22
Fri, Nov
1 New Articles

Security Patrol: *PUBLIC Authority and Safely Changing QCRTAUT

IBM i (OS/400, i5/OS)
Typography
  • Smaller Small Medium Big Bigger
  • Default Helvetica Segoe Georgia Times
Focus is starting to be placed on the *PUBLIC authority of application objects. For many years, it was largely ignored because of "menu security"--better termed "menu access control." Today, menu access control has been shown to fall short of the demands of today's iSeries systems. Because of the plethora of vendors (10 at last count) now providing network access control (that is, exit program) solutions as well as regulations such as the Gramm-Leach-Bliley Act and HIPAA (Health Insurance Portability and Accountability Act), the spotlight is now beginning to turn to the accessibility of the application objects themselves. Specifically, focus is now settling on how easily one can access application database files using iSeries Access features such as data transfer and ODBC, Microsoft Excel, and the FTP client that is provided with every Microsoft operating system. Some vendors and developers writing customized applications are (finally) realizing that the OS/400 default of *PUBLIC authority *CHANGE provides more access than is appropriate. So I thought that a discussion on *PUBLIC authority might be warranted.

*PUBLIC authority is the default access for an object. OS/400 is a bit unique in that everyone has some authority to every object on the system. If you don't get authority from anywhere else (e.g., *ALLOBJ special authority, private authority, authority from an authorization list, etc.), then you get the authority defined for *PUBLIC. Many other operating systems don't have the concept of a "default" access.

So how and when is this default access set? *PUBLIC authority is set when an object is created. Once the object is created, you can change the authority using the OS/400 commands Grant Object Authority (GRTOBJAUT) or Edit Object Authority (EDTOBJAUT) or the OS/400 IFS commands Work with Authority (WRKAUT) or Change Authority (CHGAUT).

It's the initial setting of this authority that I'd like to discuss, however. You may have noticed that when you create most OS/400 objects, the Authority (or AUT) parameter defaults to a value of *LIBCRTAUT. What on earth does that mean, you ask? Let's look at Figure 1 for an explanation.


http://www.mcpressonline.com/articles/images/2002/Public%20authority%20-%20MCPressV300.png

Figure 1: Here's how *PUBLIC authority is derived.

The value *LIBCRTAUT says to look at the Create Authority value for the library into which the object is being created. If you display the library using the Display Library Description (DSPLIBD) command, you will see that the value for the Create Authority parameter is *SYSVAL. What does this refer to? It refers to the value of the QCRTAUT (Create Default Public Authority) system value. The default for this system value is *CHANGE. That's why most objects end up with *PUBLIC authority *CHANGE. Obviously, when the object is created, the AUT parameter can be changed to another value such as *USE, *EXCLUDE, or the name of an authorization list. But most people just let it default, resulting in the object having *PUBLIC authority *CHANGE.

Please resist the temptation to start up an emulation session and quickly change your system's QCRTAUT system value to a more restrictive setting (such as *USE or *EXCLUDE.) While that may be what you end up doing after reading this column, there are some things you will want to consider before changing QCRTAUT to either *USE or *EXCLUDE.

First, there are some objects that require a user to have *CHANGE authority to use them--I'm speaking primarily of *DEVDs and *MSGQs. You might think about changing the command default for the Authority parameter of the Create Device Description (CRTDEVD) command to *CHANGE, but that won't do a lot of good when the system goes to auto-create a device and its corresponding message queue. Under the covers, OS/400 uses a different interface--not the CRTDEVD command to create devices. Therefore, unless you take some action, no one will be able to use the device descriptions or the message queues OS/400 automatically creates for you. You have two options. One is to manually update the authority to the device descriptions and their message queues, either giving everyone *PUBLIC authority or giving individuals *CHANGE authority to the device description and its message queue. The other is to change the Create Authority of QSYS to be *CHANGE.

If you change the Create Authority of QSYS, you will then want to change the command default for the Create Library (CRTLIB) command to be either *USE or *EXCLUDE (your preference). You may not realize it, but all libraries are created into the system library QSYS. Therefore, the *PUBLIC authority of all libraries comes from the Create Authority of the QSYS library. Changing the default for the Authority parameter on the CRTLIB command will ensure that all libraries are created with the appropriate *PUBLIC authority.

Another consideration is how changing this value will affect your applications. If your application authorization model depends on users having access through *PUBLIC authority and your application dynamically creates objects (e.g., files or data areas) application users need to read or update, your application might fail with a "Not authorized" message. Hang on--there's an answer to this problem. Remember the Create authority parameter on libraries? It defaults to *SYSVAL, but you can change that parameter to a value such as *USE or *EXCLUDE or even an authorization list name. So you can change the QCRTAUT system value to one value, such as *EXCLUDE, and change the Create authority parameter of your application's query library to *USE. Then, when an object is created into this library, the value specified in the Create authority value will be used for the object's *PUBLIC authority. Therefore, all new queries will be created with *PUBLIC authority *USE. Note that changing the Create authority parameter does not affect the *PUBLIC authority of existing objects in the library.

With more applications creating objects into the IFS, you might wonder how *PUBLIC authority defaults for those objects. This will be a topic of a future "Security Patrol" column.

A Completely Different Subject

Now, if you'll allow, I'd like to redirect your thoughts to something that has absolutely nothing to do with security. Rather, it has to do with what is going to occur during the next few weeks--the holiday season. Unfortunately, we often get caught up in the hustle and bustle of the season and don't take time to enjoy it. So the rest of this column is dedicated to tips to help you enjoy the weeks between now and the end of 2002.

Tip #1

Set reasonable expectations for yourself and your family--in other words, be realistic and carefully plan your schedule. At some point, we must face the fact that we are not supermen and superwomen. You cannot physically attend every event that is scheduled for this time of year. For example, you might limit yourself to only one or two events per week between now and the end of the year. Once you decide on the limit, stick to it! This will make you stop and evaluate which events you really want to attend. Limiting your activities will preserve your energy and your sanity!

Tip #2

Have some self-control. Have you ever noticed that diet food and exercise machines go on sale the first week of January? Ever gotten a sick feeling when you receive your credit card bill in January? Determine that you are going to have self-control this year. You can probably recite all the popular tips for not overeating--don't go to a party starved, drink lots of water, and so on. And I'm sure your intent is not to overspend. However, until you decide in your heart to exercise self-control, you are doomed to failure again this year. My advice is to tell someone that you're trying to control your urges--your spouse, a family member, or perhaps a close friend. It doesn't matter who you choose, as long as it's someone you trust who is willing to help keep you on track.

Tip #3

Be thankful! Did you ever notice that most merchants jump directly from Halloween into Christmas? Those of us in the United States are about to celebrate Thanksgiving. We all have many things to be thankful for. Forget for a moment the turmoil and troubles in the world today and reflect on the things you have to be thankful for. Then, carry that thankful heart all the way through the holiday season.

Tip #4

Perform your activities with joy. People will be celebrating the upcoming season in many different ways. Whatever our reasons to celebrate are, we all have reasons to experience and share joy. But we often forget these reasons and abandon the spirit of joy as we elbow our way to the front of the line at the shopping mall in our quest to find the absolute best deal on that holiday gift.

Tip #5

Be generous--share your joy. Keep your thankful heart past Thanksgiving and share it throughout the holiday season. Sharing your joy will plant a smile on your face, and your attitude will be contagious to all those you come in contact with. Remember, it is always better to give than to receive. What better gifts to give than a thankful heart and a spirit filled with joy.

Thank you for letting me divert briefly from my technical writing. I wish you great joy this holiday season.


Carol Woodbury is co-author of the book Implementing AS/400 Security as well as co-founder of SkyView Partners, a firm specializing in security consulting and services. Carol has 13 years in the security industry, 10 of those working for IBM's Enterprise Server Group as the AS/400 Security Architect and Chief Engineering Manager of Security Technology. Carol recently authored iSeries security training videos that are now available for purchase at www.expertanytime.comCarol can be reached at This email address is being protected from spambots. You need JavaScript enabled to view it..


Carol Woodbury

 

Carol Woodbury is IBM i Security SME and Senior Advisor to Kisco Systems, a firm focused on providing IBM i security solutions. Carol has over 30 years’ experience with IBM i security, starting her career as Security Team Leader and Chief Engineering Manager for iSeries Security at IBM in Rochester, MN. Since leaving IBM, she has co-founded two companies: SkyView Partners and DXR Security. Her practical experience and her intimate knowledge of the system combine for a unique viewpoint and experience level that cannot be matched.

Carol is known worldwide as an author and award-winning speaker on security technology, specializing in IBM i security topics. She has written seven books on IBM i security, including her two current books, IBM i Security Administration and Compliance, 3rd Edition and Mastering IBM i Security, A Modern, Step-by-Step Approach. Carol has been named an IBM Champion since 2018 and holds her CISSP and CRISC security certifications.


MC Press books written by Carol Woodbury available now on the MC Press Bookstore.

IBM i Security Administration and Compliance: Third Edition
Don't miss the newest edition by the industry’s #1 IBM i security expert.
List Price $71.95

Now On Sale

Mastering IBM i Security Mastering IBM i Security
Get the must-have guide by the industry’s #1 security authority.
List Price $49.95

Now On Sale

BLOG COMMENTS POWERED BY DISQUS

LATEST COMMENTS

Support MC Press Online

$

Book Reviews

Resource Center

  • SB Profound WC 5536 Have you been wondering about Node.js? Our free Node.js Webinar Series takes you from total beginner to creating a fully-functional IBM i Node.js business application. You can find Part 1 here. In Part 2 of our free Node.js Webinar Series, Brian May teaches you the different tooling options available for writing code, debugging, and using Git for version control. Brian will briefly discuss the different tools available, and demonstrate his preferred setup for Node development on IBM i or any platform. Attend this webinar to learn:

  • SB Profound WP 5539More than ever, there is a demand for IT to deliver innovation. Your IBM i has been an essential part of your business operations for years. However, your organization may struggle to maintain the current system and implement new projects. The thousands of customers we've worked with and surveyed state that expectations regarding the digital footprint and vision of the company are not aligned with the current IT environment.

  • SB HelpSystems ROBOT Generic IBM announced the E1080 servers using the latest Power10 processor in September 2021. The most powerful processor from IBM to date, Power10 is designed to handle the demands of doing business in today’s high-tech atmosphere, including running cloud applications, supporting big data, and managing AI workloads. But what does Power10 mean for your data center? In this recorded webinar, IBMers Dan Sundt and Dylan Boday join IBM Power Champion Tom Huntington for a discussion on why Power10 technology is the right strategic investment if you run IBM i, AIX, or Linux. In this action-packed hour, Tom will share trends from the IBM i and AIX user communities while Dan and Dylan dive into the tech specs for key hardware, including:

  • Magic MarkTRY the one package that solves all your document design and printing challenges on all your platforms. Produce bar code labels, electronic forms, ad hoc reports, and RFID tags – without programming! MarkMagic is the only document design and print solution that combines report writing, WYSIWYG label and forms design, and conditional printing in one integrated product. Make sure your data survives when catastrophe hits. Request your trial now!  Request Now.

  • SB HelpSystems ROBOT GenericForms of ransomware has been around for over 30 years, and with more and more organizations suffering attacks each year, it continues to endure. What has made ransomware such a durable threat and what is the best way to combat it? In order to prevent ransomware, organizations must first understand how it works.

  • SB HelpSystems ROBOT GenericIT security is a top priority for businesses around the world, but most IBM i pros don’t know where to begin—and most cybersecurity experts don’t know IBM i. In this session, Robin Tatam explores the business impact of lax IBM i security, the top vulnerabilities putting IBM i at risk, and the steps you can take to protect your organization. If you’re looking to avoid unexpected downtime or corrupted data, you don’t want to miss this session.

  • SB HelpSystems ROBOT GenericCan you trust all of your users all of the time? A typical end user receives 16 malicious emails each month, but only 17 percent of these phishing campaigns are reported to IT. Once an attack is underway, most organizations won’t discover the breach until six months later. A staggering amount of damage can occur in that time. Despite these risks, 93 percent of organizations are leaving their IBM i systems vulnerable to cybercrime. In this on-demand webinar, IBM i security experts Robin Tatam and Sandi Moore will reveal:

  • FORTRA Disaster protection is vital to every business. Yet, it often consists of patched together procedures that are prone to error. From automatic backups to data encryption to media management, Robot automates the routine (yet often complex) tasks of iSeries backup and recovery, saving you time and money and making the process safer and more reliable. Automate your backups with the Robot Backup and Recovery Solution. Key features include:

  • FORTRAManaging messages on your IBM i can be more than a full-time job if you have to do it manually. Messages need a response and resources must be monitored—often over multiple systems and across platforms. How can you be sure you won’t miss important system events? Automate your message center with the Robot Message Management Solution. Key features include:

  • FORTRAThe thought of printing, distributing, and storing iSeries reports manually may reduce you to tears. Paper and labor costs associated with report generation can spiral out of control. Mountains of paper threaten to swamp your files. Robot automates report bursting, distribution, bundling, and archiving, and offers secure, selective online report viewing. Manage your reports with the Robot Report Management Solution. Key features include:

  • FORTRAFor over 30 years, Robot has been a leader in systems management for IBM i. With batch job creation and scheduling at its core, the Robot Job Scheduling Solution reduces the opportunity for human error and helps you maintain service levels, automating even the biggest, most complex runbooks. Manage your job schedule with the Robot Job Scheduling Solution. Key features include:

  • LANSA Business users want new applications now. Market and regulatory pressures require faster application updates and delivery into production. Your IBM i developers may be approaching retirement, and you see no sure way to fill their positions with experienced developers. In addition, you may be caught between maintaining your existing applications and the uncertainty of moving to something new.

  • LANSAWhen it comes to creating your business applications, there are hundreds of coding platforms and programming languages to choose from. These options range from very complex traditional programming languages to Low-Code platforms where sometimes no traditional coding experience is needed. Download our whitepaper, The Power of Writing Code in a Low-Code Solution, and:

  • LANSASupply Chain is becoming increasingly complex and unpredictable. From raw materials for manufacturing to food supply chains, the journey from source to production to delivery to consumers is marred with inefficiencies, manual processes, shortages, recalls, counterfeits, and scandals. In this webinar, we discuss how:

  • The MC Resource Centers bring you the widest selection of white papers, trial software, and on-demand webcasts for you to choose from. >> Review the list of White Papers, Trial Software or On-Demand Webcast at the MC Press Resource Center. >> Add the items to yru Cart and complet he checkout process and submit

  • Profound Logic Have you been wondering about Node.js? Our free Node.js Webinar Series takes you from total beginner to creating a fully-functional IBM i Node.js business application.

  • SB Profound WC 5536Join us for this hour-long webcast that will explore:

  • Fortra IT managers hoping to find new IBM i talent are discovering that the pool of experienced RPG programmers and operators or administrators with intimate knowledge of the operating system and the applications that run on it is small. This begs the question: How will you manage the platform that supports such a big part of your business? This guide offers strategies and software suggestions to help you plan IT staffing and resources and smooth the transition after your AS/400 talent retires. Read on to learn: