Published by Elmer Jacobs. Modified over 9 years ago.
Mastering the AS/400, Third Edition, author Jerry Fottral
Week 12

Slide 1: Lesson Overview
– Introduce the idea of object authorization and see how library and object authorities can be used to limit access to database files
– Review the library authority value, authorization lists and group profiles
– System- and user-level security

Slide 2: Objectives
– Use the EDTOBJAUT (Edit Object Authority) command to observe and change individual and public authority to libraries and objects
– Use the GRTOBJAUT (Grant Object Authority) command
– Discuss system security levels
– Discuss user classes

Slide 3: System Level Security
There are five security levels: 10, 20, 30, 40 (& 50).
– 10: no security
– 20: user ID & password
– 30 & 40: object authority
– 50: new 5.1 level

Slide 4: User Classes
There are five such user classes on the AS/400. They are assigned at the user profile level. They include:
– SECOFR (Security Officer)
– SECADM (Security Administrator)
– PGMR (Programmer)
– SYSOPR (System Operator)
– USER (User)

Slide 5: Database File-Level Security
An object has at least two authorized users:
– The owner of the object, who has all authority to it and can display or change the object’s description, save and restore the object, rename it, copy it to another library, or delete it; if the object is a type that has a data component, i.e., a physical file, the object owner can read the data, delete or add new records, and change existing records.
– Everyone else not covered by another explicit authorization, given the special name *PUBLIC.
Slide 6: Database File-Level Security (Continued)
Detail of object- and data-authority types with a brief statement of usage:

Object authorities     Usage
Opr -- Operational     Look at the object’s description; do whatever the data authority permits
Mgt -- Management      Move, rename, and create duplicate object; grant authority
Exist -- Existence     Delete the object; perform SAVE and RESTORE operations

Slide 7: Database File-Level Security (Continued)
Object- and data-authority types (continued):

Object authorities     Usage
Alter -- Alter         Add, clear, reorganize database-file members; change file structure (CHGPF)
Ref -- Reference       Specify the object as parent file in adding a referential constraint (to a dependent file)

Slide 8: Database File-Level Security (Continued)
Object- and data-authority types (continued):

Data authorities   Usage
Read               View the data (e.g., DSPFFD, RUNQRY) or read-only access from an RPG or COBOL program
Add                Add records to a file, messages to a message queue
Update             Change records in a database file
Delete             Remove records from a file, spooled files from an output queue, objects from a library
Execute            Call a program
Slide 9: Database File-Level Security (Continued)
When an object is created, the authority parameter for the object (which determines the public authority) is set to *LIBCRTAUT by default, meaning that the system checks the create authority value of the library into which the object will go and uses the value found there.

Slide 10: Database File-Level Security (Continued)
That value is normally set by default to the system value QCRTAUT; the QCRTAUT system value can be set by the Security Officer (e.g., to *EXCLUDE), and that is what appears as the object’s public authority.

Slide 11: Database File-Level Security (Continued)
To use another public authority, such as *USE or *CHANGE, for all objects in a library, change the Create authority parameter value when you create the library.

Slide 12: Database File-Level Security (Continued)
After a library has been created, use the CHGLIB command to change the Create authority parameter value. Changing the value for an existing library has no effect on objects already created in it, but the change applies to newly created objects. For objects already in the library, use the GRTOBJAUT (Grant Object Authority) command to set an authority level for all or specified objects in the library; executing the command once can affect the authorities of all objects.
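The resolution chain on slides 9 through 12, as an added Python model that is not part of the slides or of IBM's code: an object created with AUT(*LIBCRTAUT) takes the library's create authority, which in turn may defer to the QCRTAUT system value, and that public authority is fixed at creation time. The *SYSVAL spelling of the deferral, the QCRTAUT value, and the names PAYLIB, EMPMAST and PAYHIST are assumptions.

```python
SYSVAL = {"QCRTAUT": "*CHANGE"}   # system value the Security Officer controls (constructed value)

class Library:
    """Constructed model: a library's create authority and the objects created in it."""

    def __init__(self, name, crtaut="*SYSVAL"):   # *SYSVAL assumed as the "defer to QCRTAUT" spelling
        self.name, self.crtaut, self.objects = name, crtaut, {}

    def resolve_crtaut(self):
        """Library create authority: *SYSVAL defers to QCRTAUT, any other value stands on its own."""
        return SYSVAL["QCRTAUT"] if self.crtaut == "*SYSVAL" else self.crtaut

    def create_object(self, name, aut="*LIBCRTAUT"):
        """*PUBLIC authority is resolved once, at creation, and stored with the object (slide 9)."""
        public = self.resolve_crtaut() if aut == "*LIBCRTAUT" else aut
        self.objects[name] = public
        return public

    def chglib(self, crtaut):
        """CHGLIB CRTAUT(...): changes the default for future objects only (slide 12)."""
        self.crtaut = crtaut

    def grtobjaut_public(self, aut, objects=("*ALL",)):
        """GRTOBJAUT OBJ(lib/*ALL) USER(*PUBLIC) AUT(...): fix up objects that already exist."""
        names = list(self.objects) if objects == ("*ALL",) else objects
        for name in names:
            self.objects[name] = aut

def walkthrough():
    """Create before and after a CHGLIB, then repair the early object with GRTOBJAUT."""
    lib = Library("PAYLIB")                     # CRTLIB with the default: follow QCRTAUT
    before = lib.create_object("EMPMAST")       # resolves to "*CHANGE" via QCRTAUT
    lib.chglib("*EXCLUDE")                      # tighten the library default
    after = lib.create_object("PAYHIST")        # the new object gets "*EXCLUDE"
    unchanged = lib.objects["EMPMAST"]          # still "*CHANGE": CHGLIB is not retroactive
    lib.grtobjaut_public("*USE")                # one command changes every object in the library
    return before, after, unchanged, dict(lib.objects)
```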
Slide 13: Database File-Level Security (Continued)
If the object has already been created and you own it, you can add or change explicit authorities if required. From the EDTOBJAUT screen, function key F6 lets you provide explicit authority to other user profiles not currently in the list by taking you to the Add New Users screen.

Slide 14: Database File-Level Security (Continued)
Add New Users: You can enter user-profile names and specify authority levels either by typing an X for each object and data authority you want to provide or by using an authority-class special value such as *CHANGE.

Slide 15: Database File-Level Security (Continued)
At the Edit Object Authority screen, change *PUBLIC’s authority to *EXCLUDE by typing over the current value (*CHANGE) in the Object Authority column; press Enter to save, and you get a screen that shows different authority levels for the four classes: *ALL, *CHANGE, *USE, and *EXCLUDE.

Slide 16: Database File-Level Security (Continued)
Observations about object authorities added and changed: When considering *ALL object authority, be careful about who owns objects in a production environment to avoid possible harm to critical data, programs, etc.

Slide 17: Database File-Level Security (Continued)
All levels of explicit object authority provided to users of an object are still subordinate to that user’s access to the library in which the object exists. (No library access, no object access!) User-profile *ALLOBJ special authority is extremely powerful (and potentially dangerous); in a production environment, it should be granted only to the security officer -- it overrides any explicit or public revocation of authority.

Slide 18: Database File-Level Security (Continued)
To provide proper levels of authority to the library in which other objects reside (short of giving *ALLOBJ special authority), you can:
– Use function key F6 from the Edit Object Authority screen for the library to grant explicit authority to each user
– Use an authorization list or group profile
Slide 19: Authorization Lists
An authorization list is an AS/400 object that identifies a group of users and specifies individual authority levels for each user. Authorization lists are useful when a certain group of users needs authority to several different objects and/or libraries. Different users in the list can have different object- and data-authority levels.

Slide 20: Authorization Lists (Continued)
Instead of having to add individual private authorities for each of the needed objects, you can secure each object with the authorization list. NOTE: Private authorities are any other user-profile names that appear under the User column of the Edit Object Authority screen; the object owner’s authority and *PUBLIC authority aren’t considered private.

Slide 21: Authorization Lists (Continued)
Although different users can be given different levels of authority on an authorization list, an individual’s authority would be the same for all objects secured by that authorization list.

Slide 22: Authorization Lists (Continued)
To create an authorization list, use the CRTAUTL (Create Authorization List) command. The required parameter is the name of the list. You can edit your authorization list using the EDTAUTL (Edit Authorization List) command; that screen is similar to the Edit Object Authority screen and lets you add users (by using F6).

Slide 23: Authorization Lists (Continued)
An authorization list also specifies *PUBLIC authority, which may be set to *EXCLUDE or some other authority level. To use the *PUBLIC authority level assigned through the authorization list and not the *PUBLIC authority granted for an object itself, you need to change the object’s *PUBLIC authority to *AUTL.

Slide 24: Authorization Lists (Continued)
When the authorization list has been created and members added to it, use the EDTOBJAUT command on each object to be secured by the list.
Slide 25: Group Profiles
The third way to provide access to a library and grant object authority to groups of users is through the use of group profiles. A group profile is similar in certain respects to other user profiles. The security administrator creates a group profile and usually gives it a user-profile name and a password of *NONE.

Slide 26: Group Profiles (Continued)
NOTE: Use caution in providing special authorities to a group profile, because members of the group inherit any special authorities in addition to their own individual authorities. Once the group profile is created, individual users can be assigned to it by changing the Group profile parameter of each group member’s user profile.

Slide 27: Group Profiles (Continued)
Users with similar system needs can be assigned to the same group profile, and there can be as many different group profiles as there are groups of users with distinct needs. The group profile can be given explicit private authority to objects and libraries. A group profile can be granted different levels of authority for different objects. All members of the group are implicitly granted the same level of authority to a given object as the group profile specifies.

Slide 28: Group Profiles (Continued)
The system uses a hierarchy of authorization checking when accessing objects on the AS/400. At the top is a user with *ALLOBJ special authority, which overrides any attempted restriction through authorization lists, group profiles, or explicit private object authority.

Slide 29: Group Profiles (Continued)
If the user profile does not have *ALLOBJ special authority, the system next checks to see whether explicit private object authority exists. If the user’s name is in the list of private authorities shown by the EDTOBJAUT command, the user will have whatever level of authority is specified there.

Slide 30: Group Profiles (Continued)
Explicit private object authority takes precedence over both authorization lists and group profiles -- whether the explicit authority limits or extends the authority specified by the authorization list or group profile.

Slide 31: Group Profiles (Continued)
If no explicit authorization has been specified for a user, the system checks the authorization list (if there is one) securing the object, and if the user is found on the object’s authorization list, the authority level granted there applies.

Slide 32: Group Profiles (Continued)
If the requesting user is not on the authorization list for the object (or if the object is not secured by an authorization list), the system checks to see whether the user is part of a group profile given specific authority to the object. If the user is a member of such a group, the authority granted to the group applies to the user.

Slide 33: Group Profiles (Continued)
If none of the other cases has been true, the user receives the *PUBLIC authority (or lack of it) granted for that object. In a nutshell, the hierarchy is:
– *ALLOBJ user-profile special authority
– User-name explicit object authority
– Authorization-list member
– Group-profile member
– *PUBLIC authority

Slide 34: Group Profiles (Continued)
Group profiles, unlike authorization lists, do not permit the granting of variable levels of authority to different group members, but exceptions to the group-granted authority level can be handled by specifying private object authority for individual group members when necessary. Such individual user authorization always overrides the group authority.
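The checking order on slides 28 through 34, together with the library gate from slide 17 and the *AUTL public value from slide 23, as an added Python model that is not the book's or IBM's code. Authority is reduced to the four class values ranked *EXCLUDE < *USE < *CHANGE < *ALL, library access is modelled as needing *USE to the library, the owner appears in the private list with *ALL, and every profile, library and list name is constructed.

```python
from collections import namedtuple

RANK = {"*EXCLUDE": 0, "*USE": 1, "*CHANGE": 2, "*ALL": 3}  # authority classes, weakest to strongest

# An authorization list holds a per-user level and its own *PUBLIC level.
AuthList = namedtuple("AuthList", "users public", defaults=("*EXCLUDE",))
# A library, or an object in one. private: user/group profile -> class (the owner is listed with *ALL).
# public "*AUTL" means: take *PUBLIC from the securing list. library is None for a library itself.
Obj = namedtuple("Obj", "public private autl library", defaults=(None, None))
User = namedtuple("User", "name allobj group", defaults=(False, None))  # allobj = *ALLOBJ special authority

def authority(user, obj):
    """Walk the hierarchy from the slides and return the authority class that applies."""
    if user.allobj:                                # 1. *ALLOBJ overrides every restriction
        return "*ALL"
    if user.name in obj.private:                   # 2. explicit private authority, limiting or extending
        return obj.private[user.name]
    if obj.autl and user.name in obj.autl.users:   # 3. authorization-list member
        return obj.autl.users[user.name]
    if user.group in obj.private:                  # 4. member of a group profile holding private authority
        return obj.private[user.group]
    if obj.public == "*AUTL":                      # 5. *PUBLIC, possibly deferred to the list's *PUBLIC
        return obj.autl.public if obj.autl else "*EXCLUDE"
    return obj.public

def can_access(user, obj, needed):
    """No library access, no object access: this model demands *USE to the library first."""
    if obj.library and RANK[authority(user, obj.library)] < RANK["*USE"]:
        return False
    return RANK[authority(user, obj)] >= RANK[needed]

# Constructed scenario: a payroll library and a master file secured by an authorization list.
PAYLIST = AuthList(users={"ANN": "*CHANGE", "BOB": "*USE", "ERIN": "*CHANGE"})
PAYLIB = Obj(public="*EXCLUDE", private={"PAYOWN": "*ALL", "ANN": "*USE", "BOB": "*USE", "DAVE": "*USE", "PAYGRP": "*USE"})
EMPMAST = Obj(public="*AUTL", autl=PAYLIST, library=PAYLIB,
              private={"PAYOWN": "*ALL", "BOB": "*EXCLUDE", "PAYGRP": "*CHANGE"})

def outcomes():
    return {
        "secofr_update": can_access(User("QSECOFR", allobj=True), EMPMAST, "*CHANGE"),  # True: *ALLOBJ
        "ann_update": can_access(User("ANN"), EMPMAST, "*CHANGE"),                   # True: from the list
        "bob_read": can_access(User("BOB"), EMPMAST, "*USE"),                        # False: private *EXCLUDE beats the list
        "carl_update": can_access(User("CARL", group="PAYGRP"), EMPMAST, "*CHANGE"), # True: group profile's authority
        "erin_update": can_access(User("ERIN"), EMPMAST, "*CHANGE"),                 # False: on the list, but no library access
        "dave_read": can_access(User("DAVE"), EMPMAST, "*USE"),                      # False: falls through to the list's *PUBLIC
    }
```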
Slide 35: Group Profiles (Continued)
An object can have several different groups, with different levels of authority, among its explicitly authorized users. If one group will be the only profile needing special authority beyond *PUBLIC (and the owner), make that group the primary group of the object. Each object can have one primary group associated with it.