Working With IFS Security

By Rich Loeber,

For years, IBM’s i/OS provided robust security for its native file system.  For some of us who’ve been around for a while, this has been all we’ve known on our systems.  But, these days, more and more applications and users are working with the other non-native file systems that are collectively known as the Integrated File System, or IFS.  IBM’s i/OS provides the same level of security in the IFS, but the commands to review items in the IFS and a lot of the terminology is different from what the “natives” may expect to see.  This article will attempt to scratch the surface of this issue by explaining how you can view the IFS directories and files from your i/OS command line and how to interpret the security settings used in the IFS.

The main command that you need to start with is the “Work with Object Links” command (WRKLNK).  These “links” can take several different types, the most common of which are directories (DIR) and stream files (SMTF).  If you thought about this from a PC perspective, these would correspond to disk directories and files.

If you use the WRKLNK command with no parameters, a complete list of all of the top level directories in the IFS (the root) will be displayed.  This display will let you explore the entire IFS on your system, including the “native” file system which will be included under the QSYS.LIB file system.  If you want to go directly to a specific directory, you can do so with a qualified OBJ selection parameter.  For example:

WRKLNK OBJ(‘/qdls/kisco’)

On our test system here, we have a directory in the shared folders file system named KISCO.  The shared folders system is found in the QDLS file directory.  Running the above command gets us straight to this folder without having to spend time searching.

To check on the security setting for an displayed object, just put a ‘9′ next to that object.  This will bring up a Work With Authority display and will give you all of the security information about the object selected.  This will include the owner, any applicable authorization list, any public authorization settings and a list of user profiles that are authorized to the object.  If you want to print this information for an off-line review (or for security documentation), you can use the Display Authority command (DSPAUT).

Data authority in the IFS is described by a series of letter codes which, in combination, will describe the authorities in place.  The applicable access letter codes are as follows:

R – Gives access to object attributes (think READ)
W – Gives access to the object for change (think WRITE)
X – Allows the object to be used (think USE)

You will see these codes in combination or singly (preceded by the ever present *), depending on the authorities implemented.  For example, if full authority is being granted, then you will see the *RWX authority setting displayed.  Specific object authorities are also displayed on this screen.  You can use this screen to make changes and to check on specifics for any object shown by placing a ‘2′ next to the line in question and making updates.

So, if you’ve never (or rarely) considered what’s going on in the IFS on your system, now is the time to get started and the WRKLNK command gives you are very good starting point.

Comments are closed.