Adopted authority adds the authority of a program owner to the
authority of the user running the program.
Sometimes a user may need different authorities to an object or application.
For instance, you might have employees who need to update customer information
by using a data management application that provides that function. However,
the same users should be allowed to view, but not change, the same customer
information when using a decision support tool, such as SQL. One solution
to this situation is to use adopted authority. You can use adopted authority
to protect your important files from being changed outside of your approved
application programs while you still allow queries against the files.

See Table 2 for an overview of this system value.
Table 1. Possible values for the use adopted authority system value

| iSeries™ Navigator | Character-based interface | Description |
|---|---|---|
| All users | *NONE (1) | All users can create, change, or update programs and service programs to use the authority of the program which called them if the user has the necessary authority to the program or service program. |
| Authorization list | Name of the authorization list | The user's authority is checked against the specified authorization list. This authority cannot come from adopted authority. If the user has at least the USE authority attribute in the specified authorization list, the user can create, change, or update programs or service programs that use the authority of the program which called them. |

(1) *NONE indicates that no authorization list will be used and by default all users will be allowed to access programs that use adopted authority.
Relationship to security policy
This system value determines which users can work with programs with adopted
authorities. Adopted authority adds the authority of a program owner to the
authority of the user running the program. All users with adopted authority
can create and change the program, as long as they have authority to that
program. Before determining which programs and users will use adopted
authority, answer the following questions:

- How much authority do users need for a given program or application?
  Programs should adopt the authority of a user profile that has only enough
  authority to do the necessary functions, not excessive authority. You should
  be particularly cautious of programs that adopt the authority of a user profile
  that either has *ALLOBJ special authority or owns important objects. These
  users could have access to core program functions and alter key data or change
  application parameters. Adopting the authority of an application owner is
  preferable to adopting the authority of QSECOFR or a user with *ALLOBJ special
  authority. Ensure that the owners of applications that adopt authority
  are not in the QSECOFR user class and do not have *ALLOBJ special authority.
- What programs should use adopted authority?
  Programs that adopt authority should have a specific, limited function.
  Carefully monitor the function provided by programs that adopt authority.
  Make sure these programs do not provide a means for the user to access objects
  outside the control of the program, such as command entry capability. In addition,
  programs that adopt authority should be secured properly. It is critical that
  you understand how a program is used before allowing adopted authority. System
  performance may be impacted negatively if adopted authority is used excessively.

Chapter 5, "Resource Security" of the Security Reference book contains flowcharts that illustrate
how adopted authority works.
Table 2. Quick Reference. Provides details for the use adopted authority system value.

| iSeries Navigator name | Users who can cause programs to use adopted authority from calling programs |
|---|---|
| Character-based interface name | QUSEADPAUT |
| Authority | *ALLOBJ, *SECADM. Note: The QSECOFR user profile is shipped with these authorities. |
| How to access | iSeries Navigator: (1) Expand . (2) Right click Security Policy and select Properties. (3) On the General page, you will find the option for using adopted authority. Character-based interface: In the character-based interface, type WRKSYSVAL QUSEADPAUT. |
| Changes take effect | Immediately |
| Default value | All users |
| Recommended value | Authorization list |
| Lockable | Yes |
| Special considerations | This system value does not prevent anyone from creating or changing a program or service program that adopts its owner's authority. This system value applies to the Use Adopted Authority (USEADPAUT) parameter but not to the User Profile (USRPRF) parameter of a program or service program. |
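
One way to apply the recommended value from Table 2 and then review existing adopting programs, shown as an added CL example that is not part of the original page. The names USEADPLST, DEVLEAD and APPLIB/CUSTUPD are hypothetical, and the commands assume a profile with *ALLOBJ and *SECADM special authority.

```cl
/* Constructed example. USEADPLST, DEVLEAD and APPLIB/CUSTUPD are         */
/* hypothetical names; substitute your own objects and profiles.          */

/* 1. Create the authorization list with *PUBLIC excluded, so nobody      */
/*    qualifies unless explicitly added.                                  */
CRTAUTL AUTL(USEADPLST) AUT(*EXCLUDE) +
        TEXT('Profiles allowed to set USEADPAUT(*YES)')

/* 2. Transfer ownership to QSYS so that no ordinary profile holds        */
/*    owner authority to the list.                                        */
CHGOBJOWN OBJ(USEADPLST) OBJTYPE(*AUTL) NEWOWN(QSYS)

/* 3. Grant *USE only to the profiles that may create or change programs  */
/*    that use authority adopted by their callers.                        */
ADDAUTLE AUTL(USEADPLST) USER(DEVLEAD) AUT(*USE)

/* 4. Point the system value at the list. The change takes effect         */
/*    immediately. VALUE(*NONE) would restore the default (all users).    */
CHGSYSVAL SYSVAL(QUSEADPAUT) VALUE(USEADPLST)

/* 5. Confirm the new setting.                                            */
DSPSYSVAL SYSVAL(QUSEADPAUT)

/* 6. QUSEADPAUT does not cover the USRPRF parameter, so separately list  */
/*    the programs that adopt a powerful owner's authority and review     */
/*    each one for functions such as command entry.                       */
DSPPGMADP USRPRF(QSECOFR) OUTPUT(*PRINT)

/* 7. For a program that should never run with authority adopted by       */
/*    its callers, turn that inheritance off.                             */
CHGPGM PGM(APPLIB/CUSTUPD) USEADPAUT(*NO)
```

Steps 1 through 5 restrict who can set USEADPAUT(*YES); steps 6 and 7 address the programs that already adopt or inherit authority, which the system value itself does not change.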
For more detailed information about this security value, see Chapter 3,
"Security System Values" in Security Reference.