QIBM_RUN_UNDER_USER_NO_AUTH function usage ID

The Run under a user without authentication (QIBM_RUN_UNDER_USER_NO_AUTH) function usage ID prevents a user profile from being the target of an operation that another user profile initiates without having authenticated as the target user.

The default access for the function usage ID is *ALLOWED for all users, and that default cannot be changed to *DENIED. When a user profile is added to the list as *DENIED, operations with that user profile as the target fail. This function ID is unique in that it does not restrict the actions of the user profile listed as *DENIED; it restricts other user profiles from using that user profile as a target. This protects the integrity of actions performed by the listed user by preventing another user with *ALLOBJ special authority from running as them.

The protections provided by QIBM_RUN_UNDER_USER_NO_AUTH are intended for interactive user profiles that require credentials for authentication. Administrators should not restrict batch-only user profiles from having access to the function ID.

The interfaces that fail when a user profile is denied access to the QIBM_RUN_UNDER_USER_NO_AUTH function ID are listed under IBM-supplied function IDs; search that page for QIBM_RUN_UNDER_USER_NO_AUTH.

To deny users access to the QIBM_RUN_UNDER_USER_NO_AUTH function usage ID, use one of the following interfaces:
  • Change Function Usage (CHGFCNUSG) command.
  • In IBM Navigator for i, expand Security > MFA Configuration and click Users.
    • Clear the filter value from the MFA Key Exists filter and select Apply.
    • Users that have already been denied access to the function ID show DENIED in the Impersonation column. Users that are using the default access show ALLOWED in the column.
    • To change the access for a user, right-click the user and select Properties.
    • Select the check box for Restrict the ability to impersonate this user profile without first doing authentication, which sets the function usage ID QIBM_RUN_UNDER_USER_NO_AUTH to DENIED for this profile.
    • Click OK.

Note: The QIBM_RUN_UNDER_USER_NO_AUTH function ID does not require that MFA be enabled or used on the system. It is recommended for use in conjunction with user profiles that have an authentication method of *TOTP; however, any interactive user profile can be protected.
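The following SQL script is an added example and is not part of the IBM documentation above. It shows the CHGFCNUSG command from the list being driven through the QSYS2.QCMDEXC procedure, then verifies the entry and lists interactive profiles that are still unprotected. It assumes the QSYS2.QCMDEXC procedure and the QSYS2.FUNCTION_USAGE and QSYS2.USER_INFO SQL services are available on the release in use, and that the column names match those documented for the services; the user profile JILL is the one from Example 1 below.

```sql
-- Added example (not from the IBM page): deny impersonation of JILL and verify.
-- Assumes QSYS2.QCMDEXC, QSYS2.FUNCTION_USAGE and QSYS2.USER_INFO exist on this release.

-- 1. Same effect as typing the CL command at a command line:
--    CHGFCNUSG FCNID(QIBM_RUN_UNDER_USER_NO_AUTH) USER(JILL) USAGE(*DENIED)
CALL QSYS2.QCMDEXC(
  'CHGFCNUSG FCNID(QIBM_RUN_UNDER_USER_NO_AUTH) USER(JILL) USAGE(*DENIED)');

-- 2. Confirm the entry. Expect a row for JILL with USAGE = DENIED and USER_TYPE = USER.
SELECT USER_NAME, USAGE, USER_TYPE
  FROM QSYS2.FUNCTION_USAGE
 WHERE FUNCTION_ID = 'QIBM_RUN_UNDER_USER_NO_AUTH';

-- 3. Coverage check: enabled profiles that hold a password (and so can be
--    authenticated interactively) but are not yet denied as an impersonation target.
--    Profiles with PASSWORD(*NONE), the usual shape of a batch-only profile, are
--    excluded on purpose because the page says they should not be denied.
SELECT U.AUTHORIZATION_NAME, U.SPECIAL_AUTHORITIES
  FROM QSYS2.USER_INFO U
 WHERE U.STATUS = '*ENABLED'
   AND U.NO_PASSWORD_INDICATOR = 'NO'
   AND NOT EXISTS (
         SELECT 1
           FROM QSYS2.FUNCTION_USAGE F
          WHERE F.FUNCTION_ID = 'QIBM_RUN_UNDER_USER_NO_AUTH'
            AND F.USER_NAME   = U.AUTHORIZATION_NAME
            AND F.USAGE       = 'DENIED')
 ORDER BY U.AUTHORIZATION_NAME;

-- 4. To allow impersonation of JILL again (records an explicit ALLOWED entry,
--    which matches the default that applies to every profile not on the list):
--    CHGFCNUSG FCNID(QIBM_RUN_UNDER_USER_NO_AUTH) USER(JILL) USAGE(*ALLOWED)
```

Run the script from an SQL session with a profile that is authorized to CHGFCNUSG. Query 3 is the useful recurring check: any row it returns is a profile with a password that an *ALLOBJ user could still run as through QSYGETPH with *NOPWD or SBMJOB USER(...), so review each one and decide whether it should be denied.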

Example 1

User profile JILL is on the QIBM_RUN_UNDER_USER_NO_AUTH function usage list with a value of *DENIED.

User SAM has *ALLOBJ special authority and is trying to get a profile handle for JILL using the QSYGETPH API, specifying *NOPWD for the password parameter. Because a special value is used for the password, no authentication for the target user profile, JILL, is performed. Therefore, since JILL has a value of *DENIED on the QIBM_RUN_UNDER_USER_NO_AUTH function usage list, the operation fails with error message CPF4AF1 – Operation not allowed for user profile JILL.

Example 2

User profile MIKE is on the QIBM_RUN_UNDER_USER_NO_AUTH function usage list with a value of *DENIED.

User SAM is trying to submit a job to run as user MIKE by specifying USER(MIKE) on the SBMJOB command. No authentication is performed for user MIKE because no password is required. Since MIKE has a value of *DENIED on the QIBM_RUN_UNDER_USER_NO_AUTH function usage list, the operation fails with error message CPF4AF1 – Operation not allowed for user profile MIKE.