August 15, 2012 - Vol 2, Issue 15

Cilasoft EAM - Control Powerful Users

Monitor File Integrity - Powertech

Feature Article

Fixing your Restore Inconsistencies in Private Authorities

By Dan Riehl

How often have you found yourself bewildered when restoring a production library to a test or backup system only to find that the authorities on the test system don't match the authorities on the production system?

I can't tell you the number of times I've received a call from a client trying to figure out why their authorities are not consistent between the two systems. Restoring objects from one system to another and trying to keep all the security-related attributes and authorities intact can be a challenging process. There are numerous rules that come into play, depending upon how the objects are saved and how they are restored.

IBM made a very nice enhancement to the Save (SAVxxx) and Restore (RSTxxx) commands in IBM i version 5.4 that can ease the pain of trying to get the authorities right on your restored objects. You still need to be aware of the rules and restrictions of saving and restoring objects, but this new support will be the answer to many of your restore difficulties.

The Problem

Before delving into the enhanced support provided in 5.4, let's consider an example of how Save/Restore operations work in relation to object private authorities.

The only object authorities that are saved and restored with an object are the object Owner's authority, the *PUBLIC authority, and the Object Primary Group. These authorities are stored within the object and are therefore saved with the object; however, none of an object's private authorities are stored within the object. They are stored within the user profiles of the users who have a private authority to the object.
(Note: If the object is secured by an Authorization List, the list name is stored in the object, so the list name is saved with the object.)

So, if Joe has an authority of *CHANGE to the PAYROLL library, and Joe is not the owner of the library, Joe's "private authority" is not saved, and thus cannot be restored with the object... It's just gone on the restore side.

Prior to the 5.4 enhanced support, these object private authorities were only saved when user profiles were saved, using the Save Security Data (SAVSECDTA) or Save System (SAVSYS) commands.
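The following CL sequence is an added example, not part of Dan's article, that lets you see the problem for yourself and then apply the pre-5.4 remedy the article refers to. The library name PAYROLL and user JOE come from the article; the save file names QGPL/PAYSAVF and QGPL/SECSAVF and the mechanism for moving the save files between systems (FTP or similar, omitted here) are assumptions.

```cl
/* Added example (not from the article): reproduce the loss of a      */
/* private authority across SAVLIB/RSTLIB, then recover it from the   */
/* saved security data. Assumed names: library PAYROLL, user JOE,     */
/* save files QGPL/PAYSAVF and QGPL/SECSAVF.                          */

/* 1. On the source system, give JOE (not the owner) *CHANGE to the   */
/*    library and confirm he shows up in the authority display.       */
GRTOBJAUT  OBJ(PAYROLL) OBJTYPE(*LIB) USER(JOE) AUT(*CHANGE)
DSPOBJAUT  OBJ(PAYROLL) OBJTYPE(*LIB)

/* 2. Save the library. Owner, *PUBLIC, primary group and the         */
/*    authorization list name travel with the object; JOE's private   */
/*    authority does not, because it lives in JOE's user profile.     */
CRTSAVF    FILE(QGPL/PAYSAVF)
SAVLIB     LIB(PAYROLL) DEV(*SAVF) SAVF(QGPL/PAYSAVF)

/* 3. On the target system, restore the library and display its       */
/*    authority again: JOE's *CHANGE entry is missing.                */
RSTLIB     SAVLIB(PAYROLL) DEV(*SAVF) SAVF(QGPL/PAYSAVF)
DSPOBJAUT  OBJ(PAYROLL) OBJTYPE(*LIB)

/* 4. Pre-5.4 remedy: private authorities are saved with the user     */
/*    profiles, so save security data on the source system ...        */
CRTSAVF    FILE(QGPL/SECSAVF)
SAVSECDTA  DEV(*SAVF) SAVF(QGPL/SECSAVF)

/* 5. ... and on the target restore JOE's profile, then run RSTAUT     */
/*    after the objects exist so the saved private authorities are    */
/*    re-applied. Re-run DSPOBJAUT to verify JOE is back.             */
RSTUSRPRF  DEV(*SAVF) SAVF(QGPL/SECSAVF) USRPRF(JOE)
RSTAUT     USRPRF(JOE)
DSPOBJAUT  OBJ(PAYROLL) OBJTYPE(*LIB)
```

The order in step 5 matters: RSTAUT can only re-grant a private authority to an object that already exists on the target, so restore the libraries first and the authorities last.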


In This Issue

Featured Article - SAV/RST Private Auts

Security Shorts - Copying Authorities

Industry News and Calendar

Security Resources

Quick Links

Search Security Site for IBM i and i5/OS

SecureMyi Website

Security Training from The 400 School

SecureMyi Newsletter Home/Archives

Need Access to an IBM i?   Visit

Thank You! To Our Great Sponsors

Platinum Sponsor
      Cilasoft Security Solutions

Gold Sponsor
      The PowerTech Group

      Skyview Partners, Inc

      The 400 School, Inc

IBM i Security and Audit Resources

IBM i Security Videos from

SecureMyi Newsletter Home and Archives

IBM i Security Reference - IBM i 6.1

IBM i Security Reference - IBM i 7.1

QAUDJRN Audit Types By AUDLVL 6.1

QAUDJRN Entry Type Record Layout 6.1

RedBook - Security Guide for IBM i 6.1

PCI SSC Data Security Standards

COBIT Framework - ISACA

HIPAA Resources

HITECH Enforcement

CISSP - Certification

Follow SecureMyi on Twitter

Follow SecureMyi on YouTube

IBM i Security News Bytes

Linoma Announces Outlook 2010 Plugin for GoAnywhere

Linoma Software has announced the introduction of an Outlook 2010 Plugin for users of GoAnywhere Services Secure Mail.

This new support allows employees to send files, regardless of size, to one or more recipients using a combination of email (for notifications) and HTTPS protocol (for file retrieval). Recipients click on an encrypted HTTPS link within the email notification to securely download the file(s). Senders can add password protection and other parameters to increase the security of the transmission.
More Information from Linoma.

IBM i Security Calendar of Events

Live Security Related Webcasts and Training for IBM i

GoAnywhere Services Secure Mail Live Demo
Live Web Demo - Sponsored by Linoma Software
Wednesday August 15, Noon CDT
More Information and Register to Attend

Crowd Control - Managing Access For Powerful Users
Live webcast - Sponsored by Powertech
Wednesday August 29 1:00 PM CDT
More Information and Register to Attend

Live 4-Day Hands-On Expanded Security Workshop for IBM i
Full Length Training Workshop - August 21-24 9:00am - 4:00pm Central Time
Dan Riehl presents his 4-Day Live Online Hands-on Security Workshop for the IBM i.
More Information and Register to Attend

Subscribe to the SecureMyi Security Newsletter - Get Dan Riehl's book PowerTips for IBM i Security

Is Your JD EDWARDS Database Secure? See how SKYVIEW PARTNERS can help! Security Workshop

Skyview Partners - Security Checkup from Skyview Partners

Security Shorts -

Copying Authorities from one User to Another

By Dan Riehl

I always encourage administrators to use or create a special "owner" profile to own all of our production objects. For example, instead of the Distribution application programs and files being owned by a conglomeration of programmers and other IT people, the objects should be owned by a special owning profile, like DSTOWNER. DSTOWNER is not a group profile, and it has no password, so it cannot be used to sign on.

I also advise that certain system objects that we create, like User Profiles, be owned by QSECOFR. It might require an extra step to assign the ownership to QSECOFR, but doing so avoids the problem of these objects being owned by IT staff members, who, sadly, come and go.

Creating a New User

When a new user must be created on your system, it is usually rather straightforward. However, if you have fallen into the trap of assigning object authorities at the user profile level, it becomes much more difficult to create the new user.

Let's say that you have a new system administrator and this new user needs to have the same authorities as an existing system administrator. You can easily copy the existing user profile to the new one. The Copy User Profile option is available as Option 3 from the WRKUSRPRF (Work with User Profiles) display.

But copying a user profile in this way does not copy the private authorities of the original user. For example, if the existing user owns a collection of libraries or files, that existing user has *ALL authority to those objects. How do we grant *ALL authority to the new user?

If the original user has private authorities to, or ownership of, 50 commands, 10 libraries, 200 files and a few job descriptions, you will need to grant all those same authorities to the new user. IBM has provided the tool to copy these authorities: the command GRTUSRAUT (Grant User Authority).

When using the command GRTUSRAUT, make sure you are signed on as QSECOFR or as an *ALLOBJ user; otherwise, certain objects or authorities may be skipped.

Copying the Authorities

Here is a command that will copy the private authorities (including those granted through ownership) from OLDUSER to NEWUSER.


When you run this command, it would be best to submit it to batch, since it may take a long time to run. So use the command
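As an added illustration of the two steps above (this is example CL, not the command text from the newsletter), here are the interactive and batch forms of the copy, followed by a check that the two profiles now hold the same private authorities. OLDUSER and NEWUSER are the names used in the article; the job name CPYAUT is an assumption.

```cl
/* Added example (not the newsletter's own command text): copy the    */
/* private authorities OLDUSER holds, including the *ALL authority it */
/* has as owner of objects, to NEWUSER. Run this signed on as QSECOFR */
/* or another *ALLOBJ user so that no objects are skipped. The job    */
/* name CPYAUT is an assumption.                                      */

/* Interactive form: runs in your own job and may take a long time.   */
GRTUSRAUT  TOUSR(NEWUSER) REFUSR(OLDUSER)

/* Batch form: the same command submitted to the job queue, so your   */
/* interactive session is not tied up while it runs.                  */
SBMJOB     CMD(GRTUSRAUT TOUSR(NEWUSER) REFUSR(OLDUSER)) JOB(CPYAUT)

/* Verification: display each user's private object authorities and   */
/* compare the two lists. Ownership itself is not transferred; NEWUSER */
/* receives a private *ALL authority to the objects OLDUSER owns.     */
DSPUSRPRF  USRPRF(OLDUSER) TYPE(*OBJAUT)
DSPUSRPRF  USRPRF(NEWUSER) TYPE(*OBJAUT)
```

Check the job log of CPYAUT when it completes; any object that could not be processed is reported there, which is the symptom you see when the command is run by a user without *ALLOBJ.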


Here is the IBM Documentation on the GRTUSRAUT command.

Sponsored Links

IBM i, iSeries and AS/400
Security Services from SecureMyi

Expert Level Security Consulting
IT Security and Compliance Group, LLC

In Depth Security Assessment of IBM i
Upgrade to QSECURITY level 40 or 50
Forensic Research and Analysis
Audit Assistance and Remediation
Security Training for IT and Audit Staff
Security Software Selection & Configuration
Customized Security/System Programming

Live Training from The 400 School, Inc

Live Online Hands-On Workshops
Special Fall/Winter Class Discounts

Now Accepting Credit Cards

IBM i Security Workshop Aug 21-24

IBM i Concepts and Control Language Sep 17-21

Fall Schedule Coming in Early August

Send your IBM i Security Related News and Events!           Advertise in Security Newsletter

Copyright 2012 -, all rights reserved | St Louis MO 63017