Readers often ask me questions regarding a situation in their shop. One of the most frequent questions I hear is "How do I keep a specific user from accessing certain data files on my system?"
The answer depends a many variables. First of all, if the user you want to block has been set up with all object authority at the user profile level (SPCAUT containing the *ALLOBJ setting), then there is really nothing you can do at the operating system level to block access. This is a frequent song that I sing, but there should be precious few user profiles on your system with this level of access. And, you should have some pretty good business reasons for granting it to those profiles where this level is supported.
Assuming that this is not an issue, then the easiest way to block access to a specific file is to edit the authority for that object using the Edit Object Authority (EDTOBJAUT) command. Add an entry for the user profile you want to block and set it to *EXCLUDE. If you want to block everyone except certain users, then set the *PUBLIC access to the object to *EXCLUDE and specifically authorize the profiles where access needs to be granted.
If your object is secured by an authorization list, then you should to make these changes to the associated authorization list. The list in force is shown when you edit the object authority. Having your object authority controlled by an authorization list is a good idea as it lets you make security changes at any time, not just when the object is not in use. Also, you can secure multiple objects with the same authorization list thereby simplifying your security administration task.
If you decide that you want to block access to all the files in a given library, then you can edit the object authority for the library. Adding *EXCLUDE access authority at the library level will extend to all objects within the library. Remember, this will extend to all objects in the library, not just data file objects. This could be a concern for you depending on how your applications are implemented.
You can also exclude users from accessing objects that are stored in the Integrated File System (IFS). In the IFS, you can specify *EXCLUDE authority for any object for a given user profile. From the command line, you can work with IFS security from the WRKLNK command. From iSeries Access, the security functions are also available and may be easier to work with for you.
Lastly, if you have a entire group of people where you want to block access, consider placing them all into a group on your system. If you are already using group profiles and your blocking scheme does not match up with your current group implementation, then you can set up the users to be blocked in a supplemental group. OS/400 and i5/OS provide for up to 14 supplemental groups for each user profile on the system giving you a lot of flexibility. Remember, doing things at the group level reduces your security administration overhead.
---------------------------
About the author: Rich Loeber is president of Kisco Information Systems Inc. in Saranac Lake, N.Y. The company is a provider of various security products for the iSeries market.
