AS/400 User Class and Special Authority

Tags:
AS/400
AS/400 security
Hi, everyone. I have been going through the AS/400 Security Reference and seem to understand some parts of it, but I find it so difficult to understand the table below.
Special Authority                     User Classes
                     *SECOFR   *SECADM    *PGMR      *SYSOPR    *USER
*ALLOBJ              All       10 or 20   10 or 20   10 or 20   10 or 20
*AUDIT               All
*IOSYSCFG            All
*JOBCTL              All       10 or 20   10 or 20   All
*SAVSYS              All       10 or 20   10 or 20   All        10 or 20
*SECADM              All       All
*SERVICE             All
*SPLCTL              All
Could anyone give me a clue what it means? Thank you.

Answer Wiki


When creating a user profile, it is necessary to assign a user class to that profile (across the top). There are also special authorities (the ability to do specific things on the system) listed along the left. The chart then details which special authorities are assigned to that user class (and in some cases the chart indicates that this is done only at selected security levels; at other security levels this does not happen).

Example: A user profile with user class *PGMR has all object authority by default at security levels 10 and 20; at security levels 30 and above this does not happen automatically.

Discuss This Question: 11 Replies

  • TheRealRaven
    The table is Table 1. 'Default special authorities by user class'. It's a table that shows a relationship between the USRCLS() and the SPCAUT() attributes of user profiles.

    The Security Reference says this:

    Possible values for USRCLS: Table 1 shows the possible user classes and what the default special authorities are for each user class. The entries indicate that the authority is given at security levels 10 and 20 only, at all security levels, or not at all.

    The default value for user class is *USER.


    When you create a user profile, a USRCLS() attribute is set. (If you don't give the values, it will default to "*USER".) The table shows what values are assigned for SPCAUT() depending on what is set for USRCLS(). It also shows that SPCAUT() will be set differently depending on the QSECURITY system value.

    So, for a user profile that is created as USRCLS(*SECOFR), the default will have every special authority assigned to the SPCAUT() attribute. Further, it doesn't matter what the QSECURITY system value is. Each special authority will be assigned for that user profile at "All" QSECURITY settings.

    But if a user profile is created with USRCLS(*SYSOPR), the default special authorities change for different QSECURITY levels. You can go down that column to see what SPCAUT() values will be set.

    If QSECURITY is set to level 10 or level 20, a USRCLS(*SYSOPR) profile will get SPCAUT(*ALLOBJ *JOBCTL *SAVSYS *SECADM). Those are the ones that are marked in that column. For any other QSECURITY level, only SPCAUT(*SECADM) will be given.

    Each USRCLS() column can be read the same way.

    There is a little confusion that could be cleared up. It is no longer possible to set QSECURITY to level 10, so the "10 or 20" should now only be "20". Level 10 only applies to old systems.

    Also, keep in mind that the table only shows defaults for SPCAUT(). You can assign any special authorities you want to any profile that you create, as long as you have the authority yourself.
    35,040 points
  • srithea

    @TheRealRaven: Thanks for your explanation.

    This helps me a lot, but I don't seem to clearly understand the meaning of each cell. E.g., does a "blank cell" mean that that specific USRCLS() is not assigned to the SPCAUT? And "All"? And also "the security level"?

    Could you help me clear this up? I really want to understand the relation between USRCLS() and SPCAUT().

    I really appreciate your time.

    370 points
  • TheRealRaven
    ...means that that specific USRCLS() is not assigned to the SPCAUT?

    A USRCLS() is never assigned to a SPCAUT(). A user profile is set as a USRCLS(). And a user profile is also assigned one or more SPCAUT() values, or no special authorities at all.

    ...
    "blank cell" means that that specific USRCLS() is not assigned...

    A blank means that the special authority is not assigned to a user profile of that user class. It isn't assigned no matter what the system security level is.

    and "All"?

    "All" means that the special authority is assigned for that user class at all security levels.

    and as well as "the security level".

    The "security level" is the value in the QSECURITY system value. The help text for QSECURITY describes what each level is for. The Security Reference has more detail.

    Don't pay much attention to USRCLS(). It only has two functions.

    First, it determines the default value for the SPCAUT() attribute when you create user profiles. It doesn't stop any special authorities from being assigned, as long as you have the personal authority to assign them. It only determines defaults.

    And second, it can determine what menu options appear on some menus. If you aren't the right user class, you won't see the menu options. It doesn't stop you from performing the actions of those options if you know how to do them outside of the menu. It just hides the options from view.

    Other than that, the USRCLS() attribute is meaningless.
    35,040 points
  • srithea

    @TheRealRaven

    I get the point now.

    If USRCLS() is not really a core part of AS400 user security, then what is the core part that I should look for?

    Could you provide me any link that I can refer to?

    ^^ Thank you

    370 points
  • TheRealRaven
    Be especially careful of the SPCAUT() attributes of user profiles that you create. Never give a special authority to a user profile unless it's absolutely necessary for that job function and the authority cannot be obtained by other means, e.g., by 'adopted authority'. And when obtaining a needed special authority, be sure not to obtain additional unneeded special authorities.

    If that is used as a guiding principle, other elements will become more certain. It will also help force you to learn other security aspects.
    35,040 points
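As an added example (not code from this thread or from IBM), the following Python models the table posted in the question as TheRealRaven's first reply explains it, deriving the default SPCAUT() for a USRCLS() at a given QSECURITY level, and then applies the rule in the reply above by flagging profiles whose actual SPCAUT() goes beyond the class default, which is where a least-privilege review of special authorities would start. The profile records and their DSPUSRPRF-like shape are constructed assumptions.

```python
from typing import Dict, FrozenSet, List
# Table 1 as posted: rows are special authorities, columns user classes. A cell is
# "All" (granted at every QSECURITY level), "10 or 20" (levels 10/20 only) or absent.
DEFAULTS_TABLE = {
    "*ALLOBJ":   {"*SECOFR": "All", "*SECADM": "10 or 20", "*PGMR": "10 or 20",
                  "*SYSOPR": "10 or 20", "*USER": "10 or 20"},
    "*AUDIT":    {"*SECOFR": "All"},
    "*IOSYSCFG": {"*SECOFR": "All"},
    "*JOBCTL":   {"*SECOFR": "All", "*SECADM": "10 or 20", "*PGMR": "10 or 20",
                  "*SYSOPR": "All"},
    "*SAVSYS":   {"*SECOFR": "All", "*SECADM": "10 or 20", "*PGMR": "10 or 20",
                  "*SYSOPR": "All", "*USER": "10 or 20"},
    "*SECADM":   {"*SECOFR": "All", "*SECADM": "All"},
    "*SERVICE":  {"*SECOFR": "All"},
    "*SPLCTL":   {"*SECOFR": "All"},
}
QSECURITY_LEVELS = (10, 20, 30, 40, 50)  # 10 only exists on very old releases

def default_spcaut(usrcls: str, qsecurity: int) -> FrozenSet[str]:
    """Default SPCAUT() for a new profile of class usrcls at this QSECURITY."""
    usrcls = usrcls.upper()
    if usrcls not in DEFAULTS_TABLE["*ALLOBJ"]:  # every class has an *ALLOBJ cell
        raise ValueError(f"unknown USRCLS {usrcls}")
    if qsecurity not in QSECURITY_LEVELS:
        raise ValueError(f"unknown QSECURITY level {qsecurity}")
    granted = set()
    for spcaut, cells in DEFAULTS_TABLE.items():
        cell = cells.get(usrcls)
        if cell == "All" or (cell == "10 or 20" and qsecurity <= 20):
            granted.add(spcaut)
    return frozenset(granted)

def excess_spcaut(profiles: Dict[str, dict], qsecurity: int) -> Dict[str, List[str]]:
    """Per profile, the SPCAUT() values that exceed the USRCLS() default.
    profiles maps USRPRF -> {"usrcls": ..., "spcaut": [...]}; {} means none exceed."""
    report = {}
    for name, attrs in profiles.items():
        actual = {a.upper() for a in attrs["spcaut"]} - {"*NONE"}
        extra = sorted(actual - default_spcaut(attrs["usrcls"], qsecurity))
        if extra:
            report[name] = extra
    return report

# Constructed sample shaped like what DSPUSRPRF reports; not real system data.
SAMPLE_PROFILES = {
    "OPER1": {"usrcls": "*SYSOPR", "spcaut": ["*JOBCTL", "*SAVSYS"]},
    "DEV1":  {"usrcls": "*PGMR",   "spcaut": ["*ALLOBJ", "*JOBCTL"]},
    "USER1": {"usrcls": "*USER",   "spcaut": ["*NONE"]},
}
```

Running `excess_spcaut(SAMPLE_PROFILES, 40)` flags only DEV1, whose *ALLOBJ and *JOBCTL are class defaults at level 20 but explicit grants at level 30 and above.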
  • srithea

    @TheRealRaven

    Thank you very much.

    This helps me a lot.

    I really appreciate each of your responses.

    370 points
  • srithea

    @TheRealRaven

    I have another question about audit log in AS400.

    Can any user profile modify the audit log history?

    370 points
  • TheRealRaven
    No. And there is no published method of altering the system audit journal at all on a reasonably secured IBM i system (other than deleting it, of course).
    35,040 points
  • srithea

    @TheRealRaven

    You mean it can be deleted?

    So that all the logs are gone, even the activity of the user profile that deleted the log?

    It must be a user profile with *AUDIT in SPCAUT() that can do that, am I correct?

    370 points
  • TheRealRaven
    Since this is a very different question, please open a new question. That will help if anyone needs the info in the future. Thank you.
    35,040 points
  • srithea

    @TheRealRaven

    I have posted the new question.

    Please help me with the answer.

    Thank you very much.

    370 points
