Difference between revisions of "Security Basics"
From MidrangeWiki
Starbuck5250 (talk | contribs) (-400, +IBM i) |
Starbuck5250 (talk | contribs) (+outq) |
||
Line 53: | Line 53: | ||
* [[PRTADJOBJ]] Print Adopting Objects | * [[PRTADJOBJ]] Print Adopting Objects | ||
** Specify a user profile, *ALL or generic user(QP*) and get a printout of objects that adopt user's authority. | ** Specify a user profile, *ALL or generic user(QP*) and get a printout of objects that adopt user's authority. | ||
+ | |||
+ | |||
+ | === Spooled files === | ||
+ | The scenario: want to stop programmers from using a production OUTQ. | ||
+ | |||
+ | If the developers have either *JOBCTL or *SPLCTL, and the OPRCTL(*YES) | ||
+ | parameter is specified on the OUTQ, the developers will be able to use | ||
+ | and work with the OUTQ. One way to correct this is to turn the OPRCTL | ||
+ | parameter on the OUTQ to *NO. | ||
+ | |||
+ | Assuming programmers have *JOBCTL, here is what I would do.... | ||
+ | |||
+ | # Make the OUTQ *OPRCTL(*NO) | ||
+ | # Create a Group Profile for all developers | ||
+ | # Add the Group Profile to the OUTQ with an authority of *EXCLUDE | ||
+ | # Give the authorized user Group(s) *CHANGE (authorized users could be *PUBLIC now that the programmers are excluded.) | ||
+ | # If there are any *JOBCTL or *SPLCTL users (SysOpers?) who you want to be able to manage the OUTQ, give them *CHANGE authority as well. | ||
+ | |||
+ | Thanks to John Earl via Midrange-L 21 Apr 2010 |
Revision as of 16:10, 22 April 2010
See General Computer Security for info and links about Security outside of the IBM i community.
Contents
Security Tools
- GO SECTOOLS
- GO SECBATCH
Security Wizard
- Access via Operations Navigator
- Warning ... while this is for administrators new to IBM i or Security, before changing any security settings, it is advisable to consult with the most experienced IBM i security professional on-site.
- You can change security settings, but while they are changed, they affect how objects function, including how they function after you change settings back again.
Security Commands
- Most functions of Security Commands, can also be done with Operations Navigator
User Profile
Password
- GO CMDPWD
- CHGPWD change password
- CHKPWD makes user re-enter password that was used to sign onto the system
Object Authority
Objects Owned
Authorization List
Adopted Authority
- DSPPGMADP Display Program Adopt
- Specify a user profile and get a list of the programs that adopt that user's authority.
- PRTADJOBJ Print Adopting Objects
- Specify a user profile, *ALL or generic user(QP*) and get a printout of objects that adopt user's authority.
Spooled files
The scenario: want to stop programmers from using a production OUTQ.
If the developers have either *JOBCTL or *SPLCTL, and the OPRCTL(*YES) parameter is specified on the OUTQ, the developers will be able to use and work with the OUTQ. One way to correct this is to turn the OPRCTL parameter on the OUTQ to *NO.
Assuming programmers have *JOBCTL, here is what I would do....
- Make the OUTQ *OPRCTL(*NO)
- Create a Group Profile for all developers
- Add the Group Profile to the OUTQ with an authority of *EXCLUDE
- Give the authorized user Group(s) *CHANGE (authorized users could be *PUBLIC now that the programmers are excluded.)
- If there are any *JOBCTL or *SPLCTL users (SysOpers?) who you want to be able to manage the OUTQ, give them *CHANGE authority as well.
Thanks to John Earl via Midrange-L 21 Apr 2010