Security and Security System Values

Presentation on theme: "Security and Security System Values"— Presentation transcript:

1 Security and Security System Values
Chapter 11 Security and Security System Values

2 Security: Two Broad Areas
Physical security. Data security.
Understanding AS/400 System Operations

3 Data Security: Three Broad Areas
System level (the QSECURITY system value). User profiles. Object (resource) security.

4 System Security Level
The system value QSECURITY sets the security level for the whole system.
Security Level 20 (SL20): a user ID and password are required to sign on, but every user profile is created with *ALLOBJ special authority, so all users have full access to all objects; resource security is not enforced.
Security Level 30 (SL30): complete resource security. A valid user ID and password are required, and access to objects is decided by authority. The most common setting at the time of this text.

5 System Security Level (continued)
Security Level 40 (SL40): level 30 plus integrity protection. Prevents applications from using "unauthorized" low-level programming techniques, that is, unsupported interfaces that would bypass object authority.
Security Level 50 (SL50): level 40 plus enhanced integrity protection, the level designed to the Department of Defense "C2" criteria. Objects may be reached only through the supported AS/400 APIs and commands; a program that tries to reach low-level functions or system internals directly is abnormally ended.

6 User Profiles
All user profiles (object type *USRPRF) reside in the system library, QSYS.

7 User Profile Defines
Basic security information (password, status, user class). Special authorities granted. Job processing information: job queue, output queue, initial program or menu to call, current library.

8 Components of a User Profile

9 IBM Default User Profiles
Security Officer: QSECOFR. Unlimited access to all objects (holds every special authority, including *ALLOBJ).
System Administrator: no profile is provided. Responsible for creating and maintaining user profiles.

10 IBM Default User Profiles
System Operator: QSYSOPR. Controls jobs and printed output; performs backup and restore functions.
Programmers: QPGMR. Broad access to development libraries.
Users: QUSER. End user.

11 Special Service User Profiles
QSRV: service profile (all service functions). This is the profile that the person who services the AS/400 uses.
QSRVBAS: basic service profile (limited functions).

12 Additional IBM-supplied User Profiles
Not to be used for sign-on by anyone; used internally to do special functions.
QAUTPROF: IBM general authority profile. QBRMS: Backup Recovery and Media Services (BRMS) profile. QDBSHR: database share profile.

13 Additional IBM-supplied User Profiles
QDFTOWN: default owner. All objects on the AS/400 must be owned by a valid user profile; if a user profile is deleted or is no longer valid, ownership of its objects is changed to QDFTOWN. QDOC: document profile. QDSNX: distributed systems node executive profile.

14 Additional IBM-supplied User Profiles
QFNC: finance profile. QGATE: user profile to bridge into PROFS (VM/MVS on mainframes). QLPAUTO: licensed program automatic-installation user. QLPINSTALL: licensed program installation user.

15 Additional IBM-supplied User Profiles
QMSF: mail server framework profile. QNETSPLF: network spooling profile. QNFSANON: NFS anonymous user profile. QSNADS: SNADS user. QSPL: spooling user. QSPLJOB: spooling readers/writers job user profile.

16 Additional IBM-supplied User Profiles
QSYS: internal system user. QTCP: TCP/IP user.

17 Special Authorities
Special authorities are user-based: they are granted on the user profile, not on any object. Here is what they do:
*ALLOBJ: can do anything to any object. Reserved for the security officer. Overrides all private and public authorities.
*AUDIT: control auditing (the audit system values and object and user auditing).
*IOSYSCFG: change the system's I/O and communications configuration.

18 Special Authorities
*JOBCTL: manage jobs running on the system, and output queues created with OPRCTL(*YES). Given to system operators.
*SAVSYS: perform backup and restore of any object, without needing authority to the object itself.

19 Special Authorities
*SECADM: create and alter user profiles. *SECADM allows a user to: create, change, and delete user profiles; add users to distribution lists; work with access to documents and folders; control access to the system; change security-related system values and network attributes (together with *ALLOBJ). A *SECADM user can grant a special authority to another profile only if the *SECADM user holds that authority, so *SECADM alone does not hand out *ALLOBJ.

20 Special Authorities
*SERVICE: service and dump functions. Run service functions such as System Service Tools (SST), which read and alter storage beneath the object authority layer; restrict it as tightly as *ALLOBJ.
*SPLCTL: manage spooled output. Allows every spool control function (display, hold, release, change, delete) on all output queues, including queues that restrict operator control and display of data. *JOBCTL, by contrast, reaches only output queues created with OPRCTL(*YES).

21 User Class
The user class supplies the default special authorities a profile receives when SPCAUT(*USRCLS) is specified on CRTUSRPRF, and it controls which menu options are shown to the user. The classes are: *SECOFR, *SECADM, *PGMR, *SYSOPR, *USER.

22 Class Special Authorities
Figure 11-1: Special authorities granted to user classes in SL20 AS/400s.

23 Class Special Authorities
Figure 11-2: Special authorities granted to user classes in all other AS/400 security levels.
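The following is an added example, not code from the book: a check that compares each profile's actual special authorities with what its user class implies, which is the comparison an auditor makes against Figure 11-2. The class-to-authority table is IBM's documented default for SPCAUT(*USRCLS) at QSECURITY 30 and above; the profile records are constructed in the shape of DSPUSRPRF output, and the profile names (MDAWSON, OPR1, WEBAPP) are assumed.

```python
"""Audit user profiles against the special authorities their user class implies.
Added example (not from the book). CLASS_DEFAULTS is IBM's documented default
for SPCAUT(*USRCLS) at QSECURITY 30/40/50; SAMPLE_PROFILES is constructed."""

ALL_SPECIAL = {"*ALLOBJ", "*SECADM", "*JOBCTL", "*SPLCTL",
               "*SAVSYS", "*SERVICE", "*AUDIT", "*IOSYSCFG"}

# Default special authorities per user class at security level 30 and above.
CLASS_DEFAULTS = {
    "*SECOFR": ALL_SPECIAL,
    "*SECADM": {"*SECADM"},
    "*PGMR":   set(),
    "*SYSOPR": {"*SAVSYS", "*JOBCTL"},
    "*USER":   set(),
}

# Worth a finding of their own outside *SECOFR: *ALLOBJ and *SERVICE amount
# to full control, *SECADM creates and alters profiles, *SPLCTL reads every
# spooled report, *AUDIT can switch auditing off.
HIGH_RISK = {"*ALLOBJ", "*SECADM", "*SERVICE", "*SPLCTL", "*AUDIT"}


def excess_authorities(user_class, special_authorities, security_level):
    """Special authorities held beyond the class default."""
    if security_level < 30:
        # At level 10/20 every class also receives *ALLOBJ, so a comparison
        # against the level-30 table would say nothing useful.
        raise ValueError("class defaults differ below QSECURITY 30; raise the level first")
    return set(special_authorities) - CLASS_DEFAULTS[user_class]


def audit(profiles, security_level):
    """One finding per profile whose special authorities exceed its class."""
    findings = []
    for p in profiles:
        extra = excess_authorities(p["class"], p["spcaut"], security_level)
        if extra:
            findings.append({
                "user": p["name"],
                "class": p["class"],
                "excess": sorted(extra),
                "high_risk": sorted(extra & HIGH_RISK),
            })
    return findings


# Constructed sample in the shape of DSPUSRPRF USRPRF(*ALL) TYPE(*BASIC) output.
SAMPLE_PROFILES = [
    {"name": "QSECOFR", "class": "*SECOFR", "spcaut": sorted(ALL_SPECIAL)},
    {"name": "MDAWSON", "class": "*PGMR",   "spcaut": ["*ALLOBJ", "*JOBCTL"]},
    {"name": "OPR1",    "class": "*SYSOPR", "spcaut": ["*JOBCTL", "*SAVSYS", "*SPLCTL"]},
    {"name": "BWEBER",  "class": "*USER",   "spcaut": []},
    {"name": "WEBAPP",  "class": "*USER",   "spcaut": ["*SECADM"]},
]

if __name__ == "__main__":
    for f in audit(SAMPLE_PROFILES, security_level=40):
        print(f"{f['user']:<10}{f['class']:<9}excess={f['excess']} high_risk={f['high_risk']}")
```

A profile in class *SECOFR with fewer authorities than the full set is not reported, since the check is only for grants beyond the class; the three findings on the sample data are MDAWSON (*ALLOBJ in a programmer profile), OPR1 (*SPLCTL on an operator) and WEBAPP (*SECADM on an end-user profile).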

24 Object Security (Authorities)
Users are named on an object in several forms: ownership; named users with specific (private) authorities; authorization lists; public authority (*PUBLIC).

25 Ownership: Single and Group
Four categories: the user who created the object; a previous owner, whose authorities can be kept or revoked when ownership is transferred; the group profile of the creator, when the creator's profile specifies OWNER(*GRPPRF); the user to whom ownership has been transferred with Change Object Owner (CHGOBJOWN).

26 Object Management Authorities
*OBJOPR (Operational): can use the object as determined by the other specific authorities.
*OBJMGT (Management): can specify security for the object; can move or rename it.
*OBJEXIST (Existence): can delete the object, change its owner, free its storage, and perform save/restore functions on it.
*AUTLMGT (Authority List Management): can add and remove users on an authorization list and attach the list to objects.
*OBJALTER (Alter): can change the attributes of database files or add and remove stored triggers.
*OBJREF (Reference): can name a database file as the parent in a referential integrity constraint.

27 Data Authorities
*READ: can read the contents of the object. *ADD: can add entries to the object. *UPD: can change existing entries. *DLT: can delete all or part of the object's contents. *EXECUTE: can run a program, or locate objects in a library or directory.

28 Four Pre-defined Specific Authorities
*ALL: all management and all data authorities (*OBJOPR, *OBJMGT, *OBJEXIST, *OBJALTER, *OBJREF, *READ, *ADD, *UPD, *DLT, *EXECUTE).
*CHANGE: operational authority (*OBJOPR) and all data authorities.
*USE: operational, read, and execute authorities (*OBJOPR, *READ, *EXECUTE). Cannot add, change, or delete the object's contents.
*EXCLUDE: no access. *EXCLUDE is a real entry, not the absence of one: a private *EXCLUDE for a user is found first and stops the system from considering that user's group or *PUBLIC authority.

29 System Authority Structure
Figure 11-3: System authority structure.

30 Adopted Authority
A program adopts the authority of its owner in one of two ways: on program creation, by specifying USRPRF(*OWNER) on the create command; or after the program has been created, with the Change Program (CHGPGM) command:
CHGPGM PGM(<library>/<program name>) USRPRF(*OWNER)
A separate attribute, USEADPAUT(*YES | *NO), controls whether the program also inherits authority already adopted by earlier programs in the call stack; the system value QUSEADPAUT restricts who may create programs with USEADPAUT(*YES). A program that adopts a powerful owner (for example QSECOFR) hands that owner's authority to anyone who can call it, so the program object itself must be secured with *EXCLUDE public authority and only the intended callers named.
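The following model is an added example, not code from the book. It walks the authority sources of slides 24 to 30 in the order the system checks them (the user's *ALLOBJ, the user's own private authority on the object or on its authorization list, the user's group profiles, then *PUBLIC, and finally authority adopted from a program with USRPRF(*OWNER)) and shows the two outcomes people find surprising: a private authority stops the search even when the user's group holds more, and an adopting program lets a user do what *PUBLIC never allowed. The MSTFLE entries mirror Figure 11-11 and the MCAUTLST list mirrors Figure 11-17; the extra users, the private *EXCLUDE for BWEBER, the program PAYUPD and the adoption rules as coded here are assumptions for the illustration.

```python
"""Model of how the AS/400 decides whether a user may act on an object.
Added example, not the book's or IBM's code; users, objects and programs are
constructed. Lookup order: *ALLOBJ, the user's own entry (object or list),
group entries (accumulated), *PUBLIC, then adopted authority."""
from dataclasses import dataclass, field
from typing import Optional

DATA_AUTH = {"*READ", "*ADD", "*UPD", "*DLT", "*EXECUTE"}
MGT_AUTH = {"*OBJOPR", "*OBJMGT", "*OBJEXIST", "*OBJALTER", "*OBJREF"}
PREDEFINED = {                       # slide 28, expanded to specific authorities
    "*ALL": MGT_AUTH | DATA_AUTH,
    "*CHANGE": {"*OBJOPR"} | DATA_AUTH,
    "*USE": {"*OBJOPR", "*READ", "*EXECUTE"},
    "*EXCLUDE": set(),
}

def expand(auth):
    """A predefined name, or a set of specific authorities (USER DEF)."""
    return set(PREDEFINED[auth]) if isinstance(auth, str) else set(auth)

@dataclass
class User:
    name: str
    special: set = field(default_factory=set)    # e.g. {"*ALLOBJ"}
    groups: list = field(default_factory=list)   # group profiles (User objects)

@dataclass
class AuthList:                                  # an *AUTL object (EDTAUTL)
    name: str
    entries: dict                                # user name -> authority
    public: str = "*EXCLUDE"

@dataclass
class SecuredObject:                             # what one EDTOBJAUT panel shows
    name: str
    owner: str
    private: dict = field(default_factory=dict)  # user name -> authority
    public: str = "*EXCLUDE"                     # "*AUTL" defers to the list's *PUBLIC
    autl: Optional[AuthList] = None

@dataclass
class Program:
    name: str
    owner: str
    adopts_owner: bool = False                   # USRPRF(*OWNER)
    use_adopted: bool = True                     # USEADPAUT(*YES)

def _named(obj, name):
    """Authority a profile name holds on the object or its list, else None."""
    if name in obj.private:
        return expand(obj.private[name])
    if obj.autl and name in obj.autl.entries:
        return expand(obj.autl.entries[name])
    return None

def resolve(obj, user):
    """First source naming the user decides; a private *EXCLUDE ends the
    search even if a group holds *ALL. Group authorities accumulate."""
    if "*ALLOBJ" in user.special:
        return expand("*ALL")
    mine = _named(obj, user.name)
    if mine is not None:
        return mine
    found, acc = False, set()
    for g in user.groups:
        if "*ALLOBJ" in g.special:
            return expand("*ALL")
        ga = _named(obj, g.name)
        if ga is not None:
            found, acc = True, acc | ga
    if found:
        return acc
    if obj.public == "*AUTL" and obj.autl:
        return expand(obj.autl.public)
    return expand(obj.public)

def is_authorized(obj, user, required, call_stack=(), users=None):
    """required: specific authorities the operation needs. call_stack: Programs,
    most recent last. Assumed simplification: each adopting program's owner is
    checked on its own, and USEADPAUT(*NO) stops the walk toward earlier programs."""
    if required <= resolve(obj, user):
        return True
    for pgm in reversed(call_stack):
        if pgm.adopts_owner and users and pgm.owner in users:
            if required <= resolve(obj, users[pgm.owner]):
                return True
        if not pgm.use_adopted:
            break
    return False

def demo():
    newgrp = User("NEWGRP")
    mdawson = User("MDAWSON", groups=[newgrp])
    bweber = User("BWEBER", groups=[newgrp])
    jjcroney = User("JJCRONEY")
    qsecofr = User("QSECOFR", special={"*ALLOBJ"})
    users = {u.name: u for u in (newgrp, mdawson, bweber, jjcroney, qsecofr)}
    mstfle = SecuredObject("MSTFLE", "NEWGRP", public="*CHANGE", private={
        "NEWGRP": "*ALL", "MDAWSON": "*CHANGE", "BWEBER": "*EXCLUDE"})
    startup = SecuredObject("STARTUP", "PGM", public="*AUTL",
                            autl=AuthList("MCAUTLST", {"PGM": "*ALL", "BWEBER": "*USE"}))
    payupd = Program("PAYUPD", "NEWGRP", adopts_owner=True)   # assumed program
    upd, delete, run = {"*OBJOPR", "*UPD"}, {"*OBJEXIST"}, {"*OBJOPR", "*EXECUTE"}
    return {
        "mdawson_update": is_authorized(mstfle, mdawson, upd),          # private *CHANGE
        "mdawson_delete_object": is_authorized(mstfle, mdawson, delete),  # group *ALL never reached
        "bweber_read": is_authorized(mstfle, bweber, {"*OBJOPR", "*READ"}),  # *EXCLUDE wins
        "public_update": is_authorized(mstfle, jjcroney, upd),
        "public_delete_object": is_authorized(mstfle, jjcroney, delete),
        "adopted_delete_object": is_authorized(mstfle, jjcroney, delete, (payupd,), users),
        "bweber_run_startup": is_authorized(startup, bweber, run),      # via MCAUTLST
        "public_run_startup": is_authorized(startup, jjcroney, run),    # list *PUBLIC *EXCLUDE
        "qsecofr_delete_object": is_authorized(mstfle, qsecofr, delete),
    }

if __name__ == "__main__":
    for name, allowed in demo().items():
        print(f"{name:<24} {allowed}")
```

Two results are the ones to remember when reading an EDTOBJAUT panel: MDAWSON belongs to NEWGRP, which holds *ALL, yet cannot delete MSTFLE, because the private *CHANGE entry is found first; and JJCRONEY, who is not named at all, can delete it while running PAYUPD, because the program adopts NEWGRP. That second case is why a program with USRPRF(*OWNER) needs its own callers restricted.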

31 System Values and System Security
QAUDLVL: security auditing level (which security events are written to the QAUDJRN audit journal).
QAUTOVRT: automatic configuration of virtual devices. Unlimited virtual device creation gives a remote sign-on attacker a fresh device, and a fresh QMAXSIGN count, for every connection.
QDSPSGNINF: sign-on display information control (shows the user the previous sign-on and any invalid sign-on attempts).
QINACTITV: inactive job time-out interval.

32 System Values and System Security
QINACTMSGQ: inactive job message queue (what happens when QINACTITV expires).
QLMTDEVSSN: limit device sessions (one sign-on per user at a time).
QLMTSECOFR: limit security officer device access (users with *ALLOBJ or *SERVICE may sign on only at explicitly authorized devices).
QMAXSIGN: maximum sign-on attempts.

33 System Values and System Security
QMAXSGNACN: action when the maximum sign-on attempts is reached (disable the device, the user profile, or both).
QPWDEXPITV: password expiration interval.
QPWDLMAJC: limit adjacent digits in a password (two numerics may not be next to each other).

34 System Values and System Security
QPWDLMREP: limit repeated characters in a password.
QPWDLMTCHR: characters not allowed in a password.
QPWDMAXLEN: maximum password length.

35 System Values and System Security
QPWDMINLEN: minimum password length.
QPWDPOSDIF: limit password character positions (a character may not be in the same position it had in the previous password).
QPWDRQDDGT: force the use of at least one digit in a password.

36 System Values and System Security
QPWDRQDDIF: required difference in passwords (how many previous passwords a new password must differ from; 0 allows reuse).
QPWDVLDPGM: user program to validate passwords. The program is called with the new password in clear text, so it must never store or log it.
QRETSVRSEC: retain server security data (keeps decryptable copies of passwords for server authentication).
QSECURITY: security level.
QUSEADPAUT: use adopted authority (restricts who may create programs with USEADPAUT(*YES)).
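The password system values above are easier to reason about when applied to real candidates. The block below is an added example, not code from the book or IBM's implementation: it applies rules corresponding to QPWDMINLEN, QPWDMAXLEN, QPWDLMTCHR, QPWDLMAJC, QPWDLMREP, QPWDRQDDGT, QPWDPOSDIF and QPWDRQDDIF to a candidate password and reports which values it would violate. The policy settings and the password history are constructed; the QPWDRQDDIF mapping from value to history depth is IBM's documented table. Passwords are compared in upper case, the form the ten-character passwords of this era take.

```python
"""Apply the QPWD* password rules to candidate passwords.
Added example, not the book's or IBM's code. POLICY and the history in
demo() are constructed; the rules are what each system value rejects."""

# QPWDRQDDIF value -> number of previous passwords the new one must differ from.
RQDDIF_HISTORY = {0: 0, 1: 32, 2: 24, 3: 18, 4: 12, 5: 10, 6: 8, 7: 6, 8: 4}

POLICY = {                   # constructed policy
    "QPWDMINLEN": 6,
    "QPWDMAXLEN": 10,
    "QPWDLMTCHR": "AEIOU",   # characters that may not appear (*NONE = no limit)
    "QPWDLMAJC": 1,          # 1 = two digits may not be adjacent
    "QPWDLMREP": 2,          # 0 = repeats allowed, 1 = no repeats at all, 2 = not adjacent
    "QPWDRQDDGT": 1,         # 1 = at least one digit required
    "QPWDPOSDIF": 1,         # 1 = no character in the same position as in the last password
    "QPWDRQDDIF": 5,         # 5 = must differ from the previous 10 passwords
}


def check_password(candidate, previous, policy=POLICY):
    """Return the sorted list of system values the candidate violates
    (empty list = accepted). previous: earlier passwords, most recent first."""
    pw = candidate.upper()
    history = [p.upper() for p in previous]
    pairs = list(zip(pw, pw[1:]))            # adjacent character pairs
    violated = set()
    if len(pw) < policy["QPWDMINLEN"]:
        violated.add("QPWDMINLEN")
    if len(pw) > policy["QPWDMAXLEN"]:
        violated.add("QPWDMAXLEN")
    if policy["QPWDLMTCHR"] != "*NONE" and set(pw) & set(policy["QPWDLMTCHR"]):
        violated.add("QPWDLMTCHR")
    if policy["QPWDLMAJC"] == 1 and any(a.isdigit() and b.isdigit() for a, b in pairs):
        violated.add("QPWDLMAJC")
    if policy["QPWDLMREP"] == 1 and len(set(pw)) < len(pw):
        violated.add("QPWDLMREP")
    if policy["QPWDLMREP"] == 2 and any(a == b for a, b in pairs):
        violated.add("QPWDLMREP")
    if policy["QPWDRQDDGT"] == 1 and not any(c.isdigit() for c in pw):
        violated.add("QPWDRQDDGT")
    # QPWDPOSDIF compares only against the immediately previous password.
    if policy["QPWDPOSDIF"] == 1 and history and any(a == b for a, b in zip(pw, history[0])):
        violated.add("QPWDPOSDIF")
    if pw in history[:RQDDIF_HISTORY[policy["QPWDRQDDIF"]]]:
        violated.add("QPWDRQDDIF")
    return sorted(violated)


def demo():
    previous = ["PAYROLL7", "SALES22", "MARCH99"]   # constructed history, newest first
    return {pw: check_password(pw, previous)
            for pw in ("XK7TRN", "PAYROLL8", "QWERTY", "Z1Z2Z3Z4Z5Z", "SALES22")}


if __name__ == "__main__":
    for pw, result in demo().items():
        print(f"{pw:<12} {'accepted' if not result else ', '.join(result)}")
```

On a real system these checks run inside the operating system when a password is changed; a QPWDVLDPGM exit program can only add rules, never relax them. The sample shows the typical failure of a "rotated" password: PAYROLL8 after PAYROLL7 is rejected by QPWDPOSDIF even though it is a different password, while SALES22 trips five values at once.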

37 Security Menu
SECURITY                         Security                      System: BIGBLUE
Select one of the following:
     1. Work with object authority
     2. Work with authorization lists
     3. Office security
     4. Change your password
     5. Change your user profile
     6. Work with user profiles
     7. Work with system values
     8. Security tools
    70. Related commands
Selection or command
===> ___________________________________________________________________
F3=Exit   F4=Prompt   F9=Retrieve   F12=Cancel   F13=Information Assistant
F16=AS/400 Main menu
(C) COPYRIGHT IBM CORP. 1980, 1998.
Figure 11-4: Security menu.

38 Changing the Default User IDs' Passwords
Change Passwords for IBM-Supplied Users                        System: BIGBLUE
Type new password below for IBM-supplied user, type password again to verify change, then press Enter.
New security officer (QSECOFR) password . . .
  New password (to verify)  . . . . . . . . .
New system operator (QSYSOPR) password  . . .
New programmer (QPGMR) password . . . . . . .
New user (QUSER) password . . . . . . . . . .
New service (QSRV) password . . . . . . . . .
                                                                     More...
F1=Help   F3=Exit   F5=Refresh   F12=Cancel
Figure 11-5: Screen from Setup menu to change IBM-supplied passwords.
These profiles ship with well-known default passwords (each equal to the profile name), so changing them is one of the first steps after installation, not an optional hardening item.

39 User-profile Commands
CRTUSRPRF: Create User Profile.
CHGUSRPRF: Change User Profile.
DLTUSRPRF: Delete User Profile.
DSPUSRPRF: Display User Profile.
RSTUSRPRF: Restore User Profile.
RTVUSRPRF: Retrieve User Profile information (CL programs only).

40 Create User Profile Screen 1
Create User Profile (CRTUSRPRF)
Type choices, press Enter.
User profile . . . . . . . . . .  __________   Name
User password  . . . . . . . . .  *USRPRF      Name, *USRPRF, *NONE
Set password to expired  . . . .  *NO          *NO, *YES
Status . . . . . . . . . . . . .  *ENABLED     *ENABLED, *DISABLED
User class . . . . . . . . . . .  *USER        *USER, *SYSOPR, *PGMR...
Assistance level . . . . . . . .  *SYSVAL      *SYSVAL, *BASIC, *INTERMED...
Current library  . . . . . . . .  *CRTDFT      Name, *CRTDFT
Initial program to call  . . . .  *NONE        Name, *NONE
  Library  . . . . . . . . . . .  __________   Name, *LIBL, *CURLIB
Initial menu . . . . . . . . . .  MAIN         Name, *SIGNOFF
  Library  . . . . . . . . . . .  *LIBL        Name, *LIBL, *CURLIB
Limit capabilities . . . . . . .  *NO          *NO, *PARTIAL, *YES
Text 'description' . . . . . . .  *BLANK
                                                                      Bottom
F3=Exit   F4=Prompt   F5=Refresh   F10=Additional parameters   F12=Cancel
F13=How to use this display   F24=More keys
Figure 11-6: Prompted version of command CRTUSRPRF (screen 1).
Note the defaults on this screen: PASSWORD(*USRPRF) makes the password equal to the profile name, PWDEXP(*NO) does not force the user to change it at first sign-on, and LMTCPB(*NO) leaves the command line and the ability to change the initial program, menu and current library available to the user.

41 Create User Profile Screen 2
Create User Profile (CRTUSRPRF)
Type choices, press Enter.
                         Additional Parameters
Special authority  . . . . . . .  *USRCLS      *USRCLS, *NONE, *ALLOBJ...
             + for more values    __________
Special environment  . . . . . .  *SYSVAL      *SYSVAL, *NONE, *S36
Display sign-on information  . .  *SYSVAL      *SYSVAL, *NO, *YES
Password expiration interval . .  *SYSVAL      , *SYSVAL, *NOMAX
Limit device sessions  . . . . .  *SYSVAL      *SYSVAL, *YES, *NO
Keyboard buffering . . . . . . .  *SYSVAL      *SYSVAL, *NO, *TYPEAHEAD...
Maximum allowed storage  . . . .  *NOMAX       Kilobytes, *NOMAX
Highest schedule priority  . . .
Job description  . . . . . . . .  QDFTJOBD     Name
  Library  . . . . . . . . . . .  *LIBL        Name, *LIBL, *CURLIB
Group profile  . . . . . . . . .  *NONE        Name, *NONE
Owner  . . . . . . . . . . . . .  *USRPRF      *USRPRF, *GRPPRF
                                                                      More...
F3=Exit   F4=Prompt   F5=Refresh   F12=Cancel   F13=How to use this display
F24=More keys
Figure 11-7: Prompted version of command CRTUSRPRF, Additional Parameters (screen 2 of 4).

42 Create User Profile Screen 3
Create User Profile (CRTUSRPRF)
Type choices, press Enter.
Group authority  . . . . . . . .  *NONE        *NONE, *ALL, *CHANGE, *USE...
Group authority type . . . . . .  *PRIVATE     *PRIVATE, *PGP
Supplemental groups  . . . . . .  *NONE        Name, *NONE
             + for more values    __________
Accounting code  . . . . . . . .  *BLANK
Document password  . . . . . . .  *NONE        Name, *NONE
Message queue  . . . . . . . . .  *USRPRF      Name, *USRPRF
  Library  . . . . . . . . . . .  __________   Name, *LIBL, *CURLIB
Delivery . . . . . . . . . . . .  *NOTIFY      *NOTIFY, *BREAK, *HOLD, *DFT
Severity code filter . . . . . .
Print device . . . . . . . . . .  *WRKSTN      Name, *WRKSTN, *SYSVAL
Output queue . . . . . . . . . .  *WRKSTN      Name, *WRKSTN, *DEV
Attention program  . . . . . . .  *SYSVAL      Name, *NONE, *SYSVAL, *ASSIST
                                                                      More...
F3=Exit   F4=Prompt   F5=Refresh   F12=Cancel   F13=How to use this display
F24=More keys
Figure 11-7: Prompted version of command CRTUSRPRF (screen 3 of 4).

43 Create User Profile Screen 4
Create User Profile (CRTUSRPRF)
Type choices, press Enter.
Sort sequence  . . . . . . . . .  *SYSVAL      Name, *SYSVAL, *HEX...
  Library  . . . . . . . . . . .  __________   Name, *LIBL, *CURLIB
Language ID  . . . . . . . . . .  *SYSVAL      *SYSVAL...
Country ID . . . . . . . . . . .  *SYSVAL      *SYSVAL...
Coded character set ID . . . . .  *SYSVAL      *SYSVAL, *HEX...
Character identifier control . .  *SYSVAL      *SYSVAL, *DEVD, *JOBCCSID
Locale job attributes  . . . . .  *SYSVAL      *SYSVAL, *NONE, *CCSID...
             + for more values    __________
Locale . . . . . . . . . . . . .  *SYSVAL
User options . . . . . . . . . .  *NONE        *NONE, *CLKWD, *EXPERT...
User ID number . . . . . . . . .  *GEN         , *GEN
Group ID number  . . . . . . . .  *NONE        , *NONE, *GEN
Home directory . . . . . . . . .  *USRPRF
                                                                      More...
F3=Exit   F4=Prompt   F5=Refresh   F12=Cancel   F13=How to use this display
F24=More keys
Figure 11-9: Partial prompted version of command CRTUSRPRF (screen 4 of 4).

44 Object Security Screen 1
Edit Object Authority
Object . . . . . . :  MSTFLE        Owner  . . . . . . :  NEWGRP
  Library  . . . . :  MDAWSON       Primary group  . . :  *NONE
Object type  . . . :  *FILE
Type changes to current authorities, press Enter.
Object secured by authorization list  . . . . . . . . . . . .  *NONE
                        Object
User        Group       Authority
NEWGRP                  *ALL
*PUBLIC                 *CHANGE
Figure 11-10: Displaying object authority on MSTFLE.

45 Object Security Screen 2
Edit Object Authority
Object . . . . . . :  MSTFLE        Owner  . . . . . . :  MDAWSON
  Library  . . . . :  MDAWSON       Primary group  . . :  *NONE
Object type  . . . :  *FILE
Type changes to current authorities, press Enter.
Object secured by authorization list  . . . . . . . . . . . .  *NONE
                        Object
User        Group       Authority
NEWGRP                  *ALL
MDAWSON                 *CHANGE
*PUBLIC                 *CHANGE
Figure 11-11: Displaying object MSTFLE's authorities.

46 Object Security Screen 3
Edit Object Authority
Object . . . . . . :  MSTFLE        Owner  . . . . . . :  MDAWSON
  Library  . . . . :  MDAWSON       Primary group  . . :  NEWGRP
Object type  . . . :  *FILE
Type changes to current authorities, press Enter.
Object secured by authorization list  . . . . . . . . . . . .  *NONE
                        Object
User        Group       Authority
NEWGRP                  *ALL
MDAWSON                 *CHANGE
*PUBLIC                 *CHANGE
Figure 11-11: Displaying object MSTFLE's authorities, now with NEWGRP as the primary group.

47 Edit Object Authority
Edit Object Authority (EDTOBJAUT)
Type choices, press Enter.
Object . . . . . . . . . . . . .  OPRLIB       Name
  Library  . . . . . . . . . . .  *LIBL        Name, *LIBL, *CURLIB
Object type  . . . . . . . . . .  *LIB         *ALRTBL, *AUTL, *BNDDIR...
                                                                      Bottom
F3=Exit   F4=Prompt   F5=Refresh   F12=Cancel   F13=How to use this display
F24=More keys
Figure 11-13: The Edit Object Authority screen.

48 OPRLIB Object Authorities
Edit Object Authority
Object . . . . . . :  OPRLIB        Owner  . . . . . . :  HOHLY#M
  Library  . . . . :  QSYS          Primary group  . . :  *NONE
Object type  . . . :  *LIB
Type changes to current authorities, press Enter.
Object secured by authorization list  . . . . . . . . . . . .  *NONE
                        Object
User        Group       Authority
HOHLY#M                 *ALL
QSYSOPR                 USER DEF
OPR                     *CHANGE
OPR                     *USE
*PUBLIC                 *EXCLUDE
                                                                      Bottom
F3=Exit   F5=Refresh   F6=Add new users   F10=Grant with reference object
F11=Display detail object authorities   F12=Cancel   F17=Top   F18=Bottom
Figure 11-14: Object authorities of the OPRLIB.
Note that different users hold different authorities to this object. The authorities shown are the predefined ones (USER DEF marks a user-defined combination); the next screens break them down into object and data authorities.

49 OPRLIB Object Authorities
Edit Object Authority
Object . . . . . . :  OPRLIB        Owner  . . . . . . :  HOHLY#M
  Library  . . . . :  QSYS          Primary group  . . :  *NONE
Object type  . . . :  *LIB
Type changes to current authorities, press Enter.
Object secured by authorization list  . . . . . . . . . . . .  *NONE
                        Object      ---------- Object ----------
User        Group       Authority   Opr   Mgt   Exist   Alter   Ref
HOHLY#M                 *ALL        X     X     X       X       X
QSYSOPR                 USER DEF    X     _     _       _       _
OPR                     *CHANGE     X     _     _       _       _
OPR                     *USE        X     _     _       _       _
*PUBLIC                 *EXCLUDE    _     _     _       _       _
                                                                      Bottom
F3=Exit   F5=Refresh   F6=Add new users   F10=Grant with reference object
F11=Display data authorities   F12=Cancel   F17=Top   F18=Bottom
Figure 11-15: Object authorities of the OPRLIB.
Note the object authorities behind each predefined authority: only *ALL carries anything beyond *OBJOPR.

50 OPRLIB Object Authorities
Edit Object Authority
Object . . . . . . :  OPRLIB        Owner  . . . . . . :  HOHLY#M
  Library  . . . . :  QSYS          Primary group  . . :  *NONE
Object type  . . . :  *LIB
Type changes to current authorities, press Enter.
Object secured by authorization list  . . . . . . . . . . . .  *NONE
                        Object      -------------- Data --------------
User        Group       Authority   Read   Add   Update   Delete   Execute
HOHLY#M                 *ALL        X      X     X        X        X
QSYSOPR                 USER DEF    X      _     _        _        _
OPR                     *CHANGE     X      X     X        X        X
OPR                     *USE        X      _     _        _        X
*PUBLIC                 *EXCLUDE    _      _     _        _        _
                                                                      Bottom
F3=Exit   F5=Refresh   F6=Add new users   F10=Grant with reference object
F11=Nondisplay detail   F12=Cancel   F17=Top   F18=Bottom
Figure 11-15: Data authorities of the OPRLIB.
Note the data authorities behind each predefined authority: *CHANGE grants all five, *USE only Read and Execute, and the USER DEF entry for QSYSOPR grants Read alone.

51 Sample Authorization List
Edit Authorization List
Object . . . . . . :  MCAUTLST      Owner  . . . . . . :  PGM
  Library  . . . . :  QSYS          Primary group  . . :  *NONE
Type changes to current authorities, press Enter.
            Object      List
User        Authority   Mgt
PGM         *ALL        X
BWEBER      *USE        _
HOHLY#M     *ALL        _
*PUBLIC     *EXCLUDE    _
Figure 11-17: Sample authorization list, MCAUTLST, displayed using the EDTAUTL command.

52 Authorization List Objects
Display Authorization List Objects
Authorization list . . . . . :  MCAUTLST     Owner . . . . . . . :  PGM
  Library  . . . . . . . . . :  QSYS         Primary group . . . :  *NONE
                                            Primary
Object      Library    Type    Owner   group     Text
ONERPGPGM   MDAWSON    *PGM    PGM     *NONE     One RPG program
STARTUP     MDAWSON    *PGM    PGM     *NONE     PROGRAM to start sub
Figure 11-17: Result of pressing F15 from Figure 11-17 (EDTAUTL): the objects secured by the authorization list MCAUTLST.

53 Object Authority
Edit Object Authority
Object . . . . . . :  STARTUP       Owner  . . . . . . :  PGM
  Library  . . . . :  MDAWSON       Primary group  . . :  *NONE
Object type  . . . :  *PGM
Type changes to current authorities, press Enter.
Object secured by authorization list  . . . . . . . . . . . .  MCAUTLST
                        Object
User        Group       Authority
JJCRONEY                *ALL
*GROUP      PGM         *ALL
*PUBLIC                 *EXCLUDE
Figure 11-19: Object authority from the object's viewpoint.

