ATTN key program – AS/400 – QSECOFR – Program that adopts authority

Tags:
AS/400
IBM
iSeries
PGM
QSECOFR
Scenario: let's say I have a user that has authority to a PGM that adopts QSECOFR authority. If that user has limited capability set to *NO or *YES, what is the link with the ATTN Key PGM value? From an IT/Security audit perspective, how do the limit capability value and ATTN key PGM value (in the DSPUSRPRF files) come into play? If there's a risk identified, how would one mitigate it?

Discuss This Question: 4  Replies

  • Splat
    If the program runs under QSECOFR authority and the user has access to it, it's a possible security risk. The level of the risk depends on what the user has access to while running the program.

    LMTCPB won't necessarily stop a user from accessing it, and ATNPGM is only relevant if the program in question is available via the attention program.
  • aldc123
    First of all, thanks for your reply.

    Okay, so what's the link with LMTCPB in this scenario? Any at all? As a mitigating procedure (or a partial one)? And could you provide me with a brief description of ATNPGM and how I can figure out whether the program is available via the attention program? What about the ATNPGM value for each user? Thanks a lot in advance! :)

  • Splat
    Take a look at the help text & the available options for LMTCPB & you'll see why it may or may not have any bearing on the scenario described.

    You can provide a single program for every user's ATNPGM, or define it system wide (see the help text for further details).  If the program isn't available through the ATNPGM entry (we have a pop-up menu window, others provide other functions) and the program isn't the ATNPGM entry, the user should not be able to access it through that avenue.
  • TheRealRaven
    "If that user has limited capability set to *NO or *YES, what is the link with the ATTN Key PGM value?"

    Practically none. The two are effectively unrelated.

    "If there's a risk identified, how would one mitigate it?"

    Adopted authority becomes effective when the user authority is insufficient and the adoption can provide enough. LMTCPB() isn't an authority; it's a capability. It's unlikely that any effect would appear.

    An unlikely possibility could be if a program accepted an input string from the user and executed it as a command.

    It can be easily tested. Create a new LMTCPB(*YES) user. Compile this program with USRPRF(*OWNER):
    pgm
    
       /* Command-line window: anything typed here runs with the adopted authority */
       call QUSCMDLN
    
       /* Full-screen Command Entry display: same exposure, different interface */
       call QCMD
    
       return
    
    endpgm
    Change the owner, if necessary, to a high-authority user (not QSECOFR); and assign it as the ATNPGM for the new user. Sign on and test commands both inside and outside the ATNPGM.

    BTW, none of your objects should be owned by QSECOFR nor any other IBM-supplied user profile (except if recommended by IBM). That applies to QSECOFR, QPGMR, QSYSOPR and any others. If QSECOFR-level authority is needed, use it to create a user profile with needed *SECOFR capabilities and then use that new profile.

    In general, that's all you should ever use QSECOFR (et al.) for outside of instructions from IBM. You shouldn't otherwise sign on with it, run jobs with it, have it own programs nor anything else. When profiles are in use, various actions cause updates to the *USRPRF objects. (E.g., actions like assigning ownership to objects.)

    If one of various system failures happens while the profile is in the middle of being updated, object damage can occur. No one wants to try running a system with a damaged QSECOFR profile. Not even to try to recover it.
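The setup the answer above describes, spelled out as CL commands, plus the audit-side commands that let you see the two values the question asks about. This is an added example and is not code from the thread; the library SECTEST, the owning profile SECADM (a *SECOFR-class profile created for the purpose, not QSECOFR) and the test user TESTLMT are assumed names. The outfile field names UPLMTC, UPATPG and UPATPL are taken from the DSPUSRPRF model file QADSPUPB as I recall them; check them against QSYS/QADSPUPB on your release before relying on the query.

```cl
/* Added example, not part of the original thread. Run from a profile with      */
/* *SECADM and *ALLOBJ. Assumes: library SECTEST exists, the pgm/endpgm source */
/* from the answer is in member ADOPTTST of SECTEST/QCLSRC, and SECADM is a     */
/* non-IBM high-authority profile that will own the program.                    */

/* 1. Throwaway limited-capability user. LMTCPB(*YES) removes the command line */
/*    from IBM menus and rejects most commands typed on one, but it is not an  */
/*    object authority, so it says nothing about what an adopting program does. */
CRTUSRPRF USRPRF(TESTLMT) PASSWORD(Change1Me) PWDEXP(*YES) +
          USRCLS(*USER) SPCAUT(*NONE) LMTCPB(*YES) INLMNU(MAIN) +
          TEXT('adopted-authority test user')

/* 2. Compile with USRPRF(*OWNER): the program runs with its owner's authority  */
/*    added to the caller's. USEADPAUT(*YES) also lets it use authority        */
/*    adopted by programs higher in the call stack.                              */
CRTCLPGM PGM(SECTEST/ADOPTTST) SRCFILE(SECTEST/QCLSRC) SRCMBR(ADOPTTST) +
         USRPRF(*OWNER) USEADPAUT(*YES)

/* 3. Hand ownership to the high-authority profile (not QSECOFR, per the      */
/*    answer) and revoke the compiling user's own authority.                    */
CHGOBJOWN OBJ(SECTEST/ADOPTTST) OBJTYPE(*PGM) NEWOWN(SECADM) CUROWNAUT(*REVOKE)

/* 4. Let the limited user call it, and make it that user's attention program. */
/*    Now pressing ATTN gives TESTLMT a command line that runs as SECADM.       */
GRTOBJAUT OBJ(SECTEST/ADOPTTST) OBJTYPE(*PGM) USER(TESTLMT) AUT(*USE)
CHGUSRPRF USRPRF(TESTLMT) ATNPGM(SECTEST/ADOPTTST)

/* Sign on as TESTLMT, press ATTN, and try e.g. WRKUSRPRF or CHGUSRPRF there;  */
/* then try the same commands from the initial menu's command line to see      */
/* LMTCPB(*YES) reject them outside the adopting program.                       */

/* ---- Audit side: the checks a reviewer runs, no sign-on as the user needed -- */

/* What the program adopts (User profile . . . : *OWNER) and who owns it.      */
DSPPGM PGM(SECTEST/ADOPTTST)

/* Every program on the system that adopts SECADM's authority.                  */
DSPPGMADP USRPRF(SECADM)

/* Who can call the program (*PUBLIC *USE would widen the exposure to everyone).*/
DSPOBJAUT OBJ(SECTEST/ADOPTTST) OBJTYPE(*PGM)

/* The "DSPUSRPRF files" the question refers to: one row per profile.          */
/* Assumed field names (model file QSYS/QADSPUPB): UPUPRF = profile,           */
/* UPLMTC = LMTCPB, UPATPL/UPATPG = ATNPGM library and program.                */
DSPUSRPRF USRPRF(*ALL) TYPE(*BASIC) OUTPUT(*OUTFILE) OUTFILE(SECTEST/USRPRFS)

/* Profiles whose attention program is a named program rather than the system  */
/* value: each one should be compared with the DSPPGMADP list of its owner.    */
RUNSQL SQL('CREATE TABLE SECTEST/ATNREVIEW AS (SELECT UPUPRF, UPLMTC, +
            UPATPL, UPATPG FROM SECTEST/USRPRFS WHERE UPATPG NOT IN +
            (''*SYSVAL'', ''*NONE'', ''*ASSIST'')) WITH DATA') +
       COMMIT(*NONE) NAMING(*SYS)

/* Clean up the test objects afterwards.                                        */
DLTUSRPRF USRPRF(TESTLMT) OWNOBJOPT(*DLT)
DLTPGM PGM(SECTEST/ADOPTTST)
```

The point the commands make concrete: LMTCPB only governs command lines the user reaches on their own, while a named ATNPGM is a program the user reaches with one keystroke. The risk therefore lives in the intersection of three lists, which the audit commands produce independently: programs that adopt a high-authority owner (DSPPGMADP), profiles authorized to call them (DSPOBJAUT), and profiles whose ATNPGM points at one of them (the outfile query). Mitigation follows the same shape: remove USRPRF(*OWNER) where it isn't needed, own the rest by a purpose-built profile rather than QSECOFR, restrict *PUBLIC authority on them, and keep ATNPGM at *SYSVAL or a program that offers a fixed menu rather than a command line.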
