SECURITY

AS/400 security is about restricting what a user can access, operate and manage on the system.
User profile

- User profiles identify users to the system and are used to verify their authorities on the system (DSPUSRPRF, CHGUSRPRF, EDTOBJAUT).
- User profiles tell the system who can sign on and what functions the user can perform on system resources after signing on.
- The security officer or a security administrator can create them.
- The user profile defines the following attributes for a particular user:
1) User class
2) Objects owned and authorized
3) Authority to objects
4) Current library
5) Initial program and menu
6) Maximum storage allowed
7) Priority limit
8) Group profile
Create User Profile (CRTUSRPRF)
Type choices, press Enter.
User profile . . . . . . . . . . > iRobo Name
User password . . . . . . . . . *USRPRF Character value, *USRPRF...
Set password to expired . . . . *NO *NO, *YES
Status . . . . . . . . . . . . . *ENABLED *ENABLED, *DISABLED
User class . . . . . . . . . . . *USER *USER, *SYSOPR, *PGMR...
Assistance level . . . . . . . . *SYSVAL *SYSVAL, *BASIC, *INTERMED...
Current library . . . . . . . . *CRTDFT Name, *CRTDFT
Initial program to call . . . . *NONE Name, *NONE
Library . . . . . . . . . . . Name, *LIBL, *CURLIB
Initial menu . . . . . . . . . . MAIN Name, *SIGNOFF
Library . . . . . . . . . . . *LIBL Name, *LIBL, *CURLIB
Display sign-on information . . *SYSVAL *SYSVAL, *NO, *YES
Maximum allowed storage . . . . *NOMAX Kilobytes, *NOMAX
Highest schedule priority . . . 3 0-9
Job description . . . . . . . . QDFTJOBD Name
Library . . . . . . . . . . . *LIBL Name, *LIBL, *CURLIB
Group profile . . . . . . . . . *NONE Name, *NONE
Owner . . . . . . . . . . . . . *USRPRF *USRPRF, *GRPPRF
Group authority . . . . . . . . *NONE *NONE, *ALL, *CHANGE, *USE...
Group authority type . . . . . . *PRIVATE *PRIVATE, *PGP
More...
F3=Exit F4=Prompt F5=Refresh F12=Cancel F13=How to use this display
F24=More keys
User class

When identifying a user on the system you can specify the user class in the user profile. AS/400 has five user classes that determine the level of system access a user is permitted. The five user classes, starting with the highest level of access, are:
- Security officer (*SECOFR)
- Security administrator (*SECADM)
- Programmer (*PGMR)
- System operator (*SYSOPR)
- User (*USER)
Object Authority

Object authority, the right of a user to use or control an object, comes in two categories:
- Object rights
- Data rights
Object Authority Type
*EXCLUDE : The user cannot access the object.
*CHANGE : The user can change the object and perform basic functions on it.
*ALL : The user can control the object's existence, specify the security for the object, change the object, and perform basic functions on the object.
*USE : The user can perform basic operations on the object, such as running a program or reading a file. The user cannot change the object.
Object rights
Object rights assign a user the following authorities:
- Object operational rights (*OBJOPR)
- Object management rights (*OBJMGT)
- Object existence rights (*OBJEXIST)
- Object alter rights (*OBJALTER)
- Object reference rights (*OBJREF)
*OBJEXIST : Object existence authority provides the authority to control the object's existence and ownership, such as deleting an object, freeing storage for an object, performing save and restore operations for an object, or transferring ownership of an object.
*OBJMGT : Object management authority provides the authority to specify the security for the object, move or rename the object, and add members to database files.
*OBJOPR : Object operational authority provides the authority to look at the description of an object and to use the object as determined by the user's data authority to the object.
Data rights
Data rights apply to the data contained within the object.
*ADD : Add authority provides the authority to add entries to an object (for example, job entries to a queue or records to a file).
*DLT : Delete authority allows the user to remove entries from an object (for example, messages from a message queue or records from a file).
*READ : Read authority provides the authority needed to show the contents of an object.
*UPD : Update authority provides the authority to change the entries in an object.
*EXECUTE : Execute authority provides the authority needed to run a program or locate an object in a library or directory.
Edit Object Authority
Object . . . . . . . : ADDCL Owner . . . . . . . : G#SAFE
Library . . . . . : AMINEM Primary group . . . : *NONE
Object type . . . . : *PGM ASP device . . . . . : *SYSBAS
Type changes to current authorities, press Enter.
Object secured by authorization list . . . . . . . . . . . . *NONE
Object ----------Object-----------
User Group Authority Opr Mgt Exist Alter Ref
*PUBLIC *CHANGE X
*GROUP G#SAFE *ALL X X X X X
Bottom
F3=Exit F5=Refresh F6=Add new users F10=Grant with reference object
F11=Display data authorities F12=Cancel F17=Top F18=Bottom
OBJECT AUTHORITY: *USE, *CHANGE, *
Add New Users
Object . . . . . . . : ADDCL Owner . . . . . . . : G#SAFE
Library . . . . . : AMINEM Primary group . . . : *NONE
Object type . . . . : *PGM ASP device . . . . . : *SYSBAS
Type new users, press Enter.
Object ----------Object-----------
User Authority Opr Mgt Exist Alter Ref
_______ _______ __ __ __ __ __
More...
F3=Exit F11=Display data authorities F12=Cancel F17=Top F18=Bottom
Add New Users
Object . . . . . . . : ADDCL Owner . . . . . . . : G#SAFE
Library . . . . . : AMINEM Primary group . . . : *NONE
Object type . . . . : *PGM ASP device . . . . . : *SYSBAS
Type new users, press Enter.
Object ---------------Data---------------
User Authority Read Add Update Delete Execute
Z03OPER *USE _x__ __ __ __ __
Work with Objects
Type options, press Enter.
2=Edit authority 3=Copy 4=Delete 5=Display authority 7=Rename
8=Display description 13=Change description
Opt Object Type Library Attribute Text
2 ADDCL *PGM AMINEM CLP clp prm to add 2 var
CAP52I00 *PGM AMINEM CBL Account fee condition intro
CFP13RA0M *PGM AMINEM CBL Fee Statement Extraction pg
ENTRY_CL *PGM AMINEM CLP ENTRY CL PGM
FPT1_PGM *PGM AMINEM RPG entry pgm to be called
More...
Parameters for options 5, 7 and 13 or command
===>
F3=Exit F4=Prompt F5=Refresh F9=Retrieve F11=Display names and types
F12=Cancel F16=Repeat position to F17=Position to
Not authorized to change authorities. >>>>>>>>>>>>>>>>>>>>>>>>
Edit Object Authority
Object . . . . . . . : ADDCL Owner . . . . . . . : G#SAFE
Library . . . . . : AMINEM Primary group . . . : *NONE
Object type . . . . : *PGM ASP device . . . . . : *SYSBAS
Type changes to current authorities, press Enter.
Object secured by authorization list . . . . . . . . . . . . *NONE
Object ----------Object-----------
User Group Authority Opr Mgt Exist Alter Ref
*PUBLIC *CHANGE X
*GROUP G#SAFE *ALL X X X X X
Z03OPER USER DEF X X X X X
Object ---------------Data---------------
User Group Authority Read Add Update Delete Execute
*PUBLIC *CHANGE X X X X X
*GROUP G#SAFE *ALL X X X X X
Z03OPER USER DEF X
Bottom
F3=Exit F5=Refresh F6=Add new users F10=Grant with reference object
F11=Display data authorities F12=Cancel F17=Top F18=Bottom
Work with Objects
Type options, press Enter.
2=Edit authority 3=Copy 4=Delete 5=Display authority 7=Rename
8=Display description 13=Change description
Opt Object Type Library Attribute Text
ADDCL *PGM AMINEM CLP clp prm to add 2 var
CAP52I00 *PGM AMINEM CBL Account fee condition intro
CFP13RA0M *PGM AMINEM CBL Fee Statement Extraction pg
ENTRY_CL *PGM AMINEM CLP ENTRY CL PGM
FPT1_PGM *PGM AMINEM RPG entry pgm to be called
GEN *PGM AMINEM RPGLE GENERATION OF ACCOUNT NUMBE
More...
Parameters for options 5, 7 and 13 or command
===> call aminem/addcl
F3=Exit F4=Prompt F5=Refresh F9=Retrieve F11=Display names and types
F12=Cancel F16=Repeat position to F17=Position to
Not authorized to program ADDCL in library AMINEM. >>>>>>>>>>>>>>>>>>>>>>
Group profile

A group profile lets a number of users share the same authority to an object.
Authorization list (*AUTL) : if different users need different authority to the same object, use an authorization list.
Create Authorization List (CRTAUTL)
Type choices, press Enter.
Authorization list . . . . . . . AUTH01 Name
Text 'description' . . . . . . . *BLANK
Additional Parameters
Authority . . . . . . . . . . . *USE *CHANGE, *ALL, *USE, *EXCLUDE
Bottom
F3=Exit F4=Prompt F5=Refresh F12=Cancel F13=How to use this display
F24=More keys
Authorization list AUTH01 created.
Add Authorization List Entry (ADDAUTLE)
Type choices, press Enter.
Authorization list . . . . . . . > AUTH01 Name, generic*
User . . . . . . . . . . . . . . > AJAISWAL Name
+ for more values + >>>>>>>>>>>>>>> To add more users
Authority . . . . . . . . . . . *CHANGE *EXCLUDE, *CHANGE, *ALL...
+ for more values
Bottom
F3=Exit F4=Prompt F5=Refresh F12=Cancel F13=How to use this display
F24=More keys
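The following is an added example and not code from the original notes. It is a small Python model of the rules described in the Object Authority section (how *ALL, *CHANGE, *USE and *EXCLUDE expand into object and data rights) and in the Group profile and Authorization list section (how a user's private authority, group profile, authorization list and *PUBLIC are consulted). The authority names and the expansion of the special values follow IBM's documentation; the profile, library and object names (ADDCL, AMINEM, G#SAFE, Z03OPER, AUTH01, AJAISWAL are taken from the screens above, PAYFILE, ANYUSER and DEV1 are made up) and the operation-to-rights table are constructed for illustration, and the search order is simplified (adopted authority and multiple group profiles are left out).

```python
# Added example, not from the original notes: a Python model of how IBM i (AS/400)
# resolves a user's authority to an object. Authority names and the expansion of the
# special values follow IBM's documentation; profile, library and object names are
# constructed, and the search order is simplified (no adopted authority, one group).
from dataclasses import dataclass, field
from typing import Optional, Union

OBJECT_RIGHTS = ("*OBJOPR", "*OBJMGT", "*OBJEXIST", "*OBJALTER", "*OBJREF")
DATA_RIGHTS = ("*READ", "*ADD", "*UPD", "*DLT", "*EXECUTE")

# System-defined authority values and the specific rights each expands to.
SPECIAL_VALUES = {
    "*ALL": frozenset(OBJECT_RIGHTS + DATA_RIGHTS),
    "*CHANGE": frozenset(("*OBJOPR",) + DATA_RIGHTS),
    "*USE": frozenset({"*OBJOPR", "*READ", "*EXECUTE"}),
    "*EXCLUDE": frozenset(),
}
Authority = Union[str, frozenset]  # a special value, or an explicit (USER DEF) set

def expand(authority: Authority) -> frozenset:
    """Specific rights behind a special value or an explicit set."""
    return SPECIAL_VALUES[authority] if isinstance(authority, str) else frozenset(authority)

def classify(rights: frozenset) -> str:
    """Special value equal to these rights, else 'USER DEF' as EDTOBJAUT shows it."""
    for name, members in SPECIAL_VALUES.items():
        if rights == members:
            return name
    return "USER DEF"

@dataclass
class AuthorizationList:
    name: str
    entries: dict = field(default_factory=dict)  # profile -> Authority
    public: Authority = "*EXCLUDE"

@dataclass
class SecuredObject:
    name: str
    library: str
    private: dict = field(default_factory=dict)  # user or group profile -> Authority
    public: Authority = "*EXCLUDE"               # "*AUTL" defers to the list's public
    autl: Optional[AuthorizationList] = None     # "Object secured by authorization list"

@dataclass
class UserProfile:
    name: str
    group: Optional[str] = None  # GRPPRF
    allobj: bool = False         # *ALLOBJ special authority (e.g. *SECOFR class)

def effective_rights(user: UserProfile, obj: SecuredObject):
    """Simplified search order: *ALLOBJ, user's private entry, user's list entry, group,
    then *PUBLIC. The first source holding an entry decides, so a private entry more
    restrictive than *PUBLIC still wins."""
    if user.allobj:
        return SPECIAL_VALUES["*ALL"], "*ALLOBJ"
    if user.name in obj.private:
        return expand(obj.private[user.name]), "private"
    if obj.autl and user.name in obj.autl.entries:
        return expand(obj.autl.entries[user.name]), f"authorization list {obj.autl.name}"
    if user.group and user.group in obj.private:
        return expand(obj.private[user.group]), f"group {user.group}"
    if obj.autl and obj.public == "*AUTL":
        return expand(obj.autl.public), f"*PUBLIC of {obj.autl.name}"
    return expand(obj.public), "*PUBLIC"

# Rights an operation needs (constructed, simplified; the real checks are more detailed).
OPERATIONS = {
    "call program": {"*OBJOPR", "*EXECUTE"},
    "delete object": {"*OBJEXIST"},
    "edit authorities": {"*OBJMGT"},
}

def check(user: UserProfile, obj: SecuredObject, operation: str) -> bool:
    rights, _source = effective_rights(user, obj)
    return OPERATIONS[operation] <= rights

def scenario():
    """Constructed scenario modelled on the screens above: ADDCL in AMINEM with *PUBLIC
    *CHANGE, group G#SAFE *ALL, Z03OPER holding only *OBJOPR and *READ; plus a file
    secured by authorization list AUTH01 (AJAISWAL *CHANGE, list public *USE)."""
    auth01 = AuthorizationList("AUTH01", {"AJAISWAL": "*CHANGE"}, public="*USE")
    objects = {
        "ADDCL": SecuredObject("ADDCL", "AMINEM", public="*CHANGE", private={
            "G#SAFE": "*ALL", "Z03OPER": frozenset({"*OBJOPR", "*READ"})}),
        "PAYFILE": SecuredObject("PAYFILE", "AMINEM", public="*AUTL", autl=auth01),
    }
    users = {n: UserProfile(n) for n in ("Z03OPER", "ANYUSER", "AJAISWAL")}
    users["DEV1"] = UserProfile("DEV1", group="G#SAFE")
    users["QSECOFR"] = UserProfile("QSECOFR", allobj=True)
    return users, objects

if __name__ == "__main__":
    users, objects = scenario()
    for uname, user in users.items():
        for obj in objects.values():
            rights, source = effective_rights(user, obj)
            print(f"{uname:9} {obj.library}/{obj.name:8} {classify(rights):9} via {source}")
    # Z03OPER's USER DEF entry lacks *EXECUTE, so the call fails although *PUBLIC is *CHANGE.
    print("Z03OPER can call ADDCL:", check(users["Z03OPER"], objects["ADDCL"], "call program"))
```

Running the block prints one line per user and object with the resolved authority and where it came from. The point it makes is the one behind the "Not authorized to program ADDCL" message above: once a user has a private entry, that entry decides, so giving a user an ad-hoc (USER DEF) mix of rights that omits *EXECUTE locks them out of a program that every other user can call through *PUBLIC *CHANGE. When reviewing authorities, look at the private and group entries first, not only at *PUBLIC.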