...

  • QSYS/QSYGETPH
  • QSYS/QWTSETP
  • QSYS/QWCRJBST
  • QSYS/QUSRMBRD

This can be accomplished with the following command:


IBM i

Universal Broker for IBM i runs with the UNVUBR510 user profile, which is created at product installation time. Any component started by Universal Broker inherits this user profile.
 
By default, the UNVUBR510 user profile has *ALLOBJ, *JOBCTL, and *SPLCTL authority. Unless the user profile is modified as described in the following section, *ALLOBJ authority is required for a component to switch its user profiles based on the request it is servicing. *JOBCTL authority is required for internal control and should not be removed. The UNVUBR510 user profile requires *SPLCTL authority to provide Universal Submit Job job logs in specific, limited situations.
 
No other product or user should use the UNVUBR510 user profile. By default, users cannot access the system with the UNVUBR510 profile.

Removing *ALLOBJ Authority from UNVUBR510 User Profile

Given the extensive authority allowed by *ALLOBJ special authority, it is desirable to avoid its use when possible. As of PTF 0UC0126 for V1R2M1, it is possible to remove *ALLOBJ special authority from the UNVUBR510 user profile. However, removing *ALLOBJ from the UNVUBR510 user profile increases administrative complexity.
 
The following steps are required to use Universal Command with *ALLOBJ special authority removed from the UNVUBR510 user profile.
 
1. If the following objects do not have *USE Public Authority, the UNVUBR510 user profile must be given *USE authority:

<pre>
===> EDTOBJAUT OBJ(QSYS/object_name) OBJTYPE(*PGM)
</pre>



 
From the resulting screen, use F6 to add user UNVUBR510 and give it *USE authority.
 
2. The UNVUBR510 user profile must be given *USE authority to the user profile objects of all user profiles that will be using the Universal Command Server on the IBM i.
 
This can be accomplished with the following command:


<pre>
===> EDTOBJAUT OBJ(QSYS/user_profile_name) OBJTYPE(*USRPRF)
</pre>



 
From the resulting screen, use F6 to add user UNVUBR510 and give it *USE authority.
 
3. Use the following command to remove *ALLOBJ authority from the UNVUBR510 user profile:


<pre>
===> CHGUSRPRF USRPRF(UNVUBR510) SPCAUT(*JOBCTL *SPLCTL)
</pre>



Removing *SPLCTL Authority from UNVUBR510 User Profile

Use the following command to remove the UNVUBR510 user profile *SPLCTL authority:


<pre>
===> CHGUSRPRF USRPRF(UNVUBR510) SPCAUT(*JOBCTL *ALLOBJ)
</pre>



Removing *ALLOBJ and *SPLCTL Authorities from UNVUBR510 User Profile

Use the following command to remove both *ALLOBJ and *SPLCTL special authorities from the UNVUBR510 user profile, leaving only *JOBCTL:


<pre>
===> CHGUSRPRF USRPRF(UNVUBR510) SPCAUT(*JOBCTL)
</pre>



 
(Please refer to the previous two sections for additional information.)

HP NonStop

Universal Broker itself does not require super.super privileges, but a component it starts may; for example, Universal Command (UCMD) Server may require super.super authority. Since the component inherits its user ID from the Broker, either the Broker must be running as super.super or the UCMD Server program must be owned by super.super and ProgID must be set for the server program file.
 
If the Broker is started as a daemon at system startup time, it is started with a user ID of super.super. The Broker and all its components will then have sufficient authority.

UNIX

Although Universal Broker itself does not require superuser privileges, some Universal Agent server components (for example, UCMD Server and UEM Server) may require superuser authority to switch execution context to another user account, initialize group membership, or perform other privileged operations.
 
Since the component inherits its user ID from Universal Broker, one of the following is required:

  • Universal Broker must execute as root.
  • root must own the Universal Agent Server application file (for example, ucmsrv or uemsrv), and the Universal Agent Server application file must have its "set user ID on execution" bit (setuid on exec) set (for example, chmod u+s ucmsrv).
     
    By default, the Universal Broker is owned and started with a user ID of ubroker. root will own the server components that need superuser authority and these components will have their "set user ID on execution" bit set.
     

    Note

    Universal Agent server components typically only invoke the privileged operations mentioned above when that component is configured to run with security enabled (that is, its security configuration option is set to a value other than none). When security is disabled in a Universal Agent server component's configuration, that component may not attempt to invoke any privileged operations, but relies completely upon the security context it inherits from the Broker.
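
The setuid arrangement described above can be verified with a small audit script. This is an added example, not part of the product or its documentation: the paths passed to it are placeholders, and the check that only the owner can write the file is an extra hardening check that the page does not state.

```shell
#!/bin/sh
# Added example: audit a Universal Agent server binary (ucmsrv, uemsrv) for the
# setuid arrangement described above. The caller supplies the path; no install
# directory is assumed.
#
# check_setuid_server FILE [OWNER_UID]   (OWNER_UID defaults to 0, i.e. root)
# Returns: 0 ok, 1 not a regular file, 2 wrong owner, 3 setuid bit missing,
#          4 writable by group or others.
check_setuid_server() {
    f=$1
    want_uid=${2:-0}

    # Reject symlinks so the check applies to the file that is executed.
    if [ -L "$f" ] || [ ! -f "$f" ]; then
        echo "FAIL $f: not a regular file"; return 1
    fi

    # Field 1 of "ls -ln" is the mode string, field 3 the numeric owner.
    line=$(ls -ln -- "$f")
    mode=$(printf '%s\n' "$line" | awk '{print $1; exit}')
    uid=$(printf '%s\n' "$line" | awk '{print $3; exit}')

    if [ "$uid" != "$want_uid" ]; then
        echo "FAIL $f: owner uid $uid, expected $want_uid"; return 2
    fi
    if [ ! -u "$f" ]; then
        echo "FAIL $f: setuid bit not set (chmod u+s)"; return 3
    fi
    # A privileged binary should be writable by its owner only; group or
    # other write permission lets a non-owner tamper with it.
    case $mode in
        ?????w*|????????w*)
            echo "FAIL $f: writable by group or others ($mode)"; return 4 ;;
    esac
    echo "OK   $f: uid $uid, mode $mode"
}

# Check every path given; succeed only if all of them pass.
audit_servers() {
    bad=0
    for srv in "$@"; do
        check_setuid_server "$srv" || bad=$((bad + 1))
    done
    [ "$bad" -eq 0 ]
}

# Run as: sh audit.sh /path/to/ucmsrv /path/to/uemsrv   (paths are placeholders)
if [ "$#" -gt 0 ]; then audit_servers "$@"; fi
```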


Windows

The Universal Broker Windows service can be configured to execute with the Local System account or with a specially-configured Administrative account (see Windows Service).

z/OS

The Universal Broker started task may execute with any OMVS user ID provided that account has read access to the BPX.DAEMON, BPX.SUPERUSER, and BPX.JOBNAME resources in the FACILITY class.
 
The Broker user account is typically configured at install time (see Started Task Configuration).
 


  • Starting with Universal Broker 5.1.0.1, the Broker USER ID no longer requires READ access to the BPX.SUPERUSER resource.
  • Starting with Universal Broker 6.5.0.0, the Broker USER ID no longer requires READ access to the BPX.DAEMON resource.

See z/OS Configuration - Started Tasks for more information.



...