• The Four Hundred
  • Data Needed to Debug Authority Failures, Part 2

    September 28, 2011 Patrick Botz

    In the first article in this series, I introduced the concept of debugging authority failures and described how the operating system determines whether an executing job should be allowed to access an object. With that background, the topic of this second article, the data needed to debug authority failures, will make much more sense. In my third article, I will describe how and where to find this information.

    Data needed for debugging authority failures can be classified into the following categories: Who, What, When, Which, and Why. Some of this information helps you find other pieces of data. All of it helps you understand why the failure occurred. Don’t worry about where to find this information just yet. We’ll cover that in the next article.

    WHO Failed?

    Under which user profiles was the job executing when the authority failure occurred?

    While many administrators might assume that this must be the user profile representing the person reporting the failing job, often this may not be the case. In the previous article, we described how a job may run under multiple profiles, including the user’s profile, one or more groups of which the user is a member, and one or more adopted user profiles. Further, applications can change the user and group profiles under which a job runs and can “drop adopted authority.”

    The message is that you have to have some knowledge of how the application works. Does it use adopted authority anywhere? Does it “swap” user profiles or use the qsy_seteuid(), qsy_setegid(), and/or the qsy_setgroups() APIs? You can’t just assume that the user who launched the job is the user profile under which the job is running.

    WHAT Failed?

    Which object was the job attempting to access when the authority failure occurred? You need to identify the fully qualified path name and type of object involved in the authority failure.

    There is no such thing as a “general” authority failure. Jobs don’t receive authority failures unless they are attempting to access an object. This is why giving a profile *ALLOBJ is almost never the best or most appropriate way to solve an authority failure. Sure, it may solve the problem. Then again, a small thermonuclear device will also rid you of gophers in your backyard, but that doesn’t mean it’s the right, most appropriate, or best way to solve the problem.

    WHEN Did It Fail?

    You can save a lot of unnecessary time hunting for information if you first verify the approximate date and time of the failure. I’ve attempted to gather information to analyze an authority failure reported in the morning that, after an hour or so of fruitless searching, turned out to have actually occurred at the end of the previous day! Knowing the approximate date and time of the authority failure can significantly reduce the amount of time needed to gather debugging data.

    WHICH Program or Command Failed?

    Knowing the fully qualified name of the program that failed can help you determine whether it was an operating system authority failure, some other operating system error, or an “application-defined” authority failure.

    A real OS authority failure occurs when the user profile(s) under which a job is running does not have enough authority to perform the intended operation on a specified object.

    Before attempting to debug any authority failure, first ensure that an authority failure actually occurred. I have talked with many customers who insisted they were receiving an authority failure when, in fact, jobs were failing for other reasons. This would not happen if those customers understood the process of debugging authority failures.

    Jobs can also fail because they lack the proper special authority. Special authority is not another kind of authority; it is really “privilege.” In addition to requiring authority to an object, some operations also require that you have privileges (i.e., special authority) to perform the operation. Note that special authority/privilege is associated with an operation, and authority is associated with an object. For example, to change a user profile, you must have *CHANGE authority to the user profile object and also have *SECADM special authority (privilege), which is required to perform many security-related operations.

    Technically, a failure due to a lack of special authority (privilege) is NOT an authority failure. However, debugging a special authority failure follows the same general process as debugging an authority failure. The biggest difference between the two types of failures is in the way the failure is fixed.

    Application-defined authority failures are generated by applications that implement their own form of security (e.g., menu item access control). These failures are defined by the application itself and therefore require that the application be debugged.

    WHY Did It Fail?

    Operating system authority failures occur because the profiles under which the job was running did not have the proper authority to perform the intended operation on the specified object. Therefore, you need to identify the operation that was attempted on the object involved in the failure (i.e., the “what” information described above). Given the type of operation and the fully qualified object and type information, you can look up the authority users need in order to perform that operation on the object.
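
    The lookup described above, as an added example that is not part of the original article: a simplified Python model that compares what an operation requires with what the job's profiles hold and reports whether object authority, special authority, or both are missing. The profile names, object path, and REQUIRED table are constructed; the model credits the job with the strongest authority any of its profiles holds and does not reproduce the operating system's actual checking order.

```python
from dataclasses import dataclass, field

# System-defined object authority values, weakest to strongest.
LEVELS = ["*EXCLUDE", "*USE", "*CHANGE", "*ALL"]

@dataclass
class Profile:
    name: str
    special: set = field(default_factory=set)    # special authorities, e.g. {"*SECADM"}
    objects: dict = field(default_factory=dict)  # (path, type) -> object authority

# Hypothetical lookup table: operation -> (object authority, special authority).
# The single row is the article's own example.
REQUIRED = {"change user profile": ("*CHANGE", "*SECADM")}

def diagnose(operation, obj, profiles):
    """Report what the job's profiles lack for `operation` on `obj`.

    Simplification (assumption): the job is credited with the strongest
    authority held by any of its profiles; the real lookup order is not modelled.
    """
    need_auth, need_special = REQUIRED[operation]
    held = max((p.objects.get(obj, "*EXCLUDE") for p in profiles),
               key=LEVELS.index, default="*EXCLUDE")
    missing_auth = LEVELS.index(held) < LEVELS.index(need_auth)
    missing_special = need_special is not None and not any(
        need_special in p.special for p in profiles)
    if missing_auth and missing_special:
        kind = "authority and special authority failure"
    elif missing_auth:
        kind = "authority failure"
    elif missing_special:
        kind = "special authority failure"
    else:
        kind = "no failure"
    return {"kind": kind, "held": held,
            "grant_authority": need_auth if missing_auth else None,
            "grant_special": need_special if missing_special else None}

# Constructed sample job: the user who launched it, one group, one adopted profile.
TARGET = ("/QSYS.LIB/JSMITH.USRPRF", "*USRPRF")
JOB = [Profile("HELPDESK1"),
       Profile("GRPHELP", objects={TARGET: "*CHANGE"}),
       Profile("APPOWNER", objects={TARGET: "*USE"})]

if __name__ == "__main__":
    print(diagnose("change user profile", TARGET, JOB))
```

    The result names only the piece that is missing, which is the targeted alternative to granting *ALLOBJ.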

    In this article, we have discussed the Who, What, When, Which, and Why required to debug authority failures. Before making any authority configuration changes, gather this information and analyze it. Doing so will go a very long way toward keeping your data secure. Ultimately, it will also cost you less to manage authority failures over time.

    Patrick Botz is the principal consultant and founder of Botz & Associates Inc. He is also president of Valid Technologies, LLC, a biometric middleware ISV. Pat spent nearly 20 years working at IBM in various security roles including lead IBM i security architect, IBM eServer security team, and the head of IBM Lab Services Security Consulting practice. Check out his Website at www.botzandassociates.com. Send your questions or comments for Patrick to Ted Holt via the IT Jungle Contact page.

    RELATED STORY

    Learn To Debug Authority Failures, Part 1



Volume 11, Number 28 -- September 28, 2011
Copyright © 2022 IT Jungle
