This article describes the step-by-step procedure for analyzing
programs that adopt authority.
Programs that adopt the authority of a user with *ALLOBJ special authority
represent a security exposure. The following method can be used to find and
inspect those programs:
- For each user with *ALLOBJ special authority, use the Display Programs
  That Adopt (DSPPGMADP) command to list the programs that adopt that user's
  authority:

      DSPPGMADP USRPRF(user-profile-name) +
                OUTPUT(*PRINT)
- Use the Display Object Authority (DSPOBJAUT) command to determine who is
  authorized to use each adopting program and what the public authority to the
  program is (ASPDEV names the auxiliary storage pool device that holds the
  library, not the program itself):

      DSPOBJAUT OBJ(library-name/program-name) +
                OBJTYPE(*PGM) ASPDEV(asp-device-name) +
                OUTPUT(*PRINT)
- Inspect the source code and program description to evaluate:
  - Whether the user of the program is prevented from exercising excess
    function, such as using a command line, while running under the adopted
    profile.
  - Whether the program adopts the minimum authority level needed for the
    intended function. Applications that use adopted authority can be designed
    using the same owner profile for objects and programs. When the authority
    of the program owner is adopted, the user has *ALL authority to the
    application objects. In many cases, the owner profile does not need any
    special authorities.
- Verify when the program was last changed, using the Display Object
  Description (DSPOBJD) command (again, ASPDEV takes the ASP device name):

      DSPOBJD OBJ(library-name/program-name) +
              OBJTYPE(*PGM) ASPDEV(asp-device-name) +
              DETAIL(*FULL)
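The first two steps of the procedure above can be run as a single query instead of one DSPPGMADP and one DSPOBJAUT command per user and program. The query below is an added example, not part of the original procedure; it uses the IBM i SQL services QSYS2.USER_INFO, QSYS2.PROGRAM_INFO and QSYS2.OBJECT_PRIVILEGES. It assumes those views and the columns named in the comments are available on the release in use, that the library scope APPLIB (a constructed value) is the library being reviewed, and that OBJECT_PRIVILEGES reports *PUBLIC as an AUTHORIZATION_NAME row. The inspection of source code and the DSPOBJD last-changed check remain manual steps.

```sql
-- Added example, not from the original procedure.
-- Assumed: QSYS2.USER_INFO (AUTHORIZATION_NAME, SPECIAL_AUTHORITIES),
--          QSYS2.PROGRAM_INFO (PROGRAM_LIBRARY, PROGRAM_NAME, OBJECT_TYPE,
--                              PROGRAM_OWNER, USER_PROFILE),
--          QSYS2.OBJECT_PRIVILEGES (SYSTEM_OBJECT_SCHEMA, SYSTEM_OBJECT_NAME,
--                              OBJECT_TYPE, AUTHORIZATION_NAME, OBJECT_AUTHORITY)
-- exist as documented for the IBM i services on the release in use.

WITH allobj_users AS (
    -- Step 1 input: every profile that holds *ALLOBJ special authority
    SELECT authorization_name
      FROM qsys2.user_info
     WHERE special_authorities LIKE '%*ALLOBJ%'
),
adopting_pgms AS (
    -- Programs and service programs created with USRPRF(*OWNER) whose owner
    -- is one of those profiles: the same set DSPPGMADP lists per user
    SELECT p.program_library,
           p.program_name,
           p.object_type,
           p.program_owner
      FROM qsys2.program_info p
      JOIN allobj_users u
        ON u.authorization_name = p.program_owner
     WHERE p.user_profile = '*OWNER'
       AND p.program_library = 'APPLIB'   -- constructed scope; widen as needed
)
-- Step 2: who is authorized to each adopting program and what *PUBLIC gets,
-- the information DSPOBJAUT prints. *PUBLIC is sorted first for each program
-- so a public authority other than *EXCLUDE stands out in the listing.
SELECT a.program_library,
       a.program_name,
       a.object_type,
       a.program_owner,
       o.authorization_name,
       o.object_authority
  FROM adopting_pgms a
  LEFT JOIN qsys2.object_privileges o
    ON o.system_object_schema = a.program_library
   AND o.system_object_name   = a.program_name
   AND o.object_type          = a.object_type
 ORDER BY a.program_library,
          a.program_name,
          CASE WHEN o.authorization_name = '*PUBLIC' THEN 0 ELSE 1 END,
          o.authorization_name;
```

Each row pairs one adopting program with one authorized user (or *PUBLIC) and that user's authority to it. Programs whose *PUBLIC row shows anything other than *EXCLUDE, or whose private-authority rows include profiles that do not need the adopted function, are the ones to take into the source-code inspection and DSPOBJD steps.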