IBM Support

Reverting Object Ownership Changes Using IBM i Audit Journal

How To


Summary

This document describes a procedure for identifying and reverting changes to object ownership on IBM i systems using data from the Audit Journal. By leveraging the AUDIT_JOURNAL_OW service and SQL-based analysis, administrators can restore previous owners for library objects, stream files, and directories.

Objective

This document describes a procedure for identifying and reversing changes to object ownership on the IBM i system using data from the Audit Journal. By leveraging the AUDIT_JOURNAL_OW service and SQL-based analysis, administrators can restore previous owners for library objects, stream files, and directories efficiently.

Environment

IBM i 7.6 - Base,
IBM i 7.5 - SF99950 Level 1,
IBM i 7.4 - SF99704 Level 20,
IBM i 7.3 - SF99703 Level 28.

Steps

According to the Security Reference manual, the IBM i operating system provides the ability to track changes to authorities on the system.
 
This document describes how to enable auditing to track changes to object ownership and how to use the resulting audit entries to revert unintended or unauthorized changes.

First, verify that the QAUDJRN journal exists and that you are tracking for *SECRUN or *SECURITY operations. Use the DSPSECAUD command and make sure the following settings are configured on your system:
 

Security journal QAUDJRN exists . . . . . :  YES    
Current QAUDCTL system value  . . . . . . : *AUDLVL
Current QAUDLVL system value  . . . . . . : *SECRUN *SECURITY                             

If not listed, use the CHGSECAUD command to add them to your system. The value *SECRUN or *SECURITY for the QAUDLVL system value is required to track changes to authorities.
 
 

Disclaimer

The SQL code provided in this document is offered as-is, without any warranties or guarantees. IBM is not responsible for the use, performance, or results of this sample code. No updates, support, or maintenance will be provided for this example. Users are encouraged to validate and test the code in their own environments before deploying it in production.

 

Analyzing the Results. 

 

Method 1 for Library Objects:
 
Step 1:  Using the Run SQL Scripts tool, run the following SQL Statement:
 
WITH TEMPOWN AS (
  SELECT
      TRIM(PREVIOUS_OWNER)       AS PREV_OWNER,     -- new owner to set
      TRIM(NEW_OWNER)            AS NEW_OWNER,      -- current new owner per audit (kept for reference)
      TRIM(OBJECT_LIBRARY)       AS OBJLIB,
      TRIM(OBJECT_NAME)          AS OBJNAME,
      TRIM(OBJECT_TYPE)          AS OBJTYPE
  FROM TABLE (
         SYSTOOLS.AUDIT_JOURNAL_OW(
           STARTING_TIMESTAMP => TIMESTAMP('2025-10-31 07:00:00'),
           ENDING_TIMESTAMP   => TIMESTAMP('2025-10-31 09:00:00')
         )
       )
  WHERE PATH_NAME IS NULL                  -- exclude IFS; process only library objects
)
SELECT
    PREV_OWNER  AS PREVIOUS_OWNER,
    NEW_OWNER,
    OBJLIB      AS OBJECT_LIBRARY,
    OBJNAME     AS OBJECT_NAME,
    OBJTYPE     AS OBJECT_TYPE,
    /* QSYS2.QCMDEXC scalar function returns 1 on success, -1 on failure */
    QSYS2.QCMDEXC(
      'CHGOBJOWN OBJ('
      || OBJLIB || '/' || OBJNAME
      || ') OBJTYPE(' || OBJTYPE || ') NEWOWN(' || PREV_OWNER || ')'
    ) AS "Success?"
FROM TEMPOWN;
 
 
NOTES: 
  • Adjust the Time Frame.
  • The SQL in this document executes without a confirmation prompt and will programmatically revert all object ownership changes within the specified time range to the previous owner.
  • A '1' in the Success? column indicates that CHGOBJOWN completed normally; a '-1' indicates that it failed.
  • This document describes an SQL procedure that restores an object’s ownership to its previous owner using IBM i Audit Journal data. Before executing the procedure, users should carefully review its scope and assess the potential impact of reverting ownership changes.
  • This SQL is supported only on IBM i release R730 and above.

Sample Results:
 
PREVIOUS_OWNER  NEW_OWNER  OBJECT_LIBRARY  OBJECT_NAME  OBJECT_TYPE  Success?
V6CASTIL        HUGO       V6CASTIL        QAUDITPW     *FILE        1
V6CASTIL        HUGO       V6CASTIL        QAUDITCA     *FILE        1
V6CASTIL        HUGO       V6CASTIL        QAUDITJS     *FILE        1
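
Method 1 issues one CHGOBJOWN per audit entry and has no ORDER BY, so an object whose owner changed more than once in the window is changed once per entry in no guaranteed order. The following preview query is an added example, not part of IBM's original document: it executes nothing, keeps only the earliest change per object (whose PREVIOUS_OWNER is the owner before the window), and shows the command text that would be run. It assumes that ENTRY_TIMESTAMP and USER_NAME, common columns of the AUDIT_JOURNAL_* table functions, are returned by AUDIT_JOURNAL_OW; the output column names are illustrative.

```sql
-- Added example (not IBM's code): preview only, nothing is executed.
-- Assumption: ENTRY_TIMESTAMP and USER_NAME are returned by AUDIT_JOURNAL_OW
-- (they are common columns of the AUDIT_JOURNAL_* table functions).
WITH OWCHG AS (
  SELECT
      ENTRY_TIMESTAMP,
      USER_NAME                  AS CHANGED_BY,    -- profile that made the ownership change
      TRIM(PREVIOUS_OWNER)       AS PREV_OWNER,
      TRIM(NEW_OWNER)            AS NEW_OWNER,
      TRIM(OBJECT_LIBRARY)       AS OBJLIB,
      TRIM(OBJECT_NAME)          AS OBJNAME,
      TRIM(OBJECT_TYPE)          AS OBJTYPE,
      -- 1 = earliest ownership change to this object inside the window
      ROW_NUMBER() OVER (
        PARTITION BY OBJECT_LIBRARY, OBJECT_NAME, OBJECT_TYPE
        ORDER BY ENTRY_TIMESTAMP
      )                          AS CHANGE_SEQ,
      -- values above 1 flag objects that changed owner more than once
      COUNT(*) OVER (
        PARTITION BY OBJECT_LIBRARY, OBJECT_NAME, OBJECT_TYPE
      )                          AS CHANGES_IN_WINDOW
  FROM TABLE (
         SYSTOOLS.AUDIT_JOURNAL_OW(
           STARTING_TIMESTAMP => TIMESTAMP('2025-10-31 07:00:00'),
           ENDING_TIMESTAMP   => TIMESTAMP('2025-10-31 09:00:00')
         )
       )
  WHERE PATH_NAME IS NULL                  -- library objects only, as in Method 1
)
SELECT
    ENTRY_TIMESTAMP,
    CHANGED_BY,
    PREV_OWNER  AS OWNER_BEFORE_WINDOW,
    NEW_OWNER,
    CHANGES_IN_WINDOW,
    'CHGOBJOWN OBJ(' || OBJLIB || '/' || OBJNAME
      || ') OBJTYPE(' || OBJTYPE || ') NEWOWN(' || PREV_OWNER || ')'
                AS REVERT_COMMAND          -- text only; not passed to QSYS2.QCMDEXC
FROM OWCHG
WHERE CHANGE_SEQ = 1
ORDER BY OBJLIB, OBJNAME, OBJTYPE;
```

Review the CHANGED_BY and CHANGES_IN_WINDOW columns to confirm that every row belongs to the change you intend to undo before running the Method 1 statement over the same time frame.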

 

Method 2 for IFS Objects:
 
Step 1:  Using the Run SQL Scripts tool, run the following SQL Statement:
 
WITH TEMPOWN AS (
        SELECT TRIM(PREVIOUS_OWNER) AS PREV_OWNER,
               TRIM(NEW_OWNER) AS NEW_OWNER,
               PATH_NAME,
               PATH_NAME_INDICATOR
            FROM TABLE (
                    SYSTOOLS.AUDIT_JOURNAL_OW(
                        STARTING_TIMESTAMP => TIMESTAMP('2025-10-30 07:00:00'), ENDING_TIMESTAMP => TIMESTAMP(
                            '2025-10-30 09:00:00'))
                )
            WHERE PATH_NAME_INDICATOR = 'YES' -- process only absolute IFS paths
    )
    SELECT PREV_OWNER AS PREVIOUS_OWNER,
           NEW_OWNER,
           PATH_NAME,
           /* returns 1 on success, -1 on failure */
           QSYS2.QCMDEXC('CHGOWN OBJ(''' || REPLACE(PATH_NAME, '''', '''''') || -- escape embedded quotes
                   ''') NEWOWN(' || PREV_OWNER || ')') AS "Success?"
        FROM TEMPOWN;

 

NOTES: 
  • Adjust the Time Frame.
  • The SQL in this document executes without a confirmation prompt and will programmatically revert all object ownership changes within the specified time range to the previous owner.
  • A '1' in the Success? column indicates that CHGOWN completed normally; a '-1' indicates that it failed.
  • This document describes an SQL procedure that restores an object’s ownership to its previous owner using IBM i Audit Journal data. Before executing the procedure, users should carefully review its scope and assess the potential impact of reverting ownership changes.
  • This SQL is supported only on IBM i release R730 and above.

 

Sample Results:

PREVIOUS_OWNER  NEW_OWNER  PATH_NAME                                  Success?
V6CASTIL        HUGO       /home/v6castil                             1
V6CASTIL        HUGO       /home/v6castil/test.txt                    1
V6CASTIL        HUGO       /home/v6castil/.cache/javasharedresources  1
V6CASTIL        HUGO       /home/v6castil/.cache                      1
V6CASTIL        HUGO       /home/v6castil/sales invoice.txt           1
V6CASTIL        HUGO       /home/v6castil/sales invoice feb.txt       1
V6CASTIL        HUGO       /home/v6castil/sales invoice mar.txt       1

 

Additional Information:

AUDIT_JOURNAL_OW (Ownership Change) table function

 
Disclaimer: This SQL executes system-level changes to object ownership and should be used with caution. It is strongly recommended to review and test the statement in a non-production environment before deployment. Improper use may result in unintended access issues or disruption to user workflows.

 

Document Location

Worldwide


Document Information

Modified date:
26 November 2025

UID

ibm17249838