
Prevent insiders with *READ or *USE access from circumventing object authority on IBM i

Users with *READ or *USE access can only circumvent the object authority if they have *ALLOBJ special authority, or find a way to gain more authority.

I have a situation where the program and data libraries in production have been secured by an authorization list. The application developer community has *READ or *USE access to program libraries and data via this authorization list.

However, the command line is not restricted to these individuals. Is there any risk here? Is it possible for a creative or smart individual to circumvent object authority and update production data or programs?

You cannot circumvent object authority. Regardless of the interface used to access an object (in this case data in a file), object authority is always in effect -- it is checked by SLIC (System Licensed Internal Code).

The only way users would be able to circumvent the object authority is if they have *ALLOBJ special authority or if they are able to gain more authority than they currently have. For example, a user would be able to gain more authority by calling a program that adopts a powerful user such as QSECOFR and puts up a command line, or if they had *USE authority to a powerful profile and could swap to it. Default authority to user profiles is *PUBLIC *EXCLUDE, so this would have had to be a conscious choice to open up access to the profile.

In addition, you have to have *ALLOBJ authority yourself to be able to create a program that adopts QSECOFR or some other *ALLOBJ profile.
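The answer above lists the only routes by which a *READ/*USE user could end up with more authority: direct *ALLOBJ, a program that adopts a powerful owner, or *USE authority to a powerful profile. The CL commands below check each of those routes and are an added example, not part of the expert's answer. The profile name DEVUSER1 and the authorization list name PRODAUTL are assumed placeholders; the commands themselves (DSPUSRPRF, DSPOBJAUT, DSPPGMADP, PRTADPOBJ, DSPAUTL, GRTOBJAUT) are standard IBM i commands.

```cl
/* Added example, not from the original answer.                          */
/* Assumed names: developer profile DEVUSER1, authorization list PRODAUTL.*/

/* 1. Route one: does the developer (or a group profile it belongs to)   */
/*    hold *ALLOBJ? Check SPCAUT, GRPPRF and SUPGRPPRF in the output.    */
DSPUSRPRF  USRPRF(DEVUSER1) TYPE(*BASIC)

/* 2. Route two: which programs adopt QSECOFR (or any other *ALLOBJ      */
/*    owner)? A developer who can CALL one of these and reach a command  */
/*    line runs with the owner's authority, not their own.               */
DSPPGMADP  USRPRF(QSECOFR) OUTPUT(*PRINT)
PRTADPOBJ  USRPRF(QSECOFR)

/* 3. Route three: who has *USE (or more) to the powerful profile?        */
/*    The shipped default is *PUBLIC *EXCLUDE; anything else was granted  */
/*    deliberately and lets the holder swap to that profile.             */
DSPOBJAUT  OBJ(QSYS/QSECOFR) OBJTYPE(*USRPRF)

/* 4. Confirm what the production authorization list actually grants,    */
/*    so *READ/*USE is really all the developer community has.           */
DSPAUTL    AUTL(PRODAUTL)

/* 5. Remediation if step 3 shows the profile was opened up: put public  */
/*    authority back to the default.                                     */
GRTOBJAUT  OBJ(QSYS/QSECOFR) OBJTYPE(*USRPRF) USER(*PUBLIC) AUT(*EXCLUDE)
```

Run steps 2 and 3 for every profile that carries *ALLOBJ, not only QSECOFR, since a program adopting any *ALLOBJ owner, or *USE authority to any such profile, gives the same result. Repeating the review after each deployment catches newly created adopting programs, which, as the answer notes, can only have been created by someone who already held *ALLOBJ.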
