Get a Handle on Object Authorities with the LSTOBJ

IBM i (OS/400, i5/OS)
Typography
  • Smaller Small Medium Big Bigger
  • Default Helvetica Segoe Georgia Times

This authorization analysis report is your ticket to easier security management.

Securing AS/400 objects is easy, versatile and sophisticated. You can authorize individual users to individual objects, specifying what operations can be performed on the object. The trouble is that it is difficult to visualize the authorities you have been maintaining, since OS/400 provides no utility tools for listing object authorities in an easy-to-use format. If you're thinking about the Display Object Authority (DSPOBJAUT) command, think again-you must run it separately for each object you want to check.

The LSTOBJAUT Command

This omission is easily resolved by creating a new command, the List Object Authority (LSTOBJAUT) command. The LSTOBJAUT command accepts a generic object name, or even *ALL, for a particular library; you can also specify an object type or *ALL. This is an enormous advantage when you're checking the authorities (and ownerships!) of many objects in the same library.

LSTOBJAUT can send the output to the printer or the display station. 1 shows what this listing looks like on paper. As you can see, the authorities for each user and each object are broken down in full detail. If an object is protected by an authorization list, the authorization list's authorities are listed immediately underneath. When an object is an authorization list, the report indicates the user(s) with authorization list management authority by placing an "X" under the Auth List Mgmt subheading. In the listing provided, object RSC001CL is protected by authorization list XYZ; the report then "explodes" the authorities contained in authorization list XYZ. This automatic explosion is highlighted in 1.

LSTOBJAUT can send the output to the printer or the display station. Figure 1 shows what this listing looks like on paper. As you can see, the authorities for each user and each object are broken down in full detail. If an object is protected by an authorization list, the authorization list's authorities are listed immediately underneath. When an object is an authorization list, the report indicates the user(s) with authorization list management authority by placing an "X" under the Auth List Mgmt subheading. In the listing provided, object RSC001CL is protected by authorization list XYZ; the report then "explodes" the authorities contained in authorization list XYZ. This automatic explosion is highlighted in Figure 1.

Using LSTOBJAUT

Take another look at 1. Notice that user MALERN has *EXCLUDE authority to program RSC001CL. The program is secured by an authorization list, and in it user MALERN has *USE authority. The net result is that MALERN has *EXCLUDE authority since authorities assigned directly to the user profile override all others (such as group profiles and authorization lists).

Take another look at Figure 1. Notice that user MALERN has *EXCLUDE authority to program RSC001CL. The program is secured by an authorization list, and in it user MALERN has *USE authority. The net result is that MALERN has *EXCLUDE authority since authorities assigned directly to the user profile override all others (such as group profiles and authorization lists).

Also notice that, although the public enjoys *CHANGE authority, user SHARIC has more authority than that through the authorization list. SHARIC's authority is shown as "USER DEF," meaning that you must refer to the detail section. In this particular case, SHARIC can perform almost all operations on the object except those that require object existence authorization. As a result, SHARIC cannot delete program RSC001CL.

What if you want to save these objects on tape to restore them on another system? The fact that program RSC001CL is protected by authorization list XYZ may give you grief unless you create the same authorization list in the new system before restoring the objects. And notice that program RSC001RG is owned by user KRUAND, while all other objects are owned by QPGMR.

1 shows all objects in library PRODLIB. If you want to restore this library on a different system, you have to create authorization list XYZ in the new system, exactly as it is in yours, and either change program RSC001RG's owner to QPGMR or make sure that KRUAND's user profile exists on the target system.

Figure 1 shows all objects in library PRODLIB. If you want to restore this library on a different system, you have to create authorization list XYZ in the new system, exactly as it is in yours, and either change program RSC001RG's owner to QPGMR or make sure that KRUAND's user profile exists on the target system.

Here's How It Works

After the user runs the LSTOBJAUT command (2), its parameters are passed to program OBJ010CL (3). If the command was requested in batch mode, OUTPUT(*PRINT) is forced.

After the user runs the LSTOBJAUT command (Figure 2), its parameters are passed to program OBJ010CL (Figure 3). If the command was requested in batch mode, OUTPUT(*PRINT) is forced.

Next, the DSPOBJD command creates an outfile (QADSPOBJ in QTEMP) which has one record per object you requested to list. So, if you entered a specific object name in the command's OBJ parameter, QADSPOBJ will have one record. If you entered a generic name or *ALL, QADSPOBJ will most likely contain more than one record.

Each record of QADSPOBJ is read in turn. For each record, we run DSPOBJAUT to outfile QAOBJAUT in QTEMP, which creates records with the authorities for each user who is authorized to the object.

A call to program OBJ010CLA (4) follows immediately; this program reads the last record written to QAOBJAUT to determine if the object just processed is protected by an authorization list. If it is, it runs DSPAUTL to the same outfile to add the detail from the authorization list.

A call to program OBJ010CLA (Figure 4) follows immediately; this program reads the last record written to QAOBJAUT to determine if the object just processed is protected by an authorization list. If it is, it runs DSPAUTL to the same outfile to add the detail from the authorization list.

Finally, we print the report by calling program OBJ010RG (5), which always sends the output to printer file OBJ010P1 (6). If the user requested OUTPUT(*), the spooled file is displayed with the DSPSPLF command and then immediately deleted with DLTSPLF.

Finally, we print the report by calling program OBJ010RG (Figure 5), which always sends the output to printer file OBJ010P1 (Figure 6). If the user requested OUTPUT(*), the spooled file is displayed with the DSPSPLF command and then immediately deleted with DLTSPLF.

The Whole Picture

Even though LSTOBJAUT presents a better picture than DSPOBJAUT, it is not yet complete. Users may have authority to objects based on their group profiles. Consider the possibility of improving on LSTOBJAUT so it "explodes" each group profile, listing its members.

Another possible enhancement to LSTOBJAUT could involve writing a second report for management which would resolve multiple authorizations (e.g., user MALERN's seemingly conflicting *USE and *EXCLUDE authorizations to a single object) and show only the final result. By incorporating these few suggestions and perhaps coming up with some refinements of your own, the LSTOBJAUT command could become exactly the comprehensive, definitive guide you need to organized maintenance of authorities.

PRIVATE AUTHORITIES EXPLAINED Users can be authorized to objects at different levels. When you run the LSTOBJAUT command, the system uses the following codes:

Users can be authorized to objects at different levels. When you run the LSTOBJAUT command, the system uses the following codes:

Exist: Authority to control the existence or ownership of the object.

Mgmt: Authority to specify authority, to move or rename the object, or to add members to a database file.

Oper: Authority to look at the object's attributes and to use the object as specified by the data authorities (Read, Add, Upd and Dlt) described immediately below.

Read: Authority to read the object (access its contents without change).

Add: Authority to add entries (records) to the object.

Upd: Authority to change existing entries (records) in the object.

Dlt: Authority to remove entries (records) from the object.

Auth List Authority to maintain other users' authorities in the Mgmt: authorization list.(for authorization list objects only)


Get a Handle on Object Authorities with the LSTOBJ

Figure 1 Sample run of LSTOBJAUT (unable to display)


Get a Handle on Object Authorities with the LSTOBJ

Figure 2 Command LSTOBJAUT

 LSTOBJAUT: CMD PROMPT('List Object Authorities') PARM KWD(OBJ) TYPE(Q1) MIN(1) PROMPT('Object name') PARM KWD(OBJTYPE) TYPE(*CHAR) LEN(8) RSTD(*YES) + DFT(*ALL) VALUES(*ALL *ALRTBL *AUTL *CFGL + *CHTFMT *CLD *CLS *CMD *COSD *CSPMAP + *CSPTBL *CTLD *DEVD *DOC *DTAARA *DTADCT + *DTAQ *EDTD *FCT *FILE *FLR *FNTRSC + *FORMDF *GSS *JOBD *JOBQ *JRN *JRNRCV + *LIB *LIND *MENU *MODD *MSGF *MSGQ *OUTQ + *OVL *PAGSEG *PDG *PGM *PNLGRP *PRDAVL + *PRDDFN *PRDLOD *QMFORM *QMQRY *QRYDFN + *RCT *SBSD *SCHIDX *SPADCT *SSND *S36 + *TBL *USRIDX *USRPRF *USRQ *USRSPC) + PROMPT('Object type') PARM KWD(OUTPUT) TYPE(*CHAR) LEN(6) RSTD(*YES) + DFT(*) VALUES(* *PRINT) PROMPT('Output') Q1: QUAL TYPE(*GENERIC) LEN(10) SPCVAL((*ALL)) MIN(1) QUAL TYPE(*NAME) LEN(10) DFT(*CURLIB) + SPCVAL((*CURLIB)) PROMPT('Library') 
Get a Handle on Object Authorities with the LSTOBJ

Figure 3 CL program OBJ010CL

 OBJ010CL: + PGM PARM(&QOBJ &OBJTYPE &OUTPUT) DCL VAR(&JOBTYPE) TYPE(*CHAR) LEN(1) DCL VAR(&LIB) TYPE(*CHAR) LEN(10) DCL VAR(&MSGDTA) TYPE(*CHAR) LEN(80) DCL VAR(&MSGF) TYPE(*CHAR) LEN(10) DCL VAR(&MSGFLIB) TYPE(*CHAR) LEN(10) DCL VAR(&MSGID) TYPE(*CHAR) LEN(7) DCL VAR(&OBJ) TYPE(*CHAR) LEN(10) DCL VAR(&OBJTYPE) TYPE(*CHAR) LEN(8) DCL VAR(&OUTPUT) TYPE(*CHAR) LEN(6) DCL VAR(&QOBJ) TYPE(*CHAR) LEN(20) DCLF FILE(QADSPOBJ) MONMSG MSGID(CPF0000) EXEC(GOTO CMDLBL(SNDERRMSG)) /* Break qualified name */ CHGVAR VAR(&OBJ) VALUE(%SST(&QOBJ 1 10)) CHGVAR VAR(&LIB) VALUE(%SST(&QOBJ 11 10)) /* Force OUTPUT(*PRINT) if running job in batch mode */ RTVJOBA TYPE(&JOBTYPE) IF COND(&JOBTYPE *EQ '0') THEN(CHGVAR VAR(&OUTPUT) VALUE('*PRINT')) /* Get names of all objects to be listed */ DSPOBJD OBJ(&LIB/&OBJ) OBJTYPE(&OBJTYPE) OUTPUT(*OUTFILE) + OUTFILE(QTEMP/QADSPOBJ) OVRDBF FILE(QADSPOBJ) TOFILE(QTEMP/QADSPOBJ) /* For each object run DSPOBJAUT to outfile */ LOOP: + RCVF MONMSG MSGID(CPF0864) EXEC(GOTO CMDLBL(ENDLOOP)) DSPOBJAUT OBJ(&ODLBNM/&ODOBNM) OBJTYPE(&ODOBTP) OUTPUT(*OUTFILE) + OUTFILE(QTEMP/QAOBJAUT) OUTMBR(*FIRST *ADD) /* Explode authorization list if necessary */ CALL PGM(OBJ010CLA) GOTO CMDLBL(LOOP) /* Print report */ ENDLOOP: + OVRDBF FILE(QAOBJAUT) TOFILE(QTEMP/QAOBJAUT) IF COND(&OUTPUT *EQ '*') THEN(OVRPRTF FILE(OBJ010P1) HOLD(*YES)) CALL PGM(OBJ010RG) IF COND(&OUTPUT *EQ '*') THEN(DO) DSPSPLF FILE(OBJ010P1) JOB(*) SPLNBR(*LAST) DLTSPLF FILE(OBJ010P1) JOB(*) SPLNBR(*LAST) ENDDO DLTOVR FILE(*ALL) CLRPFM FILE(QTEMP/QAOBJAUT) RETURN SNDERRMSG: + RCVMSG MSGTYPE(*EXCP) MSGDTA(&MSGDTA) MSGID(&MSGID) MSGF(&MSGF) + MSGFLIB(&MSGFLIB) SNDPGMMSG MSGID(&MSGID) MSGF(&MSGFLIB/&MSGF) MSGDTA(&MSGDTA) + MSGTYPE(*ESCAPE) ENDPGM 
Get a Handle on Object Authorities with the LSTOBJ

Figure 4 CL program OBJ010CLA

 OBJ010CLA: + PGM DCL VAR(&RRN) TYPE(*DEC) LEN(10 0) DCLF FILE(QAOBJAUT) /* Read last record in the file */ RTVMBRD FILE(QTEMP/QAOBJAUT) NBRCURRCD(&RRN) OVRDBF FILE(QAOBJAUT) TOFILE(QTEMP/QAOBJAUT) POSITION(*RRN &RRN) RCVF /* If object protected by authorization list, display + authorization list to same outfile */ IF COND(&OAANAM *NE '*NONE') THEN(DSPAUTL AUTL(&OAANAM) + OUTPUT(*OUTFILE) OUTFILE(QTEMP/QAOBJAUT) OUTMBR(*FIRST *ADD)) DLTOVR FILE(*ALL) ENDPGM 
Get a Handle on Object Authorities with the LSTOBJ

Figure 5 RPG program OBJ010RG

 FQAOBJAUTIP E DISK FOBJ010P1O E 99 PRINTER * IQSYDSAUT I OALIB L1 I OANAMEL1 I OATYPEL1 * C *IN99 IFEQ *ON C WRITEHEADER C MOVE *OFF *IN99 C END * C *INL1 IFEQ *ON C WRITENEWOBJ C END * C WRITEOBJAUT * CL1 WRITESPACE * C *INZSR BEGSR C WRITEHEADER C ENDSR 
Get a Handle on Object Authorities with the LSTOBJ

Figure 6 Printer file OBJ010P1

 A REF(QAOBJAUT) * A R HEADER SKIPB(3) A 1DATE EDTCDE(Y) A 11TIME EDTWRD('0 : : ') A 55'List Object Authorities' A 112'LSTOBJAUT - Page' A 129PAGNBR EDTCDE(3) A SPACEA(2) A 47'Authoriz' A 59'User' A 71'User' A 83'*-------------Detail--------------- A ---*' A 124'Auth List' A SPACEA(1) A 1'Object' A 13'Library' A 25'Type' A 35'Owner' A 49'List' A 59'Profile' A 71'Authority' A 83'Oper' A 89'Mgmt' A 95'Exist' A 102'Read' A 108'Add' A 113'Upd' A 118'Dlt' A 127'Mgmt' A SPACEA(2) * A R NEWOBJ SPACEA(0) A OANAME R O 1 A OALIB R O 13 A OATYPE R O 25 A OAOWN R O 35 A OAANAM R O 47 * A R OBJAUT SPACEA(1) A OAUSR R O 59 A OAOBJA R O 71 A OAOPR R O 84 A OAOMGT R O 90 A OAEXS R O 97 A OAREAD R O 103 A OAADD R O 109 A OAUPD R O 114 A OADLT R O 119 A OAAMGT R O 129 * A R SPACE SPACEA(2) A 1' ' 
BLOG COMMENTS POWERED BY DISQUS