Authority Adoption Control

One of the most critical components of IBM i (OS/400) security is the ability to restrict the authority to perform actions and to access objects to specific individual users. Data entry clerks cannot work with payroll data or change program source code. Programmers cannot update the customer master file or record cash receipts.

Unfortunately, IBM i (OS/400) also provides that ability for programs run by one user to “adopt” the authorities of another user. A user with some programming knowledge could create a program that adopts authority to gain access to critical databases. Under this scenario, programmer could use his or her knowledge to get into the customer master file.

Authority adoption is an intentional waiver of control. Action provides several tools that enable administrators to control who can create programs that adopt authority, and which programs may adopt which specific authorities. Several reports and queries are provided to facilitate a complete audit trail of activities related to the creation and use of adopted authority.

To work with authority adoption, select 22.Authority Adoption from the Action Main menu.

 AUADPMN​                     ​  Authority Adoption ​             ​ iSecurity/Action
                                                             ​ System:​  ​ RLDEMO  
 Select one of the following:​                                                   
                                                                                
 Control Adopting Programs             ​                                         
  ​  1. Authorize Users to Create       ​                                         
                                                                                
                                                                                
 Analyze Adopting Programs             ​                                         
  ​ 11. Print All Programs                ​                                       
  ​ 12. Print Program Changes             ​                                       
                                                                                
                                                                                
 Analyze Use of Adopted Authority    ​                                           
  ​ 41. Display Log - Actual Use        ​                                         
  ​ 45. Display Log - Programs Created    ​                                       
                                                                                
                                                                                
 Selection or command                  ​                                         
 ===>​                                                                           
                                                                                
 F3=Exit   F4=Prompt   F9=Retrieve   F12=Cancel                                ​ 
 F13=Information Assistant  F16=System main menu                                
                                                                               ​ 

Controlling program authority adoption is implemented at two levels:

  • Controlling User Program Authority Adoption

  • Adopting specific authorities authorization

Authorizing Users for Program Authority Adoption

Action enables you to restrict the program adoption for specific users. To work with the list of authorized users:

  1. Select Authorize Users to Create from the Authority Adoption menu.

  1. Set the General Authority parameter to *BYLIST.

  2. Press F6 to add users to the list. Enter authorized user profile names. Press Enter when finished

Analyze Programs that Use Adopt Authority

Print all programs using Action or Print programs changes only.

  1. Select Print All Programs from the Authority Adoption menu.

  1. Set the parameters and press Enter to print.

  2. Select Print Program Changes to view the programs changes.

Analyze Use of Adopted Authority

The menu provides means to display the audit history log showing:

  • creation of/changes to programs that adopt authority

  • activity/transactions that use adopted authority

To use this feature, you must have Audit installed and properly configured to record these activities in the log. Instructions for using the display log feature appear in the Audit User manual.