Security levels

Security on your system is arranged in a series of levels, with each level offering a greater degree of security and protection of your data than the previous level.

You choose how much security the system enforces by setting the security level (QSECURITY) system value. IBM i supports these fully integrated system security levels:

  • Level 10: Password security

    At security level 10, you have no security protection. Therefore, security level 10 is not recommended. Running at this security level is both a security and integrity risk as you do not have the protection of the higher security levels, 40 and 50, activated and being enforced.

  • Level 20: Password security

    At this security level, users who need to access the system must have a password and user ID that the system recognizes. The system administrator creates both the user ID and initial password for users. This level of security allows users total authority to do anything they want on the system, which means that all users can access all data, files, objects, and so on, on your system because all users have *ALLOBJ special authority. Therefore, security level 20 is not recommended. Running at this security level is both a security and integrity risk as you do not have the protection of the higher security levels, 40 and 50, activated and being enforced.

  • Level 30: Password and resource security

    Level 30 provides more security functions in addition to what is provided at level 20. Users must have specific authority to use resources on the system. Users do not have automatic access to everything on the system and the system administrator must define a valid user ID and password for them. User access is limited by the security policies of the business. Level 30 is not considered a secure level as the integrity protection features available on security level 40 and 50 are not activated at security level 30. Running at this security level is both a security and integrity risk as you do not have the protection of the higher security levels, 40 and 50, activated and being enforced.

  • Level 40: Integrity protection

    At this security level, resource security and integrity protection are enforced, and the system itself is protected against users. Integrity protection functions, such as the validation of parameters for interfaces to the operating system, help protect your system and the objects on it from tampering by experienced system users. For example, user-written programs cannot directly access the internal control blocks through pointer manipulation. Level 40 is the default security level for every new installation and is the recommended security level for most installations.

  • Level 50: Advanced integrity protection

    At this security level, advanced integrity protection is added to the resource security and level 40 integrity protection enforcement. Advanced integrity protection includes further restrictions, such as the restriction of message-handling between system state programs and user state programs. Not only is the system protected against user-written programs, but users also have access only to data on the system, not to information about the system itself. This offers greater security against anyone attempting to learn about your system. Level 50 is the recommended level of security for most businesses, because it offers the highest level of security currently possible. Also, level 50 is the required level for C2, FIPS-140, and Common Criteria certifications.
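To check which level a system is running at, the following added example (not part of the original page) reads QSECURITY through SQL and rates it using the descriptions above, then lists the profiles that hold *ALLOBJ, the authority every user has at level 20. It assumes the IBM i services QSYS2.SYSTEM_VALUE_INFO and QSYS2.USER_INFO are available on your release and that you are authorized to query them.

```sql
-- Added example for Db2 for i (for instance from ACS Run SQL Scripts).
-- Query 1: report the active QSECURITY level and how this page rates it.
-- The value is read from whichever of the two value columns is populated.
WITH lvl AS (
  SELECT COALESCE(CURRENT_NUMERIC_VALUE,
                  INTEGER(TRIM(CURRENT_CHARACTER_VALUE))) AS security_level
    FROM QSYS2.SYSTEM_VALUE_INFO
   WHERE SYSTEM_VALUE_NAME = 'QSECURITY'
)
SELECT security_level,
       CASE
         WHEN security_level = 50
           THEN 'Advanced integrity protection enforced'
         WHEN security_level = 40
           THEN 'Resource security and integrity protection enforced'
         WHEN security_level = 30
           THEN 'Resource security only: integrity protection not active'
         WHEN security_level = 20
           THEN 'Not recommended: all users have *ALLOBJ'
         ELSE 'Not recommended: no security protection'
       END AS assessment
  FROM lvl;

-- Query 2: profiles holding *ALLOBJ special authority.
-- At level 20 this is every user; at level 30 and above the list should
-- contain only the profiles your security policy allows.
SELECT AUTHORIZATION_NAME,
       STATUS,
       USER_CLASS_NAME,
       SPECIAL_AUTHORITIES
  FROM QSYS2.USER_INFO
 WHERE SPECIAL_AUTHORITIES LIKE '%*ALLOBJ%'
 ORDER BY AUTHORIZATION_NAME;
```

A change to QSECURITY takes effect at the next IPL, so rerun the first query after the IPL to confirm the level actually in force.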