Programs that adopt the authority of a user with *ALLOBJ special
authority represent a security exposure. You can analyze these programs to
audit the security of the system.
The following method can be used to find and inspect those programs
that adopt authority:
- For each user with *ALLOBJ special authority, use the Display Programs
That Adopt (DSPPGMADP) command to list the programs that adopt that user’s
authority:
DSPPGMADP USRPRF(user-profile-name) +
OUTPUT(*PRINT)
- Use the DSPOBJAUT command to determine who is authorized to use
each adopting program and what the public authority is to the program:
DSPOBJAUT OBJ(library-name/program-name) +
OBJTYPE(*PGM) ASPDEV(asp-device-name) OUTPUT(*PRINT)
Note: The object type parameter might need to be *PGM, *SQLPKG, or *SRVPGM, as indicated by the DSPPGMADP report.
- Inspect the source code and program description to evaluate:
- Whether the user of the program is prevented from reaching functions beyond the program's intended purpose, such as a command line, while running under the adopted profile.
- Whether the program adopts the minimum authority needed for its intended function. Applications that use adopted authority can be designed so that the same owner profile owns both the application objects and the programs. When the authority of the program owner is adopted, the user has *ALL authority to the application objects, so in many cases the owner profile does not need any special authorities at all.
- Verify when the program was last changed, using the DSPOBJD command:
DSPOBJD OBJ(library-name/program-name) +
OBJTYPE(*PGM) ASPDEV(asp-device-name) DETAIL(*FULL)
Note: The object type parameter might need to be *PGM, *SQLPKG, or *SRVPGM, as indicated by the DSPPGMADP report.
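The commands above produce one printed report per user and per program, which is tedious to review on a system with many *ALLOBJ profiles. The query below is an added example, not part of this reference, that performs the same first, second, and fourth steps in one pass using the Db2 for i catalog services instead of CL commands. It assumes that the QSYS2.USER_INFO, QSYS2.PROGRAM_INFO, and QSYS2.OBJECT_PRIVILEGES views and the QSYS2.OBJECT_STATISTICS table function exist on your release with the column names used here; verify them against the documentation for your operating system level before relying on the output. Only the source-code inspection in the third step cannot be automated this way.

```sql
-- Added example (not from the IBM i Security Reference): the audit steps
-- above expressed as one Db2 for i query over the QSYS2 catalog services.
-- Assumed columns: USER_INFO.SPECIAL_AUTHORITIES, PROGRAM_INFO.USER_PROFILE
-- ('*OWNER' means the program was created with USRPRF(*OWNER)),
-- PROGRAM_INFO.PROGRAM_OWNER, OBJECT_PRIVILEGES.OBJECT_AUTHORITY and
-- OBJECT_STATISTICS.CHANGE_TIMESTAMP. Check them on your release.

-- Step 1: every user profile holding *ALLOBJ, and every program that
-- adopts that user's authority (owned by the user, created USRPRF(*OWNER)).
-- Caveat: PROGRAM_INFO covers *PGM and *SRVPGM only; *SQLPKG objects that
-- adopt authority still have to come from the DSPPGMADP report.
WITH allobj_users AS (
  SELECT authorization_name
    FROM qsys2.user_info
   WHERE special_authorities LIKE '%*ALLOBJ%'
),
adopting_pgms AS (
  SELECT p.program_library,
         p.program_name,
         p.object_type,          -- '*PGM' or '*SRVPGM'
         p.program_owner
    FROM qsys2.program_info p
    JOIN allobj_users u
      ON u.authorization_name = p.program_owner
   WHERE p.user_profile = '*OWNER'
)
-- Step 2: the public authority to each adopting program (DSPOBJAUT),
-- Step 4: when the program object was last changed (DSPOBJD DETAIL(*FULL)).
SELECT a.program_library,
       a.program_name,
       a.object_type,
       a.program_owner,
       COALESCE(pub.object_authority, '(none)') AS public_authority,
       s.change_timestamp                       AS last_changed
  FROM adopting_pgms a
  LEFT JOIN qsys2.object_privileges pub
         ON pub.object_schema      = a.program_library
        AND pub.object_name        = a.program_name
        AND pub.object_type        = a.object_type
        AND pub.authorization_name = '*PUBLIC'
  CROSS JOIN LATERAL (
         SELECT change_timestamp
           FROM TABLE(qsys2.object_statistics(a.program_library,
                                              a.object_type,
                                              a.program_name)) x
       ) s
 -- Programs the public can call while adopting *ALLOBJ sort to the top;
 -- those with *EXCLUDE public authority are reviewed last.
 ORDER BY CASE WHEN pub.object_authority = '*EXCLUDE' THEN 1 ELSE 0 END,
          a.program_owner, a.program_library, a.program_name;
```

Run it from STRSQL, RUNSQLSTM, or ACS Run SQL Scripts under a profile that is authorized to the catalog services. Any row whose public authority is not *EXCLUDE is a program that every user on the system can invoke while running with an *ALLOBJ profile's authority, so those rows are where the source-code review in the third step should start; for each of them, DSPOBJAUT will also show the private authorities that this query does not list.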