|
||
SecureMyi.com Security and Systems Management Newsletter for the IBM i
Issue Date: March 19, 2019
|
||
|
||
|
Feature Article
|
|
|
||
In This Issue
Quick Links
Our Newsletter Sponsors
Platinum Sponsor |
IBM i Security ResourcesIBM Security Incident Response BLOG IBM i Security Videos - from SecureMyi Search Security for IBM i - SecureMyi IBM i Security Reference - 6.1 IBM i Security Reference - 7.1 IBM i Security Reference - 7.2 IBM i Security Reference - 7.3 QAUDJRN Journal Entry Types 7.3 RedBook - Security Guide for IBM i 6.1 National Vulnerability Database - NIST PCI Security Standards Council |
|
Featured YouTube Educational VideoIBM i Security
|
||
|
||
Security Shorts
Security Shorts
By Dan Riehl - SecureMyi.com When you create a new file or program, you have the option of specifying the authority to the new object. But we typically do not specify that authority. Each CL command used to create objects has the parameter Authority (AUT), which is used to specify the *PUBLIC authority for the new object. For most of us, we do not even see the AUT parameter because we seldom prompt the CRTxxx commands. Even if you do prompt the CRTxxx commands, the AUT parameter is usually the very last parameter in the long list. We seldom get that far in the prompt. Understanding CRTAUT and *LIBCRTAUTFor almost all object types, the CRTxxx command uses the default value AUT(*LIBCRTAUT). This value *LIBCRTAUT is specified to assign the new object authority based upon the library in which it is created. So for one library, the value *LIBCRTAUT may mean AUT(*CHANGE), for another library it may mean AUT(*EXCLUDE), depending all on the library's CRTAUT value. The CRTAUT setting for a library can be set explicitly, or can be derived from the System Value QCRTAUT, which ships from IBM with a value of *CHANGE. Allowing the QCRTAUT System Value to determine the CRTAUT value for your sensitive program and data libraries is usually not what you want. When you create or change a library (CRTLIB, CHGLIB), one of the parameters is Create Authority (CRTAUT), as shown in this command to create a library: CRTLIB LIB(MYLIBRARY) CRTAUT(*EXCLUDE) When the library's CRTAUT value is *EXCLUDE, new objects created within the library will be set to *PUBLIC AUT(*EXCLUDE), based upon the CRTAUT of the library. Note: Be careful to specify the correct CRTAUT for your libraries, since CRTAUT(*SYSVAL) is the default value when initially creating a Library. Overriding the Library's CRTAUT ValueYou do not need to accept the CRTxxx command default of AUT(*LIBCRTAUT). You can specify the authority for the object as needed, as in the following command to Create a Data Area: CRTDTAARA DTAARA(MYLIBRARY/MYDATA) TYPE(*CHAR) LEN(100) AUT(*USE) Here, the CRTAUT value of MYLIBRARY is not considered, and the data area is assigned *PUBLIC AUT(*USE) authority. Using an Authorization ListWhen setting the value for a library's CRTAUT parameter, the name of an authorization list can be assigned, as shown here on the Change Library (CHGLIB) command: CHGLIB LIB(MYLIBRARY) CRTAUT(MYAUTL) Then, when a new object is created in the library, the new object will be secured by the MYAUTL authorization list. This assumes that we accepted the default value on the CRTxxx command of AUT(*LIBCRTAUT) or that we specified AUT(MYAUTL). Using an authorization list to assign the authority for a newly created object gives you some nice flexibility. You are not limited to only assigning *PUBLIC authority, but when using an authorization list, you can assign all private authorities to the object at the time the object is created. Object Ownership: The GotchaThe only gotcha when it comes to assigning authority to a new object is that the object will be owned by the creator or by the creator's primary group profile. The owner will have *ALL authority to the new object, which might not be what you want, especially if you are securing the new object with an authorization list. In these cases, you will need to develop a method to reassign the ownership of the new object. I'd be anxious to hear your ideas on the best way to set the exact authority that you want on a newly created object when the creator/owner should not have a distinct authority to the object. I am one who believes that most objects types should be owned by an "owning" profile, whose sole purpose for existence is to own objects. For example, create the user profile PRODOWNER. Assign PRODOWNER as the owner of your production objects. This owning profile PRODOWNER is not a group profile. It is simply a profile to own objects. This works great until someone creates a new object, which makes them (or their primary group) the owner of the new object, and not PRODOWNER. |
Sponsored Links
Security Services from SecureMyi |
|
|
||
|
||
Send your IBM i Security and Systems Management News and Events! Send your Questions, Comments, Tips and Stories Copyright 2014-2019 - SecureMyi.com, all rights reserved SecureMyi.com | St Louis MO 63017 |