IBM Power Ideas Portal


This portal is to open public enhancement requests against IBM Power Systems products, including IBM i. To view all of your ideas submitted to IBM, create and manage groups of Ideas, or create an idea explicitly set to be either visible by all (public) or visible only to you and IBM (private), use the IBM Unified Ideas Portal (https://ideas.ibm.com).


Shape the future of IBM!

We invite you to shape the future of IBM, including product roadmaps, by submitting ideas that matter to you the most. Here's how it works:

Search existing ideas

Start by searching and reviewing ideas and requests to enhance a product or service. Take a look at ideas others have posted, and add a comment, vote, or subscribe to updates on them if they matter to you. If you can't find what you are looking for,

Post your ideas

  1. Post an idea.

  2. Get feedback from the IBM team and other customers to refine your idea.

  3. Follow the idea through the IBM Ideas process.


Specific links you will want to bookmark for future use

Welcome to the IBM Ideas Portal (https://www.ibm.com/ideas) - Use this site to find out additional information and details about the IBM Ideas process and statuses.

IBM Unified Ideas Portal (https://ideas.ibm.com) - Use this site to view all of your ideas, create new ideas for any IBM product, or search for ideas across all of IBM.

ideasibm@us.ibm.com - Use this email to suggest enhancements to the Ideas process or request help from IBM for submitting your Ideas.

Add a new idea Subscribe
Status Not under consideration
Workspace IBM i
Categories Security
Created by Guest
Created on Jun 25, 2025

RELATED IDEAS

Allow finer grained 'Adopt Authority'

This idea will allow ISVs and other to help close security exposures related to programs that adopt authority. 
 

Currently a program can be set to USRPRF(*OWNER) to have it adopt authority.   Different programs within an application have needs for access to different objects via adopted authority and also at times need full *ALLOBJ authority for legitimate reasons.   If an application has varying needs for additional authority for different application actions, the normal approach is to have a application profile which has a superset of all authority needed in various parts of the application.   The alternative would be a separate user profile for each use case that needs a different set o of authority.   Examples would be that some functions only need access to the application's internal files, other functions may need to perform OS security related functions, and still others may need arbitrary access to objects (*ALLOBJ). 

The idea is to introduce a new setting for programs and service programs  USRPRF(*LIMITED).   These programs will normally run with no adopted authority, but will have the authority to 'ask' via a new API for access to specific objects that the owner of the program has access to.    The API would also allow the program to retract that authority.   This limits the scope of the use of adopted authority to exactly what the programmer needs and explicitly asks for.   In fact, if the owner has *ALL access to an object, ideally the program could ask for only *USE authority if that is all that was needed-- this would provide even more granularity, but is not required. 

This will help prevent accidental or malicious authority elevation via defined user exit programs (whether IBM registered exits or application defined mechanisms) or via *LIBL exploitation or via user input referencing an arbitrary object he does not have access to, but the application failing to make an authorization check. 

A more simple but less powerful approach would be to allow the program to turn the adoption of all adopted power on or off without referencing a specific object.  This can be sort of done today with MI instruction MODINVAT, but it only applies to called code and this would be difficult to use in practice to dynamically turn on/off adopted authority in the current invocation level. 

The above is one way of implementing the idea, but others may be appropriate also.  The general idea is to provide a means to allow a program to limit the scope of the adopted power. 

 

Idea priority Low
  • Guest
    Dec 18, 2025
    IBM does not intend to provide a solution to this Idea at this time, so it is being closed.

    The implementation of an API to 'ask' for access to specific objects would cause major performance degradation of authority checking. The majority of authority checks are done below the MI so an upcall to XPF code would be needed for every authority check that involves the use of adopted authority.

    Limiting the scope of adopted authority can be achieved using existing support by separating functions into multiple programs/service programs that are owned by different user profiles with a different set of authorities. The use of USEADPAUT(*NO) for the programs/service programs would also turn off the adoption of powerful users from previous code in the stack.

    IBM Power Systems Development
    Reply
  • Guest
    Jul 29, 2025
    IBM has received your Idea and is evaluating it. IBM will provide a response after evaluation is complete.

    IBM Power Systems Development
    Reply

By clicking the "Post Comment" or "Submit Idea" button, you are agreeing to the IBM Ideas Portal Terms of Use.
Do not place IBM confidential, company confidential, or personal information into any field.