September 3, 2024 | IBM i

Limiting and Controlling IBM i Users with Special Authorities


Too many IBM i programmers, consultants, vendors, admins, and power users have elevated special authority on production systems, especially Security Officer (*SECOFR) users and users possessing All Object (*ALLOBJ) authority. Having too many IBM i users with elevated authorities increases security risks including malware infections; ransomware corruption; unauthorized data disclosure, update, and deletion; and audit and compliance violations.  

 

This blog article offers some suggestions for limiting and controlling users possessing elevated special authorities. We present an IBM i Special Authority Management Gameplan for your consideration when cutting back on system users with too much elevated special authority. 

Why Control Special Authority Usage 

Some users legitimately need *ALLOBJ and *SECOFR authorities for production system processing, including vendors working on system upgrades, consultants assigned to IBM i-related projects, and admins for software installation and configuration.  

 

Legitimate special authority usage must be controlled to increase security, auditing, and compliance. Here are the top reasons that IBM i shops should reduce, manage, and monitor special authorities for IBM i production users. 

  • Provide data protection against unauthorized access, data exposure, and data theft 
  • Ensure data integrity against intentional and accidental corruption/deletion 
  • Protect against malware, virus, and ransomware infections 
  • Satisfy audit, compliance, and reporting requirements 
  • Enforce segregation of duties 
  • Reduce the need for multiple user accounts 

The IBM i Special Authority Management Gameplan 

While you cannot eliminate special authority usage, you can minimize the number of users with elevated authorities, provide emergency usage, and document special authority usage for auditors and regulators. This Special Authority Management Gameplan can help you control which users possess IBM i authorities for *ALLOBJ, *SECOFR, and Security Administrator (*SECADM). Other special authorities should also be watched, but in general, controlling these authorities provides the biggest benefits for IBM i.

 

Below is a five-step IBM i Special Authority Management Gameplan for limiting elevated user authorities on IBM i systems. Consider following these steps to limit your own special authority users and meet the goals listed above.  

 

1. Designate software to be used for user authority management
2. Inventory all users with IBM i special authorities
3. Eliminate permanent excessive special authorities as identified
4. Grant and revoke special authorities as needed
5. Use reports and historical data for auditing special authority usage 

Here are the plan details and items to consider for each plan step. 

Step #1: Designate software to be used for user authority management 

Decide what software you can use to secure user special authorities. User authority management solutions such as iSecurity Authority on Demand can strip away unnecessary elevated authorities and provide moderated access to special authorities on a temporary basis. Solutions like iSecurity Authority on Demand can also retain a complete audit trail of what a user does when they invoke their temporary higher object authority, making compliance easier to achieve. 

Step #2: Inventory all users with IBM i special authorities 

The first step in controlling user special authorities is to identify who has those authorities. Next, you will need to analyze what authorities each user actually needs to perform their day-to-day duties, according to the Principle of Least Privilege (PoLP). Finally, you need to restrict their special authority access to the lowest level needed daily and have a method to grant elevated special authorities when required. 

 

You can easily create a file of all users and their attributes by running this Display User Profile (DSPUSRPRF) command. 

 

DSPUSRPRF USRPRF(*ALL) OUTPUT(*OUTFILE) OUTFILE(lib_name/file_name) 

 

You can then use SQL statements over the OUTFILE to find all the users who are either security officers or have *ALLOBJ/*SECADM authority.  
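One way to write the query described above, as an added example that is not part of the original article: it lists profiles that hold the authority directly, plus members who inherit *ALLOBJ or *SECADM from their primary group profile. The column names (UPUPRF, UPUSCL, UPSPAU, UPSTAT, UPGRPF) are assumed from the IBM-supplied DSPUSRPRF outfile layout; confirm them with DSPFFD FILE(lib_name/file_name) before relying on the result.

```sql
-- Added example. lib_name.file_name is the OUTFILE written by the
-- DSPUSRPRF command above (SQL naming; use lib_name/file_name with
-- system naming). Column names are assumed from the QADSPUPB layout.
WITH profiles AS (
    SELECT UPUPRF,   -- user profile name
           UPUSCL,   -- user class (*SECOFR, *SECADM, *PGMR, ...)
           UPSPAU,   -- special authorities held by this profile
           UPSTAT,   -- *ENABLED / *DISABLED
           UPGRPF    -- primary group profile, or *NONE
    FROM lib_name.file_name
)
-- 1) Profiles that are security officers or hold the authority directly
SELECT p.UPUPRF AS user_profile,
       p.UPUSCL AS user_class,
       p.UPSTAT AS status,
       'OWN PROFILE' AS auth_source,
       p.UPSPAU AS special_authorities
FROM profiles p
WHERE p.UPUSCL = '*SECOFR'
   OR p.UPSPAU LIKE '%*ALLOBJ%'
   OR p.UPSPAU LIKE '%*SECADM%'

UNION ALL

-- 2) Members who inherit the authority from their primary group.
--    These users look harmless when only their own UPSPAU is checked.
SELECT m.UPUPRF,
       m.UPUSCL,
       m.UPSTAT,
       'GROUP ' CONCAT TRIM(g.UPUPRF),
       g.UPSPAU
FROM profiles m
JOIN profiles g
  ON m.UPGRPF = g.UPUPRF
WHERE g.UPSPAU LIKE '%*ALLOBJ%'
   OR g.UPSPAU LIKE '%*SECADM%'

ORDER BY 1, 4;
```

Supplemental groups also pass special authorities to their members and are not covered by this query, so review them the same way. Disabled profiles are kept in the result because they still hold the authority if re-enabled.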

 

Once you have identified the users with excessive special authorities, analyze what authorities they require to perform their daily duties. Designate which users can be stripped of elevated special authorities.  

Step #3: Eliminate permanent elevated special authorities as identified 

Using the inventory list of users with special authorities, remove elevated authorities for any designated users who do not need those authorities for their day-to-day duties. Document any exceptions for users who must retain permanent elevated special authorities.  

Step #4: Grant and revoke special authorities as needed  

Use your user authority management software to grant and revoke elevated special authorities as needed. Some users will need elevated authorities for vendor installs, maintenance, data integrity, and emergencies such as ransomware attacks. Packages like iSecurity Authority on Demand (AOD) can grant a user temporary special authorities as approved and revoke those authorities when the approved tasks are completed. For regulatory purposes, look for packages that include documentation of the date special authority access was activated, the date when access will expire, the specific dates and times the user logged on to the system, who granted access, and documentation about why the access was granted.

Step #5: Use reports and historical data for auditing special authority usage 

Auditors always want to know who has elevated special authorities and when they have accessed them. This can be difficult to document manually, and it is extremely time-consuming. Even worse, your manual efforts may not comply with regulations. 

 

Historical data and reporting for special authority usage are particularly valuable in audit reviews and for forensic review after a system incident occurs. Look for solutions that have reporting capabilities. Working with a user authority management system, packages such as iSecurity Capture provide screen capture capability. All activity for a particular IBM i user with special authorities can be recorded for later review to ensure quality work and for forensic analysis.

Managing Special Authorities for Security, Auditing, Compliance 

The IBM i Special Authority Management Gameplan outlined here shows there is an uncomplicated way to provide users the elevated authorities they need, to revoke elevated authorities when they are no longer needed, and to track everything the user does. Using a solution such as iSecurity Authority on Demand, companies can ensure that their vendors, consultants, programmers, admins, and power users have access to the privileges they need, with a complete audit trail of what was done.