ibm-information-center/dist/eclipse/plugins/i5OS.ic.rzamv_5.4.0.1/rzamvallowuser.htm

141 lines
7.3 KiB
HTML
Raw Permalink Normal View History

2024-04-02 14:02:31 +00:00
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE html
PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html lang="en-us" xml:lang="en-us">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<meta name="security" content="public" />
<meta name="Robots" content="index,follow" />
<meta http-equiv="PICS-Label" content='(PICS-1.1 "http://www.icra.org/ratingsv02.html" l gen true r (cz 1 lz 1 nz 1 oz 1 vz 1) "http://www.rsac.org/ratingsv01.html" l gen true r (n 0 s 0 v 0 l 0) "http://www.classify.org/safesurf/" l gen true r (SS~~000 1))' />
<meta name="DC.Type" content="concept" />
<meta name="DC.Title" content="Allow user domain objects" />
<meta name="abstract" content="This system value specifies whether to allow user domain objects and where these objects will be located." />
<meta name="description" content="This system value specifies whether to allow user domain objects and where these objects will be located." />
<meta name="DC.Relation" scheme="URI" content="rzamvgensecsysval.htm" />
<meta name="copyright" content="(C) Copyright IBM Corporation 2006" />
<meta name="DC.Rights.Owner" content="(C) Copyright IBM Corporation 2006" />
<meta name="DC.Format" content="XHTML" />
<meta name="DC.Identifier" content="allowuser" />
<meta name="DC.Language" content="en-us" />
<!-- All rights reserved. Licensed Materials Property of IBM -->
<!-- US Government Users Restricted Rights -->
<!-- Use, duplication or disclosure restricted by -->
<!-- GSA ADP Schedule Contract with IBM Corp. -->
<link rel="stylesheet" type="text/css" href="./ibmdita.css" />
<link rel="stylesheet" type="text/css" href="./ic.css" />
<title>Allow user domain objects</title>
</head>
<body id="allowuser"><a name="allowuser"><!-- --></a>
<!-- Java sync-link --><script language="Javascript" src="../rzahg/synch.js" type="text/javascript"></script>
<h1 class="topictitle1">Allow user domain objects</h1>
<div><p>This system value specifies whether to allow user domain objects
and where these objects will be located.</p>
<div class="p">User domain objects can pose security risk since movement between these
objects cannot be monitored. Types of user domain objects include:<ul><li>User space (*USRSPC)</li>
<li>User index (*USRIDX)</li>
<li>User queue (*USRQ)</li>
</ul>
</div>
<p> Systems with high security requirements should restrict these user domain
objects to the system's temporary library (QTEMP). Other object types, program
(*PGM), server program (*SRVPGM), and SQL packages (*SQLPKG) can also be in
the user domain. However, the contents of these objects cannot be changed
directly and therefore are not impacted by these restrictions.</p>
<p>See <a href="#allowuser__quickref">Table 2</a> for an overview
of this system value. </p>
<div class="p">
<div class="tablenoborder"><table cellpadding="4" cellspacing="0" summary="" frame="border" border="1" rules="all"><caption>Table 1. Possible values for the use allow user domain
objects system value</caption><tbody><tr><td valign="top"><strong>iSeries™ Navigator </strong></td>
<td valign="top"><strong>Character-based interface</strong></td>
<td valign="top"><strong>Description</strong></td>
</tr>
<tr><td valign="top">All libraries and directories</td>
<td valign="top">*ALL</td>
<td valign="top">Allows objects that are not able to be audited in all
libraries and directories. The server has multiple file systems. Libraries
are part of the QSYS file system and directories are part of a POSIX file
system. Directories are referred to as being part of the "root" or "QOpenSys"
file system.</td>
</tr>
<tr><td valign="top">QTEMP library and in the following: All directories</td>
<td valign="top">*DIR</td>
<td valign="top">Allows objects that are not able to be audited in all
directories, in addition to the QTEMP library.</td>
</tr>
<tr><td valign="top">QTEMP library and in the following: Selected libraries</td>
<td valign="top"><em>library-name</em></td>
<td valign="top">Allows you to specify libraries in which to allow objects
that cannot be audited. This system value indicates specific libraries that
may contain user domain versions of user objects. You may list up to 50 libraries.
If you specify a list of library names, applications that currently work with
user domain user objects may fail if they use objects in libraries not specified
in the list.</td>
</tr>
</tbody>
</table>
</div>
</div>
<p><strong>Relationship to security policy</strong></p>
<div class="p">
<div class="tablenoborder"><a name="allowuser__quickref"><!-- --></a><table cellpadding="4" cellspacing="0" summary="" id="allowuser__quickref" frame="border" border="1" rules="all"><caption>Table 2. Quick Reference. Provides details
for the allow user domain objects system value.</caption><tbody><tr><td valign="top">iSeries Navigator name</td>
<td valign="top">Allow these objects in</td>
</tr>
<tr><td valign="top">Character-based interface name</td>
<td valign="top">QALWUSRDMN</td>
</tr>
<tr><td valign="top">Authority</td>
<td valign="top"><p>*ALLOBJ<br />
*SECADM</p>
<div class="note"><span class="notetitle">Note:</span> The QSECOFR user profile is shipped with these authorities. </div>
</td>
</tr>
<tr><td valign="top">How to access</td>
<td valign="top"><div class="p"><strong>iSeries Navigator</strong><ol><li>Expand <span class="menucascade"><span class="uicontrol">Security</span> &gt; <span class="uicontrol">Policies</span></span>.</li>
<li>Right click <strong>Security Policy</strong> and select <strong>Properties</strong>.</li>
<li>On the <strong>User Domain Objects</strong> page, you will find the options for
this system value.</li>
</ol>
</div>
<div class="p"><strong>Character-based interface</strong><ol><li>In the character-based interface, type <samp class="codeph">WRKSYSVAL QALWUSRDMN</samp>.</li>
</ol>
</div>
</td>
</tr>
<tr><td valign="top">Changes take effect</td>
<td valign="top">Immediately.</td>
</tr>
<tr><td valign="top">Default value</td>
<td valign="top">All libraries and directories.</td>
</tr>
<tr><td valign="top">Recommended value</td>
<td valign="top">For most systems, the recommended value is *ALL. If
your system has a high security requirement, you should allow user domain
objects only in the QTEMP library.</td>
</tr>
<tr><td valign="top"><a href="rzamvlockdown.htm">Lockable</a></td>
<td valign="top">Yes.</td>
</tr>
<tr><td valign="top">Special considerations</td>
<td valign="top">Some systems have application software that need user
domain object types (*USRSPC, *USRIDX, or *USRQ). For those systems, set this
system value to use a library list that includes all the libraries used by
the application. All libraries that are defined with this system value, with
the exception of QTEMP, should have exclude (*EXCLUDE) public authority. This
limits the number of users to read or change the data in user domain objects
in these libraries.</td>
</tr>
</tbody>
</table>
</div>
</div>
<p>For more detailed information about this security value, see Chapter 3,
"Security System Values" in <a href="../books/sc415302.pdf" target="_blank">Security Reference</a>. </p>
</div>
<div>
<div class="familylinks">
<div class="parentlink"><strong>Parent topic:</strong> <a href="rzamvgensecsysval.htm" title="General security system values provide the cornerstone for your security policy.">General security system values</a></div>
</div>
</div>
</body>
</html>