SecureMyi.com Security and Systems Management Newsletter for the IBM i
June 11, 2014 - Vol 4, Issue 10
Feature Article - Encore Presentation!
Why Use Authorization Lists?
By Carol Woodbury
The Authorization List is a security administration tool that has been available since Release 1.0 of OS/400. Authorization lists (or authority lists, as some people call them) are a tool that helps security administrators manage authority to objects (libraries, files, folders, directories, etc.) when all of the objects need to be authorized in the same way. In other words, they make an administrator's life significantly easier when users need the same level of authority to a group of objects: the authority is granted once, on the list, instead of once per object.
Let’s walk through the steps of securing the files for an HR (Human Resources) application with an authorization list.
Create the authorization list using the Create Authorization List command.
CRTAUTL AUTL(HR_AUTL)
Note: All authorization lists are created in the QSYS library. This is not optional.
Determine the objects you’re going to secure with the authorization list. In this example, you are going to secure all of the files associated with a Human Resources application.
To associate the authorization list with the files, run the following command. This associates all of the files in the HR_LIB library with the HR_AUTL authorization list.
GRTOBJAUT OBJ(HR_LIB/*ALL) OBJTYPE(*FILE) AUTL(HR_AUTL)
To associate an authorization list with an object in the Integrated File System use the Change Authority (CHGAUT) command
CHGAUT OBJ('/ADP_FTP_TRANSFER') AUTL(HR_AUTL)
For the users needing authority to the files which are secured by the list, grant them authority to the list.
Run the Add Authorization List Entry (ADDAUTLE) command. In this case, the Human Resources group profile, GRP_HR is being granted *USE authority to the HR_AUTL authorization list.
ADDAUTLE AUTL(HR_AUTL) USER(GRP_HR) AUT(*USE)
Optionally, you can use the Edit Authorization List (EDTAUTL) command, specifying the name of the authorization list. With EDTAUTL you can add and remove users from the list and set their authority to the list, and therefore to the objects secured by the list.
And the Effect is
After following these steps, when a member of the Human Resources group (GRP_HR) accesses FILE001 in library HR_LIB, they will access it with *USE authority, because IBM i recognizes that FILE001 is secured by the HR_AUTL authorization list and that their group has *USE authority to the list. Two things to keep in mind: a private authority granted directly to FILE001 (to the user or to the group) is found first and overrides the list, and a user who is neither on the list nor in a group on the list falls back to the file's *PUBLIC authority. For the list to be the single control point, the files' public authority should therefore be *AUTL (so that it is taken from the list's *PUBLIC entry) or *EXCLUDE.
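As an added, complete example that is not part of the original article, the steps above collected into one CL program. HR_LIB, HR_AUTL, GRP_HR, FILE001 and the IFS path are the article's names; the program name, the HR_BATCH profile with *CHANGE authority and the TEXT value are assumptions for illustration. The program also does two things the article leaves implicit: it points the files' own *PUBLIC authority at the list (AUT(*AUTL)) so that users not on the list inherit the list's public entry, which it sets to *EXCLUDE, and it prints the list, the objects the list secures and one file's authorities so the result can be checked.

```cl
/* SECHRAUTL - secure the HR application files with HR_AUTL.        */
/* Added example, not from the article. The program name, HR_BATCH  */
/* and the TEXT value are assumed; adjust for your system.          */
PGM

   /* Create the list only if it is not already in QSYS.            */
   CHKOBJ     OBJ(QSYS/HR_AUTL) OBJTYPE(*AUTL)
   MONMSG     MSGID(CPF9801) EXEC(CRTAUTL AUTL(HR_AUTL) +
                TEXT('HR application data') AUT(*EXCLUDE))

   /* Users who are not on the list get the list's *PUBLIC entry.   */
   CHGAUTLE   AUTL(HR_AUTL) USER(*PUBLIC) AUT(*EXCLUDE)

   /* Attach every file in HR_LIB to the list, then point each      */
   /* file's own public authority at the list so that the list, not */
   /* a stray *CHANGE left on a file, decides what everyone else    */
   /* gets.                                                         */
   GRTOBJAUT  OBJ(HR_LIB/*ALL) OBJTYPE(*FILE) AUTL(HR_AUTL)
   GRTOBJAUT  OBJ(HR_LIB/*ALL) OBJTYPE(*FILE) USER(*PUBLIC) AUT(*AUTL)

   /* Same for the IFS object the HR feed is exchanged through.     */
   CHGAUT     OBJ('/ADP_FTP_TRANSFER') AUTL(HR_AUTL)
   CHGAUT     OBJ('/ADP_FTP_TRANSFER') USER(*PUBLIC) DTAAUT(*AUTL)

   /* Grant authority once, on the list, not on each object. If the */
   /* user is already on the list, reset the entry instead.         */
   ADDAUTLE   AUTL(HR_AUTL) USER(GRP_HR) AUT(*USE)
   MONMSG     MSGID(CPF0000) EXEC(CHGAUTLE AUTL(HR_AUTL) +
                USER(GRP_HR) AUT(*USE))
   ADDAUTLE   AUTL(HR_AUTL) USER(HR_BATCH) AUT(*CHANGE)  /* assumed */
   MONMSG     MSGID(CPF0000) EXEC(CHGAUTLE AUTL(HR_AUTL) +
                USER(HR_BATCH) AUT(*CHANGE))

   /* Verify: who is on the list, what it secures, what FILE001 has.*/
   DSPAUTL    AUTL(HR_AUTL) OUTPUT(*PRINT)
   DSPAUTLOBJ AUTL(HR_AUTL) OUTPUT(*PRINT)
   DSPOBJAUT  OBJ(HR_LIB/FILE001) OBJTYPE(*FILE) OUTPUT(*PRINT)

ENDPGM
```

Compile with CRTBNDCL and run it from a profile that owns the files or has *ALLOBJ special authority. In the DSPOBJAUT spool file, FILE001 should show HR_AUTL as its authorization list and *PUBLIC with *AUTL; the DSPAUTL spool file shows GRP_HR with *USE and *PUBLIC with *EXCLUDE.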
Read More
In This Issue
Featured Article - Why Authorization Lists?
Security Shorts - Change Journaling Options
Industry News and Calendar
Security Resources
Quick Links
Search Security Site for IBM i and i5/OS
SecureMyi Website
Security Training from The 400 School
SecureMyi Newsletter Home/Archives
Our Newsletter Sponsors
Platinum Sponsor
The 400 School, Inc
Gold Sponsor
PowerTech
Skyview Partners, Inc
Silver Sponsor
Cilasoft Security Solutions
IBM i Security Resources
IBM i Security Videos - SecureMyi
SecureMyi Newsletter Archives
Search Security for IBM i
IBM i Security Ref - 6.1
IBM i Security Ref - 7.1
QAUDJRN Entries By AUDLVL
QAUDJRN Entry Layouts
RedBook - Security Guide IBM i
Open Security Foundation - DataLoss DB
National Vulnerability Database - NIST
PCI Data Security Standard
COBIT - ISACA
HIPAA Resources
HITECH Enforcement
CISSP - Certification
Industry News for IBM i Security
State of IBM i Security Study 2014 Released
PowerTech, a division of HelpSystems, has announced the release of the 2014 State of IBM i Security Study.
Now in its eleventh year, the study includes data from 233 servers and partitions audited with PowerTech’s Compliance Assessment tool in 2013. The participating organizations spanned a broad range of industries, including finance, healthcare, communication, education, and transportation.
You can Download the Free 2014 Security Study Here
Skyview Making Hay out of Managed Security Services
Skyview Partners is now in their second full year of offering Managed Security Services for the IBM i and AIX. According to John Vanderwall, Co-Founder and CEO of Skyview Partners, "The growth in the program continues to be very exciting as new clients, both large and small, join us in the program. We have been able to scale very nicely to meet the service level agreements and the highest expectations of our growing client base."
Learn more about Skyview's Managed Security Services at the Skyview Site
Live Security Related Webcasts and Training for IBM i
June Events
Coffee with Carol, with guest presenter Patrick Townsend: Encrypting Data with FIELDPROC - No Application Changes!
Live Webcast - Presented by Skyview Partners
Thursday, June 12 10:00am CDT
More Information and Register to Attend
Security Shorts - Changing Database Journaling Options on the Fly
By Dan Riehl
A while back, I was confronted with a task in which I needed to change the journaling characteristics of a physical file. The file was being journaled with *AFTER images only, and I needed to change the journaling option to capture *BOTH the before and after images of database record changes.
I suspected I would need to end journaling of the file and then start journaling (STRJRNPF) with the *BOTH (before and after images) option. I didn't know all the ramifications that the stop and start would have, but I knew that I wanted to avoid it if possible. I was unaware of any way to do this. So I needed to check whether there was a way to change the journaling characteristics without ending the journaling of the file on a live system.
I used the CL command GO CMDJRN to review commands that relate to journaling, and I found the Change Journaled Object (CHGJRNOBJ) command. I prompted the command (F4) and pressed F1 to review the command help text. It turns out that the command was exactly what I was looking for. The CHGJRNOBJ command was introduced by IBM in OS/400 V5R3.
Here's a snippet from the command online help text from IBM.
The Change Journaled Object (CHGJRNOBJ) command changes the journaling attributes of a journaled object without the need to end and restart journaling for the object.
The command can be used to change the Images (IMAGES) value for a database file (*FILE) or a data area (*DTAARA) object without the need to end and restart journaling for the object.
The command can be used to change the Omit journal entry (OMTJRNE) value for a database file (*FILE), an integrated file system stream file (*STMF) or directory (*DIR) object without the need to end and restart journaling for the object.
Only one journaling attribute can be changed at a time.
Because I needed to change the IMAGES attribute from *AFTER to *BOTH, I used the command:
CHGJRNOBJ OBJ((MYLIB/MYFILE *FILE)) ATR(*IMAGES) IMAGES(*BOTH)
Then, in order to omit the Open and Close journal entries I used the command:
CHGJRNOBJ OBJ((MYLIB/MYFILE *FILE)) ATR(*OMTJRNE) OMTJRNE(*OPNCLOSYN)
As the help text says, only one attribute can be changed per execution of the command, thus the need to run it twice, once for each attribute to be changed.
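As an added example, not from the article, a small CL program that makes both changes in one step and stops at the first failure, so a file is never left with one attribute changed and the other not. MYLIB/MYFILE become parameters; the program name, the CPF9898 escape message it re-signals and the choice to print the file's attributes afterwards are assumptions. For the omitted entries it uses OMTJRNE(*OPNCLO), which omits only open and close entries (*OPNCLOSYN additionally omits synchronization, or force, entries).

```cl
/* CHGJRNIMG - switch a journaled physical file to *BOTH images and */
/* stop logging open/close entries, without ending journaling.      */
/* Added example, not from the article; the program name and the    */
/* CPF9898 failure message text are assumptions.                    */
PGM        PARM(&FILE &LIB)
   DCL     VAR(&FILE)   TYPE(*CHAR) LEN(10)
   DCL     VAR(&LIB)    TYPE(*CHAR) LEN(10)
   DCL     VAR(&MSGID)  TYPE(*CHAR) LEN(7)
   DCL     VAR(&STEP)   TYPE(*CHAR) LEN(10)
   DCL     VAR(&MSGDTA) TYPE(*CHAR) LEN(80)

   /* Refuse to continue if the file is not there at all            */
   /* (CPF9801 escapes to the caller unmonitored).                  */
   CHKOBJ  OBJ(&LIB/&FILE) OBJTYPE(*FILE)

   /* One attribute per call: first the before/after images ...     */
   CHGVAR  VAR(&STEP) VALUE('*IMAGES')
   CHGJRNOBJ OBJ((&LIB/&FILE *FILE)) ATR(*IMAGES) IMAGES(*BOTH)
   MONMSG  MSGID(CPF0000) EXEC(GOTO CMDLBL(FAIL))

   /* ... then the omitted open/close entries.                      */
   CHGVAR  VAR(&STEP) VALUE('*OMTJRNE')
   CHGJRNOBJ OBJ((&LIB/&FILE *FILE)) ATR(*OMTJRNE) OMTJRNE(*OPNCLO)
   MONMSG  MSGID(CPF0000) EXEC(GOTO CMDLBL(FAIL))

   /* Show the result: the journaling section of the file's         */
   /* attributes now reports *BOTH images and omitted open/close.   */
   DSPFD   FILE(&LIB/&FILE) TYPE(*ATR) OUTPUT(*PRINT)
   RETURN

   /* Pick up the escape message CHGJRNOBJ sent and re-signal it    */
   /* with the step that failed, so nothing fails silently.         */
FAIL:       RCVMSG  MSGTYPE(*EXCP) MSGID(&MSGID)
   CHGVAR  VAR(&MSGDTA) VALUE('CHGJRNOBJ ' *CAT &STEP *TCAT +
             ' failed for ' *CAT &LIB *TCAT '/' *CAT &FILE *TCAT +
             ' with ' *CAT &MSGID)
   SNDPGMMSG MSGID(CPF9898) MSGF(QCPFMSG) MSGDTA(&MSGDTA) +
             MSGTYPE(*ESCAPE)
ENDPGM
```

Call it as CALL CHGJRNIMG PARM(MYFILE MYLIB). Because the file stays journaled throughout, no record change goes unjournaled during the switch, which is exactly the gap an end-and-restart would open.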
Sponsored Links
IT Security and Compliance Group
In Depth Security Assessment of IBM i
Upgrade to QSECURITY level 40 or 50
Forensic Research and Analysis
Audit Assistance and Remediation
Security Training for IT and Audit Staff
Software Selection & Configuration
Security and Systems Programming
Customized IBM i (AS/400) Training - Presented Live at your offices
Live Online Hands-On Workshops
ILE RPG IV Programming Workshop
RPG/400 Programming Workshop
IBM i COBOL Programming
Interactive Programming Workshops
System Operations Workshops
System Administration and Control
Security and Audit Workshops
Control Language Programming
IBM i Concepts and Facilities
Query Workshop