It's easy to get ourselves into this situation. We start with a secure system, and over time, one by one, people request a "bump" in authority to complete a specific task. We give an operator *IOSYSCFG so he can recreate a device, we give a new programmer *SAVRST so she can load source code, and we let the project lead have *ALLOBJ on "go-live" night so the new software can get installed. But once we distribute these special authorities, it is difficult to take them away. People get used to them and start to rely on them.
May I Have the Envelope, Please?
Some organizations need to limit access to power—perhaps for an audit requirement—so they create processes to control who has these powerful capabilities. Sometimes, they create a "production access" ID and keep its password in a sealed envelope. But as soon as the envelope is opened, more than one person (the person who created the password and anyone who then uses the password) has that access, making it difficult to attribute actions to an individual—not to mention that this is a low-tech solution to a high-tech problem. If you're at Grandma's house for Thanksgiving and you get a support call, it might be difficult to access that envelope.
Halt! Who Goes There?
Another method is to modify the initial program of a powerful profile so that anyone who signs on as that user goes through a secondary authentication process. For example, if Susan needs access to QSECOFR, she signs on as QSECOFR and is presented with a screen that asks for her own ID and password and the reason for assuming the high-level authority. Unfortunately, this attempt at adding accountability to the process introduces new holes. Shops that use this type of process forget that a 5250 sign-on screen isn't the only way to access an iSeries; the user could gain access with FTP, ODBC, Remote Command, etc. and never be subjected to the secondary authentication process.
Brokering Authority
Many companies came to PowerTech asking how to monitor and manage their powerful users. We understood the problem; we addressed it years ago with a tool we used internally. In 2005, PowerTech released PowerLock AuthorityBroker so that everyone could monitor, control, and report on the activities of powerful users. PowerLock AuthorityBroker enables you to temporarily assign powerful authorities to users and then get a report on their actions. Companies the world over are embracing the AuthorityBroker approach because it provides a clean, simple interface that doesn't inhibit people's ability to get their job done. And its comprehensive set of reports satisfies your auditor's demands to account for the actions of your systems' powerful users.
AuthorityBroker has two operating modes, standard and FireCall, and you can assign IT staff to either mode, depending on your support requirements. In standard mode, IT staff members have a list of user IDs whose authorities they can run under anytime. When they choose a set of authorities, alerts are sent to the appropriate oversight authorities, and activity is recorded in a secure system audit journal. The system administrator can control the dates and times someone can start the process and how long a user can use this authority.
Fire! Fire! Ring the Bell!
Sometimes applications go bump in the night and people who shouldn't normally have high authority need access to production systems at odd hours. You don't want to wake up five people to get approval for the programmer to access the system, but you still need to record what transpired and be able to report on it. FireCall allows you to delegate limited assignment authority to help desk or computer operations personnel and let them assign higher authority to IT staff. Again, every action is monitored and tracked, and complete reporting is available.
AuthorityBroker is unique in the marketplace as it allows you to remove powerful authorities from IT staff members without inhibiting their ability to support production systems. AuthorityBroker ships with i5/OS, so you can experience a 30-day trial by locating your V5R3 or V5R4 CDs or download it from our Web site.
Check out PowerTech's other offerings in the MC Showcase Buyer's Guide.
John Earl is Vice President and CTO of The PowerTech Group. He can be reached at
Business users want new applications now. Market and regulatory pressures require faster application updates and delivery into production. Your IBM i developers may be approaching retirement, and you see no sure way to fill their positions with experienced developers. In addition, you may be caught between maintaining your existing applications and the uncertainty of moving to something new.
IT managers hoping to find new IBM i talent are discovering that the pool of experienced RPG programmers and operators or administrators with intimate knowledge of the operating system and the applications that run on it is small. This begs the question: How will you manage the platform that supports such a big part of your business? This guide offers strategies and software suggestions to help you plan IT staffing and resources and smooth the transition after your AS/400 talent retires. Read on to learn:
LATEST COMMENTS
MC Press Online