SecureMyi.com Security and Systems Management Newsletter for the IBM i             August 27, 2014 - Vol 4, Issue 14
Security Training from SecureMyi.com


Security software from Powertech



Skyview Partners



Security Training from The 400 School

Feature Article

Adopted Authority and the Mystery of the QUSEADPAUT System Value

By Dan Riehl - SecureMyi.com

The topic of Adopted Authority on IBM i has not been very well understood. We know that it is a method that allows a user to perform functions they are not normally authorized to perform; under Adopted Authority, a user can do more powerful things than their normal permissions allow. Most of us programming techies know how to make a program Adopt the Authority of the program's Owner, but we are unsure how that fits in with the program attribute named USEADPAUT, and with the mysterious System Value QUSEADPAUT.

Many think that the USEADPAUT attribute of a program determines whether the program Adopts Authority, which it surely does not. It is the USRPRF property of a program that determines whether the program Adopts the Owner's Authority. If USRPRF(*OWNER) is specified, the program will Adopt the Authority of the Program's Owner, as shown here.

CRTCLPGM PGM(MYPGM) USRPRF(*OWNER)

The program property USEADPAUT cannot be specified at compile time, but it can be specified using the CHGPGM command. But still, what does USEADPAUT actually do, and why is it set the way it is, to *YES or *NO?

CHGPGM PGM(MYPGM) USEADPAUT(*YES)


A Short History of USEADPAUT and QUSEADPAUT

The QUSEADPAUT System Value was introduced several years ago to address the concern that there was no way to keep adopted authority from flowing down the call stack to all of a program's subprograms. Whenever a program adopted authority, the called subprograms had no way to turn that adopted authority off.

I recall when we, the AS/400 user community, asked IBM back then for a way to create an adopting program that didn't propagate the adopted authority down the stack. We wanted an attribute we could set in the adopting program that said, "This program will adopt but will not pass the adopted authority to any other program." We wanted to contain the adoption within the adopting program itself and not pass it on.

With that functionality, we could control the use of adopted authority very granularly. We could adopt authority in a program that needed additional authority and specify that the program not pass that adopted authority to any called programs. That way we could easily control which programs adopted authority and never worry about the adopted authority being propagated outside of the program. That's what we asked for.

When IBM announced its version of the solution as a PTF to version 3.1 of the OS, we were all a bit dismayed. IBM didn't let us stop the propagation within the adopting program; instead IBM let us set a flag in a called program as to whether the called program was going to use the adopted authority passed to it. It was exactly backwards from what we had asked for. I'm sure many of you remember that discussion.

We wanted control from within the adopting and CALLing program. IBM supplied USEADPAUT to provide control inside the CALLed programs. I wish IBM had done it the other way.

But, IBM ultimately got it right when they released the Built-In MI function MODINVAU, which can be used to stop the propagation of authority outside the adopting program or a program running under adopted authority. See the sidebar "Stop Adoption in the Calling Program using MODINVAU," below.
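To make the two attributes concrete, here is an added example (it is not from the article, and not IBM's code) showing an adopting program, a called program, and the commands that set and check USRPRF and USEADPAUT. The library APPLIB, the file APPLIB/PAYROLL, the owner profile APPOWNER and the program names are assumptions made up for the example.

```cl
/* ADOPTDEMO - an added example, not from the article or from IBM.          */
/* Assumed: library APPLIB and file APPLIB/PAYROLL are owned by profile     */
/* APPOWNER, ordinary users have *EXCLUDE authority to PAYROLL, and         */
/* APPOWNER runs the CRTCLPGM/CHGPGM commands so it owns both programs.     */

/* ---- Source member ADOPTPGM (file APPLIB/QCLSRC) ----------------------- */
/* Compiled with USRPRF(*OWNER): while it runs, the caller also holds       */
/* APPOWNER's authority, so this copy succeeds for any user allowed to     */
/* call the program.                                                         */
PGM
  CPYF FROMFILE(APPLIB/PAYROLL) TOFILE(QTEMP/PAYCOPY1) MBROPT(*REPLACE) +
       CRTFILE(*YES)
  /* Adopted authority flows down this CALL unless SUBPGM refuses it. */
  CALL PGM(APPLIB/SUBPGM)
ENDPGM

/* ---- Source member SUBPGM (file APPLIB/QCLSRC) ------------------------- */
/* Adopts nothing itself (USRPRF(*USER)). Whether this CPYF works for an   */
/* ordinary caller depends only on SUBPGM's own USEADPAUT attribute.        */
PGM
  CPYF FROMFILE(APPLIB/PAYROLL) TOFILE(QTEMP/PAYCOPY2) MBROPT(*REPLACE) +
       CRTFILE(*YES)
ENDPGM

/* ---- Commands, run by APPOWNER ----------------------------------------- */
/* USRPRF is the attribute that makes a program adopt; it is a compile-time */
/* parameter.                                                                */
CRTCLPGM PGM(APPLIB/ADOPTPGM) SRCFILE(APPLIB/QCLSRC) USRPRF(*OWNER)
CRTCLPGM PGM(APPLIB/SUBPGM)   SRCFILE(APPLIB/QCLSRC) USRPRF(*USER)

/* USEADPAUT cannot be given to CRTCLPGM; it is changed afterwards.         */
/* With *NO, SUBPGM ignores the authority ADOPTPGM passes down the stack:   */
/* an ordinary user calling ADOPTPGM gets PAYCOPY1, but the second CPYF     */
/* fails with a not-authorized error. Set it back to *YES and both succeed. */
CHGPGM PGM(APPLIB/SUBPGM) USEADPAUT(*NO)

/* Check both attributes on each program: DSPPGM lists "User profile" and  */
/* "Use adopted authority" separately.                                       */
DSPPGM PGM(APPLIB/ADOPTPGM)
DSPPGM PGM(APPLIB/SUBPGM)

/* The system value only governs who may set USEADPAUT(*YES): *NONE lets    */
/* every user do it, and an authorization list name limits it to users     */
/* with *USE authority to that list (other users' programs get *NO). It     */
/* never decides whether a program adopts; USRPRF(*OWNER) does that.        */
DSPSYSVAL SYSVAL(QUSEADPAUT)
```

The useful test is to sign on as an ordinary user, call ADOPTPGM, and look in QTEMP: with SUBPGM at USEADPAUT(*NO) only PAYCOPY1 appears, which is exactly the "control in the CALLed program" behaviour the article describes.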


In This Issue


Featured Article - QUSEADPAUT

Security Shorts - Easy Reporting on Users

Industry News and Calendar

Security Resources



Our Newsletter Sponsors


Platinum Sponsor

    The 400 School, Inc


Gold Sponsor

    PowerTech

    Skyview Partners, Inc

Silver Sponsor

    Cilasoft Security Solutions

IBM i Security Resources

IBM i Security Videos - SecureMyi

SecureMyi Newsletter Archives

Search Security for IBM i

IBM i Security Ref - 6.1

IBM i Security Ref - 7.1

QAUDJRN Entries By AUDLVL

QAUDJRN Entry Layouts

RedBook - Security Guide IBM i


Open Security Foundation - DataLoss DB

National Vulnerability Database - NIST

PCI Data Security Standard

COBIT - ISACA

HIPAA Resources

HITECH Enforcement

CISSP - Certification



Software from Cilasoft


Security News and Events


Live Security Related Webcasts and Training for IBM i

September Events

Live Hands-On - Expanded Security Workshop for IBM i, iSeries AS/400
with Dan Riehl

Training Workshop - Sep 8-11 - Presented by The 400 School, Inc.
Dan Riehl presents this 4-Day Live Online Hands-on Workshop.
More Information and Register to Attend


Live Hands-On - IBM i Query Workshop for Technical Staff and End Users
with Dan Riehl

Training Workshop - Sep 23 - Presented by The 400 School, Inc.
Dan Riehl presents this Full-Day Live Online Hands-on Workshop.
More Information and Register to Attend


Coffee with Carol: What's New in V7R2 Security!
Live Webcast - Presented by Skyview Partners
Wednesday, Sep 24 10:00am CDT
More Information and Register to Attend


Live Hands-On - QAUDJRN Auditing and Forensic Analysis Workshop
with Dan Riehl

Training Workshop - Sep 25-26 - Presented by The 400 School, Inc.
Dan Riehl presents this 2-Day Live Online Hands-on Workshop.
More Information and Register to Attend





Security Shorts

Great, Yet Simple, Reporting on your User Profiles

By Dan Riehl - SecureMyi.com

When you need to perform quick analysis on your user profiles, here are some tips.

First create a file containing information about all of your user profiles. This will be a snapshot of your current user profiles. You can create this file of users by using the following command.


DSPUSRPRF USRPRF(*ALL) 
          OUTPUT(*OUTFILE) 
          OUTFILE(LibraryName/FileName)

where LibraryName and FileName are the library and file you choose.

Now, using IBM i Access for Windows file transfer, you can simply download the file into Excel and slice and dice the user attributes to your heart's content.

If you want to run some quick reports, you can use the RUNQRY (Run Query) command. One nice thing about using RUNQRY is that you can perform record selection, and optionally specify whether you want a printed report or output displayed on your screen.

Enter the following command to be prompted for record selection criteria:


RUNQRY   QRY(*NONE) 
         QRYFILE((MyLibrary/MyFile)) 
         RCDSLT(*YES)  

Here are some nice record selections you can choose.

Users that have not signed on since July 1, 2014


UPPSOD    LT     '140701'

Users with *ALLOBJ Special Authority in their User Profile


UPSPAU   LIKE   '%ALLOBJ%'

Users with Action Auditing values (e.g., AUDLVL(*CMD))


UPAUDL   NE     '*NONE'  

Using simple tools like STRSQL, RUNQRY, and Download to Excel, you can make great management and auditor reports on your User Profiles.
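For those who want the same three selections in a program that can run in batch rather than through the RUNQRY prompt, here is an added example (not from the article) that takes the DSPUSRPRF snapshot and splits it into three subset files with OPNQRYF and CPYFRMQRYF, using the same field names and comparison values as above. The library REPORTS, the file names and the program name USRRPT are assumptions; it also assumes the previous sign-on date field UPPSOD holds a six-character YYMMDD value, which is the form the '140701' selection above relies on.

```cl
/* USRRPT - an added example, not from the article.                          */
/* Builds the snapshot the article describes and then splits it into the    */
/* three subsets the article's record selections pick out, using OPNQRYF    */
/* instead of the interactive RUNQRY prompt so the job can run in batch.     */
/* Assumed: library REPORTS exists, and the outfile fields UPPSOD (previous  */
/* sign-on date, six characters YYMMDD), UPSPAU (special authorities) and    */
/* UPAUDL (action auditing) are as the article's selections use them.       */
/* Run it as: CALL PGM(REPORTS/USRRPT) PARM('140701')                        */
PGM PARM(&CUTOFF)
  DCL VAR(&CUTOFF) TYPE(*CHAR) LEN(6)       /* YYMMDD, e.g. '140701'          */
  DCL VAR(&SLT)    TYPE(*CHAR) LEN(100)

  /* 1. Snapshot: one record per user profile, kept in QTEMP for this job. */
  DSPUSRPRF USRPRF(*ALL) OUTPUT(*OUTFILE) OUTFILE(QTEMP/USRSNAP)

  /* 2a. Not signed on since the cutoff. A blank date (never signed on)     */
  /*     compares low and is included, which is what an auditor usually     */
  /*     wants; a two-digit year, however, sorts a pre-2000 date above the   */
  /*     cutoff, so very old sign-on dates would be missed.                  */
  CHGVAR VAR(&SLT) VALUE('UPPSOD *LT "' *CAT &CUTOFF *CAT '"')
  OPNQRYF FILE((QTEMP/USRSNAP)) QRYSLT(&SLT) OPNID(INACT)
  CPYFRMQRYF FROMOPNID(INACT) TOFILE(REPORTS/USRINACT) MBROPT(*REPLACE) +
             CRTFILE(*YES)
  CLOF OPNID(INACT)

  /* 2b. Holders of *ALLOBJ. In %WLDCRD the asterisk is itself the default  */
  /*     "any string" wildcard, so "*ALLOBJ*" reads as "contains ALLOBJ".    */
  OPNQRYF FILE((QTEMP/USRSNAP)) QRYSLT('UPSPAU *EQ %WLDCRD("*ALLOBJ*")') +
          OPNID(ALLOBJ)
  CPYFRMQRYF FROMOPNID(ALLOBJ) TOFILE(REPORTS/USRALLOBJ) MBROPT(*REPLACE) +
             CRTFILE(*YES)
  CLOF OPNID(ALLOBJ)

  /* 2c. Action auditing active (any value other than *NONE). */
  OPNQRYF FILE((QTEMP/USRSNAP)) QRYSLT('UPAUDL *NE "*NONE"') OPNID(AUDIT)
  CPYFRMQRYF FROMOPNID(AUDIT) TOFILE(REPORTS/USRAUDIT) MBROPT(*REPLACE) +
             CRTFILE(*YES)
  CLOF OPNID(AUDIT)

  /* 3. Print one of the subsets; each file can also be downloaded to Excel. */
  RUNQRY QRY(*NONE) QRYFILE((REPORTS/USRINACT)) OUTTYPE(*PRINTER)
ENDPGM
```

Keeping the snapshot in QTEMP and the subsets in a permanent library means the subset files can be compared from one run to the next, which is handy when an auditor asks what changed since the last review.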

Try it out!

Sponsored Links

IBM i, iSeries and AS/400
Security Services from SecureMyi


IT Security and Compliance Group


In Depth Security Assessment of IBM i
Upgrade to QSECURITY level 40 or 50
Forensic Research and Analysis
Audit Assistance and Remediation
Security Training for IT and Audit Staff
Software Selection & Configuration
Security and Systems Programming



Live Training from The 400 School, Inc


Customized IBM i (AS/400) Training -
    Presented Live at your offices


Live Online Hands-On Workshops


Send your IBM i Security and Systems Management News and Events!           Send your Questions, Comments, Tips and Stories

Copyright 2014 - SecureMyi.com, all rights reserved

SecureMyi.com | St Louis MO 63017