To manage the authorities to objects in the IFS, you can use either green-screen CL commands or the Navigator for i interface.
Editor's Note: This article is excerpted from chapter 7 of IBM i Security Administration and Compliance: Third Edition, by Carol Woodbury.
The WRKAUT (Work with Authority), CHGAUT (Change Authority), and DSPAUT (Display Authority) commands provide the green-screen interface. When issuing these commands, you identify the object by specifying a pathname rather than using the traditional library_name/object_name *objtype naming convention you’re accustomed to. For example, to work with the authorities to the object proj1.txt in the directory /home/cjw/projects, you’d use this command:
WRKAUT '/home/cjw/projects/proj1.txt'
If you’re uncomfortable typing a pathname with the CL commands, you can opt to use the WRKLNK (Work with Object Links) command to navigate through the directory structure to the desired directory or object. When you reach the directory or object for which you want to view or change authorities, enter option 9 (Work with Authority) beside it. The WRKAUT command screen will be displayed with the pathname filled in for you.
Your other choice for managing IFS objects is to use Navigator for i. To view the authorities for the root directory using this method, go to My Connections > System_name > File Systems > Integrated File System. Right-click on Root, and choose Permissions. Navigator will display a window equivalent to the WRKAUT command display.
Figure 7.1 shows the WRKAUT command’s display of the default access for the root directory as IBM ships it. Note that *PUBLIC has data authorities *RWX and all object authorities. In “traditional” IBM i security terms, this authority is equivalent to
*PUBLIC(*ALL). Figure 7.2 shows Navigator’s view—this time, with my recommended
*PUBLIC authority setting for root.
You can use the green-screen or Navigator interface to manage the authority of any object, including objects in the QSYS.LIB file system. For example, the screen shown in Figure 7.3 lets you manage authority to all programs in the PROD library. In the following example, all file objects in the PROD library will be set to
*PUBLIC *RX (or *USE).
Figure 7.1: WRKAUT command display: default authority to root (/)
Figure 7.2: Navigator for i permissions window: Recommended access for root (/)
Figure 7.3: Managing authorities to IBM i objects with the CHGAUT command
File Attributes
Objects in the IFS possess some PC-like properties called file attributes that contribute to the way their access is determined and how the objects are managed. File attributes are properties of a file that work in addition to (not as a replacement for) the IBM i authority settings for the file. There are six file attributes:
- Read-only—The file or folder can only be read. It cannot be updated, changed, or deleted when this attribute is
- Hidden—The file or folder is hidden and can’t be worked with unless you know its name.
- System—The file is a system (A folder cannot have this attribute set.)
- Archive—This attribute indicates whether the file or folder should be Some programs use this attribute to determine which objects are backed up.
- Archive (i5/OS attribute)—This attribute has the same meaning as the Archive It cannot be changed.
- Allow save—Determines whether the file will be
To use Navigator for i to set the file attributes for a file in the IFS, navigate through the IFS using Navigator for i to the desired file or folder. Right-click on the object and select Properties. A window similar to the one shown in Figure 7.4 is displayed.
You use the check boxes at the bottom of the window to set the file attributes of the object.
Figure 7.4: Setting file attributes for an IFS file
You can set the file attributes for objects that reside on IBM i by using PC interfaces or by running the CHGATR (Change Attribute) CL command. Note that most people don’t use these attributes. However, if one gets set by accident, it’s good to know they exist. For example, one of my clients couldn’t figure out why they couldn’t update a file—even with a profile that had *ALLOBJ special authority! We determined that the read-only attribute had been set, and that’s what was preventing the file from being updated.
Adopted Authority and the IFS
If you’ve written a traditional application that runs with adopted authority, you know that as long as the owner of the program that’s running either owns or has authority to the object (e.g., a file) being accessed, the person running the program can access the file. However, this scheme doesn’t work for accessing objects in the IFS because the IFS ignores adopted authority.
To access an object in the IFS, the user running the process must have authority to the object. Like accessing an object in a library, the authority can come from *ALLOBJ special authority, a private authority, a primary group authority, or authority to the authorization list securing an object. The method for granting authority that cannot be used is adopted authority. The operating system ignores adopted authority in the IFS. If you don’t want to give users or groups direct authority, your option is to change the process or thread so that it runs as a different user who has sufficient authority to the IFS objects being accessed. To run as a different user, you have several choices: profile swap, profile token, or the UID and GID family of APIs. Chapter 12 discusses these approaches in detail.
Auditing Objects in the IFS
Just as you can audit objects in a library, you can audit objects in the IFS. The challenge comes when you try to read the audit journal entries for these objects. The objects’ names are actually pathnames and can vary quite a bit in length; therefore, they don’t fit in the audit journal’s 10-character object and library entry fields.
You’ll recognize an audit entry for an IFS object by the *N that appears in place of the object name. To determine the object name for such entries, refer to the Absolute Path Name field, which is a field that is 5002 characters long and is at the very end of the audit journal entry.
Carol Woodbury is IBM i Security SME and Senior Advisor to Kisco Systems, a firm focused on providing IBM i security solutions. Carol has over 30 years’ experience with IBM i security, starting her career as Security Team Leader and Chief Engineering Manager for iSeries Security at IBM in Rochester, MN. Since leaving IBM, she has co-founded two companies: SkyView Partners and DXR Security. Her practical experience and her intimate knowledge of the system combine for a unique viewpoint and experience level that cannot be matched.
Carol is known worldwide as an author and award-winning speaker on security technology, specializing in IBM i security topics. She has written seven books on IBM i security, including her two current books, IBM i Security Administration and Compliance, 3rd Edition and Mastering IBM i Security, A Modern, Step-by-Step Approach. Carol has been named an IBM Champion since 2018 and holds her CISSP and CRISC security certifications.
MC Press books written by Carol Woodbury available now on the MC Press Bookstore.
 |
||
 |
|
IBM i Security Administration and Compliance: Third Edition Don't miss the newest edition by the industry’s #1 IBM i security expert. List Price $71.95 Now On Sale
|
 |
|
Mastering IBM i Security Get the must-have guide by the industry’s #1 security authority. List Price $49.95 Now On Sale
|
More than ever, there is a demand for IT to deliver innovation. Your IBM i has been an essential part of your business operations for years. However, your organization may struggle to maintain the current system and implement new projects. The thousands of customers we've worked with and surveyed state that expectations regarding the digital footprint and vision of the company are not aligned with the current IT environment.
TRY the one package that solves all your document design and printing challenges on all your platforms. Produce bar code labels, electronic forms, ad hoc reports, and RFID tags – without programming! MarkMagic is the only document design and print solution that combines report writing, WYSIWYG label and forms design, and conditional printing in one integrated product. Make sure your data survives when catastrophe hits. Request your trial now! Request Now.
Forms of ransomware has been around for over 30 years, and with more and more organizations suffering attacks each year, it continues to endure. What has made ransomware such a durable threat and what is the best way to combat it? In order to prevent ransomware, organizations must first understand how it works.
Disaster protection is vital to every business. Yet, it often consists of patched together procedures that are prone to error. From automatic backups to data encryption to media management, Robot automates the routine (yet often complex) tasks of iSeries backup and recovery, saving you time and money and making the process safer and more reliable. Automate your backups with the Robot Backup and Recovery Solution. Key features include:
Business users want new applications now. Market and regulatory pressures require faster application updates and delivery into production. Your IBM i developers may be approaching retirement, and you see no sure way to fill their positions with experienced developers. In addition, you may be caught between maintaining your existing applications and the uncertainty of moving to something new.
IT managers hoping to find new IBM i talent are discovering that the pool of experienced RPG programmers and operators or administrators with intimate knowledge of the operating system and the applications that run on it is small. This begs the question: How will you manage the platform that supports such a big part of your business? This guide offers strategies and software suggestions to help you plan IT staffing and resources and smooth the transition after your AS/400 talent retires. Read on to learn:
LATEST COMMENTS
MC Press Online