Troubleshooting
Problem
This document explains the security levels (QSECURITY system value).
Resolving The Problem
The system provides the following levels of security:
| 10 | No system-enforced security. Note: For V4R3, IBM is dropping support for security level 10. IBM will not accept APARs for problems that cannot be re-created at security level 20 or higher. In addition, you can no longer set the QSECURITY system value to 10. |
| 20 | Sign-on security |
| 30 | Sign-on and resource security |
| 40 | Sign-on and resource security; integrity protection |
| 50 | Sign-on and resource security; enhanced integrity protection |
Security Level 10
At security level 10, you have minimal security protection. When a new user signs on, the system creates a user profile with the profile name equal to the user ID specified on the sign-on display. If the same user signs on later with a different user ID, a new user profile is created.
The system performs authority checking at all levels of security. Because all user profiles created at security level 10 are given *ALLOBJ special authority, users pass every authority check and have access to all resources. To test the effect of moving to a higher security level, remove *ALLOBJ special authority from user profiles and grant those profiles the authority to use specific resources. However, this does not provide security protection. Anyone can sign on with a new user ID, and a new profile is created with *ALLOBJ special authority. This cannot be prevented at security level 10.
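The test described above, written out as CL commands. This is an added example, not part of the original IBM document; the profile TESTUSER, the library APPLIB and the file ORDERS are hypothetical names chosen for illustration.

```cl
/* Confirm the level the system is currently running at.            */
DSPSYSVAL SYSVAL(QSECURITY)

/* Remove all special authorities, including *ALLOBJ, from the      */
/* profile used for the test (TESTUSER is a hypothetical name).     */
CHGUSRPRF USRPRF(TESTUSER) SPCAUT(*NONE)

/* Grant only the specific resources the user needs. The library    */
/* must be usable as well as the object inside it (APPLIB and       */
/* ORDERS are hypothetical names).                                  */
GRTOBJAUT OBJ(APPLIB) OBJTYPE(*LIB) USER(TESTUSER) AUT(*USE)
GRTOBJAUT OBJ(APPLIB/ORDERS) OBJTYPE(*FILE) USER(TESTUSER) AUT(*USE)

/* Verify the result: the profile should list no special            */
/* authorities, and the object should show TESTUSER with *USE.      */
/* Check the *PUBLIC entry too, since public authority applies to   */
/* any profile that has no entry of its own.                        */
DSPUSRPRF USRPRF(TESTUSER)
DSPOBJAUT OBJ(APPLIB/ORDERS) OBJTYPE(*FILE)

/* Once the applications run correctly for the test profile, the    */
/* level itself is raised with CHGSYSVAL. A change to QSECURITY     */
/* takes effect at the next IPL, not immediately.                   */
CHGSYSVAL SYSVAL(QSECURITY) VALUE('30')
```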
Security Level 20
In addition to the functions provided at security level 10, security level 20 provides the following additional security functions:
| o | Both user ID and password are required to sign on. |
| o | Only a security officer or someone with *SECADM special authority can create user profiles. |
| o | The limit capabilities value specified in the user profile is enforced. |
Security Level 30
In addition to the functions provided at security level 20, security level 30 provides the following additional security functions:
| o | Users must be specifically given authority to use resources on the system. |
| o | Only user profiles created with the *SECOFR security class are given *ALLOBJ special authority automatically. |
Security Level 40
Security level 40 prevents potential integrity or security risks from programs that could circumvent security in special cases. Security functions at level 40 include:
| o | Preventing the use of unsupported interfaces |
| o | Preventing the use of restricted instructions |
| o | Protecting job descriptions |
| o | Preventing signing on without password |
| o | Enhanced hardware storage protection |
| o | Protecting a program's associated space |
| o | Protecting a job's address space |
Security Level 50
Security level 50 is designed to meet some of the requirements defined by the Controlled Access Protection Profile (CAPP) for Common Criteria (CC) compliance. Security level 50 provides enhanced integrity protection, in addition to what is provided by security level 40, for installations with strict security requirements.
See the Security Reference manual for a more detailed description of the Security Levels.
Historical Number
4300035
Document Information
Modified date:
16 September 2020
UID
nas8N1014714