Chapter 5: Authority Adoption Control
One of the most critical components of IBM i (OS/400) security is the ability to restrict the authority to perform actions and to access objects to specific individual users. Data entry clerks cannot work with payroll data or change program source code. Programmers cannot update the customer master file or record cash receipts.
Unfortunately, IBM i (OS/400) also provides the ability for a program run by one user to “adopt” the authorities of another user (typically the program's owner). A user with some programming knowledge could create a program that adopts authority in order to gain access to critical databases. Under this scenario, a programmer could use his or her knowledge to get into the customer master file.
Authority adoption is therefore an intentional waiver of control, and it must be managed as such. Action provides several tools that enable administrators to control which users can create programs that adopt authority, and which programs may adopt which specific authorities. Several reports and queries are provided to support a complete audit trail of activities related to the creation and use of adopted authority.
Authority Adoption
To work with authority adoption, select 22. Authority Adoption from the Action Main menu.
Figure 59: Authority Adoption
Controlling Program Authority Adoption
Controlling program authority adoption is implemented at two levels:
- Controlling which users may create programs that adopt authority
- Authorizing which specific authorities a program may adopt
Authorizing Users for Program Authority Adoption
Audit enables you to restrict program authority adoption to specific users. To work with the list of authorized users:
- Select Authorize Users to Create from the Authority Adoption menu.
- Set the General Authority parameter to *BYLIST.
- Press F6 to add users to the list. Enter the authorized user profile names and press Enter when finished.
Figure 60: Working with Users Authorized to Adoption Programs
Parameter | Description
--- | ---
General authority | *ALL = All users are authorized to adopt program authority (not recommended). *BYLIST = Only the users on the list are authorized to adopt program authority.
Opt | 4 = Delete user profile from list
F8 | Print list of authorized users
Analyze Programs that Use Adopt Authority
Using Action, you can print all programs that adopt authority, or only the programs that have changed.
- Select Print All Programs from the Authority Adoption menu. The following screen appears.
Figure 61: Programs Authorized to Adopt Authority
- Set the parameters and press Enter to print.
- Select Print Program Changes to view only the programs that have changed.
Analyze Use of Adopted Authority
The menu provides a means to display the audit history log showing:
- creation of, and changes to, programs that adopt authority
- activity and transactions that use adopted authority
To use this feature, Audit must be installed and configured to record these activities in the log. Instructions for using the display log feature appear in the Audit User Manual.
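As an added illustration of the two analyses above (programs that adopt authority, and use of adopted authority), the following queries use the native IBM i SQL catalog views rather than the Action or Audit products; they are not part of this manual's product. The view and column names (QSYS2.PROGRAM_INFO, QSYS2.USER_INFO, QSYS2.DISPLAY_JOURNAL) are assumed to match the IBM i SQL services documentation for your release and should be verified there; the second query also assumes the *PGMADP audit value is active so that AP entries are written to QAUDJRN.

```sql
-- Added example, not the Action/Audit product's own code.
-- Query 1: programs and service programs that adopt their owner's authority
-- (USRPRF(*OWNER)), ranked so that programs owned by profiles holding *ALLOBJ
-- or *SECADM appear first. Catalog column names are an assumption to verify.
SELECT p.program_library,
       p.program_name,
       p.object_type,
       p.program_owner,
       u.special_authorities,
       p.use_adopted_authority          -- *YES: also passes adopted authority to callees
  FROM qsys2.program_info p
  JOIN qsys2.user_info u
    ON u.authorization_name = p.program_owner
 WHERE p.user_profile = '*OWNER'        -- the program adopts authority
   AND p.program_library NOT LIKE 'Q%'  -- skip IBM-supplied libraries
 ORDER BY CASE WHEN u.special_authorities LIKE '%*ALLOBJ%' THEN 0
               WHEN u.special_authorities LIKE '%*SECADM%' THEN 1
               ELSE 2
          END,
          p.program_library, p.program_name;

-- Query 2: use of adopted authority in the last 7 days, read from the system
-- audit journal (journal code 'T', entry type 'AP'). Each row records the job,
-- the user and the adopting program, which is the trail an auditor reviews.
SELECT entry_timestamp,
       user_name,
       qualified_job_name,
       program_name,
       object
  FROM TABLE (
         qsys2.display_journal(
           'QSYS', 'QAUDJRN',
           STARTING_TIMESTAMP  => CURRENT TIMESTAMP - 7 DAYS,
           JOURNAL_CODES       => 'T',
           JOURNAL_ENTRY_TYPES => 'AP'))
 ORDER BY entry_timestamp DESC;
```

Programs surfaced by the first query should be compared against the Action authorized-user list and the Print All Programs report; any adopting program whose owner holds *ALLOBJ and whose library is writable by ordinary users deserves immediate review.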