IBM Support

Restoring Authorization to Objects Secured by Authorization Lists in QSYS

Troubleshooting


Problem

This document shows how to restore authorization to objects secured by authorization lists in QSYS.

Resolving The Problem

During a recent disaster recovery test at our host site, users lost authority to commands that are stored in library QSYS. Why did this happen?

You may use an authorization list to secure IBM-supplied objects in library QSYS. For example, you may want to restrict the use of certain commands to a few users. However, when you perform a complete system recovery, the links between your authorization list and the objects in QSYS are lost.

The only way to restore authorization lists is to restore all user profiles by using the RSTUSRPRF USRPRF(*ALL) command. However, this command will not automatically restore associations between authorization lists and objects in library QSYS because during a complete system recovery, the QSYS library objects are restored before the authorization lists. Each object contains the name of the authorization list it is associated with, but the actual authorization lists are stored with the user profiles. Because the authorization lists are not yet on the system when library QSYS is restored, the associations remain lost.

To re-establish an association between an IBM-supplied object and an authorization list after you recover your system, use the Edit Object Authority (EDTOBJAUT) or Grant Object Authority (GRTOBJAUT) command.

Note: Starting in R730, the links to objects secured with authorization lists in QSYS are preserved and a user will no longer have to run the programs in this document to link the objects in library QSYS to the authorization lists.

The enhancements in R730 are as follows:

o Authorization list links are preserved for objects in QSYS.
o The Save System (SAVSYS) and Save Security Data (SAVSECDTA) commands now save an internal list of the objects in library QSYS that are linked to authorization lists. This increases the duration of the SAVSYS and SAVSECDTA commands.
o The Restore User Profile commands RSTUSRPRF USRPRF(*ALL) and RSTUSRPRF USRPRF(*NEW) restore the internal list.
o The Restore Authority (RSTAUT) command links the objects in library QSYS to the authorization lists if they are not already linked.

Limitations of Authorization Lists

Authorization lists can be used for objects stored in library QSYS, but special considerations are needed for a total system recovery for these objects. In the event the system must be reloaded, the objects in library QSYS are not attached to an authorization list. The objects are restored with the installation, but the authorization lists are not restored until later when you perform a Restore User Profiles (RSTUSRPRF). Because the objects in library QSYS are restored before the authorization lists, the objects are not associated with the authorization lists.



Special planning is required as part of the system backup procedure to reattach objects in QSYS. Prior to the system backup, a database file that lists all the objects on authorization lists must be produced. This can be done using the program ALLAUTL1 described below.

If you need to perform a total system restore, the objects in library QSYS can be reattached to their authorization list after the authorization lists have been restored (RSTUSRPRF). The information in the file can be used to attach objects back to the authorization lists. The program FIXAUTL1 illustrates the use of this file to reattach objects to authorization lists.

The following programs can be used to attach authorization lists when objects are restored on a different system or when objects are restored in library QSYS because of a total system rebuild. The security officer runs the ALLAUTL command before the save operation; it creates a database file listing all objects on all authorization lists. That database file is saved and then restored to the target system, where the FIXAUTL command attaches the objects to their authorization lists.

Caution: This document contains code made available by IBM Corporation on an as is basis. Anyone receiving this document is considered to be licensed under IBM copyrights to use the IBM-provided source code in any way he or she deems fit, including copying it, compiling it, modifying it, and redistributing it, with or without modifications. No license under any IBM patents or patent applications is to be implied from this copyright license.

A save file containing the programs ALLAUTL1 and FIXAUTL1 as well as the commands ALLAUTL and FIXAUTL has been included with this document. You should FTP the attached save file in binary mode to your system and then restore the objects with the following command.

RSTOBJ OBJ(*ALL) SAVLIB(QGPL) DEV(*SAVF) SAVF(QGPL/FIXAUTL)

After restoring these objects, you can then use the ALLAUTL and FIXAUTL commands to reattach objects to authorization lists.

After running the FIXAUTL command, you may receive a message such as CPF9898 - "00025 Objects not attached 04715 Objects attached to authorization list". The first count is the number of objects that could not be attached; the second is the number that were attached.

Note: It is the responsibility of the customer to investigate the objects not attached, if any, by reviewing the joblog.
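The backup-side and recovery-side sequence the document describes, as an added example that is not part of IBM's document or save file; the file QGPL/AUTLOBJS, the device TAP01 and the authorization list CMDAUTL are assumed placeholders.

```cl
/* Added example (not IBM's code): the backup-side and recovery-side  */
/* sequence around ALLAUTL and FIXAUTL. QGPL/AUTLOBJS, device TAP01   */
/* and the list name CMDAUTL are assumed placeholders.                */

/* ---- Backup side: run as security officer before the full save --- */
             ALLAUTL    OUTFILE(QGPL/AUTLOBJS)
/* AUTLOBJS is an ordinary physical file (format QADALO), so it is    */
/* saved like any other object and can be carried to another system. */
             SAVOBJ     OBJ(AUTLOBJS) LIB(QGPL) DEV(TAP01)
             SAVSECDTA  DEV(TAP01)

/* ---- Recovery side: after the system is reloaded from SAVSYS ----- */
/* 1. The authorization lists come back with the user profiles.       */
             RSTUSRPRF  USRPRF(*ALL) DEV(TAP01)
/* 2. Bring back the object list and the FIXAUTL tooling. Create the  */
/*    empty save file first, FTP the attached file into it in binary  */
/*    mode, then restore from it.                                     */
             RSTOBJ     OBJ(AUTLOBJS) SAVLIB(QGPL) DEV(TAP01)
             CRTSAVF    FILE(QGPL/FIXAUTL)
             RSTOBJ     OBJ(*ALL) SAVLIB(QGPL) DEV(*SAVF) +
                          SAVF(QGPL/FIXAUTL)
/* 3. Relink every object in the list. FIXAUTL1 also sets *PUBLIC to  */
/*    *AUTL on each object and ends with CPF9898 giving the counts.   */
             FIXAUTL    FILE(QGPL/AUTLOBJS)
/* 4. Private authorities are restored after all libraries are back.  */
             RSTAUT

/* ---- Check: the list should show its objects again, and the job    */
/* ---- log names any object that was not attached.                   */
             DSPAUTLOBJ AUTL(CMDAUTL)
             DSPJOBLOG
```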


Attachment: fixautl (save file)

The source for the ALLAUTL1 and FIXAUTL1 programs, and for the ALLAUTL and FIXAUTL commands, can be found below.

ALLAUTL1 - List All Objects on AUTL

             PGM        PARM(&PARM1)
/**********************************************************************/
/* ALLAUTL1-- This program creates a database file with all of the    */
/*            object names on the authorization lists.  This database */
/*            file can be used as input to the FIXAUTL1 program to    */
/*            associate objects with an authorization list when they  */
/*            are restored on a system that was not the same system   */
/*            used to save the objects.                               */
/* INPUT  --  Name of the OUTFILE                                     */
/* OUTPUT --  Name of the file containing lists of objects and their  */
/*            associated authorization list                           */
/* NOTE   --  Program MUST be run by a user with *ALLOBJ authority    */
/**********************************************************************/
             DCL        VAR(&MSGID) TYPE(*CHAR) LEN(7)
             DCL        VAR(&MSGDTA) TYPE(*CHAR) LEN(50)
             DCL        VAR(&MSGF) TYPE(*CHAR) LEN(10)
             DCL        VAR(&MSGLIB) TYPE(*CHAR) LEN(10)
             DCL        VAR(&RTNTYPE) TYPE(*CHAR) LEN(2)
             DCL        VAR(&ERROR) TYPE(*LGL)
/* &PARM1 is the qualified outfile: 10-char name, then 10-char library*/
             DCL        VAR(&PARM1) TYPE(*CHAR) LEN(20)
             DCL        VAR(&OUTFILE) TYPE(*CHAR) LEN(10)
             DCL        VAR(&OUTLIB) TYPE(*CHAR) LEN(10)
             DCL        VAR(&MBROPT) TYPE(*CHAR) LEN(10) +
                          VALUE(*REPLACE)
/* QADSPOBJ is the DSPOBJD outfile format; &ODOBNM is the object name */
             DCLF       FILE(QADSPOBJ)
       /************** START OF PROGRAM **************/
             MONMSG     MSGID(CPF0000) EXEC(GOTO CMDLBL(ERROR))
             CHGVAR     VAR(&OUTFILE) VALUE(%SST(&PARM1 1 10))
             CHGVAR     VAR(&OUTLIB) VALUE(%SST(&PARM1 11 10))
/* All authorization lists reside in QSYS; list them to a work file   */
             DSPOBJD    OBJ(QSYS/*ALL) OBJTYPE(*AUTL) +
                          OUTPUT(*OUTFILE) OUTFILE(QTEMP/AUTL)
             OVRDBF     FILE(QADSPOBJ) TOFILE(QTEMP/AUTL)
/* For each list, write its objects to the caller's outfile. The first*/
/* DSPAUTLOBJ replaces the member; every later one adds to it.        */
READ:        RCVF
             MONMSG     MSGID(CPF0864) EXEC(GOTO CMDLBL(EOF))
             DSPAUTLOBJ AUTL(&ODOBNM) OUTPUT(*OUTFILE) +
                          OUTFILE(&OUTLIB/&OUTFILE) OUTMBR(*FIRST +
                          &MBROPT)
             MONMSG     MSGID(CPF6250 CPF9800) EXEC(GOTO CMDLBL(READ))
             CHGVAR     VAR(&MBROPT) VALUE('*ADD')
             GOTO       CMDLBL(READ)
EOF:         GOTO       CMDLBL(EXIT)
ERROR:  /******************* ERROR HANDLING ROUTINE ************/
/* If the handler itself fails, &ERROR is already set: just exit.     */
             IF         COND(&ERROR) THEN(GOTO CMDLBL(EXIT))
             CHGVAR     VAR(&ERROR) VALUE('1')
/* Forward each queued message as a diagnostic, then resend the       */
/* escape message so the caller sees the real failure.                */
RECEIVE:     RCVMSG     MSGTYPE(*ANY) MSGDTA(&MSGDTA) MSGID(&MSGID) +
                          RTNTYPE(&RTNTYPE) MSGF(&MSGF) +
                          MSGFLIB(&MSGLIB)
             IF         COND(&RTNTYPE *NE '15') THEN(DO)  /* NOT +
                               ESCAPE MESSAGE       */
             SNDPGMMSG  MSGID(&MSGID) MSGF(&MSGF) MSGDTA(&MSGDTA) +
                          MSGTYPE(*DIAG)
             GOTO       CMDLBL(RECEIVE)
             ENDDO
             SNDPGMMSG  MSGID(&MSGID) MSGF(&MSGF) MSGDTA(&MSGDTA) +
                          MSGTYPE(*ESCAPE)
EXIT:        ENDPGM


FIXAUTL1 - Add Objects to AUTL

             PGM        PARM(&PARM1)
/**********************************************************************/
/* FIXAUTL1-- This program reads the database file with all of the    */
/*            object names on the authorization lists.  This program  */
/*            will grant the objects to the specified authorization   */
/*            list.                                                   */
/* INPUT   -- Name of the file containing list of objects and their   */
/*            associated authorization list                           */
/* NOTE    -- Program MUST be run by user with *ALLOBJ authority      */
/**********************************************************************/
             DCL        VAR(&MSGID) TYPE(*CHAR) LEN(7)
             DCL        VAR(&MSGDTA) TYPE(*CHAR) LEN(50)
             DCL        VAR(&MSGF) TYPE(*CHAR) LEN(10)
             DCL        VAR(&MSGLIB) TYPE(*CHAR) LEN(10)
             DCL        VAR(&RTNTYPE) TYPE(*CHAR) LEN(2)
             DCL        VAR(&ERROR) TYPE(*LGL)
/* &PARM1 is the qualified input file: 10-char name, 10-char library  */
             DCL        VAR(&PARM1) TYPE(*CHAR) LEN(20)
             DCL        VAR(&OUTFILE) TYPE(*CHAR) LEN(10)
             DCL        VAR(&OUTLIB) TYPE(*CHAR) LEN(10)
             DCL        VAR(&TOTAL) TYPE(*DEC) LEN(5 0) VALUE(0)
             DCL        VAR(&FAIL) TYPE(*DEC) LEN(5 0) VALUE(0)
             DCL        VAR(&TOTALC) TYPE(*CHAR) LEN(5)
             DCL        VAR(&FAILC) TYPE(*CHAR) LEN(5)
/* QADALO is the DSPAUTLOBJ outfile format written by ALLAUTL1        */
             DCLF       FILE(QADALO)
       /*******  START OF PROGRAM  ***************/
             MONMSG     MSGID(CPF0000) EXEC(GOTO CMDLBL(ERROR))
             CHGVAR     VAR(&OUTFILE) VALUE(%SST(&PARM1 1 10))
             CHGVAR     VAR(&OUTLIB) VALUE(%SST(&PARM1 11 10))
             OVRDBF     FILE(QADALO) TOFILE(&OUTLIB/&OUTFILE)
READ:        RCVF
             MONMSG     MSGID(CPF0864) EXEC(GOTO CMDLBL(EOF))
             CHGVAR     VAR(&TOTAL) VALUE(&TOTAL + 1.0)
/* Relink the object to its list; count and skip any that fail        */
             GRTOBJAUT  OBJ(&AOLIB/&AONAME) OBJTYPE(&AOTYPE) +
                          AUTL(&AOANAM)
             MONMSG     MSGID(CPF0000) EXEC(DO)
             CHGVAR     VAR(&FAIL) VALUE(&FAIL + 1.0)
             GOTO       CMDLBL(READ)
             ENDDO
/* Set *PUBLIC to *AUTL so the list governs public access again. A    */
/* failure here is not counted; it goes to the ERROR routine.         */
             GRTOBJAUT  OBJ(&AOLIB/&AONAME) OBJTYPE(&AOTYPE) +
                          USER(*PUBLIC) AUT(*AUTL)
             GOTO       CMDLBL(READ)
EOF:         GOTO       CMDLBL(EXIT)
ERROR: /*********  ERROR HANDLING ROUTINE  *******************/
             IF         COND(&ERROR) THEN(GOTO CMDLBL(EXIT))
             CHGVAR     VAR(&ERROR) VALUE('1')
/* Forward each queued message as a diagnostic, then resend the       */
/* escape message so the caller sees the real failure.                */
RECEIVE:     RCVMSG     MSGTYPE(*ANY) MSGDTA(&MSGDTA) MSGID(&MSGID) +
                          RTNTYPE(&RTNTYPE) MSGF(&MSGF) +
                          MSGFLIB(&MSGLIB)
             IF         COND(&RTNTYPE *NE '15') THEN(DO)  /* NOT +
                          ESCAPE MESSAGE       */
             SNDPGMMSG  MSGID(&MSGID) MSGF(&MSGF) MSGDTA(&MSGDTA) +
                          MSGTYPE(*DIAG)
             GOTO       CMDLBL(RECEIVE)
             ENDDO
             SNDPGMMSG  MSGID(&MSGID) MSGF(&MSGF) MSGDTA(&MSGDTA) +
                          MSGTYPE(*ESCAPE)
/* Report counts; decimal-to-character gives 5-digit zero-filled      */
/* values such as 00025 and 04715                                     */
EXIT:        CHGVAR     VAR(&TOTAL) VALUE(&TOTAL - &FAIL)
             CHGVAR     VAR(&TOTALC) VALUE(&TOTAL)
             IF         COND(&FAIL *NE 0) THEN(DO)
             CHGVAR     VAR(&FAILC) VALUE(&FAIL)
             SNDPGMMSG  MSGID(CPF9898) MSGF(QCPFMSG) MSGDTA(&FAILC +
                        || ' Objects not attached ' || &TOTALC +
                        || ' Objects attached to authorization +
                             list') MSGTYPE(*ESCAPE)
             ENDDO
             SNDPGMMSG  MSGID(CPF9898) MSGF(QCPFMSG) MSGDTA(&TOTALC +
                        || ' Objects attached to authorization +
                             list') MSGTYPE(*COMP)
             ENDPGM


ALLAUTL -- Build List of Objects on Authorization Lists

CRTCMD ALLAUTL PGM(ALLAUTL1)


      CMD       PROMPT('List All Objects on AUTL')
      PARM      KWD(OUTFILE) TYPE(Q1) MIN(1) PROMPT('Output +
                File Name')
Q1:   QUAL      TYPE(*NAME) LEN(10)
      QUAL      TYPE(*NAME) LEN(10) DFT(*CURLIB) +
                SPCVAL((*CURLIB) (*LIBL)) PROMPT('Library')

FIXAUTL -- Attach Objects to Authorization Lists

CRTCMD FIXAUTL PGM(FIXAUTL1)


      CMD        PROMPT('Fix Authorization List')
      PARM       KWD(FILE) TYPE(Q1) MIN(1) PROMPT('File')
Q1:   QUAL       TYPE(*NAME) LEN(10)
      QUAL       TYPE(*NAME) LEN(10) DFT(*LIBL) +
                 SPCVAL((*CURLIB) (*LIBL)) PROMPT('Library')


Historical Number: 19810209

Document Information

Modified date: 18 December 2019

UID: nas8N1017745