Security and Systems Management Newsletter for the IBM i                 August 14, 2013 - Vol 3, Issue 33

Feature Article

Pondering the Dangers of Unsecured Spooled Files

By Dan Riehl

A "data leak" is defined in Wikipedia as "the intentional or unintentional release of secure information to an untrusted environment." It can also be called a "data spill" or "data breach."

We are often deeply concerned about data leaking from our production database to the outside world. We often focus a great deal of effort on securing these precious data jewels we call files. But what about protecting the end result of these jewels—our printed reports? Our production reports consist of our precious data jewels, coordinated, manipulated, and cajoled into what becomes meaningful information in the form of a production report.

If we consider our database files to be sensitive, then our printed reports, which present that file data in a readable, organized format, must be protected with as much or, dare I say, more due diligence.

If your shop is like most, all, or almost all, output queues are left unsecured. For some strange reason, we assign *JOBCTL special authority to our end users. The result of this *JOBCTL assignment is that they can view and manipulate the reports generated by others. This is usually the root of the problem of data leakage via printed reports. A user with *JOBCTL special authority can, with few exceptions, view and control any printed report on the system.

Perhaps to avoid the potential of a data leak through a printed report, we configure the user accounts with the command line restriction LMTCPB(*YES). As a further step, we don't present a menu option that allows them to view the spooled files of others. That's a nice solution, but there still can be alternative methods to view and leak the data in our sensitive reports. One such method is through the IBM i Navigator for Windows (a.k.a. Operations Navigator) Basic Operations tab.

Security News and Events

Live Security Related Webcasts and Training for IBM i

August Events

7 Habits Of Highly Secure Organizations
Live Webcast - Presented by PowerTech
Wednesday, August 21 1:00pm CDT

Live Hands-On - Expanded Control Language Programming Workshop
with Dan Riehl

Full Length Training Workshop - August 19-23
Dan Riehl, Co-Author of the textbook Control Language Programming for the IBM i
presents this 5-Day Live Online Hands-on Workshop.

September Events

Live Hands-On - IBM i System Administration and Control Workshop
with Dan Riehl

Full Length Training Workshop - September 4,5,6 and 11,12
Dan Riehl presents this 5-Day Live Online Hands-on Workshop.

COMMON 2013 Fall Conference and Expo
Three Day Conference and Expo - September 9-11
Renaissance Grand St. Louis • St. Louis, Missouri

October Events

Live Hands-On - QAUDJRN Auditing and Forensic Analysis Workshop for IBM i
with Dan Riehl

Full Length Training Workshop - October 2-3
Dan Riehl presents this 2-Day Live Online Hands-on Workshop.

Live Hands-On - Expanded Security Workshop for IBM i
with Dan Riehl

Full Length Training Workshop - October 7-10
Dan Riehl presents this 4-Day Live Online Hands-on Workshop.

Security Shorts

Copying Authorities from one User to Another

By Dan Riehl

I always encourage administrators to use or create a special "owner" profile to own all of our production objects. For example, instead of the Distribution application programs and files being owned by a conglomeration of programmers and other IT people, the objects should be owned by a special owning profile, like DSTOWNER. DSTOWNER is not a group profile, and it has no password, so it cannot be used to sign on.

I also advise that certain system objects that we create, like User Profiles, be owned by QSECOFR. It might require an extra step to assign the ownership to QSECOFR, but doing so avoids the problem of these objects being owned by IT staff members, who, as we all know, come and go.

Creating a New User

When a new user must be created on your system, it is usually rather straightforward. However, if you have fallen into the trap of assigning object authorities at the user profile level, it becomes much more difficult to create the new user.

Let's say that you have a new system administrator and this new user needs to have the same authorities as an existing system administrator. You can easily copy the existing user profile to the new one. The Copy User Profile option is available as Option 3 from the WRKUSRPRF (Work with User Profiles) display.

But copying a user profile in this way does not copy the private authorities of the original user. For example, if the existing user owns a collection of libraries or files, that existing user has *ALL authority to those objects. How do we grant *ALL authority to the new user?

If the original user has private authorities to, or ownership of, 50 commands, 10 libraries, 200 files and a few job descriptions, you will need to grant all those same authorities to the new user. IBM has provided the tool to copy these authorities: the command GRTUSRAUT (Grant User Authority).

When using the command GRTUSRAUT, make sure you are signed on as QSECOFR or as an *ALLOBJ user; otherwise, certain objects or authorities may be skipped.

Copying the Authorities

Here is a command that will copy the private authorities (including those granted through ownership) from OLDUSER to NEWUSER.


When you run this command, it would be best to submit it to batch, since it may take a long time to run. So use the command


Here is the IBM Documentation on GRTUSRAUT command.
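
As an added example (not taken from the original newsletter), the copy and its batch submission described above could be entered in CL as follows. OLDUSER and NEWUSER are the article's names; the job name CPYAUT is an assumption.

```cl
/* Option 1: run interactively. Sign on as QSECOFR or as a user with  */
/* *ALLOBJ special authority so that no objects are skipped.          */
/* Copies OLDUSER's private authorities, including those that come    */
/* from ownership, to NEWUSER.                                        */
GRTUSRAUT USER(NEWUSER) REFUSER(OLDUSER)

/* Option 2: submit the same command to batch instead, since it may   */
/* run for a long time. The job name CPYAUT is an assumption.         */
SBMJOB CMD(GRTUSRAUT USER(NEWUSER) REFUSER(OLDUSER)) JOB(CPYAUT)

/* After the command completes, review what NEWUSER now holds and     */
/* compare it with OLDUSER.                                           */
DSPUSRPRF USRPRF(NEWUSER) TYPE(*OBJAUT)
DSPUSRPRF USRPRF(OLDUSER) TYPE(*OBJAUT)
```

Use one of the two options, not both. Because every private authority of the reference user is copied, review OLDUSER's object authorities first so that NEWUSER does not inherit more access than the role requires.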
