General statement
The TAA Productivity Tools are designed so that their use does not
violate any system security functions. Objects and data are read using
standard system interfaces such as system commands, system APIs, CL,
and RPG.
The tools are tested at Level 40 security. No violations exist.
Any design errors should be reported immediately to the TAA
Productivity Tools owner.
Your security responsibility
There are no known security exposures to installing the TAA
Productivity Tools on your system. The TAA Tools that are security
sensitive are controlled as described later.
Many TAA Tools exist that can assist you in evaluating and maintaining
system security.
Your responsibilities to ensure a secure system when using the TAA
Tools are:
- Use at least Level 30 Security. As on any system that is
interested in good security, Level 40 is recommended.
- Follow normal good guidelines for installation security. This
includes such things as minimizing the number of users with
special authorities (such as *ALLOBJ, *SECADM, or *SERVICE) and
properly authorizing the security sensitive TAA Tools.
You are placing complete trust in any user who is given *ALLOBJ
special authority. Do not assume that you are protected just
because this user may not have *SECADM or *SERVICE.
- Ensure that any system commands that are changed to provide such
functions as a validation program are rigidly controlled.
- Ensure that no libraries exist before QSYS on the library list or
that you rigidly control what exists in those libraries. See the
later discussion of this.
- Several TAA Authorization Lists (*AUTL) exist. These allow you to
authorize users to certain functions and retain the authorizations
even though a new version of the tools is installed. *ALLOBJ users
are implicitly authorized to these *AUTLs.
Tools which use the *AUTLs are generally security sensitive.
The *AUTL objects are shipped with the *PUBLIC user as *EXCLUDE.
Allowing the *PUBLIC any authority except *EXCLUDE could
compromise security. Use the CHKTAAAUTL command to ensure that
*PUBLIC *EXCLUDE is still specified or you have explicit reasons
for making a change.
- If you change the source and re-create any of the tools, you are
responsible for the integrity of the tool. For most changes, you
should be able to follow the security designed into the tools.
- Consider the HELPTAA options on Backup and Disaster Recovery.
- Security is also provided by the CRTTAATOOL command which creates
the objects with the intended protection. If you intend to
re-create part of a tool, you should use CRTTAATOOL to re-create
the entire tool.
Ownership
Almost all TAA Productivity Tools libraries and objects are shipped as
owned by QSECOFR.
The TAAJOBCTL user profile is created at the time of install if it
does not already exist. One or more programs are changed so that
TAAJOBCTL becomes the owner. This allows adopting only *JOBCTL special
authority instead of all of the special authorities of QSECOFR.
At the completion of the TAA install, the profile will be:
PASSWORD(*NONE)
PWDEXP(*NO)
STATUS(*DISABLED)
INLPGM(*NONE)
INLMNU(*SIGNOFF)
LMTCPB(*YES)
SPCAUT(*JOBCTL)
The UPSMON job description (*JOBD) is shipped with a USRPRF value of
QPGMR which is required for an auto start job. The *JOBD is shipped as
*PUBLIC *EXCLUDE. See the discussion of UPSMON in this document.
You should not change the ownership of the tools.
*PUBLIC *CHANGE authority
Most TAA objects allow the *PUBLIC user *USE authority or are
specified as *EXCLUDE. A few objects allow *CHANGE authority. None of
these objects are considered to have a security or integrity issue.
The following objects allow *CHANGE authority:
- TAASTDBA and TAASTDBK *FILE objects. These are used as test data
for the DMOSUBF tool. A program exists (TAASTDBC2) that will
refresh the data.
- SAVACTRCV and SAVACTRCV2 *MSGQ objects. These message queues are
used for recovery purposes by the SAVACT tool. The queues are
cleared by the SAVALLACT or SAVCHGACT commands before submitting
the processing program to batch. Since the system must be shut
down to the restricted state before running either SAVALLACT or
SAVCHGACT, there is little exposure to allowing *CHANGE authority.
Some *MSGQ objects appear as 'USER DEF'. The message queues allow
*PUBLIC *OBJOPR and *ADD rights in order to allow the *PUBLIC user to
send a message to the queue.
How Security is controlled
Most tools have no specific security considerations. They use normal
system security for accessing and updating objects.
There are several security sensitive tools that exist in the TAATOOL
library. These tools are controlled by one or more of the following:
- The user must be authorized to an authorization list.
For example, the INZPWD tool allows a user other than the Security
Officer to initialize a password. The user must be authorized to
the TAAINZPWD authorization list to use INZPWD.
- The user must have *ALLOBJ authority.
For example, the CHKTAAPRD tool allows a user to check against all
libraries on the system. To perform an accurate check, any private
libraries must be accessed.
- An overt act by the Security Officer is needed such as changing a
secure system value.
For example, the DSPPWD tool which displays users' passwords will
not be operational unless the Security Officer changes the
QPWDVLDPGM system value to name the supplied program. The supplied
program captures the password when the user makes a change.
- Instructions exist with the tool that describe how to control
security. Some tools use objects in the TAASECURE library.
For example, the DSAUSRPRF tool will allow an Assistant Security
Officer to disable any user profile if the Assistant Security
Officer is authorized to the TAADSAPRF authorization list. QSECOFR
is never allowed to be disabled. Other profiles may be prevented
from being disabled by the Security Officer entering the names
into the DSAUSRPRF data area in TAASECURE. See the discussion with
the DSAUSRPRF tool.
Checking TAA Security
The CHKTAAAUT command may be used to check the current authority on
your system against the authority shipped with the TAA Productivity
Tools.
CHKTAAAUT (using the defaults) will check all authorities to TAA
objects in TAATOOL and TAASECURE and the TAA Authorization Lists in
QSYS. It will also check the authorities for command objects that are
outside of TAATOOL and TAASECURE. Any non *CMD TAA objects that are
outside of TAATOOL and TAASECURE will be flagged.
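The shipped-authority rules stated in this document can also be applied offline to an exported object listing. The following Python code is an added example, not TAA code and not how CHKTAAAUT is implemented. The row layout, the finding names, the OPSUSER owner and the sample rows are constructed, and the input is assumed to contain only TAA objects.

```python
# Added example: offline check of exported TAA object authorities against the
# shipped rules this document states. Not TAA code; sample rows are constructed.
from dataclasses import dataclass

TAA_LIBS = {"TAATOOL", "TAASECURE"}
# The only objects the document lists as shipped with *PUBLIC *CHANGE.
SHIPPED_CHANGE = {
    ("TAASTDBA", "*FILE"), ("TAASTDBK", "*FILE"),
    ("SAVACTRCV", "*MSGQ"), ("SAVACTRCV2", "*MSGQ"),
}
# Named in the document as shipped *PUBLIC *EXCLUDE.
SHIPPED_EXCLUDE = {("UPSMON", "*JOBD")}
# Objects ship owned by QSECOFR; some programs are owned by TAAJOBCTL.
EXPECTED_OWNERS = {"QSECOFR", "TAAJOBCTL"}


@dataclass(frozen=True)
class ObjAut:
    library: str
    name: str
    objtype: str      # *CMD, *PGM, *FILE, *MSGQ, *AUTL, ...
    public_aut: str   # *EXCLUDE, *USE, *CHANGE, *ALL or "USER DEF"
    owner: str


def findings_for(o):
    """Return the names of the rules this object violates (empty if none)."""
    out = []
    key = (o.name, o.objtype)
    if o.objtype == "*AUTL":
        # TAA authorization lists ship with *PUBLIC *EXCLUDE.
        if o.public_aut != "*EXCLUDE":
            out.append("AUTL_PUBLIC_NOT_EXCLUDE")
    elif key in SHIPPED_EXCLUDE:
        if o.public_aut != "*EXCLUDE":
            out.append("SHIPPED_EXCLUDE_LOOSENED")
    elif o.public_aut == "*CHANGE":
        if key not in SHIPPED_CHANGE:
            out.append("UNEXPECTED_PUBLIC_CHANGE")
    elif o.public_aut == "*ALL":
        out.append("PUBLIC_ALL")
    elif o.public_aut == "USER DEF" and o.objtype != "*MSGQ":
        # Only some *MSGQ objects are described as appearing as 'USER DEF'.
        out.append("UNEXPECTED_USER_DEF")
    if o.owner not in EXPECTED_OWNERS:
        out.append("OWNER_CHANGED")
    # Outside TAATOOL/TAASECURE only *CMD objects and the *AUTLs in QSYS
    # are expected.
    autl_in_qsys = o.library == "QSYS" and o.objtype == "*AUTL"
    if o.library not in TAA_LIBS and o.objtype != "*CMD" and not autl_in_qsys:
        out.append("NON_CMD_OUTSIDE_TAA_LIBS")
    return out


def audit(rows):
    """Map 'LIB/NAME TYPE' to its findings, for objects that have any."""
    report = {}
    for o in rows:
        found = findings_for(o)
        if found:
            report[f"{o.library}/{o.name} {o.objtype}"] = found
    return report


# Constructed sample listing (object names are taken from this document,
# the authorities and owners shown are made up for the example).
SAMPLE = [
    ObjAut("QSYS", "TAAINZPWD", "*AUTL", "*EXCLUDE", "QSECOFR"),
    ObjAut("QSYS", "TAAENAUSR", "*AUTL", "*USE", "QSECOFR"),
    ObjAut("TAATOOL", "TAASTDBA", "*FILE", "*CHANGE", "QSECOFR"),
    ObjAut("TAATOOL", "SAVACTRCV", "*MSGQ", "*CHANGE", "QSECOFR"),
    ObjAut("TAATOOL", "TAAMSGF", "*MSGF", "*CHANGE", "QSECOFR"),
    ObjAut("TAATOOL", "UPSMON", "*JOBD", "*USE", "QSECOFR"),
    ObjAut("TAATOOL", "TAAJODCC", "*PGM", "*USE", "TAAJOBCTL"),
    ObjAut("TAATOOL", "DSPCMDHLP", "*CMD", "*USE", "OPSUSER"),
    ObjAut("QGPL", "DSPCMDHLP", "*CMD", "*USE", "QSECOFR"),
    ObjAut("QGPL", "TAAJODCC", "*PGM", "*USE", "TAAJOBCTL"),
]

if __name__ == "__main__":
    for obj, found in audit(SAMPLE).items():
        print(obj, "->", ", ".join(found))
```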
Deleting security sensitive tools
With proper security in place, the tools that create and change user
profiles may safely exist and be used. However, some installations may
prefer to delete these tools to avoid any possibility of their use.
To assist in this, the DLTSECTOOL is available which will delete any
significant tools that create or change user profiles. You must have
*ALLOBJ and *SECADM special authority to delete these tools or create
them if they have been deleted.
Using DLTSECTOOL will lessen security exposures, but it does not
eliminate what an *ALLOBJ special authority user might do.
Tools that adopt the authority of QSECOFR
Some tools require that the owner's profile (QSECOFR) be adopted
during the running of a program.
All of the programs that adopt the QSECOFR profile do so in a manner
that is designed to perform only the intended function and to prevent
improper use. 'Preventing improper use' means that the programs do one
or more of the following:
- Execute HLL compiler generated functions that do not invoke any
user written sub-programs. For example, the CL command CHGDTAARA
is considered safe as well as an RPG READ or CHAIN Operation.
- Execute system commands or programs (e.g. APIs).
- Execute TAA commands by library qualifying the commands to the
TAATOOL library. TAA commands use a qualified library name. The
commands executed in this manner are checked so they are
considered safe.
- Execute qualified calls to programs in TAATOOL or TAASECURE. The
sub-programs that are executed also meet these criteria. For
example, calling a sub program that is library qualified to the
TAATOOL library is considered a safe function if the sub-program
performs safe functions.
- Execute against files that are specified with an Override command
that specifies SECURE(*YES). This prevents a program higher in the
program stack from re-directing the program to a different file.
- Execute TAA commands or programs by first using a program that
'unadopts'. This means that when the sub-function is run, the user
operates with his own authority and the program adopt function is
not considered.
- All TAA Tool programs are created (by default) so there is no
observability. This prevents the user from using debug and
subverting the functions of the programs.
The reason that you must control the system portion of the library
list is that the TAA tools use system commands and APIs without using
QSYS as a library qualifier. If you allow users to have their own
version of a system function ahead of QSYS on the library list, your
security can be compromised with the TAA tools that adopt the security
officer profile (or with any of your own programs that use program
adopt).
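The library list requirement described above can be checked with a small audit. The following Python code is an added example, not part of the TAA tools. The library SITEOVR, its contents, the authorities and the finding names are constructed for illustration.

```python
# Added example: audit of the system portion of the library list, using
# constructed data. Library SITEOVR and its contents are hypothetical.
ADD_CAPABLE = {"*CHANGE", "*ALL"}   # authorities that include *ADD to a library


def resolve(name, liblist, contents):
    """Library in which an unqualified object name is found first, else None."""
    for lib in liblist:
        if name in contents.get(lib, set()):
            return lib
    return None


def audit_system_liblist(liblist, public_aut, contents):
    """Return (library, finding, detail) tuples for libraries ahead of QSYS."""
    if "QSYS" not in liblist:
        return [("*SYSLIBL", "QSYS_MISSING", "")]
    findings = []
    qsys_names = contents.get("QSYS", set())
    for lib in liblist[:liblist.index("QSYS")]:
        aut = public_aut.get(lib, "*UNKNOWN")
        if aut in ADD_CAPABLE:
            # *PUBLIC can place new objects where they are searched before QSYS.
            findings.append((lib, "PUBLIC_CAN_ADD_OBJECTS", aut))
        else:
            # Still ahead of QSYS: its contents must be rigidly controlled.
            findings.append((lib, "AHEAD_OF_QSYS", aut))
        for name in sorted(contents.get(lib, set()) & qsys_names):
            # An unqualified reference from an adopting program would find
            # this object instead of the QSYS one.
            if resolve(name, liblist, contents) == lib:
                findings.append((lib, "SHADOWS_QSYS_OBJECT", name))
    return findings


# Constructed sample data: the same libraries in two orders.
SYSLIBL_BEFORE = ["SITEOVR", "QSYS", "QSYS2", "QHLPSYS", "QUSRSYS"]
SYSLIBL_AFTER = ["QSYS", "QSYS2", "QHLPSYS", "QUSRSYS", "SITEOVR"]
PUBLIC_AUT = {"SITEOVR": "*CHANGE"}
CONTENTS = {
    "SITEOVR": {"SIGNOFF", "SITECMD"},
    "QSYS": {"SIGNOFF", "CHGDTAARA", "DSPUSRPRF", "RSTOBJ"},
}

if __name__ == "__main__":
    for finding in audit_system_liblist(SYSLIBL_BEFORE, PUBLIC_AUT, CONTENTS):
        print(finding)
```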
Several TAA Archive programs adopt the Security Officer's profile in a
safe manner. These programs are not described further because only the
object code is shipped.
Tool Index
The following tools have programs that adopt the owner's user profile
and must be owned by a user with special authority. Some of the tools
take their authorization from an authorization list and some must be
explicitly authorized. The 'AUT' column describes the required
authorization. Notes as to their security follow this table.
Tool AUT Note Authorization List
---- --- ---- ------------------
ACCSECLIB *USE 1 TAAACCSECL
ADDJOBSCD2 *USE 2 TAAJOBSCDE
ADPMBR *USE 3
ALCTMPMBR *USE 4
APYRMTJRN *USE 5 TAAAPYRMT
AUDLOG *USE 6 TAAAUDLOG
CAPNETA *USE 7
CAPSECINF *USE 8
CAPSYSINF *USE 9
CHGBIGPARM *USE 10 TAACHGBIGP
CHGDSTPWD2 *USE 11 TAADSTPWD2
CHGGRPPRF *USE 12
CHGSGNTXT *USE 13
CHGUSRPRF2 *USE 14 TAACHGPRF2
CHGUSRPWD *USE 15
CHKASPSTG *USE 16
CHKINACT2 *USE 17
CHKSAVDEV *USE 18
CHKSGNCNT *USE 19
CHKSPELL *USE 20
CHKSPELL2 *USE 21
CHKTAAOWN *USE 22
CHKTAATOOL *USE 23
CHKUSRGRP *USE 24 TAACHKUSRG
CLNTAATEMP *USE 25 TAACLNTEMP
CMPDBF2 *USE 26
CMPSRC3 *USE 27
CPYJOBSCDE *USE 28 TAAJOBSCDE
CPYUSRPRF2 *USE 29 TAACPYUSR2
CRTVTP *USE 30 TAAVTP
CVTAUDLOG3 *USE 31 TAAAUDLOG
CVTFRMSPLF *USE 32 TAACVTSPLF
CVTIFS *USE 33 TAACVTIFS
CVTIFSEAUT *USE 34 TAACVTIFS
CVTJOBSCDE *USE 35 TAAJOBSCDE
CVTLIBCNT *USE 36 TAADSPADP
CVTLIBDBF *USE 37 TAACVTLIBD
CVTQHST *USE 38 TAACVTQHST
DLTIFS *USE 39 TAACVTIFS
DLTJOBLOG *USE 40 TAACVTQHST
DLTQHST *USE 41 TAADLTQHST
DLTUSRPRF2 *USE 42 TAADLTUSR2
DLYCMD *USE 43
DSAUSRPRF *USE 44 TAADSAPRF
DSPADP *USE 45 TAADSPADP
DSPALLSPLF *USE 46 TAAALLSPLF
DSPCMDHLP *USE 47
DSPDSTQ *USE 48
DSPGRPPRF *USE 49
DSPJOB3 *USE 50
DSPJOBLOG4 *USE 51 TAASPLSEC
DSPJRNA *USE 52
DSPJRNRCVD *USE 53
DSPLIBSRCF *USE 54
DSPOBJD4 *USE 55 TAADSPOBJ4
DSPPWD *USE 56
DSPQHST2 *USE 57 TAACVTQHST
DSPSECRVW *USE 58 TAASECRVW
DSPSPLF2 *USE 59
DSPSYS *USE 60
DSPUSRJOB *USE 61 TAAJOBCTL
DSPUSRPRF2 *USE 62 TAADSPUSR2
DSPUSRTXT *USE 63
DSPWTR *USE 64
DTAARAARC *USE 65
DUPFILFMT2 *USE 66 TAADBOHC2
DUPSPLF *USE 67 TAADUPSPLF
DUPTAADBF *USE 68
EDTAUTL2 *USE 69
EDTDBF *USE 70 TAAEDTDBF
EDTOBJAUT2 *USE 71
ENAUSRPRF *USE 72 TAAENAUSR
ENDTAALIC *USE 73
EXCJOBCTL *USE 74 TAAJOBCTL
FRCJOBLOG *USE 75
Install *USE 76 TAAINSTALL
INZPWD *USE 77 TAAINZPWD
JOBACG Varies 78 TAAJOBACG
JOBANZ Varies 79
JOBANZ *USE 80
JOBDEP Varies 81
JOBTALK Varies 82 TAAJOBTALK
LMTDLTSPL2 *USE 83
LOCKMSG *USE 84
MTNALLJRN *USE 85 TAAMTNJRN
NAMADR *USE 86
NBRCTR *USE 87
NTEFIL *USE 88
PAGSEP *USE 89
PRTJOBSUM *USE 90 TAACVTQHST
PRTLIBCNT *USE 91 TAADSPADP
PRTSAVCNT *USE 92 TAADSPADP
PRTSAVLBL *USE 93
QRYUSE *USE 94
RCLSTG2 *USE 95 TAARCLSTG2
RMVSYSLIBE *USE 96
RSTALLCHG *USE 97 TAARSTALLC
RSTALLLIB *USE 98 TAARSTALLC
RSTANYLIB *USE 99 TAARSTANYL
RSTFIL *USE 100 TAARSTFIL
RSTMNYCHG *USE 101 TAARSTALLC
RSTMNYLIB *USE 102 TAARSTALLC
RTVHDWRSC *USE 103
RTVIFSEAUT *USE 104
RTVIFSPATH *USE 105
RTVIPLTIM *USE 106
RTVJOBAPI *USE 107
RTVJOBSCDE *USE 108 TAAJOBSCDE
RTVMSKPWD *USE 109
RTVTIMSTM2 *USE 110
RTVTRNTBL *USE 111
RTVUSRPRF2 *USE 112 TAARTVUSR2
SAVACT *USE 113
SAVALLCHG *USE 114 TAASAVALLC
SAVCHG23 *USE 115 TAASAVALLC
SAVE2 *USE 116
SAVLIBSAVF *USE 117
SBMJOB2 *USE 118 TAASBMJOB2
SETDAYLITE *USE 119
SHOUT *USE 120
SNDAUDE *USE 121
SNDGRPPRF *USE 122 TAASNDGRP
SNDTIMMSG *USE 123
SNDUSGMSG *USE 124 TAASNDUSG
SNDUSRBRK *USE 125 TAASNDBRK
SNDUSRBRK *USE 126
SPLCTL *USE 127
SPLDST *USE 128 TAASPLDST
SPLSTO *USE 129
SRCCTL *USE 130
UPSMON *USE 131
VRYCFG2 *USE 132 TAAVRYCFG
VRYCFGOFF *USE 133 TAAVRYCFGO
WHO *USE 134
WRKALLSPLF *USE 135 TAAALLSPLF
WRKDSAUSR *USE 136 TAAENAUSR
1. The user that creates ACCSECLIB must have *ALLOBJ authority. The
list of libraries that are valid to use is controlled by the
ACCSECLIB data area in TAASECURE. Use EDTCONARR to change the
list. The data area is shipped with QGPL as a sample library. This
does not make QGPL secure, but allows testing of the ACCSECLIB
command with a library that you would normally not care if a user
displayed or copied an object from. Any user of the ACCSECLIB
command must be authorized to the TAAACCSECL authorization list.
See the implementation instructions for the tool.
2. The Job Schedule tools require use of the TAAJOBSCDE authorization
list.
3. The ADPMBR tool checks for the valid files to be used in the
ADPMBR data area in TAASECURE. The data area should be maintained
with EDTCONARR.
4. The ALCTMPMBR commands use the TAATMP* temporary files in TAATOOL.
These files are shipped with *PUBLIC *EXCLUDE. Users must be
explicitly authorized to these files to add and clear members in a
controlled manner.
5. Most of the APYRMTJRN commands are *PUBLIC. STRAPYRMT, ENDAPYRMT,
SNDAPYRMTE, and CRTAPYRMTD are controlled by the TAAAPYRMT
authorization list. The STRAPYRMT, ENDAPYRMT, and SNDAPYRMTE
programs adopt authority to allow operators to control the
function. Several batch jobs are submitted by STRAPYRMT and they
all adopt to allow the programs to operate on any object. The
TAAJRODC46 and TAAJRODC47 programs adopt to allow the creation of
a file from the TAA Archive.
6. The CVTAUDLOG command of the AUDLOG tool adopts authority and
requires a user to be authorized to the TAAAUDLOG authorization
list. This allows an operator to be able to do the conversion from
the QAUDJRN on a regular basis. CVTAUDLOG is the only command in
AUDLOG that requires authorization to the TAAAUDLOG authorization
list. Most of the other functions are controlled by the owner of
the files created by CRTAUDLOG. CVTAUDLOG3 also requires
authorization to TAAAUDLOG. The TAASEDSC23 program adopts QSECOFR
authority to display a detail journal entry from the journal
itself (Option 7 on DSPAUDLOG). The program prevents a user who
does not have *USE authority to the AUDLOGP file from being able
to use this function.
7. The CAPNETA command is public. The current network attributes are
stored in the NETWRKATTR data area in TAASECURE. The companion
command (RTNNETA) requires a user with *ALLOBJ special authority.
8. The CAPSECINF TAASEGMC12 program adopts to access the values from
the CAPSECINF Application Value in TAASECURE.
9. The users of the CAPSYSINF commands must have *ALLOBJ authority.
The library created by CRTSYSINF is *PUBLIC *EXCLUDE.
10. The programs TAATMPAC and TAATMPAC2 of the CHGBIGPARM tool are
secured by the TAACHGBIGP authorization list.
11. CHGDSTPWD2 allows any user authorized to the TAADSTPWD2
authorization list to reset the DST password.
12. The user of the CHGGRPPRF command must be explicitly authorized to
the profile in order to change group profiles.
13. The CHGSGNTXT programs TAADSPLC and TAADSPLC3 require *JOBCTL and
adopt to update the TAAMSGF in TAATOOL.
14. The program TAASEDHC of the CHGUSRPRF2 tool is secured by the
TAACHGPRF2 authorization list.
15. The CHGUSRPWD tool requires the Security Officer to change the
QPWDVLDPGM system value in order to be operational.
16. The CHKASPSTG command uses two sub programs that adopt to access
the CHKASPSTG Application Value in TAASECURE.
17. The TAAJOEJC23 and TAAJOEJC25 programs adopt to access the
Application Value CHKINACT2 in TAASECURE. The TAAJOEJC24 program
adopts to access the user text description from the profile used
in WRKINACT2. Both programs perform read only functions and are
considered safe.
18. The CHKSAVDEV command is public, but the user must have *SAVSYS or
*ALLOBJ special authority (or adopt *ALLOBJ). Using adoption for
the sub program allows for the CHKSAVDEV data area to be saved,
restored to QTEMP, and deleted from QTEMP.
19. The CHKSGNCNT program TAASEFGC adopts authority to access objects
in TAASECURE. No changes occur.
20. The spelling RPG programs adopt to avoid a system bug requiring
special authorization.
21. The spelling RPG programs adopt to avoid a system bug requiring
special authorization.
22. The CHKTAAOWN tool is for internal use and checks critical
programs to see if they are owned by an *ALLOBJ user and still
tied to the same *AUTL used at create time.
23. The CHKTAATOOL command is public. Objects are accessed for read
only. No updates occur.
24. The CHKUSRGRP tool uses the TAASELCC program to allow a user
authorized to the TAACHKUSRG *AUTL to run the command. The program
adopts to avoid the requirement for *ALLOBJ.
25. The programs TAATMPBC and TAATMPBC3 of the CLNTAATEMP tool are
secured by the TAACLNTEMP authorization list.
26. The CMPDBF2 program TAADBLPC adopts to allow the use of the CLPDBR
tool against the file. The file is only read and compared against
a copy of the same file made at a previous time.
27. The CMPSRC3 command adopts to allow use of the work files NEWSRCP
and OLDSRCP in TAATOOL.
28. You must be authorized to the TAAJOBSCDE authorization list to use
CPYJOBSCDE.
29. The CPYUSRPRF2 command is an option on the SECOFR2 menu and
requires authorization to the TAACPYUSR2 authorization list.
30. The TAATAPNC, TAATAPNC2, TAATAPNC4, TAATAPNC5, TAATAPNC6,
TAATAPNC7, and TAATAPNC11 programs adopt to ensure access to
various functions. The user must be authorized to the TAAVTP
authorization list.
31. The program TAASEDWC of the CVTAUDLOG3 tool is secured by the
TAAAUDLOG authorization list.
32. The CVTFRMSPLF tool uses the TAACVTSPLF authorization list for the
CVTTOSPLF command. This command uses an API which requires *ALLOBJ
authority to create a spooled file. The CVTTOSPLF processing
program is controlled by the authorization list and adopts QSECOFR
authority.
33. The CVTIFS program TAAIFSAC adopts authority, but requires the
user to be authorized to the TAACVTIFS authorization list.
34. The CVTIFSEAUT program TAAIFSPC adopts authority, but requires the
user to be authorized to the TAACVTIFS authorization list.
35. The Job Schedule tools require use of the TAAJOBSCDE authorization
list.
36. The TAALICEC program of the CVTLIBCNT tool is secured by the
TAADSPADP authorization list.
37. The TAACVTLIBD authorization list is tested to allow access to
CVTLIBDBF for library special values such as *ALL. No objects are
authorized to the list. The TAADBHCC program adopts.
38. The TAAHSTAC program is secured by the TAACVTQHST authorization
list.
39. You must be authorized to the TAACVTIFS authorization list and
must have *OBJEXIST rights to the object to be deleted.
40. The TAALOGFC program of the DLTJOBLOG tool is secured by the
TAACVTQHST authorization list.
41. The command DLTQHST and the TAAHSTBC CL program are created so
they may not be executed unless a user is authorized to the
TAADLTQHST authorization list.
42. The program TAASEDTC of the DLTUSRPRF2 tool is secured by the
TAADLTUSR2 authorization list.
43. The DLYCMD program TAAJOBKC11 adopts authority to access the
DLYCMD *DTAARA information from the TAASECURE library. There are
no known exposures as this is a 'read only' access.
44. The program TAASEDFC of the DSAUSRPRF tool is secured by the
TAADSAPRF authorization list.
45. Users of all of the DSPxxxA commands of the DSPADP tool must be on
the TAADSPASP authorization list with *USE authority.
46. The DSPALLSPLF and WRKALLSPLF tools allow any user to display
his own spooled files. The TAAALLSPLF authorization list allows a
user to display spooled files owned by other users. Both the
TAASPMSR program (part of WRKALLSPLF), and TAASPMMR program (part
of DSPALLSPLF) adopt, but ensure that the user has *USE authority
to TAAALLSPLF if a user other than *CURRENT is specified.
47. The DSPCMDHLP command allows any user to display the help text for
any command regardless of the authorization. The command is never
run by DSPCMDHLP.
48. The DSPDSTQ tool command adopts the QSECOFR profile to provide a
public 'display only' version of WRKDSTQ.
49. The DSPGRPPRF program TAASEGWC2 adopts QSECOFR to allow the use of
the DSPUSRPRF outfile function to the TAASECKP file in TAASECURE.
CVTGRPPRF then reads this file and creates the GRPPRFP program in
QTEMP which contains the user profile records for each group
member. TAASEGWC2 ensures that the profile is a group profile and
that the user has 'all rights' to the group profile.
50. The DSPJOB3 program TAAJODCC adopts authority of the TAAJOBCTL
user profile to allow a display of any job. The user must have
*JOBCTL authority or be authorized to the TAAJOBCTL authorization
list.
51. The DSPJOBLOG4 TAASPOBC program adopts to allow *ALLOBJ and
*SPLCTL. The user of the command must be authorized to the
TAASPLSEC authorization list.
52. The DSPJRNA and DSPJRNRCVD programs (TAAJROPC and TAAJRORC) adopt
to allow a 'display only' function of the journal and receiver
directory. The user must have *OBJOPR authority to the journal.
This allows operation personnel to see the journal and the
directory without having WRK options. The journal entries are not
displayed.
53. The DSPJRNA and DSPJRNRCVD programs (TAAJROPC and TAAJRORC) adopt
to allow a 'display only' function of the journal and receiver
directory. The user must have *OBJOPR authority to the journal.
This allows operation personnel to see the journal and the
directory without having WRK options. The journal entries are not
displayed.
54. The DSPLIBSRCF CL program ensures the user has *USE authority to
the specified library. The QSECOFR profile is adopted because the
QADBXREF file cannot be used by the public.
55. The DSPLIBSRCF CL program ensures the user has *USE authority to
the specified library. The QSECOFR profile is adopted because the
QADBXREF file cannot be used by the public.
56. The DSPPWD processing program must be available for public usage
to allow any user to change his password. The secure functions
require the user be authorized to the TAASECURE library which is
created AUT(*EXCLUDE).
57. The TAAHSTEC program of the CVTQHST2 command of the DSPQHST2 tool
is secured by the TAACVTQHST authorization list.
58. The command assumes that the user profile information exists in a
file in TAASECURE. The information in the file can only be
accessed by a user with *ALLOBJ authority or if specifically
authorized to the TAASECRVW authorization list.
59. One program within the DSPSPLF2 command is used to access the
system defaults from the DSPSPLF2 user space in TAASECURE.
60. DSPSYS uses a sub program to access the last change date of QINITT
which is excluded to the public.
61. The user must have at least *USE authority to the TAAJOBCTL
authorization list.
62. The user must be authorized to the TAADSPUSR2 authorization list.
The DSPUSRPRF2 command adopts the Security Officer's profile to
execute the DSPUSRPRF command. The command is intended for
Assistant Security Officers who do not have the full power of the
QSECOFR profile.
63. DSPUSRTXT displays the user's text description based on entering
the user profile name.
64. The DSPWTR tool uses the TAAPRTOC11 program to allow DSPWTRSTS.
The program adopts to avoid the requirement for *JOBCTL.
65. The DTAARAARC tool command STRARAARC adopts to allow a change of
the user attribute for the created save files. This ensures they
were created by the tool.
66. The DUPFILFMT2 tool uses the TAADBOHC2 program to allow any user
to be able to duplicate a file format (create a new file) without
being authorized to the file. The data is not copied.
67. The DUPSPLF command requires authorization to the TAADUPSPLF
authorization list. To change to a new owner requires
authorization to the TAASPLDST authorization list.
68. DUPTAADBF allows only specific files from TAATOOL to be duplicated
when outfiles are requested. This is intended for internal use by
TAA tools.
69. The program TAASEFAC5 of the EDTAUTL2 tool adopts the authority of
QSECOFR to access Application Value data from TAASECURE. There
are no known exposures as this is a 'read only' access.
70. The EDTDBF command checks the TAAEDTDBF authorization list if the
user is not the owner of the file. No objects are authorized to
the list.
71. The EDTOBJAUT2 program TAASECFC5 adopts the authority of
QSECOFR to access Application Value data from TAASECURE. There are
no known exposures as this is a 'read only' access.
72. To use ENAUSRPRF, a user must be authorized to the TAAENAUSR
authorization list. No user (unless he has *ALLOBJ authority) can
use ENAUSRPRF until he is granted authority to TAAENAUSR.
73. The ENDTAALIC command adopts to allow access to a data area in
TAATOOL.
74. The Execute Using *JOBCTL tool adopts the QSECOFR *JOBCTL
authority. The command is restricted to those users authorized to
the TAAJOBCTL authorization list.
75. The FRCJOBLOG command of the SETJOBLOG tool adopts authority
because the intent is to make the SIGNOFF command private. If you
secure the SIGNOFF command, this may have implications for the use
of other TAA Tools or your own code.
76. The special install programs TAATOLUx exist in TAATOOL to allow a
subsequent install to be done by a user who is authorized to the
TAAINSTALL authorization list.
77. The Initialize Password tool is designed for Assistant Security
Officers to be able to reset a user's password. The user of
INZPWD, INZPWD2, INZPWD3 must be authorized to the TAAINZPWD
authorization list.
78. The Job Accounting tool has two commands (CVTJOBACG and
CVTJOBACG2) that adopt QSECOFR authority. Use of the commands is
restricted to users who are authorized to the TAAJOBACG
authorization list. The Print Accounting tool has the same two
commands (CVTPRTACG and CVTPRTACG) that adopt QSECOFR and also use
TAAJOBACG.
79. Only an *ALLOBJ user can use CRTJOBANZ, CRTJOBHST, DLTJOBANZ, or
DLTJOBHST. When the files are created, they are specified as
*PUBLIC *EXCLUDE. Other commands in the tool have various security
requirements restricting their use. See the command documentation
for details.
80. The JOBANZ TAAJOEAC27 program adopts to access a value from the
JOBANZ Application Value in TAASECURE.
81. The JOBDEP program TAAJODFC24 adopts to access (read only) the
JOBDEP Application Value in TAASECURE. The TAAJODFR45 program
adopts to update the Master and Detail files with start and end
information.
82. The Job Talk tool uses an authorization list for the SNDJOBTALK
command and CL program. Sub programs used by STRJOBTALK and
SNDJOBTALK and the break handling program set by STRJOBTALK use
adopted programs to access data areas in TAASECURE. CLNJOBTALK
uses adopted authority to delete unused TAAnnnnnn message queues
in the TAAWORK library. This allows the first user of the
STRJOBTALK command each day to automatically submit a batch job
for cleanup. CLNJOBTALK allows public use, but may be used at any
time by any user without harm to the Job Talk function.
83. LMTDLTSPL2 must access a data area in TAASECURE to validate
whether the spooled file should be deleted.
84. There is no known exposure with the LOCKMSG function unless you
restrict which users are allowed to send messages to other users.
The programs TAADBFFC, TAADBFFE, TAADBFFF, and TAADBFFG adopt.
85. MTNALLJRN allows the maintenance of all journals. Using an
authorization list allows the system operator to perform the
function without having excess authorization on the journals.
86. The CRTNAMEDT command requires some special authority to duplicate
the command object. It is the only function that adopts authority.
87. The RTVNBRCTR command accesses the NBRCTR user space and updates
the counter.
88. The NTEFIL MTNNTEFIL command uses a sub program that adopts to
allow clearing and writing to the backup file TAANTEAT in TAATOOL.
89. The PAGSEP tool uses TAASPMDC to access the setting of the
TAAPAGSEPn application value in TAASECURE. It provides a 'read
only' function. The TAASPMDC2 program is the sample program which
allows access to the text of a passed in user profile name.
90. The PRTJOBSUM command requires authorization to the TAACVTQHST
authorization list to allow reading the QHST files.
91. The PRTLIBCNT and PRTSAVCNT tools can operate across the entire
system for 'read only' purposes. The command and processing
programs are controlled by the TAADSPADP authorization list.
92. The PRTLIBCNT and PRTSAVCNT tools can operate across the entire
system for 'read only' purposes. The command and processing
programs are controlled by the TAADSPADP authorization list.
93. The PRTSAVLBL tool uses TAASAVQC2 to access the setting of the
PRTSAVLBL application value in TAASECURE. It provides a 'read
only' function.
94. The QRYUSE tool CVTQRYUSE command calls a sub program TAAWHRDC15
to delete a restored object in QTEMP. Only a DLTQRY command is
used and the object must be in QTEMP.
95. The RCLSTG2 command and program require authorization to the
TAARCLSTG2 authorization list.
96. The command RMVSYSLIBE is public, but the only valid libraries are
those that exist in the RMVSYSLIBE data area in TAASECURE. The
data area is shipped with no libraries entered. QSYS is always
rejected.
97. The user must be authorized to the TAARSTALLC authorization list.
This is the same authorization list used by RSTALLLIB and
RSTMNYLIB.
98. The user must be authorized to the TAARSTALLC authorization list.
This is the same authorization list used by RSTALLLIB and
RSTMNYLIB.
99. The user of the command must be authorized to the TAARSTANYL
authorization list.
100. The RSTFIL command prompts for the RSTOBJ command and requires
the use of the RSTOBJ library where only files may be restored.
101. The user must be authorized to the TAARSTALLC authorization list.
This is the same authorization list used by RSTALLLIB and
RSTMNYLIB.
102. The user must be authorized to the TAARSTALLC authorization list.
This is the same authorization list used by RSTALLLIB and
RSTMNYLIB.
103. The RTVHDWRSC tool must use an API that is shipped as
PUBLIC(*EXCLUDE). No known exposures exist by adopting the
QSECOFR profile.
104. The RTVIFSEAUT program TAAIFSNC adopts authority in order to
determine the current user's authority.
105. The CHKIFSPATH command of the RTVIFSPATH tool requires the user
to be on the TAACVTIFS authorization list.
106. The command adopts the authority of QSECOFR to avoid having to
grant users explicit authority to use the system program QWCCRTEC
whose only purpose is to produce a short QPSRVDMP spooled file.
107. The Retrieve Job API tool is a program that adopts the QSECOFR
profile to allow retrieval from the QUSRJOBI API formats without
having *JOBCTL special authority. Nothing can be changed from the
program. The tool is used by other tools such as DSPACTJOB. The
program is unlikely to be used by a typical user because it
requires a complex parameter list be passed including the
internal job ID which cannot be determined without writing a
program that uses an API.
108. The Job Talk tool uses an authorization list for the SNDJOBTALK
command and CL program. Sub programs used by STRJOBTALK and
SNDJOBTALK and the break handling program set by STRJOBTALK use
adopted programs to access data areas in TAASECURE. CLNJOBTALK
uses adopted authority to delete unused TAAnnnnnn message queues
in the TAAWORK library. This allows the first user of the
STRJOBTALK command each day to automatically submit a batch job
for cleanup. CLNJOBTALK allows public use, but may be used at any
time by any user without harm to the Job Talk function.
109. The RTVMSKPWD TAASEGQC and TAASEGQC2 programs adopt security to
the MSKPWDP file in TAASECURE.
110. The RTVTRNTBL command retrieves the name of the system wide
Translate Table found in the TAATRNTBL data area in TAASECURE.
The command allows *PUBLIC use, but no known security exposures
exist.
111. The RTVTRNTBL command retrieves the name of the system wide
Translate Table found in the TAATRNTBL data area in TAASECURE.
The command allows *PUBLIC use, but no known security exposures
exist.
112. RTVUSRPRF2 allows the basic attributes of any user profile to be
retrieved if the user is authorized to the TAARTVUSR2
authorization list.
113. The SAVACT program TAASAVUC24 adopts authority to access all
libraries for EDTSAVACT to edit the TAASAVACTP file. The
TAASAVUC25 program adopts authority to access the SAVACT
Application Value in TAASECURE.
114. The TAASAVCC, TAASAVCC2, and TAASAVCC3 programs of the SAVALLCHG
tool are secured by the TAASAVALLC authorization list.
115. The SAVCHG23 program TAASAVWC adopts authority, but requires the
user to be authorized to the TAASAVALLC authorization list.
116. The SAVE2 programs TAASAVTC9 and TAASAVTC7 adopt authority to
access the SAVE2 *USRSPC information and DLYCMD *DTAARA objects
from the TAASECURE library. There are no known exposures as this
is a 'read only' access.
117. The SAVLIBSAVF TAASAWBC11 adopts only to allow the CHGOBJD tool
to be used to set the user attribute of a save file.
118. The SBMJOB2 and SBMJOB3 commands are each tied to unique
authorization lists.
119. The SETDAYLITE programs adopt to allow the job to run under the
QSECOFR profile. This avoids the potential problem of the user
profile of the job being deleted when the function is scheduled.
120. A sub program is used by SHOUT to be able to access the user
class of any user.
121. The SNDAUDE function adopts the QSECOFR profile to allow sending
an entry to the QAUDJRN journal which may be *PUBLIC *EXCLUDE.
122. SNDGRPPRF adopts to allow access to all user profiles in order to
determine the current groups and to allow break messages to be
sent.
123. Several programs adopt to allow any user to start the SNDTIMMSG
job and use SNDTIMMSG.
124. SNDUSGMSG adopts to allow break messages to be sent.
125. The SNDUSRBRK2 command requires authorization to the TAASNDBRK
authorization list.
126. The SNDUSRBRK command must adopt to allow any user to send a
break message (normally requires *JOBCTL special authority). The
command is restricted to operate only in a CL program.
127. The TAASPLIC20 program for SPLCTL adopts to allow update of the
SPLCTLRCV and SPLCTLRCV2 recovery data areas in TAATOOL.
128. The DUPSPLDST command within SPLDST is used to cause DUPSPLF.
129. The SPLSTO TAASPMRR2 and TAASPMRR25 programs adopt to allow
*CHANGE authority to the spool store files while updates are
occurring.
130. The SRCCTL tool checks the authorization to a data area in the
same library as the source control files before allowing the
CHKSRCOUT or CHKSRCIN commands to operate.
131. The UPSMON TAASYTLC13 program adopts QSECOFR to allow a display
of the UPSMON values. The TAASYTLC12 program adopts QSECOFR to
provide for an orderly powerdown. The UPSMON *JOBD is shipped
with *PUBLIC *EXCLUDE. It contains the value USRPRF = QPGMR which
is required for an auto start job. If STRUPSMON2 is run, an auto
start job entry is added to the controlling subsystem and QPGMR
is authorized to *USE for the job description.
132. The VRYCFG2 tool uses the TAAVRYCFG authorization list to allow a
user without *JOBCTL to use a simple version of VRYCFG.
133. The TAACFGGC program of the VRYCFGOFF command is secured by the
TAAVRYCFGO authorization list.
134. The WHO command accesses the TAASECURE library if the default is
taken for CPUPCTLMT. There are no known exposures as this is a
'read only' access.
135. The DSPALLSPLF and WRKALLSPLF tools allow any user to
display his own spooled files. The TAAALLSPLF authorization list
allows a user to display spooled files owned by other users. Both
the TAASPMSR program (part of WRKALLSPLF), and TAASPMMR program
(part of DSPALLSPLF) adopt, but ensure that the user has *USE
authority to TAAALLSPLF if a user other than *CURRENT is
specified.
136. The user of the command must have at least *USE authority to the
TAAENAUSR Authorization List. This is the same *AUTL used by the
ENAUSRPRF tool.
Program Index
The following programs adopt the owner's user profile. The table
shows which tool each program belongs to. Notes as to their security
follow this table.
Program Tool Note
------- ---- ----
TAADBFFC LOCKMSG 1
TAADBFFE LOCKMSG 2
TAADBFFF LOCKMSG 3
TAADBFFG LOCKMSG 4
TAASEDSC23 AUDLOG 5
TAASPMDC PAGSEP 6
TAASPMDC2 PAGSEP 7
TAASAVQC2 PRTSAVLBL 8
TAASPMMR DSPALLSPLF 9
TAASPMSR WRKALLSPLF 10
TAASAVTC7 SAVE2 11
TAASAVTC9 SAVE2 12
TAAJOBKC11 DLYCMD 13
TAAJODCC DSPJOB3 14
TAASEFAC5 EDTAUTL2 15
TAASECFC5 EDTOBJAUT2 16
TAASAVUC24 SAVACT 17
TAASAVUC25 SAVACT 18
TAAIFSNC RTVIFSEAUT 19
TAAJODFC24 JOBDEP 20
TAAJODFR45 JOBDEP 21
TAADSPLC CHGSGNTXT 22
TAADSPLC3 CHGSGNTXT 23
TAASEFGC CHKSGNCNT 24
SNDAUD SNDAUDE 25
TAAJRODC46 APYRMTJRN 26
TAAJRODC47 APYRMTJRN 27
TAAIFSAC CVTIFS 28
TAAIFSPC CVTIFSEAUT 29
TAASAVWC SAVCHG23 30
TAASYTLC12 UPSMON 31
TAASYTLC13 UPSMON 32
TAASAWBC11 SAVLIBSAVF 33
TAASPMRR2 SPLSTO 34
TAASPMRR25 SPLSTO 35
TAASEGMC12 CAPSECINF 36
TAAJOEAC27 JOBANZ 37
TAASPLIC20 SPLCTL 38
TAASEGQC RTVMSKPWD 39
TAASEGQC2 RTVMSKPWD 40
TAASPOBC DSPJOBLOG4 41
TAATAPNC CRTVTP 42
TAATAPNC11 CRTVTP 43
TAATAPNC2 CRTVTP 44
TAATAPNC4 CRTVTP 45
TAASEGWC2 DSPGRPPRF 46
TAAJOEJC23 CHKINACT2 47
TAAJOEJC24 CHKINACT2 48
TAAJOEJC25 CHKINACT2 49
TAADBLPC CMPDBF2 50
TAAJROPC DSPJRNA 51
TAAJRORC DSPJRNRCVD 52
TAAWHRDC15 QRYUSE 53
TAAPRTOC11 DSPWTR 54
TAASELCC CHKUSRGRP 55
TAADBOHC2 DUPFILFMT2 56
TAADBINC CRTXREFLF 57
TAADBIUR13 TAAQRY 58
TAADBKXR2 NAMADR 59
TAADSQAC DSPDSTQ 60
TAAEMLEC21 MAILADR 61
TAAGAMAC HORSERACE 62
TAAHSTGC RTVLSTQHST 63
TAAIFSMC RTVIFSED 64
TAAIFSMC2 RTVIFSED 65
TAAIFULC CHKIFSSAV 66
TAAJBSEC2 DSPJOBSCDE 67
TAAJOBAC2 WHO 68
TAAJOCEC2 DSPSBSJOB 69
TAAJOCHC RTVJOBAPI 70
TAAJOCKC11 JOBTALK 71
TAAJOCKC14 JOBTALK 72
TAAJOCKC22 JOBTALK 73
TAAJOCKC3 JOBTALK 74
TAAJODJC11 CHKINACT 75
TAAJODZC3 DSPUSRJOB 76
TAAARARC25 DTAARAARC 77
TAACMEYC DSPCMDHLP 78
TAAJODIC2 DSPSBSJOBQ 79
TAAJRODC35 APYRMTJRN 80
TAAJRODC59 APYRMTJRN 81
TAALIBQC RMVSYSLIBE 82
TAALOGAC2 SETJOBLOG 83
TAALOGHR DSPALLJLG 84
TAAMBRJC ADPMBR 85
TAAMBRJC2 ADPMBR 86
TAAMBRJC3 ADPMBR 87
TAAMNUAC21 DYNMNU 88
TAAMSGLC2 SHOUT 89
TAAMSGSC SNDTIMMSG 90
TAAMSGSC9 SNDTIMMSG 91
TAAMSHJC SNDUSRBRK 92
TAANAMAC9 NAMADR 93
TAANETDC CAPNETA 94
TAANTEAC23 NTEFIL 95
TAAOBJRC CRTDUPPF 96
TAARPGCC RPGVALCHK 97
TAASAVNC2 CHKSAVDEV 98
TAASECCC2 DSPPWD 99
TAASECHC2 CPYUSRPRF 100
TAASECIC3 CHGUSRPWD 101
TAASECJC CHGGRPPRF 102
TAASEDBC3 SECOFR2 103
TAASEEFC CHKPGMOWN 104
TAASEFZC DSPUSRTXT 105
TAASEGDC RTVUSRTXT 106
TAASEGQC RTVMSKPWD 107
TAASEGQC2 RTVMSKPWD 108
TAASPLSC3 LMTDLTSPL2 109
TAASPLWC9 DSPSPLF2 110
TAASPMRC22 SPLSTO 111
TAASPNAC2 CPYSPLFIFS 112
TAASPNXC RTVSPLSIZ 113
TAASRCBC CMPSRC3 114
TAASRCHC SRCCTL 115
TAASRCHC2 SRCCTL 116
TAASRDJC DSPLIBSRCF 117
TAASRDKC FNDSRCMBR 118
TAASRDVC RTVLIBSRCF 119
TAASREEC10 CHKOBJSRC 120
TAASREHC3 CPYSRCHDR 121
TAASREIC2 CRTSTDSRCF 122
TAASYSKC3 DSPSYS 123
TAASYSXC RTVHDWRSC 124
TAASYTKC RTVIPLTIM 125
TAASYTMC4 CAPSYSINF 126
TAASYTPC2 CHKASPSTG 127
TAASYTPC3 CHKASPSTG 128
TAATAPNC5 CRTVTP 129
TAATAPNC7 CRTVTP 130
TAATAPNC6 CRTVTP 131
TAATCPGC RTVHOSTNAM 132
TAATIMNC11 DSPTIMZON 133
TAATMPCC ALCTMPMBR 134
TAATMPCC2 ALCTMPMBR 135
TAATOMOC CHKTAAOWN 136
TAATRNAC RTVTRNTBL 137
TAASECIC2 CHGUSRPWD 138
TAATOMHC DUPTAADBF 139
TAASEGYC2 WRKDSAUSR 140
TAAOBLKC DSPOBJD4 141
TAATOLXC CPYTAADDS 142
TAADBHCC CVTLIBDBF 143
TAAMSHWC2 SNDINTMSG 144
TAAACGBC2 JOBACG 145
TAAACGBC7 JOBACG 146
TAAACGDC CVTJOBACG3 147
TAAACGEC2 PRTACG 148
TAAACGEC7 PRTACG 149
TAAADPAC DSPADP 150
TAAADPAC10 DSPADP 151
TAAADPAC11 DSPADP 152
TAAADPAC12 DSPADP 153
TAAADPAC13 DSPADP 154
TAAADPAC14 DSPADP 155
TAAADPAC15 DSPADP 156
TAAADPAC2 DSPADP 157
TAAADPAC3 DSPADP 158
TAAADPAC4 DSPADP 159
TAAADPAC5 DSPADP 160
TAAADPAC6 DSPADP 161
TAAADPAC7 DSPADP 162
TAAADPAC8 DSPADP 163
TAAADPAC9 DSPADP 164
TAACFGEC VRYCFG2 165
TAACFGGC VRYCFGOFF 166
TAAHSTAC CVTQHST 167
TAAHSTBC DLTQHST 168
TAAHSTEC DSPQHST2 169
TAAIFSRC CVTIFSAUT 170
TAAJBSAC RTVJOBSCDE 171
TAAJBSBC CVTJOBSCDE 172
TAAJBSCC ADDJOBSCD2 173
TAAJBSDC CPYJOBSCDE 174
TAAJOCIC EXCJOBCTL 175
TAAJOCXC PRTJOBSUM 176
TAAJRODC APYRMTJRN 177
TAAJRODC2 APYRMTJRN 178
TAAJRODC9 APYRMTJRN 179
TAAJROJC MTNALLJRN 180
TAALICEC CVTLIBCNT 181
TAALICFC PRTLIBCNT 182
TAALOGFC DLTJOBLOG 183
TAAMSHDC SNDGRPPRF 184
TAAMSHEC SNDUSGMSG 185
TAARCLAC RCLSTG2 186
TAARSTAC RSTALLCHG 187
TAARSTBC RSTANYLIB 188
TAARSTCC RSTFIL 189
TAARSTDC RSTALLLIB 190
TAARSTFC RSTMNYLIB 191
TAARSTIC RSTMNYCHG 192
TAASAVCC SAVALLCHG 193
TAASAVCC2 SAVALLCHG 194
TAASAVCC3 SAVALLCHG 195
TAASAVSC PRTSAVCNT 196
TAASECBC ACCSECLIB 197
TAASECLC ENAUSRPRF 198
TAASECXC INZPWD 199
TAASECXC2 INZPWD 200
TAASECXC3 INZPWD 201
TAASEDCC DSPUSRPRF2 202
TAASEDFC DSAUSRPRF 203
TAASEDHC CHGUSRPRF2 204
TAASEDLC RTVUSRPRF2 205
TAASEDRC CPYUSRPRF2 206
TAASEDRC2 CPYUSRPRF2 207
TAASEDSC2 AUDLOG 208
TAASEDTC DLTUSRPRF2 209
TAASEDWC CVTAUDLOG3 210
TAASEFWC CHGDSTPWD2 211
TAASPLDC DUPSPLF 212
TAASPLXC4 SPLDST 213
TAASPMEC2 CVTFRMSPLF 214
TAATMPAC CHGBIGPARM 215
TAATMPAC2 CHGBIGPARM 216
TAATMPBC CLNTAATEMP 217
TAATMPBC3 CLNTAATEMP 218
TAATIMDC RTVTIMSTM 219
1. There is no known exposure with the LOCKMSG function unless you
restrict which users are allowed to send messages to other users.
The programs TAADBFFC, TAADBFFE, TAADBFFF, and TAADBFFG adopt.
2. There is no known exposure with the LOCKMSG function unless you
restrict which users are allowed to send messages to other users.
The programs TAADBFFC, TAADBFFE, TAADBFFF, and TAADBFFG adopt.
3. There is no known exposure with the LOCKMSG function unless you
restrict which users are allowed to send messages to other users.
The programs TAADBFFC, TAADBFFE, TAADBFFF, and TAADBFFG adopt.
4. There is no known exposure with the LOCKMSG function unless you
restrict which users are allowed to send messages to other users.
The programs TAADBFFC, TAADBFFE, TAADBFFF, and TAADBFFG adopt.
5. The CVTAUDLOG command of the AUDLOG tool adopts authority and
requires a user to be authorized to the TAAAUDLOG authorization
list. This allows an operator to be able to do the conversion from
the QAUDJRN on a regular basis. CVTAUDLOG is the only command in
AUDLOG that requires authorization to the TAAAUDLOG authorization
list. Most of the other functions are controlled by the owner of
the files created by CRTAUDLOG. CVTAUDLOG3 also requires
authorization to TAAAUDLOG. The TAASEDSC23 program adopts QSECOFR
authority to display a detail journal entry from the journal
itself (Option 7 on DSPAUDLOG). The program prevents a user who
does not have *USE authority to the AUDLOGP file from being able
to use this function.
6. The PAGSEP tool uses TAASPMDC to access the setting of the
TAAPAGSEPn application value in TAASECURE. It provides a 'read
only' function. The TAASPMDC2 program is the sample program which
allows access to the text of a passed in user profile name.
7. The PAGSEP tool uses TAASPMDC to access the setting of the
TAAPAGSEPn application value in TAASECURE. It provides a 'read
only' function. The TAASPMDC2 program is the sample program which
allows access to the text of a passed in user profile name.
8. The PRTSAVLBL tool uses TAASAVQC2 to access the setting of the
PRTSAVLBL application value in TAASECURE. It provides a 'read
only' function.
9. The DSPALLSPLF and WRKALLSPLF tools allow any user to display
his own spooled files. The TAAALLSPLF authorization list allows a
user to display spooled files owned by other users. Both the
TAASPMSR program (part of WRKALLSPLF), and TAASPMMR program (part
of DSPALLSPLF) adopt, but ensure that the user has *USE authority
to TAAALLSPLF if a user other than *CURRENT is specified.
10. The DSPALLSPLF and WRKALLSPLF tools allow any user to display
his own spooled files. The TAAALLSPLF authorization list allows a
user to display spooled files owned by other users. Both the
TAASPMSR program (part of WRKALLSPLF), and TAASPMMR program (part
of DSPALLSPLF) adopt, but ensure that the user has *USE authority
to TAAALLSPLF if a user other than *CURRENT is specified.
11. The SAVE2 programs TAASAVTC9 and TAASAVTC7 adopt authority to
access the SAVE2 *USRSPC information and DLYCMD *DTAARA objects
from the TAASECURE library. There are no known exposures as this
is a 'read only' access.
12. The SAVE2 programs TAASAVTC9 and TAASAVTC7 adopt authority to
access the SAVE2 *USRSPC information and DLYCMD *DTAARA objects
from the TAASECURE library. There are no known exposures as this
is a 'read only' access.
13. The DLYCMD program TAAJOBKC11 adopts authority to access the
DLYCMD *DTAARA information from the TAASECURE library. There are
no known exposures as this is a 'read only' access.
14. The DSPJOB3 program TAAJODCC adopts authority of the TAAJOBCTL
user profile to allow a display of any job. The user must have
*JOBCTL authority or be authorized to the TAAJOBCTL authorization
list.
15. The program TAASEFAC5 of the EDTAUTL2 tool adopts the authority of
QSECOFR to access Application Value data from TAASECURE. There
are no known exposures as this is a 'read only' access.
16. The EDTOBJAUT2 program TAASECFC5 adopts the authority of
QSECOFR to access Application Value data from TAASECURE. There are
no known exposures as this is a 'read only' access.
17. The SAVACT program TAASAVUC24 adopts authority to access all
libraries for EDTSAVACT to edit the TAASAVACTP file. The
TAASAVUC25 program adopts authority to access the SAVACT
Application Value in TAASECURE.
18. The SAVACT program TAASAVUC24 adopts authority to access all
libraries for EDTSAVACT to edit the TAASAVACTP file. The
TAASAVUC25 program adopts authority to access the SAVACT
Application Value in TAASECURE.
19. The RTVIFSEAUT program TAAIFSNC adopts authority in order to
determine the current user's authority.
20. The JOBDEP program TAAJODFC24 adopts to access (read only) the
JOBDEP Application Value in TAASECURE. The TAAJODFR45 program
adopts to update the Master and Detail files with start and end
information.
21. The JOBDEP program TAAJODFC24 adopts to access (read only) the
JOBDEP Application Value in TAASECURE. The TAAJODFR45 program
adopts to update the Master and Detail files with start and end
information.
22. The CHGSGNTXT programs TAADSPLC and TAADSPLC3 require *JOBCTL and
adopt to update the TAAMSGF in TAATOOL.
23. The CHGSGNTXT programs TAADSPLC and TAADSPLC3 require *JOBCTL and
adopt to update the TAAMSGF in TAATOOL.
24. The CHKSGNCNT program TAASEFGC adopts authority to access objects
in TAASECURE. No changes occur.
25. The SNDAUDE function adopts the QSECOFR profile to allow sending
an entry to the QAUDJRN journal which may be *PUBLIC *EXCLUDE.
26. Most of the APYRMTJRN commands are *PUBLIC. STRAPYRMT, ENDAPYRMT,
SNDAPYRMTE, and CRTAPYRMTD are controlled by the TAAAPYRMT
authorization list. The STRAPYRMT, ENDAPYRMT, and SNDAPYRMTE
programs adopt authority to allow operators to control the
function. Several batch jobs are submitted by STRAPYRMT and they
all adopt to allow the programs to operate on any object. The
TAAJRODC46 and TAAJRODC47 programs adopt to allow the creation of a
file from the TAA Archive.
27. Most of the APYRMTJRN commands are *PUBLIC. STRAPYRMT, ENDAPYRMT,
SNDAPYRMTE, and CRTAPYRMTD are controlled by the TAAAPYRMT
authorization list. The STRAPYRMT, ENDAPYRMT, and SNDAPYRMTE
programs adopt authority to allow operators to control the
function. Several batch jobs are submitted by STRAPYRMT and they
all adopt to allow the programs to operate on any object. The
TAAJRODC46 and TAAJRODC47 programs adopt to allow the creation of a
file from the TAA Archive.
28. The CVTIFS program TAAIFSAC adopts authority, but requires the
user to be authorized to the TAACVTIFS authorization list.
29. The CVTIFSEAUT program TAAIFSPC adopts authority, but requires the
user to be authorized to the TAACVTIFS authorization list.
30. The SAVCHG23 program TAASAVWC adopts authority, but requires the
user to be authorized to the TAASAVALLC authorization list.
31. The UPSMON TAASYTLC13 program adopts QSECOFR to allow a display of
the UPSMON values. The TAASYTLC12 program adopts QSECOFR to
provide for an orderly powerdown. The UPSMON *JOBD is shipped with
*PUBLIC *EXCLUDE. It contains the value USRPRF = QPGMR which is
required for an auto start job. If STRUPSMON2 is run, an auto
start job entry is added to the controlling subsystem and QPGMR is
authorized to *USE for the job description.
32. The UPSMON TAASYTLC13 program adopts QSECOFR to allow a display of
the UPSMON values. The TAASYTLC12 program adopts QSECOFR to
provide for an orderly powerdown. The UPSMON *JOBD is shipped with
*PUBLIC *EXCLUDE. It contains the value USRPRF = QPGMR which is
required for an auto start job. If STRUPSMON2 is run, an auto
start job entry is added to the controlling subsystem and QPGMR is
authorized to *USE for the job description.
33. The SAVLIBSAVF TAASAWBC11 adopts only to allow the CHGOBJD tool to
be used to set the user attribute of a save file.
34. The SPLSTO TAASPMRR2 and TAASPMRR25 programs adopt to allow
*CHANGE authority to the spool store files while updates are
occurring.
35. The SPLSTO TAASPMRR2 and TAASPMRR25 programs adopt to allow
*CHANGE authority to the spool store files while updates are
occurring.
36. The CAPSECINF TAASEGMC12 program adopts to access the values from
the CAPSECINF Application Value in TAASECURE.
37. The JOBANZ TAAJOEAC27 program adopts to access a value from the
JOBANZ Application Value in TAASECURE.
38. The TAASPLIC20 program for SPLCTL adopts to allow update of the
SPLCTLRCV and SPLCTLRCV2 recovery data areas in TAATOOL.
39. The RTVMSKPWD TAASEGQC and TAASEGQC2 programs adopt security to
the MSKPWDP file in TAASECURE.
40. The RTVMSKPWD TAASEGQC and TAASEGQC2 programs adopt security to
the MSKPWDP file in TAASECURE.
41. The DSPJOBLOG4 TAASPOBC program adopts to allow *ALLOBJ and
*SPLCTL. The user of the command must be authorized to the
TAASPLSEC authorization list.
42. The TAATAPNC, TAATAPNC2, TAATAPNC4, TAATAPNC5, TAATAPNC6,
TAATAPNC7, and TAATAPNC11 programs adopt to ensure access to
various functions. The user must be authorized to the TAAVTP
authorization list.
43. The TAATAPNC, TAATAPNC2, TAATAPNC4, TAATAPNC5, TAATAPNC6,
TAATAPNC7, and TAATAPNC11 programs adopt to ensure access to
various functions. The user must be authorized to the TAAVTP
authorization list.
44. The TAATAPNC, TAATAPNC2, TAATAPNC4, TAATAPNC5, TAATAPNC6,
TAATAPNC7, and TAATAPNC11 programs adopt to ensure access to
various functions. The user must be authorized to the TAAVTP
authorization list.
45. The TAATAPNC, TAATAPNC2, TAATAPNC4, TAATAPNC5, TAATAPNC6,
TAATAPNC7, and TAATAPNC11 programs adopt to ensure access to
various functions. The user must be authorized to the TAAVTP
authorization list.
46. The DSPGRPPRF program TAASEGWC2 adopts QSECOFR to allow the use of
the DSPUSRPRF outfile function to the TAASECKP file in TAASECURE.
CVTGRPPRF then reads this file and creates the GRPPRFP program in
QTEMP which contains the user profile records for each group
member. TAASEGWC2 ensures that the profile is a group profile and
that the user has 'all rights' to the group profile.
47. The TAAJOEJC23 and TAAJOEJC25 programs adopt to access the
Application Value CHKINACT2 in TAASECURE. The TAAJOEJC24 program
adopts to access the user text description from the profile used
in WRKINACT2. Both programs perform read only functions and are
considered safe.
48. The TAAJOEJC23 and TAAJOEJC25 programs adopt to access the
Application Value CHKINACT2 in TAASECURE. The TAAJOEJC24 program
adopts to access the user text description from the profile used
in WRKINACT2. Both programs perform read only functions and are
considered safe.
49. The TAAJOEJC23 and TAAJOEJC25 programs adopt to access the
Application Value CHKINACT2 in TAASECURE. The TAAJOEJC24 program
adopts to access the user text description from the profile used
in WRKINACT2. Both programs perform read only functions and are
considered safe.
50. The CMPDBF2 program TAADBLPC adopts to allow the use of the CLPDBR
tool against the file. The file is only read and compared against
a copy of the same file made at a previous time.
51. The DSPJRNA and DSPJRNRCVD programs (TAAJROPC and TAAJRORC) adopt
to allow a 'display only' function of the journal and receiver
directory. The user must have *OBJOPR authority to the journal.
This allows operation personnel to see the journal and the
directory without having WRK options. The journal entries are not
displayed.
52. The DSPJRNA and DSPJRNRCVD programs (TAAJROPC and TAAJRORC) adopt
to allow a 'display only' function of the journal and receiver
directory. The user must have *OBJOPR authority to the journal.
This allows operation personnel to see the journal and the
directory without having WRK options. The journal entries are not
displayed.
53. The QRYUSE tool CVTQRYUSE command calls a sub program TAAWHRDC15
to delete a restored object in QTEMP. Only a DLTQRY command is
used and the object must be in QTEMP.
54. The DSPWTR tool uses the TAAPRTOC11 program to allow DSPWTRSTS.
The program adopts to avoid the requirement for *JOBCTL.
55. The CHKUSRGRP tool uses the TAASELCC program to allow a user
authorized to the TAACHKUSRG *AUTL to run the command. The program
adopts to avoid the requirement for *ALLOBJ.
56. The DUPFILFMT2 tool uses the TAADBOHC2 program to allow any user
to be able to duplicate a file format (create a new file) without
being authorized to the file. The data is not copied.
57. The CRTXREFLF tool uses the TAADBINC program to allow creation
over the QADBXREF file.
58. The TAAQRY tool uses the TAADBIUR13 program to update the QRYFILP
file with the date the query was run.
59. The CHKNAMADR command of the NAMADR tool uses the TAADBKXR2
program to read the TAADBKXP file in TAASECURE to build the arrays
needed to check.
60. The DSPDSTQ tool uses the TAADSQAC program to allow any user to
display the distribution queue.
61. The MAILADR tool uses the TAAEMLEC21 program to change the
user attribute of TAA mail files.
62. The HORSERACE tool uses the TAAGAMAC program to change the data
area in TAATOOL.
63. The RTVLSTQHST tool uses the TAAHSTGC program to access the QHST
files.
64. The RTVIFSED tool uses the TAAIFSMC and TAAIFSMC2 programs to
access the IFS information.
65. The RTVIFSED tool uses the TAAIFSMC and TAAIFSMC2 programs to
access the IFS information.
66. The CHKIFSSAV tool uses the TAAIFULC program to access the IFS
information. It checks for *USE authority to the TAACVTIFS
authorization list.
67. The DSPJOBSCDE tool uses the TAAJBSEC2 program solely to access
the job schedule information.
68. The WHO tool uses the TAAJOBAC2 program to access the application
value in TAASECURE.
69. The DSPSBSJOB tool uses the TAAJOCEC2 program to access the
information via an API. This is a "display-only" tool and does not
allow changing any job attributes.
70. The RTVJOBAPI tool uses the TAAJOCHC program to access the
information via an API.
71. The JOBTALK tool uses these programs to execute commands within
another job.
72. The JOBTALK tool uses these programs to execute commands within
another job.
73. The JOBTALK tool uses these programs to execute commands within
another job.
74. The JOBTALK tool uses these programs to execute commands within
another job.
75. The CHKINACT tool uses the TAAJODJC11 program to retrieve an
application value in TAASECURE.
76. The DSPUSRJOB tool uses the TAAJODZC3 and is owned by TAAJOBCTL
which provides *JOBCTL authority.
77. The DTAARAARC tool uses the TAAARARC25 program to change the
object description to update information.
78. The DSPCMDHLP tool uses the TAACMEYC program to display command
help for any command.
79. The DSPSBSJOB2 command of the DSPSBSJOBQ tool uses the TAAJODIC2
to provide a display of any job queue with only display options.
The TAAJOBCTL authorization list is checked.
80. The APYRMTJRN tool uses the TAAJRODC35 and TAAJRODC59 for internal
processing.
81. The APYRMTJRN tool uses the TAAJRODC35 and TAAJRODC59 for internal
processing.
82. The RMVSYSLIBE tool uses the TAALIBQC program to remove libraries
from the system portion of the library list that have been
specified by the Security Officer.
83. The FRCJOBLOG command of the SETJOBLOG tool uses the TAALOGAC2
program with adoption to allow the SIGNOFF command to remain
private if you have made it so.
84. The DSPALLJLG tool uses the TAALOGHR program with adoption to
allow any job log to be displayed. The command is controlled by
the TAADSPJLG authorization list.
85. The ADPMBR tool uses the TAAMBRJC, TAAMBRJC2, and TAAMBRJC3
programs to allow end users to operate with member commands on
files specified by the Security Officer.
86. The ADPMBR tool uses the TAAMBRJC, TAAMBRJC2, and TAAMBRJC3
programs to allow end users to operate with member commands on
files specified by the Security Officer.
87. The ADPMBR tool uses the TAAMBRJC, TAAMBRJC2, and TAAMBRJC3
programs to allow end users to operate with member commands on
files specified by the Security Officer.
88. The DYNMNU tool uses the TAAMNUAC21 program to access an
Application Value in TAASECURE.
89. The SHOUT tool uses the TAAMSGLC2 program only to access the user
class of any user profile.
90. The SNDTIMMSG tool uses the TAAMSGSC and TAAMSGSC8 programs to
control the file for when messages are sent.
91. The SNDTIMMSG tool uses the TAAMSGSC and TAAMSGSC8 programs to
control the file for when messages are sent.
92. The SNDUSRBRK tool uses the TAAMSHJC programs to control the file
for when messages are sent.
93. The NAMADR tool uses the TAANAMAC9 program for internal
processing.
94. The CAPNETA tool uses the TAANETDC program to capture all
attributes.
95. The NTEFIL tool uses the TAANTEAC23 program to allow update of a
file.
96. The CRTDUPPF tool uses the TAAOBJRC program to allow a user with
*USE authority to a file to be able to duplicate it.
97. The RPGVALCHK tool uses the TAARPGCC program to allow internal
processing.
98. The CHKSAVDEV tool uses the TAASAVNC2 program with adopt so it can
S/R and delete the CHKSAVDEV data area.
99. The CHGSCRPWD command of the DSPPWD tool uses the TAASECCC2
program with adopt so it can access a program in TAASECURE.
100. The CPYUSRPRF2 tool uses the TAASECHC2 program with adopt so it
can use CHGUSRPRF command.
101. The CHGUSRPWD tool uses the TAASECIC3 program with adopt so it
can access an exit program in TAASECURE.
102. The CHGGRPPRF tool uses the TAASECJC program with adopt so it can
change the group profile during a job.
103. The SECOFR2 tool uses the TAASEDBC3 program with adopt so it can
access TAASECURE to retrieve application values and constant
arrays.
104. The CHKPGMOWN tool uses the TAASEEFC program with adopt so it can
determine the owner of any program.
105. The DSPUSRTXT tool uses the TAASEFZC program with adopt so it can
determine the user text of any user.
106. The RTVUSRTXT tool uses the TAASEGDC program with adopt so it can
determine only the user text of any user.
107. The CHGMSKPWD command of the RTVMSKPWD tool uses the TAASEGQC and
TAASEGQC2 programs with adopt to mask a password. The source code
is not shipped with the product.
108. The CHGMSKPWD command of the RTVMSKPWD tool uses the TAASEGQC and
TAASEGQC2 programs with adopt to mask a password. The source code
is not shipped with the product.
109. The LMTDLTSPL2 tool uses the TAASPLSC2 program with adopt to
access TAASECURE.
110. The DSPSPLF2 tool uses the TAASPLWC9 program with adopt to read
the TAASECURE/DSPSPLF2 user space.
111. The CVTSPLSTO command of the SPLSTO tool uses the TAASPMRC22
program with adopt to change a user space in the SPLSTO library.
112. The CPYSPLFIFS tool uses the TAASPNAC2 program with adopt to
check for product requirements.
113. The RTVSPLSIZ tool uses the TAASPNXC program with adopt to access
all spooled file information.
114. The CMPSRC3 tool uses the TAASRCBC program with adopt to allow
internal processing.
115. The SRCCTL tool uses the TAASRCHC and TAASRCHC2 programs with
adopt to allow updates to occur.
116. The SRCCTL tool uses the TAASRCHC and TAASRCHC2 programs with
adopt to allow updates to occur.
117. The DSPLIBSRCF tool uses the TAASRDJC program to determine the
source files in the library. The user is checked for *USE
authority to the library. The QSECOFR profile is adopted so the
QADBXREF file can be used.
118. The FNDSRCMBR tool uses the TAASRDKC program to determine the
source files in the library.
119. The RTVLIBSRCF tool uses the TAASRDVC program to determine the
source files in the library.
120. The CHKOBJSRC tool uses the TAASREEC10 program for the prompt
override of CHKOBJSRC.
121. The CPYSRCHDR tool uses the TAASREHC3 program with adopt when
copying standard source members.
122. The CRTSTDSRCF tool uses the TAASREIC2 program to adopt to access
the TAASECURE library.
123. The DSPSYS tool uses the TAASYSKC3 program to adopt while
accessing attributes of system objects for display-only purposes.
124. The RTVHDWRSC tool uses the TAASYSXC program with adopt while
accessing information.
125. The RTVIPLTIM tool uses the TAASYTXC program with adopt while
accessing information.
126. The RTVSYSINF command of the CAPSYSINF tool uses the TAASYTMC4
program with adopt to access TAASECURE.
127. The CHKASPSTG tool uses the TAASYTPC2 and TAASYTPC3 programs to
access TAASECURE and internal processing.
128. The CHKASPSTG tool uses the TAASYTPC2 and TAASYTPC3 programs to
access TAASECURE and internal processing.
129. The RPLKVTP command of the CRTVTP tool uses the TAATAPNC5 program
for internal processing. The WRKVTP command uses the TAATAPNC7
program for internal processing. These programs check the TAAVTP
authorization list.
130. The RPLKVTP command of the CRTVTP tool uses the TAATAPNC5 program
for internal processing. The WRKVTP command uses the TAATAPNC7
program for internal processing. These programs check the TAAVTP
authorization list.
131. The RDYVTP command of the CRTVTP tool uses the TAATAPNC6 program
for internal processing. This program checks the TAAVTP
authorization list.
132. The RTVHOSTNAM tool uses the TAATCPGC program for internal
processing.
133. The DSPTIMZON tool uses the TAATIMNC11 program to access
TAASECURE.
134. The ALCTMPMBR tool uses the TAATMPCC program for internal
processing.
135. The DLCTMPMBR command of the ALCTMPMBR tool uses the TAATMPCC2
program for internal processing.
136. The CHKTAAOWN tool uses the TAATOMOC program to check against any
program.
137. The RTVTRNTBL tool uses the TAATRNAC program to access TAASECURE.
138. The CHGUSRPWD2 command of the CHGUSRPWD tool uses the TAASECIC2
program to access TAASECURE.
139. The DUPTAADBF tool uses the TAATOMHC program to allow
duplication from TAATOOL.
140. The TAASEGYC2 program adopts to allow enabling of a user profile.
The user must be authorized to the TAAENAUSR authorization list.
The check occurs using the UNADOPT tool (the objects are not
controlled by the authorization list).
141. The TAAOBLKC program adopts to allow a user who is authorized to
the TAADSPOBJ4 authorization list to display any object
attributes. Only the attributes are displayed and not data. None
of the objects are tied to the authorization list. Checking
occurs within TAAOBLKC.
142. The TAATOLXC program adopts to allow the CPYTAADDS tool to use
the CPYTAA tool to create files from DDS in the archive. Only DDS
source is accessed.
143. The TAACVTLIBD authorization list is tested to allow access to
CVTLIBDBF for library special values such as *ALL. No objects are
authorized to the list. The TAADBHCC program adopts.
144. The TAAMSHWC2 program is a short helper program that accesses
read-only data areas from the TAASECURE library.
145. The CVTJOBACG and CVTJOBACG2 commands of the JOBACG tool are
secured by the TAAJOBACG authorization list. The user must have
either *ALLOBJ special authority or *USE authority to TAAJOBACG
to be able to use these commands.
146. The CVTJOBACG and CVTJOBACG2 commands of the JOBACG tool are
secured by the TAAJOBACG authorization list. The user must have
either *ALLOBJ special authority or *USE authority to TAAJOBACG
to be able to use these commands.
147. The user of the CVTJOBACG3 command must be authorized to the
TAAJOBACG authorization list. This authorization list is provided
by the JOBACG tool and is also required for CVTJOBACG and
CVTJOBACG2 (and CVTPRTACG and CVTPRTACG2).
148. The user of the CVTPRTACG and CVTPRTACG2 commands of the PRTACG
tool must be on the TAAJOBACG authorization list with *USE
authority. This authorization list is provided by the JOBACG
tool.
149. The user of the CVTPRTACG and CVTPRTACG2 commands of the PRTACG
tool must be on the TAAJOBACG authorization list with *USE
authority. This authorization list is provided by the JOBACG
tool.
150. Users of all of the DSPxxxA commands of the DSPADP tool must be
on the TAADSPADP authorization list with *USE authority.
151. Users of all of the DSPxxxA commands of the DSPADP tool must be
on the TAADSPADP authorization list with *USE authority.
152. Users of all of the DSPxxxA commands of the DSPADP tool must be
on the TAADSPADP authorization list with *USE authority.
153. Users of all of the DSPxxxA commands of the DSPADP tool must be
on the TAADSPADP authorization list with *USE authority.
154. Users of all of the DSPxxxA commands of the DSPADP tool must be
on the TAADSPADP authorization list with *USE authority.
155. Users of all of the DSPxxxA commands of the DSPADP tool must be
on the TAADSPADP authorization list with *USE authority.
156. Users of all of the DSPxxxA commands of the DSPADP tool must be
on the TAADSPADP authorization list with *USE authority.
157. Users of all of the DSPxxxA commands of the DSPADP tool must be
on the TAADSPADP authorization list with *USE authority.
158. Users of all of the DSPxxxA commands of the DSPADP tool must be
on the TAADSPADP authorization list with *USE authority.
159. Users of all of the DSPxxxA commands of the DSPADP tool must be
on the TAADSPADP authorization list with *USE authority.
160. Users of all of the DSPxxxA commands of the DSPADP tool must be
on the TAADSPADP authorization list with *USE authority.
161. Users of all of the DSPxxxA commands of the DSPADP tool must be
on the TAADSPADP authorization list with *USE authority.
162. Users of all of the DSPxxxA commands of the DSPADP tool must be
on the TAADSPADP authorization list with *USE authority.
163. Users of all of the DSPxxxA commands of the DSPADP tool must be
on the TAADSPADP authorization list with *USE authority.
164. Users of all of the DSPxxxA commands of the DSPADP tool must be
on the TAADSPADP authorization list with *USE authority.
165. The TAACFGEC program of the VRYCFG2 command is secured by the
TAAVRYCFG authorization list.
166. The TAACFGGC program of the VRYCFGOFF command is secured by the
TAAVRYCFGO authorization list.
167. The TAAHSTAC program is secured by the TAACVTQHST authorization
list.
168. The command DLTQHST and the TAAHSTBC CL program are created so
they may not be executed unless a user is authorized to the
TAADLTQHST authorization list.
169. The TAAHSTEC program of the CVTQHST2 command of the DSPQHST2 tool
is secured by the TAACVTQHST authorization list.
170. The TAAIFSRC program of the CVTIFSAUT tool adopts QSECOFR to swap
to the user profile named on the command. The current user must
have *USE authority to that user profile.
171. You must be authorized to the TAAJOBSCDE authorization list to
use RTVJOBSCDE.
172. You must be authorized to the TAAJOBSCDE authorization list to
use CVTJOBSCDE.
173. You must be authorized to the TAAJOBSCDE authorization list to
use ADDJOBSCD2.
174. You must be authorized to the TAAJOBSCDE authorization list to
use CPYJOBSCDE.
175. The TAAJOCIC program and the EXCJOBCTL command are secured by the
TAAJOBCTL authorization list.
176. The PRTJOBSUM command and the TAAJOCXC program are secured by the
TAACVTQHST authorization list.
177. The programs TAAJRODC, TAAJRODC2, TAAJRODC3, and TAAJRODC9 of the
APYRMTJRN tool are secured by the TAAAPYRMT authorization list.
178. The programs TAAJRODC, TAAJRODC2, TAAJRODC3, and TAAJRODC9 of the
APYRMTJRN tool are secured by the TAAAPYRMT authorization list.
179. The programs TAAJRODC, TAAJRODC2, TAAJRODC3, and TAAJRODC9 of the
APYRMTJRN tool are secured by the TAAAPYRMT authorization list.
180. The program TAAJROJC of the MTNALLJRN tool is secured by the
TAAMTNJRN authorization list.
181. The TAALICEC program of the CVTLIBCNT tool is secured by the
TAADSPADP authorization list.
182. The TAALICFC program of the PRTLIBCNT tool is secured by the
TAADSPADP authorization list.
183. The TAALOGFC program of the DLTJOBLOG tool is secured by the
TAACVTQHST authorization list.
184. The TAAMSHDC program of the SNDGRPPRF tool is secured by the
TAASNDGRP authorization list.
185. The TAAMSHEC program of the SNDUSGMSG tool is secured by the
TAASNDUSG authorization list.
186. The TAARCLAC program of the RCLSTG2 tool is secured by the
TAARCLSTG2 authorization list. In addition, the system must be in
restricted state to use the tool.
187. The TAARSTAC program of the RSTALLCHG tool is secured by the
TAARSTALLC authorization list.
188. The TAARSTBC program of the RSTANYLIB tool is secured by the
TAARSTANYL authorization list.
189. The TAARSTCC program of the RSTFIL tool is secured by the
TAARSTFIL authorization list.
190. The TAARSTDC program of the RSTALLLIB tool is secured by the
TAARSTALLC authorization list.
191. The TAARSTFC program of the RSTMNYLIB tool is secured by the
TAARSTALLC authorization list.
192. The TAARSTIC program of the RSTMNYCHG tool is secured by the
TAARSTALLC authorization list.
193. The TAASAVCC, TAASAVCC2, and TAASAVCC3 programs of the SAVALLCHG
tool are secured by the TAASAVALLC authorization list.
194. The TAASAVCC, TAASAVCC2, and TAASAVCC3 programs of the SAVALLCHG
tool are secured by the TAASAVALLC authorization list.
195. The TAASAVCC, TAASAVCC2, and TAASAVCC3 programs of the SAVALLCHG
tool are secured by the TAASAVALLC authorization list.
196. The TAASAVCC, TAASAVCC2, and TAASAVCC3 programs of the SAVALLCHG
tool are secured by the TAASAVALLC authorization list.
197. The TAASECBC program of the ACCSECLIB tool is secured by the
TAAACCSECL authorization list.
198. The program TAASECLC of the ENAUSRPRF tool is secured by the
TAAENAUSR authorization list.
199. The programs TAASECXC, TAASECXC2, and TAASECXC3 of the INZPWD
tool are secured by the TAAINZPWD authorization list.
200. The programs TAASECXC, TAASECXC2, and TAASECXC3 of the INZPWD
tool are secured by the TAAINZPWD authorization list.
201. The programs TAASECXC, TAASECXC2, and TAASECXC3 of the INZPWD
tool are secured by the TAAINZPWD authorization list.
202. The program TAASEDCC of the DSPUSRPRF2 tool is secured by the
TAADSPUSR2 authorization list.
203. The program TAASEDFC of the DSAUSRPRF tool is secured by the
TAADSAPRF authorization list.
204. The program TAASEDHC of the CHGUSRPRF2 tool is secured by the
TAACHGPRF2 authorization list.
205. The program TAASEDLC of the RTVUSRPRF2 tool is secured by the
TAARTVUSR2 authorization list.
206. The programs TAASEDRC and TAASEDRC2 of the CPYUSRPRF2 tool are
secured by the TAACPYUSR2 authorization list.
207. The programs TAASEDRC and TAASEDRC2 of the CPYUSRPRF2 tool are
secured by the TAACPYUSR2 authorization list.
208. The program TAASEDSC2 of the AUDLOG tool is secured by the
TAAAUDLOG authorization list.
209. The program TAASEDTC of the DLTUSRPRF2 tool is secured by the
TAADLTUSR2 authorization list.
210. The program TAASEDWC of the CVTAUDLOG3 tool is secured by the
TAAAUDLOG authorization list.
211. The program TAASEFWC of the CHGDSTPWD2 tool is secured by the
TAADSTPWD2 authorization list.
212. The program TAASPLDC of the DUPSPLF tool is secured by the
TAADUPSPLF authorization list.
213. The program TAASPLXC4 of the SPLDST tool is secured by the
TAASPLDST authorization list.
214. The program TAASPMEC2 of the CVTFRMSPLF tool is secured by the
TAACVTSPLF authorization list.
215. The programs TAATMPAC and TAATMPAC2 of the CHGBIGPARM tool are
secured by the TAACHGBIGP authorization list.
216. The programs TAATMPAC and TAATMPAC2 of the CHGBIGPARM tool are
secured by the TAACHGBIGP authorization list.
217. The programs TAATMPBC and TAATMPBC3 of the CLNTAATEMP tool are
secured by the TAACLNTEMP authorization list.
218. The programs TAATMPBC and TAATMPBC3 of the CLNTAATEMP tool are
secured by the TAACLNTEMP authorization list.
219. The program TAATIMDC of the RTVTIMSTM tool adopts QSECOFR only to
be able to access the TAATOOL/TAATIMDS user space to provide a
unique suffix for 26 character time stamps.
Determining programs that adopt
You can determine the programs in TAATOOL that adopt authority by
using the PRTPGMA tool and specifying USRPRF(*OWNER).
Authorization lists
For certain tools, an authorization list is created in QSYS to allow a
more convenient means of authorization and to allow security to remain
in place even though you re-create a tool or install a new version of
the TAA Productivity Tools.
The authorization lists are created as part of the installation of the
TAA Productivity Tools if they do not already exist. Some
authorization lists are used by multiple tools.
The following is a list of the TAA Authorization lists, the tools that
use each list and the objects that are shipped as authorized to the
list.
Authorization
list in QSYS   Tool         Notes   Object       Type   Total
------------   ----------   -----   ----------   ----   -----
TAAACCSECL     ACCSECLIB            ACCSECLIB    *CMD       2
                                    TAASECBC     *PGM
TAAALLSPLF     DSPALLSPLF   6                               0
               WRKALLSPLF   6
TAAAPYRMT      APYRMTJRN            STRAPYRMT    *CMD       8
                                    ENDAPYRMT    *CMD
                                    SNDAPYRMTE   *CMD
                                    CRTAPYRMTD   *CMD
                                    TAAJRODC     *PGM
                                    TAAJRODC2    *PGM
                                    TAAJRODC3    *PGM
                                    TAAJRODC9    *PGM
TAAAUDLOG      AUDLOG               CVTAUDLOG    *CMD       7
                                    TAASEDSC2    *PGM
                                    TAASEDSR2    *PGM
               CVTAUDLOG3           CVTAUDLOG3   *CMD
                                    TAASEDWC     *PGM
                                    TAASEDWC2    *PGM
                                    TAASEDWR     *PGM
TAACHGBIGP     CHGBIGPARM           CHGBIGPARM   *CMD       5
                                    RTVBIGPARM   *CMD
                                    TAATMPAC     *PGM
                                    TAATMPAC2    *PGM
                                    TAATMPAR     *PGM
TAACHGOBJ2     CHGOBJD2             CHGOBJD2     *CMD       5
                                    TAAOBJLC     *PGM
                                    TAAOBJLC2    *PGM
               CHGOBJSRC            CHGOBJSRC    *CMD
                                    TAAOBJUC     *PGM
TAACHGPRF2     CHGUSRPRF2           CHGUSRPRF2   *CMD       2
                                    TAASEDHC     *PGM
TAACHKUSRG     CHKUSRGRP            CHKUSRGRP    *CMD       2
                                    TAASELCC     *PGM
TAACLNTEMP     CLNTAATEMP           CLNTAATEMP   *CMD       6
                                    TAATMPBC     *PGM
                            5       TAATMPBC2    *PGM
                                    TAATMPBC3    *PGM
                                    TAATMPBC9    *PGM
                                    TAATMPBR     *PGM
TAACPYUSR2     CPYUSRPRF2           CPYUSRPRF2   *CMD       3
                                    TAASEDRC     *PGM
                                    TAASEDRC2    *PGM
TAACVTIFS      CVTIFS               CVTIFS       *CMD      12
                                    TAAIFSAC     *PGM
                                    TAAIFSAC2    *PGM
                                    TAAIFSAR     *PGM
                                    DLTIFS       *CMD
                                    DLTIFS2      *CMD
                                    TAAIFSQC     *PGM
                                    TAAIFSQC2    *PGM
                                    TAAIFSQC3    *PGM
                                    TAAIFSQC4    *PGM
                                    TAAIFSQR     *PGM
                                    TAAIFSQR2    *PGM
TAACVTLIBD     CVTLIBDBF    11                              0
TAACVTQHST     CVTQHST              CVTQHST      *CMD      22
                                    TAAHSTAC     *PGM
                                    TAAHSTAR     *PGM
               DSPQHST2             CVTQHST2     *CMD
                                    DSPQHST2     *CMD
                                    MTNQHST2     *CMD
                                    TAAHSTEC     *PGM
                                    TAAHSTEC2    *PGM
                                    TAAHSTEC3    *PGM
                                    TAAHSTEC5    *PGM
                                    TAAHSTEC6    *PGM
                                    TAAHSTEC7    *PGM
                                    TAAHSTEC8    *PGM
                                    TAAHSTEC9    *PGM
                                    TAAHSTEC13   *PGM
                                    TAAHSTER     *PGM
                                    TAAHSTER3    *PGM
               DLTJOBLOG            DLTJOBLOG    *CMD
                                    TAALOGFC     *PGM
                                    TAALOGFC2    *PGM
               PRTJOBSUM            PRTJOBSUM    *CMD
                                    TAAJOCXC     *PGM
TAACVTSPLF     CVTFRMSPLF           CVTFRMSPLF   *CMD       2
                                    TAASPMEC2    *PGM
TAADLTQHST     DLTQHST              DLTQHST      *CMD       2
                                    TAAHSTBC     *PGM
TAADLTUSR2     DLTUSRPRF2           DLTUSRPRF    *CMD       2
                                    TAASEDTC     *PGM
TAADPTSEC      SECOFR2      3
TAADSAPRF      DSAUSRPRF            DSAUSRPRF    *CMD       2
                                    TAASEDFC     *PGM
TAADSPADP      DSPADP       1       DSPCLSA      *CMD      34
                                    DSPCMDA      *CMD
                                    DSPDBRA      *CMD
                                    DSPFDA       *CMD
                                    DSPFFDA      *CMD
                                    DSPJOBDA     *CMD
                                    DSPLIBA      *CMD
                                    DSPOBJAUTA   *CMD
                                    DSPOBJDA     *CMD
                                    DSPPGMA      *CMD
                                    DSPPGMADPA   *CMD
                                    DSPPGMREFA   *CMD
                                    DSPSAVFA     *CMD
                                    DSPSBSDA     *CMD
                                    DSPUSRPRFA   *CMD
                                    TAAADPAC     *PGM
                                    TAAADPAC2    *PGM
                                    TAAADPAC3    *PGM
                                    TAAADPAC4    *PGM
                                    TAAADPAC5    *PGM
                                    TAAADPAC6    *PGM
                                    TAAADPAC7    *PGM
                                    TAAADPAC8    *PGM
                                    TAAADPAC9    *PGM
                                    TAAADPAC10   *PGM
                                    TAAADPAC11   *PGM
                                    TAAADPAC12   *PGM
                                    TAAADPAC13   *PGM
                                    TAAADPAC14   *PGM
                                    TAAADPAC15   *PGM
                                    TAAADPAC22   *PGM
               CVTLIBCNT            CVTLIBCNT    *CMD
                                    TAALICEC     *PGM
                                    TAALICEC11   *PGM
               PRTLIBCNT            PRTLIBCNT    *CMD
                                    TAALICFC     *PGM
               PRTSAVCNT            PRTSAVCNT    *CMD
                                    TAASAVSC     *PGM
TAADSPJLG      DSPALLJLG            None                    0
TAADSPOBJ4     DSPOBJD4             None                    0
TAADSPUSR2     DSPUSRPRF2           DSPUSRPRF2   *CMD       4
                                    TAASEDCC     *PGM
                                    TAASEDCC2    *PGM
                                    TAASEDCC3    *PGM
TAADSTPWD2     CHGDSTPWD2           CHGDSTPWD2   *CMD       2
                                    TAASEFWC     *PGM
TAADUPSPLF     DUPSPLF              DUPSPLF      *CMD       2
                                    TAASPLDC     *PGM
TAAEDTDBF      EDTDBF       9                               0
TAAENAUSR      ENAUSRPRF            ENAUSRPRF    *CMD       2
                                    TAASECLC     *PGM
TAAINSTALL     Install      2       TAATOLUC     *PGM       3
                                    TAATOLUC2    *PGM
                                    TAATOLUC3    *PGM
TAAINZPWD      INZPWD               INZPWD       *CMD       8
                                    INZPWD2      *CMD
                                    TAASECXC     *PGM
                                    TAASECXC2    *PGM
                                    TAASECXC4    *PGM
                                    TAASECXC5    *PGM
                                    TAASECXR     *PGM
                                    TAASECXR4    *PGM
TAAJOBACG      JOBACG               CVTJOBACG    *CMD      14
                                    CVTJOBACG2   *CMD
                                    ANZJOBACG    *CMD
                                    TAAACGBC2    *PGM
                                    TAAACGBC7    *PGM
                                    TAAACGBR2    *PGM
               PRTACG               CVTPRTACG    *CMD
                                    CVTPRTACG2   *CMD
                                    TAAACGEC2    *PGM
                                    TAAACGEC7    *PGM
               CVTJOBACG3           CVTJOBACG3   *CMD
                                    TAAACGDC     *PGM
                                    TAAACGDR     *PGM
                                    TAAACGDR11   *PGM
TAAJOBCTL      EXCJOBCTL    10      EXCJOBCTL    *CMD       2
                                    TAAJOCIC     *PGM
TAAJOBSCDE     RTVJOBSCDE           RTVJOBSCDE   *CMD       8
                                    TAAJBSAC     *PGM
               CVTJOBSCDE           CVTJOBSCDE   *CMD
                                    TAAJBSBC     *PGM
               ADDJOBSCD2           ADDJOBSCD2   *CMD
                                    TAAJBSCC     *PGM
               CPYJOBSCDE           CVTJOBSCDE   *CMD
                                    TAAJBSDC     *PGM
               DSPJOBSCDR           DSPJOBSCDR   *CMD
TAAJOBTALK     JOBTALK              SNDJOBTALK   *CMD       2
                                    TAAJOCKC4    *PGM
TAAMTNJRN      MTNALLJRN            MTNALLJRN    *CMD       2
                                    TAAJROJC     *PGM
TAAPRDLIB      CHGPRDLIB            CHGPRDLIB    *CMD       2
                                    TAALIBNC     *PGM
TAARCLSTG2     RCLSTG2              RCLSTG2      *CMD       4
                                    TAARCLAC     *PGM
               RCLSTGBCH            RCLSTGBCH    *CMD
                                    TAARCLBC     *PGM
TAARSTALLC     RSTALLCHG            RSTALLCHG    *CMD       8
                                    RSTALLLIB    *CMD
                                    RSTMNYCHG    *CMD
                                    RSTMNYLIB    *CMD
                                    TAARSTAC     *PGM
                                    TAARSTDC     *PGM
                                    TAARSTFC     *PGM
                                    TAARSTIC     *PGM
TAARSTANYL     RSTANYLIB            RSTANYLIB    *CMD       2
                                    TAARSTBC     *PGM
TAARSTFIL      RSTFIL               RSTFIL       *CMD       2
                                    TAARSTCC     *PGM
TAARTVUSR2     RTVUSRPRF2           RTVUSRPRF2   *CMD       2
                                    TAASEDLC     *PGM
TAASAVALLC     SAVALLCHG            SAVALLCHG    *CMD       9
                                    SAVALLCHG2   *CMD
                                    SAVALLSAVF   *CMD
                                    TAASAVCC     *PGM
                                    TAASAVCC2    *PGM
                                    TAASAVCC3    *PGM
                                    TAASAVCC4    *PGM
               SAVCHG23             SAVCHG23     *CMD
                                    TAASAVWC     *PGM
TAASBMJOB2     SBMJOB2              SBMJOB2      *CMD       1
TAASBMJOB3     SBMJOB2              SBMJOB3      *CMD       1
TAASECOFR2     SECOFR2      7                               0
TAASECRVW      DSPSECRVW            DSPSECRVW    *CMD       3
                                    TAASECKC     *PGM
                                    TAASECKR     *PGM
TAASNDBRK      SNDUSRBRK            SNDUSRBRK2   *CMD       1
TAASNDGRP      SNDGRPPRF            SNDGRPPRF    *CMD       4
                                    TAAMSHDC     *PGM
                                    TAAMSHDC9    *PGM
                                    TAAMSHDR     *PGM
TAASNDUSG      SNDUSGMSG            SNDUSGMSG    *CMD       2
                                    TAAMSHEC     *PGM
TAASPLDST      SPLDST               DUPSPLDST    *CMD       4
                                    TAASPLXC4    *PGM
                                    TAASPLXC14   *PGM
                                    TAASPLXR     *PGM
TAASRCACC      TAAARC       4       CPYTAA       *CMD       8
                                    CPYTAA2      *CMD
                                    CPYTAAALL    *CMD
                                    SCNTAA       *CMD
                                    TAAARCAC2    *PGM
                                    TAAARCAC7    *PGM
                                    TAAARCAC8    *PGM
                                    TAAARCAC32   *PGM
TAAVRYCFG      VRYCFG2              VRYCFG2      *CMD       2
                                    TAACFGEC     *PGM
TAAVRYCFGO     VRYCFGOFF            VRYCFGOFF    *CMD       2
                                    TAACFGGC     *PGM
Notes
1. Several other tools use one of the DSPxxxA commands. For example,
PRTDBFEXP uses DSPOBJDA to allow a user to execute over any or all
libraries if he is authorized to TAADSPADP. See the discussion
with DSPADP.
2. The initial installation must be done by a user with *ALLOBJ
special authority. Any subsequent installs can be done by any user
who is authorized to the TAAINSTALL authorization list. See the
information member 'Installing as a Non-QSECOFR' on the HELPTAA
menu.
3. The TAADPTSEC authorization list is optional. If you want
Departmental Security Officers, use the CRTDPTSEC command of the
SECOFR2 tool to create the authorization list. If TAADPTSEC
exists, the options on the SECOFR2 menu check for the existence of
the authorization list and only allow the user profiles to be
managed if the user has all authority to the user profile. See
the discussion with the SECOFR2 tool.
4. The TAASRCACC authorization list is used for TAA Archive functions
involving source. You must have *USE authority to display, copy,
or scan any program source in the archive.
5. The TAATMPBC2 program is optional and may not exist.
6. *USE authority to the TAAALLSPLF authorization list is checked
within the TAASPMMR and TAASPMSR programs if a user other than
*CURRENT is specified.
7. *CHANGE authority to TAASECOFR2 is required to display the SECOFR2
menu without prompting for the current password. *USE authority
requires entering the current password. The authorization list is
shipped as *CHANGE.
8. *USE authority to TAAJOBACG is required to convert journal entries
for either JOBACG or PRTACG.
9. If the user is not the owner of the file, he must be authorized to
TAAEDTDBF. No objects are controlled by the authorization list.
10. The TAAJOBCTL authorization list is also used by the DSPJOB3 tool,
but no objects in the tool are authorized to TAAJOBCTL. The
program checks internally for authorization.
11. The TAACVTLIBD authorization list is used to allow access to
CVTLIBDBF for library special values such as *ALL. No objects are
authorized to the list. The TAADBHCC program adopts.
To authorize a user to a tool which is controlled by an authorization
list, you need to specify *USE authority. You may use EDTAUTL and
operate from the interactive display or the following command:
ADDAUTLE AUTL(xxxxx) USER(xxx) AUT(*USE)
The objects that use an authorization list are created so that the
*PUBLIC user accesses their authority from the authorization list. The
authorization lists are created with the *PUBLIC being *EXCLUDE. This
allows a simple change to the authorization list if you want the tool
to be usable by *PUBLIC.
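A read-only check of that baseline, as an added example that is not
part of the TAA Productivity Tools: it lists every entry on a TAA
authorization list where *PUBLIC is no longer *EXCLUDE or where a user
holds more than *USE. It assumes the IBM i service view
QSYS2.AUTHORIZATION_LIST_USER_INFO and its column names are available
on your release, and that no other authorization lists begin with TAA.

```sql
-- Added example: compare the TAA authorization lists in QSYS with the
-- baseline described above (*PUBLIC is *EXCLUDE, users are added with
-- *USE). Assumption: the IBM i service view
-- QSYS2.AUTHORIZATION_LIST_USER_INFO exists on this release.
-- The owner of each list normally appears with *ALL; treat that row as
-- expected and review the rest.
SELECT authorization_list,
       authorization_name,
       object_authority,
       CASE
         WHEN authorization_name = '*PUBLIC'
           THEN '*PUBLIC is not *EXCLUDE: tool is usable by every user'
         ELSE 'More than *USE granted: confirm it is required'
       END AS finding
  FROM qsys2.authorization_list_user_info
 WHERE authorization_list LIKE 'TAA%'
   AND (
         -- The lists are created with *PUBLIC as *EXCLUDE
         (authorization_name = '*PUBLIC'
          AND object_authority <> '*EXCLUDE')
         OR
         -- *USE is all a user needs to run a controlled tool
         (authorization_name <> '*PUBLIC'
          AND object_authority NOT IN ('*USE', '*EXCLUDE')
          -- Note 7: *CHANGE to TAASECOFR2 has a defined meaning
          AND authorization_list <> 'TAASECOFR2')
       )
 ORDER BY authorization_list, authorization_name;
```

Users with *ALLOBJ special authority do not appear in this result
because they are implicitly authorized to the lists.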
Copyright TAA Tools, Inc. 1995, 2021