February 15, 2012 - Vol 2, Issue 4
From the Editor
Thank you for subscribing to the SecureMyi Security Newsletter.
In this issue we present the first article in our Guest Author series with a great article on the topic of Authorization Lists by Carol Woodbury. Carol is the President and Co-Founder of Skyview Partners, Inc. and is well known around the IBM i world as one of our top security experts. She is a regular speaker at industry events, technical webinars, and her regular Coffee with Carol Webcasts are a nice way to launch your day.
Carol is also the author of several books including Experts' Guide to OS/400 and i5/OS Security. Her latest book, IBM i and i5/OS Security and Compliance: A Practical Guide, is a comprehensive guide for all of us in the IBM i Security Community.
This Issue's Educational YouTube Video on 'Misconceptions when using Authorization Lists' ties in very nicely with Carol's article.
In the Upcoming Leap-Day issue (February 29) we introduce our new column entitled Security Code for i.
Security Code for i will be a regular feature in which we present Source Code and instructions for security and auditing utilities you can build on your own system to help augment your toolset. Wait till you see the first installment, it is fabulous!
In this issue, I have begun using a Chili Pepper icon to help identify those articles that I think contain blazing HOT technical content. While all of our content is HOT, these are outstanding articles. Try following the Red Chili Peppers!
Get the Book "Powertips for OS/400 and IBM i Security" for FREE!
All new subscribers, and existing subscribers who update their subscription options, receive a free copy of my book "PowerTips for IBM i Security", published by System iNEWS magazine. The book is a large gathering of tips, techniques and little-known security-related tidbits. A $20 retail value.
All my very best to you. I hope you enjoy this issue,
Dan Riehl
www.SecureMyi.com
Feature Article
Why use Authorization Lists?
By Carol Woodbury, Skyview Partners, Inc.
The Authorization List is a security administration tool that has been available since Release 1.0 of OS/400. Authorization lists, or authority lists as some people call them, are a tool that helps security administrators manage authority to objects (libraries, files, folders, directories, etc.) when all of the objects need to be authorized in the same way. In other words, they make an administrator's life significantly easier when users need the same authorization level to a bunch of objects.
Let’s walk through the steps of securing the files for an HR (Human Resources) application with an authorization list.
Create the authorization list using the Create Authorization List command.
CRTAUTL AUTL(HR_AUTL)
Note: All authorization lists are created in the QSYS library. This is not optional.
Determine the objects you’re going to secure with the authorization list. In this example, you are going to secure all of the files associated with a Human Resources application.
To associate the authorization list with the files, run the following command. This associates all of the files in the HR_LIB library with the HR_AUTL authorization list.
GRTOBJAUT OBJ(HR_LIB/*ALL) OBJTYPE(*FILE) AUTL(HR_AUTL)
To associate an authorization list with an object in the Integrated File System, use the Change Authority (CHGAUT) command:
CHGAUT OBJ('/ADP_FTP_TRANSFER') AUTL(HR_AUTL)
For the users needing authority to the files which are secured by the list, grant them authority to the list.
Run the Add Authorization List Entry (ADDAUTLE) command. In this case, the Human Resources group profile, GRP_HR is being granted *USE authority to the HR_AUTL authorization list.
Read More.
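The steps described above, collected into one CL program with a verification pass at the end. This is an added example, not code from the article: the ADDAUTLE parameters are written from the article's description of the grant (GRP_HR, *USE, HR_AUTL), and the CHKOBJ guard and the DSPAUTL, DSPAUTLOBJ and DSPAUT reports are additions. Object names are the article's sample names.

```cl
/* Added example: the HR authorization list setup as one CL program. */
/* HR_AUTL, HR_LIB, GRP_HR and /ADP_FTP_TRANSFER are the article's   */
/* sample names; substitute your own.                                */
PGM

/* Create the list only if QSYS/HR_AUTL does not exist yet.          */
/* CHKOBJ sends CPF9801 (object not found) when the list is absent.  */
CHKOBJ     OBJ(QSYS/HR_AUTL) OBJTYPE(*AUTL)
MONMSG     MSGID(CPF9801) EXEC(CRTAUTL AUTL(HR_AUTL) +
             TEXT('HR application files'))

/* Secure every file in HR_LIB with the list.                        */
GRTOBJAUT  OBJ(HR_LIB/*ALL) OBJTYPE(*FILE) AUTL(HR_AUTL)

/* Secure the Integrated File System object with the same list.      */
CHGAUT     OBJ('/ADP_FTP_TRANSFER') AUTL(HR_AUTL)

/* Grant the HR group profile *USE authority to the list itself.     */
ADDAUTLE   AUTL(HR_AUTL) USER(GRP_HR) AUT(*USE)

/* Verification reports, written to spooled files for review:        */
/*   DSPAUTL    - users on the list (including *PUBLIC) and their    */
/*                authority                                          */
/*   DSPAUTLOBJ - objects secured by the list                        */
/*   DSPAUT     - authority of the IFS object, including the list    */
/*                that secures it                                    */
DSPAUTL    AUTL(HR_AUTL) OUTPUT(*PRINT)
DSPAUTLOBJ AUTL(HR_AUTL) OUTPUT(*PRINT)
DSPAUT     OBJ('/ADP_FTP_TRANSFER') OUTPUT(*PRINT)

ENDPGM
```

Review the DSPAUTL report for the *PUBLIC entry as well as GRP_HR, since the list carries a public authority of its own.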
IBM i Security Calendar of Events
Live Security Webcasts for IBM i
Addressing and Automating Audit Requirements for IBM i
Presented by Carol Woodbury - Sponsored by Skyview Partners
Wednesday February 22 10:00 AM PST
Beyond FTP: Securing and Automating File Transfers
Sponsored by Linoma Software
Wednesday February 22 12:00 PM CST
Assessing your Security on the Power i
Expert Webinar Series - Sponsored by Software Engineering of America, Inc
Thursday March 1st 1:00 PM ET
More IBM i Security Related Events
April 10-13 - Live Online - Expanded Security Workshop for IBM i
SecureMyi President Dan Riehl presents this 4-Day Hands-on Workshop in the Online Virtual Classroom for IBM i. Sponsored and Hosted by The 400 School, Inc.
May 6-9 - COMMON User Group - Annual Conference and Expo - Anaheim, CA
Featured YouTube Educational Video
IBM i Security - Common Misconceptions - Using Authorization Lists
Security Shorts - Changing Database Journaling Options on the Fly
By Dan Riehl
A while back, I was confronted with a task in which I needed to change the journaling characteristics of a physical file. The file was being journaled with *AFTER images only, and I needed to change the journaling option to capture *BOTH the before and after images of database record changes.
I suspected I would need to end journaling of the file and then start journaling (STRJRNPF) with the *BOTH (before and after images) option. I didn't know all the ramifications that the stop and start would have, but I knew that I wanted to avoid it if possible. I was unaware of any way to do this. So I needed to check whether there was a way to change the journaling characteristics without ending the journaling of the file on a live system.
I used the CL command GO CMDJRN to review commands that relate to journaling, and I found the Change Journaled Object (CHGJRNOBJ) command. I prompted the command (F4) and pressed F1 to review the command help text. It turns out that the command was exactly what I was looking for. The CHGJRNOBJ command was introduced by IBM in OS/400 V5R3.
Here's a snippet from the command online help text from IBM.
The Change Journaled Object (CHGJRNOBJ) command changes the journaling attributes of a journaled object without the need to end and restart journaling for the object.
The command can be used to change the Images (IMAGES) value for a database file (*FILE) or a data area (*DTAARA) object without the need to end and restart journaling for the object.
The command can be used to change the Omit journal entry (OMTJRNE) value for a database file (*FILE), an integrated file system stream file (*STMF) or directory (*DIR) object without the need to end and restart journaling for the object.
Only one journaling attribute can be changed at a time.
Because I needed to change the IMAGES attribute from *AFTER to *BOTH, I used the command:
CHGJRNOBJ OBJ((MYLIB/MYFILE *FILE)) ATR(*IMAGES) IMAGES(*BOTH)
Then, in order to omit the Open and Close journal entries I used the command:
CHGJRNOBJ OBJ((MYLIB/MYFILE *FILE)) ATR(*OMTJRNE) OMTJRNE(*OPNCLOSYN)
As the help text says, you can change only one attribute per execution of the command--thus the need to run the command twice, once for each attribute to be changed.