Many times, I want to tell everyone about an interesting IBM i security feature or make sure everyone knows how something works or point out some quirky fact, but it really isn’t enough to write a full article on the topic. So I decided to communicate these topics via a quiz.
Test your knowledge and learn some useful facts that can you improve your organization's security posture.
Q: True or False: Once you start specifying values for the QPWDRULES system value, the other password composition rule system values are ignored.
A: True. The system values QPWDLMTAJC, QPWDLMTCHG, QPWDLMTREP, QPWDMAXLEN, QPWDMINLEN, QPWDPOSDIF, and QPWDRQDDGT are ignored when you change the QPWDRULES system value from the default of *PWDSYSVAL.
Q: When is the user class (USRCLS) specified in the user profile not considered?
- When displaying IBM i menu options
- When checking a user’s authority to an object
- When moving off of QSECURITY (security level) 20 to a higher security level
- When defaulting special authorities when creating a user profile
A: B. The user class of the user profile is never checked by the IBM i authority-checking algorithm.
Q: True or False: A user with *ALLOBJ will always be able to see all records in a database file.
A: False. When you implement Row permissions on a file, if you do not grant it permission, QSECOFR will not have access to the rows.
Q: True or False: Commands such as Change Authority (CHGAUT) and Change Owner (CHGOWN) that work on IFS objects can also be used to change the authority to and owner of objects in libraries.
A: True. For example, you can use the CHGOWN command to change the owner of all or some objects in a library. The following command changes all of the files in the library MY_LIB to the profile OWNER2:
CHGOWN OBJ('/qsys.lib/my_lib.lib/*.file') NEWOWN(owner2)
Q: True or False: The user is required to have authority to an outq to access the spooled files in it.
A: This is a bit of a trick question. If a user has been granted *SPLCTL special authority, the user needs no authority to the outq to access the spooled files using commands such as Work with Spooled Files (WRKSPLF). However, if the user does not have *SPLCTL, then yes, the user must have authority to the outq. The exact authority required depends on the action being taken on the spooled files. See the IBM i Security Reference manual, chapter 6 for details.
Q: True or False: No authority checking is performed when the system is running at QSECURITY level 20.
A: False. The same authority checking algorithm is performed regardless of the security level of the system. It appears that no authority checking occurs because, by default, users are granted *ALLOBJ special authority when the profile is created; therefore, all users have access to all objects on the system. The good news is that you can modify a profile after it’s been created to remove the *ALLOBJ special authority. My team uses this method to test an application’s security scheme using several modified profiles prior to moving the system to a higher security level where all profiles on the system will be affected. The Authority Collection feature added in V7R3 is also a helpful tool for knowing what authority users will require once the system is moved to a higher security level.
Q: Which system value does not require an IPL to take effect?
- None of the above
A: A. Changes to QAUDCTL (and all other security-related system values) do not required an IPL.
Q: True or False: When you modify the password composition system values (for example, changing the minimum or maximum length or requiring a digit), users will have to change their password the next time they sign on after you make the change.
A: False. Users will not have to adhere to the new password rules until their password expires and they are required to change it.
Q: What user profile attributes should be specified for service accounts?
- INLMNU(*SIGNOFF) and INLPGM(*NONE)
- All of the above
A: E. And if the service account isn’t being used to make a connection to another system, specify these two attributes as well: PASSWORD(*NONE) and PWDEXPITV(*SYSVAL).
Q: True or False: A user configured as Limited Capability—LMTCPB(*PARTIAL)—can enter commands on a command line.
A: True. The only restrictions on users configured as a *PARTIAL is that they are prevented from overriding the initial program, initial menu, and current library parameters on the sign-on display or changing their attention program. They can, however, run commands from a command line just as a LMTCPB(*NO).
Pass or Fail?
How did you score on this quiz? Regardless of your score, I hope this cleared up some confusion as well as helped you learn something about IBM i security that you didn’t know about previously.