<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE html
PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html lang="en-us" xml:lang="en-us">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<meta name="security" content="public" />
<meta name="Robots" content="index,follow" />
<meta http-equiv="PICS-Label" content='(PICS-1.1 "http://www.icra.org/ratingsv02.html" l gen true r (cz 1 lz 1 nz 1 oz 1 vz 1) "http://www.rsac.org/ratingsv01.html" l gen true r (n 0 s 0 v 0 l 0) "http://www.classify.org/safesurf/" l gen true r (SS~~000 1))' />
<meta name="DC.Type" content="concept" />
<meta name="DC.Title" content="Analyze programs that adopt authority" />
<meta name="abstract" content="This article describes the step-by-step procedure for analyzing programs that adopt authority." />
<meta name="description" content="This article describes the step-by-step procedure for analyzing programs that adopt authority." />
<meta name="DC.Relation" scheme="URI" content="rzamvplansecauditing.htm" />
<meta name="copyright" content="(C) Copyright IBM Corporation 2006" />
<meta name="DC.Rights.Owner" content="(C) Copyright IBM Corporation 2006" />
<meta name="DC.Format" content="XHTML" />
<meta name="DC.Identifier" content="analyzeprogadoptauth" />
<meta name="DC.Language" content="en-us" />
<!-- All rights reserved. Licensed Materials Property of IBM -->
<!-- US Government Users Restricted Rights -->
<!-- Use, duplication or disclosure restricted by -->
<!-- GSA ADP Schedule Contract with IBM Corp. -->
<link rel="stylesheet" type="text/css" href="./ibmdita.css" />
<link rel="stylesheet" type="text/css" href="./ic.css" />
<title>Analyze programs that adopt authority</title>
</head>
<body id="analyzeprogadoptauth"><a name="analyzeprogadoptauth"><!-- --></a>
<!-- Java sync-link --><script language="Javascript" src="../rzahg/synch.js" type="text/javascript"></script>
<h1 class="topictitle1">Analyze programs that adopt authority</h1>
<div><p>This article describes the step-by-step procedure for analyzing
programs that adopt authority.</p>
<div class="p">Programs that adopt the authority of a user with *ALLOBJ special authority
represent a security exposure. The following method can be used to find and
inspect those programs:<ol><li>For each user with *ALLOBJ special authority, use the Display Programs
That Adopt (DSPPGMADP) command to list the programs that adopt that user's
authority: <pre>DSPPGMADP USRPRF(<var class="varname">user-profile-name</var>) +
OUTPUT(*PRINT)</pre>
</li>
<li>Use the DSPOBJAUT command to determine who is authorized to use each adopting
program and what the public authority is to the program: <pre>DSPOBJAUT OBJ(<var class="varname">library-name</var>/<var class="varname">program-name</var>) +
OBJTYPE(*PGM) ASPDEV(<var class="varname">asp-device-name</var>) +
OUTPUT(*PRINT)</pre>
</li>
<li>Inspect the source code and program description to evaluate: <ul><li>Whether the user of the program is prevented from excess function, such
as using a command line, while running under the adopted profile.</li>
<li>Whether the program adopts the minimum authority level needed for the
intended function. Applications that use adopted authority can be designed using
the same owner profile for objects and programs. When the authority of the
program owner is adopted, the user has *ALL authority to application objects.
In many cases, the owner profile does not need any special authorities.</li>
</ul>
</li>
<li>Verify when the program was last changed, using the DSPOBJD command: <pre>DSPOBJD OBJ(<var class="varname">library-name</var>/<var class="varname">program-name</var>) +
OBJTYPE(*PGM) ASPDEV(<var class="varname">asp-device-name</var>) +
DETAIL(*FULL)</pre>
</li>
</ol>
</div>
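<p>The following CL program is an added example, not part of the original IBM topic. It automates step 1 of the procedure above by running DSPPGMADP for every profile that has *ALLOBJ and collecting the results in one file for steps 2 through 4. The work files QTEMP/USRLIST and QTEMP/ADOPTPGM are hypothetical names, and the fields &amp;UPUPRF and &amp;UPSPAU are assumed to be the profile name and the 150-character special-authority list of the QADSPUPB model output file.</p>

```cl
/* Added example: run step 1 (DSPPGMADP) for every *ALLOBJ profile.    */
/* Assumption: &UPUPRF and &UPSPAU (150 chars) come from QADSPUPB.     */
PGM
  DCLF      FILE(QSYS/QADSPUPB)  /* model outfile, DSPUSRPRF *BASIC   */
  DCL       VAR(&I)     TYPE(*INT)
  DCL       VAR(&FOUND) TYPE(*LGL)

  /* Write basic information for all user profiles to a work file.    */
  DSPUSRPRF USRPRF(*ALL) TYPE(*BASIC) OUTPUT(*OUTFILE) +
              OUTFILE(QTEMP/USRLIST)
  OVRDBF    FILE(QADSPUPB) TOFILE(QTEMP/USRLIST)

  /* Start from an empty result file on every run.                    */
  DLTF      FILE(QTEMP/ADOPTPGM)
  MONMSG    MSGID(CPF2105)       /* not found: nothing to delete      */

  DOWHILE   COND('1')
    RCVF
    MONMSG  MSGID(CPF0864) EXEC(LEAVE)   /* end of file               */

    /* Look for '*ALLOBJ' anywhere in the special-authority list.     */
    CHGVAR  VAR(&FOUND) VALUE('0')
    DOFOR   VAR(&I) FROM(1) TO(144)
      IF    COND(%SST(&UPSPAU &I 7) *EQ '*ALLOBJ') THEN(DO)
        CHGVAR VAR(&FOUND) VALUE('1')
        LEAVE                            /* leaves the DOFOR loop     */
      ENDDO
    ENDDO

    /* Append the programs that adopt this profile's authority.       */
    IF      COND(&FOUND) THEN(DO)
      DSPPGMADP USRPRF(&UPUPRF) OUTPUT(*OUTFILE) +
                  OUTFILE(QTEMP/ADOPTPGM) OUTMBR(*FIRST *ADD)
      MONMSG    MSGID(CPF0000)   /* go on to the next profile         */
    ENDDO
  ENDDO

  DLTOVR    FILE(QADSPUPB)
ENDPGM
```

<p>Each record in QTEMP/ADOPTPGM then identifies one adopting program to check with DSPOBJAUT and DSPOBJD. The program only finds profiles that list *ALLOBJ themselves, so profiles that receive it through a group profile have to be added by hand.</p>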
</div>
<div>
<div class="familylinks">
<div class="parentlink"><strong>Parent topic:</strong> <a href="rzamvplansecauditing.htm" title="Use this information to plan security auditing for your systems.">Plan security auditing</a></div>
</div>
</div>
</body>
</html>