Week 12
Lesson Overview
• Introduce the idea of object authorization
and see how library and object authorities
can be used to limit access to database files
• Review the library Create authority value,
authorization lists and group profiles
• System & User level security
Mastering the AS/400, Third Edition, author
Jerry Fottral
1
Objectives
• Use the EDTOBJAUT (Edit Object Authority)
command to observe and change individual and
public authority to libraries and objects
• Use the GRTOBJAUT (Grant Object Authority)
command
• Discuss System Security Levels
• Discuss User Classes
System Level Security
The QSECURITY system value selects one of five security
levels: 10, 20, 30, 40 and 50.
10 – no security (sign-on without a password)
20 – user ID and password required, but every profile is
created with *ALLOBJ by default
30 – object authority enforced (resource security)
40 – object authority plus operating-system integrity
protection
50 – level 40 plus additional integrity checks (enhanced
integrity)
Nothing below level 40 should be used on a production
system, and level 10 cannot be selected at all on later
OS/400 releases.
User Classes
There are five user classes on the AS/400. They are
assigned at the user-profile level (the USRCLS parameter).
They are:
– SECOFR (Security Officer)
– SECADM (Security Administrator)
– PGMR (Programmer)
– SYSOPR (System Operator)
– USER (User)
The class determines which menu options a user sees and
the default special authorities a new profile receives at a
given security level; the special authorities actually held
by the profile are what count in authorization checks.
Database File-Level Security
An object always has at least two authorized users:
– The owner of the object, who has all authority to it and
can display or change the object's description, save and
restore it, rename it, copy it to another library, or delete
it; if the object is a type that has a data component, such
as a physical file, the owner can also read the data and
add, change and delete records.
– Everyone else not covered by an explicit authorization,
known by the special name *PUBLIC.
Database File-Level Security (Continued)
Object- and data-authority types, with the system names
used on the GRTOBJAUT and RVKOBJAUT commands, and a
brief statement of usage:

Object authorities
  Column  System name  Usage
  Opr     *OBJOPR      Look at the object's description; do whatever
                       the data authorities permit
  Mgt     *OBJMGT      Move, rename and create a duplicate of the
                       object; grant and revoke authority to it
  Exist   *OBJEXIST    Delete the object; save and restore it;
                       transfer its ownership
  Alter   *OBJALTER    Add, clear and reorganize database-file
                       members; change the file structure (CHGPF)
  Ref     *OBJREF      Specify the object as the parent file when
                       adding a referential constraint to a
                       dependent file

Data authorities
  Column  System name  Usage
  Read    *READ        View the data (e.g., DSPPFM, RUNQRY) or
                       read-only access from an RPG or COBOL program
  Add     *ADD         Add records to a file, messages to a message
                       queue
  Update  *UPD         Change records in a database file
  Delete  *DLT         Remove records from a file, spooled files
                       from an output queue
  Execute *EXECUTE     Call a program; run a command; locate an
                       object in a library

The authority classes are shorthand for combinations of
these: *USE is *OBJOPR plus *READ and *EXECUTE; *CHANGE
is *OBJOPR plus all five data authorities; *ALL is every
object and data authority; *EXCLUDE is none of them.
Database File-Level Security (Continued)
When an object is created, the authority parameter
for the object (which determines the public
authority) is set to *LIBCRTAUT by default,
meaning that the system checks the create
authority value of the library into which the object
will go and uses the value found there.
Database File-Level Security (Continued)
The library's Create authority value is itself normally
*SYSVAL, meaning the QCRTAUT system value. QCRTAUT is
shipped as *CHANGE and can be changed by the security
officer (for example to *EXCLUDE); whatever it resolves to
is what appears as the new object's public authority.
Database File-Level Security (Continued)
To give all objects created in a library a different
public authority, such as *USE, *CHANGE or *EXCLUDE,
set the library's Create authority (CRTAUT) parameter
when you create the library.
Database File-Level Security (Continued)
After a library has been created, use the CHGLIB
command to change its Create authority (CRTAUT) value.
Changing the value for an existing library has no effect
on objects already in it; the change applies only to
objects created afterwards.
For existing objects in the library, use the GRTOBJAUT
(Grant Object Authority) command to set an authority level
for all or selected objects: with OBJ(library/*ALL) and
OBJTYPE(*ALL), one execution of the command changes the
authority of every object in the library. Confirm the
result with DSPOBJAUT.
Database File-Level Security (Continued)
If the object has already been created and you
own it, you can add or change explicit
authorities if required. From the
EDTOBJAUT screen, function key F6 lets
you provide explicit authority to other user
profiles not currently in the list by taking
you to the Add New Users screen.
Database File-Level Security (Continued)
Add New Users
You can enter user-profile names and specify
authority levels either by typing an X for
each object and data authority you want to
provide or by using an authority-class
special value such as *CHANGE.
Database File-Level Security (Continued)
At the Edit Object Authority screen, change *PUBLIC's
authority to *EXCLUDE by typing over the current value
(*CHANGE) in the Object Authority column and pressing
Enter to save. The screen then shows the authority level
for each of the four classes: *ALL, *CHANGE, *USE and
*EXCLUDE.
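The procedure above (a library's Create authority at CRTLIB and CHGLIB time, GRTOBJAUT against every object already in the library, and the *PUBLIC change that the Edit Object Authority screen makes interactively) as an added CL example. This is not code from the book; the library PAYLIB, file PAYMAST, user CLERK1 and the message text are assumptions made for the example.

```cl
/* Added example, not from the book. PAYLIB, PAYMAST and CLERK1 are   */
/* hypothetical names. Compile with CRTCLPGM; outside a program, drop  */
/* PGM/ENDPGM and the CHKOBJ/MONMSG pair and enter the rest as-is.    */
PGM

/* 1. Create the library closed to *PUBLIC, with CRTAUT(*EXCLUDE) so  */
/*    that objects created in it default to *EXCLUDE regardless of    */
/*    the QCRTAUT system value (which ships as *CHANGE).              */
CRTLIB     LIB(PAYLIB) TYPE(*PROD) TEXT('Payroll data') +
             AUT(*EXCLUDE) CRTAUT(*EXCLUDE)

/* 2. A file created with the default AUT(*LIBCRTAUT) picks up its    */
/*    *PUBLIC authority from the library's CRTAUT value.              */
CRTPF      FILE(PAYLIB/PAYMAST) RCDLEN(132) TEXT('Payroll master') +
             AUT(*LIBCRTAUT)
DSPOBJAUT  OBJ(PAYLIB/PAYMAST) OBJTYPE(*FILE)   /* *PUBLIC is *EXCLUDE */

/* 3. Changing CRTAUT later affects only objects created afterwards.  */
CHGLIB     LIB(PAYLIB) CRTAUT(*USE)

/* 4. Existing objects must be changed explicitly. One GRTOBJAUT with */
/*    OBJ(PAYLIB/*ALL) and OBJTYPE(*ALL) sets *PUBLIC on every object */
/*    in the library: the batch equivalent of typing *EXCLUDE over    */
/*    *PUBLIC on the Edit Object Authority screen, object by object.  */
GRTOBJAUT  OBJ(PAYLIB/*ALL) OBJTYPE(*ALL) USER(*PUBLIC) AUT(*EXCLUDE)

/* 5. Explicit (private) authority for one user: *USE on the library  */
/*    (without it the user cannot reach anything inside) and only the */
/*    specific object and data authorities the job needs on the file, */
/*    instead of the whole *CHANGE class.                             */
GRTOBJAUT  OBJ(PAYLIB) OBJTYPE(*LIB) USER(CLERK1) AUT(*USE)
GRTOBJAUT  OBJ(PAYLIB/PAYMAST) OBJTYPE(*FILE) USER(CLERK1) +
             AUT(*OBJOPR *READ *ADD)

/* 6. Take a single authority away again with RVKOBJAUT.              */
RVKOBJAUT  OBJ(PAYLIB/PAYMAST) OBJTYPE(*FILE) USER(CLERK1) AUT(*ADD)

/* 7. Check from inside a program: CHKOBJ sends CPF9802 when the      */
/*    job's user lacks the requested authority to the object.         */
CHKOBJ     OBJ(PAYLIB/PAYMAST) OBJTYPE(*FILE) AUT(*READ)
MONMSG     MSGID(CPF9802) +
             EXEC(SNDPGMMSG MSG('Not authorized to read PAYMAST'))
ENDPGM
```

Run the program (or the commands) under a profile that does not hold *ALLOBJ; with *ALLOBJ every CHKOBJ succeeds and the DSPOBJAUT output is the only thing that tells you what *PUBLIC and CLERK1 actually have.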
Database File-Level Security (Continued)
Observations about object authorities added and changed:
*ALL object authority is, for practical purposes,
equivalent to ownership, so be careful about who owns
objects (and who is granted *ALL) in a production
environment, to avoid harm to critical data, programs and
so on.
Database File-Level Security (Continued)
Every explicit object authority given to a user is still
subordinate to that user's authority to the library the
object lives in: without at least *EXECUTE authority to
the library (normally granted as *USE), the user cannot
even locate the object. No library access, no object
access.
User-profile *ALLOBJ special authority is extremely
powerful (and potentially dangerous); in a production
environment it should be held only by the security
officer, because it overrides any explicit or public
revocation of authority. Audit who holds it regularly, for
example with DSPUSRPRF USRPRF(*ALL) TYPE(*BASIC)
OUTPUT(*OUTFILE) and a query that selects profiles whose
special authorities include *ALLOBJ.
Database File-Level Security (Continued)
To provide proper levels of authority to the
library in which other objects reside (short
of giving *ALLOBJ special authority), you
can:
• Use function key F6 from the Edit Object
Authority screen for the library to grant
explicit authority to each user
• Use an authorization list or group profile
Authorization Lists
• An authorization list is an AS/400 object
that identifies a group of users and specifies
individual authority levels for each user.
• Authorization lists are useful when a certain
group of users needs authority to several
different objects and/or libraries.
• Different users in the list can have different
object- and data-authority levels.
Authorization Lists (Continued)
Instead of having to add individual private
authorities for each of the needed objects,
you can secure each object with the
authorization list.
NOTE: Private authorities are any other user-profile
names that appear under the User column of the Edit
Object Authority screen; the object owner's authority
and *PUBLIC authority aren't considered private.
Authorization Lists (Continued)
Although different users can be given
different levels of authority on an
authorization list, an individual’s authority
would be the same for all objects secured by
that authorization list.
Authorization Lists (Continued)
To create an authorization list, use the
CRTAUTL (Create Authorization List)
command.
The required parameter is the name of the list.
You can edit your authorization list using the
EDTAUTL (Edit Authorization List)
command, and that screen is similar to the
Edit Object Authority screen and lets you
add users (by using F6).
Authorization Lists (Continued)
An authorization list also specifies *PUBLIC
authority, which may be set to *EXCLUDE
or some other authority level.
To use the *PUBLIC authority level assigned
through the authorization list and not the
*PUBLIC authority granted for an object
itself, you need to change the object’s
*PUBLIC authority to *AUTL.
Authorization Lists (Continued)
When the authorization list has been created and
members added to it, use the EDTOBJAUT command on
each object to be secured by the list (GRTOBJAUT with
the AUTL parameter does the same thing non-interactively,
and DSPAUTLOBJ lists the objects a list currently secures).
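The whole authorization-list procedure above (create the list, add members at different levels, secure the objects, and point the objects' *PUBLIC at the list) as an added CL example. This is not the book's code; the list PAYAUTL, library PAYLIB, files PAYMAST and PAYHIST, and users CLERK1 and PAYMGR are hypothetical names.

```cl
/* Added example, not from the book. PAYAUTL, PAYLIB, PAYMAST, PAYHIST,*/
/* CLERK1 and PAYMGR are hypothetical names.                           */
PGM

/* 1. Create the list with its own *PUBLIC authority (*EXCLUDE here). */
CRTAUTL    AUTL(PAYAUTL) TEXT('Payroll files') AUT(*EXCLUDE)

/* 2. Add members with different levels. A member's level is the same */
/*    for every object the list secures. *AUTLMGT lets PAYMGR add and */
/*    remove users on the list itself without needing *ALLOBJ; it is  */
/*    not part of *CHANGE, so grant it deliberately.                  */
ADDAUTLE   AUTL(PAYAUTL) USER(CLERK1) AUT(*USE)
ADDAUTLE   AUTL(PAYAUTL) USER(PAYMGR) AUT(*CHANGE *AUTLMGT)

/* 3. Secure the objects with the list (batch equivalent of EDTOBJAUT */
/*    on each object). Later changes to the list reach all of them.   */
GRTOBJAUT  OBJ(PAYLIB/PAYMAST) OBJTYPE(*FILE) AUTL(PAYAUTL)
GRTOBJAUT  OBJ(PAYLIB/PAYHIST) OBJTYPE(*FILE) AUTL(PAYAUTL)

/* 4. Make each object's *PUBLIC defer to the list's *PUBLIC (*AUTL). */
/*    Without this the object's own *PUBLIC value (often *CHANGE from */
/*    QCRTAUT) is still what unlisted users get.                      */
GRTOBJAUT  OBJ(PAYLIB/PAYMAST) OBJTYPE(*FILE) USER(*PUBLIC) AUT(*AUTL)
GRTOBJAUT  OBJ(PAYLIB/PAYHIST) OBJTYPE(*FILE) USER(*PUBLIC) AUT(*AUTL)

/* 5. Members still need authority to the library itself; the library */
/*    can be secured by the same list.                                */
GRTOBJAUT  OBJ(PAYLIB) OBJTYPE(*LIB) AUTL(PAYAUTL)

/* 6. Verify: who is on the list, and which objects it secures.       */
DSPAUTL    AUTL(PAYAUTL)
DSPAUTLOBJ AUTL(PAYAUTL)

/* 7. One command removes a user from every secured object at once.   */
RMVAUTLE   AUTL(PAYAUTL) USER(CLERK1)
ENDPGM
```

Step 4 is the one most often forgotten: an object secured by a list whose *PUBLIC is *EXCLUDE is still open to everyone if the object's own *PUBLIC remained *CHANGE, and DSPOBJAUT on the object shows both values side by side.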
Group Profiles
The third way to provide access to a library
and grant object authority to groups of users
is through the use of group profiles.
A group profile is similar in certain respects
to other user profiles.
The security administrator creates a group
profile and usually gives it a user-profile
name and a password of *NONE.
Group Profiles (Continued)
NOTE: Use caution in providing special
authorities to a group profile because
members of the group inherit any special
authorities in addition to their own
individual authorities.
Once the group profile is created, individual
users can be assigned to it by changing the
Group profile parameter of each group
member’s user profile.
Group Profiles (Continued)
• Users with similar system needs can be assigned to the
same group profile, and there can be as many different
group profiles as there are groups of users with distinct
needs.
• The group profile can be given explicit private
authority to objects and libraries.
• A group profile can be granted different levels of
authority for different objects.
• All members of the group are implicitly granted the
same level of authority to a given object as the group
profile specifies.
Group Profiles (Continued)
The system uses a hierarchy of authorization
checking when accessing objects on the
AS/400.
At the top is a user with *ALLOBJ special
authority, which overrides any attempted
restriction through authorization lists, group
profiles, or explicit private object authority.
Group Profiles (Continued)
If the user profile does not have *ALLOBJ
special authority, the system next checks to
see whether explicit private object authority
exists.
If the user’s name is in the list of private
authorities shown by the EDTOBJAUT
command, the user will have whatever level
of authority is specified there.
Group Profiles (Continued)
Explicit private object authority takes
precedence over both authorization lists and
group profiles -- whether the explicit
authority limits or extends authority
specified by the authorization list or group
profile.
Group Profiles (Continued)
If no explicit authorization has been specified
for a user, the system checks the
authorization list (if there is one) securing
the object, and if the user is found on the
object’s authorization list, the authority
level granted there applies.
Group Profiles (Continued)
If the requesting user is not on the
authorization list for the object (or if the
object is not secured by an authorization
list), the system checks to see whether the
user is part of a group profile given specific
authority to the object. If the user is a
member of such a group, the authority
granted to the group applies to the user.
Group Profiles (Continued)
If none of the other cases holds, the user receives the
*PUBLIC authority (or lack of it) granted for that object.
In a nutshell, the hierarchy is:
– *ALLOBJ user-profile special authority
– User-name explicit (private) object authority
– Authorization-list member
– Group-profile member
– *PUBLIC authority
The first level at which an entry is found decides the
outcome; the system does not keep looking further down for
a more permissive entry. The full OS/400 algorithm has more
steps than this summary (authority adopted from a program,
for one), but this order is what to keep in mind when
diagnosing an unexpected grant or denial.
Group Profiles (Continued)
Group profiles, unlike authorization lists, do
not permit the granting of variable levels of
authority to different group members, but
exceptions to the group-granted authority
level can be handled by specifying private
object authority for individual group
members when necessary. Such individual
user authorization always overrides the
group authority.
Group Profiles (Continued)
An object can have several different groups among its
explicitly authorized users, each with a different level
of authority.
If one group is the only profile that needs authority
beyond *PUBLIC (and the owner), make that group the
object's primary group rather than adding a private
authority for it.
Each object can have at most one primary group, and the
primary group cannot also be the object's owner.
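The group-profile procedure above (create the group, assign members, grant authority once to the group) together with the two points just made, a private authority that overrides the group's for one member and a primary group in place of a private entry, as an added CL example. This is not the book's code; the group PAYGRP, users CLERK1, CLERK2 and TEMP1, library PAYLIB and file PAYMAST are hypothetical names.

```cl
/* Added example, not from the book. PAYGRP, CLERK1, CLERK2, TEMP1,   */
/* PAYLIB and PAYMAST are hypothetical names.                         */
PGM

/* 1. A group profile is an ordinary user profile that nobody signs   */
/*    on with: PASSWORD(*NONE), and SPCAUT(*NONE) because every       */
/*    member inherits whatever special authorities the group holds.   */
CRTUSRPRF  USRPRF(PAYGRP) PASSWORD(*NONE) USRCLS(*USER) +
             SPCAUT(*NONE) TEXT('Payroll clerks group')

/* 2. Make existing users members. OWNER(*GRPPRF) makes objects they  */
/*    create belong to the group, so ownership does not walk out the  */
/*    door with the individual.                                       */
CHGUSRPRF  USRPRF(CLERK1) GRPPRF(PAYGRP) OWNER(*GRPPRF)
CHGUSRPRF  USRPRF(CLERK2) GRPPRF(PAYGRP) OWNER(*GRPPRF)
CHGUSRPRF  USRPRF(TEMP1)  GRPPRF(PAYGRP)

/* 3. Grant authority once, to the group: access to the library plus  */
/*    *CHANGE on the file. Every member now has *CHANGE implicitly.   */
GRTOBJAUT  OBJ(PAYLIB) OBJTYPE(*LIB) USER(PAYGRP) AUT(*USE)
GRTOBJAUT  OBJ(PAYLIB/PAYMAST) OBJTYPE(*FILE) USER(PAYGRP) AUT(*CHANGE)

/* 4. Exception for one member: a private authority on the user's own */
/*    name takes precedence over the group's, whether it narrows the  */
/*    access (TEMP1 becomes read-only here) or excludes it entirely.  */
GRTOBJAUT  OBJ(PAYLIB/PAYMAST) OBJTYPE(*FILE) USER(TEMP1) AUT(*USE)

/* 5. Alternative to the private entry from step 3: if the group is   */
/*    the only profile needing more than *PUBLIC, make it the file's  */
/*    primary group. Revoke the private entry first so only one       */
/*    mechanism is in play. An object has at most one primary group,  */
/*    and it cannot be the object's owner.                            */
RVKOBJAUT  OBJ(PAYLIB/PAYMAST) OBJTYPE(*FILE) USER(PAYGRP) AUT(*ALL)
CHGOBJPGP  OBJ(PAYLIB/PAYMAST) OBJTYPE(*FILE) NEWPGP(PAYGRP) +
             PGPAUT(*CHANGE)

/* 6. Verify: DSPOBJAUT shows owner, primary group, private entries   */
/*    and *PUBLIC; DSPUSRPRF TYPE(*GRPMBR) lists the group's members. */
DSPOBJAUT  OBJ(PAYLIB/PAYMAST) OBJTYPE(*FILE)
DSPUSRPRF  USRPRF(PAYGRP) TYPE(*GRPMBR)
ENDPGM
```

To confirm the precedence in step 4, sign on as TEMP1 and attempt an update against PAYMAST: it fails with a not-authorized message even though the group holds *CHANGE, while CLERK1 and CLERK2 can update. Treat the group's SPCAUT as part of every member's profile when reviewing who effectively holds *ALLOBJ or *SECADM.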