Feature Article
Fixing Your Save/Restore Authority Problems
By Dan Riehl - SecureMyi.com
How often have you found yourself bewildered when restoring a production library to a test or backup system only to find that the authorities on the test system don't match the authorities on the production system?
I can't tell you the number of times I've received a call from a client trying to figure out why their authorities are not consistent between the two systems. Restoring objects from one system to another and trying to keep all the security-related attributes and authorities intact can be a challenging process. There are numerous rules that come into play, depending upon how the objects are saved and how they are restored.
IBM made a very nice enhancement to the Save (SAVxxx) and Restore (RSTxxx) commands back in IBM i version 5.4 that eases the pain of trying to get the authorities right on your restored objects. You still need to be aware of the rules and restrictions of saving and restoring objects, but this updated support will be the answer to many of your restore difficulties.
The Problem
Before delving into the enhanced support provided in 5.4, let's consider an example of how Save/Restore operations work in relation to object private authorities.
The only object authorities that are saved and restored with an object are the object Owner's authority, the *PUBLIC authority, and the Object Primary Group. These authorities are stored within the object and are therefore saved with the object; however, NONE of an object's private authorities are stored within the object. They are stored within the User Profiles of the users that have a private authority to an object. (Note: If the object is secured by an Authorization List, the list name is stored in the object. So, the list name is saved with the object.)
So, if Joe has an authority of *CHANGE to the PAYROLL library, and Joe is not the owner of the library, Joe's 'private authority' is not saved, and thus cannot be restored with the object. It's just gone on the restore side. Poof!
Prior to the 5.4 enhanced support, these object private authorities were only saved when user profiles were saved, using the Save Security Data (SAVSECDTA) or Save System (SAVSYS) commands.
Restoring the object private authorities onto another system required a two-step process, not including the actual Object/Library restore process. First you had to restore the user profiles. The command Restore User Profile (RSTUSRPRF) is designed for that purpose. Once your selected user profiles had been restored, the command Restore Authority (RSTAUT) could be used to restore the private authorities from selected user profiles back to the restored objects.
The Updated IBM i 5.4 Support to Save and Restore Private Authorities
In 5.4, IBM introduced the Private Authority (PVTAUT) parameter to the Save and Restore commands. The setting of the PVTAUT parameter will determine whether private authorities are saved and/or restored WITH the objects.
This updated capability can save you a significant amount of time, effort, and aggravation in moving objects from one system to another while keeping the private authorities intact. You obviously are still subject to the rules and restrictions for Save and Restore operations, but using this 5.4 PVTAUT support, you no longer need to Save and Restore user profiles, and you do not need to do the RSTAUT operation in order to get your private authorities in sync for selected objects.
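As an added illustration that is not part of the article, the two procedures described above side by side: the pre-5.4 sequence (SAVSECDTA, then RSTUSRPRF and RSTAUT after the library restore) and the 5.4 sequence using PVTAUT(*YES) on SAVLIB and RSTLIB. Library PAYROLL and user JOE are the article's; the save files QGPL/PAYSAVF and QGPL/SECSAVF are constructed placeholders standing in for whatever device you save to.

```cl
/* Added example (not from the article): moving library PAYROLL with its     */
/* private authorities intact. PAYROLL and JOE come from the article; the    */
/* save files QGPL/PAYSAVF and QGPL/SECSAVF are constructed placeholders.    */

/* --- Before 5.4: private authorities travel only with the user profiles --- */

/* Source system: the library and the security data are two separate saves  */
CRTSAVF FILE(QGPL/PAYSAVF)
SAVLIB LIB(PAYROLL) DEV(*SAVF) SAVF(QGPL/PAYSAVF)
CRTSAVF FILE(QGPL/SECSAVF)
SAVSECDTA DEV(*SAVF) SAVF(QGPL/SECSAVF)        /* user profiles carry the private auths */

/* Target system, after both save files have been transferred               */
RSTLIB SAVLIB(PAYROLL) DEV(*SAVF) SAVF(QGPL/PAYSAVF)
RSTUSRPRF DEV(*SAVF) SAVF(QGPL/SECSAVF) USRPRF(JOE)   /* step 1: the profile      */
RSTAUT USRPRF(JOE)                                     /* step 2: its private auths */

/* --- 5.4 and later: PVTAUT(*YES) saves the private authorities with the objects --- */

/* Source system                                                             */
SAVLIB LIB(PAYROLL) DEV(*SAVF) SAVF(QGPL/PAYSAVF) PVTAUT(*YES)

/* Target system: no SAVSECDTA, no RSTUSRPRF, no RSTAUT                      */
RSTLIB SAVLIB(PAYROLL) DEV(*SAVF) SAVF(QGPL/PAYSAVF) PVTAUT(*YES)

/* Verify: Joe's *CHANGE entry should now appear beside the owner and *PUBLIC */
DSPOBJAUT OBJ(QSYS/PAYROLL) OBJTYPE(*LIB)
```

The check at the end is the one to run in either case: DSPOBJAUT lists the owner, *PUBLIC and every private authority row, so a missing JOE line tells you immediately that the restore did not carry his authority. In both sequences a private authority can only be attached to a profile that exists on the target system, so JOE must exist there before the RSTLIB with PVTAUT(*YES) runs; otherwise his entry is dropped just as RSTAUT would have skipped him.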
Security Related News for IBM i
HelpSystems Acquires Halcyon Software HelpSystems has announced the acquisition of Halcyon Software and its complete portfolio of IT systems management software solutions.
Read the Press Release for More Information
Skyview Partners Announce "Deep Dive" Security Training for IBM i - Las Vegas, NV
Skyview Partners announces its Annual "Deep Dive" Security Training for 2015.
Skyview's own Carol Woodbury will be presenting this "Deep Dive" into IBM i Security. The Two-Day Training Event will be held in Las Vegas, NV on January 27 and 28.
For More Information and to Register to Attend
Live Security Related Webcasts and Training for IBM i
January Events
Live Hands-On - Expanded Security Workshop for IBM i, iSeries & AS/400 with Dan Riehl
Training Workshop - January 20-23 - Presented by The 400 School, Inc.
Dan Riehl presents this 4-Day Live Online Hands-on Workshop.
More Information and Register to Attend
"Deep Dive" Security Training - Las Vegas NV with Carol Woodbury
Live Two-Day Training Event - Presented by Skyview Partners
Location: The Mandarin Oriental Hotel in Las Vegas, NV
Dates: January 27 and 28.
More Information and Register to Attend
February Events
Live Hands-On - Expanded Control Language Programming Workshop with Dan Riehl
Training Workshop - February 2-6 - Presented by The 400 School, Inc.
Dan Riehl presents this 5-Day Live Online Hands-on Workshop.
More Information and Register to Attend
Live Hands-On - IBM i, iSeries System Administration and Control Workshop with Dan Riehl
Training Workshop - February 23-27 - Presented by The 400 School, Inc.
Dan Riehl presents this 5-Day Live Online Hands-on Workshop.
More Information and Register to Attend
Security Shorts
Copying Authorities from one User to Another
By Dan Riehl - SecureMyi.com
I always encourage IBM i system administrators to use or create a special "owner" profile to own all of your production objects. For example, instead of the Distribution application programs and files being owned by a conglomeration of programmers and other IT people, the objects should be owned by a special owning profile, like DSTOWNER. DSTOWNER is not a group profile; it's just used to own objects. It has no password, so it cannot be used to sign on.
I also advise that certain system objects that we create, like User Profiles, be owned by QSECOFR. It might require an extra step to assign the ownership to QSECOFR, but doing so avoids the problem of these objects being owned by IT staff members, who come and go.
Creating a New User
When a new user must be created on your system, it is usually rather straightforward. However, if you have fallen into the trap of assigning object authorities at the user profile level, it becomes much more difficult to create the new user.
Let's say that you have a new system administrator and this new user needs to have the same authorities as an existing system administrator. You can easily copy the existing user profile to the new one. The Copy User Profile option is available as Option 3 from the WRKUSRPRF (Work with User Profiles) display.
But copying a user profile in this way does not copy the ownership of objects or the private authorities of the original user. For example, if the existing user owns a collection of libraries or files, that existing user has *ALL authority to those objects. How do we grant *ALL authority to the new user?
If the original user has private authorities, or ownership of 50 commands, 10 libraries, 200 files and a few job descriptions, you will need to grant all those same authorities to the new user. Thankfully, IBM has provided the tool to copy these authorities using the command GRTUSRAUT (Grant User Authority).
When using the command GRTUSRAUT, make sure you are signed on as QSECOFR or as an *ALLOBJ user; otherwise, certain objects or authorities may be skipped.
Copying the Authorities
Here is a command that will copy the private authorities (including those granted through ownership) from OLDUSER to NEWUSER.
GRTUSRAUT USER(NEWUSER) REFUSER(OLDUSER)
When you run this command, it would be best to submit it to batch, since it may take a long time to run. So use the command:
SBMJOB CMD(GRTUSRAUT USER(NEWUSER) REFUSER(OLDUSER))
Here is the IBM Documentation on the GRTUSRAUT command.
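As an added example, not from the article, the GRTUSRAUT procedure above wrapped in the before-and-after checks an administrator would want: list what OLDUSER holds, run the copy in batch with the job log retained, then compare NEWUSER against that listing. OLDUSER and NEWUSER are the article's names; the job name GRTAUTHS and the spot-check against library PAYROLL are constructed for this example.

```cl
/* Added example (not from the article): cloning OLDUSER's authorities to  */
/* NEWUSER with a before/after check. OLDUSER and NEWUSER are the article's */
/* names; job name GRTAUTHS and the PAYROLL spot-check are constructed.     */

/* 1. Record what OLDUSER holds: private authorities and owned objects.     */
/*    Ownership matters because GRTUSRAUT grants NEWUSER *ALL authority to   */
/*    every object OLDUSER owns, without making NEWUSER the owner.           */
DSPUSRPRF USRPRF(OLDUSER) TYPE(*OBJAUT) OUTPUT(*PRINT)
DSPUSRPRF USRPRF(OLDUSER) TYPE(*OBJOWN) OUTPUT(*PRINT)

/* 2. Run the copy in batch from a QSECOFR or *ALLOBJ session. LOG(4 0      */
/*    *SECLVL) keeps the full job log, so any object the command skipped     */
/*    is left on record for review instead of silently missing.             */
SBMJOB CMD(GRTUSRAUT USER(NEWUSER) REFUSER(OLDUSER)) JOB(GRTAUTHS) LOG(4 0 *SECLVL)

/* 3. When the job completes, list NEWUSER and compare with the step 1 spool */
DSPUSRPRF USRPRF(NEWUSER) TYPE(*OBJAUT) OUTPUT(*PRINT)

/* 4. Spot-check one object: OLDUSER and NEWUSER should show matching rows  */
DSPOBJAUT OBJ(QSYS/PAYROLL) OBJTYPE(*LIB)
```

Two things the listings make visible: ownership stays with OLDUSER (NEWUSER only receives *ALL private authority to those objects, which is one more reason to keep production objects under a dedicated owner profile as the article recommends), and GRTUSRAUT copies private authorities only; special authorities and group memberships come from the WRKUSRPRF Option 3 copy, not from this command.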
Sponsored Links
IT Security and Compliance Group
In Depth Security Assessment of IBM i
Upgrade to QSECURITY level 40 or 50
Forensic Research and Analysis
Audit Assistance and Remediation
Security Training for IT and Audit Staff
Software Selection & Configuration
Security and Systems Programming
Customized IBM i (iSeries, AS/400) Training - Presented Live at your offices
LIVE Online Hands-On Workshops
ILE RPG IV Programming
ILE COBOL Programming
Interactive Programming Workshops
System Operations Workshops
System Administration and Control
Security and Auditing Workshops
Control Language Programming
IBM i Concepts and Facilities
Query Workshop