Program Adoption of Authority (PAA) is a technique that you can use to temporarily elevate a user’s authority so that the user can perform functions for which he or she would usually have insufficient authority. For example, you want the help desk folks to be able to reset a user’s password. To perform this sensitive function, the help desk personnel would need high authority levels (e.g., *ALLOBJ, *SECADM). But if you assign these high authority levels to the help desk staff’s user profiles, these users then have full-time power over all your sensitive data, and this is dangerous to the system’s overall integrity.
What you need to do instead is provide a small, limited-function program that such users can run to adopt the powerful authority that they need to do the password reset. When the adopting program ends, the elevated level of authority goes away with it. This is what PAA does.
PAA is a useful function that you shouldn’t shy away from. However, in the wrong hands, PAA can be the back door for obtaining high levels of authority without proper oversight and control.
In my work doing OS/400 vulnerability assessments, I’ve encountered many instances in which a program that adopts a high level of authority has been surreptitiously created on the system and used as a method to “back door” otherwise well-planned security. Using one of these adopting programs, a technical user can easily adopt a powerful user’s authority, such as QSECOFR, and virtually become QSECOFR anytime he or she likes.
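As an added illustration (not part of the original article or its save file), here is the kind of small, limited-function adopting program the first two paragraphs describe, together with the build, lock-down and periodic audit commands that keep it from turning into the unreviewed back door the last paragraph warns about. The library HELPDESK, program HDPWRST, owner profile HDOWNER and help-desk group HDGRP are assumed names.

```cl
/* HDPWRST - help-desk password reset that adopts its owner's authority  */
/* only while it is on the call stack.  Assumed names: library HELPDESK,  */
/* owner profile HDOWNER (holds *SECADM only), help-desk group HDGRP.     */
/*                                                                        */
/* Build and lock down (done once, by a security administrator):          */
/*  CRTBNDCL  PGM(HELPDESK/HDPWRST) SRCFILE(HELPDESK/QCLSRC) USRPRF(*OWNER)*/
/*  CHGOBJOWN OBJ(HELPDESK/HDPWRST) OBJTYPE(*PGM) NEWOWN(HDOWNER)         */
/*  GRTOBJAUT OBJ(HELPDESK/HDPWRST) OBJTYPE(*PGM) USER(*PUBLIC) AUT(*EXCLUDE)*/
/*  GRTOBJAUT OBJ(HELPDESK/HDPWRST) OBJTYPE(*PGM) USER(HDGRP) AUT(*USE)   */
/*  CHGOBJAUD OBJ(HELPDESK/HDPWRST) OBJTYPE(*PGM) OBJAUDIT(*ALL)          */
/* Periodic check for adopting programs nobody planned for:               */
/*  DSPPGMADP USRPRF(QSECOFR) OUTPUT(*PRINT)                              */
/*  DSPPGMADP USRPRF(HDOWNER) OUTPUT(*PRINT)   - only HDPWRST should show */
             PGM        PARM(&USER &NEWPWD)
             DCL        VAR(&USER)   TYPE(*CHAR) LEN(10)
             DCL        VAR(&NEWPWD) TYPE(*CHAR) LEN(10)
             DCL        VAR(&SPCAUT) TYPE(*CHAR) LEN(150)
             DCL        VAR(&AUT)    TYPE(*CHAR) LEN(10)
             DCL        VAR(&I)      TYPE(*DEC)  LEN(3 0) VALUE(1)

/* Fetch the target's special authorities (15 entries of 10 characters). */
             RTVUSRPRF  USRPRF(&USER) SPCAUT(&SPCAUT)
             MONMSG     MSGID(CPF2204) EXEC(SNDPGMMSG MSGID(CPF9898) +
                          MSGF(QCPFMSG) MSGDTA('Profile not found') +
                          MSGTYPE(*ESCAPE))

/* Refuse privileged targets: adopting *SECADM must not become a way to  */
/* take over QSECOFR or any other *ALLOBJ/*SECADM profile.               */
             DOWHILE    COND(&I *LE 141)
                CHGVAR     VAR(&AUT) VALUE(%SST(&SPCAUT &I 10))
                IF         COND((&AUT *EQ '*ALLOBJ') *OR (&AUT *EQ '*SECADM')) +
                           THEN(SNDPGMMSG MSGID(CPF9898) MSGF(QCPFMSG) +
                              MSGDTA('Privileged profiles cannot be reset here') +
                              MSGTYPE(*ESCAPE))
                CHGVAR     VAR(&I) VALUE(&I + 10)
             ENDDO

/* The only privileged action: set a one-time password that expires at  */
/* next sign-on.  No other program is called while authority is adopted, */
/* so the elevated level is not passed on down the call stack.           */
             CHGUSRPRF  USRPRF(&USER) PASSWORD(&NEWPWD) PWDEXP(*YES)
             SNDPGMMSG  MSG('Password reset; user must change it at next sign-on')
             ENDPGM
```

Run the two DSPPGMADP commands on a schedule and compare the output with the list of adopting programs you approved; any program that adopts QSECOFR and is not on that list is exactly the kind of object the assessments above keep turning up.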
Download the save file containing the source code.