Auditing System Values
1. Object Authorities :
There are 6 object authorities used in AS/400. Those are as follows.
a. *OBJOPR ( Object Operational )
b. *OBJEXIST ( Object Existence )
c. *OBJMGT ( Object Management )
d. *OBJALTER ( Object Alteration )
e. *AUTLMGT ( Authorization List Authority )
f. *OBJREF ( Object Reference )
2. Data Authorities :
There are 5 data authorities used in AS/400. Those are as follows.
a. *READ ( Read Data )
b. *ADD ( Add Data )
c. *DLT ( Delete Data )
d. *UPD ( Change Data )
e. *EXECUTE ( Run a Program )
The following authorities are independent (not hierarchical). For some operations a combination of authorities is required:
*OBJOPR: The object operational authority controls the use of an object and the capability to look at the description of the object. It is needed to open a file and therefore is usually assigned in combination with the desired data rights.
*OBJMGT: The object management authority controls the move, rename, and change attribute functions for the object, and the grant and revoke authority functions for other users or groups.
*OBJEXIST: The object existence authority controls the delete, save, restore, or transfer ownership operations of an object.
*AUTLMGT: This authority is needed to manage the contents of an authorization list associated with the object. This is a specialized security authorization that is not usually grouped with the other seven object authorities.
*OBJALTER: This authority is needed to alter the attributes of database files and change the attributes of SQL packages.
*OBJREF: This authority is needed to specify a database file as the first level in a referential constraint.
*READ: Controls the ability to read data from the object.
*ADD: Controls the ability to insert a new entry (such as a new record in a file) into the object.
*UPD: Controls the ability to modify existing entries in the object.
*DLT: Controls the ability to remove existing entries (for example, records) in the object. To delete the whole object requires *OBJEXIST authority.
*EXECUTE: Controls the ability to run a program, service program, or SQL package.
Commonly used combinations of authorities can be specified in abbreviated form. For example, *USE is the combination of *OBJOPR, *READ, and *EXECUTE.
*ALL: Allows unlimited access to the object and its data
*CHANGE: Allows unlimited access to the data in the object
*USE: Allows data in the object to be read
*EXCLUDE: Allows no access to the object or its data
*PUBLIC Authority
Public authority is the default authority for an object. It is used if users do not have any specific (private) authority to an object, are not on the authorization list (if one is specified) for the object, or their group(s) has no specific authority to the object.
Authorization Lists
An authorization list is an important and commonly used security structure. It is used to authorize a user or a group of users to different types of objects (such as files or programs) secured by the authorization list. An object may have only one authorization list associated with it. An authorization list may secure more than one object. A user can appear on many different authorization lists. Authorization lists are not affected when objects secured by the authorization list are deleted. If an object is deleted and then restored to the same system, it is automatically linked to an existing authorization list for the object. This is an important advantage of authorization lists.
Adopted Authority
Certain programs or commands called by a user may require a higher level of authority (for the duration of the command) than is normally available to that user. Adopted authority provides a means for handling this situation. Adopted authority allows a user to temporarily gain the authority of the owner of a program (in addition to the user's own authorities) while that program is running. This provides a method to give a user additional access to objects, without requiring direct authority to those objects.
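The authority model described in the sections above (object and data authorities, the *USE/*CHANGE/*ALL/*EXCLUDE abbreviations, *PUBLIC authority, authorization lists, and adopted authority) can be modelled in a few dozen lines. The following is an added illustration written for this page; it is not IBM code and not a description of the exact IBM i checking algorithm. Assumptions: the search order user, then groups, then *PUBLIC, with the first specific authority found deciding the outcome (the real system also sums group authorities); the required-authority table for a handful of operations is taken from the text; names such as PAYROLL, PAYLST, ALICE and PAYOWN are constructed for the scenario.

```python
from __future__ import annotations
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Union

# Individual object and data authorities named in the text.
OBJECT_AUTHS = {"*OBJOPR", "*OBJEXIST", "*OBJMGT", "*OBJALTER", "*AUTLMGT", "*OBJREF"}
DATA_AUTHS = {"*READ", "*ADD", "*DLT", "*UPD", "*EXECUTE"}

# System-defined abbreviations expanded to the authorities they stand for.
ABBREVIATIONS: Dict[str, Set[str]] = {
    "*ALL": OBJECT_AUTHS | DATA_AUTHS,        # the object and its data
    "*CHANGE": {"*OBJOPR"} | DATA_AUTHS,      # all data rights, no object management
    "*USE": {"*OBJOPR", "*READ", "*EXECUTE"},
    "*EXCLUDE": set(),                        # an explicit "no access"
}

# Combinations needed for a few operations (from the text: *OBJOPR is needed to
# open a file, so it accompanies the data right; deleting an object needs *OBJEXIST).
REQUIRED: Dict[str, Set[str]] = {
    "read_record": {"*OBJOPR", "*READ"},
    "update_record": {"*OBJOPR", "*UPD"},
    "delete_record": {"*OBJOPR", "*DLT"},
    "run_program": {"*OBJOPR", "*EXECUTE"},
    "delete_object": {"*OBJEXIST"},
}


def expand(auth: Union[str, Set[str]]) -> Set[str]:
    """Expand an abbreviation such as *USE; pass a set of specific authorities through."""
    if isinstance(auth, str):
        return set(ABBREVIATIONS[auth]) if auth in ABBREVIATIONS else {auth}
    return set(auth)


@dataclass
class AuthList:
    """Authorization list: principal (user or group) -> authority."""
    name: str
    entries: Dict[str, str] = field(default_factory=dict)


@dataclass
class SecuredObject:
    name: str
    owner: str
    public: str = "*EXCLUDE"                                  # *PUBLIC authority
    private: Dict[str, str] = field(default_factory=dict)     # private authorities
    authlist: Optional[AuthList] = None                       # at most one list per object


@dataclass
class User:
    name: str
    groups: List[str] = field(default_factory=list)


def _specific_authority(obj: SecuredObject, principal: str) -> Optional[str]:
    """One principal's private authority, else its entry on the object's authorization list."""
    if principal in obj.private:
        return obj.private[principal]
    if obj.authlist is not None and principal in obj.authlist.entries:
        return obj.authlist.entries[principal]
    return None


def effective_authority(user: User, obj: SecuredObject) -> Set[str]:
    """Authorities the user has to the object on their own: the user's own specific
    authority, then each group's, and *PUBLIC only when none was found. A private
    *EXCLUDE therefore yields no access even if a group is authorized (assumption)."""
    for principal in [user.name, *user.groups]:
        found = _specific_authority(obj, principal)
        if found is not None:
            return expand(found)
    return expand(obj.public)


def authority_while_running(user: User, obj: SecuredObject,
                            program_owner: Optional[User] = None) -> Set[str]:
    """Authorities in effect while the user runs a program. If the program adopts its
    owner's authority, the owner's authorities to the object are added for the duration."""
    auths = effective_authority(user, obj)
    if program_owner is not None:
        auths |= effective_authority(program_owner, obj)
    return auths


def can(auths: Set[str], operation: str) -> bool:
    return REQUIRED[operation] <= auths


# Constructed scenario: a payroll file secured by an authorization list.
PAYLST = AuthList("PAYLST", {"AUDITORS": "*USE", "HRCLERKS": "*CHANGE"})
PAYOWN = User("PAYOWN")
PAYROLL = SecuredObject("PAYROLL", owner="PAYOWN", public="*EXCLUDE",
                        private={"PAYOWN": "*ALL", "BOB": "*EXCLUDE"}, authlist=PAYLST)
ALICE = User("ALICE", groups=["AUDITORS"])
BOB = User("BOB", groups=["HRCLERKS"])   # private *EXCLUDE wins over the group's *CHANGE
CAROL = User("CAROL")                    # no authority; relies on an adopting program


def demo() -> Dict[str, bool]:
    """Outcomes of the model for the scenario above."""
    return {
        "alice_read": can(effective_authority(ALICE, PAYROLL), "read_record"),
        "alice_delete_record": can(effective_authority(ALICE, PAYROLL), "delete_record"),
        "bob_read": can(effective_authority(BOB, PAYROLL), "read_record"),
        "carol_delete_object": can(effective_authority(CAROL, PAYROLL), "delete_object"),
        "carol_delete_object_adopted": can(
            authority_while_running(CAROL, PAYROLL, program_owner=PAYOWN), "delete_object"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The last two entries of demo() show why adopted authority deserves review: CAROL has no authority to PAYROLL at all, yet while running a program that adopts PAYOWN's authority she holds *ALL, including *OBJEXIST. The audit journal's "obtaining authority from programs which adopt" event class exists precisely to make such moments visible.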
Audit Journal
The Security Audit Journal is a facility that allows security-related events to be logged in a controlled way that cannot be bypassed. The following are some of the events that may be logged:
· Authorization failures
· Object creations
· Object deletions
· Changes to jobs
· Move or rename of objects
· Changes to system distribution directory or office mail actions
· Obtaining authority from programs which adopt
· System security violations
· Printing actions, both spooled and direct print
· Actions on spooled file data
· Restore operations
· Changes to user profiles, system values or network attributes
· Use of service tools
· System management functions
· Users' access to audited objects
· CL command strings
Information from the audit journal can be extracted into a database file, then examined by an auditor using a tool such as Query/400 to locate security violations or exposures.
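As an added example of the kind of review the paragraph above describes, the following script scans a small extract of audit journal entries and reports the conditions an auditor would look for first: repeated authorization failures by one user, security-relevant changes (user profile and system value changes) made by someone outside the expected administrators, and programs changed to adopt authority. It is illustration written for this page, not an IBM tool. The entry type codes AF, CO, DO, PA, CP, SV and CD are IBM i audit journal entry types, but the column layout of the extract and every row in it are constructed for the example and do not match the real DSPJRN outfile format; the administrator list and the failure threshold are assumptions to be tuned locally.

```python
import csv
import io
from collections import Counter
from typing import Dict, List, Tuple

# Constructed sample extract (not a real DSPJRN outfile). Columns are assumed.
SAMPLE_EXPORT = """\
timestamp,entry_type,user,job,object,detail
2024-03-01 08:01:10,AF,JSMITH,QPADEV0001,PAYROLL,not authorized to file
2024-03-01 08:01:12,AF,JSMITH,QPADEV0001,PAYROLL,not authorized to file
2024-03-01 08:01:15,AF,JSMITH,QPADEV0001,HRMASTER,not authorized to file
2024-03-01 08:02:00,CD,JSMITH,QPADEV0001,,DSPOBJAUT OBJ(PAYROLL)
2024-03-01 09:15:00,CP,QSECOFR,QPADEV0002,AUDITOR1,user profile changed
2024-03-01 09:30:00,SV,RLEE,QPADEV0003,QSECURITY,system value changed
2024-03-01 10:00:00,PA,RLEE,QPADEV0003,PAYRPT,program changed to adopt authority
2024-03-01 10:05:00,DO,BATCH,QBATCH,TMPFILE,object deleted
2024-03-01 10:06:00,CO,BATCH,QBATCH,TMPFILE2,object created
"""

# Audit journal entry types used below (IBM i codes; descriptions abbreviated).
ENTRY_TYPES = {
    "AF": "authority failure",
    "CO": "create object",
    "DO": "delete object",
    "PA": "program changed to adopt authority",
    "CP": "user profile changed",
    "SV": "system value changed",
    "CD": "command string",
}

Finding = Tuple[str, str, object]   # (finding kind, user, detail)


def parse_export(text: str) -> List[Dict[str, str]]:
    """Read the extract into one dict per journal entry."""
    return list(csv.DictReader(io.StringIO(text)))


def authority_failures_by_user(entries: List[Dict[str, str]]) -> Counter:
    """Count AF (authority failure) entries per user."""
    return Counter(e["user"] for e in entries if e["entry_type"] == "AF")


def review(entries: List[Dict[str, str]], *,
           admin_users: Tuple[str, ...] = ("QSECOFR",),   # assumed expected administrators
           af_threshold: int = 3) -> List[Finding]:
    """Return findings an auditor would want to follow up on."""
    findings: List[Finding] = []
    # Repeated authorization failures suggest probing or a misconfigured job.
    for user, count in authority_failures_by_user(entries).items():
        if count >= af_threshold:
            findings.append(("repeated-authority-failures", user, count))
    for e in entries:
        # Profile and system value changes should come only from known administrators.
        if e["entry_type"] in ("CP", "SV") and e["user"] not in admin_users:
            findings.append(("security-change-by-non-admin", e["user"], e["object"]))
        # Every program newly set to adopt authority deserves a look (see Adopted Authority).
        if e["entry_type"] == "PA":
            findings.append(("program-adopts-authority", e["user"], e["object"]))
    return findings


if __name__ == "__main__":
    for kind, user, detail in review(parse_export(SAMPLE_EXPORT)):
        print(f"{kind:32} {user:10} {detail}")
```

On a real system the extract would come from the audit journal receivers (the text mentions extracting into a database file and querying it with Query/400); the review logic stays the same once the column names are mapped.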
Authority Holder
An authority holder is an object that specifies and reserves an authority to a program-described database file before the file is created. When the file is created, the authority specified in the holder is linked to the file. The authority holder is for use mainly in the System/36 Environment.
Physical Security
Physical and procedural security controls provide the basis on which other controls such as software security are built. In addition to physical access control and output distribution procedures, which are necessary controls in any computing environment and therefore not mentioned here, the AS/400 has two unique hardware features, which are important for physical security:
· System Keylock - to enable or disable certain system service functions
· Display Station functions - keylock, and play/record keys
The History Log (QHST)
The history log (QHST) contains a subset of messages that are sent about system operational events to the system operator message queue. Some messages relating to system security are written in the system history log. However, this function is now
User Profiles contain information describing a system user, that user's privileges and limitations when using the system, and lists of objects the user owns or is authorized to use. For objects owned by a user, the profile also contains lists of other users' authorizations to those objects.