System Values


System values (*SYSVAL) are AS/400 attributes that let each installation customize the machine to the organization's needs. Some system values control system performance; others define the security level; others simply supply defaults for command parameters that are left unspecified.

Note: the iSeries has some 150 system values in total (the exact number varies by release). A system value is displayed with DSPSYSVAL and changed with CHGSYSVAL; WRKSYSVAL lists them all.

A few of the system values:
QMODEL - Holds the system model number; cannot be changed.
QSRLNBR - Holds the preloaded system serial number; cannot be changed.
QMAXSIGN - Specifies how many consecutive invalid sign-on attempts are allowed before the QMAXSGNACN action is taken (1 to 25, or *NOMAX for no limit).
QMAXSGNACN - Specifies the action taken when the QMAXSIGN limit is reached: 1 varies off the device, 2 disables the user profile, 3 does both.
QSECURITY - Holds the system security level; valid levels are 10, 20, 30, 40 and 50 (see the next section; level 10 is no longer supported).

The system value QTIME contains the system time of day on a 24-hour clock. It is made up of three other system values: QHOUR, QMINUTE and QSECOND.

The system value QCURSYM determines the currency symbol, which is country dependent; for example, the yen, lira, franc, and dollar use different symbols.

The original page presented the complete list of system values as four images, which are not reproduced here. (On the system itself the full list is available through WRKSYSVAL SYSVAL(*ALL).)

AS400 System Security Levels


Level 10: No password - No user authentication and no resource protection; no password is required to sign on. This level is no longer supported (discontinued in OS/400 Version 4, Release 2).

Level 20: Password - User authentication through user profile and password checking, but no resource protection: at this level every user profile receives *ALLOBJ special authority by default, so any signed-on user can access any object.


(Resource security means object security that provides protection for system objects like programs, files, and libraries, and the data within these objects.)

Level 30: Password and Resource - User authentication and resource protection. Users require authority to access objects.

Level 40: Password, Resource and Operating System Integrity - User authentication, resource protection, and machine interface protection.

Level 50: Password, Resource and enhanced Operating System Integrity - User authentication, resource protection and machine interface protection with additional integrity checks. Security level 50 is intended for AS/400 systems with high security requirements and to meet C2 security requirements.


Systems are shipped with QSECURITY set to 40. The level applies to the whole system and cannot be set per user, and a change to QSECURITY takes effect at the next IPL. Level 40 is the recommended setting for a secure iSeries machine, particularly for sites with complex processing that includes non-IBM system interfaces, network connectivity and processing of external tapes. Level 50 is more secure still, but going from 40 to 50 costs a 5 to 15 percent performance decrease, and level 40 provides an adequate level of security for typical companies.
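To turn the system values and security levels above into a repeatable check, here is an added example (not code from the original page) that audits QSECURITY, QMAXSIGN and QMAXSGNACN from a dump of system values. The "NAME VALUE" line format it parses is a convenience for the script, not the output layout of DSPSYSVAL or WRKSYSVAL; the threshold of five sign-on attempts is an assumption (the page only says a limit should exist; IBM ships QMAXSIGN as 3); and the two sample dumps are constructed.

```python
"""Audit security-relevant IBM i (AS/400) system values.

Added example; not code from the original page. Input format ("NAME VALUE"
per line) is a convenience for this script, not the output layout of
DSPSYSVAL or WRKSYSVAL. The sample dumps below are constructed.
"""

# Meaning of QMAXSGNACN: 1 = vary off the device only, 2 = disable the user
# profile only, 3 = disable both the device and the user profile.
QMAXSGNACN_MEANING = {"1": "device only", "2": "user profile only",
                      "3": "device and user profile"}


def parse_sysval_dump(text):
    """Parse constructed 'NAME VALUE' lines into a dict (blank lines skipped)."""
    values = {}
    for line in text.splitlines():
        parts = line.split(None, 1)
        if len(parts) == 2:
            values[parts[0].upper()] = parts[1].strip()
    return values


def audit_system_values(values, max_signon_attempts=5):
    """Return a list of findings; an empty list means nothing to report.

    max_signon_attempts is an assumed threshold, not a value from the page.
    """
    findings = []

    level = values.get("QSECURITY")
    if level is None:
        findings.append("QSECURITY: missing from dump")
    elif level == "10":
        findings.append("QSECURITY=10: no password required; level is no longer supported")
    elif level == "20":
        findings.append("QSECURITY=20: password only, no resource protection "
                        "(every profile gets *ALLOBJ by default)")
    elif level == "30":
        findings.append("QSECURITY=30: no operating system integrity protection; "
                        "recommended minimum is 40")

    attempts = values.get("QMAXSIGN")
    if attempts is None:
        findings.append("QMAXSIGN: missing from dump")
    elif attempts.upper() == "*NOMAX":
        findings.append("QMAXSIGN=*NOMAX: unlimited invalid sign-on attempts")
    elif attempts.isdigit() and int(attempts) > max_signon_attempts:
        findings.append(f"QMAXSIGN={attempts}: more than {max_signon_attempts} "
                        "invalid attempts allowed")

    action = values.get("QMAXSGNACN")
    if action is None:
        findings.append("QMAXSGNACN: missing from dump")
    elif action == "1":
        findings.append("QMAXSGNACN=1: only the device is varied off; "
                        "the user profile stays enabled")
    elif action not in QMAXSGNACN_MEANING:
        findings.append(f"QMAXSGNACN={action}: unrecognised value")

    return findings


# Constructed sample dumps (not captured from a real system).
WEAK_DUMP = """\
QSECURITY   20
QMAXSIGN    *NOMAX
QMAXSGNACN  1
"""

HARDENED_DUMP = """\
QSECURITY   40
QMAXSIGN    3
QMAXSGNACN  3
"""

if __name__ == "__main__":
    for label, dump in (("weak", WEAK_DUMP), ("hardened", HARDENED_DUMP)):
        findings = audit_system_values(parse_sysval_dump(dump))
        print(f"{label}: {findings or 'no findings'}")
```

The QMAXSGNACN check is the one most often overlooked: with action 1 a lockout only varies off the device, so an attacker can simply move to another session and continue guessing the same profile.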

User Classes


There are five user classes. They represent different roles in the AS/400 environment and are a convenient way of assigning the special authorities listed below to types of users: when a profile is created with SPCAUT(*USRCLS), its class determines its default special authorities, and those defaults also depend on the system security level. The classes are commonly described as hierarchical, and *SECOFR does include everything *SECADM has, but the defaults are not strictly nested: at security level 30 and above, *SECADM receives only *SECADM by default while *SYSOPR receives *JOBCTL and *SAVSYS. The five user classes are:

1. *SECOFR     Security Officer

Security officer: creates and manages user profiles, manages and monitors the system security configuration, and reviews past security-relevant events. The security officer has full access to the system.

2. *SECADM     Security Administrator

Security administrator: performance tuning, system upgrades, installation and configuration of third-party applications, management of the third-party job scheduler, TCP/IP configuration, WebSphere configuration, LPAR configuration and management.

3. *PGMR     Programmer

Programmer: writes and updates application code, tests code, debugs production issues, fixes programming defects.

4. *SYSOPR     System Operator

Operator: performs backups, submits routine batch jobs, runs nightly processing jobs, restores libraries as necessary, monitors system messages, works with printed output.

5. *USER    End User

End user: runs the applications; receives no special authorities by default at security level 30 and above.

Authorities

In AS/400 terminology, an authority is the permission to access an object. The object owner and the security officer (or other *ALLOBJ users) can grant or revoke authority to an object. 

Special Authorities
All security systems have special user privileges for certain security and system administration functions. On the AS/400, special authorities allow certain users to administer security and system tasks. There are eight of them, and they are independent of one another (not hierarchical).

*ALLOBJ     All-object authority: grants access to every object on the system regardless of the object's own authorities

*AUDIT     Allows the user to configure and perform auditing functions

*JOBCTL     Allows the user to manage jobs, job queues, output queues, spooled files and writers, to end subsystems and to perform an IPL

*SAVSYS     Allows the user to save and restore the system and its data without explicit authority to the objects

*SECADM     Allows administration of user profiles and office objects

*SERVICE     Allows access to special service functions (such as SST) for problem diagnosis

*SPLCTL     Allows control of all spooled files and output queues, regardless of the user's authority to them

*IOSYSCFG     Allows changes to the system's I/O and communications configuration
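As an added example (not code from the original page) covering both the user classes and the special authorities above, the following Python encodes the default special authorities by user class and security level as IBM documents them, and checks a list of profiles for special authorities beyond their class default. The profile records are constructed sample data, not DSPUSRPRF output. The table also shows why level 20 gives no resource protection: at levels 10 and 20 even *USER receives *ALLOBJ by default.

```python
"""Default special authorities by user class and security level.

Added example; not code from the original page. The default table is the one
IBM documents for profiles created with SPCAUT(*USRCLS); the profile records
below are constructed, not captured with DSPUSRPRF.
"""

SPECIAL_AUTHORITIES = ("*ALLOBJ", "*AUDIT", "*IOSYSCFG", "*JOBCTL",
                       "*SAVSYS", "*SECADM", "*SERVICE", "*SPLCTL")

LOW_LEVELS = (10, 20)              # levels without resource protection
ALL_LEVELS = (10, 20, 30, 40, 50)

# For each class: special authority -> security levels at which it is granted
# by default. *SECOFR gets all eight at every level.
DEFAULTS = {
    "*SECOFR": {a: ALL_LEVELS for a in SPECIAL_AUTHORITIES},
    "*SECADM": {"*ALLOBJ": LOW_LEVELS, "*JOBCTL": LOW_LEVELS,
                "*SAVSYS": LOW_LEVELS, "*SECADM": ALL_LEVELS},
    "*PGMR":   {"*ALLOBJ": LOW_LEVELS, "*JOBCTL": LOW_LEVELS,
                "*SAVSYS": LOW_LEVELS},
    "*SYSOPR": {"*ALLOBJ": LOW_LEVELS, "*JOBCTL": ALL_LEVELS,
                "*SAVSYS": ALL_LEVELS},
    "*USER":   {"*ALLOBJ": LOW_LEVELS, "*SAVSYS": LOW_LEVELS},
}


def default_special_authorities(user_class, security_level):
    """Special authorities a profile of user_class gets by default at security_level."""
    if security_level not in ALL_LEVELS:
        raise ValueError(f"unknown security level {security_level}")
    table = DEFAULTS[user_class]
    return frozenset(a for a, levels in table.items() if security_level in levels)


def class_is_superset(higher, lower, security_level):
    """True if the 'higher' class's defaults include all of the 'lower' class's."""
    return (default_special_authorities(higher, security_level)
            >= default_special_authorities(lower, security_level))


def excess_special_authorities(profiles, security_level):
    """Map profile name -> special authorities held beyond the class default.

    profiles is an iterable of (name, user class, special authorities held).
    """
    excess = {}
    for name, user_class, held in profiles:
        extra = frozenset(held) - default_special_authorities(user_class, security_level)
        if extra:
            excess[name] = extra
    return excess


# Constructed sample profiles: (profile, user class, special authorities held).
SAMPLE_PROFILES = [
    ("QSECOFR", "*SECOFR", SPECIAL_AUTHORITIES),
    ("OPER1", "*SYSOPR", ("*JOBCTL", "*SAVSYS")),
    ("DEV1", "*PGMR", ("*ALLOBJ",)),       # a programmer carrying *ALLOBJ
    ("CLERK1", "*USER", ()),
]

if __name__ == "__main__":
    for level in (20, 40):
        print(f"level {level}: *USER gets", sorted(default_special_authorities("*USER", level)))
        print(f"level {level}: excess", excess_special_authorities(SAMPLE_PROFILES, level))
```

Run at level 40 the check flags DEV1, whose *ALLOBJ is not part of the *PGMR default; run at level 20 it flags nobody, because at that level *ALLOBJ is the default for every class, which is exactly what "no resource protection" means.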

Specific authorities     
Specific authorities are further divided into 2 types.   
1.    Object Authorities
2.    Data Authorities

It is important to understand the difference between authority to an object and authority to the data in the object. Operations such as moving, renaming, saving, or deleting apply to the object as such. It is possible to have authority for these operations without having access to the data stored in the object. Likewise, one can have full access (read, write, update, delete, execute) to the data in an object without having full authority to manipulate the whole object.


1.    Object Authorities:
There are six object authorities on the AS/400:
a.    *OBJOPR        ( Object Operational )
b.    *OBJEXIST        ( Object Existence )
c.    *OBJMGT        ( Object Management )
d.    *OBJALTER        ( Object Alteration )
e.    *AUTLMGT        ( Authorization List Management )
f.    *OBJREF        ( Object Reference )

2.    Data Authorities:
There are five data authorities on the AS/400:
a.    *READ        ( Read Data )
b.    *ADD            ( Add Data )
c.    *DLT            ( Delete Data )
d.    *UPD            ( Update Data )
e.    *EXECUTE        ( Run a Program )

The following authorities are independent (not hierarchical). For some operations a combination of authorities is required:

*OBJOPR:     Object operational authority controls the use of an object and the ability to look at its description. It is needed to open a file and is therefore usually granted together with the desired data authorities.

*OBJMGT:     Object management authority controls the move, rename and change-attribute functions for the object, and the granting and revoking of authority to it for other users or groups.

*OBJEXIST:     Object existence authority controls the delete, save, restore and transfer-ownership operations on an object.

*AUTLMGT:     Authorization list management authority is needed to manage the contents of an authorization list associated with the object. It is a specialized authority that is not usually grouped with the other object authorities and is not part of any of the system-defined authorities below.

*OBJALTER:     Object alter authority is needed to alter the attributes of database files and to change the attributes of SQL packages.

*OBJREF:     Object reference authority is needed to specify a database file as the parent (first level) in a referential constraint.

*READ:     Controls the ability to read data from the object.

*ADD:     Controls the ability to insert a new entry (such as a new record in a file) into the object.

*UPD:     Controls the ability to modify existing entries in the object.

*DLT:     Controls the ability to remove existing entries (for example, records) from the object. Deleting the whole object requires *OBJEXIST, not *DLT.

*EXECUTE:     Controls the ability to run a program, service program or SQL package, and to locate an object in a library or directory.

Some common combinations of specific authorities have been given names as an abbreviated form; these are the system-defined authorities:

*ALL         All object and data authorities (*OBJOPR, *OBJMGT, *OBJEXIST, *OBJALTER, *OBJREF, *READ, *ADD, *UPD, *DLT, *EXECUTE): unlimited access to the object and its data.

*CHANGE     *OBJOPR plus all five data authorities: unlimited access to the data in the object, but the object itself cannot be deleted, renamed or re-authorized.

*USE         *OBJOPR, *READ and *EXECUTE: data in the object can be read and programs can be run.

*EXCLUDE     No authority at all: denies access to the object and its data. Because it is an explicit authority, a private *EXCLUDE for a user takes precedence over that user's group authority and over the public authority (only *ALLOBJ special authority overrides it).

*PUBLIC Authority
Public authority is the default authority for an object. It is used when the user has no private authority to the object, is not on the authorization list (if one is attached to the object), and none of the user's group profiles has authority to the object. Because it is the fallback for everyone else, the public authority of sensitive objects should be *EXCLUDE, with access granted through private or group authority or an authorization list.
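To make the composition of the system-defined authorities and the lookup order above concrete, here is an added example (not code from the original page): a small Python model of object and data authorities with an authorization check. The membership of *USE, *CHANGE and *ALL is as IBM documents it; the operation-to-authority table is a simplified reading of the descriptions on this page rather than the per-command table in the IBM i Security Reference; the lookup order (user's private authority, user's authorization list entry, group, public) is the one given above and leaves out details of the real algorithm; the payroll file and the users are constructed.

```python
"""Model of IBM i object/data authorities and the authority lookup order.

Added example; not code from the original page. System-defined authority
composition follows IBM's documentation; the REQUIRED table is a simplified
reading of this page, not the exact per-command list; the lookup order is the
one the page gives (private -> authorization list -> group -> public) and
omits details of the real algorithm. Sample objects and users are constructed.
"""

OBJECT_AUTHORITIES = frozenset({"*OBJOPR", "*OBJMGT", "*OBJEXIST", "*OBJALTER", "*OBJREF"})
DATA_AUTHORITIES = frozenset({"*READ", "*ADD", "*UPD", "*DLT", "*EXECUTE"})

# System-defined authorities as sets of specific authorities (*AUTLMGT is in none).
SYSTEM_DEFINED = {
    "*ALL": OBJECT_AUTHORITIES | DATA_AUTHORITIES,
    "*CHANGE": frozenset({"*OBJOPR"}) | DATA_AUTHORITIES,
    "*USE": frozenset({"*OBJOPR", "*READ", "*EXECUTE"}),
    "*EXCLUDE": frozenset(),
}

# Authorities an operation needs (simplified from the page's descriptions).
REQUIRED = {
    "read records": {"*OBJOPR", "*READ"},
    "add records": {"*OBJOPR", "*ADD"},
    "update records": {"*OBJOPR", "*UPD"},
    "delete records": {"*OBJOPR", "*DLT"},
    "run program": {"*OBJOPR", "*EXECUTE"},
    "rename object": {"*OBJMGT"},
    "delete object": {"*OBJEXIST"},
}


def expand(authority):
    """Turn '*USE', '*CHANGE', ... or an iterable of specific authorities into a frozenset."""
    if isinstance(authority, str):
        return SYSTEM_DEFINED[authority] if authority in SYSTEM_DEFINED else frozenset({authority})
    return frozenset(authority)


class SecuredObject:
    def __init__(self, public, private=None, autl=None):
        self.public = expand(public)                                 # *PUBLIC on the object
        self.private = {u: expand(a) for u, a in (private or {}).items()}
        self.autl = {u: expand(a) for u, a in (autl or {}).items()}  # authorization list entries


class User:
    def __init__(self, name, groups=(), special=()):
        self.name, self.groups, self.special = name, tuple(groups), frozenset(special)


def effective_authority(user, obj):
    """First authority found wins: user private, user's autl entry, then the
    union of the groups' entries, then public (autl *PUBLIC if present)."""
    if user.name in obj.private:
        return obj.private[user.name]
    if user.name in obj.autl:
        return obj.autl[user.name]
    group_auth, found = frozenset(), False
    for g in user.groups:
        if g in obj.private:
            group_auth, found = group_auth | obj.private[g], True
        elif g in obj.autl:
            group_auth, found = group_auth | obj.autl[g], True
    if found:
        return group_auth
    return obj.autl.get("*PUBLIC", obj.public)


def is_authorized(user, obj, operation):
    """*ALLOBJ special authority short-circuits; otherwise the effective
    authority must contain everything the operation requires."""
    if "*ALLOBJ" in user.special:
        return True
    return REQUIRED[operation] <= effective_authority(user, obj)


# Constructed sample: a payroll file with public *USE, one clerk explicitly
# excluded, and a group authorized to change data via an authorization list.
PAYROLL = SecuredObject(public="*USE",
                        private={"CLERK2": "*EXCLUDE"},
                        autl={"PAYGRP": "*CHANGE"})

if __name__ == "__main__":
    for u in (User("CLERK1"), User("CLERK2", groups=["PAYGRP"]),
              User("PAY1", groups=["PAYGRP"]), User("QSECOFR", special=["*ALLOBJ"])):
        print(u.name, {op: is_authorized(u, PAYROLL, op) for op in REQUIRED})
```

CLERK2 is the case worth noticing: the private *EXCLUDE is found first, so the group's *CHANGE and the public *USE are never consulted, which is the behaviour the *EXCLUDE entry above describes.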