Security and Systems Management Newsletter for the IBM i             June 11, 2014 - Vol 4, Issue 10
Security Training from

Security software from Powertech

Skyview Partners

Security Training from The 400 School

Feature Article - Encore Presentation!

Why Use Authorization Lists?

By Carol Woodbury

The Authorization List is a security administration tool that has been available since Release 1.0 of OS/400. Authorization lists or authority lists, as some people call them, are a tool that help security administrators manage authority to objects (libraries, files, folders, directories, etc) when all of the objects need to be authorized in the same way. In other words, they make an administrator’s life significantly easier when users need the same authorization level to a bunch of objects.

Let’s walk through the steps of securing the files for an HR (Human Resources) application with an authorization list.

Create the authorization list using the Create Authorization List command.


Note: All authorization lists are created in the QSYS library. This is not optional.

Determine the objects you’re going to secure with the authorization list.

In this example, you are going to secure all of the files associated with a Human Resources application.

To associate the authorization list with the files, run the following command. This associates all of the files in the HR_LIB library with the HR_AUTL authorization list.


To associate an authorization list with an object in the Integrated File System use the Change Authority (CHGAUT) command


For the users needing authority to the files which are secured by the list, grant them authority to the list.

Run the Add Authorization List Entry (ADDAUTLE) command. In this case, the Human Resources group profile, GRP_HR is being granted *USE authority to the HR_AUTL authorization list.


Optionally you can use the Edit Authorization List (EDTAUTL) command, specifying the name of the authorization list. Using EDTAUTL, you can easily add and remove users from the list, and specify their authorization to the list, and therefore, the objects secured by the list.

And the Effect is

After following these steps, when a member of the Human Resources group (GRP_HR) accesses FILE001 in library HR_LIB, they will access it with *USE authority because IBM i will recognize that the FILE001 is secured with the HR_AUTL authorization list, and that their group has *USE authority to the list.

Read More

In This Issue

Featured Article - Why Authorization Lists?

Security Shorts - Change Journaling Options

Industry News and Calendar

Security Resources

Quick Links

Search Security Site for IBM i and i5/OS

SecureMyi Website

Security Training from The 400 School

SecureMyi Newsletter Home/Archives

Our Newsletter Sponsors

Platinum Sponsor

    The 400 School, Inc

Gold Sponsor


    Skyview Partners, Inc

Silver Sponsor

    Cilasoft Security Solutions

IBM i Security Resources

IBM i Security Videos - SecureMyi

SecureMyi Newsletter Archives

Search Security for IBM i

IBM i Security Ref - 6.1

IBM i Security Ref - 7.1


QAUDJRN Entry Layouts

RedBook - Security Guide IBM i

Open Security Foundation - DataLoss DB

National Vulnerability Database - NIST

PCI Data Security Standard


HIPAA Resources

HITECH Enforcement

CISSP - Certification

Follow SecureMyi on Twitter

Follow SecureMyi on YouTube

Software from Cilasoft

Security software from Powertech
Security news and Events

Industry News for IBM i Security

State of IBM i Security Study 2014 Released

PowerTech, a division of HelpSystems has announced the release of the 2014 State of IBM i Security Study.

Now in its eleventh year, the study includes data from 233 servers and partitions audited with PowerTech’s Compliance Assessment tool in 2013. The participating organizations spanned a broad range of industries, including finance, healthcare, communication, education, and transportation.

You can Download the Free 2014 Security Study Here

Skyview Making Hay out of Managed Security Services

Skyview Partners is now in their second full year of offering Managed Security Services for the IBM i and AIX. According to John Vanderwall, Co-Founder and CEO of Skyview Partners, "The growth in the program continues to be very exciting as new clients, both large and small, join us in the program. We have been able to scale very nicely to meet the service level agreements and the highest expectations of our growing client base."

Learn more about Skyview's Managed Security Services at the Skyview Site

Live Security Related Webcasts and Training for IBM i

June Events

Coffee with Carol: with guest presenter Patrick Townsend
Encrypting Data with FIELDPROC - No Application Changes!

Live Webcast - Presented by Skyview Partners
Thursday, June 12 10:00am CDT
More Information and Register to Attend

Skyview Partners

Security Training from The 400 School

Security Shorts -
Changing Database Journaling Options on the Fly

By Dan Riehl

A while back, I was confronted with a task in which I needed to change the journaling characteristics of a physical file. The file was being journaled with *AFTER images only, and I needed to change the journaling option to capture *BOTH the before and after images of database record changes.

I suspected I would need to end journaling of the file and then start journaling (STRJRNPF) with the *BOTH (before and after images) option. I didn't know all the ramifications that the stop and start would have, but I knew that I wanted to avoid it if possible. I was unaware of any way to do this. So I needed to check whether there was a way to change the journaling characteristics without ending the journaling of the file on a live system.

I used the CL command GO CMDJRN to review commands that relate to journaling, and I found the Change Journaled Object (CHGJRNOBJ) command. I prompted the command (F4) and pressed F1 to review the command help text. It turns out that the command was exactly what I was looking for. The CHGJRNOBJ command was introduced by IBM in OS/400 V5R3.

Here's a snippet from the command online help text from IBM.

The Change Journaled Object (CHGJRNOBJ) command changes the journaling attributes of a journaled object without the need to end and restart journaling for the object.

The command can be used to change the Images (IMAGES) value for a database file (*FILE) or a data area (*DTAARA) object without the need to end and restart journaling for the object.

The command can be used to change the Omit journal entry (OMTJRNE) value for a database file (*FILE), an integrated file system stream file (*STMF) or directory (*DIR) object without the need to end and restart journaling for the object.

Only one journaling attribute can be changed at a time.

Because I needed to change the IMAGES attribute from *AFTER to *BOTH, I used the command:


Then, in order to omit the Open and Close journal entries I used the command:


As the help text says, you can change only one attribute per execution of the command--thus the need to run the command twice, once for each attribute to be changed.

Sponsored Links

IBM i, iSeries and AS/400
Security Services from SecureMyi

IT Security and Compliance Group

In Depth Security Assessment of IBM i
Upgrade to QSECURITY level 40 or 50
Forensic Research and Analysis
Audit Assistance and Remediation
Security Training for IT and Audit Staff
Software Selection & Configuration
Security and Systems Programming

Live Training from The 400 School, Inc

Customized IBM i (AS/400) Training -
    Presented Live at your offices

Live Online Hands-On Workshops

ILE RPG IV Programming Workshop
RPG/400 Programming Workshop
IBM i COBOL Programming
Interactive Programming Workshops
System Operations Workshops
System Administration and Control
Security and Audit Workshops
Control Language Programming
IBM i Concepts and Facilities
Query Workshop

Security Services from

Send your IBM i Security and Systems Management News and Events!           Send your Questions, Comments, Tips and Stories

Copyright 2014 -, all rights reserved | St Louis MO 63017