Carol Woodbury's i & i5/OS Security Tip

Authorization Lists
30 JUN 2008
Greetings!
 
Here is your latest i5/OS Security Tip from SkyView Partners, Inc. 
 
This month's newsletter discusses the virtues of authorization lists and how Policy Minder can help you manage them.
 
An authorization list is a tool provided by i5/OS to help you manage authority to objects.  The typical usage scenario is that you have a set of profiles (user profiles, group profiles, or both) that need the same authority to a set of objects - perhaps all files in an application.  Rather than granting each of those users a private authority to each of the objects, you can use an authorization list.  Simply associate the authorization list with the objects.  Then, instead of granting the private authority on the objects themselves, grant each user (or group) authority to the authorization list.  By virtue of having authority to the authorization list, the users have the same authority to every object associated with the list. 
 

Below, I also show how SkyView Policy Minder and SkyView Risk Assessor can help.

 
Sincerely,
 

Carol Woodbury, President

SkyView Partners, Inc. 
Questions?
Before I get started, I want to say that SkyView Partners is committed to delivering security compliance products and services that provide our customers with sound advice that saves them time and reduces the costs and complexities of attaining and maintaining compliance.
 
So, if you have a question, please contact us.
 
Now, on to this month's i & i5/OS Security Tip.
What are Authorization Lists?
 

Having authority to the authorization list is the same as the user having a private authority to the individual object.  The authorization list just displaces the authority - instead of the authority being on the individual object, it is on the authorization list.   The only difference is that i5/OS checks and uses the authority to the individual object before checking authority to an object's authorization list.  

Benefits of using Authorization Lists
 
Authorization lists have several benefits.  Authorization lists simplify the management of access to objects.  All you have to do is display the authorization list (DSPAUTL) and then display the objects secured by the authorization list (DSPAUTLOBJ) to know what the users are authorized to.  Authorization lists also reduce the number of private authorities on the system.  This reduces the time that a SAVSECDTA needs to run.  (SAVSECDTA is how private authorities are saved.)  It also saves time when a RSTAUT is run because there are fewer private authorities to grant to the restored objects.  Last but certainly not least, authorization lists provide a way to manage authorities when an object is locked.  
 
That's why I like to use authorization lists to secure files.  Because you can't grant (or revoke) authorities to files that are open, securing them with an authorization list allows you the flexibility to grant a user or group authority even when the file is in use.  I've found securing files with authorization lists to be extremely helpful when re-working an application's authority scheme.
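As an added example (not from the newsletter and not part of SkyView's products), here is the CL command sequence that implements the scheme described above and the DSPAUTL/DSPAUTLOBJ review from the Benefits section.  The library name PAYLIB, the list PAYAUTL, the group PAYGRP and the user profiles PAYADMIN and PAYCLERK are assumed names chosen for the example.

```cl
/* Added example, not from the newsletter.  Names PAYLIB, PAYAUTL, PAYGRP, */
/* PAYADMIN and PAYCLERK are assumed.                                     */

/* 1. Create the list.  AUT(*EXCLUDE) sets the list's own *PUBLIC authority,  */
/*    so a profile that is not on the list (and not in a group on it) gets      */
/*    nothing from it.                                                         */
CRTAUTL AUTL(PAYAUTL) TEXT('Payroll application files') AUT(*EXCLUDE)

/* 2. Put the group and the administrator on the list with the authority each */
/*    needs.  These are the only private authorities you will manage.         */
ADDAUTLE AUTL(PAYAUTL) USER(PAYGRP)   AUT(*CHANGE)
ADDAUTLE AUTL(PAYAUTL) USER(PAYADMIN) AUT(*ALL)

/* 3. Attach the list to every file in the library.  This touches the objects */
/*    themselves, so it fails for files that are open: run it while the        */
/*    application is down.                                                     */
GRTOBJAUT OBJ(PAYLIB/*ALL) OBJTYPE(*FILE) AUTL(PAYAUTL)

/* 4. Point the files' *PUBLIC authority at the list instead of leaving a      */
/*    separate public authority on each object.                               */
GRTOBJAUT OBJ(PAYLIB/*ALL) OBJTYPE(*FILE) USER(*PUBLIC) AUT(*AUTL)

/* 5. Review: who is on the list, and which objects it secures.                */
DSPAUTL AUTL(PAYAUTL)
DSPAUTLOBJ AUTL(PAYAUTL)

/* 6. Later, a new user can be given access while the files are open, because */
/*    only the list entry changes, not the locked objects.                     */
ADDAUTLE AUTL(PAYAUTL) USER(PAYCLERK) AUT(*USE)

/* For contrast, the equivalent private authority on the object would fail    */
/* with an object-in-use error while the file is open:                         */
/* GRTOBJAUT OBJ(PAYLIB/PAYMAST) OBJTYPE(*FILE) USER(PAYCLERK) AUT(*USE)       */
```

When reviewing the DSPAUTL output, remember that an entry for a group profile grants that authority to every member of the group; DSPAUTUSR SEQ(*GRPPRF) lists enabled profiles by their group so you can see how many users an entry really covers.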

How SkyView Policy Minder can Help

 

SkyView Policy Minder is an i & i5/OS security compliance tool that provides a mechanism for comparing your systems' current settings against the requirements of your established (or desired) security policy.  Policy Minder is about "enforcing" your security policy.  Policy Minder is designed to automate the process of keeping your i5/OS and OS/400 security configuration in compliance with your existing security policy.

  • Policy Minder's authorization list category (*AUTL) allows you to monitor who (which users and/or groups) has authority to the authorization lists.  I've seen cases where an authority scheme was architected so that the authorization list was set to *PUBLIC *EXCLUDE and only one or two profiles had authority to the authorization list.  But in one specific case, the implementation of the architecture degraded over time so that it no longer complied with the organization's security policy.  Why was it out of compliance?  A group profile had been given authority to the list and almost every user on the system belonged to that group.  Rather than the list providing exclusionary-based access control, the files secured by the list were available to be accessed by almost every user on the system.  Monitoring the authorization lists by running a compliance check on the *AUTL category would have produced an out-of-compliance report which would have identified that the group profile had been added to the list.
  • Another way that Policy Minder helps you manage authorization lists is through the library and directory authority templates.  These templates allow you to specify the name of the authorization list that is to secure specific libraries, directories and/or other objects.  It also allows you to specify that *PUBLIC authority should come from the authorization list.  If the objects are not secured with the appropriate authorization list, a compliance check identifies which objects aren't secured properly.
  • Finally, running Policy Minder's FixIt function against library or directory templates that are out of compliance attaches the authorization list to the objects and, if desired, points the objects' *PUBLIC authority to come from the authorization list.  And because you can't attach an authorization list to files when the files are in use, the ability to schedule the FIXIT command during a downtime is quite helpful.
How SkyView Risk Assessor can Help
 

SkyView Risk Assessor is an i5/OS & OS/400 security diagnostic tool that performs an automated risk analysis.  Risk Assessor is about "judging" your security configuration against best practices.  Risk Assessor provides comprehensive, easy-to-understand, easy-to-produce and unbiased reports that fulfill the need for regular vulnerability assessments, as specified in nearly every security regulation, specification or standard. 

  • A new report in Risk Assessor version 2.1, the SKYAUTL report, provides a list of the authorization lists on the system together with the users authorized to each list.
 

Carol Woodbury's Bio

Carol Woodbury

Carol Woodbury is President and co-founder of SkyView Partners, Inc. and is the designer and architect of the SkyView Partners' products. 

 

Carol has over 17 years in the security industry, 10 of those working as the Security Architect and Chief Engineering Manager of Security Technology for IBM's Enterprise Server Group.

Who is SkyView Partners?

SkyView Partners Inc. is a firm specializing in security policy and compliance software and services for IBM System i (AS/400, iSeries) customers.


© SkyView Partners, Inc., 2008. All rights reserved.