Intro to the AS/400
Chapter 15 - Security
Copyright 1999 by Janson Industries
Objectives

Explain general security/control concepts.
Show how the AS/400 provides security with:
  - System value QSECURITY
  - User profiles
  - Object authority
  - Authorization lists
  - Group profiles
Controls

(Diagram on the slide: the things a system must control)
  - System access
  - OS functions
  - Running programs
  - Data access: file, record, field
  - Editing of content
System Access Control

The system value “QSECURITY” determines whether there are ids and passwords.

                           Display System Value

 System value . . . . . :   QSECURITY
 Description  . . . . . :   System security level

 System security level  . . . :   30
     10=Physical security only
     20=Password security only
     30=Password and object security
     40=Password, object, and operating system integrity
     50=Password, object, and enhanced operating system integrity

 Press Enter to continue.

 F3=Exit   F12=Cancel
Security Levels

  Level 10 - sign on screen accepts any user id and password
  Level 20 - only valid user ids and passwords accepted
  Level 30 - same as level 20, plus object control
  Level 40 - same as level 30, plus control over low level system programs
Controls

(Diagram on the slide: which security level enables each control)
  QSECURITY >= 20: System access
  QSECURITY >= 30 (“OBJECT CONTROL”): OS functions, running programs,
    file/record/field access, editing of content
User ids

Creating a user id means creating a user profile.
A user profile contains information about a particular user id:
  - Password
  - Initial program to run
  - Current library
  - Default output queue
User Profile

Each user can control some aspects of their user profile with CHGPRF.
Security administrators have control over all user profile parameters:
  CRTUSRPRF
  DSPUSRPRF
  CHGUSRPRF
  DLTUSRPRF
User Profile

The user profile also controls the operating system functions (i.e. CL commands) the user id can perform.
The parameters which control O/S functions are:
  - User class
  - Special authority
Essentially they provide 2 methods for grouping and allocating access to O/S functions.
CRTUSRPRF

                         Create User Profile (CRTUSRPRF)

 Type choices, press Enter.

 User profile . . . . . . . . . . __________    Name
 User password  . . . . . . . . . *USRPRF       Name, *USRPRF, *NONE
 Set password to expired  . . . . *NO           *NO, *YES
 Status . . . . . . . . . . . . . *ENABLED      *ENABLED, *DISABLED
 User class . . . . . . . . . . . *USER         *USER, *SYSOPR, *PGMR...
 Assistance level . . . . . . . . *SYSVAL       *SYSVAL, *BASIC, *INTERMED...
 Current library  . . . . . . . . *CRTDFT       Name, *CRTDFT
 Initial program to call  . . . . *NONE         Name, *NONE
   Library  . . . . . . . . . . . ___________   Name, *LIBL, *CURLIB
 Initial menu . . . . . . . . . . MAIN          Name, *SIGNOFF
   Library  . . . . . . . . . . . *LIBL         Name, *LIBL, *CURLIB
 Limit capabilities . . . . . . . *NO           *NO, *PARTIAL, *YES
 Text 'description' . . . . . . . *BLANK
CRTUSRPRF (cont.)

                         Create User Profile (CRTUSRPRF)

 Type choices, press Enter.

                          Additional Parameters

 Special authority  . . . . . . . *USRCLS       *USRCLS, *NONE, *ALLOBJ...
                + for more values _________
 Special environment  . . . . . . *SYSVAL       *SYSVAL, *NONE, *S36
 Display sign-on information  . . *SYSVAL       *SYSVAL, *NO, *YES
 Password expiration interval . . *SYSVAL       1-366, *SYSVAL, *NOMAX
 Limit device sessions  . . . . . *SYSVAL       *SYSVAL, *YES, *NO
 Keyboard buffering . . . . . . . *SYSVAL       *SYSVAL, *NO, *TYPEAHEAD...
 Maximum allowed storage  . . . . *NOMAX        Kilobytes, *NOMAX
 Highest schedule priority  . . . 3             0-9
 Job description  . . . . . . . . QDFTJOBD      Name
   Library  . . . . . . . . . . . *LIBL         Name, *LIBL, *CURLIB
 Group profile  . . . . . . . . . *NONE         Name, *NONE
 Owner  . . . . . . . . . . . . . *USRPRF       *USRPRF, *GRPPRF
                                                                      More...
User Class

Categorizes O/S functions by the type of user:
  *USER   - provides the O/S functions (minimal) an application user needs
  *SYSOPR - provides functions a system operator would need
  *PGMR   - functions a programmer would need
  *SECADM - security administrator
  *SECOFR - grants access to all O/S functions (a system god!)
Special Authority

Categorizes/controls O/S functions by the system resource affected (more or less):
  *ALLOBJ   - all object functions
  *SPLCTL   - all spool file functions
  *IOSYSCFG - all functions that control system configuration information
  *JOBCTL   - all job functions
  *SAVSYS
  *SECADM
  *SERVICE
  *AUDIT
Operating System Functions

(Diagram on the slide: the set of operating system functions, grouped once by user class and once by special authority)
Object Control

When QSECURITY >= 30 an object control “framework” is erected.
Each object has an authorization list.
An object's authorization list can be controlled by:
  - The owner of the object:
      the user who created the object, or
      the user assigned as the object owner
  - Users with *ALLOBJ authority
  - QSECOFR
Authorization List

A list of user ids and the authority each user id has to the object.
CL commands to manage object authorities:
  DSPOBJAUT
  GRTOBJAUT
  EDTOBJAUT
DSPOBJAUT

                          Display Object Authority

 Object . . . . . . . :   YOURLIBXX     Owner . . . . . . . :   INTROXX
   Library . . . . . :   QSYS          Primary group . . . :   *NONE
 Object type . . . . :   *LIB

 Object secured by authorization list  . . . . . . . . . . . . :   *NONE

                         Object
 User        Group      Authority
 INTROXX                *ALL
 INTRO99                *CHANGE
 INTRO98                *USE
 *PUBLIC                *EXCLUDE
                                                                     Bottom
 Press Enter to continue.

 F3=Exit   F11=Display detail object authorities   F12=Cancel
 F17=Top   F18=Bottom
Object Authorities

  Object authorities        Data authorities
    *OBJOPR                   *READ
    *OBJMGT                   *ADD
    *OBJEXIST                 *UPDATE
    *OBJALTER                 *DELETE
    *OBJREF                   *EXECUTE

  *OBJOPR must be specified to get data authorities.
Object Authorities

Allow you to control the object as a whole:
  OPR   - permits access to data authorities
  MGT   - allows you to move or rename the object
  EXIST - delete or save the object
  ALTER - change an object's attributes
  REF   - use the object in a referential constraint
Data Authorities

With *OBJOPR, allow you to access & control the contents of an object:
  *READ    - permits access to view the contents of the object
  *ADD     - allows you to add to the object
  *UPDATE  - change the object's contents
  *DELETE  - delete an object's contents
  *EXECUTE - use the object (i.e. run a program, search a library)
Other Authorities

  *EXCLUDE - denies access to the object

(Diagram on the slide: the specific authorities each of the other three bundles contains)

  Authority   Object authorities            Data authorities
  *USE        OPR                           READ, EXECUTE
  *CHANGE     OPR                           READ, ADD, UPDATE, DELETE, EXECUTE
  *ALL        OPR, MGT, EXIST, ALTER, REF   READ, ADD, UPDATE, DELETE, EXECUTE
EDTOBJAUT - object authorities

                          Edit Object Authority

 Object . . . . . . . :   YOURLIBXX     Owner . . . . . . . :   INTROXX
   Library . . . . . :   QSYS          Primary group . . . :   *NONE
 Object type . . . . :   *LIB

 Type changes to current authorities, press Enter.

   Object secured by authorization list  . . . . . . . . . . . .   *NONE

                         Object     ----------Object----------
 User        Group      Authority   Opr   Mgt   Exist  Alter  Ref
 INTROXX                *ALL         X     X     X      X      X
 INTRO99                *CHANGE      X     _     _      _      _
 INTRO98                *USE         X     _     _      _      _
 *PUBLIC                *EXCLUDE     _     _     _      _      _
                                                                     Bottom
 F3=Exit   F5=Refresh   F6=Add new users   F10=Grant with reference object
 F11=Display data authorities   F12=Cancel   F17=Top   F18=Bottom
EDTOBJAUT - data authorities

                          Edit Object Authority

 Object . . . . . . . :   YOURLIBXX     Owner . . . . . . . :   INTROXX
   Library . . . . . :   QSYS          Primary group . . . :   *NONE
 Object type . . . . :   *LIB

 Type changes to current authorities, press Enter.

   Object secured by authorization list  . . . . . . . . . . . .   *NONE

                         Object     ---------------Data--------------
 User        Group      Authority   Read  Add  Update  Delete  Execute
 INTROXX                *ALL         X     X     X       X       X
 INTRO99                *CHANGE      X     X     X       X       X
 INTRO98                *USE         X     _     _       _       X
 *PUBLIC                *EXCLUDE     _     _     _       _       _
                                                                     Bottom
 F3=Exit   F5=Refresh   F6=Add new users   F10=Grant with reference object
 F11=Nondisplay detail   F12=Cancel   F17=Top   F18=Bottom

Enter a new authority in the Object Authority column, or define a new object authority by adding/deleting X’s.
Add New Users

                              Add New Users

 Object . . . . . . . :   YOURLIBXX     Owner . . . . . . . :   INTROXX
   Library . . . . . :   QSYS          Primary group . . . :   *NONE
 Object type . . . . :   *LIB

 Type new users, press Enter.

                Object      ---------------Data--------------
 User           Authority   Read  Add  Update  Delete  Execute
 __________     ________     _     _     _       _       _
 __________     ________     _     _     _       _       _
 __________     ________     _     _     _       _       _
 __________     ________     _     _     _       _       _
 __________     ________     _     _     _       _       _
 __________     ________     _     _     _       _       _
 __________     ________     _     _     _       _       _
 __________     ________     _     _     _       _       _
 __________     ________     _     _     _       _       _
 __________     ________     _     _     _       _       _
                                                                     More...
 F3=Exit   F11=Nondisplay detail   F12=Cancel   F17=Top   F18=Bottom
*PUBLIC

The *PUBLIC id authority is the authority granted to user ids not on the authorization list.

  *PUBLIC    *EXCLUDE

Anyone not on the authorization list will have no authority to the object.
Authorization Search

When an object is accessed the OS follows a search order for access authority:
  1. The user's special authorities
  2. The user's authority as specified on the object's authorization list
  3. *PUBLIC authority
Authorization Search

(Flowchart on the slide)
  Does user id have special authority?
    Yes -> Allow access
    No  -> Is user id on the authorization list?
             Yes -> Is authority high enough?
                      Yes -> Allow access
                      No  -> Deny access
             No  -> Is *PUBLIC specified?
                      Yes -> Is authority high enough?
                               Yes -> Allow access
                               No  -> Deny access
                      No  -> Deny access
Managing Security

Assigning individual users to each object is unmanageable in any midsize or large organization.
Therefore, the AS/400 offers the following security tools to help manage authority:
  - Group profiles
  - Authorization lists
  - Adopted authority
  - Alternative user environments
Group Profiles

Created like any user profile.
Object authority to many objects is defined for the “group profile”.
The group profile is assigned to other user ids (this makes it a group profile).
Usually a group profile is assigned authority according to type of job (Finance, Shipping, etc):
  - Authority to each job's needed objects is assigned once to the group profile
  - The group profile is assigned to many different users
Group Profiles

(Diagram on the slide: CRTUSRPRF creates the group profiles FIN & PGMR; a library holds three objects with these authorities)

  RPGSRC    Type = *FILE   Att = PF-SRC     PGMR     *ALL
                                            *PUBLIC  *EXCLUDE

  PAYROLL   Type = *PGM    Att = RPG        PGMR     *OBJEXIST
                                            FIN      *EXECUTE
                                            *PUBLIC  *EXCLUDE

  PAYROLL   Type = *FILE   Att = PF-DTA     FIN      *CHANGE
                                            *PUBLIC  *EXCLUDE
Group Profile

Joe Nerd is hired as a programmer.
  - What are his authorities to the 3 objects?
  - What group profile should he be assigned?
  - Which was easier for you to remember?
Group Profile

                         Create User Profile (CRTUSRPRF)

 Type choices, press Enter.

                          Additional Parameters

 Special authority  . . . . . . . *USRCLS       *USRCLS, *NONE, *ALLOBJ...
                + for more values
 Special environment  . . . . . . *SYSVAL       *SYSVAL, *NONE, *S36
 Display sign-on information  . . *SYSVAL       *SYSVAL, *NO, *YES
 Password expiration interval . . *SYSVAL       1-366, *SYSVAL, *NOMAX
 Limit device sessions  . . . . . *SYSVAL       *SYSVAL, *YES, *NO
 Keyboard buffering . . . . . . . *SYSVAL       *SYSVAL, *NO, *TYPEAHEAD...
 Maximum allowed storage  . . . . *NOMAX        Kilobytes, *NOMAX
 Highest schedule priority  . . . 3             0-9
 Job description  . . . . . . . . QDFTJOBD      Name
   Library  . . . . . . . . . . . *LIBL         Name, *LIBL, *CURLIB
 Group profile  . . . . . . . . . *NONE         Name, *NONE
 Owner  . . . . . . . . . . . . . *USRPRF       *USRPRF, *GRPPRF
                                                                      More...
 F3=Exit   F4=Prompt   F5=Refresh   F12=Cancel   F13=How to use this display
 F24=More keys
Authorization Search Order

(Flowchart on the slide)
  User authorities?
    Yes -> Is authority high enough?
             Yes -> Allow access
             No  -> Deny access
    No  -> Does group have special authority?
             Yes -> Is authority high enough? (as above)
             No  -> Is group profile on the authorization list?
                      Yes -> Is authority high enough? (as above)
                      No  -> *PUBLIC?
                               Yes -> Is authority high enough? (as above)
                               No  -> Deny access
Authorization Lists

A user defined authorization list can be created and assigned to many objects:
  CRTAUTL
  ADDAUTLE
  EDTAUTL
  DSPAUTL
  DLTAUTL
User Defined Authorization Lists

                      Create Authorization List (CRTAUTL)

 Type choices, press Enter.

 Authorization list . . . . . . . FINL          Name
 Text 'description' . . . . . . . *BLANK

                          Additional Parameters

 Authority  . . . . . . . . . . . *USE          *CHANGE, *ALL, *USE, *EXCLUDE
                                                                      Bottom
 F3=Exit   F4=Prompt   F5=Refresh   F12=Cancel   F13=How to use this display
 F24=More keys
User Defined Authorization Lists

                              Add New Users

 Object . . . . . . . :   FINL          Owner . . . . . . . :   INTROXX
   Library . . . . . :   QSYS          Primary group . . . :   *NONE

 Type new users, press Enter.

                Object      List
 User           Authority   Mgt
 BIGSHOT        *ALL         _
 PGMR           *USE         _
 FIN            *CHANGE      _
 __________     ________     _
 __________     ________     _
 __________     ________     _
 __________     ________     _
 __________     ________     _
 __________     ________     _
 __________     ________     _
 __________     ________     _
                                                                     More...
 F3=Exit   F11=Display detail object authorities   F12=Cancel
 F17=Top   F18=Bottom

User ids (group profiles too!) can be added to the list.
Assigning an Authorization List

                          Edit Object Authority

 Object . . . . . . . :   YOURLIBXX     Owner . . . . . . . :   INTROXX
   Library . . . . . :   QSYS          Primary group . . . :   *NONE
 Object type . . . . :   *LIB

 Object secured by authorization list  . . . . . . . . . . . . :   FINL

                         Object
 User        Group      Authority
 INTROXX                *ALL
 INTRO99                *CHANGE
 INTRO98                *USE
 *PUBLIC                *EXCLUDE
                                                                     Bottom
 Press Enter to continue.

 F3=Exit   F11=Display detail object authorities   F12=Cancel
 F17=Top   F18=Bottom
Authorization Search Order

(Flowchart on the slide; AL = authorization list)
  User authorities?          Yes -> Is authority high enough?
    No -> Is user on AL?     Yes -> Is authority high enough?
    No -> Group authorities? Yes -> Is authority high enough?
    No -> Is group on AL?    Yes -> Is authority high enough?
    No -> *PUBLIC?           Yes -> Is authority high enough?
    No -> Is *PUBLIC on AL?  Yes -> Is authority high enough?
    No -> Deny access

  Is authority high enough?
    Yes -> Allow access
    No  -> Deny access
Group profile vs. Authorization list

  Group Profile                          Authorization List
  One profile/authority per object       Many profiles/authorities per object
  Different authority for                Same authority for
    different objects                      different objects
Group profile vs. Authorization list

We create a group profile FINANCEGP and an authorization list FINANCEAL such that:

FINANCEAL is assigned to PGM1 and FILE1 and has users ACCT01 as *CHANGE, ACCT02 as *USE.
This means:
  ACCT01 has *CHANGE for PGM1 and FILE1
  ACCT02 has *USE for PGM1 and FILE1

FINANCEGP is assigned to PGM1 as *CHANGE & FILE1 as *USE. Designated for ACCT01 & ACCT02.
This means:
  ACCT01 & ACCT02 have *CHANGE for PGM1 and *USE for FILE1
Adopted Authority

While running a program, a user adopts the program owner's authorities.
Adopted authority is specified when the program is created.
Used instead of authorizing users to files all the time.
Users can only access the files while using the program (cuts down on errors).
Adopted Authority

                          Create CL Program (CRTCLPGM)

 Type choices, press Enter.

 Program  . . . . . . . . . . . . __________    Name
   Library  . . . . . . . . . . . *CURLIB       Name, *CURLIB
 Source file  . . . . . . . . . . QCLSRC        Name
   Library  . . . . . . . . . . . *LIBL         Name, *LIBL, *CURLIB
 Source member  . . . . . . . . . *PGM          Name, *PGM
 Text 'description' . . . . . . . *SRCMBRTXT

                          Additional Parameters

 Source listing options . . . . . _________     *SOURCE, *NOSOURCE, *SRC...
                + for more values _________
 Generation options . . . . . . . ________      *NOLIST, *LIST, *NOXREF...
                + for more values ________
 User profile . . . . . . . . . . *USER         *USER, *OWNER
 Log commands . . . . . . . . . . *JOB          *JOB, *YES, *NO
                                                                      More...
 F3=Exit   F4=Prompt   F5=Refresh   F12=Cancel   F13=How to use this display
 F24=More keys
Adopted Authority

(Flowchart on the slide)
  User authorities?          Yes -> Is authority high enough?
    No -> Group authorities? Yes -> Is authority high enough?
    No -> *PUBLIC?           Yes -> Is authority high enough?
    No -> Adopt owner authority?
            Yes -> the program owner's authorities are searched instead
            No  -> Deny access

  Is authority high enough?
    Yes -> Allow access
    No  -> Adopt owner authority? (as above)
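The search order drawn in the Authorization Search flowcharts above, together with the authority bundles from the EDTOBJAUT screens, as an added Python model; this is not code from the deck or from the AS/400 itself. FINANCEGP, FINANCEAL, ACCT01, ACCT02, PGM1 and FILE1 are the names from the group-profile-vs-authorization-list comparison; the dictionary layout, the function names and the owner profile PGMOWNER are assumptions made for this example.

```python
# Added example, not from the deck: a Python model of the authorization
# search order in the flowcharts above, with *ALL/*CHANGE/*USE/*EXCLUDE
# expanded into the specific authorities shown on the EDTOBJAUT screens.
# FINANCEGP, FINANCEAL, ACCT01, ACCT02, PGM1, FILE1 come from the comparison
# slide; the dict layout, function names and PGMOWNER are assumptions.
BUNDLES = {                                   # object + data authorities
    "*ALL": {"*OBJOPR", "*OBJMGT", "*OBJEXIST", "*OBJALTER", "*OBJREF",
             "*READ", "*ADD", "*UPDATE", "*DELETE", "*EXECUTE"},
    "*CHANGE": {"*OBJOPR", "*READ", "*ADD", "*UPDATE", "*DELETE", "*EXECUTE"},
    "*USE": {"*OBJOPR", "*READ", "*EXECUTE"},
    "*EXCLUDE": set(),
}

def entry_for(name, obj, autls):
    """Authority granted to `name`: the object's own list first, then the
    user-defined authorization list the object is secured by, if any."""
    if name in obj["auths"]:
        return obj["auths"][name]
    return autls.get(obj.get("autl"), {}).get(name)

def search(user, obj, needed, profiles, autls):
    """The first entry found decides, in the order user, group, *PUBLIC."""
    for name in (user, profiles[user]["group"], "*PUBLIC"):
        if name is None:                      # no group profile assigned
            continue
        if name != "*PUBLIC" and "*ALLOBJ" in profiles[name]["special"]:
            return True                       # special authority wins
        granted = entry_for(name, obj, autls)
        if granted is not None:
            return needed in BUNDLES.get(granted, {granted})
    return False                              # nobody listed: deny

def authorized(user, obj, needed, profiles, autls, running_pgm=None):
    """If the search fails and the running program was created with
    USRPRF(*OWNER), the search is repeated as the program owner."""
    if search(user, obj, needed, profiles, autls):
        return True
    if running_pgm and running_pgm["usrprf"] == "*OWNER":
        return search(running_pgm["owner"], obj, needed, profiles, autls)
    return False

# Constructed sample system for the comparison slide's two designs.
PROFILES = {"ACCT01": {"special": set(), "group": "FINANCEGP"},
            "ACCT02": {"special": set(), "group": "FINANCEGP"},
            "FINANCEGP": {"special": set(), "group": None},
            "PGMOWNER": {"special": set(), "group": None}}
AUTLS = {"FINANCEAL": {"ACCT01": "*CHANGE", "ACCT02": "*USE"}}
FILE1_AL = {"auths": {"*PUBLIC": "*EXCLUDE"}, "autl": "FINANCEAL"}     # list design
PGM1_GP = {"auths": {"FINANCEGP": "*CHANGE", "*PUBLIC": "*EXCLUDE"}}   # group design
FILE1_GP = {"auths": {"FINANCEGP": "*USE", "PGMOWNER": "*ALL", "*PUBLIC": "*EXCLUDE"}}
PAYROLL_PGM = {"owner": "PGMOWNER", "usrprf": "*OWNER"}   # program adopting authority
```

With the group design, ACCT01 cannot update FILE1 directly (the group only holds *USE), but can while running PAYROLL_PGM, because the failed search is repeated with the owner's *ALL.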
Alternative User Environments

The AS/400 allows you to create menus and screens.
The initial screen to display can be specified for any user id.
You can create tailored menus and screens to only allow user access to specific functions and data.
By creating screens without a command line, no CL commands can be executed.
Points to Remember

All systems must provide control over functions and access to data.
The AS/400 has a rich set of tools to manage security:
  - object control
  - user profiles
  - group profiles
  - authorization lists