Home > AS/400 Tips > iSeries security tips > iSeries security and performance issues

	iSeries 400 Tips:	EMAIL THIS

	TIPS & NEWSLETTERS TOPICS

	ISERIES SECURITY TIPS iSeries security and performance issues Rich Loeber 02.20.2006 Rating: -4.33- (out of 5) iSeries news and advice Digg This!     StumbleUpon     Del.icio.us    [TABLE]Normally, you would not think of system performance in terms of a security issue. But, if someone with the right know-how is abusing privileges on your system, then it becomes a security issue. This tip will help you to identify some performance issues that fall into that category. A performance issue that has security implications can happen when someone with the right user profile authorities abuses those and uses up excessive system resource in their own interest. That can happen, for example, when programmers boost the execution priority for their jobs at the expense of interactive processing. It can also happen when someone runs a batch job interactively, thereby bringing other interactive users to a crawl. When this occurs, it is clearly a security issue as the user(s) in question are abusing their system privileges. [TABLE]			[IMAGE]

Controlling the execution priority of a job is a function of the Job Priority. This is set by the Job Description that is used for the job. It can also be changed on the fly by someone with *JOBCTL special authority associated with their user profile. If you see that happening, you might want to remove *JOBCTL from their user profile. Also, restricting access to the CHGJOB command can help.

To restrict access to the CHGJOB command, run the following command on your system:

GRTOBJAUT OBJ(CHGJOB) OBJTYPE(*CMD) USER(*PUBLIC) AUT(*EXCLUDE)

That will change

Digg This!     StumbleUpon     Del.icio.us

RELATED CONTENT iSeries security tips Checking in on your IBM i authorization lists PCI data security standards and the System i Securing the integrated file system on IBM System i Contextual security on IBM i: Limit user profile access Time for a security checkup for your i Security monitoring on IBM i: Watching your super users Tracking System i program object changes Recovering your AS/400 security configuration System values on i: Setting them up and locking i down A guide to System i security, Part 3: Digging in to the System i security environment iSeries security planning Rescinding access rights Using System i security consultant services Unsecured devices worry IT professionals System i5 Solutions For Business Resiliency Top 10 System i security Q&As i5 network intrusion: An allegory Profile without ALLOBJ authority to view joblog Security implemented via default settings Granting user B the same private authorities as user A Using the Print user profile command

RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary

the command so only authorized user profiles can use it. To add a user profile to those allowed access to this command, use the following command:

GRTOBJAUT OBJ(CHGJOB) OBJTYPE(*CMD) USER(MYUSRPRF) AUT(*USE)

That allows the profile MYUSRPRF to use that command while excluding all others. Of course, any user profile with All Object Authority (*ALLOBJ) will still have access, so that wrinkle also has to be allowed for.

Limiting access to command objects on your system is a good way to control who can do what. Another command that you should consider for similar treatment is the Change Shared Storage Pool (CHGSHRPOOL) command. That command can be used to control performance characteristics for jobs running on your system through the allocation of memory resources and processing time slices.

If you still have problems with performance issues preventing production from getting done efficiently, there may be a problem of users running batch jobs interactively. If your applications are running from OS/400 commands, you can change the commands so that they will not function when called in an interactive environment. You can do this using the Change Command (CHGCMD) command, setting the ALLOW parameter to remove the *INTERACT, *IPGM and *REXX options.

If you have specific questions about this topic, e-mail me at rich@kisco.com. All e-mail messages will be answered.

---------------------------
About the author: Rich Loeber is president of Kisco Information Systems Inc. in Saranac Lake, N.Y. The company is a provider of various security products for the iSeries market.

Rate this Tip To rate tips, you must be a member of Search400.com. Register now to start rating these tips. Log in if you are already a member. Submit a Tip DISCLAIMER: Our Tips Exchange is a forum for you to share technical advice and expertise with your peers and to learn from other enterprise IT professionals. TechTarget provides the infrastructure to facilitate this sharing of information. However, we cannot guarantee the accuracy or validity of the material submitted. You agree that your use of the Ask The Expert services and your reliance on any questions, answers, information or other materials received through this Web site is at your own risk.