Securing the integrated file system

The integrated file system provides you with multiple ways to store and view information on the system. Your security plan needs to include how users will be allowed to access and manipulate files on the system.

The integrated file system is a part of the IBM i operating system that supports stream input and output operations. It provides storage management methods that are similar to, and compatible with, personal computer operating systems and UNIX operating systems.

With the integrated file system, all objects on the system can be viewed from the perspective of a hierarchical directory structure. However, in most cases, users view objects in the way that is most common for a particular file system. For example, standard system objects are in the QSYS.LIB file system. Typically, users view these objects from the perspective of libraries. Users typically view objects in the QDLS file system from the perspective of documents within folders. The root (/), QOpenSys, and user-defined file systems present a structure of hierarchical directories.

As a security administrator, you need to understand:
  • Which file systems are used on your system
  • The unique security characteristics of each file system

The root (/) file system acts as a foundation for all other file systems on IBM Systems. At a high level, it provides an integrated view of all of the objects on the system. Other file systems that can exist on IBM Systems provide varying approaches to object management and integration, depending on the underlying purpose of each file system. The QOPT (optical) file system, for example, allows system applications and servers to access the CD-ROM drive on the system. Similarly, the QFileSvr.400 file system allows applications to access integrated file system data on remote systems.

The security approach for each file system depends on the data that the file system makes available. The QOPT file system, for example, does not provide object-level security because no technology exists to write authority information to a CD-ROM. For the QFileSvr.400 file system, access control occurs at the remote system, where the files are physically stored and managed. Despite the differing security models, many file systems support consistent management of access control through the integrated file system commands, such as Change Authority (CHGAUT) and Change Owner (CHGOWN).
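The following CL sequence is an added example, not part of the original documentation. It shows the same CHGOWN and CHGAUT commands applied first to a directory in the root (/) file system and then to an object in QSYS.LIB addressed by its integrated file system path. The directory /appdata/payroll, the library PAYLIB, the file MASTER, and the user profiles PAYOWNER and PAYCLERK are constructed placeholders.

```cl
/* Added example. All paths and user profiles are constructed     */
/* placeholders, not values from the original page.               */

/* Root (/) file system: give the directory a single owner and    */
/* revoke the authority held by the previous owner.               */
CHGOWN OBJ('/appdata/payroll') NEWOWN(PAYOWNER) RVKOLDAUT(*YES)

/* Remove public access. DTAAUT(*EXCLUDE) requires OBJAUT(*NONE). */
CHGAUT OBJ('/appdata/payroll') USER(*PUBLIC) +
       DTAAUT(*EXCLUDE) OBJAUT(*NONE)

/* Grant one profile read and execute (list and traverse) only.   */
CHGAUT OBJ('/appdata/payroll') USER(PAYCLERK) +
       DTAAUT(*RX) OBJAUT(*NONE)

/* QSYS.LIB file system: the same command, addressed through the  */
/* integrated file system path of a library object.               */
CHGAUT OBJ('/QSYS.LIB/PAYLIB.LIB/MASTER.FILE') USER(*PUBLIC) +
       DTAAUT(*EXCLUDE) OBJAUT(*NONE)

/* Review the resulting authorities on both objects.              */
DSPAUT OBJ('/appdata/payroll')
DSPAUT OBJ('/QSYS.LIB/PAYLIB.LIB/MASTER.FILE')
```

Running the same commands against an object in the QOPT file system would not set object-level authorities, because that file system does not store them.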