Security Patrol discusses security topics and implementation tips and answers your security questions. I welcome questions, recommendations, and suggestions for security topics you would like discussed in detail. Submit your questions to MC-BBS or fax them directly to me at 520-578-7786. I cannot answer every question, but I'll try to publish those questions of a general nature. Please include your phone number.
? Wayne O. Evans, Chief of Security
Q: I tried to use the technique you presented in Security Patrol, MC, December 1994 to prevent Query users from modifying production data with the outfile capability. When I ran the query with an outfile, I was able to overlay production data. I am sending copies of the CL program, command, and user profile. What am I doing wrong?
A: For the benefit of those unfamiliar with the technique, it works by dynamically changing a user's group profile for a job (something not possible with normal OS/400 commands). It involves using a command I wrote called Set Group Profile (SETGRPPRF), which uses some security APIs. SETGRPPRF also allows you to reset the group profile back to what it was.
After carefully checking the program and command, I could find no problems, so I called the system manager and we worked through the example together. We ran the application in Debug looking for a program bug. None could be found; the code worked correctly. The user profile's group profile was changed to a group profile that had read-only access to the data, but still the user could run a query and overlay production data.
I was confused and frustrated, to say the least, until I realized that we were looking in the wrong place. The problem was that the individual user profile had *ALL authority to the production files. Changing the group profile has no effect when the individual user profile has access. The AS/400 first checks for authority in the user profile. It is only when insufficient authority is found in the individual user profile that the authority of the group profile is used.
The end-user profiles should be changed to first specify a group profile with *ALL or *CHANGE access to production files so users can continue to update the production data in other applications. Remove the *ALL authority to the production files for the individual user profile. Execute the Run Query (RUNQRY) command indirectly through a CL program; but, before the program executes RUNQRY, change the group profile to one that doesn't have *ALL or *CHANGE authority by executing the SETGRPPRF command. This will prevent users from overlaying production files in Query. 1 illustrates the before and after structure of authorities and the swap of the group profile during a query.
The end-user profiles should be changed to first specify a group profile with *ALL or *CHANGE access to production files so users can continue to update the production data in other applications. Remove the *ALL authority to the production files for the individual user profile. Execute the Run Query (RUNQRY) command indirectly through a CL program; but, before the program executes RUNQRY, change the group profile to one that doesn't have *ALL or *CHANGE authority by executing the SETGRPPRF command. This will prevent users from overlaying production files in Query. Figure 1 illustrates the before and after structure of authorities and the swap of the group profile during a query.
This security implementation, in which users have access either in their individual user profiles or group profiles, introduces the potential for accidental or intentional access by other techniques. I will discuss this in detail in an upcoming article on application-only access to data.
Q: Our bank is concerned about the powerful authority of the QSECOFR user profile. We have very sensitive data information on our AS/400, such as credit card numbers and PIN numbers. We must prevent access to this data except by the application that validates an individual credit card. Disclosure of the contents of this file would be a serious problem. Is there some way to eliminate the need for this powerful user?
A: You cannot delete the QSECOFR user profile or set the password to *NONE to prevent access. Any user with *ALLOBJ authority can access this sensitive data. You need to control these "super users" by some other means. There are several alternatives.
1. Create applications designed for a specific function to adopt the access of super users. This will reduce the number of times that the super user must sign on. Some examples of useful programs that adopt are load and apply of PTFs, reset of user profile passwords, and auditor tools (including display of the authority to an object and the display of user profiles).
The programs that adopt can use autoprompt characters, so the user authorized to the program can specify the parameters on the command. 2 is an example of a program to load and apply operating system PTFs.
The programs that adopt can use autoprompt characters, so the user authorized to the program can specify the parameters on the command. Figure 2 is an example of a program to load and apply operating system PTFs.
2. Turn on *CMD auditing in the user profile of super users so your audit department can track their actions. The audit will not prevent access but will record all activities.
3. Implement two-level sign-on so another person must authorize the use of powerful super user profiles. An upcoming article will explain this technique.
Security Patrol
Figure 1: Using Group Profile to Restrict Access
User Profile Group Profile Resultant Authority Authority Authority Before *ALL *USE *ALL After *EXCLUDE *ALL *ALL During Query *EXCLUDE *USE *USE
Security Patrol
Figure 2: Example of Adopting Owner's Authority
1. Enter the following source statements for the LOD_APY program.
PGM ? LODPTF ? APYPTF ENDPGM2. Create the program as the security officer using the following command:
CRTCLPGM PGM(LOD_APY) USRPRF(*OWNER) + AUT(*EXCLUDE)3. Grant access to the program for the individuals authorized to make system changes.
LATEST COMMENTS
MC Press Online