Posted by: LarryP
confine a user to objects in an authorization list
Published: 09 Feb 2012
Revised: 23 Jan 2013
COMMENTS

Posted by: Paulster
Premium member *
Sweden and The Netherlands
Comment on: confine a user to objects in an authorization list
Posted: 5 years 4 months 13 days 8 hours 54 minutes ago

Hi Larry,

Fast track 4-step system:

1. Create group profiles MYGRPPRF1, MYGRPPRF2 etc. Basically one for each system or application you have.

2. Tie these group profiles to the vendor user profiles as well as for all other profiles. The vendor profiles only get the group profiles matching the systems you want them to access. (GRPPRF and SUPGRPPRF parameters)

3. Add authority *GROUP MYGROUPRF1 *ALL (use appropriate group profile per system) to all objects you'd like folks to be able to access. As objects belonging to a system often reside in a set of libraries, this is easy to do.

4. Set authority *PUBLIC *EXCLUDE for all objects on your system.

Sounds like more work than it actually is but you only have to do it once and you're ok from then.


Good luck,

Paulster
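Paulster's four steps as one CL program. This is an added example, not code from the thread or from any poster; the names MYGRPPRF1, VENDOR01 and APP1LIB are placeholders, and it assumes it is run by a profile allowed to create user profiles and change authority on everything in APP1LIB. It also covers the library object itself (a library is an object too, so step 4 applies to it) and sets the library's CRTAUT so objects created later do not arrive with a wider default than the ones you just locked down.

```cl
/* Added example, not from the thread.  Placeholders: MYGRPPRF1,       */
/* VENDOR01, APP1LIB.  Compile with CRTBNDCL and run it once per app.  */
PGM

   /* Step 1: one group profile per application.  PASSWORD(*NONE) so   */
   /* nobody can sign on as the group itself; members inherit its      */
   /* authority through GRPPRF/SUPGRPPRF.                               */
   CRTUSRPRF USRPRF(MYGRPPRF1) PASSWORD(*NONE) +
             TEXT('Group profile: application 1 users')
   MONMSG MSGID(CPF2214)   /* profile already exists: carry on         */

   /* Step 2: tie the vendor profile to only the groups it needs       */
   /* (extra groups go in SUPGRPPRF).  LMTCPB(*YES), recommended       */
   /* elsewhere in this thread, removes the command line as a side     */
   /* door around the object authorities set below.                    */
   CHGUSRPRF USRPRF(VENDOR01) GRPPRF(MYGRPPRF1) SUPGRPPRF(*NONE) +
             LMTCPB(*YES)

   /* Step 3: the group gets authority to every object in the          */
   /* application library.  *ALL is what the post says; *CHANGE is     */
   /* enough for normal use and does not let the group delete objects  */
   /* or alter their authorities.  The library object (it lives in     */
   /* QSYS, so OBJ(APP1LIB/*ALL) does not touch it) only needs *USE:   */
   /* that opens the gate without allowing CRT/DLT of objects in it.   */
   GRTOBJAUT OBJ(APP1LIB/*ALL) OBJTYPE(*ALL) USER(MYGRPPRF1) AUT(*ALL)
   GRTOBJAUT OBJ(QSYS/APP1LIB) OBJTYPE(*LIB) USER(MYGRPPRF1) AUT(*USE)

   /* Step 4: shut *PUBLIC out of the objects and of the library.      */
   /* Done after step 3 so the group is never without access.          */
   /* AUT(*EXCLUDE) on GRTOBJAUT replaces whatever *PUBLIC had before. */
   GRTOBJAUT OBJ(APP1LIB/*ALL) OBJTYPE(*ALL) USER(*PUBLIC) AUT(*EXCLUDE)
   GRTOBJAUT OBJ(QSYS/APP1LIB) OBJTYPE(*LIB) USER(*PUBLIC) AUT(*EXCLUDE)

   /* Anything created in APP1LIB from now on defaults to *PUBLIC      */
   /* *EXCLUDE instead of the QCRTAUT system value, so step 4 does     */
   /* not silently erode as the application adds objects.              */
   CHGLIB LIB(APP1LIB) CRTAUT(*EXCLUDE)

ENDPGM
```

Afterwards, DSPOBJAUT OBJ(QSYS/APP1LIB) OBJTYPE(*LIB) and DSPOBJAUT on a few objects in the library should show exactly two entries that matter: the group with its authority and *PUBLIC *EXCLUDE. None of this restrains a profile with *ALLOBJ special authority, so the vendor profiles should not have it.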

Posted by: DaleB
Premium member *
Reading, PA
Comment on: confine a user to objects in an authorization list
Posted: 5 years 4 months 13 days 1 hours 39 minutes ago

5. Be really, really careful changing IBM-supplied objects.

6. Authority on the library (*LIB object) controls ability to change the library itself (CHGLIB, DLTLIB, ...), and the ability to have the library in the library list (which I think just needs *OBJOPR). Authority on the *LIB does not control authority on objects in the library.

6.a. Corollary: It's OK to change QGPL *LIB to *USE. The user will not be able to create new objects in QGPL, or delete objects from QGPL, but there are a lot of IBM-supplied things in QGPL that they're going to need access to.

Posted by: neilrh
Premium member *
Jackson, MI
Comment on: confine a user to objects in an authorization list
Posted: 5 years 4 months 13 days 8 minutes ago

A place I worked went both ways: Assign each user a Group Profile that controlled the individual's authority AND assign Group Profiles to an Authorisation List. That way when a new object is created you add the appropriate authorisation lists to it, and when a new user joins you add them to the correct group profiles.

You can also write programs to change IBM command authorities, so that when you install a new OS release you can just run the programs to put your restrictions back in place (it's just a matter of adding the Authorisation List entries to the IBM objects - don't have to go all the way down to user profiles).
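The layered arrangement neilrh describes (group profiles as the entries of an authorization list, the list attached to the objects) as a CL program. Added example, not neilrh's program or anything from the thread; APP1AUTL, MYGRPPRF1 and APP1LIB are placeholders, and it assumes the group profile already exists. The library object is deliberately kept out of the list so the group only gets *USE to the gate, not *CHANGE.

```cl
/* Added example, not from the thread.  Placeholders: APP1AUTL,        */
/* MYGRPPRF1, APP1LIB.  Assumes MYGRPPRF1 already exists.              */
PGM

   /* One authorization list per application.  AUT(*EXCLUDE) is the    */
   /* list's own *PUBLIC entry.                                          */
   CRTAUTL AUTL(APP1AUTL) TEXT('Application 1 objects') AUT(*EXCLUDE)

   /* The list entries are group profiles, not people.  Onboarding a    */
   /* user is then only CHGUSRPRF GRPPRF(MYGRPPRF1) on that user.       */
   ADDAUTLE AUTL(APP1AUTL) USER(MYGRPPRF1) AUT(*CHANGE)

   /* Secure every existing object in the library by the list.          */
   GRTOBJAUT OBJ(APP1LIB/*ALL) OBJTYPE(*ALL) AUTL(APP1AUTL)

   /* Point each object's *PUBLIC at the list (*AUTL) so the list's     */
   /* *EXCLUDE is what applies and no stale per-object public authority */
   /* survives from before.                                              */
   GRTOBJAUT OBJ(APP1LIB/*ALL) OBJTYPE(*ALL) USER(*PUBLIC) AUT(*AUTL)

   /* The library object is the gate: *USE for the group, *EXCLUDE for  */
   /* everyone else.  It is not put on the list, because the list       */
   /* grants *CHANGE and *CHANGE on a *LIB allows creating objects.     */
   GRTOBJAUT OBJ(QSYS/APP1LIB) OBJTYPE(*LIB) USER(MYGRPPRF1) AUT(*USE)
   GRTOBJAUT OBJ(QSYS/APP1LIB) OBJTYPE(*LIB) USER(*PUBLIC) AUT(*EXCLUDE)

   /* New objects created in the library are secured by the list        */
   /* automatically, so nobody has to remember to do it per object.     */
   CHGLIB LIB(APP1LIB) CRTAUT(APP1AUTL)

ENDPGM
```

The same GRTOBJAUT ... AUTL(...) form is what makes neilrh's release-upgrade point work: a program that attaches your lists to the IBM command objects you restrict can simply be rerun after the new release resets their authorities, and the lists themselves, with their group entries, are untouched by the upgrade.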

Posted by: Ringer
Premium member *
Comment on: confine a user to objects in an authorization list
Posted: 5 years 4 months 12 days 20 hours 42 minutes ago

> 4. Set authority *PUBLIC *EXCLUDE for all objects on your system.

> 6. Authority on the *LIB does not control authority on objects in the library.

Oh gotta disagree with #6. OS/400 first checks the user's authority to the library before checking authority to the object. To access any object in a library, the user must at least have *USE (or perhaps just *EXECUTE) to the Library object itself. So for example, if the object is *PUBLIC *ALL but the library is *PUBLIC *EXCLUDE, they can't touch the object in that library.

So #4 could be changed to setting the restricted libraries to *PUBLIC *EXCLUDE to protect objects in those libraries.

Of course, if the user has *ALLOBJ authority, they can go/do whatever they want.

Chris Ringer
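A small diagnostic that shows the two-stage check Ringer describes, as an added example rather than anything posted in the thread. CHKOBJ against the object fails with CPF9820 when the job's user lacks authority to the library, and only gets as far as CPF9802 (not authorized to the object) once the library gate is open. The program name CHKACC and the sample arguments are placeholders.

```cl
/* Added example, not from the thread.  Reports which check stops the */
/* job's user.  Placeholders: CHKACC (this program) and the arguments, */
/* e.g.  CALL CHKACC PARM('APP1LIB' 'CUSTMAST' '*FILE')                 */
PGM PARM(&LIB &OBJ &TYPE)
   DCL VAR(&LIB)  TYPE(*CHAR) LEN(10)
   DCL VAR(&OBJ)  TYPE(*CHAR) LEN(10)
   DCL VAR(&TYPE) TYPE(*CHAR) LEN(10)
   DCL VAR(&MSG)  TYPE(*CHAR) LEN(132)

   /* One CHKOBJ against the object.  The library is checked first,    */
   /* so CPF9820 comes back even when the object itself is *PUBLIC      */
   /* *ALL: the library gate is closed and the object is never reached. */
   CHKOBJ OBJ(&LIB/&OBJ) OBJTYPE(&TYPE) AUT(*USE)

   MONMSG MSGID(CPF9820) EXEC(DO)      /* not authorized to the library */
      CHGVAR VAR(&MSG) VALUE('Library gate closed:' *BCAT &LIB)
      GOTO CMDLBL(REPORT)
   ENDDO
   MONMSG MSGID(CPF9802) EXEC(DO)      /* library open, object denied   */
      CHGVAR VAR(&MSG) VALUE('Library open, object denied:' *BCAT &OBJ)
      GOTO CMDLBL(REPORT)
   ENDDO
   MONMSG MSGID(CPF9810) EXEC(DO)      /* library does not exist        */
      CHGVAR VAR(&MSG) VALUE('Library not found:' *BCAT &LIB)
      GOTO CMDLBL(REPORT)
   ENDDO
   MONMSG MSGID(CPF9801) EXEC(DO)      /* object does not exist         */
      CHGVAR VAR(&MSG) VALUE('Object not found:' *BCAT &OBJ)
      GOTO CMDLBL(REPORT)
   ENDDO

   /* No escape message: both the library and the object allow *USE.   */
   CHGVAR VAR(&MSG) VALUE('Access allowed (*USE) to' *BCAT &OBJ)

REPORT: SNDPGMMSG MSG(&MSG)
ENDPGM
```

CHKOBJ tests the authority of the job's current user, so to see what a restricted profile gets, call it while signed on as that user, or submit it with SBMJOB ... USER(VENDOR01) (which needs *USE to that profile) and read the result in the job log. On the "*USE or perhaps just *EXECUTE" question: *USE is *OBJOPR plus *READ plus *EXECUTE, and it is the *EXECUTE part that passes the library gate, so checking the library object with CHKOBJ OBJ(QSYS/APP1LIB) OBJTYPE(*LIB) AUT(*EXECUTE) is the minimal test.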

Posted by: Ringer
Premium member *
Comment on: confine a user to objects in an authorization list
Posted: 5 years 4 months 12 days 20 hours 13 minutes ago

And uh, make them LMTCPB *YES and never ever show them a command line with adopted authority. Yeah, I know, you said web access, but things change and employees rotate out over time.

Chris Ringer

Posted by: Paulster
Premium member *
Sweden and The Netherlands
Comment on: confine a user to objects in an authorization list
Posted: 5 years 4 months 10 days 8 hours 41 minutes ago

Addition:

1. Indeed, libraries are objects and also get the group profile authority and then the *exclude.

2. I forgot about the LMTCPB(*YES), this is indeed also required for this group of users.


Regards,

Paulster

Posted by: DaleB
Premium member *
Reading, PA
Comment on: confine a user to objects in an authorization list
Posted: 5 years 4 months 10 days 52 minutes ago

True, Ringer, you need *USE to the library to access objects in the library. But only *USE. The *LIB authority is the gatekeeper. If you're *EXCLUDE to the *LIB, the gate is closed, *USE and the gate is open. Sorry if I wasn't clear on that.

Posted by: LarryP
Premium member *
Comment on: confine a user to objects in an authorization list
Posted: 5 years 4 months 9 days 17 hours 8 minutes ago

First of all thanks for the quick responses. I had already started down this path a couple of years back by creating and assigning user groups tied to functions and controlled access. As a result it shouldn't be too much disruption to continue and expand the process.

This group is awesome!