Published on System iNetwork (http://systeminetwork.com)
Start Journaling Libraries in i/OS 6.1 - Fixing the Problems with QDFTJRN
By bradforde
Created May 21 2008 - 17:39

By: Dan Riehl [1]

Recently, I was performing a security assessment in which I discovered an abnormally high number of authority failures.

When system security auditing is enabled, authority failures are recorded as a journal code 'AF' in the QAUDJRN journal. There were hundreds of these entries each day. When I examined the journal entries, I could see that different users were trying to access a database journal object and that they were not authorized to the journal. Why then were users trying to access it?

When I examined the journal, the authority was set to *PUBLIC AUT(*EXCLUDE) with only the owner having *ALL authority. I examined the job log for several of the jobs that were experiencing the 'AF' problem, and the failure always occurred upon creating a physical file in a production library. I then suspected the use of a QDFTJRN data area in the production data library, and yes, it was there.

The existence of this data area in the library was causing all new files to start journaling to the journal for which users had no authority. In effect, because of the 'AF', the newly created files did NOT start journaling as they should have, and the 'AF' error was simply being ignored. Since this customer was using a commercial high availability solution, these files needed to be journaled in order to send database changes to their backup system. Their backup system was out of sync.

In i5/OS V5R4 and earlier, the user creating a new file in a library that contains a QDFTJRN data area needs an absurdly high level of authority to the journal object used to collect the database changes. Each user that creates a new file in a library like this needs *CHANGE, *OBJMGT, and *OBJALTER authority to the journal object named in the QDFTJRN data area.
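As an added example, not code from the article or from IBM, the following Python script reproduces the triage described above on constructed data: it groups audit-journal AF entries by the object they failed on, so a journal that many different users are failing on stands out, and it then checks which of the V5R4 authorities listed above (*CHANGE, *OBJMGT, *OBJALTER) each failing user lacks on that journal. The field names AFUSER, AFVTYP, AFONAM, AFOLIB and AFOTYP are assumed to follow the QASYAFJ5 outfile naming; the records and the authority table are made up, and the expansion of *ALL and *CHANGE is a simplification of IBM i authority semantics.

```python
from collections import defaultdict

# Constructed sample AF entries, shaped like rows of a DSPJRN *TYPE5 outfile
# (field names assumed to follow the QASYAFJ5 model file; the data is made up).
# AFVTYP 'A' = not authorized to object.
AF_RECORDS = [
    {"AFUSER": "CLERK1", "AFVTYP": "A", "AFONAM": "HAJRN", "AFOLIB": "PRODJRN", "AFOTYP": "*JRN"},
    {"AFUSER": "CLERK2", "AFVTYP": "A", "AFONAM": "HAJRN", "AFOLIB": "PRODJRN", "AFOTYP": "*JRN"},
    {"AFUSER": "CLERK3", "AFVTYP": "A", "AFONAM": "HAJRN", "AFOLIB": "PRODJRN", "AFOTYP": "*JRN"},
    {"AFUSER": "CLERK1", "AFVTYP": "A", "AFONAM": "HAJRN", "AFOLIB": "PRODJRN", "AFOTYP": "*JRN"},
    {"AFUSER": "CLERK1", "AFVTYP": "A", "AFONAM": "PAYROLL", "AFOLIB": "HRDATA", "AFOTYP": "*FILE"},
    {"AFUSER": "CLERK2", "AFVTYP": "C", "AFONAM": "HAJRN", "AFOLIB": "PRODJRN", "AFOTYP": "*JRN"},
]

# Authorities the article says a creating user needs on the QDFTJRN journal in V5R4.
REQUIRED_V5R4 = frozenset({"*CHANGE", "*OBJMGT", "*OBJALTER"})

# Constructed per-user authority table for PRODJRN/HAJRN, as DSPOBJAUT would list it.
JOURNAL_AUTHORITY = {
    "JRNOWNER": {"*ALL"},
    "HAOPER": {"*CHANGE", "*OBJMGT", "*OBJALTER"},
    "*PUBLIC": {"*EXCLUDE"},
}

# Simplified expansion of the special values into the specific authorities this
# check cares about (assumption: the real *ALL and *CHANGE cover more than this).
_EXPAND = {
    "*ALL": {"*CHANGE", "*OBJMGT", "*OBJALTER", "*OBJEXIST", "*OBJREF"},
    "*CHANGE": {"*CHANGE"},
    "*EXCLUDE": set(),
}


def af_by_object(records):
    """Map (library, object, type) -> set of users that hit an 'A' failure on it."""
    hits = defaultdict(set)
    for r in records:
        if r["AFVTYP"] == "A":
            hits[(r["AFOLIB"], r["AFONAM"], r["AFOTYP"])].add(r["AFUSER"])
    return dict(hits)


def suspicious_journals(records, min_users=3):
    """Journals that several distinct users fail on: the QDFTJRN symptom from the article."""
    return sorted(obj for obj, users in af_by_object(records).items()
                  if obj[2] == "*JRN" and len(users) >= min_users)


def effective_authorities(user, table):
    """An explicit entry wins; otherwise the user gets whatever *PUBLIC has."""
    granted = table.get(user, table.get("*PUBLIC", {"*EXCLUDE"}))
    effective = set()
    for auth in granted:
        effective |= _EXPAND.get(auth, {auth})
    return effective


def missing_authorities(user, table, required=REQUIRED_V5R4):
    """Required authorities the user does not hold on the journal."""
    return set(required) - effective_authorities(user, table)


def users_missing_journal_authority(records, table):
    """For each suspicious journal, which failing users lack which authorities."""
    report = {}
    for obj in suspicious_journals(records):
        users = af_by_object(records)[obj]
        report[obj] = {u: sorted(missing_authorities(u, table))
                       for u in sorted(users) if missing_authorities(u, table)}
    return report


if __name__ == "__main__":
    for obj, users in users_missing_journal_authority(AF_RECORDS, JOURNAL_AUTHORITY).items():
        print(f"{obj[0]}/{obj[1]} ({obj[2]}):")
        for user, missing in users.items():
            print(f"  {user} lacks {', '.join(missing)}")
```

On a real system the records would come from DSPJRN against QAUDJRN with ENTTYP(AF) written to an outfile, and the authority table from DSPOBJAUT on the journal; the point of the grouping is that one *JRN object failing for many unrelated users is the signature of a QDFTJRN data area pointing at a journal those users cannot reach.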

In i/OS 6.1, IBM has fixed this nasty journal authorization issue with some new support and two new commands: STRJRNLIB (Start Journaling Library) and ENDJRNLIB (End Journaling Library). They have also fixed other journal management problems.

Here’s an IBM blurb on the 6.1 change:

"One of the differences between the V6R1M0 library journaling support and the automatic journaling provided in V5R4M0 via the QDFTJRN data area has to do with the authority that is required to automatically start journaling. With the V6R1M0 support the only user required to have authority to the journal is the user that starts journaling the library. Users that create objects that become automatically journaled require no authority to the journal. With the QDFTJRN data area support in V6R1M0, the user no longer needs authority to the journal either, but they do need authority to read the QDFTJRN data area. In V5R4, every user creating an object that was to be automatically journaled needed authority to the journal."

Here is the IBM Redbook technote [2] that covers the new 6.1 support for journaling at object creation time.

To provide some background on using the QDFTJRN data area in V5R4 and before, you can review these articles and utilities we have published during the last several months.

Managing the QDFTJRN Data Areas with WRKDFTJRN [3]

New Command to Create the QDFTJRN Data Areas [4]

V5R4 and PTFs Provide New Automatic Journaling Capabilities [5]

New Redbook TechNote -- "Journaling at object creation on DB2 for iSeries" [6]

V5R4 Enhancements to QDFTJRN Support [7]

Copyright © Penton Media

Source URL: http://systeminetwork.com/article/start-journaling-libraries-ios-61-fixing-problems-qdftjrn

Links:
[1] http://systeminetwork.com/author/dan-riehl
[2] http://www.redbooks.ibm.com/Redbooks.nsf/RedbookAbstracts/tips0662.html
[3] http://systeminetwork.com/article/managing-qdftjrn-data-areas-wrkdftjrn
[4] http://systeminetwork.com/article/new-command-create-qdftjrn-data-areas
[5] http://systeminetwork.com/article/v5r4-and-ptfs-provide-new-automatic-journaling-capabilities
[6] http://systeminetwork.com/article/new-redbook-technote-journaling-object-creation-db2-iseries
[7] http://publib.boulder.ibm.com/infocenter/iseries/v5r4/index.jsp?topic=/rzaki/rzakiautostrjrnl.htm