Secure Your System: What is IBM iSecurity Authority Collection & Why Do You Need It?
You often hear about how secure the IBM i is and the fact that it cannot become infected with a virus. The truth of the matter is that the IBM i doesn’t come secured. It’s up to Security Administrators to provide users with the authorities they need to complete their tasks. Too often, users have more authority than they need to system, application, and database objects, and unless you have a breach you may not even know that this is the case.
IBM introduced a new feature in IBM i 7.3, which easily identifies your current object level security by individual users and what security level each user really need to do their jobs. The Security Authority Collection feature was designed to help security administrators understand the lowest level of authority an object needs in order for the user to perform their tasks within an application. Often objects are granted more authority than they need and excess object authority puts the entire system at risk. The new Authority Collection feature now makes it easy for administrators to understand where they can improve their object level security.
How does it work?
As part of the IBM i 7.30 base operating system, there’s a new Start Authority Collection command (STRAUTCOL) that the Security Administrator can run, which will start the collection of authority checking data for a user. The collection is done by individual user profile, and authority checking data can be collected over multiple users at the same time. As the users access their applications, the collection gathers the data. The information is stored in an authority checking repository for each user that can then be queried to understand the user’s required object level authorities.
The repository includes information about the user, the object it accessed, the user’s authorities, each object’s required authorities for user access, along with a ton of other useful information. The most important piece of information is the required authority for an object, because it details the authority the user needs to each object in order to pass the authority check done by the operating system. This is key to ensuring that the programs will run as expected.
Why do you need it?
Many shops have a false sense of security, when it comes to their objects. You may think that while the user normally accesses an object through the application, and since your application allows you to define what they can do within the application itself, that your objects are secure. But, you’re wrong. When you provide a user with *CHANGE rights to an object, that means the object is no longer secure and the user can change that data whether they do it within the application or if they go outside the application. *CHANGE authority allows users to update or even delete the object. A user could access the file through FTP for example, and either change the data or accidentally delete it, even if the application doesn’t allow them to delete data. This is why it is so important for Security Administrators to be able to easily understand what object level security is really needed by the user.
What it isn’t
While authority collection is a great tool for any security administrator to truly understand the lowest level of authority a user needs in order to access an object, it doesn’t actually fix any of the problem areas for you. It’s a tool to help you to analyze what authority a user currently has to an object and what they really need to have. It’s up to you to actually take the steps to execute your findings.
It’s also important that you end the authority collection when you are done with your analysis; otherwise the collection will eat up disk for its data and can impact system performance with its consumption of system resources.
