TAA PRODUCTIVITY TOOLS SECURITY DISCUSSION
The TAA Productivity Tools are designed so that their use does not
violate any system security functions. Objects and data are read using
standard system interfaces such as system commands, system APIs, CL,
The tools are tested at Level 40 security. No violations exist.
Any design errors should be reported immediately to the TAA
Productivity Tools owner.
YOUR SECURITY RESPONSIBILITY
There are no known security exposures to installing the TAA
Productivity Tools on your system. The TAA Tools that are security
sensitive are controlled as described later.
Many TAA Tools exist that can assist you in evaluating and maintaining
Your responsibilities to ensure a secure system when using the TAA
- Use at least Level 30 Security. As on any system that is
interested in good security, Level 40 is recommended.
- Follow normal good guidelines for installation security. This
includes such things as minimizing the number of users with
special authorities (such as *ALLOBJ, *SECADM, or *SERVICE) and
properly authorizing the security sensitive TAA Tools.
You are placing complete trust in any user who is given *ALLOBJ
special authority. You should not assume that even though this
user may not have *SECADM or *SERVICE that you are protected.
- Ensure that any system commands that are changed to provide such
functions as a validation program are rigidly controlled.
- Ensure that no libraries exist before QSYS on the library list or
that you rigidly control what exists in those libraries. See the
later discussion of this.
- Several TAA Authorization Lists (*AUTL) exist. These allow you to
authorize users to certain functions and retain the authorizations
even though a new version of the tools is installed. *ALLOBJ users
are implicitly authorized to these *AUTLs.
Tools which use the *AUTLs are generally security sensitive.
The *AUTL objects are shipped with the *PUBLIC user as *EXCLUDE.
Allowing the *PUBLIC any authority except *EXCLUDE could
compromise security. Use the CHKTAAAUTL command to ensure
that *PUBLIC *EXCLUDE is still specified or you have explicit
reasons for making a change.
- If you change the source and re-create any of the tools, you are
responsible for the integrity of the tool. For most changes, you
should be able to follow the security designed into the tools.
- Consider the HELPTAA options on Backup and Disaster Recovery.
- Security is also provided by the CRTTAATOOL command which creates
the objects with the intended protection. If you intend to
re-create part of a tool, you should use CRTTAATOOL to re-create
the entire tool.
Almost all TAA Productivity Tools libraries and objects are shipped as
owned by QSECOFR.
The TAAJOBCTL user profile is created at the time of install if it
does not already exist. One or more programs are changed so that
TAAJOBCTL becomes the owner. This allows adopting only *JOBCTL special
authority instead of all of the special authorities of QSECOFR.
At the completion of the TAA install, the profile will be:
The UPSMON job description (*JOBD) is shipped with a USRPRF value of
QPGMR which is required for an auto start job. The *JOBD is shipped
as *PUBLIC *EXCLUDE. See the discussion of UPSMON in this document.
You should not change the ownership of the tools.
*PUBLIC *CHANGE AUTHORITY
Most TAA objects allow the *PUBLIC user *USE authority or are
specified as *EXCLUDE. A few objects allow *CHANGE authority. None of
these objects are considered to have a security or integrity issue.
The following objects allow *CHANGE authority:
- TAASTDBA and TAASTDBK *FILE objects. These are used as test data
for the DMOSUBF tool. A program exists (TAASTDBC2) that will
refresh the data.
- SAVACTRCV and SAVACTRCV2 *MSGQ objects. These message queues are
used for recovery purposes by the SAVACT tool. The queues are
cleared by the SAVALLACT or SAVCHGACT commands before submitting
the processing program to batch. Since the system must be shutdown
to the restricted state before running either SAVALLACT or
SAVCHGACT, there is little exposure to allowing *CHANGE authority.
Some *MSGQ objects appear as 'USER DEF'. The message queues
allow *PUBLIC *OBJOPR and *ADD rights in order to allow the *PUBLIC
user to send a message to the queue.
HOW SECURITY IS CONTROLLED
Most tools have no specific security considerations. They use normal
system security for accessing and updating objects.
There are several security sensitive tools that exist in the TAATOOL
library. These tools are controlled by one or more of the following:
- The user must be authorized to an authorization list.
For example, the INZPWD tool allows a user other than the Security
Officer to initialize a password. The user must be authorized to
the TAAINZPWD authorization list to use INZPWD.
- The user must have *ALLOBJ authority.
For example, the CHKTAAPRD tool allows a user to check against all
libraries on the system. To perform an accurate check, any private
libraries must be accessed.
- An overt act by the Security Officer is needed such as changing a
secure system value.
For example, the DSPPWD tool which displays users passwords will
not be operational unless the Security Officer changes the
QPWDVLDPGM system value to name the supplied program. The supplied
program captures the password when the user makes a change.
- Instructions exist with the tool that describe how to control
security. Some tools use objects in the TAASECURE library.
For example, the DSAUSRPRF tool will allow an Assistant Security
Officer to disable any user profile if the Assistant Security
Officer is authorized to the TAADSAPRF authorization list. QSECOFR
is never allowed to be disabled. Other profiles may be prevented
from being disabled by the Security Officer entering the names
into the DSAUSRPRF data area in TAASECURE. See the discussion with
the DSAUSRPRF tool.
CHECKING TAA SECURITY
The CHKTAAAUT command may be used to check the current authority on
your system against the authority shipped with the TAA Productivity
CHKTAAAUT (using the defaults) will check all authorities to TAA
objects in TAATOOL and TAASECURE and the TAA Authorization Lists in
QSYS. It will also check the authorities for command objects that are
outside of TAATOOL and TAASECURE. Any non *CMD TAA objects that are
outside of TAATOOL and TAASECURE will be flagged.
DELETING SECURITY SENSITIVE TOOLS
With proper security in place, the tools that create and change user
profiles may safely exist and be used. However, some installations may
prefer to delete these tools to avoid any possibility of their use.
To assist in this, the DLTSECTOOL is available which will delete any
significant tools that create or change user profiles. You must
have *ALLOBJ and *SECADM special authority to delete these tools or
create them if they have been deleted.
Using DLTSECTOOL will lessen security exposures, but it does not
eliminate what an *ALLOBJ special authority user might do.
TOOLS THAT ADOPT THE AUTHORITY OF QSECOFR
Some tools require that the owner's profile (QSECOFR) be adopted
during the running of a program.
All of the programs that adopt the QSECOFR profile do so in a manner
that is designed to perform only the intended function and to prevent
improper use. 'Preventing improper use' means that the programs do one
or more of the following:
- Execute HLL compiler generated functions that do not invoke any
user written sub-programs. For example, the CL command CHGDTAARA
is considered safe as well as an RPG READ or CHAIN Operation.
- Execute system commands or programs (e.g. APIs).
- Execute TAA commands by library qualifying the commands to the
TAATOOL library. TAA commands use a qualified library name. The
commands executed in this manner are checked so they are
- Execute qualified calls to programs in TAATOOL or TAASECURE. The
sub-programs that are executed also meet these criteria. For
example, calling a sub program that is library qualified to the
TAATOOL library is considered a safe function if the sub-program
performs safe functions.
- Execute against files that are specified with an Override command
that specifies SECURE(*YES). This prevents a program higher in the
program stack from re-directing the program to a different file.
- Execute TAA commands or programs by first using a program that
'unadopts'. This means that when the sub-function is run, the user
operates with his own authority and the program adopt function is
- All TAA Tool programs are created (by default) so there is no
observability. This prevents the user from using debug and
subverting the functions of the programs.
The reason that you must control the system portion of the library
list is that the TAA tools use system commands and APIs without using
QSYS as a library qualifier. If you allow users to have their own
version of a system function ahead of QSYS on the library list, your
security can be compromised with the TAA tools that adopt the security
officer profile (or with any of your own programs that use program
Several TAA Archive programs adopt the Security Officers profile in a
safe manner. These programs are not described further because only the
object code is shipped.
The following tools use the USRPRF(*OWNER) adopt function and must be
owned by a user with special authority. Some of the tools take their
authorization from an authorization list and some must be explicitly
authorized. The 'AUT' column describes the required authorization.
Tool AUT Notes List
---- --- ----- ------------
ACCSECLIB *USE 4
ADDJOBSCD2 *USE 38 TAAJOBSCDE
ADPMBR *USE 9
ALCTMPMBR *USE 7
APYRMTJRN *USE 67
AUDLOG *USE 33 TAAAUDLOG
CAPNETA *USE 14
CAPSECINF *USE 81
CAPSYSINF *USE 82
CHGBIGPARM *USE TAACHGBIGP
CHGDSTPWD2 *USE 71 TAADSTPWD2
CHGGRPPRF *USE 5
CHGSGNTXT *USE 65
CHGUSRPRF2 *USE TAACHGPRF2
CHGUSRPWD *USE 12
CHKASPSTG *USE 78
CHKINACT2 *USE 92
CHKSAVDEV *USE 16
CHKSGNCNT *USE 64
CHKSPELL *USE 17
CHKSPELL2 *USE 17
CHKTAAOWN *USE 97
CHKTAATOOL *USE 15
CHKUSRGRP *USE 101 TAACHKUSRG
CLNTAATEMP *USE TAACLNTEMP
CMPDBF2 *USE 94
CMPSRC3 *USE 85
CPYUSRPRF2 *USE 31 TAACPYUSR2
CRTVTP *USE 90 TAAVTP
CVTAUDLOG3 *USE TAAAUDLOG
CVTIFS *USE 73 TAACVTIFS
CVTIFSEAUT *USE 74 TAACVTIFS
CVTFRMSPLF *USE 43 TAACVTSPLF
CVTJOBSCDE *USE 38
CVTLIBCNT *USE TAADSPADP
CVTLIBDBF *USE TAACVTLIBD
CVTQHST *USE TAACVTQHST
DLTIFS *USE TAACVTIFS
DLTJOBLOG *USE TAACVTQHST
DLTQHST *USE TAADLTQHST
DLTUSRPRF2 *USE TAADLTUSR2
DLYCMD *USE 56
DSAUSRPRF *USE TAADSAPRF
DSPADP *USE TAADSPADP
DSPALLSPLF *USE 46 TAAALLSPLF
DSPCMDHLP *USE 77
DSPDSTQ *USE 99
DSPGRPPRF *USE 91
DSPJOB3 *USE 57
DSPJOBLOG4 *USE 89 TAASPLSEC
DSPJRNA *USE 95
DSPJRNRCVD *USE 95
DSPLIBSRCF *USE 18
DSPOBJD4 *USE 18 TAADSPOBJ4
DSPPWD *USE 2
DSPQHST2 *USE TAACVTQHST
DSPSECRVW *USE TAASECRVW
DSPSPLF2 *USE 28
DSPSYS *USE 19
DSPUSRJOB *USE 84 TAAJOBCTL
DSPUSRPRF2 *USE TAADSPUSR2
DSPUSRTXT *USE 72
DSPWTR *USE 100
DTAARAARC *USE 98
DUPFILFMT2 *USE 102 TAADBOHC2
DUPSPLF *USE 30 TAADUPSPLF
DUPTAADBF *USE 68
EDTAUTL2 *USE 58
EDTDBF *USE 48 TAAEDTDBF
EDTOBJAUT2 *USE 59
ENAUSRPRF *USE TAAENAUSR
ENDTAALIC *USE 86
EXCJOBCTL *USE 36 TAAJOBCTL
FRCJOBLOG *USE 3
INZPWD *USE TAAINZPWD
JOBACG Varies 35 TAAJOBACG
JOBDEP Varies 63
JOBTALK Varies 37 TAAJOBTALK
LMTDLTSPL2 *USE 22
LOCKMSG *USE 1
MTNALLJRN *USE 70 TAAMTNJRN
NBRCTR *USE 50
NAMADR *USE 26
NTEFIL *USE 79
PAGSEP *USE 41
JOBANZ *USE 83
PRTJOBSUM *USE 52 TAACVTQHST
PRTLIBCNT *USE 44 TAADSPADP
PRTSAVCNT *USE 44 TAADSPADP
PRTSAVLBL *USE 42
RCLSTG2 *USE 54 TAARCLSTG2
RMVSYSLIBE *USE 13
QRYUSE *USE 96
RSTALLCHG *USE TAARSTALLC
RSTALLLIB *USE TAARSTALLC
RSTANYLIB *USE TAARSTANYL
RSTMNYCHG *USE TAARSTALLC
RSTMNYLIB *USE TAARSTALLC
RSTFIL *USE 8 TAARSTFIL
RTVHDWRSC *USE 47
RTVIFSEAUT *USE 61
RTVJOBAPI *USE 34
RTVJOBSCDE *USE 37 TAAJOBSCDE
RTVMSKPWD *USE 88
RTVTIMSTM2 *USE 45
RTVTRNTBL *USE 45
RTVUSRPRF2 *USE 23 TAARTVUSR2
SAVACT *USE 60
SAVALLCHG *USE TAASAVALLC
SAVCHG23 *USE 75 TAASAVALLC
SAVE2 *USE 55
SAVLIBSAVF *USE 80
SBMJOB2 *USE 27 TAASBMJOB2
SETDAYLITE *USE 40
SHOUT *USE 20
SNDAUDE *USE 66
SNDUSRBRK *USE 53 TAASNDBRK
SNDGRPPRF *USE 24
SNDTIMMSG *USE 11
SNDUSGMSG *USE 25
SNDUSRBRK *USE 32
SPLCTL *USE 87
SPLDST *USE 29 TAASPLDST
SPLSTO *USE 81
SRCCTL *USE 6
UPSMON *USE 76
WHO *USE 51
VRYCFG2 *USE 39 TAAVRYCFG
VRYCFGOFF *USE TAAVRYCFGO
WRKDSAUSR *USE 93 TAAENAUSR
WRKALLSPLF *USE 46 TAAALLSPLF
Install *USE 21 TAAINSTALL
Index of programs that adopt
Program Tool Note
TAADBFFC LOCKMSG 1
TAADBFFE LOCKMSG 1
TAADBFFF LOCKMSG 1
TAADBFFG LOCKMSG 1
TAASEDSC23 CVTAUDLOG 33
TAASPMDC PAGSEP 41
TAASPMDC2 PAGSEP 41
TAASAVQC2 PRTSAVLBL 42
TAASPMSR WRKALLSPLF 46
TAASPMMR DSPALLSPLF 46
TAASAVTC9 SAVE2 55
TAASAVTC7 SAVE2 55
TAAJOBKC11 DLYCMD 56
TAAJODCC DSPJOB3 57
TAASEFAC5 EDTAUTL 58
TAASECFC5 EDTOBJAUT2 59
TAASAVUC24 SAVACT 60
TAASAVUC25 SAVACT 60
TAAIFSNC RTVIFSEAUT 61
TAAJODFC24 JOBDEP 63
TAAJODFR45 JOBDEP 63
TAADSPLC CHGSGNTXT 64
TAADSPLC3 CHGSGNTXT 64
TAASEFGC CHGSGNCNT 65
SNDAUD SNDAUDE 66
TAAJRODC46 APYRMTJRN 67
TAAJRODC47 APYRMTJRN 67
TAAIFSAC CVTIFS 73
TAAIFSPC CVTIFSEAUT 74
TAASAVWC SAVCHG23 75
TAASYTLC13 UPSMON 76
TAASYTLC12 UPSMON 76
TAASAWBC11 SAVLIBSAVF 80
TAASPMRR2 SPLSTO 81
TAASPMRR25 SPLSTO 81
TAASEGMC12 CAPSECINF 82
TAAJOEAC27 JOBANZ 83
TAASPLIC20 SPLCTL 87
TAASEGQC RTVMSKPWD 88
TAASEGQC2 RTVMSKPWD 88
TAASPOBC DSPJOBLOG4 89
TAATAPNC CRTVTP 90
TAATAPNC2 CRTVTP 90
TAATAPNC4 CRTVTP 90
TAATAPNC11 CRTVTP 90
TAASEGWC2 DSPGRPPRF 91
TAAJOEJC23 CHKINACT2 92
TAAJOEJC25 CHKINACT2 92
TAAJOEJC24 CHKINACT2 92
TAADBLPC CMPDBF2 94
TAAJROPC DSPJRNA 95
TAAJRORC DSPJRNRCVD 95
TAAWHRDC15 QRYUSE 96
TAAPRTOC11 DSPWTR 100
TAASELCC CHKUSRGRP 101
TAADBOHC2 DUPFILFMT2 102
TAADBINC CRTXREFLF 103
TAADBIUR13 TAAQRY 104
TAADBKXR2 CHKNAMADR 105
TAADSQAC DSPDSTQ 106
TAAEMLEC21 MAILADR 107
TAAGAMAC HORSERACE 108
TAAHSTGC RTVLSTQHST 109
TAAIFSMC RTVIFSED 110
TAAIFSMC2 RTVIFSED 110
TAAIFULC CHKIFSSAV 111
TAAJBSEC2 DSPJOBSCDE 112
TAAJOBAC2 WHO 113
TAAJOCEC2 DSPSBSJOB 114
TAAJOCHC RTVJOBAPI 115
TAAJOCKC3 JOBTALK 116
TAAJOCKC11 JOBTALK 116
TAAJOCKC14 JOBTALK 116
TAAJOCKC22 JOBTALK 116
TAAJODJC11 CHKINACT 117
TAAJODZC3 DSPUSRJOB 118
TAAARARC25 DTAARAARC 119
TAACMEYC DSPCMDHLP 120
TAAJODIC2 DSPSBSJOBQ 121
TAAJRODC35 APYRMTJRN 122
TAAJRODC59 APYRMTJRN 122
TAALIBQC RMVSYSLIBE 123
TAALOGAC2 FRCJOBLOG 124
TAALOGHR DSPALLJLG 125
TAAMBRJC ADPMBR 126
TAAMBRJC2 ADPMBR 126
TAAMBRJC3 ADPMBR 126
TAAMNUAC21 DYNMNU 127
TAAMSGLC2 SHOUT 128
TAAMSGSC SNDTIMMSG 129
TAAMSGSC9 SNDTIMMSG 129
TAAMSHJC SNDUSRBRK 130
TAANAMAC9 NAMADR 131
TAANETDC CAPNETA 132
TAANTEAC23 NTEFIL 133
TAAOBJRC CRTDUPOBJ 134
TAARPGCC RPGVALCHK 135
TAASAVNC2 CHKSAVDEV 136
TAASECCC2 CHGSCRPWD 137
TAASECHC2 CPYUSRPRF 138
TAASECIC3 CHGUSRPWD 139
TAASECJC CHGGRPPRF 140
TAASEDBC3 SECOFR2 141
TAASEEFC CHKPGMOWN 142
TAASEFZC DSPUSRTXT 143
TAASEGDC RTVUSRTXT 144
TAASEGQC CHGMSKPWD 145
TAASEGQC2 RTVMSKPWD 145
TAASPLSC3 LMTDLTSPL2 146
TAASPLWC9 DSPSPLF2 147
TAASPMRC22 CVTSPLSTO 148
TAASPNAC2 CPYSPLFIFS 149
TAASPNXC RTVSPLSIZ 150
TAASRCBC CMPSRC3 151
TAASRCHC SRCCTL 152
TAASRCHC2 SRCCTL 152
TAASRDJC DSPLIBSRCF 153
TAASRDKC FNDSRCMBR 154
TAASRDVC RTVLIBSRCF 155
TAASREEC10 CHKOBJSRC 156
TAASREHC3 CPYSRCHDR 157
TAASREIC2 CRTSTDSRCF 158
TAASYSKC3 DSPSYS 159
TAASYSXC RTVHDWRSC 160
TAASYTKC RTVIPLTIM 161
TAASYTMC4 RTVSYSINF 162
TAASYTPC2 CHKASPSTG 163
TAASYTPC3 CHKASPSTG 163
TAATAPNC5 RPLVTP 164
TAATAPNC7 RPLVTP 164
TAATAPNC6 RDYVTP 165
TAATCPGC RTVHOSTNAM 165
TAATIMDC DSPTIMZON 166
TAATIMNC11 DSPTIMZON 167
TAATMPCC ALCTMPMBR 168
TAATMPCC2 DLCTMPMBR 169
TAATOMOC CHKTAAOWN 170
TAATRNAC RTVTRNTBL 171
TAASECIC2 CHGUSRPWD2 172
TAATOMHC DUPTAADBF 173
TAASEGYC2 WRKDSAUSR 174
TAAOBLKC DSPOBJD4 175
TAATOLXC CPYTAADDS 176
TAADBHCC CVTLIBDBF 177
1. There is no known exposure with the LOCKMSG function unless you
restrict which users are allowed to send messages to other users.
The programs TAADBFFC, TAADBFFE, TAADBFFF, and TAADBFFG adopt.
2. The DSPPWD processing program must be available for public usage
to allow any user to change his password. The secure functions
require the user be authorized to the TAASECURE library which is
3. The FRCJOBLOG command of the SETJOBLOG tool adopts authority
because the intent is to make the SIGNOFF command private. If you
secure the SIGNOFF command, this may have implications for the use
of other TAA Tools or your own code.
4. The user that creates ACCSECLIB must have *ALLOBJ authority. The
list of libraries that are valid to use is controlled by the
ACCSECLIB data area in TAASECURE. Use EDTCONARR to change the
list. The data area is shipped with QGPL as a sample library. This
does not make QGPL secure, but allows testing of the ACCSECLIB
command with a library that you would normally not care if a user
displayed or copied an object from.
Any user of the ACCSECLIB command, must be authorized to the
TAAACCSECL authorization list. See the implementation instructions
for the tool.
5. The user of the CHGGRPPRF command must be explicitly authorized to
the profile in order to change group profiles.
6. The SRCCTL tool checks the authorization to a data area in the
same library as the source control files before allowing the
CHKSRCOUT or CHKSRCIN commands to operate.
7. The ALCTMPMBR commands use temporary files in TAATOOL. The user
must be authorized to add and clear to these members in a
8. The RSTFIL command prompts for the RSTOBJ command and requires the
use of the RSTOBJ library where only files may be restored.
9. The ADPMBR tool checks for the valid files to be used in the
ADPMBR data area in TAASECURE. The data area should be maintained
11. Several programs adopt to allow any user to start the SNDTIMMSG
job and use SNDTIMMSG.
12. The CHGUSRPWD tool requires the Security Officer to change the
QPWDVLDPGM system value in order to be operational.
13. The command RMVSYSLIBE is public, but the only valid libraries are
those that exist in the RMVSYSLIBE data area in TAASECURE. The
data area is shipped with no libraries entered. QSYS is always
14. The CAPNETA command is public. The current network attributes are
stored in the NETWRKATTR data area in TAASECURE. The companion
command (RTNNETA) requires a user with *ALLOBJ special authority.
15. The CHKTAATOOL command is public. Objects are accessed for read
only. No updates occur.
16. The CHKSAVDEV command is public, but the user must have *SAVSYS
or *ALLOBJ special authority (or adopt *ALLOBJ). Using adoption
for the sub program allows for the CHKSAVDEV data area to be
saved, restored to QTEMP, and deleted from QTEMP.
17. The spelling RPG programs adopt to avoid a system bug requiring
18. The DSPLIBSRCF CL program ensures the user has *USE authority to
the specified library. The QSECOFR profile is adopted because the
QADBXREF file cannot be used by the public.
19. DSPSYS uses a sub program to access the last change date of QINITT
which is excluded to the public.
20. A sub program is used by SHOUT to be able to access the user class
of any user.
21. The special install programs TAATOLUx exist in TAATOOL to allow a
subsequent install to be done by a user who is authorized to the
TAAINSTALL authorization list.
22. LMTDLTSPL2 must access a data area in TAASECURE to validate
whether the spooled file should be deleted.
23. RTVUSRPRF2 allows any user profile to be retrieved.
24. SNDGRPPRF adopts to allow access to all user profiles in order to
determine the current groups and to allow break messages to be
25. SNDUSGMSG adopts to allow break messages to be sent.
26. The CRTNAMEDT command requires some special authority to duplicate
the command object. It is the only function that adopts authority.
27. The SBMJOB2 and SBMJOB3 commands are each tied to unique
28. One program within the DSPSPLF2 command is used to access the
system defaults from the DSPSPLF2 user space in TAASECURE.
29. The DUPSPLDST command within SPLDST is used to cause DUPSPLF.
30. The DUPSPLF command requires authorization to the TAADUPSPLF
authorization list. To change to a new owner requires
authorization to the TAASPLDST authorization list.
31. The CPYUSRPRF2 command is an option on the SECOFR2 menu and
requires authorization to the TAACPYUSR2 authorization list.
32. The SNDUSRBRK command must adopt to allow any user to send a break
message (requires *JOBCTL special authority). The command is
restricted to operate only in an CL program.
33. The CVTAUDLOG command of the AUDLOG tool adopts authority and
requires a user to be authorized to the TAAAUDLOG authorization
list. This allows an operator to be able to do the conversion from
the QAUDJRN on a regular basis. CVTAUDLOG is the only command in
AUDLOG that requires authorization to the TAAAUDLOG authorization
list. Most of the other functions are controlled by the owner of
the files created by CRTAUDLOG. CVTAUDLOG3 also requires
authorization to TAAAUDLOG.
The TAASEDSC23 program adopts QSECOFR authority to display a
detail journal entry from the journal itself (Option 7 on
DSPAUDLOG). The program prevents a user who does not have *USE
authority to the AUDLOGP file from being able to use this
34. The Retrieve Job API tool is a program that adopts the QSECOFR
profile to allow retrieval from the QUSRJOBI API formats without
having *JOBCTL special authority. Nothing can be changed from the
program. The tool is used by other tools such as DSPACTJOB. The
program is unlikely to be used by a typical user because it
requires a complex parameter list be passed including the internal
job ID which cannot be determined without writing a program that
uses an API.
35. The Job Accounting tool has two commands (CVTJOBACG and
CVTJOBACG2) that adopt QSECOFR authority. Use of the commands is
restricted to users who are authorized to the TAAJOBACG
authorization list. The Print Accounting tools has the same two
commands (CVTPRTACG and CVTPRTACG) that adopt QSECOFR and also use
36. The Execute Using *JOBCTL tool adopts the QSECOFR *JOBCTL
authority. The command is restricted to those users authorized to
the TAAJOBCTL authorization list.
37. The Job Talk tool uses an authorization list for the SNDJOBTALK
command and CL program. Sub programs used by STRJOBTALK and
SNDJOBTALK and the break handling program set by STRJOBTALK use
adopted programs to access data areas in TAASECURE. CLNJOBTALK
uses adopted authority to delete unused TAAnnnnnn message queues
in the TAAWORK library. This allows the first user of the
STRJOBTALK command each day to automatically submit a batch job
for cleanup. CLNJOBTALK allows public use, but may be used at any
time by any user without harm to the Job Talk function.
38. The Job Schedule tools require use of the TAAJOBSCDE authorization
39. The VRYCFG2 tool uses the TAAVRYCFG authorization list to allow a
user without *JOBCTL to use a simple version of VRYCFG.
40. The SETDAYLITE programs adopt to allow the job to run under the
QSECOFR profile. This avoids the potential problem of the user
profile of the job being deleted when the function is scheduled.
41. The PAGSEP tool uses TAASPMDC to access the setting of the
TAAPAGSEPn application value in TAASECURE. It provides a 'read
only' function. The TAASPMDC2 program is the sample program which
allows access to the text of a passed in user profile name.
42. The PRTSAVLBL tool uses TAASAVQC2 to access the setting of the
PRTSAVLBL application value in TAASECURE. It provides a 'read
43. The CVTFRMSPLF tool uses the TAACVTSPLF authorization list for the
CVTTOSPLF command. This command uses an API which requires *ALLOBJ
authority to create a spooled file. The CVTTOSPLF processing
program is controlled by the authorization list and adopts QSECOFR
44. The PRTLIBCNT and PRTSAVCNT tools can operate across the entire
system for 'read only' purposes. The command and processing
programs are controlled by the TAADSPADP authorization list.
45. The RTVTRNTBL command retrieves the name of the system wide
Translate Table found in the TAATRNTBL data area in TAASECURE. The
command allows *PUBLIC use, but no known security exposures exist.
46. The DSPALLSPLF and WRKALLSPLF tools tool allow any user to display
his own spooled files. The TAAALLSPLF authorization list allows a
user to display spooled files owned by other users. Both the
TAASPMSR program (part of WRKALLSPLF), and TAASPMMR program (part
of DSPALLSPLF) adopt, but ensure that the user has *USE authority
to TAAALLSPLF if a user other than *CURRENT is specified.
47. The RTVHDWRSC tool must use an API that is shipped as
PUBLIC(*EXCLUDE). No known exposures exist by adopting the QSECOFR
48. The EDTDBF command checks the TAAEDTDBF authorization list if the
user is not the owner of the file. No objects are authorized to
49. The RTVTIMSTM2 command accesses the TAANBRCT user space and
updates the counter.
50. The RTVNBRCTR command accesses the NBRCTR user space and updates
51. The WHO command accesses the TAASECURE library if the default is
taken for CPUPCTLMT. There are no known exposures as this is a
'read only' access.
52. The PRTJOBSUM command requires authorization to the TAACVTQHST
authorization list to allow reading the QHST files.
53. The SNDUSRBRK2 command requires authorization to the TAASNDBRK
54. The RCLSTG2 command and program require authorization to the
TAARCLSTG2 authorization list.
55. The SAVE2 programs TAASAVTC9 and TAASAVTC7 adopt authority to
access the SAVE2 *USRSPC information and DLYCMD *DTAARA objects
from the TAASECURE library. There are no known exposures as this
is a 'read only' access.
56. The DLYCMD program TAAJOBKC11 adopts authority to access the
DLYCMD *DTAARA information from the TAASECURE library. There are
no known exposures as this is a 'read only' access.
57. The DSPJOB3 program TAAJODCC adopts authority of the TAAJOBCTL
user profile to allow a display of any job. The user must
have *JOBCTL authority or be authorized to the TAAJOBCTL
58. The EDTAUTL program TAASEFAC5 adopts authority of the of QSECOFR
to access Application Value data from TAASECURE. There are no
known exposures as this is a 'read only' access.
59. The EDTOBJAUT2 program TAASECFC5 adopts authority of the of
QSECOFR to access Application Value data from TAASECURE. There are
no known exposures as this is a 'read only' access.
60. The SAVACT program TAASAVUC24 adopts authority to access all
libraries for EDTSAVACT. The TAASAVUC25 program adopts authority
to access the SAVACT Application Value in TAASECURE.
61. The RTVIFSEAUT program TAAIFSNC adopts authority in order to
determine the current users authority.
63. The JOBDEP program TAAJODFC24 adopts to access (read only) the
JOBDEP Application Value in TAASECURE. The TAAJODFR45 program
adopts to update the Master and Detail files with start and end
64. The CHGSGNTXT programs TAADSPLC and TAADSPLC3 require *JOBCTL and
adopt to update the TAAMSGF in TAATOOL.
65. The CHKSGNCNT program TAASEFGC adopts authority to access objects
in TAASECURE. No changes occur.
66. The SNDAUDE function adopts the QSECOFR profile to allow sending
an entry to the QAUDJRN journal which may be *PUBLIC *EXCLUDE.
67. Most of the APYRMTJRN commands are *PUBLIC. STRAPYRMT, ENDAPYRMT,
SNDAPYRMTE, and CRTAPYRMTD are controlled by the TAAAPYRMT
authorization list. The STRAPYRMT, ENDAPYRMT, and SNDAPYRMTE
program adopt authority to allow operators to control the
function. Several batch jobs are submitted by STRAPYRMT and they
all adopt to allow the programs to operate on any object. The
TAAJRODC46 and TAAJRODC47 programs adopt to allow the create of a
file from the TAA Archive.
68. DUPTAADBF allows only specific files from TAATOOL to be duplicated
when outfiles are requested. This is intended for internal use by
69. RTVIPLTIM requires the use of the system program QWCCRTEC which
performs a dump. ending time of IPL and powerdown and is not
considered to security sensitive.
70. MTNALLJRN allows the maintenance of all journals. Using an
authorization list allows the system operator to perform the
function without having excess authorization on the journals.
71. CHGDSTPWD2 allows any user authorized to the CHGDSTPWD2
authorization list to reset the DST password.
72. DSPUSRTXT displays the user's text description based on entering
the user profile name.
73. The CVTIFS program TAAIFSAC adopts authority, but requires the
user to be authorized to the TAACVTIFS authorization list.
74. The CVTIFSEAUT program TAAIFSPC adopts authority, but requires the
user to be authorized to the TAACVTIFS authorization list.
75. The SAVCHG23 program TAASAVWC adopts authority, but requires the
user to be authorized to the TAASAVALLC authorization list.
76. The UPSMON TAASYTLC13 program adopts QSECOFR to allow a display of
the UPSMON values. The TAASYTLC12 program adopts QSECOFR to
provide for an orderly powerdown. The UPSMON *JOBD is shipped
with *PUBLIC *EXCLUDE. It contains the value USRPRF = QPGMR which
is required for an auto start job. If STRUPSMON2 is run, an auto
start job entry is added to the controlling subsystem and QPGMR is
authorized to *USE for the job description.
77. The DSPCMDHLP command allows any user to display the help text for
any command regardless of the authorization. The command is never
run by DSPCMDHLP.
78. The CHKASPSTG command uses two sub programs that adopt to access
the CHKASPSTG Application Value in TAASECURE.
79. The NTEFIL MTNNTEFIL command uses a sub program that adopts to
allow clearing and writing to the backup file TAANTEAT in TAATOOL.
80. The SAVLIBSAVF TAASAWBC11 adopts to allow the CHGOBJD tool to be
used to set the user attribute of a save file.
81. The SPLSTO TAASPMRR2 and TAASPMRR25 programs adopt to
allow *CHANGE authority to the spool store files while updates are
82. The CAPSECINF TAASEGMC12 program adopts to access the values from
the CAPSECINF Application Value in TAASECURE.
83. The JOBANZ TAAJOEAC27 program adopts to access a value from the
JOBANZ Application Value in TAASECURE.
85. The CMPSRC3 command adopts to allow use of the work files NEWSRCP
and OLDSRCP in TAATOOL.
86. The ENDTAALIC command adopts to allow access to a data area in in
87. The TAASPLIC20 program for SPLCTL adopts to allow update of the
SPLCTLRCV and SPLCTLRCV2 recovery data areas in TAATOOL.
88. The RTVMSKPWD TAASEGQC and TAASEGQC2 programs adopt security to
the MSKPWDP file in TAASECURE.
89. The DSPJOBLOG4 TAASPOBC program adopts to allow *ALLOBJ
and *SPLCTL. The user of the command must be authorized to the
TAASPLSEC authorization list.
90. The TAATAPNC, TAATAPNC2, TAATAPNC4, and TAATAPNC11 programs adopt
to ensure access to various functions. The user must be authorized
to the TAAVTP authorization list.
91. The DSPGRPPRF program TAASEGWC2 adopts QSECOFR to allow the use of
the DSPUSRPRF outfile function to the TAASECKP file in TAASECURE.
CVTGRPPRF then reads this file and creates the GRPPRFP program in
QTEMP which contains the user profile records for each group
member. TAASEGWC2 ensures that the profile is a group profile and
that the user has 'all rights' to the group profile.
92. The TAAJOEJC23 and TAAJOEJC25 programs adopt to access the
Application Value CHKINACT2 in TAASECURE. The TAAJOEJC24 program
adopts to access the user text description from the profile used
in WRKINACT2. Both programs perform read only functions and are
94. The CMPDBF2 program TAADBLPC adopts to allow the use of the CLPDBR
tool against the file. The file is only read and compared against
a copy of the same file made at a previous time.
95. The DSPJRNA and DSPJRNRCVD programs (TAAJROPC and TAAJRORC) adopt
to allow a 'display only' function of the journal and receiver
directory. The user must have *OBJOPR authority to the journal.
This allows operation personnel to see the journal and the
directory without having WRK options. The journal entries are not
96. The QRYUSE tool CVTQRYUSE command calls a sub program TAAWHRDC15
to delete a restored object in QTEMP. Only a DLTQRY command is
used and the object must be in QTEMP.
97. The CHKTAAOWN tool is for internal use and checks critical
programs to see if they are owned by an *ALLOBJ user and still
tied to the same *AUTL used at create time.
98. The DTAARAARC tool command STRARAARC adopts to allow a change of
the user attribute for the created save files. This ensures they
were created by the tool.
99. The DSPDSTQ tool command adopt the QSECOFR profile to provide a
public 'display only' version of WRKDSTQ.
100. The DSPWTR tool uses the TAAPRTOC11 program to allow DSPWTRSTS.
The program adopts to avoid the requirement for *JOBCTL.
101. The CHKUSRGRP tool uses the TAASELCC program to allow a user
authorized to the TAACHKUSRG *AUTL to run the command. The program
adopts to avoid the requirement for *ALLOBJ.
102. The DUPFILFMT2 tool uses the TAADBOHC2 program to allow any user
to be able to duplicate a file format (create a new file) without
being authorized to the file. The data is not copied.
103. The CRTXREFLF tool uses the TAADBINC program to allow creation
over the QADBXREF file.
104. The TAAQRY tool uses the TAADBIUR13 program to update the QRYFILP
file with the date the query was run.
105. The CHKNAMADR tool uses the TAADBKXR2 program to read the
TAADBKXP file in TAASECURE to build the arrays needed to check.
106. The DSPDSTQ tool uses the TAADSQAC program to allow any user to
display the distribution queue.
107. The MAILADR tool uses the TAAEMLEC21 program to change the the
user attribute of TAA mail files.
108. The HORSERACE tool uses the TAAGAMAC program to change the data
area in TAATOOL.
109. The RTVLSTQHST tool uses the TAAHSTGC program to access the QHST
110. The RTVIFSED tool uses the TAAIFSMC and TAAIFSMC2 programs to
access the IFS information.
111. The CHKIFSSAV tool uses the TAAIFULC program to access the IFS
112. The DSPJOBSCDE tool uses the TAAJBSEC2 program to access the job
113. The WHO tool uses the TAAJOBAC2 program to access the application
value in TAASECURE.
114. The DSPSBSJOB tool uses the TAAJOCEC2 program to access the
information via an API.
115. The RTVJOBAPI tool uses the TAAJOCHC program to access the
information via an API.
116. The JOBTALK tool uses these programs to execute commands within
117. The CHKINACT tool uses the TAAJODJC11 program to retrieve an
application value in TAASECURE.
118. The DSPUSRJOB tool uses the TAAJODZC3 and is owned by TAAJOBCTL
which provides *JOBCTL authority.
119. The DTAARAARC tool uses the TAAARARC25 program to change the
object description to update information.
120. The DSPCMDHLP tool uses the TAACMEYC program to display command
help for any command.
121. The DSPSBSJOBQ tool uses the TAAJODIC2 to provide a display of
any job queue with only display options.
122. The APYRMTJRN tool uses the TAAJRODC35 and TAAJRODC59 for
123. The RMVSYSLIBE tool uses the TAALIBQC program to remove libraries
from the system portion of the library list that have been
specified by the Security Officer.
124. The FRCJOBLOG tool uses the TAALOGAC2 program with adoption to
allow the SIGNOFF command to remain private.
125. The DSPALLJLG tool uses the TAALOGHR program with adoption to
allow any job log to be displayed. The command is controlled by
the TAADSPJLG authorization list.
126. The ADPMBR tool uses the TAAMBRJC, TAAMBRJC2, and TAAMBRJC3
programs to allow end users to operate with member commands on
files specified by the Security Officer.
127. The DYNMNU tool uses the TAAMNUAC21 program to access an
Application Value in TAASECURE.
128. The SHOUT tool uses the TAAMSGLC2 program to access any user
129. The SNDTIMMSG tool uses the TAAMSGSC and TAAMSGSC8 programs to
control the file for when messages are sent.
130. The SNDUSRBRK tool uses the TAAMSHJC programs to control the file
for when messages are sent.
131. The NAMADR tool uses the TAANAMAC9 program for internal
132. The CAPNETA tool uses the TAANETDC program to capture all
133. The NTEFIL tool uses the TAANTEAC23 program to allow update of a
134. The CRTDUPPF tool uses the TAAOBJRC program to allow a user
with *USE authority to a file to be able to duplicate it.
135. The RPGVALCHK tool uses the TAARPGCC program to allow internal
136. The CHKSAVDEV tool uses the TAASAVNC2 program with adopt so it
can S/R and delete the CHKSAVDEV data area.
137. The CHGSCRPWD tool uses the TAASECCC2 program with adopt so it
can access a program in TAASECURE.
138. The CPYUSRPRF2 tool uses the TAASECHC2 program with adopt so it
can use CHGUSRPRF command.
139. The CHGUSRPWD tool uses the TAASECIC3 program with adopt so it
can access an exit program in TAASECURE.
140. The CHGGRPPRF tool uses the TAASECJC program with adopt so it can
change the group profile during a job.
141. The SECOFR2 tool uses the TAASEDBC3 program with adopt so it can
142. The CHKPGMOWN tool uses the TAASEEFC program with adopt so it can
determine the owner of any program.
143. The DSPUSRTXT tool uses the TAASEFZC program with adopt so it can
determine the user text of any user.
144. The RTVUSRTXT tool uses the TAASEGDC program with adopt so it can
determine the user text of any user.
145. The CHGMSKPWD tool uses the TAASEGQC and TAASEGQC2 programs with
adopt to mask a password. The source code is not shipped with the
146. The LMTDLTSPL2 tool uses the TAASPLSC2 program with adopt to
147. The DSPSPLF2 tool uses the TAASPLWC9 program with adopt to access
148. The CVTSPLSTO tool uses the TAASPMRC22 program with adopt to
change a user space in the SPLSTO library.
149. The CPYSPLFIFS tool uses the TAASPNAC2 program with adopt to
check for product requirements.
150. The RTVSPLSIZ tool uses the TAASPNXC program with adopt to access
all spooled file information.
151. The CMPSRC3 tool uses the TAASRCBC program with adopt to allow
152. The SRCCTL tool uses the TAASRCHC and TAASRCHC2 programs with
adopt to allow updates to occur.
153. The DSPLIBSRCF tool uses the TAASRDJC program to determine the
source files in the library.
154. The FNDSRCMBR tool uses the TAASRDKC program to determine the
source files in the library.
155. The RTVLIBSRCF tool uses the TAASRDVC program to determine the
source files in the library.
156. The CHKOBJSRC tool uses the TAASREEC10 program for the prompt
override of CHKOBJSRC.
157. The CPYSRCHDR tool uses the TAASREHC3 program with adopt when
copying standard source members.
158. The CRTSTDSRCF tool uses the TAASREIC2 program to adopt to access
the TAASECURE library.
159. The DSPSYS tool uses the TAASYSKC3 program to adopt while
accessing system objects.
160. The RTVHDWRSC tool uses the TAASYSXC program with adopt while
161. The RTVIPLTIM tool uses the TAASYTXC program with adopt while
162. The RTVSYSINF tool uses the TAASYTMC4 program with adopt to
163. The CHKASPSTG tool uses the TAASYTPC2 and TAASYTPC3 programs to
access TAASECURE and internal processing.
164. The CRTVTP tool RPLVTP command uses the TAATAPNC5 program for
internal processing. The WRKVRTTAP command uses the TAATAPNC7
program for internal processing.
165. The RDYVTP tool uses the TAATAPNC6 program for internal
166. The RTVHOSTNAM tool uses the TAATCPGC program for internal
167. The DSPTIMZON tool uses the TAATIMNC11 program to access
168. The ALCTMPMBR tool uses the TAATMPCC program for internal
169. The DLCTMPMBR tool uses the TAATMPCC2 program for internal
170. The CHKTAAOWN tool uses the TAATOMOC program to check against any
171. The RTVTRNTBL tool uses the TAATRNAC program to access TAASECURE.
172. The CHGUSRPWD tool uses the TAASECIC2 program to access
173. The DUPTAADBF tool uses the TAATOMHC program to access to allow
duplication from TAATOOL.
174. The TAASEGYC2 program adopts to allow enabling of a user profile.
The user must be authorized to the TAAENAUSR authorization list.
The check occurs using the UNADOPT tool (the objects are not
controlled by the authorization list).
175. The TAAOBLKC program adopts to allow a user who is authorized to
the TAADSPOBJ4 authorization list to display any object
attributes. Only the attributes are displayed and not data. None
of the objects are tied to the authorization list. Checking occurs
176. The TAATOLXC program adopts to allow the CPYTAADDS tool to use
the CPYTAA tool to create files from DDS in the archive. Only DDS
source is accessed.
177. The TAACVTLIBD authorization list is used to allow access to
CVTLIBDBF for library special values such as *ALL. No objects are
authorized to the list. The TAADBHCC program adopts.
DETERMINING PROGRAMS THAT ADOPT
You can determine the programs in TAATOOL that adopt authority by
using the PRTPGMA tool and specifying USRPRF(*OWNER).
For certain tools, an authorization list is created in QSYS to allow a
more convenient means of authorization and to allow security to remain
in place even though you re-create a tool or install a new version of
the TAA Productivity Tools.
The authorization lists are created as part of the installation of the
TAA Productivity Tools if they do not already exist. Some
authorization lists are used by multiple tools.
The following is a list of the TAA Authorization lists, the tools that
use each list and the objects that are shipped as authorized to the
list in QSYS Tool Notes Object Type Total
------------ ---- ----- ------ ---- -----
TAAACCSECL ACCSECLIB ACCSECLIB *CMD 2
TAAALLSPLF DSPALLSPLF 6 0
TAAAPYRMT APYRMTJRN STRAPYRMT *CMD 8
TAAAUDLOG AUDLOG CVTAUDLOG *CMD 7
CVTAUDLOG3 CVTAUDLOG3 *CMD
TAACHGBIGP CHGBIGPARM CHGBIGPARM *CMD 5
TAACHGOBJ2 CHGOBJD2 CHGOBJD2 *CMD 5
CHGOBJSRC CHGOBJSRC *CMD
TAACHGPRF2 CHGUSRPRF2 CHGUSRPRF2 *CMD 2
TAACHKUSRG CHKUSRGRP CHKUSRGRP *CMD 2
TAACLNTEMP CLNTAATEMP CLNTAATEMP *CMD 6
5 TAATMPBC2 *PGM
TAACPYUSR2 CPYUSRPRF2 CPYUSRPRF2 *CMD 3
TAACVTIFS CVTIFS CVTIFS *CMD 12
TAACVTLIBD CVTLIBDBF 11 0
TAACVTQHST CVTQHST CVTQHST *CMD 22
DSPQHST2 CVTQHST2 *CMD
DLTJOBLOG DLTJOBLOG *CMD
PRTJOBSUM PRTJOBSUM *CMD
TAACVTSPLF CVTFRMSPLF CVTFRMSPLF *CMD 2
TAADLTQHST DLTQHST DLTQHST *CMD 2
TAADLTUSR2 DLTUSRPRF2 DLTUSRPRF *CMD 2
TAADPTSEC SECOFR2 3
TAADSAPRF DSAUSRPRF DSAUSRPRF *CMD 2
TAADSPADP DSPADP 1 DSPCLSA *CMD 34
CVTLIBCNT CVTLIBCNT *CMD
PRTLIBCNT PRTLIBCNT *CMD
PRTSAVCNT PRTSAVCNT *CMD
TAADSPJLG DSPALLJLG None 0
TAADSPOBJ4 DSPOBJD4 None 0
TAADSPUSR2 DSPUSRPRF2 DSPUSRPRF2 *CMD 4
TAADSTPWD2 CHGDSTPWD2 CHGDSTPWD2 *CMD 2
TAADUPSPLF DUPSPLF DUPSPLF *CMD 2
TAAEDTDBF EDTDBF 9 0
TAAENAUSR ENAUSRPRF ENAUSRPRF *CMD 2
TAAINSTALL Install 2 TAATOLUC *PGM 3
TAAINZPWD INZPWD INZPWD *CMD 8
TAAJOBACG JOBACG CVTJOBACG *CMD 14
PRTACG CVTPRTACG *CMD
CVTJOBACG3 CVTJOBACG3 *CMD
TAAJOBCTL EXCJOBCTL 10 EXCJOBCTL *CMD 2
TAAJOBSCDE RTVJOBSCDE RTVJOBSCDE *CMD 8
CVTJOBSCDE CVTJOBSCDE *CMD
ADDJOBSCD2 ADDJOBSCD2 *CMD
CPYJOBSCDE CVTJOBSCDE *CMD
DSPJOBSCDR DSPJOBSCDR *CMD
TAAJOBTALK JOBTALK SNDJOBTALK *CMD 2
TAAMTNJRN MTNALLJRN MTNALLJRN *CMD 2
TAAPRDLIB CHGPRDLIB CHGPRDLIB *CMD 2
TAARCLSTG2 RCLSTG2 RCLSTG2 *CMD 4
RCLSTGBCH RCLSTGBCH *CMD
TAARSTALLC RSTALLCHG RSTALLCHG *CMD 8
TAARSTANYL RSTANYLIB RSTANYLIB *CMD 2
TAARSTFIL RSTFIL RSTFIL *CMD 2
TAARTVUSR2 RTVUSRPRF2 RTVUSRPRF2 *CMD 2
TAASAVALLC SAVALLCHG SAVALLCHG *CMD 9
SAVCHG23 SAVCHG23 *CMD
TAASBMJOB2 SBMJOB2 SBMJOB2 *CMD 1
TAASBMJOB3 SBMJOB2 SBMJOB3 *CMD 1
TAASECOFR2 SECOFR2 7 0
TAASECRVW DSPSECRVW DSPSECRVW *CMD 3
TAASNDBRK SNDUSRBRK SNDUSRBRK2 *CMD 1
TAASNDGRP SNDGRPPRF SNDGRPPRF *CMD 4
TAASNDUSG SNDUSGMSG SNDUSGMSG *CMD 2
TAASPLDST SPLDST DUPSPLDST *CMD 4
TAASRCACC TAAARC 4 CPYTAA *CMD 8
TAAVRYCFG VRYCFG2 VRYCFG2 *CMD 2
TAAVRYCFGO VRYCFGOFF VRYCFGOFF *CMD 2
1. Several other tools use one of the DSPxxxA commands. For example,
PRTDBFEXP uses DSPOBJDA to allow a user to execute over any or all
libraries if he is authorized to TAADSPADP. See the discussion
2. The initial installation must be done by a user with *ALLOBJ
special authority. Any subsequent installs can be done by any user
who is authorized to the TAAINSTALL authorization list. See the
information member 'Installing as a Non-QSECOFR' on the HELPTAA
3. The TAADPTSEC authorization list is optional. If you want
Departmental Security Officers, use the CRTDPTSEC command of the
SECOFR2 tool to create the authorization list. If TAADPTSEC
exists, the options on the SECOFR2 menu check for the existence of
the authorization list and only allow the user profiles to be
managed if the user has all authority to the user profile . See
the discussion with the SECOFR2 tool.
4. The TAASRCACC authorization list is used for TAA Archive functions
involving source. You must have *USE authority to display, copy,
or scan any program source in the archive.
5. The TAATMPBC2 program is optional and may not exist.
6. *USE authority to the TAAALLSPLF authorization list is checked
within the TAASPMMR and TAASPMSR programs if a user other
than *CURRENT is specified.
7. *CHANGE authority to TAASECOFR2 is required to display the SECOFR2
menu without prompting for the current password. *USE authority
requires entering the current password. The authorization list is
shipped as *CHANGE.
8. *USE authority to TAAJOBACG is required to convert journal entries
for either JOBACG or PRTACG.
9. If the user is not the owner of the file, he must be authorized to
TAAEDTDBF. No objects are controlled by the authorization list.
10. The TAAJOBCTL authorization list is also used by the DSPJOB3 tool,
but no objects in the tool are authorized to TAAJOBCTL. The
program checks internally for authorization.
11. The TAACVTLIBD authorization list is used to allow access to
CVTLIBDBF for library special values such as *ALL. No objects are
authorized to the list. The TAADBHCC program adopts.
To authorize a user to a tool which is controlled by an authorization
list, you need to specify *USE authority. You may use EDTAUTL and
operate from the interactive display or the following command:
ADDAUTLE AUTL(xxxxx) USER(xxx) AUT(*USE)
The objects that use an authorization list are created so that
the *PUBLIC user accesses their authority from the authorization list.
The authorization lists are created with the *PUBLIC being *EXCLUDE.
This allows a simple change to the authorization list if you want the
tool to be usable by *PUBLIC.
Copyright TAA Tools, Inc. 1995, 2017