AS400 Security Manual
iSeries
Security Reference
Version 5
SC41-5302-05
Note
Before using this information and the product it supports, be sure to read the information in
“Appendix H. Notices” on page 583.
Contents

Appendix C. Commands Shipped with Public Authority *Exclude . . . 287

Appendix D. Authority Required for Objects Used by Commands . . . 297
Assumptions . . . 299
General Rules for Object Authorities on Commands . . . 299
Commands Common for Most Objects . . . 301
Authorities Needed . . . 306
Access Path Recovery Commands . . . 306
Advanced Function Printing™ Commands . . . 307
AF_INET Sockets Over SNA Commands . . . 308
Alerts . . . 308
Application Development Commands . . . 309
Authority Holder Commands . . . 310
Authorization List Commands . . . 310
Binding Directory Commands . . . 311
Change Request Description Commands . . . 312
Chart Commands . . . 312
Class Commands . . . 313
Class-of-Service Commands . . . 313
Command (*CMD) Commands . . . 313
Commitment Control Commands . . . 314
Communications Side Information Commands . . . 314
Configuration Commands . . . 315
Configuration List Commands . . . 316
Connection List Commands . . . 316
Controller Description Commands . . . 316
Cryptography Commands . . . 318
Data Area Commands . . . 319
Data Queue Commands . . . 320
Device Description Commands . . . 320
Device Emulation Commands . . . 322
Directory and Directory Shadowing Commands . . . 323
Disk Commands . . . 323
Display Station Pass-Through Commands . . . 323
Distribution Commands . . . 324
Distribution List Commands . . . 325
Document Library Object Commands . . . 325
Double-Byte Character Set Commands . . . 328
Edit Description Commands . . . 329
Environment Variable Commands . . . 329
Extended Wireless LAN Configuration Commands . . . 329
File Commands . . . 330
Filter Commands . . . 337
Finance Commands . . . 338
OS/400 Graphical Operations . . . 338
Graphics Symbol Set Commands . . . 339
Host Server Commands . . . 339
Integrated File System Commands . . . 339
Interactive Data Definition Commands . . . 354
Internetwork Packet Exchange (IPX) Commands . . . 355
Information Search Index Commands . . . 356
IPL Attribute Commands . . . 356
Job Commands . . . 357
Job Description Commands . . . 359
Job Queue Commands . . . 360
Job Schedule Commands . . . 361
Journal Commands . . . 361
Journal Receiver Commands . . . 364
Language Commands . . . 365
Library Commands . . . 371
License Key Commands . . . 375
Licensed Program Commands . . . 375
Line Description Commands . . . 376
Local Area Network (LAN) Commands . . . 378
Locale Commands . . . 378
Mail Server Framework Commands . . . 378
Media Commands . . . 379
Menu and Panel Group Commands . . . 380
Message Commands . . . 381
Message Description Commands . . . 381
Message File Commands . . . 382
Message Queue Commands . . . 382
Migration Commands . . . 382
Mode Description Commands . . . 383
Module Commands . . . 383
NetBIOS Description Commands . . . 384
Network Commands . . . 384
Network File System Commands . . . 385
Network Interface Description Commands . . . 386
Network Server Commands . . . 387
Network Server Description Commands . . . 388
Node List Commands . . . 388
Office Services Commands . . . 388
Online Education Commands . . . 389
Operational Assistant Commands . . . 389
Optical Commands . . . 390
Output Queue Commands . . . 392
Package Commands . . . 393
Performance Commands . . . 393
Print Descriptor Group Commands . . . 398
Print Services Facility™ Configuration Commands . . . 398
Problem Commands . . . 399
Program Commands . . . 400
Query Commands . . . 403
QSH Shell Interpreter Commands . . . 404
Question and Answer Commands . . . 405
Reader Commands . . . 405
Registration Facility Commands . . . 406
Relational Database Commands . . . 406
Resource Commands . . . 406
RJE (Remote Job Entry) Commands . . . 407
Security Attributes Commands . . . 411
Server Authentication Entry Commands . . . 411
Service Commands . . . 411
Spelling Aid Dictionary Commands . . . 414
Sphere of Control Commands . . . 415
Spooled File Commands . . . 415
Subsystem Description Commands . . . 416
System Commands . . . 418
System Reply List Commands . . . 419
System Value Commands . . . 419
System/36 Environment Commands . . . 419
Table Commands . . . 421
TCP/IP Commands . . . 422
Upgrade Order Information Data Commands . . . 423
User Index, User Queue, User Space Commands . . . 424
User Profile Commands . . . 424
viii OS/400 Security Reference V5R1
Figures

1. Types of iSeries Displays . . . xvi
2. Validation Checking and System Action When Restoring a Program . . . 17
3. How User Profiles Are Created . . . 54
4. Password Expiration Message . . . 59
5. Determining the Special Environment . . . 71
6. Sign-On Information Display . . . 72
7. Assistance Level for User Profile Displays . . . 94
8. Display Object Authority display showing F16=Display field authorities. This function key will be displayed when a database file has field authorities. . . . 117
9. Display Field Authority display. When F17=Position to, is pressed the Position the List prompt will be displayed. If F16 is pressed, the previous position to operation will be repeated . . . 117
10. Example of an Authorization List (Conceptual Representation) . . . 119
11. New Object Example: Public Authority from Library, Group Given Private Authority . . . 125
12. New Object Example: Public Authority from System Value, Group Given Private Authority . . . 126
13. New Object Example: Public Authority from Library, Group Given Primary Group Authority . . . 127
14. New Object Example: Public Authority Specified, Group Owns Object . . . 128
15. Adopted Authority and the CALL Command . . . 129
16. Adopted Authority and the TFRCTL Command . . . 130
17. Display Object Authority Display . . . 134
18. Flowchart 1: Main Authority Checking Process . . . 150
19. Flowchart 2: Fast Path for Object Authority . . . 152
20. Flowchart 3: Check User Authority . . . 153
21. Flowchart 4: Owner Authority Checking . . . 154
22. Flowchart 5: Fast Path for User Authority . . . 155
23. Flowchart 6: Group Authority Checking . . . 158
24. Flowchart 7: Check Public Authority . . . 159
25. Flowchart 8A: Checking Adopted Authority User *ALLOBJ and Owner . . . 160
26. Flowchart 8B: Checking Adopted Authority Using Private Authorities . . . 161
27. Authority for the PRICES File . . . 162
28. Authority for the CREDIT File . . . 163
29. Display Object Authority . . . 167
30. Authority for the ARWRK01 File . . . 168
31. Authority for the ARLST1 Authorization List . . . 168
32. Authority for the CRLIM File . . . 169
33. Authority for CRLIMWRK File . . . 170
34. Authority for the CRLST1 Authorization List . . . 170
35. Authority Checking for Workstations . . . 178
36. Library List–Expected Environment . . . 184
37. Library List–Actual Environment . . . 184
38. Example Applications . . . 196
39. Program to Replace and Restore Library List . . . 203
40. Format for Describing Library Security . . . 204
41. Sample Inquiry Menu . . . 205
42. Sample Initial Menu . . . 206
43. Sample Initial Application Program . . . 206
44. Sample Program for Query with Adopted Authority . . . 206
45. Sample Application Menu with Query . . . 208
46. Format for Menu Security Requirements . . . 209
47. Using a Logical File for Security . . . 212
48. Viewing QAUDJRN Information . . . 241
About Security - Reference (SC41-5302)
This book provides information about planning, setting up, managing, and
auditing security on your iSeries 400 system. It describes all the features of security
on the system and discusses how security features relate to other aspects of the
system, such as work management, backup and recovery, and application design.
This book does not provide complete operational instructions for setting up
security on your system. For a step-by-step example of setting up security, consult
the iSeries Information Center (see “Prerequisite and related information” on
page xvi) and the Tips and Tools for Securing Your iSeries, SC41-5300-07 book.
Information on planning and setting up Basic System Security and Planning can
also be found in the Information Center (see “Prerequisite and related information”
on page xvi).
This book does not provide complete information about planning for Lotus®
Domino™ users. For Lotus Domino users, see the URL
http://notes.net/notesua.nsf. This Web site provides information on Lotus Notes™,
Domino, and Domino for AS/400®. From this web site, you can download
information in Domino database (.NSF) and Adobe Acrobat (.PDF) format, search
databases, and find out how to obtain printed manuals.
This book does not contain complete information about the application
programming interfaces (APIs) that are available to access security information.
APIs are described in System API Programming, SC41-5800-00. This book does not
contain information about the Internet. For information about considerations when
you connect your system to the Internet see these books: IBM® SecureWay®: iSeries
and the Internet, G325-6321-00 or Tips and Tools for Securing Your iSeries.
“Chapter 9. Auditing Security on the iSeries System” on page 235 is intended for
anyone who wants to perform a security audit of the system.
This book assumes you are familiar with entering commands on the system. To use
some of the examples in this book, you need to know how to:
• Edit and create a control language (CL) program.
• Use a query tool, such as the Query/400 licensed program.
The information in the following chapters can help the application programmer
and systems programmers understand the relationship between security and
application and system design:
“Chapter 5. Resource Security” on page 111
“Chapter 6. Work Management Security” on page 175
“Chapter 7. Designing Security” on page 195
“Chapter 8. Backup and Recovery of Security Information” on page 223
Figure 1. Types of iSeries Displays
For more information on using Operations Navigator, refer to the iSeries
Information Center (see “Prerequisite and related information”).
The iSeries Information Center contains advisors and important topics such as CL
commands, system application programming interfaces (APIs), logical partitions,
clustering, Java™, TCP/IP, Web serving, and secured networks. It also includes
With every new hardware order, you receive the following CD-ROM information:
• iSeries 400 Installation and Service Library, SK3T-4096-00. This CD-ROM contains
PDF manuals needed for installation and system maintenance of an IBM
iSeries server.
• iSeries 400 Setup and Operations CD-ROM, SK3T-4098-00. This CD-ROM contains
IBM iSeries Client Access Express for Windows and the EZ-Setup wizard. Client
Access Express offers a powerful set of client and server capabilities for
connecting PCs to iSeries servers. The EZ-Setup wizard automates many of the
iSeries setup tasks.
Operations Navigator
IBM iSeries 400 Operations Navigator is a powerful graphical interface for
managing your iSeries and AS/400e™ servers. Operations Navigator functionality
includes system navigation, configuration, planning capabilities, and online help to
guide you through your tasks. Operations Navigator makes operation and
administration of the server easier and more productive and is the only user
interface to the new, advanced features of the OS/400 operating system. It also
includes Management Central for managing multiple servers from a central server.
For more information on Operations Navigator, see the iSeries Information Center.
Changed:
• Verify Object on Restore (QVFYOBJRST) system value. This system value
determines whether software-related objects are required to have digital
signatures in order to be restored to your system. See “Verify Object on Restore
(QVFYOBJRST)” on page 36.
• Share Memory Control (QSHRMEMCTL) system value. This system value
defines which users are allowed to use shared memory or mapped memory that
has write capability. See “Share Memory Control (QSHRMEMCTL)” on page 32.
Important reminders:
• Remember to change Dedicated Service Tools (DST) default passwords
immediately to prevent security exposure on your system. See “Changing User
IDs and Passwords for Dedicated Service Tools (DST) Users” on page 107 for
details.
• Do not assign all (or nearly all) objects to only one owner profile.
Profiles that own many objects with many private authorities can become very
large. To prevent impacts to either performance or system operations, distribute
ownership of objects to multiple profiles.
• Avoid having applications owned by IBM-supplied user profiles, such as
QSECOFR or QPGMR.
These profiles can become difficult to manage because they own a large number
of IBM-supplied objects.
Security on the iSeries system is flexible enough to meet the requirements of this
wide range of users and situations. You need to understand the features and
options available so that you can adapt them to your own security requirements.
This chapter provides an overview of the security features on the system.
Confidentiality:
• Protecting against disclosing information to unauthorized people.
• Restricting access to confidential information.
• Protecting against curious system users and outsiders.
Integrity:
• Protecting against unauthorized changes to data.
• Restricting manipulation of data to authorized programs.
• Providing assurance that data is trustworthy.
Availability:
• Preventing accidental changes or destruction of data.
• Protecting against attempts by outsiders to abuse or destroy system resources.
The best security system functions cannot produce good results without good
planning. Security that is set up in small pieces, without planning, can be
confusing. It is difficult to maintain and to audit. Planning does not imply
designing the security for every file, program, and device in advance. It does
imply establishing an overall approach to security on the system and
communicating that approach to application designers, programmers, and system
users.
As you plan security on your system and decide how much security you need,
consider these questions:
• Is there a company policy or standard that requires a certain level of security?
• Do the company auditors require some level of security?
• How important is your system and the data on it to your business?
• How important is the error protection provided by the security features?
• What are your company security requirements for the future?
Physical Security
Physical security includes protecting the system unit, system devices, and backup
media from accidental or deliberate damage. Most measures you take to ensure the
physical security of your system are external to the system. However, the system is
equipped with a keylock that prevents unauthorized functions at the system unit.
Keylock Security
The keylock on the 940x control panel controls access to various system control
panel functions. The keylock position can be retrieved and changed under program
control by using either of the following:
• Retrieve IPL Attributes (QWCRIPLA) API
• Change IPL Attributes (CHGIPLA) command
This allows the remote user access to additional functions available at the control
panel. For example, it controls where the machine will IPL from and to what
environment, either OS/400 or Dedicated Service Tools (DST).
The OS/400 system value QRMTSRVATR controls this remote access. It is
shipped set to off, which does not allow the keylock to be overridden. The
system value can be changed to allow remote access, but changing it requires
*SECADM and *ALLOBJ special authorities.
Security Level
You can choose how much security you want the system to enforce by setting the
security level (QSECURITY) system value. The system offers five levels of security:
Level 10:
Level 10 is no longer supported. See “Chapter 2. Using System Security
(QSecurity) System Values” on page 7 for information about security levels
(10, 20, 30, 40, and 50).
Level 20:
The system requires a user ID and password for sign-on. All users are
given access to all objects.
Level 30:
The system requires a user ID and password for sign-on. The security of
resources is enforced.
Level 40:
The system requires a user ID and password for sign-on. The security of
resources is enforced. Additional integrity protection features are also
enforced.
The system security levels are described in “Chapter 2. Using System Security
(QSecurity) System Values” on page 7.
System Values
System values allow you to customize many characteristics of your system. A
group of system values are used to define system-wide security settings. For
example, you can specify:
• How many sign-on attempts you allow at a device.
• Whether the system automatically signs off an inactive workstation.
• How often passwords need to be changed.
• The length and composition of passwords.
The system values that relate to security are described in “Chapter 3. Security
System Values” on page 23.
Signing
A key component of security is integrity: being able to trust that objects on the
system have not been tampered with or altered. Your operating system software is
protected by digital signatures, and now you can reinforce integrity by signing
software objects which you rely on (for more information on using signing to
protect your system, see Tips and Tools for Securing Your iSeries). This is particularly
important if the object has been transmitted across the internet or stored on media
which you feel might have been modified. The digital signature can be used to
detect if the object has been altered.
Digital signatures, and their use for verification of software integrity, can be
managed according to your security policies using the Verify Object Restore
(QVFYOBJRST) system value, the Check Object Integrity (CHKOBJITG) command,
and the Digital Certificate Manager tool. Additionally, you can choose to sign your
own programs (all licensed programs shipped with the iSeries are signed). DCM is
described in the Information Center (see “Prerequisite and related information” on
page xvi for details).
User Profiles
Every system user has a user profile. At security level 10, the system automatically
creates a profile when a user first signs on. At higher security levels, you must
create a user profile before a user can sign on.
The user profile is a powerful and flexible tool. It controls what the user can do
and customizes the way the system appears to the user. Following are descriptions
of a few important security features of the user profile:
Group Profiles
A group profile is a special type of user profile. You can use a group profile to
define authority for a group of users, rather than giving authority to each user
individually. A group profile can own objects on the system. You can also use a
group profile as a pattern when creating individual user profiles by using the copy
profile function.
“Planning Group Profiles” on page 216 discusses using group authority. “Group
Ownership of Objects” on page 122 discusses what objects should be owned by
group profiles. “Primary Group for an Object” on page 123 discusses using primary
group and primary group authority for an object. “Copying User Profiles” on
page 97 describes how to copy a group profile to create an individual user profile.
Resource Security
Resource security on the system allows you to define who can use objects and how
those objects can be used. The ability to access an object is called authority. You
can specify detailed authorities, such as adding records or changing records. Or
you can use the system-defined subsets of authorities: *ALL, *CHANGE, *USE, and
*EXCLUDE.
Files, programs, and libraries are the most common objects requiring security
protection, but you can specify authority for any object on the system. Following
are descriptions of the features of resource security:
Group profiles
A group of similar users can share the same authority to use objects.
Authorization lists
Objects with similar security needs can be grouped on one list; authority
can be granted to the list rather than to the individual objects.
Object ownership
Every object on the system has an owner. Objects can be owned by an
individual user profile or by a group profile. Proper assignment of object
ownership helps you manage applications and delegate responsibility for
the security of your information.
Primary group
You can specify a primary group for an object. The primary group’s
C2 Security
By using security level 50 and following the instructions in the Security - Enabling
for C2, SC41-5303-00, you can bring a Version 4 Release 4 AS/400 system to a C2
level of security. C2 is a security standard defined by the U.S. government in the
Department of Defense Trusted System Evaluation Criteria (DoD 5200.28.STD).
To achieve a C2 rating, a system must meet strict criteria in the following areas:
• Discretionary access control
• User accountability
• Security auditing
• Resource isolation
Overview:
Purpose: Specify the level of security to be enforced on the system.
How To: WRKSYSVAL *SEC (Work with System Values command) or Menu SETUP, option 1 (Change System Options)
Authority: *ALLOBJ and *SECADM
Journal Entry: SV
Notes: Before changing the level on a production system, read the appropriate section on migrating from one level to another.
Attention: Beginning in Version 4 Release 3, you cannot set the system value
QSECURITY to security level 10.
Your system is shipped at level 40, which provides sign-on and resource security
and provides integrity protection. For more information, see “Security Level 40” on
page 11.
If you want to change the security level, use the Work with System Values
(WRKSYSVAL) command. The minimum security level you should use is 30.
However, level 40 or higher is recommended. The change takes effect the next time
you perform an initial program load (IPL). Table 1 compares the levels of security
on the system:
Table 1. Security Levels: Function Comparison
Function          Level 20   Level 30   Level 40   Level 50

The system security level determines what the default special authorities are for
each user class. When you create a user profile, you can select special authorities
based on the user class. Special authorities are also added and removed from user
profiles when you change security levels.

Special Authority   *SECOFR   *SECADM    *PGMR      *SYSOPR    *USER
*ALLOBJ             All       10 or 20   10 or 20   10 or 20   10 or 20
*AUDIT              All
*IOSYSCFG           All
*JOBCTL             All       10 or 20   10 or 20   All
*SAVSYS             All       10 or 20   10 or 20   All        10 or 20
*SECADM             All       All
*SERVICE            All
*SPLCTL             All
Note: The topics “User Class” on page 60 and “Special Authority” on page 65
provide more information about user classes and special authorities.
Recommendations:
Also, at security level 30 (or below), users are able to call system interfaces that
swap to QSECOFR user profile or allow users access to resources that they would
not normally be allowed to access. At security level 40, users are not allowed to
directly call these interfaces; therefore, security level 40 or higher is strongly
recommended.
Security level 50 is intended for systems with very high security requirements. If
you run your system at security level 50, you may notice some performance
impact because of the additional checking the system performs.
Even if you want to give all users access to all information, consider running your
system at security level 30. You can use the public authority capability to give
users access to information. Using security level 30 from the beginning gives you
the flexibility of securing a few critical resources when you need to without having
to test all your applications again.
Security Level 10
At security level 10, you have no security protection; therefore, security level 10 is
not recommended by IBM. Beginning in Version 4 Release 3, you cannot set your
security level to 10. If your system is currently at level 10, your system will remain
at level 10 when you install Version 4 Release 3. If you change the system level to
some other value, you cannot change it back to level 10.
The system performs authority checking at all levels of security. Because all user
profiles created at security level 10 are given *ALLOBJ special authority, users
successfully pass every authority check and have access to all resources. If you
want to test the effect of moving to a higher security level, you can remove
*ALLOBJ special authority from user profiles and grant those profiles the authority
to use specific resources. However, this does not give you any security protection.
Anyone can sign on with a new user ID, and a new profile is created with
*ALLOBJ special authority. You cannot prevent this at security level 10.
Security Level 20
Level 20 provides the following security functions:
• Both user ID and password are required to sign on.
• Only a security officer or someone with *SECADM special authority can create
user profiles.
• The limit capabilities value specified in the user profile is enforced.
All profiles are created with *ALLOBJ special authority at security level 20 by
default. Therefore, security level 20 is not recommended by IBM.
Attention: When you change to level 20 from a higher security level, the system
adds *ALLOBJ special authority to every user profile. This allows users to view,
change, or delete any object on the system.
If your system has been running applications at a lower security level, you should
set up and test resource security before changing to security level 30. Following is
a recommended list of activities:
• For each application, set the appropriate authorities for application objects.
• Test each application using either actual user profiles or special test user profiles:
– Remove *ALLOBJ special authority from the user profiles used for testing.
– Grant appropriate application authorities to the user profiles.
– Run the application using the user profiles.
– Check for authority failures either by looking for error messages or by using
the security audit journal.
• When all applications run successfully with test profiles, grant the appropriate
authorities for application objects to all production user profiles.
• If the QLMTSECOFR (limit security officer) system value is 1 (Yes), users with
*ALLOBJ or *SERVICE special authority must be specifically authorized to
devices at security level 30 or higher. Give these users *CHANGE authority to
selected devices, give QSECOFR *CHANGE authority to the devices, or change
the QLMTSECOFR system value to 0.
• Change the security level on your system and perform an initial program load
(IPL).
Note: See the topic “Defining How Information Can Be Accessed” on page 112 for
more information about object authorities.
Security Level 40
Security level 40 prevents potential integrity or security risks from programs that
could circumvent security in special cases. Security level 50 provides enhanced
integrity protection for installations with strict security requirements. Table 3 on
page 12 compares how security functions are supported at levels 30, 40, and 50.
These functions are explained in more detail in the sections that follow.
If you use the auditing function at lower security levels, the system logs journal
entries for most of the actions shown in Table 3, except those detected by the
enhanced hardware protection function. You receive warnings in the form of
journal entries for potential integrity violations. At level 40 and higher, integrity
violations cause the system to fail the attempted operation.
The system uses the domain attribute of an object and the state attribute of a
program to enforce this protection:
• Domain:
Every object belongs to either the *SYSTEM domain or the *USER domain.
*SYSTEM domain objects can be accessed only by *SYSTEM state programs or
by *INHERIT state programs that are called by *SYSTEM state programs.
You can display the domain of an object by using the Display Object Description
(DSPOBJD) command and specifying DETAIL(*FULL). You can also use the
following commands:
– Display Program (DSPPGM) to display the domain of a program
– Display Service Program (DSPSRVPGM) to display the domain of a service
program
• State:
Programs are either *SYSTEM state, *INHERIT state, or *USER state. The *USER
state programs can directly access only *USER domain objects. Objects that are
*SYSTEM domain can be accessed using the appropriate command or
application programming interface (API). The *SYSTEM and *INHERIT states are
reserved for IBM-supplied programs.
You can display the state of a program using the Display Program (DSPPGM)
command. You can display the state of a service program using the Display
Service Program (DSPSRVPGM) command.
A domain or state violation causes the operation to fail at security level 40 and
higher. At all security levels, an AF type entry is written to the audit journal if the
auditing function is active.
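The domain and state rules above, written out as a small Python model so the interaction between program state, object domain, QSECURITY and the audit journal can be traced step by step. This is an added example, not code from the manual: the object and program names are constructed, and the AuditJournal class is a stand-in for QAUDJRN that records only the entry type and a reason.

```python
"""Model of the OS/400 domain/state integrity check described in the text.

Rules implemented (all taken from the manual text above):
  * every object is in the *SYSTEM or *USER domain;
  * a program runs in *SYSTEM, *INHERIT or *USER state, where *INHERIT takes
    the state of its caller;
  * a *SYSTEM domain object may be touched only by a program whose effective
    state is *SYSTEM; *USER domain objects are open to every state;
  * a violation fails the operation at QSECURITY 40 and higher, while at lower
    levels the operation proceeds and the journal entry is only a warning;
  * whenever auditing is active, an AF entry is written regardless of level.
"""
from dataclasses import dataclass, field
from typing import List, Tuple

SYSTEM, INHERIT, USER = "*SYSTEM", "*INHERIT", "*USER"


@dataclass
class Program:
    name: str
    state: str  # *SYSTEM, *INHERIT or *USER


@dataclass
class Obj:
    name: str
    domain: str  # *SYSTEM or *USER


@dataclass
class AuditJournal:
    """Stand-in for QAUDJRN (constructed); real entries carry many more fields."""
    active: bool
    entries: List[Tuple[str, str, str, str]] = field(default_factory=list)

    def write_af(self, program: str, obj: str, reason: str) -> None:
        if self.active:
            self.entries.append(("AF", program, obj, reason))


def effective_state(call_stack: List[Program]) -> str:
    """Resolve *INHERIT by walking back to the nearest non-inheriting caller.

    If every program on the stack inherits (no real caller), treat the state
    as *USER: the text grants *SYSTEM access to an *INHERIT program only when
    it is called by a *SYSTEM state program.
    """
    for prog in reversed(call_stack):
        if prog.state != INHERIT:
            return prog.state
    return USER


def access(call_stack: List[Program], obj: Obj, qsecurity: int,
           journal: AuditJournal) -> bool:
    """Return True if the access is allowed to proceed.

    A domain/state violation is audited at every level; whether it also fails
    the operation depends on QSECURITY.
    """
    if obj.domain == USER:
        return True                  # *USER domain: every program state may access
    if effective_state(call_stack) == SYSTEM:
        return True                  # *SYSTEM domain reached from *SYSTEM state
    caller = call_stack[-1].name if call_stack else "<none>"
    journal.write_af(caller, obj.name, "domain/state violation")
    # Below level 40 the entry is only a warning and the operation continues;
    # from level 40 on the operation fails.
    return qsecurity < 40


def demo(qsecurity: int) -> Tuple[List[bool], int]:
    """Run three constructed scenarios; return the verdicts and the AF count."""
    journal = AuditJournal(active=True)
    sysobj = Obj("QSYSOBJ", SYSTEM)          # constructed names, not real objects
    usrobj = Obj("PAYROLL", USER)
    ibm = Program("QSYSPGM", SYSTEM)
    helper = Program("QHELPER", INHERIT)
    app = Program("APPPGM", USER)
    results = [
        access([ibm, helper], sysobj, qsecurity, journal),  # inherits *SYSTEM: ok
        access([app, helper], sysobj, qsecurity, journal),  # inherits *USER: violation
        access([app], usrobj, qsecurity, journal),          # *USER domain: ok
    ]
    return results, len(journal.entries)


if __name__ == "__main__":
    for level in (30, 40):
        verdicts, af_count = demo(level)
        print(f"QSECURITY {level}: allowed={verdicts} AF entries={af_count}")
```

Running it shows the point of the section: the violation in the second scenario produces an AF entry at both levels, but only at level 40 does the access itself fail.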
Journal Entry:
If the auditing function is active and the QAUDLVL system value includes
*PGMFAIL, an authority failure (AF) entry, violation type D, is written to the
QAUDJRN journal when an attempt is made to use an unsupported interface.
Journal Entry:
If the auditing function is active and the QAUDLVL system value includes
*AUTFAIL, an AF entry, violation type J, is written to the QAUDJRN journal when
a user submits a job and is not authorized to the user profile in a job description.
Journal Entry:
If the auditing function is active and the QAUDLVL system value includes
*PGMFAIL, an AF entry, violation type R, is written to the QAUDJRN journal
when a program attempts to write to an area of disk protected by the enhanced
hardware storage protection feature. This support is available only at security level
40 and higher.
If the validation values do not match, the actions taken by the system are
determined by the security level and by the ALWOBJDIF parameter on the Restore
Object (RSTOBJ) command. The system actions may be:
• Try to create the program again.
• Log an entry in the audit journal.
• Send a message to the job log.
• Change ownership of the restored program to QDFTOWN.
• Revoke authority to the restored program.
Note: Programs that are created for iSeries Version 5 Release 1 or later contain
information that allows the program to be re-created at restore time if
necessary. The information needed to re-create the program remains with the
program even when the observability of the program is removed. If a
program validation error is determined to exist at the time the program is
restored, the program will be re-created in order to correct the program
validation error. The action of re-creating the program at restore time is not
new to iSeries Version 5 Release 1. In previous releases, any program
validation error that was encountered at restore time resulted in the
program being re-created if possible (if observability existed in the program
being restored). The difference with iSeries Version 5 Release 1 or later
programs is that the information needed to re-create the program remains
even when observability was removed from the program. Thus, any Version
5 Release 1 or later program for which a validation failure is detected is
re-created during restore, and the alteration that caused the validation failure
is removed.
Figure 2 on page 17 shows the procedure used by the system to determine what
action to take when a CISC program is restored to a CISC system or a RISC
program is restored to a RISC system. On the figure, the process of re-creating the
program is called translation, which means creating the object code again from the
observable information that is stored with the object code. The program source is
not required for translation. On the figure, Version 1 Release 3 is abbreviated as
V1R3.
For programs created prior to Version 1 Release 3, you can use the Change
Program (CHGPGM) command with the Force Create (FRCCRT) parameter to have
the system create a validation value. This improves restore performance after
migrating to security level 40 or higher.
You can use the Force Object Conversion (FRCOBJCVN) parameter on the Restore
Object (RSTOBJ) command to force translation during the restore. If the observable
information of the program is available, the program is translated and restored.
There are no messages, no audit entries in QAUDJRN, and no changes in
ownership or authorities when the program is translated and restored.
Note: Restore program libraries as part of your application test. Check the
audit journal for validation failures.
5. Based on the entries in the audit journal, take steps to correct your applications
and prevent program failures.
6. Change the QSECURITY system value to 40 and perform an IPL.
You can change from security level 40 to level 30 without jeopardizing your
resource security. No changes are made to special authorities in user profiles when
you move from level 40 to level 30. After you have tested your applications and
resolved any errors in the audit journal, you can move back to level 40.
Attention: If you move from level 40 to level 20, some special authorities are
added to all user profiles. (See Table 2 on page 9.) This removes resource security
protection.
These security functions are included for security level 50. They are described in
the topics that follow:
v Restricting user domain object types (*USRSPC, *USRIDX, and *USRQ)
v Validating parameters
v Restricting message handling between user and system state programs
v Preventing modification of internal control blocks
v Making the QTEMP library a temporary object
Note: Objects of type *PGM, *SRVPGM and *SQLPKG can also be in the user
domain. Their contents cannot be manipulated directly, and they are not
affected by the restrictions.
When you run your system at security level 50, the system specifically checks
every parameter passed between a user state program and a system state program
in the user domain. This is required for your system to separate the system and
user domain and to meet the requirements of a C2 level of security. You may
notice some performance impact because of this additional checking.
Note: The user state program sending the exception message does not have
to be the program called by the system state program. For example, in
this program stack, an exception message can be sent to Program A by
Program B, C, or D:
v When a user state program receives a message from an external source (*EXT),
any pointers in the message replacement text are removed.
At security level 50, no system internal control blocks can be modified. This
includes the open data path (ODP), the spaces for CL commands and programs,
and the S/36 environment job control block.
If you are currently running your system at security level 30, complete the steps
described in “Changing to Security Level 40” on page 17 to prepare for changing to
security level 50.
If you are currently running your system at security level 30 or 40, do the
following to prepare for security level 50:
v Evaluate setting the QALWUSRDMN system value. Controlling user domain
objects is important to system integrity. See “Restricting User Domain Objects”
on page 19.
v Recompile any COBOL programs that assign the device in the SELECT clause to
WORKSTATION if the COBOL programs were compiled using a pre-V2R3
compiler.
v Recompile any S/36 environment COBOL programs that were compiled using a
pre-V2R3 compiler.
v Recompile any RPG/400 or System/38™ environment RPG programs that use
display files if they were compiled using a pre-V2R2 compiler.
You can go directly from security level 30 to security level 50. Running at security
level 40 as an intermediate step does not provide significant benefits for testing.
If you are currently running at security level 40, you can change to security level
50 without extra testing. Security level 50 cannot be tested in advance. The
additional integrity protection that is enforced at security level 50 does not produce
error messages or journal entries at lower security levels.
You can change from security level 50 to level 30 or 40 without jeopardizing your
resource security. No changes are made to special authorities in user profiles when
you move from level 50 to level 30 or 40. After you have tested your applications
and resolved any errors in the audit journal, you can move back to level 50.
Attention: If you move from level 50 to level 20, some special authorities are
added to all user profiles. This removes resource security protection. (See Table 2
on page 9.)
Following are the general system values that control security on your system:
QALWOBJRST
Allow object restore option
QALWUSRDMN
Allow user domain objects in the libraries
QCRTAUT
Create default public authority
QDSPSGNINF
Display sign-on information
QINACTITV
Inactive job time-out interval
QINACTMSGQ
Inactive job message queue
QLMTDEVSSN
Limit device sessions
QLMTSECOFR
Limit security officer
QMAXSIGN
Maximum sign-on attempts
Descriptions of these system values follow. The possible choices are shown. The
choices that are underlined are the system-supplied defaults. For most system
values, a recommended choice is listed.
When your system is shipped, the QALWOBJRST system value is set to *ALL. This
value is necessary to install your system successfully.
You may specify multiple values for the QALWOBJRST system value, unless you
specify *ALL or *NONE.
Table 5. Possible Values for the QALWOBJRST System Value:
*ALL Any object may be restored to your system by a user with the
proper authority.
*NONE Security-sensitive objects, such as system state programs or
programs that adopt authority, may not be restored to the
system.
*ALWSYSSTT System state objects may be restored to the system.
*ALWPGMADP Objects that adopt authority may be restored to the system.
| *ALWPTF System state objects, objects that adopt authority, objects that
| have the S_ISUID(set-user-ID) attribute enabled, and objects
| that have S_ISGID (set-group-ID) attribute enabled can be
| restored to the system during PTF install.
Recommended Value (QALWUSRDMN): For most systems, the recommended value is
*ALL. If your system has a high security requirement, you should allow user
domain objects only in the QTEMP library. At security level 50, the QTEMP
library is a temporary object and cannot be used to pass confidential data
between users.
| Some systems have application software that relies on object types *USRSPC,
| *USRIDX, or *USRQ. For those systems, the list of libraries for the
| QALWUSRDMN system value should include the libraries that are used by the
| application software. The public authority of any library placed in
| QALWUSRDMN, except QTEMP, should be set to *EXCLUDE. This limits the
| number of users who can use MI interfaces, which cannot be audited, to read or
| change the data in user domain objects in these libraries.
Note: If you run the Reclaim Storage (RCLSTG) command, user domain objects
may need to be moved in and out of the QRCL (reclaim storage) library. To
run the RCLSTG command successfully, you may need to add the QRCL
library to the QALWUSRDMN system value. To protect system security, set
the public authority to the QRCL library to *EXCLUDE. Remove the QRCL
library from the QALWUSRDMN system value when you have finished
running the RCLSTG command.
Recommended Value:
*CHANGE
The QCRTAUT system value is not used for objects created in directories in the
enhanced file system.
Sign-on Information
System:
Previous sign-on . . . . . . . . . . . . . : 10/30/91 14:15:00
Emulation sessions through Client Access are included. Local jobs that are signed
on to a remote system are excluded. Jobs that are connected by file transfer
protocol (FTP) are excluded. Prior to Version 4, Release 2, telnet jobs were also
excluded. To control the time-out of FTP connections, change the INACTTIMO
parameter on the Change FTP Attribute (CHGFTPA) command. To control the
time-out of telnet sessions prior to V4R2, use the Change Telnet Attribute
(CHGTELNA) command.
Following are examples of how the system determines which jobs are inactive:
v A user uses the system request function to start a second interactive job. A
system interaction, such as the Enter key, on either job causes both jobs to be
marked as active.
v A Client Access job may appear inactive to the system if the user is performing
PC functions such as editing a document without interacting with the iSeries
system.
The QINACTMSGQ system value determines what action the system takes when
an inactive job exceeds the specified interval.
When the system is started, it checks for inactive jobs at the interval specified by
the QINACTITV system value. For example, if the system is started at 9:46 in the
morning and the QINACTITV system value is 30 minutes, it checks for inactive
jobs at 10:16, 10:46, 11:16, and so on. If it discovers a job that has been inactive for
30 minutes or more, it takes the action specified by the QINACTMSGQ system
value. In this example, if a job becomes inactive at 10:17, it will not be acted upon
until 11:16. At the 10:46 check, it has been inactive for only 29 minutes.
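The timing rule described above (checks at fixed multiples of QINACTITV counted from the start of the system, and action at the first check at which the job has been idle for the whole interval) means a job can sit idle for almost twice the interval before anything happens. The following Python function is an added example, not part of this manual, that reproduces the 9:46 / 30-minute case and computes the worst-case detection delay; it assumes checks occur exactly at start + k × QINACTITV with no drift, and the `at()` helper is a convenience constructed for the example.

```python
from datetime import datetime, timedelta


def at(hhmm, day=1):
    """Build a timestamp on a fixed calendar day so examples read like the manual."""
    hour, minute = (int(x) for x in hhmm.split(":"))
    return datetime(2000, 1, day, hour, minute)


def first_action_check(system_start, qinactitv_minutes, last_activity):
    """Return the time of the first QINACTITV check at which a job whose last
    interaction was at last_activity has been inactive for at least the
    interval, and is therefore acted on according to QINACTMSGQ.

    Assumption: checks run at system_start + k*interval for k = 1, 2, ...,
    matching the manual's example of a 9:46 start and a 30-minute interval."""
    interval = timedelta(minutes=qinactitv_minutes)
    due = last_activity + interval      # earliest moment the job qualifies
    check = system_start + interval     # first check after the system starts
    while check < due:
        check += interval
    return check


def detection_delay_minutes(system_start, qinactitv_minutes, last_activity):
    """Minutes between the job going idle and the system acting on it."""
    acted = first_action_check(system_start, qinactitv_minutes, last_activity)
    return int((acted - last_activity).total_seconds() // 60)


def worst_case_delay_minutes(qinactitv_minutes):
    """Longest possible delay at one-minute granularity. A job that goes idle
    one minute after a check is still one minute short at the next check and
    is caught only at the one after: 2*interval - 1 minutes."""
    start = datetime(2000, 1, 1, 0, 0)
    return max(
        detection_delay_minutes(start, qinactitv_minutes,
                                start + timedelta(minutes=m))
        for m in range(qinactitv_minutes, 2 * qinactitv_minutes)
    )


if __name__ == "__main__":
    # The manual's case: system started 9:46, QINACTITV 30, job idle from 10:17.
    print(first_action_check(at("9:46"), 30, at("10:17")).strftime("%H:%M"))
    print(worst_case_delay_minutes(30), "minutes worst case")
```

When choosing QINACTITV, size it against the worst case rather than the nominal interval: a 30-minute setting allows an unattended signed-on session to survive for 59 minutes.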
The message queue must exist before it can be specified for the
QINACTMSGQ system value. This message queue is
automatically cleared during an IPL. If you assign
QINACTMSGQ as the user’s message queue, all messages in
the user’s message queue are lost during each IPL.
1. The Work Management book describes group jobs and secondary jobs.
Recommended Value: *DSCJOB unless your users run Client Access jobs. Using
*DSCJOB when some Client Access jobs are running is the equivalent of ending the
jobs. It can cause significant loss of information. Use the message-queue option if
you have the Client Access licensed program. The CL Programming book shows an
example of writing a program to handle messages.
Using a Message Queue: A user or a program can monitor the message queue and
take action as needed, such as ending the job or sending a warning message to the
user. Using a message queue allows you to make decisions about particular
devices and user profiles, rather than treating all inactive devices in the same way.
This method is recommended when you use the Client Access licensed program.
If a workstation with two secondary jobs is inactive, two messages are sent to the
message queue (one for each secondary job). A user or program can use the End
Job (ENDJOB) command to end one or both secondary jobs. If an inactive job has
one or more group jobs, a single message is sent to the message queue. Messages
continue to be sent to the message queue for each interval that the job is inactive.
Recommended Value: 1 (Yes) because limiting users to a single device reduces the
likelihood of sharing passwords and leaving devices unattended.
Note: Limiting device sessions can also be specified in individual user profiles.
The QLMTSECOFR system value is only enforced at security level 30 and higher.
“Workstations” on page 177 provides more information about the authority
required to sign on at a workstation.
You can always sign on at the system console with the QSECOFR, QSRV, and
QSRVBAS profiles, no matter how the QLMTSECOFR value is set.
Table 12. Possible Values for the QLMTSECOFR System Value:
1 A user with *ALLOBJ or *SERVICE special authority can sign
on at a display station only if that user is specifically
authorized (that is, given *CHANGE authority) to the display
station or if user profile QSECOFR is authorized (given
*CHANGE authority) to the display station. This authority
cannot come from public authority.
0 Users with *ALLOBJ or *SERVICE special authority can sign on
at any display station for which they have *CHANGE
authority. They can receive *CHANGE authority through
private or public authority or because they have *ALLOBJ
special authority.
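The two rows of Table 12 differ in which routes to *CHANGE authority on the display station count, and the console exception sits on top of both. The following Python function is an added example, not from this manual, that encodes those rules for a user holding *ALLOBJ or *SERVICE special authority; the device dictionary shape is constructed for the example, only private authority granted directly on the device description is modelled (group profile and authorization list authority are not), and the "*ALL includes *CHANGE" ordering is the usual object-authority hierarchy.

```python
# Object authority hierarchy on the device description: *ALL includes
# *CHANGE, which includes *USE. Only *CHANGE or better permits sign-on.
AUTH_RANK = {"*EXCLUDE": 0, "*USE": 1, "*CHANGE": 2, "*ALL": 3}

# Profiles that may always sign on at the system console (see text above).
CONSOLE_PROFILES = ("QSECOFR", "QSRV", "QSRVBAS")


def _has_change(auth):
    return AUTH_RANK.get(auth, 0) >= AUTH_RANK["*CHANGE"]


def privileged_user_can_sign_on(user_name, special_auths, device,
                                qlmtsecofr, qsecurity=40):
    """Decide whether a user with *ALLOBJ or *SERVICE may sign on at a
    display station, following Table 12.

    device is a dict constructed for this example with keys:
      "name"          device description name
      "is_console"    True for the system console
      "public_auth"   public authority to the device description
      "private_auths" mapping of profile name -> authority granted
                      directly on the device description
    """
    if not ({"*ALLOBJ", "*SERVICE"} & set(special_auths)):
        raise ValueError("QLMTSECOFR applies only to *ALLOBJ/*SERVICE users")

    # The console is always open to the security officer and service profiles.
    if device["is_console"] and user_name in CONSOLE_PROFILES:
        return True

    private = device["private_auths"]

    # QLMTSECOFR is enforced only at security level 30 and higher; below
    # that it behaves as if set to 0.
    if qlmtsecofr == 1 and qsecurity >= 30:
        # Explicit *CHANGE for this user or for QSECOFR. Public authority
        # does not count, and *ALLOBJ does not substitute for it.
        return (_has_change(private.get(user_name))
                or _has_change(private.get("QSECOFR")))

    # QLMTSECOFR 0: any route to *CHANGE suffices, including *ALLOBJ.
    return ("*ALLOBJ" in special_auths
            or _has_change(private.get(user_name))
            or _has_change(device["public_auth"]))


if __name__ == "__main__":
    dsp01 = {"name": "DSP01", "is_console": False,
             "public_auth": "*CHANGE", "private_auths": {}}
    for setting in (0, 1):
        print("QLMTSECOFR", setting, "AUDITOR at DSP01:",
              privileged_user_can_sign_on("AUDITOR", {"*ALLOBJ"}, dsp01, setting))
```

The case worth noticing is a device with public authority *CHANGE and no private entries: at QLMTSECOFR(0) every *ALLOBJ user can sign on there, at QLMTSECOFR(1) none can, which is exactly the containment the value is meant to give when a powerful profile is compromised.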
If you create the QSYSMSG message queue in the QSYS library, messages about
critical system events are sent to that message queue as well as to QSYSOPR. The
QSYSMSG message queue can be monitored separately by a program or a system
operator. This provides additional protection of your system resources. Critical
system messages in QSYSOPR are sometimes missed because of the volume of
messages sent to that message queue.
Recommended Value: 3.
The system disables a device by varying it off. The device is disabled only if the
sign-on attempts that are not valid are consecutive on the same device. One valid
sign-on resets the count of incorrect sign-on attempts for the device.
If you create the QSYSMSG message queue in QSYS, the message sent (CPF1397)
contains the user and device name. Therefore, it is possible to control the disabling
of the device based on the device being used.
If the QSECOFR profile is disabled, you may sign on as QSECOFR at the console
and enable the profile. If the console is varied off and no other user can vary it on,
you must IPL the system to make the console available.
Recommended Value: 3.
If you change the QRETSVRSEC system value from 1 to 0, the system removes the
decryptable authentication information from the system.
If you have a large number of user profiles or validation lists on your system
when you make this change, the CHGSYSVAL command may run for an extensive
period of time.
Table 15. Possible Values for the QRETSVRSEC System Value:
0 Server security data is not retained.
1 Server security data is retained.
Recommended Value: 0.
The Remote Work Station Support book contains detailed information about the
QRMTSIGN system value. It also contains the requirements for a remote sign-on
program and an example.
| 1 Users can use shared memory or mapped memory that has
| write capability.
| This value means that users can use shared-memory APIs (for
| example, shmat() — Shared Memory Attach API), and can use
| mapped memory objects that have write capability (for
| example, mmap() — Memory Map a File API provides this
| function).
| Recommended Value (QSHRMEMCTL): 1.
The system value can contain the name of an authorization list. The user’s
authority is checked against this list. If the user has at least *USE authority to the
named authorization list, the user can create, change, or update programs or
service programs with the USEADPAUT(*YES) attribute. The authority to the
authorization list cannot come from adopted authority.
If an authorization list is named in the system value and the authorization list is
missing, the function being attempted will not complete. A message is sent
indicating this.
If more than one function is requested on the command or API, and the
authorization list is missing, the function is not performed. If the command being
attempted when the authorization list cannot be found is Create Pascal Program
(CRTPASPGM) or Create Basic Program (CRTBASPGM), the result is a function
check.
Table 18. Possible Values for the QUSEADPAUT System Value:
authorization list name A diagnostic message is signaled to indicate that the program is
created with USEADPAUT(*NO) if all of the following are true:
v An authorization list is specified for the QUSEADPAUT
system value.
v The user does not have authority to the authorization list
mentioned above.
v There are no other errors when the program or service
program is created.
*NONE All users can create or change programs and service programs
to use adopted authority if the users have the necessary
authority to the program or service program.
You should carefully consider the security design of your application before
creating the authorization list for QUSEADPAUT system value. This is especially
important for application development environments.
Descriptions of these system values follow. For each value, the possible choices are
shown. The choices that are underlined are the system-supplied defaults.
Recommended Value (QAUTOCFG): When initiating system setup or when adding many
new devices, the system value should be set to 1. At all other times the system
value should be set to 0.
A virtual device is a device description that does not have hardware associated
with it. It is used to form a connection between a user and a physical workstation
attached to a remote system.
Allowing the system to automatically configure virtual devices makes it easier for
users to break into your system using pass-through or telnet. Without automatic
configuration, a user attempting to break in has a limited number of attempts at
each virtual device. The limit is defined by the security officer using the
QMAXSIGN system value. With automatic configuration active, the actual limit is
higher. The system sign-on limit is multiplied by the number of virtual devices that
can be created by the automatic configuration support. This support is defined by
the QAUTOVRT system value.
1. This system value is also discussed in the Information Center (see “Prerequisite and related information” on page xvi for details).
Recommended Value: 0
The Remote Work Station Support book has more information about using display
station pass-through. The TCP/IP Configuration and Reference book has more
information about using TELNET.
When a value of *MSG or *DSCMSG is specified for the device recovery action
(QDEVRCYACN) system value, the device recovery action is not performed until
the next I/O operation is performed by the job. In a LAN/WAN environment, this
may allow one device to disconnect and another to connect, using the same
address, before the next I/O operation for the job occurs. The job may recover
from the I/O error message and continue running to the second device. To avoid
this, a device recovery action of *DSCENDRQS, *ENDJOB, or *ENDJOBNOLIST should
be specified. These device recovery actions are performed immediately when an
I/O error, such as a power-off operation, occurs.
Recommended Value:
*DSCMSG
Note: *ALLOBJ and *SECADM special authorities are not required to change this
value.
Before Version 3, Release 6, the default value was *MSG. Leaving the value at
*MSG presents a potential security exposure.
If you set the QINACTMSGQ system value to disconnect inactive jobs (*DSCJOB),
you should set the QDSCJOBITV to end the disconnected jobs eventually. A
disconnected job uses up system resources, as well as retaining any locks on
objects.
Table 22. Possible Values for the QDSCJOBITV System Value:
240 The system ends a disconnected job after 240 minutes.
*NONE The system does not automatically end a disconnected job.
time-in-minutes Specify a value between 5 and 1440.
Recommended Value (QRMTSRVATR): 0
For information about remote access and the QRMTSRVATR system value, see
“Keylock Security” on page 2.
| If Digital Certificate Manager (OS/400 option 34) is not installed on the system, all
| objects except those signed by OS/400 are treated as unsigned when determining
| the effects of this system value during a restore operation.
| This value should not be used unless you have signed objects
| to restore which will fail their signature verification for some
| acceptable reason.
| This value should be used only if there are specific objects with
| signatures that are not valid which you want to restore. In
| general, it is dangerous to restore objects with signatures that
| are not valid on your system.
| 3 Verify signatures on restore. Restore unsigned user-state objects.
| Restore signed user-state objects only if the signatures are valid.
| 4 Verify signatures on restore. Do not restore unsigned user-state
| objects. Restore signed user-state objects, even if the signatures
| are not valid.
| This value should be used only if there are specific objects with
| signatures that are not valid which you want to restore, but
| you do not want the possibility of unsigned objects being
| restored. In general, it is dangerous to restore objects with
| signatures that are not valid on your system.
| 5 Verify signatures on restore. Do not restore unsigned user-state
| objects. Restore signed user-state objects only if the signatures
| are valid.
| Objects which have the system-state attribute and objects which have the
| inherit-state attribute are required to have valid signatures. The only value which
| will allow a system-state or inherit-state object to restore without a valid signature
| is 1. Allowing such a program represents an integrity risk to your system. If you
| change the QVFYOBJRST system value to 1 to allow such an object to restore on
| your system, be sure to change the QVFYOBJRST system value back to its previous
| value after the object has been restored.
| Recommended Value: 3.
Following are the system values that control passwords. These system values
require users to change passwords regularly and help prevent users from assigning
trivial, easily guessed passwords. They can also make sure passwords meet the
requirements of your communications network:
QPWDEXPITV 2
Expiration interval
| QPWDLVL
| Password level
QPWDMINLEN 2
Minimum length
QPWDMAXLEN 2
Maximum length
QPWDRQDDIF 2
Required difference
QPWDLMTCHR
Restricted characters
QPWDLMTAJC
Restrict adjacent characters
QPWDLMTREP
Restrict repeating characters
QPWDPOSDIF
Character position difference
QPWDRQDDGT
Require numeric character
QPWDVLDPGM
Password validation program
The password-composition system values are enforced only when the password is
changed using the CHGPWD command, the ASSIST menu option to change a
password, or the QSYCHGPW application programming interface (API). They are
not enforced when the password is set using the CRTUSRPRF or CHGUSRPRF
command.
2. These system values are also discussed in the Information Center (see“Prerequisite and related information” on page xvi for
details).
If a password is forgotten, the security officer can use the Change User Profile
(CHGUSRPRF) command to set the password equal to the profile name or to any
other value. The Set password to expired field in the user profile can be used to
require that a password be changed the next time the user signs on.
| Sign-on Information
| System:
| Password has expired. Password must be changed to continue sign-on
| request.
| Previous sign-on . . . . . . . . . . . . . : 10/30/91 14:15:00
| Sign-on attempts not valid . . . . . . . . : 3
Table 25. Possible Values for the QPWDEXPITV System Value:
*NOMAX Users are not required to change their passwords.
limit-in-days Specify a value from 1 through 366.
| The password level can be set to allow a ’passphrase’ as the password value. The
| term ’passphrase’ is sometimes used in the computer industry to describe a
| password value which can be very long and has few, if any, restrictions on the
| characters used in the password value. Blanks can be used between letters in a
| passphrase, which allows you to have a password value that is a sentence or
| sentence fragment. The only restrictions on a passphrase are that it cannot start
| with an asterisk (’*’) and trailing blanks will be removed. Before changing the
| password level of your system, please review the section “Planning Password
| Level Changes” on page 197.
| Changing the password level of the system from 1-10 character passwords to 1-128
| character passwords requires careful consideration. If your system communicates
| with other systems in a network, then all systems must be able to handle the
| longer passwords.
| A change to this system value takes effect at the next IPL. To see the current and
| pending password level values, use the CL command DSPSECA (Display Security
| Attributes).
Recommended Value (QPWDMINLEN): 6, to prevent users from assigning passwords
that are easily guessed, such as initials or a single character.
Recommended Value (QPWDMAXLEN): 8.
Note: The value of the QPWDRQDDIF system value determines how many of
these previous passwords are checked for a duplicate password.
Table 29. Possible Values for the QPWDRQDDIF System Value:
Value Number of Previous Passwords Checked for Duplicates
0 0 Duplicate passwords are allowed.
1 32
2 24
3 18
4 12
5 10
6 8
7 6
8 4
| The QPWDLMTCHR system value is not enforced when the password level
| (QPWDLVL) system value has a value of 2 or 3. The QPWDLMTCHR system value
| can be changed at QPWDLVL 2 or 3, but will not be enforced until QPWDLVL is
| changed to a value of 0 or 1.
| When the password level (QPWDLVL) system value has a value of 2 or 3, the test
| for repeated characters is case sensitive. This means that a lowercase ’a’ is not the
| same as an uppercase ’A’.
Table 32. Possible Values for the QPWDLMTREP System Value:
0 The same characters can be used more than once in a
password.
1 The same character cannot be used more than once in a
password.
2 The same character cannot be used consecutively in a
password.
| When the password level (QPWDLVL) system value has a value of 2 or 3, the test
| for the same character is case sensitive. This means that a lowercase ’a’ is not the
| same as an uppercase ’A’.
Table 35. Possible Values for the QPWDPOSDIF System Value:
0 The same characters can be used in a position corresponding to
the same position in the previous password.
1 The same character cannot be used in a position corresponding
to the same position in the previous password.
Recommended Value: 1.
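The composition system values described above (Tables 29, 32 and 35, together with QPWDMINLEN, QPWDMAXLEN, QPWDLMTCHR and QPWDRQDDGT) interact: the history depth comes from QPWDRQDDIF, the repeated-character and position tests become case sensitive at QPWDLVL 2 or 3, and QPWDLMTCHR stops being enforced there. The following Python checker is an added example, not part of this manual and not the system's own implementation; it assumes passwords at QPWDLVL 0 or 1 are compared in uppercase, treats QPWDRQDDGT(1) as "at least one numeric character", and reports every rule a candidate password violates rather than stopping at the first.

```python
from dataclasses import dataclass

# Table 29: QPWDRQDDIF value -> number of previous passwords checked.
HISTORY_DEPTH = {0: 0, 1: 32, 2: 24, 3: 18, 4: 12, 5: 10, 6: 8, 7: 6, 8: 4}


@dataclass
class PasswordRules:
    """Subset of the password system values; defaults are the shipped ones
    as far as this page states them, otherwise the least restrictive."""
    qpwdlvl: int = 0          # 0/1: 1-10 char, case-folded; 2/3: passphrases
    qpwdminlen: int = 6
    qpwdmaxlen: int = 8
    qpwdrqddif: int = 0       # history depth key into HISTORY_DEPTH
    qpwdlmtchr: str = ""      # restricted characters, enforced at QPWDLVL 0/1 only
    qpwdlmtrep: int = 0       # Table 32: 0 any, 1 no repeat, 2 no consecutive repeat
    qpwdposdif: int = 0       # Table 35: 1 = no same char in same position as last
    qpwdrqddgt: int = 0       # 1 = require a numeric character


def check_password(new, previous, rules):
    """Return the list of system-value names the candidate violates.

    previous: earlier passwords, most recent first (only the first
    HISTORY_DEPTH[rules.qpwdrqddif] entries are consulted)."""
    errors = []
    case_sensitive = rules.qpwdlvl in (2, 3)
    norm = (lambda s: s) if case_sensitive else str.upper
    pwd = norm(new)

    if len(pwd) < rules.qpwdminlen:
        errors.append("QPWDMINLEN")
    if len(pwd) > rules.qpwdmaxlen:
        errors.append("QPWDMAXLEN")

    depth = HISTORY_DEPTH[rules.qpwdrqddif]
    if any(norm(p) == pwd for p in previous[:depth]):
        errors.append("QPWDRQDDIF")

    # QPWDLMTCHR is not enforced at QPWDLVL 2 or 3.
    if rules.qpwdlvl in (0, 1) and rules.qpwdlmtchr:
        if set(pwd) & set(rules.qpwdlmtchr.upper()):
            errors.append("QPWDLMTCHR")

    # Repeated characters: case sensitive only at QPWDLVL 2/3 (pwd is
    # already upper-cased otherwise, so 'a' and 'A' collide there).
    if rules.qpwdlmtrep == 1 and len(set(pwd)) != len(pwd):
        errors.append("QPWDLMTREP")
    elif rules.qpwdlmtrep == 2 and any(a == b for a, b in zip(pwd, pwd[1:])):
        errors.append("QPWDLMTREP")

    # Same character in the same position as the immediately previous password.
    if rules.qpwdposdif == 1 and previous:
        last = norm(previous[0])
        if any(a == b for a, b in zip(pwd, last)):
            errors.append("QPWDPOSDIF")

    if rules.qpwdrqddgt == 1 and not any(c.isdigit() for c in pwd):
        errors.append("QPWDRQDDGT")

    return errors


if __name__ == "__main__":
    strict = PasswordRules(qpwdminlen=6, qpwdmaxlen=8, qpwdrqddif=6,
                           qpwdlmtchr="AEIOU", qpwdlmtrep=2, qpwdposdif=1,
                           qpwdrqddgt=1)
    # Constructed sample: previous password KP3RLY, candidate KQ33LY.
    print(check_password("kq33ly", ["kp3rly"], strict))
```

Note that a candidate that passes these checks is still only as good as the history you keep: with QPWDRQDDIF(0) the duplicate check consults nothing, so a user can change a password back to the old one immediately after an expiry.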
In case it is necessary to recover your system from a disk failure, place the
password approval program in library QSYS. This way the password approval
program is loaded when you restore library QSYS.
If your program determines that the new password is not valid, you can either
send your own exception message (using the SNDPGMMSG command ) or set the
return code to a value other than 0 and let the system display an error message.
Exception messages that are signaled by your program must be created with the
DMPLST(*NONE) option of the Add Message Description (ADDMSGD) command.
The new password is accepted only if the user-written program ends with no
escape message and a return code of 0. Because the return code is initially set for
Attention: The current and new password are passed to the validation program
without encryption. The validation program could store passwords in a database
file and compromise security on the system. Make sure the functions of the
validation program are reviewed by the security officer and that changes to the
program are strictly controlled.
| This example checks to make sure the new password is in CCSID 37 (or if it is in
| CCSID 13488 it converts the new password to CCSID 37), that the new password
| does not end in a numeric character, and that the new password does not contain
| the user profile name. The example assumes that a message file (PWDERRORS)
| has been created and message descriptions (PWD0001 and PWD0002) have been
| added to the message file. Additional calculations can be added to the program to
| check other criteria for passwords:
| /**********************************************************/
| /* */
| /* NAME: PWDEXITPGM1 - Password validation exit 1 */
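The checks the manual's PWDEXITPGM1 sample performs are listed in the text above: accept the password in CCSID 37, or convert it from CCSID 13488 first; reject a password that ends in a numeric character; reject one that contains the user profile name. The following Python function is an added example of that decision logic, not the manual's CL program and not the real QPWDVLDPGM calling interface (the system passes the exit program its parameters and a return code parameter; the return-code numbers used here are constructed). It assumes CCSID 37 decodes with Python's `cp037` codec and CCSID 13488 (UCS-2) with `utf-16-be`, and that the profile-name comparison is case-insensitive.

```python
# Constructed return codes: 0 accepts the password, anything else rejects it
# and lets the system (or a SNDPGMMSG in the real exit) report the reason.
RC_OK = 0
RC_BAD_CCSID = 1
RC_ENDS_IN_DIGIT = 2
RC_CONTAINS_PROFILE = 3


def to_ccsid_37(new_pwd, ccsid):
    """Return the password as CCSID 37 (EBCDIC) bytes, converting from
    CCSID 13488 (UCS-2) when needed. Raises ValueError for other CCSIDs
    or for characters that have no CCSID 37 representation."""
    if ccsid == 37:
        return new_pwd
    if ccsid == 13488:
        try:
            return new_pwd.decode("utf-16-be").encode("cp037")
        except (UnicodeDecodeError, UnicodeEncodeError) as exc:
            raise ValueError("password not representable in CCSID 37") from exc
    raise ValueError("unsupported CCSID %d" % ccsid)


def validate_new_password(new_pwd, ccsid, user_profile):
    """Decision logic of the sample exit: returns one of the RC_* codes.

    new_pwd is the raw password bytes in the given CCSID. The value is never
    logged or stored: the exit receives the password without encryption."""
    try:
        ebcdic = to_ccsid_37(new_pwd, ccsid)
    except ValueError:
        return RC_BAD_CCSID
    # Trailing blanks are not significant in a password value.
    text = ebcdic.decode("cp037").rstrip(" ")
    if text and text[-1].isdigit():
        return RC_ENDS_IN_DIGIT
    if user_profile.upper() in text.upper():
        return RC_CONTAINS_PROFILE
    return RC_OK


if __name__ == "__main__":
    # Constructed sample calls; the system would supply these parameters.
    print(validate_new_password("QUIET7Z".encode("cp037"), 37, "FRED"))
    print(validate_new_password("FRED9".encode("cp037"), 37, "FRED"))
```

Because the exit sees the cleartext of both the current and the new password (see the Attention note above), keep the program in QSYS, give it no file I/O beyond what it needs, and review any change to it as you would a change to the security officer's profile.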
Descriptions of these system values follow. The possible choices are shown. The
choices that are underlined are the system-supplied defaults. For most system
values, a recommended choice is listed.
You can specify more than one value for the QAUDCTL system value, unless you
specify *NONE.
Table 39. Possible Values for the QAUDCTL System Value:
*NONE No auditing of user actions and no auditing of objects is
performed.
*OBJAUD Auditing is performed for objects that have been selected using
the CHGOBJAUD, CHGDLOAUD, or CHGAUD commands.
*AUDLVL Auditing is performed for any functions selected on the
QAUDLVL system value and on the AUDLVL parameter of
individual user profiles. The audit level for a user is specified
using the Change User Audit (CHGUSRAUD) command.
*NOQTEMP Auditing is not performed for most actions if the object is in
QTEMP library. See “Chapter 9. Auditing Security on the iSeries
System” on page 235 for more details. You must specify this
value with either *OBJAUD or *AUDLVL.
See “Planning Security Auditing” on page 241 for a complete
description of the process for controlling auditing on your
system.
Only very unusual circumstances cause the system to be unable to write audit
journal entries. However, if this does happen and the QAUDENDACN system
value is *PWRDWNSYS, your system ends abnormally. This could cause a lengthy
initial program load (IPL) when your system is powered on again.
For the QAUDLVL system value to take effect, the QAUDCTL system value must
include *AUDLVL.
See “Planning the Auditing of Actions” on page 241 for a complete description of
the journal entry types and the possible values for QAUDLVL.
For example, the CRTOBJAUD value for the CUSTLIB library is *SYSVAL. The
QCRTOBJAUD value is *CHANGE. If you create a new object in the CUSTLIB
library, its object auditing value is automatically set to *CHANGE. You can change
the object auditing value using the CHGOBJAUD command.
Table 43. Possible Values for the QCRTOBJAUD System Value:
*NONE No auditing is done for the object.
*USRPRF Auditing of the object is based on the value in the profile of the
user accessing the object.
*CHANGE An audit record is written whenever the object is changed.
*ALL An audit record is written for any action that affects the
contents of the object. An audit record is also written if an
object’s contents change.
Recommended Value: The value you select depends upon the auditing
requirements of your installation. The section “Planning the Auditing of Object
Access” on page 252 provides more information about methods for setting up
object auditing on your system. You may also control the auditing value at the
library level with the CRTOBJAUD parameter with the CRTLIB command and the
CHGLIB command.
Overview:
Purpose:
Create and maintain user profiles and group profiles on the
system.
How To:
Work with User Profiles (WRKUSRPRF) command
Change User Audit (CHGUSRAUD) command
Authority:
*SECADM special authority
*AUDIT special authority to change user auditing
Journal Entry:
CP for changes to user profiles
AD for changes to user auditing
ZC for changes to a user profile that are not relevant to security
If the security level (QSECURITY) system value on your system is 10, the system
automatically creates a user profile when someone signs on with a user ID that
does not already exist on the system. Table 132 in Appendix B shows the values
assigned when the system creates a user profile.
Group Profiles
A group profile is a special type of user profile. It serves two purposes on the
system:
You create group profiles in the same way that you create individual profiles. The
system recognizes a group profile when you add the first member to it. At that
point, the system sets information in the profile indicating that it is a group profile.
The system also generates a group identification number (gid) for the profile. You
can also designate a profile as a group profile at the time that you create it by
specifying a value in the GID parameter. “Planning Group Profiles” on page 216
shows an example of setting up a group profile.
[Figure: Ways to create a user profile. From the Work with User Profiles display, option 1 (create) leads to the Create User Profile command, or to the Create User Profile command prompt via F4. From the Work with User Enrollment display, option 1 (add) leads to the Add User display. Each of the three paths produces the user profile.]
Following are explanations of each field in the user profile. The fields are described
in the order they appear on the Create User Profile command prompt.
Many system displays have different versions, called assistance levels, to meet the
needs of different users:
• Basic assistance level, which contains less information and does not use technical
terminology.
• Intermediate assistance level, which shows more information and uses technical
terms.
• Advanced assistance level, which uses technical terms and shows the maximum
amount of data by not always displaying function key and option information.
The sections that follow show what the user profile fields are called on both the
basic assistance level and the intermediate assistance level displays. This is the
format used:
Field Title
The title of the section shows how the field name appears on the Create
User Profile command prompt, which is shown when you create a user
profile with intermediate assistance level or the Create User Profile
(CRTUSRPRF) command.
Add User prompt:
This shows how the field name appears on the Add User display and other
user-profile displays that use basic assistance level. The basic assistance
level displays show a subset of the fields in the user profile. Not shown
means the field does not appear on the basic assistance level display. When
you use the Add User display to create a user profile, default values are
used for all fields that are not shown.
CL parameter:
You use the CL parameter name for a field in a CL program or when you
enter a user profile command without prompting.
Length:
If you use the Retrieve User Profile (RTVUSRPRF) command in a CL
program, this is the length you should use to define the parameter
associated with the field.
Authority:
If a field refers to a separate object, such as a library or a program, you are
told the authority requirements for the object. To specify the object when
you create or change a user profile, you need the authority listed. To sign
on using the profile, the user needs the authority listed. For example, if
you create user profile USERA with job description JOBD1, you must have
*USE authority to JOBD1. USERA must have *USE authority to JOBD1 to
successfully sign on with the profile.
In addition, each section describes the possible values for the field and a
recommended value.
The user profile name identifies the user to the system. This user profile name is
also known as the user ID. It is the name the user types in the User prompt on the
Sign On display.
The user profile name can be a maximum of 10 characters. The characters can be:
• Any letter (A through Z)
• Any number (0 through 9)
• These special characters: pound (#), dollar ($), underscore (_), at (@).
Note: The Add User display allows only an eight-character user name.
Note: It is possible to create a user profile so that when a user signs on, the user
ID is only numerals. To create a profile like this, specify a Q as the first
character, such as Q12345. A user can then sign on by entering 12345 or
Q12345 for the User prompt on the Sign On display.
For more information about specifying names on the system, see the CL
Programming book.
One technique for assigning user profile names is to use the first seven characters
of the last name followed by the first character of the first name. For example:
Password
Add User prompt:
Password
CL parameter:
PASSWORD
Length:
128
The password is used to verify a user’s authority to sign on the system. A user ID
and a password must be specified to sign on when password security is active
(QSECURITY system value is 20 or higher).
When the password level (QPWDLVL) system value is 0 or 1, the rules for specifying passwords are the same as those used for user profile names. When the first character of the password is a Q and the second character is a numeric character, the Q can be omitted on the Sign On display. If a user specifies Q12345 as the password on the Change Password display, the user can specify either 12345 or Q12345 as the password on the Sign On display. When QPWDLVL is 2 or 3, the user must specify the password as Q12345 on the sign-on display if the user profile was created with a password of Q12345. An all-numeric password is allowed when QPWDLVL is 2 or 3, but the user profile password must be created as all numeric.
When the password level (QPWDLVL) system value is 2 or 3, the password is case sensitive and can contain any character, including blank characters. However, the password may not begin with an asterisk character (’*’), and trailing blank characters are removed.
You can set system values to control the passwords that users assign. The password composition system values apply only when a user changes a password using the Change Password (CHGPWD) command, the Change password option from the ASSIST menu, or the QSYCHGPW API. If the password minimum length (QPWDMINLEN) system value is not 1 or the password maximum length (QPWDMAXLEN) system value is not 10 or any of the other password composition system values have been changed from the default values, a user
See the topic “System Values That Apply to Passwords” on page 37 for information
about setting the password composition system values.
Table 44. Possible Values for PASSWORD:
*USRPRF         The password for this user is the same as the user profile name. When the password level (QPWDLVL) system value is 2 or 3, the password is the uppercased value of the user profile name. For profile JOHNDOE, the password would be JOHNDOE, not johndoe.
*NONE           No password is assigned to this user profile. Sign-on is not allowed with this user profile. You can submit a batch job using a user profile with password *NONE if you have proper authority to the user profile.
user-password   A character string (128 characters or less).
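The naming and password-level rules above, encoded as an added example (not IBM code) the way a reviewer might model them when checking exported profile data. It covers the user profile name character set and length, the all-numeric sign-on shortcut for Q-prefixed names, and the QPWDLVL 0/1 versus 2/3 password rules; the assumption that a name (and a level 0/1 password) may not begin with a digit is inferred from the Q12345 note, and the password composition system values are deliberately not modelled.

```python
import string
from typing import Optional

# Characters allowed in a user profile name: A-Z, 0-9, #, $, _ and @.
NAME_CHARS = set(string.ascii_uppercase + string.digits + "#$_@")


def _name_like(value: str) -> bool:
    """Rules for a user profile name (also the password rules at QPWDLVL 0/1):
    1 to 10 characters from NAME_CHARS.  Assumption, inferred from the
    'Q12345' note and the CL naming rules: the first character is not a digit."""
    return (1 <= len(value) <= 10
            and not value[0].isdigit()
            and all(c in NAME_CHARS for c in value))


def valid_profile_name(name: str) -> bool:
    """True if NAME can be a user profile name.  The system folds names to
    uppercase, so lowercase input is accepted."""
    return _name_like(name.upper())


def sign_on_user(entered: str) -> str:
    """Map what is typed in the User prompt to a profile name: an all-numeric
    entry such as 12345 is the profile Q12345."""
    entered = entered.strip().upper()
    if entered.isdigit():
        return "Q" + entered
    return entered


def normalize_password(password: str, qpwdlvl: int) -> Optional[str]:
    """Return the password as the system would store it, or None if it
    breaks the rules for the given QPWDLVL.
    Levels 0 and 1: same rules as profile names, so folded to uppercase
    and at most 10 characters.
    Levels 2 and 3: case sensitive, any character including blanks, up to
    128 characters, trailing blanks removed, may not begin with '*'."""
    if qpwdlvl in (0, 1):
        pw = password.upper()
        return pw if _name_like(pw) else None
    if qpwdlvl in (2, 3):
        pw = password.rstrip(" ")
        if 1 <= len(pw) <= 128 and not pw.startswith("*"):
            return pw
        return None
    raise ValueError(f"unknown QPWDLVL {qpwdlvl}")


def sign_on_password(entered: str, qpwdlvl: int) -> str:
    """The value a typed sign-on password is compared against.
    At levels 0/1 case is folded and a leading Q may be omitted when the
    next character is numeric, so 12345 matches a stored Q12345.  At levels
    2/3 the password is used as typed (trailing blanks removed), so Q12345
    must be typed in full and an all-numeric password stays all numeric."""
    if qpwdlvl in (0, 1):
        entered = entered.upper()
        # A stored level 0/1 password cannot start with a digit, so an entry
        # that does must be the Q-omitted form.
        return "Q" + entered if entered[:1].isdigit() else entered
    return entered.rstrip(" ")


def password_matches(stored: str, entered: str, qpwdlvl: int) -> bool:
    """Compare a stored password with a sign-on attempt under QPWDLVL rules."""
    return sign_on_password(entered, qpwdlvl) == stored
```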
Recommendations for Passwords:
• Set the password for a group profile to *NONE. This prevents anyone from
signing on with the group profile.
• When creating an individual user profile, set the password to an initial value
and require a new password to be assigned when the user signs on (set
password expired to *YES). The default password when creating a user profile is
the same as the user profile name.
• If you use a trivial or default password when creating a new user profile, make
sure the user intends to sign on immediately. If you expect a delay before the
user signs on, set the status of the user profile to *DISABLED. Change the status
to *ENABLED when the user is ready to sign on. This protects a new user
profile from being used by someone who is not authorized.
• Use the password composition system values to prevent users from assigning
trivial passwords.
• Some communications methods send passwords between systems and limit the
length of passwords and the characters that passwords can contain. If your
system communicates with other systems, use the QPWDMAXLEN system value
to limit the password length. At password levels 0 and 1, the QPWDLMTCHR
system value can be used to specify characters that cannot be used in
passwords.
The Set password to expired field allows a security administrator to indicate in the
user profile that the user’s password is expired and must be changed the next time
the user signs on. This value is reset to *NO when the password is changed. You
can change the password by using either the CHGPWD or CHGUSRPRF
command, or the QSYCHGPW API, or as part of the next sign-on process.
When a user’s password has expired, the user receives a message at sign-on (see
Figure 4). The user can either press the Enter key to assign a new password or
press F3 (Exit) to cancel the sign-on attempt without assigning a new password. If
the user chooses to change the password, the Change Password display is shown
and password validation is run for the new password.
Figure 4. Password expiration message on the Sign-on Information display:
  Sign-on Information
  System:
  Password has expired. Password must be changed to continue sign-on request.
Recommendations: Set the password to expired whenever you create a new user
profile or assign a temporary password to a user.
Status
Add User prompt:
Not shown
CL parameter:
STATUS
Length:
10
The value of the Status field indicates if the profile is valid for sign-on. If the
profile status is enabled, the profile is valid for sign-on. If the profile status is
disabled, an authorized user has to enable the profile again to make it valid for
sign-on.
You can use the CHGUSRPRF command to enable a profile that has been disabled.
You must have *SECADM special authority and *OBJMGT and *USE authority to
the profile to change its status. The topic “Enabling a User Profile” on page 101
shows an example of an adopted authority program to allow a system operator to
enable a profile.
The system may disable a profile after a certain number of incorrect sign-on
attempts with that profile, depending on the settings of the QMAXSIGN and
QMAXSGNACN system values.
User Class
Add User prompt:
Type of User
CL parameter:
USRCLS
Length:
10
User class is used to control what menu options are shown to the user on OS/400
menus. This does not necessarily limit the use of commands. The Limit capabilities
field controls whether the user can enter commands. User class may not affect
what options are shown on menus provided by other licensed programs.
If no special authorities are specified when a user profile is created, the user class
and the security level (QSECURITY) system value are used to determine the
special authorities for the user.
Possible Values for USRCLS: Table 47 shows the possible user classes and what
the default special authorities are for each user class. The entries indicate that the
authority is given at security levels 10 and 20 only, at all security levels, or (blank) not at
all.
Table 47. Default Special Authorities for User Classes
Special Authority   *SECOFR   *SECADM    *PGMR      *SYSOPR    *USER
*ALLOBJ             All       10 or 20   10 or 20   10 or 20   10 or 20
*SECADM             All       All
*JOBCTL             All       10 or 20   10 or 20   All
*SPLCTL             All
*SAVSYS             All       10 or 20   10 or 20   All        10 or 20
*SERVICE            All
*AUDIT              All
*IOSYSCFG           All
Recommendations: Most users do not need to perform system functions. Set the
user class to *USER, unless a user specifically needs to use system functions.
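Table 47 and the recommendation above turned into a review check, as an added example (not IBM code): the default special authorities for a user class at a given QSECURITY level are computed, and constructed sample profile records (the kind of data a reviewer would gather with RTVUSRPRF) are flagged when they hold special authorities their class would not grant by default.

```python
from typing import Dict, List, Set

ALL = "all"          # granted at every security level
LOW = "10 or 20"     # granted only at QSECURITY 10 or 20
USER_CLASSES = ("*SECOFR", "*SECADM", "*PGMR", "*SYSOPR", "*USER")

# Table 47: special authority -> {user class: when it is granted by default};
# a class that is absent gets the authority at no security level.
DEFAULTS = {
    "*ALLOBJ":   {"*SECOFR": ALL, "*SECADM": LOW, "*PGMR": LOW, "*SYSOPR": LOW, "*USER": LOW},
    "*SECADM":   {"*SECOFR": ALL, "*SECADM": ALL},
    "*JOBCTL":   {"*SECOFR": ALL, "*SECADM": LOW, "*PGMR": LOW, "*SYSOPR": ALL},
    "*SPLCTL":   {"*SECOFR": ALL},
    "*SAVSYS":   {"*SECOFR": ALL, "*SECADM": LOW, "*PGMR": LOW, "*SYSOPR": ALL, "*USER": LOW},
    "*SERVICE":  {"*SECOFR": ALL},
    "*AUDIT":    {"*SECOFR": ALL},
    "*IOSYSCFG": {"*SECOFR": ALL},
}


def default_special_authorities(usrcls: str, qsecurity: int) -> Set[str]:
    """Special authorities a profile of class USRCLS receives when it is
    created with SPCAUT(*USRCLS) on a system at level QSECURITY."""
    if usrcls not in USER_CLASSES:
        raise ValueError(f"unknown user class {usrcls}")
    granted = set()
    for spcaut, classes in DEFAULTS.items():
        when = classes.get(usrcls)
        if when == ALL or (when == LOW and qsecurity in (10, 20)):
            granted.add(spcaut)
    return granted


def effective_special_authorities(profile: Dict, qsecurity: int) -> Set[str]:
    """SPCAUT(*USRCLS) means the class defaults apply; *USRCLS cannot be
    combined with other values, so anything else is the explicit set."""
    held = set(profile["SPCAUT"])
    if held == {"*USRCLS"}:
        return default_special_authorities(profile["USRCLS"], qsecurity)
    return held


def excess_special_authorities(profile: Dict, qsecurity: int) -> Set[str]:
    """Special authorities the profile holds beyond its class defaults."""
    return (effective_special_authorities(profile, qsecurity)
            - default_special_authorities(profile["USRCLS"], qsecurity))


# Constructed sample records (not from any real system): profile name,
# user class and the SPCAUT values as RTVUSRPRF would return them.
SAMPLE_PROFILES = [
    {"USRPRF": "QSECOFR", "USRCLS": "*SECOFR", "SPCAUT": {"*USRCLS"}},
    {"USRPRF": "OPER1",   "USRCLS": "*SYSOPR", "SPCAUT": {"*JOBCTL", "*SAVSYS", "*SPLCTL"}},
    {"USRPRF": "USERA",   "USRCLS": "*USER",   "SPCAUT": {"*ALLOBJ"}},
    {"USRPRF": "USERB",   "USRCLS": "*USER",   "SPCAUT": {"*USRCLS"}},
]


def review(profiles: List[Dict], qsecurity: int) -> Dict[str, List[str]]:
    """Profile name -> sorted excess special authorities, for profiles that
    hold more than their class implies.  Entries such as a *USER profile
    with *ALLOBJ are what the Recommendations above say to avoid."""
    findings = {}
    for profile in profiles:
        excess = excess_special_authorities(profile, qsecurity)
        if excess:
            findings[profile["USRPRF"]] = sorted(excess)
    return findings


if __name__ == "__main__":
    for level in (20, 40):
        print(f"QSECURITY {level}: {review(SAMPLE_PROFILES, level)}")
```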
For each user, the system keeps track of the last assistance level used for every
system display that has more than one assistance level. That level is used the next
time the user requests that display. During an active job, a user can change the
assistance level for a display or group of related displays by pressing F21 (Select
assistance level). The new assistance level for that display is stored with the user
information.
The Assistance level field in the user profile is used to specify the default assistance
level for the user when the profile is created. If the assistance level in the user
profile is changed using the CHGUSRPRF or the Change Profile (CHGPRF)
command, the assistance levels stored for all displays for that user are reset to the
new value.
For example, assume the user profile for USERA is created with the default
assistance level (basic). Table 48 shows whether USERA sees the Work with User
Profiles display or the Work with User Enrollment display when using different
options. The table also shows whether the system changes the version for the
display that is stored with USERA’s profile.
Table 48. How Assistance Levels Are Stored and Changed
Action taken | Version of display shown | Version of display stored
Use WRKUSRPRF command | Work with User Enrollment display | No change (basic assistance level)
From Work with User Enrollment display, press F21 and select intermediate assistance level | Work with User Profiles display | Changed to intermediate assistance level
Use WRKUSRPRF command | Work with User Profiles display | No change (intermediate)
Select the work with user enrollment option from the SETUP menu | Work with User Profiles display | No change (intermediate)
Type CHGUSRPRF USERA ASTLVL(*BASIC) | - | Changed to basic assistance level
Use WRKUSRPRF command | Work with User Enrollment display | No change (basic)
Type WRKUSRPRF ASTLVL(*INTERMED) | Work with User Profiles display | No change (basic)
Note: The User option field in the user profile also affects how system displays are
shown. This field is described on page 88.
Current Library
Add User prompt:
Default library
CL parameter:
CURLIB
Length:
10
Authority:
*USE
The current library is searched before the libraries in the user portion of the library
list for any objects specified as *LIBL. If the user creates objects and specifies
*CURLIB, the objects are put in the current library.
The current library is automatically added to the user’s library list when the user
signs on. It does not need to be included in the initial library list in the user’s job
description.
The user cannot change the current library if the Limit capabilities field in the user
profile is *YES or *PARTIAL.
The topic “Library Lists” on page 183 provides more information about using
library lists and the current library.
Table 50. Possible Values for CURLIB:
*CRTDFT                This user has no current library. If objects are created using *CURLIB on a create command, the library QGPL is used as the default current library.
current-library-name   The name of a library.
Recommendations: Use the Current library field to control where users are allowed
to put new objects, such as Query programs. Use the Limit capabilities field to
prevent users from changing the current library.
Initial Program
Add User prompt:
Sign on program
CL parameter:
INLPGM
You can specify the name of a program to call when a user signs on. This program
runs before the initial menu, if any, is displayed. If the Limit capabilities field in the
user’s profile is *YES or *PARTIAL, the user cannot specify an initial program on
the Sign On display.
The initial program is called only if the user’s routing program is QCMD or QCL.
See “Starting an Interactive Job” on page 175 for more information about the
processing sequence when a user signs on.
Parameters cannot be passed to an initial program. If the initial program fails, the
user is not able to sign on.
Table 51. Possible Values for INLPGM:
*NONE          No program is called when the user signs on. If a menu name is specified on the initial menu (INLMNU) parameter, that menu is displayed.
program-name   The name of the program that is called when the user signs on.
Initial Menu
Add User prompt:
First menu
CL parameter:
INLMNU
Length:
10 (menu name); 10 (library name)
Authority:
*USE for menu; *EXECUTE for library
You can specify the name of a menu to be shown when the user signs on. The
initial menu is displayed after the user’s initial program runs. The initial menu is
called only if the user’s routing program is QCMD or QCL.
If the Limit capabilities field in the user’s profile is *YES, the user cannot specify a
different initial menu on the Sign On display. If a user is allowed to specify an
initial menu on the Sign On display, the menu specified overrides the menu in the
user profile.
Table 53. Possible Values for MENU:
MAIN        The iSeries system Main Menu is shown.
*SIGNOFF    The system signs off the user when the initial program completes. Use this to limit users to running a single program.
menu-name   The name of the menu that is called when the user signs on.
Limit Capabilities
Add User prompt:
Restrict command line use
CL parameter:
LMTCPB
Length:
10
You can use the Limit capabilities field to limit the user’s ability to enter commands
and to override the initial program, initial menu, current library, and
attention-key-handling program specified in the user profile. This field is one tool
for preventing users from experimenting on the system.
A user with LMTCPB(*YES) can only run commands that are defined as allow
limited user (ALWLMTUSR) *YES. These commands are shipped by IBM with
ALWLMTUSR(*YES):
Sign off (SIGNOFF)
Send message (SNDMSG)
Display messages (DSPMSG)
Display job (DSPJOB)
Display job log (DSPJOBLOG)
Start PC Organizer (STRPCO)
Work with Messages (WRKMSG)
The Limit capabilities field in the user profile and the ALWLMTUSR parameter on
commands apply only to commands that are run from the command line, the
Command Entry display or an option from a command grouping menu. Users are
not restricted from doing the following:
You can allow the limited capability user to run additional commands, or remove
some of these commands from the list, by changing the ALWLMTUSR parameter
for a command. Use the Change Command (CHGCMD) command. If you create
your own commands, you can specify the ALWLMTUSR parameter on the Create
Command (CRTCMD) command.
Possible Values: Table 55 shows the possible values for Limit capabilities and what
functions are allowed for each value.
Table 55. Functions Allowed for Limit Capabilities Values
Function *YES *PARTIAL *NO
Text
Add User prompt:
User description
CL parameter:
TEXT
Length:
50
The text in the user profile is used to describe the user profile or what it is used
for. For user profiles, the text should have identifying information, such as the
user’s name and department. For group profiles, the text should identify the
group, such as what departments the group includes.
Table 56. Possible Values for TEXT:
*BLANK        No text is specified.
description   Specify no more than 50 characters.
Recommendations: The Text field is truncated on many system displays. Put the
most important identifying information at the beginning of the field.
Special Authority
Add User prompt:
Not shown
Special authority is used to specify the types of actions a user can perform on
system resources. A user can be given one or more special authorities.
Table 57. Possible Values for SPCAUT:
*USRCLS Special authorities are granted to this user based on the user
class (USRCLS) field in the user profile and the security level
(QSECURITY) system value. If *USRCLS is specified, no
additional special authorities can be specified for this user.
Risks: *ALLOBJ special authority gives the user extensive authority over all
resources on the system. The user can view, change, or delete any object. The user
can also grant to other users the authority to use objects.
A user with *ALLOBJ authority cannot directly perform operations that require
another special authority. For example, *ALLOBJ special authority does not allow a
user to create another user profile, because creating user profiles requires
*SECADM special authority. However, a user with *ALLOBJ special authority can
submit a batch job to run using a profile that has the needed special authority.
Giving *ALLOBJ special authority essentially gives a user access to all functions on
the system.
Only a user with *SECADM and *ALLOBJ special authority can give *SECADM
special authority to another user.
Securing printer output and output queues is discussed in “Printing” on page 186.
You can change the job priority (JOBPTY) and the output priority (OUTPTY) of
your own job without job control special authority. You must have *JOBCTL special
authority to change the run priority (RUNPTY) of your own job.
Changes to the output priority and job priority of a job are limited by the priority
limit (PTYLMT) in the profile of the user making the change.
Risks: A user with *JOBCTL special authority can change the priority of jobs and
of printing, end a job before it has finished, or delete output before it has printed.
*JOBCTL special authority can also give a user access to confidential spooled
output, if output queues are specified OPRCTL(*YES). A user who abuses *JOBCTL
special authority can cause negative impacts on individual jobs and on overall
system performance.
*SPLCTL special authority also allows the user to manage job queues, including
holding, releasing, and clearing the job queue. The user can perform these
functions on all job queues, regardless of any authorities for the job queue or the
OPRCTL parameter for the job queue.
Risks: The user with *SPLCTL special authority can perform any operation on any
spooled file in the system. Confidential spooled files cannot be protected from a
user with *SPLCTL special authority.
Risks: A user with *SERVICE special authority can display and change confidential
information using service functions. The user must have *ALLOBJ special authority
to change the information using service functions.
To minimize the risk for trace commands, users can be given authorization to
perform service tracing without needing to give the user *SERVICE special
authority. In this way, only specific users will have the ability to perform a trace
command, which would grant them access to sensitive data. The user must be
authorized to the command and have either *SERVICE special authority, or be
authorized to the Service Trace function of the operating system through Operation
Navigator’s Application Administration support. The Change Function Usage
Information (QSYSCHFUI) API, with the function ID of QIBM_SERVICE_TRACE,
can also be used to change the list of users that are allowed to perform trace
operations.
Risks: A user with *AUDIT special authority can stop and start auditing on the
system or prevent auditing of particular actions. If having an audit record of
security-relevant events is important for your system, carefully control and monitor
the use of *AUDIT special authority.
Note: Only a user with *ALLOBJ, *SECADM, and *AUDIT special authorities can
give another user *AUDIT special authority.
Note: You need *ALLOBJ to be able to change data using service functions.
In addition, you should control the following situations for user profiles and
programs:
v Whether user profiles with special authorities can be used to submit jobs
v Whether programs created by these users can run using the authority of the
program owner.
Special Environment
Add User prompt:
Not shown
CL parameter:
SPCENV
Length:
10
Special environment determines the environment the user operates in after signing
on. The user can operate in the iSeries, the System/36, or the System/38
environment. When the user signs on, the system uses the routing program and
the special environment in the user’s profile to determine the user’s environment.
See Figure 5 on page 71.
Table 59. Possible Values for SPCENV:
*SYSVAL   The QSPCENV system value is used to determine the environment when the user signs on, if the user’s routing program is QCMD.
*NONE     The user operates in the iSeries environment.
*S36      The user operates in the System/36 environment if the user’s routing program is QCMD.
Sign-on Information display (example of the previous sign-on information):
  Sign-on Information
  System:
  Previous sign-on . . . . . . . . . . . . . : 10/30/91 14:15:00
Requiring users to change their passwords after a specified length of time reduces
the risk of an unauthorized person accessing the system. The password expiration
interval controls the number of days that a valid password can be used before it
must be changed.
When a user’s password has expired, the user receives a message at sign-on. The
user can either press the Enter key to assign a new password or press F3 (Exit) to
cancel the sign-on attempt without assigning a new password. If the user chooses
to change the password, the Change Password display is shown and full password
validation is run for the new password. Figure 4 on page 59 shows an example of
the password expiration message.
Recommendations: Use the user profile password interval to require profiles with
*SERVICE, *SAVSYS, or *ALLOBJ special authorities to change passwords more
frequently than other users.
The Limit device sessions field controls whether a user can be signed on at more
than one workstation at a time. The value does not restrict the use of the System
Request menu or a second sign-on from the same device.
Table 62. Possible Values for LMTDEVSSN:
*SYSVAL   The QLMTDEVSSN system value is used.
*NO       The user may be signed on to more than one device at the same time.
*YES      The user may not be signed on to more than one device at the same time.
Keyboard Buffering
Add User prompt:
Not shown
CL parameter:
KBDBUF
Length:
10
This parameter specifies the keyboard buffering value used when a job is
initialized for this user profile. The new value takes effect the next time the user
signs on.
Maximum Storage
Add User prompt:
Not shown
CL parameter:
MAXSTG
Length:
11,0
You can specify the maximum amount of auxiliary storage that is used to store
permanent objects that are owned by a user profile, including objects placed in the
temporary library (QTEMP) during a job. Maximum storage is specified in
kilobytes (1024 bytes).
If the storage needed is greater than the maximum amount specified when the user
attempts to create an object, the object is not created.
When planning maximum storage for user profiles, consider the following system
functions, which can affect the maximum storage needed by a user:
• A restore operation first assigns the storage to the user doing the restore
operation, and then transfers the objects to the owner. Users who do large
restore operations should have MAXSTG(*NOMAX) in their user profiles.
• The user profile that owns a journal receiver is assigned the storage as the
receiver size grows. If new receivers are created, the storage continues to be
assigned to the user profile that owns the active journal receiver. Users who own
active journal receivers should have MAXSTG(*NOMAX) in their user profiles.
• If a user profile specifies OWNER(*GRPPRF), ownership of any object created by
the user is transferred to the group profile after the object is created. However,
the user creating the object must have adequate storage to contain any created
object before the object ownership is transferred to the group profile.
• The owner of a library is assigned the storage for the descriptions of the objects
that are placed in a library, even when the objects are owned by another user
profile. Examples of such descriptions are text and program references.
• Storage is assigned to the user profile for temporary objects that are used during
the processing of a job. Examples of such objects are commitment control blocks,
file editing spaces, and documents.
Table 64. Possible Values for MAXSTG:
*NOMAX       As much storage as required can be assigned to this profile.
maximum-KB   Specify the maximum amount of storage in kilobytes (1 kilobyte equals 1024 bytes) that can be assigned to this user profile.
The priority limit in the user profile determines the maximum scheduling priorities
(job priority and output priority) allowed for any jobs the user submits. It controls
priority when the job is submitted, as well as any changes made to priority while
the job is running or waiting in a queue.
The priority limit also limits changes that a user with *JOBCTL special authority
can make to another user’s job. You cannot give someone else’s job a higher
priority than the limit specified in your own user profile.
If a batch job runs under a different user profile than the user submitting the job,
the priority limits for the batch job are determined by the profile the job runs
under. If a requested scheduling priority on a submitted job is higher than the
priority limit in the user profile, the priority of the job is reduced to the level
permitted by the user profile.
Table 65. Possible Values for PTYLMT:
3                The default priority limit for user profiles is 3. The default priority for both job priority and output priority on job descriptions is 5. Setting the priority limit for the user profile at 3 gives the user the ability to move some jobs ahead of others on the queues.
priority-limit   Specify a value, 1 through 9. The highest priority is 1; the lowest priority is 9.
Recommendations: Using the priority values in job descriptions and on the submit
job commands is usually a better way to manage the use of system resources than
changing the priority limit in user profiles.
Use the priority limit in the user profile to control changes that users can make to
submitted jobs. For example, system operators may need a higher priority limit so
that they can move jobs in the queues.
When a user signs on, the system looks at the workstation entry in the subsystem
description to determine what job description to use for the interactive job. If the
workstation entry specifies *USRPRF for the job description, the job description in
the user profile is used.
The job description for a batch job is specified when the job is started. It can be
specified by name, or it can be the job description from the user profile under
which the job runs.
A job description contains a specific set of job-related attributes, such as which job
queue to use, scheduling priority, routing data, message queue severity, library list
and output information. The attributes determine how each job is run on the
system.
See the Work Management book for more information about job descriptions and
their uses.
Table 66. Possible Values for JOBD:
QDFTJOBD               The system-supplied job description found in library QGPL is used. You can use the Display Job Description (DSPJOBD) command to see the attributes contained in this job description.
job-description-name   Specify the name of the job description, 10 characters or less.
Group Profile
Add User prompt:
User Group
CL parameter:
GRPPRF
Length:
10
Specifying a group profile name makes the user a member of the group profile.
The group profile can provide the user with authority to use objects for which the
user does not have specific authority. You may specify up to 15 additional groups
for the user in the Supplemental group profile (SUPGRPPRF) parameter.
If a profile specified in the GRPPRF parameter is not already a group profile, the
system sets information in the profile marking it as a group profile. The system
also generates a gid for the group profile, if it does not already have one.
See “Planning Group Profiles” on page 216 for more information about using group
profiles.
Table 68. Possible Values for GRPPRF:
*NONE               No group profile is used with this user profile.
user-profile-name   Specify the name of a group profile of which this user profile is a member.
Owner
Add User prompt:
Not shown
CL parameter:
OWNER
Length:
10
If the user is a member of a group, you use the owner parameter in the user profile
to specify who owns any new objects created by the user. Objects can be owned
either by the user or by the user’s first group (the value of the GRPPRF
parameter). You can specify the OWNER field only if you have specified the Group
profile field.
Group Authority
Add User prompt:
Not shown
CL parameter:
GRPAUT
Length:
10
Group authority can be specified only when GRPPRF is not *NONE and OWNER
is *USRPRF. Group authority applies to the profile specified in the GRPPRF
parameter. It does not apply to supplemental group profiles specified in the
SUPGRPPRF parameter.
Table 70. Possible Values for GRPAUT (1):
*NONE      No specific authority is given to the group profile when this user creates objects.
*ALL       The group profile is given all management and data authorities to any new objects the user creates.
*CHANGE    The group profile is given the authority to change any objects the user creates.
*USE       The group profile is given authority to view any objects the user creates.
*EXCLUDE   The group profile is specifically denied access to any new objects created by the user.
(1) See “Defining How Information Can Be Accessed” on page 112 for a complete
explanation of the authorities that can be granted.
When a user creates a new object, the Group authority type parameter in the user’s
profile determines what type of authority the user’s group receives to the new
object. The GRPAUTTYP parameter works with the OWNER, GRPPRF, and
GRPAUT parameters to determine the group’s authority to a new object.
Table 71. Possible Values for GRPAUTTYP (1):
*PRIVATE  The authority defined in the GRPAUT parameter is assigned to the group profile as a private authority.
*PGP      The group profile defined in the GRPPRF parameter is the primary group for the newly created object. The primary group authority for the object is the authority specified in the GRPAUT parameter.
(1) Private authority and primary group authority provide the same access to the object, but they may have different performance characteristics. “Primary Group for an Object” on page 123 explains how primary group authority works.
Supplemental Groups
Add User prompt:
Not shown
CL parameter:
SUPGRPPRF
Length:
150
Authority:
To specify supplemental groups when creating or changing a user profile,
you must have *OBJMGT, *OBJOPR, *READ, *ADD, *UPD, and *DLT
authority to each group profile.
Note: *OBJMGT authority cannot come from adopted authority. For more
information, see “Objects That Adopt the Owner’s Authority” on page 128.
You may specify the names of up to 15 profiles from which this user is to receive
authority. The user becomes a member of each supplemental group profile. The
user cannot have supplemental group profiles if the GRPPRF parameter is *NONE.
When supplemental group profiles are specified in a user profile, the user is
automatically granted *OBJMGT, *OBJOPR, *READ, *ADD, *UPD, and *DLT
authorities to each group profile, if the group profile is not already one of the
user’s group profiles. These authorities are necessary for system functions and
should not be removed. If a profile specified in the SUPGRPPRF parameter is not
already a group profile, the system sets information in the profile marking it as a
group profile. The system also generates a gid for the group profile, if it does not
already have one.
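The following CL commands are an added example, not text from this manual: they put GRPPRF, OWNER, GRPAUT, GRPAUTTYP and SUPGRPPRF together for one member profile, first in a weak form and then in a least-privilege form. The profile names DPTWH, DPTAUDIT and HOGANR and the library WHLIB are made up for the example.

```cl
/* Added example (not from the IBM manual). Profile names DPTWH, DPTAUDIT   */
/* and HOGANR and library WHLIB are constructed for illustration.           */

/* 1. Group profiles. GID(*GEN) lets the system assign a gid, which the     */
/*    integrated file system needs before a profile can act as a group.     */
/*    PASSWORD(*NONE) keeps a group profile from being used to sign on.     */
CRTUSRPRF USRPRF(DPTWH)    PASSWORD(*NONE) GID(*GEN) +
          TEXT('Warehouse department group')
CRTUSRPRF USRPRF(DPTAUDIT) PASSWORD(*NONE) GID(*GEN) +
          TEXT('Audit read-only group')

/* 2. Weak member definition: OWNER(*GRPPRF) makes DPTWH the owner of       */
/*    everything HOGANR creates. An owner has *ALL authority and members    */
/*    receive their group's authority, so every member of DPTWH gets        */
/*    owner-level access to those objects. GRPAUT cannot even be given      */
/*    here, because it is valid only with OWNER(*USRPRF).                   */
/*    PASSWORD(*NONE) is a placeholder; set a real initial password with    */
/*    PWDEXP(*YES) when the user is enabled.                                */
CRTUSRPRF USRPRF(HOGANR) PASSWORD(*NONE) +
          GRPPRF(DPTWH) OWNER(*GRPPRF) +
          TEXT('Hogan, Richard - Warehouse DPT')

/* 3. Least-privilege version: HOGANR keeps ownership, DPTWH becomes the    */
/*    primary group of each new object with *CHANGE (GRPAUTTYP(*PGP)), and  */
/*    DPTAUDIT is a supplemental group. GRPAUT applies only to GRPPRF;      */
/*    supplemental groups get nothing from it and need explicit grants.     */
/*    SUPGRPPRF requires GRPPRF to be something other than *NONE.           */
CHGUSRPRF USRPRF(HOGANR) OWNER(*USRPRF) +
          GRPPRF(DPTWH) GRPAUT(*CHANGE) GRPAUTTYP(*PGP) +
          SUPGRPPRF(DPTAUDIT)

/* 4. Verify the stored parameters and the group membership.                */
DSPUSRPRF USRPRF(HOGANR) TYPE(*BASIC)
DSPUSRPRF USRPRF(DPTWH)  TYPE(*GRPMBR)

/* 5. Run these two while signed on as HOGANR: the new object should show   */
/*    HOGANR as owner and DPTWH as primary group with *CHANGE.              */
CRTDTAARA DTAARA(WHLIB/WHTEST) TYPE(*CHAR) LEN(10)
DSPOBJAUT OBJ(WHLIB/WHTEST) OBJTYPE(*DTAARA)
```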
Accounting Code
Add User prompt:
Not shown
CL parameter:
ACGCDE
Length:
15
Job accounting is an optional function used to gather information about the use of
system resources. The accounting level (QACGLVL) system value determines
whether job accounting is active. The accounting code for a job comes from either
the job description or the user profile. The accounting code can also be specified
when a job is running using the Change Accounting Code (CHGACGCDE)
command.
See the Work Management book for more information about job accounting.
Table 73. Possible Values for ACGCDE:
*BLANK           An accounting code of 15 blanks is assigned to this user profile.
accounting-code  Specify a 15-character accounting code. If less than 15 characters are specified, the string is padded with blanks on the right.
Document Password
Add User prompt:
Not shown
CL parameter:
DOCPWD
Length:
8
You can specify a document password for the user to protect the distribution of
personal mail from being viewed by people working on behalf of the user. The
document password is supported by some Document Interchange Architecture
(DIA) products, such as the Displaywriter.
Message Queue
Add User prompt:
Not shown
CL parameter:
MSGQ
Length:
10 (message queue name) 10 (library name)
Authority:
*USE for message queue, if it exists. *EXECUTE for the message queue
library.
You can specify the name of a message queue for a user. A message queue is an
object on which messages are placed when they are sent to a person or a program.
A message queue is used when a user sends or receives messages. If the message
queue does not exist, it is created when the profile is created or changed. The
message queue is owned by the profile being created or changed. The user creating
the profile is given *ALL authority to the message queue.
If the message queue for a user profile is changed using the Change User Profile
(CHGUSRPRF) command, the previous message queue is not automatically deleted
by the system.
For more information about message queues, see the System Operation book.
Table 75. Possible Values for MSGQ:
*USRPRF             A message queue with the same name as the user profile name is used as the message queue for this user. If the message queue does not exist, it is created in library QUSRSYS.
message-queue-name  Specify the message queue name that is used for this user. If you specify a message queue name, you must specify the library parameter.
Recommendations: When a user signs on, the message queue in the user profile is
allocated to that user’s job. If the message queue is already allocated to another
Delivery
Add User prompt:
Not shown
CL parameter:
DLVRY
Length:
10
The delivery mode of a message queue determines whether the user is interrupted
when a new message arrives on the queue. The delivery mode specified in the user
profile applies to the user’s personal message queue. If you change the message
queue delivery in the user profile and the user is signed on, the change takes effect
the next time the user signs on. You can also change the delivery of a message
queue with the Change Message Queue (CHGMSGQ) command.
Table 77. Possible Values for DLVRY:
*NOTIFY The job that the message queue is assigned to is notified when
a message arrives at the message queue. For interactive jobs at
a workstation, the audible alarm is sounded and the
message-waiting light is turned on. The type of delivery cannot
be changed to *NOTIFY if the message queue is also being
used by another user.
*BREAK The job that the message queue is assigned to is interrupted
when a message arrives at the message queue. If the job is an
interactive job, the audible alarm is sounded (if the alarm is
installed). The type of delivery cannot be changed to *BREAK if
the message queue is also being used by another user.
*HOLD The messages are held in the message queue until they are
requested by the user or program.
*DFT Messages requiring replies are answered with their default
reply; information-only messages are ignored.
Severity
Add User prompt:
Not shown
CL parameter:
SEV
Length:
2,0
If you change the message queue severity in the user profile and the user is signed
on, the change takes effect the next time the user signs on. You can also change the
severity of a message queue with the CHGMSGQ command.
Print Device
Add User prompt:
Default printer
CL parameter:
PRTDEV
Length:
10
You can specify the printer used to print the output for this user. Spooled files are
placed on an output queue with the same name as the printer when the output
queue (OUTQ) is specified as the print device (*DEV).
The print device and output queue information from the user profile are used only
if the printer file specifies *JOB and the job description specifies *USRPRF. For
more information about directing printer output, see the Printer Device Programming
book.
Table 79. Possible Values for PRTDEV:
*WRKSTN            The printer assigned to the user’s workstation (in the device description) is used.
*SYSVAL            The default system printer specified in the QPRTDEV system value is used.
print-device-name  Specify the name of the printer that is used to print the output for this user.
Output Queue
Add User prompt:
Not shown
CL parameter:
OUTQ
Length:
10 (output queue name) 10 (library name)
Authority:
*USE for output queue; *EXECUTE for library
Both interactive and batch processing may result in spooled files that are to be sent
to a printer. Spooled files are placed on an output queue. The system can have
many different output queues. An output queue does not have to be attached to a
printer to receive new spooled files.
Attention-Key-Handling Program
Add User prompt:
Not shown
CL parameter:
ATNPGM
Length:
10 (program name) 10 (library name)
Authority:
*USE for program
*EXECUTE for library
The ATNPGM is activated only if the user’s routing program is QCMD. The
ATNPGM is activated before the initial program is called. If the initial program
changes the ATNPGM, the new ATNPGM remains active only until the initial
program ends. If the Set Attention-Key-Handling Program (SETATNPGM)
command is run from a command line or an application, the new ATNPGM
specified overrides the ATNPGM from the user profile.
Note: See “Starting an Interactive Job” on page 175 for more information about the
processing sequence when a user signs on.
The Limit capabilities field determines if a different Attention-key-handling program
can be specified by the user with the Change Profile (CHGPRF) command.
Table 82. Possible Values for ATNPGM:
*SYSVAL       The QATNPGM system value is used.
*NONE         No Attention-key-handling program is used by this user.
*ASSIST       Operational Assistant Attention Program (QEZMAIN) is used.
program-name  Specify the name of the Attention-key-handling program. If a program name is specified, a library must be specified.
Sort Sequence
Add User prompt:
Not shown
CL parameter:
SRTSEQ
Length:
10 (value or table name) 10 (library name)
Authority:
*USE for table; *EXECUTE for library
You can specify what sort sequence is used for this user’s output. You can use
system-provided sort tables or create your own. A sort table may be associated
with a particular language identifier on the system.
Table 84. Possible Values for SRTSEQ:
*SYSVAL The QSRTSEQ system value is used.
*HEX The standard hexadecimal sort sequence is used for this user.
*LANGIDSHR The sort sequence table associated with the user’s language
identifier is used. The table can contain the same weight for
multiple characters.
*LANGIDUNQ The sort sequence table associated with the user’s language
identifier is used. The table must contain a unique weight for
each character in the code page.
table-name Specify the name of the sort sequence table for this user.
Language Identifier
Add User prompt:
Not shown
CL parameter:
LANGID
Length:
10
Country Identifier
Add User prompt:
Not shown
CL parameter:
CNTRYID
Length:
10
You can specify the country identifier to be used by the system for the user. To see
a list of country identifiers, press F4 (prompt) on the country identifier parameter
from the Create User Profile display or the Change User Profile display.
Table 87. Possible Values for CNTRYID:
*SYSVAL             The system value QCNTRYID is used to determine the country identifier.
country-identifier  Specify the country identifier for this user.
Coded Character Set Identifier
You can specify the coded character set identifier to be used by the system for the
user. To see a list of coded character set identifiers, press F4 (prompt) on the coded
character set identifier parameter from the Create User Profile display or the
Change User Profile display.
Table 88. Possible Values for CCSID:
*SYSVAL                         The QCCSID system value is used to determine the coded character set identifier.
coded-character-set-identifier  Specify the coded character set identifier for this user.
Character Identifier Control
The CHRIDCTL attribute controls the type of coded character set conversion that
occurs for display files, printer files and panel groups. The character identifier
control information from the user profile is used only if the *CHRIDCTL special
value is specified on the CHRID command parameter on the create, change, or
override commands for display files, printer files, and panel groups.
Table 89. Possible Values for CHRIDCTL:
*SYSVAL    The system value QCHRIDCTL is used to determine the character identifier control.
*DEVD      The CHRID of the device is used to represent the CCSID of the data. No conversions occur, since the CCSID of the data is always the same as the CHRID of the device.
*JOBCCSID  Character conversion occurs when a difference exists between the device CHRID, job CCSID, or data CCSID values. On input, character data is converted from the device CHRID to the job CCSID when it is necessary. On output, character data is converted from the job CCSID to the device CHRID when it is necessary. On output, character data is converted from the file or panel group CCSID to the device CHRID when it is necessary.
Job Attributes
Add User prompt:
Not shown
CL parameter:
SETJOBATR
Length:
160
The SETJOBATR field specifies which job attributes are to be taken at job initiation
from the locale specified in the LOCALE parameter.
Table 90. Possible Values for SETJOBATR:
*SYSVAL The system value QSETJOBATR is used to determine which job
attributes are to be taken from the locale.
*NONE No job attributes are to be taken from the locale.
Locale
The LOCALE field specifies the path name of the locale that is assigned to the
LANG environment variable for this user.
Table 91. Possible Values for LOCALE:
*SYSVAL The system value QLOCALE is used to determine the locale
path name to be assigned for this user.
*NONE No locale is assigned for this user.
*C The C locale is assigned for this user.
*POSIX The POSIX locale is assigned for this user.
locale path name The path name of the locale to be assigned to this user.
User Options
Add User prompt:
Not shown
CL parameter:
USROPT
Length:
240 (10 characters each)
The User options field allows you to customize certain system displays and
functions for the user. You can specify multiple values for the user option
parameter.
Table 92. Possible Values for USROPT:
*NONE No special options are used for this user. The standard system
interface is used.
*CLKWD Keywords are shown instead of the possible parameter values
when a control language (CL) command is prompted. This is
equivalent to pressing F11 from the normal control language
(CL) command prompting display.
*EXPERT When the user views displays that show object authority, such
as the Edit Object Authority display or the Edit Authorization
List Display, detailed authority information is shown without
the user having to press F11 (Display detail). “Authority
Displays” on page 134 shows an example of the expert version
of the display.
*HLPFULL The user sees full display help information instead of a
window.
*PRTMSG A message is sent to the user’s message queue when a spooled
file is printed for this user.
*ROLLKEY The actions of the Page Up and Page Down keys are reversed.
*NOSTSMSG Status messages usually shown at the bottom of the display are
not shown to the user.
*STSMSG Status messages are displayed when sent to the user.
User Identification Number
The integrated file system uses the user identification number (uid) to identify a
user and verify the user’s authority. Every user on the system must have a unique
uid.
Table 93. Possible Values for UID:
*GEN The system generates a unique uid for this user. The generated
uid will be greater than 100.
uid A value from 1 to 4294967294 to be assigned as the uid for this
user. The uid must not be already assigned to another user.
Recommendations: For most installations, let the system generate a uid for new
users by specifying UID(*GEN). However, if your system is part of a network, you
may need to assign uids to match those assigned on other systems in the network.
Consult your network administrator.
Group Identification Number
The integrated file system uses the group identification number (gid) to identify
this profile as a group profile. A profile that is used as a group profile by the
integrated file system must have a gid.
Table 94. Possible Values for GID:
*NONE This profile does not have a gid.
*GEN The system generates a unique gid for this profile. The
generated gid will be greater than 100.
gid A value from 1 to 4294967294 to be assigned as the gid for this
profile. The gid must not be already assigned to another
profile.
Recommendations: For most installations, let the system generate a gid for new
group profiles by specifying GID(*GEN). However, if your system is part of a
network, you may need to assign gids to match those assigned on other systems in
the network. Consult your network administrator.
Do not assign a gid to a user profile that you do not plan to use as a group profile.
In some environments, a user who is signed on and has a gid is restricted from
performing certain functions.
Home Directory
The home directory is the user’s initial working directory for the integrated file
system. The home directory is the user’s current directory if a different current
directory has not been specified. If the home directory specified in the profile does
not exist when the user signs on, the user’s home directory is the root (/)
directory.
Table 95. Possible Values for HOMEDIR:
*USRPRF The home directory assigned to the user is /home/xxxxx, where
xxxxx is the user’s profile name.
home-directory The name of the home directory to assign to this user.
Authority
Add User prompt:
Not shown
CL parameter:
AUT
Length:
10
The Authority field specifies the public authority to the user profile. The authority
to a profile controls many functions associated with the profile, such as:
v Changing it
v Displaying it
v Deleting it
v Submitting a job using it
v Specifying it in a job description
v Transferring object ownership to it
v Adding members, if it is a group profile
Table 96. Possible Values for AUT:
*EXCLUDE The public is specifically denied access to the user profile.
*ALL The public is given all management and data authorities to the
user profile.
*CHANGE The public is given the authority to change the user profile.
*USE The public is given authority to view the user profile.
See “Defining How Information Can Be Accessed” on page 112 for a complete
explanation of the authorities that can be granted.
Object Auditing
Add User prompt:
Not shown
CL parameter:
OBJAUD
Length:
10
The object auditing value for a user profile works with the object auditing value
for an object to determine whether the user’s access of an object is audited. Object
auditing for a user profile cannot be specified on any user profile displays. Use the
CHGUSRAUD command to specify object auditing for a user. Only a user with
*AUDIT special authority can use the CHGUSRAUD command.
Table 97. Possible Values for OBJAUD:
*NONE The OBJAUD value for objects determines whether object
auditing is done for this user.
*CHANGE If the OBJAUD value for an object specifies *USRPRF, an audit
record is written when this user changes the object.
*ALL If the OBJAUD value for an object specifies *USRPRF, an audit
record is written when this user changes or reads the object.
Table 98 shows how the OBJAUD values for the user and the object work together:
Table 98. Auditing Performed for Object Access (rows: OBJAUD value for the object; columns: OBJAUD value for the user, *NONE, *CHANGE and *ALL)
“Planning the Auditing of Object Access” on page 252 provides information about
how to use system values and the object auditing values for users and objects to
meet your security auditing needs.
Action Auditing
Add User prompt:
Not shown
CL parameter:
AUDLVL
Length:
640
For an individual user, you can specify which security-relevant actions should be
recorded in the audit journal. The actions specified for an individual user apply in
addition to the actions specified for all users by the QAUDLVL system value.
“Planning the Auditing of Actions” on page 241 provides information about how to
use system values and the action auditing for users to meet your security auditing
needs.
The amount of this information affects the time it takes to save and restore profiles
and to build authority displays. “How Security Information Is Stored” on page 224
provides more information about how user profiles are stored and saved.
Private Authorities
All the private authorities a user has to objects are stored with the user profile.
When a user needs authority to an object, the user’s private authorities may be
searched. “Flowchart 3: How User Authority to an Object Is Checked” on page 153
provides more information about authority checking.
You can display a user’s private authorities using the Display User Profile
command: DSPUSRPRF user-profile-name TYPE(*OBJAUT). To change a user’s
private authorities, you use the commands that work with object authorities, such
as Edit Object Authority (EDTOBJAUT).
You can copy all the private authorities from one user profile to another using the
Grant User Authority (GRTUSRAUT) command. See “Copying Authority from a
User” on page 145 for more information.
Digital ID Authentication
The iSeries 400 security infrastructure allows X.509 digital certificates to be used for
identification. The digital certificates allow users to secure communications and
ensure message integrity.
The digital ID APIs create, distribute, and manage digital certificates associated
with user profiles. See the API topic in the Information Center (see “Prerequisite
and related information” on page xvi) for details about the following APIs:
v Add User Certificate (QSYADDUC)
v Remove User Certificate (QSYRMVUC)
v List User Certificate (QSYLSTUC)
v Find Certificate User (QSYFNDUC)
v Add Validation List Certificate (QSYADDVC)
v Remove Validation List Certificate (QSYRMVVC)
v List Validation List Certificate (QSYLSTVC)
v Check Validation List Certificate (QSYCHKVC)
v Parse Certificate (QSYPARSC)
You must have *SECADM special authority to create, change, or delete user
profiles.
A user profile cannot be created with more authorities or capabilities than those of
the user who creates the profile.
Figure: The WRKUSRPRF command tests the assistance level. *BASIC leads to the Work with User Enrollment display; *INTERMED leads to the Work with User Profiles display.
You can specify the ASTLVL (assistance level) parameter on the command. If you
do not specify ASTLVL, the system uses the assistance level stored with your user
profile.
On the Work with User Profiles display, type 1 and the name of the profile you
want to create:
Opt  User Profile  Text
1    NEWUSER
__   DPTSM         Sales and Marketing Departme
__   DPTWH         Warehouse Department
The Create User Profile display shows all the fields in the user profile. Use F10
(Additional parameters) and page down to enter more information. Use F11
(Display keywords) to see the parameter names.
The Create User Profile display does not add the user to the system directory.
On the Work with User Enrollment display, use option 1 (Add) to add a new user
to the system.
User . . . . . . . . . . NEWUSER
User description . . . .
Password . . . . . . . . NEWUSER
Type of user . . . . . . *USER
User group . . . . . . . *NONE
Default library . . . . .
Default printer . . . . . *WRKSTN
Sign on program . . . . . *NONE
Library . . . . . . . .
First menu . . . . . . .
Library . . . . . . . .
The Add User display is designed for a security administrator without a technical
background. It does not show all of the fields in the user profile. Default values are
used for all fields that are not shown.
Note: If you use the Add User display, you are limited to eight-character user
profile names.
Add User
The Add user display automatically adds an entry in the system directory with the
same user ID as the user profile name (the first eight characters) and an address of
the system name.
The main menu also includes user Options 51 to 59. These additional options are
processed similarly to Option 50, except that the default values for the following
fields are blank:
v Text for menu options
v User program
v Library
You can copy a profile interactively from either the Work with User Enrollment
display or the Work with User Profiles display. No command exists to copy a user
profile.
All the values from the copy-from user profile are shown on the Create User
Profile display, except these fields:
Home directory: *USRPRF
Locale job attributes
Locale
User profile: Blank. Must be filled in.
Password: *USRPRF
Message queue: *USRPRF
Document password: *NONE
User Identification Number: *GEN
Group Identification Number: *NONE
Authority: *EXCLUDE
Copy User
User . . . . . . . . . .
User description . . . . Warehouse Department
Password . . . . . . . .
Type of user . . . . . . USER
User group . . . . . . .
All values from the copy-from profile appear on the Add User display, except the
following:
User: Blank. Must be filled in. Limited to 8 characters.
Password: Blank. If you do not enter a value, the profile is created with the password
equal to the default value specified for the PASSWORD parameter of the
CRTUSRPRF command.
You can change any fields on the Copy User display. User profile fields that do not
appear on the basic assistance level version are still copied from the copy-from
profile, with the following exceptions:
Message queue: *USRPRF
Document password: *NONE
User Identification Number: *GEN
Group Identification Number: *NONE
Authority: *EXCLUDE
The topic “Copying Authority from a User” on page 145 has more information
about using this command.
Users who are allowed to enter commands can change some parameters of their
own profiles using the Change Profile (CHGPRF) command.
A user cannot change a user profile to have more special authorities or capabilities
than the user who changes the profile.
You cannot delete a user profile if it is the primary group for any objects. When
you use the intermediate assistance level to delete a user profile, you can change
or remove the primary group for objects. You can use the DSPUSRPRF command
with the *OBJPGP (object primary group) option to list any objects for which a
profile is the primary group.
When you delete a user profile, the user is removed from all distribution lists and
from the system directory.
You do not need to change ownership of or delete the user’s message queue. The
system automatically deletes the message queue when the profile is deleted.
You cannot delete a group profile that has members. To list the members of a
group profile, type DSPUSRPRF group-profile-name *GRPMBR. Change the GRPPRF
field in each member profile before deleting the group profile.
You can delete all the owned objects or transfer them to a new owner. If you want
to handle owned objects individually, you can use the Work with Objects by
Owner (WRKOBJOWN) command. You can change the primary group for all
objects for which the group profile is the primary group. If you want to handle
objects individually, you can use the Work with Objects by Primary Group
(WRKOBJPGP) command. The displays for both commands are similar:
Remove User
User . . . . . . . . . . . : HOGANR
User description . . . . . : Sales and Marketing Department
To change the ownership of all objects before deleting the profile, select option 1.
You see a display prompting you for the new owner.
To handle the objects individually, select option 2. You see a detailed Remove User
display:
User . . . . . . . . . . . : HOGANR
User description . . . . . : Hogan, Richard - Warehouse DPT
Use the options on the display to delete objects or transfer them to a new owner.
When all objects have been removed from the display, you can delete the profile.
Notes:
1. You can use F13 to delete all the objects owned by the user profile.
2. Spooled files do not appear on the Work with Objects by Owner display. You
can delete a user profile even though that profile still owns spooled files. After
you have deleted a user profile, use the Work with Spooled Files (WRKSPLF)
command to locate and delete any spooled files owned by the user profile, if
they are no longer needed.
3. Any objects for which the deleted user profile was the primary group will have
a primary group of *NONE.
Working with Objects by Primary Group: You can use the Work with Objects by
Primary Group (WRKOBJPGP) command to display and work with objects for
which a profile is the primary group. You can use this display to change an
object’s primary group to another profile or to set its primary group to *NONE.
Group      User       Last      No
Profile    Profile    Changed   Password  Text
DPTSM
           ANDERSR    08/04/9x            Anders, Roger
           VINCENT    09/15/9x            Vincent, Mark
DPTWH
           ANDERSR    08/04/9x            Anders, Roger
           HOGANR     09/06/9x            Hogan, Richard
           QUINN      09/06/9x            Quinn, Rose
QSECOFR
           JONESS     09/20/9x            Jones, Sharon
           HARRISON   08/29/9x            Harrison, Ken
*NO GROUP
           DPTSM      09/05/9x  X         Sales and Marketing
           DPTWH      09/18/9x  X         Warehouse
By pressing F11, you are able to see which user profiles have passwords defined
for use at the various password levels.
A new profile can be created with the same authorities for a user with a new
name. Some information, however, cannot be transferred to the new profile. The
following are examples of information that cannot be transferred:
v Spool files.
v Internal objects containing user preferences and other information about the user
will be lost.
v Digital certificates that contain the user name will be invalidated.
Applications that are run by the user can have “application profiles”. Creating a
new iSeries user profile to rename a user does not rename any application profiles
the user may have. A Lotus Notes profile is one example of an application profile.
The following example shows how to create a new profile for a user with a new
name and the same authorities. The old profile name is SMITHM. The new user
profile name is JONESM:
1. Copy the old profile (SMITHM) to a new profile (JONESM) using the copy
option from the Work with User Enrollment display.
2. Give JONESM all the private authorities of SMITHM using the Grant User
Authority (GRTUSRAUT) command:
GRTUSRAUT JONESM REFUSER(SMITHM)
3. Change the primary group of all objects that SMITHM is the primary group of
using the Work with Objects by Primary Group (WRKOBJPGP) command:
WRKOBJPGP PGP(SMITHM)
Enter option 9 on all objects that need their primary group changed and enter
NEWPGP(JONESM) on the command line.
Note: JONESM must have a gid assigned using the GID parameter on the
Create or Change User Profile (CRTUSRPRF or CHGUSRPRF) command.
4. Display the SMITHM user profile using the Display User Profile (DSPUSRPRF)
command:
DSPUSRPRF USRPRF(SMITHM)
You can specify the auditing characteristics for more than one user at a time by
listing user profile names.
The AUDLVL (user action auditing) parameter can have more than one value. The
values you specify on this command replace the current AUDLVL values for the
users. The values you specify are not added to the current AUDLVL values for the
users.
You can use the Display User Profile (DSPUSRPRF) command to see audit
characteristics for a user.
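As an added example (not the manual's own text), these CL commands tie together the object auditing section above (the user's OBJAUD value working with an object's *USRPRF setting) and the CHGUSRAUD note that AUDLVL values replace rather than add. The profile names HOGANR and QUINN and the file WHLIB/INVENTORY are made up for the example.

```cl
/* Added example (not from the IBM manual). Profiles HOGANR and QUINN and  */
/* file WHLIB/INVENTORY are constructed. CHGUSRAUD needs *AUDIT special     */
/* authority; records are written only when the QAUDCTL system value       */
/* includes *AUDLVL and *OBJAUD.                                            */

/* 1. Object side: OBJAUD(*USRPRF) defers the decision to each user's own   */
/*    OBJAUD value instead of auditing every access to the file.            */
CHGOBJAUD OBJ(WHLIB/INVENTORY) OBJTYPE(*FILE) OBJAUD(*USRPRF)

/* 2. User side, several users at once. OBJAUD(*CHANGE) means: for objects  */
/*    set to *USRPRF, write an audit record when this user changes the      */
/*    object (reads are not recorded; *ALL would record both). AUDLVL adds  */
/*    these actions for these users on top of the system-wide QAUDLVL.      */
CHGUSRAUD USRPRF(HOGANR QUINN) OBJAUD(*CHANGE) AUDLVL(*CMD *SECURITY)

/* 3. Pitfall: AUDLVL is replaced, not appended. This command silently      */
/*    drops *CMD and *SECURITY for HOGANR ...                               */
CHGUSRAUD USRPRF(HOGANR) AUDLVL(*SERVICE)
/*    ... so restate the full set whenever a value is added.                */
CHGUSRAUD USRPRF(HOGANR) AUDLVL(*CMD *SECURITY *SERVICE)

/* 4. Verify what is actually stored for the user and for the object.       */
DSPUSRPRF USRPRF(HOGANR) TYPE(*BASIC)
DSPOBJD OBJ(WHLIB/INVENTORY) OBJTYPE(*FILE) DETAIL(*FULL)
```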
You may also want to use the CRTUSRPRF or CHGUSRPRF command within a CL
program. If you use variables for the parameters of these commands, define the
variables as character fields to match the Create User Profile prompt display. The
variable sizes do not have to match the field sizes.
You cannot retrieve a user’s password, because the password is stored with
one-way encryption. If you want the user to enter the password again before
accessing critical information, you can use the Check Password (CHKPWD)
command in your program. The system compares the password entered to the
user’s password and sends an escape message to your program if the password is
not correct.
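As an added example (not the manual's own code), this CL program combines the two points above: it keeps its parameters in character variables and re-verifies the caller's password with CHKPWD before running CHGUSRPRF. The program name, the parameter list and the assumption that &PWD arrives from a non-displayed display-file field are constructed for the example.

```cl
/* Added example (not from the IBM manual). The program layout is           */
/* constructed. &PWD is assumed to come from a display-file field that is   */
/* not echoed and not logged; a password must never be typed on a command   */
/* line or passed where it would land in a job log.                         */
PGM PARM(&TARGET &LMTCPB &PWD)

/* Character variables sized to the Create User Profile prompt fields.      */
DCL VAR(&TARGET) TYPE(*CHAR) LEN(10)   /* profile to change               */
DCL VAR(&LMTCPB) TYPE(*CHAR) LEN(10)   /* *NO, *PARTIAL or *YES            */
DCL VAR(&PWD)    TYPE(*CHAR) LEN(128)  /* password of the job's user       */
DCL VAR(&MSGID)  TYPE(*CHAR) LEN(7)

/* CHKPWD compares &PWD with the stored, one-way encrypted password of the  */
/* user profile running this job. The password can only be checked, never   */
/* retrieved. A wrong password arrives here as an escape message.           */
CHKPWD PASSWORD(&PWD)
MONMSG MSGID(CPF0000) EXEC(DO)
   RCVMSG MSGTYPE(*EXCP) MSGID(&MSGID)
   CHGVAR VAR(&PWD) VALUE(' ')        /* do not leave the password behind */
   SNDPGMMSG MSGID(CPF9898) MSGF(QCPFMSG) +
             MSGDTA('Password verification failed (' *CAT &MSGID *CAT +
                    '); profile not changed') MSGTYPE(*ESCAPE)
ENDDO
CHGVAR VAR(&PWD) VALUE(' ')

/* Password verified: apply the change, using the variables as parameters.  */
/* The caller still needs *SECADM and cannot grant more than it holds.      */
CHGUSRPRF USRPRF(&TARGET) LMTCPB(&LMTCPB)
MONMSG MSGID(CPF0000) EXEC(DO)
   SNDPGMMSG MSGID(CPF9898) MSGF(QCPFMSG) +
             MSGDTA('CHGUSRPRF failed for ' *CAT &TARGET) MSGTYPE(*ESCAPE)
ENDDO
ENDPGM
```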
For more information about the Security exit programs, see the API topic in the
Information Center (see “Prerequisite and related information” on page xvi for
details).
When you install a new release of the operating system, passwords for
IBM-supplied profiles are not changed. If profiles such as QPGMR and QSYSOPR
have passwords, those passwords are not set to *NONE automatically.
Appendix B contains a complete list of all the IBM-supplied user profiles and the
field values for each profile.
Note: IBM-supplied profiles are provided, but they are used by the Operating
System/400. Therefore, signing on with these profiles or using the profiles to
own user (non-IBM-supplied) objects is not recommended.
Type new password below for IBM-supplied user, type password again to verify
change, then press Enter.
Note: To protect the security of your system, the default passwords for these
profiles should be changed.
Because DST profiles are not related to user profile objects, you cannot change DST
user IDs and passwords with the CHGUSRPRF command. They can be changed by
using the Change Dedicated Service Tools (QSYCHGDS) API or through the DST
function.
You can use either the “Manual Mode Procedure” on page 108 or the “Manual IPL
Procedure” on page 108 to change the DST passwords.
Additional information on using DST can be found in Tips and Tools for Securing
Your iSeries.

                       IPL or Install the System

Select one of the following:

     1. Perform an IPL
     2. Install the operating system
     3. Use Dedicated Service Tools (DST)
     4. Perform automatic install of the operating system
     5. Save Licensed Internal Code

2. Type the DST security capability user ID and password on the Dedicated
   Service Tools (DST) Sign On display. When your system is shipped, this
   password is QSECOFR (upper case).
3. Select menu options in the documented sequence.

   Menu or display name                        Select this option:
   Use Dedicated Service Tools (DST) menu      Option 5 (Work with DST environment)
   Work with DST Environment menu              Option 3 (Service tools user profiles)
   Work with Service tools user profiles menu  Option 2 (Change password) to change the
                                               password for the SECOFR, QSRV, 11111111,
                                               and 22222222 DST profiles.

4. To leave DST, press F3 (Exit) until you return to the IPL or Install the System
   menu. Continue with a normal IPL. Return the key to the secure position and
   remove it.
Attention:
• Write down the user IDs and passwords you assign and keep them in a safe
  place. If you lose or forget both the QSECOFR and the DST security capability
  user ID and password, you may need to install your operating system again to
  recover them. Contact your service provider for assistance. The topic
  “Recovering a Lost DST or QSECOFR Password” on page 109 tells how to
  recover one of these passwords if you know the other password.
• You must provide the DST basic capability user ID and password whenever
  your system needs service. Your system cannot be serviced without this
  password.
• Change the DST passwords on your system after service personnel have finished
  using them.
Resetting the QSECOFR User Profile Password: You can use the DST security
capability password to reset the QSECOFR user profile password to its initial value
(QSECOFR):
1. The topic “Changing User IDs and Passwords for Dedicated Service Tools
   (DST) Users” on page 107 describes how to reach the Use Dedicated Service
   Tools (DST) menu. You must follow the Manual IPL procedure to reach the
   Use Dedicated Service Tools (DST) menu because an IPL is required to change
   the QSECOFR user profile password to the default value.
2. Select option 5 (Work with DST environment).
3. Select option 6 (Service tools security data).
4. Select option 1 (Reset operating system default password).
5. You receive a message confirming that the Operating system password
   override is set.
6. Press F12 to return to the Work with Service Tools Security Data menu.
7. Continue the IPL of the system.
8. Continue pressing F3 (Exit) to return to the Use Dedicated Service Tools (DST)
   menu.
9. When the IPL has completed, return the keylock to the Auto position.
10. Sign on as QSECOFR using the upper case password QSECOFR. Use the
    CHGPWD command to change the QSECOFR password to a new value. Write
    down the new value and store it in a safe place.
Attention: Do not leave the QSECOFR password set to the default. This poses
a security exposure, because this is the value shipped with every system and
is commonly known.
Resetting the DST Security Capability Password: If you know the password for
the QSECOFR profile, you can reset the DST security capability password to the
initial setting (QSECOFR):
1. The system should be in normal operating mode (not DST). Sign on at any
workstation using the QSECOFR profile.
2. On a command line, type CHGDSTPWD (Change DST Password). You see the
Change DST Password (CHGDSTPWD) display:
3. Type *DEFAULT and press the Enter key. The DST security capability password is
set to QSECOFR.
4. Change the DST security capability password to a value that is different from
the default value. This can be done by using the Change Dedicated Service
Tools Profiles (QSYCHGDS) API or by performing an attended IPL and using
DST to change the password.
System Password
The system password is used to authorize system model changes, certain service
conditions, and ownership changes. If these changes have occurred on your
system, you may be prompted for the system password when you perform an IPL.
The System Operation book provides more information about the system password.
This chapter describes each of the components of resource security and how they
all work together to protect information on your system. It also explains how to
use CL commands and displays to set up resource security on your system.
The topic “How the System Checks Authority” on page 148 provides detailed
flowcharts and notes about how the system checks authority. You may find it
useful to consult this information as you read the explanations that follow.
Public Authority:
The public consists of anyone who is authorized to sign on to your system. Public
authority is defined for every object on the system, although the public authority
for an object may be *EXCLUDE. Public authority to an object is used if no other
specific authority is found for the object.
Private Authority:
You can define specific authority to use (or not use) an object. You can grant
authority to an individual user profile or to a group profile. An object has private
authority if any authority other than public authority, object ownership, or primary
group authority is defined for the object.
User Authority:
Individual user profiles may be given authority to use objects on the system. This
is one type of private authority.
Group Authority:
Object Ownership:
Every object on the system has an owner. The owner has *ALL authority to the
object by default. However, the owner’s authority to the object can be changed or
removed. The owner’s authority to the object is not considered private authority.
Primary Group Authority:
You can specify a primary group for an object and the authority the primary group
has to the object. Primary group authority is stored with the object and may
provide better performance than private authority granted to a group profile. Only
a user profile with a group identification number (gid) may be the primary group
for an object. Primary group authority is not considered private authority.
Note: In some environments, the authority associated with an object is called the
object’s mode of access.
Authority to an object is divided into three categories: 1) Object Authority defines
Table 100 describes the types of authority available and lists some examples of how
the authorities are used. In most cases, accessing an object requires a combination
of object, data, and field authorities. Appendix D provides information about the
authority that is required to perform a specific function.
Table 100. Description of Authority Types

Authority   Name                   Functions Allowed
---------   ---------------------  --------------------------------------------------
Object Authorities:
*OBJOPR     Object Operational     Look at the description of an object. Use the
                                   object as determined by the user’s data
                                   authorities.
*OBJMGT     Object Management      Specify the security for the object. Move or
                                   rename the object. All functions defined for
                                   *OBJALTER and *OBJREF.
*OBJEXIST   Object Existence       Delete the object. Free storage of the object.
                                   Perform save and restore operations for the
                                   object (see note 1). Transfer ownership of the
                                   object.
*OBJALTER   Object Alter           Add, clear, initialize and reorganize members
                                   of database files. Alter and add attributes of
                                   database files: add and remove triggers. Change
                                   the attributes of SQL packages.
*OBJREF     Object Reference       Specify a database file as the parent in a
                                   referential constraint. For example, you want
                                   to define a rule that a customer record must
                                   exist in the CUSMAS file before an order for
                                   the customer can be added to the CUSORD file.
                                   You need *OBJREF authority to the CUSMAS file
                                   to define this rule.
*AUTLMGT    Authorization List     Add and remove users and their authorities
            Management             from the authorization list (see note 2).
Data Authorities:
*READ       Read                   Display the contents of the object, such as
                                   viewing records in a file.
*ADD        Add                    Add entries to an object, such as adding
                                   messages to a message queue or adding records
                                   to a file.
*UPD        Update                 Change the entries in an object, such as
                                   changing records in a file.
*DLT        Delete                 Remove entries from an object, such as
                                   removing messages from a message queue or
                                   deleting records from a file.
*EXECUTE    Execute                Run a program, service program, or SQL
                                   package. Locate an object in a library or a
                                   directory.
Field Authorities:
*Mgt        Management             Specify the security for the field.
*Alter      Alter                  Change the attributes of the field.
*Ref        Reference              Specify the field as part of the parent key in
                                   a referential constraint.
*Read       Read                   Access the contents of the field. For example,
                                   display the contents of the field.
*Add        Add                    Add entries to data, such as adding
                                   information to a specific field.
*Update     Update                 Change the content of existing entries in the
                                   field.

Notes:
1. If a user has save system (*SAVSYS) special authority, object existence
   authority is not required to perform save and restore operations on the
   object.
2. See the topic “Authorization List Management” on page 120 for more
   information.
Table 101. System-Defined Authority

Authority    *ALL   *CHANGE   *USE   *EXCLUDE
Object Authorities
*OBJOPR       X       X        X
*OBJMGT       X
*OBJEXIST     X
*OBJALTER     X
*OBJREF       X
Data Authorities
*READ         X       X        X
*ADD          X       X
*UPD          X       X
*DLT          X       X
*EXECUTE      X       X        X
Table 102 shows additional system-defined authorities that are available using the
WRKAUT and CHGAUT commands:
Table 102. System-Defined Authority

Authority    *RWX   *RW   *RX   *R   *WX   *W   *X
Object Authorities
*OBJOPR       X      X     X     X    X     X    X
*OBJMGT
*OBJEXIST
*OBJALTER
*OBJREF
Data Authorities
*READ         X      X     X     X
*ADD          X      X                X     X
*UPD          X      X                X     X
*DLT          X      X                X     X
*EXECUTE      X            X          X          X
The LAN Server licensed program uses access control lists to manage authority. A
user’s authorities are called permissions. Table 103 shows how the LAN Server
permissions map to object and data authorities:
Table 103. LAN Server Permissions

Authority            LAN Server Permissions
*EXCLUDE             None
Object Authorities
*OBJOPR              See note 1
*OBJMGT              Permission
*OBJEXIST            Create, Delete
*OBJALTER            Attribute
*OBJREF              No equivalent
Data Authorities
*READ                Read
*ADD                 Create
*UPD                 Write
*DLT                 Delete
*EXECUTE             Execute

Note:
1. Unless NONE is specified for a user in the access control list, the user is
   implicitly given *OBJOPR.
Library Security
Most objects on the system reside in libraries. To access an object, you need
authority both to the object itself and the library in which the object resides. For
most operations, including deleting an object, *USE authority to the object library
is sufficient (in addition to the authority required for the object). Creating a new
object requires *ADD authority to the object library. Appendix D shows what
authority is required by CL commands for objects and the object libraries.
When access is requested to an object and *LIBL is specified for the object, the
library list information is used to check authority for the library. If a qualified
name is specified, the authority for the library is specifically checked, even if the
library is included in the user’s library list.
In addition, applications that use library lists rather than qualified library names
have a potential security exposure. A user who is authorized to the commands to
work with library lists could potentially run a different version of a program. See
“Library Lists” on page 183 for more information.
Field Authorities
Field authorities are now supported for database files. Authorities supported are
Reference and Update. You can only administer these authorities through the SQL
statements, GRANT and REVOKE. You can display these authorities through the
Display Object Authority (DSPOBJAUT) and the Edit Object Authority
(EDTOBJAUT) commands. You can only display the field authorities with the
EDTOBJAUT command; you cannot edit them.
Figure 8. Display Object Authority display showing F16=Display field authorities. This function
key will be displayed when a database file has field authorities.
Figure 9. Display Field Authority display. When F17=Position to is pressed, the Position the
List prompt is displayed. If F16 is pressed, the previous position-to operation is
repeated.
Library QUSER38 is not shipped with the operating system. However, it can be
created by anyone with enough authority to create a library.
See the System/38 Environment Programming manual for more information about the
System/38 Environment.
Directory Security
When accessing an object in a directory, you must have authority to all the
directories in the path containing the object. You must also have the necessary
authority to the object to perform the operation you requested.
You may want to use directory security in the same way that you use library
security. Limit access to directories and use public authority to the objects within
the directory. Limiting the number of private authorities defined for objects
improves the performance of the authority checking process.
┌───────────────────────────────────┐
│ Authorization list name: AUTL1 │
│ Owner: KARENS │
│ Public authority: *EXCLUDE │
│ │
│ User Authority │
│ KARENS *ALL *AUTLMGT │
│ TERRY *USE │
│ JUDY *CHANGE │
│ SCOTT *ALL │
│ MARY *CHANGE *AUTLMGT │
└────────┬──────────────────────────┘
│
│ Objects secured by
│ authorization list
│ ┌───────────────┐
│ ┌────│ File A │
│ │ └───────────────┘
│ │ ┌───────────────┐
│ ├────│ Program B │
└─────┤ └───────────────┘
│ ┌───────────────┐
├────│ File C │
│ └───────────────┘
│ ┌───────────────┐
└────│ Library D │
└───────────────┘
You can also use an authorization list to define public authority for the objects on
the list. If the public authority for an object is set to *AUTL, the object gets its
public authority from its authorization list.
Only the owner of the object, a user with all object (*ALLOBJ) special authority, or
a user with all (*ALL) authority to the object, can add or remove the authorization
list for an object.
Objects in the system library (QSYS) can be secured with an authorization list.
However, the name of the authorization list that secures an object is stored with
the object. In some cases, when you install a new release of the operating system,
all the objects in the QSYS library are replaced. The association between the objects
and your authorization list would be lost.
A user with *AUTLMGT authority can give only the same or less authority to
others. For example, assume USERA has *CHANGE and *AUTLMGT authority to
authorization list CPLIST1. USERA can add USERB to CPLIST1 and give USERB
*CHANGE authority or less. USERA cannot give USERB *ALL authority to
CPLIST1, because USERA does not have *ALL authority.
A user with *AUTLMGT authority can remove the authority for a user if the
*AUTLMGT user has equal or greater authority to the list than the user profile
name being removed. If USERC has *ALL authority to CPLIST1, then USERA
cannot remove USERC from the list, because USERA has only *CHANGE and
*AUTLMGT.
Objects in IBM-supplied libraries, other than the QUSRSYS and QGPL libraries, are
replaced whenever you install a new release of the operating system. Therefore, the
link between objects in IBM-supplied libraries and authorization lists is lost. Also,
if an authorization list secures an object in QSYS and a complete system restore is
required, the link between the objects in QSYS and the authorization list is lost.
After you install a new release or restore your system, use the EDTOBJAUT or
GRTOBJAUT command to re-establish the link between the IBM-supplied object
and the authorization list.
The Implementation Guide for AS/400 Security and Auditing redbook contains sample
programs, such as ALLAUTL and FIXAUTL, that can be used to attach
authorization lists to the objects after the authorization lists are restored.
For example, assume library CUSTLIB has a CRTAUT value of *USE. Both of the
commands below create a data area called DTA1 with public authority *USE:
• Specifying the AUT parameter:
CRTDTAARA DTAARA(CUSTLIB/DTA1) +
TYPE(*CHAR) AUT(*LIBCRTAUT)
• Allowing the AUT parameter to default. *LIBCRTAUT is the default:
CRTDTAARA DTAARA(CUSTLIB/DTA1) +
TYPE(*CHAR)
The default CRTAUT value for a library is *SYSVAL. Any new objects created in
the library using AUT(*LIBCRTAUT) have public authority set to the value of the
QCRTAUT system value. The QCRTAUT system value is shipped as *CHANGE.
For example, assume the ITEMLIB library has a CRTAUT value of *SYSVAL. This
command creates the DTA2 data area with public authority of change:
CRTDTAARA DTAARA(ITEMLIB/DTA2) +
TYPE(*CHAR) AUT(*LIBCRTAUT)
“Assigning Authority and Ownership to New Objects” on page 124 shows more
examples of how the system assigns ownership and authority to new objects.
The CRTAUT value for a library can also be set to an authorization list name. Any
new object created in the library with AUT(*LIBCRTAUT) is secured by the
authorization list. The public authority for the object is set to *AUTL.
The CRTAUT value of the library is not used during a move (MOVOBJ), create
duplicate (CRTDUPOBJ), or restore of an object into the library. The public
authority of the existing object is used.
If the REPLACE (*YES) parameter is used on the create command, then the
authority of the existing object is used instead of the CRTAUT value of the library.
Object Ownership
Each object is assigned an owner when it is created. The owner is either the user
who creates the object or the group profile if the member user profile has specified
that the group profile should be the owner of the object. When the object is
created, the owner is given all the object and data authorities to the object.
“Assigning Authority and Ownership to New Objects” on page 124 shows
examples of how the system assigns ownership to new objects.
The owner of an object always has all the authority for the object unless any or all
authority is removed specifically. As an object owner, you may choose to remove
When changing an object’s owner, you have the option to keep or revoke the
former owner’s authority. A user with *ALLOBJ authority can transfer ownership,
as can any user who has the following:
• Object existence authority for the object (except for an authorization list)
• Ownership of the object, if the object is an authorization list
• Add authority for the new owner’s user profile
• Delete authority for the present owner’s user profile
You cannot delete a profile that owns objects. Ownership of objects must be
transferred to a new owner or the objects must be deleted before the profile can be
deleted. The Delete User Profile (DLTUSRPRF) command allows you to handle
owned objects when you delete the profile.
Object ownership is used as a management tool by the system. The owner profile
for an object contains a list of all users who have private authority to the object.
This information is used to build displays for editing or viewing object authority.
Profiles that own many objects with many private authorities can become very
large. The size of a profile that owns many objects affects performance when
displaying and working with the authority to objects it owns, and when saving or
restoring profiles. System operations can also be impacted. To prevent impacts to
either performance or system operations, do not assign objects to only one owner
profile for your entire iSeries system. Each application and the application objects
should be owned by a separate profile. Also, IBM-supplied user profiles should not
own user data or objects.
The owner of an object also needs sufficient storage for the object. See “Maximum
Storage” on page 74 for more information.
If the group owns the object (OWNER is *GRPPRF), the user creating the object is
not automatically given any specific authority to the object. The user gets authority
to the object through the group. If the user owns the object (OWNER is *USRPRF),
the group’s authority to the object is determined by the GRPAUT field in the user
profile.
The group authority type (GRPAUTTYP) field in the user profile determines whether
the group 1) becomes the primary group for the object or 2) is given private
authority to the object. “Assigning Authority and Ownership to New Objects” on
page 124 shows several examples.
Even if the Owner field in a user profile is *GRPPRF, the user must still have
sufficient storage to hold a new object while it is being created. After it is created,
ownership is transferred to the group profile. The MAXSTG parameter in the user
profile determines how much auxiliary storage a user is allowed.
Evaluate the objects a user might create, such as query programs, when choosing
between group and individual user ownership:
• If the user moves to a different department and a different user group, should
  the user still own the objects?
• Is it important to know who creates objects? The object authority displays show
  the object owner, not the user who created the object.
Note: The Display Object Description display shows the object creator.
If the audit journal function is active, a Create Object (CO) entry is written to the
QAUDJRN audit journal at the time an object is created. This entry identifies the
creating user profile. The entry is written only if the QAUDLVL system value
specifies *CREATE and the QAUDCTL system value includes *AUDLVL.
A profile must be a group profile (have a gid) to be assigned as the primary group
for an object. The same profile cannot be the owner of the object and its primary
group.
When a user creates a new object, parameters in the user profile control whether
the user’s group is given authority to the object and the type of authority given.
The Group authority type (GRPAUTTYP) parameter in a user profile can be used to
make the user’s group the primary group for the object. “Assigning Authority and
Ownership to New Objects” on page 124 shows examples of how authority is
assigned when new objects are created.
Use the Change Object Primary Group (CHGOBJPGP) command or the Work with
Objects by Primary Group (WRKOBJPGP) command to specify the primary group
for an object. You can change the authority the primary group has using the Edit
Object Authority display or the grant and revoke authority commands.
The system supplies the QDFTOWN user profile because all objects must have an
owner. When the system is shipped, only a user with *ALLOBJ special authority
can display and access this user profile and transfer ownership of objects
associated with the QDFTOWN user profile. You can grant other users authority to
the QDFTOWN profile. QDFTOWN user profile is intended for system use only.
You should not design your security such that QDFTOWN normally owns objects.
Figure 11. New Object Example: Public Authority from Library, Group Given Private Authority
Figure 12. New Object Example: Public Authority from System Value, Group Given Private
Authority
Figure 13. New Object Example: Public Authority from Library, Group Given Primary Group
Authority
Figure 14. New Object Example: Public Authority Specified, Group Owns Object
When an object uses the owner’s authority, this is called adopted authority.
Objects of type *PGM, *SRVPGM, *SQLPKG and Java programs can adopt
authority.
When you create a program, you specify a user profile (USRPRF) parameter on the
CRTxxxPGM command. This parameter determines whether the program uses the
authority of the owner of the program in addition to the authority of the user
running the program.
Program Stack before CALL Command:     Program Stack after CALL Command:

   QCMD                                   QCMD
    .                                      .
    .                                      .
    .                                      .
   PGMA                                   PGMA
                                          PGMB
Because PGMA remains in the program stack after PGMB is called, PGMB
uses the adopted authority of PGMA. (The use adopted authority
(USEADPAUT) parameter can override this. See “Programs That Ignore
Adopted Authority” on page 132 for more information about the
USEADPAUT parameter.)
– If PGMA starts PGMB using the Transfer Control (TFRCTL) command, the
program stacks look like this:
PGMB does not use the adopted authority of PGMA, because PGMA is no
longer in the program stack.
• If the program running under adopted authority is interrupted, the use of
  adopted authority is suspended. The following functions do not use adopted
  authority:
– System request
– Attention key (If a Transfer to Group Job (TFRGRPJOB) command is running,
adopted authority is not passed to the group job.)
– Break-message-handling program
– Debug functions
For example, USERA runs the program PGM1, which adopts the authority of
USERB. PGM1 uses the SETATNPGM command and specifies PGM2. USERB has
*USE authority to PGM2. USERA has *EXCLUDE authority to PGM2. The
SETATNPGM function is successful because it is run using adopted authority.
USERA receives an authority error when attempting to use the attention key
because USERB’s authority is no longer active.
• If a program that uses adopted authority submits a job, that submitted job does
  not have the adopted authority of the submitting program.
• When a trigger program or exit point program is called, adopted authority from
  previous programs in the call stack will not be used as a source of authority for
  the trigger program or exit point program.
• The program adopt function is not used when you use the Change Job
  (CHGJOB) command to change the output queue for a job. The user profile
  making the change must have authority to the new output queue.
• Any objects created, including spooled files that may contain confidential data,
  are owned by the user of the program or by the user’s group profile, not by the
  owner of the program.
• Adopted authority can be specified on either the command that creates the
  program (CRTxxxPGM) or on the Change Program (CHGPGM) command.
• If a program is created using REPLACE(*YES) on the CRTxxxPGM command,
  the new copy of the program has the same USRPRF, USEADPAUT, and AUT
  values as the replaced program. The USRPRF and AUT parameters specified on
  the CRTxxxPGM command are ignored.
• Only the owner of the program can specify REPLACE(*YES) on the CRTxxxPGM
  command when USRPRF(*OWNER) is specified on the original program.
• Only a user who owns the program or has *ALLOBJ and *SECADM special
  authorities can change the value of the USRPRF parameter.
To activate an ILE program successfully, the user must have *EXECUTE authority
to the ILE program and to all service programs to which it is bound. If an ILE
program uses adopted authority from a program higher in the program call stack,
that adopted authority is used to check authority to all service programs to which
the ILE program is bound. If the ILE program adopts authority, the adopted
authority will not be checked when the system checks the user’s authority to the
service programs at program activation time.
When you create a program, the default is to use adopted authority from previous
programs in the stack. If you do not want the program to use adopted authority,
you can change the program with the Change Program (CHGPGM) command or
Change Service Program (CHGSRVPGM) command to set the USEADPAUT
parameter to *NO. If a program is created using REPLACE(*YES) on the
CRTxxxPGM command, the new copy of the program has the same USRPRF,
USEADPAUT, and AUT values as the replaced program.
The topic “Ignoring Adopted Authority” on page 208 shows an example of how to
use this parameter in menu design. See “Use Adopted Authority (QUSEADPAUT)”
on page 32 for information on the QUSEADPAUT system value.
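The CL program below is an added example for this edition, not code from the Security Reference or from IBM. It shows the defensive way to use the adopted-authority rules above: a narrowly scoped adopting program, owned by an application profile rather than a programmer, callable only by one group, with USEADPAUT(*NO) set on the program it calls so the owner’s authority does not flow further down the call stack. The names APPLIB, APPOWNER, UPDCUST, CUSTRPT and the group profile CLERKS are constructed. It assumes member UPDCUST in APPLIB/QCLSRC contains only the one operation (clearing the work file APPLIB/CUSTWORK) for which the owner’s authority is needed, and that APPOWNER is authorized to that file.

```cl
/* SETUPADP: create an adopting program and fence off its authority.     */
/* Added example, not from the Security Reference. APPLIB, APPOWNER,     */
/* UPDCUST, CUSTRPT and CLERKS are constructed names.                    */
PGM
  /* USRPRF(*OWNER) makes UPDCUST run with its owner's authority added   */
  /* to the caller's. AUT(*EXCLUDE) keeps everyone but explicitly       */
  /* authorized users from calling it at all.                           */
  CRTCLPGM   PGM(APPLIB/UPDCUST) SRCFILE(APPLIB/QCLSRC) +
             USRPRF(*OWNER) AUT(*EXCLUDE)

  /* The application owner profile, not the programmer who compiled it, */
  /* owns the program; CUROWNAUT(*REVOKE) drops the former owner's      */
  /* authority. From now on only APPOWNER can recompile it with          */
  /* REPLACE(*YES), and the authority adopted is APPOWNER's, nothing    */
  /* more.                                                              */
  CHGOBJOWN  OBJ(APPLIB/UPDCUST) OBJTYPE(*PGM) NEWOWN(APPOWNER) +
             CUROWNAUT(*REVOKE)

  /* Only members of the CLERKS group may call the adopting program.    */
  GRTOBJAUT  OBJ(APPLIB/UPDCUST) OBJTYPE(*PGM) USER(CLERKS) AUT(*USE)

  /* CUSTRPT is called by UPDCUST. Because UPDCUST stays in the call    */
  /* stack, CUSTRPT would otherwise inherit the adopted authority;      */
  /* USEADPAUT(*NO) makes it ignore adopted authority from earlier      */
  /* programs in the stack.                                             */
  CHGPGM     PGM(APPLIB/CUSTRPT) USEADPAUT(*NO)

  /* Verify: DSPPGM shows the User profile (*OWNER) and Use adopted     */
  /* authority values for each program.                                 */
  DSPPGM     PGM(APPLIB/UPDCUST)
  DSPPGM     PGM(APPLIB/CUSTRPT)
ENDPGM
```

Because UPDCUST does only one thing, the window in which APPOWNER’s authority is active is as small as the design allows; if UPDCUST later needs to start a program that offers a command line or user-defined queries, that program is the one to mark USEADPAUT(*NO).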
Authority Holders
An authority holder is a tool for keeping the authorities for a program-described
database file that does not currently exist on the system. Its primary use is for
System/36 environment applications, which often delete program-described files
and create them again.
An authority holder can be created for a file that already exists or for a file that
does not exist, using the Create Authority Holder (CRTAUTHLR) command. The
following applies to authority holders:
• The authority holder is associated with a specific file and library. It has the same
  name as the file.
• Authority holders can be used only for program-described database files and
  logical files created in the S/36 environment.
• Once the authority holder is created, you add private authorities for it like a file.
  Use the commands to grant, revoke, and display object authorities, and specify
  object type *FILE. On the object authority displays, the authority holder is
  indistinguishable from the file itself. The displays do not indicate whether the
  file exists nor do they show that the file has an authority holder.
• If a file is associated with an authority holder, the authorities defined for the
  authority holder are used during authority checking. Any private authorities
  defined for the file are ignored.
• Use the Display Authority Holder (DSPAUTHLR) command to display or print
  all the authority holders on the system. You can also use it to create an output
  file (Outfile) for processing.
You need authority holders only for files that are deleted and re-created by your
applications. Use the Delete Authority Holder (DLTAUTHLR) command to delete
any authority holders that you do not need.
Authority Displays
Four displays show object authorities:
Display Object Authority display
Edit Object Authority display
Display Authority display
Work with Authority display
This section describes some characteristics of these displays. Figure 17 shows the
basic version of the Display Object Authority display:
                          Object
User        Group         Authority
PGMR1                     *ALL
DPTAR                     *CHANGE
DPTSM                     *USE
*PUBLIC                   *EXCLUDE

F3=Exit   F11=Display detail object authorities   F12=Cancel   F17=Top
The system-defined names of the authorities are shown on this display. F11 acts as
a toggle between this and two other versions of the display. One shows detailed
object authorities:
                          Object      -----------Object-----------
User        Group         Authority   Opr   Mgt   Exist  Alter  Ref
PGMR1                     *ALL         X     X     X      X     X
DPTAR                     *CHANGE      X
DPTSM                     *USE         X
*PUBLIC                   *EXCLUDE

F3=Exit   F11=Display data authorities   F12=Cancel   F17=Top   F18=Bottom
If you have *OBJMGT authority to an object, you see all private authorities for that
object. If you do not have *OBJMGT authority, you see only your own sources of
authority for the object.
For example, if USERA displays authority for the CUSTNO data area, only public
authority is shown.
If USERB, who is a member of the DPTAR group profile, displays the authority for
the CUSTNO data area, it looks like this:
                          Object
User        Group         Authority
*GROUP      DPTAR         *CHANGE

                          Object
User        Group         Authority
PGMR1                     *ALL
*GROUP      DPTAR         *CHANGE
DPTSM                     *USE
*PUBLIC                   *EXCLUDE
*ADOPTED                  USER DEF
The *ADOPTED authority indicates only the additional authority received from the
program owner. USERB receives from PGMR1 all the authorities that are not
included in *CHANGE. The display shows all private authorities because USERB
has adopted *OBJMGT. The detailed display looks like this:
                          Object      -----------Object-----------
User        Group         Authority   Opr   Mgt   Exist  Alter  Ref
PGMR1                     *ALL         X     X     X      X     X
*GROUP      DPTAR         *CHANGE      X
DPTSM                     *USE         X
*PUBLIC                   *EXCLUDE
*ADOPTED                  USER DEF           X     X      X     X

F3=Exit   F11=Display data authorities   F12=Cancel   F17=Top   F18=Bottom
If the user option (USROPT) field in USERB’s user profile includes *EXPERT, this is
how the display looks:
Authority Reports
Several reports are available to help you monitor your security implementation.
For example, you can monitor objects with *PUBLIC authority other than
*EXCLUDE and objects with private authorities with the following commands:
• Print Public Authority (PRTPUBAUT)
• Print Private Authority (PRTPVTAUT)
For more information about security tools, see the Tips and Tools for Securing Your
iSeries, SC41-5300-07.
Authority (AUT): The AUT parameter can be used to specify either of the
following:
• The public authority for the library
• The authorization list that secures the library.
The AUT parameter applies to the library itself, not to the objects in the library. If
you specify an authorization list name, the public authority for the library is set to
*AUTL.
If you do not specify AUT when you create a library, *LIBCRTAUT is the default.
The system uses the CRTAUT value from the QSYS library, which is shipped as
*SYSVAL.
Note: You can change the CRTAUT value for a library using the Change Library
(CHGLIB) command.
If user PGMR1 enters this command:
CRTLIB TESTLIB AUT(LIBLST) CRTAUT(OBJLST)
User       Group    Object Authority
PGMR1               *ALL
*PUBLIC             *AUTL
v Because an authorization list was specified for the AUT parameter, public
authority is set to *AUTL.
v The user entering the CRTLIB command owns the library, unless the user’s
profile specifies OWNER(GRPPRF). The owner is automatically given *ALL
authority.
v The CRTAUT value is not shown on the object authority displays. Use the
Display Library Description (DSPLIBD) command to see the CRTAUT value for
a library.
Library . . . . . . . . . . . . . . . . . : CUSTLIB
Type . . . . . . . . . . . . . . . . . . . : PROD
ASP of library . . . . . . . . . . . . . . : 1
Create authority . . . . . . . . . . . . . : *OBJLST
Text description . . . . . . . . . . . . . : Customer Rec
Creating Objects
When you create a new object, you can either specify the authority (AUT) or use
the default, *LIBCRTAUT. If PGMR1 enters this command:
CRTDTAARA DTAARA(TESTLIB/DTA1) TYPE(*CHAR)
the authority for DTA1 looks like this:
User       Group    Object Authority
PGMR1               *ALL
*PUBLIC             *AUTL
The authorization list (OBJLST) comes from the CRTAUT parameter that was
specified when TESTLIB was created.
User       Group    Object Authority
PGMR1               *ALL
*PUBLIC             *CHANGE
Note: The group’s authority is not used if you have private authority to the
object.
v Ownership of the object. If a group profile owns the object, any member of the
group can act as the object owner, unless the member has been given specific
authority that does not meet the requirements for changing the object’s
authority.
v *OBJMGT authority to the object and any authorities being granted or revoked
(except *EXCLUDE). Any user who is allowed to work with the object’s
authority can grant or revoke *EXCLUDE authority.
The easiest way to change authority for an individual object is with the Edit Object
Authority display. This display can be called directly by using the Edit Object
User       Group    Object Authority
PGMR1               *ALL
*PUBLIC             *AUTL
Note: If the User options (USROPT) field in your user profile is set to *EXPERT,
you always see this detailed version of the display without having to press
F11.
                    Object       -----------Object-----------
User       Group    Authority    Opr  Mgt  Exist  Alter  Ref
PGMR1               USER DEF     X X X X
*PUBLIC             *AUTL
                    Object       ---------------Data---------------
User       Group    Authority    Read  Add  Update  Delete  Execute
PGMR1               USER DEF     X X X X X
*PUBLIC             *AUTL
Object . . . . . . . : DTA1
Library . . . . . : TESTLIB
User       Object Authority
USER1      *USE
USER2      *CHANGE
PGMR2      *ALL
You can remove a user’s authority using the Edit Object Authority display. Type
blanks in the Object Authority field for the user and press the Enter key. The user
is removed from the display. You can also use the Revoke Object Authority
(RVKOBJAUT) command. Either revoke the specific authority the user has or
revoke *ALL authority for the user.
Note: The RVKOBJAUT command revokes only the authority you specify. For
example, USERB has *ALL authority to FILEB in library LIBB. You revoke
*CHANGE authority:
RVKOBJAUT OBJ(LIBB/FILEB) OBJTYPE(*FILE) +
          USER(USERB) AUT(*CHANGE)
USERB keeps the object authorities that *ALL includes but *CHANGE does not,
and no data authorities:
                    Object       -----------Object-----------
User       Group    Authority    Opr  Mgt  Exist  Alter  Ref
USERB               USER DEF          X    X      X      X
                    Object       ---------------Data---------------
User       Group    Authority    Read  Add  Update  Delete  Execute
USERB               USER DEF
Following are examples of using the GRTOBJAUT command, showing the prompt
display. When the command runs, you receive a message for each object indicating
whether the change was made. Authority changes require an exclusive lock on the
object and cannot be made when an object is in use. Print your job log for a record
of changes attempted and made.
v To give all the objects in the TESTLIB library a public authority of *USE, run
the GRTOBJAUT command for the library with Users *PUBLIC and Authority *USE.
This example for the GRTOBJAUT command gives the authority you specify, but
it does not remove any authority that is greater than you specified. If some
objects in the TESTLIB library have public authority *CHANGE, the command
just described would not reduce their public authority to *USE. To make sure
that every object ends up with public authority *USE, specify REPLACE(*YES).
The REPLACE parameter indicates whether the authorities you specify replace
the existing authority for the user. The default value of REPLACE(*NO) gives
the authority that you specify, but it does not remove any authority that is
greater than the authority you specify, unless you are granting *EXCLUDE
authority.
These commands set public authority only for objects that currently exist in the
library. To set the public authority for any new objects that are created later, use
the CRTAUT parameter on the library description.
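The interaction between REPLACE(*NO), *EXCLUDE and RVKOBJAUT is easy to get wrong, so here is an added Python model (example code, not IBM's and not the operating system's implementation) of how a single authority entry changes under those commands, using the *ALL, *CHANGE, *USE and *EXCLUDE definitions this chapter gives. It replays the USERB/FILEB revoke from the note above and the TESTLIB public-authority case; the object names in TESTLIB_PUBLIC are constructed sample data.

```python
"""Added model (not IBM code) of how GRTOBJAUT with REPLACE(*NO) or REPLACE(*YES)
and RVKOBJAUT change one authority entry, using the authority definitions given
on this page. Object names in TESTLIB_PUBLIC are constructed sample data."""
from typing import Dict, Set

CHANGE = {"*OBJOPR", "*READ", "*ADD", "*UPD", "*DLT", "*EXECUTE"}
NAMED = {"*ALL": CHANGE | {"*OBJMGT", "*OBJEXIST", "*OBJALTER", "*OBJREF"},
         "*CHANGE": CHANGE, "*USE": {"*OBJOPR", "*READ", "*EXECUTE"}, "*EXCLUDE": set()}

def expand(auth) -> Set[str]:
    """System-defined name, one specific authority, or a set of specific ones."""
    return set(NAMED.get(auth, {auth})) if isinstance(auth, str) else set(auth)

def display_name(auths: Set[str]) -> str:
    """What the authority displays show: a system-defined name or USER DEF."""
    return next((n for n, s in NAMED.items() if auths == s), "USER DEF")

def grant(current: Set[str], auth, replace: bool = False) -> Set[str]:
    """GRTOBJAUT: REPLACE(*YES) replaces the entry; REPLACE(*NO), the default,
    adds the named authorities and removes nothing, except that granting
    *EXCLUDE always replaces (as the page states)."""
    return expand(auth) if replace or auth == "*EXCLUDE" else set(current) | expand(auth)

def revoke(current: Set[str], auth) -> Set[str]:
    """RVKOBJAUT removes only the authorities named; the rest stay."""
    return set(current) - expand(auth)

def still_above(public_by_object: Dict[str, Set[str]], target) -> Dict[str, str]:
    """After GRTOBJAUT ... USER(*PUBLIC) AUT(target) with REPLACE(*NO) on every
    object, which objects still have more public authority than target?"""
    want = expand(target)
    after = {name: grant(auths, target) for name, auths in public_by_object.items()}
    return {name: display_name(a) for name, a in after.items() if not a <= want}

# Constructed sample: public authority of four objects in TESTLIB before the command.
TESTLIB_PUBLIC = {"WRKFILE1": expand("*CHANGE"), "CUSTFILE": expand("*USE"),
                  "PRLIST": expand("*EXCLUDE"), "PAYMASTER": expand("*ALL")}

def examples() -> dict:
    userb = revoke(expand("*ALL"), "*CHANGE")     # USERB after RVKOBJAUT AUT(*CHANGE)
    return {
        "userb_after_revoke": (display_name(userb), sorted(userb)),
        "use_over_change_no_replace": display_name(grant(expand("*CHANGE"), "*USE")),
        "use_over_change_replace": display_name(grant(expand("*CHANGE"), "*USE", True)),
        "exclude_over_change": display_name(grant(expand("*CHANGE"), "*EXCLUDE")),
        "still_above_use": still_above(TESTLIB_PUBLIC, "*USE"),
    }
```

still_above() is the check to run (against DSPOBJAUT or PRTPUBAUT output) after a REPLACE(*NO) grant: every object it lists kept a higher public authority than intended and needs the command repeated with REPLACE(*YES).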
v To give *ALL authority to the work files in the TESTLIB library to users AMES
and SMITHR. In this example, work files all start with the characters WRK:
Object . . . . . . . . . . . . . WRK*
  Library . . . . . . . . . . . TESTLIB
Object type . . . . . . . . . . *FILE
Users . . . . . . . . . . . . . AMES
  + for more values             SMITHR
Authority . . . . . . . . . . . *ALL
This command uses a generic name to specify the files. You specify a generic
name by typing a character string followed by an asterisk (*). Online information
tells which parameters of a command allow a generic name.
v To secure all the files starting with the characters AR* using an authorization list
called ARLST1 and have the files get their public authority from the list, use the
following two commands:
1. Secure the files with the authorization list using the GRTOBJAUT command:
Object . . . . . . . . . . . . . AR*
Library . . . . . . . . . . . TESTLIB
Object type . . . . . . . . . . *FILE
Authorization list . . . . . . . ARLST1
2. Set public authority for the files to *AUTL, using the GRTOBJAUT command:
Object . . . . . . . . . . . . . AR*
Library . . . . . . . . . . . TESTLIB
Object type . . . . . . . . . . *FILE
Users . . . . . . . . . . . . . *PUBLIC
+ for more values
Authority . . . . . . . . . . . *AUTL
The Work with Objects by Owner display shows all the objects owned by a profile.
You can assign individual objects to a new owner. You can also change ownership
for more than one object at a time by using the NEWOWN (new owner) parameter
at the bottom of the display:
Parameters or command
===> NEWOWN(OWNIC)
When you change ownership using either method, you can choose to remove the
previous owner’s authority to the object. The default for the CUROWNAUT
(current owner authority) parameter is *REVOKE.
You cannot delete a user profile that owns objects. The topic “Deleting User
Profiles” on page 99 shows methods for handling owned objects when deleting a
profile.
When you change an object’s primary group, you specify what authority the new
primary group has. You can also revoke the old primary group’s authority. If you
do not revoke the old primary group’s authority, it becomes a private authority.
To change an object’s primary group, you must have all of the following:
v *OBJEXIST authority for the object.
v If the object is a file, library, or subsystem description, *OBJOPR and *OBJEXIST
authority.
v If the object is an authorization list, *ALLOBJ special authority or be the owner
of the authorization list.
v If revoking authority for the old primary group, *OBJMGT authority.
v If a value other than *PRIVATE is specified, *OBJMGT authority and all the
authorities being given.
The GRTUSRAUT command copies private authorities only. It does not copy
special authorities, nor does it transfer object ownership.
To use the GRTUSRAUT command, you must have all the authorities being copied.
If you do not have an authority, that authority is not granted to the target profile.
The system issues a message for each authority that is granted or not granted to
the target user profile. Print the job log for a complete record. To avoid having a
partial set of authorities copied, the GRTUSRAUT command should be run by a
user with *ALLOBJ special authority.
Additional Parameters
Authority . . . . . . . . . . . *USE
The public authority from the authorization list is used only when the public
authority for an object secured by the list is *AUTL.
You can use the Edit Authorization List (EDTAUTL) display to change user
authority to the authorization list or to add new users to the list:
User       Object Authority    List Mgt
PGMR1      *ALL                X
*PUBLIC    *USE
To give new users authority to the authorization list, press F6 (Add new users):
User       Object Authority    List Mgt
AMES       *CHANGE
SMITHR     *CHANGE
Each user’s authority to the list is actually stored as a private authority in that
user’s profile. You can also use commands to work with authorization list users,
either interactively or in batch:
v Add Authorization List Entry (ADDAUTLE) to define authority for additional
users
v Change Authorization List Entry (CHGAUTLE) to change authority for users
who are already authorized to the list
v Remove Authorization List Entry (RMVAUTLE) to remove a user’s authority to
the list.
Use the Edit Object Authority display or the GRTOBJAUT command to secure an
object with an authorization list:
User       Object Authority
PGMR1      *ALL
*PUBLIC    *AUTL
Set the public authority for the object to *AUTL if you want public authority to
come from the authorization list.
On the Edit Authorization List display, you can use F15 (Display authorization list
objects) to list all the objects secured by the list:
Object      Library    Type    Owner    Primary group    Text
CUSTMAS     CUSTLIB    *FILE   OWNAR
CUSTADDR    CUSTLIB    *FILE   OWNAR
This is an information list only. You cannot add or remove objects from the list.
You can also use the Display Authorization List Objects (DSPAUTLOBJ) command
to view or print a list of all objects secured by the list.
Note: Authority from one or more of the user’s groups may be accumulated to
find sufficient authority for the object being accessed.
The process of checking authority is divided into a primary flowchart and several
smaller flowcharts showing specific parts of the process. Depending on the
combination of authorities for an object, the steps in some flowcharts may be
repeated several times.
The numbers at the upper left of figures on the flowcharts are used in the
examples following the flowcharts.
The steps representing the search of a profile’s private authorities are highlighted:
Step 6 in Flowchart 3 on page 153
Step 6 in Flowchart 6 on page 158
Step 2 in Flowchart 8B on page 161
1
┌──────────────────────────────┐
│ Does the profile have │
│ *ALLOBJ special authority? ├────────────────> Authorized
└──────────────────────────────┘
│ No
2 v
┌──────────────────────────────┐
│ Set object to test equal to │
│ original object. │
└──────────────────────────────┘
│
┌───────────────────>│
│ 3 v
│ ┌──────────────────────────────┐ Authority is
│ │ Check owner authority. │ insufficient
│ │ (See flowchart 4.) │──────────────────────────┐
│ └──────────────────────────────┘ │
│ │ No authority │
│ │ is found │
│ 4 v │
│ ┌──────────────────────────────┐ │
│ │ Do fast path check if │ │
│ │ original object. │ │
│ │ (See flowchart 5.) │ │
│ └──────────────────────────────┘ │
│ │ Authority is │
│ │ insufficient │
│ 5 v │
│ No ┌──────────────────────────────┐ │
│ ┌──┤ Does object have private │ │
│ │ │ authorities? │ │
│ │ └──────────────────────────────┘ │
│ │ │ Yes │
│ │ 6 v │
│ │ ┌──────────────────────────────┐ Authority │
│ │ │ Look up private authorities │ is │
│ │ │ in the user profile. │ sufficient │
│ │ │ │────────────>Authorized │
│ │ └──────────────────────────────┘ │
│ │ │ No authority │ Authority is │
│ │ │ is found │ not sufficient │
│ └───────────>│ └───────────────────────────>│
│ 7 v 8 v
│ ┌──────────────────────────────┐ ┌──────────────────────┐
│ │ Is the object secured by │ No │ Set object to test │
│ │ an authorization list? │───────>│ equal to the │
│ │ │ │ original object. │
│ └──────────────────────────────┘ └──────────┬───────────┘
│ │ Yes │
│ 9 v v
│ ┌──────────────────────────────┐ Return to the calling
│ │ Set object to test equal to │ flowchart with
└──────│ the authorization list. │ insufficient authority
│ │ or no authority found.
└──────────────────────────────┘
Several possibilities exist for using the owner’s authority to access an object:
v The user profile owns the object.
v The user profile owns the authorization list.
v The user’s group profile owns the object.
v The user’s group profile owns the authorization list.
v Adopted authority is used, and the program owner owns the object.
v Adopted authority is used, and the program owner owns the authorization list.
Object Authorities:
*OBJOPR X X
*OBJMGT X
*OBJEXIST
*OBJALTER
*OBJREF
Data Authorities
*READ X X
*ADD X
*UPD X
*DLT X
*EXECUTE X X
*EXCLUDE X
2. This path provides a method for using public authority, if possible, even
though private authority exists for an object. The system tests to make sure that
nothing later in the authority checking process might deny access to the object.
If the result of these tests is Sufficient, searching private authorities can be
avoided.
Authority from one or more of the user’s groups may be accumulated to find
sufficient authority for the object being accessed. For example, WAGNERB needs
*CHANGE authority to the CRLIM file. *CHANGE authority includes *OBJOPR,
*READ, *ADD, *UPD, *DLT, and *EXECUTE. Table 105 shows the authorities for
the CRLIM file:
Table 105. Accumulated Group Authority
Users
Object Authorities:
*OBJOPR X X X
*OBJMGT X
*OBJEXIST X
*OBJALTER X
*OBJREF X
Data Authorities
*READ X X X
*ADD X X
*UPD X X X
*DLT X X
*EXECUTE X X X
*EXCLUDE X
Note: If the user is signed on as the profile that is the primary group for an object,
the user cannot receive authority to the object through the primary group.
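The flowcharts, the accumulated group authority of Table 105, the primary group note just above, and the *ADOPTED entry on the Display Object Authority screen earlier in this chapter all describe one decision procedure. The Python below is an added example, not IBM code and not the operating system's implementation: it encodes the rules exactly as this page states them (it models the outcome of the check, not the order of searches that the performance discussion is about) and replays the page's cases: ANDERSJ and the CREDIT file, the WILSONJ *EXCLUDE entry, AMESJ and the ARLST1 list, and USERB running a program owned by PGMR1. The group names GRP1 and GRP2, the file name ITEMX, and the specific authorities given to those two groups are assumptions made up for the example.

```python
"""Added model (not IBM code) of the authority check described by the flowcharts:
*ALLOBJ wins; the owner has *ALL; a user's own private authority (even *EXCLUDE)
replaces any group authority; several groups accumulate; primary group authority
counts only for members; public authority (from the list when public is *AUTL)
is used only when no user or group authority exists; adopted authority is added.
Names come from the page's cases except GRP1, GRP2 and ITEMX, which are made up."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

SYSTEM_AUTH = {                       # system-defined names -> specific authorities
    "*ALL": {"*OBJOPR", "*OBJMGT", "*OBJEXIST", "*OBJALTER", "*OBJREF",
             "*READ", "*ADD", "*UPD", "*DLT", "*EXECUTE"},
    "*CHANGE": {"*OBJOPR", "*READ", "*ADD", "*UPD", "*DLT", "*EXECUTE"},
    "*USE": {"*OBJOPR", "*READ", "*EXECUTE"},
    "*EXCLUDE": set(),
}

def expand(auth) -> Set[str]:
    """System-defined name, one specific authority, or a set of specific ones."""
    return set(SYSTEM_AUTH.get(auth, {auth})) if isinstance(auth, str) else set(auth)

@dataclass
class Profile:
    name: str
    allobj: bool = False                          # *ALLOBJ special authority
    groups: List[str] = field(default_factory=list)

@dataclass
class Obj:
    """An object; an authorization list is modelled as an Obj of its own, whose
    private entries are the list entries and whose public is the list's public."""
    owner: str
    public: object = "*EXCLUDE"                   # "*AUTL": taken from the list
    private: Dict[str, object] = field(default_factory=dict)
    primary_group: Optional[str] = None
    primary_group_auth: object = "*EXCLUDE"
    autl: Optional["Obj"] = None

def own_authority(profile: str, obj: Obj) -> Optional[Set[str]]:
    """Flowcharts 3/4: owner, private authority, then the same test against the
    authorization list. None means no authority of any kind was found."""
    if profile == obj.owner:
        return expand("*ALL")
    if profile in obj.private:
        return expand(obj.private[profile])
    if obj.autl is not None:
        return own_authority(profile, obj.autl)
    return None

def check_authority(user, obj, required, profiles, adopting=()) -> bool:
    """`adopting` lists the owners of programs in the stack that adopt authority."""
    need = expand(required)
    if user.allobj:
        return True
    found = own_authority(user.name, obj)
    if found is None:                             # groups only if the user has none
        acc = None
        for g in user.groups:
            if profiles[g].allobj:
                return True
            ga = own_authority(g, obj)
            if ga is None and obj.primary_group == g:
                ga = expand(obj.primary_group_auth)
            if ga is not None:
                acc = (acc or set()) | ga         # accumulated across groups
        found = acc
    if found is None:                             # Flowchart 7: public authority
        from_list = obj.public == "*AUTL" and obj.autl is not None
        found = expand(obj.autl.public if from_list else obj.public)
    for owner in adopting:                        # Flowchart 8: adopted is added on
        if profiles[owner].allobj:
            return True
        found |= own_authority(owner, obj) or set()
    return need <= found

# The page's cases as data, constructed to match the text's descriptions.
PROFILES = {n: Profile(n) for n in ("OWNAR", "OWNCP", "PGMR1", "DPTAR", "DPTSM", "GRP1",
                                    "GRP2", "ANDERSJ", "WILSONJ", "WAGNERB", "USERB", "AMESJ")}
for n, g in [("ANDERSJ", ["DPTAR"]), ("WILSONJ", ["DPTSM"]), ("WAGNERB", ["GRP1", "GRP2"]),
             ("USERB", ["DPTAR"])]:
    PROFILES[n].groups = g
CREDIT = Obj(owner="OWNAR", primary_group="DPTAR", primary_group_auth="*CHANGE")
ITEMX = Obj(owner="OWNAR", public="*USE", private={"DPTSM": "*USE", "WILSONJ": "*EXCLUDE"})
CRLIM = Obj(owner="OWNAR", private={             # neither group alone amounts to *CHANGE
    "GRP1": {"*OBJOPR", "*READ", "*ADD", "*UPD", "*EXECUTE"},
    "GRP2": {"*OBJOPR", "*READ", "*UPD", "*DLT", "*EXECUTE"}})
CUSTNO = Obj(owner="PGMR1", private={"DPTAR": "*CHANGE", "DPTSM": "*USE"})
ARLST1 = Obj(owner="OWNCP", public="*USE", private={"AMESJ": "*CHANGE"})
ARWRK01 = Obj(owner="OWNCP", public="*AUTL", autl=ARLST1)

def run_cases() -> Dict[str, bool]:
    p = PROFILES
    return {
        "primary group member": check_authority(p["ANDERSJ"], CREDIT, "*CHANGE", p),
        "signed on as primary group": check_authority(p["DPTAR"], CREDIT, "*USE", p),
        "user *EXCLUDE beats group": check_authority(p["WILSONJ"], ITEMX, "*USE", p),
        "accumulated groups": check_authority(p["WAGNERB"], CRLIM, "*CHANGE", p),
        "authorization list": check_authority(p["AMESJ"], ARWRK01, "*CHANGE", p),
        "no adopted authority": check_authority(p["USERB"], CUSTNO, "*OBJMGT", p),
        "adopted from PGMR1": check_authority(p["USERB"], CUSTNO, "*OBJMGT", p, ["PGMR1"]),
    }
```

The two rules worth noticing in the cases are the ones the text states as notes: a private *EXCLUDE for the user stops the group's *USE from being consulted at all, and the DPTAR profile signed on as itself gets nothing from being the primary group of CREDIT.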
1 2
┌───────────────────────┐ ┌───────────────────────┐
│ Is public authority │ Yes │ Set object to check │
│ for the original │───────────>│ equal to the │
│ object *AUTL? │ │ authorization list. │
│ │ │ │
└──────────┬────────────┘ └──────────┬────────────┘
│ No │
│ │
3 v │
┌───────────────────────┐ │
│ Set object to check │ │
│ equal to the │ │
│ original object. │ │
│ │ │
└──────────┬────────────┘ │
│ │
│<───────────────────────────────────┘
4 v
┌───────────────────────┐
│ Is public authority │ Yes
│ sufficient? ├────────────────> Authorized
│ │
└───────────────────────┘
│ No. Return to the
│ calling flowchart
│ with insufficient
│ authority.
v
If sufficient authority is not found, the system checks to see if the program owner
has private authority for the object being checked. This is repeated for every
program in the stack that uses adopted authority.
Figure 25 on page 160 and Figure 26 on page 161 show the process for checking
adopted authority.
Figure 25. Flowchart 8A: Checking Adopted Authority User *ALLOBJ and Owner
Figure 26. Flowchart 8B: Checking Adopted Authority Using Private Authorities
Figure 27 shows the authorities for the PRICES file. Following the figure are
several examples of requested access to this file and the authority checking process.
In the examples, searching private authorities (Flowchart 3, step 6) is highlighted
because this is the part of the authority checking process that can cause
performance problems if it is repeated several times.
Result: ROSSM is authorized because the group profile DPTSM has *CHANGE
authority.
Analysis: Using group authority in this example is a good method for managing
authorities. It reduces the number of private authorities on the system and is easy
to understand and audit. However, using private group authority usually causes
two searches of private authorities (for the user and the group), when public
authority is not adequate. One search of the private authority could have been
avoided by making DPTSM the primary group for the PRICES file.
The system performs these steps to determine whether to allow ANDERSJ to have
*CHANGE access to the CREDIT file:
1. Flowchart 1, step 1.
a. Flowchart 2, step 1. DPTAR’s authority is primary group authority, not
private authority.
b. Flowchart 2, steps 2, 3, 4, 5, and 6. Public authority is not sufficient.
2. Flowchart 1, step 2.
a. Flowchart 3, steps 1 and 2. Object to check = ACCTSRCV/CREDIT *FILE.
b. Flowchart 3, step 3.
1) Flowchart 4, step 1. ANDERSJ does not own the CREDIT file. Return to
Flowchart 3 with no authority found.
c. Flowchart 3, step 4.
1) Flowchart 5, step 1. The CREDIT file has no private authorities.
2) Flowchart 5, step 3. Public authority is not sufficient. Return to
Flowchart 3 with no authority found.
d. Flowchart 3, steps 5, 7, and 8. The CREDIT file is not secured by an
authorization list. Return to Flowchart 1 with no authority found.
3. Flowchart 1, steps 3 and 4. ANDERSJ is a member of the DPTAR group profile.
a. Flowchart 6, steps 1 and 2. Object to check = ACCTSRCV/CREDIT *FILE.
b. Flowchart 6, step 3.
1) Flowchart 4, step 1. DPTAR does not own the CREDIT file. Return to
Flowchart 6 with no authority found.
Result: ANDERSJ is authorized because DPTAR is the primary group for the
CREDIT file and has *CHANGE authority.
Analysis: If you use primary group authority, the authority checking performance
is better than if you specify private authority for the group. This example does not
require any search of private authorities.
Analysis: This example shows the performance benefit gained when you avoid
defining any private authorities for an object.
Analysis: This example shows the performance benefit gained when you avoid
defining any private authorities for an object that are less than public authority.
Although private authority exists for the PRICES file, the public authority is
sufficient for this request and can be used without searching private authorities.
The number of steps required to perform authority checking has almost no impact
on performance, because most of the steps do not require retrieving new
information. In this example, although many steps are performed, private
authorities are searched only once (for user SMITHG).
Analysis: This example demonstrates that a user can be denied access to an object
even though the user’s group has sufficient authority.
Giving a user the same authority as the public but less than the user’s group does
not affect the performance of authority checking for other users. However, if
WILSONJ had *EXCLUDE authority (less than public), you would lose the
performance benefits shown in Case 4.
Although this example has many steps, private authorities are searched only once.
This should provide acceptable performance.
User       Group    Object Authority
OWNIC               *ALL
*PUBLIC             *USE
ROSSM needs *USE authority to the ITEM file. ROSSM is a member of the DPTSM
group profile. These are the authority-checking steps:
1. Flowchart 1, step 1.
a. Flowchart 2, steps 1, 2, and 3. OWNIC’s authority is sufficient.
b. Flowchart 2, step 4. The ITEM file does not have a primary group.
c. Flowchart 2, step 6. Authorized. Public authority is sufficient.
Analysis: Public authority provides the best performance when it is used without
any private authorities. In this example, private authorities are never searched.
User       Group    Object Authority
OWNCP               *ALL
*PUBLIC             *USE
User       Group    Object Authority    List Mgt
OWNCP               *ALL
AMESJ               *CHANGE
*PUBLIC             *USE
User AMESJ, who is not a member of a group profile, needs *CHANGE authority
to the ARWRK01 file. These are the authority-checking steps:
1. Flowchart 1, step 1.
a. Flowchart 2, steps 1 and 2. The ARWRK01 file is secured by an
authorization list.
2. Flowchart 1, step 2.
a. Flowchart 3, steps 1 and 2. Object to check = CUSTLIB/ARWRK01 *FILE.
b. Flowchart 3, step 3.
1) Flowchart 4, step 1. AMESJ does not own the ARWRK01 file. Return to
Flowchart 3 with no authority found.
c. Flowchart 3, step 4.
1) Flowchart 5, steps 1 and 3. Public authority is not sufficient. Return to
Flowchart 3 with no authority found.
d. Flowchart 3, steps 5, 7, and 9. Object to check = ARLST1 *AUTL.
e. Flowchart 3, step 3.
Analysis: This example demonstrates that authorization lists can make authorities
easy to manage and provide good performance. This is particularly true if objects
secured by the authorization list do not have any private authorities.
If AMESJ were a member of a group profile, it would add additional steps to this
example, but it would not add an additional search of private authorities, as long
as no private authorities are defined for the ARWRK01 file. Performance problems
are most likely to occur when private authorities, authorization lists, and group
profiles are combined, as in “Case 11: Combining Authorization Methods” on
page 170.
User       Group    Object Authority
OWNAR               *ALL
DPTAR               *CHANGE
DPTSM               *USE
*PUBLIC             *EXCLUDE
User       Group    Object Authority
OWNAR               *ALL
DPTSM               *USE
WILSONJ             *EXCLUDE
*PUBLIC             *USE
The CRLIMWRK file is secured by the CRLST1 authorization list. Figure 34 shows
the authority for the CRLST1 authorization list.
User       Group    Object Authority    List Mgt
OWNAR               *ALL                X
DPTAR               *ALL
*PUBLIC             *EXCLUDE
This example shows many of the possibilities for authority checking. It also
demonstrates how using too many authority options for an object can result in
poor performance.
Job Initiation
When you start a job on the system, objects are associated with the job, such as an
output queue, a job description, and the libraries on the library list. Authority for
some of these objects is checked before the job is allowed to start and for other
objects after the job starts. Inadequate authority may cause errors or may cause the
job to end.
Objects that are part of the job structure for a job may be specified in the job
description, the user profile, and on the Submit Job (SBMJOB) command for a
batch job.
When an authority failure occurs during the sign-on process, a message appears at
the bottom of the Sign On display describing the error. Some authority failures also
cause a job log to be written. If a user is unable to sign on because of an authority
failure, either change the user’s profile to specify a different object or grant the user
authority to the object.
After the user enters a user ID and password, these steps are performed before a
job is actually started on the system:
1. The user profile and password are verified. The status of the user profile must
be *ENABLED. The user profile that is specified on the sign-on display must
have *OBJOPR and *CHANGE authority to itself.
2. The user’s authority to use the workstation is checked. See “Workstations” on
page 177 for details.
3. The system verifies authority for the values in the user profile and in the user’s
job description that are used to build the job structure, such as:
Job description
If any of these objects does not exist or the user does not have adequate
authority, a message is displayed at the bottom of the Sign On display, and the
user is unable to sign on. If authority is successfully verified for these objects,
the job is started on the system.
Note: Authority to the print device and job queue is not verified until the user
attempts to use them.
After the job is started, these steps are performed before the user sees the first
display or menu:
1. If the routing entry for the job specifies a user program, normal authority
checking is done for the program, the program library, and any objects used by
the program. If authority is not adequate, a message is sent to the user on the
Sign On display and the job ends.
2. If the routing entry specifies the command processor (QCMD):
a. Authority checking is done for the QCMD processor program, the program
library, and any objects used, as described in step 1.
b. The user’s authority to the Attention-key-handling program and library is
checked. If authority is not adequate, a message is sent to the user and
written to the job log. Processing continues.
If authority is adequate, the Attention-key-handling program is activated.
The program is not started until the first time the user presses the Attention
key. At that time, normal authority checking is done for the objects used by
the program.
c. Normal authority checking is done for the initial program (and its
associated objects) specified in the user profile. If authority is adequate, the
program is started. If authority is not adequate, a message is sent to the
user and written to the job log. The job ends.
d. Normal authority checking is done for the initial menu (and its associated
objects) specified in the user profile. If authority is adequate, the menu is
displayed. If authority is not adequate, a message is sent to the user and
written to the job log. The job ends.
When you enter the SBMJOB command, this checking is performed before the job
is added to the job queue:
1. If you specify a user profile on the SBMJOB command, you must have *USE
authority to the user profile.
2. Authority is checked for objects specified as parameters on the SBMJOB
command and in the job description. Authority is checked for the user profile
the job will run under.
When the system selects the job from the job queue and attempts to start the job,
the authority checking sequence is similar to the sequence for starting an
interactive job.
You can change characteristics of a batch job when it is waiting to run, using the
Change Job (CHGJOB) command. See page 357 for the authority that is required to
change parameters for a job.
Workstations
A device description contains information about a particular device or logical unit
that is attached to the system. When you sign on the system, your workstation is
attached to either a physical or virtual device description. To successfully sign on,
you must have *CHANGE authority to the device description.
The QLMTSECOFR (limit security officer) system value controls whether users
with *ALLOBJ or *SERVICE special authority must be specifically authorized to
device descriptions.
Figure 35 on page 178 shows the logic for determining whether a user is allowed to
sign on at a device:
Note: Normal authority checking is performed to determine whether the user has
at least *CHANGE authority to the device description. *CHANGE authority
may be found by using the following:
v *ALLOBJ special authority from the user profile, group profile, or
supplemental group profiles.
v Private authority to the device description in the user profile, the group
profile, or supplemental group profiles.
Authority checking for the device description is done before any programs
are in the program stack for the job; therefore, adopted authority does not
apply.
The security officer (QSECOFR), service (QSRV), and basic service (QSRVBAS) user
profiles are always allowed to sign on at the console. The QCONSOLE (console)
system value is used to determine which device is the console. If the QSRV or
QSRVBAS profile attempts to sign on at the console and does not have *CHANGE
authority, the system grants *CHANGE authority to the profile and allows sign-on.
To limit the users who can sign on at a workstation, set the public authority for the
workstation to *EXCLUDE and give *CHANGE authority to specific users or
groups.
The security officer (QSECOFR) is not specifically given authority to any devices. If
the QLMTSECOFR system value is set to 1 (YES), you must give the security
officer *CHANGE authority to devices. Anyone with *OBJMGT and *CHANGE
authority to a device can give *CHANGE authority to another user.
If a device description is created by the security officer, the security officer owns
that device and is specifically given *ALL authority to it. When the system
automatically configures devices, most devices are owned by the QPGMR profile.
Devices created by the QLUS program (*APPC type devices) are owned by the
QSYS profile.
If you plan to use the QLMTSECOFR system value to limit where the security
officer can sign on, any devices you create should be owned by a profile other than
QSECOFR.
The file QSYS/QAWTSSRC is deleted and restored each time the OS/400
operating system is installed. If you plan to create your own version of the signon
screen, then you should first copy the appropriate source file member, either
QDSIGNON or QDSIGNON2, to your own source file and make changes to the
copy in your source file.
At security levels 30 and higher, the system logs an entry (type AF, sub-type S) in
the audit journal, if default sign-on is attempted and the auditing function is
active. At security level 40 and higher, the system does not permit default sign-on,
even if a combination of workstation entry and job description exists that would
allow it. See “Signing On without a User ID and Password” on page 14 for more
information.
Make sure all workstation entries for interactive subsystems refer to job
descriptions with USER(*RQD). Control the authority to change job descriptions
and monitor any changes that are made to job descriptions. If the auditing function
is active, the system writes a JD type journal entry every time the USER parameter
in a job description is changed.
A job description also represents a potential security exposure. In some cases, a job
description that specifies a profile name for the USER parameter can allow a job to
enter the system without appropriate security checking. “Controlling How Jobs
Enter the System” on page 181 discusses how this can be prevented for interactive
and communications jobs.
When a batch job is submitted, the job might run under a profile other than that
of the user who submitted the job. The profile can be specified on the SBMJOB
command, or it can come from the USER parameter of the job description. If your
system is at security level (QSECURITY system value) 30 or lower, the user
submitting a job needs authority to the job description but not to the user profile
specified on the job description. This represents a security exposure. At security
level 40 and higher, the submitter needs authority to both the job description and
the user profile.
For example:
v USERA is not authorized to file PAYROLL.
v USERB has *USE authority to the PAYROLL file and to program PRLIST, which
lists the PAYROLL file.
v Job description PRJOBD specifies USER(USERB). Public authority for PRJOBD is
*USE.
At security level 30 or lower, USERA can list the payroll file by submitting a batch
job:
SBMJOB RQSDTA('CALL PRLIST') JOBD(PRJOBD) +
       USER(*JOBD)
You can prevent this by using security level 40 and higher or by controlling the
authority to job descriptions that specify a user profile.
Sometimes, a specific user profile name in a job description is required for certain
types of batch work to function properly. For example, the QBATCH job
description is shipped with USER(QPGMR). This job description is shipped with
the public authority of *CHANGE.
If your system is at security level 30 or lower, any user on the system who has
authority to the Submit Job (SBMJOB) command or the start reader commands can
submit work under the programmer (QPGMR) user profile, whether or not the
user has authority to the QPGMR profile. At security level 40 and higher, *USE
authority to the QPGMR profile is required. Depending on your security needs,
you may want to change the public authority of the QBATCH job description to
*EXCLUDE.
Attention: All jobs need the ability to add new messages to the QSYSOPR message
queue. Do not make the public authority to QSYSOPR *EXCLUDE.
Library Lists
The library list for a job indicates which libraries are to be searched and the order
in which they are to be searched. When a program specifies an object, the object
can be specified with a qualified name, which includes both the object name and
the library name. Or, the library for the object can be specified as *LIBL (library
list). The libraries on the library list are searched, in order, until the object is found.
Table 106 summarizes the parts of the library list and how they are built during a
job. The sections that follow discuss the risks and protection measures for library
lists.
Table 106. Parts of the Library List. The library list is searched in this sequence:
Part                                 How It Is Built
System portion (15 entries)          Initially built using the QSYSLIBL system value. Can be
                                     changed during a job with the CHGSYSLIBL command.
Product library portion (2 entries)  Initially blank. A library is added to the product library
                                     portion of the library list when a command or menu runs
                                     that was created with a library in the PRDLIB parameter.
                                     The library remains in the product library portion of the
                                     library list until the command or menu ends.
Current library (1 entry)            Specified in the user profile or on the Sign On display.
                                     Can be changed when a command or menu runs that specifies
                                     a library for the CURLIB parameter. Can be changed during
                                     the job with the CHGCURLIB command.
User portion (250 entries)           Initially built using the initial library list from the
                                     user’s job description. If the job description specifies
                                     *SYSVAL, the QUSRLIBL system value is used. During a job,
                                     the user portion of the library list can be changed with
                                     the ADDLIBLE, RMVLIBLE, CHGLIBL, and EDTLIBL commands.
Following are two examples of how changes to a library list might break security
requirements:
Change in Function
Figure 36 shows an application library. Program A calls Program B, which is
expected to be in LIBA. Program B performs updates to File A. Program B is called
without a qualified name, so the library list is searched until Program B is found.
Figure 36. Library list and application library (diagram rendered as text):
Library list: QSYS, LIBA. Library LIBA contains Program A, File A, and Program B.
Second diagram, with another library placed ahead of LIBA (rendered as text):
Library list: QSYS, LIBB, LIBA. Library LIBB contains a Program B, which is found first because LIBB is searched before LIBA. Library LIBA contains Program A, File A, and Program B.
Only a user with *ALLOBJ and *SECADM special authority can change the
QSYSLIBL system value. Control and monitor any changes to the system portion of
the library list. Follow these guidelines when adding libraries:
v Only libraries that are specifically controlled should be placed on this list.
v The public should not have *ADD authority to these libraries.
v A few IBM-supplied libraries, such as QGPL, are shipped with public authority
*ADD for production reasons. Regularly monitor which objects (particularly
programs, source files, and commands) are added to these libraries.
As long as CMDX is running, LIBB is in the product portion of the library list.
Use these measures to protect the product portion of the library list:
v Control authority to the Create Command (CRTCMD), Change Command
(CHGCMD), Create Menu (CRTMNU), and Change Menu (CHGMNU)
commands.
v When you create commands and menus, specify PRDLIB(*NONE), which
removes any entries currently in the product portion of the library list. This
protects you from having unknown libraries searched ahead of the library you
expect when your command or menu runs.
Following are some suggested alternatives for controlling the user portion of the
library list to make sure unauthorized libraries with substitute programs and files
are not used during processing:
v Restrict users of production applications to a menu environment. Set the Limit
capabilities field in user profiles to *YES to restrict their ability to enter
commands. “Planning Menus” on page 204 provides an example of this
environment.
v Use qualified names (object and library) in your applications. This prevents the
system from searching the library list to find an object.
v Control the ability to change job descriptions, because the job description sets
the initial library list for a job.
v Use the Add Library List Entry (ADDLIBLE) command at the beginning of the
program to ensure the desired objects are at the beginning of the user portion of
the library list. At the end of the program, the library can be removed.
If the library is already on the library list, but you are not sure if it is at the
beginning of the list, you must remove the library and add it. If the sequence of
the library list is important to other applications on the system, use the next
method instead.
v Use a program that retrieves and saves the library list for a job. Replace the
library list with the list desired for the application. When the application ends,
return the library list to its original setting. See “Controlling the User Library
List” on page 203 for an example of this technique.
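To make the search order in Table 106 and the "Change in Function" example concrete, here is an added Python model (not code from the manual or from IBM) of how an object name with library *LIBL is resolved, together with a defender's check that lists objects shadowed by a same-named object earlier in the search order. The library names, object names and catalog contents are constructed; on a real system the catalog would be built from DSPOBJD output.

```python
"""Model of the iSeries library list search summarised in Table 106.

Added example, not IBM code: it simulates how an unqualified object name
(library *LIBL) is resolved against the four parts of the library list,
and adds a check that reports objects shadowed by a same-named object
earlier in the search order. Names and catalog contents are constructed.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class LibraryList:
    """The parts of the library list, in the order they are searched."""
    system: List[str] = field(default_factory=lambda: ["QSYS"])  # from QSYSLIBL
    product: List[str] = field(default_factory=list)              # PRDLIB of a running command/menu
    current: Optional[str] = None                                 # CURLIB
    user: List[str] = field(default_factory=list)                 # from the job description

    def search_order(self) -> List[str]:
        order = list(self.system) + list(self.product)
        if self.current is not None:
            order.append(self.current)
        return order + list(self.user)

    def addlible_first(self, lib: str) -> None:
        """ADDLIBLE at the start of a program: put `lib` first in the user
        portion. A library already on the list must be removed and re-added
        to move it to the front, as the text notes."""
        if lib in self.user:
            self.user.remove(lib)
        self.user.insert(0, lib)


Catalog = Dict[str, Set[str]]   # library name -> names of objects it contains


def resolve(libl: LibraryList, catalog: Catalog, name: str,
            library: str = "*LIBL") -> Optional[Tuple[str, str]]:
    """Return (library, object) where `name` is found, or None.
    A qualified name bypasses the library list; *LIBL searches it in order."""
    if library != "*LIBL":
        return (library, name) if name in catalog.get(library, set()) else None
    for lib in libl.search_order():
        if name in catalog.get(lib, set()):
            return (lib, name)
    return None


def shadowed_objects(libl: LibraryList, catalog: Catalog) -> List[Tuple[str, str, str]]:
    """Defender's check: objects that *LIBL would never reach because a
    same-named object sits in an earlier library. Each finding is
    (object, library found first, library shadowed)."""
    first_seen: Dict[str, str] = {}
    findings: List[Tuple[str, str, str]] = []
    for lib in libl.search_order():
        for obj in sorted(catalog.get(lib, set())):
            if obj in first_seen:
                findings.append((obj, first_seen[obj], lib))
            else:
                first_seen[obj] = lib
    return findings


# Constructed catalog for the "Change in Function" example: LIBA holds the
# real application, LIBB holds a substitute Program B.
CATALOG: Catalog = {
    "QSYS": {"QCMDEXC"},
    "LIBA": {"PGMA", "PGMB", "FILEA"},
    "LIBB": {"PGMB"},
}


def demo() -> dict:
    normal = LibraryList(user=["LIBA"])
    altered = LibraryList(user=["LIBB", "LIBA"])   # LIBB placed ahead of LIBA
    return {
        "normal": resolve(normal, CATALOG, "PGMB"),
        "altered": resolve(altered, CATALOG, "PGMB"),
        "qualified": resolve(altered, CATALOG, "PGMB", library="LIBA"),
        "findings": shadowed_objects(altered, CATALOG),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key:>10}: {value}")
```

With LIBB ahead of LIBA, the unqualified call finds LIBB/PGMB; the qualified call still finds LIBA/PGMB; and the check reports PGMB in LIBA as shadowed by LIBB, which is the condition to look for when reviewing a job's library list.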
Printing
Most information that is printed on your system is stored as a spooled file on an
output queue while it is waiting to print. Unless you control the security of output
queues on your system, unauthorized users can display, print, and even copy
confidential information that is waiting to print.
One method for protecting confidential output is to create a special output queue.
Send confidential output to the output queue and control who can view and
manipulate the spooled files on the output queue.
When you create a spooled file, you are the owner of that file. You can always
view and manipulate any spooled files you own, regardless of how the authority
for the output queue is defined. You must have *READ authority to add new
entries to an output queue. If your authority to an output queue is removed, you
can still access any entries you own on that queue using the Work with Spooled
Files (WRKSPLF) command.
The security parameters for an output queue are specified using the Create Output
Queue (CRTOUTQ) command or the Change Output Queue (CHGOUTQ)
command. You can display the security parameters for an output queue using the
Work with Output Queue Description (WRKOUTQD) command.
Attention: A user with *SPLCTL special authority can perform all functions on all
entries, regardless of how the output queue is defined. Some parameters on the
output queue allow a user with *JOBCTL special authority to view the contents of
entries on the output queue.
*OWNER Only the owner of a spooled file or a user with *SPLCTL (spool
control) can display, copy, send, or move the file. If the
OPRCTL value is *YES, users with *JOBCTL special authority
can hold, change, delete, and release spooled files on the
output queue, but they cannot display, copy, send, or move the
spooled files. This is intended to allow operators to manage
entries on an output queue without being able to view the
contents.
The authority and output queue parameters for all commands associated with
spooled files are listed on “Spooled File Commands” on page 415. Output queue
commands are listed on “Output Queue Commands” on page 392.
Attention: A user with *SPLCTL (spool control) special authority is not subject to
any authority restrictions associated with output queues. *SPLCTL special
authority allows the user to perform all operations on all output queues. Carefully
evaluate giving *SPLCTL special authority to any user.
Even if the security officers on a system have *ALLOBJ special authority, they
are not able to access spooled files owned by others on the SECOUTQ output
queue.
v Create an output queue that is shared by users printing confidential files and
documents. Users can work with only their own spooled files. System operators
can work with the spooled files, but they cannot display the contents of the files.
CRTOUTQ OUTQ(QGPL/CFOUTQ) DSPDTA(*OWNER) +
AUTCHK(*OWNER) OPRCTL(*YES) AUT(*USE)
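The following added Python model (not code from the manual or from IBM) encodes the rules this section states for a queue created like CFOUTQ above, with DSPDTA(*OWNER), AUTCHK(*OWNER) and OPRCTL(*YES): the spooled file's owner and any *SPLCTL user can do everything, a *JOBCTL user can hold, change, delete and release entries but cannot display, copy, send or move them, and nobody else, *ALLOBJ holders included, can act on entries they do not own. The user names and the queue are constructed; other DSPDTA and AUTCHK values are not described here and the model refuses them rather than guess.

```python
"""Model of spooled file access on an output queue created with
DSPDTA(*OWNER) AUTCHK(*OWNER) OPRCTL(*YES).

Added example, not IBM code: it encodes only the rules stated in the
text. Users, special authorities and queue names are constructed.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List

CONTENT_OPS = frozenset({"display", "copy", "send", "move"})
MANAGE_OPS = frozenset({"hold", "change", "delete", "release"})


@dataclass(frozen=True)
class OutputQueue:
    name: str
    dspdta: str = "*OWNER"
    autchk: str = "*OWNER"
    oprctl: str = "*YES"


@dataclass(frozen=True)
class User:
    name: str
    special: FrozenSet[str] = frozenset()   # e.g. *SPLCTL, *JOBCTL, *ALLOBJ


def allowed(user: User, outq: OutputQueue, splf_owner: str, op: str) -> bool:
    """True if `user` may perform `op` on a spooled file owned by `splf_owner`."""
    if op not in CONTENT_OPS | MANAGE_OPS:
        raise ValueError(f"unknown spooled file operation {op!r}")
    if outq.dspdta != "*OWNER" or outq.autchk != "*OWNER":
        # Other DSPDTA/AUTCHK values are not described in this section.
        raise NotImplementedError("model covers DSPDTA(*OWNER) AUTCHK(*OWNER) only")
    if user.name == splf_owner or "*SPLCTL" in user.special:
        return True                    # owner and spool control: everything
    if outq.oprctl == "*YES" and "*JOBCTL" in user.special:
        return op in MANAGE_OPS        # operators manage entries but cannot read them
    return False                       # *ALLOBJ alone grants nothing here


def access_matrix(users: List[User], outq: OutputQueue,
                  splf_owner: str) -> Dict[str, List[str]]:
    """Per user, the operations that succeed on one spooled file."""
    ops = sorted(CONTENT_OPS | MANAGE_OPS)
    return {u.name: [op for op in ops if allowed(u, outq, splf_owner, op)]
            for u in users}


# Constructed scenario: CFOUTQ as created by the CRTOUTQ command above.
CFOUTQ = OutputQueue("CFOUTQ")
USERS = [
    User("USERA"),                                       # owns the spooled file
    User("QSYSOPR", frozenset({"*JOBCTL"})),             # system operator
    User("SECOFR", frozenset({"*ALLOBJ", "*SECADM"})),   # security officer
    User("SPLADMIN", frozenset({"*SPLCTL"})),            # spool control
]


def demo() -> Dict[str, List[str]]:
    return access_matrix(USERS, CFOUTQ, splf_owner="USERA")


if __name__ == "__main__":
    for name, ops in demo().items():
        print(f"{name:<9} {', '.join(ops) or '(none)'}")
```

Running it shows the security officer with *ALLOBJ getting no operations at all on USERA's file, while the operator gets only the four management operations, which is the outcome the section describes and a useful thing to verify before relying on an output queue for confidential output.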
Network Attributes
Network attributes control how your system communicates with other systems.
Some network attributes control how remote requests to process jobs and access
information are handled. These network attributes directly affect security on your
system and are discussed in the topics that follow:
Job action (JOBACN)
Client request access (PCSACC)
DDM request access (DDMACC)
Possible values for each network attribute are shown. The default value is
underlined. To set the value of a network attribute, use the Change Network
Attribute (CHGNETA) command.
Recommendations
If you do not expect to receive remote job requests on your system, set the
JOBACN network attribute to *REJECT.
For more information about the JOBACN attribute, refer to the SNA Distribution
Services book.
Note: The PCSACC network attribute controls only the DOS and OS/2® clients. This
attribute has no effect on any other Client Access clients.
*REJECT Client Access rejects every request from the personal computer
to access objects on the iSeries system. An error message is sent
to the PC application.
*OBJAUT The Client Access programs on the system verify normal object
authorities for any object requested by a PC program. For
example, if file transfer is requested, authority to copy data
from the database file is checked.
*REGFAC The system uses the system’s registration facility to determine
which exit program (if any) to run. If no exit program is
defined for an exit point and this value is specified, *OBJAUT
is used.
qualified-program-name The Client Access program calls this user-written exit program
to determine if the PC request should be rejected. The exit
program is called only if normal authority checking for the
object is successful. The Client Access program passes
information about the user and the requested function to the
exit program. The program returns a code indicating whether
the request should be allowed or rejected. If the return code
indicates the request should be rejected or if an error occurs, an
error message is sent to the personal computer.
Several methods are available to prevent an iSeries workstation user with *USE
authority to a file from copying the file:
v Setting LMTCPB(*YES) in the user profile.
v Restricting authority to commands that copy files.
v Restricting authority to commands used by Client Access.
v Not giving the user *ADD authority to any library. *ADD authority is required
to create a new file in a library.
v Not giving the user access to any *SAVRST device.
None of these methods work for the PC user of the Client Access licensed
program. Using an exit program to verify all requests is the only adequate
protection measure.
The Client Access program passes information for the following types of access to
the user exit program called by the PCSACC network attribute:
For additional information on Client Access, refer to the Information Center (see
“Prerequisite and related information” on page xvi for details).
*REJECT The system does not allow any DDM or DRDA® requests from
remote systems. *REJECT does not prevent this system from
functioning as the requester system and sending requests to
other server systems.
*OBJAUT Remote requests are controlled by the object authority on the
system.
qualified-program-name This user-written exit program is called after normal object
authority has been verified. The exit program is called only for
DDM files, not for distributed relational database functions.
The exit program is passed a parameter list, built by the remote
system, that identifies the local system user and the request.
The program evaluates the request and sends a return code,
granting or denying the requested access.
For more information about the DDMACC network attribute and the security
issues associated with DDM, see the Information Center (see “Prerequisite and
related information” on page xvi for details).
A user with *OBJEXIST authority to an object can also restore a new copy of an
object over an existing object. In the case of a program, the restored program might
have been created on a different system. It might perform different functions. For
example, assume the original program worked with confidential data. The new
version might perform the same functions, but it might also write a copy of
confidential information to a secret file in the programmer’s own library. The
programmer does not need authority to the confidential data because the regular
users of the program will be accessing the data.
Note: You may want your system operators to have authority only to the save
commands. In that case, secure the save commands and the restore
commands with two separate authorization lists.
7. To restrict the save and restore APIs and secure it with the authorization list,
type the following commands:
GRTOBJAUT OBJ(QSRSAVO) OBJTYPE(*PGM) AUTL(SRLIST)
GRTOBJAUT OBJ(QSRSAVO) OBJTYPE(*PGM) USER(*PUBLIC) AUT(*AUTL)
GRTOBJAUT OBJ(QSRLIB01) OBJTYPE(*SRVPGM) AUTL(SRLIST)
GRTOBJAUT OBJ(QSRLIB01) OBJTYPE(*SRVPGM) USER(*PUBLIC) AUT(*AUTL)
Several work management objects affect the performance of jobs in the system:
v The class sets the run priority and time slice for a job.
v The routing entry in the subsystem description determines the class and the
storage pool the job uses.
v The job description can determine the output queue, output priority, job queue,
and job priority.
Knowledgeable users with appropriate authority can create their own environment
on the system and give themselves better performance than other users. Control
this by limiting the authority to create and change work management objects. Set
the public authority to work management commands to *EXCLUDE and grant
authority to a few trusted users.
For example, to restrict the command that runs program RPTA to batch, do the
following:
v Create a command to run RPTA and specify that the command can be run only
in batch:
CRTCMD CMD(RPTA) PGM(RPTA) ALLOW(*BATCH *BPGM)
To restrict compiles to batch, do the following for the create command for each
program type:
CHGCMD CMD(CRTxxxPGM) ALLOW(*BATCH *BPGM)
The Basic System Security and Planning topic in the Information Center is
intended for the security administrator. It contains forms, examples, and guidelines
for planning security for applications that have already been developed. If you
have responsibility for designing an application, you may find it useful to review
the forms and examples in the Information Center (see “Prerequisite and related
information” on page xvi for details). They can help you view your application
from the perspective of a security administrator and understand what information
you need to provide.
The Basic System Security and Planning topic in the Information Center also uses a
set of example applications for a fictional company called the JKL Toy Company.
This chapter discusses design considerations for the same set of example
applications. Figure 38 on page 196 shows the relationships between user groups,
applications, and libraries for the JKL Toy Company:
Libraries
Overall Recommendations
The recommendations in this chapter and in the Basic System Security and
Planning topic in the Information Center rely on one important principle:
simplicity. Keeping your security design as simple as possible makes it easier to
manage and audit security. It also improves application performance and backup
performance.
Attention: It is not sufficient to use only limited capabilities in the user profile
and menu access control to secure your system if you use a product
such as Client Access/400 or have communication lines attached to
your system. You must use resource security to secure those objects
you do not want accessible through these interfaces.
v Secure only those objects that really require security. Analyze a library to
determine which objects, such as data files, are confidential and secure those
objects. Use public authority for other objects, such as data areas and message
queues.
v Move from the general to the specific:
– Plan security for libraries. Deal with individual objects only when necessary.
– Plan public authority first, followed by group authority and individual
authority.
Products that you use on the system, and on clients with which the system
interfaces, may have problems when the password level (QPWDLVL) system value
is set to 2 or 3. Any product or client that sends passwords to the system in an
encrypted form, rather than in the clear text a user enters on a sign-on screen,
must be upgraded to work with the new password encryption rules for QPWDLVL
2 or 3. Sending the encrypted password is known as password substitution.
Password substitution is used to prevent a password from being captured during
transmission over a network. Password substitutes generated by older clients that
do not support the new algorithm for QPWDLVL 2 or 3 will not be accepted, even
if the specific characters typed in are correct. This also applies to any
iSeries-to-iSeries peer access that uses the encrypted values to authenticate from
one system to another.
The problem is compounded by the fact that some affected products (for example,
the Java Toolbox) are provided as middleware. A third-party product that
incorporates a prior version of one of these products will not work correctly until
it is rebuilt using an updated version of the middleware.
Given this and other scenarios, it is easy to see why careful planning is necessary
before changing the QPWDLVL system value.
Regardless of the password level of the system, password level 2 and 3 passwords
are created whenever a password is changed or a user signs on to the system.
Having a level 2 and 3 password created while the system is still at password level
0 or 1 helps prepare for the change to password level 2 or 3.
If a user profile does not have a password that is usable at password levels 2 and
3, the user profile does have a password that is usable at password levels 0 and 1,
and the user signs on through a product that sends clear text passwords, then the
system validates the user against the password level 0 password and creates two
password level 2 passwords (as described above) for the user profile. Subsequent
sign-ons will be validated against the password level 2 passwords.
Any client or service that uses password substitution will not work correctly at
QPWDLVL 2 if it has not been updated to use the new password (passphrase)
substitution scheme. The administrator should check whether a client or service
that has not been updated to the new password substitution scheme is required.
The following sections each discuss the work required to move back to a lower
password level.
Additionally, the password system values may have to be changed back to values
compatible with NetServer and password level 0 or 1 passwords, if those
passwords are needed.
For example, changing the password to a value of RainyDay would result in the
system generating a password level 0 and 1 password of RAINYDAY. But
changing the password value to Rainy Days In April would cause the system to
clear the password level 0 and 1 password (because the password is too long and
it contains blanks).
Planning Libraries
Many factors affect how you choose to group your application information into
libraries and manage libraries. This topic addresses some of the security issues
associated with library design.
To access an object, you need authority to the object itself and to the library
containing the object. You can restrict access to an object by restricting the object
itself, the library containing the object, or both.
A library is like a directory used to locate the objects in the library. *USE authority
to a library allows you to use the directory to find objects in the library. The
authority for the object itself determines how you can use the object. *USE
authority to a library is sufficient to perform most operations on the objects in the
library. See “Library Security” on page 115 for more information about the
relationship between library and object authority.
Using public authority for objects and restricting access to libraries can be a
simple, effective security technique. Putting programs in a separate library from
other application objects can also simplify security planning. This is particularly
true if files are shared by more than one application. You can use authority to the
libraries containing application programs to control who can perform application
functions.
Following are two examples of using library security for the JKL Toy Company
applications. (See Figure 38 on page 196 for a diagram of the applications.)
v The information in the CONTRACTS library is considered confidential. The
public authority for all the objects in the library is sufficient to perform the
functions of the Pricing and Contracts application (usually *CHANGE). The
public authority to the CONTRACTS library itself is *EXCLUDE. Only users or
groups authorized to the Contracts and Pricing application are granted *USE
authority to the library.
v The JKL Toy Company is a small company with a nonrestrictive approach to
security, except for the contract and pricing information. All system users are
allowed to view customer and inventory information, although only authorized
users can change it. The CUSTLIB and the ITEMLIB libraries, and the objects in
the libraries, have public authority of *USE. Users can view information in these
libraries through their primary application or by using Query. The program
libraries have public authority *EXCLUDE. Only users who are allowed to
change inventory information have access to the ICPGMLIB. Programs that
Library Lists
The library list for a job provides flexibility. It also represents a security exposure.
This exposure is particularly important if you use public authority for objects and
rely on library security as your primary means of protecting information. In this
case, a user who gains access to a library has uncontrolled access to the
information in the library. The topic “Library Lists” on page 183 provides a
discussion of security issues associated with library lists.
To avoid the security risks of library lists, your applications can specify qualified
names. When both the object name and the library are specified, the system does
not search the library list. This prevents a potential intruder from using the library
list to circumvent security.
PGM
  DCL &USRLIBL *CHAR LEN(2750)  /* Saved user portion, 250 entries x 11 */
  DCL &CURLIB  *CHAR LEN(10)    /* Saved current library                */
  DCL &ERROR   *LGL             /* Set when any escape message occurs   */
  DCL &CMD     *CHAR LEN(2800)  /* CHGLIBL command string for QCMDEXC   */
  /* Any unmonitored escape message branches to SETERROR, so the      */
  /* original library list is restored even when processing fails.   */
  MONMSG MSGID(CPF0000) EXEC(GOTO CMDLBL(SETERROR))
  /* Save the job's user library list and current library.           */
  RTVJOBA USRLIBL(&USRLIBL) CURLIB(&CURLIB)
  /* RTVJOBA returns *NONE when there is no current library;         */
  /* CHGLIBL expects *CRTDFT for that case.                           */
  IF COND(&CURLIB *EQ '*NONE') THEN(CHGVAR VAR(&CURLIB) VALUE('*CRTDFT'))
  /* Replace the library list with the one this application needs.   */
  CHGLIBL LIBL(QGPL) CURLIB(*CRTDFT)
  /*********************************/
  /*                               */
  /* Normal processing             */
  /*                               */
  /*********************************/
  GOTO CMDLBL(ENDPGM)
SETERROR: CHGVAR VAR(&ERROR) VALUE('1')
  /* Rebuild the CHGLIBL command from the saved values and run it   */
  /* through QCMDEXC; this is reached on both normal and error exits. */
ENDPGM:   CHGVAR VAR(&CMD) +
            VALUE('CHGLIBL LIBL(' *CAT &USRLIBL *CAT +
                  ') CURLIB(' *CAT &CURLIB *TCAT ')')
  CALL PGM(QCMDEXC) PARM(&CMD 2800)
  /* Signal the failure to the caller only after the list is restored. */
  IF COND(&ERROR) THEN(SNDPGMMSG MSGID(CPF9898) MSGF(QCPFMSG) +
                         MSGTYPE(*ESCAPE) +
                         MSGDTA('The xxxx error occurred'))
ENDPGM

Figure 39. Program to Replace and Restore Library List
Notes:
1. Regardless of how the program ends (normally or abnormally), the library list
is returned to the version it held when the program was called, because error
handling includes restoring the library list.
2. Because the CHGLIBL command requires a list of library names, it cannot be
run directly. The RTVJOBA command, therefore, retrieves the libraries used to
build the CHGLIBL command as a variable. The variable is passed as a
parameter to the QCMDEXC function.
3. If you exit to an uncontrolled function (for example, a user program, a menu
that allows commands to be entered, or the Command Entry display) in the
middle of a program, your program should replace the library list on return, to
ensure adequate control.
Include on library lists? No. Library is added to library list by initial application program or initial query program.
No objects are added to the library during normal application processing.
List any objects requiring *OBJMGT or *OBJEXIST authority and what functions need that authority: All work files, whose names begin with the characters ICWRK, are cleared at month-end. This requires *OBJMGT authority.
Figure 40. Format for Describing Library Security
Planning Menus
Menus are a good method for providing controlled access on your system. You can
use menus to restrict a user to a set of strictly controlled functions by specifying
limited capabilities and an initial menu in the user profile.
To use menus as an access control tool, follow these guidelines when designing
them:
v Do not provide a command line on menus designed for restricted users.
At the JKL Toy Company, all users see an inquiry menu allowing access to most
files. For users who are not allowed to change information, this is the initial menu.
The return option on the menu signs the user off. For other users, this menu is
called by an inquiry option from application menus. By pressing F12 (Return), the
user returns to the calling menu. Because library security is used for program
libraries, this menu and the programs it calls are kept in the QGPL library:
1. Item Descriptions
2. Item Balances
3. Customer Information
4. Query
5. Office
No method exists in the resource security definitions for a user to have different
authority to a file in different circumstances. However, using adopted authority
allows you to define authority to meet different requirements.
Note: “Objects That Adopt the Owner’s Authority” on page 128 describes how
adopted authority works. “Flowchart 8: How Adopted Authority Is
Checked” on page 159 describes how the system checks for adopted
authority.
The programs that start applications (ICSTART and COSTART) adopt the authority
of a profile that owns the application objects. The programs add application
libraries to the library list and display the initial application menu. Following is an
example of the Inventory Control program (ICSTART).
PGM
ADDLIBLE ITEMLIB
ADDLIBLE ICPGMLIB
GO ICMENU
RMVLIBLE ITEMLIB
RMVLIBLE ICPGMLIB
ENDPGM
The program that starts Query (QRYSTART) adopts the authority of a profile
(QRYUSR) provided to allow access to files for queries. Figure 44 shows the
QRYSTART program:
PGM
ADDLIBLE ITEMLIB
ADDLIBLE CUSTLIB
STRQRY
RMVLIBLE ITEMLIB
RMVLIBLE CUSTLIB
ENDPGM
The menu system uses three types of user profiles, shown in Table 108. Table 109
on page 207 describes the objects used by the menu system.
Table 108. User Profiles for Menu System
Profile Type | Description | Password | Limit Capabilities | Special Authorities | Initial Menu
Application owner | Owns all application objects and has *ALL authority. OWNIC owns the Inventory Control application. | *NONE | N/A | As needed by application | N/A
Application user (see note 1) | Example profile for anyone who uses the menu system | Yes | *YES | None | MENU1
Query profile | Used to provide access to libraries for query | *NONE | N/A | None | N/A
Note 1: The current library specified in the application user profile is used to store any queries created. The
Attention-key-handling program is *ASSIST, giving the user access to basic system functions.
Object | Owner | Public Authority | Private Authority | Comments
MENU1 in QGPL library | See Note | *EXCLUDE | *USE authority for any users who are allowed to use the menu | In QGPL library because users do not have authority to application libraries
ICSTART program in QGPL | OWNIC | *EXCLUDE | *USE authority for users authorized to Inventory Control application | Created with USRPRF(*OWNER) to adopt OWNIC authority
QRYSTART program in QGPL | QRYUSR | *EXCLUDE | *USE authority for users authorized to create or run queries | Created with USRPRF(*OWNER) to adopt QRYUSR authority
ITEMLIB | OWNIC | *EXCLUDE | QRYUSR has *USE |
ICPGMLIB | OWNIC | *EXCLUDE | |
Files available for Query in ITEMLIB | OWNIC | *USE | |
Files not available for Query in ITEMLIB | OWNIC | *EXCLUDE | |
Programs in ICPGMLIB | OWNIC | *USE | |
Note: A special owner profile can be created for objects used by multiple applications.
When USERA exits ICMENU and returns to MENU1, the ITEMLIB and ICPGMLIB
libraries are removed from the USERA library list, and program ICSTART is
removed from the program stack. USERA is no longer running under adopted
authority.
When USERA selects option 3 (Query) from MENU1, program QRYSTART runs.
The program adopts the authority of QRYUSR, giving *USE authority to the
ITEMLIB library. The public authority to the files in ITEMLIB determines which
files USERA is allowed to query.
This technique has the advantage of minimizing the number of private authorities
and providing good performance when checking authority:
v The objects in the application libraries do not have private authorities. For some
application functions, public authority is adequate. If public authority is not
adequate, owner authority is used. “Case 8: Adopted Authority without Private
Authority” on page 167 shows the authority checking steps.
v Access to the files for query uses public authority to the files. The QRYUSR
profile is only specifically authorized to the ITEMLIB library.
Note: “Programs That Ignore Adopted Authority” on page 132 provides more
information about ignoring adopted authority. “Flowchart 8: How Adopted
Authority Is Checked” on page 159 describes how the system checks for
adopted authority.
1. Issues (ICPGM1)
2. Receipts (ICPGM2)
3. Purchases (ICPGM3)
4. Query (QRYSTART)
The authority information for the QRYSTART program is the same as shown in
Table 109 on page 207. The program is created with the use adopted authority
(USEADPAUT) parameter set to *NO, to ignore the adopted authority of previous
programs in the stack.
Following are comparisons of the program stacks when USERA selects query from
MENU1 (see Figure 42 on page 206) and from ICMENU:
Program stack when query selected from MENU1
MENU1 (no adopted authority)
QRYSTART (adopted authority QRYUSR)
Program stack when query selected from ICMENU
MENU1 (no adopted authority)
ICMENU (adopted authority OWNIC)
When USERA ends query and returns to ICMENU, adopted authority is once
again active. Adopted authority is ignored only as long as the QRYSTART program
is active.
The inquiry menu (Figure 41 on page 205) at the JKL Toy Company also uses this
technique, because it can be called from menus in different application libraries. It
adopts the authority of QRYUSR and ignores any other adopted authority in the
program stack.
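The program stack comparison above can be checked with the following added Python model (not code from the manual or from IBM). Each stack frame records the profile a program adopts through USRPRF(*OWNER) and its USEADPAUT setting; the profiles whose authority applies to the running program are the user's own plus those adopted by programs still on the stack, except that a program created with USEADPAUT(*NO) ignores what its callers adopted. ICSTART is shown adopting OWNIC as in Table 109, with ICMENU running under it. The program and profile names come from the example; the object authorities are constructed and simplified (no group profiles, authorization lists, or special authorities), so the model tracks the "Case 8" situation where objects have only public and owner authority.

```python
"""Model of adopted authority in the program stack (MENU1 / ICMENU /
QRYSTART example).

Added example, not IBM code. Program and profile names come from the
example; the object authorities are constructed and simplified.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

RANK = {"*EXCLUDE": 0, "*USE": 1, "*CHANGE": 2, "*ALL": 3}


@dataclass(frozen=True)
class Frame:
    program: str
    adopts: Optional[str] = None   # profile adopted via USRPRF(*OWNER)
    useadpaut: str = "*YES"        # *NO: ignore adopted authority of callers


def effective_profiles(user: str, stack: List[Frame]) -> Set[str]:
    """Profiles whose authority the program at the top of `stack` runs with."""
    adopted: List[str] = []
    for frame in stack:                   # oldest caller first
        if frame.useadpaut == "*NO":
            adopted = []                  # drop everything adopted lower in the stack
        if frame.adopts:
            adopted.append(frame.adopts)
    return {user} | set(adopted)


def authority_of(profile: str, entry: Dict[str, str]) -> str:
    """A private authority for `profile` wins; otherwise *PUBLIC applies."""
    return entry.get(profile, entry.get("*PUBLIC", "*EXCLUDE"))


def can_access(user: str, stack: List[Frame], obj: str,
               authorities: Dict[str, Dict[str, str]], needed: str = "*USE") -> bool:
    """True if any effective profile holds at least `needed` authority to `obj`.
    Simplified: no group profiles, authorization lists or special authorities."""
    entry = authorities[obj]
    return any(RANK[authority_of(p, entry)] >= RANK[needed]
               for p in effective_profiles(user, stack))


# Constructed authorities consistent with Table 109: libraries are *EXCLUDE
# to the public, OWNIC owns the application, QRYUSR has *USE to ITEMLIB.
AUTHORITIES: Dict[str, Dict[str, str]] = {
    "ITEMLIB":    {"*PUBLIC": "*EXCLUDE", "OWNIC": "*ALL", "QRYUSR": "*USE"},
    "ICPGMLIB":   {"*PUBLIC": "*EXCLUDE", "OWNIC": "*ALL"},
    "ITEMMASTER": {"*PUBLIC": "*USE", "OWNIC": "*ALL"},       # file available for Query
    "ITEMCOST":   {"*PUBLIC": "*EXCLUDE", "OWNIC": "*ALL"},   # file not available for Query
}

# Stacks when USERA selects Query from MENU1 and from ICMENU.
FROM_MENU1 = [Frame("MENU1"), Frame("QRYSTART", "QRYUSR", "*NO")]
FROM_ICMENU = [Frame("MENU1"), Frame("ICSTART", "OWNIC"), Frame("ICMENU"),
               Frame("QRYSTART", "QRYUSR", "*NO")]


def demo(user: str = "USERA") -> Dict[str, object]:
    back_in_icmenu = FROM_ICMENU[:-1]     # QRYSTART has returned
    return {
        "menu1_profiles": effective_profiles(user, FROM_MENU1),
        "icmenu_profiles": effective_profiles(user, FROM_ICMENU),
        "after_return_profiles": effective_profiles(user, back_in_icmenu),
        "query_itemcost": can_access(user, FROM_ICMENU, "ITEMCOST", AUTHORITIES),
        "query_itemmaster": can_access(user, FROM_ICMENU, "ITEMMASTER", AUTHORITIES),
        "icmenu_icpgmlib": can_access(user, back_in_icmenu, "ICPGMLIB", AUTHORITIES),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key:>22}: {value}")
```

Whichever menu Query is started from, the running profiles are USERA and QRYUSR only, so a file that is *EXCLUDE to the public stays out of reach even though OWNIC is further down the stack; once QRYSTART returns, OWNIC authority is active again in ICMENU.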
You can prevent users from selecting specific options from the System Request
Menu by restricting the authority to the associated commands. Table 110 shows the
commands associated with the menu options:
Table 110. Options and Commands for the System Request Menu
Option Command
1 Transfer Secondary Job (TFRSECJOB)
2 End Request (ENDRQS)
3 Display Job (DSPJOB)
4 Display Message (DSPMSG)
5 Send Message (SNDMSG)
6 Display Message (DSPMSG)
7 Display Work Station User (DSPWSUSR)
10 Start System Request at Previous System (TFRPASTHR). (See note
below.)
11 Transfer to previous system (TFRPASTHR). (See note below.)
12 Display 3270 emulation options (See note below.)
13 Start System Request at Home System (TFRPASTHR). (See note
below.)
14 Transfer to Home System (TFRPASTHR). (See note below.)
15 Transfer to End System (TFRPASTHR). (See note below.)
50 End Request on Remote System (ENDRDBRQS). (See note below.)
80 Disconnect Job (DSCJOB)
90 Sign-Off (SIGNOFF)
Notes:
1. Options 10, 11, 13, 14, and 15 are displayed only if display station pass-through has been
started with the Start Pass-Through (STRPASTHR) command. Option 10, 13, and 14 are
only displayed on the target system.
2. Option 12 is only displayed when 3270 emulation is active.
3. Option 50 is displayed only if a remote job is active.
4. Some of the options have restrictions for the System/36 environment.
If a user selects an option for which the user does not have authority, a message is
displayed.
If you want to prevent users from general use of the commands from the System
Request menu but still want them to be able to run a command at a specific time
(such as sign-off), you can create a CL program that adopts the authority of an
authorized user and runs the command.
You can change the authority to commands to meet your security requirements.
For example, you may want to prevent most users on your system from working
with communications. You can set the public authority to *EXCLUDE for all
commands that work with communications objects, such as the CHGCTLxxx,
CHGLINxxx, and CHGDEVxxx commands.
If you need to control which commands can be run by users, you can use object
authority to the commands themselves. Every command on the system has object
type *CMD and can be authorized to the public or only to specific users. To run a
command, the user needs *USE authority to it. Appendix C lists all the commands
that are shipped with the public authority set to *EXCLUDE.
If you use the System/38 library, you need to restrict security-relevant commands
in that library also. Or, you could restrict access to the entire library. If you use one
or more national language versions of the OS/400 licensed program on your
system, you need to restrict commands in the additional QSYSxxx libraries on your
system as well.
Another useful security measure is to change the default values for some
commands. The Change Command Default (CHGCMDDFT) command allows you
to do this.
For critical files on your system, keep a record of what users have authority to the
file. If you use group authority and authorization lists, you need to keep track of
users who have authority through those methods, as well as users who are directly
You can also use the journaling function on the system to monitor activity against
a critical file. Although the primary intent of a journal is to recover information, it
can be used as a security tool. It contains a record of who has accessed a file and
in what way. You can use the Display Journal (DSPJRN) command to view a
sampling of journal entries periodically.
A logical file can be used to specify a subset of records that a user can access (by
using select and omit logic). Therefore, specific users can be prevented from
accessing certain record types. A logical file can be used to specify a subset of fields
in a record that a user can access. Therefore, specific users can be prevented from
accessing certain fields in a record.
A logical file does not contain any data. It is a particular view of one or more
physical files that contain the data. Providing access to the information defined by
a logical file requires data authority to both the logical file and the associated
physical files.
Figure 47 shows an example of a physical file and three different logical files
associated with it.
(Figure 47, the CUSTMAST physical file and its three logical files, is not reproduced here.)
Members of the sales department (group profile DPTSM) are allowed to view all
fields, but they cannot change the credit limit. Members of the accounts receivable
department (group profile DPTAR) are allowed to view all fields, but they cannot
Physical file CUSTMAST, authority for *PUBLIC:
  Object authorities:  *OBJOPR ( )  *OBJMGT ( )  *OBJEXIST ( )  *OBJALTER ( )  *OBJREF ( )
  Data authorities:    *READ (X)  *ADD (X)  *UPD (X)  *DLT (X)  *EXECUTE (X)
  *EXCLUDE ( )
The public should have all data rights but no operational rights to the CUSTMAST
physical file. The public cannot access the CUSTMAST file directly because
*OBJOPR authority is required to open a file. The public’s authority makes all the
data rights potentially available to users of the logical file.
Logical file 1 (view available to all users):
  User/Group   Object Authority
  *PUBLIC      *USE
Logical file 2 (accounts receivable view):
  User/Group   Object Authority
  DPTAR        *CHANGE
  *PUBLIC      *USE
Logical file 3 (sales view):
  User/Group   Object Authority
  DPTSM        *CHANGE
  *PUBLIC      *USE
Making the group profile, such as DPTSM, the primary group for the logical file is
not necessary for this authority scheme to work. However, using primary group
authority eliminates searching private authorities for both the user attempting to
access the file and the user’s group. “Case 2: Using Primary Group Authority” on
page 163 shows how using primary group authority affects the authority checking
process.
You can specify data authorities for logical files beginning with V3R1 of the
OS/400 licensed program. When you move to V3R1 from an earlier version, the
system converts your logical files when the system is installed. The first time a
logical file is accessed, the system gives it all data authorities.
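The following Python model is an added example, not code from this manual. It encodes the rule stated above: *OBJOPR is needed on the file being opened, and the data right for the operation must be held on the logical file and on every physical file behind it, so the public's data rights on CUSTMAST are usable only through a logical file. The search order it uses (the user's private authority, then the accumulated authority of the user's groups, then *PUBLIC, with the first authority found being the one used) is a simplification of the authority-checking flow described in "How the System Checks Authority"; *ALLOBJ, adopted authority and authorization lists are left out. The logical file names, the user names and the TEMP profile are assumptions; only CUSTMAST, DPTAR and DPTSM come from the text.

```python
"""Model of the authority check for opening a logical file over a physical file.

Added example, not from the Security Reference. Names other than CUSTMAST,
DPTAR and DPTSM are made up for the demonstration.
"""

# Individual rights named in the text, and the system-defined combinations.
USE = frozenset({"*OBJOPR", "*READ", "*EXECUTE"})
CHANGE = USE | {"*ADD", "*UPD", "*DLT"}
DATA_ONLY = frozenset({"*READ", "*ADD", "*UPD", "*DLT", "*EXECUTE"})  # no *OBJOPR
EXCLUDE = frozenset()  # an explicit entry that grants nothing

# Data right each open mode requires, on the logical and on the physical file.
REQUIRED = {"read": "*READ", "update": "*UPD", "add": "*ADD", "delete": "*DLT"}


class File:
    def __init__(self, name, authorities, based_on=()):
        self.name = name
        self.auth = dict(authorities)    # profile -> set of rights
        self.based_on = list(based_on)   # physical files under a logical file

    def rights_for(self, user, groups):
        """First authority found wins: the user's own entry, then the
        accumulated entries of the user's groups, then *PUBLIC."""
        if user in self.auth:
            return self.auth[user]
        group_entries = [self.auth[g] for g in groups if g in self.auth]
        if group_entries:
            return frozenset().union(*group_entries)
        return self.auth.get("*PUBLIC", EXCLUDE)


def can_open(user, groups, f, mode):
    """True if `user` (member of `groups`) may open file `f` in `mode`."""
    need = REQUIRED[mode]
    mine = f.rights_for(user, groups)
    if "*OBJOPR" not in mine or need not in mine:
        return False
    # The data right must also be held on every physical file behind the view.
    return all(need in pf.rights_for(user, groups) for pf in f.based_on)


# Constructed setup following Figure 47: *PUBLIC has every data right but no
# *OBJOPR on the physical file, so CUSTMAST cannot be opened directly.
CUSTMAST = File("CUSTMAST", {"*PUBLIC": DATA_ONLY})
CUSTL1 = File("CUSTL1", {"*PUBLIC": USE}, [CUSTMAST])                   # everyone
CUSTL2 = File("CUSTL2", {"DPTAR": CHANGE, "*PUBLIC": USE}, [CUSTMAST])  # accounts receivable
CUSTL3 = File("CUSTL3", {"DPTSM": CHANGE, "*PUBLIC": USE}, [CUSTMAST])  # sales
# TEMP has an explicit *EXCLUDE on CUSTL1; the search stops there and *PUBLIC
# is never consulted (assumed profile).
CUSTL1.auth["TEMP"] = EXCLUDE


def demo():
    return {
        "clerk reads CUSTMAST directly": can_open("CLERK", [], CUSTMAST, "read"),
        "clerk reads CUSTL1": can_open("CLERK", [], CUSTL1, "read"),
        "clerk updates CUSTL1": can_open("CLERK", [], CUSTL1, "update"),
        "AR user updates CUSTL2": can_open("ARUSER", ["DPTAR"], CUSTL2, "update"),
        "AR user updates CUSTL3": can_open("ARUSER", ["DPTAR"], CUSTL3, "update"),
        "TEMP reads CUSTL1": can_open("TEMP", [], CUSTL1, "read"),
    }


def demo_missing_physical_right():
    """Same AR view, but *PUBLIC no longer has *UPD on the physical file:
    the group's *CHANGE on the logical file alone is not enough."""
    pf = File("CUSTMAST", {"*PUBLIC": DATA_ONLY - {"*UPD"}})
    lf = File("CUSTL2", {"DPTAR": CHANGE, "*PUBLIC": USE}, [pf])
    return can_open("ARUSER", ["DPTAR"], lf, "update")


if __name__ == "__main__":
    for case, allowed in demo().items():
        print(f"{case:32s} {'allowed' if allowed else 'denied'}")
    print("AR update without *UPD on CUSTMAST:", demo_missing_physical_right())
```

The last function is the check a practitioner most often gets wrong: tightening data authority on the physical file silently breaks the group's update path through the view, while loosening it does nothing until a logical file exposes it.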
Overriding Files
Override commands can be used to have a program use a different file with the
same format. For example, assume that a program in the contracts and pricing
application at the JKL Toy Company writes pricing information to a work file
before making price changes. A user with access to a command line who wanted to
capture confidential information could use an override command to cause the
program to write data to a different file in a library controlled by the user. You can
make sure a program processes the correct files by using override commands with
SECURE(*YES) before the program runs.
If you use authorization lists, then you should not have private authorities on the
object. Two searches of the user’s private authorities are required during the
authority checking if the object has private authorities and the object is also
secured by an authorization list. The first search is for the private authorities on
the object; the second search is for the private authorities on the authorization list.
Two searches require use of system resources; therefore, the performance can be
impacted. If you use only the authorization list, only one search is performed.
Also, because of the use of authority caching with the authorization list, the
performance for the authority check will be the same as it is for checking only
private authorities on the object.
You can create profiles specifically to be group profiles, or you can make an
existing profile into a group profile. A group profile is simply a special type of user
profile. It becomes a group profile when one of the following occurs:
v Another profile designates it as a group profile
v You assign a group identification number (gid) to it.
For example:
1. Create a profile called GRPIC:
CRTUSRPRF GRPIC
2. When the profile is created, it is an ordinary profile, not a group profile.
3. Designate GRPIC as the group profile for another group profile:
CHGUSRPRF USERA GRPPRF(GRPIC)
4. The system now treats GRPIC as a group profile and assigns a gid to it.
Often, one group of users is responsible for some information on the system, such
as customer information. That group needs more authority to the information than
other system users. By using primary group authority, you can set up this type of
authority scheme without affecting the performance of authority checking. “Case 2:
Using Primary Group Authority” on page 163 shows an example of this.
Note: The sequence in which private authorities are specified for an object has
no effect on authority checking performance.
v If you plan to use multiple groups, study the authority checking process
described in “How the System Checks Authority” on page 148. Be sure you
understand how using multiple groups in combination with other authority
techniques, such as authorization lists, may affect your system performance.
Attention: If a group member owns a program, the program adopts only the authority
of the owner. The authorities of the group are not adopted.
When a source file is created on the system, the default public authority is
*CHANGE, which allows any user to update any source member. By default, only
the owner of the source file or a user with *ALLOBJ special authority can add or
remove members. In most cases, this default authority for source physical files
should be changed. Programmers working on an application need *OBJMGT
authority to the source files to add new members. The public authority should
probably be reduced to *USE or *EXCLUDE, unless the source files are in a
controlled library.
You can use adopted authority to provide a set of display commands for system
programmers, rather than giving special authorities in their user profiles.
For example, the Internet Connection Server (ICS) uses validation lists to
implement the concept of an Internet user. For Version 4, Release 1, the ICS can
perform basic authentication before a web page is served. Basic authentication
requires users to provide some type of authentication information, such as a
password, PIN, or account number. The name of the user and the authentication
information can be stored securely in a validation list. The ICS can use the
information from the validation list rather than require all users of the ICS to have
an iSeries user id and password.
An internet user can be permitted or denied access to the iSeries from the web
server. The user, however, has no authority to any iSeries resources or authority to
sign-on or run jobs. An iSeries user profile is never created for the internet users.
| To create and delete validation lists, you can use the CL commands Create
| Validation List (CRTVLDL) and the Delete Validation List (DLTVLDL). Application
| Programming Interfaces (APIs) are also provided to allow applications to add,
| change, remove, verify (authenticate), and find entries in a validation list. For more
| information and examples, see the API topic in the Information Center
| (see“Prerequisite and related information” on page xvi for details).
Validation list objects are available for all applications to use. For example, if an
application requires a password, the application passwords can be stored in a
validation list object rather than a database file. The application can use the
validation list APIs to verify a user’s password, which is encrypted, rather than the
application performing the verification itself.
| The Backup and Recovery book provides more information about backup and
| recovery. You may also refer to the Backup and Recovery topics in the iSeries
| Information Center (see“Prerequisite and related information” on page xvi for
| details).
Saving your security information is just as important as saving your data. In some
situations, you may need to recover user profiles, object authorities, and the data
on your system. If you do not have your security information saved, you may
need to manually rebuild user profiles and object authorities. This can be
time-consuming and can lead to errors and security exposures.
| Table 113 shows the commands used to save and restore security information. The
| sections that follow discuss saving and restoring security information in more
| detail.
Table 113. How Security Information Is Saved and Restored
Security Information         Saved by       Saved by           Restored by   Restored by        Restored by
Saved or Restored            SAVSECDTA,     SAVCHGOBJ, SAVOBJ, RSTUSRPRF     RSTOBJ, RSTLIB,    RSTAUT
                             SAVSYS         SAVLIB, SAVDLO,                  RSTDLO, RSTCFG
                                            SAVCFG
User profiles                X                                 X
Object ownership (1)                        X                                X
Primary group (1)                           X                                X
Public authorities (1)                      X                                X
Private authorities          X                                                                  X
Authorization lists          X                                 X
Authority holders            X                                 X
Link with the authorization
  list and authority holders                X                                X
Object auditing value                       X                                X
Function registration
  information (2)                           X                                X
Function usage information   X                                 X                                X
Notes:
1. The SAVSECDTA, SAVSYS, and RSTUSRPRF commands also save and restore ownership, primary group,
primary group authority, and public authority for these object types: user profile (*USRPRF), authorization
list (*AUTL), and authority holder (*AUTHLR).
2. The object to save or restore is QUSEXRGOBJ, type *EXITRG, in library QUSRSYS.
The Backup and Recovery book provides more information about planning recovery.
Attention: The system uses the machine serial number on the system and on the save
media to determine whether objects are being restored to the same system or to a
different system.
Restoring Objects
When you restore an object to the system, the system uses the authority
information stored with the object. The following applies to security of the restored
object:
Primary group:
When an existing object is restored, the primary group for the object is not
changed by the restore operation.
Public authority:
v If the object being restored does not exist on the system, public authority is set
to the public authority of the saved object.
v If the object being restored does exist and is being replaced, public authority is
not changed. The public authority from the saved version of the object is not
used.
v The CRTAUT for the library is not used when restoring objects to the library.
Authorization list:
v If an object, other than a document or folder, already exists on the system and is
linked to an authorization list, the ALWOBJDIF parameter determines the result:
– If ALWOBJDIF(*NONE) is specified, the existing object must have the same
authorization list as the saved object. If not, the object is not restored.
– If ALWOBJDIF(*ALL) is specified, the object is restored. The object is linked
to the authorization list associated with the existing object.
v If a document or folder that already exists on the system is restored, the
authorization list associated with the object on the system is used. The
authorization list from the saved document or folder is not used.
v If the authorization list does not exist on the system, the object is restored
without being linked to an authorization list and the public authority is changed
to *EXCLUDE.
v If the object is being restored on the same system from which it was saved, the
object is linked to the authorization list again.
v If the object is being restored on a different system, the ALWOBJDIF parameter
on the restore command is used to determine whether the object is linked to the
authorization list:
– If ALWOBJDIF(*ALL) is specified, the object is linked to the authorization list.
Private authorities:
v Private authority is saved with user profiles, not with objects.
v If user profiles have private authority to an object being restored, those private
authorities are usually not affected. Restoring certain types of programs may
result in private authorities being revoked. See “Restoring Programs” on
page 229 for more information.
v If an object is deleted from the system and then restored from a saved version,
private authority for the object no longer exists on the system. When an object is
deleted, all private authority to the object is removed from user profiles.
v If private authorities need to be recovered, the Restore Authority (RSTAUT)
command must be used. The normal sequence is:
1. Restore user profiles
2. Restore objects
3. Restore authority
Object Auditing:
v If the object being restored does not exist on the system, the object auditing
(OBJAUD) value of the saved object is restored.
v If the object being restored does exist and is being replaced, the object auditing
value is not changed. The OBJAUD value of the saved version of the object is
not restored.
v If a library being restored does not exist on the system, the create object auditing
(CRTOBJAUD) value for the library is restored.
v If a library being restored exists and is being replaced, the CRTOBJAUD value
for the library is not restored. The CRTOBJAUD value for the existing library is
used.
Authority Holder:
v If a file is restored and an authority holder exists for that file name and the
library to which it is being restored, the file is linked to the authority holder.
v The authority information associated with the authority holder replaces the
public authority and owner information saved with the file.
Restoring Authority
When security information is restored, private authorities must be rebuilt. When
you restore a user profile that has an authority table, the authority table for the
profile is also restored.
The Restore Authority (RSTAUT) command rebuilds the private authority in the
user profile using the information from the authority table. The grant authority
operation is run for each private authority in the authority table. If authority is
being restored for many profiles and many private authorities exist in the authority
tables, this can be a lengthy process.
| The RSTUSRPRF and RSTAUT commands can be run for a single profile, a list of
| profiles, a generic profile name, or all profiles. The system searches the save media
| or save file created by the SAVSECDTA or SAVSYS command or the QSRSAVO
| API to find the profiles you want to restore.
The following steps are required to restore private field authorities for database
files that do not already exist on the system:
v Restore or create the necessary user profiles.
v Restore the files.
v Run the Restore Authority (RSTAUT) command.
The private field authorities are not fully restored until the private object
authorities that they restrict are also established again.
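The Python model below is an added example, not code from this manual, showing why the sequence RSTUSRPRF, then RSTOBJ, then RSTAUT matters. It follows the rules given above: private authorities live in the profile's authority table (saved by SAVSECDTA or SAVSYS), not with the object; deleting an object revokes every private authority to it; and RSTAUT can re-grant an entry only when both the profile and the object exist. The object, library and profile names are made up.

```python
"""Why private authorities come back only with RSTUSRPRF, RSTOBJ, RSTAUT in that order.

Added example, not from the Security Reference. CUSTLIB/CUSTMAST and ARUSER
are constructed names.
"""


class System:
    def __init__(self):
        self.profiles = {}   # name -> authority table {(lib, obj): authority}
        self.objects = {}    # (lib, obj) -> live private authorities {profile: authority}
        self.unapplied = []  # RSTAUT entries that could not be granted

    # ---- ordinary operations ----------------------------------------------
    def crtusrprf(self, name):
        self.profiles[name] = {}

    def crtobj(self, key):
        self.objects[key] = {}

    def grtobjaut(self, profile, key, authority):
        self.objects[key][profile] = authority
        self.profiles[profile][key] = authority

    def dltobj(self, key):
        del self.objects[key]
        for table in self.profiles.values():   # deletion revokes private authority
            table.pop(key, None)

    def private_authority(self, profile, key):
        return self.objects.get(key, {}).get(profile)

    # ---- save --------------------------------------------------------------
    def savsecdta(self):
        return {p: dict(t) for p, t in self.profiles.items()}

    def savobj(self, key):
        return key   # the saved object carries no private authorities

    # ---- restore -----------------------------------------------------------
    def rstusrprf(self, saved):
        """Profiles come back with their authority tables, but nothing is
        granted on the objects yet."""
        for p, table in saved.items():
            self.profiles[p] = dict(table)

    def rstobj(self, saved_key):
        self.objects.setdefault(saved_key, {})

    def rstaut(self):
        """Run the grant for every entry in every profile's authority table."""
        self.unapplied = []
        for p, table in self.profiles.items():
            for key, authority in table.items():
                if key in self.objects:
                    self.objects[key][p] = authority
                else:
                    self.unapplied.append((p, key))


def recover(order):
    """Grant ARUSER *CHANGE to CUSTLIB/CUSTMAST, save, delete the file, then
    run the restore steps named in `order` ('rstusrprf', 'rstobj', 'rstaut').
    Returns ARUSER's private authority to the file afterwards, or None."""
    sys_ = System()
    sys_.crtusrprf("ARUSER")
    key = ("CUSTLIB", "CUSTMAST")
    sys_.crtobj(key)
    sys_.grtobjaut("ARUSER", key, "*CHANGE")
    sec = sys_.savsecdta()
    obj = sys_.savobj(key)
    sys_.dltobj(key)
    assert sys_.private_authority("ARUSER", key) is None  # revoked by deletion
    steps = {
        "rstusrprf": lambda: sys_.rstusrprf(sec),
        "rstobj": lambda: sys_.rstobj(obj),
        "rstaut": lambda: sys_.rstaut(),
    }
    for step in order:
        steps[step]()
    return sys_.private_authority("ARUSER", key)


if __name__ == "__main__":
    print("profiles, objects, authority:", recover(["rstusrprf", "rstobj", "rstaut"]))
    print("authority before objects:   ", recover(["rstusrprf", "rstaut", "rstobj"]))
    print("authority before profiles:  ", recover(["rstobj", "rstaut", "rstusrprf"]))
```

Only the first order ends with the authority in place; running RSTAUT before the object exists leaves the entry unapplied, and running it before the profile is restored finds an empty authority table.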
Restoring Programs
| Restoring programs to your system that are obtained from an unknown source
| poses a security exposure. Programs might perform operations that break your
| security requirements. Of particular concern are programs that contain restricted
| instructions and programs that adopt owner authority. This includes object types
| *PGM, *SRVPGM, *MODULE, and *CRQD. You can use the QALWOBJRST system
| value to prevent these object types from being restored to your system. See “Allow
| Restoring of Security-Sensitive Objects (QALWOBJRST)” on page 24 for more
| information about this system value.
If you do allow these types of programs to be restored to your system, the system
performs special checking.
To protect against programs that contain restricted instructions, the system uses a
validation value. This value is stored with a program and recalculated when the
program is restored. The system’s actions are determined by the ALWOBJDIF
parameter on the restore command and by the security level (QSECURITY) system
value. “Validation of Programs Being Restored” on page 15 provides a detailed
chart and description of the alternatives.
When a program is restored that adopts owner authority, the ownership and
authority to the program may be changed. The following applies:
v The user profile doing the restore operation must either own the program or
have *ALLOBJ and *SECADM special authorities.
v The user profile doing the restore operation can receive the authority to restore
the program by
– Being the program owner.
– Being a member of the group profile that owns the program (unless you have
private authority to the program).
– Having *ALLOBJ and *SECADM special authority.
– Being a member of a group profile that has *ALLOBJ and *SECADM special
authority.
– Running under adopted authority that meets one of the tests just listed.
v If the restoring profile does not have adequate authority, all public and private
authorities to the program are revoked, and the public authority is changed to
*EXCLUDE.
v If the owner of the program does not exist on the system, ownership is given to
the QDFTOWN user profile. Public authority is changed to *EXCLUDE and the
authorization list is removed.
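The following Python function is an added example, not IBM code, that implements the rules just listed for a program that adopts owner authority. The restoring profile counts as adequate when it owns the program, is a member of the owning group profile (unless it holds a private authority of its own to the program), holds *ALLOBJ and *SECADM itself or through one of its groups, or runs under adopted authority from a profile that passes one of those tests. The profile and program names are made up; only the non-adopting case is restored without this special checking, and the QDFTOWN rule for other object types is not modelled.

```python
"""Outcome of restoring a program that adopts its owner's authority.

Added example, not from the Security Reference. All profile and program
names are constructed.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set


@dataclass
class Profile:
    name: str
    groups: List[str] = field(default_factory=list)
    special: Set[str] = field(default_factory=set)


@dataclass
class Program:
    name: str
    owner: str
    adopts: bool
    public: str = "*USE"
    private: Dict[str, str] = field(default_factory=dict)  # profile -> authority
    autl: Optional[str] = None                              # authorization list


def _adequate(p: Profile, pgm: Program, profiles: Dict[str, Profile]) -> bool:
    if p.name == pgm.owner:
        return True
    if pgm.owner in p.groups and p.name not in pgm.private:
        return True
    if {"*ALLOBJ", "*SECADM"} <= p.special:
        return True
    return any({"*ALLOBJ", "*SECADM"} <= profiles[g].special
               for g in p.groups if g in profiles)


def restore_program(restorer: str, adopted: List[str], saved: Program,
                    profiles: Dict[str, Profile]) -> Program:
    """Return the program as it exists after the restore. `adopted` names the
    profiles whose authority the restoring job is currently adopting."""
    pgm = Program(saved.name, saved.owner, saved.adopts, saved.public,
                  dict(saved.private), saved.autl)
    if not pgm.adopts:
        return pgm                       # no special checking for these
    candidates = [profiles[n] for n in [restorer, *adopted] if n in profiles]
    if not any(_adequate(c, pgm, profiles) for c in candidates):
        pgm.private = {}                 # all private authorities revoked
        pgm.public = "*EXCLUDE"
    if pgm.owner not in profiles:        # owner missing on this system
        pgm.owner = "QDFTOWN"
        pgm.public = "*EXCLUDE"
        pgm.autl = None                  # authorization list link removed
    return pgm


# Constructed profiles: DEVGRP owns the application, DEV1 belongs to it and
# also holds a private authority, SECADMIN has both special authorities.
PROFILES = {
    "DEVGRP": Profile("DEVGRP"),
    "DEV1": Profile("DEV1", groups=["DEVGRP"]),
    "SECADMIN": Profile("SECADMIN", special={"*ALLOBJ", "*SECADM"}),
    "OPER": Profile("OPER"),
}
SAVED = Program("PRICEUPD", owner="DEVGRP", adopts=True,
                private={"DEV1": "*USE"}, autl="APPAUTL")
ORPHAN = Program("OLDPGM", owner="OLDOWN", adopts=True, autl="APPAUTL")


if __name__ == "__main__":
    for who, adopted in [("DEVGRP", []), ("DEV1", []), ("SECADMIN", []),
                         ("OPER", []), ("OPER", ["SECADMIN"])]:
        r = restore_program(who, adopted, SAVED, PROFILES)
        print(f"{who:9s} adopting {adopted or '-'}: owner={r.owner} "
              f"public={r.public} private={r.private}")
    r = restore_program("SECADMIN", [], ORPHAN, PROFILES)
    print(f"missing owner: owner={r.owner} public={r.public} autl={r.autl}")
```

Note the DEV1 case: group membership alone would have been enough, but the private authority DEV1 holds on the program disqualifies it, so the restore revokes everything and sets public authority to *EXCLUDE.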
When your system is shipped, only users with *ALLOBJ special authority can use
the RSTLICPGM command. The RSTLICPGM procedure calls an exit program to
install programs that are not supplied by IBM.
To protect security on your system, the exit program should not run using a profile
with *ALLOBJ special authority. Use a program that adopts *ALLOBJ special
authority to run the RSTLICPGM command, instead of having a user with
*ALLOBJ authority run the command directly.
When you restore an authorization list, authority and ownership are established
just as they are for any other object that is restored. The link between authorization
lists and objects is established if the objects are restored after the authorization list.
See “Restoring Objects” on page 226 for more information. Users’ private
authorities to the list are restored using the RSTAUT command.
If it is not possible to create the authorization list again because you do not know
all the user authorities, the authorization list can be restored and the users restored
to the authorization list using your last SAVSYS or SAVSECDTA tapes. To restore
the authorization list, do the following:
Attention: This procedure restores user profile values from the save media. See
“Restoring User Profiles” on page 225 for more information.
*SAVSYS special authority gives a user the capability to save an object and take it
to a different system to be restored or to display (dump) the media to view the
data. It also gives a user the capability to save an object and free storage thus
deleting the data in the object. When saving documents, a user with *SAVSYS
special authority has the option to delete those documents. *SAVSYS special
authority should be given carefully.
The RSTCFG command does not create an audit record for each object restored. If
you want to have an audit record of this command, set object auditing for the
command itself. One audit record will be written whenever the command is run.
The techniques described in this chapter are appropriate for all these situations.
Which things you audit and how often depends on the size and security needs of
your organization. The purpose of this chapter is to discuss what information is
available, how to obtain it, and why it is needed, rather than to give guidelines for
the frequency of audits.
Security auditing involves using commands on the iSeries system and accessing
log and journal information on the system. You may want to create a special
profile to be used by someone doing a security audit of your system. The auditor
profile will need *AUDIT special authority to be able to change the audit
characteristics of your system. Some of the auditing tasks suggested in this chapter
require a user profile with *ALLOBJ and *SECADM special authority. Be sure that
you set the password for the auditor profile to *NONE when the audit period has
ended.
Physical Security
| Note: The Basic System Security and Planning topic in the Information Center
| contains a complete discussion of physical security on the iSeries system.
| See “Prerequisite and related information” on page xvi for details.
The system unit and system console are in a secure location.
Backup media is protected from damage and theft.
The keylock switch setting on the processor unit is in the Secure or Auto
position. The key is removed. The keys are kept separately, both under tight
physical security. See the Information Center for more information about the
keylock switch (see “Prerequisite and related information” on page xvi for
details).
Access to publicly located workstations and the console is restricted. Use the
DSPOBJAUT command to see who has *CHANGE authority to the
workstations. Look for AF entries in the audit journal with the object type field
equal to *DEVD to find attempts to sign on at restricted workstations.
Sign-on for users with *ALLOBJ or *SERVICE special authority is limited to a
few workstations. Check to see that the QLMTSECOFR system value is 1. Use
the DSPOBJAUT command for devices to see if the QSECOFR profile has
*CHANGE authority.
System Values
Security system values follow recommended guidelines. To print the security
system values, type: WRKSYSVAL *SEC OUTPUT(*PRINT). Two important system
values to audit are:
– QSECURITY, which should be set to 40 or higher.
– QMAXSIGN, which should not be greater than 5.
Note: See “IBM-Supplied User Profiles and Dedicated Service Tool (DST)
Users” on page 106 and Appendix B for more information about
IBM-supplied user profiles.
Password Control
Users can change their own passwords. Allowing users to define their own
passwords reduces the need for users to write down their passwords. Users
should have access to the CHGPWD command or to the Change Password
function from the Security (GO SECURITY) menu.
A password change is required according to the organization’s security
guidelines, usually every 30 to 90 days. The QPWDEXPITV system value is set
to meet the security guidelines.
If a user profile has a password expiration interval that is different from the
system value, it meets the security guidelines. Review user profiles for a
PWDEXPITV value other than *SYSVAL.
Trivial passwords are prevented by using the system values to set the password
rules and by using a password approval program. Use the WRKSYSVAL *SEC
command and look at the settings for the values beginning with QPWD.
Group profiles have a password of *NONE. Use the DSPAUTUSR command to
check for any group profiles that have passwords.
| Whenever the system is not operating at password level 3 and users change their
| password, the system will attempt to create an equivalent password that is usable
| at the other password levels, if possible. You can use the DSPAUTUSR or
| PRTUSRPRF TYPE(*PWDINFO) commands to see which user profiles have
| passwords that are usable at the various password levels.
| Note: The equivalent password is a best effort attempt to create a usable password
| for the other password levels but it may not have passed all of the password
| rules if the other password level was in effect. For example, if password
| BbAaA3x is specified at password level 2, the system will create an
| equivalent password of BBAAA3X for use at password levels 0 and 1. This
| would be true even if the QPWDLMTCHR system value includes ’A’ as one
| of the limited characters (QPWDLMTCHR is not enforced at password level
Authorization Control
Owners of data understand their obligation to authorize users on a
need-to-know basis.
Owners of objects regularly verify the authority to use the objects, including
public authority. The WRKOBJOWN command provides a display for working
with the authorities to all objects owned by a user profile.
Sensitive data is not public. Check the authority for user *PUBLIC for critical
objects using the DSPOBJAUT command.
To check the User parameter of a job description, use the Display Job
Description (DSPJOBD) command. To check the authority to a job description,
use the DSPOBJAUT command.
Note: At security level 40 or 50, a user submitting a job using a job description
that specifies a user profile name must have *USE authority to both the
job description and the user profile. At all security levels, an attempt to
submit or schedule a job without *USE authority to the user specified in
the job description causes an AF entry with violation type J in the audit
journal.
Users are not allowed to sign on by pressing the Enter key on the Sign On
display. Make sure no workstation entries in subsystem descriptions specify a
job description that has a user profile name specified for the USER parameter.
Default sign-on is prevented at security level 40 or 50, even if a subsystem
description allows it. At all security levels, an AF entry with violation type S is
written to the audit journal if default sign-on is attempted and a subsystem
description is defined to allow it.
The library list in application programs is controlled to prevent a library that
contains a similar program from being added before the production libraries.
The topic “Library Lists” on page 183 discusses methods for controlling the
library list.
Programs that adopt authority are used only when required and are carefully
controlled. See the topic “Analyzing Programs That Adopt Authority” on
page 268 for an explanation of how to evaluate the use of the program adopt
function.
Application program interfaces (APIs) are secured.
Good object security techniques are used to avoid performance problems.
Unauthorized Access
Security-related events are logged to the security auditing journal (QAUDJRN)
when the auditing function is active. To audit authority failures, use the
following system values and settings:
– QAUDCTL must be set to *AUDLVL
– QAUDLVL must include the values of *PGMFAIL and *AUTFAIL.
The best method to detect unauthorized attempts to access information is to
review entries in the audit journal on a regular basis.
Unauthorized Programs
The QALWOBJRST system value is set to *NONE to prevent anyone from
restoring security-sensitive programs to the system.
The Check Object Integrity (CHKOBJITG) command is run periodically to
detect unauthorized changes to program objects. This command is described in
“Checking for Objects That Have Been Altered” on page 268.
Communications
Telephone communications is protected by call-back procedures.
Encryption is used on sensitive data.
Remote sign-on is controlled. The QRMTSIGN system value is set to
*FRCSIGNON or a pass-through validation program is used.
Access to data from other systems, including personal computers, is controlled
using the JOBACN, PCSACC, and DDMACC network attributes. The JOBACN
network attribute should be *FILE.
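The Python script below is an added example, not part of this manual, that checks the system values and network attribute named in this checklist against the thresholds it gives. The input is a constructed name/value listing standing in for the WRKSYSVAL *SEC OUTPUT(*PRINT) report and the DSPNETA output; the real spooled layouts differ and need their own parsing. The rules applied are: QSECURITY at least 40, QMAXSIGN at most 5, QLMTSECOFR set to 1, QPWDEXPITV between 30 and 90 days, QAUDCTL containing *AUDLVL, QAUDLVL containing *PGMFAIL and *AUTFAIL, QALWOBJRST set to *NONE, QRMTSIGN set to *FRCSIGNON or to a validation program, and JOBACN set to *FILE.

```python
"""Checklist audit of security system values from a constructed listing.

Added example, not from the Security Reference. The listing format is this
example's own, not the real WRKSYSVAL or DSPNETA print layout.
"""

# Constructed listing of a weakly configured system.
LISTING = """\
QSECURITY   30
QMAXSIGN    15
QLMTSECOFR  0
QPWDEXPITV  *NOMAX
QAUDCTL     *OBJAUD
QAUDLVL     *AUTFAIL *SECURITY
QALWOBJRST  *ALL
QRMTSIGN    *VERIFY
JOBACN      *SEARCH
"""

# The same values after correction.
HARDENED = """\
QSECURITY   40
QMAXSIGN    3
QLMTSECOFR  1
QPWDEXPITV  60
QAUDCTL     *AUDLVL *OBJAUD
QAUDLVL     *AUTFAIL *PGMFAIL *SECURITY
QALWOBJRST  *NONE
QRMTSIGN    *FRCSIGNON
JOBACN      *FILE
"""


def parse_listing(text):
    """Return {name: [values]}; multi-valued entries such as QAUDLVL keep a list."""
    values = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 2:
            values[parts[0]] = parts[1:]
    return values


def _int(v):
    try:
        return int(v)
    except ValueError:
        return None          # *NOMAX and similar special values


def audit(values):
    """Return a list of (name, finding) for every checklist item that fails."""
    findings = []

    def first(name):
        return values.get(name, [""])[0]

    if (_int(first("QSECURITY")) or 0) < 40:
        findings.append(("QSECURITY", "below 40; level 40 or higher is required"))
    n = _int(first("QMAXSIGN"))
    if n is None or n > 5:
        findings.append(("QMAXSIGN", "more than 5 sign-on attempts allowed"))
    if first("QLMTSECOFR") != "1":
        findings.append(("QLMTSECOFR", "*ALLOBJ/*SERVICE sign-on not limited to specific devices"))
    days = _int(first("QPWDEXPITV"))
    if days is None or not 30 <= days <= 90:
        findings.append(("QPWDEXPITV", "password expiration not within 30 to 90 days"))
    if "*AUDLVL" not in values.get("QAUDCTL", []):
        findings.append(("QAUDCTL", "*AUDLVL missing; action auditing is off"))
    missing = {"*PGMFAIL", "*AUTFAIL"} - set(values.get("QAUDLVL", []))
    if missing:
        findings.append(("QAUDLVL", "missing " + " ".join(sorted(missing))))
    if first("QALWOBJRST") != "*NONE":
        findings.append(("QALWOBJRST", "security-sensitive objects may be restored"))
    # *FRCSIGNON, *REJECT and a validation program name all pass; the two
    # values that let a pass-through bypass the sign-on display are flagged.
    if first("QRMTSIGN") in ("*SAMEPRF", "*VERIFY"):
        findings.append(("QRMTSIGN", "remote sign-on can bypass the sign-on display"))
    if first("JOBACN") != "*FILE":
        findings.append(("JOBACN", "network job requests are not filed for review"))
    return findings


if __name__ == "__main__":
    for name, finding in audit(parse_listing(LISTING)):
        print(f"{name:11s} {finding}")
    print("hardened findings:", audit(parse_listing(HARDENED)))
```

Run against a real system, the only part that changes is parse_listing: feed it the spooled WRKSYSVAL output (or the QWCRSVAL API results) and DSPNETA output, and the checks stay the same.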
You use system values, user profile parameters, and object parameters to define
auditing. “Planning Security Auditing” on page 241 describes how to do this.
When a security-related event that may be audited occurs, the system checks
whether you have selected that event for audit. If you have, the system writes a
journal entry in the current receiver for the security auditing journal (QAUDJRN in
library QSYS).
When you want to analyze the audit information you have collected in the
QAUDJRN journal, you can use the Display Journal (DSPJRN) command. With this
command, information from the QAUDJRN journal can be written to a database
file. An application program or a query tool can be used to analyze the data.
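The Python script below is an added example, not part of this manual, of the kind of program that analyzes DSPJRN output. The records are constructed comma-separated rows standing in for a DSPJRN output file, with a reduced set of fields (entry type, time stamp, job user, violation type, object name, object library, object type); the real AF model outfile layout is in Appendix F and has many more fields. The triage rules come from the checklist earlier in this chapter: violation type J is a job submitted with a job description whose USER the submitter lacks *USE authority to, violation type S is an attempted default sign-on, and an AF entry against a *DEVD is an attempt to sign on at a workstation the user is not authorized to. The threshold for repeated failures is this example's own choice.

```python
"""Triage of AF (authority failure) entries from a DSPJRN output file.

Added example, not from the Security Reference. SAMPLE is constructed data
in a simplified layout, not the real QAUDJRN outfile format.
"""
import csv
from collections import Counter
from io import StringIO

# Constructed rows: entry type, time stamp, job user, violation type,
# object name, object library, object type.
SAMPLE = """\
AF,2003-03-14-09.15.22,JSMITH,A,DSP05,QSYS,*DEVD
AF,2003-03-14-09.15.40,JSMITH,A,DSP05,QSYS,*DEVD
AF,2003-03-14-09.16.03,JSMITH,A,DSP06,QSYS,*DEVD
PW,2003-03-14-09.17.10,JSMITH,P,,,
AF,2003-03-14-10.02.51,TJONES,J,QBATCH,QGPL,*JOBD
AF,2003-03-14-10.30.00,QSYS,S,QINTER,QSYS,*SBSD
AF,2003-03-14-11.11.11,MBROWN,A,CUSTMAST,CUSTLIB,*FILE
"""

FIELDS = ["entry", "time", "user", "violation", "object", "library", "objtype"]


def parse(text):
    """Turn the comma-separated rows into dictionaries keyed by FIELDS."""
    return [dict(zip(FIELDS, row)) for row in csv.reader(StringIO(text))]


def triage(records, repeat_threshold=3):
    """Sort AF entries into the categories named in the audit checklist and
    flag users with at least `repeat_threshold` authority failures."""
    af = [r for r in records if r["entry"] == "AF"]   # PW and others ignored here
    report = {
        "restricted_workstation": [r for r in af if r["objtype"] == "*DEVD"],
        "jobd_user": [r for r in af if r["violation"] == "J"],
        "default_signon": [r for r in af if r["violation"] == "S"],
        "other": [r for r in af
                  if r["violation"] not in ("J", "S") and r["objtype"] != "*DEVD"],
    }
    per_user = Counter(r["user"] for r in af)
    report["repeat_offenders"] = {u: n for u, n in per_user.items()
                                  if n >= repeat_threshold}
    return report


if __name__ == "__main__":
    rep = triage(parse(SAMPLE))
    for category in ("restricted_workstation", "jobd_user", "default_signon", "other"):
        for r in rep[category]:
            print(f"{category:22s} {r['time']} {r['user']:10s} "
                  f"{r['library']}/{r['object']} {r['objtype']}")
    print("repeat offenders:", rep["repeat_offenders"])
```

In practice the same categories map directly onto the entries DSPJRN writes to the outfile for entry type AF; the rest of the work is adapting parse() to the model outfile's field names and widths.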
The security auditing function is optional. You must take specific steps to set up
security auditing.
The following sections describe how to plan, set up, and manage security auditing,
what information is recorded, and how to view that information. Appendix F
shows record layouts for the audit journal entries. Appendix E describes what
operations are audited for each type of object.
Which events you choose to log depends on both your security objectives and your
potential exposures. Table 114 describes the possible audit level values and how
you might use them. It shows whether they are available as a system value, a user
profile parameter, or both.
Table 115 on page 244 provides more information about the journal entries that are
written for the action auditing values specified on the QAUDLVL system value
and in the user profile. It shows:
v The type of entry written to the QAUDJRN journal.
v The model database outfile that can be used to define the record when you
create an output file with the DSPJRN command. Complete layouts for the
model database outfiles are found in Appendix F.
v The detailed entry type. Some journal entry types are used to log more than one
type of event. The detailed entry type field in the journal entry identifies the
type of event.
v The ID of the message that can be used to define the entry-specific information
in the journal entry.
Table 114. Action Auditing Values
Possible Value   Available on QAUDLVL   Available on CHGUSRAUD   Description
                 System Value           Command
*NONE            Yes                    Yes                      If the QAUDLVL system value is *NONE, no
                                                                 actions are logged on a system-wide basis.
                                                                 Actions are logged for individual users based on
                                                                 the AUDLVL value in their user profiles.
Table 116 shows how the OBJAUD values for the object and the user profile work
together.
Table 116. How Object and User Auditing Work Together
OBJAUD Value for Object   OBJAUD Value for User: *NONE   *CHANGE   *ALL
You can use object auditing to keep track of all users accessing a critical object on
the system. You can also use object auditing to keep track of all the object accesses
by a particular user. Object auditing is a flexible tool that allows you to monitor
those object accesses that are important to your organization.
Object . . . . . . . . . . . . . file-name
Library . . . . . . . . . . . library-name
Object type . . . . . . . . . . *FILE
Object auditing value . . . . . *USRPRF
2. Set the OBJAUD value for each user in your sample to *CHANGE or *ALL
using the CHGUSRAUD command.
3. Make sure the QAUDCTL system value includes *OBJAUD.
4. When sufficient time has elapsed to collect a representative sample, set the
OBJAUD value in the user profiles to *NONE or remove *OBJAUD from the
QAUDCTL system value.
5. Analyze the audit journal entries using the techniques described in
“Analyzing Audit Journal Entries with Query or a Program” on page 262.
v If you are concerned about who is using a particular file, you can collect
information about all accesses of that file for a period of time:
1. Set object auditing for the file independent of user profile values:
CHGOBJAUD OBJECT(library-name/file-name)
OBJTYPE(*FILE) OBJAUD(*CHANGE or *ALL)
2. Make sure the QAUDCTL system value includes *OBJAUD.
3. When sufficient time has elapsed to collect a representative sample, set the
OBJAUD value in the object to *NONE.
4. Analyze the audit journal entries using the techniques described in
“Analyzing Audit Journal Entries with Query or a Program” on page 262.
v To audit all object accesses for a specific user, do the following:
1. Set the OBJAUD value for all objects to *USRPRF using the CHGOBJAUD
command:
Object . . . . . . . . . . . . . *ALL
Library . . . . . . . . . . . *ALL
Object type . . . . . . . . . . *ALL
Object auditing value . . . . . *USRPRF
Displaying Object Auditing: Use the DSPOBJD command to display the current
object auditing level for an object. Use the DSPDLOAUD command to display the
current object auditing level for a document library object.
Setting Default Auditing for Objects: You can use the QCRTOBJAUD system
value and the CRTOBJAUD value for libraries and directories to set object auditing
for new objects that are created. For example, if you want all new objects in the
INVLIB library to have an audit value of *USRPRF, use the following command:
CHGLIB LIB(INVLIB) CRTOBJAUD(*USRPRF)
This command affects the auditing value of new objects only. It does not change
the auditing value of objects that already exist in the library.
Use the default auditing values carefully. Improper use could result in many
unwanted entries in the security audit journal. Effective use of the object auditing
capabilities of the system requires careful planning.
Audit Force Level: The QAUDFRCLVL system value determines how often the
system writes audit journal entries from memory to auxiliary storage. The
QAUDFRCLVL system value works like the force level for database files. You
should follow similar guidelines in determining the correct force level for your
installation.
If you allow the system to determine when to write entries to auxiliary storage, it
balances the performance impact against the potential loss of information in a
power outage. *SYS is the default and the recommended choice.
If you set the force level to a low number, you minimize the possibility of losing
audit records, but you may notice a negative performance impact. If your
installation requires that no audit records be lost in a power failure, you must set
the QAUDFRCLVL to 1.
Audit End Action: The QAUDENDACN system value determines what the
system does if it is unable to write an entry to the audit journal. The default value
is *NOTIFY. The system does the following if it is unable to write audit journal
entries and QAUDENDACN is *NOTIFY:
1. The QAUDCTL system value is set to *NONE to prevent additional attempts to
write entries.
2. Message CPI2283 is sent to the QSYSOPR message queue and the QSYSMSG
message queue (if it exists) every hour until auditing is successfully restarted.
3. Normal processing continues.
4. If an IPL is performed on the system, message CPI2284 is sent to the QSYSOPR
and QSYSMSG message queues during the IPL.
You can set the QAUDENDACN to power down your system if auditing fails
(*PWRDWNSYS). Use this value only if your installation requires that auditing be
active for the system to run. If the system is unable to write an audit journal entry
and the QAUDENDACN system value is *PWRDWNSYS, the following happens:
1. The system powers down immediately (the equivalent of issuing the
PWRDWNSYS *IMMED command).
2. SRC code B900 3D10 is displayed.
CHGSECAUD
DSPSECAUD
Authority:
CO (create object)
SV (system value change)
AD (object and user audit changes)
Notes: The CHGSECAUD command creates the journal and journal
receiver if it does not exist. The CHGSECAUD then sets the
QAUDCTL and QAUDLVL system values.
CRTJRNRCV
CRTJRN QSYS/QAUDJRN
WRKSYSVAL *SEC
CHGOBJAUD
CHGDLOAUD
CHGUSRAUD
Authority:
CO (create object)
SV (system value change)
AD (object and user audit changes)
Notes: QSYS/QAUDJRN must exist before QAUDCTL can be
changed.
The Backup and Recovery book provides more information about working with
journals and journal receivers.
3. Set the audit level (QAUDLVL) system value using the WRKSYSVAL
command. The QAUDLVL system value determines which actions are logged
to the audit journal for all users on the system. See “Planning the Auditing of
Actions” on page 241.
4. Set action auditing for individual users if necessary using the CHGUSRAUD
command. See “Planning the Auditing of Actions” on page 241.
5. Set object auditing for specific objects if necessary using the CHGOBJAUD and
CHGDLOAUD commands. See “Planning the Auditing of Object Access” on
page 252.
6. Set object auditing for specific users if necessary using the CHGUSRAUD
command.
7. Set the QAUDENDACN system value to control what happens if the system
cannot access the audit journal. See “Audit End Action” on page 254.
8. Set the QAUDFRCLVL system value to control how often audit records are
written to auxiliary storage. See “Preventing Loss of Auditing Information” on
page 254.
9. Start auditing by setting the QAUDCTL system value to a value other than
*NONE.
The QSYS/QAUDJRN journal must exist before you can change the QAUDCTL
system value to a value other than *NONE. When you start auditing, the system
attempts to write a record to the audit journal. If the attempt is not successful, you
receive a message and auditing does not start.
Special locking protection is used to ensure that the system can write audit entries
to the audit journal. When auditing is active (the QAUDCTL system value is not
*NONE), the system arbitrator job (QSYSARB) holds a lock on the
QSYS/QAUDJRN journal. You cannot perform certain operations on the audit
journal when auditing is active, such as:
v DLTJRN command
| v ENDJRNxxx (End Journaling) commands
v APYJRNCHG command
v RMVJRNCHG command
v DMPOBJ or DMPSYSOBJ command
v Moving the journal
v Restoring the journal
v Operations that work with authority, such as the GRTOBJAUT command
v WRKJRN command
If damage occurs to the journal or to its current receiver so that the auditing
entries cannot be journaled, the QAUDENDACN system value determines what
action the system takes. Recovery from a damaged journal or journal receiver is the
same as for other journals.
You may want to have the system manage the changing of journal receivers.
Specify MNGRCV(*SYSTEM) when you create the QAUDJRN journal, or change
the journal to that value. If you specify MNGRCV(*SYSTEM), the system
automatically detaches the receiver when it reaches its threshold size and creates
and attaches a new journal receiver. This is called system change-journal
management.
The default message queue for a journal is QSYSOPR. If your installation has a
large volume of messages in the QSYSOPR message queue, you may want to
associate a different message queue, such as AUDMSG, with the QAUDJRN
journal. You can use a message handling program to monitor the AUDMSG
See the Backup and Recovery book for complete information about managing
journals and journal receivers.
Note: The QAUDJRN journal is created during an IPL if it does not exist and the
QAUDCTL system value is set to a value other than *NONE. This occurs
only after an unusual situation, such as replacing a disk device or clearing
an auxiliary storage pool.
You should regularly detach the current audit journal receiver and attach a new
one for two reasons:
v Analyzing journal entries is easier if each journal receiver contains the entries for
a specific, manageable time period.
v Large journal receivers can affect system performance, in addition to taking
valuable space on auxiliary storage.
If you have set up action auditing and object auditing to log many different events,
you may need to specify a large threshold value for the journal receiver. If you are
managing receivers manually, you may need to change journal receivers daily. If
you log only a few events, you may want to change receivers to correspond with
the backup schedule for the library containing the journal receiver.
| You use the CHGJRN command to detach a receiver and attach a new receiver.
Note: An alternative to the above procedure could be done using the journal
message queue and monitoring for the CPF7020 message which indicates
that the system change journal has completed successfully. See the Backup
and Recovery for more information on this support.
For example, if the current receiver is AUDRCV0003, the system creates and
attaches a new receiver called AUDRCV0004.
The Work with Journal Attributes (WRKJRNA) command tells you which
receiver is currently attached: WRKJRNA QAUDJRN.
2. Use the Save Object (SAVOBJ) command to save the detached journal receiver.
Specify object type *JRNRCV.
3. Use the Delete Journal Receiver (DLTJRNRCV) command to delete the receiver.
If you try to delete the receiver without saving it, you receive a warning
message.
You can also use the Receive Journal Entry (RCVJRNE) command on the
QAUDJRN journal to receive the entries as they are written to the QAUDJRN
journal.
The Display Journal (DSPJRN) command allows you to view selected journal
entries at your workstation. To view journal entries, do the following:
1. Type DSPJRN QAUDJRN and press F4. On the prompt display, you can enter
information to select the range of entries that is shown. For example, you can
select all entries in a specific range of dates, or you can select only a certain
type of entry, such as an incorrect sign-on attempt (journal entry type PW).
The default is to display entries from only the attached receiver. You can use
RCVRNG(*CURCHAIN) to see entries from all receivers that are in the receiver
chain for the QAUDJRN journal, up to and including the receiver that is
currently attached.
2. When you press the Enter key, you see the Display Journal Entries display:
F3=Exit F12=Cancel
3. Use option 5 (Display entire entry) to see information about a specific entry:
4. You can use F6 (Display only entry specific data) for entries with a large
amount of entry-specific data. You can also select a hexadecimal version of that
display. You can use F10 to display details about the journal entry without any
entry-specific information.
Appendix F contains the layout for each type of QAUDJRN journal entry.
You can use the Display Journal (DSPJRN) command to write selected entries from
the audit journal receivers to an output file. You can use a program or a query to
view the information in the output file.
For the output parameter of the DSPJRN command, specify *OUTFILE. You see
additional parameters prompting you for information about the output file:
All security-related entries in the audit journal contain the same heading
information, such as the entry type, the date of the entry, and the job that caused
the entry. The QJORDJE4 record format is provided to define these fields when
you specify *TYPE4 as the outfile format parameter. See Table 139 on page 489 for
more information.
For more information on other records and their outfile formats see Appendix F.
If you want to perform a detailed analysis of a particular entry type, use one of the
model database outfiles provided. For example, to create an output file called
AUDJRNAF in QGPL that includes only authority failure entries:
1. Create an empty output file with the format defined for AF journal entries:
CRTDUPOBJ OBJ(QASYAFJ4) FROMLIB(QSYS) +
OBJTYPE(*FILE) TOLIB(QGPL) NEWOBJ(AUDJRNAF)
2. Use the DSPJRN command to write selected journal entries to the output file:
DSPJRN JRN(QAUDJRN) ... +
JRNCDE(T) ENTTYP(AF) OUTPUT(*OUTFILE) +
OUTFILFMT(*TYPE4) OUTFILE(QGPL/AUDJRNAF)
3. Use Query or a program to analyze the information in the AUDJRNAF file.
Table 115 on page 244 shows the name of the model database outfile for each entry
type. Appendix F shows the file layouts for each model database outfile.
Following are a few examples of how you might use QAUDJRN information:
v If you suspect someone is trying to break into your system:
1. Make sure the QAUDLVL system value includes *AUTFAIL.
2. Use the CRTDUPOBJ object command to create an empty output file with
the QASYPWJ4 format.
Note: Table 115 on page 244 shows which journal entry is written for each
authority violation message.
You will find additional information in “Appendix G. Commands and Menus for
Security Commands” on page 571. This appendix includes examples to use the
commands and information about the menus for the security tools.
If you create the QSYSMSG message queue in the QSYS library, messages about
critical system events are sent to that message queue as well as to QSYSOPR. The
QSYSMSG message queue can be monitored separately by a program or a system
operator. This provides additional protection of your system resources. Critical
system messages in QSYSOPR are sometimes missed because of the volume of
messages sent to that message queue.
| The audit journal records only that the object was accessed. It does not log every
| transaction to the object. For critical objects on your system, you may want more
| detailed information about the specific data that was accessed and changed. Object
| journaling is used primarily for object integrity and recovery. Refer to the Backup
| and Recovery book for a list of object types which can be journaled, and what is
| journaled for each object type. A security officer or auditor can also use these
| journal entries to review object changes. Do not journal any objects to the
| QAUDJRN journal.
| A journal entry cannot be altered by any user, even the security officer. A complete
| journal or journal receiver can be deleted, but this is easily detected.
| If you are journaling files and want to print all information about a particular file,
| type the following:
| DSPJRN JRN(library/journal) +
| FILE(library/file) OUTPUT(*PRINT)
| You can then do a query or use SQL to select all of the records from this outfile for
| a specific object name.
| If you want to find out which journals are on the system, use the Work with
| Journals (WRKJRN) command. If you want to find out which objects are being
| journaled by a particular journal, use the Work with Journal Attributes
| (WRKJRNA) command.
| The Backup and Recovery book provides complete information about journaling.
Password
Group User Last No
Profile Profile Changed Password Text
DPTSM
ANDERSOR 08/04/9x Roger Anders
VINCENTM 09/15/9x Mark Vincent
DPTWH
ANDERSOR 08/04/9x Roger Anders
WAGNERR 09/06/9x Rose Wagner
QSECOFR
JONESS 09/20/9x Sharon Jones
HARRISOK 08/29/9x Ken Harrison
*NO GROUP
DPTSM 09/05/9x X Sales and Marketing
DPTWH 08/13/9x X Warehouse
RICHARDS 09/05/9x Janet Richards
SMITHJ 09/18/9x John Smith
You can use a query tool to create a variety of analysis reports of your output file,
such as:
v A list of all users who have both *ALLOBJ and *SPLCTL special authority.
v A list of all users sequenced by a user profile field, such as initial program or
user class.
Some IBM-supplied user profiles are very large because of the number of
objects they own. Listing and analyzing them is usually not necessary.
However, you should check for programs adopting the authority of the
IBM-supplied user profiles that have *ALLOBJ special authority, such as
QSECOFR and QSYS. See “Analyzing Programs That Adopt Authority” on
page 268.
Appendix B provides information about all the IBM-supplied user profiles and
their functions.
Using these reports, you can determine what is in a library and who has access to
the library. If necessary, you can use the DSPOBJAUT command to view the
authority for selected objects in the library also.
Note: The topic “Printing Selected User Profiles” on page 266 shows how to list
users with *ALLOBJ authority.
2. Use the DSPOBJAUT command to determine who is authorized to use each
adopting program and what the public authority is to the program:
DSPOBJAUT OBJ(library-name/program-name) +
OBJTYPE(*PGM) OUTPUT(*PRINT)
3. Inspect the source code and program description to evaluate:
v Whether the user of the program is prevented from excess function, such as
using a command line, while running under the adopted profile.
v Whether the program adopts the minimum authority level needed for the
intended function. Applications that use program failure can be designed
using the same owner profile for objects and programs. When the authority
of the program owner is adopted, the user has *ALL authority to application
objects. In many cases, the owner profile does not need any special
authorities.
4. Verify when the program was last changed, using the DSPOBJD command:
DSPOBJD OBJ(library-name/program-name) +
OBJTYPE(*PGM) DETAIL(*FULL)
| When you run the command, the system creates a database file containing
| information about any potential integrity problems. You can check objects owned
| by one or more profiles, objects that match a path name, or all objects on the
| system. You can look for objects whose domain has been altered and objects that
| have been tampered with. You can recalculate program validation values to look
| for objects of type *PGM, *SRVPGM, *MODULE, and *SQLPKG that have been
| altered. You can also check the signature of objects that can be digitally signed.
Note: Profiles that own many objects with many private authorities can become
very large. The size of an owner profile affects performance when displaying
and working with the authority to owned objects, and when saving or
restoring profiles. System operations can also be impacted. To prevent
impacts to either performance or system operations, distribute ownership of
objects to multiple profiles. Do not assign all (or nearly all) objects to only
one owner profile.
Note: Table 114 on page 242 shows all the possible values for action auditing.
2. Remove the *AUDIT special authority from user profiles with *ALLOBJ and
*SECADM special authority. This prevents these users from changing the
auditing characteristics of their own profiles.
Note: You cannot remove special authorities from the QSECOFR profile.
Therefore, you cannot prevent a user signed on as QSECOFR from
changing the auditing characteristics of that profile. However, if a user
signed on as QSECOFR uses the CHGUSRAUD command to change
auditing characteristics, an AD entry type is written to the audit journal.
| The CL topic in the Information Center contains more detailed information about
| these commands. See “Prerequisite and related information” on page xvi for details.
| The tables in Appendix D show what object authorities are required to use these
| commands.
Table 117. Commands for Working with Authority Holders
Command Name Descriptive Name Function
CRTAUTHLR Create Authority Holder Allows you to secure a file before the file exists.
Authority holders are valid only for program-described
database files.
DLTAUTHLR Delete Authority Holder Allows you to delete an authority holder. If the
associated file exists, the authority holder information is
copied to the file.
DSPAUTHLR Display Authority Holder Allows you to display all the authority holders on the
system.
ADDAUTLE Add Authorization List Entry Allows you to add a user to an authorization list. You
specify what authority the user has to all the objects on
the list.
CHGAUTLE Change Authorization List Entry Allows you to change users’ authorities to the objects on
the authorization list.
CRTAUTL Create Authorization List Allows you to create an authorization list.
DLTAUTL Delete Authorization List Allows you to delete an entire authorization list.
DSPAUTL Display Authorization List Allows you to display a list of users and their authorities
to an authorization list.
DSPAUTLOBJ Display Authorization List Objects Allows you to display a list of objects secured by an
authorization list.
EDTAUTL Edit Authorization List Allows you to add, change, and remove users and their
authorities on an authorization list.
RMVAUTLE Remove Authorization List Entry Allows you to remove a user from an authorization list.
RTVAUTLE Retrieve Authorization List Entry Used in a control language (CL) program to get one or
more values associated with a user on the authorization
list. The command can be used with the CHGAUTLE
command to give a user new authorities in addition to
the existing authorities that the user already has.
WRKAUTL Work with Authorization Lists Allows you to work with authorization lists from a list
display.
CHGAUD Change Auditing Allows you to change the auditing value for an object.
CHGAUT Change Authority Allows you to change the authority of users to objects.
CHGOBJAUD Change Object Auditing Allows you to specify whether access to an object is
audited.
CHGOBJOWN Change Object Owner Allows you to change the ownership of an object from
one user to another.
CHGOBJPGP Change Object Primary Group Allows you to change the primary group for an object to
another user or to no primary group.
CHGOWN Change Owner Allows you to change the ownership of an object from
one user to another.
CHGPGP Change Primary Group Allows you to change the primary group for an object to
another user or to no primary group.
DSPAUT Display Authority Allows you to display users’ authority to an object.
DSPOBJAUT Display Object Authority Displays the object owner, public authority to the object,
any private authorities to the object, and the name of the
authorization list used to secure the object.
DSPOBJD Display Object Description Displays the object auditing level for the object.
EDTOBJAUT Edit Object Authority Allows you to add, change, or remove a user’s authority
for an object.
GRTOBJAUT Grant Object Authority Allows you to specifically give authority to named users,
all users (*PUBLIC), or users of the referenced object for
the objects named in this command.
RVKOBJAUT Revoke Object Authority Allows you to remove one or more (or all) of the
authorities given specifically to a user for the named
objects.
WRKAUT Work with Authority Allows you to work with object authority by selecting
options on a list display.
WRKOBJ Work with Objects Allows you to work with object authority by selecting
options on a list display.
WRKOBJOWN Work with Objects by Owner Allows you to work with the objects owned by a user
profile.
WRKOBJPGP Work with Objects by Primary Group Allows you to work with the objects for which a profile
is the primary group using options from a list display.
| CHGDSTPWD Change Dedicated Service Tools Allows you to reset the DST security capabilites profile
| Password to the default password shipped with the system.
CHGPWD Change Password Allows a user to change the user’s own password.
CHGUSRPRF Change User Profile Allows you to change the values specified in a user’s
profile, including the user’s password.
CHKPWD Check Password Allows verification of a user’s password. For example, if
you want the user to enter the password again to run a
particular application, you can use CHKPWD in your CL
program to verify the password.
CRTUSRPRF Create User Profile When you add a user to the system, you assign a
password to the user.
CHGPRF Change Profile Allows a user to change some of the attributes of the
user’s own profile.
CHGUSRAUD Change User Audit Allows you to specify the action and object auditing for
a user profile.
CHGUSRPRF Change User Profile Allows you to change the values specified in a user’s
profile such as the user’s password, special authorities,
initial menu, initial program, current library, and priority
limit.
| CHKOBJITG Check Object Integrity Check the objects owned by one or more user profiles or
| check the objects that match the pathname to ensure the
| objects have not been tampered with.
CRTUSRPRF Create User Profile Allows you to add a user to the system and to specify
values such as the user’s password, special authorities,
initial menu, initial program, current library, and priority
limit.
DLTUSRPRF Delete User Profile Allows you to delete a user profile from the system. This
command provides an option to delete or change
ownership of objects owned by the user profile.
| DSPAUTUSR Display Authorized Users Displays or prints the following for all user profiles on
| the system: associated group profile (if any), whether the
| user profile has a password usable at any password
| level, whether the user profile has a password usable at
| the various password levels, whether the user profile has
| a password usable with NetServer, the date the
| password was last changed, and the user profile text.
DSPUSRPRF Display User Profile command Allows you to display a user profile in several different
formats.
GRTUSRAUT Grant User Authority Allows you to copy private authorities from one user
profile to another user profile.
PRTPRFINT Print Pofile Internals Allows you to print a report of internal information on
the number of entries.
PRTUSRPRF Print User Profile Allows you to analyze user profiles that meet specified
criteria.
RTVUSRPRF Retrieve User Profile Used in a control language (CL) program to get and use
one or more values that are stored and associated with a
user profile.
WRKUSRPRF Work with User Profiles Allows you to work with user profiles by entering
options on a list display.
DSPPGMADP Display Programs That Adopt Allows you to display a list of programs and SQL
packages that adopt a specified user profile.
RSTAUT Restore Authority Allows you to restore authorities for objects held by a
user profile when the user profile was saved. These
authorities can only be restored after a user profile is
restored with the Restore User Profile (RSTUSRPRF)
command.
RSTUSRPRF Restore User Profile Allows you to restore a user profile and its attributes.
Restoring specific authority to objects is done with the
RSTAUT command after the user profile is restored. The
RSTUSRPRF command also restores all authorization
lists and authority holders if RSTUSRPRF(*ALL) is
specified.
SAVSECDTA Save Security Data Saves all user profiles, authorization lists, and authority
holders without using a system that is in a restricted
state.
SAVSYS Save System Saves all user profiles, authorization lists, and authority
holders on the system. A dedicated system is required to
use this function.
CHGAUD Change Auditing Allows you to specify the auditing for an object.
CHGDLOAUD Change Document Library Object Allows you to specify whether access is audited for a
Auditing document library object.
CHGOBJAUD Change Object Auditing Allows you to specify the auditing for an object.
CHGUSRAUD Change User Audit Allows you to specify the action and object auditing for
a user profile.
ADDDLOAUT Add Document Library Object Allows you to give a user access to a document or folder
Authority or to secure a document or folder with an authorization
list or an access code.
CHGDLOAUD Change Document Library Object Allows you to specify the object auditing level for a
Auditing document library object.
CHGDLOAUT Change Document Library Object Allows you to change the authority for a document or
Authority folder.
CHGDLOOWN Change Document Library Object Transfers document or folder ownership from one user
Owner to another user.
CHGDLOPGP Change Document Library Object Allows you to change the primary group for a document
Primary Group library object.
DSPAUTLDLO Display Authorization List Document Allows you to display the documents and folders that
Library Objects are secured by the specified authorization list.
DSPDLOAUD Display Document Library Object Displays the object auditing level for a document library
Auditing object.
DSPDLOAUT Display Document Library Object Allows you to display authority information for a
Authority document or a folder.
EDTDLOAUT Edit Document Library Object Used to add, change, or remove users’ authorities to a
Authority document or folder.
GRTUSRPMN Grant User Permission Gives permission to a user to handle documents and
folders or to do office-related tasks on behalf of another
user.
RMVDLOAUT Remove Document Library Object Used to remove a user’s authority to documents or
Authority folders.
RVKUSRPMN Revoke User Permission Takes away document authority from one user (or all
users) to access documents on behalf of another user.
| ADDSVRAUTE Add Server Authentication Entry Allows you to add server authentication information for
| a user profile.
CHGSVRAUTE Change Server Authentication Entry Allows you to change existing server authentication
entries for a user profile.
RMVSVRAUTE Remove Server Authentication Entry Allows you to remove server authentication entries from
the specified user profile.
These commands allow a user to specify a user name, the associated password, and the name of a remote
server machine. Distributed Relational Database Access (DRDA) uses these entries to run database access
requests as the specified user on the remote server.
Table 126. Commands for Working with the System Distribution Directory
Command Name Descriptive Name Function
ADDDIRE Add Directory Entry Adds new entries to the system distribution directory.
The directory contains information about a user, such as
the user ID and address, system name, user profile
name, mailing address, and telephone number.
CHGDIRE Change Directory Entry Changes the data for a specific entry in the system
distribution directory. The system administrator has
authority to update any of the data contained in a
directory entry, except the user ID, address, and the user
description. Users can update their own directory entries,
but they are limited to updating certain fields.
RMVDIRE Remove Directory Entry Removes a specific entry from the system distribution
directory. When a user ID and address is removed from
the directory, it is also removed from any distribution
lists.
WRKDIRE Work with Directory Provides a set of displays that allow a user to view, add,
change, and remove entries in the system distribution
directory.
CHGSECA 1 Change Security Attributes Allows you to set new starting values for generating
user ID numbers or group ID numbers. Users can specify
a starting user ID number and a starting group ID
number.
| DSPSECA Display Security Attributes Allows you to display the user ID number that is used
| the next time a user ID number is generated, the group
| ID number that is used the next time a group ID number
| is generated, the current and pending security level of
| the system, and the current and pending password level
| of the system.
1
To use this command, you must have *SECADM special authority
The following tables describe several different kinds of security tools. For more
information on the security tools, see Appendix G. Commands and Menus for
Security Commands.
Table 129. Security Tools for Working with Auditing
Command Name Descriptive Name Function
CHGSECAUD Change Security Auditing Allows you to set up security auditing and to change the system values that control security auditing.
DSPAUDJRNE Display Audit Journal Entries Allows you to display or print information about entries in the security audit journal. You can select specific entry types, specific users, and a time period.
DSPSECAUD Display Security Auditing Values Allows you to display information about the security audit journal and the system values that control security auditing.
Table 130. Security Tools for Working with Authorities
Command Name Descriptive Name Function
PRTJOBDAUT Print Job Description Authority Allows you to print a list of job descriptions whose public authority is not *EXCLUDE. You can use this command to print information about job descriptions that specify a user profile that every user on the system can access.
PRTPUBAUT Print Publicly Authorized Objects Allows you to print a list of objects of the specified type whose public authority is not *EXCLUDE.
PRTPVTAUT Print Private Authorities Allows you to print a list of private authorities for objects of the specified type.
PRTQAUT Print Queue Authority Allows you to print the security settings for output queues and job queues on your system. These settings control who can view and change entries in the output queue or job queue.
PRTSBSDAUT Print Subsystem Description Authority Allows you to print a list of subsystem descriptions in a library that contain a default user in a subsystem entry.
PRTTRGPGM Print Trigger Programs Allows you to print a list of trigger programs that are associated with database files on your system.
PRTUSROBJ Print User Objects Allows you to print a list of the user objects (objects not supplied by IBM) that are in a library.
Table 131. Security Tools for Working with System Security
Command Name Descriptive Name Function
CFGSYSSEC Configure System Security Allows you to set security-relevant system values to their recommended settings. The command also sets up security auditing on your system.
PRTCMNSEC Print Communications Security Allows you to print the security attributes of the *DEVD, *CTL, and *LIND objects on the system.
PRTSYSSECA Print System Security Attributes Allows you to print a list of security-relevant system values and network attributes. The report shows the current value and the recommended value.
RVKPUBAUT Revoke Public Authority Allows you to set the public authority to *EXCLUDE for a set of security-sensitive commands on your system.
For more information on tools and suggestions about how to use the security tools,
see the Tips for Making Your iSeries 400 Secure book, GC41-0615.
Table 132 shows the default values that are used for all IBM-supplied user profiles
and on the Create User Profile (CRTUSRPRF) command. The parameters are
sequenced in the order they appear on the Create User Profile display.
Table 133 lists each IBM-supplied profile, its purpose, and any values for the
profile that are different from the defaults for IBM-supplied user profiles.
Note:
Table 133 now includes additional user profiles that are shipped with the
licensed program products. The table includes some, but not all, of the user
profiles for licensed program products; therefore, the list is not exhaustive.
Attention:
- Password for the QSECOFR profile
You must change the password for the QSECOFR profile after you install your
system. This password is the same for every iSeries system and poses a security
exposure until it is changed. However, do not change any other values for
IBM-supplied user profiles. Changing these profiles may cause system functions
to fail.
- Authorities for IBM-supplied profiles
Use caution when removing authorities that IBM-supplied profiles have to
objects that are shipped with the operating system. Some IBM-supplied profiles
are granted private authorities to objects that are shipped with the operating
system. Removing any of these authorities may cause system functions to fail.
Table 132. Default Values for User Profiles
Default Values
1
When the system security level is changed from level 10 or 20 to level 30 or above, this value is removed.
In Table 134, commands that are restricted to the security officer, and to any user
profile with *ALLOBJ special authority, have an R in the QSECOFR column. Commands
that are specifically authorized to one or more IBM-supplied user profiles, in
addition to the security officer, have an S under the names of the profiles to which
they are authorized.
Any commands not listed here are public, which means they can be used by all
users. However, some commands require special authority, such as *SERVICE or
*JOBCTL. The special authorities required for a command are listed in
“Appendix D. Authority Required for Objects Used by Commands” on page 297.
If you choose to grant other users or the public *USE authority to these commands,
update this table to indicate that the commands are no longer restricted on your
system. Using some commands may require authority to certain objects on the
system as well as to the commands themselves. See “Appendix D. Authority
Required for Objects Used by Commands” on page 297 for the object authorities
required for commands.
Table 134. Authorities of IBM-Supplied User Profiles to Restricted Commands
Command Name QSECOFR QPGMR QSYSOPR QSRV QSRVBAS
ADDCMDCRQA S S S S
ADDCRSDMNK R
ADDDSTQ S S
ADDDSTRTE S S
ADDDSTSYSN S S
ADDEXITPGM R
ADDMFS R
ADDNETJOBE R
ADDOBJCRQA S S S S
ADDOPTCTG R
ADDOPTSVR R
ADDPEXDFN R S S
ADDPRDCRQA S S S S
ADDPTFCRQA S S S S
ADDRPYLE S
ADDRSCCRQA S S S S
ANSQST R
1
The CHGDSTPWD command is shipped with public authority *USE, but you must be signed on as
QSECOFR to use this command.
2
The QMSF user profile is also authorized to this command.
3
QSRV can only run this command if an IPL is not being done.
The tables are organized in alphabetical order according to object type. In addition,
tables are included for items that are not OS/400 objects (jobs, spooled files,
network attributes, and system values) and for some functions (device emulation
and finance). Additional considerations (if any) for the commands are included as
footnotes to the table.
Referenced Object: The objects listed in the Referenced Object column are objects to
which the user needs authority when using the command. See “Assumptions” on
page 299 for information about objects which are not listed for each command.
Authority Needed for Object: The authorities specified in the tables show the
object authorities and the data authorities required for the object when using the
command. Table 135 describes the authorities that are specified in the Authority
Needed column. The description includes examples of how the authority is used. In
most cases, accessing an object requires a combination of object and data
authorities.
Authority Needed for Library: This column shows what authority is needed for
the library containing the object. For most operations, *EXECUTE authority is
needed to locate the object in the library. Adding an object to a library usually
requires *READ and *ADD authority. Table 135 describes the authorities that are
specified in the Authority Needed column.
Table 135. Description of Authority Types
Authority Name Functions Allowed
Object Authorities:
*OBJOPR Object Operational Look at the description of an object. Use the
object as determined by the user’s data
authorities.
*OBJMGT Object Management Specify the security for the object. Move or
rename the object. All functions defined for
*OBJALTER and *OBJREF.
*OBJEXIST Object Existence Delete the object. Free storage of the object.
Perform save and restore operations for the
object (1). Transfer ownership of the object.
*OBJALTER Object Alter Add, clear, initialize and reorganize
members of the database files. Alter and add
attributes of database files: add and remove
triggers. Change the attributes of SQL
packages. Move a library or folder to a
different ASP.
In addition to these values, the Authority Needed columns of the table may show
system-defined subsets of these authorities. Table 136 shows the subsets of object
authorities and data authorities.
Table 136. System-Defined Authority
Authority           *ALL    *CHANGE   *USE    *EXCLUDE
Object Authorities
*OBJOPR             X       X         X
*OBJMGT             X
*OBJEXIST           X
*OBJALTER           X
*OBJREF             X
Data Authorities
*READ               X       X         X
*ADD                X       X
*UPD                X       X
*DLT                X       X
*EXECUTE            X       X         X
Table 137 on page 299 shows additional authority subsets that are supported by the
CHGAUT and WRKAUT commands.
Table 137. System-Defined Authority (CHGAUT and WRKAUT subsets)
Authority           *RWX   *RX   *RW   *WX   *R    *W    *X
Object Authorities
*OBJOPR             X      X     X     X     X     X     X
*OBJMGT
*OBJEXIST
*OBJALTER
*OBJREF
Data Authorities
*READ               X      X     X           X
*ADD                X            X     X           X
*UPD                X            X     X           X
*DLT                X            X     X           X
*EXECUTE            X      X           X                 X
For more information on these authorities and their descriptions, see “Defining
How Information Can Be Accessed” on page 112.
Assumptions
1. To use any command, *USE authority is required to the command. This
authority is not specifically listed in the tables.
2. To enter any display command, you need operational authority to the
IBM-supplied display file, printer output file, or panel group used by the
command. These files and panel groups are shipped with public authority
*USE.
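The following is an added example, not part of the manual and not IBM code: it encodes the subsets of Table 136 and Table 137 and applies the two assumptions above (*USE to the command, plus the "For Library" authority) to decide whether a user's authority satisfies a command's table row. The CHGOBJD requirement and the "held" authorities it checks are constructed for illustration; the "USER DEF" label is what DSPOBJAUT shows for an authority combination that matches no system-defined subset.

```python
"""Authority arithmetic for OS/400 object authorities (illustrative, not IBM code).

Encodes the system-defined subsets of Table 136 (*ALL, *CHANGE, *USE,
*EXCLUDE) and the CHGAUT/WRKAUT subsets of Table 137 (*RWX ... *X), then
applies the assumptions above: *USE to the command object itself, and the
"For Library" authority (usually *EXECUTE) to the referenced object's library.
The requirement and "held" authorities below are constructed; nothing here
reads a real system.
"""
from typing import Dict, FrozenSet, Iterable, Mapping, Tuple

OBJECT_AUTHS = ("*OBJOPR", "*OBJMGT", "*OBJEXIST", "*OBJALTER", "*OBJREF")
DATA_AUTHS = ("*READ", "*ADD", "*UPD", "*DLT", "*EXECUTE")

# Table 136 entries come first so that name_for() reports the Table 136 name
# when two subsets are the same set (*RWX is *CHANGE, *RX is *USE).
SYSTEM_DEFINED: Dict[str, FrozenSet[str]] = {
    "*ALL": frozenset(OBJECT_AUTHS + DATA_AUTHS),
    "*CHANGE": frozenset({"*OBJOPR", "*READ", "*ADD", "*UPD", "*DLT", "*EXECUTE"}),
    "*USE": frozenset({"*OBJOPR", "*READ", "*EXECUTE"}),
    "*EXCLUDE": frozenset(),
    "*RWX": frozenset({"*OBJOPR", "*READ", "*ADD", "*UPD", "*DLT", "*EXECUTE"}),
    "*RX": frozenset({"*OBJOPR", "*READ", "*EXECUTE"}),
    "*RW": frozenset({"*OBJOPR", "*READ", "*ADD", "*UPD", "*DLT"}),
    "*WX": frozenset({"*OBJOPR", "*ADD", "*UPD", "*DLT", "*EXECUTE"}),
    "*R": frozenset({"*OBJOPR", "*READ"}),
    "*W": frozenset({"*OBJOPR", "*ADD", "*UPD", "*DLT"}),
    "*X": frozenset({"*OBJOPR", "*EXECUTE"}),
}


def expand(auths: Iterable[str]) -> FrozenSet[str]:
    """Flatten system-defined names and individual authorities into one set.

    ["*CHANGE", "*OBJMGT"] becomes the six *CHANGE authorities plus *OBJMGT.
    An unknown name raises rather than silently contributing nothing.
    """
    result = set()
    for auth in auths:
        if auth in SYSTEM_DEFINED:
            result |= SYSTEM_DEFINED[auth]
        elif auth in OBJECT_AUTHS or auth in DATA_AUTHS:
            result.add(auth)
        else:
            raise ValueError("unknown authority %r" % auth)
    return frozenset(result)


def name_for(auths: Iterable[str]) -> str:
    """System-defined name for exactly this set, else "USER DEF"
    (the label DSPOBJAUT shows when no subset matches)."""
    wanted = expand(auths)
    for name, members in SYSTEM_DEFINED.items():
        if members == wanted:
            return name
    return "USER DEF"


def missing(held: Iterable[str], required: Iterable[str]) -> FrozenSet[str]:
    """Individual authorities in `required` that `held` does not cover."""
    return expand(required) - expand(held)


def command_requirements(object_auth: Iterable[str],
                         library_auth: Iterable[str] = ("*EXECUTE",)) -> Dict[str, Tuple[str, ...]]:
    """Turn one table row into a full requirement by adding the assumptions:
    *USE to the command itself, plus the "For Library" authority."""
    return {
        "command": ("*USE",),
        "object library": tuple(library_auth),
        "object": tuple(object_auth),
    }


def check_command(required: Mapping[str, Iterable[str]],
                  held: Mapping[str, Iterable[str]],
                  special_authorities: Iterable[str] = ()) -> Dict[str, FrozenSet[str]]:
    """Compare required against held authority, referenced object by object.

    Returns {referenced object: authorities still missing}; an empty dict means
    every check passes.  *ALLOBJ special authority satisfies every object
    authority check, the command object included, so it short-circuits.
    """
    if "*ALLOBJ" in set(special_authorities):
        return {}
    gaps = {}
    for obj, need in required.items():
        short = missing(held.get(obj, ()), need)
        if short:
            gaps[obj] = short
    return gaps


# Constructed scenario: CHGOBJD on a file.  The table row asks for *OBJOPR and
# *OBJMGT on the object and *EXECUTE on its library.
CHGOBJD_ON_FILE = command_requirements(("*OBJOPR", "*OBJMGT"))


def chgobjd_holding_change() -> Dict[str, FrozenSet[str]]:
    """A user with *CHANGE to the file: everything but *OBJMGT is covered."""
    held = {"command": ("*USE",), "object library": ("*EXECUTE",), "object": ("*CHANGE",)}
    return check_command(CHGOBJD_ON_FILE, held)


if __name__ == "__main__":
    print(name_for(["*RWX"]))                      # *CHANGE
    print(name_for(["*OBJOPR", "*READ", "*ADD"]))  # USER DEF
    print(chgobjd_holding_change())                # {'object': frozenset({'*OBJMGT'})}
```

Because name_for() walks Table 136 before Table 137, *RWX and *RX resolve to *CHANGE and *USE; the remaining Table 137 names, such as the *WX that ADDLNK needs on the parent directory of a new link, have no Table 136 equivalent and keep their own names. The check deliberately reports every gap rather than stopping at the first, which is what you want when auditing why a profile holding *CHANGE still cannot run a management command.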
1
The user profile running the copy command becomes the owner of the to-file, unless the user is a member
of a group profile and has OWNER(*GRPPRF). If the user’s profile specifies OWNER(*GRPPRF), the group
profile becomes the owner of the to-file. In that case, the user running the command must have *ADD
authority to the group profile and the authority to add a member and write data to the new file. The to-file
is given the same public authority, primary group authority, private authorities, and authorization list as
the from-file.
2
The user profile running the create command becomes the owner of the newly created object, unless the
user is a member of a group profile and has OWNER(*GRPPRF). If the user’s profile specifies
OWNER(*GRPPRF), the group profile becomes the owner of the newly created object. Public authority to
the object is controlled by the AUT parameter.
3
The user profile running the display command becomes the owner of the newly created output file, unless
the user is a member of a group profile and has OWNER(*GRPPRF). If the user’s profile specifies
OWNER(*GRPPRF), the group profile becomes the owner of the output file. Public authority to the output
file is controlled by the CRTAUT parameter of the output file library.
4
If the output queue is defined as OPRCTL (*YES), a user with *JOBCTL special authority does not need any
authority to the output queue. A user with *SPLCTL special authority does not need any authority to the
output queue.
5
For device files, *OBJOPR authority is also required.
6
The REPLACE parameter is not available in the S/38 environment. REPLACE(*YES) is equivalent to using
a function key from the programmer menu to delete the current object.
7
Authority to the corresponding (DSP) command is also required.
8
The *UPDADD option is only available on the MBROPT parameter of the CPYF command.
9
This does not apply to the REPLACE parameter on the CRTJVAPGM command.
Authority Needed
Command Referenced Object For Object For Library
ALCOBJ (1,2,11) Object *OBJOPR *EXECUTE
ANZUSROBJ (20)
CHGOBJAUD (18)
CHGOBJD (3) Object, if it is a file *OBJOPR, *OBJMGT *EXECUTE
  Object, if it is not a file *OBJMGT *EXECUTE
CHGOBJOWN (3,4) Object *OBJEXIST *EXECUTE
  Object (if file, library, subsystem description) *OBJOPR, *OBJEXIST *EXECUTE
  Object (if authorization list) Ownership or *ALLOBJ *EXECUTE
  Old user profile *DLT *EXECUTE
  New user profile *ADD *EXECUTE
1
See the OBJTYPE keyword of the ALCOBJ command for the list of object types that can be allocated and
deallocated.
2
Some authority to the object (other than *EXCLUDE) is required.
3
This command cannot be used for documents or folders. Use the equivalent Document Library Object
(DLO) command.
4
You must have *ALLOBJ and *SECADM special authority to change the object owner of a program, service
program, or SQL package that adopts authority.
5
You must be the owner or have *OBJMGT authority and the authorities being granted or revoked.
6
You must be the owner or have *ALLOBJ special authority to grant *OBJMGT or *AUTLMGT authority.
7
This command cannot be used for user profiles, controller descriptions, device descriptions, line
descriptions, documents, document libraries, and folders.
8
If you have *SAVSYS special authority, you do not need the authority specified.
9
If the user running the CRTDUPOBJ command has OWNER(*GRPPRF) in his user profile, the owner of the
new object is the group profile. To successfully copy authorities to a new object owned by the group
profile, the following applies:
- The user running the command must have some private authority to the from-object.
- If the user has some private authority to the object, additional authorities can be obtained from adopted
authority.
- If an error occurs while copying authorities to the new object, the newly created object is deleted.
- *OBJMGT authority is only copied if the user running the CRTDUPOBJ command is the object owner or
has *ALLOBJ special authority. Adopted authority can be used to obtain ownership or *ALLOBJ special
authority.
10
You must have *SAVSYS special authority.
11
This command cannot be used for journals and journal receivers.
12
This command cannot be used for journals and journal receivers, unless the from-library is QRCL and the
to-library is the original library for the journal or journal receiver.
13
You must have *ALLOBJ special authority to specify ALWOBJDIF(*ALL).
14
To check a user’s authority to an object, you must have the authority you are checking. For example, to
check whether a user has *OBJEXIST authority for FILEB, you must have *OBJEXIST authority to FILEB.
15
To secure an object with an authorization list or remove the authorization list from the object, you must
meet one of the following:
- Own the object.
- Have *ALL authority to the object.
- Have *ALLOBJ special authority.
16
If either the original file or the renamed file has an associated authority holder, *ALL authority to the
authority holder is required.
17
This command does not support the QOPT file system.
18
You must have *AUDIT special authority.
19
To use an individual operation, you must have the authority required by the individual operation.
20
You must have *ALLOBJ special authority.
21
All authorities on the from-object are duplicated to the new object. The primary group of the new object is
determined by the group authority type (GRPAUTTYP) field in the user profile that is running the
command. If the from-object has a primary group, the new object may not have the same primary group,
but the authority that the primary group has on the from-object will be duplicated to the new object.
22
This authority check is only made when the Optical media format is Universal Disk Format.
23
This authority check is only made if you are clearing the optical volume.
24
Optical volumes are not actual system objects. The link between the optical volume and the authorization
list used to secure the volume is maintained by the optical support function.
Authorities Needed
1
You must have *JOBCTL special authority to use this command.
2
You must have *ALLOBJ special authority to use this command.
1
To use individual operations, you must have the authority required by the individual operation.
1
You must have *IOSYSCFG special authority to use this command.
Alerts
Commands identified by (Q) are shipped with public authority *EXCLUDE.
Appendix C shows which IBM-supplied user profiles are authorized to the
command. The security officer can grant *USE to others.
Authority Needed
Command Referenced Object For Object For Library
ADDALRD Alert table *USE, *ADD *EXECUTE
CHGALRD Alert table *USE, *UPD *EXECUTE
CHGALRTBL (Q) Alert table *CHANGE *EXECUTE
CRTALRTBL (Q) Alert table (none; the object is being created) *READ, *ADD
DLTALR Physical file QAALERT *USE, *DLT *EXECUTE
DLTALRTBL (Q) Alert table *OBJEXIST *EXECUTE
RMVALRD Alert table *USE, *DLT *EXECUTE
WRKALR (1) Physical file QAALERT *USE *EXECUTE
WRKALRD (1) Alert table *USE *EXECUTE
WRKALRTBL (1) Alert table *READ *USE
1
To use individual operations, you must have the authority required by the individual operation.
1
To use the individual operations, you must have the authority required by the individual operation.
2
A group corresponds to a library.
3
A project consists of one or more groups (libraries).
4
For more information, see the ADTS/400: Application Development Manager User’s Guide book.
Authority Holder Commands
Authority Needed
Command Referenced Object For Object For Library
CRTAUTHLR (Q) Associated object if it exists *ALL *EXECUTE
DLTAUTHLR Authority holder *ALL *EXECUTE
DSPAUTHLR Output file See General Rules on page 299
1
You must be the owner or have authorization list management authority and have the authorities being
given or taken away.
2
If you do not have *OBJMGT or *AUTLMGT, you can retrieve *PUBLIC authority and your own authority. You
must have *READ authority to your own profile to retrieve your own authority.
3
To use an individual operation, you must have the authority required by the operation
4
You must not be excluded (*EXCLUDE) from the authorization list.
5
Some authority to the authorization list is required.
1
To use individual operations, you must have the authority required by the operation.
Change Request Description Commands
Authority Needed
Command Referenced Object For Object For Library
ADDCMDCRQA (Q) Change request description *CHANGE *EXECUTE
ADDOBJCRQA (Q) Change request description *CHANGE *EXECUTE
ADDPRDCRQA (Q) Change request description *CHANGE *EXECUTE
ADDPTFCRQA (Q) Change request description *CHANGE *EXECUTE
ADDRSCCRQA (Q) Change request description *CHANGE *EXECUTE
CHGCMDCRQA (Q) Change request description *CHANGE *EXECUTE
CHGOBJCRQA (Q) Change request description *CHANGE *EXECUTE
CHGPRDCRQA (Q) Change request description *CHANGE *EXECUTE
CHGPTFCRQA (Q) Change request description *CHANGE *EXECUTE
CHGCRQD Change request description *CHANGE *EXECUTE
CHGRSCCRQA (Q) Change request description *CHANGE *EXECUTE
CRTCRQD Change request description (none; the object is being created) *READ, *ADD
DLTCRQD Change request description *OBJEXIST *EXECUTE
RMVCRQDA Change request description *CHANGE *EXECUTE
WRKCRQD (1) Change request description *EXECUTE
1
To use an individual operation, you must have the authority required by the operation.
Chart Commands
Authority Needed
Command Referenced Object For Object For Library
DLTCHTFMT Chart format *OBJEXIST *EXECUTE
DSPCHT Chart format *USE *USE
  Database file *USE *USE
DSPGDF Database file *USE *USE
STRBGU (Option 3) (2) Chart format *CHANGE, *OBJEXIST *EXECUTE
WRKCHTFMT (1) Chart format Any authority *USE
1
To use an individual operation, you must have the authority required by the operation.
2
Option 3 on the BGU menu (shown when STRBGU is run) is the Change chart format option.
1
To use an individual operation, you must have the authority required by the operation .
Class-of-Service Commands
Authority Needed
Command Referenced Object For Object For Library
CHGCOSD (3) Class-of-service description *CHANGE, *OBJMGT *EXECUTE
CRTCOSD (3) Class-of-service description
DLTCOSD Class-of-service description *OBJEXIST *EXECUTE
DSPCOSD Class-of-service description *USE *EXECUTE
WRKCOSD (1,2) Class-of-service description *OBJOPR *EXECUTE
1
To use individual operations, you must have the authority required by the individual operation.
2
Some authority to the object is required.
3
To use this command, you must have *IOSYSCFG special authority.
1
Ownership or some authority to the object is required.
2
To use individual operations, you must have the authority required by the individual operation.
1
Any user can run this command for commitment definitions that belong to a job that is running under the
user profile of the user. A user who has job control (*JOBCTL) special authority can run this command for
any commitment definition.
1
Authority is verified when the communications side information object is used.
Authority Needed
Command Referenced Object For Object For Library
PRTDEVADR Controller description (CTL) *USE *EXECUTE
  Device description *USE *EXECUTE
RSTCFG (Q) (1,5) Every object being restored over by a saved version *OBJEXIST *EXECUTE
  To-library (1) *ADD, *EXECUTE
  User profile owning objects being created (1) *ADD
  Tape unit *USE *EXECUTE
  Tape file (QSYSTAP) (1) *USE *EXECUTE
  Save file, if specified *USE *EXECUTE
  Print file (QPSRLDSP), if OUTPUT(*PRINT) is specified *USE *EXECUTE
  Output file, if specified See General Rules on page 299
  QSYS/QASRRSTO field reference file, if output file is specified and it does not exist *USE *EXECUTE
RTVCFGSTS Object *OBJOPR *EXECUTE
RTVCFGSRC Object *USE *EXECUTE
  Source file *OBJOPR, *OBJMGT, *ADD, *DLT *EXECUTE
SAVCFG (2) Save file, if empty *USE, *ADD *EXECUTE
  Save file, if records exist in it *USE, *ADD, *OBJMGT *EXECUTE
SAVRSTCFG On the source system, same authority as required by the SAVCFG command.
  On the target system, same authority as required by the RSTCFG command.
VRYCFG (3,6) Object *USE, *OBJMGT *EXECUTE
WRKCFGSTS (4) Object *OBJOPR *EXECUTE
1
If you have *SAVSYS special authority, you do not need the authority specified.
2
You must have *SAVSYS special authority.
3
If a user has *JOBCTL special authority, authority to the device is not needed.
4
To use the individual operations, you must have the authority required by the individual operation.
5
You must have *ALLOBJ special authority to specify ALWOBJDIF(*ALL).
6
You must have *IOSYSCFG special authority for media library when status is *ALLOCATE or
*DEALLOCATE.
1
To use the individual operations, you must have the authority required by the individual operation.
2
To use this command, you must have *IOSYSCFG special authority.
1
To use the individual operations, you must have the authority required by the individual operation.
2
To use this command, you must have *IOSYSCFG special authority.
1
To use the individual operations, you must have the authority required by the individual operation.
2
To use this command, you must have *IOSYSCFG special authority.
3
To use this command, you must have *ALLOBJ special authority.
Cryptography Commands
Commands identified by (Q) are shipped with public authority *EXCLUDE.
Appendix C shows which IBM-supplied user profiles are authorized to the
command. The security officer can grant *USE authority to others.
Authority Needed
Command Referenced Object For Object For Library
ADDCRSDMNK (Q) QUSRSYS/QACRKTBL *FILE *OBJOPR, *ADD *EXECUTE
  QHST message queue *OBJOPR, *ADD *EXECUTE
CHGCRSDMNK (Q) QUSRSYS/QACRKTBL *FILE *OBJOPR, *READ, *UPD *EXECUTE
  QHST message queue *OBJOPR, *ADD *EXECUTE
CHGMSTK (Q) QUSRSYS/QACRKTBL *FILE *OBJOPR, *READ, *UPD *EXECUTE
  QHST message queue *OBJOPR, *ADD *EXECUTE
CPHDTA (Q)
1
If the create and change data area commands are run using high-level language functions, these authorities
are still required although authority to the command is not.
2
Authority is verified at run time, but not at compilation time.
3
To use an individual operation, you must have the authority required by the operation.
4
Authority is verified when the data area is used.
1
To use individual operations, you must have the authority required by the individual operation.
2
Authority is verified when the data area is used.
1
To remove an associated output queue, object existence (*OBJEXIST) authority to the output queue and
read authority to the QUSRSYS library are required.
2
You must have job control (*JOBCTL) special authority and object operational authority to the device
description.
3
To use individual operations, you must have the authority required by the individual operation.
4
You must have *IOSYSCFG special authority to run this command.
5
You must have *ALLOBJ special authority to run this command.
1
You must have *SECADM special authority.
2
You must have *SECADM or *ALLOBJ special authority.
3
A user with *SECADM special authority can work with all directory entries. Users without *SECADM
special authority can work only with their own entries.
4
You must have *JOBCTL special authority.
5
To use an individual operation, you must have the authority required by the operation.
Disk Commands
Commands identified by (Q) are shipped with public authority *EXCLUDE.
Appendix C shows which IBM-supplied user profiles are authorized to the
command. The security officer can grant *USE authority to others.
1
To use this command, you must have *ALLOBJ special authority.
Authority Needed
Command Referenced Object For Object For Library
ENDPASTHR
STRPASTHR APPC device on source system *CHANGE *EXECUTE
  APPC device on target system *CHANGE *EXECUTE
  Virtual controller on target system (1) *USE *EXECUTE
  Virtual device on target system (1,2) *CHANGE *EXECUTE
  Program specified in the QRMTSIGN system value on target system, if any (1) *USE *USE
TFRPASTHR
1
The user profile that requires this authority is the profile that runs the pass-through batch job. For
pass-through that bypasses the sign-on display, the user profile is the one specified in the remote user
(RMTUSER) parameter. For pass-through that uses the normal sign-on procedure (RMTUSER(*NONE)),
the user is the default user profile specified in the communications entry of the subsystem that handles the
pass-through request. Generally, this is QUSER.
2
If the pass-through is one that uses the normal sign-on procedure, the user profile specified on the sign-on
display on the target system must have authority to this object.
Distribution Commands
Commands identified by (Q) are shipped with public authority *EXCLUDE.
Appendix C shows which IBM-supplied user profiles are authorized to the
command. The security officer can grant *USE authority to others.
Authority Needed
Command Referenced Object For Object For Library
ADDDSTQ (Q)
ADDDSTRTE (Q)
ADDDSTSYSN (Q)
CFGDSTSRV (Q)
CFGRPDS (Q)
CHGDSTD (1,2) Document *CHANGE *EXECUTE
CHGDSTQ (Q)
CHGDSTRTE (Q)
DLTDST (1)
DSPDSTLOG (Q) Journal *USE *EXECUTE
  Journal receiver *USE *EXECUTE
DSPDSTSRV (Q)
HLDDSTQ (Q)
INZDSTQ (Q)
QRYDST (1) Requested file *CHANGE *EXECUTE
RCVDST (1) Requested file *CHANGE *EXECUTE
  Folder *CHANGE *EXECUTE
RLSDSTQ (Q)
RMVDSTQ (Q)
RMVDSTRTE (Q)
RMVDSTSYSN (Q)
SNDDST (1) Requested file or document *USE *EXECUTE
SNDDSTQ (Q)
WRKDSTQ (Q)
WRKDPCQ (Q)
1
If the user is asking for distribution for another user, the user must have the authority to work on behalf of
the other user.
2
When the Distribution is filed.
1
You must have *SECADM special authority or own the distribution list.
2
To use an individual operation, you must have the authority required by the operation.
1
You must have *AUDIT special authority.
2
If the user is working on behalf of another user, the other user’s authority to the object is checked.
3
The user must have *ALL authority to all the objects in the folder in order to delete the folder and all the
objects in the folder.
4
If you have *ALLOBJ or *SECADM special authority, you do not need *ALL authority to the document
library list.
5
The user must have authority to the object being used as the merge source. For example, if
MRGTYPE(*QRY) is specified, the user must have use authority to the query specified for the QRYDFN
parameter.
6
Only objects that meet the criteria of the query and to which the user has at least *USE authority are
returned in the document list or output file.
7
*SAVSYS, *ALLOBJ, or enrollment in the system distribution directory is required.
8
*SAVSYS or *ALLOBJ special authority is required to use the following parameter combination: RSTDLO
DLO(*MAIL).
9
*ALLOBJ is required to specify ALWOBJDIF(*ALL).
10
If you have *SAVSYS or *ALLOBJ special authority, you do not need the authority specified.
11
You need *ALL authority to the document if replacing it. You need operational and all the data authorities
to the folder if restoring new information into the folders, or you need *ALLOBJ special authority.
12
If used for a data dictionary, only the authority to the command is required.
13
*SAVSYS or *ALLOBJ special authority is required to use the following parameter combinations:
SAVDLO DLO(*ALL) FLR(*ANY)
SAVDLO DLO(*MAIL)
SAVDLO DLO(*CHG)
SAVDLO DLO(*SEARCH) OWNER(not *CURRENT)
14
You must be enrolled in the system distribution directory if the source folder is a document folder.
15
You must have *ALLOBJ special authority to dump internal document library objects.
16
You must have *ALLOBJ or *SECADM special authority.
17
This authority check is only made when the Optical Media Format is Universal Disk Format (UDF).
18
This authority check is only made when you are clearing the optical volume.
19
Optical volumes are not actual system objects. The link between the optical volume and the authorization
list used to secure the volume is maintained by the optical support function.
1
To use an individual operation, you must have the authority required by the operation .
1
To update system-level environment variables, you need *JOBCTL special authority.
File Commands
Commands identified by (Q) are shipped with public authority *EXCLUDE.
Appendix C shows which IBM-supplied user profiles are authorized to the
command. The security officer can grant *USE authority to others.
Authority Needed
Command Referenced Object For Object For Library
ADDICFDEVE ICF file *OBJOPR, *OBJMGT *EXECUTE
ADDLFM Logical file *OBJOPR, *OBJMGT or *OBJALTER *EXECUTE, *ADD
  File referenced in DTAMBRS parameter, when logical file is keyed *OBJOPR, *OBJMGT or *OBJALTER *EXECUTE
  File referenced in DTAMBRS parameter, when logical file is not keyed *OBJOPR *EXECUTE
ADDPFCST Dependent file, if TYPE(*REFCST) is specified *OBJMGT or *OBJALTER *EXECUTE
  Parent file, if TYPE(*REFCST) is specified *OBJMGT or *OBJREF *EXECUTE
  File, if TYPE(*UNQCST) or TYPE(*PRIKEY) is specified *OBJMGT *EXECUTE
ADDPFM Physical file *OBJOPR, *OBJMGT or *OBJALTER *EXECUTE, *ADD
ADDPFTRG Physical file, to insert trigger *OBJALTER, *OBJMGT, *READ, *OBJOPR *EXECUTE
  Physical file, to delete trigger *OBJALTER, *OBJMGT, *READ, *OBJOPR *EXECUTE
  Physical file, to update trigger *OBJALTER, *OBJMGT, *READ, *OBJOPR *EXECUTE
  Trigger program *EXECUTE *EXECUTE
1
The CPYFRMQRYF command uses a FROMOPNID parameter rather than a FROMFILE parameter. A user
must have sufficient authority to perform the OPNQRYF command prior to running the CPYFRMQRYF
command. If CRTFILE(*YES) is specified on the CPYFRMQRYF command, the first file specified on the
corresponding OPNQRYF FILE parameter is considered to be the from-file when determining the
authorities for the new to-file. (See note 1 of General Rules on page 299.)
2
Ownership or operational authority to the file is required.
3
To use individual operations, you must have the authority required by the individual operation.
4
If a new file is created and an authority holder exists for the file, then the user must have all (*ALL)
authority to the authority holder or be the owner of the authority holder. If there is no authority holder, the
owner of the file is the user who entered the RSTS36F command and the public authority is *ALL.
5
Some authority to the object is required.
6
You must have *ALLOBJ special authority.
7
Authority is verified when the DDM file is used.
8
This authority check is only made when the Optical media format is Universal Disk Format (UDF).
9
This authority check is only made if you are clearing the optical volume.
10
Optical volumes are not actual system objects. The link between the optical volume and the authorization
list used to secure the volume is maintained by the optical support function.
Filter Commands
Authority Needed
Command Referenced Object For Object For Library
ADDALRACNE Filter *USE, *ADD *EXECUTE
ADDALRSLTE Filter *USE, *ADD *EXECUTE
ADDPRBACNE Filter *USE, *ADD *EXECUTE
ADDPRBSLTE Filter *USE, *ADD *EXECUTE
CHGALRACNE Filter *USE, *UPD *EXECUTE
CHGALRSLTE Filter *USE, *UPD *EXECUTE
CHGFTR Filter *OBJMGT *EXECUTE
CHGPRBACNE Filter *USE, *UPD *EXECUTE
CHGPRBSLTE Filter *USE, *UPD *EXECUTE
CRTFTR Filter (none; the object is being created) *READ, *ADD
DLTFTR Filter *OBJEXIST *EXECUTE
RMVFTRACNE Filter *USE, *DLT *EXECUTE
RMVFTRSLTE Filter *USE, *DLT *EXECUTE
1
To use an individual operation, you must have the authority required by the operation.
Finance Commands
Commands identified by (Q) are shipped with public authority *EXCLUDE.
Appendix C shows which IBM-supplied user profiles are authorized to the
command. The security officer can grant *USE authority to others.
Authority Needed
Command Referenced Object For Object For Library
SBMFNCJOB (Q) (1) Job description and message queue *OBJOPR *EXECUTE
SNDFNCIMG (Q) (1) Job description and message queue *OBJOPR *EXECUTE
WRKDEVTBL (Q) (1) Device description At least one data authority *EXECUTE
WRKPGMTBL (Q)
WRKUSRTBL (Q)
1
The QFNC user profile must have this authority.
1
The workstation object is an internal object that is created when you install the OS/400 Graphical
Operations feature. It is shipped with public authority of *USE.
2
You must be the owner or have *OBJMGT authority and the authorities being granted or revoked.
3
You must be the owner or have *ALLOBJ special authority to grant *OBJMGT or *AUTLMGT authority.
4
To secure the workstation object with an authorization list or remove the authorization list, you must have
one of the following:
Own the workstation object.
Have *ALL authority to the workstation object.
Have *ALLOBJ special authority.
1
Ownership or some authority to the object is required.
Authority
Needed for
Command Referenced Object Object Type File System Object1
9
ADDLNK Object *STMF QOpenSys, "root", UDFS *OBJEXIST
*FILE QLANSvr *OBJMGT
Parent of new link *DIR QOpenSys, "root", UDFS *WX
Path prefix See General Rules on page 299
1
Adopted authority is not used for Integrated File system commands.
2
If you have *SAVSYS special authority, you do not need the authority specified for the QSYS.LIB, QDLS,
QOpenSys, and "root" file systems. For the QLANSvr file system, you do not need the specified authority if
you are a LAN Server administrator.
3
| The authority required varies by object type. See the description of the QLIRNMO API in the Information
| Center (see “Prerequisite and related information” on page xvi for details). If the object is a database
| member, see the authorities for the Rename Member (RNMM) command.
4
You must have *AUDIT special authority to change an auditing value.
5
This command is not supported for the QLANSvr file system.
6
If the user issuing the command does not have *ALLOBJ authority, the user must be a member of the new
primary group.
7
To use an individual operation, you must have the authority required by the operation.
8
These commands require the authority shown plus the authorities required for the DSPCURDIR command.
9
This command is not supported for the QOPT file system.
10
Optical volumes are not actual system objects. The link between the optical volume and the authorization
list used to secure the volume is maintained by the optical support function.
11
See the Optical File System restrictions for this command in the manual.
12
Authority required varies by the native command used. See the respective SAVOBJ or RSTOBJ command
for the required authority.
13
Authority required by QOPT against media formatted in "Universal Disk Format" (UDF).
14
*ADD is needed only when object being moved to is a *MRB.
15
Pattern: In some commands, an asterisk (*) or a question mark (?) can be used in the last component of the
path name to search for names matching a pattern.
16
Relative path name: If a path name does not begin with a slash, the predecessor of the first component of
the path name is taken to be the current working directory of the process. For example, if a path name of
’a/b’ is specified, and the current working directory is ’/home/john’, then the object being accessed is
’/home/john/a/b’.
17
When using relative path names in the QLANSvr file system, the user must have read data authority (*R)
to the NWS storage being accessed. That is, if a user wants to change his current directory to
’/QLANSvr/NWS/SERVER/DSK/K’ (or to any path below K), then the user must have *R
authority to the K directory.
Note: For the QLANSvr file system, you do not need the specified authority if you are a LAN Server
Administrator.
18
If you have *ALLOBJ special authority, you do not need the listed authority.
1
Authority to the data dictionary is not required to unlink a file.
2
To use individual operations, you must have the authority required by the individual operation.
3
Before the dictionary is deleted, all linked files are unlinked. Refer to the LNKDTADFN command for
authority required to unlink a file.
4
You need use authority to the data dictionary to create a new file. No authority to the data dictionary is
needed to enter data in an existing file.
Authority Needed
Command Referenced Object For Object For Library
1
CHGIPXD IPX description *CHANGE, *OBJMGT *EXECUTE
1
CRTIPXD IPX description *EXECUTE
DLTIPXD IPX description *OBJEXIST *EXECUTE
DSPIPXD IPX description *USE *EXECUTE
ENDIPX (Q) File Objects *USE *EXECUTE
2
Line description *USE *EXECUTE
2
Controller description *USE *EXECUTE
2
Device description *USE *EXECUTE
ENDIPIIFC (Q) File objects *USE *EXECUTE
2
Line description *USE *EXECUTE
2
Controller description *USE *EXECUTE
2
Device description *USE *EXECUTE
ENDIPXCCT (Q) File objects *USE *EXECUTE
2
Line description *USE *EXECUTE
2
Controller description *USE *EXECUTE
2
Device description *USE *EXECUTE
STRIPX (Q) File objects *USE *EXECUTE
2
Line description *USE *EXECUTE
2
Controller description *USE *EXECUTE
2
Device description *USE *EXECUTE
1
You must have *IOSYSCFG special authority to use this command.
2
If you have *JOBCTL special authority, you do not need the specified authority to the object.
1
To use an individual operation, you must have the authority required by the operation.
1
To use this command, you must have *SECADM and *ALLOBJ special authorities.
Job Commands
Commands identified by (Q) are shipped with public authority *EXCLUDE.
Appendix C shows which IBM-supplied user profiles are authorized to the
command. The security officer can grant *USE authority to others.
Authority Needed
Command Referenced Object For Object For Library
9,11
BCHJOB Job description *USE *EXECUTE
10
User profile in job description *USE *EXECUTE
10
Sort sequence table *USE *EXECUTE
7
Message queue *USE, *ADD *EXECUTE
10,11
Job queue *READ *EXECUTE
7
Output queue *USE *EXECUTE
1
CHGACGCDE
CHGGRPA 4 Message queue if associating a message queue with a group *OBJOPR *EXECUTE
1,2,3
CHGJOB New job queue, if changing the job queue 10,11 *READ *EXECUTE
New output queue, if changing the output queue 7 *READ *EXECUTE
Sort sequence table 7 *USE *EXECUTE
CHGPJ User profile for the program start request to specify *PGMSTRRQS *USE *EXECUTE
User profile and job description *USE *EXECUTE
13
CHGSYSJOB(Q)
CHGUSRTRC 14 User trace buffer when CLEAR(*YES) is used 15 *OBJOPR *EXECUTE
User trace buffer when MAXSTG is used 15 *CHANGE, *OBJMGT *USE
User trace buffer when TRCFULL is used 15 *OBJOPR *EXECUTE
15
DLTUSRTRC User trace buffer *OBJOPR, *OBJEXIST *EXECUTE
4
DLYJOB
15
DMPUSRTRC User trace buffer *OBJOPR *EXECUTE
1
DSCJOB
DSPACTPJ
1
DSPJOB
DSPJOBTBL
1
Any user can run these commands for jobs running under his own user profile. A user with job control
(*JOBCTL) special authority can run these commands for any job. If you have *SPLCTL special authority,
you do not need any authority to the job queue. However, you need authority to the library that contains
the job queue.
2
You must have the authority (specified in your user profile) for the scheduling priority and output priority
specified.
3
To change certain job attributes, even in the user’s own job, requires job control (*JOBCTL) special
authority. These attributes are RUNPTY, TIMESLICE, PURGE, DFTWAIT, and TSEPOOL.
4
This command only affects the job in which it was specified.
5
To display the log for a job which was run with *ALLOBJ special authority, you must also have *JOBCTL
and *ALLOBJ special authority.
6
To use this command, job control *JOBCTL special authority is required.
7
The user profile under which the submitted job runs is checked for authority to the referenced object. The
adopted authority of the user submitting or changing the job is not used.
8
If the job being transferred is an interactive job, the following restrictions apply:
v The job queue where the job is placed must be associated with an active subsystem.
v The work station associated with the job must have a corresponding work station entry in the subsystem
description associated with the new subsystem.
v The work station associated with the job must not have another job associated with it that has been
suspended by means of the Sys Req (System Request) key. The suspended job must be canceled before
the Transfer Job command can run.
v The job must not be a group job.
9
Both the user submitting the job and the user profile under which the job will run are checked for
authority to the referenced object.
10
The user submitting the job is checked for authority to the referenced object.
11
The adopted authority of the user issuing the CHGJOB or SBMJOB command is used.
12
You must be authorized to the user profile and the job description; the user profile must also be authorized
to the job description.
13
To change certain job attributes, even in the user’s own job, requires job control (*JOBCTL) and all object
(*ALLOBJ) special authorities.
14
Any user can run these commands for jobs running under his own user profile. A user with job control
(*JOBCTL) special authority can run these commands for any job.
15
A user trace buffer is a user space (*USRSPC) object in library QUSRSYS by the name QPOZnnnnnn, where
’nnnnnn’ is the job number of the job using the user trace facility.
1
You must have *ALLOBJ special authority to use this command.
1
If you have *SPLCTL special authority, you do not need any authority to the job queue but you need
authority to the library containing the job queue.
2
You must be the owner of the job queue.
3
If you request to work with all job queues, your list display includes all the job queues in libraries to
which you have *EXECUTE authority.
4
To display the job queue parameters, use the QSPRJOBQ API.
5
You must have *ALLOBJ special authority.
1
Both the user profile adding the entry and the user profile under which the job will run are checked for
authority to the referenced object.
2
Authority to the job queue cannot come from adopted authority.
3
You must have *JOBCTL special authority or have added the entry.
4
To display the details of an entry (option 5 or print format *FULL), you must have *JOBCTL special
authority or have added the entry.
Journal Commands
Commands identified by (Q) are shipped with public authority *EXCLUDE.
Appendix C shows which IBM-supplied user profiles are authorized to the
command. The security officer can grant *USE authority to others.
Authority Needed
For Object For Library or
| Command Referenced Object Directory
ADDRMTJRN Source journal *CHANGE, *OBJMGT *EXECUTE
Target journal *EXEC,*ADD
| APYJRNCHG (Q) Journal *USE *EXECUTE
| Journal receiver *USE *EXECUTE
| Non-IFS objects whose journaled changes *OBJMGT, *CHANGE *EXECUTE
| are being applied
| IFS objects whose journal changes are being *RW, *OBJMGT *RX (if subtree *ALL)
| applied
1
See the WRKJRN command (this command has the same function).
2
See the STRJRNAP command.
3
See the STRJRNPF command.
4
Additional authority is required for specific functions called during the operation selected. For example, to
restore an object you must have the authority required for the RSTOBJ command.
5
*OBJOPR and *OBJEXIST authority is required for journal receivers if the option is chosen to delete
receivers.
6
To specify JRN(*INTSYSJRN), you must have *ALLOBJ special authority.
7
*READ authority to the journal’s library is required to display the WRKJRN menu. *EXECUTE authority to
the library is required to use an option on the menu.
8
You must have *ALLOBJ and *AUDIT special authorities to use this command.
1
To use an individual operation, you must have the authority required by the operation.
2
*OBJOPR and *OBJEXIST authority is required for journal receivers if the option is chosen to delete
receivers.
3
*OBJOPR and a data authority other than *EXECUTE is required for journal receivers if the option is
chosen to display the description.
1
| The DB2 Universal Database for iSeries topic in the Information Center contains more information about
| security requirements for structured query language (SQL) statements. See “Prerequisite and related
| information” on page xvi for details.
Library Commands
Commands identified by (Q) are shipped with public authority *EXCLUDE.
Appendix C shows which IBM-supplied user profiles are authorized to the
command. The security officer can grant *USE authority to others.
| Authority Needed
| For Library Being Acted
| Command Referenced Object For Object On
| ADDLIBLE Library *USE
| CHGCURLIB New current library *USE
1
| The authority needed for the library being acted upon is indicated in this column. For example, to add the
| library CUSTLIB to a library list using the ADDLIBLE command requires Use authority to the CUSTLIB
| library.
2
| The authority needed for the QSYS library is indicated in this column, because all libraries are in QSYS
| library.
3
| If object existence is not found for some objects in the library, those objects are not deleted, and the library
| is not completely cleared and deleted. Only authorized objects are deleted.
4
| All restrictions that apply to the CRTDUPOBJ command, also apply to this command.
5
| If you do not have authority to an object in the library, the text for the object says *NOT AUTHORIZED.
6
| If you have *SAVSYS special authority, you do not need the authority specified.
7
| You must have *ALLOBJ special authority to specify ALWOBJDIF(*ALL).
8
| You must have *AUDIT special authority to change the CRTOBJAUD value for a library. *OBJMGT is not
| required if you change only the CRTOBJAUD value. *OBJMGT is required if you change the CRTOBJAUD
| value and other values.
9
| You must have *AUDIT special authority to specify a CRTOBJAUD value other than *SYSVAL.
10
| You must have the authority required by the operation to use an individual operation.
11
| Optical volumes are not actual system objects. The link between the optical volume and the authorization
| list used to secure the volume is maintained by the optical support function.
12
| This authority check is only made when the Optical media format is Universal Disk Format.
13
| This authority check is only made when you are clearing the optical volume.
Authority Needed
Command Referenced Object For Object For Library
ADDLICKEY (Q) Output file *USE *EXECUTE
DSPLICKEY (Q) Output file See General Rules on page 299 See General Rules on page 299
RMVLICKEY (Q) Output file *CHANGE *EXECUTE
1
Some licensed programs can be deleted, saved, or restored only if you are enrolled in the system
distribution directory.
2
If deleting, restoring, or saving a licensed program that contains folders, all restrictions that apply to the
DLTDLO command also apply to this command.
3
To use individual operations, you must have the authority required by the individual operation.
1
To use individual operations, you must have the authority required by the individual operation.
2
To use this command, you must have *IOSYSCFG special authority.
3
To use this command, you must have *ALLOBJ special authority.
Locale Commands
Authority Needed
Command Referenced Object For Object For Library
CRTLOCALE Source file *USE *USE, *ADD
DLTLOCALE Locale *OBJEXIST *USE
Media Commands
Authority Needed
Command Referenced Object For Object For Library
ADDTAPCTG Tape Library description *USE *EXECUTE
1
CFGDEVMLB (Q) Tape Library description *USE *EXECUTE
CHGDEVMLB (Q) Tape Library description *USE *EXECUTE
CHGJOBMLBA Tape Library description *CHANGE *EXECUTE
CHGTAPCTG Tape Library description *USE *EXECUTE
CHKDKT Diskette device description *USE *EXECUTE
CHKTAP Tape device description *USE *EXECUTE
CLRDKT Diskette device description *USE *EXECUTE
CRTTAPCGY Tape Library description *USE *EXECUTE
DLTDKTLBL Diskette device description *USE *EXECUTE
DLTMEDDFN Media definition *OBJEXIST *EXECUTE
DLTTAPCGY Tape Library description *USE *EXECUTE
DMPTAP Tape device description *USE *EXECUTE
DSPDKT Diskette device description *USE *EXECUTE
DSPTAP Tape device description *USE *EXECUTE
DSPTAPCGY Tape Library description *USE *EXECUTE
DSPTAPCTG Tape Library description *USE *EXECUTE
DSPTAPSTS Tape Library description *USE *EXECUTE
DUPDKT Diskette device description *USE *EXECUTE
DUPTAP Tape device description *USE *EXECUTE
INZDKT Diskette device description *USE *EXECUTE
INZTAP Tape device description *USE *EXECUTE
RMVTAPCTG Tape Library description *USE *EXECUTE
RNMDKT Diskette device description *USE *EXECUTE
SETTAPCGY Tape Library description *USE *EXECUTE
3
WRKMLBRSCQ Tape Library description *USE *EXECUTE
2
WRKMLBSTS (Q) Tape Library description *USE *EXECUTE
WRKTAPCTG Tape Library description *USE *EXECUTE
1
To use this command, you must have *IOSYSCFG special authority.
2
To use an individual operation, you must have the authority required by the operation.
2
To change the session media library attributes, you must have *CHANGE authority to the Tape Library
description.
1
To use an individual operation, you must have the authority required by the operation.
1
To use individual operations, you must have the authority required by the individual operation.
1
To use an individual operation, you must have the authority required by the operation.
1
To use an individual operation, you must have the authority required by the operation.
Migration Commands
Authority Needed
Command Referenced Object For Object For Library
RCVMGRDTA File *ALL *READ, *ADD
Device *CHANGE *EXECUTE
SNDMGRDTA File *ALL *READ, *ADD
Device *CHANGE *EXECUTE
The following commands do not require any object authorities.
They are shipped with public authority *EXCLUDE. You must have
*ALLOBJ special authority to use these commands.
1
You must have *ALLOBJ special authority and have OS/400 option 4 installed.
1
To use individual operations, you must have the authority required by the individual operation.
2
To use this command, you must have *IOSYSCFG special authority.
Module Commands
Authority Needed
Command Referenced Object For Object For Library
CHGMOD Module *OBJMGT, *USE *USE
Module, if OPTIMIZE specified *OBJMGT, *USE *USE, *ADD, *DLT
Module, if FRCCRT(*YES) specified *OBJMGT, *USE *USE, *ADD, *DLT
Module, if ENBPRFCOL specified *OBJMGT, *USE *USE, *ADD, *DELETE
DLTMOD Module *OBJEXIST *EXECUTE
DSPMOD Module *USE *EXECUTE
1
You need *USE authority to the:
v CRTSRCPF command if the file does not exist.
v ADDPFM command if the member does not exist.
v RGZPFM command so the source file member is reorganized. Either *CHANGE and *OBJALTER
authorities or *OBJMGT authority is required to reorganize the source file member. The RTVBNDSRC
command function then completes with the source file member reorganized with sequence numbers of
zero.
2
To use an individual operation, you must have the authority required by the operation.
1
To use an individual operation, you must have the authority required by the operation.
2
To use this command, you must have *IOSYSCFG special authority.
Network Commands
Commands identified by (Q) are shipped with public authority *EXCLUDE.
Appendix C shows which IBM-supplied user profiles are authorized to the
command. The security officer can grant *USE authority to others.
1
You must have *ALLOBJ special authority.
2
A user can run these commands on the user’s own network files or on network files owned by the user’s
group profile. *ALLOBJ special authority is required to process network files for another user.
3
To use an individual operation, you must have the authority required by that operation.
4
To change some network attributes, you must have *ALLOBJ and *IOSYSCFG special authorities.
1
To use this command, you must have *IOSYSCFG special authority.
2
QASPxx is either 01 (system ASP) or 02-16 based on which user ASP is needed. This is the directory that
contains the *BLKSF that is being mounted.
3
The directory that is mounted over (dir_to_be_mounted_over) is any IFS directory that can be mounted
over.
4
You must provide a path to some object. You must have *RX authority for all directories in that path.
5
You must have *RX authority to the /etc/exports stream file and the directories in the /etc/exports path.
6
You must provide a path to some *STMF. You must have *RX authority for all directories in that path.
7
You must have update (*RWX) authority to the stream file for which you are releasing locks.
1
To use the individual operations, you must have the authority required by the individual operation.
2
To use this command, you must have *IOSYSCFG special authority.
1
Adopted authority is not used for Network Server commands.
2
To use this command, you must have *IOSYSCFG special authority.
3
To use this command, you must have *JOBCTL special authority.
4
You must have *SECADM special authority to specify a value other than *NONE for the NDSTREELST and
the NTW3SVRLST parameters.
1
To use an individual operation, you must have the authority required by the operation.
2
To use this command, you must have *IOSYSCFG special authority.
1
To use the individual operations, you must have the authority required by the individual operation.
| DSPUSRPMN RVKACCAUT 1
1
| You must have *ALLOBJ special authority to grant or revoke access code authority or document authority
| for other users.
2
| Access is restricted to documents, folders, and mail that are not personal.
3
| The access code must be defined to the system (using the Add Access Code (ADDACC) command) before
| you can grant access code authority. The user being granted access code authority must be enrolled in the
| system distribution directory.
4
| You must have *SECADM special authority.
5
| Additional authorities are required for specific functions called by the operations selected. The user also
| needs additional authorities for any commands called during a specific function.
Authority Needed
Command Referenced Object For Object For Library
CVTEDU
STREDU
Authority Needed
Command Referenced Object For Object For Library
1
CHGBCKUP QUSRSYS/QEZBACKUPL *USRIDX *CHANGE *EXECUTE
2
| CHGCLNUP
3
CHGPWRSCD PWRDWNSYS *CMD *USE *EXECUTE
3
CHGPWRSCDE PWRDWNSYS *CMD *USE *EXECUTE
DSPBCKSTS QUSRSYS/QEZBACKUPL *USRIDX *USE *EXECUTE
DSPBCKUP QUSRSYS/QEZBACKUPL *USRIDX *USE *EXECUTE
DSPBCKUPL QUSRSYS/QEZBACKUPL *USRIDX *USE *EXECUTE
QUSRSYS/QEZBACKUPF *USRIDX *USE *EXECUTE
DSPPWRSCD *EXECUTE
EDTBCKUPL 1 QUSRSYS/QEZBACKUPL *USRIDX *CHANGE *EXECUTE
QUSRSYS/QEZBACKUPF *USRIDX *CHANGE *EXECUTE
4
ENDCLNUP ENDJOB *CMD *USE *EXECUTE
1
You must have *ALLOBJ or *SAVSYS special authority.
2
You must have *ALLOBJ, *SECADM, and *JOBCTL special authorities.
3
You must have *ALLOBJ and *SECADM special authorities.
4
You must have *JOBCTL special authority.
5
You must have *ALLOBJ special authority.
Optical Commands
Commands identified by (Q) are shipped with public authority *EXCLUDE.
Appendix C shows which IBM-supplied user profiles are authorized to the
command. The security officer can grant *USE authority to others.
Authority Needed
1
Command Referenced Object Object Library Optical Volume
ADDOPTCTG (Q) Optical Device *USE *EXECUTE
ADDOPTSVR (Q) Server CSI *USE *EXECUTE
4
CHGDEVOPT Optical Device *CHANGE, *OBJMGT *EXECUTE
CHGOPTA (Q)
CHGOPTVOL Root directory (/) of volume when changing the Text Description 5 *W N/A N/A
3
Optical Device *USE *EXECUTE *CHANGE
Server CSI *USE *EXECUTE
CPYOPT Optical Device *USE *EXECUTE *USE - Source Volume
*ALL - Target Volume
4
CRTDEVOPT Optical Device *EXECUTE *ALL - Target Volume
CVTOPTBKU Optical Device *USE *EXECUTE *ALL
1
Optical volumes are not actual system objects. The link between the optical volume and the authorization
list used to secure the volume is maintained by the optical support function.
2
There are seven options that can be invoked from the optical utilities that are not commands themselves.
These options and their required authorities to the optical volume are shown below.
Delete File: *CHANGE
Rename File: *CHANGE
Delete Directory: *CHANGE
Create Directory: *CHANGE
Rename Volume: *ALL
Release Held Optical File: *CHANGE
Save Held Optical File: *USE - Source Volume, *CHANGE - Target Volume
3
Authorization list management authority to the authorization list currently securing the optical volume is
needed to change the authorization list used to secure the volume.
4
To use this command, you must have *IOSYSCFG special authority.
5
This authority check is only made when the Optical media format is Universal Disk Format (UDF).
1
If you have *SPLCTL special authority, you do not need authority to the output queue. You do need
*EXECUTE authority, however, to the library for the outqueue.
2
You must be the owner of the output queue.
3
If you request to work with all output queues, your list display includes all the output queues in libraries
to which you have *EXECUTE authority.
4
You must have *ALLOBJ special authority to use this command.
Performance Commands
Commands identified by (Q) are shipped with public authority *EXCLUDE.
Appendix C shows which IBM-supplied user profiles are authorized to the
command. The security officer can grant *USE authority to others.
| Authority Needed
| Command Referenced Object For Object For Library
| ADDPEXDFN (Q) QUSRSYS/QAPEXDFN *FILE *OBJOPR, *ADD *EXECUTE
| ANZACCGRP (Q) Job description *USE *EXECUTE
| QPFR/QPTPAGA0 *PGM *USE *EXECUTE
| ANZBESTMDL (Q) Model library *EXECUTE, *ADD
| Job description *USE *EXECUTE
| QPFR/QCYRBCPP *PGM *USE *EXECUTE
| QPFR/QCYMBREX *PGM *USE *EXECUTE
| QPFR/QCYRBMN *PGM *USE *EXECUTE
| ANZDBF (Q) Application libraries that contain the *EXECUTE
| database files to be analyzed
| Job description *USE *EXECUTE
| QPFR/QPTANZDC *PGM *USE *EXECUTE
| ANZDBFKEY (Q) Job description *USE *EXECUTE
| QPFR/QPTANZKC *PGM *USE *EXECUTE
| ANZPGM (Q) Application libraries that contain the *EXECUTE
| programs to be analyzed
| Job description *USE *EXECUTE
| QPFR/QPTANZPC *PGM *USE *EXECUTE
2
| ANZPFRDTA (Q) Performance data *ADD, *READ
| QPFR/QACVPP *PGM *USE *EXECUTE
2
| ANZPFRDT2 (Q) Performance data *ADD, *READ
| QPFR/QAVCPP *PGM *USE *EXECUTE
1
| If the default library (QPEXDATA) is specified, authority to that library is not checked.
2
| Authority is needed to the library that contains the set of database files. Authority to the individual set of
| database files is not checked.
3
| To use this command, you must have *JOBCTL special authority.
4
| To use this command, you must have *SERVICE special authority.
1
The PSF/400 feature is required to use this command.
2
*IOSYSCFG special authority is required to use this command.
Problem Commands
Commands identified by (Q) are shipped with public authority *EXCLUDE.
Appendix C shows which IBM-supplied user profiles are authorized to the
command. The security officer can grant *USE authority to others.
Authority Needed
Command Referenced Object For Object For Library
ADDPRBACNE (Q) Filter *USE, *ADD *EXECUTE
ADDPRBSLTE (Q) Filter *USE, *ADD *EXECUTE
ANZPRB (Q) SNDSRVRQS command *USE *EXECUTE
CHGPRB (Q) *EXECUTE
CHGPRBACNE (Q) Filter *USE, *UPD *EXECUTE
CHGPRBSLTE (Q) Filter *USE, *UPD *EXECUTE
3
DLTPRB (Q) Command: DLTAPARDTA *USE *EXECUTE
DSPPRB Output file See General Rules on page 299 See General Rules on page 299
PTRINTDTA (Q)
| QRYPRBSTS (Q)
1
VFYCMN (Q) Line description *USE *EXECUTE
1
Controller description *USE *EXECUTE
1
Network ID *USE *EXECUTE
VFYOPT (Q) Device description *USE *EXECUTE
VFYTAP (Q) Device description *USE *EXECUTE
VFYPRT (Q) Device description *USE *EXECUTE
2
WRKPRB (Q) Line, controller, NWID (Network ID), and device based on problem analysis action *USE *EXECUTE
1
You need *USE authority to the communications object you are verifying.
2
You must have *USE authority to the SNDSRVRQS command to be able to report a problem.
3
You must have authority to DLTAPARDTA if you want the APAR data associated with the problem to be
deleted also. See DLTAPARDTA in the Service Commands-Authorities Needed table to determine
additional authorities that are needed.
1
When a program is in a debug operation, no further authority is needed for debug commands.
2
If you have *SERVICE special authority, you need only *USE authority to the program.
3
The DMPCLPGM command is requested from within a CL program that is already running. Because
authority to the library containing the program is checked at the time the program is called, authority to
the library is not checked again when the DMPCLPGM command is run.
4
Applies only to ILE programs.
5
The DB2 Universal Database for iSeries topic in the Information Center contains more information about
security requirements for SQL statements. See “Prerequisite and related information” on page xvi for
details.
6
To use individual operations, you need the authority required by the individual operation.
7
You must own the program or have *ALLOBJ and *SECADM special authorities.
Query Commands
Authority Needed
Command Referenced Object For Object For Library
ANZQRY Query definition *USE *EXECUTE
4
CHGQRYA
CRTQMFORM Query management form: REPLACE(*NO) *READ, *ADD, *EXECUTE
Query management form: REPLACE(*YES) *ALL *READ, *ADD, *EXECUTE
Source file *USE *EXECUTE
CRTQMQRY Query management query: REPLACE(*NO) *READ, *ADD, *EXECUTE
Query management query: REPLACE(*YES) *ALL *READ, *ADD, *EXECUTE
Source file *USE *EXECUTE
OVRDBF command *USE *EXECUTE
DLTQMFORM Query management form *OBJEXIST *EXECUTE
DLTQMQRY Query management query *OBJEXIST *EXECUTE
DLTQRY Query definition *OBJEXIST *EXECUTE
RTVQMFORM Query manager form *OBJEXIST *EXECUTE
Target source file *ALL *READ, *ADD, *EXECUTE
ADDPFM, CHGPFM, CLRPFM, CPYSRCF, CRTPRTF, CRTSRCPF, DLTF, DLTOVR, OVRDBF, RMVM commands *USE *EXECUTE
1
To run STRQM, you must have the authority required by the statements in the query. For example, to
insert a row in a table requires *OBJOPR, *ADD, and *EXECUTE authority to the table.
2
Ownership or some authority to the object is required.
3
To use individual operations, you must have the authority required by the individual operation.
4
To use this command, you must have *JOBCTL special authority.
1
QSH is an alias for the STRQSH CL command.
Authority Needed
Command Referenced Object For Object For Library
1
ANSQST (Q) Database file QAQAxxBQPY *READ *READ
1
ASKQST Database file QAQAxxBBPY or QAQAxxBQPY 1 *READ *READ
1
CHGQSTDB (Q) Database file QAQAxxBQPY *READ *READ
2
CRTQSTDB (Q) Database files *READ, *ADD, *EXECUTE
1
CRTQSTLOD (Q) Database file QAQAxxBQPY *READ *READ
1
DLTQST (Q) Database file QAQAxxBQPY *READ *READ
1
DLTQSTDB (Q) Database file QAQAxxBQPY *READ *READ
1
EDTQST (Q) Database file QAQAxxBQPY *READ *READ
2 1,3
LODQSTDB (Q) Database file QAQAxxBQPY *READ *READ, *ADD, *EXECUTE
4 1
STRQST Database file QAQAxxBBPY or QAQAxxBQPY 1 *READ *READ
1
WRKQST Database file QAQAxxBBPY or QAQAxxBQPY 1 *READ *USE
WRKCNTINF *EXECUTE
1
The “xx” portion of the file name is the index of the Question and Answer database being operated on by
the command. The index is a two-digit number in the range 00 to 99. To obtain the index for a particular
Question and Answer database, use the WRKCNTINF command.
2
The user profile running the command becomes the owner of newly created files, unless the OWNER
parameter of the user’s profile is *GRPPRF. Public authority for new files, except QAQAxxBBPY, is set to
*EXCLUDE. Public authority for QAQAxxBBPY is set to *READ.
3
Authority to the file is required only if loading a previously existing Question and Answer database.
4
The command displays the Question and Answer menu. To use individual options, you must have the
authority required by those options.
Reader Commands
Authority Needed
Command Referenced Object For Object For Library
STRDBRDR Message queue *OBJOPR, *ADD *EXECUTE
Database file *OBJOPR, *USE *EXECUTE
Job queue *READ *EXECUTE
STRDKTRDR Message queue *OBJOPR, *ADD *EXECUTE
Job queue *READ *EXECUTE
Device description *OBJOPR, *READ *EXECUTE
These commands do not require any authority to objects:
1
You must be the user who started the reader, or you must have all object (*ALLOBJ) or job control
(*JOBCTL) special authority.
1
Authority verified when the RDB directory entry is used.
Resource Commands
Authority Needed
Command Referenced Object For Object For Library
DSPHDWRSC
DSPSFWRSC Output file, if specified See General Rules on page 299 See General Rules on page 299
EDTDEVRSC
1
WRKHDWRSC
1
If you use the option to create a configuration object, you must have authority to use the appropriate CRT
command.
1
User profile QUSER requires authority to this object.
2
If the object is not found or the required authority is not held, an information message is sent and the
function of the command is still performed.
3
This authority is required to create job description QRJESSN.
4
This authority is only required when DLTCMN(*YES) is specified.
5
You must have *JOBCTL special authority.
6
Input files include those embedded using the .. READFILE control statement.
7
Refer to authority required for the SBMJOB command 358.
8
To use an individual operation, you must have the authority required by the operation.
1
You must have *SECADM special authority to use this command.
2
You must have *ALLOBJ special authority to use this command.
3
You must have *AUDIT special authority to use this command.
1
If the user profile for this operation is not *CURRENT or the current user for the job, you must have
*SECADM special authority and *OBJMGT and *USE authority to the profile.
Service Commands
Commands identified by (Q) are shipped with public authority *EXCLUDE.
Appendix C shows which IBM-supplied user profiles are authorized to the
command. The security officer can grant *USE authority to others.
Authority Needed
Command            Referenced Object                      For Object                      For Library
APYPTF (Q) 3       Product library                        *OBJMGT
CHGSRVA (Q) 3
CHKCMNTRC (Q) 4    *EXECUTE
CHKPRDOPT (Q)      All objects in product option
CMPPTFLVL (Q)      Output file                            See General Rules on page 299   See General Rules on page 299
                   Device description                     *USE                            *EXECUTE
                   QAPZ CMPL, if outfile does not exist   *OBJOPR, *READ
1 You need authority to the PRTERRLOG command for some analysis procedures or if the error log records
are being saved.
2 All restrictions for the RSTOBJ command also apply.
3 Service (*SERVICE) special authority is required to run this command.
4 The objects listed are used by the command, but authority to the objects is not checked. Authority to use
the command is sufficient to use the objects.
5 You need *USE authority to the communications object that you are verifying.
6 You must have *SPLCTL special authority to save a spooled file.
7 When SAVAPARDTA is run for a new problem, a unique APAR library is created for that problem. If you
run SAVAPARDTA again for the same problem to collect more information, you must have Use authority
to the APAR library for the problem.
8 The option to add a new member to an existing output file is not valid for this command.
9 This command has the same authorities and restrictions as the APYPTF command and the LODPTF
command.
10 To access options 1 and 3 on the "Select Reporting Option" display, you must have *USE authority to the
SNDSRVRQS command.
11 To use this command, you must have *SERVICE special authority, or be authorized to the Service Trace
function of OS/400 through Operations Navigator’s Application Administration support. The Change
Function Usage Information (QSYCHFUI) API, with a function ID of QIBM_SERVICE_TRACE, can also be
used to change the list of users that are allowed to perform trace operations.
1 To use an individual operation, you must have the authority required by the operation.
1 The sphere of control is physical file QUSRSYS/QAALSOC.
1 Users are always authorized to control their own spooled files.
2 To move a spooled file to the front of an output queue (PRTSEQ(*NEXT)) or change its priority to a value
greater than the limit specified in your user profile, you must have one of the authorities shown for the
output queue or have *SPLCTL special authority.
3 If you have *SPLCTL special authority, you do not need any authority to the output queue.
4 You must be the owner of the output queue.
5 You must have *USE authority to the recipient’s output queue and output queue library when sending a
file to a user on the same system.
6 If you have job control (*JOBCTL) special authority and the output queue is set to OPRCTL(*YES), you do
not need *EXECUTE authority to the library of the output queue.
7 If you have *SPLCTL special authority, you must have *EXECUTE authority to the target output queue
library.
1 You must have job control (*JOBCTL) special authority to use this command.
2 Requires some authority (anything but *EXCLUDE).
3 To use an individual operation, you must have the authority required by the operation.
4 The authority is needed to complete format checks of the display file. This helps predict that the display
will work correctly when the subsystem is started. When you are not authorized to the display file or its
library, those format checks will not be performed.
5 You must have *SECADM or *ALLOBJ special authority to specify a specific library for the subsystem
library.
6 You must have *ALLOBJ special authority to use this command.
System Commands
These commands do not require any object authorities:
CHGSHRPOOL    RCLRSC      SIGNOFF      WRKSYSSTS
DSPSYSSTS     RETURN      WRKSHRPOOL
ENDSYS 1      RTVGRPA
PWRDWNSYS 1
RCLACTGRP 1
1 You must have job control (*JOBCTL) special authority to use this command.
1 To change some system values, you must have *ALLOBJ and *SECADM special authority.
2 To change some system values, you must have *AUDIT special authority.
Authority Needed
Command       Referenced Object                             For Object                      For Library
CHGS36        S/36 configuration object QS36ENV             *UPD                            *EXECUTE
CHGS36A       S/36 configuration object QS36ENV             *UPD                            *EXECUTE
CHGS36PGMA    Program                                       *OBJMGT, *USE                   *EXECUTE
CHGS36PRCA    File QS36PRC                                  *OBJMGT, *USE                   *EXECUTE
CHGS36SRCA    Source                                        *OBJMGT, *USE                   *EXECUTE
CRTMSGFMNU    Menu: REPLACE(*NO)                                                            *READ, *ADD
              Menu: REPLACE(*YES)                           See General Rules on page 299   *READ, *ADD
              Display file if it exists                     *ALL                            *EXECUTE
              Message file                                  *USE                            *CHANGE
              Source file QS36SRC                           *ALL                            *EXECUTE
CRTS36DSPF    Display file: REPLACE(*NO)                                                    *READ, *ADD
              Display file: REPLACE(*YES)                   See General Rules on page 299   *READ, *ADD, *CHANGE
              To-file source file when TOMBR is not *NONE   *ALL                            *CHANGE
              Source file QS36SRC                           *USE                            *EXECUTE
              Create Display File (CRTDSPF) command         *OBJOPR                         *EXECUTE
1 You need *ALL authority to the document if replacing it. You need operational and all the data authorities
to the folder if restoring new information into the folders, or you need *ALLOBJ special authority.
2 If used for a data dictionary, only the authority to the command is required.
3 You must be enrolled in the system distribution directory if the source folder is a document folder.
Table Commands
Authority Needed
Command    Referenced Object    For Object    For Library
CRTTBL     Table                              *READ, *ADD, *EXECUTE
           Source file          *USE          *EXECUTE
1 To use an individual operation, you must have the authority required by the operation.
TCP/IP Commands
Commands identified by (Q) are shipped with public authority *EXCLUDE.
Appendix C shows which IBM-supplied user profiles are authorized to the
command. The security officer can grant *USE authority to others.
Authority Needed
Command          Referenced Object                  For Object    For Library
CVTTCPCL (Q)     File objects 4                     *USE          *EXECUTE
ENDTCP (Q)       Line description 4                 *USE          *EXECUTE
                 Controller description 4           *USE          *EXECUTE
                 Device description 4               *USE          *EXECUTE
                 File objects                       *USE          *EXECUTE
ENDTCPIFC (Q)    File objects 4                     *USE          *EXECUTE
                 Line description 4                 *USE          *EXECUTE
                 Controller description 4           *USE          *EXECUTE
                 Device description 4               *USE          *EXECUTE
ENDTCPPTP        Line description 4                 *USE          *EXECUTE
                 Controller description 4           *USE          *EXECUTE
                 Device description 4               *USE          *EXECUTE
                 File objects                       *USE          *EXECUTE
ENDTCPSRV (Q)    File objects                       *USE          *EXECUTE
FTP              File objects                       *USE          *EXECUTE
                 Table objects 2                    *USE          *EXECUTE
LPR              Workstation customizing object     *USE          *EXECUTE
SETVTTBL         Table objects 2                    *USE          *EXECUTE
SNDTCPSPLF       Workstation customizing object     *USE          *EXECUTE
STRTCP (Q)       File objects 4                     *USE          *EXECUTE
                 Line description 4                 *USE          *EXECUTE
                 Controller description 4           *USE          *EXECUTE
                 Device description                 *USE          *EXECUTE
STRTCPFTP        Table objects                      *USE          *EXECUTE
                 File objects                       *USE          *EXECUTE
1 You must have *IOSYSCFG special authority to use this command.
2 The SNDTCPSPLF command and the LPR command use the same combinations of referenced object
authorities as the SNDNETSPLF command. See page 416.
3 You must have *SECADM special authority to change the system alias table or another user profile’s alias
table.
4 If you have *JOBCTL special authority, you do not need the specified authority to the object.
5 If you have *JOBCTL special authority, you do not need the specified authority to the object on the remote
system.
Authority Needed
Command                     Referenced Object    For Object    For Library
ANZDFTPWD (Q) 3, 14, 15
ANZPRFACT (Q) 3, 14, 15
CHGACTPRFL (Q) 14
CHGACTSCDE (Q) 3, 14, 15
CHGDSTPWD 1
CHGEXPSCDE (Q) 3, 14, 15
1 This command can be run only if you are signed on as QSECOFR.
2 You need authority only to the objects for fields you are changing in the user profile.
3 *SECADM special authority is required.
4 *OBJMGT authority to the group profile cannot come from adopted authority.
5 The message queue associated with the user profile is deleted if it is owned by that user profile. To delete
the message queue, the user running the DLTUSRPRF command must have the authorities specified.
6 The display includes only user profiles to which the user running the command has the specified authority.
7 See the authorities required for the GRTOBJAUT command in “Commands Common for Most
Objects” on page 301.
8 *SAVSYS special authority is required.
9 If you select the option to delete objects owned by the user profile, you must have the necessary authority
for the delete operations. If you select the option to transfer ownership to another user profile, you must
have the necessary authority to the objects and to the target user profile. See the information for the
CHGOBJOWN command in “Commands Common for Most Objects” on page 301.
10 You must have *ALLOBJ special authority to specify ALWOBJDIF(*ALL).
11 You must have *AUDIT special authority.
12 The user whose profile is created is given these authorities to it: *OBJMGT, *OBJOPR, *READ, *ADD, *DLT,
*UPD, *EXECUTE.
13 To use an individual operation, you must have the authority required by the operation.
14 You must have *ALLOBJ special authority to use this command.
15 You must have *JOBCTL special authority to use this command.
1 To use this command, you must have *IOSYSCFG special authority.
2 QASPxx is either 01 (the system ASP) or 02-16, depending on which user ASP is needed. This is the directory
that contains the *BLKSF that is being mounted.
3 The directory that is mounted over (dir_to_be_mounted_over) is any IFS directory that can be mounted
over.
4 You must provide a path to some object. You must have *X authority for all directories in that path.
5 You must have *RX authority to the /etc/exports stream file and the directories in the /etc/exports path.
6 A UDFS can contain an entire subtree of EPFS objects, so when you delete a UDFS, you delete objects of all
types that can be stored in an EPFS file system.
7 When using the DLTUDFS command, you must have *OBJEXIST authority on every object in the UDFS or
no objects are deleted.
Writer Commands
                                       Authority Needed                         Output Queue Parameters
Command       Referenced Object        For Object           For Library   AUTCHK     OPRCTL    Special Authority
CHGWTR 2, 4   Current output queue 1   *READ, *ADD, *DLT    *EXECUTE      *DTAAUT
                                       Owner 3              *EXECUTE      *OWNER
                                                                                     *YES      *JOBCTL
ENDWTR        Output queue 1           *READ, *ADD, *DLT    *EXECUTE      *DTAAUT
                                       Owner 3              *EXECUTE      *OWNER
                                                                                     *YES      *JOBCTL
HLDWTR        Output queue 1           *READ, *ADD, *DLT    *EXECUTE      *DTAAUT
                                       Owner 3              *EXECUTE      *OWNER
                                                                                     *YES      *JOBCTL
RLSWTR        Output queue 1           *READ, *ADD, *DLT    *EXECUTE      *DTAAUT
                                       Owner 3              *EXECUTE      *OWNER
                                                                                     *YES      *JOBCTL
STRDKTWTR     Output queue 1           *READ, *ADD, *DLT    *EXECUTE      *DTAAUT
                                       Owner 3              *EXECUTE      *OWNER
                                                            *EXECUTE                 *YES      *JOBCTL
              Message queue            *OBJOPR, *ADD        *EXECUTE
              Device description       *OBJOPR, *READ
1 If you have *SPLCTL special authority, you do not need any authority to the output queue.
2 To change the output queue for the writer, you need one of the specified authorities for the new output
queue.
3 You must be the owner of the output queue.
4 You must have *EXECUTE authority to the new output queue’s library even if the user has *SPLCTL
special authority.
Note: The audit record for the save operation will identify if the save
was done with STG(*FREE).
• Change operation
APYJRNCHG     Apply Journaled Changes
3. A prompt override program displays the current values when prompting is requested for a command. For example, if you type
CHGUSRPRF USERA and press F4 (prompt), the Change User Profile display shows the current values for the USERA user
profile.
Note: Changes to access path recovery times are audited if the action auditing
(QAUDLVL) system value or the action auditing (AUDLVL) parameter in
the user profile includes *SYSMGT.
• Operations that are audited
CHGRCYAP      Change Recovery for Access Paths
EDTRCYAP      Edit Recovery for Access Paths
• Operations that are not audited
DSPRCYAP      Display Recovery for Access Paths
Note: Directory services actions are audited if the action auditing (QAUDLVL)
system value or the action auditing (AUDLVL) parameter in the user profile
includes *OFCSRV.
• Operations that are audited
Add           Adding new directory entries
Change        Changing directory entry details
Delete        Deleting directory entries
Rename        Renaming directory entries
Print         Displaying or printing directory entry details
              Displaying or printing department details
              Displaying or printing directory entries as the result of a search
RTVDIRE       Retrieve Directory Entry
Collect       Collecting directory entry data using directory shadowing
Supply        Supplying directory entry data using directory shadowing
• Operations that are not audited
CL commands   CL commands that work on the directory may be audited separately
              using the object auditing function.
Note: A read entry is written for the folder containing the documents.
• Change operation
ADDDLOAUT     Add DLO Authority
ADDOFCENR     Add Office Enrollment
CHGDLOAUD     Change DLO Auditing
CHGDLOAUT     Change DLO Authority
CHGDLOOWN     Change DLO Ownership
CHGDLOPGP     Change DLO Primary Group
CHGDOCD       Change Document Description
CHGDSTD       Change Distribution Description
CPYDOC 4      Copy Document
4. A change entry is written for both the document and the folder if the target of the operation is in a folder.
5. An audit record is written if object auditing is specified for the subsystem description (*SBSD).
If a library whose name begins with “AR” does not have any file
names beginning with “WRK”, no audit record is written for that
library.
• Change operation
Library list  Adding library to a library list
CHGLIB        Change Library
CLRLIB        Clear Library
MOVOBJ        Move Object
RNMOBJ        Rename Object
Add           Add object to library
Delete        Delete object from library
• Operations that are not audited
Note: Mail services actions are audited if the action auditing (QAUDLVL) system
value or the action auditing (AUDLVL) parameter in the user profile
includes *OFCSRV.
• Operations that are audited
Change        Changes to the system distribution directory
6. This is also audited if action auditing (QAUDLVL system value or AUDLVL user profile value) includes *SPLFDTA.
Note: Reply list actions are audited if the action auditing (QAUDLVL) system
value or the action auditing (AUDLVL) parameter in the user profile
includes *SYSMGT.
• Operations that are audited
ADDRPYLE      Add Reply List Entry
CHGRPYLE      Change Reply List Entry
RMVRPYLE      Remove Reply List Entry
WRKRPYLE      Work with Reply List Entry
• Operations that are not audited
None
Note: Spooled file actions are audited if the action auditing (QAUDLVL) system
value or the action auditing (AUDLVL) parameter in the user profile
includes *SPLFDTA.
• Operations that are audited
Access        Each access by any user that is not the owner of the spooled file,
              including:
              – CPYSPLF
              – DSPSPLF
              – SNDNETSPLF
              – SNDTCPSPLF
              – STRRMTWTR
              – QSPOPNSP API
Change        Changing any of the following spooled file attributes:
              – COPIES
              – DEV
              – FORMTYPE
              – RESTART
              – PAGERANGE
Create        Creating a spooled file using print operations
              Creating a spooled file using the QSPCRTSP API
Table 140 contains the layout for fields that are common to all entry types when
OUTFILFMT(*TYPE2) is specified on the DSPJRN command. This layout, which is
called QJORDJE2, is defined in the QADSPJR2 file in the QSYS library.
Note: *TYPE2 output formats are no longer updated; therefore, IBM recommends
that you stop using *TYPE2 formats and use only *TYPE4 formats.
Table 139 contains the layout for fields that are common to all entry types when
OUTFILFMT(*TYPE4) is specified on the DSPJRN command. This layout, which is
called QJORDJE4, is defined in the QADSPJR4 file in the QSYS library. The *TYPE4
output includes all of the *TYPE2 information, plus information about journal
identifiers, triggers, and referential constraints.
Tables 142 through 213 contain layouts for the model database outfiles provided to
define entry-specific data. You can use the CRTDUPOBJ command to create an
empty output file with the same layout as one of the model database outfiles. You
can use the DSPJRN command to copy selected entries from the audit journal to
the output file for analysis. “Analyzing Audit Journal Entries with Query or a
Program” on page 262 provides examples of using the model database outfiles. See
also the Journal Entry Information Appendix in the SC41-5304-05 book for detailed
descriptions of these fields.
Table 139. Standard Heading Fields for Audit Journal Entries. QJORDJE4 Record Format (*TYPE4)
Offset  Field                       Format       Description
1       Length of Entry             Zoned(5,0)   Total length of the journal entry including the entry length field.
6       Sequence Number             Zoned(10,0)  Applied to each journal entry. Initially set to 1 for each new or restored
                                                 journal. Optionally, reset to 1 when a new receiver is attached.
16      Journal Code                Char(1)      Always T.
17      Entry Type                  Char(2)      See Table 141 on page 491 for a list of entry types and descriptions.
19      Timestamp of Entry          Char(26)     Date and time that the entry was made in SAA® timestamp format.
45      Name of Job                 Char(10)     The name of the job that caused the entry to be generated.
55      User Name                   Char(10)     The user profile name associated with the job. 1
65      Job Number                  Zoned(6,0)   The job number.
71      Program Name                Char(10)     The name of the program that made the journal entry. This can also be
                                                 the name of a service program or the partial name of a class file used in
                                                 a compiled Java program. If an application program or CL program did
                                                 not cause the entry, the field contains the name of a system-supplied
                                                 program such as QCMD. The field has the value *NONE if one of the
                                                 following is true:
                                                 • The program name does not apply to this entry type.
                                                 • The program name was not available.
81      Object Name                 Char(10)     Used for journaled objects. Not used for audit journal entries.
91      Library Name                Char(10)     Used for journaled objects. Not used for audit journal entries.
101     Member Name                 Char(10)     Used for journaled objects. Not used for audit journal entries.
111     Count/RRN                   Zoned(10)    Used for journaled objects. Not used for audit journal entries.
121     Flag                        Char(1)      Used for journaled objects. Not used for audit journal entries.
122     Commit Cycle ID             Zoned(10)    Used for journaled objects. Not used for audit journal entries.
132     User Profile                Char(10)     The name of the current user profile. 1
142     System Name                 Char(8)      The name of the system.
150     Reserved                    Char(10)     Used for file journaling. Not used for audit journal entries.
160     Referential Constraint      Char(1)      Used for file journaling. Not used for audit journal entries.
161     Trigger                     Char(1)      Used for file journaling. Not used for audit journal entries.
162     (Reserved Area)             Char(8)
170     Null Value Indicators       Char(50)     Used for file journaling. Not used for audit journal entries.
220     Entry Specific Data Length  Binary(4)    Length of the entry specific data.
Note: The three fields beginning at offset 31 make up the system job name. In most cases, the User name
field at offset 41 and the User profile name field at offset 132 have the same value. For prestarted jobs, the
User profile name field contains the name of the user starting the transaction. For some jobs, both these
fields contain QSYS as the user name. The User profile name field in the entry-specific data contains the
actual user who caused the entry. If an API is used to swap user profiles, the User profile name field
contains the name of the new (swapped) user profile.
Table 140. Standard Heading Fields for Audit Journal Entries. QJORDJE2 Record Format (*TYPE2)
Offset  Field                       Format       Description
1       Length of Entry             Zoned(5,0)   Total length of the journal entry including the entry length field.
6       Sequence Number             Zoned(10,0)  Applied to each journal entry. Initially set to 1 for each new or restored
                                                 journal. Optionally, reset to 1 when a new receiver is attached.
16      Journal Code                Char(1)      Always T.
17      Entry Type                  Char(2)      See Table 141 on page 491 for a list of entry types and descriptions.
19      Timestamp                   Char(6)      The system date that the entry was made.
25      Time of entry               Zoned(6,0)   The system time that the entry was made.
31      Name of Job                 Char(10)     The name of the job that caused the entry to be generated.
41      User Name                   Char(10)     The user profile name associated with the job. 1
51      Job Number                  Zoned(6,0)   The job number.
57      Program Name                Char(10)     The name of the program that made the journal entry. This can also be
                                                 the name of a service program or the partial name of a class file used in
                                                 a compiled Java program. If an application program or CL program did
                                                 not cause the entry, the field contains the name of a system-supplied
                                                 program such as QCMD. The field has the value *NONE if one of the
                                                 following is true:
                                                 • The program name does not apply to this entry type.
                                                 • The program name was not available.
67      Object Name                 Char(10)     Used for journaled objects. Not used for audit journal entries.
77      Library Name                Char(10)     Used for journaled objects. Not used for audit journal entries.
87      Member Name                 Char(10)     Used for journaled objects. Not used for audit journal entries.
97      Count/RRN                   Zoned(10)    Used for journaled objects. Not used for audit journal entries.
107     Flag                        Char(1)      Used for journaled objects. Not used for audit journal entries.
108     Commit Cycle ID             Zoned(10)    Used for journaled objects. Not used for audit journal entries.
118     User Profile                Char(10)     The name of the current user profile. 1
128     System Name                 Char(8)      The name of the system.
136     (Reserved Area)             Char(20)
1 The three fields beginning at offset 31 make up the system job name. In most cases, the User name field at
offset 41 and the User profile name field at offset 118 have the same value. For prestarted jobs, the User profile
name field contains the name of the user starting the transaction. For some jobs, both these fields contain
QSYS as the user name. The User profile name field in the entry-specific data contains the actual user who
caused the entry. If an API is used to swap user profiles, the User profile name field contains the name of the
new (swapped) user profile.
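The two heading layouts above are easiest to work with once they are written down as offset tables and applied to a record. The following is an added example, not IBM code and not part of the manual: it decodes the standard heading fields of *TYPE2 and *TYPE4 outfile records using the offsets in Tables 139 and 140, and flags the case the tables' note describes, where the job's User Name and the current User Profile differ (prestarted jobs and profile swaps). It assumes the outfile has already been converted to text, so zoned fields are digit strings; the sample records, the user and system names in them, and all function names are constructed for illustration.

```python
"""Decode the standard heading of audit journal (QAUDJRN) entries written by
DSPJRN to an outfile in the QJORDJE2 (*TYPE2) or QJORDJE4 (*TYPE4) format.

Added example; not IBM code.  Offsets and lengths are the 1-based values from
Tables 139 and 140.  Records are handled as text already converted from
EBCDIC, so zoned fields are digit strings; the Binary(4) length field at
*TYPE4 offset 220 is left undecoded because text conversion corrupts binary
fields.  All sample records below are constructed for demonstration.
"""

# (field, 1-based offset, length, kind) with kind "char" or "zoned".
TYPE4_HEADER = [
    ("entry_length", 1, 5, "zoned"),
    ("sequence_number", 6, 10, "zoned"),
    ("journal_code", 16, 1, "char"),
    ("entry_type", 17, 2, "char"),
    ("timestamp", 19, 26, "char"),      # SAA timestamp, e.g. 2004-03-15-09.42.17.000000
    ("job_name", 45, 10, "char"),
    ("user_name", 55, 10, "char"),
    ("job_number", 65, 6, "zoned"),
    ("program_name", 71, 10, "char"),
    ("user_profile", 132, 10, "char"),  # current (possibly swapped) user profile
    ("system_name", 142, 8, "char"),
]
TYPE2_HEADER = [
    ("entry_length", 1, 5, "zoned"),
    ("sequence_number", 6, 10, "zoned"),
    ("journal_code", 16, 1, "char"),
    ("entry_type", 17, 2, "char"),
    ("date", 19, 6, "char"),
    ("time", 25, 6, "zoned"),
    ("job_name", 31, 10, "char"),
    ("user_name", 41, 10, "char"),
    ("job_number", 51, 6, "zoned"),
    ("program_name", 57, 10, "char"),
    ("user_profile", 118, 10, "char"),
    ("system_name", 128, 8, "char"),
]
# First byte of entry-specific data: 156 for *TYPE2 (the reserved Char(20) at
# 136 ends at 155) and 224 for *TYPE4 (the offset the AF table footnotes cite
# for the violation type byte).
LAYOUTS = {"*TYPE2": (TYPE2_HEADER, 156), "*TYPE4": (TYPE4_HEADER, 224)}


def parse_header(record, fmt="*TYPE4"):
    """Heading fields of one outfile record as a dict, plus the raw
    entry-specific data under "entry_specific"."""
    layout, spec_start = LAYOUTS[fmt]
    if len(record) < spec_start - 1:
        raise ValueError(f"record too short for {fmt}: {len(record)} characters")
    out = {"format": fmt}
    for name, off, length, kind in layout:
        raw = record[off - 1: off - 1 + length]
        out[name] = int(raw) if kind == "zoned" else raw.rstrip()
    if out["journal_code"] != "T":  # Tables 139/140: the journal code is always T
        raise ValueError(f"journal code {out['journal_code']!r}: not an audit journal entry")
    out["entry_specific"] = record[spec_start - 1:]
    return out


def job_user_differs(header):
    """True when the job's User Name and the current User Profile disagree.
    The tables' note says this happens for prestarted jobs and after a profile
    swap, so reporting should key on user_profile rather than user_name."""
    return header["user_name"] != header["user_profile"]


def build_record(fmt, values, specific=""):
    """Constructed sample record: blank-pad the heading, write the given
    field values at their offsets, then append the entry-specific data."""
    layout, spec_start = LAYOUTS[fmt]
    buf = bytearray(b" " * (spec_start - 1))
    for name, off, length, kind in layout:
        val = values.get(name, 0 if kind == "zoned" else "")
        text = f"{int(val):0{length}d}" if kind == "zoned" else str(val).ljust(length)
        if len(text) != length:
            raise ValueError(f"{name} does not fit in {length} characters")
        buf[off - 1: off - 1 + length] = text.encode("ascii")
    return buf.decode("ascii") + specific


# Constructed samples (names invented): a *TYPE4 entry from a prestarted server
# job whose current user was swapped to ALICE, and a *TYPE2 entry from an
# interactive job where both user fields agree.
SAMPLE_TYPE4 = build_record("*TYPE4", {
    "entry_length": 229, "sequence_number": 1843, "journal_code": "T",
    "entry_type": "AF", "timestamp": "2004-03-15-09.42.17.000000",
    "job_name": "QZDASOINIT", "user_name": "QUSER", "job_number": 123456,
    "program_name": "QZDASOINIT", "user_profile": "ALICE", "system_name": "SYSTEM01",
}, specific="A     ")
SAMPLE_TYPE2 = build_record("*TYPE2", {
    "entry_length": 155, "sequence_number": 77, "journal_code": "T",
    "entry_type": "AD", "date": "040315", "time": 94217,
    "job_name": "DSP01", "user_name": "ALICE", "job_number": 654321,
    "program_name": "QCMD", "user_profile": "ALICE", "system_name": "SYSTEM01",
})

if __name__ == "__main__":
    for rec, fmt in ((SAMPLE_TYPE4, "*TYPE4"), (SAMPLE_TYPE2, "*TYPE2")):
        h = parse_header(rec, fmt)
        print(fmt, h["entry_type"], h["job_name"], h["user_name"], h["user_profile"],
              "(user name and profile differ)" if job_user_differs(h) else "")
```

Keeping the layouts as data rather than hard-coded slices is what makes the *TYPE2/*TYPE4 difference a one-line switch, and the `journal_code` check rejects records from any journal other than the audit journal before any entry-specific decoding is attempted.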
AD Auditing changes
AF Authority failure
AP Obtaining adopted authority
CA Authority changes
CD Command string audit
CO Create object
CP User profile changed, created, or restored
CQ Change of *CRQD object
CU Cluster Operations
CV Connection verification
CY Cryptographic Configuration
DI Directory Services
DO Delete object
DS DST security password reset
EV System environment variables
GR Generic record
GS Socket description was given to another job
IP Interprocess Communication
IR IP Rules Actions
IS Internet security management
JD Change to user parameter of a job description
JS Actions that affect jobs
KF Key ring file
LD Link, unlink, or look up directory entry
ML Office services mail actions
NA Network attribute changed
ND APPN directory search filter violation
NE APPN end point filter violation
OM Object move or rename
OR Object restore
OW Object ownership changed
O1 (Optical Access) Single File or Directory
O2 (Optical Access) Dual File or Directory
O3 (Optical Access) Volume
PA Program changed to adopt authority
PG Change of an object’s primary group
PO Printed output
PS Profile swap
PW Invalid password
RA Authority change during restore
RJ Restoring job description with user profile specified
Table 142. AD (Auditing Change) Journal Entries. QASYADJE/J4 Field Description File
JE Offset  J4 Offset  Field                       Format      Description
157        225        Object Name                 Char(10)    Name of the object for which auditing was changed.
167        235        Library Name                Char(10)    Name of the library for the object.
177        245        Object Type                 Char(8)     The type of object.
185        253        Object Audit Value          Char(10)    The new value specified on the CHGOBJAUD command.
195        263        CHGUSRAUD *CMD              Char(1)     Y = Audit commands for this user.
196        264        CHGUSRAUD *CREATE           Char(1)     Y = Write an audit record when this user creates an object.
197        265        CHGUSRAUD *DELETE           Char(1)     Y = Write an audit record when this user deletes an object.
198        266        CHGUSRAUD *JOBDTA           Char(1)     Y = Write an audit record when this user changes a job.
199        267        CHGUSRAUD *OBJMGT           Char(1)     Y = Write an audit record when this user moves or renames an object.
200        268        CHGUSRAUD *OFCSRV           Char(1)     Y = Write an audit record when this user performs office functions.
201        269        CHGUSRAUD *PGMADP           Char(1)     Y = Write an audit record when this user obtains authority through
                                                              adopted authority.
202        270        CHGUSRAUD *SAVRST           Char(1)     Y = Write an audit record when this user saves or restores objects.
203        271        CHGUSRAUD *SECURITY         Char(1)     Y = Write an audit record when this user performs security-relevant
                                                              actions.
204        272        CHGUSRAUD *SERVICE          Char(1)     Y = Write an audit record when this user performs service functions.
205        273        CHGUSRAUD *SPLFDTA          Char(1)     Y = Write an audit record when this user manipulates spooled files.
206        274        CHGUSRAUD *SYSMGT           Char(1)     Y = Write an audit record when this user makes system management
                                                              changes.
207        275        CHGUSRAUD *OPTICAL          Char(1)     Y = Write an audit record when this user accesses optical devices.
208        276        (Reserved Area)             Char(19)
227        295        DLO Name                    Char(12)    Name of the DLO object for which auditing was changed.
239        307        (Reserved Area)             Char(8)
247        315        Folder Path                 Char(63)    Path of the folder.
310                   (Reserved Area)             Char(20)
           378        (Reserved Area)             Char(18)
           396        Object Name Length 1        Binary(4)   The length of the object name.
330        398        Object Name CCSID 1         Binary(5)   The coded character set identifier for the object name.
334        402        Object Name Country ID 1    Char(2)     The country ID for the object name.
336        404        Object Name Language ID 1   Char(3)     The language ID for the object name.
339        407        (Reserved area)             Char(3)
342        410        Parent File ID 1, 2         Char(16)    The file ID of the parent directory.
358        426        Object File ID 1, 2         Char(16)    The file ID of the object.
374        442        Object Name 1               Char(512)   The name of the object.
           954        Object File ID              Char(16)    The file ID of the object.
           970        ASP Name                    Char(10)    The name of the ASP device.
           980        ASP Number                  Char(5)     The number of the ASP device.
           985        Path Name CCSID             Binary(5)   The coded character set identifier for the absolute path name.
           989        Path Name Country ID        Char(2)     The country ID for the absolute path name.
           991        Path Name Language ID       Char(3)     The language ID for the absolute path name.
           994        Path Name Length            Binary(4)   The length of the absolute path name.
           997        Relative File ID 3          Char(16)    The relative file ID of the absolute path name.
           1013       Absolute Path Name 4        Char(5002)  The absolute path name of the object.
1 These fields are used only for objects in the QOpenSys, "root" file systems, and user-defined file systems.
2 An ID that has the left-most bit set and the rest of the bits zero indicates that the ID is NOT set.
3 When the absolute path name indicator (offset 996) is "N", this field will contain the relative file ID of the
path name. When the absolute path name indicator is "Y", this field will contain 16 bytes of hex zeroes.
4 This is a variable length field. The first two bytes contain the length of the path name.
Table 143. AF (Authority Failure) Journal Entries. QASYAFJE/J4 Field Description File
JE Offset  J4 Offset  Field                       Format      Description
185        253        Validation Error Action     Char(1)     Action taken after validation error detected, set only if
                                                              the violation type (offset 156) is C.
                                                              A  The translation of the object was not attempted or it failed.
                                                                 The QALWOBJRST system value setting allowed the object to
                                                                 be restored. The user doing the restore did not have *ALLOBJ
                                                                 special authority and the system security level is set to 10,
                                                                 20, or 30. Therefore, all authorities to the object were retained.
                                                              B  The translation of the object was not attempted or it failed.
                                                                 The QALWOBJRST system value setting allowed the object to
                                                                 be restored. The user doing the restore did not have *ALLOBJ
                                                                 special authority and the system security level is set to 40 or
                                                                 above. Therefore, all authorities to the object were revoked.
                                                              C  The translation of the object was successful. The translated
                                                                 copy was restored on the system.
                                                              D  The translation of the object was not attempted or it failed.
                                                                 The QALWOBJRST system value setting allowed the object to
                                                                 be restored. The user doing the restore had *ALLOBJ special
                                                                 authority. Therefore, all authorities to the object were retained.
                                                              E  System install time error detected.
                                                              F  The object was not restored because the signature is not
                                                                 OS/400 format.
186        254        Job Name                    Char(10)    The name of the job.
196        264        User Name                   Char(10)    The job user name.
206        274        Job Number                  Zoned(6,0)  The job number.
212        280        Program Name                Char(10)    The name of the program.
222        290        Program Library             Char(10)    The name of the library where the program is found.
232        300        User Profile 2              Char(10)    The name of the user that caused the authority failure.
242        310        Work Station Name           Char(10)    The name of the work station or work station type.
252        320        Program Instruction Number  Zoned(7,0)  The instruction number of the program.
259        327        Field name                  Char(10)    The name of the field.
269        337        Operation Violation Code    Char(3)     The type of operation violation that occurred, set only
                                                              if the violation type (offset 224) is X.
                                                              HCA  Service tool user profile not authorized to perform
                                                                   hardware configuration operation (QYHCHCOP).
272        340        Office User                 Char(10)    The name of the office user.
282        350        DLO Name                    Char(12)    The name of the document library object.
294        362        (Reserved Area)             Char(8)
302        370        Folder Path                 Char(63)    The path of the folder.
365        433        Office on Behalf of User    Char(10)    User working on behalf of another user.
375                   (Reserved Area)             Char(20)
           443        (Reserved Area)             Char(18)
           461        Object Name Length 3        Binary(4)   The length of the object name.
395        463        Object Name CCSID 3         Binary(5)   The coded character set identifier for the object name.
399        467        Object Name Country ID 3    Char(2)     The country ID for the object name.
401        469        Object Name Language ID 3   Char(3)     The language ID for the object name.
404        472        (Reserved area)             Char(3)
407        475        Parent File ID 3, 4         Char(16)    The file ID of the parent directory.
423        491        Object File ID 3, 4         Char(16)    The file ID of the object.
439        507        Object Name 3, 6            Char(512)   The name of the object.
           1019       Object File ID              Char(16)    The file ID of the object.
           1035       ASP Name                    Char(10)    The name of the ASP device.
           1045       ASP Number                  Char(5)     The number of the ASP device.
           1050       Path Name CCSID             Binary(5)   The coded character set identifier for the absolute path name.
           1054       Path Name Country ID        Char(2)     The country ID for the absolute path name.
           1056       Path Name Language ID       Char(3)     The language ID for the absolute path name.
           1059       Path Name Length            Binary(4)   The length of the absolute path name.
           1061       Path Name Indicator         Char(1)     The absolute path name indicator:
                                                              Y  The Absolute Path Name field contains an absolute path
                                                                 name for the object.
                                                              N  The Absolute Path Name field does not contain an absolute
                                                                 path name for the object.
           1062       Relative File ID 8          Char(16)    The relative file ID of the absolute path name.
           1078       Absolute Path Name 9        Char(5002)  The absolute path name of the object.
1 When the violation type is "G", the object name contains the name of the *SRVPGM that contained the
exit that detected the error. For more information about the violation types, see Table 115 on page 244.
2 This field contains the name of the user that caused the entry. QSYS may be the user for the following:
• offsets 41 and 118 for *TYPE2 records
• offsets 55 and 132 for *TYPE4 records
3 These fields are used only for objects in the QOpenSys file system, the "root" file system, user-defined file
systems, and QFileSvr.400.
4 An ID that has the left-most bit set and the rest of the bits zero indicates that the ID is NOT set.
5 When the violation type is "T", the object name contains the TCP/IP port the user is not authorized to use.
The value is left justified and blank filled. The object library and object type fields will be blank.
6 When the violation type is O, the optical object name is contained in the IFS object name field. The country
ID, language ID, parent file ID, and object file ID fields will all contain blanks.
7 The Java class object being created may not extend its base class because the base class has system Java
attributes.
8 When the absolute path name indicator (offset 1061) is "N", this field will contain the relative file ID of the
path name. When the absolute path name indicator is "Y", this field will contain 16 bytes of hex zeroes.
9 This is a variable length field. The first 2 bytes contain the length of the path name.
Table 144. AP (Adopted Authority) Journal Entries. QASYAPJE/J4 Field Description File
JE Offset | J4 Offset | Field | Format | Description
157 | 225 | Object Name | Char(10) | The name of the program, service program, or SQL package.
167 | 235 | Library Name | Char(10) | The name of the library.
177 | 245 | Object Type | Char(8) | The type of object.
185 | 253 | Owning User Profile | Char(10) | The name of the user profile whose authority is adopted.
195 | 263 | Object File ID | Char(16) | The file ID of the object.
- | 279 | ASP Name | Char(10) | The name of the ASP device.
- | 289 | ASP Number | Char(5) | The number of the ASP device.
Table 145. CA (Authority Changes) Journal Entries. QASYCAJE/J4 Field Description File
JE Offset | J4 Offset | Field | Format | Description
- | 1041 | Relative File ID (note 3) | Char(16) | The relative file ID of the absolute path name.
- | 1057 | Absolute Path Name (note 4) | Char(5002) | The absolute path name of the object.
Notes:
1. These fields are used only for objects in the QOpenSys file system, the "root" file system, user-defined file systems, and QFileSvr.400.
2. An ID that has the left-most bit set and the rest of the bits zero indicates that the ID is NOT set.
3. When the path name indicator (offset 1040) is "N", this field will contain the relative file ID of the path name. When the path name indicator is "Y", this field will contain 16 bytes of hex zeroes.
4. This is a variable length field. The first 2 bytes contain the length of the path name.
186 | 254 | Command string | Char(6000) | The command that was run, with parameters.
Table 147. CO (Create Object) Journal Entries. QASYCOJE/J4 Field Description File
JE Offset | J4 Offset | Field | Format | Description
356 | 424 | Object File ID (notes 1, 2) | Char(16) | The file ID of the object.
372 | 440 | Object Name (note 1) | Char(512) | The name of the object.
- | 952 | Object File ID | Char(16) | The file ID of the object.
- | 968 | ASP Name | Char(10) | The name of the ASP device.
- | 978 | ASP Number | Char(5) | The number of the ASP device.
- | 983 | Path Name CCSID | Binary(5) | The coded character set identifier for the absolute path name.
- | 987 | Path Name Country ID | Char(2) | The country ID for the absolute path name.
- | 989 | Path Name Language ID | Char(3) | The language ID for the absolute path name.
- | 992 | Path Name Length | Binary(4) | The length of the absolute path name.
- | 994 | Path Name Indicator | Char(1) | The absolute path name indicator:
    Y  The Absolute Path Name field contains an absolute path name for the object.
    N  The Absolute Path Name field does not contain an absolute path name for the object.
- | 995 | Relative File ID (note 3) | Char(16) | The relative file ID of the absolute path name.
- | 1011 | Absolute Path Name (note 4) | Char(5002) | The absolute path name of the object.
Notes:
1. These fields are used only for objects in the QOpenSys and "root" file systems and in user-defined file systems.
2. An ID that has the left-most bit set and the rest of the bits zero indicates that the ID is NOT set.
3. When the path name indicator (offset 994) is "N", this field will contain the relative file ID of the path name. When the path name indicator is "Y", this field will contain 16 bytes of hex zeroes.
4. This is a variable length field. The first 2 bytes contain the length of the path name.
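The path-name block that closes Table 147 (object file ID, ASP name and number, path CCSID, country and language IDs, a length, the Y/N indicator, a relative file ID and the variable-length absolute path name with its 2-byte length prefix) has the same layout in Tables 143, 145, 154, 160, 164, 165 and 170. The following decoder for that block in a raw QASYCOJ4 record is an added example written for this page; it is not IBM code. It assumes the record bytes as stored in the outfile, Char fields in EBCDIC CCSID 37 (the real CCSID is whatever the outfile carries), big-endian Binary fields, and the constructed sample record it builds itself; the field names, function names, CCSID-to-codec mapping and sample values are the example's own.

```python
"""Decode the IFS path-name block of a CO (Create Object) J4 audit entry,
using the offsets from Table 147 (QASYCOJ4).

Added example, not IBM code. Assumptions: raw J4 record bytes, Char fields
in EBCDIC CCSID 37, big-endian Binary fields, 1-based offsets as printed."""
import struct
from dataclasses import dataclass
from typing import Optional

RECORD_CCSID = "cp037"  # assumption for the constructed sample record

# Python codec for each path CCSID this example understands (assumption).
CCSID_CODECS = {37: "cp037", 500: "cp500", 1208: "utf-8", 1200: "utf-16-be", 13488: "utf-16-be"}

# (1-based offset, byte length) from Table 147. Binary(5) occupies 4 bytes
# and Binary(4) 2 bytes; the printed offsets (983 -> 987, 992 -> 994) agree.
CO_PATH_FIELDS = {
    "object_file_id":   (952, 16),
    "asp_name":         (968, 10),
    "asp_number":       (978, 5),
    "path_ccsid":       (983, 4),
    "path_country_id":  (987, 2),
    "path_language_id": (989, 3),
    "path_length":      (992, 2),
    "path_indicator":   (994, 1),
    "relative_file_id": (995, 16),
    "absolute_path":    (1011, 5002),  # variable length, 2-byte length prefix (note 4)
}

def raw_field(rec: bytes, name: str) -> bytes:
    """Return the fixed-width bytes of a field, checking the record is long enough."""
    off, ln = CO_PATH_FIELDS[name]
    start = off - 1
    if len(rec) < start + ln:
        raise ValueError(f"record too short for {name} (need {start + ln} bytes)")
    return rec[start:start + ln]

def file_id_is_set(fid: bytes) -> bool:
    """Note 2: left-most bit set and every other bit zero means the ID is NOT set."""
    return not (len(fid) == 16 and fid[0] == 0x80 and not any(fid[1:]))

@dataclass
class CoPathInfo:
    object_file_id: Optional[str]    # hex string, or None when the ID is not set
    asp_name: str
    asp_number: str
    path_ccsid: int
    path_country_id: str
    path_language_id: str
    path_length: int                 # value of the Binary(4) field at offset 992
    is_absolute: bool                # indicator Y
    relative_file_id: Optional[str]  # hex string, only when the indicator is N
    path: str

def decode_co_path_block(rec: bytes) -> CoPathInfo:
    def text(name: str) -> str:
        return raw_field(rec, name).decode(RECORD_CCSID).rstrip()

    indicator = text("path_indicator")
    if indicator not in ("Y", "N"):
        raise ValueError(f"bad path name indicator {indicator!r}")
    (ccsid,) = struct.unpack(">I", raw_field(rec, "path_ccsid"))
    (declared_len,) = struct.unpack(">H", raw_field(rec, "path_length"))
    codec = CCSID_CODECS.get(ccsid)
    if codec is None:
        raise ValueError(f"unsupported path CCSID {ccsid}")
    # Note 4: the Char(5002) field is variable length; its first 2 bytes hold
    # the byte count of the path that follows. Bound the prefix before using it.
    start = CO_PATH_FIELDS["absolute_path"][0] - 1
    if len(rec) < start + 2:
        raise ValueError("record ends before the Absolute Path Name field")
    (plen,) = struct.unpack(">H", rec[start:start + 2])
    if plen > 5000 or len(rec) < start + 2 + plen:
        raise ValueError("path length prefix exceeds the record")
    fid = raw_field(rec, "object_file_id")
    rel = raw_field(rec, "relative_file_id")
    return CoPathInfo(
        object_file_id=fid.hex() if file_id_is_set(fid) else None,
        asp_name=text("asp_name"),
        asp_number=text("asp_number"),
        path_ccsid=ccsid,
        path_country_id=text("path_country_id"),
        path_language_id=text("path_language_id"),
        path_length=declared_len,
        is_absolute=(indicator == "Y"),
        # Note 3: when the indicator is Y this field holds 16 bytes of hex zeroes.
        relative_file_id=rel.hex() if indicator == "N" else None,
        path=rec[start + 2:start + 2 + plen].decode(codec),
    )

def build_sample_co_record(path: str, absolute: bool = True) -> bytes:
    """Constructed sample record (not real journal data): EBCDIC blanks up to
    offset 1011, then the Table 147 path-name block for `path`."""
    rec = bytearray(b"\x40" * (CO_PATH_FIELDS["absolute_path"][0] - 1))
    def put(name: str, data: bytes) -> None:
        off, ln = CO_PATH_FIELDS[name]
        assert len(data) <= ln
        rec[off - 1:off - 1 + len(data)] = data
    def enc(s: str) -> bytes:
        return s.encode(RECORD_CCSID)
    encoded_path = enc(path)
    put("object_file_id", bytes.fromhex("00" * 15 + "2a"))  # a set ID (constructed value)
    put("asp_name", enc("*SYSBAS"))
    put("asp_number", enc("00001"))
    put("path_ccsid", struct.pack(">I", 37))
    put("path_country_id", enc("US"))
    put("path_language_id", enc("ENU"))
    put("path_length", struct.pack(">H", len(encoded_path)))
    put("path_indicator", enc("Y" if absolute else "N"))
    put("relative_file_id", bytes(16) if absolute else bytes.fromhex("00" * 15 + "07"))
    rec += struct.pack(">H", len(encoded_path)) + encoded_path
    return bytes(rec)
```

The decoder applies notes 2 to 4 literally: an object file ID of X'80' followed by fifteen zero bytes is reported as not set, the relative file ID is returned only when the indicator is N, and the path is read through its own 2-byte length prefix, which is range-checked against both the Char(5002) maximum and the record length before any bytes are decoded.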
Table 148. CP (User Profile Changes) Journal Entries. QASYCPJE/J4 Field Description File
JE Offset | J4 Offset | Field | Format | Description
157 | 225 | User Profile Name | Char(10) | The name of the user profile that was changed.
167 | 235 | Library Name | Char(10) | The name of the library.
177 | 245 | Object Type | Char(8) | The type of object.
185 | 256 | Command Name | Char(3) | The type of command used:
    CRT  CRTUSRPRF
    CHG  CHGUSRPRF
    RST  RSTUSRPRF
    DST  QSECOFR password reset using DST

157 | 225 | Object Name | Char(10) | The name of the object that was changed.
167 | 235 | Library Name | Char(10) | The name of the object library.
177 | 245 | Object Type | Char(8) | The type of object.
Table 150. CU (Cluster Operations) Journal Entries. QASYCUJ4 Field Description File
JE Offset | J4 Offset | Field | Format | Description
N/A | 1 | Heading fields common to all entry types | | See Table 139 on page 489 for field listing.
N/A | 224 | Entry Type | Char(1) | The type of entry:
    M  Cluster control operation
    R  Cluster Resource Group (*GRP) management operation
N/A | 231 | CRG Object Name | Char(10) | The Cluster Resource Group object name. Note: This value is filled in when the entry type is R.
N/A | 241 | CRG Library Name | Char(10) | The Cluster Resource Group object library. Note: This value is filled in when the entry type is R.
Table 151. CV (Connection Verification) Journal Entries. QASYCVJ4 Field Description File
JE Offset | J4 Offset | Field | Format | Description
N/A | 1 | Heading fields common to all entry types | | See Table 139 on page 489 for field listing.
N/A | 224 | Entry Type | Char(1) | The type of entry:
    C  Connection established
    E  Connection ended
    R  Connection rejected
N/A | 225 | Action | Char(1) | Action taken for the connection type:
    (blank)  Connection established or ended normally. Used for Entry Type C or E.
    A  Peer was not authenticated. Used for Entry Type E or R.
    C  No response from the authentication server. Used for Entry Type R.
    L  LCP configuration error. Used for Entry Type R.
    N  NCP configuration error. Used for Entry Type R.
    P  Password is not valid. Used for Entry Type E or R.
    R  Authentication was rejected by peer. Used for Entry Type R.
    T  L2TP configuration error. Used for Entry Type E or R.
    U  User is not valid. Used for Entry Type E or R.
N/A | 226 | Point to Point Profile Name | Char(10) | The point to point profile name.
Table 152. CY (Cryptographic Configuration) Journal Entries. QASYCYJ4 Field Description File
JE Offset | J4 Offset | Field | Format | Description
N/A | 1 | Heading fields common to all entry types | | See Table 140 on page 490 and Table 139 on page 489 for field listing.
N/A | 224 | Entry Type | Char(1) | The type of entry:
    A  Access Control function
    F  Facility Control function
    M  Master Key function

N/A | 1 | Heading fields common to all entry types | | See Table 140 on page 490 and Table 139 on page 489 for field listing.
N/A | 224 | Entry Type | Char(1) | The type of entry:
    L  LDAP Operation
N/A | 229 | Configuration Change Code | Char(1) | Code for configuration changes. This field is used only if the operation type (offset 225) is CF:
    A  Item added to configuration
    D  Item deleted from configuration
    M  Item modified
N/A | 230 | Propagate Flag | Char(1) | Indicates the new setting of the owner or ACL propagate value. This field is used only if the operation type (offset 225) is CA or OW:
    T  True
    F  False
N/A | 231 | Bind Authentication Choice | Char(20) | The bind authentication choice. This field is used only if the operation type (offset 225) is BN.
N/A | 251 | LDAP Version | Char(4) | Version of the client making the request. This field is used only if the operation was done through the LDAP server:
    2  LDAP Version 2
    3  LDAP Version 3
N/A | 255 | SSL Indicator | Char(1) | Indicates if SSL was used on the request. This field is used only if the operation was done through the LDAP server:
    0  No
    1  Yes
N/A | 256 | Request Type | Char(1) | The type of request. This field is used only if the operation was done through the LDAP server:
    A  Authenticated
    N  Anonymous
    U  Unauthenticated
N/A | 257 | Connection ID | Char(20) | Connection ID of the request. This field is used only if the operation was done through the LDAP server.
N/A | 277 | Client IP Address | Char(50) | IP address and port number of the client request. This field is used only if the operation was done through the LDAP server.
N/A | 327 | User Name CCSID | Bin(5) | The coded character set identifier of the user name.
N/A | 331 | User Name Length | Bin(4) | The length of the user name.
N/A | 333 | User Name (note 1) | Char(2002) | The name of the LDAP user.
N/A | 2335 | Object Name CCSID | Bin(5) | The coded character set identifier of the object name.
N/A | 2339 | Object Name Length | Bin(4) | The length of the object name.
N/A | 2341 | Object Name (note 1) | Char(2002) | The name of the LDAP object.
N/A | 4343 | Owner Name CCSID | Bin(5) | The coded character set identifier of the owner name. This field is used only if the operation type (offset 225) is OW.
N/A | 4347 | Owner Name Length | Bin(4) | The length of the owner name. This field is used only if the operation type is OW.
N/A | 4349 | Owner Name (note 1) | Char(2002) | The name of the owner. This field is used only if the operation type (offset 225) is OW.
N/A | 6351 | New Name CCSID | Bin(5) | The coded character set identifier of the new name. This field is used only if the operation type (offset 225) is OM, OW, ZC, or AF+M.
    - For operation type OM, this field will contain the CCSID of the new object name.
    - For operation type OW, this field will contain the CCSID of the new owner name.
    - For operation types ZC or AF+M, this field will contain the CCSID of the list of changed attribute types in the New Name field.
N/A | 6355 | New Name Length | Bin(4) | The length of the new name. This field is used only if the operation type (offset 225) is OM, OW, ZC, or AF+M.
    - For operation type OM, this field will contain the length of the new object name.
    - For operation type OW, this field will contain the length of the new owner name.
    - For operation types ZC or AF+M, this field will contain the length of the list of changed attribute types in the New Name field.
N/A | 6357 | New Name (note 1) | Char(2002) | The new name. This field is used only if the operation type (offset 225) is OM, OW, ZC, or AF+M.
    - For operation type OM, this field will contain the new object name.
    - For operation type OW, this field will contain the new owner name.
    - For operation types ZC or AF+M, this field will contain a list of changed attribute types.
N/A | 8359 | Object File ID (note 2) | Char(16) | The file ID of the object for export.
N/A | 8375 | ASP Name (note 2) | Char(10) | The name of the ASP device.
N/A | 8385 | ASP Number (note 2) | Char(5) | The number of the ASP device.
N/A | 8390 | Path Name CCSID (note 2) | Bin(5) | The coded character set identifier of the absolute path name.
N/A | 8394 | Path Name Country ID (note 2) | Char(2) | The country ID of the absolute path name.
N/A | 8396 | Path Name Language ID (note 2) | Char(3) | The language ID of the absolute path name.
N/A | 8399 | Path Name Length (note 2) | Bin(4) | The length of the absolute path name.
N/A | 8401 | Path Name Indicator (note 2) | Char(1) | The absolute path name indicator:
    Y  The Absolute Path Name field contains an absolute path name for the object.
    N  The Absolute Path Name field does not contain an absolute path name for the object.
N/A | 8402 | Relative File ID (notes 2, 3) | Char(16) | The relative file ID of the absolute path name.
N/A | 8418 | Absolute Path Name (notes 1, 2) | Char(5002) | The absolute path name of the object.
Notes:
1. This is a variable length field. The first 2 bytes contain the length of the value in the field.
2. These fields are used only if the operation type (offset 225) is EX or IM.
3. When the path name indicator (offset 8401) is "N", this field will contain the relative file ID of the path name. When the path name indicator is "Y", this field will contain 16 bytes of hex zeroes.
Table 154. DO (Delete Operation) Journal Entries. QASYDOJE/J4 Field Description File
JE Offset | J4 Offset | Field | Format | Description
- | 989 | Path Name Language ID | Char(3) | The language ID for the absolute path name.
- | 992 | Path Name Length | Binary(4) | The length of the absolute path name.
- | 994 | Path Name Indicator | Char(1) | The absolute path name indicator:
    Y  The Absolute Path Name field contains an absolute path name for the object.
    N  The Absolute Path Name field does not contain an absolute path name for the object.
- | 995 | Relative File ID (note 3) | Char(16) | The relative file ID of the absolute path name.
- | 1011 | Absolute Path Name (note 4) | Char(5002) | The absolute path name of the object.
Notes:
1. These fields are used only for objects in the QOpenSys and "root" file systems and in user-defined file systems.
2. An ID that has the left-most bit set and the rest of the bits zero indicates that the ID is NOT set.
3. When the path name indicator (offset 994) is "N", this field will contain the relative file ID of the path name. When the path name indicator is "Y", this field will contain 16 bytes of hex zeroes.
4. This is a variable length field. The first 2 bytes contain the length of the path name.
Table 155. DS (DST Password Reset) Journal Entries. QASYDSJE/J4 Field Description File
JE Offset | J4 Offset | Field | Format | Description
158 | 226 | DST Profile Type | Char(10) | The type of DST profile:
    *SECURITY
    *FULL
    *BASIC
168 | 236 | DST New Profile | Char(8) | The name of the DST profile.
176 | 244 | DST Password Change | Char(1) | Request to change the DST password:
    Y  Request to change DST password.
N/A | 245 | DST New Profile | Char(10) | The name of the DST profile.
N/A | 255 | DST Requesting Profile | Char(10) | The name of the DST profile that requested the change.
Table 156. EV (Environment Variable) Journal Entries. QASYEVJ4 Field Description File
JE Offset | J4 Offset | Field | Format | Description
N/A | 1 | Heading fields common to all entry types | | See Table 139 on page 489 for field listing.
N/A | 225 | Name Truncated | Char(1) | Indicates whether the environment variable name (offset 232) is truncated:
    Y  Environment variable name truncated.
    N  Environment variable name not truncated.
N/A | 226 | CCSID | Binary(5) | The CCSID of the environment variable name.
N/A | 230 | Length | Binary(4) | The length of the environment variable name.
N/A | 232 | Environment Variable Name (note 2) | Char(1002) | The name of the environment variable.
N/A | 1234 | New Name Truncated (note 1) | Char(1) | Indicates whether the new environment variable name (offset 1241) is truncated:
    Y  Environment variable value truncated.
    N  Environment variable value not truncated.
N/A | 1235 | New Name CCSID (note 1) | Binary(5) | The CCSID of the new environment variable name.
N/A | 1239 | New Name Length (note 1) | Binary(4) | The length of the new environment variable name.
N/A | 1241 | New Environment Variable Name (notes 1, 2) | Char(1002) | The new environment variable name.
Notes:
1. These fields are used when the entry type is C.
2. This is a variable length field. The first two bytes contain the length of the environment variable name.
Table 157. GR (Generic Record) Journal Entries. QASYGRJ4 Field Description File
JE Offset | J4 Offset | Field | Format | Description
N/A | 1 | Heading fields common to all entry types | | See Table 139 on page 489 for field listing.
N/A | 224 | Entry Type | Char(1) | The type of entry:
    A  Exit program added
    D  Exit program removed
    F  Function registration operations
    R  Exit program replaced
N/A | 225 | Action | Char(2) | The action performed:
    ZC  Change
    ZR  Read
N/A | 561 | Field 4 CCSID | Binary(5) | The CCSID value for field 4.
N/A | 565 | Field 4 Length | Binary(4) | The length of the data in field 4.
N/A | 567 | Field 4 | Char(100) | Field 4 data.
Table 158. GS (Give Descriptor) Journal Entries. QASYGSJE/J4 Field Description File
JE Offset | J4 Offset | Field | Format | Description
185 | 253 | New Group | Char(10) | Group associated with IPC entity.
195 | 263 | Old Group | Char(10) | Previous group associated with IPC entity.
205 | 273 | Group Authority | Char(3) | Group's authority to IPC entity:
    *R   read
    *W   write
    *RW  read and write
Table 160. IR (IP Rules Actions) Journal Entries. QASYIRJ4 Field Description File
JE Offset | J4 Offset | Field | Format | Description
N/A | 1 | Heading fields common to all entry types | | See Table 139 on page 489 for field listing.
N/A | 224 | Entry Type | Char(1) | The type of entry:
    L  IP rules have been loaded from a file.
    N  IP rules have been unloaded for an IP Security connection.
    P  IP rules have been loaded for an IP Security connection.
    R  IP rules have been read and copied to a file.
    U  IP rules have been unloaded (removed).
N/A | 225 | File Name | Char(10) | The name of the QSYS file used to load or receive the IP rules. This value is blank if the file used was not in the QSYS file system.
N/A | 235 | File Library | Char(10) | The name of the QSYS file library.
N/A | 245 | Reserved | Char(18) |
N/A | 263 | File Name Length | Binary(4) | The length of the file name.
N/A | 265 | File Name CCSID (note 1) | Binary(5) | The coded character set identifier for the file name.
N/A | 269 | File Country ID (note 1) | Char(2) | The country ID for the file name.
N/A | 271 | File Language ID (note 1) | Char(3) | The language ID for the file name.
N/A | 274 | Reserved | Char(3) |
N/A | 277 | Parent File ID (notes 1, 2) | Char(16) | The file ID of the parent directory.
N/A | 293 | Object File ID (notes 1, 2) | Char(16) | The file ID of the file.
N/A | 309 | File Name (note 1) | Char(512) | The name of the file.
N/A | 821 | Connection sequence | Char(40) | The connection name.
N/A | 861 | Object File ID | Char(16) | The file ID of the object.
N/A | 877 | ASP Name | Char(10) | The name of the ASP device.
N/A | 887 | ASP Number | Char(5) | The number of the ASP device.
N/A | 892 | Path Name CCSID | Binary(5) | The coded character set identifier for the absolute path name.
N/A | 896 | Path Name Country ID | Char(2) | The country ID for the absolute path name.
N/A | 898 | Path Name Language ID | Char(3) | The language ID for the absolute path name.
N/A | 901 | Path Name Length | Binary(4) | The length of the absolute path name.
N/A | 903 | Path Name Indicator | Char(1) | The absolute path name indicator:
    Y  The Absolute Path Name field contains an absolute path name for the object.
    N  The Absolute Path Name field does not contain an absolute path name for the object.
N/A | 904 | Relative File ID (note 3) | Char(16) | The relative file ID of the absolute path name.
N/A | 920 | Absolute Path Name (note 4) | Char(5002) | The absolute path name of the object.
Notes:
1. These fields are used only for objects in the QOpenSys file system and the "root" file system.
2. If the ID has the left-most bit set and the rest of the bits zero, the ID is not set.
3. When the path name indicator (offset 903) is "N", this field will contain the relative file ID of the path name. When the path name indicator is "Y", this field will contain 16 bytes of hex zeroes.
4. This is a variable length field. The first two bytes contain the length of the field.
Table 161. IS (Internet Security Management) Journal Entries. QASYISJ4 Field Description File
JE Offset | J4 Offset | Field | Format | Description
N/A | 525 | CCSID | Bin(5) | The coded character set identifier for the following fields:
    - Local ID
    - Local Client ID Value
    - Remote ID
    - Remote Client ID Value
N/A | 529 | Local ID | Char(256) | Local IKE identifier.
N/A | 785 | Local Client ID Type | Char(2) | Type of client ID (valid for phase 2):
    1   IP version 4 address
    2   Fully qualified domain name
    3   User fully qualified domain name
    4   IP version 4 subnet
    7   IP version 4 address range
    9   Distinguished name
    11  Key identifier
N/A | 787 | Local Client ID Value | Char(256) | Local client ID (valid for phase 2).
N/A | 1043 | Local Client ID Protocol | Char(4) | Local client ID protocol (valid for phase 2).
N/A | 1047 | Remote ID | Char(256) | Remote IKE identifier.
N/A | 1303 | Remote Client ID Type | Char(2) | Type of client ID (valid for phase 2):
    1   IP version 4 address
    2   Fully qualified domain name
    3   User fully qualified domain name
    4   IP version 4 subnet
    7   IP version 4 address range
    9   Distinguished name
    11  Key identifier
N/A | 1305 | Remote Client ID Value | Char(256) | Remote client ID (valid for phase 2).
N/A | 1561 | Remote Client ID Protocol | Char(4) | Remote client ID protocol (valid for phase 2).
Table 162. JD (Job Description Change) Journal Entries. QASYJDJE/J4 Field Description File
JE Offset | J4 Offset | Field | Format | Description
157 | 225 | Job Description | Char(10) | The name of the job description that had the USER parameter changed.
167 | 235 | Library Name | Char(10) | The name of the library the object is in.
188 | 256 | Old User | Char(10) | The name of the user profile specified for the USER parameter before the job description was changed.
198 | 266 | New User | Char(10) | The name of the user profile specified for the USER parameter when the job description was changed.
Table 163. JS (Job Change) Journal Entries. QASYJSJE/J4 Field Description File
JE Offset | J4 Offset | Field | Format | Description
159 | 227 | Job Name | Char(10) | The first part of the qualified job name being operated on.
169 | 237 | Job User Name | Char(10) | The second part of the qualified job name being operated on.
179 | 247 | Job Number | Char(6) | The third part of the qualified job name being operated on.
185 | 253 | Device Name | Char(10) | The name of the device.
195 | 263 | Effective User Profile (note 2) | Char(10) | The name of the effective user profile for the thread.
205 | 273 | Job Description Name | Char(10) | The name of the job description for the job.
215 | 283 | Job Description Library | Char(10) | The name of the library for the job description.
225 | 293 | Job Queue Name | Char(10) | The name of the job queue for the job.
235 | 303 | Job Queue Library | Char(10) | The name of the library for the job queue.
245 | 313 | Output Queue Name | Char(10) | The name of the output queue for the job.
255 | 323 | Output Queue Library | Char(10) | The name of the library for the output queue.
265 | 333 | Printer Device | Char(10) | The name of the printer device for the job.
275 | 343 | Library List (note 2) | Char(430) | The library list for the job.
705 | 773 | Effective Group Profile Name (note 2) | Char(10) | The name of the effective group profile for the thread.
715 | 783 | Supplemental Group Profiles (note 2) | Char(150) | The names of the supplemental group profiles for the thread.
- | 933 | JUID Description | Char(1) | Describes the meaning of the JUID field:
    (blank)  The JUID field contains the value for the JOB.
    C  The clear JUID API was called. The JUID field contains the new value.
    S  The set JUID API was called. The JUID field contains the new value.
- | 985 | Effective User Changed (note 3) | Char(1) | The effective user profile was changed:
    Y  Yes
    N  No
- | 986 | Saved User Changed (note 3) | Char(1) | The saved user profile was changed:
    Y  Yes
    N  No
- | 987 | Real Group Changed (note 3) | Char(1) | The real group profile was changed:
    Y  Yes
    N  No
- | 988 | Effective Group Changed (note 3) | Char(1) | The effective group profile was changed:
    Y  Yes
    N  No
- | 989 | Saved Group Changed (note 3) | Char(1) | The saved group profile was changed:
    Y  Yes
    N  No
- | 991 | Library List Number (note 4) | Bin(4) | The number of libraries in the library list extension field (offset 993).
- | 993 | Library List Extension (notes 4, 5) | Char(2252) | The extension to the library list for the job.
Notes:
1. This field is blank if the job is on the job queue and has not run.
2. When the JS audit record is generated because one job performs an operation on another job, this field will contain data from the initial thread of the job that is being operated on. In all other cases, the field will contain data from the thread that performed the operation.
3. This field is used only when the entry type (offset 224) is M or T.
4. This field is used only if the number of libraries in the library list exceeds the size of the field at offset 343.
5. This is a variable length field. The first two bytes contain the length of the data in the field.
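The five "Changed" flags at offsets 985 to 989 of Table 163 are the fields an auditor reads to see whether a thread swapped its effective or saved user or group profile, and note 3 limits them to entry types M and T; notes 4 and 5 describe how the library list overflows into the counted, length-prefixed extension at offset 993. The decoder below is an added example written for this page, not IBM code. It assumes raw QASYJSJ4 record bytes, Char fields in EBCDIC CCSID 37, big-endian Bin fields, and the constructed sample record it builds itself; the field and function names and the sample job, profile and library names are the example's own.

```python
"""Decode the profile-change flags and library list of a JS (Job Change)
J4 audit entry, using the offsets from Table 163 (QASYJSJ4), and report
entries in which a thread's effective user or group profile was swapped.

Added example, not IBM code. Assumptions: raw J4 record bytes, Char fields
in EBCDIC CCSID 37, big-endian Bin fields, 1-based offsets as printed."""
import struct
from dataclasses import dataclass
from typing import Dict, List

RECORD_CCSID = "cp037"  # assumption for the constructed sample record

# (1-based offset, byte length) from Table 163. Offset 224 is the entry type
# that the table's note 3 refers to. Bin(4) is a 2-byte integer (991 -> 993).
JS_FIELDS = {
    "entry_type":              (224, 1),
    "job_name":                (227, 10),
    "job_user":                (237, 10),
    "job_number":              (247, 6),
    "effective_user":          (263, 10),
    "library_list":            (343, 430),
    "effective_group":         (773, 10),
    "supplemental_groups":     (783, 150),
    "effective_user_changed":  (985, 1),
    "saved_user_changed":      (986, 1),
    "real_group_changed":      (987, 1),
    "effective_group_changed": (988, 1),
    "saved_group_changed":     (989, 1),
    "library_list_ext_count":  (991, 2),
    "library_list_extension":  (993, 2252),  # variable length, 2-byte length prefix (note 5)
}
CHANGE_FLAGS = ("effective_user_changed", "saved_user_changed", "real_group_changed",
                "effective_group_changed", "saved_group_changed")
MIN_RECORD_LEN = JS_FIELDS["library_list_extension"][0] - 1 + 2

def text(rec: bytes, name: str) -> str:
    off, ln = JS_FIELDS[name]
    return rec[off - 1:off - 1 + ln].decode(RECORD_CCSID).rstrip()

def names_in(blob: str, width: int = 10) -> List[str]:
    """Split a run of Char(10) names (profiles, libraries) into a list, dropping blanks."""
    chunks = (blob[i:i + width].strip() for i in range(0, len(blob), width))
    return [c for c in chunks if c]

@dataclass
class JsEntry:
    entry_type: str
    job: str                   # number/user/name
    effective_user: str
    effective_group: str
    supplemental_groups: List[str]
    changed: List[str]         # change-flag fields set to Y (entry types M and T only)
    library_list: List[str]

def decode_js_entry(rec: bytes) -> JsEntry:
    if len(rec) < MIN_RECORD_LEN:
        raise ValueError(f"record too short ({len(rec)} < {MIN_RECORD_LEN} bytes)")
    entry_type = text(rec, "entry_type")
    changed: List[str] = []
    if entry_type in ("M", "T"):  # note 3: the flags are defined only for these types
        for name in CHANGE_FLAGS:
            value = text(rec, name)
            if value not in ("Y", "N"):
                raise ValueError(f"bad {name} flag {value!r}")
            if value == "Y":
                changed.append(name)
    libs = names_in(text(rec, "library_list"))
    # Notes 4 and 5: the extension carries the libraries that did not fit at
    # offset 343; its length prefix is at 993 and its library count at 991.
    count_off = JS_FIELDS["library_list_ext_count"][0] - 1
    (ext_count,) = struct.unpack(">H", rec[count_off:count_off + 2])
    start = JS_FIELDS["library_list_extension"][0] - 1
    (ext_len,) = struct.unpack(">H", rec[start:start + 2])
    if ext_len > 2250 or len(rec) < start + 2 + ext_len:
        raise ValueError("library list extension length exceeds the record")
    ext_libs = names_in(rec[start + 2:start + 2 + ext_len].decode(RECORD_CCSID))
    if len(ext_libs) != ext_count:
        raise ValueError(f"extension holds {len(ext_libs)} libraries, count field says {ext_count}")
    job = "/".join(text(rec, n) for n in ("job_number", "job_user", "job_name"))
    return JsEntry(entry_type, job, text(rec, "effective_user"), text(rec, "effective_group"),
                   names_in(text(rec, "supplemental_groups")), changed, libs + ext_libs)

def identity_changed(entry: JsEntry) -> bool:
    """True when the entry records a change of the thread's effective user or group."""
    return "effective_user_changed" in entry.changed or "effective_group_changed" in entry.changed

def build_sample_js_record(entry_type: str, effective_user: str,
                           changed: Dict[str, bool], libs: List[str]) -> bytes:
    """Constructed sample record (not real journal data): EBCDIC blanks up to
    offset 993, then the fields above; the job and profile names are made up."""
    rec = bytearray(b"\x40" * (JS_FIELDS["library_list_extension"][0] - 1))
    def put(name: str, data: bytes) -> None:
        off, ln = JS_FIELDS[name]
        assert len(data) <= ln
        rec[off - 1:off - 1 + len(data)] = data
    def enc(s: str) -> bytes:
        return s.encode(RECORD_CCSID)
    put("entry_type", enc(entry_type))
    put("job_name", enc("BATCHJOB"))
    put("job_user", enc("ALICE"))
    put("job_number", enc("123456"))
    put("effective_user", enc(effective_user))
    put("effective_group", enc("APPGRP"))
    put("supplemental_groups", enc("AUDITGRP"))
    for name in CHANGE_FLAGS:
        put(name, enc("Y" if changed.get(name) else "N"))
    fixed, extra = libs[:43], libs[43:]  # 43 Char(10) names fit in Char(430)
    put("library_list", enc("".join(lib.ljust(10) for lib in fixed)))
    put("library_list_ext_count", struct.pack(">H", len(extra)))
    ext = enc("".join(lib.ljust(10) for lib in extra))
    rec += struct.pack(">H", len(ext)) + ext
    return bytes(rec)
```

Reading the flags only for entry types M and T, and cross-checking the extension's length prefix against both the count field at offset 991 and the record length, keeps a malformed or truncated record from being misreported as a profile change or from being read past its end.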
Table 164. KF (Key Ring File) Journal Entries. QASYKFJ4 Field Description File
JE Offset | J4 Offset | Field | Format | Description
N/A | 1 | Heading fields common to all entry types | | See Table 139 on page 489 for field listing.
N/A | 224 | Entry Type | Char(1) | The type of entry:
    C  Certificate operation
    K  Key ring file operation
    P  Password incorrect
    T  Trusted root operation
N/A | 2457 | Relative File ID (note 2) | Char(16) | The relative file ID of the absolute path name.
N/A | 2473 | Absolute Path Name (note 1) | Char(5002) | The absolute path name of the key ring file.
N/A | 7475 | Object File ID | Char(16) | The file ID of the source or target file.
N/A | 7491 | ASP Name | Char(10) | The name of the ASP device.
N/A | 7501 | ASP Number | Char(5) | The number of the ASP device.
N/A | 7506 | Path Name CCSID | Binary(5) | The coded character set identifier for the absolute path name.
N/A | 7510 | Path Name Country ID | Char(2) | The country ID for the absolute path name.
N/A | 7512 | Path Name Language ID | Char(3) | The language ID for the absolute path name.
N/A | 7515 | Path Name Length | Binary(4) | The length of the absolute path name.
N/A | 7517 | Path Name Indicator | Char(1) | The absolute path name indicator:
    Y  The Absolute Path Name field contains an absolute path name for the source or target file.
    N  The Absolute Path Name field does not contain an absolute path name for the source or target file.
N/A | 7518 | Relative File ID (note 3) | Char(16) | The relative file ID of the absolute path name.
N/A | 7534 | Absolute Path Name (note 1) | Char(5002) | The absolute path name of the source or target file.
Notes:
1. This is a variable length field. The first 2 bytes contain the length of the path name.
2. When the path name indicator (offset 2456) is "N", this field will contain the relative file ID of the absolute path name at offset 2473. When the path name indicator is "Y", this field will contain 16 bytes of hex zeroes.
3. When the path name indicator (offset 7517) is "N", this field will contain the relative file ID of the absolute path name at offset 7534. When the path name indicator is "Y", this field will contain 16 bytes of hex zeroes.
4. The field will be blanks when it is not a certificate operation.
5. The field will be blanks when it is not a key ring file operation.
6. The field will be blanks when it is not a trusted root operation.
Table 165. LD (Link, Unlink, Search Directory) Journal Entries. QASYLDJE/J4 Field Description File
JE Offset | J4 Offset | Field | Format | Description
177 | 245 | Object Name CCSID (note 1) | Binary(5) | The coded character set identifier for the object name.
181 | 249 | Object Name Country ID (note 1) | Char(2) | The country ID for the object name.
183 | 251 | Object Name Language ID (note 1) | Char(3) | The language ID for the object name.
186 | 254 | (Reserved area) | Char(3) |
189 | 257 | Parent File ID (notes 1, 2) | Char(16) | The file ID of the parent directory.
205 | 273 | Object File ID (notes 1, 2) | Char(16) | The file ID of the object.
221 | 289 | Object Name (note 1) | Char(512) | The name of the object.
- | 801 | Object File ID | Char(16) | The file ID of the object.
- | 817 | ASP Name | Char(10) | The name of the ASP device.
- | 827 | ASP Number | Char(5) | The number of the ASP device.
- | 832 | Path Name CCSID | Binary(5) | The coded character set identifier for the absolute path name.
- | 836 | Path Name Country ID | Char(2) | The country ID for the absolute path name.
- | 838 | Path Name Language ID | Char(3) | The language ID for the absolute path name.
- | 841 | Path Name Length | Binary(4) | The length of the absolute path name.
- | 843 | Path Name Indicator | Char(1) | The absolute path name indicator:
    Y  The Absolute Path Name field contains an absolute path name for the object.
    N  The Absolute Path Name field does not contain an absolute path name for the object.
- | 844 | Relative File ID (note 1) | Char(16) | The relative file ID of the absolute path name.
- | 860 | Absolute Path Name (note 2) | Char(5002) | The absolute path name of the object.
Notes:
1. When the path name indicator (offset 843) is "N", this field will contain the relative file ID of the absolute path name. When the path name indicator is "Y", this field will contain 16 bytes of hex zeroes.
2. This is a variable length field. The first 2 bytes contain the length of the path name.
Table 166. ML (Mail Actions) Journal Entries. QASYMLJE/J4 Field Description File
JE Offset | J4 Offset | Field | Format | Description
Table 167. NA (Network Attribute Change) Journal Entries. QASYNAJE/J4 Field Description File
JE Offset | J4 Offset | Field | Format | Description
Table 168. ND (APPN Directory Search Filter) Journal Entries. QASYNDJE/J4 Field Description File
JE Offset | J4 Offset | Field | Format | Description
For more information about APPN Directory Search Filter and APPN End point, see the Information Center (see "Prerequisite and related information" on page xvi for details).
Table 169. NE (APPN End Point Filter) Journal Entries. QASYNEJE/J4 Field Description File
JE Offset | J4 Offset | Field | Format | Description
For more information about APPN Directory Search Filter and APPN End point, see the Information Center (see "Prerequisite and related information" on page xvi for details).
Table 170. OM (Object Management Change) Journal Entries. QASYOMJE/J4 Field Description File
JE Offset | J4 Offset | Field | Format | Description
157 | 225 | Old Object Name | Char(10) | The old name of the object.
167 | 235 | Old Library Name | Char(10) | The name of the library the old object is in.
177 | 245 | Object Type | Char(8) | The type of object.
185 | 253 | New Object Name | Char(10) | The new name of the object.
195 | 263 | New Library Name | Char(10) | The name of the library the object was moved to.
205 | 273 | (Reserved Area) | Char(20) |
225 | 293 | Office User | Char(10) | The name of the office user.
235 | 303 | Old Folder or Document Name | Char(12) | The old name of the folder or document.
247 | 315 | (Reserved Area) | Char(8) |
255 | 323 | Old Folder Path | Char(63) | The old path of the folder.
318 | 386 | New Folder or Document Name | Char(12) | The new name of the folder or document.
330 | 398 | (Reserved Area) | Char(8) |
338 | 406 | New Folder Path | Char(63) | The new path of the folder.
401 | 469 | Office on Behalf of User | Char(10) | User working on behalf of another user.
411 | - | (Reserved Area) | Char(20) |
- | 479 | (Reserved Area) | Char(18) |
- | 497 | Object Name Length | Binary(4) | The length of the new object name.
431 | 499 | Object Name CCSID (note 1) | Binary(5) | The coded character set identifier for the object name.
435 | 503 | Object Name Country ID (note 1) | Char(2) | The country ID for the object name.
437 | 505 | Object Name Language ID (note 1) | Char(3) | The language ID for the object name.
440 | 508 | (Reserved area) | Char(3) |
443 | 511 | Old Parent File ID (notes 1, 2) | Char(16) | The file ID of the old parent directory.
459 | 527 | Old Object File ID (notes 1, 2) | Char(16) | The file ID of the old object.
475 | 543 | Old Object Name (note 1) | Char(512) | The name of the old object.
987 | 1055 | New Parent File ID (notes 1, 2) | Char(16) | The file ID of the new parent directory.
1003 | 1071 | New Object Name (notes 1, 2) | Char(512) | The new name of the object.
- | 1583 | Object File ID (notes 1, 2) | Char(16) | The file ID of the object.
- | 1599 | ASP Name | Char(10) | The name of the ASP device.
- | 1609 | ASP Number | Char(5) | The number of the ASP device.
- | 1614 | Path Name CCSID | Binary(5) | The coded character set identifier for the absolute path name.
- | 1618 | Path Name Country ID | Char(2) | The country ID for the absolute path name.
- | 1620 | Path Name Language ID | Char(3) | The language ID for the absolute path name.
- | 1623 | Path Name Length | Binary(4) | The length of the absolute path name.
- | 1625 | Path Name Indicator | Char(1) | The absolute path name indicator:
    Y  The Absolute Path Name field contains an absolute path name for the object.
    N  The Absolute Path Name field does not contain an absolute path name for the object.
- | 1626 | Relative File ID (note 3) | Char(16) | The relative file ID of the absolute path name.
- | 1642 | Absolute Path Name (note 5) | Char(5002) | The old absolute path name of the object.
- | 6644 | Object File ID | Char(16) | The file ID of the object.
- | 6660 | ASP Name | Char(10) | The name of the ASP device.
- | 6670 | ASP Number | Char(5) | The number of the ASP device.
- | 6675 | Path Name CCSID | Binary(5) | The coded character set identifier for the absolute path name.
- | 6679 | Path Name Country ID | Char(2) | The country ID for the absolute path name.
- | 6681 | Path Name Language ID | Char(3) | The language ID for the absolute path name.
- | 6684 | Path Name Length | Binary(4) | The length of the absolute path name.
Table 171. OR (Object Restore) Journal Entries. QASYORJE/J4 Field Description File
JE Offset | J4 Offset | Field | Format | Description
157 | 225 | Restored Object Name | Char(10) | The name of the restored object.
167 | 235 | Restored Library Name | Char(10) | The name of the library of the restored object.
177 | 245 | Object Type | Char(8) | The type of object.
185 | 253 | Save Object Name | Char(10) | The name of the save object.
195 | 263 | Save Library Name | Char(10) | The name of the library from which the object was saved.
205 | 273 | Program State (note 1) | Char(1) |
    I  An inherit state program was restored.
    Y  A system state program was restored.
    N  A user state program was restored.
- | 277 | Signature Status | Char(1) | The signature status of the restored object:
    B  Signature was not in OS/400 format
    E  Signature exists but is not verified
    F  Signature does not match object content
    I  Signature ignored
    N  Unsignable object
    U  Object unsigned
    S  Signature is valid
- | 1071 | Media File ID | Char(16) | The file ID (FID) that was stored on the media file. Note: The FID stored on the media is the FID the object had on the source system.
Table 172. OW (Ownership Change) Journal Entries. QASYOWJE/J4 Field Description File
JE Offset J4 Offset Field Format Description
Table 173. O1 (Optical Access) Journal Entries. QASY01JE/J4 Field Description File
JE Offset J4 Offset Field Format Description
Table 174. O2 (Optical Access) Journal Entries. QASY02JE/J4 Field Description File
JE Offset J4 Offset Field Format Description
158 226 Src Device Name Char(10) Source library LUD name
168 236 Src CSI Name Char(8) Source Side Object Name
176 244 Src CSI Library Char(10) Source Side Object Library
186 254 Src Volume Name Char(32) Source Optical volume name
218 286 Src Obj Name Char(256) Source Optical directory/file name
474 542 Tgt Device Name Char(10) Target library LUD name
484 552 Tgt CSI Name Char(8) Target Side Object Name
492 560 Tgt CSI Library Char(10) Target Side Object Library
502 570 Tgt Volume Name Char(32) Target Optical volume name
534 602 Tgt Obj Name Char(256) Target Optical directory/file name
Table 175. O3 (Optical Access) Journal Entries. QASY03JE/J4 Field Description File
JE Offset J4 Offset Field Format Description
Table 176. PA (Program Adopt) Journal Entries. QASYPAJE/J4 Field Description File
JE Offset J4 Offset Field Format Description
841 Primary Group Owner Char(10) The name of the primary group owner.
851 Object File ID Char(16) The file ID of the object.
867 ASP Name Char(10) The name of the ASP device.
877 ASP Number Char(5) The number of the ASP device.
882 Path Name CCSID Binary(5) The coded character set identifier for the absolute path name.
886 Path Name Country ID Char(2) The country ID for the absolute path name.
888 Path Name Language ID Char(3) The language ID for the absolute path name.
891 Path Name Length Binary(4) The length of the absolute path name.
893 Path Name Indicator Char(1) The absolute path name indicator:
  Y The Absolute Path Name field contains an absolute path name for the object.
  N The Absolute Path Name field does not contain an absolute path name for the object.
894 Relative File ID (4) Char(16) The relative file ID of the absolute path name.
910 Absolute Path Name (5) Char(5002) The absolute path name of the object.
Notes:
1. These fields are used only for objects in the QOpenSys and "root" file systems.
2. An ID that has the left-most bit set and the rest of the bits zero indicates that the ID is NOT set.
3. When the entry type is "J", the program name and the library name fields will contain "*N". In addition, the parent file ID and the object file ID fields will contain binary zeroes.
4. When the path name indicator (offset 893) is "N", this field will contain the relative file ID of the absolute path name. When the path name indicator is "Y", this field will contain 16 bytes of hex zeroes.
5. This is a variable length field. The first 2 bytes contain the length of the path name.
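The indicator, relative file ID and variable-length path name rules in notes 2, 4 and 5 (the same group of fields recurs in the PG, RA, RO and ZR layouts) can be applied to a record as follows. This is an added Python example, not from the manual; it assumes EBCDIC (CCSID 37) text, big-endian binary fields with Binary(5) occupying 4 bytes and Binary(4) occupying 2, and uses constructed sample records laid out at the PA offsets above.

```python
import struct
from dataclasses import dataclass, field as dc_field
from typing import List, Optional

EBCDIC = "cp037"                       # assumption: record text is CCSID 37
NOT_SET_FID = b"\x80" + b"\x00" * 15   # note 2: left-most bit set, rest zero
HEX_ZEROES_FID = b"\x00" * 16          # note 4: relative FID field when indicator is Y

# J4 offsets of the path-name group in the PA layout (Table 176)
OFF_CCSID, OFF_LENGTH, OFF_INDICATOR, OFF_REL_FID, OFF_ABS_PATH = 882, 891, 893, 894, 910
ABS_PATH_FIELD_LEN = 5002              # 2-byte length prefix + up to 5000 bytes of path
RECORD_LEN = OFF_ABS_PATH - 1 + ABS_PATH_FIELD_LEN


def slice_field(rec: bytes, offset: int, length: int) -> bytes:
    """Return a fixed field addressed by its 1-based J4 offset."""
    out = rec[offset - 1: offset - 1 + length]
    if len(out) != length:
        raise ValueError(f"record too short for field at offset {offset}")
    return out


def fid_is_set(fid: bytes) -> bool:
    """Note 2: X'80' followed by fifteen X'00' bytes means the ID is NOT set."""
    return fid != NOT_SET_FID


@dataclass
class PathNameInfo:
    ccsid: int
    indicator: str
    relative_fid: Optional[bytes]      # filled only when the indicator is N
    absolute_path: Optional[str]       # filled only when the indicator is Y
    issues: List[str] = dc_field(default_factory=list)


def parse_path_name(rec: bytes) -> PathNameInfo:
    """Apply the indicator, relative-FID and length-prefix rules of notes 4 and 5."""
    ccsid = struct.unpack(">I", slice_field(rec, OFF_CCSID, 4))[0]        # Binary(5) = 4 bytes
    stated_len = struct.unpack(">H", slice_field(rec, OFF_LENGTH, 2))[0]  # Binary(4) = 2 bytes
    indicator = slice_field(rec, OFF_INDICATOR, 1).decode(EBCDIC)
    rel_fid = slice_field(rec, OFF_REL_FID, 16)
    var_field = slice_field(rec, OFF_ABS_PATH, ABS_PATH_FIELD_LEN)
    prefix_len = struct.unpack(">H", var_field[:2])[0]                    # note 5
    info = PathNameInfo(ccsid=ccsid, indicator=indicator, relative_fid=None, absolute_path=None)

    if indicator == "Y":
        codec = {37: "cp037", 500: "cp500"}.get(ccsid)   # assumption: minimal CCSID-to-codec map
        if codec is None:
            info.issues.append(f"unsupported path CCSID {ccsid}")
        else:
            info.absolute_path = var_field[2:2 + prefix_len].decode(codec)
        if prefix_len != stated_len:
            info.issues.append(f"length prefix {prefix_len} != Path Name Length {stated_len}")
        if rel_fid != HEX_ZEROES_FID:
            info.issues.append("relative file ID should be hex zeroes when indicator is Y")
    elif indicator == "N":
        info.relative_fid = rel_fid
        if not fid_is_set(rel_fid):
            info.issues.append("relative file ID is NOT set")
    else:
        info.issues.append(f"unexpected path name indicator {indicator!r}")
    return info


def build_record(indicator: str, path: str = "", rel_fid: bytes = HEX_ZEROES_FID) -> bytes:
    """Construct a sample record (not real audit data) with the PA path-name fields filled in."""
    rec = bytearray(b"\x40" * RECORD_LEN)          # EBCDIC blanks everywhere else
    encoded = path.encode(EBCDIC)

    def put(offset: int, data: bytes) -> None:
        rec[offset - 1: offset - 1 + len(data)] = data

    put(OFF_CCSID, struct.pack(">I", 37))
    put(OFF_LENGTH, struct.pack(">H", len(encoded)))
    put(OFF_INDICATOR, indicator.encode(EBCDIC))
    put(OFF_REL_FID, rel_fid)
    put(OFF_ABS_PATH, struct.pack(">H", len(encoded)) + encoded)
    return bytes(rec)


if __name__ == "__main__":
    for rec in (build_record("Y", "/home/alice/payroll.dat"),
                build_record("N", rel_fid=b"\x01" * 16),
                build_record("N", rel_fid=NOT_SET_FID)):
        print(parse_path_name(rec))
```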
Table 177. PG (Primary Group Change) Journal Entries. QASYPGJE/J4 Field Description File
JE Offset J4 Offset Field Format Description
Notes:
1. These fields are used only for objects in the QOpenSys and "root" file systems.
2. An ID that has the left-most bit set and the rest of the bits zero indicates that the ID is NOT set.
3. When the path name indicator (offset 1047) is "N", this field will contain the relative file ID of the absolute path name. When the path name indicator is "Y", this field will contain 16 bytes of hex zeroes.
4. This is a variable length field. The first 2 bytes contain the length of the path name.
5. A value of *N implies the value of the Old Primary Group was not available.
Table 178. PO (Printer Output) Journal Entries. QASYPOJE/J4 Field Description File
JE Offset J4 Offset Field Format Description
158 226 Job Name Char(10) The first part of the qualified job name.
168 236 Job User Name Char(10) The second part of the qualified job name.
178 246 Job Number Zoned(6,0) The third part of the qualified job name.
184 252 User Profile Char(10) The user profile that created the output.
194 262 Output Queue Char(10) The output queue containing the spooled file. (1)
204 272 Output Queue Library Name Char(10) The name of the library containing the output queue. (1)
214 282 Device Name Char(10) The device where the output was printed. (2)
224 292 Device Type Char(4) The type of printer device. (2)
228 296 Device Model Char(4) The model of the printer device. (2)
232 300 Device File Name Char(10) The name of the device file used to access the printer.
242 310 Device File Library Char(10) The name of the library for the device file.
252 320 Spooled File Name Char(10) The name of the spooled file. (1)
262 330 Short Spooled File Number Char(4) The number of the spooled file. (1) If the spooled file number is larger than 4 bytes, this field will be blank and the Spooled File Number field (offset 354) will be used.
266 334 Form Type Char(10) The form type of the spooled file.
276 344 User Data Char(10) The user data associated with the spooled file. (1)
286 (Reserved area) Char(20)
354 Spooled File Number Char(6) The number of the spooled file.
360 Reserved Area Char(14)
306 374 Remote System Char(255) Name of the remote system to which printing was sent.
561 629 Remote System Print Queue Char(128) The name of the output queue on the remote system.
Notes:
1. This field is blank if the type of output is direct print.
2. This field is blank if the type of output is remote print.
Table 179. PS (Profile Swap) Journal Entries. QASYPSJE/J4 Field Description File
JE Offset J4 Offset Field Format Description
216 284 Profile Token Timeout Binary(4) The number of seconds the profile token is valid.
Table 181. RA (Authority Change for Restored Object) Journal Entries. QASYRAJE/J4 Field Description File
JE Offset J4 Offset Field Format Description
321 389 Object Name CCSID (1) Binary(5) The coded character set identifier for the object name.
325 393 Object Name Country ID (1) Char(2) The country ID for the object name.
327 395 Object Name Language ID (1) Char(3) The language ID for the object name.
330 398 (Reserved area) Char(3)
333 401 Parent File ID (1,2) Char(16) The file ID of the parent directory.
349 417 Object File ID (1,2) Char(16) The file ID of the object.
365 433 Object Name (1) Char(512) The name of the object.
945 Object File ID Char(16) The file ID of the object.
961 ASP Name Char(10) The name of the ASP device.
971 ASP Number Char(5) The number of the ASP device.
976 Path Name CCSID Binary(5) The coded character set identifier for the absolute path name.
980 Path Name Country ID Char(2) The country ID for the absolute path name.
982 Path Name Language ID Char(3) The language ID for the absolute path name.
985 Path Name Length Binary(4) The length of the absolute path name.
987 Path Name Indicator Char(1) The absolute path name indicator:
  Y The Absolute Path Name field contains an absolute path name for the object.
  N The Absolute Path Name field does not contain an absolute path name for the object.
988 Relative File ID (3) Char(16) The relative file ID of the absolute path name.
1004 Absolute Path Name (4) Char(5002) The absolute path name of the object.
Notes:
1. These fields are used only for objects in the QOpenSys and "root" file systems.
2. An ID that has the left-most bit set and the rest of the bits zero indicates that the ID is NOT set.
3. When the path name indicator (offset 987) is "N", this field will contain the relative file ID of the absolute path name. When the path name indicator is "Y", this field will contain 16 bytes of hex zeroes.
4. This is a variable length field. The first 2 bytes contain the length of the path name.
Table 182. RJ (Restoring Job Description) Journal Entries. QASYRJJE/J4 Field Description File
JE Offset J4 Offset Field Format Description
157 225 Job Description Name Char(10) The name of the job description restored.
167 235 Library Name Char(10) The name of the library the job description was restored to.
Table 183. RO (Ownership Change for Restored Object) Journal Entries. QASYROJE/J4 Field Description File
JE Offset J4 Offset Field Format Description
995 Relative File ID (3) Char(16) The relative file ID of the absolute path name.
1011 Absolute Path Name (4) Char(5002) The absolute path name of the object.
Notes:
1. These fields are used only for objects in the QOpenSys and "root" file systems.
2. An ID that has the left-most bit set and the rest of the bits zero indicates that the ID is NOT set.
3. When the path name indicator (offset 994) is "N", this field will contain the relative file ID of the absolute path name. When the path name indicator is "Y", this field will contain 16 bytes of hex zeroes.
4. This is a variable length field. The first 2 bytes contain the length of the path name.
Table 184. RP (Restoring Programs that Adopt Authority) Journal Entries. QASYRPJE/J4 Field Description File
JE Offset J4 Offset Field Format Description
1 1 Heading fields common to all entry types. See Table 140 on page 490 and Table 139 on page 489 for field listing.
156 224 Entry Type Char(1) The type of entry.
  A Restoring programs that adopt the owner's authority
Table 185. RQ (Restoring Change Request Descriptor Object) Journal Entries. QASYRQJE/J4 Field Description File
JE Offset J4 Offset Field Format Description
157 225 Object Name Char(10) The name of the change request descriptor.
167 235 Object Library Char(10) The name of the library where the change request descriptor is found.
177 245 Object Type Char(8) The type of object.
Table 186. RU (Restore Authority for User Profile) Journal Entries. QASYRUJE/J4 Field Description File
JE Offset J4 Offset Field Format Description
157 225 User Name Char(10) The name of the user profile whose authority was restored.
167 235 Library Name Char(10) The name of the library.
177 245 Object Type Char(8) The type of object.
253 Authority Restored Char(1) Indicates whether all authorities were restored for the user.
  A All authorities were restored
  S Some authorities not restored
Notes:
1. These fields are used only for objects in the QOpenSys and "root" file systems.
2. An ID that has the left-most bit set and the rest of the bits zero indicates that the ID is NOT set.
3. When the path name indicator (offset 1014) is "N", this field will contain the relative file ID of the absolute path name. When the path name indicator is "Y", this field will contain 16 bytes of hex zeroes.
4. This is a variable length field. The first 2 bytes contain the length of the path name.
Table 188. SD (Change System Distribution Directory) Journal Entries. QASYSDJE/J4 Field Description File
JE Offset J4 Offset Field Format Description
Table 189. SE (Change of Subsystem Routing Entry) Journal Entries. QASYSEJE/J4 Field Description File
JE Offset J4 Offset Field Format Description
Table 190. SF (Action to Spooled File) Journal Entries. QASYSFJE/J4 Field Description File
JE Offset J4 Offset Field Format Description
157 225 Database File Name Char(10) The name of the database file containing the spooled file.
167 235 Library Name Char(10) The name of the library for the database file.
177 245 Object Type Char(8) The object type of the database file.
185 253 Reserved area Char(10)
195 263 Member Name Char(10) The name of the file member.
205 273 Spooled File Name Char(10) The name of the spooled file. (1)
215 283 Short Spooled File Number Char(4) The number of the spooled file. (1) If the spooled file number is larger than 4 bytes, this field will be blank and the Spooled File Number field (offset 307) will be used.
219 287 Output Queue Name Char(10) The name of the output queue containing the spooled file.
229 297 Output Queue Library Char(10) The name of the library for the output queue.
239 Reserved area Char(20)
307 Spooled File Number Char(6) The number of the spooled file.
313 Reserved Area Char(14)
259 327 Old Copies Char(3) Number of old copies of the spooled file
262 330 New Copies Char(3) Number of new copies of the spooled file
265 333 Old Printer Char(10) Old printer for the spooled file
275 343 New Printer Char(10) New printer for the spooled file
285 353 New Output Queue Char(10) New output queue for the spooled file
295 363 New Output Queue Library Char(10) Library for the new output queue
305 373 Old Form Type Char(10) Old form type of the spooled file
315 383 New Form Type Char(10) New form type of the spooled file
325 393 Old Restart Page Char(8) Old restart page for the spooled file
333 401 New Restart Page Char(8) New restart page for the spooled file
341 409 Old Page Range Start Char(8) Old page range start of the spooled file
349 417 New Page Range Start Char(8) New page range start of the spooled file
357 425 Old Page Range End Char(8) Old page range end of the spooled file
365 433 New Page Range End Char(8) New page range end of the spooled file
441 Spooled File Job Name Char(10) The name of the spooled file job.
451 Spooled File Job User Char(10) The user for the spooled file job.
461 Spooled File Job Number Char(6) The number for the spooled file job.
Notes:
1. This field is blank when the type of entry is I (inline print).
Table 191. SG (Asynchronous Signals) Journal Entries. QASYSGJ4 Field Description File
JE Offset J4 Offset Field Format Description
225 Signal Number Char(4) The signal number that was processed.
229 Handle action Char(1) The action taken on this signal.
  C Continue the process
  E Signal exception
  H Handle by invoking the signal catching function
  S Stop the process
  T Terminate the process
  U Terminate the request
Table 193. SM (System Management Change) Journal Entries. QASYSMJE/J4 Field Description File
JE Offset J4 Offset Field Format Description
Table 194. SO (Server Security User Information Actions) Journal Entries. QASYSOJE/J4 Field Description File
JE Offset J4 Offset Field Format Description
157 225 User Profile Char(10) The name of the user profile.
235 Server Authentication Entry Char(1) Y = Entry is a server authentication entry.
236 Password Stored Char(1)
  N Password not stored
  S No change
  Y Password is stored.
Table 195. ST (Service Tools Action) Journal Entries. QASYSTJE/J4 Field Description File
JE Offset J4 Offset Field Format Description
442 Early Trace Action (1) Char(10) The action requested for early job tracing:
  *ON Early tracing turned on
  *OFF Early tracing turned off
  *RESET Early tracing turned off and trace information deleted.
452 Application Trace Option (2) Char(1) The trace option specified on TRCTCPAPP:
  Y Collection of trace information started
  N Collection of trace information stopped and trace information written to spooled file
  E Collection of trace information ended and all trace information purged (no output created)
453 Application Traced (2) Char(10) The name of the application being traced.
463 Service Tools Profile (3) Char(10) The name of the service tools profile used for STRSST.
Notes:
1. This field is used only when the entry type (offset 225) is CE.
2. This field is used only when the entry type (offset 225) is TA.
3. This field is used only when the entry type (offset 225) is ST.
Table 196. SV (Action to System Value) Journal Entries. QASYSVJE/J4 Field Description File
JE Offset J4 Offset Field Format Description
157 225 System Value or Service Attribute Char(10) The name of the system value or service attribute.
167 235 New Value Char(250) The value to which the system value or service attribute was changed.
417 485 Old Value Char(250) The value of the system value or service attribute before it was changed.
667 735 New Value Continued Char(250) Continuation of the value to which the system value or service attribute was changed.
917 985 Old Value Continued Char(250) Continuation of the value of the system value or service attribute before it was changed.
Table 197. VA (Change of Access Control List) Journal Entries. QASYVAJE/J4 Field Description File
JE Offset J4 Offset Field Format Description
157 225 Server Name Char(10) The name of the network server description that registered the event.
167 235 Server Date Char(6) The date the event was logged on the network server.
173 241 Server Time Zoned(6,0) The time the event was logged on the network server.
179 247 Computer Name Char(8) The name of the computer issuing the request to change the access control list.
187 255 Requester Name Char(10) The name of the user issuing the request.
197 265 Action Performed Char(1) The action performed on the access control profile:
  A Addition
  C Modification
  D Deletion
198 266 Resource Name Char(260) The name of the resource to be changed.
Table 198. VC (Connection Start and End) Journal Entries. QASYVCJE/J4 Field Description File
JE Offset J4 Offset Field Format Description
157 225 Server Name Char(10) The name of the network server description that registered the event.
167 235 Server Date Char(6) The date the event was logged on the network server.
173 241 Server Time Zoned(6,0) The time the event was logged on the network server.
179 247 Computer Name Char(8) The name of the computer associated with the connection request.
187 255 Connection User Char(10) The name of the user associated with the connection request.
197 265 Connect ID Char(5) The start or stop connection ID.
202 270 Rejection Reason Char(1) The reason the connection was rejected:
  A Automatic disconnect (timeout), share removed, or administrative permissions lacking
  E Error, session disconnect, or incorrect password
  N Normal disconnection or user name limit
  P No access permission to shared resource
203 271 Network Name Char(12) The network name associated with the connection.
157 225 Server Name Char(10) The name of the network server description that registered the event.
167 235 Server Date Char(6) The date the event was logged on the network server.
173 241 Server Time Zoned(6,0) The time the event was logged on the network server.
179 247 Computer Name Char(8) The name of the computer requesting the close.
187 255 Connection User Char(10) The name of the user requesting the close.
197 265 File ID Char(5) The ID of the file being closed.
202 270 Duration Char(6) The number of seconds the file was open.
208 276 Resource Name Char(260) The name of the resource owning the accessed file.
Table 200. VL (Account Limit Exceeded) Journal Entries. QASYVLJE/J4 Field Description File
JE Offset J4 Offset Field Format Description
157 225 Server Name Char(10) The name of the network server description that registered the event.
167 235 Server Date Char(6) The date the event was logged on the network server.
173 241 Server Time Zoned(6,0) The time the event was logged on the network server.
179 247 Computer Name Char(8) The name of the computer with the account limit violation.
187 255 User Char(10) The name of the user with the account limit violation.
197 265 Resource Name Char(260) The name of the resource being used.
Table 201. VN (Network Log On and Off) Journal Entries. QASYVNJE/J4 Field Description File
JE Offset J4 Offset Field Format Description
157 225 Server Name Char(10) The name of the network server description that registered the event.
167 235 Server Date Char(6) The date the event was logged on the network server.
173 241 Server Time Zoned(6,0) The time the event was logged on the network server.
179 247 Computer Name Char(8) The name of the computer for the event.
187 255 User Char(10) The user who logged on or off.
197 265 User Privilege Char(1) Privilege of user logging on:
  A Administrator
  G Guest
  U User
198 266 Reject Reason Char(1) The reason the log on attempt was rejected:
  A Access denied
  F Forced off due to logon limit
  P Incorrect password
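Decoding VN entries from the QASYVNJ4 output file at the J4 offsets in Table 201 and summarising rejected logons per user, as an added Python example (not from the manual). It assumes EBCDIC (CCSID 37) records in which zoned digits decode as '0'-'9', a blank Reject Reason for logons that were not rejected, blank bytes in place of the 224-byte common header (Tables 139 and 140, not shown here), and an arbitrary threshold of three rejections; the records are constructed, not real audit data.

```python
from collections import Counter, defaultdict
from dataclasses import dataclass
from typing import Dict, List

EBCDIC = "cp037"   # assumption: record text is CCSID 37

# VN-specific fields as (name, J4 offset, length) from Table 201
VN_FIELDS = [
    ("server_name", 225, 10),
    ("server_date", 235, 6),
    ("server_time", 241, 6),      # Zoned(6,0): positive digits decode as characters
    ("computer_name", 247, 8),
    ("user", 255, 10),
    ("user_privilege", 265, 1),
    ("reject_reason", 266, 1),
]
RECORD_LEN = 266   # assumption: nothing follows the Reject Reason field in these samples

PRIVILEGE = {"A": "Administrator", "G": "Guest", "U": "User"}
REJECT_REASON = {"A": "Access denied", "F": "Forced off due to logon limit", "P": "Incorrect password"}


@dataclass(frozen=True)
class VNEntry:
    server_name: str
    server_date: str
    server_time: str
    computer_name: str
    user: str
    user_privilege: str
    reject_reason: str

    @property
    def rejected(self) -> bool:
        # assumption: a blank Reject Reason means the logon was not rejected
        return self.reject_reason != " "

    def describe(self) -> str:
        why = REJECT_REASON.get(self.reject_reason, "not rejected")
        who = PRIVILEGE.get(self.user_privilege, "unknown privilege")
        return f"{self.user} ({who}) from {self.computer_name}: {why}"


def parse_vn(rec: bytes) -> VNEntry:
    """Decode one QASYVNJ4 record using the 1-based J4 offsets."""
    values = {}
    for name, offset, length in VN_FIELDS:
        raw = rec[offset - 1: offset - 1 + length]
        if len(raw) != length:
            raise ValueError(f"record too short for {name} at offset {offset}")
        text = raw.decode(EBCDIC)
        values[name] = text if length == 1 else text.rstrip()
    return VNEntry(**values)


def rejections_by_user(entries: List[VNEntry]) -> Dict[str, Counter]:
    """Map user -> Counter of reject reason codes, ignoring accepted logons."""
    out: Dict[str, Counter] = defaultdict(Counter)
    for e in entries:
        if e.rejected:
            out[e.user][e.reject_reason] += 1
    return dict(out)


def users_over_threshold(entries: List[VNEntry], threshold: int = 3) -> List[str]:
    """Users whose rejected logons reach the threshold (the value is an example choice)."""
    counts = rejections_by_user(entries)
    return sorted(u for u, c in counts.items() if sum(c.values()) >= threshold)


def build_vn_record(server: str, date: str, time: str, computer: str,
                    user: str, privilege: str, reject: str = " ") -> bytes:
    """Construct a sample record (not real audit data); header bytes are left blank."""
    rec = bytearray(b"\x40" * RECORD_LEN)   # EBCDIC blanks
    for (name, offset, length), value in zip(VN_FIELDS, (server, date, time, computer, user, privilege, reject)):
        data = value.ljust(length).encode(EBCDIC)
        if len(data) != length:
            raise ValueError(f"{name} does not fit in {length} bytes")
        rec[offset - 1: offset - 1 + length] = data
    return bytes(rec)


# Constructed sample entries: one accepted logon, repeated password failures, one denial
SAMPLE_RECORDS = [
    build_vn_record("QNTC01", "021014", "083005", "WS0017", "ALICE", "U"),
    build_vn_record("QNTC01", "021014", "083112", "WS0042", "BOB", "U", "P"),
    build_vn_record("QNTC01", "021014", "083140", "WS0042", "BOB", "U", "P"),
    build_vn_record("QNTC01", "021014", "083158", "WS0099", "BOB", "U", "P"),
    build_vn_record("QNTC01", "021014", "090001", "WS0003", "CAROL", "G", "A"),
]


def parse_all(records: List[bytes] = SAMPLE_RECORDS) -> List[VNEntry]:
    return [parse_vn(r) for r in records]


if __name__ == "__main__":
    entries = parse_all()
    for e in entries:
        print(e.describe())
    print("flagged:", users_over_threshold(entries))
```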
Table 202. VO (Validation List) Journal Entries. QASYVOJ4 Field Description File
JE Offset J4 Offset Field Format Description
Table 203. VP (Network Password Error) Journal Entries. QASYVPJE/J4 Field Description File
JE Offset J4 Offset Field Format Description
157 225 Server Name Char(10) The name of the network server description that registered the event.
167 235 Server Date Char(6) The date the event was logged on the network server.
173 241 Server Time Zoned(6,0) The time the event was logged on the network server.
179 247 Computer Name Char(8) The name of the computer initiating the request.
187 255 User Char(10) The name of the user who attempted to log on.
Table 204. VR (Network Resource Access) Journal Entries. QASYVRJE/J4 Field Description File
JE Offset J4 Offset Field Format Description
157 225 Server Name Char(10) The name of the network server description that registered the event.
167 235 Server Date Char(6) The date the event was logged on the network server.
173 241 Server Time Zoned(6,0) The time the event was logged on the network server.
179 247 Computer Name Char(8) The name of the computer requesting the resource.
187 255 User Char(10) The name of the user requesting the resource.
197 265 Operation Type Char(1) The type of operation being performed:
  A Resource attributes modified
  C Instance of the resource created
  D Resource deleted
  P Resource permissions modified
  R Data read or run from a resource
  W Data written to resource
  X Resource was run
198 266 Return Code Char(4) The return code received if resource access is granted.
202 270 Server Message Char(4) The message code sent when access is granted.
206 274 File ID Char(5) The ID of the file being accessed.
211 279 Resource Name Char(260) Name of the resource being used.
Table 205. VS (Server Session) Journal Entries. QASYVSJE/J4 Field Description File
JE Offset J4 Offset Field Format Description
157 225 Server Name Char(10) The name of the network server description that registered the event.
167 235 Server Date Char(6) The date the event was logged on the network server.
173 241 Server Time Zoned(6,0) The time the event was logged on the network server.
179 247 Computer Name Char(8) The name of the computer requesting the session.
187 255 User Char(10) The name of the user requesting the session.
197 265 User Privilege Char(1) The privilege level of the user for session start:
  A Administrator
  G Guest
  U User
198 266 Reason Code Char(1) The reason code for ending the session:
  A Administrator disconnect
  D Automatic disconnect (timeout), share removed, or administrative permissions lacking
  E Error, session disconnect, or incorrect password
  N Normal disconnection or user name limit
  R Account restriction
Table 206. VU (Network Profile Change) Journal Entries. QASYVUJE/J4 Field Description File
JE Offset J4 Offset Field Format Description
157 225 Server Name Char(10) The name of the network server description that registered the event.
167 235 Server Date Char(6) The date the event was logged on the network server.
173 241 Server Time Zoned(6,0) The time the event was logged on the network server.
179 247 Computer Name Char(8) The name of the computer requesting the user profile change.
187 255 User Char(10) The name of the user requesting the user profile change.
197 265 Action Char(1) Action requested:
  A Addition
  C Change
  D Deletion
  P Incorrect password
Table 207. VV (Service Status Change) Journal Entries. QASYVVJE/J4 Field Description File
JE Offset J4 Offset Field Format Description
157 225 Server Name Char(10) The name of the network server description that registered the event.
167 235 Server Date Char(6) The date the event was logged on the network server.
173 241 Server Time Zoned(6,0) The time the event was logged on the network server.
179 247 Computer Name Char(8) The name of the computer requesting the change.
187 255 User Char(10) The name of the user requesting the change.
197 265 Status Char(1) Status of the service request:
  A Service active
  B Start service pending
  C Continue paused service
  E Stop pending for service
  H Service pausing
  I Service paused
  S Service stopped
198 266 Service Code Char(8) The code of the service requested.
206 274 Text Set Char(80) The text being set by the service request.
286 354 Return Value Char(4) The return value from the change operation.
290 358 Service Char(20) The service that was changed.
Table 208. X0 (Network Authentication) Journal Entries. QASYX0JE/J4 Field Description File
JE Offset J4 Offset Field Format Description
2672 GSS Server Principal CCSID Binary(5) Server principal (from GSS credential) CCSID
2676 GSS Server Principal Length Binary(4) Server principal (from GSS credential) length
2678 GSS Server Principal Indicator Char(1) Server principal (from GSS credential) indicator:
  Y server principal complete
  N server principal not complete
  X not provided
2679 GSS Server Principal Char(512) Server principal from GSS credential
3191 GSS Local Principal CCSID Binary(5) GSS local principal name CCSID
3195 GSS Local Principal Length Binary(4) GSS local principal name length
3197 GSS Local Principal Indicator Char(1) GSS local principal name indicator:
  Y local principal complete
  N local principal not complete
  X not provided
3198 GSS Local Principal Char(512) GSS local principal
3710 GSS Remote Principal CCSID Binary(5) GSS remote principal name CCSID
3714 GSS Remote Principal Length Binary(4) GSS remote principal name length
3716 GSS Remote Principal Indicator Char(1) GSS remote principal name indicator:
  Y remote principal complete
  N remote principal not complete
  X not provided
3717 GSS Remote Principal Char(512) GSS remote principal
Table 209. YC (Change to DLO Object) Journal Entries. QASYYCJE/J4 Field Description File
JE Offset J4 Offset Field Format Description
Table 210. YR (Read of DLO Object) Journal Entries. QASYYRJE/J4 Field Description File
JE Offset J4 Offset Field Format Description
Table 211. ZC (Change to Object) Journal Entries. QASYZCJE/J4 Field Description File
JE Offset J4 Offset Field Format Description
Table 212. ZM (SOM Method Access) Journal Entries. QASYZMJE/J4 Field Description File
JE Offset J4 Offset Field Format Description
Table 213. ZR (Read of Object) Journal Entries. QASYZRJE/J4 Field Description File
JE Offset J4 Offset Field Format Description
941 Absolute Path Name (5) Char(5002) The absolute path name of the object.
Notes:
1. See Table 214 for a list of the codes for access types.
2. These fields are used only for objects in the QOpenSys, "root" file systems, and user-defined file systems.
3. An ID that has the left-most bit set and the rest of the bits zero indicates that the ID is NOT set.
4. When the path name indicator (offset 924) is "N", this field will contain the relative file ID of the absolute path name. When the path name indicator is "Y", this field will contain 16 bytes of hex zeroes.
5. This is a variable length field. The first 2 bytes contain the length of the path name.
Table 214 lists the access codes used for object auditing journal entries in files
QASYYCJE, QASYYRJE, QASYZCJE, and QASYZRJE.
Table 214. Numeric Codes for Access Types
Code Access Type Code Access Type Code Access Type
Table 215 describes these menu options and the associated commands:
Table 215. Tool Commands for User Profiles
Menu Option (1) Command Name Description Database File Used
1 ANZDFTPWD Use the Analyze Default Passwords command to report on and take action on user profiles that have a password equal to the user profile name. QASECPWD (2)
2 DSPACTPRFL Use the Display Active Profile List command to display or print the list of user profiles that are exempt from ANZPRFACT processing. QASECIDL (2)
Notes:
1. Options are from the SECTOOLS menu.
2. This file is in the QUSRSYS library.
...
Job name . . . . . . . . . . . . *JOBD Name, *JOBD
Job description . . . . . . . . *USRPRF Name, *USRPRF
Library . . . . . . . . . . . Name, *LIBL, *CURLIB
Job queue . . . . . . . . . . . *JOBD Name, *JOBD
Library . . . . . . . . . . . Name, *LIBL, *CURLIB
Job priority (on JOBQ) . . . . . *JOBD 1-9, *JOBD
Output priority (on OUTQ) . . . *JOBD 1-9, *JOBD
Print device . . . . . . . . . . *CURRENT Name, *CURRENT, *USRPRF...
If you want to change the default options for the command, you can press F4
(Prompt) on the Command to run line.
To see the Schedule Batch Reports, page down on the SECBATCH menu. By using
the options on this part of the menu, you can, for example, set up your system to
run changed versions of reports regularly.
SECBATCH Submit or Schedule Security Reports To Batch
System:
Select one of the following:
You can page down for additional menu options. When you select an option from
this part of the menu, you see the Add Job Schedule Entry (ADDJOBSCDE)
display:
Add Job Schedule Entry (ADDJOBSCDE)
...
Frequency . . . . . . . . . . . *ONCE, *WEEKLY, *MONTHLY
Schedule date, or . . . . . . . *CURRENT Date, *CURRENT, *MONTHST
Schedule day . . . . . . . . . . *NONE *NONE, *ALL, *MON, *TUE.
+ for more values
Schedule time . . . . . . . . . *CURRENT Time, *CURRENT
When you run security reports, the system prints only information that meets both
the selection criteria that you specify and the selection criteria for the tool. For
example, job descriptions that specify a user profile name are security-relevant.
Therefore, the job description (PRTJOBDAUT) report prints job descriptions in the
specified library only if the public authority for the job description is not
*EXCLUDE and if the job description specifies a user profile name in the USER
parameter.
If a particular report prints less information than you expect, consult the online
help information to find out the selection criteria for the report.
Table 217. Commands for Security Reports
Menu Option (1) Command Name Description Database File Used
1, 40 PRTADPOBJ Use the Print Adopting Objects command to print a list of objects that adopt the authority of the specified user profile. You can specify a single profile, a generic profile name (such as all profiles that begin with Q), or all user profiles on the system. QSECADPOLD (2)
Notes:
1. Options are from the SECBATCH menu.
2. This file is in the QUSRSYS library.
3. xx is the two-character journal entry type. For example, the model output file for AE journal entries is QSYS/QASYAEJE. The model output files are described in Appendix F of this book.
4. The SECTOOLS menu contains options for the object types that are typically of concern to security administrators. For example, use options 11 or 50 to run the PRTPUBAUT command against *FILE objects. Use the general options (18 and 57) to specify the object type. Use options 12 and 51 to run the PRTPVTAUT command against *FILE objects. Use the general options (19 and 58) to specify the object type.
5. The xxxxxx in the name of the file is the object type. For example, the file for program objects is called QPBPGM for public authorities and QPVPGM for private authorities. The files are in the QUSRSYS library. The file contains a member for each library for which you have printed the report. The member name is the same as the library name.
Notes:
1. If you are currently running with a QSECURITY value of 30 or lower, be sure to review the information in Chapter 2 of this book before you change to a higher security level.
2. The restricted characters are stored in message ID CPXB302 in the message file QSYS/QCPFMSG. They are shipped as AEIOU@$#. You can use the Change Message Description (CHGMSGD) command to change the restricted characters.
The CFGSYSSEC command also sets the password to *NONE for the following
IBM-supplied user profiles:
The commands that are listed in Table 220 on page 582 and the APIs that are listed
in Table 221 on page 582 all perform functions on your system that may provide an
opportunity for mischief. As security administrator, you should explicitly authorize
users to run these commands and programs rather than make them available to all
system users.
When you run the RVKPUBAUT command, you specify the library that contains
the commands. The default is the QSYS library. If you have more than one national
On V3R7, when you run the RVKPUBAUT command, the system sets the public
authority for the root directory to *USE (unless it is already *USE or less).
IBM may have patents or pending patent applications covering subject matter
described in this document. The furnishing of this document does not give you
any license to these patents. You can send license inquiries, in writing, to:
IBM Director of Licensing
IBM Corporation
500 Columbus Avenue
Thornwood, NY 10594
U.S.A.
For license inquiries regarding double-byte (DBCS) information, contact the IBM
Intellectual Property Department in your country or send inquiries, in writing, to:
IBM World Trade Asia Corporation
Licensing
2-31 Roppongi 3-chome, Minato-ku
Tokyo 106-0032, Japan
The following paragraph does not apply to the United Kingdom or any other
country where such provisions are inconsistent with local law:
INTERNATIONAL BUSINESS MACHINES CORPORATION PROVIDES THIS
PUBLICATION “AS IS” WITHOUT WARRANTY OF ANY KIND, EITHER
EXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
WARRANTIES OF NON-INFRINGEMENT, MERCHANTABILITY OR FITNESS
FOR A PARTICULAR PURPOSE. Some states do not allow disclaimer of express or
implied warranties in certain transactions, therefore, this statement may not apply
to you.
Any references in this information to non-IBM Web sites are provided for
convenience only and do not in any manner serve as an endorsement of those Web
sites. The materials at those Web sites are not part of the materials for this IBM
product and use of those Web sites is at your own risk.
Licensees of this program who wish to have information about it for the purpose
of enabling: (i) the exchange of information between independently created
The licensed program described in this information and all licensed material
available for it are provided by IBM under terms of the IBM Customer Agreement,
IBM International Program License Agreement, or any equivalent agreement
between us.
All statements regarding IBM’s future direction or intent are subject to change or
withdrawal without notice, and represent goals and objectives only.
This information contains examples of data and reports used in daily business
operations. To illustrate them as completely as possible, the examples include the
names of individuals, companies, brands, and products. All of these names are
fictitious and any similarity to the names and addresses used by an actual business
enterprise is entirely coincidental.
COPYRIGHT LICENSE:
If you are viewing this information softcopy, the photographs and color
illustrations may not appear.
Microsoft, Windows, Windows NT, and the Windows 95 logo are registered
trademarks of Microsoft Corporation.
UNIX is a registered trademark in the United States and other countries licensed
exclusively through X/Open Company Limited.
Other company, product, and service names may be trademarks or service marks
of others.
Bibliography 589
features of this full-screen text editor. The book
contains examples to help both new and
experienced users accomplish various editing
tasks, from the simplest line commands to
using pre-defined prompts for high-level
languages and data formats.
• The DB2 Universal Database for iSeries topic in the Information Center provides an overview of
how to design, write, run, and test SQL/400* statements. It also describes interactive
Structured Query Language (SQL), and provides examples of how to write SQL statements in
COBOL, RPG, C, FORTRAN, and PL/I programs. See “Prerequisite and related information” on
page xvi for details.
• The DB2 Universal Database for iSeries topic in the Information Center provides information on
how to:
  – Build, maintain, and run SQL queries
  – Create reports ranging from simple to complex
  – Build, update, manage, query, and report on database tables using a forms-based interface
  – Define and prototype SQL queries and reports for inclusion in application programs
  See “Prerequisite and related information” on page xvi for details.
Index 593
ADDMFS (Add Mounted File System) ADDPGM (Add Program) command ADDSNILOC 355
command) command object authority required 400 ADDSOCE (Add Sphere of Control
object authority required 385 ADDPJE (Add Prestart Job Entry) Entry) command
ADDMSGD (Add Message Description) command object authority required 415
command object auditing 475 ADDSRVTBLE (Add Service Table Entry)
object auditing 465 object authority required 416 command
object authority required 381 ADDPRBACNE (Add Problem Action object authority required 422
ADDNETJOBE (Add Network Job Entry) Entry) command ADDSVRAUTE (Add Server
command object auditing 456 Authentication Entry) command
authorized IBM-supplied user object authority required 337, 399 object authority required 411
profiles 287 ADDPRBSLTE (Add Problem Selection ADDTAPCTG (Add Tape Cartridge)
object authority required 384 Entry) command command
ADDNETTBLE (Add Network Table object auditing 456 object authority required 379
Entry) command object authority required 337, 399 ADDTCPHTE (Add TCP/IP Host Table
object authority required 422 ADDPRDCRQA (Add Product Change Entry) command
ADDNODLE (Add Node List Entry) Request Activity) command object authority required 422
command authorized IBM-supplied user ADDTCPIFC (Add TCP/IP Interface)
object auditing 466 profiles 287 command
object authority required 388 object auditing 437 object authority required 422
object authority required 312 ADDTCPPORT (Add TCP/IP Port Entry)
ADDNWSSTGL (Add Network Server
ADDPRDLICI (Add Product License command
Storage Link) command
Information) command object authority required 422
object authority required 387
object auditing 472 ADDTCPRSI (Add TCP/IP Remote
ADDOBJCRQA (Add Object Change
ADDPTFCRQA (Add PTF Change System Information) command
Request Activity) command
Request Activity) command object authority required 422
authorized IBM-supplied user
authorized IBM-supplied user ADDTCPRTE (Add TCP/IP Route)
profiles 287
profiles 287 command 355
object auditing 437
object auditing 437 object authority required 422
object authority required 312
object authority required 312 ADDTRC (Add Trace) command
ADDOFCENR (Add Office Enrollment) ADDRDBDIRE (Add Relational Database
command object authority required 400
Directory Entry) command ADDWSE (Add Work Station Entry)
object auditing 447 object authority required 406
ADDOPTCTG (Add Optical Cartridge) command
ADDRJECMNE (Add RJE object auditing 475
command Communications Entry) command
authorized IBM-supplied user object authority required 416
object authority required 407
profiles 287 adopted
ADDRJERDRE (Add RJE Reader Entry)
object authority required 390 authority
command
ADDOPTSVR (Add Optical Server) displaying 135
object authority required 407
command adopted (*ADOPTED) authority 135
ADDRJEWTRE (Add RJE Writer Entry)
authorized IBM-supplied user command adopted authority
profiles 287 object authority required 407 *PGMADP (program adopt) audit
object authority required 390 level 244
ADDRMTJRN (Add Remote Journal)
ADDPCST (Add Physical File Constraint) AP (adopted authority) file
command
command layout 498
object auditing 459
object authority required 330 AP (adopted authority) journal entry
ADDRMTSVR (Add Remote Server)
ADDPEXDFN () command type 244
command
application design 205, 208, 209
authorized IBM-supplied user object authority required 387
profiles 287 Attention (ATTN) key 130
ADDRPYLE (Add Reply List Entry) audit journal (QAUDJRN) entry 244,
ADDPEXDFN (Add Performance command 498
Explorer Definition) command authorized IBM-supplied user auditing 239
object authority required 393 profiles 287 authority checking example 164, 167
ADDPFCST (Add Physical File object auditing 475 bound programs 131
Constraint) command object authority required 419 break-message-handling
object auditing 453 ADDRSCCRQA (Add Resource Change program 130
ADDPFM (Add Physical File Member) Request Activity) command changing
command authorized IBM-supplied user audit journal (QAUDJRN)
object auditing 453 profiles 287 entry 244
object authority required 330 object auditing 437 authority required 130
ADDPFTFG (Add Physical File Trigger) object authority required 312 job 130
command ADDRTGE (Add Routing Entry) creating program 130
object authority required 330 command debug functions 130
ADDPFTRG (Add Physical File Trigger) object auditing 475 definition 128
command object authority required 416 displaying
object auditing 453 ADDSCHIDXE (Add Search Index Entry) command description 274
ADDPFVLM (Add Physical File command critical files 211
Variable-Length Member) command object auditing 471, 476 programs that adopt a profile 131
object auditing 453 object authority required 356 USRPRF parameter 131
Index 595
application design (continued) audit (QAUDJRN) journal 431 audit (QAUDJRN) journal 431
ignoring adopted authority 208 (continued) (continued)
libraries 201 AF (authority failure) entry type 244 IP (interprocess communications)
library lists 202 (continued) entry type 244
menus 204 hardware protection violation 14 IR(IP rules actions) file layout 518
profiles 202 job description violation 14 IS (Internet security management) file
application program interface (API) program validation 18 layout 519
QSYGETPH (Get Profile Handle) 244 restricted instruction violation 18 JD (job description change) entry
QWTSETP (Set Profile) 244 unsupported interface 13 type 244
application programming interface (API) unsupported interface JD (job description change) file
security level 40 13 violation 18 layout 520
APPN directory (ND) file layout 528 AF (authority failure) file layout 494 JS (job change) entry type 244
APPN end point (NE) file layout 528 analyzing JS (job change) file layout 521
approval program, password 45, 46 with query 262 KF (key ring file) file layout 524
approving password 44 AP (adopted authority) entry LD (link, unlink, search directory) file
APYJRNCHG (Apply Journaled Changes) type 244 layout 526
command AP (adopted authority) file managing 258
authorized IBM-supplied user layout 498 methods for analyzing 261
profiles 287 auditing level (QAUDLVL) system ML (mail actions) entry type 244
object auditing 431, 459 value 51 ML (mail actions) file layout 527
object authority required 361 automatic cleanup 259 NA (network attribute change) entry
APYPTF (Apply Program Temporary Fix) CA (authority change) entry type 244 type 244
command CA (authority change) file layout 498 NA (network attribute change) file
authorized IBM-supplied user CD (command string) entry type 244 layout 527
profiles 287 CD (command string) file layout 501 ND (APPN directory) file layout 528
object authority required 411 changing receiver 260 NE (APPN end point) file layout 528
APYRMTPTF (Apply Remote Program CO (create object) entry type 123, O1 (optical access) file layout 534,
Temporary Fix) command 244 535
authorized IBM-supplied user CO (create object) file layout 501 O3 (optical access) file layout 536
profiles 287 CP (user profile change) entry OM (object management) entry
ASKQST (Ask Question) command type 244 type 244
object authority required 405 CP (user profile change) file OM (object management) file
assistance level layout 502 layout 529
advanced 55, 61 CQ (*CRQD change) file layout 504 OR (object restore) entry type 244
basic 55, 61 CQ (change *CRQD object) entry OR (object restore) file layout 531
definition 55 type 244 OW (ownership change) entry
example of changing 61 creating 257 type 244
intermediate 55, 61 CU(Cluster Operations file OW (ownership change) file
stored with user profile 61 layout 504 layout 533
user profile 61 CV(connection verification) file PA (program adopt) entry type 244
ASTLVL (assistance level) parameter layout 505 PA (program adopt) file layout 536
user profile 61 CY(cryptographic configuration) file PG (primary group change) entry
ATNPGM (Attention-key-handling layout 507 type 244
program) parameter damaged 258 PG (primary group change) file
user profile 84 detaching receiver 258, 260 layout 538
Attention (ATTN) key DI(directory services) file layout 508 PO (printed output) entry type 244
adopted authority 130 displaying entries 240, 261 PO (printer output) file layout 540
Attention (ATTN) key buffering 73 DO (delete operation) entry type 244 PS (profile swap) entry type 244
DO (delete operation) file layout 512 PS (profile swap) file layout 541
Attention-key-handling program
DS (DST password reset) entry PW (password) entry type 244
*ASSIST 84
type 244 PW (password) file layout 541
changing 84
DS (DST password reset) file RA (authority change for restored
initial program 84
layout 513 object) entry type 244
job initiation 176
error conditions 50 RA (authority change for restored
QATNPGM system value 84
EV (Environment variable) file object) file layout 542
QCMD command processor 84
layout 513 receiver storage threshold 258
QEZMAIN program 84
file layouts 489 RJ (restoring job description) entry
setting 84
force level 51 type 244
user profile 84
GR(generic record) file layout 514 RJ (restoring job description) file
audit (*AUDIT) special authority
GS (give descriptor) entry type 244 layout 543
functions allowed 69
GS (give descriptor) file layout 516 RO (ownership change for restored
risks 69
introduction 240 object) entry type 244
audit (QAUDJRN) journal 431 IP (change ownership) entry RO (ownership change for restored
AD (auditing change) entry type 244 type 244 object) file layout 544
AD (auditing change) file layout 492 IP (interprocess communication RP (restoring programs that adopt
AF (authority failure) entry type 244 actions) file layout 517 authority) entry type 244
default sign-on violation 14
description 244
Index 597
auditing 255, 256, 431 (continued) authority 148 (continued) authority 148 (continued)
planning *ALLOBJ (all object) special checking
overview 241 authority 66 batch job initiation 176
system values 254 *AUDIT (audit) special authority 69 flowcharts 148, 162
program failure 268 *AUTLMGT (authorization list interactive job initiation 175
programmer authorities 238 management) 112, 120, 297 sign-on process 175
QTEMP objects 255 *CHANGE (change) 114, 298 commonly used subsets 113
remote sign-on 240 *DLT (delete) 112, 297 copying
reply list 475 *EXCLUDE (exclude) 113 command description 273
save operations 233 *EXECUTE (execute) 112, 297 example 99
security officer 269 *IOSYSCFG (system configuration) recommendations 145
sensitive data special authority 69 renaming profile 104
authority 238 *JOBCTL (job control) special data
encrypting 240 authority 67 definition 112
setting up 256 *Mgt 112 definition 112
sign-on without user ID and *OBJALTER (object alter) 112, 297 deleting user 141
password 239 *OBJEXIST (object existence) 112, 297 detail, displaying (*EXPERT user
spooled files 479 *OBJMGT (object management) 112, option) 87, 88
starting 256 297 directory 5
steps to start 256 *OBJOPR (object operational) 112, displaying
stopping 50, 260 297 command description 272
system values 49, 236, 254 *OBJREF (object reference) 112, 297 displaying detail (*EXPERT user
unauthorized access 239 *R (read) 114, 298 option) 87, 88
unauthorized programs 240 *READ (read) 112, 297 displays 134
unsupported interfaces 240 *Ref (Reference) 112 field
user profile *RW (read, write) 114, 298 definition 112
*ALLOBJ (all object) special *RWX (read, write, execute) 114, 298 group
authority 238 *RX (read, execute) 114, 298 displaying 135
administration 238 *SAVSYS (save system) special example 162, 165
using authority 68 holding when deleting file 132
journals 265 *SECADM (security administrator) ignoring adopted 132
QHST (history) log 265 special authority 66 introduction 4, 220
QSYSMSG message queue 240 *SERVICE (service) special library 5
working on behalf 463 authority 68 Management authority
working with user 104 *SPLCTL (spool control) special *Mgt(*) 112
auditing change (AD) file layout 492 authority 67 multiple objects 142
auditing change (AD) journal entry *UPD (update) 112, 297 new object
type 244 *USE (use) 114, 298 CRTAUT (create authority)
auditing control (QAUDCTL) system *W (write) 114, 298 parameter 120, 137
value *WX (write, execute) 114, 298 example 124
overview 50 *X (execute) 114, 298 GRPAUT (group authority)
auditing end action (QAUDENDACN) adding users 141 parameter 78, 122
system value 50, 254 adopted GRPAUTTYP (group authority
auditing force level (QAUDFRCLVL) application design 205, 208, 209 type) parameter 78
system value 51, 254 audit journal (QAUDJRN) QCRTAUT (create authority)
entry 244, 498 system value 26
auditing level (QAUDLVL) system
auditing 268 QUSEADPAUT (use adopted
value 51
authority checking example 164, authority) system value 32
AUDLVL (audit level) parameter
167 object
*CMD (command string) value 244 displaying 135, 211 *ADD (add) 112, 297
user profile 91 ignoring 208 *DLT (delete) 112, 297
AUT (authority) parameter purpose 128 *EXECUTE (execute) 112, 297
creating libraries 137 assigning to new object 124 *OBJEXIST (object existence) 112,
creating objects 138 authorization for changing 139 297
specifying authorization list authorization list *OBJMGT (object
(*AUTL) 146 format on save media 225 management) 112, 297
user profile 90 management (*AUTLMGT) 112, *OBJOPR (object operational) 112,
AUTCHK (authority to check) 297 297
parameter 188 stored on save media 225 *READ (read) 112, 297
authentication storing 224 *Ref (Reference) 112
digital ID 93 changing *UPD (update) 112, 297
Authorities, Accumulating Special 217 audit journal (QAUDJRN) definition 112
authorities, field 116 entry 244 exclude (*EXCLUDE) 113
audit journal (QAUDJRN) file format on save media 225
Authorities, Special 217
layout 498 required by commands 297
authority 148
command description 272 stored on save media 225
*ADD (add) 112, 297 procedures 139 storing 224
*ALL (all) 114, 298
Index 599
automatic virtual-device configuration calling Change Authorization List Entry
(QAUTOVRT) system value program (CHGAUTLE) command (continued)
value set by CFGSYSSEC transferring adopted using 147
command 579 authority 129 Change Command (CHGCMD) command
availability 1 canceling ALWLMTUSR (allow limited user)
audit function 260 parameter 65
cartridge PRDLIB (product library)
B object authority required for
commands 379
parameter 185
security risks 185
backing up
CCSID (coded character set identifier) Change Command Default
security information 223
parameter (CHGCMDDFT) command 211
backup
user profile 86 Change Current Library (CHGCURLIB)
object authority required for
CD (command string) file layout 501 command
commands 389
CD (command string) journal entry restricting 186
backup media
type 244 Change Dedicated Service Tools
protecting 236
CFGDSTSRV (Configure Distribution Password (CHGDSTPWD)
basic (*BASIC) assistance level 55, 61
Services) command command 109, 272
basic service (QSRVBAS) user profile
authorized IBM-supplied user Change Directory Entry (CHGDIRE)
authority to console 179 profiles 287 command 275
default values 280 object authority required 324 Change Document Library Object
batch CFGIPS (Configure IP over SNA Auditing (CHGDLOAUD) command
restricting jobs 194 Interface) command *AUDIT (audit) special authority 69
batch job object authority required 308 description 274
*SPLCTL (spool control) special CFGRPDS (Configure VM/MVS Bridge) QAUDCTL (Auditing Control) system
authority 67 command value 50
priority 75 authorized IBM-supplied user Change Document Library Object
security when starting 175, 176 profiles 287 Authority (CHGDLOAUT)
BCHJOB (Batch Job) command object authority required 324 command 274
object authority required 357 CFGSYSSEC (Configure System Security) Change Document Library Object Owner
binding directory command (CHGDLOOWN) command 274
object authority required for authorized IBM-supplied user Change Document Library Object
commands 311 profiles 287 Primary (CHGDLOPGP) command
binding directory object auditing 435 description 277, 579 description 274
bound program object authority required 411 Change Expiration Schedule Entry
adopted authority 131 CFGTCP (Configure TCP/IP) command (CHGEXPSCDE) command
definition 131 object authority required 422 description 571
break (*BREAK) delivery mode CFGTCPAPP (Configure TCP/IP Change Job (CHGJOB) command
user profile 82 Applications) command adopted authority 130
break-message-handling program object authority required 422 Change Journal (CHGJRN)
adopted authority 130 CFGTCPLPD (Configure TCP/IP LPD) command 258, 260
command Change Library List (CHGLIBL)
BRM (QBRMS) user profile 280
object authority required 422 command 183
buffering
CFGTCPSMTP (Configure TCP/IP SMTP) Change Library Owner (CHGLIBOWN)
Attention key 73
command tool 219
keyboard 73
object authority required 422 Change Menu (CHGMNU) command
CFGTCPTELN (Change TCP/IP PRDLIB (product library)
TELNET) command parameter 185
C object authority required 422 security risks 185
C locale description (*CLD) auditing 437 change (*CHANGE) authority 114, 298 Change Network Attributes (CHGNETA)
C2 security change *CRQD object (CQ) journal entry command 190
description 5 type 244 Change Node Group Attributes (Change
CA (authority change) file layout 498 Change Accounting Code Node Group Attributes) command
CA (authority change) journal entry (CHGACGCDE) command 80 object auditing 466
type 244 Change Activation Schedule Entry Change Object Auditing (CHGOBJAUD)
calculating (CHGACTSCDE) command command
validation value description 571 *AUDIT (audit) special authority 69
Change Program (CHGPGM) Change Active Profile List description 272, 274
command 15 (CHGACTPRFL) command QAUDCTL (Auditing Control) system
CALL (Call Program) command description 571 value 50
object authority required 400 Change Auditing (CHGAUD) command Change Object Owner (CHGOBJOWN)
transferring adopted authority 129 description 272, 274 command 144, 272
call-level interface using 104 Change Object Primary Group
QSYGETPH (Get Profile Handle) 244 Change Authority (CHGAUT) (CHGOBJPGP) command 123, 145, 272
QWTSETP (Set Profile) 244 command 140, 272 change of subsystem routing entry (SE)
security level 40 13 Change Authorization List Entry file layout 549
Call Program (CALL) command (CHGAUTLE) command change of subsystem routing entry (SE)
transferring adopted authority 129 description 271 journal entry type 244
Index 601
changing (continued) CHGALRD (Change Alert Description) CHGCMDDFT (Change Command
system management command Default) command
audit journal (QAUDJRN) object auditing 434 object auditing 438
entry 244 object authority required 308 object authority required 313
system value CHGALRSLTE (Change Alert Selection using 211
audit journal (QAUDJRN) Entry) command CHGCMNE (Change Communications
entry 244 object auditing 456 Entry) command
user auditing 69, 273, 274 object authority required 337 object auditing 475
user authority CHGALRTBL (Change Alert Table) object authority required 416
authorization list 147 command CHGCNNL (Change Connection List)
user ID object auditing 434 command
DST (dedicated service tools) 107 object authority required 308 object auditing 439
user profile CHGATR (Change Attribute) command object authority required 316
audit journal (QAUDJRN) object auditing 442 CHGCNNLE (Change Connection List
entry 244 CHGAUD (Change Audit) command Entry) command
command descriptions 272, 273 object auditing 439
using 104
methods 99 object authority required 316
CHGAUD (Change Auditing) command
password composition system
description 272, 274 CHGCOMSNMP (Change Community
values 38 for SNMP) command
object auditing 443, 477, 481
setting password equal to profile
object authority required 339 object authority required 422
name 57
CHGAUT (Change Authority) CHGCOSD (Change Class-of-Service
changing access control list (VA) file
command 140 Description) command
layout 555
description 272 object auditing 439
chart format object authority required 313
object auditing 443, 477, 482
object authority required for object authority required 339 CHGCRQD (Change Change Request
commands 312 CHGAUTLE (Change Authorization List Description) command
chart format (*CHTFMT) auditing 436 Entry) command object auditing 437
Check Object Integrity (CHKOBJITG) description 271 object authority required 312
command object auditing 435 CHGCRSDMNK (Change Cross Domain
auditing use 240 object authority required 310 Key) command
description 268, 273, 575 using 147 authorized IBM-supplied user
Check Password (CHKPWD) CHGBCKUP (Change Backup Options) profiles 287
command 105, 272 command object authority required 318
checking 148 object authority required 389 CHGCSI (Change Communications Side
altered objects 268 CHGCCTSRV 355 Information) command
default passwords 571 CHGCDEFNT (Change Coded Font) object auditing 440
object integrity 575 object authority required for object authority required 314
auditing use 240 commands 307 CHGCSPPGM (Change CSP/AE
description 268, 273 CHGCFGL (Change Configuration List) Program) command
password 105, 272 command object auditing 471
checklist object auditing 436 CHGCTLAPPC (Change Controller
auditing security 235 object authority required 316 Description (APPC)) command
planning security 235 CHGCFGLE (Change Configuration List object authority required 316
CHGACGCDE (Change Accounting Entry) command CHGCTLASC (Change Controller
Code) command object auditing 436 Description (Async)) command
object authority required 357 object authority required 316 object authority required 316
relationship to user profile 80 CHGCLNUP (Change Cleanup) CHGCTLBSC (Change Controller
CHGACTPRFL (Change Active Profile command Description (BSC)) command
List) command object authority required 389 object authority required 316
description 571 CHGCLS (Change Class) command
CHGCTLFNC (Change Controller
object authority required 424 object auditing 438 Description (Finance)) command
CHGACTSCDE (Change Activation object authority required 313
object authority required 316
Schedule Entry) command CHGCMD (Change Command) command
CHGCTLHOST (Change Controller
description 571 ALWLMTUSR (allow limited user)
Description (SNA Host)) command
parameter 65
CHGACTSCDE (Change Activity object authority required 316
Schedule Entry) command object auditing 438
object authority required 313 CHGCTLLWS (Change Controller
object authority required 424 Description (Local Work Station))
PRDLIB (product library)
CHGAJE (Change Autostart Job Entry) parameter 185 command
command security risks 185 object authority required 316
object auditing 475 CHGCMDCRQA (Change Command CHGCTLNET (Change Controller
object authority required 416 Change Request Activity) command Description (Network)) command
CHGALRACNE (Change Alert Action authorized IBM-supplied user object authority required 316
Entry) command profiles 287 CHGCTLRTL (Change Controller
object auditing 456 object auditing 437 Description (Retail)) command
object authority required 337 object authority required 312 object authority required 316
Index 603
CHGGPHPKG (Change Graph Package) CHGLFM (Change Logical File Member) CHGMGRSRVA (Change Manager
command command Service Attributes) command
authorized IBM-supplied user object auditing 453 authorized IBM-supplied user
profiles 287 object authority required 330 profiles 287
object authority required 393 CHGLIB (Change Library) command CHGMNU (Change Menu) command
CHGGRPA (Change Group Attributes) object auditing 461 object auditing 463
command object authority required 371 object authority required 380
object authority required 357 CHGLIBL (Change Library List) PRDLIB (product library)
CHGHLLPTR (Change High-Level command parameter 185
Language Pointer) command object authority required 371 security risks 185
object authority required 400 using 183 CHGMOD (Change Module) command
CHGICFDEVE (Change Intersystem CHGLIBOWN (Change Library Owner) object auditing 464
Communications Function Program tool 219 object authority required 383
Device Entry) command
CHGLICINF (Change License CHGMODD (Change Mode Description)
object authority required 330 Information) command command
CHGICFF (Change Intersystem
authorized IBM-supplied user object auditing 464
Communications Function File) profiles 287 object authority required 383
command
object authority required 375 CHGMSGD (Change Message
object authority required 330
CHGLINASC (Change Line Description Description) command
CHGIPIADR 355
(Async)) command object auditing 465
CHGIPIIFC 355
object authority required 376 object authority required 381
CHGIPLA 356
CHGLINBSC (Change Line Description CHGMSGF (Change Message File)
CHGIPSIFC (Change IP over SNA
(BSC)) command command
Interface) command
object authority required 376 object auditing 465
object authority required 308
CHGLINETH (Change Line Description object authority required 382
CHGIPSLOC (Change IP over SNA
(Ethernet)) command CHGMSGQ (Change Message Queue)
Location Entry) command
object authority required 376 command
object authority required 308
CHGIPSTOS (Change IP over SNA Type CHGLINFAX (Change Line Description object auditing 465
of Service) command (FAX)) command object authority required 382
object authority required 308 object authority required 376 CHGMSTK (Change Master Key)
CHGIPXCCT 355 CHGLINFR (Change Line Description command
CHGIPXD 355 (Frame Relay Network)) command authorized IBM-supplied user
CHGJOB (Change Job) command object authority required 376 profiles 287
adopted authority 130 CHGLINIDD (Change Line Description object authority required 318
object auditing 458 (DDI Network)) command CHGMWSD (Change Network Server
object authority required 357 object authority required 376 Description) command
CHGJOBD (Change Job Description) CHGLINIDLC (Change Line Description object auditing 468
command (IDLC)) command CHGNETA (Change Network Attributes)
object auditing 458 object authority required 376 command
object authority required 359 CHGLINNET (Change Line Description authorized IBM-supplied user
CHGJOBQE (Change Job Queue Entry) (Network)) command profiles 287
command object authority required 376 object authority required 384
object auditing 458, 475 CHGLINSDLC (Change Line Description using 190
object authority required 416 (SDLC)) command CHGNETJOBE (Change Network Job
CHGJOBSCDE (Change Job Schedule object authority required 376 Entry) command
Entry) command CHGLINTDLC (Change Line Description authorized IBM-supplied user
object auditing 459 (TDLC)) command profiles 287
object authority required 361 object authority required 376 object authority required 384
CHGJOBTYP (Change Job Type) CHGNFSEXP (Change Network File
CHGLINTRN (Change Line Description
command System Export) command
(Token-Ring Network)) command
authorized IBM-supplied user
object authority required 376 authorized IBM-supplied user
profiles 287 profiles 287
CHGLINWLS (Change Line Description
object authority required 393
(Wireless)) command object authority required 385
CHGJRN (Change Journal) command
object authority required 376 CHGNTBD (Change NetBIOS
authorized IBM-supplied user
CHGLINX25 (Change Line Description Description) command
profiles 287
(X.25)) command object auditing 467
detaching receiver 258, 260
object auditing 460, 461 object authority required 376 object authority required 384
object authority required 361 CHGLPDA (Change LPD Attributes) CHGNWIFR (Change Network Interface
CHGLANADPI (Change LAN Adapter command Description (Frame Relay Network))
Information) command object authority required 422 command
object authority required 378 CHGMGDSYSA (Change Managed object authority required 386
CHGLF (Change Logical File) command System Attributes) command CHGNWIISDN (Change Network
object auditing 453 authorized IBM-supplied user Interface Description (ISDN)) command
object authority required 330 profiles 287 object authority required 386
Index 605
CHGRJERDRE (Change RJE Reader Entry) command
  object authority required 407
CHGRJEWTRE (Change RJE Writer Entry) command
  object authority required 407
CHGRMTJRN (Change Remote Journal) command
  object auditing 460
CHGRPYLE (Change Reply List Entry) command
  authorized IBM-supplied user profiles 287
  object auditing 475
  object authority required 419
CHGRSCCRQA (Change Resource Change Request Activity) command
  authorized IBM-supplied user profiles 287
  object auditing 437
  object authority required 312
CHGRTGE (Change Routing Entry) command
  object auditing 476
  object authority required 416
CHGS34LIBM (Change System/34 Library Members) command
  authorized IBM-supplied user profiles 287
  object authority required 382
CHGS36 (Change System/36) command
  object auditing 484
  object authority required 419
CHGS36A (Change System/36 Attributes) command
  object auditing 484
  object authority required 419
CHGS36PGMA (Change System/36 Program Attributes) command
  object auditing 471
  object authority required 419
CHGS36PRCA (Change System/36 Procedure Attributes) command
  object auditing 454
  object authority required 419
CHGS36SRCA (Change System/36 Source Attributes) command
  object authority required 419
CHGSAVF (Change Save File) command
  object auditing 453
  object authority required 330
CHGSBSD (Change Subsystem Description) command
  object auditing 476
  object authority required 416
CHGSCHIDX (Change Search Index) command
  object auditing 476
  object authority required 356
CHGSECA (Change Security Attributes) command
  description 276
  object authority required 411
CHGSECAUD (Change Security Audit) command
  object authority required 411
CHGSECAUD (Change Security Auditing) command
  security auditing function 255
CHGSECAUD (Change Security Auditing) command
  description 276, 573
CHGSHRPOOL (Change Shared Storage Pool) command
  object authority required 418
CHGSNILOC 355
CHGSNMPA (Change SNMP Attributes) command
  object authority required 422
CHGSPLFA (Change Spooled File Attributes) command
  action auditing 479
  DSPDTA parameter of output queue 187
  object auditing 468, 469
  object authority required 415
CHGSRCPF (Change Source Physical File) command
  object authority required 330
CHGSRVA (Change Service Attributes) command
  object authority required 411
CHGSRVPGM (Change Service Program) command
  object auditing 481
  object authority required 400
  specifying USEADPAUT parameter 132
CHGSSND (Change Session Description) command
  object authority required 407
CHGSSNMAX (Change Session Maximum) command
  object auditing 464
  object authority required 383
CHGSVRAUTE (Change Server Authentication Entry) command
  object authority required 411
CHGSYSDIRA (Change System Directory Attributes) command
  object auditing 445
  object authority required 323
CHGSYSJOB (Change System Job) command
  object authority required 357
CHGSYSLIBL (Change System Library List) command
  authorized IBM-supplied user profiles 287
  object authority required 371
  programming example 204
  using 183
CHGSYSVAL (Change System Value) command
  authorized IBM-supplied user profiles 287
  object authority required 419
CHGTAPCTG (Change Tape Cartridge) command
  object authority required 379
CHGTAPF (Change Tape File) command
  object auditing 454
  object authority required 330
CHGTCPA (Change TCP/IP Attributes) command
  object authority required 422
CHGTCPHTE (Change TCP/IP Host Table Entry) command
  object authority required 422
CHGTCPIFC (Change TCP/IP Interface) command
  object authority required 422
CHGTCPRTE (Change TCP/IP Route Entry) command 355
  object authority required 422
CHGTELNA (Change TELNET Attributes) command
  object authority required 422
CHGUSRAUD (Change User Audit) command
  *AUDIT (audit) special authority 69
  description 273, 274
  object authority required 424
  QAUDCTL (Auditing Control) system value 50
  using 104
CHGUSRPRF (Change User Profile) command
  description 272, 273
  object auditing 485
  object authority required 424
  password composition system values 38
  password equal to profile name 57
  using 99
CHGUSRTRC (Change User Trace) command
  object authority required 357
CHGVTMAP (Change VT100 Keyboard Map) command
  object authority required 422
CHGWSE (Change Work Station Entry) command
  object auditing 476
  object authority required 416
CHGWTR (Change Writer) command
  object authority required 428
CHKCMNTRC (Check Communications Trace) command
  authorized IBM-supplied user profiles 287
  object authority required 411
CHKDKT (Check Diskette) command
  object authority required 379
CHKDLO (Check Document Library Object) command
  object authority required 325
CHKDOC (Check Document) command
  object auditing 446
  object authority required 325
CHKIGCTBL (Check DBCS Font Table) command
  object auditing 457
CHKIN (Check In) command
  object auditing 477, 482
  object authority required 339
CHKOBJ (Check Object) command
  object auditing 433
  object authority required 301
command, CL (continued)
    QAUDCTL (Auditing Control) system value 50
  Change Document Library Object Authority (CHGDLOAUT) 274
  Change Document Library Object Owner (CHGDLOOWN) 274
  Change Document Library Object Primary (CHGDLOPGP) 274
  Change Job (CHGJOB)
    adopted authority 130
  Change Journal (CHGJRN) 258, 260
  Change Library List (CHGLIBL) 183
  Change Menu (CHGMNU)
    PRDLIB (product library) parameter 185
    security risks 185
  Change Network Attributes (CHGNETA) 190
  Change Object Auditing (CHGOBJAUD) 272
    *AUDIT (audit) special authority 69
    description 274
    QAUDCTL (Auditing Control) system value 50
  Change Object Owner (CHGOBJOWN) 144, 272
  Change Object Primary Group (CHGOBJPGP) 123, 145, 272
  Change Output Queue (CHGOUTQ) 187
  Change Password (CHGPWD)
    auditing 237
    description 272
    enforcing password system values 38
    setting password equal to profile name 57
  Change Profile (CHGPRF) 99, 273
  Change Program (CHGPGM)
    FRCCRT parameter 15
    specifying USEADPAUT parameter 132
  Change Security Attributes (CHGSECA) 276
  Change Security Auditing (CHGSECAUD)
    description 276
  Change Server Authentication Entry (CHGSVRAUTE) 275
  Change Service Program (CHGSRVPGM)
    specifying USEADPAUT parameter 132
  Change Spooled File Attributes (CHGSPLFA) 187
  Change System Library List (CHGSYSLIBL) 183, 204
  Change User Audit (CHGUSRAUD) 273
    *AUDIT (audit) special authority 69
    description 274
    QAUDCTL (Auditing Control) system value 50
    using 104
  Change User Profile (CHGUSRPRF) 273
    description 272
    password composition system values 38
    setting password equal to profile name 57
    using 99
  Check Object Integrity (CHKOBJITG)
    auditing use 240
    description 268, 273
  Check Password (CHKPWD) 105, 272
  CHGACGCDE (Change Accounting Code) 80
  CHGACTPRFL (Change Active Profile List)
    description 571
  CHGACTSCDE (Change Activation Schedule Entry)
    description 571
  CHGAUTLE (Change Authorization List Entry)
    description 271
    using 147
  CHGCMD (Change Command)
    ALWLMTUSR (allow limited user) parameter 65
    PRDLIB (product library) parameter 185
    security risks 185
  CHGCMDDFT (Change Command Default) 211
  CHGCURLIB (Change Current Library)
    restricting 186
  CHGDIRE (Change Directory Entry) 275
  CHGDLOAUD (Change Document Library Object Auditing) 274
    *AUDIT (audit) special authority 69
    QAUDCTL (Auditing Control) system value 50
  CHGDLOAUT (Change Document Library Object Authority) 274
  CHGDLOOWN (Change Document Library Object Owner) 274
  CHGDLOPGP (Change Document Library Object Primary) 274
  CHGDLOUAD (Change Document Library Object Auditing)
    description 274
  CHGDSTPWD (Change Dedicated Service Tools Password) 109, 272
  CHGEXPSCDE (Change Expiration Schedule Entry)
    description 571
  CHGJOB (Change Job)
    adopted authority 130
  CHGJRN (Change Journal) 258, 260
  CHGLIBL (Change Library List) 183
  CHGMNU (Change Menu)
    PRDLIB (product library) parameter 185
    security risks 185
  CHGNETA (Change Network Attributes) 190
  CHGOBJAUD (Change Object Auditing) 272
    *AUDIT (audit) special authority 69
    description 274
    QAUDCTL (Auditing Control) system value 50
  CHGOBJOWN (Change Object Owner) 144, 272
  CHGOBJPGP (Change Object Primary Group) 123, 145, 272
  CHGOUTQ (Change Output Queue) 187
  CHGPGM (Change Program)
    FRCCRT parameter 15
    specifying USEADPAUT parameter 132
  CHGPRF (Change Profile) 99, 273
  CHGPWD (Change Password)
    auditing 237
    description 272
    enforcing password system values 38
    setting password equal to profile name 57
  CHGSECA (Change Security Attributes) 276
  CHGSECAUD (Change Security Auditing)
    description 276, 573
  CHGSPLFA (Change Spooled File Attributes) 187
  CHGSRVPGM (Change Service Program)
    specifying USEADPAUT parameter 132
  CHGSVRAUTE (Change Server Authentication Entry) 275
  CHGSYSLIBL (Change System Library List) 183, 204
  CHGUSRAUD (Change User Audit) 273
    *AUDIT (audit) special authority 69
    description 274
    QAUDCTL (Auditing Control) system value 50
    using 104
  CHGUSRPRF (Change User Profile) 273
    description 272
    password composition system values 38
    setting password equal to profile name 57
    using 99
  CHKOBJITG (Check Object Integrity)
    auditing use 240
    description 268, 273, 575
  CHKPWD (Check Password) 105, 272
  Configure System Security (CFGSYSSEC)
    description 277
command, CL (continued)
  DSPSECAUD (Display Security Auditing Values)
    description 276
  DSPSPLF (Display Spooled File) 187
  DSPSRVPGM (Display Service Program)
    adopted authority 131
  DSPUSRPRF (Display User Profile)
    description 273
    using 102
    using output file 266
  Edit Authorization List (EDTAUTL) 146, 271
  Edit Document Library Object Authority (EDTDLOAUT) 274
  Edit Library List (EDTLIBL) 183
  Edit Object Authority (EDTOBJAUT) 139, 272
  EDTAUTL (Edit Authorization List) 146, 271
  EDTDLOAUT (Edit Document Library Object Authority) 274
  EDTLIBL (Edit Library List) 183
  EDTOBJAUT (Edit Object Authority) 139, 272
  End Job (ENDJOB)
    QINACTMSGQ system value 28
  ENDJOB (End Job)
    QINACTMSGQ system value 28
  Grant Object Authority (GRTOBJAUT) 272
    effect on previous authority 142
    multiple objects 142
  Grant User Authority (GRTUSRAUT)
    copying authority 99
    description 273
    recommendations 145
    renaming profile 104
  Grant User Permission (GRTUSRPMN) 274
  GRTOBJAUT (Grant Object Authority) 272
    effect on previous authority 142
    multiple objects 142
  GRTUSRAUT (Grant User Authority)
    copying authority 99
    description 273
    recommendations 145
    renaming profile 104
  GRTUSRPMN (Grant User Permission) 274
  keywords, displaying (*CLKWD user option) 87, 88
  object authority, table 272
  parameter names, displaying (*CLKWD user option) 87, 88
  passwords, table 272
  Print Communications Security Attributes (PRTCMNSEC)
    description 277
  Print Job Description Authority (PRTJOBDAUT) 276
  Print Private Authorities (PRTPVTAUT) 276
  Print Publicly Authorized Objects (PRTPUBAUT) 276
  Print Queue Authority (PRTQAUT)
    description 276
  Print Subsystem Description Authority (PRTSBSDAUT)
    description 276
  Print System Security Attributes (PRTSYSSECA)
    description 277
  Print Trigger Programs (PRTTRGPGM)
    description 276
  Print User Objects (PRTUSROBJ)
    description 276
  PRTADPOBJ (Print Adopting Objects)
    description 575
  PRTCMNSEC (Print Communications Security)
    description 277, 575
  PRTJOBDAUT (Print Job Description Authority) 276
    description 575
  PRTPUBAUT (Print Publicly Authorized Objects) 276
    description 575
  PRTPVTAUT (Print Private Authorities) 276
    authorization list 575
    description 577
  PRTQAUT (Print Queue Authority)
    description 276, 577
  PRTSBSDAUT (Print Subsystem Description)
    description 575
  PRTSBSDAUT (Print Subsystem Description Authority)
    description 276
  PRTSYSSECA (Print System Security Attributes)
    description 277, 575
  PRTTRGPGM (Print Trigger Programs)
    description 276, 575
  PRTUSROBJ (Print User Objects)
    description 276, 575
  PRTUSRPRF (Print User Profile)
    description 575
  RCLSTG (Reclaim Storage) 19, 25, 123, 232
  Reclaim Storage (RCLSTG) 19, 25, 123, 232
  Remove Authorization List Entry (RMVAUTLE) 147, 271
  Remove Directory Entry (RMVDIRE) 275
  Remove Document Library Object Authority (RMVDLOAUT) 274
  Remove Library List Entry (RMVLIBLE) 183
  Remove Server Authentication Entry (RMVSVRAUTE) 275
  Restore Authority (RSTAUT)
    audit journal (QAUDJRN) entry 244
    description 274
    procedure 229
    role in restoring security 223
    using 228
  Restore Document Library Object (RSTDLO) 223
  Restore Library (RSTLIB) 223
  Restore Licensed Program (RSTLICPGM)
    recommendations 230
    security risks 230
  Restore Object (RSTOBJ)
    ALWOBJDIF parameter 15
    using 223
  Restore User Profiles (RSTUSRPRF) 223, 274
    restricted to IBM-supplied user profiles 287
  Retrieve Authorization List Entry (RTVAUTLE) 271
  Retrieve User Profile (RTVUSRPRF) 105, 273
  Revoke Object Authority (RVKOBJAUT) 148, 272
  Revoke Public Authority (RVKPUBAUT)
    description 277
  Revoke User Permission (RVKUSRPMN) 274
  RMVAUTLE (Remove Authorization List Entry) 147, 271
  RMVDIRE (Remove Directory Entry) 275
  RMVDLOAUT (Remove Document Library Object Authority) 274
  RMVLIBLE (Remove Library List Entry) 183
  RMVSVRAUTE (Remove Server Authentication Entry) 275
  RSTAUT (Restore Authority)
    audit journal (QAUDJRN) entry 244
    description 274
    procedure 229
    role in restoring security 223
    using 228
  RSTDLO (Restore Document Library Object) 223
  RSTLIB (Restore Library) 223
  RSTLICPGM (Restore Licensed Program)
    recommendations 230
    security risks 230
  RSTOBJ (Restore Object)
    ALWOBJDIF parameter 15
    using 223
  RSTUSRPRF (Restore User Profiles) 223, 274
  RTVAUTLE (Retrieve Authorization List Entry) 271
  RTVUSRPRF (Retrieve User Profile) 105, 273
  RVKOBJAUT (Revoke Object Authority) 148, 272
  RVKPUBAUT (Revoke Public Authority)
    description 277, 579
configuration list
  object authority required for commands 316
configuration list object auditing 436
Configure System Security (CFGSYSSEC) command
  description 277, 579
connection
  ending
    audit journal (QAUDJRN) entry 244
  starting
    audit journal (QAUDJRN) entry 244
connection list
  object authority required for commands 316
connection list (*CNNL) auditing 439
connection start and end (VC) file layout 556
connection start or end (VC) journal entry type 244
connection verification (CV) file layout 505
console
  authority needed to sign on 179
  QCONSOLE system value 179
  QSECOFR (security officer) user profile 179
  QSRV (service) user profile 179
  QSRVBAS (basic service) user profile 179
  restricting access 236
contents
  security tools 276, 571
controller description
  object authority required for commands 316
  printing security-relevant parameters 575
controller description (*CTLD) auditing 440
controlling
  access
    Client Access 191
    DDM request (DDM) 192
    objects 13
    system programs 13
  auditing 50
  remote command
    job submission 190
    sign-on (QRMTSIGN system value) 31
  restore operations 193
  save operations 193
  user library list 203
Copy Spooled File (CPYSPLF) command 187
copy to database file
  general authority rules 299
Copy User display 98
copying
  spooled file 187
  user authority
    command description 273
    example 99
    recommendations 145
    renaming profile 104
  user profile 97
country identifier
  CNTRYID user profile parameter 86
  QCNTRYID system value 86
CP (user profile change) file layout 502
CP (user profile change) journal entry type 244
CPHDTA (Cipher Data) command
  authorized IBM-supplied user profiles 287
  object authority required 318
CPROBJ (Compress Object) command
  object auditing 433
  object authority required 301
CPY (Copy) command
  object auditing 443, 481, 482, 483, 484
  object authority required 339
CPY (Copy Object) command
  object auditing 442
CPYCFGL (Copy Configuration List) command
  object auditing 436
  object authority required 316
CPYCNARA (Copy Functional Area) command
  object authority required 393
CPYDOC (Copy Document) command
  object auditing 446, 447
  object authority required 325
CPYF (Copy File) command
  object auditing 452, 454
  object authority required 330
CPYFRMDIR (Copy from Directory) command
  object authority required 323
CPYFRMDKT (Copy from Diskette) command
  object authority required 330
CPYFRMIMPF (Copy from Import File) command
  object authority required 330
CPYFRMQRYF (Copy from Query File) command
  object authority required 330
CPYFRMSTMF (Copy from Stream File) command
  object authority required 330
CPYFRMTAP (Copy from Tape) command
  object authority required 330
CPYGPHFMT (Copy Graph Format) command
  object authority required 393
CPYGPHPKG (Copy Graph Package) command
  object authority required 393
CPYIGCSRT (Copy DBCS Sort Table) command
  object auditing 457
CPYIGCTBL (Copy DBCS Font Table) command
  object auditing 457
  object authority required 328
CPYLIB (Copy Library) command
  object authority required 371
CPYOPT (Copy Optical) command
  object authority required 390
CPYPFRDTA (Copy Performance Data) command
  object authority required 393
CPYPTF (Copy Program Temporary Fix) command
  authorized IBM-supplied user profiles 287
  object authority required 411
CPYSPLF (Copy Spooled File) command
  action auditing 479
  DSPDTA parameter of output queue 187
  object auditing 469
  object authority required 415
CPYSRCF (Copy Source File) command
  object authority required 330
CPYTODIR (Copy to Directory) command
  object authority required 323
CPYTODKT (Copy to Diskette) command
  object authority required 330
CPYTOIMPF (Copy to Import File) command
  object authority required 330
CPYTOSTMF (Copy to Stream File) command
  object authority required 330
CPYTOTAP (Copy to Tape) command
  object authority required 330
CQ (*CRQD change) file layout 504
CQ (change *CRQD object) journal entry type 244
CRC (cyclical redundancy check) 15
create (*CREATE) audit level 244
create authority (CRTAUT) parameter
  description 120
  displaying 138
  risks 121
create authority (QCRTAUT) system value
  description 26
  risk of changing 26
  using 121
Create Authority Holder (CRTAUTHLR) 132, 271, 275
Create Authorization List (CRTAUTL) command 146, 271
Create Command (CRTCMD) command
  ALWLMTUSR (allow limited user) parameter 65
  PRDLIB (product library) parameter 185
  security risks 185
Create Journal (CRTJRN) command 257
Create Journal Receiver (CRTJRNRCV) command 256
Create Library (CRTLIB) command 137
Create Menu (CRTMNU) command
  PRDLIB (product library) parameter 185
  security risks 185
create object (CO) file layout 501
CRTDEVDSP (Create Device Description (Display)) command
  object authority required 320
CRTDEVFNC (Create Device Description (Finance)) command
  object authority required 320
CRTDEVHOST (Create Device Description (SNA Host)) command
  object authority required 320
CRTDEVINTR (Create Device Description (Intrasystem)) command
  object authority required 320
CRTDEVNET (Create Device Description (Network)) command
  object authority required 320
CRTDEVPRT (Create Device Description (Printer)) command
  object authority required 320
CRTDEVRTL (Create Device Description (Retail)) command
  object authority required 320
CRTDEVSNPT (Create Device Description (SNPT)) command
  object authority required 320
CRTDEVSNUF (Create Device Description (SNUF)) command
  object authority required 320
CRTDEVTAP (Create Device Description (Tape)) command
  object authority required 320
CRTDIR (Create Directory) command
  object auditing 443
CRTDKTF (Create Diskette File) command
  object authority required 330
CRTDOC (Create Document) command
  object authority required 325
CRTDSPF (Create Display File) command
  object auditing 452
  object authority required 330
CRTDSTL (Create Distribution List) command
  object authority required 325
CRTDTAARA (Create Data Area) command
  object authority required 319
CRTDTADCT (Create a Data Dictionary) command
  object authority required 354
CRTDTAQ (Create Data Queue) command
  object authority required 320
CRTDUPOBJ (Create Duplicate Object) command
  object auditing 431
  object authority required 301
CRTEDTD (Create Edit Description) command
  object authority required 329
CRTFCNARA (Create Functional Area) command
  object authority required 393
CRTFCT (Create Forms Control Table) command
  object authority required 407
CRTFLR (Create Folder) command
  object auditing 447
  object authority required 325
CRTFNTRSC (Create Font Resources) command
  object authority required 307
CRTFNTTBL (Create Font Table)
  object authority required for commands 307
CRTFORMDF (Create Form Definition) command
  object authority required 307
CRTFTR (Create Filter) command
  object authority required 337
CRTGDF (Create Graphics Data File) command
  object auditing 436
CRTGPHPKG (Create Graph Package) command
  object authority required 393
CRTGSS (Create Graphics Symbol Set) command
  object authority required 339
CRTHSTDTA (Create Historical Data) command
  object authority required 393
CRTICFF (Create ICF File) command
  object auditing 452
CRTICFF (Create Intersystem Communications Function File) command
  object authority required 330
CRTIGCDCT (Create DBCS Conversion Dictionary) command
  object authority required 328
CRTIPXD 355
CRTJOBD (Create Job Description) command
  authorized IBM-supplied user profiles 287
  object authority required 359
CRTJOBQ (Create Job Queue) command
  object authority required 360
CRTJRN (Create Journal) command
  creating audit (QAUDJRN) journal 257
  object authority required 361
CRTJRNRCV (Create Journal Receiver) command
  creating audit (QAUDJRN) journal receiver 256
  object authority required 364
CRTLASREP (Create Local Abstract Syntax) command
  authorized IBM-supplied user profiles 287
CRTLF (Create Logical File) command
  object auditing 452, 485
  object authority required 330
CRTLIB (Create Library) command 137
  object authority required 371
CRTLINASC (Create Line Description (Async)) command
  object authority required 376
CRTLINBSC (Create Line Description (BSC)) command
  object authority required 376
CRTLINDDI (Create Line Description (DDI Network)) command
  object authority required 376
CRTLINETH (Create Line Description (Ethernet)) command
  object authority required 376
CRTLINFAX (Create Line Description (FAX)) command
  object authority required 376
CRTLINFR (Create Line Description (Frame Relay Network)) command
  object authority required 376
CRTLINIDLC (Create Line Description for IDLC) command
  object authority required 376
CRTLINNET (Create Line Description (Network)) command
  object authority required 376
CRTLINSDLC (Create Line Description (SDLC)) command
  object authority required 376
CRTLINTDLC (Create Line Description (TDLC)) command
  object authority required 376
CRTLINTRN (Create Line Description (Token-Ring Network)) command
  object authority required 376
CRTLINWLS (Create Line Description (Wireless)) command
  object authority required 376
CRTLINX25 (Create Line Description (X.25)) command
  object authority required 376
CRTLOCALE (Create Locale) command
  object authority required 378
CRTMNU (Create Menu) command
  object authority required 380
  PRDLIB (product library) parameter 185
  security risks 185
CRTMODD (Create Mode Description) command
  object authority required 383
CRTMSDF (Create Mixed Device File) command
  object auditing 452
CRTMSGF (Create Message File) command
  object authority required 382
CRTMSGFMNU (Create Message File Menu) command
  object authority required 419
CRTMSGQ (Create Message Queue) command
  object authority required 382
CRTNODL (Create Node List) command
  object authority required 388
CRTNTBD (Create NetBIOS Description) command
  object authority required 384
CRTNWIFR (Create Network Interface Description (Frame Relay Network)) command
  object authority required 386
CRTNWIISDN (Create Network Interface for ISDN) command
  object authority required 386
customizing
  security values 579
CV (connection verification) file layout 505
CVTBASSTR (Convert BASIC Stream Files) command
  authorized IBM-supplied user profiles 287
  object authority required 382
CVTBASUNF (Convert BASIC Unformatted Files) command
  authorized IBM-supplied user profiles 287
  object authority required 382
CVTBGUDTA (Convert BGU Data) command
  authorized IBM-supplied user profiles 287
  object authority required 382
CVTCLSRC (Convert CL Source) command
  object authority required 400
CVTEDU (Convert Education) command
  object authority required 389
CVTIPSIFC (Convert IP over SNA Interface) command
  object authority required 308
CVTIPSLOC (Convert IP over SNA Location Entry) command
  object authority required 308
CVTOPTBKU (Convert Optical Backup) command
  object authority required 390
CVTPFRDTA (Convert Performance Data) command
  object authority required 393
CVTPFRTHD (Convert Performance Thread Data) command
  object authority required 393
CVTRJEDTA (Convert RJE Data) command
  object authority required 407
CVTRPGSRC (Convert RPG Source) command
  object authority required 365
CVTS36CFG (Convert System/36 Configuration) command
  authorized IBM-supplied user profiles 287
  object authority required 382
CVTS36FCT (Convert System/36 Forms Control Table) command
  authorized IBM-supplied user profiles 287
  object authority required 382
CVTS36JOB (Convert System/36 Job) command
  authorized IBM-supplied user profiles 287
  object authority required 382
CVTS36QRY (Convert System/36 Query) command
  authorized IBM-supplied user profiles 287
  object authority required 382
CVTS38JOB (Convert System/38 Job) command
  authorized IBM-supplied user profiles 287
  object authority required 382
CVTSQLCPP (Convert SQL C++ Source) command
  object authority required 365
CVTTCPCL (Convert TCP/IP CL) command
  object authority required 422
CVTTCPCL (Convert TCP/IP Control Language) command
  authorized IBM-supplied user profiles 287
CVTTOFLR (Convert to Folder) command
  object auditing 447
CY (cryptographic configuration) file layout 507
cyclical redundancy check (CRC) 15

D

damaged audit journal 258
damaged authorization list
  recovering 231
data area
  object authority required for commands 319
data authority
  definition 112
data queue
  object authority required for commands 320
database share (QDBSHR) user profile 280
DCEADM (QDCEADM) user profile 280
DCPOBJ (Decompress Object) command
  object auditing 433
  object authority required 301
DDM (distributed data management)
  security 192
DDM request access (DDMACC) network attribute 192
DDMACC (DDM request access) network attribute 192
DDMACC (distributed data management access) network attribute 240
debug functions
  adopted authority 130
dedicated service tools (DST)
  auditing passwords 237
  changing password 109
  changing passwords 107
  changing user ID 107
  resetting password
    audit journal (QAUDJRN) entry 244
    command description 272
Dedicated Service Tools (DST) users 106
default 280
  *DFT delivery mode
    user profile 82
  job description (QDFTJOBD) 76
  object auditing 254
  owner (QDFTOWN) user profile
    audit journal (QAUDJRN) entry 244
    default values 280
    description 123
    restoring programs 230
  sign-on
    audit journal (QAUDJRN) entry 244
    security level 40 14
    subsystem description 181
  value
    IBM-supplied user profile 279
    user profile 279
delete (*DELETE) audit level 244
delete (*DLT) authority 112, 297
Delete Authority Holder (DLTAUTHLR) command 133, 271, 275
Delete Authorization List (DLTAUTL) command 148, 271
Delete Journal Receiver (DLTJRNRCV) command 260
delete operation (DO) file layout 512
delete operation (DO) journal entry type 244
Delete User Profile (DLTUSRPRF) command
  description 273
  example 99
  object ownership 122
Delete User Profile display 99
Delete Validation Lists (DLTVLDL) 220
deleting
  audit journal receiver 260
  authority for user 141
  authority holder 133, 271
  authorization list 148, 271
  object
    audit journal (QAUDJRN) entry 244
    object owner profile 122
  user profile
    command description 273
    directory entry 99
    distribution lists 99
    message queue 99
    owned objects 99
    primary group 99
    spooled files 101
    user’s authority 141
deleting object
  object auditing 432
delivery (DLVRY) parameter
  user profile 82
describing
  library security requirements 204
  menu security 209
description (TEXT) parameter
  user profile 65
descriptor
  giving
    audit journal (QAUDJRN) entry 244
designing
  libraries 201
  security 195
displaying (continued)
  all user profiles 102
  audit (QAUDJRN) journal entries 240, 261
  audit journal entries 276
  authority 134, 272
  authority holders 132
    command description 271
  authorization list
    document library objects (DLO) 274
    users 271
  authorization list objects 148, 271
  authorized users 266, 273
  CRTAUT (create authority) parameter 138
  document library object authority 274
  job description 239
  journal
    auditing file activity 212, 265
  object
    originator 123
  object auditing 254
  object authority 267, 272
  object description 272
  object domain 13
  path name 144
  program adopt 131
  program state 13
    Display Program (DSPPGM) command 13
  programs that adopt 131, 268
  QAUDCTL (audit control) system value 276, 573
  QAUDLVL (audit level) system value 276, 573
  security auditing 276, 573
  sign-on information
    DSPSGNINF user profile parameter 71
    QDSPSGNINF system value 26
    recommendations 72
  spooled file 187
  user profile
    activation schedule 571
    active profile list 571
    command description 273
    expiration schedule 571
    individual 102
    summary list 102
distributed data management access (DDMACC) network attribute 240
distributed systems node executive (QDSNX) user profile 280
distribution
  object authority required for commands 324
distribution directory
  changing
    audit journal (QAUDJRN) entry 244
distribution directory, system
  commands for working with 275
distribution list
  deleting user profile 99
  object authority required for commands 325
DLCOBJ (Deallocate Object) command
  object auditing 433
  object authority required 301
DLO (document library object) authority
  command descriptions 274
DLTALR (Delete Alert) command
  object authority required 308
DLTALRTBL (Delete Alert Table) command
  object authority required 308
DLTAPARDTA (Delete APAR Data) command
  authorized IBM-supplied user profiles 287
  object authority required 411
DLTAUTHLR (Delete Authority Holder) command
  description 271, 275
  object authority required 310
  using 133
DLTAUTL (Delete Authorization List) command
  description 271
  object authority required 310
  using 148
DLTBESTMDL (Delete Best/1-400 Model) command
  object authority required 393
DLTBESTMDL (Delete BEST/1 Model) command
  authorized IBM-supplied user profiles 287
DLTBNDDIR (Delete Binding Directory) command
  object authority required 311
DLTCFGL (Delete Configuration List) command
  object authority required 316
DLTCHTFMT (Delete Chart Format) command
  object authority required 312
DLTCLD (Delete C Locale Description) command
  object authority required 365
DLTCLS (Delete Class) command
  object authority required 313
DLTCMD (Delete Command) command
  object authority required 313
DLTCMNTRC (Delete Communications Trace) command
  authorized IBM-supplied user profiles 287
  object authority required 411
DLTCNNL (Delete Connection List) command
  object authority required 316
DLTCOSD (Delete Class-of-Service Description) command
  object authority required 313
DLTCRQD (Delete Change Request Description) command
  object authority required 312
DLTCSI (Delete Communications Side Information) command
  object authority required 314
DLTCTLD (Delete Controller Description) command
  object authority required 316
DLTDEVD (Delete Device Description) command
  object auditing 484
  object authority required 320
DLTDFUPGM (Delete DFU Program) command
  object authority required 400
DLTDKTLBL (Delete Diskette Label) command
  object authority required 379
DLTDLO (Delete Document Library Object) command
  object auditing 447
  object authority required 325
DLTDOCL (Delete Document List) command
  object auditing 448
  object authority required 325
DLTDST (Delete Distribution) command
  object auditing 448
  object authority required 324
DLTDSTL (Delete Distribution List) command
  object authority required 325
DLTDTAARA (Delete Data Area) command
  object authority required 319
DLTDTADCT (Delete Data Dictionary) command
  object authority required 354
DLTDTAQ (Delete Data Queue) command
  object authority required 320
DLTEDTD (Delete Edit Description) command
  object authority required 329
DLTEXDTA (Delete Performance Explorer Data) command
  authorized IBM-supplied user profiles 287
DLTF (Delete File) command
  object authority required 330
DLTFCNARA (Delete Functional Area) command
  object authority required 393
DLTFCT (Delete Forms Control Table) command
  object authority required 407
DLTFNTRSC (Delete Font Resources) command
  object authority required 307
DLTFNTTBL (Delete Font Table)
  object authority required for commands 307
DLTFORMDF (Delete Form Definition) command
  object authority required 307
DLTFTR (Delete Filter) command
  object authority required 337
Index 619
DLTWSCST (Delete Work Station Customizing Object) command
  object authority required 427
DLVRY (message queue delivery) parameter
  user profile 82
DLYJOB (Delay Job) command
  object authority required 357
DMPCLPGM (Dump CL Program) command
  object auditing 471
  object authority required 400
DMPDLO (Dump Document Library Object) command
  authorized IBM-supplied user profiles 287
  object auditing 446
  object authority required 325
DMPJOB (Dump Job) command
  authorized IBM-supplied user profiles 287
  object authority required 411
DMPJOBINT (Dump Job Internal) command
  authorized IBM-supplied user profiles 287
  object authority required 411
DMPOBJ (Dump Object) command
  authorized IBM-supplied user profiles 287
  object auditing 431
  object authority required 301
DMPSYSOBJ (Dump System Object) command
  authorized IBM-supplied user profiles 287
  object auditing 431
  object authority required 301
DMPTAP (Dump Tape) command
  object authority required 379
DMPTRC (Dump Trace) command
  authorized IBM-supplied user profiles 287
  object authority required 393
DMPUSRTRC (Dump User Trace) command
  object authority required 357
DO (delete operation) file layout 512
DO (delete operation) journal entry type 244
DOCPWD (document password) parameter
  user profile 80
document
  library object (DLO) 223
  object authority required for commands 325
  password
    changes when restoring profile 225
  password (DOCPWD user profile parameter) 80
  QDOC profile 280
  restoring 223
  saving 223
document library object
  object auditing 446
document library object (DLO)
  adding authority 274
  changing authority 274
  changing owner 274
  changing primary group 274
  commands 274
  displaying authority 274
  displaying authorization list 274
  editing authority 274
  object authority required for commands 325
  removing authority 274
document library object auditing
  changing
    command description 274
domain attribute, object
  description 13
  displaying 13
double-byte character set (DBCS)
  object authority required for commands 328
double-byte character set dictionary (*IGCDCT) object auditing 457
double-byte character set sort (*IGCSRT) object auditing 457
double-byte character set table (*IGCTBL) object auditing 457
DS (DST password reset) file layout 513
DS (DST password reset) journal entry type 244
DSCJOB (Disconnect Job) command
  object authority required 357
DSPACC (Display Access Code) command
  object auditing 449
  object authority required 388
DSPACCAUT (Display Access Code Authority) command
  object authority required 388
DSPACCGRP (Display Access Group) command
  object authority required 393
DSPACTPJ (Display Active Prestart Jobs) command
  object authority required 357
DSPACTPRFL (Display Active Profile List) command
  description 571
  object authority required 424
DSPACTSCD (Display Activation Schedule) command
  description 571
  object authority required 424
DSPAPPNINF (Display APPN* Information) command
  object authority required 384
DSPAUDJRNE (Display Audit Journal Entries) command
  authorized IBM-supplied user profiles 287
  description 276, 575
  object authority required 411
DSPAUDLOG (Display Audit Log) tool
  messages used 244
DSPAUT (Display Authority) command
  description 272
  object auditing 444, 478, 483
  object authority required 339
DSPAUTHLR (Display Authority Holder) command
  description 271
  object auditing 435
  object authority required 310
  using 132
DSPAUTL (Display Authorization List) command
  description 271
  object auditing 435
  object authority required 310
DSPAUTLDLO (Display Authorization List Document Library Objects) command
  description 274
  object auditing 435
  object authority required 310, 325
DSPAUTLOBJ (Display Authorization List Objects) command
  description 271
  object auditing 435
  object authority required 310
  using 148
DSPAUTUSR (Display Authorized Users) command
  auditing 266
  description 273
  example 102
  object authority required 424
DSPBCKSTS (Display Backup Status) command
  object authority required 389
DSPBCKUP (Display Backup Options) command
  object authority required 389
DSPBCKUPL (Display Backup List) command
  object authority required 389
DSPBKP (Display Breakpoints) command
  object authority required 400
DSPBNDDIR (Display Binding Directory) command
  object authority required 311
DSPBNDDIRE (Display Binding Directory) command
  object auditing 436
DSPCCTSRV 355
DSPCDEFNT (Display Coded Font)
  object authority required for commands 307
DSPCFGL (Display Configuration List) command
  object auditing 436
  object authority required 316
DSPCHT (Display Chart) command
  object auditing 436
  object authority required 312
DSPCLS (Display Class) command
  object auditing 438
  object authority required 313
DSPCMD (Display Command) command
  object auditing 438
  object authority required 313
DSPLNK
  object authority required 339
DSPLNK (Display Links) command
  object auditing 442, 477, 481, 483
DSPLOG (Display Log) command
  object auditing 465
  object authority required 382
DSPMFSINF (Display Mounted File System Information) command
  authorized IBM-supplied user profiles 287
  object authority required 385
DSPMGDSYSA (Display Managed System Attributes) command
  authorized IBM-supplied user profiles 287
DSPMNUA (Display Menu Attributes) command
  object auditing 463
  object authority required 380
DSPMOD (Display Module) command
  object auditing 464
  object authority required 383
DSPMODD (Display Mode Description) command
  object auditing 464
  object authority required 383
DSPMODSRC (Display Module Source) command
  object auditing 452
  object authority required 400
DSPMODSTS (Display Mode Status) command
  object auditing 442
  object authority required 383
DSPMSG (Display Messages) command
  object auditing 465
  object authority required 381
DSPMSGD (Display Message Descriptions) command
  object auditing 464
  object authority required 381
DSPNETA (Display Network Attributes) command
  object authority required 384
DSPNTBD (Display NetBIOS Description) command
  object auditing 467
  object authority required 384
DSPNWID (Display Network Interface Description) command
  object auditing 467
  object authority required 386
DSPNWSA (Display Network Server Attribute) command
  object authority required 387
DSPNWSALS (Display Network Server Alias) command
  object authority required 387
DSPNWSD (Display Network Server Description) command
  object auditing 468
  object authority required 388
DSPNWSSSN (Display Network Server Session) command
  object authority required 387
DSPNWSSTC (Display Network Server Statistics) command
  object authority required 387
DSPNWSSTG (Display Network Server Storage Space) command
  object authority required 387
DSPNWSUSR (Display Network Server User) command
  object authority required 387
DSPNWSUSRA (Display Network Server User Attribute) command
  object authority required 387
DSPOBJAUT (Display Object Authority) command
  description 272
  object auditing 433
  object authority required 301
  using 267
DSPOBJD (Display Object Description) command
  created by 123
  description 272
  object auditing 433
  object authority required 301
  using 254
  using output file 267
DSPOPT (Display Optical) command
  object authority required 390
DSPOPTLCK (Display Optical Lock) command
  object authority required 390
DSPOPTSVR (Display Optical Server) command
  object authority required 390
DSPPDGPRF (Display Print Descriptor Group Profile) command
  object authority required 398
DSPPFM (Display Physical File Member) command
  object auditing 452
  object authority required 330
DSPPFRDTA (Display Performance Data) command
  object authority required 393
DSPPFRGPH (Display Performance Graph) command
  object authority required 393
DSPPGM (Display Program) command
  adopted authority 131
  object auditing 471
  object authority required 400
  program state 13
DSPPGMADP (Display Programs That Adopt) command
  auditing 268
  description 274
  object auditing 486
  object authority required 424
  using 131, 211
DSPPGMREF (Display Program References) command
  object auditing 455
  object authority required 400
DSPPGMVAR (Display Program Variable) command
  object authority required 400
DSPPRB (Display Problem) command
  object authority required 399
DSPPTF (Display Program Temporary Fix) command
  authorized IBM-supplied user profiles 287
  object authority required 411
DSPPWRSCD (Display Power On/Off Schedule) command
  object authority required 389
DSPRCYAP (Display Recovery for Access Paths) command
  object auditing 434
  object authority required 306
DSPRDBDIRE (Display Relational Database Directory Entry) command
  object authority required 406
DSPRJECFG (Display RJE Configuration) command
  object authority required 407
DSPS36 (Display System/36) command
  object auditing 484
  object authority required 419
DSPSAVF (Display Save File) command
  object authority required 330
DSPSBSD (Display Subsystem Description) command
  object auditing 476
  object authority required 416
DSPSECA (Display Security Attributes) command
  description 276
  object authority required 411
DSPSECAUD (Display Security Auditing Values) command
  description 276, 573
  object authority required 411
DSPSFWRSC (Display Software Resources) command
  object authority required 406
DSPSGNINF (display sign-on information) parameter
  user profile 71
DSPSOCSTS (Display Sphere of Control Status) command
  object authority required 415
DSPSPLF (Display Spooled File) command
  action auditing 479
  DSPDTA parameter of output queue 187
  object auditing 469
  object authority required 415
DSPSRVA (Display Service Attributes) command
  object authority required 411
DSPSRVPGM (Display Service Program) command
  adopted authority 131
ENDCBLDBG (End COBOL Debug) command
  object authority required 365, 400
ENDCLNUP (End Cleanup) command
  object authority required 389
ENDCMNTRC (End Communications Trace) command
  object authority required 411
ENDCMTCTL (End Commitment Control) command
  object authority required 314
ENDCPYSCN (End Copy Screen) command
  object authority required 411
ENDCTLRCY (End Controller Recovery) command
  object auditing 441
  object authority required 316
ENDDBG (End Debug) command
  object authority required 400
ENDDBGSVR (End Debug Server) command
  authorized IBM-supplied user profiles 287
ENDDBMON (End Database Monitor) command
  object authority required 393
ENDDEVRCY (End Device Recovery) command
  object auditing 442
  object authority required 320
ENDDIRSHD (End Directory Shadowing) command
  object auditing 445
  object authority required 323
ENDDSKRGZ (End Disk Reorganization) command
  object authority required 323
ENDGRPJOB (End Group Job) command
  object authority required 357
ENDHOSTSVR (End Host Server) command
  object authority required 339
ENDIDXMON (End Index Monitor) command
  authorized IBM-supplied user profiles 287
  object authority required 388
ending
  audit function 260
  auditing 50
  connection
    audit journal (QAUDJRN) entry 244
  disconnected job 36
  inactive job 27
ENDIPIIFC
  object authority required 355
ENDIPSIFC (End IP over SNA Interface) command
  authorized IBM-supplied user profiles 287
  object authority required 308
ENDIPX
  object authority required 355
ENDIPXCCT
  object authority required 355
ENDJOB (End Job) command
  action auditing 480
  object authority required 357
  QINACTMSGQ system value 28
ENDJOBABN (End Job Abnormal) command
  authorized IBM-supplied user profiles 287
  object authority required 357
ENDJOBTRC (End Job Trace) command
  object authority required 393
ENDJRN (End Journal) command
  object auditing 432
  object authority required 339, 361
ENDJRNAP (End Journal Access Path) command
  object authority required 361
ENDJRNPF (End Journal Physical File Changes) command
  object authority required 361
ENDJRNxxx (End Journaling) command
  object auditing 460
ENDLINRCY (End Line Recovery) command
  object auditing 462
  object authority required 376
ENDMGDSYS (End Managed System) command
  authorized IBM-supplied user profiles 287
ENDMGRSRV (End Manager Services) command
  authorized IBM-supplied user profiles 287
ENDMOD (End Mode) command
  object auditing 464
  object authority required 383
ENDMSF (End Mail Server Framework) command
  authorized IBM-supplied user profiles 287
  object authority required 378
ENDNFSSVR (End Network File System Server) command
  authorized IBM-supplied user profiles 287
  object authority required 385
ENDNWIRCY (End Network Interface Recovery) command
  object auditing 467
ENDPASTHR (End Pass-Through) command
  object authority required 323
ENDPEX (End Performance Explorer) command
  authorized IBM-supplied user profiles 287
  object authority required 393
ENDPFRMON (End Performance Monitor) command
  object authority required 393
ENDPFRTRC (End Performance Trace) command
  authorized IBM-supplied user profiles 287
ENDPJ (End Prestart Jobs) command
  action auditing 480
  object authority required 357
ENDPRTEML (End Printer Emulation) command
  object authority required 322
ENDRDR (End Reader) command
  object authority required 405
ENDRJESSN (End RJE Session) command
  object authority required 407
ENDRQS (End Request) command
  object authority required 400
ENDS36 (End System/36) command
  object auditing 484
ENDSBS (End Subsystem) command
  object auditing 475
  object authority required 416
ENDSRVJOB (End Service Job) command
  authorized IBM-supplied user profiles 287
  object authority required 411
ENDSYS (End System) command
  object authority required 418
ENDSYSMGR (End System Manager) command
  authorized IBM-supplied user profiles 287
ENDTCP (End TCP/IP) command
  authorized IBM-supplied user profiles 287
  object authority required 422
ENDTCPCNN (End TCP/IP Connection) command
  authorized IBM-supplied user profiles 287
  object authority required 422
ENDTCPIFC (End TCP/IP Interface) command
  object authority required 422
ENDTCPPTP (End Point-to-Point TCP/IP) command
  object authority required 422
ENDTCPSRV (End TCP/IP Service) command
  object authority required 422
ENDTCPSVR (End TCP/IP Server) command
  authorized IBM-supplied user profiles 287
ENDTRC (End Trace) command
  object authority required 411
ENDWTR (End Writer) command
  object authority required 428
enhanced hardware storage protection
  audit journal (QAUDJRN) entry 244
  security level 40 14
enrolling
  users 95
ENTCBLDBG (Enter COBOL Debug) command
  object authority required 365, 400
EV (Environment variable) file layout 513
file layout (continued)
  read of DLO object (QASYYRJE) 566
  read of object (QASYZRJE) 568
  restore authority for user profile (QASYRUJE) 546
  restoring *CRQD object that adopts authority (QASYRQJE) 546
  restoring job description (QASYRJJE) 543
  restoring programs that adopt authority (QASYRPJE) 545
  server security user information actions (QASYSOJ4) 553
  server session (QASYVSJE) 560
  service status change (QASYVVJE) 561
  service tools action (QASYSTJE) 553
  SG (QASYSGJ4) 551, 552
  system management change (QASYSMJE) 552
  user profile change (QASYCPJE) 502
  validation list (QASYVOJ4) 558
file security
  SQL 214
file transfer
  securing 191
filter
  object authority required for commands 337
filter (*FTR) object auditing 455
finance
  object authority required for commands 338
finance (QFNC) user profile 280
flowchart
  authority checking 149, 162
  determining special environment 71
  device description authority 177
FNDSTRPDM (Find String Using PDM) command
  object authority required 309
folder
  security shared 192
font resource (*FNTRSC) object auditing 455
force level
  audit records 51
form definition (*FORMDF) object auditing 455
forms control table
  object authority required for commands 407
FRCCRT parameter
  Change Program (CHGPGM) command 15
FTP (File Transfer Protocol) command
  object authority required 422
full
  audit (QAUDJRN) journal receiver 258
full-screen help (*HLPFULL) user option 88

G
GENCAT (Merge Message Catalogue) command
  object authority required 330
GENCPHK (Generate Cipher Key) command
  authorized IBM-supplied user profiles 287
  object authority required 318
GENCRSDMNK (Generate Cross Domain Key) command
  authorized IBM-supplied user profiles 287
  object authority required 318
general rules for object authority 299
generic name
  example 143
generic record (GR) file layout 514
GENMAC (Generate Message Authentication Code) command
  authorized IBM-supplied user profiles 287
  object authority required 318
GENPIN (Generate Personal Identification Number) command
  authorized IBM-supplied user profiles 287
  object authority required 318
GENS36RPT (Generate System/36 Report) command
  authorized IBM-supplied user profiles 287
  object authority required 382
GENS38RPT (Generate System/38 Report) command
  authorized IBM-supplied user profiles 287
  object authority required 382
gid (group identification number)
  restoring 226
give descriptor (GS) file layout 516
give descriptor (GS) journal entry type 244
giving
  descriptor
    audit journal (QAUDJRN) entry 244
  socket
    audit journal (QAUDJRN) entry 244
GO (Go to Menu) command
  object authority required 380
GR (generic record) file layout 514
Grant Object Authority (GRTOBJAUT) command 140, 272
  effect on previous authority 142
  multiple objects 142
Grant User Authority (GRTUSRAUT) command
  copying authority 99
  description 273
  recommendations 145
  renaming profile 104
Grant User Permission (GRTUSRPMN) command 274
granting
  authority using referenced object 145
  object authority 272
    effect on previous authority 142
    multiple objects 142
  user authority
    command description 273
  user permission 274
graphic symbols set (*GSS) object auditing 456
graphical operations
  object authority required for commands 338
graphics symbol set
  object authority required for commands 339
group
  authority
    displaying 135
  primary
    introduction 4
group (*GROUP) authority 135
group authority
  adopted authority 129
  authority checking example 162, 165
  description 111
  GRPAUT user profile parameter 78, 122, 124
  GRPAUTTYP user profile parameter 78, 124
group authority type
  GRPAUTTYP user profile parameter 78
group identification number (gid)
  restoring 226
group job
  adopted authority 130
group profile
  auditing
    *ALLOBJ special authority 238
    membership 238
    password 237
  authorization list
    comparison 218
  comparison
    authorization list 218
  GRPPRF user profile parameter
    changes when restoring profile 225
    description 76
  introduction 4, 53
  multiple
    planning 217
  naming 56
  object ownership 122
  password 57
  planning 216
  primary 123
    planning 216
  resource security 4, 111
  supplemental
    SUPGRPPRF (supplemental groups) parameter 79
  user profile
    description 76
  user profile parameter
    changes when restoring profile 225
inactive (continued)
  user
    listing 267
inactive job
  message (CPI1126) 28
inactive job message queue (QINACTMSGQ) system value
  value set by CFGSYSSEC command 579
inactive job time-out interval (QINACTITV) system value
  value set by CFGSYSSEC command 579
incorrect password
  audit journal (QAUDJRN) entry 244
incorrect user ID
  audit journal (QAUDJRN) entry 244
information search index
  object authority required 356
initial library list
  current library 62
  job description (JOBD)
    user profile 76
  recommendations 186
  relationship to library list for job 183
  risks 186
initial menu
  *SIGNOFF 63
  changing 63
  preventing display 63
  recommendation 65
  user profile 63
initial menu (INLMNU) parameter
  user profile 63
initial program (INLPGM) parameter
  changing 62
  user profile 62
initial program load (IPL)
  *JOBCTL (job control) special authority 67
INLMNU (initial menu) parameter
  user profile 63
INLPGM (initial program) parameter
  changing 62
  user profile 62
INSPTF (Install Program Temporary Fix) command
  authorized IBM-supplied user profiles 287
  object authority required 411
INSRMTPRD (Install Remote Product) command
  authorized IBM-supplied user profiles 287
install licensed program (QLPINSTALL) user profile
  default values 280
  restoring 226
install licensed program automatic (QLPAUTO) user profile
  restoring 226
installing
  operating system 232
integrated file system
  object authority required for commands 339
integrity 1
  checking
    auditing use 240
    description 268, 273
interactive data definition
  object authority required for commands 354
interactive data definition utility (IDDU)
  object auditing 450
interactive job
  routing
    SPCENV (special environment) parameter 71
  security when starting 175
intermediate assistance level 55, 61
internal control block
  preventing modification 20
Internet security management (IS) file layout 519
Internet user
  validation lists 220
interprocess communication actions (IP) file layout 517
interprocess communications
  incorrect
    audit journal (QAUDJRN) entry 244
interprocess communications (IP) journal entry type 244
INZDKT (Initialize Diskette) command
  object authority required 379
INZDSTQ (Initialize Distribution Queue) command
  authorized IBM-supplied user profiles 287
  object authority required 324
INZOPT (Initialize Optical) command
  object authority required 390
INZPFM (Initialize Physical File Member) command
  object auditing 454
  object authority required 330
INZSYS (Initialize System) command
  authorized IBM-supplied user profiles 287
  object authority required 375
INZTAP (Initialize Tape) command
  object authority required 379
IP (change ownership) journal entry type 244
IP (interprocess communication actions) file layout 517
IP (interprocess communications) journal entry type 244
IP rules actions (IR) file layout 518
IPC object
  changing
    audit journal (QAUDJRN) entry 244
IPL (initial program load)
  *JOBCTL (job control) special authority 67
IR (IP rules actions) file layout 518
IS (Internet security management) file layout 519

J
JD (job description change) file layout 520
JD (job description change) journal entry type 244
JKL Toy Company
  diagram of applications 195
job
  *JOBCTL (job control) special authority 67
  automatic cancelation 36
  changing
    adopted authority 130
    audit journal (QAUDJRN) entry 244
  disconnected job interval (QDSCJOBITV) system value 36
  inactive
    time-out interval (QINACTITV) system value 27
  object authority required for commands 357
  restricting to batch 194
  scheduling 194
  security when starting 175
  verify object on restore (QVFYOBJRST) system value 36
job accounting
  user profile 80
job action (JOBACN) network attribute 190, 240
job change (*JOBDTA) audit level 244
job change (JS) file layout 521
job change (JS) journal entry type 244
job control (*JOBCTL) special authority
  functions allowed 67
  output queue parameters 188
  priority limit (PTYLMT) 75
  risks 67
job description
  audit journal (QAUDJRN) entry 244
  changing
    audit journal (QAUDJRN) entry 244
  communications entry 181
  default (QDFTJOBD) 76
  displaying 239
  monitoring 239
  object authority required for commands 359
  printing security-relevant parameters 575
  protecting 13
  protecting system resources 194
  QDFTJOBD (default) 76
  recommendations 76
  restoring
    audit journal (QAUDJRN) entry 244
  security issues 182
  security level 40 13
  USER parameter 181
  user profile 76
  workstation entry 181
job description (*JOBD) object auditing 457
library list
  adding entries 183, 186
  adopted authority 116
  changing 183
  current library
    description 183
    recommendations 185
    user profile 62
  definition 183
  editing 183
  job description (JOBD)
    user profile 76
  monitoring 239
  product library
    description 183
    recommendations 185
  recommendations 185
  removing entries 183
  security risks 183
  system portion
    changing 203
    description 183
    recommendations 185
  user portion
    controlling 203
    description 183
    recommendations 186
licensed program
  automatic install (QLPAUTO) user profile
    description 280
  install (QLPINSTALL) user profile
    default values 280
  object authority required for commands 375
  restoring
    recommendations 230
    security risks 230
licensed program automatic install (QLPAUTO) user profile
  restoring 226
licensed program install (QLPINSTALL) user profile
  restoring 226
limit capabilities (LMTCPB) parameter
  user profile 64
limit characters (QPWDLMTCHR) system value 42
limit repeated characters (QPWDLMTREP) system value 43
limit security officer (QLMTSECOFR) system value
  value set by CFGSYSSEC command 579
limiting
  capabilities 64
    changing Attention-key-handling program 84
    changing current library 62, 186
    changing initial menu 63
    changing initial program 62
    commands allowed 64
    functions allowed 65
    listing users 267
    LMTCPB user profile parameter 64
  command line use 64
  device sessions
    auditing 238
    LMTDEVSSN user profile parameter 73
    recommendations 73
  device sessions (QLMTDEVSSN) system value
    description 28
  disk usage (MAXSTG) 74
  security officer (QLMTSECOFR)
    changing security levels 11
  security officer (QLMTSECOFR) system value
    auditing 236
    authority to device descriptions 177
    description 29
    sign-on process 179
  sign-on
    attempts (QMAXSGNACN) system value 30
    attempts (QMAXSIGN) system value 29
    multiple devices 28
  sign-on attempts
    auditing 236, 240
  use of system resources
    priority limit (PTYLMT) parameter 75
line description
  object authority required for commands 376
line description (*LIND) auditing 462
link
  object authority required for commands 339
listing
  all libraries 267
  authority holders 132
  library contents 267
  selected user profiles 266
  system values 236
  user profile
    auditing 236
    individual 102
    summary list 102
Lists, Create Validation 220
Lists, Delete Validation 220
LMTDEVSSN (limit device sessions) parameter
  user profile 73
LNKDTADFN (Link Data Definition) command
  object auditing 450
  object authority required 354
local socket (*SOCKET) auditing 477
locale
  object authority required for commands 378
LOCALE (user options) parameter
  user profile 88
LODPTF (Load Program Temporary Fix) command
  authorized IBM-supplied user profiles 287
  object authority required 411
LODQSTDB (Load Question-and-Answer Database) command
  authorized IBM-supplied user profiles 287
  object authority required 405
logging off
  network
    audit journal (QAUDJRN) entry 244
logging on
  network
    audit journal (QAUDJRN) entry 244
logical file
  securing
    fields 212
    records 212
lost password
  DST (dedicated service tools) 109
  QSECOFR (security officer) 109
LPR (Line Printer Requester) command
  object authority required 422

M
mail
  handling
    audit journal (QAUDJRN) entry 244
mail actions (ML) file layout 527
mail actions (ML) journal entry type 244
mail server framework
  object authority required for commands 378
mail server framework (QMSF) user profile 280
mail services
  action auditing 462
management (*OBJMGT) authority
  object 112, 297
managing
  audit journal 258
maximum
  length of password (QPWDMAXLEN system value) 41
  sign-on attempts (QMAXSIGN) system value 236
    description 29
  size
    audit (QAUDJRN) journal receiver 258
  storage (MAXSTG) parameter
    authority holder 123
    group ownership of objects 122
    journal receiver 74
    restore operation 74
    user profile 74
maximum sign-on attempts (QMAXSIGN) system value
  value set by CFGSYSSEC command 579
maximum storage (MAXSTG) parameter
  authority holder
    transferred to QDFTOWN (default owner) 123
  group ownership of objects 122
MOVDOC (Move Document) command
  object auditing 448
  object authority required 325
moving
  object
    audit journal (QAUDJRN) entry 244
  spooled file 187
MOVOBJ (Move Object) command
  object auditing 432, 461
  object authority required 301
MRGDOC (Merge Document) command
  object auditing 446, 448
  object authority required 325
MRGFORMD (Merge Form Description) command
  object authority required 309
MRGMSGF (Merge Message File) command
  object auditing 464, 465
  object authority required 382
MSGQ (message queue) parameter
  user profile 81
multiple group
  example 169
  planning 217

N
NA (network attribute change) file layout 527
NA (network attribute change) journal entry type 244
naming
  audit journal receiver 256
  group profile 56
  user profile 56
national language version (NLV)
  command security 211
ND (APPN directory) file layout 528
NE (APPN end point) file layout 528
NetBIOS description
  object authority required for commands 384
NetBIOS description (*NTBD) auditing 467
NETSTAT (Network Status) command
  object authority required 422
network
  logging off
    audit journal (QAUDJRN) entry 244
  logging on
    audit journal (QAUDJRN) entry 244
  password
    audit journal (QAUDJRN) entry 244
network attribute
  *SECADM (security administrator) special authority 66
  changing
    audit journal (QAUDJRN) entry 244
    command 190
  client request access (PCSACC) 191
  command for setting 277, 579
  DDM request access (DDMACC) 192
  DDMACC (DDM request access) 192
  DDMACC (distributed data management access) 240
  distributed data management access (DDMACC) 240
  job action (JOBACN) 190, 240
  JOBACN (job action) 190, 240
  object authority required for commands 384
  PC Support (PCSACC) 240
  PCSACC (client request access) 191
  PCSACC (PC Support access) 240
  printing security-relevant 575
network attribute change (NA) file layout 527
network attribute change (NA) journal entry type 244
network attributes
  printing security-communications 277
  printing security-relevant 277
network interface (*NWID) auditing 467
network interface description
  object authority required for commands 386
network log on and off (VN) file layout 557
network log on or off (VN) journal entry type 244
network password error (VP) file layout 559
network password error (VP) journal entry type 244
network profile
  changing
    audit journal (QAUDJRN) entry 244
network profile change (VU) file layout 561
network profile change (VU) journal entry type 244
network resource access (VR) file layout 559
Network Server
  object authority required for commands 387
network server description
  object authority required for commands 388
network server description (*NWSD) auditing 467
network spooled file
  sending 187
new object
  authority
    CRTAUT (create authority) parameter 120, 137
    GRPAUT (group authority) parameter 78, 122
    GRPAUTTYP (group authority type) parameter 78
  authority (QCRTAUT system value) 26
  authority (QUSEADPAUT system value) 32
  authority example 124
  ownership example 124
NLV (national language version)
  command security 211
node group (*NODGRP) auditing 466
node list
  object authority required for commands 388
node list (*NODL) auditing 466
Notices 583
notification, message
  DLVRY (message queue delivery) parameter
    user profile 82
no status message (*NOSTSMSG) user option 88
notify (*NOTIFY) delivery mode
  user profile 82
number required in password 44
numeric character required in password 44
numeric password 57
numeric user ID 56

O
OBJAUD (object auditing) parameter
  user profile 91
object
  (*Mgt) authority 112
  (*Ref) authority 112
  add (*ADD) authority 112, 297
  altered
    checking 268
  assigning authority and ownership 124
  auditing
    changing 69
    default 254
  authority
    *ALL (all) 114, 298
    *CHANGE (change) 114, 298
    *USE (use) 114, 298
    changing 139
    commonly used subsets 113
    new 121
    new object 120
    storing 225
    system-defined subsets 113
    using referenced 145
  authority required for commands 301
  controlling access 13
  default owner (QDFTOWN) user profile 123
  delete (*DLT) authority 112, 297
  displaying
    originator 123
  domain attribute 13
  execute (*EXECUTE) authority 112, 297
  existence (*OBJEXIST) authority 112, 297
  failure of unsupported interface 13
  management (*OBJMGT) authority 112, 297
  non-IBM
    printing list 276
object auditing (continued)
  job description (*JOBD) object 457
  job queue (*JOBQ) object 458
  job scheduler (*JOBSCD) object 459
  journal (*JRN) object 459
  journal receiver (*JRNRCV) object 460
  library (*LIB) object 461
  line description (*LIND) object 462
  local socket (*SOCKET) object 477
  menu (*MENU) object 463
  message file (*MSGF) object 464
  message queue (*MSGQ) object 465
  mode description (*MODD) object 463
  module (*MODULE) object 464
  NetBIOS description (*NTBD) object 467
  network interface (*NWID) object 467
  network server description (*NWSD) object 467
  node group (*NODGRP) object 466
  node list (*NODL) object 466
  output queue (*OUTQ) object 468
  overlay (*OVL) object 469
  page definition (*PAGDFN) object 469
  page segment (*PAGSEG) object 470
  panel group (*PNLGRP) object 471
  planning 252
  print descriptor group (*PDG) object 470
  product availability (*PRDAVL) object 472
  product definition (*PRDDFN) object 472
  product load (*PRDLOD) object 472
  program (*PGM) object 470
  query definition (*QRYDFN)

object auditing (continued)
  user space (*USRSPC) object 486
  validation list (*VLDL) object 487
  workstation customizing object (*WSCST) object 487
object auditing (OBJAUD) parameter
  user profile 91
object authority
  *ALLOBJ (all object) special authority 66
  *SAVSYS (save system) special authority 68
  access code commands 388
  access path recovery 306
  Advanced Function Printing commands 307
  AF_INET sockets over SNA 308
  alert commands 308
  alert description commands 308
  alert table commands 308
  analyzing 267
  authority holder commands 310
  authorization list commands 310
  backup commands 389
  binding directory 311
  change request description commands 312
  changing
    audit journal (QAUDJRN) entry 244
    procedures 139
  chart format commands 312
  class commands 313
  class-of-service description commands 313
  cleanup commands 389
  commands 272
  commitment control commands 314
  common object commands 301

object authority (continued)
  emulation commands 322
  extended wireless LAN configuration commands 329
  file commands 330
  filter commands 337
  finance commands 338
  format on save media 225
  forms control table commands 407
  general rules for commands 299
  granting 272
    effect on previous authority 142
    multiple objects 142
  graphical operations 338
  graphics symbol set commands 339
  hardware commands 406
  host server 339
  information search index commands 356
  interactive data definition 354
  job commands 357
  job description commands 359
  job queue commands 360
  job schedule commands 361
  journal commands 361
  journal receiver commands 364
  language commands 365
  library commands 371
  licensed program commands 375
  line description commands 376
  locale commands 378
  mail server framework commands 378
  media commands 379
  menu commands 380
  message commands 381
  message description commands 381
  message file commands 382
  message queue commands 382
  migration commands 382
object 473 communications side information mode description commands 383
query manager form (*QMFORM) commands 314 netBIOS description commands 384
object 472 configuration commands 315 network attribute commands 384
query manager query (*QMQRY) configuration list commands 316 network interface description
object 473 connection list commands 316 commands 386
reference code table (*RCT) controller description commands 316 Network Server commands 387
object 474 cryptography commands 318 network server description
S/36 machine description (*S36) data area commands 319 commands 388
object 484 data queue commands 320 node list commands 388
search index (*SCHIDX) object 476 definition 112 online education commands 389
server storage space (*SVRSTG) detail, displaying (*EXPERT user Operational Assistant commands 389
object 481 option) 87, 88 optical commands 390
service program (*SRVPGM) device description commands 320 output file
object 480 directory commands 323 (OUTPUT(*OUTFILE)) 299
session description (*SSND) display station pass-through output queue commands 392
object 481 commands 323 package commands 393
spelling aid dictionary (*SPADCT) displaying 267, 272 panel group commands 380
object 479 displaying detail (*EXPERT user performance commands 393
SQL package (*SQLPCK) object 480 option) 87, 88 printer output commands 415
stream file (*STMF) object 481 distribution commands 324 printer writer commands 428
subsystem description (*SBSD) distribution list commands 325 problem commands 399
object 475 document commands 325 program commands 400
symbolic link (*SYMLNK) object 483 document library object (DLO) program temporary fix (PTF)
table (*TBL) object 485 commands 325 commands 411
user index (*USRIDX) object 485 double-byte character set programming development manager
user profile (*USRPRF) object 485 commands 328 (PDM) commands 309
user queue (*USRQ) object 486 edit description commands 329
editing 139, 272
ownership (continued) password (continued) password (continued)
methods 144 approval program minimum length (QPWDMINLEN
default (QDFTOWN) user profile 123 example 46 system value) 41
deleting QPWDVLDPGM system value 44 network
owner profile 99, 122 requirements 45 audit journal (QAUDJRN)
description 121 security risk 46 entry 244
device description 179 auditing position characters (QPWDPOSDIF)
flowchart 154 DST (dedicated service tools) 237 system value 44
group profile 122 user 237 possible values 58
introduction 4 changes when restoring profile 225 preventing
managing changing adjacent digits (QPWDLMTAJC
owner profile size 122 description 272 system value) 43
new object 124 DST (dedicated service tools) 272 repeated characters 43
object enforcing password system trivial 38, 237
managing 219 values 38 use of words 42
private authority 111 setting password equal to profile PWDEXP (set password to
OWNER user profile parameter name 57 expired) 58
description 77 checking 105, 272 QPGMR (programmer) user
printer output 187 checking for default 571 profile 581
restoring 223, 227 commands for working with 272 QSECOFR (security officer)
saving 223 communications 41 recovering 109
spooled file 187 document QSRV (service) user profile 581
working with 144 DOCPWD user profile QSRVBAS (basic service) user
workstation 179 parameter 80 profile 581
ownership, object DST (dedicated service tools) QSYSOPR (system operator) user
responsibilities 238 auditing 237 profile 581
ownership change (OW) file layout 533 changing 107 QUSER (user) user profile 581
ownership change (OW) journal entry recovering 109 recommendations 58, 59
type 244 encrypting 57 recovering
ownership change for restored object equal to user profile name 38, 57 DST (dedicated service tools) 109
(RO) file layout 544 expiration interval QSECOFR (security officer) 109
ownership change for restored object auditing 237 require numeric character
(RO) journal entry type 244 PWDEXPITV user profile (QPWDRQDDGT) system value
parameter 72 value set by CFGSYSSEC
P QPWDEXPITV system value 39
expiration interval (QPWDEXPITV)
command 579
require position difference
PA (program adopt) file layout 536 system value (QPWDPOSDIF) system value
PA (program adopt) journal entry value set by CFGSYSSEC value set by CFGSYSSEC
type 244 command 579 command 579
package expired (PWDEXP) parameter 58 required difference (QPWDRQDDIF)
object authority required for IBM-supplied user profile system value
commands 393 auditing 236 value set by CFGSYSSEC
PAGDOC (Paginate Document) command changing 106 command 579
object auditing 448 immediate expiration 39 requiring
object authority required 325 incorrect change (PWDEXPITV
page definition (*PAGDFN) auditing 469 audit journal (QAUDJRN) parameter) 72
page down key entry 244 change (QPWDEXPITV system
reversing (*ROLLKEY user length value) 39
option) 88 maximum (QPWDMAXLEN) complete change 44
page segment (*PAGSEG) auditing 470 system value 41 different (QPWDRQDDIF system
page up key minimum (QPWDMINLEN) value) 42
reversing (*ROLLKEY user system value 41 numeric character 44
option) 88 limit repeated characters resetting
panel group (QPWDLMTREP) system value DST (dedicated service tools) 109,
object authority required for value set by CFGSYSSEC 244
commands 380 command 579 QSECOFR (security officer) 109
panel group (*PNLGRP) auditing 471 lost 57 user 57
parameter maximum length (QPWDMAXLEN) restrict adjacent characters
validating 20 system value (QPWDLMTAJC) system value
partial (*PARTIAL) limit capabilities 65 value set by CFGSYSSEC value set by CFGSYSSEC
pass-through command 579 command 579
controlling sign-on 31 maximum length (QPWDMAXLEN restrict characters (QPWDLMTCHR)
target profile change system value) 41 system value
audit journal (QAUDJRN) minimum length (QPWDMINLEN) value set by CFGSYSSEC
entry 244 system value command 579
password value set by CFGSYSSEC
all-numeric 57 command 579
allowing users to change 237
Print Communications Security printing 88 (continued) profile (continued)
(PRTCMNSEC) command list of subsystem descriptions 276 group 237, 238 (continued)
description 277, 575 network attributes 277, 575 naming 56
print descriptor group (*PDG) notification (*PRTMSG user object ownership 122
auditing 470 option) 88 password 57
print device (DEV) parameter publicly authorized objects 577 planning 216
user profile 83 security 186 resource security 4
Print Job Description Authority security-relevant communications handle
(PRTJOBDAUT) command 276 settings 575 audit journal (QAUDJRN)
description 575 security-relevant job queue entry 244
Print Private Authorities (PRTPVTAUT) parameters 276, 577 IBM-supplied
command 276 security-relevant output queue auditing 236
authorization list 575 parameters 276, 577 authority profile
description 577 security-relevant subsystem (QAUTPROF) 280
Print Publicly Authorized Objects description values 575 automatic install (QLPAUTO) 280
(PRTPUBAUT) command 276 sending message (*PRTMSG user basic service (QSRVBAS) 280
description 577 option) 88 BRM user profile (QBRMS) 280
Print Queue Authority (PRTQAUT) system values 236, 277, 575 database share (QDBSHR) 280
command trigger programs 276, 575 default owner (QDFTOWN) 280
description 276, 577 printing message (*PRTMSG) user distributed systems node executive
Print Subsystem Description option 88 (QDSNX) 280
(PRTSBSDAUT) command priority 194 document (QDOC) 280
description 575 priority limit (PTYLMT) parameter finance (QFNC) 280
Print Subsystem Description Authority recommendations 75 IBM authority profile
(PRTSBSDAUT) command user profile 75 (QAUTPROF) 280
description 276 private authorities install licensed programs
Print System Security Attributes authority cache 173 (QLPINSTALL) 280
(PRTSYSSECA) command private authority mail server framework
description 277, 575 definition 111 (QMSF) 280
Print Trigger Programs (PRTTRGPGM) flowchart 153 network file system (QNFS) 280
command object ownership 111 programmer (QPGMR) 280
description 276, 575 planning applications 202 QAUTPROF (IBM authority
Print User Objects (PRTUSROBJ) restoring 223, 228 profile) 280
command saving 223 QBRMS (BRM user profile) 280
description 276, 575 privilege QDBSHR (database share) 280
Print User Profile (PRTUSRPRF) definition 111 QDFTOWN (default owner) 280
command problem QDOC (document) 280
description 575 object authority required for QDSNX (distributed systems node
printed output (*PRTDTA) audit commands 399 executive) 280
level 244 problem analysis QFNC (finance) 280
printer remote service attribute QGATE (VM/MVS bridge) 280
user profile 83 (QRMTSRVATR) system value 36 QLPAUTO (licensed program
virtual processor keylock 236 automatic install) 280
securing 192 processor password 110 QLPINSTALL (licensed program
printer output product availability (*PRDAVL) install) 280
*JOBCTL (job control) special auditing 472 QMSF (mail server
authority 67 product definition (*PRDDFN) framework) 280
*SPLCTL (spool control) special QNFSANON (network file
auditing 472
authority 67 system) 280
product library
object authority required for QPGMR (programmer) 280
library list 185
commands 415 QRJE (remote job entry) 280
description 183
owner 187 QSECOFR (security officer) 280
recommendations 185
securing 186, 187 QSNADS (Systems Network
product load (*PRDLOD) auditing 472
printer output (PO) file layout 540 Architecture distribution
profile
services) 280
printer output (PO) journal entry action auditing (AUDLVL) 91 QSPL (spool) 280
type 244 analyzing with query 266 QSPLJOB (spool job) 280
printer writer auditing QSRV (service) 280
object authority required for *ALLOBJ special authority 238 QSRVBAS (service basic) 280
commands 428 authority to use 238 QSYS (system) 280
printing 88 auditing membership 238 QSYSOPR (system operator) 280
adopted object information 575 auditing password 237 QTCP (TCP/IP) 280
audit journal (QAUDJRN) entry 244 AUDLVL (action auditing) 91 QTMPLPD (TCP/IP printing
audit journal entries 575 changing 273 support) 280
authority holder 276 default values table 279 QTSTRQS (test request) 280
authorization list information 575 group 237, 238 QUSER (workstation user) 280
communications 277 auditing 238 remote job entry (QRJE) 280
list of non-IBM objects 276, 575 introduction 4, 53
program (continued) PRTADPOBJ (Print Adopting Objects) PRTPEXRPT (Print Performance Explorer
validation value 15 command Report) command
service description 575 object authority required 393
adopted authority 131 PRTCMDUSG (Print Command Usage) PRTPOLRPT (Print Pool Report)
transferring command command
adopted authority 129 object auditing 438, 471 object authority required 393
translation 15 object authority required 400 PRTPRFINT (Print Profile Internals)
trigger PRTCMNSEC (Print Communication command
listing all 276 Security) command authorized IBM-supplied user
unauthorized 240 object authority required 316 profiles 287
working with user profiles 105 PRTCMNSEC (Print Communications PRTPUBAUT (Print Public Authorities)
program (*PGM) auditing 470 Security) command command
program adopt (PA) file layout 536 description 277, 575 object authority required 301
program adopt (PA) journal entry object authority required 320, 376 PRTPUBAUT (Print Publicly Authorized
type 244 PRTCMNSEC (Print Communications Objects) command
program adopt function 239 Security Report) command authorized IBM-supplied user
program-described file profiles 287
authorized IBM-supplied user
holding authority when deleted 132 description 276, 575
profiles 287
program failure PRTPVTAUT (Print Private Authorities)
PRTCMNTRC (Print Communications
command
auditing 268 Trace) command
authorization list 575
restoring programs authorized IBM-supplied user
audit journal (QAUDJRN) authorized IBM-supplied user
profiles 287
profiles 287
entry 244 object authority required 411
description 276, 577
program failure (*PGMFAIL) audit PRTCPTRPT (Print Component Report) object authority required 301
level 244 command
PRTQAUT (Print Queue Authorities)
program state object authority required 393 command
definition 13 PRTCSPAPP (Print CSP/AE Application) object authority required 360, 392
displaying 13 command PRTQAUT (Print Queue Authority)
program temporary fix (PTF) object auditing 471 command
object authority required for PRTDEVADR (Print Device Addresses) authorized IBM-supplied user
commands 411 command profiles 287
program validation object auditing 441 description 276, 577
definition 15 object authority required 315 PRTRSCRPT (Print Resource Report)
programmer PRTDOC (Print Document) command command
application object auditing 446 object authority required 393
planning security 218 PRTDSKINF (Print Disk Activity PRTSBSDAUT (Print Subsystem
auditing access to production Information) command Description) command
libraries 238 authorized IBM-supplied user description 575
system profiles 287 PRTSBSDAUT (Print Subsystem
planning security 219 object authority required 389 Description Authority) command
programmer (QPGMR) user profile PRTERRLOG (Print Error Log) command authorized IBM-supplied user
default values 280 profiles 287
authorized IBM-supplied user
device description owner 179 description 276
profiles 287
programming development manager object authority required 416
object authority required 411
(PDM) PRTSQLINF (Print SQL Information)
PRTINTDTA (Print Internal Data)
object authority for commands 309 command
command
programming language object auditing 471, 480, 481
authorized IBM-supplied user
object authority required for PRTSQLINF (Print Structured Query
profiles 287
commands 365 Language Information) command
object authority required 411
programs that adopt object authority required 393
PRTIPSCFG (Print IP over SNA
PRTSYSRPT (Print System Report)
displaying 268 Configuration) command
command
protecting object authority required 308 object authority required 393
backup media 236 PRTJOBDAUT (Print Job Description PRTSYSSECA (Print System Security
protection Authority) command Attribute) command
enhanced hardware storage 14 authorized IBM-supplied user object authority required 411
PRTACTRPT (Print Activity Report) profiles 287 PRTSYSSECA (Print System Security
command description 276, 575 Attribute Report) command
object authority required 393 object authority required 359 authorized IBM-supplied user
PRTADPOBJ (Print Adopted Object) PRTJOBRPT (Print Job Report) command profiles 287
command object authority required 393 PRTSYSSECA (Print System Security
object authority required 424 PRTJOBTRC (Print Job Trace) command Attributes) command
PRTADPOBJ (Print Adopting Object) object authority required 393 description 277, 575
command PRTLCKRPT (Print Lock Report) PRTTNSRPT (Print Transaction Report)
authorized IBM-supplied user command command
profiles 287 object authority required 393 object authority required 393
QASYYRJE (read of DLO object) file QAUDJRN (audit) journal 244, 431 QAUDJRN (audit) journal 244, 431
layout 566 (continued) (continued)
QASYZCJE (change to object) file DO (delete operation) entry type 244 RA (authority change for restored
layout 566 DO (delete operation) file layout 512 object) entry type 244
QASYZMJE (change to object) file DS (DST password reset) entry RA (authority change for restored
layout 567 type 244 object) file layout 542
QASYZRJE (read of object) file DS (DST password reset) file receiver storage threshold 258
layout 568 layout 513 RJ (restoring job description) entry
QATNPGM (Attention-key-handling error conditions 50 type 244
program) system value 84 EV (Environment variable) file RJ (restoring job description) file
QAUDCTL (audit control) system value layout 513 layout 543
changing 276, 573 file layouts 489, 569 RO (ownership change for restored
displaying 276, 573 force level 51 object) entry type 244
QAUDCTL (auditing control) system GR(generic record) file layout 514 RO (ownership change for restored
value GS (give descriptor) file layout 516 object) file layout 544
overview 50 introduction 240 RP (restoring programs that adopt
IP (Interprocess Communication authority) entry type 244
QAUDENDACN (auditing end action)
actions) file layout 517 RP (restoring programs that adopt
system value 50, 254
IP (interprocess communications) authority) file layout 545
QAUDFRCLVL (auditing force level)
entry type 244 RQ (restoring *CRQD object) entry
system value 51, 254
IR(IP rules actions) file layout 518 type 244
QAUDJRN (audit) journal 244, 431
IS (Internet security management) file RQ (restoring *CRQD object that
AD (auditing change) entry type 244 layout 519 adopts authority) file layout 546
AD (auditing change) file layout 492 JD (job description change) entry RU (restore authority for user profile)
AF (authority failure) entry type 244 type 244 entry type 244
default sign-on violation 14 JD (job description change) file RU (restore authority for user profile)
description 244 layout 520 file layout 546
hardware protection violation 14 JS (job change) entry type 244 RZ (primary group change for
job description violation 14 JS (job change) file layout 521 restored object) entry type 244
program validation 18 KF (key ring file) file layout 524 RZ (primary group change for
restricted instruction 18 LD (link, unlink, search directory) file restored object) file layout 547
unsupported interface 13, 18 layout 526 SD (change system distribution
AF (authority failure) file layout 494 managing 258 directory) entry type 244
analyzing methods for analyzing 261 SD (change system distribution
with query 262 ML (mail actions) entry type 244 directory) file layout 548
AP (adopted authority) entry ML (mail actions) file layout 527 SE (change of subsystem routing
type 244 NA (network attribute change) entry entry) entry type 244
AP (adopted authority) file type 244 SE (change of subsystem routing
layout 498 NA (network attribute change) file entry) file layout 549
auditing level (QAUDLVL) system layout 527 SF (action to spooled file) file
value 51 ND (APPN directory) file layout 528 layout 549
automatic cleanup 259 NE (APPN end point) file layout 528 SF (change to spooled file) entry
CA (authority change) entry type 244 O1 (optical access) file layout 534, type 244
CA (authority change) file layout 498 535 SG file layout 551, 552
CD (command string) entry type 244 O3 (optical access) file layout 536 SM (system management change)
CD (command string) file layout 501 OM (object management) entry entry type 244
changing receiver 260 type 244 SM (system management change) file
CO (create object) entry type 123, OM (object management) file layout 552
244 layout 529 SO (server security user information
CO (create object) file layout 501 OR (object restore) entry type 244 actions) file layout 553
CP (user profile change) entry OR (object restore) file layout 531 ST (service tools action) entry
type 244 OW (ownership change) entry type 244
CP (user profile change) file type 244 ST (service tools action) file
layout 502 OW (ownership change) file layout 553
CQ (*CRQD change) file layout 504 layout 533 standard heading fields 489
CQ (change *CRQD object) entry PA (program adopt) entry type 244 stopping 260
type 244 PA (program adopt) file layout 536 SV (action to system value) entry
creating 257 PG (primary group change) entry type 244
CU(Cluster Operations) file type 244 SV (action to system value) file
layout 504 PG (primary group change) file layout 555
CV(connection verification) file layout 538 system entries 258
layout 505 PO (printer output) entry type 244 VA (access control list change) entry
CY(cryptographic configuration) file PO (printer output) file layout 540 type 244
layout 507 PS (profile swap) entry type 244 VA (changing access control list) file
damaged 258 PS (profile swap) file layout 541 layout 555
detaching receiver 258, 260 PW (password) entry type 244 VC (connection start and end) file
DI(directory services) file layout 508 PW (password) file layout 541 layout 556
displaying entries 240, 261
QMAXSIGN (maximum sign-on QPWDRQDDGT (password require QSECURITY (security level) system
attempts) system value (continued) numeric character) system value value (continued)
description 29 value set by CFGSYSSEC level 30 11
user profile status 59 command 579 level 40 11
value set by CFGSYSSEC QPWDRQDDGT (required password level 50 19
command 579 digits) system value 44 message handling 20
QMSF (mail server framework) user QPWDRQDDIF (duplicate password) validating parameters 20
profile 280 system value 42 overview 7
QPGMR (programmer) user profile QPWDRQDDIF (password required recommendations 9
default values 280 difference) system value special authority 9
device description owner 179 value set by CFGSYSSEC user class 9
password set by CFGSYSSEC command 579 value set by CFGSYSSEC
command 581 QPWDVLDPGM (password validation command 579
program) system value 44 QSH (Start QSH) command
QPRTDEV (print device) system
value 83 value set by CFGSYSSEC alias for STRQSH 404
command 579 QSHRMEMCTL (share memory control)
QPWDEXPITV (password expiration
QRCL (reclaim storage) library system value
interval) system value
setting QALWUSRDMN (allow user description 32
auditing 237
objects) system value 25 possible values 32
description 39
QRCLAUTL (reclaim storage) QSNADS (Systems Network Architecture
PWDEXPITV user profile authorization list 232
parameter 72 distribution services) user profile 280
QRETSVRSEC (retain server security) QSPCENV (special environment) system
value set by CFGSYSSEC system value 30
command 579 value 70
QRETSVRSEC (retain server security) QSPL (spool) user profile 280
QPWDLMTAJC (password limit adjacent) value 30
system value 43 QSPLJOB (spool job) user profile 280
QRJE (remote job entry) user profile 280
QPWDLMTAJC (password restrict QSPRJOBQ (Retrieve job queue
QRMTSIGN (allow remote sign-on)
adjacent characters) system value information) API
system value
object auditing 458
value set by CFGSYSSEC value set by CFGSYSSEC
command 579 QSRTSEQ (sort sequence) system
command 579
value 85
QPWDLMTCHR (limit characters) system QRMTSIGN (remote sign-on) system
value 42 QSRV (service) user profile
value 31, 240
authority to console 179
QPWDLMTCHR (password restrict QRMTSRVATR (remote service attribute)
default values 280
characters) system value system value 2, 36
password set by CFGSYSSEC
value set by CFGSYSSEC QRYDOCLIB (Query Document Library)
command 581
command 579 command
QSRVBAS (basic service) user profile
QPWDLMTCHR command 58 object auditing 448
authority to console 179
QPWDLMTREP (limit repeated object authority required 325
default values 280
characters) system value 43 QRYDST (Query Distribution) command
password set by CFGSYSSEC
QPWDLVL object authority required 324 command 581
case sensitive passwords 44, 57 QRYPRBSTS (Query Problem Status) QSYS (system) library
Password levels (maximum command
authorization lists 120
length) 41 object authority required 399
QSYS (system) user profile
Password levels (minimum QSECOFR (security officer) user profile
default values 280
length) 41 authority to console 179 restoring 226
Password levels (QPWDLVL) 41, 42 default values 280
QSYSLIBL (system library list) system
QPWDLVL (case sensitive) device description owner 179
value 183
case sensitive passwords disabled status 59
QSYSMSG message queue
QPWDLVL case sensitive 43 enabling 59
auditing 240, 264
Password levels (case sensitive) 43 restoring 226
QMAXSGNACN (action when
QPWDLVL (current or pending value) QSECURITY (security level) system value
attempts reached) system value 30
and program name 44 auditing 236
QMAXSIGN (maximum sign-on
QPWDMAXLEN (password maximum automatic user profile creation 53
attempts) system value 29
length) system value 41 changing, 20 from higher level 10
QSYSOPR (system operator) message
changing, level 10 to level 20 10
value set by CFGSYSSEC queue
changing, level 20 to 30 11
command 579 restricting 183
changing, to level 40 17
QPWDMINLEN (password minimum QSYSOPR (system operator) user
changing, to level 50 20
length) system value 41 profile 280
comparison of levels 7
value set by CFGSYSSEC disabling level 40 18 password set by CFGSYSSEC
command 579 disabling level 50 21 command 581
QPWDPOSDIF (password require enforcing QLMTSECOFR system QTCP (TCP/IP) user profile 280
position difference) system value value 179 QTEMP (temporary) library
value set by CFGSYSSEC internal control blocks 20 security level 50 19
command 579 introduction 2 QTMPLPD (TCP/IP printing support)
QPWDPOSDIF (position characters) level 10 9 user profile 280
system value 44 level 20 10 QTSTRQS (test request) user profile 280
Remove Authorization List Entry resource security (continued) restoring (continued)
(RMVAUTLE) command 147, 271 introduction 4 job description
Remove Directory Entry (RMVDIRE) limit access audit journal (QAUDJRN)
command 275 introduction 220 entry 244
Remove Document Library Object restore library 223
Authority (RMVDLOAUT) security risks 192 licensed program
command 274 recommendations 230
Restore Authority (RSTAUT) command
Remove Library List Entry (RMVLIBLE) security risks 230
command 183 audit journal (QAUDJRN) entry 244 maximum storage (MAXSTG) 74
description 274
Remove User display 100 object
removing procedure 229 audit journal (QAUDJRN)
role in restoring security 223
authority for user 141 entry 244
using 228
authorization list commands 223
object 148 restore authority for user profile (RU) file ownership 223, 227
user authority 147, 271 layout 546 security issues 226
directory entry 275 restore authority for user profile (RU) operating system 232
document library object journal entry type 244 ownership change
authority 274 Restore Document Library Object audit journal (QAUDJRN)
employees who no longer need (RSTDLO) command 223 entry 244
access 238 Restore Library (RSTLIB) command 223 primary group 223, 227
library list entry 183 Restore Licensed Program (RSTLICPGM) private authority 223, 228
security level 40 18 command program failure
security level 50 21 audit journal (QAUDJRN)
recommendations 230
server authentication entry 275 entry 244
security risks 230
user authority program validation 15
authorization list 147 Restore Object (RSTOBJ) command programs 229
object 141 ALWOBJDIF parameter 15 public authority 223, 227
user profile using 223 QDFTOWN (default) owner
automatically 571 restore operation audit journal (QAUDJRN)
directory entry 99 maximum storage (MAXSTG) 74 entry 244
distribution lists 99 storage needed 74 restricting 193
message queue 99 Restore User Profiles (RSTUSRPRF) security information 223
owned objects 99 command 223, 274 storage needed 74
primary group 99 uid (user identification number) 226
restoring
renaming user profile
object *ALLOBJ (all object) special authority audit journal (QAUDJRN)
audit journal (QAUDJRN) all object (*ALLOBJ) special entry 244
entry 244 authority 226 command description 274
user profile 103 *CRQD object procedures 223, 225
repeated characters (QPWDLMTREP) audit journal (QAUDJRN) restoring *CRQD (RQ) file layout 547
system value 43 entry 244
restoring *CRQD object (RQ) journal
*CRQD object that adopts authority
repeating passwords 42 entry type 244
(RQ) file layout 546
reply list restoring job description (RJ) file
adopted authority
action auditing 475 layout 543
changes to ownership and
object authority required for restoring job description (RJ) journal
authority 230
commands 419 entry type 244
allow object differences (ALWOBJDIF)
required password digits parameter 227 restoring programs that adopt authority
(QPWDRQDDGT) system value 44 (RP) file layout 545
ALWOBJDIF (allow object differences)
resetting parameter 227 restoring programs that adopt authority
DST (dedicated service tools) authority (RP) journal entry type 244
password audit journal (QAUDJRN) restricted instruction
audit journal (QAUDJRN) entry 244 audit journal (QAUDJRN) entry 244
entry 244 command description 274 restricting
procedure 109 description of process 229 access
QSECOFR (security officer) overview of commands 223 console 236
password 109 procedure 228 workstations 236
RESMGRNAM (Resolve Duplicate and authority changed by system adjacent digits in passwords
Incorrect Office Object Names) audit journal (QAUDJRN) (QPWDLMTAJC system value) 43
command entry 244 capabilities 64
authorized IBM-supplied user authority holder 223 characters in passwords 42
profiles 287 authorization list command line use 64
object authority required 382 association with object 227 commands (ALWLMTUSR) 64
resource description of process 231 consecutive digits in passwords
object authority required for overview of commands 223 (QPWDLMTAJC system value) 43
commands 406 document library object (DLO) 223 messages 20
resource security gid (group identification QSYSOPR (system operator) message
definition 111 number) 226 queue 183
RMVDSTLE (Remove Distribution List Entry) command
  object authority required 325
RMVDSTQ (Remove Distribution Queue) command
  authorized IBM-supplied user profiles 287
  object authority required 324
RMVDSTRTE (Remove Distribution Route) command
  authorized IBM-supplied user profiles 287
  object authority required 324
RMVDSTSYSN (Remove Distribution Secondary System Name) command
  authorized IBM-supplied user profiles 287
  object authority required 324
RMVEMLCFGE (Remove Emulation Configuration Entry) command
  object authority required 322
RMVENVVAR (Remove Environment Variable) command
  object authority required 329
RMVEWCBCDE (Remove Extended Wireless Controller Bar Code Entry) command
  object authority required 329
RMVEWCPTCE (Remove Extended Wireless Controller PTC Entry) command
  object authority required 329
RMVEXITPGM (Add Exit Program) command
  object auditing 452
RMVEXITPGM (Remove Exit Program) command
  authorized IBM-supplied user profiles 287
  object authority required 406
RMVFCTE (Remove Forms Control Table Entry) command
  object authority required 407
RMVFNTTBLE (Remove Font Table Entry)
  object authority required for commands 307
RMVFTRACNE (Remove Filter Action Entry) command
  object auditing 456
  object authority required 337
RMVFTRSLTE (Remove Filter Selection Entry) command
  object auditing 456
  object authority required 337
RMVICFDEVE (Remove Intersystem Communications Function Program Device Entry) command
  object authority required 330
RMVIPIADR 355
RMVIPIIFC 355
RMVIPIRTE 355
RMVIPSIFC (Remove IP over SNA Interface) command
  object authority required 308
RMVIPSLOC (Remove IP over SNA Location Entry) command
  object authority required 308
RMVIPSRTE (Remove IP over SNA Route) command
  object authority required 308
RMVIPXCCT 355
RMVJOBQE (Remove Job Queue Entry) command
  object auditing 458, 476
  object authority required 416
RMVJOBSCDE (Remove Job Schedule Entry) command
  object auditing 459
  object authority required 361
RMVJRNCHG (Remove Journaled Changes) command
  authorized IBM-supplied user profiles 287
  object auditing 432, 460
  object authority required 361
RMVLANADP (Remove LAN Adapter) command
  authorized IBM-supplied user profiles 287
RMVLANADPI (Remove LAN Adapter Information) command
  object authority required 378
RMVLANADPT (Remove LAN Adapter) command
  object authority required 378
RMVLIBLE (Remove Library List Entry) command
  using 183
RMVLICKEY (Remove License Key) command
  object authority required 375
RMVLNK (Remove Link) command
  object auditing 478, 482, 484
  object authority required 339
RMVM (Remove Member) command
  object auditing 454
  object authority required 330
RMVMFS (Remove Mounted File System)
  object authority required 426
RMVMFS (Remove Mounted File System) command
  authorized IBM-supplied user profiles 287
  object authority required 385
RMVMSG (Remove Message) command
  object auditing 466
  object authority required 381
RMVMSGD (Remove Message Description) command
  object auditing 465
  object authority required 381
RMVNETJOBE (Remove Network Job Entry) command
  authorized IBM-supplied user profiles 287
  object authority required 384
RMVNETTBLE (Remove Network Table Entry) command
  object authority required 422
RMVNODLE (Remove Node List Entry) command
  object auditing 466
  object authority required 388
RMVNWSSTGL (Remove Network Server Storage Link) command
  object authority required 387
RMVOPTCTG (Remove Optical Cartridge) command
  authorized IBM-supplied user profiles 287
  object authority required 390
RMVOPTSVR (Remove Optical Server) command
  authorized IBM-supplied user profiles 287
  object authority required 390
RMVPEXDFN (Remove Performance Explorer Definition) command
  authorized IBM-supplied user profiles 287
  object authority required 393
RMVPFCST (Remove Physical File Constraint) command
  object auditing 454
  object authority required 330
RMVPFTGR (Remove Physical File Trigger) command
  object auditing 454
RMVPFTRG (Remove Physical File Trigger) command
  object authority required 330
RMVPGM (Remove Program) command
  object authority required 400
RMVPJE (Remove Prestart Job Entry) command
  object auditing 476
  object authority required 416
RMVPTF (Remove Program Temporary Fix) command
  authorized IBM-supplied user profiles 287
  object authority required 411
RMVRDBDIRE (Remove Relational Database Directory Entry) command
  object authority required 406
RMVRJECMNE (Remove RJE Communications Entry) command
  object authority required 407
RMVRJERDRE (Remove RJE Reader Entry) command
  object authority required 407
RMVRJEWTRE (Remove RJE Writer Entry) command
  object authority required 407
RMVRMTJRN (Remove Remote Journal) command
  object auditing 460
RMVRMTPTF (Remove Remote Program Temporary Fix) command
  authorized IBM-supplied user profiles 287
RMVRPYLE (Remove Reply List Entry) command
  authorized IBM-supplied user profiles 287
  object auditing 475
RTVAUTLE (Retrieve Authorization List Entry) command
  description 271
  object auditing 435
  object authority required 310
RTVBCKUP (Retrieve Backup Options) command
  object authority required 389
RTVBNDSRC (Retrieve Binder Source) command
  object auditing 464
  object authority required 383
RTVCFGSRC (Retrieve Configuration Source) command
  object auditing 439, 440, 441, 442, 462, 467, 468
  object authority required 315
RTVCFGSTS (Retrieve Configuration Status) command
  object auditing 441, 442, 462, 467, 468
  object authority required 315
RTVCLDSRC (Retrieve C Locale Source) command
  object auditing 437
RTVCLNUP (Retrieve Cleanup) command
  object authority required 389
RTVCLSRC (Retrieve CL Source) command
  object auditing 470
  object authority required 400
RTVCURDIR (Retrieve Current Directory) command
  object auditing 443
  object authority required 339
RTVDLONAM (Retrieve Document Library Object Name) command
  object authority required 325
RTVDOC (Retrieve Document) command
  object auditing 447, 449
  object authority required 325
RTVDSKINF (Retrieve Disk Activity Information) command
  authorized IBM-supplied user profiles 287
  object authority required 389
RTVDTAARA (Retrieve Data Area) command
  object auditing 449
  object authority required 319
RTVGRPA (Retrieve Group Attributes) command
  object authority required 418
RTVJOBA (Retrieve Job Attributes) command
  object authority required 357
RTVJRNE (Retrieve Journal Entry) command
  object auditing 459
  object authority required 361
RTVLIBD (Retrieve Library Description) command
  object authority required 371
RTVMBRD (Retrieve Member Description) command
  object auditing 455
RTVMBRD (Retrieve Member Description) command (continued)
  object authority required 330
RTVMSG (Retrieve Message) command
  object auditing 464
RTVNETA (Retrieve Network Attributes) command
  object authority required 384
RTVOBJD (Retrieve Object Description) command
  object auditing 434
  object authority required 301
RTVPDGPRF (Retrieve Print Descriptor Group Profile) command
  object authority required 398
RTVPRD (Retrieve Product) command
  authorized IBM-supplied user profiles 287
RTVPTF (Retrieve PTF) command
  authorized IBM-supplied user profiles 287
RTVPWRSCDE (Retrieve Power On/Off Schedule Entry) command
  object authority required 389
RTVQMFORM (Retrieve Query Management Form) command
  object auditing 474
  object authority required 403
RTVQMQRY (Retrieve Query Management Query) command
  object auditing 473, 474
  object authority required 403
RTVS36A (Retrieve System/36 Attributes) command
  object auditing 484
  object authority required 419
RTVSMGOBJ (Retrieve System Management Object) command
  authorized IBM-supplied user profiles 287
RTVSYSVAL (Retrieve System Value) command
  object authority required 419
RTVUSRPRF (Retrieve User Profile) command
  description 273
  object auditing 486
  object authority required 424
  using 105
RTVWSCST (Retrieve Work Station Customizing Object) command
  object auditing 487
  object authority required 427
RU (restore authority for user profile) file layout 546
RU (restore authority for user profile) journal entry type 244
run priority 194
RUNBCKUP (Run Backup) command
  object authority required 389
RUNLPDA (Run LPDA-2) command
  authorized IBM-supplied user profiles 287
  object auditing 462
  object authority required 411
RUNQRY (Run Query) command
  object auditing 474
RUNQRY (Run Query) command (continued)
  object authority required 403
RUNSMGCMD (Run System Management Command) command
  authorized IBM-supplied user profiles 287
RUNSMGOBJ (Run System Management Object) command
  authorized IBM-supplied user profiles 287
RUNSQLSTM (Run Structured Query Language Statement) command
  object authority required 365
RVKACCAUT (Revoke Access Code Authority) command
  object auditing 449
  object authority required 388
RVKOBJAUT (Revoke Object Authority) command 140
  description 272
  object auditing 433
  object authority required 301
  using 148
RVKPUBAUT (Revoke Public Authority) command
  authorized IBM-supplied user profiles 287
  description 277, 579
  details 581
  object authority required 301
RVKUSRPMN (Revoke User Permission) command
  description 274
  object auditing 449
  object authority required 388
RVKWSOAUT (Revoke Workstation Object Authority) command
  object authority required 338
RZ (primary group change for restored object) file layout 547
RZ (primary group change for restored object) journal entry type 244

S

S/36 machine description (*S36)
  auditing 484
SAV (Save) command
  object auditing 431, 443, 481, 483
  object authority required 339
SAVAPARDTA (Save APAR Data) command
  authorized IBM-supplied user profiles 287
  object authority required 411
SAVCFG (Save Configuration) command
  object auditing 441, 462, 467, 468
  object authority required 315
SAVCHGOBJ (Save Changed Object) command
  object auditing 431
  object authority required 301
SAVDLO (Save Document Library Object) command
  object auditing 431, 447
  object authority required 325
  using 223
security auditing (continued)
  setting up 276, 573
security auditing function
  activating 256
  CHGSECAUD 255
  stopping 260
security command
  list 271
security data
  saving 223, 274
security information
  backup 223
  format on save media 225
  format on system 224
  recovery 223
  restoring 223
  saving 223
  stored on save media 225
  stored on system 224
security level (QSECURITY) system value
  auditing 236
  automatic user profile creation 53
  changing
    level 10 to level 20 10
    level 20 to level 30 11
    level 20 to level 40 17
    level 20 to level 50 20
    level 30 to 20 10
    level 30 to level 40 17
    level 30 to level 50 20
    level 40 to 20 10
    level 40 to level 30 18
    level 50 to level 30 or 40 21
  comparison of levels 7
  disabling level 40 18
  disabling level 50 21
  enforcing QLMTSECOFR system value 179
  internal control blocks 20
  introduction 2
  level 10 9
  level 20 10
  level 30 11
  level 40 11
  level 50
    message handling 20
    overview 19
    QTEMP (temporary) library 19
    validating parameters 20
  overview 7
  recommendations 9
  special authority 9
  user class 9
  value set by CFGSYSSEC command 579
security officer
  limiting workstation access 29
  monitoring actions 269
  restricting to certain workstations 236
security officer (QSECOFR) user profile
  authority to console 179
  default values 280
  device description owner 179
  disabled status 59
  enabling 59
  restoring 226
security tools
  commands 276, 571
  contents 276, 571
  menus 571
Security Tools (SECTOOLS) menu 571
security value
  setting 579
Send Journal Entry (SNDJRNE) command 258
Send Network Spooled File (SNDNETSPLF) command 187
sending
  journal entry 258
  network spooled file 187
sensitive data
  encrypting 240
  protecting 238
server authentication
  object authority required for commands 411
server authentication entry
  adding 275
  changing 275
  removing 275
server security user information actions (SO) file layout 553
server session
  audit journal (QAUDJRN) entry 244
server session (VS) file layout 560
server session (VS) journal entry type 244
server storage space (*SVRSTG) object 481
service
  object authority required for commands 411
service (*SERVICE) special authority
  failed sign-on 177
  functions allowed 68
  risks 68
service (QSRV) user profile
  authority to console 179
  default values 280
service basic (QSRVBAS) user profile 280
service program
  adopted authority 131
service program (*SRVPGM)
  auditing 480
service status change (VV) file layout 561
service status change (VV) journal entry type 244
service tools (*SPLFDTA) audit level 244
service tools action (ST) file layout 553
service tools action (ST) journal entry type 244
session
  object authority required for commands 407
session description (*SSND)
  auditing 481
Set Attention Program (SETATNPGM) command 84
set password to expired (PWDEXP) parameter 58
SETATNPGM (Set Attention Program) command
  job initiation 84
  object authority required 400
SETCSTDTA (Set Customization Data) command
  object authority required 338
SETJOBATR (user options) parameter
  user profile 87
SETMSTK (Set Master Key) command
  authorized IBM-supplied user profiles 287
  object authority required 318
SETOBJACC (Set Object Access) command
  object authority required 301
SETPGMINF (Set Program Information) command
  object authority required 400
SETTAPCGY (Set Tape Category) command
  object authority required 379
setting
  Attention-key-handling program (ATNPGM) 84
  network attributes 277, 579
  security values 579
  system values 277, 579
setting up
  auditing function 256
  security auditing 276, 573
SETVTMAP (Set VT100 Keyboard Map) command
  object authority required 422
SETVTTBL (Set VT Translation Tables) command
  object authority required 422
SEV (message queue severity) parameter
  user profile 82
severity (SEV) parameter
  user profile 82
SF (action to spooled file) file layout 549
SF (change to spooled file) journal entry type 244
share memory control (QSHRMEMCTL) system value
  description 32
  possible values 32
shared folder
  securing 192
sign-on
  action when attempts reached (QMAXSGNACN system value) 30
  authorities required 175
  authority failures 175
  console 179
  default
    audit journal (QAUDJRN) entry 244
  incorrect password
    audit journal (QAUDJRN) entry 244
  incorrect user ID
    audit journal (QAUDJRN) entry 244
  limiting attempts 29
  preventing default 239
special authority (continued)
  listing users 267
  recommendations 69
  removed by system
    automatically removed 226
    changing security level 10
  user profile 65
special authority (SPCAUT) parameter
  recommendations 69
  user profile 65
special environment (QSPCENV) system value 70
special environment (SPCENV) parameter
  recommendations 70
  routing interactive job 71
  user profile 70
spelling aid dictionary
  object authority required for commands 414
spelling aid dictionary (*SPADCT)
  auditing 479
sphere of control
  object authority required for commands 415
spool (QSPL) user profile 280
spool control (*SPLCTL) special authority
  functions allowed 67
  output queue parameters 188
  risks 67
spool job (QSPLJOB) user profile 280
spooled file
  *JOBCTL (job control) special authority 67
  *SPLCTL (spool control) special authority 67
  action auditing 479
  changing
    audit journal (QAUDJRN) entry 244
  copying 187
  deleting user profile 101
  displaying 187
  moving 187
  object authority required for commands 415
  owner 187
  securing 187
  working with 187
spooled file changes (*SPLFDTA) audit level 244, 479
SQL
  file security 214
SQL catalog 214
SQL package (*SQLPKG) auditing 480
SRC (system reference code)
  B900 3D10 (auditing error) 50
SRTSEQ (sort sequence) parameter
  user profile 85
ST (service tools action) file layout 553
ST (service tools action) journal entry type 244
Start QSH (STRQSH) command
  object authority required
    alias, QSH 404
Start System/36 (STRS36) command
  user profile
    special environment 71
starting
  auditing function 256
  connection
    audit journal (QAUDJRN) entry 244
state
  program 13
state attribute
  object 13
state attribute, program
  displaying 13
STATFS (Display Mounted File System Information) command
  object authority required 385
status (STATUS) parameter
  user profile 59
status message
  displaying (*STSMSG user option) 88
  not displaying (*NOSTSMSG user option) 88
stopping
  audit function 260
  auditing 50
storage
  enhanced hardware protection 14
  maximum (MAXSTG) parameter 74
  reclaiming 19, 123, 232
  setting QALWUSRDMN (allow user objects) system value 25
  threshold
    audit (QAUDJRN) journal receiver 258
    user profile 74
storage pool 194
STRAPF (Start Advanced Printer Function) command
  object authority required 309, 330
STRBEST (Start BEST/1) command
  authorized IBM-supplied user profiles 287
STRBEST (Start Best/1-400 Capacity Planner) command
  object authority required 393
STRBGU (Start Business Graphics Utility) command
  object authority required 309
STRCBLDBG (Start COBOL Debug) command
  object authority required 365, 400
STRCGU (Start CGU) command
  object authority required 328
STRCLNUP (Start Cleanup) command
  object authority required 389
STRCMNTRC (Start Communications Trace) command
  authorized IBM-supplied user profiles 287
  object authority required 411
STRCMTCTL (Start Commitment Control) command
  object authority required 314
STRCPYSCN (Start Copy Screen) command
  object authority required 411
STRCSP (Start CSP/AE Utilities) command
  object auditing 471
STRDBG (Start Debug) command
  authorized IBM-supplied user profiles 287
  object auditing 452, 470
  object authority required 400
STRDBGSVR (Start Debug Server) command
  authorized IBM-supplied user profiles 287
STRDBMON (Start Database Monitor) command
  object authority required 393
STRDBRDR (Start Database Reader) command
  object authority required 405
STRDFU (Start DFU) command
  object authority required 309, 330
STRDIRSHD (Start Directory Shadow System) command
  object authority required 323
STRDIRSHD (Start Directory Shadowing) command
  object auditing 446
STRDKTRDR (Start Diskette Reader) command
  object authority required 405
STRDKTWTR (Start Diskette Writer) command
  object authority required 428
STRDSKRGZ (Start Disk Reorganization) command
  object authority required 323
stream file (*STMF) auditing 481
STREDU (Start Education) command
  object authority required 389
STREML3270 (Start 3270 Display Emulation) command
  object authority required 322
STRFMA (Start Font Management Aid) command
  object auditing 457
  object authority required 328
STRHOSTSVR (Start Host Server) command
  object authority required 339
STRIDD (Start Interactive Data Definition Utility) command
  object authority required 354
STRIDXMON (Start Index Monitor) command
  authorized IBM-supplied user profiles 287
  object authority required 388
STRIPIIFC
  object authority required 355
STRIPSIFC (Start IP over SNA Interface) command
  authorized IBM-supplied user profiles 287
  object authority required 308
STRIPX (Start IPX) command
  object authority required 355
STRIPXCCT
  object authority required 355
STRJOBTRC (Start Job Trace) command
  authorized IBM-supplied user profiles 287
subsystem description (continued)
  printing list of descriptions 276
  printing security-relevant parameters 575
  routing entry change
    audit journal (QAUDJRN) entry 244
  security 181
  workstation entry 181
subsystem description (*SBSD)
  auditing 475
SUPGRPPRF (supplemental groups) parameter
  user profile 79
supplemental group
  planning 217
supplemental groups
  SUPGRPPRF user profile parameter 79
SV (action to system value) file layout 555
SV (action to system value) journal entry type 244
symbolic link (*SYMLNK) auditing 483
system
  object authority required for commands 418
  saving 223, 274
system (*SYSTEM) domain 13
system (*SYSTEM) state 13
system (QSYS) library
  authorization lists 120
system (QSYS) user profile
  default values 280
  restoring 226
System/36
  authority for deleted files 132
  migration
    authority holders 133
System/36 environment
  object authority required for commands 419
  user profile 70
System/38
  command security 211
System/38 environment 70
System/38 Environment 118
system change-journal management support 258
system configuration
  *IOSYSCFG (system configuration) special authority 69
system configuration (*IOSYSCFG) special authority
  functions allowed 69
  risks 69
system console 179
  QCONSOLE system value 179
system-defined authority 113
system directory
  changing
    audit journal (QAUDJRN) entry 244
system distribution directory
  *SECADM (security administrator) special authority 66
  commands for working with 275
system distribution directory (continued)
  deleting user profile 99
system library list
  changing 183, 204
  QSYSLIBL system value 183
system management
  changing
    audit journal (QAUDJRN) entry 244
system management (*SYSMGT) audit level 244
system management change (SM) file layout 552
system management change (SM) journal entry type 244
system operations
  special authority (SPCAUT) parameter 65
system operator (QSYSOPR) user profile 280
system password 110
system portion
  library list
    changing 203
    description 183
    recommendations 185
system program
  calling directly 13
system reference code (SRC)
  B900 3D10 (auditing error) 50
system reply list
  object authority required for commands 419
system request function
  adopted authority 130
System request menu
  options and commands 209
  using 209
System Request menu
  limit device sessions (LMTDEVSSN) 73
system resources
  limiting use
    priority limit (PTYLMT) parameter 75
  preventing abuse 194
system signing 3
system status
  working with 194
system value
  action when sign-on attempts reached (QMAXSGNACN)
    description 30
    user profile status 59
  allow object restore option (QALWOBJRST) 24
  allow user objects (QALWUSRDMN) 19, 25
  Attention-key-handling program (QATNPGM) 84
  audit
    planning 254
  audit control (QAUDCTL)
    changing 276
    displaying 276
system value (continued)
  audit level (QAUDLVL)
    *AUTFAIL (authority failure) description 244
    *CREATE (create) value 244
    *DELETE (delete) value 244
    *JOBDTA (job change) value 244
    *OBJMGT (object management) value 244
    *OFCSRV (office services) value 244
    *PGMADP (adopted authority) value 244
    *PGMFAIL (program failure) value 244
    *PRTDTA (printer output) value 244
    *SAVRST (save/restore) value 244
    *SECURITY (security) value 244
    *SERVICE (service tools) value 244
    *SPLFDTA (spooled file changes) value 244
    *SYSMGT (system management) value 244
    changing 257, 276
    displaying 276
    purpose 241
    user profile 91
  auditing 236
    overview 49
  auditing control (QAUDCTL)
    overview 50
  auditing end action (QAUDENDACN) 50, 254
  auditing force level (QAUDFRCLVL) 51, 254
  auditing level (QAUDLVL)
    overview 51
  automatic configuration of virtual devices (QAUTOVRT) 34
  automatic device configuration (QAUTOCFG) 34
  changing
    *SECADM (security administrator) special authority 66
    audit journal (QAUDJRN) entry 244
  coded character set identifier (QCCSID) 86
  command for setting 277, 579
  console (QCONSOLE) 179
  country identifier (QCNTRYID) 86
  create authority (QCRTAUT)
    description 26
    risk of changing 26
    using 121
  create object auditing (QCRTOBJAUD) 52
  disconnected job time-out interval (QDSCJOBITV) 36
  display sign-on information (QDSPSGNINF) 26, 72
  inactive job
    message queue (QINACTMSGQ) 28
system value (continued)
  QPWDLMTREP (limit repeated characters) 43
  QPWDLMTREP (password limit repeated characters)
    value set by CFGSYSSEC command 579
  QPWDLMTREP (password require position difference)
    value set by CFGSYSSEC command 579
  QPWDMAXLEN (password maximum length) 41
    value set by CFGSYSSEC command 579
  QPWDMINLEN (password minimum length) 41
    value set by CFGSYSSEC command 579
  QPWDPOSDIF (position characters) 44
  QPWDRQDDGT (password require numeric character)
    value set by CFGSYSSEC command 579
  QPWDRQDDGT (required password digits) 44
  QPWDRQDDIF (duplicate password) 42
  QPWDRQDDIF (password required difference)
    value set by CFGSYSSEC command 579
  QPWDVLDPGM (password validation program) 44
    value set by CFGSYSSEC command 579
  QRETSVRSEC (retain server security) 30
  QRMTSIGN (allow remote sign-on)
    value set by CFGSYSSEC command 579
  QRMTSIGN (remote sign-on) 31, 240
  QRMTSRVATR (remote service attribute) 36
  QSECURITY (security level)
    auditing 236
    automatic user profile creation 53
    changing, 20 from higher level 10
    changing, level 10 to level 20 10
    changing, level 20 to 30 11
    changing, to level 40 17
    changing, to level 50 20
    comparison of levels 7
    disabling level 40 18
    disabling level 50 21
    enforcing QLMTSECOFR system value 179
    internal control blocks 20
    introduction 2
    level 10 9
    level 20 10
    level 30 11
    level 40 11
    level 50 19
    message handling 20
    overview 7
system value (continued)
  QSECURITY (security level) (continued)
    recommendations 9
    special authority 9
    user class 9
    validating parameters 20
    value set by CFGSYSSEC command 579
  QSHRMEMCTL (share memory control)
    description 32
    possible values 32
  QSPCENV (special environment) 70
  QSRTSEQ (sort sequence) 85
  QSYSLIBL (system library list) 183
  QUSEADPAUT (use adopted authority)
    description 32
    risk of changing 33
  QUSRLIBL (user library list) 76
  QVFYOBJRST (verify object on restore) 36
  remote service attribute (QRMTSRVATR) 36
  remote sign-on (QRMTSIGN) 31, 240
  retain server security (QRETSVRSEC) 30
  security
    introduction 3
    overview 23
    setting 579
  security level (QSECURITY)
    auditing 236
    automatic user profile creation 53
    changing, 20 from higher level 10
    changing, level 10 to level 20 10
    changing, level 20 to 30 11
    changing, to level 40 17
    changing, to level 50 20
    comparison of levels 7
    disabling level 40 18
    disabling level 50 21
    enforcing QLMTSECOFR system value 179
    introduction 2
    level 10 9
    level 20 10
    level 30 11
    level 40 11
    level 50 19
    overview 7
    recommendations 9
    special authority 9
    user class 9
  security-related
    overview 33
  share memory control (QSHRMEMCTL)
    description 32
    possible values 32
  sign-on 39
    action when attempts reached (QMAXSGNACN) 30, 59
    maximum attempts (QMAXSIGN) 29, 59, 236, 240
    remote (QRMTSIGN) 31, 240
system value (continued)
  sort sequence (QSRTSEQ) 85
  special environment (QSPCENV) 70
  system library list (QSYSLIBL) 183
  use adopted authority (QUSEADPAUT)
    description 32
    risk of changing 33
  user library list (QUSRLIBL) 76
  verify object on restore (QVFYOBJRST) 36
  working with 236
Systems Network Architecture (SNA) distribution services (QSNADS) user profile 280
Systems Network Architecture distribution services (SNADS)
  QSNADS user profile 280

T

TAA (tips and techniques) tool
  Display Audit Log (DSPAUDLOG)
    messages used 244
  DSPAUDLOG (Display Audit Log)
    messages used 244
table
  object authority required for commands 421
table (*TBL) auditing 485
tape
  object authority required for commands 379
  protecting 236
tape cartridge
  object authority required for commands 379
TCP/IP (QTCP) user profile 280
TCP/IP (Transmission Control Protocol/Internet Protocol)
  object authority required for commands 422
TCP/IP printing support (QTMPLPD) user profile 280
TELNET (Start TCP/IP TELNET) command
  object authority required 422
temporary (QTEMP) library
  security level 50 19
test request (QTSTRQS) user profile 280
text (TEXT) parameter
  user profile 65
text index
  object authority required for commands 388
TFRBCHJOB (Transfer Batch Job) command
  object auditing 458
  object authority required 357
TFRCTL (Transfer Control) command
  object authority required 400
  transferring adopted authority 129
TFRGRPJOB (Transfer to Group Job) command
  adopted authority 130
  object authority required 357
user profile (continued)
  *SPLCTL (spool control) special authority 67
  (user identification number) 89
  accounting code (ACGCDE) 80
  ACGCDE (accounting code) 80
  action auditing (AUDLVL) 91
  all numeric user ID 56
  all object (*ALLOBJ) special authority 66
  analyzing
    by special authorities 575
    by user class 575
  analyzing with query 266
  assistance level (ASTLVL) 61
  ASTLVL (assistance level) 61
  ATNPGM (Attention-key-handling program) 84
  Attention-key-handling program (ATNPGM) 84
  audit (*AUDIT) special authority 69
  audit level (AUDLVL)
    *CMD (command string) value 244
  auditing
    *ALLOBJ special authority 238
    authority to use 238
    authorized users 266
  AUDLVL (action auditing) 91
  AUDLVL (audit level)
    *CMD (command string) value 244
  AUT (authority) 90
  authority
    storing 225
  authority (AUT) 90
  automatic creation 53
  CCSID (coded character set identifier) 86
  changes when restoring 225
  changing
    audit journal (QAUDJRN) entry 244
    command descriptions 273
    methods 99
    password 272
    password composition system values 38
    setting password equal to profile name 57
  checking for default password 571
  CNTRYID (country identifier) 86
  coded character set identifier (CCSID) 86
  commands for working with 273
  copying 97
  country identifier (CNTRYID) 86
  creating
    audit journal (QAUDJRN) entry 244
    command descriptions 272, 273
    example description 95
    methods 93
  CURLIB (current library) 62
  current library (CURLIB) 62
  default values table 279
user profile (continued)
  deleting
    command description 273
    directory entry 99
    distribution lists 99
    message queue 99
    spooled files 101
  delivery (DLVRY) 82
  description (TEXT) 65
  DEV (print device) 83
  displaying
    command description 273
    individual 102
    programs that adopt 131
    sign-on information (DSPSGNINF) 71
  DLVRY (message queue delivery) 82
  DOCPWD (document password) 80
  document password (DOCPWD) 80
  DSPSGNINF (display sign-on information) 71
  enabling
    sample program 101
  exit points 105
  group authority (GRPAUT) 78, 122, 124
  group authority type (GRPAUTTYP) 78, 124
  group identification number (gid) 89
  group profile (GRPPRF) 124
    changes when restoring profile 225
    description 76
  GRPAUT (group authority) 78, 122, 124
  GRPAUTTYP (group authority type) 78, 124
  GRPPRF (group profile) 124
    changes when restoring profile 225
    description 76
  home directory (HOMEDIR) 90
  HOMEDIR (home directory) 90
  IBM-supplied
    auditing 236
    default values table 279
    purpose 106
  initial menu (INLMNU) 63
  initial program (INLPGM) 62
  INLMNU (initial menu) 63
  INLPGM (initial program) 62
  introduction 3
  job control (*JOBCTL) special authority 67
  job description (JOBD) 76
  JOBD (job description) 76
  KBDBUF (keyboard buffering) 73
  keyboard buffering (KBDBUF) 73
  LANGID (language identifier) 85
  language identifier (LANGID) 85
  large, examining 267
  limit capabilities
    auditing 238
    description 64
    library list 186
user profile (continued)
  limit device sessions (LMTDEVSSN) 73
  list of permanently active
    changing 571
  listing
    all users 102
    inactive 267
    selected 266
    users with command capability 267
    users with special authorities 267
  listing all 102
  LMTCPB (limit capabilities) 64, 186
  LMTDEVSSN (limit device sessions) 73
  LOCALE (locale) 88
  LOCALE (user options) 88
  maximum storage (MAXSTG)
    description 74
    group ownership of objects 122
  MAXSTG (maximum storage)
    description 74
    group ownership of objects 122
  message queue (MSGQ) 81
  message queue delivery (DLVRY) 82
  message queue severity (SEV) 82
  MSGQ (message queue) 81
  name (USRPRF) 56
  naming 56
  OBJAUD (object auditing) 91
  object auditing (OBJAUD) 91
  object authority required for commands 424
  object owner
    deleting 122
  output queue (OUTQ) 83
  OUTQ (output queue) 83
  owned object information 92
  owner (OWNER) 124
  OWNER (owner) 124
  OWNER (owner of objects created) 77, 122
  owner of objects created (OWNER) 77, 122
  password 57
  password expiration interval (PWDEXPITV) 72
  performance
    save and restore 92
  primary group 101
  print device (DEV) 83
  printing 266
  priority limit (PTYLMT) 75
  private authorities 92
  PTYLMT (priority limit) 75
  public authority (AUT) 90
  PWDEXP (set password to expired) 58
  PWDEXPITV (password expiration interval) 72
  related commands for working with 274
  renaming 103
  restoring
    audit journal (QAUDJRN) entry 244
WKRNWSENR (Work with Network Server User Enrollment) command
  object authority required 387
WKRNWSSSN (Work with Network Server Session) command
  object authority required 387
WKRNWSSTS (Work with Network Server Status) command
  object authority required 387
Work with Authority (WRKAUT) command 140, 272
Work with Authorization Lists (WRKAUTL) command 271
Work with Database Files Using IDDU (WRKDBFIDD) command
  object authority required 354
Work with Directory (WRKDIRE) command 275
Work with Journal (WRKJRN) command 260, 266
Work with Journal Attributes (WRKJRNA) command 260, 266
Work with Objects (WRKOBJ) command 272
Work with Objects by Owner (WRKOBJOWN) command
  auditing 238
  description 272
  using 144
Work with Objects by Owner display 100, 144
Work with Objects by Primary Group (WRKOBJPGP) command 123, 145
  description 272
Work with Output Queue Description (WRKOUTQD) command 187
Work with Spooled Files (WRKSPLF) command 187
Work with System Status (WRKSYSSTS) command 194
Work with System Values (WRKSYSVAL) command 236
Work with User Enrollment display 95
Work with User Profiles (WRKUSRPRF) command 94, 273
Work with User Profiles display 94
working on behalf
  auditing 463
working with
  authority 272
  authority holders 271, 275
  authorization lists 271
  directory 275
  document library objects (DLO) 274
  journal 266
  journal attributes 260, 266
  object authority 272
  object ownership 144
working with (continued)
  system status 194
  user auditing 104
  user profiles 94, 273, 274
workstation
  authority to sign-on 177
  limiting user to one at a time 28
  restricting access 236
  securing 177
  security officer access 29
workstation customizing object
  object authority required for commands 427
workstation customizing object (*WSCST)
  auditing 487
workstation entry
  job description 181
  sign on without user ID and password 14
workstation user (QUSER) user profile 280
writer
  *JOBCTL (job control) special authority 67
  object authority required for commands 428
WRKACTJOB (Work with Active Jobs) command
  object authority required 357
WRKALR (Work with Alerts) command
  object authority required 308
WRKALRD (Work with Alert Description) command
  object auditing 434
WRKALRD (Work with Alert Descriptions) command
  object authority required 308
WRKALRTBL (Work with Alert Table) command
  object auditing 434
WRKALRTBL (Work with Alert Tables) command
  object authority required 308
WRKAUT (Work with Authority) command 140
  description 272
  object auditing 444, 478, 482
WRKAUT (Work with Authority Directory) command
  object authority required 339
WRKAUTL (Work with Authorization List) command
  object auditing 435
WRKAUTL (Work with Authorization Lists) command
  description 271
  object authority required 310
WRKBNDDIR (Work with Binding
WRKCFGL (Work with Configuration List) command
  object auditing 436
WRKCFGL (Work with Configuration Lists) command
  object authority required 316
WRKCFGSTS (Work with Configuration Status) command
  object auditing 442, 462, 467
  object authority required 315
WRKCHTFMT (Work with Chart Formats) command
  object authority required 312
WRKCLS (Work with Class) command
  object auditing 438
WRKCLS (Work with Classes) command
  object authority required 313
WRKCMD (Work with Command) command
  object auditing 438
WRKCMD (Work with Commands) command
  object authority required 313
WRKCMTDFN (Work with Commitment Definition) command
  object authority required 314
WRKCNNL (Work with Connection Lists) command
  object auditing 439
  object authority required 316
WRKCNNLE (Work with Connection List Entries) command
  object auditing 439
  object authority required 316
WRKCNTINF (Work with Contact Information) command
  authorized IBM-supplied user profiles 287
  object authority required 405, 411
WRKCOSD (Work with Class-of-Service Descriptions) command
  object auditing 440
  object authority required 313
WRKCRQD (Work with Change Request Description) command
  object authority required 312
WRKCRQD (Work with Change Request Descriptions) command
  object auditing 437
WRKCSI (Work with Communications Side Information) command
  object auditing 440
  object authority required 314
WRKCTLD (Work with Controller Descriptions) command
  object auditing 441
  object authority required 316
WRKDBFIDD (Work with Database Files
objects 272 Directory) command Using IDDU) command
objects by owner 272 object auditing 436 object authority required 354
objects by primary group 123, 272 object authority required 311 WRKDDMF (Work with Distributed Data
output queue description 187 WRKBNDDIRE (Work with Binding Management Files) command
password 272 Directory Entry) command object authority required 330
primary group 145 object auditing 436 WRKDEVD (Work with Device
security attributes 276 object authority required 311 Descriptions) command
spooled files 187 WRKCCTRTE 355 object auditing 442
system directory 275 WRKCCTSRV 355 object authority required 320
Index 663
WRKNAMSMTP (Work with Names for SMTP) command
   object authority required 422
WRKNETF (Work with Network Files) command
   object authority required 384
WRKNETJOBE (Work with Network Job Entries) command
   object authority required 384
WRKNETTBLE (Work with Network Table Entries) command
   object authority required 422
WRKNODL (Work with Node List) command
   object auditing 466
   object authority required 388
WRKNODLE (Work with Node List Entries) command
   object auditing 467
   object authority required 388
WRKNTBD (Work with NetBIOS Description) command
   object auditing 467
   object authority required 384
WRKNWID (Work with Network Interface Description) command
   object auditing 467
WRKNWID (Work with Network Interface Description Command) command
   object authority required 386
WRKNWSD (Work with Network Server Description) command
   object auditing 468
   object authority required 388
WRKNWSSTG (Work with Network Server Storage Space) command
   object authority required 387
WRKOBJ (Work with Objects) command
   description 272
   object authority required 301
WRKOBJCSP (Work with Objects for CSP/AE) command
   object auditing 440, 471
WRKOBJLCK (Work with Object Lock) command
   object auditing 434
WRKOBJLCK (Work with Object Locks) command
   object authority required 301
WRKOBJOWN (Work with Objects by Owner) command
   auditing 238
   description 272
   object auditing 434, 486
   object authority required 301
   using 144
WRKOBJPDM (Work with Objects Using PDM) command
   object authority required 309
WRKOBJPGP (Work with Objects by Primary) command
   description 272
WRKOBJPGP (Work with Objects by Primary Group) command 123, 145
   object authority required 301
WRKOPTDIR (Work with Optical Directories) command
   object authority required 390
WRKOPTF (Work with Optical Files) command
   object authority required 390
WRKOPTVOL (Work with Optical Volumes) command
   object authority required 390
WRKORDINF (Work with Order Information) command
   authorized IBM-supplied user profiles 287
   object authority required 423
WRKOUTQ (Work with Output Queue) command
   object auditing 469
   object authority required 392
WRKOUTQD (Work with Output Queue Description) command
   object auditing 469
   object authority required 392
   security parameters 187
WRKOVL (Work with Overlays) command
   object auditing 469
   object authority required 307
WRKPAGDFN (Work with Page Definitions) command
   object auditing 469
   object authority required 307
WRKPAGSEG (Work with Page Segments) command
   object auditing 470
   object authority required 307
WRKPARTPDM (Work with Parts Using PDM) command
   object authority required 309
WRKPCLTBLE (Work with Protocol Table Entries) command
   object authority required 422
WRKPDG (Work with Print Descriptor Group) command
   object auditing 470
WRKPDGPRF (Work with Print Descriptor Group Profile) command
   object authority required 398
WRKPFCST (Work with Physical File Constraints) command
   object auditing 455
   object authority required 330
WRKPGM (Work with Programs) command
   object auditing 471
   object authority required 400
WRKPGMTBL (Work with Program Tables) command
   authorized IBM-supplied user profiles 287
   object authority required 338
WRKPNLGRP (Work with Panel Groups) command
   object auditing 472
   object authority required 380
WRKPRB (Work with Problem) command
   authorized IBM-supplied user profiles 287
   object authority required 399, 411
WRKPRJPDM (Work with Project Using PDM) command
   object authority required 309
WRKQMFORM (Work with Query Management Form) command
   object auditing 473
   object authority required 403
WRKQMQRY (Work with Query Management Query) command
   object authority required 403
WRKQRY (Work with Query) command
   object authority required 403
WRKQST (Work with Questions) command
   object authority required 405
WRKRDBDIRE (Work with Relational Database Directory Entries) command
   object authority required 406
WRKREGINF (Work with Registration) command
   object authority required 406
WRKREGINF (Work with Registration Information) command
   object auditing 452
WRKRJESSN (Work with RJE Session) command
   object authority required 407
WRKRPYLE (Work with System Reply List Entries) command
   object auditing 475
   object authority required 419
WRKS36PGMA (Work with System/36 Program Attributes) command
   object auditing 471
   object authority required 419
WRKS36PRCA (Work with System/36 Procedure Attributes) command
   object auditing 454
   object authority required 419
WRKS36SRCA (Work with System/36 Source Attributes) command
   object auditing 454
   object authority required 419
WRKSBMJOB (Work with Submitted Jobs) command
   object authority required 357
WRKSBS (Work with Subsystems) command
   object auditing 476
   object authority required 416
WRKSBSD (Work with Subsystem Descriptions) command
   object auditing 476
   object authority required 416
WRKSBSJOB (Work with Subsystem Jobs) command
   object auditing 476
   object authority required 357
WRKSCHIDX (Work with Search Indexes) command
   object auditing 477
   object authority required 356