Manage

Guidelines for preventing access to commands and duplication of objects

On AS/400, ensuring that a piece of data's object-level security has been set properly should be your first line of defense. Appendix C and D in the IBM i security reference manual provide IBM's recommendations for which commands should be set to Public Exclude, as well as CL commands and the authorities required to run them.

Carol Woodbury, SkyView Partners

Published: 15 Dec 2008

Multi part question:

1. What are the recommendations for commands that should be *Public *Exclude?

2. The current example is the command CRTDUPOBJ which is *Public *Use but few users have command line authority to run the command. For those who do have command line, are there other authorities required to create a duplicate object?

In Appendix C of the System i Security Reference manual (PDF) you'll see a list of the commands that IBM ships with *PUBLIC authority set to *EXCLUDE. This is a good place to start. Then in Appendix D in the same manual, you'll see all of the CL commands listed along with the authority required to run them. Ensuring that the data's object level security has been set properly should be your first line of defense (rather than focusing on securing commands). For example, if users don't have authority to the file, they won't be able to duplicate it.

Dig Deeper on iSeries system and application security

Mastering the Linux history command Learning how to take advantage of the Linux history command, as well as the Bash variant, can save Linux admins a lot of time. Discover how the command works, including shortcuts, searching and settings.

Establishing iSCSI connections in Hyper-V Establishing iSCSI connections in Hyper-V can be difficult without the iscsicli.exe command line tool. An expert outlines the method and the additional commands you need.

How to make iSCSI connections in Hyper-V Learn the tools and commands you need to make iSCSI connections in Hyper-V - without the iscsicli.exe command line tool.

AS/400 system user class settings versus CL command authorities An AS/400 user class setting is not necessarily the setting that allows a user to run a command on the system. CL command authorities are separate settings that need to be understood.

Check for invalid log-on attempts Is there a command I could use to check for invalid log-on attempts. I know I could use DSPLOG for MSGID CPF1393, but is there a way of passing info such as user, device and subsystem to an outfile to query later on?

How to define iSeries commands -- Part IV Ron Turull finishes up his series on how to define iSeries commands by looking at key concepts related to command parameters and how to compile command definition source code to create the command.

Have a question for an expert?

Please add a title for your question

Get answers from a TechTarget expert on whatever's puzzling you.

Meet all of our AS/400 experts

View all AS/400 questions and answers

Guidelines for preventing access to commands and duplication of objects

Dig Deeper on iSeries system and application security

Related Q&A from Carol Woodbury

Changing password security levels and upgrading operating systems on the IBM i

Provide authorization in order for a user to start a subsystem within startup routine

Define journal code value "K"

Have a question for an expert?

Start the conversation

0 comments

Please create a username to comment.

-ADS BY GOOGLE

SearchDataCenter

Refresh your data center cooling lexicon

Comparing Linux distributions: Red Hat vs. Ubuntu

Get eco-friendly with LEED data center certification

Dig Deeper on iSeries system and application security

Related Q&A from Carol Woodbury

Have a question for an expert?

Start the conversation

0 comments

Register

Login

Forgot your password?

Your password has been sent to:

Please create a username to comment.