PowerTech Authority Broker provides a safe way to inherit authority by using a powerful IBM i feature.
In last month's TechTip, I spent some time talking about how users can inherit authority through group profiles. Despite my strong support of group profiles, I warned of the vulnerabilities of groups when not carefully architected. Inheritance of a group's private and special authorities can make users far more powerful than their base profiles might suggest. This risk increases if users are assigned to multiple groups. To help manage this, I suggested using PowerTech Compliance Monitor to quickly and easily report on a user's special authority—including those authorities gained via inheritance from a group.
A lesser-known, but arguably more powerful, inheritance technique is the profile swap. Introduced by IBM to support TCP/IP services, a profile swap allows a job to change midstream to run under a different profile than the one that started it. For example, when the FTP server starts, its "listener" jobs all start and run under the QTCP profile. However, when a user subsequently logs in to FTP and issues a request, we obviously want the authority check to be run against the logged-in user rather than QTCP. To support this, the OS performs a switch from the QTCP profile to the logged-in user before executing the request.
To see this support in the operating system, run the Display Job (DSPJOB) command and select option 1. You will see not only the traditional job name, user, and number at the top of the screen, but also the "current user profile." This normally contains the job user but also indicates when there's an active profile swap. Programmers should note that the RTVJOBA command was enhanced with the current user (CURUSER) parameter to allow the retrieval of the currently active user separately from the original job user. Unless the job user is to be retrieved regardless of an active swap, I recommend using CURUSER instead, as this parameter still returns the job user information if there's no active swap.
Many people ask me if a profile swap is the same as adopting authority—a programmatic technique that allows a user to gain the additive authority of an application program object's owner. A full explanation of authority adoption is outside the scope of this article, but the basic premise also is to provide temporary elevation of authority. There are, however, some distinct differences between adoption and a profile swap:
- Authority adoption works only for native object access and does not carry through to IFS objects. A profile swap is effective in both native and IFS environments.
- Adoption is cumulative for each program called. While several techniques prevent adopted authority from carrying through to a subprogram call, the default setting allows authorities to accumulate. You can adopt the authority of multiple profiles as additional programs are called.
- Profile swapping relinquishes the authority of the original profile before assigning the authority of the swap profile. This enables the unique ability to lower the authority of a user (for example, a user with *ALLOBJ special authority can swap to a profile that has read-only rights before accessing Query.)
- Adoption never alters who the underlying profile is during the adoption process. In contrast, a profile swap literally changes the user to the target user—almost as if they had signed on. The user therefore assumes run-time attributes beyond just authorities, such as default output queue and command line access.
PowerTech Authority Broker removes the heavy lifting associated with profile swaps, and enhances the functionality far beyond the raw API support found in the base operating system. So much functionality, in fact, that IBM used to include it on their CDs!
Authority Broker users can use preauthorized swap profiles to obtain a temporary change in authority. You can run the swap directive from a command line or embed it in a program. This makes the swap transparent to the end user (think contractors and software vendors!) Real-time notifications can advise managers and auditors when users temporarily alter their authority (see Figure 1), and you can run detailed reports of command-line activities after they're done. Of course, Authority Broker supports segregation of duties, time-restricted switching, tamper-proof logging, and activity exporting.
Figure 1: PowerTech Authority Broker satisfies regulatory compliance requirements by controlling and auditing profile swaps for elevated access. (Click image to enlarge.)
Click here for more information on Authority Broker. To learn about the entire line of PowerTech security solutions, visit www.powertech.com.
as/400, os/400, iseries, system i, i5/os, ibm i, power systems, 6.1, 7.1, V7, V6R1
More than ever, there is a demand for IT to deliver innovation. Your IBM i has been an essential part of your business operations for years. However, your organization may struggle to maintain the current system and implement new projects. The thousands of customers we've worked with and surveyed state that expectations regarding the digital footprint and vision of the company are not aligned with the current IT environment.
TRY the one package that solves all your document design and printing challenges on all your platforms. Produce bar code labels, electronic forms, ad hoc reports, and RFID tags – without programming! MarkMagic is the only document design and print solution that combines report writing, WYSIWYG label and forms design, and conditional printing in one integrated product. Make sure your data survives when catastrophe hits. Request your trial now! Request Now.
Forms of ransomware has been around for over 30 years, and with more and more organizations suffering attacks each year, it continues to endure. What has made ransomware such a durable threat and what is the best way to combat it? In order to prevent ransomware, organizations must first understand how it works.
Disaster protection is vital to every business. Yet, it often consists of patched together procedures that are prone to error. From automatic backups to data encryption to media management, Robot automates the routine (yet often complex) tasks of iSeries backup and recovery, saving you time and money and making the process safer and more reliable. Automate your backups with the Robot Backup and Recovery Solution. Key features include:
Business users want new applications now. Market and regulatory pressures require faster application updates and delivery into production. Your IBM i developers may be approaching retirement, and you see no sure way to fill their positions with experienced developers. In addition, you may be caught between maintaining your existing applications and the uncertainty of moving to something new.
IT managers hoping to find new IBM i talent are discovering that the pool of experienced RPG programmers and operators or administrators with intimate knowledge of the operating system and the applications that run on it is small. This begs the question: How will you manage the platform that supports such a big part of your business? This guide offers strategies and software suggestions to help you plan IT staffing and resources and smooth the transition after your AS/400 talent retires. Read on to learn:
LATEST COMMENTS
MC Press Online