• The Four Hundred
  • Subscribe
  • Media Kit
  • Contributors
  • About Us
  • Contact
Menu
  • The Four Hundred
  • Subscribe
  • Media Kit
  • Contributors
  • About Us
  • Contact
  • Limiting All-Object Authority

    February 9, 2005 Hey, Wayne O.

    Is there a way to minimize the access to a file that contains salaries, for the user profiles that have *ALLOBJ authority? Can we give them access to the object but not to the content (data)? Is our only option to audit these user profiles and the files containing the salaries?

    –Marc-André

    People frequently ask me how to block access to an object for users with *ALLOBJ special authority. When the system determines a user’s authority to an object, the first check made is whether the user has *ALLOBJ authority. If the answer is yes, the system allows the user access. So the answer is that there is no way to block a user who has *ALLOBJ authority. When I teach about special authority, I describe *ALLOBJ as equivalent to *GOD. There is no way to limit the access of God, so you want to be very careful what users you allow *ALLOBJ special authority.

    Are you sure that the user needs *ALLOBJ authority? Restricting access to files and adopting authority in specific applications is a much better solution.

    You can’t hide individual fields like salary from the users who have *ALLOBJ authority. The only way to hide the content of specific fields is to encrypt either the complete file or the individual field. I recommend simply encrypting the salary field. The data could be stored in encrypted form and would only need to be decrypted in the programs that operate on the salary data. I suspect there are many programs that access the personnel data file but don’t need access to the salary. These programs would not need to be modified. I am not aware of any software that performs this function.

    You can audit the actions of individual users. However the OS/400 audit journal data simply records that an audited user opened the audited file. The audit record does not provide information on what fields were changed or retrieved. These are the steps to auditing a specific file for access by *ALLOBJ users:

    1. Use the Change User Audit (CHGUSRAUD) command to activate auditing for profiles with *ALLOBJ special authority.
    2. CHGOBJAUT   USRPRF(all-object-user)   OBJAUT(*ALL)
      
    3. Use the Change User Audit (CHGUSRAUD) command to turn on auditing for the files that contain sensitive data. The OBJAUD option of *USRPRF will audit access for users identified in step 1.
    4. CHGOBJAUD OBJ(PAYROLL) OBJTYPE(*FILE)   OBJAUD(*USRPRF) 
      
    5. Activate object auditing by setting the system value QAUDCTL to *OBJAUD.

    6. CHGSYSVAL SYSVAL(QAUDCTL) VALUE(*OBJAUD)
      

    The system will write an audit record whenever a user accesses the payroll file, but the audit record will not tell which records in the file, nor which fields, were referenced or changed.


    OS/400 journaling will show the records that were accessed. The journal will collect information for all users, not just specific users. However, you can process the audit data and select transactions for specific user profiles.

    The other alternative I can think of is to define a trigger program for the files that contain sensitive data. The trigger program is called each time the file is accessed and can audit the actions of selected users. However, this option can have a marked increase in CPU use if the file with the trigger is accessed frequently. I do not recommend this option unless you have an overwhelming business need to audit the access.

    –Wayne O. Evans

    For more information on audit journals and *ALLOBJ users, see “Auditing Users with All-Object Authority.”

    Security articles authored by Wayne O. Evans can be found on his Web site, www.woevans.com. Click here to contact Wayne O. Evans by e-mail.

    Share this:

    • Reddit
    • Facebook
    • LinkedIn
    • Twitter
    • Email

    Tags:

    Sponsored by
    WorksRight Software

    Do you need area code information?
    Do you need ZIP Code information?
    Do you need ZIP+4 information?
    Do you need city name information?
    Do you need county information?
    Do you need a nearest dealer locator system?

    We can HELP! We have affordable AS/400 software and data to do all of the above. Whether you need a simple city name retrieval system or a sophisticated CASS postal coding system, we have it for you!

    The ZIP/CITY system is based on 5-digit ZIP Codes. You can retrieve city names, state names, county names, area codes, time zones, latitude, longitude, and more just by knowing the ZIP Code. We supply information on all the latest area code changes. A nearest dealer locator function is also included. ZIP/CITY includes software, data, monthly updates, and unlimited support. The cost is $495 per year.

    PER/ZIP4 is a sophisticated CASS certified postal coding system for assigning ZIP Codes, ZIP+4, carrier route, and delivery point codes. PER/ZIP4 also provides county names and FIPS codes. PER/ZIP4 can be used interactively, in batch, and with callable programs. PER/ZIP4 includes software, data, monthly updates, and unlimited support. The cost is $3,900 for the first year, and $1,950 for renewal.

    Just call us and we’ll arrange for 30 days FREE use of either ZIP/CITY or PER/ZIP4.

    WorksRight Software, Inc.
    Phone: 601-856-8337
    Fax: 601-856-9432
    Email: software@worksright.com
    Website: www.worksright.com

    Share this:

    • Reddit
    • Facebook
    • LinkedIn
    • Twitter
    • Email

    Linoma Serves Up Better-Looking Screens with aXes Service Packs Put a Crimp in Third Party Maintenance Plans

    Leave a Reply Cancel reply

Volume 5, Number 6 -- February 9, 2005
THIS ISSUE
SPONSORED BY:

T.L. Ashford
WorksRight Software
COMMON

Table of Contents

  • The Integrated File System for Intelligent People
  • Limiting All-Object Authority
  • Running Query Without Adopted Authority

Content archive

  • The Four Hundred
  • Four Hundred Stuff
  • Four Hundred Guru

Recent Posts

  • IBM Pulls The Curtain Back A Smidge On Project Bob
  • IBM Just Killed Merlin. Here’s Why
  • Guru: Playing Sounds From An RPG Program
  • A Bit More Insight Into IBM’s “Spyre” AI Accelerator For Power
  • IBM i PTF Guide, Volume 27, Number 42
  • What You Will Find In IBM i 7.6 TR1 and IBM i 7.5 TR7
  • Three Things For IBM i Shops To Consider About DevSecOps
  • Big Blue Converges IBM i RPG And System Z COBOL Code Assistants Into “Project Bob”
  • As I See It: Retirement Challenges
  • IBM i PTF Guide, Volume 27, Number 41

Subscribe

To get news from IT Jungle sent to your inbox every week, subscribe to our newsletter.

Pages

  • About Us
  • Contact
  • Contributors
  • Four Hundred Monitor
  • IBM i PTF Guide
  • Media Kit
  • Subscribe

Search

Copyright © 2025 IT Jungle