ibmi-brunch-learn

Auditing / Security: need help with important questions!


    Hello guys!

    My name is Math!

    I am trying to learn more about critical security aspects of the AS/400.
    I have important questions that I'd like to get your input on.

    I am still learning, 20 years old, and I understand that your time is very valuable; even if your answers are short, I will benefit a lot from them.

    Thanks a million in advance!

    Please note that I ask these questions having already read hundreds of pages of articles on AS/400 and IBM security...

    1. Let's say command XYZ has *PUBLIC set to *EXCLUDE. If I have access to the command line and not *ALLOBJ, I cannot access that command, right? If I have *ALLOBJ or belong to the authorization list, then I can launch it?

    2. Second question: if a user has full access to the command line (Limit capabilities = *NO), but does not have *ALLOBJ or *SECADM, can that user still create profiles or change security? What can that user do with the command line that would be risky?

    3. Third question: a lot of people usually argue about this: if the user only has *SECADM and not *ALLOBJ, that user cannot create profiles or modify security. I don't agree, but I want to make sure I get the right answer. A user with *ALLOBJ and not *SECADM cannot CHGUSRPRF, but could he ultimately find a way to obtain *SECADM?

    4. Let's say you have 3 libraries which contain the source, data and financial files and programs. You have a tool called Turnover to put changes into production. Only IBM can have level 40+ and put the changes into production. However, when I look at the authorities on those 3 libraries, I see *PUBLIC set to *CHANGE and other groups. Does that mean anybody can access those libraries and change the data (source and financial)? Is the tool then useless? What's the nuance here in terms of authority at the library level vs. the change tools Turnover or Implementer?

    5. Say I have a financial system, the G/L application, that resides on that AS/400 server. If I want to look at the authorities on the financial data, does that mean I have to look at the source libraries? Are those the same libraries as the financial data, or is the source purely for changing the application code only?

    6. If I have users with *ALLOBJ but no access to the command line, how does the user access those *any* objects on the server or app? Do you agree that that user could also manage to get a CL? If I look at a client's screen and they say "yeah I have allobj but see? I don't have a CL and my menu shows only 2-3 options... so how do you think I'd access all of the objects on the server even though I have *ALLOBJ?"

    THANKS SO MUCH IN ADVANCE!
    Truly appreciate it.
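The following is an added worked example, not part of the post above and not anything its author wrote. It models, in Python, the order in which IBM i decides whether a user is authorized to an object (the user's *ALLOBJ special authority, then the user's private authority, then the user's entry on the object's authorization list, then the same three checks for each group profile, then *PUBLIC), and it keeps the library check separate from the file check, which is the nuance behind questions 1, 4 and 6. The model is deliberately simplified: group authority is first-match rather than accumulated, and adopted authority is left out. Profile names (ALICE, BOB, CAROL, DAVE, GRPFIN), the authorization list FINAUTL and the objects XYZ, GLLIB, GLMAST and GLWORK are all made up for the scenario.

```python
"""Simplified model of the IBM i (AS/400) object-authority search.

Added example for illustration. It reproduces the documented search order
and the separation of library authority from object authority. Simplifications:
group authority is first-match (real IBM i accumulates it across groups),
adopted authority and *AUTLMGT are ignored. All names are constructed.
"""
from dataclasses import dataclass, field
from typing import Optional

# Object and data authorities implied by each system-defined level.
LEVELS = {
    "*ALL": {"*OBJOPR", "*OBJMGT", "*OBJEXIST", "*OBJALTER", "*OBJREF",
             "*READ", "*ADD", "*UPD", "*DLT", "*EXECUTE"},
    "*CHANGE": {"*OBJOPR", "*READ", "*ADD", "*UPD", "*DLT", "*EXECUTE"},
    "*USE": {"*OBJOPR", "*READ", "*EXECUTE"},
    "*EXCLUDE": set(),
}


@dataclass
class UserProfile:
    name: str
    special: set = field(default_factory=set)    # special authorities, e.g. {"*ALLOBJ", "*SECADM"}
    groups: list = field(default_factory=list)   # GRPPRF / SUPGRPPRF names
    lmtcpb: str = "*NO"                          # limit capabilities: *NO, *PARTIAL or *YES


@dataclass
class AuthList:
    name: str
    entries: dict                                # profile name or "*PUBLIC" -> level


@dataclass
class Obj:
    name: str
    private: dict = field(default_factory=dict)  # private authorities: profile name -> level
    public: str = "*EXCLUDE"                     # *PUBLIC level, or "*AUTL" to defer to the list
    autl: Optional[AuthList] = None


def effective_authority(user: UserProfile, obj: Obj, profiles: dict) -> str:
    """Authority level the search settles on for user -> obj (hypothetical model)."""
    if "*ALLOBJ" in user.special:
        return "*ALL"                            # *ALLOBJ short-circuits the whole search
    if user.name in obj.private:
        return obj.private[user.name]            # a private *EXCLUDE also ends the search here
    if obj.autl and user.name in obj.autl.entries:
        return obj.autl.entries[user.name]
    for g in user.groups:                        # simplified: first group with an entry wins
        grp = profiles[g]
        if "*ALLOBJ" in grp.special:
            return "*ALL"
        if g in obj.private:
            return obj.private[g]
        if obj.autl and g in obj.autl.entries:
            return obj.autl.entries[g]
    if obj.public == "*AUTL":
        return obj.autl.entries.get("*PUBLIC", "*EXCLUDE") if obj.autl else "*EXCLUDE"
    return obj.public


def is_authorized(user: UserProfile, obj: Obj, required: set, profiles: dict) -> bool:
    return required <= LEVELS[effective_authority(user, obj, profiles)]


def can_run_command(user: UserProfile, cmd: Obj, profiles: dict) -> bool:
    """Running a command needs *USE on the *CMD object, whatever interface invokes it."""
    return is_authorized(user, cmd, LEVELS["*USE"], profiles)


def can_type_on_command_line(user: UserProfile) -> bool:
    """LMTCPB only gates command entry from a command line; it is not an object check,
    so an *ALLOBJ user with LMTCPB(*YES) still passes every authority check via
    other interfaces (ODBC/JDBC, FTP, remote command, and so on)."""
    return user.lmtcpb == "*NO"


def can_update_file(user: UserProfile, lib: Obj, fil: Obj, profiles: dict) -> bool:
    """Opening a file for update needs *EXECUTE on the library and *OBJOPR + *UPD on
    the file. The library's *PUBLIC level alone does not decide access to the data."""
    return (is_authorized(user, lib, {"*EXECUTE"}, profiles)
            and is_authorized(user, fil, {"*OBJOPR", "*UPD"}, profiles))


# Constructed scenario mirroring the questions in the post.
FINAUTL = AuthList("FINAUTL", {"CAROL": "*USE", "*PUBLIC": "*EXCLUDE"})
PROFILES = {
    "ALICE": UserProfile("ALICE"),                                  # ordinary user, full command line
    "BOB": UserProfile("BOB", special={"*ALLOBJ"}, lmtcpb="*YES"),  # *ALLOBJ but menu-only (question 6)
    "CAROL": UserProfile("CAROL"),                                  # on the authorization list
    "DAVE": UserProfile("DAVE", groups=["GRPFIN"]),                 # authority via group profile
    "GRPFIN": UserProfile("GRPFIN"),
}
XYZ = Obj("XYZ", public="*EXCLUDE", autl=FINAUTL)                   # question 1: *PUBLIC *EXCLUDE command
GLLIB = Obj("GLLIB", public="*CHANGE")                              # question 4: library at *CHANGE
GLMAST = Obj("GLMAST", private={"GRPFIN": "*CHANGE"}, public="*USE")  # data file is tighter than its library
GLWORK = Obj("GLWORK", public="*CHANGE")                            # this file really is open to everyone

if __name__ == "__main__":
    for u in ("ALICE", "BOB", "CAROL"):
        print(u, "runs XYZ:", can_run_command(PROFILES[u], XYZ, PROFILES))
    for u in ("ALICE", "DAVE", "BOB"):
        print(u, "updates GLMAST:", can_update_file(PROFILES[u], GLLIB, GLMAST, PROFILES))
```

Running the scenario shows the points the questions circle around: ALICE is stopped by *PUBLIC *EXCLUDE on XYZ while CAROL (authorization list) and BOB (*ALLOBJ) are not; BOB's LMTCPB(*YES) removes his command line but not his authority to any object; and with GLLIB at *PUBLIC *CHANGE, whether a plain user can change data still comes down to the authority on each file inside it (GLMAST no, GLWORK yes). A change-management tool adds process control on top of object authority; it does not replace the authority check on the production files themselves.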