Object Rules

IBM defines an object as a named storage space that consists of a set of characteristics that describe it and its data. Thus, an object is anything that occupies space in storage, and on which you can perform operations. Examples of objects include programs, files, libraries, folders, and IFS directories and files. Network Security allows you to define authority rules to control access at the object level.

You can set rules for libraries and the objects in them, or an IFS path. These rules can be specific to a user (or *PUBLIC) or location and contain the object library, name, and type. Using an object rule, you can define access to both the object and the data contained within the object.

Object rules allow you to specify the operation that the rule allows (*ALL, *CREATE, *READ, *UPDATE, or *DELETE), and the action to take (*REJECT, *OS400, *SWITCH) for data access and object access. Thus, you can define an object rule for a specific user or location, for a specific object, and for a specific type of access. In addition, you can specify values for auditing, capturing transactions, and messaging in your object rules.

Setting rules at the object level provides a different measure of control than setting rules at the user or location levels. For example, you can set one object rule to restrict all users and locations from accessing a specific file (such as payroll) instead of setting multiple rules at the user or location levels to control access.

Object Rules and Network Security

There is a close relationship between rules in Network Security. Object rules need *MEMOBJ filter rules to trigger them. When you define an object rule, you select the servers and functions that will enforce the rule. This creates the *MEMOBJ Authority filter rules for the user or location object rule. The *MEMOBJ Authority filter rule tells Network Security to check memorized transactions (MTR) for authority. If no MTR authority is found, it then checks the transaction against the object rules.

Whenever any rule changes, Network Security manages the relationships between the filter rules, object rules, and memorized transactions.

If there are no filter rules with *MEMOBJ authority that refer to a particular active object rule, that object rule is set to *INACTIVE by the system.

NOTE: When there are no more active object rules for a given user or location, you should remove or modify the filter rules for that user or location. When you select to deactivate (for example, by changing or deleting) the last active object rule for a user or location, Network Security asks you to select how to handle the filter rules that are in place. If you use a command (such as CHGOBJRUL or DLTOBJRUL), you must specify command parameters that define how to handle the filter rules in case they are needed at run time during command processing.

Object Rules and the Remote Command Server

The Remote Command server has some unusual properties. The server only recognizes and reports on object type *CMD, and does not supply any other object type to the server. This means Network Security cannot identify any other object type to apply to the object rule. Remote Command server Object Rules will not work unless they are for the command itself.

Example:

The following remote command issued from a DOS prompt:

RMTCMD CRTLIB TESTLIB //mysystem

will work if the object rule is for CRTLIB (type *CMD). It will not work for TESTLIB (type *LIB).

Managing object lists

ClosedTo create an object list
  1. From the Navigation Pane, click Object Lists.
  2. Choose Add. The New Object List screen appears.
  3. Enter the Name and Description, then, for Select Object Type, select whether you want to create a list of IFS objects (ISF Path) or native objects (Native Objects).
  4. Enter the IFS Path or Native Object Library, Name, and Type (see New Object List screen for more details).
  5. If you would like to add an additional IFS Path or Native Object to the list, click Add IFS Path or Add Native Object, respectively, and enter the object's path or library/name/type. Repeat for additional objects.
  6. Choose Save to create the Object List. You can now specify this Object List in an Object Rule.
ClosedTo rename an object List
  1. On the Object Lists screen, select an Object List.
  2. Change the Name and Description as desired and clickSave.

Creating Rules for Object Lists

You can create rules to control access to the objects listed in an object list from the Object Rules screen. Creating a rule adds filter rules for the user or location specified for the rule.

ClosedTo create rules for an object list
  1. From the Navigation Pane, click Object Rules.
  2. Choose Add. The New Object Rule screen appears.
  3. Specify the User/Location, Object List, Operation, and Data/Object authority. See New Object Rule screen for details.

    New Object Rule screen

    In this example of a User Object Rule, Bob is restricted from performing all operations on objects in the PAYROLL object list.

  4. For Active, choose Yes to activate the Object Rule.
  5. Next, specify which systems should enforce this rule. After "Select which systems to save to", check the desired systems. Or, choose Select All to enforce the Object Rule on all managed systems.
  6. Click Add Server > Function if you would like the Object Rule to apply to specific functions. Choose the server and function, then repeat for any additional server functions.
  7. Choose Save to create the object rule. *MEMOBJ rules are generated based on your selections. 

    Existing *MEMOBJ are listed at the bottom of the Edit Object Rules screen.

    On the Rules Screen, object rules are indicated with the authority *MEMOBJ.

Example: Blocking access to a library while allowing a specific user to access a specific file within that library

In this example, we will block access to all files in the library PAYROLL but still allow user SHAASE to access the EMPLOYEE file within that library.

To block access using this method, you must change the *PUBLIC rule for *SQLSRV to *MEMOBJ. This instructs Network Security to consult Object Lists to determine access control. Additional Object Lists will need to be created to authorize access to other objects and libraries using *SQLSVR.

ClosedTo change the *PUBLIC rule for *SQLSRV to *MEMOBJ:
  1. Select Rules on the Navigation Pane.
  2. Click  and select the following filter options:
    • Sort By: User/Location
    • Filter By: User Rules
  3. Click to dismiss the sort/search/filter options.
  4. In the search box, type "*SQLSRV" and open the existing *SQLSRV > *ALL *PUBLIC rule.
  5. Click Select for Authority and choose *MEMOBJ.
  6. Select Save.
ClosedCreate an Object List to block access to all files in the library.
  1. Select Object Lists on the Navigation Pane.
  2. Choose Add.
  3. Create the Object List PAYROLL that includes the object PAYROLL using the following values:
    • Name = PAYROLL
    • Description = [*Enter description here*]
    • Select Object Type = Native Object

      Objects

    • Native Object Library = PAYROLL
    • Native Object Name = PAYROLL
    • Native Object Type = *FILE

  4. Choose the systems this Object List should be added to.

  5. Click Save to return to the Object List page.
ClosedCreate another Object List to allow user access to the file EMPLOYEE.

  1. Choose Add.

  2. Create the Object List EMPLOYEE that includes the object EMPLOYEE using the following values:

    • Name = EMPLOYEE
    • Description = [*Enter description here*]
    • Select Object Type = Native Object

      Objects

    • Native Object Library = PAYROLL
    • Native Object Name = EMPLOYEE
    • Native Object Type = *FILE

  3. Click Save to return to the Object List page.

ClosedGive user SHAASE access to the EMPLOYEE Object List.
  1. Select Object Rules on the Navigation Pane.
  2. Choose Add.
  3. Create a new User Object Rule using the following values:
    • Rule Type: User
    • User = SHAASE
    • Object List = EMPLOYEE
    • Operation = *ALL
    • Object Authority = *OS400
    • Data Authority = *OS400
    NOTE: Make sure Active is set to Yes checked before saving.
  4. Specify which systems you would like this rule enforced.
  5. Choose Add Server > Function and select *SQLSRV, then *ALL.
  6. Click Save to return to the Object Rules page.
ClosedBlock user *PUBLIC access to the PAYROLL Object List.

  1. Click Add > New User Object Rule.

  2. Create a new User Object Rule using the following values:

    • User = *PUBLIC
    • Object List Name = PAYROLL
    • Operation = *ALL
    • Object Authority = *OS400
    • Data Authority = *REJECT
    NOTE: Make sure Active is checked before saving.

  3. Choose Continue.

  4. Select *SQLSRV, then *ALL.

  5. Click Save to return to the Object Rules page.

Now, only the user SHAASE will have access to the EMPLOYEE file in the library PAYROLL. Access to all other files in PAYROLL will be blocked.

 

Copyright © HelpSystems, LLC.
All trademarks and registered trademarks are the property of their respective owners.
7.15 | 201709140431