General IBM i Security System Values

The general security-related system values provide a variety of system-level security functions.

The Allow Restoring of Security-Sensitive Objects security system value, QALWOBJRST, determines whether objects that are security-sensitive are allowed to be restored to the system. Use it to prevent anyone from restoring a system state object or an object that adopts authority. To view this value, enter the command DSPSYSVAL SYSVAL(QALWOBJRST). The default value of *ALL will let any object, including security-sensitive objects, to be restored by a user with the appropriate authority. Entering the value of *NONE will prevent restoration of either system state objects or programs that adopt authority. To allow users to restore system state objects, but not programs that adopt authority, we issue the command CHGSYSVAL SYSVAL(QALWOBJRST) VALUE(*ALWSYSSTT). To allow restoration of programs that adopt authority, but not system state objects, we run the command CHGSYSVAL SYSVAL(QALWOBJRST) VALUE(*ALWPGMADP).

The Create Authority system value, QCRTAUT, specifies the default public authority. Any new public object created with the authority set to *SYSVAL, which is the default, will reference the value set in QCRTAUT. The default value for the QCRTAUT system value is *CHANGE. To view the current value, we issue the command DSPSYSVAL SYSVAL(QCRTAUT). Security auditors may ask for the QCRTAUT value to be set to *USE, which allows users to view, but not change, newly created objects. Be aware that existing objects are unaffected by a change to the QCRTAUT value.

Setting the QALWOBJRST security system value to *NONE allows us to have maximum control over the restoration of system state objects and programs that adopt authority. Note, however, that before installing a new licensed product, applying PTFs, or recovering the system, we should change the QALWOBJRST system value to *ALL. Otherwise, those operations may fail. Setting QALWOBJRST to the *ALWPTF value would allow restoring security-sensitive objects as part of a PTF, but reports from the field indicate that this does not always work as intended.

The Remote Sign-on Value, QRMTSIGN, determines how our system handles any automatic passthrough request that it receives. The default value for QRMTSIGN is *FRCSIGNON, which requires the user to go through the normal sign on procedure when accessing the IBM i remotely. To allow the bypass signon feature for IBM’s Client Access software, we should set QRMTSIGN to *VERIFY. If the value is not set to *VERIFY, we will not be able to bypass the sign on display. Note that automatic passthrough requests must contain a valid user profile and the valid password for that profile.

The Limit Device Sessions security system value, QLMTDEVSSN, determines if a user can have more than one workstation occurring at one time. A value of 0 allows a user profile to work at more than one workstation simultaneously. The initial value for QLMTDEVSSN is 0, which allows users to sign on to more than one device. To limit users to only one session, we issue the command CHGSYSVAL SYSVAL(QLMTDEVSSN) VALUE(‘1’).

The Inactive Job Time-out Interval system value, QINACTITV, controls the inactive job time-out interval. The initial value is *NONE. We can set the value to any length of time between 5 and 300 minutes. Note that FTP jobs are not covered under this system value.

The Allow User Domain Objects in These Libraries system value, QALWUSRDMN, specifies which libraries allow user domain objects to be located in them. User domain objects include those of type User Index, *USRIDX, User Queue, *USRQ, and User Space, *USRSPC. The default value for QALWUSRDMN is *ALL; removing *ALL requires the definition of the libraries that we want to allow user domain objects to be created in, such a list must include QTMP. It might also be a good idea to include library QRPLOBJ.

The Automatic Virtual Device Creation system value, QAUTOVRT, controls the number of virtual devices configured for pass-through in a remote communications environment. A virtual device is simply a device description that does not have hardware associated with it. To allow the maximum number of virtual devices to be created, we use the special value *NOMAX and issue the command CHGSYSVAL SYSVAL(QAUTORVT) VALUE(*NOMAX).

UBD (Universal Backup Device) is a backup appliance that plugs into your IBM i and appears as a tape device

General IBM i Security System Values