Object Rules
IBM defines an object as a named storage space that consists of a set of characteristics that describe it and its data. Thus, an object is anything that occupies space in storage, and on which you can perform operations. Examples of objects include programs, files, libraries, folders, and IFS directories and files. Exit Point Manager allows you to define authority rules to control access at the object level.
You can set rules for libraries and the objects in them, or for an IFS path. These rules can be specific to a user (or *PUBLIC) or to a location, and identify the object by library, name, and type. Using an object rule, you can define access to both the object and the data contained within the object.
Path strings must begin with a slash (/) and must not begin with any of "QSYS.LIB", "QFileSvr.400", "QOpenSys", "QOPT" or "QNTC". The comparison is not case sensitive, so QOPENSYS and qopensys are equally invalid. The virtual directory names "." and ".." are not allowed anywhere in the path, and there must be at least one character between each pair of slashes.
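The path-string rules above, as a validator added for this page (it is not Exit Point Manager code). Two readings are assumed: the reserved-name test is a literal, case-insensitive prefix match on the text after the leading slash, and a trailing slash leaves an empty last component and is therefore rejected. The sample paths in the usage function are constructed for illustration.

```python
RESERVED_PREFIXES = ("QSYS.LIB", "QFileSvr.400", "QOpenSys", "QOPT", "QNTC")


def validate_ifs_path(path):
    """Return (ok, reason) for one object-rule path string."""
    if not path.startswith("/"):
        return False, "path must begin with a slash"
    rest = path[1:]
    for name in RESERVED_PREFIXES:
        # Literal, case-insensitive prefix test on the text after the leading
        # slash (assumed reading of "must not begin with").
        if rest.upper().startswith(name.upper()):
            return False, "path must not begin with " + name
    for component in rest.split("/"):
        if component == "":
            # Also rejects a trailing slash, which leaves an empty last
            # component (assumed reading of the rule).
            return False, "at least one character is required between slashes"
        if component in (".", ".."):
            return False, "virtual directory names . and .. are not allowed"
    return True, "ok"


def invalid_paths(paths):
    """Reduce a batch of candidate path strings to the failing ones, with reasons."""
    bad = []
    for p in paths:
        ok, reason = validate_ifs_path(p)
        if not ok:
            bad.append((p, reason))
    return bad


if __name__ == "__main__":
    # Constructed sample input, not taken from any system.
    for entry in invalid_paths(["/home/payroll/data", "/QSYS.LIB/PAYROLL.LIB",
                                "/qopensys/usr/bin", "/home/../etc", "/home//x"]):
        print("%-25s %s" % entry)
```

Run the validator over every path before keying it into an IFS object list entry; a rejected string would otherwise only fail at the screen, and the reason text says which rule it broke.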
Object rules allow you to specify the operation that the rule allows (*ALL, *CREATE, *READ, *UPDATE, or *DELETE), and the action to take (*REJECT, *OS400, *SWITCH) for data access and object access. Thus, you can define an object rule for a specific user or location, for a specific object, and for a specific type of access. In addition, you can specify values for auditing, capturing transactions, and messaging in your object rules.
Setting rules at the object level provides a different measure of control than setting rules at the user or location levels. For example, you can set one object rule to restrict all users and locations from accessing a specific file (such as payroll) instead of setting multiple rules at the user or location levels to control access.
Object Rules and Exit Point Manager
Filter rules, object rules, and memorized transactions are closely related in Exit Point Manager. Object rules need *MEMOBJ filter rules to trigger them. When you define an object rule, you select the servers and functions that will enforce the rule; this creates the *MEMOBJ Authority filter rules for the user or location of the object rule. A *MEMOBJ Authority filter rule tells Exit Point Manager to check memorized transactions (MTR) for authority first. If no memorized transaction supplies an authority, it then checks the transaction against the object rules.
Whenever any rule changes, Exit Point Manager manages the relationships between the filter rules, object rules, and memorized transactions.
If there are no filter rules with *MEMOBJ authority that refer to a particular active object rule, that object rule is set to *INACTIVE by the system.
When there are no more active object rules for a given user or location, you should remove or modify the *MEMOBJ filter rules for that user or location, since nothing remains for them to trigger. When you deactivate (by changing or deleting) the last active object rule for a user or location, Exit Point Manager prompts you to choose how to handle the filter rules that are in place. If you use a command (such as CHGOBJRUL or DLTOBJRUL), you must specify command parameters that define how to handle the filter rules, in case they are needed at run time during command processing.
Object Rules and the Remote Command Server
The Remote Command server has some unusual properties. It recognizes and reports only objects of type *CMD, and supplies no other object type to Exit Point Manager. Exit Point Manager therefore cannot match any other object type against an object rule, so Remote Command server object rules work only when they name the command itself.
Example:
The following remote command, issued from a Windows command prompt:
RMTCMD CRTLIB TESTLIB //mysystem
is governed by an object rule for CRTLIB (type *CMD). An object rule for TESTLIB (type *LIB) has no effect, because the server never presents the library to Exit Point Manager.
Managing Object Lists
- From the Exit Point Manager Main Menu, select option 4 to display the Work with Security by Object screen.
- Select option 1 to display the Work with Object Lists screen, which lists all object lists that have been defined.
- Here you can add new lists and copy, change, delete, rename, or work with existing lists. See Work with Object Lists screen for details.
- To add an object list, enter a 1 in the Opt column on the first line of the Work with Object Lists screen. You can enter the object list name, type, and description in the blank fields, or press Enter to display the Create Object List screen. See Create Object List screen for more details.
- To change an object list, enter a 2 next to its name on the Work with Object Lists screen to display the Change Object List screen. Enter the new type and/or description and press Enter to save the change.
- To copy an object list, enter a 3 next to its name on the Work with Object Lists screen to display the Copy Object List screen. Enter a name for the new object list and press Enter.
- To delete object lists, enter a 4 next to one or more names on the Work with Object Lists screen. The Confirm Choices screen asks you to confirm that you want to delete the selected object list(s).
- To rename an object list, enter a 7 next to its name on the Work with Object Lists screen to display the Rename Object List screen. Enter a new name for the object list and press Enter.
Working with Object List Entries
The purpose of an object list is to group the objects in a library that you want to secure in one object list to which you then can apply Exit Point Manager Object Rules. The object list entries specify the objects that you are securing.
- For a library object list, enter a 1 in the Opt column on the first line of the Work with Object List Entries screen and enter the library, object, and type in the blank fields, or press Enter to display the Add Object List Entry screen and enter the information there. See Add Object List Entry screen for more details.
- For an IFS-type object list, enter a 1 in the Opt column of the Work with Object List Entries screen and press Enter to display the Add Object List Entry screen.
NOTE: To add entries to an IFS-type object list using the web browser interface, see To add entries to an object list (web browser) above.
- Enter the path name for the directory you want to secure. Press F4 (Prompt) in the Path field to display the Select Path screen, which allows you to select a path in your IFS. The path name can contain either generic or wildcard characters.
- If the IFS path name is too long to display on the Work with Object List Entries screen, press F22 (Full Name) to display the full path name in a window.
You can subset and sort object lists or object list entries so that you see only the lists or objects that meet the criteria you specify. To display the sort screens, press F16 (Sort/Subset) on the Work with Object Lists or Work with Object List Entries screens.
Creating rules for an object list using the green screen
You can create rules to control access to the objects listed in an object list from the Work with Object Lists screen. Creating a rule adds filter rules for the user or location specified for the rule.
- Enter a 9 in the Opt column next to the object list you want to work with to display the Object Rules using Object List screen.
- On the Object Rules using Object List screen, enter a 1 in the Opt column and a Location or User name. Press Enter to display the Create Object Rule by Location or User screen.
When you've defined your rule, press Enter to display the Select Target Server Functions for Object Rule screen, which allows you to select the servers and functions that will enforce the new user or location filter rule with *MEMOBJ authority you are creating.
- Enter a 1 next to a server to select server function *ALL, which tells Exit Point Manager to enforce the rule for all functions of the selected server. To select the function *ALL for all servers, press F10. If you have previously selected individual functions for a server, pressing F10 deselects those functions and selects function *ALL for the server.
- To select individual server functions, enter a 2 next to the server to display the second Select Target Server Functions for Object rule screen, which displays a list of functions for the selected server.
- Enter a 1 next to each function that should enforce the object rule. To deselect a function, enter a 4 next to the function. To select all individual server functions, except *ALL, press F10.
- When you've completed defining your rules, they display on the Object Rules using Object List screen. To switch between the Data Access and Object Access rights, press F11 (Object View/Data View).
Example: Blocking access to a library while allowing a specific user to access a specific file within that library
In this example, we will block access to all files in the library PAYROLL but still allow user SHAASE to access the EMPLOYEE file within that library.
To block access using this method, you must change the *PUBLIC rule for *SQLSRV to *MEMOBJ. This instructs Exit Point Manager to consult memorized transactions and then object rules to determine access. Because *PUBLIC access through *SQLSRV is then no longer granted by the filter rule alone, additional object lists and rules will need to be created to authorize access to other objects and libraries through *SQLSRV.
- Choose 1 (Work with Security by Server) from the Exit Point Manager Main Menu.
- Enter UA for *SQLSRV.
- Change the Authority for User *PUBLIC to *MEMOBJ and press Enter.
- Press F3 twice to return to the Main Menu.
- Select 4 (Work with Security by Object).
- Select 1 (Work with Object Lists).
- Create the Object List PAYROLL using the following values:
- Opt = 1 (Create)
- Object List = PAYROLL
- Type = Q
- Description = [*Enter description here*]
- Press Enter twice to create the PAYROLL Object List.
- Enter Opt 8 (Work with Entries) for the PAYROLL Object List.
- Add an entry for all files using the following values:
- Opt = 1 (Add)
- Library = PAYROLL
- Object = * (* indicates ALL objects)
- Type = *FILE
- Press Enter twice to add the Object List Entry to the PAYROLL Object List.
- Press F3 to return to Work with Object Lists.
- Create the Object List EMPLOYEE using the following values:
- Opt = 1 (Create)
- Object List = EMPLOYEE
- Type = Q
- Description = [*Enter description here*]
- Press Enter twice to create the EMPLOYEE Object List.
- Enter Opt 8 (Work with Entries) for the EMPLOYEE Object List.
- Add an entry using the following values:
- Opt = 1 (Add)
- Library = PAYROLL
- Object = EMPLOYEE
- Type = *FILE
- Press Enter twice to add the Object List Entry to the EMPLOYEE Object List.
- Press F3 to return to Work with Object Lists.
- Enter Opt 9 (Object Rules using Object List) next to the object list EMPLOYEE.
- Create a new record using the following values:
- Opt = 1 (Create)
- User = SHAASE
- Operation = *ALL
- Authority = *OS400
- Press Enter to review the information on the Create Object Rule by User screen.
- Press Enter again. The Select Target Server Functions for Object Rule screen appears.
- Enter Opt 1 (Select Server Function *ALL) next to the server *SQLSRV and press Enter twice.
- Press F3 to return to the Work with Object Lists.
- Enter Opt 9 (Object Rules using Object List) next to the Object List PAYROLL.
- Create a new record using the following values:
- Opt = 1 (Create)
- User = *PUBLIC
- Operation = *ALL
- Authority = *REJECT
- Press Enter to review the information on the Create Object Rule by User screen.
- Press Enter again. The Select Target Server Functions for Object Rule screen appears.
- Enter Opt 1 (Select Server Function *ALL) next to the server *SQLSRV and press Enter twice.
- Press F3 to return to the Work with Object Lists.
Now only the user SHAASE has access to the EMPLOYEE file in the library PAYROLL through *SQLSRV, and access to all other files in PAYROLL through *SQLSRV is rejected. Note that these object rules are enforced only by the server functions you selected (*SQLSRV, function *ALL); access to the same files through any other server is still governed by that server's own rules.
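The rule chain described under Object Rules and Exit Point Manager (a *MEMOBJ filter rule, then memorized transactions, then object rules, with an object rule going *INACTIVE when no *MEMOBJ filter rule refers to it) and the PAYROLL/EMPLOYEE example above, as a Python model added for this page. It is not Exit Point Manager code. It assumes that a user's own object rule takes precedence over a *PUBLIC rule and an exact object entry over a generic "*" entry; that memorized transactions are looked up by server, function, and user only (transaction text is omitted); and that the "leave", "alter" and "remove" option names, the QUERY function name, and the user JDOE are placeholders. Where no object rule matches, the model returns None because the page does not say what the product does in that case.

```python
from dataclasses import dataclass

MEMOBJ, PUBLIC = "*MEMOBJ", "*PUBLIC"


@dataclass
class ObjectRule:
    principal: str       # user profile (or location) or *PUBLIC
    objlist: str         # name of the object list the rule applies to
    operation: str       # *ALL, *CREATE, *READ, *UPDATE or *DELETE
    authority: str       # *REJECT, *OS400 or *SWITCH
    targets: frozenset   # (server, function) pairs that enforce the rule
    active: bool = True


class RuleStore:
    def __init__(self):
        self.filter_rules = {}   # (server, function, principal) -> authority
        self.memorized = {}      # (server, function, principal) -> authority (text omitted)
        self.object_lists = {}   # list name -> [(library, object or "*", type)]
        self.object_rules = []

    def add_object_rule(self, rule):
        # Creating an object rule creates the *MEMOBJ filter rules that trigger it.
        for server, function in rule.targets:
            self.filter_rules[(server, function, rule.principal)] = MEMOBJ
        self.object_rules.append(rule)
        self.refresh_status()

    def refresh_status(self):
        # An active object rule that no *MEMOBJ filter rule refers to is set *INACTIVE.
        for rule in self.object_rules:
            referenced = any(self.filter_rules.get((s, f, rule.principal)) == MEMOBJ
                             for s, f in rule.targets)
            rule.active = rule.active and referenced

    def delete_object_rule(self, principal, objlist, operation, if_mtr, if_no_mtr):
        # if_mtr / if_no_mtr: what to do with the *MEMOBJ filter rules when this was the
        # last active object rule for the principal, chosen separately for whether a
        # memorized transaction exists for the same server/function/principal:
        # ("leave",), ("alter", authority) or ("remove",). Placeholder names, not the
        # DLTOBJRUL/CHGOBJRUL parameter values.
        victims = [r for r in self.object_rules
                   if (r.principal, r.objlist, r.operation) == (principal, objlist, operation)]
        self.object_rules = [r for r in self.object_rules if r not in victims]
        was_last = any(r.active for r in victims) and not any(
            r.active for r in self.object_rules if r.principal == principal)
        if not was_last:
            return
        for key in {(s, f, principal) for r in victims for s, f in r.targets}:
            if self.filter_rules.get(key) != MEMOBJ:
                continue
            choice = if_mtr if key in self.memorized else if_no_mtr
            if choice[0] == "alter":
                self.filter_rules[key] = choice[1]
            elif choice[0] == "remove":
                del self.filter_rules[key]

    def _filter_authority(self, server, function, user):
        # The user's own filter rule beats *PUBLIC; a specific function beats *ALL.
        for key in ((server, function, user), (server, "*ALL", user),
                    (server, function, PUBLIC), (server, "*ALL", PUBLIC)):
            if key in self.filter_rules:
                return self.filter_rules[key]
        return None

    def _entries(self, objlist, library, obj, typ):
        return [e for e in self.object_lists.get(objlist, [])
                if e[0] == library and e[2] == typ and e[1] in ("*", obj)]

    def check(self, user, server, function, library, obj, typ, operation):
        """Authority that applies to one transaction, or None when nothing decides it."""
        authority = self._filter_authority(server, function, user)
        if authority != MEMOBJ:
            return authority                       # an ordinary filter rule decides
        for key in ((server, function, user), (server, function, PUBLIC)):
            if key in self.memorized:              # memorized transactions are checked first
                return self.memorized[key]
        candidates = [r for r in self.object_rules
                      if r.active and r.principal in (user, PUBLIC)
                      and ((server, function) in r.targets or (server, "*ALL") in r.targets)
                      and r.operation in ("*ALL", operation)
                      and self._entries(r.objlist, library, obj, typ)]
        if not candidates:
            return None                            # the page does not say what happens here
        # Assumed precedence: the user's own rule before *PUBLIC, an exact entry before "*".
        def rank(r):
            exact = any(e[1] == obj for e in self._entries(r.objlist, library, obj, typ))
            return (r.principal == PUBLIC, not exact)
        return min(candidates, key=rank).authority


def payroll_scenario():
    """The page's example: *PUBLIC on *SQLSRV set to *MEMOBJ, then the two object rules."""
    store = RuleStore()
    store.filter_rules[("*SQLSRV", "*ALL", PUBLIC)] = MEMOBJ
    store.object_lists["PAYROLL"] = [("PAYROLL", "*", "*FILE")]
    store.object_lists["EMPLOYEE"] = [("PAYROLL", "EMPLOYEE", "*FILE")]
    sqlsrv_all = frozenset({("*SQLSRV", "*ALL")})
    store.add_object_rule(ObjectRule("SHAASE", "EMPLOYEE", "*ALL", "*OS400", sqlsrv_all))
    store.add_object_rule(ObjectRule(PUBLIC, "PAYROLL", "*ALL", "*REJECT", sqlsrv_all))
    return store
```

Calling payroll_scenario().check("SHAASE", "*SQLSRV", "QUERY", "PAYROLL", "EMPLOYEE", "*FILE", "*READ") returns *OS400 while the same request for any other PAYROLL file, or from another user, returns *REJECT. Deleting SHAASE's rule with the "remove" option for the no-memorized-transaction case drops the *MEMOBJ filter rule the object rule created, and deleting the *PUBLIC filter rule followed by refresh_status() leaves the *PUBLIC object rule inactive, which is the dependency the earlier section describes.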
To work with the object rules you've created, you can select from the following options. Press F23 (More Options) to see additional options.
The Create Object Rule (CRTOBJRUL) and Change Object Rule (CHGOBJRUL) commands also allow you to create or change an object rule.
The commands allow you to specify the location or user, the object list, the operation to which the rule applies, and whether it should be active or inactive. The data access and object access options are the same as on the Create or Change Object Rule by User/Location screens.
The Filter Rule creation style parameter allows you to specify how the *MEMOBJ filter rules will be created:
*ALLALL
Selects the *ALL function for all servers.
*SRVLIST
Allows you to specify which servers and functions are populated with *MEMOBJ filter rules. Use the Server List parameter to specify the servers and functions.
*NONE
If you don't specify any servers/functions and no *MEMOBJ filter rules already exist when the command is run, no *MEMOBJ filter rules are created and the object rule is placed in *INACTIVE status.
If you use the CHGOBJRUL command to inactivate the last active user or location rule, an additional set of parameters displays allowing you to specify how to handle any *MEMOBJ filter rules that exist at run time.
Use the Filter Rule deletion options to specify how you want Exit Point Manager to handle the filter rules.
When you create an object rule, it creates filter rules with *MEMOBJ authority for the user or location. When you select to delete or deactivate the last active object rule for a user or location, you should review these filter rules to determine if they are still necessary.
When you select to delete the last active object rule, the Confirm Choices screen first asks you to confirm the deletion. If you confirm that you want to delete the rule, the Specify Filter Rule Options screen displays so you can specify how you want Exit Point Manager to handle any *MEMOBJ filter rules that exist for the object rule.
You can specify the following for the filter rules depending on whether or not any memorized transactions exist for the same server, function, and user or location as the object rule you are deleting.
If Memorized Transactions exist:
This section controls what happens to the User or Location rules when memorized transactions exist.
Leave the filter rules as they are
The *MEMOBJ User or Location filter rules are not altered or removed.
Change Authority to ________ Switch profile ________
Changes the Authority on the filter rules to the value you specify. You must specify a valid Authority value. If you specify *SWITCH or *MEMSWITCH, you also must enter a switch profile name.
Remove the filter rules
Deletes the *MEMOBJ User or Location filter rules.
If no Memorized Transactions exist:
This section controls what happens to the user or location rules when no memorized transactions exist.
Leave the filter rules as they are
The *MEMOBJ User or Location filter rules are not altered or removed.
Change Authority to ________ Switch profile ________
Changes the Authority on the filter rules to the value you specify. You must specify a valid Authority value. If you specify *SWITCH or *MEMSWITCH, you also must enter a switch profile name.
Remove the filter rules
Deletes the *MEMOBJ user or location filter rules.
You also can use the Delete Object Rule (DLTOBJRUL) command to delete an object rule.
The command allows you to specify the location or user, the object list, and the operation for which you are deleting an object rule. You also must specify how to handle any *MEMOBJ filter rules currently in existence at run time if the rule being deleted is the last active object rule for the user or location.
The Filter Rule deletion options, for both If Memorized Trans Exist and If no Memorized Trans Exist are:
Action to take
Specify the action to take when *MEMOBJ filter rules exist for the user or location. Valid values are:
Authority
If you specified *ALTER in the Action to take field, enter the Authority value to apply to the user or location rule. Press F4 to select from a list of possible Authority values.
Switch profile
If you entered *SWITCH or *MEMSWITCH in the Authority field, enter the name of the switch profile. If you entered any other value in the Authority field, Switch profile must be *NONE.