Security and Systems Management Newsletter for the IBM i             April 23, 2014 - Vol 4, Issue 7
Security Training from

Security software from Powertech

Skyview Partners

Security Training from The 400 School

Feature Article

Don't be Fooled by an Authorization List

By Dan Riehl -

Authorization lists allow you to secure several different objects that have the same object-level authorities by using a template approach, rather than maintaining the list of object authorities within each individual object.

I think many people shy away from using authorization lists because they don't understand the lists' function. But when you think of an authorization list as simply an authorization template to be applied to many objects, it seems to make a bit more sense.

The best way to secure objects on the IBM i is by using a combination of group profiles and authorization lists. Doing so greatly eases maintenance tasks.

In auditing numerous systems over the years, I find that when authorization lists are used, there is often an error in setting the *PUBLIC authority, private authorities, and ownership of the objects secured by the list. There can also be errors due to improper ownership of the authorization list itself.

Among IBM i professionals, I've noticed three main misconceptions about using an authorization list:

  • When we secure an object using an authorization list (*AUTL), we believe that we can view all the authorities to the object by simply viewing the authorization list. In effect, we are able to ignore the authorities that are set within the object itself. *AUTL is the only authority in effect.

  • We also believe that since the authorization list contains a setting for *PUBLIC authority, the *PUBLIC authority specified in the authorization list will be applied to all objects secured by the list, regardless of what is specified in the object for *PUBLIC authority.

  • The third issue is that we ignore the owner of the authorization list, since that will have no bearing on the authority to the objects secured by the list.

Let's look at some examples to try to dispel these common misconceptions. In Figure 1, below, the PRODLIB_O authorization list is owned by PAYUSER, providing *ALL authority to the authorization list to PAYUSER. The *PUBLIC authority to the authorization list is set to *EXCLUDE. Private authorities have been granted to GROUP_IT, GROUP_OPS, and QPGMR.

Read More . .

Note: The Featured Video in this issue presents another look at this Authorization List Example.

Another Note: The Security Shorts Column in this issue presents an added benefit to using Authorization Lists.

In This Issue

Featured Article - Authorization Lists

Security Shorts - Authorization Lists

Featured Video - Authorization Lists

Industry News and Calendar

Security Resources

Quick Links

Search Security Site for IBM i and i5/OS

SecureMyi Website

Security Training from The 400 School

SecureMyi Newsletter Home/Archives

Our Newsletter Sponsors

Platinum Sponsor

    The 400 School, Inc

Gold Sponsor


    Skyview Partners, Inc

Silver Sponsor

    Cilasoft Security Solutions

IBM i Security Resources

IBM i Security Videos - SecureMyi

SecureMyi Newsletter Archives

Search Security for IBM i

IBM i Security Ref - 6.1

IBM i Security Ref - 7.1


QAUDJRN Entry Layouts

RedBook - Security Guide IBM i

Open Security Foundation - DataLoss DB

National Vulnerability Database - NIST

PCI Data Security Standard


HIPAA Resources

HITECH Enforcement

CISSP - Certification

Follow SecureMyi on Twitter

Follow SecureMyi on YouTube

Software from Cilasoft

Security software from Powertech

Featured YouTube Educational Video

IBM i Security

Misconceptions when Using an Authorization List

Featured Video - IBM i Security - Common Misconceptions - Using Authorization Lists

Cannot Access YouTube from your office? Download the video in wmv format.   Click to Download the wmv file
Security news and Events

Live Security Related Webcasts and Training for IBM i

April Events

The Hacker's View of Cyber Security
With Mel Beckman and Robin Tatam

Live Webcast - Presented by iProDeveloper
Sponsored by Powertech
Tuesday, April 29 1:00pm CDT
More Information and Register to Attend

April 29 - May 1 - InfoSecurity EUROPE 2014
Earl's Court, LONDON
Free to Attendees - 325 Exhibitors
Look for Cilasoft which is exhibiting at this event
For More Information

May Events

May 4-7 - COMMON - A User Group
2014 Annual Conference and Exposition - Orlando, FL
More Information and Register to Attend

Coffee with Carol: with Carol Woodbury
Security Considerations for Application Development including PCI Requirements

Live Webcast - Presented by Skyview Partners
Wednesday, May 14 10:00am CDT
More Information and Register to Attend

June Events

Live Hands-On - IBM i System Administration and Control Workshop
with Dan Riehl

Training Workshop - June 2-6 - Presented by The 400 School, Inc.
Dan Riehl presents this 5-Day Live Online Hands-on Workshop.
More Information and Register to Attend

Coffee with Carol: with guest presenter Patrick Townsend
Encrypting Data with FIELDPROC - No Application Changes!

Live Webcast - Presented by Skyview Partners
Thursday, June 12 10:00am CDT
More Information and Register to Attend

Skyview Partners

Security Training from The 400 School

Security Shorts - Gain Flexibility with Authorization Lists

By Dan Riehl

The Feature Article in this issue of the SecureMyi Newsletter discusses the topic of Authorization Lists, and how they are often misunderstood. I did not mention that additional flexibility can be gained by securing libraries and other objects with an authorization list rather than with a list of private and *PUBLIC authorities.

In a recent case, a customer wanted to change the *PUBLIC authorization on certain production libraries from *CHANGE, to the more restrictive *USE. This needed to be done in order to keep users from adding new objects into the production libraries. If a user has *CHANGE authority to a library, the user can add new objects to the library. But, if the user has only *USE authority to the library, they cannot add new objects.

The problem in this case, was that the private and *PUBLIC authorities to the production libraries could not be changed while the system was up and running. Since users have these production libraries on the user portion of their job's library lists, a *SHRRD(Shared for read) lock is placed on the library object, prohibiting the authorities from being changed while the system is up and the users logged on.

Since this is a 24x7 uptime shop, we needed to wait for several weeks to get clearance for a scheduled outage so we could make the change to *PUBLIC AUT(*USE).

Since I wanted to make sure we had flexibility for any future authorization changes to these libraries, the decision was made to use the scheduled outage to change the authorization method for the libraries. Instead of simply changing the *PUBLIC authority from *CHANGE to *USE, we would create an authorization list for each "in-scope" library, and then during the outage, we would change the libraries to be secured by the associated authorization list. Which we did.

One of the big advantages of using an authorization list, is that they can typically be changed on-the-fly, during system uptime. This flexibility will come in very handy the next time an authorization change needs to be made to any of these production libraries, Next time, we will not need an outage, we can simply change the authorization list.

Some of you are pondering a very good question right now. That is: "Using the new Authorization list scheme, won't you break something when you change the production library authorities on the fly?". The answer is: As long as the change that is being made is not creating a new restriction, nothing will break. If the change to the authorization list is creating a new restriction, that type of change may require an outage.

(Note: The System Value QLIBLCKLVL can be used to specify that libraries are NOT locked by a job simply because they are on the job's library list. For more information, see the IBM Information Center discussion on the System Value QLIBLCKLVL.

Sponsored Links

IBM i, iSeries and AS/400
Security Services from SecureMyi

IT Security and Compliance Group

In Depth Security Assessment of IBM i
Upgrade to QSECURITY level 40 or 50
Forensic Research and Analysis
Audit Assistance and Remediation
Security Training for IT and Audit Staff
Software Selection & Configuration
Security and Systems Programming

Live Training from The 400 School, Inc

Customized IBM i (AS/400) Training -
    Presented Live at your offices

Live Online Hands-On Workshops

ILE RPG IV Programming Workshop
RPG/400 Programming Workshop
IBM i COBOL Programming
Interactive Programming Workshops
System Operations Workshops
System Administration and Control
Security and Audit Workshops
Control Language Programming
IBM i Concepts and Facilities
Query Workshop

Security Services from

Send your IBM i Security and Systems Management News and Events!           Send your Questions, Comments, Tips and Stories

Copyright 2014 -, all rights reserved | St Louis MO 63017