPITV parameter) 91
      change (QPWDEXPITV system value) 47
      complete change 53
      different (QPWDRQDDIF system value) 51
      numeric character 53
   resetting
      DST (dedicated service tools) 277

password (continued)
   resetting (continued)
      user 76
   restrict adjacent characters (QPWDLMTAJC) system value
      value set by CFGSYSSEC command 714
   restrict characters (QPWDLMTCHR) system value
      value set by CFGSYSSEC command 714
   restricting
      adjacent digits (QPWDLMTAJC system value) 52
      characters 51
      repeated characters 52
   rules 76
   setting to expired (PWDEXP) 77
   system 131
   system values
      overview 46
   trivial
      preventing 46, 259
   user profile 76
   validation exit program
      example 62
   validation program
      example 61
      QPWDVLDPGM system value 60
      requirements 60
      security risk 61
   validation program (QPWDVLDPGM) system value
      value set by CFGSYSSEC command 714
password (PW) journal entry type 271
password characters 49
password expiration interval (PWDEXPITV)
   recommendations 91
password expiration interval (QPWDEXPITV) system value
   auditing 259
Password Level (QPWDLVL)
   description 48
Password Level (QPWDLVL) system value
   description 48
password required difference (QPWDRQDDIF) system value
   value set by CFGSYSSEC command 714
password validation program (QPWDVLDPGM) system value 60
passwords
   password levels 302
Passwords 48
path name
   displaying 164
PC (personal computer)
   preventing access 215
PC Organizer
   allowing for limit capabilities user 83
   disconnecting (QINACTMSGQ system value) 28
PC Support access (PCSACC) network attribute 262


PC text-assist function (PCTA)
   disconnecting (QINACTMSGQ system value) 28
PCSACC (client request access) network attribute 215
PCSACC (PC Support access) network attribute 262
performance
   class 217
   job description 218
   job scheduling 218
   object authority required for commands 453
   output priority 218
   pool 218
   priority limit 218
   restricting jobs to batch 218
   routing entry 218
   run priority 217
   storage pool 218
   subsystem description 218
   time slice 217
performance tuning
   security 217
permission
   definition 134
PG (primary group change) file layout 645
PG (primary group change) journal entry type 281
physical security 2
   auditing 258
   planning 258
PING (Verify TCP/IP Connection) command
   object authority required 488
PKGPRDDST (Package Product Distribution) command
   authorized IBM-supplied user profiles 332
planning
   application programmer security 242
   audit system values 288
   auditing
      actions 263
      objects 286
      overview 263
   checklist for 257
   command security 235
   file security 236
   group profiles 239
   library design 225
   menu security 228
   multiple groups 240
   password controls 259
   physical security 258
   primary group 240
   security 1
   system programmer security 243
planning password level changes
   changing password levels (0 to 1) 222
   changing password level from 1 to 0 225
   changing password level from 2 to 0 224

planning password level changes (continued)
   changing password level from 2 to 1 224
   changing password level from 3 to 0 224
   changing password level from 3 to 1 224
   changing password level from 3 to 2 224
   changing password levels
      planning level changes 221, 222
   changing password levels (2 to 3) 223
   decreasing password levels 224, 225
   increasing password level 222
   QPWDLVL changes 221, 222
PO (printer output) file layout 648
PO (printer output) journal entry type 276
pool 218
position characters (QPWDPOSDIF) system value 53
preventing
   access
      DDM request (DDM) 216
      iSeries Access 215
   modification of internal control blocks 20
   performance abuses 217
   remote job submission 214
   sign-on without user ID and password 261
   trivial passwords 46, 259
   unauthorized access 262
   unauthorized programs 262
preventing large profiles
   planning applications 226
primary group
   changes when restoring 250
   changing 144
      audit journal (QAUDJRN) entry 281
      command description 310
   changing during restore
      audit journal (QAUDJRN) entry 277
   definition 131
   deleting profile 122
   description 144
   introduction 5
   new object 145
   planning 240
   restoring 245, 250
   saving 245
   working with 124, 164
   working with objects 310
primary group authority
   authority checking example 187
primary group change (PG) file layout 645
primary group change (PG) journal entry type 281
primary group change for restored object (RZ) file layout 660

primary group change for restored object (RZ) journal entry type 277
Print Adopting Objects (PRTADPOBJ) command
   description 709
Print Communications Security (PRTCMNSEC) command
   description 316, 709
print descriptor group (*PDG)
   auditing 540
print device (DEV) parameter
   user profile 103
Print Job Description Authority (PRTJOBDAUT) command 315
   description 709
Print Private Authorities (PRTPVTAUT) command 315
   authorization list 709
   description 711
Print Publicly Authorized Objects (PRTPUBAUT) command 315
   description 711
Print Queue Authority (PRTQAUT) command
   description 315, 711
Print Subsystem Description (PRTSBSDAUT) command
   description 709
Print Subsystem Description Authority (PRTSBSDAUT) command
   description 315
Print System Security Attributes (PRTSYSSECA) command
   description 316, 709
Print Trigger Programs (PRTTRGPGM) command
   description 315, 709
Print User Objects (PRTUSROBJ) command
   description 315, 709
Print User Profile (PRTUSRPRF) command
   description 709
printed output (*PRTDTA) audit level 276
printer
   user profile 103
   virtual
      securing 216
printer output
   *JOBCTL (job control) special authority 86
   *SPLCTL (spool control) special authority 86
   object authority required for commands 479
   owner 211
   securing 211
printer output (PO) file layout 648
printer output (PO) journal entry type 276
printer writer
   object authority required for commands 494
printing 108
   adopted object information 709
   audit journal (QAUDJRN) entry 276

775

printing (continued) audit journal entries 709 authority holder 315 authorization list information 709 communications 316 list of non-IBM objects 315, 709 list of subsystem descriptions 315 network attributes 316, 709 notification (*PRTMSG user option) 108 publicly authorized objects 711 security 211 security-relevant communications settings 709 security-relevant job queue parameters 315, 711 security-relevant output queue parameters 315, 711 security-relevant subsystem description values 709 sending message (*PRTMSG user option) 108 system values 258, 316, 709 trigger programs 315, 709 printing message (*PRTMSG) user option 108 priority 218 priority limit (PTYLMT) parameter recommendations 96 user profile 95 private authorities authority cache 197 private authority definition 131 flowchart 174 object ownership 131 planning applications 226 restoring 245, 250 saving 245 privilege definition 131 problem object authority required for commands 460 problem analysis remote service attribute (QRMTSRVATR) system value 39 processor keylock 258 processor password 131 product availability (*PRDAVL) auditing 542 product definition (*PRDDFN) auditing 543 product library library list 209 description 207 recommendations 209 product load (*PRDLOD) auditing 543 profile action auditing (AUDLVL) 113 analyzing with query 301 auditing *ALLOBJ special authority 260 authority to use 261 auditing membership 260 auditing password 259 AUDLVL (action auditing) 113

profile (continued) changing 311 default values table 317 group 259, 260 auditing 260 introduction 4, 74 naming 76 object ownership 143 password 76 planning 239 resource security 5 handle audit journal (QAUDJRN) entry 281 IBM-supplied auditing 258 authority profile (QAUTPROF) 319 automatic install (QLPAUTO) 319 basic service (QSRVBAS) 319 BRM user profile (QBRMS) 319 database share (QDBSHR) 319 default owner (QDFTOWN) 319 distributed systems node executive (QDSNX) 319 document (QDOC) 319 finance (QFNC) 319 IBM authority profile (QAUTPROF) 319 install licensed programs (QLPINSTALL) 319 mail server framework (QMSF) 319 network file system (QNFS) 319 programmer (QPGMR) 319 QAUTPROF (IBM authority profile) 319 QBRMS (BRM user profile) 319 QDBSHR (database share) 319 QDFTOWN (default owner) 319 QDOC (document) 319 QDSNX (distributed systems node executive) 319 QFNC (finance) 319 QGATE (VM/MVS bridge) 319 QLPAUTO (licensed program automatic install) 319 QLPINSTALL (licensed program install) 319 QMSF (mail server framework) 319 QNFSANON (network file system) 319 QPGMR (programmer) 319 QRJE (remote job entry) 319 QSECOFR (security officer) 319 QSNADS (Systems Network Architecture distribution services) 319 QSPL (spool) 319 QSPLJOB (spool job) 319 QSRV (service) 319 QSRVBAS (service basic) 319 QSYS (system) 319 QSYSOPR (system operator) 319 QTCP (TCP/IP) 319

profile (continued) IBM-supplied (continued) QTMPLPD (TCP/IP printing support) 319 QTSTRQS (test request) 319 QUSER (workstation user) 319 remote job entry (QRJE) 319 restricted commands 325 security officer (QSECOFR) 319 service (QSRV) 319 service basic (QSRVBAS) 319 SNA distribution services (QSNADS) 319 spool (QSPL) 319 spool job (QSPLJOB) 319 system (QSYS) 319 system operator (QSYSOPR) 319 TCP/IP (QTCP) 319 TCP/IP printing support (QTMPLPD) 319 test request (QTSTRQS) 319 VM/MVS bridge (QGATE) 319 workstation user (QUSER) 319 OBJAUD (object auditing) 112 object auditing (OBJAUD) 112 QDFTOWN (default owner) restoring programs 253 swap audit journal (QAUDJRN) entry 281 user 112, 113, 301 accounting code (ACGCDE) 100 ACGCDE (accounting code) 100 assistance level (ASTLVL) 80 ASTLVL (assistance level) 80 ATNPGM (Attention-key-handling program) 104 Attention-key-handling program (ATNPGM) 104 auditing 260 authority (AUT) 112 automatic creation 73 CCSID (coded character set identifier) 106 changing 122 CHRIDCTL (user options) 106 CNTRYID (country or region identifier) 105 coded character set identifier (CCSID) 106 country or region identifier (CNTRYID) 105 CURLIB (current library) 81 current library (CURLIB) 81 delivery (DLVRY) 102 description (TEXT) 84 DEV (print device) 103 display sign-on information (DSPSGNINF) 91 DLVRY (message queue delivery) 102 DOCPWD (document password) 100 document password (DOCPWD) 100 DSPSGNINF (display sign-on information) 91

776

IBM i: Security Security reference

profile (continued) user (continued) EIM association (EIMASSOC) 110 group (GRPPRF) 97 group authority (GRPAUT) 98, 143 group authority type (GRPAUTTYP) 98 group identification number (gid) 109 GRPAUT (group authority) 98, 143 GRPAUTTYP (group authority type) 98 GRPPRF (group) 97 home directory (HOMEDIR) 109 IBM-supplied 128 initial menu (INLMNU) 82 initial program (INLPGM) 81 INLMNU (initial menu) 82 INLPGM (initial program) 81 introduction 4 job description (JOBD) 96 JOBD (job description) 96 KBDBUF (keyboard buffering) 93 keyboard buffering (KBDBUF) 93 LANGID (language identifier) 105 language identifier (LANGID) 105 large, examining 302 LCLPWDMGT (local password management) 92 limit capabilities 83, 260 limit device sessions (LMTDEVSSN) 93 listing inactive 302 listing selected 302 listing users with command capability 302 listing users with special authorities 302 LMTCPB (limit capabilities) 83 LMTDEVSSN (limit device sessions) 93 local password management (LCLPWDMGT) 92 LOCALE (user options) 107 maximum storage (MAXSTG) 94 MAXSTG (maximum storage) 94 message queue (MSGQ) 101 message queue delivery (DLVRY) 102 message queue severity (SEV) 102 MSGQ (message queue) 101 name (USRPRF) 75 naming 75 output queue (OUTQ) 103 OUTQ (output queue) 103 owner of objects created (OWNER) 97, 143 password 76 password expiration interval (PWDEXPITV) 91 print device (DEV) 103 priority limit (PTYLMT) 95

profile (continued) user (continued) PTYLMT (priority limit) 95 public authority (AUT) 112 PWDEXP (set password to expired) 77 PWDEXPITV (password expiration interval) 91 renaming 126 retrieving 128 roles 73 set password to expired (PWDEXP) 77 SETJOBATR (user options) 107 SEV (message queue severity) 102 severity (SEV) 102 sort sequence (SRTSEQ) 105 SPCAUT (special authority) 84 SPCENV (special environment) 89 special authority (SPCAUT) 84 special environment (SPCENV) 89 SRTSEQ (sort sequence) 105 status (STATUS) 78 SUPGRPPRF (supplemental groups) 99 supplemental groups (SUPGRPPRF) 99 System/36 environment 89 text (TEXT) 84 user class (USRCLS) 79 user expiration date (USREXPDATE) 111 user expiration interval (USREXPITV) 111 user identification number 108 user options (CHRIDCTL) 106 user options (LOCALE) 107 user options (SETJOBATR) 107 user options (USROPT) 106, 107, 108 USRCLS (user class) 79 USREXPDATE (user expiration date) 111 USREXPITV (user expiration interval) 111 USROPT (user options) 106, 107, 108 USRPRF (name) 75 profile swap (PS) file layout 649 profile swap (PS) journal entry type 281 program adopt authority function auditing 303 adopted authority audit journal (QAUDJRN) entry 281 auditing 261 creating 151 displaying 151 ignoring 152 purpose 149 restoring 253 transferring 150

program (continued) bound adopted authority 151 changing specifying USEADPAUT parameter 152 creating adopted authority 151 displaying adopted authority 151 ignoring adopted authority 152 object authority required for commands 461 password validation example 61 QPWDVLDPGM system value 60 requirements 60 password validation exit example 62 preventing unauthorized 262 program failure audit journal (QAUDJRN) entry 281 restoring adopted authority 253 risks 252 validation value 17 service adopted authority 151 transferring adopted authority 150 translation 17 trigger listing all 315 unauthorized 262 working with user profiles 128 program (*PGM) auditing 540 program adopt (PA) file layout 643 program adopt (PA) journal entry type 281 program adopt function 261 program failure auditing 303 restoring programs audit journal (QAUDJRN) entry 276 program failure (*PGMFAIL) audit level 276 program state definition 15 displaying 15 program temporary fix (PTF) object authority required for commands 473 program validation definition 17 program-described file holding authority when deleted 153 programmer application planning security 242 auditing access to production libraries 260 system planning security 243


programmer (QPGMR) user profile default values 319 device description owner 203 programming language object authority required for commands 422 programs that adopt displaying 303 protecting backup media 258 protection enhanced hardware storage 17 PRTACTRPT authorized IBM-supplied user profiles 332 PRTACTRPT (Print Activity Report) command object authority required 457 PRTADPOBJ (Print Adopted Object) command object authority required 343 PRTADPOBJ (Print Adopting Objects) command description 709 PRTCADMRE command object authority required 357 PRTCMDUSG (Print Command Usage) command object auditing 505, 541 object authority required 462 PRTCMNSEC (Print Communication Security) command object authority required 364 PRTCMNSEC (Print Communications Security) command description 316, 709 object authority required 368, 435 PRTCMNTRC (Print Communications Trace) command authorized IBM-supplied user profiles 332 object authority required 474 PRTCPTRPT authorized IBM-supplied user profiles 332 PRTCPTRPT (Print Component Report) command object authority required 457 PRTCSPAPP (Print CSP/AE Application) command object auditing 542 PRTDEVADR (Print Device Addresses) command object auditing 508 object authority required 361 PRTDOC (Print Document) command object auditing 514 PRTDSKINF authorized IBM-supplied user profiles 332 PRTDSKINF (Print Disk Activity Information) command object authority required 448 PRTERRLOG authorized IBM-supplied user profiles 332

PRTERRLOG (Print Error Log) command object authority required 474 PRTINTDTA authorized IBM-supplied user profiles 332 PRTINTDTA (Print Internal Data) command object authority required 474 PRTIPSCFG (Print IP over SNA Configuration) command object authority required 350 PRTJOBDAUT (Print Job Description Authority) command description 315, 709 object authority required 413 PRTJOBRPT authorized IBM-supplied user profiles 332 PRTJOBRPT (Print Job Report) command object authority required 457 PRTJOBTRC authorized IBM-supplied user profiles 332 PRTJOBTRC (Print Job Trace) command object authority required 457 PRTJVMJOB command object authority required 410 PRTLCKRPT authorized IBM-supplied user profiles 332 PRTLCKRPT (Print Lock Report) command object authority required 457 PRTPEXRPT (Print Performance Explorer Report) command object authority required 457 PRTPOLRPT authorized IBM-supplied user profiles 332 PRTPOLRPT (Print Pool Report) command object authority required 457 PRTPRFINT (Print Profile Internals) command authorized IBM-supplied user profiles 332 PRTPUBAUT (Print Public Authorities) command object authority required 343 PRTPUBAUT (Print Publicly Authorized Objects) command description 315, 709 PRTPVTAUT (Print Private Authorities) command authorization list 709 description 315, 711 object authority required 343 PRTQAUT (Print Queue Authorities) command object authority required 414, 452 PRTQAUT (Print Queue Authority) command description 315, 711 PRTRSCRPT authorized IBM-supplied user profiles 332

PRTRSCRPT (Print Resource Report) command object authority required 457 PRTSBSDAUT (Print Subsystem Description Authority) command description 315 object authority required 482 PRTSBSDAUT (Print Subsystem Description) command description 709 PRTSQLINF (Print SQL Information) command object auditing 542, 552 PRTSQLINF (Print Structured Query Language Information) command object authority required 453 PRTSYSRPT authorized IBM-supplied user profiles 332 PRTSYSRPT (Print System Report) command object authority required 458 PRTSYSSECA (Print System Security Attribute) command object authority required 472 PRTSYSSECA (Print System Security Attributes) command description 316, 709 PRTTNSRPT authorized IBM-supplied user profiles 332 PRTTNSRPT (Print Transaction Report) command object authority required 458 PRTTRC (Print Trace) command object authority required 474 PRTTRCRPT authorized IBM-supplied user profiles 332 PRTTRGPGM (Print Trigger Program) command object authority required 384 PRTTRGPGM (Print Trigger Programs) command description 315, 709 PRTUSROBJ (Print User Object) command object authority required 343 PRTUSROBJ (Print User Objects) command description 315, 709 PRTUSRPRF (Print User Profile) command description 709 object authority required 492 PS (profile swap) file layout 649 PS (profile swap) journal entry type 281 PTF (program temporary fix) object authority required for commands 473 PTYLMT (priority limit) parameter recommendations 96 user profile 95 public authority authority checking example 189, 191 definition 131 flowchart 181



public authority (continued) library 157 new objects description 139 specifying 157 printing 711 restoring 245, 250 revoking 316, 713 revoking with RVKPUBAUT command 716 saving 245 user profile recommendation 112 PW (password) journal entry type 271 PWDEXP (set password to expired) parameter 77 PWDEXPITV (password expiration interval) parameter 91 PWRDWNSYS (Power Down System) command authorized IBM-supplied user profiles 332 object authority required 483

Q
QADSM (ADSM) user profile 319 QAFDFTUSR (AFDFTUSR) user profile 319 QAFOWN (AFOWN) user profile 319 QAFUSR (AFUSR) user profile 319 QALWOBJRST (allow object restore option) system value 44 QALWOBJRST (allow object restore) system value value set by CFGSYSSEC command 714 QALWUSRDMN (allow user objects) system value 20, 25 QASYADJE (auditing change) file layout 568 QASYAFJE (authority failure) file layout 571 QASYAPJE (adopted authority) file layout 577 QASYAUJ5 (attribute change) file layout 577 QASYCAJE (authority change) file layout 578 QASYCDJE (command string) file layout 581 QASYCOJE (create object) file layout 582 QASYCPJE (user profile change) file layout 584 QASYCQJE (*CRQD change) file layout 587 QASYCUJ4 (Cluster Operations) file layout 587 QASYCVJ4 (connection verification) file layout 589 QASYCYJ4 (cryptographic configuration) file layout 591 QASYCYJ4 (Directory Server) file layout 594 QASYDOJE (delete operation) file layout 599

QASYDSJE (IBM-Supplied Service Tools User ID Reset) file layout 601 QASYEVJE (EV) file layout 602 QASYGRJ4 (generic record) file layout 603 QASYGSJE (give descriptor) file layout 608 QASYGSJE (Internet security management) file layout 615 QASYGSJE (interprocess communication actions) file layout 612 QASYIRJ4 (IP rules actions) file layout 613 QASYJDJE (job description change) file layout 617 QASYJSJE (job change) file layout 618 QASYKFJ4 (key ring file) file layout 623 QASYLDJE (link, unlink, search directory) file layout 626 QASYMLJE (mail actions) file layout 628 QASYNAJE (network attribute change) file layout 628 QASYNDJE (APPN directory) file layout 629 QASYNEJE (APPN end point) file layout 630 QASYO1JE (optical access) file layout 640, 641 QASYO3JE (optical access) file layout 642 QASYOMJE (object management) file layout 630 QASYORJE (object restore) file layout 634 QASYOWJE (ownership change) file layout 638 QASYPAJE (program adopt) file layout 643 QASYPGJE (primary group change) file layout 645 QASYPOJE (printer output) file layout 648 QASYPSJE (profile swap) file layout 649 QASYPWJE (password) file layout 651 QASYRAJE (authority change for restored object) file layout 652 QASYRJJE (restoring job description) file layout 654 QASYROJE (ownership change for object program) file layout 655 QASYRPJE (restoring programs that adopt authority) file layout 657 QASYRQJE (restoring *CRQD that adopts authority) file layout 659 QASYRUJE (restore authority for user profile) file layout 659 QASYRZJE (primary group change for restored object) file layout 660 QASYSDJE (change system distribution directory) file layout 662 QASYSEJE (change of subsystem routing entry) file layout 663 QASYSFJE (action to spooled file) file layout 664 QASYSGJ4 file layout 668, 669

QASYSMJE (systems management change) file layout 671 QASYSOJ4 (server security user information actions) file layout 672 QASYSTJE (service tools action) file layout 673 QASYSVJE (action to system value) file layout 678 QASYVAJE (changing access control list) file layout 679 QASYVCJE (connection start and end) file layout 679 QASYVFJE (close of server files) file layout 680 QASYVLJE (account limit exceeded) file layout 681 QASYVNJE (network log on and off) file layout 682 QASYVOJ4 (validation list) file layout 683 QASYVPJE (network password error) file layout 684 QASYVRJE (network resource access) file layout 685 QASYVSJE (server session) file layout 686 QASYVUJE (network profile change) file layout 687 QASYVVJE (service status change) file layout 688 QASYX0JE (kerberos authentication) file layout 689 QASYYCJE (change to DLO object) file layout 696 QASYYRJE (read of DLO object) file layout 697 QASYZCJE (change to object) file layout 698 QASYZRJE (read of object) file layout 701 QATNPGM (Attention-key-handling program) system value 104 QAUDCTL (audit control) system value changing 315, 707 displaying 315, 707 QAUDCTL (auditing control) system value overview 65 QAUDENDACN (auditing end action) system value 66, 289 QAUDFRCLVL (auditing force level) system value 66, 288 QAUDJRN (audit) journal 281, 284, 497 AD (auditing change) entry type 280 AD (auditing change) file layout 568 AF (authority failure) entry type 276 default sign-on violation 16 description 270 hardware protection violation 17 job description violation 16 program validation 18 restricted instruction 18 unsupported interface 16, 18 AF (authority failure) file layout 571 analyzing with query 296



QAUDJRN (audit) journal (continued) AP (adopted authority) entry type 275 AP (adopted authority) file layout 577 AU (attribute change) file layout 577 auditing level (QAUDLVL) system value 67 auditing level extension (QAUDLVL2) system value 69 automatic cleanup 293 CA (authority change) entry type 280 CA (authority change) file layout 578 CD (command string) entry type 272 CD (command string) file layout 581 changing receiver 294 CO (create object) entry type 144, 272 CO (create object) file layout 582 CP (user profile change) entry type 277 CP (user profile change) file layout 584 CQ (*CRQD change) file layout 587 CQ (change *CRQD object) entry type 277 creating 291 CU (Cluster Operations) file layout 587 CV (connection verification) file layout 589 CY (cryptographic configuration) file layout 591 damaged 292 detaching receiver 293, 294 DI (Directory Server) file layout 594 displaying entries 263, 295 DO (delete operation) entry type 272 DO (delete operation) file layout 599 DS (DST password reset) entry type 277 DS (IBM-Supplied Service Tools User ID Reset) file layout 601 error conditions 66 EV (Environment variable) file layout 602 force level 66 GR (generic record) file layout 603 GS (give descriptor) file layout 608 introduction 262 IP (Interprocess Communication actions) file layout 612 IP (interprocess communications) entry type 271 IR (IP rules actions) file layout 613 IS (Internet security management) file layout 615 JD (job description change) entry type 281 JD (job description change) file layout 617 JS (job change) entry type 273 JS (job change) file layout 618 KF (key ring file) file layout 623 LD (link, unlink, search directory) file layout 626 managing 292

QAUDJRN (audit) journal (continued) methods for analyzing 295 ML (mail actions) entry type 275 ML (mail actions) file layout 628 NA (network attribute change) entry type 281 NA (network attribute change) file layout 628 ND (APPN directory) file layout 629 NE (APPN end point) file layout 630 O1 (optical access) file layout 640, 641 O3 (optical access) file layout 642 OM (object management) entry type 275 OM (object management) file layout 630 OR (object restore) entry type 276 OR (object restore) file layout 634 OW (ownership change) entry type 281 OW (ownership change) file layout 638 PA (program adopt) entry type 281 PA (program adopt) file layout 643 PG (primary group change) entry type 281 PG (primary group change) file layout 645 PO (printer output) entry type 276 PO (printer output) file layout 648 PS (profile swap) entry type 281 PS (profile swap) file layout 649 PW (password) entry type 271 PW (password) file layout 651 RA (authority change for restored object) entry type 276 RA (authority change for restored object) file layout 652 receiver storage threshold 293 RJ (restoring job description) entry type 276 RJ (restoring job description) file layout 654 RO (ownership change for restored object) entry type 276 RO (ownership change for restored object) file layout 655 RP (restoring programs that adopt authority) entry type 276 RP (restoring programs that adopt authority) file layout 657 RQ (restoring *CRQD object that adopts authority) file layout 659 RQ (restoring *CRQD object) entry type 277 RU (restore authority for user profile) entry type 277 RU (restore authority for user profile) file layout 659 RZ (primary group change for restored object) entry type 277 RZ (primary group change for restored object) file layout 660 SD (change system distribution directory) entry type 275

QAUDJRN (audit) journal (continued) SD (change system distribution directory) file layout 662 SE (change of subsystem routing entry) entry type 282 SE (change of subsystem routing entry) file layout 663 SF (action to spooled file) file layout 664 SF (change to spooled file) entry type 284 SG file layout 668, 669 SM (systems management change) entry type 284 SM (systems management change) file layout 671 SO (server security user information actions) file layout 672 ST (service tools action) entry type 283 ST (service tools action) file layout 673 stopping 295 SV (action to system value) entry type 282 SV (action to system value) file layout 678 system entries 292 VA (access control list change) entry type 282 VA (changing access control list) file layout 679 VC (connection start and end) file layout 679 VC (connection start or end) entry type 273 VF (close of server files) file layout 680 VL (account limit exceeded) file layout 681 VN (network log on and off) file layout 682 VN (network log on or off) entry type 273 VO (validation list) file layout 683 VP (network password error) entry type 271 VP (network password error) file layout 684 VR (network resource access) file layout 685 VS (server session) entry type 273 VS (server session) file layout 686 VU (network profile change) entry type 282 VU (network profile change) file layout 687 VV (service status change) entry type 283 VV (service status change) file layout 688 X0 (kerberos authentication) file layout 689 YC (change to DLO object) file layout 696 YR (read of DLO object) file layout 697



QAUDJRN (audit) journal (continued) ZC (change to object) file layout 698 ZR (read of object) file layout 701 QAUDLVL (audit level) system value *AUTFAIL value 270 *CREATE (create) value 272 *DELETE (delete) value 272 *JOBDTA (job change) value 273 *OBJMGT (object management) value 275 *OFCSRV (office services) value 275 *PGMADP (adopted authority) value 275 *PGMFAIL (program failure) value 276 *PRTDTA (printer output) value 276 *SAVRST (save/restore) value 276 *SECURITY (security) value 280 *SERVICE (service tools) value 283 *SPLFDTA (spooled file changes) value 284 *SYSMGT (systems management) value 284 changing 292, 315, 707 displaying 315, 707 purpose 263 user profile 113 QAUDLVL (auditing level) system value overview 67 QAUDLVL2 (auditing level extension) system value overview 69 QAUTOCFG (automatic configuration) system value value set by CFGSYSSEC command 714 QAUTOCFG (automatic device configuration) system value 37 QAUTOVRT (automatic configuration of virtual devices) system value 37 QAUTOVRT (automatic virtual-device configuration) system value value set by CFGSYSSEC command 714 QAUTPROF (authority profile) user profile 319 QBRMS (BRM) user profile 319 QCCSID (coded character set identifier) system value 106 QCL program 137 QCMD command processor Attention-key-handling program 104 special environment (SPCENV) 89 QCNTRYID (country or region identifier) system value 106 QCONSOLE (console) system value 203 QCRTAUT (create authority) system value description 26 risk of changing 26 using 139 QCRTOBJAUD (create object auditing) system value 70 QDBSHRDO (database share) user profile 319 QDCEADM (DCEADM) user profile 319

QDEVRCYACN (device recovery action) system value 38 value set by CFGSYSSEC command 714 QDFTJOBD (default) job description 96 QDFTOWN (default owner) user profile audit journal (QAUDJRN) entry 276 default values 319 description 145 restoring programs 253 QDOC (document) user profile 319 QDSCJOBITV (disconnected job time-out interval) system value 38 value set by CFGSYSSEC command 714 QDSNX (distributed systems node executive) user profile 319 QDSPSGNINF (display sign-on information) system value 26, 91 value set by CFGSYSSEC command 714 QEZMAIN program 104 QFNC (finance) user profile 319 QGATE (VM/MVS bridge) user profile 319 QHST (history) log using to monitor security 299 QINACTITV (inactive job time-out interval) system value 27 value set by CFGSYSSEC command 714 QINACTMSGQ (inactive job message queue) system value 28 value set by CFGSYSSEC command 714 QjoAddRemoteJournal (Add Remote Journal) API object auditing 529 QjoChangeJournalState (Change Journal State) API object auditing 529 QjoEndJournal (End journaling) API object auditing 498 QjoEndJournal (End Journaling) API object auditing 529 QJORDJE2 record format 562 QjoRemoveRemoteJournal (Remove Remote Journal) API object auditing 529 QjoRetrieveJournalEntries (Retrieve Journal Entries) API object auditing 529 QjoRetrieveJournalInformation (Retrieve Journal Information) API object auditing 530 QJORJIDI (Retrieve Journal Identifier (JID) Information) API object auditing 529 QjoSJRNE (Send Journal Entry) API object auditing 529 QjoStartJournal (Start Journaling) API object auditing 499, 529 QKBDBUF (keyboard buffering) system value 94 QLANGID (language identifier) system value 105

QlgAccess command (Determine File Accessibility) object auditing 510 QlgAccessx command (Determine File Accessibility) object auditing 510 QLMTDEVSSN (limit device sessions) system value auditing 260 description 29 LMTDEVSSN user profile parameter 93 QLMTSECOFR (limit security officer) system value auditing 258 authority to device descriptions 201 changing security levels 13 description 29 sign-on process 203 value set by CFGSYSSEC command 714 QLPAUTO (licensed program automatic install) user profile default values 319 restoring 249 QLPINSTALL (licensed program install) user profile default values 319 restoring 249 QMAXSGNACN (action when sign-on attempts reached) system value description 30 user profile status 78 value set by CFGSYSSEC command 714 QMAXSIGN (maximum sign-on attempts) system value auditing 258, 262 description 30 user profile status 78 value set by CFGSYSSEC command 714 QMSF (mail server framework) user profile 319 QPGMR (programmer) user profile default values 319 device description owner 203 password set by CFGSYSSEC command 715 QPRTDEV (print device) system value 103 QPWDCHGBLK (block password change) system value description 47 QPWDEXPITV (password expiration interval) system value auditing 259 description 47 PWDEXPITV user profile parameter 91 value set by CFGSYSSEC command 714 QPWDEXPWRN (password expiration warning) system value description 48 QPWDLMTAJC (password limit adjacent) system value 52


QPWDLMTAJC (password restrict adjacent characters) system value value set by CFGSYSSEC command 714 QPWDLMTCHR (limit characters) system value 51 QPWDLMTCHR (password restrict characters) system value value set by CFGSYSSEC command 714 QPWDLMTCHR command 77 QPWDLMTREP (limit repeated characters) system value 52 QPWDLVL case sensitive passwords 53, 76 Password levels (maximum length) 50 Password levels (minimum length) 50 Password levels (QPWDLVL) 50, 51 QPWDLVL (case sensitive) case sensitive passwords QPWDLVL case sensitive 52 Password levels (case sensitive) 52 QPWDLVL (current or pending value) and program name 60 QPWDMAXLEN (password maximum length) system value 50 value set by CFGSYSSEC command 714 QPWDMINLEN (password minimum length) system value 50 value set by CFGSYSSEC command 714 QPWDPOSDIF (password require position difference) system value value set by CFGSYSSEC command 714 QPWDPOSDIF (position characters) system value 53 QPWDRQDDGT (password require numeric character) system value value set by CFGSYSSEC command 714 QPWDRQDDGT (required password digits) system value 53 QPWDRQDDIF (duplicate password) system value 51 QPWDRQDDIF (password required difference) system value value set by CFGSYSSEC command 714 QPWDVLDPGM (password validation program) system value 60 value set by CFGSYSSEC command 714 QRCL (reclaim storage) library setting QALWUSRDMN (allow user objects) system value 26 QRCLAUTL (reclaim storage) authorization list 255 QRETSVRSEC (retain server security) system value 31 QRETSVRSEC (retain server security) value 31 QRJE (remote job entry) user profile 319

QRMTSIGN (allow remote sign-on) system value value set by CFGSYSSEC command 714 QRMTSIGN (remote sign-on) system value 32, 262 QRMTSRVATR (remote service attribute) system value 2, 39 QRYDOCLIB (Query Document Library) command object auditing 516 object authority required 374 QRYDST (Query Distribution) command object authority required 371 QRYPRBSTS (Query Problem Status) command object authority required 460 QSCANFS (Scan File Systems) system value 33 QSCANFSCTL (Scan File Systems Control) system value 33 QSECOFR (security officer) user profile authority to console 203 default values 319 device description owner 203 disabled status 78 enabling 78 restoring 249 QSECURITY (security level) system value auditing 258 automatic user profile creation 73 changing, 20 from higher level 13 changing, level 10 to level 20 12 changing, level 20 to 30 13 changing, to level 40 18 changing, to level 50 20 comparison of levels 9 disabling level 40 19 disabling level 50 21 enforcing QLMTSECOFR system value 203 internal control blocks 20 introduction 2 level 10 12 level 20 12 level 30 13 level 40 14 level 50 19 message handling 20 validating parameters 17 overview 9 recommendations 11 special authority 11 user class 11 value set by CFGSYSSEC command 714 QSH (Start QSH) command alias for STRQSH 464 QSHRMEMCTL (share memory control) system value description 35 possible values 35 QSNADS (Systems Network Architecture distribution services) user profile 319 QSPCENV (special environment) system value 89 QSPL (spool) user profile 319

QSPLJOB (spool job) user profile 319 QSPRJOBQ (Retrieve job queue information) API object auditing 527 QsrRestore object auditing 499 QSRRSTO (Restore Object) API object auditing 499 QsrSave object auditing 497 QSRSAVO object auditing 497 QSRTSEQ (sort sequence) system value 105 QSRV (service) user profile authority to console 203 default values 319 password set by CFGSYSSEC command 715 QSRVBAS (basic service) user profile authority to console 203 default values 319 password set by CFGSYSSEC command 715 QSSLCSL (SSL cipher specification list) system value 39 QSSLCSLCTL (SSL cipher control) system value 40 QSSLPCL (SSL protocols) system value 40 QSYS (system) library authorization lists 139 QSYS (system) user profile default values 319 restoring 249 QSYSLIBL (system library list) system value 207 QSYSMSG message queue auditing 262, 299 QMAXSGNACN (action when attempts reached) system value 31 QMAXSIGN (maximum sign-on attempts) system value 30 QSYSOPR (system operator) message queue restricting 207 QSYSOPR (system operator) user profile 319 password set by CFGSYSSEC command 715 QTCP (TCP/IP) user profile 319 QTEMP (temporary) library security level 50 19 QTMPLPD (TCP/IP printing support) user profile 319 QTSTRQS (test request) user profile 319 query analyzing audit journal entries 296 query definition (*QRYDFN) auditing 544 Query Management/400 object authority required for commands 464 query manager form (*QMFORM) auditing 543 query manager query (*QMQRY) auditing 544

782

IBM i: Security Security reference

question and answer object authority required for commands 466 QUSEADPAUT (use adopted authority) system value description 35 risk of changing 36 QUSER (user) user profile password set by CFGSYSSEC command 715 QUSER (workstation user) user profile 319 QUSER38 library 137 QVFYOBJRST (verify object on restore) system value 41 QVFYOBJRST (Verify Object Restore) system value 3 QWCLSCDE (List job schedule entry) API object auditing 528

R
RA (authority change for restored object) journal entry type 276 RCLACTGRP (Reclaim Activation Group) command object authority required 483 RCLDBXREF command authorized IBM-supplied user profiles 332 object authority required 343 RCLDLO (Reclaim Document Library Object) command object auditing 517 object authority required 374 RCLLNK (Reclaim Object Links) command object authority required 399 RCLOBJOWN (Reclaim Objects by Owner) command authorized IBM-supplied user profiles 332 object authority required 343 RCLOPT (Reclaim Optical) command authorized IBM-supplied user profiles 332 object authority required 451 RCLRSC (Reclaim Resources) command object authority required 483 RCLSPLSTG (Reclaim Spool Storage) command authorized IBM-supplied user profiles 332 object authority required 480 RCLSTG (Reclaim Storage) command authorized IBM-supplied user profiles 332 damaged authorization list 255 object auditing 499 object authority required 343 QDFTOWN (default owner) profile 145 security level 50 19 setting QALWUSRDMN (allow user objects) system value 26

RCLTMPSTG (Reclaim Temporary Storage) command authorized IBM-supplied user profiles 332 object auditing 500 object authority required 343 RCVDST (Receive Distribution) command object auditing 516 object authority required 371 RCVJRNE (Receive Journal Entry) command object auditing 529 object authority required 418 RCVMGRDTA (Receive Migration Data) command object authority required 440 RCVMSG (Receive Message) command object auditing 535 object authority required 438 RCVNETF (Receive Network File) command object authority required 442 read (*READ) authority 132, 338 read of DLO object (YR) file layout 697 read of object (ZR) file layout 701 reader object authority required for commands 467 receiver changing 294 deleting 294 detaching 293, 294 saving 294 reclaim storage (QRCL) library setting QALWUSRDMN (allow user objects) system value 26 reclaim storage (QRCLAUTL) authorization list 255 Reclaim Storage (RCLSTG) command 19, 145, 255 setting QALWUSRDMN (allow user objects) system value 26 reclaiming storage 19, 145, 255 setting QALWUSRDMN (allow user objects) system value 26 recommendation adopted authority 152 application design 226 display sign-on information (DSPSGNINF) 91 initial library list 96 initial menu (INLMNU) 84 initial program (INLPGM) 84 job descriptions 96 library design 225 library list current library 210 product library portion 209 system portion 209 user portion 210 limit capabilities (LMTCPB) 84 limiting device sessions 93 message queue 101 naming group profile 76

recommendation (continued) naming (continued) user profiles 75 password expiration interval (PWDEXPITV) 91 passwords 77 priority limit (PTYLMT) parameter 96 public authority user profiles 112 QUSRLIBL system value 96 RSTLICPGM (Restore Licensed Program) command 253 security design 220 security level (QSECURITY) system value 11 set password to expired (PWDEXP) 78 special authority (SPCAUT) 88 special environment (SPCENV) 89 summary 220 user class (USRCLS) 79 record-level security 236 recovering authority holder 245 authorization list 245 damaged audit journal 292 damaged authorization list 254 object ownership 245 private authority 245 public authority 245 security information 245 user profiles 245 reference code table (*RCT) auditing 545 referenced object 165 rejecting access DDM request (DDM) 216 iSeries Access access 215 remote job submission 214 relational database directory object authority required for commands 467 remote job entry (QRJE) user profile 319 remote job entry (RJE) object authority required for commands 468 remote job submission securing 214 remote service attribute (QRMTSRVATR) system value 39 remote sign-on QRMTSIGN system value 32 remote sign-on (QRMTSIGN) system value 32, 262 Remove Authorization List Entry (RMVAUTLE) command 167, 309 Remove Directory Entry (RMVDIRE) command 314 Remove Document Library Object Authority (RMVDLOAUT) command 313 Remove Kerberos Keytab Entry (RMVKRBKTE) command object authority required 422 Remove Library List Entry (RMVLIBLE) command 207 Index


Remove User display 123 removing authority for user 161 authorization list object 169 user authority 167, 309 directory entry 314 document library object authority 313 employees who no longer need access 260 library list entry 207 security level 40 19 security level 50 21 server authentication entry 314 user authority authorization list 167 object 161 user profile automatically 705 directory entry 122 distribution lists 122 message queue 122 owned objects 122 primary group 122 renaming object audit journal (QAUDJRN) entry 275 user profile 126 repeated characters (QPWDLMTREP) system value 52 repeating passwords 51 reply list action auditing 546 object authority required for commands 483 required password digits (QPWDRQDDGT) system value 53 resetting DST (dedicated service tools) password audit journal (QAUDJRN) entry 277 RESMGRNAM (Resolve Duplicate and Incorrect Office Object Names) command authorized IBM-supplied user profiles 332 object authority required 440 resource object authority required for commands 468 resource security definition 131 introduction 5 limit access 244 restore security risks 216 Restore Authority (RSTAUT) command audit journal (QAUDJRN) entry 277 description 312 procedure 252 role in restoring security 245 using 251 restore authority for user profile (RU) file layout 659

restore authority for user profile (RU) journal entry type 277 Restore Document Library Object (RSTDLO) command 245 Restore Library (RSTLIB) command 245 Restore Licensed Program (RSTLICPGM) command recommendations 253 security risks 253 Restore Object (RSTOBJ) command using 245 restore operation maximum storage (MAXSTG) 94 storage needed 94 Restore Performance Collection (RSTPFRCOL) command authorized IBM-supplied user profiles 333 object authority required 458 restore system value security-related overview 41 Restore User Profiles (RSTUSRPRF) command 245, 312 restoring *ALLOBJ (all object) special authority all object (*ALLOBJ) special authority 249 *CRQD object audit journal (QAUDJRN) entry 277 *CRQD object that adopts authority (RQ) file layout 659 adopted authority changes to ownership and authority 253 allow object differences (ALWOBJDIF) parameter 250 ALWOBJDIF (allow object differences) parameter 250 authority audit journal (QAUDJRN) entry 277 command description 312 description of process 252 overview of commands 245 procedure 251 authority changed by system audit journal (QAUDJRN) entry 276 authority holder 245 authorization list association with object 250 description of process 254 overview of commands 245 document library object (DLO) 245 gid (group identification number) 249 job description audit journal (QAUDJRN) entry 276 library 245 licensed program recommendations 253 security risks 253 maximum storage (MAXSTG) 94

restoring (continued) object audit journal (QAUDJRN) entry 276 commands 245 ownership 245, 249 security issues 249 operating system 255 ownership change audit journal (QAUDJRN) entry 276 performance collection authorized IBM-supplied user profiles 333 object authority required 458 primary group 245, 250 private authority 245, 250 program failure audit journal (QAUDJRN) entry 276 program validation 17 programs 252 public authority 245, 250 QDFTOWN (default) owner audit journal (QAUDJRN) entry 276 restricting 216, 217 security information 245 storage needed 94 uid (user identification number) 249 user profile audit journal (QAUDJRN) entry 277 command description 312 procedures 245, 248 restoring *CRQD (RQ) file layout 660 restoring *CRQD object (RQ) journal entry type 277 restoring job description (RJ) file layout 654 restoring job description (RJ) journal entry type 276 restoring programs that adopt authority (RP) file layout 657 restoring programs that adopt authority (RP) journal entry type 276 restricted instruction audit journal (QAUDJRN) entry 276 restricting access console 258 workstations 258 adjacent digits in passwords (QPWDLMTAJC system value) 52 capabilities 83 characters in passwords 51 command line use 83 commands (ALWLMTUSR) 83 consecutive digits in passwords (QPWDLMTAJC system value) 52 messages 20 QSYSOPR (system operator) message queue 207 repeated characters in passwords 52 restore operations 216 save operations 216


restricting (continued) security officer (QLMTSECOFR system value) 258 retain server security (QRETSVRSEC) system value overview 31 retain server security (QRETSVRSEC) value 31 Retrieve Authorization List Entry (RTVAUTLE) command 309 Retrieve Journal Receiver Information API object auditing 530 Retrieve User Profile (RTVUSRPRF) command 128, 311 retrieving authorization list entry 309 user profile 128, 311 RETURN (Return) command object authority required 483 reversing page down (*ROLLKEY user option) 108 page up (*ROLLKEY user option) 108 Revoke Object Authority (RVKOBJAUT) command 159, 169, 310 Revoke Public Authority (RVKPUBAUT) command description 316, 713 details 716 Revoke User Permission (RVKUSRPMN) command 313 revoking object authority 310 public authority 316, 713 user permission 313 RGZDLO (Reorganize Document Library Object) command object auditing 516 object authority required 374 RGZPFM (Reorganize Physical File Member) command object auditing 522 object authority required 385 risk *ALLOBJ (all object) special authority 85 *AUDIT (audit) special authority 88 *IOSYSCFG (system configuration) special authority 88 *JOBCTL (job control) special authority 86 *SAVSYS (save system) special authority 86 *SERVICE (service) special authority 87 *SPLCTL (spool control) special authority 86 adopted authority 152 authority holder 154 create authority (CRTAUT) parameter 140 library list 208 password validation program 61 restore commands 216

risk (continued) restoring programs that adopt authority 253 restoring programs with restricted instructions 252 RSTLICPGM (Restore Licensed Program) command 253 save commands 216 special authorities 85 RJ (restoring job description) file layout 654 RJ (restoring job description) journal entry type 276 RJE (remote job entry) object authority required for commands 468 RLSCMNDEV (Release Communications Device) command authorized IBM-supplied user profiles 332 object auditing 509, 531 object authority required 368 RLSDSTQ (Release Distribution Queue) command authorized IBM-supplied user profiles 332 object authority required 371 RLSIFSLCK (Release IFS Lock) command authorized IBM-supplied user profiles 332 object authority required 443 RLSJOB (Release Job) command object authority required 411 RLSJOBQ (Release Job Queue) command object auditing 527 object authority required 414 RLSJOBSCDE (Release Job Schedule Entry) command object auditing 528 object authority required 415 RLSOUTQ (Release Output Queue) command object auditing 539 object authority required 452 RLSRDR (Release Reader) command object authority required 467 RLSRMTPHS (Release Remote Phase) command authorized IBM-supplied user profiles 332 RLSSPLF (Release Spooled File) command object auditing 539 object authority required 480 RLSWTR (Release Writer) command object authority required 494 RMVACC (Remove Access Code) command authorized IBM-supplied user profiles 332 object auditing 516 object authority required 447 RMVAJE (Remove Autostart Job Entry) command object auditing 547

RMVAJE (Remove Autostart Job Entry) command (continued) object authority required 482 RMVALRD (Remove Alert Description) command object auditing 501 object authority required 350 RMVASPCPYD authorized IBM-supplied user profiles 332 RMVAUTLE (Remove Authorization List Entry) command description 309 object auditing 501 object authority required 352 using 167 RMVBKP (Remove Breakpoint) command object authority required 462 RMVBNDDIRE (Remove Binding Directory Entry) command object auditing 502 object authority required 353 RMVCADMRE authorized IBM-supplied user profiles 332 RMVCADMRE command object authority required 358 RMVCADNODE authorized IBM-supplied user profiles 332 RMVCADNODE command object authority required 358 RMVCFGLE (Remove Configuration List Entries) command object authority required 362 RMVCFGLE (Remove Configuration List Entry) command object auditing 503 RMVCLUMON authorized IBM-supplied user profiles 333 RMVCLUMON command object authority required 358 RMVCLUNODE authorized IBM-supplied user profiles 333 RMVCLUNODE command object authority required 358 RMVCMNE (Remove Communications Entry) command object auditing 547 object authority required 482 RMVCNNLE (Remove Connection List Entry) command object auditing 506 RMVCOMSNMP (Remove Community for SNMP) command object authority required 488 RMVCRGDEVE authorized IBM-supplied user profiles 333 RMVCRGNODE authorized IBM-supplied user profiles 333 RMVCRQD (Remove Change Request Description Activity) command object auditing 505


RMVCRQDA (Remove Change Request Description Activity) command object authority required 354 RMVCRSDMNK (Remove Cross Domain Key) command authorized IBM-supplied user profiles 333 RMVDEVDMNE command authorized IBM-supplied user profiles 333 object authority required 358 RMVDFRID (Remove Defer ID) command object auditing 500 RMVDFRID command authorized IBM-supplied user profiles 333 object authority required 343 RMVDIR (Remove Directory) command object auditing 511 object authority required 399 RMVDIRE (Remove Directory Entry) command description 314 object authority required 369 RMVDIRSHD (Remove Directory Shadow System) command object authority required 369 RMVDLOAUT (Remove Document Library Object Authority) command description 313 object auditing 516 object authority required 374 RMVDSTLE (Remove Distribution List Entry) command object authority required 372 RMVDSTQ (Remove Distribution Queue) command authorized IBM-supplied user profiles 333 object authority required 372 RMVDSTRTE (Remove Distribution Route) command authorized IBM-supplied user profiles 333 object authority required 372 RMVDSTSYSN (Remove Distribution Secondary System Name) command authorized IBM-supplied user profiles 333 object authority required 372 RMVDWDFN command 333 RMVEMLCFGE (Remove Emulation Configuration Entry) command object authority required 369 RMVENVVAR (Remove Environment Variable) command object authority required 378 RMVEWCBCDE (Remove Extended Wireless Controller Bar Code Entry) command object authority required 379 RMVEWCPTCE (Remove Extended Wireless Controller PTC Entry) command object authority required 379

RMVEXITPGM (Remove Exit Program) command authorized IBM-supplied user profiles 333 object auditing 520 object authority required 467 RMVFCTE (Remove Forms Control Table Entry) command object authority required 471 RMVFNTTBLE (Remove DBCS Font Table Entry) object authority required for commands 349 RMVFTRACNE (Remove Filter Action Entry) command object auditing 525 object authority required 386 RMVFTRSLTE (Remove Filter Selection Entry) command object auditing 525 object authority required 386 RMVICFDEVE (Remove Intersystem Communications Function Program Device Entry) command object authority required 385 RMVIMGCLGE command object authority required 389 RMVIPSIFC (Remove IP over SNA Interface) command object authority required 350 RMVIPSLOC (Remove IP over SNA Location Entry) command object authority required 350 RMVIPSRTE (Remove IP over SNA Route) command object authority required 350 RMVJOBQE (Remove Job Queue Entry) command object auditing 527, 547 object authority required 482 RMVJOBSCDE (Remove Job Schedule Entry) command object auditing 528 object authority required 415 RMVJRNCHG (Remove Journaled Changes) command authorized IBM-supplied user profiles 333 object auditing 499, 529 object authority required 418 RMVJWDFN command 333 RMVLANADP (Remove LAN Adapter) command authorized IBM-supplied user profiles 333 RMVLANADPI (Remove LAN Adapter Information) command object authority required 435 RMVLANADPT (Remove LAN Adapter) command object authority required 435 RMVLIBLE (Remove Library List Entry) command using 207

RMVLICKEY (Remove License Key) command object authority required 432 RMVLNK (Remove Link) command object auditing 549, 554, 556 object authority required 400 RMVM (Remove Member) command object auditing 522 object authority required 385 RMVMFS (Remove Mounted File System) command authorized IBM-supplied user profiles 333 object authority required 443, 489 RMVMSG (Remove Message) command object auditing 535 object authority required 438 RMVMSGD (Remove Message Description) command object auditing 535 object authority required 439 RMVNETJOBE (Remove Network Job Entry) command authorized IBM-supplied user profiles 333 object authority required 442 RMVNETTBLE (Remove Network Table Entry) command object authority required 488 RMVNODLE (Remove Node List Entry) command object auditing 536 object authority required 447 RMVNWSSTGL (Remove Network Server Storage Link) command object authority required 445 RMVOPTCTG (Remove Optical Cartridge) command authorized IBM-supplied user profiles 333 object authority required 451 RMVOPTSVR (Remove Optical Server) command authorized IBM-supplied user profiles 333 object authority required 451 RMVPEXDFN (Remove Performance Explorer Definition) command authorized IBM-supplied user profiles 333 object authority required 458 RMVPEXFTR command authorized IBM-supplied user profiles 333 RMVPFCST (Remove Physical File Constraint) command object auditing 523 object authority required 385 RMVPFTRG (Remove Physical File Trigger) command object auditing 523 object authority required 385


RMVPGM (Remove Program) command object authority required 462 RMVPJE (Remove Prestart Job Entry) command object auditing 547 object authority required 482 RMVPTF (Remove Program Temporary Fix) command authorized IBM-supplied user profiles 333 object authority required 474 RMVRDBDIRE (Remove Relational Database Directory Entry) command object authority required 468 RMVRJECMNE (Remove RJE Communications Entry) command object authority required 471 RMVRJERDRE (Remove RJE Reader Entry) command object authority required 471 RMVRJEWTRE (Remove RJE Writer Entry) command object authority required 471 RMVRMTJRN (Remove Remote Journal) command object auditing 529 RMVRMTPTF (Remove Remote Program Temporary Fix) command authorized IBM-supplied user profiles 333 RMVRPYLE (Remove Reply List Entry) command authorized IBM-supplied user profiles 333 object auditing 546 object authority required 484 RMVRTGE (Remove Routing Entry) command object auditing 547 object authority required 482 RMVSCHIDXE (Remove Search Index Entry) command object auditing 548 object authority required 409 RMVSOCE (Remove Sphere of Control Entry) command object authority required 478 RMVSVRAUTE (Remove Server Authentication Entry) command object authority required 473 RMVTAPCTG (Remove Tape Cartridge) command object authority required 436 RMVTCPHTE (Remove TCP/IP Host Table Entry) command object authority required 488 RMVTCPIFC (Remove TCP/IP Interface) command object authority required 488 RMVTCPPORT (Remove TCP/IP Port Entry) command object authority required 488 RMVTCPRSI (Remove TCP/IP Remote System Information) command object authority required 488

RMVTCPRTE (Remove TCP/IP Route) command object authority required 488 RMVTRC (Remove Trace) command object authority required 462 RMVTRCFTR authorized IBM-supplied user profiles 333 RMVWSE (Remove Workstation Entry) command object auditing 547 object authority required 482 RNM (Rename) command object auditing 511, 549, 554, 556 object authority required 400 RNMCNNLE (Rename Connection List Entry) command object auditing 506 RNMDIRE (Rename Directory Entry) command object authority required 369 RNMDLO (Rename Document Library Object) command object auditing 516 object authority required 374 RNMDSTL (Rename Distribution List) command object authority required 372 RNMM (Rename Member) command object auditing 523 object authority required 385 RNMOBJ (Rename Object) command object auditing 499, 531, 557 object authority required 343 RNMTCPHTE (Rename TCP/IP Host Table Entry) command object authority required 488 RO (ownership change for restored object) file layout 655 RO (ownership change for restored object) journal entry type 276 roll key (*ROLLKEY) user option 108 ROLLBACK (Rollback) command object authority required 360 routing entry authority to program 200 changing audit journal (QAUDJRN) entry 282 performance 218 RP (restoring programs that adopt authority) file layout 657 RP (restoring programs that adopt authority) journal entry type 276 RPLDOC (Replace Document) command object auditing 516 object authority required 374 RQ (restoring *CRQD object that adopts authority) file layout 659 RQ (restoring *CRQD object) journal entry type 277 RRTJOB (Reroute Job) command object authority required 411 RSMBKP (Resume Breakpoint) command object authority required 462

RSMCTLRCY (Resume Controller Recovery) command object auditing 508 object authority required 364 RSMDEVRCY (Resume Device Recovery) command object auditing 509 object authority required 368 RSMLINRCY (Resume Line Recovery) command object auditing 532 object authority required 435 RSMNWIRCY (Resume Network Interface Recovery) command object auditing 537 RST (Restore) command authorized IBM-supplied user profiles 333 object auditing 499, 511, 549, 554, 556 object authority required 401 RSTAUT (Restore Authority) command audit journal (QAUDJRN) entry 277 authorized IBM-supplied user profiles 333 description 312 object authority required 492 procedure 252 role in restoring security 245 using 251 RSTCFG (Restore Configuration) command authorized IBM-supplied user profiles 333 object auditing 499 object authority required 361 RSTDFROBJ (Restore Deferred Object) command object auditing 500 RSTDFROBJ command authorized IBM-supplied user profiles 333 object authority required 344 RSTDLO (Restore Document Library Object) command 245 authorized IBM-supplied user profiles 333 object auditing 516 object authority required 374 RSTLIB (Restore Library) command 245 authorized IBM-supplied user profiles 333 object auditing 499 object authority required 430 RSTLICPGM (Restore Licensed Program) command authorized IBM-supplied user profiles 333 object auditing 499 object authority required 433 recommendations 253 security risks 253 RSTOBJ (Restore Object) command authorized IBM-supplied user profiles 333 object auditing 499 object authority required 344 using 245


RSTPFRCOL (Restore Performance Collection) command authorized IBM-supplied user profiles 333 object authority required 458 RSTPFRDTA command 333 RSTS36F (Restore System/36 File) command authorized IBM-supplied user profiles 333 object authority required 385, 486 RSTS36FLR (Restore System/36 Folder) command authorized IBM-supplied user profiles 333 object authority required 374, 486 RSTS36LIBM (Restore System/36 Library Members) command authorized IBM-supplied user profiles 333 object authority required 430, 486 RSTS38AUT (Restore System/38 Authority) command authorized IBM-supplied user profiles 333 object authority required 440 RSTSHF (Restore Bookshelf) command object auditing 516 RSTSYSINF object authority required 344 RSTUSRPRF (Restore User Profiles) command authorized IBM-supplied user profiles 333 description 245, 312 object auditing 558 object authority required 492 RTVAUTLE (Retrieve Authorization List Entry) command description 309 object auditing 502 object authority required 352 RTVBCKUP (Retrieve Backup Options) command object authority required 448 RTVBNDSRC (Retrieve Binder Source) command *SRVPGM, retrieving exports from 441 object auditing 502, 534, 552 object authority required 441 RTVCFGSRC (Retrieve Configuration Source) command object auditing 506, 507, 508, 509, 532, 537, 538 object authority required 361 RTVCFGSTS (Retrieve Configuration Status) command object auditing 508, 510, 532, 537, 538 object authority required 361 RTVCLDSRC (Retrieve C Locale Source) command object auditing 504 RTVCLNUP (Retrieve Cleanup) command object authority required 448

RTVCLSRC (Retrieve CL Source) command object auditing 534, 541, 552 object authority required 463 RTVCLSRC command object authority required 428 RTVCURDIR (Retrieve Current Directory) command object auditing 510 object authority required 402 RTVDLONAM (Retrieve Document Library Object Name) command object authority required 374 RTVDOC (Retrieve Document) command object auditing 514, 516 object authority required 374 RTVDSKINF (Retrieve Disk Activity Information) command authorized IBM-supplied user profiles 334 object authority required 448 RTVDTAARA (Retrieve Data Area) command object auditing 517 object authority required 365 RTVGRPA (Retrieve Group Attributes) command object authority required 483 RTVIMGCLG command object authority required 389 RTVJOBA (Retrieve Job Attributes) command object authority required 411 RTVJRNE (Retrieve Journal Entry) command object auditing 529 object authority required 418 RTVLIBD (Retrieve Library Description) command object authority required 430 RTVMBRD (Retrieve Member Description) command object auditing 523 object authority required 385 RTVMSG (Retrieve Message) command object auditing 534 RTVNETA (Retrieve Network Attributes) command object authority required 442 RTVOBJD (Retrieve Object Description) command object auditing 500 object authority required 345 RTVPDGPRF (Retrieve Print Descriptor Group Profile) command object authority required 459 RTVPRD (Retrieve Product) command authorized IBM-supplied user profiles 334 RTVPTF (Retrieve PTF) command authorized IBM-supplied user profiles 334 RTVPWRSCDE (Retrieve Power On/Off Schedule Entry) command object authority required 448

RTVQMFORM (Retrieve Query Management Form) command object auditing 545 object authority required 465 RTVQMQRY (Retrieve Query Management Query) command object auditing 544, 545 object authority required 465 RTVS36A (Retrieve System/36 Attributes) command object auditing 557 object authority required 486 RTVSMGOBJ (Retrieve Systems Management Object) command authorized IBM-supplied user profiles 334 RTVSYSVAL (Retrieve System Value) command object authority required 484 RTVUSRPRF (Retrieve User Profile) command description 311 object auditing 559 object authority required 492 using 128 RTVWSCST (Retrieve Workstation Customizing Object) command object auditing 560 object authority required 494 RU (restore authority for user profile) file layout 659 RU (restore authority for user profile) journal entry type 277 run priority 217, 218 RUNBCKUP (Run Backup) command object authority required 448 RUNDNSUPD command object authority required 377 RUNLPDA (Run LPDA-2) command authorized IBM-supplied user profiles 334 object auditing 531 object authority required 474 RUNQRY (Run Query) command object auditing 545 object authority required 465 RUNRNDCCMD command object authority required 377 RUNSMGCMD (Run Systems Management Command) command authorized IBM-supplied user profiles 334 RUNSMGOBJ (Run Systems Management Object) command authorized IBM-supplied user profiles 334 RUNSQLSTM (Run Structured Query Language Statement) command object authority required 428 RVKACCAUT (Revoke Access Code Authority) command object auditing 516 object authority required 447 RVKOBJAUT (Revoke Object Authority) command 159 description 310 object auditing 499


RVKOBJAUT (Revoke Object Authority) command (continued) object authority required 345 using 169 RVKPUBAUT (Revoke Public Authority) command authorized IBM-supplied user profiles 334 description 316, 713 details 716 object authority required 344 RVKUSRPMN (Revoke User Permission) command description 313 object auditing 516 object authority required 447 RVKWSOAUT (Revoke Workstation Object Authority) command object authority required 387 RZ (primary group change for restored object) file layout 660 RZ (primary group change for restored object) journal entry type 277

S
S/36 machine description (*S36) auditing 556 SAV (Save) command object auditing 497, 510, 553, 556 object authority required 402 SAVAPARDTA (Save APAR Data) command authorized IBM-supplied user profiles 334 object authority required 475 SAVCFG (Save Configuration) command object auditing 508, 509, 531, 537, 538 object authority required 361 SAVCHGOBJ (Save Changed Object) command object auditing 497 object authority required 345 SAVDLO (Save Document Library Object) command object auditing 497, 514 object authority required 375 using 245 Save Document Library Object (SAVDLO) command 245 Save Library (SAVLIB) command 245 Save Object (SAVOBJ) command 245, 294 Save Performance Collection (SAVPFRCOL) command authorized IBM-supplied user profiles 334 object authority required 458 Save Security Data (SAVSECDTA) command 245, 312 save system (*SAVSYS) special authority *OBJEXIST authority 132, 338 description 256 functions allowed 86 removed by system changing security levels 13

save system (*SAVSYS) special authority (continued) risks 86 Save System (SAVSYS) command 245, 312 save/restore (*SAVRST) audit level 276 saving audit journal receiver 294 auditing 256 authority holder 245 authorization list 245 document library object (DLO) 245 library 245 object 245 object ownership 245 performance collection authorized IBM-supplied user profiles 334 object authority required 458 primary group 245 private authority 245 public authority 245 restricting 216, 217 security data 245, 312 security information 245 security risks 216 system 245, 312 user profile commands 245 SAVLIB (Save Library) command object auditing 497 object authority required 431 using 245 SAVLICPGM (Save Licensed Program) command authorized IBM-supplied user profiles 334 object auditing 497 object authority required 433 SAVOBJ (Save Object) command object auditing 497 object authority required 345 saving audit journal receiver 294 using 245 SAVPFRCOL (Save Performance Collection) command authorized IBM-supplied user profiles 334 object authority required 458 SAVPFRDTA command 334 SAVRSOBJ (Save Restore Object) command object authority required 346 SAVRSTCFG (Save Restore Configuration) command object authority required 361 SAVRSTCHG authorized IBM-supplied user profiles 334 SAVRSTCHG (Save Restore Change) command object authority required 346 SAVRSTDLO (Save Restore Document Library Object) command object authority required 375

SAVRSTLIB authorized IBM-supplied user profiles 334 SAVRSTLIB (Save Restore Library) command object authority required 431 SAVRSTOBJ authorized IBM-supplied user profiles 334 SAVS36F (Save System/36 File) command object authority required 385, 486 SAVS36LIBM (Save System/36 Library Members) command object authority required 385, 431 SAVSAVFDTA (Save Save File Data) command object auditing 497 object authority required 385 SAVSECDTA (Save Security Data) command description 312 object authority required 492 using 245 SAVSHF (Save Bookshelf) command object auditing 498, 514 SAVSTG (Save Storage) command object auditing 500 object authority required 346 SAVSYS (Save System) command description 312 object authority required 346 using 245 SAVSYSINF object authority required 346 SBMCRQ (Submit Change Request) command object auditing 504 SBMDBJOB (Submit Database Jobs) command object authority required 411 SBMDKTJOB (Submit Diskette Jobs) command object authority required 411 SBMFNCJOB (Submit Finance Job) command authorized IBM-supplied user profiles 334 object authority required 387 SBMJOB (Submit Job) command authority checking 200 object authority required 411 SECBATCH menu 708 SBMNETJOB (Submit Network Job) command object authority required 411 SBMNWSCMD (Submit Network Server Command) command authorized IBM-supplied user profiles 334 object authority required 445 SBMRJEJOB (Submit RJE Job) command object authority required 471 SBMRMTCMD (Submit Remote Command) command object authority required 359 scan object alterations 262, 304, 311

scan file systems (QSCANFS) system value 33
scan file systems control (QSCANFSCTL) system value 33
scheduling
  security reports 708
  user profile
    activation 705
    expiration 705
scheduling priority
  limiting 95
scrolling
  reversing (*ROLLKEY user option) 108
SD (change system distribution directory) file layout 662
SD (change system distribution directory) journal entry type 275
SE (change of subsystem routing entry) file layout 663
SE (change of subsystem routing entry) journal entry type 282
search index
  object authority required 409
search index (*SCHIDX)
  auditing 547
SECBATCH (Submit Batch Reports) menu
  scheduling reports 708
  submitting reports 707
SECTOOLS (Security Tools) menu 705
Secure Sockets Layer (SSL) cipher control (QSSLCSLCTL) system value 40
Secure Sockets Layer (SSL) cipher specification list (QSSLCSL) system value 39
Secure Sockets Layer (SSL) protocols (QSSLPCL) system value 40
security
  Common Criteria
    description 6
  critical files 236
  designing 219
  job description 206
  keylock 2
  library lists 207
  objective
    availability 1
    confidentiality 1
    integrity 1
  output queue 211
  overall recommendations 220
  physical 2
  planning 1
  printer output 211
  source files 242
  spooled file 211
  starting
    batch job 200
    interactive job 199
    jobs 199
  subsystem description 205
  system values 3
  tools 315
  why needed 1
security (*SECURITY) audit level 280
security administrator (*SECADM) special authority
  functions allowed 85
security attribute
  object authority required for commands 472
security audit
  object authority required for commands 472
security audit journal
  displaying entries 315
  printing entries 709
security auditing
  displaying 315, 707
  setting up 315, 707
security auditing function
  activating 290
  CHGSECAUD 290
  stopping 295
Security Auditing Journal Entries 270
security command list 309
security data
  saving 245, 312
security information
  backup 245
  format on save media 247
  format on system 246
  recovery 245
  restoring 245
  saving 245
  stored on save media 247
  stored on system 246
security level (QSECURITY) system value
  auditing 258
  automatic user profile creation 73
  changing
    level 10 to level 20 12
    level 20 to level 30 13
    level 20 to level 40 18
    level 20 to level 50 20
    level 30 to 20 13
    level 30 to level 40 18
    level 30 to level 50 20
    level 40 to 20 13
    level 40 to level 30 19
    level 50 to level 30 or 40 21
  comparison of levels 9
  disabling level 40 19
  disabling level 50 21
  enforcing QLMTSECOFR system value 203
  internal control blocks 20
  introduction 2
  level 10 12
  level 20 12
  level 30 13
  level 40 14
  level 50
    message handling 20
    overview 19
    QTEMP (temporary) library 19
    validating parameters 17
  overview 9
  recommendations 11
  special authority 11
  user class 11
  value set by CFGSYSSEC command 714
security officer
  limiting workstation access 29
  monitoring actions 305
  restricting to certain workstations 258
security officer (QSECOFR) user profile
  authority to console 203
  default values 319
  device description owner 203
  disabled status 78
  enabling 78
  restoring 249
security tools
  commands 315, 705
  contents 315, 705
  menus 705
Security Tools (SECTOOLS) menu 705
security value
  setting 713
Send Journal Entry (SNDJRNE) command 292
Send Network Spooled File (SNDNETSPLF) command 211
sending
  journal entry 292
  network spooled file 211
sensitive data
  encrypting 262
  protecting 261
server authentication
  object authority required for commands 473
server authentication entry
  adding 314
  changing 314
  removing 314
server security user information actions (SO) file layout 672
server session
  audit journal (QAUDJRN) entry 273
server session (VS) file layout 686
server session (VS) journal entry type 273
server storage space (*SVRSTG) object 553
service
  object authority required for commands 473
service (*SERVICE) special authority
  failed sign-on 201
  functions allowed 87
  risks 87
service (QSRV) user profile
  authority to console 203
  default values 319
service basic (QSRVBAS) user profile 319
service program
  adopted authority 151
service program (*SRVPGM)
  auditing 552
service status change (VV) file layout 688
service status change (VV) journal entry type 283
service tools (*SERVICE) audit level 283
service tools action (ST) file layout 673
service tools action (ST) journal entry type 283
session
  object authority required for commands 468
session description (*SSND)
  auditing 553
Set Attention Program (SETATNPGM) command 104
set password to expired (PWDEXP) parameter 77
SETATNPGM (Set Attention Program) command
  job initiation 104
  object authority required 463
SETCSTDTA (Set Customization Data) command
  object authority required 387
SETJOBATR (user options) parameter
  user profile 107
SETMSTK (Set Master Key) command
  authorized IBM-supplied user profiles 334
SETMSTKEY command
  authorized IBM-supplied user profiles 334
  object authority required 365
SETOBJACC (Set Object Access) command
  object authority required 346
SETPGMINF (Set Program Information) command
  object authority required 463
SETTAPCGY (Set Tape Category) command
  object authority required 436
setting
  Attention-key-handling program (ATNPGM) 104
  network attributes 316, 713
  security values 713
  system values 316, 713
setting up
  auditing function 290
  security auditing 315, 707
SETVTMAP (Set VT100 Keyboard Map) command
  object authority required 488
STRTCP (Start TCP/IP) command
  object authority required 488
STRTCPIFC (Start TCP/IP Interface) command
  object authority required 488
SETVTTBL (Set VT Translation Tables) command
  object authority required 487
SEV (message queue severity) parameter
  user profile 102
severity (SEV) parameter
  user profile 102
SF (action to spooled file) file layout 664
SF (change to spooled file) journal entry type 284
share memory control (QSHRMEMCTL) system value
  description 35
  possible values 35
shared folder
  securing 216
sign-on
  action when attempts reached (QMAXSGNACN system value) 30
  authorities required 199
  authority failures 199
  console 203
  incorrect password
    audit journal (QAUDJRN) entry 271
  incorrect user ID
    audit journal (QAUDJRN) entry 271
  limiting attempts 30
  preventing default 261
  remote (QRMTSIGN system value) 32
  restricting security officer 201
  security checking 199
  security officer fails 201
  service user fails 201
  user with *ALLOBJ special authority fails 201
  user with *SERVICE special authority fails 201
  without user ID 205
  without user ID and password 16
  workstation authority needed 201
sign-on information
  displaying
    DSPSGNINF user profile parameter 91
    QDSPSGNINF system value 26
Sign-on Information display
  DSPSGNINF user profile parameter 90
  example 27
  expiration warning message 48
  expired password message 47, 78
signing
  integrity 3
  object 3
SIGNOFF (Sign Off) command
  object authority required 483
Signon screen
  changing 204
  displaying source for 204
Signon screen display file 204
size of password 50
SLTCMD (Select Command) command
  object authority required 359
SM (systems management change) file layout 671
SM (systems management change) journal entry type 284
SNA distribution services (QSNADS) user profile 319
SNADS (Systems Network Architecture distribution services)
  QSNADS user profile 319
SNDBRKMSG (Send Break Message) command
  object authority required 438
SNDDOC (Send Document) command
  object auditing 514
SNDDST (Send Distribution) command
  object auditing 515
  object authority required 372
SNDDSTQ (Send Distribution Queue) command
  authorized IBM-supplied user profiles 334
  object authority required 372
SNDDTAARA (Send Data Area) command
  object auditing 517
SNDEMLIGC (Send DBCS 3270PC Emulation Code) command
  object authority required 369
SNDFNCIMG (Send Finance Diskette Image) command
  object authority required 387
SNDJRNE (Send Journal Entry) command 292
  object auditing 529
  object authority required 418
SNDMGRDTA (Send Migration Data) command
  object authority required 440
SNDMSG (Send Message) command
  object authority required 438
SNDNETF (Send Network File) command
  object authority required 442
SNDNETMSG (Send Network Message) command
  object authority required 442
SNDNETSPLF (Send Network Spooled File) command
  action auditing 550
  object auditing 539
  object authority required 480
  output queue parameters 211
SNDNWSMSG (Send Network Server Message) command
  object authority required 445
SNDPGMMSG (Send Program Message) command
  object authority required 438
SNDPRD (Send Product) command
  authorized IBM-supplied user profiles 334
SNDPTF (Send PTF) command
  authorized IBM-supplied user profiles 334
SNDPTFORD (Send Program Temporary Fix Order) command
  authorized IBM-supplied user profiles 334
  object authority required 475
SNDRJECMD (Send RJE Command) command
  object authority required 471
SNDRJECMD (Send RJE) command
  object authority required 471
SNDRPY (Send Reply) command
  object auditing 536
  object authority required 438
SNDSMGOBJ (Send Systems Management Object) command
  authorized IBM-supplied user profiles 334
SNDSRVRQS (Send Service Request) command
  authorized IBM-supplied user profiles 334
  object authority required 475
SNDTCPSPLF (Send TCP Spooled File) command
  object authority required 480
SNDTCPSPLF (Send TCP/IP Spooled File) command
  action auditing 550
  object auditing 560
  object authority required 487
SNDUSRMSG (Send User Message) command
  object authority required 438
SO (server security user information actions) file layout 672
socket
  giving
    audit journal (QAUDJRN) entry 281
sockets
  object authority required for commands 350
sort sequence
  QSRTSEQ system value 105
  shared weight 105
  unique weight 105
  user profile 105
source file
  securing 242
SPCAUT (special authority) parameter
  recommendations 88
  user profile 84
SPCENV (special environment) parameter
  recommendations 89
  routing interactive job 90
Special Authorities
  authorities, special 240
Special Authorities, Accumulating 240
special authority
  *ALLOBJ (all object)
    auditing 260
    automatically added 13
    automatically removed 13
    failed sign-on 201
    functions allowed 85
    risks 85
  *AUDIT (audit)
    functions allowed 88
    risks 88
  *IOSYSCFG (system configuration)
    functions allowed 88
    risks 88
  *JOBCTL (job control)
    functions allowed 86
    output queue parameters 212
    priority limit (PTYLMT) parameter 95
    risks 86
  *SAVSYS (save system)
    *OBJEXIST authority 132, 338
    automatically removed 13
    description 256
    functions allowed 86
    risks 86
  *SECADM (security administrator)
    functions allowed 85
  *SERVICE (service)
    failed sign-on 201
    functions allowed 87
    risks 87
  *SPLCTL (spool control)
    functions allowed 86
    output queue parameters 213
    risks 86
  added by system
    changing security level 13
  adopted authority 150
  analyzing assignment 709
  changing security level 13
  definition 84
  listing users 302
  recommendations 88
  removed by system
    automatically removed 249
    changing security level 13
  user profile 84
special authority (SPCAUT) parameter
  recommendations 88
  user profile 84
special environment (QSPCENV) system value 89
special environment (SPCENV) parameter
  recommendations 89
  routing interactive job 90
Special Files (*CHRSF)
  auditing 503
spelling aid dictionary
  object authority required for commands 478
spelling aid dictionary (*SPADCT)
  auditing 550
sphere of control
  object authority required for commands 478
spool (QSPL) user profile 319
spool control (*SPLCTL) special authority
  functions allowed 86
  output queue parameters 213
  risks 86
spool job (QSPLJOB) user profile 319
spooled file
  *JOBCTL (job control) special authority 86
  *SPLCTL (spool control) special authority 86
  action auditing 550
  changing
    audit journal (QAUDJRN) entry 284
  copying 211
  deleting user profile 124
  displaying 211
  moving 211
  object authority required for commands 479
  owner 211
  securing 211
  working with 211
spooled file changes (*SPLFDTA) audit level 284, 550
SQL
  file security 239
SQL catalog 239
SQL package (*SQLPKG)
  auditing 552
SRC (system reference code)
  B900 3D10 (auditing error) 66
SRTSEQ (sort sequence) parameter
  user profile 105
ST (service tools action) file layout 673
ST (service tools action) journal entry type 283
Start QSH (STRQSH) command
  object authority required
    alias, QSH 464
Start System/36 (STRS36) command
  user profile special environment 89
starting
  auditing function 290
  connection
    audit journal (QAUDJRN) entry 273
state
  program 15
state attribute
  object 15
state attribute, program
  displaying 15
STATFS (Display Mounted File System Information) command
  object authority required 443
status (STATUS) parameter
  user profile 78
status message
  displaying (*STSMSG user option) 108
  not displaying (*NOSTSMSG user option) 108
stopping
  audit function 295
  auditing 65
storage
  enhanced hardware protection 17
  maximum (MAXSTG) parameter 94
  reclaiming 19, 145, 255
  setting QALWUSRDMN (allow user objects) system value 26
  threshold
    audit (QAUDJRN) journal receiver 293
  user profile 94
storage pool 218
STRAPF (Start Advanced Printer Function) command
  object authority required 351, 385
STRASPBAL
  authorized IBM-supplied user profiles 334
STRASPBAL command 368
STRASPSSN
  authorized IBM-supplied user profiles 334
STRBEST (Start Best/1-400 Capacity Planner) command
  object authority required 458
STRBEST (Start BEST/1) command
  authorized IBM-supplied user profiles 334
STRBGU (Start Business Graphics Utility) command
  object authority required 351
STRCAD
  authorized IBM-supplied user profiles 334
STRCAD command
  object authority required 358
STRCBLDBG (Start COBOL Debug) command
  object authority required 428, 463
STRCGU (Start CGU) command
  object authority required 378
STRCHTSVR (Start Clustered Hash Table Server)
  authorized IBM-supplied user profiles 334
STRCLNUP (Start Cleanup) command
  object authority required 449
STRCLUNOD
  authorized IBM-supplied user profiles 334
STRCLUNOD command
  object authority required 358
STRCMNTRC (Start Communications Trace) command
  authorized IBM-supplied user profiles 334
  object authority required 475
STRCMTCTL (Start Commitment Control) command
  object authority required 360
STRCPYSCN (Start Copy Screen) command
  object authority required 475
STRCRG
  authorized IBM-supplied user profiles 334
STRCSP (Start CSP/AE Utilities) command
  object auditing 542
STRDBG (Start Debug) command
  authorized IBM-supplied user profiles 334
  object auditing 521, 541
  object authority required 463
STRDBGSVR (Start Debug Server) command
  authorized IBM-supplied user profiles 334
STRDBMON (Start Database Monitor) command
  object authority required 458
STRDBRDR (Start Database Reader) command
  object authority required 467
STRDFU (Start DFU) command
  object authority required 351, 385
STRDIGQRY (Start DIG Query) command
  object authority required 377
STRDIRSHD (Start Directory Shadow System) command
  object authority required 369
STRDIRSHD (Start Directory Shadowing) command
  object auditing 513
STRDKTRDR (Start Diskette Reader) command
  object authority required 467
STRDKTWTR (Start Diskette Writer) command
  object authority required 495
STRDSKRGZ (Start Disk Reorganization) command
  object authority required 370
STRDW (Start Disk Watcher) command
  authorized IBM-supplied user profiles 334
  object authority required 458
stream file (*STMF)
  auditing 553
STREDU (Start Education) command
  object authority required 448
STREML3270 (Start 3270 Display Emulation) command
  object authority required 369
STRFMA (Start Font Management Aid) command
  object auditing 526
  object authority required 378
STRHOSTQRY (Start HOST Query) command
  object authority required 377
STRHOSTSVR
  authorized IBM-supplied user profiles 334
STRHOSTSVR (Start Host Server) command
  object authority required 388
STRIDD (Start Interactive Data Definition Utility) command
  object authority required 408
STRIDXMON (Start Index Monitor) command
  authorized IBM-supplied user profiles 334
STRIPSIFC (Start IP over SNA Interface) command
  authorized IBM-supplied user profiles 334
  object authority required 350
STRJOBTRC (Start Job Trace) command
  authorized IBM-supplied user profiles 335
  object authority required 458
STRJRN (Start Journal) command
  object authority required 403, 418
STRJRN (Start Journaling) command
  object auditing 499
STRJRNAP (Start Journal Access Path) command
  object authority required 418
STRJRNLIB (Start Journaling the Library) command
  object authority required 419
STRJRNOBJ (Start Journal Object) command
  object authority required 419
STRJRNPF (Start Journal Physical File) command
  object authority required 419
STRJRNxxx (Start Journaling) command
  object auditing 529
STRJW command
  authorized IBM-supplied user profiles 334
  object authority required 458
STRLOGSVR (Start Job Log Server) command
  object authority required 411
STRMGDSYS (Start Managed System) command
  authorized IBM-supplied user profiles 335
STRMGRSRV (Start Manager Services) command
  authorized IBM-supplied user profiles 335
STRMOD (Start Mode) command
  object auditing 533
  object authority required 440
STRMSF (Start Mail Server Framework) command
  authorized IBM-supplied user profiles 335
  object authority required 436
STRNETINS (Start Network Install) command
  authorized IBM-supplied user profiles 335
  object authority required 451
STRNETINS command
  object authority required 389
STRNFSSVR (Start Network File System Server) command
  authorized IBM-supplied user profiles 335
  object authority required 443
STROBJCVN
  authorized IBM-supplied user profiles 335
STROBJCVN command 346
STRPASTHR (Start Pass-Through) command
  object auditing 509
  object authority required 371
STRPDM (Start Programming Development Manager) command
  object authority required 351
STRPEX (Start Performance Explorer) command
  authorized IBM-supplied user profiles 335
  object authority required 458
STRPFRG
  authorized IBM-supplied user profiles 335
STRPFRG (Start Performance Graphics) command
  object authority required 458
STRPFRT
  authorized IBM-supplied user profiles 335
STRPFRT (Start Performance Tools) command
  object authority required 458
STRPFRTRC (Start Performance Trace) command
  authorized IBM-supplied user profiles 335
  object authority required 459
STRPJ (Start Prestart Jobs) command
  object authority required 411
STRPRTEML (Start Printer Emulation) command
  object authority required 369
STRPRTWTR (Start Printer Writer) command
  object auditing 538, 560
  object authority required 495
STRQMQRY (Start Query Management Query) command
  object auditing 543, 544, 545
  object authority required 465
STRQRY (Start Query) command
  object authority required 465
STRQSH (Start QSH) command
  object authority required
    alias, QSH 464
STRQST (Start Question and Answer) command
  object authority required 466
STRREXPRC (Start REXX Procedure) command
  object authority required 428
STRRGZIDX (Start Reorganization of Index) command
  authorized IBM-supplied user profiles 335
STRRJECSL (Start RJE Console) command
  object authority required 471
STRRJERDR (Start RJE Reader) command
  object authority required 471
STRRJESSN (Start RJE Session) command
  object authority required 471
STRRJEWTR (Start RJE Writer) command
  object authority required 472
STRRLU (Start Report Layout Utility) command
  object authority required 351
STRRMTWTR (Start Remote Writer) command
  action auditing 550, 560
  object auditing 538
  object authority required 495
STRS36 (Start System/36) command
  object auditing 557
  user profile special environment 89
STRS36MGR (Start System/36 Migration) command
  authorized IBM-supplied user profiles 335
  object authority required 440
STRS38MGR (Start System/38 Migration) command
  authorized IBM-supplied user profiles 335
  object authority required 440
STRSAVSYNC (Set Object Access) command
  object authority required 346
STRSBS (Start Subsystem) command
  object auditing 546
  object authority required 482
STRSCHIDX (Start Search Index) command
  object auditing 547
  object authority required 409
STRSDA (Start SDA) command
  object authority required 351
STRSEU (Start SEU) command
  object authority required 351
STRSPLRCL command
  authorized IBM-supplied user profiles 335
  object authority required 480
STRSQL (Start Structured Query Language) command
  object authority required 428, 453
STRSRVJOB (Start Service Job) command
  authorized IBM-supplied user profiles 335
  object authority required 475
STRSST (Start System Service Tools) command
  authorized IBM-supplied user profiles 335
  object authority required 475
STRSSYSMGR (Start System Manager) command
  authorized IBM-supplied user profiles 335
STRTCP (Start TCP/IP) command
  authorized IBM-supplied user profiles 335
STRTCPFTP (Start TCP/IP File Transfer Protocol) command
  object authority required 487
STRTCPIFC (Start TCP/IP Interface) command
  authorized IBM-supplied user profiles 335
STRTCPPTP (Start Point-to-Point TCP/IP) command
  object authority required 487
STRTCPSVR (Start TCP/IP Server) command
  authorized IBM-supplied user profiles 335
  object authority required 487
STRTCPTELN (Start TCP/IP TELNET) command
  object authority required 488
STRTRC (Start Trace) command
  object authority required 475
STRUPDIDX (Start Update of Index) command
  authorized IBM-supplied user profiles 335
STRWCH (Start Watch) command
  authorized IBM-supplied user profiles 335
STRWCH command
  object authority required 475
Submit Job (SBMJOB) command 200
  SECBATCH menu 708
submitting
  security reports 707
subset authority 133
subsystem
  *JOBCTL (job control) special authority 86
  object authority required for commands 481
  sign on without user ID and password 16
subsystem description
  authority 315
  communications entry 206
  default user 315
  entry 315
  performance 218
  printing list of descriptions 315
  printing security-relevant parameters 709
  routing entry change
    audit journal (QAUDJRN) entry 282
  security 205
subsystem description (*SBSD)
  auditing 546
SUPGRPPRF (supplemental groups) parameter
  user profile 99
supplemental group
  planning 240
supplemental groups
  SUPGRPPRF user profile parameter 99
SV (action to system value) file layout 678
SV (action to system value) journal entry type 282
symbolic link (*SYMLNK)
  auditing 555
system
  object authority required for commands 483
  saving 245, 312
system (*SYSTEM) domain 15
system (*SYSTEM) state 15
system (QSYS) library
  authorization lists 139
system (QSYS) user profile
  default values 319
  restoring 249
system change-journal management support 293
system configuration
  *IOSYSCFG (system configuration) special authority 88
system configuration (*IOSYSCFG) special authority
  functions allowed 88
  risks 88
system console 203
  QCONSOLE system value 203
system directory
  changing
    audit journal (QAUDJRN) entry 275
system distribution directory
  *SECADM (security administrator) special authority 85
  commands for working with 314
  deleting user profile 122
system library list
  changing 207, 228
  QSYSLIBL system value 207
system operations
  special authority (SPCAUT) parameter 84
system operator (QSYSOPR) user profile 319
system password 131
system portion
  library list
    changing 227
    description 207
    recommendations 209
system program
  calling directly 15
system reference code (SRC)
  B900 3D10 (auditing error) 66
system reply list
  object authority required for commands 483
system request function
  adopted authority 150
System request menu
  options and commands 234
  using 234
System Request menu
  limit device sessions (LMTDEVSSN) 93
system resources
  limiting use
    priority limit (PTYLMT) parameter 95
  preventing abuse 217
system signing 3
system status
  working with 218
system value
  action when sign-on attempts reached (QMAXSGNACN)
    description 30
    user profile status 78
  allow object restore option (QALWOBJRST) 44
  allow user objects (QALWUSRDMN) 20, 25
  Attention-key-handling program (QATNPGM) 104
  audit
    planning 288
  audit control (QAUDCTL)
    changing 315
    displaying 315
  audit level (QAUDLVL)
    *AUTFAIL (authority failure)
      description 270
    *CREATE (create) value 272
    *DELETE (delete) value 272
    *JOBDTA (job change) value 273
    *OBJMGT (object management) value 275
    *OFCSRV (office services) value 275
    *PGMADP (adopted authority) value 275
    *PGMFAIL (program failure) value 276
    *PRTDTA (printer output) value 276
    *SAVRST (save/restore) value 276
    *SECURITY (security) value 280
    *SERVICE (service tools) value 283
    *SPLFDTA (spooled file changes) value 284
    *SYSMGT (systems management) value 284
    changing 292, 315
    displaying 315
    purpose 263
    user profile 113
  auditing 258
    overview 64
  auditing control (QAUDCTL)
    overview 65
  auditing end action (QAUDENDACN) 66, 289
  auditing force level (QAUDFRCLVL) 66, 288
  auditing level (QAUDLVL)
    overview 67
  auditing level extension (QAUDLVL2)
    overview 69
  automatic configuration of virtual devices (QAUTOVRT) 37
  automatic device configuration (QAUTOCFG) 37
  block password change (QPWDCHGBLK) 47
  changing
    *SECADM (security administrator) special authority 85
    audit journal (QAUDJRN) entry 282
  coded character set identifier (QCCSID) 106
  command for setting 316, 713
  console (QCONSOLE) 203
  country or region identifier (QCNTRYID) 106
  create authority (QCRTAUT)
    description 26
    risk of changing 26
    using 139
  create object auditing (QCRTOBJAUD) 70
  disconnected job time-out interval (QDSCJOBITV) 38
  display sign-on information (QDSPSGNINF) 26, 91
  file systems scan (QSCANFS) 33
  file systems control scan (QSCANFSCTL) 33
  inactive job
    message queue (QINACTMSGQ) 28
    time-out interval (QINACTITV) 27
  integrated file systems scan (QSCANFS) 33
  integrated file systems control scan (QSCANFSCTL) 33
  keyboard buffering (QKBDBUF) 94
  language identifier (QLANGID) 105
  limit device sessions (QLMTDEVSSN)
    auditing 260
    description 29
    LMTDEVSSN user profile parameter 93
    QLMTDEVSSN (limit device sessions) 29
  limit security officer (QLMTSECOFR)
    authority to device descriptions 201
    changing security levels 13
    description 29
    sign-on process 203
  listing 258
  maximum sign-on attempts (QMAXSIGN)
    auditing 258, 262
    description 30
    user profile status 78
  object authority required for commands 484
  password
    approval program (QPWDVLDPGM) 60
    auditing expiration 259
    duplicate (QPWDRQDDIF) 51
    expiration interval (QPWDEXPITV) 47, 91
    expiration warning (QPWDEXPWRN) 48
    limit adjacent (QPWDLMTAJC) 52
    limit characters (QPWDLMTCHR) 51
    limit repeated characters (QPWDLMTREP) 52
    maximum length (QPWDMAXLEN) 50
    minimum length (QPWDMINLEN) 50
    overview 46
    position characters (QPWDPOSDIF) 53
    preventing trivial 259
    required password digits (QPWDRQDDGT) 53
    restriction of consecutive digits (QPWDLMTAJC) 52
    validation program (QPWDVLDPGM) 60
system value (continued)
  password expiration interval (QPWDEXPITV)
    PWDEXPITV user profile parameter 91
  print device (QPRTDEV) 103
  printing 258
  printing security communications 316
  printing security-relevant 316, 709
  QALWOBJRST (allow object restore option) 44
  QALWOBJRST (allow object restore)
    value set by CFGSYSSEC command 714
  QALWUSRDMN (allow user objects) 20, 25
  QATNPGM (Attention-key-handling program) 104
  QAUDCTL (audit control)
    changing 315, 707
    displaying 315, 707
  QAUDCTL (auditing control)
    overview 65
  QAUDENDACN (auditing end action) 66, 289
  QAUDFRCLVL (auditing force level) 66, 288
  QAUDLVL (audit level)
    *AUTFAIL (authority failure)
      description 270
    *CREATE (create) value 272
    *DELETE (delete) value 272
    *JOBDTA (job change) value 273
    *OBJMGT (object management) value 275
    *OFCSRV (office services) value 275
    *PGMADP (adopted authority) value 275
    *PGMFAIL (program failure) value 276
    *PRTDTA (printed output) value 276
    *SAVRST (save/restore) value 276
    *SECURITY (security) value 280
    *SERVICE (service tools) value 283
    *SPLFDTA (spooled file changes) value 284
    *SYSMGT (systems management) value 284
    changing 292, 315, 707
    displaying 315, 707
    purpose 263
    user profile 113
  QAUDLVL (auditing level)
    overview 67
  QAUDLVL2 (auditing level extension)
    overview 69
  QAUTOCFG (automatic configuration)
    value set by CFGSYSSEC command 714
  QAUTOCFG (automatic device configuration) 37
  QAUTOVRT (automatic configuration of virtual devices) 37
  QAUTOVRT (automatic virtual-device configuration)
    value set by CFGSYSSEC command 714
  QCCSID (coded character set identifier) 106
  QCNTRYID (country or region identifier) 106
  QCONSOLE (console) 203
  QCRTAUT (create authority)
    description 26
    risk of changing 26
    using 139
  QCRTOBJAUD (create object auditing) 70
  QDEVRCYACN (device recovery action)
    value set by CFGSYSSEC command 714
  QDSCJOBITV (disconnected job time-out interval) 38
    value set by CFGSYSSEC command 714
  QDSPSGNINF (display sign-on information) 26, 91
    value set by CFGSYSSEC command 714
  QFRCCVNRST (force conversion on restore) 43
  QINACTITV (inactive job time-out interval) 27
    value set by CFGSYSSEC command 714
  QINACTMSGQ (inactive job message queue) 28
    value set by CFGSYSSEC command 714
  QKBDBUF (keyboard buffering) 94
  QLANGID (language identifier) 105
  QLMTDEVSSN (limit device sessions)
    auditing 260
    LMTDEVSSN user profile parameter 93
  QLMTSECOFR (limit security officer)
    auditing 258
    authority to device descriptions 201
    changing security levels 13
    description 29
    sign-on process 203
    value set by CFGSYSSEC command 714
  QMAXSGNACN (action when sign-on attempts reached)
    description 30
    user profile status 78
    value set by CFGSYSSEC command 714
  QMAXSIGN (maximum sign-on attempts)
    auditing 258, 262
    description 30
    user profile status 78
    value set by CFGSYSSEC command 714
  QPRTDEV (print device) 103
  QPWDCHGBLK (block password change)
    description 47
  QPWDEXPITV (password expiration interval)
    auditing 259
    description 47
    PWDEXPITV user profile parameter 91
    value set by CFGSYSSEC command 714
  QPWDEXPWRN (password expiration warning)
    description 48
  QPWDLMTAJC (password limit adjacent) 52
  QPWDLMTAJC (password restrict adjacent characters)
    value set by CFGSYSSEC command 714
  QPWDLMTCHR (limit characters) 51
  QPWDLMTCHR (password restrict characters)
    value set by CFGSYSSEC command 714
  QPWDLMTREP (limit repeated characters) 52
  QPWDLMTREP (password limit repeated characters)
    value set by CFGSYSSEC command 714
  QPWDLMTREP (password require position difference)
    value set by CFGSYSSEC command 714
  QPWDMAXLEN (password maximum length) 50
    value set by CFGSYSSEC command 714
  QPWDMINLEN (password minimum length) 50
    value set by CFGSYSSEC command 714
  QPWDPOSDIF (position characters) 53
  QPWDRQDDGT (password require numeric character)
    value set by CFGSYSSEC command 714
  QPWDRQDDGT (required password digits) 53
  QPWDRQDDIF (duplicate password) 51
  QPWDRQDDIF (password required difference)
    value set by CFGSYSSEC command 714
  QPWDVLDPGM (password validation program) 60
    value set by CFGSYSSEC command 714
  QRETSVRSEC (retain server security) 31
  QRMTSIGN (allow remote sign-on)
    value set by CFGSYSSEC command 714
system value (continued) QRMTSIGN (remote sign-on) 32, 262 QRMTSRVATR (remote service attribute) 39 QSCANFS (scan file systems) 33 QSCANFSCTL (scan file systems control) 33 QSECURITY (security level) auditing 258 automatic user profile creation 73 changing, 20 from higher level 13 changing, level 10 to level 20 12 changing, level 20 to 30 13 changing, to level 40 18 changing, to level 50 20 comparison of levels 9 disabling level 40 19 disabling level 50 21 enforcing QLMTSECOFR system value 203 internal control blocks 20 introduction 2 level 10 12 level 20 12 level 30 13 level 40 14 level 50 19 message handling 20 overview 9 recommendations 11 special authority 11 user class 11 validating parameters 17 value set by CFGSYSSEC command 714 QSHRMEMCTL (share memory control) description 35 possible values 35 QSPCENV (special environment) 89 QSRTSEQ (sort sequence) 105 QSSLCSL (SSL cipher specification list) 39 QSSLCSLCTL (SSL cipher control) 40 QSSLPCL (SSL protocols) 40 QSYSLIBL (system library list) 207 QUSEADPAUT (use adopted authority) description 35 risk of changing 36 QUSRLIBL (user library list) 96 QVFYOBJRST (verify object on restore) 41 remote service attribute (QRMTSRVATR) 39 remote sign-on (QRMTSIGN) 32, 262 retain server security (QRETSVRSEC) 31 Scan File Systems (QSCANFS) 33 Scan File Systems (QSCANFSCTL) 33 Secure Sockets Layer (SSL) cipher control (QSSLCSLCTL) 40 Secure Sockets Layer (SSL) cipher specification list (QSSLCSL) 39 Secure Sockets Layer (SSL) protocols (QSSLPCL) 40

system value (continued)
  security
    introduction 3
    overview 24
    setting 713
  security level (QSECURITY)
    auditing 258
    automatic user profile creation 73
    changing, to level 20 from higher level 13
    changing, level 10 to level 20 12
    changing, level 20 to 30 13
    changing, to level 40 18
    changing, to level 50 20
    comparison of levels 9
    disabling level 40 19
    disabling level 50 21
    enforcing QLMTSECOFR system value 203
    introduction 2
    level 10 12
    level 20 12
    level 30 13
    level 40 14
    level 50 19
    overview 9
    recommendations 11
    special authority 11
    user class 11
  security-related
    overview 36
  share memory control (QSHRMEMCTL)
    description 35
    possible values 35
  sign-on 48
    action when attempts reached (QMAXSGNACN) 30, 78
    maximum attempts (QMAXSIGN) 30, 78, 258, 262
    remote (QRMTSIGN) 32, 262
  sort sequence (QSRTSEQ) 105
  special environment (QSPCENV) 89
  system library list (QSYSLIBL) 207
  use adopted authority (QUSEADPAUT)
    description 35
    risk of changing 36
  user library list (QUSRLIBL) 96
  verify object on restore (QVFYOBJRST) 41
  working with 258
system-defined authority 133
System/36
  authority for deleted files 153
  migration
    authority holders 154
System/36 environment
  object authority required for commands 484
  user profile 89
System/38
  command security 235
System/38 environment 89
System/38 Environment 137

systems management
  changing
    audit journal (QAUDJRN) entry 284
systems management (*SYSMGT) audit level 284
systems management change (SM) file layout 671
systems management change (SM) journal entry type 284
Systems Network Architecture (SNA) distribution services (QSNADS) user profile 319
Systems Network Architecture distribution services (SNADS)
  QSNADS user profile 319

T
table
  object authority required for commands 487
table (*TBL)
  auditing 557
tape
  object authority required for commands 436
  protecting 258
tape cartridge
  object authority required for commands 436
TCP/IP (QTCP) user profile 319
TCP/IP (Transmission Control Protocol/Internet Protocol)
  object authority required for commands 487
TCP/IP printing support (QTMPLPD) user profile 319
TELNET (Start TCP/IP TELNET) command
  object authority required 488
temporary (QTEMP) library
  security level 50 19
test request (QTSTRQS) user profile 319
text (TEXT) parameter
  user profile 84
text index
  object authority required for commands 447
TFRBCHJOB (Transfer Batch Job) command
  object auditing 527
  object authority required 412
TFRCTL (Transfer Control) command
  object authority required 463
  transferring adopted authority 150
TFRGRPJOB (Transfer to Group Job) command
  adopted authority 150
  object authority required 412
TFRJOB (Transfer Job) command
  object auditing 527
  object authority required 412
TFRPASTHR (Transfer Pass-Through) command
  object authority required 371

TFRSECJOB (Transfer Secondary Job) command
  object authority required 412
time slice 217
time zone description
  commands 489
time-out interval
  inactive jobs (QINACTITV) system value 27
  message queue (QINACTMSGQ) system value 28
token-ring
  object authority required for commands 435
total change of password 53
Transfer Control (TFRCTL) command
  transferring adopted authority 150
Transfer to Group Job (TFRGRPJOB) command
  adopted authority 150
transferring
  adopted authority 150
  to group job 150
translation of programs 17
Transmission Control Protocol/Internet Protocol (TCP/IP)
  object authority required for commands 487
TRCASPBAL
  authorized IBM-supplied user profiles 335
TRCASPBAL command 368
TRCCNN (Trace Connection) command
  object authority required 475
TRCCPIC (Trace CPI Communications) command
  authorized IBM-supplied user profiles 335
  object authority required 475
TRCCSP (Trace CSP/AE Application) command
  object auditing 542
TRCICF (Trace ICF) command
  authorized IBM-supplied user profiles 335
  object authority required 475
TRCINT (Trace Internal) command
  authorized IBM-supplied user profiles 335
  object authority required 475
TRCJOB (Trace Job) command
  authorized IBM-supplied user profiles 335
  object authority required 475
TRCTCPAPP
  authorized IBM-supplied user profiles 335
TRCTCPAPP command
  object authority required 476
trigger program
  listing all 315, 709
trivial password
  preventing 46, 259
TRMPRTEML (Terminate Printer Emulation) command
  object authority required 369
TRNCKMKSF command
  object authority required 365

TRNPIN (Translate Personal Identification Number) command
  authorized IBM-supplied user profiles 335
type-ahead (*TYPEAHEAD)
  keyboard buffering 94

U
uid (user identification number)
  restoring 249
unauthorized programs 262
UNMOUNT (Remove Mounted File System)
  object authority required 489
UNMOUNT (Remove Mounted File System) command
  object authority required 443
unsupported interface
  audit journal (QAUDJRN) entry 16, 276
update (*UPD) authority 132, 338
UPDDTA (Update Data) command
  object authority required 385
UPDPGM (Update Program) command
  object auditing 502, 534, 541
  object authority required 463
UPDPTFINF (Update PTF Information) command
  authorized IBM-supplied user profiles 335
UPDSRVPGM (Update Service Program) command
  object auditing 502, 534, 552
  object authority required 463
use (*USE) authority 134, 339
use adopted authority (QUSEADPAUT) system value
  description 35
  risk of changing 36
use adopted authority (USEADPAUT) parameter 152
USEADPAUT (use adopted authority) parameter 152
user
  adding 118
  auditing
    changing 88
    working with 127
  enrolling 118
user (*USER) domain 15
user (*USER) state 15
user auditing
  changing
    command description 313
  command descriptions 311
user authority
  adding 161
  copying
    command description 311
    example 121
    recommendations 165
  renaming profile 127

user class
  analyzing assignment 709
user class (USRCLS) parameter
  description 79
  recommendations 79
USER DEF (user-defined) authority 160
user domain object
  restricting 19
  security exposure 19
user expiration date (USREXPDATE) parameter
  user profile 111
user expiration interval (USREXPITV) parameter
  user profile 111
user ID
  DST (dedicated service tools)
    changing 129
  incorrect
    audit journal (QAUDJRN) entry 271
user identification number (uid)
  restoring 249
user identification number parameter
  user profile 108
user index (*USRIDX)
  auditing 557
user index (*USRIDX) object 19
user option (CHRIDCTL) parameter
  user profile 106
user option (LOCALE) parameter
  user profile 107
user option (SETJOBATR) parameter
  user profile 107
user option (USROPT) parameter
  *CLKWD (CL keyword) 106, 107, 108
  *EXPERT (expert) 106, 107, 108, 160
  *HLPFULL (help full screen) 108
  *NOSTSMSG (no status message) 108
  *PRTMSG (printing message) 108
  *ROLLKEY (roll key) 108
  *STSMSG (status message) 108
  user profile 106, 107, 108
USER parameter on job description 206
user permission
  granting 313
  object authority required for commands 447
  revoking 313
user portion of library list
  controlling 227
  description 207
  recommendations 210
user profile
  (gid) group identification number 109
  *ALLOBJ (all object) special authority 85
  *AUDIT (audit) special authority 88
  *IOSYSCFG (system configuration) special authority 88
  *JOBCTL (job control) special authority 86
  *SAVSYS (save system) special authority 86

user profile (continued)
  *SECADM (security administrator) special authority 85
  *SERVICE (service) special authority 87
  *SPLCTL (spool control) special authority 86
  accounting code (ACGCDE) 100
  ACGCDE (accounting code) 100
  action auditing (AUDLVL) 113
  all numeric user ID 75
  all object (*ALLOBJ) special authority 85
  analyzing
    by special authorities 709
    by user class 709
  analyzing with query 301
  assistance level (ASTLVL) 80
  ASTLVL (assistance level) 80
  ATNPGM (Attention-key-handling program) 104
  Attention-key-handling program (ATNPGM) 104
  audit (*AUDIT) special authority 88
  audit level (AUDLVL)
    *CMD (command string) value 272
  auditing
    *ALLOBJ special authority 260
    authority to use 261
    authorized users 301
  AUDLVL (action auditing) 113
  AUDLVL (audit level)
    *CMD (command string) value 272
  AUT (authority) 112
  authority
    storing 247
  authority (AUT) 112
  automatic creation 73
  CCSID (coded character set identifier) 106
  changes when restoring 248
  changing
    audit journal (QAUDJRN) entry 277
    command descriptions 311
    methods 122
    password 311
    password composition system values 47
    setting password equal to profile name 76
  checking for default password 705
  CNTRYID (country or region identifier) 105
  coded character set identifier (CCSID) 106
  commands for working with 311
  copying 119
  country or region identifier (CNTRYID) 105
  creating
    audit journal (QAUDJRN) entry 277
    command descriptions 311
    example description 118

user profile (continued)
  creating (continued)
    methods 117
  CURLIB (current library) 81
  current library (CURLIB) 81
  default values table 317
  deleting
    command description 311
    directory entry 122
    distribution lists 122
    message queue 122
    spooled files 124
  delivery (DLVRY) 102
  description (TEXT) 84
  DEV (print device) 103
  displaying
    command description 311
    individual 125
    programs that adopt 151
    sign-on information (DSPSGNINF) 91
  DLVRY (message queue delivery) 102
  DOCPWD (document password) 100
  document password (DOCPWD) 100
  DSPSGNINF (display sign-on information) 91
  EIM association (EIMASSOC) 110
  EIMASSOC (EIM association) 110
  enabling
    sample program 125
  exit points 128
  expiration date (USREXPDATE) 111
  expiration interval (USREXPITV) 111
  group authority (GRPAUT) 98, 143, 145
  group authority type (GRPAUTTYP) 98, 145
  group identification number (gid) 109
  group profile (GRPPRF) 145
    changes when restoring profile 248
    description 97
  GRPAUT (group authority) 98, 143, 145
  GRPAUTTYP (group authority type) 98, 145
  GRPPRF (group profile) 145
    changes when restoring profile 248
    description 97
  home directory (HOMEDIR) 109
  HOMEDIR (home directory) 109
  IBM-supplied
    auditing 258
    default values table 317
    purpose 128
  initial menu (INLMNU) 82
  initial program (INLPGM) 81
  INLMNU (initial menu) 82
  INLPGM (initial program) 81
  introduction 4
  job control (*JOBCTL) special authority 86
  job description (JOBD) 96
  JOBD (job description) 96

user profile (continued)
  KBDBUF (keyboard buffering) 93
  keyboard buffering (KBDBUF) 93
  LANGID (language identifier) 105
  language identifier (LANGID) 105
  large, examining 302
  LCLPWDMGT (local password management) 92
  limit capabilities
    auditing 260
    description 83
    library list 210
  limit device sessions (LMTDEVSSN) 93
  list of permanently active
    changing 705
  listing
    all users 125
    inactive 302
    selected 302
    users with command capability 302
    users with special authorities 302
  listing all 125
  LMTCPB (limit capabilities) 83, 210
  LMTDEVSSN (limit device sessions) 93
  local password management (LCLPWDMGT) 92
  LOCALE (locale) 107
  LOCALE (user options) 107
  maximum storage (MAXSTG)
    description 94
    group ownership of objects 143
  MAXSTG (maximum storage)
    description 94
    group ownership of objects 143
  message queue (MSGQ) 101
  message queue delivery (DLVRY) 102
  message queue severity (SEV) 102
  MSGQ (message queue) 101
  name (USRPRF) 75
  naming 75
  OBJAUD (object auditing) 112
  object auditing (OBJAUD) 112
  object authority required for commands 489, 490
  object owner
    deleting 143
  output queue (OUTQ) 103
  OUTQ (output queue) 103
  owned object information 115
  OWNER (owner of objects created) 97, 143
  owner (OWNER) 145
  OWNER (owner) 145
  owner of objects created (OWNER) 97, 143
  password 76
  password expiration interval (PWDEXPITV) 91
  performance
    save and restore 115
  primary group 124
  print device (DEV) 103
  printing 302

user profile (continued)
  priority limit (PTYLMT) 95
  private authorities 115
  PTYLMT (priority limit) 95
  public authority (AUT) 112
  PWDEXP (set password to expired) 77
  PWDEXPITV (password expiration interval) 91
  related commands for working with 312
  renaming 126
  restoring
    audit journal (QAUDJRN) entry 277
    command description 312
    commands 245
    procedures 248
  restoring authority
    audit journal (QAUDJRN) entry 277
  retrieving 128, 311
  roles 73
  save system (*SAVSYS) special authority 86
  saving 245
  security administrator (*SECADM) special authority 85
  service (*SERVICE) special authority 87
  set job attribute (user options) 106, 107
  set password to expired (PWDEXP) 77
  SEV (message queue severity) 102
  severity (SEV) 102
  sort sequence (SRTSEQ) 105
  SPCAUT (special authority) 84
  SPCENV (special environment) 89
  special authority (SPCAUT) 84
  special environment (SPCENV) 89
  spool control (*SPLCTL) special authority 86
  SRTSEQ (sort sequence) 105
  status (STATUS) 78
  storing authority 246, 247
  SUPGRPPRF (supplemental groups) 99
  supplemental groups (SUPGRPPRF) 99
  system configuration (*IOSYSCFG) special authority 88
  System/36 environment 89
  text (TEXT) 84
  types of displays 126
  types of reports 126
  used in job description 16
  user class (USRCLS) 79
  user identification number 108
  user options (CHRIDCTL) 106
  user options (LOCALE) 107
  user options (SETJOBATR) 107
  user options (USROPT) 106, 107, 108
  USRCLS (user class) 79
  USREXPDATE (user expiration date) 111

user profile (continued)
  USREXPITV (user expiration interval) 111
  USROPT (user options) 106, 107, 108
  USRPRF (name) 75
  working with 117, 311
user profile (*USRPRF)
  auditing 558
user profile change (CP) file layout 584
user profile change (CP) journal entry type 277
user profile parameter
  group identification number (gid) 109
user queue (*USRQ)
  auditing 559
user queue (*USRQ) object 19
user space (*USRSPC)
  auditing 559
user space (*USRSPC) object 19
user-defined (USER DEF) authority 160
USRCLS (user class) parameter
  description 79
  recommendations 79
USREXPDATE (user expiration date) parameter
  user profile 111
USREXPITV (user expiration interval) parameter
  user profile 111
USROPT (user option) parameter
  *CLKWD (CL keyword) 106, 107, 108
  *EXPERT (expert) 106, 107, 108, 160
  *HLPFULL (help full screen) 108
  *NOSTSMSG (no status message) 108
  *PRTMSG (printing message) 108
  *ROLLKEY (roll key) 108
  *STSMSG (status message) 108
USROPT (user options) parameter
  user profile 106, 107, 108
USRPRF (name) parameter 75

V
VA (access control list change) journal entry type 282
VA (changing access control list) file layout 679
validating
  restored programs 17
validating parameters 17
validating password 60
validation list
  object authority required for commands 493
validation list (*VLDL)
  auditing 560
validation list (VO) file layout 683
validation lists
  Internet user 243
Validation Lists, Create 243
Validation Lists, Delete 243
validation program, password 60, 61, 62
validation value
  audit journal (QAUDJRN) entry 276
  definition 17
VC (connection start and end) file layout 679
VC (connection start or end) journal entry type 273

verify object on restore (QVFYOBJRST) system value 41
VF (close of server files) file layout 680
VFYCMN (Verify Communications) command
  authorized IBM-supplied user profiles 335
  object auditing 508, 509, 531
  object authority required 460, 476
VFYIMGCLG command
  object authority required 389
VFYLNKLPDA (Verify Link Supporting LPDA-2) command
  authorized IBM-supplied user profiles 335
  object auditing 531
  object authority required 476
VFYMSTK (Verify Master Key) command
  authorized IBM-supplied user profiles 335
VFYPIN (Verify Personal Identification Number) command
  authorized IBM-supplied user profiles 335
VFYPRT (Verify Printer) command
  authorized IBM-supplied user profiles 335
  object authority required 460, 476
VFYTAP (Verify Tape) command
  authorized IBM-supplied user profiles 335
  object authority required 460, 476
VFYTCPCNN (Verify TCP/IP Connection) command
  object authority required 488
viewing
  audit journal entries 295
virtual device
  automatic configuration (QAUTOVRT system value) 37
  definition 37
virtual printer
  securing 216
virus
  detecting 262, 304, 311
  scanning 304
VL (account limit exceeded) file layout 681
VL (account limit exceeded) journal entry type 284
VM/MVS bridge (QGATE) user profile 319
VN (network log on and off) file layout 682
VN (network log on or off) journal entry type 273
VO (validation list) file layout 683
VP (network password error) file layout 684
VP (network password error) journal entry type 271
VR (network resource access) file layout 685

VRYCFG (Vary Configuration) command
  object auditing 508, 509, 531, 537, 538
  object authority required 361
VS (server session) file layout 686
VS (server session) journal entry type 273
VU (network profile change) file layout 687
VU (network profile change) journal entry type 282
VV (service status change) file layout 688
VV (service status change) journal entry type 283

W
wireless LAN configuration
  object authority required for commands 379
Work with Authority (WRKAUT) command 159, 310
Work with Authorization Lists (WRKAUTL) command 309
Work with Database Files Using IDDU (WRKDBFIDD) command
  object authority required 408
Work with Directory (WRKDIRE) command 314
Work with Journal (WRKJRN) command 294, 301
Work with Journal Attributes (WRKJRNA) command 294, 301
Work with Objects (WRKOBJ) command 310
Work with Objects by Owner (WRKOBJOWN) command
  auditing 261
  description 310
  using 163
Work with Objects by Owner display 123, 163
Work with Objects by Primary Group (WRKOBJPGP) command 144, 164
  description 310
Work with Output Queue Description (WRKOUTQD) command 211
Work with Spooled Files (WRKSPLF) command 211
Work with System Status (WRKSYSSTS) command 218
Work with System Values (WRKSYSVAL) command 258
Work with User Enrollment display 118
Work with User Profiles (WRKUSRPRF) command 117, 311
Work with User Profiles display 117
working on behalf
  auditing 532
working with
  authority 310
  authority holders 309, 314
  authorization lists 309
  directory 314
  document library objects (DLO) 313
  journal 301

working with (continued)
  journal attributes 294, 301
  object authority 310
  object ownership 163
  objects 310
  objects by owner 310
  objects by primary group 144, 310
  output queue description 211
  password 311
  primary group 164
  spooled files 211
  system directory 314
  system status 218
  user auditing 127
  user profiles 117, 311, 312
workstation
  authority to sign-on 201
  limiting user to one at a time 29
  restricting access 258
  securing 201
  security officer access 29
workstation customizing object
  object authority required for commands 494
workstation entry
  job description 206
  sign on without user ID and password 16
workstation user (QUSER) user profile 319
writer
  *JOBCTL (job control) special authority 86
  object authority required for commands 494
WRKACTJOB (Work with Active Jobs) command
  object authority required 412
WRKALR (Work with Alerts) command
  object authority required 350
WRKALRD (Work with Alert Description) command
  object auditing 501
WRKALRD (Work with Alert Descriptions) command
  object authority required 350
WRKALRTBL (Work with Alert Table) command
  object auditing 501
WRKALRTBL (Work with Alert Tables) command
  object authority required 350
WRKARMJOB command
  object authority required 412
WRKASPCPYD
  authorized IBM-supplied user profiles 335
WRKASPJOB command
  object authority required 412
WRKAUT (Work with Authority Directory) command
  object authority required 403
WRKAUT (Work with Authority) command 159
  description 310
  object auditing 511, 549, 554

WRKAUTL (Work with Authorization List) command
  object auditing 502
WRKAUTL (Work with Authorization Lists) command
  description 309
  object authority required 352
WRKBNDDIR (Work with Binding Directory) command
  object auditing 502
  object authority required 353
WRKBNDDIRE (Work with Binding Directory Entry) command
  object auditing 503
  object authority required 353
WRKCFGL (Work with Configuration List) command
  object auditing 503
WRKCFGL (Work with Configuration Lists) command
  object authority required 362
WRKCFGSTS (Work with Configuration Status) command
  object auditing 510, 532, 537
  object authority required 361
WRKCHTFMT (Work with Chart Formats) command
  object authority required 354
WRKCLS (Work with Class) command
  object auditing 505
WRKCLS (Work with Classes) command
  object authority required 354
WRKCMD (Work with Command) command
  object auditing 506
WRKCMD (Work with Commands) command
  object authority required 359
WRKCMTDFN (Work with Commitment Definition) command
  object authority required 360
WRKCNNL (Work with Connection Lists) command
  object auditing 506
  object authority required 362
WRKCNNLE (Work with Connection List Entries) command
  object auditing 506
WRKCNTINF (Work with Contact Information) command
  authorized IBM-supplied user profiles 335
  object authority required 466, 476
WRKCOSD (Work with Class-of-Service Descriptions) command
  object auditing 507
  object authority required 355
WRKCRQD (Work with Change Request Description) command
  object authority required 354
WRKCRQD (Work with Change Request Descriptions) command
  object auditing 505
WRKCSI (Work with Communications Side Information) command
  object auditing 507
  object authority required 360

WRKCTLD (Work with Controller Descriptions) command
  object auditing 508
  object authority required 364
WRKDBFIDD (Work with Database Files Using IDDU) command
  object authority required 408
WRKDDMF (Work with Distributed Data Management Files) command
  object authority required 386
WRKDEVD (Work with Device Descriptions) command
  object auditing 510
  object authority required 368
WRKDEVTBL (Work with Device Tables) command
  authorized IBM-supplied user profiles 336
  object authority required 387
WRKDIRE (Work with Directory Entry) command
  object authority required 369
WRKDIRE (Work with Directory) command
  description 314
WRKDIRLOC (Work with Directory Locations) command
  object authority required 369
WRKDIRSHD (Work with Directory Shadow Systems) command
  object authority required 369
WRKDOC (Work with Documents) command
  object auditing 515
  object authority required 375
WRKDOCLIB (Work with Document Libraries) command
  object auditing 517
  object authority required 447
WRKDOCPRTQ (Work with Document Print Queue) command
  object auditing 517
  object authority required 447
WRKDPCQ (Work with DSNX/PC Distribution Queues) command
  authorized IBM-supplied user profiles 336
  object authority required 372
WRKDSKSTS (Work with Disk Status) command
  object authority required 370
WRKDSTL (Work with Distribution Lists) command
  object authority required 372
WRKDSTQ (Work with Distribution Queue) command
  authorized IBM-supplied user profiles 336
  object authority required 372
WRKDTAARA (Work with Data Areas) command
  object auditing 518
  object authority required 365
WRKDTADCT (Work with Data Dictionaries) command
  object authority required 408

WRKDTADFN (Work with Data Definitions) command
  object authority required 408
WRKDTAQ (Work with Data Queues) command
  object auditing 518
  object authority required 366
WRKEDTD (Work with Edit Descriptions) command
  object auditing 519
  object authority required 378
WRKENVVAR (Work with Environment Variable) command
  object authority required 378
WRKF (Work with Files) command
  object auditing 523
  object authority required 386
WRKFCNARA
  authorized IBM-supplied user profiles 336
WRKFCNARA (Work with Functional Areas) command
  object authority required 458
WRKFCT (Work with Forms Control Table) command
  object authority required 472
WRKFLR (Work with Folders) command
  object authority required 375
WRKFNTRSC (Work with Font Resources) command
  object auditing 524
  object authority required 349
WRKFORMDF (Work with Form Definitions) command
  object auditing 524
  object authority required 349
WRKFSTAF (Work with FFST Alert Feature) command
  object authority required 476
WRKFSTPCT (Work with FFST Probe Control Table) command
  object authority required 476
WRKFTR (Work with Filters) command
  object auditing 525
  object authority required 387
WRKFTRACNE (Work with Filter Action Entries) command
  object auditing 525
  object authority required 387
WRKFTRSLTE (Work with Filter Selection Entries) command
  object auditing 525
  object authority required 387
WRKGSS (Work with Graphics Symbol Sets) command
  object auditing 525
  object authority required 388
WRKHDWRSC (Work with Hardware Resources) command
  object authority required 468
WRKHLDOPTF (Work with Help Optical Files) command
  object authority required 451
WRKIMGCLG command
  object authority required 389
WRKIMGCLGE command
  object authority required 389

WRKIPXD command 409
WRKJOB (Work with Job) command
  object authority required 412
WRKJOBD (Work with Job Descriptions) command
  object auditing 527
  object authority required 413
WRKJOBLOG (Work with Job Logs) command
  object authority required 412
WRKJOBQ (Work with Job Queue) command
  object auditing 528
  object authority required 414
WRKJOBQD (Work with Job Queue Description) command
  object authority required 414
WRKJOBSCDE (Work with Job Schedule Entries) command
  object auditing 528
  object authority required 415
WRKJRN (Work with Journal) command
  authorized IBM-supplied user profiles 336
  object auditing 530
  object authority required 419
  using 294, 301
WRKJRNA (Work with Journal Attributes) command
  object auditing 530
  object authority required 419
  using 294, 301
WRKJRNRCV (Work with Journal Receivers) command
  object auditing 530
  object authority required 420
WRKJVMJOB command
  object authority required 410
WRKLANADPT (Work with LAN Adapters) command
  object authority required 435
WRKLIB (Work with Libraries) command
  object authority required 431
WRKLIBPDM (Work with Libraries Using PDM) command
  object authority required 351
WRKLICINF (Work with License Information) command
  authorized IBM-supplied user profiles 336
WRKLIND (Work with Line Descriptions) command
  object auditing 532
  object authority required 435
WRKLNK (Work with Links) command
  object auditing 510, 511, 548, 549, 553, 554, 556
  object authority required 404
WRKMBRPDM (Work with Members Using PDM) command
  object authority required 351
WRKMNU (Work with Menus) command
  object auditing 533
  object authority required 438
WRKMOD (Work with Module) command
  object authority required 441

WRKMOD (Work with Modules) command
  object auditing 534
WRKMODD (Work with Mode Descriptions) command
  object auditing 533
  object authority required 440
WRKMSG (Work with Messages) command
  object auditing 536
  object authority required 438
WRKMSGD (Work with Message Descriptions) command
  object auditing 534
  object authority required 439
WRKMSGF (Work with Message Files) command
  object auditing 535
  object authority required 439
WRKMSGQ (Work with Message Queues) command
  object auditing 536
  object authority required 439
WRKNAMSMTP (Work with Names for SMTP) command
  object authority required 488
WRKNETF (Work with Network Files) command
  object authority required 442
WRKNETJOBE (Work with Network Job Entries) command
  object authority required 442
WRKNETTBLE (Work with Network Table Entries) command
  object authority required 488
WRKNODL (Work with Node List) command
  object auditing 536
  object authority required 447
WRKNODLE (Work with Node List Entries) command
  object auditing 536
  object authority required 447
WRKNTBD (Work with NetBIOS Description) command
  object auditing 537
  object authority required 442
WRKNWID (Work with Network Interface Description) command
  object auditing 537
  object authority required 444
WRKNWSALS (Work with Network Server Alias) command
  object authority required 445
WRKNWSCFG command
  authorized IBM-supplied user profiles 336
  object authority required 446
WRKNWSD (Work with Network Server Description) command
  object auditing 538
  object authority required 446

WRKNWSENR (Work with Network Server User Enrollment) command
  object authority required 445
WRKNWSSSN (Work with Network Server Session) command
  object authority required 445
WRKNWSSTG (Work with Network Server Storage Space) command
  object authority required 445
WRKNWSSTS (Work with Network Server Status) command
  object authority required 445
WRKOBJ (Work with Objects) command
  description 310
  object authority required 346
WRKOBJCSP (Work with Objects for CSP/AE) command
  object auditing 508, 542
WRKOBJLCK (Work with Object Lock) command
  object auditing 500
WRKOBJLCK (Work with Object Locks) command
  object authority required 346
WRKOBJOWN (Work with Objects by Owner) command
  auditing 261
  description 310
  object auditing 500, 559
  object authority required 346
  using 163
WRKOBJPDM (Work with Objects Using PDM) command
  object authority required 351
WRKOBJPGP (Work with Objects by Primary Group) command 144, 164
  description 310
  object authority required 346
WRKOPTDIR (Work with Optical Directories) command
  object authority required 451
WRKOPTF (Work with Optical Files) command
  object authority required 451
WRKOPTVOL (Work with Optical Volumes) command
  object authority required 451
WRKOUTQ (Work with Output Queue) command
  object auditing 539
  object authority required 452
WRKOUTQD (Work with Output Queue Description) command
  object auditing 539
  object authority required 452
  security parameters 211
WRKOVL (Work with Overlays) command
  object auditing 539
  object authority required 349
WRKPAGDFN (Work with Page Definitions) command
  object auditing 540
  object authority required 349

WRKPAGSEG (Work with Page Segments) command
  object auditing 540
  object authority required 350
WRKPCLTBLE (Work with Protocol Table Entries) command
  object authority required 488
WRKPDG (Work with Print Descriptor Group) command
  object auditing 540
WRKPEXDFN command
  authorized IBM-supplied user profiles 336
WRKPEXFTR command
  authorized IBM-supplied user profiles 336
WRKPFCST (Work with Physical File Constraints) command
  object auditing 523
  object authority required 386
WRKPGM (Work with Programs) command
  object auditing 542
  object authority required 463
WRKPGMTBL (Work with Program Tables) command
  authorized IBM-supplied user profiles 336
  object authority required 387
WRKPNLGRP (Work with Panel Groups) command
  object auditing 542
  object authority required 438
WRKPRB (Work with Problem) command
  authorized IBM-supplied user profiles 336
  object authority required 460, 476
WRKPTFGRP (Work with Program Temporary Fix Groups) 336
WRKPTFGRP (Work with PTF Group) command
  object authority required 476
WRKPTFORD 336
WRKQMFORM (Work with Query Management Form) command
  object auditing 544
  object authority required 465
WRKQMQRY (Work with Query Management Query) command
  object authority required 465
WRKQRY (Work with Query) command
  object authority required 465
WRKQST (Work with Questions) command
  object authority required 466
WRKRDBDIRE (Work with Relational Database Directory Entries) command
  object authority required 468
WRKREGINF (Work with Registration Information) command
  object auditing 520
WRKREGINF (Work with Registration) command
  object authority required 467
WRKRJESSN (Work with RJE Session) command
  object authority required 472

WRKRPYLE (Work with System Reply List Entries) command
  object auditing 546
  object authority required 484
WRKS36PGMA (Work with System/36 Program Attributes) command
  object auditing 541
  object authority required 486
WRKS36PRCA (Work with System/36 Procedure Attributes) command
  object auditing 523
  object authority required 486
WRKS36SRCA (Work with System/36 Source Attributes) command
  object auditing 523
  object authority required 486
WRKSBMJOB (Work with Submitted Jobs) command
  object authority required 412
WRKSBS (Work with Subsystems) command
  object auditing 547
  object authority required 482
WRKSBSD (Work with Subsystem Descriptions) command
  object auditing 547
  object authority required 482
WRKSBSJOB (Work with Subsystem Jobs) command
  object auditing 547
  object authority required 412
WRKSCHIDX (Work with Search Indexes) command
  object auditing 548
  object authority required 409
WRKSCHIDXE (Work with Search Index Entries) command
  object auditing 547
  object authority required 409
WRKSHRPOOL (Work with Shared Storage Pools) command
  object authority required 483
WRKSOC (Work with Sphere of Control) command
  object authority required 478
WRKSPADCT (Work with Spelling Aid Dictionaries) command
  object authority required 478
WRKSPLF (Work with Spooled Files) command 211
  object auditing 539
  object authority required 480
WRKSPLFA (Work with Spooled File Attributes) command
  object auditing 539
WRKSPTPRD (Work with Supported Products) command
  object auditing 542, 543
WRKSRVPGM (Work with Service Programs) command
  object auditing 553
  object authority required 463
WRKSRVPVD (Work with Service Providers) command
  authorized IBM-supplied user profiles 336
  object authority required 476

WRKSRVTBLE (Work with Service Table Entries) command
  object authority required 488
WRKSSND (Work with Session Description) command
  object authority required 472
WRKSYSACT
  authorized IBM-supplied user profiles 336
WRKSYSACT (Work with System Activity) command
  object authority required 458
WRKSYSSTS (Work with System Status) command 218
  object authority required 483
WRKSYSVAL (Work with System Values) command
  object authority required 484
  using 258
WRKTAPCTG (Work with Tape Cartridge) command
  object authority required 436
WRKTBL (Work with Tables) command
  object auditing 557
  object authority required 487
WRKTCPSTS (Work with TCP/IP Network Status) command
  object authority required 488
WRKTIMZON command 489
WRKTRC command
  authorized IBM-supplied user profiles 336
WRKTXTIDX (Work with Text Index) command
  authorized IBM-supplied user profiles 336
WRKUSRJOB (Work with User Jobs) command
  object authority required 412
WRKUSRPRF (Work with User Profiles) command
  description 311
  object auditing 559
  object authority required 492
  using 117
WRKUSRTBL (Work with User Tables) command
  authorized IBM-supplied user profiles 336
  object authority required 387
WRKWCH command
  authorized IBM-supplied user profiles 336
WRKWTR (Work with Writers) command
  object authority required 495

X

X0 (Kerberos authentication) file layout 689

Y

YC (change to DLO object) file layout 696
YR (read of DLO object) file layout 697

Z

ZC (change to object) file layout 698
ZR (read of object) file layout 701

Printed in USA

SC41-5302-11
