QPWDLVLs 0 and 1 – Moving to a Higher Password Level

Password levels 0 and 1 define that a user’s password will have a maximum length of 10 characters and can consist only of uppercase A–Z, numerals 0–9, and special characters #, @, $, and _. The problem with these two levels is the restricted character set. The small number of possibilities of password combinations means…

Determine the Users’ Source of Authority to Application Data after IPLing – Moving to a Higher Security Level

The next step is to determine how users are going to have sufficient authority to run the application once their *ALLOBJ authority has been removed. You must first decide what your security posture is going to be after the IPL. Do you want to have a secure posture so data can only be accessed by…

Analyzing and Adjusting Profiles’ User Class – Moving to a Higher Security Level

The analysis for moving off of QSECURITY 20 begins with analyzing the profiles’ user class settings. To get this listing, we’ll make use of the QSYS2.USER_INFO IBM i Service: I’ve included the currently assigned special authorities in my SQL so you can see what special authorities may potentially be stripped away when you IPL. I…

Moving from QSECURITY Level 20 to 40 – Moving to a Higher Security Level

Tech Note: As of IBM i 7.5, you cannot change QSECURITY to run at level 20. I have to be honest. Moving from QSECURITY level 20 to 40 is a much different story than the 30 to 40 move. Simply put, the move is not trivial. But because QSECURITY level 20 will no longer be…

User Profiles Specified in a Job Description – Moving to a Higher Security Level

J entries, as I said, indicate the use of a job description that specifies a user profile. Most of the time, job descriptions are created so that the person using the job description is the profile under which the job runs. But the USER parameter can be specified with the name of a user profile….

Domain Failures – Moving to a Higher Security Level

The entries I typically find at my clients are D (domain failures) and more often, J (job description use). If you have any domain failures, the program name and library in the D audit journal entry identify the program running at the time of the failure. The object name is the object being accessed, and…

Moving from QSECURITY Level 30 to 40 – Moving to a Higher Security Level

At security level 40, the operating system prevents certain actions from being taken. Examples include calling an operating system program directly, accessing an internal control block, and using a job description that names a user profile in which the caller doesn’t have authority to the named profile. The good news is that, while not prevented…

New Nav: System Values – System Values

You can also get a listing of all system values, including the security-relevant system values, in New Nav. To access these values, float your cursor over what, to me, looks like a clipboard. See Figure 2.3. Figure 2.3: Click on the clipboard then System Values to view and manage all system values. The system values…

QSYS2.SECURITY_INFO – System Values

This service is similar to running the Display Security Attributes (DSPSECA) and Display Security Auditing (DSPSECAUD) CL commands along with the Retrieve Security Attributes API (QSYRTVSA). But instead of calling two CL commands that only go to display or write to an API, you can retrieve all security-related values (including security-relevant system values) in one…