We recently upgraded an application package on our iSeries that requires significantly more authority to stop and start the subsystem and jobs than it previously required. Currently only QSECOFR can stop and start the processes. How can I allow my programming team to be able to stop and start the processes without creating security holes? Previously the processes ran under a specific user profile that was invoked by a CLP whenever the startup program was called. We had to add special authorities to that profile and now no one can start the software except QSECOFR. I tried granting my user profile *USE authority to the common user profile that runs the software and that did not work. Any ideas before I call the software vendor?
First of all, I encourage you to contact the vendor regardless of whether this tip helps you or not. Unless all of us let vendors know that their security implementation is unacceptable, they are going to continue to foist these problems upon us. Until you can get an acceptable scheme from the vendor, you might try creating a program that is owned by a profile with sufficient authority to stop/start the processes. Have the program adopt that authority (set the program's user profile parameter to USRPRF(*OWNER)). Then the sole purpose of this program is to start/stop the processes. You could have two different programs, one for each process, if you need different people to perform the start from those who perform the stop.
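The following is an added worked example of the adopted-authority wrapper described in the answer; it is not code from the expert or from any vendor package. The library APPLIB, subsystem APPSBS, owning profile APPOWNER, group profile PGMRGRP and program name STRSTPAPP are placeholders. The first part is the CL source for the wrapper, which does nothing except start or stop the subsystem; the second part is the sequence of commands that creates it with USRPRF(*OWNER), hands ownership to the privileged profile, and restricts who may call it. The message IDs monitored (CPF1010, subsystem already active; CPF1054, subsystem not active) are the standard OS/400 messages for those conditions.

```cl
/* STRSTPAPP - adopts APPOWNER's authority, including its special  */
/* authorities such as *JOBCTL, for the single purpose of starting  */
/* or stopping the application subsystem. Keep the body minimal:    */
/* every command here runs with the owner's authority.              */
             PGM        PARM(&ACTION)
             DCL        VAR(&ACTION) TYPE(*CHAR) LEN(10)

             IF         COND(&ACTION *EQ 'START') THEN(DO)
                STRSBS     SBSD(APPLIB/APPSBS)
                /* CPF1010: subsystem already active - not an error here */
                MONMSG     MSGID(CPF1010) EXEC(DO)
                   SNDPGMMSG  MSG('APPSBS is already active') MSGTYPE(*COMP)
                   RETURN
                ENDDO
                SNDPGMMSG  MSG('APPSBS started') MSGTYPE(*COMP)
             ENDDO

             ELSE       CMD(IF COND(&ACTION *EQ 'STOP') THEN(DO)
                /* Controlled end with a 60 second delay before *IMMED */
                ENDSBS     SBS(APPSBS) OPTION(*CNTRLD) DELAY(60)
                /* CPF1054: subsystem not active - not an error here */
                MONMSG     MSGID(CPF1054) EXEC(DO)
                   SNDPGMMSG  MSG('APPSBS is not active') MSGTYPE(*COMP)
                   RETURN
                ENDDO
                SNDPGMMSG  MSG('APPSBS end requested') MSGTYPE(*COMP)
             ENDDO)

             /* Anything other than START or STOP is rejected; never    */
             /* pass user input on to a command while adopting.        */
             ELSE       CMD(SNDPGMMSG MSGID(CPF9898) MSGF(QCPFMSG) +
                           MSGDTA('STRSTPAPP: use START or STOP') +
                           MSGTYPE(*ESCAPE))
             ENDPGM

/* ---- Build and secure the program (run once, from a profile with  */
/* ---- authority to the library and to APPOWNER).                   */

/* USRPRF(*OWNER): run with the owner's authority, not the caller's. */
/* USEADPAUT(*NO): do not inherit adopted authority from callers.    */
CRTCLPGM   PGM(APPLIB/STRSTPAPP) SRCFILE(APPLIB/QCLSRC) +
           SRCMBR(STRSTPAPP) USRPRF(*OWNER) USEADPAUT(*NO)

/* Make the privileged profile the owner and drop the creator's      */
/* residual authority to the object.                                 */
CHGOBJOWN  OBJ(APPLIB/STRSTPAPP) OBJTYPE(*PGM) NEWOWN(APPOWNER) +
           CUROWNAUT(*REVOKE)

/* Nobody by default; only the programmers' group may call it.       */
GRTOBJAUT  OBJ(APPLIB/STRSTPAPP) OBJTYPE(*PGM) USER(*PUBLIC) AUT(*EXCLUDE)
GRTOBJAUT  OBJ(APPLIB/STRSTPAPP) OBJTYPE(*PGM) USER(PGMRGRP) AUT(*USE)

/* A programmer then starts or stops the application with:           */
/* CALL PGM(APPLIB/STRSTPAPP) PARM('START')                          */
/* CALL PGM(APPLIB/STRSTPAPP) PARM('STOP')                           */
```

Two checks are worth making after this is in place. DSPPGMADP USRPRF(APPOWNER) lists every program that adopts that profile's authority, so you can confirm the wrapper is the only one. And because adopted authority stays in effect for programs the wrapper calls, the wrapper should only ever invoke commands and programs whose parameters it controls; if the vendor's own startup CL has to be called from inside it, review that CL first, since it will now run with APPOWNER's special authorities for anyone in PGMRGRP.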
Related Q&A from Carol Woodbury