Is it possible to restrict a user to a specific set of objects and only to those objects?
1 - Create a library and restrict the user only to that library and not allow them access to anything else on the system.
2 - Maybe an authorization list and add them and the objects to the authorization list?
We are creating a web access project for vendors to access their accounts and want to be able to tie them down as much as possible.
Ideas or suggestions?
Hi Larry,
Fast track 4-step system:
1. Create group profiles MYGRPPRF1, MYGRPPRF2 etc. Basically one for each system or application you have.
2. Tie these group profiles to the vendor user profiles as well as for all other profiles. The vendor profiles only get the group profiles matching the systems you want them to access. (GRPPRF and SUPGRPPRF parameters)
3. Add authority *GROUP MYGRPPRF1 *ALL (use the appropriate group profile per system) to all objects you'd like folks to be able to access. As objects belonging to a system often reside in a set of libraries, this is easy to do.
4. Set authority *PUBLIC *EXCLUDE for all objects on your system.
Sounds like more work than it actually is, but you only have to do it once and you're OK from then on.
Good luck,
Paulster
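The four steps above written out as CL, as an added example rather than commands from the post. The library name APPLIB, the vendor profile VENDOR01, the file ORDERS and the decision to give the group *USE on the *LIB object (which the thread comes back to further down) are all assumptions; run it as a profile with *ALLOBJ and *SECADM (QSECOFR or equivalent).

```cl
/* Added example, not from the thread. APPLIB, VENDOR01 and ORDERS    */
/* are assumed names. Run from a profile with *ALLOBJ and *SECADM.    */

/* Step 1: one group profile per application. PASSWORD(*NONE) means   */
/* nobody can sign on as the group itself; GID(*GEN) is needed for    */
/* IFS/NFS use and costs nothing.                                     */
CRTUSRPRF USRPRF(MYGRPPRF1) PASSWORD(*NONE) GID(*GEN) +
          TEXT('Group: APPLIB application')

/* Step 2: the vendor profile gets only the matching group.           */
/* LMTCPB(*YES) and INLMNU(*SIGNOFF) make a 5250 sign-on useless if   */
/* the "web only" assumption changes. Set a real password here only  */
/* if the web tier authenticates against the profile (assumption).    */
CRTUSRPRF USRPRF(VENDOR01) PASSWORD(*NONE) GRPPRF(MYGRPPRF1) +
          SUPGRPPRF(*NONE) LMTCPB(*YES) INLMNU(*SIGNOFF) +
          INLPGM(*NONE) TEXT('Vendor web access - APPLIB')

/* Step 3: the group gets the post's *ALL on every object in the      */
/* library (*CHANGE for files and *USE for programs is usually        */
/* enough), plus *USE on the *LIB object so the library can be        */
/* addressed at all.                                                  */
GRTOBJAUT OBJ(APPLIB/*ALL) OBJTYPE(*ALL) USER(MYGRPPRF1) AUT(*ALL)
GRTOBJAUT OBJ(APPLIB) OBJTYPE(*LIB) USER(MYGRPPRF1) AUT(*USE)

/* Step 4: everyone else is excluded, the *LIB object included.       */
GRTOBJAUT OBJ(APPLIB/*ALL) OBJTYPE(*ALL) USER(*PUBLIC) AUT(*EXCLUDE)
GRTOBJAUT OBJ(APPLIB) OBJTYPE(*LIB) USER(*PUBLIC) AUT(*EXCLUDE)

/* Caveat: objects created in APPLIB later take the library's CRTAUT  */
/* (default *SYSVAL -> QCRTAUT, normally *CHANGE) and would be public */
/* again. Pin it to *EXCLUDE so step 4 stays true.                    */
CHGLIB LIB(APPLIB) CRTAUT(*EXCLUDE)

/* Verify before letting vendors in: object authority on one file,    */
/* and who is actually a member of the group.                         */
DSPOBJAUT OBJ(APPLIB/ORDERS) OBJTYPE(*FILE)
DSPUSRPRF USRPRF(MYGRPPRF1) TYPE(*GRPMBR)
```

The CHGLIB line is the one most often forgotten: a *PUBLIC *EXCLUDE sweep fixes what exists today, not what a developer creates in the library next week.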
5. Be really, really careful changing IBM-supplied objects.
6. Authority on the library (*LIB object) controls the ability to change the library itself (CHGLIB, DLTLIB, ...), and the ability to have the library in the library list (which I think just needs *OBJOPR). Authority on the *LIB does not control authority on objects in the library.
6.a. Corollary: It's OK to change QGPL *LIB to *USE. The user will not be able to create new objects in QGPL, or delete objects from QGPL, but there are a lot of IBM-supplied things in QGPL that they're going to need access to.
A place I worked went both ways: assign each user a Group Profile that controlled the individual's authority AND assign Group Profiles to an Authorisation List. That way when a new object is created you add the appropriate authorisation lists to it, and when a new user joins you add them to the correct group profiles.
You can also write programs to change IBM command authorities, so that when you install a new OS release you can just run the programs to put your restrictions back in place (it's just a matter of adding the Authorisation List entries to the IBM objects - don't have to go all the way down to user profiles).
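The authorisation-list variant from this post, plus the "rerun after a release upgrade" program it mentions, as an added example rather than the poster's own program. VENDAUTL, APPLIB, MYGRPPRF1 and the two IBM commands chosen (STRSQL and WRKSPLF) are assumptions; the thread does not say which commands were restricted, and the earlier warning about changing IBM-supplied objects applies to those lines.

```cl
/* Added example, not from the thread. VENDAUTL, APPLIB, MYGRPPRF1    */
/* and the two IBM commands are assumptions. Keep as a CL source      */
/* member, CRTCLPGM it, and rerun after each OS release install.      */
PGM

/* The list already exists on every run after the first; CPF0000     */
/* swallows the "already exists" failure. AUT(*EXCLUDE) is the        */
/* list's own *PUBLIC entry.                                          */
CRTAUTL AUTL(VENDAUTL) AUT(*EXCLUDE) TEXT('Vendor application access')
MONMSG MSGID(CPF0000)

/* Entries are group profiles, never individual users; on rerun the   */
/* entry exists, so fall back to CHGAUTLE to reassert the authority.  */
ADDAUTLE AUTL(VENDAUTL) USER(MYGRPPRF1) AUT(*CHANGE)
MONMSG MSGID(CPF0000) EXEC(CHGAUTLE AUTL(VENDAUTL) USER(MYGRPPRF1) +
                                    AUT(*CHANGE))

/* Secure the application objects and the *LIB object by the list,    */
/* then point *PUBLIC at the list so the list's *EXCLUDE is what a    */
/* non-member sees.                                                   */
GRTOBJAUT OBJ(APPLIB/*ALL) OBJTYPE(*ALL) AUTL(VENDAUTL)
GRTOBJAUT OBJ(APPLIB) OBJTYPE(*LIB) AUTL(VENDAUTL)
GRTOBJAUT OBJ(APPLIB/*ALL) OBJTYPE(*ALL) USER(*PUBLIC) AUT(*AUTL)
GRTOBJAUT OBJ(APPLIB) OBJTYPE(*LIB) USER(*PUBLIC) AUT(*AUTL)

/* IBM commands: a release install can put shipped authority back on  */
/* objects in QSYS, so these are the lines the program exists to      */
/* re-apply. Same two-line pattern per command. Restricting a         */
/* command affects every profile on the box, not just vendors:        */
/* DSPOBJAUT it first and know who else depends on it.                */
GRTOBJAUT OBJ(QSYS/STRSQL) OBJTYPE(*CMD) AUTL(VENDAUTL)
GRTOBJAUT OBJ(QSYS/STRSQL) OBJTYPE(*CMD) USER(*PUBLIC) AUT(*AUTL)
GRTOBJAUT OBJ(QSYS/WRKSPLF) OBJTYPE(*CMD) AUTL(VENDAUTL)
GRTOBJAUT OBJ(QSYS/WRKSPLF) OBJTYPE(*CMD) USER(*PUBLIC) AUT(*AUTL)

/* Audit output to a spooled file: what the list secures, and who is  */
/* on it. Diff this against the previous run's copy after an upgrade. */
DSPAUTLOBJ AUTL(VENDAUTL) OUTPUT(*PRINT)
DSPAUTL AUTL(VENDAUTL) OUTPUT(*PRINT)

ENDPGM
```

The point of AUT(*AUTL) on *PUBLIC is that the object then has no public authority of its own: adding or removing a group on the list changes access to every secured object at once, which is exactly what makes the list, not the object, the thing you maintain when a new vendor or a new object shows up.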
> 4. Set authority *PUBLIC *EXCLUDE for all objects on your system.
> 6. Authority on the *LIB does not control authority on objects in the library.
Oh gotta disagree with #6. OS/400 first checks the user's authority to the library before checking authority to the object. To access any object in a library, the user must at least have *USE (or perhaps just *EXECUTE) to the Library object itself. So for example, if the object is *PUBLIC *ALL but the library is *PUBLIC *EXCLUDE, they can't touch the object in that library.
So #4 could be changed to setting the restricted libraries to *PUBLIC *EXCLUDE to protect objects in those libraries.
Of course, if the user has *ALLOBJ authority, they can go/do whatever they want.
Chris Ringer
And uh, make them LMTCPB *YES and never ever show them a command line with adopted authority. Yeah, I know, you said web access, but things change and employees rotate out over time.
Chris Ringer
Addition:
1. Indeed, libraries are objects and also get the group profile authority and then the *EXCLUDE.
2. I forgot about the LMTCPB(*YES), this is indeed also required for this group of users.
Regards,
Paulster
True, Ringer, you need *USE to the library to access objects in the library. But only *USE. The *LIB authority is the gatekeeper. If you're *EXCLUDE to the *LIB, the gate is closed, *USE and the gate is open. Sorry if I wasn't clear on that.
First of all, thanks for the quick responses. I had already started down this path a couple of years back by creating and assigning user groups tied to functions and controlled access. As a result it shouldn't be too much disruption to continue and expand the process.
This group is awesome!