
Reverting Changes to Object Authorities Using IBM i Audit Journal Data

How To


Summary

This document outlines a procedure for identifying and reverting changes to authorities on the IBM i system using data extracted from the Audit Journal. By leveraging the AUDIT_JOURNAL_CA service and SQL-based analysis, the procedure enables administrators to restore previous authority values for objects, stream files and directories, ensuring compliance, security, and operational consistency following unintended or unauthorized modifications.

Objective

This document outlines a procedure for identifying and reverting changes to object authorities on the IBM i system using data extracted from the Audit Journal. By leveraging the AUDIT_JOURNAL_CA service and SQL-based analysis, the procedure enables administrators to restore previous authority settings for library objects, stream files, and directories, ensuring compliance, security, and operational consistency following unintended or unauthorized modifications.

Environment

IBM i 7.6 - Base,
IBM i 7.5 - SF99950 Level 1,
IBM i 7.4 - SF99704 Level 20,
IBM i 7.3 - SF99703 Level 28.

Steps

According to the Security Reference manual, the IBM i operating system provides the ability to track changes to authorities on the system.

This document describes how to enable auditing for changes to authorities and how to use the resulting audit journal entries to revert unintended or unauthorized changes.

First, verify that the QAUDJRN journal exists and that you are tracking for *SECRUN or *SECURITY operations. Use the DSPSECAUD command and make sure the following settings are configured on your system:
 

Security journal QAUDJRN exists . . . . . :  YES    
Current QAUDCTL system value  . . . . . . : *AUDLVL
Current QAUDLVL system value  . . . . . . : *SECRUN *SECURITY                             
 
If these values are not listed, use the CHGSECAUD command to add them to your system. The value *SECRUN or *SECURITY (which includes *SECRUN) for the QAUDLVL system value is required to track changes to authorities.
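The same verification can be done from Run SQL Scripts, so that it can be kept with the rest of the procedure. The following is an added example and is not part of the IBM document; it assumes the QSYS2.OBJECT_STATISTICS table function and the QSYS2.SYSTEM_VALUE_INFO view are available at your release level.

```sql
-- Added example (not from the IBM document): the DSPSECAUD check done in SQL.
-- Assumes QSYS2.OBJECT_STATISTICS and QSYS2.SYSTEM_VALUE_INFO are available.

-- 1. Does the security audit journal QSYS/QAUDJRN exist?
--    No row returned means the journal is missing: create it with CHGSECAUD.
SELECT OBJNAME, OBJTYPE, OBJOWNER
  FROM TABLE (QSYS2.OBJECT_STATISTICS('QSYS', '*JRN', 'QAUDJRN'));

-- 2. Are QAUDCTL and QAUDLVL set so that authority-change (CA) entries are written?
--    QAUDCTL must contain *AUDLVL, and QAUDLVL must contain *SECRUN or *SECURITY.
SELECT SYSTEM_VALUE_NAME,
       CURRENT_CHARACTER_VALUE,
       CASE
         WHEN SYSTEM_VALUE_NAME = 'QAUDCTL'
              AND CURRENT_CHARACTER_VALUE LIKE '%*AUDLVL%'          THEN 'OK'
         WHEN SYSTEM_VALUE_NAME = 'QAUDLVL'
              AND (CURRENT_CHARACTER_VALUE LIKE '%*SECRUN%'
                   OR CURRENT_CHARACTER_VALUE LIKE '%*SECURITY%')  THEN 'OK'
         ELSE 'CHECK - run CHGSECAUD'
       END AS STATUS
  FROM QSYS2.SYSTEM_VALUE_INFO
 WHERE SYSTEM_VALUE_NAME IN ('QAUDCTL', 'QAUDLVL');
```

If QAUDLVL contains *AUDLVL2, the remaining audit level values live in the QAUDLVL2 system value; add 'QAUDLVL2' to the IN list and apply the same *SECRUN / *SECURITY test to it.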
 

Disclaimer

The SQL code provided in this document is offered as-is, without any warranties or guarantees. IBM is not responsible for the use, performance, or results of this sample code. No updates, support, or maintenance will be provided for this example. Users are encouraged to validate and test the code in their own environments before deploying it in production.

This SQL does not restore users that were added to or removed from an object’s authority for IFS objects. The logic implemented by this SQL only reverts changes to authorities for users that already existed on the object’s authority list at the time of the audit journal entry.

 
Analyzing the Results
 
Method 1 for Library Objects:
 
Step 1:  Using the Run SQL Scripts tool, run the following SQL Statement:
 
WITH AuditData AS (
  SELECT
    ENTRY_TIMESTAMP,
    QUALIFIED_JOB_NAME,
    USER_PROFILE_NAME,
    OBJECT_NAME,
    OBJECT_LIBRARY,
    OBJECT_TYPE,
    TRIM(
      CASE WHEN PREV_OBJECT_EXCLUDE = 'YES' THEN '*EXCLUDE ' ELSE '' END ||
      CASE WHEN PREV_OBJECT_OPERATIONAL = 'YES' THEN '*OBJOPR ' ELSE '' END ||
      CASE WHEN PREV_OBJECT_MANAGEMENT = 'YES' THEN '*OBJMGT ' ELSE '' END ||
      CASE WHEN PREV_OBJECT_EXISTENCE = 'YES' THEN '*OBJEXIST ' ELSE '' END ||
      CASE WHEN PREV_OBJECT_ALTER = 'YES' THEN '*OBJALTER ' ELSE '' END ||
      CASE WHEN PREV_OBJECT_REFERENCE = 'YES' THEN '*OBJREF ' ELSE '' END ||
      CASE WHEN PREV_DATA_READ = 'YES' THEN '*READ ' ELSE '' END ||
      CASE WHEN PREV_DATA_ADD = 'YES' THEN '*ADD ' ELSE '' END ||
      CASE WHEN PREV_DATA_UPDATE = 'YES' THEN '*UPD ' ELSE '' END ||
      CASE WHEN PREV_DATA_DELETE = 'YES' THEN '*DLT ' ELSE '' END ||
      CASE WHEN PREV_DATA_EXECUTE = 'YES' THEN '*EXECUTE ' ELSE '' END
    ) AS Previous_Aut
  FROM TABLE (
    SYSTOOLS.AUDIT_JOURNAL_CA(STARTING_TIMESTAMP => '2025-09-23 07:00:00', ENDING_TIMESTAMP => '2025-09-23 07:10:00')
  )
)
SELECT 
  QSYS2.QCMDEXC(
    'GRTOBJAUT OBJ(' || OBJECT_LIBRARY || '/' || OBJECT_NAME || 
    ') OBJTYPE(' || OBJECT_TYPE || 
    ') USER(' || USER_PROFILE_NAME || 
    ') AUT(' || Previous_Aut || ')'
  ) AS CMD_EXEC_RESULT,
  ENTRY_TIMESTAMP,
  QUALIFIED_JOB_NAME,
  USER_PROFILE_NAME,
  OBJECT_NAME,
  OBJECT_LIBRARY,
  OBJECT_TYPE,
  Previous_Aut
FROM AuditData
WHERE Previous_Aut <> '' 
  AND OBJECT_TYPE NOT IN ('*STMF', '*DIR')
 
 
NOTES: 
  • Adjust the time frame (the STARTING_TIMESTAMP and ENDING_TIMESTAMP values) to cover the period in which the changes were made.
  • The SQL in this document executes without a confirmation prompt and will programmatically revert all authority changes within the specified time range to their previous values.
  • A value of 1 in the CMD_EXEC_RESULT column indicates that GRTOBJAUT completed normally; -1 indicates that it failed.
  • The SQL procedure described in this document will revert object and data authority changes for a given object within the specified time range. If an object has experienced multiple changes during that period, only the most recent change recorded in the audit journal will be reverted. Earlier changes will not be restored. Users should carefully review the scope and impact of the reversion before executing the procedure.
  • This SQL procedure does not revert changes made to an object’s Authorization List or any PGP (Primary Group Profile) associations. It only restores direct object and data authority values recorded in the audit journal. Users should manage Authorization List and PGP changes separately, as they are not captured or processed by this logic.
  • This SQL is supported only on IBM i release R730 and above.
 
Sample Results: [screenshot of the query output; image not reproduced]
 
 
Method 2 for IFS Objects:
 
Step 1:  Using the Run SQL Scripts tool, run the following SQL Statement:
 
WITH AuditData AS (
  SELECT
    ENTRY_TIMESTAMP,
    QUALIFIED_JOB_NAME,
    USER_PROFILE_NAME,
    PATH_NAME,
    OBJECT_TYPE,

    -- Valid OBJAUT values only (no quotes needed)
    TRIM(
      CASE WHEN PREV_OBJECT_EXISTENCE = 'YES' THEN '*OBJEXIST ' ELSE '' END ||
      CASE WHEN PREV_OBJECT_MANAGEMENT = 'YES' THEN '*OBJMGT ' ELSE '' END ||
      CASE WHEN PREV_OBJECT_ALTER = 'YES' THEN '*OBJALTER ' ELSE '' END ||
      CASE WHEN PREV_OBJECT_REFERENCE = 'YES' THEN '*OBJREF ' ELSE '' END
    ) AS Valid_ObjAut,

    -- Mapped Symbolic Data Authority (quoted)
    CASE
      WHEN PREV_DATA_READ = 'YES' AND PREV_DATA_ADD = 'YES' AND PREV_DATA_UPDATE = 'YES' AND PREV_DATA_DELETE = 'YES' AND PREV_DATA_EXECUTE = 'YES' THEN '*RWX'
      WHEN PREV_DATA_READ = 'YES' AND PREV_DATA_EXECUTE = 'YES' THEN '*RX'
      WHEN PREV_DATA_READ = 'YES' AND (PREV_DATA_ADD = 'YES' OR PREV_DATA_UPDATE = 'YES' OR PREV_DATA_DELETE = 'YES') THEN '*RW'
      WHEN (PREV_DATA_ADD = 'YES' OR PREV_DATA_UPDATE = 'YES' OR PREV_DATA_DELETE = 'YES') AND PREV_DATA_EXECUTE = 'YES' THEN '*WX'
      WHEN PREV_DATA_READ = 'YES' THEN '*R'
      WHEN PREV_DATA_ADD = 'YES' OR PREV_DATA_UPDATE = 'YES' OR PREV_DATA_DELETE = 'YES' THEN '*W'
      WHEN PREV_DATA_EXECUTE = 'YES' THEN '*X'
      ELSE '*NONE'
    END AS Mapped_DtaAut

  FROM TABLE (
    SYSTOOLS.AUDIT_JOURNAL_CA(
      STARTING_TIMESTAMP => '2025-09-23 07:00:00',
      ENDING_TIMESTAMP => '2025-09-23 07:10:00'
    )
  )
)
SELECT 
  QSYS2.QCMDEXC(
    'CHGAUT OBJ(''' || PATH_NAME || ''') USER(' || USER_PROFILE_NAME || ')' ||
    CASE WHEN Valid_ObjAut <> '' THEN ' OBJAUT(' || TRIM(Valid_ObjAut) || ')' ELSE '' END ||
    CASE WHEN Mapped_DtaAut <> '*NONE' THEN ' DTAAUT(''' || Mapped_DtaAut || ''')' ELSE '' END
  ) AS CMD_EXEC_RESULT,

  ENTRY_TIMESTAMP,
  QUALIFIED_JOB_NAME,
  USER_PROFILE_NAME,
  Valid_ObjAut,
  Mapped_DtaAut,
  PATH_NAME

FROM AuditData
WHERE (Valid_ObjAut <> '' OR Mapped_DtaAut <> '*NONE')
  AND PATH_NAME LIKE '%/home%'
  AND OBJECT_TYPE IN ('*STMF', '*DIR')
 
 
NOTES: 
  • Adjust the time frame (the STARTING_TIMESTAMP and ENDING_TIMESTAMP values) to cover the period in which the changes were made.
  • Adjust the PATH_NAME condition in the WHERE clause to specify the directory where the authority changes occurred.
  • The SQL in this document executes without a confirmation prompt and will programmatically revert all authority changes within the specified time range to their previous values.
  • A value of 1 in the CMD_EXEC_RESULT column indicates that CHGAUT completed normally; -1 indicates that it failed.
  • The SQL procedure described in this document will revert object and data authority changes for a given object within the specified time range. If an object has experienced multiple changes during that period, only the most recent change recorded in the audit journal will be reverted. Earlier changes will not be restored. Users should carefully review the scope and impact of the reversion before executing the procedure.
  • This SQL procedure does not revert changes made to an object’s Authorization List or any PGP (Primary Group Profile) associations. It only restores direct object and data authority values recorded in the audit journal. Users should manage authorization list and PGP changes separately, as they are not captured or processed by this logic.
  • This SQL is supported only on IBM i release R730 and above.
  • This SQL does not restore users that were added to or removed from an object’s authority. The logic implemented by this SQL only reverts changes to authorities for users that already existed on the object’s authority list at the time of the audit journal entry.
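Method 2 has to collapse the five individual data authorities recorded in the CA entry into one of the symbolic DTAAUT values accepted by CHGAUT, and that collapse is not always exact: *W stands for *ADD, *UPD and *DLT together, so a user who previously held only *ADD is restored to all three, while a user who held *READ, *ADD and *EXECUTE is mapped to *RX and loses *ADD. Entries whose previous state was *EXCLUDE, or that have no previous data authorities at all, produce '*NONE' and are omitted from the CHGAUT command. The following added example (not part of the IBM document) applies the same mapping as Method 2 and classifies each entry as exact, widened, narrowed or skipped. SampleEntries is constructed test data so the query runs without an audit journal; to run it against real entries, replace that CTE with the SYSTOOLS.AUDIT_JOURNAL_CA call from Method 2 restricted to OBJECT_TYPE IN ('*STMF', '*DIR').

```sql
-- Added example (not from the IBM document): how exactly does Method 2's DTAAUT mapping
-- reproduce the previous data authorities of each IFS entry?
-- SampleEntries is constructed test data; paths and profiles are invented.
WITH SampleEntries (PATH_NAME, USER_PROFILE_NAME, PREV_OBJECT_EXCLUDE,
                    PREV_DATA_READ, PREV_DATA_ADD, PREV_DATA_UPDATE,
                    PREV_DATA_DELETE, PREV_DATA_EXECUTE) AS (
  VALUES
    ('/home/app/config.xml', 'APPUSR', 'NO',  'YES', 'YES', 'YES', 'YES', 'YES'),  -- full *RWX
    ('/home/app/data.csv',   'RPTUSR', 'NO',  'YES', 'YES', 'NO',  'NO',  'NO' ),  -- *READ *ADD only
    ('/home/app/log',        'OPRUSR', 'NO',  'NO',  'NO',  'YES', 'NO',  'YES'),  -- *UPD *EXECUTE only
    ('/home/app/run.sh',     'BATUSR', 'NO',  'YES', 'YES', 'NO',  'NO',  'YES'),  -- *READ *ADD *EXECUTE
    ('/home/app/secret.key', 'WEBUSR', 'YES', 'NO',  'NO',  'NO',  'NO',  'NO' )   -- was *EXCLUDE
),
Mapped AS (
  SELECT s.*,
    -- the same mapping Method 2 uses to build DTAAUT
    CASE
      WHEN PREV_DATA_READ = 'YES' AND PREV_DATA_ADD = 'YES' AND PREV_DATA_UPDATE = 'YES'
           AND PREV_DATA_DELETE = 'YES' AND PREV_DATA_EXECUTE = 'YES'                    THEN '*RWX'
      WHEN PREV_DATA_READ = 'YES' AND PREV_DATA_EXECUTE = 'YES'                            THEN '*RX'
      WHEN PREV_DATA_READ = 'YES'
           AND (PREV_DATA_ADD = 'YES' OR PREV_DATA_UPDATE = 'YES' OR PREV_DATA_DELETE = 'YES') THEN '*RW'
      WHEN (PREV_DATA_ADD = 'YES' OR PREV_DATA_UPDATE = 'YES' OR PREV_DATA_DELETE = 'YES')
           AND PREV_DATA_EXECUTE = 'YES'                                                   THEN '*WX'
      WHEN PREV_DATA_READ = 'YES'                                                          THEN '*R'
      WHEN PREV_DATA_ADD = 'YES' OR PREV_DATA_UPDATE = 'YES' OR PREV_DATA_DELETE = 'YES'   THEN '*W'
      WHEN PREV_DATA_EXECUTE = 'YES'                                                       THEN '*X'
      ELSE '*NONE'
    END AS Mapped_DtaAut
  FROM SampleEntries s
),
Assessed AS (
  SELECT m.*,
    -- does the symbolic value include *W (= *ADD *UPD *DLT together)?
    CASE WHEN Mapped_DtaAut IN ('*RWX', '*RW', '*WX', '*W') THEN 'YES' ELSE 'NO' END AS MAP_W,
    -- did the previous state hold any of the three write authorities / all three of them?
    CASE WHEN PREV_DATA_ADD = 'YES' OR PREV_DATA_UPDATE = 'YES' OR PREV_DATA_DELETE = 'YES'
         THEN 'YES' ELSE 'NO' END AS PREV_ANY_W,
    CASE WHEN PREV_DATA_ADD = 'YES' AND PREV_DATA_UPDATE = 'YES' AND PREV_DATA_DELETE = 'YES'
         THEN 'YES' ELSE 'NO' END AS PREV_ALL_W
  FROM Mapped m
)
SELECT PATH_NAME, USER_PROFILE_NAME, Mapped_DtaAut,
  CASE
    WHEN PREV_OBJECT_EXCLUDE = 'YES'
      THEN 'SKIPPED - previous state was *EXCLUDE; Method 2 omits DTAAUT for this row'
    WHEN Mapped_DtaAut = '*NONE'
      THEN 'SKIPPED - no previous data authorities recorded; Method 2 omits DTAAUT'
    WHEN MAP_W = 'YES' AND PREV_ALL_W = 'NO'
      THEN 'WIDENED - *W grants *ADD *UPD *DLT, previous state held only some of them'
    WHEN MAP_W = 'NO' AND PREV_ANY_W = 'YES'
      THEN 'NARROWED - previous write authority is dropped by the *RX mapping'
    ELSE 'EXACT'
  END AS REVERT_ASSESSMENT
FROM Assessed
ORDER BY PATH_NAME;
```

Read and execute are never lost by the mapping (every branch that sees PREV_DATA_READ = 'YES' or PREV_DATA_EXECUTE = 'YES' keeps them), so only the write group can differ. For the constructed rows the result is EXACT for config.xml, WIDENED for data.csv and log, NARROWED for run.sh, and SKIPPED for secret.key; the WIDENED, NARROWED and SKIPPED rows are the ones to correct by hand after Method 2 has run.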
 
Sample Results: [screenshot of the query output; image not reproduced]
 
 

Additional Information:

 
Disclaimer: This SQL executes system-level changes to authorities and should be used with caution. It is strongly recommended to review and test the statement in a non-production environment before deployment. Improper use may result in unintended access issues or disruption to user workflows.

Document Location

Worldwide


Document Information

Modified date:
31 March 2026

UID

ibm17245742