Q: We use OfficeVision/400 and have some sensitive documents online. I was told that an OfficeVision user can view all of the documents in the system. According to the IBM security manual, "*SECADM special authority gives the user comprehensive authority to manage OfficeVision/400 objects and users." Can an OfficeVision administrator who has *SECADM special authority view the documents of other users? Is there a way to secure sensitive documents so that OfficeVision administrators have no access?
A: You can prevent OfficeVision administrators from accessing sensitive documents. OfficeVision allows you to give an administrator full or limited *SECADM special authority. An administrator who has full *SECADM special authority is able to work with system objects, such as libraries, while using the Office-Vision program. An administrator with limited *SECADM special authority cannot work with system objects while using the OfficeVision program.
The default is to enroll administrators with limited *SECADM special authority in OfficeVision, which limits the administrator's access to documents of other users. A user with limited *SECADM special authority can be restricted from accessing documents and folders using OS/400 document library security.
You should check the enrollment for all OfficeVision administrators. You can determine if administrators have full or limited *SECADM special authority by selecting administration (option 9) from the main office menu. Select Work with Office users (option 1); then use option 2 (change) to select a user. Select Enrollment information (option 4) to display the OfficeVision administrators' access. If the administrators are restricted from object management (Allow object management is N), they are given no special access.
CAUTION: When an administrator enrolls a new user, the administrator becomes the owner of the user profile for that user. This ownership allows the administrator to submit jobs running with the user profile of the enrolled user. These jobs could grant the administrator access to sensitive documents. It is difficult to prevent this back door for administrators. The best policy would be for the QSECOFR to enroll the users who have sensitive documents.
Q: If I am the owner of an object, can I always control access to the object? What happens if I store an object that I own in a library and then my access to the library is revoked? Can I still authorize access to the object or delete the object?
A: Good question! I thought the owner of an object could always control access to an object, but I had to do some testing on the AS/400 to verify how this works. When the object owner is not authorized to the library where the object is stored, the object owner cannot use the Grant, Revoke, or Edit Object Authority (GRTOBJAUT, RVKOBJAUT, or EDTOBJAUT) commands. These commands fail with a message that the user is "not authorized to library xxx."
The owner of the object can use the Work with Objects by Owner (WRKOBJOWN) command to obtain a list of objects owned. This list includes the object in the restricted library. Attempts to use options from the WRKOBJOWN menu for objects in restricted libraries also result in "not authorized" messages. The only solution is to see your friendly security officer for assistance.