Give users the authority they need without giving too much.

By John Earl 

I often receive inquiries about controlling powerful users. The question comes in many forms, but it can be paraphrased like this: "I need to keep one user out of file X. Can you show me how? By the way, the user has *ALLOBJ authority, and we can't take that away."

Even though the second half of the question makes the first half unattainable, many people still haven't grasped this basic concept: *ALLOBJ means all objects. It gives a user access to everything on a system.

I've seen many clever methods of subterfuge designed to inhibit *ALLOBJ users from using their power. Ultimately, these ruses are ineffective: for each door you close, 1000 others remain open. Take away command-line access? They'll use FTP or ODBC. Restrict their access to a library? The *ALLOBJ authority overrides it. Hide their *ALLOBJ authority in their group? They can submit a job as some other user who has access to the resource.

There's only one way to regulate users with *ALLOBJ: watch them! That's the solution recommended by auditing frameworks such as COBIT and ISO 27002. These standards recognize that there will always be someone on each system who has ultimate authority, and the only way to control that person's actions is to review those actions.

Therein lies the rub. If you have 60+ users with *ALLOBJ special authority, who's going to review their activities? How long can a person review reams of joblogs before suicidal notions creep into their thoughts?

There's a better way. Take *ALLOBJ special authority away from all of those users. No, I'm not crazy (well, at least not on this point), and yes, it can be done without grinding production processing to a halt. It's actually quite simple.

You see, *ALLOBJ authority is more a political problem than a technological problem. You can remove *ALLOBJ authority from the majority of your users without affecting their work. But even the people who do need *ALLOBJ tend to need it temporarily and for short periods of time. Nobody needs to exercise this power 24x7, and anyone who insists they do is pulling your leg...or worse.

PowerTech came up with an ingenious solution to this problem. Given that removing *ALLOBJ authority is more of a political problem than a technological problem, we developed a solution that allows users to temporarily gain access to this (or any other) additional authority, yet ensure that it's done with accountability. We call it PowerTech Authority Broker, and the solution is startlingly simple.

Step 1: Create a new user with *ALLOBJ authority and no password (e.g., SECOFR2).

Step 2: Enroll users who need access to higher levels of authority in PowerTech's Authority Broker. As shown in the screen shots below, this is a simple step (about 10 seconds per user).

Step 3: Remove *ALLOBJ authority from all users except one or two system administrators.

Step 4: Show users how to use the Swap Profile (LSWPPRF) and Release Profile (LRLSPRF) commands. These commands temporarily give users more authority than they usually have. No need to force them to ask for permission (though you can if desired), and no need for them to wake you up at 3:00 a.m. when they're troubleshooting an errant production program. They just run the command and obtain more authority. But their actions are tracked and reported on.

The resulting reports can show you all activities that a powerful user performed, be scoped to certain actions at certain times, or just replay typed commands. This flexible reporting meets the needs of auditors, managers, and system administrators.

The reports are concise and cover only the times when someone uses more power. So rather than review reports for 60 users nine hours a day, you typically only have to monitor the activities of several users for a few hours each day. And with fewer users having *ALLOBJ, there are far fewer opportunities for data mishaps that can harm production systems.

Because of new compliance requirements, the days of entire IT staffs wielding *ALLOBJ authority are on their way out. But stripping everyone of special authorities without giving them recourse in case of emergencies is a cure worse than the original problem. PowerTech Authority Broker gives you the tools to keep your system safe. For a free trial, visit http://www.powertech.com/.

John Earl is the founder and Director of Technology and Security for  The PowerTech Group.  a Seattle-area software company that specializes in System i security. He has over 25 years experience with IBM midrange systems and security, has published numerous articles and columns for industry magazines, and served as a Subject Matter Expert (SME) for Security for COMMON. A highly regarded speaker on OS/400 and i5/OS security, Mr. Earl has presented several hundred of iSeries security sessions at industry conferences and user groups all over the world. He is a three-time winner of COMMON's Speaker Excellence award and has also served on the board of directors of COMMON U.S.

 

He can be reached at 253.872.7788 or at This email address is being protected from spambots. You need JavaScript enabled to view it..