WRKQRY Security Flaw / Users can Alter/ Replace Data in Production Files

160 pts.
AS/400 security
Can a user change or replace data, members, or the file itself (a prodcution file in a production lib) using WRKQRY...??? I have an auditor who believes in the "Define the Query" display, 2nd to last option ("Select output type and output form") you can specify 3 in the output type (3 = datafile file) and then you press enter to bring up next screen which allows you to specify file lib and member and replace, add, etc... the existing file with the new query output file. If this being the case this would be a paramount security flaw. Can someone please shed any insight or experience realted to this matter. THX

Answer Wiki

Thanks. We'll let you know when a new response is added.

– they would be limited by their authority to the file.
Lacking MGT/EXIST/ALTER authority to the file the user can only alter the file with option 5 – add records to the member. And if the user does not have add authority to the file they cannot do that.

There may be ways to limit use of QUERY

Phil L


No. If you try to do this, you will get the message :

“Output file cannot be same as input file.”

(if you use option 2, replace file), or

“Output member cannot be same as input member.”

(if you use option 4 to replace the member).

I’ve tried doing this by using Query to copy data from a logical to the physical, and with option 2 it will not let me do it because there are logicals over the physical. Using the same method with option 4 gives me the message that the output format is not the same as the file format. This would appear to be because even though the logical uses the same format name, with all the physical file’s fields in the right order, a different level ID is created for the logical than that which was created for the physical.

I have tried, but I can’t overwrite the data in the way your auditor describes. I hope this helps.



Discuss This Question: 2  Replies

There was an error processing your information. Please try again later.
Thanks. We'll let you know when a new response is added.
Send me notifications when members answer or reply to this question.
  • Gilly400
    Hi, Unless the output format is the same as the existing file (which is unlikely from a query), then the only thing they can possibly do is replace the file. If this happens then your application programs are likely to start crashing with level checks, so you'll know straight away that someone's done this. If you have your security set up correctly with authorisations to files ,etc then you shouldn't get this happening. If you don't have your security set up right, then your users can probably use all sorts of other ways to modify data they shouldn't be modifying. You can always set up a test file and user and show this to your auditor - just to prove the point. Regards, Martin Gilbert.
    23,730 pointsBadges:
  • TomLiotta
    If you've given authority to change the file data to the user, they can change it with WRKQRY or UPDDTA or ODBC or RPG or COBOL or CL or REXX or remote commands or... well, just about any tool they can get hold of that's capable of issuing file updates. The security flaw is not in the tools; it's in the authority that's been granted to the users. If you don't want a user to change file data, revoke the authority to change the data. Tom
    125,585 pointsBadges:

Forgot Password

No problem! Submit your e-mail address below. We'll send you an e-mail containing your password.

Your password has been sent to:

To follow this tag...

There was an error processing your information. Please try again later.

Thanks! We'll email you when relevant content is added and updated.


Share this item with your network: