Kisco Systems

Kisco U

Controlling adopted authority


IBM i programs have an attribute, set when they are compiled, that controls which user profile is used for authority checking when the program runs. Programs compiled with the USRPRF attribute set to *OWNER are a potential security risk.

The USRPRF parameter on most program compilation commands defaults to *USER on most systems. Programs compiled with the *USER setting rely on your object security configuration to provide access control. When this parameter is changed to *OWNER, access controls are based on the owner of the compiled *PGM object and not on the user profile of the person who is running the *PGM object.

This situation is called adopted authority. There are lots of good reasons why you would want to do this. For example, consider a backup program that is run by a night operator. You may not want your night operator's user profile to have all object authority, so you compile the backup program under a user profile that does have all object authority, with the USRPRF parameter set to *OWNER. While the backup is running, it has access to the objects needed to complete the backup, but the night operator profile is still restricted. A lot of third-party software developers use this technique to make sure that their programs can run without authority problems.

To make sure that your security is not being compromised by adopted authority issues, you should do a periodic review of programs that use this technique.

  • Identify user profiles that have all object authority:


    This will create a temporary physical file named USRPRF in your QTEMP library.
  • Scan this file for the value *ALLOBJ in the first 7 positions of the field designated as UPSPAU.
  • Use DSPPGMADP on these profiles. At a minimum, check for programs that adopt the QSECOFR user profile. The command looks like this:


  • Validate that the adopted authority is required for proper program execution.

If you identify a program that needs to change, you don't need to recompile. Use the following command to change from adopted authority to user authority:
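
The review steps and the change described above, sketched as a CL program. This is an added example, not code from the original page. It assumes the QSYS/QADSPUPB model outfile with its UPUPRF profile-name field; MYLIB/MYPGM is a hypothetical program name.

```cl
/* Added example: periodic adopted-authority review.                  */
/* MYLIB and MYPGM below are hypothetical placeholder names.          */
PGM
  /* Compile against the model outfile used by DSPUSRPRF TYPE(*BASIC) */
  DCLF       FILE(QSYS/QADSPUPB)

  /* Step 1: write basic data for every profile to QTEMP/USRPRF       */
  DSPUSRPRF  USRPRF(*ALL) TYPE(*BASIC) OUTPUT(*OUTFILE) +
               OUTFILE(QTEMP/USRPRF)
  OVRDBF     FILE(QADSPUPB) TOFILE(QTEMP/USRPRF)

  /* Step 2: read each record and test positions 1-7 of UPSPAU        */
LOOP:
  RCVF
  MONMSG     MSGID(CPF0864) EXEC(GOTO CMDLBL(DONE)) /* end of file    */
  IF         COND(%SST(&UPSPAU 1 7) *EQ '*ALLOBJ') THEN(DO)
    /* Step 3: print the programs that adopt this profile             */
    DSPPGMADP  USRPRF(&UPUPRF) OUTPUT(*PRINT)
    MONMSG     MSGID(CPF0000) /* continue if one profile fails        */
  ENDDO
  GOTO       CMDLBL(LOOP)

DONE:
  DLTOVR     FILE(QADSPUPB)
  /* Step 4 is a manual review of the printed lists. For a program    */
  /* that does not need adoption, switch it without recompiling:      */
  /*   CHGPGM PGM(MYLIB/MYPGM) USRPRF(*USER)                          */
ENDPGM
```

Run it under a profile authorized to display all user profiles; each *ALLOBJ profile produces one spooled DSPPGMADP listing to review.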