Authority Adoption Control
One of the most critical components of IBM i (OS/400) security is the ability to restrict the authority to perform actions and to access objects to specific individual users. Data entry clerks cannot work with payroll data or change program source code. Programmers cannot update the customer master file or record cash receipts.
Unfortunately, IBM i (OS/400) also allows a program run by one user to "adopt" the authorities of another user. A user with some programming knowledge could create a program that adopts authority in order to gain access to critical databases. Under this scenario, a programmer could use his or her knowledge to get into the customer master file.
Authority adoption is an intentional waiver of control. Action provides several tools that enable administrators to control who can create programs that adopt authority, and which programs may adopt which specific authorities. Several reports and queries are provided to facilitate a complete audit trail of activities related to the creation and use of adopted authority.
To work with authority adoption, select 22. Authority Adoption from the Action Main menu.
AUADPMN              Authority Adoption               iSecurity/Action
                                                       System: RLDEMO
Select one of the following:

Control Adopting Programs
  1. Authorize Users to Create

Analyze Adopting Programs
 11. Print All Programs
 12. Print Program Changes

Analyze Use of Adopted Authority
 41. Display Log - Actual Use
 45. Display Log - Programs Created

Selection or command
===>

F3=Exit  F4=Prompt  F9=Retrieve  F12=Cancel  F13=Information Assistant  F16=System main menu
Controlling program authority adoption is implemented at two levels:
- Controlling which users may create programs that adopt authority
- Authorizing which specific authorities a program may adopt
Authorizing Users for Program Authority Adoption
Action enables you to restrict the creation of programs that adopt authority to specific users. To work with the list of authorized users:
- Select Authorize Users to Create from the Authority Adoption menu.
- Set the General Authority parameter to *BYLIST.
- Press F6 to add users to the list. Enter the authorized user profile names and press Enter when finished.
Analyze Programs that Use Adopt Authority
Print all programs that adopt authority, or print program changes only.
- Select Print All Programs from the Authority Adoption menu.
- Set the parameters and press Enter to print.
- Select Print Program Changes to view the program changes only.
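The two reports above (all adopting programs, and changes since the last run) together with the *BYLIST of authorized creators amount to a simple comparison that can also be scripted. The following added example is not part of iSecurity/Action: it diffs two constructed snapshots of program attributes (the comma-separated format, and the idea of exporting DSPPGM/PRTADPOBJ output into it, are assumptions) and flags newly adopting programs whose creator is not on the authorized list.

```python
# Added example (not iSecurity/Action code): diff two snapshots of program
# attributes and flag new adopting programs created by profiles that are not
# on the authorized (*BYLIST) list. Snapshot format is constructed here:
# library,program,owner,USRPRF,USEADPAUT,creator on each line.

def parse_snapshot(text):
    """Return {'LIB/PGM': (owner, usrprf, useadpaut, creator)}."""
    programs = {}
    for line in text.strip().splitlines():
        fields = [f.strip().upper() for f in line.split(",")]
        if len(fields) != 6:
            raise ValueError("malformed line: %r" % line)
        lib, pgm, *attrs = fields
        programs[lib + "/" + pgm] = tuple(attrs)
    return programs

def adopting(programs):
    """Only programs with USRPRF(*OWNER) adopt their owner's authority."""
    return {k: v for k, v in programs.items() if v[1] == "*OWNER"}

def program_changes(before, after, authorized):
    """Added/removed/changed adopting programs, plus unauthorized creators."""
    old = adopting(parse_snapshot(before))
    new = adopting(parse_snapshot(after))
    auth = {u.upper() for u in authorized}
    added = sorted(set(new) - set(old))
    removed = sorted(set(old) - set(new))
    changed = sorted(k for k in set(old) & set(new) if old[k] != new[k])
    unauthorized = sorted(k for k in added if new[k][3] not in auth)
    return {"added": added, "removed": removed,
            "changed": changed, "unauthorized": unauthorized}

# Constructed sample snapshots: one program switched to adopt, one new
# adopting program, one deleted and one whose USEADPAUT attribute changed.
BEFORE = """
PAYLIB,PAYUPD,PAYOWN,*OWNER,*YES,SECADM
HRLIB,HROLD,HROWN,*OWNER,*YES,SECADM
CUSTLIB,CUSTINQ,CUSTOWN,*USER,*YES,DEVUSR
"""
AFTER = """
PAYLIB,PAYUPD,PAYOWN,*OWNER,*NO,SECADM
CUSTLIB,CUSTINQ,CUSTOWN,*OWNER,*YES,DEVUSR
CUSTLIB,CUSTFIX,CUSTOWN,*OWNER,*NO,DEVUSR
"""
AUTHORIZED = {"SECADM"}  # the profiles on the *BYLIST

if __name__ == "__main__":
    for kind, names in program_changes(BEFORE, AFTER, AUTHORIZED).items():
        print(kind, ", ".join(names) or "-")
```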
Analyze Use of Adopted Authority
The menu provides options to display the audit history log, showing:
- creation of, and changes to, programs that adopt authority
- activity and transactions that use adopted authority
To use this feature, you must have Audit installed and properly configured to record these activities in the log. Instructions for using the display log feature appear in the Audit User manual.