SecureMyi.com Security and Systems Management Newsletter for the IBM i iSeries and AS/400 - April 23, 2014 - Don't be Fooled by an Authorization List

Tweet
SecureMyi.com Security and Systems Management Newsletter for the IBM i April 23, 2014 - Vol 4, Issue 7

	Feature Article Don't be Fooled by an Authorization List By Dan Riehl - SecureMyi.com Authorization lists allow you to secure several different objects that have the same object-level authorities by using a template approach, rather than maintaining the list of object authorities within each individual object. I think many people shy away from using authorization lists because they don't understand the lists' function. But when you think of an authorization list as simply an authorization template to be applied to many objects, it seems to make a bit more sense. The best way to secure objects on the IBM i is by using a combination of group profiles and authorization lists. Doing so greatly eases maintenance tasks. In auditing numerous systems over the years, I find that when authorization lists are used, there is often an error in setting the PUBLIC authority, private authorities, and ownership of the objects secured by the list. There can also be errors due to improper ownership of the authorization list itself. Among IBM i professionals, I've noticed three main misconceptions* about using an authorization list: When we secure an object using an authorization list (AUTL), we believe that we can view all the authorities to the object by simply viewing the authorization list. In effect, we are able to ignore the authorities that are set within the object itself. AUTL is the only authority in effect. We also believe that since the authorization list contains a setting for PUBLIC authority, the PUBLIC authority specified in the authorization list will be applied to all objects secured by the list, regardless of what is specified in the object for PUBLIC authority. The third issue is that we ignore the owner of the authorization list, since that will have no bearing on the authority to the objects secured by the list. Let's look at some examples to try to dispel these common misconceptions. In Figure 1, below, the PRODLIB_O authorization list is owned by PAYUSER, providing ALL authority to the authorization list to PAYUSER. The PUBLIC authority to the authorization list is set to EXCLUDE. Private authorities have been granted to GROUP_IT, GROUP_OPS, and QPGMR. *Read More . .* Note: The Featured Video in this issue presents another look at this Authorization List Example. Another Note: The Security Shorts Column in this issue presents an added benefit to using Authorization Lists.
In This Issue Featured Article - Authorization Lists Security Shorts - Authorization Lists Featured Video - Authorization Lists Industry News and Calendar Security Resources Quick Links Search Security Site for IBM i and i5/OS SecureMyi Website Security Training from The 400 School SecureMyi Newsletter Home/Archives Our Newsletter Sponsors Platinum Sponsor The 400 School, Inc Gold Sponsor PowerTech Skyview Partners, Inc Silver Sponsor Cilasoft Security Solutions	IBM i Security Resources IBM i Security Videos - SecureMyi SecureMyi Newsletter Archives Search Security for IBM i IBM i Security Ref - 6.1 IBM i Security Ref - 7.1 QAUDJRN Entries By AUDLVL QAUDJRN Entry Layouts RedBook - Security Guide IBM i Open Security Foundation - DataLoss DB National Vulnerability Database - NIST PCI Data Security Standard COBIT - ISACA HIPAA Resources HITECH Enforcement CISSP - Certification
Featured YouTube Educational Video IBM i Security Misconceptions when Using an Authorization List Cannot Access YouTube from your office? Download the video in wmv format.
Live Security Related Webcasts and Training for IBM i April Events The Hacker's View of Cyber Security With Mel Beckman and Robin Tatam Live Webcast - Presented by iProDeveloper Sponsored by Powertech Tuesday, April 29 1:00pm CDT More Information and Register to Attend April 29 - May 1 - InfoSecurity EUROPE 2014 Earl's Court, LONDON Free to Attendees - 325 Exhibitors Look for Cilasoft which is exhibiting at this event For More Information May Events May 4-7 - COMMON - A User Group 2014 Annual Conference and Exposition - Orlando, FL More Information and Register to Attend Coffee with Carol: with Carol Woodbury Security Considerations for Application Development including PCI Requirements Live Webcast - Presented by Skyview Partners Wednesday, May 14 10:00am CDT More Information and Register to Attend June Events Live Hands-On - IBM i System Administration and Control Workshop with Dan Riehl Training Workshop - June 2-6 - Presented by The 400 School, Inc. Dan Riehl presents this 5-Day Live Online Hands-on Workshop. More Information and Register to Attend Coffee with Carol: with guest presenter Patrick Townsend Encrypting Data with FIELDPROC - No Application Changes! Live Webcast - Presented by Skyview Partners Thursday, June 12 10:00am CDT More Information and Register to Attend
Security Shorts - Gain Flexibility with Authorization Lists By Dan Riehl The Feature Article in this issue of the SecureMyi Newsletter discusses the topic of Authorization Lists, and how they are often misunderstood. I did not mention that additional flexibility can be gained by securing libraries and other objects with an authorization list rather than with a list of private and PUBLIC authorities. In a recent case, a customer wanted to change the PUBLIC authorization on certain production libraries from CHANGE, to the more restrictive USE. This needed to be done in order to keep users from adding new objects into the production libraries. If a user has CHANGE authority to a library, the user can add new objects to the library. But, if the user has only USE authority to the library, they cannot add new objects. The problem in this case, was that the private and PUBLIC authorities to the production libraries could not be changed while the system was up and running. Since users have these production libraries on the user portion of their job's library lists, a SHRRD(Shared for read) lock is placed on the library object, prohibiting the authorities from being changed while the system is up and the users logged on. Since this is a 24x7 uptime shop, we needed to wait for several weeks to get clearance for a scheduled outage so we could make the change to PUBLIC AUT(USE). Since I wanted to make sure we had flexibility for any future authorization changes to these libraries, the decision was made to use the scheduled outage to change the authorization method for the libraries. Instead of simply changing the PUBLIC authority from CHANGE to USE, we would create an authorization list for each "in-scope" library, and then during the outage, we would change the libraries to be secured by the associated authorization list. Which we did. One of the big advantages of using an authorization list, is that they can typically be changed on-the-fly, during system uptime. This flexibility will come in very handy the next time an authorization change needs to be made to any of these production libraries, Next time, we will not need an outage, we can simply change the authorization list. Some of you are pondering a very good question right now. That is: "Using the new Authorization list scheme, won't you break something when you change the production library authorities on the fly?". The answer is: As long as the change that is being made is not creating a new restriction, nothing will break. If the change to the authorization list is creating a new restriction, that type of change may require an outage. (Note:* The System Value QLIBLCKLVL can be used to specify that libraries are NOT locked by a job simply because they are on the job's library list. For more information, see the IBM Information Center discussion on the System Value QLIBLCKLVL.		Sponsored Links IBM i, iSeries and AS/400 Security Services from SecureMyi IT Security and Compliance Group In Depth Security Assessment of IBM i Upgrade to QSECURITY level 40 or 50 Forensic Research and Analysis Audit Assistance and Remediation Security Training for IT and Audit Staff Software Selection & Configuration Security and Systems Programming Live Training from The 400 School, Inc Customized IBM i (AS/400) Training - Presented Live at your offices Live Online Hands-On Workshops ILE RPG IV Programming Workshop RPG/400 Programming Workshop IBM i COBOL Programming Interactive Programming Workshops System Operations Workshops System Administration and Control Security and Audit Workshops Control Language Programming IBM i Concepts and Facilities Query Workshop


Send your IBM i Security and Systems Management News and Events! Send your Questions, Comments, Tips and Stories Copyright 2014 - SecureMyi.com, all rights reserved SecureMyi.com \| St Louis MO 63017