<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE html
PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html lang="en-us" xml:lang="en-us">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<meta name="security" content="public" />
<meta name="Robots" content="index,follow" />
<meta http-equiv="PICS-Label" content='(PICS-1.1 "http://www.icra.org/ratingsv02.html" l gen true r (cz 1 lz 1 nz 1 oz 1 vz 1) "http://www.rsac.org/ratingsv01.html" l gen true r (n 0 s 0 v 0 l 0) "http://www.classify.org/safesurf/" l gen true r (SS~~000 1))' />
<meta name="DC.Type" content="concept" />
<meta name="DC.Title" content="Use adopted authority" />
<meta name="abstract" content="Adopted authority adds the authority of a program owner to the authority of the user running the program." />
<meta name="description" content="Adopted authority adds the authority of a program owner to the authority of the user running the program." />
<meta name="DC.Relation" scheme="URI" content="rzamvgensecsysval.htm" />
<meta name="copyright" content="(C) Copyright IBM Corporation 2006" />
<meta name="DC.Rights.Owner" content="(C) Copyright IBM Corporation 2006" />
<meta name="DC.Format" content="XHTML" />
<meta name="DC.Identifier" content="useadoptauth" />
<meta name="DC.Language" content="en-us" />
<!-- All rights reserved. Licensed Materials Property of IBM -->
<!-- US Government Users Restricted Rights -->
<!-- Use, duplication or disclosure restricted by -->
<!-- GSA ADP Schedule Contract with IBM Corp. -->
<link rel="stylesheet" type="text/css" href="./ibmdita.css" />
<link rel="stylesheet" type="text/css" href="./ic.css" />
<title>Use adopted authority</title>
</head>
<body id="useadoptauth"><a name="useadoptauth"><!-- --></a>
<!-- Java sync-link --><script language="Javascript" src="../rzahg/synch.js" type="text/javascript"></script>
<h1 class="topictitle1">Use adopted authority</h1>
<div><p>Adopted authority adds the authority of a program owner to the
authority of the user running the program. </p>
<p>Sometimes a user may need different authorities to an object or application.
For instance, you have employees that need to update customer information
by using a data management application that provides that function. However,
the same users should be allowed to view, but not change, the same customer
information when using a decision support tool, such as SQL. One solution
to this situation is to use adopted authority. You can use adopted authority
to protect your important files from being changed outside of your approved
application programs while you still allow queries against the files. </p>
<p>See <a href="#useadoptauth__quickref">Table 2</a> for an overview
of this system value. </p>
<div class="p">
<div class="tablenoborder"><table cellpadding="4" cellspacing="0" summary="" frame="border" border="1" rules="all"><caption>Table 1. Possible values for the use adopted authority
system value</caption><thead align="left"><tr valign="bottom"><th valign="bottom" id="d0e29">iSeries™ Navigator</th>
<th valign="bottom" id="d0e33">Character-based interface</th>
<th valign="bottom" id="d0e35">Description</th>
</tr>
</thead>
<tbody><tr><td valign="top" headers="d0e29 ">All users</td>
<td valign="top" headers="d0e33 ">*NONE <sup>1</sup></td>
<td valign="top" headers="d0e35 ">All users can create, change, or update programs and
service programs to use the authority of the program which called them if
the user has the necessary authority to the program or service program.</td>
</tr>
<tr><td valign="top" headers="d0e29 ">Authorization list</td>
<td valign="top" headers="d0e33 ">Name of the authorization list</td>
<td valign="top" headers="d0e35 ">The user's authority is checked against the specified
authorization list. This authority cannot come from adopted authority. If
the user has at least the USE authority attribute in the specified authorization
list, the user can create, change, or update programs or service programs
that use the authority of the program which called them.</td>
</tr>
<tr><td colspan="3" valign="top" headers="d0e29 d0e33 d0e35 "><ol><li>*NONE indicates that no authorization list will be used and by default
all users will be allowed to access programs that use adopted authority.</li>
</ol>
</td>
</tr>
</tbody>
</table>
</div>
</div>
<p><strong>Relationship to security policy</strong></p>
<div class="p">This system value determines which users can work with programs with adopted
authorities. Adopted authority adds the authority of a program owner to the
authority of the user running the program. All users with adopted authority
can create and change the program, as long as they have authority to that
program. Before determining which programs and users will use adopted
authority, answer the following questions:<dl><dt class="dlterm"><strong>How much authority do users need for a given program or application?</strong></dt>
<dd>Programs should adopt the authority of a user profile that has only enough
authority to do the necessary functions, not excessive authority. You should
be particularly cautious of programs that adopt the authority of a user profile
that either has *ALLOBJ special authority or owns important objects. These
users could have access to core program functions and alter key data or change
application parameters. Adopting the authority of an application owner is
preferable to adopting the authority of QSECOFR or a user with *ALLOBJ special
authority. Ensure that the owners of applications that adopt authority
are not in the QSECOFR user class and do not have *ALLOBJ special authority.</dd>
<dt class="dlterm"><strong>What programs should use adopted authority?</strong></dt>
<dd>Programs that adopt authority should have a specific, limited function.
Carefully monitor the function provided by programs that adopt authority.
Make sure these programs do not provide a means for the user to access objects
outside the control of the program, such as command entry capability. In addition,
programs that adopt authority should be secured properly. It is critical that
you understand how a program is used before allowing adopted authority. System
performance may be impacted negatively if adopted authority is used excessively.
Chapter 5, "Resource Security" of the <a href="../books/sc415302.pdf" target="_blank">Security Reference</a> book contains flowcharts that illustrate
how adopted authority works.</dd>
</dl>
</div>
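<p>The following CL program is an added example, not part of the original IBM topic. It shows one way to review which programs adopt a powerful profile before deciding which should keep doing so. APPOWNER and APPLIB/CUSTQRY are hypothetical names.</p>

```cl
/* Added example: review programs that adopt authority.              */
/* APPOWNER and APPLIB/CUSTQRY are hypothetical names.               */
PGM
  /* List every program that adopts QSECOFR; each entry should have  */
  /* a specific, limited function and no command entry capability.   */
  DSPPGMADP  USRPRF(QSECOFR) OUTPUT(*PRINT)

  /* List programs that adopt the application owner instead, which   */
  /* is preferable to adopting QSECOFR or an *ALLOBJ profile.        */
  DSPPGMADP  USRPRF(APPOWNER) OUTPUT(*PRINT)

  /* Report adopting objects for all profiles for periodic review.   */
  PRTADPOBJ  USRPRF(*ALL)

  /* Stop a query program from using authority adopted by the        */
  /* programs that call it (the USEADPAUT parameter).                */
  CHGPGM     PGM(APPLIB/CUSTQRY) USEADPAUT(*NO)
ENDPGM
```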
<div class="p">
<div class="tablenoborder"><a name="useadoptauth__quickref"><!-- --></a><table cellpadding="4" cellspacing="0" summary="" id="useadoptauth__quickref" frame="border" border="1" rules="all"><caption>Table 2. Quick Reference. Provides details
for the use adopted authority system value.</caption><thead align="left"><tr valign="bottom"><th valign="bottom" width="43.43434343434344%" id="d0e90">iSeries Navigator name</th>
<th valign="bottom" width="56.56565656565656%" id="d0e94">Users who can cause programs to use adopted authority
from calling programs</th>
</tr>
</thead>
<tbody><tr><td valign="top" width="43.43434343434344%" headers="d0e90 ">Character-based interface name</td>
<td valign="top" width="56.56565656565656%" headers="d0e94 ">QUSEADPAUT</td>
</tr>
<tr><td valign="top" width="43.43434343434344%" headers="d0e90 ">Authority</td>
<td valign="top" width="56.56565656565656%" headers="d0e94 "><p>*ALLOBJ<br />
*SECADM</p>
<div class="note"><span class="notetitle">Note:</span> The QSECOFR user profile is shipped with these authorities. </div>
</td>
</tr>
<tr><td valign="top" width="43.43434343434344%" headers="d0e90 ">How to access</td>
<td valign="top" width="56.56565656565656%" headers="d0e94 "><div class="p"><strong>iSeries Navigator</strong><ol><li>Expand <span class="menucascade"><span class="uicontrol">Security</span> &gt; <span class="uicontrol">Policies</span></span>.</li>
<li>Right click <strong>Security Policy</strong> and select <strong>Properties</strong>.</li>
<li>On the <strong>General</strong> page, you will find the option for using adopted
authority.</li>
</ol>
</div>
<div class="p"><strong>Character-based interface</strong><ol><li>In the character-based interface, type <samp class="codeph">WRKSYSVAL QUSEADPAUT</samp>.</li>
</ol>
</div>
</td>
</tr>
<tr><td valign="top" width="43.43434343434344%" headers="d0e90 ">Changes take effect</td>
<td valign="top" width="56.56565656565656%" headers="d0e94 ">Immediately</td>
</tr>
<tr><td valign="top" width="43.43434343434344%" headers="d0e90 ">Default value</td>
<td valign="top" width="56.56565656565656%" headers="d0e94 ">All users </td>
</tr>
<tr><td valign="top" width="43.43434343434344%" headers="d0e90 ">Recommended value</td>
<td valign="top" width="56.56565656565656%" headers="d0e94 ">Authorization list</td>
</tr>
<tr><td valign="top" width="43.43434343434344%" headers="d0e90 "><a href="rzamvlockdown.htm">Lockable</a></td>
<td valign="top" width="56.56565656565656%" headers="d0e94 ">Yes</td>
</tr>
<tr><td valign="top" width="43.43434343434344%" headers="d0e90 ">Special considerations</td>
<td valign="top" width="56.56565656565656%" headers="d0e94 "><span>This system value does not prevent anyone
from creating or changing a program or service program that adopts its owner's
authority. This system value applies to the Use Adopted Authority (<span class="parmname">USEADPAUT</span>)
parameter but not to the User Profile (<span class="parmname">USRPRF</span>) parameter
of a program or service program.</span></td>
</tr>
</tbody>
</table>
</div>
</div>
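<p>The following CL program is an added example, not part of the original IBM topic. It moves the system value from the default (*NONE, all users) to the recommended authorization list setting. The list name QUSEADPAUT and the profile DEVLEAD are assumptions chosen for illustration, and the commands must be run by a user with *ALLOBJ and *SECADM special authority.</p>

```cl
/* Added example: restrict who can create or change programs with    */
/* USEADPAUT(*YES). The list name and DEVLEAD are assumptions.       */
PGM
  /* Create the authorization list with *PUBLIC excluded, so that    */
  /* no user qualifies unless explicitly added.                      */
  CRTAUTL    AUTL(QUSEADPAUT) AUT(*EXCLUDE)

  /* Have the security officer own the list.                         */
  CHGOBJOWN  OBJ(QUSEADPAUT) OBJTYPE(*AUTL) NEWOWN(QSECOFR)

  /* Grant *USE to each user who may set USEADPAUT(*YES). This       */
  /* authority cannot come from adopted authority.                   */
  ADDAUTLE   AUTL(QUSEADPAUT) USER(DEVLEAD) AUT(*USE)

  /* Point the system value at the list. The change takes effect     */
  /* immediately.                                                    */
  CHGSYSVAL  SYSVAL(QUSEADPAUT) VALUE(QUSEADPAUT)

  /* Record the resulting configuration for review.                  */
  DSPSYSVAL  SYSVAL(QUSEADPAUT) OUTPUT(*PRINT)
  DSPAUTL    AUTL(QUSEADPAUT) OUTPUT(*PRINT)
ENDPGM
```

<p>As the special considerations above state, this setting governs the USEADPAUT parameter only; it does not stop anyone from creating a program that adopts its owner's authority through the USRPRF parameter.</p>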
<p>For more detailed information about this security value, see Chapter 3,
"Security System Values" in <a href="../books/sc415302.pdf" target="_blank">Security Reference</a>.</p>
</div>
<div>
<div class="familylinks">
<div class="parentlink"><strong>Parent topic:</strong> <a href="rzamvgensecsysval.htm" title="General security system values provide the cornerstone for your security policy.">General security system values</a></div>
</div>
</div>
</body>
</html>