SecureMyi.com Security and Systems Management Newsletter for the IBM i - November 12, 2014 - Vol 4, Issue 19

The SecureMyi Newsletter will be taking a Holiday for Thanksgiving Week and will return on December 10!

Have a Wonderful Thanksgiving Holiday!


Feature Article

Create User Profile - Forcing Policy on IBM i

By Dan Riehl - SecureMyi.com

When creating User Profiles on the IBM i, whether through a Control Language command like Create User Profile (CRTUSRPRF) or through the IBM i Navigator for Windows interface, you have the option to include your own customized processing when the profile is created. Through this customized processing, you can help enforce your security policy regarding the creation of User Profiles.

In the October 22, 2014 issue of the SecureMyi Security Newsletter, I presented an article on how a simple flaw in the creation of a User Profile could leave the profile vulnerable to being "hijacked". The article presented here provides a tool that lets you enforce strict policy on the creation of User Profiles, so that newly created profiles are not subject to that simple flaw.

IBM has established and documented an "Exit Point" for the Create User Profile operation. An exit point is a place in the process in which you can include your own custom logic (i.e. an exit program) to perform additional tasks. In this article we will examine adding your own logic to the Create User Profile process.

There are two operations that must be performed when implementing any exit program. The first is to create the exit program, the second is to register your exit program with the operating system, which "turns ON" your custom logic. We'll discuss how to perform both of these steps.

The Exit Program

The exit program can be written in just about any language: CLP, CLLE, CLE, RPG, RPGLE, CBL, etc. It can be an ILE (Integrated Language Environment) program or an OPM (Original Program Model) program.

Since adding logic to the Create User Profile operation is a sensitive task, you'll want to make sure that the exit program is secured against potential abuse. Give *USE authority only to those users who create your user profiles; *PUBLIC authority should be set to *EXCLUDE.

The exit program runs within the same job as the Create User Profile function. So the current user of the job that is creating a new user profile will also be the user running the exit program, and so must have authority to the program.

When Using Adopted Authority to Create User Profiles

Some organizations do not assign powerful special authorities to the users that create and maintain User Profiles. Instead, they use an adopted authority scheme which allows the users to temporarily assume the authority of a more powerful user through an operating system feature called Program Adoption of Authority.

One important technical issue about your Create User Profile exit program is that if the job that is creating the new user profile is running under adopted authority, that adopted authority is NOT passed to the exit program.

So, if your Create User Profile exit program is going to perform sensitive operations (e.g., change the new user's password, change the owner of the profile, register the user in the distribution directory), the exit program itself must adopt the authority of a powerful "Security Officer" type user profile. To accomplish this, change the owner (CHGOBJOWN) of the exit program to QSECOFR (or another powerful user) and specify the USRPRF(*OWNER) parameter on the CRT**PGM command that is used to create the exit program. These actions will cause your exit program to temporarily adopt the authority of the powerful user profile, supplying the ability to perform actions that would otherwise be restricted.

(Note: If the users that create user profiles have powerful "Security Officer" type user profiles, you do not need to be concerned about the adopted authority issues presented here. This applies only to cases in which adopted authority is being used to provide access to the Create User Profile function.)
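As an added example (not the tool from this article, nor SecureMyi's code), here is a minimal CL exit program that applies two policies to each newly created profile: ownership moves to a policy-owner profile (assumed here to be QSECOFR) with the creator's authority revoked, and the initial password is set expired so it must be changed at first sign-on. It assumes IBM's QIBM_QSY_CRT_PROFILE exit point with the CRTP0100 parameter layout (exit point name, format name, then the new profile name), and that the program is created with USRPRF(*OWNER) and owned by QSECOFR as described above, because the caller's adopted authority is not passed to it.

```cl
/* CRTPRFEXIT - Create User Profile exit program.                     */
/* Added example, not the article's tool. Assumes the CRTP0100 exit   */
/* data layout: exit point name (20), format name (8), profile (10).  */
/* Create with USRPRF(*OWNER), owned by QSECOFR, *PUBLIC *EXCLUDE,    */
/* because the caller's adopted authority is not passed to this pgm.  */
             PGM        PARM(&EXITDATA)

             DCL        VAR(&EXITDATA) TYPE(*CHAR) LEN(38)
             DCL        VAR(&FORMAT)   TYPE(*CHAR) LEN(8)
             DCL        VAR(&NEWUSR)   TYPE(*CHAR) LEN(10)
             /* Policy owner for all new profiles (assumed value)        */
             DCL        VAR(&POLOWN)   TYPE(*CHAR) LEN(10) VALUE('QSECOFR')

             /* Unpack the exit data passed by the operating system      */
             CHGVAR     VAR(&FORMAT) VALUE(%SST(&EXITDATA 21 8))
             CHGVAR     VAR(&NEWUSR) VALUE(%SST(&EXITDATA 29 10))
             IF         COND(&FORMAT *NE 'CRTP0100') THEN(RETURN)

             /* Policy 1: the creating user must not stay owner of the   */
             /* new profile. Move ownership to the policy owner and      */
             /* revoke the previous owner's private authority.           */
             CHGOBJOWN  OBJ(&NEWUSR) OBJTYPE(*USRPRF) NEWOWN(&POLOWN) +
                          CUROWNAUT(*REVOKE)
             MONMSG     MSGID(CPF0000) EXEC(GOTO CMDLBL(FAIL))

             /* Policy 2: whatever password the creator typed is         */
             /* one-time only; the new user must change it at sign-on.  */
             CHGUSRPRF  USRPRF(&NEWUSR) PWDEXP(*YES)
             MONMSG     MSGID(CPF0000) EXEC(GOTO CMDLBL(FAIL))

             /* Record what was done in the creating job's job log       */
             SNDPGMMSG  MSG('CRTPRFEXIT: policy applied to profile ' +
                          *CAT &NEWUSR *TCAT ', owner now ' *CAT &POLOWN) +
                          MSGTYPE(*INFO)
             RETURN

             /* Do not send *ESCAPE back to the system caller; leave a   */
             /* diagnostic so the creator sees the profile still needs   */
             /* manual correction.                                       */
 FAIL:       SNDPGMMSG  MSGID(CPF9898) MSGF(QCPFMSG) +
                          MSGDTA('CRTPRFEXIT: policy NOT applied to ' +
                          *CAT &NEWUSR) MSGTYPE(*DIAG)
             ENDPGM
```

Registering it is the second step the article describes; with the program in an assumed library SECLIB, that is ADDEXITPGM EXITPNT(QIBM_QSY_CRT_PROFILE) FORMAT(CRTP0100) PGMNBR(1) PGM(SECLIB/CRTPRFEXIT).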

Read More . .

In This Issue


Featured Article - Create User Profile Exit

Featured Video - Virus Worms Malware?

Security Shorts - Who's in that Group?

Industry News and Calendar

Security Resources


Featured YouTube Educational Video

IBM i Security

Is the IBM i Vulnerable to Virus, Worms and other Malware?

Security News and Events


Security Related News for IBM i

Skyview Partners Announces "Deep Dive" Security Training for IBM i - Las Vegas, NV
Skyview Partners announces its Annual "Deep Dive" Security Training for 2015.
Skyview's own Carol Woodbury will be presenting this "Deep Dive" into IBM i Security. The Two-Day Training Event will be held in Las Vegas, NV on January 27 and 28.

For More Information and to Register to Attend


Live Security Related Webcasts and Training for IBM i

November Events

An Introduction to PCI Compliance on IBM Power Systems
Live Webcast - Presented by Powertech
Wednesday, Nov 12 10:00am CT
More Information and Register to Attend

Live Hands-On - IBM i, iSeries System Administration and Control Workshop
with Dan Riehl

Training Workshop - Nov 17-21 - Presented by The 400 School, Inc.
Dan Riehl presents this 5-Day Live Online Hands-on Workshop.
More Information and Register to Attend

December Events

Coffee with Carol: Using the "Newer Clients" for Accessing IBM i - Good for Security, or Not?
with Carol Woodbury and IBM's Tim Rowe

Live Webcast - Presented by Skyview Partners
Wednesday, Dec 3 9:30am CDT
More Information and Register to Attend

January Events

"Deep Dive" Security Training - Las Vegas NV
with Carol Woodbury

Live Two-Day Training Event - Presented by Skyview Partners
Location: The Mandarin Oriental Hotel in Las Vegas, NV
Dates: January 27 and 28.
More Information and Register to Attend


Security Shorts

Who's in that Group? A Quick Look at Your Group Profiles

By Dan Riehl - SecureMyi.com

A member of a Group Profile inherits all authorities and special authorities from their group(s). In order to manage your groups, it's important to know what users are in those groups.

When you need a list of all the users who belong to a particular Group Profile, it's easy to get. Just use the DSPUSRPRF (Display User Profile) command as follows:

DSPUSRPRF USRPRF(GroupProfileName) TYPE(*GRPMBR)

For GroupProfileName, substitute the name of the Group Profile for which you want to list the Group members.

If you want a full system listing of all Group Profiles and the members in each group, you can use the DSPAUTUSR (Display Authorized Users) command as follows:

DSPAUTUSR SEQ(*GRPPRF) OUTPUT(*PRINT)

For a nice GUI look into your users and groups, IBM i Navigator for Windows (aka Operations Navigator) provides the nicest presentation.


Copyright 2014 - SecureMyi.com, all rights reserved

SecureMyi.com | St Louis MO 63017