SecureMyi.com Security and Systems Management Newsletter for the IBM i iSeries and AS/400 - September 25, 2013 - Problems With Private Authorities | Analysis of User Profiles

Tweet
SecureMyi.com Security and Systems Management Newsletter for the IBM i September 25, 2013 - Vol 3, Issue 36

	Feature Article Discovering Problems with Private Authorities By Dan Riehl - SecureMyi.com When an object(i.e. File, Program, Library, etc.) is created, it is owned by either the user that created the object or by the user's primary group profile. Ownership depends on the OWNER attribute of the user profile. If the value is set to *OWNER(GRPPRF), objects created are owned by the user's primary group, if OWNER(USRPRF)* is specified, objects are owned by the user, not the group. To view objects owned by a user profile you can use the command: WRKOBJOWN USRPRF(DRIEHL) In addition to ownership, a user can be assigned explicit private authority to an object using the command GRTOBJAUT(Grant Object Authority), or by adding a user from the EDTOBJAUT(Edit Object Authority) display. Normally, we want to avoid adding private authorities to an object. We typically want all of our User objects to be secured by an authorization list containing group profile names, and not individual user names. Once we start down the path of assigning private authorities at the user level, rather than at the group profile level, we begin to build an overly complex security scheme that will require constant maintenance as users come and go. Using Authorization Lists and Group Profiles in our authorization settings provides the least complex configuration, and requires the least amount of on-going maintenance. We do not have to make additions and changes every time a new user is added, or when a user's job function changes. In those cases, we simply assign the user to the correct group profile. Problems in Assigning Private Authorities to Users Any private authorities that exist, should be assigned at the Group profile level. But, alas, our systems have evolved over time, and what we typically have is a hodgepodge of mixed ownership and numerous private authority inconsistencies. One of our aims should be to remove private authorities that exist for individual users, and reassign the authority to their group. That is, if the private authority is really needed at all. Working With Objects by Private Authority IBM has provided the command WRKOBJPVT(Work With Objects by Private Authority). The command is used to list all the private authorities that are held by a user. (NOTE: If the user is the owner of the object, the object will not be included in the Private Authority report. Ownership is reported using the WRKOBJOWN command as discussed above.) *Read More*
In This Issue Featured Article - Private Authorities Security Shorts - Report on User Profiles Featured Video - Hidden Security Options Industry News and Calendar Security Resources Quick Links Search Security Site for IBM i and i5/OS SecureMyi Website Security Training from The 400 School SecureMyi Newsletter Home/Archives Our Newsletter Sponsors Platinum Sponsor The 400 School, Inc Gold Sponsor PowerTech Skyview Partners, Inc Software Engineering of America Silver Sponsor Cilasoft Security Solutions	IBM i Security Resources John Earl Memorial Tribute IBM i Security Videos - SecureMyi SecureMyi Newsletter Archives Search Security for IBM i IBM i Security Ref - 6.1 IBM i Security Ref - 7.1 QAUDJRN Entries By AUDLVL QAUDJRN Entry Layouts RedBook - Security Guide IBM i OSF - DataLoss DB PCI Data Security Standard COBIT - ISACA HIPAA Resources HITECH Enforcement CISSP - Certification
September Events Automating File Transfers and Meeting Service Level Agreements Live Webcast - Presented by Linoma Software Thursday, September 26 12:00 Noon CDT More Information and Register to Attend Configuring Real-Time Security Event Notification on IBM i Live Webcast - Presented by PowerTech Thursday, September 26 1:00pm CDT More Information and Register to Attend October Events A Decade of IBM i Security: The Good, the Bad, and the Ugly Live Webcast - Presented by PowerTech Wednesday, October 2 1:00pm CDT More Information and Register to Attend Implementing Multiple Layers of Defense with Carol Woodbury Live Webcast - Presented by Skyview Partners Friday, October 4 10:00am CDT More Information and Register to Attend Live Hands-On - Expanded Security Workshop for IBM i with Dan Riehl Training Workshop - October 7-10 Dan Riehl presents this 4-Day Live Online Hands-on Workshop. More Information and Register to Attend 2013 IBM Power Systems Technical University at Enterprise2013 Sponsored by IBM - (ed. This is the newest name for the IBM Technical Conference) Orlando, FL, October 21-25 More Information and Register to Attend November Events Live Hands-On - IBM i System Administration and Control Workshop with Dan Riehl Full Length Training Workshop - November 11-15 Dan Riehl presents this 5-Day Live Online Hands-on Workshop. More Information and Register to Attend
Featured YouTube Video The "Hidden" Security Options for IBM i Cannot Access Youtube from your office? Here is the presentation in wmv format.
Security Shorts Quick Reporting On Your User Profiles By Dan Riehl When you need to perform quick analysis on your user profiles, here are some tips. First create a file containing information about all of your user profiles. This will be a snapshot of your current user profiles. You can create this file of users by using the following command. *DSPUSRPRF USRPRF(ALL) OUTPUT(OUTFILE) OUTFILE(LibraryName/FileName)* Where LibraryName and Filename are your selected values. Now, using IBM i Access for Windows file transfer, you can simply download the file into Excel and slice and dice the user attributes to your heart's content. If you want to run some quick reports, you can use the RUNQRY(Run Query) command. One nice thing about using RUNQRY is that you can perform record selection, and optionally specify that you want a printed report, or display to your screen. Enter the following command to be prompted for record selection criteria: *RUNQRY QRY(NONE) QRYFILE((MyLibrary/MyFile)) RCDSLT(YES)* Here are some nice record selections you can choose Users that have not signed on since July 1, 2011 UPPSOD LT '110701' Users will ALLOBJ Special Authority UPSPAU LIKE '%ALLOBJ%'* Users with Action Auditing Values(e.g. AUDLVL(CMD)) UPAUDL NE 'NONE'**		Sponsored Links IBM i, iSeries and AS/400 Security Services from SecureMyi Expert IBM i Security Consulting IT Security and Compliance Group. LLC In Depth Security Assessment of IBM i Upgrade to QSECURITY level 40 or 50 Forensic Research and Analysis Audit Assistance and Remediation Security Training for IT and Audit Staff Security Software Selection & Configuration Customized Security/System Programming Live Training from The 400 School, Inc Customized IBM i (AS/400) Training - Presented Live at your offices Live Online Hands-On Workshops ILE RPG IV Programming ILE COBOL Programming Interactive Programming Workshops System Operations Workshops System Administration and Control Security and Auditing Workshops Control Language Programming IBM i Concepts and Facilities Query Workshop


Send your IBM i Security and Systems Management News and Events! Send your Questions, Comments, Tips and Stories Copyright 2013 - SecureMyi.com, all rights reserved SecureMyi.com \| St Louis MO 63017