AUDIT: Attention Key Program, programs that adopt QSECOFR, and object authority

Tags: AS/400, QSECOFR
Hi all,
Two questions:
  1. If public is *USE to a program that adopts QSECOFR authority, how do I determine whether a user can use the program, through an attention key program and the command line (if limit capabilities = *NO)? Which values do I need to look at? If public is *EXCLUDE, is my risk covered, or could a user with *ALLOBJ still use the program?
  2. If I have an object that is a financial file and want to find out whether access to that file is appropriate, I display the library authorities and find that they are okay. Should I bother looking into the object authority itself? Or, if the user doesn't have access to the library, is the object itself unattainable? What if the user has *ALLOBJ?
Thanks a lot in advance!


Software/Hardware used:
OS/400

Answer Wiki


1. Limit capabilities on the *USRPRF relates to the ALWLMTUSR() attribute on the *CMD object. It gives you a way to allow command-line access without allowing all commands, but if they can use a CALL command it won’t restrict which program they can call. *PUBLIC *EXCLUDE will stop them unless they have explicit authority or *ALLOBJ (see below).

2. To access an object you need various rights to the object depending on use, plus *READ rights to the *LIB. If the lib has *EXCLUDE, you’re safe – except for *ALLOBJ.

Think of *ALLOBJ as a complete bypass of the normal object level system authorities – if a user has *ALLOBJ then normal object / library level authorities will not stop them. (This is why it should be _very_ restricted).
As for attention key programs, it all depends on what the program does. If it just brings up a menu then they can only do what that menu allows. As a developer I use one that calls QCMD so that I can start the interactive debugger in the middle of testing a program. Not something to give to your average user.

Discuss This Question: 4 Replies

  • aldc123
    Thank you for your answer! :-)

    Let's say command XYZ has PUBLIC set to *EXCLUDE.
    If I have access to command line and not *ALLOBJ, I cannot access that command, right?
    If I have *ALLOBJ or belong to the authorization list, then I can launch it? 

    Thanks in advance, 
  • GregManzo
    Yes, that's correct.
  • azohawk
    I used to have a book that in a couple of pages clearly outlined the checks used for authority checking. I don't recall all of the exact steps in the middle, but it went something like this:
    1. Does the user have *ALLOBJ? If yes, they get in.
    2. Does the object explicitly grant authority to the user? If yes, and the granted authority permits the user to do what they are trying to do, permission is granted.
    3. Check if the user has group authority.
    4. Check the authorization list.
    5. *PUBLIC authority is the final check.

    (I think that there was one more check, but I don't recall it off hand and I may have 3 and 4 reversed--but you get the idea).

    Of course if they don't have authority to the library, I don't think that can be bypassed at the object level.

    Seldom should anyone outside of I.T. have *ALLOBJ, and that should be limited to administrators of the system.
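The authority-checking order sketched in the comment above, together with the answer's two rules (*ALLOBJ bypasses everything; an *EXCLUDE library blocks the object inside it), can be turned into a small model so that the questions in the original post (who can CALL a program that adopts QSECOFR, and whether a public *CHANGE file in an *EXCLUDE library is reachable) can be checked case by case. The code below is an added teaching example, not code from this thread and not IBM's own authority-checking implementation: the five steps follow azohawk's list, the library check follows GregManzo's answer, and every user, library and object name (ALICE, BOB, CAROL, DAVE, PAYROLL, FINLIB, ADOPTPGM, PAYLIB, PAYFILE) is constructed for the demo. One modelling choice is labelled in the code: an explicit private entry for the user is treated as decisive, so a private *EXCLUDE is not rescued by later steps.

```python
# Added example (not from the thread, and not IBM's own authority-checking code):
# a simplified model of IBM i object-authority checking that follows the order
# outlined in azohawk's comment and the *ALLOBJ / library rules from the answer.
# All user, library and object names below are constructed for the demo.

from dataclasses import dataclass, field
from typing import Optional

# Rights implied by the authority special values (IBM i definitions).
AUTHORITY_VALUES = {
    "*ALL":     {"*OBJOPR", "*OBJMGT", "*OBJEXIST", "*OBJALTER", "*OBJREF",
                 "*READ", "*ADD", "*UPD", "*DLT", "*EXECUTE"},
    "*CHANGE":  {"*OBJOPR", "*READ", "*ADD", "*UPD", "*DLT", "*EXECUTE"},
    "*USE":     {"*OBJOPR", "*READ", "*EXECUTE"},
    "*EXCLUDE": set(),
}


def rights_of(value: str) -> set:
    return AUTHORITY_VALUES[value]


@dataclass
class User:
    name: str
    groups: list = field(default_factory=list)    # group profiles the user belongs to
    allobj: bool = False                          # *ALLOBJ special authority


@dataclass
class SecuredObject:
    name: str
    private: dict = field(default_factory=dict)   # profile name -> authority value
    authlist: Optional[dict] = None               # authorization list entries, or None
    public: str = "*EXCLUDE"                      # *PUBLIC authority, or "*AUTL"


def check_object(user: User, obj: SecuredObject, needed: set) -> tuple:
    """Decide whether `user` holds every right in `needed` to `obj`.
    Returns (allowed, reason). Order: *ALLOBJ, private authority, group
    authority, authorization list, *PUBLIC. Modelling choice: an explicit
    private entry for the user is decisive, so a private *EXCLUDE is not
    rescued by group, authorization-list or public authority."""
    if user.allobj:                                            # 1. *ALLOBJ
        return True, "*ALLOBJ bypasses object authority entirely"
    if user.name in obj.private:                               # 2. private authority
        value = obj.private[user.name]
        return needed <= rights_of(value), f"private authority {value}"
    group_rights, group_found = set(), False                   # 3. group authority
    for group in user.groups:
        if group in obj.private:
            group_found = True
            group_rights |= rights_of(obj.private[group])      # groups accumulate
    if group_found:
        return needed <= group_rights, "group authority"
    if obj.authlist:                                           # 4. authorization list
        for name in [user.name, *user.groups]:
            if name in obj.authlist:
                value = obj.authlist[name]
                return needed <= rights_of(value), f"authorization list {value} for {name}"
    public = obj.public                                        # 5. *PUBLIC
    if public == "*AUTL":                                      # public taken from the list
        public = (obj.authlist or {}).get("*PUBLIC", "*EXCLUDE")
    return needed <= rights_of(public), f"*PUBLIC {public}"


def can_access(user: User, library: SecuredObject, obj: SecuredObject, needed: set) -> tuple:
    """Library first: without *READ to the library the object is never reached.
    Only *ALLOBJ gets past an *EXCLUDE library, as the answer states."""
    ok, why = check_object(user, library, {"*OBJOPR", "*READ"})
    if not ok:
        return False, f"library {library.name}: {why}"
    ok, why = check_object(user, obj, needed)
    return ok, f"object {obj.name}: {why}"


# Constructed scenario: a program that adopts QSECOFR, and a financial file.
FINLIB   = SecuredObject("FINLIB", public="*USE")
ADOPTPGM = SecuredObject("ADOPTPGM", public="*EXCLUDE", authlist={"CAROL": "*USE"})
PAYLIB   = SecuredObject("PAYLIB", public="*EXCLUDE", private={"PAYROLL": "*USE"})
PAYFILE  = SecuredObject("PAYFILE", public="*CHANGE")   # wide open, but inside PAYLIB

ALICE = User("ALICE")                     # ordinary user with a command line, no *ALLOBJ
BOB   = User("BOB", allobj=True)          # security-officer style profile
CAROL = User("CAROL")                     # named on the program's authorization list
DAVE  = User("DAVE", groups=["PAYROLL"])  # reaches PAYLIB through the PAYROLL group

CALL   = {"*OBJOPR", "*EXECUTE"}          # rights needed to CALL a program
UPDATE = {"*OBJOPR", "*READ", "*UPD"}     # rights needed to update records


def demo() -> dict:
    """Map each constructed case to True (allowed) or False (denied)."""
    return {
        "ALICE calls ADOPTPGM":  can_access(ALICE, FINLIB, ADOPTPGM, CALL)[0],
        "BOB calls ADOPTPGM":    can_access(BOB, FINLIB, ADOPTPGM, CALL)[0],
        "CAROL calls ADOPTPGM":  can_access(CAROL, FINLIB, ADOPTPGM, CALL)[0],
        "ALICE updates PAYFILE": can_access(ALICE, PAYLIB, PAYFILE, UPDATE)[0],
        "DAVE updates PAYFILE":  can_access(DAVE, PAYLIB, PAYFILE, UPDATE)[0],
        "BOB updates PAYFILE":   can_access(BOB, PAYLIB, PAYFILE, UPDATE)[0],
    }


if __name__ == "__main__":
    for case, allowed in demo().items():
        print(f"{case:22} -> {'allowed' if allowed else 'denied'}")
```

Running the demo shows the two points the thread makes: ALICE is stopped by *PUBLIC *EXCLUDE on the program even with a command line, while CAROL (authorization list) and BOB (*ALLOBJ) get through; and a *CHANGE file is still unreachable for ALICE because the PAYLIB library is *EXCLUDE, whereas DAVE reaches it via his group and BOB via *ALLOBJ regardless of either setting.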
  • TheRealRaven
    Actually, those inside IT may be less in need of *ALLOBJ and may be more restricted than normal users (though *ALLOBJ would indeed normally be used only by a couple of IT members). In general, IT shouldn't even have authority to access most business objects.

    However, no matter who has *ALLOBJ, it overrides any exclusions. It's a "special" authority for exceptional (i.e., not day-to-day) use. When it's involved, no other thoughts should matter.