IBM Security

ERserver
iSeries
Security Reference
Version 5
SC41-5302-06

ERserver
iSeries
Security Reference
Version 5
SC41-5302-06
Note
Before using this information and the product it supports, be sure to read the information in
Appendix H, Notices on page 611.
Seventh Edition (September 2002)

This edition replaces SC41530206. This edition applies only to reduced instruction set computer (RISC) systems.
Copyright International Business Machines Corporation 1996, 2002. All rights reserved.
US Government Users Restricted Rights Use, duplication or disclosure restricted by GSA ADP Schedule Contract
with IBM Corp.
Contents
Figures . . . . . . . . . . . . . . . ix
Tables . . . . . . . . . . . . . . . xi
About Security - Reference (SC41-5302) xv
Who should read this book . . . .
Conventions and terminology used in
Prerequisite and related information .
iSeries Navigator . . . . . .
How to send your comments . . .
. . . .
this book .
. . . .
. . . .
. . . .
.
.
.
.
. xv
xvi
xvi
xvi
xvi
| Whats new for V5R2 . . . . . . . . xix
Chapter 1. Introduction to iSeries

Security . . . . . . . . . . . . . . . 1
Physical Security . . . .
Keylock Security . . . .
Security Level . . . . .
System Values . . . . .
Signing . . . . . . .
Single sign-on enablement .
User Profiles . . . . .
Group Profiles . . . . .
Resource Security . . . .
Security Audit Journal . .
C2 Security . . . . . .
Independent disk pool . .
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
2
2
2
3
3
3
4
5
5
6
6
7
Chapter 2. Using System Security

(QSecurity) System Value . . . . . . . 9
Security Level 10 . . . . . . . . . . .
Security Level 20 . . . . . . . . . . .
Changing to Level 20 from Level 10 . . . .
Changing to Level 20 from a Higher Level . .
Security Level 30 . . . . . . . . . . .
Changing to Level 30 from a Lower Level . .
Security Level 40 . . . . . . . . . . .
Preventing the Use of Unsupported Interfaces .
Protecting Job Descriptions . . . . . . .
Signing On without a User ID and Password .
Enhanced Hardware Storage Protection . . .
Protecting a Programs Associated Space . .
Protecting a Jobs Address Space . . . . .
Validating Parameters . . . . . . . . .
Validation of Programs Being Restored . . .
Changing to Security Level 40 . . . . . .
Disabling Security Level 40 . . . . . . .
Security Level 50 . . . . . . . . . . .
Restricting User Domain Objects . . . . .
Restricting Message Handling . . . . . .
Preventing Modification of Internal Control
Blocks . . . . . . . . . . . . . .
Changing to Security Level 50 . . . . . .
Disabling Security Level 50 . . . . . . .
Copyright IBM Corp. 1996, 2002
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
12
12
12
13
13
13
14
15
16
16
16
17
17
17
17
18
19
19
19
20
. 20
. 21
. 21
Chapter 3. Security System Values. . . 23

|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
General Security System Values. . . . . . . .

Allow User Domain Objects (QALWUSRDMN)
Authority for New Objects (QCRTAUT) . . . .
Display Sign-On Information (QDSPSGNINF) . .
Inactive Job Time-Out Interval (QINACTITV) . .
Inactive Job Time-Out Message Queue
(QINACTMSGQ) . . . . . . . . . . .
Limit Device Sessions (QLMTDEVSSN) . . . .
Limit Security Officer (QLMTSECOFR) . . . .
Maximum Sign-On Attempts (QMAXSIGN) . .
Action When Sign-On Attempts Reached
(QMAXSGNACN) . . . . . . . . . . .
Retain Server Security (QRETSVRSEC) . . . .
Remote Sign-On Control (QRMTSIGN) . . . .
Share Memory Control (QSHRMEMCTL) . . .
Use Adopted Authority (QUSEADPAUT) . . .
Security-Related System Values . . . . . . . .
Automatic Device Configuration (QAUTOCFG)
Automatic Configuration of Virtual Devices
(QAUTOVRT) . . . . . . . . . . . .
Device Recovery Action (QDEVRCYACN) . . .
Disconnected Job Time-Out Interval
(QDSCJOBITV) . . . . . . . . . . . .
Remote Service Attribute (QRMTSRVATR) . . .
Security-Related Restore System Values . . . . .
Verify Object on Restore (QVFYOBJRST). . . .
Force Conversion on Restore (QFRCCVNRST) . .
Allow Restoring of Security-Sensitive Objects
(QALWOBJRST) . . . . . . . . . . . .
System Values That Apply to Passwords. . . . .
Password Expiration Interval (QPWDEXPITV). .
Password Level (QPWDLVL) . . . . . . .
Minimum Length of Passwords
(QPWDMINLEN) . . . . . . . . . . .
Maximum Length of Passwords
(QPWDMAXLEN) . . . . . . . . . . .
Required Difference in Passwords
(QPWDRQDDIF) . . . . . . . . . . .
Restricted Characters for Passwords
(QPWDLMTCHR) . . . . . . . . . . .
Restriction of Consecutive Digits for Passwords
(QPWDLMTAJC) . . . . . . . . . . .
Restriction of Repeated Characters for Passwords
(QPWDLMTREP) . . . . . . . . . . .
Character Position Difference for Passwords
(QPWDPOSDIF) . . . . . . . . . . . .
Requirement for Numeric Character in
Passwords (QPWDRQDDGT) . . . . . . .
Password Approval Program (QPWDVLDPGM)
System Values That Control Auditing. . . . . .
Auditing Control (QAUDCTL) . . . . . . .
Auditing End Action (QAUDENDACN) . . . .
Auditing Force Level (QAUDFRCLVL) . . . .
Auditing Level (QAUDLVL) . . . . . . . .
Auditing for New Objects (QCRTOBJAUD) . . .
23
25
25
26
27
28
29
29
30
31
32
32
33
34
35
36
36
37
38
38
39
39
42
43
44
46
46
48
49
49
50
51
51
52
52
53
58
58
59
60
61
61
iii
Chapter 4. User Profiles . . . . . . . 63
Roles of the User Profile . . . . . . . .

Group Profiles . . . . . . . . . . .
User-Profile Parameter Fields . . . . . .
User Profile Name . . . . . . . . .
Password . . . . . . . . . . . .
Set Password to Expired . . . . . . .
Status . . . . . . . . . . . . .
User Class . . . . . . . . . . . .
Assistance Level . . . . . . . . . .
Current Library . . . . . . . . . .
Initial Program . . . . . . . . . .
Initial Menu . . . . . . . . . . .
Limit Capabilities . . . . . . . . .
Text . . . . . . . . . . . . . .
Special Authority . . . . . . . . .
Special Environment . . . . . . . .
Display Sign-On Information . . . . .
Password Expiration Interval . . . . .
Limit Device Sessions . . . . . . . .
Keyboard Buffering. . . . . . . . .
Maximum Storage . . . . . . . . . .
Priority Limit . . . . . . . . . . . .
Job Description . . . . . . . . . . .
Group Profile . . . . . . . . . . . .
Owner . . . . . . . . . . . . . .
Group Authority . . . . . . . . . .
Group Authority Type . . . . . . . . .
Supplemental Groups . . . . . . . . .
Accounting Code . . . . . . . . . .
Document Password . . . . . . . . .
Message Queue . . . . . . . . . . .
Delivery . . . . . . . . . . . . .
Severity . . . . . . . . . . . . .
Print Device . . . . . . . . . . . .
Output Queue . . . . . . . . . . .
Attention-Key-Handling Program . . . . .
Sort Sequence . . . . . . . . . . .
Language Identifier. . . . . . . . . .
Country or Region Identifier. . . . . . .
Coded Character Set Identifier . . . . . .
Character Identifier Control . . . . . . .
Job Attributes. . . . . . . . . . . .
Locale . . . . . . . . . . . . . .
User Options . . . . . . . . . . . .
User Identification Number . . . . . . .
Group Identification Number . . . . . .
Home Directory . . . . . . . . . .
Authority. . . . . . . . . . . . .
Object Auditing . . . . . . . . . .
Action Auditing . . . . . . . . . .
Additional Information Associated with a User
Profile . . . . . . . . . . . . . .
Private Authorities . . . . . . . .
Primary Group Authorities . . . . . .
Owned Object Information . . . . . .
Digital ID Authentication . . . . . . .
Working with User Profiles . . . . . . .
Creating User Profiles . . . . . . .
Copying User Profiles . . . . . . .
Changing User Profiles . . . . . . .
iv
OS/400 Security Reference V5R2
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
. 63
. 63
. 64
. 66
. 66
. 68
. 69
. 69
. 70
. 71
. 72
. 73
. 73
. 75
. 75
. 80
. 82
. 82
. 83
. 83
. 84
. 85
. 86
. 87
. 88
. 88
. 89
. 89
. 90
. 91
. 91
. 92
. 92
. 93
. 93
. 94
. 95
. 96
. 96
. 96
. 97
. 97
. 98
. 98
. 99
. 99
. 100
. 100
. 101
. 102
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
103
103
103
103
103
104
104
107
109
Deleting User Profiles . . . . . .

Working with Objects by Primary Group
Enabling a User Profile . . . . . .
Listing User Profiles . . . . . . .
Renaming a User Profile . . . . . .
Working with User Auditing . . . .
Working with Profiles in CL Programs .
User Profile Exit Points . . . . . .
IBM-Supplied User Profiles . . . . .
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
109
112
112
113
114
115
116
116
116
Chapter 5. Resource Security . . . . 119

Defining Who Can Access Information . . . . .
Defining How Information Can Be Accessed . . .
Commonly Used Authorities . . . . . . .
Defining What Information Can Be Accessed . . .
Library Security . . . . . . . . . . .
Field Authorities . . . . . . . . . . .
Security and the System/38 Environment . . .
Directory Security . . . . . . . . . . .
Authorization List Security . . . . . . . .
Authority for New Objects in a Library. . . . .
Create Authority (CRTAUT) Risks . . . . .
Authority for New Objects in a Directory . . . .
Object Ownership . . . . . . . . . . . .
Group Ownership of Objects . . . . . . .
Primary Group for an Object . . . . . . .
Default Owner (QDFTOWN) User Profile . . .
Assigning Authority and Ownership to New
Objects . . . . . . . . . . . . . .
Objects That Adopt the Owners Authority . . .
Adopted Authority Risks and Recommendations
Programs That Ignore Adopted Authority . . . .
Authority Holders . . . . . . . . . . . .
Authority Holders and System/36 Migration
Authority Holder Risks . . . . . . . . .
Working with Authority . . . . . . . . . .
Authority Displays . . . . . . . . . .
Authority Reports . . . . . . . . . . .
Working with Libraries . . . . . . . . .
Creating Objects . . . . . . . . . . .
Working with Individual Object Authority. . .
Working with Authority for Multiple Objects
Working with Object Ownership . . . . . .
Working with Primary Group Authority . . .
Using a Referenced Object . . . . . . . .
Copying Authority from a User . . . . . .
Working with Authorization Lists . . . . .
How the System Checks Authority . . . . . .
Authority Checking Flowcharts . . . . . .
Authority Checking Examples . . . . . . .
Authority Cache . . . . . . . . . . . .
119
120
121
123
123
123
125
126
126
127
128
128
128
129
130
130
131
135
138
139
139
140
140
141
141
144
144
145
146
149
151
152
153
153
153
156
156
173
184
Chapter 6. Work Management Security 185

Job Initiation . . . . . . . .
Starting an Interactive Job . . .
Starting a Batch Job . . . . .
Adopted Authority and Batch Jobs
Workstations . . . . . . . .
Ownership of Device Descriptions
Signon screen display file . . . .
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
185
185
186
187
187
189
190
Changing the signon screen display . . . . .

Subsystem Descriptions . . . . . . . . . .
Controlling How Jobs Enter the System . . .
Job Descriptions . . . . . . . . . . . .
System Operator Message Queue . . . . . . .
Library Lists. . . . . . . . . . . . . .
Security Risks of Library Lists . . . . . . .
Recommendations for System Portion of Library
List. . . . . . . . . . . . . . . .
Recommendations for Product Library . . . .
Recommendations for the Current Library. . .
Recommendations for the User Portion of the
Library List . . . . . . . . . . . . .
Printing . . . . . . . . . . . . . . .
Securing Spooled Files . . . . . . . . .
Output Queue and Parameter Authorities
Required for Printing . . . . . . . . . .
Examples: Output Queue . . . . . . . .
Network Attributes . . . . . . . . . . .
Job Action (JOBACN) Network Attribute . . .
Client Request Access (PCSACC) Network
Attribute . . . . . . . . . . . . . .
DDM Request Access (DDMACC) Network
Attribute . . . . . . . . . . . . . .
Save and Restore Operations . . . . . . . .
Restricting Save and Restore Operations . . .
Example: Restricting Save and Restore
Commands . . . . . . . . . . . . .
Performance Tuning . . . . . . . . . . .
Restricting Jobs to Batch . . . . . . . . .
190
191
191
192
193
193
194
195
195
196
196
197
197
199
200
200
201
201
202
203
203
203
204
205
Chapter 7. Designing Security . . . . 207

Overall Recommendations . . . . . . . .
Planning Password Level Changes . . . . .
Considerations for changing QPWDLVL from 0
to 1. . . . . . . . . . . . . . .
or 1 to 2 . . . . . . . . . . . . .
to 3. . . . . . . . . . . . . . .
Changing to a lower password level. . . .
Planning Libraries . . . . . . . . . . .
Planning Applications to Prevent Large Profiles
Library Lists. . . . . . . . . . . .
Describing Library Security. . . . . . .
Planning Menus . . . . . . . . . . .
Using Adopted Authority in Menu Design .
Describing Menu Security . . . . . . .
System Request Menu . . . . . . . .
Planning Command Security . . . . . . .
Planning File Security . . . . . . . . .
Securing Logical Files . . . . . . . .
Overriding Files . . . . . . . . . .
File Security and SQL . . . . . . . .
Planning Authorization Lists . . . . . . .
Advantages of Using an Authorization List .
Planning Group Profiles . . . . . . . . .
Planning Primary Groups for Objects . . .
Planning Multiple Group Profiles. . . . .
Using an Individual Profile as a Group Profile
. 208
. 209
. 210
. 210
. 212
. 212
. 213
214
. 215
. 216
. 217
. 218
. 222
. 222
. 223
. 224
. 224
. 227
. 227
. 227
. 228
. 229
. 229
. 229
230
Comparison of Group Profiles and Authorization

Lists . . . . . . . . . . . . . . .
Planning Security for Programmers . . . . .
Managing Source Files . . . . . . . .
Planning Security for System Programmers or
Managers. . . . . . . . . . . . .
Planning the Use of Validation List Objects . .
Limit Access to Program Function . . . . .
. 230
. 231
. 232
. 232
. 232
. 233
Chapter 8. Backup and Recovery of

Security Information . . . . . . . . 235
How Security Information Is Stored .
Saving Security Information . . .
Recovering Security Information . .
Restoring User Profiles . . . .
Restoring Objects . . . . . .
Restoring Authority . . . . .
Restoring Programs . . . . .
Restoring Licensed Programs . .
Restoring Authorization Lists . .
Restoring the Operating System .
*SAVSYS Special Authority . . . .
Auditing Save and Restore Operations
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
236
236
237
237
238
241
241
242
243
244
244
245
Chapter 9. Auditing Security on the

iSeries System . . . . . . . . . . . 247
Checklist for Security Officers and Auditors . .
Physical Security . . . . . . . . . .
System Values . . . . . . . . . . .
IBM-Supplied User Profiles . . . . . . .
Password Control . . . . . . . . . .
User and Group Profiles. . . . . . . .
Authorization Control . . . . . . . .
Unauthorized Access . . . . . . . . .
Unauthorized Programs . . . . . . . .
Communications . . . . . . . . . .
Using the Security Audit Journal . . . . . .
Planning Security Auditing . . . . . . .
Using CHGSECAUD to Set up Security
Auditing . . . . . . . . . . . . .
Setting up Security Auditing . . . . . .
Managing the Audit Journal and Journal
Receivers . . . . . . . . . . . . .
Stopping the Audit Function . . . . . .
Analyzing Audit Journal Entries . . . . .
Other Techniques for Monitoring Security . . .
Monitoring Security Messages . . . . . .
Using the History Log . . . . . . . .
Using Journals to Monitor Object Activity . .
Analyzing User Profiles . . . . . . . .
Analyzing Object Authorities . . . . . .
Analyzing Programs That Adopt Authority .
Checking for Objects That Have Been Altered
Auditing the Security Officers Actions . . .
.
.
.
.
.
.
.
.
.
.
.
.
247
248
248
249
249
250
250
251
252
252
252
253
. 267
. 267
.
.
.
.
.
.
.
.
.
.
269
272
272
275
276
276
276
277
279
279
280
. 280
Appendix A. Security Commands . . . 283

Appendix B. IBM-Supplied User
Profiles . . . . . . . . . . . . . . 291
Contents
| Appendix C. Commands Shipped with

| Public Authority *EXCLUDE . . . . . 299
Appendix D. Authority Required for

Objects Used by Commands . . . . . 309
Assumptions . . . . . . . . . . . . .
General Rules for Object Authorities on Commands
Commands Common for Most Objects . . . . .
Authorities Needed . . . . . . . . . . .
Access Path Recovery Commands . . . . .
Advanced Function Printing Commands. . .
AF_INET Sockets Over SNA Commands . . .
Alerts . . . . . . . . . . . . . . .
Application Development Commands . . . .
Authority Holder Commands . . . . . . .
Authorization List Commands. . . . . . .
Binding Directory Commands . . . . . . .
Change Request Description Commands . . .
Chart Commands . . . . . . . . . . .
Class Commands . . . . . . . . . . .
Class-of-Service Commands . . . . . . .
Command (*CMD) Commands . . . . . .
Commitment Control Commands . . . . .
Communications Side Information Commands
Configuration Commands . . . . . . . .
Configuration List Commands. . . . . . .
Connection List Commands . . . . . . .
Controller Description Commands . . . . .
Cryptography Commands . . . . . . . .
Data Area Commands . . . . . . . . .
Data Queue Commands . . . . . . . . .
Device Description Commands . . . . . .
Device Emulation Commands . . . . . . .
Directory and Directory Shadowing Commands
Disk Commands . . . . . . . . . . .
Display Station Pass-Through Commands . . .
Distribution Commands . . . . . . . . .
Distribution List Commands . . . . . . .
Document Library Object Commands . . . .
Double-Byte Character Set Commands . . . .
Edit Description Commands . . . . . . .
Environment Variable Commands . . . . .
Extended Wireless LAN Configuration
Commands . . . . . . . . . . . . .
File Commands . . . . . . . . . . .
Filter Commands . . . . . . . . . . .
Finance Commands . . . . . . . . . .
OS/400 Graphical Operations . . . . . . .
Graphics Symbol Set Commands . . . . . .
Host Server Commands . . . . . . . . .
Integrated File System Commands . . . . .
Interactive Data Definition Commands . . . .
Internetwork Packet Exchange (IPX) Commands
Information Search Index Commands . . . .
IPL Attribute Commands . . . . . . . .
Job Commands . . . . . . . . . . . .
Job Description Commands. . . . . . . .
Job Queue Commands . . . . . . . . .
Job Schedule Commands . . . . . . . .
Journal Commands . . . . . . . . . .
vi
311
311
313
319
319
319
320
320
321
322
323
323
324
324
324
325
325
326
326
326
327
328
328
330
331
332
332
334
335
335
335
336
336
337
340
341
341
341
342
349
350
350
351
351
351
367
368
368
368
369
371
372
372
373
Journal Receiver Commands . . . . . . .

Language Commands . . . . . . . . .
Library Commands . . . . . . . . . .
License Key Commands . . . . . . . . .
Licensed Program Commands . . . . . . .
Line Description Commands . . . . . . .
Local Area Network (LAN) Commands . . .
Locale Commands. . . . . . . . . . .
Mail Server Framework Commands . . . . .
Media Commands . . . . . . . . . . .
Menu and Panel Group Commands . . . . .
Message Commands . . . . . . . . . .
Message Description Commands . . . . . .
Message File Commands . . . . . . . .
Message Queue Commands . . . . . . .
Migration Commands . . . . . . . . .
Mode Description Commands . . . . . . .
Module Commands . . . . . . . . . .
NetBIOS Description Commands . . . . . .
Network Commands . . . . . . . . . .
Network File System Commands . . . . . .
Network Interface Description Commands . .
Network Server Commands . . . . . . .
Network Server Description Commands . . .
Node List Commands . . . . . . . . .
Office Services Commands . . . . . . . .
Online Education Commands . . . . . . .
Operational Assistant Commands . . . . .
Optical Commands . . . . . . . . . .
Output Queue Commands . . . . . . . .
Package Commands . . . . . . . . . .
Performance Commands . . . . . . . .
Print Descriptor Group Commands . . . . .
Print Services Facility Configuration Commands
Problem Commands . . . . . . . . . .
Program Commands . . . . . . . . . .
Query Commands . . . . . . . . . . .
QSH Shell Interpreter Commands . . . . .
Question and Answer Commands . . . . .
Reader Commands . . . . . . . . . .
Registration Facility Commands . . . . . .
Relational Database Commands . . . . . .
Resource Commands . . . . . . . . . .
RJE (Remote Job Entry) Commands . . . . .
Security Attributes Commands . . . . . .
Server Authentication Entry Commands . . .
Service Commands . . . . . . . . . .
Spelling Aid Dictionary Commands . . . . .
Sphere of Control Commands . . . . . . .
Spooled File Commands. . . . . . . . .
Subsystem Description Commands . . . . .
System Commands . . . . . . . . . .
System Reply List Commands . . . . . . .
System Value Commands . . . . . . . .
System/36 Environment Commands . . . .
Table Commands . . . . . . . . . . .
TCP/IP Commands . . . . . . . . . .
Upgrade Order Information Data Commands
User Index, User Queue, User Space Commands
User Profile Commands . . . . . . . . .
User-Defined File System . . . . . . . .
376
376
383
386
387
387
389
389
390
390
391
392
392
393
393
393
394
394
395
396
396
397
398
399
399
399
400
400
401
404
405
405
410
411
411
412
415
416
417
417
418
418
418
419
423
423
423
426
427
427
429
430
431
431
431
433
434
435
436
436
439
Validation List Commands . . . . .

Workstation Customizing Commands .
Writer Commands . . . . . . . .
.
.
.
.
.
.
. 439
. 440
. 440
Appendix E. Object Operations and

Auditing . . . . . . . . . . . . . 451
Appendix F. Layout of Audit Journal
Entries . . . . . . . . . . . . . . 501
Appendix G. Commands and Menus
for Security Commands . . . . . . . 599
Options on the Security Tools Menu . . . . . .
How to Use the Security Batch Menu . . . . .
Options on the Security Batch Menu . . . .
Commands for Customizing Security . . . . .
Values That Are Set by the Configure System
Security Command . . . . . . . . . . .
Changing the Program . . . . . . . . .
What the Revoke Public Authority Command Does
Changing the Program . . . . . . . . .
599
601
603
607
607
609
609
610
Trademarks .
. 613
Related information. . . . . . . . . 615

Advanced Security . . . . . . . . . .
Backup and Recovery . . . . . . . . .
Basic Security Information and Physical Security
iSeries Access for Windows Licensed Program .
Communications and Networking . . . . .
Cryptography . . . . . . . . . . . .
General System Operations . . . . . . . .
IBM-Supplied Program Installation and System
Configuration . . . . . . . . . . . .
Integrated File System . . . . . . . . .
The Internet . . . . . . . . . . . . .
IBM Lotus Domino . . . . . . . . . .
Migration and System/36 Environment. . . .
Optical Support . . . . . . . . . . .
Printing . . . . . . . . . . . . . .
Programming . . . . . . . . . . . .
Utilities . . . . . . . . . . . . . .
. 615
. 615
615
. 615
. 615
. 616
. 616
.
.
.
.
.
.
.
.
.
616
616
616
616
616
616
617
617
617
Index . . . . . . . . . . . . . . . 619
Appendix H. Notices . . . . . . . . 611
Contents
vii
viii
Figures
|
|
|
|
1.
2.
3.
4.
5.
6.
7.
8.
9.
10.
11.
| 12.
13.
14.
15.
16.
Password Expiration Message . . . . . . 68

Description of Special Environment . . . . 81
Sign-On Information Display. . . . . . . 82
Display Object Authority display showing
F16=Display field authorities. This function
key will be displayed when a database file
has field authorities. . . . . . . . . . 124
Display Field Authority display. When
F17=Position to, is pressed the Position the
List prompt will be displayed. If F16 is
pressed, the previous position to operation
will be repeated. . . . . . . . . . . 125
New Object Example: Public Authority from
Library, Group Given Private Authority . . . 132
System Value, Group Given Private Authority 133
Library, Group Given Primary Group
Authority . . . . . . . . . . . . . 134
New Object Example: Public Authority
Specified, Group Owns Object . . . . . . 135
Adopted Authority and the CALL Command 136
Adopted Authority and the TFRCTL
Command . . . . . . . . . . . . 137
Display Object Authority Display . . . . . 141
Flowchart 1: Main Authority Checking
Process. . . . . . . . . . . . . . 158
Flowchart 2: Fast Path for Object Authority
160
Flowchart 3: Check User Authority . . . . 161
Flowchart 4: Owner Authority Checking
163
17.
18.
19.
20.
21.
|
|
|
|
|
22.
23.
24.
25.
26.
27.
28.
29.
30.
31.
32.
33.
34.
35.
36.
37.
38.
39.
40.
41.
42.
Flowchart 5: Fast Path for User Authority

Flowchart 6: Group Authority Checking
Flowchart 7: Check Public Authority
Flowchart 8A: Checking Adopted Authority
User *ALLOBJ and Owner . . . . . .
Flowchart 8B: Checking Adopted Authority
Using Private Authorities . . . . . .
Authority for the PRICES File . . . . .
Authority for the CREDIT File . . . . .
Display Object Authority. . . . . . .
Authority for the ARWRK01 File . . . .
Authority for the ARLST1 Authorization List
Authority for the CRLIM File . . . . .
Authority for CRLIMWRK File. . . . .
Authority for the CRLST1 Authorization List
Authority Checking for Workstations
Library ListExpected Environment . . .
Library ListActual Environment . . . .
Example Applications . . . . . . . .
Program to Replace and Restore Library List
Format for Describing Library Security
Sample Inquiry Menu. . . . . . . .
Sample Initial Menu . . . . . . . .
Sample Initial Application Program . . .
Sample Program for Query with Adopted
Authority . . . . . . . . . . . .
Sample Application Menu with Query
Format for Menu Security Requirements
Using a Logical File for Security . . . .
164
167
169
. 170
.
.
.
.
.
.
.
.
.
.
.
.
.
172
173
174
178
179
180
181
182
182
188
194
195
208
215
217
218
218
219
. 219
221
222
. 225
ix
Tables
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
1. Security Levels: Function Comparison . . . . 9

2. Default Special Authorities for User Classes by
Security Level . . . . . . . . . . . . 11
3. Comparison of Security Levels 30, 40, and 50
14
4. Domain and State Access . . . . . . . . 16
5. System values that can be restricted . . . . 23
6. Possible Values for the QALWUSRDMN
System Value: . . . . . . . . . . . . 25
7. Possible Values for the QCRTAUT System
Value: . . . . . . . . . . . . . . 26
8. Possible Values for the QDSPSGNINF System
Value: . . . . . . . . . . . . . . 27
9. Possible Values for the QINACTITV System
Value: . . . . . . . . . . . . . . 28
10. Possible Values for QINACTMSGQ System
Value: . . . . . . . . . . . . . . 28
11. Possible Values for the QLMTDEVSSN System
Value: . . . . . . . . . . . . . . 29
12. Possible Values for the QLMTSECOFR System
Value: . . . . . . . . . . . . . . 30
13. Possible Values for the QMAXSIGN System
Value: . . . . . . . . . . . . . . 31
14. Possible Values for the QMAXSGNACN
System Value: . . . . . . . . . . . . 31
15. Possible Values for the QRETSVRSEC System
Value: . . . . . . . . . . . . . . 32
16. Possible Values for the QRMTSIGN System
Value: . . . . . . . . . . . . . . 33
17. Possible Values for the QSHRMEMCTL System
Value: . . . . . . . . . . . . . . 34
18. Possible Values for the QUSEADPAUT System
Value: . . . . . . . . . . . . . . 35
19. Possible Values for the QAUTOCFG System
Value: . . . . . . . . . . . . . . 36
20. Possible Values for the QAUTOVRT System
Value: . . . . . . . . . . . . . . 37
21. Possible Values for the QDEVRCYACN System
Value: . . . . . . . . . . . . . . 37
22. Possible Values for the QDSCJOBITV System
Value: . . . . . . . . . . . . . . 38
23. Possible Values for the QRMTSRVATR System
Value: . . . . . . . . . . . . . . 39
24. Possible Values for the QVFYOBJRST System
Value: . . . . . . . . . . . . . . 40
25. QFRCCVNRST Values . . . . . . . . . 43
26. Possible Values for the QALWOBJRST System
Value: . . . . . . . . . . . . . . 44
27. Possible Values for the QPWDEXPITV System
Value: . . . . . . . . . . . . . . 46
28. Possible Values for the QPWDLVL System
Value: . . . . . . . . . . . . . . 47
29. Possible Values for the QPWDMINLEN System
Value: . . . . . . . . . . . . . . 49
30. Possible Values for the QPWDMAXLEN
System Value: . . . . . . . . . . . . 49
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
31. Possible Values for the QPWDRQDDIF System

Value: . . . . . . . . . . . . . .
32. Possible Values for the QPWDLMTCHR
System Value: . . . . . . . . . . . .
33. Possible Values for the QPWDLMTAJC System
Value: . . . . . . . . . . . . . .
34. Possible Values for the QPWDLMTREP System
Value: . . . . . . . . . . . . . .
35. Passwords with Repeating Characters with
QPWDLVL 0 or 1 . . . . . . . . . .
36. Passwords with Repeating Characters with
QPWDLVL 2 or 3 . . . . . . . . . .
37. Possible Values for the QPWDPOSDIF System
Value: . . . . . . . . . . . . . .
38. Possible Values for the QPWDRQDDGT
System Value: . . . . . . . . . . . .
39. Possible Values for the QPWDVLDPGM
System Value: . . . . . . . . . . . .
40. Parameters for Password Approval Program
41. Possible Values for the QAUDCTL System
Value: . . . . . . . . . . . . . .
42. Possible Values for the QAUDENDACN
System Value: . . . . . . . . . . . .
43. Possible Values for the QAUDFRCLVL System
Value: . . . . . . . . . . . . . .
44. Possible Values for the QAUDLVL System
Value: . . . . . . . . . . . . . .
45. Possible Values for the QCRTOBJAUD System
Value: . . . . . . . . . . . . . .
46. Possible Values for PASSWORD: . . . . .
47. Possible Values for PWDEXP: . . . . . .
48. Possible Values for STATUS: . . . . . . .
49. Default Special Authorities by User Class
50. How Assistance Levels Are Stored and
Changed . . . . . . . . . . . . .
51. Possible Values for ASTLVL: . . . . . . .
52. Possible Values for CURLIB: . . . . . . .
53. Possible Values for INLPGM: . . . . . .
54. Possible Values for INLPGM Library: . . . .
55. Possible Values for MENU: . . . . . . .
56. Possible Values for MENU Library: . . . .
57. Functions Allowed for Limit Capabilities
Values . . . . . . . . . . . . . .
58. Possible Values for text: . . . . . . . .
59. Possible Values for SPCAUT: . . . . . . .
60.
. . . . . . . . . . . . . . . .
61. Possible Values for SPCENV: . . . . . . .
62. Possible Values for DSPSGNINF: . . . . .
63. Possible Values for PWDEXPITV: . . . . .
64. Possible Values for LMTDEVSSN: . . . . .
65. Possible Values for KBDBUF:. . . . . . .
66. Possible Values for MAXSTG: . . . . . .
67. Possible Values for PTYLMT:. . . . . . .
68. Possible Values for JOBD: . . . . . . . .
69. Possible Values for JOBD Library: . . . . .
70. Possible Values for GRPPRF: . . . . . . .
50
50
51
51
52
52
52
53
53
54
59
60
60
61
62
67
68
69
70
71
71
72
72
73
73
73
74
75
75
78
80
82
83
83
84
85
86
86
87
87
xi
71.
72.
73.
74.
75.
76.
77.
78.
79.
80.
81.
82.
83.
84.
85.
86.
87.
88.
89.
90.
91.
92.
93.
94.
95.
96.
97.
98.
99.
100.
101.
102.
103.
104.
105.
106.
107.
108.
109.
110.
111.
112.
113.
114.
115.
116.
117.
118.
119.
120.
121.
122.
123.
xii
Possible Values for OWNER: . . . . . .

Possible Values for GRPAUT:. . . . . .
Possible Values for GRPAUTTYP: 1 . . . .
Possible Values for SUPGRPPRF . . . .
Possible Values for ACGCDE: . . . . .
Possible Values for DOCPWD: . . . . .
Possible Values for MSGQ: . . . . . .
Possible Values for MSGQ Library:. . . .
Possible Values for DLVRY: . . . . . .
Possible Values for SEV: . . . . . . .
Possible Values for PRTDEV: . . . . . .
Possible Values for OUTQ: . . . . . .
Possible Values for OUTQ library: . . . .
Possible Values for ATNPGM: . . . . .
Possible Values for ATNPGM Library:. . .
Possible Values for SRTSEQ: . . . . . .
Possible Values for SRTSEQ Library: . . .
Possible Values for LANGID: . . . . .
Possible Values for CNTRYID: . . . . .
Possible Values for CCSID: . . . . . .
Possible Values for CHRIDCTL: . . . . .
Possible Values for SETJOBATR: . . . .
Possible Values for LOCALE: . . . . .
Possible Values for USROPT: . . . . . .
Possible Values for UID: . . . . . . .
Possible Values for GID: . . . . . . .
Possible Values for HOMEDIR: . . . .
Possible Values for AUT: . . . . . . .
Possible Values for OBJAUD: . . . . .
Auditing Performed for Object Access
Possible Values for AUDLVL: . . . . .
Description of Authority Types . . . .
System-Defined Authority . . . . . .
System-Defined Authority . . . . . .
LAN Server Permissions . . . . . . .
Public versus Private Authority . . . .
Accumulated Group Authority. . . . .
Parts of the Library List . . . . . . .
Authority Required to Perform Printing
Functions . . . . . . . . . . . .
User Profiles for Menu System . . . . .
Objects Used by Menu System . . . . .
Options and Commands for the System
Request Menu . . . . . . . . . .
Physical File Example: CUSTMAST File
Authorization List and Group Profile
Comparison . . . . . . . . . . .
How Security Information Is Saved and
Restored . . . . . . . . . . . .
Action Auditing Values . . . . . . .
Security Auditing Journal Entries . . . .
How Object and User Auditing Work
Together . . . . . . . . . . . .
Commands for Working with Authority
Holders . . . . . . . . . . . .
Commands for Working with Authorization
Lists . . . . . . . . . . . . .
Commands for Working with Object
Authority and Auditing . . . . . . .
Commands for Working with Passwords
Commands for Working with User Profiles
. 88
. 89
. 89
. 90
. 90
. 91
. 91
. 92
. 92
. 93
. 93
. 94
. 94
. 95
. 95
. 95
. 95
. 96
. 96
. 97
. 97
. 98
. 98
. 99
. 99
. 100
. 100
. 101
. 101
102
. 102
. 120
. 121
. 122
. 122
. 165
. 166
. 194
. 199
. 219
. 219
. 223
225
. 231
. 235
. 254
. 255
. 264
. 283
. 283
. 284
285
286
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
124. Related User Profile Commands . . . . .

125. Commands for Working with Auditing
126. Commands for Working with Document
Library Objects . . . . . . . . . . .
127. Commands for Working with Server
Authentication Entries . . . . . . . .
128. Commands for Working with the System
Distribution Directory. . . . . . . . .
129. Commands for Working with Validation Lists
130. Security Tools for Working with Auditing
131. Security Tools for Working with Authorities
132. Security Tools for Working with System
Security . . . . . . . . . . . . .
133. Default Values for User Profiles . . . . .
134. IBM-Supplied User Profiles . . . . . . .
135. Authorities of IBM-Supplied User Profiles to
Restricted Commands. . . . . . . . .
136. Description of Authority Types . . . . .
137. System-Defined Authority . . . . . . .
138. System-Defined Authority . . . . . . .
139. . . . . . . . . . . . . . . . .
140. . . . . . . . . . . . . . . . .
141. Standard Heading Fields for Audit Journal
Entries . . . . . . . . . . . . . .
Entries . . . . . . . . . . . . . .
Entries . . . . . . . . . . . . . .
144. Audit Journal (QAUDJRN) Entry Types.
145. AD (Auditing Change) Journal Entries
146. AF (Authority Failure) Journal Entries
147. AP (Adopted Authority) Journal Entries
148. AU (Attribute Changes) Journal Entries
149. CA (Authority Changes) Journal Entries
150. CD (Command String) Journal Entries
151. CO (Create Object) Journal Entries . . . .
152. CP (User Profile Changes) Journal Entries
153. CQ (*CRQD Changes) Journal Entries
154. CU (Cluster Operations) Journal Entries
155. CV (Connection Verification) Journal Entries
156. CY (Cryptographic Configuration) Journal
Entries . . . . . . . . . . . . . .
157. DI (Directory Services) Journal Entries
158. DO (Delete Operation) Journal Entries
159. DS (IBM-Supplied Service Tools User ID
Reset) Journal Entries . . . . . . . . .
160. EV (Environment Variable) Journal Entries
161. GR (Generic Record) Journal Entries . . . .
162. GS (Give Descriptor) Journal Entries . . . .
163. IP (Interprocess Communication) Journal
Entries . . . . . . . . . . . . . .
164. IR (IP Rules Actions) Journal Entries . . . .
165. IS (Internet Security Management) Journal
Entries . . . . . . . . . . . . . .
166. JD (Job Description Change) Journal Entries
167. JS (Job Change) Journal Entries . . . . .
168. KF (Key Ring File) Journal Entries . . . .
169. LD (Link, Unlink, Search Directory) Journal
Entries . . . . . . . . . . . . . .
170. ML (Mail Actions) Journal Entries. . . . .
171. NA (Attribute Change) Journal Entries
287
287
287
288
288
289
289
289
290
291
293
299
309
310
311
401
436
501
503
504
504
506
508
512
513
513
516
516
518
519
520
521
523
524
528
530
530
531
533
534
535
536
538
539
542
544
545
546
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
172. ND (APPN Directory Search Filter) Journal

Entries . . . . . . . . . . . . . .
173. NE (APPN End Point Filter) Journal Entries
174. OM (Object Management Change) Journal
Entries . . . . . . . . . . . . . .
175. OR (Object Restore) Journal Entries . . . .
176. OW (Ownership Change) Journal Entries
177. O1 (Optical Access) Journal Entries . . . .
180. PA (Program Adopt) Journal Entries . . . .
181. PG (Primary Group Change) Journal Entries
182. PO (Printer Output) Journal Entries . . . .
183. PS (Profile Swap) Journal Entries . . . . .
184. PW (Password) Journal Entries. . . . . .
185. RA (Authority Change for Restored Object)
Journal Entries . . . . . . . . . . .
186. RJ (Restoring Job Description) Journal Entries
187. RO (Ownership Change for Restored Object)
Journal Entries . . . . . . . . . . .
188. RP (Restoring Programs that Adopt
Authority) Journal Entries . . . . . . .
189. RQ (Restoring Change Request Descriptor
Object) Journal Entries . . . . . . . .
190. RU (Restore Authority for User Profile)
Journal Entries . . . . . . . . . . .
191. RZ (Primary Group Change for Restored
Object) Journal Entries . . . . . . . .
192. SD (Change System Distribution Directory)
Journal Entries . . . . . . . . . . .
193. SE (Change of Subsystem Routing Entry)
Journal Entries . . . . . . . . . . .
194. SF (Action to Spooled File) Journal Entries
195. SG (Asychronous Signals) Journal Entries
196. SK (Secure Sockets Connections) Journal
Entries . . . . . . . . . . . . . .
197. SM (System Management Change) Journal
Entries . . . . . . . . . . . . . .
546
547
547
550
553
554
555
556
556
558
560
561
562
563
565
565
567
568
568
569
570
571
572
575
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
198. SO (Server Security User Information Actions)

Journal Entries . . . . . . . . . . .
199. ST (Service Tools Action) Journal Entries
200. SV (Action to System Value) Journal Entries
201. VA (Change of Access Control List) Journal
Entries . . . . . . . . . . . . . .
202. VC (Connection Start and End) Journal
Entries . . . . . . . . . . . . . .
203. VF (Close of Server Files) Journal Entries
204. VL (Account Limit Exceeded) Journal Entries
205. VN (Network Log On and Off) Journal
Entries . . . . . . . . . . . . . .
206. VO (Validation List) Journal Entries . . . .
207. VP (Network Password Error) Journal Entries
208. VR (Network Resource Access) Journal
Entries . . . . . . . . . . . . . .
209. VS (Server Session) Journal Entries . . . .
210. VU (Network Profile Change) Journal Entries
211. VV (Service Status Change) Journal Entries
212. X0 (Network Authentication) Journal Entries
213. YC (Change to DLO Object) Journal Entries
214. YR (Read of DLO Object) Journal Entries
215. ZC (Change to Object) Journal Entries
216. ZM (SOM Method Access) Journal Entries
217. ZR (Read of Object) Journal Entries . . . .
218. Numeric Codes for Access Types . . . . .
219. Tool Commands for User Profiles . . . . .
220. Tool Commands for Security Auditing
221. Commands for Security Reports . . . . .
222. Commands for Customizing Your System
223. Values Set by the CFGSYSSEC Command
224. Commands Whose Public Authority Is Set by
the RVKPUBAUT Command . . . . . .
225. Programs Whose Public Authority Is Set by
the RVKPUBAUT Command . . . . . .
578
579
581
581
582
582
583
583
584
586
586
587
587
588
589
593
593
594
595
596
597
599
601
603
607
608
610
610
576
577
Tables
xiii
xiv
About Security - Reference (SC41-5302)

This book provides information about planning, setting up, managing, and
auditing security on your iSeries system. It describes all the features of security on
the system and discusses how security features relate to other aspects of the
system, such as work management, backup and recovery, and application design.
This book does not provide complete operational instructions for setting up
security on your system. For a step-by-step example of setting up security, consult
the iSeries Information Center (see Prerequisite and related information on
page xvi) and the Tips and Tools for Securing Your iSeries, SC41-5300-06 book.
Information on planning and setting up Basic System Security and Planning can
also be found in the Information Center (see Prerequisite and related information
on page xvi).
This book does not provide complete information about planning for IBM Lotus
Domino users. For Lotus Domino users, see the URL
http://notes.net/notesua.nsf. This Web site provides information on IBM Lotus
Notes, Lotus Domino, and IBM Lotus Domino for iSeries. From this web site, you
can download information in Domino database (.NSF) and Adobe Acrobat (.PDF)
format, search databases, and find out how to obtain printed manuals.
This book does not contain complete information about the application
programming interfaces (APIs) that are available to access security information.
APIs are described in System API Programming, SC41-5800-00. This book does not
contain information about the Internet. For information about considerations when
you connect your system to the Internet see the IBM SecureWay: iSeries and the
Internet in the Information Center (see Prerequisite and related information on
page xvi). .
For a list of related publications, see the Related information on page 615.
Who should read this book

The primary audience for this book is the security administrator.
Chapter 9, Auditing Security on the iSeries System on page 247 is intended for
anyone who wants to perform a security audit of the system.
This book assumes you are familiar with entering commands on the system. To use
some of the examples in this book, you need to know how to:
v Edit and create a control language (CL) program.
v Use a query tool, such as the Query/400 licensed program.
The information in the following chapters can help the application programmer
and systems programmers understand the relationship between security and
application and system design:
Chapter 5, Resource Security on page 119
Chapter 6, Work Management Security on page 185
Chapter 7, Designing Security on page 207
Chapter 8, Backup and Recovery of Security Information on page 235
xv
Conventions and terminology used in this book

The iSeries displays in this book could be shown as they are presented through
iSeries Navigator, which is part of iSeries Access for Windows on the personal
computer. The example displays in this book could also be shown without iSeries
Navigator available.
For more information on using iSeries Navigator, refer to the iSeries Information
Center (seePrerequisite and related information).
Prerequisite and related information

Use the iSeries Information Center as a starting point for your iSeries information
needs. It is available in either of the following ways:
v The Internet at this uniform resource locator (URL) address:
http://www.ibm.com/eserver/iseries/infocenter
v On CD-ROM: SK3T409000, iSeries Information Center. This package also

includes the PDF versions of iSeries manuals (SK3T409200, iSeries Information
Center: Supplemental Manuals), which replaces the Softcopy Library CD-ROM.
The iSeries Information Center contains advisors and important topics such as CL
commands, system application programming interfaces (APIs), logical partitions,
clustering, Java, TCP/IP, Web serving, and secured networks. It also includes
links to related IBM Redbooks and Internet links to other IBM Web sites such as
the Technical Studio and the IBM home page.
With every new hardware order, you receive the following CD-ROM information:
v SK3T-4096-00, iSeries Installation and Service Library. This CD-ROM contains
PDF manuals needed for installation and system maintenance of an IBM Eserver
iSeries.
v iSeries Setup and Operations CD-ROM, SK3T-4098-01. This CD-ROM contains IBM
iSeries Access for Windows and the EZ-Setup wizard. iSeries Access Express
offers a powerful set of client and server capabilities for connecting PCs to
iSeries servers. The EZ-Setup wizard automates many of the iSeries setup tasks.
For a list of related publications, see the Related information on page 615.
iSeries Navigator
IBM iSeries Navigator is a powerful graphical interface for managing your iSeries
systems that is a component of iSeries Access for Windows.. iSeries Navigator
functionality includes system navigation, configuration, planning capabilities, and
online help to guide you through your tasks. iSeries Navigator makes operation
and administration of the server easier and more productive and is the only user
interface to the new, advanced features of the OS/400 operating system. It also
includes Management Central for managing multiple servers from a central server.
For more information on iSeries Navigator, see the Information Center.
How to send your comments

Your feedback is important in helping to provide the most accurate and
high-quality information. If you have any comments about this book or any other
iSeries documentation, fill out the readers comment form at the back of this book.
xvi
v If you prefer to send comments by mail, use the readers comment form with the
address that is printed on the back. If you are mailing a readers comment form
from somewhere other than the United States, you can give the form to the local
IBM branch office or IBM representative for postage-paid mailing.
v If you prefer to send comments by FAX, use either of the following numbers:
United States and Canada: 1-800-937-3430
Other countries: 1-507-253-5192
v If you prefer to send comments electronically, use this network ID:
IBMMAIL, to IBMMAIL(USIB56RZ)
[email protected]
Be sure to include the following:
v The name of the book.
v The publication number of the book.
v The page number or topic to which your comment applies.
About Security - Reference (SC41-5302)
xvii
xviii
Whats new for V5R2
System service tools (SST)
|
|
|
|
|
|
|
|
|
|
|
|
There are several enhancements and additions to service tools for this release that
make them easier to use and understand. You can now manage and create service
tools user IDs from system service tools (SST) by selecting option 8 (Work with
service tools user IDs) from the main SST display. You no longer need to go into
dedicated service tools (DST) to reset passwords, grant or revoke privileges, or
create service tools user IDs. Note: Information regarding Service tools has been
moved to the Information Center. The following enhancements have been made to
System service tools (SST):
v Password management enhancements
The server is shipped with limited ability to change default and expired
passwords. This means that you cannot change service tools user IDs that have
default and expired passwords through the Change Service Tools User ID
(QSYCHGDS) API, nor can you change their passwords through SST. You can
only change a service tools user ID with a default and expired password
through DST. And, you can change the setting to allow default and expired
passwords to be changed. Also, you can use the new Start service tools (STRSST)
privilege to create a service tools user ID that can access DST, but can be
restricted from accessing SST.
v Terminology changes
The textual data and other documentation have been changed to reflect the new
service tools terminology. Specifically, the term service tools user IDs replaces
previous terms, such as DST user profiles, DST user IDs, service tools user
profiles, or variations of these names.
|
|
|
For information on how to work with Service tools, see the Information Center (see
Prerequisite and related information on page xvi for details) topic, Service tools
(Security>Service tools).
Audit file enhancements
|
|
|
|
|
|
|
|
|
|
|
There is a new outfile format, TYPE5, for the security audit journal. All new fields
in existing records will only be added to the TYPE5 outfiles, and new audit records
will only have TYPE5 outfiles. When you display the security audit journal, you
can specify *TYPE5 as the outfile format for the journal. TYPE5 outfiles include
remote IP information and thread IDs in the header portion of the security audit
records. This data was added to the header portion of the audit record to keep the
size of the records to a minimum. The remote IP information is helpful with
intrusion detection and in determining the source of some actions on your system.
The thread ID is useful for isolating actions within a thread in multi-threaded jobs.
You can find more information about audit journals in Appendix F: in Security
Reference.
Independent Disk Pool (IASP) security considerations
|
|
|
If you are using IASPs you need to understand the security implications of using
them. You can find more information about how security affects and is affected by
IASPs in Chapter 1 of Security Reference.
|
|
|
|
|
|
|
|
|
|
|
xix
New values for QFRCCVNRST system value
|
|
|
|
|
|
|
You can now specify a wider range of values for the force conversion on restore
(QFRCCVNRST) system value. The values that you specify for this and two other
system values affect how your system handles restore operations. These three
system values work together to provide options for controlling how trusted an
object must be before it is restored on your system. You can find more information
about the security implications of these system values in Chapter 3 of Security
Reference.
Allow change of security related system values
|
|
|
|
|
|
|
|
|
|
|
|
|
System service tools (SST) and dedicated service tools (DST) provide an option that
allows you to prevent changes to a variety of security related system values. If the
value of the Allow change of security related system values option is set to NO,
then the system values cannot be changed by using the Change system value
(CHGSYSVAL) command (or any other user interfaces). Setting this option to NO
is useful, for example, if you have settings for the Verify objects during restore
(QVFYOBJRST) or Allow restore of security-sensitive objects (QALWOBJRST)
system values to control how trusted an object must be before it can be restored.
Selecting NO for this option ensures that applications cannot change these system
value settings during install to values that are less restrictive to install objects that
do not satisfy the settings for these system values. You can find information about
restriction certain system values from being changed in Chapter 3 of Security
Reference.
|
|
|
Finding commonly-used topics:

v Defining How Information Can Be Accessed on page 120
v How the System Checks Authority on page 156
|
|
|
v Output Queue and Parameter Authorities Required for Printing on page 199
v Planning the Auditing of Object Access on page 263
v Appendix D, Authority Required for Objects Used by Commands on page 309
xx
Chapter 1. Introduction to iSeries Security

The Eserver family of systems covers a wide range of users. A small system might
have three to five users, and a large system might have several thousand users.
Some installations have all their workstations in a single, relatively secure, area.
Others have widely distributed users, including users who connect by dialing in
and indirect users connected through personal computers or system networks.
Security on the iSeries system is flexible enough to meet the requirements of this
wide range of users and situations. You need to understand the features and
options available so that you can adapt them to your own security requirements.
This chapter provides an overview of the security features on the system.
System security has three important objectives:
Confidentiality:
v Protecting against disclosing information to unauthorized people.
v Restricting access to confidential information.
v Protecting against curious system users and outsiders.
Integrity:
v Protecting against unauthorized changes to data.
v Restricting manipulation of data to authorized programs.
v Providing assurance that data is trustworthy.
Availability:
v Preventing accidental changes or destruction of data.
v Protecting against attempts by outsiders to abuse or destroy system resources.
System security is often associated with external threats, such as hackers or
business rivals. However, protection against system accidents by authorized system
users is often the greatest benefit of a well-designed security system. In a system
without good security features, pressing the wrong key might result in deleting
important information. System security can prevent this type of accident.
The best security system functions cannot produce good results without good
planning. Security that is set up in small pieces, without planning, can be
confusing. It is difficult to maintain and to audit. Planning does not imply
designing the security for every file, program, and device in advance. It does
imply establishing an overall approach to security on the system and
communicating that approach to application designers, programmers, and system
users.
As you plan security on your system and decide how much security you need,
consider these questions:
v Is there a company policy or standard that requires a certain level of security?
v Do the company auditors require some level of security?
v How important is your system and the data on it to your business?
v How important is the error protection provided by the security features?
v What are your company security requirements for the future?
To facilitate installation, many of the security capabilities on your system are not
activated when your system is shipped. Recommendations are provided in this
book to bring your system to a reasonable level of security. Consider the security
requirements of your own installation as you evaluate the recommendations.
Physical Security
Physical security includes protecting the system unit, system devices, and backup
media from accidental or deliberate damage. Most measures you take to ensure the
physical security of your system are external to the system. However, the system is
equipped with a keylock that prevents unauthorized functions at the system unit.
Note: You must order the keylock feature on some models.
Physical security is described in the Information Center (see Prerequisite and
related information on page xvi for details).
Keylock Security
The keylock on the 940x control panel controls access to various system control
panel functions. The keylock position can be retrieved and changed under program
control by using either of the following:
v Retrieve IPL Attributes (QWCRIPLA) API
v Change IPL Attributes (CHGIPLA) command
This allows the remote user access to additional functions available at the control
panel. For example, it controls where the machine will IPL from and to what
environment, either OS/400 or Dedicated Service Tools (DST).
The OS/400 System Value, QRMTSRVATR, controls the remote access. This value is
shipped defaulted to off which will not allow the keylock to be overridden. The
system value can be changed to allow remote access, but does require *SECADM
and *ALLOBJ special authorities to change.
Security Level
You can choose how much security you want the system to enforce by setting the
security level (QSECURITY) system value. The system offers five levels of security:
Level 10:
Level 10 is no longer supported. See Chapter 2, Using System Security
(QSecurity) System Value on page 9 for information about security levels
(10, 20, 30, 40, and 50).
Level 20:
The system requires a user ID and password for sign-on. All users are
given access to all objects.
Level 30:
The system requires a user ID and password for sign-on. The security of
resources is enforced.
Level 40:
resources is enforced. Additional integrity protection features are also
enforced.
Level 50:
resources is enforced. Level 40 integrity protection and enhanced integrity
protection are enforced. Security level 50 is intended for iSeries systems
with high security requirements, and it is designed to meet C2 security
requirements.
The system security levels are described in Chapter 2, Using System Security
(QSecurity) System Value on page 9.
System Values
System values allow you to customize many characteristics of your system. A
group of system values are used to define system-wide security settings. For
example, you can specify:
v
v
v
v
How many sign-on attempts you allow at a device.

Whether the system automatically signs off an inactive workstation.
How often passwords need to be changed.
The length and composition of passwords.
The system values that relate to security are described in Chapter 3, Security
System Values on page 23.
Signing
A key component of security is integrity: being able to trust that objects on the
system have not been tampered with or altered. Your operating system software is
protected by digital signatures, and now you can reinforce integrity by signing
software objects which you rely on (for more information on using signing to
protect your system, see Tips and Tools for Securing Your iSeries). This is particularly
important if the object has been transmitted across the internet or stored on media
which you feel might have been modified. The digital signature can be used to
detect if the object has been altered.
Digital signatures, and their use for verification of software integrity, can be
managed according to your security policies using the Verify Object Restore
(QVFYOBJRST) system value, the Check Object Integrity (CHKOBJITG) command,
and the Digital Certificate Manager tool. Additionally, you can choose to sign your
own programs (all licensed programs shipped with the iSeries are signed). DCM is
described in the Information Center (see Prerequisite and related information on
page xvi for details).
|
|
|
|
|
|
|
|
|
|
|
New for V5R2, you can restrict adding digital signatures to a digital certificate
store using the Add Verifier API and restrict resetting passwords on the digital
certificate store. System Service Tools (SST) provides a new menu option, entitled
Work with system security where you can restrict adding digital certificates.
Single sign-on enablement

In todays heterogeneous networks with partitioned servers and multiple
platforms, administrators must cope with the complexities of managing
identification and authentication for network users. IBMs new infrastructure and
exploitation of it in iSeries helps administrators, users, and application
programmers to much more cheaply and easily manage these identification and
authentication.
|
|
|
|
|
|
|
|
To enable a single sign-on environment, IBM provides two technologies that work
together to allow users to sign in with their Windows username and password and
be authenticated to iSeries systems in the network. Network authentication service
and Enterprise Identity Mapping (EIM) are the two technologies that an
administrator must configure to enable a single sign-on environment. Windows
2000, XP, AIX, and zSeries use Kerberos protocol to authenticate users to the
network. A secure, centralized server, called a key distribution center, authenticates
principals (Kerberos users) to the network.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
While network authentication service allows an iSeries system to participate in that

Kerberos realm, EIM provides a mechanism for associating these Kerberos
principals to a single EIM identifier that represents that user within the entire
enterprise. Other user identities, such as an OS/400 username, can also be
associated with this EIM identifier. When a user signs onto the network and
accesses an iSeries system, he or she is not prompted for a userid and password. If
the Kerberos authentication is successful, applications can look up the association
to the EIM identifier to find the OS/400 username. The user no longer needs a
password to iSeries applications and functions because the user is already
authenticated through the Kerberos protocol. Administrators can centrally manage
user identities with EIM while network users need only to manage one password.
You can enable single sign-on by configuring network authentication service and
Enterprise Identity Mapping (EIM) on your iSeries system. To review a scenario
that shows how to set up a single sign-on environment, see the Information Center
topic, Scenario: Enable single sign-on.(Security>Network authentication
service>Network authentication service scenarios>Scenario: Enable single
sign-on. See Prerequisite and related information on page xvi for more
information on accessing the Information Center.
User Profiles
Every system user has a user profile. At security level 10, the system automatically
creates a profile when a user first signs on. At higher security levels, you must
create a user profile before a user can sign on.
The user profile is a powerful and flexible tool. It controls what the user can do
and customizes the way the system appears to the user. Following are descriptions
of a few important security features of the user profile:
Special authority
Special authorities determine whether the user is allowed to perform
system functions, such as creating user profiles or changing the jobs of
other users.
Initial menu and initial program
The initial menu and program determine what the user sees after signing
on the system. You can limit a user to a specific set of tasks by restricting
the user to an initial menu.
Limit capabilities
The limit capabilities field in the user profile determines whether the user
can enter commands and change the initial menu or initial program when
signing on.
User profiles are discussed in Chapter 4, User Profiles on page 63.
Group Profiles
A group profile is a special type of user profile. You can use a group profile to
define authority for a group of users, rather than giving authority to each user
individually. A group profile can own objects on the system. You can also use a
group profile as a pattern when creating individual user profiles by using the copy
profile function.
Planning Group Profiles on page 229 discusses using group authority. Group
Ownership of Objects on page 129 discusses what objects should be owned by
group profiles. Primary Group for an Object on page 130 discusses using primary
group and primary group authority for an object. Copying User Profiles on
page 107 describes how to copy a group profile to create an individual user profile.
Resource Security
Resource security on the system allows you to define who can use objects and how
those objects can be used. The ability to access an object is called authority. You
can specify detailed authorities, such as adding records or changing records. Or
you can use the system-defined subsets of authorities: *ALL, *CHANGE, *USE, and
*EXCLUDE.
Files, programs, and libraries are the most common objects requiring security
protection, but you can specify authority for any object on the system. Following
are descriptions of the features of resource security:
Group profiles
A group of similar users can share the same authority to use objects.
Authorization lists
Objects with similar security needs can be grouped on one list; authority
can be granted to the list rather than to the individual objects.
Object ownership
Every object on the system has an owner. Objects can be owned by an
individual user profile or by a group profile. Proper assignment of object
ownership helps you manage applications and delegate responsibility for
the security of your information.
Primary group
You can specify a primary group for an object. The primary groups
authority is stored with the object. Using primary groups may simplify
your authority management and improve authority checking performance.
Library authority
You can put files and programs that have similar protection requirements
into a library and restrict access to that library. This is often easier than
restricting access to each individual object.
Directory authority
You can use directory authority in the same way that you use library
authority. You can group objects in a directory and secure the directory
rather than the individual objects.
Object authority
In cases where restricting access to a library or directory is not specific
enough, you can restrict authority to access individual objects.
Public authority
For each object, you can define what kind of access is available for any
system user who does not have any other authority to the object. Public
authority is an effective means for securing information and provides good
performance.
Adopted authority
Adopted authority adds the authority of a program owner to the authority
of the user running the program. Adopted authority is a useful tool when
a user needs different authority for an object, depending on the situation.
Authority holder
An authority holder stores the authority information for a
program-described database file. The authority information remains, even
when the file is deleted. Authority holders are commonly used when
converting from the System/36, because System/36 applications often
delete files and create them again.
Field level authority
Field level authorities are given to individual fields in a database file. This
authority is managed through SQL.
Resource security is described in Chapter 5, Resource Security on page 119
Security Audit Journal

Several functions exist on the system to help you audit the effectiveness of security.
In particular, the system provides the ability to log selected security-related events
in a security audit journal. Several system values, user profile values, and object
values control which events are logged.
Chapter 9, Auditing Security on the iSeries System on page 247 provides
information about auditing security.
C2 Security
By using security level 50 and following the instructions in the Security - Enabling
for C2, SC41-5303-00, you can bring a Version 4 Release 4 iSeries system to a C2
level of security. C2 is a security standard defined by the U.S. government in the
Department of Defense Trusted System Evaluation Criteria (DoD 5200.28.STD).
In October, 1995, iSeries formally received a C2 security rating from the United
States Department of Defense. The C2 rating is for V2R3 of OS/400, SEU,
Query/400, SQL, and Common Cryptographic Architecture Services/400. The C2
rating was awarded after a rigorous, multi-year period of evaluation. iSeries is the
first system to achieve a C2 rating for a system (hardware and operating system)
with an integrated, full-function database.
In 1999, iSeries received a C2 rating for Version 4 Release 4 of OS/400 (with
feature code 1920), SEU, Query/400, SQL, TCP/IP Utilities, Cryptographic Access
Provider, and Advanced Series Hardware. A limited set of TCP/IP communication
functions between iSeries, attached to a local area network, were included in the
evaluation.
To achieve a C2 rating, a system must meet strict criteria in the following areas:
v Discretionary access control
v User accountability
v Security auditing
v Resource isolation
|
Independent disk pool
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Independent disk pools provide the ability to group together storage that can be
taken offline or brought online independent of system data or other unrelated data.
The terms independent auxiliary storage pool (ASP) and independent disk pool are
synonymous. An independent disk pool can be either switchable among multiple
systems in a clustering environment or privately connected to a single system. For
V5R2, functional changes to independent disk pools have security implications on
your system. For example, when you perform a CRTUSRPRF, you can not create a
user profile (*USRPRF) into an independent disk pool. However, when a user is
privately authorized to an object in the independent disk pool, is the owner of an
object on an independent disk pool, or is the primary group of an object on an
independent disk pool, the name of the profile is stored on the independent disk
pool. If the independent disk pool is moved to another system, the private
authority, object ownership, and primary group entries will be attached to the
profile with the same name on the target system. If a profile does not exist on the
target system, a profile will be created. The user will not have any special
authorities and the password will be set to *NONE.
|
|
|
|
|
|
|
Independent disk pools have been enhanced to provide support for library-based
objects. In previous releases, independent disk pools supported user-defined file
systems (UDFS) only. However several objects are not allowed on independent
disk pools. For a complete list of supported and unsupported objects see
Supported and unsupported OS/400 object types topic in the Information Center.
(Systems management>Independent disk pools>Concepts>Restrictions
and considerations>Supported and unsupported OS/400 object types).
Chapter 2. Using System Security (QSecurity) System Value

This chapter discusses the security level (QSECURITY) system value and the issues
associated with it.
Overview:
Purpose:
Specify level of security to be enforced on the system.
How To:
WRKSYSVAL *SEC (Work with System Values command) or Menu
SETUP, option 1 (Change System Options)
Authority:
*ALLOBJ and *SECADM
Journal Entry:
SV
Notes: Before changing on a production system, read appropriate
section on migrating from one level to another.
The system offers five levels of security:
10
No system-enforced security
Note: You cannot set the system value QSECURITY to security level 10.
20
Sign-on security
30
Sign-on and resource security
40
Sign-on and resource security; integrity protection
50
Sign-on and resource security; enhanced integrity protection.
Your system is shipped at level 40, which provides sign-on and resource security
and provides integrity protection. For more information, see Security Level 40 on
page 14.
If you want to change the security level, use the Work with System Values
(WRKSYSVAL) command. The minimum security level you should use is 30.
However, level 40 or higher is recommended. The change takes effect the next time
you perform an initial program load (IPL). Table 1 compares the levels of security
on the system:
| Table 1. Security Levels: Function Comparison
| Function
Level 20
Level 30
Level 40
Level 50
|
|
|
|
|
|
|
|
Yes
Yes
Yes
Yes1
Yes
No
Yes
No
Yes
Yes
Yes
Yes1
Yes
Yes
No
No
Yes
Yes
Yes
Yes1
Yes
Yes
No
No
Yes
Yes
Yes
Yes1
Yes
Yes
No
No
User name required to sign on.

Password required to sign on.
Password security active.
Menu and initial program security active.
Limit capabilities support active.
Resource security active.
Access to all objects.
User profile created automatically.
| Table 1. Security Levels: Function Comparison (continued)

| Function
Level 20
Level 30
Level 40
Level 50
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Security auditing capabilities available.

Programs that contain restricted instructions cannot be created
or recompiled.
Programs that use unsupported interfaces fail at run time.
Enhanced hardware storage protection supported.
Library QTEMP is a temporary object.
*USRSPC, *USRIDX, and *USRQ objects can be created only in
libraries specified in the QALWUSRDMN system value.
Pointers used in parameters are validated for user domain
programs running in system state.
Message handling rules are enforced between system and user
state programs.
A programs associated space cannot be directly modified.
Internal control blocks are protected.
Yes
Yes
Yes
Yes
Yes
Yes
Yes
Yes
No
No
No
Yes
No
No
No
Yes
Yes
Yes
No
Yes
Yes
Yes
Yes
Yes
No
No
Yes
Yes
No
No
No
Yes
No
No
No
No
Yes
Yes
Yes
Yes
When LMTCPB(*YES) is specified in the user profile.
|
|
|
At level 50, more protection of internal control blocks is enforced than at level 40. See Preventing
Modification of Internal Control Blocks on page 20.
The system security level determines what the default special authorities are for
each user class. When you create a user profile, you can select special authorities
based on the user class. Special authorities are also added and removed from user
profiles when you change security levels.
These special authorities can be specified for a user:
*ALLOBJ
All-object special authority gives a user authority to perform all operations
on objects.
*AUDIT
Audit special authority allows a user to define the auditing characteristics
of the system, objects, and system users.
*IOSYSCFG
System configuration special authority allows a user to configure input and
output devices on the system.
*JOBCTL
Job control special authority allows a user to control batch jobs and
printing on the system.
*SAVSYS
Save system special authority allows a user to save and restore objects.
*SECADM
Security administrator special authority allows a user to work with user
profiles on the system.
*SERVICE
Service special authority allows a user to perform software service
functions on the system.
*SPLCTL
Spool control special authority allows unrestricted control of batch jobs and
output queues on the system.
10
|
|
|
|
New for V5R2, you can also restrict users with *SECADM and *ALLOBJ authorities
from changing this security related system value with the CHGSYSVAL command.
You can specify this restriction in the System Service Tools (SST) with the Work
with system security option.
|
|
|
Note: This restriction applies to several other system values.

For details on how to restrict changes to security system values and a complete list
of the affected system values, see Chapter 3: Security System Values.
Table 2 shows the default special authorities for each user class. The entries
indicate that the authority is given at security levels 10 and 20 only, at all security
levels, or not at all.
Table 2. Default Special Authorities for User Classes by Security Level
User Classes
Special
Authority
*ALLOBJ
*AUDIT
*IOSYSCFG
*JOBCTL
*SAVSYS
*SECADM
*SERVICE
*SPLCTL
*SECOFR
All
All
All
All
All
All
All
All
*SECADM
*PGMR
*SYSOPR
*USER
10 or 20
10 or 20
10 or 20
10 or 20
10 or 20
10 or 20
All
10 or 20
10 or 20
All
All
10 or 20
Note: The topics User Class on page 69 and Special Authority on page 75
provide more information about user classes and special authorities.
Recommendations:
Security level 30 or higher is recommended because the system does not
automatically give users access to all resources. At lower security levels, all users
are given *ALLOBJ special authority.
Also, at security level 30 (or below), users are able to call system interfaces that
swap to QSECOFR user profile or allow users access to resources that they would
not normally be allowed to access. At security level 40, users are not allowed to
directly call these interfaces; therefore, security level 40 or higher is strongly
recommended.
Security level 40 provides additional integrity protection without affecting system
performance. Applications that do not run at security level 40 have a negative
affect on performance at security level 30. They cause the system to respond to
domain violations.
Security level 50 is intended for systems with very high security requirements. If
you run your system at security level 50, you may notice some performance
impact because of the additional checking the system performs.
Even if you want to give all users access to all information, consider running your
system at security level 30. You can use the public authority capability to give
11
users access to information. Using security level 30 from the beginning gives you
the flexibility of securing a few critical resources when you need to without having
to test all your applications again.
Security Level 10
At security level 10, you have no security protection; therefore, security level 10 is
not recommended by IBM. Beginning in Version 4 Release 3, you cannot set your
security level to 10. If your system is currently at level 10, your system will remain
at level 10 when you install Version 4 Release 3. If you change the system level to
some other value, you cannot change it back to level 10.
When a new user signs on, the system creates a user profile with the profile name
equal to the user ID specified on the sign-on display. If the same user signs on
later with a different user ID, a new user profile is created. Appendix B shows the
default values that are used when the system automatically creates a user profile.
The system performs authority checking at all levels of security. Because all user
profiles created at security level 10 are given *ALLOBJ special authority, users
successfully pass every authority check and have access to all resources. If you
want to test the effect of moving to a higher security level, you can remove
*ALLOBJ special authority from user profiles and grant those profiles the authority
to use specific resources. However, this does not give you any security protection.
Anyone can sign on with a new user ID, and a new profile is created with
*ALLOBJ special authority. You cannot prevent this at security level 10.
Security Level 20
Level 20 provides the following security functions:
v Both user ID and password are required to sign on.
v Only a security officer or someone with *SECADM special authority can create
user profiles.
v The limit capabilities value specified in the user profile is enforced.
All profiles are created with *ALLOBJ special authority at security level 20 by
default. Therefore, security level 20 is not recommended by IBM.
Changing to Level 20 from Level 10

When you change from level 10 to level 20, any user profiles that were
automatically created at level 10 are preserved. The password for each user profile
that was created at level 10 is the same as the user profile name. No changes are
made to the special authorities in the user profiles.
Following is a recommended list of activities if you plan to change from level 10 to
level 20 after your system has been in production:
v List all the user profiles on the system using the Display Authorized User
(DSPAUTUSR) command.
v Either create new user profiles with standardized names or copy the existing
profiles and give them new, standardized names.
v Set the password to expired in each existing profile, forcing each user to assign a
new password.
v Set password composition system values to prevent users from assigning trivial
passwords.
12
v Review the default values in Table 133 in Appendix B for any changes you want
to make to the profiles automatically created at security level 10.
Changing to Level 20 from a Higher Level

When you change from a higher security level to level 20, special authorities are
added to the user profiles. By doing this, the user has, at least, the default special
authority for the user class. Refer to Table 2 on page 11 to see how special
authorities differ between level 20 and higher security levels.
Attention: When you change to level 20 from a higher security level, the system
adds *ALLOBJ special authority to every user profile. This allows users to view,
change, or delete any object on the system.
Security Level 30
Level 30 provides the following security functions, in addition to what is provided
at level 20:
v Users must be specifically given authority to use resources on the system.
v Only user profiles created with the *SECOFR security class are given *ALLOBJ
special authority automatically.
Changing to Level 30 from a Lower Level

When you change to security level 30 from a lower security level, the system
changes all user profiles the next time you perform an IPL. Special authorities that
the user was given at 10 or 20, but would not have at 30 or above, are removed.
Special authorities that the user was given that are not associated with their user
class are not changed. For example, *ALLOBJ special authority is removed from all
user profiles except those with a user class of *SECOFR. See Table 2 on page 11 for
a list of the default special authorities and the differences between level 10 or 20
and the higher security levels.
If your system has been running applications at a lower security level, you should
set up and test resource security before changing to security level 30. Following is
a recommended list of activities:
v For each application, set the appropriate authorities for application objects.
v Test each application using either actual user profiles or special test user profiles:
Remove *ALLOBJ special authority from the user profiles used for testing.
Grant appropriate application authorities to the user profiles.
Run the application using the user profiles.
Check for authority failures either by looking for error messages or by using
the security audit journal.
v When all applications run successfully with test profiles, grant the appropriate
authorities for application objects to all production user profiles.
v If the QLMTSECOFR (limit security officer) system value is 1 (Yes), users with
*ALLOBJ or *SERVICE special authority must be specifically authorized to
devices at security level 30 or higher. Give these users *CHANGE authority to
selected devices, give QSECOFR *CHANGE authority to the devices, or change
the QLMTSECOFR system value to 0.
v Change the security level on your system and perform an initial program load
(IPL).
13
If you want to change to level 30 without defining individual object authorities,

make the public authority for application objects high enough to run the
application. Run application tests to make sure no authority failures occur.
Note: See the topic Defining How Information Can Be Accessed on page 120 for
more information about object authorities.
Security Level 40
Security level 40 prevents potential integrity or security risks from programs that
could circumvent security in special cases. Security level 50 provides enhanced
integrity protection for installations with strict security requirements. Table 3
compares how security functions are supported at levels 30, 40, and 50. These
functions are explained in more detail in the sections that follow.
| Table 3. Comparison of Security Levels 30, 40, and 50
| Scenario Description
Level 30
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
AF journal entry
AF journal entry
AF journal entry
AF journal entry
A program attempts to access objects using

interfaces that are not supported.
A program attempts to use a restricted
instruction.
The user submitting a job does not have
*USE authority to the user profile specified
in the job description.
A user attempts default sign-on without a
user ID and a password.
A *USER state program attempts to write to
system area of disk defined as read only or
no access.
An attempt is made to restore a program
that does not have a validation value. 3
An attempt is made to restore a program

that has a validation value.
An attempt is made to modify a programs
associated space.
An attempt is made to modify a jobs
address space.
A user state program attempts to call or
transfer control to a system domain program.
An attempt is made to create a user domain
object of type *USRSPC, *USRIDX, or *USRQ
in a library not included in the
QALWUSRDMN system value.
A user state program sends an exception
message to a system state program that is
not immediately above it in the program
stack.
A parameter is passed to a user domain
program running in the system state.
14
Level 40
Level 50
AF journal entry 1;
AF journal entry 1;
operation fails.
operation fails.
AF journal entry 1;
AF journal entry 1;
operation fails.
operation fails.
AF journal entry 1; job AF journal entry 1; job
does not run.
does not run.
AF journal entry 1;
sign-on is not
successful.
AF journal entry; 1,2
operation fails. 2
AF journal entry 1;
sign-on is not
successful.
AF journal entry; 1,2
operation fails. 2
Operation fails.
No validation is
performed. Program
must be retranslated
before it can be used.
Program validation is
performed.
AF journal entry;1,2
operation fails.2
operation fails.2
operation fails.2
Operation fails.
No validation is
performed. Program
performed.
operation fails.2
operation fails.2
operation fails.2
Operation fails.
Attempt is successful.
Operation fails.
Parameter validation
is performed.
Parameter validation
is performed.
No validation is
performed. Program
performed.
| Table 3. Comparison of Security Levels 30, 40, and 50 (continued)

| Scenario Description
Level 30
Level 40
Level 50
AF journal entry;1,2,4
operation fails.2,4
AF journal entry;1,2,4
operation fails.2,4
|
|
|
|
|
|
An IBM*-supplied command is changed to
run a different program using the CHGCMD
command. The command is changed again
to run the original IBM-supplied program,
which is a system domain program. A user
attempts to run the command.
|
|
An authority failure (AF) type entry is written to the audit (QAUDJRN) journal, if the auditing function is
active. See Chapter 9 for more information about the audit function.
If the processor supports enhanced hardware storage protection.
Programs created prior to Version 1 Release 3 do not have a validation value.
|
|
When you change an IBM-supplied command, it can no longer call a system domain program.
If you use the auditing function at lower security levels, the system logs journal
entries for most of the actions shown in Table 3 on page 14, except those detected
by the enhanced hardware protection function. You receive warnings in the form of
journal entries for potential integrity violations. At level 40 and higher, integrity
violations cause the system to fail the attempted operation.
Preventing the Use of Unsupported Interfaces

At security level 40 and higher, the system prevents attempts to directly call
system programs not documented as call-level interfaces. For example, directly
calling the command processing program for the SIGNOFF command fails.
The system uses the domain attribute of an object and the state attribute of a
program to enforce this protection:
v Domain:
Every object belongs to either the *SYSTEM domain or the *USER domain.
*SYSTEM domain objects can be accessed only by *SYSTEM state programs or
by *INHERIT state programs that are called by *SYSTEM state programs.
You can display the domain of an object by using the Display Object Description
(DSPOBJD) command and specifying DETAIL(*FULL). You can also use the
following commands:
Display Program (DSPPGM) to display the domain of a program
Display Service Program (DSPSRVPGM) to display the domain of a service
program
v State:
Programs are either *SYSTEM state, *INHERIT state, or *USER state. The *USER
state programs can directly access only *USER domain objects. Objects that are
*SYSTEM domain can be accessed using the appropriate command or
application programming interface (API). The *SYSTEM and *INHERIT states are
reserved for IBM-supplied programs.
You can display the state of a program using the Display Program (DSPPGM)
command. You can display the state of a service program using the Display
Service Program (DSPSRVPGM) command.
15
Table 4 shows the domain and state access rules:

Table 4. Domain and State Access
Object Domain
Program State
*USER
*SYSTEM
1
*USER
YES
NO
*SYSTEM
YES
YES
A domain or state violation causes the operation to fail at security level 40 and
higher. At all security levels, an AF type entry is written to the audit journal if the
auditing function is active.
Journal Entry:
If the auditing function is active and the QAUDLVL system value includes
*PGMFAIL, an authority failure (AF) entry, violation type D, is written to the
QAUDJRN journal when an attempt is made to use an unsupported interface.
Protecting Job Descriptions

If a user profile name is used as the value for the User field in a job description,
any jobs submitted with the job description can be run with attributes taken from
that user profile. An unauthorized user might use a job description to violate
security by submitting a job to run under the user profile specified in the job
description.
At security level 40 and higher, the user submitting the job must have *USE
authority to both the job description and the user profile specified in the job
description, or the job fails. At security level 30, the job runs if the submitter has
*USE authority to the job description.
Journal Entry:
*AUTFAIL, an AF entry, violation type J, is written to the QAUDJRN journal when
a user submits a job and is not authorized to the user profile in a job description.
Signing On without a User ID and Password

At security level 30 and below, signing on by pressing the Enter key without a user
ID and password is possible with certain subsystem descriptions. At security level
40 and higher, the system stops any attempt to sign on without a user ID and
password. See the topic Subsystem Descriptions on page 191 for more
information about security issues associated with subsystem descriptions.
Journal Entry:
An AF entry, violation type S, is written to the QAUDJRN journal when a user
attempts to sign on without entering a user ID and password and the subsystem
description allows it. (The attempt fails at security level 40 and higher.)
Enhanced Hardware Storage Protection

Enhanced hardware storage protection allows blocks of system information located
on disk to be defined as read-write, read only, or no access. At security level 40
16
and higher, the system controls how *USER state programs access these protected
blocks. This support is not available at security levels less than 40.
Enhanced hardware storage protection is supported on all iSeries models, except
the following:
v All B models
v All C models
v D models: 9402 D04, 9402 D06, 9404 D10, and 9404 D20.
Journal Entry:
*PGMFAIL, an AF entry, violation type R, is written to the QAUDJRN journal
when a program attempts to write to an area of disk protected by the enhanced
hardware storage protection feature. This support is available only at security level
40 and higher.
Protecting a Programs Associated Space

At security level 40 and higher, a user state program cannot directly change the
associated space of a program object.
Protecting a Jobs Address Space

At security level 50, a user state program cannot obtain the address for another job
on the system. Therefore, a user state program cannot directly manipulate objects
associated with another job.
Validating Parameters
Interfaces to the operating system are system state programs in user domain. In
other words, they are programs that can be called directly by a user. When
parameters are passed between user state and system state programs, those
parameters must be checked to prevent any unexpected values from jeopardizing
the integrity of the operating system.
When you run your system at security level 40 or 50, the system specifically checks
every parameter passed between a user state program and a system state program
in the user domain. This is required for your system to separate the system and
user domain and to meet the requirements of a C2 level of security. You may
notice some performance impact because of this additional checking.
|
Validation of Programs Being Restored
|
|
|
|
|
When a program is created, the iSeries system calculates a validation value, which
is stored with the program. When the program is restored, the validation value is
calculated again and compared to the validation value that is stored with the
program. If the validation values do not match, the actions taken by the system are
controlled by the QFRCCVNRST and QALWOBJRST system values.
|
|
|
|
|
In addition to a validation value, a program may optionally have a digital

signature that can be verified upon restore. Any system actions related to digital
signatures are controlled by the QVFYOBJRST and QFRCCVNRST system values.
The three system values, Verify Object on Restore (QVFYOBJRST), Force
Conversion on Restore (QFRCCVNRST) and Allow Object Restore (QALWOBJRST),
17
|
|
|
act as a series of filters to determine whether a program will be restored without

change, whether it will be re-created (converted) as it is restored, or whether it will
not be restored to the system.
|
|
|
|
|
|
|
|
|
The first filter is QVFYOBJRST system value. It controls the restore operation on
some objects that can be digitally signed. After an object is successfully checked
and is validated by this system value, the object proceeds to the second filter,
QFRCCVNRST system value. This system value allows you to specify whether or
not to convert programs, service programs, or module objects during a restore
operation. This system value also prevents certain objects from being restored.
Only when the objects have passed the first two filters do they proceed to the final
filter, QALWOBJRST system value. This system value controls whether or not
objects with security sensitive attributes can be restored.
|
|
|
|
|
|
Programs created for the iSeries can contain information that allows the program
to be re-created at restore time, without requiring the program source. Programs
created for iSeries Version 5, Release 1 and later contain the information needed for
re-creation even when the observability of the program is removed. Programs
created for releases prior to Version 5, Release 1 can only be re-created at restore
time if the observable information of the program has not been deleted.
|
|
Each of these system values are described in the Chapter 3, Security System
Values in the section, entitled Security-Related Restore System Values.
Changing to Security Level 40

Make sure that all your applications run successfully at security level 30 before
migrating to level 40. Security level 30 gives you the opportunity to test resource
security for all your applications. Use the following procedure to migrate to
security level 40:
1. Activate the security auditing function, if you have not already done so. The
topic Setting up Security Auditing on page 267 gives complete instructions
for setting up the auditing function.
2. Make sure the QAUDLVL system value includes *AUTFAIL and *PGMFAIL.
*PGMFAIL logs journal entries for any access attempts that violate the integrity
protection at security level 40.
3. Monitor the audit journal for *AUTFAIL and *PGMFAIL entries while running
all your applications at security level 30. Pay particular attention to the
following reason codes in AF type entries:
B
Restriction (blocked) instruction violation
Object validation failure
Unsupported interface (domain) violation
Job-description and user-profile authorization failure
Attempt to access protected area of disk (enhanced hardware storage

protection)
Default sign-on attempt
These codes indicate the presence of integrity exposures in your applications.

At security level 40, these programs fail.
4. If you have any programs that were created prior to Version 1 Release 3, use
the CHGPGM command with the FRCCRT parameter to create validation
values for those programs. At security level 40, the system translates any
18
program that is restored without a validation value. This can add considerable
time to the restore process. See the topic Validation of Programs Being
Restored on page 17 for more information about program validation.
Note: Restore program libraries as part of your application test. Check the
audit journal for validation failures.
5. Based on the entries in the audit journal, take steps to correct your applications
and prevent program failures.
6. Change the QSECURITY system value to 40 and perform an IPL.
Disabling Security Level 40

After changing to security level 40, you may find you need to move back to level
30 temporarily. For example, you may need to test new applications for integrity
errors. Or, you may discover you did not test well enough before changing to
security level 40.
You can change from security level 40 to level 30 without jeopardizing your
resource security. No changes are made to special authorities in user profiles when
you move from level 40 to level 30. After you have tested your applications and
resolved any errors in the audit journal, you can move back to level 40.
Attention: If you move from level 40 to level 20, some special authorities are
added to all user profiles. (See Table 2 on page 11.) This removes resource security
protection.
Security Level 50
Security level 50 is designed to meet the requirements defined by the U.S.
Department of Defense for C2 security. It provides enhanced integrity protection in
addition to what is provided by security level 40. Running your system at security
level 50 is required for C2 security. Other requirements for C2 security are
described in the book Security - Enabling for C2.
These security functions are included for security level 50. They are described in
the topics that follow:
v Restricting user domain object types (*USRSPC, *USRIDX, and *USRQ)
v Restricting message handling between user and system state programs
v Preventing modification of all internal control blocks
v Making the QTEMP library a temporary object
Restricting User Domain Objects

Most objects are created in the system domain. When you run your system at
security level 40 or 50, system domain objects can be accessed only by using the
commands and APIs provided.
These object types can be either system or user domain:
v User space (*USRSPC)
v User index (*USRIDX)
v User queue (*USRQ)
Objects of type *USRSPC, *USRIDX, and *USRQ in user domain can be
manipulated directly without using system-provided APIs and commands. This
allows a user to access an object without creating an audit record.
19
Note: Objects of type *PGM, *SRVPGM and *SQLPKG can also be in the user
domain. Their contents cannot be manipulated directly, and they are not
affected by the restrictions.
At security level 50, a user must not be permitted to pass security-relevant
information to another user without the ability to send an audit record. To enforce
this:
v At security level 50, no job can get addressability to the QTEMP library for
another job. Therefore, if user domain objects are stored in the QTEMP library,
they cannot be used to pass information to another user.
Because of the difference in handling the QTEMP library at security level 50,
objects in the QTEMP library may not be deleted when you IPL after the system
ends abnormally. You may need to run the Reclaim Storage (RCLSTG) command
more often at security level 50. Objects that are in a users QTEMP library when
the system ends abnormally appear in the QRCL library and need to be deleted
after running the RCLSTG command.
v To provide compatibility with existing applications that use user domain objects,
you can specify additional libraries in the QALWUSRDMN system value. The
QALWUSRDMN system value is enforced at all security levels. See Allow User
Domain Objects (QALWUSRDMN) on page 25 for more information.
Restricting Message Handling

Messages sent between programs provide the potential for integrity exposures. The
following applies to message handling at security level 50:
v Any user state program can send a message of any type to any other user state
program.
v Any system state program can send a message of any type to any user or system
state program.
v A user state program can send a non-exception message to any system state
program.
v A user state program can send an exception type message (status, notify, or
escape) to a system state program if one of the following is true:
The system state program is a request processor.
The system state program called a user state program.
Note: The user state program sending the exception message does not have
to be the program called by the system state program. For example, in
this program stack, an exception message can be sent to Program A by
Program B, C, or D:
Program A
Program B
Program C
Program D
System state
User state
User state
User state
v When a user state program receives a message from an external source (*EXT),
any pointers in the message replacement text are removed.
Preventing Modification of Internal Control Blocks

At security level 40 and higher, some internal control blocks, such as the work
control block, cannot be modified by a user state program.
20
At security level 50, no system internal control blocks can be modified. This
includes the open data path (ODP), the spaces for CL commands and programs,
and the S/36 environment job control block.
Changing to Security Level 50

Most of the additional security measures that are enforced at security level 50 do
not cause audit journal entries at lower security levels. Therefore, an application
cannot be tested for all possible integrity error conditions prior to changing to
security level 50.
The actions that cause errors at security level 50 are uncommon in normal
application software. Most software that runs successfully at security level 40 also
runs at security level 50.
If you are currently running your system at security level 30, complete the steps
described in Changing to Security Level 40 on page 18 to prepare for changing to
security level 50.
If you are currently running your system at security level 30 or 40, do the
following to prepare for security level 50:
v Evaluate setting the QALWUSRDMN system value. Controlling user domain
objects is important to system integrity. See Restricting User Domain Objects
on page 19.
v Recompile any COBOL programs that assign the device in the SELECT clause to
WORKSTATION if the COBOL programs were compiled using a pre-V2R3
compiler.
v Recompile any S/36 environment COBOL programs that were compiled using a
pre-V2R3 compiler.
v Recompile any RPG/400* or System/38 environment RPG* programs that use
display files if they were compiled using a pre-V2R2 compiler.
You can go directly from security level 30 to security level 50. Running at security
level 40 as an intermediate step does not provide significant benefits for testing.
If you are currently running at security level 40, you can change to security level
50 without extra testing. Security level 50 cannot be tested in advance. The
additional integrity protection that is enforced at security level 50 does not produce
error messages or journal entries at lower security levels.
Disabling Security Level 50

After changing to security level 50, you may find you need to move back to
security level 30 or 40 temporarily. For example, you may need to test new
applications for integrity errors. Or, you may discover integrity problems that did
not appear at lower security levels.
You can change from security level 50 to level 30 or 40 without jeopardizing your
resource security. No changes are made to special authorities in user profiles when
you move from level 50 to level 30 or 40. After you have tested your applications
and resolved any errors in the audit journal, you can move back to level 50.
Attention: If you move from level 50 to level 20, some special authorities are
added to all user profiles. This removes resource security protection. (See Table 2
on page 11.)
21
22
Chapter 3. Security System Values

|
|
|
This chapter describes the system values that control security on your system.
System values allow you to customize many characteristics of your system. A
group of system values are used to define system-wide security settings.
|
|
|
|
|
|
New for V5R2, you can restrict users from changing several security-related system
values. These restrictions can prevent even a user with *SECADM and *ALLOBJ
authority from changing these system values with the CHGSYSVAL command. In
addition to restricting changes to these system values, you can also restrict adding
digital cerificates to digital certificate store with the Add Verifier API and restrict
password resetting on the digital certificate store.
The following system values can be restricted:
Table 5. System values that can be restricted
QALWOBJRST
QLMTDEVSSN
QPWDLVL
QALWUSRDMN QCRTAUT
QLMTSECOFR
QPWDMAXLEN QRMTSRVATR
QAUDCTL
QCRTOBJAUD
QMAXSGNACN QPWDMINLEN
QSECURITY
QAUDENACN
QDEVRCYACN
QMAXSIGN
QPWDPOSDIF
QSHRMEMCTL
QAUDFRCLVL
QDSPSGNINF
QPWDEXPITV
QPWDRQDDGT QUSEADPAUT
QAUDLVL
QDSCJOBITV
QPWDLMTAJC
QPWDRQDDIF
QAUTOCFG
QFRCCVNRST
QPWDLMTCHR QPWDVLDPGM
|
|
QAUTORMT
QINACTMSGQ
QPWDLMTREP
|
|
|
You can use System Service Tools (SST) to enable these restrictions. To work with
these restrictions, you must have a service tools user ID and password. Dedicated
Service Tools also provides the ability to turn on and off these restrictions.
|
|
|
|
|
To
1.
2.
3.
|
|
|
The following sections discuss specific security system values. Those system values
to which you can restrict changes are documented within their corresponding
sections:
v General security system values
v Security-related system values
v Security-related restore system values
v System values that apply to passwords
v System values that control auditing
|
|
|
|
|
|
|
|
QAUTOVRT
QRMTSIGN
QVFYOBJRST
QRETSVRSEC
enable these restrictions, complete the following:

From a command line, enter STRSST.
On the System Service Tools (SST) display, select Option 7, and press enter.
You can restrict security system values and new digital certificates by selecting
No for each of these options.
General Security System Values

Overview:
23
|
|
Purpose:
Specify system values that control security on the system.
|
|
How To:
WRKSYSVAL *SEC (Work with System Values command)
|
|
Authority:
*ALLOBJ and *SECADM
|
|
Journal Entry:
SV
|
|
|
Notes: Changes take effect immediately. IPL is required only when

changing the security level (QSECURITY system value) or
password level (QPWDLVL system value).
Following are the general system values that control security on your system:
|
|
QALWUSRDMN
Allow user domain objects in the libraries
|
|
QCRTAUT
Create default public authority
|
|
QDSPSGNINF
Display sign-on information
|
|
QFRCCVNRST
Force conversion on restore
|
|
QINACTITV
Inactive job time-out interval
|
|
QINACTMSGQ
Inactive job message queue
|
|
QLMTDEVSSN
Limit device sessions
|
|
QLMTSECOFR
Limit security officer
|
|
QMAXSIGN
Maximum sign-on attempts
|
|
QMAXSGNACN
Action when maximum sign-on attempts exceeded
|
|
QRETSVRSEC
Retain Server Security
|
|
QRMTSIGN
Remote sign-on requests
|
|
QSECURITY
Security level
|
|
QSHRMEMCTL
Shared memory control
|
|
QUSEADPAUT
Use Adopted Authority
|
|
QVFYOBJRST
Verify object on restore
24
|
|
|
|
Descriptions of these system values follow. The possible choices are shown. The
choices that are underlined are the system-supplied defaults. For most system
values, a recommended choice is listed.
Allow User Domain Objects (QALWUSRDMN)
|
|
|
|
|
|
The QALWUSRDMN system value specifies which libraries are allowed to contain
user domain objects of type *USRSPC, *USRIDX, and *USRQ. The restriction does
not apply to user domain objects of type *PGM, *SRVPGM, and *SQLPKG. Systems
with high security requirements require the restriction of user *USRSPC, *USRIDX,
*USRQ objects. The system cannot audit the movement of information to and from
user domain objects.
|
|
|
|
New for V5R2, you can restrict users with *SECADM and *ALLOBJ authorities
|
|
|

|
|
|
|
|
|
|
|
|
|
Table 6. Possible Values for the QALWUSRDMN System Value:

*ALL
User domain objects are allowed in all libraries and directories
on the system.
*DIR
User domain objects are allowed in all directories on the
system.
library- name
The names of up to 50 libraries that can contain user domain
objects of type *USRSPC, *USRIDX, and *USRQ. If individual
libraries are listed, the library QTEMP must be included in the
list.
|
|
|
|
Recommended Value: For most systems, the recommended value is *ALL. If your
system has a high security requirement, you should allow user domain objects
only in the QTEMP library. At security level 50, the QTEMP library is a temporary
object and cannot be used to pass confidential data between users.
|
|
|
|
|
|
|
Some systems have application software that relies on object types *USRSPC,
*USRIDX, or *USRQ. For those systems, the list of libraries for the
QALWUSRDMN system value should include the libraries that are used by the
application software. The public authority of any library placed in
QALWUSRDMN, except QTEMP, should be set to *EXCLUDE. This limits the
number of users that may use MI interface, that cannot be audited, to read or
change the data in user domain objects in these libraries.
|
|
|
|
|
|
|
Note: If you run the Reclaim Storage (RCLSTG) command, user domain objects
may need to be moved in and out of the QRCL (reclaim storage) library. To
run the RCLSTG command successfully, you may need to add the QRCL
library to the QALWUSRDMN system value. To protect system security, set
the public authority to the QRCL library to *EXCLUDE. Remove the QRCL
library from the QALWUSRDMN system value when you have finished
running the RCLSTG command.
|
|
|
Authority for New Objects (QCRTAUT)

The QCRTAUT system value is used to determine the public authority for a newly
created object if the following conditions are met:
25
|
|
|
v The create authority (CRTAUT) for the library of the new object is set to
*SYSVAL.
v The new object is created with public authority (AUT) of *LIBCRTAUT.
|
|
|
|
|
|
|

|
|
|
|
|
|
Table 7. Possible Values for the QCRTAUT System Value:

*CHANGE
The public can change newly created objects.
*USE
The public may view, but not change, newly created objects.
*ALL
The public may perform any function on new objects.
*EXCLUDE
The public is not allowed to use new objects.
|
|
Recommended Value:
*CHANGE
|
|
The QCRTAUT system value is not used for objects created in directories in the
enhanced file system.
|
|
|
|
|
|
|
|
Attention: Several IBM-supplied libraries, including QSYS, have a CRTAUT value

of *SYSVAL. If you change the QCRTAUT system value to something other than
*CHANGE, you may encounter problems with signing on at new or automatically
created devices. To avoid these problems when you change QCRTAUT to
something other than *CHANGE, you should ensure that all device descriptions
and their associated message queues have a PUBLIC authority of *CHANGE. One
way to accomplish this is to change the CRTAUT value for library QSYS to
*CHANGE from *SYSVAL.
Display Sign-On Information (QDSPSGNINF)
The QDSPSGNINF system value determines whether the Sign-on Information

display is shown after signing on. The Sign-on Information display shows:
v Date of last sign-on
v Any sign-on attempts that were not valid
v The number of days until the password expires (if the password is due to expire
in 7 days or less)
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
||
Sign-on Information
Previous sign-on . . . . . . . . . . . . . :
10/30/91
Sign-on attempts not valid . . . . . . . . :
Days until password expires . . . . . . . :
26
System:
14:15:00
|
|
|
|
|
|
|

|
|
|
|
Table 8. Possible Values for the QDSPSGNINF System Value:

0
Display is not shown.
1
Display is shown.
|
|
Recommended Value: 1 (Display is shown) is recommended so users can monitor

attempted use of their profiles and know when a new password is needed.
Note: Display sign-on information can also be specified in individual user profiles.
|
|
|
|
|
|
|
Inactive Job Time-Out Interval (QINACTITV)

The QINACTITV system value specifies in minutes how long the system allows a
job to be inactive before taking action. A workstation is considered inactive if it is
waiting at a menu or display, or if it is waiting for message input with no user
interaction. Some examples of user interaction are:
|
|
v
v
v
v
|
|
|
|
|
|
|
Emulation sessions through iSeries Access are included. Local jobs that are signed
on to a remote system are excluded. Jobs that are connected by file transfer
protocol (FTP) are excluded. Prior to Version 4, Release 2, telnet jobs were also
excluded. To control the time-out of FTP connections, change the INACTTIMO
parameter on the Change FTP Attribute (CHGFTPA) command. To control the
time-out of telnet sessions prior to V4R2, use the Change Telnet Attribute
(CHGTELNA) command.
|
|
|
|
|
|
|
Following are examples of how the system determines which jobs are inactive:
v A user uses the system request function to start a second interactive job. A
system interaction, such as the Enter key, on either job causes both jobs to be
marked as active.
v A iSeries Access job may appear inactive to the system if the user is performing
PC functions such as editing a document without interacting with the iSeries
system.
|
|
The QINACTMSGQ system value determines what action the system takes when
an inactive job exceeds the specified interval.
|
|
|
|
|
|
|
When the system is started, it checks for inactive jobs at the interval specified by
the QINACTITV system value. For example, if the system is started at 9:46 in the
morning and the QINACTITV system value is 30 minutes, it checks for inactive
jobs at 10:16, 10:46, 11:16, and so on. If it discovers a job that has been inactive for
30 minutes or more, it takes the action specified by the QINACTMSGQ system
value. In this example, if a job becomes inactive at 10:17, it will not be acted upon
until 11:16. At the 10:46 check, it has been inactive for only 29 minutes.
Using
Using
Using
Using
the Enter key

the paging function
function keys
the Help key
27
|
|
|
The QINACTITV and QINACTMSGQ system values provide security by

preventing users from leaving inactive workstations signed on. An inactive
workstation might allow an unauthorized person access to the system.
|
|
|
|
|
|
Table 9. Possible Values for the QINACTITV System Value:

*NONE:
The system does not check for inactive jobs.
interval-in-minutes
Specify a value of 5 through 300. When a job has been inactive
for that number of minutes, the system takes the action
specified in QINACTMSGQ.
Recommended Value: 60 minutes.
Inactive Job Time-Out Message Queue (QINACTMSGQ)
|
|
|
The QINACTMSGQ system value specifies what action the system takes when the
inactive job time-out interval for a job has been reached.
|
|
|
|
|
|
|

|
|
|
|
|
|
|
|
|
|
|
|
Table 10. Possible Values for QINACTMSGQ System Value:

*ENDJOB
Inactive jobs are ended. If the inactive job is a group job,1 all
jobs associated with the group are also ended. If the job is part
of a secondary job,1 both jobs are ended. The action taken by
*ENDJOB is equal to running the command ENDJOB JOB(name)
OPTION (*IMMED) ADLINTJOBS(*ALL) against the inactive job.
*DSCJOB
The inactive job is disconnected, as are any secondary or group
jobs1 associated with it. The disconnected job time-out interval
(QDSCJOBITV) system value controls whether the system
eventually ends disconnected jobs. See Disconnected Job
Time-Out Interval (QDSCJOBITV) on page 38 for more
information.
|
|
|
|
|
|
Attention: The system cannot disconnect some jobs, such as PC

Organizer and PC text-assist function (PCTA). If the system
cannot disconnect an inactive job, it ends the job instead.
Message CPI1126 is sent to the specified message queue when
the inactive job time-out interval is reached. This message
states: Job &3/&2/&1; has not been active.
message-queue-name
|
|
|
|
|
The message queue must exist before it can be specified for the
QINACTMSGQ system value. This message queue is
automatically cleared during an IPL. If you assign
QINACTMSGQ as the users message queue, all messages in
the users message queue are lost during each IPL.
|
|
|
|
|
Recommended Value: *DSCJOB unless your users run iSeries Access jobs. Using
*DSCJOB when some iSeries Access jobs are running is the equivalent of ending
the jobs. It can cause significant loss of information. Use the message-queue option if
28
The Work Management book describes group jobs and secondary jobs.
|
|
you have the iSeries Access licensed program. The CL Programming book shows an
example of writing a program to handle messages.
|
|
|
|
|
Using a Message Queue: A user or a program can monitor the message queue and
take action as needed, such as ending the job or sending a warning message to the
user. Using a message queue allows you to make decisions about particular
devices and user profiles, rather than treating all inactive devices in the same way.
This method is recommended when you use the iSeries Access licensed program.
|
|
|
|
|
If a workstation with two secondary jobs is inactive, two messages are sent to the
message queue (one for each secondary job). A user or program can use the End
Job (ENDJOB) command to end one or both secondary jobs. If an inactive job has
one or more group jobs, a single message is sent to the message queue. Messages
continue to be sent to the message queue for each interval that the job is inactive.
Limit Device Sessions (QLMTDEVSSN)
|
|
|
|
|
The QLMTDEVSSN system value specifies whether a user is allowed to be signed

on to more than one device at a time. This value does not restrict the System
Request menu or a second sign-on from the same device. If a user has a
disconnected job, the user is allowed to sign on to the system with a new device
session.
|
|
|
|
|
|
|

|
|
|
|
Table 11. Possible Values for the QLMTDEVSSN System Value:

0
The system allows an unlimited number of sign-on sessions.
1
Users are limited to one device session.
|
|
Recommended Value: 1 (Yes) because limiting users to a single device reduces the
likelihood of sharing passwords and leaving devices unattended.
Note: Limiting device sessions can also be specified in individual user profiles.
Limit Security Officer (QLMTSECOFR)
|
|
|
|
The QLMTSECOFR system value controls whether a user with all-object (*ALLOBJ)
or service (*SERVICE) special authority can sign on to any workstation. Limiting
powerful user profiles to certain well-controlled workstations provides security
protection.
|
|
|
The QLMTSECOFR system value is only enforced at security level 30 and higher.
Workstations on page 187 provides more information about the authority
required to sign on at a workstation.
|
|
You can always sign on at the system console with the QSECOFR, QSRV, and
QSRVBAS profiles, no matter how the QLMTSECOFR value is set.
29
|
|
|
|
|
|
|

|
|
|
|
|
|
|
|
|
|
|
|
|
Table 12. Possible Values for the QLMTSECOFR System Value:

1
A user with *ALLOBJ or *SERVICE special authority can sign
on at a display station only if that user is specifically
authorized (that is, given *CHANGE authority) to the display
station or if user profile QSECOFR is authorized (given
*CHANGE authority) to the display station. This authority
cannot come from public authority.
0
Users with *ALLOBJ or *SERVICE special authority can sign on
at any display station for which they have *CHANGE
authority. They can receive *CHANGE authority through
private or public authority or because they have *ALLOBJ
special authority.
Recommended Value: 1 (Yes).
Maximum Sign-On Attempts (QMAXSIGN)
|
|
|
|
|
The QMAXSIGN system value controls the number of consecutive sign-on

attempts that are not correct by local and remote users. Incorrect sign-on attempts
can be caused by a user ID that is not correct, a password that is not correct, or
inadequate authority to use the workstation.
|
|
|
|
When the maximum number of sign-on attempts is reached, the QMAXSGNACN

system value is used to determine the action to be taken. A message is sent to the
QSYSOPR message queue (and QSYSMSG message queue if it exists in library
QSYS) to notify the security officer of a possible intrusion.
|
|
|
|
|
|
If you create the QSYSMSG message queue in the QSYS library, messages about
critical system events are sent to that message queue as well as to QSYSOPR. The
QSYSMSG message queue can be monitored separately by a program or a system
operator. This provides additional protection of your system resources. Critical
system messages in QSYSOPR are sometimes missed because of the volume of
messages sent to that message queue.
|
|
|
|
|
|
|

30
|
|
|
|
|
|
|
|
|
|
|
Table 13. Possible Values for the QMAXSIGN System Value:

3
A user can try to sign on a maximum of 3 times.
*NOMAX
The system allows an unlimited number of incorrect sign-on
attempts. This gives a potential intruder unlimited
opportunities to guess a valid user ID and password
combination.
limit
Specify a value from 1 through 25. The recommended number
of sign-on attempts is three. Usually three attempts are enough
to correct typing errors but low enough to help prevent
unauthorized access.
Recommended Value: 3.
Action When Sign-On Attempts Reached (QMAXSGNACN)
|
|
The QMAXSGNACN system value determines what the system does when the
maximum number of sign-on attempts is reached at a workstation.
|
|
|
|
|
|
|

|
|
|
|
|
Table 14. Possible Values for the QMAXSGNACN System Value:

3
Disable both the user profile and device.
1
Disable the device only.
2
Disable the user profile only.
|
|
|
The system disables a device by varying it off. The device is disabled only if the
sign-on attempts that are not valid are consecutive on the same device. One valid
sign-on resets the count of incorrect sign-on attempts for the device.
|
|
|
|
|
The system disables a user profile by changing the Status parameter to

*DISABLED. The user profile is disabled when the number of incorrect sign-on
attempts for the user reaches the value in the QMAXSIGN system value, regardless
of whether the incorrect sign-on attempts were from the same or different devices.
One valid sign-on resets the count of incorrect sign-on attempts in the user profile.
|
|
|
If you create the QSYSMSG message queue in QSYS, the message sent (CPF1397)
contains the user and device name. Therefore, it is possible to control the disabling
of the device based on the device being used.
|
|
Maximum Sign-On Attempts (QMAXSIGN) on page 30 provides more

information about the QSYSMSG message queue.
|
|
|
If the QSECOFR profile is disabled, you may sign on as QSECOFR at the console
and enable the profile. If the console is varied off and no other user can vary it on,
you must IPL the system to make the console available.
31
Retain Server Security (QRETSVRSEC)
|
|
|
|
|
QRETSVRSEC system value determines whether decryptable authentication

information associated with user profiles or validation list (*VLDL) entries can be
retained on the host system. This does not include the iSeries user profile
password.
|
|
|
If you change the value from 1 to 0, the system disables access to the
authentication information. If you change the value back to 1, the system reenables
access to the authentication information.
|
|
|
|
|
The authentication information can be removed from the system by setting the
QRETSVRSEC system value to 0 and running the CLRSVRSEC (Clear Server
Security Data) command. If you have a large number of user profiles or validation
lists on your system the CLRSVRSEC command may run for an extensive period of
time.
|
|
|
|
|
|
|
The encrypted data field of a validation list entry is typically used to store
authentication information. Applications specify whether to store the encrypted
data in a decryptable or non-decryptable form. If the applications choose a
decryptable form and the QRETSVRSEC value is changed from 1 to 0, the
encrypted data field information is not accessible from the entry. If the encrypted
data field of a validation list entry is stored in a non-decryptable from, it is not
affected by the QRETSVRSEC system value.
|
|
|
|
|
|
|

|
|
|
|
Table 15. Possible Values for the QRETSVRSEC System Value:

0
Server security data is not retained.
1
Server security data is retained.
Remote Sign-On Control (QRMTSIGN)
|
|
|
|
|
The QRMTSIGN system value specifies how the system handles remote sign-on
requests. Examples of remote sign-on are display station pass-through from
another system, the workstation function of the iSeries Access licensed program,
and TELNET access.
|
|
|
|
|
|
|

32
|
|
|
|
|
|
|
|
|
|
|
|
Table 16. Possible Values for the QRMTSIGN System Value:

*FRCSIGNON
Remote sign-on requests must go through the normal sign-on
process.
*SAMEPRF
When the source and target user profile names are the same,
the sign-on display may be bypassed if automatic sign-on is
requested. Password verification occurs before the target
pass-through program is used. If a password that is not valid is
sent on an automatic sign-on attempt, the pass-through session
always ends and an error message is sent to the user. However,
if the profile names are different, *SAMEPRF indicates that the
session ends with a security failure even if the user entered a
valid password for the remote user profile.
|
|
|
|
|
|
|
The sign-on display appears for pass-through attempts not

requesting automatic sign-on.
The *VERIFY value allows you to bypass the sign-on display of
the target system if valid security information is sent with the
automatic sign-on request. If the password is not valid for the
specified target user profile, the pass-through session ends with
a security failure.
*VERIFY
|
|
If the target system has a QSECURITY value of 10, any

automatic sign-on request is allowed.
|
|
|
|
|
|
|
The sign-on display appears for pass-through attempts not

requesting automatic sign-on.
No remote sign-on is permitted.
For TELNET access, there is no action for *REJECT.
The program specified runs at the start and end of every
pass-through session.
*REJECT
program-name library-name
|
|
|
Recommended Value: *REJECT if you do not want to allow any pass-through or

iSeries Access access. If you do allow pass-through or iSeries Access access, use
*FRCSIGNON or *SAMEPRF.
|
|
|
The Remote Work Station Support book contains detailed information about the
QRMTSIGN system value. It also contains the requirements for a remote sign-on
program and an example.
Share Memory Control (QSHRMEMCTL)
|
|
|
|
The QSHRMEMCTL system value defines which users are allowed to use shared
memory or mapped memory that has write capability. To change this system value,
users must have *ALLOBJ and *SECADM special authorities. A change to this
system value takes effect immediately.
|
|
|
|
|
|
|

33
|
|
|
Table 17. Possible Values for the QSHRMEMCTL System Value:.

0
Users cannot use shared memory, or use mapped memory that
has write capability.
|
|
|
|
|
This value means that users cannot use shared-memory APIs

(for example, shmat() Shared Memory Attach API), and
cannot use mapped memory objects that have write capability
(for example, mmap() Memory Map a File API provides this
function).
|
|
Use this value in environments with higher security

requirements.
|
|
|
|
|
|
|
|
|
Users can use shared memory or mapped memory that has

write capability.
This value means that users can use shared-memory APIs (for
example, shmat() Shared Memory Attach API), and can use
mapped memory objects that have write capability (for
example, mmap() Memory Map a File API provides this
function).
Use Adopted Authority (QUSEADPAUT)
|
|
|
|
|
|
The QUSEADPAUT system value defines which users can create programs with
the use adopted authority (*USEADPAUT(*YES)) attribute. All users authorized by
the QUSEADPAUT system value can create or change programs and service
programs to use adopted authority if the user has the necessary authority to the
program or service program.
|
|
|
|
|
The system value can contain the name of an authorization list. The users
authority is checked against this list. If the user has at least *USE authority to the
named authorization list, the user can create, change, or update programs or
service programs with the USEADPAUT(*YES) attribute. The authority to the
authorization list cannot come from adopted authority.
|
|
|
If an authorization list is named in the system value and the authorization list is
missing, the function being attempted will not complete. A message is sent
indicating this.
|
|
|
However, if the program is created with the QPRCRTPG API, and the
*NOADPAUT value is specified in the option template, the program creates
successfully even if the authorization list does not exist.
|
|
|
|
|
If more than one function is requested on the command or API, and the
authorization list is missing, the function is not performed. If the command being
attempted when the authorization list cannot be found is Create Pascal Program
(CRTPASPGM) or Create Basic Program (CRTBASPGM), the result is a function
check.
|
|
|
|
34
|
|
|

|
|
|
|
|
|
|
|
|
|
|
|
|
Table 18. Possible Values for the QUSEADPAUT System Value:

authorization list name
A diagnostic message is signaled to indicate that the program is
created with USEADPAUT(*NO) if all of the following are true:
|
|
|
|
Recommended Value: For production machines, create an authorization list with

authority of *PUBLIC(*EXCLUDE). Specify this authorization list for the
QUSEADPAUT system value. This prevents anyone from creating programs that
use adopted authority.
|
|
|
You should carefully consider the security design of your application before
creating the authorization list for QUSEADPAUT system value. This is especially
important for application development environments.
|
|
|
v An authorization list is specified for the QUSEADPAUT

system value.
v The user does not have authority to the authorization list
mentioned above.
v There are no other errors when the program or service
program is created.
All users can create or change programs and service programs
to use adopted authority if the users have the necessary
authority to the program or service program.
*NONE
Security-Related System Values

Overview:
|
|
Purpose:
Specify system values that relate to security on the system.
|
|
How To:
WRKSYSVAL (Work with System Values command)
|
|
Authority:
*ALLOBJ and *SECADM
|
|
Journal Entry:
SV
Notes: Changes take effect immediately. IPL is not required.
|
|
|
Following are descriptions of additional system values that relate to security on

your system. These system values are not included in the *SEC group on the Work
with System Values display.
|
|
QAUTOCFG
Automatic device configuration
|
|
QAUTOVRT
Automatic configuration of virtual devices
|
|
QDEVRCYACN
Device recovery action
35
|
|
QDSCJOBITV 1
Disconnected job time-out interval
|
|
QRMTSRVATR
Remote service attribute
|
|
Descriptions of these system values follow. For each value, the possible choices are
shown. The choices that are underlined are the system-supplied defaults.
Automatic Device Configuration (QAUTOCFG)
|
|
|
|
QAUTOCFG system value automatically configures locally attached devices. The

value specifies whether devices that are added to the system are configured
automatically.
|
|
|
|
|
|
|

|
|
|
|
|
|
|
|
|
Table 19. Possible Values for the QAUTOCFG System Value:

0
Automatic configuration is off. You must configure manually
any new local controllers or devices that you add to your
system.
1
Automatic configuration is on. The system automatically
configures any new local controllers or devices that you add to
your system. The operator receives a message that indicates the
changes to the systems configuration.
|
|
|
Recommended Value: When initiating system setup or when adding many new
devices, the system value should be set to 1. At all other times the system value
should be set at 0.
Automatic Configuration of Virtual Devices (QAUTOVRT)
|
|
|
|
The QAUTOVRT system value specifies whether pass-through virtual devices and
TELNET full screen virtual devices (as opposed to the workstation function virtual
device) are automatically configured.
|
|
|
A virtual device is a device description that does not have hardware associated
with it. It is used to form a connection between a user and a physical workstation
attached to a remote system.
|
|
|
|
|
|
|
|
Allowing the system to automatically configure virtual devices makes it easier for
users to break into your system using pass-through or telnet. Without automatic
configuration, a user attempting to break in has a limited number of attempts at
each virtual device. The limit is defined by the security officer using the
QMAXSIGN system value. With automatic configuration active, the actual limit is
higher. The system sign-on limit is multiplied by the number of virtual devices that
can be created by the automatic configuration support. This support is defined by
the QAUTOVRT system value.
1. This system value is also discussed in the Information Center (see Prerequisite and related information on page xvi for details).
36
|
|
|
|
|
|
|

|
|
|
|
|
|
|
Table 20. Possible Values for the QAUTOVRT System Value:

0
No virtual devices are created automatically.
number-of- virtual- devices
Specify a value 1 through 9999. If fewer than the specified
number of devices are attached to a virtual controller and no
device is available when a user attempts pass-through or full
screen TELNET, the system configures a new device.
Recommended Value: 0
|
|
|
The Remote Work Station Support book has more information about using display
station pass-through. The TCP/IP Configuration and Reference book as more
information about using TELNET.
Device Recovery Action (QDEVRCYACN)
|
|
QDEVRCYACN specifies what action to take when an I/O error occurs for an
interactive jobs workstation.
|
|
|
|
|
|
|

|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Table 21. Possible Values for the QDEVRCYACN System Value:

*DSCMSG
Disconnects the job. When signing-on again, an error message
is sent to the users application program.
*MSG
Signals the I/O error message to the users application
program. The application program performs error recovery.
*DSCENDRQS
Disconnects the job. When signing-on again, a cancel request
function is performed to return control of the job back to the
last request level.
*ENDJOB
Ends the job. A job log is produced for the job. A message
indicating that the job ended because of the device error is sent
to the job log and the QHST log. To minimize the performance
impact of the ending job, the jobs priority is lowered by 10, the
time slice is set to 100 milliseconds and the purge attribute is
set to yes.
*ENDJOBNOLIST
Ends the job. A job log is not produced for the job. A message
is sent to the QHST log indicating that the job ended because
of the device error.
|
|
|
When a value of *MSG or *DSCMSG is specified, the device recovery action is not
performed until the next I/O operation is performed by the job. In a LAN/WAN
environment, this may allow one device to disconnect and another to connect,
37
|
|
|
|
|
using the same address, before the next I/O operation for the job occurs. The job
may recover from the I/O error message and continue running to the second
device. To avoid this, a device recovery action of *DSCENDRQS, *ENDJOB, or
*ENDJOBNOLIST should be specified. These device recovery actions are performed
immediately when an I/O error, such as a power-off operation, occurs.
|
|
Recommended Value:
*DSCMSG
|
|
Note: *ALLOBJ and *SECADM special authorities are not required to change this
value.
|
|
Before Version 3, Release 6, the default value was *MSG. To leave as *MSG
presents a potential security exposure.
Disconnected Job Time-Out Interval (QDSCJOBITV)
|
|
|
The QDSCJOBITV system value determines if and when the system ends a
disconnected job. The interval is specified in minutes.
|
|
|
|
If you set the QINACTMSGQ system value to disconnect inactive jobs (*DSCJOB),
you should set the QDSCJOBITV to end the disconnected jobs eventually. A
disconnected job uses up system resources, as well as retaining any locks on
objects.
|
|
|
|
|
|
|

|
|
|
|
|
Table 22. Possible Values for the QDSCJOBITV System Value:

240
The system ends a disconnected job after 240 minutes.
*NONE
The system does not automatically end a disconnected job.
time-in-minutes
Specify a value between 5 and 1440.
Remote Service Attribute (QRMTSRVATR)
|
|
|
|
|
|
|
QRMTSRVATR controls the remote system service problem analysis ability. The
value allows the system to be analyzed remotely. New for V5R2, you can also
restrict users with *SECADM and *ALLOBJ authorities from changing this security
related system value with the CHGSYSVAL command. You can specify this
restriction in the System Service Tools (SST) with the Work with system security
option.
|
|
|

38
The values allowed for the QRMTSRVATR system value are:
|
|
|
|
Table 23. Possible Values for the QRMTSRVATR System Value:

0
Remote service attribute is off.
1
Remote service attribute is on.
|
|
For information about remote access and the QRMTSRVATR system value, see
Keylock Security on page 2.
|
|
|
Security-Related Restore System Values

Overview:
|
|
|
Purpose:
Controls how and which security-related objects are restored on
the system.
|
|
How To:
WRKSYSVAL*SEC (Work with System Values command)
|
|
Authority:
*ALLOBJ and *SECADM
|
|
Journal Entry:
SV
|
|
Following are descriptions of system values that relate to restoring security-related

objects on the system.
|
|
QVFYOBJRST
Verify object on restore
|
|
QFRCCVNRST
Force conversion on restore
|
|
QALWOBJRST
Allow restoring of security sensitive objects
|
|
Descriptions of these system values follow. For each value, the possible choices are
shown. The choices that are underlined are the system-supplied defaults.
Verify Object on Restore (QVFYOBJRST)
|
|
|
|
|
|
The QVFYOBJRST system value determines whether objects are required to have
digital signatures in order to be restored to your system. You can prevent anyone
from restoring an object, unless that object has a proper digital signature from a
trusted software provider. This value applies to objects of types: *PGM, *SRVPGM,
*SQLPKG, *CMD and *MODULE. It also applies to *STMF objects which contain
Java programs.
|
|
|
|
|
When an attempt is made to restore an object onto the system, three system values
work together as filters to determine if the object is allowed to be restored. The
first filter is the verify object on restore QVFYOBJRST system value. It is used to
control the restore of some objects that can be digitally signed. The second filter is
the force conversion on restore QFRCCVNRST system value. This system value
39
|
|
|
|
|
|
allows you to specify whether or not to convert programs, service programs, SQL
packages, and module objects during the restore. It can also prevent some objects
from being restored. Only objects that can get past the first two filters are
processed by the third filter. The third filter is the allow object on restore
(QALWOBJRST) system value. It specifies whether or not objects with
security-sensitive attributes can be restored.
|
|
|
|
If Digital Certificate Manager (OS/400 option 34) is not installed on the system, all
objects except those signed by a system trusted source are treated as unsigned
when determining the effects of the QVFYOBJRST system value during a restore
operation.
A change to this system value takes effect immediately.
|
|
|
|
|
|
|

Attention
|
|
|
When your system is shipped, the QVFYOBJRST system value is set to 3. If you
change the value of QVFYOBJRST, it is important to set the QVFYOBJRST value to
3 or lower before installing a new release of the OS/400 operating system.
|
|
|
Table 24. Possible Values for the QVFYOBJRST System Value:

1
Do not verify signatures on restore. Restore all objects
regardless of their signature.
|
|
|
This value should not be used unless you have signed objects
to restore which will fail their signature verification for some
acceptable reason.
|
|
|
|
|
|
|
|
Verify objects on restore. Restore unsigned commands and

user-state objects. Restore signed commands and user-state
objects, even if the signatures are not valid.
This value should be used only if there are specific objects with
signatures that are not valid which you want to restore. In
general, it is dangerous to restore objects with signatures that
are not valid on your system.
40
|
|
|
|
Table 24. Possible Values for the QVFYOBJRST System Value: (continued)
3
Verify signatures on restore. Restore unsigned commands and
user-state objects. Restore signed commands and user-state
objects only if the signatures are valid.
|
|
|
|
|
|
|
|
|
|
|
This value may be used for normal operations, when you

expect some of the objects you restore to be unsigned, but you
want to ensure that all signed objects have signatures that are
valid. Commands and programs you have created or purchased
before digital signatures were available will be unsigned. This
value allows those commands and programs to be restored.
This is the default value.
|
|
|
|
|
|
|
|
|
Verify signatures on restore. Do not restore unsigned

commands and user-state objects. Restore signed commands
and user-state objects, even if the signatures are not valid.
This value should be used only if there are specific objects with
signatures that are not valid which you want to restore, but
you do not want the possibility of unsigned objects being
restored. In general, it is dangerous to restore objects with
signatures that are not valid on your system.
|
|
|
|
Verify signatures on restore. Do not restore unsigned

commands and user-state objects. Restore signed commands
and user-state objects only if the signatures are valid.
This value is the most restrictive value and should be used
when the only objects you want to be restored are those which
have been signed by trusted sources
|
|
|
|
|
|
|
|
Objects which have the system-state attribute and objects which have the
inherit-state attribute are required to have valid signatures from a system trusted
source. The only value which will allow a system-state or inherit-state object to
restore without a valid signature is 1. Allowing such a command or program
represents an integrity risk to your system. If you change the QVFYOBJRST system
value to 1 to allow such an object to restore on your system, be sure to change the
QVFYOBJRST system value back to its previous value after the object has been
restored.
|
|
|
|
|
|
|
Some commands use a signature that does not cover all parts of the object. Some
parts of the command are not signed while other parts are only signed when they
contain a non-default value. This type of signature allows some changes to be
made to the command without invalidating its signature. Examples of changes that
will not invalidate these types of signatures include:
v Changing command defaults.
v Adding a validity checking program to a command that does not have one.
|
|
v Changing the where allowed to run parameter.

v Changing the allow limited user parameter.
|
|
If you wish, you can add your own signature to these commands that includes
these areas of the command object.
41
Force Conversion on Restore (QFRCCVNRST)
|
|
|
|
|
|
|
This system value allows you to specify whether or not to convert the following
object types during a restore:
v program (*PGM)
v service program (*SRVPGM)
v SQL Package (*SQLPKG)
v module (*MODULE)
|
|
|
It can also prevent some objects from being restored. An object which is specified
to be converted by the system value, but cannot be converted because it does not
contain sufficient creation data, will not be restored.
|
|
|
|
|
|
|
|
The *SYSVAL value for the FRCOBJCVN parameter on the restore commands (RST,
RSTLIB, RSTOBJ, RSTLICPGM) uses the value of this system value. Therefore, you
can turn on and turn off conversion for the entire system by changing the
QFRCCVNRST value. However, the FRCOBJCVN parameter overrides the system
value in some cases. Specifying *YES and *ALL on the FRCOBJCVN will override
all settings of the system value. Specifying *YES and *RQD on the FRCOBJCVN
parameter is the same as specifying 2 for this system value and can override the
system value when it is set to 0 or 1.
|
|
|
|
|
|
|
QFRCCVNRST is the second of three system values that work consecutively as

filters to determine if an object is allowed to be restored, or if it is converted
during the restore. The first filter, verify object on restore (QVFYOBJRST) system
value, controls the restore of some objects that can be digitally signed. Only objects
that can get past the first two filters are processed by the third filter, the allow
object restore (QALWOBJRST) system value, which specifies whether or not objects
with security-sensitive attributes can be restored.
|
|
|
|
The shipped value of QFRCCVNRST is 1. For all values of QFRCCVNRST an

object which should be converted but cannot be converted will not be restored.
Objects digitally signed by a system trusted source are restored without conversion
for all values of this system value.
|
|
|
|
You can specify this restriction in the System Service Tools (SST) with the with
theWork with system security option.
|
|
|

42
The table below summarizes the allowed values for QFRCCVNRST:
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Table 25. QFRCCVNRST Values

0
Do not convert anything. Do not prevent anything from being
restored.
1
Objects with validation errors will be converted.
2
Objects will be converted if their conversion is required for the
current operating system or if they have a validation error.
3
Objects which are suspected of having been tampered with,
objects which contain validation errors, and objects which
require conversion to be used on the current version of the
operating system will be converted.
4
Objects which contain sufficient creation data to be converted
and do not have valid digital signatures will be converted. An
object that does not contain sufficient creation data will be
restored without conversion. NOTE: Objects (signed and
unsigned) which have validation errors are suspected of having
been tampered with, or require conversion to be used on the
current version of the operating system will be converted, or
will fail to restore if they do not convert.
5
Objects that contain sufficient creation data will be converted.
An object that does not contain sufficient creation data to be
converted will be restored. NOTE: Objects which have
validation errors, are suspected of having been tampered with,
or require conversion to be used on the current version of the
operating system that cannot be converted will not restore.
6
All objects which do not have a valid digital signature will be
converted. NOTE: An object with a valid digital signature that
also has a validation error or is suspected of having been
tampered with will be converted, or if it cannot be converted, it
will not be restored.
7
Every object will be converted.
When an object is converted, its digital signature is discarded. The state of the converted
object is user state. Converted objects will have a good validation value and are not
suspected of having been tampered with.
Recommended Value:3 or higher.
Allow Restoring of Security-Sensitive Objects (QALWOBJRST)
|
|
|
The QALWOBJRST system value determines whether objects that are

security-sensitive may be restored to your system. You can use it to prevent
anyone from restoring a system state object or an object that adopts authority.
|
|
|
|
|
|
|
|
|
|
|
When an attempt is made to restore an object onto the system, three system values
work together as filters to determine if the object is allowed to be restored, or if it
is converted during the restore. The first filter is the verify object on restore
QVFYOBJRST system value. It is used to control the restore of some objects that
can be digitally signed. The second filter is the force conversion on restore
QFRCCVNRST system value. This system value allows you to specify whether or
not to convert programs, service programs, SQL packages, and module objects
during the restore. It can also prevent some objects from being restored. Only
objects that can get past the first two filters are processed by the third filter. The
third filter is the allow object on restore (QALWOBJRST) system value. It specifies
whether or not objects with security-sensitive attributes can be restored.
|
|
When your system is shipped, the QALWOBJRST system value is set to *ALL. This
value is necessary to install your system successfully.
43
ATTENTION: It is important to set the QALWOBJRST value to *ALL before

performing some system activities, such as:
v Installing a new release of the OS/400 licensed program.
v Installing new licensed programs.
v Recovering your system.
|
|
|
|
|
|
|
|
These activities may fail if the QALWOBJRST value is not *ALL. To

ensure system security, return the QALWOBJRST value to your
normal setting after completing the system activity.
|
|
|
|
|
|
|

|
|
You may specify multiple values for the QALWOBJRST system value, unless you
specify *ALL or *NONE.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Table 26. Possible Values for the QALWOBJRST System Value:.

*ALL
Any object may be restored to your system by a user with the
proper authority.
*NONE
Security-sensitive objects, such as system state programs or
programs that adopt authority, may not be restored to the
system.
*ALWSYSSTT
System and inherit state objects may be restored to the system.
*ALWPGMADP
Objects that adopt authority may be restored to the system.
*ALWPTF
System and inherit state objects, objects that adopt authority,
objects that have the S_ISUID(set-user-ID) attribute enabled,
and objects that have S_ISGID (set-group-ID) attribute enabled
can be restored to the system during PTF install.
*ALWSETUID
Allow restore of files that have the S_ISUID (set-user-ID)
attribute enabled.
*ALWSETGID
Allow restore of files that have the S_ISGID (set-group-ID)
attribute enabled.
*ALWVLDERR
Allow restore of objects that do not pass the object validation
tests. If the setting of QFRCCVNRST system value causes the
object to be converted, its validation errors will have been
corrected.
|
|
|
|
|
|
Recommended Value: The QALWOBJRST system value provides a method to

protect your system from programs that may cause serious problems. For normal
operations, consider setting this value to *NONE. Remember to change it to *ALL
before performing the activities listed previously. If you regularly restore programs
and applications to your system, you may need to set the QALWOBJRST system
value to *ALWPGMADP.
|
|
System Values That Apply to Passwords

Overview:
44
|
|
|
Purpose:
Specify system values to set requirements for the passwords
users assign.
|
|
How To:
|
|
Authority:
*ALLOBJ and *SECADM
|
|
Journal Entry:
SV
|
|
|
|
Following are the system values that control passwords. These system values
require users to change passwords regularly and help prevent users from assigning
trivial, easily guessed passwords. They can also make sure passwords meet the
requirements of your communications network:
|
|
QPWDEXPITV 2
Expiration interval
|
|
QPWDLVL
Password level
|
|
QPWDMINLEN 2
Minimum length
|
|
QPWDMAXLEN 2
Maximum length
|
|
QPWDRQDDIF 2
Required difference
|
|
QPWDLMTCHR
Restricted characters
|
|
QPWDLMTAJC
Restrict adjacent characters
|
|
QPWDLMTREP
Restrict repeating characters
|
|
QPWDPOSDIF
Character position difference
|
|
QPWDRQDDGT
Require numeric character
|
|
QPWDVLDPGM
Password validation program
|
|
|
|
|
The password-composition system values are enforced only when the password is
changed using the CHGPWD command, the ASSIST menu option to change a
password, or the QSYCHGPW application programming interface (API). They are
not enforced when the password is set using the CRTUSRPRF or CHGUSRPRF
command.
2. These system values are also discussed in the Information Center (seePrerequisite and related information on page xvi for
details).
45
|
|
|
|
|
|
If the Password Minimum Length (QPWDMINLEN) system value has a value

other than 1 or the Password Maximum Length (QPWDMAXLEN) system value
has a value other than 10 or you change any of the other password-control system
values from the defaults, the system prevents a user from setting the password
equal to the user profile name using the CHGPWD command, the ASSIST menu,
or the QSYCHGPW API.
|
|
|
|
If a password is forgotten, the security officer can use the Change User Profile
(CHGUSRPRF) command to set the password equal to the profile name or to any
other value. The Set password to expired field in the user profile can be used to
require that a password be changed the next time the user signs on.
Password Expiration Interval (QPWDEXPITV)
The QPWDEXPITV system value controls the number of days allowed before a
password must be changed. If a user attempts to sign on after the password has
expired, the system shows a display requiring that the password be changed before
the user is allowed to sign on.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
||
|
|
|
|
|
|
|
|

|
|
|
|
Table 27. Possible Values for the QPWDEXPITV System Value:

*NOMAX
Users are not required to change their passwords.
limit-in-days
Specify a value from 1 through 366.
Recommended Value: 30 to 90.
|
|
Note: A password expiration interval can also be specified in individual user

profiles.
Sign-on Information
Password has expired.

request.
System:
Password must be changed to continue sign-on
Previous sign-on . . . . . . . . . . . . . :
10/30/91
14:15:00
Password Level (QPWDLVL)
|
|
|
The password level of the system can be set to allow for user profile passwords
from 1-10 characters or to allow for user profile passwords from 1-128 characters.
|
|
|
|
The password level can be set to allow a passphrase as the password value. The
term passphrase is sometimes used in the computer industry to describe a
password value which can be very long and has few, if any, restrictions on the
characters used in the password value. Blanks can be used between letters in a
46
|
|
|
|
|
passphrase, which allows you to have a password value that is a sentence or

sentence fragment. The only restrictions on a passphrase are that it cannot start
with an asterisk (*) and trailing blanks will be removed. Before changing the
password level of your system, please review the section Planning Password
Level Changes on page 209.
|
|
|
|
|
|
|

|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Table 28. Possible Values for the QPWDLVL System Value:.

0
The system supports user profile passwords with a length of
1-10 characters. The allowable characters are A-Z, 0-9 and
characters $, @, # and underscore. QPWDLVL 0 should be used
if your system communicates with other iSeries systems in a
network and those systems are running with either a
QPWDLVL value of 0 or an operating system release less than
V5R1M0. QPWDLVL 0 should be used if your system
communicates with any other system that limits the length of
passwords from 1-10 characters. QPWDLVL 0 must be used if
your system communicates with the Windows 95/98/ME
iSeries Client Support for Windows Network Neighborhood
(NetServer) product and your system communicates with other
systems using passwords from 1-10 characters. When the
QPWDLVL value of the system is set to 0, the operating system
will create the encrypted password for use at QPWDLVL 2 and
3. The password value that can be used at QPWDLVL 2 and 3
will be the same password as is being used at QPWDLVL 0 or
1.
1
QPWDLVL 1 is the equivalent support of QPWDLVL 0 with the
following exception: iSeries NetServer passwords for Windows
95/98/ME clients will be removed from the system. If you use
the client support for the iSeries NetServer product you cannot
use QPWDLVL value 1. QPWDLVL 1 improves the security of
the iSeries system by removing all iSeries NetServer passwords
from the system.
47
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Table 28. Possible Values for the QPWDLVL System Value: (continued).
2
The system supports user profile passwords from 1-128
characters. Upper and lower case characters are allowed.
Passwords can consist of any character and the password will
be case sensitive. QPWDLVL 2 is viewed as a compatibility
level. This level allows for a move back to QPWDLVL 0 or 1 as
long as the password created on QPWDLVL 2 or 3 meets the
length and syntax requirements of a password valid on
QPWDLVL 0 or 1. QPWDLVL 2 can be used if your system
communicates with the Windows 95/98/ME iSeries Client
Support for Windows Network Neighborhood (NetServer)
product as long as your password is 1-14 characters in length.
QPWDLVL 2 cannot be used if your system communicates with
other iSeries systems in a network and those systems are
running with either a QPWDLVL value of 0 or 1 or an
operating system release less than V5R1M0. QPWDLVL 2
cannot be used if your system communicates with any other
system that limits the length of passwords from 1-10 characters.
No encrypted passwords are removed from the system when
QPWDLVL is changed to 2.
3
The system supports user profile passwords from 1-128
characters. Upper and lower case characters are allowed.
Passwords can consist of any character and the password will
be case sensitive. QPWDLVL 3 cannot be used if your system
communicates with other iSeries systems in a network and
those systems are running with either a QPWDLVL value of 0
or 1 or an operating system release less than V5R1M0.
QPWDLVL 3 cannot be used if your system communicates with
any other system that limits the length of passwords from 1-10
characters. QPWDLVL 3 cannot be used if your system
communicates with the Windows 95/98/ME iSeries Client
Support for Windows Network Neighborhood (NetServer)
product. All user profile passwords that are used at QPWDLVL
0 and 1 are removed from the system when QPWDLVL is 3.
Changing from QPWDLVL 3 back to QPWDLVL 0 or 1 requires
a change to QPWDLVL 2 before going to 0 or 1. QPWDLVL 2
allows for the creation of user profile passwords that can be
used at QPWDLVL 0 or 1 as long as the length and syntax
requirements for the password meet the QPWDLVL 0 or 1
rules.
|
|
|
|
Changing the password level of the system from 1-10 character passwords to 1-128
character passwords requires careful consideration. If your system communicates
with other systems in a network, then all systems must be able to handle the
longer passwords.
|
|
|
A change to this system value takes effect at the next IPL. To see the current and
pending password level values, use the CL command DSPSECA (Display Security
Attributes).
Minimum Length of Passwords (QPWDMINLEN)
|
|
|
The QPWDMINLEN system value controls the minimum number of characters in a

password.
|
|
|
|
48
|
|
|

|
|
|
|
|
|
Table 29. Possible Values for the QPWDMINLEN System Value:

6
A minimum of six characters are required for passwords.
minimum-number-ofSpecify a value of 1 through 10 when the password level
characters
(QPWDLVL) system value is 0 or 1. Specify a value of 1 through
128 when the password level (QPWDLVL) system value is 2 or 3.
|
|
Recommended Value: 6, to prevent users from assigning passwords that are easily
guessed, such as initials or a single character.
Maximum Length of Passwords (QPWDMAXLEN)
|
|
|
|
The QPWDMAXLEN system value controls the maximum number of characters in

a password. This provides additional security by preventing users from specifying
passwords that are too long and have to be recorded somewhere because they
cannot be easily remembered.
|
|
|
Some communications networks require a password that is 8 characters or less.

Use this system value to ensure that passwords meet the requirements of your
network.
|
|
|
|
|
|
|

|
|
|
|
|
|
|
Table 30. Possible Values for the QPWDMAXLEN System Value:

8
A maximum of eight characters for a password are allowed.
maximum-number-ofSpecify a value of 1 through 10 when the password level
characters
(QPWDLVL) system value is 0 or 1. Specify a value of 1
through 128 when the password level (QPWDLVL) system
value is 2 or 3.
Required Difference in Passwords (QPWDRQDDIF)
|
|
|
|
|
The QPWDRQDDIF system value controls whether the password must be different
from previous passwords. This value provides additional security by preventing
users from specifying passwords used previously. It also prevents a user whose
password has expired from changing it and then immediately changing it back to
the old password.
|
|
Note: The value of the QPWDRQDDIF system value determines how many of
these previous passwords are checked for a duplicate password.
|
|
|
|
49
|
|
|

|
|
|
|
|
|
|
|
|
|
|
|
Table 31. Possible Values for the QPWDRQDDIF System Value:

Value
Number of Previous Passwords Checked for Duplicates
0
0 Duplicate passwords are allowed.
1
32
2
24
3
18
4
12
5
10
6
8
7
6
8
4
|
|
|
|
|
|
|
Recommended Value: Select a value of 5 or less to prevent the use of repeated

passwords. Use a combination of the QPWDRQDDIF system value and the
QPWDEXPITV (password expiration interval) system value to prevent a password
from being reused for at least 6 months. For example, set the QPWDEXPITV
system value to 30 (days) and the QPWDRQDDIF system value to 5 (10 unique
passwords). This means a typical user, who changes passwords when warned by
the system, will not repeat a password for approximately 9 months.
Restricted Characters for Passwords (QPWDLMTCHR)
|
|
|
|
|
The QPWDLMTCHR system value limits the use of certain characters in a

password. This value provides additional security by preventing users from using
specific characters, such as vowels, in a password. Restricting vowels prevents
users from forming actual words for their passwords.
|
|
|
|
The QPWDLMTCHR system value is not enforced when the password level
(QPWDLVL) system value has a value of 2 or 3. The QPWDLMTCHR system value
can be changed at QPWDLVL 2 or 3, but will not be enforced until QPWDLVL is
changed to a value of 0 or 1.
|
|
|
|
|
|
|

|
|
|
|
|
|
Table 32. Possible Values for the QPWDLMTCHR System Value:

*NONE
There are no restricted characters for passwords.
restricted-characters
Specify up to 10 restricted characters. The valid characters are
A through Z, 0 through 9, and special characters pound (#),
dollar ($), at (@), and underscore (_).
|
|
Recommended Value: A, E, I, O, and U. You may also want to prevent special

characters (#, $, and @) for compatibility with other systems.
50
|
|
Restriction of Consecutive Digits for Passwords

(QPWDLMTAJC)
|
|
|
|
The QPWDLMTAJC system value limits the use of numeric characters next to each
other (adjacent) in a password. This value provides additional security by
preventing users from using birthdays, telephone numbers, or a sequence of
numbers as passwords.
|
|
|
|
|
|
|

|
|
|
|
|
|
Table 33. Possible Values for the QPWDLMTAJC System Value:

0
Numeric characters are allowed next to each other in
passwords.
1
Numeric characters are not allowed next to each other in
passwords.
|
|
Restriction of Repeated Characters for Passwords

(QPWDLMTREP)
|
|
|
|
The QPWDLMTREP system value limits the use of repeating characters in a

password. This value provides additional security by preventing users from
specifying passwords that are easy to guess, such as the same character repeated
several times.
|
|
|
When the password level (QPWDLVL) system value has a value of 2 or 3, the test
for repeated characters is case sensitive. This means that a lowercase a is not the
same as an uppercase A.
|
|
|
|
|
|
|

|
|
|
|
|
|
|
|
Table 34. Possible Values for the QPWDLMTREP System Value:

0
The same characters can be used more than once in a
password.
1
The same character cannot be used more than once in a
password.
2
The same character cannot be used consecutively in a
password.
|
|
Table 35 on page 52 shows examples of what passwords are allowed based on the
QPWDLMTREP system value.
51
Table 35. Passwords with Repeating Characters with QPWDLVL 0 or 1
|
|
Password Example
QPWDLMTREP
Value of 0
QPWDLMTREP
Value of 1
QPWDLMTREP
Value of 2
|
|
|
|
|
A11111
BOBBY
AIRPLANE
N707UK
Allowed
Allowed
Allowed
Allowed
Not
Not
Not
Not
Not allowed
Not allowed
Allowed
Allowed
Table 36. Passwords with Repeating Characters with QPWDLVL 2 or 3
|
|
Password Example
QPWDLMTREP
Value of 0
QPWDLMTREP
Value of 1
QPWDLMTREP
Value of 2
j222222
ReallyFast
MomsApPlePie
AaBbCcDdEe
Allowed
Allowed
Allowed
Allowed
Not allowed
Not allowed
Not allowed
Allowed
Not allowed
Not allowed
Allowed
Allowed
|
|
|
|
|
allowed
allowed
allowed
allowed
Character Position Difference for Passwords (QPWDPOSDIF)
|
|
|
|
The QPWDPOSDIF system value controls each position in a new password. This
provides additional security by preventing users from using the same character
(alphabetic or numeric) in a position corresponding to the same position in the
previous password.
|
|
|
When the password level (QPWDLVL) system value has a value of 2 or 3, the test
for the same character is case sensitive. This means that a lowercase a is not the
same as an uppercase A.
|
|
|
|
|
|
|

|
|
|
|
|
|
Table 37. Possible Values for the QPWDPOSDIF System Value:

0
The same characters can be used in a position corresponding to
the same position in the previous password.
1
The same character cannot be used in a position corresponding
to the same position in the previous password.
Requirement for Numeric Character in Passwords

(QPWDRQDDGT)
|
|
|
|
|
The QPWDRQDDGT system value controls whether a numeric character is

required in a new password. This value provides additional security by preventing
users from using all alphabetic characters.
|
|
|
|
52
|
|
|

|
|
|
|
Table 38. Possible Values for the QPWDRQDDGT System Value:

0
Numeric characters are not required in new passwords.
1
One or more numeric characters are required in new passwords
Password Approval Program (QPWDVLDPGM)
|
|
|
|
|
If *REGFAC or a program name is specified in the QPWDVLDPGM system value,

the system runs one or more programs after the new password has passed any
validation tests you specify in the password-control system values. You can use the
programs to do additional checking of user-assigned passwords before they are
accepted by the system.
|
|
The topic Using a Password Approval Program discusses the requirements of the
password approval program and shows an example.
|
|
A password approval program must reside in the system auxiliary storage pool
(ASP) or a basic user ASP.
|
|
|
|
|
|
|

|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Table 39. Possible Values for the QPWDVLDPGM System Value:

*NONE
No user-written program is used. This includes any password
approval programs registered in the exit registration facility.
*REGFAC
The validation program is retrieved from the registration
facility, exit point QIBM_QSY_VLD_PASSWRD. More than one
validation program can be specified in the registration facility.
Each program will be called until one of them indicates that the
password should be rejected or all of them have indicated the
password is valid.
program-name
Specify the name of the user-written validation program, from
1 through 10 characters. A program name cannot be specified
when the current or pending value of the password level
(QPWDLVL) system value is 2 or 3.
library-name
Specify the name of the library where the user-written program
is located. If the library name is not specified, the library list
(*LIBL) of the user changing the system value is used to search
for the program. QSYS is the recommended library.
|
|
|
|
|
|
Using a Password Approval Program

If *REGFAC or a program name is specified in the QPWDVLDPGM system value,
one or more programs are called by the Change Password (CHGPWD) command
or Change Password (QSYCHGPW) API. The programs are called only if the new
password entered by the user has passed all the other tests you specified in the
password-control system values.
53
|
|
|
In case it is necessary to recover your system from a disk failure, place the
password approval program in library QSYS. This way the password approval
program is loaded when you restore library QSYS.
|
|
If a program name is specified in the QPWDVLDPGM system value, the system

passes the following parameters to the password approval program:
Table 40. Parameters for Password Approval Program
Position
|
|
|
|
|
|
Type
Length
*CHAR
10
2
3
*CHAR
*CHAR
10
1
*CHAR
10
Description
The new password entered by the
user.
The users old password.
Return code: 0 for valid password;
not 0 for incorrect password.
The name of the user.
|
|
|
|
|
If *REGFAC is specified in the QPWDVLDPGM system value, refer to the Security

Exit Program information in the System API manual for information on the
parameters passed to the validation program.
|
|
|
|
|
If your program determines that the new password is not valid, you can either
send your own exception message (using the SNDPGMMSG command ) or set the
return code to a value other than 0 and let the system display an error message.
Exception messages that are signaled by your program must be created with the
DMPLST(*NONE) option of the Add Message Description (ADDMSGD) command.
|
|
|
|
The new password is accepted only if the user-written program ends with no
escape message and a return code of 0. Because the return code is initially set for
passwords that are not valid (not zero), the approval program must set the return
code to 0 for the password to be changed.
|
|
|
|
|
Attention: The current and new password are passed to the validation program
without encryption. The validation program could store passwords in a database
file and compromise security on the system. Make sure the functions of the
validation program are reviewed by the security officer and that changes to the
program are strictly controlled.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
The following control language (CL) program is an example of a password

approval program when a program name is specified for QPWDVLDLVL. This
example checks to make sure the password is not changed more than once in the
same day. Additional calculations can be added to the program to check other
criteria for passwords:
Position 4 is optional.
/**************************************************/
/* NAME:
PWDVALID - Password Validation
*/
/*
*/
/* FUNCTION: Limit password change to one per
*/
/*
day unless the password is expired
*/
/**************************************************/
PGM (&NEW &OLD &RTNCD &USER)
DCL VAR(&NEW)
TYPE(*CHAR) LEN(10)
DCL VAR(&OLD)
TYPE(*CHAR) LEN(10)
DCL VAR(&RTNCD)
TYPE(*CHAR) LEN(1)
DCL VAR(&USER)
TYPE(*CHAR) LEN(10)
DCL VAR(&JOBDATE)
TYPE(*CHAR) LEN(6)
DCL VAR(&PWDCHGDAT) TYPE(*CHAR) LEN(6)
54
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
DCL VAR(&PWDEXP)
TYPE(*CHAR) LEN(4)
/* Get the current date and convert to YMD format */
RTVJOBA
DATE(&JOBDATE)
CVTDAT
DATE(&JOBDATE) TOVAR(&JOBDATE) +
TOFMT(*YMD)
TOSEP(*NONE)
/* Get date password last changed and whether
*/
/* password is expired from user profile
*/
RTVUSRPRF USRPRF(&USER) PWDCHGDAT(&PWDCHGDAT)+
PWDEXP(&PWDEXP)
/* Compare two dates
*/
/*
if equal and password not expired
*/
/*
then send *ESCAPE message to prevent change */
/*
else set return code to allow change
*/
IF (&JOBDATE=&PWDCHGDAT *AND &PWDEXP=*NO ) +
SNDPGMMSG MSGID(CPF9898) MSGF(QCPFMSG) +
MSGDTA(Password can be changed only +
once per day) +
MSGTYPE(*ESCAPE)
ELSE CHGVAR &RTNCD 0
ENDPGM
|
|
The following control language (CL) program is an example of a password

approval program when *REGFAC is specified for QPWDVLDLVL.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
This example checks to make sure the new password is in CCSID 37 (or if it is in
CCSID 13488 it converts the new password to CCSID 37), that the new password
does not end in a numeric character, and that the new password does not contain
the user profile name. The example assumes that a message file (PWDERRORS)
has been created and message descriptions (PWD0001 and PWD0002) have been
added to the message file. Additional calculations can be added to the program to
check other criteria for passwords:
/**********************************************************/
/*
*/
/* NAME:
PWDEXITPGM1 - Password validation exit 1
*/
/*
*/
/* Validates passwords when *REGFAC is specified for
*/
/* QPWDVLDPGM. Program is registered using the ADDEXITPGM*/
/* CL command for the QIBM_QSY_VLD_PASSWRD exit point.
*/
/*
*/
/*
*/
/* ASSUMPTIONS: If CHGPWD command was used, password
*/
/* CCSID will be job default (assumed to be CCSID 37).
*/
/* If QSYCHGPW API was used, password CCSID will be
*/
/* UNICODE CCSID 13488.
*/
/**********************************************************/
DCL &EXINPUT
DCL &RTN
*CHAR 1000
*CHAR 1
DCL
DCL
DCL
DCL
DCL
DCL
DCL
DCL
*CHAR 10
*CHAR 256
*DEC 5 0
*DEC 5 0
*DEC 5 0
*DEC 5 0
*DEC 5 0
*DEC 5 0
&UNAME
&NEWPW
&NPOFF
&NPLEN
&INDX
&INDX
&INDX
&INDX
DCL &XLTCHR2
DCL &XLTCHR
DCL &XLATEU
*CHAR 2 VALUE(X0000)
*DEC 5 0
*CHAR 255 VALUE(............................... +
!"#$%&()*+,-./0123456789:;<=>?+
@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_+
`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~.+
................................+
55
................................+
................................+
...............................)
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
DCL &XLATEC
*CHAR 255 VALUE(...............................+

................................+
................................+
................................+
.ABCDEFGHI.......JKLMNOPQR......+
..STUVWXYZ......................+
................................+
................................)
/*********************************************************************/
/* FORMAT OF EXINPUT IS:
*/
/* POSITION
DESCRIPTION
*/
/* 001 - 020 EXIT POINT NAME
*/
/* 021 - 028 EXIT POINT FORMAT NAME
*/
/* 029 - 032 PASSWORD LEVEL (binary)
*/
/* 033 - 042 USER PROFILE NAME
*/
/* 043 - 044 RESERVED
*/
/* 045 - 048 OFFSET TO OLD PASSWORD (binary)
*/
/* 049 - 052 LENGTH OF OLD PASSWORD (binary)
*/
/* 053 - 056 CCSID OF OLD PASSWORD (binary)
*/
/* 057 - 060 OFFSET TO NEW PASSWORD (binary)
*/
/* 061 - 064 LENGTH OF NEW PASSWORD (binary)
*/
/* 065 - 068 CCSID OF NEW PASSWORD (binary)
*/
/* ??? - ??? OLD PASSWORD
*/
/* ??? - ??? NEW PASSWORD
*/
/*
*/
/*********************************************************************/
/*********************************************************************/
/* Establish a generic monitor for the program.
*/
/*********************************************************************/
MONMSG
CPF0000
/* Assume new password is valid */
CHGVAR &RTN VALUE(0) /* accept */
/* Get new password length, offset and value. Also get user name */
CHGVAR &NPLEN VALUE(%BIN(&EXINPUT 61 4))
CHGVAR &NPOFF VALUE(%BIN(&EXINPUT 57 4) + 1)
CHGVAR &UNAME VALUE(%SST(&EXINPUT 33 10))
CHGVAR &NEWPW VALUE(%SST(&EXINPUT &NPOFF &NPLEN))
/* If CCSID is 13488, probably used the QSYCHGPW API which converts */
/* the passwords to UNICODE CCSID 13488. So convert to CCSID 37, if */
/* possible, else give an error */
IF COND(%BIN(&EXINPUT 65 4) = 13488) THEN(DO)
CHGVAR &INDX2 VALUE(1)
CVT1:
CHGVAR &XLTCHR VALUE(%BIN(&NEWPW &INDX2 2))
IF COND( (&XLTCHR *LT 1) *OR (&XLTCHR *GT 255) ) THEN(DO)
CHGVAR &RTN VALUE(3) /* reject */
SNDPGMMSG MSG(INVALID CHARACTER IN NEW PASSWORD)
GOTO DONE
ENDDO
CHGVAR %SST(&NEWPW &INDX3 1) VALUE(%SST(&XLATEU &XLTCHR 1))
CHGVAR &INDX2 VALUE(&INDX2 + 2)
IF COND(&INDX2 > &NPLEN) THEN(GOTO ECVT1)
GOTO CVT1
ECVT1:
CHGVAR &NPLEN VALUE(&INDX3 - 1)
CHGVAR %SST(&EXINPUT 65 4) VALUE(X00000025)
56
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
ENDDO
/* Check the CCSID of the new password value - must be 37
IF COND(%BIN(&EXINPUT 65 4) *NE 37) THEN(DO)
SNDPGMMSG MSG(CCSID OF NEW PASSWORD MUST BE 37)
GOTO DONE
ENDDO
*/
/* UPPERCASE NEW PASSWORD VALUE

*/
CVT4:
CHGVAR %SST(&XLTCHR2 2 1) VALUE(%SST(&NEWPW &INDX2 1))
CHGVAR &XLTCHR VALUE(%BIN(&XLTCHR2 1 2))
IF COND( (&XLTCHR *LT 1) *OR (&XLTCHR *GT 255) ) THEN(DO)
SNDPGMMSG MSG(INVALID CHARACTER IN NEW PASSWORD)
GOTO DONE
ENDDO
IF COND(%SST(&XLATEC &XLTCHR 1) *NE .) +
THEN(CHGVAR %SST(&NEWPW &INDX3 1) VALUE(%SST(&XLATEC &XLTCHR 1)))
IF COND(&INDX2 > &NPLEN) THEN(GOTO ECVT4)
GOTO CVT4
ECVT4:
/*
IF
IF
IF
IF
IF
IF
IF
IF
IF
IF
CHECK IF LAST POSITION OF NEW PASSWORD IS NUMERIC */

COND(%SST(&NEWPW &NPLEN 1) = 0) THEN(GOTO ERROR1)
/* CHECK IF PASSWORD CONTAINS USER PROFILE NAME

CHGVAR &UNLEN VALUE(1)
LOOP2:
/* FIND LENGTH OF USER NAME */
IF COND(%SST(&UNAME &UNLEN 1) *NE ) THEN(DO)
CHGVAR &UNLEN VALUE(&UNLEN + 1)
IF COND(&UNLEN = 11) THEN(GOTO ELOOP2)
GOTO LOOP2
ENDDO
ELOOP2:
CHGVAR &UNLEN VALUE(&UNLEN - 1)
*/
/* CHECK FOR USER NAME IN NEW PASSWORD

*/
IF COND(&UNLEN *GT &NPLEN) THEN(GOTO ELOOP3)
CHGVAR &INDX VALUE(1)
LOOP3:
IF COND(%SST(&NEWPW &INDX &UNLEN) = %SST(&UNAME 1 &UNLEN))+
THEN(GOTO ERROR2)
IF COND((&INDX + &UNLEN + 1) *LT 128) THEN(DO)
CHGVAR &INDX VALUE(&INDX + 1)
GOTO LOOP3
ENDDO
ELOOP3:
/* New Password is valid
GOTO DONE
*/
57
ERROR1: /* NEW PASSWORD ENDS IN NUMERIC CHARACTER */

SNDPGMMSG TOPGMQ(*PRV) MSGTYPE(*ESCAPE) MSGID(PWD0001) MSGF(QSYS/PWDERRORS)
GOTO DONE
|
|
|
|
|
|
|
|
|
|
|
|
|
|
ERROR2: /* NEW PASSWORD CONTAINS USER NAME */

SNDPGMMSG TOPGMQ(*PRV) MSGTYPE(*ESCAPE) MSGID(PWD0002) MSGF(QSYS/PWDERRORS)
GOTO DONE
DONE:
ENDPGM
|
|
System Values That Control Auditing
Overview:
|
|
|
Purpose:
Specify system values to control security auditing on the
system.
|
|
How To:
|
|
Authority:
*AUDIT
|
|
Journal Entry:
SV
These system values control auditing on the system:
|
|
QAUDCTL
Auditing control
|
|
QAUDENDACN
Auditing end action
|
|
QAUDFRCLVL
Auditing force level
|
|
QAUDLVL
Auditing level
|
|
QCRTOBJAUD
Create default auditing
|
|
|
Descriptions of these system values follow. The possible choices are shown. The
choices that are underlined are the system-supplied defaults. For most system
values, a recommended choice is listed.
Auditing Control (QAUDCTL)
The QAUDCTL system value determines whether auditing is performed. It

functions like an on and off switch for the following:
v The QAUDLVL system value
v The auditing defined for objects using the Change Object Auditing
(CHGOBJAUD) and Change DLO Auditing (CHGDLOAUD) commands
|
|
|
|
|
58
|
|
v The auditing defined for users using the Change User Audit (CHGUSRAUD)
command
|
|
|
|
|
|
|

|
|
You can specify more than one value for the QAUDCTL system value, unless you
specify *NONE.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Table 41. Possible Values for the QAUDCTL System Value:

*NONE
No auditing of user actions and no auditing of objects is
performed.
*OBJAUD
Auditing is performed for objects that have been selected using
the CHGOBJAUD, CHGDLOAUD, or CHGAUD commands.
*AUDLVL
Auditing is performed for any functions selected on the
QAUDLVL system value and on the AUDLVL parameter of
individual user profiles. The audit level for a user is specified
using the Change User Audit (CHGUSRAUD) command.
*NOQTEMP
Auditing is not performed for most actions if the object is in
QTEMP library. See Chapter 9, Auditing Security on the
iSeries System on page 247 for more details. You must specify
this value with either *OBJAUD or *AUDLVL.
See Planning Security Auditing on page 253 for a complete
description of the process for controlling auditing on your
system.
Auditing End Action (QAUDENDACN)
|
|
The QAUDENDACN system value determines what action the system takes if
auditing is active and the system is unable to write entries to the audit journal.
|
|
|
|
|
|
|

59
|
|
|
|
|
|
|
Table 42. Possible Values for the QAUDENDACN System Value:

*NOTIFY
Message CPI2283 is sent to the QSYSOPR message queue and
the QSYSMSG message queue (if it exists) every hour until
auditing is successfully restarted. The system value QAUDCTL
is set to *NONE to prevent the system from attempting to write
additional audit journal entries. Processing on the system
continues.
|
|
|
|
|
|
|
|
|
|
|
|
|
*PWRDWNSYS
If an IPL is performed before auditing is restarted, message

CPI2284 is sent to the QSYSOPR and QSYSMSG message
queues during the IPL.
If the system is unable to write an audit journal entry, the
system powers down immediately. The system unit displays
system reference code (SRC) B900 3D10. When the system is
powered on again, it is in a restricted state. This means the
controlling subsystem is in a restricted state, no other
subsystems are active, and sign-on is allowed only at the
console. The QAUDCTL system value is set to *NONE. The
user who signs on the console to complete the IPL must have
*ALLOBJ and *AUDIT special authority.
|
|
|
Recommended Value: For most installations, *NOTIFY is the recommended value.

If your security policy requires that no processing be performed on the system
without auditing, then you must select *PWRDWNSYS.
|
|
|
|
Only very unusual circumstances cause the system to be unable to write audit
journal entries. However, if this does happen and the QAUDENDACN system
value is *PWRDWNSYS, your system ends abnormally. This could cause a lengthy
initial program load (IPL) when your system is powered on again.
Auditing Force Level (QAUDFRCLVL)
|
|
|
|
The QAUDFRCLVL system value determines how often new audit journal entries
are forced from memory to auxiliary storage. This system value controls the
amount of auditing data that may be lost if the system ends abnormally.
|
|
|
|
|
|
|

|
|
|
|
|
|
|
|
Table 43. Possible Values for the QAUDFRCLVL System Value:

*SYS
The system determines when journal entries are written to
auxiliary storage based on internal system performance.
number-of- records
Specify a number between 1 and 100 to determine how many
audit entries can accumulate in memory before they are written
to auxiliary storage. The smaller the number, the greater the
impact on system performance.
|
|
|
Recommended Value: *SYS provides the best auditing performance. However, if

your installation requires that no audit entries be lost when your system ends
abnormally, you must specify 1. Specifying 1 may impair performance.
60
Auditing Level (QAUDLVL)
|
|
|
The QAUDLVL system value determines which security-related events are logged
to the security audit journal (QAUDJRN) for all system users. You can specify
more than one value for the QAUDLVL system value, unless you specify *NONE.
|
|
For the QAUDLVL system value to take effect, the QAUDCTL system value must
include *AUDLVL.
|
|
|
|
|
|
|

|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Table 44. Possible Values for the QAUDLVL System Value:

*NONE
No events controlled by the QAUDLVL system value are
logged. Events are logged for individual users based on the
AUDLVL values of user profiles.
*AUTFAIL
Authority failure events are logged.
*CREATE
Object create operations are logged.
*DELETE
Object delete operations are logged.
*JOBDTA
Actions that affect a job are logged.
*NETCMN
Violation detected by APPN Filter support is logged.
*OBJMGT
Object move and rename operations are logged.
*OFCSRV
Changes to the system distribution directory and office mail
actions are logged.
*OPTICAL
Use of Optical Volumes is logged.
*PGMADP
Obtaining authority from a program that adopts authority is
logged.
*PGMFAIL
System integrity violations are logged.
*PRTDTA
Printing a spooled file, sending output directly to a printer, and
sending output to a remote printer are logged.
*SAVRST
Restore operations are logged.
*SECURITY
Security-related functions are logged.
*SERVICE
Using service tools is logged.
*SPLFDTA
Actions performed on spooled files are logged.
*SYSMGT
Use of system management functions is logged.
|
|
See Planning the Auditing of Actions on page 253 for a complete description of
the journal entry types and the possible values for QAUDLVL.
Auditing for New Objects (QCRTOBJAUD)
|
|
|
|
The QCRTOBJAUD system value is used to determine the auditing value for a new
object, if the auditing default for the library of the new object is set to *SYSVAL.
The QCRTOBJAUD system value is also the default object auditing value for new
folderless documents.
|
|
|
|
For example, the CRTOBJAUD value for the CUSTLIB library is *SYSVAL. The
QCRTOBJAUD value is *CHANGE. If you create a new object in the CUSTLIB
library, its object auditing value is automatically set to *CHANGE. You can change
the object auditing value using the CHGOBJAUD command.
61
|
|
|
|
|
|
|

|
|
|
|
|
|
|
|
|
Table 45. Possible Values for the QCRTOBJAUD System Value:

*NONE
No auditing is done for the object.
*USRPRF
Auditing of the object is based on the value in the profile of the
user accessing the object.
*CHANGE
An audit record is written whenever the object is changed.
*ALL
An audit record is written for any action that affects the
contents of the object. An audit record is also written if an
objects contents change.
|
|
|
|
|
|
Recommended Value: The value you select depends upon the auditing
requirements of your installation. The section Planning the Auditing of Object
Access on page 263 provides more information about methods for setting up
object auditing on your system. You may also control the auditing value at the
library level with the CRTOBJAUD parameter with the CRTLIB command and the
CHGLIB command.
62
Chapter 4. User Profiles

This chapter describes user profiles: their purpose, their features, and how to
design them. User profiles are a powerful and flexible tool. Designing them well
can help you protect your system and customize it for your users.
Overview:
Purpose:
Create and maintain user profiles and group profiles on the
system.
How To:
Work with User Profiles (WRKUSRPRF) command
Change User Audit (CHGUSRAUD) command
Authority:
*SECADM special authority
*AUDIT special authority to change user auditing
Journal Entry:
CP for changes to users profiles
AD for changes to user auditing
ZC for changes to a user profile that are not relevant to security
Roles of the User Profile

The user profile has several roles on the system:
v It contains security-related information that controls how the user signs on the
system, what the user is allowed to do after signing on, and how the users
actions are audited.
v It contains information that is designed to customize the system and adapt it to
the user.
v It is a management and recovery tool for the operating system. The user profile
contains information about the objects owned by the user and all the private
authorities to objects.
v The user profile name identifies the users jobs and printer output.
If the security level (QSECURITY) system value on your system is 10, the system
automatically creates a user profile when someone signs on with a user ID that
does not already exist on the system. Table 133 in Appendix B shows the values
assigned when the system creates a user profile.
If the QSECURITY system value on your system is 20 or higher, a user profile
must exist before a user can sign on.
Group Profiles
A group profile is a special type of user profile. It serves two purposes on the
system:
63
Security tool
A group profile provides a method for organizing authorities on your
system and sharing them among users. You can define object authorities or
special authorities for group profiles rather than for each individual user
profile. A user may be a member of up to 16 group profiles.
Customizing tool
A group profile can be used as a pattern for creating individual user
profiles. Most people who are part of the same group have the same
customizing needs, such as the initial menu and the default printer. You
can define these things in the group profile and then copy the group
profile to create individual user profiles.
You create group profiles in the same way that you create individual profiles. The
system recognizes a group profile when you add the first member to it. At that
point, the system sets information in the profile indicating that it is a group profile.
The system also generates a group identification number (gid) for the profile. You
can also designate a profile as a group profile at the time that you create it by
specifying a value in the GID parameter. Planning Group Profiles on page 229
shows an example of setting up a group profile.
User-Profile Parameter Fields

User profiles can be created in the following ways:
v iSeries Navigator
v Management Central
v Character-based interface
When you create a user profile, the profile is given these authorities to itself:
*OBJMGT, *CHANGE. These authorities are necessary for system functions and
should not be removed.
Following are explanations of each field in the user profile. The fields are described
in the order they appear on the Create User Profile command prompt.
Many system displays have different versions, called assistance levels, to meet the
needs of different users:
v Basic assistance level, which contains less information and does not use technical
terminology.
v Intermediate assistance level, which shows more information and uses technical
terms.
v Advanced assistance level, which uses technical terms and shows the maximum
amount of data by not always displaying function key and option information.
The sections that follow show what the user profile fields are called on both the
basic assistance level and the intermediate assistance level displays. This is the
format used:
Field Title
The title of the section shows how the field name appears on the Create
User Profile command prompt, which is shown when you create a user
profile with intermediate assistance level or the Create User Profile
(CRTUSRPRF) command.
Add User prompt:
This shows how the field name appears on the Add User display and other
64
user-profile displays that use basic assistance level. The basic assistance
level displays show a subset of the fields in the user profile. Not shown
means the field does not appear on the basic assistance level display. When
you use the Add User display to create a user profile, default values are
used for all fields that are not shown.
CL parameter:
You use the CL parameter name for a field in a CL program or when you
enter a user profile command without prompting.
Length:
If you use the Retrieve User Profile (RTVUSRPRF) command in a CL
program, this is the length you should use to define the parameter
associated with the field.
Authority:
If a field refers to a separate object, such as a library or a program, you are
told the authority requirements for the object. To specify the object when
you create or change a user profile, you need the authority listed. To sign
on using the profile, the user needs the authority listed. For example, if
you create user profile USERA with job description JOBD1, you must have
*USE authority to JOBD1. USERA must have *USE authority to JOBD1 to
successfully sign on with the profile.
In addition, each section describes the possible values for the field and a
recommended value.
User Profile Name

Add User prompt:
User
CL parameter:
USRPRF
Length:
10
The user profile name identifies the user to the system. This user profile name is
also known as the user ID. It is the name the user types in the User prompt on the
Sign On display.
The user profile name can be a maximum of 10 characters. The characters can be:
v Any letter (A through Z)
v Any number (0 through 9)
v These special characters: pound (#), dollar ($), underscore (_), at (@).
Note: The Add User display allows only an eight-character user name.
The user profile name cannot begin with a number.
Note: It is possible to create a user profile so that when a user signs on, the user
ID is only numerals. To create a profile like this, specify a Q as the first
character, such as Q12345. A user can then sign on by entering 12345 or
Q12345 for the User prompt on the Sign On display.
For more information about specifying names on the system, see the CL
Programming book.
65
Recommendations for Naming User Profiles: Consider these things when

deciding how to name user profiles:
v A user profile name can be up to 10 characters long. Some communications
methods limit the user ID to eight characters. The Add User display also limits
the user profile name to eight characters.
v Use a naming scheme that makes user IDs easy to remember.
v The system does not distinguish between uppercase and lowercase letters in a
user profile name. If you enter lowercase alphabetic characters at your
workstation, the system translates them to uppercase characters.
v The displays and lists you use to manage user profiles show them in
alphabetical order by user profile name.
v Avoid using special characters in user profile names. Special characters may
cause problems with keyboard mapping for certain workstations or with
national language versions of the OS/400 licensed program.
One technique for assigning user profile names is to use the first seven characters
of the last name followed by the first character of the first name. For example:
User Name
User Profile Name
Anderson, George
Anderson, Roger
Harrisburg, Keith
Jones, Sharon
Jones, Keith
ANDERSOG
ANDERSOR
HARRISBK
JONESS
JONESK
Recommendations for Naming Group Profiles: If you want to be able to easily

identify group profiles on lists and displays, use a naming convention. Begin all
group profile names with the same characters, such as GRP (for group) or DPT (for
department).
Password
Add User prompt:
Password
CL parameter:
PASSWORD
Length:
128
The password is used to verify a users authority to sign on the system. A user ID
and a password must be specified to sign on when password security is active
(QSECURITY system value is 20 or higher).
Passwords can be a maximum of 10 characters when the QPWDLVL system value
is set to 0 or 1. Passwords can be a maximum of 128 characters when the
QPWDLVL system value is set to 2 or 3.
When the password level (QPWDLVL) system value is 0 or 1, the rules for
specifying passwords are the same as those used for user profile names. When the
first character of the password is a Q and the second character is a numeric
character, the Q can be omitted on the Sign On display. If a user specifies Q12345
as the password on the Change Password display, the user can specify either 12345
or Q12345 as the password on the Sign On display. When QPWDLVL is 2 or 3, the
66
user must specify the password as Q12345 on the signon display if the user profile
was created with a password of Q12345. An all numeric password is allowed when
QPWDLVL is 2 or 3, but the user profile password must be created as all numeric.
When the password level (QPWDLVL) system value is 2 or 3, the password is case
sensitive and can contain any character including blank characters. However, the
password may not begin with an asterisk character (*) and trailing blank
characters are removed.
|
|
|
|
|
Note: Passwords can be created using double byte characters. However, a

password containing double byte characters cannot be used to signon via
the system signon screen. Passwords containing double byte characters can
be created by the CRTUSRPRF and CHGUSRPRF commands and can be
passed to the system APIs that support the password parameter.
One-way encryption is used to store the password on the system. If a password is
forgotten, the security officer can use the Change User Profile (CHGUSRPRF)
command to assign a temporary password and set that password to expired,
requiring the user to assign a new password at the next sign-on.
You can set system values to control the passwords that users assign. The
password composition system values apply only when a user changes a password
using the Change Password (CHGPWD) command, the Change password option
from the ASSIST menu, or the QSYCHGPW API. If the password minimum length
(QPWDMINLEN) system value is not 1 or the password maximum length
(QPWDMAXLEN) system value is not 10 or any of the other password
composition system values have been changed from the default values, a user
cannot set the password equal to the user profile name using the CHGPWD
command, the ASSIST menu, or the QSYCHGPW API.
See the topic System Values That Apply to Passwords on page 44 for information
about setting the password composition system values.
Table 46. Possible Values for PASSWORD:
*USRPRF
The password for this user is the same as the user profile
name. When the password level (QPWDLVL) system value is 2
or 3, the password is the uppercased value of the user profile
name. For profile JOHNDOE, the password would be
JOHNDOE, not johndoe.
*NONE
No password is assigned to this user profile. Sign-on is not
allowed with this user profile. You can submit a batch job
using a user profile with password *NONE if you have proper
authority to the user profile.
user- password
A character string (128 characters or less).
Recommendations for Passwords:

v Set the password for a group profile to *NONE. This prevents anyone from
signing on with the group profile.
v When creating an individual user profile, set the password to an initial value
and require a new password to be assigned when the user signs on (set
password expired to *YES). The default password when creating a user profile is
the same as the user profile name.
v If you use a trivial or default password when creating a new user profile, make
sure the user intends to sign on immediately. If you expect a delay before the
user signs on, set the status of the user profile to *DISABLED. Change the status
67
to *ENABLED when the user is ready to sign on. This protects a new user
profile from being used by someone who is not authorized.
v Use the password composition system values to prevent users from assigning
trivial passwords.
v Some communications methods send passwords between systems and limit the
length of password and the characters that passwords can contain. If your
system communicates with other systems, use the QPWDMAXLEN system value
to limit the passwords length. At password levels 0 and 1, the QPWDLMTCHR
system value can be used to specify characters that cannot be used in
passwords.
Set Password to Expired

Add User prompt:
Not shown
CL parameter:
PWDEXP
Length:
4
The Set password to expired field allows a security administrator to indicate in the
user profile that the users password is expired and must be changed the next time
the user signs on. This value is reset to *NO when the password is changed. You
can change the password by using either the CHGPWD or CHGUSRPRF
command, or the QSYCHGPW API, or as part of the next sign-on process.
This field can be used when a user cannot remember the password and a security
administrator must assign a new one. Requiring the user to change the password
assigned by the security administrator prevents the security administrator from
knowing the new password and signing on as the user.
When a users password has expired, the user receives a message at sign-on (see
Figure 1). The user can either press the Enter key to assign a new password or
press F3 (Exit) to cancel the sign-on attempt without assigning a new password. If
the user chooses to change the password, the Change Password display is shown
and password validation is run for the new password.
Sign-on Information
Password has expired.

request.
System:
Password must be changed to continue sign-on
Previous sign-on . . . . . . . . . . . . . :
10/30/91
Figure 1. Password Expiration Message

Table 47. Possible Values for PWDEXP:
*NO:
The password is not set to expired.
*YES:
The password is set to expired.
68
14:15:00
Recommendations: Set the password to expired whenever you create a new user
profile or assign a temporary password to a user.
Status
Add User prompt:
Not shown
CL parameter:
STATUS
Length:
10
The value of the Status field indicates if the profile is valid for sign-on. If the
profile status is enabled, the profile is valid for sign-on. If the profile status is
disabled, an authorized user has to enable the profile again to make it valid for
sign-on.
You can use the CHGUSRPRF command to enable a profile that has been disabled.
You must have *SECADM special authority and *OBJMGT and *USE authority to
the profile to change its status. The topic Enabling a User Profile on page 112
shows an example of an adopted authority program to allow a system operator to
enable a profile.
The system may disable a profile after a certain number of incorrect sign-on
attempts with that profile, depending on the settings of the QMAXSIGN and
QMAXSGNACN system values.
You can always sign on with the QSECOFR (security officer) profile at the console,
even if the status of QSECOFR is *DISABLED. If the QSECOFR user profile
becomes disabled, sign on as QSECOFR at the console and type CHGUSRPRF QSECOFR
STATUS(*ENABLED).
Table 48. Possible Values for STATUS:
*ENABLED
The profile is valid for sign-on.
*DISABLED
The profile is not valid for sign-on until an authorized user
enables it again.
Recommendations: Set the status to *DISABLED if you want to prevent sign-on

with a user profile. For example, you can disable the profile of a user who will be
away from the business for an extended period.
User Class
Add User prompt:
Type of User
CL parameter:
USRCLS
Length:
10
User class is used to control what menu options are shown to the user on OS/400
menus. This does not necessarily limit the use of commands. The Limit capabilities
field controls whether the user can enter commands. User class may not affect
what options are shown on menus provided by other licensed programs.
69
If no special authorities are specified when a user profile is created, the user class
and the security level (QSECURITY) system value are used to determine the
special authorities for the user.
Possible Values for USRCLS: Table 49 shows the possible user classes and what
the default special authorities are for each user class. The entries indicate that the
authority is given at security levels 10 and 20 only, at all security levels, or not at
all.
The default value for user class is *USER.
Table 49. Default Special Authorities by User Class
User Classes
Special
Authority
*SECOFR
*ALLOBJ
*SECADM
*JOBCTL
*SPLCTL
*SAVSYS
*SERVICE
*AUDIT
*IOSYSCFG
All
All
All
All
All
All
All
All
*SECADM
*PGMR
*SYSOPR
10 or 20
All
10 or 20
10 or 20
10 or 20
10 or 20
All
10 or 20
10 or 20
All
*USER
10 or 20
10 or 20
Recommendations: Most users do not need to perform system functions. Set the
user class to *USER, unless a user specifically needs to use system functions.
Assistance Level
Add User prompt:
Not shown
CL parameter:
ASTLVL
Length:
10
For each user, the system keeps track of the last assistance level used for every
system display that has more than one assistance level. That level is used the next
time the user requests that display. During an active job, a user can change the
assistance level for a display or group of related displays by pressing F21 (Select
assistance level). The new assistance level for that display is stored with the user
information.
Specifying the assistance level (ASTLVL) parameter on a command does not
change the assistance level that is stored for the user for the associated display.
The Assistance level field in the user profile is used to specify the default assistance
level for the user when the profile is created. If the assistance level in the user
profile is changed using the CHGUSRPRF or the Change Profile (CHGPRF)
command, the assistance levels stored for all displays for that user are reset to the
new value.
For example, assume the user profile for USERA is created with the default
assistance level (basic). Table 50 on page 71 shows whether USERA sees the Work
70
with User Profiles display or the Work with User Enrollment display when using
different options. The table also shows whether the system changes the version for
the display that is stored with USERAs profile.
Table 50. How Assistance Levels Are Stored and Changed
Action Taken
Version of Display Shown
Version of Display Stored
Use WRKUSRPRF command
Work with User Enrollment

display
No change (basic assistance

level)
From Work with User

Work with User Profiles
Enrollment display, press F21 display
and select intermediate
assistance level.
Changed to intermediate
assistance level

display
No change (intermediate)
Select the work with user

enrollment option from the
SETUP menu.

display
No change (intermediate)
Type CHGUSRPRF USERA

ASTLVL(*BASIC)
Changed to basic assistance

level

display
No change (basic)
Type WRKUSRPRF
ASTLVL(*INTERMED)

display
No change (basic)
Note: The User option field in the user profile also affects how system displays are
shown. This field is described on page 98.
Table 51. Possible Values for ASTLVL:
*SYSVAL
The assistance level specified in the QASTLVL system value is
used.
*BASIC
The Operational Assistant user interface is used.
*INTERMED
The system interface is used.
*ADVANCED
The expert system interface is used. To allow for more list
entries, the option numbers and the function keys are not
always displayed. If a command does not have an advanced
(*ADVANCED) level, the intermediate (*INTERMED) level is
used.
Current Library
Add User prompt:
Default library
CL parameter:
CURLIB
Length:
10
Authority
*USE
The current library is searched before the libraries in the user portion of the library
list for any objects specified as *LIBL. If the user creates objects and specifies
*CURLIB, the objects are put in the current library.
71
The current library is automatically added to the users library list when the user
signs on. It does not need to be included in the initial library list in the users job
description.
The user cannot change the current library if the Limit capabilities field in the user
profile is *YES or *PARTIAL.
The topic Library Lists on page 193 provides more information about using
library lists and the current library.
Table 52. Possible Values for CURLIB:
*CRTDFT
This user has no current library. If objects are created using
*CURLIB on a create command, the library QGPL is used as
the default current library.
current-library-name
The name of a library.
Recommendations: Use the Current library field to control where users are allowed
to put new objects, such as Query programs. Use the Limit capabilities field to
prevent users from changing the current library.
Initial Program
Add User prompt:
Sign on program
CL parameter:
INLPGM
Length:
10 (program name) 10 (library name)
Authority:
*USE for program *EXECUTE for library
You can specify the name of a program to call when a user signs on. This program
runs before the initial menu, if any, is displayed. If the Limit capabilities field in the
users profile is *YES or *PARTIAL, the user cannot specify an initial program on
the Sign On display.
The initial program is called only if the users routing program is QCMD or QCL.
See Starting an Interactive Job on page 185 for more information about the
processing sequence when a user signs on.
Initial programs are used for two main purposes:
v To restrict a user to a specific set of functions.
v To perform some initial processing, such as opening files or establishing the
library list, when the user first signs on.
Parameters cannot be passed to an initial program. If the initial program fails, the
user is not able to sign on.
Table 53. Possible Values for INLPGM:
*NONE
No program is called when the user signs on. If a menu name
is specified on the initial menu (INLMNU) parameter, that
menu is displayed.
program-name
The name of the program that is called when the user signs on.
72
Table 54. Possible Values for INLPGM Library:

*LIBL
The library list is used to locate the program. If the job
description for the user profile has an initial library list, that list
is used. If the job description specifies *SYSVAL for the initial
library list, the QUSRLIBL system value is used.
*CURLIB
The current library specified in the user profile is used to locate
the program. If no current library is specified, QGPL is used.
library-name
The library where the program is located.
Initial Menu
Add User prompt:
First menu
CL parameter:
INLMNU
Length:
10 (menu name) 10 (library name)
Authority
*USE for menu *EXECUTE for library
You can specify the name of a menu to be shown when the user signs on. The
initial menu is displayed after the users initial program runs. The initial menu is
called only if the users routing program is QCMD or QCL.
If you want the user to run only the initial program, you can specify *SIGNOFF for
the initial menu.
If the Limit capabilities field in the users profile is *YES, the user cannot specify a
different initial menu on the Sign On display. If a user is allowed to specify an
initial menu on the Sign On display, the menu specified overrides the menu in the
user profile.
Table 55. Possible Values for MENU:
MAIN
The iSeries system Main Menu is shown.
*SIGNOFF
The system signs off the user when the initial program
completes. Use this to limit users to running a single program.
menu-name
The name of the menu that is called when the user signs on.
Table 56. Possible Values for MENU Library:
*LIBL
The library list is used to locate the menu. If the initial
program adds entries to the library list, those entries are
included in the search, because the menu is called after the
initial program has completed.
*CURLIB
The current library for the job is used to locate the menu. If no
current library entry exists in the library list, QGPL is used.
library-name
The library where the menu is located.
Limit Capabilities
Add User prompt:
Restrict command line use
CL parameter:
LMTCPB
73
Length:
10
You can use the Limit capabilities field to limit the users ability to enter commands
and to override the initial program, initial menu, current library, and
attention-key-handling program specified in the user profile. This field is one tool
for preventing users from experimenting on the system.
A user with LMTCPB(*YES) can only run commands that are defined as allow
limited user (ALWLMTUSR) *YES. These commands are shipped by IBM with
ALWLMTUSR(*YES):
Sign off (SIGNOFF)
Send message (SNDMSG)
Display messages (DSPMSG)
Display job (DSPJOB)
Display job log (DSPJOBLOG)
Start PC Organizer (STRPCO)
Work with Messages (WRKMSG)
The Limit capabilities field in the user profile and the ALWLMTUSR parameter on
commands apply only to commands that are run from the command line, the
Command Entry display or an option from a command grouping menu. Users are
not restricted from doing the following:
v Running commands in CL programs that are running a command as a result of
taking an option from a menu
v Running remote commands through applications.
You can allow the limited capability user to run additional commands, or remove
some of these commands from the list, by changing the ALWLMTUSR parameter
for a command. Use the Change Command (CHGCMD)command. If you create
your own commands, you can specify the ALWLMTUSR parameter on the Create
Command (CRTCMD) command.
Possible Values: Table 57 shows the possible values for Limit capabilities and what
functions are allowed for each value.
Table 57. Functions Allowed for Limit Capabilities Values
Function
*YES
*PARTIAL
*NO
Change Initial Program

Change Initial Menu
Change Current Library
Change Attention Program
Enter Commands
No
No
No
No
A few1
No
Yes
No
No
Yes
Yes
Yes
Yes
Yes
Yes
These commands are allowed: SIGNOFF, SNDMSG, DSPMSG, DSPJOB,

DSPJOBLOG, STRPCO, WRKMSG. The user cannot use F9 to display a command
line from any menu or display.
Recommendations: Using an initial menu, restricting command line use, and

providing access to the menu allow you to set up an environment for a user who
does not need or want to access system functions. See the topic Planning Menus
on page 217 for more information about this type of environment.
74
Text
Add User prompt:
User description
CL parameter:
TEXT
Length:
50
The text in the user profile is used to describe the user profile or what it is used
for. For user profiles, the text should have identifying information, such as the
users name and department. For group profiles, the text should identify the
group, such as what departments the group includes.
Table 58. Possible Values for text:
*BLANK:
No text is specified.
description
Specify no more than 50 characters.
Recommendations: The Text field is truncated on many system displays. Put the
most important identifying information at the beginning of the field.
Special Authority
Add User prompt:
Not shown
CL parameter:
SPCAUT
Length:
100 (10 characters per special authority)
Authority:
To give a special authority to a user profile, you must have that special
authority.
Special authority is used to specify the types of actions a user can perform on
system resources. A user can be given one or more special authorities.
Table 59. Possible Values for SPCAUT:
*USRCLS
Special authorities are granted to this user based on the user
class (USRCLS) field in the user profile and the security level
(QSECURITY) system value. If *USRCLS is specified, no
additional special authorities can be specified for this user.
If you specify *USRCLS when you create or change a user
profile, the system puts the correct special authorities in the
profile as if you had entered them. When you display profiles,
you cannot tell whether special authorities were entered
individually or entered by the system based on the user class.
*NONE
special-authority-name
Table 49 on page 70 shows the default special authorities for

each user class.
No special authority is granted to this user.
Specify one or more special authorities for the user. The special
authorities are described in the sections that follow.
75
*ALLOBJ Special Authority

All-object (*ALLOBJ) special authority allows the user to access any resource on
the system whether or not private authority exists for the user. Even if the user has
*EXCLUDE authority to an object, *ALLOBJ special authority still allows the user
to access the object.
Risks: *ALLOBJ special authority gives the user extensive authority over all
resources on the system. The user can view, change, or delete any object. The user
can also grant to other users the authority to use objects.
A user with *ALLOBJ authority cannot directly perform operations that require
another special authority. For example, *ALLOBJ special authority does not allow a
user to create another user profile, because creating user profiles requires
*SECADM special authority. However, a user with *ALLOBJ special authority can
submit a batch job to run using a profile that has the needed special authority.
Giving *ALLOBJ special authority essentially gives a user access to all functions on
the system.
*SECADM Special Authority

Security administrator (*SECADM) special authority allows a user to create,
change, and delete user profiles. A user with *SECADM special authority can:
v
v
v
v
v
Add users to the system distribution directory.

Display authority for documents or folders.
Add and remove access codes to the system.
Give and remove a users access code authority
Give and remove permission for users to work on another users behalf
v Delete documents and folders.

v Delete document lists.
v Change distribution lists created by other users.
Only a user with *SECADM and *ALLOBJ special authority can give *SECADM
special authority to another user.
*JOBCTL Special Authority

Job control (*JOBCTL) special authority allows the user to:
v Change, delete, hold, and release all files on any output queues specified as
OPRCTL(*YES).
v Display, send, and copy all files on any output queues specified as
DSPDTA(*YES or *NO) and OPRCTL(*YES).
v Hold, release, and clear job queues specified as OPRCTL(*YES).
v Hold, release, and clear output queues specified as OPRCTL(*YES).
v Hold, release, change, and cancel other users jobs.
v Start, change, end, hold, and release writers, if the output queue is specified as
OPRCTL(*YES).
v Change the running attributes of a job, such as the printer for a job.
v Stop subsystems.
v Perform an initial program load (IPL).
Securing printer output and output queues is discussed in Printing on page 197.
76
You can change the job priority (JOBPTY) and the output priority (OUTPTY) of
your own job without job control special authority. You must have *JOBCTL special
authority to change the run priority (RUNPTY) of your own job.
Changes to the output priority and job priority of a job are limited by the priority
limit (PTYLMT) in the profile of the user making the change.
Risks: A user with *JOBCTL special authority can change the priority of jobs and
of printing, end a job before it has finished, or delete output before it has printed.
*JOBCTL special authority can also give a user access to confidential spooled
output, if output queues are specified OPRCTL(*YES). A user who abuses *JOBCTL
special authority can cause negative impacts on individual jobs and on overall
system performance.
*SPLCTL Special Authority

Spool control (*SPLCTL) special authority allows the user to perform all spool
control functions, such as changing, deleting, displaying, holding and releasing
spooled files. The user can perform these functions on all output queues,
regardless of any authorities for the output queue or the OPRCTL parameter for
the output queue.
*SPLCTL special authority also allows the user to manage job queues, including
holding, releasing, and clearing the job queue. The user can perform these
functions on all job queues, regardless of any authorities for the job queue or the
OPRCTL parameter for the job queue.
Risks: The user with *SPLCTL special authority can perform any operation on any
spooled file in the system. Confidential spooled files cannot be protected from a
user with *SPLCTL special authority.
*SAVSYS Special Authority

Save system (*SAVSYS) special authority gives the user the authority to save,
restore, and free storage for all objects on the system, whether or not the user has
object existence authority to the objects.
Risks: The user with *SAVSYS special authority can:
v Save an object and take it to another iSeries system to be restored.
v Save an object and display the tape to view the data.
v Save an object and free storage, thus deleting the data portion of the object.
v Save a document and delete it.
*SERVICE Special Authority

Service (*SERVICE) special authority allows the user to start system service tools
using the STRSST command. It also allows the user to debug a program with only
*USE authority to the program and perform the display and alter service functions.
The dump function can be performed without *SERVICE authority. It also allows
the user to perform various trace functions.
Risks: A user with *SERVICE special authority can display and change confidential
information using service functions. The user must have *ALLOBJ special authority
to change the information using service functions.
To minimize the risk for trace commands, users can be given authorization to
perform service tracing without needing to give the user *SERVICE special
authority. In this way, only specific users will have the ability to perform a trace
command, which would grant them access to sensitive data. The user must be
77
authorized to the command and have either *SERVICE special authority, or be

authorized to the Service Trace function of the operating system through iSeries
Navigators Application Administration support. The Change Function Usage
Information (QSYSCHFUI) API, with the function ID of QIBM_SERVICE_TRACE,
can also be used to change the list of users that are allowed to perform trace
operations.
The commands to which access can be granted in this way include:
Table 60.
STRCMNTRC
Start Communications Trace
ENDCMNTRC
End Communications Trace
PRTCMNTRC
Print Communications Trace
DLTCMNTRC
Delete Communications Trace
CHKCMNTRC
Check Communications Trace
TRCCNN
Trace Connection (seeGranting Access to Traces)
TRCINT
Trace Internal
STRTRC
Start Job Trace
ENDTRC
End Job Trace
PRTTRC
Print Job Trace
DLTTRC
Delete Job Trace
Granting Access to Traces: Trace commands, such as TRCCNN (Trace

Connection) are powerful commands that should not be granted to all users who
need access to other service and debug tools. Following the steps below will let
you limit who can access these trace commands without having *SERVICE
authority:
1. In iSeries Navigator, open Users and Groups.
2. Select All Users to view a list of user profiles.
3. Right-click the user profile to be altered.
4.
5.
6.
7.
8.
9.
10.
11.
Select Properties.
Click Capabilities.
Open the Applications tab.
Select Access for.
Select Host Applications.
Select Operating System.
Select Service.
Use the checkbox to grant or revoke access to trace command.
*AUDIT Special Authority

Audit (*AUDIT) special authority gives the user the ability to change auditing
characteristics. The user can:
v Change the system values that control auditing.
v Use the CHGOBJAUT, CHGDLOAUD, and CHGAUD commands to change
auditing for objects.
v Use the CHGUSRAUD command to change auditing for a user.
78
Risks: A user with *AUDIT special authority can stop and start auditing on the
system or prevent auditing of particular actions. If having an audit record of
security-relevant events is important for your system, carefully control and monitor
the use of *AUDIT special authority.
Note: Only a user with *ALLOBJ, *SECADM, and *AUDIT special authorities can
give another user *AUDIT special authority.
*IOSYSCFG Special Authority

System configuration (*IOSYSCFG) special authority gives the user the ability to
change how the system is configured. For example, adding or removing
communications configuration information, working with TCP/IP servers, and
configuring the internet connection server (ICS). Most commands for configuring
communications require *IOSYSCFG special authority. Appendix D shows what
special authorities are required for specific commands.
Note: You need *ALLOBJ to be able to change data using service functions.
Recommendations for Special Authorities: Giving special authorities to users
represents a security exposure. For each user, carefully evaluate the need for any
special authorities. Keep track of which users have special authorities and
periodically review their requirement for the authority.
In addition, you should control the following situations for user profiles and
programs:
v Whether user profiles with special authorities can be used to submit jobs
v Whether programs created by these users can run using the authority of the
program owner.
Programs adopt the *ALLOBJ special authority of the owner if:
v The programs are created by users who have *ALLOBJ special authority
v The user specifies USRPRF(*OWNER) parameter on the command that creates
the program.
How LAN Server Uses Special Authorities

The LAN Server licensed program uses the special authorities in a users profile to
determine what operator capabilities the user should have in a LAN server
environment. Following are the operator capabilities the system gives to LAN
server users:
*ALLOBJ
System administrator
*IOSYSCFG
Server resource operator privilege
*JOBCTL
Communication device operator privilege
*SECADM
Accounts operator privilege
*SPLCTL
Print operator privilege
v *SAVSYS special authority applies when you save information using the
/QFPNWSSTG directory. *SAVSYS special authority does apply when saving
objects using the /QLANSrv directory, you must have the necessary permission
(authority) to the object or LAN administrator authority.
79
v *ALLOBJ special authority gives enough authority to save /QLANSrv objects

and their authority information if both of the following are true:
You are a defined user in the LAN domain.
The domain controller is a File Server I/O Processor on the local iSeries
system.
Special Environment
Add User prompt:
Not shown
CL parameter:
SPCENV
Length:
10
Special environment determines the environment the user operates in after signing
on. The user can operate in the iSeries, the System/36, or the System/38
environment. When the user signs on, the system uses the routing program and
the special environment in the users profile to determine the users environment.
See Figure 2 on page 81.
Table 61. Possible Values for SPCENV:
*SYSVAL
The QSPCENV system value is used to determine the
environment when the user signs on, if the users routing
program is QCMD.
*NONE
The user operates in the iSeries environment.
*S36
The user operates in the System/36 environment if the users
routing program is QCMD.
Recommendations: If the user runs a combination of iSeries and System/36

applications, use the Start System/36 (STRS36) command before running
System/36 applications rather than specifying the System/36 environment in the
user profile. This provides better performance for the iSeries applications.
80
Figure 2. Description of Special Environment
Description of Special Environment
|
|
|
|
|
Special environment determines the environment the user operates in after signing
on. The user can operate in the iSeries, the System/36, or the System/38
environment. When the user signs on, the system uses the routing program and
the special environment in the users profile to determine the users environment.
The following description explains Figure 2.
|
|
|
|
|
The system determines if the routing program is QCMD. If it is not, then the
system checks to see if the routing program is QCL. If the routing program is QCL,
then the system will use the System/38 special environment. If the routing
program is not QCL, then the system uses the program specified in the routing
entry.
|
|
|
|
If the routing program is QCMD, then the system determines if the SPCENV
system value is set. If it is set then the system retrieves the value for QSPCENV
system value and the system tests the special environment value. If SPCENV
system value is not set, then the system tests the special environment value.
81
If the special environment value is set to *S36, the system runs the System/36
special environment. If the special environment value is set to *NONE, then the
system runs the native iSeries environment.
|
|
|
Display Sign-On Information

Add User prompt:
Not shown
CL parameter:
DSPSGNINF
Length:
7
The Display sign-on information field specifies whether the Sign-on Information
display is shown when the user signs on. Figure 3 shows the display. Password
expiration information is only shown if the password expires within seven days.
Sign-on Information
Previous sign-on . . . . . . . . . . . . . :
10/30/91
Days until password expires . . . . . . . :
System:
14:15:00
Figure 3. Sign-On Information Display

Table 62. Possible Values for DSPSGNINF:
*SYSVAL
The QDSPSGNINF system value is used.
*NO
The Sign-on Information display is not shown when the user
signs on.
*YES
The Sign-on Information display is shown when the user signs
on.
Recommendations: The Sign-on Information display is a tool for users to monitor

their profiles and to detect attempted misuse. Having all users see this display is
recommended. Users with special authority or authority to critical objects should
be encouraged to use the display to make sure no one attempts to use their
profiles.
Password Expiration Interval

Add User prompt:
Not shown
CL parameter:
PWDEXPITV
Length:
5,0
Requiring users to change their passwords after a specified length of time reduces
the risk of an unauthorized person accessing the system. The password expiration
interval controls the number of days that a valid password can be used before it
must be changed.
82
When a users password has expired, the user receives a message at sign-on. The
user can either press the Enter key to assign a new password or press F3 (Exit) to
cancel the sign-on attempt without assigning a new password. If the user chooses
to change the password, the Change Password display is shown and full password
validation is run for the new password. Figure 1 on page 68 shows an example of
the password expiration message.
Recommendations: Use the user profile password interval to require profiles with
*SERVICE, *SAVSYS, or *ALLOBJ special authorities to change passwords more
frequently than other users.
Table 63. Possible Values for PWDEXPITV:
*SYSVAL
The QPWDEXPITV system value is used.
*NOMAX
The system does not require the user to change the password.
password- expiration- interval Specify a number from 1 through 366.
Recommendations: Set the QPWDEXPITV system value for an appropriate

interval, such as 60 to 90 days. Use the Password expiration interval field in the user
profile for individual users who should change their passwords more frequently,
such as security administrators.
Limit Device Sessions

Add User prompt:
Not shown
CL parameter:
LMTDEVSSN
Length:
7
The Limit device sessions field controls whether a user can be signed on at more
than one workstation at a time. The value does not restrict the use of the System
Request menu or a second sign-on from the same device.
Table 64. Possible Values for LMTDEVSSN:
*SYSVAL
The QLMTDEVSSN system value is used.
*NO
The user may be signed on to more than one device at the
same time.
*YES
The user may not be signed on to more than one device at the
same time.
Recommendations: Limiting users to one workstation at a time is one way to

discourage sharing user profiles. Set the QLMTDEVSSN system value to 1 (YES). If
some users have a requirement to sign on at multiple workstations, use the Limit
device sessions field in the user profile for those users.
Keyboard Buffering
Add User prompt:
Not shown
CL parameter:
KBDBUF
Length:
10
83
This parameter specifies the keyboard buffering value used when a job is
initialized for this user profile. The new value takes effect the next time the user
signs on.
The keyboard buffering field controls two functions:
Type-ahead:
Lets the user type data faster than it can be sent to the system.
Attention key buffering:
If attention key buffering is on, the Attention key is treated like any other
key. If attention key buffering is not on, pressing the Attention key results
in sending the information to the system even when other workstation
input is inhibited.
Table 65. Possible Values for KBDBUF:
*SYSVAL
The QKBDBUF system value is used.
*NO
The type-ahead feature and Attention-key buffering option are
not active for this user profile.
*TYPEAHEAD
The type-ahead feature is active for this user profile.
*YES
The type-ahead feature and Attention-key buffering option are
active for this user profile.
Maximum Storage
|
|
Add User prompt:

Not shown
|
|
CL parameter:
MAXSTG
|
|
Length:
|
|
|
|
You can specify the maximum amount of auxiliary storage that is used to store
permanent objects that are owned by a user profile, including objects placed in the
temporary library (QTEMP) during a job. Maximum storage is specified in
kilobytes (1024 bytes).
|
|
If the storage needed is greater than the maximum amount specified when the user
attempts to create an object, the object is not created.
|
|
|
|
|
|
The maximum storage value is independently applied to each independent

auxiliary storage pool (ASP) on the system. Therefore, specifying a value of 5000
means that the user profile can use the following:
v 5000 KB of auxiliary storage in the system ASP and basic user ASPs.
v 5000 KB of auxiliary storage in independent ASP 00033 (if it exists).
v 5000 KB of auxiliary storage in independent ASP 00034 (if it exists).
This provides a total of 15,000 KB of auxiliary storage from the whole system.
|
|
|
|
|
When planning maximum storage for user profiles, consider the following system
functions, which can affect the maximum storage needed by a user:
v A restore operation first assigns the storage to the user doing the restore
operation, and then transfers the objects to the OWNER. Users who do large
restore operations should have MAXSTG(*NOMAX) in their user profiles.
11,0
84
|
|
|
|
|
|
|
|
|
|
|
|
|
|
v The user profile that owns a journal receiver is assigned the storage as the
receiver size grows. If new receivers are created, the storage continues to be
assigned to the user profile that owns the active journal receiver. Users who own
active journal receivers should have MAXSTG(*NOMAX) in their user profiles.
v If a user profile specifies OWNER(*GRPPRF), ownership of any object created by
the user is transferred to the group profile after the object is created. However,
the user creating the object must have adequate storage to contain any created
object before the object ownership is transferred to the group profile.
v The owner of a library is assigned the storage for the descriptions of the objects
that are placed in a library, even when the objects are owned by another user
profile. Examples of such descriptions are text and program references.
v Storage is assigned to the user profile for temporary objects that are used during
the processing of a job. Examples of such objects are commitment control blocks,
file editing spaces, and documents.
|
|
|
|
|
Table 66. Possible Values for MAXSTG:

*NOMAX
As much storage as required can be assigned to this profile.
maximum- KB
Specify the maximum amount of storage in kilobytes (1
kilobyte equals 1024 bytes) that can be assigned to this user
profile.
Priority Limit
Add User prompt:
Not shown
CL parameter:
PTYLMT
Length:
1
A batch job has three different priority values:
Run priority:
Determines how the job competes for machine resources when the job is
running. Run priority is determined by the jobs class.
Job priority:
Determines the scheduling priority for a batch job when the job is on the
job queue. Job priority can be set by the job description or on the submit
command.
Output priority:
Determines the scheduling priority for any output created by the job on
the output queue. Output priority can be set by the job description or on
the submit command.
The priority limit in the user profile determines the maximum scheduling priorities
(job priority and output priority) allowed for any jobs the user submits. It controls
priority when the job is submitted, as well as any changes made to priority while
the job is running or waiting in a queue.
The priority limit also limits changes that a user with *JOBCTL special authority
can make to another users job. You cannot give someone elses job a higher
priority than the limit specified in your own user profile.
85
If a batch job runs under a different user profile than the user submitting the job,
the priority limits for the batch job are determined by the profile the job runs
under. If a requested scheduling priority on a submitted job is higher than the
priority limit in the user profile, the priority of the job is reduced to the level
permitted by the user profile.
Table 67. Possible Values for PTYLMT:
3
The default priority limit for user profiles is 3. The default
priority for both job priority and output priority on job
descriptions is 5. Setting the priority limit for the user profile at
3 gives the user the ability to move some jobs ahead of others
on the queues.
priority- limit
Specify a value, 1 through 9. The highest priority is 1; the
lowest priority is 9.
Recommendations: Using the priority values in job descriptions and on the submit
job commands is usually a better way to manage the use of system resources than
changing the priority limit in user profiles.
Use the priority limit in the user profile to control changes that users can make to
submitted jobs. For example, system operators may need a higher priority limit so
that they can move jobs in the queues.
Job Description
Add User prompt:
Not shown
CL parameter:
JOBD
Length
10 (job description name) 10 (library name)
Authority:
*USE for job description, *READ and *EXECUTE for library
When a user signs on, the system looks at the workstation entry in the subsystem
description to determine what job description to use for the interactive job. If the
workstation entry specifies *USRPRF for the job description, the job description in
the user profile is used.
The job description for a batch job is specified when the job is started. It can be
specified by name, or it can be the job description from the user profile under
which the job runs.
A job description contains a specific set of job-related attributes, such as which job
queue to use, scheduling priority, routing data, message queue severity, library list
and output information. The attributes determine how each job is run on the
system.
See the Work Management book for more information about job descriptions and
their uses.
Table 68. Possible Values for JOBD:
QDFTJOBD
The system-supplied job description found in library QGPL is
used. You can use the Display Job Description (DSPJOBD)
command to see the attributes contained in this job description.
job- description- name
Specify the name of the job description, 10 characters or less.
86
Table 69. Possible Values for JOBD Library:

*LIBL
The library list is used to locate the job description.
*CURLIB
The current library for the job is used to locate the job
description. If no current library entry exists in the library list,
QGPL is used.
library- name
Specify the library where the job description is located, 10
characters or less.
Recommendations: For interactive jobs, the job description is a good method of

controlling library access. You can use a job description for an individual to specify
a unique library list, rather than using the QUSRLIBL system value.
Group Profile
Add User prompt:
User Group
CL parameter:
GRPPRF
Length:
10
Authority:
To specify a group when creating or changing a user profile, you must
have *OBJMGT, *OBJOPR, *READ, *ADD, *UPD, and *DLT authority to the
group profile.
Notes: Adopted authority is not used to check for *OBJMGT authority to the
group profile. For more information about adopted authority, see Objects
That Adopt the Owners Authority on page 135.
Specifying a group profile name makes the user a member of the group profile.
The group profile can provide the user with authority to use objects for which the
user does not have specific authority. You may specify up to 15 additional groups
for the user in the Supplemental group profile (SUPGRPPRF) parameter.
When a group profile is specified in a user profile, the user is automatically
granted *OBJMGT, *OBJOPR, *READ, *ADD, *UPD, and *DLT authorities to the
group profile, if the group profile is not already one of the users group profiles.
These authorities are necessary for system functions and should not be removed.
If a profile specified in the GRPPRF parameter is not already a group profile, the
system sets information in the profile marking it as a group profile. The system
also generates a gid for the group profile, if it does not already have one.
See Planning Group Profiles on page 229 for more information about using group
profiles.
Table 70. Possible Values for GRPPRF:
*NONE
No group profile is used with this user profile.
user- profile- name
Specify the name of a group profile of which this user profile is
a member.
87
Owner
Add User prompt:
Not shown
CL parameter:
OWNER
Length:
10
If the user is a member of a group, you use the owner parameter in the user profile
to specify who owns any new objects created by the user. Objects can be owned
either by the user or by the users first group (the value of the GRPPRF
parameter). You can specify the OWNER field only if you have specified the Group
profile field.
Table 71. Possible Values for OWNER:
*USRPRF
This user profile is the OWNER of any new objects it creates.
*GRPPRF
The group profile is made the OWNER of any objects created
by the user and is given all (*ALL) authority to the objects. The
user profile is not given any specific authority to new objects it
creates. If *GRPPRF is specified, you must specify a group
profile name in the GRPPRF parameter, and the GRPAUT
parameter must be *NONE.
Notes:
1. If you give ownership to the group, all members of the
group can change, replace, and delete the object.
2. The *GRPPRF parameter is ignored for all file systems
except QSYS.LIB. In cases where the parameter is ignored,
the user retains ownership of the object.
Group Authority
Add User prompt:
Not shown
CL parameter:
GRPAUT
Length:
10
If the user profile is a member of a group and OWNER(*USRPRF) is specified, the
Group authority field controls what authority is given to the group profile for any
objects created by this user.
Group authority can be specified only when GRPPRF is not *NONE and OWNER
is *USRPRF. Group authority applies to the profile specified in the GRPPRF
parameter. It does not apply to supplemental group profiles specified in the
SUPGRPPRF parameter.
88
Table 72. Possible Values for GRPAUT:

*NONE
No specific authority is given to the group profile when this
user creates objects.
*ALL
The group profile is given all management and data authorities
to any new objects the user creates.
*CHANGE
The group profile is given the authority to change any objects
the user creates.
*USE
The group profile is given authority to view any objects the
user creates.
*EXCLUDE
The group profile is specifically denied access to any new
objects created by the user.
See Defining How Information Can Be Accessed on page 120 for a complete
explanation of the authorities that can be granted.
Group Authority Type

Add User prompt:
Not shown
CL parameter:
GRPAUTTYP
Length:
10
When a user creates a new object, the Group authority type parameter in the users
profile determines what type of authority the users group receives to the new
object. The GRPAUTTYP parameter works with the OWNER, GRPPRF, and
GRPAUT parameters to determine the groups authority to a new object.
Table 73. Possible Values for GRPAUTTYP: 1
*PRIVATE
The authority defined in the GRPAUT parameter is assigned to
the group profile as a private authority.
*PGP
The group profile defined in the GRPPRF parameter is the
primary group for the newly created object. The primary group
authority for the object is the authority specified in the
GRPAUT parameter.
1
Private authority and primary group authority provide the same access to the
object, but they may have different performance characteristics. Primary Group for
an Object on page 130 explains how primary group authority works.
Recommendations: Specifying *PGP is a method for beginning to use primary

group authority. Consider using GRPAUTTYP(*PGP) for users who frequently
create new objects.
Supplemental Groups
Add User prompt:
Not shown
CL parameter:
SUPGRPPRF
Length:
150
89
Authority:
To specify supplemental groups when creating or changing a user profile,
you must have *OBJMGT, *OBJOPR, *READ, *ADD, *UPD, and *DLT
authority to each group profile.
Note:
*OBJMGT authority cannot come from adopted authority. For more

information, see Objects That Adopt the Owners Authority on page 135.
You may specify the names of up to 15 profiles from which this user is to receive
authority. The user becomes a member of each supplemental group profile. The
user cannot have supplemental group profiles if the GRPPRF parameter is *NONE.
When supplemental group profiles are specified in a user profile, the user is
automatically granted *OBJMGT, *OBJOPR, *READ, *ADD, *UPD, and *DLT
authorities to each group profile, if the group profile is not already one of the
users group profiles. These authorities are necessary for system functions and
should not be removed. If a profile specified in the SUPGRPPRF parameter is not
already a group profile, the system sets information in the profile marking it as a
group profile. The system also generates a gid for the group profile, if it does not
already have one.
See Planning Group Profiles on page 229 for more information about using group
profiles.
Table 74. Possible Values for SUPGRPPRF
*NONE
No supplemental groups are used with this user profile.
group- profile- name
Specify up to 15 names of group profiles to be used with this
user profile. These profiles, in addition to the profile specified
in the GRPPRF parameter, are used to give the user access to
objects.
Accounting Code
Add User prompt:
Not shown
CL parameter:
ACGCDE
Length:
15
Job accounting is an optional function used to gather information about the use of
system resources. The accounting level (QACGLVL) system value determines
whether job accounting is active. The accounting code for a job comes from either
the job description or the user profile. The accounting code can also be specified
when a job is running using the Change Accounting Code (CHGACGCDE)
command.
See the Work Management book for more information about job accounting.
Table 75. Possible Values for ACGCDE:
*BLANK
An accounting code of 15 blanks is assigned to this user profile.
accounting- code
Specify a 15-character accounting code. If less than 15
characters are specified, the string is padded with blanks on the
right.
90
Document Password
Add User prompt:
Not shown
CL parameter:
DOCPWD
Length:
8
You can specify a document password for the user to protect the distribution of
personal mail from being viewed by people working on behalf of the user. The
document password is supported by some Document Interchange Architecture
(DIA) products, such as the Displaywriter.
Table 76. Possible Values for DOCPWD:
*NONE
No document password is used by this user.
document- password
Specify a document password for this user. The password must
consist of from 1 through 8 characters (letters A through Z and
numbers 0 through 9). The first character of the document
password must be alphabetic; the remaining characters can be
alphanumeric. Embedded blanks, leading blanks, and special
characters are not allowed.
Message Queue
Add User prompt:
Not shown
CL parameter:
MSGQ
Length:
10 (message queue name) 10 (library name)
Authority:
*USE for message queue, if it exists. *EXECUTE for the message queue
library.
You can specify the name of a message queue for a user. A message queue is an
object on which messages are placed when they are sent to a person or a program.
A message queue is used when a user sends or receives messages. If the message
queue does not exist, it is created when the profile is created or changed. The
message queue is owned by the profile being created or changed. The user creating
the profile is given *ALL authority to the message queue.
If the message queue for a user profile is changed using the Change User Profile
(CHGUSRPRF) command, the previous message queue is not automatically deleted
by the system.
Table 77. Possible Values for MSGQ:
*USRPRF
A message queue with the same name as the user profile name
is used as the message queue for this user. If the message
queue does not exist, it is created in library QUSRSYS.
message- queue-name
Specify the message queue name that is used for this user. If
you specify a message queue name, you must specify the
library parameter.
91
Table 78. Possible Values for MSGQ Library:

*LIBL
The library list is used to locate the message queue. If the
message queue does not exist, you cannot specify *LIBL.
*CURLIB
The current library for the job is used to locate the message
queue. If no current library entry exists in the library list,
QGPL is used. If the message queue does not exist, it is created
in the current library or QGPL.
library- name
Specify the library where the message queue is located. If the
message queue does not exist, it is created in this library.
Recommendations: When a user signs on, the message queue in the user profile is
allocated to that users job. If the message queue is already allocated to another
job, the user receives a warning message during sign-on. To avoid this, give each
user profile a unique message queue, preferably with the same name as the user
profile.
Delivery
Add User prompt:
Not shown
CL parameter:
DLVRY
Length:
10
The delivery mode of a message queue determines whether the user is interrupted
when a new message arrives on the queue. The delivery mode specified in the user
profile applies to the users personal message queue. If you change the message
queue delivery in the user profile and the user is signed on, the change takes affect
the next time the user signs on. You can also change the delivery of a message
queue with the Change Message Queue (CHGMSGQ) command.
Table 79. Possible Values for DLVRY:
*NOTIFY
The job that the message queue is assigned to is notified when
a message arrives at the message queue. For interactive jobs at
a workstation, the audible alarm is sounded and the
message-waiting light is turned on. The type of delivery cannot
be changed to *NOTIFY if the message queue is also being
used by another user.
*BREAK
The job that the message queue is assigned to is interrupted
when a message arrives at the message queue. If the job is an
interactive job, the audible alarm is sounded (if the alarm is
installed). The type of delivery cannot be changed to *BREAK if
the message queue is also being used by another user.
*HOLD
The messages are held in the message queue until they are
requested by the user or program.
*DFT
Messages requiring replies are answered with their default
reply; information-only messages are ignored.
Severity
Add User prompt:
Not shown
CL parameter:
SEV
92
Length:
2,0
If a message queue is in *BREAK or *NOTIFY mode, the severity code determines
the lowest-level messages that are delivered to the user. Messages whose severity
is lower than the specified severity code are held in the message queue without the
user being notified.
If you change the message queue severity in the user profile and the user is signed
on, the change takes effect the next time the user signs on. You can also change the
severity of a message queue with the CHGMSGQ command.
Table 80. Possible Values for SEV:
00:
If a severity code is not specified, 00 is used. The user is
notified of all messages, if the message queue is in *NOTIFY or
*BREAK mode.
severity- code
Specify a value, 00 through 99, for the lowest severity code that
causes the user to be notified. Any 2-digit value can be
specified, even if no severity code has been defined for it
(either defined by the system or by the user).
Print Device
Add User prompt:
Default printer
CL parameter:
PRTDEV
Length:
10
You can specify the printer used to print the output for this user. Spooled files are
placed on an output queue with the same name as the printer when the output
queue (OUTQ) is specified as the print device (*DEV).
The print device and output queue information from the user profile are used only
if the printer file specifies *JOB and the job description specifies *USRPRF. For
more information about directing printer output, see the Printer Device Programming
book.
Table 81. Possible Values for PRTDEV:
*WRKSTN
The printer assigned to the users workstation (in the device
description) is used.
*SYSVAL
The default system printer specified in the QPRTDEV system
value is used.
print- device- name
Specify the name of the printer that is used to print the output
for this user.
Output Queue
Add User prompt:
Not shown
CL parameter:
OUTQ
93
Length:
10 (output queue name) 10 (library name)
Authority:
*USE for output queue *EXECUTE for library
Both interactive and batch processing may result in spooled files that are to be sent
to a printer. Spooled files are placed on an output queue. The system can have
many different output queues. An output queue does not have to be attached to a
printer to receive new spooled files.
The print device and output queue information from the user profile are used only
if the printer file specifies *JOB and the job description specifies *USRPRF. For
more information about directing printer output, see the Printer Device Programming
book.
Table 82. Possible Values for OUTQ:
*WRKSTN
The output queue assigned to the users workstation (in the
device description) is used.
*DEV
An output queue with the same name as the print device
specified on the PRTDEV parameter is used.
output- queue- name
Specify the name of the output queue that is to be used. The
output queue must already exist. If an output queue is
specified, the library must be specified also.
Table 83. Possible Values for OUTQ library:
*LIBL
The library list is used to locate the output queue.
*CURLIB
The current library for the job is used to locate the output
queue. If no current library entry exists in the library list,
QGPL is used.
library- name
Specify the library where the output queue is located.
Attention-Key-Handling Program
Add User prompt:
Not shown
CL parameter:
ATNPGM
Length:
10 (program name) 10 (library name)
Authority:
*USE for program
*EXECUTE for library
The Attention-key-handling program (ATNPGM) is the program that is called
when the user presses the Attention (ATTN) key during an interactive job.
The ATNPGM is activated only if the users routing program is QCMD. The
ATNPGM is activated before the initial program is called. If the initial program
changes the ATNPGM, the new ATNPGM remains active only until the initial
program ends. If the Set Attention-Key-Handling Program (SETATNPGM)
command is run from a command line or an application, the new ATNPGM
specified overrides the ATNPGM from the user profile.
94
Note: See Starting an Interactive Job on page 185 for more information about the
processing sequence when a user signs on.
The Limit capabilities field determines if a different Attention-key-handling program
can be specified by the user with the Change Profile (CHGPRF) command.
Table 84. Possible Values for ATNPGM:
*SYSVAL
The QATNPGM system value is used.
*NONE
No Attention-key-handling program is used by this user.
*ASSIST
Operational Assistant Attention Program (QEZMAIN) is used.
program- name
Specify the name of the Attention-key-handling program. If a
program name is specified, a library must be specified.
Table 85. Possible Values for ATNPGM Library:
*LIBL
The library list is used to locate the Attention-key-handling
program.
*CURLIB
The current library for the job is used to locate the
Attention-key-handling program. If no current library entry
exists in the library list, QGPL is used.
library- name:
Specify the library where the Attention-key-handling program
is located.
Sort Sequence
Add User prompt:
Not shown
CL parameter:
SRTSEQ
Length:
10 (value or table name) 10 (library name)
Authority:
*USE for table *EXECUTE for library
You can specify what sort sequence is used for this users output. You can use
system-provided sort tables or create your own. A sort table may be associated
with a particular language identifier on the system.
Table 86. Possible Values for SRTSEQ:
*SYSVAL
The QSRTSEQ system value is used.
*HEX
The standard hexadecimal sort sequence is used for this user.
*LANGIDSHR
The sort sequence table associated with the users language
identifier is used. The table can contain the same weight for
multiple characters.
*LANGIDUNQ
The sort sequence table associated with the users language
identifier is used. The table must contain a unique weight for
each character in the code page.
table-name
Specify the name of the sort sequence table for this user.
Table 87. Possible Values for SRTSEQ Library:
*LIBL
The library list is used to locate the table specified for the
SRTSEQ value.
*CURLIB
The current library for the job is used to locate the table
specified for the SRTSEQ value. If no current library entry
exists in the library list, QGPL is used.
library- name
Specify the library where the sort sequence table is located.
95
Language Identifier
Add User prompt:
Not shown
CL parameter:
LANGID
Length:
10
You can specify the language identifier to be used by the system for the user. To
see a list of language identifiers, press F4 (prompt) on the language identifier
parameter from the Create User Profile display or the Change User Profile display.
Table 88. Possible Values for LANGID:
*SYSVAL:
The system value QLANGID is used to determine the language
identifier.
language- identifier
Specify the language identifier for this user.
Country or Region Identifier

Add User prompt:
Not shown
CL parameter:
CNTRYID
Length:
10
You can specify the country or region identifier to be used by the system for the
user. To see a list of country or region identifiers, press F4 (prompt) on the country
or region identifier parameter from the Create User Profile display or the Change
User Profile display.
Table 89. Possible Values for CNTRYID:
*SYSVAL
The system value QCNTRYID is used to determine the country
or region identifier.
country or region identifier
Specify the country or region identifier for this user.
Coded Character Set Identifier

Add User prompt:
Not shown
CL parameter:
CCSID
Length:
5,0
You can specify the coded character set identifier to be used by the system for the
user. To see a list of coded character set identifiers, press F4 (prompt) on the coded
character set identifier parameter from the Create User Profile display or the
Change User Profile display.
96
Table 90. Possible Values for CCSID:

*SYSVAL
The QCCSID system value is used to determine the coded
character set identifier.
coded-character- set-identifier Specify the coded character set identifier for this user.
Character Identifier Control

Add User prompt:
Not shown
CL parameter:
CHRIDCTL
Length:
10
The CHRIDCTL attribute controls the type of coded character set conversion that
occurs for display files, printer files and panel groups. The character identifier
control information from the user profile is used only if the *CHRIDCTL special
value is specified on the CHRID command parameter on the create, change, or
override commands for display files, printer files, and panel groups.
Table 91. Possible Values for CHRIDCTL:
*SYSVAL
The system value QCHRIDCTL is used to determine the
character identifier control.
*DEVD
The CHRID of the device is used to represent the CCSID of the
data. No conversions occur, since the CCSID of the data is
always the same as the CHRID of the device.
*JOBCCSID
Character conversion occurs when a difference exists between
the device CHRID, job CCSID, or data CCSID values. On input,
character data is converted from the device CHRID to the job
CCSID when it isnecessary. On output, character data is
converted from the job CCSID to the device CHRID when it is
necessary. On output, character data is converted from the file
or panel group CCSID to the device CHRID when it is
necessary.
Job Attributes
Add User prompt:
Not shown
CL parameter:
SETJOBATR
Length:
160
The SETJOBATR field specifies which job attributes are to be taken at job initiation
from the locale specified in the LOCALE parameter.
97
Table 92. Possible Values for SETJOBATR:

*SYSVAL
The system value QSETJOBATR is used to determine which job
attributes are to be taken from the locale.
*NONE
No job attributes are to be taken from the locale.
*CCSID
*DATFMT
*DATSEP
*DECFMT
*SRTSEQ
*TIMSEP
Any combination of the following values may be specified:

The coded character set identifier from the locale is used. The
CCSID value from the locale will override the user profile
CCSID.
The date format from the locale is used.
The date separator from the locale is used.
The decimal format from the locale is used.
The sort sequence from the locale is used. The sort sequence
from the locale will override the user profile sort sequence.
The time separator from the locale is used.
Locale
Add User prompt:
Not shown
CL parameter:
LOCALE
Length:
2048
The LOCALE field specifies the path name of the locale that is assigned to the
LANG environment variable for this user.
Table 93. Possible Values for LOCALE:
*SYSVAL
The system value QLOCALE is used to determine the locale
path name to be assigned for this user.
*NONE
No locale is assigned for this user.
*C
The C locale is assigned for this user.
*POSIX
The POSIX locale is assigned for this user.
locale path name
The path name of the locale to be assigned to this user.
User Options
Add User prompt:
Not shown
CL parameter:
USROPT
Length:
240 (10 characters each)
The User options field allows you to customize certain system displays and
functions for the user. You can specify multiple values for the user option
parameter.
98
Table 94. Possible Values for USROPT:

*NONE
No special options are used for this user. The standard system
interface is used.
*CLKWD
Keywords are shown instead of the possible parameter values
when a control language (CL) command is prompted. This is
equivalent to pressing F11 from the normal control language
(CL) command prompting display.
*EXPERT
When the user views displays that show object authority, such
as the Edit Object Authority display or the Edit Authorization
List Display, detailed authority information is shown without
the user having to press F11 (Display detail). Authority
Displays on page 141 shows an example of the expert version
of the display.
*HLPFULL
The user sees full display help information instead of a
window.
*PRTMSG
A message is sent to the users message queue when a spooled
file is printed for this user.
*ROLLKEY
The actions of the Page Up and Page Down keys are reversed.
*NOSTSMSG
Status messages usually shown at the bottom of the display are
not shown to the user.
*STSMSG
Status messages are displayed when sent to the user.
User Identification Number

Add User prompt:
Not shown
CL parameter:
UID
Length:
10,0
The integrated file system uses the user identification number (uid) to identify a
user and verify the users authority. Every user on the system must have a unique
uid.
Table 95. Possible Values for UID:
*GEN
The system generates a unique uid for this user. The generated
uid will be greater than 100.
uid
A value from 1 to 4294967294 to be assigned as the uid for this
user. The uid must not be already assigned to another user.
Recommendations: For most installations, let the system generate a uid for new
users by specifying UID(*GEN). However, if your system is part of a network, you
may need to assign uids to match those assigned on other systems in the network.
Consult your network administrator.
Group Identification Number

Add User prompt:
Not shown
CL parameter:
GID
99
Length:
10,0
The integrated file system uses the group identification number (gid) to identify
this profile as a group profile. A profile that is used as a group profile by the
integrated file system must have a gid.
Table 96. Possible Values for GID:
*NONE
This profile does not have a gid.
*GEN
The system generates a unique gid for this profile. The
generated gid will be greater than 100.
gid
A value from 1 to 4294967294 to be assigned as the gid for this
profile. The gid must not be already assigned to another
profile.
Recommendations: For most installations, let the system generate a gid for new
group profiles by specifying GID(*GEN). However, if your system is part of a
network, you may need to assign gids to match those assigned on other systems in
the network. Consult your network administrator.
Do not assign a gid to a user profile that you do not plan to use as a group profile.
In some environments, a user who is signed on and has a gid is restricted from
performing certain functions.
Home Directory
Add User prompt:
Not shown
CL parameter:
HOMEDIR
Length:
2048
The home directory is the users initial working directory for the integrated file
system. The home directory is the users current directory if a different current
directory has not been specified. If the home directory specified in the profile does
not exist when the user signs on, the users home directory is the root (/)
directory.
Table 97. Possible Values for HOMEDIR:
*USRPRF
The home directory assigned to the user is /home/xxxxx, where
xxxxx is the users profile name.
home-directory
The name of the home directory to assign to this user.
Authority
Add User prompt:
Not shown
CL parameter:
AUT
Length:
10
100
The Authority field specifies the public authority to the user profile. The authority
to a profile controls many functions associated with the profile, such as:
Changing it
Displaying it
Deleting it
Submitting a job using it
Specifying it in a job description
Transferring object ownership to it
Adding members, if it is a group profile
Table 98. Possible Values for AUT:
*EXCLUDE
The public is
*ALL
The public is
user profile.
*CHANGE
The public is
*USE
The public is
specifically denied access to the user profile.

given all management and data authorities to the
given the authority to change the user profile.
given authority to view the user profile.
See Defining How Information Can Be Accessed on page 120 for a complete
explanation of the authorities that can be granted.
Recommendations: To prevent misuse of user profiles that have authority to
critical objects, make sure the public authority to the profiles is *EXCLUDE.
Possible misuses of a profile include submitting a job that runs under that user
profile or changing a program to adopt the authority of that user profile.
Object Auditing
Add User prompt:
Not shown
CL parameter:
OBJAUD
Length:
10
The object auditing value for a user profile works with the object auditing value
for an object to determine whether the users access of an object is audited. Object
auditing for a user profile cannot be specified on any user profile displays. Use the
CHGUSRAUD command to specify object auditing for a user. Only a user with
*AUDIT special authority can use the CHGUSRAUD command.
Table 99. Possible Values for OBJAUD:
*NONE
The OBJAUD value for objects determines whether object
auditing is done for this user.
*CHANGE
If the OBJAUD value for an object specifies *USRPRF, an audit
record is written when this user changes the object.
*ALL
If the OBJAUD value for an object specifies *USRPRF, an audit
record is written when this user changes or reads the object.
Table 100 on page 102 shows how the OBJAUD values for the user and the object
work together:
101
Table 100. Auditing Performed for Object Access

OBJAUD Value for User
OBJAUD Value for
Object
*NONE
*CHANGE
*ALL
*NONE
*USRPRF
*CHANGE
*ALL
None
None
Change
Change and Use
None
Change
Change
Change and Use
None
Change and Use
Change
Change and Use
Planning the Auditing of Object Access on page 263 provides information about
how to use system values and the object auditing values for users and objects to
meet your security auditing needs.
Action Auditing
Add User prompt:
Not shown
CL parameter:
AUDLVL
Length:
640
For an individual user, you can specify which security-relevant actions should be
recorded in the audit journal. The actions specified for an individual user apply in
addition to the actions specified for all users by the QAUDLVL system value.
Action auditing for a user profile cannot be specified on any user profile displays.
It is defined using the CHGUSRAUD command. Only a user with *AUDIT special
authority can use the CHGUSRAUD command.
Table 101. Possible Values for AUDLVL:
*NONE
The QAUDLVL system value controls action auditing for this
user. No additional auditing is done.
*CMD
Command strings are logged. *CMD can be specified only for
individual users. Command string auditing is not available as a
system-wide option using the QAUDLVL system value.
*CREATE
Object create operations are logged.
*DELETE
Object delete operations are logged.
*JOBDTA
Job changes are logged.
*OBJMGT
Object move and rename operations are logged.
*OFCSRV
Changes to the system distribution directory and office mail
actions are logged.
*PGMADP
Obtaining authority to an object through a program that adopts
authority is logged.
*SAVRST
Save and restore operations are logged.
*SECURITY
Security-related functions are logged.
*SERVICE
Using service tools is logged.
*SPLFDTA
Actions performed on spooled files are logged.
*SYSMGT
Use of system management functions is logged.
Planning the Auditing of Actions on page 253 provides information about how to
use system values and the action auditing for users to meet your security auditing
needs.
102
Additional Information Associated with a User Profile

The previous sections described the fields you specify when you create and change
user profiles. Other information is associated with a user profile on the system and
saved with it:
v Private authorities
v Owned object information
v Primary group object information
The amount of this information affects the time it takes to save and restore profiles
and to build authority displays. How Security Information Is Stored on page 236
provides more information about how user profiles are stored and saved.
Private Authorities
All the private authorities a user has to objects are stored with the user profile.
When a user needs authority to an object, the users private authorities may be
searched. Flowchart 3: How User Authority to an Object Is Checked on page 161
provides more information about authority checking.
You can display a users private authorities using the Display User Profile
command: DSPUSRPRF user-profile-name TYPE(*OBJAUT). To change a users
private authorities, you use the commands that work with object authorities, such
as Edit Object Authority (EDTOBJAUT).
You can copy all the private authorities from one user profile to another using the
Grant User Authority (GRTUSRAUT) command. See Copying Authority from a
User on page 153 for more information.
Primary Group Authorities

The names of all the objects for which the profile is the primary group are stored
with the group profile. You can display the objects for which the profile is the
primary group using the DSPUSRPRF command: DSPUSRPRF group-profile-name
TYPE(*OBJPGP). You can also use the Work with Objects by Primary Group
(WRKOBJPGP) command.
|
|
|
|
|
|
|
|
|
|
|
|
Owned Object Information

Private authority information for an object is stored with the user profile that owns
the object. This information is used to build system displays that work with object
authority. If a profile owns a large number of objects that have many private
authorities, the performance of building object authority displays for these objects
can be affected. The size of an owner profile affects performance when displaying
and working with the authority to owned objects, and when saving or restoring
profiles. System operations can also be impacted. To prevent impacts to either
performance or system operations, distribute ownership of objects to multiple
profiles. Because the size of a user profile can impact your performance, it is
suggested that you do not assign all (or nearly all) objects to only one owning
profile.
Digital ID Authentication
The iSeries security infrastructure allows x.509 digital certificates to be used for
identification. The digital certificates allow users to secure communications and
ensure message integrity.
103
The digital ID APIs create, distribute, and manage digital certificates associated
with user profiles. See the API topic in the Information Center (see Prerequisite
and related information on page xvi) for details about the following APIs:
v
v
v
v
v
v
v
v
Add User Certificate (QSYADDUC)

Remove User Certificate (QSYRMVUC)
List User Certificate (QSYLSTUC)
Find Certificate User (QSYFNDUC)
Add Validation List Certificate (QSYADDVC)
Remove Validation List Certificate (QSYRMVVC)
List Validation List Certificate (QSYLSTVC)
Check Validation List Certificate (QSYCHKVC)
v Parse Certificate (QSYPARSC)
Working with User Profiles

This part of the chapter describes the commands and displays you use to create,
change, and delete user profiles. All the fields, options, and function keys are not
described. Use online information for details.
You must have *SECADM special authority to create, change, or delete user
profiles.
Creating User Profiles

You can create user profiles in several ways:
v Using the Work with User Profiles (WRKUSRPRF) list display.
v Using the Create User Profile (CRTUSRPRF) command.
v Using the Work with User Enrollment option from the SETUP menu.
v Using the iSeries Navigator display from the iSeries Access folder.
The user who creates the user profile owns it and is given *ALL authority to it.
The user profile is given *OBJMGT and *CHANGE authority to itself. These
authorities are necessary for normal operations and should not be removed.
A user profile cannot be created with more authorities or capabilities than those of
the user who creates the profile.
Note: When you perform a CRTUSRPRF, you can not create a user profile
(*USRPRF) into an independent disk pool. However, when a user is
privately authorized to an object in the independent disk pool, is the owner
of an object on an independent disk pool, or is the primary group of an
object on an independent disk pool, the name of the profile is stored on the
independent disk pool. If the independent disk pool is moved to another
system, the private authority, object ownership, and primary group entries
will be attached to the profile with the same name on the target system. If a
profile does not exist on the target system, a profile will be created. The user
will not have any special authorities and the password will be set to
*NONE.
|
|
|
|
|
|
|
|
|
|
|
Using the Work with User Profiles Command

You can enter a specific profile name, a generic profile set, or *ALL on the
WRKUSRPRF command. The assistance level determines which list display you
see. When you use the WRKUSRPRF command with *BASIC assistance level, you
|
|
|
104
|
|
will access the Work with User Enrollment display. If *INTERMED assistance level
is specified, you will access the Work with User Profiles display.
You can specify the ASTLVL (assistance level) parameter on the command. If you
do not specify ASTLVL, the system uses the assistance level stored with your user
profile.
On the Work with User Profiles display, type 1 and the name of the profile you
want to create:
|
|
|
|
|
|
|
|
|
|
|
|
||

Type options, press Enter.
1=Create
2=Change
3=Copy
4=Delete
12=Work with objects by owner
User
Opt Profile
1
NEWUSER
__ DPTSM
__ DPTWH
5=Display
Text
Sales and Marketing Departme
Warehouse Department
|
You see the Create User Profile display:
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
||
Create User Profile (CRTUSRPRF)

Type choices, press Enter.
User profile . . . . . .
User password . . . . .
Set password to expired
Status . . . . . . . . .
User class . . . . . . .
Assistance level . . . .
Current library . . . .
Initial program to call
Library . . . . . . . .
Initial menu . . . . . .
Library . . . . . . . .
Limit capabilities . . .
Text description . . .
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
NEWUSER
NEWUSER1
*YES
*ENABLED
*USER
*SYSVAL
*CRTDFT
*NONE
MAIN
QSYS
*NO
|
The Create User Profile display shows all the fields in the user profile. Use F10
(Additional parameters) and page down to enter more information. Use F11
(Display keywords) to see the parameter names.
The Create User Profile display does not add the user to the system directory.
Using the Create User Profile Command

You can use the CRTUSRPRF command to create a user profile. You can enter
parameters with the command, or you can request prompting (F4) and see the
Create User Profile display.
105
Using the Work with User Enrollment Option

Select the Work with User Enrollment option from the SETUP menu. The assistance
level stored with your user profile determines whether you see the Work with User
Profiles display or the Work with User Enrollment display. You can use F21 (Select
assistance level) to change levels.
On the Work with User Enrollment display, use option 1 (Add) to add a new user
to the system.

Type options below, then press Enter.
1=Add
2=Change
3=Copy
4=Remove
5=Display
Opt
1
_
_
User
NEWUSER
DPTSM
DPTWH
Description
Sales and Marketing Departme
You see the Add User display:
Add User
Type choices below, then press Enter.
User . . . . . .
User description
Password . . . .
Type of user . .
User group . . .
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
NEWUSER
NEWUSER
*USER
*NONE

Uses OfficeVision/400 . .
N
Y
Default
Default
Sign on
Library
*WRKSTN
*NONE
library
printer
program
. . . .
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
First menu . . . . . . .
Library . . . . . . . .
F1=Help
F3=Exit
F5=Refresh
F12=Cancel
The Add User display is designed for a security administrator without a technical
background. It does not show all of the fields in the user profile. Default values are
used for all fields that are not shown.
Note: If you use the Add User display, you are limited to eight-character user
profile names.
Page down to see the second display:
106
Add User
Attention key program . .
Library . . . . . . . .
*SYSVAL
Option 50 on OfficeVision/400 menu:

Text for menu option
Operational Assistant Menu
User program . . . . .
QEZAST
Library . . . . . . .
QSYS
The Add user display automatically adds an entry in the system directory with the
same user ID as the user profile name (the first eight characters) and an address of
the system name.
The main menu also includes user Options 5159. These additional options
(Options 51--59) are processed similar to Option 50, except the default values for
the following fields are blank:
v Text for menu options
v User program
v Library
Copying User Profiles

You can create a user profile by copying another user profile or a group profile.
You may want to set up one profile in a group as a pattern. Copy the first profile
in the group to create additional profiles.
You can copy a profile interactively from either the Work with User Enrollment
display or the Work with User Profiles display. No command exists to copy a user
profile.
Copying from the Work with User Profiles Display
On the Work with User Profiles display, type 3 in front of the profile you want to
copy. You see the Create User Profile display:

User profile . . . . . .
User password . . . . .
Set password to expired
Status . . . . . . . . .
User class . . . . . . .
Assistance level . . . .
Current library . . . .
Initial program to call
Library
. . . . . . .
Initial menu . . . . . .
Library
. . . . . . .
Limit capabilities . . .
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
>
>
>
>
>
>
>
>
>
>
>
Name
Name
*NO, *YES
*ENABLED,
*USER,
*SYSVAL,
Name,
Name,
Name,
ICMAIN
Name,
ICPGMLIB
Name,
*NO
*NO,
*USRPRF
*NO
*ENABLED
*USER
*SYSVAL
DPTWH
*NONE
107
All the values from the copy-from user profile are shown on the Create User
Profile display, except these fields:
Home directory
*USRPRF
Locale job attributes
Locale job attributes
Locale Locale
User profile
Blank. Must be filled in.
Password
*USRPRF
Message queue
*USRPRF
Document password
*NONE
*GEN
*NONE
Authority
*EXCLUDE
You can change any fields on the Create User Profile display. Private authorities of
the copy-from profile are not copied. In addition, internal objects containing user
preferences and other information about the user will not be copied.
Copying from the Work with User Enrollment Display
On the Work with User Enrollment display, type 3 in front of the profile you want
to copy. You see the Copy User display:
Copy User
Copy from user . . . . :
DPTWH

User . . . . . .
User description
Password . . . .
Type of user . .
User group . . .
108
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
USER

Uses OfficeVision/400 . .
N
Y
Default library
Default printer
Sign on program
Library . . .
DPTWH
PRT04
*NONE
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
All values from the copy-from profile appear on the Add User display, except the
following:
User
Blank. Must be filled in. Limited to 8 characters.
Password
Blank. If you do not enter a value, the profile is created with the password
equal to the default value specified for the PASSWORD parameter of the
CRTUSRPRF command.
You can change any fields on the Copy User display. User profile fields that do not
appear on the basic assistance level version are still copied from the copy-from
profile, with the following exceptions:
Message queue
*USRPRF
Document password
*NONE
*GEN
*NONE
Authority
*EXCLUDE
Private authorities of the copy-from profile are not copied.
Copying Private Authorities

You can copy the private authorities from one user profile to another using the
Grant User Authority (GRTUSRAUT) command. This can be useful in some
situations, but should not be used in place of group profiles or authorization lists.
Copying authorities does not help you manage similar authorities in the future,
and it can cause performance problems on your system.
The topic Copying Authority from a User on page 153 has more information
about using this command.
Changing User Profiles

You can change a user profile using option 2 (Change) from either the Work with
User Profiles display or the Work with User Enrollment display. You can also use
the Change User Profile (CHGUSRPRF) command.
Users who are allowed to enter commands can change some parameters of their
own profiles using the Change Profile (CHGPRF) command.
A user cannot change a user profile to have more special authorities or capabilities
than the user who changes the profile.
Deleting User Profiles

You cannot delete a user profile that owns objects. You must delete any objects
owned by the profile or transfer ownership of those objects to another profile. Both
basic assistance level and intermediate assistance level allow you to handle owned
objects when you delete a profile.
109
You cannot delete a user profile if it is the primary group for any objects. When
you use the intermediate assistance level to delete a user profile, you can change
or remove the primary group for objects. You can use the DSPUSRPRF command
with the *OBJPGP (object primary group) option to list any objects for which a
profile is the primary group.
When you delete a user profile, the user is removed from all distribution lists and
from the system directory.
You do not need to change ownership of or delete the users message queue. The
system automatically deletes the message queue when the profile is deleted.
You cannot delete a group profile that has members. To list the members of a
group profile, type DSPUSRPRF group-profile-name *GRPMBR. Change the GRPPRF
field in each member profile before deleting the group profile.
Using the Delete User Profile Command

You can enter the Delete User Profile (DLTUSRPRF) command directly, or you can
use option 4 (Delete) from the Work with User Profiles display. The DLTUSRPRF
command has parameters allowing you to handle:
v All objects owned by the profile
v All objects for which the profile is the primary group.
Delete User Profile (DLTUSRPRF)

User profile . . . . . . . . .
Owned object option:
Owned object value . . . . .
User profile name if *CHGOWN
Primary group option:
Primary group value . . . .
New primary group . . . . .
New primary group authority
. > HOGANR
Name
*CHGOWN
WILLISR
*NODLT, *DLT, *CHGOWN

Name
.
.
.
*NOCHG
*NOCHG, *PGP
You can delete all the owned objects or transfer them to a new owner. If you want
to handle owned objects individually, you can use the Work with Objects by
Owner (WRKOBJOWN) command. You can change the primary group for all
objects for which the group profile is the primary group. If you want to handle
objects individually, you can use the Work with Objects by Primary Group
(WRKOBJPGP) command. The displays for both commands are similar:
110
|
|
|
|
|
|
|
|
|
|
|
|
|
||
Work with Objects by Owner

User profile . . . . . . . :
HOGANR

2=Edit authority
4=Delete
5=Display author
8=Display description
9=Change owner
Opt Object
4
HOGANR
9
QUERY1
9
QUERY2
Library
QUSRSYS
DPTWH
DPTWH
Type
*MSGQ
*PGM
*PGM
Attribute
ASP
Device
*SYSBAS
*SYSBAS
*SYSBAS
Using the Remove User Option
From the Work with User Enrollment display, type 4 (Remove) in front of the
profile you want to delete. You see the Remove User display:
Remove User
User . . . . . . . . . . . :
User description . . . . . :
HOGANR
Sales and Marketing Department
To remove this user type a choice below, then press Enter.

1. Give all objects owned by this user to a new owner
2. Delete or change owner of specific objects owned by this user.
To change the ownership of all objects before deleting the profile, select option 1.
You see a display prompting you for the new owner.
To handle the objects individually, select option 2. You see a detailed Remove User
display:
Remove User
User . . . . . . . . . . . :
User description . . . . . :
New owner . . . . . . . . .
HOGANR
Hogan, Richard - Warehouse DPT
Name, F4 for list
To remove this user, delete or change owner of all objects.

Type options below and press Enter.
2=Change to new owner
4=Delete
5=Display details
Opt Object
4
HOGANR
2
QUERY1
2
QUERY2
Library
QUSRSYS
DPTWH
DPTWH
Description
HOGANR message queue
Inventory Query, on-hand report
Inventory Query, on-order report
111
Use the options on the display to delete objects or transfer them to a new owner.
When all objects have been removed from the display, you can delete the profile.
Notes:
1. You can use F13 to delete all the objects owned by the user profile.
2. Spooled files do not appear on the Work with Objects by Owner display. You
can delete a user profile even though that profile still owns spooled files. After
you have deleted a user profile, use the Work with Spooled Files (WRKSPLF)
command to locate and delete any spooled files owned by the user profile, if
they are no longer needed.
3. Any objects for which the deleted user profile was the primary group will have
a primary group of *NONE.
Working with Objects by Primary Group

You can use the Work with Objects by Primary Group (WRKOBJPGP) command to
display and work with objects for which a profile is the primary group. You can
use this display to change an objects primary group to another profile or to set its
primary group to *NONE.
Work with Objects by Primary Group

Primary group . . . . . . :
DPTAR

2=Edit authority
4=Delete
5=Display authority
9=Change primary group
ASP
Opt
Object
Library
Type
Attribute
Device
CUSTMAST
CUSTLIB
*FILE
*SYSBAS
CUSTWRK
CUSTLIB
*FILE
*SYSBAS
CUSTLIB
QSYS
*LIB
*SYSBAS
Enabling a User Profile

If the QMAXSIGN and QMAXSGNACN system values on your system are set up
to disable a user profile after too many sign-on attempts, you may want someone
like a system operator to enable the profile by changing the status to *ENABLE.
However, to enable a user profile, you must have *SECADM special authority and
*OBJMGT and *USE authority to the user profile. Normally, a system operator does
not have *SECADM special authority.
A solution is to use a simple program which adopts authority:
1. Create a CL program owned by a user who has *SECADM special authority
and *OBJMGT and *USE authority to the user profiles on the system. Adopt the
authority of the owner when the program is created by specifying
USRPRF(*OWNER).
2. Use the EDTOBJAUT command to make the public authority to the program
*EXCLUDE and give the system operators *USE authority.
3. The operator enables the profile by entering:
CALL ENABLEPGM profile-name
4. The main part of the ENABLEPGM program looks like this:
112
PGM &PROFILE
DCL VAR(&PROFILE) TYPE(*CHAR) LEN(10)
CHGUSRPRF USRPRF(&PROFILE) STATUS(*ENABLED)
ENDPGM
Listing User Profiles

You can display and print information about user profiles in a variety of formats.
Displaying an Individual Profile

To display the values for an individual user profile, use option 5 (Display) from
either the Work with User Enrollment display or the Work with User Profiles
display. Or, you can use the Display User Profile (DSPUSRPRF) command.
Listing All Profiles

Use the Display Authorized Users (DSPAUTUSR) command to either print or
display all the user profiles on the system. The sequence (SEQ) parameter on the
command allows you to sort the list either by profile name or by group profile.
Display Authorized Users

Group
Profile
DPTSM
DPTWH
QSECOFR
*NO GROUP
User
Profile
Password
Last
Changed
ANDERSR
VINCENT
08/04/0x
09/15/0x
Anders, Roger
Vincent, Mark
ANDERSR
HOGANR
QUINN
08/04/0x
09/06/0x
09/06/0x
Anders, Roger
Hogan, Richard
Quinn, Rose
JONESS
HARRISON
09/20/0x
08/29/0x
Jones, Sharon
Harrison, Ken
DPTSM
DPTWH
09/05/0x
09/18/0x
No
Password
X
X
Text
Sales and Marketing

Warehouse
By pressing F11, you are able to see which user profiles have passwords defined
for use at the various password levels.

User
Profile
ANGELA
ARTHUR
CAROL1
CAROL2
CHUCKE
DENNISS
DPORTER
GARRY
JANNY
Group
Profile
Password Password
Password
Password
Last
for level for level
for
Changed
0 or 1
2 or 3
NetServer
04/21/0x
*YES
*NO
*YES
07/07/0x
*YES
*YES
*YES
05/15/0x
*YES
*YES
*YES
05/15/0x
*NO
*NO
*NO
05/18/0x
*YES
*NO
*YES
04/20/0x
*YES
*NO
*YES
03/30/0x
*YES
*NO
*YES
08/04/0x
*YES
*YES
*YES
03/16/0x
*YES
*NO
*YES
113
Types of User Profile Displays

The Display User Profile (DSPUSRPRF) command provides several types of
displays and listings:
v Some displays and listings are available only for individual profiles. Others can
be printed for all profiles or a generic set of profiles. Consult online information
for details about the available types.
v You can create an output file from some displays by specifying
output(*OUTFILE). Use a query tool or program to produce customized reports
from the output file. The topic Analyzing User Profiles on page 277 gives
suggestions for reports.
Types of User Profile Reports

The following commands provide user profile reports.
v Print User Profile (PRTUSRPRF)
This command allows you to print a report containing information for the user
profiles on the system. Four different reports can be printed. One contains
authority type information, one contains environment type information, one
contains password type information, and one contains password level type
information.
v Analyze Default Password (ANZDFTPWD)
This command allows you to print a report of all the user profiles on the system
that have a default password and to take an action against the profiles. A profile
has a default password when the user profile name matches the profiles
password.
User profiles on the system that have a default password can be disabled and
their passwords can be set to expired.
Renaming a User Profile

The system does not provide a direct method for renaming a user profile.
A new profile can be created with the same authorities for a user with a new
name. Some information, however, cannot be transferred to the new profile. The
following are examples of information that cannot be transferred:
v Spool files.
v Internal objects containing user preferences and other information about the user
will be lost.
v Digital certificates that contain the user name will be invalidated.
v The uid and gid information retained by the IFS cannot be changed.
v You may not be able to change the information that is stored by applications
that contain the user name.
Applications that are run by the user can have application profiles. Creating a
new iSeries user profile to rename a user does not rename any application profiles
the user may have. A Lotus Notes profile is one example of an application profile.
The following example shows how to create a new profile for a user with a new
name and the same authorities. The old profile name is SMITHM. The new user
profile name is JONESM:
1. Copy the old profile (SMITHM) to a new profile (JONESM) using the copy
option from the Work with User Enrollment display.
2. Give JONESM all the private authorities of SMITHM using the Grant User
Authority (GRTUSRAUT) command:
114
GRTUSRAUT JONESM REFUSER(SMITHM)
3. Change the primary group of all objects that SMITHM is the primary group of
using the Work with Objects by Primary Group (WRKOBJPGP) command:
WRKOBJPGP PGP(SMITHM)
Enter option 9 on all objects that need their primary group changed and enter
NEWPGP (JONESM) on the command line.
Note: JONESM must have a gid assigned using the GID parameter on the
Create or Change User Profile (CRTUSRPRF or CHGUSRPRF) command.
4. Display the SMITHM user profile using the Display User Profile (DSPUSRPRF)
command:
DSPUSRPRF USRPRF(SMITHM)
Write down the uid and gid for SMITHM.

5. Transfer ownership of all other owned objects to JONESM and remove the
SMITHM user profile, using option 4 (Remove) from the Work with User
Enrollment display.
6. Change the uid and the gid of JONESM to the uid and gid that belonged to
SMITHM by using the Change User Profile (CHGUSRPRF) command:
CHGUSRPRF USRPRF(JONESM) UID(uid from SMITHM)
GID(gid from SMITHM)
If JONESM owns objects in a directory, the CHGUSRPRF command cannot be

used to change the uid and gid. Use the QSYCHGID API to change the uid and
gid of user profile JONESM.
Working with User Auditing

Use the Change User Auditing (CHGUSRAUD) command to set the audit
characteristics for users. To use this command, you must have *AUDIT authority.
Change User Audit (CHGUSRAUD)

User profile . . . . . . . . . .
Object auditing value . . . . .
User action auditing . . . . . .
HOGANR
JONESS
*SAME
*CMD
*SERVICE
You can specify the auditing characteristics for more than one user at a time by
listing user profile names.
The AUDLVL (user action auditing) parameter can have more than one value. The
values you specify on this command replace the current AUDLVL values for the
users. The values you specify are not added to the current AUDLVL values for the
users.
You can use the Display User Profile (DSPUSRPRF) command to see audit
characteristics for a user.
115
Working with Profiles in CL Programs

You may want to retrieve information about the user profile from within a CL
program. You can use the Retrieve User Profile (RTVUSRPRF) command in your
CL program. The command returns the requested attributes of the profile to
variables you associate with the user profile field names. The descriptions of user
profile fields in this chapter show the field lengths expected by the RTVUSRPRF
command. In some cases, a decimal field can also have a value that is not numeric.
For example, the maximum storage field (MAXSTG) is defined as a decimal field,
but it can have a value of *NOMAX. Online information for the RVTUSRPRF
command describes the values that are returned in a decimal field for values that
are not numeric.
The sample program in Using a Password Approval Program on page 53 shows
an example of using the RTVUSRPRF command.
You may also want to use the CRTUSRPRF or CHGUSRPRF command within a CL
program. If you use variables for the parameters of these commands, define the
variables as character fields to match the Create User Profile prompt display. The
variable sizes do not have to match the field sizes.
You cannot retrieve a users password, because the password is stored with
one-way encryption. If you want the user to enter the password again before
accessing critical information, you can use the Check Password (CHKPWD)
command in your program. The system compares the password entered to the
users password and sends an escape message to your program if the password is
not correct.
User Profile Exit Points

Exit points are provided to create, change, delete, or restore user profiles. You can
write your own exit programs to perform specific user profile functions. When you
register your exit programs with any of the user profile exit points, you are
notified when a user profile is created, changed, deleted, or restored. At the time of
notification, your exit program can perform any of the following:
v Retrieve information about the user profile
v Enroll the user profile that was just created in the system directory.
v Create necessary objects for the user profile.
For more information about the Security exit programs, see the API topic in the
Information Center (see Prerequisite and related information on page xvi for
details).
IBM-Supplied User Profiles

A number of user profiles are shipped with your system software. These
IBM-supplied user profiles are used as object owners for various system functions.
Some system functions also run under specific IBM-supplied user profiles.
IBM-supplied user profiles, except QSECOFR, are shipped with a password of
*NONE and are not intended for sign-on. To allow you to install your system the
first time, the password for the security officer (QSECOFR) profile is the same for
every system that is shipped. However, the password for QSECOFR is shipped as
expired. For new systems, you are required to change the password the first time
you sign-on as QSECOFR.
116
When you install a new release of the operating system, passwords for
IBM-supplied profiles are not changed. If profiles such as QPGMR and QSYSOPR
have passwords, those passwords are not set to *NONE automatically.
Appendix B, IBM-Supplied User Profiles on page 291 contains a complete list of
all the IBM-supplied user profiles and the field values for each profile.
Note: IBM-supplied profiles are provided, but they are used by the Operating
System/400. Therefore, signing on with these profiles or using the profiles to
own user (non-IBM supplied ) objects is not recommended.
Changing Passwords for IBM-Supplied User Profiles

If you need to sign on with one of the IBM-supplied profiles, you can change the
password using the CHGUSRPRF command. You can also change these passwords
using an option from the SETUP menu. To protect your system, you should leave
the password set to *NONE for all IBM-supplied profiles except QSECOFR. Do not
allow trivial passwords for the QSECOFR profile.
Change Passwords for IBM-Supplied

Type new password below for IBM-supplied user,
type password again to verify change, then
press Enter.
New security officer (QSECOFR) password . . . . . .
New password (to verify) . . . . . . . . . . . . .
New system operator (QSYSOPR) password . . . . . . .
New programmer (QPGMR) password . . . . . . . . . .
New user (QUSER) password . . . . . . . . . . . . .
New service (QSRV) password . . . . . . . . . . . .
Page down to change additional passwords:
Change Passwords for IBM-Supplied

Type new password below for IBM-supplied user, type
change, then press Enter.
New basic service (QSRVBAS) password . . . . . . . .
Working with service tools user IDs

There are several enhancements and additions to service tools for this release that
make them easier to use and understand. System service tools (SST) You can now
manage and create service tools user IDs from system service tools (SST) by
selecting option 8 (Work with service tools user IDs) from the main SST display.
You no longer need to go into dedicated service tools (DST) to reset passwords,
117
grant or revoke privileges, or create service tools user IDs. Note: Information
regarding Service tools has been moved to the Information Center.
v Password management enhancements
The server is shipped with limited ability to change default and expired
passwords. This means that you cannot change service tools user IDs that have
default and expired passwords through the Change Service Tools User ID
(QSYCHGDS) API, nor can you change their passwords through SST. You can
only change a service tools user ID with a default and expired password
through DST. And, you can change the setting to allow default and expired
passwords to be changed. Also, you can use the new Start service tools (STRSST)
privilege to create a service tools user ID that can access DST, but can be
restricted from accessing SST.
v Terminology changes
The textual data and other documentation have been changed to reflect the new
service tools terminology. Specifically, the term service tools user IDs replaces
previous terms, such as DST user profiles, DST user IDs, service tools user
profiles, or variations of these names.
For information on how to work with Service tools, see the Information Center
topic, Service tools (Security>Service tools). See Prerequisite and related
information on page xvi for more information on accessing the Information
Center.
System Password
The system password is used to authorize system model changes, certain service
conditions, and ownership changes. If these changes have occurred on your
system, you may be prompted for the system password when you perform an IPL.
118
Chapter 5. Resource Security

Resource security defines which users are allowed to use objects on the system and
what operations they are allowed to perform on those objects.
This chapter describes each of the components of resource security and how they
all work together to protect information on your system. It also explains how to
use CL commands and displays to set up resource security on your system.
Chapter 7 discusses techniques for designing resource security, including how it
affects both application design and system performance.
The topic How the System Checks Authority on page 156 provides detailed
flowcharts and notes about how the system checks authority. You may find it
useful to consult this information as you read the explanations that follow.
Defining Who Can Access Information

You can give authority to individual users, groups of users, and the public.
Note: In some environments, a users authority is referred to as a privilege.
You define who can use an object in several ways:
Public Authority:
The public consists of anyone who is authorized to sign on to your system. Public
authority is defined for every object on the system, although the public authority
for an object may be *EXCLUDE. Public authority to an object is used if no other
specific authority is found for the object.
Private Authority:
You can define specific authority to use (or not use) an object. You can grant
authority to an individual user profile or to a group profile. An object has private
authority if any authority other than public authority, object ownership, or primary
group authority is defined for the object.
User Authority:
Individual user profiles may be given authority to use objects on the system. This
is one type of private authority.
Group Authority:
Group profiles may be given authority to use objects on the system. A member of
the group gets the groups authority unless an authority is specifically defined for
that user. Group authority is also considered private authority.
Object Ownership:
119
Every object on the system has an owner. The owner has *ALL authority to the
object by default. However, the owners authority to the object can be changed or
removed. The owners authority to the object is not considered private authority.
Primary Group Authority:
You can specify a primary group for an object and the authority the primary group
has to the object. Primary group authority is stored with the object and may
provide better performance than private authority granted to a group profile. Only
a user profile with a group identification number (gid) may be the primary group
for an object. Primary group authority is not considered private authority.
Defining How Information Can Be Accessed

Authority means the type of access allowed to an object. Different operations
require different types of authority.
Note: In some environments, the authority associated with an object is called the
objects mode of access.
Authority to an object is divided into three categories: 1) Object Authority defines
what operations can be performed on the object as a whole. 2) Data Authority
defines what operations can be performed on the contents of the object.Field
Authority defines what operations can be performed on the data fields.
Table 102 describes the types of authority available and lists some examples of how
the authorities are used. In most cases, accessing an object requires a combination
of object, data, field authorities. Appendix D provides information about the
authority that is required to perform a specific function.
Table 102. Description of Authority Types
120
Authority
Name
Functions Allowed
Object Authorities:
*OBJOPR
Object Operational
*OBJMGT
Object Management
*OBJEXIST
Object Existence
*OBJALTER
Object Alter
*OBJREF
Object Reference
*AUTLMGT
Authorization List
Management
Look at the description of an object. Use the

object as determined by the users data
authorities.
Specify the security for the object. Move or
rename the object. All functions defined for
*OBJALTER and *OBJREF.
Delete the object. Free storage of the object.
Perform save and restore operations for the
object 1. Transfer ownership of the object.
Add, clear, initialize and reorganize
members of the database files. Alter and add
attributes of database files: add and remove
triggers. Change the attributes of SQL
packages.
Specify a database file as the parent in a
referential constraint. For example, you want
to define a rule that a customer record must
exist in the CUSMAS file before an order for
the customer can be added to the CUSORD
file. You need *OBJREF authority to the
CUSMAS file to define this rule.
Add and remove users and their authorities
from the authorization list 2.
Table 102. Description of Authority Types (continued)

Authority
Name
Functions Allowed
Data Authorities:
*READ
Read
*ADD
Add
*UPD
Update
*DLT
Delete
*EXECUTE
Execute
Display the contents of the object, such as

viewing records in a file.
Add entries to an object, such as adding
messages to a message queue or adding
records to a file.
Change the entries in an object, such as
changing records in a file.
Remove entries from an object, such as
removing messages from a message queue
or deleting records from a file.
Run a program, service program, or SQL
package. Locate an object in a library or a
directory.
Field Authorities:
*Mgt
*Alter
*Ref
Management
Alter
Reference
*Read
Read
*Add
Add
*Update
Update
Specify the security for the field.

Change the attributes of the field.
Specify the field as part of the parent key in
a referential constraint.
Access the contents of the field. For
example, display the contents of the field.
Add entries to data, such as adding
information to a specific field.
Change the content of existing entries in the
field.
If a user has save system (*SAVSYS) special authority, object existence authority is
not required to perform save and restore operations on the object.
See the topic Authorization List Management on page 127 for more information.
Commonly Used Authorities

Certain sets of object and data authorities are commonly required to perform
operations on objects. You can specify these system-defined sets of authority
(*ALL, *CHANGE, *USE) instead of individually defining the authorities needed
for an object. *EXCLUDE authority is different than having no authority.
*EXCLUDE authority specifically denies access to the object. Having no authority
means you use the public authority defined for the object. Table 103 shows the
system-defined authorities available using the object authority commands and
displays.
Table 103. System-Defined Authority
Authority
*ALL
*CHANGE
*USE
*EXCLUDE
Object Authorities
*OBJOPR
*OBJMGT
*OBJEXIST
*OBJALTER
*OBJREF
X
X
X
X
X
Data Authorities
*READ
*ADD
X
X
X
X
121
Table 103. System-Defined Authority (continued)

Authority
*ALL
*UPD
*DLT
*EXECUTE
*CHANGE
X
X
X
*USE
*EXCLUDE
X
X
X
Table 104 shows additional system-defined authorities that are available using the
WRKAUT and CHGAUT commands:
Authority
Object Authorities
*OBJOPR
*OBJMGT
*OBJEXIST
*OBJALTER
*OBJREF
Data Authorities
*READ
*ADD
*UPD
*DLT
*EXECUTE
*RWX
*RW
*RX
*R
*WX
X
X
X
X
X
X
X
X
X
*W
*X
X
X
X
X
X
X
X
The LAN Server licensed program uses access control lists to manage authority. A
users authorities are called permissions. Table 105 shows how the LAN Server
permissions map to object and data authorities:
Table 105. LAN Server Permissions
Authority
*EXCLUDE
Object Authorities
*OBJOPR
*OBJMGT
*OBJEXIST
*OBJALTER
*OBJREF
Data Authorities
*READ
*ADD
*UPD
*DLT
*EXECUTE
122
LAN Server Permissions

None
See note 1
Permission
Create, Delete
Attribute
No equivalent
Read
Create
Write
Delete
Execute
Unless NONE is specified for a user in the access control list, the user is
implicitly given *OBJOPR.
Defining What Information Can Be Accessed

You can define resource security for individual objects on the system. You can also
define security for groups of objects using either library security or an
authorization list:
Library Security
Most objects on the system reside in libraries. To access an object, you need
authority both to the object itself and the library in which the object resides. For
most operations, including deleting an object, *USE authority to the object library
is sufficient (in addition to the authority required for the object). Creating a new
object requires *ADD authority to the object library. Appendix D shows what
authority is required by CL commands for objects and the object libraries.
Using library security is one technique for protecting information while
maintaining a simple security scheme. For example, to secure confidential
information for a set of applications, you could do the following:
v Use a library to store all confidential files for a particular group of applications.
v Ensure that public authority is sufficient for all objects (in the library) that are
used by applications (*USE or *CHANGE).
v Restrict public authority to the library itself (*EXCLUDE).
v Give selected groups or individuals authority to the library (*USE, or *ADD if
the applications require it).
Although library security is a simple, effective method for protecting information,
it may not be adequate for data with high security requirements. Highly sensitive
objects should be secured individually or with an authorization list, rather than
relying on library security.
Library Security and Library Lists

When a library is added to a users library list, the authority the user has to the
library is stored with the library list information. The users authority to the library
remains for the entire job, even if the users authority to the library is revoked
while the job is active.
When access is requested to an object and *LIBL is specified for the object, the
library list information is used to check authority for the library. If a qualified
name is specified, the authority for the library is specifically checked, even if the
library is included in the users library list.
Attention: If a user is running under adopted authority when a library is added to
the library list, the user remains authorized to the library even when the user is no
longer running under adopted authority. This represents a potential security
exposure. Any entries added to a users library list by a program running under
adopted authority should be removed before the adopted authority program ends.
In addition, applications that use library lists rather than qualified library names
have a potential security exposure. A user who is authorized to the commands to
work with library lists could potentially run a different version of a program. See
Library Lists on page 193 for more information.
Field Authorities
Field authorities are now supported for database files. Authorities supported are
Reference and Update. You can only administer these authorities through the SQL
123
statements, GRANT and REVOKE. You can display these authorities through the
Display Object Authority (DSPOBJAUT) and the Edit Object Authority
(EDTOBJAUT) commands. You can only display the field authorities with the
EDTOBJAUT command; you cannot edit them.
|
Display Object Authority
Object . . . . . :
Library. . . . :
Object type. . . :
PLMITXT
RLN
*FILE
Owner . . . . . . . :
Primary group . . . :
ASP Device . . . . :
PGMR1
DPTAR
*SYSBAS
Object secured by authorization list . . . . . . . . : *NONE

Object
---------------Data--------------User
Group
Authority Read Add Update Delete Execute
PGMR1
*ALL
X
X
X
X
X
USER1
*USE
X
X
USER2
USER DEF
X
X
X
USER3
USER DEF
X
X
*PUBLIC
*CHANGE
X
X
X
X
X
Press Enter to continue

F3=Exit
F11=Nondisplay detail F12=Cancel F16=Display field authorities
Figure 4. Display Object Authority display showing F16=Display field authorities. This function
key will be displayed when a database file has field authorities.
124
Display Field Authority

Object . . . . . . . :
Library . . . . . :
Object type . . . . :
Field
Field3
Field4
User
PGMR1
USER1
USER2
USER3
*PUBLIC
PGMR1
USER1
USER2
USER3
*PUBLIC
PLMITXT
RLN
*FILE
Owner . . . . . . . :
Object
Authority
*ALL
*Use
USER DEF
USER DEF
*CHANGE
*ALL
*Use
USER DEF
USER DEF
*CHANGE
-----Field Authorities----------Mgt Alter Ref Read Add Update

X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
More
Press Enter to continue.
PGMR1
*NONE
F3=Exit F5=Refresh F12=Cancel F16=Repeat position to F17=Position to
Figure 5. Display Field Authority display. When F17=Position to, is pressed the Position the
List prompt will be displayed. If F16 is pressed, the previous position to operation will be
repeated
Changes for field authorities include the following:

v The Print Private Authority (PRTPVTAUT) command has a new field that
indicates when a file has field authorities.
v The Display Object Authority (DSPOBJAUT) command now has a new
Authority Type parameter to allow display of object authorities, field authorities,
or all authorities. If the object type is not *FILE, you can display only object
authorities.
v Information provided by List Users Authorized to Object (QSYLUSRA) API now
indicates if a file has field authorities.
v The Grant User Authority (GRTUSRAUT) command will not grant a users field
authorities.
v When a grant with reference object is performed using the GRTOBJAUT
command and both objects (the one being granted to and the referenced one) are
database files, all field authorities will be granted where the field names match.
v If a users authority to a database file is removed, any field authorities for the
user are also removed.
Security and the System/38 Environment

The System/38 Environment and CL programs of type CLP38 represent a potential
security exposure. When a non-library qualified command is entered from the
System/38 Command Entry screen, or invoked by any CLP38 CL program, library
QUSER38 (if it exists) is the first library searched for that command. Library
QSYS38 is the second library searched. A programmer or other knowledgeable user
could place another CL command in either of these libraries and cause that
command to be used instead of one from a library in the library list.
125
Library QUSER38 is not shipped with the operating system. However, it can be
created by anyone with enough authority to create a library.
See the System/38 Environment Programming manual for more information about the
System/38 Environment.
Recommendation for System/38 Environment

Use these measures to protect your system for the System/38 Environment and CL
programs of type CLP38:
v Check the public authority of the QSYS38 library and if it is *ALL or *CHANGE
then change it to *USE.
v Check the public authority of the QUSER38 library and if it is *ALL or
*CHANGE then change it to *USE.
v If the QUSER38 and QSYS38 do not exist then create them and set them to
public *USE authority. This will prevent anyone else from creating it at a later
time and giving themselves or the public too much authority to it.
Directory Security
When accessing an object in a directory, you must have authority to all the
directories in the path containing the object. You must also have the necessary
authority to the object to perform the operation you requested.
You may want to use directory security in the same way that you use library
security. Limit access to directories and use public authority to the objects within
the directory. Limiting the number of private authorities defined for objects
improves the performance of the authority checking process.
Authorization List Security

You can group objects with similar security requirements using an authorization
list. An authorization list, conceptually, contains a list of users and the authority
that the users have to the objects secured by the list. Each user can have a different
authority to the set of objects the list secures. When you give a user authority to
the authorization list, the operating system actually grants a private authority for
that user to the authorization list.
You can also use an authorization list to define public authority for the objects on
the list. If the public authority for an object is set to *AUTL, the object gets its
public authority from its authorization list.
The authorization list object is used as a management tool by the system. It
actually contains a list of all objects which are secured by the authorization list.
This information is used to build displays for viewing or editing the authorization
list objects.
You cannot use an authorization list to secure a user profile or another
authorization list. Only one authorization list can be specified for an object.
Only the owner of the object, a user with all object (*ALLOBJ) special authority, or
a user with all (*ALL) authority to the object, can add or remove the authorization
list for an object.
Objects in the system library (QSYS) can be secured with an authorization list.
However, the name of the authorization list that secures an object is stored with
126
the object. In some cases, when you install a new release of the operating system,
all the objects in the QSYS library are replaced. The association between the objects
and your authorization list would be lost.
See the topic Planning Authorization Lists on page 227 for examples of how to
use authorization lists.
Authorization List Management

You can grant a special operational authority called Authorization List
Management (*AUTLMGT) for authorization lists. Users with *AUTLMGT
authority are allowed to add and remove the users authority to the authorization
list and change the authorities for those users. *AUTLMGT authority, by itself,
does not give authority to secure new objects with the list or to remove objects
from the list.
A user with *AUTLMGT authority can give only the same or less authority to
others. For example, assume USERA has *CHANGE and *AUTLMGT authority to
authorization list CPLIST1. USERA can add USERB to CPLIST1 and give USERB
*CHANGE authority or less. USERA cannot give USERB *ALL authority to
CPLIST1, because USERA does not have *ALL authority.
A user with *AUTLMGT authority can remove the authority for a user if the
*AUTLMGT user has equal or greater authority to the list than the user profile
name being removed. If USERC has *ALL authority to CPLIST1, then USERA
cannot remove USERC from the list, because USERA has only *CHANGE and
*AUTLMGT.
Using Authorization Lists to Secure IBM-Supplied Objects

You may choose to use an authorization list to secure IBM-supplied objects. For
example, you may want to restrict the use of a group of commands to a few users.
Objects in IBM-supplied libraries, other than the QUSRSYS and QGPL libraries, are
replaced whenever you install a new release of the operating system. Therefore, the
link between objects in IBM-supplied libraries and authorization lists is lost. Also,
if an authorization list secures an object in QSYS and a complete system restore is
required, the link between the objects in QSYS and the authorization list is lost.
After you install a new release or restore your system, use the EDTOBJAUT or
GRTOBJAUT command to re-establish the link between the IBM-supplied object
and the authorization list.
The Implementation Guide for AS/400 Security and Auditing redbook contains sample
programs, such as ALLAUTL and FIXAUTL, that can be used to attach
authorization lists to the objects after the authorization lists are restored.
Authority for New Objects in a Library

Every library has a parameter called CRTAUT (create authority). This parameter
determines the default public authority for any new object that is created in that
library. When you create an object, the AUT parameter on the create command
determines the public authority for the object. If the AUT value on the create
command is *LIBCRTAUT, which is the default, the public authority for the object
is set to the CRTAUT value for the library.
For example, assume library CUSTLIB has a CRTAUT value of *USE. Both of the
commands below create a data area called DTA1 with public authority *USE:
v Specifying the AUT parameter:
127
CRTDTAARA DTAARA(CUSTLIB/DTA1) +
TYPE(*CHAR) AUT(*LIBCRTAUT)
v Allowing the AUT parameter to default. *LIBCRTAUT is the default:

CRTDTAARA DTAARA(CUSTLIB/DTA1) +
TYPE(*CHAR)
The default CRTAUT value for a library is *SYSVAL. Any new objects created in
the library using AUT(*LIBCRTAUT) have public authority set to the value of the
QCRTAUT system value. The QCRTAUT system value is shipped as *CHANGE.
For example, assume the ITEMLIB library has a CRTAUT value of *SYSVAL. This
command creates the DTA2 data area with public authority of change:
CRTDTAARA DTAARA(ITEMLIB/DTA2) +
Assigning Authority and Ownership to New Objects on page 131 shows more
examples of how the system assigns ownership and authority to new objects.
Attention: Several IBM-supplied libraries, including QSYS, have a CRTAUT value
of *SYSVAL. If you change QCRTAUT to something other than *CHANGE, you
may encounter problems. For example, devices are created in the QSYS library. The
default when creating devices is AUT(*LIBCRTAUT). The CRTAUT value for the
QSYS library is *SYSVAL. If QCRTAUT is set to *USE or *EXCLUDE, public
authority is not sufficient to allow sign-on at new devices.
The CRTAUT value for a library can also be set to an authorization list name. Any
new object created in the library with AUT(*LIBCRTAUT) is secured by the
authorization list. The public authority for the object is set to *AUTL.
The CRTAUT value of the library is not used during a move (MOVOBJ), create
duplicate (CRTDUPOBJ), or restore of an object into the library. The public
authority of the existing object is used.
If the REPLACE (*YES) parameter is used on the create command, then the
authority of the existing object is used instead of the CRTAUT value of the library.
Create Authority (CRTAUT) Risks

If your applications use default authority for new objects created during
application processing, you should control who has authority to change the library
descriptions. Changing the CRTAUT authority for an application library could
allow unauthorized access to new objects created in the library.
Authority for New Objects in a Directory

When you create a new object in a directory, you specify the data authority and
object authority that the public receives for the object. You use the *INDIR option
to have the public authority set the same as that of the last directory in the path
name.
Object Ownership
Each object is assigned an owner when it is created. The owner is either the user
who creates the object or the group profile if the member user profile has specified
that the group profile should be the owner of the object. When the object is
created, the owner is given all the object and data authorities to the object.
128
Assigning Authority and Ownership to New Objects on page 131 shows

examples of how the system assigns ownership to new objects.
The owner of an object always has all the authority for the object unless any or all
authority is removed specifically. As an object owner, you may choose to remove
some specific authority as a precautionary measure. For example, if a file exists
that contains critical information, you may remove your object existence authority
to prevent yourself from accidentally deleting the file. However, as object owner,
you can grant any object authority to yourself at any time.
Ownership of an object can be transferred from one user to another. Ownership
can be transferred to an individual user profile or a group profile. A group profile
can own objects whether or not the group has members.
When changing an objects owner, you have the option to keep or revoke the
former owners authority. A user with *ALLOBJ authority can transfer ownership,
as can any user who has the following:
v Object existence authority for the object (except for an authorization list)
v Ownership of the object, if the object is an authorization list
v Add authority for the new owners user profile
v Delete authority for the present owners user profile
You cannot delete a profile that owns objects. Ownership of objects must be
transferred to a new owner or the objects must be deleted before the profile can be
deleted. The Delete User Profile (DLTUSRPRF) command allows you to handle
owned objects when you delete the profile.
Object ownership is used as a management tool by the system. The owner profile
for an object contains a list of all users who have private authority to the object.
This information is used to build displays for editing or viewing object authority.
Profiles that own many objects with many private authorities can become very
large. The size of a profile that owns many objects affects performance when
displaying and working with the authority to objects it owns, and when saving or
restoring profiles. System operations can also be impacted. To prevent impacts to
either performance or system operations, do not assign objects to only one owner
profile for your entire iSeries system. Each application and the application objects
should be owned by a separate profile. Also, IBM-supplied user profiles should not
own user data or objects.
The owner of an object also needs sufficient storage for the object. See Maximum
Storage on page 84 for more information.
Group Ownership of Objects

When an object is created, the system looks at the profile of the user creating the
object to determine object ownership. If the user is a member of a group profile,
the OWNER field in the user profile specifies whether the user or the group
should own the new object.
If the group owns the object (OWNER is *GRPPRF), the user creating the object is
not automatically given any specific authority to the object. The user gets authority
to the object through the group. If the user owns the object (OWNER is *USRPRF),
the groups authority to the object is determined by the GRPAUT field in the user
profile.
129
The group authority type (GRPAUTTYP) field in the user profile determines whether
the group 1) becomes the primary group for the object or 2) is given private
authority to the object. Assigning Authority and Ownership to New Objects on
page 131 shows several examples.
If the user who owns the object changes to a different user group, the original
group profile still retains authority to any objects created.
Even if the Owner field in a user profile is *GRPPRF, the user must still have
sufficient storage to hold a new object while it is being created. After it is created,
ownership is transferred to the group profile. The MAXSTG parameter in the user
profile determines how much auxiliary storage a user is allowed.
Evaluate the objects a user might create, such as query programs, when choosing
between group and individual user ownership:
v If the user moves to a different department and a different user group, should
the user still own the objects?
v Is it important to know who creates objects? The object authority displays show
the object owner, not the user who created the object.
Note: The Display Object Description display shows the object creator.
If the audit journal function is active, a Create Object (CO) entry is written to the
QAUDJRN audit journal at the time an object is created. This entry identifies the
creating user profile. The entry is written only if the QAUDLVL system value
specifies *CREATE and the QAUDCTL system value includes *AUDLVL.
Primary Group for an Object

You can specify a primary group for an object. The name of the primary group
profile and the primary groups authority to the object are stored with the object.
Using primary group authority may provide better performance than private
group authority when checking authority to an object.
A profile must be a group profile (have a gid) to be assigned as the primary group
for an object. The same profile cannot be the owner of the object and its primary
group.
When a user creates a new object, parameters in the user profile control whether
the users group is given authority to the object and the type of authority given.
The Group authority type (GRPAUTTYP) parameter in a user profile can be used to
make the users group the primary group for the object. Assigning Authority and
Ownership to New Objects on page 131 shows examples of how authority is
assigned when new objects are created.
Use the Change Object Primary Group (CHGOBJPGP) command or the Work with
Objects by Primary Group (WRKOBJPGP) command to specify the primary group
for an object. You can change the authority the primary group has using the Edit
Object Authority display or the grant and revoke authority commands.
Default Owner (QDFTOWN) User Profile

The Default Owner (QDFTOWN) user profile is an IBM-supplied user profile that
is used when an object has no owner or when object ownership might pose a
security exposure. Following are situations that cause ownership of an object to be
assigned to the QDFTOWN profile:
130
v If an owning profile becomes damaged and is deleted, its objects no longer have
an owner. Using the Reclaim Storage (RCLSTG) command assigns ownership of
these objects to the default owner (QDFTOWN) user profile.
v If an object is restored and the owner profile does not exist.
v If a program that needs to be created again is restored, but the program creation
is not successful. See the topic Validation of Programs Being Restored on
page 17 for more information about which conditions cause ownership to be
assigned to QDFTOWN.
v If the maximum storage limit is exceeded for the user profile that owns an
authority holder that has the same name as a file being moved, renamed, or
whose library is being renamed.
The system supplies the QDFTOWN user profile because all objects must have an
owner. When the system is shipped, only a user with *ALLOBJ special authority
can display and access this user profile and transfer ownership of objects
associated with the QDFTOWN user profile. You can grant other users authority to
the QDFTOWN profile. QDFTOWN user profile is intended for system use only.
You should not design your security such that QDFTOWN normally owns object.
Assigning Authority and Ownership to New Objects

The system uses several values to assign authority and ownership when a new
object is created on the system:
Parameters on the CRTxxx command
The QCRTAUT system value
The CRTAUT value of the library
Values in the user profile of the creator
Figure 6 through Figure 9 show several examples of how these values are used:
131
QCRTAUT system value:

*CHANGE
CRTAUT library parameter:
*USE
Values in USERA (Creator) Profile:
GRPPRF:
DPT806
OWNER:
*USRPRF
GRPAUT:
*CHANGE
GRPAUTTYP:
*PRIVATE
Command Used to Create Object:
CRTDTAARA DTAARA(CUSTLIB/DTA1)
or
TYPE(*CHAR)
Values for New Object:
Public authority:
*USE
Owner authority:
USERA *ALL
Primary group authority:
None
Private authority:
DPT806 *CHANGE
Note: *LIBCRTAUT is the default value for the AUT
parameter on most CRTxxx commands.
Figure 6. New Object Example: Public Authority from Library, Group Given Private Authority
132

*CHANGE
*SYSVAL
GRPPRF:
DPT806
OWNER:
*USRPRF
GRPAUT:
*CHANGE
GRPAUTTYP:
*PRIVATE
Public authority:
*CHANGE
Owner authority:
USERA *ALL
None
Private authority:
DPT806 *CHANGE
Figure 7. New Object Example: Public Authority from System Value, Group Given Private
Authority
133

*CHANGE
*USE
GRPPRF:
DPT806
OWNER:
*USRPRF
GRPAUT:
*CHANGE
GRPAUTTYP:
*PGP
Public authority:
*USE
Owner authority:
USERA *ALL
DPT806 *CHANGE
Private authority:
None
Figure 8. New Object Example: Public Authority from Library, Group Given Primary Group
Authority
134

*CHANGE
*USE
GRPPRF:
DPT806
OWNER:
*GRPPRF
GRPAUT:
GRPAUTTYP:
TYPE(*CHAR) AUT(*CHANGE)
Public authority:
*CHANGE
Owner authority:
DPT806 *ALL
None
Private authority:
None
Figure 9. New Object Example: Public Authority Specified, Group Owns Object
Objects That Adopt the Owners Authority

Sometimes a user needs different authorities to an object or an application,
depending on the situation. For example, a user may be allowed to change the
information in a customer file when using application programs providing that
function. However, the same user should be allowed to view, but not change,
customer information when using a decision support tool, such as SQL.
A solution to this situation is 1) give the user *USE authority to customer
information to allow querying the files and 2) use adopted authority in the
customer maintenance programs to allow the user to change the files.
When an object uses the owners authority, this is called adopted authority.
Objects of type *PGM, *SRVPGM, *SQLPKG and Java programs can adopt
authority.
When you create a program, you specify a user profile (USRPRF) parameter on the
CRTxxxPGM command. This parameter determines whether the program uses the
authority of the owner of the program in addition to the authority of the user
running the program.
135
Consult the Information Center concerning security considerations and adopted

authority when using SQL packages (see Prerequisite and related information on
page xvi for details).
The following applies to adopted authority:
v Adopted authority is added to any other authority found for the user.
v Adopted authority is checked only if the authority that the user, the users
group, or the public has to an object is not adequate for the requested operation.
v The special authorities (such as *ALLOBJ) in the owners profile are used.
v If the owner profile is a member of a group profile, the groups authority is not
used for adopted authority.
v Public authority is not used for adopted authority. For example, USER1 runs the
program LSTCUST, which requires *USE authority to the CUSTMST file:
Public authority to the CUSTMST file is *USE.
USER1s authority is *EXCLUDE.

USER2 owns the LSTCUST program, which adopts owner authority.
USER2 does not own the CUSTMST file and has no private authority to it.
Although public authority is sufficient to give USER2 access to the CUSTMST
file, USER1 does not get access. Owner authority, primary group authority,
and private authority are used for adopted authority.
Only the authority is adopted. No other user profile attributes are adopted.
For example, the limited capabilities attributes are not adopted.
v Adopted authority is active as long as the program using adopted authority
remains in the program stack. For example, assume PGMA uses adopted
authority:
If PGMA starts PGMB using the CALL command, these are the program
stacks before and after the CALL command:
Program Stack before CALL Command:
Program Stack after CALL Command:
QCMD
.
.
.
PGMA
QCMD
.
.
.
PGMA
PGMB
Figure 10. Adopted Authority and the CALL Command
Because PGMA remains in the program stack after PGMB is called, PGMB
uses the adopted authority of PGMA. (The use adopted authority
(USEADPAUT) parameter can override this. See Programs That Ignore
Adopted Authority on page 139 for more information about the
USEADPAUT parameter.)
If PGMA starts PGMB using the Transfer Control (TFRCTL) command, the
program stacks look like this:
136
Program Stack before TFRCTL Command:
Program Stack after TFRCTL Command:
QCMD
.
.
.
PGMA
QCMD
.
.
.
PGMB
Figure 11. Adopted Authority and the TFRCTL Command
PGMB does not use the adopted authority of PGMA, because PGMA is no
longer in the program stack.
v If the program running under adopted authority is interrupted, the use of
adopted authority is suspended. The following functions do not use adopted
authority:
System request
Attention key (If a Transfer to Group Job (TFRGRPJOB) command is running,
adopted authority is not passed to the group job.)
Break-message-handling program
Debug functions
Note: Adopted authority is immediately interrupted by the attention key or a
group job request. The user must have authority to the
attention-key-handling program or the group job initial program, or the
attempt fails.
v
v
For example, USERA runs the program PGM1, which adopts the authority of
USERB. PGM1 uses the SETATNPGM command and specifies PGM2. USERB has
*USE authority to PGM2. USERA has *EXCLUDE authority to PGM2. The
SETATNPGM function is successful because it is run using adopted authority.
USERA receives an authority error when attempting to use the attention key
because USERBs authority is no longer active.
If a program that uses adopted authority submits a job, that submitted job does
not have the adopted authority of the submitting program.
When a trigger program or exit point program is called, adopted authority from
previous programs in the call stack will not be used as a source of authority for
the trigger program or exit point program.
The program adopt function is not used when you use the Change Job
(CHGJOB) command to change the output queue for a job. The user profile
making the change must have authority to the new output queue.
Any objects created, including spooled files that may contain confidential data,
are owned by the user of the program or by the users group profile, not by the
owner of the program.
v Adopted authority can be specified on either the command that creates the
program (CRTxxxPGM) or on the Change Program (CHGPGM) command.
v If a program is created using REPLACE(*YES) on the CRTxxxPGM command,
the new copy of the program has the same USRPRF, USEADPAUT, and AUT
values as the replaced program. The USRPRF and AUT parameters specified on
the CRTxxxPGM parameter are ignored.
v Only the owner of the program can specify REPLACE(*YES) on the CRTxxxPGM
command when USRPRF(*OWNER) is specified on the original program.
v Only a user who owns the program or has *ALLOBJ and *SECADM special
authorities can change the value of the USRPRF parameter.
137
v You must be signed on as a user with *ALLOBJ and *SECADM special

authorities to transfer ownership of an object that adopts authority.
v If someone other than the programs owner or a user with *ALLOBJ and
*SECADM special authorities restores a program that adopts authority, all
private and public authorities to the program are revoked to prevent a possible
security exposure.
The Display Program (DSPPGM) and Display Service Program (DSPSRVPGM)
commands show whether a program adopts authority (User profile prompt) and
whether it uses adopted authority from previous programs in the program stack
(Use adopted authority prompt). The Display Program Adopt (DSPPGMADP)
command shows all the objects that adopt the authority of a specific user profile.
The Print Adopting Objects (PRTADPOBJ) command provides a report with more
information about objects that adopt authority. This command also provides an
option to print a report for objects that changed since the last time the command
was run.
Flowchart 8: How Adopted Authority Is Checked on page 169 provides more
information about adopted authority. The topic Using Adopted Authority in
Menu Design on page 218 shows an example of how to use adopted authority in
an application.
Adopted Authority and Bound Programs:
An ILE* program (*PGM) is an object that contains one or more modules. It is
created by an ILE* compiler. An ILE program can be bound to one or more service
programs (*SRVPGM).
To activate an ILE program successfully, the user must have *EXECUTE authority
to the ILE program and to all service programs to which it is bound. If an ILE
program uses adopted authority from a program higher in the program call stack,
that adopted authority is used to check authority to all service programs to which
the ILE program is bound. If the ILE program adopts authority, the adopted
authority will not be checked when the system checks the users authority to the
service programs at program activation time.
Adopted Authority Risks and Recommendations

Allowing a program to run using adopted authority is an intentional release of
control. You permit the user to have authority to objects, and possibly special
authority, which the user would not normally have. Adopted authority provides an
important tool for meeting diverse authority requirements, but it should be used
with care:
v Adopt the minimum authority required to meet the application requirements.
Adopting the authority of an application owner is preferable to adopting the
authority of QSECOFR or a user with *ALLOBJ special authority.
v Carefully monitor the function provided by programs that adopt authority. Make
sure these programs do not provide a means for the user to access objects
outside the control of the program, such as command entry capability.
v Programs that adopt authority and call other programs must perform a library
qualified call. Do not use the library list (*LIBL) on the call.
v Control which users are permitted to call programs that adopt authority. Use
menu interfaces and library security to prevent these programs from being called
without sufficient control.
138
Programs That Ignore Adopted Authority

You may not want some programs to use the adopted authority of previous
programs in the program stack. For example, if you use an initial menu program
that adopts owner authority, you may not want some of the programs called from
the menu program to use that authority.
The use adopted authority (USEADPAUT) parameter of a program determines
whether the system uses the adopted authority of previous programs in the stack
when checking authority for objects.
When you create a program, the default is to use adopted authority from previous
programs in the stack. If you do not want the program to use adopted authority,
you can change the program with the Change Program (CHGPGM) command or
Change Service Program (CHGSRVPGM) command to set the USEADPAUT
parameter to *NO. If a program is created using REPLACE(*YES) on the
CRTxxxPGM command, the new copy of the program has the same USRPRF,
USEADPAUT, and AUT values as the replaced program.
The topic Ignoring Adopted Authority on page 220 shows an example of how to
use this parameter in menu design. See Use Adopted Authority (QUSEADPAUT)
on page 34 for information on the QUSEADPAUT system value.
Attention: In some situations, you can use the MODINVAU MI instruction to
prevent passing adopted authority to called functions. The MODINVAU instruction
can be used to prevent passing any adopted authority from C and C++ programs
to called functions in another program or service program. This may be useful
when you do not know the USEADPAUT setting of the function that is called.
Authority Holders
An authority holder is a tool for keeping the authorities for a program-described
database file that does not currently exist on the system. Its primary use is for
System/36 environment applications, which often delete program-described files
and create them again.
|
|
An authority holder can be created for a file that already exists or for a file that
does not exist, using the Create Authority Holder (CRTAUTHLR) command. The
following applies to authority holders:
v Authority holders can only secure files in the system auxiliary storage pool
(ASP) or a basic user ASP. They cannot secure files in an independent ASP.
v The authority holder is associated with a specific file and library. It has the same
name as the file.
v Authority holders can be used only for program-described database files and
logical files created in the S/36 environment.
v Once the authority holder is created, you add private authorities for it like a file.
Use the commands to grant, revoke, and display object authorities, and specify
object type *FILE. On the object authority displays, the authority holder is
indistinguishable from the file itself. The displays do not indicate whether the
file exists nor do they show that the file has an authority holder.
v If a file is associated with an authority holder, the authorities defined for the
authority holder are used during authority checking. Any private authorities
defined for the file are ignored.
139
v Use the Display Authority Holder (DSPAUTHLR) command to display or print

all the authority holders on the system. You can also use it to create an output
file (Outfile) for processing.
v If you create an authority holder for a file that exists:
The user creating the authority holder must have *ALL authority to the file.
The owner of the file becomes the owner of the authority holder regardless of
the user creating the authority holder.
The public authority for the authority holder comes from the file. The public
authority (AUT) parameter on the CRTAUTHLR command is ignored.
The existing files authority is copied to the authority holder.
v If you create a file and an authority holder for that file already exists:
The user creating the file must have *ALL authority to the authority holder.
The owner of the authority holder becomes the owner of the file regardless of
the user creating the file.
The public authority for the file comes from the authority holder. The public
authority (AUT) parameter on the CRTPF or CRTLF command is ignored.
The authority holder is linked to the file. The authority specified for the
authority holder is used to secure the file.
v If an authority holder is deleted, the authority information is transferred to the
file itself.
v If a file is renamed and the new file name matches an existing authority holder,
the authority and ownership of the file are changed to match the authority
holder. The user renaming the file needs *ALL authority to the authority holder.
v If a file is moved to a different library and an authority holder exists for that file
name and the target library, the authority and ownership of the file are changed
to match the authority holder. The user moving the file must have *ALL
authority to the authority holder.
v Ownership of the authority holder and the file always match. If you change the
ownership of the file, ownership of the authority holder also changes.
v When a file is restored, if an authority holder exists for that file name and the
library to which it is being restored, it is linked to the authority holder.
v Authority holders cannot be created for files in these libraries: QSYS, QRCL,
QRECOVERY, QSPL, QTEMP, and QSPL0002 QSPL0032.
Authority Holders and System/36 Migration

The System/36 Migration Aid creates an authority holder for every file that is
migrated. It also creates an authority holder for entries in the System/36 resource
security file if no corresponding file exists on the System/36.
You need authority holders only for files that are deleted and re-created by your
applications. Use the Delete Authority Holder (DLTAUTHLR) command to delete
any authority holders that you do not need.
Authority Holder Risks

An authority holder provides the capability of defining authority for a file before
that file exists. Under certain circumstances, this could allow an unauthorized user
to gain access to information. If a user knew that an application would create,
move, or rename a file, the user could create an authority holder for the new file.
The user would thus gain access to the file.
140
To limit this exposure, the CRTAUTHLR command is shipped with public

authority *EXCLUDE. Only users with *ALLOBJ authority can use the command,
unless you grant authority to others.
Working with Authority

This part of the chapter describes commonly-used methods for setting up,
maintaining, and displaying authority information on your system. Appendix A,
Security Commands on page 283 provides a complete list of the commands
available for working with authority. The descriptions that follow do not discuss
all the parameters for commands or all the fields on the displays. Consult online
information for complete details.
Authority Displays
Four displays show object authorities:
Display Object Authority display
Edit Object Authority display
Display Authority display
Work with Authority display
This section describes some characteristics of these displays. Figure 12 shows the
basic version of the Display Object Authority display:
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
||
|
|

Object . . . . . . :
Library. . . . . :
Object type . . . :
CUSTNO
CUSTLIB
*DTAARA
Owner . . . . . . . :
ASP device . . . . :
PGMR1
DPTAR
*SYSBAS
Object secured by authorization list . . . . . . . . :
*NONE
Object
User
Group
Authority
PGMR1
*ALL
DPTAR
*CHANGE
DPTSM
*USE
*PUBLIC
*EXCLUDE
F3=Exit F11=Display detail object authorities F12=Cancel
F17=Top
Figure 12. Display Object Authority Display
The system-defined names of the authorities are shown on this display. F11 acts as
a toggle between this and two other versions of the display. One shows detailed
object authorities:
141
|
|
|
|
|
|
|
|
|
|
|
|
|
|
||
||
|
||

Object . . . . . . :
Library. . . . . :
Object type. . . . :
CUSTNO
CUSTLIB
*DTAARA
Owner . . . . . . :
ASP device . . . :
Object secured by authorization list
. . . . . . . . . :
PGMR1
DPTAR
*SYSBAS
*NONE
Object
----------Object----------User
Group
Authority Opr Mgt Exist Alter Ref
PGMR1
*ALL
X
X
X
X
X
DPTAR
*CHANGE
X
DPTSM
*USE
X
*PUBLIC
*EXCLUDE
X
.
.
.
F3=Exit F11=Display data authorities F12=Cancel F17=Top F18=Bottom
The other shows data authorities:

|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
||

Object . . . . . . :
Library. . . . . :
CUSTNO
CUSTLIB
*DTAARA
Owner . . . . . . . :
Object secured by authorization list. . . . . . . . . . :

User
PGMR1
DPTAR
DPTSM
*PUBLIC
Group
PGMR1
DPTAR
*SYSBAS
*NONE
Object
---------------Data--------------Authority Read Add Update Delete Execute
*ALL
X
X
X
X
X
*CHANGE
X
X
X
X
X
*USE
X
X
*EXCLUDE
If you have *OBJMGT authority to an object, you see all private authorities for that
object. If you do not have *OBJMGT authority, you see only your own sources of
authority for the object.
For example, if USERA displays authority for the CUSTNO data area, only public
authority is shown.
If USERB, who is a member of the DPTAR group profile, displays the authority for
the CUSTNO data area, it looks like this:
142
|
|
|
|
|
|
|
|
|
|
|
|
||

Object . . . . . . :
Library. . . . . :
CUSTNO
CUSTLIB
*DTAARA
Owner . . . . . . . :

User
*GROUP
Group
DPTAR
PGMR1
DPTAR
*SYSBAS
*NONE
Object
Authority
*CHANGE
If USERB runs a program that adopts the authority of PGMR1 and displays the
authority for the CUSTNO data area, it looks like this:
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
||

Object .. . . . . . :
Library . . . . :
CUSTNO
CUSTLIB
*DTAARA
Owner . . . . . . . :
Object secured by authorization list . . . . . . . . . . :

User
PGMR1
*GROUP
DPTSM
*PUBLIC
*ADOPTED
Group
DPTAR
PGMR1
DPTAR
*SYSBAS
*NONE
Object
Authority
*ALL
*CHANGE
*USE
*EXCLUDE
USER DEF
The *ADOPTED authority indicates only the additional authority received from the
program owner. USERB receives from PGMR1 all the authorities that are not
included in *CHANGE. The display shows all private authorities because USERB
has adopted *OBJMGT. The detailed display looks like this:
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|

Object . . . . . . :
Library. . . . . :
CUSTNO
CUSTLIB
*DTAARA
Owner . . . . . . . :
ASP device
. . . . :
Object secured by authorization list . . . . . . . . . . :
PGMR1
DPTAR
*SYSBAS
*NONE
Object
-----------Object----------User
Group
Authority Opr Mgt Exist Alter Ref
PGMR1
*ALL
X
X
X
X
X
*GROUP
DPTAR
*CHANGE
X
DPTSM
*USE
X
*PUBLIC
*EXCLUDE
*ADOPTED
USER DEF
X
X
X
X
F3=Exit F11=Display data authorities F12=Cancel F17=Top F18=Bottom
143
If the user option (USROPT) field in USERBs user profile includes *EXPERT, this is
how the display looks:
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|

Object . . . . . . :
Library. . . . . :
CUSTNO
CUSTLIB
*DTAARA
Owner . . . . . . . :
ASP device . . . . .:
Object secured by authorization list . . . . . . . . . :

User
Group
PGMR1
*GROUP DPTAR
DPTSM
*PUBLIC
*ADOPTED
PGMR1
DPTAR
*SYSBAS
*NONE
OBJECT
-----Object------ ------Data-------Authority
O
M
E
A
R
R
A
U
D
E
*ALL
X
X
X
X
X
X
X
X
X
X
*CHANGE
X
X
X
X
X
X
*USE
X
X
X
*EXCLUDE
USER DEF
X
X
X
X
Authority Reports
Several reports are available to help you monitor your security implementation.
For example, you can monitor objects with *PUBLIC authority other than
*EXCLUDE and objects with private authorities with the following commands:
v Print Public Authority (PRTPUBAUT)
v Print Private Authority (PRTPVTAUT)
For more information about security tools, see the Tips and Tools for Securing Your
iSeries.
Working with Libraries

Two parameters on the Create Library (CRTLIB) command affect authority:
Authority (AUT): The AUT parameter can be used to specify either of the
following:
v The public authority for the library
v The authorization list that secures the library.
The AUT parameter applies to the library itself, not to the objects in the library. If
you specify an authorization list name, the public authority for the library is set to
*AUTL.
If you do not specify AUT when you create a library, *LIBCRTAUT is the default.
The system uses the CRTAUT value from the QSYS library, which is shipped as
*SYSVAL.
Create Authority (CRTAUT): The CRTAUT parameter determines the default
authority for any new objects that are created in the library. CRTAUT can be set to
one of the system-defined authorities (*ALL, *CHANGE, *USE, or *EXCLUDE), to
*SYSVAL (the QCRTAUT system value), or to the name of an authorization list.
Note: You can change the CRTAUT value for a library using the Change Library
(CHGLIB) command.
If user PGMR1 enters this command:
144
CRTLIB TESTLIB AUT(LIBLST) CRTAUT(OBJLST)
the authority for the library looks like this:

|
|
|
|
|
|
|
|
|
|
|
|
|
||

Object . . . . . . :
Library. . . . . :
TESTLIB
QSYS
*LIB
Owner . . . . . . . :
Object secured by authorization list. . . . . . . . . . . :

User
PGMR1
*PUBLIC
PGMR1
*NONE
*SYSBAS
LIBLST
Object
Authority
*ALL
*AUTL
Group
v Because an authorization list was specified for the AUT parameter, public
authority is set to *AUTL.
v The user entering the CRTLIB command owns the library, unless the users
profile specifies OWNER(GRPPRF). The owner is automatically given *ALL
authority.
v The CRTAUT value is not shown on the object authority displays. Use the
Display Library Description (DSPLIBD) command to see the CRTAUT value for
a library.
|
|
|
|
|
|
|
|
|
|
|
||
Display Library Description

Library . . . . . . . . . . . . . . . . . :
CUSTLIB
Type . . . . . . . . .
ASP number . . . . . .
ASP device . . . . . .
Create authority . . .
Create object auditing
PROD
1
*SYSBAS
*OBJLST
*SYSVAL
Customer Rec
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
:
:
:
:
:
:
Creating Objects
When you create a new object, you can either specify the authority (AUT) or use
the default, *LIBCRTAUT. If PGMR1 enters this command:
CRTDTAARA (TESTLIB/DTA1) +
TYPE(*CHAR)
the authority for the data area looks like this:
145

Object . . . . . . :
Library. . . . . :
DTA1
TESTLIB
*DTAARA
Owner . . . . . . . :
ASP device . . . . . :

User
PGMR1
*PUBLIC
Group
PGRM1
*NONE
*SYSBAS
OBJLST
Object
Authority
*ALL
*AUTL
The authorization list (OBJLST) comes from the CRTAUT parameter that was
specified when TESTLIB was created.
If PGMR1 enters this command:
CRTDTAARA (TESTLIB/DTA2) AUT(*CHANGE) +
TYPE(*CHAR)
the authority for the data area looks like this:

Object . . . . . . :
Library . . . . :
DTA2
TESTLIB
*DTAARA
Owner . . . . . . . :
Object secured by authorization list . . . . . . . . . :

User
PGMR1
*PUBLIC
Group
PGRM1
*NONE
*SYSBAS
*NONE
Object
Authority
*ALL
*CHANGE
Working with Individual Object Authority

To change the authority for an object you must have one of the following:
v *ALLOBJ authority or membership in a group profile that has *ALLOBJ special
authority.
Note: The groups authority is not used if you have private authority to the
object.
v Ownership of the object. If a group profile owns the object, any member of the
group can act as the object owner, unless the member has been given specific
authority that does not meet the requirements for changing the objects
authority.
v *OBJMGT authority to the object and any authorities being granted or revoked
(except *EXCLUDE). Any user who is allowed to work with the objects
authority can grant or revoke *EXCLUDE authority.
The easiest way to change authority for an individual object is with the Edit Object
Authority display. This display can be called directly by using the Edit Object
146
Authority (EDTOBJAUT) command or selected as an option from the Work with

Objects by Owner (WRKOBJOWN) or WRKOBJ (Work with Objects) display.
You can also use these commands to change object authority:
Edit Object Authority
Object. . . . . . :
Library . . . . :
Object type.. . . :
DTA1
TESTLIB
*DTAARA
Owner . . . . . . . :
PGMR1
*NONE
*SYSBAS
Type changes to current authorities, press Enter.

Object secured by authorization list . . . . . . . :
User
PGMR1
*PUBLIC
Group
OBJLST
Object
Authority
*ALL
*AUTL
Change Authority (CHGAUT)

Work with Authority (WRKAUT)
Grant Object Authority (GRTOBJAUT)
Revoke Object Authority (RVKOBJAUT)
To specify the generic authority subsets, such as Read/Write (*RX) or
Write/Execute (*WX), you must use the CHGAUT or WRKAUT commands.
Specifying User-Defined Authority

The Object Authority column on the Edit Object Authority display allows you to
specify any of the system-defined sets of authorities (*ALL, *CHANGE, *USE,
*EXCLUDE). If you want to specify authority that is not a system-defined set, use
F11 (Display detail).
Note: If the User options (USROPT) field in your user profile is set to *EXPERT,
you always see this detailed version of the display without having to press
F11.
For example, PGMR1 removes *OBJEXIST authority to the CONTRACTS file, to
prevent accidentally deleting the file. Because PGMR1 has a combination of
authorities that is not one of the system-defined sets, the system puts USER DEF
(user-defined) in the Object Authority column:
147

Object . . . . . . :
Library. . . . . :
CONTRACTS
TESTLIB
*FILE
Owner . . . . . . . :
PGMR1
*NONE
*SYSBAS

User
PGMR1
*PUBLIC
Group
OBJECT
Authority
USER DEF
*AUTL
Opr
X
LIST2
----------Object----------Mgt Exist Alter Ref

X
X
X
You can press F11 (Display data authorities) to view or change the data authorities:

Object . . . . . . :
Library . . . . . :
CONTRACTS
TESTLIB
*FIL
Owner . . . . . . . :
PGMR1
*NONE
*SYSBAS

Object secured by authorization list. . . . . . . . . :
User
PGMR1
*PUBLIC
Group
LIST2
OBJECT
USER DEF
X
X
X
X
X
*AUTL
Giving Authority to New Users

To give authority to additional users, press F6 (Add new users) from the Edit
Object Authority display. You see the Add New Users display, which allows you to
define authority for multiple users:
Add New Users

Object . . . . . . . :
Library . . . . . :
DTA1
TESTLIB
Type new users, press Enter.

User
USER1
USER2
PGMR2
Object
Authority
*USE
*CHANGE
*ALL
Removing a Users Authority

Removing a users authority for an object is different from giving the user
*EXCLUDE authority. *EXCLUDE authority means the user is specifically not
allowed to use the object. Only *ALLOBJ special authority and adopted authority
148
override *EXCLUDE authority. Removing a users authority means the user has no
specific authority to the object. The user can gain access through a group profile,
an authorization list, public authority, *ALLOBJ special authority, or adopted
authority.
You can remove a users authority using the Edit Object Authority display. Type
blanks in the Object Authority field for the user and press the Enter key. The user
is removed from the display. You can also use the Revoke Object Authority
(RVKOBJAUT) command. Either revoke the specific authority the user has or
revoke *ALL authority for the user.
Note: The RVKOBJAUT command revokes only the authority you specify. For
example, USERB has *ALL authority to FILEB in library LIBB. You revoke
*CHANGE authority:
RVKOBJAUT OBJ(LIBB/FILEB) OBJTYPE(*FILE) +
USER(*USERB) AUT(*CHANGE)
After the command, USERBs authority to FILEB looks like this:

Object . . . . . . :
Library. . . . . :
FILEB
LIBB
*FILE
Owner . . . . . . . :
Object secured by authorization list. . . . . . . . :

User
USERB
Group
PGMR1
*NONE
*SYSBAS
*NONE
Object
--------Object-----------Authority Read Add Update Delete Execute
USER DEF
X
X
X
X

Object . . . . . . :
Library. . . . . :
Object type . . . :
FILEB
LIBB
*FILE
Owner . . . . . . . :
tion list . . . . . . . . . . . .
User
PGMR1
Group
PGMR1
*NONE
*SYSBAS
*NONE
Object
USER DEF
Working with Authority for Multiple Objects

The Edit Object Authority display allows you to interactively work with the
authority for one object at a time. The Grant Object Authority (GRTOBJAUT)
command allows you to make authority changes to more than one object at a time.
You can use the GRTOBJAUT authority command interactively or in batch. You
can also call it from a program.
Following are examples of using the GRTOBJAUT command, showing the prompt
display. When the command runs, you receive a message for each object indicating
149
whether the change was made. Authority changes require an exclusive lock on the
object and cannot be made when an object is in use. Print your job log for a record
of changes attempted and made.
v To give all the objects in the TESTLIB library a public authority of *USE:

Object . . . . . . . . . . . . .
Library . . . . . . . . . . . . .
Object type . . . . . . . . . .
ASP device . . . . . . . . . . .
Users . . . . . . . . . . . . .
+ for more values
Authority . . . . . . . . . . .
*ALL
TESTLIB
*ALL
*
*PUBLIC
*USE
This example for the GRTOBJAUT command gives the authority you specify, but
it does not remove any authority that is greater than you specified. If some
objects in the TESTLIB library have public authority *CHANGE, the command
just shown would not reduce their public authority to *USE. To make sure that
all objects in TESTLIB have a public authority of *USE, use the GRTOBJAUT
command with the REPLACE parameter.
GRTOBJAUT OBJ(TESTLIB/*ALL) OBJTYPE(*ALL) +
USER(*PUBLIC) REPLACE(*YES)
The REPLACE parameter indicates whether the authorities you specify replaces
the existing authority for the user. The default value of REPLACE(*NO) gives
the authority that you specify, but it does not remove any authority that is
greater than the authority you specify, unless you are granting *EXCLUDE
authority.
These commands set public authority only for objects that currently exist in the
library. To set the public authority for any new objects that are created later, use
the CRTAUT parameter on the library description.
v To give *ALL authority to the work files in the TESTLIB library to users AMES
and SMITHR. In this example, work files all start with the characters WRK:

Object . . . . . . . . . . . . .
Library . . . . . . . . . . .
Object type . . . . . . . . . .
ASP device . . . . . . . . . . .
Users . . . . . . . . . . . . .
+ for more values
Authority . . . . . . . . . . .
WRK*
TESTLIB
*FILE
*
AMES
SMITHR
*ALL
This command uses a generic name to specify the files. You specify a generic
name by typing a character string followed by an asterisk (*). Online information
tells which parameters of a command allow a generic name.
150
v To secure all the files starting with the characters AR* using an authorization list
called ARLST1 and have the files get their public authority from the list, use the
following two commands:
1. Secure the files with the authorization list using the GRTOBJAUT command:
Grant Object Authority

Object . . . . . . . . . . . . .
Library . . . . . . . . . . .
Object type . . . . . . . . . .
ASP device . . . . . . . . . . .
AR*
TESTLIB
*FILE
*
.
.
.
Authorization list . . . . . . .
ARLST1
2. Set public authority for the files to *AUTL, using the GRTOBJAUT command:

Object . . . . . . . . . . . . .
Library . . . . . . . . . . .
Object type . . . . . . . . . .
ASP device . . . . . . . . . . .
Users . . . . . . . . . . . . .
+ for more values
Authority . . . . . . . . . . .
AR*
TESTLIB
*FILE
*
*PUBLIC
*AUTL
Working with Object Ownership

To change ownership of an object, use one of the following:
The Change Object Owner (CHGOBJOWN) command
The Work with Objects by Owner (WRKOBJOWN) command
The Change Owner (CHGOWN) command
The Work with Objects by Owner display shows all the objects owned by a profile.
You can assign individual objects to a new owner. You can also change ownership
for more than one object at a time by using the NEWOWN (new owner) parameter
at the bottom of the display:
151

User profile . . . . . . . :
OLDOWNER

2=Edit authority
4=Delete
5=Display author
9=Change owner
Opt
9
9
Object
COPGMMSG
CUSTMAS
CUSTMSGQ
ITEMMSGQ
Library
COPGMLIB
CUSTLIB
CUSTLIB
ITEMLIB
Parameters or command
===> NEWOWN(OWNIC)
F3=Exit
F4=Prompt
F5=Refresh
F18=Bottom
Type
*MSGQ
*FILE
*MSGQ
*MSGQ
Attribute
ASP
Device
*SYSBAS
*SYSBAS
*SYSBAS
*SYSBAS
F9=Retrieve
When you change ownership using either method, you can choose to remove the
previous owners authority to the object. The default for the CUROWNAUT
(current owner authority) parameter is *REVOKE.
To transfer ownership of an object, you must have:
v Object existence authority for the object
v *ALL authority or ownership, if the object is an authorization list
v Add authority for the new owners user profile
v Delete authority for the present owners user profile
You cannot delete a user profile that owns objects. The topic Deleting User
Profiles on page 109 shows methods for handling owned objects when deleting a
profile.
The Work with Objects by Owner display includes integrated file system objects.
For these objects, the Object column on the display shows the first 18 characters of
the path name. If the path name is longer than 18 characters, a greater than symbol
(>) appears at the end of the path name. To see the absolute path name, place your
cursor anywhere on the path name and press the F22 key.
Working with Primary Group Authority

To change the primary group or primary groups authority to an object, use one of
the following commands:
Change Object Primary Group (CHGOBJPGP)
Work with Objects by Primary Group (WRKOBJPGP)
Change Primary Group (CHGPGP)
When you change an objects primary group, you specify what authority the new
primary group has. You can also revoke the old primary groups authority. If you
do not revoke the old primary groups authority, it becomes a private authority.
The new primary group cannot be the owner of the object.
To change an objects primary group, you must have all of the following:
v *OBJEXIST authority for the object.
152
v If the object is a file, library, or subsystem description, *OBJOPR and *OBJEXIST

authority.
v If the object is an authorization list, *ALLOBJ special authority or be the owner
of the authorization list.
v If revoking authority for the old primary group, *OBJMGT authority.
v If a value other than *PRIVATE is specified, *OBJMGT authority and all the
authorities being given.
Using a Referenced Object

Both the Edit Object Authority display and the GRTOBJAUT command allow you
to give authority to an object (or group of objects) based on the authority of a
referenced object. This is a useful tool in some situations, but you should also
evaluate the use of an authorization list to meet your requirements. See Planning
Authorization Lists on page 227 for information about the advantages of using
authorization lists.
Copying Authority from a User

You can copy all the private authorities from one user profile to another using the
Grant User Authority (GRTUSRAUT) command. This method can be useful in
certain situations. For example, the system does not allow you to rename a user
profile. To create an identical profile with a different name involves several steps,
including copying the original profiles authorities. Renaming a User Profile on
page 114 shows an example of how to do this.
The GRTUSRAUT command copies private authorities only. It does not copy
special authorities, nor does it transfer object ownership.
The GRTUSRAUT command should not be used in place of creating group
profiles. GRTUSRAUT creates a duplicate set of private authorities, which increases
the time it takes to save the system and makes authority management more
difficult. GRTUSRAUT copies authorities as they exist at a particular moment. If
authority is required to new objects in the future, each profile must be granted
authority individually. The group profile provides this function automatically.
To use the GRTUSRAUT command, you must have all the authorities being copied.
If you do not have an authority, that authority is not granted to the target profile.
The system issues a message for each authority that is granted or not granted to
the target user profile. Print the job log for a complete record. To avoid having a
partial set of authorities copied, the GRTUSRAUT command should be run by a
user with *ALLOBJ special authority.
Working with Authorization Lists

Setting up an authorization list requires three steps:
1. Creating the authorization list.
2. Adding users to the authorization list.
3. Securing objects with the authorization list.
Steps 2 and 3 can be done in any order.
Creating an Authorization List

You do not need any authority to the QSYS library to create an authorization list
into that library. Use the Create Authorization List (CRTAUTL) command:
153
Create Authorization List (CRTAUTL)

Authorization list . . . . . . .
Text description . . . . . . .
custlst1
Files cleared at month-end
Additional Parameters
Authority . . . . . . . . . . .
*use
The AUT parameter sets the public authority for any objects secured by the list.
The public authority from the authorization list is used only when the public
authority for an object secured by the list is *AUTL.
Giving Users Authority to an Authorization List

To work with the authority that users have to the authorization list, you must
have *AUTLMGT (authorization list management) authority, as well as the specific
authorities you are granting. See the topic Authorization List Management on
page 127 for a complete description.
You can use the Edit Authorization List (EDTAUTL) display to change user
authority to the authorization list or to add new users to the list:
Edit Authorization List

Object . . . . . . . :
Library . . . . . :
CUSTLST1
QSYS
Owner . . . . . . . :
PGMR1
*NONE

User
PGMR1
*PUBLIC
Object
List
Authority Mgt
*ALL
X
*USE
To give new users authority to the authorization list, press F6 (Add new users):
Each users authority to the list is actually stored as a private authority in that
Add New Users
Object . . . . . . . :
Library . . . . . :
CUSTLST1
QSYS
Owner . . . PGMR1
Type new users, press Enter.

User
AMES
SMITHR
Object
List
Authority Mgt
*CHANGE
*CHANGE
users profile. You can also use commands to work with authorization list users,
either interactively or in batch:
154
v Add Authorization List Entry (ADDAUTLE) to define authority for additional

users
v Change Authorization List Entry (CHGAUTLE) to change authority for users
who are already authorized to the list
v Remove Authorization List Entry (RMVAUTLE) to remove a users authority to
the list.
Securing Objects with an Authorization List

To secure an object with an authorization list, you must own the object, have *ALL
authority to it, or have *ALLOBJ special authority. You must not have *EXCLUDE
authority to the authorization list.
Use the Edit Object Authority display or the GRTOBJAUT command to secure an
object with an authorization list:
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
||

Object . . . . . . :
Library . . . . :
Object type . . . :
ARWRK1
TESTLIB
*FILE
Owner . . . . . . . :
Primary group. . . . :
PGMR1
*NONE
*SYSBAS

Object secured by authorization list . . . . . . . . . .
User
PGMR1
*PUBLIC
ARLST1
Object
Authority
*ALL
*AUTL
Set the public authority for the object to *AUTL if you want public authority to
come from the authorization list.
On the Edit Authorization List display, you can use F15 (Display authorization list
objects) to list all the objects secured by the list:
This is an information list only. You cannot add or remove objects from the list.
Display Authorization List Objects
Authorization list
Library . . . .
Owner . . . . . .
Primary group . .
Object
CUSTMAS
CUSTADDR
.
.
.
.
Library
CUSTLIB
CUSTLIB
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
Type
*FILE
*FILE
.
.
.
.
.
.
.
.
:
:
:
:
CUSTLST1
CUSTLIB
OWNAR
DPTAR
Owner
OWNAR
OWNAR
Primary
group
Text
You can also use the Display Authorization List Objects (DSPAUTLOBJ) command
to view or print a list of all objects secured by the list.
Deleting an Authorization List

You cannot delete an authorization list if it is used to secure any objects. Use the
DSPAUTLOBJ command to list all the objects secured by the list. Use either the
155
Edit Object Authority display or the Revoke Object Authority (RVKOBJAUT)

command to change the authority for each object. When the authorization list no
longer secures any objects, use the Delete Authorization List (DLTAUTL) command
to delete it.
How the System Checks Authority

When a user attempts to perform an operation on an object, the system verifies
that the user has adequate authority for the operation. The system first checks
authority to the library or directory path that contains the object. If the authority to
the library or directory path is adequate, the system checks authority to the object
itself. In the case of database files, authority checking is done at the time the file is
opened, not when each individual operation to the file is performed.
During the authority-checking process, when any authority is found (even if it is
not adequate for the requested operation) authority checking stops and access is
granted or denied. The adopted authority function is the exception to this rule.
Adopted authority can override any specific (and inadequate) authority found. See
the topic Objects That Adopt the Owners Authority on page 135 for more
information about adopted authority.
The system verifies a users authority to an object in the following order:
1. Objects authority - fast path
2. Users *ALLOBJ special authority
3. Users specific authority to the object
4. Users authority on the authorization list securing the object
5. Groups *ALLOBJ special authority
6. Groups authority to the object
7. Groups authority on the authorization list securing the object
8. Public authority specified for the object or for the authorization list securing the
object
9. Program owners authority, if adopted authority is used
Note: Authority from one or more of the users groups may be accumulated to
find sufficient authority for the object being accessed.
Authority Checking Flowcharts

Following are charts, descriptions, and examples of how authority is checked. Use
them to answer specific questions about whether a particular authority scheme will
work or diagnose problems with your authority definitions. The charts also
highlight the types of authority that cause the greatest performance impact.
The process of checking authority is divided into a primary flowchart and several
smaller flowcharts showing specific parts of the process. Depending on the
combination of authorities for an object, the steps in some flowcharts may be
repeated several times.
The numbers at the upper left of figures on the flowcharts are used in the
examples following the flowcharts.
The steps representing the search of a profiles private authorities are highlighted:
Step 6 in Flowchart 3 on page 161
Step 6 in Flowchart 6 on page 167
156
Step 2 in Flowchart 8B on page 172

Repeating these steps is likely to cause performance problems in the authority
checking process.
Flowchart 1: Main Authority Checking Process

The steps in Flowchart 1 show the main process the system follows in checking
authority for an object.
157
Figure 13. Flowchart 1: Main Authority Checking Process
Description of Flowchart 1: Main Authority Checking Process
|
|
Note: At any step in the authority checking process, the system may find sufficient
authority and authorize the user to the object.
158
|
|
|
1. The system checks the objects authority. (Refer to Flowchart 2: Fast Path for
Object Authority Checking.) If the system finds that authority is insufficient, it
proceeds to Step 2.
|
|
|
|
|
|
2. The system checks the users authority to the object. (Refer to Flowchart 3: How
User Authority to an Object Is Checked.) If the system determines that the user
does not have authority to the object, it proceeds to Step 3. If the system finds
that the users authority is insufficient, it proceed to Step 6.
3. The system checks whether the user profile belongs to any groups. If it does,
the system proceeds to Step 4. If it does not, the system proceed to Step 5.
|
|
|
|
4. The system determines the group authority. (Refer to Flowchart 6). If the
system determines that the group does not have authority to the object, it
proceeds to Step 5. If the system determines that the group does not have
sufficient authority to the object, it proceeds to Step 6.
|
|
|
|
5. The system checks the public authority of the object. (Refer to Flowchart 7.) If
the system determines that the public authority is insufficient, it proceeds to
Step 6.
6. The system checks the adopted authority of the object. (Refer to Flowchart 8.)
If the user is not authorized, one or more of the following happens:
v A message is sent to the user or program
v The program fails
v An AF entry is written to the audit journal
Flowchart 2: Fast Path for Object Authority Checking

The steps in Flowchart 2 are performed using information stored with the object.
This is the fastest method for authorizing a user to an object.
159
Figure 14. Flowchart 2: Fast Path for Object Authority
Description of Flowchart 2: Fast Path for Object Authority
|
|
|
|
|
|
|
|
|
|
|
1. The system determines whether the object has any private authorities. If it
does, the system returns to calling flowchart with insufficient. If it does not, the
system proceeds to Step 2.
2. The system determines whether the object is secured by an authorization list. If
it is, the system returns to calling flowchart with insufficient. If it does not, the
3. The system determines whether the owner of the object has sufficient authority.
If it does, the system returns to calling flowchart with insufficient. If it does
not, the system proceeds to Step 4.
4. The system determines whether the object has a primary group. If it does, the
system proceeds to Step 5. If it does not the system proceeds to Step 6.
|
|
|
5. The system determines whether the objects primary group has sufficient
authority. If it does, the system proceeds to Step 6. If it does not, the system
returns to calling flowchart with insufficient.
160
|
|
|
6. The system determines whether public authority is sufficient. If it is, the object
is authorized. If it is not, the system returns to calling flowchart with
insufficient.
Flowchart 3: How User Authority to an Object Is Checked

The steps in Flowchart 3 are performed for the individual user profile.
|
|
|
|
|
Figure 15. Flowchart 3: Check User Authority
Description of Flowchart 3: Check User Authority
161
|
|
|
1. The system determines if the user profile has *ALLOBJ authority. If the profile
does have *ALLOBJ authority, then the profile is authorized. If it does not have
*ALLOBJ authority, then the authority checking proceeds to Step 2.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
2. The system sets the authority of the object to the equal the original object. The
authority checking proceeds to Step 3.
3. The system check the owner authority. If the authority is unsufficient, then it
proceeds to Step 8. If no authority is found, then it proceeds to Step 4.
4. The system completes a fast path authority check of the original object. (Refer
to Flowchart 5). If authority is insufficient, then authority checking proceeds to
Step 5.
5. The system determines if the object has private authorities. If it does, then the
authority check proceeds to Step 6. If there are no private authorities, then the
authority checking goes to Step 7.
6. The system check for private authorities with the user profile. If the authority is
sufficient, then the user is authorized. If authority is not sufficient, then the
authority checking proceeds to Step 8. If no authority is found, then the
authority checking proceeds to Step 7.
7. The system determines if the object is secured by an authorization list. If it is
not, then the authority checking proceeds to Step 8. If it is secured by an
authorization list, then the authority checking proceeds to Step 9.
8. The system sets the object to test equal to the original object and returns to the
calling flowchart with insufficient authority or no authority found.
9. The system sets the object to test equal to the authorization list and returns to
Step 3.
Flowchart 4: How Owner Authority Is Checked

Figure 16 shows the process for checking owner authority. The name of the owner
profile and the owners authority to an object are stored with the object.
Several possibilities exist for using the owners authority to access an object:
v
v
v
v
v
v
162
The user profile owns the object.

The user profile owns the authorization list.
The users group profile owns the object.
The users group profile owns the authorization list.
Adopted authority is used, and the program owner owns the object.
Adopted authority is used, and the program owner owns the authorization list.
Figure 16. Flowchart 4: Owner Authority Checking
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Description of Flowchart 4: Owner Authority Checking

1. The system determines if the user profile owns the object being checked. If the
user profile does own the object, then in moves to Step 2. If the user profile
does not own the object, then the system returns to the calling flowchart with
no authority found.
2. If the user profile does own the object, the system then determines if the
owner has authority to the object. If he or she is the owner, then the authority
check proceeds to Step 3. If the system determines that the owner does not
have authority to the object, then the system returns to the calling flowchart
with no authority found.
3. If the owner does have authority to the object, then the system determines
whether or not this authority is sufficient to access to object. If the authority is
sufficient, then the owner is authorized to the object. If it is not sufficient, then
the system returns to the calling flowchart with insufficient authority found.
Flowchart 5: Fast Path for User Authority Checking

Figure 17 on page 164 shows the fast path for testing user authority without
searching private authorities.
163
Figure 17. Flowchart 5: Fast Path for User Authority
Notes for Flowchart 5:

1. Authority is considered less than public if any authority that is present for
*PUBLIC is not present for another user. In the example shown in Table 106, the
public has *OBJOPR, *READ, and *EXECUTE authority to the object. WILSONJ
has *EXCLUDE authority and does not have any of the authorities the public
has. Therefore, this object does have private authority less than its public
authority. (OWNAR also has less authority than the public, but owner authority
is not considered private authority.)
164
Table 106. Public versus Private Authority

Users
Authority
Object Authorities:
*OBJOPR
*OBJMGT
*OBJEXIST
*OBJALTER
*OBJREF
Data Authorities
*READ
*ADD
*UPD
*DLT
*EXECUTE
*EXCLUDE
OWNAR
DPTMG
WILSONJ
*PUBLIC
X
X
X
X
X
X
X
2. This path provides a method for using public authority, if possible, even
though private authority exists for an object. The system tests to make sure that
nothing later in the authority checking process might deny access to the object.
If the result of these tests is Sufficient, searching private authorities can be
avoided.
Description of Flowchart 5: Fast Path for User Authority
This flowchart shows the fast path for testing user authority without searching
private authorities.
1. The system determines if there are any private authorities to the object being
checked. If there are private authorities to the object then the authority check
proceeds to Step 2. If there is no private authority, the authority check proceeds
to Step 3.
2. If private authorities exist, then the system determines if the object has private
authorities that are less than its public authority. (See note 1.) If the object does
have private authorities that are less than its public authority, then the system
returns to the calling flowchart with no authority or insufficient authority
found. If the object does not have private authorities that are less than its
public authority, (See note 2), then the authority check proceeds to Step 3.
3. If the object does not have private authorities that are less than its public
authority, then the system determine if the public authority is sufficient. If the
public authority is sufficient, then the authority check proceeds to Step 4. If the
public authority is insufficient, then system returns to the calling flowchart
with no authority or insufficient authority found.
4. If the public authority is sufficient, then the system determines if the object
owners authority is sufficient. If the object owners authority is sufficient, then
the authority check proceeds to Step 5. If the object owners authority is
insufficient, then system returns to the calling flowchart with no authority or
insufficient authority found.
5. If the object owners authority is sufficient, then the system determines if the
objects primary group authority is sufficient. If the objects primary group
authority is sufficient, then the authority check proceeds to Step 6. If objects
primary group authority is insufficient, then the system returns to the calling
flowchart with no authority or insufficient authority found.
165
6. If the objects primary group authority is sufficient, then the system determines
if the object is secured by an authorization list. If the object is secured by an
authorization list, then the system returns to the calling flowchart with no
authority or insufficient authority found. If the object is not secured by an
authorization list, then the user is authorized to the object.
Flowchart 6: How Group Authority Is Checked

A user may be a member of up to 16 groups. A group may have private authority
to an object, or it may be the primary group for an object.
Authority from one or more of the users groups may be accumulated to find
sufficient authority for the object being accessed. For example, WAGNERB needs
*CHANGE authority to the CRLIM file. *CHANGE authority includes *OBJOPR,
*READ, *ADD, *UPD, *DLT, and *EXECUTE. Table 107 shows the authorities for
the CRLIM file:
Table 107. Accumulated Group Authority
Users
Authority
Object Authorities:
*OBJOPR
*OBJMGT
*OBJEXIST
*OBJALTER
*OBJREF
Data Authorities
*READ
*ADD
*UPD
*DLT
*EXECUTE
*EXCLUDE
OWNAR
DPT506
DPT702
X
X
X
X
X
X
X
X
X
X
X
X
X
*PUBLIC
X
X
X
X
WAGNERB needs both DPT506 and DPT702 to get sufficient authority to the
CRLIM file. DPT506 is missing *DLT authority, and DPT702 is missing *ADD
authority.
Flowchart 6 on page 167 shows the steps in checking group authority.
166
Figure 18. Flowchart 6: Group Authority Checking
Note: If the user is signed on as the profile that is the primary group for an object,
the user cannot receive authority to the object through the primary group.
|
|
|
|
|
|
|
Description of Flowchart 6: Group Authority Checking

1. The system determines if the group has ALLOBJ authority. If it does, then the
group is authorized. If it does not, authority checking proceeds to Step 2.
2. If the group does not have ALLOBJ authority, the system sets the object that is
being checked to be equal to the original object.
3. After the system sets the object to the original, it checks owner authority (See
Flowchart 4) If authority is sufficient, then the group is authorized. If the
167
authority is not sufficient, then the authority check goes to Step 7. If the
authority is not found, then the authority check proceeds to Step 4.
4. If the owner authority is not found, then the system checks if the group is the
objects primary group.
|
|
|
|
Note: If the user is signed on as the profile that is the primary group for an
object, the user cannot receive authority to the object through the
primary group.
If the group is the objects primary group, then the authority check proceeds
to Step 5. If the group is not the objects primary group, then authority check
proceeds to Step 6.
|
|
|
|
|
|
|
|
|
|
5. If the group is the objects primary group, then the system checks and tests
the primary group authority. If primary group authority is sufficient, then the
group is authorized. If primary group authority is insufficient or is not found,
then the authority check goes to Step 7.
|
|
|
|
|
|
|
|
|
|
|
|
6. If the group is not the objects primary group, then the system looks up the
private authorities in the group profile. If authority is found then authority
checking goes to Step 10. If authority is not found then authority checking
proceeds to Step 7.
7. If no authority is found for the private authorities for the group profile then
the system checks to see if the object is secured by an authorization list. If the
object is secured by an authorization list, then the authority check proceeds to
Step 8. If the object is not secured by an authorization list then the authority
check goes to Step 11.
8. If the object is secured by an authorization list, then the system set the object
to be checked equal to the authorization list and authority check returns to
Step 3.
|
|
|
9.
If the user does belong to another group profile, then the system sets this
profile to the next group profile and returns to Step 1 to start the authority
checking process over again.
|
|
|
|
10. If authority is found for private authorities within the group profile, then the
private authorities are checked and tested in the group profile. If authorities
are sufficient, then the group profile is authorized. If it is not sufficient then
the authority check goes to Step 7.
|
|
|
|
|
11. If an object is not secured by an authorization list, then the system checks to
see if the users is associated with another group profile. If the user does
belong to another group profile, then the system goes to Step 9. If the user
does not belong to another group profile then the system returns to the calling
flowchart with insufficient authority or no authority found.
Flowchart 7: How Public Authority Is Checked

When checking public authority, the system must determine whether to use the
public authority for the object or the authorization list. Flowchart 7 shows the
process:
168
Figure 19. Flowchart 7: Check Public Authority
Description of Flowchart 7: Check Public Authority
|
|
Flowchart 7 shows how the system must determine whether to use the public
authority for the object or the authorization list.
|
|
|
|
|
|
1. The system determine if the public authority for the original object is *AUTL. If
the public authority for the original object is *AUTL, then the system proceeds
to Step 2. If the public authority for the original object is not *AUTL, then the
2. If the public authority for the original object is *AUTL, then the system sets the
object being checked equal to the authorization list and proceeds to Step 4.
|
|
3. If the public authority for the original object is not *AUTL, then the system sets
the object being checked to the original object and proceeds to Step 4.
|
|
|
|
|
4. If the object being checked has been set equal to the authorization list or the
original object, the system determines of the public authority is sufficient. If the
public authority is sufficient then user is authorized to the object. If the public
authority is not sufficient then the system returns to the calling flowchart with
insufficient authority.
Flowchart 8: How Adopted Authority Is Checked

If insufficient authority is found by checking user authority, the system checks
adopted authority. The system may use adopted authority from the original
program the user called or from earlier programs in the program stack. To provide
the best performance and minimize the number of times private authorities are
searched, the process for checking adopted authority checks to see if the program
owner has *ALLOBJ special authority or owns the object being tested. This is
repeated for every program in the stack that uses adopted authority.
If sufficient authority is not found, the system checks to see if the program owner
has private authority for the object being checked. This is repeated for every
program in the stack that uses adopted authority.
169
Figure 20 and Figure 21 on page 172 show the process for checking adopted
authority.
Figure 20. Flowchart 8A: Checking Adopted Authority User *ALLOBJ and Owner
|
|
Description of Flowchart 8A: Checking Adopted Authority User *ALLOBJ and

Owner
|
|
|
|
|
|
|
|
Flowchart 8A describes how the system checks adopted authority when insufficient
authority has been found by checking user authority.
1. The system sets the object being checked to the original object and proceeds to
Step 2.
2. The system determines if the program adopts authority. If the program does
adopt authority then the authority checking proceeds to Step 3. If the program
does not adopt authority and the authority is insufficient, then authority
checking goes to Step 5.
170
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
3. If the program does adopt authority, then the system determines if the program
owner has *ALLOBJ authority. If the program owner does have *ALLOBJ
authority, then the user is authorized. If the program owner does not have
*ALLOBJ authority, then the authority checking proceeds to Step 4.
4. If the program owner does not have *ALLOBJ authority, then the system checks
and tests the owner authority. If the authority is sufficient, then the user is
authorized. If the authority is insufficient then authority checking proceeds to
Step 5.
5. The system checks USEADPAUT value for the program currently being test. If
the value equals *NO then authority checking proceeds to Step 8. If the value is
equal to *YES then the authority checking proceeds to Step 6.
6. If the USEADPAUT value is equal to *YES, then the system determine if there
are more programs waiting in the stack. If there are more programs in the
stack, then authority checking proceeds to Step 7. If there are not any more
programs waiting in the stack, then authority checking goes to Step 8.
7. If there are more programs in the stack, the system test the next program in
the stack.
|
|
|
|
|
8. If there are no more programs in the stack or the USEADPAUT value is equal
to *NO, then system sets the object and program to the original values and
proceeds to Step 9.
9. The system check private authority. This is described in Flowchart 8B:
Checking Adopted Authority Using Private Authorities.
171
Figure 21. Flowchart 8B: Checking Adopted Authority Using Private Authorities
Description of Flowchart 8B: Checking Adopted Authority Using Private

Authorities
1. The system determines whether the program can adopt authority. If yes,
proceed to Step 2. If no, proceed to Step 7.
2. The system determines whether the object has private authorities. If yes,
proceed to Step 3. If no, proceed to Step 4.
|
|
|
|
|
|
172
|
|
|
|
|
|
|
|
|
|
|
|
3. The system checks the private and primary group authorities for the program
owner. If authority is sufficient, the program is authorized. If insufficient
authority is found, proceed to Step 7. If no authority is found, proceed to Step
4.
4. The system determines whether the object is secured by an authorization list.
If yes, proceed to Step 5. If no, proceed to Step 7.
5. The system sets object equal to authorization list and then proceeds to Step 6.
6. The system checks the owners authority to the authorization list. (Refer to
Flowchart 4.) If not authority is found, go back to Step 2. If sufficient
authority is found, the program is authorized.
7. The system tests the USEADPAUT authority value for the program currently
being checked. If *YES, proceed to Step 8. If *NO, access denied.
|
|
|
8. The system checks whether there are more programs in the stack. If yes,
proceed to Step 9. If no, access denied.
9. The system sets object equal to original object and proceeds to Step 10.
10. Text using next program in stack and start back at Step 1.
Authority Checking Examples

Following are several examples of authority checking. These examples demonstrate
the steps the system uses to determine whether a user is allowed a requested
access to an object. These examples are intended to show how authority checking
works and where potential performance problems may occur.
Figure 22 shows the authorities for the PRICES file. Following the figure are
several examples of requested access to this file and the authority checking process.
In the examples, searching private authorities (Flowchart 4, step 6) is highlighted
because this is the part of the authority checking process that can cause
performance problems if it is repeated several times.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
||
|
|
|

Object . . . . . . . :
Library . . . . . :
Object type
. . . :
PRICES
CONTRACTS
*FILE
Owner . . . . . . . :
Object secured by authorization list . . . . . . . . . . . . :

User
OWNCP
DPTSM
DPTMG
WILSONJ
*PUBLIC
Group
OWNCP
*NONE
*SYSBAS
*NONE
Object
Authority
*ALL
*CHANGE
*CHANGE
*USE
*USE
Figure 22. Authority for the PRICES File
Case 1: Using Private Group Authority

User ROSSM wants to access the PRICES file using the program CPPGM01.
CPPGM01 requires *CHANGE authority to the file. ROSSM is a member of group
profile DPTSM. Neither ROSSM nor DPTSM has *ALLOBJ special authority. The
system performs these steps in determining whether to allow ROSSM access to the
PRICES file:
173
1. Flowchart 1, step 1.
a. Flowchart 2, step 1.
a. Flowchart 3, steps 1 and 2. Object to check = CONTRACTS/PRICES *FILE.
b. Flowchart 3, step 3.
1) Flowchart 4, step 1. Return to Flowchart 3 with no authority found.
ROSSM does not own the PRICES file.
c. Flowchart 3, step 4.
1) Flowchart 5, steps 1, 2, and 3. Public is not sufficient.
d. Flowchart 3, step 5.
e. Flowchart 3, step 6. ROSSM does not have private authority to the PRICES
file.
f. Flowchart 3, steps 7 and 8. The PRICES file is not secured by an
authorization list. Return to Flowchart 1 with no authority found.
3. Flowchart 1, steps 3 and 4. DPTSM is the group profile for ROSSM.
a. Flowchart 6, steps 1, 2, and 3.
1) Flowchart 4, step 1. DPTSM does not own the PRICES file.
b. Flowchart 6, step 4. DPTSM is not the primary group for the PRICES file.
c. Flowchart 6, step 6. Authorized. (DPTSM has *CHANGE authority.)
Result: ROSSM is authorized because the group profile DPTSM has *CHANGE
authority.
Analysis: Using group authority in this example is a good method for managing
authorities. It reduces the number of private authorities on the system and is easy
to understand and audit. However, using private group authority usually causes
two searches of private authorities (for the user and the group), when public
authority is not adequate. One search of the private authority could have been
avoided by making DPTSM the primary group for the PRICES file.
Case 2: Using Primary Group Authority

ANDERSJ needs *CHANGE authority to the CREDIT file. ANDERSJ is a member
of the DPTAR group. Neither ANDERSJ nor DPTAR has *ALLOBJ special
authority. Figure 23 shows the authorities for the CREDIT file.
|
|
|
|
|
|
|
|
|
|
|
|
|
||
Object . . . . . . . :
Library . . . . . :
Object type
. . . :
CREDIT
ACCTSRCV
*FILE
Owner . . . . . . . :

User
OWNAR
DPTAR
*PUBLIC
|
|
Group
Object
Authority
*ALL
*CHANGE
*USE
Figure 23. Authority for the CREDIT File
174
OWNAR
DPTAR
*SYSBAS
*NONE
The system performs these steps to determine whether to allow ANDERSJ to have
*CHANGE access to the CREDIT file:
a. Flowchart 2, step 1. DPTARs authority is primary group authority, not
private authority.
b. Flowchart 2, steps 2, 3, 4, 5, and 6. Public authority is not sufficient.
a. Flowchart 3, steps 1 and 2. Object to check = ACCTSRCV/CREDIT *FILE.
1) Flowchart 4, step 1. ANDERSJ does not own the CREDIT file. Return to
Flowchart 3 with no authority found.
1) Flowchart 5, step 1. The CREDIT file has no private authorities.
2) Flowchart 5, step 3. Public authority is not sufficient. Return to
d. Flowchart 3, steps 5, 7, and 8. The CREDIT file is not secured by an
3. Flowchart 1, steps 3 and 4. ANDERSJ is a member of the DPTAR group profile.
a. Flowchart 6, steps 1 and 2. Object to check = ACCTSRCV/CREDIT *FILE.
1) Flowchart 4, step 1. DPTAR does not own the CREDIT file. Return to
c. Flowchart 6, steps 4 and 5. Authorized. DPTAR is the primary group for the
CREDIT file and has *CHANGE authority.
Result: ANDERSJ is authorized because DPTAR is the primary group for the
CREDIT file and has *CHANGE authority.
Analysis: If you use primary group authority, the authority checking performance
is better than if you specify private authority for the group. This example does not
require any search of private authorities.
Case 3: Using Public Authority

User JONESP wants to access the CREDIT file using the program CPPGM06.
CPPGM06 requires *USE authority to the file. JONESP is a member of group
profile DPTSM and does not have *ALLOBJ special authority. The system performs
these steps in determining whether to allow JONESP access to the CREDIT file:
a. Flowchart 2, step 1. The CREDIT file has no private authorities. DPTARs
authority is primary group authority, not private authority.
b. Flowchart 2, steps 2 and 3. Owners authority (OWNAR) is sufficient.
c. Flowchart 2, steps 4 and 5. Primary group authority (DPTAR) is sufficient.
d. Flowchart 2, step 6. Authorized. Public authority is sufficient.
Analysis: This example shows the performance benefit gained when you avoid
defining any private authorities for an object.
Case 4: Using Public Authority Without Searching Private

Authority
User JONESP wants to access the PRICES file using the program CPPGM06.
CPPGM06 requires *USE authority to the file. JONESP is a member of group
175
profile DPTSM and does not have *ALLOBJ special authority. The system performs
these steps in determining whether to allow JONESP access to the PRICES file:
a. Flowchart 2, step 1. The PRICES file has private authorities.
1) Flowchart 4, step 1. JONESP does not own the PRICES file. Return to
1) Flowchart 5, steps 1, 2, and 3. Public authority is sufficient.
2) Flowchart 5, step 4. Owner authority is sufficient. (OWNCP has *ALL.)
3) Flowchart 5, step 5. The PRICES file does not have a primary group.
4) Flowchart 5, step 6. Authorized. (The PRICES file is not secured by an
authorization list.)
Analysis: This example shows the performance benefit gained when you avoid
defining any private authorities for an object that are less than public authority.
Although private authority exists for the PRICES file, the public authority is
sufficient for this request and can be used without searching private authorities.
Case 5: Using Adopted Authority

User SMITHG wants to access the PRICES file using program CPPGM08. SMITHG
is not a member of a group and does not have *ALLOBJ special authority. Program
CPPGM08 requires *CHANGE authority to the file. CPPGM08 is owned by the
profile OWNCP and adopts owner authority (USRPRF is *OWNER).
1) Flowchart 4, step 1. SMITHG does not own the PRICES file. Return to
e. Flowchart 3, step 6. SMITHG does not have private authority.
f. Flowchart 3, steps 7 and 8. The PRICES file is not secured by an
3. Flowchart 1, step 3. SMITHG does not have a group.
a. Flowchart 7, step 1. Public authority is not *AUTL.
b. Flowchart 7, step 3. Object to check = CONTRACTS/PRICES *FILE.
c. Flowchart 7, step 4. Public authority is not sufficient.
a. Flowchart 8A, step 1. Object to check = CONTRACTS/PRICES *FILE.
b. Flowchart 8A, steps 2 and 3. OWNCP does not have *ALLOBJ authority.
c. Flowchart 8A, step 4.
176
1) Flowchart 4, steps 1, 2, and 3. Authorized. OWNCP owns the PRICES

files and has sufficient authority.
Analysis: This example demonstrates the performance advantage in using
adopted authority when the program owner also owns the application objects.
The number of steps required to perform authority checking has almost no impact
on performance, because most of the steps do not require retrieving new
information. In this example, although many steps are performed, private
authorities are searched only once (for user SMITHG).
Compare this with Case 1 on page Case 1: Using Private Group Authority on
page 173.
v If you were to change Case 1 so that the group profile DPTSM owns the PRICES
file and has *ALL authority to it, the performance characteristics of the two
examples would be the same. However, having a group profile own application
objects may represent a security exposure. The members of the group always
have the groups (owner) authority, unless you specifically give group members
less authority. When you use adopted authority, you can control the situations in
which owner authority is used.
v You could also change Case 1 so that DPTSM is the primary group for the
PRICES file and has *CHANGE authority to it. If DPTSM is the first group for
SMITHG (specified in the GRPPRF parameter of SMITHGs user profile), the
performance characteristics would be the same as Case 5.
Case 6: User and Group Authority

User WILSONJ wants to access file PRICES using program CPPGM01, which
requires *CHANGE authority. WILSONJ is a member of group profile DPTSM and
does not have *ALLOBJ special authority. Program CPPGM01 does not use
adopted authority, and it ignores any previous adopted authority (USEADPAUT is
*NO).
a. Flowchart 2, step 1. PRICES has private authorities.
1) Flowchart 4, step 1. WILSONJ does not own the PRICES file. Return to
e. Flowchart 3, step 6. WILSONJ has *USE authority, which is not sufficient.
f. Flowchart 3, step 8. Object to test = CONTRACTS/PRICES *FILE. Return to
Flowchart 1 with insufficient authority.
a. Flowchart 8A, step 1. Object to check = CONTRACTS/PRICES *FILE.
b. Flowchart 8A, step 2. Program CPPGM01 does not adopt authority.
c. Flowchart 8A, step 5. The *USEADPAUT parameter for the CPPGM01
program is *NO.
d. Flowchart 8A, steps 8 and 9.
1) Flowchart 8B, step 1. Program CPPGM01 does not adopt authority.
177
2) Flowchart 8B, step 7. The *USEADPAUT parameter for the CPPGM01

program is *NO. Access is denied.
Analysis: This example demonstrates that a user can be denied access to an object
even though the users group has sufficient authority.
Giving a user the same authority as the public but less than the users group does
not affect the performance of authority checking for other users. However, if
WILSONJ had *EXCLUDE authority (less than public), you would lose the
performance benefits shown in Case 4.
Although this example has many steps, private authorities are searched only once.
This should provide acceptable performance.
Case 7: Public Authority without Private Authority

The authority information for the ITEM file looks like this:
|
|
|
|
|
|
|
|
|
|
|
|
|
||

Object . . . . . . . :
Library . . . . . :
ITEM
ITEMLIB
*FILE
Owner . . . . . . . :

User
OWNIC
*PUBLIC
|
|
Group
OWNIC
*NONE
*SYSBAS
*NONE
Object
Authority
*ALL
*USE
Figure 24. Display Object Authority
ROSSM needs *USE authority to the ITEM file. ROSSM is a member of the DPTSM
group profile. These are the authority-checking steps:
a. Flowchart 2, steps 1, 2, and 3. OWNICs authority is sufficient.
b. Flowchart 2, step 4. The ITEM file does not have a primary group.
c. Flowchart 2, step 6. Authorized. Public authority is sufficient.
Analysis: Public authority provides the best performance when it is used without
any private authorities. In this example, private authorities are never searched.
Case 8: Adopted Authority without Private Authority

For this example, all programs in the application are owned by the OWNIC profile.
Any program in the application requiring more than *USE authority adopts owner
authority. These are the steps for user WILSONJ to obtain *CHANGE authority to
the ITEM file using program ICPGM10, which adopts authority:
a. Flowchart 2, steps 1, 2, 3, 4, and 6. Public authority is not sufficient.
a. Flowchart 3, steps 1 and 2. Object to check = ITEMLIB/ITEM *FILE.
178
1) Flowchart 4, step 1. WILSONJ does not own the ITEM file. Return to
1) Flowchart 5, steps 1 and 3. Public authority is not sufficient. Return to
d. Flowchart 3, steps 5, 7, and 8. The ITEM file is not secured by an
3. Flowchart 1, steps 3 and 5. (WILSONJ does not have a group profile.)
a. Flowchart 7, steps 1, 3, and 4. The public has *USE authority, which is not
sufficient.
a. Flowchart 8A, step 1. Object to check = ITEMLIB/ITEM *FILE.
b. Flowchart 8A, steps 2, 3, and 4. The OWNIC profile does not have *ALLOBJ
authority.
1) Flowchart 4, steps 1, 2, and 3. Authorized. OWNIC has sufficient
authority to the ITEM file.
Analysis: This example shows the benefits of using adopted authority without
private authority, particularly if the owner of the programs also owns application
objects. This example did not require searching private authorities.
Case 9: Using an Authorization List

The ARWKR01 file in library CUSTLIB is secured by the ARLST1 authorization list.
Figure 25 and Figure 26 on page 180 show the authorities:
|
|
|
|
|
|
|
|
|
|
|
|
|
||
|
|

Object . . . . . . . :
Library . . . . . :
ARWRK01
CUSTLIB
*FILE
Owner . . . . . . . :
Object secured by authorization list. . . . . . . . . . . . :

User
OWNCP
*PUBLIC
Group
OWNAR
*NONE
*SYSBAS
ARLST1
Object
Authority
*ALL
*USE
Figure 25. Authority for the ARWRK01 File
179
Display Authorization List

Object . . . . . . . :
Library . . . . . :
User
OWNCP
AMESJ
*PUBLIC
Group
ARLST1
QSYS
Owner . . . . . . . :
OWNAR
*NONE
Object
List
Authority Mgt
*ALL
*CHANGE
*USE
Figure 26. Authority for the ARLST1 Authorization List
User AMESJ, who is not a member of a group profile, needs *CHANGE authority
to the ARWRK01 file. These are the authority-checking steps:
a. Flowchart 2, steps 1 and 2. The ARWRK01 file is secured by an
authorization list.
a. Flowchart 3, steps 1 and 2. Object to check = CUSTLIB/ARWRK01 *FILE.
1) Flowchart 4, step 1. AMESJ does not own the ARWRK01 file. Return to
1) Flowchart 5, steps 1 and 3. Public authority is not sufficient. Return to
d. Flowchart 3, steps 5, 7, and 9. Object to check = ARLST1 *AUTL.
e. Flowchart 3, step 3.
1) Flowchart 4, step 1. AMESJ does not own the ARLST1 authorization list.
Return to Flowchart 3 with no authority found.
f. Flowchart 3, steps 4 and 5.
g. Flowchart 3, step 6. Authorized. AMESJ has *CHANGE authority to the
ARLST1 authorization list.
Analysis: This example demonstrates that authorization lists can make authorities
easy to manage and provide good performance. This is particularly true if objects
secured by the authorization list do not have any private authorities.
If AMESJ were a member of a group profile, it would add additional steps to this
example, but it would not add an additional search of private authorities, as long
as no private authorities are defined for the ARWRK01 file. Performance problems
are most likely to occur when private authorities, authorization lists, and group
profiles are combined, as in Case 11: Combining Authorization Methods on
page 181.
Case 10: Using Multiple Groups

WOODBC needs *CHANGE authority to the CRLIM file. WOODBC is a member
of three groups: DPTAR, DPTSM, and DPTMG. DPTAR is the first group profile
(GRPPRF). DPTSM and DPTMG are supplemental group profiles (SUPGRPPRF).
Figure 27 on page 181 shows the authorities for the CRLIM file:
180
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
||
|
|

Object . . . . . . . :
Library . . . . . :
Object type
. . . :
CRLIM
CUSTLIB
*FILE
Owner . . . . . . . :

User
OWNAR
DPTAR
DPTSM
*PUBLIC
Group
OWNAR
DPTAR
*SYSBAS
*NONE
Object
Authority
*ALL
*CHANGE
*USE
*EXCLUDE
Figure 27. Authority for the CRLIM File
These are the authority checking steps:

a. Flowchart 2, step 1. Return to calling flowchart with insufficient authority.
a. Flowchart 3, steps 1 and 2. Object to check = CUSTLIB/CRLIM *FILE.
1) Flowchart 4, step 1. WOODBC does not own the CRLIM file. Return to
1) Flowchart 5, steps 1, 2 and 3. Public authority is not sufficient.
e. Flowchart 3, step 6. WOODBC does not have any authority to the CRLIM
file.
f. Flowchart 3, steps 7 and 8. The CRLIM file is not secured by an
3. Flowchart 1, steps 3 and 4. The first group for WOODBC is DPTAR.
a. Flowchart 6, steps 1 and 2. Object to check = CUSTLIB/CRLIM *FILE.
1) Flowchart 4, step 1. DPTAR does not own the CRLIM file. Return to
c. Flowchart 6, steps 4 and 5. Authorized. DPTAR is the primary group and
has sufficient authority.
Case 11: Combining Authorization Methods

WAGNERB needs *ALL authority to the CRLIMWRK file. WAGNERB is a member
of these groups: DPTSM, DPT702, and DPTAR. WAGNERBs first group (GRPPRF)
is DPTSM. Figure 28 on page 182 shows the authority for the CRLIMWRK file.
181
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
||

Object . . . . . . . :
Library . . . . . :
Object type
. . . :
CRLIMWRK
CUSTLIB
*FILE
Owner . . . . . . . :

User
OWNAR
DPTSM
WILSONJ
*PUBLIC
|
|
Group
OWNAR
*NONE
*SYSBAS
CRLST1
Object
Authority
*ALL
*USE
*EXCLUDE
*USE
Figure 28. Authority for CRLIMWRK File
The CRLIMWRK file is secured by the CRLST1 authorization list. Figure 29 shows
the authority for the CRLST1 authorization list.

Object . . . . . . . :
Library . . . . . :
User
OWNAR
DPTAR
*PUBLIC
Group
CRLST1
QSYS
Owner . . . . . . . :
Primary Group . . . :
OWNAR
DPTAR
Object
List
Authority Mgt
*ALL
X
*ALL
*EXCLUDE
Figure 29. Authority for the CRLST1 Authorization List
This example shows many of the possibilities for authority checking. It also
demonstrates how using too many authority options for an object can result in
poor performance.
Following are the steps required to check WAGNERBs authority to the
CRLIMWRK file:
a. Flowchart 3, steps 1 and 2. Object to check = CUSTLIB/CRLIMWRK
*FILE.
1) Flowchart 4, step 1. WAGNERB does not own the CRLIMWRK file.
Return to Flowchart 3 with no authority found.
1) Flowchart 5, steps 1 and 2. WILSONJ has *EXCLUDE authority, which
is less than the public authority of *USE.
182
d. Flowchart 3, steps 5 and 6 (first search of private authorities). WAGNERB

does not have private authority.
e. Flowchart 3, steps 7 and 9. Object to check = CRLST1 *AUTL.
f. Flowchart 3, step 3.
1) Flowchart 4, step 1. WILSONJ does not own CRLST1. Return to
g. Flowchart 3, steps 4 and 5.
h. Flowchart 3, step 6 (second search of private authorities). WAGNERB
does not have private authority to CRLST1.
i. Flowchart 3, steps 7 and 8. Object to check = CUSTLIB/CRLIMWRK *FILE.
3. Flowchart 1, steps 3 and 4. WAGNERBs first group profile is DPTSM.
a. Flowchart 6, steps 1 and 2. Object to check = CUSTLIB/CRLIMWRK
*FILE.
1) Flowchart 4, step 1. DPTSM does not own the CRLIMWRK file. Return
to Flowchart 6 with no authority found.
c. Flowchart 6, step 4. DPTSM is not the primary group for the CRLIMWRK
file.
d. Flowchart 6, step 6 (third search of private authorities). DPTSM has *USE
authority to the CRLIMWRK file, which is not sufficient.
e. Flowchart 6, step 6 continued. *USE authority is added to any authorities
already found for WAGNERBs groups (none). Sufficient authority has not
yet been found.
f. Flowchart 6, steps 9 and 10. WAGNERBs next group is DPT702.
g. Flowchart 6, steps 1 and 2. Object to check = CUSTLIB/CRLIMWRK
*FILE.
h. Flowchart 6, step 3.
1) Flowchart 4, step 1. DPT702 does not own the CRLIMWRK file. Return
i. Flowchart 6, step 4. DPT702 is not the primary group for the CRLIMWRK
file.
j. Flowchart 6, step 6 (fourth search of private authorities). DPT702 has no
authority to the CRLIMWRK file.
k. Flowchart 6, steps 7 and 8. Object to check = CRLST1 *AUTL
l. Flowchart 6, step 3.
1) Flowchart 5, step 1. DPT702 does not own the CRLST1 authorization
list. Return to Flowchart 6 with no authority found.
m. Flowchart 6, steps 4 and 6. (fifth search of private authorities). DPT702
has no authority to the CRLST1 authorization list.
n. Flowchart 6, steps 7, 9, and 10. DPTAR is WAGNERBs next group profile.
o. Flowchart 6, steps 1 and 2. Object to check = CUSTLIB/CRLIMWRK
*FILE.
p. Flowchart 6, step 3.
1) Flowchart 4, step 1. DPTAR does not own the CRLIMWRK file. Return
q. Flowchart 6, steps 4 and 6. (sixth search of private authorities). DPTAR
has no authority to the CRLIMWRK file.
r. Flowchart 6, steps 7 and 8. Object to check = CRLST1 *AUTL
183
s. Flowchart 6, step 3.
1) Flowchart 4, step 1. DPTAR does not own the CRLST1 authorization
list. Return to Flowchart 6 with no authority found.
t. Flowchart 6, steps 4 and 5. Authorized. DPTAR is the primary group for
the CRLST1 authorization list and has *ALL authority.
Result: WAGNERB is authorized to perform the requested operation using
DPTARs primary group authority to the CRLIST1 authorization list.
Analysis: This example demonstrates poor authority design, both from a
management and performance standpoint. Too many options are used, making it
difficult to understand, change, and audit. Private authorities are searched 6
separate times, which may cause noticeable performance problems:
Profile
Object
Type
Result
WAGNERB
WAGNERB
DPTSM
CRLIMWRK
CRLST1
CRLIMWRK
*FILE
*AUTL
*FILE
DPT702
DPT702
DPTAR
CRLIMWRK
CRLST1
CRLIMWRK
*FILE
*AUTL
*FILE
No authority found
No authority found
*USE authority
(insufficient)
No authority found
No authority found
No authority found
Changing the sequence of WAGNERBs group profiles would change the

performance characteristics of this example. Assume DPTAR is WAGNERBs first
group profile (GRPPRF). The system would search private authorities 3 times
before finding DPTARs primary group authority to the CRLST1 authorization list.
v WAGNERB authority for CRLIMWRK file
v WAGNERB authority for CRLST1 authorization list
v DPTAR authority for CRLIMWRK file
Careful planning of group profiles and authorization lists is essential to good
system performance.
Authority Cache
In Version 3, Release 7, the system creates an authority cache for a user the first
time the user accesses an object. Each time the object is accessed, the system looks
for authority in the users cache before looking at the userss profile. This results in
a faster check for private authority.
The authority cache contains up to 32 private authorities to objects and up to 32
private authorities to authorization lists. The cache is updated when a user
authority is granted or revoked. All user caches are cleared when the system IPL is
performed.
While limited use of private authorities is recommended, the cache offers
flexibility. For example, you can choose how to secure objects with less concern
about the impact on system performance. This is especially true if users access the
same objects repeatedly.
184
Chapter 6. Work Management Security

This chapter discusses security issues associated with work management on the
system:
Job initiation
Workstations
Subsystem descriptions
Job descriptions
Library lists
Printing
Network attributes
Performance tuning
For complete information about work management topics, see the Work
Management book.
Job Initiation
When you start a job on the system, objects are associated with the job, such as an
output queue, a job description, and the libraries on the library list. Authority for
some of these objects is checked before the job is allowed to start and for other
objects after the job starts. Inadequate authority may cause errors or may cause the
job to end.
Objects that are part of the job structure for a job may be specified in the job
description, the user profile, and on the Submit Job (SBMJOB) command for a
batch job.
Starting an Interactive Job

Following is a description of the security activity performed when an interactive
job is started. Because many possibilities exist for specifying the objects used by a
job, this is only an example.
When an authority failure occurs during the sign-on process, a message appears at
the bottom of the Sign On display describing the error. Some authority failures also
cause a job log to be written. If a user is unable to sign on because of an authority
failure, either change the users profile to specify a different object or grant the user
authority to the object.
After the user enters a user ID and password, these steps are performed before a
job is actually started on the system:
1. The user profile and password are verified. The status of the user profile must
be *ENABLED. The user profile that is specified on the sign-on display must
have *OBJOPR, and *CHANGE authority to itself.
2. The users authority to use the workstation is checked. See Workstations on
page 187 for details.
3. The system verifies authority for the values in the user profile and in the users
job description that are used to build the job structure, such as:
Job description
185
Output queue
Current library
Libraries in library list
If any of these objects does not exist or the user does not have adequate
authority, a message is displayed at the bottom of the Sign On display, and the
user is unable to sign on. If authority is successfully verified for these objects,
the job is started on the system.
Note: Authority to the print device and job queue is not verified until the user
attempts to use them.
After the job is started, these steps are performed before the user sees the first
display or menu:
1. If the routing entry for the job specifies a user program, normal authority
checking is done for the program, the program library, and any objects used by
the program. If authority is not adequate, a message is sent to the user on the
Sign On display and the job ends.
2. If the routing entry specifies the command processor (QCMD):
a. Authority checking is done for the QCMD processor program, the program
library, and any objects used, as described in step 1.
b. The users authority to the Attention-key-handling program and library is
checked. If authority is not adequate, a message is sent to the user and
written to the job log. Processing continues.
If authority is adequate, the Attention-key-handling program is activated.
The program is not started until the first time the user presses the Attention
key. At that time, normal authority checking is done for the objects used by
the program.
c. Normal authority checking is done for the initial program (and its
associated objects) specified in the user profile. If authority is adequate, the
program is started. If authority is not adequate, a message is sent to the
user and written to the job log. The job ends.
d. Normal authority checking is done for the initial menu (and its associated
objects) specified in the user profile. If authority is adequate, the menu is
displayed. If authority is not adequate, a message is sent to the user and
written to the job log. The job ends.
Starting a Batch Job

Following is a description of the security activity performed when a batch job is
started. Because several methods exist for submitting batch jobs and for specifying
the objects used by the job, this is only a guideline. This example uses a job
submitted from an interactive job using the submit job (SBMJOB) command.
When you enter the SBMJOB command, this checking is performed before the job
is added to the job queue:
1. If you specify a user profile on the SBMJOB command, you must have *USE
2. Authority is checked for objects specified as parameters on the SBMJOB
command and in the job description. Authority is checked for the user profile
the job will run under.
186
3. If the security level is 40 and the SBMJOB command specifies USER(*JOBD),

the user submitting the job must have *USE authority to the user profile in the
job description.
4. If an object does not exist or if authority is not adequate, a message is sent to
the user and the job is not submitted.
When the system selects the job from the job queue and attempts to start the job,
the authority checking sequence is similar to the sequence for starting an
interactive job.
Adopted Authority and Batch Jobs

When a new job is started, a new program stack is created for the job. Adopted
authority cannot take effect until the first program is added to the program stack.
Adopted authority cannot be used to gain access to any objects, such as an output
queue or a job description, that are added to the job structure before the job is
routed. Therefore, even if your interactive job is running under adopted authority
when you submit a job, that adopted authority is not used when authority is
checked for the objects on your SBMJOB request.
You can change characteristics of a batch job when it is waiting to run, using the
Change Job (CHGJOB) command. See 369 for the authority that is required to
change parameters for a job.
Workstations
A device description contains information about a particular device or logical unit
that is attached to the system. When you sign on the system, your workstation is
attached to either a physical or virtual device description. To successfully sign on,
you must have *CHANGE authority to the device description.
The QLMTSECOFR (limit security officer) system value controls whether users
with *ALLOBJ or *SERVICE special authority must be specifically authorized to
device descriptions.
Figure 30 on page 188 shows the logic for determining whether a user is allowed to
sign on at a device:
187
Figure 30. Authority Checking for Workstations
Note: Normal authority checking is performed to determine whether the user has
at least *CHANGE authority to the device description. *CHANGE authority
may be found by using the following:
v *ALLOBJ special authority from the user profile, group profile, or
supplemental group profiles.
v Private authority to the device description in the user profile, the group
profile, or supplemental group profiles.
v Authority to an authorization list used to secure the device description.
v Authority to an authorization list used to secure the public authority.
188
Authority checking for the device description is done before any programs
are in the program stack for the job; therefore, adopted authority does not
apply.
|
Description of Authority Checking for Workstations
|
|
|
|
The system determines the users authority to the workstation. (See note 1) If the
authority is less than *CHANGE then the sign-on fails. If the authority is
*CHANGE or greater than the system check to see it the security level on the
system is 30 or higher. If it is not, then the user is allowed to sign-on.
|
|
|
If the security level is 30 or higher, the system checks if the user has *ALLOBJ or
*SERVICE special authorities. If the user does not have either of these special
authorities, then sign-on is allowed.
|
|
|
If the user has either *ALLOBJ or *SERVICE special authorities, then the system
checks if the QLMTSECOFR system value is set to 1. If it is not set to 1, then
sign-on is allowed.
|
|
|
|
|
If the QLMTSECOFR system value is set to 1, then the system will test the users
authority to the workstation. If the users authority is *CHANGE or higher, then
sign-on is allowed. If the users authority is less than *CHANGE, sign-on fails. If
the user has no authority to the workstation, the system checks the users group
authority to the workstation.
|
|
|
|
If the users group authority is *CHANGE or higher, then sign-on is allowed. If the
users group authority is less than *CHANGE, sign-on fails. If the user has no
authority to the workstation, the system checks whether or not the user has
*SERVICE but not *ALLOBJ special authority.
|
|
|
If the user has *SERVICE but not *ALLOBJ special authority, then sign-on fails. If
the user does have *SERVICE but not *ALLOBJ special authority, then the system
checks if QSECOFR has *CHANGE or higher.
|
|
If QSECOFR does not have*CHANGE or higher, then sign-on fails. If QSECOFR

has *CHANGE or higher, then sign-on is allowed.
The security officer (QSECOFR), service (QSRV), and basic service (QSRVBAS) user
profiles are always allowed to sign on at the console. The QCONSOLE (console)
system value is used to determine which device is the console. If the QSRV or
QSRVBAS profile attempts to sign on at the console and does not have *CHANGE
authority, the system grants *CHANGE authority to the profile and allows sign-on.
Ownership of Device Descriptions

The default public authority on the CRTDEVxxx commands is *LIBCRTAUT.
Devices are created in library QSYS, which is shipped with a CRTAUT value of
*SYSVAL. The shipped value for the QCRTAUT system value is *CHANGE.
To limit the users who can sign on at a workstation, set the public authority for the
workstation to *EXCLUDE and give *CHANGE authority to specific users or
groups.
The security officer (QSECOFR) is not specifically given authority to any devices. If
the QLMTSECOFR system value is set to 1 (YES), you must give the security
189
officer *CHANGE authority to devices. Anyone with *OBJMGT and *CHANGE

authority to a device can give *CHANGE authority to another user.
If a device description is created by the security officer, the security officer owns
that device and is specifically given *ALL authority to it. When the system
automatically configures devices, most devices are owned by the QPGMR profile.
Devices created by the QLUS program (*APPC type devices) are owned by the
QSYS profile.
If you plan to use the QLMTSECOFR system value to limit where the security
officer can sign on, any devices you create should be owned by a profile other than
QSECOFR.
To change ownership of a display device description, the device must be powered
on and varied on. Sign on at the device and change the ownership using the
CHGOBJOWN command. If you are not signed on at the device, you must allocate
the device before changing ownership, using the Allocate Object (ALCOBJ)
command. You can allocate the device only if no one is using it. After you have
changed ownership, deallocate the device using the Deallocate Object (DLCOBJ)
command.
Signon screen display file

The system administrator can change the system signon display to add text or
company logo to the display. Care must be taken to make sure the field names or
buffer lengths of the display file are not changed when adding text to the display
file. Changing the field names or buffer lengths may cause signon to fail.
Changing the signon screen display

The source code for the signon display file is shipped with the operating system.
The source is shipped in file QSYS/QAWTSSRC. This source code can be changed
to add text to the signon screen display. Field names and buffer lengths should not
be changed.
Display file source for the Signon screen

The source for the signon display file is shipped as a member (QDSIGNON or
QDSIGNON2) in the QSYS/QAWTSSRC physical file. QDSIGNON contains the
source for the signon screen source used when system value QPWDLVL is set to 0
or 1. Member QDSIGNON2 contains the signon screen source used when the
system value QPWDLVL is set to 2 or 3.
The file QSYS/QAWTSSRC is deleted and restored each time the OS/400
operating system is installed. If you plan to create your own version of the signon
screen, then you should first copy the appropriate source file member, either
QDSIGNON or QDSIGNON2, to your own source file and make changes to the
copy in your source file.
Changing the signon display file

To change the format of the Signon display:
1. Create a changed signon display file.
A hidden field in the display file named UBUFFER can be changed to manage
smaller fields. UBUFFER is 128 bytes long and is stated as the last field in the
display file. This field can be changed to function as an input/output buffer so
the data specified in this field of the display will be available to application
190
programs when the interactive job is started. You can change the UBUFFER
field to contain as many smaller fields as you need if the following
requirements are met:
v The new fields must follow all other fields in the display file. The location of
the fields on the display does not matter as long as the order in which they
are put in the data description specifications (DDS) meets this requirement.
v The length must total 128. If the length of the fields is more than 128, some
of the data will not be passed.
v All fields must be input/output fields (type B in DDS source) or hidden
fields (type H in DDS source).
2. The order in which the fields in the signon display file are declared must not
be changed. The position in which they are shown on the display can be
changed. Do not change the existing field names in the source for the signon
screen display file.
3. Do not change the total size of the input or output buffers. Serious problems
can occur if the order or size of the buffers are changed.
4. Do not use the data descriptions specifications (DDS) help function in the
signon display file.
5. Change a subsystem description to use the changed display file instead of the
system default of QSYS/QDSIGNON. You can change the subsystem
descriptions for subsystems that you want to use the new display. To change
the subsystem description:
a. Use the Change Subsystem Description (CHGSBSD) command.
b. Specify the new display file on the SGNDSPF parameter.
c. Use a test version of a subsystem to verify that the display is valid before
attempting to change the controlling subsystem.
6. Test the change.
7. Change the other subsystem descriptions.
Notes:
1. The buffer length for the display file must be 318. If it is less than 318, the
subsystem uses the default sign-on display, QDSIGNON in library QSYS when
system value QPWDLVL is 0 or 1 and QDSIGNON2 in library QSYS when
QPWDLVL is 2 or 3.
2. The copyright line cannot be deleted.
Subsystem Descriptions
Subsystem descriptions control:
How jobs enter your system
How jobs are started
Performance characteristics of jobs
Only a few users should be authorized to change subsystem descriptions, and
changes should be carefully monitored.
Controlling How Jobs Enter the System

Several subsystem descriptions are shipped with your system. After you have
changed your security level (QSECURITY system value) to level 20 or higher,
signing on without entering a user ID and password is not allowed with the
subsystems shipped by IBM.
191
However, defining a subsystem description and job description combination that

allows default sign-on (no user ID and password) is possible and represents a
security exposure. When the system routes an interactive job, it looks at the
workstation entry in the subsystem description for a job description. If the job
description specifies USER(*RQD), the user must enter a valid user ID (and
password) on the Sign On display. If the job description specifies a user profile in
the User field, anyone can press the Enter key to sign on as that user.
At security levels 30 and higher, the system logs an entry (type AF, sub-type S) in
the audit journal, if default sign-on is attempted and the auditing function is
active. At security level 40 and higher, the system does not permit default sign-on,
even if a combination of workstation entry and job description exists that would
allow it. See Signing On without a User ID and Password on page 16 for more
information.
Make sure all workstation entries for interactive subsystems refer to job
descriptions with USER(*RQD). Control the authority to change job descriptions
and monitor any changes that are made to job descriptions. If the auditing function
is active, the system writes a JD type journal entry every time the USER parameter
in a job description is changed.
Communications entries in a subsystem description control how communications
jobs enter your system. A communications entry points to a default user profile,
which allows a job to be started without a user ID and password. This represents a
potential security exposure. Evaluate the communications entries on your system
and use network attributes to control how communications jobs enter your system.
Network Attributes on page 200 discusses the network attributes that are
important for security.
Job Descriptions
A job description is a valuable tool for security and work management. You can
also set up a job description for a group of users who need the same initial library
list, output queue, and job queue. You can set up a job description for a group of
batch jobs that have similar requirements.
A job description also represents a potential security exposure. In some cases, a job
description that specifies a profile name for the USER parameter can allow a job to
enter the system without appropriate security checking. Controlling How Jobs
Enter the System on page 191 discusses how this can be prevented for interactive
and communications jobs.
When a batch job is submitted, the job might run using a different profile other
than the user who submitted the job. The profile can be specified on the SBMJOB
command, or it can come from the USER parameter of the job description. If your
system is at security level (QSECURITY system value) 30 or lower, the user
submitting a job needs authority to the job description but not to the user profile
specified on the job description. This represents a security exposure. At security
level 40 and higher, the submitter needs authority to both the job description and
the user profile.
For example:
v USERA is not authorized to file PAYROLL.
v USERB has *USE authority to the PAYROLL file and to program PRLIST, which
lists the PAYROLL file.
192
v Job description PRJOBD specifies USER(USERB). Public authority for PRJOBD is

*USE.
At security level 30 or lower, USERA can list the payroll file by submitting a batch
job:
SBMJOB RQSDTA("Call PRLIST") JOBD(PRJOBD) +
USER(*JOBD)
You can prevent this by using security level 40 and higher or by controlling the
authority to job descriptions that specify a user profile.
|
|
|
|
Sometimes, a specific user profile name in a job description is required for certain
types of batch work to function properly. For example, the QBATCH job
description is shipped with USER(QPGMR). This job description is shipped with
the public authority of *EXCLUDE.
|
|
|
|
|
|
If your system is at security level 30 or lower, any user on the system who has
authority to the Submit Job (SBMJOB) command or the start reader commands,
and has *USE authority to the QBATCH job description, can submit work under
the programmer (QPGMR) user profile, whether or not the user has authority to
the QPGMR profile. At security level 40 and higher, *USE authority to the QPGMR
profile is also required.
System Operator Message Queue

The iSeries Operational Assistant (ASSIST) menu provides an option to manage
your system, users, and devices. The Manage Your System, Users, and Devices
menu provides an option to work with system operator messages. You may want
to prevent users from responding to messages in the QSYSOPR (system operator)
message queue. Incorrect responses to system operator messages can cause
problems on your system.
Responding to messages requires *USE and *ADD authorities to the message
queue. Removing messages requires *USE and *DLT authorities. (See 392.) Give the
authority to respond to and remove messages in QSYSOPR only to users with
system operator responsibility. Public authority to QSYSOPR should be *OBJOPR
and *ADD, which allows adding new messages to QSYSOPR.
Attention: All jobs need the ability to add new messages to the QSYSOPR message
queue. Do not make the public authority to QSYSOPR *EXCLUDE.
Library Lists
The library list for a job indicates which libraries are to be searched and the order
in which they are to be searched. When a program specifies an object, the object
can be specified with a qualified name, which includes both the object name and
the library name. Or, the library for the object can be specified as *LIBL (library
list). The libraries on the library list are searched, in order, until the object is found.
Table 108 on page 194 summarizes the parts of the library list and how they are
built during a job. The sections that follow discuss the risks and protection
measures for library lists.
193
Table 108. Parts of the Library List. The library list is searched in this sequence:
Part
How It Is Built
System Portion 15 Initially built using the QSYSLIBL system value. Can be changed during
entries
a job with the CHGSYSLIBL command.
Product Library
Portion 2 entries
Initially blank. A library is added to the product library portion of the

library list when a command or menu runs that was created with a
library in the PRDLIB parameter. The library remains in the product
library portion of the library list until the command or menu ends.
Current Library 1 Specified in the user profile or on the Sign On display. Can be changed
entry
when a command or menu runs that specifies a library for the CURLIB
parameter. Can be changed during the job with the CHGCURLIB
command.
User Portion 250
entries
Initially built using the initial library list from the users job description.
If the job description specifies *SYSVAL, the QUSRLIBL system value is
used. During a job, the user portion of the library list can be changed
with the ADDLIBLE, RMVLIBLE, CHGLIBL, and EDTLIBL commands.
Security Risks of Library Lists

Library lists represent a potential security exposure. If a user is able to change the
sequence of libraries on the library list, or add additional libraries to the list, the
user may be able to perform functions that break your security requirements.
Library Security and Library Lists on page 123 provides some general
information about the issues associated with library lists. This topic gives more
specific examples of the possible exposures and how to avoid them.
Following are two examples of how changes to a library list might break security
requirements:
Change in Function
Figure 31 shows an application library. Program A calls Program B, which is
expected to be in LIBA. Program B performs updates to File A. Program B is called
without a qualified name, so the library list is searched until Program B is found.
Figure 31. Library ListExpected Environment
A programmer or another knowledgeable user could place another Program B in

the library LIBB. The substitute program might perform different functions, such as
making a copy of confidential information or updating files incorrectly. If LIBB is
placed ahead of LIBA in the library list, the substitute Program B is run instead of
the original Program B, because the program is called without a qualified name:
194
Figure 32. Library ListActual Environment
Unauthorized Access to Information

Assume Program A in Figure 31 on page 194 adopts the authority of USER1, who
has *ALL authority to File A. Assume Program B is called by Program A (adopted
authority remains in effect). A knowledgeable user could create a substitute
Program B which simply calls the command processor. The user would have a
command line and complete access to File A.
Recommendations for System Portion of Library List

The system portion of the library list is intended for IBM-supplied libraries.
Application libraries that are carefully controlled can also be placed in the system
portion of the library list. The system portion of the library list represents the
greatest security exposure, because the libraries in this part of the list are searched
first.
Only a user with *ALLOBJ and *SECADM special authority can change the
QSYSLIBL system value. Control and monitor any changes to the system portion of
the library list. Follow these guidelines when adding libraries:
v Only libraries that are specifically controlled should be placed on this list.
v The public should not have *ADD authority to these libraries.
v A few IBM-supplied libraries, such as QGPL are shipped with public authority
*ADD for production reasons. Regularly monitor what objects (particularly
programs, source files, and commands) are added to these libraries.
The CHGSYSLIBL command is shipped with public authority *EXCLUDE. Only
users with *ALLOBJ authority are authorized to the command, unless you grant
authority to other users. If the system library list needs to be changed temporarily
during a job, you can use the technique described in the topic Changing the
System Library List on page 216.
Recommendations for Product Library

The product library portion of the library list is searched before the user portion. A
knowledgeable user could create a command or menu that inserts a product
library into the library list. For example, this statement creates CMDX, which runs
program PGMA:
CRTCMD CMDX PGM(PGMA) PRDLIB(LIBB)
195
As long as CMDX is running, LIBB is in the product portion of the library list.
Use these measures to protect the product portion of the library list:
v Control authority to the Create Command (CRTCMD), Change Command
(CHGCMD), Create Menu (CRTMNU), and Change Menu (CHGMNU)
commands.
v When you create commands and menus, specify PRDLIB(*NONE), which
removes any entries currently in the product portion of the library list. This
protects you from having unknown libraries searched ahead of the library you
expect when your command or menu runs.
Note: The default when you create a command or menu is PRDLIB(*NOCHG).
*NOCHG means that when the command or menu is run, the product
library portion of the library list is not changed.
Recommendations for the Current Library

The current library can be used by decision-support tools, such as Query/400. Any
query programs created by a user are, by default, placed in the users current
library. When you create a menu or command, you can specify a current library to
be used while the menu is active.
The current library provides an easy method for the user and the programmer to
create new objects, such as query programs, without worrying about where they
should be located. However, the current library poses a security risk, because it is
searched before the user portion of the library list. You can take several precautions
to protect the security of your system while still making use of the current library
capability:
v Specify *YES for the Limit capabilities field in the user profile. This prevents a
user from changing the current library on the Sign On display or using the
CHGPRF command.
v Restrict authority to the Change Current Library (CHGCURLIB), Create Menu
(CRTMNU), Change Menu (CHGMNU), Create Command (CRTCMD), and
Change Command (CHGCMD) commands.
v Use the technique described in Controlling the User Library List on page 215
to set the current library during application processing.
Recommendations for the User Portion of the Library List

The user portion of the library list usually changes more than the other portions
and is more difficult to control. Many application programs change the library list.
Job descriptions also affect the library list for a job.
Following are some suggested alternatives for controlling the user portion of the
library list to make sure unauthorized libraries with substitute programs and files
are not used during processing:
v Restrict users of production applications to a menu environment. Set the Limit
capabilities field in user profiles to *YES to restrict their ability to enter
commands. Planning Menus on page 217 provides an example of this
environment.
v Use qualified names (object and library) in your applications. This prevents the
system from searching the library list to find an object.
v Control the ability to change job descriptions, because the job description sets
the initial library list for a job.
196
v Use the Add Library List Entry (ADDLIBLE) command at the beginning of the
program to ensure the desired objects are at the beginning of the user portion of
the library list. At the end of the program, the library can be removed.
If the library is already on the library list, but you are not sure if it is at the
beginning of the list, you must remove the library and add it. If the sequence of
the library list is important to other applications on the system, use the next
method instead.
v Use a program that retrieves and saves the library list for a job. Replace the
library list with the list desired for the application. When the application ends,
return the library list to its original setting. See Controlling the User Library
List on page 215 for an example of this technique.
Printing
Most information that is printed on your system is stored as a spooled file on an
output queue while it is waiting to print. Unless you control the security of output
queues on your system, unauthorized users can display, print, and even copy
confidential information that is waiting to print.
One method for protecting confidential output is to create a special output queue.
Send confidential output to the output queue and control who can view and
manipulate the spooled files on the output queue.
To determine where output goes, the system looks at the printer file, job attributes,
user profile, workstation device description, and the print device (QPRTDEV)
system value in sequence. If defaults are used, the output queue associated with
the QPRTDEV printer is used. The Printer Device Programming book provides
examples of how to direct output to a particular output queue.
Securing Spooled Files

A spooled file is a special type of object on the system. You cannot directly grant
and revoke authority to view and manipulate a spooled file. The authority to a
spooled file is controlled by several parameters on the output queue that holds the
spooled file.
When you create a spooled file, you are the owner of that file. You can always
view and manipulate any spooled files you own, regardless of how the authority
for the output queue is defined. You must have *READ authority to add new
entries to an output queue. If your authority to an output queue is removed, you
can still access any entries you own on that queue using the Work with Spooled
Files (WRKSPLF) command.
The security parameters for an output queue are specified using the Create Output
Queue (CRTOUTQ) command or the Change Output Queue (CHGOUTQ)
command. You can display the security parameters for an output queue using the
Work with Output Queue Description (WRKOUTQD) command.
Attention: A user with *SPLCTL special authority can perform all functions on all
entries, regardless of how the output queue is defined. Some parameters on the
output queue allow a user with *JOBCTL special authority to view the contents of
entries on the output queue.
197
Display Data (DSPDTA) Parameter of Output Queue

The DSPDTA parameter is designed to protect the contents of a spooled file. It
determines what authority is required to perform the following functions on
spooled files owned by other users:
v
v
v
v
View the contents of a spooled file (DSPSPLF command)

Copy a spooled file (CPYSPLF command)
Send a spooled file (SNDNETSPLF command)
Move a spooled file to another output queue (CHGSPLFA command)
Possible Values for DSPDTA

*NO
A user cannot display, send, or copy spooled files owned by

other users, unless the user has one of the following:
v *JOBCTL special authority if the OPRCTL parameter is *YES.
v *CHANGE authority to the output queue if the *AUTCHK
parameter is *DTAAUT.
*YES
*OWNER
v Ownership of the output queue if the *AUTCHK parameter

is *OWNER.
Any user with *READ authority to the output queue can
display, copy, or send the data of spooled files owned by
others.
Only the owner of a spooled file or a user with *SPLCTL (spool
control) can display, copy, send, or move the file. If the
OPRCTL value is *YES, users with *JOBCTL special authority
can hold, change, delete, and release spooled files on the
output queue, but they cannot display, copy, send, or move the
spooled files. This is intended to allow operators to manage
entries on an output queue without being able to view the
contents.
Authority to Check (AUTCHK) Parameter of Output Queue

The AUTCHK parameter determines whether *CHANGE authority to the output
queue allows a user to change and delete spooled files owned by other users.
Possible Values for AUTCHK
*OWNER
Only the user who owns the output queue can change or delete
spooled files owned by others.
*DTAAUT
Specifies that any user with *READ, *ADD, and *DLT authority
to the output queue can change or delete spooled files owned
by others.
Operator Control (OPRCTL) Parameter of Output Queue

The OPRCTL parameter determines whether a user with *JOBCTL special authority
can control the output queue.
Possible Values for OPRCTL
198
*YES
A user with *JOBCTL special authority can perform all

functions on the spooled files, unless the DSPDTA value is
*OWNER. If the DSPDTA value is *OWNER, *JOBCTL special
authority does not allow the user to display, copy, send, or
move spooled files.
*NO
*JOBCTL special authority does not give the user any authority
to perform operations on the output queue. Normal authority
rules apply to the user.
Output Queue and Parameter Authorities Required for Printing

Table 109 shows what combination of output queue parameters and authority to
the output queue is required to perform print management functions on the
system. For some functions, more than one combination is listed. The owner of a
spooled file can always perform all functions on that file. For more information see
Writer Commands on page 440.
The authority and output queue parameters for all commands associated with
spooled files are listed on Spooled File Commands on page 427. Output queue
commands are listed on Output Queue Commands on page 404.
Attention: A user with *SPLCTL (spool control) special authority is not subject to
any authority restrictions associated with output queues. *SPLCTL special
authority allows the user to perform all operations on all output queues. Carefully
evaluate giving *SPLCTL special authority to any user.
Table 109. Authority Required to Perform Printing Functions
Output Queue Parameters
Printing Function
Add spooled files to queue
DSPDTA
AUTCHK
OPRCTL
Output
Queue
Authority
*READ
*YES
View list of spooled files
(WRKOUTQ command 2)
Display, copy, or send spooled files
(DSPSPLF, CPYSPLF, SNDNETSPLF, SNDTCPSP2)
*READ
*YES
*YES
*NO
*NO
*YES
*NO
*OWNER
Change, delete, hold, and release spooled file
(CHGSPLFA, DLTSPLF, HLDSPLF, RLSSPLF 2)
*READ
*READ,
*ADD,
*DLT
Owner 3
*DTAAUT
*OWNER
*YES
*YES
*DTAAUT
*READ,
*ADD,
*DLT
Owner 3
*OWNER
*YES
Change, clear, hold, and release output queue
(CHGOUTQ, CLROUTQ, HLDOUTQ, RLSOUTQ 2)
*DTAAUT
*READ,
*ADD,
*DLT
Owner 3
*OWNER
*YES
Start a writer for the queue
(STRPRTWTR, STRRMTWTR 2)
*DTAAUT
*CHANGE
*YES
Special
Authority
None
*JOBCTL
None
*JOBCTL
None
None
None
*JOBCTL
*JOBCTL
None
None
*JOBCTL
None
None
*JOBCTL
None
*JOBCTL
This is the authority required to direct your output to an output queue.
Using these commands or equivalent options from a display.
You must be the owner of the output queue.
Also requires *USE authority to the printer device description.
*CHGOUTQ requires *OBJMGT authority to the output queue, in addition to *READ, *ADD, and *DLT
authorities.
199
Examples: Output Queue

Following are several examples of setting security parameters for output queues to
meet different requirements:
v Create a general-purpose output queue. All users are allowed to display all
spooled files. The system operators are allowed to manage the queue and
change spooled files:
CRTOUTQ OUTQ(QGPL/GPOUTQ) DSPDTA(*YES) +
OPRCTL(*YES) AUTCHK(*OWNER) AUT(*USE)
v Create an output queue for an application. Only members of the group profile
GRPA are allowed to use the output queue. All authorized users of the output
queue are allowed to display all spooled files. System operators are not allowed
to work with the output queue:
CRTOUTQ OUTQ(ARLIB/AROUTQ) DSPDTA(*YES) +
OPRCTL(*NO) AUTCHK(*OWNER) AUT(*EXCLUDE)
GRTOBJAUT OBJ(ARLIB/AROUTQ) OBJTYP(*OUTQ) +
USER(GRPA) AUT(*CHANGE)
v Create a confidential output queue for the security officers to use when printing
information about user profiles and authorities. The output queue is created and
owned by the QSECOFR profile.
CRTOUTQ OUTQ(QGPL/SECOUTQ) DSPDTA(*OWNER) +
AUTCHK(*DTAAUT) OPRCTL(*NO) +
AUT(*EXCLUDE)
Even if the security officers on a system have *ALLOBJ special authority, they
are not able to access spooled files owned by others on the SECOUTQ output
queue.
v Create an output queue that is shared by users printing confidential files and
documents. Users can work with only their own spooled files. System operators
can work with the spooled files, but they cannot display the contents of the files.
CRTOUTQ OUTQ(QGPL/CFOUTQ) DSPDTA(*OWNER) +
AUTCHK(*OWNER) OPRCTL(*YES) AUT(*USE)
Network Attributes
Network attributes control how your system communicates with other systems.
Some network attributes control how remote requests to process jobs and access
information are handled. These network attributes directly affect security on your
system and are discussed in the topics that follow:
Job action (JOBACN)
Client request access (PCSACC)
DDM request access (DDMACC)
Possible values for each network attribute are shown. The default value is
underlined. To set the value of a network attribute, use the Change Network
Attribute (CHGNETA) command.
Job Action (JOBACN) Network Attribute

The JOBACN network attribute determines how the system processes incoming
requests to run jobs.
200
Possible Values for JOBACN:

*REJECT
*FILE
*SEARCH
The input stream is rejected. A message stating the input

stream was rejected is sent to both the sender and the intended
receiver.
The input stream is filed on the queue of network files for the
receiving user. This user can display, cancel, or receive the
input stream into a database file or submit it to a job queue. A
message stating that the input stream was filed is sent to both
the sender and the receiver.
The network job table controls the actions by using the values
in the table.
Recommendations
If you do not expect to receive remote job requests on your system, set the
JOBACN network attribute to *REJECT.
For more information about the JOBACN attribute, refer to the SNA Distribution
Services book.
Client Request Access (PCSACC) Network Attribute

The PCSACC network attribute determines how the iSeries Access for Windows
licensed program processes requests from attached personal computers to access
objects. The PCSACC network attribute controls whether personal computer jobs
can access objects on the iSeries system, not whether the personal computer can
use workstation emulation.
Note: PCSACC network attribute controls only the DOS and OS/2 clients. This
attribute has no effect on any other Client Access clients.
Possible Values for PCSACC:
*REJECT
*OBJAUT
*REGFAC
qualified- program- name
iSeries Access rejects every request from the personal computer

to access objects on the iSeries system. An error message is sent
to the PC application.
The iSeries Access programs on the system verify normal object
authorities for any object requested by a PC program. For
example, if file transfer is requested, authority to copy data
from the database file is checked.
The system uses the systems registration facility to determine
which exit program (if any) to run. If no exit program is
defined for an exit point and this value is specified, *OBJAUT
is used.
The iSeries Access program calls this user-written exit program
to determine if the PC request should be rejected. The exit
program is called only if normal authority checking for the
object is successful. The iSeries Access program passes
information about the user and the requested function to the
exit program. The program returns a code indicating whether
the request should be allowed or rejected. If the return code
indicates the request should be rejected or if an error occurs, an
error message is sent to the personal computer.
Risks and Recommendations

Normal security measures on your system may not be sufficient protections if the
iSeries Access program is installed on your system. For example, if a user has *USE
authority to a file and the PCSACC network attribute is *OBJAUT, the user can use
201
the iSeries Access program and a program on the personal computer to transfer
that entire file to the personal computer. The user can then copy the data to a PC
diskette or tape and remove it from the premises.
Several methods are available to prevent an iSeries workstation user with *USE
authority to a file from copying the file:
v
v
v
v
Setting LMTCPB(*YES) in the user profile.

Restricting authority to commands that copy files.
Restricting authority to commands used by iSeries Access.
Not giving the user *ADD authority to any library. *ADD authority is required
to create a new file in a library.
v Not giving the user access to any *SAVRST device.
None of these methods work for the PC user of the iSeries Access licensed
program. Using an exit program to verify all requests is the only adequate
protection measure.
The iSeries Access program passes information for the following types of access to
the user exit program called by the PCSACC network attribute:
File transfer
Virtual print
Message
Shared folder
For additional information on Client Access, refer to the Information Center (see
Prerequisite and related information on page xvi for details).
DDM Request Access (DDMACC) Network Attribute

The DDMACC network attribute determines how the system processes requests
from other systems to access data using the distributed data management (DDM)
or the distributed relational database function.
Possible Values for
DDMACC:
*REJECT
*OBJAUT
qualified- program- name
The system does not allow any DDM or DRDA requests from
remote systems. *REJECT does not prevent this system from
functioning as the requester system and sending requests to
other server systems.
Remote requests are controlled by the object authority on the
system.
This user-written exit program is called after normal object
authority has been verified. The exit program is called only for
DDM files, not for distributed relational database functions.
The exit program is passed a parameter list, built by the remote
system, that identifies the local system user and the request.
The program evaluates the request and sends a return code,
granting or denying the requested access.
For more information about the DDMACC network attribute and the security
issues associated with DDM, see the Information Center (see Prerequisite and
related information on page xvi for details).
202
Save and Restore Operations

The ability to save objects from your system or restore objects to your system
represents an exposure to your organization.
For example, programmers often have *OBJEXIST authority to programs because
this authority is required to recompile a program (and delete the old copy).
*OBJEXIST authority is also required to save an object. Therefore, the typical
programmer can make a tape copy of your programs, which may represent a
substantial financial investment.
A user with *OBJEXIST authority to an object can also restore a new copy of an
object over an existing object. In the case of a program, the restored program might
have been created on a different system. It might perform different functions. For
example, assume the original program worked with confidential data. The new
version might perform the same functions, but it might also write a copy of
confidential information to a secret file in the programmers own library. The
programmer does not need authority to the confidential data because the regular
users of the program will be accessing the data.
Restricting Save and Restore Operations

You can control the ability to save and restore objects in several ways:
v Restrict physical access to save and restore devices, such as tape units, optical
units, and diskette units.
v Restrict authority to the device descriptions objects for the save and restore
devices. To save an object to a tape unit, you must have *USE authority to the
device description for the tape unit.
v Restrict the save and restore commands. This allows you to control what is
saved from your system and restored to your system through all interfaces including save files. See Example: Restricting Save and Restore Commands for
an example of how to do this. The system sets the restore commands to
PUBLIC(*EXCLUDE) when you install your system.
v Only give *SAVSYS special authority to trusted users.
Example: Restricting Save and Restore Commands

Following is an example of the steps that you can use to restrict the save and
restore commands on your system:
1. To create an authorization list that you can use to give authority to the
commands to system operators, type the following:
CRTAUTL AUTL(SRLIST) TEXT(Save and Restore List)
AUT(*EXCLUDE)
2. To use the authorization list to secure the save commands, type the following:
GRTOBJAUT OBJ(SAV*) OBJTYPE(*CMD) AUTL(SRLIST)
3. To ensure *PUBLIC authority comes from the authorization list, type the
following:
GRTOBJAUT OBJ(SAV*) OBJTYPE(*CMD) USER(*PUBLIC)
AUT(*AUTL)
4. To use the authorization list to secure the restore commands, type the
following:
GRTOBJAUT OBJ(RST*) OBJTYPE(*CMD) AUTL(SRLIST)
5. To ensure *PUBLIC authority comes from the authorization list, type the
following:
203
GRTOBJAUT OBJ(RST*) OBJTYPE(*CMD) USER(*PUBLIC)

AUT(*AUTL)
6. Although system operators who are responsible for saving the system have
*SAVSYS special authority, they must now be given explicit authority to the
SAVxxx commands. You do this by adding the system operators to the
authorization list:
ADDAUTLE AUTL(SRLIST) USER(USERA USERB) AUT(*USE)
Note: You may want your system operators to have authority only to the save
commands. In that case, secure the save commands and the restore
commands with two separate authorization lists.
7. To restrict the save and restore APIs and secure it with the authorization list,
type the following commands:
GRTOBJAUT OBJ(QSRSAVO) OBJTYPE(*PGM) AUTL(SRLIST)
GRTOBJAUT OBJ(QSRSAVO) OBJTYPE(*PGM) USER(*PUBLIC)
AUT(*AUTL)
GRTOBJAUT OBJ(QSRLIB01) OBJTYPE(*SRVPGM) AUTL(SRLIST)
GRTOBJAUT OBJ(QSRLIB01) OBJTYPE(*SRVPGM) USER(*PUBLIC)
AUT(*AUTL)
Performance Tuning
Monitoring and tuning performance is not the responsibility of a security officer.
However, the security officer should ensure that users are not altering the
performance characteristics of the system to speed up their own jobs at the
expense of others.
Several work management objects affect the performance of jobs in the system:
v The class sets the run priority and time slice for a job.
v The routing entry in the subsystem description determines the class and the
storage pool the job uses.
v The job description can determine the output queue, output priority, job queue,
and job priority.
Knowledgeable users with appropriate authority can create their own environment
on the system and give themselves better performance than other users. Control
this by limiting the authority to create and change work management objects. Set
the public authority to work management commands to *EXCLUDE and grant
authority to a few trusted users.
Performance characteristics of the system can also be changed interactively. For
example, the Work with System Status (WRKSYSSTS) display can be used to
change the size of storage pools and the activity levels. Also, a user with *JOBCTL
(job control) special authority can change the scheduling priority of any job on the
system, subject to the priority limit (PTYLMT) in the users profile. Assign
*JOBCTL special authority and PTYLMT in user profiles carefully.
To allow users to view performance information using the WRKSYSSTS command
but not change it, do the following:
GRTOBJAUT OBJ(CHGSHRPOOL) OBJTYPE(*CMD) +
USER(*PUBLIC)
AUT(*EXCLUDE)
Authorize users responsible for system tuning to change performance

characteristics:
204
GRTOBJAUT OBJ(CHGSHRPOOL) OBJTYPE(*CMD) +

USER(USRTUNE)
AUT(*USE)
Restricting Jobs to Batch

You can create or change commands to restrict certain jobs to be run only in a
batch environment. For example, you may want to run certain reports or program
compiles in batch. A job running in batch usually affects system performance less
than the same job running interactively.
For example, to restrict the command that runs program RPTA to batch, do the
following:
v Create a command to run RPTA and specify that the command can be run only
in batch:
CRTCMD CMD(RPTA) PGM(RPTA) ALLOW(*BATCH *BPGM)
To restrict compiles to batch, do the following for the create command for each
program type:
CHGCMD CMD(CRTxxxPGM) ALLOW(*BATCH *BPGM)
205
206
Chapter 7. Designing Security

Protecting information is an important part of most applications. Security should
be considered, along with other requirements, at the time the application is
designed. For example, when deciding how to organize application information
into libraries, try to balance security requirements with other considerations, such
as application performance and backup and recovery.
This chapter contains guidelines to help application developers and systems
managers include security as part of the overall design. It also contains examples
of techniques you can use to accomplish security objectives on your system. Some
of the examples in this chapter contain sample programs. These programs are
included for illustrative purposes only. Many of them will not compile or run
successfully as is, nor do they include message handling and error recovery.
The Basic System Security and Planning topic in the Information Center is
intended for the security administrator. It contains forms, examples, and guidelines
for planning security for applications that have already been developed. If you
have responsibility for designing an application, you may find it useful to review
the forms and examples in the Information Center (see Prerequisite and related
information on page xvi for details). They can help you view your application
from the perspective of a security administrator and understand what information
you need to provide.
The Basic System Security and Planning topic in the Information Center also uses a
set of example applications for a fictional company called the JKL Toy Company.
This chapter discusses design considerations for the same set of example
applications. Figure 33 on page 208 shows the relationships between user groups,
applications, and libraries for the JKL Toy Company:
207
Figure 33. Example Applications
Description of graphic
|
|
|
|
|
|
|
|
This graphic shows how how five sets of user groups access applications and
libraries on the system at JKL Toy Company. The user groups include Warehouse,
Manufacturing, Sales and Marketing, Order Processing, and Accounting. The
Warehouse, Manufacturing and Sales and Marketing user groups all can access the
Inventory Control applications. The Sales and Marketing user group also has
access to the Contracts and Pricing application and the Customer Order
application. The Order Processing user group also can access the Customer Order
application. The Accounting user group uses the Accounts Receivable application.
Overall Recommendations
The recommendations in this chapter and in the Basic System Security and
Planning topic in the Information Center rely on one important principle:
simplicity. Keeping your security design as simple as possible makes it easier to
manage and audit security. It also improves application performance and backup
performance.
Following is a list of general recommendations for security design:
v Use resource security along with the methods available, such as limited
capabilities in the user profile and restricting users to a set of menus, to protect
information.
208
v
v
Attention: It is not sufficient to use only limited capabilities in the user profile
and menu access control to secure your system if you use a product
such as Client Access/400 or have communication lines attached to
your system. You must use resource security to secure those objects
you do not want accessible through these interfaces.
Secure only those objects that really require security. Analyze a library to
determine which objects, such as data files, are confidential and secure those
objects. Use public authority for other objects, such as data areas and message
queues.
Move from the general to the specific:
Plan security for libraries. Deal with individual objects only when necessary.
Plan public authority first, followed by group authority and individual
authority.
Make the public authority for new objects in a library (CRTAUT parameter) the
same as the public authority for the majority of existing objects in the library.
To make auditing easier and improve authority-checking performance, avoid
defining private authority that is less than the public authority for an object.
v Use authorization lists to group objects with the same security requirements.
Authorization lists are simpler to manage than individual authorities and help to
recover security information.
Planning Password Level Changes

Changing password levels should be planned carefully. Operations with other
systems may fail or users may not be able to sign on to the system if you havent
planned for the password level change adequately. Prior to changing the
QPWDLVL system value, make sure you have saved your security data using the
SAVSECDTA or SAVSYS command. If you have a current backup, you will be able
to reset the passwords for all users profiles if you need to return to a lower
password level.
Products that you use on the system, and on clients with which the system
interfaces, may have problems when the password level (QPWDLVL) system value
is set to 2 or 3. Any product or client that sends passwords to the system in an
encrypted form, rather than in the clear text a user enters on a sign-on screen,
must be upgraded to work with the new password encryption rules for QPWDLVL
2 or 3. Sending the encrypted password is known as password substitution.
Password substitution is used to prevent a password from being captured during
transmission over a network. Password substitutes generated by older clients that
do not support the new algorithm for QPWDLVL 2 or 3, even if the specific
characters typed in are correct, will not be accepted. This also applies to any iSeries
to iSeries peer access which utilizes the encrypted values to authenticate from one
system to another.
The problem is compounded by the fact that some affected products (i.e. Java
Toolbox) are provided as middleware. A third party product that incorporates a
prior version of one of these products will not work correctly until rebuilt using an
updated version of the middleware.
Given this and other scenarios, it is easy to see why careful planning is necessary
before changing the QPWDLVL system value.
209
Considerations for changing QPWDLVL from 0 to 1

Password level 1 allows a system, which does not have a need to communicate
with the Windows 95/98/ME iSeries Client Support for Windows Network
Neighborhood (NetServer) product, to have the NetServer passwords eliminated
from the system. Eliminating unnecessary encrypted passwords from the system
increases the overall security of the system.
At QPWDLVL 1, all current, pre-V5R1 password substitution and password
authentication mechanisms will continue to work. There is very little potential for
breakage except for functions/services that require the NetServer password.
The functions/services that require the NetServer password include:
v iSeries Support for Windows Network Neighborhood, Windows 95/98/ME
edition, (NetServer)
Considerations for changing QPWDLVL from 0 or 1 to 2

Password level 2 introduces the use of case sensitive passwords up to 128
characters in length (also called passphrases) and provides the maximum ability to
revert back to QPWDLVL 0 or 1.
Regardless of the password level of the system, password level 2 and 3 passwords
are created whenever a password is changed or a user signs on to the system.
Having a level 2 and 3 password created while the system is still at password level
0 or 1 helps prepare for the change to password level 2 or 3.
Prior to changing QPWDLVL to 2, the system administrator should use the
DSPAUTUSR or PRTUSRPRF TYPE(*PWDINFO) commands to locate all user
profiles which do not have a password that is usable at password level 2.
Depending on the profiles located, the administrator may wish to use one of the
following mechanisms to have a password level 2 and 3 password added to the
profiles.
v Change the password for the user profile using the CHGUSRPRF or CHGPWD
CL command or the QSYCHGPW API. This will cause the system to change the
password that is usable at password levels 0 and 1; and the system also creates
two equivalent case sensitive passwords that are usable at password levels 2 and
3. An all uppercase and all lowercase version of the password is created for use
at password level 2 or 3.
For example, changing the password to C4D2RB4Y results in the system
generating C4D2RB4Y and c4d2rb4y password level 2 passwords.
v Sign on to the system through a mechanism that presents the password in clear
text (does not use password substitution). If the password is valid and the user
profile does not have a password that is usable at password levels 2 and 3, the
system creates two equivalent case sensitive passwords that are usable at
password levels 2 and 3. An all uppercase and all lowercase version of the
password is created for use at password level 2 or 3.
The absence of a password that is usable at password level 2 or 3 can be a problem
whenever the user profile also does not have a password that is usable at
password levels 0 and 1 or when the user tries to sign on through a product that
uses password substitution. In these cases, the user will not be able to sign on
when the password level is changed to 2.
If a user profile does not have a password that is usable at password levels 2 and
3, the user profile does have a password that is usable at password levels 0 and 1,
210
and the user signs on through a product that sends clear text passwords, then the
system validates the user against the password level 0 password and creates two
password level 2 passwords (as described above) for the user profile. Subsequent
sign ons will be validated against the password level 2 passwords.
Any client/service which uses password substitution will not work correctly at
QPWDLVL 2 if the client/service hasnt been updated to use the new password
(passphrase) substitution scheme. The administrator should check whether a
client/service which hasnt been updated to the new password substitution scheme
is required.
The clients/services that use password substitution include:
v TELNET
v iSeries Access
v iSeries Host Servers
v QFileSrv.400
v iSeries NetServer Print support
v DDM
v DRDA
v SNA LU6.2
It is highly recommended that the security data be saved prior to changing to
QPWDLVL 2. This can help make the transition back to QPWDLVL 0 or 1 easier if
that becomes necessary.
It is recommended that the other password system values, such as QPWDMINLEN
and QPWDMAXLEN not be changed until after some testing at QPWDLVL 2 has
occurred. This will make it easier to transition back to QPWDLVL 1 or 0 if
necessary. However, the QPWDVLDPGM system value must specify either
*REGFAC or *NONE before the system will allow QPWDLVL to be changed to 2.
Therefore, if you use a password validation program, you may wish to write a new
one that can be registered for the QIBM_QSY_VLD_PASSWRD exit point by using
the ADDEXITPGM command.
NetServer passwords are still supported at QPWDLVL 2, so any function/service
that requires a NetServer password should still function correctly.
Once the administrator is comfortable with running the system at QPWDLVL 2,
they can begin to change the password system values to exploit longer passwords.
However, the administrator needs to be aware that longer passwords will have
these effects:
v If passwords greater than 10 characters are specified, the password level 0 and 1
password is cleared. This user profile would not be able to signon if the system
is returned to password level 0 or 1.
v If passwords contain special characters or do not follow the composition rules
for simple object names (excluding case sensitivity), the password level 0 and 1
password is cleared.
v If passwords greater than 14 characters are specified, the NetServer password for
the user profile is cleared.
v The password system values only apply to the new password level 2 value and
do not apply to the system generated password level 0 and 1 password or
NetServer password values (if generated).
211
Considerations for changing QPWDLVL from 2 to 3

After running the system at QPWDLVL 2 for some period of time, the
administrator can consider moving to QPWDLVL 3 to maximize his password
security protection.
At QPWDLVL 3, all NetServer passwords are cleared so a system should not be
moved to QPWDLVL 3 until there is no need to use NetServer passwords.
At QPWDLVL 3, all password level 0 and 1 passwords are cleared. The
administrator can use the DSPAUTUSR or PRTUSRPRF commands to locate user
profiles which dont have password level 2 or 3 passwords associated with them.
Changing to a lower password level

Returning to a lower QPWDLVL value, while possible, is not expected to be a
completely painless operation. In general, the mind set should be that this is a
one-way trip from lower QPWDLVL values to higher QPWDLVL values. However,
there may be cases where a lower QPWDLVL value must be reinstated.
The following sections each discuss the work required to move back to a lower
password level.
Considerations for changing from QPWDLVL 3 to 2

This change is relatively easy. Once the QPWDLVL is set to 2, the administrator
needs to determine if any user profile is required to contain NetServer passwords
or password level 0 or 1 passwords and, if so, change the password of the user
profile to an allowable value.
Additionally, the password system values may have to be changed back to values
compatible with NetServer and password level 0 or 1 passwords, if those
passwords are needed.
Considerations for changing from QPWDLVL 3 to 1 or 0

Because of the very high potential for causing problems for the system (like no one
can sign on because all of the password level 0 and 1 passwords have been
cleared), this change is not supported directly. To change from QPWDLVL 3 to
QPWDLVL 1 or 0, the system must first make the intermediary change to
QPWDLVL 2.

Prior to changing QPWDLVL to 1, the administrator should use the DSPAUTUSR
or PRTUSRPRF TYPE(*PWDINFO) commands to locate any user profiles that do
not have a password level 0 or 1 password. If the user profile will require a
password after the QPWDLVL is changed, the administrator should ensure that a
password level 0 and 1 password is created for the profile using one of the
following mechanisms:
v Change the password for the user profile using the CHGUSRPRF or CHGPWD
CL command or the QSYCHGPW API. This will cause the system to change the
password that is usable at password levels 2 and 3; and the system also creates
an equivalent uppercase password that is usable at password levels 0 and 1. The
system is only able to create the password level 0 and 1 password if the
following conditions are met:
The password is 10 characters or less in length.
The password can be converted to uppercase EBCDIC characters A-Z, 0-9, @,
#, $, and underscore.
The password does not begin with a numeric or underscore character.
212
For example, changing the password to a value of RainyDay would result in the
system generating a password level 0 and 1 password of RAINYDAY. But
changing the the password value to Rainy Days In April would cause the system
to clear the password level 0 and 1 password (because the password is too long
and it contains blanks).
No message or indication is produced if the password level 0 or 1 password
could not be created.
v Sign on to the system through a mechanism that presents the password in clear
text (does not use password substitution). If the password is valid and the user
profile does not have a password that is usable at password levels 0 and 1, the
system creates an equivalent uppercase password that is usable at password
levels 0 and 1. The system is only able to create the password level 0 and 1
password if the conditions listed above are met.
The administrator can then change QPWDLVL to 1. All NetServer passwords are
cleared when the change to QPWDLVL 1 takes effect (next IPL).

The considerations are the same as for changing from QPWDLVL 2 to 1 except that
all NetServer passwords are retained when the change takes effect.

After changing QPWDLVL to 0, the administrator should use the DSPAUTUSR or
PRTUSRPRF commands to locate any user profiles that do not have a NetServer
password. If the user profile requires a NetServer password, it can be created by
changing the users password or signing on through a mechanism that presents the
password in clear text.
The administrator can then change QPWDLVL to 0.
Planning Libraries
Many factors affect how you choose to group your application information into
libraries and manage libraries. This topic addresses some of the security issues
associated with library design.
To access an object, you need authority to the object itself and to the library
containing the object. You can restrict access to an object by restricting the object
itself, the library containing the object, or both.
A library is like a directory used to locate the objects in the library. *USE authority
to a library allows you to use the directory to find objects in the library. The
authority for the object itself determines how you can use the object. *USE
authority to a library is sufficient to perform most operations on the objects in the
library. See Library Security on page 123 for more information about the
relationship between library and object authority.
Using public authority for objects and restricting access to libraries can be a
simple, effective security technique. Putting programs in a separate library from
other application objects can also simplify security planning. This is particularly
true if files are shared by more than one application. You can use authority to the
libraries containing application programs to control who can perform application
functions.
213
Following are two examples of using library security for the JKL Toy Company
applications. (See Figure 33 on page 208 for a diagram of the applications.)
v The information in the CONTRACTS library is considered confidential. The
public authority for all the objects in the library is sufficient to perform the
functions of the Pricing and Contracts application (usually *CHANGE). The
public authority to the CONTRACTS library itself is *EXCLUDE. Only users or
groups authorized to the Contracts and Pricing application are granted *USE
authority to the library.
v The JKL Toy Company is a small company with a nonrestrictive approach to
security, except for the contract and pricing information. All system users are
allowed to view customer and inventory information, although only authorized
users can change it. The CUSTLIB and the ITEMLIB libraries, and the objects in
the libraries, have public authority of *USE. Users can view information in these
libraries through their primary application or by using Query. The program
libraries have public authority *EXCLUDE. Only users who are allowed to
change inventory information have access to the ICPGMLIB. Programs that
change inventory information adopt the authority of the application owner
(OWNIC) and thus have *ALL authority to the files in the ITEMLIB library.
Library security is effective only if these rules are followed:
v Libraries contain objects with similar security requirements.
v Users are not allowed to add new objects to restricted libraries. Changes to
programs in the libraries are controlled. That is, application libraries should have
public authority of *USE or *EXCLUDE unless users need to create objects
directly into the library.
v Library lists are controlled.
Planning Applications to Prevent Large Profiles

Because of the potential impacts to performance and security, IBM strongly
recommends the following to avoid profiles from becoming too full:
v Do not have one profile own everything on your system.
Create special user profiles to own applications. Owner profiles that are specific
to an application make it easier to recover applications and to move applications
between systems. Also, information about private authorities is spread among
several profiles, which improves performance. By using several owner profiles,
you can prevent a profile from becoming too large because of too many objects.
Owner profiles also allow you to adopt the authority of the owner profile rather
than a more powerful profile that provides unnecessary authority.
v Avoid having applications owned by IBM-supplied user profiles, such as
QSECOFR or QPGMR.
These profiles own a large number of IBM-supplied objects and can become
difficult to manage. Having applications owned by IBM-supplied user profiles
can also cause security problems when moving applications from one system to
another. Applications owned by IBM-supplied user profiles can also impact
performance for commands, such as, CHKOBJITG and WRKOBJOWN.
v Use authorization lists to secure objects.
If you are granting private authorities to many objects for several users, you
should consider using an authorization list to secure the objects. Authorization
lists will cause one private authority entry for the authorization list in the users
profile rather than one private authority entry for each object. In the object
owners profile, authorization lists cause an authorized object entry for every
214
user granted authority to the authorization list rather than an authorized object
entry for every object multiplied by the number of users that are granted the
private authority.
Library Lists
The library list for a job provides flexibility. It also represents a security exposure.
This exposure is particularly important if you use public authority for objects and
rely on library security as your primary means of protecting information. In this
case, a user who gains access to a library has uncontrolled access to the
information in the library. The topic Library Lists on page 193 provides a
discussion of security issues associated with library lists.
To avoid the security risks of library lists, your applications can specify qualified
names. When both the object name and the library are specified, the system does
not search the library list. This prevents a potential intruder from using the library
list to circumvent security.
However, other application design requirements may prevent you from using
qualified names. If your applications rely on library lists, the technique described
in the next section can reduce the security exposure.
Controlling the User Library List

As a security precaution, you may want to make sure the user portion of the
library list has the correct entries in the expected sequence before a job runs. One
method for doing this is to use a CL program to save the users library list, replace
it with the desired list, and restore it at the end of the application. Following is a
sample program to do this:
PGM
DCL
DCL
DCL
DCL
MONMSG
&USRLIBL *CHAR LEN(2750)

&CURLIB *CHAR LEN(10)
&ERROR *LGL
&CMD *CHAR LEN(2800)
MSGID(CPF0000) +
EXEC(GOTO SETERROR)
RTVJOBA USRLIBL(&USRLIBL) +
CURLIB(&CURLIB)
IF COND(&CURLIB=(*NONE)) +
THEN(CHGVAR &CURLIB *CRTDFT )
CHGLIBL LIBL(QGPL) CURLIB(*CRTDFT)
/*********************************/
/*
*/
/*
Normal processing
*/
/*
*/
/*********************************/
GOTO
ENDPGM
SETERROR: CHGVAR
&ERROR 1
ENDPGM:
CHGVAR
&CMD +
(CHGLIBL LIBL+
( *CAT &USRLIBL *CAT) +
CURLIB( *CAT &CURLIB *TCAT ))
CALL
QCMDEXC PARM(&CMD 2800)
IF
&ERROR SNDPGMMSG MSGID(CPF9898) +
MSGF(QCPFMSG) MSGTYPE(*ESCAPE) +
MSGDTA(The xxxx error occurred)
ENDPGM
Figure 34. Program to Replace and Restore Library List
215
Notes:
1. Regardless of how the program ends (normally or abnormally), the library list
is returned to the version it held when the program was called, because error
handling includes restoring the library list.
2. Because the CHGLIBL command requires a list of library names, it cannot be
run directly. The RTVJOBA command, therefore, retrieves the libraries used to
build the CHGLIBL command as a variable. The variable is passed as a
parameter to the QCMDEXC function.
3. If you exit to an uncontrolled function (for example, a user program, a menu
that allows commands to be entered, or the Command Entry display) in the
middle of a program, your program should replace the library list on return, to
ensure adequate control.
Changing the System Library List

If your application needs to add entries to the system portion of the library list,
you can use a CL program similar to the one shown in Figure 34 on page 215, with
the following changes:
v Instead of using the RTVJOBA command, use the Retrieve System Values
(RTVSYSVAL) command to get the value of the QSYSLIBL system value.
v Use the Change System Library List (CHGSYSLIBL) command to change the
system portion of the library list to the desired value.
v At the end of your program, use the CHGSYSLIBL command again to restore
the system portion of the library list to its original value.
v The CHGSYSLIBL command is shipped with public authority *EXCLUDE. To
use this command in your program, do one of the following:
Grant the program owner *USE authority to the CHGSYSLIBL command and
use adopted authority.
Grant users running the program *USE authority to the CHGSYSLIBL
command.
Describing Library Security

As an application designer, you need to provide information about a library for the
security administrator. The security administrator uses this information to decide
how to secure the library and its objects. Typical information needed is:
v Any application functions which add objects to the library.
v Whether any objects in the library are deleted during application processing.
v What profile owns the library and its objects.
v Whether the library should be included on library lists.
Figure 35 on page 217 provides a sample format for providing this information:
216
Library name: ITEMLIB

Public authority to the library:
*EXCLUDE
Public authority to objects in the library:
*CHANGE
Public authority for new objects (CRTAUT):
*CHANGE
Library owner: OWNIC

Include on library lists? No. Library is added to library list by initial application program or initial
query program.
List any functions that require *ADD authority to the library:
No objects are added to the library during normal application processing. List any objects requiring *OBJMGT
or *OBJEXIST authority and what functions need that authority:
All work files, whose names begin with the characters ICWRK, are cleared at month-end.
*OBJMGT authority.
Figure 35. Format for Describing Library Security
This requires
Planning Menus
Menus are a good method for providing controlled access on your system. You can
use menus to restrict a user to a set of strictly controlled functions by specifying
limited capabilities and an initial menu in the user profile.
To use menus as an access control tool, follow these guidelines when designing
them:
v Do not provide a command line on menus designed for restricted users.
v Avoid having functions with different security requirements on the same menu.
For example, if some application users are allowed to only view information, not
change it, provide a menu that has only display and print options for those
users.
v Make sure the set of menus provides all the necessary links between menus so
the user does not need a command line to request one.
v Provide access to a few system functions, such as viewing printer output. The
ASSIST system menu gives this capability and can be defined in the user profile
as the Attention-key-handling program. If the user profile has a class of *USER
and has limited capabilities, the user cannot view the output or jobs of other
users.
v Provide access to decision-support tools from menus. The topic Using Adopted
Authority in Menu Design on page 218 gives an example of how to do this.
v Consider controlling access to the System Request Menu or some of the options
on this menu. See System Request Menu on page 222 for more information.
v For users who are allowed to run only a single function, avoid menus entirely
and specify an initial program in the user profile. Specify *SIGNOFF as the
initial menu.
At the JKL Toy Company, all users see an inquiry menu allowing access to most
files. For users who are not allowed to change information, this is the initial menu.
The return option on the menu signs the user off. For other users, this menu is
called by an inquiry option from application menus. By pressing F12 (Return), the
217
user returns to the calling menu. Because library security is used for program
libraries, this menu and the programs it calls are kept in the QGPL library:
INQMENU
Inquiry Menu
1.
2.
3.
4.
5.
Item Descriptions
Item Balances
Customer Information
Query
Office
Enter option ==>

F1=Help F12=Return
Figure 36. Sample Inquiry Menu
Using Adopted Authority in Menu Design

The availability of decision-support tools, such as Query/400, poses challenges for
security design. You may want users to be able to view information in files using a
query tool, but you probably want to make sure that the files are changed only by
tested application programs.
No method exists in the resource security definitions for a user to have different
authority to a file in different circumstances. However, using adopted authority
allows you to define authority to meet different requirements.
Note: Objects That Adopt the Owners Authority on page 135 describes how
adopted authority works. Flowchart 8: How Adopted Authority Is
Checked on page 169 describes how the system checks for adopted
authority.
Figure 37 shows a sample initial menu that uses adopted authority to provide
controlled access to files using query tools:
MENU1
Initial Menu
1.
2.
3.
4.
Inventory Control
Customer Orders
Query
Office
(ICSTART)
(COSTART)
(QRYSTART)
(OFCSTART)
(no command line)
Figure 37. Sample Initial Menu
The programs that start applications (ICSTART and COSTART) adopt the authority
of a profile that owns the application objects. The programs add application
libraries to the library list and display the initial application menu. Following is an
example of the Inventory Control program (ICSTART).
218
PGM
ADDLIBLE ITEMLIB
ADDLIBLE ICPGMLIB
GO ICMENU
RMVLIBLE ITEMLIB
RMVLIBLE ICPGMLIB
ENDPGM
Figure 38. Sample Initial Application Program
The program that starts Query (QRYSTART) adopts the authority of a profile
(QRYUSR) provided to allow access to files for queries. Figure 39 shows the
QRYSTART program:
PGM
ADDLIBLE
ADDLIBLE
STRQRY
RMVLIBLE
RMVLIBLE
ENDPGM
ITEMLIB
CUSTLIB
ITEMLIB
CUSTLIB
Figure 39. Sample Program for Query with Adopted Authority
The menu system uses three types of user profiles, shown in Table 110. Table 111
describes the objects used by the menu system.
Table 110. User Profiles for Menu System
Profile Type
Description
Application owner Owns all application objects and has

*ALL authority. OWNIC owns
Inventory Control application.
Application user 1 Example profile for anyone who uses
the menu system
Query Profile
Used to provide access to libraries for
query
1
Password
Limit
Special
Capabilities Authorities
Initial
Menu
*NONE
N/A
As needed by N/A
application
Yes
*YES
None
MENU1
*NONE
N/A
None
N/A
The current library specified in the application user profile is used to store any queries created. The
Attention-key-handling program is *ASSIST, giving the user access to basic system functions.
Table 111. Objects Used by Menu System

Object Name
Owner
Public
Authority
MENU1 in QGPL library
See Note
*EXCLUDE
ICSTART program in QGPL OWNIC
*EXCLUDE
QRYSTART program in
QGPL
QRYUSR
*EXCLUDE
ITEMLIB
ICPGMLIB
OWNIC
OWNIC
*EXCLUDE
*EXCLUDE
Private Authorities
Additional Information
*USE authority for any

users who are allowed to
use the menu
*USE authority for users
authorized to Inventory
Control application
*USE authority for users
authorized to create or run
queries
QRYUSR has *USE
In QGPL library because

users do not have authority
to application libraries
Created with
USRPRF(*OWNER) to
adopt OWNIC authority
Created with
USRPRF(*OWNER) to
adopt QRYUSR authority
219
Table 111. Objects Used by Menu System (continued)

Object Name
Owner
Public
Authority
Private Authorities
Additional Information
Files available for Query in OWNIC

*USE
ITEMLIB
Files not available for
OWNIC
*EXCLUDE
Query in ITEMLIB
Programs in ICPGMLIB
OWNIC
*USE
Note: A special owner profile can be created for objects used by multiple applications.
When USERA selects option 1 (Inventory Control) from MENU1, program

ICSTART runs. The program adopts the authority of OWNIC, giving *ALL
authority to the inventory control objects in ITEMLIB and the programs in
ICPGMLIB. USERA is thus authorized to make changes to the inventory control
files while using options from the ICMENU.
When USERA exits ICMENU and returns to MENU1, the ITEMLIB and ICPGMLIB
libraries are removed from the USERA library list, and program ICSTART is
removed from the program stack. USERA is no longer running under adopted
authority.
When USERA selects option 3 (Query) from MENU1, program QRYSTART runs.
The program adopts the authority of QRYUSR, giving *USE authority to the
ITEMLIB library. The public authority to the files in ITEMLIB determines which
files USERA is allowed to query.
This technique has the advantage of minimizing the number of private authorities
and providing good performance when checking authority:
v The objects in the application libraries do not have private authorities. For some
application functions, public authority is adequate. If public authority is not
adequate, owner authority is used. Case 8: Adopted Authority without Private
Authority on page 178 shows the authority checking steps.
v Access to the files for query uses public authority to the files. The QRYUSR
profile is only specifically authorized to the ITEMLIB library.
v By default, any query programs created are placed in the users current library.
The current library should be owned by the user, and the user should have
*ALL authority.
v Individual users only need to be authorized to MENU1, ICSTART, and
QRYSTART.
Consider these risks and precautions when using this technique:
v USERA has *ALL authority to all entire inventory control objects from ICMENU.
Make sure the menu does not allow access to a command line or allow
unwanted delete and update functions.
v Many decision-support tools allow access to a command line. The QRYUSR
profile should be a limited capability user without special authorities to prevent
unauthorized functions.
Ignoring Adopted Authority

Using Adopted Authority in Menu Design shows a technique for providing query
capability without allowing uncontrolled changes to application files. This
technique requires the user to return to the initial menu before running queries. If
220
you want to provide the convenience of starting query from application menus as
well as from the initial menu, you can set up the QRYSTART program to ignore
adopted authority.
Note: Programs That Ignore Adopted Authority on page 139 provides more
information about ignoring adopted authority. Flowchart 8: How Adopted
Authority Is Checked on page 169 describes how the system checks for
adopted authority.
Figure 40 shows an application menu that includes the QRYSTART program:
ICMENU
Inventory Control Menu

1.
2.
3.
4.
Issues (ICPGM1)
Receipts (ICPGM2)
Purchases (ICPGM3)
Query (QRYSTART)
(no command line)
Figure 40. Sample Application Menu with Query
The authority information for the QRYSTART program is the same as shown in
Table 111 on page 219. The program is created with the use adopted authority
(USEADPAUT) parameter set to *NO, to ignore the adopted authority of previous
programs in the stack.
Following are comparisons of the program stacks when USERA selects query from
MENU1 (see Figure 37 on page 218) and from ICMENU:
Program stack when query selected from MENU1
MENU1 (no adopted authority)
QRYSTART (adopted authority QRYUSR)
Program stack when query selected from ICMENU
MENU1 (no adopted authority)
ICMENU (adopted authority OWNIC)
QRYSTART (adopted authority QRYUSR)
By specifying the QRYSTART program with USEADPAUT(*NO), the authority of
any previous programs in the stack is not used. This allows USERA to run query
from ICMENU without having the ability to change and delete files, because the
authority of OWNIC is not used by the QRYSTART program.
When USERA ends query and returns to ICMENU, adopted authority is once
again active. Adopted authority is ignored only as long as the QRYSTART program
is active.
If public authority to the QRYSTART program is *USE, specify USEADPAUT(*NO)
as a security precaution. This prevents anyone running under adopted authority
from calling the QRYSTART program and performing unauthorized functions.
221
The inquiry menu (Figure 36 on page 218) at the JKL Toy Company also uses this
technique, because it can be called from menus in different application libraries. It
adopts the authority of QRYUSR and ignores any other adopted authority in the
program stack.
Describing Menu Security

As an application designer, you need to provide information about a menu for the
security administrator. The security administrator uses this information to decide
who should have access to the menu and what authorities are required. Typical
information needed is:
v Whether any menu options require special authorities, such as *SAVSYS or
*JOBCTL.
v Whether menu options call programs that adopt authority.
v What authority to objects is required for each menu option. You should only
need to identify those authorities that are greater than normal public authority.
Figure 41 shows a sample format for providing this information.
Menu name: MENU1
Library:
Program called: QRYSTART
Library:
QGPLOption number: 3
Description:
Query
QGPL
Authority adopted: QRYUSR

Special authority required: None
Object authorities required: User must have *USE authority to QRYSTART
program. QRYUSR must have *USE authority to libraries containing
files to be queried. User, QRYUSR, or public must have *USE
authority to files being queried.
Figure 41. Format for Menu Security Requirements
System Request Menu

A user can use the system request function to suspend the current job and display
the System Request Menu. The System Request Menu allows the user to send and
display messages, transfer to a second job, or end the current job.
When your system is shipped, public authority to the System Request Menu is
*USE. The simplest way to prevent users from accessing this menu is by restricting
authority to the panel group QGMNSYSR:
v To prevent specific users from seeing the System Request Menu, specify
*EXCLUDE authority for those users:
GRTOBJAUT OBJ(QSYS/QGMNSYSR) +
OBJTYPE(*PNLGRP)
+
USER(USERA) AUT(*EXCLUDE)
v To prevent most users from seeing the System Request Menu, revoke public
authority and grant *USE authority to specific users:
RVKOBJAUT OBJ(QSYS/QGMNSYSR) +
OBJTYPE(*PNLGRP) +
USER(*PUBLIC) AUT(*ALL)
GRTOBJAUT OBJ(QSYS/QGMNSYSR) +
OBJTYPE(*PNLGRP)
+
USER(USERA) AUT(*USE)
222
You can prevent users from selecting specific options from the System Request
Menu by restricting the authority to the associated commands. Table 112 shows the
commands associated with the menu options:
Table 112. Options and Commands for the System Request Menu
Option
Command
1
2
3
4
5
6
7
10
Transfer Secondary Job (TFRSECJOB)

End Request (ENDRQS)
Display Job (DSPJOB)
Display Message (DSPMSG)
Send Message (SNDMSG)
Display Message (DSPMSG)
Display Work Station User (DSPWSUSR)
Start System Request at Previous System (TFRPASTHR). (See note
below.)
Transfer to previous system (TFRPASTHR). (See note below.)
Display 3270 emulation options (See note below.)
Start System Request at Home System (TFRPASTHR). (See note
below.)
Transfer to Home System (TFRPASTHR). (See note below.)
Transfer to End System (TFRPASTHR). (See note below.)
End Request on Remote System (ENDRDBRQS). (See note below.)
Disconnect Job (DSCJOB)
Sign-Off (SIGNOFF)
11
12
13
14
15
50
80
90
Notes:
1. Options 10, 11, 13, 14, and 15 are displayed only if display station pass-through has been
started with the Start Pass-Through (STRPASTHR) command. Option 10, 13, and 14 are
only displayed on the target system.
2. Option 12 is only displayed when 3270 emulation is active.
3. Option 50 is displayed only if a remote jobs is active.
4. Some of the options have restrictions for the System/36 environment.
For example, to prevent users from transferring to an alternative interactive job,

revoke public authority to the Transfer to Secondary Job (TFRSECJOB) command
and grant authority only to specific users:
RVKOBJAUT OBJ(TFRSECJOB) OBJTYPE(*CMD)
USER(*PUBLIC) AUT(*ALL)
GRTOBJAUT OBJ(TFRSECJOB) OBJTYPE(*CMD)
USER(USERA) AUT(*USE)
If a user selects an option for which the user does not have authority, a message is
displayed.
If you want to prevent users from general use of the commands from the System
Request menu but still want them to be able to run a command at a specific time
(such as sign-off), you can create a CL program that adopts the authority of an
authorized user and runs the command.
Planning Command Security

Menu security is a good technique for users who need applications and limited
system functions. Some users need a more flexible environment and the capability
to run commands. When your system arrives, the ability to use commands is set
up to meet the security needs of most installations. Some commands can be run
223
only by a security officer. Others require a special authority, such as *SAVSYS.

Most commands can be used by anyone on the system.
You can change the authority to commands to meet your security requirements.
For example, you may want to prevent most users on your system from working
with communications. You can set the public authority to *EXCLUDE for all
commands that work with communications objects, such the CHGCTLxxx,
CHGLINxxx, and CHGDEVxxx commands.
If you need to control which commands can be run by users, you can use object
authority to the commands themselves. Every command on the system has object
type *CMD and can be authorized to the public or only to specific users. To run a
command, the user needs *USE authority to it. Appendix C lists all the commands
that are shipped with the public authority set to *EXCLUDE.
If you use the System/38 library, you need to restrict security-relevant commands
in that library also. Or, you could restrict access to the entire library. If you use one
or more national language versions of the OS/400 licensed program on your
system, you need to restrict commands in the additional QSYSxxx libraries on your
system as well.
Another useful security measure is to change the default values for some
commands. The Change Command Default (CHGCMDDFT) command allows you
to do this.
Planning File Security

The information contained in database files is usually the most important asset on
your system. Resource security allows you to control who can view, change, and
delete information in a file. If users require different authority to files depending
on the situation, you can use adopted authority. Using Adopted Authority in
Menu Design on page 218 gives an example of this method.
For critical files on your system, keep a record of what users have authority to the
file. If you use group authority and authorization lists, you need to keep track of
users who have authority through those methods, as well as users who are directly
authorized. If you use adopted authority, you can list programs that adopt the
authority of a particular user using the Display Program Adopt (DSPPGMADP)
command.
You can also use the journaling function on the system to monitor activity against
a critical file. Although the primary intent of a journal is to recover information, it
can be used as a security tool. It contains a record of who has accessed a file and
in what way. You can use the Display Journal (DSPJRN) command to view a
sampling of journal entries periodically.
Securing Logical Files

Resource security on the system supports field-level security of a file. You can also
use logical files to protect specific fields or records in a file. See the DB2 Universal
Database for iSeries topic in the Information Center for more information. See
Prerequisite and related information on page xvi for details.
A logical file can be used to specify a subset of records that a user can access (by
using select and omit logic). Therefore, specific users can be prevented from
224
accessing certain record types. A logical file can be used to specify a subset of fields
in a record that a user can access. Therefore, specific users can be prevented from
accessing certain fields in a record.
A logical file does not contain any data. It is a particular view of one or more
physical files that contain the data. Providing access to the information defined by
a logical file requires data authority to both the logical file and the associated
physical files.
Figure 42 shows an example of a physical file and three different logical files
associated with it.
Figure 42. Using a Logical File for Security
Members of the sales department (group profile DPTSM) are allowed to view all
fields, but they cannot change the credit limit. Members of the accounts receivable
department (group profile DPTAR) are allowed to view all fields, but they cannot
change the sales field. The authority to the physical file looks like this:
Table 113. Physical File Example: CUSTMAST File
Users
Authority
Object Authorities
*OBJOPR
*OBJMGT
*OBJEXIST
*OBJALTER
*OBJREF
Data Authorities
*READ
*ADD
*UPD
*DLT
*EXECUTE
*PUBLIC
X
X
X
X
X
*EXCLUDE
225
The public should have all data rights but no operational rights to the CUSTMAST
physical file. The public cannot access the CUSTMAST file directly because
*OBJOPR authority is required to open a file. The publics authority makes all the
data rights potentially available to users of the logical file.
Authority to the logical files looks like this:
|
|
|
|
|
|
|
|
|
|
|
|
||

Object . . . . . . . :
Library . . . . . :
CUSTINFO
CUSTLIB
*FILE
Owner . . . . . . . :
Object secured by authorization list . . . . . . . . . . . :

User
*PUBLIC
|
|
|
|
|
|
|
|
|
|
|
|
|
||
Group
OWNAR
*NONE
*SYSBAS
*NONE
Object
Authority
*USE

Object . . . . . . . :
Library . . . . . :
CUSTCRDT
CUSTLIB
*FILE
Owner . . . . . . . :

User
DPTAR
*PUBLIC
|
|
|
|
|
|
|
|
|
|
|
|
|
||
Group
OWNAR
DPTAR
*SYSBAS
*NONE
Object
Authority
*CHANGE
*USE

Object . . . . . . . :
Library . . . . . :
CUSTSLS
CUSTLIB
*FILE
Owner . . . . . . . :

User
DPTSM
*PUBLIC
Group
OWNSM
DPTSM
*SYSBAS
*NONE
Object
Authority
*CHANGE
*USE
Making the group profile, such as DPTSM, the primary group for the logical file is
not necessary for this authority scheme to work. However, using primary group
authority eliminates searching private authorities for both the user attempting to
access the file and the users group. Case 2: Using Primary Group Authority on
page 174 shows how using primary group authority affects the authority checking
process.
226
You can specify data authorities for logical files beginning with V3R1 of the
OS/400 licensed program. When you move to V3R1 from an earlier version, the
system converts your logical files when the system is installed. The first time a
logical file is accessed, the system gives it all data authorities.
To use logical files as a security tool, do this:
v Grant all data authorities to the underlying physical files.
v Revoke *OBJOPR from the physical files. This prevents users from accessing the
physical files directly.
v Grant the appropriate data authorities to logical files. Revoke any authorities
you do not want.
v Grant *OBJOPR to the logical files.
Overriding Files
Override commands can be used to have a program use a different file with the
same format. For example, assume that a program in the contracts and pricing
application at the JKL Toy Company writes pricing information to a work file
before making price changes. A user with access to a command line who wanted to
capture confidential information could use an override command to cause the
program to write data to a different file in a library controlled by the user. You can
make sure a program processes the correct files by using override commands with
SECURE(*YES) before the program runs.
File Security and SQL

Structured Query Language (SQL) uses cross-reference files to keep track of
database files and their relationships. These files are collectively referred to as the
SQL catalog. Public authority to the SQL catalog is *READ. This means that any
user who has access to the SQL interface can display the names and text
descriptions for all files on your system. The SQL catalog does not affect the
normal authority required to access the contents of database files.
Care should be taken when using a CL program that adopts authority to start SQL
or Query Manager. Both of these query programs allow users to specify a file
name. The user can, therefore, access any file that the adopted profile has authority
to.
Planning Authorization Lists

An authorization list has these advantages:
v Authorization lists simplify managing authorities. User authority is defined for
the authorization list, not for the individual objects on the list. If a new object is
secured by the authorization list, the users on the list gain authority to the
object.
v One operation can be used to give a user authority to all the objects on the list.
v Authorization lists reduce the number of private authorities on the system. Each
user has a private authority to one object, the authorization list. This gives the
user authority to all the objects on the list. Reducing the number of private
authorities in the system has the following advantages:
Reduces the size of user profiles.
Improves the performance when saving the system (SAVSYS) or saving the
security data (SAVSECDTA).
227
v Authorization lists provide a good way to secure files. If you use private
authorities, each user will have a private authority for each file member. If you
use an authorization list, each user will have only one authority. Also, files that
are open cannot have authority granted to the file or revoked from the file. If
you secure the file with an authorization list, you can change the authorities,
even when the file is open.
v Authorization lists provide a way to remember authorities when an object is
saved. When an object is saved that is secured by an authorization list, the name
of the authorization list is saved with the object. If the object is deleted and
restored to the same system, it is automatically linked to the authorization list
again. If the object is restored on a different system, the authorization list is not
linked, unless ALWOBJDIF(*ALL) is specified on the restore command.
Advantages of Using an Authorization List

From a security management view, an authorization list is the preferred method to
manage objects that have the same security requirements. Even when there are
only a few objects that would be secured by the list, there is still an advantage to
using an authorization list instead of using private authorities on the object.
Because the authorities are in one place (the authorization list), it is easier to
change who is authorized to the objects. It is also easier to secure any new objects
with the same authorities as the existing objects.
If you use authorization lists, then you should not have private authorities on the
object. Two searches of the users private authorities are required during the
authority checking if the object has private authorities and the object is also
secured by an authorization list. The first search is for the private authorities on
the object; the second search is for the private authorities on the authorization list.
Two searches require use of system resources; therefore, the performance can be
impacted. If you use only the authorization list, only one search is performed.
Also, because of the use of authority caching with the authorization list, the
performance for the authority check will be the same as it is for checking only
private authorities on the object.
At the JKL Toy Company, an authorization list is used to secure all the work files
used in month-end inventory processing. These work files are cleared, which
requires *OBJMGT authority. As application requirements change, more work files
may be added to the application. Also, as job responsibilities change, different
users run month-end processing. An authorization list makes it simpler to manage
these changes.
Following are the steps to set up the authorization list:
1. Create the authorization list:
CRTAUTL ICLIST1
2. Secure all the work files with the authorization list:

GRTOBJAUT OBJ(ITEMLIB/ICWRK*) +
OBJTYP(*FILE) AUTL(ICLIST1)
3. Add users to the list who perform month-end processing:

ADDAUTLE AUTL(ICLIST1) USER(USERA) AUT(*ALL)
228
Planning Group Profiles

A group profile is a useful tool when several users have similar security
requirements. They are particularly useful when job requirements and group
membership change. For example, if members of a department have responsibility
for an application, a group profile can be set up for the department. As users join
or leave the department, the group profile field in their user profiles can be
changed. This is easier to manage than removing individual authorities from user
profiles.
You can create profiles specifically to be group profiles, or you can make an
existing profile into a group profile. A group profile is simply a special type of user
profile. It becomes a group profile when one of the following occurs:
v Another profile designates it as a group profile
v You assign a group identification number (gid) to it.
For example:
1. Create a profile called GRPIC:
CRTUSRPRF GRPIC
2. When the profile is created, it is an ordinary profile, not a group profile.

3. Designate GRPIC as the group profile for another group profile:
CHGUSRPRF USERA GRPPRF(GRPIC)
4. The system now treats GRPIC as a group profile and assigns a gid to it.
Planning Primary Groups for Objects

Any object on the system can have a primary group. Primary group authority can
provide a performance advantage if the primary group is the first group for most
users of an object.
Often, one group of users is responsible for some information on the system, such
as customer information. That group needs more authority to the information than
other system users. By using primary group authority, you can set up this type of
authority scheme without affecting the performance of authority checking. Case 2:
Using Primary Group Authority on page 174 shows an example of this.
Planning Multiple Group Profiles

A user can be a member of up to 16 groups: the first group (GRPPRF parameter in
the user profile) and 15 supplemental groups (SUPGRPPRF parameter in the user
profile). By using group profiles, you can manage authority more efficiently and
reduce the number of individual private authorities for objects. However, the
misuse of group profiles can have a negative impact on the performance of
authority checking.
Follow these suggestions when using multiple group profiles:
v Try to use multiple groups in combination with primary group authority and
eliminate private authority to objects.
v Carefully plan the sequence in which group profiles are assigned to a user. The
users first group should relate to the users primary assignment and the objects
used most often. For example, assume a user called WAGNERB does inventory
work regularly and does order entry work occasionally. The profile needed for
inventory authority (DPTIC) should be WAGNERBs first group. The profile
needed for order entry work (DPTOE) should be WAGNERBs first
supplemental group.
229
Note: The sequence in which private authorities are specified for an object has
no effect on authority checking performance.
v If you plan to use multiple groups, study the authority checking process
described in How the System Checks Authority on page 156. Be sure you
understand how using multiple groups in combination with other authority
techniques, such as authorization lists, may affect your system performance.
Accumulating Special Authorities for Group Profile Members

Special authorities of group profiles are available to the members of that group.
User profiles that are members of one or more groups have their own special
authorities, plus the special authorities of any group profiles for which the user is
a member. Special authorities are cumulative for users who are members of
multiple groups. For example, assume that profile GROUP1 has *JOBCTL, profile
GROUP3 has *AUDIT, and profile GROUP16 has *IOSYSCFG special authorities. A
user profile that has all three profiles as its group profiles has *JOBCTL, *AUDIT,
and *IOSYSCFG special authorities.
Note: ATTENTION
If a group member owns a program, the program adopts only the authority
of the owner. The authorities of the group are not adopted.
Using an Individual Profile as a Group Profile

Creating profiles specifically to be group profiles is preferable to making existing
profiles into group profiles. You may find that a specific user has all the authorities
needed by a group of users and be tempted to make that user profile into a group
profile. However, using an individuals profile as a group profile may cause
problems in the future:
v If the user whose profile is used as the group profile changes responsibilities, a
new profile needs to be designated as the group profile, authorities need to be
changed, and object ownership needs to be transferred.
v All members of the group automatically have authority to any objects created by
the group profile. The user whose profile is the group profile loses the ability to
have private objects, unless that user specifically excludes other users.
Try to plan group profiles in advance. Create specific group profiles with password
*NONE. If you discover after an application has been running that a user has
authorities that should belong to a group of users, do the following:
1. Create a group profile.
2. Use the GRTUSRAUT command to give the users authorities to the group
profile.
3. Remove the private authorities from the user, because they are no longer
needed. Use the RVKOBJAUT or EDTOBJAUT command.
Comparison of Group Profiles and Authorization Lists

Group profiles are used to simplify managing user profiles that have similar
security requirements. Authorization lists are used to secure objects with similar
security requirements. Table 114 on page 231 shows the characteristics of the two
methods:
230
Table 114. Authorization List and Group Profile Comparison

Item Being Compared
Authorization
List
Group Profile
Yes
Yes
Yes
Yes
Yes
No
Yes
No
Yes
Yes
Yes
Yes
No
No
Yes
Yes 1
Yes
Yes
Yes
No
Used to secure multiple objects

User can belong to more than one
Private authority overrides other authority
User must be assigned authority independently
Authorities specified are the same for all objects
Object can be secured by more than one
Authority can be specified when the object is created
Can secure all object types
Association with object is deleted when the object is
deleted
Association with object is saved when the object is
saved
The group profile can be given authority when an object is created by using the
GRPAUT parameter in the profile of the user creating an object.
Primary group authority is saved with the object.
Planning Security for Programmers

Programmers pose a problem for the security officer. Their knowledge makes it
possible for them to bypass security procedures that are not carefully designed.
They can bypass security to access data they need for testing. They can also
circumvent the normal procedures that allocate system resources in order to
achieve better performance for their own jobs. Security is often seen by them as a
hindrance to doing the tasks required by their job, such as testing applications.
However, giving programmers too much authority on the system breaks the
security principle of separating duties. It also allows a programmer to install
unauthorized programs.
Follow these guidelines when setting up an environment for application
programmers:
v Do not grant all special authorities to programmers. However, if you must give
programmers special authorities, give them only the special authority required
to perform the jobs or tasks assigned to the programmer.
v Do not use the QPGMR user profile as a group profile for programmers.
v Use test libraries and prevent access to production libraries.
v Create programmer libraries and use a program that adopts authority to copy
selected production data to programmer libraries for testing.
v If interactive performance is an issue, consider changing the commands for
creating programs to run only in batch:
CHGCMD CMD(CRTxxxPGM) ALLOW(*BATCH *BPGM)
v Perform security auditing of application function before moving applications or

program changes from test to production libraries.
v Use the group profile technique when an application is being developed. Have
all application programs owned by a group profile. Make programmers who
work on the application members of the group and define the programmer user
profiles to have the group own any new objects created (OWNER(*GRPPRF)).
When a programmer moves from one project to another, you can change the
group information in the programmers profile. See Group Ownership of
Objects on page 129 for more information.
231
v Develop a plan for assigning ownership of applications when they are moved
into production. To control changes to a production application, all application
objects, including programs, should be owned by the user profile designated for
the application.
Application objects should not be owned by a programmer because the
programmer would have uncontrolled access to them in a production
environment. The profile that owns the application may be the profile of the
individual responsible for the application, or it may be a profile specifically
created as the application owner.
Managing Source Files

Source files are important to the integrity of your system. They may also be a
valuable company asset, if you have developed or acquired custom applications.
Source files should be protected like any other important file on the system.
Consider placing source files in separate libraries and controlling who can update
them and move them to production.
When a source file is created on the system, the default public authority is
*CHANGE, which allows any user to update any source member. By default, only
the owner of the source file or a user with *ALLOBJ special authority can add or
remove members. In most cases, this default authority for source physical files
should be changed. Programmers working on an application need *OBJMGT
authority to the source files to add new members. The public authority should
probably be reduced to *USE or *EXCLUDE, unless the source files are in a
controlled library.
Planning Security for System Programmers or Managers

Most systems have someone responsible for housekeeping functions. This person
monitors the use of system resources, particularly disk storage, to make sure that
users regularly remove unused objects to free space. System programmers need
broad authority to observe all the objects on the system. However, they do not
need to view the contents of those objects.
You can use adopted authority to provide a set of display commands for system
programmers, rather than giving special authorities in their user profiles.
Planning the Use of Validation List Objects

Validation list objects are a new object type in Version 4, Release 1 that provide a
method for applications to securely store user authentication information.
For example, the Internet Connection Server (ICS) uses validation lists to
implement the concept of an Internet user. For Version 4, Release 1, the ICS can
perform basic authentication before a web page is served. Basic authentication
requires users to provide some type of authentication information, such as a
password, PIN, or account number. The name of the user and the authentication
information can be stored securely in a validation list. The ICS can use the
information from the validation list rather than require all users of the ICS to have
an iSeries user id and password.
An internet user can be permitted or denied access to the iSeries from the web
server. The user, however, has no authority to any iSeries resources or authority to
sign-on or run jobs. An iSeries user profile is never created for the internet users.
232
To create and delete validation lists, you can use the CL commands Create
Validation List (CRTVLDL) and the Delete Validation List (DLTVLDL). Application
Programming Interfaces (APIs) are also provided to allow applications to add,
change, remove, verify (authenticate), and find entries in a validation list. For more
information and examples, see the API topic in the Information Center
(seePrerequisite and related information on page xvi for details).
Validation list objects are available for all applications to use. For example, if an
application requires a password, the application passwords can be stored in a
validation list object rather than a database file. The application can use the
validation list APIs to verify a users password, which is encrypted, rather than the
application performing the verification itself.
In Version 4, Release 1, the authentication information (password, PIN, account
number) that is associated with a validation list is always stored in a
nondecryptable form, which cannot be returned to the user.
In Version 4, Release 2, you can choose to store the authentication information in a
decryptable form. If a user has the appropriate security, the authentication
information can be decrypted and returned to the user. For information about
controlling the storage of decryptable data in validation lists, see Retain Server
Security (QRETSVRSEC) on page 32.
Limit Access to Program Function

The limit access to program function allows you to define who can use an
application, the parts of an application, or the functions within a program. This
support is not a replacement for resource security. Limit access to program
function does not prevent a user from accessing a resource (such as a file or
program) from another interface.
The limit access to program function support provides APIs to:
v
v
v
v
Register a function
Retrieve information about the function
Define who can or cannot use the function
Check to see if the user is allowed to use the function
To use this support within an application, the application provider must register
the functions when the application is installed. The registered function corresponds
to a code block for specific functions in the application. When the user runs the
application, the application calls the check usage API to see if the user is allowed
to use the function that is associated with the code block, before invoking the code
block. If the user is allowed to use the registered function, the code block is run. If
the user is not allowed to use the function, the user is prevented from running the
code block.
The system administrator specifies who is allowed or denied access to a function.
The administrator can either use the API to manage the access to program function
or use the iSeries Navigator. The OS/400 API section in the Information Center
provides information about the limit access to program function APIs.
233
234
Chapter 8. Backup and Recovery of Security Information

This chapter discusses how security relates to backup and recovery on your
system:
v How security information is saved and restored
v How security affects saving and restoring objects
v Security issues associated with *SAVSYS special authority
The Backup and Recovery book provides more information about backup and
recovery. You may also refer to the Backup and Recovery topics in the iSeries
Information Center (seePrerequisite and related information on page xvi for
details).
Saving your security information is just as important as saving your data. In some
situations, you may need to recover user profiles, object authorities, and the data
on your system. If you do not have your security information saved, you may
need to manually rebuild user profiles and object authorities. This can be
time-consuming and can lead to errors and security exposures.
Planning adequate backup and recovery procedures for security information
requires understanding how the information is stored, saved, and restored.
Table 115 shows the commands used to save and restore security information. The
sections that follow discuss saving and restoring security information in more
detail.
Table 115. How Security Information Is Saved and Restored
Save and Restore Commands Used
Security Information Saved or Restored

User profiles
Object ownership 1
Primary group 1
Public authorities 1
Private authorities
Authorization lists
Authority holders
Link with the authorization list and authority holders
Object auditing value
Function registration information 2
Function usage information
SAVCHGOBJ
SAVOBJ
SAVLIB
SAVSECDTA SAVDLO
SAVSYS
SAVCFGRSTUSRPRF
X
RSTAUT
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
RSTOBJ
RSTLIB
RSTDLO
RSTCFG
X
X
X
X
The SAVSECDTA, SAVSYS, and RSTUSRPRF commands save and restore ownership, primary group,
primary group authority, and public authority for these object types : User profile (*USRPRF), Authorization
list (*AUTL), and Authority holder (*AUTHLR).
The object to save/restore is QUSEXRGOBJ, type *EXITRG in QUSRSYS library.
235
How Security Information Is Stored

Security information is stored with objects, user profiles, and authorization lists:
Authority Information Stored with Object:
Public authority
Owner name
Owners authority to object
Primary group name
Primary groups authority to object
Authorization list name
Whether any private authority exists
Whether any private authority is less than public
Authority Information Stored with User Profile:
Heading Information:
The user profile attributes shown on the Create User Profile display.
The uid and gid.
Private Authority Information:
Private authority to objects. This includes private authority to authorization
lists.
Ownership Information:
List of owned objects
For each owned object, a list of users with private authority to the object.
Primary Group Information:
List of objects for which the profile is the primary group.
Auditing Information:
Action auditing value
Function Usage Information:
Usage settings for registered functions.
Authority Information Stored with Authorization Lists:
Normal authority information stored with any object, such as the public
authority and owner.
List of all objects secured by the authorization list.
Saving Security Information

Security information is stored differently on the save media than it is on your
system. When you save user profiles, the private authority information stored with
the user profile is formatted into an authority table. An authority table is built and
saved for each user profile that has private authorities. This reformatting and
saving of security information can be lengthy if you have many private authorities
on your system.
This is how security information is stored on the save media:
236
Authority Information Saved with Object:

Public authority
Owner name
Owners authority to object
Primary group name
Primary groups authority to object
Authorization list name
Field level authorities
Whether any private authority exists
Whether any private authority is less than public
Authority Information Saved with Authorization List:
Normal authority information stored with any object, such as the public
authority, owner, and primary group.
Authority Information Saved with User Profile:
The user profile attributes shown on the Create User Profile display.
Authority Table Saved Associated with User Profile:
One record for each private authority of the user profile, including usage
settings for registered functions.
Function Registration Information Saved with QUSEXRGOBJ object:
The function registration information can be saved by saving the QUSEXRGOBJ
*EXITRG object in QUSRSYS.
Recovering Security Information

Recovering your system often requires restoring data and associated security
information. The usual sequence for recovery is:
1. Restore user profiles and authorization lists (RSTUSRPRF USRPRF(*ALL)).
2. Restore objects (RSTLIB, RSTOBJ, or RSTCFG).
3. Restore the private authorities to objects (RSTAUT).
The Backup and Recovery book provides more information about planning recovery.
Restoring User Profiles

Some changes may be made to a user profile when it is restored. The following
applies:
v If profiles are being restored individually (RSTUSRPRF USRPRF(*ALL) is not
specified), SECDTA(*PWDGRP) is not requested, and the profile being restored
does not exist on the system, these fields are changed to *NONE:
Group profile name (GRPPRF)

Password (PASSWORD)
Document password (DOCPWD)
Supplemental group profiles (SUPGRPPRF)
Product passwords are changed to *NONE, so they will be incorrect after

restoring an individual user profile that did not exist on the system.
237
v If profiles are being restored individually (RSTUSRPRF USRPRF(*ALL) is not

specified) SECDTA(*PWDGRP) is not requested, and the profile exists on the
system, the password, document password, and group profile are not changed.
User profiles can be restored individually with the password and group
information restored from the save media by specifying the SECDTA(*PWDGRP)
parameter on the RSTUSRPRF command. *ALLOBJ and *SECADM special
authorities are required to restore the password and group information when
restoring individual profiles. Product passwords restored with the user profile
will be incorrect after restoring an individual user profile that existed on the
system, unless the SECDTA(*PWDGRP) parameter is specified on the
RSTUSRPRF command.
v If all user profiles are being restored to your system, all the fields in any profiles
that already exist on the system are restored from the save media, including the
password.
Attention: User Profiles saved from a system with a different password level
(QPWDLVL system value) than the system that is being restored may result in
having a password that is not valid on the restored system. For example, if the
saved user profile came from a system that was running password level 2, the
user could have a password of This is my password. This password would not
be valid on a system running password level 0 or 1.
Attention: Keep a record of the security officer (QSECOFR) password associated
with each version of your security information that is saved to make sure you
can sign on to your system if you need to do a complete restore operation.
You can use DST (Dedicated Service Tools) to reset the password for the
QSECOFR profile. See Service tools topic in the Information Center for
instructions. See Prerequisite and related information on page xvi for more
information about accessing the Information Center.
v If a profile exists on the system, the restore operation does not change the uid or
gid.
v If a profile does not exist on the system, the uid and gid for a profile are
restored from the save media. If either the uid or the gid already exists on the
system, the system generates a new value and issues a message (CPI3810).
v *ALLOBJ special authority is removed from user profiles being restored to a
system at security level 30 or higher in either of these situations:
The profile was saved from a different system and the user performing the
RSTUSRPRF does not have *ALLOBJ and *SECADM special authorities.
The profile was saved from the same system at security level 10 or 20.
ATTENTION: The system uses the machine serial number on the system and
on the save media to determine whether objects are being
restored to the same system or a different system.
*ALLOBJ special authority is not removed from these IBM-supplied profiles:
QSYS (system) user profile
QSECOFR (security officer) user profile
QLPAUTO (licensed program automatic install) user profile
QLPINSTALL (licensed program install) user profile
Restoring Objects
When you restore an object to the system, the system uses the authority
information stored with the object. The following applies to security of the restored
object:
238
Object ownership:
v If the profile that owns the object is on the system, ownership is restored to that
profile.
v If the owner profile does not exist on the system, ownership of the object is
given to the QDFTOWN (default owner) user profile.
v If the object exists on the system and the owner on the system is different from
the owner on the save media, the object is not restored unless
ALWOBJDIF(*ALL) is specified. In that case, the object is restored and the owner
on the system is used.
v See Restoring Programs on page 241 for additional considerations when
restoring programs.
Primary group:
For an object that does not exist on the system:
v If the profile that is the primary group for the object is on the system, the
primary group value and authority are restored for the object.
v If the profile that is the primary group does not exist on the system:
The primary group for the object is set to none.
The primary group authority is set to no authority.
When an existing object is restored, the primary group for the object is not
changed by the restore operation.
Public authority:
v If the object being restored does not exist on the system, public authority is set
to the public authority of the saved object.
v If the object being restored does exist and is being replaced, public authority is
not changed. The public authority from the saved version of the object is not
used.
v The CRTAUT for the library is not used when restoring objects to the library.
Authorization list:
v If an object, other than a document or folder, already exists on the system and is
linked to an authorization list, the ALWOBJDIF parameter determines the result:
If ALWOBJDIF(*NONE) is specified, the existing object must have the same
authorization list as the saved object. If not, the object is not restored.
If ALWOBJDIF(*ALL) is specified, the object is restored. The object is linked
to the authorization list associated with the existing object.
v If a document or folder that already exists on the system is restored, the
authorization list associated with the object on the system is used. The
authorization list from the saved document or folder is not used.
v If the authorization list does not exist on the system, the object is restored
without being linked to an authorization list and the public authority is changed
to *EXCLUDE.
v If the object is being restored on the same system from which it was saved, the
object is linked to the authorization list again.
v If the object is being restored on a different system, the ALWOBJDIF parameter
on the restore command is used to determine whether the object is linked to the
authorization list:
If ALWOBJDIF(*ALL) is specified, the object is linked to the authorization list.
239
If ALWOBJDIF(*NONE) is specified, then the object is not linked to the

authorization list and the public authority of the object is changed to
*EXCLUDE.
Private authorities:
v Private authority is saved with user profiles, not with objects.
v If user profiles have private authority to an object being restored, those private
authorities are usually not affected. Restoring certain types of programs may
result in private authorities being revoked. See Restoring Programs on
page 241 for more information.
v If an object is deleted from the system and then restored from a saved version,
private authority for the object no longer exists on the system. When an object is
deleted, all private authority to the object is removed from user profiles.
v If private authorities need to be recovered, the Restore Authority (RSTAUT)
command must be used. The normal sequence is:
1. Restore user profiles
2. Restore objects
3. Restore authority
Object Auditing:
v If the object being restored does not exist on the system, the object auditing
(OBJAUD) value of the saved object is restored.
v If the object being restored does exist and is being replaced, the object auditing
value is not changed. The OBJAUD value of the saved version of the object is
not restored.
v If a library being restored does not exist on the system, the create object auditing
(CRTOBJAUD) value for the library is restored.
v If a library being restored exists and is being replaced, the CRTOBJAUD value
for the library is not restored. The CRTOBJAUD value for the existing library is
used.
Authority Holder:
v If a file is restored and an authority holder exists for that file name and the
library to which it is being restored, the file is linked to the authority holder.
v The authority information associated with the authority holder replaces the
public authority and owner information saved with the file.
User Domain Objects:
v For systems running Version 2 Release 3 or later of the OS/400 licensed
program, the system restricts user domain objects (*USRSPC, *USRIDX, and
*USRQ) to the libraries specified in the QALWUSRDMN system value. If a
library is removed from the QALWUSRDMN system value after a user domain
object of type *USRSPC, *USRIDX, or *USRQ is saved, the system changes the
object to system domain when it is restored.
Function Registration Information:
v The function registration information can be restored by restoring the
QUSEXRGOBJ *EXITRG object into QUSRSYS. This restores all of the registered
functions. The usage information associated with the functions is restored when
user profiles and authorities are restored.
Applications that Use Certificates Registration
240
v The applications that use certificates registration information can be restored by

restoring the QUSEXRGOBJ *EXITRG object into QUSRSYS. This restores all of
the registered applications. The association of the application to its certificate
information can be restored by restoring the QYCDCERTI *USRIDX object into
QUSRSYS.
Restoring Authority
When security information is restored, private authorities must be rebuilt. When
you restore a user profile that has an authority table, the authority table for the
profile is also restored.
The Restore Authority (RSTAUT) command rebuilds the private authority in the
user profile using the information from the authority table. The grant authority
operation is run for each private authority in the authority table. If authority is
being restored for many profiles and many private authorities exist in the authority
tables, this can be a lengthy process.
The RSTUSRPRF and RSTAUT commands can be run for a single profile, a list of
profiles, a generic profile name, or all profiles. The system searches the save media
or save file created by the SAVSECDTA or SAVSYS command or the QSRSAVO
API to find the profiles you want to restore.
Restoring Field Authority:
The following steps are required to restore private field authorities for database
files that do not already exist on the system:
v Restore or create the necessary user profiles.
v Restore the files.
v Run the Restore Authority (RSTAUT) command.
The private field authorities are not fully restored until the private object
authorities that they restrict are also established again.
Restoring Programs
Restoring programs to your system that are obtained from an unknown source
poses a security exposure. Programs might perform operations that break your
security requirements. Of particular concern are programs that contain restricted
instructions, programs that adopt their owner authority, and programs that have
been tampered with. This includes object types *PGM, *SRVPGM, *MODULE, and
*CRQD. You can use the QVFYOBJRST, QFRCCVNRST, and QALWOBJRST system
values to prevent these object types from being restored to your system. See
Security-Related Restore System Values for more information about these system
values.
|
|
|
|
The system uses a validation value to help protect programs. This value is stored
with a program and recalculated when the program is restored. The systems
actions are determined by the ALWOBJDIF parameter on the restore command and
the force conversion on restore (QFRCCVNRST) system value.
Note: Programs that are created for iSeries Version 5 Release 1 or later contain
information that allows the program to be re-created at restore time if
necessary. The information needed to re-create the program remains with the
program even when the observability of the program is removed. If a
program validation error is determined to exist at the time the program is
241
restored, the program will be re-created in order to correct the program

validation error. The action of re-creating the program at restore time is not
new to iseries Version 5 Release 1. In previous releases, any program
validation error that was encountered at restore time resulted in the
program being re-created if possible (if observability existed in the program
being restored). The difference with iSeries Version 5 Release 1 or later
programs is that the information needed to re-create the program remains
even when observability was removed from the program.
Restoring Programs That Adopt the Owners Authority:
When a program is restored that adopts owner authority, the ownership and
authority to the program may be changed. The following applies:
v The user profile doing the restore operation must either own the program or
have *ALLOBJ and *SECADM special authorities.
v The user profile doing the restore operation can receive the authority to restore
the program by
Being the program owner.
Being a member of the group profile that owns the program (unless you have
private authority to the program).
Having *ALLOBJ and *SECADM special authority.
Being a member of a group profile that has *ALLOBJ and *SECADM special
authority.
Running under adopted authority that meets one of the tests just listed.
v If the restoring profile does not have adequate authority, all public and private
authorities to the program are revoked, and the public authority is changed to
*EXCLUDE.
v If the owner of the program does not exist on the system, ownership is given to
the QDFTOWN user profile. Public authority is changed to *EXCLUDE and the
authorization list is removed.
Restoring Licensed Programs

The Restore Licensed Programs (RSTLICPGM) command is used to install
IBM-supplied programs on your system. It can also be used to install non-IBM
programs created using the SystemView* System Manager/400* licensed program.
When your system is shipped, only users with *ALLOBJ special authority can use
the RSTLICPGM command. The RSTLICPGM procedure calls an exit program to
install programs that are not supplied by IBM.
To protect security on your system, the exit program should not run using a profile
with *ALLOBJ special authority. Use a program that adopts *ALLOBJ special
authority to run the RSTLICPGM command, instead of having a user with
*ALLOBJ authority run the command directly.
Following is an example of this technique. The program to be installed using the
RSTLICPGM command is called CPAPP (Contracts and Pricing).
1. Create a user profile with sufficient authority to successfully install the
application. Do not give this profile *ALLOBJ special authority. For the
example, the user profile is called OWNCP.
2. Write a program to install the application. For the example, the program is
called CPINST:
242
PGM
RSTLICPGM CPAPP
ENDPGM
3. Create the CPINST program to adopt the authority of a user with *ALLOBJ
special authority, such as QSECOFR, and authorize OWNCP to the program:
CRTCLPGM QGPL/CPINST USRPRF(*OWNER) +
AUT(*EXCLUDE)
GRTOBJAUT OBJ(CPINST) OBJTYP(*PGM) +
USER(OWNCP) AUT(*USE)
4. Sign on as OWNCP and call the CPINST program. When the CPINST program
runs the RSTLICPGM command, you are running under QSECOFR authority.
When the exit program runs to install the CPAPP programs, it drops adopted
authority. The programs called by the exit program run under the authority of
OWNCP.
Restoring Authorization Lists

Authorization lists are saved by either the SAVSECDTA command or the SAVSYS
command. Authorization lists are restored by the command:
RSTUSRPRF USRPRF(*ALL)
No method exists for restoring an individual authorization list.

When you restore an authorization list, authority and ownership are established
just as they are for any other object that is restored. The link between authorization
lists and objects is established if the objects are restored after the authorization list.
See Restoring Objects on page 238 for more information. Users private
authorities to the list are restored using the RSTAUT command.
Recovering from a Damaged Authorization List

When an object is secured by an authorization list and the authorization list
becomes damaged, access to the object is limited to users that have all object
(*ALLOBJ) special authority.
To recover from a damaged authorization list, two steps are required:
1. Recover users and their authorities on the authorization list.
2. Recover the association of the authorization list with the objects.
These steps must be done by a user with *ALLOBJ special authority.
Recovering the Authorization List: If users authorities to the authorization list
are known, simply delete the authorization list, create the authorization list again,
and then add users to it.
If it is not possible to create the authorization list again because you do not know
all the user authorities, the authorization list can be restored and the users restored
to the authorization list using your last SAVSYS or SAVSECDTA tapes. To restore
the authorization list, do the following:
1. Delete the damaged authorization list using the Delete Authorization List
(DLTAUTL) command.
2. Restore the authorization list by restoring user profiles:
RSTUSRPRF USRPRF(*ALL)
3. Restore users private authorities to the list using the RSTAUT command.
243
Attention: This procedure restores user profile values from the save media. See
Restoring User Profiles on page 237 for more information.
Recovering the Association of Objects to the Authorization List: When the
damaged authorization list is deleted, the objects secured by the authorization list
need to be added to the new authorization list. Do the following:
1. Find the objects that were associated with the damaged authorization list using
the Reclaim Storage (RCLSTG) command. Reclaim storage assigns the objects
that were associated with the authorization list to the QRCLAUTL
authorization list.
2. Use the Display Authorization List Objects (DSPAUTLOBJ) command to list the
objects associated with the QRCLAUTL authorization list.
3. Use the Grant Object Authority (GRTOBJAUT) command to secure each object
with the correct authorization list:
GRTOBJAUT OBJ(library-name/object-name) +
OBJTYPE(object-type) +
AUTL(authorization-list-name)
Note: If a large number of objects are associated with the QRCLAUTL

authorization list, create a database file by specifying OUTPUT(*OUTFILE)
on the DSPAUTLOBJ command. You can write a CL program to run the
GRTOBJAUT command for each object in the file.
Restoring the Operating System

When you perform a manual IPL on your system, the IPL or Install the System
menu provides an option to install the operating system. The dedicated service
tools (DST) function provides the ability to require anyone using this menu option
to enter the DST security password. You can use this to prevent someone from
restoring an unauthorized copy of the operating system.
To secure the installation of your operating system, do the following:
1.
2.
3.
4.
5.
6.
Perform a manual IPL.

From the IPL or Install the System menu, select DST.
From the Use DST menu, select the option to work with the DST environment.
Select the option to change DST passwords.
Select the option to change the operating system install security.
Specify 1 (secure).
7. Press F3 (exit) until you return to the IPL or Install the System menu.
8. Complete the manual IPL and return the keylock to its normal position.
Notes:
1. If you no longer want to secure the installation of the operating system, follow
the same steps and specify 2 (not secure).
2. You can also prevent installation of the operating system by keeping your
keylock switch in the normal position and removing the key.
*SAVSYS Special Authority

To save or restore an object, you must have *OBJEXIST authority to the object or
*SAVSYS special authority. A user with *SAVSYS special authority does not need
any additional authority to an object to save or restore it.
244
*SAVSYS special authority gives a user the capability to save an object and take it
to a different system to be restored or to display (dump) the media to view the
data. It also gives a user the capability to save an object and free storage thus
deleting the data in the object. When saving documents, a user with *SAVSYS
special authority has the option to delete those documents. *SAVSYS special
authority should be given carefully.
Auditing Save and Restore Operations

A security audit record is written for each restore operation if the action auditing
value (QAUDLVL system value or AUDLVL in the user profile) includes *SAVRST.
When you use a command that restores a large number of objects, such as RSTLIB,
an audit record is written for each object restored. This may cause problems with
the size of the audit journal receiver, particularly if you are restoring more than
one library.
The RSTCFG command does not create an audit record for each object restored. If
you want to have an audit record of this command, set object auditing for the
command itself. One audit record will be written whenever the command is run.
Commands that save a very large number of objects, such as SAVSYS,
SAVSECDTA, and SAVCFG, do not create individual audit records for the objects
saved, even if the saved objects have object auditing active. To monitor these
commands, set up object auditing for the commands themselves.
245
246
Chapter 9. Auditing Security on the iSeries System

This chapter describes techniques for auditing the effectiveness of security on your
system. People audit their system security for several reasons:
v To evaluate whether the security plan is complete.
v To make sure that the planned security controls are in place and working. This
type of auditing is usually performed by the security officer as part of daily
security administration. It is also performed, sometimes in greater detail, as part
of a periodic security review by internal or external auditors.
v To make sure that system security is keeping pace with changes to the system
environment. Some examples of changes that affect security are:
New objects created by system users
New users admitted to the system
Change of object ownership (authorization not adjusted)
Change of responsibilities (user group changed)
Temporary authority (not timely revoked)
New products installed
v To prepare for a future event, such as installing a new application, moving to a
higher security level, or setting up a communications network.
The techniques described in this chapter are appropriate for all these situations.
Which things you audit and how often depends on the size and security needs of
your organization. The purpose of this chapter is to discuss what information is
available, how to obtain it, and why it is needed, rather than to give guidelines for
the frequency of audits.
This chapter has three parts:
v A checklist of security items that can be planned and audited.
v Information about setting up and using the audit journal provided by the
system.
v Other techniques that are available to gather security information on the system.
Security auditing involves using commands on the iSeries system and accessing
log and journal information on the system. You may want to create a special
profile to be used by someone doing a security audit of your system. The auditor
profile will need *AUDIT special authority to be able to change the audit
characteristics of your system. Some of the auditing tasks suggested in this chapter
require a user profile with *ALLOBJ and *SECADM special authority. Be sure that
you set the password for the auditor profile to *NONE when the audit period has
ended.
Checklist for Security Officers and Auditors

This checklist can be used both to plan and to audit system security. As you plan
security, choose the items from the list that meet your security requirements. When
you audit the security of your system, use the list to evaluate the controls you
have in place and to determine if additional controls are needed.
247
This list serves as a review of the information in this book. The list contains brief
descriptions of how to do each item and how to monitor that it has been done,
including what entries in the QAUDJRN journal to look for. Details about the
items are found throughout the book.
Physical Security
Note: The Basic System Security and Planning topic in the Information Center
contains a complete discussion of physical security on the iSeries system.
See Prerequisite and related information on page xvi for details.
The system unit and system console are in a secure location.
Backup media is protected from damage and theft.
The keylock switch setting on the processor unit is in the Secure or Auto
position. The key is removed. The keys are kept separately, both under tight
physical security. See the Information Center for more information about the
keylock switch (see Prerequisite and related information on page xvi for
details).
Access to publicly located workstations and the console is restricted. Use the
DSPOBJAUT command to see who has *CHANGE authority to the
workstations. Look for AF entries in the audit journal with the object type field
equal to *DEVD to find attempts to sign on at restricted workstations.
Sign-on for users with *ALLOBJ or *SERVICE special authority is limited to a
few workstations. Check to see that the QLMTSECOFR system value is 1. Use
the DSPOBJAUT command for devices to see if the QSECOFR profile has
*CHANGE authority.
System Values
Security system values follow recommended guidelines. To print the security
system values, type: WRKSYSVAL *SEC OUTPUT(*PRINT). Two important system
values to audit are:
QSECURITY, which should be set to 40 or higher.
QMAXSIGN, which should not be greater than 5.
Note: If the auditing function is active, an SV entry is written to the QAUDJRN
journal whenever a system value is changed.
Decisions about system values are reviewed periodically, particularly when the
system environment changes, such as the installation of new applications or a
communications network.
IBM-Supplied User Profiles

The password has been changed for the QSECOFR user profile. This profile is
shipped with the password set to QSECOFR so you can sign on to install your
system. The password must be changed the first time you sign-on your system
and changed periodically after the installation.
Verify that it has been changed by checking a DSPAUTUSR list for the date the
QSECOFR password was changed and by attempting to sign on with the
default password.
Note: See IBM-Supplied User Profiles on page 116 and Appendix B for more
information about IBM-supplied user profiles.
The IBM passwords for dedicated service tools (DST) are changed. DST profiles
do not appear on a DSPAUTUSR list. To verify that the userids and passwords
248
are changed, start DST and attempt to use the default values. See the topic
Working with service tools user IDs on page 117 for more information.
Signing on with IBM-supplied user profiles, except QSECOFR, is not
recommended. These IBM-supplied profiles are designed to own objects or to
run system functions. Use a DSPAUTUSR list to verify that the following
IBM-supplied user profiles have a password of *NONE:
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
QAUTPROF
QBRMS
QCLUMGT
QCLUSTER
QCOLSRV
QDBSHR
QDBSHRDO
QDFTOWN
QDIRSRV
QDLFM
QDOC
QDSNX
QEJB
QFNC
QIPP
QGATE
QLPAUTO
QLPINSTALL
QMSF
QNETSPLF
QNFSANON
QNTP
QPEX
QPGMR
QPM400
QRJE
QSNADS
QSPL
QSPLJOB
QSRV
QSRVBAS
QSYS
QSYSOPR
QTCM
QTCP
QTFTP
QTMHHTP1
QTMHHTTP
QTSTRQS
QUSER
QYPSJSVR
Password Control
Users can change their own passwords. Allowing users to define their own
passwords reduces the need for users to write down their passwords. Users
should have access to the CHGPWD command or to the Change Password
function from the Security (GO SECURITY) menu.
A password change is required according to the organizations security
guidelines, usually every 30 to 90 days. The QPWDEXPITV system value is set
to meet the security guidelines.
If a user profile has a password expiration interval that is different from the
system value, it meets the security guidelines. Review user profiles for a
PWDEXPITV value other than *SYSVAL.
Trivial passwords are prevented by using the system values to set the password
rules and by using a password approval program. Use the WRKSYSVAL *SEC
command and look at the settings for the values beginning with QPWD.
Group profiles have a password of *NONE. Use the DSPAUTUSR command to
check for any group profiles that have passwords.
Whenever the system is not operating at password level 3 and users change their
password, the system will attempt to create an equivalent password that is usable
at the other password levels, if possible. You can use the DSPAUTUSR or
PRTUSRPRF TYPE(*PWDINFO) commands to see which user profiles have
passwords that are usable at the various password levels.
Note: The equivalent password is a best effort attempt to create a usable password
for the other password levels but it may not have passed all of the password
rules if the other password level was in effect. For example, if password
BbAaA3x is specified at password level 2, the system will create an
equivalent password of BBAAA3X for use at password levels 0 and 1. This
would be true even if the QPWDLMTCHR system value includes A as one
of the limited characters (QPWDLMTCHR is not enforced at password level
2) or QPWDLMTREP system value specified that consecutive characters
249
cannot be the same (because the check is case sensitive at password level 2
but case insensitive at password levels 0 and 1).
User and Group Profiles

Each user is assigned a unique user profile. The QLMTDEVSSN system value
should be set to 1. Although limiting each user to one device session at a time
does not prevent sharing user profiles, it discourages it.
User profiles with *ALLOBJ special authority are limited, and are not used as
group profiles. The DSPUSRPRF command can be used to check the special
authorities for user profiles and to determine which profiles are group profiles.
The topic Printing Selected User Profiles on page 278 shows how to use an
output file and query to determine this.
The Limit capabilities field is *YES in the profiles of users who should be
restricted to a set of menus. The topic Printing Selected User Profiles on
page 278 gives an example of how to determine this.
Programmers are restricted from production libraries. Use the DSPOBJAUT
command to determine the public and private authorities for production
libraries and critical objects in the libraries.
Planning Security for Programmers on page 231 has more information about
security and the programming environment.
Membership in a group profile is changed when job responsibilities change. To
verify group membership, use one of these commands:
DSPAUTUSR SEQ(*GRPPRF)
DSPUSRPRF profile-name *GRPMBR
You should use a naming convention for group profiles. When authorities are
displayed, you can then easily recognize the group profile.
The administration of user profiles is adequately organized. No user profiles
have large numbers of private authorities. The topic Examining Large User
Profiles on page 278 discusses how to find and examine large user profiles on
your system.
Employees are removed from the system immediately when they are
transferred or released. Regularly review the DSPAUTUSR list to make sure
only active employees have access to the system. The DO (Delete Object) entries
in the audit journal can be reviewed to make sure user profiles are deleted
immediately after employees leave.
Management regularly verifies the users authorized to the system. You can use
the DSPAUTUSR command for this information.
The password for an inactive employee is set to *NONE. Use the DSPAUTUSR
command to verify that the inactive user profiles do not have passwords.
Management regularly verifies the users with special authorities, particularly
*ALLOBJ *SAVSYS, and *AUDIT special authorities. The topic Printing
Selected User Profiles on page 278 gives an example of how to determine this.
Authorization Control
Owners of data understand their obligation to authorize users on a
need-to-know basis.
Owners of objects regularly verify the authority to use the objects, including
public authority. The WRKOBJOWN command provides a display for working
with the authorities to all objects owned by a user profile.
Sensitive data is not public. Check the authority for user *PUBLIC for critical
objects using the DSPOBJAUT command.
250
Authority to user profiles is controlled. The public authority to user profiles

should be *EXCLUDE. This prevents users from submitting jobs that run under
another users profile.
Job descriptions are controlled:
Job descriptions with public authority of *USE or greater are specified as
USER(*RQD). This means jobs submitted using the job description must run
using the submitters profile.
Job descriptions that specify a user have public authority *EXCLUDE.
Authorization to use these job descriptions is controlled. This prevents
unauthorized users from submitting jobs that run using another profiles
authority.
|
|
To find out what job descriptions are on the system, type:
To check the User parameter of a job description, use the Display Job
Description (DSPJOBD) command. To check the authority to a job description,
use the DSPOBJAUT command.
DSPOBJD OBJ(*ALL/*ALL) OBJTYPE(*JOBD) ASPDEV(*ALLAVL) OUTPUT(*PRINT)
Note: At security level 40 or 50, a user submitting a job using a job description
that specifies a user profile name must have *USE authority to both the
job description and the user profile. At all security levels, an attempt to
submit or schedule a job without *USE authority to the user specified in
the job description causes an AF entry with violation type J in the audit
journal.
Users are not allowed to sign on by pressing the Enter key on the Sign On
display. Make sure no workstation entries in subsystem descriptions specify a
job description that has a user profile name specified for the USER parameter.
Default sign-on is prevented at security level 40 or 50, even if a subsystem
description allows it. At all security levels, an AF entry with violation type S is
written to the audit journal if default sign-on is attempted and a subsystem
description is defined to allow it.
The library list in application programs is controlled to prevent a library that
contains a similar program from being added before the production libraries.
The topic Library Lists on page 193 discusses methods for controlling the
library list.
Programs that adopt authority are used only when required and are carefully
controlled. See the topic Analyzing Programs That Adopt Authority on
page 279 for an explanation of how to evaluate the use of the program adopt
function.
Application program interfaces (APIs) are secured.
Good object security techniques are used to avoid performance problems.
Unauthorized Access
Security-related events are logged to the security auditing journal (QAUDJRN)
when the auditing function is active. To audit authority failures, use the
following system values and settings:
QAUDCTL must be set to *AUDLVL
QAUDLVL must include the values of *PGMFAIL and *AUTFAIL.
The best method to detect unauthorized attempts to access information is to
review entries in the audit journal on a regular basis.
251
The QMAXSIGN system value limits the number of consecutive incorrect access
attempts to five or less. The QMAXSGNACN system value is set at 2 or 3.
The QSYSMSG message queue is created and monitored.
The audit journal is audited for repeated attempts by a user. (Authorization
failures cause AF type entries in the audit journal.)
Programs fail that attempt to access objects using interfaces that are not
supported. (QSECURITY system value is set to 40 or 50.)
User ID and password are required to sign on. Security levels 40 and 50 enforce
this. At level 20 or 30, you must ensure that no subsystem descriptions have a
workstation entry which uses a job description that has a user profile name.
Unauthorized Programs
The QALWOBJRST system value is set to *NONE to prevent anyone from
restoring security-sensitive programs to the system.
The Check Object Integrity (CHKOBJITG) command is run periodically to
detect unauthorized changes to program objects. This command is described in
Checking for Objects That Have Been Altered on page 280.
Communications
Telephone communications is protected by call-back procedures.
Encryption is used on sensitive data.
Remote sign-on is controlled. The QRMTSIGN system value is set to
*FRCSIGNON or a pass-through validation program is used.
Access to data from other systems, including personal computers, is controlled
using the JOBACN, PCSACC, and DDMACC network attributes. The JOBACN
network attribute should be *FILE.
Using the Security Audit Journal

The security audit journal is the primary source of auditing information on the
system. A security auditor inside or outside your organization can use the auditing
function provided by the system to gather information about security-related
events that occur on the system.
You can define auditing on your system at three different levels:
v System-wide auditing that occurs for all users.
v Auditing that occurs for specific objects.
v Auditing that occurs for specific users.
You use system values, user profile parameters, and object parameters to define
auditing. Planning Security Auditing on page 253 describes how to do this.
When a security-related event that may be audited occurs, the system checks
whether you have selected that event for audit. If you have, the system writes a
journal entry in the current receiver for the security auditing journal (QAUDJRN in
library QSYS).
When you want to analyze the audit information you have collected in the
QAUDJRN journal, you can use the Display Journal (DSPJRN) command. With this
command, information from the QAUDJRN journal can be written to a database
file. An application program or a query tool can be used to analyze the data.
252
The security auditing function is optional. You must take specific steps to set up
security auditing.
The following sections describe how to plan, set up, and manage security auditing,
what information is recorded, and how to view that information. Appendix F
shows record layouts for the audit journal entries. Appendix E describes what
operations are audited for each type of object.
Planning Security Auditing

To plan the use of security auditing on your system:
v Determine which security-relevant events you want to record for all system
users. The auditing of security-relevant events is called action auditing.
v Check whether you need additional auditing for specific users.
v Decide whether you want to audit the use of specific objects on the system.
v Determine whether object auditing should be used for all users or specific users.
Planning the Auditing of Actions

The QAUDCTL (audit control) system value, the QAUDLVL (audit level) system
value, and the AUDLVL (action auditing) parameter in user profiles work together
to control action auditing:
v The QAUDLVL system value specifies which actions are audited for all users of
the system
v The AUDLVL parameter in the user profile determines which actions are audited
for a specific user. The values for the AUDLVL parameter apply in addition to the
values for the QAUDLVL system value.
v The QAUDCTL system value starts and stops action auditing.
Which events you choose to log depends on both your security objectives and your
potential exposures. Table 116 on page 254 describes the possible audit level values
and how you might use them. It shows whether they are available as a system
value, a user profile parameter, or both.
Table 117 on page 255 provides more information about the journal entries that are
written for the action auditing values specified on the QAUDLVL system value
and in the user profile. It shows:
v The type of entry written to the QAUDJRN journal.
v The model database outfile that can be used to define the record when you
create an output file with the DSPJRN command. Complete layouts for the
model database outfiles are found in Appendix F.
v The detailed entry type. Some journal entry types are used to log more than one
type of event. The detailed entry type field in the journal entry identifies the
type of event.
v The ID of the message that can be used to define the entry-specific information
in the journal entry.
253
Table 116. Action Auditing Values
Possible Value
Available on
QAUDLVL System
Value
Available on
CHGUSRAUD
Command
*NONE
Yes
Yes
*AUTFAIL
Yes
No
*CMD
No
Yes
*CREATE
Yes
Yes
*DELETE
Yes
Yes
*JOBDTA
Yes
Yes
*OBJMGT
Yes
Yes
*OPTICAL
Yes
Yes
*NETCMN
Yes
No
254
Description
If the QAUDLVL system value is *NONE, no
actions are logged on a system-wide basis.
Actions are logged for individual users based on
the AUDLVL value in their user profiles.
If the AUDLVL value in a user profile is *NONE,
no additional action auditing is done for this
user. Any actions specified for the QAUDLVL
system value are logged for this user.
Authorization failures: Unsuccessful attempts to
sign on the system and to access objects are
logged. *AUTFAIL can be used regularly to
monitor users trying to perform unauthorized
functions on the system. *AUTFAIL can also be
used to assist with migration to a higher security
level and to test resource security for a new
application.
Commands: The system logs command strings
run by a user. If a command is run from a CL
program that is created with LOG(*NO) and
ALWRTVSRC(*NO), only the command name
and library name are logged. *CMD may be used
to record the actions of a particular user, such as
the security officer.
Creating objects: The system writes a journal
entry when a new or replacement object is
created. *CREATE may be used to monitor when
programs are created or recompiled.
Deleting objects: The system writes a journal
entry when an object is deleted.
Job tasks: Actions that affect a job are logged,
such as starting or stopping the job, holding,
releasing, canceling, or changing it. *JOBDTA
may be used to monitor who is running batch
jobs.
Object management tasks: Moving an object to
a different library or renaming it is logged.
*OBJMGT may be used to detect copying
confidential information by moving the object to
a different library.
Optical functions: All optical functions are
audited, including functions related to optical
files, optical directories, optical volumes, and
optical cartridges. *OPTICAL may be used to
detect attempts to create or delete an optical
directory.
Network Communications Auditing: The
violations detected by the APPN Filter support
are logged to the security auditing journal when
the Directory search filter and the End point
filter are audited.
Table 116. Action Auditing Values (continued)
Possible Value
Available on
QAUDLVL System
Value
Available on
CHGUSRAUD
Command
*PGMADP
Yes
Yes
*PGMFAIL
Yes
No
*PRTDTA
Yes
No
*SAVRST
Yes
Yes
*SECURITY
Yes
Yes
*SERVICE
Yes
Yes
*SPLFDTA
Yes
Yes
*SYSMGT
Yes
Yes
Description
Adopting authority: The system writes a journal
entry when adopted authority is used to gain
access to an object. *PGMADP may be used to
test where and how a new application uses
adopted authority.
Program failures: The system writes a journal
entry when a program causes an integrity error.
*PGMFAIL may be used to assist with migration
to a higher security level or to test a new
application.
Printing functions: Printing a spooled file,
printing directly from a program, or sending a
spooled file to a remote printer is logged.
*PRTDTA may be used to detect printing
confidential information.
Restore operations: *SAVRST may be used to
detect attempts to restore unauthorized objects.
Security tasks: Security-relevant events, such as
changing a user profile or system value, are
logged. *SECURITY may be used to keep a
record of all security activity.
Service tasks: The use of service tools, such as
DMPOBJ (Dump Object) and STRCPYSCN (Start
Copy Screen), is logged. *SERVICE may be used
to detect attempts to circumvent security by
using service tools.
Operations on spooled files: Actions performed
on spooled files are logged, including creating,
copying, and sending. *SPLFDTA may be used to
detect attempts to print or send confidential
data.
System management tasks: The system writes a
journal entry for system management activities,
such as changing a reply list or the power on/off
schedule. *SYSMGT may be used to detect
attempts to use system management functions to
circumvent security controls.
| Table 117. Security Auditing Journal Entries

| Action or
Journal
| Object Auditing Entry
| Value
Type
| Action Auditing:
| *AUTFAIL 1
AF
|
|
|
|
|
|
|
|
|
Model Database
Outfile
QASYAFJE/J4/J5
Detailed Entry
A
F
G
J
Description
Attempt made to access an object or
perform an operation to which the
user was not authorized.
ICAPI authorization error
ICAPI authentication error
Attempt made to submit or schedule
a job under a job description which
has a user profile specified. The
submitter did not have *USE
255
| Table 117. Security Auditing Journal Entries (continued)

| Action or
Journal
| Value
Type
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Model Database
Outfile
Detailed Entry
N
P
S
T
U
V
W
X
Y
Z
AU
QASYAUJ5
CV
DI
QASYCVJ4/J5
QASYDIJ4/J5
GR
KF
IP
PW
QASYGRJ4/J5
QASYKFJ4/J5
QASYIPJE/J4/J5
QASYPWJE/J4/J5
E
E
AF
PW
R
F
P
F
A
D
E
*CMD
VO
QASYVOJ4/J5
P
U
X
Y
Z
U
VC
QASYVCJE/J4/J5
VN
QASYVNJE/J4/J5
VP
QASYVPJE/J4/J5
CD
QASYCDJE/J4/J5
C
L
O
256
Description
Profile token not a regenerable profile
token
Attempt made to use a profile handle
that is not valid on the QWTSETP
API.
Attempt made to sign on without
entering a user ID or a password.
Not authorized to TCP/IP port
A user permission request was not
valid.
Profile token not valid for generating
new profile token
Profile token not valid for swap
Operation violation
Not authorized to the current JUID
field during a clear JUID operation
Not authorized to the current JUID
field during a set JUID operation
Enterprise Identity Mapping (EIM)
configuration change
Connection ended abnormally
Authority failures
Password failures
Connection rejected
Function registration operations.
An incorrect password was entered.
Authority failure for an IPC request.
APPC bind failure.
An incorrect DST user name was
entered.
An incorrect DST password was
entered.
An incorrect password was entered.
User name not valid
Service tools user is disabled
Service tools user not valid
Service tools password not valid
Unsuccessful verify of a validation
list entry.
A connection was rejected because of
incorrect password.
A network logon was rejected
because of expired account, incorrect
hours, incorrect user id, or incorrect
password.
An incorrect network password was
used.
A command was run.
An S/36E control language statement
was run.
An S/36E operator control command
was run.

| Action or
Journal
| Value
Type
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Model Database
Outfile
Detailed Entry
P
S
U
*CREATE
*DELETE
*JOBDTA
CO
QASYCOJE/J4/J5
DI
DO
QASYDIJ4/J5
QASYDOJE/J4/J5
DI
JS
QASYDIJ4/J5
QASYJSJE/J4/J5
N
R
CO
A
C
D
P
R
DO
A
B
C
E
H
I
M
N
P
Q
R
S
T
*NETCMN
SG
QASYSGJE/J4/J5
VC
QASYVCJE/J4/J5
VN
QASYVNJE/J4/J5
VS
QASYVSJE/J4/J5
CU
QASYCUJE/J4/J5
U
A
P
S
E
F
O
S
E
M
R
CV
QASYCVJ4/J5
IR
QASYIRJ4/J5
C
E
L
N
Description
An S/36E procedure was run.
Command run after command
substitution took place.
An S/36E utility control statement
was run.
Creation of a new object, except
creation of objects in QTEMP library.
Replacement of existing object.
Object create
Object deleted
Pending delete committed
Pending create rolled back
Delete pending
Pending delete rolled back
Object delete
The ENDJOBABN command was
used.
A job was submitted.
A job was changed.
A job was ended.
A job was held.
A job was disconnected.
Modify profile or group profile.
The ENDJOB command was used.
A program start request was attached
to a prestart job.
Query attributes changed.
A held job was released.
A job was started.
Modify profile or group profile using
a profile token.
CHGUSRTRC command.
Asynchronous AS/400 signal process.
Asynchronous Private Address Space
Environment (PASE) signal processed.
A connection was started.
A connection was ended.
Logoff requested.
Logon requested.
A server session was started.
A server session was ended.
Creation of an object by the cluster
control operation.
Creation of an object by the Cluster
Resource Group (*GRP) management
operation.
Connection established.
Connection ended normally.
IP rules have been loaded from from
a file.
IP rule have been unloaded for an IP
Security connection.
257

| Action or
Journal
| Value
Type
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| *OBJMGT 3
|
|
|
| *OFCSRV
|
|
| *OPTICAL
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| *PGMADP
|
|
|
|
|
258
Model Database
Outfile
Detailed Entry
P
R
U
IS
QASYISJ4/J5
ND
QASYNDJE/J4/J5
1
2
A
NE
QASYNEJE/J4/J5
SK
QASYSKJ4/J5
DI
OM
QASYDIJ4/J5
QASYOMJE/J4/J5
A
C
F
R
OM
M
ML
SD
QASYMLJE/J4/J5
QASYSDJE/J4/J5
R
O
S
O1
QASY01JE/J4/J5
O2
QASY02JE/J4/J5
O3
QASY03JE/J4/J5
AP
QASYAPJE/J4/J5
R
U
D
C
X
C
R
B
S
M
I
B
N
C
M
E
L
A
R
S
Description
IP rules have been loaded for and IP
Security connection.
IP rules have been read and copied to
a file.
IP rules have been unloaded
(removed).
Phase 1 negotiation.
Phase 2 negotiation.
A violation was detected by the
APPN Filter support when the
Directory search filter was audited.
A violation is detected by the APPN
Filter support when the End point
filter is audited.
Accept
Connect
Filtered mail
Reject mail
Object rename
An object was moved to a different
library.
An object was renamed.
A mail log was opened.
A change was made to the system
distribution directory.
Open file or directory
Change or retrieve attributes
Delete file directory
Create directory
Release held optical file
Copy file or directory
Rename file
Backup file or directory
Save held optical file
Move file
Initialize volume
Backup volume.
Rename volume
Convert backup volume to primary
Import
Export
Change authorization list
Change volume attributes
Absolute read
A program started that adopts owner
authority. The start entry is written
the first time adopted authority is
used to gain access to an object, not
when the program enters the
program stack.

| Action or
Journal
| Value
Type
|
|
|
|
|
|
|
|
|
|
|
| *PGMFAIL 1
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| *PRTDTA 1
|
|
|
|
|
| *SAVRST 3
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Model Database
Outfile
Detailed Entry
E
A
AF
QASYAFJE/J4/J5
B
C
E
R
PO
QASYPOJE/J4/J5
D
R
S
OR
QASYORJE/J4/J5
N
E
RA
QASYRAJE/J4/J5
RJ
QASYRJJE/J4/J5
RO
QASYROJE/J4/J5
RP
QASYRPJE/J4/J5
RQ
QASYRQJE/J4/J5
RU
QASYRUJE/J4/J5
Description
A program ended that adopts owner
authority. The end entry is written
when the program leaves the
program stack. If the same program
occurs more than once in the
program stack, the end entry is
written when the highest (last)
occurrence of the program leaves the
stack.
Adopted authority was used during
program activation.
A program ran a restricted machine
interface instruction.
A program which failed the
restore-time program validation
checks was restored. Information
about the failure is in the Validation
Value Violation Type field of the
record.
A program accessed an object
through an unsupported interface or
callable program not listed as a
callable API.
Hardware storage protection
violation.
Attempt made to update an object
that is defined as read-only.
(Enhanced hardware storage
protection is logged only at security
level 40 and higher)
Printer output was printed directly to
a printer.
Output sent to remote system to
print.
Printer output was spooled and
printed.
A new object was restored to the
system.
An object was restored that replaces
an existing object.
The system changed the authority to
an object being restored. 4
A job description that contains a user
profile name was restored.
The object owner was changed to
QDFTOWN during restore
operation.4
A program that adopts owner
authority was restored.
A *CRQD object with
PROFILE(*OWNER) was restored.
Authority was restored for a user
profile using the RSTAUT command.
259

| Action or
Journal
| Value
Type
|
|
| *SECURITY
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
260
Model Database
Outfile
Detailed Entry
RZ
QASYRZJE/J4/J5
AD
QASYADJE/J4/J5
D
O
U
CA
QASYCAJE/J4/J5
CP
QASYCPJE/J4/J5
CQ
CV
QASYCQJE/J4/J5
QASYCVJ4/J5
CY
QASYCYJ4/J5
DI
QASYDIJ4/J5
DS
QASYDSJE/J4/J5
A
C
E
R
A
F
M
AD
BN
CA
CP
OW
UB
A
EV
QASYEVJ4/J5
GR
QASYGRJ4/J5
GS
QASYGSJE/J4/J5
C
A
C
D
A
D
F
R
G
QASYIPJE/J4/J5
R
U
A
JD
QASYJDJE/J4/J5
C
D
G
A
KF
QASYKFJ4/J5
NA
QASYNAJE/J4/J5
IP
C
K
T
A
Description
The primary group for an object was
changed during a restore operation.
Auditing of a DLO was changed with
CHGDLOAUD command.
Auditing of an object was changed
with CHGOBJAUD command.
Auditing for a user was changed
with CHGUSRAUD command.
Changes to authorization list or object
authority.
Create, change, or restore operation
of user profile.
A *CRQD object was changed.
Connection established.
Connection ended normally.
Connection rejected.
Access Control function
Facility Control function
Master Key function
Audit change
Successful bind
Authority change
Password change
Ownership change
Successful unbind
Request to reset DST QSECOFR
password to system-supplied default.
DST profile changed.
Add.
Change.
Delete.
Exit program added
Edit program removed
Function registration operation
Exit program replaced
A socket descriptor was given to
another job. (The GS audit record is
created if it is not created for the
current job.)
Receive descriptor.
Unable to use descriptor.
The ownership or authority of an IPC
object was changed.
Create an IPC object.
Delete an IPC object.
Get an IPC object.
The USER parameter of a job
description was changed.
Certificate operation.
Key ring file operation.
Trusted root operation.
A network attribute was changed.

| Action or
Journal
| Value
Type
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Model Database
Outfile
Detailed Entry
OW
PA
QASYOWJE/J4/J5
QASYPAJE/J4/J5
A
A
PG
QASYPGJE/J4/J5
PS
QASYPSJE/J4/J5
A
E
H
I
M
P
R
S
SE
QASYSEJE/J4/J5
SO
QASYSOJ4/J5
SV
QASYSVJE/J4/J5
VA
QASYVAJE/J4/J5
V
A
A
C
R
A
B
C
S
F
V
VU
QASYVUJE/J4/J5
X0
QASYX0J4/J5
G
M
U
1
2
3
4
5
6
7
8
9
A
B
C
Description
object ownership was changed.
A program was changed to adopt
owner authority.
The primary group for an object was
changed.
A target user profile was changed
during a pass-through session.
An office user ended work on behalf
of another user.
A profile handle was generated
through the QSYGETPH API.
All profile tokens were invalidated.
Maximum number of profile tokens
have been generated.
Profile token generated for user.
All profile tokens for a user have
been removed.
An office user started work on behalf
of another user.
User profile authenticated.
A subsystem routing entry was
changed.
Add entry.
Change entry.
Remove entry.
A system value was changed.
Service attributes were changed.
Change to system clock.
The access control list was changed
successfully.
The change of the access control list
failed.
Successful verify of a validation list
entry.
A group record was changed.
User profile global information
changed.
A user record was changed.
Service ticket valid.
Service principals do not match
Client principals do not match
Ticket IP address mismatch
Decryption of the ticket failed
Decryption of the authenticator failed
Realm is not within client and local
realms
Ticket is a replay attempt
Ticket not yet valid
Deecrypt of KRB_AP_PRIV or
KRB_AP_SAFE checksum error
Remote IP address mismatch
Local IP address mismatch
261

| Action or
Journal
| Value
Type
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| *SERVICE
|
|
|
|
|
| *SPLFDTA
|
|
|
|
|
|
|
| *SYSMGT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
262
Model Database
Outfile
Detailed Entry
D
E
F
K
L
M
N
O
P
Q
ST
VV
QASYSTJE/J4/J5
QASYVVJE/J4/J5
SF
QASYSFJE/J4/J5
A
C
E
P
R
S
A
QASYDIJ4/J5
QASYSMJE/J4/J5
C
D
H
I
R
U
CF
B
DI
SM
C
D
F
N
O
P
S
T
VL
QASYVLJE/J4/J5
A
D
L
U
W
Description
KRB_AP_PRIV or KRB_AP_SAFE
timestamp error
replay error
KRB_AP_PRIV KRB_AP_SAFE
sequence order error
GSS accept - expired credential
GSS accept - checksum error
GSS accept - channel bindings
GSS unwrap or GSS verify expired
context
GSS unwrap or GSS verify
decrypt/decode
GSS unwrap or GSS verify checksum
error
GSS unwrap or GSS verify sequence
error
A service tool was used.
The service status was changed.
The server was stopped.
The server paused.
The server was restarted.
The server was started.
A spooled file was read by someone
other than the owner.
A spooled file was created.
A spooled file was deleted.
A spooled file was held.
An inline file was created.
A spooled file was released.
A spooled file was changed.
Configuration changes
Backup options were changed using
xxxxxxxxxx.
Automatic cleanup options were
changed using xxxxxxxxxx.
A DRDA* change was made.
An HFS file system was changed.
A network file operation was
performed.
A backup list was changed using
xxxxxxxxxx.
The power on/off schedule was
changed using xxxxxxxxxx.
The system reply list was changed.
The access path recovery times were
changed.
The account is expired.
The account is disabled.
Logon hours were exceeded.
Unknown or unavailable.
Workstation not valid.

| Action or
Journal
| Value
Type
| Object Auditing:
| *CHANGE
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| *ALL 5
|
|
|
|
Model Database
Outfile
DI
QASYDIJ4/J5
GR
LD
QASYGRJ4/J5
QASYLDJE/J4/J5
VF
QASYVFJE/J4/J5
Detailed Entry
IM
ZC
F
L
U
K
A
N
S
VO
QASYVOJ4/J5
VR
QASYVRJE/J4/J5
YC
QASYYCJE/J4/J5
ZC
DI
QASYZCJE/J4/J5
QASYDIJ4/J5
GR
YR
ZR
QASYGRJ4/J5
QASYYRJE/J4/J5
QASYZRJE/J4/J5
A
C
F
R
F
S
C
C
EX
ZR
F
R
R
Description
LDAP directory import
Object changes
Function registration operations6
Link a directory.
Unlink a directory.
Search a directory.
The file was closed because of
administrative disconnection.
The file was closed because of normal
client disconnection.
The file was closed because of session
disconnection.
Add validation list entry.
Change validation list entry.
Find validation list entry.
Remove validation list entry.
Resource access failed.
Resource access was successful.
A document library object was
changed.
An object was changed.
LDAP directory export
Object read
Function registration operations6
A document library object was read.
An object was read.
|
|
This value can only be specified for the QAUDLVL system value. It is not a value for the AUDLVL
parameter of a user profile.
|
|
This value can only be specified for the AUDLVL parameter of a user profile. It is not a value for the
QAUDLVL system value.
|
|
If object auditing is active for an object, an audit record is written for a create, delete, object management, or
restore operation even if these actions are not included in the audit level.
|
|
See the topic Restoring Objects on page 238 for information about authority changes which may occur
when an object is restored.
When *ALL is specified, the entries for both *CHANGE and *ALL (DI, YC, YR, ZC, ZR) are written.
|
|
When the QUSRSYS/QUSEXRGOBJ *EXITRG object is being audited.
Planning the Auditing of Object Access

The system provides the ability to log accesses to an object in the security audit
journal. This is called object auditing. The QAUDCTL system value, the OBJAUD
value for an object, and the OBJAUD value for a user profile work together to
control object auditing. The OBJAUD value for the object and the OBJAUD value
for the user who is using the object determine whether a specific access should be
logged. The QAUDCTL system value starts and stops the object auditing function.
Table 118 on page 264 shows how the OBJAUD values for the object and the user
profile work together.
263
Table 118. How Object and User Auditing Work Together

OBJAUD Value for User
OBJAUD Value for
Object
*NONE
*CHANGE
*ALL
*NONE
*USRPRF
*CHANGE
*ALL
None
None
Change
Change and Use
None
Change
Change
Change and Use
None
Change and Use
Change
Change and Use
You can use object auditing to keep track of all users accessing a critical object on
the system. You can also use object auditing to keep track of all the object accesses
by a particular user. Object auditing is a flexible tool that allows you to monitor
those object accesses that are important to your organization.
Taking advantage of the capabilities of object auditing requires careful planning.
Poorly designed auditing may generate many more audit records than you can
analyze, and can have a severe impact on system performance. For example,
setting the OBJAUD value to *ALL for a library results in an audit entry being
written every time the system searches for an object in that library. For a heavily
used library on a busy system, this would generate a very large number of audit
journal entries.
The following are some examples of how to use object auditing.
v If certain critical files are used throughout your organization, you may
periodically review who is accessing them using a sampling technique:
1. Set the OBJAUD value for each critical file to *USRPRF using the Change
Object Auditing command:
Change Object Auditing (CHGOBJAUD)

Object . . . . . . . .
Library . . . . . .
Object type . . . . .
ASP device . . . . . .
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
file-name
library-name
*FILE
*
*USRPRF
2. Set the OBJAUD value for each user in your sample to *CHANGE or *ALL
using the CHGUSRAUD command.
3. Make sure the QAUDCTL system value includes *OBJAUD.
4. When sufficient time has elapsed to collect a representative sample, set the
OBJAUD value in the user profiles to *NONE or remove *OBJAUD from the
QAUDCTL system value.
5. Analyze the audit journal entries using the techniques described in
Analyzing Audit Journal Entries with Query or a Program on page 274.
v If you are concerned about who is using a particular file, you can collect
information about all accesses of that file for a period of time:
1. Set object auditing for the file independent of user profile values:
CHGOBJAUD OBJECT(library-name/file-name)
OBJTYPE(*FILE) OBJAUD(*CHANGE or *ALL)
264

3. When sufficient time has elapsed to collect a representative sample, set the
OBJAUD value in the object to *NONE.
4. Analyze the audit journal entries using the techniques described in
Analyzing Audit Journal Entries with Query or a Program on page 274.
v To audit all object accesses for a specific user, do the following:
1. Set the OBJAUD value for all objects to *USRPRF using the CHGOBJAUD
command:
|
|
|
|
|
|
|
|
|
|
||

Object . . . . . . . . . . . . .
Library . . . . . . . . . . . .
Object type . . . . . . . . . .
ASP device . . . . . . . . . . .
Object auditing value . . . . .
*ALL
*ALLAVL
*ALL
*
*USRPRF
Attention: Depending on how many objects are on your system, this

command may take many hours to run. Setting up object auditing for all
objects on the system is usually not necessary and will severely degrade
performance. Selecting a subset of object types and libraries for auditing is
recommended.
2. Set the OBJAUD value for the specific user profile to *CHANGE or *ALL
using the CHGUSRAUD command.
4. When you have collected a specific sample, set the OBJAUD value for the
user profile to *NONE.
Displaying Object Auditing: Use the DSPOBJD command to display the current
object auditing level for an object. Use the DSPDLOAUD command to display the
current object auditing level for a document library object.
Setting Default Auditing for Objects: You can use the QCRTOBJAUD system
value and the CRTOBJAUD value for libraries and directories to set object auditing
for new objects that are created. For example, if you want all new objects in the
INVLIB library to have an audit value of *USRPRF, use the following command:
CHGLIB LIB(INVLIB) CRTOBJAUD(*USRPRF)
This command affects the auditing value of new objects only. It does not change
the auditing value of objects that already exist in the library.
Use the default auditing values carefully. Improper use could result in many
unwanted entries in the security audit journal. Effective use of the object auditing
capabilities of the system requires careful planning.
Preventing Loss of Auditing Information

Two system values control what the system does when error conditions may cause
the loss of audit journal entries.
Audit Force Level: The QAUDFRCLVL system value determines how often the
system writes audit journal entries from memory to auxiliary storage. The
265
QAUDFRCLVL system value works like the force level for database files. You
should follow similar guidelines in determining the correct force level for your
installation.
If you allow the system to determine when to write entries to auxiliary storage, it
balances the performance impact against the potential loss of information in a
power outage. *SYS is the default and the recommended choice.
If you set the force level to a low number, you minimize the possibility of losing
audit records, but you may notice a negative performance impact. If your
installation requires that no audit records be lost in a power failure, you must set
the QAUDFRCLVL to 1.
Audit End Action: The QAUDENDACN system value determines what the
system does if it is unable to write an entry to the audit journal. The default value
is *NOTIFY. The system does the following if it is unable to write audit journal
entries and QAUDENDACN is *NOTIFY:
1. The QAUDCTL system value is set to *NONE to prevent additional attempts to
write entries.
2. Message CPI2283 is sent to the QSYSOPR message queue and the QSYSMSG
message queue (if it exists) every hour until auditing is successfully restarted.
3. Normal processing continues.
4. If an IPL is performed on the system, message CPI2284 is sent to the QSYSOPR
and QSYSMSG message queues during the IPL.
Note: In most cases, performing an IPL resolves the problem that caused
auditing to fail. After you have restarted your system, set the QAUDCTL
system value to the correct value. The system attempts to write an audit
journal record whenever this system value is changed.
You can set the QAUDENDACN to power down your system if auditing fails
(*PWRDWNSYS). Use this value only if your installation requires that auditing be
active for the system to run. If the system is unable to write an audit journal entry
and the QAUDENDACN system value is *PWRDWNSYS, the following happens:
1. The system powers down immediately (the equivalent of issuing the
PWRDWNSYS *IMMED command).
2. SRC code B900 3D10 is displayed.
Next, you must do the following:
1. Start an IPL from the system unit. Make sure that the device specified in the
system console (QCONSOLE) system value is powered on.
2. To complete the IPL, a user with *ALLOBJ and *AUDIT special authority must
sign on at the console.
3. The system starts in a restricted state with a message indicating that an
auditing error caused the system to stop.
4. The QAUDCTL system value is set to *NONE.
5. To restore the system to normal, set the QAUDCTL system value to a value
other than none. When you change the QAUDCTL system value, the system
attempts to write an audit journal entry. If it is successful, the system returns to
a normal state.
If the system does not successfully return to a normal state, use the job log to
determine why auditing has failed. Correct the problem and attempt to reset
the QAUDCTL value again.
266
Choosing to not audit QTEMP objects

The value, *NOQTEMP, can be specified as a value for system value QAUDCTL. If
specified, you must also specify either *OBJAUD or *AUDLVL. When auditing is
active and *NOQTEMP is specified the following actions on objects in the QTEMP
library will NOT be audited.
Changing or reading objects in QTEMP (journal entry types ZC, ZR).
Changing the authority, owner, or primary group of objects in QTEMP (journal
entry types CA, OW, PG).
Using CHGSECAUD to Set up Security Auditing

Overview:
Purpose:
Set up the system to collect security events in the QAUDJRN
journal.
How To:
CHGSECAUD
DSPSECAUD
Authority:
The user must have *ALLOBJ and *AUDIT special authority.
Journal Entry:
CO (create object)
SV (system value change)
AD (object and user audit changes)
Notes: The CHGSECAUD command creates the journal and journal
receiver if it does not exist. The CHGSECAUD then sets the
QAUDCTL and QAUDLVL system values.
Setting up Security Auditing

Overview:
Purpose:
Set up the system to collect security events in the QAUDJRN
journal.
How To:
CRTJRNRCV
CRTJRN QSYS/QAUDJRN
WRKSYSVAL *SEC
CHGOBJAUD
CHGDLOAUD
CHGUSRAUD
Authority:
*ADD authority to QSYS and to journal
receiver library
*AUDIT special authority
267
Journal Entry:
CO (create object)
SV (system value change)
AD (object and user audit changes)
Notes: QSYS/QAUDJRN must exist before QAUDCTL can be
changed.
To set up security auditing, do the following steps. Setting up auditing requires
*AUDIT special authority.
1. Create a journal receiver in a library of your choice by using the Create Journal
Receiver (CRTJRNRCV) command. This example uses a library called JRNLIB
for journal receivers.
CRTJRNRCV
JRNRCV(JRNLIB/AUDRCV0001) +
THRESHOLD(100000) AUT(*EXCLUDE)
+
TEXT(Auditing Journal Receiver)
v Place the journal receiver in a library that is saved regularly. Do not place the
journal receiver in library QSYS, even though that is where the journal will
be.
v Choose a journal receiver name that can be used to create a naming
convention for future journal receivers, such as AUDRCV0001. You can use
the *GEN option when you change journal receivers to continue the naming
convention. Using this type of naming convention is also useful if you
choose to have the system manage changing your journal receivers.
v Specify a receiver threshold appropriate to your system size and activity. The
size you choose should be based on the number of transactions on your
system and the number of actions you choose to audit. If you use system
change-journal management support, the journal receiver threshold must be
at least 5,000KB. For more information on journal receiver threshold refer to
the Backup and Recovery book.
v Specify *EXCLUDE on the AUT parameter to limit access to the information
stored in the journal.
2. Create the QSYS/QAUDJRN journal by using the Create Journal (CRTJRN)
command:
CRTJRN
JRN(QSYS/QAUDJRN) +
JRNRCV(JRNLIB/AUDRCV0001) +
MNGRCV(*SYSTEM) DLTRCV(*NO) +
AUT(*EXCLUDE) TEXT(Auditing Journal)
v The name QSYS/QAUDJRN must be used.

v Specify the name of the journal receiver you created in the previous step.
v Specify *EXCLUDE on the AUT parameter to limit access to the information
stored in the journal. You must have authority to add objects to QSYS to
create the journal.
v Use the Manage receiver (MNGRCV) parameter to have the system change the
journal receiver and attach a new one when the attached receiver exceeds the
threshold specified when the journal receiver was created. If you choose this
option, you do not have to use the CHGJRN command to detach receivers
and create and attach new receivers manually.
v Do not have the system delete detached receivers. Specify DLTRCV(*NO),
which is the default. The QAUDJRN receivers are your security audit trail.
Ensure that they are adequately saved before deleting them from the system.
The Backup and Recovery book provides more information about working with
journals and journal receivers.
268
3. Set the audit level (QAUDLVL) system value using the WRKSYSVAL
command. The QAUDLVL system value determines which actions are logged
to the audit journal for all users on the system. See Planning the Auditing of
Actions on page 253.
4. Set action auditing for individual users if necessary using the CHGUSRAUD
command. See Planning the Auditing of Actions on page 253.
5. Set object auditing for specific objects if necessary using the CHGOBJAUD and
CHGDLOAUD commands. See Planning the Auditing of Object Access on
page 263.
6. Set object auditing for specific users if necessary using the CHGUSRAUD
command.
7. Set the QAUDENDACN system value to control what happens if the system
cannot access the audit journal. See Audit End Action on page 266.
8. Set the QAUDFRCLVL system value to control how often audit records are
written to auxiliary storage. See Preventing Loss of Auditing Information on
page 265.
9. Start auditing by setting the QAUDCTL system value to a value other than
*NONE.
The QSYS/QAUDJRN journal must exist before you can change the QAUDCTL
system value to a value other than *NONE. When you start auditing, the system
attempts to write a record to the audit journal. If the attempt is not successful, you
receive a message and auditing does not start.
Managing the Audit Journal and Journal Receivers

The auditing journal, QSYS/QAUDJRN, is intended solely for security auditing.
Objects should not be journaled to the audit journal. Commitment control should
not use the audit journal. User entries should not be sent to this journal using the
Send Journal Entry (SNDJRNE) command or the Send Journal Entry (QJOSJRNE)
API.
Special locking protection is used to ensure that the system can write audit entries
to the audit journal. When auditing is active (the QAUDCTL system value is not
*NONE), the system arbitrator job (QSYSARB) holds a lock on the
QSYS/QAUDJRN journal. You cannot perform certain operations on the audit
journal when auditing is active, such as:
v DLTJRN command
v
v
v
v
v
v
v
v
ENDJRNxxx (End Journaling) commands

APYJRNCHG command
RMVJRNCHG command
DMPOBJ or DMPSYSOBJ command
Moving the journal
Restoring the journal
Operations that work with authority, such as the GRTOBJAUT command
WRKJRN command
The information recorded in the security journal entries is described in Appendix F.

All security entries in the audit journal have a journal code of T. In addition to
security entries, system entries also appear in the journal QAUDJRN. These are
entries with a journal code of J, which relate to initial program load (IPL) and
general operations performed on journal receivers (for example, saving the
receiver).
269
If damage occurs to the journal or to its current receiver so that the auditing
entries cannot be journaled, the QAUDENDACN system value determines what
action the system takes. Recovery from a damaged journal or journal receiver is the
same as for other journals.
You may want to have the system manage the changing of journal receivers.
Specify MNGRCV(*SYSTEM) when you create the QAUDJRN journal, or change
the journal to that value. If you specify MNGRCV(*SYSTEM), the system
automatically detaches the receiver when it reaches its threshold size and creates
and attaches a new journal receiver. This is called system change-journal
management.
If you specify MNGRCV(*USER) for the QAUDJRN, a message is sent to the
threshold message queue specified for the journal when the journal receiver
reaches a storage threshold. The message indicates that the receiver has reached its
threshold. Use the CHGJRN command to detach the receiver and attach a new
journal receiver. This prevents Entry not journaled error conditions. If you do
receive a message, you must use the CHGJRN command for security auditing to
continue.
The default message queue for a journal is QSYSOPR. If your installation has a
large volume of messages in the QSYSOPR message queue, you may want to
associate a different message queue, such as AUDMSG, with the QAUDJRN
journal. You can use a message handling program to monitor the AUDMSG
message queue. When a journal threshold warning is received (CPF7099), you can
automatically attach a new receiver. If you use system change-journal management,
then message CPF7020 is sent to the journal message queue when a system change
journal is completed. You can monitor for this message to know when to do a save
of the detached journal receivers.
Attention: The automatic cleanup function provided using Operational Assistant
menus does not clean up the QAUDJRN receivers. You should regularly detach,
save, and delete QAUDJRN receivers to avoid problems with disk space.
See the Backup and Recovery book for complete information about managing
journals and journal receivers.
Note: The QAUDJRN journal is created during an IPL if it does not exist and the
QAUDCTL system value is set to a value other than *NONE. This occurs
only after an unusual situation, such as replacing a disk device or clearing
an auxiliary storage pool.
Saving and Deleting Audit Journal Receivers

Overview:
Purpose:
To attach a new audit journal receiver; to save and delete the
old receiver
How To:
CHGJRN QSYS/QAUDJRN
JRNRCV(*GEN) SAVOBJ (to
save old receiver) DLTJRNRCV (to delete old receiver)
Authority:
*ALL authority to journal receiver *USE authority to journal
270
Journal Entry:
J (system entry to QAUDJRN)
Notes: Select a time when the system is not busy.
You should regularly detach the current audit journal receiver and attach a new
one for two reasons:
v Analyzing journal entries is easier if each journal receiver contains the entries for
a specific, manageable time period.
v Large journal receivers can affect system performance, in addition to taking
valuable space on auxiliary storage.
Having the system manage receivers automatically is the recommended approach.
You can specify this by using the Manage receiver parameter when you create the
journal.
If you have set up action auditing and object auditing to log many different events,
you may need to specify a large threshold value for the journal receiver. If you are
managing receivers manually, you may need to change journal receivers daily. If
you log only a few events, you may want to change receivers to correspond with
the backup schedule for the library containing the journal receiver.
You use the CHGJRN command to detach a receiver and attach a new receiver.
System-Managed Journal Receivers: If you have the system manage the
receivers, use the following procedure to save all detached QAUDJRN receivers
and to delete them:
1. Type WRKJRNA QAUDJRN. The display shows you the currently attached receiver.
Do not save or delete this receiver.
2. Use F15 to work with the receiver directory. This shows all receivers that have
been associated with the journal and their status.
3. Use the SAVOBJ command to save each receiver, except the currently attached
receiver, which has not already been saved.
4. Use the DLTJRNRCV command to delete each receiver after it is saved.
Note: An alternative to the above procedure could be done using the journal
message queue and monitoring for the CPF7020 message which indicates
that the system change journal has completed successfully. See the Backup
and Recovery for more information on this support.
User-Managed Journal Receivers: If you choose to manage journal receivers
manually, use the following procedure to detach, save and delete a journal
receiver:
1. Type CHGJRN JRN(QAUDJRN) JRNRCV(*GEN). This command:
a. Detaches the currently attached receiver.
b. Creates a new receiver with the next sequential number.
c. Attaches the new receiver to the journal.
For example, if the current receiver is AUDRCV0003, the system creates and
attaches a new receiver called AUDRCV0004.
The Work with Journal Attributes (WRKJRNA) command tells you which
receiver is currently attached: WRKJRNA QAUDJRN.
271
2. Use the Save Object (SAVOBJ) command to save the detached journal receiver.
Specify object type *JRNRCV.
3. Use the Delete Journal Receiver (DLTJRNRCV) command to delete the receiver.
If you try to delete the receiver without saving it, you receive a warning
message.
Stopping the Audit Function

You may want to use the audit function periodically, rather than all the time. For
example, you might want to use it when testing a new application. Or you might
use it to perform a quarterly security audit.
To stop the auditing function, do the following:
1. Use the WRKSYSVAL command to change the QAUDCTL system value to
*NONE. This stops the system from logging any more security events.
2. Detach the current journal receiver using the CHGJRN command.
3. Save and delete the detached receiver, using the SAVOBJ and DLTJRNRCV
commands.
4. You can delete the QAUDJRN journal once you change QAUDCTL to *NONE.
If you plan to resume security auditing in the future, you may want to leave
the QAUDJRN journal on the system. However, if the QAUDJRN journal is set
up with MNGRCV(*SYSTEM), the system detaches the receiver and attaches a
new one whenever you perform an IPL, whether or not security auditing is
active. You need to delete these journal receivers. Saving them before deleting
them should not be necessary, because they do not contain any audit entries.
Analyzing Audit Journal Entries

Once you have set up the security auditing function, you can use several different
methods to analyze the events that are logged:
v Viewing selected entries at your workstation
v Using a query tool or program to analyze entries
v Using the Display Audit Journal Entries (DSPAUDJRNE) command
You can also use the Receive Journal Entry (RCVJRNE) command on the
QAUDJRN journal to receive the entries as they are written to the QAUDJRN
journal.
Viewing Audit Journal Entries

Overview:
Purpose:
View QAUDJRN entries
How To:
DSPJRN (Display Journal command)
Authority:
*USE authority to QSYS/QAUDJRN *USE authority to journal
receiver
The Display Journal (DSPJRN) command allows you to view selected journal
entries at your workstation. To view journal entries, do the following:
1. Type DSPJRN QAUDJRN and press F4. On the prompt display, you can enter
information to select the range of entries that is shown. For example, you can
272
select all entries in a specific range of dates, or you can select only a certain
type of entry, such as an incorrect sign-on attempt (journal entry type PW).
The default is to display entries from only the attached receiver. You can use
RCVRNG(*CURCHAIN) to see entries from all receivers that are in the receiver
chain for the QAUDJRN journal, up to and including the receiver that is
currently attached.
2. When you press the Enter key, you see the Display Journal Entries display:
Display Journal Entries

Journal . . . . . . :
QAUDJRN
Library . . . . . . :
QSYS

5=Display entire entry
Opt
Sequence
28018
28020
28021
28022
28023
28024
28025
28026
28027
28028
28029
28030
F3=Exit
Code
J
T
T
T
T
T
T
T
T
T
T
T
Type
PR
AF
PW
AF
AF
AF
AF
PW
PW
PW
PW
PW
Object
Library
Job
JONES1
QSYSARB
QINTER
QSYSARB
QSYSARB
QSYSARB
QSYSARB
QINTER
SMITHJ
QINTER
QINTER
QINTER
Time
11:02:05
11:07:33
11:08:18
11:09:29
11:10:07
11:10:32
11:32:57
11:58:05
11:58:43
12:37:34
12:37:36
12:49:04
F12=Cancel
3. Use option 5 (Display entire entry) to see information about a specific entry:
Display Journal Entry

Object
Member
Code .
Type .
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
:
:
:
:
QAUDJRN
Library . . . . . . :
Sequence . . . . . . :
T - Audit trail entry
PW - Invalid password or user ID
QSYS
28026
Entry specific data

Column
*...+....1....+....2....+....3....+....4....+....5
00001
PBECHER
DSP03
00051

Press Enter to continue.
F3=Exit
F6=Display only entry specific data
F10=Display only entry details
F12=Cancel
F24=More keys
4. You can use F6 (Display only entry specific data) for entries with a large
amount of entry-specific data. You can also select a hexadecimal version of that
display. You can use F10 to display details about the journal entry without any
entry-specific information.
273
Appendix F contains the layout for each type of QAUDJRN journal entry.
Analyzing Audit Journal Entries with Query or a Program

Overview:
Purpose:
Display or print selected information from journal entries.
How To:
DSPJRN OUTPUT(*OUTFILE) Create query or program Run
query or program
Authority:
*USE authority to QSYS/QAUDJRN *USE authority to journal
receiver *ADD authority to library for output file
You can use the Display Journal (DSPJRN) command to write selected entries from
the audit journal receivers to an output file. You can use a program or a query to
view the information in the output file.
For the output parameter of the DSPJRN command, specify *OUTFILE. You see
additional parameters prompting you for information about the output file:
Display Journal (DSPJRN)

Type
choices, press Enter.
.
.
.
Output . . . . . . . . . . . .
Outfile format . . . . . . . .
File to receive output . . . .
Library . . . . . . . . . .
Output member options:
Member to receive output . .
Replace or add records . . .
Entry data length:
Field data format . . . . .
Variable length field length
Allocated length . . . . . .
. > *OUTFILE
. *TYPE4
. dspjrnout
.
mylib
.
.
*FIRST
*REPLACE
*OUTFILFMT
All security-related entries in the audit journal contain the same heading
information, such as the entry type, the date of the entry, and the job that caused
the entry. The QJORDJE4 record format is provided to define these fields when
you specify *TYPE4 as the outfile format parameter. See Table 142 on page 503 for
more information.
For more information on other records and their outfile formats see Appendix F.
If you want to perform a detailed analysis of a particular entry type, use one of the
model database outfiles provided. For example, to create an output file called
AUDJRNAF in QGPL that includes only authority failure entries:
1. Create an empty output file with the format defined for AF journal entries:
CRTDUPOBJ OBJ(QASYAFJ4) FROMLIB(QSYS) +
OBJTYPE(*FILE) TOLIB(QGPL) NEWOBJ(AUDJRNAF)
2. Use the DSPJRN command to write selected journal entries to the output file:
274
DSPJRN JRN(QAUDJRN) ... +

JRNCDE(T) ENTTYP(AF) OUTPUT(*OUTFILE) +
OUTFILFMT(*TYPE4) OUTFILE(QGPL/AUDJRNAF)
3. Use Query or a program to analyze the information in the AUDJRNAF file.

Table 117 on page 255 shows the name of the model database outfile for each entry
type. Appendix F shows the file layouts for each model database outfile.
Following are a few examples of how you might use QAUDJRN information:
v If you suspect someone is trying to break into your system:
1. Make sure the QAUDLVL system value includes *AUTFAIL.
2. Use the CRTDUPOBJ object command to create an empty output file with
the QASYPWJ4 format.
3. A PW type journal entry is logged when someone enters an incorrect user ID
or password on the Sign On display. Use the DSPJRN command to write PW
type journal entries to the output file.
4. Create a query program that displays or prints the date, time, and
workstation for each journal entry. This information should help you
determine where and when the attempts are occurring.
v If you want to test the resource security you have defined for a new application:
1. Make sure the QAUDLVL system value includes *AUTFAIL.
2. Run application tests with different user IDs.
the QASYAFJ4 format.
4. Use the DSPJRN command to write AF type journal entries to the output file.
5. Create a query program that displays or prints information about the object,
job and user. This information should help you to determine what users and
application functions are causing authority failures.
v If you are planning a migration to security level 40:
1. Make sure the QAUDLVL system value includes *PGMFAIL and *AUTFAIL.
the QASYAFJ4 format.
3. Use the DSPJRN command to write AF type journal entries to the output file.
4. Create a query program that selects the type of violations you are
experiencing during your test and prints information about the job and
program that causes each entry.
Note: Table 117 on page 255 shows which journal entry is written for each
authority violation message.
Other Techniques for Monitoring Security

The security audit journal (QAUDJRN) is the primary source of information about
security-related events on your system. The following sections discuss other ways
to observe security-related events and the security values on your system.
You will find additional information in Appendix G, Commands and Menus for
Security Commands on page 599. This appendix includes examples to use the
commands and information about the menus for the security tools.
275
Monitoring Security Messages

Some security-relevant events, such as incorrect sign-on attempts, cause a message
in the QSYSOPR message queue. You can also create a separate message queue
called QSYSMSG in the QSYS library.
If you create the QSYSMSG message queue in the QSYS library, messages about
critical system events are sent to that message queue as well as to QSYSOPR. The
QSYSMSG message queue can be monitored separately by a program or a system
operator. This provides additional protection of your system resources. Critical
system messages in QSYSOPR are sometimes missed because of the volume of
messages sent to that message queue.
Using the History Log

Some security-related events, such as exceeding the incorrect sign-on attempts
specified in the QMAXSIGN system value, cause a message to be sent to the QHST
(history) log. Security messages are in the range 2200 to 22FF. They have the
prefixes CPI, CPF, CPC, CPD, and CPA.
Beginning with Version 2 Release 3 of the OS/400 licensed program, some
authority failure and integrity violation messages are no longer sent to the QHST
(history) log. All information that was available in the QHST log can be obtained
from the security audit journal. Logging information to the audit journal provides
better system performance and more complete information about these
security-related events than the QHST log. The QHST log should not be considered
a complete source of security violations. Use the security audit functions instead.
These messages are no longer written to the QHST log:
v CPF2218. These events can be captured in the audit journal by specifying
*AUTFAIL for the QAUDLVL system value.
v CPF2240. These events can be captured in the audit journal by specifying
*AUTFAIL for the QAUDLVL system value.
Using Journals to Monitor Object Activity

If you include the *AUTFAIL value for system action auditing (the QAUDLVL
system value), the system writes an audit journal entry for every unsuccessful
attempt to access a resource. For critical objects, you can also set up object auditing
so the system writes an audit journal entry for each successful access.
The audit journal records only that the object was accessed. It does not log every
transaction to the object. For critical objects on your system, you may want more
detailed information about the specific data that was accessed and changed. Object
journaling is used primarily for object integrity and recovery. Refer to the Backup
and Recovery book for a list of object types which can be journaled, and what is
journaled for each object type. A security officer or auditor can also use these
journal entries to review object changes. Do not journal any objects to the
QAUDJRN journal.
Journal entries can include:
v Identification of the job and user and the time of access
v Before- and after-images of all object changes
v Records of when the object was opened, closed, changed, saved, etc.
276
A journal entry cannot be altered by any user, even the security officer. A complete
journal or journal receiver can be deleted, but this is easily detected.
If you are journaling files and want to print all information about a particular file,
type the following:
DSPJRN JRN(library/journal) +
FILE(library/file) OUTPUT(*PRINT)
For example, if journal JRNCUST in library CUSTLIB is used to record information

about file CUSTFILE (also in library CUSTLIB), the command would be:
DSPJRN JRN(CUSTLIB/JRNCUST) +
FILE(CUSTLIB/CUSTFILE) OUTPUT(*PRINT)
If you are journaling other object types and want to see the information for a
particular object, type the following:
DSPJRN JRN(library/journal)
OUTPUT(*OUTFILE)
OUTFILEFMT(*TYPE4)
OUTFILE(library/outfile)
ENTDTALEN(*CALC)
You can then do a query or use SQL to select all of the records from this outfile for
a specific object name.
If you want to find out which journals are on the system, use the Work with
Journals (WRKJRN) command. If you want to find out which objects are being
journaled by a particular journal, use the Work with Journal Attributes
(WRKJRNA) command.
The Backup and Recovery book provides complete information about journaling.
Analyzing User Profiles

You can display or print a complete list of all the users on your system with the
Display Authorized Users (DSPAUTUSR) command. The list can be sequenced by
profile name or group profile name. Following is an example of the group profile
sequence:
277

Group
Profile
DPTSM
DPTWH
QSECOFR
*NO GROUP
User
Profile
Password
Last
Changed
ANDERSOR
VINCENTM
08/04/0x
09/15/0x
Roger Anders
Mark Vincent
ANDERSOR
WAGNERR
08/04/0x
09/06/0x
Roger Anders
Rose Wagner
JONESS
HARRISOK
09/20/0x
08/29/0x
Sharon Jones
Ken Harrison
DPTSM
DPTWH
RICHARDS
SMITHJ
09/05/0x
08/13/0x
09/05/0x
09/18/0x
No
Password
X
X
Text
Sales and Marketing

Warehouse
Janet Richards
John Smith
Printing Selected User Profiles

You can use the Display User Profile (DSPUSRPRF) command to create an output
file, which you can process using a query tool.
DSPUSRPRF USRPRF(*ALL) +
TYPE(*BASIC) OUTPUT(*OUTFILE)
You can use a query tool to create a variety of analysis reports of your output file,
such as:
v A list of all users who have both *ALLOBJ and *SPLCTL special authority.
v A list of all users sequenced by a user profile field, such as initial program or
user class.
You can create query programs to produce different reports from your output file.
For example:
v List all user profiles that have any special authorities by selecting records where
the field UPSPAU is not equal to *NONE.
v List all users who are allowed to enter commands by selecting records where the
Limit capabilities field (called UPLTCP in the model database outfile) is equal to
*NO or *PARTIAL.
v List all users who have a particular initial menu or initial program.
v List inactive users by looking at the date last sign-on field.
v List all users who do not have a password for use at password levels 0 and 1 by
selecting records where the Password present for level 0 or 1 field (called
UPENPW in the model outfile) is equal to N.
v List all users who have a password for use at password levels 2 and 3 by
selecting records where the Password present for level 2 or 3 field (called
UPENPH in the model outfile) is equal to Y.
Examining Large User Profiles

User profiles with large numbers of authorities, appearing to be randomly spread
over most of the system, can reflect a lack of security planning. Following is one
method for locating large user profiles and evaluating them:
278
1. Use the Display Object Description (DSPOBJD) command to create an output

file containing information about all the user profiles on the system:
DSPOBJD OBJ(*ALL) OBJTYPE(*USRPRF) +
DETAIL(*BASIC) OUTPUT(*OUTFILE)
2. Create a query program to list the name and size of each user profile, in
descending sequence by size.
3. Print detailed information about the largest user profiles and evaluate the
authorities and owned objects to see if they are appropriate:
DSPUSRPRF USRPRF(user-profile-name) +
TYPE(*OBJAUT) OUTPUT(*PRINT)
DSPUSRPRF USRPRF(user-profile-name) +
TYPE(*OBJOWN) OUTPUT(*PRINT)
Some IBM-supplied user profiles are very large because of the number of
objects they own. Listing and analyzing them is usually not necessary.
However, you should check for programs adopting the authority of the
IBM-supplied user profiles that have *ALLOBJ special authority, such as
QSECOFR and QSYS. See Analyzing Programs That Adopt Authority.
Appendix B provides information about all the IBM-supplied user profiles and
their functions.
Analyzing Object Authorities

You can use the following method to determine who has authority to libraries on
the system:
1. Use the DSPOBJD command to list all the libraries on the system:
DSPOBJD OBJ(QSYS/*ALL) OBJTYPE(*LIB) ASPDEV(*ALLAVL) OUTPUT(*PRINT)
2. Use the Display Object Authority (DSPOBJAUT) command to list the

authorities to a specific library:
|
|
DSPOBJAUT OBJ(library-name) OBJTYPE(*LIB) +

ASPDEV(asp-device-name) OUTPUT(*PRINT)
3. Use the Display Library (DSPLIB) command to list the objects in the library:
|
|
DSPLIB LIB(library-name) ASPDEV(asp-device-name) OUTPUT(*PRINT)
Using these reports, you can determine what is in a library and who has access to
the library. If necessary, you can use the DSPOBJAUT command to view the
authority for selected objects in the library also.
Analyzing Programs That Adopt Authority

Programs that adopt the authority of a user with *ALLOBJ special authority
represent a security exposure. The following method can be used to find and
inspect those programs:
1. For each user with *ALLOBJ special authority, use the Display Programs That
Adopt (DSPPGMADP) command to list the programs that adopt that users
authority:
DSPPGMADP USRPRF(user-profile-name) +
OUTPUT(*PRINT)
Note: The topic Printing Selected User Profiles on page 278 shows how to list
users with *ALLOBJ authority.
2. Use the DSPOBJAUT command to determine who is authorized to use each
adopting program and what the public authority is to the program:
279
DSPOBJAUT OBJ(library-name/program-name) +
OBJTYPE(*PGM) ASPDEV(asp-device-name) OUTPUT(*PRINT)
|
|
3. Inspect the source code and program description to evaluate:

v Whether the user of the program is prevented from excess function, such as
using a command line, while running under the adopted profile.
v Whether the program adopts the minimum authority level needed for the
intended function. Applications that use program failure can be designed
using the same owner profile for objects and programs. When the authority
of the program owner is adopted, the user has *ALL authority to application
objects. In many cases, the owner profile does not need any special
authorities.
4. Verify when the program was last changed, using the DSPOBJD command:
DSPOBJD OBJ(library-name/program-name) +
OBJTYPE(*PGM) ASPDEV(asp-device-name) DETAIL(*FULL)
|
|
Checking for Objects That Have Been Altered

You can use the Check Object Integrity (CHKOBJITG) command to look for objects
that have been altered. An altered object is usually an indication that someone is
attempting to tamper with your system. You may want to run this command after
someone has:
v Restored programs to your system
v Used dedicated service tools (DST)
|
|
|
|
|
|
|
|
When you run the command, the system creates a database file containing
information about any potential integrity problems. You can check objects owned
by one or more profiles, objects that match a path name, or all objects on the
system. You can look for objects whose domain has been altered and objects that
have been tampered with. You can recalculate program validation values to look
for objects of type *PGM, *SRVPGM, *MODULE, and *SQLPKG that have been
altered. You can check the signature of objects that can be digitally signed. You can
also check if libraries and commands have been tampered with.
|
|
|
|
|
|
Running the CHKOBJITG program requires *AUDIT special authority. The

command may take a long time to run because of the scans and calculations it
performs. You should run it at a time when your system is not busy. Most IBM
commands duplicated from a release prior to V5R2 will be logged as violations.
These commands should be deleted and re-created using the CRTDUPOBJ (Create
duplicate object) command each time a new release is loaded.
Auditing the Security Officers Actions

You may want to keep a record of all actions performed by users with *ALLOBJ
and *SECADM special authority. You can use the action auditing value in the user
profile to do this:
1. For each user with *ALLOBJ and *SECADM special authority, use the
CHGUSRAUD command to set the AUDLVL to have all values that are not
included in the QAUDLVL system value on your system. For example, if the
QAUDLVL system value is set to *AUTFAIL, *PGMFAIL, *PRTDTA, and
*SECURITY, use this command to set the AUDLVL for a security officer user
profile:
CHGUSRAUD USER((SECUSER)
AUDLVL(*CMD *CREATE *DELETE +
*OBJMGT *OFCSRV *PGMADP +
*SAVRST *SERVICE, +
*SPLFDTA *SYSMGT)
280
Note: Table 116 on page 254 shows all the possible values for action auditing.
2. Remove the *AUDIT special authority from user profiles with *ALLOBJ and
*SECADM special authority. This prevents these users from changing the
auditing characteristics of their own profiles.
Note: You cannot remove special authorities from the QSECOFR profile.
Therefore, you cannot prevent a user signed on as QSECOFR from
changing the auditing characteristics of that profile. However, if a user
signed on as QSECOFR uses the CHGUSRAUD command to change
auditing characteristics, an AD entry type is written to the audit journal.
It is recommended that security officers (users with *ALLOBJ or *SECADM
special authority) use their own profiles for better auditing. The password for
the QSECOFR profile should not be distributed.
3. Make sure the QAUDCTL system value includes *AUDLVL.
4. Use the DSPJRN command to review the entries in the audit journal using the
techniques described in Analyzing Audit Journal Entries with Query or a
Program on page 274.
281
282
Appendix A. Security Commands

This appendix contains the system commands related to security. You can use these
commands in place of the system menus, if you prefer, by typing these commands
on a command line. The commands are divided into task-oriented groups.
The CL topic in the Information Center contains more detailed information about
these commands. See Prerequisite and related information on page xvi for details.
The tables in Appendix D show what object authorities are required to use these
commands.
Table 119. Commands for Working with Authority Holders
Command Name
Descriptive Name
Function
CRTAUTHLR
Create Authority Holder
DLTAUTHLR
Delete Authority Holder
DSPAUTHLR
Display Authority Holder
Allows you to secure a file before the file exists.

Authority holders are valid only for program-described
database files.
Allows you to delete an authority holder. If the
associated file exists, the authority holder information is
copied to the file.
Allows you to display all the authority holders on the
system.
Table 120. Commands for Working with Authorization Lists

Command Name
Descriptive Name
Function
ADDAUTLE
Add Authorization List Entry
CHGAUTLE
Change Authorization List Entry
CRTAUTL
DLTAUTL
DSPAUTL
Create Authorization List

Delete Authorization List
DSPAUTLOBJ
EDTAUTL
RMVAUTLE
RTVAUTLE
Remove Authorization List Entry

Retrieve Authorization List Entry
WRKAUTL
Work with Authorization Lists
Allows you to add a user to an authorization list. You

specify what authority the user has to all the objects on
the list.
Allows you to change users authorities to the objects on
the authorization list.
Allows you to create an authorization list.
Allows you to delete an entire authorization list.
Allows you to display a list of users and their authorities
to an authorization list.
Allows you to display a list of objects secured by an
authorization list.
Allows you to add, change, and remove users and their
authorities on an authorization list.
Allows you to remove a user from an authorization list.
Used in a control language (CL) program to get one or
more values associated with a user on the authorization
list. The command can be used with the CHGAUTLE
command to give a user new authorities in addition to
the existing authorities that the user already has.
Allows you to work with authorization lists from a list
display.
283
Table 121. Commands for Working with Object Authority and Auditing
Command Name
Descriptive Name
CHGAUD
CHGAUT
CHGOBJAUD
Change Auditing
Change Authority
Change Object Auditing
CHGOBJOWN
CHGOBJPGP
CHGOWN
CHGPGP
DSPAUT
DSPOBJAUT
DSPOBJD
EDTOBJAUT
GRTOBJAUT
RVKOBJAUT
WRKAUT
WRKOBJ
WRKOBJOWN
WRKOBJPGP
284
Function
Allows you to change the auditing value for an object.

Allows you to change the authority of users to objects.
Allows you to specify whether access to an object is
audited.
Change Object Owner
Allows you to change the ownership of an object from
one user to another.
Change Object Primary Group
Allows you to change the primary group for an object to
another user or to no primary group.
Change Owner
Allows you to change the ownership of an object from
one user to another.
Change Primary Group
Allows you to change the primary group for an object to
another user or to no primary group.
Display Authority
Allows you to display users authority to an object.
Displays the object owner, public authority to the object,
any private authorities to the object, and the name of the
authorization list used to secure the object.
Display Object Description
Displays the object auditing level for the object.
Allows you to add, change, or remove a users authority
for an object.
Allows you to specifically give authority to named users,
all users (*PUBLIC), or users of the referenced object for
the objects named in this command.
Revoke Object Authority
Allows you to remove one or more (or all) of the
authorities given specifically to a user for the named
objects.
Work with Authority
Allows you to work with object authority by selecting
options on a list display.
Work with Objects
Allows you to work with object authority by selecting
Allows you to work with the objects owned by a user
profile.
Work with Objects by Primary Group Allows you to work with the objects for which a profile
is the primary group using options from a list display.
Table 122. Commands for Working with Passwords
|
|
|
|
|
|
Command Name
Descriptive Name
Function
CHGDSTPWD
CHGPWD
CHGUSRPRF
Change Dedicated Service Tools

Password
Change Password
Change User Profile
CHKPWD
Check Password
CRTUSRPRF1
Create User Profile
Allows you to reset the DST security capabilites profile

to the default password shipped with the system.
Allows a user to change the users own password.
Allows you to change the values specified in a users
profile, including the users password.
Allows verification of a users password. For example, if
you want the user to enter the password again to run a
particular application, you can use CHKPWD in your CL
program to verify the password.
When you add a user to the system, you assign a
password to the user.
When a CRTUSRPRF is done, you cant specify that the *USRPRF is to be created into an IASP. However,
when a user is privately authorized to an object on and IASP, is the owner of an object on an IASP, or is the
primary group of an object on an IASP, the profiles name is stored on the IASP. If the IASP is moved to
another system, the private authority, object ownership, and primary group entries will be attached to the
profile with the same name on the target system. If a profile does not exist on the target system, a profile
will be created. The user will not have any special authorities and the password will be set to *NONE.
285
Table 123. Commands for Working with User Profiles

Command Name
Descriptive Name
Function
CHGPRF
Change Profile
CHGUSRAUD
Change User Audit
CHGUSRPRF
Change User Profile
CHKOBJITG
Check Object Integrity
CRTUSRPRF
Create User Profile
DLTUSRPRF
Delete User Profile
DSPAUTUSR
DSPUSRPRF
Display User Profile command
GRTUSRAUT
Grant User Authority
PRTPRFINT
Print Pofile Internals
PRTUSRPRF
Print User Profile
RTVUSRPRF
Retrieve User Profile
WRKUSRPRF
Allows a user to change some of the attributes of the

users own profile.
Allows you to specify the action and object auditing for
a user profile.
Allows you to change the values specified in a users
profile such as the users password, special authorities,
initial menu, initial program, current library, and priority
limit.
Check the objects owned by one or more user profiles or
check the objects that match the pathname to ensure the
objects have not been tampered with.
Allows you to add a user to the system and to specify
values such as the users password, special authorities,
initial menu, initial program, current library, and priority
limit.
Allows you to delete a user profile from the system. This
command provides an option to delete or change
ownership of objects owned by the user profile.
Displays or prints the following for all user profiles on
the system: associated group profile (if any), whether the
user profile has a password usable at any password
level, whether the user profile has a password usable at
the various password levels, whether the user profile has
a password usable with NetServer, the date the
password was last changed, and the user profile text.
Allows you to display a user profile in several different
formats.
Allows you to copy private authorities from one user
profile to another user profile.
Allows you to print a report of internal information on
the number of entries.
Allows you to analyze user profiles that meet specified
criteria.
Used in a control language (CL) program to get and use
one or more values that are stored and associated with a
user profile.
Allows you to work with user profiles by entering
286
Table 124. Related User Profile Commands

Command Name
Descriptive Name
Function
DSPPGMADP
Display Programs That Adopt
RSTAUT
Restore Authority
RSTUSRPRF
Restore User Profile
SAVSECDTA
Save Security Data
SAVSYS
Save System
Allows you to display a list of programs and SQL

packages that adopt a specified user profile.
Allows you to restore authorities for objects held by a
user profile when the user profile was saved. These
authorities can only be restored after a user profile is
restored with the Restore User Profile (RSTUSRPRF)
command.
Allows you to restore a user profile and its attributes.
Restoring specific authority to objects is done with the
RSTAUT command after the user profile is restored. The
RSTUSRPRF command also restores all authorization
lists and authority holders if RSTUSRPRF(*ALL) is
specified.
Saves all user profiles, authorization lists, and authority
holders without using a system that is in a restricted
state.
Saves all user profiles, authorization lists, and authority
holders on the system. A dedicated system is required to
use this function.
Table 125. Commands for Working with Auditing

Command Name
Descriptive Name
Function
CHGAUD
CHGDLOAUD
Change Auditing
Change Document Library Object
Auditing
Change User Audit
Allows you to specify the auditing for an object.

Allows you to specify whether access is audited for a
document library object.
Allows you to specify the auditing for an object.
Allows you to specify the action and object auditing for
a user profile.
CHGOBJAUD
CHGUSRAUD
Table 126. Commands for Working with Document Library Objects.

Command Name
Descriptive Name
ADDDLOAUT
Add Document Library Object

Authority
CHGDLOAUD
CHGDLOAUT
CHGDLOOWN
CHGDLOPGP
DSPAUTLDLO
DSPDLOAUD
DSPDLOAUT
EDTDLOAUT
Function
Allows you to give a user access to a document or folder

or to secure a document or folder with an authorization
list or an access code.
Allows you to specify the object auditing level for a
Auditing
document library object.
Allows you to change the authority for a document or
Authority
folder.
Transfers document or folder ownership from one user
Owner
to another user.
Allows you to change the primary group for a document
Primary Group
library object.
Display Authorization List Document Allows you to display the documents and folders that
Library Objects
are secured by the specified authorization list.
Display Document Library Object
Displays the object auditing level for a document library
Auditing
object.
Allows you to display authority information for a
Authority
document or a folder.
Edit Document Library Object
Used to add, change, or remove users authorities to a
Authority
document or folder.
287
Table 126. Commands for Working with Document Library Objects (continued).
Command Name
Descriptive Name
Function
GRTUSRPMN
Grant User Permission
RMVDLOAUT
Remove Document Library Object

Authority
Revoke User Permission
Gives permission to a user to handle documents and

folders or to do office-related tasks on behalf of another
user.
Used to remove a users authority to documents or
folders.
Takes away document authority from one user (or all
users) to access documents on behalf of another user.
RVKUSRPMN
Table 127. Commands for Working with Server Authentication Entries

Command Name
Descriptive Name
ADDSVRAUTE
Add Server Authentication Entry
CHGSVRAUTE
| DSPSVRAUTE
RMVSVRAUTE
Function
Allows you to add server authentication information for

a user profile.
Change Server Authentication Entry Allows you to change existing server authentication
entries for a user profile.
Display Server Authentication Entries Allows you to display server authentication entries for a
user profile.
Remove Server Authentication Entry Allows you to remove server authentication entries from
the specified user profile.
These commands allow a user to specify a user name, the associated password, and the name of a remote
server machine. Distributed Relational Database Access (DRDA) uses these entries to run database access
requests as the specified user on the remote server.
Table 128. Commands for Working with the System Distribution Directory
Command Name
Descriptive Name
Function
ADDDIRE
Add Directory Entry
CHGDIRE
Change Directory Entry
RMVDIRE
Remove Directory Entry
WRKDIRE
Work with Directory
Adds new entries to the system distribution directory.

The directory contains information about a user, such as
the user ID and address, system name, user profile
name, mailing address, and telephone number.
Changes the data for a specific entry in the system
distribution directory. The system administrator has
authority to update any of the data contained in a
directory entry, except the user ID, address, and the user
description. Users can update their own directory entries,
but they are limited to updating certain fields.
Removes a specific entry from the system distribution
directory. When a user ID and address is removed from
the directory, it is also removed from any distribution
lists.
Provides a set of displays that allow a user to view, add,
change, and remove entries in the system distribution
directory.
288
Table 129. Commands for Working with Validation Lists

Command Name
Descriptive Name
Function
CRTVLDL
Create Validation List
Allows you to create a validation list object that contains

entries consisting of an identifier, data that will be
encrypted by the system when it is stored, and free-form
data.
DLTVLDL
Delete Validation List
Allows you to delete the specified validation list from a

library.
The following tables describe several different kinds of security tools. For more
information on the security tools, see Appendix G, Commands and Menus for
Security Commands.
Table 130. Security Tools for Working with Auditing
Command Name
Descriptive Name
Function
CHGSECAUD
Change Security Auditing
DSPAUDJRNE
Display Audit Journal Entries
DSPSECAUD
Display Security Auditing Values
Allows you to set up security auditing and to change the

system values that control security auditing.
Allows you to display or print information about entries
in the security audit journal. You can select specific entry
types, specific users, and a time period.
Allows you to display information about the security
audit journal and the system values that control security
auditing.
Table 131. Security Tools for Working with Authorities

Command Name
Descriptive Name
Function
PRTJOBDAUT
Print Job Description Authority
PRTPUBAUT
Print Publicly Authorized Objects
PRTPVTAUT
Print Private Authorities
PRTQAUT
Print Queue Authority
Allows you to print a list of job descriptions whose

public authority is not *EXCLUDE. You can use this
command to print information about job descriptions
that specify a user profile that every user on the system
can access.
Allows you to print a list of objects of the specified type
whose public authority is not *EXCLUDE.
Allows you to print a list of private authorities for
objects of the specified type.
Allows you to print the security settings for output
queues and job queues on your system. These settings
control who can view and change entries in the output
queue or job queue.
PRTSBSDAUT
Print Subsystem Description

Authority
Allows you to print a list of subsystem descriptions in a

library that contains a default user in a subsystem entry.
PRTTRGPGM
Print Trigger Programs
PRTUSROBJ
Print User Objects
Allows you to print a list of trigger programs that are

associated with database files on your system.
Allows you to print a list of the user objects (objects not
supplied by IBM) that are in a library.
289
| Table 132. Security Tools for Working with System Security

| Command Name
Descriptive Name
Function
| CHGSECA 1
|
|
|
| CFGSYSSEC
|
|
| CLRSVRSEC
|
|
|
|
|
| DSPSECA
|
| PRTCMNSEC
|
| PRTSYSSECA
|
|
| RVKPUBAUT
|
Change Security Attributes
Allows you to set new starting values for generating

user ID numbers or group ID numbers. Users can specify
a starting user ID number and a starting group ID
number.
Allows you to set security-relevant system values to their
recommended settings. The command also sets up
security auditing on your system.
Allows you to clear decryptable authentication
information that is associated with user profiles and
validation list (*VLDL) entries.
Note: This is the same information that was cleared in
releases previous to V5R2 when the QRETSVRSEC
system value was changed from 1 to 0.
Allows you to display the current and pending values of
some system security attributes.
Allows you to print the security attributes of the *DEVD,
*CTL, and *LIND objects on the system.
Allows you to print a list of security-relevant system
values and network attributes. The report shows the
current value and the recommended value.
Allows you to set the public authority to *EXCLUDE for
a set of security-sensitive commands on your system.
|
|
Configure System Security
Clear Server Security Data
Display Security Attributes

Print Communications Security
Print System Security Attributes
Revoke Public Authority
To use this command, you must have *SECADM special authority.
For more information on tools and suggestions about how to use the security tools,
see the Tips for Making Your iSeries 400 Secure book, GC41-0615.
290
Appendix B. IBM-Supplied User Profiles

This appendix contains information about the user profiles that are shipped with
the system. These profiles are used as object owners for various system functions.
Some system functions also run under specific IBM-supplied user profiles.
Table 133 shows the default values that are used for all IBM-supplied user profiles
and on the Create User Profile (CRTUSRPRF) command. The parameters are
sequenced in the order they appear on the Create User Profile display.
Table 134 lists each IBM-supplied profile, its purpose, and any values for the
profile that are different from the defaults for IBM-supplied user profiles.
Note:
Table 134 now includes additional user profiles that are shipped with the
licensed program products. The table includes only some, but not all user
profiles for licensed program products; therefore, the list is not inclusive.
Attention:
v Password for the QSECOFR profile
You must change the password for the QSECOFR profile after you install your
system. This password is the same for every iSeries system and poses a security
exposure until it is changed. However, do not change any other values for
IBM-supplied user profiles. Changing these profiles may cause system functions
to fail.
v Authorities for IBM-supplied profies
Use caution when removing authorities that IBM-supplied profiles have to
objects that are shipped with the operating system. Some IBM-supplied profiles
are granted private authorities to objects that are shipped with the operating
system. Removing any of these authorities may cause system functions to fail.
Table 133. Default Values for User Profiles
Default Values
User Profile Parameter
IBM-Supplied User
Profiles
Create User Profile

Display
Password (PASSWORD)
Set password to expired (PWDEXP)
Status (STATUS)
User class (USRCLS)
Assistance level (ASTLVL)
Current library (CURLIB)
Initial program (INLPGM)
Initial menu (INLMNU)
Initial menu library
Limited capabilities (LMTCPB)
Text (TEXT)
Special authority (SPCAUT)
Special environment (SPCENV)
Display sign-on information (DSPSGNINF)
*NONE
*NO
*ENABLED
*USER
*SYSVAL
*CRTDFT
*NONE
MAIN
*LIBL
*NO
*BLANK
*ALLOBJ1 *SAVSYS1
*SYSVAL
*SYSVAL
*USRPRF4
*NO
*ENABLED
*USER
*SYSVAL
*CRTDFT
*NONE
MAIN
*LIBL
*NO
*BLANK
*USRCLS2
*SYSVAL
*SYSVAL
291
Table 133. Default Values for User Profiles (continued)

Default Values
|
|
|
|
|
|
|
|
|
|
292
User Profile Parameter
IBM-Supplied User
Profiles
Create User Profile

Display
Password expiration interval (PWDEXPITV)

Limit device sessions (LMTDEVSSN)
Keyboard buffering (KBDBUF)
Maximum storage (MAXSTG)
Priority limit (PTYLMT)
Job description (JOBD)
Job description library
Group profile (GRPPRF)
Owner (OWNER)
Group authority (GRPAUT)
Group authority type (GRPAUTTYP)
Supplemental groups (SUPGRPPRF)
Accounting code (ACGCDE)
Document password (DOCPWD)
Message queue (MSGQ)
Delivery (DLVRY)
Severity (SEV)
Printer device (PRTDEV)
Output queue (OUTQ)
Attention program (ATNPGM)
Sort sequence (SRTSEQ)
Language identifier (LANGID)
Country or Region Identifier (CNTRYID)
Coded Character Set Identifier (CCSID)
Set Job Attributes (SETJOBATR)
Locale (LOCALE)
User Option (USROPT)
User Identification Number (UID)
Group Identification Number (GID)
Home Directory (HOMEDIR)
Authority (AUT)
Action auditing (AUDLVL) 3
Object auditing (OBJAUD) 3
*SYSVAL
*SYSVAL
*SYSVAL
*NOMAX
0
QDFTJOBD
QGPL
*NONE
*USRPRF
*NONE
*PRIVATE
*NONE
*SYS
*NONE
*USRPRF
*NOTIFY
00
*WRKSTN
*WRKSTN
*NONE
*SYSVAL
*SYSVAL
*SYSVAL
*SYSVAL
*SYSVAL
*NONE
*NONE
*GEN
*NONE
*USRPRF
*EXCLUDE
*NONE
*NONE
*SYSVAL
*SYSVAL
*SYSVAL
*NOMAX
3
QDFTJOBD
*LIBL
*NONE
*USRPRF
*NONE
*PRIVATE
*NONE
*BLANK
*NONE
*USRPRF
*NOTIFY
00
*WRKSTN
*WRKSTN
*SYSVAL
*SYSVAL
*SYSVAL
*SYSVAL
*SYSVAL
*SYSVAL
*SYSVAL
*NONE
*GEN
*NONE
*USRPRF
*EXCLUDE
*NONE
*NONE
When the system security level is changed from level 10 or 20 to level 30 or above,
this value is removed.
When a user profile is automatically created at security level 10, the *USER user
class gives *ALLOBJ and *SAVSYS special authority.
Action and object auditing are specified using the CHGUSRAUD command.
When you perform a CRTUSRPRF, you can not create a user profile (*USRPRF) into
an independent disk pool. However, when a user is privately authorized to an
object in the independent disk pool, is the owner of an object on an independent
disk pool, or is the primary group of an object on an independent disk pool, the
name of the profile is stored on the independent disk pool. If the independent disk
pool is moved to another system, the private authority, object ownership, and
primary group entries will be attached to the profile with the same name on the
target system. If a profile does not exist on the target system, a profile will be
created. The user will not have any special authorities and the password will be set
to *NONE.
Table 134. IBM-Supplied User Profiles

Profile Name
Descriptive Name
Parameters Different from Default Values
QADSM
ADSM user profile
v USERCLS: *SYSOPR
v CURLIB: QADSM
v TEXT: ADSM profile used by ADSM server
v SPCAUT: *JOBCTL, *SAVSYS
v JOBD: QADSM/QADSM
v OUTQ: QADSM/QADSM
QAFOWN
APD user profile
v USRCLS: *PGMR
v SPCAUT: *JOBCTL
v JOBD: QADSM/QADSM
v TEXT: Internal APD User Profile
QAFUSR
APD user profile
QAFDFTUSR
APD user profile
v INLPGM: *LIBL/QAFINLPG
v LMTCPB: *YES
QAUTPROF
IBM authority user

profile
QBRMS
BRM user profile
QCLUMGT
Cluster management
profile
v STATUS: *DISABLED
v MSGQ: *NONE
v ATNPGM: *NONE
QCLUSTER
High availability
cluster profile
QCOLSRV
Management central
collection services user
profile
QDBSHR
Database share profile
v AUT: *ADD, *DELETE
QDBSHRDO
Database share profile
v AUT: *ADD, *DELETE
QDCEADM
DCE user profile
v PASSWORD: *USRPRF
v SPCAUT: *IOSYSCFG
v PWDEXP: *YES
v STATUS: *DISABLED
v TEXT: *NONE
v SPCAUT: *JOBCTL
QDFTOWN
Default owner profile
v PTYLMT: 3
v ACGCDE: *BLANK
QDIRSRV
OS/400 Directory
services server user
profile
v LMTCPB: *YES
v JOBD: QGPL/QBATCH
v DSPSGNINF: *NO
v LMTDEVSSN: *NO
v DLVRY: *HOLD
v SPCENV: *NONE
v ATNPGM: *NONE
293
Table 134. IBM-Supplied User Profiles (continued)

Profile Name
Descriptive Name
QDLFM
DataLink File Manager v SRTSEQ: *HEX

profile
QDOC
Document profile
v ACGCDE: *BLANK
v AUT: *CHANGE
QDSNX
Distributed systems
node executive profile
v PTYLMT: 3
v CCSID: *HEX
v ACGCDE: *BLANK
v SRTSEQ: *HEX
QEJB
Enterprise Java user

profile
QFNC
Finance profile
v PTYLMT: 3
QGATE
VM/MVS* bridge
profile
v CCSID: *HEX
QIPP
Internet printing
profile
v MSGQ: QUSRSYS/QIPP
QLPAUTO
Licensed program
automatic install
profile
v USRCLS: *SYSOPR
v SRTSEQ: *HEX
v INLMNU: *SIGNOFF
v SPCAUT: *ALLOBJ, *JOBCTL ,*SAVSYS, *SECADM, *IOSYSCFG
v INLPGM: QLPINATO
v Library: QSYS
v DLVRY: *HOLD
v SEV: 99
QLPINSTALL
Licensed program
install profile
v USRCLS: *SYSOPR
v DLVRY: *HOLD
v SPCAUT: *ALLOBJ, *JOBCTL, *SAVSYS, *SECADM, *IOSYSCFG
QMSF
Mail server framework v CCSID: *HEX

profile
v SRTSEQ: *HEX
QMQM
MQSeries user profile v USRCLS: *SECADM

v SPCAUT: *NONE
v PRTDEV: *SYSVAL
v TEXT: MQM user which owns the QMQM library
QNFSANON
NFS user profile
QNETSPLF
Network spooling
profile
QNETWARE
ECS user profile
v STATUS: *DISABLED
v TEXT: QFPNTWE USER PROFILE
QNTP
Network time profile
v JOBD: QTOTNTP
v JOBD LIBRARY: QSYS
294

Profile Name
Descriptive Name
QOIUSER
OSI Communication
Subsystem
v USRCLS: *SYSOPR
v SPCAUT: *JOBCTL, *SAVSYS, *IOSYSCFG
v CURLIB: QOSI
v MSGQ: QOSI/QOIUSER
v DLVRY: *HOLD
v OUTQ: *DEV
v PRTDEV: *SYSVAL
v ATNPGM: *NONE
v CCSID: *HEX
v TEXT: Internal OSI Communication Subsystem User Profile
QOSIFS
OSI File Server User

Profile
v USRCLS: *SYSOPR
v SPCAUT: *JOBCTL, *SAVSYS
v OUTQ: *DEV
v CURLIB: *QOSIFS
v CCSID: *HEX
v TEXT: Internal OSI File Services User Profile
QPGMR
Programmer profile
v USRCLS: *PGMR
v SPCAUT: *ALLOBJ
*SAVSYS *JOBCTL
v PTYLMT: 3
v ACGCDE: *BLANK
| QPEX
Performance Explorer
user profile
v PTYLMT: 3
v ATNPGM: *SYSVAL
v TEXT: IBM-supplied User Profile
v ACGCDE: *BLANK
QPM400
Performance
Management/400
(PM/400)
v SPCAUT: *IOSYSCFG, *JOBCTL
QPRJOWN
Parts and projects

owner user profile
v STATUS: *DISABLED
v CURLIB: QADM
v TEXT: User profile of parts and projects owner
QRDARSADM
R/DARS user profile
v INLMNU: *SIGNOFF
v TEXT: R/DARS Administration Profile
QRDAR
R/DARS owning
profile
v USRCLS: *PGMR
v INLMNU: *SIGNOFF
v OUTQ: *DEV
v TEXT: R/DARS-400 owning profile
QRDARS4001
R/DARS owning
profile 1
v INLMNU: *SIGNOFF
v GRPPRF: QRDARS400
v OUTQ: *DEV
v TEXT: R/DARS-400 owning profile 1
295

Profile Name
Descriptive Name
QRDARS4002
R/DARS owning
profile 2
v INLMNU: *SIGNOFF
v GRPPRF: QRDARS400
v OUTQ: *DEV
QRDARS4003
R/DARS owning
profile 3
v INLMNU: *SIGNOFF
v GRPPRF: QRDARS400
v OUTQ: *DEV
QRDARS4004
R/DARS owning
profile 4
v INLMNU: *SIGNOFF
v GRPPRF: QRDARS400
v OUTQ: *DEV
QRDARS4005
R/DARS owning
profile 5
v INLMNU: *SIGNOFF
v GRPPRF: QRDARS400
v OUTQ: *DEV
QRMTCAL
Remote Calendar user

profile
v TEXT: OfficeVision Remote Calendar User
QRJE
Remote job entry

profile
v USRCLS: *PGMR
Security officer profile
v PWDEXP: *YES
QSECOFR
SPCAUT: *ALLOBJ
*SAVSYS
*JOBCTL
v USRCLS: *SECOFR
v SPCAUT: *ALLOBJ, *SAVSYS, *JOBCTL, *SECADM, *SPLCTL,
*SERVICE, *AUDIT, *IOSYSCFG
v ACGCDE: *BLANK
v UID: 0
v PASSWORD: QSECOFR
QSNADS
QSOC
SNA distribution
services profile
v CCSID: *HEX
OptiConnect user
profile
v USRCLS: *SYSOPR
v SRTSEQ: *HEX
v CURLIB: *QSOC
v SPCAUT: *JOBCTL
v MSGQ: QUSRSYS/QSOC
QSPL
Spool profile
QSPLJOB
Spool job profile
v AUT: *USE
QSRV
Service profile
v USRCLS: *PGMR
v SPCAUT: *ALLOBJ 1, *SAVSYS 1, *JOBCTL, *SERVICE
v ASTLVL: *INTERMED
v ATNPGM: QSCATTN
v Library: QSYS
296

Profile Name
Descriptive Name
QSRVBAS
Service basic profile
v USRCLS: *PGMR
v
SPCAUT: *ALLOBJ
*SAVSYS
*JOBCTL
v ASTLVL: *INTERMED
v ATNPGM: QSCATTN
v Library: QSYS
QSVCCS
CC Server user profile v USRCLS: *SYSOPR

v SPCAUT: *JOBCTL
v SPCENV: *SYSVAL
v TEXT: CC Server User Profile
QSVCM
Client Management
Server user profile
v TEXT: Client Management Server User Profile
QSVSM
ECS user profile
v USRCLS: *SYSOPR
v STATUS: *DISABLED
v SPCAUT: *JOBCTL
v SPCENV: *SYSVAL
v TEXT: SystemView System Manager User Profile
QSVSMSS
Managed System
Service user profile
v STATUS: *DISABLED
v USRCLS: *SYSOPR
v SPCAUT: *JOBCTL
v SPCENV: *SYSVAL
v TEXT: Managed System Service User Profile
QSYS
System profile
v USRCLS: *SECOFR
v SPCAUT: *ALLOBJ, *SECADM, *SAVSYS, *JOBCTL, *AUDIT,
*SPLCTL, *SERVICE, *IOSYSCFG
QSYSOPR
System operator
profile
v USRCLS: *SYSOPR
v SPCAUT: *ALLOBJ 1, *SAVSYS, *JOBCTL
v INLMNU: SYSTEM
v LIBRARY: *LIBL
v MSGQ: QSYSOPR
v DLVRY: *BREAK
v SEV: 40
v ACGCDE: *BLANK
QTCM
Triggered cache
manager profile
v STATUS: *DISABLED
QTCP
Transmission control
protocol (TCP) profile
v USRCLS: *SYSOPR
v SPCAUT: *JOBCTL
v CCSID: *HEX
v SRTSEQ: *HEX
QTFTP
Trivial File Transfer

Protocol
297

Profile Name
Descriptive Name
QTMPLPD
Transmission control
protocol/Internet
protocol (TCP/IP)
printing support
profile
v PTYLMT: 3
Remote LPR user

profile
v JOBD: QGPL/QDFTJOBD
QTMPLPD
v AUT: *USE
v PWDEXPITV: *NOMAX
v MSGQ: QTCP/QTMPLPD
QTMTWSG
QTMHHTTP
QTMHHTP1
HTML Workstation
Gateway Profile user
profile
v MSGQ: QUSRSYS/QTMTWSG
HTML Workstation
profile
v MSGQ: QUSRSYS/QTMHHTTP
HTML Workstation
profile
v MSGQ: QUSRSYS/QTMHHTTP
v TEXT: HTML Workstation Gateway Profile
v TEXT: HTTP Server Profile
v TEXT: HTTP Server CGI Profile
QTSTRQS
Test request profile
QUMB
Ultimedia System
Facilities user profile
QUMVUSER
Ultimedia Business
Conferencing user
profile
QUSER
Workstation user
profile
QX400 user profile
OSI Messages Services v CURLIB: *QX400

File Services User
v USRCLS: *SYSOPR
Profile
v MSGQ: QX400/QX400
v PTYLMT: 3
v DLVRY: *HOLD
v OUTQ: *DEV
v PRTDEV: *SYSVAL
v ATNPGM: *NONE
v CCSID: *HEX
v TEXT: Internal OSI Messages Services User Profile
QYPSJSVR
Management Central
Java Server profile
QYPUOWN
Internal APU user

profile
298
v TEXT: Internal APU User profile
When the system security level is changed from level 10 or 20 to level 30 or above, this value is removed.
|
|
Appendix C. Commands Shipped with Public Authority

*EXCLUDE
|
|
|
|
|
Table 135 identifies which commands have restricted authorization (public

authority is *EXCLUDE) when your system is shipped. It shows what
IBM-supplied user profiles are authorized to use these restricted commands. For
more information about IBM-supplied user profiles, see the topic IBM-Supplied
User Profiles on page 116.
|
|
|
|
|
In Table 135, commands that are restricted to the security officer, and any user
profile with *ALLOBJ authority, have an R in the QSECOFR profile. Commands
that are specifically authorized to one or more IBM-supplied user profiles, in
addition to the security officer, have an S under the profile names for which they
are authorized).
|
|
|
|
Any commands not listed here are public, which means they can be used by all
users. However, some commands require special authority, such as *SERVICE or
*JOBCTL. The special authorities required for a command are listed in Appendix D,
Authority Required for Objects Used by Commands on page 309
|
|
|
|
|
|
If you choose to grant other users or the public *USE authority to these commands,
update this table to indicate that commands are no longer restricted on your
system. Using some commands may require the authority to certain objects on the
system as well as to the commands themselves. See Appendix D, Authority
Required for Objects Used by Commands on page 309 for the object authorities
required for commands.
| Table 135. Authorities of IBM-Supplied User Profiles to Restricted Commands

| Command Name
QSECOFR
| ADDCMDCRQA
QPGMR
QSYSOPR
| ADDDSTQ
| ADDDSTRTE
| ADDDSTSYSN
| ADDCRSDMNK
QSRV
QSRVBAS
S
| ADDEXITPGM
| ADDMFS
| ADDNETJOBE
| ADDOBJCRQA
| ADDOPTCTG
| ADDOPTSVR
| ADDPEXDFN
| ADDPEXFTR
| ADDPRDCRQA
| ADDPTFCRQA
| ADDRPYLE
| ADDRSCCRQA
299
| Table 135. Authorities of IBM-Supplied User Profiles to Restricted Commands (continued)

| Command Name
QSECOFR
| ANSQST
| ANZACCGRP
| ANZBESTMDL
| ANZDBF
| ANZDBFKEY
| ANZDFTPWD
| ANZPFRDTA
| ANZPGM
| ANZPRB
QPGMR
| ANZPRFACT
| ANZS34OCL
| ANZS36OCL
| APYJRNCHG
QSYSOPR
QSRV
QSRVBAS
| APYPTF
| APYRMTPTF
| CFGDSTSRV
| CFGRPDS
| CHGDSTQ
| CHGDSTRTE
| CHGMGDSYSA
| CHGMGRSRVA
| CFGSYSSEC
| CHGACTSCDE
| CHGCMDCRQA
| CHGCRSDMNK
| CHGDSTPWD
| CHGFCNARA
| CHGGPHFMT
| CHGGPHPKG
| CHGJOBTRC
| CHGJOBTYP
| CHGJRN
| CHGMSTK
| CHGNETA
| CHGNETJOBE
| CHGNFSEXP
| CHGNWSA
300
| CHGEXPSCDE
| CHGLICINF

| Command Name
QSECOFR
| CHGOBJCRQA
| CHGOPTA
QPGMR
S
QSYSOPR
S
QSRV
QSRVBAS
S
| CHGPEXDFN
| CHGPRB
| CHGPRDCRQA
| CHGPTFCRQA
| CHGPTR
| CHGQSTDB
S
R
| CHGRCYAP
| CHGRPYLE
| CHGRSCCRQA
| CHGSYSLIBL
| CHGSYSVAL
| CHGS34LIBM
| CHKCMNTRC
| CHKPRDOPT
| CPYPTF
| CPYPTFGRP
| CPHDTA
| CPYFCNARA
| CPYGPHFMT
| CPYGPHPKG
| CPYPFRDTA
| CRTAUTHLR
| CRTBESTMDL
| CRTCLS
| CRTFCNARA
| CRTGPHFMT
| CRTGPHPKG
| CRTHSTDTA
| CRTJOBD
| CRTPFRDTA
| CRTLASREP
| CRTPEXDT
| CRTQSTDB
| CRTQSTLOD
| CRTSBSD
| CRTUDFS
| CRTUDFS
Appendix C. Commands Shipped with Public Authority *EXCLUDE
301

| Command Name
QSECOFR
| CRTVLDL
| CVTBASSTR
| CVTBASUNF
| CVTBGUDTA
| CVTPFRDTA
| CVTPFRTHD
| CVTS36CFG
| CVTS36FCT
| CVTS36JOB
| CVTS36QRY
| CVTS38JOB
QPGMR
QSYSOPR
QSRV
QSRVBAS
| CVTTCPCL
| DLTAPARDTA
| DLTBESTMDL
| DLTCMNTRC
| DLTFCNARA
| DLTGPHFMT
| DLTGPHPKG
| DLTHSTDTA
| DLTLICPGM
| DLTPEXDTA
| DLTPFRDTA
| DLTPRB
| DLTPTF
| DLTRMTPTF
| DLTSMGOBJ
| DMPDLO
| DMPJOB
| DMPJOBINT
| DLTQST
| DLTQSTDB
| DLTUDFS
| DLTVLDL
| DMPOBJ
| DMPSYSOBJ
| DMPTRC
| DSPACCGRP
| DSPAUDJRNE
| DSPDSTLOG
302

| Command Name
QSECOFR
| DSPHSTGPH
| DSPMFSINF
| DSPMGDSYSA
QPGMR
QSYSOPR
QSRV
QSRVBAS
| DSPPTF
| DSPSRVSTS
| DSPPFRDTA
| DSPPFRGPH
| DSPUDFS
| EDTCPCST
| EDTQST
S
R
| EDTRBDAP
| EDTRCYAP
| ENCCPHK
| ENCFRMMSTK
| ENCTOMSTK
| ENDCHTSVR
| ENDCMNTRC
| ENDDBGSVR
| ENDHOSTSVR
| ENDIPSIFC
| ENDJOBABN
| ENDMGDSYS
| ENDMGRSRV
| ENDIDXMON
| ENDJOBTRC
| ENDMSF
| ENDNFSSVR
| ENDPEX
| ENDPFRTRC
| ENDSRVJOB
| ENDSYSMGR
| ENDTCP
| ENDTCPCNN
| ENDTCPIFC
| ENDTCPSVR
| GENCPHK
| GENCRSDMNK
| GENMAC
| GENPIN
303

| Command Name
QSECOFR
| GENS36RPT
| GENS38RPT
| GRTACCAUT
QPGMR
QSYSOPR
| HLDCMNDEV
| HLDDSTQ
| INSPTF
| INZDSTQ
| LODQSTDB
| MGRS36
| MGRS36APF
| MGRS36CBL
| MGRS36DFU
| MGRS36DSPF
| MGRS36ITM
| MGRS36LIB
| MGRS36MNU
| MGRS36MSGF
| MGRS36QRY
| MGRS36RPG
| MGRS36SEC
| MGRS38OBJ
| MIGRATE
| PKGPRDDST
| PRTACTRPT
| PRTADPOBJ
| PRTCMNSEC
| PRTCMNTRC
| PRTCPTRPT
| PRTJOBRPT
| PRTJOBTRC
| PRTLCKRPT
| PRTPOLRPT
| PRTRSCRPT
| PRTSYSRPT
| PRTTNSRPT
| PRTTRCRPT
| LODPTF
304
QSRVBAS
| INSRMTPRD
| INZSYS
QSRV

| Command Name
| PRTDSKINF
QSECOFR
QPGMR
QSYSOPR
QSRV
QSRVBAS
| PRTERRLOG
| PRTINTDTA
| PRTJOBDAUT
| PRTPRFINT
| PRTPVTAUT
| PRTQAUT
| PRTSBSDAUT
| PRTSYSSECA
| PRTTRGPGM
| PRTUSRPRF
| PRTUSROBJ
| PWRDWNSYS
| RCLOPT
| RCLSPLSTG
| RCLSTG
| RCLTMPSTG
| RLSCMNDEV
| RLSDSTQ
| RMVDSTQ
| RMVDSTRTE
| RMVDSTSYSN
| RESMGRNAM
| RLSIFSLCK
| RLSRMTPHS
| RMVACC
| RMVCRSDMNK
| RMVEXITPGM
| RMVJRNCHG
| RMVPEXDFN
| RMVPEXFTR
| RMVLANADP
| RMVMFS
| RMVNETJOBE
| RMVOPTCTG
| RMVOPTSVR
| RMVPTF
| RMVRMTPTF
| RMVRPYLE
| RSTAUT
R
305

| Command Name
| RST
QSECOFR
QPGMR
QSYSOPR
QSRV
QSRVBAS
| RSTCFG
| RSTDLO
| RSTLIB
| RSTLICPGM
| RSTOBJ
| RSTS36F
| RSTS36FLR
| RSTS36LIBM
| RSTS38AUT
| RSTUSFCNR
R
5
| RSTUSRPRF
| RTVDSKINF
| RTVPRD
| RTVPTF
| RTVSMGOBJ
| RUNLPDA
| RUNSMGCMD
| RUNSMGOBJ
| SNDDSTQ
| SNDPRD
| SNDPTF
| RVKPUBAUT
| SAVAPARDTA
| SAVLICPGM
| SBMFNCJOB
| SBMNWSCMD
| SETMSTK
| SNDPTFORD
| SNDSMGOBJ
| SNDSRVRQS
| STRBEST
| STRCHTSVR
| STRCMNTRC
| STRDBG
| STRDBGSVR
| STRHOSTSVR
| STRIDXMON
306
| STRIPSIFC
| STRJOBTRC

| Command Name
QSECOFR
QPGMR
QSYSOPR
QSRV
QSRVBAS
| STRMGDSYS
| STRMGRSRV
| STRMSF
| STRNFSSVR
| STRPEX
| STRPFRG
| STRPFRT
| STRPFRTRC
| STRRGZIDX
| STRSRVJOB
| STRSST
| STRSYSMGR
| STRTCP
| STRTCPIFC
| STRTCPSVR
| STRS36MGR
| STRS38MGR
| STRUPDIDX
| TRCCPIC
| TRCICF
| TRCINT
| TRCJOB
| VFYCMN
| VFYLNKLPDA
| VFYPRT
| VFYTAP
| TRNPIN
| VFYMSTK
| VFYPIN
| WRKCNTINF
| WRKDEVTBL
| WRKDPCQ
| WRKDSTQ
| WRKFCNARA
| WRKJRN
| WRKLICINF
| WRKORDINF
| WRKPEXDFN
| WRKPEXFTR
| WRKPGMTBL
R
307

| Command Name
QSECOFR
QPGMR
QSYSOPR
QSRV
QSRVBAS
| WRKPRB
| WRKPTFGRP
| WRKSRVPVD
| WRKSYSACT
| WRKTXTIDX
| WRKUSRTBL
|
|
The CHGDSTPWD command is shipped with public authority *USE, but you must be signed on as
QSECOFR to use this command.
The QMSF user profile is also authorized to this command.
QSRV can only run this command if an IPL is not being done.
In addition to QSYS, user profile QRDARS400 has authority.
| 5
|
308
In addition to QSYS, user profile QUMB has authority.
|
|
Appendix D. Authority Required for Objects Used by

Commands
|
|
|
|
|
The tables in this appendix show what authority is needed for objects referenced
by commands. For example, in the entry for the Change User Profile
(CHGUSRPRF) command in User Profile Commands on page 436, the table lists
all the objects you need authority to, such as the users message queue, job
description, and initial program.
|
|
|
|
|
The tables are organized in alphabetical order according to object type. In addition,
tables are included for items that are not OS/400 objects (jobs, spooled files,
network attributes, and system values) and for some functions (device emulation
and finance). Additional considerations (if any) for the commands are included as
footnotes to the table.
Following are descriptions of the columns in the tables:
|
|
|
Referenced Object: The objects listed in the Referenced Object column are objects to
which the user needs authority when using the command. See Assumptions on
page 311 for information about objects which are not listed for each command.
|
|
|
|
|
|
Authority Needed for Object: The authorities specified in the tables show the
object authorities and the data authorities required for the object when using the
command. Table 136 describes the authorities that are specified in the Authority
Needed column. The description includes examples of how the authority is used. In
most cases, accessing an object requires a combination of object and data
authorities.
|
|
|
|
|
Authority Needed for Library: This column shows what authority is needed for
the library containing the object. For most operations, *EXECUTE authority is
needed to locate the object in the library. Adding an object to a library usually
requires *READ and *ADD authority. Table 136 describes the authorities that are
specified in the Authority Needed column.
Table 136. Description of Authority Types
Authority
Name
Functions Allowed
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Object Authorities:
*OBJOPR
Object Operational
*OBJMGT
Object Management
*OBJEXIST
Object Existence
*OBJALTER
Object Alter
Look at the description of an object. Use the

object as determined by the users data
authorities.
Specify the security for the object. Move or
rename the object. All functions defined for
*OBJALTER and *OBJREF.
Delete the object. Free storage of the object.
Perform save and restore operations for the
object 1. Transfer ownership of the object.
Add, clear, initialize and reorganize
members of the database files. Alter and add
attributes of database files: add and remove
triggers. Change the attributes of SQL
packages. Move a library or folder to a
different ASP.
309
Table 136. Description of Authority Types (continued)
Authority
Name
Functions Allowed
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
*OBJREF
Object Reference
*AUTLMGT
Authorization List
Management
Specify a database file as the parent in a

referential constraint. For example, you want
to define a rule that a customer record must
exist in the CUSMAS file before an order for
the customer can be added to the CUSORD
file. You need *OBJREF authority to the
CUSMAS file to define this rule.
Add and remove users and their authorities
from the authorization list 2.
Data Authorities:
*READ
Read
*ADD
Add
*UPD
Update
*DLT
Delete
*EXECUTE
Execute
Display the contents of the object, such as

viewing records in a file.
Add entries to an object, such as adding
messages to a message queue or adding
records to a file.
Change the entries in an object, such as
changing records in a file.
Remove entries from an object, such as
removing messages from a message queue
or deleting records from a file.
Run a program, service program, or SQL
package. Locate an object in a library or a
directory.
|
|
If a user has save system (*SAVSYS) special authority, object existence authority is
not required to perform save and restore operations on the object.
|
|
See the topic Authorization List Management on page 127 for more information.
|
|
|
In addition to these values, the Authority Needed columns of the table may show
system-defined subsets of these authorities. Table 137 shows the subsets of object
authorities and data authorities.
Authority
|
|
|
|
|
|
|
|
|
|
|
|
|
Object Authorities
*OBJOPR
*OBJMGT
*OBJEXIST
*OBJALTER
*OBJREF
Data Authorities
*READ
*ADD
*UPD
*DLT
*EXECUTE
|
|
Table 138 on page 311 shows additional authority subsets that are supported by the
CHGAUT and WRKAUT commands.
310
*ALL
*CHANGE
*USE
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
*EXCLUDE
Authority
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Object
Authorities
*OBJOPR
*OBJMGT
*OBJEXIST
*OBJALTER
*OBJREF
Data
Authorities
*READ
*ADD
*UPD
*DLT
*EXECUTE
|
|
For more information on these authorities and their descriptions, see Defining
How Information Can Be Accessed on page 120.
|
|
*RWX
*RW
*RX
*R
*WX
*W
*X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
Assumptions
|
|
1. To use any command, *USE authority is required to the command. This

authority is not specifically listed in the tables.
|
|
|
|
2. To enter any display command, you need operational authority to the

IBM-supplied display file, printer output file, or panel group used by the
command. These files and panel groups are shipped with public authority
*USE.
|
|
||
Authority Needed
Command
Referenced Object
For Object
|
|
|
|
Change (CHG) with

F4 (Prompt)7
Current values
The current values are *EXECUTE

displayed if the user
has authority to those
values.
|
|
Command accessing
object in directory
Directories in path prefix for QLANSrv file

system
*R
|
|
Directories in path prefix for all other file

systems
*X
|
|
Directory when pattern is specified (* or ?)

for QLANSrv file system
None
|
|
Directory when pattern is specified (* or ?)

for all other file system
*R
For Library
Appendix D. Authority Required for Objects Used by Commands
311

|
Authority Needed
Command
Referenced Object
For Object
For Library
|
|
|
|
|
Copy (CPY) where

to-file is a database
file
Object to be copied
*OBJOPR, *READ
*EXECUTE
CRTPF command, if CRTFILE (*YES) is

specified
*OBJOPR
*EXECUTE
To-file, if CRTFILE (*YES) is specified1
*ADD, *EXECUTE
|
|
To-file, if it exists and new member is added *OBJOPR, *OBJMGT,

*ADD, *DLT
*ADD, *EXECUTE
|
|
To-file, if file and member exist and *ADD

option is specified
*OBJOPR, *ADD
*EXECUTE
|
|
To-file, if file and member exist and

*REPLACE option is specified
*OBJOPR, *OBJMGT,
*ADD, *DLT
*EXECUTE
|
|
To-file, if it exists, a new member is added,

and *UPDADD option is specified.8
*OBJOPR, *OBJMGT,
*ADD, *UPD
*EXECUTE
|
|
To-file, if file and member exist and

*UPDADD option is specified.8
*OBJOPR, *ADD,
*UPD
*EXECUTE
Create (CRT)
|
|
|
Object to be created2
*READ, *ADD
User profile that will own created object

(either the user profile running the job or
the users group profile)
*ADD
Object to be created (and replaced)2
*OBJMGT, *OBJEXIST, *READ, *ADD

*READ5
User profile that will own created object

(either the user profile running the job or
the users group profile)
*ADD
|
|
|
|
|
|
Create (CRT) if
REPLACE(*YES) is
specified 6, 9
|
|
|
|
|
|
|
Display (DSP) or
Object to be displayed
*USE
other operation using
3
Output file, if file does not exist
output file
(OUTPUT(*OUTFILE)) Output file, if file exists and new member is *OBJOPR, *OBJMGT,
added, or if *REPLACE option specified and *ADD, *DLT
member did not previously exist
*EXECUTE
*ADD, *EXECUTE
*ADD, *EXECUTE
|
|
Output file, if file and member exist and

*ADD option is specified
*OBJOPR, *ADD
*EXECUTE
|
|
Output file, if file and member exist and

*REPLACE option is specified
*OBJOPR, *OBJMGT,
*ADD, *DLT
*EXECUTE
|
|
Format file (QAxxxxx file in QSYS), if

output file does not exist
*OBJOPR, *READ
Object to be displayed
*USE
*EXECUTE
*READ
*EXECUTE
Printer file (QPxxxxx in QSYS)
*USE
*EXECUTE
Device description
*USE
*EXECUTE
Device file associated with device

*USE
description, such as QSYSTAP for the TAP01
device description
*EXECUTE
|
|
|
|
|
Display (DSP) using

*PRINT or Work
(WRK) using *PRINT
|
|
|
|
|
|
Save (SAV) or other

operation using
device description
312
Output queue

|
Authority Needed
Command
|
|
|
|
|
|
The user profile running the copy command becomes the owner of the to-file, unless the user is a member
of a group profile and has OWNER(*GRPPRF). If the users profile specifies OWNER(*GRPPRF), the group
profile becomes the owner of the to-file. In that case, the user running the command must have *ADD
authority to the group profile and the authority to add a member and write data to the new file. The to-file
is given the same public authority, primary group authority, private authorities, and authorization list as
the from-file.
|
|
|
|
The user profile running the create command becomes the owner of the newly created object, unless the
user is a member of a group profile and has OWNER(*GRPPRF). If the users profile specifies
OWNER(*GRPPRF), the group profile becomes the owner of the newly created object. Public authority to
the object is controlled by the AUT parameter.
|
|
|
|
The user profile running the display command becomes the owner of the newly created output file, unless
the user is a member of a group profile and has OWNER(*GRPPRF). If the users profile specifies
OWNER(*GRPPRF), the group profile becomes the owner of the output file. Public authority to the output
file is controlled by the CRTAUT parameter of the output file library.
|
|
|
If the output queue is defined as OPRCTL (*YES), a user with *JOBCTL special authority does not need any
authority to the output queue. A user with *SPLCTL special authority does not need any authority to the
output queue.
For device files, *OBJOPR authority is also required.
|
|
The REPLACE parameter is not available in the S/38 environment. REPLACE(*YES) is equivalent to using
a function key from the programmer menu to delete the current object.
Authority to the corresponding (DSP) command is also required.
The *UPDADD option in only available on the MBROPT parameter of the CPYF command.
|
|
This does not apply to the REPLACE parameter on the CRTJVAPGM command.
|
|
Referenced Object
For Object
Commands Common for Most Objects

Commands identified by (Q) are shipped with public authority *EXCLUDE.
Appendix C shows which IBM-supplied user profiles are authorized to the
command. The security officer can grant *USE authority to others.
|
|
|
||
|
|
Authority Needed
Command
ALCOBJ
1,2,11
ANZUSROBJ
CHGOBJAUD
CHGOBJD
Referenced Object
For Object
For Library
Object
*OBJOPR
*EXECUTE
ASP Device (if specified)
*USE
Object, if it is a file
*OBJOPR, *OBJMGT
*EXECUTE
Object, if it is not a file
*OBJMGT
*EXECUTE
Object
*OBJEXIST
*EXECUTE
20
For Library
18
CHGOBJOWN
3,4
Object (if file, library, subsystem description) *OBJOPR, *OBJEXIST
*EXECUTE
Object (if authorization list)
Ownership or
*ALLOBJ
*EXECUTE
Old user profile
*DLT
*EXECUTE
New user profile
*ADD
*EXECUTE
*USE
313

Authority Needed
Command
CHGOBJPGP
CHKOBJ
CPROBJ
CHKOBJITG
11
CRTDUPOBJ
3,9,11,21
1,11
DMPOBJ (Q)
DMPSYSOBJ (Q)
DSPOBJAUT
DSPOBJD
GRTOBJAUT
314
EDTOBJAUT
For Object
For Library
Object
*OBJEXIST
*EXECUTE
Object (if file, library, subsystem description) *OBJOPR, *OBJEXIST
*EXECUTE
Object (if authorization list)
Ownership and
*OBJEXIST, or
*ALLOBJ
*EXECUTE
Old user profile
*DLT
New user profile
*ADD
*USE
Object
Authority specified by *EXECUTE

AUT parameter 14
Object
*OBJMGT
*EXECUTE
(Q)
DCPOBJ
DLCOBJ
Referenced Object
3,5,6,15
3,5,6,15
New object
*USE, *ADD
Object being copied, if it is an authorization

list
*AUTLMGT
*USE, *ADD
Object being copied, all other types
*OBJMGT, *USE
*USE
CRTSAVF command (if the object is a save

file)
*OBJOPR
Object
*USE
*EXECUTE
Object
*OBJOPR
*EXECUTE
Object
*OBJOPR, *READ
*EXECUTE
Object
*OBJOPR, *READ
*EXECUTE
Object (to see all authority information)
*OBJMGT or
*ALLOBJ special
authority or
ownership
*EXECUTE
Output file
See General Rules on

page 311

page 311
*USE
Output file

page 281

page 281
Object
*OBJMGT
*EXECUTE
Object (if file)
*OBJOPR, *OBJMGT
*EXECUTE
Authorization list, if used to secure object
Not *EXCLUDE
*USE
Object
*OBJMGT
*EXECUTE
Object (if file)
*OBJOPR, *OBJMGT
*EXECUTE
Authorization list, if used to secure object
Not *EXCLUDE
*USE
Reference ASP Device (if specified)
*EXECUTE

Authority Needed
Command
MOVOBJ
3,7,12
140
PRTADPOBJ
For Object
For Library
Object
*OBJMGT
Object (if *File)
*OBJOPR, *OBJMGT
From-library
*CHANGE
To-library
*READ, *ADD
(Q)
20
PRTPUBAUT
PRTUSROBJ
Referenced Object
20
PRTPVTAUT
20
RCLSTG (Q)
RCLTMPSTG (Q)
RNMOBJ
RSTOBJ
3,11
3,13
(Q)
Object
*OBJMGT
*EXECUTE
Object
*OBJMGT
*UPD, *EXECUTE
Object, if authorization list
*AUTLMGT
*EXECUTE
Object (if *FILE)
*OBJOPR, *OBJMGT
*UPD, *EXECUTE
Object, if it already exists in the library
*OBJEXIST
Media definition
*USE
*EXECUTE
Message queues being restored to library

where they already exist
*OBJOPR, *OBJEXIST
*EXECUTE, *ADD
User profile owning objects being created
*ADD
Program that adopts authority
Owner or *SECADM
and *ALLOBJ special
authority
To-library
*EXECUTE, *ADD
(Q)
RSTOBJ
(continued)
Save file
*USE
Tape unit, diskette unit or optical unit
*USE
Tape (QSYSTAP) file or diskette (QSYSDKT) *USE

file
Optical File (OPTFILE)22
*EXECUTE
*EXECUTE
8
*EXECUTE
N/A
*X
N/A
Optical volume
*USE
N/A
QSYS/QPSRLDSP print file, if

OUTPUT(*PRINT) specified
*USE
*EXECUTE
Output file, if specified

page 311

page 311
QSYS/QASRRSTO field reference file for

output file, if an output file is specified and
does not exist
*USE
*EXECUTE
Path prefix of OPTFILE

24
*X
22
RTVOBJD
*EXECUTE
N/A
Parent Directory of optical file (OPTFILE)
20
*R
22
RVKPUBAUT
*EXECUTE, *ADD
Library for saved object if VOL(*SAVVOL) is *USE

specified
3,13
Tape (QSYSTAP) file or diskette (QSYSDKT) *USE

file
22
*EXECUTE
*R
N/A
*X
N/A
315

Authority Needed
Command
RVKOBJAUT
Referenced Object
3,5,15
For Object
For Library
*X
N/A
Optical volume
*USE
N/A
QSYS/QPSRLDSP print file, if

OUTPUT(*PRINT) specified
*USE
*EXECUTE
*USE

page 311

page 311
QSYS/QASRRSTO field reference file for

does not exist
*USE
*EXECUTE
Tape unit, diskette unit, optical unit
*USE
*EXECUTE
Save file, if empty
*USE, *ADD
*EXECUTE
Save file, if records exist in it
*OBJMGT, *USE,
*ADD
*EXECUTE
Save active message queue
*OBJOPR, *ADD
*EXECUTE
*RW
N/A
22

24
SAVCHGOBJ
SAVCHGOBJ
(continued)
22
Optical File (OPTFILE)
22
*WX
N/A
22
*X
N/A
22, 23
*RWX
N/A

Path prefix of optical file (OPTFILE)
Root Directory (/) of optical volume

24
SAVOBJ
316
Optical volume
*CHANGE

page 311
QSYS/QASAVOBJ field reference file for

does not exist
*USE
QSYS/QPSAVOBJ print file
*USE

page 311
*EXECUTE
*EXECUTE
8
Object
*OBJEXIST
Media definition
*USE
*EXECUTE
Tape unit, diskette unit, optical unit
*USE
*EXECUTE
Save file, if empty
*USE, *ADD
*EXECUTE
*OBJMGT, *USE,
*ADD
*EXECUTE
*OBJOPR, *ADD
*EXECUTE
*EXECUTE

Authority Needed
Command
SAVOBJ
Referenced Object
22
(continued) Optical File (OPTFILE)
22

22
Root directory (/) of optical volume
22, 23
24
For Library
*RW
N/A
*WX
N/A
*X
N/A
*RWX
N/A
Optical volume
*CHANGE

page 311
QSYS/QASAVOBJ field reference file for

does not exist
*USE
*EXECUTE
QSYS/QPSAVOBJ print file
*USE
*EXECUTE
Tape unit, optical unit
*USE
*EXECUTE
Root directory (/) of optical volume22
*RWX
N/A
Optical volume24
*CHANGE
N/A
Object
*OBJOPR
*EXECUTE
Object
Any authority
*USE
User profile
*READ
*EXECUTE
User profile
*READ
*EXECUTE

page 311
10
SAVSTG
SAVSYS
For Object
10
SAVRSTCHG
On the source system, same authority as

required by SAVCHGOBJ command.
On the target system, same authority as
required by RSTOBJ command.
SAVRSTLIB

required by SAVLIB command.
required by RSTLIB command.
SAVRSTOBJ

required by SAVOBJ command.
required by RSTOBJ command.
SETOBJACC
WRKOBJ
19
WRKOBJLCK
WRKOBJOWN
WRKOBJPGP
17
17
See the OBJTYPE keyword of the ALCOBJ command for the list of object types that can be allocated and
deallocated.
Some authority to the object (other than *EXCLUDE) is required.
This command cannot be used for documents or folders. Use the equivalent Document Library Object
(DLO) command.
You must have *ALLOBJ and *SECADM special authority to change the object owner of a program, service
program, or SQL package that adopts authority.
You must be the owner or have *OBJMGT authority and the authorities being granted or revoked.
317

Authority Needed
Command
Referenced Object
For Object
For Library
You must be the owner or have *ALLOBJ special authority to grant *OBJMGT or *AUTLMGT authority.
This command cannot be used for user profiles, controller descriptions, device descriptions, line
descriptions, documents, document libraries, and folders.
If you have *SAVSYS special authority, you do not need the authority specified.
If the user running the CRTDUPOBJ command has OWNER(*GRPPRF) in his user profile, the owner of the
new object is the group profile. To successfully copy authorities to a new object owned by the group
profile, the following applies:
v The user running the command must have some private authority to the from-object.
v If the user has some private authority to the object, additional authorities can be obtained from adopted
authority.
v If an error occurs while copying authorities to the new object, the newly created object is deleted.
v *OBJMGT authority is only copied if the user running the CRTDUPOBJ command is the object owner or
has *ALLOBJ special authority. Adopted authority can be used to obtain ownership or *ALLOBJ special
authority.
10
You must have *SAVSYS special authority.
11
This command cannot be used for journals and journal receivers.
12
This command cannot be used for journals and journal receivers, unless the from-library is QRCL and the
to-library is the original library for the journal or journal receiver.
13
You must have *ALLOBJ special authority to specify ALWOBJDIF(*ALL).
14
To check a users authority to an object, you must have the authority you are checking. For example, to
check whether a user has *OBJEXIST authority for FILEB, you must have *OBJEXIST authority to FILEB.
15
To secure an object with an authorization list or remove the authorization list from the object, you must
(one of the following):
v Own the object.
v Have *ALL authority to the object.
v Have *ALLOBJ special authority.
16
If either the original file or the renamed file has an associated authority holder, *ALL authority to the
authority holder is required.
17
This command does not support the QOPT file system.
18
You must have *AUDIT special authority.
19
To use an individual operation, you must have the authority required by the individual operation.
20
You must have *ALLOBJ special authority.
21
All authorities on the from-object are duplicated to the new object. The primary group of the new object is
determined by the group authority type (GRPAUTTYP) field in the user profile that is running the
command. If the from-object has a primary group, the new object may not have the same primary group,
but the authority that the primary group has on the from-object will be duplicated to the new object.
22
This authority check is only made when the Optical media format is Universal Disk Format.
23
This authority check is only made if you are clearing the optical volume
24
Optical volumes are not actual system objects. The link between the optical volume and the authorization
list used to secure the volume is maintained by the optical support function.
318
Authorities Needed
Access Path Recovery Commands
These commands do not require object authorities.
CHGRCYAP 1,
(Q)
DSPRCYAP
EDTRBDAP
(Q)
You must have *JOBCTL special authority to use this command.
You must have *ALLOBJ special authority to use this command.
You must have *USE authority to access IASP device description.
EDTRCYAP 1,
(Q)
Advanced Function Printing Commands

Authority Needed
Command
Referenced Object
For Object
For Library
ADDFNTTBLE
Font table
*CHANGE
*EXECUTE
CHGCDEFNT
Font resource
*CHANGE
*EXECUTE
CHGFNTTBLE
Font table
*CHANGE
*EXECUTE
CRTFNTRSC
Source file
*USE
*EXECUTE
Font resource: REPLACE(*NO)

Font resource: REPLACE(*YES)
CRTFNTTBL
Font table
CRTFORMDF
Source file
*READ, *ADD
page 311
*READ, *ADD
*USE
Form definition: REPLACE(*NO)
CRTOVL
Form definition: REPLACE(*YES)

page 311
*READ, *ADD
Source file
*USE
*EXECUTE
*READ, *ADD
Overlay: REPLACE(*YES)

page 311
*READ, *ADD
Source file
*USE
*EXECUTE
Page definition: REPLACE(*NO)
CRTPAGSEG
*EXECUTE
*READ, *ADD
Overlay: REPLACE(*NO)
CRTPAGDFN
*READ, *ADD
*READ, *ADD
Page definition: REPLACE(*YES)

page 311
*READ, *ADD
Source file
*USE
*EXECUTE
Page segment: REPLACE(*NO)
*READ, *ADD
Page segment: REPLACE(*YES)

page 311
*READ, *ADD
DLTFNTRSC
Font resource
*OBJEXIST
*EXECUTE
DLTFNTTBL
Font table
*CHANGE
*EXECUTE
DLTFORMDF
Form definition
*OBJEXIST
*EXECUTE
319
Printing Commands
Authority Needed
Command
Referenced Object
For Object
For Library
DLTOVL
Overlay
*OBJEXIST
*EXECUTE
DLTPAGDFN
Page definition
*OBJEXIST
*EXECUTE
DLTPAGSEG
Page segment
*OBJEXIST
*EXECUTE
DSPCDEFNT
Font resource
*USE
*EXECUTE
DSPFNTRSCA
Font resource
*USE
*EXECUTE
DSPFNTTBL
Font table
*USE
*EXECUTE
Font table
*CHANGE
*EXECUTE
Font resource
*USE
*USE
Form definition
*USE
*USE
Overlay
*USE
*USE
Page definition
Any authority
*USE
Page segment
*USE
Any authority
RMVFNTTBLE
WRKFNTRSC
WRKFORMDF
WRKOVL
WRKPAGDFN
WRKPAGSEG
1
1
1
To use individual operations, you must have the authority required by the individual operation.
AF_INET Sockets Over SNA Commands

These commands do not require any authority to objects:
ADDIPSIFC1
ADDIPSRTE1
ADDIPSLOC1
CFGIPS
CHGIPSIFC1
CHGIPSLOC1
CHGIPSTOS1
CVTIPSIFC
CVTIPSLOC
ENDIPSIFC (Q)
PRTIPSCFG
RMVIPSIFC1
RMVIPSLOC1
RMVIPSRTE1
STRIPSIFC (Q)
You must have *IOSYSCFG special authority to use this command.
Alerts
command. The security officer can grant *USE to others.
Authority Needed
Command
Referenced Object
For Object
For Library
ADDALRD
Alert table
*USE, *ADD
*EXECUTE
CHGALRD
Alert table
*USE, *UPD
*EXECUTE
CHGALRTBL (Q)
Alert table
*CHANGE
*EXECUTE
CRTALRTBL (Q)
Alert table
DLTALR
Physical file QAALERT
*USE, *DLT
*EXECUTE
DLTALRTBL (Q)
Alert table
*OBJEXIST
*EXECUTE
RMVALRD
Alert table
*USE, *DLT
*EXECUTE
Physical file QAALERT
*USE
*EXECUTE
WRKALR
320
*READ, *ADD
Alerts
Authority Needed
Command
WRKALRD
WRKALRTBL
1
Referenced Object
For Object
For Library
Alert table
*USE
*EXECUTE
Alert table
*READ
*USE
Application Development Commands

Authority Needed
Command
Referenced Object
For Object
EXPPART
Object to be created by export, if it does not

already exist
For Library
*USE, *ADD
Object to be created by export, if it is being

replaced
*OBJOPR, *OBJMGT,
*OBJEXIST
*USE, *ADD, *DLT
Source file to which part is being exported,

if the member does not exist
*OBJOPR, *OBJMGT,
*ADD
*USE, *ADD
Source file to which part is being exported,

if the member is being replaced
*OBJOPR, *OBJMGT,
*OBJEXIST, *ADD,
*DLT
*USE, *ADD
User profile to which ownership of exported *ADD

part is assigned
IMPPART
Any importable objects
*OBJMGT, *USE
*USE
Source file, when importing a source

member
*USE
*USE
FNDSTRPDM
Source part
*READ
*EXECUTE
MRGFORMD
Form description
*READ
*EXECUTE
Source file
*OBJMGT, *CHANGE *READ, *ADD
Commands CRTPF, CRTLF, ADDPFM,

ADDLFM, and RMVM
*USE
*OBJMGT, *CHANGE *EXECUTE
STRAPF
STRBGU
Chart
STRDFU
Program (if create program option)
STRPDM
*EXECUTE
*READ, *ADD
Program (if change or delete program

option)
*OBJEXIST
*EXECUTE
Program (if change or display data option)
*USE
*EXECUTE
Database file (if change data option)
*OBJOPR, *ADD,
*UPD, *DLT
*EXECUTE
Database file (if display data option)
*USE
*EXECUTE
Display file (if display or change data

option)
*USE
*EXECUTE
Display file (if change program option)
*USE
*EXECUTE
Display file (if delete program option)
*OBJEXIST
*EXECUTE
321
Application Development Commands

Authority Needed
Command
Referenced Object
For Object
STRRLU
Source file
*READ, *ADD, *UPD, *EXECUTE

*DLT
Edit, add, or change a member
*OBJOPR, *OBJMGT
*READ, *ADD
Browse a member
*OBJOPR
*EXECUTE
Print a prototype report
*OBJOPR
*EXECUTE
Remove a member
*OBJOPR, *OBJEXIST
*EXECUTE
Change type or text of member
*OBJOPR
*EXECUTE
Source file
*READ, *ADD, *UPD, *EXECUTE

*DLT
Update and add new member
*CHANGE, *OBJMGT *READ, *ADD
Delete member
*ALL
*EXECUTE
Source file
*USE
*EXECUTE
Edit or change a member
*CHANGE, *OBJMGT *EXECUTE
Add a member
*USE, *OBJMGT
*READ, *ADD
Browse a member
*USE
*EXECUTE
Print a member
*USE
*EXECUTE
Remove a member
*USE, *OBJEXIST
*EXECUTE
Change type or text of a member
*USE, *OBJMGT
*EXECUTE
*READ
*EXECUTE
Source file
*USE
*EXECUTE
File
*READ
*EXECUTE
*READ
*EXECUTE
*READ
*EXECUTE
STRSDA
STRSEU
1,4
WRKGRPPDM
WRKLIBPDM
WRKMBRPDM
WRKOBJPDM
WRKPARTPDM
WRKPRJPDM
Group
For Library
1,4
1,4
Part (object or source member)

Project
To use the individual operations, you must have the authority required by the individual operation.
A group corresponds to a library.
A project consists of one or more groups (libraries).
For more information, see the WebSphere Development Studio: Application Development Manager Users Guide
book.
Authority Holder Commands

Authority Needed
Command
Referenced Object
For Object
For Library
CRTAUTHLR (Q)
Associated object if it exists
*ALL
*EXECUTE
DLTAUTHLR
Authority holder
*ALL
*EXECUTE
DSPAUTHLR
Output file

page 311

page 311
322
Authorization List Commands
Authorization List Commands

Authority Needed
Command
Referenced Object
For Object
For QSYS Library
ADDAUTLE
Authorization list
*AUTLMGT or
ownership
*EXECUTE
CHGAUTLE
Authorization list
*AUTLMGT or
ownership
*EXECUTE
DLTAUTL
Authorization list
Owner or *ALLOBJ
*EXECUTE
DSPAUTL
Authorization list
CRTAUTL
*EXECUTE
Output file

page 311

page 311
DSPAUTLDLO
Authorization list
*USE
*EXECUTE
DSPAUTLOBJ
Authorization list
*READ
*EXECUTE
Output file

page 311

page 311
Authorization list
*AUTLMGT or
ownership
*EXECUTE
Authorization list
*AUTLMGT or
ownership
*EXECUTE
Authorization list
*AUTLMGT or
ownership
*EXECUTE
EDTAUTL 1
RMVAUTLE
RTVAUTLE
WRKAUTL 3,4,5
Authorization list
You must be the owner or have authorization list management authority and have the authorities being
given or taken away.
If do not have *OBJMGT or *AUTLMGT, you can retrieve *PUBLIC authority and your own authority. You
must have *READ authority to your own profile to retrieve your own authority.
To use an individual operation, you must have the authority required by the operation
You must not be excluded (*EXCLUDE) from the authorization list.
Some authority to the authorization list is required.
Binding Directory Commands

Authority Needed
Command
Referenced Object
For Object
For Library
ADDBNDDIRE
Binding directory
*OBJOPR, *ADD
*USE
CRTBNDDIR
Binding directory
DLTBNDDIR
Binding directory
*OBJEXIST
*EXECUTE
DSPBNDDIR
Binding directory
*READ, *OBJOPR
*USE
Binding directory
*OBJOPR, *DLT
*READ, *OBJOPR
Binding directory
Any authority
*USE
Binding directory
*READ, *OBJOPR
*USE
RMVBNDDIRE
WRKBNDDIR
WRKBNDDIRE
1
*READ, *ADD
To use individual operations, you must have the authority required by the operation.
323
Change Request Description Commands
Change Request Description Commands

Authority Needed
Command
Referenced Object
For Object
For Library
ADDCMDCRQA (Q)
Change request description
*CHANGE
*EXECUTE
ADDOBJCRQA (Q)
*CHANGE
*EXECUTE
ADDPRDCRQA (Q)
*CHANGE
*EXECUTE
ADDPTFCRQA (Q)
*CHANGE
*EXECUTE
ADDRSCCRQA (Q)
*CHANGE
*EXECUTE
CHGCMDCRQA (Q)
*CHANGE
*EXECUTE
CHGOBJCRQA (Q)
*CHANGE
*EXECUTE
CHGPRDCRQA (Q)
*CHANGE
*EXECUTE
CHGPTFCRQA (Q)
*CHANGE
*EXECUTE
CHGCRQD
*CHANGE
*EXECUTE
CHGRSCCRQA (Q)
*CHANGE
*EXECUTE
CRTCRQD
DLTCRQD
*OBJEXIST
*EXECUTE
RMVCRQDA
*CHANGE
*EXECUTE
WRKCRQD
1
*READ, *ADD
*EXECUTE
Chart Commands
Authority Needed
Command
Referenced Object
For Object
For Library
DLTCHTFMT
Chart format
*OBJEXIST
*EXECUTE
DSPCHT
Chart format
*USE
*USE
Database file
*USE
*USE
Database file
*USE
*USE
Chart format
*CHANGE,
*OBJEXIST
*EXECUTE
Chart format
Any authority
*USE
DSPGDF
STRBGU (Option 3)
WRKCHTFMT
To use an individual operation, you must have the authority required by the operation .
Option 3 on the BGU menu (shown when STRGBU is run) is the Change chart format option.
Class Commands
Authority Needed
Command
Referenced Object
For Object
For Library
CHGCLS
Class
*OBJMGT, *OBJOPR
*EXECUTE
324
Class Commands
Authority Needed
Command
Referenced Object
CRTCLS
Class
DLTCLS
Class
*OBJEXIST
*EXECUTE
Class
*OBJOPR
*EXECUTE
Class
*OBJOPR
*USE
DSPCLS
WRKCLS
1
For Object
For Library
*READ, *ADD
Class-of-Service Commands
Authority Needed
Command
3
CHGCOSD
CRTCOSD
For Object
For Library
Class-of-service description
*CHANGE, OBJMGT
*EXECUTE
*OBJEXIST
*EXECUTE
*USE
*EXECUTE
*OBJOPR
*EXECUTE
DLTCOSD
DSPCOSD
WRKCOSD
Referenced Object
1,2
Some authority to the object is required.
To use this command, you must have *IOSYSCFG special authority.
Command (*CMD) Commands

Authority Needed
Command
Referenced Object
For Object
For Library
CHGCMD
Command
*OBJMGT
*EXECUTE
CHGCMDDFT
Command
*OBJMGT, *USE
*EXECUTE
CRTCMD
Source file
*USE
*EXECUTE
Command: REPLACE(*NO)
*READ, *ADD
Command: REPLACE(*YES)

page 311

page 311
DLTCMD
Command
*OBJEXIST
*EXECUTE
DSPCMD
Command
*USE
*EXECUTE
SBMRMTCMD
Command
*OBJOPR
*EXECUTE
DDM file
*USE
*EXECUTE
Command
Any authority
*USE
Command
Any authority
*USE
SLTCMD
WRKCMD
Ownership or some authority to the object is required.
325
Commitment Control Commands
Commitment Control Commands

Authority Needed
Command
Referenced Object
For Object
For Library
Message queue, as specified on NFYOBJ

keyword for the associated STRCMTCTL
command.
*OBJOPR, *ADD
*EXECUTE
Message queue, when specified on NFYOBJ

keyword
*OBJOPR, *ADD
*EXECUTE
Data area, as specified on NFYOBJ keyword

for the associateed STRCMTCTL command.
*CHANGE
*EXECUTE
Files, as specified on NFYOBJ keyword for

the associated STRCMTCTL command.
*OBJOPR *READ
*EXECUTE
COMMIT
ENDCMTCTL
ROLLBACK
STRCMTCTL
WRKCMTDFN
1
Any user can run this command for commitment definitions that belong to a job that is running under the
user profile of the user. A user who has job control (*JOBCTL) special authority can run this command for
any commitment definition.
Communications Side Information Commands

Authority Needed
Command
Referenced Object
CHGCSI
Communications side information object

Device description
CRTCSI
For Object
For Library
*USE, *OBJMGT
*EXECUTE
*CHANGE

Device description
*READ, *ADD
*CHANGE
DLTCSI
*OBJEXIST
*EXECUTE
DSPCSI
*READ
*EXECUTE
WRKCSI
Communications side information objects
*USE
*EXECUTE
Authority is verified when the communications side information object is used.
Configuration Commands
Authority Needed
Command
Referenced Object
For Object
PRTDEVADR
Controller description (CTL)
*USE
*EXECUTE
Device description
*USE
*EXECUTE
326
For Library
Configuration Commands
Authority Needed
Command
Referenced Object
5
RSTCFG (Q)
For Object
Every object being restored over by a saved

version
*OBJEXIST
For Library
1
*EXECUTE
To-library
*ADD, *EXECUTE
User profile owning objects being created
*ADD
Tape unit
*USE
*EXECUTE
1
*EXECUTE
Tape file (QSYSTAP)
*USE
Save file, if specified
*USE
*EXECUTE
Print file (QPSRLDSP), if output(*print) is

specified
*USE
*EXECUTE

page 311

page 311
QSYS/QASRRSTO field reference file, if

output file is specified and it does not exist
*USE
*EXECUTE
RTVCFGSTS
Object
*OBJOPR
*EXECUTE
RTVCFGSRC
Object
*USE
*EXECUTE
Source file
*OBJOPR, *OBJMGR,
*ADD, *DLT
*EXECUTE
Save file, if empty
*USE, *ADD
*EXECUTE
*USE, *ADD,
*OBJMGT
*EXECUTE
Object
*USE, *OBJMGT
*EXECUTE
Object
*OBJOPR
*EXECUTE
SAVCFG
SAVRSTCFG

required by SAVCFG command.
required by RSTCFG command.
VRYCFG
3,6
WRKCFGSTS
You must have *SAVSYS special authority.
If a user has *JOBCTL special authority, authority to the device is not needed.
You must have *IOSYSCFG special authority for media library when status is *ALLOCATE or
*DEALLOCATE.
Configuration List Commands

Authority Needed
Command
ADDCFGLE
CHGCFGL 2
CHGCFGLE
CPYCFGL 2
Referenced Object
For Object
Configuration list
For Library
Configuration list
Configuration list
Configuration list
*USE, *OBJMGT
*ADD
327
Configuration List Commands

Authority Needed
Command
Referenced Object
2
CRTCFGL
2
2
RMVCFGLE
1, 2
WRKCFGL
For Library
Configuration list
*OBJEXIST
*EXECUTE
Configuration list
*USE, *OBJMGT
*EXECUTE
Configuration list
Configuration list
*OBJOPR
Configuration list
DLTCFGL
DSPCFGL
For Object
*EXECUTE
Connection List Commands

Authority Needed
Command
2
ADDCNNLE
CHGCNNL
2
2
CHGCNNLE
CRTCNNL
Referenced Object
For Object
Connection list
Connection list
Connection list
For Library
*EXECUTE
DLTCNNL
DSPCNNL
Connection list
*OBJEXIST
*EXECUTE
*EXECUTE
Connection list
*USE
RMVCNNLE
Connection list
RNMCNNLE
Connection list
Connection list
*OBJOPR
*EXECUTE
Connection list
*USE
*EXECUTE
WRKCNNL
1
1
WRKCNNLE
1
Controller Description Commands

Authority Needed
Command
CHGCTLAPPC
CHGCTLASC
CHGCTLBSC
CHGCTLFNC
328
Referenced Object
For Object
Controller description
Line description (SWTLINLST)
*USE
*EXECUTE
Connection list (CNNLSTOUT)
*USE
*EXECUTE
*USE
*USE
*USE
For Library
*EXECUTE
*EXECUTE
*EXECUTE

Authority Needed
Command
CHGCTLHOST
CHGCTLLWS
CHGCTLNET
CHGCTLRTL
CHGCTLRWS
CHGCTLTAP
CHGCTLVWS
CRTCTLAPPC
2
2
Referenced Object
For Object
For Library
*USE
*EXECUTE
*USE
*EXECUTE
Program (INZPGM)
*USE
*USE
*USE
*EXECUTE
*USE
*EXECUTE
Controller
Line description (LINE or SWTLINLST)
*USE
*EXECUTE
Device description (DEV)
*USE
*EXECUTE
*USE
*EXECUTE
*USE
*EXECUTE
*USE
*EXECUTE
*USE
*EXECUTE
*USE
*EXECUTE
*USE
*EXECUTE
*USE
*EXECUTE
*USE
*EXECUTE
*USE
*EXECUTE
*USE
*EXECUTE
*USE
*EXECUTE
Program (INZPGM)
*USE
*EXECUTE
Line description (LINE)
*USE
*EXECUTE
*USE
*EXECUTE
*USE
*EXECUTE
*USE
*EXECUTE
*EXECUTE
*EXECUTE
CRTCTLASC
CRTCTLBSC
CRTCTLFNC
CRTCTLHOST
CRTCTLLWS

CRTCTLNET
CRTCTLRTL
329

Authority Needed
Command
2
CRTCTLRWS
Referenced Object
For Object
For Library
*USE
*EXECUTE
*USE
*EXECUTE
*USE
*EXECUTE
*USE
*EXECUTE
*USE
*EXECUTE
CRTCTLTAP

CRTCTLVWS

DLTCTLD
*OBJEXIST
*EXECUTE
DSPCTLD
*USE
*EXECUTE
*USE
*EXECUTE
*USE
*EXECUTE
*OBJOPR
*EXECUTE
ENDCTLRCY
PRTCMNSEC
2, 3
RSMCTLRCY
WRKCTLD
To use this command, you must have *ALLOBJ special authority.
Cryptography Commands
Authority Needed
Command
Referenced Object
For Object
For Library
ADDCRSDMNK (Q)
QUSRSYS/QACRKTBL *FILE
*OBJOPR, *ADD
*EXECUTE
QHST message queue
*OBJOPR, *ADD
*EXECUTE
*OBJOPR, *READ,
*UPD
*EXECUTE
QHST message queue
*OBJOPR, *ADD
*EXECUTE
*OBJOPR, *READ,
*UPD
*EXECUTE
QHST message queue
*OBJOPR, *ADD
*EXECUTE
*OBJOPR, *ADD
*EXECUTE
CHGCRSDMNK (Q)
CHGMSTK (Q)
CPHDTA (Q)
ENCCPHK (Q)
ENCFRMMSTK (Q)
ENCTOMSTK (Q)
*OBJOPR, *READ
*EXECUTE
GENCPHK (Q)
*OBJOPR, *READ
*EXECUTE
330
Cryptography Commands
Authority Needed
Command
Referenced Object
For Object
For Library
GENCRSDMNK (Q)
*OBJOPR, *ADD
*EXECUTE
QCRP/QPCRGENX *FILE
*OBJOPR, *READ
*EXECUTE
QHST message queue
*OBJOPR, *ADD
*EXECUTE
GENPIN (Q)
*OBJOPR, *READ
*EXECUTE
RMVCRSDMNK (Q)
*OBJOPR, *READ,
*DLT
*EXECUTE
QHST message queue
*OBJOPR, *ADD
*EXECUTE
*OBJOPR, *READ,
*UPD
*EXECUTE
QHST message queue
*OBJOPR, *ADD
*EXECUTE
TRNPIN (Q)
*OBJOPR, *READ
*EXECUTE
VFYMSTK (Q)
QHST message queue
*OBJOPR, *ADD
*EXECUTE
VFYPIN (Q)
*OBJOPR, READ
*EXECUTE
GENMAC (Q)
SETMSTK (Q)
Data Area Commands

Authority Needed
Command
CHGDTAARA
CRTDTAARA
Referenced Object
For Object
For Library
Data area
*CHANGE
*EXECUTE
Data area
APPC device description
DLTDTAARA
DSPDTAARA
RTVDTAARA
WRKDTAARA
*READ, *ADD
4
*CHANGE
Data area
*OBJEXIST
*EXECUTE
Data area
*OBJOPR
*EXECUTE
Data area
*OBJOPR
*EXECUTE
Data area
Any authority
*USE
If the create and change data area commands are run using high-level language functions, these authorities
are still required although authority to the command is not.
Authority is verified at run time, but not at compilation time.
To use an individual operation, you must have the authority required by the operation.
Authority is verified when the data area is used.
331
Data Queue Command
Data Queue Commands

Authority Needed
Command
Referenced Object
CRTDTAQ
Data queue
DLTDTAQ
WRKDTAQ
For Object
For Library
*READ, *ADD
Target data queue for the QSNDDTAQ

program
*OBJOPR, *ADD
*EXECUTE
Source data queue for the QRCVDTAQ

program
*OBJOPR, *READ
*EXECUTE
APPC device description2
*CHANGE
Data queue
*OBJEXIST
*EXECUTE
Data queue
*READ
*USE
Authority is verified when the data area is used.
Device Description Commands

Authority Needed
Command
4
CFGDEVMLB
CHGDEVAPPC
4
CHGDEVASC
CHGDEVASP
4
4
CHGDEVBSC
CHGDEVDKT
CHGDEVDSP
CHGDEVFNC
CHGDEVHOST
Referenced Object
For Object
For Library
Device description
Device description
Mode description (MODE)
*USE
Device description
Device description
Device description
Device description
Device description
Printer (PRINTER)
*USE
Device description
Device description
*EXECUTE
*EXECUTE
Device description
CHGDEVMLB
Device description
CHGDEVNET
Device description
CHGDEVOPT
Device description
CHGDEVPRT
Device description
CHGDEVRTL
CHGDEVINTR
Device description
CHGDEVSNPT
Device description
CHGDEVSNUF
Device description
Device description
*USE
*EXECUTE
*USE
*EXECUTE
CHGDEVTAP
CRTDEVAPPC
4
4
Device description
Mode description (MODE)
332

Authority Needed
Command
Referenced Object
For Object
For Library
*USE
*EXECUTE
CRTDEVASC
CRTDEVASP
Device description
CRTDEVBSC
Device description
*EXECUTE
*USE
*EXECUTE
Printer description (PRINTER)
*USE
*EXECUTE
*USE
*EXECUTE
*USE
*EXECUTE
*USE
*EXECUTE
Device description
4
CRTDEVDKT
Device description
CRTDEVDSP
Device description
4
CRTDEVFNC

Device description
4
CRTDEVHOST

Device description
CRTDEVINTR
Device description
CRTDEVMLB
Device description
CRTDEVNET
CRTDEVOPT
Device description
CRTDEVPRT
CRTDEVRTL
*EXECUTE
*USE
*EXECUTE
Device description
*EXECUTE
*USE
*EXECUTE
*USE
*EXECUTE
*USE
*EXECUTE
*USE
*EXECUTE
*USE
*EXECUTE
Device description
*OBJEXIST
*EXECUTE
DSPCNNSTS
Device description
*OBJOPR
*EXECUTE
DSPDEVD
Device description
*USE
*EXECUTE
Device description
*USE
*EXECUTE
Device description
*OBJOPR
*EXECUTE
RLSCMNDEV
Device description
*OBJOPR
*EXECUTE
RSMDEVRCY
Device description
*USE
*EXECUTE
Device description
*OBJOPR
*EXECUTE
Device description
Device description
CRTDEVSNPT
CRTDEVSNUF

Device description
Device description
CRTDEVTAP

Device description
DLTDEVD
ENDDEVRCY
HLDCMNDEV
PRTCMNSEC
WRKDEVD
4, 5
333

Authority Needed
Command
Referenced Object
For Object
For Library
To remove an associated output queue, object existence (*OBJEXIST) authority to the output queue and
read authority to the QUSRSYS library are required.
You must have job control (*JOBCTL) special authority and object operational authority to the device
description.
You must have *IOSYSCFG special authority to run this command.
You must have *ALLOBJ special authority to run this command.
Device Emulation Commands

Authority Needed
Command
Referenced Object
For Object
For Library
ADDEMLCFGE
Emulation configuration file
*CHANGE
*EXECUTE
CHGEMLCFGE
*CHANGE
*EXECUTE
EJTEMLOUT
Emulation device description when specified *OBJOPR
*EXECUTE
Emulation device description when location

specified
*OBJOPR
*EXECUTE
*EXECUTE

specified
*OBJOPR
*EXECUTE
*EXECUTE

specified
*OBJOPR
*EXECUTE
Emulation device description
*OBJOPR
*EXECUTE
Emulation controller description
*OBJOPR
*EXECUTE
RMVEMLCFGE
*CHANGE
*EXECUTE
STREML3270
*OBJOPR
*EXECUTE
Emulation device, emulation controller

description, display station device, and
display station controller description
*OBJOPR
*EXECUTE
Printer device description, user exit

program, and translation tables when
specified
*OBJOPR
*EXECUTE
*OBJOPR
*EXECUTE
Emulation device description and emulation *OBJOPR

controller description
*EXECUTE
Printer device description, print file,

message queue, job description, job queue,
and translation tables when specified
*OBJOPR
*EXECUTE
SNDEMLIGC
From-file
*OBJOPR
*EXECUTE
TRMPRTEML
Emulation device description
*OBJOPR
*EXECUTE
ENDPRTEML
EMLPRTKEY
EML3270
STRPRTEML
334

These commands do not require any object authorities:
ADDDIRE 2
ADDDIRSHD 1
CHGSYSDIRA 2
CHGDIRE 3
CHGDIRSHD 1
CPYFRMDIR 1
CPYTODIR 1
DSPDIRE
ENDDIRSHD
RMVDIRE 1
RMVDIRSHD
RNMDIRE 2
STRDIRSHD 4
WRKDIRE 3,5
WRKDIRLOC 1,5
WRKDIRSHD 1,5
You must have *SECADM special authority.
You must have *SECADM or *ALLOBJ special authority.
A user with *SECADM special authority can work with all directory entries. Users without *SECADM
special authority can work only with their own entries.
You must have *JOBCTL special authority.
Disk Commands
These commands to not require authority to any objects:
ENDDSKRGZ (Q)
1
STRDSKRGZ (Q)
WRKDSKSTS
Display Station Pass-Through Commands

Authority Needed
Command
Referenced Object
For Object
For Library
APPC device on source system
*CHANGE
*EXECUTE
*CHANGE
*EXECUTE
*USE
*EXECUTE
*CHANGE
*EXECUTE
ENDPASTHR
STRPASTHR
APPC device on target system

Virtual controller on target system
1 2
Virtual device on target system ,
Program specified in the QRMTSIGN system *USE

value on target system, if any1
*USE
TFRPASTHR
1
The user profile that requires this authority is the profile that runs the pass-through batch job. For
pass-through that bypasses the sign-on display, the user profile is the one specified in the remote user
(RMTUSER) parameter. For pass-through that uses the normal sign-on procedure (RMTUSER(* NONE)),
the user is the default user profile specified in the communications entry of the subsystem that handles the
pass-through request. Generally, this is QUSER.
If the pass-through is one that uses the normal sign-on procedure, the user profile specified on the sign-on
display on the target system must have authority to this object.
335
Distribution Commands
Distribution Commands
Authority Needed
Command
Referenced Object
For Object
For Library
*CHANGE
*EXECUTE
Journal
*USE
*EXECUTE
Journal receiver
*USE
*EXECUTE
ADDDSTQ (Q)
ADDDSTRTE (Q)
ADDDSTSYSN (Q)
CFGDSTSRV (Q)
CFGRPDS (Q)
CHGDSTD
Document
CHGDSTQ (Q)
CHGDSTRTE (Q)
1
DLTDST
DSPDSTLOG (Q)
DSPDSTSRV (Q)
HLDDSTQ (Q)
INZDSTQ (Q)
QRYDST
Requested file
*CHANGE
*EXECUTE
RCVDST
Requested file
*CHANGE
*EXECUTE
Folder
*CHANGE
*EXECUTE
Requested file or document
*USE
*EXECUTE
RLSDSTQ (Q)
RMVDSTQ (Q)
RMVDSTRTE (Q)
RMVDSTSYSN (Q)
SNDDST
SNDDSTQ (Q)
WRKDSTQ (Q)
WRKDPCQ (Q)
1
If the user is asking for distribution for another user, the user must have the authority to work on behalf of
the other user.
When the Distribution is filed.
Distribution List Commands

ADDDSTLE
CHGDSTL1
336
CRTDSTL
DLTDSTL
DSPDSTL
RMVDSTLE
RNMDSTL
WRKDSTL
1
2
Distribution List Commands

1
You must have *SECADM special authority or own the distribution list.
Document Library Object Commands

Authority Needed
Command
Referenced Object
For Object
For Library
Document library object
*ALL or owner
*EXECUTE
CHGDLOAUT
*ALL or owner
*EXECUTE
CHGDLOOWN
Owner or *ALLOBJ
special authority
*EXECUTE
Old user profile
*DLT
*EXECUTE
New user profile
*ADD
*EXECUTE
Owner or *ALLOBJ
special authority
*EXECUTE
Old primary group profile
*DLT
*EXECUTE
New primary group profile
*ADD
*EXECUTE
Document description
*CHANGE
*EXECUTE
As required by the
AUT keyword
*EXECUTE
Document
*CHANGE
*EXECUTE
Spelling aid dictionary
*CHANGE
*EXECUTE
From-document
*USE
*EXECUTE
ADDDLOAUT
CHGDLOAUD
CHGDLOPGP
CHGDOCD
CHKDLO
CHKDOC
CPYDOC
CRTDOC
CRTFLR
3
DLTDLO
DLTDOCL
To-document, if replacing existing document *CHANGE
*EXECUTE
To-folder if to-document is new
*CHANGE
*EXECUTE
In-folder
*CHANGE
*EXECUTE
In-folder
*CHANGE
*EXECUTE
*ALL
*EXECUTE
4
*EXECUTE
Document list
*ALL
Authorization list
*USE
*EXECUTE
*USE
*EXECUTE
DSPDLOAUD

page 311

page 311
DSPDLOAUT
*USE or owner
*EXECUTE
DSPDLONAM
*USE
*EXECUTE
DSPDOC
Document
*USE
*EXECUTE
DSPFLR
Folder
*USE
*EXECUTE
EDTDLOAUT
*ALL or owner
*EXECUTE
EDTDOC
Document
*CHANGE
*EXECUTE
Requested file
*USE
*EXECUTE
Folder
*CHANGE
*EXECUTE
DMPDLO
15
DSPAUTLDLO
FILDOC
337

Authority Needed
Command
Referenced Object
For Object
For Library
MOVDOC
From-folder, if source document is in a

folder
*CHANGE
*EXECUTE
From-document
*ALL
*EXECUTE
To-folder
*CHANGE
*EXECUTE
Document
*USE
*EXECUTE
From-folder
*USE
*EXECUTE
To-document if document is replaced

page 311

page 311
To-folder if to-document is new

page 311

page 311
PAGDOC
Document
*CHANGE
*EXECUTE
PRTDOC
Folder
*USE
*EXECUTE
Document
*USE
*EXECUTE
DLTPF, DLTF, and DLTOVR commands, if

an INDEX instruction is specified
*USE
*EXECUTE
CRTPF, OVRPRTF, DLTSPLF, and DLTOVR

commands, if a RUN instruction is specified
*USE
*EXECUTE
Save document, if SAVOUTPUT (*YES) is

specified
*USE
*EXECUTE
Save folder, if SAVOUTPUT (*YES) is

specified
*USE
*EXECUTE
Requested file
*USE
*EXECUTE
Document list, if it exists
*CHANGE
*EXECUTE
*CHANGE or owner
*EXECUTE
MRGDOC
QRYDOCLIB
2,6
RCLDLO

Internal documents or all documents and
folders16
RGZDLO

DLO(*MAIL), DLO(*ANY), or DLO(*FLR)
16
RMVDLOAUT
*ALL or owner
*EXECUTE
RNMDLO
*ALL
*EXECUTE
In-folder
*CHANGE
*EXECUTE
Requested file
*READ
*EXECUTE
Document
*CHANGE
*EXECUTE
RPLDOC
338

Authority Needed
Command
Referenced Object
RSTDLO
For Object
Document library object, if replacing
10
*CHANGE
10
*ADD
*EXECUTE

page 311

page 311
Save file
*USE
*EXECUTE
*R
N/A
*X
N/A
Optical volume
*USE
N/A
Tape, diskette, and optical unit
*USE
*EXECUTE
S/36 folder
*USE
*EXECUTE
To-folder
*CHANGE
*EXECUTE
Device file or device description
*USE
*EXECUTE
*USE
*EXECUTE
Document if checking out
*CHANGE
*EXECUTE
Document if not checking out
*USE
*EXECUTE
Requested file
*CHANGE
Optical file (OPTFILE)
17
Path prefix of optical file (OPTFILE)

19
RTVDLONAM
RTVDOC
SAVDLO
7,13
10
*EXECUTE
*ALL
*EXECUTE
Tape unit, diskette unit, and optical unit
*USE
*EXECUTE
Save file, if empty
*USE, *ADD
*EXECUTE
*USE, *ADD,
*OBJMGT
*EXECUTE

page 311

page 311
*RW
N/A
*WX
N/A
*X
N/A
*RWX
N/A
*CHANGE
N/A

17
Parent directory of optical file (OPTFILE)

17
Path Prefix of optical file (OPTFILE)

17, 18
Root Directory (/) of volume

19
Optical Volume
SAVRSTDLO
*EXECUTE
Owning user profile, if new DLO
17
RSTS36FLR
*EXECUTE
*ALL
Parent folder, if new DLO
11,12,14
For Library
10

required by SAVDLO command.
required by RSTDLO command.
WRKDOC
Folder
*USE
WRKFLR
Folder
*USE
339

Authority Needed
Command
Referenced Object
For Object
For Library
If the user is working on behalf of another user, the other users authority to the object is checked.
The user must have *ALL authority to all the objects in the folder in order to delete the folder and all the
objects in the folder.
If you have *ALLOBJ or *SECADM special authority, you do not need all *ALL authority to the document
library list.
The user must have authority to the object being used as the merge source. For example, if
MRGTYPE(*QRY) is specified, the user must have use authority to the query specified for the QRYDFN
parameter.
Only objects that meet the criteria of the query and to which the user has at least *USE authority are
returned in the document list or output file.
*SAVSYS, *ALLOBJ, or enrollment in the system distribution directory is required.
*SAVSYS or *ALLOBJ special authority is required to use the following parameter combination: RSTDLO
DLO(*MAIL).
*ALLOBJ is required to specify ALWOBJDIF(*ALL).
10
If you have *SAVSYS or *ALLOBJ special authority, you do not need the authority specified.
11
You need *ALL authority to the document if replacing it. You need operational and all the data authorities
to the folder if restoring new information into the folders, or you need *ALLOBJ special authority.
12
If used for a data dictionary, only the authority to the command is required.
13
*SAVSYS or *ALLOBJ special authority is required to use the following parameter combinations:
SAVDLO DLO(*ALL) FLR(*ANY)
SAVDLO DLO(*MAIL)
SAVDLO DLO(*CHG)
SAVDLO DLO(*SEARCH) OWNER(not *CURRENT)
14
You must be enrolled in the system distribution directory if the source folder is a document folder.
15
You must have *ALLOBJ special authority to dump internal document library objects.
16
You must have *ALLOBJ or *SECADM special authority.
17
This authority check is only made when the Optical Media Format is Universal Disk Format (UDF).
18
This authority check is only made when you are clearing the optical volume.
19
Double-Byte Character Set Commands

Authority Needed
Command
Referenced Object
For Object
For Library
CPYIGCTBL
DBCS sort table (*IN)
*ALL
*EXECUTE
DBCS sort table (*OUT)
*USE
*EXECUTE
CRTIGCDCT
DBCS conversion dictionary
DLTIGCDCT
340
*READ, *ADD
*OBJEXIST
*EXECUTE
Double-Byte Character Set Commands

Authority Needed
Command
Referenced Object
For Object
For Library
DLTIGCSRT
DBCS sort table
*OBJEXIST
*EXECUTE
DLTIGCTBL
DBCS font table
*OBJEXIST
*EXECUTE
DSPIGCDCT
*USE
*EXECUTE
EDTIGCDCT
*USE, *UPD
*EXECUTE
User dictionary
*ADD, *DLT
*EXECUTE
DBCS sort table
*CHANGE
*EXECUTE
DBCS font table
*CHANGE
*EXECUTE
DBCS font table, if copy-to option specified
*OBJOPR, *READ
*ADD, *UPD
*EXECUTE
DBCS font table, if copy-from option

specified
*OBJOPR, *READ
*EXECUTE
Font management aid work file

(QGPL/QAFSVDF)
*CHANGE
*EXECUTE
STRCGU
STRFMA
Edit Description Commands

Authority Needed
Command
Referenced Object
CRTEDTD
Edit description
DLTEDTD
Edit description
*OBJEXIST
*EXECUTE
Edit description
*OBJOPR
*EXECUTE
Edit description
Any authority
*USE
DSPEDTD
WRKEDTD
1
For Object
For Library
*EXECUTE, *ADD
Environment Variable Commands

These commands do not require any object authorities.
ADDENVVAR1
1
CHGENVVAR
RMVENVVAR1
WRKENVVAR1
To update system-level environment variables, you need *JOBCTL special authority.
Extended Wireless LAN Configuration Commands

Authority Needed
Command
Referenced Object
For Object
For Library
ADDEWCBCDE
Source file
*USE
*EXECUTE
ADDEWCM
Source file
*USE
*EXECUTE
ADDEWCPTCE
Source file
*USE
*EXECUTE
ADDEWLM
Source file
*USE
*EXECUTE
CHGEWCBCDE
Source file
*USE
*EXECUTE
CHGEWCM
Source file
*USE
*EXECUTE
CHGEWCPTCE
Source file
*USE
*EXECUTE
341
Extended Wireless LAN Configuration Commands

Authority Needed
Command
Referenced Object
For Object
For Library
CHGEWLM
Source file
*USE
*EXECUTE
DSPEWCBCDE
Source file
*USE
*EXECUTE
DSPEWCM
Source file
*USE
*EXECUTE
DSPEWCPTCE
Source file
*USE
*EXECUTE
DSPEWLM
Source file
*USE
*EXECUTE
RMVEWCBCDE
Source file
*USE
*EXECUTE
RMVEWCPTCE
Source file
*USE
*EXECUTE
File Commands
Authority Needed
Command
Referenced Object
For Object
For Library
ADDICFDEVE
ICF file
*OBJOPR, *OBJMGT
*EXECUTE
ADDLFM
Logical file
*OBJOPR, *OBJMGT
or *OBJALTER
*EXECUTE, *ADD
File referenced in DTAMBRS parameter,

when logical file is keyed
*OBJOPR, *OBJMGT
or *OBJALTER
*EXECUTE

when logical file is not keyed
*OBJOPR
*EXECUTE
Dependent file, if TYPE(*REFCST) is

specified
*OBJMGT or
*OBJALTER
*EXECUTE
Parent file, if TYPE(*REFCST) is specified
*OBJMGT or *OBJREF *EXECUTE
File, if TYPE(*UNQCST) or TYPE(*PRIKEY)

is specified
*OBJMGT
*EXECUTE
ADDPFM
Physical file
*OBJOPR, *OBJMGT
or *OBJALTER
*EXECUTE, *ADD
ADDPFTRG
Physical file, to insert trigger
*OBJALTER,
*OBJMGT, *READ,
*OBJOPR
*EXECUTE
Physical file, to delete trigger
*OBJALTER,
*OBJMGT, *READ,
*OBJOPR
*EXECUTE
Physical file, to update trigger
*OBJALTER,
*OBJMGT, *READ,
*OBJOPR
*EXECUTE
Trigger program
*EXECUTE
*EXECUTE
*OBJOPR, *OBJMGT
*EXECUTE
ADDPFCST
CHGDDMF
DDM file
Device description
CHGDKTF
342
*CHANGE
Diskette file
*OBJOPR, *OBJMGT
*EXECUTE
Device if device name specified in the

command
*OBJOPR
*EXECUTE
File Commands
Authority Needed
Command
Referenced Object
For Object
For Library
CHGDSPF
Display file
*OBJOPR, *OBJMGT
*EXECUTE
Device if device name specified
*OBJOPR
*EXECUTE
Data file
*OBJOPR, *ADD,
*UPD, *DLT
*EXECUTE
Program
*USE
*EXECUTE
Display file
*USE
*EXECUTE
CHGICFDEVE
ICF file
*OBJOPR, *OBJMGT
*EXECUTE
CHGICFF
ICF file
*OBJOPR, *OBJMGT
*EXECUTE
CHGLF
Logical file
*OBJMGT or
*OBJALTER
*EXECUTE
CHGLFM
Logical file
*OBJMGT or
*OBJALTER
*EXECUTE
CHGPF
Physical file
*OBJMGT or
*OBJALTER
*EXECUTE
CHGPFCST
Dependent file
*OBJMGT or
*OBJALTER
*EXECUTE
CHGPFM
Physical file
*OBJMGT or
*OBJALTER
*EXECUTE
CHGPFTRG
Physical file
*OBJMGT or
*OBJALTER
*EXECUTE
CHGPRTF
Print file
*OBJOPR, *OBJMGT
*EXECUTE
*OBJOPR
*EXECUTE
CHGSAVF
Save file
*OBJOPR, *OBJMGT
*EXECUTE
CHGSRCPF
Source physical file
*OBJMGT or
*OBJALTER
*EXECUTE
CHGTAPF
Tape file
*OBJOPR, *OBJMGT
*EXECUTE
*OBJOPR
*EXECUTE
CLRPFM
Physical file
*OBJOPR, *OBJMGT
or *OBJALTER, *DLT
*EXECUTE
CLRSAVF
Save file
*OBJOPR, *OBJMGT
*EXECUTE
CPYF
From-file
*OBJOPR, *READ
*EXECUTE
To-file (device file)
*OBJOPR, *READ
*EXECUTE
To-file (physical file)

page 311

page 311
Based-on file if from-file is logical file
*READ
*EXECUTE
From-file
*OBJOPR, *READ
*EXECUTE
*OBJOPR, *READ
*EXECUTE

page 311

page 311
CHGDTA
CPYFRMDKT
343
File Commands
Authority Needed
Command
Referenced Object
For Object
For Library
CPYFRMIMPF
From-file
*OBJOPR, *READ
*USE
*OBJOPR, *READ
*USE

page 311

page 311
*READ
*USE
From-file
*OBJOPR, *READ
*EXECUTE
*OBJOPR, *READ
*EXECUTE

page 311

page 311
Stream file
*R
Directories in stream file path name prefix
*X
Target database file, if MBROPT(*ADD)

specified
*X, *ADD
CPYFRMQRYF
CPYFRMSTMF
CPYFRMTAP
CPYSRCF
CPYTODKT
CPYTOIMPF
344
*X
Target database file, if MBROPT(*REPLACE) *X, *ADD, *DLT,

specified
*OBJMGT
*X
Target database file, if new member created
*X, *ADD
*X, *OBJMGT, or
*OBJALTER
Conversion table *TBL used to translate data *OBJOPR
*X
From-file
*OBJOPR, *READ
*EXECUTE
*OBJOPR, *READ
*EXECUTE

page 311

page 311
From-file
*OBJOPR, *READ
*EXECUTE
*OBJOPR, *READ
*EXECUTE

page 311

page 311
To-file and from-file
*OBJOPR, *READ
*EXECUTE
Device if device name specified on the

command
*OBJOPR, *READ
*EXECUTE
Based-on physical file if from-file is logical

file
*READ
*EXECUTE
From-file
*OBJOPR, *READ
*USE
*OBJOPR, *READ
*USE

page 311

page 311
*READ
*USE
File Commands
Authority Needed
Command
Referenced Object
For Object
For Library
CPYTOSTMF
Database file
*RX
*X
Stream file, if it already exists
*W
Stream file parent directory, if the stream file *WX,

does not exist
CPYTOTAP
CRTDDMF
Document parent folder, if the document

parent folder does not exist
*RWX
Stream file path name prefix
*X
Conversion table *TBL used to translate data *OBJOPR
*X
To-file and from file
*OBJOPR, *READ
*EXECUTE
Device if device name is specified
*OBJOPR, *READ
*EXECUTE
Based-on physical file if from-file is logical

file
*READ
*EXECUTE
DDM file: REPLACE(*NO)
*READ, *ADD
DDM file: REPLACE(*YES)

Device description
CRTDKTF

page 311
*CHANGE
*OBJOPR
Diskette file: REPLACE(*NO)
CRTDSPF
CRTICFF
*READ, *ADD
*EXECUTE
*READ, *ADD,
*EXECUTE
Diskette file: REPLACE(*YES)

page 311
*READ, *ADD,
*EXECUTE
Source file
*USE
*EXECUTE
*OBJOPR
*EXECUTE
File specified in REF and REFFLD keywords *OBJOPR
*EXECUTE
Display file: REPLACE(*NO)
*READ, *ADD,
*EXECUTE
Display file: REPLACE(*YES)

page 311
*READ, *ADD,
*EXECUTE
Source file
*USE
*EXECUTE
File specified in REF and REFFLD keywords *OBJOPR
*EXECUTE
ICF file: REPLACE(*NO)
*READ, *ADD
ICF file: REPLACE(*YES)

page 311
*READ, *ADD
345
File Commands
Authority Needed
Command
Referenced Object
For Object
For Library
CRTLF
Source file
*USE
*EXECUTE
File specified on PFILE or JFILE keyword,

*OBJOPR, *OBJMGT
or *OBJALTER
*EXECUTE
File specified on PFILE or JFILE keyword,

*OBJOPR
*EXECUTE
Files specified on FORMAT and

REFACCPTH keywords
*OBJOPR
*EXECUTE
Tables specified in the ALTSEQ keyword
*OBJOPR
*EXECUTE

*OBJOPR, *OBJMGT
or *OBJALTER
*EXECUTE

*OBJOPR
*EXECUTE
Source file
*USE
*EXECUTE
Files specified in FORMAT and REFFLD

keywords and tables specified in the
ALTSEQ keyword
*OBJOPR
*EXECUTE
Logical file
CRTPF
*EXECUTE, *ADD
Physical file
CRTPRTF
*EXECUTE, *ADD
Source file
*USE
*EXECUTE
*OBJOPR
*EXECUTE
Files specified in the REF and REFFLD

keywords
*OBJOPR
*EXECUTE
Print file: Replace(*NO)

Print file: Replace(*YES)
*READ, *ADD,
*EXECUTE
page 311
*READ, *ADD,
*EXECUTE
CRTSAVF
Save file
*READ, *ADD,
*EXECUTE
CRTSRCPF
Source physical file
*READ, *ADD,
*EXECUTE
CRTS36DSPF
To-file source file when TOMBR is not

*NONE
*ALL
*CHANGE
Source file QS36SRC
*USE
*EXECUTE
CRTTAPF
*READ, *ADD

page 311
*READ, *ADD
Create Display File (CRTDSPF) command
*OBJOPR
*EXECUTE
Tape file: REPLACE(*NO)
*READ, *ADD
Tape file: REPLACE(*YES)

page 311
*READ, *ADD
*OBJOPR
*EXECUTE
DLTF
File
*OBJOPR, *OBJEXIST
*EXECUTE
DSPCPCST
Database file that has constraint pending
*OBJOPR, *READ
*EXECUTE
346
File Commands
Authority Needed
Command
Referenced Object
For Object
For Library
DSPDBR
Database file
*OBJOPR
*EXECUTE

page 311

page 311
DSPDDMF
DDM file
*OBJOPR
DSPDTA
Data file
*USE
*EXECUTE
Program
*USE
*EXECUTE
Display file
*USE
*EXECUTE
File
*OBJOPR
*EXECUTE
Output file

page 311

page 311
DSPFD
File is a physical file and TYPE(*ALL, *MBR, A data authority other *EXECUTE
OR *MBRLST) is specified
than *EXECUTE
DSPFFD
File
*OBJOPR
*EXECUTE
Output file

page 311

page 311
DSPPFM
Physical file
*USE
*EXECUTE
DSPSAVF
Save file
*USE
*EXECUTE
EDTCPCST
Data area, as specified on NFYOBJ keyword

for the associated STRCMTCTL command.
*CHANGE
*EXECUTE
Files, as specified on NFYOBJ keyword for

the associated STRCMTCTL command.
*OBJOPR, *ADD
*EXECUTE
GENCAT
Database file
*OBJOPR and a data

authority other than
*EXECUTE
*EXECUTE
INZPFM
Physical file, when RECORD(*DFT) is

specified
*OBJOPR, *OBJMGT
*EXECUTE
or *OBJALTER, *ADD
Physical file, when RECORD(*DLT) is

specified
*OBJOPR, *OBJMGT
*EXECUTE
or *OBJALTER, *ADD,
*DLT
Target file
*CHANGE, *OBJMGT *CHANGE
Maintenance file
*USE
*EXECUTE
Root file
*USE
*EXECUTE
OPNDBF
Database file
*OBJOPR and a data

*EXECUTE
*EXECUTE
OPNQRYF
Database file
*OBJOPR and a data

*EXECUTE
*EXECUTE
RGZPFM
File containing member
*OBJOPR, *OBJMGT
*EXECUTE
or *OBJALTER,
*READ, *ADD, *UPD,
*DLT, *EXECUTE
RMVICFDEVE
ICF file
*OBJOPR, *OBJMGT
*EXECUTE
RMVM
*OBJEXIST, *OBJOPR
*EXECUTE
MRGSRC
PRTTRGPGM
347
File Commands
Authority Needed
Command
Referenced Object
For Object
For Library
RMVPFCST
File
*OBJMGT or
*OBJALTER
*EXECUTE
RMVPFTRG
Physical file
*OBJALTER,
*OBJMGT
*EXECUTE
RNMM
*OBJOPR, *OBJMGT
*EXECUTE, *UPD
To-file
*ALL

page 311
From-file
*USE
*EXECUTE
Based on physical file, if file being restored

is a logical (alternative) file
*CHANGE
*EXECUTE
Device description for diskette or tape
*USE
*EXECUTE
RTVMBRD
File
*USE
*EXECUTE
SAVSAVFDTA
Tape, diskette, or optical device description
*USE
*EXECUTE
Save file
*USE
*EXECUTE
Optical Save/Restore File (if previously

exists)
*RW
N/A
Parent Directory of OPTFILE8
*WX
N/A
*X
N/A
*RWX
N/A
Optical Volume
*CHANGE
N/A
From-file
*USE
*EXECUTE
To-file, when it is a physical file
*ALL

page 311
*USE
*EXECUTE
*ALL

page 311
From-file
*USE
*EXECUTE
*USE
*EXECUTE
Source file
*OBJMGT, *CHANGE *READ, *ADD
Commands CRTPF, CRTLF, ADDPFM,

ADDLFM, and RMVM
*USE
*EXECUTE
Data area, when specified on NFYOBJ

keyword
*CHANGE
*EXECUTE
Files, when specified on NFYOBJ keyword
*OBJOPR, *ADD
*EXECUTE
Journal, when specified on DFTJRN

keyword
*OBJOPR, *ADD
*EXECUTE
RSTS36F
(Q)
Path Prefix of OPTFILE
Root Directory (/) of Optical Volume
8,9
10
SAVS36F
SAVS36LIBM
STRAPF
STRDFU
UPDDTA
348
Program (if create program option)
*READ, *ADD
Program (if change or delete program

option)
*OBJEXIST
*READ, *ADD
File (if change or display data option)
*OBJOPR, *ADD,
*UPD, *DLT
*EXECUTE
File (if display data option)
*READ
*EXECUTE
File
*CHANGE
*EXECUTE
File Commands
Authority Needed
Command
WRKCMTDFN
WRKDDMF
WRKF
3,5
WRKPFCST
Referenced Object
For Object
For Library
DDM file
*OBJOPR, *OBJMGT,
*OBJEXIST
*READ, *ADD
Files
*OBJOPR
*USE
*EXECUTE
The CPYFRMQRYF command uses a FROMOPNID parameter rather than a FROMFILE parameter. A user
must have sufficient authority to perform the OPNQRYF command prior to running the CPYFRMQRYF
command. If CRTFILE(*YES) is specified on the CPYFRMQRYF command, the first file specified on the
corresponding OPNQRYF FILE parameter is considered to be the from-file when determining the
authorities for the new to-file. (See note 1 of General Rules on page 311.)
Ownership or operational authority to the file is required.
If a new file is created and an authority holder exists for the file, then the user must have all (*ALL)
authority to the authority holder or be the owner of the authority holder. If there is no authority holder, the
owner of the file is the user who entered the RSTS36F command and the public authority is *ALL.
Some authority to the object is required.
Authority is verified when the DDM file is used.
This authority check is only made when the Optical media format is Universal Disk Format (UDF).
This authority check is only made if you are clearing the optical volume.
10
Filter Commands
Authority Needed
Command
Referenced Object
For Object
For Library
ADDALRACNE
Filter
*USE, *ADD
*EXECUTE
ADDALRSLTE
Filter
*USE, *ADD
*EXECUTE
ADDPRBACNE
Filter
*USE, *ADD
*EXECUTE
ADDPRBSLTE
Filter
*USE, *ADD
*EXECUTE
CHGALRACNE
Filter
*USE, *UPD
*EXECUTE
CHGALRSLTE
Filter
*USE, *UPD
*EXECUTE
CHGFTR
Filter
*OBJMGT
*EXECUTE
CHGPRBACNE
Filter
*USE, *UPD
*EXECUTE
CHGPRBSLTE
Filter
*USE, *UPD
*EXECUTE
CRTFTR
Filter
DLTFTR
Filter
*OBJEXIST
*EXECUTE
RMVFTRACNE
Filter
*USE, *DLT
*EXECUTE
RMVFTRSLTE
Filter
*USE, *DLT
*EXECUTE
Filter
Any authority
*EXECUTE
WRKFTR
*READ, *ADD
349
Filter Commands
Authority Needed
Command
WRKFTRACNE
WRKFTRSLTE
1
Referenced Object
For Object
For Library
Filter
*USE
*EXECUTE
Filter
*USE
*EXECUTE
Finance Commands
Authority Needed
Command
Referenced Object
SBMFNCJOB (Q)
SNDFNCIMG (Q)
WRKDEVTBL (Q)
For Object
For Library
Job description and message queue
*OBJOPR
*EXECUTE
Job description and message queue
*OBJOPR
*EXECUTE
At least one data

authority
*EXECUTE
Device description
WRKPGMTBL (Q)
WRKUSRTBL (Q)
1
The QFNC user profile must have this authority.
OS/400 Graphical Operations

Authority Needed
Command
Referenced Object
For Object
For Library
Workstation object
Workstation object
RVKWSOAUT
Workstation object
SETCSTDTA
Copy-from user profile
*CHANGE
*EXECUTE
Copy-to user profile
*CHANGE
*EXECUTE
EDTWSOAUT
GRTWSOAUT
*OBJMGT
2,3,4
*EXECUTE
*OBJMGT
2,3,4
*EXECUTE
*OBJMGT
2,3,4
*EXECUTE
The workstation object is an internal object that is created when you install the OS/400 Graphical
Operations feature. It is shipped with public authority of *USE.
You must be the owner or have *OBJMGT authority and the authorities being granted or revoked.
You must be the owner of have *ALLOBJ authority to grant *OBJMGT or *AUTLMGT authority.
To secure the workstation object with an authorization list or remove the authorization list, you must have
one of the following:
Own the workstation object.
Have *ALL authority to the workstation object.
Have *ALLOBJ special authority.
350
Graphics Symbol Set Commands
Graphics Symbol Set Commands

Authority Needed
Command
Referenced Object
For Object
For Library
CRTGSS
Source file
*USE
*EXECUTE
Graphics symbol set

DLTGSS
WRKGSS
1
*READ, *ADD
Graphics symbol set
*OBJEXIST
*EXECUTE
Graphics symbol set
*OBJOPR
*USE
Host Server Commands

ENDHOSTSVR (Q)
STRHOSTSVR (Q)
Integrated File System Commands

Command
Referenced Object
Object Type
File System
ADDLNK
Object
*STMF
QOpenSys,
"root" ,
UDFS
*FILE
18
Authority
Needed for
Object1
*OBJEXIST
*OBJMGT
QOpenSys,
*WX
"root", UDFS
Parent of new link
*DIR
Path prefix
See General Rules on page 311
351

Authority
Needed for
Object1
Command
Referenced Object
Object Type
File System
CHGATR
Object when setting an attribute other than

*USECOUNT, *ALWCKPWRT, *DISKSTGOPT,
or *MAINSTGOPT
Any
All except
QSYS.LIB
*W
Object when setting *USECOUNT,

DISKSTGOPT, or *MAINSTGOPT
Any
All except
QSYS.LIB
*OBJMGT
*FILE
QSYS.LIB
*R, *W, or *X
plus
*OBJMGT
*MBR
QSYS.LIB
*X,
*OBJMGT
(authority
inherited
from parent
*FILE)
other
QSYS.LIB
*OBJMGT
Object when setting *ALWCKPWRT
Any
All
*OBJMGT
Directory that contains objects when

SUBTREE(*ALL) is specified
Any
directory
All
*RX
Object
All
QOpenSys,
root, UDFS
Ownership15
QSYS.LIB,
QOPT11
Ownership
or *ALLOBJ
QDLS
Ownership,
*ALL, or
*ALLOBJ
CHGAUD
CHGAUT
*OBJMGT
CHGCURDIR
CHGOWN
CHGOWN
(continued)
QOPT
*CHANGE
Optical volume
*DDIR
Object specified by DIR parameter
Any
directory
Optical volume
*DDIR
QOPT8
*X
Object
All
QSYS.LIB
*OBJEXIST
*FILE,
*LIB18,
*SBSD
QSYS.LIB
*OBJEXIST,
*OBJOPR
All
QOpenSys,
root UDFS
Ownership
and
*OBJEXIST15
All
QDLS
Ownership
or *ALLOBJ
QOPT11
Ownership
or *ALLOBJ
*DLT
*R
User profile of old ownerall except QOPT
*USRPRF
All
User profile of new ownerall except QOPT
*USRPRF
All
Optical volume
352
*DDIR
*ADD
8
QOPT
*CHANGE
Command
Referenced Object
Object Type
File System
Authority
Needed for
Object1
CHGPGP
Object
All
QSYS.LIB
*OBJEXIST
*FILE,
*LIB18,
*SBSD
QSYS.LIB
*OBJEXIST,
*OBJOPR
All
QOpenSys,
root UDFS
Ownership5,
All
QDLS
Ownership
or *ALLOBJ
QOPT11
Ownership
or *ALLOBJ
*USRPRF
All
*DLT
User profile of new primary groupall except

QOPT
*USRPRF
All
*ADD
Optical volume
*DDIR
QOPT8
*CHANGE
Object, if the user who checked it out.
*STMF
QOpenSys,
root UDFS
*W
*DOC
QDLS
*W
*STMF
QOpenSys,
root UDFS
*All or
*ALLOBJ or
Ownership
*DOC
QDLS
*All or
Ownership
*DIR18
QOpenSys,
root UDFS
*X
*FLR
QDLS
None
CHGPGP (continued) User profile of old primary groupall except

QOPT
CHKIN
Object, if not the user who checked it out.
CHKIN (continued)
CHKOUT
15
Path, if not the user who checked out
Path prefix
Object
*STMF
QOpenSys,
root UDFS
*W
*DOC
QDLS
*W
Path prefix
353

Authority
Needed for
Object1
Command
Referenced Object
Object Type
File System
CPY
Object being copied, origin object
Any
QOpenSys,
root UDFS
*R, and
*OBJMGT or
ownership
*DOC
QDLS
*RWX and
*ALL or
ownership
*MBR
QSYS.LIB
None
others
QSYS.LIB
*RX,
*OBJMGT
*DSTMF
QOPT11
*R
Any
All10
*W,
*OBJEXIST,
*OBJMGT
*DSTMF
QOPT11
*W
QOpenSys,
root, UDFS
*RX,
*OBJMGT
Destination object when REPLACE(*YES)

specified (if destination object already exists)
CPY (continued)
18
Directory being copied that contains objects

when SUBTREE(*ALL) is specified, so that its
contents are copied
*DIR
Path (target), parent directory of destination

object
*FILE
QSYS.LIB
*RX,
*OBJMGT
*LIB18
QSYS.LIB
*RX, *ADD
QOpenSys,
root UDFS
*WX
QDLS
*RWX
*DIR
18
*FLR
11
*WX
*USE
QOPT
*CHANGE
QOpenSys,
root UDFS
*X
*FLR
QDLS
*X
Others
QSYS.LIB
*DDIR
Source Optical volume
Target Optical volume
CPY (continued)
Parent directory of origin object
*DDIR
*DDIR
*DIR
18
*DDIR
Path prefix (target destination)
*LIB
18
*DIR
18
*FLR
*DDIR
Path prefix (origin object)
*DDIR
QOPT
QOPT
QOPT
11
CRTDIR
Parent directory
*WX
QOpenSys,
root UDFS
*X
QDLS
*X
QOPT
11
*X
QOPT
11
*X
*IOSYSCNFG
QOpenSys,
root UDFS
*WX
*FLR
QDLS
*CHANGE
*FILE
QSYS.LIB
*RX, *ADD
*DIR
Any
*DDIR
354
*X
QSYS.LIB
*CHRSF
18
*RX
*ADD
QOPT
11
*WX
Command
Referenced Object
Object Type
CRTDIR (continued)
Path prefix
Optical volume
*DDIR
QOPT8
*CHANGE
Object
All
QDLS
*ALL
All
All others
*OBJMGT or
ownership
ALL
QOPT11
None
CVTDIR (Q)
File System
Authority
Needed for
Object1
16
DSPAUT
DSPCURDIR
QOPT
*DDIR
Path prefix
Path prefix
*DIR18
QOpenSys,
root UDFS
*RX
*FLR
QDLS
*RX
18
*LIB , *FILE QSYS.LIB

*DIR
18
*DDIR
DSPCURDIR
(continued)
Current directory
*DIR
18
*R
QOPT
11
QOpenSys,
root UDFS
*RX
*X
*X
*FLR
*X
QDLS
18
*DDIR
DSPLNK (continued)
*RX
*LIB18, *FILE QSYS.LIB
*DIR
DSPLNK
*USE
Optical volume
*R
QOPT
11
*X
Optical volume
*DDIR*
QOPT
*USE
Any
Any
root,
QOpenSys,
UDFS
QSYS.LIB,
QDLS,
QOPT11
None
File, Option 12 (Display Links)
root,
*STMF,
QOpenSys,
*SYMLNK,
*DIR18,*BLKSF,UDFS
*SOCKET
*R
Symbolic link object
*SYMLNK
root,
QOpenSys,
UDFS
None
Optical volume
*DDIR
QOPT8
*USE
root,
QOpenSys,
UDFS
*X
*LIB18 *FILE
QSYS.LIB
*X
*FLR
QDLS
*X
Parent directory of referenced object - No

Pattern 13
*DIR
18
*DDIR
*DDIR
QOPT
11
*X
*R
355
Command
DSPLNK (continued)
Referenced Object
Object Type
Parent directory of referenced object - Pattern

specified13
*DIR
18
File System
root,
QOpenSys,
UDFS
*R
*LIB18 *FILE
QSYS.LIB
*R
*FLR
QDLS
*R
*DDIR
QOPT
11
*DDIR
Parent directory of referenced object- Option 8
(Display Attributes)
18
*R
*X
*LIB18 *FILE
QSYS.LIB
*X
*FLR
QDLS
*X
QOPT
11
*DDIR
18
*R
*RX
*SYMLNK
root,
QOpenSys,
UDFS
*X
*LIB18 *FILE
QSYS.LIB
*X
*FLR
QDLS
*X
*DDIR
QOPT
11
*DDIR
DSPLNK (continued)
Prefix of parent referenced object - No Pattern
*DIR
18
*R
*X
*LIB18 *FILE
QSYS.LIB
*X
*FLR
QDLS
*X
QOPT
11
*DDIR
Prefix of parent referenced object - Pattern
specified13
*DIR
18
*R
*X
*LIB18 *FILE
QSYS.LIB
*X
*FLR
QDLS
*X
*DDIR
*X
root,
QOpenSys,
UDFS
*DDIR
356
*X
root,
QOpenSys,
UDFS
*DDIR
DSPLNK (continued)
*X
root,
QOpenSys,
UDFS
Parent directory of referenced object - Option 12 *DIR

(Display Links)
13
*R
root,
QOpenSys,
UDFS
*DIR
*DDIR
DSPLNK (continued)
Authority
Needed for
Object1
QOPT
11
*X
*R
Command
DSPLNK (continued)
Referenced Object
Object Type
Prefix of parent referenced object - Option 8

*DIR
18
File System
root,
QOpenSys,
UDFS
*RX
*LIB18 *FILE
QSYS.LIB
*X
*FLR
QDLS
*X
*DDIR
QOPT
11
*DDIR
DSPLNK (continued)

(Display Links)
18
*R
*RX
*SYMLNK
root,
QOpenSys,
UDFS
*X
*LIB18 *FILE
QSYS.LIB
*X
*FLR
QDLS
*X
QOPT
11
*DDIR
DSPLNK (continued)
Relative Path Name : Current working

directory containing object -No Pattern13
*DIR
18
*R
*RX
*LIB18 *FILE
QSYS.LIB
*X
*FLR
QDLS
*X
QOPT
11
*DDIR
directory containing object -Pattern Specified13
*DIR
18
*R
*RX
*LIB18 *FILE
QSYS.LIB
*RX
*FLR
QDLS
*RX
QOPT
11
*DDIR
DSPLNK (continued)
Relative Path Name : Prefix of current

working directory containing object -No Pattern
*RX
root,
QOpenSys,
UDFS
*DDIR
14
*X
root,
QOpenSys,
UDFS
*DDIR
14
*X
root,
QOpenSys,
UDFS
*DIR
*DDIR
14
Authority
Needed for
Object1
*DIR
18
*RX
*R
root,
QOpenSys,
UDFS
*RX
*LIB18 *FILE
QSYS.LIB
*RX
*FLR
QDLS
*RX
13
*DDIR
*DDIR
QOPT
11
*RX
*R
357
Command
DSPLNK (continued)
Referenced Object
Object Type
14

working directory containing object -Pattern
specified13
*DIR
18
root,
QOpenSys,
UDFS
*RX
*LIB18 *FILE
QSYS.LIB
*RX
*FLR
QDLS
*RX
*DDIR
ENDJRN
Object
Parent Directory
MOV
QOPT
11
*RX
*DDIR
*R
*DIR if
QOpenSys,
Subtree(*ALL) root, UDFS
*R, *X,
*OBJMGT
*DIR if
Subtree
(*NONE),
*SYMLNK,
*STMF
*R,
*OBJMGT
QOpenSys,
root. UDFS
*DTAARA18, QSYS.LIB
*DTAQ18
*OBJOPR,
*READ,
*OBJMGT
*DIR18
QOpenSys,
root, UDFS
*X
*LIB18
QSYS.LIB
*X
Path Prefix
Object moved within same file system
*DIR18
QOpenSys,
root
*OBJMGT,
*W
not *DIR
QOpenSys,
root
*OBJMGT
*DOC
QDLS
*ALL
*FILE
QSYS.LIB
*OBJOPR,
*OBJMGT
*MBR
QSYS.LIB
None
other
QSYS.LIB
None
*STMF
358
File System
Authority
Needed for
Object1
QOPT
11
*W
Command
MOV (continued)
Referenced Object
Object Type
Path (source), parent directory
Path (target), parent directory
*DIR
18
QOpenSys,
root
*WX
*FLR
QDLS
*RWX
*FILE
QSYS.LIB,
root
*RX,
*OBJEXIST
others
QOpenSys,
root
*RWX
*DIR18
QSYS.LIB
*WX
*FLR
QDLS
*CHANGE
(*RWX)
*FILE
QSYS.LIB
*X, *ADD,
*DLT,
*OBJMGT
*LIB18
QSYS.LIB
*RWX
*DDIR
MOV (continued)
Path prefix (target)
*LIB
18
*FLR
*DIR
Object moved across file systems into

QOpenSys, root or QDLS (stream file *STMF
and *DOC, *MBR only) .
MOV (continued)
Moved into QSYS *MBR
18
Path (source) moved across file systems, parent

directory
QOPT
11
*WX
QSYS.LIB
*X, *ADD
QDLS
*X
others
*X
11
*X
*DDIR
QOPT
*STMF
QOpenSys,
root UDFS
*R,
*OBJEXIST,
*OBJMGT
*DOC
QDLS
*ALL
*MBR
QSYS.LIB
11
N/A
*RW
*DSTMF
QOPT
*STMF
QOpenSys,
root UDFS
*R,
*OBJMGT,
*OBJEXIST
*DOC
QDLS
*ALL
*DSTMF
MOV (continued)
File System
Authority
Needed for
Object1
18
QOPT
11
*RW
QOpenSys,
root UDFS
*WX
*FLR
QDLS
*X
*FILE
QSYS. LIB
ownership,
*RX,
*OBJEXIST
*DDIR
QOPT11
*WX
*DIR
Path Prefix
Optical volume (Source and Target)
*DDIR
QOPT8
*CHANGE
359
Command
RMVDIR
Referenced Object
Directory
Object Type
*DIR
18
QOpenSys,
root UDFS
*OBJEXIST
*LIB18
QSYS.LIB
*RX,
*OBJEXIST
*FILE
QSYS.LIB
*OBJOPR,
*OBJEXIST
*FLR
QDLS
*ALL
*DDIR
RMVDIR (continued)
Parent directory
File System
18
QOPT
11
QOpenSys,
root UDFS
*WX
*FLR
QDLS
*X

*DDIR
QOPT
11
*X
*WX
Path Prefix
Optical volume
*DDIR
QOPT8
*CHANGE
Object
*DOC
QDLS
*ALL
*MBR
QSYS.LIB
*FILE
QSYS.LIB
*OBJOPR,
*OBJEXIST
*JRNRCV18
QSYS.LIB
*OBJEXIST,
*R
other
QSYS.LIB
*OBJEXIST
RMVLNK (continued) Parent Directory
11
*W
*DSTMF
QOPT
any
QOpenSys,
root UDFS
*OBJEXIST
*FLR
QDLS
*X
*FILE
QSYS.LIB
*X,
*OBJEXIST
*LIB18
QSYS.LIB
*X
QOpenSys,
root UDFS
*WX
QOPT11
*WX
*DIR
18
*DDIR
360
*W
*DIR
18
RMVLNK
Authority
Needed for
Object1
Path prefix
(See General Rules on page 311)
Optical volume
*DDIR
QOPT8
*CHANGE
Command
RNM
Referenced Object
File System
Authority
Needed for
Object1
*DIR
QOpenSys,
root UDFS
*OBJMGT,
*W
Not *DIR
QOpenSys,
root UDFS
*OBJMGT
*DOC, *FLR
QDLS
*ALL
*MBR
QSYS.LIB
N/A
*FILE
QSYS.LIB
*OBJMGT,
*OBJOPR
others
QSYS.LIB
*OBJMGT
Object Type
18
Object
11
*W
QOPT
*CHANGE
*DIR
QOpenSys,
root UDFS
*WX
*FLR
QDLS
*CHANGE
(*RWX)
*FILE
QSYS.LIB
*X,
*OBJMGT
*LIB18
QSYS.LIB
*X,*UPD
*DSTMF
Optical Volume (Source and Target)
RNM (continued)
*DDIR
18
Parent directory
*DDIR
Path prefix
RST (Q)
*LIB
Object, if it exists2
18
QOPT
QOPT
11
QSYS.LIB
*WX
*X, *UPD
any
*X
QOpenSys,
root user
defined file
systemQDLS
Any
QOpenSys,
root UDFS
*W,
*OBJEXIST
QSYS.LIB
Varies
QDLS
*ALL
10
*OBJMGT,
*OBJALTER,
*READ,
*UPD
Path prefix
RST (Q) (continued)

*DIR18
QOpenSys,
root UDFS
*WX
Parent directory of object being restored, if the

object does not exist2
*FLR
QDLS
*CHANGE
User profile owning new object being restored2
*USRPRF
Parent directory of object being restored
*DIR
18
Tape unit, diskette unit, optical unit, or save file *DEVD,

*FILE
*OBJMGT,
*OBJALTER,
*READ,
*ADD, *UPD
QSYS.LIB
*ADD
QSYS.LIB
*RX
361
Command
RST (Q) (continued)
Referenced Object
Object Type
18
*EXECUTE
*LIB
*STMF
QOpenSys,
root UDFS
*W
*USRSPC18
QSYS.LIB
*RWX
QOpenSys,
root UDFS
*X
QSYS.LIB
*RX
*DIR
18
*LIB18
RTVCURDIR
QSYS.LIB
Library for device description or save file
Path prefix of output file
RST (Q) (continued)
File System
Authority
Needed for
Object1
Optical volume if restoring from optical device
*DDIR
*USE
11
*X
*R
QOPT
Optical path prefix and parent if restoring from

optical device
*DDIR
QOPT
Optical file if restoring from optical device
*DSTMF
QOPT11
Path prefix
18
*DIR
QOpenSys,
*RX
root,
UDFS,QDLS,
QOPT11
*DDIR
QOPT11
*RX
*FLR
QDLS
*RX
18
RTVCURDIR
(continued)
Current directory
*RX
Any
*R
*DIR
18
*DDIR
QOpenSys,
*X
root,
UDFS,QOPT11
QOPT11
18
*X
*FLR
*X
QDLS
Any
2
SAV
Object
*X
Any
*R
QOpenSys,
root UDFS
*R,
*OBJEXIST
QSYS.LIB
Varies
QDLS
*ALL
10
*OBJMGT, *R
SAV (continued)
362
Path prefix
Tape unit, diskette unit, or optical unit
*DEVD
QSYS.LIB
*RX
Save file, if empty
*FILE
QSYS.LIB
*USE, *ADD
Save file, if not empty
*FILE
QSYS.LIB
*OBJMGT,
*USE, *ADD
Save-while-active message queue
*MSGQ
QSYS.LIB
*OBJOPR,
*ADD
Libraries for device description, save file,

save-while-active message queue
*LIB18
QSYS.LIB
*EXECUTE

Authority
Needed for
Object1
Command
Referenced Object
Object Type
File System
SAV (continued)
*STMF
QOpenSys,
root UDFS
*W
*USRSPC18
QSYS.LIB
*RWX
QOpenSys,
root UDFS
*X
QSYS.LIB
*RX
Path prefix of output file
*DIR
18
*LIB18
SAV (continued)
Optical volume, if saving to optical device

Optical path prefix if saving to optical device
SAVRST
*DDIR
*DDIR
*CHANGE
QOPT
11
*X
11
*WX
*RW
QOPT
Optical parent directory if saving to optical

device
*DDIR
QOPT
Optical file (If it previously exists)
*DSTMF
QOPT11

required by SAV command.
required by RST command.
STRJRN
Object
Parent Directory
WRKAUT
6, 7
*DIR if
QOpenSys,
Subtree(*ALL) root, UDFS
*R, *X,
*OBJMGT
*DIR if
QOpenSys,
subtree(*NONE),
root, UDFS
*SYMLNK,
*STMF
*R,
*OBJMGT
*DTAARA18, QSYS.LIB
*DTAQ
*OBJOPR,
*READ,
*OBJMGT
*DIR18
QOpenSys,
root, UDFS
*X
*LIB18
QSYS.LIB
*X
Path Prefix
Object
*DOC or
*FLR
QDLS
*ALL
All
not QDLS
*OBJMGT or
ownership
*DDIR and
*DSTMF
QOPT11
*NONE
Path prefix
Optical volume
*DDIR
QOPT8
*USE
363

Authority
Needed for
Object1
Command
Referenced Object
Object Type
File System
WRKLNK
Any
Any
root,
QOpenSys,
UDFS,
QSYS.LIB,
QDLS,
QOPT11
None
File, Option 12 (Display Links)
*STMF,
*SYMLNK,
*DIR18,
*BLKSF,
*SOCKET
root,
QOpenSys,
UDFS
*R
Symbolic link object
*SYMLNK
root,
QOpenSys,
UDFS
None
Optical volume
*DDIR
QOPT8
*USE
root,
QOpenSys,
UDFS
*X
*LIB18 *FILE
QSYS.LIB
*X
*FLR
QDLS
*X
WRKLNK
(continued)
Parent directory of referenced object - No

Pattern 13
*DIR
18
*DDIR
QOPT
11
*DDIR
WRKLNK
(continued)
Parent directory of referenced object - Pattern

Specified
18
*R
root,
QOpenSys,
UDFS
*R
*LIB18 *FILE
QSYS.LIB
*R
*FLR
QDLS
*R
*DIR
*DDIR
QOPT
11
*DDIR
WRKLNK
(continued)
Parent directory of referenced object- Option 8

18
*R
*X
*LIB18 *FILE
QSYS.LIB
*X
*FLR
QDLS
*X
QOPT
11
*DDIR
18
*R
*RX
*SYMLNK
root,
QOpenSys,
UDFS
*X
*LIB18 *FILE
QSYS.LIB
*X
*FLR
QDLS
*X
*DDIR
*X
root,
QOpenSys,
UDFS
Parent directory of referenced object - Option 12 *DIR

(Display Links)
*DDIR
364
*R
root,
QOpenSys,
UDFS
*DIR
*DDIR
WRKLNK
(continued)
*X
QOPT
11
*X
*R
Command
WRKLNK
(continued)
Referenced Object
Object Type
Prefix of parent referenced object - No Pattern
13
*DIR
18
File System
root,
QOpenSys,
UDFS
*X
*LIB18 *FILE
QSYS.LIB
*X
*FLR
QDLS
*X
*DDIR
QOPT
11
*DDIR
WRKLNK
(continued)
Prefix of parent referenced object - Pattern

specified13
*DIR
18
*R
*X
*LIB18 *FILE
QSYS.LIB
*X
*FLR
QDLS
*X
QOPT
11
*DDIR
18
*R
*RX
*LIB18 *FILE
QSYS.LIB
*X
*FLR
QDLS
*X
QOPT
11
*DDIR
(Display Links)
*X
root,
QOpenSys,
UDFS
*DIR
*DDIR
WRKLNK
(continued)
*X
root,
QOpenSys,
UDFS
*DDIR
WRKLNK
(continued)
Authority
Needed for
Object1
18
*X
*R
root,
QOpenSys,
UDFS
*RX
*SYMLNK
root,
QOpenSys,
UDFS
*X
*LIB18 *FILE
QSYS.LIB
*X
*FLR
QDLS
*X
*DIR
*DDIR
*DDIR
QOPT
11
*X
*R
365
Command
WRKLNK
(continued)
Referenced Object
Object Type
14,
Relative Path Name

: Current working
directory containing object -No Pattern13
*DIR
18
File System
root,
QOpenSys,
UDFS
*RX
*LIB18 *FILE
QSYS.LIB
*X
*FLR
QDLS
*X
*DDIR
QOPT
11
*DDIR
14

directory containing object -Pattern Specified13
*DIR
18
*R
*RX
*LIB18 *FILE
QSYS.LIB
*RX
*FLR
QDLS
*RX
QOPT
11
*DDIR
WRKLNK
(continued)

working directory containing object -No Pattern
*RX
root,
QOpenSys,
UDFS
*DDIR
14
Authority
Needed for
Object1
*DIR
18
*RX
*R
root,
QOpenSys,
UDFS
*RX
*LIB18 *FILE
QSYS.LIB
*RX
*FLR
QDLS
*RX
13
*DDIR
QOPT
11
*DDIR
14
Relative Path Name Prefix of current working *DIR

directory containing object -Pattern specified13
18
*RX
*R
root,
QOpenSys,
UDFS
*RX
*LIB18 *FILE
QSYS.LIB
*RX
*FLR
QDLS
*RX
*DDIR
QOPT
11
*DDIR
*RX
*R
Adopted authority is not used for Integrated File system commands.
If you have *SAVSYS special authority, you do not need the authority specified for the QSYS.LIB, QDLS,
QOpenSys, and "root" file systems.
The authority required varies by object type. See the description of the QLIRNMO API in the Information
Center (see Prerequisite and related information on page xvi for details). If the object is a database
member, see the authorities for the Rename Member (RNMM) command.
You must have *AUDIT special authority to change an auditing value.
If the user issuing the command does not have *ALLOBJ authority, the user must be a member of the new
primary group.
These commands require the authority shown plus the authorities required for the DSPCURDIR command.
366
Command
Referenced Object
Object Type
File System
Authority
Needed for
Object1
See Chapter 7 of iSeries Optical Support book for information on restrictions regarding this command.
10
Authority required varies by the native command used. See the respective SAVOBJ or RSTOBJ command
for the required authority.
11
Authority required by QOPT against media formatted in Universal Disk Format (UDF).
12
*ADD is needed only when object being moved to is a *MRB.
13
Pattern: In some commands, an asterick (*) or a question mark (?) can be used in the last component of the
path name to search for names matching a pattern.
14
Relative path name: If a path name does not begin with a slash, the predecessor of the first component of
the path name is taken to be the current working directory of the process. For example, if a path name of
a/b is specified, and the current working directory is /home/john, then the object being accessed is
/home/john/a/b.
15
If you have *ALLOBJ special authority, you do not need the listed authority.
16
You must have have *ALLOBJ special authority to use this command.
|
|
17
In the above table, QSYS.LIB refers to independant ASP QSYS.LIB file systems as well as QSYS.LIB file
system.
18
This object is allowed on independant ASP.
Interactive Data Definition Commands

Authority Needed
Command
Referenced Object
For Object
For Library
ADDDTADFN
Data dictionary
*CHANGE
*EXECUTE
File
*OBJOPR, *OBJMGT
*EXECUTE
CRTDTADCT
DLTDTADCT
Data dictionary
3
DSPDTADCT
1
LNKDTADFN
*READ, *ADD
Data dictionary
OBJEXIST, *USE
Data dictionary
*USE
*EXECUTE
Data dictionary
*USE
*EXECUTE
File
*OBJOPR, *OBJMGT
*EXECUTE
Data dictionary
*OBJOPR
*EXECUTE
STRIDD
WRKDTADCT
WRKDBFIDD
WRKDTADFN
Data dictionary
*USE
*EXECUTE
Database file
*OBJOPR
*EXECUTE
Data dictionary
*USE, *CHANGE
*EXECUTE
Authority to the data dictionary is not required to unlink a file.
Before the dictionary is deleted, all linked files are unlinked. Refer to the LNKDTADFN command for
authority required to unlink a file.
You need use authority to the data dictionary to create a new file. No authority to the data dictionary is
needed to enter data in an existing file.
367
Interactive Data Definition Commands
Internetwork Packet Exchange (IPX) Commands

Authority Needed
Command
Referenced Object
For Object
For Library
DLTIPXD
IPX description
*OBJEXIST
*EXECUTE
DSPIPXD
IPX description
*USE
*EXECUTE
WRKIPXD
IPX description
*OBJOPR
*EXECUTE
Information Search Index Commands

Authority Needed
Command
Referenced Object
For Object
For Library
ADDSCHIDXE
Search index
*CHANGE
*USE
Panel group
*USE
*EXECUTE
CHGSCHIDX
Search index
*CHANGE
*USE
CRTSCHIDX
Search Index
DLTSCHIDX
Search index
*OBJEXIST
*EXECUTE
RMVSCHIDXE
Search index
*CHANGE
*USE
STRSCHIDX
*READ, *ADD
Search index
*USE
*EXECUTE
Search index
*ANY
*USE
WRKSCHIDXE
Search index
*USE
*USE
WRKSCHIDX
IPL Attribute Commands

These commands do not require authorities to objects:
CHGIPLA (Q)
DSPIPLA
1
To use this command, you must have *SECADM and *ALLOBJ special authorities.
Job Commands
368
Job Commands
Authority Needed
Command
Referenced Object
BCHJOB
For Object
For Library
*USE
*EXECUTE
*USE
*EXECUTE
*USE
*EXECUTE
*USE, *ADD
*EXECUTE
*READ
*EXECUTE
*USE
*EXECUTE
Message queue if associating a message

queue with a group
*OBJOPR
*EXECUTE
New job queue, if changing the job

queue10,11
*READ
*EXECUTE
New output queue, if changing the output

queue7
*READ
*EXECUTE
Sort sequence table7
*USE
*EXECUTE
User profile for the program start request to

specify *PGMSTRRQS
*USE
*EXECUTE
User profile and job description
*USE
*EXECUTE
User trace buffer when CLEAR (*YES) is

used.15
*OBJOPR
*EXECUTE
Job description
9,11
User profile in job description

Sort sequence table
Message queue
Job queue
CHGGRPA 4
1,2,3
CHGJOB
10
10,11
Output queue
CHGACGCDE
10
CHGPJ
CHGSYSJOB(Q)
CHGUSRTRC14
13
User trace buffer when MAXSTG is used15
*OBJOPR
*EXECUTE
User trace buffer
15
*OBJOPR, *OBJEXIST
*EXECUTE
User trace buffer
15
*OBJOPR
*EXECUTE
Outfile and member exist
*OBJOPR, *OBJMGT,
*ADD
*EXECUTE
Member does not exist
*OBJOPR, *OBJMGT,
*ADD
*EXECUTE, *ADD
Outfile does not exist
*OBJOPR
*EXECUTE, *ADD
User trace buffer when TRCFULL is used.

DLTUSRTRC
*CHANGE, *OBJMGT *USE

15
DLYJOB
DMPUSRTRC
1
DSCJOB
DSPACTPJ
1
DSPJOB
DSPJOBTBL
DSPJOBLOG
1,5
ENDGRPJOB
ENDJOB
ENDJOBABN
ENDPJ
HLDJOB
RLSJOB
RRTJOB
RTVJOBA
369
Job Commands
Authority Needed
Command
Referenced Object
For Object
For Library
SBMDBJOB
Database file
*USE
*EXECUTE
Job queue
*READ
*EXECUTE
Message queue
*USE, *ADD
*EXECUTE
*READ
*EXECUTE
*USE
*EXECUTE
SBMDKTJOB
Job queue and device description

SBMJOB
2, 12
|
|
Job description
9,11
Libraries in the library list (system, current,

and user)7
*USE
Message queue
*USE, *ADD
*EXECUTE
*USE
*EXECUTE
*USE (at level 40)
*EXECUTE
*READ
*EXECUTE
*READ
*EXECUTE
*USE
*EXECUTE
Database file
*USE
*EXECUTE
Subsystem description
*USE
*EXECUTE
Program
*USE
*EXECUTE
TFRBCHJOB
Job queue
*READ
*EXECUTE
TFRGRPJOB
Initial group program
*USE
*EXECUTE
Job queue
*READ
*EXECUTE
Subsystem description to which the job

queue is allocated
*USE
*EXECUTE
User profile
10,11
User profile in job description

Job queue
10,11
Output queue
Sort sequence table

SBMNETJOB
STRPJ
TFRJOB
10
10
TFRSECJOB
WRKACTJOB
WRKJOB
WRKSBMJOB
WRKSBSJOB
WRKUSRJOB
1
Any user can run these commands for jobs running under his own user profile. A user with job control
(*JOBCTL) special authority can run these commands for any job. If you have *SPLCTL special authority,
you do not need any authority to the job queue. However, you need authority to the library that contains
the job queue.
You must have the authority (specified in your user profile) for the scheduling priority and output priority
specified.
To change certain job attributes, even in the users own job, requires job control (*JOBCTL) special
authority. These attributes are RUNPTY, TIMESLICE, PURGE, DFTWAIT, and TSEPOOL.
This command only affects the job in which it was specified.
To display the log for a job which was run with *ALLOBJ special authority, you must also have *JOBCTL
and *ALLOBJ special authority.
370
Job Commands
Authority Needed
Command
Referenced Object
For Object
For Library
To use this command, job control *JOBCTL special authority is required.
The user profile under which the submitted job runs is checked for authority to the referenced object. The
adopted authority of the user submitting or changing the job is not used.
If the job being transferred is an interactive job, the following restrictions apply:
v The job queue where the job is placed must be associated with an active subsystem.
v The work station associated with the job must have a corresponding work station entry in the subsystem
description associated with the new subsystem.
v The work station associated with the job must not have another job associated with it that has been
suspended by means of the Sys Req (System Request) key. The suspended job must be canceled before
the Transfer Job command can run.
v The job must not be a group job.
Both the user submitting the job and the user profile under which the job will run are checked for
authority to the referenced object.
10
The user submitting the job is checked for authority to the referenced object.
11
The adopted authority of the user issuing the CHGJOB or SBMJOB command is used.
12
You must be authorized to the user profile and the job description; the user profile must also be authorized
to the job description.
13
To change certain job attributes, even in the users own job, requires job control (*JOBCTL) and all object
(*ALLOBJ) special authorities.
14
Any user can run these commands for jobs running under his own user profile. A user with job control
(*JOBCTL) special authority can run these commands for any job.
15
A user trace buffer is a user space (*USRSPC) object in library QUSRSYS by the name QPOZnnnnnn, where
nnnnnn is the job number of the job using the user trace facility.
Job Description Commands

Authority Needed
Command
Referenced Object
For Object
For Library
CHGJOBD
Job description
*OBJOPR, *OBJMGT
*EXECUTE
User profile (USER)
*OBJOPR
*EXECUTE
User profile (USER)
*OBJOPR
*EXECUTE
CRTJOBD (Q)
Job description
DLTJOBD
DSPJOBD
PRTJOBDAUT
WRKJOBD
1
*READ, *ADD
Job description
*OBJEXIST
*EXECUTE
Job description
*OBJOPR, *READ
*EXECUTE
Job description
Any
*USE
371
Job Queue Commands
Job Queue Commands

Referenced
Object
Command
1
CLRJOBQ
Job queue
Authority Needed
For Object
Job Queue Parameters
For Library
AUTCHK
*READ, *ADD, *EXECUTE

*DLT
*DTAAUT
Owner
*EXECUTE
CRTJOBQ
Job queue
DLTJOBQ
HLDJOBQ
Job queue
*OBJEXIST
*JOBCTL
Job queue

*DLT
2
*EXECUTE
*YES
*JOBCTL
*YES
*JOBCTL
*YES
*JOBCTL
*DTAAUT
*OWNER
Job queue

*DLT
Owner
*EXECUTE
*DTAAUT
*OWNER
*EXECUTE
WRKJOBQ
*YES
*EXECUTE
*EXECUTE
RLSJOBQ
Special
Authority
*READ, *ADD
Owner
PRTQAUT
OPRCTL
*OWNER
*EXECUTE
1
1,3
Job queue
*READ
Owner
*EXECUTE
*DTAAUT
*EXECUTE
*OWNER
*EXECUTE
1
If you have *SPLCTL special authority, you do not need any authority to the job queue but you need
authority to the library containing the job queue.
You must be the owner of the job queue.
If you request to work with all job queues, your list display includes all the job queues in libraries to
which you have *EXECUTE authority.
To display the job queue parameters, use the QSPRJOBQ API.
Job Schedule Commands

Authority Needed
Command
Referenced Object
For Object
For Library
ADDJOBSCDE
Job schedule
*CHANGE
*EXECUTE
*USE
*EXECUTE
*READ
*EXECUTE
*USE
*EXECUTE
*USE, *ADD
*EXECUTE
Job description
Job queue
1,2
User profile
Message queue
372
Job Schedule Commands

Authority Needed
Command
CHGJOBSCDE
Referenced Object
For Object
For Library
Job schedule
*CHANGE
*EXECUTE
*USE
*EXECUTE
*READ
*EXECUTE
*USE
*EXECUTE
*USE, *ADD
*EXECUTE
Job schedule
*CHANGE
*EXECUTE
Job description
Job queue
1,2
User profile
Message queue
HLDJOBSCDE
Job schedule
*CHANGE
*EXECUTE
RMVJOBSCDE
Job schedule
*CHANGE
*EXECUTE
WRKJOBSCDE
Job schedule
*USE
*EXECUTE
RLSJOBSCDE
Both the user profile adding the entry and the user profile under which the job will run are checked for
authority to the referenced object.
Authority to the job queue cannot come from adopted authority.
You must have *JOBCTL special authority or have added the entry.
To display the details of an entry (option 5 or print format *FULL), you must have *JOBCTL special
authority or have added the entry.
Journal Commands
Authority Needed
For Object
Command
Referenced Object
ADDRMTJRN
Source journal
Target journal
APYJRNCHG (Q)
CHGJRN (Q)
CHGRMTJRN
For Library or
Directory
*EXEC,*ADD
Journal
*USE
*EXECUTE
Journal receiver
*USE
*EXECUTE
Non-IFS objects whose journaled changes

are being applied
IFS objects whose journal changes are being

applied
*RW, *OBJMGT
*RX (if subtree *ALL)
Journal receiver, if specified
*OBJMGT, *USE
*EXECUTE
Attached journal receiver
*OBJMGT, *USE
*EXECUTE
Journal
*OBJOPR, *OBJMGT,
*UPD
*EXECUTE
Journal if RCVSIZOPT(*MINFIXLEN) is
specified.
*OBJOPR, *OBJMGT,
*UPD, *OBJALTER
*EXECUTE
Source journal
Source journal
*USE, *OBJMGT
*EXECUTE
373
Journal Commands
Authority Needed
For Library or
Directory
Journal
*USE
*EXECUTE
Journal receiver
*USE
*EXECUTE
File
*USE
*EXECUTE
Referenced Object
CMPJRNIMG
CRTJRN
Journal
DLTJRN
For Object
Command
DSPAUDJRNE (Q)
DSPJRN
*READ, *ADD
Journal receiver
*OBJOPR, *OBJMGT,
*READ
*EXECUTE
Journal
*OBJOPR, *OBJEXIST
*EXECUTE
Journal
*USE
*EXECUTE
Journal if FILE(*ALLFILE) is specified, the

specified file has been deleted from the
system or *IGNFILSLT is specified for any
selected journal codes or the journal is a
remote journal.
*OBJEXIST, *USE
*EXECUTE
Journal receiver
*USE
*EXECUTE
File if specified
*USE
*EXECUTE
Output file

page 311

page 311
DSPJRNMNU1
ENDJRN
See Integrated File System Commands on page 351
ENDJRNAP
Journal
*OBJOPR, *OBJMGT
*EXECUTE
File
*OBJOPR, *OBJMGT
*EXECUTE
Journal
*OBJOPR, *OBJMGT
*EXECUTE
Object
*OBJOPR, *READ,
*OBJMGT
*EXECUTE
Journal
*OBJOPR, *OBJMGT
*EXECUTE
File
*OBJOPR, *OBJMGT,
*READ
*EXECUTE
Journal
*USE
*EXECUTE

remote journal.
*OBJEXIST, *USE
*EXECUTE
Journal receiver
*USE
*EXECUTE
File
*USE
*EXECUTE
Exit program
*EXECUTE
*EXECUTE
Journal
*USE
*EXECUTE
Journal receiver
*USE
*EXECUTE
Non-IFS objects whose journaled changes

are being removed
ENDJRNOBJ
ENDJRNPF
JRNAP
JRNPF
2
3
RCVJRNE
RMVJRNCHG (Q)
374
Journal Commands
Authority Needed
For Object
For Library or
Directory
Journal
*USE
*EXECUTE

remote journal.
*OBJEXIST, *USE
*EXECUTE
Journal receiver
*USE
*EXECUTE
File
*USE
*EXECUTE
Journal
*OBJOPR, *ADD
*EXECUTE
Non-IFS object if specified
*OBJOPR
*EXECUTE
IFS object if specified
*R
*X
Command
Referenced Object
RTVJRNE
SNDJRNE
STRJRN
See Integrated File System Commands on page 351
STRJRNAP
Journal
*OBJOPR, *OBJMGT
*EXECUTE
File
*OBJOPR, *OBJMGT
*EXECUTE
Journal
*OBJOPR, *OBJMGT
*EXECUTE
File
*OBJOPR, *OBJMGT
*EXECUTE
Journal
*OBJOPR, *OBJMGT
*EXECUTE
Object
*OBJOPR, *READ,
*OBJMGT
*EXECUTE
Journal
*USE
*READ7
Journal receiver if receiver information is

requested
*USE
*EXECUTE
File if forward or backout recovery is

requested
Objects that are deleted during recovery
*OBJEXIST
*EXECUTE
Journal
*OBJOPR and a data

*EXECUTE
*EXECUTE
*OBJOPR and a data

*EXECUTE
*EXECUTE
STRJRNPF
STRJRNOBJ
WRKJRN
WRKJRNA
(Q)
Journal receiver
See the WRKJRN command (this command has the same function)
See the STRJRNAP command.
See the STRJRNPF command.
Additional authority is required for specific functions called during the operation selected. For example, to
restore an object you must have the authority required for the RSTOBJ command.
*OBJOPR and *OBJEXIST authority is required for journal receivers if the option is chosen to delete
receivers.
To specify JRN(*INTSYSJRN), you must have *ALLOBJ special authority.
*READ authority to the journals library is required to display the WRKJRN menu. *EXECUTE authority to
the library is required to use an option on the menu.
You must have *ALLOBJ and *AUDIT special authorities to use this command.
375
Journal Receiver Commands
Journal Receiver Commands

Authority Needed
Command
Referenced Object
CRTJRNRCV
Journal receiver
DLTJRNRCV
Journal receiver
*OBJOPR, *OBJEXIST, *EXECUTE

and a data authority
other than *EXECUTE
Journal
*OBJOPR
*EXECUTE
Journal receiver
*OBJOPR and a data

*EXECUTE
*EXECUTE
Journal, if attached
*OBJOPR
*EXECUTE
Journal receiver
Any authority
*USE
DSPJRNRCVA
1 2 3
WRKJRNRCV , ,
For Object
For Library
*READ, *ADD
*OBJOPR and *OBJEXIST authority is required for journal receivers if the option is chosen to delete
receivers.
*OBJOPR and a data authroity other than *EXECUTE is required for journal receivers if the option is
chosen to display the description.
Language Commands
Authority Needed
Command
Referenced Object
For Object
For Library
CRTBNDC
Source file
*USE
*EXECUTE
Externally described device files and

database files referred to in source program
*OBJOPR
*EXECUTE
Program: REPLACE(*NO)
CRTBNDCBL
*READ, *ADD
Program: REPLACE(*YES)

page 311
*READ, *ADD
Directory specified in OUTPUT,

PPSRCSTMF or MAKEDEP parameter
*USE
*EXECUTE
File specified in OUTPUT, PPSRCSTMF or

MAKEDEP parameter

page 311
*READ, *ADD
Source file
*USE
*EXECUTE

*OBJOPR
*EXECUTE
376
*READ,*ADD

page 311
*READ,*ADD
Binding directory
*USE
*EXECUTE
Table specified in SRTSEQ parameter
*USE
*EXECUTE
Language Commands
Authority Needed
Command
Referenced Object
For Object
For Library
CRTBNDCL
Source file
*USE
*EXECUTE

*OBJOPR
*EXECUTE
CRTBNDCPP
*READ, *ADD

page 311

page 311
*USE
*EXECUTE
Source File
*USE
*EXECUTE

*OBJOPR
*EXECUTE
CRTBNDRPG
*READ, *ADD

page 311
*READ, *ADD

PPSRCSTMF, TEMPLATE or MAKEDEP
parameter
*USE
*EXECUTE
File specified in OUTPUT, PPSRCSTMF,

TEMPLATE or MAKEDEP parameter

page 311
*READ, *ADD
Headers generated by TEMPLATE

parameter
*USE
*EXECUTE
Source file
*USE
*EXECUTE

*OBJOPR
*EXECUTE
CRTCBLMOD
*READ,*ADD

page 311
*READ,*ADD
Binding directory
*USE
*EXECUTE
*USE
*EXECUTE
Source file
*USE
*EXECUTE

*OBJOPR
*EXECUTE
Module: REPLACE(*NO)
CRTCLD
*READ, *ADD
Module: REPLACE(*YES)

page 311
*READ, *ADD
*USE
*EXECUTE
Source file
*USE
*EXECUTE
Locale object - REPLACE(*NO)

Locale object - REPLACE(*YES)
*READ, *ADD
page 311
*READ, *ADD
377
Language Commands
Authority Needed
Command
Referenced Object
For Object
For Library
CRTCLMOD
Source file
*USE
*EXECUTE

*OBJOPR
*EXECUTE
CRTCLPGM
*READ, *ADD

page 311

page 311
*USE
*EXECUTE
Source file
*USE
*EXECUTE

*OBJOPR
*EXECUTE
CRTCBLPGM
(COBOL/400*
licensed program or
S/38 environment)
*READ, *ADD

page 311

page 311
*USE
*EXECUTE
Source file
*USE
*EXECUTE

*OBJOPR
*EXECUTE
CRTCMOD
*READ, *ADD

page 311
*READ, *ADD
*USE
*EXECUTE
Source file
*USE
*EXECUTE

*OBJOPR
*EXECUTE
CRTCPPMOD
*READ, *ADD

page 311
*READ, *ADD

MAKEDEP parameter
*USE
*EXECUTE

MAKEDEP parameter

page 311
*READ, *ADD
Source file
*USE
*EXECUTE

*OBJOPR
*EXECUTE
378
*READ, *ADD

page 311
*READ, *ADD

PPSRCSTMF, TEMPLATE or MAKEDEP
parameter
*USE
*EXECUTE
File specified in OUTPUT, PPSRCSTMF,

TEMPLATE or MAKEDEP parameter

page 311
*READ, *ADD
Headers generated by TEMPLATE

parameter
*USE
*EXECUTE
Language Commands
Authority Needed
Command
Referenced Object
For Object
For Library
CRTRPGMOD
Source file
*USE
*EXECUTE

*OBJOPR
*EXECUTE
CRTRPGPGM
(RPG/400* licensed
program and S/38
environment)
*READ,*ADD

page 311
*READ,*ADD
*USE
*EXECUTE
Source file
*USE
*EXECUTE

*OBJOPR
*EXECUTE
CRTRPTPGM
(RPG/400 licensed
program and S/38
environment)
CRTS36CBL (S/36
environment)
CRTS36RPG
*READ, *ADD

page 311
*READ, *ADD
*USE
*EXECUTE
Source file
*USE
*EXECUTE
Program - REPLACE(*NO)
*READ, *ADD
Program - REPLACE(*YES)

page 311
*READ, *ADD
Source file for generated RPG program
See General Rules for

replacing and adding
members on page 311

members on page 311

*OBJOPR
*EXECUTE
*USE
*EXECUTE
Source file
*USE
*EXECUTE
*READ, *ADD

page 311
*READ, *ADD
Source file
*USE
*READ, *ADD
CRTS36RPGR
*READ, *ADD
Program - REPLACE(*YES)

page 311
*READ, *ADD
Source file
*USE
*READ, *ADD
CRTS36RPT
*READ, *ADD

page 311
*READ, *ADD
Source file
*USE
*EXECUTE
Source file for generated RPG program

members on page 311

members on page 311
*READ, *ADD
page 311
*READ, *ADD
379
Language Commands
Authority Needed
Command
Referenced Object
For Object
For Library
CRTSQLC OS/400
(DB2 Query Manager
and SQL
Development for
OS/400 licensed
program) 1
Source file
*OBJOPR, *READ
*EXECUTE
To Source file
*OBJOPR, *OBJMGT,
*EXIST, *READ,
*ADD, *UPDATE,
*DELETE, *EXECUTE
*ADD, *EXECUTE
Data description specifications
*OBJOPR
*EXECUTE
*READ, *ADD

page 311
*READ, *ADD
*USE
*EXECUTE
*OBJOPR, *READ
*EXECUTE
*OBJOPR, *OBJMGT,
*EXIST, *READ,
*ADD, *UPDATE,
*DELETE, *EXECUTE
*ADD, *EXECUTE
*OBJOPR
*EXECUTE
Source file
CRTSQLCI (DB2
Query Manager and
To Source file
SQL Development for
OS/400 licensed
program) 1
Object: REPLACE(*NO)
*READ, *ADD
Object: REPLACE(*YES)

page 311
*READ, *ADD
*USE
*EXECUTE
*OBJOPR, *READ
*EXECUTE
*OBJOPR, *OBJMGT,
*EXIST, *READ,
*ADD, *UPDATE,
*DELETE, *EXECUTE
*ADD, *EXECUTE
*OBJOPR
*EXECUTE
Source file
CRTSQLCBL (DB2
Query Manager and
To Source file
SQL Development for
OS/400 licensed
program) 1
*READ, *ADD

page 311
*READ, *ADD
*USE
*EXECUTE
*OBJOPR, *READ
*EXECUTE
*OBJOPR, *OBJMGT,
*EXIST, *READ,
*ADD, *UPDATE,
*DELETE, *EXECUTE
*ADD, *EXECUTE
*OBJOPR
*EXECUTE
Source file
CRTSQLCBLI (DB2
Query Manager and
To Source file
SQL Development for
OS/400 licensed
program) 1
380
*READ, *ADD

page 311
*READ, *ADD
*USE
*EXECUTE
Language Commands
Authority Needed
Command
Referenced Object
Source file
CRTSQLCPPI (DB2
Query Manager and
To Source file
SQL Development for
OS/400 licensed
program) 1
For Object
For Library
*OBJOPR, *READ
*EXECUTE
*OBJOPR, *OBJMGT,
*EXIST, *READ,
*ADD, *UPDATE,
*DELETE, *EXECUTE
*ADD, *EXECUTE
*OBJOPR
*EXECUTE
*READ, *ADD

page 311
*READ, *ADD
*USE
*EXECUTE
*OBJOPR, *READ
*EXECUTE
*OBJOPR, *OBJMGT,
*EXIST, *READ,
*ADD, *UPDATE,
*DELETE, *EXECUTE
*ADD, *EXECUTE
*OBJOPR
*EXECUTE
Source file
CRTSQLFTN (DB2
Query Manager and
To Source file
SQL Development for
OS/400 licensed
program) 1
*READ, *ADD

page 311
*READ, *ADD
*USE
*EXECUTE
*OBJOPR, *READ
*EXECUTE
*OBJOPR, *OBJMGT,
*EXIST, *READ,
*ADD, *UPDATE,
*DELETE, *EXECUTE
*ADD, *EXECUTE
*OBJOPR
*EXECUTE
Source file
CRTSQLPLI (DB2
Query Manager and
To Source file
SQL Development for
OS/400 licensed
program) 1
*READ, *ADD

page 311
*READ, *ADD
*USE
*EXECUTE
*OBJOPR, *READ
*EXECUTE
*OBJOPR, *OBJMGT,
*EXIST, *READ,
*ADD, *UPDATE,
*DELETE, *EXECUTE
*ADD, *EXECUTE
*OBJOPR
*EXECUTE
Source file
CRTSQLRPG (DB2
Query Manager and
To Source file
SQL Development for
OS/400 licensed
program) 1
*READ, *ADD

page 311
*READ, *ADD
*USE
*EXECUTE
381
Language Commands
Authority Needed
Command
Referenced Object
Source file
CRTSQLRPGI (DB2
Query Manager and
To Source file
SQL Development for
OS/400 licensed
program) 1
For Object
For Library
*OBJOPR, *READ
*EXECUTE
*OBJOPR, *OBJMGT,
*EXIST, *READ,
*ADD, *UPDATE,
*DELETE, *EXECUTE
*ADD, *EXECUTE
*OBJOPR
*EXECUTE
CVTRPGSRC
CVTSQLCPP
*READ, *ADD

page 311
*READ, *ADD
*USE
*EXECUTE
Source file
*USE
*EXECUTE
Output file
*OBJOPR, *OBJMGT,
*ADD
*EXECUTE
Log file
*OBJOPR, *OBJMGT,
*ADD
*EXECUTE
Source file
*OBJOPR, *READ
*EXECUTE
To Source file
*OBJOPR, *OBJMGT,
*EXIST, *READ,
*ADD, *UPDATE,
*DELETE, *EXECUTE
*ADD, *EXECUTE
*OBJOPR
*EXECUTE
*READ, *ADD

page 311
*READ, *ADD
*USE
*EXECUTE
ENDCBLDBG
Program
(COBOL/400 licensed
program or S/38
environment)
*CHANGE
*EXECUTE
ENTCBLDBG (S/38
environment)
Program
*CHANGE
*EXECUTE
DLTCLD
Locale object
*OBJEXIST, *OBJMGT *EXECUTE
RTVCLDSRC
Locale object
*USE
*EXECUTE
To-file

page 311

page 311
RUNSQLSTM
(SQL/400 licensed
program) 1
Source file
*OBJOPR, *READ
*EXECUTE
STRCBLDBG
Program
*CHANGE
*EXECUTE
STRREXPRC
Source file
*USE
*EXECUTE
Exit program
*USE
*EXECUTE
Sort sequence table
*USE
*EXECUTE
Printer device description
*USE
*EXECUTE
Printer output queue
*USE
*EXECUTE
Printer file
*USE
*EXECUTE
STRSQL (DB2 Query

Manager and SQL
Development for
OS/400 licensed
program) 1
382
Language Commands
Authority Needed
Command
1
Referenced Object
For Object
For Library
The DB2 Universal Database for iSeries topic in the Information Center contains more information about
security requirements for structured query language (SQL) statements. See Prerequisite and related
information on page xvi for details.
Library Commands
Authority Needed
Referenced Object
ADDLIBLE
Library
*USE
CHGCURLIB
New current library
*USE
Library
*OBJMGT
CHGLIBL
Every library being placed

in the library list
*USE
CHGSYSLIBL (Q)
Libraries in new list
*USE
CHGLIB
CLRLIB
For Object
For Library Being Acted

On
Command
Every object being deleted

from library
*OBJEXIST
*USE
See the authority required

Object types *DTADCT14,
*JRN14,*JRNRCV14, *MSGQ, by the DLTxxx command
*SBSD
for the object type
CPYLIB
From-Library
*USE
To-library, if it exists
*USE, *ADD
CHKOBJ, CRTDUPOBJ
commands
*USE
CRTLIB command, if the

target library is being
created
*USE
Object being copied
The authority that is

required when you use the
CRTDUPOBJ command to
copy the object type.
CRTLIB
Library
DLTLIB
Every object being deleted

from library
*OBJEXIST
*USE, *OBJEXIST
See the authority required

Object types *DTADCT14,
*JRN14,*JRNRCV14, *MSGQ, by the DLTxxx command
*SBSD
for the object type
DSPLIB
Library
Objects in the library
*READ
5
Any authority other than

*EXCLUDE
DSPLIBD
Library
Some authority other than

*EXCLUDE
EDTLIBL
Library to add to list
*USE
383
Library Commands
Authority Needed
Command
Referenced Object
RCLLIB
Library
RSTLIB
(Q)

On
For Object
*USE, *OBJEXIST
Media definition
*USE
*EXECUTE
Library, if it does not exist

*OBJOPR, *OBJEXIST
Programs that adopt

authority
Owner or *ALLOBJ and

*SECADM
Library saved if
VOL(*SAVVOL) is specified
Every object being restored
over in the library
Tape unit, diskette unit,

optical unit
7
(Q) (continued)
RSTS36LIBM
RTVLIBD
384
*EXECUTE. *READ, *ADD
*EXECUTE
*USE
*OBJEXIST
User profile owning objects *ADD

being created
RSTLIB
Message queues being

restored to library where
they already exist
*EXECUTE, *READ, *ADD
*USE
Tape (QSYSTAP) or diskette *USE

(QSYSDKT) file
*EXECUTE
6
*EXECUTE
QSYS/QPSRLDSP print file, *USE

if OUTPUT(*PRINT)
specified
*EXECUTE
Save file
*USE
*EXECUTE
12
Optical File (OPTFILE)
*R
N/A
Path prefix of optical file

(OPTFILE)12
*X
N/A
Optical volume11
*USE
From-file
*USE
*EXECUTE
To-file
*CHANGE
*EXECUTE
To-library
*CHANGE
*EXECUTE
Device file or device

description
*USE
*EXECUTE
Library
Some authority other than

*EXCLUDE
Library Commands
Authority Needed
On
Command
Referenced Object
For Object
SAVLIB
Every object in the library
*OBJEXIST
Media definition
*USE
*EXECUTE
Save file, if empty
*USE, *ADD
*EXECUTE
Save file, if records exist in

it
*USE, *ADD, *OBJMGT
*EXECUTE
*OBJOPR, *ADD
*EXECUTE
Tape unit, diskette unit,

optical unit
*USE
*EXECUTE
See General Rules on page

311
See General Rules on page

311
QSYS/QASAVOBJ field
reference file, if output file
is specified and does not
exist
*USE
*EXECUTE
QSYS/QPSAVOBJ print file *USE
*EXECUTE
SAVLIB (continued)
SAVS36LIBM
WRKLIB
10.
*READ, *EXECUTE
Optical File12
*RW
N/A
Parent Directory of optical

file (OPTFILE)12
*WX
N/A
Path Prefix of optical file

(OPTFILE)12
*X
N/A
Root Directory (/) of

Optical Volume12, 13
*RWX
N/A
Optical volume11
*CHANGE
Save to a physical file
*OBJOPR, *OBJMGT
*EXECUTE
Either QSYSDKT for

diskette or QSYSTAP for
tape, and all commands
need authority to the
device
*OBJOPR
*EXECUTE
Save to a physical file if

MBROPT(*ADD) is
specified
*ADD
*READ, *ADD
Save to a physical file if

MBROPT(*REPLACE) is
specified
*ADD, *DLT
*EXECUTE
From-library
*USE
Library
*USE
385
Library Commands
Authority Needed
Command
Referenced Object

On
For Object
The authority needed for the library being acted upon is indicated in this column. For example, to add the
library CUSTLIB to a library list using the ADDLIBLE command requires Use authority to the CUSTLIB
library.
The authority needed for the QSYS library is indicated in this column, because all libraries are in QSYS
library.
If object existence is not found for some objects in the library, those objects are not deleted, and the library
is not completely cleared and deleted. Only authorized objects are deleted.
All restrictions that apply to the CRTDUPOBJ command, also apply to this command.
If you do not have authority to an object in the library, the text for the object says *NOT AUTHORIZED.
You must have *AUDIT special authority to change the CRTOBJAUD value for a library. *OBJMGT is not
required if you change only the CRTOBJAUD value. *OBJMGT is required if you change the CRTOBJAUD
value and other values.
You must have *AUDIT special authority to specify a CRTOBJAUD value other than *SYSVAL.
10
You must have the authority required by th operation to use an individual operation.
11
12
This authority check is only made when the Optical media format is Universal Disk Format.
13
This authority check is only made when you are clearing the optical volume.
14
This object is allowed on independent ASP.
License Key Commands

Authority Needed
Command
Referenced Object
For Object
For Library
ADDLICKEY (Q)
Output file
*USE
*EXECUTE
DSPLICKEY (Q)
Output file

page 311

page 311
RMVLICKEY (Q)
Output file
*CHANGE
*EXECUTE
Licensed Program Commands

386
Licensed Program Commands

Authority Needed
Command
CHGLICINF (Q)
1,2
(Q)
RSTLICPGM
1,2
(Q)
SAVLICPGM
1,2
(Q)
DLTLICPGM
Referenced Object
For Object
For Library
WRKLICINF command
*USE
*EXECUTE
DSPTM
INZSYS (Q)
WRKLICINF (Q)
1
Some licensed programs can be deleted, saved, or restored only if you are enrolled in the system
distribution directory.
If deleting, restoring, or saving a licensed program that contains folders, all restrictions that apply to the
DLTDLO command also apply to this command.
Line Description Commands

Authority Needed
Command
Referenced Object
For Object
For Library
Line description
Controller description (SWTCTLLST)
*USE
Line description
CHGLINASC
CHGLINBSC
*USE
CHGLINDDI
Line description
CHGLINETH
Line description
CHGLINFAX
Line description
Line description
Connection list (CNNLSTIN)
*USE
*EXECUTE
Network interface description

(SWTNWILST)
*USE
*EXECUTE
*USE
*EXECUTE
Line description
CHGLINFR
2
2
CHGLINIDLC
*EXECUTE
*EXECUTE
Line description
CHGLINSDLC
Line description
CHGLINTDLC
Line description
Line description
Line description
*USE
*EXECUTE
Connection list (CNNLSTIN or

CNNLSTOUT)
*USE
*EXECUTE

(SWTNWILST)
*USE
*EXECUTE
CHGLINNET
CHGLINTRN
CHGLINX25
387

Authority Needed
Command
2
CHGLINWLS
CRTLINASC
CRTLINBSC
CRTLINDDI
Referenced Object
For Object
Line description
Program (INZPGM)
*USE
*EXECUTE
Controller description (CTL and

SWTCTLLST)
*USE
*EXECUTE
Line description
CRTLINETH
Controller description (SWTCTLLST and

CTL)
*READ, *ADD
*USE
CRTLINFAX
*READ, *ADD
Line description
*READ, *ADD
Network interface description (NWI)
*USE
*EXECUTE
Controller description (NETCTL)
*USE
*EXECUTE
*USE
*EXECUTE
*USE
*EXECUTE
Network server description (NWS)
*USE
*EXECUTE
CRTLINFR
*READ, *ADD
Line description
*READ, *ADD
*USE
Line description
CRTLINIDLC
CRTLINNET
*USE
*EXECUTE
*USE
*EXECUTE
Connection list (CNNLSTIN)
*USE
*EXECUTE
Network interface description (NWI or

SWTNWILST)
*USE
*EXECUTE
*USE
*EXECUTE
*READ, *ADD
*USE
*EXECUTE
*USE
*EXECUTE
Line description
CRTLINSDLC
CRTLINTDLC
*READ, *ADD
*USE
Line description
Controller description (WSC and CTL)
CRTLINTRN
*USE
*EXECUTE
*READ, *ADD
*USE
Line description
388
*EXECUTE
*READ, *ADD
Line description
2
*EXECUTE
*READ, *ADD
Line description
2
*EXECUTE
Line description
Line description
For Library
*EXECUTE
*READ, *ADD
*USE
*EXECUTE
Network server description (NWS)
*USE
*EXECUTE

Authority Needed
Command
CRTLINX25
Referenced Object
For Object
For Library
*USE
*EXECUTE
Permanent virtual circuit (PVC) controller

description (LGLCHLE)
*USE
*EXECUTE
Line description
CRTLINWLS
*READ, *ADD
Connection list (CNNLSTIN or

CNNLSTOUT)
*USE
*EXECUTE
Network interface description (NWI or

SWTNWILST)
*USE
*EXECUTE
Line description
*READ, *ADD
*USE
*EXECUTE
Program (INZPGM)
*USE
*EXECUTE
DLTLIND
Line description
*OBJEXIST
*EXECUTE
DSPLIND
Line description
*USE
*EXECUTE
ENDLINRCY
Line description
*OBJOPR
*EXECUTE
Line description
*OBJOPR
*EXECUTE
Line description
*OBJOPR
*EXECUTE
PRTCMNSEC 2, 3
RSMLINRCY
WRKLIND
Local Area Network (LAN) Commands

ADDLANADPI
CHGLANADPI
DSPLANADPP
DSPLANSTS
RMVLANADPT (Q)
RMVLANADPI
WRKLANADPT
Locale Commands
Authority Needed
Command
Referenced Object
For Object
For Library
CRTLOCALE
Source file
*USE
*USE, *ADD
DLTLOCALE
Locale
*OBJEXIST
*USE
Mail Server Framework Commands

389
Mail Server Framework Commands

ENDMSF (Q)
STRMSF (Q)
Media Commands
Authority Needed
Command
Referenced Object
For Object
For Library
Tape Library description
*USE
*EXECUTE
CFGDEVMLB (Q)
*USE
*EXECUTE
CHGDEVMLB (Q)
*USE
*EXECUTE
CHGJOBMLBA
*CHANGE
*EXECUTE
CHGTAPCTG
*USE
*EXECUTE
CHKDKT
Diskette device description
*USE
*EXECUTE
CHKTAP
Tape device description
*USE
*EXECUTE
CLRDKT
*USE
*EXECUTE
CRTTAPCGY
*USE
*EXECUTE
DLTDKTLBL
*USE
*EXECUTE
DLTMEDDFN
Media definition
*OBJEXIST
*EXECUTE
DLTTAPCGY
*USE
*EXECUTE
DMPTAP
*USE
*EXECUTE
DSPDKT
*USE
*EXECUTE
DSPTAP
*USE
*EXECUTE
DSPTAPCGY
*USE
*EXECUTE
DSPTAPCTG
*USE
*EXECUTE
DSPTAPSTS
*USE
*EXECUTE
DUPDKT
*USE
*EXECUTE
DUPTAP
*USE
*EXECUTE
INZDKT
*USE
*EXECUTE
INZTAP
*USE
*EXECUTE
RMVTAPCTG
*USE
*EXECUTE
RNMDKT
*USE
*EXECUTE
*USE
*EXECUTE
*USE
*EXECUTE
*USE
*EXECUTE
*USE
*EXECUTE
ADDTAPCTG
1
SETTAPCGY
WRKMLBRSCQ
WRKMLBSTS
WRKTAPCTG
(Q)
To use individual operation, you must have the authority required by the operation.
To change the session media library attributes, you must have *CHANGE authority to the Tape Library
description.
390
Menu and Panel Group Commands
Menu and Panel Group Commands

Authority Needed
Command
Referenced Object
For Object
For Library
CHGMNU
Menu
*CHANGE
*USE
CRTMNU
Source file
*USE
*EXECUTE
Menu: REPLACE(*NO)
*READ, *ADD
Menu: REPLACE(*YES)
CRTPNLGRP

page 311
Panel group: Replace(*NO)
CRTS36MNU
*READ, *ADD
*READ, *ADD
Panel group: REPLACE(*YES)

page 311
*READ, *ADD
Source file
*USE
*EXECUTE
Include file
*USE
*EXECUTE
Menu: REPLACE(*NO)
*READ, *ADD
Menu: REPLACE(*YES)

page 311
*READ, *ADD
Source file
*USE
*EXECUTE
Message files named in source
*OBJOPR, *OBJEXIST
*EXECUTE

*NONE
*OBJOPR, *OBJMGT,
*OBJEXIST, *ADD
*READ, *ADD
Menu display file when REPLACE(*YES) is

specified
*OBJOPR, *OBJEXIST
*EXECUTE
Command text message file
*OBJOPR, *OBJEXIST
*EXECUTE
Create Message File (CRTMSGF) command
*OBJOPR
*EXECUTE
Add Message Description (ADDMSGD)

command
*OBJOPR
*EXECUTE
*OBJOPR
*EXECUTE
DLTMNU
Menu
*OBJOPR, *OBJEXIST
*EXECUTE
DLTPNLGRP
Panel group
*OBJEXIST
*EXECUTE
DSPMNUA
Menu
*USE
*USE
GO
Menu
*USE
*USE
Display file and message files with *DSPF

specified
*USE
*EXECUTE
Current and Product libraries
*USE
Program with *PGM specified
*USE
*EXECUTE
Menu
Any
*USE
Panel group
Any
*EXECUTE
|
WRKMNU
WRKPNLGRP
1
391
Message Commands
Message Commands
Authority Needed
Command
Referenced Object
For Object
For Library
DSPMSG
Message queue
*USE
*USE
Message queue that receives the reply to an

inquiry message
*USE, *ADD
*USE
Remove messages from message queue
*USE, *DLT
*USE
Message queue
*USE
*EXECUTE
Remove messages from queue
*USE, *DLT
*EXECUTE
RMVMSG
Message queue
*OBJOPR, *DLT
*EXECUTE
RTVMSG
Message file
*USE
*EXECUTE
SNDBRKMSG
Message queue that receives the reply to

inquiry messages
*OBJOPR, *ADD
*EXECUTE
SNDMSG
Message queue
*OBOPR, *ADD
*EXECUTE

inquiry message
*OBJOPR, *ADD
*EXECUTE
Message queue
*OBJOPR, *ADD
*EXECUTE
Message file, when sending predefined

message
*USE
*EXECUTE

inquiry message
*OBJOPR, *ADD
*EXECUTE
Message queue
*USE, *ADD
*EXECUTE
Remove messages from queue
*USE, *ADD, *DLT
*EXECUTE
Message queue
*OBJOPR, *ADD
*EXECUTE
Message file, when sending predefined

message
*USE
*EXECUTE
Message queue
*USE
*USE

inquiry message
*USE, *ADD
*USE
Remove messages from message queue
*USE, *DLT
*USE
RCVMSG
SNDPGMMSG
SNDRPY
SNDUSRMSG
WRKMSG
Message Description Commands

Authority Needed
Command
Referenced Object
For Object
For Library
ADDMSGD
Message file
*USE, *ADD
*EXECUTE
CHGMSGD
Message file
*USE, *UPD
*EXECUTE
DSPMSGD
Message file
*USE
*EXECUTE
Message file
*OBJOPR, *DLT
*EXECUTE
Message file
*USE
*EXECUTE
RMVMSGD
WRKMSGD
1
392
Message File Commands
Message File Commands

Authority Needed
Command
Referenced Object
For Object
For Library
CHGMSGF
Message file
*USE, *DLT
*EXECUTE
CRTMSGF
Message file
DLTMSGF
Message file
*OBJEXIST
*EXECUTE
DSPMSGF
Message file
*USE
*EXECUTE
MRGMSGF
From-message file
*USE
*EXECUTE
To-message file
*USE, *ADD, *DLT
*EXECUTE
Replace-message file
*USE, *ADD
*EXECUTE
Message file
Any authority
*USE
WRKMSGF
1
1.
*READ, *ADD
Message Queue Commands

Authority Needed
Command
Referenced Object
For Object
For Library
CHGMSGQ
Message queue
*USE, *DLT
*EXECUTE
CLRMSGQ
Message queue
*OBJOPR, *DLT
*EXECUTE
CRTMSGQ
Message queue
DLTMSGQ
Message queue
*READ, *ADD
*OBJEXIST, *USE,
*DLT
DSPLOG
WRKMSGQ
1
*EXECUTE
*EXECUTE
Message queue
Any authority
*USE
Migration Commands
Authority Needed
Command
Referenced Object
For Object
For Library
RCVMGRDTA
File
*ALL
*READ, *ADD
Device
*CHANGE
*EXECUTE
File
*ALL
*READ, *ADD
Device
*CHANGE
*EXECUTE
SNDMGRDTA
The following commands do not require any object authorities.

They are shipped with public authority *EXCLUDE. You must have
*ALLOBJ special authority to use these commands.
393
Migration Commands
Authority Needed
Command
Referenced Object
For Object
For Library
ANZS34OCL
ANZS36OCL
CHGS34LIBM
CHKS36SRCA
CVTBASSTR
CVTBASUNF
CVTBGUDTA
CVTS36CFG
CVTS36FCT
CVTS36JOB
CVTS36QRY
CVTS38JOB
GENS36RPT
GENS38RPT
MGRS36
MGRS36APF
MGRS36CBL
MGRS36DFU
MGRS36DSPF
MGRS36ITM
MGRS36LIB
MGRS36MNU
MGRS36MSGF
MGRS36QRY 1
MGRS36RPG
MGRS36SEC
MGRS38OBJ
MIGRATE
QMUS36
RESMGRNAM
RSTS38AUT
STRS36MGR
STRS38MGR
You must have *ALLOBJ special authority and have OS/400 option 4 installed.
Mode Description Commands

Authority Needed
Command
CHGMODD
CRTMODD
Referenced Object
For Object
For Library
Mode description
Mode description
*READ, *ADD
CHGSSNMAX
Device description
*OBJOPR
*EXECUTE
DLTMODD
Mode description
*OBJEXIST
*EXECUTE
DSPMODD
Mode description
*USE
*EXECUTE
DSPMODSTS
Device
*OBJOPR
*EXECUTE
Mode description
*OBJOPR
*EXECUTE
Device description
*OBJOPR
*EXECUTE
Device description
*OBJOPR
*EXECUTE
Mode description
*OBJOPR
*EXECUTE
ENDMOD
STRMOD
WRKMODD
Module Commands
Authority Needed
Command
Referenced Object
For Object
For Library
CHGMOD
Module
*OBJMGT, *USE
*USE
Module, if OPTIMIZE specified
*OBJMGT, *USE
*USE, *ADD, *DLT
Module, if FRCCRT(*YES) specified
*OBJMGT, *USE
*USE, *ADD, *DLT
Module, if ENBPRFCOL specified
*OBJMGT, *USE
*USE, *ADD,
*DELETE
DLTMOD
Module
*OBJEXIST
*EXECUTE
DSPMOD
Module
*USE
*EXECUTE
394
Module Commands
Authority Needed
Command
RTVBNDSRC
|
|
WRKMOD
1
Referenced Object
For Object
For Library
Module
*USE
*EXECUTE
*SRVPGMs and modules specified with

*SRVPGMs
*USE
*EXECUTE
Database source file if file and member

*OBJOPR, *OBJMGT,
exists and MBROPT(*REPLACE) is specified. *ADD, *DLT
*EXECUTE

exists and MBROPT(*ADD) is specified
*OBJOPR, *ADD
*EXECUTE
Database source file if file exists and

member needs to be created.
*OBJOPR, *OBJMGT,
*ADD
*EXECUTE, *READ,
*ADD

needs to be created.
*EXECUTE, *READ,
*ADD
CRTSCRPF command if file does not exist
*EXECUTE
ADDPFM command if member does not

exist
*EXECUTE
RGZPFM command to reorganize source file *OBJMGT

member
*EXECUTE
Module
*USE
Any authority
You need *USE authority to the:

v CRTSRCPF command if the file does not exist.
v ADDPFM command if the member does not exist.
v RGZPFM command so the source file member is reorganized. Either *CHANGE and *OBJALTER
authorities or *OBJMGT authority is required to reorganize the source file member. The RTVBNDSRC
command function then completes with the source file member reorganized with sequence numbers of
zero.
NetBIOS Description Commands

Authority Needed
Command
CHGNTBD
CRTNTBD
DLTNTBD
DSPNTBD
WKRNTBD
Referenced Object
For Object
For Library
NetBIOS description
NetBIOS description
*EXECUTE
NetBIOS description
*OBJEXIST
*EXECUTE
NetBIOS description
*USE
*EXECUTE
NetBIOS description
*OBJOPR
*EXECUTE
Network Commands
395
Network Commands
Authority Needed
Command
Referenced Object
For Object
ADDNETJOBE (Q)
User profile in the network job entry
*USE
APING
Device description
*CHANGE
Device description
*CHANGE
AREXEC
CHGNETA (Q)
CHGNETJOBE (Q)
DLTNETF
For Library
*USE
Output file

page 311

page 311
To-file member does not exist,

MBROPT(*ADD) specified
*OBJMGT, *USE
*EXECUTE, *ADD
To-file member does not exist,

MBROPT(*REPLACE) specified
*OBJMGT, *CHANGE *EXECUTE, *ADD
To-file member exists, MBROPT(*ADD)

specified
*USE
DSPNETA
RCVNETF
*EXECUTE
To-file member exists, MBROPT(*REPLACE) *OBJMGT, *CHANGE *EXECUTE

specified
RMVNETJOBE (Q)
*USE
RUNRMTCMD
Device description
*CHANGE
SNDNETF
Physical file or save file
*USE
*EXECUTE
SNDNETMSG to a
local user
Message queue
*OBJOPR, *ADD
*EXECUTE
VFYAPPCCNN
Device description
*CHANGE
QUSRSYS/QANFNJE
*USE
RTVNETA
WRKNETF
2,3
WRKNETJOBE
*EXECUTE
A user can run these commands on the users own network files or on network files owned by the users
group profile. *ALLOBJ special authority is required to process network files for another user.
To use an individual operation, you must have the authority required by that operation.
To change some network attributes, you must have *ALLOBJ and *IOSYSCFG special authorities.
Network File System Commands

Command
ADDMFS
396
1,2,3
Referenced Object
Object Type
File System
Authority
Needed for
Object
/dev/QASPxx
*DIR
"root"
*RWX
/dev/QASPxx/yyy
*BLKSF
"root"
*R
dir_to_be_ mounted_over
*DIR
"root"
*RWX
Network File System Commands
Command
CHGNFSEXP
1,4
DSPMFSINF
ENDNFSSVR
EXPORTFS
MOUNT
1,2,3
RMVMFS
Referenced Object
Object Type
File System
some_dirs
*DIR
"root"
*RX
/etc
*DIR
"root"
*RWX
/etc/exports
*STMF
"root"
*RWX
/etc/netgroup
*STMF
"root"
*RWX
some_dirs
*DIR
"root"
*RX
some_dirs
*DIR
"root"
*RX
/etc
*DIR
"root"
*RWX
/etc/exports
*STMF
"root"
*RWX
/etc/netgroup
*STMF
"root"
*RWX
/dev/QASPxx
*DIR
"root"
*RWX
none
1,4,5
RLSIFSLCK
STATFS
1,4,5
Authority
Needed for
Object
1,4
/dev/QASPxx/yyy
*BLKSF
"root"
*R
*DIR
"root"
*RWX
some_dirs
*DIR
"root"
*RX
some_stmf
*STMF
"root"
*RWX
some_dirs
*DIR
"root"
*RX
some_dirs
*DIR
"root"
*RX
*DIR
"root"
*RX
STRNFSSVR
none
UNMOUNT
some_dirs
QASPxx is either 01 (system asp) or 02-16 based on which user asp is needed. This is the directory that
contains the *BLKSF that is being mounted.
The directory that is mounted over (dir_to_be_mounted_over) is any IFS directory that can be mounted
over.
You must provide a path to some object. You must have *RX authority for all directories in that path.
You must have *RX authority to the /etc/exports stream file and the directories in the /etc/exports path.
You must provide a path to some *STMF. You must have *RX authority for all directories in that path.
You must have update (*RWX) authority to the stream file for which you are releasing locks.
This object is allowed on independent disk pools.
Network Interface Description Commands

Authority Needed
Command
CHGNWIFR
CHGNWIISDN
CRTNWIFR
Referenced Object
For Object
For Library
Line description (CHLENTRY)
*USE

Line description (DLCI)
*EXECUTE
*READ, *ADD
*USE
*EXECUTE
397
Network Interface Description Commands

Authority Needed
Command
CRTNWIISDN
DLTNWID
DSPNWID
WRKNWID
Referenced Object
For Object
For Library
*USE
*EXECUTE
Line description (CHLENTRY)
*USE
*EXECUTE
*OBJEXIST
*EXECUTE
*USE
*EXECUTE
*OBJOPR
*EXECUTE
Network Server Commands

Command
Referenced Object
Object Type
File System
Authority
Needed for
Object
ADDNWSSTGL 2
Path (/QFPNWSSTG)
*DIR
"root"
*X
Parent directory (name of the storage

space)
*DIR
"root"
*WX
Files that make up the storage space
*FILE
"root"
*RW
Network server description
*NWSD
QSYS.LIB
*CHANGE,
*OBJMGT
User Profile
*USRPRF
CHGNWSUSRA 4
*OBJMGT,
*USE
CRTNWSSTG
Path (root and /QFPNWSSTG)
*DIR
"root"
*WX
DLTNWSSTG
Path (/QFPNWSSTG)
*DIR
"root"
*WX

space)
*DIR
"root"
*RWX,
*OBJEXIST
*FILE
"root"
*OBJEXIST
Path to the storage space
*DIR
"root"
*X
*FILE
"root"
*R
Path (/QFPNWSSTG)
*DIR
"root"
*X

space)
*DIR
"root"
*WX
*FILE
"root"
*RW
*NWSD
QSYS.LIB
*CHANGE,
*OBJMGT
Path to the storage space
*DIR
"root"
*X
*FILE
"root"
*R
DSPNWSSTG
RMVNWSSTGL
WRKNWSSTG

ADDRMTSVR
CHGNWSA 4(Q)
CHGNWSALS
CRTNWSALS
DLTNWSALS
DSPNWSA
398
DSPNWSALS
DSPNWSSSN
DSPNWSSTC
DSPNWSUSR
DSPNWSUSRA
SBMNWSCMD (Q)
SNDNWSMSG
WRKNWSALS
WRKNWSENR
WRKNWSSSN
WRKNWSSTS
3
Network Server Commands
Command
Referenced Object
Object Type
File System
Authority
Needed for
Object
Adopted authority is not used for Network Server commands.
To use this command, you must have *JOBCTL special authority.
You must have *SECADM special authority to specify a value other than *NONE for the NDSTREELST and
the NTW3SVRLST paramaters.
Network Server Description Commands

Authority Needed
Command
2
CHGNWSD
CRTNWSD
DLTNWSD
DSPNWSD
1
WRKNWSD
Referenced Object
For Object
For QSYS Library
NetBIOS description (NTB)
*USE
*EXECUTE
NetBIOS description (NTB)
*USE
*EXECUTE
Line description (PORTS)
*USE
*EXECUTE
*OBJEXIST
*EXECUTE
*USE
*EXECUTE
*OBJOPR
*EXECUTE
Node List Commands

Authority Needed
Command
Referenced Object
For Object
For Library
ADDNODLE
Node list
*OBJOPR, *ADD
*EXECUTE
CRTNODL
Node list
DLTNODL
Node list
*OBJEXIST
*EXECUTE
RMVNODLE
Node list
*OBJOPR, *READ,
*DLT
*EXECUTE
WRKNODL 1
Node list
*USE
*USE
WRKNODLE
Node list
*USE
*EXECUTE
*READ, *ADD
Office Services Commands

399
Office Services Commands

GRTACCAUT 1,2,3 (Q)
GRTUSRPMN 1,2
RMVACC 1 (Q)
RVKACCAUT 1
ADDACC (Q)
DSPACC
DSPACCAUT
DSPUSRPMN
RVKUSRPMN 1,2
WRKDOCLIB 4
WRKDOCPRTQ
You must have *ALLOBJ special authority to grant or revoke access code authority or document authority
for other users.
Access is restricted to documents, folders, and mail that are not personal.
The access code must be defined to the system (using the Add Access Code (ADDACC) command) before
you can grant access code authority. The user being granted access code authority must be enrolled in the
system distribution directory.
You must have *SECADM special authority.
Additional authorities are required for specific functions called by the operations selected. The user also
needs additional authorities for any commands called during a specific function.
Online Education Commands

Authority Needed
Command
Referenced Object
For Object
For Library
CVTEDU
STREDU
Operational Assistant Commands

Authority Needed
Command
Referenced Object
For Object
For Library
QUSRSYS/QEZBACKUPL *USRIDX
*CHANGE
*EXECUTE
PWRDWNSYS *CMD
*USE
*EXECUTE
PWRDWNSYS *CMD
*USE
*EXECUTE
DSPBCKSTS
*USE
*EXECUTE
DSPBCKUP
*USE
*EXECUTE
DSPBCKUPL
*USE
*EXECUTE
QUSRSYS/QEZBACKUPF *USRIDX
*USE
*EXECUTE
CHGBCKUP
CHGCLNUP
CHGPWRSCD
CHGPWRSCDE
DSPPWRSCD
EDTBCKUPL
ENDCLNUP
*EXECUTE
1
PRTDSKINF (Q)
400
*CHANGE
*EXECUTE
*CHANGE
*EXECUTE
ENDJOB *CMD
*USE
*EXECUTE
QUSRSYS/QAEZDISK *FILE, member

QCURRENT
*USE
*EXECUTE
Operational Assistant Commands

Authority Needed
Command
Referenced Object
For Object
For Library
RTVBCKUP
*USE
*EXECUTE
DSPPWRSCD command
*USE
*EXECUTE
*USE
*EXECUTE
*USE
*EXECUTE
Commands: SAVLIB, SAVCHGOBJ,

SAVDLO, SAVSECDTA, SAVCFG, SAVCAL,
SAV
*USE
*EXECUTE
QPGMR User profile
*USE
Job queue
*USE
RTVCLNUP
RTVDSKINF (Q)
RTVPWRSCDE
RUNBCKUP
STRCLNUP4
You must have *ALLOBJ or *SAVSYS special authority.
You must have *ALLOBJ, *SECADM, and *JOBCTL special authorities.
You must have *ALLOBJ and *SECADM special authorities.
*EXECUTE
Optical Commands
Table 139.
Authority Needed
Command
Referenced Object
Object
Library
ADDOPTCTG (Q)
Optical Device
*USE
*EXECUTE
ADDOPTSVR (Q)
Server CSI
*USE
*EXECUTE
Optical Device
Root directory (/) of

volume when
changing the Text
Description5
*W
N/A
N/A
Optical Device
*USE
N/A
N/A
Server CSI
*USE
N/A
N/A
CHGDEVOPT
Optical Volume
CHGOPTA (Q)
CHGOPTVOL
401
Optical Commands
Table 139. (continued)
Authority Needed
Command
Referenced Object
Object
Library
Optical Volume
CPYOPT
Optical Device
*X
N/A
N/A
Each preceding dir in *X

path of source file
N/A
N/A
Each preceding dir in *X

path of target file
N/A
N/A
Source file (*DSTMF)5 *R
N/A
N/A
Parent dir of target

file
*WX
N/A
N/A
Parent of parent dir if *WX

creating dir
N/A
N/A
N/A
N/A
Target file if replaced *RW

due to
SLTFILE(*CHANGED)
N/A
N/A
Each dir in path that

precedes source dir
*X
N/A
N/A
Each dir in path that

precedes target dir
*X
N/A
N/A
Dir being copied5
*R
N/A
N/A
Dir being copied if it

contains entries
*RX
N/A
N/A
Parent of target dir
*WX
N/A
N/A
Target dir if replaced

due to
SLTFILE(*ALL)
*W
N/A
N/A
Target dir if replaced *RW

due to
SLTFILE(*CHANGED)
N/A
N/A
Target dir if entries

are to be created
*WX
N/A
N/A
Source files
*R
N/A
N/A
Target file if replaced

due to
SLTFILE(*ALL)
*W
N/A
N/A
Target file if replaced *RW

due to
SLTFILE(*CHANGED)
N/A
N/A
CRTDEVOPT4
Optical Device
*EXECUTE
*ALL - Target Volume
CVTOPTBKU
Optical Device
*EXECUTE
*ALL
CPYOPT (continued)
CPYOPT (continued)
COPYOPT
(continued)
402
Target file if replaced

due to
SLTFILE(*ALL)
*W
*USE
Optical Commands
Table 139. (continued)
Authority Needed
Command
Referenced Object
Object
Library
Optical Volume
DSPOPT
Path Prefix when

DATA (*SAVRST)5
*X
N/A
N/A
File Prefix when

(*SAVRST)2
*R
N/A
N/A
Optical Device
*EXECUTE
*USE
Server CSI
*USE
*EXECUTE
DSPOPTSVR
Server CSI
*USE
*EXECUTE
DUPOPT
Optical Device
*USE
*EXECUTE
DSPOPTLCK
*USE - Source Volume

*ALL - Target Volume
INZOPT
Root directory (/) of

volume
*RWX
N/A
N/A
Optical Device
*USE
*EXECUTE
*ALL
RCLOPT (Q)
Optical Device
*USE
*EXECUTE
RMVOPTCTG (Q)
Optical Device
*USE
*EXECUTE
RMVOPTSVR (Q)
Server CSI
*USE
*EXECUTE
Optical Device
*USE
*EXECUTE
Server CSI
*USE
*EXECUTE
Optical Device
*USE
*EXECUTE
Server CSI
*USE
*EXECUTE
Optical Device
*USE
*EXECUTE
Server CSI
*USE
*EXECUTE
Optical Device
*USE
*EXECUTE
WRKHLDOPTF
WRKOPTDIR
WRKOPTF
WRKOPTVOL
*USE
*USE
*USE
There are seven options that can be invoked from the optical utilities that are not commands themselves.
These options and their required authorities to the optical volume are shown below.
Delete File: *CHANGE
Rename File: *CHANGE
Delete Directory: *CHANGE
Create Directory: *CHANGE
Rename Volume: *ALL
Release Held Optical File: *CHANGE
Save Held Optical File: *USE - Source Volume, *Change - Target Volume
Authorization list management authority to the authorization list currently securing the optical volume is
needed to change the authorization list used to secure the volume.
This authority check is only made when the Optical media format is Universal Disk Format (UDF).
403
Optical Commands
Output Queue Commands

Command
1
CHGOUTQ
Authority Needed
Referenced
Object
For Object
For Library
Data queue
*READ
*EXECUTE
Output queue
*OBJMGT,
*EXECUTE
*READ, *ADD,
*DLT
Owner
*EXECUTE

AUTCHK
CLROUTQ
Output queue

*DLT
Owner
*EXECUTE
Data queue
*READ
HLDOUTQ
RLSOUTQ
Output queue
*OBJEXIST
Output queue

*DLT
Output queue
*EXECUTE
Output queue
Output queue
*YES
*JOBCTL
*YES
*JOBCTL
*YES
*JOBCTL
*OWNER
*EXECUTE
*DTAAUT
*OWNER
*READ
*EXECUTE
*EXECUTE
WRKOUTQD
*JOBCTL
*DTAAUT
*EXECUTE
WRKOUTQ
*YES
*EXECUTE

*DLT
Owner
1,3
*JOBCTL
*OWNER
*EXECUTE
PRTQAUT
*YES
*DTAAUT
*READ, *ADD
Owner
4
*JOBCTL
*EXECUTE
Output queue
DLTOUTQ
*YES
*OWNER
*EXECUTE
CRTOUTQ
Special
Authority
*DTAAUT
*EXECUTE
1
OPRCTL
*READ
*EXECUTE
1,3
*EXECUTE
1
If you have *SPLCTL special authority, you do not need authority to the output queue. You do need
*EXECUTE authority, however, to the library for the outqueue.
If you request to work with all output queues, your list display includes all the output queues in libraries
to which you have *EXECUTE authority.
404
Package Commands
Package Commands
Authority Needed
Command
Referenced Object
For Object
For Library
CRTSQLPKG
Program
*OBJOPR, *READ
*EXECUTE
SQL package: REPLACE(*NO)
*OBJOPR, *READ,
*ADD, *EXECUTE
SQL package: REPLACE(*YES)
*OBJOPR, *OBJMGT,
*OBJEXIST, *READ
*OBJOPR, *READ,
*ADD, *EXECUTE
DLTSQLPKG
Package
*OBJEXIST
*EXECUTE
PRTSQLINF
Package
*OBJOPR, *READ
*EXECUTE
Program
*OBJOPR, *READ
*EXECUTE
Service program
*OBJOPR, *READ
*EXECUTE
STRSQL
Performance Commands
Appendix C shows which IBM-Supplied user profiles are authorized to the
command. The security officer can grant *USE to others.
Authority Needed
Command
Referenced Object
ADDPEXDFN (Q)
ADDPEXFTR (Q)
ANZACCGRP (Q)
For Object
PGM Library
*EXECUTE
PGMTRG Library
*EXECUTE
PGMFTR Library
*EXECUTE
JVAFTR Path
*X for directory
PATHFTR Path
*X for directory
QPFR/QPTPAGA0 *PGM
*USE
Model library
ANZBESTMDL (Q)
ANZDBF (Q)
ANZDBFKEY (Q)
Job description
*USE
*EXECUTE
QPFR/QCYRBCPP *PGM
*USE
*EXECUTE
QPFR/QCYMBREX *PGM
*USE
*EXECUTE
QPFR/QCYRBMN *PGM
*USE
*EXECUTE
*EXECUTE
Job description
*USE
*EXECUTE
QPFR/QCYRBMN *PGM
*USE
*EXECUTE
Job description
*USE
*EXECUTE
QPFR/QPTANZKC *PGM
*USE
*EXECUTE
Application libraries that contain the

programs to be analyzed
Job description
ANZPGM (Q)
*EXECUTE
*EXECUTE, *ADD
Application libraries that contain the

database files to be analyzed
4
For Library
QPFR/QPTANZPC *PGM
2
Performance data
*EXECUTE
*USE
*EXECUTE
*USE
*EXECUTE
*ADD, *READ
405
Authority Needed
Command
ANZPFRDTA (Q)
Referenced Object
For Object
For Library
QPFR/QACVPP *PGM
*USE
*EXECUTE
*ADD, *READ
Performance data
ANZPFRDT2 (Q)
CHGFCNARA (Q)
CHGGPHFMT (Q)
CHGGPHPKG (Q)
CHGJOBTYP (Q)
*USE
*EXECUTE
QAPTAPGP *FILE
*CHANGE
*EXECUTE
DLTFCNARA command (Q)
*USE
*EXECUTE
QPFR/QPTAGRP *PGM
*USE
*EXECUTE
QPFR/QPTAGRPD *PGM
*USE
*EXECUTE
QAPGGPHF *FILE
*CHANGE
*EXECUTE
QPFR/QPGCRTFM *PGM
*USE
*EXECUTE
QAPGPKGF *FILE
*CHANGE
*EXECUTE
QAPGGPHF *FILE
*USE
*EXECUTE
QPFR/QPGCRTPK *PGM
*USE
*EXECUTE
QAPMDMPT *FILE
*CHANGE
*EXECUTE
QPFR/QPTCHGJT *PGM
*USE
*EXECUTE
PGM Library
QPFR/QPTAGRPR *PGM
*USE
*EXECUTE
QAPGGPHF *FILE in From library
*USE
*EXECUTE
CHGPEXDFN (Q)
CPYFCNARA (Q)
QPFR/QAVCPP *PGM
CPYGPHFMT (Q)4
*EXECUTE
To library (if QAPGGPHF *FILE does not

exist)
*EXECUTE, *ADD
QAPGGPHF *FILE in To library (if adding *CHANGE

a new graph format or replacing an existing
one)
*EXECUTE
QPFR/QPGCPYGP *PGM
*USE
*EXECUTE
QAPGPKGF *FILE in From library
*USE
*EXECUTE
To library (if QAPGPKGF *FILE does not

exist)
QAPGPKGF *FILE in To library (if adding
a new graph package or replacing an
existing one)
CPYGPHPKG (Q)
*CHANGE
*EXECUTE
QAPGGPHF *FILE in To library (if adding *USE

a new graph package or replacing an
existing one)
*EXECUTE
QPFR/QPGCPYGP *PGM
*EXECUTE
*USE
From library
*EXECUTE
To library
*EXECUTE, *ADD
Job description
406
*EXECUTE, *ADD
*USE
*EXECUTE
Authority Needed
Command
Referenced Object
For Object
For Library
CPYPFRDTA (Q)
QPFR/QITCPYCP *PGM
*USE
*EXECUTE
Performance data (all QAPM* files)
*USE
*EXECUTE
Model library
CRTBESTMDL (Q)
*EXECUTE, *ADD
Job description
*USE
*EXECUTE
QPFR/QCYCBMCP *PGM
*USE
*EXECUTE
QPFR/QCYCBMDL *PGM
*USE
*EXECUTE
QPFR/QCYOPDBS *PGM
*USE
*EXECUTE
QPFR/QCYCLIDS *PGM
*USE
*EXECUTE
QPFR/QCYCAPT *PGM
*USE
*EXECUTE
Library where the Functional Area is created
CRTFCNARA (Q)
*EXECUTE, *ADD
QAPTAPGP *FILE in target library (if

adding a new functional area)
*CHANGE
*EXECUTE
QPFR/QPTAGRP *PGM
*USE
*EXECUTE
Library where the Graph Format is created
CRTGPHFMT (Q)
*EXECUTE, *ADD
QAPGGPHF *FILE in target library (if

adding a new graph format)
*CHANGE
*EXECUTE
QPFR/QPGCRTFM *PGM
*USE
*EXECUTE
Library where the Graph Package is created
CRTGPHPKG (Q)
*EXECUTE, *ADD
QAPGGPHF *FILE
*CHANGE
*EXECUTE
QAPGPKGF *FILE in target library (if

adding a new graph package)
*USE
*EXECUTE
QPFR/QPGCRTPK *PGM
*USE
*EXECUTE
Library where the historical data is created
CRTHSTDTA (Q)
*ADD, *READ
Job description
*USE
*EXECUTE
QPFR/QPGCRTHS *PGM
*USE
*EXECUTE
To Library
CRTPEXDTA (Q)
*MGTCOL Library
Data library
CRTPFRDTA (Q)
CVTPFRDTA (Q)
*EXECUTE
*READ,*ADD2
From Library
*EXECUTE
To Library
*ADD, *READ
From Library
*USE
Job description
*USE
2
CVTPFRTHD (Q)
DLTBESTMDL (Q)
*ADD, *READ
*EXECUTE
Performance data
*ADD, *READ
Model library
*EXECUTE, *ADD
QPFR/QCYDBMDL *PGM
*USE
*EXECUTE
QPFR/QCYCVTBD *CMD
*USE
*EXECUTE
QPFR/QCYCBTOD *PGM
*USE
*EXECUTE
QAPTAPGP *FILE in the functional area

library
*CHANGE
*EXECUTE
407
Authority Needed
Command
DLTFCNARA (Q)
DLTGPHFMT (Q)4
DLTGPHPKG (Q)4
DLTHSTDTA (Q)4
DLTPEXDTA (Q)
Referenced Object
For Object
For Library
QPFR/QPTAGRPD *PGM
*USE
*EXECUTE
QAPGGPHF *FILE in the graph format

library
*CHANGE
*EXECUTE
QPFR/QPGDLTGP *PGM
*USE
*EXECUTE
QAPGPKGF *FILE in the graph package

library
*CHANGE
*EXECUTE
QPFR/QPGDLTGP *PGM
*USE
*EXECUTE
QAPGHSTD *FILE in the historical data

library
*CHANGE
*EXECUTE
QAPGHSTI *FILE in the historical data

library
*CHANGE
*EXECUTE
QAPGSUMD *FILE in the historical data

library
*CHANGE
*EXECUTE
QPFR/QPGDLTHS *PGM
*USE
*EXECUTE
Data Library
*EXECUTE, *DELETE
2
DLTPFRDTA (Q)4
DMPTRC (Q)
QPFR/QPTDLTCP *PGM
*USE
Library where the trace data will be stored
DSPACCGRP (Q)
DSPHSTGPH (Q)
DSPPFRDTA (Q)
*EXECUTE, *ADD
Output file (QAPTPAGD)
*CHANGE
*EXECUTE, *ADD
QPFR/QPTPAGD0 *PGM
*USE
*EXECUTE
Format or package library
*EXECUTE
Historical data library
*EXECUTE
Output file library
*EXECUTE, *ADD
Output queue
*USE
*EXECUTE
Job description
*USE
*EXECUTE
QPFR/QPGCTRL *PGM
*USE
*EXECUTE
Historical data library

QPFR/QAVCPP *PGM
*EXECUTE
*USE
Format or package library
DSPPFRGPH (Q)
Performance data
*EXECUTE
Output file library
*EXECUTE, *ADD
Output queue
*USE
*EXECUTE
Job description
*USE
*EXECUTE
QPFR/QPGCTRL *PGM
*USE
*EXECUTE
Output file library
ENDJOBTRC (Q)
ENDPEX (Q)
PRTACTRPT (Q)4
408
*EXECUTE
*EXECUTE
*EXECUTE
*EXECUTE
Job description
*USE
*EXECUTE
QPFR/QPTTRCJ0 *PGM
*USE
*EXECUTE
Data Library
*READ, *ADD
QPFR/QITPRTAC *PGM
*USE
*EXECUTE
Performance data2
*USE
*ADD, *READ
Job description
*USE
*EXECUTE
Authority Needed
Command
4
PRTCPTRPT (Q)
Referenced Object
For Object
For Library
QPFR/QPTCPTRP *PGM
*USE
*EXECUTE
*ADD, *READ
Performance data
Job description
PRTJOBRPT (Q)
QPFR/QPTITVXC *PGM
*USE
*EXECUTE
*USE
*EXECUTE
*ADD, *READ
Performance data
PRTJOBTRC (Q)
Job description
*USE
*EXECUTE
QPFR/QPTTRCRP *PGM
*USE
*EXECUTE
Job trace file (QAPTTRCJ) library
PRTLCKRPT (Q)
PRTPEXRPT
Job description
*USE
*EXECUTE
QPFR/QPTLCKQ *PGM
*USE
*EXECUTE
Data Library
PRTPOLRPT (Q)
*EXECUTE
*EXECUTE2
Outfile
*USE
*EXECUTE,*ADD
QPFR/QVPEPRTC *PGM
*USE
*EXECUTE
QPFR/QVPESVGN *SRVPGM
*USE
*EXECUTE
QPFR/QYPESVGN *SRVPGM
*USE
*EXECUTE
QPFR/QPTITVXC *PGM
*USE
*EXECUTE
*ADD, *READ
Performance data
Job description
PRTRSCRPT (Q)
QPFR/QPTITVXC *PGM
*USE
*EXECUTE
*USE
*EXECUTE
*ADD, *READ
Performance data
PRTSYSRPT (Q)
Job description
*USE
*EXECUTE
QPFR/QPTTNSRP *PGM
*USE
*EXECUTE
QAPMDMPT *FILE
PRTTNSRPT (Q)
*EXECUTE
Job description
*USE
*EXECUTE
QPFR/QPTTNSRP *PGM
*USE
*EXECUTE
Trace file (QTRJOBT) library
PRTTRCRPT (Q)
RMVPEXDFN (Q)
*EXECUTE
Job description
*USE
*EXECUTE
QPFR/QPTTRCCP *PGM
*USE
*EXECUTE
QPFR/QCYBMAIN *PGM
*USE
*EXECUTE
Output file
*OBJOPR, *ADD
*EXECUTE
QPFR/QPTTRCJ1 *PGM
*USE
*EXECUTE
QPFR/QPGSTART *PGM
*USE
*EXECUTE
RMVPEXFTR (Q)5
STRBEST (Q)4
STRDBMON
3, 4
STRJOBTRC (Q)
STRPEX (Q)
STRPFRG (Q)4
409
Authority Needed
Command
STRPFRT (Q)
WRKFCNARA (Q)
WRKPEXDFN (Q)
Referenced Object
For Object
For Library
QPFR/QMNMAIN0 *PGM
*USE
*EXECUTE
QAPTAPGP *FILE in the functional areas

library
*CHANGE
*EXECUTE
CHGFCNARA command (Q)
*USE
*EXECUTE
CPYFCNARA command (Q)
*USE
*EXECUTE
CRTFCNARA command (Q)
*USE
*EXECUTE
DLTFCNARA command (Q)
*USE
*EXECUTE
QPFR/QPTAGRP *PGM
*USE
*EXECUTE
QPFR/QPTAGRPD *PGM
*USE
*EXECUTE
QPFR/QPTAGRPR *PGM
*USE
*EXECUTE
QPFR/QPTAGRPC *PGM
*USE
*EXECUTE
Output file (QAITMON)
*CHANGE, *ALTER
*EXECUTE, *ADD
QPFR/QITMONCP *PGM
*USE
*EXECUTE
WRKPEXFTR (Q)5
WRKSYSACT (Q)3, 4

v ENDDBMON3
v ENDPFRTRC (Q)
v STRPFRTRC (Q)
1
If the default library (QPEXDATA) is specified, authority to that library is not checked.
Authority is needed to the library that contains the set of database files. Authority to the individual set of
database files is not checked.
To use this command, you must have *JOBCTL special authority.
To use this command, you must have *SERVICE special authority.
To use this command, you must have *SERVICE special authority or you must be authorized to the Service
Trace function of Operating System/400 through iSeries Navigators Application Administration support.
The Change Function Usage Information (QSYCHFUI) API, with a function ID of QIBM_SERVICE_TRACE,
can also be used to change the list of users that are allowed to perform trace operations..
Print Descriptor Group Commands

Authority Needed
Command
Referenced Object
For Object
CHGPDGPRF
User profile
*OBJMGT
CRTPDG
Print descriptor group
DLTPDG
Print descriptor group
*OBJEXIST
DSPPDGPRF
User profile
*OBJMGT
RTVPDGPRF
User profile
*READ
410
For Library
*READ, *ADD
*EXECUTE

Authority Needed
Command
Referenced Object
For Object
For Library
1, 2
CHGPSFCFG
CRTGPSFCFG 1, 2
*READ, *ADD
DLTPSFCFG
1, 2
PSF Configuration
*OBJEXIST
*EXECUTE
DSPPSFCFG
PSF Configuration
*USE
*EXECUTE
PSF Configuration
*READ
*EXECUTE
WRKPSFCFG
The PSF/400 feature is required to use this command.
*IOSYSCFG special authroity is required to use this command.
Problem Commands
Authority Needed
Command
Referenced Object
For Object
For Library
ADDPRBACNE (Q)
Filter
*USE, *ADD
*EXECUTE
ADDPRBSLTE (Q)
Filter
*USE, *ADD
*EXECUTE
ANZPRB (Q)
SNDSRVRQS command
*USE
*EXECUTE
CHGPRB (Q)
*EXECUTE
CHGPRBACNE (Q)
Filter
*USE, *UPD
*EXECUTE
CHGPRBSLTE (Q)
Filter
*USE, *UPD
*EXECUTE
Command: DLTAPARDTA
*USE
*EXECUTE
Output file

page 311

page 311
*USE
*EXECUTE
*USE
*EXECUTE
*USE
*EXECUTE
DLTPRB (Q)
DSPPRB
PTRINTDTA (Q)
QRYPRBSTS (Q)
VFYCMN (Q)
Line description
Network ID
VFYOPT (Q)
Device description
*USE
*EXECUTE
VFYTAP (Q)
Device description
*USE
*EXECUTE
Device description
*USE
*EXECUTE
Line, controller, NWID (Netword ID), and

device based on problem analysis action
*USE
*EXECUTE
VFYPRT (Q)
WRKPRB (Q)
You need *USE authority to the communications object you are verifying.
You must have *USE authority to the SNDSRVRQS command to be able to report a problem.
You must have authority to DLTAPARDTA if you want the APAR data associated with the problem to be
deleted also. See DLTAPARDTA in the Service Commands-Authorities Needed table to determine
additional authorities that are needed.
411
Program Commands
Program Commands
Authority Needed
Command
Referenced Object
For Object
For Library
The object authorities required for the CRTxxxPGM commands are listed in the Languages table in Language
Commands on page 376
ADDBKP
1
1,2
ADDPGM
ADDTRC
CALL
Breakpoint handling program
*USE
*EXECUTE
Program
*CHANGE
*EXECUTE
Trace handling program
*USE
*EXECUTE
Program
*OBJOPR, *EXECUTE
*EXECUTE
*EXECUTE
*EXECUTE
Debug operation
*USE, *ADD, *DLT
*EXECUTE
Program
*OBJMGT, *USE
*USE
Program, if recreate option specified,

optimization level changed, or performance
data collection changed
*OBJMGT, *USE
*USE, *ADD, *DLT
Program, if USRPRF or USEADPAUT

parameter is being changed
Owner
*USE, *ADD, *DLT
Service program
*OBJMGT, *USE
Service program
CHGDBG
CHGHLLPTR
CHGPGM
CHGPGMVAR
CHGPTR
CHGSRVPGM
Service program, if recreate option specified, *OBJMGT, *USE

optimization level changed, or performance
data collection changed
*USE
*USE, *ADD, *DLT
Service program, if USRPRF or

USEADPAUT parameter is being changed.
Owner 7, *USE,
*OBJMGT
*USE, *ADD, *DLT
Program, Replace(*NO)

page 311
*READ, *ADD
Program, Replace(*YES)

page 311
*READ, *ADD
Service program specified in the

BNDSRVPGM parameter.
*USE
*EXECUTE
Module
*USE
*EXECUTE
Binding directory
*USE
*EXECUTE
Service program, Replace(*NO)

page 311
*READ, *ADD
Service program, Replace(*YES)

page 311
*READ, *ADD
Module
*USE
*EXECUTE
Service program specified in BNDSRVPGM

parameter
*USE
*EXECUTE
Export source file
*OBJOPR *READ
*EXECUTE
Binding directory
*USE
*EXECUTE
CLRTRCDTA 1
CRTPGM
CRTSRVPGM
412
Program Commands
Authority Needed
Command
Referenced Object
For Object
For Library
CVTCLSRC
From-file
*USE
*EXECUTE
To-file
*OBJOPR, *OBJMGT,
*USE, *ADD, *DLT
*READ, *ADD
Program
*OBJEXIST
*EXECUTE
Display file
*OBJEXIST
*EXECUTE
DLTPGM
Program
*OBJEXIST
*EXECUTE
DLTSRVPGM
Service program
*OBJEXIST
*EXECUTE
DMPCLPGM
CL Program
*USE
None
Source file
*USE
*USE
Any include files
*USE
*USE
Program
*CHANGE
*EXECUTE
Program
*READ
*EXECUTE
Program, if DETAIL(*MODULE) specified
*USE
*EXECUTE
Program
*OBJOPR
*EXECUTE
Output file

page 311

page 311
Service program
*READ
*EXECUTE
Service program, if DETAIL(*MODULE)

specified
*USE
*EXECUTE
*CHANGE
*EXECUTE
*USE
*USE
DLTDFUPGM
DSPBKP
1
1
DSPDBG
DSPDBGWCH
DSPMODSRC2, 4
DSPPGM
DSPPGMREF
DSPPGMVAR
DSPSRVPGM
DSPTRC
DSPTRCDTA 1
ENDCBLDBG
Program
(COBOL/400 licensed
program or S/38
environment)
ENDDBG
ENDRQS
Source debug program
*EXECUTE
ENTCBLDBG (S/38
environment)
Program
*CHANGE
*EXECUTE
EXTPGMINF
Source file and database files
*OBJOPR
*EXECUTE
Program information
PRTCMDUSG
RMVBKP
RSMBKP
*USE
*EXECUTE
1
1
RMVPGM
RMVTRC
Program
*READ, *ADD
1
1
413
Program Commands
Authority Needed
Command
Referenced Object
For Object
For Library
RTVCLSRC
Program
*OBJMGT, *USE
*EXECUTE
Database source file
*OBJOPR, *OBJMGT,
*ADD, *DLT
*EXECUTE
SETATNPGM
Attention-key-handling program
*OBJOPR or one or
more data authorities
*EXECUTE
SETPGMINF
Database files
*OBJOPR
*EXECUTE
Source file
*USE
*EXECUTE
Root program
*CHANGE
*READ, *ADD
Sub-program
*USE
*EXECUTE
Program
*CHANGE
*EXECUTE
*CHANGE
*EXECUTE
*USE
*EXECUTE
*USE
*EXECUTE
Source debug program
*USE
*EXECUTE
Unmonitored message program
*USE
*EXECUTE
Program
*USE or a data
*EXECUTE
*EXECUTE
Some language functions when using

high-level languages
*READ
*EXECUTE
Program
*OBJMGT, *OBJEXIST, *USE, *ADD

*USE
Service program specified in the

BNDSRVPGM parameter.
*USE
*EXECUTE
Module
*USE
*EXECUTE
Binding directory
*USE
*EXECUTE
Service Program
*OBJMGT, *OBJEXIST, *USE, *ADD

*USE
Service program specified in BNDSRVPGM

parameter
*USE
*EXECUTE
Module
*USE
*EXECUTE
Binding directory
*USE
*EXECUTE
Export source file
*OBJOPR *READ
*EXECUTE
Program
Any authority
*USE
Service program
Any authority
*USE
STRCBLDBG
STRDBG
Program
Source file
Any include files
TFRCTL
UPDPGM
UPDSRVPGM
WRKPGM
WRKSRVPGM
414
Program Commands
Authority Needed
Command
Referenced Object
For Object
For Library
When a program is in a debug operation, no further authority is needed for debug commands.
If you have *SERVICE special authority, you need only *USE authority to the program.
The DMPCLPGM command is requested from within a CL program that is already running. Because
authority to the library containing the program is checked at the time the program is called, authority to
the library is not checked again when the DMPCLPGM command is run.
Applies only to ILE programs.
The DB2 Universal Database for iSeries topic in the Information Center contains more information about
security requirements for SQL statements. See Prerequisite and related information on page xvi for
details.
To use individual operations, you need the authority required by the individual operation.
You must own the program or have *ALLOBJ and *SECADM special authorities.
Query Commands
Authority Needed
Command
ANZQRY
CHGQRYA
Referenced Object
For Object
For Library
Query definition
*USE
*EXECUTE
CRTQMFORM
CRTQMQRY
Query management form: REPLACE(*NO)
*READ, *ADD,
*EXECUTE
Query management form: REPLACE(*YES)
*ALL
*READ, *ADD,
*EXECUTE
Source file
*USE
*EXECUTE
Query management query: REPLACE(*NO)
*READ, *ADD,
*EXECUTE
Query management query: REPLACE(*YES)
*ALL
*READ, *ADD,
*EXECUTE
Source file
*USE
*EXECUTE
OVRDBF command
*USE
*EXECUTE
DLTQMFORM
Query management form
OBJEXIST
*EXECUTE
DLTQMQRY
Query management query
*OBJEXIST
*EXECUTE
DLTQRY
Query definition
*OBJEXIST
*EXECUTE
RTVQMFORM
Query manager form
*OBJEXIST
*EXECUTE
Target source file
*ALL
*READ, *ADD,
*EXECUTE
ADDPFM, CHGPFM, CLRPFM, CPYSRCF,

CRTPRTF, CRTSRCPF, DLTF, DLTOVR,
OVRDBF, RMVM commands
*USE
*EXECUTE
Query manager query
*USE
*EXECUTE
Target source file
*ALL
*READ, *ADD
ADDPFM, CHGPFM, CLRPFM, CPYSRCF,

CRTPRTF, CRTSRCPF, DLTF, DLTOVR,
OVRDBF, RMVM commands
*USE
*EXECUTE
RTVQMQRY
415
Query Commands
Authority Needed
Command
Referenced Object
For Object
For Library
RUNQRY
Query definition
*USE
*USE
Input files
*USE
*EXECUTE
Output files

page 311

page 311
*USE
*EXECUTE
Query management form, if specified
*USE
*EXECUTE
Query definition, if specified
*USE
*EXECUTE
Output file

page 311

page 311
STRQMQRY
STRQMPRC
ADDPFM, CHGOBJD, CHGPFM, CLRPFM, *USE

CPYSRCF, CRTPRTF, CRTSRCPF, DLTF,
DLTOVR, GRTOBJAUT OVRDBF, OVRPRTF
RMVM commands (if OUTPUT(*OUTFILE)
is specified)
*EXECUTE
Source file containing query manager

procedure
*USE
*EXECUTE
Source file containing command source file,

if specified
*USE
*EXECUTE
OVRPRTF command, if statements result in

printed report or query object.
*USE
*EXECUTE
STRQRY
*EXECUTE
WRKQMFORM
WRKQMQRY
WRKQRY
Query management form
Any authority
*USE
Any authority
*USE
To run STRQM, you must have the authority required by the statements in the query. For example, to
insert a row in a table requires *OBJOPR, *ADD, and *EXECUTE authority to the table.
To use individual command, you must have *JOBCTL special authority.
QSH Shell Interpreter Commands

These commands do not require any authorities to objects:
STRQSH
QSH1
QSH is an alias for the STRQSH CL command.
Question and Answer Commands

416
Question and Answer Commands

Authority Needed
Command
Referenced Object
Database file QAQAxxBQPY
ASKQST
Database file QAQAxxBBPY

QAQAxxBQPY 1
CHGQSTDB (Q)
ANSQST (Q)
CRTQSTDB
(Q)
or
For Object
For Library
*READ
*READ
*READ
*READ
*READ
*READ
Database files
*READ, *ADD,
*EXECUTE
*READ
*READ
*READ
*READ
*READ
*READ
*READ
*READ
1,3
*READ
*READ, *ADD,
*EXECUTE

QAQAxxBQPY 1
*READ
*READ
WRKQST

QAQAxxBQPY 1
*READ
*USE
CRTQSTLOD (Q)
DLTQST (Q)
DLTQSTDB (Q)
EDTQST (Q)
LODQSTDB
STRQST
(Q)
or
WRKCNTINF
*EXECUTE
The xx portion of the file name is the index of the Question and Answer database being operated on by
the command. The index is a two-digit number in the range 00 to 99. To obtain the index for a particular
Question and Answer database, use the WRKCNTINF command.
The user profile running the command becomes the owner of newly created files, unless the OWNER
parameter of the users profile is *GRPPRF. Public authority for new files, except QAQAxxBBPY, is set to
*EXCLUDE. Public authority for QAQAxxBBPY is set to *READ.
Authority to the file is required only if loading a previously existing Question and Answer database.
The command displays the Question and Answer menu. To use individual options, you must have the
authority required by those options.
Reader Commands
Authority Needed
Command
Referenced Object
For Object
For Library
STRDBRDR
Message queue
*OBJOPR, *ADD
*EXECUTE
Database file
*OBJOPR, *USE
*EXECUTE
Job queue
*READ
*EXECUTE
Message queue
*OBJOPR, *ADD
*EXECUTE
Job queue
*READ
*EXECUTE
Device description
*OBJOPR, *READ
*EXECUTE
STRDKTRDR
These commands to not require any authority to objects:

ENDRDR
1
HLDRDR
RLSRDR
You must be the user who started the reader, or you must have all object (*ALLOBJ) or job control
(*JOBCTL) special authority.
417
Registration Facility Commands
Registration Facility Commands

Authority Needed
Command
Referenced Object
For Object
For Library
ADDEXITPGM (Q)
Exit program
*USE
*EXECUTE
RMVEXITPGM (Q)
Exit program
*USE
*EXECUTE
WRKREGINF
Exit program
*USE
*EXECUTE
Relational Database Commands

Authority Needed
Command
Referenced Object
For Object
For Library
ADDRDBDIRE
*EXECUTE
*EXECUTE
CHGRDBDIRE
*EXECUTE
*EXECUTE
Remote location devide description

DSPRDBDIRE
*CHANGE
page 311

page 311
These commands do not require any authority to objects:

RMVRDBDIRE
WRKRDBDIRE
1
Authority verified when the RDB directory entry is used.
Resource Commands
Authority Needed
Command
Referenced Object
For Object
For Library

page 311

page 311
DSPHDWRSC
DSPSFWRSC
EDTDEVRSC
WRKHDWRSC
1
418
If you use the option to create a configuration object, you must have authority to use the appropriate CRT
command.
RJE (Remote Job Entry) Commands

Authority Needed
Command
Referenced Object
For Object
For Library
ADDFCTE
Forms control table
*DELETE, *USE,
*ADD
*READ, *EXECUTE
*USE
*READ, *EXECUTE
Device file
1,2
Physical file
1,2
(RJE generates members)
*OBJMGT, *USE,
*ADD
*READ, *EXECUTE,
*ADD
Physical file
1,2
(member specified)
*USE, *ADD
*READ, *EXECUTE
*USE
*READ, *EXECUTE
*USE, *ADD
*READ, *EXECUTE
QUSER user profile
*USE
*READ, *EXECUTE
Session description
*USE, *ADD, *DLT
*READ, *EXECUTE
*USE
*READ, *EXECUTE
*USE
*READ, *EXECUTE
QUSER user profile
*USE
*READ, *EXECUTE
Session description
*READ, *ADD, *DLT
*READ, *EXECUTE
*READ
*READ, *EXECUTE
*READ, *ADD
*READ, *EXECUTE
*READ, *ADD, *DLT
*READ, *EXECUTE
*USE
*READ, *EXECUTE
Program
1,2
Message queue
ADDRJECMNE
BSC/CMN file
1,2
1,2
Device description
ADDRJERDRE
Job queue
Message queue
ADDRJEWTRE
Session description
Device file
1,2
Physical file
1,2
*OBJMGT, *USE,
*ADD
*READ, *EXECUTE,
*ADD
Physical file
1.2
(member specified)
*OBJOPR, *ADD
*READ, *EXECUTE
*USE
*READ, *EXECUTE
*USE, *ADD
*READ, *EXECUTE
QUSER user profile
*USE
*READ, *EXECUTE
CHGFCT
Forms control table
*OBJOPR, *OBJMGT
*READ, *EXECUTE
CHGFCTE
Forms control table
*USE
*READ, *EXECUTE
*USE
*READ, *EXECUTE
Program
1,2
Message queue
Device file
1,2
Physical file
1,2
*OBJMGT, *USE,
*ADD
*READ, *EXECUTE,
*ADD
Physical file
1,2
(member specified)
*USE, *ADD
*READ, *EXECUTE
*USE
*READ, *EXECUTE
*USE, *ADD
*READ, *EXECUTE
QUSER user profile
*USE
*READ, *EXECUTE
Session description
*USE
*READ, *EXECUTE
*USE
*READ, *EXECUTE
*USE
*READ, *EXECUTE
*USE
*READ, *EXECUTE
Program
1,2
Message queue
CHGRJECMNE
1,2
BSC/CMN file
1,2
1,2
Device description
QUSER user profile
419

Authority Needed
Command
Referenced Object
For Object
For Library
CHGRJERDRE
Session description
*USE, *ADD, *DLT
*READ, *EXECUTE
*USE
*READ, *EXECUTE
*USE, *ADD
*READ, *EXECUTE
*USE
*READ, *EXECUTE
*USE
*READ, *EXECUTE
Job queue
Message queue
CHGRJEWTRE
Session description
Device File
1,2
Physical file
1,2
*OBJMGT, *USE,
*ADD
*READ, *EXECUTE,
*ADD
Physical file
1,2
(member specified)
*OBJOPR, *ADD
*READ, *EXECUTE
*USE
*READ, *EXECUTE
*USE, *ADD
*READ, *EXECUTE
QUSER user profile
*USE
*READ, *EXECUTE
Session description
*OBJMGT, *READ,
*UPD, *OBJOPR
*EXECUTE, *READ
*USE
*EXECUTE
*USE, *ADD
*EXECUTE
*USE
*EXECUTE
QUSER user profile
*USE
*EXECUTE
Session description
*USE
*EXECUTE
Message queue
*USE, *ADD
*EXECUTE
Session description
*USE
*EXECUTE
Message queue
*USE, *ADD
*EXECUTE
Program
1,2
Message queue
CHGSSND
Job queue
1,2
1,2
Message queue
1,2
Forms control table
CNLRJERDR
CNLRJEWTR
1,2
CRTFCT
Forms control table
*READ, *ADD
CRTRJEBSCF
BSC file
*READ, *EXECUTE,
*ADD
CRTRJECFG
420
Source physical file (DDS)
*READ
*EXECUTE
Device description
*READ
*EXECUTE
Session description
*READ, *ADD, *UPD,

*OBJOPR
Job queue
*READ, *ADD
Job description
*READ, *OBJOPR,
*ADD
*READ, *OBJOPR,
*ADD
Message queue
*READ, *ADD
CMN file
*READ, *EXECUTE,
*ADD
BSC file
*READ, *EXECUTE,
*ADD
Printer file
*USE, *ADD

Authority Needed
Command
Referenced Object
CRTRJECFG
(continued)
Physical file
For Object
*EXECUTE, *ADD
3
*USE
*EXECUTE
Output queue
*READ
*EXECUTE
Forms control table
*READ
*READ
User profile QUSER
CRTRJECMNF
CRTSSND
For Library
Device description
*EXECUTE
*EXECUTE
Line description
*EXECUTE
Communication file
*READ, *EXECUTE,
*ADD
Source physical file (DDS)
*READ
*EXECUTE
Device description
*READ
*EXECUTE
Session description
*READ, *ADD, *UPD,

*OBJOPR
1,2
*USE
*EXECUTE
*USE, *ADD
*EXECUTE
*USE
*EXECUTE
QUSER user profile
*USE
*EXECUTE
Forms control table
*USE
*EXECUTE
Input file
*USE, *UPD
*EXECUTE
Output file (RJE generates member)
*OBJMGT, *USE,
*ADD
*READ, *EXECUTE,
*ADD
Output file (member specified)
*USE, *ADD
*EXECUTE
DLTFCT
Forms control table
*OBJEXIST
*EXECUTE
DLTRJECFG
Session description
*OBJEXIST
*EXECUTE
Job queue
*OBJEXIST
*EXECUTE
BSC/CMN file
*OBJEXIST, *OBJOPR
*EXECUTE
Physical file
*OBJEXIST, *OBJOPR
*EXECUTE
Printer file
*OBJEXIST, OBJOPR
*EXECUTE
Message queue
*OBJEXIST, *USE,
*DLT
*EXECUTE
Job description
*OBJEXIST
*EXECUTE
*OBJEXIST, *USE
*EXECUTE
*OBJEXIST
*EXECUTE
*OBJEXIST
*EXECUTE
*OBJEXIST
*EXECUTE
Session description
*OBJEXIST
*EXECUTE
Session description
*READ
*EXECUTE
Session description
*USE
*EXECUTE
Forms control table
*OBJOPR, *READ,
*ADD, *DLT
*EXECUTE
Job queue
Message queue
1,2
Forms control table
CVTRJEDTA
1,2
Device description
Line description
DLTSSND
DSPRJECFG
ENDRJESSN
RMVFCTE
421

Authority Needed
Command
Referenced Object
For Object
For Library
RMVRJECMNE
Session description
*OBJOPR, *READ,
*ADD, *DLT
*EXECUTE
RMVRJERDRE
Session description
*OBJOPR, *READ,
*ADD, *DLT
*EXECUTE
RMVRJEWTRE
Session description
*OBJOPR, *READ,
*ADD, *DLT
*EXECUTE
SNDRJECMD
Session description
*USE
*EXECUTE
SBMRJEJOB
Session description
*USE
*EXECUTE
*USE
*EXECUTE
*USE, *ADD
*EXECUTE
Input file
Message queue
Job-related objects
SNDRJECMD
Session description
*USE
*EXECUTE
STRRJECSL
Session description
*USE
*EXECUTE
Message queue
*USE
*EXECUTE
Session description
*USE
*USE
Session description
*USE
*USE, *ADD
Program
*USE
*EXECUTE
*USE
*EXECUTE
STRRJERDR
STRRJESSN
User profile QUSER

Job-related objects
STRRJEWTR
*USE
*USE
*USE
*READ, *EXECUTE
*USE, *ADD
*READ, *EXECUTE
Device file
Physical file
*OBJMGT, *USE,
*ADD
*OBJOPR, *ADD
Physical file
(member specified)
*READ, *ADD
*READ, *EXECUTE
*USE, *ADD
*READ, *EXECUTE
QUSER user profile
*USE
*READ, *EXECUTE
Forms control table
*USE
*EXECUTE
Session description
*USE
*EXECUTE
Session description
*CHANGE
*EXECUTE
Message queue
WRKFCT
WRKRJESSN
WRKSSND
*EXECUTE
Session description
Program
User profile QUSER requires authority to this object.
If the object is not found or the required authority is not held, an information message is sent and the
function of the command is still performed.
This authority is required to create job description QRJESSN.
This authority is only required when DLTCMN(*YES) is specified.
Input files include those imbedded using the .. READFILE control statement.
Refer to authority required for the SBMJOB command 370.
422
Security Attributes Commands
Security Attributes Commands

Authority Needed
Command
CHGSECA
Referenced Object
For Object
For Library
CHGSECAUD
CFGSYSSEC
2,3
1,2,3
DSPSECA
DSPSECAUD
2,3
PRTSYSSECA 2
1
You must have *SECADM special authority to use this command.
You must have *AUDIT special authority to use this command.
Server Authentication Entry Commands

Authority Needed
Command
ADDSVRAUTE
Referenced Object
For Object
For Library
User profile
*READ
*EXECUTE
CHGSVRAUTE1
DSPSVRAUTE
RMVSVRAUTE
1
If the user profile for this operation is not *CURRENT or the current user for the job, you must have
*SECADM special authority and *OBJMGT and *USE authority to the profile.
Service Commands
Authority Needed
Command
APYPTF (Q)
Referenced Object
For Object
Product library
*OBJMGT
For Library
CHGSRVA (Q)
CHKCMNTRC
(Q)
CHKPRDOPT (Q)
*EXECUTE
All objects in product option
423
Service Commands
Authority Needed
Command
2
CPYPTF (Q)
Referenced Object
For Object
For Library
From file
*USE
*EXECUTE
To-file
Same requirements as Same requirements as

the SAVOBJ command the SAVOBJ command
Device description
*USE
Licensed program
CPYPTFGRP2 (Q)
*EXECUTE
*USE
Commands: CHKTAP, CPYFRMTAP,

CPYTOTAP, CRTLIB, CRTSAVF, CRTTAPF,
and OVRTAPF
*USE
*EXECUTE
QSRV library
*USE
*EXECUTE
Device description
*USE
*EXECUTE
To-file
*Same requirements
as the SAVOBJ
command
*Same requirements
as the SAVOBJ
command
From-file
*USE
*EXECUTE
Commands: CHKTAP, CRTLIB, CRTSAVF
*USE
*EXECUTE
NWID (network ID) or line description
*USE
*EXECUTE
DLTAPARDTA (Q)
3
DLTCMNTRC
(Q)
DLTPTF (Q)
Cover letter file

PTF save file
DLTTRC (Q)
*EXECUTE
*EXECUTE
RMVM command
*USE
QSYS Library
*EXECUTE
Database Files
*OBJEXIST, *OBJOPR
DMPJOB (Q)
*EXECUTE
DMPJOBINT (Q)
DSPPTF (Q)
Output file

page 311

page 311
NWID or line description
*USE
*EXECUTE
Device description
*USE
*EXECUTE
QSYS Library
*ADD, *EXECUTE
Database files
*OBJOPR,
*OBJMGMT, *ADD,
*DLT
Commands: PTRTRC, DLTTRC
*USE
Device Description
*USE
*EXECUTE
RSTOBJ command
*USE
*EXECUTE
*USE
*EXECUTE
Output file

page 311

page 311
DSPSRVA (Q)
DSPSRVSTS (Q)
ENDCMNTRC
(Q)
ENDCPYSCN (Q)
ENDSRVJOB (Q)
ENDTRC (Q)
INSPTF (Q)
LODPTF (Q)
LODRUN
PRTCMNTRC
424
(Q)
Service Commands
Authority Needed
Command
Referenced Object
For Object
For Library
PRTERRLOG (Q)
Output file

page 311

page 311
QSYS Library
*EXECUTE
Database Files
*USE
DLTTRC command
*USE
Product library
*OBJMGT
Line description
*READ
*EXECUTE
Commands: CRTDUPOBJ, CRTLIB,

CRTOUTQ, CRTSAVF, DLTF, DMPOBJ,
DMPSYSOBJ, DSPCTLD, DSPDEVD,
DSPHDWRSC, DSPJOB, DSPLIND,
DSPLOG, DSPNWID, DSPPTF,
DSPSFWRSC, OVRPRTF, PRTERRLOG,
PRTINTDTA, SAV, SAVDLO, SAVLIB,
SAVOJB, WRKACTJOB, and WRKSYSVAL
*USE
*EXECUTE
*CHANGE
*EXECUTE
*USE
*EXECUTE
Job queue
*USE
*EXECUTE
Device description
*USE
*EXECUTE

page 311

page 311
User profile of job
*USE
*EXECUTE
PRTINTDTA (Q)
PRTTRC (Q)
RMVPTF (Q)
RUNLPDA (Q)
6
SAVAPARDTA (Q)
Existing problem
SNDPTFORD
10
(Q)
SNDSRVRQS (Q)
STRCMNTRC
(Q)
STRCPYSCN
STRSRVJOB (Q)
STRSST
(Q)
STRTRC (Q)
TRCCNN
*READ, *WRITE
11
TRCCPIC (Q)
TRCICF (Q)
TRCINT11 (Q)
TRCJOB (Q)
VFYCMN (Q)

page 311

page 311
Exit program, if specified
*USE
*EXECUTE
*USE
*EXECUTE
*USE
*EXECUTE
*USE
*EXECUTE
Line description
Network ID
VFYLNKLPDA (Q)
Line description
*READ
*EXECUTE
VFYPRT (Q)
Device description
*USE
*EXECUTE
VFYOPT (Q)
Device description
*USE
*EXECUTE
VFYTAP (Q)
Device description
*USE
*EXECUTE
QUSRSYS/QPVINDEX *USRIDX
*CHANGE
*USE
WRKCNTINF (Q)
WRKFSTAF (Q)
425
Service Commands
Authority Needed
Command
Referenced Object
For Object
For Library
WRKFSTPCT (Q)
QUSRSYS/QPVPCTABLE *USRIDX
*CHANGE
*USE
Line, controller, NWID (Network ID), and

device based on problem analysis action
*USE, *ADD
*EXECUTE
WRKPRB
1, 10
(Q)
WRKPTFGRP (Q)
WRKSRVPVD (Q)
1
You need authority to the PRTERRLOG command for some analysis procedures or if the error log records
are being saved.
All restrictions for the RSTOBJ command also apply.
Service (*SERVICE) special authority is required to run this command.
The objects listed are used by the command, but authority to the objects is not checked. Authority to use
the command is sufficient to use the objects.
You need *USE authority to the communications object that you are verifying.
You must have *SPLCTL special authority to save a spooled file.
When SAVAPARDTA is run for a new problem, a unique APAR library is created for that problem. If you
run SAVAPARDTA again for the same problem to collect more information, you must have Use authority
to the APAR library for the problem.
The option to add a new member to an existing output file is not valid for this command.
This command has the same authorities and restrictions as the APYPTF command and the LODPTF
command.
10
To access options 1 and 3 on the Select Reporting Option display, you must have *USE authority to the
SNDSRVRQS command.
11
To use this command, you must have *SERVICE special authority, or be authorized to the Service Trace
function of OS/400 through Operations Navigators Application Administration support. The Change
Function Usage Information (QSYCHFUI) API, with a function ID of QIBM_SERVICE_TRACE, can also be
used to change the list of users that are allowed to perform trace operations.
11
To use this command, you must have *SERVICE special authority, or be authorized to the Service Trace
function of OS/400 through Operations Navigators Application Administration support. The Change
Function Usage Information (QSYCHFUI) API, with a function ID of QIBM_SERVICE_TRACE, can also be
used to change the list of users that are allowed to perform trace operations.
Spelling Aid Dictionary Commands

Authority Needed
Command
Referenced Object
For Object
For Library
CRTSPADCT
*OBJEXIST
*EXECUTE
Dictionary - REPLACE(*NO)
DLTSPADCT
WRKSPADCT
1
426
*READ, *ADD
Dictionary - REPLACE(*YES)

page 311
*READ, *ADD
*OBJEXIST
*EXECUTE
Any authority
*USE
Sphere of Control Commands
Sphere of Control Commands

Authority Needed
Command
Referenced Object
For Object
For Library
ADDSOCE
Sphere of control
*USE, *ADD
*EXECUTE
Sphere of control
*USE, *DLT
*EXECUTE
Sphere of control
*USE
*EXECUTE
DSPSOCSTS
RMVSOCE
WRKSOC
1
The sphere of control is physical file QUSRSYS/QAALSOC.
Spooled File Commands

Command
CHGSPLFA
1,2
Authority Needed
Referenced
Object
For Object
For Library
Output
queue 3
*READ,
*DLT, *ADD
*EXECUTE
*DTAAUT
*EXECUTE
*OWNER
Owner
1
CHGSPLFA , Original
if moving
output
queue 3
spooled file
*READ,
*ADD, *DLT
Owner
DSPDTA
AUTCHK
*EXECUTE
*DTAAUT
*EXECUTE
*OWNER
*YES or *NO
CPYSPLF
Spooled file
Owner
Target
output
queue7
*READ
Target
device
*USE
Database
file
See General
Rules on
page 311
Spooled file
Owner
Output
queue 3
*READ
*EXECUTE
*YES
*READ,
*ADD, *DLT
*EXECUTE
*NO
*DTAAUT
*EXECUTE
*NO
*OWNER
*EXECUTE
*YES or *NO
Owner
DLTSPLF
Output
queue 3
Special
Authority
*YES
*JOBCTL
*YES
*JOBCTL
*YES
*JOBCTL
*YES
*JOBCTL
*YES
*JOBCTL
*OWNER
*EXECUTE
See General
Rules on
page 311
*OWNER
*READ,
*ADD, *DLT
Owner
OPRCTL
*EXECUTE
*DTAAUT
*EXECUTE
*OWNER
427
Spooled File Commands

Referenced
Object
Command
DSPSPLF
Output
queue 3
Authority Needed
For Object
For Library
DSPDTA
*READ
*EXECUTE
*YES
*READ,
*ADD, *DLT
*EXECUTE
*NO
*DTAAUT
*EXECUTE
*NO
*OWNER
Owner
AUTCHK
*YES or *NO
HLDSPLF
Spooled file
Owner
Output
queue 3
*READ,
*ADD, *DLT
Owner
OPRCTL
Special
Authority
*YES
*JOBCTL
*YES
*JOBCTL
*YES
*JOBCTL
*YES
*JOBCTL
*OWNER
*EXECUTE
*DTAAUT
*EXECUTE
*OWNER
RCLSPLSTG
(Q)
RLSSPLF 1, 8
Output
queue 3
*READ,
*ADD, *DLT
Owner
SNDNETSPLF Output
1,5
queue 3
*DTAAUT
*EXECUTE
*OWNER
*READ
*EXECUTE
*YES
*READ,
*ADD, *DLT
*EXECUTE
*NO
*DTAAUT
*EXECUTE
*NO
*OWNER
*EXECUTE
*YES or *NO
Owner
Spooled file
*EXECUTE
Owner
*OWNER
WRKSPLF
|
|
|
Users are always authorized to control their own spooled files.
To move a spooled file to the front of an output queue (PRTSEQ(*NEXT)) or change its priority to a value
greater than the limit specified in your user profile, you must have one of the authorities shown for the
output queue or have *SPLCTL special authority.
If you have *SPLCTL special authority, you do not need any authority to the output queue.
You must have *USE authority to the recipients output queue and output queue library when sending a
file to a user on the same system.
If you have job control (*JOBCTL) special authority and the output queue is set to OPRCTL(*YES), you do
not need *EXECUTE authority to the library of the output queue.
If you have *SPLCTL special authority, you must have *EXECUTE authority to the target output queue
library.
When the spooled file has been held with HLDJOB SPLFILE(*YES) and the spooled file was also decoupled
from the job, the user will need to have *USE authority to the RLSJOB command and either have *JOBCTL
special authority or be the owner of the spooled file.
Subsystem Description Commands

428

Authority Needed
Command
Referenced Object
For Object
For Library
ADDAJE
*OBJOPR, *OBJMGT,
*READ
*EXECUTE
Job description
*OBJOPR, *READ
*EXECUTE
*OBJOPR, *OBJMGT,
*READ
*EXECUTE
Job description
*OBJOPR, *READ
*EXECUTE
User profile
*OBJOPR, *READ
ADDJOBQE
*OBJOPR, *OBJMGT,
*READ
*EXECUTE
ADDPJE
*OBJOPR, *OBJMGT,
*READ
*EXECUTE

specify *PGMSTRRQS
*OBJOPR, *READ
*EXECUTE
User profile
*OBJOPR, *READ
Job description
*OBJOPR, *READ
*EXECUTE
ADDRTGE
*OBJOPR, *OBJMGT,
*READ
*EXECUTE
ADDWSE
*OBJOPR, *OBJMGT,
*READ
*EXECUTE
Job description
*OBJOPR, *READ
*EXECUTE
*OBJOPR, *OBJMGT,
*READ
*EXECUTE
Job description
*OBJOPR, *READ
*EXECUTE
*OBJOPR, *OBJMGT,
*READ
*EXECUTE
Job description
*OBJOPR, *READ
*EXECUTE
User profile
*OBJOPR, *READ
CHGJOBQE
*OBJOPR, *OBJMGT,
*READ
*EXECUTE
CHGPJE
*OBJOPR, *OBJMGT,
*READ
*EXECUTE

specify *PGMSTRRQS
*OBJOPR, *READ
*EXECUTE
User profile
*OBJOPR, *READ
Job description
*OBJOPR, *READ
*EXECUTE
*OJBOPR, *OBJMGT,
*READ
*EXECUTE
*OJBOPR, *OBJMGT,
*READ
*EXECUTE
Sign-on display file4
*YES
*EXECUTE
*OJBOPR, *OBJMGT,
*READ
*EXECUTE
Job description
*OBJOPR, *READ
*EXECUTE
ADDCMNE
CHGAJE
CHGCMNE
CHGRTGE
CHGSBSD
CHGWSE
429

Authority Needed
Command
CRTSBSD
Referenced Object
(Q)
For Object
For Library
Sign-on display file
*READ, *ADD
*USE
*EXECUTE
DLTSBSD
*OBJEXIST, *USE
*EXECUTE
DSPSBSD
*OBJOPR, *READ
*EXECUTE
RMVAJE
*OBJOPR, *OBJMGT,
*READ
*EXECUTE
RMVCMNE
*OBJOPR, *OBJMGT,
*READ
*EXECUTE
RMVJOBQE
*OBJOPR, *OBJMGT,
*READ
*EXECUTE
RMVPJE
*OBJOPR, *OBJMGT,
*READ
*EXECUTE
RMVRTGE
*OBJOPR, *OBJMGT,
*READ
*EXECUTE
RMVWSE
*OBJOPR, *OBJMGT,
*READ
*EXECUTE
ENDSBS
PRTSBSDAUT
STRSBS
WRKSBS
*USE
*READ, *EXECUTE
2, 3
Any authority
*USE
Any authority
*USE
WRKSBSD
1
You must have job control (*JOBCTL) special authority to use this command.
Requires some authority (anything but *EXCLUDE)
The authority is needed to complete format checks of the display file. This helps predict that the display
will work correctly when the subsystem is started. When you are not authorized to the display file or its
library, those format checks will not be performed.
You must have *SECADMIN or *ALLBOJ special authority to specify a specific library for the subsystem
library.
You must have *ALLBOJ special authority to use this command.
System Commands
CHGSHRPOOL
DSPSYSSTS
ENDSYS1
PWRDWNSYS1
RCLACTGRP1
1
430
RCLRSC
RETURN
RTVGRPA
SIGNOFF
WRKSHRPOOL
You must have job control (*JOBCTL) special authority to use this command.
WRKSYSSTS
System Reply List Commands
System Reply List Commands

These commands do not require object authorities:
ADDRPYLE (Q)
CHGRPYLE (Q)
RMVRPYLE (Q)
WRKRPYLE
System Value Commands

These commands to not require any authority to objects:
CHGSYSVAL (Q)
1,2
DSPSYSVAL
WRKSYSVAL 1,2
RTVSYSVAL
To change some system values, you must have *ALLOBJ and *SECADM special authority.
To change some system values, you must have *AUDIT special authority.
System/36 Environment Commands

Authority Needed
Command
Referenced Object
For Object
For Library
CHGS36
S/36 configuration object QS36ENV
*UPD
*EXECUTE
CHGS36A
*UPD
*EXECUTE
CHGS36PGMA
Program
*OBJMGT, *USE
*EXECUTE
CHGS36PRCA
File QS36PRC
*OBJMGT, *USE
*EXECUTE
CHGS36SRCA
Source
*OBJMGT, *USE
*EXECUTE
CRTMSGFMNU
Menu: REPLACE(*NO)
CRTS36DSPF
*READ, *ADD
Menu: REPLACE(*YES)

page 311
*READ, *ADD
Display file if it exists
*ALL
*EXECUTE
Message file
*USE
*CHANGE
Source file QS36SRC
*ALL
*EXECUTE
*READ, *ADD

page 311
*READ, *ADD,
*CHANGE

*NONE
*ALL
*CHANGE
Source file QS36SRC
*USE
*EXECUTE
*OBJOPR
*EXECUTE
431

Authority Needed
Command
Referenced Object
CRTS36MNU
Menu: REPLACE(*NO)
For Object
*READ, *ADD,
*CHANGE
Menu: REPLACE(*YES)

page 311
*READ, *ADD,
*CHANGE

*NONE
*ALL
*CHANGE
Source file QS36SRC
*USE
*EXECUTE
Display file when REPLACE(*YES) is

specified
*ALL
*EXECUTE
Message files named in source
*ALL
*EXECUTE
Display file
CRTS36MSGF
For Library
*CHANGE
CRTMSGF command
*OBJOPR, *OBJEXIST
*EXECUTE
ADDMSGD command
*OBJOPR
*EXECUTE
CRTDSPF command
*OBJOPR
*EXECUTE
Message file: REPLACE(*NO)
*READ, *ADD,
*CHANGE
Message file: REPLACE(*YES)

page 311
*READ, *ADD,
*CHANGE

*NONE
*ALL
*CHANGE
Source file QS36SRC
*USE
*EXECUTE
Display file when REPLACE(*YES) is

specified
*ALL
*EXECUTE
Message file named in source
*ALL
*EXECUTE
Message file named in source when

OPTION is *ADD or *CHANGE
*CHANGE
*EXECUTE
Message files named in source when

OPTION(*CREATE) is specified
*ALL
*EXECUTE
CRTMSGF command
*OBJOPR, *OBJEXIST
*EXECUTE
ADDMSGD command
*OBJOPR
*EXECUTE
CHGMSGD command when

OPTION(*CHANGE) is specified
*OBJOPR
*EXECUTE
DSPS36
*READ
*EXECUTE
EDTS36PGMA
Program, to modify attributes
*OBJMGT, *USE
*EXECUTE
Program, to view attributes
*USE
*EXECUTE
File QS36PRC, to modify attributes
*OBJMGT, *USE
*EXECUTE
File QS36PRC, to view attributes
*USE
*EXECUTE
Source file QS36SRC, to modify attributes
*OBJMGT, *USE
*EXECUTE
Source file QS36SRC, to view attributes
*USE
*EXECUTE
EDTS36PRCA
EDTS36SRCA
432

Authority Needed
Command
Referenced Object
For Object
For Library
RSTS36F (Q)
From-file
*USE
*EXECUTE
To-file
*ALL

page 311
Based-on physical file, if file being restored

is a logical (alternative) file
*CHANGE
*EXECUTE
*USE
*EXECUTE
S/36 folder
*USE
*EXECUTE
To-folder
*CHANGE
*EXECUTE
*USE
*EXECUTE
From-file
*USE
*EXECUTE
To-file
*ALL

page 311
*USE
*EXECUTE
RTVS36A
*UPD
*EXECUTE
SAVS36F
From-file
*USE
*EXECUTE
*ALL

page 311
*USE
*EXECUTE
From-file
*USE
*EXECUTE
*ALL

page 311
*USE
*EXECUTE
WRKS36
*READ
*EXECUTE
WRKS36PGMA
Program, to modify attributes
*OBJMGT, *USE
*EXECUTE
Program, to view attributes
*USE
*EXECUTE
File QS36PRC, to modify attributes
*OBJMGT, *USE
*EXECUTE
File QS36PRC, to view attributes
*USE
*EXECUTE
Source file QS36SRC, to modify attributes
*OBJMGT, *USE
*EXECUTE
Source file QS36SRC, to view attributes
*USE
*EXECUTE
RSTS36FLR
1,2,3
(Q)
RSTS36LIBM (Q)
SAVS36LIBM
WRKS36PRCA
WRKS36SRCA
You need *ALL authority to the document if replacing it. You need operational and all the data authorities
to the folder if restoring new information into the folders, or you need *ALLOBJ special authority.
If used for a data dictionary, only the authority to the command is required.
You must be enrolled in the system distribution directory if the source folder is a document folder.
Table Commands
Authority Needed
Command
Referenced Object
CRTTBL
Table
DLTTBL
For Object
For Library
*READ, *ADD,
*EXECUTE
Source file
*USE
*EXECUTE
Table
*OBJEXIST
*EXECUTE
433
Table Commands
Authority Needed
Command
WRKTBL
1
Referenced Object
For Object
For Library
Table
Any authority
*USE
TCP/IP Commands
Authority Needed
Command
Referenced Object
For Object
For Library
CVTTCPCL (Q)
File objects
*USE
*EXECUTE
*USE
*EXECUTE
*USE
*EXECUTE
*USE
*EXECUTE
*USE
*EXECUTE
*USE
*EXECUTE
*USE
*EXECUTE
*USE
*EXECUTE
*USE
*EXECUTE
*USE
*EXECUTE
*USE
*EXECUTE
*USE
*EXECUTE
File Objects
*USE
*EXECUTE
ENDTCPSRV (Q)
File objects
*USE
*EXECUTE
FTP
File objects
*USE
*EXECUTE
Table objects
*USE
*EXECUTE
Workstation customizing object
*USE
*EXECUTE
Table objects
*USE
*EXECUTE
*USE
*EXECUTE
File objects
*USE
*EXECUTE
*USE
*EXECUTE
*USE
*EXECUTE
*USE
*EXECUTE
Table objects
*USE
*EXECUTE
File objects
*USE
*EXECUTE
*USE
*EXECUTE
*USE
*EXECUTE
*USE
*EXECUTE
*USE
*EXECUTE
ENDTCP (Q)
Line description
Device description
File Objects
ENDTCPIFC (Q)
File objects
Line description
Device description
ENDTCPPTP
Line description
Device description
LPR
SETVTTBL
SNDTCPSPLF
STRTCP (Q)
Line description
Device description
STRTCPFTP
STRTCPIFC (Q)
File objects
Line description
Device description
434
Transmission Control Protocol/Internet Protocol Commands

Authority Needed
Command
Referenced Object
For Object
For Library
*USE
*EXECUTE
*USE
*EXECUTE
*USE
*EXECUTE
File Objects
*USE
*EXECUTE
Table objects
*USE
*EXECUTE
File objects
*USE
*EXECUTE
Table objects
*USE
*EXECUTE
*USE
*EXECUTE
*USE
*EXECUTE
*USE
*EXECUTE
*USE
*EXECUTE
*USE
*EXECUTE
CHGVTMAP
DSPVTMAP
ENDTCPCNN
MGRTCPHT 1
NETSTAT
PING
RMVCOMSNMP
RMVNETTBLE 1
RMVPCLTBLE 1
RMVSRVTBLE 1
RMVTCPHTE1
RMVTCPIFC1
RMVTCPPORT 1
RMVTCPRSI 1
RMVTCPRTE 1
RNMTCPHTE 1
SETVTMAP
VFYTCPCNN
WRKNAMSMTP
WRKNETTBLE1
WRKPCLTBLE1
WRKSRVTBLE1
WRKTCPSTS
STRTCPPTP
Line description
Device description
STRTCPSVR (Q)
STRTCPTELN
File objects
Virtual workstation device
TELNET
Table objects
File objects
Virtual workstation device

ADDCOMSNMP
ADDNETTBLE 1
ADDPCLTBLE 1
ADDSRVTBLE 1
ADDTCPHTE 1
ADDTCPIFC 1
ADDTCPPORT 1
ADDTCPRSI 1
ADDTCPRTE 1
CFGTCP
CFGTCPAPP
CFGTCPFTP 1
CFGTCPLPD 1
CFGTCPSMTP
CFGTCPSNMP
CFGTCPTELN
CHGCOMSNMP
CHGFTPA 1
CHGLPDA 1
CHGSMTPA 1
CHGSNMPA 1
CHGTCPA 1
CHGTCPHTE1
CHGTCPIFC1
CHGTCPRTE 1
CHGTELNA 1
You must have *IOSYSCFG special authority to use this command.
The SNDTCPSPLF command and the LPR command use the same combinations of referenced object
authorities as the SNDNETSPLF command. See page 428.
You must have *SECADM special authority to change the system alias table or another user profiles alias
table.
If you have *JOBCTL special authority, you do not need the specified authority to the object.
If you have *JOBCTL special authority, you do not need the specified authority to the object on the remote
system.
Upgrade Order Information Data Commands

These commands are shipped with public authority *EXCLUDE. Appendix C
shows which IBM-supplied user profiles are authorized to the command. The
security officer can grant *USE authority to others.
Authority Needed
Command
Referenced Object
For Object
For Library
WRKORDINF
QGPL/QMAHFILE file
*CHANGE,
*OBJALTER
*EXECUTE
435
User Profile Commands
User Index, User Queue, User Space Commands

Table 140.
Command
Referenced Object
Authority Needed
For Object
For Library
DLTUSRIDX
User index
*OBJEXIST
*EXECUTE
DLTUSRQ
User queue
*OBJEXIST
*EXECUTE
DLTUSRSPC
User space
*OBJEXIST
*EXECUTE

Authority Needed
Command
ANZDFTPWD
(Q)
Referenced Object
For Object
User profile
*OBJMGT, *USE
For Library
3, 14,
15
ANZPRFACT 3, 14,
15(Q)
CHGACTPRFL 14(Q)
CHGACTSCDE 3, 14,
15(Q)
CHGDSTPWD
CHGEXPSCDE 3, 14,
15(Q)
CHGPRF
Initial program
*USE
*EXECUTE
Job description
*USE
*EXECUTE
Message queue
*USE
*EXECUTE
*USE
*EXECUTE
*USE
*EXECUTE
*USE
*EXECUTE
Output queue
Attention-key- handling program

Current library
CHGPWD
436
11
*EXECUTE
Initial menu
CHGUSRAUD
*USE
(Q)

Authority Needed
Command
3
CHGUSRPRF
Referenced Object
For Object
For Library
User profile
*OBJMGT, *USE
*EXECUTE
*USE
*EXECUTE
Initial program
*USE
*EXECUTE
Job description
*USE
*EXECUTE
Message queue
*USE
*EXECUTE
*USE
*EXECUTE
*USE
*EXECUTE
*USE
*EXECUTE
Initial menu
Output queue
Current library
2
2,4
CHGUSRPRTI
Group profile (GRPPRF or SUPGRPPRF)
*OBJMGT, *OBJOPR, *EXECUTE

*READ, *ADD, *UPD,
*DLT
User profile
*CHANGE
Initial program
*USE
*EXECUTE
Initial menu
*USE
*EXECUTE
Job description
*USE
*EXECUTE
Message queue
*USE
*EXECUTE
Output queue
*USE
*EXECUTE
Attention-key- handling program
*USE
*EXECUTE
*USE
*EXECUTE
CHKPWD
CRTUSRPRF 3, 12, 17
Current library
4
3,9
DLTUSRPRF
Group profile (GRPPRF or SUPGRPPRF)
*OBJMGT, *OBJOPR, *EXECUTE

*READ, *ADD, *UPD,
*DLT
User profile
*OBJEXIST, *USE
*EXECUTE
*OBJEXIST, *USE,
*DLT
*EXECUTE
Message queue
DSPACTPRFL 14(Q)
DSPACTSCD
14
DSPAUTUSR
DSPEXPSCD
14
(Q)
DSPUSRPRF
DSPUSRPRTI
PRTPRFINT
14
*READ
User profile
*OBJMGT
Output file

page 311

page 311
User profile
*READ
*EXECUTE
Output file

page 311

page 311
User profile
*USE
Referenced user profile
*READ
Objects you are granting authority to
*OBJMGT
(Q)
DSPPGMADP
GRTUSRAUT
User profile
*EXECUTE
(Q)
PRTUSRPRF
14
RSTAUT (Q)
(Q)
437

Authority Needed
Command
RSTUSRPRF (Q)
Referenced Object
For Object
For Library
User profile
*READ
User profile
*USE
Save file, if empty
*USE, *ADD
*EXECUTE
Save file, if records exist
*OBJMGT, *USE,
*ADD
*EXECUTE
User profile
Any authority
8,10,
16
RTVUSRPRF
RTVUSRPRTI
SAVSECDTA
WRKUSRPRF
|
|
|
|
|
|
|
|
13
This command can be run only if you are signed on as QSECOFR.
You need authority only to the objects for fields you are changing in the user profile.
*SECADM special authority is required.
*OBJMGT authority to the group profile cannot come from adopted authority.
The message queue associated with the user profile is deleted if it is owned by that user profile. To delete
the message queue, the user running the DLTUSRPRF command must have the authorities specified.
The display includes only user profiles to which the user running the command has the specified authority.
See the authorities required for the GRTOBJAUT command on page Commands Common for Most
Objects on page 313.
*SAVSYS special authority is required.
If you select the option to delete objects owned by the user profile, you must have the necessary authority
for the delete operations. If you select the option to transfer ownership to another user profile, you must
have the necessary authority to the objects and to the target user profile. See information for the
CHGOBJOWN command on page Commands Common for Most Objects on page 313.
10
11
12
The user whose profile is created is given these authorities to it: *OBJMGT, *OBJOPR, *READ, *ADD, *DLT,
*UPD, *EXECUTE.
13
14
15
You must have *JOBCTL special authority to use this command.
16
You must have *ALLOBJ and *SECADM special authorities to specify SECDTA(*PWDGRP), USRPRF(*ALL)
or OMITUSRPRF.
17
When you perform a CRTUSRPRF, you can not create a user profile (*USRPRF) into an independent disk
pool. However, when a user is privately authorized to an object in the independent disk pool, is the owner
of an object on an independent disk pool, or is the primary primary group of an object on an independent
disk pool, the name of the profile is stored on the independent disk pool. If the independent disk pool is
moved to another system, the private authority, object ownership, and primary group entries will be
attached to the profile with the same name on the target system. If a profile does not exist on the target
system, a profile will be created. The user will not have any special authorities and the password will be
set to *NONE.
438
User-Defined File System
User-Defined File System

Command
ADDMFS
1,2,3,4
CRTUDFS
1,2
DLTUDFS
1,2,6,7
(Q)
(Q)
Referenced Object
Object Type
File System
Authority
Needed for
Object
/dev/QASPxx
*DIR
"root"
*W, *RX
/dev/QASPxx/yyy
*BLKSF
"root"
*R
*DIR
"root"
*W
/dev/QASPxx
*DIR
"root"
*RWX
/dev/QASPxx
*DIR
"root"
*RWX
"root"
*RWX,
*OBJEXIST
any_epfs_object
DSPUDFS
MOUNT
1,2,3,4
RMVMFS
1,4
UNMOUNT
1,4
some_dirsxx
*DIR
"root"
*RX
/dev/QASPxx
*DIR
"root"
*RWX
/dev/QASPxx/yyy
*BLKSF
"root"
*R
*DIR
"root"
*W
some_dirs
*DIR
"root"
n/a
some_dirs
*DIR
"root"
n/a
QASPxx is either 01 (system asp) or 02-16 based on which user asp is needed. This is the directory that
contains the *BLKSF that is being mounted.
The directory that is mounted over (dir_to_be_mounted_over) is any IFS directory that can be mounted
over.
You must provide a path to some object. You must have *X authority for all directories in that path.
You must have *RX authority to the /etc/exports stream file and the directories in the /etc/exports path.
A UDFS can contain an entire subtree of EPFS objects, so when you delete a UDFS, you delete objects of all
types that can be stored in an EPFS file system.
When using the DLTUDFS commands, you must have *OBJEXIST authority on every object in the UDFS or
no objects are deleted.
This object is allowed on independent disk pools.
Validation List Commands

Authority Needed
Command
Referenced Object
CRTVLDL
Validation list
DLTVLDL
Validation list
For Object
For Library
*ADD, *READ
*OBJEXIST
*EXECUTE
439
Workstation Customizing Commands
Workstation Customizing Commands

Authority Needed
Command
Referenced Object
For Object
For Library
CRTWSCST
Source file
*USE
*EXECUTE
Workstation customizing object, if

REPLACE(*NO)
*READ, *ADD
Workstation customizing object, if

REPLACE(*YES)
*OBJMGT, *OBJEXIST *READ, *ADD
DLTWSCST
*OBJEXIST
*EXECUTE
RTVWSCST
To-file, if it exists and a new member is

added
*OBJOPR, *OBJMGT,
*ADD
*EXECUTE
To-file, if file and member exist
*OBJOPR, *ADD,
*DLT
*EXECUTE
To-file, if the file does not exist
*READ, *ADD
Writer Commands
Authority Needed
Referenced
Object
Command
CHGWTR 2, 4
For Object
For Library
AUTCHK
Current output *READ, *ADD, *EXECUTE

queue1
*DLT
*DTAAUT
Owner
ENDWTR
Output queue
HLDWTR
Output queue
RLSWTR
Output queue
STRDKTWTR
Output queue
*EXECUTE
*EXECUTE

*DLT
Owner
*EXECUTE

*DLT
Owner

*DLT
Owner
*EXECUTE

*DLT
Owner
*EXECUTE
*EXECUTE
Message queue *OBJOPR,

*ADD
Device
description
440
*OBJOPR,
*READ
*EXECUTE
OPRCTL
Special
Authority
*YES
*JOBCTL
*YES
*JOBCTL
*YES
*JOBCTL
*YES
*JOBCTL
*YES
*JOBCTL
*OWNER
*DTAAUT
*OWNER
*DTAAUT
*OWNER
*DTAAUT
*OWNER
*DTAAUT
*OWNER
Writer Commands
Referenced
Object
Command
STRPRTWTR
Output queue
Authority Needed
For Object
For Library
AUTCHK

*DLT
*DTAAUT
Owner
*EXECUTE
STRRMTWTR
*EXECUTE
User-defined
*READ
driver program
*EXECUTE
Data transform *READ

program
*EXECUTE
Separator
program
*READ
*EXECUTE
Device
description
*OBJOPR,
*READ
Output queue

*DLT
Owner
*EXECUTE
*YES
*JOBCTL
*YES
*JOBCTL
*DTAAUT
*OWNER
*EXECUTE
User data
transform
Special
Authority
*OWNER
*EXECUTE
*ADD
OPRCTL

*ADD
*EXECUTE
User driver
program
*READ
*EXECUTE
*READ
*EXECUTE
WRKWTR
1
If you have *SPLCTL special authority, you do not need any authority to the output queue.
To change the output queue for the writer, you need one of the specified authorities for the new output
queue.
You must have *EXECUTE authority to the new output queues library even if the user has *SPLCTL
special authority.
441
Writer Commands
442
Appendix E. Object Operations and Auditing

This appendix lists operations that can be performed against objects on the system,
and whether those operations are audited. The lists are organized by object type.
The operations are grouped by whether they are audited when *ALL or *CHANGE
is specified for the OBJAUD value of the CHGOBJAUD or CHGDLOAUD
command.
Whether an audit record is written for an action depends on a combination of
system values, a value in the user profile of the user performing the action, and a
value defined for the object. Planning the Auditing of Object Access on page 263
describes how to set up auditing for objects.
Operations shown in the tables in uppercase, such as CPYF, refer to CL commands,
unless they are labeled as an application programming interface (API).
Operations Common to All Object Types:
v Read operation
CRTDUPOBJ
Create Duplicate Object (if *ALL is specified for from-object).
DMPOBJ
Dump Object
DMPSYSOBJ
Dump System Object
SAV
Save Object in Directory
SAVCHGOBJ
Save Changed Object
SAVLIB
Save Library
SAVOBJ
Save Object
SAVSAVFDTA
Save Save File Data
SAVDLO
Save DLO Object
SAVLICPGM
Save Licensed Program
SAVSHF
Save Bookshelf
Note: The audit record for the save operation will identify if the save
was done with the STG(*FREE).
v Change operation
APYJRNCHG
Apply Journaled Changes
443
Object Auditing
CHGOBJD
Change Object Description
CHGOBJOWN
Change Object Owner
CRTxxxxxx
Create object
Notes:
1. If *ALL or *CHANGE is specified for the target library, a ZC entry is
written when an object is created.
2. If *CREATE is active for action auditing, a CO entry is written when
an object is created.
DLTxxxxxx
Delete object
Notes:
1. If *ALL or *CHANGE is specified for the library containing the
object, a ZC entry is written when an object is deleted.
2. If *ALL or *CHANGE is specified for the object, a ZC entry is written
when it is deleted.
3. If *DELETE is active for action auditing, a DO entry is written when
an object is deleted.
ENDJRNxxx
End Journaling
GRTOBJAUT
Note: If authority is granted based on a referenced object, an audit
record is not written for the referenced object.
MOVOBJ
Move Object
QjoEndJournal
End Journaling
QjoStartJournal
Start Journaling
RCLSTG
Reclaim Storage:
If an object is secured by a damaged *AUTL, an audit record is
written when the object is secured by the QRCLAUTL authorization
list.
An audit record is written if an object is moved into the QRCL
library.
RMVJRNCHG
Remove Journaled Changes
RNMOBJ
Rename Object
RST
Restore Object in Directory
RSTCFG
Restore Configuration Objects
444
Object Auditing
RSTLIB
Restore Library
RSTLICPGM
Restore Licensed Program
RSTOBJ
Restore Object
RVKOBJAUT
STRJRNxxx
Start Journaling
v Operations that are not audited
Prompt
Prompt override program for a change command (if one exists)

CHKOBJ
Check Object
ALCOBJ
Allocate Object
CPROBJ
Compress Object
DCPOBJ
Decompress Object
DLCOBJ
Deallocate Object
DSPOBJD
DSPOBJAUT
EDTOBJAUT
Note: If object authority is changed and action auditing includes
*SECURITY, or the object is being audited, an audit record is
written.
QSYCUSRA
Check Users Authority to an Object API
QSYLUSRA
List Users Authorized to an Object API. An audit record is not written
for the object whose authority is being listed. An audit record is written
for the user space used to contain information.
QSYRUSRA
Retrieve Users Authority to Object API
RCLTMPSTG
Reclaim Temporary Storage
3. A prompt override program displays the current values when prompting is requested for a command. For example, if you type
CHGURSPRF USERA and press F4 (prompt), the Change User Profile display shows the current values for the USERA user
profile.
445
Object Auditing
RTVOBJD
Retrieve Object Description
SAVSTG
Save Storage (audit of SAVSTG command only)
WRKOBJLCK
Work with Object Lock
WRKOBJOWN
WRKxxx
Work with object commands
Operations for Access Path Recovery Times:
Note: Changes to access path recovery times are audited if the action auditing
(QAUDLVL) system value or the action auditing (AUDLVL) parameter in
the user profile includes *SYSMGT.
v Operations that are audited
CHGRCYAP
Change Recovery for Access Paths
EDTRCYAP
Edit Recovery for Access Paths
DSPRCYAP
Display Recovery for Access Paths
Operations for Alert Table (*ALRTBL):
v Read operation
None
v Change operation
ADDALRD
Add Alert Description
CHGALRD
Change Alert Description
CHGALRTBL
Change Alert Table
RMVALRD
Remove Alert Description
Print
Print alert description
WRKALRD
Work with Alert Description
WRKALRTBL
Work with Alert Table
Operations for Authorization List (*AUTL):
v Read operation
446
Object Auditing
None
v Change operation
ADDAUTLE
CHGAUTLE
EDTAUTL
RMVAUTLE
DSPAUTL
DSPAUTLOBJ
DSPAUTLDLO
Display Authorization List DLO
RTVAUTLE
QSYLATLO
List Objects Secured by *AUTL API
WRKAUTL
Work with authorization list
Operations for Authority Holder (*AUTHLR):
v Read operation
None
v Change operation
Associated
When used to secure an object.
DSPAUTHLR
Operations for Binding Directory (*BNDDIR):
v Read operation
CRTPGM
Create Program
CRTSRVPGM
Create Service Program
|
|
RTVBNDSRC
Retrieve Binder Source
UPDPGM
Update Program
447
Object Auditing
UPDSRVPGM
Update Service Program
v Change operation
ADDBNDDIRE
Add Binding Directory Entries
RMVBNDDIRE
Remove Binding Directory Entries
DSPBNDDIR
Display the contents of a binding directory
WRKBNDDIR
Work with Binding Directory
WRKBNDDIRE
Work with Binding Directory Entry
Operations for Configuration List (*CFGL):
v Read operation
CPYCFGL
Copy Configuration List. An entry is written for the from-configuration-list
v Change operation
ADDCFGLE
Add Configuration List Entries
CHGCFGL
Change Configuration List
CHGCFGLE
Change Configuration List Entry
RMVCFGLE
Remove Configuration List Entry
DSPCFGL
Display Configuration List
WRKCFGL
Work with Configuration List
|
Operations for Special Files (*CHRSF):
See Operations for Stream File (*STMF) for *CHRSF auditing.

Operations for Chart Format (*CHTFMT):
v Read operation
Display
DSPCHT command or option F10 from the BGU menu
Print/Plot
DSPCHT command or option F15 from the BGU menu
Save/Create
Save or create graphics data file (GDF) using CRTGDF command or
option F13 from the BGU menu
448
Object Auditing
v Change operation
None
None
Operations for Change Request Description (*CRQD):
v Read operation
QFVLSTA
List Change Request Description Activities API
QFVRTVCD
Retrieve Change Request Description API
SBMCRQ
Submit Change Request
v Change operation
ADDCMDCRQA
Add Command Change Request Activity
ADDOBJCRQA
Add Object Change Request Activity
ADDPRDCRQA
Add Product Change Request Activity
ADDPTFCRQA
Add PTF Change Request Activity
ADDRSCCRQA
Add Resource Change Request Activity
CHGCMDCRQA
Change Command Change Request Activity
CHGCRQD
Change Change Request Description
CHGOBJCRQA
Change Object Change Request Activity
CHGPRDCRQA
Change Product Change Request Activity
CHGPTFCRQA
Change PTF Change Request Activity
CHGRSCCRQA
Change Resource Change Request Activity
QFVADDA
Add Change Request Description Activity API
QFVRMVA
Remove Change Request Description Activity API
RMVCRQDA
Remove Change Request Dscription Activity
WRKCRQD
Work with Change Request Descriptions
449
Object Auditing
Operations for C Locale Description (*CLD):
v Read operation
RTVCLDSRC
Retrieve C Locale Source
Setlocale
Use the C locale object during C program run time using the Set locale
function.
v Change operation
None
None
Operations for Class (*CLS):
v Read operation
None
v Change operation
CHGCLS
Change Class
Job start
When used by work management to start a job
DSPCLS
Display Class
WRKCLS
Work with Class
Operations for Command (*CMD):
v Read operation
Run
When command is run
v Change operation
CHGCMD
Change Command
CHGCMDDFT
Change Command Default
DSPCMD
Display Command
PRTCMDUSG
Print Command Usage
QCDRCMDI
Retrieve Command Information API
WRKCMD
Work with Command
The following commands are used within CL programs to control processing
and to manipulate data within the program. Their use is not audited.
450
Object Auditing
CALL 1
CALLPRC
CHGVAR
COPYRIGHT
DCL
DCLF
DO
ELSE
ENDDO
1
ENDPGM
ENDRCV
GOTO
IF
MONMSG
PGM
RCVF
RETURN
SNDF
SNDRCVF
TFRCTL
WAIT
CALL is audited if it is run interactively. It is not audited if it is run within a CL

program.
Operations for Connection List (*CNNL):

v Read operation
None
v Change operation
ADDCNNLE
Add Connection List Entry
CHGCNNL
Change Connection List
CHGCNNLE
Change Connection List Entry
RMVCNNLE
Remove Connection List Entry
RNMCNNLE
Rename Connection List Entry
Copy
Option 3 of WRKCNNL
DSPCNNL
Display Connection List
RTVCFGSRC
Retrieve source of connection list
WRKCNNL
Work with Connection List
WRKCNNLE
Work with Connection List Entry
Operations for Class-of-Service Description (*COSD):
v Read operation
None
v Change operation
CHGCOSD
Change Class-of-Service Description
DSPCOSD
Display Class-of-Service Description
451
Object Auditing
RTVCFGSRC
Retrieve source of class-of-service description
WRKCOSD
Copy class-of-service description
WRKCOSD
Work with Class-of-Service Description
Operations for Communications Side Information (*CSI):
v Read operation
DSPCSI
Display Communications Side Information
Initialize
Initialize conversation
v Change operation
CHGCSI
Change Communications Side Information
WRKCSI
Work with Communications Side Information
Operations for Cross System Product Map (*CSPMAP):
v Read operation
Reference
When referred to in a CSP application
v Change operation
None
DSPCSPOBJ
Display CSP Object
WRKOBJCSP
Work with Objects for CSP
Operations for Cross System Product Table (*CSPTBL):
v Read operation
Reference
When referred to in a CSP application
v Change operation
None
DSPCSPOBJ
Display CSP Object
WRKOBJCSP
Operations for Controller Description (*CTLD):
v Read operation
452
Object Auditing
SAVCFG
Save Configuration
VFYCMN
Link test
v Change operation
CHGCTLxxx
Change controller description
VRYCFG
Vary controller description on or off
DSPCTLD
Display Controller Description
ENDCTLRCY
End Controller Recovery
PRTDEVADR
Print Device Address
RSMCTLRCY
Resume Controller Recovery
RTVCFGSRC
Retrieve source of controller description
RTVCFGSTS
Retrieve controller description status
WRKCTLD
Copy controller description
WRKCTLD
Work with Controller Description
Operations for Device Description (*DEVD):
v Read operation
Acquire
First acquire of the device during open operation or explicit acquire
operation
Allocate
Allocate conversation
SAVCFG
Save Configuration
STRPASTHR
Start pass-through session
Start of the second session for intermediate pass-through
VFYCMN
Link test
v Change operation
CHGDEVxxx
Change device description
453
Object Auditing
HLDDEVxxx
Hold device description
RLSDEVxxx
Release device description
QWSSETWS
Change type-ahead setting for a device
VRYCFG
Vary device description on or off
DSPDEVD
Display Device Description
DSPMODSTS
Display Mode Status
ENDDEVRCY
End Device Recovery
HLDCMNDEV
Hold Communications Device
RLSCMNDEV
Release Communications Device
RSMDEVRCY
Resume Device Recovery
RTVCFGSRC
Retrieve source of device description
RTVCFGSTS
Retrieve device description status
WRKCFGSTS
Work with device status
WRKDEVD
Copy device description
WRKDEVD
Work with Device Description
Operations for Directory (*DIR):
v Read/search operations
|
|
|
access, accessx, QlgAccess, QlgAccessx

Determine file accessibility
|
|
CHGATR
Change Attribute
CPY
|
|
DSPCURDIR
Display Current Directory
|
|
DSPLNK
Display Links
|
|
faccessx
Determine file accessibility for a class of users by descriptor
454
Copy Object
Object Auditing
|
|
getcwd, qlgGetcwd
Get Path Name of Current Directory API
|
|
givedescriptor
Give File Access API
|
|
Qp0lGetAttr, QlgGetAttr
Get attributes APIs
|
|
Qp0lGetPathFromFileID, QlgGetPathFromFileID
Get Path From File APIs
|
|
Qp0lProcessSubtree, QlgProcessSubtree
Process a Path Name APIs
|
|
open, open64, QlgOpen, QlgOpen64, Qp0lOpen

Open File APIs
|
|
Qp0lSetAttr, QlgSetAttr
Set Attributes APIs
|
|
opendir, QlgOpendir
Open Directory APIs
|
|
RTVCURDIR
Retrieve Current Directory
SAV
|
|
WRKLNK
Work with Links
Save
v Change operation
CHGATR
Change Attributes
CHGAUD
Change Auditing
CHGAUT
Change Authority
CHGOWN
Change Owner
CHGPGP
chmod, QlgChmod
Change File Authorizations API
chown, QlgChown
Change Owner and Group API
CPY
Copy
CRTDIR
Create Directory
fchmod
Change File Authorizations by Descriptor API
fchown
Change Owner and Group of File by Descriptor API
givedescriptor
455
Object Auditing
mkdir, QlgMkdir
Make Directory API
MOV Move
|
|
Qp0lRenameKeep, QlgRenameKeep
Rename File or Directory, Keep New APIs
|
|
Qp0lRenameUnlink, QlgRenameUnlink
Rename File or Directory, Unlink New APIs
|
|
Qp0lSetAttr, QlgSetAttr
Set Attribute APIs
rmdir, QlgRmdir
Remove Directory API
RMVDIR
Remove Directory
RNM
Rename
RST
Restore
utime, QlgUtime
Set File Access and Modifcation Times API
WRKAUT
Work with Authority
WRKLNK
Work with Links
chdir, QlgChdir
Change Directory API
CHGCURDIR
Change Current Directory
close
Close File Descriptor API
closedir
Close Directory API
DSPAUT
Display Authority
dup
Duplicate Open File Descriptor API
dup2
Duplicate Open File Descriptor to Another Descriptor API
|
|
faccessx
Determine file accessibility for a class of users by descriptor
fchdir Change current directory by descriptor

fcntl
Perform File Control Command API
fpathconf
Get Configurable Path Name Variables by Descriptor API
fstat, fstat64
Get File Information by Descriptor APIs
|
|
givedescriptor
456
Object Auditing
ioctl
Perform I/O Control Request API
|
|
lseek, lseek64
Set File Read/Write Offset APIs
|
|
lstat, lstat64, QlgLstat, QlgLstat64

Get File or Link Information APIs
pathconf, QlgPathconf
Get Configurable Path Name Variables API
readdir
Read Directory Entry API
rewinddir
Reset Directory Stream API
select
Check I/O Status of Multiple File Descriptors API
stat, QlgStat
Get File Information API
takedescriptor
Take File Access API
Operations for Directory Services:
Note: Directory services actions are audited if the action auditing (QAUDLVL)
system value or the action auditing (AUDLVL) parameter in the user profile
includes *OFCSRV.
Add
Adding new directory entries
Change
Changing directory entry details
Delete Deleting directory entries
Rename
Renaming directory entries
Print
Displaying or printing directory entry details

Displaying or printing department details
Displaying or printing directory entries as the result of a search
RTVDIRE
Retrieve Directory Entry
Collect
Collecting directory entry data using directory shadowing
Supply
Supplying directory entry data using directory shadowing
CL commands
CL commands that work on the directory may be audited separately
using the object auditing function.
Note: Some CL directory commands cause an audit record because they
perform a function that is audited by *OFCSRV action auditing,
such as adding a directory entry.
457
Object Auditing
CHGSYSDIRA
Change System Directory Attributes
Departments
Adding, changing, deleting, or displaying directory department data
Descriptions
Assigning a description to a different directory entry using option 8
from the WRKDIR panel.
Adding, changing, or deleting directory entry descriptions
Distribution lists
Adding, changing, renaming, or deleting distribution lists
ENDDIRSHD
End Directory Shadowing
List
Displaying or printing a list of directory entries that does not include

directory entry details, such as using the WRKDIRE command or using
F4 to select entries for sending a note.
Locations
Adding, changing, deleting, or displaying directory location data
Nickname
Adding, changing, renaming or deleting nicknames
Search
Searching for directory entries
STRDIRSHD
Start Directory Shadowing
Operations for Document Library Object (*DOC or *FLR):
v Read operation
CHKDOC
Check document spelling
CPYDOC
Copy Document
DMPDLO
Dump DLO
DSPDLOAUD
Display DLO Auditing
Note: If auditing information is displayed for all documents in a folder,
and object auditing is specified for the folder, an audit record is
written. Displaying object auditing for individual documents does
not result in an audit record.
DSPDLOAUT
Display DLO Authority
DSPDOC
Display Document
DSPHLPDOC
Display Help Document
EDTDLOAUT
Edit DLO Authority
458
Object Auditing
MRGDOC
Merge Document
PRTDOC
Print Document
QHFCPYSF
Copy Stream File API
QHFGETSZ
Get Stream File Size API
QHFRDDR
Read Directory Entry API
QHFRDSF
Read Stream File API
RTVDOC
Retrieve Document
SAVDLO
Save DLO
SAVSHF
Save bookshelf
SNDDOC
Send Document
SNDDST
Send Distribution
WRKDOC
Work with Document
Note: A read entry is written for the folder containing the documents.
v Change operation
ADDDLOAUT
Add DLO Authority
ADDOFCENR
Add Office Enrollment
CHGDLOAUD
Change DLO Auditing
CHGDLOAUT
Change DLO Authority
CHGDLOOWN
Change DLO Ownership
CHGDLOPGP
Change DLO Primary Group
CHGDOCD
Change Document Description
CHGDSTD
Change Distribution Description
CPYDOC 4
Copy Document
459
Object Auditing
Note: A change entry is written if the target document already exists.
CRTFLR
Create Folder
CVTTOFLR 4
Convert to Folder
DLTDLO 4
Delete DLO
DLTSHF
Delete Bookshelf
DTLDOCL 4
Delete Document List
DLTDST 4
Delete Distribution
EDTDLOAUT
Edit DLO Authority
EDTDOC
Edit Document
FILDOC 4
File Document
GRTACCAUT
Grant Access Code Authority
GRTUSRPMN
MOVDOC 4
Move Document
MRGDOC 4
Merge Document
PAGDOC
Paginate Document
QHFCHGAT
Change Directory Entry Attributes API
QHFSETSZ
Set Stream File Size API
QHFWRTSF
Write Stream File API
QRYDOCLIB 4
Query Document Library
Note: A change entry is written if an existing document resulting from a
search is replaced.
RCVDST 4
Receive Distribution
4. A change entry is written for both the document and the folder if the target of the operation is in a folder.
460
Object Auditing
RGZDLO
Reorganize DLO
RMVACC
Remove access code, for any DLO to which the access code is attached
RMVDLOAUT
Remove DLO authority
RNMDLO 4
Rename DLO
RPLDOC
Replace Document
RSTDLO 4
Restore DLO
RSTSHF
Restore Bookshelf
RTVDOC
Retrieve Document (check out)
RVKACCAUT
Revoke Access Code Authority
RVKUSRPMN
SAVDLO 4
Save DLO
ADDACC
Add Access Code
DSPACC
Display Access Code
DSPUSRPMN
Display User Permission
QHFCHGFP
Change File Pointer API
QHFCLODR
Close Directory API
QHFCLOSF
Close Stream File API
QHFFRCSF
Force Buffered Data API
QHFLULSF
Lock/Unlock Stream File Range API
QHFRTVAT
Retrieve Directory Entry Attributes API
RCLDLO
Reclaim DLO (*ALL or *INT)
WRKDOCLIB
Work with Document Library
461
Object Auditing
WRKDOCPRTQ
Work with Document Print Queue
Operations for Data Area (*DTAARA):
v Read operation
DSPDTAARA
Display Data Area
RCVDTAARA
Receive Data Area (S/38 command)
RTVDTAARA
Retrieve Data Area
QWCRDTAA
Retrieve Data Area API
v Change operation
CHGDTAARA
Change Data Area
SNDDTAARA
Send Data Area
Data Areas
Local Data Area, Group Data Area, PIP (Program Initialization
Parameter) Data Area
WRKDTAARA
Work with Data Area
Operations for Interactive Data Definition Utility (*DTADCT):
v Read operation
None
v Change operation
Create Data dictionary and data definitions
Change
Data dictionary and data definitions
Copy
Data definitions (recorded as create)
Delete Data dictionary and data definitions

Rename
Data definitions
Display
Data dictionary and data definitions
LNKDTADFN
Linking and unlinking file definitions
Print
Data dictionary, data definitions, and where-used information for data

definitions
Operations for Data Queue (*DTAQ):

v Read operation
462
Object Auditing
QMHRDQM
Retrieve Data Queue Message API
v Change operation
QRCVDTAQ
Receive Data Queue API
QSNDDTAQ
Send Data Queue API
QCLRDTAQ
Clear Data Queue API
WRKDTAQ
Work with Data Queue
QMHQRDQD
Retrieve Data Queue Description API
Operations for Edit Description (*EDTD):
v Read operation
DSPEDTD
Display Edit Description
QECCVTEC
Edit code expansion API (via routine QECEDITU)
v Change operation
None
WRKEDTD
Work with Edit Descriptions
QECEDT
Edit API
QECCVTEW
API for translating Edit Work into Edit Mask
Operations for Exit Registration (*EXITRG):
v Read operation
QUSRTVEI
Retrieve Exit Information API
QusRetrieveExitInformation
Retrieve Exit Information API
v Change operation
ADDEXITPGM
Add Exit Program
QUSADDEP
Add Exit Program API
QusAddExitProgram
Add Exit Program API
QUSDRGPT
Deregister Exit Point API
463
Object Auditing
QusDeregisterExitPoint
Deregister Exit Point API
QUSRGPT
Register Exit Point API
QusRegisterExitPoint
Register Exit Point API
QUSRMVEP
Remove Exit Program API
QusRemoveExitProgram
Remove Exit Program API
RMVEXITPGM
Remove Exit Program
WRKREGINF
Work with Registration Information
None
Operations for Forms Control Table (*FCT):
v No Read or Change operations are audited for the *FCT object type.
Operations for File (*FILE):
v Read operation
CPYF
Copy File (uses open operation)
Open
Open of a file for read
DSPPFM
Display Physical File Member (uses open operation)
Open
Open of MRTs after the initial open
CRTBSCF
Create BSC File (uses open operation)
CRTCMNF
Create Communications File (uses open operation)
CRTDSPF
Create Display File (uses open operation)
CRTICFF
Create ICF File (uses open operation)
CRTMXDF
Create MXD File (uses open operation)
CRTPRTF
Create Printer File (uses open operation)
CRTPF
Create Physical File (uses open operation)
CRTLF
Create Logical File (uses open operation)
DSPMODSRC
Display Module Source (uses open operation)
464
Object Auditing
STRDBG
Start Debug (uses open operation)
QTEDBGS
Retrieve View Text API
v Change operation
Open
Open a file for modification
ADDBSCDEVE
(S/38E) Add Bisync Device Entry to a mixed device file
ADDCMNDEVE
(S/38E) Add Communications Device Entry to a mixed device file
ADDDSPDEVE
(S/38E) Add Display Device Entry to a mixed device file
ADDICFDEVE
(S/38E) Add ICF Device Entry to a mixed device file
ADDLFM
Add Logical File Member
ADDPFCST
Add Physical File Constraint
ADDPFM
Add Physical File Member
ADDPFTRG
Add Physical File Trigger
ADDPFVLM
Add Physical File Variable Length Member
CHGBSCF
Change Bisync function
CHGCMNF
(S/38E) Change Communications File
CHGDDMF
Change DDM File
CHGDKTF
Change Diskette File
CHGDSPF
Change Display File
CHGICFDEVE
Change ICF Device File Entry
CHGICFF
Change ICF File
CHGMXDF
(S/38E) Change Mixed Device File
CHGLF
Change Logical File
CHGLFM
Change Logical File Member
465
Object Auditing
CHGPF
Change Physical File
CHGPFCST
Change Physical File Constraint
CHGPFM
Change Physical File Member
CHGPRTF
Change Printer Device GQle
CHGSAVF
Change Save File
CHGS36PRCA
Change S/36 Procedure Attributes
CHGS36SRCA
Change S/36 Source Attributes
CHGTAPF
Change Tape Device File
CLRPFM
Clear Physical File Member
CPYF
Copy File (open file for modification, such as adding records, clearing a
member, or saving a member
EDTS36PRCA
Edit S/36 Procedure Attributes
EDTS36SRCA
Edit S/36 Source Attributes
INZPFM
Initialize Physical File Member
JRNAP
(S/38E) Start Journal Access Path (entry per file)
JRNPF
(S/38E) Start Journal Physical File (entry per file)
RGZPFM
Reorganize Physical File Member
RMVBSCDEVE
(S/38E) Remove BSC Device Entry from a mixed dev file
RMVCMNDEVE
(S/38E) Remove CMN Device Entry from a mixed dev file
RMVDSPDEVE
(S/38E) Remove DSP Device Entry from a mixed dev file
RMVICFDEVE
(S/38E) Remove ICF Device Entry from an ICM dev file
RMVM
Remove Member
RMVPFCST
Remove Physical File Constraint
466
Object Auditing
RMVPFTGR
Remove Physical File Trigger
RNMM
Rename Member
WRKS36PRCA
Work with S/36 Procedure Attributes
WRKS36SRCA
Work with S/36 Source Attributes
DSPCPCST
Display Check Pending Constraints
DSPFD
Display File Description
DSPFFD
Display File Field Description
DSPDBR
Display Database Relations
DSPPGMREF
Display Program File References
EDTCPCST
Edit Check Pending Constraints
OVRxxx
Override file
RTVMBRD
Retrieve Member Description
WRKPFCST
Work with Physical File Constraints
WRKF
Work with File
|
|
Operations for First-in First-out Files (*FIFO):

v See Operations for Stream File (*STMF) for the *FIFO auditing.
Operations for Folder (*FLR):
v See operations for Document Library Object (*DOC or *FLR)
Operations for Font Resource (*FNTRSC):
v Read operation
Print Printing a spooled file that refers to the font resource
v Change operation
None
WRKFNTRSC
Work with Font Resource
Print
Referring to the font resource when creating a spooled file
467
Object Auditing
Operations for Form Definition (*FORMDF):
v Read operation
Print Printing a spooled file that refers to the form definition
v Change operation
None
WRKFORMDF
Work with Form Definition
Print
Referring to the form definition when creating a spooled file
Operations for Filter Object (*FTR):

v Read operation
None
v Change operation
ADDALRACNE
Add Alert Action Entry
ADDALRSLTE
Add Alert Selection Entry
ADDPRBACNE
Add Problem Action Entry
ADDPRBSLTE
Add Problem Selection Entry
CHGALRACNE
Change Alert Action Entry
CHGALRSLTE
Change Alert Selection Entry
CHGPRBACNE
Change Problem Action Entry
CHGPRBSLTE
Change Problem Selection Entry
CHGFTR
Change Filter
RMVFTRACNE
Remove Alert Action Entry
RMVFTRSLTE
Remove Alert Selection Entry
WRKFTRACNE
Work with Alert Action Entry
WRKFTRSLTE
Work with Alert Selection Entry
WRKFTR
Work with Filter
468
Object Auditing
WRKFTRACNE
Work with Filter Action Entries
WRKFTRSLTE
Work with Filter Selection Entries
Operations for Graphics Symbols Set (*GSS):
v Read operation
Loaded
When it is loaded
Font
When it is used as a font in an externally described printer file
v Change operation
None.
WRKGSS
Work with Graphic Symbol Set
Operations for Double-Byte Character Set Dictionary (*IGCDCT):
v Read operation
DSPIGCDCT
Display IGC Dictionary
v Change operation
EDTIGCDCT
Edit IGC Dictionary
Operations for Double-Byte Character Set Sort (*IGCSRT):
v Read operation
CPYIGCSRT
Copy IGC Sort (from-*ICGSRT-object)
Conversion
Conversion to V3R1 format, if necessary
Print
Print character to register in sort table (option 1 from CGU menu)

Print before deleting character from sort table (option 2 from CGU
menu)
v Change operation
CPYIGCSRT
Copy IGC Sort (to-*ICGSRT-object)
Conversion
Conversion to V3R1 format, if necessary
Create Create a user-defined character (option 1 from CGU menu)
Delete Delete a user-defined character (option 2 from CGU menu)
Update
Update the active sort table (option 5 from CGU menu)
FMTDTA
Sort records or fields in a file
469
Object Auditing
Operations for Double-Byte Character Set Table (*IGCTBL):
v Read operation
CPYIGCTBL
Copy IGC Table
STRFMA
Start Font Management Aid
v Change operation
STRFMA
Start Font Management Aid
CHKIGCTBL
Check IGC Table
Operations for Job Description (*JOBD):
v Read operation
None
v Change operation
CHGJOBD
Change Job Description
DSPJOBD
Display Job Description
WRKJOBD
Work with Job Description
QWDRJOBD
Retrieve Job Description API
Batch job
When used to establish a job
Operations for Job Queue (*JOBQ):
v Read operation
None
v Change operation
Entry
When an entry is placed on or removed from the queue
CLRJOBQ
Clear Job Queue
HLDJOBQ
Hold Job Queue
RLSJOBQ
Release Job Queue
ADDJOBQE Subsystem Descriptions on page 191
Add Job Queue Entry
5. An audit record is written if object auditing is specified for the subsystem description (*SBSD).
470
Object Auditing
CHGJOB
Change Job from one JOBQ to another JOBQ
CHGJOBQE Subsystem Descriptions on page 191
Change Job Queue Entry
QSPRJOBQ
Retrieve job queue information
RMVJOBQE Subsystem Descriptions on page 191
Remove Job Queue Entry
TFRJOB
Transfer Job
TFRBCHJOB
Transfer Batch Job
WRKJOBQ
Work with Job Queue for a specific job queue
WRKJOBQ
Work with Job Queue for all job queues
Operations for Job Scheduler Object (*JOBSCD):
v Read operation
None
v Change operation
ADDJOBSCDE
Add Job Schedule Entry
CHGJOBSCDE
Change Job Schedule Entry
RMVJOBSCDE
Remove Job Schedule Entry
HLDJOBSCDE
Hold Job Schedule Entry
RLSJOBSCDE
Release Job Schedule Entry
Display
Display details of scheduled job entry
WRKJOBSCDE
Work with Job Schedule Entries
Work with ...
Work with previously submitted jobs from job schedule entry
QWCLSCDE
List job schedule entry API
Operations for Journal (*JRN):
v Read operation
CMPJRNIMG
Compare Journal Images
471
Object Auditing
DSPJRN
Display Journal Entry for user journals
QJORJIDI
Retrieve Journal Identifier (JID) Information
QjoRetrieveJournalEntries
Retrieve Journal Entries
RCVJRNE
Receive Journal Entry
RTVJRNE
Retrieve Journal Entry
v Change operation
ADDRMTJRN
Add Remote Journal
APYJRNCHG
Apply Journaled Changes
CHGJRN
Change Journal
CHGRMTJRN
Change Remote Journal
ENDJRNxxx
End Journaling
JRNAP
(S/38E) Start Journal Access Path
JRNPF
(S/38E) Start Journal Physical File
QjoAddRemoteJournal
Add Remote Journal API
QjoChangeJournalState
Change Journal State API
QjoEndJournal
End Journaling API
QjoRemoveRemoteJournal
Remove Remote Journal API
QJOSJRNE
Send Journal Entry API (user entries only via QJOSJRNE API)
QjoStartJournal
Start Journaling API
RMVJRNCHG
Remove Journaled Changes
RMVRMTJRN
Remove Remote Journal
SNDJRNE
Send Journal Entry (user entries only via SNDJRNE command)
STRJRNxxx
Start Journaling
472
Object Auditing
DSPJRN
Display Journal Entry for internal system journals, JRN(*INTSYSJRN)
DSPJRNA
(S/38E) Work with Journal Attributes
DSPJRNMNU
(S/38E) Work with Journal
QjoRetrieveJournalInformation
Retrieve Journal Information API
WRKJRN
Work with Journal (DSPJRNMNU in S/38 environment)
WRKJRNA
Work with Journal Attributes (DSPJRNA in S/38 environment)
Operations for Journal Receiver (*JRNRCV):
v Read operation
None
v Change operation
CHGJRN
Change Journal (when attaching new receivers)
DSPJRNRCVA
Display Journal Receiver Attributes
QjoRtvJrnReceiverInformation
Retrieve Journal Receiver Information API
WRKJRNRCV
Work with Journal Receiver
Operations for Library (*LIB):
v Read operation
DSPLIB
Display Library (when not empty. If library is empty, no audit is
performed.)
Locate When a library is accessed to find an object
Notes:
1. Several audit entries may be written for a library for a single
command. For example, when you open a file, a ZR audit journal
entry for the library is written when the system locates the file and
each member in the file.
2. No audit entry is written if the locate function is not successful. For
example, you run a command using a generic parameter, such as:
DSPOBJD OBJECT(AR*/*ALL) +
OBJTYPE(*FILE)
If a library whose name begins with AR does not have any file
names beginning with WRK, no audit record is written for that
library.
473
Object Auditing
v Change operation
Library list
Adding library to a library list
CHGLIB
Change Library
CLRLIB
Clear Library
MOVOBJ
Move Object
RNMOBJ
Rename Object
Add
Add object to library
Delete Delete object from library

None
Operations for Line Description (*LIND):
v Read operation
SAVCFG
Save Configuration
RUNLPDA
Run LPDA-2 operational commands
VFYCMN
Link test
VFYLNKLPDA
LPDA-2 link test
v Change operation
CHGLINxxx
Change Line Description
VRYCFG
Vary on/off line description
ANSLIN
Answer Line
Copy
Option 3 from WRKLIND
DSPLIND
Display Line Description
ENDLINRCY
End Line Recovery
RLSCMNDEV
Release Communications Device
RSMLINRCY
Resume Line Recovery
474
Object Auditing
RTVCFGSRC
Retrieve Source of line description
RTVCFGSTS
Retrieve line description status
WRKLIND
Work with Line Description
WRKCFGSTS
Work with line description status
Operations for Mail Services:
Note: Mail services actions are audited if the action auditing (QAUDLVL) system
value or the action auditing (AUDLVL) parameter in the user profile
includes *OFCSRV.
Change
Changes to the system distribution directory
On behalf
Working on behalf of another user
Note: Working on behalf of another user is audited if the AUDLVL in
the user profile or the QAUDLVL system value includes
*SECURITY.
Open
An audit record is written when the mail log is opened

Change
Change details of a mail item
Delete Delete a mail item
File
File a mail item into a document or folder

Note: When a mail item is filed, it becomes a document library object
(DLO). Object auditing can be specified for a DLO.
Forward
Forward a mail item
Print
Print a mail item

Note: Printing of mail items can be audited using the *SPLFDTA or
*PRTDTA audit level.
Receive
Receive a mail item
Reply Reply to a mail item
Send
Send a mail item
View
View a mail item
Operations for Menu (*MENU):

v Read operation
475
Object Auditing
Display
Displaying a menu through the GO MENU command or UIM dialog
command
v Change operation
CHGMNU
Change Menu
Return
Returning to a menu in the menu stack that has already been displayed
DSPMNUA
Display Menu Attributes
WRKMNU
Work with Menu
Operations for Mode Description (*MODD):
v Read operation
None
v Change operation
CHGMODD
Change Mode Description
CHGSSNMAX
Change session maximum
DSPMODD
Display Mode Description
ENDMOD
End Mode
STRMOD
Start Mode
WRKMODD
Work with Mode Descriptions
Operations for Module Object (*MODULE):
v Read operation
CRTPGM
An audit entry for each module object used during a CRTPGM.
CRTSRVPGM
An audit entry for each module object used during a CRTSRVPGM
UPDPGM
An audit entry for each module object used during an UPDPGM
UPDSRVPGM
An audit entry for each module object used during an UPDSRVPGM
v Change operation
CHGMOD
Change Module
476
Object Auditing
DSPMOD
Display Module
RTVBNDSRC
WRKMOD
Work with Module
Operations for Message File (*MSGF):
v Read operation
DSPMSGD
Display Message Description
MRGMSGF
Merge Message File from-file
Print
Print message description
RTVMSG
Retrieve information from a message file
QMHRTVM
Retrieve Message API
WRKMSGD
Work with Message Description
v Change operation
ADDMSGD
Add Message Description
CHGMSGD
Change Message Description
CHGMSGF
Change Message File
MRGMSGF
Merge Message File (to-file and replace MSGF)
RMVMSGD
Remove Message Description
OVRMSGF
Override Message File
WRKMSGF
Work with Message File
QMHRMFAT
Retrieve Message File Attributes API
Operations for Message Queue (*MSGQ):
v Read operation
QMHLSTM
List Nonprogram Messages API
QMHRMQAT
Retrieve Nonprogram Message Queue Attributes API
477
Object Auditing
DSPLOG
Display Log
DSPMSG
Display Message
Print
Print Messages
RCVMSG
Receive Message RMV(*NO)
QMHRCVM
Receive Nonprogram Messages API when message action is not
*REMOVE.
v Change operation
CHGMSGQ
Change Message Queue
CLRMSGQ
Clear Message Queue
RCVMSG
Receive Message RMV(*YES)
QMHRCVM
Receive Nonprogram Messages API when message action is *REMOVE.
RMVMSG
Remove Message
QMHRMVM
Remove Nonprogram Messages API
SNDxxxMSG
Send a Message to a message queue
QMHSNDBM
Send Break Message API
QMHSNDM
Send Nonprogram Message API
QMHSNDRM
Send Reply Message API
SNDRPY
Send Reply
WRKMSG
Work with Message
WRKMSGQ
Work with Message Queue
Program
Program message queue operations
Operations for Node Group (*NODGRP):
v Read operation
DSPNODGRP
Display Node Group
478
Object Auditing
v Change operation
CHGNODGRPA
Change Node Group
Operations for Node List (*NODL):
v Read operation
QFVLSTNL
List node list entries
v Change operation
ADDNODLE
Add Node List Entry
RMVNODLE
Remove Node List Entry
WRKNODL
Work with Node List
WRKNODLE
Work with Node List Entries
Operations for NetBIOS Description (*NTBD):
v Read operation
SAVCFG
Save Configuration
v Change operation
CHGNTBD
Change NetBIOS Description
Copy
Option 3 of WRKNTBD
DSPNTBD
Display NetBIOS Description
RTVCFGSRC
Retrieve Configuration Source of NetBIOS description
WRKNTBD
Work with NetBIOS Description
Operations for Network Interface (*NWID):
v Read operation
SAVCFG
Save Configuration
v Change operation
CHGNWIISDN
Change Network Interface Description
VRYCFG
Vary network interface description on or off
Copy
Option 3 of WRKNWID
479
Object Auditing
DSPNWID
Display Network Interface Description
ENDNWIRCY
End Network Interface Recovery
RSMNWIRCY
Resume Network Interface Recovery
RTVCFGSRC
Retrieve Source of Network Interface Description
RTVCFGSTS
Retrieve Status of Network Interface Description
WRKNWID
Work with Network Interface Description
WRKCFGSTS
Work with network interface description status
Operations for Network Server Description (*NWSD):
v Read operation
SAVCFG
Save Configuration
v Change operation
CHGNWSD
Change Network Server Description
VRYCFG
Vary Configuration
Copy
Option 3 of WRKNWSD
DSPNWSD
Display Network Server Description
RTVCFGSRC
Retrieve Configuration Source for *NWSD
RTVCFGSTS
Retrieve Configuration Status for *NWSD
WRKNWSD
Work with Network Server Description
Operations for Output Queue (*OUTQ):
v Read operation
STRPRTWTR
Start a Printer Writer to an OUTQ
STRRMTWTR
Start a Remote Writer to an OUTQ
v Change operation
Placement
When an entry is placed on or removed from the queue
CHGOUTQ
Change Output Queue
480
Object Auditing
CHGSPLFA 6
Change Spooled File Attributes, if moved to a different output queue
and either output queue is audited
CLROUTQ
Clear Output Queue
DLTSPLF 6
Delete Spooled File
HLDOUTQ
Hold Output Queue
RLSOUTQ
Release Output Queue
CHGSPLFA 6
Change Spooled File Attributes
CPYSPLF 6
Copy Spooled File
Create
Create a spooled file

DSPSPLF 6
Display Spooled File
HLDSPLF 6
Hold Spooled File
QSPROUTQ
Retrieve output queue information
RLSSPLF 6
Release Spooled File
SNDNETSPLF 6
Send Network Spooled File
WRKOUTQ
Work with Output Queue
WRKOUTQD
Work with Output Queue Description
WRKSPLF
Work with Spooled File
WRKSPLFA
Work with Spooled File Attributes
Operations for Overlay (*OVL):
v Read operation
Print Printing a spooled file that refers to the overlay
v Change operation
None
6. This is also audited if action auditing (QAUDLVL system value or AUDLVL user profile value) includes *SPLFDTA.
481
Object Auditing
WRKOVL
Work with overlay
Print
Referring to the overlay when creating a spooled file
Operations for Page Definition (*PAGDFN):

v Read operation
Print Printing a spooled file that refers to the page definition
v Change operation
None
WRKPAGDFN
Work with Page Definition
Print
Referring to the form definition when creating a spooled file
Operations for Page Segment (*PAGSEG):

v Read operation
Print Printing a spooled file that refers to the page segment
v Change operation
None
WRKPAGSEG
Work with Page Segment
Print
Referring to the page segment when creating a spooled file
Operations for Print Descriptor Group (*PDG):

v Read operation
When the page descriptor group is opened for read access by a
PrintManager API or CPI verb.
v Change operation
Open
When the page descriptor group is opened for change access by a

PrintManager* API or CPI verb.
Open
CHGPDGPRF
Change Print Descriptor Group Profile
WRKPDG
Work with Print Descriptor Group
Operations for Program (*PGM):
v Read operation
Activation
Program activation
Call
Call program that is not already activated
ADDPGM
Add program to debug
482
Object Auditing
QTEDBGS
Qte Register Debug View API
QTEDBGS
Qte Retrieve Module Views API
// RUN
Run program in S/36 environment
RTVCLSRC
Retrieve CL Source
STRDBG
Start Debug
v Create operation
CRTPGM
Create Program
UPDPGM
Update Program
v Change operation
CHGCSPPGM
Change CSP/AE Program
CHGPGM
Change Program
CHGS36PGMA
Change S/36 Program Attributes
EDTS36PGMA
Edit S/36 Program Attributes
WRKS36PGMA
Work with S/36 Program Attributes
ANZPGM
Analyze Program
DMPCLPGM
Dump CL Program
DSPCSPOBJ
Display CSP Object
DSPPGM
Display Program
PRTCMDUSG
Print Command Usage
PRTCSPAPP
Print CSP Application
PRTSQLINF
Print SQL Information
QBNLPGMI
List ILE Program Information API
QCLRPGMI
Retrieve Program Information API
483
Object Auditing
STRCSP
Start CSP Utilities
TRCCSP
Trace CSP Application
WRKOBJCSP
WRKPGM
Work with Program
Operations for Panel Group (*PNLGRP):
v Read operation
ADDSCHIDXE
Add Search Index Entry
QUIOPNDA
Open Panel Group for Display API
QUIOPNPA
Open Panel Group for Print API
QUHDSPH
Display Help API
v Change operation
None
WRKPNLGRP
Work with Panel Group
Operations for Product Availability (*PRDAVL):
v Change operation
WRKSPTPRD
Work with Supported Products, when support is added or removed
Read
No read operations are audited
Operations for Product Definition (*PRDDFN):

v Change operation
ADDPRDLICI
Add Product License Information
WRKSPTPRD
Work with Supported Products, when support is added or removed
Read
Operations for Product Load (*PRDLOD):

v Change operation
Change
Product load state, product load library list, product load folder list,
primary language
484
Object Auditing
Read
Operations for Query Manager Form (*QMFORM):

v Read operation
STRQMQRY
Start Query Management Query
RTVQMFORM
Retrieve Query Management Form
Run
Run a query
Export Export a Query Management form

Print
Print a Query Management form

Print a Query Management report using the form
Access the form using option 2, 5, 6, or 9 or function F13 from the

SQL/400 Query Manager menu.
v Change operation
Use
CRTQMFORM
Create Query Management Form
IMPORT
Import Query Management form
Save
Save the form using a menu option or a command
Copy Option 3 from the Work with Query Manager Forms function
Work with
When *QMFORMs are listed in a Work with display
Active Any form operation that is done against the active form.
Operations for Query Manager Query (*QMQRY):
v Read operation
RTVQMQRY
Retrieve Query Manager Query
Run
Run Query Manager Query
STRQMQRY
Start Query Manager Query
Export Export Query Manager query
Print
Print Query Manager query
Access the query using function F13 or option 2, 5, 6, or 9 from the

Work with Query Manager queries function
v Change operation
Use
CRTQMQRY
Create Query Management Query
Convert
Option 10 (Convert to SQL) from the Work with Query Manager Queries
function
485
Object Auditing
Copy
Option 3 from the Work with Query Manager Queries function
Save Save the query using a menu or command

Work with
When *QMQRYs are listed in a Work with display
Active Any query operation that is done against the active query.
Operations for Query Definition (*QRYDFN):
v Read operation
ANZQRY
Analyze Query
Change
Change a query using a prompt display presented by WRKQRY or QRY.
Display
Display a query using WRKQRY prompt display
Export Export form using Query Manager
Export Export query using Query Manager
Print
Print query definition using WRKQRY prompt display

Print Query Management form
Print Query Management query
Print Query Management report
QRYRUN
Run Query
RTVQMFORM
Retrieve Query Management Form
RTVQMQRY
Retrieve Query Management Query
Run
Run query using WRKQRY prompt display

Run (Query Management command)
RUNQRY
Run Query
STRQMQRY
Start Query Management Query
Submit
Submit a query (run request) to batch using WRKQRY prompt display
or Exit This Query prompt display
v Change operation
Change
Save a changed query using the Query/400 licensed program
Copy
Copy a query using option 3 on the Work with Queries display
Create Create a query using option 1 on the Work with Queries display
Delete Delete a query using option 4 on the Work with Queries display
486
Object Auditing
Run
Run a query using option 1 on the Exit this Query display when
creating or changing a query using the Query/400 licensed program;
Run a query interactively using PF5 while creating, displaying, or
changing a query using the Query/400 licensed program
DLTQRY
Delete a query
Operations for Reference Code Translate Table (*RCT):
v Read operation
None
v Change operation
None
None
Operations for Reply List:
Note: Reply list actions are audited if the action auditing (QAUDLVL) system
includes *SYSMGT.
ADDRPYLE
Add Reply List Entry
CHGRPYLE
Change Reply List Entry
RMVRPYLE
Remove Reply List Entry
WRKRPYLE
Work with Reply List Entry
None
Operations for Subsystem Description (*SBSD):
v Read operation
ENDSBS
End Subsystem
STRSBS
Start Subsystem
v Change operation
ADDAJE
Add Autostart Job Entry
ADDCMNE
Add Communications Entry
ADDJOBQE
Add Job Queue Entry
ADDPJE
Add Prestart Job Entry
487
Object Auditing
ADDRTGE
Add Routing Entry
ADDWSE
Add Workstation Entry
CHGAJE
Change Autostart Job Entry
CHGCMNE
Change Communications Entry
CHGJOBQE
Change Job Queue Entry
CHGPJE
Change Prestart Job Entry
CHGRTGE
Change Routing Entry
CHGSBSD
Change Subsystem Description
CHGWSE
Change Workstation Entry
RMVAJE
Remove Autostart Job Entry
RMVCMNE
Remove Communications Entry
RMVJOBQE
Remove Job Queue Entry
RMVPJE
Remove Prestart Job Entry
RMVRTGE
Remove Routing Entry
RMVWSE
Remove Workstation Entry
DSPSBSD
Display Subsystem Description
QWCLASBS
List Active Subsystem API
QWDLSJBQ
List Subsystem Job Queue API
QWDRSBSD
Retrieve Subsystem Description API
WRKSBSD
Work with Subsystem Description
WRKSBS
Work with Subsystem
WRKSBSJOB
Work with Subsystem Job
488
Object Auditing
Operations for Information Search Index (*SCHIDX):
v Read operation
STRSCHIDX
Start Index Search
WRKSCHIDXE
Work with Search Index Entry
v Change operation (audited if OBJAUD is *CHANGE or *ALL)
ADDSCHIDXE
Add Search Index Entry
CHGSCHIDX
Change Search Index
RMVSCHIDXE
Remove Search Index Entry
WRKSCHIDX
Work with Search Index
Operations for Local Socket (*SOCKET):
v Read operation
connect
Bind a permanent destination to a socket and establish a connection.
DSPLNK
Display Links
givedescriptor
Qp0lGetPathFromFileID
Get Path Name of Object from File ID API
Qp0lRenameKeep
Rename File or Directory, Keep New API
Qp0lRenameUnlink
Rename File or Directory, Unlink New API
sendmsg
Send a datagram in connectionless mode. Can use multiple buffers.
sendto
Send a datagram in connectionless mode.
WRKLNK
Work with Links
v Change operation
ADDLNK
Add Link
bind
Establish a local address for a socket.
CHGAUD
Change Auditing
CHGAUT
Change Authority
489
Object Auditing
CHGOWN
Change Owner
CHGPGP
CHKIN
Check In
CHKOUT
Check Out
chmod
Change File Authorizations API
chown
Change Owner and Group API
givedescriptor
link
Create Link to File API
Qp0lRenameKeep
Rename File or Directory, Keep New API
Qp0lRenameUnlink
Rename File or Directory, Unlink New API
RMVLNK
Remove Link
RNM
Rename
RST
Restore
unlink
Remove Link to File API
utime Set File Access and Modifcation Times API
WRKAUT
Work with Authority
WRKLNK
Work with Links
v Operations that are not audited:
close
Close File API
DSPAUT
Display Authority
dup
dup2
fcntl
fstat
Get File Information by Descriptor API
fsync
Synchronize Changes to File API
ioctl
lstat
Get File or Link Information API
pathconf
Get Configurable Path Name Variables API
490
Object Auditing
read
Read from File API
readv
Read from File (Vector) API
select
stat
Get File Information API
takedescriptor
write
Write to File API
writev Write to File (Vector) API

Operations for Spelling Aid Dictionary (*SPADCT):
v Read operation
Verify Spell verify function
Aid
Spell aid function
Hyphenation
Hyphenation function
Dehyphenation
Dehyphenation function
Synonyms
Synonym function
Base
Using dictionary as base when creating another dictionary
Verify Using as verify dictionary when creating another dictionary

Retrieve
Retrieve Stop Word List Source
Print Print Stop Word List Source
v Change operation
CRTSPADCT
Create Spelling Aid Dictionary with REPLACE(*YES)
None
Operations for Spooled Files:
Note: Spooled file actions are audited if the action auditing (QAUDLVL) system
includes *SPLFDTA.
Access
Each access by any user that is not the owner of the spooled file,
including:
CPYSPLF
DSPSPLF
SNDNETSPLF
SNDTCPSPLF
STRRMTWTR
491
Object Auditing
QSPOPNSP API
Change
Changing any of the following spooled file attributes:
COPIES
DEV
FORMTYPE
RESTART
PAGERANGE
Create Creating a spooled file using print operations
Creating a spooled file using the QSPCRTSP API
Delete Deleting a spooled file using any of the following:
Printing a spooled file by a printer or diskette writer
Clearing the output queue (CLROUTQ)
Deleting the spooled file using the DLTSPLF command or the delete
option from a spooled files display
Deleting spooled files when a job ends (ENDJOB SPLFILE(*YES))
Deleting spooled files when a print job ends (ENDPJ SPLFILE(*YES))
Sending a spooled file to a remote system by a remote writer
Hold
Holding a spooled file by any of the following:

Using the HLDSPLF command
Using the hold option from a spooled files display
Printing a spooled file that specifies SAVE(*YES)
Sending a spooled file to a remote system by a remote writer when
the spooled file specifies SAVE(*YES)
Having a writer hold a spooled file after an error occurs when
processing the spooled file
Read
Reading a spooled file by a printer or diskette writer
Release
Releasing a spooled file
Operations for SQL Package (*SQLPKG):
v Read operation
Run
When *SQLPKG object is run
v Change operation
None
PRTSQLINF
Operations for Service Program (*SRVPGM):
v Read operation
CRTPGM
An audit entry for each service program used during a CRTPGM
command
492
Object Auditing
CRTSRVPGM
An audit entry for each service program used during a CRTSRVPGM
command
QTEDBGS
Register Debug View API
QTEDBGS
Retrieve Module Views API
|
|
RTVBNDSRC
UPDPGM
An audit entry for each service program used during a UPDPGM
command.
UPDSRVPGM
An audit entry for each service program used during a UPDSRVPGM
command.
v Create operation
CRTSRVPGM
Create Service Program
UPDSRVPGM
Update Service Program
v Change operation
CHGSRVPGM
Change Service Program
DSPSRVPGM
Display Service Program
PRTSQLINF
QBNLSPGM
List Service Program Information API
QBNRSPGM
Retrieve Service Program Information API
WRKSRVPGM
Work with Service Program
Operations for Session Description (*SSND):
v No Read or Change operations are audited for the *SSND object type.
Operations for Server Storage Space (*SVRSTG):
v No Read or Change operations are audited for the *SVRSTG object type.
Operations for Stream File (*STMF):
v Read operation
CPY
Copy
DSPLNK
Display Links
493
Object Auditing
givedescriptor
MOV Move
Open File APIs
|
|
SAV
Save
WRKLNK
Work with Links
v Change operation
ADDLNK
Add Link
CHGAUD
Change Auditing
CHGAUT
Change Authority
CHGOWN
Change Owner
CHGPGP
CHKIN
Check In
CHKOUT
Check Out
chmod, QlgChmod
Change File Authorizations APIs
|
|
chown, QlgChown
Change Owner and Group APIs
CPY
Copy
creat, creat64, QlgCreat, QlgCreat64

Create New File or Rewrite Existing File APIs
|
|
fchmod
Change File Authorizations by Descriptor API
fchown
Change Owner and Group of File by Descriptor API
givedescriptor
link
Create Link to File API
MOV Move
|
|

When opened for write APIs
|
|
Qp0lGetPathFromFileID, QlgGetPathFromFileID
Get Path Name of Object from File ID APIs
|
|
494
Object Auditing
|
|
RMVLNK
Remove Link
RNM
Rename
RST
Restore
|
|
unlink, QlgUnlink
Remove Link to File APIs
|
|
utime, QlgUtime
Set File Access and Modifcation Times APIs
WRKAUT
Work with Authority
WRKLNK
Work with Links
close
Close File API
DSPAUT
Display Authority
|
|
dup
dup2
faccessx
Determine file accessibility
fcntl
fpathconf
Get Configurable Path Name Variables by Descriptor API
|
|
fstat, fstat64
Get File Information by Descriptor APIs
fsync
|
|
Synchronize Changes to File API
ftruncate, ftruncate64
Truncate File APIs
ioctl
|
|
lseek, lseek64
Set File Read/Write Offset APIs
|
|
lstat, lstat64
Get File or Link Information APIs
|
|
pathconf, QlgPathconf
Get Configurable Path Name Variables APIs
|
|
pread, pread64
Read from Descriptor with Offset APIs
|
|
pwrite, pwrite64
Write to Descriptor with Offset APIs
read
Read from File API
readv
Read from File (Vector) API

495
Object Auditing
select
stat, stat64, QlgStat, QlgStat64

Get File Information APIs
|
|
takedescriptor
write
Write to File API
writev Write to File (Vector) API

Operations for Symbolic Link (*SYMLNK):
v Read operation
CPY
Copy
DSPLNK
Display Links
MOV Move
readlink
Read Value of Symbolic Link API
SAV
Save
WRKLNK
Work with Links
v Change operation
CHGOWN
Change Owner
CHGPGP
CPY
Copy
MOV Move
|
|
|
|
RMVLNK
Remove Link
RNM
Rename
RST
Restore
|
|
symlink, QlgSymlink
Make Symbolic Link APIs
|
|
unlink, QlgUnlink
Remove Link to File APIs
WRKLNK
Work with Links
lstat, lstat64, QlgLstat, QlgLstat64
Link Status APIs
|
|
496
Object Auditing
Operations for S/36 Machine Description (*S36):
v Read operation
None
v Change operation
CHGS36
Change S/36 configuration
CHGS36A
Change S/36 configuration attributes
SET SET procedure
CRTDEVXXX
When a device is added to the configuration table
DLTDEVD
When a device is deleted from the configuration table
RNMOBJ
Rename device description
DSPS36
Display S/36 configuration
RTVS36A
Retrieve S/36 Configuration Attributes
STRS36
Start S/36
ENDS36
End S/36
Operations for Table (*TBL):
v Read operation
QDCXLATE
Translate character string
QTBXLATE
Translate character string
QLGRTVSS
Retrieve sort sequence table
CRTLF
Translation Table during CRTLF command
Read
Use of Sort Sequence Table when running any command that can specify
a sort sequence
v Change operation
None
WRKTBL
Work with table
Operations for User Index (*USRIDX):
v Read operation
497
Object Auditing
QUSRTVUI
Retrieve user index entries API
v Change operation
QUSADDUI
Add User Index Entries API
QUSRMVUI
Remove User Index Entries API
Access
Direct access to a user index using MI instructions (only allowed for a
user domain user index in a library specified in the QALWUSRDMN
system value.
QUSRUIAT
Retrieve User Index Attributes API
Operations for User Profile (*USRPRF):
v Read operation
None
v Change operation
CHGPRF
Change Profile
CHGPWD
Change Password
CHGUSRPRF
Change User Profile
CHKPWD
Check Password
DLTUSRPRF
Delete User Profile
GRTUSRAUT
Grant User Authority (to-user-profile)
QSYCHGPW
Change Password API
RSTUSRPRF
Restore User Profile
DSPPGMADP
Display Programs that Adopt
DSPUSRPRF
Display User Profile
GRTUSRAUT
Grant User Authority (from-user-profile)
PRTPRFINT
Print Profile Internals
PRTUSRPRF
Print User Profile
498
Object Auditing
QSYCUSRS
Check User Special Authorities API
QSYLOBJA
List Authorized Objects API
QSYLOBJP
List Objects That Adopt API
QSYRUSRI
Retrieve User Information API
RTVUSRPRF
WRKOBJOWN
Work with Owned Objects
WRKUSRPRF
Operations for User Queue (*USRQ):
v No Read or Change operations are audited for the *USRQ object type.
Access
Direct access to user queues using MI instructions (only allowed for a
user domain user queue in a library specified in the QALWUSRDMN
system value.
Operations for User Space (*USRSPC):
v Read operation
QUSRTVUS
Retrieve User Space API
v Change operation
QUSCHGUS
Change User Space API
QUSCUSAT
Change User Space Attributes API
Access
Direct access to user space using MI instructions (only allowed for user
domain user spaces in libraries specified in the QALWUSRDMN system
value.
QUSRUSAT
Retrieve User Space Attributes API
Operations for Validation List (*VLDL):
v Read operation
QSYFDVLE
Find Validation List Entry API
v Change operation
QSYADVLE
Add Validation List Entry API
499
Object Auditing
QSYCHVLE
Change Validation List Entry API
QSYRMVLE
Remove Validation List Entry API
Access
Direct access to user space using MI instructions (only allowed for user
domain user spaces in libraries specified in the QALWUSRDMN system
value.)
QUSRUSAT
Retrieve User Space Attributes API
Operations for Workstation Customizing Object (*WSCST):
v Read operation
Vary
When a customized device is varied on
RTVWSCST
Retrieve Workstation Customizing Object Source (only when
*TRANSFORM is specified for the device type)
SNDTCPSPLF
Send TCP/IP Spooled File (only when TRANSFORM(*YES) is specified)
STRPRTWTR
Start Printer Writer (only for spooled files that are printed to a
customized printer using the host print transform function)
STRRMTWTR
Start Remote Writer (only when output queue is configured with
CNNTYPE(*IP) and TRANSFORM(*YES))
When output is printed directly (not spooled) to a customized printer
using the host print transform function
v Change operation
Print
None
None
500
Appendix F. Layout of Audit Journal Entries

This appendix contains layout information for all entry types with journal code T
in the audit (QAUDJRN) journal. These entries are controlled by the action and
object auditing you define. The system writes additional entries to the audit
journal for such events as a system IPL or saving the journal receiver. The layouts
for these entry types can be found in the Backup and Recovery book.
Table 143 on page 504 contains the layout for fields that are common to all entry
types when OUTFILFMT(*TYPE2) is specified on the DSPJRN command. This
layout, which is called QJORDJE2, is defined in the QADSPJR2 file in the QSYS
library.
Note: TYPE2 and *TYPE 4 output formats are no longer updated; therefore, IBM
recommends that you stop using *TYPE2 and *TYPE4 formats and use only
*TYPE5 formats.
|
|
|
Table 142 on page 503 contains the layout for fields that are common to all entry
types when OUTFILFMT(*TYPE4) is specified on the DSPJRN command. This
layout, which is called QJORDJE4, is defined in the QADSPJR4 file in the QSYS
library. The *TYPE4 output includes all of the *TYPE2 information, plus
information about journal identifiers, triggers, and referential constraints.
Table 145 on page 506 through Table 217 on page 596 contain layouts for the model
database outfiles provided to define entry-specific data. You can use the
CRTDUPOBJ command to create any empty output file with the same layout as
one of the model database outfiles. You can use the DSPJRN command to copy
selected entries from the audit journal to the output file for analysis. Analyzing
Audit Journal Entries with Query or a Program on page 274 provides examples of
using the model database outfiles. See also the Journal Entry Information Appendix
in the Backup and Recovery book for detailed descriptions for these fields.
Table 141 contains the layout for fields that are common to all entry types when
OUTFILFMT(*TYPE5) is specified on the DSPJRN command. This layout, which is
called QJORDJE5, is defined in the QADSPJR5 file in the QSYS library. The *TYPE5
output includes all of the *TYPE4 information, plus information about the program
library, program ASP device name, program ASP device number, receiver, receiver
library, receiver ASP device name, receiver ASP device number, arm number,
thread id, address family, remote port, and remote address.
|
|
|
|
|
|
|
Table 141. Standard Heading Fields for Audit Journal Entries. QJORDJE5 Record Format (*TYPE5)
Offset
Field
Format
Description
1
6
Length of Entry
Sequence
Number
Journal Code
Entry Type
Timestamp of
Entry
Name of Job
User Name
Job Number
Zoned(5,0)
Char(20)
Char(1)
Char(2)
Char(26)
Total length of the journal entry including the entry length field.
Applied to each journal entry. Initially set to 1 for each new or restored
journal. Optionally, reset to 1 when a new receiver is attached.
Always T.
See Table 144 on page 504 for a list of entry types and descriptions.
Date and time that the entry was made in SAA timestamp format.
Char(10)
Char(10)
Zoned(6,0)
The name of the job that caused the entry to be generated.

The user profile name associated with the job1.
The job number.
26
27
29
55
65
75
501
Audit Journal Entries

Table 141. Standard Heading Fields for Audit Journal Entries (continued). QJORDJE5 Record Format (*TYPE5)
Offset
Field
Format
Description
81
Program Name
Char(10)
The name of the program that made the journal entry. This can also be
the name of a service program or the partial name of a class file used in
a compiled Java program. If an application program or CL program did
not cause the entry, the field contains the name of a system-supplied
program such as QCMD. The field has the value *NONE if one of the
following is true:
v The program name does not apply to this entry type.
91
Program library
101
Program ASP
Char(10)
device
Program ASP
Zoned(5,0)
number
Name of object
Char(10)
Objects Library
Char(10)
Member Name
Char(10)
Count/RRN
Char(20)
Flag
Char(1)
Commit Cycle
Char(20)
identifier
User Profile
Char(10)
System Name
Char(8)
Journal identifier Char(10)
Referential
Char(1)
Constraint
Trigger
Char(1)
Incomplete Data Char(1)
Ignored by
Char(1)
APY/RMVJRNCHG
Minimized ESD
Char(1)
Object indicator
Char(1)
System sequence Char(20)
Receiver
Char(10)
Receiver library
Char(10)
Receiver ASP
Char(10)
device
Receiver ASP
Zoned(5,0)
number
Arm number
Zoned(5,0)
Thread identifier Hex(8)
Thread identifier Char(16)
hex
Address family
Char(1)
Remote port
Zoned(5,0)
Remote address
Char(46)
Logical unit of
Char(39)
work
Transaction ID
Char(140)
Reserved
Char(20)
Null value
Char(50)
indicators
111
116
126
136
146
166
167
187
197
205
215
216
217
218
219
220
221
241
251
261
271
276
281
289
305
306
311
357
396
536
556
502
Char(10)
v The program name was not available.

Name of the library that contains the program that added the journal
entry.
Name of ASP device that contains the program that added the journal
entry.
Number of the ASP that contains the program that added the journal
entry.
Used for journaled objects. Not used for audit journal entries.
The name of the current user profile1.
The name of the system.
Used for file journaling. Not used for audit journal entries.
A number assigned by the system to each journal entry.
The name of the receiver holding the journal entry.
The name of the library containing the receiver holding the journal entry.
Name of ASP device that contains the receiver.
Number of the ASP that contains the receiver holding the journal entry.
The number of the disk arm that contains the journal entry.
Identifies the thread within the process that added the journal entry.
Displayable hex version of the thread identifier.
The format of the remote address for this journal entry.
The port number of the remote address associated with the journal entry.
The remote address associated with the journal entry.

Table 141. Standard Heading Fields for Audit Journal Entries (continued). QJORDJE5 Record Format (*TYPE5)
Offset
Field
Format
Description
606
|
|
|
|
|
Entry specific
Binary(5)
Length of the entry specific data.
data length
Note: The three fields beginning at offset 55 make up the system job name. In most cases, the User name field at
offset 65 and the User profile name field at offset 187 have the same value. For prestarted jobs, the User profile name
field contains the name of the user starting the transaction. For some jobs, both these fields contain QSYS as the user
name. The User profile name field in the entry-specific data contains the actual user who caused the entry. If an API
is used to swap user profiles, the User profile name field contains the name of the new (swapped) user profile.
Offset
Field
Format
Description
1
6
Length of Entry
Sequence
Number
Journal Code
Entry Type
Timestamp of
Entry
Name of Job
User Name
Job Number
Program Name
Zoned(5,0)
Zoned(10,0)
Always T.
See Table 144 on page 504 for a list of entry types and descriptions.
Date and time that the entry was made in SAA timestamp format.
16
17
19
45
55
65
71
Char(1)
Char(2)
Char(26)
Char(10)
Char(10)
Zoned(6,0)
Char(10)

The job number.
following is true:
81
91
101
111
121
122
132
142
150
160
161
162
170
220
Object Name
Library Name
Member Name
Count/RRN
Flag
Commit Cycle ID
User Profile
System Name
Reserved
Referential
Constraint
Trigger
(Reserved Area)
Null Value
Indicators
Entry Specific
Data Length
Char(10)
Char(10)
Char(10)
Zoned(10)
Char(1)
Zoned(10)
Char(10)
Char(8)
Char(10)
Char(1)

Char(1)
Char(8)
Char(50)
Binary (4)
Length of the entry specific data.
Note: The three fields beginning at offset 45 make up the system job name. In most cases, the User name
field at offset 55 and the User profile name field at offset 132 have the same value. For prestarted jobs, the
User profile name field contains the name of the user starting the transaction. For some jobs, both these
fields contain QSYS as the user name. The User profile name field in the entry-specific data contains the
actual user who caused the entry. If an API is used to swap user profiles, the User profile name field
contains the name of the new (swapped) user profile.
503

Offset
Field
Format
Description
1
6
Length of Entry
Sequence
Number
Journal Code
Entry Type
Timestamp
Time of entry
Name of Job
User Name
Job Number
Program Name
Zoned(5,0)
Zoned(10,0)
Always T.
See Table 144 for a list of entry types and descriptions.
The system date that the entry was made.
The system time that the entry was made.
The job number.
following is true:
16
17
19
25
31
41
51
57
Char(1)
Char(2)
Char(6)
Zoned(6,0)
Char(10)
Char(10)
Zoned(6,0)
Char(10)

67
77
87
97
107
108
118
128
136
1
Object Name
Library Name
Member Name
Count/RRN
Flag
Commit Cycle ID
User Profile
System Name
(Reserved Area)
Char(10)
Char(10)
Char(10)
Zoned(10)
Char(1)
Zoned(10)
Char(10)
Char(8)
Char(20)

Used for journaled objects. Not used for
Entry
Type
Description
AD
AF
AP
AU
CA
CD
CO
CP
CQ
CU
CV
CY
DI
DO
Auditing changes
Authority failure
Obtaining adopted authority
Attribute changes
Authority changes
Command string audit
Create object
User profile changed, created, or restored
Change of *CRQD object
Cluster Operations
Connection verification
Cryptographic Configuration
Directory Services
Delete object
504
journal
journal
journal
journal
journal
journal
entries.
entries.
entries.
entries.
entries.
entries.
The three fields beginning at offset 31 make up the system job name. In most cases, the User name field at
offset 41 and the User profile name field at offset 118 have the same value. For prestarted jobs, the User profile
name field contains the name of the user starting the transaction. For some jobs, both these fields contain
QSYS as the user name. The User profile name field in the entry-specific data contains the actual user who
caused the entry. If an API is used to swap user profiles, the User profile name field contains the name of the
new (swapped) user profile.
Table 144. Audit Journal (QAUDJRN) Entry Types.
audit
audit
audit
audit
audit
audit

Table 144. Audit Journal (QAUDJRN) Entry Types. (continued)
Entry
Type
Description
DS
EV
GR
GS
IP
IR
IS
JD
JS
KF
LD
ML
NA
ND
NE
OM
OR
OW
O1
O2
O3
PA
PG
PO
PS
PW
RA
RJ
RO
RP
RQ
RU
RZ
SD
SE
SF
SG
SK
SM
SO
ST
SV
VA
VC
VF
VL
VN
VO
VP
VR
VS
DST security password reset

System environment variables
Generic record
Socket description was given to another job
Interprocess Communication
IP Rules Actions
Internet security management
Change to user parameter of a job description
Actions that affect jobs
Key ring file
Link, unlink, or look up directory entry
Office services mail actions
Network attribute changed
APPN directory search filter violation
APPN end point filter violation
Object move or rename
Object restore
Object ownership changed
(Optical Access) Single File or Directory
(Optical Access) Dual File or Directory
(Optical Access) Volume
Program changed to adopt authority
Change of an objects primary group
Printed output
Profile swap
Invalid password
Authority change during restore
Restoring job description with user profile specified
Change of object owner during restore
Restoring adopted authority program
Restoring a *CRQD object
Restoring user profile authority
Changing a primary group during restore
Changes to system distribution directory
Subsystem routing entry changed
Actions to spooled files
Asynchronous Signals
Secure sockets connections
System management changes
Server security user information actions
Use of service tools
System value changed
Changing an access control list
Starting or ending a connection
Closing server files
Account limit exceeded
Logging on and off the network
Validation list actions
Network password error
Network resource access
Starting or ending a server session
505

Table 144. Audit Journal (QAUDJRN) Entry Types. (continued)
Entry
Type
Description
VU
VV
X0
YC
YR
ZC
ZM
ZR
Changing a network profile

Changing service status
Network Authentication
DLO object accessed (change)
DLO object accessed (read)
Object accessed (change)
SOM method access
Object accessed (read)
| Table 145. AD (Auditing Change) Journal Entries. QASYADJE/J4/J5 Field Description File
|
Offset
JE
J4
J5
|
|
|
|
|
156
224
610
Field
Format
Heading fields common to all entry types. See

Table 141 on page 501,Table 142 on page 503, and
Table 143 on page 504 for field listing.
Entry Type
Char(1)
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
157
225
611
Object Name
Char(10)
167
177
185
235
245
253
621
631
639
Char(10)
Char(8)
Char(10)
195
263
649
196
264
650
197
265
651
198
266
652
199
267
653
200
268
654
201
269
655
202
270
656
203
271
657
204
272
658
205
273
659
206
274
660
Library Name
Object Type
Object Audit
Value
CHGUSRAUD
*CMD
CHGUSRAUD
*CREATE
CHGUSRAUD
*DELETE
CHGUSRAUD
*JOBDTA
CHGUSRAUD
*OBJMGT
CHGUSRAUD
*OFCSRV
CHGUSRAUD
*PGMADP
CHGUSRAUD
*SAVRST
CHGUSRAUD
*SECURITY
CHGUSRAUD
*SERVICE
CHGUSRAUD
*SPLFDTA
CHGUSRAUD
*SYSMGT
506
Description
Char(1)
Char(1)
Char(1)
Char(1)
Char(1)
Char(1)
Char(1)
Char(1)
Char(1)
Char(1)
Char(1)
Char(1)
CHGDLOAUD command
CHGOBJAUD command
U
CHGUSRAUD command
Name of the object for which auditing was
changed.
Name of the library for the object.
The type of object.
The new value specified on the CHGOBJAUD
command.
Y = Audit commands for this user.
Y = Write an audit record when this user
an object.
an object.
changes a job.
or renames an object.
performs office functions.
authority through adopted authority.
or restores objects.
performs security-relevant actions.
performs service functions.
manipulates spooled files.
system management changes.
creates
deletes
moves
obtains
saves
makes

| Table 145. AD (Auditing Change) Journal Entries (continued). QASYADJE/J4/J5 Field Description File
|
Offset
JE
J4
J5
Field
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
207
275
661
208
276
662
227
295
681
CHGUSRAUD Char (1)

*OPTICAL
(Reserved
Char(19)
Area)
DLO Name
Char(12)
239
307
693
247
310
315
701
378
764
396
782
330
398
784
334
402
788
336
404
790
339
407
793
342
410
796
358
426
812
374
442
954
970
980
985
828
1340
1356
1366
1371
989
1375
991
1377
994
1380
996
1382
|
|
|
|
|
|
|
(Reserved
Area)
Folder Path
(Reserved
Area)
(Reserved
Area)
Object Name
Length 1
Object Name
CCSID1
Object Name
Country or
Region ID1
Object Name
Language ID1
(Reserved
area)
Parent File
ID1,2
Object File
ID1,2
Object Name1
Object File ID
ASP Name5
ASP Number5
Path Name
CCSID
Path Name
Country or
Region ID
Path Name
Language ID
Path Name
Length
Path Name
Indicator
Format
Description
accesses optical devices.
Name of the DLO object for which auditing was

changed.
Char(8)
Char(63)
Char(20)
Path of the folder.
Char(18)
Binary(4)
The length of the object name.
Binary(5)
Char(2)
The coded character set identifier for the object

name.
The Country or Region ID for the object name.
Char(3)
The language ID for the object name.
Char(3)
Char(16)
The file ID of the parent directory.
Char(16)
The file ID of the object.
Char(512)
Char(16)
Char(10)
Char(5)
Binary(5)
The name of the object.

The name of the ASP device.
The number of the ASP device.
The coded character set identifier for the
absolute path name.
The Country or Region ID for the absolute path
name.
Char(2)
Char(3)
The language ID for the absolute path name.
Binary(4)
The length of the absolute path name.
Char(1)
The absolute path name indicator:

Y
The Absolute Path Name field contains

an absolute path name for the object.
Char(16)
The Absolute Path Name field does not

contain an absolute path name for the
object.
The relative file ID of the absolute path name.
Char(5002)
The absolute path name of the object.
997
1383
1013
1399
Relative File
ID3
Absolute Path
Name4
507

| Table 145. AD (Auditing Change) Journal Entries (continued). QASYADJE/J4/J5 Field Description File
|
Offset
JE
These fields are used only for objects in the QOpenSys, "root" file systems, and user-defined file systems.
An ID that has the left-most bit set and the rest of the bits zero indicates that the ID is NOT set.
|
|
When the absolute path name indicator (offset 996) is N, this field will contain the relative field ID of the
path name. When the absolute path name indicator is Y, this field will contain 16 bytes of hex zeroes.
This is a variable length field. The first two bytes contain the length of the path name.
|
|
|
If the object is in a library, this is the ASP information of the objects library. If the object is not in a library,
this is the ASP information of the object.
J4
J5
Field
Format
Description
| Table 146. AF (Authority Failure) Journal Entries. QASYAFJE/J4/J5 Field Description File
|
Offset
| JE
J4
J5
| 1
|
|
508
Field
Format
Description

| Table 146. AF (Authority Failure) Journal Entries (continued). QASYAFJE/J4/J5 Field Description File
|
Offset
| JE
J4
J5
Field
| 156
|
224
610
Violation Type1 Char(1)
Format
Description
A
Not authorized to object
Restricted instruction
Validation failure (see offset 185)
|
|
Use of unsupported interface, object

domain failure
|
|
Hardware storage protection error,

program constant space violation
ICAPI authorization error
ICAPI authentication error
I7
System Java inheritance not allowed
Submit job profile error
Profile token not a regenerable token
Optical Object Authority Failure
Profile swap error
Hardware protection error
Default sign-on attempt
Not authorized to TCP/IP port
User permission request not valid
|
|
Profile token not valid for generating

new profile token
Profile token not valid for swap
|
|
System violation see offset 337 for

violation codes
|
|
Not authorized to the current JUID field

during a clear JUID operation.
|
|
| 157
|
| 167
| 177
Z
225
611
Object Name
1,
Char(10)
Not authorized to the current JUID field

during a set JUID operation.
Char(10)
Char(8)
The name of the library the object is in.

The type of object.
235
245
621
631
Library Name
Object Type
509

|
Offset
JE
J4
J5
Field
Format
Description
|
|
185
253
639
Validation
Error Action
Char(1)
Action taken after validation error detected, set

only if the violation type (offset 156) is C.
|
|
|
|
|
|
|
|
|
The translation of the object was not

attempted or it failed. The
QALWOBJRST system value setting
allowed the object to be restored. The
user doing the restore did not have
*ALLOBJ special authority and the
system security level is set to 10, 20, or
30. Therefore, all authorities to the object
were retained.
|
|
|
|
|
|
|
|
|

user doing the restore did not have
*ALLOBJ special authority and the
system security level is set to 40 or
above. Therefore, all authorities to the
object were revoked.
|
|
|
The translation of the object was

successful. The translated copy was
restored on the system.
|
|
|
|
|
|
|

user doing the restore had *ALLOBJ
special authority. Therefore, all
authorities to the object were retained.
System install time error detected.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Zoned(7,0)
The object was not restored because the

signature is not OS/400 format.
The name of the job.
The job user name.
The job number.
The name of the program.
The name of the library where the program is
found.
The name of the user that caused the authority
failure.
The name of the work station or work station
type.
The instruction number of the program.
Char(10)
The name of the field.
186
196
206
212
222
254
264
274
280
290
640
650
660
666
676
232
300
686
242
310
696
252
320
706
259
327
713
510
Job Name
User Name
Job Number
Program Name
Program
Library
User Profile 2
Work Station
Name
Program
Instruction
Number
Field name
Char(10)
Char(10)
Zoned(6,0)
Char(10)
Char(10)
Char(10)
Char(10)

|
Offset
| JE
J4
J5
Field
| 269
|
337
723
Operation
Char(3)
Violation Code
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Format
Description
The type of operation violation that occurred, set
only if the violation type (offset 224) is X.
Service tool user profile not authorized
to perform hardware configuration
operation (QYHCHCOP).
The name of the office user.
The name of the document library object.
HCA
272
282
294
340
350
362
726
736
748
302
365
370
433
756
819
375
443
829
461
847
395
463
849
399
467
853
401
469
855
404
472
858
407
475
861
423
491
877
439
507
1019
1035
1045
1050
893
1405
1421
1431
1436
1054
1440
1056
1442
1059
1445
1061
1447
Office User
DLO Name
(Reserved
Area)
Folder Path
Office on
Behalf of User
(Reserved
Area)
(Reserved
Area)
Object Name
Length3
Object Name
CCSID3
Object Name
Country or
Region ID3
Object Name
Language ID3
(Reserved
area)
Parent File
ID3,4
Object File
ID3,4
Object Name3,6
Object File ID
ASP Name10
ASP Number10
Path Name
CCSID
Path Name
Country or
Region ID
Path Name
Language ID
Path Name
Length
Path Name
Indicator
Char(10)
Char(12)
Char(8)
Char(63)
Char(10)
The path of the folder.

User working on behalf of another user.
Char(20)
Char(18)
Binary(4)
Binary(5)
Char(2)

name.
Char(3)
Char(3)
Char(16)
Char(16)
Char(512)
Char(16)
Char(10)
Char(5)
Binary(5)

The coded character set identifier for the absolute
path name.
name.
Char(2)
Char(3)
The language ID for the the absolute path name.
Binary(4)
Char(1)

Y


object.
511

|
|
Offset
JE
|
|
|
|
|
|
|
|
J4
J5
Field
Format
Description
1062
1448
Char(16)
1078
1464
Relative File
ID8
Absolute Path
Name9
ASP program
library name
ASP program
library number
Char(5002)
Char(10)
ASP name for program library
Char(5)
ASP number for program library
6466
6476
|
|
|
When the violation type is for description G, the object name contains the name of the *SRVPGM that
contained the exit that detected the error. For more information about the violation types, see Table 117 on
page 255.
|
|
|
|
This field contains the name of the user that caused the entry. QSYS may be the user for the following:
|
|
These fields are used only for objects in the QOpenSys file system, the "root" file system, user-defined file
systems, and QFileSvr.400.
|
|
When the violation type is T, the object name contains the TCP/IP port the user is not authorized to use.
The value is left justified and blank filled. The object library and object type fields will be blank.
|
|
When the violation type is O, the optical object name is contained in the IFS object name field. The Country
or Region ID, language ID, parent file ID, and object file ID fields will all contain blanks.
|
|
The Java class object being created may not extend its base class because the base class has system Java
attributes.
|
|
When the absolute path name indicator (offset 1061) is N, this field will contain the relative file ID of the
path name. When the absolute path name indicator is Y, this field will contain 16 bytes of hex zeroes.
This is a variable length field. The first 2 bytes contain the length of the path name.
|
|
|
10
v offsets 41 and 118 for *TYPE2 records

| Table 147. AP (Adopted Authority) Journal Entries. QASYAPJE/J4/J5 Field Description File
|
Offset
| JE
J4
J5
| 1
|
|
| 156
|
224
610
Field
Format
Description
Entry Type
Char(1)
Start
End
|
|
| 157
|
| 167
| 177
512
225
611
Object Name
Char(10)
235
245
621
631
Library name
Object Type
Char(10)
Char(8)
Adopted authority used during program

activation
The name of the program, service program, or
SQL package
The name of the library.
The type of object.

| Table 147. AP (Adopted Authority) Journal Entries (continued). QASYAPJE/J4/J5 Field Description File
|
Offset
| JE
J4
J5
Field
Format
Description
| 185
|
| 195
|
|
253
639
Char(10)
263
279
289
649
665
675
Owning User
Profile
Object File ID
ASP Name1
ASP Number1
The name of the user profile whose authority is

adopted.
|
|
|
Char(16)
Char(10)
Char(5)
| Table 148. AU (Attribute Changes) Journal Entries. QASYAUJ5 Field Description File
|
Offset
| J5
Field
Format
Description
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Entry type
Action
Name
New value length
New value CCSID
New value Country
or Region ID
New value
language ID
New value
Old value length
Old value CCSID
Old value Country
or Region ID
Old value language
ID
Old value
Char(1)
Char(3)
Char(100)
Binary(4)
Binary(5)
Char(2)
Type of entry
Action
Name
New value length
New value CCSID
New value Country or Region ID
Char(3)
New value language ID
610
611
614
714
716
720
722
725
2727
2729
2733
2735
2738
| 1
|
Char(2002)
Binary(4)
Binary(5)
Char(2)
Char(3)
Char(2002)
New value
Old value length
Old value CCSID
Old value Country or Region ID
Old value language ID
Old value
This is a variable length field. The first 2 bytes contain the length of the field.
| Table 149. CA (Authority Changes) Journal Entries. QASYCAJE/J4/J5 Field Description File
|
Offset
JE
J4
J5
|
|
|
|
156
224
610
157
167
177
185
225
235
245
253
195
263
|
|
|
|
|
|
|
|
|
Field
Format
Description
Entry Type
Char(1)

The type of entry.
611
621
631
639
Object Name
Library Name
Object Type
User Name
Char(10)
Char(10)
Char(8)
Char(10)
649
Authorization
List Name
Char(10)
A
Changes to authority
The type of object.
The name of the user profile whose authority is
being granted or revoked.
The name of the authorization list.
Authorities granted or removed:
513

| Table 149. CA (Authority Changes) Journal Entries (continued). QASYCAJE/J4/J5 Field Description File
|
Offset
| JE
J4
J5
Field
Format
| 205
||
| 206
||
| 207
||
| 208
||
|
| 209
||
| 210
|
| 211
|
| 212
||
| 213
||
| 214
||
| 215
||
| 216
||
| 217
||
|
| 218
|
| 222
|
|
273
659
Char(1)
274
660
275
661
276
662
277
663
278
664
Object
Existence
Object
Management
Object
Operational
Authorization
List
Management
Authorization
List
Read Authority
279
665
Add Authority Char(1)
280
666
281
667
282
668
283
669
284
670
285
671
286
672
290
676
Update
Authority
Delete
Authority
Exclude
Authority
Execute
Authority
Object Alter
Authority
Object
Reference
Authority
(Reserved
Area)
Command
Type
Char(1)
Char(1)
Char(1)
Char(1)
Char(1)
Char(1)
Char(1)
Char(1)
Char(1)
Char(1)
Char(1)
Description
Y
*OBJEXIST
*OBJMGT
*OBJOPR
*AUTLMGT
*AUTL public authority
*READ
*ADD
*UPD
*DLT
*EXCLUDE
*EXECUTE
*OBJALTER
*OBJREF
Char(4)
Char(3)
The type of command used.

GRT
Grant
RPL
Grant with replace
RVK
Revoke
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
225
235
293
303
679
689
245
255
267
313
323
335
699
709
721
275
338
343
406
729
792
348
416
349
350
514
Char(10)
Char(10)
802
Field name
(Reserved
Area)
Office User
DLO Name
(Reserved
Area)
Folder Path
Office on
Behalf of User
Personal Status
417
803
Access Code
Char(1)
418
804
Access Code
Char(4)
USR
GRTUSRAUT operation
The name of the field.
Char(10)
Char(12)
Char(8)

The name of the DLO.
Char(63)
Char(10)

Char(1)
Personal status changed
Access code added
R
Access code removed
Access code.

| Table 149. CA (Authority Changes) Journal Entries (continued). QASYCAJE/J4/J5 Field Description File
|
Offset
| JE
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
J4
J5
354
422
808
440
826
374
442
828
378
446
832
380
448
834
383
386
451
454
837
840
402
470
856
418
486
998
1014
1024
1029
872
1384
1400
1410
1415
1033
1419
1035
1421
1038
1424
1040
1426
|
|
|
|
|
|
|
Field
Format
(Reserved
Area)
(Reserved
Area)
Object Name
Length 1
Object Name
CCSID1
Object Name
Country or
Region ID1
Object Name
Language ID1
(Reserved area)
Parent File
ID1,2
Object File
ID1,2
Object Name1
Object File ID
ASP Name5
ASP Number5
Path Name
CCSID
Path Name
Country or
Region ID
Path Name
Language ID
Path Name
Length
Path Name
Indicator
Char(20)
Description
Char(18)
Binary(4)
Binary(5)
Char(2)

name.
Char(3)
Char(3)
Char(16)
Char(16)
Char(512)
Char(16)
Char(10)
Char(5)
Binary(5)

path name.
name.
Char(2)
Char(3)
Binary(4)
Char(1)

Y

Char(16)

object.
Char(5002)
1041
1427
1057
1443
Relative File
ID3
Absolute Path
Name4
|
|
These fields are used only for objects in the QOpenSys file system, the "root" file system, user-defined file
systems, and QFileSvr.400.
|
|
When the path name indicator (offset 1040) is N, this field will contain the relative file ID of the path
name. When the path name indicator is Y, this field will contain 16 bytes of hex zeroes.
|
|
|
515

| Table 150. CD (Command String) Journal Entries. QASYCDJE/J4/J5 Field Description File
|
Offset
| JE
J4
J5
| 1
|
|
| 156
224
610
Field
Entry Type
Format
Description
Char(1)

Table 141 on page 501,Table 142 on page 503,
and Table 143 on page 504 for field listing.
The type of entry.
Command run
OCL statement
Operator control command
S/36 procedure
|
|
Command run after command

substitution took place
|
|
|
|
|
||
|
|
|
|
|
|
|
|
|
|
U
Utility control statement
The type of object.
157
167
177
185
225
235
245
253
611
621
631
639
Object Name
Library Name
Object Type
Run from a CL
program
Char(10)
Char(10)
Char(8)
Char(1)
186
254
640
Command
string
ASP name for
command
library
ASP number
for command
library
Char(6000)
N
No
The command that was run, with parameters.
Char(10)
ASP name for command library
Char(5)
ASP number for command library
6640
6650
Yes
| Table 151. CO (Create Object) Journal Entries. QASYCOJE/J4/J5 Field Description File
|
Offset
JE
J4
J5
|
|
|
|
156
224
610
Field
Entry Type
Format
Description
Char(1)

The type of entry.
|
|
|
|
|
|
|
|
|
|
|
|
N
157
167
177
185
225
235
245
253
611
621
631
639
205
215
227
273
283
295
659
669
681
235
303
689
516
Object Name
Library Name
Object Type
(Reserved
Area)
Office User
DLO Name
(Reserved
Area)
Folder Path
Char(10)
Char(10)
Char(8)
Char(20)
Create of new object
R
Replacement of existing object
The type of object.
Char(10)
Char(12)
Char(8)

The name of the document library object created.
Char(63)

| Table 151. CO (Create Object) Journal Entries (continued). QASYCOJE/J4/J5 Field Description File
|
Offset
JE
J4
J5
Field
Format
Description
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
298
366
752
Office on
Behalf of User
(Reserved
Area)
(Reserved
Area)
Object Name
Length
Object Name
CCSID1
Object Name
Country or
Region ID1
Object Name
Language ID1
(Reserved
area)
Parent File
ID1,2
Object File
ID1,2
Object Name1
Object File ID
ASP Name5
ASP Number5
Path Name
CCSID
Path Name
Country or
Region ID
Path Name
Language ID
Path Name
Length
Path Name
Indicator
Char(10)
|
|
|
|
|
|
|
308
376
762
394
780
328
396
782
332
400
786
334
402
788
337
405
791
340
408
794
356
424
810
372
440
952
968
978
983
826
1338
1354
1364
1369
987
1373
989
1375
992
1378
994
1380
Char(20)
Char(18)
Binary(4)
Binary(5)
Char(2)

name.
Char(3)
Char(3)
Char(16)
Char(16)
Char(512)
Char(16)
Char(10)
Char(5)
Binary(5)

absolute path name.
name.
Char(2)
Char(3)
Binary(4)
Char(1)

Y

Char(16)

object.
Char(5002)
995
1381
1011
1397
Relative File
ID3
Absolute Path
Name4
517

| Table 151. CO (Create Object) Journal Entries (continued). QASYCOJE/J4/J5 Field Description File
|
Offset
JE
|
|
When the path name indicator (offset 994) is N, this field will contain the relative file ID of the path name.
When the path name indicator is Y, this field will contain 16 bytes of hex zeroes..
|
|
|
J4
J5
Field
Format
Description
| Table 152. CP (User Profile Changes) Journal Entries. QASYCPJE/J4/J5 Field Description File
|
Offset
| JE
J4
J5
| 1
|
|
| 156
224
610
225
611
235
245
256
621
631
639
|
| 157
|
| 167
| 177
| 185
|
|
Field
Format
Description
Entry Type
Char(1)

The type of entry.
User Profile
Name
Library Name
Object Type
Command
Name
Char(10)
A
Change to a user profile
The name of the user profile that was changed.
Char(10)
Char(8)
Char(3)

The type of object.
CRT
CRTUSRPRF
CHG
CHGUSRPRF
RST
RSTUSRPRF
DST
QSECOFR password reset using DST
Password changed
Password is *NONE.
Password expired is *YES
Password expired is *NO
*ALLOBJ special authority
*JOBCTL special authority
*SAVSYS special authority
*SECADM special authority
|
|
||
|
||
|
||
|
|
||
|
|
||
|
|
||
|
|
||
|
|
188
256
642
189
257
643
190
258
644
191
259
645
192
260
646
193
261
647
194
262
648
518
Password
Changed
Password
*NONE
Password
Expired
Char(1)
All Object
Special
Authority
Job Control
Special
Authority
Save System
Special
Authority
Security
Administrator
Special
Authority
Char(1)
Char(1)
Char(1)
Char(1)
Char(1)
Char(1)

| Table 152. CP (User Profile Changes) Journal Entries (continued). QASYCPJE/J4/J5 Field Description File
|
Offset
| JE
J4
J5
Field
Format
|
||
|
|
||
|
||
|
||
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
195
263
649
Char(1)
196
264
650
197
265
651
198
266
652
199
267
653
212
222
280
290
666
676
Spool Control
Special
Authority
Service Special
Authority
Audit Special
Authority
System
Configuration
Special
Authority
(Reserved
Area)
Group Profile
Owner
232
300
686
Char(10)
242
252
310
320
696
706
262
272
330
340
716
726
282
350
736
292
360
746
302
312
313
323
370
380
381
391
756
766
767
777
333
401
787
483
551
937
493
561
947
Group
Authority
Initial Program
Initial Program
Library
Initial Menu
Initial Menu
Library
Current
Library
Limited
Capabilities
User Class
Priority Limit
Profile Status
Group
Authority Type
Supplemental
Group Profiles
User
Identification
Group
Identification
Char(1)
Char(1)
Char(1)
Description
Y
*SPLCTL special authority
*SERVICE special authority
*AUDIT special authority
*IOSYSCFG special authority
Char(13)
Char(10)
Char(10)
Char(10)
Char(10)
The name of a group profile.

Owner of objects created as a member of a group
profile.
Group profile authority.
Char(10)
The name
The name
is found.
The name
The name
found.
The name
Char(10)
The value of limited capabilities parameter.
Char(10)
Char(1)
Char(10)
Char(10)
The user class of the user.

The value of the priority limit parameter.
User profile status.
The value of the GRPAUTTYP parameter.
Char(150)
Char(10)
The names of up to 15 supplemental group

profiles for the user.
The uid for the user.
Char(10)
The gid for the user.
Char(10)
Char(10)
of the users initial program.

of the library where the initial program
of the users initial menu.
of the library where the initial menu is
of the users current library.
| Table 153. CQ (*CRQD Changes) Journal Entries. QASYCQJE/J4/J5 Field Description File
|
Offset
| JE
J4
J5
| 1
|
|
| 156
224
610
225
235
611
621
|
| 157
| 167
Field
Format
Description
Entry Type
Char(1)

The type of entry.
Object Name
Library Name
Char(10)
Char(10)
A
Change to a *CRQD object
The name of the object that was changed.
The name of the object library.
519

| Table 153. CQ (*CRQD Changes) Journal Entries (continued). QASYCQJE/J4/J5 Field Description File
|
Offset
JE
J4
J5
Field
Format
Description
|
|
|
|
177
245
631
639
649
Object Type
ASP name
ASP number
Char(8)
Char(10)
Char(5)
The type of object.

ASP name for CRQD library
ASP number for CRQD library
| Table 154. CU (Cluster Operations) Journal Entries. QASYCUJ4/J5 Field Description File
|
Offset
| JE
J4
J5
|
|
|
|
224
610
Field
Entry Type
Format
Description
Char(1)

Table 141 on page 501 and Table 142 on page 503
for field listing.
The type of entry.
|
|
|
R
225
611
Entry Action
Char(3)
Cluster control operation
Cluster Resource Group (*GRP)

management operation
The type of action.
Add
Add
CRT
Create
DLT
Delete
DST
Distribute
END
End
FLO
Fail over
LST
List information
RMV
Remove
STR
Start
SWT
Switch
|
|
228
614
Status
Char(3)
UPC
Update attributes
The status of the request.
ABN
The request ended abnormally
|
|
AUT
Authority Failure, *IOSYSCFG is

required
END
The request ended successfully
|
|
|
|
|
|
|
|
|
|
|
231
241
251
261
520
617
627
637
647
CRG Object
Name
Char(10)
CRG Library
Name
Char(10)
Cluster Name
Node ID
Char(10)
Char(8)
STR
The request was started
The Cluster Resource Group object name.
This value is filled in when the entry
type is R.
The Cluster Resource Group object library.
Note:
This value is filled in when the entry

type is R.
The name of the cluster.
The node ID.
Note:

| Table 154. CU (Cluster Operations) Journal Entries (continued). QASYCUJ4/J5 Field Description File
|
Offset
| JE
J4
J5
Field
Format
Description
|
|
|
|
|
|
|
|
|
|
|
269
655
Char(8)
The source node ID.
277
663
Char(10)
287
673
297
683
Source Node
ID
Source User
Name
User Queue
Name
User Queue
Library
ASP name
ASP number
Char(10)
Name of the source system user that initiated

the request.
Name of the user queue where responses are
sent.
The user queue library.
Char(10)
Char(5)
ASP name for user queue library

ASP number for user queue library
693
703
Char(10)
| Table 155. CV (Connection Verification) Journal Entries. QASYCVJ4/J5 Field Description File
|
|
|
|
|
|
Offset
JE
J4
J5
224
610
Field
Entry Type
Format
Description
Char(1)

for field listing.
The type of entry.
Connection established
Connection ended
|
|
225
611
Action
Char(1)
R
Connection rejected
Action taken for the connection type.
|
|
Connection established or ended

normally. Used for Entry Type C or E.
|
|
Peer was not authenticated. Used for

Entry Type E or R.
|
|
No response from the authentication

server. Used for Entry Type R.
|
|
LCP configuration error. Used for Entry

Type R.
|
|
NCP configuration error. Used for Entry

Type R.
|
|
Password is not valid. Used for Entry

Type E or R.
|
|
Authentication was rejected by peer.

Used for Entry Type R.
|
|
L2TP configuration error. Used for

Entry Type E or R.
|
|
|
|
U
226
612
Point to Point
Profile Name
Char(10)
User is not valid. Used for Entry Type E

or R.
The point to point profile name.
521

| Table 155. CV (Connection Verification) Journal Entries (continued). QASYCVJ4/J5 Field Description File
|
|
Offset
JE
J4
J5
Field
Format
Description
236
622
Protocol
Char(10)
The type of entry.
L2TP
Layer 2 Tunneling protocol
PPP
Point to Point protocol.
|
|
|
||
|
246
632
Local
Char(10)
Authentication
Method
SLIP
Serial Line Internet Protocol.
The type of entry.
CHAP
Challenge Handshake Authentication

Protocol.
PAP
Password Authentication Protocol.
|
|
|
|
||
|
SCRIPT
256
642
Remote
Char(10)
Authentication
Method
Script method.
The type of entry.
CHAP
Challenge Handshake Authentication

Protocol.
PAP
Password Authentication Protocol.
|
|
RADIUS
Radius method.
|
|
|
|
|
|
|
|
|
|
|
SCRIPT
266
276
286
652
662
672
386
772
426
812
466
852
Object Name
Library Name
*VLDL User
Name
Local IP
Address
Remote IP
Address
IP forwarding
Char(10)
Char(10)
Char(100)
Script method.
The *VLDL object name.
The *VLDL object library name.
The *VLDL user name.
Char(40)
The local IP address.
Char(40)
The remote IP address.
Char(1)
The type of entry.
IP forwarding is on.
IP forwarding is off.
522

| Table 155. CV (Connection Verification) Journal Entries (continued). QASYCVJ4/J5 Field Description File
|
|
Offset
JE
J4
J5
Field
Format
Description
467
853
Proxy ARP
Char(1)
The type of entry.
|
|
|
|
|
|
|
|
|
|
|
|
|
Y
468
478
854
864
518
904
532
918
546
932
548
934
Radius Name
Authenticating
IP Address
Account Sesion
ID
Account
Multi-Session
ID
Account Link
Count
Tunnel Type
Proxy ARP is enabled.
Char(10)
Char(40)
N
Proxy ARP is not enabled.
The AAA profile name.
The authenticating IP address.
Char(14)
The account session ID.
Char(14)
The account multi-session ID.
Binary(4)
The account link count.
Char(1)
The tunnel type:
Not tunneled
L2TP
AH
|
|
|
|
|
|
|
|
|
|
|
|
|
549
935
589
975
629
1015
637
1023
1025
1035
Tunnel Client
Endpoint
Tunnel Server
Endpoint
Account
Session Time
Account
Terminate
Cause
ASP name
ASP number
Char(40)
9
ESP
Tunnel client endpoint.
Char(40)
Tunnel server endpoint.
Char(8)
The account session time. Used for Entry Type E

or R.
The account terminate cause. Used for Entry
Type E or R.
Binary(4)
Char(10)
Char(5)
ASP name for validation list library

ASP number for validation list library
| Table 156. CY (Cryptographic Configuration) Journal Entries. QASYCYJ4/J5 Field Description File
|
Offset
| JE
J4
J5
|
|
|
|
224
610
Field
Entry Type
Format
Description
Char(1)

The type of entry.
Access Control function
Facility Control function
Master Key function
523

| Table 156. CY (Cryptographic Configuration) Journal Entries (continued). QASYCYJ4/J5 Field Description File
|
Offset
| JE
J4
J5
Field
Format
Description
|
|
225
611
Action
Char(3)
The cryptographic configuration function

performed:
CCP
Define a card profile.
CCR
Define a card role.
CLK
Set clock.
CLR
Clear master keys.
CRT
Create master keys.
DCP
Delete a card profile.
DCR
Delete a card role.
DST
Distribute master keys.
EID
Set environment ID.
FCV
Load/clear FCV.
INI
Reinitialize card..
QRY
Query role or profile information.
RCP
Replace a card profile.
RCR
Replace a card role.
RCV
Receive master keys.
SET
Set master keys.
|
|
|
|
|
228
236
244
614
622
630
Card profile
Card Role
Device Name
Char(8)
Char(8)
Char(10)
SHR
Cloning shares.
The name of the card profile..
The role of the card profile.
The name of the cryptographic device.
| Table 157. DI (Directory Services) Journal Entries. QASYDIJ4/J5 Field Description File
|
Offset
| JE
J4
J5
|
|
|
|
224
610
Field
Entry Type
Format
Description
Char(1)

The type of entry.
L
524
LDAP Operation

| Table 157. DI (Directory Services) Journal Entries (continued). QASYDIJ4/J5 Field Description File
|
|
|
|
|
Offset
JE
J4
J5
Field
Format
Description
225
611
Operation
Type
Char(2)
The type of LDAP operation:

AD
Audit attribute change.
AF
Authority failure.
BN
Successful bind.
CA
Object authority change.
CF
Configuration change.
CO
Object create.
CP
Password change.
DO
Object delete.
EX
LDAP directory export.
IM
LDAP directory import.
OM
Object management (rename).
OW
Ownership change.
PW
Password fail.
UB
Successful unbind.
ZC
Object change.
|
|
|
227
613
Authority
Failure Code
Char(1)
ZR
Object read.
Code for authority failures. This field is used
only if the operation type (offset 225) is AF.
|
|
Unauthorized attempt to change audit

value.
Unauthorized bind attempt.
Unauthorized object create attempt.
Unauthorized object delete attempt.
Unauthorized export attempt.
|
|
|
Unauthorized configuration change

(administrator, change log, backend
library, replicas replicas, publishing)
Unauthorized import attempt.
Unauthorized modify attempt.
|
|
|
228
614
Configuration
Change
Char(1)
R
Unauthorized read (search) attempt.
Configuration changes. This field is only used if
the operation type (offset 225) is CF.
Administrator ND change
Change log on/off
Backend library name change
Publishing agent change
Replica server change
525

|
|
Offset
JE
|
|
J4
J5
Field
Format
Description
229
615
Configuration
Change Code
Char(1)
Code for configuration changes. This field is

used only if the operation type (offset 225) is CF.
Item added to configuration
Item deleted from configuration
|
|
|
|
230
616
Propagate Flag Char(1)
M
Item modified
Indicates the new setting of the owner or ACL
propagate value. This field is used only if the
operation type (offset 225) is CA or OW.
T
|
|
|
|
|
|
|
231
617
251
637
Bind
Char(20)
Authentication
Choice
LDAP Version Char(4)
F
False
The bind authentication choice. This field is used
only if the operation type (offset 225) is BN.
Version of client making request. This field is
used only if the operation was done through the
LDAP server.
2
|
|
|
|
255
641
SSL Indicator
Char(1)
|
256
642
Request Type
Char(1)
LDAP Version 2
3
LDAP Version 3
Indicates if SSL was used on the request. This
field is used ony if the operation was done
through the LDAP server.
0
|
|
|
True
No
1
Yes
The type of request. This field is used only if the
operation was done through the LDAP server.
Authenticated
Anonymous
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
526
257
643
Connection ID
Char(20)
277
663
Client IP
Address
Char(50)
327
713
Bin(5)
331
717
333
2335
719
2721
2339
2725
2341
4343
2727
4729
User Name
CCSID
User Name
Length
User Name1
Object Name
CCSID
Object Name
Length
Object Name1
Owner Name
CCSID
Bin(4)
Char(2002)
Bin(5)
Bin(4)
Char(2002)
Bin(5)
U
Unauthenticated
Connection ID of the request. This field is used
only if the operation was done through the
LDAP server.
IP address and port number of the client request.
This field is used only if the operation was done
through the LDAP server.
The coded character set identifier of the user
name.
The length of the user name.
The name of the LDAP user.
The coded character set identifier of the object
name.
The name of the LDAP object.
The coded character set identifier of the owner
name. This field is used only if the operation
type (offset 225) is OW.

|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Offset
JE
J4
J5
Field
Format
Description
4347
4733
Bin(4)
4349
4735
Owner Name
Length
Owner Name1
6351
6737
The length of the owner name. This field is used

only if the operation type is OW.
The name of the owner. This field is used only if
the operation type (offset 225) is OW.
The coded character set identifier of the new
name. This field is used only if the operation
type (offset 225) is OM, OW, ZC, or AF+M.
New Name
CCSID
Char(2002)
Bin(5)
v For operation type OM, this field will contain

the CCSID of the new object name.
v For operation type OW, this field will contain
the CCSID of the new owner name.
6355
6741
New Name
Length
Bin(4)
v For operation types ZC or AF+M, this field

will contain the CCSID of the list of changed
attribute types in the New Name field.
The length of the new name. This field is used
only if the operation type (offset 225) is OM,
OW, ZC, or AF+M.
the length of the new object name.
the length of the new owner name.
6357
6743
New Name1
Char(2002)

will contain the length of the list of changed
attribute types in the New Name field.
The new name. This field is used only if the
operation type (offset 225) is OM, OW, ZC, or
AF+M.
the new object name.
the new owner name.
8359
8375
8385
8390
8745
8761
8771
8776
8394
8780
8396
8782
8399
8785
8401
8787
Object File ID2

ASP Name2
ASP Number2
Path Name
CCSID2
Path Name
Country or
Region ID2
Path Name
Language ID2
Path Name
Length2
Path Name
Indicator2
Char(16)
Char(10)
Char(5)
Bin(5)
Char(2)

will contain a list of changed attribute types.
The file ID of the object for export.
The coded character set identifier of the absolute
path name.
The Country or Region ID of the absolute path
name.
Char(3)
The language ID of the absolute path name.
Bin(4)
Char(1)
The absolute path name indicator.

Y


object.
527

|
|
Offset
JE
|
|
|
|
J4
J5
Field
Format
Description
8402
8788
Char(16)
8418
8804
Relative File
ID2,3
Absolute Path
Name1,2
Char(5002)
This is a variable length field. The first 2 bytes contain the length of the value in the field.
These fields are used only if the operation type (offset 225) is EX or IM.
|
|
|
When the path name indicator (offset 8401) is N, this field will contain the relative file ID of the path
name. When the path name indicator is Y, this field will contain 16 bytes of hex zeroes.
| Table 158. DO (Delete Operation) Journal Entries. QASYDOJE/J4/J5 Field Description File
|
Offset
| JE
J4
J5
| 1
|
|
| 156
224
610
Field
Entry Type
Format
Description
Char(1)

The type of entry.
|
|
Object was deleted not under

commitment control)
|
|
A pending object delete was

committed
|
|
A pending object create was rolled

back
|
|
|
The object delete is pending (the delete

was performed under commitment
control)
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
R
157
167
177
185
225
235
245
253
611
621
631
639
205
215
227
273
283
295
659
669
681
235
298
303
366
689
752
308
328
528
376
762
394
780
396
782
Object Name
Library Name
Object Type
(Reserved
Area)
Office User
DLO Name
(Reserved
Area)
Folder Path
Office on
Behalf of User
(Reserved
Area)
(Reserved
Area)
Object Name
Length 1
Object Name
CCSID1
Char(10)
Char(10)
Char(8)
Char(20)
A pending object delete was rolled

back
The type of object.
Char(10)
Char(12)
Char(8)

Char(63)
Char(10)

Char(20)
Char(18)
Binary(4)
Binary(5)

name.

| Table 158. DO (Delete Operation) Journal Entries (continued). QASYDOJE/J4/J5 Field Description File
|
Offset
| JE
J4
J5
Field
Format
Description
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
332
400
786
Char(2)
334
402
788
Char(3)
337
405
791
340
408
794
356
424
810
372
440
952
968
978
983
826
1338
1354
1364
1369
987
1373
989
1375
992
1378
994
1380
Object Name
Country or
Region ID1
Object Name
Language ID1
(Reserved
area)
Parent File
ID1,2
Object File
ID1,2
Object Name1
Object File ID
ASP Name5
ASP Number5
Path Name
CCSID
Path Name
Country or
Region ID
Path Name
Language ID
Path Name
Length
Path Name
Indicator
|
|
|
|
|
|
|
Char(3)
Char(16)
Char(16)
Char(512)
Char(16)
Char(10)
Char(5)
Binary5)

absolute path name.
name.
Char(2)
Char(3)
Binary(4)
Char(1)

Char(16)
The Absolute Path Name field does

not contain an absolute path name for
the object.
Char(5002)
995
1381
1011
1397
Relative File
ID3
Absolute Path
Name4
|
|
When the path name indicator (offset 994) is N, this field will contain the relative file ID of the path name.
When the path name indicator is Y, this field will contain 16 bytes of hex zeroes.
|
|
|
529

| Table 159. DS (IBM-Supplied Service Tools User ID Reset) Journal Entries. QASYDSJE/J4/J5 Field Description File
|
Offset
| JE
J4
J5
| 1
|
|
| 156
224
610
Field
Entry Type
Format
Description
Char(1)

The type of entry.
|
|
Reset of a service tools user ID

password.
Changed to a service tools user ID.
|
|
| 157
||
||
| 158
|
|
Service tools user ID password was

changed.
Request to reset an IBM-supplied service

tools user ID.
225
611
226
612
IBM-Supplied
Service Tools
User ID Reset
Service Tools
User ID Type
Char(1)
Char(10)
The type of service tools user ID

*SECURITY
*FULL
|
|
| 168
|
|
| 176
|
|
||
|
|
|
|
|
|
|
|
|
*BASIC
236
622
244
630
245
631
255
641
Service Tools
User ID New
Name
Service Tools
User ID
Password
Change
Char(8)
The name of the service tools user ID.
Char(1)
Request to change the service tools user ID

password.
Service Tools
User ID New
Name
Service Tools
User ID
Requesting
Profile
Char(10)
Request to change service tools user ID

password.
The name of the service tools user ID.
Char(10)
The name of the service tools user ID that

requested the change.
| Table 160. EV (Environment Variable) Journal Entries. QASYEVJ4/J5 Field Description File
|
Offset
| JE
J4
J5
|
|
|
|
224
610
Field
Entry Type
Format
Description
Char(1)

The type of entry.
Add
Change
Delete
530

| Table 160. EV (Environment Variable) Journal Entries (continued). QASYEVJ4/J5 Field Description File
|
Offset
| JE
J4
J5
Field
Format
Description
|
|
225
611
Name
Truncated
Char(1)
Indicates whether the environment variable name

(offset 232), is truncated.
|
|
|
|
|
|
|
|
N
226
230
232
612
616
618
1234
1620
CCSID
Length
Environment
Variable Name2
New Name
Truncated1
Binary(5)
Binary(4)
Char(1002)
Char(1)
Environment variable name truncated.
Environment variable name not

truncated.
The CCSID of the environment variable name.
The length of the environment variable name.
The name of the environment variable.
Indicates whether the new environment variable

name (offset 1241), is truncated.
|
|
|
|
|
|
|
|
|
|
N
1235
1621
1239
1625
1241
1627
New Name
CCSID1
New Name
Length1
New
Environment
Variable
Name1,2
Binary(5)
Binary(4)
Char (1002)
Environment variable value truncated.
Environment variable value not

truncated.
The CCSID of the new environment variable
name.
The length of the new environment variable
name.
The new environment variable name.
These fields are used when the entry type is C.
|
|
This is a variable length field. The first two bytes contain the length of the environment variable name.
| Table 161. GR (Generic Record) Journal Entries. QASYGRJ4/J5 Field Description File
|
Offset
| JE
J4
J5
|
|
|
|
224
610
Field
Entry Type
Format
Description
Char(1)

for field listing.
The type of entry.
Exit program added
Exit program removed
Function registration operations
|
|
225
611
Action
Char(2)
|
|
|
|
|
|
|
R
Exit program replaced
The action performed.
ZC
227
237
613
623
User Name
Field 1 CCSID
Change
Char(10)
ZR
Read
User profile name
Binary (5)
For entry type F, this field contains the name of

the user the function registration operation was
performed against.
The CCSID value for field 1.
531

| Table 161. GR (Generic Record) Journal Entries (continued). QASYGRJ4/J5 Field Description File
|
Offset
| JE
J4
J5
Field
Format
Description
|
|
241
243
627
629
Field 1 Length
Field 1
Binary (4)
Char(102)1
The length of the data in field 1.

Field 1 data
|
|
|
For entry type F, this field contains the

description of the function registration operation
that was performed. The possible values are:
|
|
*REGISTER:
Function has been registered
|
|
*REREGISTER:
Function has been updated
|
|
*DEREGISTER:
Function has been de-registered
|
|
|
*CHGUSAGE:
Function usage information has
changed
|
|
|
*CHKUSAGE:
Function usage was checked for a user
and the check passed
|
|
|
|
|
|
|
|
|
Binary (5)
Binary (4)
Char (102)1
*USAGEFAILURE:
Function usage was checked for a user
and the check failed
For entry types A, D, and R, this field will
contain the exit program information for the
specific function that was performed.
Field 2 data
Binary (5)
Binary (4)
For entry type F, this field contains the name of

the function that was operated on.
345
349
351
|
|
|
|
453
457
532
731
735
737
839
843
Field 2 CCSID
Field 2 Length
Field 2
Field 3 CCSID
Field 3 Length

| Table 161. GR (Generic Record) Journal Entries (continued). QASYGRJ4/J5 Field Description File
|
Offset
| JE
J4
J5
Field
Format
Description
459
845
Field 3
Char(102)1
Field 3 data.
|
|
|
|
For entry type F, this field contains the usage

setting for a user. There is a value for this field
only if the function registration operation is one
of the following:
|
|
|
|
*REGISTER:
When the operation is *REGISTER, this
field contains the default usage value.
The user name will be *DEFAULT.
|
|
|
|
|
*REREGISTER:
When the operation is *REREGISTER,
this field contains the default usage
value. The user name will be
*DEFAULT.
|
|
|
|
|
|
|
|
*CHGUSAGE:
When the operation is *CHGUSAGE,
this field contains the usage value for
the user specified in the user name
field.
Field 4 data.
561
565
567
947
951
953
Field 4 CCSID
Field 4 Length
Field 4
Binary (5)
Binary (4)
Char(102)1
|
|
|
|
For entry type F, this field contains the allow

*ALLOBJ setting for the function. There is a
value for this field only if the function
registration operation is one of the following:
*REGISTER
|
|
*REREGISTER
|
|
| Table 162. GS (Give Descriptor) Journal Entries. QASYGSJE/J4/J5 Field Description File
|
|
|
|
|
|
Offset
JE
156
J4
J5
224
610
Field
Entry Type
Format
Description
Char(1)

The type of entry.
Give descriptor
Received descriptor
|
|
|
|
157
167
177
225
235
245
611
621
631
Job Name
User Name
Job Number
Char(10)
Char(10)
Zoned (6,0)
U
Unable to use descriptor
The name of the job.
The name of the user.
The number of the job.
533

| Table 162. GS (Give Descriptor) Journal Entries (continued). QASYGSJE/J4/J5 Field Description File
|
Offset
JE
J4
J5
Field
Format
Description
|
|
|
|
|
183
251
637
Char (10)
The name of the user profile.
261
647
User Profile
Name
JUID
Char (10)
The Job User IDentity of the target job. (This

value applies only to subtype G audit records.)
| Table 163. IP (Interprocess Communication) Journal Entries. QASYIPJE/J4/J5 Field Description File
|
Offset
| JE
J4
J5
| 1
|
|
| 156
224
610
Field
Entry Type
Format
Description
Char(1)

The type of entry.
Ownership and/or authority changes
create
Delete
Authority failure
Get
Shared memory attach
|
|
| 157
Z
225
611
IPC Type
Char(1)
Normal semaphore close or shared

memory detach
IPC Type
Shared memory
Normal semaphore
Message queue
|
|
|
|
|
|
|
158
162
172
182
226
230
240
250
612
616
626
636
IPC Handle
New Owner
Old Owner
Owner
Authority
Binary(5)
Char(10)
Char(10)
Char(3)
|
|
|
|
|
|
|
185
195
205
253
263
273
639
649
659
New Group
Old Group
Group
Authority
Char(10)
Char(10)
Char(3)
S
Semaphore
IPC handle ID
New owner of IPC entity
Old owner of IPC entity
Owners authority to IPC entity
*R
read
*W
write
*RW
read and write
Group associated with IPC entity
Previous group associated with IPC entity
Groups authority to IPC entity
*R
read
*W
write
*RW
read and write
534

| Table 163. IP (Interprocess Communication) Journal Entries (continued). QASYIPJE/J4/J5 Field Description File
|
Offset
| JE
J4
J5
Field
Format
Description
| 208
|
|
276
662
Public
Authority
Char(3)
Publics authority to IPC entity
|
|
|
|
|
|
|
|
|
|
|
|
|
|
211
279
665
216
283
669
218
285
671
CCSID
Semaphore
Name
Length
Semaphore
Name
Semaphore
Name
*R
read
*W
write
Binary(5)
*RW
read and write
The CCSID of the semaphore name.
Binary(4)
The length of the semaphore name.
Char(2050)
The semaphore name.

Note:
This is a variable length field. The first 2

characters contain the length of the
semaphore name.
| Table 164. IR (IP Rules Actions) Journal Entries. QASYIRJ4/J5 Field Description File
|
Offset
| JE
J4
J5
|
|
|
|
224
610
Field
Entry Type
Format
Description
Char(1)

Table 141 on page 501 andTable 142 on page 503
for field listing.
The type of entry.
IP rules have been loaded from a file.
|
|
IP rules have been unloaded for an IP

Security connection
|
|
IP rules have been loaded for an IP

Security connection
|
|
IP rules have been read and copied to a

file.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
225
611
235
245
263
621
631
649
265
651
269
655
271
657
274
660
File Name
File Library
Reserved
File Name
Length
File Name
CCSID1
File Country
or Region ID1
File Language
ID1
Reserved
Char(10)
Char(10)
Char(18)
Binary (4)
Binary (5)
U
IP rules have been unloaded (removed).
The name of the QSYS file used to load or
receive the IP rules.
This value is blank if the file used was
not in the QSYS file system.
The name of the QSYS file library.
The length of the file name.
Char(2)
The coded character set identifier for the file

name.
The Country or Region ID for the file name.
Char(3)
The language ID for the file name.
Char(3)
535

| Table 164. IR (IP Rules Actions) Journal Entries (continued). QASYIRJ4/J5 Field Description File
|
|
Offset
JE
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
J4
J5
Field
Format
277
663
Parent File ID1, Char(16)
Description
293
Object File ID1, Char(16)
679
The file ID of the file.
|
|
|
|
|
|
|
309
821
695
1207
861
877
887
892
1247
1263
1273
1278
896
1282
898
1284
901
1287
903
1289
File Name1
Connection
sequence
Object File ID
ASP Name
ASP Number5
Path Name
CCSID
Path Name
Country or
Region ID
Path Name
Language ID
Path Name
Length
Path Name
Indicator
Char(512)
Char(40)
The name of the file.

The connection name.
Char(16)
Char(10)
Char(5)
Binary(5)

absolute path name.
name.
Char(2)
Char(3)
Binary(4)
Char(1)

Y

Char(16)

object.
Char(5002)
904
1290
920
1306
Relative File
ID3
Absolute Path
Name4
These fields are used only for objects in the QOpenSys file system and the root file system.
If the ID has the left-most bit set and the rest of the bits zero, the ID is not set.
|
|
When the path name indicator (offset 903) is N this field will contain the relative file ID of the path name.
When the path name indicator is Y, this field will contain 16 bytes of hex zeroes..
This is a variable length field. The first two bytes contain the length of the field.
|
|
|
| Table 165. IS (Internet Security Management) Journal Entries. QASYISJ4/J5 Field Description File
|
Offset
| JE
J4
J5
|
|
|
536
Field
Format
Description
for field listing.

| Table 165. IS (Internet Security Management) Journal Entries (continued). QASYISJ4/J5 Field Description File
|
Offset
| JE
J4
J5
Field
Format
Description
224
610
Entry Type
Char(1)
The type of entry.
Fail (this type no longer used)
Normal (this type no longer used)
Mobile User (this type no longer used)
IKE Phase 1 SA Negotiation
|
|
|
|
|
|
|
|
|
|
|
225
611
240
626
245
631
260
646
265
521
651
907
Local IP
Address
Local Client ID
Port
Remote IP
Address
Remote Client
ID Port
Mobile ID
Result Code
Char(15)
2
IKE Phase 2 SA Negotiation
Local IP Address.
Char(5)
Local Client ID port.
Char (15)
Remote IP address.
Char (5)
Remote Client ID Port (valid for phase 2).
Char (256)
Char(4)
Mobile ID. This field no longer used.

Negotiation Result:
Successful
|
|
|
130
Protocol specific errors (documented in

ISAKMP RFC2408, found at:
http://www.ietf.org)
|
|
|
|
|
|
|
|
|
|
|
525
911
CCSID
Bin(5)
82xx
iSeries VPN Key Manager specific errors
following fields:
v Local ID
v Local Client ID Value
v Remote ID
529
785
915
1171
Local ID
Char(256)
Local Client ID Char(2)
Type
v Remote Client ID Value

Local IKE identifier
Type of client ID (valid for phase 2):
1
IP version 4 address
Fully qualified domain name
User fully qualified domain name
IP version 4 subnet
IP version 4 address range
Distinguished name
|
|
|
|
|
|
787
1173
1043
1429
1047
1433

Value
Protocol
Remote ID
Char(256)
11
Key identifier
Local client ID (valid for phase 2)
Local client ID protocol (valid for phase 2)
Remote IKE identifier
537

| Table 165. IS (Internet Security Management) Journal Entries (continued). QASYISJ4/J5 Field Description File
|
Offset
| JE
J4
J5
Field
Format
Description
|
|
|
1303
1689
Remote Client
ID Type
Char(2)
Type of client ID (valid for phase 2)

1
IP version 4 address
Fully qualified domain name
User fully qualified domain name
IP version 4 subnet
IP version 4 address range
Distinguished name
|
|
|
|
|
|
|
1305
1691
1561
1947
Remote Client
ID Value
Remote Client
ID Protocol
Char(256)
11
Key identifier
Remote client ID (valid for phase 2)
Char(4)
Remote client ID protocol (valid for phase 2)
| Table 166. JD (Job Description Change) Journal Entries. QASYJDJE/J4/J5 Field Description File
|
Offset
JE
J4
J5
|
|
|
|
156
224
610
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Field
Entry Type
Format
Description
Char(1)

The type of entry.
User profile specified for the USER
parameter of a job description
The name of the job description that had the
USER parameter changed.
The type of object.
A
157
225
611
Job Description Char(10)
167
177
185
235
245
253
621
631
639
Library Name
Object Type
Command
Type
Char(10)
Char(8)
Char(3)
CHG
Create Job Description (CRTJOBD)

command.
The name of the user profile specified for the
USER parameter before the job description was
changed.
The name of the user profile specified for the
user parameter when the job description was
changed.
ASP name for JOBD library
ASP number for JOBD library
CRT
188
256
642
Old User
Char(10)
198
266
652
New User
Char(10)
662
672
ASP name
ASP number
Char(10)
Char(5)
538
Change Job Description (CHGJOBD)

command.

| Table 167. JS (Job Change) Journal Entries. QASYJSJE/J4/J5 Field Description File
|
Offset
| JE
J4
J5
| 1
|
|
| 156
224
610
Field
Entry Type
Format
Description
Char(1)

The type of entry.
ENDJOBABN command
Submit
Change
End
Hold
Disconnect
Modify profile or group profile
ENDJOB command
Attach prestart or batch immediate job
Change query attributes
Release
Start
|
|
Modify profile or group profile using a

profile token.
CHGUSRTRC
|
|
| 157
V
225
611
Job Type
Char(1)
Virtual device changed by QWSACCDS

API.
The type of job.
Autostart
Batch
Interactive
Subsystem monitor
Reader
System
Writer
SCPF
539

| Table 167. JS (Job Change) Journal Entries (continued). QASYJSJE/J4/J5 Field Description File
|
Offset
JE
J4
J5
Field
Format
Description
158
226
612
Job Subtype
Char(1)
The subtype of the job.
' '
No subtype
Batch immediate
Procedure start request
Prestart
Print driver
Query
MRT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Char(10)
U
Alternate spool user
The first part of the qualified job name being
operated on
The second part of the qualified job name being
operated on
The third part of the qualified job name being
operated on
The name of the device
The name of the effective user profile for the
thread
The name of the job description for the job
Char(10)
The name of the library for the job description
Char(10)
The name of the job queue for the job
Char(10)
The name of the library for the job queue
Char(10)
The name of the output queue for the job
Char(10)
The name of the library for the output queue
Char(10)
Char(430)
Char(10)
The name of the printer device for the job

The library list for the job
The name of the effective group profile for the
thread
The names of the supplemental group profiles for
the thread.
Describes the meaning of the JUID field:
159
227
613
Job Name
Char(10)
169
237
623
Job User Name
Char(10)
179
247
633
Job Number
Char(6)
185
195
253
263
639
649
Char(10)
Char(10)
205
273
659
215
283
669
225
293
679
235
303
689
245
313
699
255
323
709
265
275
705
333
343
773
719
729
1159
715
783
1169
933
1319
Device Name
Effective User
Profile2
Job Description
Name
Job Description
Library
Job Queue
Name
Job Queue
Library
Output Queue
Name
Output Queue
Library
Printer Device
Library List2
Effective Group
Profile Name2
Supplemental
Group Profiles2
JUID
Description
Char(150)
Char(1)
' '
The JUID field contains the value for the

JOB.
|
|
The clear JUID API was called. The JUID

field contains the new value.
|
|
|
|
|
|
|
540
934
944
1320
1330
954
1340
JUID Field
Real User
Profile
Saved User
Profile
Char(10)
Char(10)
The set JUID API was called. The JUID

field contains the new value.
Contains the JUID value
The name of the real user profile for the thread.
Char(10)
The name of the saved user profile for the thread.

| Table 167. JS (Job Change) Journal Entries (continued). QASYJSJE/J4/J5 Field Description File
|
|
Offset
JE
|
|
|
|
|
|
|
J4
J5
Field
Format
Description
964
1350
Char(10)
974
1360
984
1370
Real Group
Profile
Saved Group
Profile
Real User
Changed3
The name of the real group profile profile for the

thread.
The name of the saved group profile profile for
the thread.
The real user profile was changed.
|
|
|
|
985
|
|
|
|
986
|
|
|
|
987
|
|
|
|
988
|
|
|
|
989
|
|
|
||
|
|
|
|
|
|
|
|
|
990
1371
1372
1373
1374
1375
1376
991
1377
993
1379
3631
3641
3651
Char(10)
Char(1)
Yes
Effective User
Changed3
Char(1)
Saved User
Changed3
Char(1)
Real Group
Changed3
Char(1)
Effective Group
Changed3
Char(1)
Saved Group
Changed3
Char(1)
Supplemental
Groups
Changed3
Char(1)
Library list
Number4
Library List
Extension4,5
Library ASP
group
ASP name
ASP number
Bin(4)
N
No
The effective user profile was changed.
Yes
N
No
The saved user profile was changed
Yes
N
No
The real group profile was changed.
Yes
N
No
The effective group profile was changed
Yes
N
No
The saved group profile was changed.
Yes
N
No
The supplemental group profiles were changed.
Yes
Char(2252)
N
No
The number of libraries in the library list
extension field (offset 993).
The extension to the library list for the job.
Char(10)
Library ASP group
Char(10)
Char(5)

This field is blank if the job is on the job queue and has not run.
|
|
|
When the JS audit record is generated because one job performs an operation on another job then this field
will contain data from the initial thread of the job that is being operated on. In all other cases, the field will
contain data from the thread that performed the operation.
This field is used only when entry type (offset 224) is M or T.
This field is used only if the number of libraries in the library list exceeds the size of the field at offset 343.
|
|
This is a variable length field. The first two bytes contain the length of the data in the field.
541

| Table 168. KF (Key Ring File) Journal Entries. QASYKFJ4/J5 Field Description File
|
Offset
| JE
J4
J5
|
|
|
|
224
610
Field
Entry Type
Format
Description
Char(1)

for field listing.
The type of entry.
Certificate operation
Key ring file operation
Password incorrect
|
|
|
|
225
611
Certificate
Operation
Char(3)
T
Trusted root operation
Type of action4.
ADK
Certificate with private key added
ADD
Certificate added
REQ
Certificate requested
|
|
|
|
228
614
Key Ring
Operation
Char(3)
SGN
Certificate signed
Type of action5.
ADD
Key ring pair added
DFT
Key ring pair designated as default.
EXP
Key ring pair exported
IMP
Key ring pair imported
LST
List the key ring pair labels in a file
PWD
Change key ring file password
RMV
Key ring pair removed
INF
Key ring pair information retrieval
|
|
2DB
Key ring file converted to key

database file format
|
|
|
|
|
|
2YR
231
617
Trusted Root
Operation
Char(3)
|
|
|
|
|
|
|
|
|
|
|
|
|
|
542
234
252
620
638
254
640
258
644
260
646
263
266
649
652
Reserved
Object Name
Length
Object Name
CCSID
Object Name
Country or
Region ID
Object Name
Language ID
Reserved
Parent File ID
Key database file converted to key

ring file
Type of action6.
TRS
Key ring pair designated as trusted

root
RMV
Trusted root designation removed
LST
List trusted roots
Char(18)
Binary(4)
Key ring file name length.
Binary(5)
Key ring file name CCSID.
Char(2)
Key ring file name Country or Region ID.
Char(3)
Key ring file name language ID.
Char(3)
Char(16)
Key ring parent directory file ID.

| Table 168. KF (Key Ring File) Journal Entries (continued). QASYKFJ4/J5 Field Description File
|
Offset
| JE
J4
J5
Field
Format
Description
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
282
298
810
828
668
684
1196
1214
Char(16)
Char(512)
Char(18)
Binary(4)
Key ring directory file name.

Key ring file name.
830
1216
Binary(5)
Source or target file name CCSID.
834
1220
Char(2)
Source or target file name Country or Region

ID.
836
1222
Char(3)
Source or target file name language ID.
839
842
858
874
1386
1225
1228
1244
1260
1772
Char(3)
Char(16)
Char(16)
Char(512)
Binary(4)
Source or target parent directory file ID.

Source or target directory file ID.
Source or target file name.
The length of the certificate label.
1388
1774
Char(1026)
The certificate label.
2414
2430
2440
2445
2800
2816
2826
2831
Char(16)
Char(10)
Char(5)
Binary(5)
2449
2835
The file ID of the key ring file.

absolute path name.
The Country or Region ID for the absolute
path name.
2451
2837
2454
2840
2456
2842
Object File ID
Object Name
Reserved
Object Name
length
Object Name
CCSID
Object Name
Country or
Region ID
Object Name
Language ID
Reserved
Parent File ID
Object File ID
Object Name
Certificate
Label Length
Certificate
Label1
Object File ID
ASP Name
ASP Number
Path Name
CCSID
Path Name
Country or
Region ID
Path Name
Language ID
Path Name
Length
Path Name
Indicator
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Char(2)
Source or target file name length.
Char(3)
Binary(4)
Char(1)

Y
The Absolute Path Name field

contains an absolute path name for
the key ring file.
Char(16)

the key ring file.
Char(5002)
The absolute path name of the key ring file.
Char(16)
Char(10)
Char(5)
Binary(5)
The file ID of the source or target file.

Source or target file ASP name
Source or target file ASP number
absolute path name.
path name
2457
2843
2473
2859
7475
7491
7501
7506
7861
7877
7887
7892
7510
7896
Relative File
ID2
Absolute Path
Name1
Object File ID
ASP Name
ASP Number
Path Name
CCSID
Path name
Country or
Region ID
Char(2)
543

| Table 168. KF (Key Ring File) Journal Entries (continued). QASYKFJ4/J5 Field Description File
|
Offset
| JE
J4
J5
Field
Format
Description
|
|
|
|
|
|
|
|
|
7512
7898
Char(3)
7515
7901
Binary(4)
7517
7903
Path Name
Language ID
Path Name
Length
Path Name
Indicator
Char(1)
|
|
|
|
|
|
|

the source or target file.

the source or target file.
7518
7904
7534
7920
Relative File
Char(16)
ID3
Absolute Path Char(5002)
Name1
The absolute path name of the source or target

file.
|
|
When the path name indicator (offset 2456) is N, this field will contain the relative file ID of the absolute
path name at offset 2473. When the path name indicator is Y, this field will contain 16 bytes of hex zeroes.
|
|
The field will be blanks when it is not a certificate operation.
The field will be blanks when it is not a key ring file operation.
|
|
The field will be blanks when it is not a trusted root operation.
| Table 169. LD (Link, Unlink, Search Directory) Journal Entries. QASYLDJE/J4/J5 Field Description File
|
Offset
| JE
J4
J5
| 1
|
|
|
| 156
224
610
Field
Entry Type
Format
Description
Char(1)

See Table 141 on page 501,Table 142 on
page 503, and Table 143 on page 504 for field
listing.
The type of entry.
Link directory
Unlink directory
Search directory
|
| 157
|
|
|
|
|
| 177
|
544
225
611
243
629
245
631
(Reserved
area)
(Reserved
area)
Object Name
Length 1
Object Name
CCSID1
Char(20)
Char(18)
Binary (4)
Binary(5)

object name.

| Table 169. LD (Link, Unlink, Search Directory) Journal Entries (continued). QASYLDJE/J4/J5 Field Description File
|
Offset
| JE
J4
J5
Field
Format
Description
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
181
249
635
Char(2)
183
251
637
Char(3)
186
254
640
189
257
643
205
273
659
221
289
801
817
827
832
675
1187
1203
1213
1218
836
1222
838
1224
841
1227
843
1229
Object Name
Country or
Region ID1
Object Name
Language ID1
(Reserved
area)
Parent File
ID1,2
Object File
ID1,2
Object Name1
Object File ID
ASP Name
ASP Number
Path Name
CCSID
Path Name
Country or
Region ID
Path Name
Language ID
Path Name
Length
Path Name
Indicator
|
|
|
|
|
|
|
Char(3)
Char(16)
Char(16)
Char(512)
Char(16)
Char(10)
Char(5)
Binary(5)

absolute path name.
path name
Char(2)
Char(3)
Binary(4)
Char(1)

Y

the object.
Char(16)

the object.
Char(5002)
844
1230
860
1246
Relative File
ID1
Absolute Path
Name2
|
|
path name. When the path name indicator is Y, this field will contain 16 bytes of hex zeroes.
|
|
| Table 170. ML (Mail Actions) Journal Entries. QASYMLJE/J4/J5 Field Description File
|
Offset
| JE
J4
J5
| 1
|
|
| 156
224
610
225
611
|
| 157
Field
Format
Description
Entry Type
Char(1)

The type of entry.
User Profile
Char(10)
O
Mail log opened
User profile name.
545

| Table 170. ML (Mail Actions) Journal Entries (continued). QASYMLJE/J4/J5 Field Description File
|
Offset
| JE
J4
J5
Field
Format
Description
| 167
| 175
|
235
243
621
629
User ID
Address
Char(8)
Char(8)
User identifier
User address
| Table 171. NA (Attribute Change) Journal Entries. QASYNAJE/J4/J5 Field Description File
|
Offset
JE
J4
J5
|
|
|
|
156
224
610
Field
Entry Type
Format
Description
Char(1)

The type of entry.
|
| 157
| 167
|
| 417
|
|
225
235
611
621
485
871
Attribute
New Attribute
Value
Old Attribute
Value
Char(10)
Char(250)
Char(250)
Change to network attribute.
T
Change to TCP/IP attribute.
The name of the attribute.
The value of the attribute after it was changed.
The value of the attribute before it was
changed.
| Table 172. ND (APPN Directory Search Filter) Journal Entries. QASYNDJE/J4/J5 Field Description File
|
Offset
| JE
J4
J5
| 1
|
|
| 156
224
610
157
225
611
165
233
619
173
241
627
181
249
635
189
257
643
197
265
651
205
273
659
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
546
Field
Format
Description
Entry Type
Char(1)

The type of entry.
Filtered control
point name
Filtered control
point NETID.
Filtered CP
location name
Filtered CP
location
NETID
Partner
location name
Partner
location
NETID
Inbound
session
Char(8)
A
Directory search filter violation
Filtered control point name
Char(8)
Filtered control point NETID.
Char(8)
Filtered CP location name.
Char(8)
Filtered CP location NETID.
Char(8)
Partner location name.
Char(8)
Partner location NETID.
Char(1)
Inbound session.
Y
This is an inbound session
This is not an inbound session

| Table 172. ND (APPN Directory Search Filter) Journal Entries (continued). QASYNDJE/J4/J5 Field Description File
|
Offset
| JE
J4
J5
Field
Format
Description
| 206
|
|
274
660
Outbound
session
Char(1)
Outbound session.
|
|
This is an outbound session
This is not an outbound session
For more information about APPN Directory Search Filter and APPN End point,
see the Information Center (see Prerequisite and related information on page xvi
for details).
| Table 173. NE (APPN End Point Filter) Journal Entries. QASYNEJE/J4/J5 Field Description File
|
Offset
| JE
J4
J5
| 1
|
|
| 156
224
610
157
225
611
165
233
619
173
181
241
249
627
635
|
|
|
|
|
|
|
|
|
|
| 182
|
|
250
636
Field
Format
Description
Entry Type
Char(1)

The type of entry.
Local location
name
Remote
location name
Remote NETID
Inbound
session
Char(8)
A
End point filter violation
Local location name.
Char(8)
Remote location name.
Char(8)
Char(1)
Remote NETID.
Inbound session.
Outbound
session
Char(1)
This is an inbound session
|
|
N
This is not an inbound session
Outbound session.
Y
This is an outbound session
This is not an outbound session
For more information about APPN Directory Search Filter and APPN End point,
see the Information Center (see Prerequisite and related information on page xvi
for details).
| Table 174. OM (Object Management Change) Journal Entries. QASYOMJE/J4/J5 Field Description File
|
Offset
| JE
J4
J5
| 1
|
|
| 156
224
610
Field
Entry Type
Format
Description
Char(1)

The type of entry.
|
|
| 157
|
M
225
611
Old Object
Name
Char(10)
Object moved to a different library.
R
Object renamed.
The old name of the object.
547

| Table 174. OM (Object Management Change) Journal Entries (continued). QASYOMJE/J4/J5 Field Description File
|
Offset
JE
J4
J5
Field
Format
Description
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
167
235
621
Char(10)
The name of the library the old object is in.
177
185
245
253
631
639
Char(8)
Char(10)
The type of object.

The new name of the object.
195
263
649
Char(10)
The name of the library the object was moved

to.
205
273
659
225
235
293
303
679
689
247
315
701
255
323
709
318
386
772
330
398
784
338
406
792
401
469
855
Old Library
Name
Object Type
New Object
Name
New Library
Name
(Reserved
Area)
Office User
Old Folder or
Document
Name
(Reserved
Area)
Old Folder
Path
New Folder or
Document
Name
(Reserved
Area)
New Folder
Path
Office on
Behalf of User
(Reserved
Area)
(Reserved
Area)
Object Name
Length
Object Name
CCSID1
Object Name
Country or
Region ID1
Object Name
Language ID1
(Reserved area)
Old Parent File
ID1,2
Old Object File
ID1,2
Old Object
Name1
New Parent
File ID1,2
New Object
1, 2 ,6
Name
Object File
ID1,2
ASP Name7
411
479
865
497
883
431
499
885
435
503
889
437
505
891
440
443
508
511
894
897
459
527
913
475
543
929
987
1055
1441
1003
1071
1457
1583
1969
1599
1985
548
Char(20)
Char(10)
Char(12)

The old name of the folder or document.
Char(8)
Char(63)
The old path of the folder.
Char(12)
The new name of the folder or document.
Char(8)
Char(63)
The new path of the folder.
Char(10)
Char(20)
Char (18)
Binary (4)
The length of the old object name field.
Binary(5)
Char(2)

name.
Char(3)
Char(3)
Char(16)
The file ID of the old parent directory.
Char(16)
The file ID of the old object.
Char(512)
The name of the old object.
Char(16)
The file ID of the new parent directory.
Char(512)
The new name of the object.
Char(16)
Char(10)

|
Offset
| JE
J4
J5
Field
Format
Description
|
|
|
|
|
|
|
|
|
|
|
|
|
|
1609
1614
1995
2000
Char(5)
Binary(5)
1618
2004

absolute path name.
name
1620
2006
1623
2009
1625
2011
ASP Number7
Path Name
CCSID
Path Name
Country or
Region ID
Path Name
Language ID
Path Name
Length
Path Name
Indicator
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Char(2)
Char(3)
Binary(4)
Char(1)

Y

Char(16)

object.
Char(5002)
The old absolute path name of the object.
Char(16)
Char(10)
Char(5)
Binary(5)

absolute path name.
name
1626
2012
1642
2028
6644
6660
6670
6675
7030
7046
7056
7061
6679
7065
6681
7067
6684
7070
6686
7072
Relative File
ID3
Absolute Path
Name5
Object File ID
ASP Name8
ASP Number8
Path Name
CCSID
Path Name
Country or
Region ID
Path Name
Language ID
Path Name
Length
Path Name
Indicator
Char(2)
Char(3)
Binary(4)
Char(1)

Y

Char(16)

object.
Char(5002)
The new absolute path name of the object.
6687
7073
6703
7089
Relative File
ID4
Absolute Path
Name5
549

|
Offset
JE
|
|
|
|
|
|
There is no associated length field for this value. The string is null padded unless it is the full 512 characters
long.
|
|
If the old object is in a library, this is the ASP information of the objects library. If the old object is not in a
library, this is the ASP information of the object.
|
|
|
If the new object is in a library, this is the ASP information of the objects library. If the new object is not in a
library, this is the ASP information of the object.
J4
J5
Field
Format
Description
| Table 175. OR (Object Restore) Journal Entries. QASYORJE/J4/J5 Field Description File
|
Offset
| JE
J4
J5
| 1
|
|
| 156
224
610
Field
Entry Type
Format
Description
Char(1)

The type of entry.
|
|
|
|
| 157
|
| 167
|
| 177
| 185
|
| 195
|
| 205
|
|
E
225
611
235
621
245
253
631
639
263
649
273
659
Restored
Object Name
Restored
Library Name
Object Type.
Save Object
Name
Save Library
Name
Program State1
Char(10)
An existing object was restored to the

system.
The name of the restored object.
Char(10)
The name of the library of the restored object.
Char(8)
Char(10)
The type of object.

The name of the save object.
Char(10)
The name of the library from which the object

was saved.
Char(1)
|
|
| 206
||
|
| 207
|
550
274
660
System
Command
(Reserved
Area)
A new object was restored to the

system.
Char(1)
2
Char(18)
An inherit state program was

restored.
A system state program was restored.
A user state program was restored.
A system command was restored.
A user state command was restored.

| Table 175. OR (Object Restore) Journal Entries (continued). QASYORJE/J4/J5 Field Description File
|
Offset
| JE
J4
J5
Field
Format
Description
275
661
SETUID Mode
Char(1)
The SETUID mode indicator.
|
|
|
|
|
N
276
662
SETGID Mode
Char(1)
The SETUID mode bit for the restored

object is not on.
The SETGID mode indicator.
|
|
|
|
|
|
|
N
277
663
Signature
Status
Char(1)
The SETUID mode bit for the restored

object is on.
The SETGID mode bit for the restored

object is on.
The SETGID mode bit for the restored

object is not on.
The signature status of the restored object.
Signature was not in OS/400 format
Signature exists but is not verified
|
|
Signature does not match object

content
Signature ignored
Unsignable object
Object unsigned
Signature is valid
|
|
| 225
| 235
|
| 247
|
| 255
|
| 318
|
| 330
|
| 338
|
| 401
|
| 411
|
|
|
|
|
| 431
|
| 435
|
|
| 437
|
278
293
303
664
679
689
315
701
323
709
386
772
398
784
406
792
469
855
479
865
497
883
499
885
503
889
505
891
Reserved
Office User
Restore DLO
Name
(Reserved
Area)
Restore Folder
Path
Save DLO
Name
(Reserved
Area)
Save Folder
Path
Office on
Behalf of User
(Reserved
Area)
(Reserved
Area)
Object Name
Length
Object Name
CCSID3
Object Name
Country or
Region ID3
Object Name
Language ID3
Char(15)
Char(10)
Char(12)

The document library object name of the
restored object.
Char(8)
Char(63)
The folder into which the DLO was restored.
Char(12)
The DLO name of the saved object.
Char(8)
Char(63)
The folder from which the DLO was saved.
Char(10)
Char(20)
Char(18)
Binary (4)
The length of the Old Object Name field.
Binary(5)
Char(2)

object name.
Char(3)
551

| Table 175. OR (Object Restore) Journal Entries (continued). QASYORJE/J4/J5 Field Description File
|
Offset
| JE
J4
J5
Field
Format
| 440
|
| 443
|
| 459
|
| 475
|
|
|
508
894
Char(3)
511
897
527
913
543
1055
1071
929
1441
1457
(Reserved
area)
Parent File
ID3,4
Object File
ID3,4
Object Name3
Old File ID
Media File ID
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Description
Char(16)
Char(16)
Char(512)
Char(16)
Char(16)

The file ID for the old object.
The file ID (FID) that was stored on the media
file.
The FID stored on the media is the
FID the object had on the source
system.
absolute path name.
path name
Note:
|
|
|
|
|
|
|
1087
1103
1113
1118
1473
1489
1499
1504
1122
1508
1124
1510
1127
1513
1129
1515
Object File ID
ASP Name7
ASP Number7
Path Name
CCSID
Path Name
Country or
Region ID
Path Name
Language ID
Path Name
Length
Path Name
Indicator
Char(16)
Char(10)
Char(5)
Binary(5)
Char(2)
Char(3)
Binary(4)
Char(1)

Y

the object.
Char(16)

the object.
Char(5002)
1130
1516
1146
1532
Relative File
ID5
Absolute Path
Name6
This field has an entry only if the object being restored is a program.
This field has an entry only if the object being restored is a command.
These fields are used only for objects in the QOpenSys file system and the "root" file system.
|
|
|
|
|
552

| Table 176. OW (Ownership Change) Journal Entries. QASYOWJE/J4/J5 Field Description File
|
Offset
| JE
J4
J5
| 1
|
|
| 156
224
610
157
167
177
185
195
205
225
235
245
253
263
273
611
621
631
639
649
659
225
235
247
293
303
315
679
689
701
255
318
323
386
709
772
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
328
396
782
414
800
348
416
802
352
420
806
354
422
808
357
360
425
428
811
814
376
444
830
392
460
972
988
998
1003
846
1358
1374
1384
1389
1007
1393
1009
1395
1012
1398
Field
Format
Description
Entry Type
Char(1)

The type of entry.
Object Name
Library Name
Object Type
Old Owner
New Owner
(Reserved
Area)
Office User
DLO Name
(Reserved
Area)
Folder Path
Office on
Behalf of User
(Reserved
Area)
(Reserved
Area)
Object Name
Length
Object Name
CCSID1
Object Name
Country or
Region ID1
Object Name
Language ID1
(Reserved area)
Parent File
ID1,2
Object File
ID1,2
Object Name1
Object File ID
ASP Name5
ASP Number5
Path Name
CCSID
Path Name
Country or
Region ID
Path Name
Language ID
Path Name
Length
Char(10)
Char(10)
Char(8)
Char(10)
Char(10)
Char(20)
A
Change of object owner
The type of object.
Old owner of the object.
New owner of the object.
Char(10)
Char(12)
Char(8)

Char(63)
Char(10)

Char(20)
Char(18)
Binary (4)
The length of the new object name.
Binary(5)
Char(2)

name.
Char(3)
Char(3)
Char(16)
Char(16)
Char(512)
Char(16)
Char(10)
Char(5)
Binary(5)

absolute path name.
name
Char(2)
Char(3)
Binary(4)
553

| Table 176. OW (Ownership Change) Journal Entries (continued). QASYOWJE/J4/J5 Field Description File
|
Offset
| JE
J4
J5
Field
Format
Description
|
|
|
|
1014
1400
Path Name
Indicator
Char(1)
|
|
|
|
|
|
|

Char(16)

object.
Char(5002)
1015
1401
1031
1417
Relative File
ID3
Absolute Path
Name4
These fields are used only for objects in the QOpenSys file system and the "root" file system.
|
|
|
|
|
| Table 177. O1 (Optical Access) Journal Entries. QASY01JE/J4/J5 Field Description File
|
Offset
| JE
J4
J5
| 1
|
|
| 156
|
224
610
Field
Format
Description
Entry Type
Char(1)
R-Read
U-Update
D-Delete
C-Create Dir
|
| 157
|
225
611
Object Type
Char(1)
|
| 158
|
226
612
Access Type
Char(1)
227
237
245
255
287
613
623
631
641
673
929
939
Device Name
CSI Name
CSI Library
Volume Name
Object Name
ASP name
ASP number
Char(10)
Char(8)
Char(10)
Char(32)
Char(256)
Char(10)
Char(5)
|
|
|
|
|
|
|
|
159
169
177
187
219
554
X-Release Held File

F-File
D-Directory End
D-File Data
A-File Directory Attributes
Library LUD name
Side Object Name
Side Object Library
Optical volume name
Optical directory/file name
ASP name for CSI library
ASP number for CSI library

| Table 177. O1 (Optical Access) Journal Entries (continued). QASY01JE/J4/J5 Field Description File
|
Offset
JE
|
|
|
|
|
|
|
Note: This entry is used to audit the following optical functions:
J4
J5
Field
Format
Description
Open File or Directory

Create Directory
Delete File Directory
Change or Retrieve Attributes
Release Held Optical File
|
Offset
| JE
J4
J5
| 1
|
|
| 156
|
224
610
Field
Format
Description
Entry Type
Char(1)
C-Copy
R-Rename
B-Backup Dir or File
S-Save Held File
|
| 157
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
M-Move File
225
611
Object Type
Char(1)
158
226
612
Char(10)
D-Directory
Source library LUD name
168
176
236
244
622
630
Char(8)
Char(10)
Source Side Object Name

Source Side Object Library
186
254
640
Char(32)
Source Optical volume name
218
474
286
542
672
928
Char(256)
Char(10)
Source Optical directory/file name

Target library LUD name
484
492
552
560
938
946
Char(8)
Char(10)
Target Side Object Name

Target Side Object Library
502
570
956
Char(32)
Target Optical volume name
534
602
988
1244
1254
1259
Src Device
Name
Src CSI Name
Src CSI
Library
Src Volume
Name
Src Obj Name
Tgt Device
Name
Tgt CSI Name
Tgt CSI
Library
Tgt Volume
Name
Tgt Obj Name
ASP name
ASP number
ASP name for
target CSI
library
ASP number
for target CSI
library
Char(256)
Char(10)
Char(5)
Char(10)
Target Optical directory/file name

ASP name for source CSI library
ASP number for source CSI library
ASP name for target CSI library
Char(5)
ASP number for target CSI library
1269
F-File
555

|
Offset
| JE
J4
J5
| 1
|
|
| 156
|
224
610
Field
Format
Description
Entry Type
Char(1)
I-Initialize
N-Rename
B-Backup Volume
|
|
C-Convert Backup Volume to

Primary
M-Import
E-Export
L-Change Auth. List
A-Change Volume Attributes
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
157
167
175
185
225
235
243
253
611
621
629
639
217
285
671
249
317
703
Device Name
CSI Name
CSI Library
Old Volume
Name
New Volume
Name 1
Old Auth List
Char(10)
Char(8)
Char(10)
Char(32)
R-Absolute Read
Library LUD name
Side Object Name
Side Object Library
Old Optical voulume name
Char(32)
New Optical volume name
Char(10)
Old Authorization List
Char(10)
New Authorization List
Binary(5)
Binary(5)
Char(10)
Char(5)
Starting Block
Length read
ASP name for CSI library
ASP number for CSI library
259
327
713
269
273
337
341
723
727
731
741
New Auth
List 3
Address 4
Length 4
ASP name
ASP number
|
|
|
This field contains the new volume name for Initialize, Rename, and Convert functions; it contains the
backup bolume name for Backup functions. It contains volume name for Import, Export, Change
Authorization List, Change Volume Attributes, and Sector Read.
Used for Import, Export, and Change Authorization List only.
Used for Change Authorization List only.
|
|
Used for Sector Read only.
| Table 180. PA (Program Adopt) Journal Entries. QASYPAJE/J4/J5 Field Description File
|
Offset
| JE
J4
J5
| 1
|
|
556
Field
Format
Description

| Table 180. PA (Program Adopt) Journal Entries (continued). QASYPAJE/J4/J5 Field Description File
|
Offset
| JE
J4
J5
Field
Format
Description
| 156
224
610
Entry Type
Char(1)
The type of entry.
|
|
Change program to adopt owners

authority.
Java program adopts owners authority.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Modify objects SETUID or SETGID

mode indicator.
The name of the program.
The name of the library where the program is
found.
The type of object.
The name of the owner.
M
157
167
225
235
611
621
177
185
245
253
263
281
631
639
649
667
283
669
287
673
289
675
292
295
311
327
839
678
681
697
713
1225
Program Name3
Program
Library3
Object Type
Owner
Reserved
Object Name
Length1
Object Name
CCSID1
Object Name
Country or
Region ID
Object Name
Language ID1
Reserved
Parent ID1, 2, 3
Object File ID 3
Object Name1
SETUID Mode
Char(10)
Char(10)
Char(8)
Char(10)
Char(18)
Binary (4)
Binary(5)
Char(2)

name.
Char(3)
Char(3)
Char(16)
Char(16)
Char(512)
Char(1)
Parent File ID.

File ID for the object
Object name for the object.
The SETUID mode indicator.
|
|
|
|
|
N
840
1226
SETGID Mode
Char(1)
The SETUID mode bit is not on for the

object.
The SETGID mode indicator.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
N
841
1227
851
867
877
882
1237
1253
1263
1268
886
1272
888
1274
891
1277
Primary Group
Owner
Object File ID
ASP Name6
ASP Number6
Path Name
CCSID
Path Name
Country or
Region ID
Path Name
Language ID
Path Name
Length
Char(10)
Char(16)
Char(10)
Char(5)
Binary(5)
Char(2)
The SETUID mode bit is on for the

object.
The SETGID mode bit is on for the

object.
The SETGID mode bit is not on for the

object.
The name of the primary group owner.

path name.
name
Char(3)
Binary(4)
557

| Table 180. PA (Program Adopt) Journal Entries (continued). QASYPAJE/J4/J5 Field Description File
|
Offset
| JE
J4
J5
Field
Format
Description
|
|
|
|
893
1279
Path Name
Indicator
Char(1)
|
|
|
|
|
|


object.
894
910
1280
1296
Relative File ID4 Char(16)

Absolute Path
Char(5002)
Name5
These fields are used only for objects in the QOpenSys and "root" file systems.
|
|
When the entry type is J, the program name and the library name fields will contain *N. In addition, the
parent file ID and the object file ID fields will contain binary zeroes.
|
|
|
|
|
| Table 181. PG (Primary Group Change) Journal Entries. QASYPGJE/J4/J5 Field Description File
|
Offset
JE
J4
J5
|
|
|
|
156
224
610
157
167
177
185
225
235
245
253
611
621
631
639
195
263
649
205
273
659
Object Existence Char(1)
206
274
660
207
275
661
208
276
662
Object
Management
Object
Operational
Object Alter
209
277
663
210
278
664
|
|
|
|
|
|
|
|
|
|
|
|
||
|
||
|
|
|
||
|
Field
Format
Description
Entry Type
Char(1)

The type of entry.
Object Name
Object Library
Object Type
Old Primary
Group
New Primary
Group
Char(10)
Char(10)
Char(8)
Char(10)
A
The
The
The
The
Char(10)
The new primary group for the object.
Change primary group.

name of the object.
name of the library where the object is found.
type of object.
previous primary group for the object.5
Authorities for new primary group:
558
Char(1)
Char(1)
Char(1)
Object
Char(1)
Reference
(Reserved Area) Char(10)
*OBJEXIST
*OBJMGT
*OBJOPR
*OBJALTER
*OBJREF

| Table 181. PG (Primary Group Change) Journal Entries (continued). QASYPGJE/J4/J5 Field Description File
|
Offset
| JE
J4
J5
Field
Format
|
||
|
|
|
|
|
|
||
|
||
|
||
|
|
||
|
||
|
220
288
674
Char(1)
221
289
675
Authorization
List
Management
Read Authority
222
290
676
Add Authority
Char(1)
223
291
677
Char(1)
224
292
678
225
293
679
226
236
294
304
680
690
237
305
691
Update
Authority
Delete
Authority
Execute
Authority
(Reserved Area)
Exclude
Authority
Revoke Old
Primary Group
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Char(1)
Char(1)
Char(1)
Char(10)
Char(1)
Char(1)
238
258
268
306
326
336
692
712
722
(Reserved Area) Char (20)

Office User
Char(10)
DLO Name
Char(12)
280
288
351
348
356
419
734
742
805
429
447
815
833
381
449
835
385
453
839
387
455
841
390
393
409
425
458
461
477
493
1005
1035
844
847
863
879
1391
1407
1417
1422
1040
1426
(Reserved Area)
Folder Path
Office on Behalf
of User
(Reserved Area)
(Reserved Area)
Object Name
Length1
Object Name
CCSID1
Object Name
Country or
Region ID1
Object Name
Language ID1
(Reserved area)
Parent File ID1,2
Object File ID1,2
Object Name1
Object File ID
ASP Name6
ASP Number6
Path Name
CCSID
Path Name
Country or
Region ID
361
Description
Y
*AUTLMGT
*READ
*ADD
*UPD
*DLT
*EXECUTE
*EXCLUDE
Revoke authority for previous primary

group.
Do not revoke authority for previous

primary group.

The name of the document library object or
folder.
Char(8)
Char(63)
Char(10)

Char(20)
Char(18)
Binary (4)
Binary(5)
Char(2)

name.
Char(3)
Char(3)
Char(16)
Char(16)
Char(512)
Char(16)
Char(10)
Char(5)
Binary(5)
Char(2)

path name.
name
559

| Table 181. PG (Primary Group Change) Journal Entries (continued). QASYPGJE/J4/J5 Field Description File
|
|
Offset
JE
|
|
|
|
|
|
|
|
|
|
|
|
|
|
J4
J5
Field
Format
Description
1042
1428
Char(3)
1045
1431
Binary(4)
1047
1433
Path Name
Language ID
Path Name
Length
Path Name
Indicator
Char(1)


object.
1048
1064
1434
1450

Absolute Path
Char(5002)
Name4
|
|
A value of *N implies the value of the Old Primary Group was not available.
|
|
|
| Table 182. PO (Printer Output) Journal Entries. QASYPOJE/J4/J5 Field Description File
|
Offset
JE
`J4
J5
|
|
|
|
156
224
610
Field
Output Type
Format
Description
Char(1)

The type of output.
Direct print
Sent to remote system for printing
Spooled file printed
Deleted after printed
Held after printed
Saved after printed
|
| 157
||
|
225
611
Status After
Printing
Char(1)
|
|
|
|
|
|
|
|
|
158
168
178
184
194
204
560
226
236
246
252
262
272
612
622
632
638
648
658
Job Name
Job User Name
Job Number
User Profile
Output Queue
Output Queue
Library Name
Char(10)
Char(10)
Zoned(6,0)
Char(10)
Char(10)
Char(10)
' '
Direct print
The first part of the qualified job name.
The second part of the qualified job name.
The third part of the qualified job name.
The user profile that created the output.
The output queue containing the spooled file.1
The name of the library containing the output
queue.1

| Table 182. PO (Printer Output) Journal Entries (continued). QASYPOJE/J4/J5 Field Description File
|
Offset
| JE
`J4
J5
Field
Format
Description
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
214
224
228
232
282
292
296
300
668
678
682
686
Char(10)
Char(4)
Char(4)
Char(10)
242
310
696
Char(10)
The device where the output was printed2.

The type of printer device2.
The model of the printer device2.
The name of the device file used to access the
printer.
The name of the library for the device file.
252
320
706
Char(10)
The name of the spooled file
262
330
716
Char(4)
266
276
286
334
344
720
730
The number of the spooled file 1. Set to blank if too

long.
The form type of the spooled file.
The user data associated with the spooled file 1.
354
740
306
360
374
746
760
Device Name
Device Type
Device Model
Device File
Name
Device File
Library
Spooled File
Name
Short Spooled
File Number
Form Type
User Data
(Reserved area)
Spooled File
Number
Reserved Area
Remote System
561
629
1015
757
1143
765
1151
772
1158
1164
1174
Remote System
Print Queue
Spooled File
Job system
Name
Spooled File
Create Date
Spooled File
Create Time
ASP Name
ASP number
Char(10)
Char(10)
Char(20)
Char(6)
Char(14)
Char(255)
Char(128)
The number of the spooled file.
Name of the remote system to which printing was

sent.
The name of the output queue on the remote system.
Char (8)
The name of the system on which the spooled file

resides.
Char (7)
The spooled file create date (CYYMMDD)
Char(6)
The spooled file create time (HHMMSS).
Char(10)
Char(5)
ASP name for the device library

ASP number for device file library
This field is blank if the type of output is direct print.
|
|
This field is blank if the type of output is remote print.
| Table 183. PS (Profile Swap) Journal Entries. QASYPSJE/J4/J5 Field Description File
|
Offset
| JE
J4
J5
| 1
|
|
Field
Format
Description
561

| Table 183. PS (Profile Swap) Journal Entries (continued). QASYPSJE/J4/J5 Field Description File
|
Offset
| JE
J4
J5
Field
Format
Description
| 156
224
610
Entry Type
Char(1)
The type of entry.
Profile swap during pass-through.
End work on behalf of relationship.
|
|
Profile handle generated by the

QSYGETPH API.
All profile tokens were invalidated
|
|
Maximum number of profile tokens have

been generated.
Profile token generated for user.
|
|
All profile tokens for a user have been

removed.
Start work on behalf of relationship
|
| 157
| 167
|
| 175
|
| 185
|
| 195
|
| 205
|
| 215
|
|
225
235
611
621
243
629
253
639
263
649
273
659
283
669
User Profile
Source
Location
Original Target
User Profile
New Target
User Profile
Office User
Char(10)
Char(8)
V
User profile authenticated
User profile name.
Pass-through source location.
Char(10)
Original pass-through target user profile.
Char(10)
New pass-through target user profile.
Char(10)
On Behalf of
User
Profile Token
Type
Char(10)
Office user starting or ending on behalf of

relationship.
User on behalf of whom the office user is
working.
The type of the profile token that was generated.
Char(1)
|
|
|
|
|
216
284
670
Profile Token
Timeout
Binary(4)
Multiple-use profile token
Multiple-use regenerated profile token
S
Single-use profile token
The number of seconds the profile token is valid.
| Table 184. PW (Password) Journal Entries. QASYPWJE/J4/J5 Field Description File

|
Offset
Description
JE
J4
J5
|
|
|
562
Field
Format

| Table 184. PW (Password) Journal Entries (continued). QASYPWJE/J4/J5 Field Description File
|
Offset
Description
JE
J4
J5
Field
|
|
|
156
224
610
Violation Entry Char(1)

Type
Format
The type of violation
A
APPC bind failure
Service tools user ID name not valid
|
|
Service tools user ID password not

valid
Password not valid
User name not valid
Service tools user ID is disabled
Service tools user ID not valid
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Z
157
225
611
User Name
Char(10)
167
235
621
Device name
Char(40)
207
275
661
215
283
669
223
291
677
Remote
Char(8)
Location Name
Local Location Char(8)
Name
Network ID
Char(8)
Service tools user ID password not

valid
The job user name or the service tools user ID
name.
The name of the device or communications
device on which the password or user ID was
entered. If the entry type is X, Y, or Z, this field
will contain the name of the service tool being
accessed.
Name of the remote location for the APPC bind.
Name of the local location for the APPC bind.
Network ID for the APPC bind.
| Table 185. RA (Authority Change for Restored Object) Journal Entries. QASYRAJE/J4/J5 Field Description File
|
Offset
| JE
J4
J5
| 1
|
|
| 156
224
610
|
|
|
|
|
|
|
|
||
|
||
|
||
|
|
|
Field
Entry Type
Format
Description
Char(1)

The type of entry.
A
157
167
177
185
225
235
245
253
611
621
631
639
195
263
649
196
264
650
197
265
651
198
266
652
Object Name
Library Name
Object Type
Authorization
List Name
Public
Authority
Private
Authority
AUTL
Removed
Char(10)
Char(10)
Char(8)
Char(10)
(Reserved
Area)
Char(20)
Char(1)
Char(1)
Char(1)
The
The
The
The
Changes to authority for object

restored
name of the object.
name of the library the object is in.
type of object.
name of the authorization list.
Public authority set to *EXCLUDE.
Private authority removed.
Authorization list removed from

object.
563

| Table 185. RA (Authority Change for Restored Object) Journal Entries (continued). QASYRAJE/J4/J5 Field
| Description File
|
Offset
| JE
J4
J5
Field
Format
Description
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
218
230
286
298
672
684
Char(12)
Char(8)
238
306
692
DLO Name
(Reserved
Area)
Folder Path
Char(63)
The folder containing the document library

object.
(Reserved
Area)
(Reserved
Area)
Object Name
Length
Object Name
CCSID1
Object Name
Country or
Region ID1
Object Name
Language ID1
(Reserved
area)
Parent File
ID1,2
Object File
ID1,2
Object Name1
Object File ID
ASP Name5
ASP Number5
Path Name
CCSID
Path Name
Country or
Region ID
Path Name
Language ID
Path Name
Length
Path Name
Indicator
Char(20)
301
369
755
387
773
321
389
775
325
393
779
327
395
781
330
398
784
333
401
787
349
417
803
365
433
945
961
971
976
819
1331
1347
1357
1362
980
1366
982
1368
985
1371
987
1373
|
|
|
|
|
|
|
Char(18)
Binary(4)
Binary(5)
Char(2)

object name.
Char(3)
Char(3)
Char(16)
Char(16)
Char(512)
Char(16)
Char(10)
Char(5)
Binary(5)

absolute path name.
path name
Char(2)
Char(3)
Binary(4)
Char(1)

Y

the object.
Char(16)

the object.
Char(5002)
564
988
1374
1004
1390
Relative File
ID3
Absolute Path
Name4

| Table 185. RA (Authority Change for Restored Object) Journal Entries (continued). QASYRAJE/J4/J5 Field
| Description File
|
Offset
| JE
J4
J5
Field
Format
Description
|
|
|
|
|
| Table 186. RJ (Restoring Job Description) Journal Entries. QASYRJJE/J4/J5 Field Description File
|
Offset
| JE
J4
J5
| 1
|
|
| 156
224
610
|
|
|
|
|
|
|
|
|
|
|
|
|
Field
Entry Type
Format
Description
Char(1)

The type of entry.
Restoring a job description that had a
user profile specified in the USER
parameter.
The name of the job description restored.
157
225
611
167
235
621
Job Description Char(10)

Name
Library Name Char(10)
177
185
245
253
631
639
Object Type
User Name
Char(8)
Char(10)
649
659
ASP name
ASP number
Char(10)
Char(5)
The name of the library the job description

was restored to.
The type of object.
The name of the user profile specified in the
job description.
| Table 187. RO (Ownership Change for Restored Object) Journal Entries. QASYROJE/J4/J5 Field Description File
|
Offset
| JE
J4
J5
| 1
|
|
| 156
224
610
|
|
|
|
|
|
|
Field
Entry Type
Format
Description
Char(1)

The type of entry.
Restoring objects that had ownership
changed when restored
The type of object.
The name of the owner before ownership was
changed.
A
157
167
177
185
225
235
245
253
611
621
631
639
Object Name
Library Name
Object Type
Old Owner
Char(10)
Char(10)
Char(8)
Char(10)
565

| Table 187. RO (Ownership Change for Restored Object) Journal Entries (continued). QASYROJE/J4/J5 Field
| Description File
|
Offset
JE
J4
J5
Field
Format
Description
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
195
263
649
New Owner
Char(10)
The name of the owner after ownership was

changed.
205
273
659
Char(20)
225
237
293
305
679
691
245
308
313
699
376
762
394
780
328
396
782
332
400
786
334
402
788
337
405
791
340
408
794
356
424
810
372
440
952
968
978
983
826
1338
1354
1364
1369
987
1373
989
1375
992
1378
994
1380
(Reserved
Area)
DLO Name
(Reserved
Area)
Folder Path
(Reserved
Area)
(Reserved
Area)
Object Name
Length1
Object Name
CCSID1
Object Name
Country or
Region ID1
Object Name
Language ID1
(Reserved
area)
Parent File
ID1,2
Object File
ID1,2
Object Name1
Object File ID
ASP Name5
ASP Number5
Path Name
CCSID
Path Name
Country or
Region ID
Path Name
Language ID
Path Name
Length
Path Name
Indicator
|
|
|
|
|
|
|
Char(12)
Char(8)
Char(63)
Char(20)
The folder into which the object was restored.
Char(18)
Binary(4)
Binary(5)
Char(2)

name.
Char(3)
Char(3)
Char(16)
Char(16)
Char(512)
Char(16)
Char(10)
Char(5)
Binary(5)

absolute path name.
name
Char(2)
Char(3)
Binary(4)
Char(1)

Y

Char(16)

object.
Char(5002)
566
995
1381
1011
1397
Relative File
ID3
Absolute Path
Name4

| Table 187. RO (Ownership Change for Restored Object) Journal Entries (continued). QASYROJE/J4/J5 Field
| Description File
|
Offset
JE
|
|
|
|
|
J4
J5
Field
Format
Description
| Table 188. RP (Restoring Programs that Adopt Authority) Journal Entries. QASYRPJE/J4/J5 Field Description File
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Offset
JE
1
J4
1
J5
1
Field
Format
156
224
610
Entry Type
Char(1)
Description
The type of entry.
Restoring programs that adopt the
owners authority
The name of the program
The name of the library in which the program is
located
The type of object
Name of the owner
A
157
167
225
235
611
621
177
185
245
253
263
281
631
639
649
667
283
669
287
673
289
675
292
295
311
327
839
855
865
870
678
681
697
713
1225
1241
1251
1256
874
1260
876
1262
Program Name
Program
Library
Object Type
Owner Name
(Reserved Area)
Object Name
Length1
Object Name
CCSID1
Object Name
Country or
Region ID1
Object name
Language ID1
(Reserved Area)
Parent File ID1,2
Object File ID1,2
Object Name1
Object File ID
ASP Name5
ASP Number5
Path Name
CCSID
Path Name
Country or
Region ID
Path Name
Language ID
Char(10)
Char(10)
Char(8)
Char(10)
Char(18)
Binary (4)
Binary (5)
Char (2)

name.
Char (3)
Char (3)
Char (16)
Char (16)
Char (512)
Char(16)
Char(10)
Char(5)
Binary(5)
Char(2)
Char(3)

path name.
name
567

| Table 188. RP (Restoring Programs that Adopt Authority) Journal Entries (continued). QASYRPJE/J4/J5 Field
| Description File
|
Offset
| JE
|
|
|
|
|
|
|
|
|
|
|
|
J4
879
J5
1265
881
1267
Field
Path Name
Length
Path Name
Indicator
Format
Binary(4)
Description
Char(1)

Y


object.
882
898
1268
1284

Absolute Path
Char(5002)
Name4
These fields are used only for objects in the QOpenSys and the root file system.
If an ID that has the left-most bit set and the rest of the bits are zero, the ID is not set.
|
|
|
|
|
| Table 189. RQ (Restoring Change Request Descriptor Object) Journal Entries. QASYRQJE/J4/J5 Field Description
| File
|
Offset
| JE
J4
J5
| 1
|
|
| 156
224
610
|
|
| 157
| 167
|
| 177
|
|
|
Field
Entry Type
Format
Description
Char(1)

The type of entry.
Restore *CRQD object that adopts
authority.
The name of the change request descriptor.
The name of the library where the change request
descriptor is found.
The type of object.
ASP name for CRQD library
ASP number for CRQD library
A
225
235
611
621
Object Name
Object Library
Char(10)
Char(10)
245
631
639
649
Object Type
ASP name
ASP number
Char(8)
Char(10)
Char(5)
| Table 190. RU (Restore Authority for User Profile) Journal Entries. QASYRUJE/J4/J5 Field Description File
|
Offset
JE
J4
J5
|
|
|
|
156
224
610
Field
Entry Type
Format
Description
Char(1)

The type of entry.
A
568
Restoring authority to user profiles

| Table 190. RU (Restore Authority for User Profile) Journal Entries (continued). QASYRUJE/J4/J5 Field Description
| File
|
Offset
| JE
J4
J5
Field
Format
Description
| 157
|
| 167
| 177
|
|
225
611
User Name
Char(10)
235
245
253
621
631
639
Library Name
Object Type
Authority
Restored
Char(10)
Char(8)
Char(1)
The name of the user profile whose authority was

restored.
The type of object.
Indicates whether all authorities were restored for
the user.
All authorities were restored
|
|
Some authorities not restored
| Table 191. RZ (Primary Group Change for Restored Object) Journal Entries. QASYRZJE/J4/J5 Field Description File
|
Offset
| JE
J4
J5
| 1
|
|
| 156
224
610
157
167
225
235
177
185
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Field
Format
Description
Entry Type
Char(1)

The type of entry.
611
621
Object Name
Object Library
Char(10)
Char(10)
245
253
631
639
Char(8)
Char(10)
195
263
649
Char(10)
The new primary group for the object.
205
273
659
225
237
293
305
679
691
245
308
313
699
376
762
394
780
328
396
782
332
400
786
334
402
788
337
405
791
340
408
794
Object Type
Old Primary
Group
New Primary
Group
(Reserved
Area)
DLO Name
(Reserved
Area)
Folder Path
(Reserved
Area)
(Reserved
Area)
Object Name
Length1
Object Name
CCSID1
Object Name
Country or
Region ID1
Object Name
Language ID1
(Reserved
area)
Parent File
ID1,2
A
Primary group changed.
The name of the library where the object is
found.
The type of object.
The previous primary group for the object.
Char(20)
Char(12)
Char(8)
Char(63)
Char(20)
The folder into which the object was restored.
Char(18)
Binary(4)
Binary(5)
Char(2)

name.
Char(3)
Char(3)
Char(16)
569

| Table 191. RZ (Primary Group Change for Restored Object) Journal Entries (continued). QASYRZJE/J4/J5 Field
| Description File
|
|
Offset
JE
| 356
|
| 372
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
J4
J5
Field
Format
Description
424
810
Char(16)
440
952
968
978
983
826
1338
1354
1364
1369
Char(512)
Char(16)
Char(10)
Char(5)
Binary(5)
987
1373

absolute path name.
name
989
1375
992
1378
994
1380
Object File
ID1,2
Object Name1
Object File ID
ASP Name
ASP Number
Path Name
CCSID
Path Name
Country or
Region ID
Path Name
Language ID
Path Name
Length
Path Name
Indicator
Char(2)
Char(3)
Binary(4)
Char(1)

Y

Char(16)

the object.
Char(5002)
995
1381
1011
1397
Relative File
ID3
Absolute Path
Name4
|
|
|
|
| Table 192. SD (Change System Distribution Directory) Journal Entries. QASYSDJE/J4/J5 Field Description File
|
Offset
| JE
J4
J5
| 1
|
|
| 156
224
610
Field
Entry Type
Format
Description
Char(1)

The type of entry.
S
570
System directory change

| Table 192. SD (Change System Distribution Directory) Journal Entries (continued). QASYSDJE/J4/J5 Field
| Description File
|
Offset
| JE
J4
J5
Field
Format
| 157
||
|
225
611
Type of
Change
Char(3)
Description
ADD
Add directory entry
CHG
Change directory entry
COL
Collector entry
DSP
Display directory entry
OUT
Output file request
PRT
Print directory entry
RMV
Remove directory entry
RNM
Rename directory entry
RTV
Retrieve details
SUP
Supplier entry
DIRE
Directory
DPTD
Department details
SHDW Directory shadow
|
| 160
|
|
| 164
|
| 172
| 182
|
| 190
||
|
|
228
614
232
618
240
250
626
636
258
644
Type of record
Originating
System
User Profile
Requesting
system
Function
Requested
Char(4)
Char(8)
SRCH Directory search

The system originating the change
Char(10)
Char(8)
The user profile making the change

The system requesting the change
Char(6)
INIT
Initialization
OFFLIN
Offline initialization
|
|
REINIT
|
|
SHADOW
Normal shadowing
|
|
|
|
|
|
|
STPSHD
Stop shadowing
The user ID being changed
The address being changed
The network user ID being changed
Reinitialization
196
204
212
264
272
280
650
658
666
User ID
Address
Network User
ID
Char(8)
Char(8)
Char(47)
| Table 193. SE (Change of Subsystem Routing Entry) Journal Entries. QASYSEJE/J4/J5 Field Description File
|
Offset
JE
J4
J5
|
|
|
Field
Format
Description
571

| Table 193. SE (Change of Subsystem Routing Entry) Journal Entries (continued). QASYSEJE/J4/J5 Field Description
| File
|
Offset
JE
J4
J5
Field
Format
Description
156
224
610
Entry Type
Char(1)
The type of entry.
157
225
611
Char(10)
A
Subsystem routing entry changed
The name of the object
167
177
185
235
245
253
621
631
639
Subsystem
Name
Library Name
Object Type
Program Name
195
205
263
273
649
659
Char(10)
Char(4)
209
277
663
Library Name
Sequence
Number
Command
Name
The name of the library the object is in

The type of object.
The name of the program that changed the
routing entry
The name of the library for the program
The sequence number
Char(3)
The type of command used
|
|
|
|
|
|
|
|
|
|
|
|
|
Char(10)
Char(8)
Char(10)
|
|
|
|
|
|
|
|
|
|
|
|
|
|
666
ASP name for

SBSD library
ASP number
for SBSD
library
ASP name for
program
library
ASP number
for program
library
676
681
691
ADD
ADDRTGE
CHG
CHGRTGE
Char(10)
RMV RMVRTGE
ASP name for SBSD library
Char(5)
ASP number for SBSD library
Char(10)
ASP name for program library
Char(5)
ASP number for program library
| Table 194. SF (Action to Spooled File) Journal Entries. QASYSFJE/J4/J5 Field Description File
|
Offset
| JE
J4
J5
| 1
|
|
| 156
224
610
Field
Access Type
Format
Description
Char(1)

The type of entry
Spooled file read.
Spooled file created.
Spooled file deleted.
Spooled file held.
Create of inline file.
Spooled file released.
|
|
Security-relevant spooled file changed.

See footnote 2.
|
|
Only nonsecurity-relevant spooled file

attributes changed.
572

| Table 194. SF (Action to Spooled File) Journal Entries (continued). QASYSFJE/J4/J5 Field Description File
|
Offset
| JE
J4
J5
Field
Format
Description
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
157
225
611
Char(10)
167
177
185
195
205
235
245
253
263
273
621
631
639
649
659
The name of the database file containing the

spooled file
The name of the library for the database file
The object type of the database file
215
283
669
Database File
Name
Library Name
Object Type
Reserved area
Member Name
Spooled File
Name
Short Spooled
File Number
219
287
673
229
297
683
307
693
259
262
265
275
285
313
327
330
333
343
353
699
713
716
719
729
739
295
363
749
305
315
373
383
759
769
325
393
779
333
401
787
341
409
795
349
417
803
357
425
811
365
433
819
441
827
451
837
461
847
467
475
853
861
239
Output Queue
Name
Output Queue
Library
Reserved area
Spooled File
Number
Reserved Area
Old Copies
New Copies
Old Printer
New Printer
New Output
Queue
New Output
Queue Library
Old Form Type
New Form
Type
Old Restart
Page
New Restart
Page
Old Page
Range Start
New Page
Range Start
Old Page
Range End
New Page
Range End
Spooled File
Job Name
Spooled File
Job User
Spooled File
Job Number
Old Drawer
New Drawer
Char(10)
Char(8)
Char(10)
Char(10)
Char(10)
The name of the file member.

The name of the spooled file 1.
Char(10)
The number of the spooled file 1. If the spooled

file number is larger than 4 bytes, this field will
be blank and the Spooled File Number field
(offset 307) will be used.
The name of the output queue containing the
spooled file.
The name of the library for the output queue.
Char(20)
Char(6)
The number of the spooled file.
Char(14)
Char(3)
Char(3)
Char(10)
Char(10)
Char(10)
Number of old copies of the spooled file

Number of new copies of the spooled file
Old printer for the spooled file
New printer for the spooled file
New output queue for the spooled file
Char(10)
Library for the new output queue
Char(10)
Char(10)
Old form type of the spooled file

New form type of the spooled file
Char(8)
Old restart page for the spooled file
Char(8)
New restart page for the spooled file
Char(8)
Old page range start of the spooled file
Char(8)
New page range start of the spooled file
Char(8)
Old page range end of the spooled file
Char(8)
New page range end of the spooled file
Char(10)
The name of the spooled file job.
Char(10)
The user for the spooled file job.
Char(6)
The number for the spooled file job.
Char(8)
Char(8)
Old source drawer.

New source drawer.
Char(4)
Char(10)
573

|
Offset
| JE
J4
J5
Field
Format
Description
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
483
869
Char(10)
Old page definition name.
493
879
Char(10)
Old page definition library name.
503
889
Char(10)
New page definition name.
513
899
Char(10)
New page definition library.
523
909
Char(10)
Old form definition name.
533
919
Char(10)
Old form definition library name.
543
929
Char(10)
Name of new form definition
553
939
Char(10)
New form definition library name.
563
949
Char(10)
Old user-defined option 1.
573
959
Char(10)
583
969
Char(10)
593
979
Char(10)
603
989
Char(10)
New user-defined option 1.
613
999
Char(10)
623
1009
Char(10)
633
1019
Char(10)
643
1029
Char(10)
Old user-defined object name.
653
1039
Old Page
Definition
Name
Old Page
Definition
Library
New Page
Definition
Name
New Page
Definition
Library
Old Form
Definition
Name
Old Form
Definition
library
Name of new
form definition
New Form
Definition
Library
Old User
Defined Option
1
Old User
Defined Option
2
Old User
Defined Option
3
Old User
Defined Option
4
New User
Defined Option
1
New User
Defined Option
2
New User
Defined Option
3
New User
Defined Option
4
Old User
Defined Object
Old User
Defined Object
Library
Char(10)
Old user-defined library name.
574

|
Offset
| JE
J4
J5
Field
Format
Description
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
663
1049
Char(10)
Old user-defined object type.
673
1059
Char(10)
New user-defined object.
683
1069
Char(10)
New user-defined object library name.
693
1079
Char(10)
New user-defined object type.
703
1089
Char(8)
The name of the system on which the spooled file

resides.
711
1097
Char(7)
The spooled file create date (CYYMMDD).
718
1104
Old User
Defined Object
Type
New User
Defined Object
New User
Defined Object
Library
New User
Defined Object
Type
Spooled File
Job System
Name
Spooled File
Create Date
Spooled File
Create Time
Name of old
user defined
data
Name of new
user defined
data
Char(6)
The spooled file create time (HHMMSS).
Char(255)
Name of old user defined data
Char(255)
Name of new user defined data
|
|
1110
1365
This field is blank when the type of entry is I (inline print).
| Table 195. SG (Asychronous Signals) Journal Entries. QASYSGJ4/J5 Field Description File
|
Offset
| JE
J4
J5
|
|
|
|
224
610
Field
Entry Type
Format
Description
Char(1)

for field listing.
The type of entry.
|
|
|
|
P
225
229
611
615
Signal Number Char(4)

Handle action Char(1)
Asynchronous iSeries signal processed
Asynchronous Private Address Space

Environment (PASE) signal processed
The signal number that was processed.
The action taken on this signal.
Continue the process
Signal exception
|
|
Handle by invoking the signal catching

function
Stop the process
Terminate the process
Terminate the request
575

| Table 195. SG (Asychronous Signals) Journal Entries (continued). QASYSGJ4/J5 Field Description File
|
Offset
| JE
J4
J5
Field
Format
Description
230
616
Signal Source
Char(1)
The source of the signal.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
P
Process source
Note: When the signal source value is machine,
the source job values are blank.
The first part of the source jobs qualified name.
231
617
241
627
251
637
257
643
267
653
Source Job
Name
Source Job
User Name
Source Job
Number
Source Job
Current User
Generation
Timestamp
Char(10)
Char(10)
Char(6)
Char(10)
Char(8)
Machine source
The second part of the source jobs qualified

name.
The third part of the source jobss qualified
name.
The current user profile for the source job.
The *DTS format of the time that the signal was
generated.
Note: The QWCCVTDT API can be used to
convert a *DTS time stamp to other formats.
| Table 196. SK (Secure Sockets Connections) Journal Entries. QASYSKJ4/J5 Field Description File
|
Offset
| JE
J4
J5
|
|
|
|
|
224
610
Field
Format
Description
for field listing.
Entry type
Char(1)
Accept
Connect
DHCP address assigned
Filtered mail
Port unavailable
Reject mail
|
|
|
|
|
|
|
|
|
|
|
|
|
|
576
225
611
240
245
626
631
260
265
646
651
269
655
279
665
281
667
Local IP
Address
Local port
Remote IP
Address
Remote port
Socket
Descriptor
Filter
Description
Filter Data
Length
Filter Data1
Char(15)
U
DHCP address denied
Char(5)
Char(15)
The local port.

The remote IP address.
Char(5)
Bin(5)
The remote port.

The socket descriptor.
Char(10)
The mail filter specified.
Bin(4)
The length of the filter data.
Char(514)
The filter data.

| Table 196. SK (Secure Sockets Connections) Journal Entries (continued). QASYSKJ4/J5 Field Description File
|
Offset
| JE
J4
J5
Field
Format
Description
|
|
|
795
1181
Address
Family
Char(10)
The address family.
Local IP
address
Remote IP
address 2
MAC address
Host name
Char(46)
*IPV6 Internet Protocol Version 6

Char(46)
The remote IP address
Char(32)
Char(255)
The MAC address of the requesting client.

The host name of the requesting client.
|
|
|
|
|
|
|
805
1191
851
1237
897
929
1283
1315
*IPV4
Internet Protocol Version 4
This is a variable length field. The first two bytes contain the length of the field.
|
|
When the entry type is D, this field contains the IP address the DHCP server assigned the requesting client.
| Table 197. SM (System Management Change) Journal Entries. QASYSMJE/J4/J5 Field Description File
|
Offset
| JE
J4
J5
| 1
|
|
| 156
224
610
Field
Entry Type
Format
Description
Char(1)

Function accessed
Backup list changed
Automatic cleanup options
DRDA
HFS file system
Network file operation
Backup options changed
Power on/off schedule
System reply list
Access path recovery times changed
Add
Change
Delete
Remove
Display
|
| 157
|
|
| 158
|
| 162
| 169
|
|
225
611
226
612
230
237
616
623
Access Type
Sequence
Number
Message ID
Relational
Database
Name
Char(1)
Char(4)
T
Retrieve or receive
Sequence number of the action
Char(7)
Char(18)
Message ID associated with the action

Name of the relational database
577

| Table 197. SM (System Management Change) Journal Entries (continued). QASYSMJE/J4/J5 Field Description File
|
Offset
JE
J4
J5
Field
Format
Description
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
187
255
641
Char(10)
Name of the file system
197
265
651
Char(10)
The backup option that was changed
207
275
661
Char(10)
The name of the backup list that was changed
217
285
671
Char(10)
The name of the network file that was used
227
295
681
Char(10)
The name of the member of the network file
237
305
691
Zoned(6,0)
The number of the network file
243
311
697
Char(10)
253
321
707
The name of the user profile that owns the

network file
The name of the user profile that originated the
network file
261
329
715
File System
Name
Backup Option
Changed
Backup List
Change
Network File
Name
Network File
Member
Network File
Number
Network File
Owner
Network File
Originating
User
Network File
Originating
Address
Char(8)
Char(8)
The address that originated the network file
| Table 198. SO (Server Security User Information Actions) Journal Entries. QASYSOJE/J4/J5 Field Description File
|
Offset
| JE
J4
J5
| 1
|
|
| 156
224
610
Field
Entry Type
Format
Description
Char(1)

The type of entry
Add entry
Change entry
|
| 157
|
|
|
|
||
|
|
|
|
|
|
|
|
|
|
|
578
225
235
611
621
236
622
237
437
623
823
440
826
442
828
462
848
User Profile
Char(10)
Server
Char(1)
Authentication
Entry
Password
Char(1)
Stored
Server Name
(Reserved
Area)
User ID
Length
(Reserved
Area)
User ID
Char(200)
Char(3)
Binary (4)
R
Remove entry
The name of the user profile.
Y = Entry is a server authentication entry.
Password not stored
No change
Y
Password is stored.
The name of the server.
The length of the user ID.
Char(20)
Char(1002)1
The ID for the user.

|
| Table 199. ST (Service Tools Action) Journal Entries. QASYSTJE/J4/J5 Field Description File
|
Offset
JE
J4
J5
|
|
|
|
156
224
610
157
225
611
|
|
Field
Format
Description
Entry Type
Char(1)

The type of entry
Service Tool
Char(2)
A
Service record
The type of entry.
CS
STRCPYSCN
CD
QTACTLDV
CE
QWTCTLTR
CT
DMPCLUTRC
DC
DLTCMNTRC
DD
DMPDLO
DO
DMPOBJ
DS
DMPSYSOBJ, QTADMPTS
EC
ENDCMNTRC
ER
ENDRMTSPT
HD
QYHCHCOP (DASD)
HL
QYHCHCOP (LPAR)
PC
PRTCMNTRC
PE
PRTERRLOG
PI
PRTINTDTA
SE
QWTSETTR
SC
STRCMNTRC
SJ
STRSRVJOB
SR
STRRMTSPT
ST
STRSST
TA
TRCTCPAPP
TC
TRCCNN (*FORMAT specified)
TE
ENDTRC, ENDPEX
|
|
TI
TRCINT or TRCCNN (*ON, *OFF, or

*END specified)
|
|
|
|
|
|
|
|
159
169
179
187
197
207
213
227
237
247
255
265
275
281
613
623
633
641
651
661
667
Object Name
Library Name
Object Type
Job Name
Job User Name
Job Number
Object Name
Char(10)
Char(10)
Char(8)
Char(10)
Char(10)
Zoned(6,0)
Char(30)
TS
STRTRC, STRPEX
Name of the object accessed
Name of the library for the object
Type of object
The first part of the qualified job name
The second part of the qualified job name
The third part of the qualified job name
Name of the object for DMPSYSOBJ
579

| Table 199. ST (Service Tools Action) Journal Entries (continued). QASYSTJE/J4/J5 Field Description File
|
Offset
JE
J4
J5
Field
Format
Description
|
|
|
|
|
|
|
|
|
|
|
|
243
311
697
Library Name
Char(30)
273
281
293
341
349
361
727
735
747
Char(8)
Char(12)
Char(8)
301
369
755
Object Type
DLO Name
(Reserved
Area)
Folder Path
Name of the library for the object for

DMPSYSOBJ
Type of the object
Name of the document library object
432
442
818
828
JUID Field
Early Trace
Action1
Char(10)
Char(10)
Char(63)

object
The JUID of the target job.
The action requested for early job tracing
*ON
Early tracing turned on
*OFF
Early tracing turned off
|
|
|
|
|
|
*RESET
452
838
Application
Trace Option2
Char(1)
Early tracing turned off and trace

information deleted.
The trace option specified on TRCTCPAPP.
Y
Collection of trace information started
|
|
|
Collection of trace information stopped

and trace information written to
spooled file
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
453
839
463
849
859
867
877
887
892
902
Application
Traced2
Service Tools
Profile3
Source node
ID
Source user
ASP name for
object library
ASP number
for object
library
ASP name for
DMPSYSOBJ
object library
ASP number
for
DMPSYSOBJ
object library
Char(10)
Char(10)
Collection of trace information ended

and all trace information purged (no
output created)
The name of the application being traced.
Char(8)
The name of the service tools profile used for

STRSST.
Source node ID
Char(10)
Char(10)
Source user
ASP name for object library
Char(5)
ASP number for object library
Char(10)
ASP name for DMPSYSOBJ object library
Char(5)
ASP number for DMPSYSOBJ object library
This field is used only when the entry type (offset 225) is CE.
This field is used only when the entry type (offset 225) is TA.
|
|
This field is used only when the entry type (offset 225) is ST.
580

| Table 200. SV (Action to System Value) Journal Entries. QASYSVJE/J4/J5 Field Description File
|
Offset
| JE
J4
J5
| 1
|
|
| 156
224
610
Field
Entry Type
Format
Description
Char(1)

The type of entry.
Change to system values
Change to service attributes
|
|
|
|
|
|
|
|
|
|
|
|
|
157
225
611
Char(10)
621
System Value
or Service
Attribute
New Value
167
235
417
485
871
Old Value
Char(250)
667
735
1121
Char(250)
917
985
1371
New Value
Continued
Old Value
Continued
Char(250)
Char(250)
C
Change to system clock
The name of the system value or service attribute
The value to which the system value or service

attribute was changed
The value of the system value or service attribute
before it was changed
Continuation of the value to which the system
value or service attribute was changed.
Continuation of the value of the system value or
service attribute was changed.
| Table 201. VA (Change of Access Control List) Journal Entries. QASYVAJE/J4/J5 Field Description File
|
Offset
| JE
J4
J5
| 1
|
|
| 156
224
610
Field
Status
Format
Description
Char(1)

Status of request.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
S
157
225
611
Server Name
Char(10)
167
235
621
Server Date
Char(6)
173
241
627
Server Time
Zoned(6,0)
179
247
633
Char(8)
187
255
641
197
265
651
Computer
Name
Requester
Name
Action
Performed
Char(10)
Char(1)
Successful
F
Failed
The name of the network server description that
registered the event.
The date the event was logged on the network
server.
The time the event was logged on the network
server.
The name of the computer issuing the request to
change the access control list.
The name of the user issuing the request.
The action performed on the access control
profile:
Addition
Modification
|
|
|
|
198
266
652
Resource
Name
Char(260)
D
Deletion
The name of the resource to be changed.
581

| Table 202. VC (Connection Start and End) Journal Entries. QASYVCJE/J4/J5 Field Description File
|
Offset
JE
J4
J5
|
|
|
|
|
|
156
224
610
Field
Connect
Action.
Format
Description
Char(1)

The connection action that occurred.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
157
225
611
Server Name
Char(10)
167
235
621
Server Date
Char(6)
173
241
627
Server Time
Zoned(6,0)
179
247
633
Char(8)
187
255
641
197
202
265
270
651
656
Computer
Name
Connection
User
Connect ID
Rejection
Reason
Char(10)
Char(5)
Char(1)
Start
End
R
Reject
server.
server.
The name of the computer associated with the
connection request.
The name of the user associated with the
connection request.
The start or stop connection ID.
The reason the connection was rejected:
A
Automatic disconnect (timeout), share

removed, or administrative permissions
lacking
|
|
Error, session disconnect, or incorrect

password
|
|
Normal disconnection or user name

limit
|
|
|
|
203
271
657
Network
Name
Char(12)
P
No access permission to shared resource
The network name associated with the
connection.
| Table 203. VF (Close of Server Files) Journal Entries. QASYVFJE/J4/J5 Field Description File
|
Offset
JE
J4
J5
|
|
|
|
156
224
610
Field
Close Reason
Format
Description
Char(1)

The reason the file was closed.
Administrative disconnection
Normal client disconnection
|
|
|
|
|
|
|
157
225
611
Server Name
Char(10)
167
235
621
Server Date
Char(6)
173
241
627
Server Time
Zoned(6,0)
582
S
Session disconnection
server.
server.

| Table 203. VF (Close of Server Files) Journal Entries (continued). QASYVFJE/J4/J5 Field Description File
|
Offset
| JE
J4
J5
Field
Format
Description
|
|
|
|
|
|
|
|
|
179
247
633
Char(8)
The name of the computer requesting the close.
187
255
641
Char(10)
The name of the user requesting the close.
197
202
208
265
270
276
651
656
662
Computer
Name
Connection
User
File ID
Duration
Resource
Name
Char(5)
Char(6)
Char(260)
The ID of the file being closed.

The number of seconds the file was open.
The name of the resource owning the accessed
file.
| Table 204. VL (Account Limit Exceeded) Journal Entries. QASYVLJE/J4/J5 Field Description File
|
Offset
| JE
J4
J5
| 1
|
|
| 156
224
610
Field
Reason
Format
Description
Char(1)

The reason the limit was exceeded.
Account expired
Account disabled
Logon hours exceeded
Unknown or unavailable
|
|
|
|
|
|
|
|
|
|
|
|
|
157
225
611
Server Name
Char(10)
167
235
621
Server Date
Char(6)
173
241
627
Server Time
Zoned(6,0)
179
247
633
Char(8)
187
255
641
Computer
Name
User
197
265
651
Resource Name Char(260)
Char(10)
W
Workstation not valid
server.
server.
The name of the computer with the account limit
violation.
The name of the user with the account limit
violation.
The name of the resource being used.
| Table 205. VN (Network Log On and Off) Journal Entries. QASYVNJE/J4/J5 Field Description File
|
Offset
| JE
J4
J5
| 1
|
|
| 156
224
610
Field
Log Type
Format
Description
Char(1)

The type of event that occurred:
Logoff requested
Logon requested
Logon rejected
583

| Table 205. VN (Network Log On and Off) Journal Entries (continued). QASYVNJE/J4/J5 Field Description File
|
Offset
| JE
J4
J5
Field
Format
Description
|
|
|
|
|
|
|
|
|
|
157
225
611
Server Name
Char(10)
167
235
621
Server Date
Char(6)
173
241
627
Server Time
Zoned(6,0)
179
247
633
Char(8)
187
197
255
265
641
651
Computer
Name
User
User Privilege

server.
server.
The name of the computer for the event.
Char(10)
Char(1)
The user who logged on or off.

Privilege of user logging on:
Administrator
Guest
|
| 198
266
652
Reject Reason
Char(1)
U
User
The reason the log on attempt was rejected:
Access denied
Forced off due to logon limit
|
| 199
|
|
267
653
Additional
Reason
Char(1)
P
Incorrect password
Details of why access was denied:
A
Account expired
Account disabled
Logon hours not valid
Requester ID not valid
|
|
Unknown or unavailable
| Table 206. VO (Validation List) Journal Entries. QASYVOJ4/J5 Field Description File
|
Offset
| JE
J4
J5
|
|
|
|
224
610
Field
Entry Type
Format
Description
Char(1)

for field listing.
The type of entry.
Add validation list entry
Change validation list entry
Find validation list entry
Remove validation list entry
|
|
Unsuccessful verify of a validation list

entry
Successful verify of a validation list entry
584

| Table 206. VO (Validation List) Journal Entries (continued). QASYVOJ4/J5 Field Description File
|
Offset
| JE
J4
J5
Field
Format
Description
|
|
|
225
611
Unsuccessful
Type
Char(1)
Type of unsuccessful verify.
|
|
|
|
|
|
|
|
|
|
|
226
236
246
612
622
632
Validation List
Library Name
Encrypted
Data
Char(10)
Char(10)
Char(1)
Encrypted data is incorrect
Entry ID was not found
V
Validation list was not found
The name of the validation list.
The name of the library the validation list is in.
Data value to be encrypted.
Y
Data to be encrypted was specified on

the request.
Data to be encrypted was not specified

on the request
Entry data value.
N
247
633
Entry Data
Char(1)
|
|
|
|
|
|
|
|
|
N
248
634
250
252
636
638
Entry ID
Length
Data length
Encrypted
Data Attribute
Entry data was specified on the request.
Binary(4)
Entry data was not specified on the

request.
The length of the entry ID.
Binary(4)
Char (1)
The length of the entry data.

Encrypted data.
An encrypted data attribute was not

specified.
|
|
|
The data to be encrypted can only be

used to verify an entry. This is the
default.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
The data to be encrypted can be used to

verify an entry and the data can be
returned on a find operation.
X.509 Certificate.
1
253
639
254
640
282
382
668
768
1768
1778
X.509
Certificate
attribute
(Reserved
Area)
Entry ID
Entry Data
ASP name for
validation list
library
ASP number
for validation
list library
Char (1)
Char (28)
Byte(100)
Byte(1000)
Char(10)
The entry ID.

The entry data.
ASP name for validation list library
Char(5)
ASP number for validation list library
585

| Table 207. VP (Network Password Error) Journal Entries. QASYVPJE/J4/J5 Field Description File
|
Offset
| JE
J4
J5
| 1
|
|
| 156
224
610
157
225
167
|
|
|
|
|
|
|
|
|
|
|
Field
Format
Description
Error Type
Char(1)

The type of error that occurred.
611
Server Name
Char(10)
235
621
Server Date
Char(6)
173
241
627
Server Time
Zoned(6,0)
179
247
633
Char(8)
187
255
641
Computer
Name
User
P
Password error
server.
server.
The name of the computer initiating the request.
Char(10)
The name of the user who attempted to log on.
| Table 208. VR (Network Resource Access) Journal Entries. QASYVRJE/J4/J5 Field Description File
|
Offset
JE
J4
J5
|
|
|
|
156
224
610
Field
Status
Format
Description
Char(1)

The status of the access.
|
| 157
|
| 167
|
| 173
|
| 179
|
| 187
| 197
225
611
Server Name
Char(10)
235
621
Server Date
Char(6)
241
627
Server Time
Zoned(6,0)
247
633
Char(8)
255
265
641
651
Computer
Name
User
Operation Type
Char(10)
Char(1)
Resource access failed
S
Resource access succeeded
server.
server.
The name of the computer requesting the
resource.
The name of the user requesting the resource.
The type of operation being performed:
Resource attributes modified
Instance of the resource created
Resource deleted
Resource permissions modified
Data read or run from a resource
Data written to resource
|
| 198
|
| 202
| 206
586
266
652
Return Code
Char(4)
270
274
656
660
Server Message
File ID
Char(4)
Char(5)
X
Resource was run
The return code received if resource access is
granted.
The message code sent when access is granted.
The ID of the file being accessed.

| Table 208. VR (Network Resource Access) Journal Entries (continued). QASYVRJE/J4/J5 Field Description File
|
Offset
JE
J4
J5
Field
Format
Description
|
|
211
279
665
Resource Name
Char(260)
Name of the resource being used.
| Table 209. VS (Server Session) Journal Entries. QASYVSJE/J4/J5 field Description File
|
Offset
| JE
J4
J5
| 1
|
|
| 156
224
610
Field
Session Action
Format
Description
Char(1)

The session action that occurred.
|
|
|
|
|
|
|
|
|
|
|
|
End session
157
225
611
Server Name
Char(10)
167
235
621
Server Date
Char(6)
173
241
627
Server Time
Zoned(6,0)
179
247
633
Char(8)
187
197
255
265
641
651
Computer
Name
User
User Privilege
S
Start session
server.
server.
The name of the computer requesting the session.
Char(10)
Char(1)
The name of the user requesting the session.

The privilege level of the user for session start:
Administrator
Guest
|
| 198
266
652
Reason Code
Char(1)
U
User
The reason code for ending the session.
Administrator disconnect
|
|
|
Automatic disconnect (timeout), share

removed, or administrative permissions
lacking
|
|
Error, session disconnect, or incorrect

password
Normal disconnection or user name limit
|
|
Account restriction
| Table 210. VU (Network Profile Change) Journal Entries. QASYVUJE/J4/J5 Field Description File
|
Offset
| JE
J4
J5
| 1
|
|
Field
Format
Description
587

| Table 210. VU (Network Profile Change) Journal Entries (continued). QASYVUJE/J4/J5 Field Description File
|
Offset
| JE
J4
J5
Field
Format
Description
| 156
224
610
Type
Char(1)
The type of record that was changed.
Group record
User record
|
|
|
|
|
|
|
|
|
|
|
|
157
225
611
Server Name
Char(10)
167
235
621
Server Date
Char(6)
173
241
627
Server Time
Zoned(6,0)
179
247
633
Char(8)
187
255
641
Computer
Name
User
197
265
651
Action
Char(1)
Char(10)
M
User profile global information
server.
server.
The name of the computer requesting the user
profile change.
The name of the user requesting the user profile
change.
Action requested:
Addition
Change
Deletion
|
| 198
|
266
652
Resource Name
Char(260)
P
Incorrect password
Name of the resource.
| Table 211. VV (Service Status Change) Journal Entries. QASYVVJE/J4/J5 Field Description File
|
Offset
| JE
J4
J5
| 1
|
|
| 156
224
610
Field
Entry Type
Format
Description
Char(1)

The type of entry:
Service status changed
Server stopped
Server paused
Server restarted
|
|
|
|
|
|
|
|
|
|
157
225
611
Server Name
Char(10)
167
235
621
Server Date
Char(6)
173
241
627
Server Time
Zoned(6,0)
179
247
633
Char(8)
187
255
641
Computer
Name
User
S
Server started
server.
server.
The name of the computer requesting the change.
Char(10)
The name of the user requesting the change.
588

| Table 211. VV (Service Status Change) Journal Entries (continued). QASYVVJE/J4/J5 Field Description File
|
Offset
| JE
J4
J5
Field
Format
Description
| 197
265
651
Status
Char(1)
Status of the service request:
Service active
Start service pending
Continue paused service
Stop pending for service
Service pausing
Service paused
|
|
|
|
|
|
198
206
286
290
266
274
354
358
652
660
740
744
Service Code
Text Set
Return Value
Service
Char(8)
Char(80)
Char(4)
Char(20)
S
The
The
The
The
Service stopped
code of the service requested.
text being set by the service request.
return value from the change operation.
service that was changed.
| Table 212. X0 (Network Authentication) Journal Entries. QASYX0JE/J4/J5 Field Description File
|
Offset
| JE
J4
J5
| 1
|
|
Field
Format
Description
589

| Table 212. X0 (Network Authentication) Journal Entries (continued). QASYX0JE/J4/J5 Field Description File
|
Offset
JE
J4
J5
Field
Format
Description
156
224
610
Entry Type
Char(1)
The type of entry:
Service ticket valid
Service principals do not match
Client principals do not match
Ticket IP address mismatch
Decryption of the ticket failed
Decryption of authenticator failed
Realm is not within client local realms
Ticket is a replay attempt
Ticket not yet valid
|
|
Decrypt of KRB_AP_PRIV or
KRB_AP_SAFE checksum error
Remote IP address mismatch
Local IP address mismatch
|
|
timestamp error
|
|
KRB_AP_PRIV or KRB_AP_SAFE replay

error
|
|
sequence order error
GSS accept expired credential
GSS accept checksum error
GSS accept channel bindingst
|
|
GSS unwrap or GSS verify expired

context
|
|
GSS unwrap or GSS verify

decrypt/decode
|
|
GSS unwrap or GSS verify checksum

error
|
|
|
|
|
|
|
|
|
|
|
590
225
233
611
619
241
627
262
648
283
669
Status Code
GSS Status
Value
Remote IP
Address
Local IP
Address
Encrypted
Addresses
Char(8)
Char(8)
GSS unwrap or GSS verify sequence

error
The status of the request
GSS status value
Char(21)
Remote IP address
Char(21)
Local IP address
Char(256)
Encrypted IP addresses

|
|
|
|
||
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Offset
JE
J4
J5
Field
Format
Description
539
925
Encrypted
Addresses
Indicator
Char(1)
Encrypted IP addresses indicator
540
548
926
934
556
942
564
572
950
958
580
966
588
974
596
982
600
986
602
988
Ticket flags
Ticket
Authentication
Time
Ticket Start
Time
Ticket End Time
Ticket Renew
Time
Message Time
Stamp
GSS Expiration
Time Stamp
Server Principal
CCSID
Server Principal
Length
Server Principal
Indicator
|
|
|
|
|
|
|
|
|
|
603
1115
989
1501
1119
1505
1121
1507
1122
1508
1634
2020
1638
2024
1640
2026
Server Principal
Server Principal
Parameter
CCSID
Server Principal
Parameter
Length
Server Principal
Parameter
Indicator
Server Principal
Parameter
Client Principal
CCSID
Client Principal
Length
Client Principal
Indicator
1641
2027
Client Principal
not all addresses included
X
not provided
Ticket flags
Ticket authentication time
Char(8)
Ticket start time
Char(8)
Char(8)
Ticket end time

Ticket renew until time
Char(8)
X0E time stamp
Char(8)
Binary(5)
GSS credential expiration time stamp or context

expiration time stamp
Server principal (from ticket) CCSID
Binary(4)
Server principal (from ticket) length
Char(1)
Server principal (from ticket) indicator

Y
server principal complete
server principal not complete
Char(512)
Binary(5)
X
not provided
Server principal (from ticket)
Server principal (from ticket) parameter CCSID
Binary(4)
Server principal (from ticket) parameter length
Char(1)
Server principal (from ticket) parameter indicator

Y
Char(512)
X
not provided
Server principal parameter that ticket must match
Binary(5)
Client principal (from authenticator) CCSID
Binary(4)
Client principal (from authenticator) length
Char(1)
Client principal (from authenticator) indicator
|
|
|
all addresses included
Char(8)
Char(8)
|
|
|
|
|
|
|
|
|
|
|
||
|
Char(512)
client principal complete
client principal not complete
X
not provided
Client principal from authenticator
591

|
|
Offset
JE
|
|
|
|
|
|
|
J4
J5
Field
Format
Description
2153
2539
Binary(5)
Client principal (from ticket) CCSID
2157
2543
Binary(4)
Client principal (from ticket) length
2159
2545
Client Principal
CCSID
Client Principal
Length
Client Principal
Indicator
Char(1)
Client principal (from ticket) indicator
|
|
|
|
|
|
|
|
|
|
||
|
|
|
|
|
|
|
|
|
|
|
||
|
|
|
|
|
|
|
|
|
|
|
||
|
|
|
|
|
2160
2672
2546
3058
2676
3062
2678
3064
2679
3065
3191
3577
3195
3581
3197
3583
3198
3584
3710
4096
3714
4100
3716
4102
3717
592
4103
Client Principal
GSS Server
Principal CCSID
GSS Server
Principal
Length
GSS Server
Principal
Indicator
GSS Server
Principal
GSS Local
Principal CCSID
GSS Local
Principal
Length
GSS Local
Principal
Indicator
GSS Local
Principal
GSS Remote
Principal CCSID
GSS Remote
Principal
Length
GSS Remote
Principal
Indicator
GSS Remote
Principal
client principal complete
client principal not complete
Char(512)
Binary(5)
X
not provided
Client principal from ticket
Server principal (from GSS credential) CCSID
Binary(4)
Server principal (from GSS credential) length
Char(1)
Server principal (from GSS credential) indicator

Y
Char(512)
X
not provided
Server principal from GSS credential
Binary(5)
GSS local principal name CCSID
Binary(4)
GSS local principal name length
Char(1)
GSS local principal name indicator

Y
local principal complete
local principal not complete
Char(512)
X
not provided
GSS local principal
Binary(5)
GSS remote principal name CCSID
Binary(4)
GSS remote principal name length
Char(1)
GSS remote principal name indicator
Char(512)
remote principal complete
remote principal not complete
X
not provided
GSS remote principal

| Table 213. YC (Change to DLO Object) Journal Entries. QASYYCJE/J4/J5 Field Description File
|
Offset
JE
J4
J5
|
|
|
|
156
224
610
157
167
177
185
195
225
235
245
253
263
611
621
631
639
649
207
275
661
215
283
669
278
346
732
288
356
742
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Field
Format
Description
Entry Type
Char(1)

Object access
Object Name
Library Name
Object Type
Office User
Folder or
Document
Name
(Reserved
Area)
Folder Path
Char(10)
Char(10)
Char(8)
Char(10)
Char(12)
C
Change of a DLO object
Name of the object
Name of the library
Type of object
User profile of the office user
Name of the document or folder
On Behalf of
User
Access Type
Char(10)

object
User working on behalf of another user
Packed(5,0)
Type of access
Char(8)
Char(63)
See Table 218 on page 597 for a list of the codes for access types.
| Table 214. YR (Read of DLO Object) Journal Entries. QASYYRJE/J4/J5 Field Description File
|
Offstes
| JE
J4
J5
| 1
|
|
| 156
224
610
157
167
177
185
195
225
235
245
253
263
611
621
631
639
649
207
215
278
275
283
346
661
669
732
288
356
742
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Field
Format
Description
Entry Type
Char(1)

Object access
Object Name
Library Name
Object Type
Office User
Folder or
Document
Name
(Reserved Area)
Folder Path
On Behalf of
User
Access Type
Char(10)
Char(10)
Char(8)
Char(10)
Char(12)
R
Read of a DLO object
Name of the object
Name of the library
Type of object
User profile of the office user
Name of the document library object
Char(8)
Char(63)
Char(10)
The folder containing the document library object

User working on behalf of another user
Packed(5,0)
Type of access
593

| Table 215. ZC (Change to Object) Journal Entries. QASYZCJE/J4/J5 Field Description File
|
Offset
| JE
J4
J5
| 1
|
|
| 156
224
610
157
167
225
235
177
185
188
245
253
256
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Format
Description
Entry Type
Char(1)

Object access
611
621
Object Name
Library Name
Char(10)
Char(10)
631
639
642
Object Type
Access Type
Access Specific
Data
(Reserved
Area)
(Reserved
Area)
Object Name
Length 2
Object Name
CCSID2
Object Name
Country or
Region ID2
Object Name
Language ID2
(Reserved
area)
Parent File ID2,
Char(8)
Packed(5,0)
Char(50)
238
306
692
324
710
258
326
712
262
330
716
264
332
718
267
335
721
270
338
724
Field
C
Change of an object
Name of the object
Name of the library in which the object is
located
Type of object
Type of access 1
Specific data about the access
Char(20)
Char(18)
Binary (4)
Binary(5)
Char(2)

name.
Char(3)
Char(3)
Char(16)
286
354
740
Object File ID2, Char(16)
302
370
882
898
908
913
756
1268
1284
1294
1299
917
1303
919
1305
922
1308
924
1310
|
|
|
594
Object Name2
Object File ID
ASP Name6
ASP Number6
Path Name
CCSID
Path Name
Country or
Region ID
Path Name
Language ID
Path Name
Length
Path Name
Indicator
Char(512)
Char(16)
Char(10)
Char(5)
Binary(5)
Char(2)

absolute path name.
name
Char(3)
Binary(4)
Char(1)

Y


object.

| Table 215. ZC (Change to Object) Journal Entries (continued). QASYZCJE/J4/J5 Field Description File
|
|
Offset
JE
|
|
|
|
J4
J5
Field
Format
Description
925
1311
Char(16)
941
1327
Relative File
ID4
Absolute Path
Name5
Char(5002)
|
|
|
|
|
| Table 216. ZM (SOM Method Access) Journal Entries. QASYZMJE/J4/J5 Field Description File
|
Offset
| JE
J4
| 1
|
|
| 156
| 157
|
| 158
|
| 159
|
| 160
| 161
|
| 162
| 172
|
| 173
| 174
| 175
| 176
| 177
| 178
| 188
| 204
| 220
|
224
225
226
227
228
229
230
240
241
242
243
244
245
246
256
272
288
J5
Field
Access Type
Object
Existence
Object
Management
Object
Operational
Object Alter
Object
Reference
Reserved
List
Management
Read
Add
Update
Delete
Execute
Reserved
Class File ID
Object FIle ID
Method Name
Format
Description
Char(1)
Char(1)

Type of access
Y Object existence
Char(1)
Y Object management
Char(1)
Y Object operational
Char(1)
Char(1)
Y Object alter
Y Object reference
Char(10)
Char(1)
Reserved field
Y Authorization list management
Char(1)
Char(1)
Char(1)
Char(1)
Char(1)
Char(10)
Char(16)
Char(16)
Char(4096)
Y Read
Y Add
Y Update
Y Delete
Y Execute
Reserved field
File ID of class
File ID of object
Name of Method
595

Table 217. ZR (Read of Object) Journal Entries. QASYZRJE/J4/J5 Field Description File
Offset
JE
J4
J5
156
224
610
157
167
177
185
188
225
235
245
253
256
611
621
631
639
642
306
324
692
710
258
326
712
262
330
716
264
332
718
267
270
286
302
335
338
354
370
882
898
908
913
721
724
740
756
1268
1284
1294
1299
917
1303
919
1305
922
1308
924
1310
238
Field
Format
Description
Entry Type
Char(1)

Object access
Object Name
Library Name
Object Type
Access Type
Access Specific
Data
(Reserved Area)
(Reserved Area)
Object Name
Length 2
Object Name
CCSID2
Object Name
Country or
Region ID2
Object Name
Language ID2
(Reserved area)
Parent File ID2,3
Object File ID2,3
Object Name2
Object File ID
ASP Name
ASP Number
Path Name
CCSID
Path Name
Country or
Region ID
Path Name
Language ID
Path Name
Length
Path Name
Indicator
Char(10)
Char(10)
Char(8)
Packed(5,0)
Char(50)
R
Read of an object
Name of the object
Name of the library in which the object is located
Type of object
Type of access 1
Specific data about the access
Char(20)
Char(18)
Binary(4)
Binary(5)
Char(2)

name.
Char(3)
Char(3)
Char(16)
Char(16)
Char(512)
Char(16)
Char(10)
Char(5)
Binary(5)
Char(2)

path name.
name
Char(3)
Binary(4)
Char(1)

Y

object.
925
941
596
1311
1327

Absolute Path
Char(5002)
Name5
The Absolute Path Name field contains an

absolute path name for the object.

Table 217. ZR (Read of Object) Journal Entries (continued). QASYZRJE/J4/J5 Field Description File
Offset
JE
J4
J5
Field
Format
Description
See Table 218 for a list of the codes for access types.
Table 218 lists the access codes used for object auditing journal entries in files
QASYYCJE, QASYYRJE, QASYZCJE, and QASYZRJE.
Table 218. Numeric Codes for Access Types
Code
Access Type
Code
Access Type
Code
Access Type
Add
24
Hold
47
2
3
4
5
6
7
8
9
10
11
12
Activate Program
Analyze
Apply
Call or TFRCTL
Configure
Change
Check
Close
Clear
Compare
Cancel
25
26
27
28
29
30
31
32
33
34
35
Initialize
Load
List
Move
Merge
Open
Print
Query
Reclaim
Receive
Read
48
49
50
51
52
53
54
55
56
57
58
13
Copy
36
Reorganize
59
14
Create
37
Release
60
15
Convert
38
Remove
61
16
17
Debug
Delete
39
40
Rename
Replace
62
63
18
Dump
41
Resume
64
19
20
Display
Edit
42
43
Restore
Retrieve
65
66
21
22
End
File
44
45
Run
Revoke
67
68
23
Grant
46
Save
69
Save with Storage

Free
Save and Delete
Submit
Set
Send
Start
Transfer
Trace
Verify
Vary
Work
Read/Change
DLO Attribute
Read/Change
DLO Security
Read/Change
DLO Content
Read/Change
DLO all parts
Add Constraint
Change
Constraint
Remove
Constraint
Start Procedure
Get Access on
**OOPOOL
Sign object
Remove all
signatures
Clear a signed
object
597
598
Appendix G. Commands and Menus for Security Commands

This appendix describes the commands and menus for security tools. Examples of
how to use the commands are included throughout this manual.
Two menus are available for security tools:
v The SECTOOLS (Security Tools) menu to run commands interactively.
v The SECBATCH (Submit or Schedule Security Reports to Batch) menu to run the
report commands in batch. The SECBATCH menu has two parts. The first part
of the menu uses the Submit Job (SBMJOB) command to submit reports for
immediate processing in batch.
The second part of the menu uses the Add Job Schedule Entry (ADDJOBSCDE)
command. You use it to schedule security reports to be run regularly at a
specified day and time.
Options on the Security Tools Menu

Following is the part of the SECTOOLS menu that relates to user profiles. To access
this menu, type GO SECTOOLS
SECTOOLS
Security Tools
Select one of the following:

Work with profiles
1. Analyze default passwords
2. Display active profile list
3. Change active profile list
4. Analyze profile activity
5. Display activation schedule
6. Change activation schedule entry
7. Display expiration schedule
8. Change expiration schedule entry
Table 219 describes these menu options and the associated commands:
Table 219. Tool Commands for User Profiles
Menu1 Option
Command Name
Description
Database File Used
ANZDFTPWD
Use the Analyze Default Passwords command

to report on and take action on user profiles
that have a password equal to the user profile
name.
QASECPWD2
DSPACTPRFL
Use the Display Active Profile List command

to display or print the list of user profiles that
are exempt from ANZPRFACT processing.
QASECIDL2
599
Table 219. Tool Commands for User Profiles (continued)

Menu1 Option
Command Name
Description
CHGACTPRFL
QASECIDL2
Use the Change Active Profile List command
to add and remove user profiles from the
exemption list for the ANZPRFACT command.
A user profile that is on the active profile list
is permanently active (until you remove the
profile from the list). The ANZPRFACT
command does not disable a profile that is on
the active profile list, no matter how long the
profile has been inactive.
ANZPRFACT
Use the Analyze Profile Activity command to

disable user profiles that have not been used
for a specified number of days. After you use
the ANZPRFACT command to specify the
number of days, the system runs the
ANZPRFACT job nightly.
Database File Used
QASECIDL2
You can use the CHGACTPRFL command to

exempt user profiles from being disabled.
5
DSPACTSCD
Use the Display Profile Activation Schedule

command to display or print information
about the schedule for enabling and disabling
specific user profiles. You create the schedule
with the CHGACTSCDE command.
QASECACT2
CHGACTSCDE
Use the Change Activation Schedule Entry

command to make a user profile available for
sign on only at certain times of the day or
week. For each user profile that you schedule,
the system creates job schedule entries for the
enable and disable times.
QASECACT2
DSPEXPSCDE
Use the Display Expiration Schedule command QASECEXP2

to display or print the list of user profiles that
are scheduled to be disabled or removed from
the system in the future. You use the
CHGEXPSCDE command to set up user
profiles to expire.
CHGEXPSCDE
QASECEXP2
Use the Change Expiration Schedule Entry
command to schedule a user profile for
removal. You can remove it temporarily (by
disabling it) or you can delete it from the
system. This command uses a job schedule
entry that runs every day at 00:01 (1 minute
after midnight). The job looks at the
QASECEXP file to determine whether any user
profiles are set up to expire on that day.
Use the DSPEXPSCD command to display the
user profiles that are scheduled to expire.
PRTPRFINT
Use the Print Profile Internals command to

print a report of internal information on the
number of entries in a user profile (*USRPRF)
object.
Notes:
1. Options are from the SECTOOLS menu.
2. This file is in the QUSRSYS library.
600
You can page down on the menu to see additional options. Table 220 describes the
menu options and associated commands for security auditing:
Table 220. Tool Commands for Security Auditing
Menu1 Option
Command Name
Description
10
CHGSECAUD
Use the Change Security Auditing command

to set up security auditing and to change the
system values that control security auditing.
When you run the CHGSECAUD command,
the system creates the security audit
(QAUDJRN) journal if it does not exist.
Database File Used
The CHGSECAUD command provides options

that make it simpler to set the QAUDLVL
(audit level) system value. You can specify
*ALL to activate all of the possible audit level
settings. Or, you can specify *DFTSET to
activate the most commonly used settings
(*AUTFAIL, *CREATE, *DELETE, *SECURITY,
and *SAVRST).
Note: If you use the security tools to set up
auditing, be sure to plan for management of
your audit journal receivers. Otherwise, you
might quickly encounter problems with disk
utilization.
11
DSPSECAUD
Use the Display Security Auditing command

to display information about the security audit
journal and the system values that control
security auditing.
Notes:
How to Use the Security Batch Menu

Following is the first part of the SECBATCH menu:
SECBATCH
Submit or Schedule Security Reports To Batch
System:
Submit Reports to Batch

1. Adopting objects
2. Audit journal entries
3. Authorization list authorities
4. Command authority
5. Command private authorities
6. Communications security
7. Directory authority
8. Directory private authority
9. Document authority
10. Document private authority
11. File authority
12. File private authority
13. Folder authority
When you select an option from this menu, you see the Submit Job (SBMJOB)
display, such as the following:
601
Submit Job (SBMJOB)
Command to run . . . . . . . . . > PRTADPOBJ USRPRF(*ALL
Job name . . . . . . . . .
Job description . . . . .
Library . . . . . . . .
Job queue . . . . . . . .
Library . . . . . . . .
Job priority (on JOBQ) . .
Output priority (on OUTQ)
Print device . . . . . . .
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
*JOBD
*USRPRF
*JOBD
*JOBD
*JOBD
*CURRENT
...
Name, *JOBD
Name, *USRPRF
Name, *LIBL, *CURLIB
Name, *JOBD
Name, *LIBL, *CURLIB
1-9, *JOBD
1-9, *JOBD
Name, *CURRENT, *USRPRF...
If you want to change the default options for the command, you can press F4
(Prompt) on the Command to run line.
To see the Schedule Batch Reports, page down on the SECBATCH menu. By using
the options on this part of the menu, you can, for example, set up your system to
run changed versions of reports regularly.
SECBATCH
Submit or Schedule Security Reports To Batch

28.
29.
30.
31.
System:
User objects
User profile information
User profile internals
Check object integrity
Schedule Batch Reports

40. Adopting objects
41. Audit journal entries
42. Authorization list authorities
43. Command authority
44. Command private authority
45. Communications security
46. Directory authority
You can page down for additional menu options. When you select an option from
this part of the menu, you see the Add Job Schedule Entry (ADDJOBSCDE)
display:
Add Job Schedule Entry (ADDJOBSCDE)
Job name . . . . . . . . . . . .
Name, *JOBD
Command to run . . . . . . . . . > PRTADPOBJ USRPRF(*ALL)
Frequency . . . .
Schedule date, or
Schedule day . . .
+ for more values
Schedule time . .
. . . . . . .
. . . . . . .
. . . . . . .
...
*ONCE, *WEEKLY, *MONTHLY
*CURRENT
Date, *CURRENT, *MONTHST
*NONE
*NONE, *ALL, *MON, *TUE.
. . . . . . .
*CURRENT
Time, *CURRENT
You can position your cursor on the Command to run line and press F4 (Prompt) to
choose different settings for the report. You should assign a meaningful job name
so that you can recognize the entry when you display the job schedule entries.
602
Options on the Security Batch Menu

Table 221 describes the menu options and associated commands for security
reports.
When you run security reports, the system prints only information that meets both
the selection criteria that you specify and the selection criteria for the tool. For
example, job descriptions that specify a user profile name are security-relevant.
Therefore, the job description (PRTJOBDAUT) report prints job descriptions in the
specified library only if the public authority for the job description is not
*EXCLUDE and if the job description specifies a user profile name in the USER
parameter.
Similarly, when you print subsystem information (PRTSBSDAUT command), the
system prints information about a subsystem only when the subsystem description
has a communications entry that specifies a user profile.
If a particular report prints less information than you expect, consult the online
help information to find out the selection criteria for the report.
Table 221. Commands for Security Reports
Menu1
Option
Command Name
Description
1, 40
PRTADPOBJ
QSECADPOLD2
Use the Print Adopting Objects command to
print a list of objects that adopt the authority of
the specified user profile. You can specify a single
profile, a generic profile name (such as all
profiles that begin with Q), or all user profiles on
the system.
Database File Used
This report has two versions. The full report lists

all adopted objects that meet the selection
criteria. The changed report lists differences
between adopted objects that are currently on the
system and adopted objects that were on the
system the last time that you ran the report.
2, 41
DSPAUDJRNE
Use the Display Audit Journal Entries command

to display or print information about entries in
the security audit journal. You can select specific
entry types, specific users, and a time period.
QASYxxJE3
603
Table 221. Commands for Security Reports (continued)

Menu1
Option
Command Name
Description
3, 42
PRTPVTAUT *AUTL
QSECATLOLD2
When you use the Print Private Authorities
command for *AUTL objects, you receive a list of
all the authorization lists on the system. The
report includes the users who are authorized to
each list and what authority the users have to the
list. Use this information to help you analyze
sources of object authority on your system.
Database File Used
This report has three versions. The full report

lists all authorization lists on the system. The
changed report lists additions and changes to
authorization since you last ran the report. The
deleted report lists users whose authority to the
authorization list has been deleted since you last
ran the report.
When you print the full report, you have the
option to print a list of objects that each
authorization list secures. The system will create
a separate report for each authorization list.
6, 45
PRTCMNSEC
Use the Print Communications Security

command to print the security-relevant settings
for objects that affect communications on your
system. These settings affect how users and jobs
can enter your system.
QSECCMNOLD2
This command produces two reports: a report

that displays the settings for configuration lists
on the system and a report that lists
security-relevant parameters for line descriptions,
controllers, and device descriptions. Each of these
reports has a full version and a changed version.
15, 54
PRTJOBDAUT
Use the Print Job Description Authority

command to print a list of job descriptions that
specify a user profile and have public authority
that is not *EXCLUDE. The report shows the
special authorities for the user profile that is
specified in the job description.
all job description objects that meet the selection
criteria. The changed report lists differences
between job description objects that are currently
on the system and job description objects that
were on the system the last time that you ran the
report.
604
QSECJBDOLD2

Menu1
Option
Command Name
Description
Database File Used
See note 4
PRTPUBAUT
Use the Print Publicly Authorized Objects

command to print a list of objects whose public
authority is not *EXCLUDE. When you run the
command, you specify the type of object and the
library or libraries for the report. Use the
PRTPUBAUT command to print information
about objects that every user on the system can
access.
QPBxxxxxx5

all objects that meet the selection criteria. The
changed report lists differences between the
specified objects that are currently on the system
and objects (of the same type in the same library)
that were on the system the last time that you
ran the report.
See note 4.
PRTPVTAUT
Use the Print Private Authorities command to

print a list of the private authorities to objects of
the specified type in the specified library. Use
this report to help you determine the sources of
authority to objects.
QPVxxxxxx5
This report has three versions. The full report

lists all objects that meet the selection criteria.
The changed report lists differences between the
specified objects that are currently on the system
and objects (of the same type in the same library)
that were on the system the last time that you
ran the report. The deleted report lists users
whose authority to an object has been deleted
since you last printed the report.
24, 63
PRTQAUT
Use the Print Queue Report to print the security QSECQOLD2

settings for output queues and job queues on
your system. These settings control who can view
and change entries in the output queue or job
queue.
all output queue and job queue objects that meet
the selection criteria. The changed report lists
differences between output queue and job queue
objects that are currently on the system and
output queue and job queue objects that were on
the system the last time that you ran the report.
605

Menu1
Option
Command Name
Description
25, 64
PRTSBSDAUT
Use the Print Subsystem Description command to QSECSBDOLD2

print the security-relevant communications
entries for subsystem descriptions on your
system. These settings control how work can
enter your system and how jobs run. The report
prints a subsystem description only if it has
communications entries that specify a user profile
name.
Database File Used

all subsystem description objects that meet the
selection criteria. The changed report lists
differences between subsystem description objects
that are currently on the system and subsystem
description objects that were on the system the
last time that you ran the report.
26, 65
PRTSYSSECA
Use the Print System Security Attributes

command to print a list of security-relevant
system values and network attributes. The report
shows the current value and the recommended
value.
27, 66
PRTTRGPGM
QSECTRGOLD2
Use the Print Trigger Programs command to
print a list of trigger programs that are associated
with database files on your system.
every trigger program that is assigned and meets
your selection criteria. The changed report lists
trigger programs that have been assigned since
the last time that you ran the report.
28, 67
PRTUSROBJ
Use the Print User Objects command to print a

list of the user objects (objects not supplied by
IBM) that are in a library. You might use this
report to print a list of user objects that are in a
library (such as QSYS) that is in the system
portion of the library list.
all user objects that meet the selection criteria.
The changed report lists differences between user
objects that are currently on the system and user
objects that were on the system the last time that
you ran the report.
29, 68
PRTUSRPRF
Use the Print User Profile command to analyze

user profiles that meet specified criteria. You can
select user profiles based on special authorities,
user class, or a mismatch between special
authorities and user class. You can print
authority information, environment information,
or password information.
30, 69
PRTPRFINT
Use the Print Profile Internals command to print

a report of internal information on the number of
entries contained in a user profile (*USRPRF)
object.
606
QSECPUOLD2

Menu1
Option
Command Name
Description
31, 70
CHKOBJITG
Use the Check Object Integrity command to

determine whether operable objects (such as
programs) have been changed without using a
compiler. This command can help you to detect
attempts to introduce a virus program on your
system or to change a program to perform
unauthorized instructions.
Database File Used
Notes:
1. Options are from the SECBATCH menu.
2. This file is in the QUSRSYS library.
3. xx is the two-character journal entry type. For example, the model output file for AE journal entries is
QSYS/QASYAEJE. The model output files are described in Appendix F of this book.
4. The SECTOOLS menu contains options for the object types that are typically of concern to security
administrators. For example, use options 11 or 50 to run the PRTPUBAUT command against *FILE objects. Use
the general options (18 and 57) to specify the object type. Use options 12 and 51 to run the PRTPVTAUT
command against *FILE objects. Use the general options (19 and 58) to specify the object type.
5. The xxxxxx in the name of the file is the object type. For example, the file for program objects is called QPBPGM
for public authorities and QPVPGM for private authorities. The files are in the QUSRSYS library.
The file contains a member for each library for which you have printed the report. The member name is the
same as the library name.
Commands for Customizing Security

Table 222 describes the commands that you can use to customize the security on
your system. These commands are on the SECTOOLS menu:
Table 222. Commands for Customizing Your System
Menu1
Option
Command Name
Description
60
CFGSYSSEC
Use the Configure System Security command to set

security-relevant system values to their recommended
settings. The command also sets up security auditing
on your system. Values That Are Set by the
Configure System Security Command describes what
the command does.
61
RVKPUBAUT
Use the Revoke Public Authority command to set the

public authority to *EXCLUDE for a set of
security-sensitive commands on your system. What
the Revoke Public Authority Command Does on
page 609 lists the actions that the RVKPUBAUT
command performs.
Database File Used
Notes:
Values That Are Set by the Configure System Security Command

Table 223 on page 608 lists the system values that are set when you run the
CFGSYSSEC command. The CFGSYSSEC command runs a program that is called
QSYS/QSECCFGS.
607
Table 223. Values Set by the CFGSYSSEC Command

System Value Name
Setting
System Value Description
QAUTOCFG
0 (No)
Automatic configuration of new devices
QAUTOVRT
The number of virtual device descriptions that the system will

automatically create if no device is available for use.
QALWOBJRST
*NONE
Whether system state programs and programs that adopt

authority can be restored
QDEVRCYACN
*DSCMSG (Disconnect
with message)
System action when communications is re-established
QDSCJOBITV
120
Time period before the system takes action on a disconnected job
QDSPSGNINF
1 (Yes)
Whether users see the sign-on information display
QINACTITV
60
Time period before the system takes action on an inactive

interactive job
QINACTMSGQ
*ENDJOB
Action that the system takes for an inactive job
QLMTDEVSSN
1 (Yes)
Whether users are limited to signing on at one device at a time
QLMTSECOFR
1 (Yes)
Whether *ALLOBJ and *SERVICE users are limited to specific

devices
QMAXSIGN
How many consecutive, unsuccessful sign-on attempts are allowed
QMAXSGNACN
3 (Both)
Whether the system disables the workstation or the user profile

when the QMAXSIGN limit is reached.
QRMTSIGN
*FRCSIGNON
How the system handles a remote (pass-through or TELNET)

sign-on attempt.
0 (Off)
Allows the system to be analyzed remotely.
50
The level of security that is enforced
QPWDEXPITV
60
How often users must change their passwords
QPWDMINLEN
Minimum length for passwords
QPWDMAXLEN
Maximum length for passwords
QPWDPOSDIF
1 (Yes)
Whether every position in a new password must differ from the

same position in the last password
QPWDLMTCHR
See note 2
Characters that are not allowed in passwords
QPWDLMTAJC
1 (Yes)
Whether adjacent numbers are prohibited in passwords
QPWDLMTREP
2 (Cannot be repeated
consecutively)
Whether repeating characters in are prohibited in passwords
QPWDRQDDGT
1 (Yes)
Whether passwords must have at least one number
QPWDRQDDIF
1 (32 unique passwords) How many unique passwords are required before a password can
be repeated
QPWDVLDPGM
*NONE
QRMTSVRATR
QSECURITY
The user exit program that the system calls to validate passwords
Notes:
1. If you are currently running with a QSECURITY value of 30 or lower, be sure to review the information in
Chapter 2 of this book before you change to a higher security level.
2. The restricted characters are stored in message ID CPXB302 in the message file QSYS/QCPFMSG. They are
shipped as AEIOU@$#. You can use the Change Message Description (CHGMSGD) command to change the
restricted characters.
The CFGSYSSEC command also sets the password to *NONE for the following
IBM-supplied user profiles:
608
QSYSOPR
QPGMR
QUSER
QSRV
QSRVBAS
Finally, the CFGSYSSEC command sets up security auditing according to the
values that you have specified by using the Change Security Auditing
(CHGSECAUD) command.
Changing the Program

If some of these settings are not appropriate for your installation, you can create
your own version of the program that processes the command. Do the following:
__ Step 1. Use the Retrieve CL Source (RTVCLSRC) command to copy the source
for the program that runs when you use the CFGSYSSEC command.
The program to retrieve is QSYS/QSECCFGS. When you retrieve it,
give it a different name.
__ Step 2. Edit the program to make your changes. Then compile it. When you
compile it, make sure that you do not replace the IBM-supplied
QSYS/QSECCFGS program. Your program should have a different
name.
__ Step 3. Use the Change Command (CHGCMD) command to change the
program to process command (PGM) parameter for the CFGSYSSEC
command. Set the PGM value to the name of your program. For
example, if you create a program in the QGPL library that is called
MYSECCFG, you would type the following:
CHGCMD CMD(QSYS/CFGSYSSEC) PGM(QGPL/MYSECCFG)
Note: If you change the QSYS/QSECCFGS program, IBM cannot

guarantee or imply reliability, serviceability, performance or
function of the program. The implied warranties of
merchantability and fitness for a particular purpose are expressly
disclaimed.
What the Revoke Public Authority Command Does

You can use the Revoke Public Authority (RVKPUBAUT) command to set the
public authority to *EXCLUDE for a set of commands and programs. The
RVKPUBAUT command runs a program that is called QSYS/QSECRVKP. As it is
shipped, the QSECRVKP revokes public authority (by setting public authority to
*EXCLUDE) for the commands that are listed in Table 224 on page 610 and the
application programming interfaces (APIs) that are listed in Table 225 on page 610.
When your system arrives, these commands and APIs have their public authority
set to *USE.
The commands that are listed in Table 224 on page 610 and the APIs that are listed
in Table 225 on page 610 all perform functions on your system that may provide an
opportunity for mischief. As security administrator, you should explicitly authorize
users to run these commands and programs rather than make them available to all
system users.
When you run the RVKPUBAUT command, you specify the library that contains
the commands. The default is the QSYS library. If you have more than one national
609
language on your system, you need to run the command for each QSYSxxx library.
Table 224. Commands Whose Public Authority Is Set by the RVKPUBAUT Command
ADDAJE
ADDCFGLE
ADDCMNE
ADDJOBQE
ADDPJE
ADDRTGE
ADDWSE
CHGAJE
CHGCFGL
CHGCFGLE
CHGCMNE
CHGCTLAPPC
CHGDEVAPPC
CHGJOBQE
CHGPJE
CHGRTGE
CHGSBSD
CHGWSE
CPYCFGL
CRTCFGL
CRTCTLAPPC
CRTDEVAPPC
CRTSBSD
ENDRMTSPT
RMVAJE
RMVCFGLE
RMVCMNE
RMVJOBQE
RMVPJE
RMVRTGE
RMVWSE
RSTLIB
RSTOBJ
RSTS36F
RSTS36FLR
RSTS36LIBM
STRRMTSPT
STRSBS
WRKCFGL
The APIs in Table 225 are all in the QSYS library:

Table 225. Programs Whose Public Authority Is Set by the RVKPUBAUT Command
QTIENDSUP
QTISTRSUP
QWTCTLTR
QWTSETTR
QY2FTML
On V3R7, when you run the RVKPUBAUT command, the system sets the public
authority for the root directory to *USE (unless it is already *USE or less).
Changing the Program

If some of these settings are not appropriate for your installation, you can create
your own version of the program that processes the command. Do the following:
__ Step 1. Use the Retrieve CL Source (RTVCLSRC) command to copy the source
for the program that runs when you use the RVKPUBAUT command.
The program to retrieve is QSYS/QSECRVKP. When you retrieve it,
give it a different name.
__ Step 2. Edit the program to make your changes. Then compile it. When you
compile it, make sure that you do not replace the IBM-supplied
QSYS/QSECRVKP program. Your program should have a different
name.
__ Step 3. Use the Change Command (CHGCMD) command to change the
program to process command (PGM) parameter for the RVKPUBAUT
command. Set the PGM value to the name of your program. For
example, if you create a program in the QGPL library that is called
MYRVKPGM, you would type the following:
CHGCMD CMD(QSYS/RVKPUBAUT) PGM(QGPL/MYRVKPGM)
Note: If you change the QSYS/QSECRVKP program, IBM cannot

guarantee or imply reliability, serviceability, performance or
function of the program. The implied warranties of
merchantability and fitness for a particular purpose are expressly
disclaimed.
610
Appendix H. Notices
This information was developed for products and services offered in the U.S.A.
IBM may not offer the products, services, or features discussed in this document in
other countries. Consult your local IBM representative for information on the
products and services currently available in your area. Any reference to an IBM
product, program, or service is not intended to state or imply that only that IBM
product, program, or service may be used. Any functionally equivalent product,
program, or service that does not infringe any IBM intellectual property right may
be used instead. However, it is the users responsibility to evaluate and verify the
operation of any non-IBM product, program, or service.
IBM may have patents or pending patent applications covering subject matter
described in this document. The furnishing of this document does not give you
any license to these patents. You can send license inquiries, in writing, to:
IBM Director of Licensing
IBM Corporation
500 Columbus Avenue
Thornwood, NY 10594
U.S.A.
For license inquiries regarding double-byte (DBCS) information, contact the IBM
Intellectual Property Department in your country or region or send inquiries, in
writing, to:
IBM World Trade Asia Corporation
Licensing
2-31 Roppongi 3-chome, Minato-ku
Tokyo 106-0032, Japan
The following paragraph does not apply to the United Kingdom or any other
country or region where such provisions are inconsistent with local law:
INTERNATIONAL BUSINESS MACHINES CORPORATION PROVIDES THIS
PUBLICATION AS IS WITHOUT WARRANTY OF ANY KIND, EITHER
EXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
WARRANTIES OF NON-INFRINGEMENT, MERCHANTABILITY OR FITNESS
FOR A PARTICULAR PURPOSE. Some states do not allow disclaimer of express or
implied warranties in certain transactions, therefore, this statement may not apply
to you.
This information could include technical inaccuracies or typographical errors.
Changes are periodically made to the information herein; these changes will be
incorporated in new editions of the publication. IBM may make improvements
and/or changes in the product(s) and/or the program(s) described in this
publication at any time without notice.
Any references in this information to non-IBM Web sites are provided for
convenience only and do not in any manner serve as an endorsement of those Web
sites. The materials at those Web sites are not part of the materials for this IBM
product and use of those Web sites is at your own risk.
Licensees of this program who wish to have information about it for the purpose
of enabling: (i) the exchange of information between independently created
611
programs and other programs (including this one) and (ii) the mutual use of the
information which has been exchanged, should contact:
IBM Corporation
Software Interoperability Coordinator
3605 Highway 52 N
Rochester, MN 55901-7829
U.S.A.
Such information may be available, subject to appropriate terms and conditions,
including in some cases, payment of a fee.
The licensed program described in this information and all licensed material
available for it are provided by IBM under terms of the IBM Customer Agreement,
IBM International Program License Agreement, or any equivalent agreement
between us.
Any performance data contained herein was determined in a controlled
environment. Therefore, the results obtained in other operating environments may
vary significantly. Some measurements may have been made on development-level
systems and there is no guarantee that these measurements will be the same on
generally available systems. Furthermore, some measurement may have been
estimated through extrapolation. Actual results may vary. Users of this document
should verify the applicable data for their specific environment.
Information concerning non-IBM products was obtained from the suppliers of
those products, their published announcements or other publicly available sources.
IBM has not tested those products and cannot confirm the accuracy of
performance, compatibility or any other claims related to non-IBM products.
Questions on the capabilities of non-IBM products should be addressed to the
suppliers of those products.
All statements regarding IBMs future direction or intent are subject to change or
withdrawal without notice, and represent goals and objectives only.
This information contains examples of data and reports used in daily business
operations. To illustrate them as completely as possible, the examples include the
names of individuals, companies, brands, and products. All of these names are
fictitious and any similarity to the names and addresses used by an actual business
enterprise is entirely coincidental.
COPYRIGHT LICENSE:
This information contains sample application programs in source language, which
illustrates programming techniques on various operating platforms. You may copy,
modify, and distribute these sample programs in any form without payment to
IBM, for the purposes of developing, using, marketing or distributing application
programs conforming to the application programming interface for the operating
platform for which the sample programs are written. These examples have not
been thoroughly tested under all conditions. IBM, therefore, cannot guarantee or
imply reliability, serviceability, or function of these programs. You may copy,
modify, and distribute these sample programs in any form without payment to
IBM for the purposes of developing, using, marketing, or distributing application
programs conforming to IBMs application programming interfaces.
If you are viewing this information softcopy, the photographs and color
illustrations may not appear.
612
Trademarks
The following terms are trademarks of International Business Machines
Corporation in the United States, or other countries, or both:
Advanced Function Printing
APPN
Application System/400
AS/400
AS/400e
C/400
CallPath/400
DB2 for OS/400
DRDA
e (Stylized)
FFST
IBM
Integrated Language Environment
iSeriesLotus
Lotus Domino
LPDA
Operating System/400
Operational Assistant
OS/2
OS/400
PrintManager
Print Service Facility
RPG/400
SecureWay
SQL/400
SystemView
System/36
System/38
400
C-bus is a trademark of Corollary, Inc.
Microsoft, Windows, Windows NT, and the Windows 95 logo are registered
trademarks of Microsoft Corporation.
Java and HotJava are trademarks of Sun Microsystems, Inc.
UNIX is a registered trademark in the United States and other countries licensed
exclusively through X/Open Company Limited.
PC Direct is a trademark of Ziff Communications Company and is used by IBM
Corporation under license.
Other company, product, and service names may be trademarks or service marks
of others.
Appendix H. Notices
613
614
Related information
You may need to refer to other IBM books for
more specific information about a particular topic.
The following IBM iSeries books contain
information that you may need.
Advanced Security
v Tips and Tools for Securing Your iSeries,
SC41-5300-06, provides a set of practical
suggestions for using the security features of
iSeries and for establishing operating
procedures that are securityconscious. This
book also describes how to set up and use
security and use security tools that are part of
OS/400. See the iSeries: Information Center
Supplemental Manuals CD-ROM.
v Implementing iSeries 400 Security, 3rd Edition by
Wayne Madden and Carol Woodbury.
Loveland, Colorado: 29th Street Press, a
division of Duke Communication International,
1998. Provides guidance and practical
suggestions for planning, setting up, and
managing your iSeries security.
ISBN Order Number
1882419782
Backup and Recovery

v Backup and Recovery, SC41-5304-06, provides
information about planning a backup and
recovery strategy, saving information from your
system, and recovering your system, how to
use journaling, commitment control, auxiliary
storage pools, and disk protection options. See
the iSeries: Information Center Supplemental
Manuals CD-ROM.
v Additional backup and recovery information
can be found in the Information Center. See
Prerequisite and related information on
page xvi for more information.
Basic Security Information and

Physical Security
v The Basic System Security and Planning topic
in the Information Center explains why security
is necessary, defines major concepts, and
provides information on planning,
implementing, and monitoring basic security on
the system. See Prerequisite and related

iSeries Access for Windows

Licensed Program
v The iSeries Access for Windows topic in the
Information Center provides technical
information about the iSeries Access for
Windows programs for all versions of iSeries
Access for Windows. See Prerequisite and
related information on page xvi for details.
Communications and Networking

v SNA Distribution Services, SC41-5410-01,
provides information about configuring a
network for Systems Network Architecture
distribution services (SNADS) and the Virtual
Machine/Multiple Virtual Storage (VM/MVS)
bridge. In addition, object distribution
functions, document library services, and
system distribution directory services are
discussed.
v Remote Work Station Support, SC41-5402-00,
provides information on how to set up and use
remote work station support, such as display
station pass-through, distributed host command
facility, and 3270 remote attachment. See the
iSeries: Information Center Supplemental
Manuals CD-ROM.
v The Information Center provides information
about remote file processing. It describes how
to define a remote file to OS/400 distributed
data management (DDM), how to create a
DDM file, what file utilities are supported
through DDM, and the requirements of OS/400
DDM as related to other systems. See
page xvi for details.
that describes how to use and configure
TCP/IP and the several TCP/IP applications,
such as FTP, SMTP, and TELNET. See
615
Cryptography
v Cryptographic Support/400, SC41-3342-00,
describes the data security capabilities of the
Cryptographic Facility licensed program
product. It explains how to use the facility and
provides reference information for
programmers. See the iSeries: Information
Center Supplemental Manuals CD-ROM.
General System Operations

v Basic system operations in the Information
Center provides information about how to start
and stop the system and work with system
problems. See Prerequisite and related
information on page xvi for more details.
IBM-Supplied Program
Installation and System
Configuration
v Local Device Configuration, SC41-5121-00,
provides information about how to do an initial
configuration and how to change that
configuration. It also contains conceptual
information about device configuration. See the
iSeries: Information Center Supplemental
Manuals CD-ROM.
v Software Installation, SC41-5120-06, provides
step-by-step procedures for initial install,
installing licensed programs, program
temporary fixes (PTFs), and secondary
languages from IBM. See the iSeries:
Information Center Supplemental Manuals
CD-ROM.
v iSeries and the Internet, G3256321, helps you

address potential security concerns you may
have when connecting your iSeries to the
Internet. For more information, visit the
following IBM I/T (Information Technology)
Security home page:
http://www.ibm.com/security
v Cool Title About the AS/400 and Internet,

SG244815, can help you understand and then
use the Internet (or your own intranet) from
your iSeries. It helps you to understand how to
use the functions and features. This book helps
you to get started quickly using e-mail, file
transfer, terminal emulation, gopher, HTTP, and
5250 to HTML Gateway.
IBM Lotus Domino

v The URL, http://notes.net/notesua.nsf,
provides information on Lotus Notes, Domino,
and IBM Domino for iSeries. From this web
site, you can download information in Domino
database (.NSF) and Adobe Acrobat (.PDF)
format, search databases, and find out how to
obtain printed manuals.
Migration and System/36

Environment
v System/38 Migration Planning, SC41-4153-00,
provides information to help migrate products
and applications using the System/38
Migration Aid (program 5714-MG1). It includes
information for planning the details of
migration and an overview of the functions on
the System/38 to iSeries Migration Aid.
Integrated File System
Optical Support
v The File Systems and Management topic in the

Information Center provides an overview of the
integrated file system, including what it is, how
it might be used, and what interfaces are
available. See Prerequisite and related
v Optical Support, SC41-5310-03, provides

information on functions that are unique for
Optical Support. It also contains helpful
information for the use and understanding of;
CD-Devices, Directly attached Optical Media
Library Devices, and LAN attached Optical
Media Library Devices. See the iSeries:
CD-ROM.
The Internet
v AS/400 Internet Security: Protecting Your AS/400
from HARM on the Internet SG244929 discusses
the security issues and the risk associated with
connecting your iSeries to the Internet. It
provides examples, recommendations, tips, and
techniques for applications.
616
Printing
on printing elements and concepts of the
system, printer file and print spooling support
for printing operation, and printer connectivity.
See Prerequisite and related information on
Programming
v CL Programming, SC41-5721-05, provides a
wide-ranging discussion of programming
topics, including a general discussion of objects
and libraries, CL programming, controlling
flow and communicating between programs,
working with objects in CL programs, and
creating CL programs. Other topics include
predefined and impromptu messages and
message handling, defining and creating
user-defined commands and menus, application
testing, including debug mode, breakpoints,
traces, and display functions. See the iSeries:
CD-ROM.
v The CL topic in the Information Center (see
page xvi for details) provides a description of
all the iSeries control language (CL) and its
OS/400 commands. The OS/400 commands are
used to request functions of the Operating
System/400 (5738-SS1) licensed program. All
the non-OS/400 CL commandsthose
associated with the other licensed programs,
including all the various languages and
utilitiesare described in other books that
support those licensed programs.
v The Programming topic in the Information
Center provides information about many of the
languages and utilities available on the iSeries.
It contains summaries of:
All iSeries CL commands (in OS/400
program and in all other licensed programs),
in various forms.
Information related to CL commands, such
as the error messages that can be monitored
by each command, and the IBM-supplied
files that are used by some commands.
IBM-supplied objects, including libraries.
IBM-supplied system values.
DDS keywords for physical, logical, display,
printer, and ICF files.
REXX instructions and built-in functions.
Other languages (like RPG) and utilities (like

SEU and SDA).
v The Information Center contains several topics
regarding System Management and Work
Management on the iSeries. Some of these
topics include performance data collection,
system values management, and storage
management. For details on accessing the
Information Center, see Prerequisite and
related information on page xvi.
v Work Management, SC41-5306-03, provides
information about how to create and change a
work management environment. See the iSeries:
CD-ROM.
v The API topic in the Information Center (see
page xvi for details) provides information on
how to create, use, and delete objects that help
manage system performance, use spooling
efficiently, and maintain database files
efficiently. This book also includes information
on creating and maintaining the programs for
system objects and retrieving OS/400
information by working with objects, database
files, jobs, and spooling.
Utilities
v WebSphere Development Studio: Application
Development Manager Users Guide,
SC09-2133-02, provides information about using
the Application Development Tools
programming development manager (PDM) to
work with lists of libraries, objects, members,
and user-defined options to easily do such
operations as copy, delete, and rename.
This book contains activities and reference
material to help the user learn PDM. The most
commonly used operations and function keys
are explained in detail using examples.
v ADTS for AS/400: Source Entry Utility,
SC09-2605-00, provides information about using
the Application Development Tools source
entry utility (SEU) to create and edit source
members. The book explains how to start and
end an SEU session and how to use the many
features of this full-screen text editor. The book
contains examples to help both new and
experienced users accomplish various editing
tasks, from the simplest line commands to
using pre-defined prompts for high-level
languages and data formats.See the iSeries:
CD-ROM.
Related information
617
v The DB2 Universal Database for iSeries topic in

the Information Center provides an overview of
how to design, write, run, and test SQL/400*
statements. It also describes interactive
Structured Query Language (SQL), and
provides examples of how to write SQL
statements in COBOL, RPG, C, FORTRAN, and
PL/I programs. See Prerequisite and related
v The DB2 Universal Database for iSeries topic in
the Information Center provides information on
how to:
Build, maintain, and run SQL queries
Create reports ranging from simple to
complex
Build, update, manage, query, and report on
database tables using a forms-based interface
Define and prototype SQL queries and
reports for inclusion in application programs
See Prerequisite and related information on
618
Index
Special Characters
(*Mgt) Management authority 120
(*Ref) Reference authority 120
(Display Link) command
object authority required 351
(Move) command
(user identification number) parameter
user profile 99
*ADD (add) authority 120, 309
*ADOPTED (adopted) authority 142
*ADVANCED (advanced) assistance
level 71
*ALL (all) authority 121, 310
*ALLOBJ 79
user class authority 10
*ALLOBJ (all object) special authority
added by system
changing security levels 13
auditing 250
failed sign-on 187
functions allowed 76
removed by system
restoring profile 238
risks 76
*ALRTBL (alert table) object
auditing 446
*ASSIST Attention-key-handling
program 95
*AUDIT (audit) special authority
risks 79
*AUTFAIL (authority failure) audit
level 255
*AUTHLR (authority holder) object
auditing 447
*AUTL (authorization list) object
auditing 446
*AUTLMGT (authorization list
management) authority 120, 309
*BASIC (basic) assistance level 71
*BNDDIR (binding directory) object
auditing 447
*BREAK (break) delivery mode
user profile 92
*CFGL (configuration list) object
auditing 448
*CHANGE (change) authority 121, 310
*CHRSF (Special Files) object
auditing 448
*CHTFMT (chart format) object
auditing 448
*CLD (C locale description) object
auditing 450
*CLKWD (CL keyword) user option 97,
98
*CLS (Class) object auditing 450
*CMD (command string) audit level 255
*CMD (Command) object auditing 450
*CNNL (connection list) object

auditing 451
*COSD (class-of-service description)
object auditing 451
*CREATE (create) audit level 255
*CRQD
restoring
audit journal (QAUDJRN)
entry 255
*CRQD (change request description)
object auditing 449
*CRQD change (CQ) file layout 519
*CSI (communications side information)
object auditing 452
*CSPMAP (cross system product map)
object auditing 452
*CSPTBL (cross system product table)
object auditing 452
*CTLD (controller description) object
auditing 452
*DELETE (delete) audit level 255
*DEVD (device description) object
auditing 453
*DFT (default) delivery mode
user profile 92
*DIR (directory) object auditing 454
*DISABLED (disabled) user profile status
description 69
QSECOFR (security officer) user
profile 69
*DLT (delete) authority 120, 309
*DOC (document) object auditing 458
*DTAARA (data area) object
auditing 462
*DTADCT (data dictionary) object
auditing 462
*DTAQ (data queue) object auditing 462
*EDTD (edit description) object
auditing 463
*ENABLED (enabled) user profile
status 69
*EXCLUDE (exclude) authority 121
*EXECUTE (execute) authority 120, 309
*EXITRG (exit registration) object
auditing 463
*EXPERT (expert) user option 97, 98,
147
*FCT (forms control table) object
auditing 464
*FILE (file) object auditing 464
*FNTRSC (font resource) object
auditing 467
*FORMDF (form definition) object
auditing 468
*FTR (filter) object auditing 468
*GROUP (group) authority 142
*GSS (graphic symbols set) object
auditing 469
*HLPFULL (full-screen help) user
option 98
*HOLD (hold) delivery mode

user profile 92
*IGCDCT (double-byte character set
dictionary) object auditing 469
*IGCSRT (double-byte character set sort)
object auditing 469
*IGCTBL (double-byte character set table)
object auditing 470
*INTERMED (intermediate) assistance
level 71
*IOSYSCFG (system configuration)
special authority
risks 79
*JOBCTL (job control) special authority
output queue parameters 198
priority limit (PTYLMT) 85
risks 77
*JOBD (job description) object
auditing 470
*JOBDTA (job change) audit level 255
*JOBQ (job queue) object auditing 470
*JOBSCD (job scheduler) object
auditing 471
*JRN (journal) object auditing 471
*JRNRCV (journal receiver) object
auditing 473
*LIB (library) object auditing 473
*LIND (line description) object
auditing 474
*MENU (menu) object auditing 475
*Mgt (Management) authority 120
*MODD (mode description) object
auditing 476
*MODULE (module) object auditing 476
*MSGF (message file) object
auditing 477
*MSGQ (message queue) object
auditing 477
*NODGRP (node group) object
auditing 478
*NODL (node list) object auditing 479
*NOSTSMSG (no status message) user
option 98
*NOTIFY (notify) delivery mode
user profile 92
*NTBD (NetBIOS description) object
auditing 479
*NWID (network interface) object
auditing 479
*NWSD (network server description)
object auditing 480
*OBJALTER (object alter) authority 120,
309
*OBJEXIST (object existence)
authority 120, 309
*OBJMGT (object management) audit
level 255
*OBJMGT (object management)
authority 120, 309
619
*OBJOPR (object operational)

authority 120, 309
*OBJREF (object reference)
authority 120, 309
*OFCSRV (office services) audit
level 255, 457, 475
*OUTQ (output queue) object
auditing 480
*OVL (overlay) object auditing 481
*PAGDFN (page definition) object
auditing 482
*PAGSEG (page segment) object
auditing 482
*PARTIAL (partial) limit capabilities 74
*PDG (print descriptor group) object
auditing 482
*PGM (program) object 482
*PGMADP (adopted authority) audit
level 255
*PGMFAIL (program failure) audit
level 255
*PNLGRP (panel group) object
auditing 484
*PRDAVL (product availability) object
auditing 484
*PRDDFN (product definition) object
auditing 484
*PRDLOD (product load) object
auditing 484
*PRTDTA (printer output) audit
level 255
*PRTMSG (printing message) user
option 98
*QMFORM (query manager form) object
auditing 485
*QMQRY (query manager query) object
auditing 485
*QRYDFN (query definition) object
auditing 486
*R (read) 122, 310
*RCT (reference code table) object
auditing 487
*READ (read) authority 120, 309
*Ref (Reference) authority 120
*ROLLKEY (roll key) user option 98
*RW (read, write) 122, 310
*RWX (read, write, execute) 122, 310
*RX (read, execute) 122, 310
*S36 (S/36 machine description) object
auditing 497
*S36 (System/36) special
environment 80
*SAVRST (save/restore) audit level 255
*SAVSYS 79
*SAVSYS (save system) special authority
*OBJEXIST authority 120, 309
description 244
removed by system
risks 77
*SBSD (subsystem description) object
auditing 487
*SCHIDX (search index) object
auditing 489
*SECADM (security administrator)
special authority 76
620

special authority (continued)
*SECURITY (security) audit level 255
*SERVICE (service tools) audit level 255
*SERVICE (service) special authority
failed sign-on 187
risks 77
*SIGNOFF initial menu 73
*SOCKET (local socket) object
auditing 489
*SPADCT (spelling aid dictionary) object
auditing 491
*SPLCTL (spool control) special authority
risks 77
*SPLFDTA (spooled file changes) audit
level 255, 491
*SQLPKG (SQL package) object
auditing 492
*SRVPGM (service program) object
auditing 492
*SSND (session description) object
auditing 493
*STMF (stream file) object auditing 493
*STSMSG (status message) user
option 98
*SVRSTG (server storage space)
object 493
*SYNLNK (symbolic link) object
auditing 496
*SYSMGT (system management) audit
level 255
*SYSTEM (system) domain 15
*SYSTEM (system) state 16
*TBL (table) object auditing 497
*TYPEAHEAD (type-ahead) keyboard
buffering 84
*UPD (update) authority 120, 309
*USE (use) authority 121, 310
*USER (user) domain 15
*USER (user) state 16
*USRIDX (user index) object 19
*USRIDX (user index) object
auditing 497
*USRPRF (user profile) object
auditing 498
*USRQ (user queue) object 19
*USRQ (user queue) object auditing 499
*USRSPC (user space) object 19
*USRSPC (user space) object
auditing 499
*VLDL (validation list) object
auditing 499
*W (write) 122, 310
*WX (write, execute) 122, 310
*X (execute) 122, 310
A
access
preventing
unauthorized 251
unsupported interface 15
access (continued)
restricting
console 248
workstations 248
unauthorized
audit journal entry 255
access code
object authority required for
commands 399
access command (Determine File
Accessibility)
object auditing 454
access control list
changing
entry 255
access control list change (VA) journal
entry type 255
access path recovery
action auditing 446
commands 319
accessx command (Determine File
Accessibility)
object auditing 454
account limit
exceeded
entry 255
account limit exceeded (VL) file
layout 583
account limit exceeded (VL) journal entry
type 255
accounting code (ACGCDE) parameter
changing 90
user profile 90
Accumulating Special Authorities 230
ACGCDE (accounting code) parameter
changing 90
user profile 90
action auditing
access path recovery 446
definition 253
directory services 457
mail services 475
office services 475
planning 253
reply list 487
spooled files 491
action auditing (AUDLVL) parameter
user profile 102
action to spooled file (SF) file layout 572
action to system value (SV) file
layout 581
action when sign-on attempts reached
(QMAXSGNACN) system value
description 31
value set by CFGSYSSEC
command 607
activating
security auditing function 267
user profile 599
active profile list
changing 599
AD (auditing change) file layout 506
AD (auditing change) journal entry
type 255
add (*ADD) authority 120, 309

(ADDAUTLE) command 154, 283
Add Directory Entry (ADDDIRE)
command 288
Add Document Library Object Authority
(ADDDLOAUT) command 287
Add Job Schedule Entry (ADDJOBSCDE)
command
SECBATCH menu 602
Add Library List Entry (ADDLIBLE)
command 193, 196
Add User display
sample 106
ADDACC (Add Access Code) command
authorized IBM-supplied user
profiles 299
object auditing 461
ADDAJE (Add Autostart Job Entry)
command
object auditing 487
ADDALRACNE (Add Alert Action Entry)
command
object auditing 468
ADDALRD (Add Alert Description)
command
object auditing 446
ADDALRSLTE (Add Alert Selection
Entry) command
object auditing 468
ADDAUTLE (Add Authorization List
Entry) command
description 283
object auditing 447
using 154
ADDBESTMDL () command
profiles 299
ADDBKP (Add Breakpoint) command
ADDBNDDIRE (Add Binding Directory
Entry) command
object auditing 448
ADDBSCDEVE (Add BSC Device Entry)
command
object auditing 465
ADDCFGLE (Add Configuration List
Entries) command
object auditing 448
ADDCMDCRQA (Add Command
Change Request Activity) command
profiles 299
object auditing 449
ADDCMNDEVE (Add Communications
Device Entry) command
object auditing 465
ADDCMNE (Add Communications

Entry) command
object auditing 487
ADDCNNLE (Add Connection List
Entry) command
object auditing 451
ADDCOMSNMP (Add Community for
SNMP) command
ADDCRSDMNK (Add Cross Domain
Key) command
profiles 299
ADDDIRE (Add Directory Entry)
command
description 288
ADDDIRSHD (Add Directory Shadow
System) command
ADDDLOAUT (Add Document Library
Object Authority) command
description 287
object auditing 459
ADDDSPDEVE (Add Display Device
Entry) command
object auditing 465
ADDDSTLE (Add Distribution List Entry)
command
ADDDSTQ (Add Distribution Queue)
command
profiles 299
ADDDSTRTE (Add Distribution Route)
command
profiles 299
ADDDSTSYSN (Add Distribution
Secondary System Name) command
profiles 299
ADDDTADFN (Add Data Definition)
command
ADDEMLCFGE (Add Emulation
Configuration Entry) command
ADDENVVAR (Add Environment
Variable) command
ADDEWCBCDE (Add Extended Wireless
Controller Bar Code Entry) command
ADDEWCM (Add Extended Wireless
Controller Member) command
ADDEWCPTCE (Add Extended Wireless
Controller PTC Entry) command
ADDEWLM (Add Extended Wireless

Line Member) command
ADDEXITPGM (Add Exit Program)
command
profiles 299
object auditing 463
ADDFCTE (Add Forms Control Table
Entry) command
ADDFNTTBLE (Add Font Table Entry)
commands 319
ADDICFDEVE (Add Intersystem
Communications Function Program
object auditing 465
adding
authorization list
entries 154, 283
objects 155
users 154, 283
directory entry 288
document library object (DLO)
authority 287
library list entry 193, 196
server authentication entry 288
user authority 148
user profiles 106
ADDIPSIFC (Add IP over SNA Interface)
command
ADDIPSLOC (Add IP over SNA Location
Entry) command
ADDIPSRTE (Add IP over SNA Route)
command
ADDJOBQE (Add Job Queue Entry)
command
object auditing 470, 487
ADDJOBSCDE (Add Job Schedule Entry)
command
object auditing 471
SECBATCH menu 602
ADDLANADPI (Add LAN Adapter
Information) command
ADDLFM (Add Logical File Member)
command
object auditing 465
ADDLIBLE (Add Library List Entry)
command 193, 196
ADDLICKEY (Add License Key)
command
ADDLNK (Add Link) command
Index
621
ADDMFS (Add Mounted File System)

command
profiles 299
ADDMFS (Add Mounted File System)
command) command
ADDMSGD (Add Message Description)
command
object auditing 477
ADDNETJOBE (Add Network Job Entry)
command
profiles 299
ADDNETTBLE (Add Network Table
Entry) command
ADDNODLE (Add Node List Entry)
command
object auditing 479
ADDNWSSTGL (Add Network Server
Storage Link) command
ADDOBJCRQA (Add Object Change
Request Activity) command
profiles 299
object auditing 449
ADDOFCENR (Add Office Enrollment)
command
object auditing 459
ADDOPTCTG (Add Optical Cartridge)
command
profiles 299
ADDOPTSVR (Add Optical Server)
command
profiles 299
ADDPCST (Add Physical File Constraint)
command
ADDPEXDFN () command
profiles 299
ADDPEXDFN (Add Performance
Explorer Definition) command
ADDPEXFTR () command
profiles 299
ADDPFCST (Add Physical File
Constraint) command
object auditing 465
ADDPFM (Add Physical File Member)
command
object auditing 465
622
ADDPFTFG (Add Physical File Trigger)

command
ADDPFTRG (Add Physical File Trigger)
command
object auditing 465
ADDPFVLM (Add Physical File
Variable-Length Member) command
object auditing 465
ADDPGM (Add Program) command
ADDPJE (Add Prestart Job Entry)
command
object auditing 487
ADDPRBACNE (Add Problem Action
Entry) command
object auditing 468
object authority required 349, 411
ADDPRBSLTE (Add Problem Selection
Entry) command
object auditing 468
ADDPRDCRQA (Add Product Change
profiles 299
object auditing 449
ADDPRDLICI (Add Product License
object auditing 484
ADDPTFCRQA (Add PTF Change
profiles 299
object auditing 449
ADDRDBDIRE (Add Relational Database
Directory Entry) command
ADDRJECMNE (Add RJE
Communications Entry) command
ADDRJERDRE (Add RJE Reader Entry)
command
ADDRJEWTRE (Add RJE Writer Entry)
command
ADDRMTJRN (Add Remote Journal)
command
object auditing 472
ADDRMTSVR (Add Remote Server)
command
ADDRPYLE (Add Reply List Entry)
command
profiles 299
object auditing 487
ADDRSCCRQA (Add Resource Change
profiles 299
object auditing 449
ADDRSCCRQA (Add Resource Change

Request Activity) command (continued)
ADDRTGE (Add Routing Entry)
command
object auditing 488
ADDSCHIDXE (Add Search Index Entry)
command
ADDSOCE (Add Sphere of Control
Entry) command
ADDSRVTBLE (Add Service Table Entry)
command
ADDSVRAUTE (Add Server
Authentication Entry) command
ADDTAPCTG (Add Tape Cartridge)
command
ADDTCPHTE (Add TCP/IP Host Table
Entry) command
ADDTCPIFC (Add TCP/IP Interface)
command
ADDTCPPORT (Add TCP/IP Port Entry)
command
ADDTCPRSI (Add TCP/IP Remote
System Information) command
ADDTCPRTE (Add TCP/IP Route)
command
ADDTRC (Add Trace) command
ADDWSE (Add Work Station Entry)
command
object auditing 488
adopted
authority
displaying 142
adopted (*ADOPTED) authority 142
adopted authority
*PGMADP (program adopt) audit
level 255
AP (adopted authority) file
layout 512
AP (adopted authority) journal entry
type 255
application design 218, 220, 222
Attention (ATTN) key 137
audit journal (QAUDJRN) entry 255,
512
auditing 251
authority checking example 176, 178
bound programs 138
break-message-handling
program 137
changing
entry 255
adopted authority (continued)

changing (continued)
authority required 137
job 137
creating program 137
debug functions 137
definition 135
displaying
command description 287
critical files 224
programs that adopt a profile 138
USRPRF parameter 138
example 218, 220, 222
flowchart 169
group authority 136
ignoring 139, 220
job initiation 187
library security 123
object ownership 137
printing list of objects 603
purpose 135
recommendations 138
restoring programs
changes to ownership and
authority 242
risks 138
service programs 138
system request function 137
transferring to group job 137
adopting owners authority
See adopted authority
ADSM (QADSM) user profile 293
advanced (*ADVANCED) assistance
level 64, 71
advanced function printing (AFP)
commands 319
advantages
authorization list 228
AF (authority failure) file layout 508
AF (authority failure) journal entry type
default sign-on violation 16
description 255
hardware protection violation 17
job description violation 16
program validation 17, 18
restricted instruction 18
unsupported interface 16, 18
AF_INET sockets over SNA
commands 320
AFDFTUSR (QAFDFTUSR) user
profile 293
AFOWN (QAFOWN) user profile 293
AFP (Advanced Function Printing)
commands 319
AFUSR (QAFUSR) user profile 293
ALCOBJ (Allocate Object) command
object auditing 445
alert
commands 320
alert description
commands 320
alert table
commands 320
alert table (*ALRTBL) object
auditing 446
all (*ALL) authority 121, 310
all object (*ALLOBJ) special authority
added by system
auditing 250
failed sign-on 187
removed by system
restoring profile 238
risks 76
all-numeric password 66
allow limited user (ALWLMTUSR)
parameter
Change Command (CHGCMD)
command 74
Create Command (CRTCMD)
command 74
limit capabilities 74
allow object difference (ALWOBJDIF)
parameter 239
allow object restore (QALWOBJRST)
system value
command 607
allow object restore option
(QALWOBJRST) system value 43
allow remote sign-on (QRMTSIGN)
system value
command 607
allow user objects (QALWUSRDMN)
system value 20, 25
allowed function
limit capabilities (LMTCPB) 74
allowing
users to change passwords 249
alter service function
*SERVICE (service) special
authority 77
ALWLMTUSR (allow limited user)
parameter
command 74
command 74
ALWOBJDIF (allow object difference)
parameter 239
Analyze Default Passwords
(ANZDFTPWD) command
description 599
Analyze Profile Activity (ANZPRFACT)
command
creating exempt users 599
description 599
analyzing
audit journal entries, methods 272
object authority 279
analyzing (continued)
program failure 279
user profile
by special authorities 603
by user class 603
user profiles 277
ANSLIN (Answer Line) command
object auditing 474
ANSQST (Answer Questions) command
profiles 299
ANZACCGRP (Analyze Access Group)
command
ANZBESTMDL (Analyze BEST/1 Model)
command
ANZDBF (Analyze Database File)
command
ANZDBFKEY (Analyze Database File
Keys) command
ANZDFTPWD (Analyze Default
Password) command
Passwords) command
profiles 299
description 599
ANZPFRDT2 (Analyze Performance
Data) command
ANZPFRDTA (Analyze Performance
Data) command
ANZPGM (Analyze Program) command
object auditing 483
ANZPRB (Analyze Problem) command
profiles 299
ANZPRFACT (Analyze Profile Activity)
command
profiles 299
description 599
ANZQRY (Analyze Query) command
object auditing 486
ANZS34OCL (Analyze System/34 OCL)
command
profiles 299
command
command
profiles 299
Index
623
AP (adopted authority) file layout 512

AP (adopted authority) journal entry
type 255
API (application programming interface)
security level 40 15
application design
adopted authority 218, 222
general security
recommendations 208
ignoring adopted authority 220
libraries 213
library lists 215
menus 217
profiles 214
application programming interface (API)
APPN directory (ND) file layout 546
APPN end point (NE) file layout 547
approval program, password 53, 54, 55
approving password 53
APYJRNCHG (Apply Journaled Changes)
command
profiles 299
APYPTF (Apply Program Temporary Fix)
command
profiles 299
APYRMTPTF (Apply Remote Program
Temporary Fix) command
profiles 299
ASKQST (Ask Question) command
assistance level
advanced 64, 71
basic 64, 71
definition 64
example of changing 71
intermediate 64, 71
stored with user profile 71
user profile 70
ASTLVL (assistance level) parameter
user profile 70
ATNPGM (Attention-key-handling
program) parameter
user profile 94
Attention (ATTN) key
adopted authority 137
Attention (ATTN) key buffering 83
*ASSIST 95
changing 95
initial program 94
job initiation 186
QATNPGM system value 95
QCMD command processor 94
QEZMAIN program 95
setting 94
user profile 94
attribute change (AU) file layout 513
AU (attribute change) file layout 513
audit (*AUDIT) special authority
624
audit (*AUDIT) special authority

(continued)
risks 79
audit (QAUDJRN) journal 556
See also object auditing
AD (auditing change) entry type 255
AF (authority failure) entry type 255
description 255
program validation 18
restricted instruction violation 18
unsupported interface 16
unsupported interface
violation 18
analyzing
with query 274
AP (adopted authority) entry
type 255
layout 512
auditing level (QAUDLVL) system
value 61
automatic cleanup 270
CA (authority change) entry type 255
CA (authority change) file layout 513
CD (command string) entry type 255
CD (command string) file layout 516
changing receiver 271
CO (create object) entry type 130,
255
CO (create object) file layout 516
CP (user profile change) entry
type 255
CP (user profile change) file
layout 518
CQ (*CRQD change) file layout 519
CQ (change *CRQD object) entry
type 255
creating 268
CU(Cluster Operations file
layout 520
CV(connection verification) file
layout 521
CY(cryptographic configuration) file
layout 523
damaged 269
detaching receiver 270, 271
DI(directory services) file layout 524
displaying entries 252, 272
DO (delete operation) entry type 255
DO (delete operation) file layout 528
DS (DST password reset) entry
type 255
DS (IBM-Supplied Service Tools User
ID Reset) file layout 530
error conditions 59
EV (Environment variable) file
layout 530
force level 60
GR(generic record) file layout 531
GS (give descriptor) entry type 255
GS (give descriptor) file layout 533
audit (QAUDJRN) journal (continued)

introduction 252
IP (change ownership) entry
type 255
IP (interprocess communication
actions) file layout 534
IP (interprocess communications)
entry type 255
IR(IP rules actions) file layout 535
IS (Internet security management) file
layout 536
JD (job description change) entry
type 255
JD (job description change) file
layout 538
JS (job change) entry type 255
JS (job change) file layout 539
KF (key ring file) file layout 542
LD (link, unlink, search directory) file
layout 544
managing 269
methods for analyzing 272
ML (mail actions) entry type 255
ML (mail actions) file layout 545
NA (network attribute change) entry
type 255
NA (network attribute change) file
layout 546
ND (APPN directory) file layout 546
NE (APPN end point) file layout 547
O1 (optical access) file layout 554,
555
O3 (optical access) file layout 556
OM (object management) entry
type 255
OM (object management) file
layout 547
OR (object restore) entry type 255
OR (object restore) file layout 550
OW (ownership change) entry
type 255
OW (ownership change) file
layout 553
PA (program adopt) entry type 255
PG (primary group change) entry
type 255
PG (primary group change) file
layout 558
PO (printed output) entry type 255
PO (printer output) file layout 560
PS (profile swap) entry type 255
PS (profile swap) file layout 561
PW (password) entry type 255
PW (password) file layout 562
RA (authority change for restored
object) entry type 255
object) file layout 563
receiver storage threshold 270
RJ (restoring job description) entry
type 255
RJ (restoring job description) file
layout 565
RO (ownership change for restored

RP (restoring programs that adopt
authority) entry type 255
authority) file layout 567
RQ (restoring *CRQD object that
adopts authority) file layout 568
RQ (restoring *CRQD object) entry
type 255
RU (restore authority for user profile)
entry type 255
file layout 568
RZ (primary group change for
restored object) entry type 255
restored object) file layout 569
SD (change system distribution
directory) entry type 255
directory) file layout 570
SE (change of subsystem routing
entry) entry type 255
entry) file layout 571
SF (action to spooled file) file
layout 572
SF (change to spooled file) entry
type 255
SG file layout 575, 576
SM (system management change)
entry type 255
SM (system management change) file
layout 577
SO (server security user information
ST (service tools action) entry
type 255
ST (service tools action) file
layout 579
stopping 272
SV (action to system value) entry
type 255
SV (action to system value) file
layout 581
system entries 269
VA (access control list change) entry
type 255
VA (changing access control list) file
layout 581
VC (connection start and end) file
layout 582
VC (connection start or end) entry
type 255
VF (close of server files) file
layout 582
VL (account limit exceeded) entry
type 255
VL (account limit exceeded) file
layout 583
VN (network log on and off) file
layout 583
VN (network log on or off) entry
type 255
VO (validation list) file layout 584
VP (network password error) entry
type 255

VP (network password error) file
layout 586
VR (network resource access) file
layout 586
VS (server session) entry type 255
VS (server session) file layout 587
VU (network profile change) entry
type 255
VU (network profile change) file
layout 587
VV (service status change) entry
type 255
VV (service status change) file
layout 588
X0 (kerberos authentication) file
layout 589
YC (change to DLO object) file
layout 593
YR (read of DLO object) file
layout 593
ZC (change to object) file layout 594
ZM (change to object) file layout 595
ZR (read of object) file layout 596
audit control (QAUDCTL) system value
changing 289, 601
displaying 289, 601
audit function
activating 267
starting 267
stopping 272
audit journal
displaying entries 289
printing entries 603
working with 271
audit journal receiver
creating 268
deleting 272
naming 268
saving 271
audit level (AUDLVL) parameter
*AUTFAIL (authority failure)
value 255
*CMD (command string) value 255
*CREATE (create) value 255
*DELETE (delete) value 255
*JOBDTA (job change) value 255
value 255
*OFCSRV (office services) value 255
*PGMADP (adopted authority)
value 255
*PGMFAIL (program failure)
value 255
*SAVRST (save/restore) value 255
*SECURITY (security) value 255
*SERVICE (service tools) value 255
*SPLFDTA (spooled file changes)
value 255
*SYSMGT (system management)
value 255
changing 115
audit level (QAUDLVL) system value
value 255
audit level (QAUDLVL) system value

(continued)
value 255
value 255
value 255
*PRTDTA (printer output) value 255
value 255
value 255
changing 268, 289, 601
displaying 289, 601
purpose 253
user profile 102
auditing
*ALLOBJ (all object) special
authority 250
*AUDIT (audit) special authority 78
See also audit (QAUDJRN) journal
abnormal end 59
actions 253
activating 267
authority
user profiles 250
authorization 250
changing
command description 284, 287
checklist for 247
communications 252
controlling 58
directory services 457
encryption of sensitive data 252
ending 58
error conditions 59
group profile
authority 250
membership 250
password 249
IBM-supplied user profiles 248
inactive users 250
job descriptions 251
library lists 251
mail services 475
methods 275
network attributes 252
object
default 265
planning 263
object integrity 280
office services 475
overview 247
password controls 249
physical security 248
Index
625
auditing (continued)
planning
overview 253
system values 265
program failure 279
programmer authorities 250
QTEMP objects 267
remote sign-on 252
reply list 487
save operations 245
security officer 280
sensitive data
authority 250
encrypting 252
setting up 267
sign-on without user ID and
password 251
spooled files 491
starting 267
steps to start 267
stopping 58, 272
system values 58, 248, 265
unauthorized access 251
unauthorized programs 252
unsupported interfaces 252
user profile
authority 250
administration 250
using
journals 276
QHST (history) log 276
QSYSMSG message queue 252
working on behalf 475
working with user 115
auditing change (AD) file layout 506
auditing change (AD) journal entry
type 255
auditing control (QAUDCTL) system
value
overview 58
auditing end action (QAUDENDACN)
system value 59, 266
auditing force level (QAUDFRCLVL)
value 61
AUDLVL (audit level) parameter
*CMD (command string) value 255
user profile 102
AUT (authority) parameter
creating libraries 144
creating objects 145
specifying authorization list
(*AUTL) 154
user profile 100
AUTCHK (authority to check)
parameter 198
authentication
digital ID 103
Authorities, Accumulating Special 230
authorities, field 123
Authorities, Special 230
authority
*ADD (add) 120, 309
*ALL (all) 121, 310
626
authority (continued)
authority 76
*AUTLMGT (authorization list
management) 120, 127, 309
*CHANGE (change) 121, 310
*DLT (delete) 120, 309
*EXCLUDE (exclude) 121
*EXECUTE (execute) 120, 309
*JOBCTL (job control) special
authority 76
*Mgt 120
*OBJALTER (object alter) 120, 309
*OBJEXIST (object existence) 120, 309
*OBJMGT (object management) 120,
309
*OBJOPR (object operational) 120,
309
*OBJREF (object reference) 120, 309
*R (read) 122, 310
*READ (read) 120, 309
*Ref (Reference) 120
*RW (read, write) 122, 310
*RWX (read, write, execute) 122, 310
*RX (read, execute) 122, 310
*SAVSYS (save system) special
authority 77
authority 77
*SPLCTL (spool control) special
authority 77
*UPD (update) 120, 309
*USE (use) 121, 310
*W (write) 122, 310
*WX (write, execute) 122, 310
*X (execute) 122, 310
See also authority checking
adding users 148
adopted 512
application design 218, 220, 222
entry 255
auditing 279
authority checking example 176,
178
displaying 142, 224
ignoring 220
purpose 135
assigning to new object 131
authorization for changing 146
authorization list
format on save media 237
management (*AUTLMGT) 120,
309
stored on save media 237
storing 236
changing 513
entry 255
procedures 146
checking 156
batch job initiation 186
interactive job initiation 185
sign-on process 185
commonly used subsets 121
copying
example 109
recommendations 153
renaming profile 115
data
definition 120
definition 120
deleting user 148
detail, displaying (*EXPERT user
option) 97, 98
directory 5
displaying
displaying detail (*EXPERT user
option) 97, 98
displays 141
field
definition 120
group
displaying 142
example 173, 177
holding when deleting file 139
ignoring adopted 139
introduction 5
library 5
Management authority
*Mgt(*) 120
multiple objects 149
new object
CRTAUT (create authority)
parameter 127, 144
example 131
GRPAUT (group authority)
parameter 88, 129
GRPAUTTYP (group authority
type) parameter 89
QCRTAUT (create authority)
system value 25
QUSEADPAUT (use adopted
authority) system value 34
object
*ADD (add) 120, 309
*DLT (delete) 120, 309
*EXECUTE (execute) 120, 309
*OBJEXIST (object existence) 120,
309
*OBJMGT (object
management) 120, 309
*OBJOPR (object operational) 120,
309
*READ (read) 120, 309
*Ref (Reference) 120
*UPD (update) 120, 309
definition 120
exclude (*EXCLUDE) 121
storing 236
object alter (*OBJALTER) 120, 309
object reference (*OBJREF) 120, 309
primary group 119, 130
example 174
working with 112
private
definition 119
restoring 235, 240
saving 235
public
definition 119
example 175, 178
restoring 235, 239
saving 235
referenced object
using 153
removing user 148
restoring
entry 255
description of process 241
overview of commands 235
procedure 240
special (SPCAUT) authority
parameter 75
storing
with object 236
with user profile 236
system-defined subsets 121
user profile
storing 236
user-defined 147
using generic to grant 149
working with
authority (AUT) parameter
creating libraries 144
creating objects 145
specifying authorization list
(*AUTL) 154
user profile 100
authority cache
private authorities 184
authority change (CA) file layout 513
authority change (CA) journal entry
type 255
authority change for restored object (RA)
file layout 563
authority change for restored object (RA)
journal entry type 255
authority checking
See also authority
adopted authority
example 176, 178
flowchart 169
authorization list
example 179
group authority
example 173, 177
owner authority
flowchart 162
primary group
example 174
private authority
flowchart 161
authority checking (continued)

public authority
example 175, 178
flowchart 168
sequence 156
authority failure
audit journal (QAUDJRN) entry 255
device description 187
job initiation 185
program validation 17, 18
sign-on process 185
authority failure (*AUTFAIL) audit
level 255
authority failure (AF) file layout 508
authority failure (AF) journal entry
type 255
description 255
authority holder
automatically created 140
commands for working with 283,
288
creating 139, 283, 288
deleting 140, 283
description 139
displaying 139, 283
maximum storage limit exceeded 130
object auditing 447
commands 322
printing 289
restoring 235
risks 140
saving 235
System/36 migration 140
authority profile (QAUTPROF) user
profile 293
authority table 237
authority, object
See object authority
authorization
auditing 250
authorization list
adding
entries 154, 283
objects 155
users 154
advantages 228
authority
changing 154
storing 237
authority checking
example 179
changing
entry 283
comparison
group profile 230
creating 153, 283
damaged 243
deleting 155, 283
description 126
authorization list (continued)

displaying
document library objects
(DLO) 287
objects 155, 283
users 283
displaying 287
editing 154, 283
entry
adding 154
group profile
comparison 230
introduction 5
management (*AUTLMGT)
authority 120, 127, 309
object auditing 446
commands 323
printing authority information 603
QRCLAUTL (reclaim storage) 244
reclaim storage (QRCLAUTL) 244
recovering damaged 243
removing
entries 283
objects 155
users 154, 283
restoring
association with object 239
retrieving entries 283
saving 235
securing IBM-supplied objects 127
securing objects 155
storing
authority 236, 237
user
adding 154
working with 283
Authorization lists
advantages 227
planning 227
authorization methods
combining
example 181
profiles 299
authorized user
displaying 286
AUTOCFG (automatic device
configuration) value 36
automatic configuration (QAUTOCFG)
system value
command 607
automatic configuration of virtual devices
(QAUTOVRT) system value 36
automatic creation
user profile 63
automatic device configuration
(AUTOCFG) value 36
(QAUTOCFG) system value
overview 36
automatic install (QLPAUTO) user profile
default values 293
Index
627
automatic virtual-device configuration

(QAUTOVRT) system value
command 607
availability 1
B
backing up
security information 235
backup
commands 400
backup media
protecting 248
basic (*BASIC) assistance level 64, 71
basic service (QSRVBAS) user profile
authority to console 189
default values 293
batch
restricting jobs 205
batch job
authority 77
priority 85
security when starting 185, 186
BCHJOB (Batch Job) command
binding directory
commands 323
binding directory object auditing 447
bound program
definition 138
break (*BREAK) delivery mode
user profile 92
break-message-handling program
BRM (QBRMS) user profile 293
buffering
Attention key 83
keyboard 83
C
C locale description (*CLD) auditing 450
C2 security
description 6
CA (authority change) journal entry
type 255
CALL (Call Program) command
transferring adopted authority 136
Call Program (CALL) command
call-level interface
calling
program
transferring adopted
authority 136
canceling
audit function 272
628
cartridge
commands 390
CCSID (coded character set identifier)
parameter
user profile 96
CD (command string) journal entry
type 255
CFGDSTSRV (Configure Distribution
Services) command
profiles 299
CFGIPS (Configure IP over SNA
Interface) command
CFGRPDS (Configure VM/MVS Bridge)
command
profiles 299
CFGSYSSEC (Configure System Security)
command
profiles 299
description 290, 607
CFGTCP (Configure TCP/IP) command
CFGTCPAPP (Configure TCP/IP
Applications) command
CFGTCPLPD (Configure TCP/IP LPD)
command
CFGTCPSMTP (Configure TCP/IP SMTP)
command
CFGTCPTELN (Change TCP/IP
TELNET) command
change (*CHANGE) authority 121, 310
change *CRQD object (CQ) journal entry
type 255
Change Accounting Code
(CHGACGCDE) command 90
Change Activation Schedule Entry
(CHGACTSCDE) command
description 599
Change Active Profile List
(CHGACTPRFL) command
description 599
Change Auditing (CHGAUD) command
using 115
Change Authority (CHGAUT)
command 147, 284
(CHGAUTLE) command
description 283
using 154
Change Command (CHGCMD) command
parameter 74
PRDLIB (product library)
parameter 196

command (continued)
security risks 196
(CHGCMDDFT) command 224
Change Current Library (CHGCURLIB)
command
restricting 196
Password (CHGDSTPWD)
command 285
Change Directory Entry (CHGDIRE)
command 288
Auditing (CHGDLOAUD) command
description 287
QAUDCTL (Auditing Control) system
value 58
Authority (CHGDLOAUT)
command 287
Change Document Library Object Owner
(CHGDLOOWN) command 287
Primary (CHGDLOPGP) command
description 287
Change Expiration Schedule Entry
(CHGEXPSCDE) command
description 599
Change Job (CHGJOB) command
Change Journal (CHGJRN)
command 270, 271
Change Library List (CHGLIBL)
command 193
Change Library Owner (CHGLIBOWN)
tool 232
Change Menu (CHGMNU) command
parameter 196
security risks 196
Change Network Attributes (CHGNETA)
command 200
Change Node Group Attributes (Change
Node Group Attributes) command
object auditing 479
command
value 58
Change Object Owner (CHGOBJOWN)
command 151, 284
(CHGOBJPGP) command 130, 152, 284
change of subsystem routing entry (SE)
file layout 571
change of subsystem routing entry (SE)
change of system value (SV) journal entry
type 255
Change Output Queue (CHGOUTQ)
command 197
Change Owner (CHGOWN)
command 151, 284
change ownership (IP) journal entry

type 255
Change Password (CHGPWD) command
auditing 249
description 285
enforcing password system values 45
setting password equal to profile
name 67
Change Primary Group (CHGPGP)
command 152, 284
Change Profile (CHGPRF)
command 109, 286
Change Program (CHGPGM) command
specifying USEADPAUT
parameter 139
change request description
commands 324
change request description (*CRQD)
object auditing 449
(CHGSECAUD)
auditing
one-step 267
(CHGSECAUD) command
Change Service Program (CHGSRVPGM)
command
parameter 139
(CHGSPLFA) command 198
change system distribution directory (SD)
file layout 570
change system distribution directory (SD)
Change System Library List
(CHGSYSLIBL) command 193, 216
change to DLO object (YC) file
layout 593
change to object (ZC) file layout 594
change to object (ZM) file layout 595
change to spooled file (SF) journal entry
type 255
Change User Audit (CHGUSRAUD)
command 286
description 287
value 59
using 115
Change User Audit display 115
Change User Profile (CHGUSRPRF)
command 286
description 285
password composition system
values 45
name 67
using 109
changing
access control list
entry 255
accounting code 90
active profile list 599
adopted authority
audit journal receiver 270, 271
auditing
authority
entry 255
procedures 146
authorization list
entry 283
user authority 154
changing
entry 255
command
parameter 74
defaults 224
current library 193, 196
device description
owner 189
directory entry 288
authority 287
owner 287
primary group 287
document library object auditing
DST (dedicated service tools)
password 117
DST (dedicated service tools) user
ID 117
IBM-supplied user profile
passwords 117
IPC object
entry 255
job
entry 255
job description
entry 255
library list 193
menu
parameter 196
security risks 196
network attribute
entry 255
security-related 200
network profile
entry 255
object auditing 78, 284, 287
object owner 151, 284
object ownership
moving application to
production 231
output queue 197
ownership
password
description 285
DST (dedicated service tools) 117,
285
enforcing password system
values 45
name 67
entry 255
primary group during restore
entry 255
profile
See changing user profile
program
parameter 139
program adopt
entry 255
QAUDCTL (audit control) system
value 289
QAUDLVL (audit level) system
value 289
routing entry
entry 255
security auditing 289, 601
security level (QSECURITY) system
value
level 10 to level 20 12
level 50 to level 30 or 40 21
spooled file
entry 255
system directory
entry 255
system library list 193, 216
system management
entry 255
system value
entry 255
user auditing 78, 286, 287
user authority
user ID
DST (dedicated service tools) 117
Index
629
user profile
entry 255
command descriptions 285, 286
methods 109
values 45
name 67
changing access control list (VA) file
layout 581
chart format
commands 324
chart format (*CHTFMT) auditing 448
Check Object Integrity (CHKOBJITG)
command
auditing use 252
description 280, 286, 603
Check Password (CHKPWD)
command 116, 285
checking
See also authority checking
altered objects 280
default passwords 599
auditing use 252
password 116, 285
checklist
auditing security 247
planning security 247
CHGACGCDE (Change Accounting
Code) command
relationship to user profile 90
CHGACTPRFL (Change Active Profile
List) command
description 599
CHGACTSCDE (Change Activation
Schedule Entry) command
description 599
CHGACTSCDE (Change Activity
CHGAJE (Change Autostart Job Entry)
command
object auditing 488
CHGALRACNE (Change Alert Action
Entry) command
object auditing 468
CHGALRD (Change Alert Description)
command
object auditing 446
CHGALRSLTE (Change Alert Selection
Entry) command
object auditing 468
CHGALRTBL (Change Alert Table)
command
object auditing 446
630
CHGATR (Change Attribute) command

object auditing 454
CHGATR (Change Attributes) command
object auditing 455
CHGAUD (Change Audit) command
using 115
CHGAUD (Change Auditing) command
CHGAUT (Change Authority)
command 147
description 284
CHGAUTLE (Change Authorization List
Entry) command
description 283
object auditing 447
using 154
CHGBCKUP (Change Backup Options)
command
CHGCDEFNT (Change Coded Font)
commands 319
CHGCFGL (Change Configuration List)
command
object auditing 448
CHGCFGLE (Change Configuration List
Entry) command
object auditing 448
CHGCLNUP (Change Cleanup)
command
CHGCLS (Change Class) command
object auditing 450
CHGCMD (Change Command) command
parameter 74
object auditing 450
parameter 196
security risks 196
CHGCMDCRQA (Change Command
profiles 299
object auditing 449
CHGCMDDFT (Change Command
Default) command
object auditing 450
using 224
CHGCMNE (Change Communications
Entry) command
object auditing 488
CHGCNNL (Change Connection List)
command
object auditing 451
CHGCNNL (Change Connection List)

command (continued)
CHGCNNLE (Change Connection List
Entry) command
object auditing 451
CHGCOMSNMP (Change Community
for SNMP) command
CHGCOSD (Change Class-of-Service
Description) command
object auditing 451
CHGCRQD (Change Change Request
object auditing 449
CHGCRSDMNK (Change Cross Domain
Key) command
profiles 299
CHGCSI (Change Communications Side
object auditing 452
CHGCSPPGM (Change CSP/AE
Program) command
object auditing 483
CHGCTLAPPC (Change Controller
Description (APPC)) command
CHGCTLASC (Change Controller
Description (Async)) command
CHGCTLBSC (Change Controller
Description (BSC)) command
CHGCTLFNC (Change Controller
Description (Finance)) command
CHGCTLHOST (Change Controller
Description (SNA Host)) command
CHGCTLLWS (Change Controller
Description (Local Work Station))
command
CHGCTLNET (Change Controller
Description (Network)) command
CHGCTLRTL (Change Controller
Description (Retail)) command
CHGCTLRWS (Change Controller
Description (Remote Work Station))
command
CHGCTLTAP (Change Controller
Description (TAPE)) command
CHGCTLVWS (Change Controller
Description (Virtual Work Station))
command
CHGCURDIR (Change Current Directory)

command
object auditing 456
CHGCURLIB (Change Current Library)
command
restricting 196
CHGDBG (Change Debug) command
CHGDDMF (Change Distributed Data
Management File) command
object auditing 465
CHGDEVAPPC (Change Device
CHGDEVASC (Change Device
CHGDEVASP (Change Device
Description for Auxiliary Storage Pool)
command
CHGDEVBSC (Change Device
CHGDEVDKT (Change Device
Description (Diskette)) command
CHGDEVDSP (Change Device
Description (Display)) command
CHGDEVFNC (Change Device
CHGDEVHOST (Change Device
CHGDEVINTR (Change Device
Description (Intrasystem)) command
CHGDEVNET (Change Device
CHGDEVOPT (Change Device
Description (Optical) command
CHGDEVOPT (Change Device
Description (Optical)) command
CHGDEVPRT (Change Device
Description (Printer)) command
CHGDEVRTL (Change Device
CHGDEVSNPT (Change Device
Description (SNPT)) command
CHGDEVSNUF (Change Device
Description (SNUF)) command
CHGDEVTAP (Change Device
Description (Tape)) command
CHGDIR (Change Directory) command
CHGDIRE (Change Directory Entry)

command
description 288
CHGDIRSHD (Change Directory Shadow
System) command
CHGDKTF (Change Diskette File)
command
object auditing 465
CHGDLOAUD (Change Document
Library Object Auditing command
Library Object Auditing) command
description 287
object auditing 459
value 58
CHGDLOAUT (Change Document
Library Object Authority) command
description 287
object auditing 459
CHGDLOOWN (Change Document
Library Object Owner) command
description 287
object auditing 459
CHGDLOPGP (Change Document
Library Object Primary Group)
command
object auditing 459
Library Object Primary) command 287
description 287
CHGDLOUAD (Change Document
description 287
CHGDOCD (Change Document
object auditing 459
CHGDSPF (Change Display File)
command
object auditing 465
CHGDSTD (Change Distribution
object auditing 459
CHGDSTL (Change Distribution List)
command
CHGDSTPWD (Change Dedicated
Service Tools Password) command
profiles 299
description 285
CHGDSTQ (Change Distribution Queue)

command
profiles 299
CHGDSTRTE (Change Distribution
Route) command
profiles 299
CHGDTA (Change Data) command
CHGDTAARA (Change Data Area)
command
object auditing 462
CHGEMLCFGE (Change Emulation
CHGENVVAR (Change Environment
Variable) command
CHGEWCBCDE (Change Extended
Wireless Controller Bar Code Entry)
command
CHGEWCM (Change Extended Wireless
CHGEWCPTCE (Change Extended
Wireless Controller PTC Entry)
command
CHGEWLM (Change Extended Wireless
CHGEXPSCDE (Change Expiration
profiles 299
description 599
CHGFCT (Change Forms Control Table)
command
CHGFCTE (Change Forms Control Table
Entry) command
CHGFNTTBLE (Change Font Table Entry)
commands 319
CHGFTR (Change Filter) command
object auditing 468
CHGGPHFMT (Change Graph Format)
command
CHGGPHPKG (Change Graph Package)
command
profiles 299
CHGGRPA (Change Group Attributes)
command
Index
631
CHGHLLPTR (Change High-Level

Language Pointer) command
CHGICFDEVE (Change Intersystem
CHGICFF (Change Intersystem
Communications Function File)
command
CHGIPLA 368
CHGIPSIFC (Change IP over SNA
Interface) command
CHGIPSLOC (Change IP over SNA
Location Entry) command
CHGIPSTOS (Change IP over SNA Type
of Service) command
CHGJOB (Change Job) command
object auditing 471
CHGJOBD (Change Job Description)
command
object auditing 470
CHGJOBQE (Change Job Queue Entry)
command
CHGJOBSCDE (Change Job Schedule
Entry) command
object auditing 471
CHGJOBTYP (Change Job Type)
command
profiles 299
CHGJRN (Change Journal) command
profiles 299
CHGLANADPI (Change LAN Adapter
CHGLF (Change Logical File) command
object auditing 465
CHGLFM (Change Logical File Member)
command
object auditing 465
CHGLIB (Change Library) command
object auditing 474
CHGLIBL (Change Library List)
command
using 193
CHGLIBOWN (Change Library Owner)
tool 232
632
CHGLICINF (Change License

profiles 299
CHGLINASC (Change Line Description
(Async)) command
CHGLINBSC (Change Line Description
(BSC)) command
CHGLINETH (Change Line Description
(Ethernet)) command
CHGLINFAX (Change Line Description
(FAX)) command
CHGLINFR (Change Line Description
(Frame Relay Network)) command
CHGLINIDD (Change Line Description
(DDI Network)) command
CHGLINIDLC (Change Line Description
(IDLC)) command
CHGLINNET (Change Line Description
(Network)) command
CHGLINSDLC (Change Line Description
(SDLC)) command
CHGLINTDLC (Change Line Description
(TDLC)) command
CHGLINTRN (Change Line Description
(Token-Ring Network)) command
CHGLINWLS (Change Line Description
(Wireless)) command
CHGLINX25 (Change Line Description
(X.25)) command
CHGLPDA (Change LPD Attributes)
command
CHGMGDSYSA (Change Managed
System Attributes) command
profiles 299
CHGMGRSRVA (Change Manager
Service Attributes) command
profiles 299
CHGMNU (Change Menu) command
object auditing 476
parameter 196
security risks 196
CHGMOD (Change Module) command
object auditing 476
CHGMODD (Change Mode Description)
command
object auditing 476
CHGMODD (Change Mode Description)

command (continued)
CHGMSGD (Change Message
object auditing 477
CHGMSGF (Change Message File)
command
object auditing 477
CHGMSGQ (Change Message Queue)
command
object auditing 478
CHGMSTK (Change Master Key)
command
profiles 299
CHGMWSD (Change Network Server
object auditing 480
CHGNETA (Change Network Attributes)
command
profiles 299
using 200
CHGNETJOBE (Change Network Job
Entry) command
profiles 299
CHGNFSEXP (Change Network File
System Export) command
profiles 299
CHGNTBD (Change NetBIOS
object auditing 479
CHGNWIFR (Change Network Interface
Description (Frame Relay Network))
command
CHGNWIISDN (Change Network
Interface Description (ISDN)) command
CHGNWIISDN (Change Network
Interface Description for ISDN)
command
object auditing 479
CHGNWSA (Change Network Server
Attribute) command
CHGNWSA (Change Network Server
Attributes) command
profiles 299
CHGNWSALS (Change Network Server
Alias) command
CHGNWSD (Change Network Server
CHGNWSVRA (Create Network Server

Attribute) command
CHGOBJAUD (Change Object Audit)
command
CHGOBJAUD (Change Object Auditing
command
CHGOBJAUD (Change Object Auditing)
command
description 284
value 58
CHGOBJCRQA (Change Object Change
profiles 299
object auditing 449
CHGOBJD (Change Object Description)
command
object auditing 444
CHGOBJOWN (Change Object Owner)
command
description 284
object auditing 444
using 151
CHGOBJPGP (Change Object Primary
Group) command 130, 152
description 284
CHGOBJPGP (Change Object Primary)
command
CHGOBJUAD (Change Object Auditing)
command
description 287
CHGOPTA (Change Optical Attributes)
command
profiles 299
CHGOPTVOL (Change Optical Volume)
command
CHGOUTQ (Change Output Queue)
command
object auditing 480
using 197
CHGOWN (Change Owner)
command 151
description 284
object auditing 455, 490, 494, 496
CHGPCST (Change Physical File
Constraint) command
CHGPDGPRF (Change Print Descriptor
Group Profile) command
object auditing 482
CHGPEXDFN (Change Performance

profiles 299
CHGPF (Change Physical File) command
object auditing 466
CHGPFCNARA Change Functional Area)
command
CHGPFCST (Change Physical File
Constraint) command
object auditing 466
CHGPFM (Change Physical File Member)
command
object auditing 466
CHGPFTRG (Change Physical File
Trigger) command
CHGPGM (Change Program) command
object auditing 483
parameter 139
CHGPGMVAR (Change Program
Variable) command
CHGPGP (Change Primary Group)
command 152
description 284
CHGPJ (Change Prestart Job) command
CHGPJE (Change Prestart Job Entry)
command
object auditing 488
CHGPRB (Change Problem) command
profiles 299
CHGPRBACNE (Change Problem Action
Entry) command
object auditing 468
CHGPRBSLTE (Change Problem Selection
Entry) command
object auditing 468
CHGPRDCRQA (Change Product Change
profiles 299
object auditing 449
CHGPRF (Change Profile) command
description 286
object auditing 498
using 109
CHGPRTF (Change Printer File)
command
object auditing 466
CHGPSFCFG (Change Print Services

Facility Configuration) command
CHGPTFCRQA (Change PTF Change
profiles 299
object auditing 449
CHGPTR (Change Pointer) command
profiles 299
CHGPWD (Change Password) command
auditing 249
description 285
enforcing password system values 45
object auditing 498
name 67
CHGPWRSCD (Change Power On/Off
Schedule) command
CHGPWRSCDE (Change Power On/Off
CHGQRYA (Change Query Attribute)
command
CHGQSTDB (Change
Question-and-Answer Database)
command
profiles 299
CHGRCYAP (Change Recovery for
Access Paths) command
profiles 299
object auditing 446
CHGRDBDIRE (Change Relational
Database Directory Entry) command
CHGRJECMNE (Change RJE
CHGRJERDRE (Change RJE Reader
Entry) command
CHGRJEWTRE (Change RJE Writer
Entry) command
CHGRMTJRN (Change Remote Journal)
command
object auditing 472
CHGRPYLE (Change Reply List Entry)
command
profiles 299
object auditing 487
CHGRSCCRQA (Change Resource
profiles 299
Index
633
CHGRSCCRQA (Change Resource

(continued)
object auditing 449
CHGRTGE (Change Routing Entry)
command
object auditing 488
CHGS34LIBM (Change System/34
Library Members) command
profiles 299
CHGS36 (Change System/36) command
object auditing 497
CHGS36A (Change System/36 Attributes)
command
object auditing 497
CHGS36PGMA (Change System/36
Program Attributes) command
object auditing 483
CHGS36PRCA (Change System/36
Procedure Attributes) command
object auditing 466
CHGS36SRCA (Change System/36 Source
Attributes) command
CHGSAVF (Change Save File) command
object auditing 466
CHGSBSD (Change Subsystem
object auditing 488
CHGSCHIDX (Change Search Index)
command
object auditing 489
CHGSECA (Change Security Attributes)
command
CHGSECAUD (Change Security Audit)
command
CHGSECAUD (Change Security
Auditing)
security auditing function 267
Auditing) command
CHGSHRPOOL (Change Shared Storage
Pool) command
CHGSNMPA (Change SNMP Attributes)
command
CHGSPLFA (Change Spooled File
Attributes) command
action auditing 492
DSPDTA parameter of output
queue 198
object auditing 481
634

Attributes) command (continued)
CHGSRCPF (Change Source Physical
File) command
CHGSRVA (Change Service Attributes)
command
CHGSRVPGM (Change Service Program)
command
object auditing 493
parameter 139
CHGSSND (Change Session Description)
command
CHGSSNMAX (Change Session
Maximum) command
object auditing 476
CHGSVRAUTE (Change Server
CHGSYSDIRA (Change System Directory
Attributes) command
object auditing 458
CHGSYSJOB (Change System Job)
command
CHGSYSLIBL (Change System Library
List) command
profiles 299
programming example 216
using 193
CHGSYSVAL (Change System Value)
command
profiles 299
CHGTAPCTG (Change Tape Cartridge)
command
CHGTAPF (Change Tape File) command
object auditing 466
CHGTCPA (Change TCP/IP Attributes)
command
CHGTCPHTE (Change TCP/IP Host
Table Entry) command
CHGTCPIFC (Change TCP/IP Interface)
command
CHGTCPRTE (Change TCP/IP Route
Entry) command
CHGTELNA (Change TELNET
Attributes) command
CHGUSRAUD (Change User Audit)

command
value 59
using 115
CHGUSRPRF (Change User Profile)
command
object auditing 498
values 45
name 67
using 109
CHGUSRTRC (Change User Trace)
command
CHGVTMAP (Change VT100 Keyboard
Map) command
CHGWSE (Change Work Station Entry)
command
object auditing 488
CHGWTR (Change Writer) command
CHKCMNTRC (Check Communications
Trace) command
profiles 299
CHKDKT (Check Diskette) command
CHKDLO (Check Document Library
Object) command
CHKDOC (Check Document) command
object auditing 458
CHKIGCTBL (Check DBCS Font Table)
command
object auditing 470
CHKIN (Check In) command
CHKOBJ (Check Object) command
object auditing 445
CHKOBJITG (Check Object Integrity)
command 3
auditing use 252
CHKOUT (Check Out) command
CHKPRDOPT (Check Product Option)
command
profiles 299
CHKPWD (Check Password) command
description 285
CHKPWD (Check Password) command

(continued)
object auditing 498
using 116
CHKTAP (Check Tape) command
CHRIDCTL (user options) parameter
user profile 97
CL keyword (*CLKWD) user option 97,
98
class
commands 324
relationship to security 204
Class (*CLS) auditing 450
class-of-service description
commands 325
class-of-service description (*COSD)
auditing 451
class, user
See user class (USRCLS) parameter
cleanup
commands 400
client request access (PCSACC) network
attribute 201
close of server files (VF) file layout 582
CLP38 programs 125
CLRDKT (Clear Diskette) command
CLRJOBQ (Clear Job Queue) command
object auditing 470
CLRLIB (Clear Library) command
object auditing 474
CLRMSGQ (Clear Message Queue)
command
object auditing 478
CLROUTQ (Clear Output Queue)
command
action auditing 492
object auditing 481
CLRPFM (Clear Physical File Member)
command
object auditing 466
CLRSAVF (Clear Save File) command
CLRTRCDTA (Clear Trace Data)
command
Cluster Operations(CU) file layout 520
CMPJRNIMG (Compare Journal Images)
command
object auditing 471
CMPPTFLVL (Compare PTF Level)
command
CNLRJERDR (Cancel RJE Reader)
command
CNLRJEWTR (Cancel RJE Writer)

command
CNTRYID (country or region identifier)
parameter
user profile 96
CO (create object) journal entry
type 130, 255
coded character set identifier
CCSID user profile parameter 96
QCCSID system value 96
combining authorization methods
example 181
command
auditing
entry 255
changing
parameter 74
defaults 224
parameter 196
security risks 196
creating
parameter 74
parameter 196
security risks 196
NLV (national language version)
security 224
revoking public authority 290, 607
System/38
security 224
command (*CMD object type)
commands 325
Command (*CMD) auditing 450
command capability
listing users 278
command string
audit journal (QAUDJRN) file
layout 516
command string (*CMD) audit level 255
command string (CD) file layout 516
command string (CD) journal entry
type 255
command, CL
activation schedule 599
(ADDAUTLE) 154, 283
Add Directory Entry
(ADDDIRE) 288
Add Document Library Object
Authority (ADDDLOAUT) 287
Add Library List Entry
(ADDLIBLE) 193, 196
Add Server Authentication Entry
(ADDSVRAUTE) 288
ADDAUTLE (Add Authorization List
Entry) 154, 283
ADDDIRE (Add Directory
Entry) 288
command, CL (continued)
ADDDLOAUT (Add Document
Library Object Authority) 287
ADDJOBSCDE (Add Job Schedule
Entry)
SECBATCH menu 602
ADDLIBLE (Add Library List
Entry) 193, 196
ADDSVRAUTE (Add Server
Authentication Entry) 288
allowed for limit capabilities user 74
parameter 74
Passwords)
description 599
ANZPRFACT (Analyze Profile
Activity)
description 599
authority holders, table 283, 288
authorization lists 283
CALL (Call Program)
authority 136
Call Program (CALL)
authority 136
CFGSYSSEC (Configure System
Security)
Change Accounting Code
(CHGACGCDE) 90
(CHGAUTLE)
description 283
using 154
parameter 74
parameter 196
security risks 196
(CHGCMDDFT) 224
Change Current Library
(CHGCURLIB)
restricting 196
Password (CHGDSTPWD) 285
Change Directory Entry
(CHGDIRE) 288
Auditing (CHGDLOAUD) 287
*AUDIT (audit) special
authority 78
description 287
QAUDCTL (Auditing Control)
system value 58
Authority (CHGDLOAUT) 287
Owner (CHGDLOOWN) 287
Primary (CHGDLOPGP) 287
Change Job (CHGJOB)
Index
635
Change Journal (CHGJRN) 270, 271
Change Library List (CHGLIBL) 193
Change Menu (CHGMNU)
parameter 196
security risks 196
Change Network Attributes
(CHGNETA) 200
(CHGOBJAUD) 284
authority 78
description 287
system value 58
Change Object Owner
(CHGOBJOWN) 151, 284
(CHGOBJPGP) 130, 152, 284
Change Output Queue
(CHGOUTQ) 197
Change Password (CHGPWD)
auditing 249
description 285
values 45
name 67
Change Profile (CHGPRF) 109, 286
Change Program (CHGPGM)
parameter 139
(CHGSECAUD)
description 289
Change Server Authentication Entry
(CHGSVRAUTE) 288
Change Service Program
(CHGSRVPGM)
parameter 139
(CHGSPLFA) 198
Change System Library List
(CHGSYSLIBL) 193, 216
Change User Audit
(CHGUSRAUD) 286
authority 78
description 287
system value 59
using 115
Change User Profile
(CHGUSRPRF) 286
description 285
values 45
name 67
using 109
Check Object Integrity (CHKOBJITG)
auditing use 252
Check Password (CHKPWD) 116,
285
636
CHGACGCDE (Change Accounting
Code) 90
CHGACTPRFL (Change Active Profile
List)
description 599
CHGACTSCDE (Change Activation
Schedule Entry)
description 599
CHGAUTLE (Change Authorization
List Entry)
description 283
using 154
CHGCMD (Change Command)
parameter 74
parameter 196
security risks 196
CHGCMDDFT (Change Command
Default) 224
CHGCURLIB (Change Current
Library)
restricting 196
CHGDIRE (Change Directory
Entry) 288
Library Object Auditing) 287
authority 78
system value 58
CHGDLOOWN (Change Document
Library Object Owner) 287
Library Object Primary) 287
CHGDLOUAD (Change Document
Library Object Auditing)
description 287
CHGDSTPWD (Change Dedicated
Service Tools Password) 285
CHGEXPSCDE (Change Expiration
Schedule Entry)
description 599
CHGJOB (Change Job)
CHGJRN (Change Journal) 270, 271
CHGLIBL (Change Library List) 193
CHGMNU (Change Menu)
parameter 196
security risks 196
CHGNETA (Change Network
Attributes) 200
CHGOBJAUD (Change Object
Auditing) 284
authority 78
description 287
system value 58
CHGOBJOWN (Change Object
Owner) 151, 284
CHGOBJPGP (Change Object Primary
Group) 130, 152, 284
CHGOUTQ (Change Output
Queue) 197
CHGPGM (Change Program)
parameter 139
CHGPRF (Change Profile) 109, 286
CHGPWD (Change Password)
auditing 249
description 285
values 45
name 67
Auditing)
Attributes) 198
CHGSRVPGM (Change Service
Program)
parameter 139
CHGSVRAUTE (Change Server
CHGSYSLIBL (Change System Library
List) 193, 216
CHGUSRAUD (Change User
Audit) 286
authority 78
description 287
system value 59
using 115
CHGUSRPRF (Change User
Profile) 286
description 285
values 45
name 67
using 109
CHKOBJITG (Check Object Integrity)
auditing use 252
CHKPWD (Check Password) 116,
285
Configure System Security
(CFGSYSSEC)
description 290
Copy Spooled File (CPYSPLF) 198
CPYSPLF (Copy Spooled File) 198
Create Authority Holder
(CRTAUTHLR) 139, 283, 288
Create Authorization List
(CRTAUTL) 153, 283
parameter 74
parameter 196
security risks 196
Create Journal (CRTJRN) 268
Create Journal Receiver
(CRTJRNRCV) 268
Create Library (CRTLIB) 144
Create Menu (CRTMNU)
parameter 196
security risks 196
Create Output Queue
(CRTOUTQ) 197, 200
CRTAUTHLR (Create Authority
Holder) 139, 283, 288
CRTAUTL (Create Authorization
List) 153, 283
CRTCMD (Create Command)
parameter 74
parameter 196
security risks 196
CRTJRN (Create Journal) 268
CRTJRNRCV (Create Journal
Receiver) 268
CRTLIB (Create Library) 144
CRTMNU (Create Menu)
parameter 196
security risks 196
CRTOUTQ (Create Output
Queue) 197, 200
CRTUSRPRF (Create User Profile)
Delete Authority Holder
(DLTAUTHLR) 140, 283
Delete Authorization List
(DLTAUTL) 155, 283
Delete Journal Receiver
(DLTJRNRCV) 272
description 286
example 110
(DSPAUDJRNE)
description 289
(DSPAUTHLR) 139, 283
(DSPAUTL) 283
Display Authorization List Document
Library Objects
(DSPAUTLDLO) 287
(DSPAUTLOBJ) 155, 283
(DSPAUTUSR)
auditing 277
description 286
example 113
Auditing (DSPDLOAUD) 265, 287
Authority (DSPDLOAUT) 287
Display Job Description
(DSPJOBD) 251
Display Journal (DSPJRN)
audit (QAUDJRN) journal
example 272, 273
Display Journal (DSPJRN) (continued)
auditing file activity 224, 277
creating output file 274
displaying QAUDJRN (audit)
journal 252
Display Library (DSPLIB) 279
Display Library Description
(DSPLIBD)
CRTAUT parameter 145
(DSPOBJAUT) 279, 284
(DSPOBJD) 265, 284
created by 130
object domain 15
program state 16
using output file 278
Display Program (DSPPGM)
program state 16
(DSPPGMADP)
auditing 279
description 287
using 138, 224
Display Security Auditing
(DSPSECAUD Values)
description 289
Display Service Program
(DSPSRVPGM)
Display Spooled File (DSPSPLF) 198
Display User Profile (DSPUSRPRF)
description 286
using 113
displaying keywords (*CLKWD user
option) 97, 98
DLTAUTHLR (Delete Authority
Holder) 140, 283
DLTAUTL (Delete Authorization
List) 155, 283
DLTJRNRCV (Delete Journal
Receiver) 272
DLTUSRPRF (Delete User Profile)
description 286
example 110
table 287
DSPACTPRFL (Display Active Profile
List)
description 599
DSPACTSCD (Display Activation
Schedule)
description 599
DSPAUDJRNE (Display Audit Journal
Entries)
DSPAUTHLR (Display Authority
Holder) 139, 283
DSPAUTL (Display Authorization
List) 283
DSPAUTLDLO (Display Authorization
List Document Library Objects) 287
DSPAUTLOBJ (Display Authorization
List Objects) 155, 283
DSPAUTUSR (Display Authorized
Users)
auditing 277
description 286
example 113
DSPDLOAUD (Display Document
Library Object Auditing) 265, 287
DSPDLOAUT (Display Document
DSPEXPSCD (Display Expiration
Schedule)
description 599
DSPJOBD (Display Job
Description) 251
DSPJRN (Display Journal)
example 272, 273
journal 252
DSPLIB (Display Library) 279
DSPLIBD (Display Library
Description)
DSPOBJAUT (Display Object
Authority) 279, 284
DSPOBJD (Display Object
Description) 265, 284
created by 130
object domain 15
program state 16
DSPPGM (Display Program)
program state 16
DSPPGMADP (Display Programs That
Adopt)
auditing 279
description 287
using 138, 224
DSPSECAUD (Display Security
Auditing Values)
description 289
DSPSECAUD (Display Security
Auditing)
description 601
DSPSPLF (Display Spooled File) 198
DSPSRVPGM (Display Service
Program)
DSPUSRPRF (Display User Profile)
description 286
using 113
(EDTAUTL) 154, 283
Edit Document Library Object
Authority (EDTDLOAUT) 287
Edit Library List (EDTLIBL) 193
(EDTOBJAUT) 146, 284
EDTAUTL (Edit Authorization
List) 154, 283
Index
637
EDTDLOAUT (Edit Document Library
Object Authority) 287
EDTLIBL (Edit Library List) 193
EDTOBJAUT (Edit Object
Authority) 146, 284
End Job (ENDJOB)
QINACTMSGQ system value 28
ENDJOB (End Job)
(GRTOBJAUT) 284
affect on previous authority 150
Grant User Authority (GRTUSRAUT)
copying authority 109
description 286
recommendations 153
(GRTUSRPMN) 287
GRTOBJAUT (Grant Object
Authority) 284
GRTUSRAUT (Grant User Authority)
description 286
recommendations 153
GRTUSRPMN (Grant User
Permission) 287
keywords, displaying (*CLKWD user
option) 97, 98
object authority, table 284
parameter names, displaying
(*CLKWD user option) 97, 98
passwords, table 285
Attributes (PRTCMNSEC)
description 290
(PRTJOBDAUT) 289
Print Private Authorities
(PRTPVTAUT) 289
(PRTPUBAUT) 289
Print Queue Authority (PRTQAUT)
description 289
Print Subsystem Description Authority
(PRTSBSDAUT)
description 289
(PRTSYSSECA)
description 290
Print Trigger Programs
(PRTTRGPGM)
description 289
Print User Objects (PRTUSROBJ)
description 289
PRTADPOBJ (Print Adopting Objects)
description 603
PRTCMNSEC (Print Communications
Security)
PRTJOBDAUT (Print Job Description
Authority) 289
638
description 603
PRTPUBAUT (Print Publicly
Authorized Objects) 289
description 603
PRTPVTAUT (Print Private
Authorities) 289
description 605
PRTQAUT (Print Queue Authority)
PRTSBSDAUT (Print Subsystem
Description Authority)
description 289
Description)
description 603
PRTSYSSECA (Print System Security
Attributes)
PRTTRGPGM (Print Trigger
Programs)
PRTUSROBJ (Print User Objects)
PRTUSRPRF (Print User Profile)
description 603
RCLSTG (Reclaim Storage) 20, 25,
130, 244
Reclaim Storage (RCLSTG) 20, 25,
130, 244
(RMVAUTLE) 154, 283
Remove Directory Entry
(RMVDIRE) 288
Authority (RMVDLOAUT) 287
Remove Library List Entry
(RMVLIBLE) 193
Remove Server Authentication Entry
(RMVSVRAUTE) 288
Restore Authority (RSTAUT)
entry 255
description 287
procedure 241
role in restoring security 235
using 240
Restore Document Library Object
(RSTDLO) 235
Restore Library (RSTLIB) 235
Restore Licensed Program
(RSTLICPGM)
recommendations 242
security risks 242
Restore Object (RSTOBJ)
using 235
Restore User Profiles
(RSTUSRPRF) 235, 287
(RTVAUTLE) 283
(RTVUSRPRF) 116, 286
(RVKOBJAUT) 155, 284
Revoke Public Authority
(RVKPUBAUT)
description 290
(RVKUSRPMN) 287
RMVAUTLE (Remove Authorization
List Entry) 154, 283
RMVDIRE (Remove Directory
Entry) 288
RMVDLOAUT (Remove Document
RMVLIBLE (Remove Library List
Entry) 193
RMVSVRAUTE (Remove Server
RSTAUT (Restore Authority)
entry 255
description 287
procedure 241
using 240
RSTDLO (Restore Document Library
Object) 235
RSTLIB (Restore Library) 235
RSTLICPGM (Restore Licensed
Program)
recommendations 242
security risks 242
RSTOBJ (Restore Object)
using 235
RSTUSRPRF (Restore User
Profiles) 235, 287
RTVAUTLE (Retrieve Authorization
List Entry) 283
RTVUSRPRF (Retrieve User
Profile) 116, 286
RVKOBJAUT (Revoke Object
Authority) 155, 284
RVKPUBAUT (Revoke Public
Authority)
details 609
RVKUSRPMN (Revoke User
Permission) 287
SAVDLO (Save Document Library
Object) 235
Save Document Library Object
(SAVDLO) 235
Save Library (SAVLIB) 235
Save Object (SAVOBJ) 235, 271
Save Security Data
(SAVSECDTA) 235, 287
Save System (SAVSYS) 235, 287
SAVLIB (Save Library) 235
SAVOBJ (Save Object) 235, 271
SAVSECDTA (Save Security
Data) 235, 287
SAVSYS (Save System) 235, 287
SBMJOB (Submit Job) 186
SECBATCH menu 601
security tools 289, 599
security, list 283
Send Journal Entry (SNDJRNE) 269
(SNDNETSPLF) 198
Set Attention Program
(SETATNPGM) 94
SETATNPGM (Set Attention
Program) 94
setting QALWUSRDMN (allow user
objects) system value 25
SNDJRNE (Send Journal Entry) 269
SNDNETSPLF (Send Network
Spooled File) 198
Start System/36 (STRS36)
user profile, special
environment 80
STRS36 (Start System/36)
user profile, special
environment 80
Submit Job (SBMJOB) 186
system distribution directory,
table 288
TFRCTL (Transfer Control)
authority 136
TFRGRPJOB (Transfer to Group Job)
Transfer Control (TFRCTL)
authority 136
Transfer to Group Job (TFRGRPJOB)
user profiles (related), table 287
user profiles (working with),
table 286
(WRKAUTL) 283
Work with Directory
(WRKDIRE) 288
Work with Journal (WRKJRN) 271,
277
Work with Journal Attributes
(WRKJRNA) 271, 277
Work with Objects (WRKOBJ) 284
(WRKOBJOWN)
auditing 250
description 284
using 151
(WRKOBJPGP) 130, 152
description 284
(WRKOUTQD) 197
Work with Spooled Files
(WRKSPLF) 197
Work with System Status
(WRKSYSSTS) 204
Work with System Values
(WRKSYSVAL) 248
(WRKUSRPRF) 104, 286
WRKAUTL (Work with Authorization
Lists) 283
WRKDIRE (Work with
Directory) 288
WRKJRN (Work with Journal) 271,
277
WRKJRNA (Work with Journal
Attributes) 271, 277
WRKOBJ (Work with Objects) 284
WRKOBJOWN (Work with Objects by
Owner)
auditing 250
description 284
using 151
WRKOBJPGP (Work with Objects by
Primary Group) 130, 152
description 284
WRKOUTQD (Work with Output
Queue Description) 197
WRKSPLF (Work with Spooled
Files) 197
WRKSYSSTS (Work with System
Status) 204
WRKSYSVAL (Work with System
Values) 248
WRKUSRPRF (Work with User
Profiles) 104, 286
command, generic
Change Authority (CHGAUT) 147
Change Owner (CHGOWN) 151
(CHGPGP) 152
CHGAUT (Change Authority) 147
CHGOWN (Change Owner) 151
CHGPGP (Change Primary
Group) 152
(GRTOBJAUT) 147
GRTOBJAUT (Grant Object
Authority) 147
(RVKOBJAUT) 147
RVKOBJAUT (Revoke Object
Authority) 147
Work with Authority
(WRKAUT) 147
WRKAUT (Work with
Authority) 147
command, generic object
Change Auditing (CHGAUD) 284
description 287
Change Authority (CHGAUT) 284
Change Owner (CHGOWN) 284
(CHGPGP) 284
CHGAUD (Change Auditing) 284
description 287
CHGAUT (Change Authority) 284
CHGOWN (Change Owner) 284
CHGPGP (Change Primary
Group) 284
Display Authority (DSPAUT) 284
DSPAUT (Display Authority) 284
Work with Authority
(WRKAUT) 284
WRKAUT (Work with
Authority) 284
command, integrated file system
Change Auditing (CHGAUD)
using 115
CHGAUD (Change Auditing)
using 115
COMMIT (Commit) command
commitment control
commands 326
communications
monitoring 252
communications entry
job description 192
communications side information
commands 326
communications side information (*CSI)
auditing 452
comparison
group profile and authorization
list 230
complete change of password 52
complex
authority
example 181
confidential data
protecting 250
confidentiality 1
configuration
automatic
virtual devices (QAUTOVRT
system value) 36
commands 326
configuration list
commands 327
configuration list object auditing 448
Configure System Security (CFGSYSSEC)
command
connection
ending
entry 255
starting
entry 255
connection list
commands 328
connection list (*CNNL) auditing 451
connection start and end (VC) file
layout 582
connection start or end (VC) journal entry
type 255
connection verification (CV) file
layout 521
console
authority needed to sign on 189
QCONSOLE system value 189
profile 189
QSRV (service) user profile 189
QSRVBAS (basic service) user
profile 189
restricting access 248
contents
security tools 289, 599
controller description
commands 328
Index
639
controller description (continued)

printing security-relevant
parameters 603
controller description (*CTLD)
auditing 452
controlling
access
DDM request (DDM) 202
iSeries Access 201
objects 15
system programs 15
auditing 58
remote
job submission 200
sign-on (QRMTSIGN system
value) 32
restore operations 203
save operations 203
user library list 215
Copy Spooled File (CPYSPLF)
command 198
copy to database file
general authority rules 311
Copy User display 108
copying
spooled file 198
user authority
example 109
recommendations 153
user profile 107
country or region dentifier
QCNTRYID system value 96
countryor region identifier
CNTRYID user profile parameter 96
CP (user profile change) file layout 518
CP (user profile change) journal entry
type 255
CPHDTA (Cipher Data) command
profiles 299
CPROBJ (Compress Object) command
object auditing 445
CPY (Copy Object) command
object auditing 454
CPY (Copy) command
CPYCFGL (Copy Configuration List)
command
object auditing 448
CPYCNARA (Copy Functional Area)
command
CPYDOC (Copy Document) command
CPYF (Copy File) command
CPYFRMDIR (Copy from Directory)
command
640
CPYFRMDKT (Copy from Diskette)

command
CPYFRMIMPF (Copy from Import File)
command
CPYFRMQRYF (Copy from Query File)
command
CPYFRMSTMF (Copy from Stream File)
command
CPYFRMTAP (Copy from Tape)
command
CPYGPHFMT (Copy Graph Format)
command
CPYGPHPKG (Copy Graph Package)
command
CPYIGCSRT (Copy DBCS Sort Table)
command
object auditing 469
CPYIGCTBL (Copy DBCS Font Table)
command
object auditing 470
CPYLIB (Copy Library) command
CPYOPT (Copy Optical) command
CPYPFRDTA (Copy Performance Data)
command
CPYPTF (Copy Program Temporary Fix)
command
profiles 299
CPYPTFGRP (Copy Program Temporary
Fix Group) 299
CPYPTFGRP (Copy PTF Group)
command
CPYSPLF (Copy Spooled File) command
action auditing 491
queue 198
object auditing 481
CPYSRCF (Copy Source File) command
CPYTODIR (Copy to Directory)
command
CPYTODKT (Copy to Diskette) command
CPYTOIMPF (Copy to Import File)
command
CPYTOSTMF (Copy to Stream File)
command
CPYTOTAP (Copy to Tape) command
CQ (change *CRQD object) journal entry

type 255
create (*CREATE) audit level 255
create authority (CRTAUT) parameter
description 127
displaying 145
risks 128
create authority (QCRTAUT) system
value
description 25
risk of changing 26
using 128
Create Authority Holder (CRTAUTHLR)
command 139, 283, 288
Create Authorization List (CRTAUTL)
command 153, 283
Create Command (CRTCMD) command
parameter 74
parameter 196
security risks 196
Create Journal (CRTJRN) command 268
Create Journal Receiver (CRTJRNRCV)
command 268
Create Library (CRTLIB) command 144
Create Menu (CRTMNU) command
parameter 196
security risks 196
create object (CO) file layout 516
create object (CO) journal entry
type 130, 255
create object auditing (CRTOBJAUD)
value 61
create object auditing (QCRTOBJAUD)
system value
overview 61
Create Output Queue (CRTOUTQ)
command 197, 200
command
using 105
Create User Profile display 105
Create Validation Lists (CRTVLDL) 232
creating
audit journal 268
audit journal receiver 268
authority holder 139, 283, 288
authorization list 153, 283
command
parameter 74
parameter 196
security risks 196
library 144
menu
parameter 196
security risks 196
object
entry 130, 255
output queue 197, 200
creating (continued)
program
user profile
entry 255
example 105
methods 104
creating object
object auditing 444
cross system product map (*CSPMAP)
auditing 452
cross system product table (*CSPTBL)
auditing 452
CRTALRTBL (Create Alert Table)
command
CRTAUT (create authority) parameter
description 127
displaying 145
risks 128
CRTAUTHLR (Create Authority Holder)
command
profiles 299
considerations 139
CRTAUTL (Create Authorization List)
command
description 283
using 153
CRTBESTMDL (Create BEST/1 Model)
command
profiles 299
CRTBESTMDL (Create Best/1-400 Model)
command
CRTBNDC (Create Bound C Program)
command
CRTBNDCBL (Create Bound COBOL
Program) command
CRTBNDCL
CRTBNDCPP (Create Bound CPP
Program) command
CRTBNDDIR (Create Binding Directory)
command
CRTBNDRPG (Create Bound RPG
Program) command
CRTBSCF (Create Bisync File) command
object auditing 464
CRTCBLMOD (Create COBOL Module)
command
CRTCBLPGM (Create COBOL Program)
command
CRTCFGL (Create Configuration List)

command
CRTCLD (Create C Locale Description)
command
CRTCLMOD
CRTCLPGM (Create Control Language
Program) command
CRTCLS (Create Class) command
profiles 299
CRTCMD (Create Command) command
parameter 74
parameter 196
security risks 196
CRTCMNF (Create Communications File)
command
object auditing 464
CRTCMOD (Create C Module) command
CRTCNNL (Create Connection List)
command
CRTCOSD (Create Class-of-Service
CRTCPPMOD (Create Bound CPP
Module) command
CRTCRQD (Create Change Request
CRTCSI (Create Communications Side
CRTCTLAPPC (Create Controller
CRTCTLASC (Create Controller
CRTCTLBSC (Create Controller
CRTCTLFNC (Create Controller
CRTCTLHOST (Create Controller
CRTCTLLWS (Create Controller
Description (Local Work Station))
command
CRTCTLNET (Create Controller
CRTCTLRTL (Create Controller
CRTCTLRWS (Create Controller

Description (Remote Work Station))
command
CRTCTLTAP (Create Controller
Description (Tape)) command
CRTCTLVWS (Create Controller
Description (Virtual Work Station))
command
CRTDDMF (Create Distributed Data
CRTDEVAPPC (Create Device
CRTDEVASC (Create Device Description
(Async)) command
CRTDEVASP (Create Device Description
for Auxiliary Storage Pool) command
CRTDEVBSC (Create Device Description
(BSC)) command
CRTDEVDKT (Create Device Description
(Diskette)) command
CRTDEVDSP (Create Device Description
(Display)) command
CRTDEVFNC (Create Device Description
(Finance)) command
CRTDEVHOST (Create Device
CRTDEVINTR (Create Device Description
(Intrasystem)) command
CRTDEVNET (Create Device Description
(Network)) command
CRTDEVOPT (Create Device Description
(Optical) command
CRTDEVOPT (Create Device Description
(Optical)) command
CRTDEVPRT (Create Device Description
(Printer)) command
CRTDEVRTL (Create Device Description
(Retail)) command
CRTDEVSNPT (Create Device
Description (SNPT)) command
CRTDEVSNUF (Create Device
Description (SNUF)) command
CRTDEVTAP (Create Device Description
(Tape)) command
CRTDIR (Create Directory) command
object auditing 455
Index
641
CRTDKTF (Create Diskette File)

command
CRTDOC (Create Document) command
CRTDSPF (Create Display File) command
object auditing 464
CRTDSTL (Create Distribution List)
command
CRTDTAARA (Create Data Area)
command
CRTDTADCT (Create a Data Dictionary)
command
CRTDTAQ (Create Data Queue)
command
CRTDUPOBJ (Create Duplicate Object)
command
object auditing 443
CRTEDTD (Create Edit Description)
command
CRTFCNARA (Create Functional Area)
command
CRTFCT (Create Forms Control Table)
command
CRTFLR (Create Folder) command
object auditing 460
CRTFNTRSC (Create Font Resources)
command
CRTFNTTBL (Create Font Table)
commands 319
CRTFORMDF (Create Form Definition)
command
CRTFTR (Create Filter) command
CRTGDF (Create Graphics Data File)
command
object auditing 448
CRTGPHPKG (Create Graph Package)
command
CRTGSS (Create Graphics Symbol Set)
command
CRTHSTDTA (Create Historical Data)
command
CRTICFF (Create ICF File) command
object auditing 464
CRTICFF (Create Intersystem
Communications Function File)
command
642
CRTIGCDCT (Create DBCS Conversion

Dictionary) command
CRTJOBD (Create Job Description)
command
profiles 299
CRTJOBQ (Create Job Queue) command
CRTJRN (Create Journal) command
creating audit (QAUDJRN)
journal 268
CRTJRNRCV (Create Journal Receiver)
command
creating audit (QAUDJRN) journal
receiver 268
CRTLASREP (Create Local Abstract
Syntax) command
profiles 299
CRTLF (Create Logical File) command
CRTLIB (Create Library) command 144
CRTLINASC (Create Line Description
(Async)) command
CRTLINBSC (Create Line Description
(BSC)) command
CRTLINDDI (Create Line Description
(DDI Network)) command
CRTLINETH (Create Line Description
(Ethernet)) command
CRTLINFAX (Create Line Description
(FAX)) command
CRTLINFR (Create Line Description
(Frame Relay Network)) command
CRTLINIDLC (Create Line Description
for IDLC) command
CRTLINNET (Create Line Description
(Network)) command
CRTLINSDLC (Create Line Description
(SDLC)) command
CRTLINTDLC (Create Line Description
(TDLC)) command
CRTLINTRN (Create Line Description
(Token-Ring Network)) command
CRTLINWLS (Create Line Description
(Wireless)) command
CRTLINX25 (Create Line Description
(X.25)) command
CRTLOCALE (Create Locale) command

CRTMNU (Create Menu) command
parameter 196
security risks 196
CRTMODD (Create Mode Description)
command
CRTMSDF (Create Mixed Device File)
command
object auditing 464
CRTMSGF (Create Message File)
command
CRTMSGFMNU (Create Message File
Menu) command
CRTMSGQ (Create Message Queue)
command
CRTNODL (Create Node List) command
CRTNTBD (Create NetBIOS Description)
command
CRTNWIFR (Create Network Interface
Description (Frame Relay Network))
command
CRTNWIISDN (Create Network Interface
for ISDN) command
CRTNWSALS (Create Network Server
Alias) command
CRTNWSD (Create Network Server
CRTNWSSTG (Create Network Server
Storage Space) command
CRTOBJAUD (create object auditing)
value 61, 265
CRTOUTQ (Create Output Queue)
command
examples 200
using 197
CRTOVL (Create Overlay) command
CRTPAGDFN (Create Page Definition)
command
CRTPAGSEG (Create Page Segment)
command
CRTPDG (Create Print Descriptor Group)
command
CRTPEXDTA (Create Performance
Explorer Data) command
profiles 299
CRTPF (Create Physical File) command
object auditing 464
CRTPF (Create Physical File) command

(continued)
CRTPFRDTA (Create Performance Data)
command
profiles 299
CRTPGM (Create Program) command
CRTPNLGRP (Create Panel Group)
command
CRTPRTF (Create Printer File) command
object auditing 464
CRTPSFCFG (Create Print Services
CRTQMFORM (Create Query
Management Form) command
object auditing 485
CRTQMQRY (Create Query Management
Query) command
object auditing 485
CRTQSTDB (Create Question and Answer
Database) command
profiles 299
CRTQSTLOD (Create
Question-and-Answer Load) command
profiles 299
CRTRJEBSCF (Create RJE BSC File)
command
CRTRJECFG (Create RJE Configuration)
command
CRTRJECMNF (Create RJE
Communications File) command
CRTRPGMOD (Create RPG Module)
command
CRTRPGPGM (Create RPG/400 Program)
command
CRTRPTPGM (Create Auto Report
Program) command
CRTS36CBL (Create System/36 COBOL)
command
CRTS36DSPF (Create System/36 Display
File) command
CRTS36MNU (Create System/36 Menu)
command
CRTS36MSGF (Create System/36
Message File) command
CRTS36RPG (Create System/36 RPG)

command
CRTS36RPGR (Create System/36 RPGR)
command
CRTS36RPT (Create System/36 Auto
Report) command
CRTSAVF (Create Save File) command
CRTSBSD (Create Subsystem Description)
command
profiles 299
CRTSCHIDX (Create Search Index)
command
CRTSPADCT (Create Spelling Aid
Dictionary) command
object auditing 491
CRTSQLC (Create Structured Query
Language C) command
CRTSQLCBL (Create Structured Query
Language COBOL) command
CRTSQLCBLI (Create Structured Query
Language ILE COBOL Object)
command
CRTSQLCI (Create Structured Query
Language ILE C Object) command
CRTSQLCPPI (Create SQL ILE C++
Object) command
CRTSQLFTN (Create Structured Query
Language FORTRAN) command
CRTSQLPKG (Create Structured Query
Language Package) command
CRTSQLPLI (Create Structured Query
Language PL/I) command
CRTSQLRPG (Create Structured Query
Language RPG) command
CRTSQLRPGI (Create Structured Query
Language ILE RPG Object) command
CRTSRCPF (Create Source Physical File)
command
CRTSRVPGM (Create Service Program)
command
CRTSSND (Create Session Description)
command
CRTTAPF (Create Tape File) command
CRTTBL (Create Table) command

CRTUDFS (Create User-Defined File
System) command
profiles 299
CRTUSRPRF (Create User Profile)
command
using 105
CRTVLDL (Create Validation List)
command
profiles 299
CRTWSCST (Create Work Station
Customizing Object) command
cryptographic configuration (CY) file
layout 523
cryptography
commands 330
CU (Cluster Operations) file layout 520
CURLIB (current library) parameter
user profile 71
current library
changing
methods 193
recommendations 196
definition 71
library list 193, 196
recommendations 196
user profile 71
current library (CURLIB) parameter
user profile 71
customizing
security values 607
CV (connection verification) file
layout 521
CVTBASSTR (Convert BASIC Stream
Files) command
profiles 299
CVTBASUNF (Convert BASIC
Unformatted Files) command
profiles 299
CVTBGUDTA (Convert BGU Data)
command
profiles 299
CVTCLSRC (Convert CL Source)
command
CVTDIR (Convert Directory) command
CVTEDU (Convert Education) command
Index
643
CVTIPSIFC (Convert IP over SNA

Interface) command
CVTIPSLOC (Convert IP over SNA
CVTOPTBKU (Convert Optical Backup)
command
CVTPFRDTA (Convert Performance Data)
command
CVTPFRTHD (Convert Performance
Thread Data) command
CVTRJEDTA (Convert RJE Data)
command
CVTRPGSRC (Convert RPG Source)
command
CVTS36CFG (Convert System/36
Configuration) command
profiles 299
CVTS36FCT (Convert System/36 Forms
Control Table) command
profiles 299
CVTS36JOB (Convert System/36 Job)
command
profiles 299
CVTS36QRY (Convert System/36 Query)
command
profiles 299
CVTS38JOB (Convert System/38 Job)
command
profiles 299
CVTSQLCPP (Converte SQL C++ Source)
command
CVTTCPCL (Convert TCP/IP CL)
command
CVTTCPCL (Convert TCP/IP Control
Language) command
profiles 299
CVTTOFLR (Convert to Folder)
command
object auditing 460
layout 523
D
damaged audit journal 269
damaged authorization list
recovering 243
644
data area
commands 331
data authority
definition 120
data queue
commands 332
database share (QDBSHR) user
profile 293
DCEADM (QDCEADM) user profile 293
DCPOBJ (Decompress Object) command
object auditing 445
DDM (distributed data management)
security 202
DDM request access (DDMACC) network
attribute 202
DDMACC (DDM request access) network
attribute 202
DDMACC (distributed data management
access) network attribute 252
debug functions
dedicated service tools (DST)
auditing passwords 248
changing passwords 117
changing user ID 117
resetting password
entry 255
Dedicated Service Tools (DST)
users 116
default 293
*DFT delivery mode
user profile 92
job description (QDFTJOBD) 86
object
auditing 265
owner (QDFTOWN) user profile
entry 255
default values 293
description 130
restoring programs 242
sign-on
entry 255
subsystem description 191
value
IBM-supplied user profile 291
user profile 291
delete (*DELETE) audit level 255
delete (*DLT) authority 120, 309
Delete Authority Holder (DLTAUTHLR)
command 140, 283, 288
Delete Authorization List (DLTAUTL)
command 155, 283
Delete Journal Receiver (DLTJRNRCV)
command 272
delete operation (DO) file layout 528
delete operation (DO) journal entry
type 255

command
description 286
example 110
Delete User Profile display 110
Delete Validation Lists (DLTVLDL) 232
deleting
authority for user 148
authority holder 140, 283
object
entry 255
object owner profile 129
user profile
directory entry 110
distribution lists 110
message queue 110
owned objects 109
primary group 109
spooled files 112
users authority 148
deleting object
object auditing 444
delivery (DLVRY) parameter
user profile 92
describing
library security requirements 216
menu security 222
description (TEXT) parameter
user profile 75
descriptor
giving
entry 255
designing
libraries 213
security 207
detaching
audit journal receiver 270, 271
journal receiver 270
DEV (print device) parameter
user profile 93
device
authority to sign-on 187
securing 187
virtual
automatic configuration
(QAUTOVRT system value) 36
definition 36
device description
authority to use 187
creating
public authority 128
system value 128
definition 187
commands 332
ownership
changing 189
default owner 189
owned by QPGMR (programmer)
profile 189
device description (continued)

ownership (continued)
owned by QSECOFR (security
officer) user profile 189
parameters 603
securing 187
device description (*DEVD)
auditing 453
device recovery action (QDEVRCYACN)
system value 37
command 607
device session
limiting
LMTDEVSSN user profile
parameter 83
QLMTDEVSSN system value 29
digital ID
if private authorization is not
found. 103
directory
authority 5
new objects 128
commands 335, 351
security 126
working with 288
directory (*DIR) auditing 454
directory entry
adding 288
changing 288
deleting user profile 110
removing 288
directory services
auditing 457
directory services (DI) file layout 524
directory, system distribution
commands for working with 288
disabled (*DISABLED) user profile status
description 69
profile 69
disabling
audit function 272
user profile 69
automatically 599
disconnected job time-out interval
(QDSCJOBITV) system value 38
command 607
disk
limiting use (MAXSTG)
parameter 84
diskette
commands 390
Display Activation Schedule
(DSPACTSCD) command
description 599
(DSPAUDJRNE) command
Display Audit Log (DSPAUDLOG) tool

messages used 255
Display Authority (DSPAUT)
command 284
Display Authority Holder (DSPAUTHLR)
command 139, 283
Display Authorization List (DSPAUTL)
command 283
Display Authorization List display
option) 97, 98
Display Authorization List Document
Library Objects (DSPAUTLDLO)
command 287
(DSPAUTLOBJ) command 155, 283
Display Authorized Users (DSPAUTUSR)
command
auditing 277
description 286
example 113
Display Authorized Users (DSPAUTUSR)
display 113, 277
Auditing (DSPDLOAUD)
command 287
using 265
Authority (DSPDLOAUT)
command 287
Display Expiration Schedule
(DSPEXPSCD) command
description 599
Display Job Description (DSPJOBD)
command 251
Display Journal (DSPJRN) command
example 272, 273
journal 252
Display Library (DSPLIB) command 279
Display Library Description (DSPLIBD)
command
Display Object Authority (DSPOBJAUT)
command 279, 284
Display Object Authority display
option) 97, 98
example 144, 146
Display Object Description (DSPOBJD)
command 284
created by 130
object domain 15
program state 16
using 265
Display Program (DSPPGM) command
program state 16
(DSPPGMADP) command
auditing 279
description 287
using 138, 224
Display Security Auditing (DSPSECAUD)

command
description 601
Display Security Auditing
Values(DSPSECAUD) command
description 289
display service function
authority 77
Display Service Program (DSPSRVPGM)
command
display sign-on information
(QDSPSGNINF) system value
command 607
Display Spooled File (DSPSPLF)
command 198
display station pass-through
commands 335
target profile change
entry 255
Display User Profile (DSPUSRPRF)
command
description 286
using 113
displaying
adopted authority
critical files 224
programs that adopt a profile 138
USRPRF parameter 138
all user profiles 113
entries 252, 272
audit journal entries 289
authority 141, 284
authority holders 139
authorization list
document library objects
(DLO) 287
users 283
authorization list objects 155, 283
authorized users 277, 286
parameter 145
document library object
authority 287
job description 251
journal
object
originator 130
object auditing 265
object authority 279, 284
object description 284
object domain 15
path name 152
program adopt 138
program state 16
Display Program (DSPPGM)
command 16
programs that adopt 138, 279
Index
645
displaying (continued)
QAUDCTL (audit control) system
value 289, 601
QAUDLVL (audit level) system
value 289, 601
sign-on information
DSPSGNINF user profile
parameter 82
QDSPSGNINF system value 26
recommendations 82
spooled file 198
user profile
activation schedule 599
active profile list 599
expiration schedule 599
individual 113
summary list 113
distributed data management access
(DDMACC) network attribute 252
distributed systems node executive
(QDSNX) user profile 293
distribution
commands 336
distribution directory
changing
entry 255
distribution directory, system
distribution list
commands 336
DLCOBJ (Deallocate Object) command
object auditing 445
DLO (document library object)
authority
command descriptions 287
DLTALR (Delete Alert) command
DLTALRTBL (Delete Alert Table)
command
DLTAPARDTA (Delete APAR Data)
command
profiles 299
DLTAUTHLR (Delete Authority Holder)
command
using 140
DLTAUTL (Delete Authorization List)
command
description 283
using 155
DLTBESTMDL (Delete BEST/1 Model)
command
profiles 299
646
DLTBESTMDL (Delete Best/1-400 Model)

command
DLTBNDDIR (Delete Binding Directory)
command
DLTCFGL (Delete Configuration List)
command
DLTCHTFMT (Delete Chart Format)
command
DLTCLD (Delete C Locale Description)
command
DLTCLS (Delete Class) command
DLTCMD (Delete Command) command
DLTCMNTRC (Delete Communications
Trace) command
profiles 299
DLTCNNL (Delete Connection List)
command
DLTCOSD (Delete Class-of Service
DLTCRQD (Delete Change Request
DLTCSI (Delete Communications Side
DLTCTLD (Delete Controller Description)
command
DLTDEVD (Delete Device Description)
command
object auditing 497
DLTDFUPGM (Delete DFU Program)
command
DLTDKTLBL (Delete Diskette Label)
command
DLTDLO (Delete Document Library
Object) command
object auditing 460
DLTDOCL (Delete Document List)
command
object auditing 460
DLTDST (Delete Distribution) command
object auditing 460
DLTDSTL (Delete Distribution List)
command
DLTDTAARA (Delete Data Area)
command
DLTDTADCT (Delete Data Dictionary)

command
DLTDTAQ (Delete Data Queue)
command
DLTEDTD (Delete Edit Description)
command
DLTEXDTA (Delete Performance Explorer
Data) command
profiles 299
DLTF (Delete File) command
DLTFCNARA (Delete Functional Area)
command
DLTFCT (Delete Forms Control Table)
command
DLTFNTRSC (Delete Font Resources)
command
DLTFNTTBL (Delete Font Table)
commands 319
DLTFORMDF (Delete Form Definition)
command
DLTFTR (Delete Filter) command
DLTGPHFMT (Delete Graph Format)
command
DLTGPHPKG (Delete Graph Package)
command
DLTGSS (Delete Graphics Symbol Set)
command
DLTHSTDTA (Delete Historical Data)
command
DLTIGCDCT (Delete DBCS Conversion
Dictionary) command
DLTIGCSRT (Delete IGC Sort) command
DLTIGCTBL (Delete DBCS Font Table)
command
DLTIPXD 368
DLTJOBD (Delete Job Description)
command
DLTJOBQ (Delete Job Queue) command
DLTJRN (Delete Journal) command
DLTJRNRCV (Delete Journal Receiver)
command
stopping auditing function 272
DLTLIB (Delete Library) command
DLTLICPGM (Delete Licensed Program)

command
profiles 299
DLTLIND (Delete Line Description)
command
DLTLOCALE (Create Locale) command
DLTMNU (Delete Menu) command
DLTMOD (Delete Module) command
DLTMODD (Delete Mode Description)
command
DLTMSGF (Delete Message File)
command
DLTMSGQ (Delete Message Queue)
command
DLTNETF (Delete Network File)
command
DLTNODL (Delete Node List) command
DLTNTBD (Delete NetBIOS Description)
command
DLTNWID (Delete Network Interface
DLTNWSALS (Delete Network Server
Alias) command
DLTNWSD (Delete Network Server
DLTNWSSTG (Delete Network Server
DLTOUTQ (Delete Output Queue)
command
DLTOVL (Delete Overlay) command
DLTPAGDFN (Delete Page Definition)
command
DLTPAGSEG (Delete Page Segment)
command
DLTPDG (Delete Print Descriptor Group)
command
DLTPEXDTA (Delete Performance
Explorer Data) command
DLTPFRDTA (Delete Performance Data)
command
DLTPGM (Delete Program) command
DLTPNLGRP (Delete Panel Group)

command
DLTPRB (Delete Problem) command
profiles 299
DLTPSFCFG (Delete Print Services
DLTPTF (Delete PTF) command
profiles 299
DLTQMFORM (Delete Query
DLTQMQRY (Delete Query Management
Query) command
DLTQRY (Delete Query) command
object auditing 487
DLTQST (Delete Question) command
profiles 299
DLTQSTDB (Delete Question-and-Answer
Database) command
profiles 299
DLTRJECFG (Delete RJE Configuration)
command
DLTRMTPTF (Delete Remote PTF)
command
profiles 299
DLTSBSD (Delete Subsystem Description)
command
DLTSCHIDX (Delete Search Index)
command
DLTSHF (Delete Bookshelf) command
object auditing 460
DLTSMGOBJ (Delete System
Management Object) command
profiles 299
DLTSPADCT (Delete Spelling Aid
Dictionary) command
DLTSPLF (Delete Spooled File) command
action auditing 492
object auditing 481
DLTSQLPKG (Delete Structured Query
Language Package) command
DLTSRVPGM (Delete Service Program)
command
DLTSSND (Delete Session Description)
command
DLTTBL (Delete Table) command

DLTTRC (Delete Trace) command
DLTUDFS (Delete User-Defined File
System) command
profiles 299
DLTUSRIDX (Delete User Index)
command
DLTUSRPRF (Delete User Profile)
command
description 286
example 110
object auditing 498
DLTUSRQ (Delete User Queue) command
DLTUSRSPC (Delete User Space)
command
DLTUSRTRC (Delete User Trace)
command
DLTVLDL (Delete Validation List)
command
profiles 299
DLTWSCST (Delete Work Station
DLVRY (message queue delivery)
parameter
user profile 92
DLYJOB (Delay Job) command
DMPCLPGM (Dump CL Program)
command
object auditing 483
DMPDLO (Dump Document Library
Object) command
profiles 299
object auditing 458
DMPJOB (Dump Job) command
profiles 299
DMPJOBINT (Dump Job Internal)
command
profiles 299
DMPOBJ (Dump Object) command
profiles 299
object auditing 443
Index
647
DMPSYSOBJ (Dump System Object)

command
profiles 299
object auditing 443
DMPTAP (Dump Tape) command
DMPTRC (Dump Trace) command
profiles 299
DMPUSRTRC (Dump User Trace)
command
DO (delete operation) journal entry
type 255
DOCPWD (document password)
parameter
user profile 91
document
library object (DLO) 235
commands 337
password
changes when restoring
profile 237
password (DOCPWD user profile
parameter) 91
QDOC profile 293
restoring 235
saving 235
object auditing 458
adding authority 287
changing authority 287
changing owner 287
changing primary group 287
commands 287
displaying authority 287
displaying authorization list 287
editing authority 287
commands 337
removing authority 287
document library object auditing
changing
domain attribute, object
description 15
displaying 15
double byte-character set dictionary
(*IGCDCT) object auditing 469
double byte-character set sort (*IGCSRT)
object auditing 469
double byte-character set table (*IGCTBL)
object auditing 470
double-byte character set (DBCS)
commands 340
DS (DST password reset) journal entry
type 255
DS (IBM-Supplied Service Tools User ID
Reset) file layout 530
648
DSCJOB (Disconnect Job) command

DSPACC (Display Access Code)
command
object auditing 461
DSPACCAUT (Display Access Code
Authority) command
DSPACCGRP (Display Access Group)
command
DSPACTPJ (Display Active Prestart Jobs)
command
DSPACTPRFL (Display Active Profile
List) command
description 599
DSPACTSCD (Display Activation
Schedule) command
description 599
DSPAPPNINF (Display APPN*
DSPAUDJRNE (Display Audit Journal
Entries) command
profiles 299
DSPAUDLOG (Display Audit Log) tool
messages used 255
DSPAUT (Display Authority) command
description 284
DSPAUTHLR (Display Authority Holder)
command
description 283
object auditing 447
using 139
DSPAUTL (Display Authorization List)
command
description 283
object auditing 447
DSPAUTLDLO (Display Authorization
List Document Library Objects)
command
description 287
object auditing 447
DSPAUTLOBJ (Display Authorization List
Objects) command
description 283
object auditing 447
using 155
DSPAUTUSR (Display Authorized Users)
command
auditing 277
description 286
example 113
DSPBCKSTS (Display Backup Status)

command
DSPBCKUP (Display Backup Options)
command
DSPBCKUPL (Display Backup List)
command
DSPBKP (Display Breakpoints) command
DSPBNDDIR (Display Binding Directory)
command
DSPBNDDIRE (Display Binding
Directory) command
object auditing 448
DSPCDEFNT (Display Coded Font)
commands 319
DSPCFGL (Display Configuration List)
command
object auditing 448
DSPCHT (Display Chart) command
object auditing 448
DSPCLS (Display Class) command
object auditing 450
DSPCMD (Display Command) command
object auditing 450
DSPCNNL (Display Connection List)
command
object auditing 451
DSPCNNSTS (Display Connection Status)
command
DSPCOSD (Display Class-of-Service
object auditing 451
DSPCPCST (Display Check Pending
Constraint) command
DSPCPCST (Display Check Pending
Constraints) command
object auditing 467
DSPCSI (Display Communications Side
object auditing 452
DSPCSPOBJ (Display CSP/AE Object)
command
DSPCTLD (Display Controller
object auditing 453
DSPCURDIR (Display Current Directory)
command
object auditing 454
DSPDBG (Display Debug) command
DSPDBGWCH (Display Debug Watches)

command
DSPDBR (Display Database Relations)
command
object auditing 467
DSPDDMF (Display Distributed Data
DSPDEVD (Display Device Description)
command
object auditing 454
DSPDIRE (Display Directory Entry)
command
DSPDKT (Display Diskette) command
DSPDLOAUD (Display Document
description 287
object auditing 458
using 265
DSPDLOAUT (Display Document Library
description 287
object auditing 458
DSPDLONAM (Display Document
Library Object Name) command
DSPDOC (Display Document) command
object auditing 458
DSPDSTL (Display Distribution List)
command
DSPDSTLOG (Display Distribution Log)
command
profiles 299
DSPDSTSRV (Display Distribution
Services) command
DSPDTA (Display Data) command
DSPDTA (display data) parameter 198
DSPDTAARA (Display Data Area)
command
object auditing 462
DSPDTADCT (Display Data Dictionary)
command
DSPEDTD (Display Edit Description)
command
object auditing 463
DSPEWCBCDE (Display Extended
command
DSPEWCM (Display Extended Wireless

DSPEWCPTCE (Display Extended
command
DSPEWLM (Display Extended Wireless
DSPEXPSCD (Display Expiration
Schedule) command
description 599
DSPEXPSCD (Display Expriation
Schedule) command
DSPFD (Display File Description)
command
object auditing 467
DSPFFD (Display File Field Description)
command
object auditing 467
DSPFLR (Display Folder) command
DSPFNTRSCA (Display Font Resource
Attributes) command
DSPFNTTBL (Display Font Table)
commands 319
DSPGDF (Display Graphics Data File)
command
DSPHDWRSC (Display Hardware
Resources) command
DSPHLPDOC (Display Help Document)
command
object auditing 458
DSPHSTGPH (Display Historical Graph)
command
DSPIDXSTS (Display Text Index Status)
command
DSPIGCDCT (Display DBCS Conversion
Dictionary) command
object auditing 469
DSPIPXD 368
DSPJOB (Display Job) command
DSPJOBD (Display Job Description)
command
object auditing 470
using 251
DSPJOBLOG (Display Job Log) command
DSPJRN (Display Journal) command
example 272, 273
DSPJRN (Display Journal) command

(continued)
journal 252
DSPJRNA (S/38E) Work with Journal
Attributes
object auditing 473
DSPJRNMNU (S/38E) Work with Journal
object auditing 473
DSPJRNRCVA (Display Journal Receiver
Attributes) command
object auditing 473
DSPLANADPP (Display LAN Adapter
Profile) command
DSPLANSTS (Display LAN Status)
command
DSPLIB (Display Library) command
object auditing 473
using 279
DSPLIBD (Display Library Description)
command
DSPLICKEY (Display License Key)
command
DSPLIND (Display Line Description)
command
object auditing 474
DSPLNK
DSPLNK (Display Links) command
DSPLOG (Display Log) command
object auditing 478
DSPMFSINF (Display Mounted File
profiles 299
DSPMGDSYSA (Display Managed System
Attributes) command
profiles 299
DSPMNUA (Display Menu Attributes)
command
object auditing 476
DSPMOD (Display Module) command
object auditing 477
DSPMODD (Display Mode Description)
command
object auditing 476
DSPMODSRC (Display Module Source)
command
object auditing 464
Index
649
DSPMODSTS (Display Mode Status)

command
object auditing 454
DSPMSG (Display Messages) command
object auditing 478
DSPMSGD (Display Message
Descriptions) command
object auditing 477
DSPNETA (Display Network Attributes)
command
DSPNTBD (Display NetBIOS Description)
command
object auditing 479
DSPNWID (Display Network Interface
object auditing 480
DSPNWSA (Display Network Server
Attribute) command
DSPNWSALS (Display Network Server
Alias) command
DSPNWSD (Display Network Server
object auditing 480
DSPNWSSSN (Display Network Server
Session) command
DSPNWSSTC (Display Network Server
Statistics) command
DSPNWSSTG (Display Network Server
DSPNWSUSR (Display Network Server
User) command
DSPNWSUSRA (Display Network Server
User Attribute) command
DSPOBJAUT (Display Object Authority)
command
description 284
object auditing 445
using 279
DSPOBJD (Display Object Description)
command
created by 130
description 284
object auditing 445
using 265
DSPOPT (Display Optical) command
DSPOPTLCK (Display Optical Lock)
command
650
DSPOPTSVR (Display Optical Server)

command
DSPPDGPRF (Display Print Descriptor
DSPPFM (Display Physical File Member)
command
object auditing 464
DSPPFRDTA (Display Performance Data)
command
DSPPFRGPH (Display Performance
Graph) command
DSPPGM (Display Program) command
object auditing 483
program state 16
DSPPGMADP (Display Program Adopt)
command
DSPPGMADP (Display Programs that
Adopt) command
object auditing 498
DSPPGMADP (Display Programs That
Adopt) command
auditing 279
description 287
using 138, 224
DSPPGMREF (Display Program
References) command
object auditing 467
DSPPGMVAR (Display Program Variable)
command
DSPPRB (Display Problem) command
DSPPTF (Display Program Temporary
Fix) command
profiles 299
DSPPWRSCD (Display Power On/Off
Schedule) command
DSPRCYAP (Dipslay Recovery for Access
Paths) command
DSPRCYAP (Display Recovery for Access
Paths) command
object auditing 446
DSPRDBDIRE (Display Relational
DSPRJECFG (Display RJE Configuration)
command
DSPS36 (Display System/36) command
object auditing 497
DSPSAVF (Display Save File) command
DSPSBSD (Display Subsystem

object auditing 488
DSPSECA (Display Security Attributes)
command
DSPSECAUD (Display Security Auditing
Values) command
description 289
DSPSECAUD (Display Security Auditing)
command
description 601
DSPSFWRSC (Display Software
Resources) command
DSPSGNINF (display sign-on
information) parameter
user profile 82
DSPSOCSTS (Display Sphere of Control
Status) command
DSPSPLF (Display Spooled File)
command
action auditing 491
queue 198
object auditing 481
DSPSRVA (Display Service Attributes)
command
DSPSRVPGM (Display Service Program)
command
object auditing 493
DSPSRVSTS (Display Service Status)
command
profiles 299
DSPSYSSTS (Display System Status)
command
DSPSYSVAL (Display System Value)
command
DSPTAP (Display Tape) command
DSPTAPCTG (Display Tape Cartridge)
command
DSPTRC (Display Trace) command
DSPTRCDTA (Display Trace Data)
command
DSPUDFS (Display User-Defined File
System) command
profiles 299
DSPUSRPMN (Display User Permission)
command
object auditing 461
DSPUSRPMN (Display User Permission)

command (continued)
DSPUSRPRF (Display User Profile)
command
description 286
object auditing 498
using 113
DSPVTMAP (Display VT100 Keyboard
Map) command
auditing passwords 248
changing passwords 117
changing user ID 117
resetting password
entry 255
DST password reset (DS) journal entry
type 255
dump function
authority 77
DUPDKT (Duplicate Diskette) command
duplicate password (QPWDRQDDIF)
system value 49
DUPOPT (Duplicate Optical) command
DUPTAP (Duplicate Tape) command
E
Edit Authorization List (EDTAUTL)
command 154, 283
Edit Authorization List display
option) 97, 98
edit description
commands 341
Edit Document Library Object Authority
(EDTDLOAUT) command 287
Edit Library List (EDTLIBL)
command 193
Edit Object Authority (EDTOBJAUT)
command 146, 284
Edit Object Authority display
option) 97, 98
editing
authority 287
library list 193
object authority 146, 284
EDTAUTL (Edit Authorization List)
command
description 283
object auditing 447
using 154
EDTBCKUPL (Edit Backup List)

command
EDTCPCST (Edit Check Pending
profiles 299
object auditing 467
EDTDEVRSC (Edit Device Resources)
command
EDTDLOAUT (Edit Document Library
description 287
EDTDOC (Edit Document) command
object auditing 460
EDTIGCDCT (Edit DBCS Conversion
Dictionary) command
object auditing 469
EDTLIBL (Edit Library List) command
using 193
EDTOBJAUT (Edit Object Authority)
command
description 284
object auditing 445
using 146
EDTQST (Edit Questions and Answers)
command
profiles 299
EDTRBDAP (Edit Rebuild Of Access
Paths) command
profiles 299
EDTRCYAP (Edit Recovery for Access
Paths) command
profiles 299
object auditing 446
EDTS36PGMA (Edit System/36 Program
Attributes) command
object auditing 483
EDTS36PRCA (Edit System/36 Procedure
Attributes) command
object auditing 466
EDTS36SRCA (Edit System/36 Source
Attributes) command
object auditing 466
EDTWSOAUT (Edit Workstation Object
Authoriy) command
EJTEMLOUT (Eject Emulation Output)
command
EML3270 (Emulate 3270 Display)

command
EMLPRTKEY (Emulate Printer Key)
command
emulation
commands 334
enabled (*ENABLED) user profile
status 69
enabling
profile 69
user profile
automatically 599
sample program 112
ENCCPHK (Encipher Cipher Key)
command
profiles 299
ENCFRMMSTK (Encipher from Master
Key) command
profiles 299
encrypting
password 67
ENCTOMSTK (Encipher to Master Key)
command
profiles 299
End Job (ENDJOB) command
ENDCBLDBG (End COBOL Debug)
command
ENDCHTSVR (End Clustered Hash Table
Server) command
profiles 299
ENDCLNUP (End Cleanup) command
ENDCMNTRC (End Communications
Trace) command
ENDCMTCTL (End Commitment
Control) command
ENDCPYSCN (End Copy Screen)
command
ENDCTLRCY (End Controller Recovery)
command
object auditing 453
ENDDBG (End Debug) command
ENDDBGSVR (End Debug Server)
command
profiles 299
ENDDBMON (End Database Monitor)
command
Index
651
ENDDEVRCY (End Device Recovery)

command
object auditing 454
ENDDIRSHD (End Directory Shadow
System) command
ENDDIRSHD (End Directory Shadowing)
command
object auditing 458
ENDDSKRGZ (End Disk Reorganization)
command
ENDGRPJOB (End Group Job) command
ENDHOSTSVR (End Host Server)
command
ENDIDXMON (End Index Monitor)
command
profiles 299
ending
audit function 272
auditing 58, 59
connection
entry 255
disconnected job 38, 39
inactive job 27
ENDIPSIFC (End IP over SNA Interface)
command
profiles 299
ENDJOB (End Job) command
action auditing 492
ENDJOBABN (End Job Abnormal)
command
profiles 299
ENDJOBTRC (End Job Trace) command
ENDJRN (End Journal) command
ENDJRN (End Journaling) command
object auditing 444
ENDJRNAP (End Journal Access Path)
command
ENDJRNPF (End Journal Physical File
Changes) command
ENDJRNxxx (End Journaling) command
object auditing 472
ENDLINRCY (End Line Recovery)
command
object auditing 474
ENDMGDSYS (End Managed System)
command
profiles 299
652
ENDMGRSRV (End Manager Services)

command
profiles 299
ENDMOD (End Mode) command
object auditing 476
ENDMSF (End Mail Server Framework)
command
profiles 299
ENDNFSSVR (End Network File System
Server) command
profiles 299
ENDNWIRCY (End Network Interface
Recovery) command
object auditing 480
ENDPASTHR (End Pass-Through)
command
ENDPEX (End Performance Explorer)
command
profiles 299
ENDPFRMON (End Performance
Monitor) command
ENDPFRTRC (End Performance Trace)
command
profiles 299
ENDPJ (End Prestart Jobs) command
action auditing 492
ENDPRTEML (End Printer Emulation)
command
ENDRDR (End Reader) command
ENDRJESSN (End RJE Session) command
ENDRQS (End Request) command
ENDS36 (End System/36) command
object auditing 497
ENDSBS (End Subsystem) command
object auditing 487
ENDSRVJOB (End Service Job) command
profiles 299
ENDSYS (End System) command
ENDSYSMGR (End System Manager)
command
profiles 299
ENDTCP (End TCP/IP) command
profiles 299
ENDTCPCNN (End TCP/IP Connection)

command
profiles 299
ENDTCPIFC (End TCP/IP Interface)
command
ENDTCPPTP (End Point-to-Point
TCP/IP) command
ENDTCPSRV (End TCP/IP Service)
command
ENDTCPSVR (End TCP/IP Server)
command
profiles 299
ENDTRC (End Trace) command
ENDWTR (End Writer) command
enhanced hardware storage protection
enrolling
users 106
ENTCBLDBG (Enter COBOL Debug)
command
layout 530
example
adopted authority
application design 218, 222
authority checking process 176,
178
assistance level
changing 71
authority checking
group authority 173
ignoring group authority 177
primary group 174
public authority 175, 178
changing
assistance levels 71
system portion of library list 216
controlling
user library list 215
describing
library security 216
menu security 222
enabling user profile 112
ignoring adopted authority 220
JKL Toy Company applications 207
library list
changing system portion 216
controlling user portion 215
program 215
security risk 194
library security
describing 216
planning 213
menu security
describing 222
example (continued)
password validation exit program 55
password validation program 54
public authority
creating new objects 127
restricting save and restore
commands 203
Program) command 242
securing output queues 200
exceeding
account limit
entry 255
exclude (*EXCLUDE) authority 121
execute (*EXECUTE) authority 120, 309
existence (*OBJEXIST) authority 120, 309
exit 55
exit points
user profile 116
expert (*EXPERT) user option 97, 98,
147
expiration
password (QPWDEXPITV system
value) 46
user profile
displaying schedule 599
setting schedule 599
EXPPART (Export Part) command
extended wireless LAN configuration
commands 341
EXTPGMINF (Extract Program
F
faccessx (Determine file accessibility for a
class of users by descriptor) command
object auditing 454
faccessx (Determine File Accessibility)
command
object auditing 495
failure
authority failure
entry 255
sign-on
authority 187
authority 187
profile 187
field authorities 123
field authority
definition 120
field-level security 224
FILDOC (File Document) command
object auditing 460
file
journaling
security tool 224
file (continued)
commands 342
program-described
holding authority when
deleted 139
securing
critical 224
fields 224
records 224
source
securing 232
file (*FILE) object auditing 464
file layout 506
file security
SQL 227
file transfer
securing 202
filter
commands 349
filter (*FTR) object auditing 468
finance
commands 350
finance (QFNC) user profile 293
flowchart
authority checking 156
determining special environment 80
device description authority 187
FNDSTRPDM (Find String Using PDM)
command
folder
security shared 202
font resource (*FNTRSC) object
auditing 467
force conversion on restore
(QFRCCVNRST)
system value 42
force level
audit records 60
form definition (*FORMDF) object
auditing 468
forms control table
commands 419
FTP (File Transfer Protocol) command
full
receiver 270
full-screen help (*HLPFULL) user
option 98
G
GENCAT (Merge Message Catalogue)
command
GENCPHK (Generate Cipher Key)
command
profiles 299
GENCRSDMNK (Generate Cross Domain

Key) command
profiles 299
general rules for object authority 311
generic name
example 150
generic record(CV) file layout 531
GENMAC (Generate Message
Authentication Code) command
profiles 299
GENPIN (Generate Personal
Identification Number) command
profiles 299
GENS36RPT (Generate System/36
Report) command
profiles 299
GENS38RPT (Generate System/38
Report) command
profiles 299
gid (group identification number)
restoring 238
give descriptor (GS) file layout 533
give descriptor (GS) journal entry
type 255
giving
descriptor
entry 255
socket
entry 255
GO (Go to Menu) command
GR (generic record) file layout 531
command 147, 284
Grant User Authority (GRTUSRAUT)
command
description 286
recommendations 153
Grant User Permission (GRTUSRPMN)
command 287
granting
authority using referenced object 153
user authority
user permission 287
graphic symbols set (*GSS) object
auditing 469
Index
653
graphical operations
commands 350
graphics symbol set
commands 351
group
authority
displaying 142
primary
introduction 5
group (*GROUP) authority 142
group authority
description 119
GRPAUT user profile parameter 88,
129, 131
GRPAUTTYP user profile
parameter 89, 131
group authority type
GRPAUTTYP user profile
parameter 89
group identification number (gid))
restoring 238
group job
group profile
auditing
*ALLOBJ special authority 250
membership 250
password 249
authorization list
comparison 230
comparison
GRPPRF user profile parameter
profile 237
description 87
introduction 5, 63
multiple
planning 229
naming 66
password 66
planning 229
primary 130
planning 229
resource security 5, 119
supplemental
SUPGRPPRF (supplemental
groups) parameter 89
user profile
description 87
user profile parameter
profile 237
GRPAUT (group authority) parameter
user profile 88, 129, 131
GRPAUTTYP (group authority type)
parameter
user profile 89, 131
GRPPRF (group profile) parameter
user profile
description 87
example 131
654
GRTACCAUT (Grant Access Code

Authority) command
profiles 299
object auditing 460
GRTOBJAUT (Grant Object Authority)
command 147
description 284
object auditing 444
GRTUSRAUT (Grant User Authority)
command
description 286
object auditing 498
recommendations 153
GRTUSRPMN (Grant User Permission)
command
description 287
object auditing 460
GRTWSOAUT (Grant Workstation Object
Authoriy) command
GS (give descriptor) journal entry
type 255
H
hardware
enhanced storage protection 16
commands 418
help full screen (*HLPFULL) user
option 98
help information
displaying full screen (*HLPFULL
user option) 98
history (QHST) log
using to monitor security 276
HLDCMNDEV (Hold Communications
Device) command
profiles 299
object auditing 454
HLDDSTQ (Hold Distribution Queue)
command
profiles 299
HLDJOB (Hold Job) command
HLDJOBQ (Hold Job Queue) command
object auditing 470
HLDJOBSCDE (Hold Job Schedule Entry)
command
object auditing 471
HLDOUTQ (Hold Output Queue)

command
object auditing 481
HLDRDR (Hold Reader) command
HLDSPLF (Hold Spooled File) command
action auditing 492
object auditing 481
HLDWTR (Hold Writer) command
hold (*HOLD) delivery mode
user profile 92
home directory (HOMEDIR) parameter
user profile 100
HOMEDIR (home directory) parameter
user profile 100
host server
commands 351
I
IBM-supplied objects
securing with authorization list 127
IBM-Supplied Service Tools User ID Reset
(DS) file layout 530
ADSM (QADSM) 293
AFDFTUSR (QAFDFTUSR) 293
AFOWN (QAFOWN) 293
AFUSR (QAFUSR) 293
auditing 248
authority profile (QAUTPROF) 293
automatic install (QLPAUTO) 293
basic service (QSRVBAS) 293
BRM (QBRMS) 293
BRM user profile (QBRMS) 293
changing password 117
database share (QDBSHR) 293
DCEADM (QDCEADM) 293
default owner (QDFTOWN)
default values 293
description 130
default values table 291
(QDSNX) 293
document (QDOC) 293
finance (QFNC) 293
IBM authority profile
(QAUTPROF) 293
install licensed programs
(QLPINSTALL) 293
mail server framework (QMSF) 293
NFS user profile (QNFSANON) 293
programmer (QPGMR) 293
purpose 116
QADSM (ADSM) 293
QAFDFTUSR (AFDFTUSR) 293
QAFOWN (AFOWN) 293
QAFUSR (AFUSR) 293
QAUTPROF (database share) 293
QAUTPROF (IBM authority
profile) 293
QBRMS (BRM user profile) 293
QBRMS (BRM) 293
IBM-supplied user profile (continued)

QDBSHR (database share) 293
QDCEADM (DCEADM) 293
QDFTOWN (default owner)
default values 293
description 130
QDOC (document) 293
QDSNX (distributed systems node
executive) 293
QFNC (finance) 293
QGATE (VM/MVS bridge) 293
QLPAUTO (licensed program
automatic install) 293
QLPINSTALL (licensed program
install) 293
QMSF (mail server framework) 293
QNFSANON (NFS user profile) 293
QPGMR (programmer) 293
QRJE (remote job entry) 293
QSECOFR (security officer) 293
QSNADS (Systems Network
Architecture distribution
services) 293
QSPL (spool) 293
QSPLJOB (spool job) 293
QSRV (service) 293
QSRVBAS (service basic) 293
QSYS (system) 293
QSYSOPR (system operator) 293
QTCP (TCP/IP) 293
QTMPLPD (TCP/IP printing
support) 293
QTSTRQS (test request) 293
QUSER (workstation user) 293
remote job entry (QRJE) 293
restoring 238
restricted commands 299
security officer (QSECOFR) 293
service (QSRV) 293
service basic (QSRVBAS) 293
SNA distribution services
(QSNADS) 293
spool (QSPL) 293
spool job (QSPLJOB) 293
system (QSYS) 293
system operator (QSYSOPR) 293
TCP/IP (QTCP) 293
TCP/IP printing support
(QTMPLPD) 293
test request (QTSTRQS) 293
VM/MVS bridge (QGATE) 293
workstation user (QUSER) 293
ignoring
IMPPART (Import Part) command
inactive
job
message queue (QINACTMSGQ)
system value 28
time-out interval (QINACTITV)
system value 27
user
listing 278
inactive job
message (CPI1126) 28
inactive job message queue

(QINACTMSGQ) system value
command 607
inactive job time-out interval
(QINACTITV) system value
command 607
incorrect password
incorrect user ID
information search index
initial library list
current library 71
job description (JOBD)
user profile 86
recommendations 196
relationship to library list for job 193
risks 196
initial menu
*SIGNOFF 73
changing 73
preventing display 73
recommendation 74
user profile 73
initial menu (INLMNU) parameter
user profile 73
initial program (INLPGM) parameter
changing 72
user profile 72
initial program load (IPL)
authority 76
INLMNU (initial menu) parameter
user profile 73
INLPGM (initial program) parameter
changing 72
user profile 72
INSPTF (Install Program Temporary Fix)
command
profiles 299
INSRMTPRD (Install Remote Product)
command
profiles 299
install licensed program (QLPINSTALL)
user profile
default values 293
restoring 238
install licensed program automatic
(QLPAUTO) user profile
restoring 238
installing
operating system 244
integrated file system
commands 351
integrity 1
checking
auditing use 252
interactive data definition

commands 367
interactive data definition utility (IDDU)
object auditing 462
interactive job
routing
SPCENV (special environment)
parameter 80
security when starting 185
intermediate assistance level 64, 71
internal control block
preventing modification 20
Internet security management (GS) file
layout 536
Internet user
validation lists 232
interprocess communication actions (IP)
file layout 534
interprocess communications
incorrect
entry 255
interprocess communications (IP) journal
entry type 255
INZDKT (Initialize Diskette) command
INZDSTQ (Initialize Distribution Queue)
command
profiles 299
INZOPT (Initialize Optical) command
INZPFM (Initialize Physical File Member)
command
object auditing 466
INZSYS (Initialize System) command
profiles 299
INZTAP (Initialize Tape) command
IP (change ownership) journal entry
type 255
IP (interprocess communication actions)
file layout 534
IP (interprocess communications) journal
entry type 255
IP rules actions (IR) file layout 535
IPC object
changing
entry 255
IPL (initial program load)
authority 76
IR (IP rules actions) file layout 535
layout 536
iSeries Access
controlling sign-on 32
file transfer security 202
message function security 202
shared folder security 202
virtual printer security 202
Index
655
J
layout 538
JD (job description change) journal entry
type 255
JKL Toy Company
diagram of applications 207
job
authority 76
automatic cancelation 38, 39
changing
entry 255
disconnected job interval
(QDSCJOBITV) system value 38
inactive
time-out interval (QINACTITV)
system value 27
commands 368
restricting to batch 205
scheduling 204
security when starting 185
verify object on restore
(QVFYOBJRST) system value 39
job accounting
user profile 90
job action (JOBACN) network
attribute 200, 252
job change (*JOBDTA) audit level 255
job change (JS) file layout 539
job change (JS) journal entry type 255
job control (*JOBCTL) special authority
risks 77
job description
changing
entry 255
communications entry 192
default (QDFTJOBD) 86
displaying 251
monitoring 251
commands 371
parameters 603
protecting 16
protecting system resources 204
QDFTJOBD (default) 86
recommendations 87
restoring
entry 255
security issues 192
USER parameter 192
user profile 86
workstation entry 192
job description (*JOBD) object
auditing 470
656
job description (JOBD) parameter

user profile 86
job description change (JD) file
layout 538
job description change (JD) journal entry
type 255
job description violation
job initiation
Attention-key-handling program 186
job queue
authority 76
*OPRCTL (operator control)
parameter 77
authority 77
commands 372
parameters 289, 605
job queue (*JOBQ) auditing 470
job schedule
commands 372
job scheduler (*JOBSCD) auditing 471
JOBACN (job action) network
attribute 200, 252
JOBD (job description) parameter
user profile 86
journal
audit (QAUDJRN)
introduction 252
displaying
managing 270
commands 373
working with 277
journal (*JRN) auditing 471
journal attributes
working with 277
journal entry
sending 269
journal entry type
QAUDJRN (audit) journal 255
journal receiver
changing 271
deleting 272
detaching 270, 271
managing 270
maximum storage (MAXSTG) 84
commands 376
storage needed 84
journal receiver (*JRNRCV) auditing 473
journal receiver, audit
creating 268
naming 268
saving 271
storage threshold 270
journal, audit
See also audit (QAUDJRN) journal
working with 271
journaling
security tool 224
JRNAP (Journal Access Path) command
JRNAP (Start Journal Access Path)
command
object auditing 472
JRNOBJ (Journal Object) command
JRNPF (Journal Physical File) command
JRNPF (Start Journal Physical File)
command
object auditing 472
JS (job change) journal entry type 255
K
kerberos authentication (X0) file
layout 589
keyboard buffering
KBDBUF user profile parameter 83
QKBDBUF system value 84
keylock security 2
keylock switch
auditing 248
L
LAN Server
special authorities 79
LAN Server/400 79
LANGID (language identifier) parameter
SRTSEQ user profile parameter 95
user profile 96
language identifier
LANGID user profile parameter 96
QLANGID system value 96
SRTSEQ user profile parameter 95
language, programming
commands 376
large profiles
planning applications 214
large user profile 278
layout 544
length of password 48, 49
level 10
QSECURITY (security level) system
value 12
level 20
value 12
level 30
value 13
level 40
internal control blocks 20
value 14
level 50
message handling 20
level 50 (continued)
value 19
QTEMP (temporary) library 20
validating parameters 17
level of security (QSECURITY) system
value
comparison of levels 9
level 20 12
level 30 13
level 40 14
level 50 19
overview 9
recommendations 11
user class 11
library
authority
definition 5
description 123
new objects 127
AUTOCFG (automatic device
configuration) value 36
(AUTOCFG) value 36
create authority (CRTAUT) parameter
description 127
example 131
risks 128
specifying 144
create object auditing (CRTOBJAUD)
value 61
creating 144
CRTAUT (create authority) parameter
description 127
example 131
risks 128
specifying 144
CRTOBJAUD (create object auditing)
value 61
current 71
designing 213
listing
all libraries 279
contents 279
commands 383
planning 213
printing list of subsystem
descriptions 289
public authority
specifying 144
QRETSVRSEC (retain server security)
value 32
QTEMP (temporary)
restoring 235
retain server security (QRETSVRSEC)
value 32
saving 235
security
description 123
designing 213
example 213
guidelines 214
library (continued)
security (continued)
risks 123
library (*LIB) auditing 473
library list
adding entries 193, 196
changing 193
current library
description 193
recommendations 196
user profile 71
definition 193
editing 193
job description (JOBD)
user profile 86
monitoring 251
product library
description 193
recommendations 195
recommendations 195
removing entries 193
security risks 193, 194
system portion
changing 216
description 193
recommendations 195
user portion
controlling 215
description 193
recommendations 196
licensed program
automatic install (QLPAUTO) user
profile
description 293
install (QLPINSTALL) user profile
default values 293
commands 386
restoring
recommendations 242
security risks 242
licensed program automatic install
(QLPAUTO) user profile
restoring 238
licensed program install (QLPINSTALL)
user profile
restoring 238
limit capabilities (LMTCPB) parameter
user profile 73
limit characters (QPWDLMTCHR) system
value 50
limit repeated characters
(QPWDLMTREP) system value 51
limit security officer (QLMTSECOFR)
system value
command 607
limiting
capabilities 73
changing Attention-key-handling
program 95
changing current library 72, 196
changing initial menu 73
changing initial program 72
commands allowed 74
limiting (continued)
capabilities (continued)
listing users 278
LMTCPB user profile
parameter 73
command line use 73
device sessions
auditing 250
parameter 83
recommendations 83
device sessions (QLMTDEVSSN)
system value
description 29
disk usage (MAXSTG) 84
security officer (QLMTSECOFR)
security officer (QLMTSECOFR)
system value
auditing 248
authority to device
descriptions 187
description 29
sign-on process 189
sign-on
attempts (QMAXSGNACN) system
value 31
attempts (QMAXSIGN) system
value 30
multiple devices 29
sign-on attempts
auditing 248, 252
use of system resources
priority limit (PTYLMT)
parameter 85
line description
commands 387
line description (*LIND) auditing 474
link
commands 351
listing
all libraries 279
library contents 279
selected user profiles 278
system values 248
user profile
individual 113
summary list 113
Lists, Create Validation 232
Lists, Delete Validation 232
LMTDEVSSN (limit device sessions)
parameter
user profile 83
LNKDTADFN (Link Data Definition)
command
object auditing 462
local socket (*SOCKET) auditing 489
locale
commands 389
LOCALE (user options) parameter
user profile 98
Index
657
LODPTF (Load Program Temporary Fix)

command
profiles 299
LODQSTDB (Load Question-and-Answer
Database) command
profiles 299
logging off
network
entry 255
logging on
network
entry 255
logical file
securing
fields 224
records 224
LPR (Line Printer Requester) command
M
mail
handling
entry 255
mail actions (ML) file layout 545
mail actions (ML) journal entry type 255
mail server framework
commands 389
mail server framework (QMSF) user
profile 293
mail services
action auditing 475
management (*OBJMGT) authority
object 120, 309
managing
audit journal 269
maximum
auditing 248
length of password (QPWDMAXLEN
system value) 49
sign-on attempts (QMAXSIGN)
system value 248
description 30
size
receiver 270
storage (MAXSTG) parameter
authority holder 130
group ownership of objects 129
journal receiver 84
restore operation 84
user profile 84
maximum sign-on attempts
(QMAXSIGN) system value
command 607
658
maximum storage (MAXSTG) parameter

authority holder
transferred to QDFTOWN (default
owner) 130
journal receiver 84
user profile 84
MAXSTG (maximum storage) parameter
authority holder
transferred to QDFTOWN (default
owner) 130
journal receiver 84
user profile 84
media
commands 390
memory
sharing control
QSHRMEMCTL (share memory
control) system value 33
menu
changing
parameter 196
security risks 196
creating
parameter 196
security risks 196
designing for security 217
initial 73
commands 391
security tools 599
user profile 73
menu (*MENU) auditing 475
Merge Source (Merge Source) command
message
associated with QAUDJRN
entries 255
inactive timer (CPI1126) 28
commands 392
print notification (*PRTMSG user
option) 98
printing completion (*PRTMSG user
option) 98
restricting content 20
security
monitoring 276
security violations 255
status
displaying (*STSMSG user
option) 98
not displaying (*NOSTSMSG user
option) 98
used by DSPAUDLOG command 255
message description
commands 392
message file
commands 393
message file (*MSGF) auditing 477

message function (iSeries Access)
securing 202
message queue
*BREAK (break) delivery mode 92
*DFT (default) delivery mode 92
*HOLD (hold) delivery mode 92
*NOTIFY (notify) delivery mode 92
automatic creation 91
default responses 92
inactive job (QINACTMSGQ) system
value 28
commands 393
QSYSMSG 276
QMAXSGNACN (action when
attempts reached) system
value 31
QMAXSIGN (maximum sign-on
attempts) system value 30
recommendation
MSGQ user profile parameter 92
restricting 193
severity (SEV) parameter 92
user profile
deleting 110
delivery (DLVRY) parameter 92
recommendations 92
severity (SEV) parameter 92
message queue (*MSGQ) auditing 477
message queue (MSGQ) parameter
user profile 91
MGRS36 (Migrate System/36) command
profiles 299
MGRS36ITM (Migrate System/36 Item)
command
profiles 299
MGRS38OBJ (Migrate System/38 Objects)
command
profiles 299
MGRTCPHT (Merge TCP/IP Host Table)
command
migrating
value
migration
commands 393
minimum length of password
(QPWDMINLEN) system value 48
ML (mail actions) journal entry type 255
mode description
commands 394
mode description (*MODD)
auditing 476
mode of access
definition 120
module
binding directory 394
commands 394
module (*MODULE) auditing 476
monitoring
authority 250
authority
user profiles 250
authorization 250
checklist for 247
communications 252
encryption of sensitive data 252
group profile
membership 250
password 249
inactive users 250
job descriptions 251
library lists 251
message
security 276
methods 275
network attributes 252
overview 247
program failure 279
programmer authorities 250
remote sign-on 252
security officer 280
sensitive data
authority 250
encrypting 252
password 251
system values 248
unsupported interfaces 252
user profile
administration 250
using
journals 276
QHST (history) log 276
QSYSMSG message queue 252
MOUNT (Add Mounted File System)
command
MOUNT (Add Mounted File System)
command) command
MOV
MOV (Move) command

MOVDOC (Move Document) command
object auditing 460
moving
object
entry 255
spooled file 198
MOVOBJ (Move Object) command
MRGDOC (Merge Document) command
MRGFORMD (Merge Form Description)
command
MRGMSGF (Merge Message File)
command
object auditing 477
MSGQ (message queue) parameter
user profile 91
multiple group
example 180
planning 229
N
layout 546
NA (network attribute change) journal
entry type 255
naming
group profile 65, 66
user profile 65
national language version (NLV)
command security 224
netBIOS description
commands 395
NetBIOS description (*NTBD)
auditing 479
NETSTAT (Network Status) command
network
logging off
entry 255
logging on
entry 255
password
entry 255
network attribute
changing
entry 255
command 200
network attribute (continued)

client request access (PCSACC) 201
command for setting 290, 607
DDM request access (DDMACC) 202
DDMACC (DDM request access) 202
DDMACC (distributed data
management access) 252
distributed data management access
(DDMACC) 252
job action (JOBACN) 200, 252
JOBACN (job action) 200, 252
commands 395
PC Support (PCSACC) 252
PCSACC (client request access) 201
PCSACC (PC Support access) 252
printing security-relevant 603
network attribute change (NA) file
layout 546
network attribute change (NA) journal
entry type 255
network attributes
printing securitycommunications 290
printing security-relevant 290
network interface (*NWID) auditing 479
network interface description
commands 397
network log on and off (VN) file
layout 583
network log on or off (VN) journal entry
type 255
network password error (VP) file
layout 586
network password error (VP) journal
entry type 255
network profile
changing
entry 255
network profile change (VU) file
layout 587
network profile change (VU) journal
entry type 255
network resource access (VR) file
layout 586
Network Server
commands 398
network server description
commands 399
network server description (*NWSD)
auditing 480
network spooled file
sending 198
new object
authority
parameter 127, 144
GRPAUT (group authority)
parameter 88, 129
type) parameter 89
authority (QCRTAUT system
value) 25
Index
659
new object (continued)

authority (QUSEADPAUT system
value) 34
authority example 131
ownership example 131
NLV (national language version)
node group (*NODGRP) auditing 478
node list
commands 399
node list (*NODL) auditing 479
Notices 611
notification, message
DLVRY (message queue delivery)
parameter
user profile 92
no status message (*NOSTSMSG) user
option 98
notify (*NOTIFY) delivery mode
user profile 92
number required in password 52
numeric character required in
password 52
numeric password 66
numeric user ID 65
O
OBJAUD (object auditing) parameter
user profile 101
object
(*Mgt) authority 120
(*Ref) authority 120
add (*ADD) authority 120, 309
altered
checking 280
assigning authority and
ownership 131
auditing
changing 78
default 265
authority
*ALL (all) 121, 310
*CHANGE (change) 121, 310
*USE (use) 121, 310
changing 146
commonly used subsets 121
new 128
new object 127
storing 237
system-defined subsets 121
using referenced 153
authority required for
commands 313
controlling access 15
default owner (QDFTOWN) user
profile 130
delete (*DLT) authority 120, 309
displaying
originator 130
domain attribute 15
execute (*EXECUTE) authority 120,
309
existence (*OBJEXIST) authority 120,
309
failure of unsupported interface 15
660
object (continued)
management (*OBJMGT)
authority 120, 309
non-IBM
printing list 289
operational (*OBJOPR) authority 120,
309
ownership
introduction 5
printing
authority source 603
non-IBM 603
read (*READ) authority 120, 309
restoring 235, 238
saving 235
securing with authorization list 155
state attribute 15
storing
authority 236, 237
update (*UPD) authority 120, 309
user domain
restricting 19
security exposure 19
working with 284
object alter (*OBJALTER) authority 120,
309
object auditing
*ALRTBL (alert table) object 446
*AUTHLR (authority holder)
object 447
*AUTL (authorization list) object 446
*BNDDIR (binding directory)
object 447
*CFGL (configuration list) object 448
*CHTFMT (chart format) object 448
*CLD (C locale description)
object 450
*CLS (Class) object 450
*CMD (Command) object 450
*CNNL (connection list) object 451
*COSD (class-of-service description)
object 451
*CRQD (change request description)
object 449
*CSI (communications side
information) object 452
*CSPMAP (cross system product map)
object 452
*CSPTBL (cross system product table)
object 452
*CTLD (controller description)
object 452
*DEVD (device description)
object 453
*DIR (directory) object 454
*DOC (document) object 458
*DTAARA (data area) object 462
*DTADCT (data dictionary)
object 462
*DTAQ (data queue) object 462
*EDTD (edit description) object 463
*EXITRG (exit registration) object 463
*FCT (forms control table) object 464
*FILE (file) object 464
*FLR (folder) object 458
object auditing (continued)

*FNTRSC (font resource) object 467
*FORMDF (form definition)
object 468
*FTR (filter) object 468
*GSS (graphic symbols set)
object 469
*IGCDCT (double-byte character set
dictionary) object 469
*IGCSRT (double-byte character set
sort) object 469
*IGCTBL (double-byte character set
table) object 470
*JOBD (job description) object 470
*JOBQ (job queue) object 470
*JOBSCD (job scheduler) object 471
*JRN (journal) object 471
*JRNRCV (journal receiver)
object 473
*LIB (library) object 473
*LIND (line description) object 474
*MENU (menu) object 475
*MODD (mode description)
object 476
*MODULE (module) object 476
*MSGF (message file) object 477
*MSGQ (message queue) object 477
*NODGRP (node group) object 478
*NODL (node list) object 479
*NTBD (NetBIOS description)
object 479
*NWID (network interface)
object 479
*NWSD (network server description)
object 480
*OUTQ (output queue) object 480
*OVL (overlay) object 481
*PAGDFN (page definition)
object 482
*PAGSEG (page segment) object 482
*PDG (print descriptor group)
object 482
*PGM (program) object 482
*PNLGRP (panel group) object 484
*PRDAVL (product availability)
object 484
*PRDDFN (product definition)
object 484
*PRDLOD (product load) object 484
*QMFORM (query manager form)
object 485
*QMQRY (query manager query)
object 485
*QRYDFN (query definition)
object 486
*RCT (reference code table)
object 487
*S36 (S/36 machine description)
object 497
*SBSD (subsystem description)
object 487
*SCHIDX (search index) object 489
*SOCKET (local socket) object 489
*SPADCT (spelling aid dictionary)
object 491
*SQLPKG (SQL package) object 492

*SRVPGM (service program)
object 492
*SSND (session description)
object 493
*STMF (stream file) object 493
*SVRSTG (server storage space)
object 493
*SYMLNK (symbolic link) object 496
*TBL (table) object 497
*USRIDX (user index) object 497
*USRPRF (user profile) object 498
*USRQ (user queue) object 499
*USRSPC (user space) object 499
*VLDL (validation list) object 499
alert table (*ALRTBL) object 446
authority holder (*AUTHLR)
object 447
authorization list (*AUTL) object 446
binding directory (*BDNDIR)
object 447
C locale description (*CLD)
object 450
change request description (*CRQD)
object 449
changing
chart format (*CHTFMT) object 448
Class (*CLS) object 450
class-of-service description (*COSD)
object 451
Command (*CMD) object 450
common operations 443
(*CSI) object 452
configuration list (*CFGL) object 448
connection list (*CNNL) object 451
controller description (*CTLD)
object 452
cross system product map (*CSPMAP)
object 452
cross system product table (*CSPTBL)
object 452
data area (*DTAARA) object 462
data dictionary (*DTADCT)
object 462
data queue (*DTAQ) object 462
definition 263
device description (*DEVD)
object 453
directory (*DIR) object 454
displaying 265
document (*DOC) object 458
double byte-character set dictionary
(*IGCDCT) object 469
double byte-character set sort
(*IGCSRT) object 469
double byte-character set table
(*IGCTBL) object 470
edit description (*EDTD) object 463
exit registration (*EXITRG) object 463
file (*FILE) object 464
filter (*FTR) object 468
folder (*FLR) object 458
font resource (*FNTRSC) object 467
form definition (*FORMDF)
object 468

forms control table (*FCT) object 464
graphic symbols set (*GSS)
object 469
job description (*JOBD) object 470
job queue (*JOBQ) object 470
job scheduler (*JOBSCD) object 471
journal (*JRN) object 471
journal receiver (*JRNRCV)
object 473
library (*LIB) object 473
line description (*LIND) object 474
local socket (*SOCKET) object 489
menu (*MENU) object 475
message file (*MSGF) object 477
message queue (*MSGQ) object 477
mode description (*MODD)
object 476
module (*MODULE) object 476
NetBIOS description (*NTBD)
object 479
network interface (*NWID)
object 479
network server description (*NWSD)
object 480
node group (*NODGRP) object 478
node list (*NODL) object 479
output queue (*OUTQ) object 480
overlay (*OVL) object 481
page definition (*PAGDFN)
object 482
page segment (*PAGSEG) object 482
panel group (*PNLGRP) object 484
planning 263
print descriptor group (*PDG)
object 482
product availability (*PRDAVL)
object 484
product definition (*PRDDFN)
object 484
product load (*PRDLOD) object 484
program (*PGM) object 482
query definition (*QRYDFN)
object 486
query manager form (*QMFORM)
object 485
query manager query (*QMQRY)
object 485
reference code table (*RCT)
object 487
S/36 machine description (*S36)
object 497
search index (*SCHIDX) object 489
server storage space (*SVRSTG)
object 493
service program (*SRVPGM)
object 492
session description (*SSND)
object 493
spelling aid dictionary (*SPADCT)
object 491
SQL package (*SQLPCK) object 492
stream file (*STMF) object 493
subsystem description (*SBSD)
object 487
symbolic link (*SYMLNK) object 496
table (*TBL) object 497

user index (*USRIDX) object 497
user profile (*USRPRF) object 498
user queue (*USRQ) object 499
user space (*USRSPC) object 499
validation list (*VLDL) object 499
object auditing (OBJAUD) parameter
user profile 101
object authority
authority 76
authority 77
access code commands 399
Advanced Function Printing
commands 319
AF_INET sockets over SNA 320
alert commands 320
alert description commands 320
alert table commands 320
analyzing 279
authority holder commands 322
authorization list commands 323
backup commands 400
binding directory 323
change request description
commands 324
changing
entry 255
procedures 146
chart format commands 324
class commands 324
class-of-service description
commands 325
cleanup commands 400
commands 284
commitment control commands 326
common object commands 313
commands 326
configuration commands 326
configuration list commands 327
connection list commands 328
controller description commands 328
cryptography commands 330
data area commands 331
data queue commands 332
definition 120
detail, displaying (*EXPERT user
option) 97, 98
device description commands 332
directory commands 335
display station pass-through
commands 335
displaying 279, 284
option) 97, 98
distribution commands 336
distribution list commands 336
document commands 337
commands 337
double-byte character set
commands 340
edit description commands 341
Index
661
object authority (continued)

editing 146, 284
emulation commands 334
extended wireless LAN configuration
commands 341
file commands 342
filter commands 349
finance commands 350
forms control table commands 419
general rules for commands 311
granting 284
graphical operations 350
graphics symbol set commands 351
hardware commands 418
host server 351
information search index
commands 368
interactive data definition 367
job commands 368
job description commands 371
job queue commands 372
job schedule commands 372
journal commands 373
journal receiver commands 376
language commands 376
library commands 383
licensed program commands 386
line description commands 387
locale commands 389
commands 389
media commands 390
menu commands 391
message commands 392
message description commands 392
message file commands 393
message queue commands 393
migration commands 393
mode description commands 394
netBIOS description commands 395
network attribute commands 395
network interface description
commands 397
Network Server commands 398
network server description
commands 399
node list commands 399
online education commands 400
Operational Assistant commands 400
optical commands 401
output file
(OUTPUT(*OUTFILE)) 311
output queue commands 404
package commands 405
panel group commands 391
performance commands 405
printer output commands 427
printer writer commands 440
problem commands 411
program commands 412
program temporary fix (PTF)
commands 423
programming development manager
(PDM) commands 321
662
object authority (continued)

programming language
commands 376
PTF (program temporary fix)
commands 423
Query Management/400
commands 415
question and answer commands 416
reader commands 417
relational database directory
commands 418
reply list commands 431
required for *CMD commands 325
resource commands 418
revoking 284
RJE (remote job entry)
commands 419
search index commands 368
security attributes commands 423
security audit commands 423
server authentication 423
service commands 423
session commands 419
spelling aid dictionary
commands 426
sphere of control commands 427
spooled file commands 427
storing 236, 237
subsystem commands 428
system commands 430
system reply list commands 431
system value commands 431
System/36 environment
commands 431
table commands 433
TCP/IP (Transmission Control
Protocol/Internet Protocol)
commands 434
text index commands 399
token-ring commands 389
upgrade order information
commands 435
user permission commands 399
user profile commands 436
utilities commands 321
validation list 439
workstation customizing object
commands 440
writer commands 440
object description
displaying 284
object domain
definition 15
displaying 15
object integrity
auditing 280
object management (*OBJMGT) audit
level 255
object management (OM) journal entry
type 255
object ownership
ALWOBJDIF (allow object differences)
parameter 239
changes when restoring 239
object ownership (continued)

changing
entry 255
methods 151
moving application to
production 231
deleting
owner profile 109, 129
description 128
flowchart 162
group profile 129
managing
owner profile size 129
private authority 119
responsibilities 250
restoring 235, 239
saving 235
working with 151, 284
object reference (*OBJREF)
authority 120, 309
object restore (OR) journal entry
type 255
object signing 3
objective
availability 1
confidentiality 1
integrity 1
objects by primary group
working with 130
office services
action auditing 475
office services (*OFCSRV) audit
level 255, 457, 475
OM (object management) journal entry
type 255
on behalf
auditing 475
online education
commands 400
online help information
displaying full screen (*HLPFULL
user option) 98
operating system
security installation 244
operational (*OBJOPR) authority 120,
309
Operational Assistant Attention Program
Operational Assistant commands
commands 400
OPNDBF (Open Database File) command
OPNQRYF (Open Query File) command
OPRCTL (operator control)
parameter 198
optical
commands 401
OR (object restore) journal entry
type 255
output
commands 427
output file (OUTPUT(*OUTFILE))
output priority 204
output queue
authority 76
*OPRCTL (operator control)
parameter 76, 77
authority 77
AUTCHK (authority to check)
parameter 198
authority to check (AUTCHK)
parameter 198
changing 197
creating 197, 200
display data (DSPDTA)
parameter 198
DSPDTA (display data)
parameter 198
commands 404
operator control (OPRCTL)
parameter 198
OPRCTL (operator control)
parameter 198
parameters 289, 605
securing 197, 200
user profile 93
working with description 197
output queue (*OUTQ) auditing 480
output queue (OUTQ) parameter
user profile 93
OUTQ (output queue) parameter
user profile 93
overlay (*OVL) auditing 481
Override commands 227
OVRMSGF (Override with Message File)
command
object auditing 477
OW (ownership change) file layout 553
OW (ownership change) journal entry
type 255
owner
See also ownership
OWNER user profile parameter
description 129
OWNER (owner) parameter
user profile 131
owner authority
flowchart 162
ownership
parameter 239
assigning to new object 131
change when restoring
entry 255
changing
entry 255
ownership (continued)
methods 151
default (QDFTOWN) user profile 130
deleting
owner profile 109, 129
description 128
flowchart 162
group profile 129
introduction 5
managing
owner profile size 129
new object 131
object
managing 232
OWNER user profile parameter
description 88
printer output 197
restoring 235, 239
saving 235
spooled file 197
working with 151
workstation 189
ownership change (OW) file layout 553
ownership change (OW) journal entry
type 255
ownership change for restored object
(RO) file layout 565
ownership change for restored object
(RO) journal entry type 255
ownership, object
responsibilities 250
P
PA (program adopt) file layout 556
PA (program adopt) journal entry
type 255
package
commands 405
PAGDOC (Paginate Document) command
object auditing 460
page definition (*PAGDFN) auditing 482
page down key
reversing (*ROLLKEY user
option) 98
page segment (*PAGSEG) auditing 482
page up key
option) 98
panel group
commands 391
panel group (*PNLGRP) auditing 484
parameter
validating 17
partial (*PARTIAL) limit capabilities 74
pass-through
controlling sign-on 32
target profile change
entry 255
password
all-numeric 66
allowing users to change 249
approval program
example 54, 55
QPWDVLDPGM system value 53
requirements 53
security risk 54
auditing
user 249
changes when restoring profile 237
changing
description 285
values 45
name 67
checking 116, 285
checking for default 599
communications 49
document
DOCPWD user profile
parameter 91
auditing 248
changing 117
encrypting 67
equal to user profile name 45, 67
expiration interval
auditing 249
PWDEXPITV user profile
parameter 82
QPWDEXPITV system value 46
expiration interval (QPWDEXPITV)
system value
command 607
expired (PWDEXP) parameter 68
auditing 248
changing 117
immediate expiration 46
incorrect
entry 255
length
maximum (QPWDMAXLEN)
system value 49
minimum (QPWDMINLEN)
system value 48
(QPWDLMTREP) system value
command 607
lost 67
maximum length (QPWDMAXLEN
system value) 49
maximum length (QPWDMAXLEN)
system value
command 607
minimum length (QPWDMINLEN
system value) 48
Index
663
password (continued)
minimum length (QPWDMINLEN)
system value
command 607
network
entry 255
position characters (QPWDPOSDIF)
system value 52
possible values 67
preventing
adjacent digits (QPWDLMTAJC
system value) 51
repeated characters 51
trivial 45, 249
use of words 50
PWDEXP (set password to
expired) 68
QPGMR (programmer) user
profile 609
QSRV (service) user profile 609
QSRVBAS (basic service) user
profile 609
QSYSOPR (system operator) user
profile 609
QUSER (user) user profile 609
recommendations 67, 68
require numeric character
(QPWDRQDDGT) system value
command 607
require position difference
(QPWDPOSDIF) system value
command 607
required difference (QPWDRQDDIF)
system value
command 607
requiring
change (PWDEXPITV
parameter) 82
change (QPWDEXPITV system
value) 46
complete change 52
different (QPWDRQDDIF system
value) 49
numeric character 52
resetting
user 67
restrict adjacent characters
(QPWDLMTAJC) system value
command 607
restrict characters (QPWDLMTCHR)
system value
command 607
restricting
adjacent digits (QPWDLMTAJC
system value) 51
characters 50
repeated characters 51
rules 67
setting to expired (PWDEXP) 68
664
system 118
system values
overview 44
trivial
preventing 45, 249
user profile 66
validation exit program
example 55
validation program
example 54
requirements 53
security risk 54
validation program (QPWDVLDPGM)
system value
command 607
password (PW) journal entry type 255
password expiration interval
(PWDEXPITV)
recommendations 83
(QPWDEXPITV) system value
auditing 249
Password Level (QPWDLVL)
description 46
Password Level (QPWDLVL) system
value
description 46
password required difference
(QPWDRQDDIF) system value
command 607
password validation program
(QPWDVLDPGM) system value 53
passwords
password levels 278
Passwords 46
path name
displaying 152
PC (personal computer)
preventing access 201
PC Organizer
allowing for limit capabilities user 74
disconnecting (QINACTMSGQ system
value) 28
PC Support access (PCSACC) network
attribute 252
PC text-assist function (PCTA)
disconnecting (QINACTMSGQ system
value) 28
PCSACC (client request access) network
attribute 201
PCSACC (PC Support access) network
attribute 252
PDM (programming development
manager)
object authority for commands 321
performance
class 204
job description 204
job scheduling 204
commands 405
output priority 204
pool 204
performance (continued)
priority limit 204
restricting jobs to batch 205
routing entry 204
run priority 204
storage
pool 204
time slice 204
performance tuning
security 204
permission
definition 122
layout 558
PG (primary group change) journal entry
type 255
physical security 2
auditing 248
planning 248
PING (Verify TCP/IP Connection)
command
PKGPRDDST (Package Product
Distribution) command
profiles 299
planning
application programmer security 231
audit
system values 265
auditing
actions 253
objects 263
overview 253
checklist for 247
file security 224
group profiles 229
library design 213
menu security 217
multiple groups 229
primary group 229
security 1
system programmer security 232
planning password level changes
changing assword levels (0 to 1) 209
changing password level from 1to
0 213
changing password level from 2 to
1 212
changing password level from 2to
0 213
0 212
1 212
2 212
changing password levels
planning level changes 209, 210
decreasing password levels 212, 213
planning password level changes

(continued)
increasing password level 209, 210
QPWDLVL changes 209, 210
PO (printer output) journal entry
type 255
pool 204
position characters (QPWDPOSDIF)
system value 52
preventing
access
iSeries Access 201
modification of internal control
blocks 20
performance abuses 204
remote job submission 200
password 251
trivial passwords 45, 249
preventing large profiles
primary group
changing 130
entry 255
changing during restore
entry 255
definition 119
deleting
profile 109
description 130
introduction 5
new object 131
planning 229
restoring 235, 239
saving 235
working with objects 284
primary group authority
authority checking example 174
primary group change (PG) file
layout 558
primary group change (PG) journal entry
type 255
primary group change for restored object
(RZ) file layout 569
primary group change for restored object
(RZ) journal entry type 255
Print Adopting Objects (PRTADPOBJ)
command
description 603
(PRTCMNSEC) command
print descriptor group (*PDG)
auditing 482
print device (DEV) parameter
user profile 93
(PRTJOBDAUT) command 289

(PRTJOBDAUT) command (continued)
description 603
Print Private Authorities (PRTPVTAUT)
command 289
description 605
(PRTPUBAUT) command 289
description 605
Print Queue Authority (PRTQAUT)
command
Print Subsystem Description
(PRTSBSDAUT) command
description 603
Print Subsystem Description Authority
(PRTSBSDAUT) command
description 289
(PRTSYSSECA) command
Print Trigger Programs (PRTTRGPGM)
command
Print User Objects (PRTUSROBJ)
command
Print User Profile (PRTUSRPRF)
command
description 603
printed output (*PRTDTA) audit
level 255
printer
user profile 93
virtual
securing 202
printer output
authority 76
authority 77
commands 427
owner 197
securing 197
printer output (PO) file layout 560
printer output (PO) journal entry
type 255
printer writer
commands 440
printing
See also printer output
adopted object information 603
authorization list information 603
communications 290
list of non-IBM objects 289, 603
list of subsystem descriptions 289
network attributes 290, 603
notification (*PRTMSG user
option) 98
publicly authorized objects 605
security 197
printing (continued)
security-relevant communications
settings 603
security-relevant job queue
parameters 289, 605
security-relevant output queue
parameters 289, 605
security-relevant subsystem
description values 603
sending message (*PRTMSG user
option) 98
system values 248, 290, 603
trigger programs 289, 603
printing message (*PRTMSG) user
option 98
priority 204
priority limit (PTYLMT) parameter
recommendations 86
user profile 85
private authorities
authority cache 184
private authority
definition 119
flowchart 161
restoring 235, 240
saving 235
privilege
definition 119
problem
commands 411
problem analysis
remote service attribute
(QRMTSRVATR) system value 38
processor keylock 248
processor password 118
product availability (*PRDAVL)
auditing 484
product definition (*PRDDFN)
auditing 484
product library
library list 195
description 193
recommendations 195
product load (*PRDLOD) auditing 484
profile
action auditing (AUDLVL) 102
analyzing with query 277
auditing
auditing membership 250
auditing password 249
AUDLVL (action auditing) 102
changing 286
group 250
See also group profile
auditing 250
introduction 5, 63
naming 66
password 66
planning 229
resource security 5
Index
665
profile (continued)
handle
entry 255
IBM-supplied
auditing 248
authority profile
(QAUTPROF) 293
automatic install (QLPAUTO) 293
basic service (QSRVBAS) 293
BRM user profile (QBRMS) 293
database share (QDBSHR) 293
default owner (QDFTOWN) 293
(QDSNX) 293
document (QDOC) 293
finance (QFNC) 293
IBM authority profile
(QAUTPROF) 293
install licensed programs
(QLPINSTALL) 293
(QMSF) 293
network file system (QNFS) 293
programmer (QPGMR) 293
QAUTPROF (IBM authority
profile) 293
QBRMS (BRM user profile) 293
QDBSHR (database share) 293
QDFTOWN (default owner) 293
QDOC (document) 293
executive) 293
QFNC (finance) 293
QGATE (VM/MVS bridge) 293
QLPAUTO (licensed program
automatic install) 293
QLPINSTALL (licensed program
install) 293
QMSF (mail server
framework) 293
QNFSANON (network file
system) 293
QPGMR (programmer) 293
QRJE (remote job entry) 293
QSECOFR (security officer) 293
QSNADS (Systems Network
Architecture distribution
services) 293
QSPL (spool) 293
QSPLJOB (spool job) 293
QSRV (service) 293
QSRVBAS (service basic) 293
QSYS (system) 293
QSYSOPR (system operator) 293
QTCP (TCP/IP) 293
QTMPLPD (TCP/IP printing
support) 293
QTSTRQS (test request) 293
QUSER (workstation user) 293
remote job entry (QRJE) 293
restricted commands 299
security officer (QSECOFR) 293
service (QSRV) 293
service basic (QSRVBAS) 293
SNA distribution services
(QSNADS) 293
666
profile (continued)
IBM-supplied (continued)
spool (QSPL) 293
spool job (QSPLJOB) 293
system (QSYS) 293
system operator (QSYSOPR) 293
TCP/IP (QTCP) 293
TCP/IP printing support
(QTMPLPD) 293
test request (QTSTRQS) 293
VM/MVS bridge (QGATE) 293
workstation user (QUSER) 293
OBJAUD (object auditing) 101
object auditing (OBJAUD) 101
swap
entry 255
user 101, 102, 277
accounting code (ACGCDE) 90
ACGCDE (accounting code) 90
assistance level (ASTLVL) 70
ASTLVL (assistance level) 70
program) 94
(ATNPGM) 94
auditing 250
authority (AUT) 100
CCSID (coded character set
identifier) 96
changing 109
CHRIDCTL (user options) 97
CNTRYID (country or region
identifier) 96
(CCSID) 96
(CNTRYID) 96
CURLIB (current library) 71
current library (CURLIB) 71
delivery (DLVRY) 92
description (TEXT) 75
DEV (print device) 93
(DSPSGNINF) 82
DLVRY (message queue
delivery) 92
DOCPWD (document
password) 91
document password
(DOCPWD) 91
information) 82
group (GRPPRF) 87
group authority (GRPAUT) 88,
129
(GRPAUTTYP) 89
group identification number(gid
) 99
GRPAUT (group authority) 88,
129
type) 89
profile (continued)
user (continued)
GRPPRF (group) 87
home directory (HOMEDIR) 100
IBM-supplied 116
initial menu (INLMNU) 73
initial program (INLPGM) 72
INLMNU (initial menu) 73
INLPGM (initial program) 72
introduction 4
job description (JOBD) 86
JOBD (job description) 86
KBDBUF (keyboard buffering) 83
keyboard buffering (KBDBUF) 83
LANGID (language identifier) 96
language identifier (LANGID) 96
large, examining 278
limit capabilities 73, 250
limit device sessions
(LMTDEVSSN) 83
listing inactive 278
listing selected 278
listing users with command
capability 278
listing users with special
authorities 278
LMTCPB (limit capabilities) 73
LMTDEVSSN (limit device
sessions) 83
LOCALE (user options) 98
MAXSTG (maximum storage) 84
message queue (MSGQ) 91
message queue delivery
(DLVRY) 92
message queue severity (SEV) 92
MSGQ (message queue) 91
name (USRPRF) 65
naming 65
output queue (OUTQ) 93
OUTQ (output queue) 93
owner of objects created
(OWNER) 88, 129
password 66
(PWDEXPITV) 82
print device (DEV) 93
PTYLMT (priority limit) 85
public authority (AUT) 100
expired) 68
PWDEXPITV (password expiration
interval) 82
renaming 114
retrieving 116
roles 63
set password to expired
(PWDEXP) 68
SETJOBATR (user options) 97
SEV (message queue severity) 92
severity (SEV) 92
sort sequence (SRTSEQ) 95
SPCAUT (special authority) 75
SPCENV (special
environment) 80
special authority (SPCAUT) 75
profile (continued)
user (continued)
special environment
(SPCENV) 80
SRTSEQ (sort sequence) 95
status (STATUS) 69
groups) 89
supplemental groups
(SUPGRPPRF) 89
System/36 environment 80
text (TEXT) 75
user class (USRCLS) 69
user identification number( ) 99
user options (CHRIDCTL) 97
user options (LOCALE) 98
user options (SETJOBATR) 97
user options (USROPT) 97, 98
USRCLS (user class) 69
USROPT (user options) 97, 98
USRPRF (name) 65
profile swap (PS) file layout 561
profile swap (PS) journal entry type 255
program
adopt authority function
auditing 279
adopted authority
entry 255
auditing 251
creating 137
displaying 138
ignoring 139
purpose 135
restoring 242
transferring 136
bound
changing
parameter 139
creating
displaying
ignoring
commands 412
password validation
example 54
requirements 53
password validation exit
example 55
preventing
unauthorized 252
program failure
entry 255
restoring
risks 241
validation value 17
service
program (continued)
transferring
translation 17
trigger
listing all 289
unauthorized 252
working with user profiles 116
program (*PGM) auditing 482
program adopt (PA) file layout 556
program adopt (PA) journal entry
type 255
program adopt function
See adopted authority
program failure
auditing 279
restoring programs
entry 255
program failure (*PGMFAIL) audit
level 255
program state
definition 16
displaying 16
program temporary fix (PTF)
commands 423
program validation
definition 17
program-described file
holding authority when deleted 139
programmer
application
auditing access to production
libraries 250
system
programmer (QPGMR) user profile
default values 293
device description owner 189
programming development manager
(PDM)
programming language
commands 376
programs that adopt
displaying 279
protecting
backup media 248
protection
enhanced hardware storage 16
PRTACTRPT (Print Activity Report)
command
PRTADPOBJ (Print Adopted Object)
command
PRTADPOBJ (Print Adopting Object)
command
profiles 299
PRTADPOBJ (Print Adopting Objects)
command
description 603
PRTCMDUSG (Print Command Usage)

command
PRTCMNSEC (Print Communication
Security) command
Security Report) command
profiles 299
Security) command
PRTCMNTRC (Print Communications
Trace) command
profiles 299
PRTCPTRPT (Print Component Report)
command
PRTCSPAPP (Print CSP/AE Application)
command
object auditing 483
PRTDEVADR (Print Device Addresses)
command
object auditing 453
PRTDOC (Print Document) command
object auditing 459
PRTDSKINF (Print Disk Activity
profiles 299
PRTERRLOG (Print Error Log) command
profiles 299
PRTINTDTA (Print Internal Data)
command
profiles 299
PRTIPSCFG (Print IP over SNA
PRTJOBDAUT (Print Job Description
Authority) command
profiles 299
PRTJOBRPT (Print Job Report) command
PRTJOBTRC (Print Job Trace) command
PRTLCKRPT (Print Lock Report)
command
PRTPEXRPT (Print Performance Explorer
Report) command
Index
667
PRTPOLRPT (Print Pool Report)

command
PRTPRFINT (Print Profile Internals)
command
profiles 299
PRTPUBAUT (Print Public Authorities)
command
PRTPUBAUT (Print Publicly Authorized
Objects) command
profiles 299
PRTPVTAUT (Print Private Authorities)
command
profiles 299
PRTQAUT (Print Queue Authorities)
command
PRTQAUT (Print Queue Authority)
command
profiles 299
PRTRSCRPT (Print Resource Report)
command
Description Authority) command
profiles 299
description 289
description 603
PRTSQLINF (Print SQL Information)
command
PRTSQLINF (Print Structured Query
Language Information) command
PRTSYSRPT (Print System Report)
command
Attribute Report) command
profiles 299
Attribute) command
Attributes) command
PRTTNSRPT (Print Transaction Report)
command
PRTTRC (Print Trace) command
668
PRTTRGPGM (Print Trigger Program)

command
PRTTRGPGM (Print Trigger Programs)
command
profiles 299
PRTUSROBJ (Print User Object)
command
profiles 299
PRTUSROBJ (Print User Objects)
command
PRTUSRPRF (Print User Profile)
command
profiles 299
description 603
PS (profile swap) journal entry type 255
PTF (program temporary fix)
commands 423
PTYLMT (priority limit) parameter
recommendations 86
user profile 85
public authority
definition 119
flowchart 168
library 144
new objects
description 127
specifying 144
printing 605
restoring 235, 239
revoking 290, 607
revoking with RVKPUBAUT
command 609
saving 235
user profile
recommendation 101
PW (password) journal entry type 255
PWDEXP (set password to expired)
parameter 68
interval) parameter 82
PWRDWNSYS (Power Down System)
command
profiles 299
Q
QADSM (ADSM) user profile 293
QAFDFTUSR (AFDFTUSR) user
profile 293
QAFOWN (AFOWN) user profile 293
QAFUSR (AFUSR) user profile 293
QALWOBJRST (allow object restore
option) system value 43
QALWOBJRST (allow object restore)

system value
command 607
QALWUSRDMN (allow user objects)
system value 20, 25
QASYADJE (auditing change) file
layout 506
QASYAFJE (authority failure) file
layout 508
QASYAPJE (adopted authority) file
layout 512
QASYAUJ5 (attribute change) file
layout 513
QASYCAJE (authority change) file
layout 513
QASYCDJE (command string) file
layout 516
QASYCOJE (create object) file
layout 516
QASYCPJE (user profile change) file
layout 518
QASYCQJE (*CRQD change) file
layout 519
QASYCUJ4 (Cluster Operations) file
layout 520
QASYCVJ4 (connection verification) file
layout 521
QASYCYJ4 (cryptographic configuration)
file layout 523
QASYCYJ4 (directory services) file
layout 524
QASYDOJE (delete operation) file
layout 528
QASYDSJE (IBM-Supplied Service Tools
User ID Reset) file layout 530
QASYEVJE (EV) file layout 530
QASYGRJ4 (generic record) file
layout 531
QASYGSJE (give descriptor) file
layout 533
QASYGSJE (Internet security
management) file layout 536
QASYGSJE (interprocess communication
QASYIRJ4 (IP rules actions) file
layout 535
QASYJDJE (job description change) file
layout 538
QASYJSJE (job change) file layout 539
QASYKFJ4 (key ring file) file layout 542
QASYLDJE (link, unlink, search
QASYMLJE (mail actions) file
layout 545
QASYNAJE (network attribute change)
file layout 546
QASYNDJE (APPN directory) file
layout 546
QASYNEJE (APPN end point) file
layout 547
QASYO1JE (optical access) file
layout 554, 555
QASYO3JE (optical access) file
layout 556
QASYOMJE (object management) file
layout 547
QASYORJE (object restore) file

layout 550
QASYOWJE (ownership change) file
layout 553
QASYPAJE (program adopt) file
layout 556
QASYPGJE (primary group change) file
layout 558
QASYPOJE (printer output) file
layout 560
QASYPSJE (profile swap) file layout 561
QASYPWJE (password) file layout 562
QASYRAJE (authority change for restored
QASYRJJE (restoring job description) file
layout 565
QASYROJE (ownership change for object
program) file layout 565
QASYRPJE (restoring programs that
adopt authority) file layout 567
QASYRQJE (restoring *CRQD that adopts
QASYRUJE (restore authority for user
profile) file layout 568
QASYRZJE (primary group change for
QASYSDJE (change system distribution
QASYSEJE (change of subsystem routing
QASYSFJE (action to spooled file) file
layout 572
QASYSGJ4() file layout 575, 576
QASYSMJE (system management change)
file layout 577
QASYSOJ4 (server security user
information actions) file layout 578
QASYSTJE (service tools action) file
layout 579
QASYSVJE (action to system value) file
layout 581
QASYVAJE (changing access control list)
file layout 581
QASYVCJE (connection start and end)
file layout 582
QASYVFJE (close of server files) file
layout 582
QASYVLJE (account limit exceeded) file
layout 583
QASYVNJE (network log on and off) file
layout 583
QASYVOJ4 (validation list) file
layout 584
QASYVPJE (network password error) file
layout 586
QASYVRJE (network resource access) file
layout 586
QASYVSJE (server session) file
layout 587
QASYVUJE (network profile change) file
layout 587
QASYVVJE (service status change) file
layout 588
QASYX0JE (kerberos authentication) file
layout 589
QASYYCJE (change to DLO object) file
layout 593
QASYYRJE (read of DLO object) file

layout 593
QASYZCJE (change to object) file
layout 594
QASYZMJE (change to object) file
layout 595
QASYZRJE (read of object) file
layout 596
QATNPGM (Attention-key-handling
program) system value 95
QAUDCTL (audit control) system value
changing 289, 601
displaying 289, 601
QAUDCTL (auditing control) system
value
overview 58
QAUDENDACN (auditing end action)
QAUDFRCLVL (auditing force level)
QAUDJRN (audit) journal 255
AD (auditing change) entry type 255
AF (authority failure) entry type 255
description 255
analyzing
with query 274
AP (adopted authority) entry
type 255
layout 512
value 61
automatic cleanup 270
CA (authority change) entry type 255
CD (command string) entry type 255
changing receiver 271
CO (create object) entry type 130,
255
CP (user profile change) entry
type 255
CP (user profile change) file
layout 518
CQ (change *CRQD object) entry
type 255
creating 268
CU(Cluster Operations) file
layout 520
CV(connection verification) file
layout 521
layout 523
damaged 269
QAUDJRN (audit) journal (continued)

displaying entries 252, 272
DO (delete operation) entry type 255
DS (DST password reset) entry
type 255
DS (IBM-Supplied Service Tools User
ID Reset) file layout 530
error conditions 59
layout 530
force level 60
GR(generic record) file layout 531
introduction 252
IP (Interprocess Communication
IP (interprocess communications)
entry type 255
IR(IP rules actions) file layout 535
layout 536
JD (job description change) entry
type 255
layout 538
JS (job change) entry type 255
layout 544
managing 269
methods for analyzing 272
ML (mail actions) entry type 255
NA (network attribute change) entry
type 255
layout 546
O1 (optical access) file layout 554,
555
O3 (optical access) file layout 556
OM (object management) entry
type 255
OM (object management) file
layout 547
OR (object restore) entry type 255
OR (object restore) file layout 550
OW (ownership change) entry
type 255
OW (ownership change) file
layout 553
PA (program adopt) entry type 255
PA (program adopt) file layout 556
PG (primary group change) entry
type 255
layout 558
PO (printer output) entry type 255
PS (profile swap) entry type 255
PW (password) entry type 255
PW (password) file layout 562
Index
669

receiver storage threshold 270
RJ (restoring job description) entry
type 255
layout 565
authority) entry type 255
RQ (restoring *CRQD object that
adopts authority) file layout 568
RQ (restoring *CRQD object) entry
type 255
entry type 255
file layout 568
restored object) entry type 255
directory) entry type 255
entry) entry type 255
SF (action to spooled file) file
layout 572
SF (change to spooled file) entry
type 255
SG file layout 575, 576
SM (system management change)
entry type 255
layout 577
ST (service tools action) entry
type 255
ST (service tools action) file
layout 579
stopping 272
SV (action to system value) entry
type 255
layout 581
system entries 269
VA (access control list change) entry
type 255
layout 581
layout 582
VC (connection start or end) entry
type 255
670

VF (close of server files) file
layout 582
layout 583
layout 583
VN (network log on or off) entry
type 255
VP (network password error) entry
type 255
layout 586
layout 586
VS (server session) entry type 255
VU (network profile change) entry
type 255
layout 587
VV (service status change) entry
type 255
layout 588
layout 589
layout 593
YR (read of DLO object) file
layout 593
QAUDLVL (audit level) system value
*AUTFAIL value 255
value 255
value 255
value 255
*PRTDTA (printer output) value 255
value 255
value 255
changing 268, 289, 601
displaying 289, 601
purpose 253
user profile 102
QAUDLVL (auditing level) system value
overview 61
QAUTOCFG (automatic configuration)
system value
command 607
QAUTOCFG (automatic device
configuration) system value 36
QAUTOVRT (automatic configuration of

virtual devices) system value 36
QAUTOVRT (automatic virtual-device
configuration) system value
command 607
QAUTPROF (authority profile) user
profile 293
QBRMS (BRM) user profile 293
QCCSID (coded character set identifier)
system value 96
QCL program 125
QCMD command processor
special environment (SPCENV) 80
QCNTRYID (country or region identifier)
system value 96
QCONSOLE (console) system value 189
QCRTAUT (create authority) system
value
description 25
risk of changing 26
using 128
QCRTOBJAUD (create object auditing)
system value 61
QDBSHRDO (database share) user
profile 293
QDCEADM (DCEADM) user profile 293
QDEVRCYACN (device recovery action)
system value 37
command 607
QDFTJOBD (default) job description 86
QDFTOWN (default owner) user profile
default values 293
description 130
QDOC (document) user profile 293
QDSCJOBITV (disconnected job time-out
interval) system value 38
command 607
executive) user profile 293
QDSPSGNINF (display sign-on
information) system value 26, 82
command 607
QEZMAIN program 95
QFNC (finance) user profile 293
QGATE (VM/MVS bridge) user
profile 293
QHST (history) log
QINACTITV (inactive job time-out
interval) system value 27
command 607
QINACTMSGQ (inactive job message
queue) system value 28
command 607
QjoAddRemoteJournal (Add Remote
Journal) API
object auditing 472
QjoChangeJournal State(Change Journal

State) API
object auditing 472
QjoEndJournal (End journaling) API
object auditing 444
QjoEndJournal (End Journaling) API
object auditing 472
QJORDJE2 record format 501
QjoRemoveRemoteJournal (Remove
Remote Journal) API
object auditing 472
QjoRetrieveJournalEntries (Retrieve
Journal Entries) API
object auditing 472
QjoRetrieveJournalInformation (Retrieve
Journal Information) API
object auditing 473
QJORJIDI (Retrieve Journal Identifier
(JID) Information) API
object auditing 472
QjoSJRNE (Send Journal Entry) API
object auditing 472
QjoStartJournal (Start Journaling) API
QKBDBUF (keyboard buffering) system
value 84
QLANGID (language identifier) system
value 96
QlgAccess command (Detremine File
Accessibility)
object auditing 454
QlgAccessx command (Determine File
Accessibility)
object auditing 454
QLMTDEVSSN (limit device sessions)
system value
auditing 250
description 29
parameter 83
QLMTSECOFR (limit security officer)
system value
auditing 248
authority to device descriptions 187
description 29
sign-on process 189
command 607
QLPAUTO (licensed program automatic
install) user profile
default values 293
restoring 238
QLPINSTALL (licensed program install)
user profile
default values 293
restoring 238
QMAXSGNACN (action when sign-on
attempts reached) system value
description 31
user profile status 69
command 607
attempts) system value
auditing 248, 252
description 30

attempts) system value (continued)
command 607
QMSF (mail server framework) user
profile 293
QPGMR (programmer) user profile
default values 293
password set by CFGSYSSEC
command 609
QPRTDEV (print device) system
value 93
QPWDEXPITV (password expiration
interval) system value
auditing 249
description 46
parameter 83
command 607
QPWDLMTAJC (password limit adjacent)
system value 51
QPWDLMTAJC (password restrict
adjacent characters) system value
command 607
QPWDLMTCHR (limit characters) system
value 50
QPWDLMTCHR (password restrict
characters) system value
command 607
QPWDLMTCHR command 68
QPWDLMTREP (limit repeated
characters) system value 51
QPWDLVL
case sensitive passwords 52, 66
Password levels (maximum
length) 49
Password levels (minimum
length) 48
Password levels (QPWDLVL) 48, 49,
50
QPWDLVL (case sensitive)
case sensitive passwords
QPWDLVL case sensitive 51
Password levels (case sensitive) 51
QPWDLVL (current or pending value)
and program name 53
QPWDMAXLEN (password maximum
length) system value 49
command 607
QPWDMINLEN (password minimum
length) system value 48
command 607
QPWDPOSDIF (password require
position difference) system value
command 607
QPWDPOSDIF (position characters)
system value 52
QPWDRQDDGT (password require

numeric character) system value
command 607
QPWDRQDDGT (required password
digits) system value 52
QPWDRQDDIF (duplicate password)
system value 49
QPWDRQDDIF (password required
difference) system value
command 607
QPWDVLDPGM (password validation
program) system value 53
command 607
QRCL (reclaim storage) library
QRCLAUTL (reclaim storage)
system value 32
value 32
QRJE (remote job entry) user profile 293
QRMTSIGN (allow remote sign-on)
system value
command 607
QRMTSIGN (remote sign-on) system
value 32, 252
QRMTSRVATR (remote service attribute)
system value 2, 38
QRYDOCLIB (Query Document Library)
command
object auditing 460
QRYDST (Query Distribution) command
QRYPRBSTS (Query Problem Status)
command
QSECOFR (security officer) user profile
default values 293
disabled status 69
enabling 69
restoring 238
QSECURITY (security level) system value
auditing 248
automatic user profile creation 63
changing, 20 from higher level 13
changing, level 10 to level 20 12
changing, level 20 to 30 13
changing, to level 40 18
disabling level 40 19
enforcing QLMTSECOFR system
value 189
introduction 2
level 10 12
level 20 12
Index
671

value (continued)
level 30 13
level 40 14
level 50 19
message handling 20
overview 9
recommendations 11
user class 11
command 607
QSH (Start QSH) command
alias for STRQSH 416
QSHRMEMCTL (share memory control)
system value
description 33
possible values 33
QSNADS (Systems Network Architecture
distribution services) user profile 293
QSPCENV (special environment) system
value 80
QSPL (spool) user profile 293
QSPLJOB (spool job) user profile 293
QSPRJOBQ (Retrieve job queue
information) API
object auditing 471
QSRTSEQ (sort sequence) system
value 95
QSRV (service) user profile
default values 293
command 609
QSRVBAS (basic service) user profile
default values 293
command 609
QSYS (system) library
QSYS (system) user profile
default values 293
restoring 238
QSYSLIBL (system library list) system
value 193
QSYSMSG message queue
auditing 252, 276
QMAXSGNACN (action when
attempts reached) system value 31
attempts) system value 30
QSYSOPR (system operator) message
queue
restricting 193
QSYSOPR (system operator) user
profile 293
command 609
QTCP (TCP/IP) user profile 293
QTEMP (temporary) library
QTMPLPD (TCP/IP printing support)
user profile 293
QTSTRQS (test request) user profile 293
672
query
analyzing audit journal entries 274
query definition (*QRYDFN)
auditing 486
Query Management/400
commands 415
query manager form (*QMFORM)
auditing 485
query manager query (*QMQRY)
auditing 485
question and answer
commands 416
QUSEADPAUT (use adopted authority)
system value
description 34
risk of changing 35
QUSER (user) user profile
command 609
QUSER (workstation user) user
profile 293
QUSER38 library 125
QUSRLIBL (user library list) system
value 87
QUSRTOOL library
Display Audit Log (DSPAUDLOG)
messages used 255
DSPAUDLOG (Display Audit Log)
messages used 255
QVFYOBJRST (verify object on restore)
system value 39
QVFYOBJRST (Verify Object Restore)
system value 3
QWCLSCDE (List job schedule entry) API
object auditing 471
R
RA (authority change for restored object)
RCLACTGRP (Reclaim Activation Group)
command
RCLDLO (Reclaim Document Library
Object) command
object auditing 461
RCLOPT (Reclaim Optical) command
profiles 299
RCLRSC (Reclaim Resources) command
RCLSPLSTG (Reclaim Spool Storage)
command
profiles 299
RCLSTG (Reclaim Storage) command
profiles 299
damaged authorization list 244
object auditing 444
RCLSTG (Reclaim Storage) command

(continued)
profile 130
RCLTMPSTG (Reclaim Temporary
Storage) command
profiles 299
object auditing 445
RCVDST (Receive Distribution) command
object auditing 460
RCVJRNE (Receive Journal Entry)
command
object auditing 472
RCVMGRDTA (Receive Migration Data)
command
RCVMSG (Receive Message) command
object auditing 478
RCVNETF (Receive Network File)
command
read (*READ) authority 120, 309
read of DLO object (YR) file layout 593
read of object (ZR) file layout 596
reader
commands 417
receiver
changing 271
deleting 272
detaching 270, 271
saving 271
reclaim storage (QRCL) library
reclaim storage (QRCLAUTL)
Reclaim Storage (RCLSTG)
command 20, 130, 244
reclaiming
storage 20, 130, 244
setting QALWUSRDMN (allow
user objects) system value 25
recommendation
application design 214
(DSPSGNINF) 82
initial library list 87
job descriptions 87
library design 213
library list
current library 196
product library portion 195
system portion 195
recommendation (continued)
library list (continued)
user portion 196
limit capabilities (LMTCPB) 74
limiting
device sessions 83
message queue 92
naming
group profile 66
user profiles 65
(PWDEXPITV) 83
passwords 67
parameter 86
public authority
user profiles 101
QUSRLIBL system value 87
security design 208
value 11
(PWDEXP) 68
summary 208
record-level security 224
recovering
damaged audit journal 269
damaged authorization list 243
user profiles 235
reference code table (*RCT) auditing 487
referenced object 153
rejecting
access
iSeries Access access 201
remote job submission 200
relational database directory
commands 418
remote job entry (QRJE) user profile 293
remote job entry (RJE)
commands 419
remote job submission
securing 200
remote service attribute (QRMTSRVATR)
system value 38
remote sign-on
QRMTSIGN system value 32
remote sign-on (QRMTSIGN) system
value 32, 252
(RMVAUTLE) command 154, 283
Remove Directory Entry (RMVDIRE)
command 288

Authority (RMVDLOAUT)
command 287
Remove Library List Entry (RMVLIBLE)
command 193
Remove User display 111
removing
authority for user 148
authorization list
object 155
user authority 154, 283
directory entry 288
authority 287
employees who no longer need
access 250
library list entry 193
user authority
object 148
user profile
automatically 599
directory entry 110
message queue 110
owned objects 109
primary group 109
renaming
object
entry 255
user profile 114
repeated characters (QPWDLMTREP)
system value 51
repeating passwords 49
reply list
action auditing 487
commands 431
required password digits
(QPWDRQDDGT) system value 52
resetting
password
entry 255
RESMGRNAM (Resolve Duplicate and
Incorrect Office Object Names)
command
profiles 299
resource
commands 418
resource security
definition 119
introduction 5
limit access 233
restore
security risks 203
Restore Authority (RSTAUT) command
description 287
Restore Authority (RSTAUT) command

(continued)
procedure 241
using 240
restore authority for user profile (RU) file
layout 568
restore authority for user profile (RU)
Restore Document Library Object
(RSTDLO) command 235
Restore Library (RSTLIB) command 235
Restore Licensed Program (RSTLICPGM)
command
recommendations 242
security risks 242
Restore Object (RSTOBJ) command
using 235
restore operation
storage needed 84
restore system value
security-related
overview 39
Restore User Profiles (RSTUSRPRF)
command 235, 287
restoring
*ALLOBJ (all object) special authority
all object (*ALLOBJ) special
authority 238
*CRQD object
entry 255
*CRQD object that adopts authority
(RQ) file layout 568
adopted authority
changes to ownership and
authority 242
allow object differences (ALWOBJDIF)
parameter 239
parameter 239
authority
entry 255
procedure 240
authority changed by system
entry 255
authorization list
association with object 239
document library object (DLO) 235
gid (group identification
number) 238
job description
entry 255
library 235
licensed program
recommendations 242
security risks 242
Index
673
restoring (continued)
object
entry 255
commands 235
ownership 235, 239
security issues 238
operating system 244
ownership change
entry 255
private authority 235, 240
program failure
entry 255
programs 241
QDFTOWN (default) owner
entry 255
restricting 203
storage needed 84
uid (user identification number) 238
user profile
entry 255
procedures 235, 237
restoring *CRQD (RQ) file layout 569
restoring *CRQD object (RQ) journal
entry type 255
restoring job description (RJ) file
layout 565
restoring job description (RJ) journal
entry type 255
restoring programs that adopt authority
(RP) file layout 567
restoring programs that adopt authority
(RP) journal entry type 255
restricted instruction
restricting
access
console 248
workstations 248
adjacent digits in passwords
(QPWDLMTAJC system value) 51
capabilities 73
characters in passwords 50
command line use 73
commands (ALWLMTUSR) 74
consecutive digits in passwords
(QPWDLMTAJC system value) 51
messages 20
QSYSOPR (system operator) message
queue 193
repeated characters in passwords 51
restore operations 203
save operations 203
security officer (QLMTSECOFR
system value) 248
674

system value
overview 32
value 32
(RTVAUTLE) command 283
Retrieve Journal Receiver Information
API
object auditing 473
Retrieve User Profile (RTVUSRPRF)
command 116, 286
retrieving
authorization list entry 283
user profile 116, 286
RETURN (Return) command
reversing
page down (*ROLLKEY user
option) 98
page up (*ROLLKEY user option) 98
Revoke Object Authority (RVKOBJAUT)
command 147, 155, 284
Revoke Public Authority (RVKPUBAUT)
command
details 609
Revoke User Permission (RVKUSRPMN)
command 287
revoking
user permission 287
RGZDLO (Reorganize Document Library
Object) command
object auditing 461
RGZPFM (Reorganize Physical File
Member) command
object auditing 466
risk
authority 76
authority 77
authority 77
authority 77
authority 77
create authority (CRTAUT)
parameter 128
library list 194
password validation program 54
restore commands 203
restoring programs that adopt
authority 242
restoring programs with restricted
instructions 241
risk (continued)
save commands 203
special authorities 76
layout 565
RJ (restoring job description) journal
entry type 255
RJE (remote job entry)
commands 419
RLSCMNDEV (Release Communications
Device) command
profiles 299
RLSDSTQ (Release Distribution Queue)
command
profiles 299
RLSIFSLCK (Release IFS Lock) command
profiles 299
RLSIFSLCK (Release IFS Lock) command)
command
RLSJOB (Release Job) command
RLSJOBQ (Release Job Queue) command
object auditing 470
RLSJOBSCDE (Release Job Schedule
Entry) command
object auditing 471
RLSOUTQ (Release Output Queue)
command
object auditing 481
RLSRDR (Release Reader) command
RLSRMTPHS (Release Remote Phase)
command
profiles 299
RLSSPLF (Release Spooled File)
command
object auditing 481
RLSWTR (Release Writer) command
RMVACC (Remove Access Code)
command
profiles 299
object auditing 461
RMVAJE (Remove Autostart Job Entry)
command
object auditing 488
RMVALRD (Remove Alert Description)
command
object auditing 446
RMVALRD (Remove Alert Description)

command (continued)
RMVAUTLE (Remove Authorization List
Entry) command
description 283
object auditing 447
using 154
RMVBKP (Remove Breakpoint) command
RMVBNDDIRE (Remove Binding
object auditing 448
RMVCFGLE (Remove Configuration List
Entries) command
RMVCFGLE (Remove Configuration List
Entry) command
object auditing 448
RMVCMNE (Remove Communications
Entry) command
object auditing 488
RMVCNNLE (Remove Connection List
Entry) command
object auditing 451
RMVCOMSNMP (Remove Community
for SNMP) command
RMVCRQD (Remove Change Request
Description Activity) command
object auditing 449
RMVCRQDA (Remove Change Request
Description Activity) command
RMVCRSDMNK (Remove Cross Domain
Key) command
profiles 299
RMVDIR (Remove Directory) command
object auditing 456
RMVDIRE (Remove Directory Entry)
command
description 288
RMVDIRSHD (Remove Directory Shadow
System) command
RMVDLOAUT (Remove Document
Library Object Authority) command
description 287
object auditing 461
RMVDSTLE (Remove Distribution List
Entry) command
RMVDSTQ (Remove Distribution Queue)
command
profiles 299
RMVDSTRTE (Remove Distribution

Route) command
profiles 299
RMVDSTSYSN (Remove Distribution
Secondary System Name) command
profiles 299
RMVEMLCFGE (Remove Emulation
RMVENVVAR (Remove Environment
Variable) command
RMVEWCBCDE (Remove Extended
command
RMVEWCPTCE (Remove Extended
command
RMVEXITPGM (Add Exit Program)
command
object auditing 464
RMVEXITPGM (Remove Exit Program)
command
profiles 299
RMVFCTE (Remove Forms Control Table
Entry) command
RMVFNTTBLE (Remove Font Table
Entry)
commands 319
RMVFTRACNE (Remove Filter Action
Entry) command
object auditing 468
RMVFTRSLTE (Remove Filter Selection
Entry) command
object auditing 468
RMVICFDEVE (Remove Intersystem
RMVIPSIFC (Remove IP over SNA
Interface) command
RMVIPSLOC (Remove IP over SNA
RMVIPSRTE (Remove IP over SNA
Route) command
RMVJOBQE (Remove Job Queue Entry)
command
RMVJOBSCDE (Remove Job Schedule
Entry) command
object auditing 471
RMVJOBSCDE (Remove Job Schedule

Entry) command (continued)
RMVJRNCHG (Remove Journaled
Changes) command
profiles 299
RMVLANADP (Remove LAN Adapter)
command
profiles 299
RMVLANADPI (Remove LAN Adapter
RMVLANADPT (Remove LAN Adapter)
command
RMVLIBLE (Remove Library List Entry)
command
using 193
RMVLICKEY (Remove License Key)
command
RMVLNK (Remove Link) command
RMVM (Remove Member) command
object auditing 466
RMVMFS (Remove Mounted File System)
RMVMFS (Remove Mounted File System)
command
profiles 299
RMVMSG (Remove Message) command
object auditing 478
RMVMSGD (Remove Message
object auditing 477
RMVNETJOBE (Remove Network Job
Entry) command
profiles 299
RMVNETTBLE (Remove Network Table
Entry) command
RMVNODLE (Remove Node List Entry)
command
object auditing 479
RMVNWSSTGL (Remove Network Server
Storage Link) command
RMVOPTCTG (Remove Optical
Cartridge) command
profiles 299
Index
675
RMVOPTSVR (Remove Optical Server)

command
profiles 299
RMVPEXDFN (Remove Performance
profiles 299
RMVPEXFTR command
profiles 299
RMVPFCST (Remove Physical File
Constraint) command
object auditing 466
RMVPFTGR (Remove Physical File
Trigger) command
object auditing 467
RMVPFTRG (Remove Physical File
Trigger) command
RMVPGM (Remove Program) command
RMVPJE (Remove Prestart Job Entry)
command
object auditing 488
RMVPTF (Remove Program Temporary
Fix) command
profiles 299
RMVRDBDIRE (Remove Relational
RMVRJECMNE (Remove RJE
RMVRJERDRE (Remove RJE Reader
Entry) command
RMVRJEWTRE (Remove RJE Writer
Entry) command
RMVRMTJRN (Remove Remote Journal)
command
object auditing 472
RMVRMTPTF (Remove Remote Program
Temporary Fix) command
profiles 299
RMVRPYLE (Remove Reply List Entry)
command
profiles 299
object auditing 487
RMVRTGE (Remove Routing Entry)
command
object auditing 488
RMVSCHIDXE (Remove Search Index
Entry) command
object auditing 489
676
RMVSOCE (Remove Sphere of Control

Entry) command
RMVSVRAUTE (Remove Server
RMVTAPCTG (Remove Tape Cartridge)
command
RMVTCPHTE (Remove TCP/IP Host
RMVTCPIFC (Remove TCP/IP Interface)
command
RMVTCPPORT (Remove TCP/IP Port
Entry) command
RMVTCPRSI (Remove TCP/IP Remote
RMVTCPRTE (Remove TCP/IP Route)
command
RMVTRC (Remove Trace) command
RMVWSE (Remove Work Station Entry)
command
object auditing 488
RNM (Rename) command
RNMCNNLE (Rename Connection List
Entry) command
object auditing 451
RNMDIRE (Rename Directory Entry)
command
RNMDKT (Rename Diskette) command
RNMDLO (Rename Document Library
Object) command
object auditing 461
RNMDSTL (Rename Distribution List)
command
RNMM (Rename Member) command
object auditing 467
RNMOBJ (Rename Object) command
RNMTCPHTE (Rename TCP/IP Host
object) journal entry type 255
roll key (*ROLLKEY) user option 98
ROLLBACK (Rollback) command
routing entry
authority to program 186
routing entry (continued)

changing
entry 255
performance 204
authority) journal entry type 255
RPLDOC (Replace Document) command
object auditing 461
RQ (restoring *CRQD object that adopts
RQ (restoring *CRQD object) journal
entry type 255
RRTJOB (Reroute Job) command
RSMBKP (Resume Breakpoint) command
RSMCTLRCY (Resume Controller
Recovery) command
object auditing 453
RSMDEVRCY (Resume Device Recovery)
command
object auditing 454
RSMLINRCY (Resume Line Recovery)
command
object auditing 474
RSMNWIRCY (Resume Network
Interface Recovery) command
object auditing 480
RST (Restore) command
profiles 299
object auditing 444, 456, 490, 495,
496
RSTAUT (Restore Authority) command
profiles 299
description 287
procedure 241
using 240
RSTCAL (Restore Calendar) command
profiles 299
RSTCFG (Restore Configuration)
command
profiles 299
object auditing 444
RSTDLO (Restore Document Library
Object) command 235
profiles 299
object auditing 461
RSTLIB (Restore Library) command 235
RSTLIB (Restore Library) command

(continued)
profiles 299
object auditing 445
RSTLICPGM (Restore Licensed Program)
command
profiles 299
object auditing 445
recommendations 242
security risks 242
RSTOBJ (Restore Object) command
profiles 299
object auditing 445
using 235
RSTS36F (Restore System/36 File)
command
profiles 299
RSTS36FLR (Restore System/36 Folder)
command
profiles 299
RSTS36LIBM (Restore System/36 Library
Members) command
profiles 299
RSTS38AUT (Restore System/38
Authority) command
profiles 299
RSTSHF (Restore Bookshelf) command
object auditing 461
RSTUSFCNR (Restore USF Container)
command
profiles 299
RSTUSRPRF (Restore User Profiles)
command
profiles 299
object auditing 498
RTVAUTLE (Retrieve Authorization List
Entry) command
description 283
object auditing 447
RTVBCKUP (Retrieve Backup Options)
command
RTVBNDSRC (Retrieve Binder Source)
command
*SRVPGM, retrieving exports
from 394
RTVCFGSRC (Retrieve Configuration

Source) command
475, 479, 480
RTVCFGSTS (Retrieve Configuration
Status) command
RTVCLDSRC (Retrieve C Locale Source)
command
object auditing 450
RTVCLNUP (Retrieve Cleanup)
command
RTVCLSRC (Retrieve CL Source)
command
object auditing 483
RTVCURDIR (Retrieve Current Directory)
command
object auditing 455
RTVDLONAM (Retrieve Document
Library Object Name) command
RTVDOC (Retrieve Document) command
RTVDSKINF (Retrieve Disk Activity
profiles 299
RTVDTAARA (Retrieve Data Area)
command
object auditing 462
RTVGRPA (Retrieve Group Attributes)
command
RTVJOBA (Retrieve Job Attributes)
command
RTVJRNE (Retrieve Journal Entry)
command
object auditing 472
RTVLIBD (Retrieve Library Description)
command
RTVMBRD (Retrieve Member
object auditing 467
RTVMSG (Retrieve Message) command
object auditing 477
RTVNETA (Retrieve Network Attributes)
command
RTVOBJD (Retrieve Object Description)
command
object auditing 446
RTVPDGPRF (Retrieve Print Descriptor
RTVPRD (Retrieve Product) command

profiles 299
RTVPTF (Retrieve PTF) command
profiles 299
RTVPWRSCDE (Retrieve Power On/Off
RTVQMFORM (Retrieve Query
object auditing 486
RTVQMQRY (Retrieve Query
Management Query) command
RTVS36A (Retrieve System/36 Attributes)
command
object auditing 497
RTVSMGOBJ (Retrieve System
Management Object) command
profiles 299
RTVSYSVAL (Retrieve System Value)
command
RTVUSRPRF (Retrieve User Profile)
command
description 286
object auditing 499
using 116
RTVWSCST (Retrieve Work Station
object auditing 500
RU (restore authority for user profile) file
layout 568
run priority 204
RUNBCKUP (Run Backup) command
RUNLPDA (Run LPDA-2) command
profiles 299
object auditing 474
RUNQRY (Run Query) command
object auditing 486
RUNSMGCMD (Run System
Management Command) command
profiles 299
RUNSMGOBJ (Run System Management
Object) command
profiles 299
RUNSQLSTM (Run Structured Query
Language Statement) command
RVKACCAUT (Revoke Access Code
Authority) command
object auditing 461
Index
677
RVKACCAUT (Revoke Access Code

Authority) command (continued)
RVKOBJAUT (Revoke Object Authority)
command 147
description 284
object auditing 445
using 155
RVKPUBAUT (Revoke Public Authority)
command
profiles 299
details 609
RVKUSRPMN (Revoke User Permission)
command
description 287
object auditing 461
RVKWSOAUT (Revoke Workstation
Object Authoriy) command
RZ (primary group change for restored
RZ (primary group change for restored
object) journal entry type 255
S
S/36 machine description (*S36)
auditing 497
SAV (Save) command
SAVAPARDTA (Save APAR Data)
command
profiles 299
SAVCFG (Save Configuration) command
SAVCHGOBJ (Save Changed Object)
command
object auditing 443
SAVDLO (Save Document Library Object)
command
using 235
Save Document Library Object (SAVDLO)
command 235
Save Library (SAVLIB) command 235
Save Object (SAVOBJ) command 235,
271
Save Security Data (SAVSECDTA)
command 235, 287
save system (*SAVSYS) special authority
description 244
removed by system
risks 77
678
Save System (SAVSYS) command 235,

287
save/restore (*SAVRST) audit level 255
saving
auditing 245
document library object (DLO) 235
library 235
object 235
primary group 235
restricting 203
security data 235, 287
security risks 203
system 235, 287
user profile
commands 235
SAVLIB (Save Library) command
object auditing 443
using 235
SAVLICPGM (Save Licensed Program)
command
profiles 299
object auditing 443
SAVOBJ (Save Object) command
object auditing 443
saving audit journal receiver 271
using 235
SAVRSOBJ (Save Restore Object)
command
SAVRSTCFG (Save Restore
SAVRSTCHG (Save Restore Change)
command
SAVRSTDLO (Save Resorte Document
Library Object) command
SAVRSTLIB (Save Restore Library)
command
SAVS36F (Save System/36 File) command
SAVS36LIBM (Save System/36 Library
Members) command
SAVSAVFDTA (Save Save File Data)
command
object auditing 443
SAVSECDTA (Save Security Data)
command
description 287
using 235
SAVSHF (Save Bookshelf) command

SAVSTG (Save Storage) command
object auditing 446
SAVSYS (Save System) command
description 287
using 235
SBMCRQ (Submit Change Request)
command
object auditing 449
SBMDBJOB (Submit Database Jobs)
command
SBMDKTJOB (Submit Diskette Jobs)
command
SBMFNCJOB (Submit Finance Job)
command
profiles 299
SBMJOB (Submit Job) command
authority checking 186
SECBATCH menu 601
SBMNETJOB (Submit Network Job)
command
SBMNWSCMD (Submit Network Server
Command) command
profiles 299
SBMRJEJOB (Submit RJE Job) command
SBMRMTCMD (Submit Remote
Command) command
scan
object alterations 252, 280, 286
scheduling
security reports 602
user profile
activation 599
expiration 599
scheduling priority
limiting 85
scrolling
option) 98
SD (change system distribution directory)
file layout 570
SD (change system distribution directory)
SE (change of subsystem routing entry)
file layout 571
SE (change of subsystem routing entry)
search index
search index (*SCHIDX) auditing 489
SECBATCH (Submit Batch Reports) menu
scheduling reports 602
submitting reports 601
SECTOOLS (Security Tools) menu 599
security
C2
description 6
critical files 224
designing 207
job description 192
keylock 2
library lists 193
objective
availability 1
confidentiality 1
integrity 1
output queue 197
overall recommendations 208
physical 2
planning 1
printer output 197
source files 232
spooled file 197
starting
batch job 186
interactive job 185
jobs 185
system values 3
tools 289
why needed 1
security (*SECURITY) audit level 255
security administrator (*SECADM)
special authority
security attribute
commands 423
security audit
commands 423
security audit journal
displaying entries 289
printing entries 603
security auditing
displaying 289, 601
setting up 289, 601
security auditing function
activating 267
CHGSECAUD 267
stopping 272
security command
list 283
security data
saving 235, 287
security information
backup 235
format on system 236
recovery 235
restoring 235
saving 235
stored on system 236
security level (QSECURITY) system value
auditing 248
changing

value (continued)
level 30 to 20 13
level 40 to 20 13
level 50 to level 30 or 40 21
value 189
introduction 2
level 10 12
level 20 12
level 30 13
level 40 14
level 50
message handling 20
overview 19
QTEMP (temporary) library 20
overview 9
recommendations 11
user class 11
command 607
security officer
limiting workstation access 29
monitoring actions 280
restricting to certain
workstations 248
security officer (QSECOFR) user profile
default values 293
disabled status 69
enabling 69
restoring 238
security tools
commands 289, 599
contents 289, 599
menus 599
Security Tools (SECTOOLS) menu 599
security value
setting 607
Send Journal Entry (SNDJRNE)
command 269
(SNDNETSPLF) command 198
sending
journal entry 269
network spooled file 198
sensitive data
encrypting 252
protecting 250
server authentication
commands 423
server authentication entry
adding 288
changing 288
server authentication entry (continued)

removing 288
server security user information actions
(SO) file layout 578
server session
server session (VS) file layout 587
server session VS) journal entry
type 255
server storage space (*SVRSTG)
object 493
service
commands 423
service (*SERVICE) special authority
failed sign-on 187
risks 77
service (QSRV) user profile
default values 293
service basic (QSRVBAS) user
profile 293
service program
service program (*SRVPGM)
auditing 492
service status change (VV) file
layout 588
service status change (VV) journal entry
type 255
service tools (*SPLFDTA) audit level 255
service tools action (ST) file layout 579
service tools action (ST) journal entry
type 255
session
commands 419
session description (*SSND)
auditing 493
Set Attention Program (SETATNPGM)
command 94
set password to expired (PWDEXP)
parameter 68
SETATNPGM (Set Attention Program)
command
job initiation 94
SETCSTDTA (Set Customization Data)
command
SETJOBATR (user options) parameter
user profile 97
SETMSTK (Set Master Key) command
profiles 299
SETOBJACC (Set Object Access)
command
SETPGMINF (Set Program Information)
command
SETTAPCGY (Set Tape Category)
command
Index
679
setting
(ATNPGM) 94
network attributes 290, 607
security values 607
system values 290, 607
setting up
auditing function 267
SETVTMAP (Set VT100 Keyboard Map)
command
SETVTTBL (Set VT Translation Tables)
command
SEV (message queue severity) parameter
user profile 92
severity (SEV) parameter
user profile 92
SF (action to spooled file) file layout 572
SF (change to spooled file) journal entry
type 255
share memory control (QSHRMEMCTL)
system value
description 33
possible values 33
shared folder
securing 202
sign-on
action when attempts reached
(QMAXSGNACN system value) 31
authorities required 185
authority failures 185
console 189
default
entry 255
incorrect password
entry 255
incorrect user ID
entry 255
limiting attempts 30
preventing default 251
remote (QRMTSIGN system
value) 32
restricting security officer 187
security checking 185
security officer fails 187
service user fails 187
user with *ALLOBJ special authority
fails 187
user with *SERVICE special authority
fails 187
without user ID 191
without user ID and password 16
workstation authority needed 187
sign-on information
displaying
parameter 82
QDSPSGNINF system value 26
Sign-on Information display
parameter 82
example 26
680
Sign-on Information display (continued)

expired password message 46, 68
signing
integrity 3
object 3
SIGNOFF (Sign Off) command
Signon screen
changing 190
displaying source for 190
Signon screen display file 190
size of password 48, 49
SLTCMD (Select Command) command
layout 577
SM (system management change) journal
entry type 255
SNA distribution services (QSNADS) user
profile 293
SNADS (Systems Network Architecture
distribution services)
QSNADS user profile 293
SNDBRKMSG (Send Break Message)
command
SNDDOC (Send Document) command
object auditing 459
SNDDST (Send Distribution) command
object auditing 459
SNDDSTQ (Send Distribution Queue)
command
profiles 299
SNDDTAARA (Send Data Area)
command
object auditing 462
SNDEMLIGC (Send DBCS 3270PC
Emulation Code) command
SNDFNCIMG (Send Finance Diskette
Image) command
SNDJRNE (Send Journal Entry)
command 269
object auditing 472
SNDMGRDTA (Send Migration Data)
command
SNDMSG (Send Message) command
SNDNETF (Send Network File) command
SNDNETMSG (Send Network Message)
command
SNDNETSPLF (Send Network Spooled
File) command
action auditing 491
object auditing 481
SNDNWSMSG (Send Network Server

Message) command
SNDPGMMSG (Send Program Message)
command
SNDPRD (Send Product) command
profiles 299
SNDPTF (Send PTF) command
profiles 299
SNDPTFORD (Send Program Temporary
Fix Order) command
profiles 299
SNDRJECMD (Send RJE Command)
command
SNDRJECMD (Send RJE) command
SNDRPY (Send Reply) command
object auditing 478
SNDSMGOBJ (Send System Management
Object) command
profiles 299
SNDSRVRQS (Send Service Request)
command
profiles 299
SNDTCPSPLF (Send TCP/IP Spooled
File) command
action auditing 491
object auditing 500
SNDUSRMSG (Send User Message)
command
socket
giving
entry 255
sockets
commands 320
sort sequence
QSRTSEQ system value 95
shared weight 95
unique weight 95
user profile 95
source file
securing 232
SPCAUT (special authority) parameter
recommendations 79
user profile 75
SPCENV (special environment) parameter
recommendations 80
routing interactive job 80
Special Authorities
authorities, special 230
Special Authorities, Accumulating 230
special authority
*ALLOBJ (all object)
auditing 250
automatically added 13
automatically removed 13
failed sign-on 187
risks 76
*AUDIT (audit)
risks 79
risks 79
*JOBCTL (job control)
parameter 85
risks 77
*SAVSYS (save system)
description 244
risks 77
*SERVICE (service)
failed sign-on 187
risks 77
*SPLCTL (spool control)
risks 77
added by system
changing security level 13
analyzing assignment 603
definition 75
LAN Server 79
listing users 278
recommendations 79
removed by system
user profile 75
special authority (SPCAUT) parameter
recommendations 79
user profile 75
special environment (QSPCENV) system
value 80
special environment (SPCENV) parameter
recommendations 80
routing interactive job 80
Special Files (*CHRSF) auditing 448
spelling aid dictionary
commands 426
spelling aid dictionary (*SPADCT)
auditing 491
sphere of control
commands 427
spool (QSPL) user profile 293
spool control (*SPLCTL) special authority

risks 77
spool job (QSPLJOB) user profile 293
spooled file
authority 76
authority 77
action auditing 491
changing
entry 255
copying 198
displaying 198
moving 198
commands 427
owner 197
securing 197
working with 197
spooled file changes (*SPLFDTA) audit
level 255, 491
SQL
file security 227
SQL catalog 227
SQL package (*SQLPKG) auditing 492
SRC (system reference code)
B900 3D10 (auditing error) 59
SRTSEQ (sort sequence) parameter
user profile 95
ST (service tools action) file layout 579
ST (service tools action) journal entry
type 255
Start QSH (STRQSH) command
object authority required
alias, QSH 416
Start System/36 (STRS36) command
user profile
special environment 80
starting
auditing function 267
connection
entry 255
state
program 16
state attribute
object 15
state attribute, program
displaying 16
STATFS (Display Mounted File System
status (STATUS) parameter
user profile 69
status message
displaying (*STSMSG user option) 98
not displaying (*NOSTSMSG user
option) 98
stopping
audit function 272
auditing 58
storage
enhanced hardware protection 16
storage (continued)
maximum (MAXSTG) parameter 84
reclaiming 20, 130, 244
setting QALWUSRDMN (allow
user objects) system value 25
threshold
receiver 270
user profile 84
storage pool 204
STRAPF (Start Advanced Printer
Function) command
STRBEST (Start Best/1-400 Capacity
Planner) command
STRBEST (Start BEST/1) command
profiles 299
STRBGU (Start Business Graphics Utility)
command
STRCBLDBG (Start COBOL Debug)
command
STRCGU (Start CGU) command
STRCHTSVR (Start Clustered Hash Table
Server
profiles 299
STRCLNUP (Start Cleanup) command
STRCMNTRC (Start Communications
Trace) command
profiles 299
STRCMTCTL (Start Commitment Control)
command
STRCPYSCN (Start Copy Screen)
command
STRCSP (Start CSP/AE Utilities)
command
object auditing 484
STRDBG (Start Debug) command
profiles 299
STRDBGSVR (Start Debug Server)
command
profiles 299
STRDBMON (Start Database Monitor)
command
STRDBRDR (Start Database Reader)
command
STRDFU (Start DFU) command
STRDIRSHD (Start Directory Shadow
System) command
Index
681
STRDIRSHD (Start Directory Shadowing)

command
object auditing 458
STRDKTRDR (Start Diskette Reader)
command
STRDKTWTR (Start Diskette Writer)
command
STRDSKRGZ (Start Disk Reorganization)
command
stream file (*STMF) auditing 493
STREDU (Start Education) command
STREML3270 (Start 3270 Display
Emulation) command
STRFMA (Start Font Management Aid)
command
object auditing 470
STRHOSTSVR (Start Host Server)
command
STRIDD (Start Interactive Data Definition
Utility) command
STRIDXMON (Start Index Monitor)
command
profiles 299
STRIPSIFC (Start IP over SNA Interface)
command
profiles 299
STRJOBTRC (Start Job Trace) command
profiles 299
STRJRN (Start Journal) command
STRJRN (Start Journaling) command
object auditing 445
STRJRNAP (Start Journal Access Path)
command
STRJRNOBJ (Start Journal Object)
command
STRJRNPF (Start Journal Physical File)
command
STRJRNxxx (Start Journaling) command
object auditing 472
STRMGDSYS (Start Managed System)
command
profiles 299
STRMGRSRV (Start Manager Services)
command
profiles 299
STRMOD (Start Mode) command
object auditing 476
682
STRMOD (Start Mode) command

(continued)
STRMSF (Start Mail Server Framework)
command
profiles 299
STRNFSSVR (Start Network File System
Server) command
profiles 299
STRNFSSVR (Start Network File System
Server) command) command
STRPASTHR (Start Pass-Through)
command
object auditing 453
STRPDM (Start Programming
Development Manager) command
STRPEX (Start Performance Explorer)
command
profiles 299
STRPFRG (Start Performance Graphics)
command
STRPFRT (Start Performance Tools)
command
STRPFRTRC (Start Performance Trace)
command
profiles 299
STRPJ (Start Prestart Jobs) command
STRPRTEML (Start Printer Emulation)
command
STRPRTWTR (Start Printer Writer)
command
STRQMQRY (Start Query Management
Query) command
STRQRY (Start Query) command
STRQSH (Start QSH) command
object authority required
alias, QSH 416
STRQST (Start Question and Answer)
command
STRREXPRC (Start REXX Procedure)
command
STRRGZIDX (Start Reorganization of
Index) command
profiles 299
STRRJECSL (Start RJE Console) command

STRRJERDR (Start RJE Reader) command
STRRJESSN (Start RJE Session) command
STRRJEWTR (Start RJE Writer) command
STRRLU (Start Report Layout Utility)
command
STRRMTWTR (Start Remote Writer)
command
action auditing 491, 500
object auditing 480
STRS36 (Start System/36) command
object auditing 497
user profile
special environment 80
STRS36MGR (Start System/36 Migration)
command
profiles 299
STRS38MGR (Start System/38 Migration)
command
profiles 299
STRSBS (Start Subsystem) command
object auditing 487
STRSCHIDX (Start Search Index)
command
object auditing 489
STRSDA (Start SDA) command
STRSEU (Start SEU) command
STRSQL (Start Structured Query
Language) command
STRSRVJOB (Start Service Job) command
profiles 299
STRSST (Start System Service Tools)
command
profiles 299
STRSSYSMGR (Start System Manager)
command
profiles 299
STRTCP (Start TCP/IP) command
profiles 299
STRTCPFTP (Start TCP/IP File Transfer
Protocol) command
STRTCPIFC (Start TCP/IP Interface)

command
profiles 299
STRTCPPTP (Start Point-to-Point TCP/IP)
command
STRTCPSVR (Start TCP/IP Server)
command
profiles 299
STRTCPTELN (Start TCP/IP TELNET)
command
STRTRC (Start Trace) command
STRUPDIDX (Start Update of Index)
command
profiles 299
Submit Job (SBMJOB) command 186
SECBATCH menu 601
submitting
security reports 601
subset
authority 121
subsystem
authority 76
commands 428
sign on without user ID and
password 16
subsystem description
authority 289
communications entry 192
default user 289
entry 289
performance 204
printing list of descriptions 289
parameters 603
routing entry change
entry 255
security 191
subsystem description (*SBSD)
auditing 487
SUPGRPPRF (supplemental groups)
parameter
user profile 89
supplemental group
planning 229
supplemental groups
SUPGRPPRF user profile
parameter 89
layout 581
SV (action to system value) journal entry
type 255
symbolic link (*SYMLNK) auditing 496
system
commands 430
system (continued)
saving 235, 287
system (*SYSTEM) domain 15
system (*SYSTEM) state 16
system (QSYS) library
system (QSYS) user profile
default values 293
restoring 238
system change-journal management
support 270
system configuration
system configuration (*IOSYSCFG)
special authority
risks 79
system console
See also console
QCONSOLE system value 189
system directory
changing
entry 255
system distribution directory
system library list
changing 193, 216
QSYSLIBL system value 193
system management
changing
entry 255
system management (*SYSMGT) audit
level 255
system management change (SM) file
layout 577
system management change (SM) journal
entry type 255
system operations
special authority (SPCAUT)
parameter 75
system operator (QSYSOPR) user
profile 293
system password 118
system portion
library list
changing 216
description 193
recommendations 195
system program
calling directly 15
system reference code (SRC)
B900 3D10 (auditing error) 59
system reply list
commands 431
system request function
System request menu
options and commands 222
using 222
System Request menu

(LMTDEVSSN) 83
system resources
limiting use
parameter 85
preventing abuse 204
system signing 3
system status
working with 204
system value
action when sign-on attempts reached
(QMAXSGNACN)
description 31
allow object restore option
(QALWOBJRST) 43
allow user objects
(QALWUSRDMN) 20, 25
(QATNPGM) 95
audit
planning 265
audit control (QAUDCTL)
changing 289
displaying 289
audit level (QAUDLVL)
description 255
value 255
*OFCSRV (office services)
value 255
value 255
value 255
*PRTDTA (printer output)
value 255
*SERVICE (service tools)
value 255
value 255
value 255
changing 268, 289
displaying 289
purpose 253
user profile 102
auditing 248
overview 58
auditing control (QAUDCTL)
overview 58
auditing end action
(QAUDENDACN) 59, 266
auditing force level
(QAUDFRCLVL) 60, 265
auditing level (QAUDLVL)
overview 61
automatic configuration of virtual
devices (QAUTOVRT) 36
Index
683
system value (continued)

(QAUTOCFG) 36
changing
entry 255
(QCCSID) 96
command for setting 290, 607
console (QCONSOLE) 189
(QCNTRYID) 96
create authority (QCRTAUT)
description 25
risk of changing 26
using 128
create object auditing
(QCRTOBJAUD) 61
disconnected job time-out interval
(QDSCJOBITV) 38
(QDSPSGNINF) 26, 82
inactive job
message queue
(QINACTMSGQ) 28
time-out interval
(QINACTITV) 27
keyboard buffering (QKBDBUF) 84
language identifier (QLANGID) 96
limit device sessions (QLMTDEVSSN)
auditing 250
description 29
parameter 83
limit security officer (QLMTSECOFR)
authority to device
descriptions 187
description 29
sign-on process 189
listing 248
maximum sign-on attempts
(QMAXSIGN)
auditing 248, 252
description 30
commands 431
password
approval program
(QPWDVLDPGM) 53
auditing expiration 249
duplicate (QPWDRQDDIF) 49
expiration interval
(QPWDEXPITV) 46, 83
limit adjacent
(QPWDLMTAJC) 51
limit characters
(QPWDLMTCHR) 50
(QPWDLMTREP) 51
maximum length
(QPWDMAXLEN) 49
minimum length
(QPWDMINLEN) 48
684

overview 44
position characters
(QPWDPOSDIF) 52
preventing trivial 249
required password digits
(QPWDRQDDGT) 52
restriction of consecutive digits
(QPWDLMTAJC) 51
validation program
(QPWDVLDPGM) 53
(QPWDEXPITV)
parameter 83
print device (QPRTDEV) 93
printing 248
printing securitycommunications 290
printing security-relevant 290, 603
QALWOBJRST (allow object restore
option) 43
QALWOBJRST (allow object restore)
command 607
QALWUSRDMN (allow user
objects) 20, 25
QATNPGM (Attention-key-handling
program) 95
QAUDCTL (audit control)
changing 289, 601
displaying 289, 601
QAUDCTL (auditing control)
overview 58
QAUDENDACN (auditing end
action) 59, 266
QAUDFRCLVL (auditing force
level) 60, 265
QAUDLVL (audit level)
description 255
value 255
*OFCSRV (office services)
value 255
value 255
value 255
*PRTDTA (printed output)
value 255
*SERVICE (service tools)
value 255
value 255
value 255
changing 268, 289, 601
displaying 289, 601
purpose 253
user profile 102

QAUDLVL (auditing level)
overview 61
QAUTOCFG (automatic configuration)
command 607
QAUTOCFG (automatic device
configuration) 36
QAUTOVRT (automatic configuration
of virtual devices) 36
QAUTOVRT (automatic virtual-device
configuration)
command 607
QCCSID (coded character set
identifier) 96
QCNTRYID (country or region
identifier) 96
QCONSOLE (console) 189
description 25
risk of changing 26
using 128
QCRTOBJAUD (create object
auditing) 61
QDEVRCYACN (device recovery
action)
command 607
QDSCJOBITV (disconnected job
time-out interval) 38
command 607
QDSPSGNINF (display sign-on
information) 26, 82
command 607
QFRCCVNRST (force conversion on
restore) 42
QINACTITV (inactive job time-out
interval) 27
command 607
QINACTMSGQ (inactive job message
queue) 28
command 607
QKBDBUF (keyboard buffering) 84
QLANGID (language identifier) 96
QLMTDEVSSN (limit device sessions)
auditing 250
description 29
parameter 83
QLMTSECOFR (limit security officer)
auditing 248
authority to device
descriptions 187
description 29
sign-on process 189
command 607
attempts reached)
description 31

attempts reached) (continued)
command 607
attempts)
auditing 248, 252
description 30
command 607
QPRTDEV (print device) 93
QPWDEXPITV (password expiration
interval)
auditing 249
description 46
parameter 83
command 607
QPWDLMTAJC (password limit
adjacent) 51
QPWDLMTAJC (password restrict
adjacent characters)
command 607
QPWDLMTCHR (limit characters) 50
QPWDLMTCHR (password restrict
characters)
command 607
QPWDLMTREP (limit repeated
characters) 51
QPWDLMTREP (password limit
repeated characters)
command 607
QPWDLMTREP (password require
position difference)
command 607
QPWDMAXLEN (password maximum
length) 49
command 607
QPWDMINLEN (password minimum
length) 48
command 607
QPWDPOSDIF (position
characters) 52
QPWDRQDDGT (password require
numeric character)
command 607
QPWDRQDDGT (required password
digits) 52
QPWDRQDDIF (duplicate
password) 49
QPWDRQDDIF (password required
difference)
command 607
QPWDVLDPGM (password validation
program) 53

command 607
QRETSVRSEC (retain server
security) 32
QRMTSIGN (allow remote sign-on)
command 607
QRMTSIGN (remote sign-on) 32, 252
QRMTSRVATR (remote service
attribute) 38
QSECURITY (security level)
auditing 248
value 189
introduction 2
level 10 12
level 20 12
level 30 13
level 40 14
level 50 19
message handling 20
overview 9
recommendations 11
user class 11
command 607
QSHRMEMCTL (share memory
control)
description 33
possible values 33
QSPCENV (special environment) 80
QSRTSEQ (sort sequence) 95
QSYSLIBL (system library list) 193
QUSEADPAUT (use adopted
authority)
description 34
risk of changing 35
QUSRLIBL (user library list) 87
QVFYOBJRST (verify object on
restore) 39
remote service attribute
(QRMTSRVATR) 38
remote sign-on (QRMTSIGN) 32, 252
retain server security
(QRETSVRSEC) 32
security
introduction 3
overview 23
setting 607
security level (QSECURITY)
auditing 248

security level (QSECURITY)
(continued)
value 189
introduction 2
level 10 12
level 20 12
level 30 13
level 40 14
level 50 19
overview 9
recommendations 11
user class 11
security-related
overview 35
share memory control
(QSHRMEMCTL)
description 33
possible values 33
sign-on 46
action when attempts reached
(QMAXSGNACN) 31, 69
maximum attempts
(QMAXSIGN) 30, 69, 248, 252
remote (QRMTSIGN) 32, 252
sort sequence (QSRTSEQ) 95
special environment (QSPCENV) 80
system library list (QSYSLIBL) 193
use adopted authority
(QUSEADPAUT)
description 34
risk of changing 35
user library list (QUSRLIBL) 87
verify object on restore
(QVFYOBJRST) 39
working with 248
system-defined authority 121
System/36
authority for deleted files 139
migration
System/36 environment
commands 431
user profile 80
System/38
System/38 Environment 125
Systems Network Architecture (SNA)
distribution services (QSNADS) user
profile 293
Systems Network Architecture
distribution services (SNADS)
QSNADS user profile 293
Index
685
T
TAA (tips and techniques) tool
Display Audit Log (DSPAUDLOG)
messages used 255
DSPAUDLOG (Display Audit Log)
messages used 255
table
commands 433
table (*TBL) auditing 497
tape
commands 390
protecting 248
tape cartridge
commands 390
TCP/IP (QTCP) user profile 293
TCP/IP (Transmission Control
Protocol/Internet Protocol)
commands 434
TCP/IP printing support (QTMPLPD)
user profile 293
TELNET (Start TCP/IP TELNET)
command
temporary (QTEMP) library
test request (QTSTRQS) user profile 293
text (TEXT) parameter
user profile 75
text index
commands 399
TFRBCHJOB (Transfer Batch Job)
command
object auditing 471
TFRCTL (Transfer Control) command
TFRGRPJOB (Transfer to Group Job)
command
TFRJOB (Transfer Job) command
object auditing 471
TFRPASTHR (Transfer Pass-Through)
command
TFRSECJOB (Transfer Secondary Job)
command
time slice 204
time-out interval
inactive jobs (QINACTITV) system
value 27
message queue (QINACTMSGQ)
system value 28
token-ring
commands 389
total change of password 52
Transfer Control (TFRCTL) command
686
Transfer to Group Job (TFRGRPJOB)

command
transferring
to group job 137
translation of programs 17
Transmission Control Protocol/Internet
Protocol (TCP/IP)
commands 434
TRCCNN (Trace Connection) command
TRCCPIC (Trace CPI Communications)
command
profiles 299
TRCCSP (Trace CSP/AE Application)
command
object auditing 484
TRCICF (Trace ICF) command
profiles 299
TRCINT (Trace Internal) command
profiles 299
TRCJOB (Trace Job) command
profiles 299
TRCS (Trace Cryptographic Services)
command
profiles 299
trigger program
listing all 289, 603
trivial password
preventing 45, 249
TRMPRTEML (Terminate Printer
Emulation) command
TRNPIN (Translate Personal Identification
Number) command
profiles 299
type-ahead (*TYPEAHEAD) keyboard
buffering 84
U
uid (user identification number)
restoring 238
unauthorized
access
entry 255
programs 252
UNMOUNT (Remove Mounted File
System)
UNMOUNT (Remove Mounted File
System) command
unsupported interface
audit journal (QAUDJRN) entry 16,
255
update (*UPD) authority 120, 309
UPDDTA (Update Data) command
UPDPGM (Update Program) command
UPDSRVPGM (Create Service Program)
command
object auditing 476
UPDSRVPGM (Update Service Program)
command
upgrade order information
commands 435
use (*USE) authority 121, 310
use adopted authority (QUSEADPAUT)
system value
description 34
risk of changing 35
use adopted authority (USEADPAUT)
parameter 139
USEADPAUT (use adopted authority)
parameter 139
user
adding 106
auditing
changing 78
working with 115
enrolling 106
user (*USER) domain 15
user (*USER) state 16
user auditing
changing
user authority
adding 148
copying
example 109
recommendations 153
user class
analyzing assignment 603
user class (USRCLS) parameter
description 69
recommendations 70
USER DEF (user-defined) authority 147
user domain object
restricting 19
security exposure 19
user ID
changing 117
incorrect
entry 255
user identification number (uid)
restoring 238
user identification number( ) parameter
user profile 99
user index (*USRIDX) auditing 497
user index (*USRIDX) object 19

user option (CHRIDCTL) parameter
user profile 97
user option (LOCALE) parameter
user profile 98
user option (SETJOBATR) parameter
user profile 97
user option (USROPT) parameter
*CLKWD (CL keyword) 97, 98
*EXPERT (expert) 97, 98, 147
*HLPFULL (help full screen) 98
*NOSTSMSG (no status message) 98
*PRTMSG (printing message) 98
*ROLLKEY (roll key) 98
*STSMSG (status message) 98
user profile 97, 98
USER parameter on job description 192
user permission
granting 287
commands 399
revoking 287
user portion
library list
controlling 215
description 193
recommendations 196
user profile
(gid) group identification number 99
(user identification number) 99
authority 76
authority 76
authority 77
authority 77
authority 77
accounting code (ACGCDE) 90
ACGCDE (accounting code) 90
action auditing (AUDLVL) 102
all numeric user ID 65
all object (*ALLOBJ) special
authority 76
analyzing
by special authorities 603
by user class 603
analyzing with query 277
assistance level (ASTLVL) 70
ASTLVL (assistance level) 70
program) 94
(ATNPGM) 94
audit (*AUDIT) special authority 78
audit level (AUDLVL)
*CMD (command string)
value 255
auditing
user profile (continued)

auditing (continued)
authorized users 277
AUDLVL (action auditing) 102
AUDLVL (audit level)
*CMD (command string)
value 255
AUT (authority) 100
authority
storing 237
authority (AUT) 100
CCSID (coded character set
identifier) 96
changing
entry 255
methods 109
password 285
values 45
name 67
checking for default password 599
CNTRYID (country or region
identifier) 96
(CCSID) 96
copying 107
countryor region identifier
(CNTRYID) 96
creating
entry 255
example description 105
methods 104
CURLIB (current library) 71
current library (CURLIB) 71
deleting
directory entry 110
message queue 110
spooled files 112
delivery (DLVRY) 92
description (TEXT) 75
DEV (print device) 93
displaying
individual 113
programs that adopt 138
sign-on information
(DSPSGNINF) 82
DLVRY (message queue delivery) 92
DOCPWD (document password) 91
document password (DOCPWD) 91
information) 82
enabling
sample program 112
exit points 116

group authority (GRPAUT) 88, 129,
131
(GRPAUTTYP) 89, 131
group identification number (gid
) 99
group profile (GRPPRF) 131
profile 237
description 87
GRPAUT (group authority) 88, 129,
131
type) 89, 131
GRPPRF (group profile) 131
profile 237
description 87
home directory (HOMEDIR) 100
HOMEDIR (home directory) 100
IBM-supplied
auditing 248
purpose 116
INLMNU (initial menu) 73
INLPGM (initial program) 72
introduction 4
job control (*JOBCTL) special
authority 76
job description (JOBD) 86
JOBD (job description) 86
KBDBUF (keyboard buffering) 83
keyboard buffering (KBDBUF) 83
LANGID (language identifier) 96
language identifier (LANGID) 96
large, examining 278
limit capabilities
auditing 250
description 73
library list 196
(LMTDEVSSN) 83
list of permanently active
changing 599
listing
all users 113
inactive 278
selected 278
users with command
capability 278
users with special authorities 278
listing all 113
LMTCPB (limit capabilities) 73, 196
LMTDEVSSN (limit device
sessions) 83
LOCALE (locale) 98
LOCALE (user options) 98
maximum storage (MAXSTG)
description 84
MAXSTG (maximum storage)
description 84
message queue (MSGQ) 91
Index
687

message queue delivery (DLVRY) 92
message queue severity (SEV) 92
MSGQ (message queue) 91
name (USRPRF) 65
naming 65
OBJAUD (object auditing) 101
object auditing (OBJAUD) 101
commands 436
object owner
deleting 129
output queue (OUTQ) 93
OUTQ (output queue) 93
owned object information 103
OWNER (owner of objects
created) 88, 129
owner (OWNER) 131
OWNER (owner) 131
owner of objects created
(OWNER) 88, 129
password 66
(PWDEXPITV) 82
performance
save and restore 103
primary group 112
print device (DEV) 93
printing
See listing
private authorities 103
PTYLMT (priority limit) 85
public authority (AUT) 100
expired) 68
interval) 82
related commands for working
with 287
renaming 114
restoring
entry 255
commands 235
procedures 237
restoring authority
entry 255
retrieving 116, 286
roles 63
save system (*SAVSYS) special
authority 77
saving 235
security administrator (*SECADM)
service (*SERVICE) special
authority 77
set job attribute (user options) 97
(PWDEXP) 68
SEV (message queue severity) 92
severity (SEV) 92
sort sequence (SRTSEQ) 95
SPCAUT (special authority) 75
SPCENV (special environment) 80
688

spool control (*SPLCTL) special
authority 77
SRTSEQ (sort sequence) 95
status (STATUS) 69
storing
authority 236, 237
groups) 89
supplemental groups
(SUPGRPPRF) 89
system configuration (*IOSYSCFG)
text (TEXT) 75
types of displays 114
types of reports 114
used in job description 16
user identification number( ) 99
user options (CHRIDCTL) 97
user options (LOCALE) 98
user options (SETJOBATR) 97
user options (USROPT) 97, 98
USRCLS (user class) 69
USROPT (user options) 97, 98
USRPRF (name) 65
user profile (*USRPRF) auditing 498
user profile change (CP) file layout 518
user profile change (CP) journal entry
type 255
user profile parameter
group identification number(gid) 99
user queue (*USRQ) auditing 499
user queue (*USRQ) object 19
user space (*USRSPC) auditing 499
user space (*USRSPC) object 19
user-defined (USER DEF) authority 147
USRCLS (user class) parameter
description 69
recommendations 70
USROPT (user option) parameter
*CLKWD (CL keyword) 97, 98
*EXPERT (expert) 97, 98, 147
*HLPFULL (help full screen) 98
*NOSTSMSG (no status message) 98
*PRTMSG (printing message) 98
*ROLLKEY (roll key) 98
*STSMSG (status message) 98
USROPT (user options) parameter
user profile 97, 98
USRPRF (name) parameter 65
utility
V
VA (access control list change) journal
entry type 255
layout 581
validating
restored programs 17
validating password 53
validation list
commands 439
validation list (*VLDL) auditing 499
validation list (VO) file layout 584
validation lists
Internet user 232
Validation Lists, Create 232
Validation Lists, Delete 232
validation program, password 53, 54, 55
validation value
definition 17
layout 582
VC (connection start or end) journal entry
type 255
verify object on restore (QVFYOBJRST)
system value 39
VF (close of server files) file layout 582
VFYCMN (Verify Communications)
command
profiles 299
VFYLNKLPDA (Verify Link supporting
LPDA-2) command
profiles 299
VFYLNKLPDA (Verify Link Supporting
LPDA-2) command
object auditing 474
VFYMSTK (Verify Master Key) command
profiles 299
VFYPIN (Verify Personal Identification
Number) command
profiles 299
VFYPRT (Verify Printer) command
profiles 299
VFYTAP (Verify Tape) command
profiles 299
VFYTCPCNN (Verify TCP/IP
Connection) command
viewing
virtual device
automatic configuration (QAUTOVRT
system value) 36
definition 36
virtual printer
securing 202
virus
detecting 252, 280, 286
scanning 280

layout 583
VL (account limit exceeded) journal entry
type 255
VM/MVS bridge (QGATE) user
profile 293
layout 583
VN (network log on or off) journal entry
type 255
layout 586
VP (network password error) journal
entry type 255
layout 586
VRYCFG (Vary Configuration) command
480
VS (server session) journal entry
type 255
layout 587
VU (network profile change) journal
entry type 255
layout 588
VV (service status change) journal entry
type 255
W
wireless LAN configuration
commands 341
Work with Authority (WRKAUT)
command 147, 284
(WRKAUTL) command 283
Work with Database Files Using IDDU
(WRKDBFIDD) command
Work with Directory (WRKDIRE)
command 288
Work with Journal (WRKJRN)
command 271, 277
Work with Journal Attributes
(WRKJRNA) command 271, 277
Work with Objects (WRKOBJ)
command 284
(WRKOBJOWN) command
auditing 250
description 284
using 151
display 110, 151
(WRKOBJPGP) command 130, 152
description 284
(WRKOUTQD) command 197
Work with Spooled Files (WRKSPLF)
command 197
Work with System Status (WRKSYSSTS)

command 204
Work with System Values (WRKSYSVAL)
command 248
Work with User Enrollment display 106
Work with User Profiles (WRKUSRPRF)
command 104, 286
Work with User Profiles display 105
working on behalf
auditing 475
working with
authority 284
authority holders 283, 288
directory 288
document library objects (DLO) 287
journal 277
journal attributes 271, 277
objects 284
objects by owner 284
objects by primary group 130, 284
output queue description 197
password 285
primary group 152
spooled files 197
system directory 288
system status 204
user auditing 115
user profiles 104, 286, 287
workstation
authority to sign-on 187
limiting user to one at a time 29
restricting access 248
securing 187
security officer access 29
workstation customizing object
commands 440
workstation entry
job description 192
sign on without user ID and
password 16
workstation user (QUSER) user
profile 293
writer
authority 76
commands 440
WRKACTJOB (Work with Active Jobs)
command
WRKALR (Work with Alerts) command
WRKALRD (Work with Alert
object auditing 446
WRKALRD (Work with Alert
WRKALRTBL (Work with Alert Table)
command
object auditing 446
WRKALRTBL (Work with Alert Tables)

command
WRKAUT (Work with Authority
Directory) command
WRKAUT (Work with Authority)
command 147
description 284
List) command
object auditing 447
Lists) command
description 283
WRKBNDDIR (Work with Binding
Directory) command
object auditing 448
WRKBNDDIRE (Work with Binding
object auditing 448
WRKCFGL (Work with Configuration
List) command
object auditing 448
WRKCFGL (Work with Configuration
Lists) command
WRKCFGSTS (Work with Configuration
Status) command
WRKCHTFMT (Work with Chart
Formats) command
WRKCLS (Work with Class) command
object auditing 450
WRKCLS (Work with Classes) command
WRKCMD (Work with Command)
command
object auditing 450
WRKCMD (Work with Commands)
command
WRKCMTDFN (Work with Commitment
Definition) command
WRKCNNL (Work with Connection Lists)
command
object auditing 451
WRKCNNLE (Work with Connection List
Entries) command
object auditing 451
WRKCNTINF (Work with Contact
profiles 299
WRKCOSD (Work with Class-of-Service
object auditing 452
Index
689
WRKCOSD (Work with Class-of-Service

Descriptions) command (continued)
WRKCRQD (Work with Change Request
WRKCRQD (Work with Change Request
object auditing 449
WRKCSI (Work with Communications
Side Information) command
object auditing 452
WRKCTLD (Work with Controller
object auditing 453
WRKDBFIDD (Work with Database Files
Using IDDU) command
WRKDDMF (Work with Distributed Data
Management Files) command
WRKDEVD (Work with Device
object auditing 454
WRKDEVTBL (Work with Device Tables)
command
profiles 299
WRKDIRE (Work with Directory Entry)
command
WRKDIRE (Work with Directory)
command
description 288
WRKDIRLOC (Work with Directory
Locations) command
WRKDIRSHD (Work with Directory
Shadow Systems) command
WRKDOC (Work with Documents)
command
object auditing 459
WRKDOCLIB (Work with Document
Libraries) command
object auditing 461
WRKDOCPRTQ (Work with Document
Print Queue) command
object auditing 462
WRKDPCQ (Work with DSNX/PC
Distribution Queues) command
profiles 299
WRKDSKSTS (Work with Disk Status)
command
WRKDSTL (Work with Distribution Lists)
command
690
WRKDSTQ (Work with Distribution

Queue) command
profiles 299
WRKDTAARA (Work with Data Areas)
command
object auditing 462
WRKDTADCT (Work with Data
Dictionaries) command
WRKDTADFN (Work with Data
Definitions) command
WRKDTAQ (Work with Data Queues)
command
object auditing 463
WRKEDTD (Work with Edit
object auditing 463
WRKENVVAR (Work with Environment
Variable) command
WRKF (Work with Files) command
object auditing 467
WRKFCNARA (Work with Functional
Areas) command
WRKFCT (Work with Forms Control
Table) command
WRKFLR (Work with Folders) command
WRKFNTRSC (Work with Font
Resources) command
object auditing 467
WRKFORMDF (Work with Form
object auditing 468
WRKFSTAF (Work with FFST Alert
Feature) command
WRKFSTPCT (Work with FFST Probe
Control Table) command
WRKFTR (Work with Filters) command
object auditing 468
WRKFTRACNE (Work with Filter Action
Entries) command
WRKFTRSLTE (Work with Filter Selection
Entries) command
WRKGRPPDM (Work with Group Using
PDM) command
WRKGSS (Work with Graphics Symbol

Sets) command
object auditing 469
WRKHDWRSC (Work with Hardware
Resources) command
WRKHLDOPTF (Work with Help Optical
Files) command
WRKIPXD 368
WRKJOB (Work with Job) command
WRKJOBD (Work with Job Descriptions)
command
object auditing 470
WRKJOBQ (Work with Job Queue)
command
object auditing 471
WRKJOBSCDE (Work with Job Schedule
Entries) command
object auditing 471
WRKJRN (Work with Journal) command
profiles 299
object auditing 473
using 271, 277
WRKJRNA (Work with Journal
Attributes) command
object auditing 473
using 271, 277
WRKJRNRCV (Work with Journal
Receivers) command
object auditing 473
WRKLANADPT (Work with LAN
Adapters) command
WRKLIB (Work with Libraries) command
WRKLIBPDM (Work with Libraries Using
PDM) command
WRKLICINF (Work with License
profiles 299
WRKLIND (Work with Line Descriptions)
command
object auditing 475
WRKLNK (Work with Links) command
494, 495, 496
WRKMBRPDM (Work with Members
Using PDM) command
WRKMNU (Work with Menus) command
object auditing 476
WRKMOD (Work with Module)

command
WRKMOD (Work with Modules)
command
object auditing 477
WRKMODD (Work with Mode
object auditing 476
WRKMSG (Work with Messages)
command
object auditing 478
WRKMSGD (Work with Message
object auditing 477
WRKMSGF (Work with Message Files)
command
object auditing 477
WRKMSGQ (Work with Message
Queues) command
object auditing 478
WRKNAMSMTP (Work with Names for
SMTP) command
WRKNETF (Work with Network Files)
command
WRKNETJOBE (Work with Network Job
Entries) command
WRKNETTBLE (Work with Network
Table Entries) command
WRKNODL (Work with Node List)
command
object auditing 479
WRKNODLE (Work with Node List
Entries) command
object auditing 479
WRKNTBD (Work with NetBIOS
object auditing 479
WRKNWID (Work with Network
Interface Description Command)
command
WRKNWID (Work with Network
Interface Description) command
object auditing 480
WRKNWSALS (Work with Network
Server Alias) command
WRKNWSD (Work with Network Server
object auditing 480
WRKNWSENR (Work with Network
Server User Enrollment) command
WRKNWSSSN (Work with Network

Server Session) command
WRKNWSSTG (Work with Network
Server Storage Space) command
WRKNWSSTS (Work with Network
Server Status) command
WRKOBJ (Work with Objects) command
description 284
WRKOBJCSP (Work with Objects for
CSP/AE) command
WRKOBJLCK (Work with Object Lock)
command
object auditing 446
WRKOBJLCK (Work with Object Locks)
command
WRKOBJOWN (Work with Objects by
Owner) command
auditing 250
description 284
using 151
WRKOBJPDM (Work with Objects Using
PDM) command
Primary Group) command 130, 152
Primary) command
description 284
WRKOPTDIR (Work with Optical
Directories) command
WRKOPTF (Work with Optical Files)
command
WRKOPTVOL (Work with Optical
Volumes) command
WRKORDINF (Work with Order
profiles 299
WRKOUTQ (Work with Output Queue)
command
object auditing 481
WRKOUTQD (Work with Output Queue
object auditing 481
security parameters 197
WRKOVL (Work with Overlays)
command
object auditing 482
WRKPAGDFN (Work with Page
object auditing 482
WRKPAGDFN (Work with Page

Definitions) command (continued)
WRKPAGSEG (Work with Page
Segments) command
object auditing 482
WRKPARTPDM (Work with Parts Using
PDM) command
WRKPCLTBLE (Work with Protocol Table
Entries) command
WRKPDG (Work with Print Descriptor
Group) command
object auditing 482
WRKPDGPRF (Work with Print
Descriptor Group Profile) command
WRKPEXDFN command
profiles 299
WRKPEXFTR command
profiles 299
WRKPFCST (Work with Physical File
object auditing 467
WRKPGM (Work with Programs)
command
object auditing 484
WRKPGMTBL (Work with Program
Tables) command
profiles 299
WRKPNLGRP (Work with Panel Groups)
command
object auditing 484
WRKPRB (Work with Problem) command
profiles 299
WRKPRJPDM (Work with Project Using
PDM) command
WRKPTFGRP (Work with Program
Temporary Fix Groups) 299
WRKPTFGRP (Work with PTF Group)
command
WRKQMFORM (Work with Query
object auditing 485
WRKQMQRY (Work with Query
Management Query) command
WRKQRY (Work with Query) command
WRKQST (Work with Questions)
command
Index
691
WRKRDBDIRE (Work with Relational

Database Directory Entries) command
WRKREGINF (Work with Registration
object auditing 464
WRKREGINF (Work with Registration)
command
WRKRJESSN (Work with RJE Session)
command
WRKRPYLE (Work with System Reply
List Entries) command
object auditing 487
WRKS36PGMA (Work with System/36
Program Attributes) command
object auditing 483
WRKS36PRCA (Work with System/36
Procedure Attributes) command
object auditing 467
WRKS36SRCA (Work with System/36
Source Attributes) command
object auditing 467
WRKSBMJOB (Work with Submitted
Jobs) command
WRKSBS (Work with Subsystems)
command
object auditing 488
WRKSBSD (Work with Subsystem
object auditing 488
WRKSBSJOB (Work with Subsystem Jobs)
command
object auditing 488
WRKSCHIDX (Work with Search
Indexes) command
object auditing 489
WRKSCHIDXE (Work with Search Index
Entries) command
object auditing 489
WRKSHRPOOL (Work with Shared
Storage Pools) command
WRKSOC (Work with Sphere of Control)
command
WRKSPADCT (Work with Spelling Aid
Dictionaries) command
WRKSPLF (Work with Spooled Files)
command 197
object auditing 481
WRKSPLFA (Work with Spooled File
Attributes) command
object auditing 481
692
WRKSPTPRD (Work with Supported

Products) command
object auditing 484
WRKSRVPGM (Work with Service
Programs) command
object auditing 493
WRKSRVPVD (Work with Service
Providers) command
profiles 299
WRKSRVTBLE (Work with Service Table
Entries) command
WRKSSND (Work with Session
WRKSYSACT (Work with System
Activity) command
WRKSYSSTS (Work with System Status)
command 204
WRKSYSVAL (Work with System Values)
command
using 248
WRKTAPCTG (Work with Tape
Cartridge) command
WRKTBL (Work with Tables) command
object auditing 497
WRKTCPSTS (Work with TCP/IP
Network Status) command
WRKTXTIDX (Work with Text Index)
command
profiles 299
WRKUSRJOB (Work with User Jobs)
command
WRKUSRPRF (Work with User Profiles)
command
description 286
object auditing 499
using 104
WRKUSRTBL (Work with User Tables)
command
profiles 299
WRKWTR (Work with Writers) command
X
layout 589
Y
layout 593
YR (read of DLO object) file layout
593
Z
Readers Comments Wed Like to Hear from You

iSeries
Security Reference
Version 5
Publication No. SC41-5302-06
Overall, how satisfied are you with the information in this book?
Overall satisfaction
Very Satisfied
Satisfied
Neutral
Dissatisfied
Very
Dissatisfied
h
How satisfied are you that the information in this book is:
Accurate
Complete
Easy to find
Easy to understand
Well organized
Applicable to your tasks
Very Satisfied
Satisfied
Neutral
Dissatisfied
h
h
h
h
h
h
h
h
h
h
h
h
h
h
h
h
h
h
h
h
h
h
h
h
Very
Dissatisfied
h
h
h
h
h
h
Please tell us how we can improve this book:
Thank you for your responses. May we contact you?
h Yes
h No
When you send comments to IBM, you grant IBM a nonexclusive right to use or distribute your comments in any
way it believes appropriate without incurring any obligation to you.
Name
Company or Organization
Phone No.
Address
SC41-5302-06
___________________________________________________________________________________________________
Readers Comments Wed Like to Hear from You
Cut or Fold
Along Line
_ _ _ _ _ _ _Fold
_ _ _and
_ _ _Tape
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _Please
_ _ _ _ _do
_ _not
_ _ staple
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _Fold
_ _ _and
_ _ Tape
______
NO POSTAGE
NECESSARY
IF MAILED IN THE
UNITED STATES
BUSINESS REPLY MAIL

FIRST-CLASS MAIL PERMIT NO. 40 ARMONK, NEW YORK
POSTAGE WILL BE PAID BY ADDRESSEE
IBM CORPORATION
ATTN DEPT 542 IDCLERK
3605 HWY 52 N
ROCHESTER MN 55901-7829
_________________________________________________________________________________________
Fold and Tape
Please do not staple
Fold and Tape
SC41-5302-06
Cut or Fold
Along Line

Printed in U.S.A.
SC41-5302-06

IBM Security

Uploaded by

Copyright:

Available Formats

IBM Security

Uploaded by

Document Information

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

IBM Security

Uploaded by

Copyright:

Available Formats

Seventh Edition (September 2002)

| Whats new for V5R2 . . . . . . . . xix

Chapter 1. Introduction to iSeries

Chapter 2. Using System Security

Chapter 3. Security System Values. . . 23

General Security System Values. . . . . . . .

Chapter 4. User Profiles . . . . . . . 63

Roles of the User Profile . . . . . . . .

OS/400 Security Reference V5R2

Deleting User Profiles . . . . . .

Chapter 5. Resource Security . . . . 119

Chapter 6. Work Management Security 185

Changing the signon screen display . . . . .

Chapter 7. Designing Security . . . . 207

Comparison of Group Profiles and Authorization

Chapter 8. Backup and Recovery of

Chapter 9. Auditing Security on the

Appendix A. Security Commands . . . 283

| Appendix C. Commands Shipped with

Appendix D. Authority Required for

OS/400 Security Reference V5R2

Journal Receiver Commands . . . . . . .

Validation List Commands . . . . .

Appendix E. Object Operations and

Related information. . . . . . . . . 615

Appendix H. Notices . . . . . . . . 611

OS/400 Security Reference V5R2

Password Expiration Message . . . . . . 68

Copyright IBM Corp. 1996, 2002

Flowchart 5: Fast Path for User Authority

OS/400 Security Reference V5R2

1. Security Levels: Function Comparison . . . . 9

Copyright IBM Corp. 1996, 2002

31. Possible Values for the QPWDRQDDIF System

Possible Values for OWNER: . . . . . .

124. Related User Profile Commands . . . . .

172. ND (APPN Directory Search Filter) Journal

198. SO (Server Security User Information Actions)

OS/400 Security Reference V5R2

About Security - Reference (SC41-5302)

Who should read this book

Conventions and terminology used in this book

Prerequisite and related information

v On CD-ROM: SK3T409000, iSeries Information Center. This package also

How to send your comments

OS/400 Security Reference V5R2

About Security - Reference (SC41-5302)

OS/400 Security Reference V5R2

Whats new for V5R2

System service tools (SST)

Audit file enhancements

Independent Disk Pool (IASP) security considerations

Copyright IBM Corp. 1996, 2002

New values for QFRCCVNRST system value

Allow change of security related system values

Finding commonly-used topics:

OS/400 Security Reference V5R2

Chapter 1. Introduction to iSeries Security

OS/400 Security Reference V5R2

How many sign-on attempts you allow at a device.