SecureMyi.com Security and Systems Management Newsletter for the IBM i iSeries and AS/400 - August 27, 2014 - Adopted Authority and the Mystery of QUSEADPAUT System Value

Tweet
SecureMyi.com Security and Systems Management Newsletter for the IBM i August 27, 2014 - Vol 4, Issue 14

	Feature Article Adopted Authority and the Mystery of The QUSEADPAUT System Value By Dan Riehl - SecureMyi.com The topic of Adopted Authority on IBM i has not been very well understood. We know that it is a method to allow a user to perform functions that they are not normally authorized to perform. But, under Adopted Authority, they can do more powerful things than what their normal permissions allow. For most programming techies, we know how to make a program Adopt the Authority of the Owner of a program, but we are unsure how that fits in with the function of the program attribute named USEADPAUT, and the mysterious System Value QUSEADPAUT. Many think that the USEADPAUT attribute of a program determines if the program Adopts Authority, which it surely does not. It is the USRPRF property of a program that determines if the program Adopts the Owners Authority. If USRPRF(OWNER) is specified, the program will Adopt the Authority of the Program's Owner as shown here. CRTCLPGM PGM(MYPGM) USRPRF(OWNER)** The program property USEADPAUT cannot be specified at compile time, but can be specified using the CHGPGM command. But, still, What does USEADPAUT actually do, and why is it set the way it is to YES or NO? *CHGPGM PGM(MYPGM) USEADPAUT(YES) A short History of USEADPAUT and QUSEADPAUT The QUSEADPAUT** System Value was introduced several years ago to address the concern that there was no way to keep adopted authority from flowing down the call stack to all or a program's subprograms. Whenever a program adopted authority, called subprograms had no way to turn off that adopted authority. I recall when we, the AS/400 user community, back then, asked IBM for a way to create an adopting program that didn't propagate the adopted authority down the stack. We wanted an attribute we could set in the adopting program that said, "This program will adopt but will not pass the adopted authority to any other program." We wanted to contain the adoption within the adopting program itself and not pass it on. With that functionality, we could control the use of adopted authority very granularly. We could adopt authority in a program that needed additional authority and specify that the program not pass that adopted authority to any called programs. That way we could easily control which programs adopted authority and never worry about the adopted authority being propagated outside of the program. That's what we asked for. When IBM announced its version of the solution as a PTF to version 3.1 of the OS, we were all a bit dismayed. IBM didn't let us stop the propagation within the adopting program; instead IBM let us set a flag in a called program as to whether the called program was going to use the adopted authority passed to it. It was exactly backwards from what we had asked for. I'm sure many of you remember that discussion. We wanted control from within the adopting and CALLing program. IBM supplied USEADPAUT to provide control inside the CALLed programs. I wish IBM had done it the other way. But, IBM ultimately got it right when they released the Built-In MI function MODINVAU, which can be used to stop the propagation of authority outside the adopting program or a program running under adopted authority. See the sidebar "Stop Adoption in the Calling Program using MODINVAU," below. *Read More . .*
In This Issue Featured Article - QUSEADPAUT Security Shorts - Easy Reporting on Users Industry News and Calendar Security Resources Quick Links Search Security Site for IBM i and i5/OS SecureMyi Website Security Training from The 400 School SecureMyi Newsletter Home/Archives Our Newsletter Sponsors Platinum Sponsor The 400 School, Inc Gold Sponsor PowerTech Skyview Partners, Inc Silver Sponsor Cilasoft Security Solutions	IBM i Security Resources IBM i Security Videos - SecureMyi SecureMyi Newsletter Archives Search Security for IBM i IBM i Security Ref - 6.1 IBM i Security Ref - 7.1 QAUDJRN Entries By AUDLVL QAUDJRN Entry Layouts RedBook - Security Guide IBM i Open Security Foundation - DataLoss DB National Vulnerability Database - NIST PCI Data Security Standard COBIT - ISACA HIPAA Resources HITECH Enforcement CISSP - Certification
Live Security Related Webcasts and Training for IBM i September Events Live Hands-On - Expanded Security Workshop for IBM i, iSeries AS/400 with Dan Riehl Training Workshop - Sep 8-11 - Presented by The 400 School, Inc. Dan Riehl presents this 4-Day Live Online Hands-on Workshop. More Information and Register to Attend Live Hands-On - IBM i Query Workshop for Technical Staff and End Users with Dan Riehl Training Workshop - Sep 23 - Presented by The 400 School, Inc. Dan Riehl presents this Full-Day Live Online Hands-on Workshop. More Information and Register to Attend Coffee with Carol: What's New in V7R2 Security! Live Webcast - Presented by Skyview Partners Wednesday, Sep 24 10:00am CDT More Information and Register to Attend Live Hands-On - QAUDJRN Auditing and Forensic Analysis Workshop with Dan Riehl Training Workshop - Sep 25-26 - Presented by The 400 School, Inc. Dan Riehl presents this 2-Day Live Online Hands-on Workshop. More Information and Register to Attend
Security Shorts Great, Yet Simple, Reporting on your User Profiles By Dan Riehl - SecureMyi.com When you need to perform quick analysis on your user profiles, here are some tips. First create a file containing information about all of your user profiles. This will be a snapshot of your current user profiles. You can create this file of users by using the following command. *DSPUSRPRF USRPRF(ALL) OUTPUT(OUTFILE) OUTFILE(LibraryName/FileName)* Where LibraryName and Filename are your selected values. Now, using IBM i Access for Windows file transfer, you can simply download the file into Excel and slice and dice the user attributes to your heart's content. If you want to run some quick reports, you can use the RUNQRY(Run Query) command. One nice thing about using RUNQRY is that you can perform record selection, and optionally specify that you want a printed report, or display to your screen. Enter the following command to be prompted for record selection criteria: *RUNQRY QRY(NONE) QRYFILE((MyLibrary/MyFile)) RCDSLT(YES)* Here are some nice record selections you can choose. Users that have not signed on since July 1, 2014 UPPSOD LT '140701' Users will ALLOBJ Special Authority in their User Profile UPSPAU LIKE '%ALLOBJ%'* Users with Action Auditing Values(e.g. AUDLVL(CMD)) UPAUDL NE 'NONE'** Using simple tools like STRSQL, RUNQRY, and Download to Excel, you can make great management and auditor reports on your User Profiles. Try it out!		Sponsored Links IBM i, iSeries and AS/400 Security Services from SecureMyi IT Security and Compliance Group In Depth Security Assessment of IBM i Upgrade to QSECURITY level 40 or 50 Forensic Research and Analysis Audit Assistance and Remediation Security Training for IT and Audit Staff Software Selection & Configuration Security and Systems Programming Live Training from The 400 School, Inc Customized IBM i (AS/400) Training - Presented Live at your offices Live Online Hands-On Workshops


Send your IBM i Security and Systems Management News and Events! Send your Questions, Comments, Tips and Stories Copyright 2014 - SecureMyi.com, all rights reserved SecureMyi.com \| St Louis MO 63017