Carol Woodbury's i5/OS Security Tip

Managing Special Authorities
6 SEP 2007
Greetings!

While many organizations are gaining control over the assignment of special authorities, many others continue to allow users to have more capabilities than are required to perform their job function.

 

So, are your special authorities out of control?

Below, I show the best way you can rework the assignment of special authorities. In addition, I show how SkyView Policy Minder can help you detect when a user has been assigned a special authority and shouldn't.
 
Sincerely,

Carol Woodbury, President
SkyView Partners, Inc.
Questions?

Before I get started, I want to say that SkyView Partners is committed to delivering security-related products and services that provide our customers with sound advice and that save them time in their quest to achieve a more secure environment.

So, if you have a question, please contact us.

Now, on to your i5/OS Security Tech Tip for September, 2007.
Managing Special Authorities

Why the fuss about special authorities? Skipping a discussion of *ALLOBJ for the moment, special authorities provide the user with the capability to perform some specialized function. If that capability falls outside of their job's responsibilities, they shouldn't have the special authority. Assigning users only the capabilities sufficient to perform their job functions is a requirement of several laws and regulations (including the PCI Data Security Standard). In addition, it makes good business sense that you don't give someone capabilities that they don't need.

 

*ALLOBJ is slightly different. Users assigned *ALLOBJ special authority can access all objects. Once you assign a user *ALLOBJ, they cannot be prevented from accessing any object on the system. I heard the other day of an administrator trying to restrict programmers' access to several libraries. However, the programmers had been assigned *ALLOBJ. Given the way i5/OS performs its authority checks, users with *ALLOBJ will always have access to an object. Attempting to restrict their access was a waste of time.

 

Why are special authorities out of control?  Because most profiles are not created from "scratch."  Most profiles are created by copying another profile.  If the original profile has more special authorities than necessary, after the profile is copied, the new profile will also have those additional special authorities.

What are Special Authorities?

Here are the capabilities (special authorities) you can grant users and the functions they provide:


*AUDIT     Configuration of i5/OS auditing attributes

*IOSYSCFG  Communications configuration and management

*JOBCTL    Management of any job on the system

*SAVSYS    Ability to save and restore any object on the system, or the entire system, regardless of authority to the object

*SECADM    Create/change/delete user profiles

*SERVICE   Ability to use Service Tools, perform a service trace, or debug another user's job

*SPLCTL    Access to every spooled file on the system regardless of authority to the output queue (the "*ALLOBJ" of spooled files)

*ALLOBJ    Access to EVERY object on the system. It is not possible to prevent an *ALLOBJ user from accessing an object!!!

Taking Control of Special Authorities

The best way to rework the assignment of special authorities is to first assign users to a role.  Typical roles include system administrator, operators, programmers, change control administrator, database administrators, analysts, and end users.  Next, list the tasks each role typically performs.  Finally, list the special authorities required by each task.  This determines what special authorities each role requires.
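The three steps above (assign users to a role, list each role's tasks, list the special authorities each task needs) reduce to a set union per role, and the result can then be compared with what each profile actually holds. The following is an added example and is not SkyView's or IBM's code; the role names, task lists and sample profile data are assumptions constructed for the illustration, while the task-to-authority mapping follows the table of special authorities in this tip.

```python
# Added example (not SkyView's or IBM's code): derive the special authorities
# each role requires from its tasks, then review actual profiles against it.
# Role names, task names and the sample profiles are constructed assumptions.

# Step 1: each user profile is assigned to one role (constructed sample).
USER_ROLES = {
    "SYSADM1": "system administrator",
    "OPER1": "operator",
    "PGMR1": "programmer",
    "CLERK1": "end user",
}

# Step 2: the tasks each role typically performs (assumed task lists).
ROLE_TASKS = {
    "system administrator": ["create user profiles", "configure auditing",
                             "save and restore the system", "manage any job"],
    "operator": ["save and restore the system", "manage any job"],
    "programmer": ["debug own jobs"],
    "end user": [],
}

# Step 3: the special authority each task requires, per the table in the tip.
# Debugging your own job is assumed to need none; *SERVICE is only needed to
# debug another user's job.
TASK_AUTHORITIES = {
    "create user profiles": {"*SECADM"},
    "configure auditing": {"*AUDIT"},
    "save and restore the system": {"*SAVSYS"},
    "manage any job": {"*JOBCTL"},
    "debug own jobs": set(),
}


def required_authorities(role):
    """Union of the special authorities needed by every task of the role."""
    needed = set()
    for task in ROLE_TASKS[role]:
        needed |= TASK_AUTHORITIES[task]
    return frozenset(needed)


def review_profile(user, actual_authorities):
    """Compare what a profile holds against what its role requires.

    Returns (excess, missing) as sorted lists: 'excess' is what should be
    removed, 'missing' is what the role needs but the profile lacks.
    """
    required = required_authorities(USER_ROLES[user])
    held = set(actual_authorities)
    return sorted(held - required), sorted(required - held)


def review_all(actual):
    """Review every profile; return only the ones that need attention."""
    findings = {}
    for user, held in actual.items():
        excess, missing = review_profile(user, held)
        if excess or missing:
            findings[user] = {"excess": excess, "missing": missing}
    return findings


# Constructed sample of what the profiles actually hold (the kind of data
# you would export from DSPUSRPRF). PGMR1 was copied from an administrator
# profile and inherited *ALLOBJ and *SECADM it does not need.
SAMPLE_ACTUAL = {
    "SYSADM1": {"*SECADM", "*AUDIT", "*SAVSYS", "*JOBCTL"},
    "OPER1": {"*SAVSYS", "*JOBCTL"},
    "PGMR1": {"*ALLOBJ", "*SECADM"},
    "CLERK1": set(),
}

if __name__ == "__main__":
    for user, finding in review_all(SAMPLE_ACTUAL).items():
        print(f"{user}: remove {finding['excess']}, add {finding['missing']}")
```

Running it reports only PGMR1, the profile that was copied rather than built from its role; the role table, not the copied profile, is what defines the target state, so a profile with fewer special authorities than its role requires is reported too.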

How SkyView Policy Minder can Help

To detect when a user has been assigned a special authority and shouldn't, there are two ways that Policy Minder can help. First, define a template, choosing to include all users of a particular user class (such as *SECOFR or *USER) or a specific group, and specify which special authorities the users in the user class or group are to have. For example, you may specify that all users in the *SYSOPR user class are to have *SAVSYS and *JOBCTL special authorities. When you run a compliance check, the special authorities assigned to the profiles belonging to the specified user class or group will be checked against the template (policy) you created. Any profile whose special authorities don't match the policy will be flagged as being out of compliance with the policy.

 

The second way that you can check special authorities with Policy Minder is to create a slightly different user profile template. In this template you include all users that have a specific special authority, for example *ALLOBJ. Then you specify *NO for the attribute "Allow new user profile." The first time you run a compliance check, it establishes the baseline of all users that currently have the special authority (in our example, *ALLOBJ). The next time you run a compliance check, any profile that has been created with, changed to have, or restored with *ALLOBJ assigned will be flagged as "*NEW" and, therefore, out of compliance. This method is especially helpful in keeping track of the very powerful special authorities such as *ALLOBJ, as well as the special authorities auditors may want to limit, such as *AUDIT.
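The baseline method described above is, at its core, a difference between two snapshots of who holds one special authority. The following is an added example of that logic and is not Policy Minder's code; the profile snapshots are constructed for the illustration, and the baseline is kept fixed after the first check so that every later holder outside it is reported, whether the profile was created, changed or restored with the authority.

```python
# Added example (not SkyView Policy Minder's code): watch one special
# authority across compliance checks. The first check records the baseline
# of current holders; later checks flag holders not in the baseline as *NEW.
# Profile snapshots below are constructed for the example.

class SpecialAuthorityWatch:
    """Track holders of one special authority across compliance checks."""

    def __init__(self, authority):
        self.authority = authority
        self.baseline = None     # None until the first check establishes it

    @staticmethod
    def holders(profiles, authority):
        """Names of the profiles that currently hold the authority."""
        return frozenset(name for name, specials in profiles.items()
                         if authority in specials)

    def check(self, profiles):
        """Run one compliance check against a snapshot of profiles.

        Returns a sorted list of profile names flagged as *NEW. The first
        run only establishes the baseline and flags nothing; each later run
        flags any holder that was not in the baseline. Profiles that lost
        the authority are not flagged, matching "Allow new user profile *NO".
        """
        current = self.holders(profiles, self.authority)
        if self.baseline is None:
            self.baseline = current
            return []
        return sorted(current - self.baseline)


# Constructed snapshots: profile name -> special authorities held.
RUN1 = {
    "QSECOFR": {"*ALLOBJ", "*SECADM", "*JOBCTL", "*SAVSYS", "*SERVICE",
                "*SPLCTL", "*AUDIT", "*IOSYSCFG"},
    "SYSADM1": {"*ALLOBJ"},
    "PGMR1": {"*JOBCTL"},
}
RUN2 = dict(RUN1)
RUN2["PGMR1"] = {"*JOBCTL", "*ALLOBJ"}   # existing profile changed to have *ALLOBJ
RUN2["TEMP1"] = {"*ALLOBJ"}              # profile created (or restored) with *ALLOBJ


def demo():
    """Two checks: the first sets the baseline, the second reports drift."""
    watch = SpecialAuthorityWatch("*ALLOBJ")
    first = watch.check(RUN1)    # baseline becomes {QSECOFR, SYSADM1}
    second = watch.check(RUN2)   # PGMR1 and TEMP1 are outside the baseline
    return first, second


if __name__ == "__main__":
    first, second = demo()
    print("first run flagged:", first)
    print("second run flagged:", second)
```

A profile that appears in the *NEW list should either be removed from the special authority or, if the assignment is legitimate, added to the baseline deliberately; either way the change is reviewed rather than silently accepted.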

Carol Woodbury's Bio

Carol Woodbury is President and co-founder of SkyView Partners, Inc. and is the designer and architect of the SkyView Partners' products.

Carol has over 17 years in the security industry, 10 of those as the AS/400 Security Architect and Chief Engineering Manager of Security Technology for IBM's Enterprise Server Group.

Who is SkyView Partners?

SkyView Partners Inc. specializes in security policy compliance management and assessment software, as well as security services for IBM System i (AS/400, iSeries) customers.

Quick Links

Free Webinar: 'How to Enforce i5/OS Security Compliance incl. Object Level Security' presented by Carol Woodbury

Thursday, September 20, 2007
8:30 - 9:30 AM (Pacific Daylight Time)
Presenter: Carol Woodbury, i5/OS Security Expert, President, SkyView Partners, Inc.

Carol shows a live demonstration of how SkyView Policy Minder for i5/OS & OS/400 makes monitoring and maintaining the implementation details of your security policy easy and takes the guesswork out of your security compliance status, including What's New in Policy Minder v1.3.