I am trying to secure several third-party libraries so only certain user profiles can access them. The owner is QSECOFR and *PUBLIC is set to *EXCLUDE. I have a validation list set for these libraries with the user profiles needing access. When I sign on as a user who is not in the access list and is *USER, I can still do a runqry to access the files in these libraries. When I check the object authority for the library using that profile, it lists *ADOPT *ALL. What am I missing? Does the runqry command use adopted authority? I still want certain users to be able to use runqry, just not with these libraries.
Because you see *ADOPT *ALL when you do a DSPOBJAUT (Display Object Authority), that means that some program adopts and is still in the call stack. I'm going to guess it's the user's initial program or one (or more) of the application programs. To determine which program, add *PGMADP to the QAUDLVL system value and try doing the RUNQRY. There should be an audit entry generated that will tell you which program's adopted authority was used to access the libraries.
================================== MORE INFORMATION ON THIS TOPIC ==================================
The Best Web Links: tips, tutorials and more.
Search400's targeted search engine: Get relevant information on security.
Ask your systems management questions--or help out your peers by answering them--in our live discussion forums.
Check out this Search400.com Featured Topic: Top ten security tips
Dig Deeper on iSeries system and application security
Related Q&A from Carol Woodbury
Before changing password levels and upgrading operating systems on the AS/400, ensure the clients connecting to the NetServer do not need the old ... Continue Reading
Look in the audit journal (QAUDJRN) on the AS/400 for an authority failure message with the name of the library as the object name. Use the ... Continue Reading
On AS/400, the journal type AF subtype K, shows that a user profile lacks the special authority required by the function attempting to run. Continue Reading
Have a question for an expert?
Please add a title for your question
Get answers from a TechTarget expert on whatever's puzzling you.