Best Practices for Managing Elevated IBM i Authorities – Part 2
This article on managing elevated IBM i authorities was originally published in Enterprise Executive. Part one of this two-part post focused on how elevated authorities can create the risk of a data breach, how IBM i users can obtain elevated authorities, the challenges of managing elevated authorities, and the role of elevated authority management solutions. This part explores the methods for elevating authority and shows how Assure Elevated Authority Manager lets you take complete control of elevated user authority.
Methods for elevating authority
IBM i supports two ways to elevate authority within a running IBM i job. The first is program-adopted authority. Adopted authority is controlled by the USRPRF(*OWNER) attribute of a *PGM object and allows the temporary “adoption” of the program owner’s authority while the program is running in a job. Once the program that adopts authority returns, the adopted authority is no longer used as a source of authority in the job.
The second way to elevate the authority of an IBM i job is to use a technique called profile swap. With profile swap, the current user of the job is “swapped” from one user to another. For example, if user JANE signs on, the current user of the job is JANE. By using profile swap, the current user can be changed from JANE to DEVPOWER to elevate authority in the job. When a profile swap occurs, all audit records reflect the swapped user as the current user of the job. The job name itself does not change so there is still some tracking in the audit record that reflects JANE, but the current user reflects the swapped-to user.
If developer JANE’s boss asks her to debug and fix an urgent issue and she can’t do it with her normal authority, she needs to elevate her authority to a profile with full authority. In this example, there are two methods for elevating JANE’s authority:
- *SWAP: The elevated process swaps from JANE to DEVPOWER, and the Current user becomes DEVPOWER. In this case, activity in the system will be logged with DEVPOWER as Current user, not JANE, even though the Job user remains JANE.
- *ADOPT: The elevated process adds DEVPOWER’s authority to JANE’s current job without changing the Current user. It temporarily adds this authority for all the tasks run afterward until control returns to the previous program.
File systems on the IBM i have different security semantics when the system performs authority checks for an object being accessed by a user. The QSYS.lib file system allows the use of program-adopted authority to gain access to QSYS.lib objects (such as *FILE or *DTAARA objects). However, IFS file systems do not allow the use of program-adopted authority when accessing their objects (such as *DIR, *STMF, *DOC or *FLR). Because of these differences, elevated authority management tools must be able to handle both the QSYS.lib file system and the IFS file systems.
To cover authority requirements for all file systems on the IBM i, elevated authority management tools need to support both *SWAP and *ADOPT methods of temporarily elevating authority.
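A small Python model of the two elevation paths and the file-system difference described above, added here as an illustration; it is not IBM i code or part of Precisely’s product. The profiles, objects and authority table are constructed, and the model calls no IBM i API.

```python
# Toy model of IBM i elevation: *ADOPT vs *SWAP, QSYS.lib vs IFS checks.
# Constructed for illustration only; not an IBM i API.
from dataclasses import dataclass, field

QSYS_TYPES = {"*FILE", "*DTAARA"}              # QSYS.lib object types
IFS_TYPES = {"*DIR", "*STMF", "*DOC", "*FLR"}  # IFS object types

# Constructed authority table: profile -> objects it is authorised to
AUTHORITY = {
    "JANE": {"JANELIB/NOTES *FILE"},
    "DEVPOWER": {"PRODLIB/ORDERS *FILE", "/prod/config.xml *STMF"},
}

@dataclass
class Job:
    job_user: str
    current_user: str
    adopt_stack: list = field(default_factory=list)  # owners of adopting programs on the stack
    audit: list = field(default_factory=list)        # (job user, current user, object, allowed)

    def swap(self, target):              # *SWAP: current user changes, job user does not
        self.current_user = target

    def call_adopting_pgm(self, owner):  # *ADOPT: owner's authority added while program runs
        self.adopt_stack.append(owner)

    def return_from_pgm(self):           # adopted authority ends when the program returns
        self.adopt_stack.pop()

    def check(self, obj, obj_type):
        key = f"{obj} {obj_type}"
        sources = [self.current_user]
        if obj_type in QSYS_TYPES:       # only QSYS.lib honours program-adopted authority
            sources += self.adopt_stack
        allowed = any(key in AUTHORITY.get(p, set()) for p in sources)
        # the audit record names the current user, never the adopting program's owner
        self.audit.append((self.job_user, self.current_user, key, allowed))
        return allowed

def demo():
    r, j = {}, Job("JANE", "JANE")
    j.call_adopting_pgm("DEVPOWER")
    r["adopt_qsys"] = j.check("PRODLIB/ORDERS", "*FILE")     # True: adoption works in QSYS.lib
    r["adopt_ifs"] = j.check("/prod/config.xml", "*STMF")   # False: IFS ignores adoption
    r["adopt_current_user"] = j.audit[-1][1]                 # "JANE": current user unchanged
    j.return_from_pgm()
    r["after_return"] = j.check("PRODLIB/ORDERS", "*FILE")   # False: adoption gone
    j.swap("DEVPOWER")
    r["swap_ifs"] = j.check("/prod/config.xml", "*STMF")    # True: swap covers IFS too
    r["swap_current_user"], r["swap_job_user"] = j.audit[-1][1], j.audit[-1][0]
    return r
```

Running demo() shows why a tool supporting only *ADOPT cannot cover IFS objects, and why *SWAP audit records must be correlated with the job user to trace activity back to JANE.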
Assure Elevated Authority Manager
Assure Elevated Authority Manager, a feature of Precisely’s Assure Security, lets you take complete control of elevated user authority and makes it easy to manage requests for elevated authority on demand. With complete control of IBM i user authorities, your organization can implement best practices that meet the most stringent regulatory requirements mandated by SOX, PCI-DSS, HIPAA, GDPR, and others.
Automate authority management
Requests for elevated authority can be held and manually granted by the administrator, or they can be granted automatically based on rules. Rules are established for pairs of requesting and requested profiles based on group profiles, supplemental groups, lists of users and command-line access.
Rules also provide the context around which requests can be granted, including the day of the week, date range, time range, job name, IP address and more. Through integration with Precisely’s Assure System Access Manager, elevated authority can also be managed for external processes connecting through ODBC, JDBC, DRDA, FTP and more.
Choose the method for elevating authority
Both the *SWAP and *ADOPT methods of granting elevated authority are supported. The method to use for elevating authority can be defined through rules.
Satisfy auditors with reports and audit logs
If a user’s request for elevated authority is granted, the tool gives the user’s job the authority of the target profile, launches the command defined in the rule, places the job under its control and starts logging job activity. To ensure a complete audit trail, multiple sources are used for logging activity including job logs, screen captures, and system and database journals. Job logs can also be enriched with SQL statements, FTP functions and more. When the command completes, the elevated authority management tool restores the authority of the initial profile, stops logging the job activity and records the log.
Graphical and 5250 displays are provided to show currently elevated user profiles, how long they’ve been elevated and more. Alerts are delivered on events, such as exceeding authorized time, via email, popup, and Syslog. Reports can also be produced in a variety of formats.
Log user activity without elevating authority
For those users who have *ALLOBJ and other special authority, a *LOG option is available to log all user activity without changing authorities. Users can do their jobs while a complete audit trail is created without having to elevate authority.
Security best practice is to prevent powerful users from changing system values unless their actions are being logged. With Assure Elevated Authority Manager’s *LOG option, users with powerful authorities can simply be preapproved with a valid ticket number, and their actions are then logged.
Segregate duties and track admin activities
Assure Elevated Authority Manager, when configured to grant an administrator’s authorities, enforces segregation of duties. Authorities can be given when administrators log on, and their activities can be logged all day. This allows privileged activities to be tracked, without slowing down the administrator’s ability to do his or her job.
Reduce security risks due to human error
It’s all too easy for an administrator to forget to revoke elevated authority when it is no longer needed. Assure Elevated Authority Manager helps to eliminate security vulnerabilities caused by innocent mistakes by automatically reducing authority after the allowed period of time.
Integrate with help desk
Assure Elevated Authority Manager can also be integrated with your help desk ticketing systems for more convenient management. The user requesting elevated authority enters a description of what he or she will do, then his or her actions can be compared with the log. This system of checks and balances adds another layer of security while removing a layer of complexity from the authority management process.
Summary
Privileged access, or elevated authority, gives users powerful access to IBM i systems that can lead to, or be defined as, a data breach. When users have too much power or authority for longer than they need it to do their jobs, it creates security risks and noncompliance situations.
When elevated authority is required to accomplish specific tasks, those actions taken when operating with higher privilege should be monitored and logged to validate compliance. Even administrators who frequently require elevated authority for their day-to-day operations should have their authority managed and their actions tracked to ensure proper separation of duties.
Without a reliable way to manage elevated authority, organizations are vulnerable to data security incidents and regulatory compliance penalties. Automating the process via an elevated authority management tool can help organizations keep sensitive data safe, and can build in greater IT efficiencies.
To learn more about the top IBM i security challenges, strategies, technologies and best practices of surveyed IT pros, read our eBook.