Security Patrol discusses security topics and implementation tips and answers your security questions. I welcome questions, recommendations, and suggestions for security topics you would like discussed in detail. You can submit your correspondence through MC-BBS at 619-931-9909; by E-mail at
-Wayne O. Evans, chief of security
Q: I would like to prevent some, but not all, users from running interactive queries with the Run Query (RUNQRY) command. If I change the Where allowed to run (ALLOW) parameter of the RUNQRY command, it will prevent all users from running interactive queries. I am attempting to use a validity checking program like the one you described in "Modifying OS/400 Commands" (MC, October 1994), but I have discovered some problems. Is there a way to restrict interactive queries for some users while allowing other users to run it?
A: A validity checking program is not the answer to your problem. You were very close to the solution when you modified the RUNQRY command to prevent its use in an interactive environment. As you said, if the ALLOW parameter of the RUNQRY command is changed to prevent interactive use, it prevents all users from executing interactive queries. The key is to find a way for some users to have a version of the RUNQRY command that allows interactive execution while others have a version that does not.
You can use the Change System Library List (CHGSYSLIBL) command to insert a library that contains a version of the RUNQRY command that allows only batch execution.
The steps to make the change are as follows:
1. Create a library called BATCH_ONLY with *PUBLIC authority of *USE, which lets users access the contents of the library without letting them add new objects to it.
CRTLIB LIB(BATCH_ONLY) +
       AUT(*USE)
2. Make a copy of the RUNQRY command and place it in the BATCH_ONLY library.
CRTDUPOBJ OBJ(RUNQRY) +
          FROMLIB(QSYS) +
          OBJTYPE(*CMD) +
          TOLIB(BATCH_ONLY)
3. Change the version of the RUNQRY command in the BATCH_ONLY library to allow it to be run in batch environments only.
CHGCMD CMD(BATCH_ONLY/RUNQRY) +
       ALLOW(*BATCH *BPGM +
             *BREXX *BMOD)
4. Create a CL program similar to the one called SET_BATCH illustrated in Figure 1. The program must adopt the authority of the *OWNER because, for security reasons, the CHGSYSLIBL command ships with *PUBLIC authority of *EXCLUDE. The owner should be a profile that has the authority to issue the CHGSYSLIBL command. The *PUBLIC authority to the program can be *USE.
5. Modify the initial program to call the SET_BATCH program for those users who should not be allowed to run the RUNQRY command interactively. This could be the most labor-intensive operation, and you must remember to include the SET_BATCH program in the initial program when new user profiles are created.
Figure 1: CL Program SET_BATCH
/*==================================================================*/
/* To compile:                                                      */
/*    CRTCLPGM PGM(XXX/SET_BATCH) SRCFILE(XXX/QCLSRC) +             */
/*             USRPRF(*OWNER) AUT(*USE)                             */
/*                                                                  */
/*==================================================================*/
SET_BATCH:  PGM
            CHGSYSLIBL LIB(BATCH_ONLY) OPTION(*ADD)
            ENDPGM
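Step 5 in practice, as an added example that is not from the original column: an initial program for a restricted user that calls SET_BATCH and then verifies that BATCH_ONLY really precedes QSYS in the system portion of the library list, signing the user off if it does not. The program name INLPGM_RQ is hypothetical, and library XXX is the same stand-in used in the Figure 1 compile note.

```cl
/* Added example, not from the original column.                     */
/* INLPGM_RQ and library XXX are hypothetical names.                */
INLPGM_RQ:  PGM
            DCL        VAR(&SYSLIBL) TYPE(*CHAR) LEN(165)
            DCL        VAR(&LIB)     TYPE(*CHAR) LEN(10)
            DCL        VAR(&POS)     TYPE(*DEC)  LEN(3 0) VALUE(1)
            DCL        VAR(&USER)    TYPE(*CHAR) LEN(10)

            /* SET_BATCH adopts its owner's authority to run        */
            /* CHGSYSLIBL. Its outcome is not taken on trust; the   */
            /* resulting library list is checked below.             */
            CALL       PGM(XXX/SET_BATCH)
            MONMSG     MSGID(CPF0000)

            /* System portion: up to 15 entries, 11 bytes each.     */
            RTVJOBA    USER(&USER) SYSLIBL(&SYSLIBL)
 NEXT:      CHGVAR     VAR(&LIB) VALUE(%SST(&SYSLIBL &POS 10))
            /* BATCH_ONLY found before QSYS: restriction in place.  */
            IF         COND(&LIB *EQ 'BATCH_ONLY') THEN(RETURN)
            IF         COND(&LIB *EQ 'QSYS') THEN(GOTO CMDLBL(DENY))
            CHGVAR     VAR(&POS) VALUE(&POS + 11)
            IF         COND(&POS *LE 155) THEN(GOTO CMDLBL(NEXT))

            /* Fail closed: alert the operator and end the session. */
 DENY:      SNDMSG     MSG('BATCH_ONLY is not ahead of QSYS for user' +
                         *BCAT &USER) TOUSR(*SYSOPR)
            SIGNOFF    LOG(*LIST)
            ENDPGM
```

Name the program on the INLPGM parameter of each restricted user's profile; when it returns normally, sign-on continues to the user's initial menu.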