Chapter 11

1. Security and Security System Values

2. Security: Two Broad Areas
* Physical security.
* Data security.

3. Data Security: Three Broad Areas
* System level.
* User profiles.
* Object.

4. System Security Level
* QSECURITY:
  * Security Level 20 (SL20):
    * User ID and password required.
    * Full access.
  * Security Level 30 (SL30):
    * Complete system security.
    * Valid user ID and password required.
    * Access to objects by authority.
    * Most common.

5. System Security Level (continued)
  * Security Level 40 (SL40):
    * Level 30 plus:
    * Prevents applications from using "unauthorized" low-level programming techniques.
  * Security Level 50 (SL50):
    * "C2" - Department of Defense.
    * Access only where it has been explicitly given.
    * Programs end abnormally if they access low-level functions.
    * Programs end abnormally if they access AS/400 APIs or functions.

6. User Profiles
* All user profiles reside in the system library, QSYS.

7. User Profile Defines
* Basic security information.
* Special authorities granted.
* Job processing information:
  * Job queue.
  * Output queue.
  * Initial program or menu to call.
  * Current library.

8. Components of a User Profile (table omitted)

9. IBM Default User Profiles
* Security Officer:
  * QSECOFR.
  * Unlimited access to objects.
* System Administrator:
  * No profile provided.
  * Creating and maintaining user profiles.

10. IBM Default User Profiles (continued)
* System Operator:
  * QSYSOPR.
  * Control jobs, print files.
  * Backup and restore functions.
* Programmers:
  * QPGMR.
  * Broad access to development libraries.
* Users:
  * QUSER.
  * End user.

11. Special Service User Profiles
* QSRV
  * Services (all functions).
  * This is the profile that the person who services the AS/400 will use.
* QSRVBAS
  * Services (limited functions).
  * This is the profile that the person who services the AS/400 will use.

12. Additional IBM-supplied User Profiles
* Not to be used by users.
* Used internally to do special functions.
* QAUTPROF - IBM general authority profile.
* QBRMS - Backup Recovery Media (BRM) profile.
* QDBSHR - Database share profile.

13. Additional IBM-supplied User Profiles (continued)
* QDFTOWN - Default owner. All objects on the AS/400 must be owned by a legitimate user. If a user profile is no longer valid, ownership of its objects is changed to QDFTOWN.
* QDOC - Document profile.
* QDSNX - Distributed system node executive.

14. Additional IBM-supplied User Profiles (continued)
* QFNC - Finance profile.
* QGATE - User profile to bridge into PROFS (VM/MVS on mainframes).
* QLPAUTO - Licensed program auto-installation user.
* QLPINSTALL - Licensed program installation user.

15. Additional IBM-supplied User Profiles (continued)
* QMSF - Mail server framework profile.
* QNETSPLF - Network spooling profile.
* QNFSANON - NFS user profile.
* QSNADS - SNADS user.
* QSPL - Spooling user.
* QSPLJOB - Spooling readers/writers job user profile.

16. Additional IBM-supplied User Profiles (continued)
* QSYS - Internal system user.
* QTCP - TCP/IP user.

17. Special Authorities
* Special authorities are user-based. Here is what they do:
  - *ALLOBJ:
    * Can do anything to any object.
    * Reserved for SECOFR.
    * Overrides all private/public authorities.
  - *AUDIT:
    * Control auditing.
  - *IOSYSCFG:
    * Change system configuration issues.

18. Special Authorities (continued)
  - *JOBCTL:
    * Manage jobs running on the system.
    * Given to system operators.
  - *SAVSYS:
    * Perform backup/restore.
    * Given to system operators.

19. Special Authorities (continued)
  - *SECADM:
    * Create and alter user profiles.
    * *SECADM allows a user to:
      * Create, change, and delete user profiles.
      * Add users to distribution lists.
      * Work with access to documents/folders.
      * Control access to the system.
      * Change security-related system values and network attributes.

20. Special Authorities (continued)
  - *SERVICE:
    * Service and dump functions.
    * Run service functions like System Service Tools (SST).
  - *SPLCTL:
    * Manage output queues.
    * Can browse only output queues that are not restricted.

21. User Class
* The user class's default special authorities control menu options.
  - *SECOFR
  - *SECADM
  - *PGMR
  - *SYSOPR
  - *USER

22. Class Special Authorities (table omitted)

23. Class Special Authorities (table omitted)

24. Object Security (Authorities)
* Users are named on an object in several forms:
  * Ownership.
  * Named users & specific authorities.
  * Authorization lists.
  * Public authority.

25. Ownership - Single and Group
* Four categories:
  * Person who created the object.
  * Previous owners' authorities.
  * Group user profile of the creator.
  * User the ownership was transferred to.

26. Object Management Authorities (table omitted)

27. Data Authorities (table omitted)

28. Four Pre-defined Specific Authorities (table omitted)

29. System Authorities (table omitted)

30. Adopted Authority
* Authority can be adopted in one of two ways:
  * On program creation, by specifying it on the USRPRF parameter.
  * After the program has been created, with the Change Program (CHGPGM) command:
    CHGPGM + USEADPAUT(*YES)

31. System Values and System Security
* QAUDLVL - Keeping a security audit.
* QAUTOVRT - Auto configuration of virtual devices.
* QDSPSGNINF - Sign-on display information control.
* QINACTITV - Inactive job time-out interval.

32. System Values and System Security (continued)
* QINACTMSGQ - Inactive job message queue.
* QLMTDEVSSN - Limit device sessions.
* QLMTSECOFR - Limit security officer device access.
* QMAXSIGN - Maximum sign-on attempts.

33. System Values and System Security (continued)
* QMAXSGNACN - Maximum sign-on failed action.
* QPWDEXPITV - Password expiration interval.
* QPWDLMAJC - Limit adjacent characters in password.

34. System Values and System Security (continued)
* QPWDLMREP - Limit repeated characters in password.
* QPWDLMTCHR - Invalid password characters.
* QPWDMAXLEN - Maximum password length.

35. System Values and System Security (continued)
* QPWDMINLEN - Minimum password length.
* QPWDPOSDIF - Force all new password characters to be different.
* QPWDRQDDGT - Force the use of at least one number in a password.

36. System Values and System Security (continued)
* QPWDRQDDIF - Expired password must be changed.
* QPWDVLDPGM - User program to validate passwords.
* QRETSVRSEC - Retain server security data.
* QSECURITY - Security level.
* QUSEADPAUT - Use adopted authority.

37. Security Menu (table omitted)

38. Changing Default User IDs' Passwords (table omitted)

39. User-profile Commands
* CRTUSRPRF - Create user profile.
* CHGUSRPRF - Change user profile.
* DLTUSRPRF - Delete user profile.
* DSPUSRPRF - Display user profile.
* RSTUSRPRF - Restore user profile.
* RTVUSRPRF - Retrieve user profile information (CL programs only).

40. Create User Profile Screen 1

41. Create User Profile Screen 2 (table omitted)

42. Create User Profile Screen 3 (table omitted)

43. Create User Profile Screen 4 (table omitted)

44. Object Security Screen 1 (table omitted)

45. Object Security Screen 2 (table omitted)

46. Object Security Screen 3 (table omitted)

47. Edit Object Authority (table omitted)

48. OPRLIB Object Authorities (table omitted)

49. OPRLIB Object Authorities (table omitted)

50. OPRLIB Object Authorities (table omitted)

51. Sample Authorization List (table omitted)

52. Authorization List Objects (table omitted)

53. Object Authority (table omitted)
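The password system values listed on slides 33 to 36 (QPWDMINLEN through QPWDVLDPGM) are easiest to understand as a list of checks applied to a candidate password, which is also what a QPWDVLDPGM validation program sees: the old password, the new password, and a verdict. The Python below models those checks. It is an added example written for this outline, not IBM code and not a real QPWDVLDPGM exit program (on the system that would be a CL or RPG program); the policy values and sample passwords are constructed, and the readings of QPWDLMAJC (no two adjacent digits), QPWDLMREP (0 = no limit, 1 = no character twice, 2 = no character twice in a row) and QPWDPOSDIF (each position must differ from the same position of the previous password) are assumptions stated in the code. QPWDEXPITV and QPWDRQDDIF concern when a password must be changed rather than its content and are not modelled.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class PasswordPolicy:
    """One field per password system value from the slides.
    The default values are a constructed policy for the demo, not IBM defaults."""
    qpwdminlen: int = 6            # minimum length
    qpwdmaxlen: int = 10           # maximum length
    qpwdrqddgt: int = 1            # 1 = at least one digit required
    qpwdlmajc: int = 1             # 1 = no two digits next to each other (assumed reading)
    qpwdlmrep: int = 2             # 0 = no limit, 1 = no character twice, 2 = no character twice in a row
    qpwdlmtchr: str = "AEIOU@#$"   # characters that may not appear anywhere (constructed set)
    qpwdposdif: int = 1            # 1 = every position must differ from the previous password


DEFAULT_POLICY = PasswordPolicy()


def check_password(new_pwd: str, policy: PasswordPolicy,
                   old_pwd: Optional[str] = None) -> List[str]:
    """Return the names of every system value the candidate violates.
    An empty list means the password would be accepted under this policy.
    Passwords of this era are not case sensitive, so everything is compared in upper case."""
    pwd = new_pwd.upper()
    failures: List[str] = []

    if len(pwd) < policy.qpwdminlen:
        failures.append("QPWDMINLEN")
    if len(pwd) > policy.qpwdmaxlen:
        failures.append("QPWDMAXLEN")

    # QPWDRQDDGT: force the use of at least one number.
    if policy.qpwdrqddgt and not any(c.isdigit() for c in pwd):
        failures.append("QPWDRQDDGT")

    # QPWDLMAJC: assumed reading - no two numeric characters side by side.
    pairs = list(zip(pwd, pwd[1:]))
    if policy.qpwdlmajc and any(a.isdigit() and b.isdigit() for a, b in pairs):
        failures.append("QPWDLMAJC")

    # QPWDLMREP: 1 forbids any repeat, 2 forbids only consecutive repeats.
    if policy.qpwdlmrep == 1 and len(set(pwd)) != len(pwd):
        failures.append("QPWDLMREP")
    elif policy.qpwdlmrep == 2 and any(a == b for a, b in pairs):
        failures.append("QPWDLMREP")

    # QPWDLMTCHR: none of the listed characters may appear.
    banned = policy.qpwdlmtchr.upper()
    if any(c in banned for c in pwd):
        failures.append("QPWDLMTCHR")

    # QPWDPOSDIF: assumed reading - compare each position with the previous password.
    if policy.qpwdposdif and old_pwd is not None:
        if any(a == b for a, b in zip(pwd, old_pwd.upper())):
            failures.append("QPWDPOSDIF")

    return failures


if __name__ == "__main__":
    # Constructed candidates; each one exercises a different system value.
    samples = [
        ("BLT7XQ", None),
        ("PASSWORD1", None),
        ("BLT77XQ", None),
        ("BLT7XQ", "BLT9XQ"),
        ("XYZ", None),
        ("BLT7XQ9WRKT", None),
    ]
    for candidate, previous in samples:
        verdict = check_password(candidate, DEFAULT_POLICY, previous)
        print(f"{candidate:<12} {'accepted' if not verdict else 'rejected: ' + ', '.join(verdict)}")
```

Relaxing a value is just a different `PasswordPolicy`: with `qpwdlmrep=0` and an empty `qpwdlmtchr`, `PASSWORD1` passes, which is a concrete way to see how much of the protection comes from QPWDLMREP and QPWDLMTCHR rather than from length alone.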