IBM i Authority Adoption in Programs – Good or Bad?

By NickLitten

April 4, 2024

In the IBM i environment, you can encounter situations where different users require varying levels of authority to access objects or applications.

IBM i authority settings can seem a little daunting to new admins, but they are grounded in decades of real-world usage and were so well designed that they really have changed very little.

These same authority rules worked on the IBM iSeries and AS400 systems 30 years ago.

A quick overview:

IBM i authority refers to the permissions and privileges granted to users and applications within the IBM® i operating system. Let’s delve into this topic:

  1. Authority Collection:
    • Authority collection is a built-in capability provided by the base operating system. It captures data associated with runtime authority checking in IBM i.
    • When an application runs, the system checks whether the user or program has the necessary authority to perform specific actions (such as reading, writing, or executing).
    • The collected data helps security administrators and application providers secure objects (files, programs, etc.) with the minimum required authority for successful operation.
    • By analyzing this data, excess authority can be identified and removed, enhancing overall security.
    • For example, some applications grant excessive authority to objects, even beyond what’s necessary. The public authority (*PUBLIC) might be set higher than needed, posing security risks.
  2. Object Authority:
    • In IBM i, various types of authority can be granted to users for files (objects).
    • SQL GRANT and REVOKE statements allow assigning and removing authorities to SQL tables and individual columns within those tables.
    • Object authority determines what actions a user can perform on an object (e.g., read, write, delete).
    • It’s essential to manage authorities carefully to prevent unauthorized access and maintain data integrity.

Remember, understanding and managing authorities play a crucial role in maintaining a secure and well-functioning IBM i system.

Using PGM *OWNER to elevate Authority Rights

For instance, a user might need to modify customer information when using specific application programs, but only view that information when using a decision support tool like SQL.

To address this, adopted authority comes into play. Let me explain:

  1. Adopted Authority:
    • When an object (such as a program) uses the owner’s authority, it’s referred to as adopted authority.
    • Objects of types PGM, SRVPGM, and SQLPKG can adopt authority.
    • When you create a program, you specify a user profile (USRPRF) parameter on the CRTxxxPGM command. This parameter determines whether the program uses the authority of the program’s owner in addition to the authority of the user running the program.
    • Adopted authority is added to any other authority found for the user.
    • It is checked only if the user’s existing authority to an object is insufficient for the requested operation.
    • The special authorities (such as ALLOBJ) in the owner’s profile are used.
    • If the owner profile is a member of a group profile, the group’s authority is not used for adopted authority.
    • Public authority is not used for adopted authority.
    • For example, if a user has only *USE authority to a customer file, a program that adopts its owner’s authority can modify the file on the user’s behalf, while the same user querying the file directly with SQL can only read it.
  2. Active Duration of Adopted Authority:
    • Adopted authority remains active as long as the program using it remains in the call stack.
    • For instance, if program A (PGMA) uses adopted authority and calls program B (PGMB), PGMB will also use the adopted authority of PGMA.
    • However, once PGMA is removed from the call stack, PGMB no longer has access to the adopted authority.
  3. Security Considerations:
    • While adopted authority provides flexibility, it’s essential to consider security implications.
    • The USEADPAUT parameter can be used to control adopted authority behavior when using SQL packages.

Adopted authority allows programs to leverage the owner’s authority, but it’s crucial to strike a balance between flexibility and security.

If you need to find programs that adopt a specific user profile, you can explore tools like DSPPGMADP or APIs like QCLRPGMI to retrieve program information.

  • Hello Nick
    I am a follower of your posts, thank you for sharing such good knowledge.
    You can use the following IBM i service to find out which programs adopt authorization: QSYS2.PROGRAM_INFO.
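As an added example (not code from the post or from the comment above), here is a Db2 for i query against the QSYS2.PROGRAM_INFO service the comment mentions, joined with QSYS2.USER_INFO, that lists every program in a library created with USRPRF(*OWNER), its USEADPAUT setting, and the owner’s special authorities, so adopting programs whose owner holds *ALLOBJ stand out for review. The library name MYAPPLIB is a placeholder.

```sql
-- Added example: audit programs that adopt their owner's authority.
-- MYAPPLIB is a placeholder; replace it with the library to review.
SELECT p.PROGRAM_LIBRARY,
       p.PROGRAM_NAME,
       p.OBJECT_TYPE,                 -- *PGM or *SRVPGM
       p.PROGRAM_OWNER,               -- profile whose authority is adopted
       p.USER_PROFILE,                -- *OWNER = USRPRF(*OWNER), program adopts
       p.USE_ADOPTED_AUTHORITY,       -- *YES = also keeps adopted authority from callers
       u.SPECIAL_AUTHORITIES,         -- e.g. '*ALLOBJ *SECADM'
       CASE
         WHEN u.SPECIAL_AUTHORITIES LIKE '%*ALLOBJ%'
              THEN 'HIGH: owner has *ALLOBJ, adopting program grants it to every caller'
         WHEN p.USE_ADOPTED_AUTHORITY = '*YES'
              THEN 'MEDIUM: adopts and also propagates adopted authority from the call stack'
         ELSE 'REVIEW: adopts owner authority only'
       END AS RISK_NOTE
  FROM QSYS2.PROGRAM_INFO p
  LEFT JOIN QSYS2.USER_INFO u
         ON u.AUTHORIZATION_NAME = p.PROGRAM_OWNER
 WHERE p.PROGRAM_LIBRARY = 'MYAPPLIB'
   AND p.USER_PROFILE = '*OWNER'
 ORDER BY RISK_NOTE, p.PROGRAM_NAME;
```

Rows marked HIGH are the ones to re-examine first: changing the program’s owner to a restricted application profile (or setting USEADPAUT(*NO) on programs it calls) limits how far the adopted authority reaches.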
