Test Your IBM i Security Knowledge

Several of the magazines that I read publish a knowledge test each month. That, combined with the questions I receive on a regular basis, made me think that you may enjoy an IBM i security quiz.

By Carol Woodbury

Do you think you have a solid grasp of IBM i security concepts? Take this short test and find out how much you really know. The answers are at the end of this article.

#1: What special characters are allowed in a password at password level 0 and 1?

A. Any special character

B. No special characters

C. Ampersand (&) and question mark (?)

D. Pound (#), dollar ($), underline (_), at (@)

#2: What authority is required to change a user profile?

A. *SECADM special authority and *USE to the profile

B. *SECADM special authority

C. *ALLOBJ special authority

D. *SECADM and *ALLOBJ special authorities

#3: What authority is required to create a file share?

A. *ALLOBJ special authority

B. Ownership of the directory

C. *ALL authority to the directory

D. Ownership or *IOSYSCFG special authority

#4: True or false? You need *SAVSYS special authority to save an object.

#5: True or false? No authority checking is performed at security level (QSECURITY) 20.

#6: A profile can be a member of how many group profiles?

A. 1

B. 2

C. 8

D. 16

#7: True or false? A group can be a member of another group.

#8: What's the value of the QSECURITY system value as shipped by IBM?

A. 10

B. 30

C. 40

D. 60

#9: True or false? If you grant a user with *ALLOBJ special authority a private authority of *EXCLUDE, the user will not be able to access the object.

#10: What is saved when the Save Security Data (SAVSECDTA) command is run?

A. User profiles

B. Private authorities

C. Private authorities and user profiles

D. Private authorities, user profiles, and authorization lists

#11: True or false? QSECOFR and the QSECOFR service ID are two separate entities.

#12: True or false? The User profile attribute of a program is what configures a program to adopt its owner's authority.

#13: True or false? You can secure a user profile with an authorization list.

#14: *IOSYSCFG special authority allows you to:

A. Work with user profiles

B. Create file shares

C. Configure output queues

D. Create job descriptions

#15: What system value can be used to prevent default passwords?





Answer Key

#1: Answer: D

#2: Answer: A. You may think that D is also correct. While that authority combination would allow you to change a profile, *ALLOBJ is not required; only *USE authority to the profile is required.

#3: Answer: The combination of A and D is correct. You need to own the directory and have *ALLOBJ or *IOSYSCFG authority to create a file share.

#4: Answer: False. As long as you have *OBJEXIST to the object, you can save it.

#5: Answer: False. The same authority-checking algorithm is in effect at all security levels. But since all profiles are created with *ALLOBJ special authority, it appears that no authority checking is performed. And since the authority-checking algorithm is run at all security levels, if you re-work your security configuration, you can test it by removing profiles' *ALLOBJ prior to changing the security level and IPLing the system.

#6: Answer: D

#7: Answer: False. Attempting to make a group a member of another group will fail.

#8: Answer: C

#9: Answer: False. The security-checking algorithm first checks to see if the user has *ALLOBJ. If the user does, access is granted because the private authority is not checked.

#10: Answer: D

#11: Answer: True. The QSECOFR user profile is not the same entity as the QSECOFR service ID that is used to sign in to Dedicated Service Tools (DST) or System Service Tools (STRSST).

#12: Answer: True. You may think it's the Use adopted authority attribute that makes the program adopt, but that attribute determines whether the program will use adopted authority from programs higher in the call stack.

#13: Answer: False

#14: Answer: B

#15: Answer: A. Specifying *LMTPRFNAME and *ALLCRTCHG (available starting in V7R2) prevents profiles from being created or changed to have a default password. And once you put one password rule in place, the operating system prevents end users from setting their password to a default password.


I hope that you've enjoyed this quiz. If you didn't get them all correct, then maybe you've learned some new facts about IBM i security.