June 20, 2012 - Vol 2, Issue 11
Cilasoft EAM - Control Powerful Users

Feature Article

Mysteries of the QUSEADPAUT System Value

By Dan Riehl

The QUSEADPAUT system value was introduced several years ago to address the concern that there was no way to keep adopted authority from flowing down the call stack to all subprograms. Whenever a program adopted authority, downstream programs had no way to turn off that adopted authority.

A short History of QUSEADPAUT

I recall when we, the AS/400 user community, back then, asked IBM for a way to create an adopting program that didn't propagate the adopted authority down the stack. We wanted an attribute we could set in the adopting program that said, "This program will adopt but will not pass the adopted authority to any other program." We wanted to contain the adoption within the adopting program itself and not pass it on.

With that functionality, we could control the use of adopted authority very granularly. We could adopt authority in a program that needed additional authority and specify that the program not pass that adopted authority to any called programs. That way we could easily control which programs adopted authority and never worry about the adopted authority being propagated outside of the program. That's what we asked for.

When IBM announced its version of the solution as a PTF to version 3.1 of the OS, we were all a bit dismayed. IBM didn't let us stop the propagation within the adopting program; instead IBM let us set a flag in a called program as to whether the called program was going to use the adopted authority passed to it. It was exactly backwards from what we had asked for. I'm sure many of you remember that discussion.

We wanted control from within the adopting and CALLing program. IBM supplied USEADPAUT to provide control inside the CALLed programs. I wish IBM had done it the other way.

But, IBM ultimately got it right when they released the Built-In MI function MODINVAU, which can be used to stop the propagation of authority outside the adopting program or a program running under adopted authority. See the sidebar "Stop Adoption in the Calling Program using MODINVAU,"


In This Issue

Featured Article - Mysteries of QUSEADPAUT

Security Shorts - Managing User Profiles

Industry News and Calendar

Security Resources

Quick Links

SecureMyi Website

Security Training from The 400 School

SecureMyi Newsletter Home/Archives

Need Access to an IBM i?   Visit RZKH.de

Please Visit Our Sponsors

Platinum Sponsor
      Cilasoft Security Solutions

Gold Sponsor
      The PowerTech Group

      Skyview Partners, Inc

      The 400 School, Inc

IBM i Security and Audit Resources

IBM i Security Videos from SecureMyi.com

SecureMyi Newsletter Home and Archives

IBM i Security Reference - IBM i 6.1

IBM i Security Reference - IBM i 7.1

QAUDJRN Audit Types By AUDLVL 6.1

QAUDJRN Entry Type Record Layout 6.1

RedBook - Security Guide for IBM i 6.1

PCI SSC Data Security Standards

COBIT Framework - ISACA

HIPAA Resources

HITECH Enforcement

CISSP - Certification

Follow SecureMyi on Twitter

Follow SecureMyi on YouTube

Is Your JD EDWARDS Database Secure? See how SKYVIEW PARTNERS can help!

IBM i Security News Bytes

LinkedIn Passwords Hacked
LinkedIn was recently hacked for possibly millions of member passwords. Details are still emerging. If you have not yet changed your LinkedIn password, I encourage you to do so. In response to the attack, IBM i security and encryption vendor Townsend Security has created a webcast focusing on the LinkedIn password hack and other related incidents.
Townsend Security Webcast On LinkedIn Breach

Cilasoft Introduces "EAM" - Elevated Authority Manager For IBM i
Elevated Authority Manager(EAM) is a software solution that allows you to temporarily provide elevated capabilities to specified users; including reports, alerts, and a full audit trail of activities.
More information and Download a Trial

Skyview Partners Introduces Managed Services for IBM i and AIX Compliance
SkyView Partners announced a new managed service for both the IBM i and AIX platforms. The new service covers monthly compliance monitoring and annual vulnerability assessments and includes licenses of SkyView’s compliance related software.
See More Information from Skyview

IBM i Security Calendar of Events

Live Security Related Webcasts and Training for IBM i

Coffee with Carol
Step by Step Approach to Implementing Object Level Security

Webcast - Featuring Carol Woodbury - Sponsored by Skyview Partners
Wednesday June 27 10:00 AM CDT
More Information and Register to Attend

Live 4-Day Hands-On Expanded Security Workshop for IBM i
Full Length Training Workshop - August 21-24 9:00am - 4:00pm Central Time
Dan Riehl presents his 4-Day Live Online Hands-on Security Workshop for the IBM i.
More Information and Register to Attend

Skyview Partners - Security Checkup from Skyview Partners

Security Shorts -

Caveat - Managing User Profiles Under Adopted Authority

By Dan Riehl

We often use the facility called "adopted authority" to allow a user to perform operations that they have no inherent authority to perform. For example, many of us use adopted authority to allow help desk users to reset a blown password or reset a user status from *DISABLED to *ENABLED.

You can also use adopted authority to allow the help desk to create user profiles or change other attributes of existing user profiles. But there is one major caveat when creating or changing user profiles under adopted authority; adopted authority cannot be used to assign a user to a group profile.

As an example, a help desk user runs a program to create a user profile. The program adopts the authority of Security Officer (QSECOFR), temporarily making the user "all powerful."

But in order to assign a user to a group profile (or supplemental group profile), the help desk user must have his or her own authority to the group profile being assigned to the user. Adopted authority cannot be used to assign the group.

The IBM documentation states that the user creating or changing the profile must have *CHANGE and *OBJMGT rights to the group profile in order to assign a user to the group and that the authority cannot come from the use of adopted authority.

This bothered me, as I did not want to give the help desk users that much authority to groups that they may need to assign. With *CHANGE authority, the help desk users would be able to run jobs as the group or otherwise hijack the group. (For more information on this exposure, see my article on "Protecting Your User Profiles.")

In my testing, I was able to confirm that I could remove the *EXECUTE right for the help desk user to the groups they need to assign, thereby preventing the misuse of the group profiles.

So, yes, you assign the help desk users *CHANGE and *OBJMGT rights to the group profile they need to assign and then remove their *EXECUTE rights, in order to protect the group from being misused.

It is interesting that the help desk users can change the other attributes of a user profile while running under QSECOFR adopted authority, but they cannot assign a new group to which they are not authorized.

See the IBM support document on this topic.

Sponsored Links

IBM i, iSeries and AS/400
Security Services from SecureMyi

Expert Level Security Consulting
IT Security and Compliance Group, LLC

In Depth Security Assessment of IBM i
Upgrade to QSECURITY level 40 or 50
Forensic Research and Analysis
Audit Assistance and Remediation
Security Training for IT and Audit Staff
Security Software Selection & Configuration
Customized Security/System Programming

Subscribe to the SecureMyi Security Newsletter - Get Dan Riehl's book PowerTips for IBM i Security

Live Training from The 400 School, Inc

Live Online Hands-On Workshops
Special Fall/Winter Class Discounts

Now Accepting Credit Cards

IBM i System Operations Jun 25-29

IBM i System Administration Jul 16-20

IBM i Security Workshop Aug 21-24

SecureMyi.com Security Workshop

Send your IBM i Security Related News and Events!           Advertise in SecureMyi.com Security Newsletter

Copyright 2012 - SecureMyi.com, all rights reserved

SecureMyi.com | St Louis MO 63017