Kisco Systems

IBM i Security Tips

Home : Blog : Security Levels for IBM i

Security Levels for IBM i

By Rich Loeber

Your IBM i has a long tradition of boasting about tight security, but is that really true for your installation?

Your very first and probably most basic decision about security on your system is found in the setting for the QSECURITY system value. You can see your current security level setting by running the "Display Security Attributes" (DSPSECA) command. One of the items on the display will be your current QSECURITY level setting.

IBM i supports five settings from the value '10' through '50'. On more recent versions of IBM i, level '10' has been thankfully retired and is no longer available. Here, in summary form, is what you get at each level:

  • Level 10 - No security at all. Anyone can signon to a terminal session and no passwords are required. (Is it any wonder that this level has been retired?)
  • Level 20 - Signon password security. Once logged on, all users have access to all objects on the system. This was, at one time, the default setting when your system was shipped from the factory.
  • Level 30 - Adds object authority to the above. This level requires some object level access planning and implementation.
  • Level 40 - Adds integrity protection features to the above. This is now the default setting shipped from the factory. At this level, the system enforces the user domain as separate from the system domain. Program requests that cross this border using unapproved interfaces are disallowed.
  • Level 50 - Adds additional integrity protection features and is intended to meet the US Department of Defense "C2" security requirements. In addition to level 40 controls, certain user objects are restricted, certain messaging options are controlled, modifications to internal control blocks are restricted and changes to the way the QTEMP library is processed.

If you are installing a new IBM i system, your options are wide open and you should choose the highest setting that will work for you. Using the recommended level of 40 that comes from the factory is an excellent starting point. Before you settle on this level, however, you should check with any third party software companies whose software you will be using to make sure that their software will run OK at level 40. Some older IBM i products "misbehave" by using older, now illegal, hooks into the OS.

Level 30 can be used if you have software conflicts that prevent you from implementing level 40. You should plan how to implement object access controls, starting with controlling access to libraries and then moving down. Maintenance of object level access controls can be greatly simplified through judicious use of IBM i Group Profiles. You can break up your user community into logical groupings, create a group profile for each set and then implement your access controls on the group profiles rather than coding controls for each individual user profile. Care should be taken when dealing with the special group profile *PUBLIC as this can easily overrule your best planning efforts.

Level 20 should NEVER be used in normal situations, and level 50 should only be used when you have the specific requirements called for by the C2 standard.

So, what do you do if you're in charge of a legacy system that is set to level 20 or 30 and you're sure that you need better controls?

Moving from level 30 and higher is fairly easy and just requires that you make the change to the system value and perform an IPL. If you are uncertain about your third party software, you can activate audit logging for a few weeks before you make the change and then review the logs to see if there are any potential problems at level 40 or 50.

If you are at level 20, the move to level 30 can be overwhelming. There are many legacy systems that have this as an issue. These systems previously relied on application security and menu controls as their primary safeguards. With the implementation of network server access, this is a security weakness for these systems. If your concern is due to network connections to your system, you might want to consider implementing a third party network security solution, such as SafeNet/i from Kisco Information Systems. These products can give you immediate control over network connections to your system without impairing your ability to service your user community.

You can find more information about this topic in the IBM i manual "Security - Reference" - SC41-5302. If you have specific questions about this topic, you can reach me at rich at kisco.com, All email messages will be answered.