Hi all! I'm curious about your thoughts on this "IBM Idea" (and obviously I'm hoping you'll give it a "thumbs up" if you think it's a good one).
Here's a link to the IBM Idea that I'm talking about here
When working on security remediation projects, authority collection is an invaluable tool. In my opinion there is a weakness in this tool. When an authority check happens on a *FILE object, many details about the object and the authority check are captured, including the library, object name, and object type. However, it doesn't capture the object attribute, which would allow us to distinguish between PFs, LFs, SAVFs, DSPFs, etc. We can of course check the object attribute directly using WRKOBJ or OBJECT_STATISTICS, but this involves an extra step reaching outside of the authority collection repository. If the object attribute were captured in the authority collection data, it would be extremely helpful.
Any thoughts to share? If you think this would be a good enhancement, please give it an upvote on the Ideas portal.
Currently, this is how I'd pull in the object attribute for *FILE objects when needed for a remediation analysis:

-- Distinct *FILE objects recorded in the authority collection
-- for one user profile and one library
WITH files AS (
    SELECT DISTINCT system_object_schema,
                    system_object_name,
                    system_object_type
      FROM qsys2.authority_collection
     WHERE authorization_name = 'SOMEUSER'
       AND OBJECT_SCHEMA = 'SOMELIB'
       AND system_object_type = '*FILE' )
-- Look up each object's attribute (PF, LF, SAVF, DSPF, ...) via OBJECT_STATISTICS
SELECT * FROM files,
    LATERAL ( SELECT objattribute
                FROM TABLE ( qsys2.object_statistics(
                    object_schema => files.system_object_schema,
                    object_name   => files.system_object_name,
                    objtypelist   => files.system_object_type) ) );

------------------------------
Steven Riedmueller
Certified IBM i Admin
Speaker, Mentor, and Advocate
------------------------------