Manage Learn to apply best practices and optimize your operations.

Checking IFS security

How to check the security configurations of non-native file systems in OS/400.

For years, OS/400 has provided robust security for its native file system. For some of us who've been around for...

a while, this has been all we've known on our systems. These days, more and more applications and users are working with the other non-native file systems that are collectively known as the Integrated File System (IFS). OS/400 provides the same level of security in the IFS, but the commands to review items in the IFS and a lot of the terminology is different from what the "natives" may expect to see.

This article scratches the surface of this issue by explaining how you can view the IFS directories and files from your OS/400 command line, as well as how you can interpret the security settings used in the IFS.

The main command you need to start with is the Work with Object Links (WRKLNK) command. These "links" can take several different types, the most common of which are Directories (DIR) or Stream Files (SMTF). If you thought about this from a PC perspective, these would correspond to disk directories and files.

More Information

If you use the WRKLNK command with no parameters, a complete list of all of the top level directories in the IFS will be displayed. This display lets you explore the entire IFS on your system, including the "native" file system that is included under the QSYS.LIB file system. If you want to go directly to a specific directory, you can do so with a qualified OBJ selection parameter. Example:

    WRKLNK OBJ('/qdls/kisco')

On our test system, we have a directory in the shared-folders file system, KISCO. The shared folders system is found in the QDLS file directory. Running the above command gets us straight to this folder -- without having to spend time searching.

To check on the security setting for a displayed object, simply put a '9' next to that object. This brings up a Work With Authority display, and it gives you all of the security information about the object selected. This includes the owner, any applicable authorization list, any public authorization settings, and a list of user profiles that are authorized to the object.

Data authority in the IFS is described by a series of letter codes which, in combination, describes the authorities in place. The applicable access letter codes are as follows:

  • R -- Gives access to object attributes (think READ)
  • W -- Gives access to the object for change (think WRITE)
  • X -- Allows the object to be used (think USE)

You'll see these codes in combination or singly (preceded by the ever present *), depending on the authorities implemented. For example, if full authority is being granted, you will see the *RWX authority setting displayed. Specific object authorities are also displayed on this screen. You can use this screen to make changes and to check on the specifics for any object shown by placing a '2' next to the line in question and making updates.

If you've never (or rarely) considered what's going on in the IFS on your system, now is the time to get started and the WRKLNK command gives you a very good starting point.

If you have any questions about this topic, you can reach me at, I'll give it my best shot. All e-mail messages will be answered.

About the author: Rich Loeber is president of Kisco Information Systems Inc.s in Saranac Lake, N.Y. The company is a provider of various security products for the iSeries market.

Dig Deeper on iSeries system and application security