Security and Systems Management Newsletter for the IBM i             January 14, 2015 - Vol 5, Issue 1
Security Training from

Security software from Powertech

Skyview Partners

Training from The 400 School

Feature Article

Fixing Your Save/Restore Authority Problems

By Dan Riehl -

How often have you found yourself bewildered when restoring a production library to a test or backup system only to find that the authorities on the test system don't match the authorities on the production system?

I can't tell you the number of times I've received a call from a client trying to figure out why their authorities are not consistent between the two systems. Restoring objects from one system to another and trying to keep all the security-related attributes and authorities intact can be a challenging process. There are numerous rules that come into play, depending upon how the objects are saved and how they are restored.

IBM made a very nice enhancement to the Save(SAVxxx) and Restore(RSTxxx) commands back in IBM i version 5.4 that ease the pain of trying to get the authorities right on your restored objects. You still need to be aware of the rules and restrictions of saving and restoring objects, but this updated support will be the answer to many of your restore difficulties.

The Problem

Before delving into the enhanced support provided in 5.4, let's consider an example of how Save/Restore operations work in relation to object private authorities.

The only object authorities that are saved and restored with an object are the object Owner's authority, the *PUBLIC authority, and the Object Primary Group. These authorities are stored within the object and are therefore saved with the object; however, NONE of an object's private authorities are stored within the object. They are stored within the User Profiles of the users that have a private authority to an object.
(Note: If the object is secured by an Authorization List, the list name is stored in the object. So, the list name is saved with the object.)

So, If Joe has an authority of *CHANGE to the PAYROLL library, and Joe is not the owner of the library, Joe's 'private authority' is not saved, and thus cannot be restored with the object. It's just gone on the restore side. Poof!

Prior to the 5.4 enhanced support, these object private authorities were only saved when user profiles were saved, using the Save Security Data (SAVSECDTA) or Save System (SAVSYS) commands.

Restoring the object private authorities on to another system required a two-step process, not including the actual Object/Library restore process. First you had to restore the user profiles. The command Restore User Profile (RSTUSRPRF) is designed for that purpose. Once your selected user profiles had been restored, the command Restore Authority (RSTAUT) could be used to restore the private authorities from selected user profiles back to the restored objects.

The Updated IBM i 5.4 Support to Save and Restore Private Authorities

In 5.4, IBM introduced the Private Authority (PVTAUT) parameter to the Save and Restore commands. The setting of the PVTAUT parameter will determine whether private authorities are saved and/or restored WITH the objects.

This updated capability can save you a significant amount of time, effort, and aggravation in moving objects from one system to another while keeping the private authorities intact. You obviously are still subject to the rules and restrictions for Save and Restore operations, but using this 5.4 PVTAUT support, you no longer need to Save and Restore user profiles, and you do not need to do the RSTAUT operation in order to get your private authorities in synch for selected objects.

Read More . .

In This Issue

Featured Article - Save Restore Authorities

Security Shorts - Copy User Authorities

Industry News and Calendar

Security Resources

Quick Links

Search Security Site for IBM i and i5/OS

SecureMyi Website

Security Training from The 400 School

SecureMyi Newsletter Home/Archives

Our Newsletter Sponsors

Platinum Sponsor

    The 400 School, Inc

Gold Sponsor


    Skyview Partners, Inc

Silver Sponsor

    Cilasoft Security Solutions

IBM i Security Resources

IBM i Security Videos - SecureMyi

SecureMyi Newsletter Archives

Search Security for IBM i

IBM i Security Ref - 6.1

IBM i Security Ref - 7.1


QAUDJRN Entry Layouts

RedBook - Security Guide IBM i

Open Security Foundation - DataLoss DB

National Vulnerability Database - NIST

PCI Data Security Standard


HIPAA Resources

HITECH Enforcement

CISSP - Certification

Follow SecureMyi on Twitter
Follow SecureMyi on LinkedIn=
Follow SecureMyi on YouTube

Software from Cilasoft

Security software from Powertech
Security Training from Skyview
Security news and Events

Security Related News for IBM i

HelpSystems Acquires Halcyon Software
HelpSystems has announced the acquisition of Halcyon Software and its complete portfolio of IT systems management software solutions.
Read the Press Release for More Information

Skyview Partners Announce "Deep Dive" Security Training for IBM i - Las Vegas, NV
Skyview Partners announces its Annual "Deep Dive" Security Training for 2015.
Skyview's own Carol Woodbury will be presenting this "Deep Dive" into IBM i Security. The Two-Day Training Event will be held in Las Vegas, NV on January 27 and 28th.
For More Information and to Register to Attend

Live Security Related Webcasts and Training for IBM i

January Events

Live Hands-On - Expanded Security Workshop for IBM i, iSeries & AS/400
with Dan Riehl

Training Workshop - January 20-23 - Presented by The 400 School, Inc.
Dan Riehl presents this 4-Day Live Online Hands-on Workshop.
More Information and Register to Attend

"Deep Dive" Security Training - Las Vegas NV
with Carol Woodbury

Live Two-Day Training Event - Presented by Skyview Partners
Location: The Mandarin Oriental Hotel in Las Vegas, NV
Dates: January 27 and 28.
More Information and Register to Attend

February Events

Live Hands-On - Expanded Control Language Programming Workshop
with Dan Riehl

Training Workshop - February 2-6 - Presented by The 400 School, Inc.
Dan Riehl presents this 5-Day Live Online Hands-on Workshop.
More Information and Register to Attend

Live Hands-On - IBM i, iSeries System Administration and Control Workshop
with Dan Riehl

Training Workshop - February 23-27 - Presented by The 400 School, Inc.
Dan Riehl presents this 5-Day Live Online Hands-on Workshop.
More Information and Register to Attend

Skyview Partners

Training from The 400 School
Training from The 400 School

Security Shorts

Copying Authorities from one User to Another

By Dan Riehl -

I always encourage IBM i system administrators to use or create a special "owner" profile to own all of our production objects. For example, instead of the Distribution application programs and files being owned by a conglomeration of programmers and other IT people, the objects should be owned by a special owning profile, like DSTOWNER. DSTOWNER is not a group profile, it's just used to own objects. It has no password, so it cannot be used to sign on.

I also advise that certain system objects that we create, like User Profiles, be owned by QSECOFR. It might require an extra step to assign the ownership to QSECOFR, but doing so avoids the problem of these objects being owned by IT staff members, who come and go.

Creating a New User

When a new user must be created on your system, it is usually rather straightforward. However, if you have fallen into the trap of assigning object authorities at the user profile level, it becomes much more difficult to create the new user.

Let's say that you have a new system administrator and this new user needs to have the same authorities as an existing system administrator. You can easily copy the existing user profile to the new one. The Copy User profile option is available as Option 3 from the WRKUSRPRF(Work with User Profiles) display.

But, copying a user profile in this way does not copy the ownership of objects or the private authorities of the original user. For example, if the existing user owns a collection of libraries or files, that existing user has *ALL authority to those objects. How do we grant *ALL authority to the new user.

If the original user has private authorities, or ownership of 50 commands, 10 libraries, 200 files and a few job descriptions, you will need to grant all those same authorities to the new user. Thankfully, IBM has provided the tool to copy these authorities using the command GRTUSRAUT(Grant User Authority).

When using the command GRTUSRAUT, make sure you are signed-on as QSECOFR or as an *ALLOBJ user, otherwise, certain objects or authorities may be skipped.

Copying the Authorities

Here is a command that will copy the private authorities(including those granted through ownership) from OLDUSER to NEWUSER.


When you run this command, it would be best to submit it to batch, since it may take a log time to run. So use the command


Here is the IBM Documentation on GRTUSRAUT command.

Sponsored Links

IBM i, iSeries and AS/400
Security Services from SecureMyi

IT Security and Compliance Group

In Depth Security Assessment of IBM i
Upgrade to QSECURITY level 40 or 50
Forensic Research and Analysis
Audit Assistance and Remediation
Security Training for IT and Audit Staff
Software Selection & Configuration
Security and Systems Programming

LIVE Training from The 400 School, Inc

Customized IBM i (iSeries, AS/400) Training -
    Presented Live at your offices

LIVE Online Hands-On Workshops

ILE RPG IV Programming
ILE COBOL Programming
Interactive Programming Workshops
System Operations Workshops
System Administration and Control
Security and Auditing Workshops
Control Language Programming
IBM i Concepts and Facilities
Query Workshop

Security Training from The 400 School

Send your IBM i Security and Systems Management News and Events!           Send your Questions, Comments, Tips and Stories

Copyright 2015 -, all rights reserved | St Louis MO 63017