Moving from QSECURITY Level 20 to 40- Moving to a Higher Security Level
Tech Note
As of IBM i 7.5, you cannot change QSECURITY to run at level 20
I have to be honest. Moving from QSECURITY level 20 to 40 is a much different story than the 30 to 40 move. Simply put, the move is not trivial. But because QSECURITY level 20 will no longer be an option as of IBM i 7.5 and I know there are still systems running at this security level, I’m going to describe how I’ve helped organizations make this move.
The only difference between QSECURITY level 20 and 30 is that at level 20 all profiles are created—by default—with *ALLOBJ, *SAVSYS, and *JOBCTL special authorities. When you IPL the system off of level 20 to anything higher, the system adjusts the users’ special authorities based on the value of the User Class (*USRCLS) parameter in the user profile. This is the absolute only time you’ll ever hear me talking about the importance of the user class setting, but in this one scenario, it’s critical.
The primary reason it’s so difficult to move off of level 20 is because at level 20 you basically don’t have to worry about security at all because all profiles have *ALLOBJ. So now you’re moving from an environment where security isn’t a concern to one where it is. Of course, this is the perfect opportunity to rework your application security design to be more secure, possibly even implementing a deny-by-default approach. But even if you don’t want to go to those lengths, you can’t ignore the fact that *ALLOBJ is going to be removed from most users, and if your application’s *PUBLIC authority settings aren’t set to accommodate all actions being taken, there will be authority failures. While there’s no way to use the audit journal to know what will fail (as you can with the 30 to 40 move), the good news is that the same authority-checking algorithm runs at all security levels. This means that you can remove some users’ *ALLOBJ special authority while still running at security level 20 to test your application and make the necessary adjustments prior to IPLing. You can also—and I encourage you to—audit for security level 40 issues at the same time. It’s a waste of time to IPL from 20 to 30 and then audit for level 40 issues and then IPL to 40. You can easily make the move from 20 directly to 40.