Appendix E: Controlling Access using Authorization Lists

Powertech Encryption for IBM i includes authorization lists that allow you to control access to the product. This feature is off by default.

The following instructions describe how to activate and configure Powertech Encryption for IBM i's authorization lists so that only authorized users are granted access to Powertech Encryption for IBM i.

PCRADMIN

Most Powertech Encryption for IBM i commands are protected by the PCRADMIN authorization list. This authorization list controls access to the product menus and commands. It is shipped with *PUBLIC *USE.

To use the PCRADMIN authorization list protection:
  1. Use the command WRKAUTL PCRADMIN to display the Work with Authorization Lists panel.
  2. Enter option 2 (Edit) for PCRADMIN to open the Edit Authorization List panel.
  3. Change the Object Authority of the *PUBLIC user to *EXCLUDE.
  4. Press F6 and specify the user profile(s) to be granted access. Set added users to at least *USE authority.

NOTE: If you set up PCRADMIN with *PUBLIC as *EXCLUDE, when a user is added as a Key Officer, the user profile is automatically added to the PCRADMIN authorization list with *USE authority. When the user is removed from the Key Officers, the profile is removed from the PCRADMIN authorization list.

To manually add a user to the PCRADMIN authorization list, use the command:

ADDAUTLE AUTL(PCRADMIN) USER(MYUSER) AUT(*USE)

NOTE: In addition to being authorized to the PCRADMIN authorization list, product administrators must also either have *SECADM special authority or be entered as a Key Officer within Powertech Encryption for IBM i.

NOTE: The backup encryption commands are not controlled by an authorization list.

PCRREPORT

The commands to print reports in Powertech Encryption for IBM i are protected by the PCRREPORT authorization list.

NOTE: A user with *ALLOBJ authority is able to run the reports without special authorization.

To use the PCRREPORT authorization list to control access to the print commands:
  1. Use the command WRKAUTL PCRREPORT to display the Work with Authorization Lists panel.
  2. Enter option 2 (Edit) for PCRREPORT to open the Edit Authorization List panel.
  3. Change the Object Authority of the *PUBLIC user to *EXCLUDE.
  4. Press F6 and specify the user profile(s) to be granted access. Set added users to *USE and Object operational authority.

To manually add a user to the PCRREPORT authorization list, use the command:

ADDAUTLE AUTL(PCRREPORT) USER(MYUSER) AUT(*USE)

Users may also need ‘Object Exists’ Object Authority. To grant this:

  1. Use the WRKAUTL PCRREPORT command to display the Work with Authorization Lists panel.
  2. Enter option 2 (Edit) for PCRREPORT to open the Edit Authorization List panel.
  3. Use F11 to display the object authority options.
  4. Mark the ‘Exist’ column with an ‘X’ to select it.
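
The panel steps in the PCRADMIN and PCRREPORT sections can also be run as commands, which is easier to script and review. This is an added example, not part of the original Powertech documentation; MYUSER is the placeholder profile used on this page, and adding the named profile before excluding *PUBLIC is an ordering chosen here.

```cl
/* Added example: command equivalent of the panel steps above.        */
/* MYUSER is the placeholder profile name used on this page.          */

/* PCRADMIN: authorize the named profile, then close *PUBLIC.         */
ADDAUTLE   AUTL(PCRADMIN) USER(MYUSER) AUT(*USE)
CHGAUTLE   AUTL(PCRADMIN) USER(*PUBLIC) AUT(*EXCLUDE)

/* PCRREPORT: same pattern for the report print commands.             */
ADDAUTLE   AUTL(PCRREPORT) USER(MYUSER) AUT(*USE)
CHGAUTLE   AUTL(PCRREPORT) USER(*PUBLIC) AUT(*EXCLUDE)

/* If the user also needs the 'Exist' authority: CHGAUTLE replaces    */
/* the entry, so list the authorities that make up *USE (*OBJOPR,     */
/* *READ, *EXECUTE) together with *OBJEXIST.                          */
CHGAUTLE   AUTL(PCRREPORT) USER(MYUSER) +
             AUT(*OBJOPR *READ *EXECUTE *OBJEXIST)

/* Verify: print the entries on each list and confirm that *PUBLIC    */
/* shows *EXCLUDE and only the intended profiles are present.         */
DSPAUTL    AUTL(PCRADMIN)  OUTPUT(*PRINT)
DSPAUTL    AUTL(PCRREPORT) OUTPUT(*PRINT)

/* Verify: print the objects each list secures, to see which          */
/* commands and menus the lockdown actually covers.                   */
DSPAUTLOBJ AUTL(PCRADMIN)  OUTPUT(*PRINT)
DSPAUTLOBJ AUTL(PCRREPORT) OUTPUT(*PRINT)
```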