Kisco Systems

Kisco U

Restricting system commands

Home : Kisco U : Restricting system commands

In the default IBM i OS configuration, most system commands and APIs have a public authority of *USE. This allows anyone to use almost any command or API on your system. This is a potential security risk.

"Revoke Public Authority" (RVKPUBAUT) calls a program named QSECRVKP in library QSYS and can be used to change the public authority for a host of commands and APIs to *EXCLUDE.

Review the CL source for QSECRVKP to get a complete understanding of the impacts of revoking public authority:


This assumes that you already have a source physical file in your library named QCLSRC.

This command has a single parameter: the name of the library where these objects are stored. At a minimum, you should run the command for the QSYS library. If you have more than one national language on your system, you should also run the command for every QSYSxxx library.

Edit and recompile the CL source if you want to change the commands or APIs affected by public authority revoke. Do not place the newly compiled program back into QSYS as that will destroy the original. It would be best to put the copy in a different library along with your own copy of the command object named RVKPUBAUT. Change the library settings on your copy of the command to point to your modified version of the program. Then, when you run the command, run it from your library and not from the QSYS library.

Also be aware that RVKPUBAUT will change the public setting for the root directory of the IFS. It will change it to *USE unless it is already at that level or lower.

Once you have these commands and APIs restricted, you can then go about authorizing them to the specific individuals in your organization that really them. The best way to set this up is to create an authorization list for this set of users and then set up each of the commands and APIs to point to the authorization list.