IBM Power Ideas Portal
Status: Delivered
Workspace: IBM i
Categories: Security
Created by: Guest
Created on: Feb 20, 2020

IFS and WRKOBJ security (general + ssh)

A very old but still annoying thing:
Users can see objects they do not have access rights to; this can expose the system to hacking attempts, as user names are also exposed.

While object-based access (like WRKOBJ) does hide objects a user does not have access to at the first level, objects within libraries are exposed without access.
For example, a user has access to library TESTLIB via *PUBLIC *USE, but all objects within this library are set to *PUBLIC *EXCLUDE.
The user can run WRKOBJ TESTLIB/*ALL and see all object names with the description *NOT AUTHORIZED.
These objects should not display at all.

Even more of a security threat is the IFS management of access. For example, all users have at least read access to /home, where the users' private directories reside.
Even when all subdirectories like /home/user1, /home/user2 etc. are set to *PUBLIC *EXCLUDE, every user can run WRKLNK OBJ('/home') and see all directory names. Usually the home directory names are the same as the user names, so any user with access to the system gets a full list of users on the box, which makes hacking easier.

(I know this is an old one, but it is still not changed.)


Use Case:

increase security


Idea priority: High
  • Guest, May 3, 2022
    Multiple list object interfaces have been changed to not list objects when the user does not have some authority (other than *EXCLUDE) to the object. See the details in the List Object Security Protection topic in the Memo to Users (https://www.ibm.com/docs/en/i/7.5?topic=changes-list-object-security-protection).

    IBM Power Systems Development
  • Guest, Oct 12, 2020

    Encryption might be a different topic (besides IFS and object access) to be realized
    either by the operating system or by the user. A list of COVID19 positive tested people
    should never be saved unencrypted :)

    Main concern is to find out about user names or installed software to get
    an attack vector.

  • Guest, May 20, 2020

    So a big security concern is what would happen if a file on the IFS contained highly confidential information, such as the employees who tested positive for COVID19 or HIV. How can that data be properly protected, and maybe even subject to encryption? The IFS represents a security vulnerability not well thought out by many organizations. What can IBM do to protect these firms from themselves?

  • Guest, May 19, 2020

    The CAAC has reviewed this requirement and recommends that IBM view this as a high priority requirement that is important to be addressed. On a parent library or directory, the objects below, which are set to *EXCLUDE should not be seen/identified by those who have authority to the parent library/directory.

    Background: The COMMON Americas Advisory Council (CAAC) members have a broad range of experience in working with small and medium-sized IBM i customers. CAAC has a key role in working with IBM i development to help assess the value and impact of individual RFEs on the broader IBM i community, and has therefore reviewed your RFE.

    For more information about CAAC, see www.common.org/caac

    For more details about CAAC's role with RFEs, see http://www.ibmsystemsmag.com/Blogs/i-Can/May-2017/COMMON-Americas-Advisory-Council-%28CAAC%29-and-RFEs/

    Nancy Uthke-Schmucki - CAAC Program Manager

  • Guest, May 11, 2020

    IBM will use this request as input to planning but no commitment is made or implied. This request will be updated in the future if IBM implements it. IBM will use votes and comments from others in the community to help prioritize this request.

  • Guest, Apr 22, 2020

    IBM has received the requirement and is evaluating it. IBM will provide a response after evaluation is complete.

  • Guest, Apr 22, 2020

    Due to processing by IBM, this request was reassigned to have the following updated attributes:
    Brand - Servers and Systems Software
    Product family - Power Systems
    Product - IBM i
    Component - Security
    Operating system - IBM i
    Source - Client

    For record keeping, the previous attributes were:
    Brand - Servers and Systems Software
    Product family - Power Systems
    Product - IBM i
    Component - Core OS
    Operating system - IBM i
    Source - Client

  • Guest, Mar 17, 2020

    The CEAC has reviewed this requirement and recommends that IBM view this as a HIGH priority requirement that is important to address.

    This RFE would make IBM i more securable, as it addresses a feature of IBM i that allows enumeration of objects that the user does not have access to. It closes off an avenue of collecting data that can be used in targeted attacks and/or the creation of spear-phishing-based social engineering.

    Background: The COMMON Europe Advisory Council (CEAC) members have a broad range of experience in working with small and medium-sized IBM i customers. CEAC has a crucial role in working with IBM i development to help assess the value and impact of individual RFEs on the broader IBM i community and has therefore reviewed your RFE.

    To find out how CEAC helps to shape the future of IBM i, see CEAC @ ibm.biz/BdYSYj and the article "The Five Hottest IBM i RFEs Of The Quarter" at ibm.biz/BdYSZT

    Therese Eaton – CEAC Program Manager, IBM

  • Guest, Mar 2, 2020

    Hi Rudi,
    well - you can use STATUS(*DISABLED) to solve a lot of problems - but that's not really my intention ;-)

    It's not a problem for all shops (if they have one Pgmr you can lock down the box easily).

    The extreme situation can be viewed on PUB400.COM or other (more or less) public systems with lots of users which are allowed
    to do some more than signon, order entry and signoff.

  • Guest, Feb 24, 2020

    Hello Holger,

    I wonder if access to the commands WRKLNK and WRKOBJ is not part of the problem.....

    Sorry, no answers, that is why I wonder ;-)

    Nav4i has the same issue if you do not lock it down.

    Greetings Rudi

  • Guest, Feb 21, 2020

    Another well-known hack to get a list of users. This hack works because you generally need the ability to send messages to users and thus need access to their message queue. Unless IBM rewrites all the message handling APIs. Which may open another can of worms, as one may be intentionally blocked from sending messages to one user (I would have to guess at a scenario, but I can imagine some customer doing that somewhere).
    WRKOBJ OBJ(QUSRSYS/*ALL) OBJTYPE(*MSGQ)

  • Guest, Feb 21, 2020

    I'm not seeing the same results on WRKOBJ.
    CRTLIB DELETEME
    GRTOBJAUT OBJ(DELETEME) OBJTYPE(*LIB) USER(*PUBLIC) AUT(*USE)
    CRTPF FILE(DELETEME/PEEKABOO) RCDLEN(10)
    CRTPF FILE(DELETEME/HIDEY) RCDLEN(10)
    GRTOBJAUT OBJ(DELETEME/*ALL) OBJTYPE(*ALL) USER(*PUBLIC) AUT(*EXCLUDE)
    CRTUSRPRF USRPRF(DUMMY) PASSWORD() SPCAUT(*NONE)
    Sign on as DUMMY
    WRKOBJ DELETEME/*ALL
    (Cannot find object to match specified name.)
    However this shows it.
    WRKLNK '/QSYS.LIB/DELETEME.LIB/*.*'
    Object link      Type   Attribute   Text
    HIDEY.FILE       FILE   *NOTAVL     *NOTAVL
    PEEKABOO.FILE    FILE   *NOTAVL     *NOTAVL
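The listing behaviour discussed in the original idea (library TESTLIB / directory /home), in IBM's May 3, 2022 reply (objects are listed only when the caller has some authority other than *EXCLUDE) and in the Feb 21, 2020 WRKOBJ/WRKLNK experiment above, modelled as a small Python simulation. This is an added example, not IBM code and not code posted by any commenter: the Obj and User classes, the simplified authority resolution order, the profile names USER1/USER2/QSECOFR/DUMMY and the sample objects are all constructed for illustration. It lets an administrator reason about which names a given profile could learn from an unprotected list interface, which is the exposure the idea describes.

```python
"""Toy model of an IBM i list interface (WRKOBJ, WRKLNK) before and after
List Object Security Protection.

Added example, not IBM code. Authority resolution is simplified: *ALLOBJ
wins, then the caller's private authority, then the first group profile
with a private authority, then *PUBLIC. Authorization lists, adopted and
owner authority are deliberately not modelled.
"""
from dataclasses import dataclass, field

EXCLUDE = "*EXCLUDE"
NOT_AUTHORIZED = "*NOT AUTHORIZED"   # text WRKOBJ shows for an inaccessible object


@dataclass
class Obj:
    """A library object or IFS directory entry (constructed for the example)."""
    name: str
    text: str = ""
    public: str = EXCLUDE                        # *PUBLIC authority
    private: dict = field(default_factory=dict)  # profile name -> authority


@dataclass
class User:
    name: str
    groups: tuple = ()
    allobj: bool = False                         # *ALLOBJ special authority


def effective_authority(user: User, obj: Obj) -> str:
    if user.allobj:
        return "*ALL"
    if user.name in obj.private:
        return obj.private[user.name]
    for group in user.groups:
        if group in obj.private:
            return obj.private[group]
    return obj.public


def can_access(user: User, obj: Obj) -> bool:
    """Any authority other than *EXCLUDE counts, matching IBM's wording."""
    return effective_authority(user, obj) != EXCLUDE


def list_objects(user, container, children, protected):
    """Rows a list interface returns to `user` for `container`.

    protected=False: pre-7.5 behaviour the idea complains about; every
    child is listed, inaccessible ones carry *NOT AUTHORIZED.
    protected=True: List Object Security Protection; children to which the
    caller has no authority other than *EXCLUDE are omitted entirely.
    """
    if not can_access(user, container):
        return []                 # no authority to the library/directory itself
    rows = []
    for child in children:
        if can_access(user, child):
            rows.append((child.name, child.text))
        elif not protected:
            rows.append((child.name, NOT_AUTHORIZED))
    return rows


def enumerable_names(user, container, children):
    """Names `user` learns from the unprotected listing but not from the
    protected one: the enumeration exposure this idea is about. Useful for
    an authority review of a shared directory or library."""
    before = {name for name, _ in list_objects(user, container, children, False)}
    after = {name for name, _ in list_objects(user, container, children, True)}
    return sorted(before - after)


# Constructed scenario from the idea: /home is *PUBLIC *USE, every home
# directory is *PUBLIC *EXCLUDE with only its owner granted *RWX.
HOME = Obj("/home", "home directories", public="*USE")
HOME_DIRS = [
    Obj("user1", private={"USER1": "*RWX"}),
    Obj("user2", private={"USER2": "*RWX"}),
    Obj("qsecofr", private={"QSECOFR": "*RWX"}),
]

# Constructed scenario from the Feb 21, 2020 experiment: library DELETEME
# is *PUBLIC *USE, the files in it are *PUBLIC *EXCLUDE.
DELETEME = Obj("DELETEME", "test library", public="*USE")
DELETEME_OBJS = [Obj("PEEKABOO.FILE"), Obj("HIDEY.FILE")]

if __name__ == "__main__":
    user2 = User("USER2")
    print("legacy   :", list_objects(user2, HOME, HOME_DIRS, protected=False))
    print("protected:", list_objects(user2, HOME, HOME_DIRS, protected=True))
    print("names leaked to USER2 only by the legacy listing:",
          enumerable_names(user2, HOME, HOME_DIRS))
    print("DUMMY in DELETEME, protected:",
          list_objects(User("DUMMY"), DELETEME, DELETEME_OBJS, protected=True))
```

Running it with the constructed data shows USER2 seeing user1 and qsecofr marked *NOT AUTHORIZED under the legacy rule and only its own directory under the protected rule; the same filter makes DUMMY's protected listing of DELETEME empty, which matches the "Cannot find object" result in the experiment, while the unprotected variant reproduces the *NOTAVL rows that WRKLNK still showed. A profile with *ALLOBJ is unaffected because it has authority to everything, so the protection reduces what ordinary users can enumerate without hiding anything from administrators.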