Restrict access to the QSYS.LIB file system

You can use this information to restrict access to the QSYS.LIB file system.

Because the root (/) file system sits at the top of the directory structure, the QSYS.LIB file system appears as a subdirectory within the root directory. Therefore, any PC user with access to your server can manipulate objects stored in server libraries (the QSYS.LIB file system) with normal PC commands and actions. A PC user can, for example, drag a QSYS.LIB object, such as the library with your critical data files, to the shredder.

The system enforces all object authority, whether or not the object is visible to the interface. Therefore, a user cannot shred (delete) an object unless the user has *OBJEXIST authority to the object. However, if your system depends on menu access security rather than object security, the PC user might very well discover objects in the QSYS.LIB file system that are available for shredding.

As you expand the uses of your system and the different methods of access that you provide, you will soon discover that menu access security is not sufficient. However, servers also provide a simple way for you to prevent access to the QSYS.LIB file system through the root file system directory structure. You can use the QPWFSERVER authorization list to control which users can access the QSYS.LIB file system through the root directory.

When a user’s authority to the QPWFSERVER authorization list is *EXCLUDE, the user cannot enter the QSYS.LIB directory from the root directory structure. When a user’s authority is *USE, the user can enter the directory. Once the user has authority to enter the directory, normal object authority applies for any action the user attempts to perform on an object within the QSYS.LIB file system. In other words, the authority to the QPWFSERVER authorization list acts like a door to the entire QSYS.LIB file system. For the user with *EXCLUDE authority, the door is locked. For the user with *USE authority, or any greater authority, the door is open.

In most situations, users do not need a directory interface to access objects in the QSYS.LIB file system, so you will probably want to set the public authority to the QPWFSERVER authorization list to *EXCLUDE. Keep in mind that authority to the authorization list opens or closes the door to all libraries within the QSYS.LIB file system, including user libraries. If you encounter users who object to this exclusion, you can evaluate their requirements on an individual basis. If appropriate, you can explicitly authorize an individual user to the authorization list. However, you need to ensure that the user has appropriate authority to objects within the QSYS.LIB file system. Otherwise, the user might unintentionally delete objects or entire libraries.
Note:
  1. When your system ships, the public authority to the QPWFSERVER authorization list is *USE.
  2. If you explicitly authorize an individual user, the authorization list controls access only with NetServer file serving and file serving between servers. This does not prevent access to the same directories via FTP, ODBC, and other networks.
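
The procedure described above, as CL commands. This is an added example, not part of the original page. The user profile JSMITH and the library APPLIB are hypothetical placeholders, and the commands are assumed to be run from a profile with authority to manage the authorization list (for example, a security officer).

```cl
/* 1. Record the current entries. On a system still at the shipped   */
/*    default, *PUBLIC shows *USE.                                   */
DSPAUTL AUTL(QPWFSERVER)

/* 2. Lock the door: public users can no longer enter QSYS.LIB       */
/*    through the root directory structure.                          */
CHGAUTLE AUTL(QPWFSERVER) USER(*PUBLIC) AUT(*EXCLUDE)

/* 3. Before opening the door for one user, review what that user    */
/*    could do once inside. Object authority is the only control     */
/*    left after entry, so check the libraries that matter.          */
/*    APPLIB is a placeholder library name.                          */
DSPOBJAUT OBJ(QSYS/APPLIB) OBJTYPE(*LIB)

/* 4. Explicitly authorize the individual user (placeholder JSMITH). */
/*    *USE is enough to enter the directory.                         */
ADDAUTLE AUTL(QPWFSERVER) USER(JSMITH) AUT(*USE)

/* 5. Confirm the result: *PUBLIC *EXCLUDE, JSMITH *USE.             */
DSPAUTL AUTL(QPWFSERVER)

/* To withdraw the exception later, remove the private entry so the  */
/* user falls back to the *PUBLIC authority of *EXCLUDE.             */
RMVAUTLE AUTL(QPWFSERVER) USER(JSMITH)
```

If step 3 shows that *PUBLIC or the user's group holds *OBJEXIST or greater authority to a library, tighten that object authority before running step 4.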