161 lines
9.8 KiB
HTML
161 lines
9.8 KiB
HTML
<?xml version="1.0" encoding="UTF-8"?>
|
|
<!DOCTYPE html
|
|
PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
|
|
<html lang="en-us" xml:lang="en-us">
|
|
<head>
|
|
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
|
|
<meta name="security" content="public" />
|
|
<meta name="Robots" content="index,follow" />
|
|
<meta http-equiv="PICS-Label" content='(PICS-1.1 "http://www.icra.org/ratingsv02.html" l gen true r (cz 1 lz 1 nz 1 oz 1 vz 1) "http://www.rsac.org/ratingsv01.html" l gen true r (n 0 s 0 v 0 l 0) "http://www.classify.org/safesurf/" l gen true r (SS~~000 1))' />
|
|
<meta name="DC.Type" content="concept" />
|
|
<meta name="DC.Title" content="Use adopted authority" />
|
|
<meta name="abstract" content="Adopted authority adds the authority of a program owner to the authority of the user running the program." />
|
|
<meta name="description" content="Adopted authority adds the authority of a program owner to the authority of the user running the program." />
|
|
<meta name="DC.Relation" scheme="URI" content="rzamvgensecsysval.htm" />
|
|
<meta name="copyright" content="(C) Copyright IBM Corporation 2006" />
|
|
<meta name="DC.Rights.Owner" content="(C) Copyright IBM Corporation 2006" />
|
|
<meta name="DC.Format" content="XHTML" />
|
|
<meta name="DC.Identifier" content="useadoptauth" />
|
|
<meta name="DC.Language" content="en-us" />
|
|
<!-- All rights reserved. Licensed Materials Property of IBM -->
|
|
<!-- US Government Users Restricted Rights -->
|
|
<!-- Use, duplication or disclosure restricted by -->
|
|
<!-- GSA ADP Schedule Contract with IBM Corp. -->
|
|
<link rel="stylesheet" type="text/css" href="./ibmdita.css" />
|
|
<link rel="stylesheet" type="text/css" href="./ic.css" />
|
|
<title>Use adopted authority</title>
|
|
</head>
|
|
<body id="useadoptauth"><a name="useadoptauth"><!-- --></a>
|
|
<!-- Java sync-link --><script language="Javascript" src="../rzahg/synch.js" type="text/javascript"></script>
|
|
<h1 class="topictitle1">Use adopted authority</h1>
|
|
<div><p>Adopted authority adds the authority of a program owner to the
|
|
authority of the user running the program. </p>
|
|
<p>Sometimes a user may need different authorities to an object or application.
|
|
For instance, you have employees that need to update customer information
|
|
by using a data management application that provides that function. However,
|
|
the same users should be allowed to view, but not change, the same customer
|
|
information when using a decision support tool, such as SQL. One solution
|
|
to this situation is to use adopted authority. You can use adopted authority
|
|
to protect your important files from being changed outside of your approved
|
|
application programs while you still allow queries against the files. </p>
|
|
<p>See <a href="#useadoptauth__quickref">Table 2</a> for an overview
|
|
of this system value. </p>
|
|
<div class="p">
|
|
<div class="tablenoborder"><table cellpadding="4" cellspacing="0" summary="" frame="border" border="1" rules="all"><caption>Table 1. Possible values for the use adopted authority
|
|
system value</caption><thead align="left"><tr valign="bottom"><th valign="bottom" id="d0e29">iSeries™ Navigator</th>
|
|
<th valign="bottom" id="d0e33">Character-based interface</th>
|
|
<th valign="bottom" id="d0e35">Description</th>
|
|
</tr>
|
|
</thead>
|
|
<tbody><tr><td valign="top" headers="d0e29 ">All users</td>
|
|
<td valign="top" headers="d0e33 ">*NONE <sup>1</sup></td>
|
|
<td valign="top" headers="d0e35 ">All users can create, change, or update programs and
|
|
service programs to use the authority of the program which called them if
|
|
the user has the necessary authority to the program or service program.</td>
|
|
</tr>
|
|
<tr><td valign="top" headers="d0e29 ">Authorization list</td>
|
|
<td valign="top" headers="d0e33 ">Name of the authorization list</td>
|
|
<td valign="top" headers="d0e35 ">The user's authority is checked against the specified
|
|
authorization list. This authority cannot come from adopted authority. If
|
|
the user has at least the USE authority attribute in the specified authorization
|
|
list, the user can create, change, or update programs or service programs
|
|
that use the authority of the program which called them.</td>
|
|
</tr>
|
|
<tr><td colspan="3" valign="top" headers="d0e29 d0e33 d0e35 "><ol><li>*NONE indicates that no authorization list will be used and by default
|
|
all users will be allowed to access programs that use adopted authority.</li>
|
|
</ol>
|
|
</td>
|
|
</tr>
|
|
</tbody>
|
|
</table>
|
|
</div>
|
|
</div>
|
|
<p><strong>Relationship to security policy</strong></p>
|
|
<div class="p">This system value determines which users can work with programs with adopted
|
|
authorities. Adopted authority adds the authority of a program owner to the
|
|
authority of the user running the program. All users with adopted authority
|
|
can create and change the program, as long as they have authority to that
|
|
program. Before determining which programs and users that will use adopted
|
|
authority, answer the following questions:<dl><dt class="dlterm"><strong>How much authority do users need for a given program or application?</strong></dt>
|
|
<dd>Programs should adopt the authority of a user profile that has only enough
|
|
authority to do the necessary functions, not excessive authority. You should
|
|
be particularly cautious of programs that adopt the authority of a user profile
|
|
that either has *ALLOBJ special authority or owns important objects. These
|
|
users could have access to core program functions and alter key data or change
|
|
application parameters. Adopting the authority of an application owner is
|
|
preferable to adopting the authority of QSECOFR or a user with *ALLOBJ special
|
|
authority. Ensure that applications owners of applications that adopt authority
|
|
are not in QSECOFR user class or have *ALLOBJ special authority.</dd>
|
|
<dt class="dlterm">What programs should use adopted authority?</dt>
|
|
<dd>Programs that adopt authority should have a specific, limited function.
|
|
Carefully monitor the function provided by programs that adopt authority.
|
|
Make sure these programs do not provide a means for the user to access objects
|
|
outside the control of the program, such as command entry capability. In addition
|
|
programs that adopt authority should be secured properly. It is critical that
|
|
you understand how a program is used before allowing adopted authority. System
|
|
performance may be impacted negatively if adopted authority is used excessively.
|
|
Chapter 5, "Resource Security" of the <a href="../books/sc415302.pdf " target="_blank">Security Reference</a> book contains flowcharts that illustrate
|
|
how adopted authority works.</dd>
|
|
</dl>
|
|
</div>
|
|
<div class="p">
|
|
<div class="tablenoborder"><a name="useadoptauth__quickref"><!-- --></a><table cellpadding="4" cellspacing="0" summary="" id="useadoptauth__quickref" frame="border" border="1" rules="all"><caption>Table 2. Quick Reference. Provides details
|
|
for the use adopted authority system value.</caption><thead align="left"><tr valign="bottom"><th valign="bottom" width="43.43434343434344%" id="d0e90">iSeries Navigator name</th>
|
|
<th valign="bottom" width="56.56565656565656%" id="d0e94">Users who can cause programs to use adopted authority
|
|
from calling programs</th>
|
|
</tr>
|
|
</thead>
|
|
<tbody><tr><td valign="top" width="43.43434343434344%" headers="d0e90 ">Character-based interface name</td>
|
|
<td valign="top" width="56.56565656565656%" headers="d0e94 ">QUSEADPAUT</td>
|
|
</tr>
|
|
<tr><td valign="top" width="43.43434343434344%" headers="d0e90 ">Authority</td>
|
|
<td valign="top" width="56.56565656565656%" headers="d0e94 "><p>*ALLOBJ<br />
|
|
*SECADM</p>
|
|
<div class="note"><span class="notetitle">Note:</span> The QSECOFR user profile is shipped with these authorities. </div>
|
|
</td>
|
|
</tr>
|
|
<tr><td valign="top" width="43.43434343434344%" headers="d0e90 ">How to access</td>
|
|
<td valign="top" width="56.56565656565656%" headers="d0e94 "><div class="p"><strong>iSeries Navigator</strong><ol><li>Expand <span class="menucascade"><span class="uicontrol">Security</span> > <span class="uicontrol">Policies</span></span>.</li>
|
|
<li>Right click <strong>Security Policy</strong> and select <strong>Properties</strong>.</li>
|
|
<li>On the <strong>General</strong> page, you will find the option for using adopted
|
|
authority.</li>
|
|
</ol>
|
|
</div>
|
|
<div class="p"><strong>Character-based interface</strong><ol><li>In the character-based interface, type <samp class="codeph">WRKSYSVAL QUSEADPAUT</samp>.</li>
|
|
</ol>
|
|
</div>
|
|
</td>
|
|
</tr>
|
|
<tr><td valign="top" width="43.43434343434344%" headers="d0e90 ">Changes take effect</td>
|
|
<td valign="top" width="56.56565656565656%" headers="d0e94 ">Immediately</td>
|
|
</tr>
|
|
<tr><td valign="top" width="43.43434343434344%" headers="d0e90 ">Default value</td>
|
|
<td valign="top" width="56.56565656565656%" headers="d0e94 ">All users </td>
|
|
</tr>
|
|
<tr><td valign="top" width="43.43434343434344%" headers="d0e90 ">Recommended value</td>
|
|
<td valign="top" width="56.56565656565656%" headers="d0e94 ">Authorization list</td>
|
|
</tr>
|
|
<tr><td valign="top" width="43.43434343434344%" headers="d0e90 "><a href="rzamvlockdown.htm">Lockable</a></td>
|
|
<td valign="top" width="56.56565656565656%" headers="d0e94 ">Yes</td>
|
|
</tr>
|
|
<tr><td valign="top" width="43.43434343434344%" headers="d0e90 ">Special considerations</td>
|
|
<td valign="top" width="56.56565656565656%" headers="d0e94 "><span>This system value does not prevent anyone
|
|
from creating or changing a program or service program that adopts its owner's
|
|
authority. This system value applies to the Use Adopted Authority (<span class="parmname">USEADPAUT</span>)
|
|
parameter but not to the User Profile (<span class="parmname">USRPRF</span>) parameter
|
|
of a program or service program.</span></td>
|
|
</tr>
|
|
</tbody>
|
|
</table>
|
|
</div>
|
|
</div>
|
|
<p>For more detailed information about this security value, see Chapter 3,
|
|
"Security System Values" in <a href="../books/sc415302.pdf" target="_blank">Security Reference</a>.</p>
|
|
</div>
|
|
<div>
|
|
<div class="familylinks">
|
|
<div class="parentlink"><strong>Parent topic:</strong> <a href="rzamvgensecsysval.htm" title="General security system values provide the cornerstone for your security policy.">General security system values</a></div>
|
|
</div>
|
|
</div>
|
|
</body>
|
|
</html> |