Security Patrol


Adopting Owner’s Authority

Question: To prevent the exposure resulting from a powerful user profile being used from any terminal, my company’s auditors requested that I set the system value QLMTSECOFR to ‘1’ to restrict where users with *ALLOBJ authority can sign on. But if I do, I will not be able to sign on at users’ workstations to assist with problems.

Some system values (QPWDEXPITV, QLMTDEVSSN) have a user profile override, but QLMTSECOFR doesn’t. How can I set this system value so that I can sign on at users’ workstations?

Answer: When you set the system value QLMTSECOFR to ‘1’, user profiles having either *ALLOBJ or *SERVICE special authority are restricted to signing on at the system console and at devices explicitly authorized to the user profile. If a device is authorized to the user profile QSECOFR, any *ALLOBJ user can sign on.

You could authorize your user profile to every device, but doing so would be tedious and defeat the intended purpose of this system value.

I recommend that you create a program owned by QSECOFR that adopts the owner’s authority and allows entry of commands. The program consists of a single command, CALL QCMD, which displays the command entry line. Name this program SECOFR, and authorize it to the users to whom you want to allow *ALLOBJ access. Then, change your user profile to remove *ALLOBJ authority. This method will allow you to sign on at any workstation when the system value QLMTSECOFR is set to ‘1’.

If you need security officer access, get it through the CALL SECOFR program. If you remove *ALLOBJ authority from your user profile and use CALL SECOFR only rarely, you’ll prevent accidental deletion or modification of objects.

These steps create the program SECOFR:
1. Create the program with adopted authority.
   CRTCLPGM PGM(your-lib/SECOFR) USRPRF(*OWNER) AUT(*EXCLUDE) SRCFILE(....)

2. Change the owner of the program to QSECOFR.
   CHGOBJOWN OBJ(your-lib/SECOFR) OBJTYPE(*PGM) TOUSER(QSECOFR)

3. Authorize the program to the user that should have *ALLOBJ access.
   GRTOBJAUT OBJ(your-lib/SECOFR) OBJTYPE(*PGM) USER(your-profile) AUT(*USE)

4. Change the system value QLMTSECOFR to '1'.
   CHGSYSVAL QLMTSECOFR '1'

5. Remove *ALLOBJ authority from user profiles.
   CHGUSRPRF USRPRF(profile) SPCAUT(.......)

Commands for All Users

Question: Most of our users are not allowed to enter commands. One user tells me that he can use the SIGNOFF command even though his user profile is limited capability, LMTCPB=*YES. Are there some commands that all users can enter?

Answer: The Limit capability (LMTCPB) option in the user profile prevents the use of commands unless the individual command attribute Allow limited user (ALWLMTUSR) contains the value *YES. Of course, the users must be authorized to the command in question.

The IBM default for commands does not allow command entry by any user whose user profile prevents use of commands.

The commands shipped by IBM with ALWLMTUSR=*YES are Display Job (DSPJOB), Display Job Log (DSPJOBLOG), Display Message (DSPMSG), Send Message (SNDMSG), Start PC Organizer (STRPCO), and SIGNOFF. Users are allowed to use these commands because they ensure compatibility with S/36 (important in the early days of the AS/400).

You can use the Display Command (DSPCMD) command to display the command attributes, including the ALWLMTUSR setting. Using DSPCMD to look for all commands with ALWLMTUSR(*YES) would be tedious because each command would be displayed. The Check Allow Limited Users (CHKALWLMTX) program uses the QCDRCMDI API to retrieve command information. (Download the code in this article from the MC Web site at http://www.midrangecomputing.com/mc/98/11.) The program checks the ALWLMTUSR setting and sends journal entries to report all commands that are ALWLMTUSR(*YES). The CHKALWLMTU command definition source (also available from MC’s Web site) provides an easy-to-use interface to the program. The data is printed using the query shown in Figure 1.

Wayne O. Evans is an AS/400 security consultant and a frequent speaker on security topics. During his 27 years with IBM Corporation, he was involved with AS/400 security design issues. Prior to working on security, Wayne worked on message handling and work management and was the team leader for the command definition and CL language on the S/38.

Selected files

  ID    File          Library    Member    Record Format
  T01   CHKALWLMTU    QTEMP      *FIRST    QJORDJE

Result fields

  Name       Expression             Column Heading
  COMMAND    SUBSTR(JOESD,1,10)     Command
  LIBRARY    SUBSTR(JOESD,11,10)    Library

Ordering of selected fields

  Field Name    Sort Priority    Ascending/Descending    Break Level    Field Text
  COMMAND
  LIBRARY

Figure 1: Query definition used to print commands with ALWLMTUSR(*YES)
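
The Figure 1 query splits each journal entry's data into a 10-character command name and a 10-character library name. The Python below is an added example, not the CHKALWLMTU code from MC's Web site: it applies the same split to constructed sample entries and separates the six shipped commands named in the answer from everything else that allows limited users. It assumes the shipped commands reside in QSYS; the function names and sample data are illustrative.

```python
# Added example: review the command/library pairs reported for ALWLMTUSR(*YES).
# Layout follows the Figure 1 query: columns 1-10 command, 11-20 library.

# The six commands the article lists as shipped with ALWLMTUSR(*YES).
IBM_SHIPPED = {"DSPJOB", "DSPJOBLOG", "DSPMSG", "SNDMSG", "STRPCO", "SIGNOFF"}
SHIPPED_LIBRARY = "QSYS"  # assumption: the shipped commands reside in QSYS

def parse_entry(joesd):
    """Split entry data like SUBSTR(JOESD,1,10) and SUBSTR(JOESD,11,10)."""
    if len(joesd) < 20:
        raise ValueError(f"entry data shorter than 20 characters: {joesd!r}")
    command, library = joesd[:10].rstrip(), joesd[10:20].rstrip()
    if not command or not library:
        raise ValueError(f"blank command or library: {joesd!r}")
    return command, library

def review(entries):
    """Return (expected, unexpected, malformed); pairs are de-duplicated, sorted."""
    pairs, malformed = set(), []
    for joesd in entries:
        try:
            pairs.add(parse_entry(joesd))
        except ValueError:
            malformed.append(joesd)
    expected = sorted(p for p in pairs
                      if p[0] in IBM_SHIPPED and p[1] == SHIPPED_LIBRARY)
    # Anything else was changed to allow limited users, or is a same-named
    # command in another library, and needs a decision from the administrator.
    unexpected = sorted(pairs - set(expected))
    return expected, unexpected, malformed

def entry(command, library):
    """Build constructed fixed-width entry data for the sample below."""
    return f"{command:<10}{library:<10}"

# Constructed sample data, not output from a real system.
SAMPLE = [
    entry("DSPJOB", "QSYS"), entry("SIGNOFF", "QSYS"), entry("SNDMSG", "QSYS"),
    entry("WRKSPLF", "QSYS"),   # hypothetical: command changed to ALWLMTUSR(*YES)
    entry("DSPJOB", "USRLIB"),  # hypothetical: same name in a user library
    entry("SIGNOFF", "QSYS"),   # duplicate entry
    "SHORT",                    # truncated record
]

if __name__ == "__main__":
    for command, library in review(SAMPLE)[1]:
        print(f"review: {library}/{command} allows limited users")
```
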
