10
Sun, Nov
10 New Articles

Get a Handle on Object Authorities with the LSTOBJ

IBM i (OS/400, i5/OS)
Typography
  • Smaller Small Medium Big Bigger
  • Default Helvetica Segoe Georgia Times

This authorization analysis report is your ticket to easier security management.

Securing AS/400 objects is easy, versatile and sophisticated. You can authorize individual users to individual objects, specifying what operations can be performed on the object. The trouble is that it is difficult to visualize the authorities you have been maintaining, since OS/400 provides no utility tools for listing object authorities in an easy-to-use format. If you're thinking about the Display Object Authority (DSPOBJAUT) command, think again-you must run it separately for each object you want to check.

The LSTOBJAUT Command

This omission is easily resolved by creating a new command, the List Object Authority (LSTOBJAUT) command. The LSTOBJAUT command accepts a generic object name, or even *ALL, for a particular library; you can also specify an object type or *ALL. This is an enormous advantage when you're checking the authorities (and ownerships!) of many objects in the same library.

LSTOBJAUT can send the output to the printer or the display station. 1 shows what this listing looks like on paper. As you can see, the authorities for each user and each object are broken down in full detail. If an object is protected by an authorization list, the authorization list's authorities are listed immediately underneath. When an object is an authorization list, the report indicates the user(s) with authorization list management authority by placing an "X" under the Auth List Mgmt subheading. In the listing provided, object RSC001CL is protected by authorization list XYZ; the report then "explodes" the authorities contained in authorization list XYZ. This automatic explosion is highlighted in 1.

LSTOBJAUT can send the output to the printer or the display station. Figure 1 shows what this listing looks like on paper. As you can see, the authorities for each user and each object are broken down in full detail. If an object is protected by an authorization list, the authorization list's authorities are listed immediately underneath. When an object is an authorization list, the report indicates the user(s) with authorization list management authority by placing an "X" under the Auth List Mgmt subheading. In the listing provided, object RSC001CL is protected by authorization list XYZ; the report then "explodes" the authorities contained in authorization list XYZ. This automatic explosion is highlighted in Figure 1.

Using LSTOBJAUT

Take another look at 1. Notice that user MALERN has *EXCLUDE authority to program RSC001CL. The program is secured by an authorization list, and in it user MALERN has *USE authority. The net result is that MALERN has *EXCLUDE authority since authorities assigned directly to the user profile override all others (such as group profiles and authorization lists).

Take another look at Figure 1. Notice that user MALERN has *EXCLUDE authority to program RSC001CL. The program is secured by an authorization list, and in it user MALERN has *USE authority. The net result is that MALERN has *EXCLUDE authority since authorities assigned directly to the user profile override all others (such as group profiles and authorization lists).

Also notice that, although the public enjoys *CHANGE authority, user SHARIC has more authority than that through the authorization list. SHARIC's authority is shown as "USER DEF," meaning that you must refer to the detail section. In this particular case, SHARIC can perform almost all operations on the object except those that require object existence authorization. As a result, SHARIC cannot delete program RSC001CL.

What if you want to save these objects on tape to restore them on another system? The fact that program RSC001CL is protected by authorization list XYZ may give you grief unless you create the same authorization list in the new system before restoring the objects. And notice that program RSC001RG is owned by user KRUAND, while all other objects are owned by QPGMR.

1 shows all objects in library PRODLIB. If you want to restore this library on a different system, you have to create authorization list XYZ in the new system, exactly as it is in yours, and either change program RSC001RG's owner to QPGMR or make sure that KRUAND's user profile exists on the target system.

Figure 1 shows all objects in library PRODLIB. If you want to restore this library on a different system, you have to create authorization list XYZ in the new system, exactly as it is in yours, and either change program RSC001RG's owner to QPGMR or make sure that KRUAND's user profile exists on the target system.

Here's How It Works

After the user runs the LSTOBJAUT command (2), its parameters are passed to program OBJ010CL (3). If the command was requested in batch mode, OUTPUT(*PRINT) is forced.

After the user runs the LSTOBJAUT command (Figure 2), its parameters are passed to program OBJ010CL (Figure 3). If the command was requested in batch mode, OUTPUT(*PRINT) is forced.

Next, the DSPOBJD command creates an outfile (QADSPOBJ in QTEMP) which has one record per object you requested to list. So, if you entered a specific object name in the command's OBJ parameter, QADSPOBJ will have one record. If you entered a generic name or *ALL, QADSPOBJ will most likely contain more than one record.

Each record of QADSPOBJ is read in turn. For each record, we run DSPOBJAUT to outfile QAOBJAUT in QTEMP, which creates records with the authorities for each user who is authorized to the object.

A call to program OBJ010CLA (4) follows immediately; this program reads the last record written to QAOBJAUT to determine if the object just processed is protected by an authorization list. If it is, it runs DSPAUTL to the same outfile to add the detail from the authorization list.

A call to program OBJ010CLA (Figure 4) follows immediately; this program reads the last record written to QAOBJAUT to determine if the object just processed is protected by an authorization list. If it is, it runs DSPAUTL to the same outfile to add the detail from the authorization list.

Finally, we print the report by calling program OBJ010RG (5), which always sends the output to printer file OBJ010P1 (6). If the user requested OUTPUT(*), the spooled file is displayed with the DSPSPLF command and then immediately deleted with DLTSPLF.

Finally, we print the report by calling program OBJ010RG (Figure 5), which always sends the output to printer file OBJ010P1 (Figure 6). If the user requested OUTPUT(*), the spooled file is displayed with the DSPSPLF command and then immediately deleted with DLTSPLF.

The Whole Picture

Even though LSTOBJAUT presents a better picture than DSPOBJAUT, it is not yet complete. Users may have authority to objects based on their group profiles. Consider the possibility of improving on LSTOBJAUT so it "explodes" each group profile, listing its members.

Another possible enhancement to LSTOBJAUT could involve writing a second report for management which would resolve multiple authorizations (e.g., user MALERN's seemingly conflicting *USE and *EXCLUDE authorizations to a single object) and show only the final result. By incorporating these few suggestions and perhaps coming up with some refinements of your own, the LSTOBJAUT command could become exactly the comprehensive, definitive guide you need to organized maintenance of authorities.

PRIVATE AUTHORITIES EXPLAINED Users can be authorized to objects at different levels. When you run the LSTOBJAUT command, the system uses the following codes:

Users can be authorized to objects at different levels. When you run the LSTOBJAUT command, the system uses the following codes:

Exist: Authority to control the existence or ownership of the object.

Mgmt: Authority to specify authority, to move or rename the object, or to add members to a database file.

Oper: Authority to look at the object's attributes and to use the object as specified by the data authorities (Read, Add, Upd and Dlt) described immediately below.

Read: Authority to read the object (access its contents without change).

Add: Authority to add entries (records) to the object.

Upd: Authority to change existing entries (records) in the object.

Dlt: Authority to remove entries (records) from the object.

Auth List Authority to maintain other users' authorities in the Mgmt: authorization list.(for authorization list objects only)


Get a Handle on Object Authorities with the LSTOBJ

Figure 1 Sample run of LSTOBJAUT (unable to display)


Get a Handle on Object Authorities with the LSTOBJ

Figure 2 Command LSTOBJAUT

 LSTOBJAUT: CMD PROMPT('List Object Authorities') PARM KWD(OBJ) TYPE(Q1) MIN(1) PROMPT('Object name') PARM KWD(OBJTYPE) TYPE(*CHAR) LEN(8) RSTD(*YES) + DFT(*ALL) VALUES(*ALL *ALRTBL *AUTL *CFGL + *CHTFMT *CLD *CLS *CMD *COSD *CSPMAP + *CSPTBL *CTLD *DEVD *DOC *DTAARA *DTADCT + *DTAQ *EDTD *FCT *FILE *FLR *FNTRSC + *FORMDF *GSS *JOBD *JOBQ *JRN *JRNRCV + *LIB *LIND *MENU *MODD *MSGF *MSGQ *OUTQ + *OVL *PAGSEG *PDG *PGM *PNLGRP *PRDAVL + *PRDDFN *PRDLOD *QMFORM *QMQRY *QRYDFN + *RCT *SBSD *SCHIDX *SPADCT *SSND *S36 + *TBL *USRIDX *USRPRF *USRQ *USRSPC) + PROMPT('Object type') PARM KWD(OUTPUT) TYPE(*CHAR) LEN(6) RSTD(*YES) + DFT(*) VALUES(* *PRINT) PROMPT('Output') Q1: QUAL TYPE(*GENERIC) LEN(10) SPCVAL((*ALL)) MIN(1) QUAL TYPE(*NAME) LEN(10) DFT(*CURLIB) + SPCVAL((*CURLIB)) PROMPT('Library') 
Get a Handle on Object Authorities with the LSTOBJ

Figure 3 CL program OBJ010CL

 OBJ010CL: + PGM PARM(&QOBJ &OBJTYPE &OUTPUT) DCL VAR(&JOBTYPE) TYPE(*CHAR) LEN(1) DCL VAR(&LIB) TYPE(*CHAR) LEN(10) DCL VAR(&MSGDTA) TYPE(*CHAR) LEN(80) DCL VAR(&MSGF) TYPE(*CHAR) LEN(10) DCL VAR(&MSGFLIB) TYPE(*CHAR) LEN(10) DCL VAR(&MSGID) TYPE(*CHAR) LEN(7) DCL VAR(&OBJ) TYPE(*CHAR) LEN(10) DCL VAR(&OBJTYPE) TYPE(*CHAR) LEN(8) DCL VAR(&OUTPUT) TYPE(*CHAR) LEN(6) DCL VAR(&QOBJ) TYPE(*CHAR) LEN(20) DCLF FILE(QADSPOBJ) MONMSG MSGID(CPF0000) EXEC(GOTO CMDLBL(SNDERRMSG)) /* Break qualified name */ CHGVAR VAR(&OBJ) VALUE(%SST(&QOBJ 1 10)) CHGVAR VAR(&LIB) VALUE(%SST(&QOBJ 11 10)) /* Force OUTPUT(*PRINT) if running job in batch mode */ RTVJOBA TYPE(&JOBTYPE) IF COND(&JOBTYPE *EQ '0') THEN(CHGVAR VAR(&OUTPUT) VALUE('*PRINT')) /* Get names of all objects to be listed */ DSPOBJD OBJ(&LIB/&OBJ) OBJTYPE(&OBJTYPE) OUTPUT(*OUTFILE) + OUTFILE(QTEMP/QADSPOBJ) OVRDBF FILE(QADSPOBJ) TOFILE(QTEMP/QADSPOBJ) /* For each object run DSPOBJAUT to outfile */ LOOP: + RCVF MONMSG MSGID(CPF0864) EXEC(GOTO CMDLBL(ENDLOOP)) DSPOBJAUT OBJ(&ODLBNM/&ODOBNM) OBJTYPE(&ODOBTP) OUTPUT(*OUTFILE) + OUTFILE(QTEMP/QAOBJAUT) OUTMBR(*FIRST *ADD) /* Explode authorization list if necessary */ CALL PGM(OBJ010CLA) GOTO CMDLBL(LOOP) /* Print report */ ENDLOOP: + OVRDBF FILE(QAOBJAUT) TOFILE(QTEMP/QAOBJAUT) IF COND(&OUTPUT *EQ '*') THEN(OVRPRTF FILE(OBJ010P1) HOLD(*YES)) CALL PGM(OBJ010RG) IF COND(&OUTPUT *EQ '*') THEN(DO) DSPSPLF FILE(OBJ010P1) JOB(*) SPLNBR(*LAST) DLTSPLF FILE(OBJ010P1) JOB(*) SPLNBR(*LAST) ENDDO DLTOVR FILE(*ALL) CLRPFM FILE(QTEMP/QAOBJAUT) RETURN SNDERRMSG: + RCVMSG MSGTYPE(*EXCP) MSGDTA(&MSGDTA) MSGID(&MSGID) MSGF(&MSGF) + MSGFLIB(&MSGFLIB) SNDPGMMSG MSGID(&MSGID) MSGF(&MSGFLIB/&MSGF) MSGDTA(&MSGDTA) + MSGTYPE(*ESCAPE) ENDPGM 
Get a Handle on Object Authorities with the LSTOBJ

Figure 4 CL program OBJ010CLA

 OBJ010CLA: + PGM DCL VAR(&RRN) TYPE(*DEC) LEN(10 0) DCLF FILE(QAOBJAUT) /* Read last record in the file */ RTVMBRD FILE(QTEMP/QAOBJAUT) NBRCURRCD(&RRN) OVRDBF FILE(QAOBJAUT) TOFILE(QTEMP/QAOBJAUT) POSITION(*RRN &RRN) RCVF /* If object protected by authorization list, display + authorization list to same outfile */ IF COND(&OAANAM *NE '*NONE') THEN(DSPAUTL AUTL(&OAANAM) + OUTPUT(*OUTFILE) OUTFILE(QTEMP/QAOBJAUT) OUTMBR(*FIRST *ADD)) DLTOVR FILE(*ALL) ENDPGM 
Get a Handle on Object Authorities with the LSTOBJ

Figure 5 RPG program OBJ010RG

 FQAOBJAUTIP E DISK FOBJ010P1O E 99 PRINTER * IQSYDSAUT I OALIB L1 I OANAMEL1 I OATYPEL1 * C *IN99 IFEQ *ON C WRITEHEADER C MOVE *OFF *IN99 C END * C *INL1 IFEQ *ON C WRITENEWOBJ C END * C WRITEOBJAUT * CL1 WRITESPACE * C *INZSR BEGSR C WRITEHEADER C ENDSR 
Get a Handle on Object Authorities with the LSTOBJ

Figure 6 Printer file OBJ010P1

 A REF(QAOBJAUT) * A R HEADER SKIPB(3) A 1DATE EDTCDE(Y) A 11TIME EDTWRD('0 : : ') A 55'List Object Authorities' A 112'LSTOBJAUT - Page' A 129PAGNBR EDTCDE(3) A SPACEA(2) A 47'Authoriz' A 59'User' A 71'User' A 83'*-------------Detail--------------- A ---*' A 124'Auth List' A SPACEA(1) A 1'Object' A 13'Library' A 25'Type' A 35'Owner' A 49'List' A 59'Profile' A 71'Authority' A 83'Oper' A 89'Mgmt' A 95'Exist' A 102'Read' A 108'Add' A 113'Upd' A 118'Dlt' A 127'Mgmt' A SPACEA(2) * A R NEWOBJ SPACEA(0) A OANAME R O 1 A OALIB R O 13 A OATYPE R O 25 A OAOWN R O 35 A OAANAM R O 47 * A R OBJAUT SPACEA(1) A OAUSR R O 59 A OAOBJA R O 71 A OAOPR R O 84 A OAOMGT R O 90 A OAEXS R O 97 A OAREAD R O 103 A OAADD R O 109 A OAUPD R O 114 A OADLT R O 119 A OAAMGT R O 129 * A R SPACE SPACEA(2) A 1' ' 
BLOG COMMENTS POWERED BY DISQUS

LATEST COMMENTS

Support MC Press Online

$

Book Reviews

Resource Center

  • SB Profound WC 5536 Have you been wondering about Node.js? Our free Node.js Webinar Series takes you from total beginner to creating a fully-functional IBM i Node.js business application. You can find Part 1 here. In Part 2 of our free Node.js Webinar Series, Brian May teaches you the different tooling options available for writing code, debugging, and using Git for version control. Brian will briefly discuss the different tools available, and demonstrate his preferred setup for Node development on IBM i or any platform. Attend this webinar to learn:

  • SB Profound WP 5539More than ever, there is a demand for IT to deliver innovation. Your IBM i has been an essential part of your business operations for years. However, your organization may struggle to maintain the current system and implement new projects. The thousands of customers we've worked with and surveyed state that expectations regarding the digital footprint and vision of the company are not aligned with the current IT environment.

  • SB HelpSystems ROBOT Generic IBM announced the E1080 servers using the latest Power10 processor in September 2021. The most powerful processor from IBM to date, Power10 is designed to handle the demands of doing business in today’s high-tech atmosphere, including running cloud applications, supporting big data, and managing AI workloads. But what does Power10 mean for your data center? In this recorded webinar, IBMers Dan Sundt and Dylan Boday join IBM Power Champion Tom Huntington for a discussion on why Power10 technology is the right strategic investment if you run IBM i, AIX, or Linux. In this action-packed hour, Tom will share trends from the IBM i and AIX user communities while Dan and Dylan dive into the tech specs for key hardware, including:

  • Magic MarkTRY the one package that solves all your document design and printing challenges on all your platforms. Produce bar code labels, electronic forms, ad hoc reports, and RFID tags – without programming! MarkMagic is the only document design and print solution that combines report writing, WYSIWYG label and forms design, and conditional printing in one integrated product. Make sure your data survives when catastrophe hits. Request your trial now!  Request Now.

  • SB HelpSystems ROBOT GenericForms of ransomware has been around for over 30 years, and with more and more organizations suffering attacks each year, it continues to endure. What has made ransomware such a durable threat and what is the best way to combat it? In order to prevent ransomware, organizations must first understand how it works.

  • SB HelpSystems ROBOT GenericIT security is a top priority for businesses around the world, but most IBM i pros don’t know where to begin—and most cybersecurity experts don’t know IBM i. In this session, Robin Tatam explores the business impact of lax IBM i security, the top vulnerabilities putting IBM i at risk, and the steps you can take to protect your organization. If you’re looking to avoid unexpected downtime or corrupted data, you don’t want to miss this session.

  • SB HelpSystems ROBOT GenericCan you trust all of your users all of the time? A typical end user receives 16 malicious emails each month, but only 17 percent of these phishing campaigns are reported to IT. Once an attack is underway, most organizations won’t discover the breach until six months later. A staggering amount of damage can occur in that time. Despite these risks, 93 percent of organizations are leaving their IBM i systems vulnerable to cybercrime. In this on-demand webinar, IBM i security experts Robin Tatam and Sandi Moore will reveal:

  • FORTRA Disaster protection is vital to every business. Yet, it often consists of patched together procedures that are prone to error. From automatic backups to data encryption to media management, Robot automates the routine (yet often complex) tasks of iSeries backup and recovery, saving you time and money and making the process safer and more reliable. Automate your backups with the Robot Backup and Recovery Solution. Key features include:

  • FORTRAManaging messages on your IBM i can be more than a full-time job if you have to do it manually. Messages need a response and resources must be monitored—often over multiple systems and across platforms. How can you be sure you won’t miss important system events? Automate your message center with the Robot Message Management Solution. Key features include:

  • FORTRAThe thought of printing, distributing, and storing iSeries reports manually may reduce you to tears. Paper and labor costs associated with report generation can spiral out of control. Mountains of paper threaten to swamp your files. Robot automates report bursting, distribution, bundling, and archiving, and offers secure, selective online report viewing. Manage your reports with the Robot Report Management Solution. Key features include:

  • FORTRAFor over 30 years, Robot has been a leader in systems management for IBM i. With batch job creation and scheduling at its core, the Robot Job Scheduling Solution reduces the opportunity for human error and helps you maintain service levels, automating even the biggest, most complex runbooks. Manage your job schedule with the Robot Job Scheduling Solution. Key features include:

  • LANSA Business users want new applications now. Market and regulatory pressures require faster application updates and delivery into production. Your IBM i developers may be approaching retirement, and you see no sure way to fill their positions with experienced developers. In addition, you may be caught between maintaining your existing applications and the uncertainty of moving to something new.

  • LANSAWhen it comes to creating your business applications, there are hundreds of coding platforms and programming languages to choose from. These options range from very complex traditional programming languages to Low-Code platforms where sometimes no traditional coding experience is needed. Download our whitepaper, The Power of Writing Code in a Low-Code Solution, and:

  • LANSASupply Chain is becoming increasingly complex and unpredictable. From raw materials for manufacturing to food supply chains, the journey from source to production to delivery to consumers is marred with inefficiencies, manual processes, shortages, recalls, counterfeits, and scandals. In this webinar, we discuss how:

  • The MC Resource Centers bring you the widest selection of white papers, trial software, and on-demand webcasts for you to choose from. >> Review the list of White Papers, Trial Software or On-Demand Webcast at the MC Press Resource Center. >> Add the items to yru Cart and complet he checkout process and submit

  • Profound Logic Have you been wondering about Node.js? Our free Node.js Webinar Series takes you from total beginner to creating a fully-functional IBM i Node.js business application.

  • SB Profound WC 5536Join us for this hour-long webcast that will explore:

  • Fortra IT managers hoping to find new IBM i talent are discovering that the pool of experienced RPG programmers and operators or administrators with intimate knowledge of the operating system and the applications that run on it is small. This begs the question: How will you manage the platform that supports such a big part of your business? This guide offers strategies and software suggestions to help you plan IT staffing and resources and smooth the transition after your AS/400 talent retires. Read on to learn: