Security and Systems Management Newsletter for the IBM i                 September 25, 2013 - Vol 3, Issue 36
Security from
Security Study

iSecurity from SEA

Security? See how SKYVIEW PARTNERS can help!

Feature Article

Discovering Problems with Private Authorities

By Dan Riehl -

When an object(i.e. File, Program, Library, etc.) is created, it is owned by either the user that created the object or by the user's primary group profile. Ownership depends on the OWNER attribute of the user profile. If the value is set to OWNER(*GRPPRF), objects created are owned by the user's primary group, if OWNER(*USRPRF) is specified, objects are owned by the user, not the group.

To view objects owned by a user profile you can use the command:


In addition to ownership, a user can be assigned explicit private authority to an object using the command GRTOBJAUT(Grant Object Authority), or by adding a user from the EDTOBJAUT(Edit Object Authority) display.

Normally, we want to avoid adding private authorities to an object. We typically want all of our User objects to be secured by an authorization list containing group profile names, and not individual user names.

Once we start down the path of assigning private authorities at the user level, rather than at the group profile level, we begin to build an overly complex security scheme that will require constant maintenance as users come and go. Using Authorization Lists and Group Profiles in our authorization settings provides the least complex configuration, and requires the least amount of on-going maintenance. We do not have to make additions and changes every time a new user is added, or when a user's job function changes. In those cases, we simply assign the user to the correct group profile.

Problems in Assigning Private Authorities to Users

Any private authorities that exist, should be assigned at the Group profile level. But, alas, our systems have evolved over time, and what we typically have is a hodgepodge of mixed ownership and numerous private authority inconsistencies.

One of our aims should be to remove private authorities that exist for individual users, and reassign the authority to their group. That is, if the private authority is really needed at all.

Working With Objects by Private Authority

IBM has provided the command WRKOBJPVT(Work With Objects by Private Authority). The command is used to list all the private authorities that are held by a user.
(NOTE: If the user is the owner of the object, the object will not be included in the Private Authority report. Ownership is reported using the WRKOBJOWN command as discussed above.)

Read More

In This Issue

Featured Article - Private Authorities

Security Shorts - Report on User Profiles

Featured Video - Hidden Security Options

Industry News and Calendar

Security Resources

Quick Links

Search Security Site for IBM i and i5/OS

SecureMyi Website

Security Training from The 400 School

SecureMyi Newsletter Home/Archives

Our Newsletter Sponsors

Platinum Sponsor

    The 400 School, Inc

Gold Sponsor


    Skyview Partners, Inc

    Software Engineering of America

Silver Sponsor

    Cilasoft Security Solutions

IBM i Security Resources

John Earl Memorial Tribute

IBM i Security Videos - SecureMyi

SecureMyi Newsletter Archives

Search Security for IBM i

IBM i Security Ref - 6.1

IBM i Security Ref - 7.1


QAUDJRN Entry Layouts

RedBook - Security Guide IBM i

OSF - DataLoss DB

PCI Data Security Standard


HIPAA Resources

HITECH Enforcement

CISSP - Certification

Follow SecureMyi on Twitter

Follow SecureMyi on YouTube

iSecurity from SEA

Security Study

Security news and Events

September Events

Automating File Transfers and Meeting Service Level Agreements
Live Webcast - Presented by Linoma Software
Thursday, September 26 12:00 Noon CDT
More Information and Register to Attend

Configuring Real-Time Security Event Notification on IBM i
Live Webcast - Presented by PowerTech
Thursday, September 26 1:00pm CDT
More Information and Register to Attend

October Events

A Decade of IBM i Security: The Good, the Bad, and the Ugly
Live Webcast - Presented by PowerTech
Wednesday, October 2 1:00pm CDT
More Information and Register to Attend

Implementing Multiple Layers of Defense
with Carol Woodbury

Live Webcast - Presented by Skyview Partners
Friday, October 4 10:00am CDT
More Information and Register to Attend

Live Hands-On - Expanded Security Workshop for IBM i
with Dan Riehl

Training Workshop - October 7-10
Dan Riehl presents this 4-Day Live Online Hands-on Workshop.
More Information and Register to Attend

2013 IBM Power Systems Technical University at Enterprise2013
Sponsored by IBM - (ed. This is the newest name for the IBM Technical Conference)
Orlando, FL, October 21-25
More Information and Register to Attend

November Events

Live Hands-On - IBM i System Administration and Control Workshop
with Dan Riehl

Full Length Training Workshop - November 11-15
Dan Riehl presents this 5-Day Live Online Hands-on Workshop.
More Information and Register to Attend

Security? See how SKYVIEW PARTNERS can help!

Featured YouTube Video

The "Hidden" Security Options for IBM i

Featured Video - WRKFCNUSG - Control The

Cannot Access Youtube from your office? Here is the presentation in wmv format.   Click to Download the wmv file

Security Shorts

Quick Reporting On Your User Profiles

By Dan Riehl

When you need to perform quick analysis on your user profiles, here are some tips.

First create a file containing information about all of your user profiles. This will be a snapshot of your current user profiles. You can create this file of users by using the following command.


Where LibraryName and Filename are your selected values.

Now, using IBM i Access for Windows file transfer, you can simply download the file into Excel and slice and dice the user attributes to your heart's content.

If you want to run some quick reports, you can use the RUNQRY(Run Query) command. One nice thing about using RUNQRY is that you can perform record selection, and optionally specify that you want a printed report, or display to your screen.

Enter the following command to be prompted for record selection criteria:


Here are some nice record selections you can choose

Users that have not signed on since July 1, 2011

UPPSOD      LT     '110701'

Users will *ALLOBJ Special Authority


Users with Action Auditing Values(e.g. AUDLVL(*CMD))

UPAUDL      NE     '*NONE'  

Sponsored Links

IBM i, iSeries and AS/400
Security Services from SecureMyi

Expert IBM i Security Consulting
IT Security and Compliance Group. LLC

In Depth Security Assessment of IBM i
Upgrade to QSECURITY level 40 or 50
Forensic Research and Analysis
Audit Assistance and Remediation
Security Training for IT and Audit Staff
Security Software Selection & Configuration
Customized Security/System Programming

Live Training from The 400 School, Inc

Customized IBM i (AS/400) Training -
    Presented Live at your offices

Live Online Hands-On Workshops

ILE RPG IV Programming
ILE COBOL Programming
Interactive Programming Workshops
System Operations Workshops
System Administration and Control
Security and Auditing Workshops
Control Language Programming
IBM i Concepts and Facilities
Query Workshop

Training from The 400 School

Send your IBM i Security and Systems Management News and Events!           Send your Questions, Comments, Tips and Stories

Copyright 2013 -, all rights reserved | St Louis MO 63017