Object Authorities: IBM i Services for Objects in Libraries – Object Authorities
The QSYS2.OBJECT_PRIVILEGES IBM i table function allows you to list a specific object’s permissions. For example:
But what I find more interesting and useful is the IBM i Service (view) version of OBJECT_PRIVILEGES, where you can select objects based on specific criteria. It's useful because it allows you to find those objects in your production libraries that don't meet your security model. In the following example, the SQL statement returns any file in the PROD_LIB library that isn't secured with the PRODAUTL authorization list, has *PUBLIC set to *AUTL, and is owned by PROD_OWNER.
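As an added illustration (not the book's own SQL), the two statements below show the table-function form for one object and the view form for a library-wide compliance check. They assume the QSYS2.OBJECT_PRIVILEGES table function parameters SYSTEM_OBJECT_SCHEMA, SYSTEM_OBJECT_NAME and OBJECT_TYPE and the view columns named in the code, as IBM documents them (verify against the documentation for your release); PROD_LIB, PRODAUTL and PROD_OWNER are the names from the text, and PRODFILE is a placeholder file name.

```sql
-- Added example, not from the book. Column and parameter names are assumed
-- to match the IBM documentation for QSYS2.OBJECT_PRIVILEGES; PRODFILE is
-- a placeholder object name.

-- 1. Table function: every authority entry for one physical file.
SELECT authorization_name, object_authority, authorization_list,
       data_read, data_add, data_update, data_delete, data_execute
  FROM TABLE(QSYS2.OBJECT_PRIVILEGES(
               SYSTEM_OBJECT_SCHEMA => 'PROD_LIB',
               SYSTEM_OBJECT_NAME   => 'PRODFILE',
               OBJECT_TYPE          => '*FILE'));

-- 2. View: files in PROD_LIB that deviate from the model "secured by the
--    PRODAUTL authorization list, *PUBLIC *AUTL, owned by PROD_OWNER".
--    The view holds one row per (object, user) pair, so restricting to the
--    *PUBLIC row yields exactly one line per file.
SELECT system_object_name, object_type, owner,
       authorization_list, object_authority
  FROM QSYS2.OBJECT_PRIVILEGES
 WHERE system_object_schema = 'PROD_LIB'
   AND object_type          = '*FILE'
   AND authorization_name   = '*PUBLIC'
   AND (   COALESCE(authorization_list, '') <> 'PRODAUTL'   -- not on the list
        OR object_authority <> '*AUTL'                      -- *PUBLIC not *AUTL
        OR owner            <> 'PROD_OWNER')                -- wrong owner
 ORDER BY system_object_name;
```

The COALESCE is there because AUTHORIZATION_LIST is null for objects that are not secured by any list; without it those objects would drop out of the comparison instead of being reported.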
In addition to the examples provided in chapter 5 for managing user profiles, you can find all *USRPRF objects that aren’t set to *PUBLIC *EXCLUDE. By default, profiles are created as *PUBLIC *EXCLUDE. Profiles set to *USE or greater pose a threat because anyone can use that profile to submit a job and run as that profile and, in so doing, potentially elevate their authorities. (Note: I’ve omitted the three profiles that are purposely not set to *EXCLUDE by IBM.)
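An added example (not the book's own SQL) of the *USRPRF check described above. It assumes the QSYS2.OBJECT_PRIVILEGES view columns named in the code; the three IBM-supplied profiles the author omits are represented by clearly marked placeholder names, since the text does not list them.

```sql
-- Added example, not from the book. Column names assumed to match the IBM
-- documentation for the QSYS2.OBJECT_PRIVILEGES view. User profiles are
-- *USRPRF objects in library QSYS; profiles are created *PUBLIC *EXCLUDE
-- by default, so anything else (*USE, *CHANGE, *ALL, *AUTL, user-defined)
-- is reported.
SELECT system_object_name AS user_profile,
       owner,
       object_authority   AS public_authority,
       authorization_list
  FROM QSYS2.OBJECT_PRIVILEGES
 WHERE system_object_schema = 'QSYS'
   AND object_type          = '*USRPRF'
   AND authorization_name   = '*PUBLIC'
   AND object_authority    <> '*EXCLUDE'
   -- Placeholder names: substitute the three IBM-supplied profiles that are
   -- intentionally not *EXCLUDE on your release.
   AND system_object_name NOT IN ('IBM_PROFILE_1', 'IBM_PROFILE_2', 'IBM_PROFILE_3')
 ORDER BY system_object_name;
```

Any row returned is a profile that a user with no special authority could name on SBMJOB, so the list is a direct input to the remediation work in chapter 5.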
Object Authorities: IBM i Services for Objects in Directories
To discover permissions for IFS objects, you'll use the QSYS2.IFS_OBJECT_PRIVILEGES table function. In the following example, you'll get the object permissions for all objects starting at the /home directory, including all objects in /home as well as all subdirectories. (Thanks to Scott Forstie for helping me with this example.)
But, as with OBJECT_PRIVILEGES, you can add a WHERE clause to find objects that don’t meet your security requirements. The following SQL lists all objects in the /prod_directory (and all subdirectories) not owned by PROD_OWNER and all directories whose *PUBLIC authority is not set to DTAAUT(*EXCLUDE).
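The two IFS queries described in the preceding paragraphs, as an added example that is not the book's own SQL. It assumes the QSYS2.IFS_OBJECT_PRIVILEGES table function takes PATH_NAME and SUBTREE_DIRECTORIES and returns the PATH_NAME, OBJECT_TYPE, OWNER, AUTHORIZATION_NAME and DATA_AUTHORITY columns (check the column names against the IBM documentation for your release); /home, /prod_directory and PROD_OWNER are the names from the text.

```sql
-- Added example, not from the book. Parameter and column names are assumed
-- to match the IBM documentation for QSYS2.IFS_OBJECT_PRIVILEGES.

-- 1. Every authority entry for everything under /home, subdirectories included.
SELECT path_name, object_type, owner, authorization_name, data_authority
  FROM TABLE(QSYS2.IFS_OBJECT_PRIVILEGES(
               PATH_NAME           => '/home',
               SUBTREE_DIRECTORIES => 'YES'))
 ORDER BY path_name, authorization_name;

-- 2. Deviations under /prod_directory: objects not owned by PROD_OWNER, and
--    directories whose *PUBLIC data authority is not *EXCLUDE. Every object
--    carries a *PUBLIC entry, so filtering on that row gives one line per
--    object instead of one per user.
SELECT path_name, object_type, owner, data_authority AS public_data_authority
  FROM TABLE(QSYS2.IFS_OBJECT_PRIVILEGES(
               PATH_NAME           => '/prod_directory',
               SUBTREE_DIRECTORIES => 'YES'))
 WHERE authorization_name = '*PUBLIC'
   AND (   owner <> 'PROD_OWNER'
        OR (object_type = '*DIR' AND data_authority <> '*EXCLUDE'))
 ORDER BY path_name;
```

On a large tree the subtree walk can take a while; narrowing PATH_NAME to the directory you are auditing, rather than starting at the root, keeps the query practical to run on a schedule.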