IBM Power Systems
Wednesday, June 30, 2010
Securing a Library from Some Users but Allowing *PUBLIC Access
There are times when you want a person or group to have less access than *PUBLIC has. To be as secure as possible, you can even exclude the user from the entire system except for what you want that user to be able to see.
For the person or group, do the following:
1 To exclude a person from all libraries on the system and, therefore, all objects in libraries on the system, run the following command:
GRTOBJAUT OBJ(QSYS/*ALL) OBJTYPE(*LIB) USER(xxxx) AUT(*EXCLUDE)
2 Run the following command:
DSPSYSVAL QSYSLIBL
Document every library in the system library list.
3 For each library in the system library list, run the following command:
RVKOBJAUT OBJ(QSYS/library) OBJTYPE(*LIB) USER(xxxx) AUT(*ALL)
Revoking the private authority removes the *EXCLUDE entry, so the user falls back to the *PUBLIC authority for these libraries and can access the libraries in the system library list. Without this, the user cannot sign on.
4 Do the same for the user library list (listed in the user's job description): document each library in it, then repeat Step 3 for each library in the user's library list.
5 For each additional library in which you want the excluded user to be able to use objects, do one of the following:
To give the user the same authority that public does, run the following command:
RVKOBJAUT OBJ(QSYS/library) OBJTYPE(*LIB) USER(xxxx) AUT(*ALL)
To give the user specific authority to the library, run the following command:
GRTOBJAUT OBJ(QSYS/library) OBJTYPE(*LIB) USER(xxxx) AUT(xxxx)
If a user has *EXCLUDE authority to a library, that user is excluded from all objects in the library. However, if the user has *USE authority to the library, the user can do more than merely *USE the objects within: *USE on the library only lets the user get to the objects, and what the user can do with each one is governed by that object's own authorities. Therefore, the user might be able to change or even delete objects within the library.
The user must always have access to the following:
o The libraries in their library list.
o Most objects available to *PUBLIC in QSYS.
o The device that they're signing in from, with at least *CHANGE authority.
o Their own user profile, with at least Object Operational and Object Management authority, and all data authorities.
Without these, the user is not able to sign on.
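As an added example, not part of the original post: an ILE CL program that automates Steps 1 through 5 for one user. The program name EXCLLIB and the parameter layout are assumptions. The system library list is read from the QSYSLIBL system value; the libraries from the user's job description (Step 4) and any additional libraries (Step 5) are passed in the second parameter, because the post has you document those by hand.

```cl
/* EXCLLIB (assumed name): exclude &USER from every library, then   */
/* restore *PUBLIC access to the system library list and to the      */
/* libraries named in &LIBS (up to 10 names, 10 characters each,     */
/* blank padded). Compile with CRTBNDCL.                             */
PGM PARM(&USER &LIBS)
  DCL VAR(&USER)    TYPE(*CHAR) LEN(10)
  DCL VAR(&LIBS)    TYPE(*CHAR) LEN(100)
  DCL VAR(&SYSLIBL) TYPE(*CHAR) LEN(150)   /* QSYSLIBL: 15 x 10 chars */
  DCL VAR(&LIB)     TYPE(*CHAR) LEN(10)
  DCL VAR(&I)       TYPE(*INT)
  DCL VAR(&POS)     TYPE(*INT)

  /* Step 1: a private *EXCLUDE on each library overrides *PUBLIC   */
  GRTOBJAUT OBJ(QSYS/*ALL) OBJTYPE(*LIB) USER(&USER) AUT(*EXCLUDE)

  /* Steps 2-3: drop the exclusion for every system library list    */
  /* entry; without these libraries the user cannot sign on          */
  RTVSYSVAL SYSVAL(QSYSLIBL) RTNVAR(&SYSLIBL)
  CHGVAR VAR(&I) VALUE(1)
  DOWHILE COND(&I *LE 15)
    CHGVAR VAR(&POS) VALUE((&I - 1) * 10 + 1)
    CHGVAR VAR(&LIB) VALUE(%SST(&SYSLIBL &POS 10))
    IF COND(&LIB *NE ' ') THEN(DO)
      /* revoking the private entry lets *PUBLIC authority apply    */
      RVKOBJAUT OBJ(QSYS/&LIB) OBJTYPE(*LIB) USER(&USER) AUT(*ALL)
    ENDDO
    CHGVAR VAR(&I) VALUE(&I + 1)
  ENDDO

  /* Steps 4-5: same for the documented user library list and any   */
  /* additional libraries the user is allowed to use                 */
  CHGVAR VAR(&I) VALUE(1)
  DOWHILE COND(&I *LE 10)
    CHGVAR VAR(&POS) VALUE((&I - 1) * 10 + 1)
    CHGVAR VAR(&LIB) VALUE(%SST(&LIBS &POS 10))
    IF COND(&LIB *NE ' ') THEN(DO)
      RVKOBJAUT OBJ(QSYS/&LIB) OBJTYPE(*LIB) USER(&USER) AUT(*ALL)
    ENDDO
    CHGVAR VAR(&I) VALUE(&I + 1)
  ENDDO
ENDPGM
```

Call it from CL with variables declared at the same lengths (DCL &LIBS *CHAR 100) rather than with literal strings, since a literal shorter than the declared parameter length leaves the rest of the parameter undefined. Any RVKOBJAUT failure ends the program with its escape message, which is preferable to silently leaving the user unable to sign on.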