Object Rules
IBM defines an object as a named storage space that consists of a set of characteristics that describe it and its data. Thus, an object is anything that occupies space in storage, and on which you can perform operations. Examples of objects include programs, files, libraries, folders, and IFS directories and files. Powertech Exit Point Manager for IBM i allows you to define authority rules to control access at the object level.
You can set rules for libraries and the objects in them, or an IFS path. These rules can be specific to a user (or *PUBLIC) or location and contain the object library, name, and type. Using an object rule, you can define access to both the object and the data contained within the object.
Path strings must begin with a slash (/) and must not begin with any of "QSYS.LIB", "QFileSvr.400", "QOpenSys", "QOPT" or "QNTC". These values are not case sensitive, thus QOPENSYS and qopensys are similarly invalid. Also, the virtual directory names "." and ".." are not allowed in the path. Additionally, there must be at least one character between each slash in the path.
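A small checker for the path-string rules listed above, added here as an illustration rather than code from Powertech Exit Point Manager for IBM i. Where the wording leaves room for interpretation (the reserved names are compared against the first directory name after the leading slash, and an empty component anywhere, including a trailing slash, counts as "no character between slashes"), the choice is marked in a comment.

```python
"""Validate IFS path strings against the rules stated on the page.
Added example, not the product's own validation routine."""

# Names a path string must not begin with; compared case-insensitively
# ("QOPENSYS" and "qopensys" are equally invalid).
RESERVED_NAMES = ("QSYS.LIB", "QFileSvr.400", "QOpenSys", "QOPT", "QNTC")


def check_ifs_path(path):
    """Return a list of rule violations; an empty list means the path is acceptable."""
    problems = []
    if not path.startswith("/"):
        problems.append("path must begin with a slash")
        return problems          # the remaining rules assume a leading slash
    components = path[1:].split("/")
    # Interpretation: "must not begin with" is read as the first directory
    # name after the leading slash matching a reserved name, ignoring case.
    first = components[0].upper()
    for name in RESERVED_NAMES:
        if first == name.upper():
            problems.append(f"path must not begin with {name}")
            break
    for component in components:
        if component == "":
            # Covers "//" and, by the same reading, a trailing slash or a bare "/".
            problems.append("at least one character is required between slashes")
        elif component in (".", ".."):
            problems.append(f'virtual directory name "{component}" is not allowed')
    return problems


def is_valid_ifs_path(path):
    """True when the path satisfies every rule."""
    return not check_ifs_path(path)


if __name__ == "__main__":
    # Constructed sample paths, one per rule.
    for sample in ("/home/payroll/data", "home/payroll", "/QSYS.LIB/PAYROLL.LIB",
                   "/qopensys/usr/bin", "/home/../etc", "/home//data"):
        print(f"{sample:28} {check_ifs_path(sample) or 'ok'}")
```

`check_ifs_path` reports every violation it finds rather than stopping at the first, which is the behaviour you want when validating a batch of object list entries before loading them.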
Object rules allow you to specify the operation that the rule allows (*ALL, *CREATE, *READ, *UPDATE, or *DELETE), and the action to take (*REJECT, *ALLOW, *SWITCH) for data access and object access. Thus, you can define an object rule for a specific user or location, for a specific object, and for a specific type of access. In addition, you can specify values for auditing, capturing transactions, and messaging in your object rules.
Setting rules at the object level provides a different measure of control than setting rules at the user or location levels. For example, you can set one object rule to restrict all users and locations from accessing a specific file (such as payroll) instead of setting multiple rules at the user or location levels to control access.
Object Rules and Powertech Exit Point Manager for IBM i
There is a close relationship between rules in Powertech Exit Point Manager for IBM i. Object rules need *MEMOBJ filter rules to trigger them. When you define an object rule, you select the servers and functions that will enforce the rule. This creates the *MEMOBJ Authority filter rules for the user or location object rule. The *MEMOBJ Authority filter rule tells Powertech Exit Point Manager for IBM i to check Memorized Transactions (MTR) for authority. If no MTR authority is found, it then checks the transaction against the object rules.
Whenever any rule changes, Powertech Exit Point Manager for IBM i manages the relationships between the filter rules, object rules, and memorized transactions.
If there are no filter rules with *MEMOBJ authority that refer to a particular active object rule, that object rule is set to *INACTIVE by the system.
When there are no more active object rules for a given user or location, you should remove or modify the filter rules for that user or location. When you select to deactivate (for example, by changing or deleting) the last active object rule for a user or location, Powertech Exit Point Manager for IBM i asks you to select how to handle the filter rules that are in place. If you use a command (such as CHGOBJRUL or DLTOBJRUL), you must specify command parameters that define how to handle the filter rules in case they are needed at run time during command processing.
Object Rules and the Remote Command Server
The Remote Command server has some unusual properties. It only recognizes and reports on object type *CMD, and it does not pass any other object type to Powertech Exit Point Manager for IBM i. This means the product cannot identify any other object type to which an object rule could apply. Object rules for the Remote Command server therefore work only when they are for the command itself.
Example:
The following remote command issued from a DOS prompt:
RMTCMD CRTLIB TESTLIB //mysystem
is controlled by an object rule for CRTLIB (type *CMD). An object rule for TESTLIB (type *LIB) has no effect on it.
Managing Object Lists

- From the Security Configuration Menu, choose option 4. The Work with Object Lists panel appears, listing all object lists that have been defined.
- Here, you can add new lists and copy, change, delete, rename, or work with existing lists.
- Adding an Object List. Press F6 to display the Create Object List panel.

- Changing an Object List. Enter a 2 next to an object list name on the Work with Object Lists screen to display the Change Object List panel.
- Enter the new type and/or description and press Enter to save the change.

- Copying an Object List. Enter a 3 next to an object list name on the Work with Object Lists screen to display the Copy Object List panel.
- Enter a name for the new object list and press Enter.

- Deleting an Object List. Enter a 4 next to one or more object list names on the Work with Object Lists screen. The Confirm Choices screen appears, asking you to confirm that you want to delete the selected object list(s).

- Renaming an Object List. Enter a 7 next to an object list name on the Work with Object Lists screen to display the Rename Object List screen.
- Enter a new name for the object list and press Enter.
Working with Object List Entries
The purpose of an object list is to group the objects in a library that you want to secure in one object list to which you then can apply Powertech Exit Point Manager for IBM i Object Rules. The object list entries specify the objects that you are securing.

- On the Work with Object List Entries screen, press F6 to display the Add Object List Entry screen.
- Enter the information that defines the object list entry (library, object, and type).
See the Add Object List Entry screen for more details.

- To add an IFS path entry, press F6 on the Work with Object List Entries screen to display the Add Object List Entry screen.
- Enter the path name of the directory you want to secure. Press F4 (Prompt) in the Path field to display the Select Path screen, which lets you choose a path in your IFS. The path name can contain generic or wildcard characters.
- If the IFS path name is too long to display on the Work with Object List Entries screen, press F22 (Full Name) to display the full path name in a window.

You can subset and sort object lists or object list entries so that you see only the lists or objects that meet the criteria you specify. To display the sort screens, press F16 (Sort/Subset) on the Work with Object Lists or Work with Object List Entries screens.
Creating rules for an object list using the green screen
You can create rules to control access to the objects listed in an object list from the Work with Object Lists screen. Creating a rule adds filter rules for the user or location specified for the rule.

- Enter option 9 next to the object list you want to work with to display the Object Rules using Object List screen.
- On the Object Rules using Object List screen, press F6 to display the Create Object Rule by Location or Create Object Rule by User screen.

When you've defined your rule, press Enter to display the Select Target Server Functions for Object Rule screen, which allows you to select the servers and functions that will enforce the new user or location filter rule with *MEMOBJ authority you are creating.
- Enter a 1 next to a server to select server function *ALL, which tells Powertech Exit Point Manager for IBM i to enforce the rule for all functions of the selected server. To select the function *ALL for all servers, press F10. If you have previously selected individual functions for a server, pressing F10 deselects those functions and selects function *ALL for the server.
- To select individual server functions, enter a 2 next to the server to display the second Select Target Server Functions for Object Rule screen, which lists the functions of the selected server.
- Enter a 1 next to each function that should enforce the object rule. To deselect a function, enter a 4 next to the function. To select all individual server functions, except *ALL, press F10.
- When you've completed defining your rules, they display on the Object Rules using Object List screen. To switch between data access and object access, press F11 (Object View/Data View).
Example: Blocking access to a library while allowing a specific user to access a specific file within that library
In this example, we will block access to all files in the library PAYROLL but still allow user SHAASE to access the EMPLOYEE file within that library.
To block access using this method, you must change the *PUBLIC rule for *SQLSRV to *MEMOBJ. This instructs Powertech Exit Point Manager for IBM i to consult Object Lists to determine access control. Additional Object Lists will need to be created to authorize access to other objects and libraries using *SQLSRV.

- In the Security Configuration Menu, choose 1 (Security by Server).
- Enter 3 next to *SQLSRV.
- Change the Authority for User *PUBLIC to *MEMOBJ and press Enter.
- Press F3 twice to return to the Main Menu.

- On the Work with Object Lists panel, press F6 to create an Object List.
- Create the Object List PAYROLL using the following values:
- Object List = PAYROLL
- Type = Q
- Description = [*Enter description here*]
- Press Enter twice to create the PAYROLL Object List.
- Enter Opt 8 (Work with Entries) next to the PAYROLL Object List.
- Press F6 to add an entry for all files using the following values:
- Library = PAYROLL
- Object = * (* indicates ALL objects)
- Type = *FILE
- Press Enter twice to add the Object List Entry to the PAYROLL Object List.
- Press F3 to return to Work with Object Lists.

- On the Work with Object Lists panel, press F6 to create an Object List.
- Create the Object List EMPLOYEE using the following values:
- Object List = EMPLOYEE
- Type = Q
- Description = [*Enter description here*]
- Press Enter twice to create the EMPLOYEE Object List.
- Enter Opt 8 (Work with Entries) for the EMPLOYEE Object List.
- Press F6 to add an entry using the following values:
- Library = PAYROLL
- Object = EMPLOYEE
- Type = *FILE
- Press Enter twice to add the Object List Entry to the EMPLOYEE Object List.
- Press F3 to return to Work with Object Lists.

- Enter Opt 9 (Object Rules using Object List) next to the object list EMPLOYEE.
- Press F6. Create a new record using the following values:
- User = SHAASE
- Operation = *ALL
- Authority = *ALLOW
- Press Enter to review the information on the Create Object Rule by User screen.
- Press Enter again. The Select Target Server Functions for Object Rule screen appears.
- Enter Opt 1 (Select Server Function *ALL) next to the server *SQLSRV and press Enter twice.
- Press F3 to return to the Work with Object Lists panel.

- Enter Opt 9 (Object Rules using Object List) next to the Object List PAYROLL.
- Press F6. Create a new record using the following values:
- User = *PUBLIC
- Operation = *ALL
- Authority = *REJECT
- Press Enter to review the information on the Create Object Rule by User screen.
- Press Enter again. The Select Target Server Functions for Object Rule screen appears.
- Enter Opt 1 (Select Server Function *ALL) next to the server *SQLSRV and press Enter twice.
- Press F3 to return to the Work with Object Lists panel.
Now, only the user SHAASE will have access to the EMPLOYEE file in the library PAYROLL. Access to all other files in PAYROLL will be blocked.
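To make the evaluation order described earlier (a *MEMOBJ filter rule checks Memorized Transactions first and then the object rules) and the PAYROLL/EMPLOYEE configuration just built concrete, here is a small Python model of the decision. It is an added illustration, not Exit Point Manager's own code, and it simplifies: user-specific object rules are checked before *PUBLIC rules, a request that reaches *MEMOBJ without any matching object rule is rejected, and the file name SALARY, the profile JDOE and the server name *OTHERSRV are constructed for the model. The inactive rule for JDOE shows the effect of an object rule that no *MEMOBJ filter rule refers to.

```python
"""Model of *MEMOBJ filter rules handing a request to object rules.
Added example, not Powertech Exit Point Manager for IBM i code; the
ordering and default-deny choices are assumptions of this model."""
from dataclasses import dataclass
from fnmatch import fnmatchcase


@dataclass(frozen=True)
class ObjectListEntry:
    library: str
    obj: str        # object name, or "*" for all objects in the library
    obj_type: str   # e.g. "*FILE"

    def matches(self, library, obj, obj_type):
        return (self.library == library and self.obj_type == obj_type
                and fnmatchcase(obj, self.obj))


@dataclass(frozen=True)
class ObjectRule:
    object_list: str
    user: str            # profile name or "*PUBLIC"
    operation: str       # *ALL, *CREATE, *READ, *UPDATE or *DELETE
    authority: str       # *ALLOW, *REJECT or *SWITCH
    servers: frozenset   # servers whose *MEMOBJ filter rules trigger this rule

    @property
    def active(self):
        # An object rule that no *MEMOBJ filter rule refers to is *INACTIVE.
        return bool(self.servers)


@dataclass
class Config:
    object_lists: dict       # list name -> [ObjectListEntry, ...]
    object_rules: list
    filter_authority: dict   # (server, user) -> authority of that filter rule
    memorized: dict          # (server, user, library, obj) -> authority of an MTR


def decide(cfg, server, user, library, obj, obj_type, operation):
    """Return the authority the model applies to one request."""
    # 1. Filter rule for the server: the user's own rule, else *PUBLIC.
    auth = (cfg.filter_authority.get((server, user))
            or cfg.filter_authority[(server, "*PUBLIC")])
    if auth != "*MEMOBJ":
        return auth                       # object rules are never consulted
    # 2. *MEMOBJ: Memorized Transactions are checked before object rules.
    mtr = cfg.memorized.get((server, user, library, obj))
    if mtr is not None:
        return mtr
    # 3. Object rules; user-specific before *PUBLIC (model assumption).
    for who in (user, "*PUBLIC"):
        for rule in cfg.object_rules:
            if rule.user != who or not rule.active or server not in rule.servers:
                continue
            if rule.operation not in ("*ALL", operation):
                continue
            entries = cfg.object_lists.get(rule.object_list, [])
            if any(e.matches(library, obj, obj_type) for e in entries):
                return rule.authority
    # 4. No object rule authorized the request (model assumption: deny).
    return "*REJECT"


def page_example():
    """The PAYROLL / EMPLOYEE configuration from the worked example."""
    return Config(
        object_lists={
            "PAYROLL": [ObjectListEntry("PAYROLL", "*", "*FILE")],
            "EMPLOYEE": [ObjectListEntry("PAYROLL", "EMPLOYEE", "*FILE")],
        },
        object_rules=[
            ObjectRule("EMPLOYEE", "SHAASE", "*ALL", "*ALLOW", frozenset({"*SQLSRV"})),
            ObjectRule("PAYROLL", "*PUBLIC", "*ALL", "*REJECT", frozenset({"*SQLSRV"})),
            # Constructed extra: a rule created with no servers/functions
            # (the *NONE creation style) stays *INACTIVE and has no effect.
            ObjectRule("EMPLOYEE", "JDOE", "*ALL", "*ALLOW", frozenset()),
        ],
        filter_authority={
            ("*SQLSRV", "*PUBLIC"): "*MEMOBJ",
            # Constructed placeholder server whose *PUBLIC rule is not *MEMOBJ.
            ("*OTHERSRV", "*PUBLIC"): "*ALLOW",
        },
        memorized={},
    )


if __name__ == "__main__":
    cfg = page_example()
    for user, obj in (("SHAASE", "EMPLOYEE"), ("SHAASE", "SALARY"), ("JDOE", "EMPLOYEE")):
        print(user, obj, decide(cfg, "*SQLSRV", user, "PAYROLL", obj, "*FILE", "*READ"))
```

Running the model over a planned rule set is a cheap way to confirm, before touching the live *PUBLIC filter rule, that the only path to EMPLOYEE is the one you intended and that every other file in the library falls through to *REJECT.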

The Create Object Rule (CRTOBJRUL) and Change Object Rule (CHGOBJRUL) commands also allow you to create or change an object rule.
The commands allow you to specify the location or user, the object list, the operation to which the rule applies, and whether it should be active or inactive. The data access and object access options are the same as on the Create or Change Object Rule by User/Location screens.
The Filter Rule creation style parameter allows you to specify how the *MEMOBJ filter rules will be created:
*ALLALL
Selects the *ALL function for all servers.
*SRVLIST
Allows you to specify which servers and functions are populated with *MEMOBJ filter rules. Use the Server List parameter to specify the servers and functions.
*NONE
If you don't specify any servers/functions and no *MEMOBJ filter rules already exist when the command is run, no *MEMOBJ filter rules are created and the object rule is placed in *INACTIVE status.
If you use the CHGOBJRUL command to inactivate the last active user or location rule, an additional set of parameters displays allowing you to specify how to handle any *MEMOBJ filter rules that exist at run time.
Use the Filter Rule deletion options to specify how you want Powertech Exit Point Manager for IBM i to handle the filter rules.

When you create an object rule, it creates filter rules with *MEMOBJ authority for the user or location. When you select to delete or deactivate the last active object rule for a user or location, you should review these filter rules to determine if they are still necessary.
When you select to delete the last active object rule, the Confirm Choices screen first asks you to confirm the deletion. If you confirm that you want to delete the rule, the Specify Filter Rule Options screen displays so you can specify how you want Powertech Exit Point Manager for IBM i to handle any *MEMOBJ filter rules that exist for the object rule.
You can specify the following for the filter rules depending on whether or not any memorized transactions exist for the same server, function, and user or location as the object rule you are deleting.
If Memorized Transactions exist:
This section controls what happens to the User or Location rules when memorized transactions exist.
Leave the filter rules as they are
The *MEMOBJ User or Location filter rules are not altered or removed.
Change Authority to ________ Switch profile ________
Changes the Authority on the filter rules to the value you specify. You must specify a valid Authority value. If you specify *SWITCH or *MEMSWITCH, you also must enter a Switch profile name.
Remove the filter rules
Deletes the *MEMOBJ User or Location filter rules.
If no Memorized Transactions exist:
This section controls what happens to the user or location rules when no memorized transactions exist.
Leave the filter rules as they are
The *MEMOBJ User or Location filter rules are not altered or removed.
Change Authority to ________ Switch profile ________
Changes the Authority on the filter rules to the value you specify. You must specify a valid Authority value. If you specify *SWITCH or *MEMSWITCH, you also must enter a Switch profile name.
Remove the filter rules
Deletes the *MEMOBJ user or location filter rules.

You also can use the Delete Object Rule (DLTOBJRUL) command to delete an object rule.
The command allows you to specify the location or user, the object list, and the operation for which you are deleting an object rule. You also must specify how to handle any *MEMOBJ filter rules currently in existence at run time if the rule being deleted is the last active object rule for the user or location.
The Filter Rule deletion options, for both If Memorized Trans Exist and If no Memorized Trans Exist are:
Action to take
Specify the action to take when *MEMOBJ filter rules exist for the user or location. Valid values are:
Authority
If you specified *ALTER in the Action to take field, enter the Authority value to apply to the user or location rule. Press F4 to select from a list of possible Authority values.
Switch Profile
If you entered *SWITCH or *MEMSWITCH in the Authority field, enter the name of the Switch profile. If you entered any other value in the Authority field, Switch profile must be *NONE.
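The parameter rules above (an Authority is required with *ALTER, a Switch profile is required with *SWITCH or *MEMSWITCH and must be *NONE otherwise, and the option used depends on whether memorized transactions exist) are easy to get wrong on a command line. The following Python model, added here and not part of Exit Point Manager, validates a set of deletion options and applies them to the *MEMOBJ filter rules of a user. *ALTER is the action named on the page; the action names "LEAVE" and "REMOVE", the FilterRule shape, the matching of a memorized transaction on server, function and user, and the profile SWITCHUSR are constructed for the model.

```python
"""Model of the Filter Rule deletion options applied when the last active
object rule for a user or location is deleted or inactivated.
Added example, not Powertech Exit Point Manager for IBM i code."""
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class FilterRule:
    server: str
    function: str
    user: str                 # profile name or "*PUBLIC"
    authority: str            # "*MEMOBJ", "*ALLOW", "*REJECT", "*SWITCH", "*MEMSWITCH", ...
    switch_profile: str = "*NONE"


@dataclass(frozen=True)
class DeletionOption:
    action: str               # "LEAVE", "*ALTER" or "REMOVE" (first and last are model names)
    authority: str = "*NONE"  # used only with *ALTER
    switch_profile: str = "*NONE"


def validate_option(opt):
    """Return a list of parameter errors; empty when the option is acceptable."""
    errors = []
    if opt.action not in ("LEAVE", "*ALTER", "REMOVE"):
        errors.append(f"unknown action {opt.action}")
    if opt.action == "*ALTER" and opt.authority == "*NONE":
        errors.append("*ALTER requires an Authority value")
    if opt.authority in ("*SWITCH", "*MEMSWITCH"):
        if opt.switch_profile == "*NONE":
            errors.append("Switch profile is required with *SWITCH or *MEMSWITCH")
    elif opt.switch_profile != "*NONE":
        errors.append("Switch profile must be *NONE unless Authority is *SWITCH or *MEMSWITCH")
    return errors


def apply_deletion_options(filter_rules, memorized, when_mtr_exist, when_no_mtr):
    """Return the filter rules as they stand after the options are applied.

    memorized is a set of (server, function, user) tuples for which a
    memorized transaction exists (constructed matching key).
    """
    for opt in (when_mtr_exist, when_no_mtr):
        errors = validate_option(opt)
        if errors:
            raise ValueError("; ".join(errors))
    result = []
    for rule in filter_rules:
        if rule.authority != "*MEMOBJ":
            result.append(rule)           # only *MEMOBJ rules are subject to the options
            continue
        opt = when_mtr_exist if (rule.server, rule.function, rule.user) in memorized else when_no_mtr
        if opt.action == "LEAVE":
            result.append(rule)
        elif opt.action == "*ALTER":
            result.append(replace(rule, authority=opt.authority,
                                  switch_profile=opt.switch_profile))
        # REMOVE: the rule is dropped
    return result


if __name__ == "__main__":
    # Constructed sample: keep rules backed by memorized transactions, reject the rest.
    rules = [FilterRule("*SQLSRV", "*ALL", "SHAASE", "*MEMOBJ"),
             FilterRule("*SQLSRV", "*ALL", "*PUBLIC", "*MEMOBJ")]
    out = apply_deletion_options(rules, {("*SQLSRV", "*ALL", "SHAASE")},
                                 DeletionOption("LEAVE"), DeletionOption("*ALTER", "*REJECT"))
    for r in out:
        print(r)
```

Validating both option sets before touching any rule mirrors the command's behaviour of requiring the parameters up front: a rule set should never be left half-altered because the second option turned out to be invalid.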