Allow user domain objects

This system value specifies whether to allow user domain objects and where these objects will be located.

User domain objects can pose a security risk since movement between these objects cannot be monitored. Types of user domain objects include *USRSPC, *USRIDX, and *USRQ.

Systems with high security requirements should restrict these user domain objects to the system's temporary library (QTEMP). Other object types, program (*PGM), server program (*SRVPGM), and SQL packages (*SQLPKG), can also be in the user domain. However, the contents of these objects cannot be changed directly and therefore are not impacted by these restrictions.

See Table 2 for an overview of this system value.

Table 1. Possible values for the allow user domain objects system value

| iSeries™ Navigator | Character-based interface | Description |
|---|---|---|
| All libraries and directories | *ALL | Allows objects that are not able to be audited in all libraries and directories. The server has multiple file systems. Libraries are part of the QSYS file system and directories are part of a POSIX file system. Directories are referred to as being part of the "root" or "QOpenSys" file system. |
| QTEMP library and in the following: All directories | *DIR | Allows objects that are not able to be audited in all directories, in addition to the QTEMP library. |
| QTEMP library and in the following: Selected libraries | library-name | Allows you to specify libraries in which to allow objects that cannot be audited. This system value indicates specific libraries that may contain user domain versions of user objects. You may list up to 50 libraries. If you specify a list of library names, applications that currently work with user domain user objects may fail if they use objects in libraries not specified in the list. |

Relationship to security policy

Table 2. Quick Reference. Provides details for the allow user domain objects system value.
iSeries Navigator name: Allow these objects in
Character-based interface name: QALWUSRDMN
Authority:
  *ALLOBJ
  *SECADM
  Note: The QSECOFR user profile is shipped with these authorities.
How to access:
  iSeries Navigator
    1. Expand Security > Policies.
    2. Right-click Security Policy and select Properties.
    3. On the User Domain Objects page, you will find the options for this system value.
  Character-based interface
    1. In the character-based interface, type WRKSYSVAL QALWUSRDMN.
Changes take effect: Immediately.
Default value: All libraries and directories.
Recommended value: For most systems, the recommended value is *ALL. If your system has a high security requirement, you should allow user domain objects only in the QTEMP library.
Lockable: Yes.
Special considerations: Some systems have application software that needs user domain object types (*USRSPC, *USRIDX, or *USRQ). For those systems, set this system value to use a library list that includes all the libraries used by the application. All libraries that are defined with this system value, with the exception of QTEMP, should have exclude (*EXCLUDE) public authority. This limits the number of users who can read or change the data in user domain objects in these libraries.
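
The guidance in the Recommended value and Special considerations entries, expressed as a check over a QALWUSRDMN setting. This is an added example, not IBM code; the function name, finding codes, the dictionary input format and the library names APPLIB1 to APPLIB3 are assumptions made for illustration.

```python
# Added example: check a QALWUSRDMN setting against the guidance on this page.
# All library names and authority values below are constructed sample data.

def audit_qalwusrdmn(value, public_authority, high_security=False):
    """Return (code, subject) findings for one QALWUSRDMN setting.

    value            -- the system value as text, e.g. "QTEMP APPLIB1"
    public_authority -- dict of library name -> *PUBLIC authority, collected
                        by the auditor (hypothetical input format)
    high_security    -- True when the system has a high security requirement
    """
    tokens = value.upper().split()
    findings = []

    if "*ALL" in tokens:
        # Recommended for most systems; too broad for a high-security one.
        if high_security:
            findings.append(("NOT_QTEMP_ONLY", "*ALL"))
        return findings

    if "*DIR" in tokens and high_security:
        findings.append(("NOT_QTEMP_ONLY", "*DIR"))

    for lib in tokens:
        if lib.startswith("*") or lib == "QTEMP":
            continue  # QTEMP is exempt from the *EXCLUDE rule
        if high_security:
            findings.append(("NOT_QTEMP_ONLY", lib))
        authority = public_authority.get(lib)
        if authority is None:
            findings.append(("PUBLIC_AUTHORITY_UNKNOWN", lib))
        elif authority != "*EXCLUDE":
            findings.append(("PUBLIC_NOT_EXCLUDED", lib))
    return findings


if __name__ == "__main__":
    sample_authority = {"APPLIB1": "*EXCLUDE", "APPLIB2": "*USE"}  # constructed
    for code, subject in audit_qalwusrdmn("QTEMP APPLIB1 APPLIB2 APPLIB3",
                                          sample_authority):
        print(code, subject)
```

A listed library whose public authority was not collected is reported separately, so missing audit data is not read as compliance.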

For more detailed information about this security value, see Chapter 3, "Security System Values" in Security Reference.