True or False: A Pop Quiz on IBM i Security Facts

IBM i (OS/400, i5/OS)
  • Smaller Small Medium Big Bigger
  • Default Helvetica Segoe Georgia Times

It's Friday, and Carol remembers how much everyone loves a surprise test right before the weekend.


I don't know about you, but I've always hated taking tests. Hopefully, you will enjoy this True/False quiz on IBM i security facts and even learn a few things.


True or False: The authority granted to the owner of an object is considered a private authority.

False. An object owner's authority is stored in the header of the object, along with the object's *PUBLIC authority setting, and is not considered a private authority.


True or False: An object can be secured with more than one authorization list.

False. An object can only be secured by one authorization list.


True or False: The user class is ignored when IBM i checks to see if a user has sufficient authority.

True. The user class is applied only in the following cases:

  • When the profile is created or changed and the Special authority (SPCAUT) parameter is set to *USRCLS
  • When a user signs on and goes to an IBM menu, the user's user class determines which menu options are displayed.
  • When the system is IPLed between QSECURITY level 20 and a higher level. The user class is used to determine what special authorities the profile should have at the higher level.


True or False: To adopt authority, you set the Use adopted authority parameter to *YES.

False. To adopt authority, set a program's user profile attribute to *OWNER. The Use adopted authority attribute determines whether or not the program is able to use the authority adopted from programs currently in the call stack.


True or False: A password can begin with a number.

True. If, when changing the password, the password begins with the letter "Q" followed by a number, you can simply enter the number for the password (omitting the "Q" at the beginning.) Strange, but true.


True or False: Suppose you're a member of multiple groups and you have no authority to a database file. Your first group has been granted a private authority of *EXCLUDE to the database file you're trying to access, but your second group has *ALLOBJ; therefore, you will be able to access the file.

True. If you're assigned to multiple groups, the system will loop through the authority algorithm until it finds sufficient authority or runs out of groups to check. Even if one group is excluded from a file, if another group has sufficient authority, access is granted.


True or False: You have no options when you create a streamfile for setting the authorities. You're stuck with the defaults granted by the operating system.

False. As of V6R1, you have the option on both Copy to Streamfile (CPYTOSTMF) and Copy to Import File (CPYTOIMPF) commands to specify that the file's authority is to come from the file being copied or the directory into which the file is being copied.


True or False: You cannot prevent a profile from being created with or changed to have a default password when using the Create or Change User Profile (CRT/CHGUSRPRF) commands.

True…and False. The answer to this question depends on the release of the operating system you're running. At V7R2, if you include the value of *LMTPRFNAME and the new V7R2 value of *ALLCRTCHG in the QPWDRULES system value, the operating system will prevent a user profile from being created with or changed to have a default password. Prior to that release, you can always assign a user profile a default password through either CRTUSRPRF or CHGUSRPRF.


True or False: Even if the QSECOFR user profile is status of *DISABLED, you can use it to sign onto the console.

True. Assuming you know the correct password, you will be able to sign onto the console even if the QSECOFR profile is status of *DISABLED. In fact, setting QSECOFR to *DISABLED is a technique we recommend to protect against the inappropriate use of QSECOFR.


Final Thoughts

I hope you've enjoyed this short quiz and learned a few fun facts along the way.