|
Feature Article
5 Ways to Control Access using Application Administration
By Carol Woodbury Skyview Partners, Inc.
Never heard of Application Administration? Don’t be surprised. Although it’s full of function, it’s one of little-known features of IBM i. Application Administration (or App Admin as it’s commonly called) has been around for a while but the additional features provided in the latest releases as well as recent Technology Releases makes this a feature worth exploring again.
Tip #1 explains how to configure Application Administration access controls. Tip #4 explains the most recently added features, including the ability to control network access (ftp, ODBC, etc) and Tip #5 explains how you can use App Admin with your own applications.
Application Administration
Application Administration is a function of i Navigator. It allows you to configure who can see certain functions or perform certain tasks. IBM created App Admin because there are times when you need to control access to something, but that something is a function or task and there is no object to restrict access to. For example, when you want to restrict access to a database file, you set *PUBLIC authority to *EXCLUDE, and no one can access the file. But if you want to control who can perform service traces, for example, there is no corresponding object to grant *EXCLUDE authority to. Therefore, App Admin was created to provide a facility for controlling functions.
To launch App Admin, right click on the system name in i Navigator and choose Application Administration. If you haven’t already signed on to the system, you’ll be presented with a sign on dialog.
Note: To configure most aspects of App Admin, you’ll need to sign on with a profile that has at least *SECADM special authority.
Read More
|
IBM i Security Calendar of Events
Live Security Related Webcasts and Training for IBM i
5 Must-Control Access Points for Optimum IBM i Security and Compliance
with Guy Marmorat - President Cilasoft
Live Webcast - Presented by Cilasoft Security Solutions
Thursday, June 27 Noon CDT
More Information and Register to Attend
An Auditor's View: Assessing IBM i Security Vulnerabilities
Live Webcast - Presented by PowerTech
Thursday, June 27 1:00pm CDT
More Information and Register to Attend
Live Hands-On - QAUDJRN Auditing and Forensic Analysis Workshop for IBM i
with Dan Riehl
Full Length Training Workshop - July 10-11
Dan Riehl presents this 2-Day Live Online Hands-on Workshop.
More Information and Register to Attend
Live Hands-On - IBM i Security and Vulnerability Assessment Workshop for IBM i
with Dan Riehl
Full Length Training Workshop - July 15-18
Dan Riehl presents this 3.5-Day Live Online Hands-on Workshop.
More Information and Register to Attend
Get your FTP Server into Compliance
Live Webcast - Presented by Linoma Software
Thursday, July 18 Noon CDT
More Information and Register to Attend
Live Hands-On - Expanded Security Workshop for IBM i
with Dan Riehl
Full Length Training Workshop - July 23-26
Dan Riehl presents this 4-Day Live Online Hands-on Workshop.
More Information and Register to Attend
Live Hands-On - Expanded Control Language Programming Workshop
with Dan Riehl
Full Length Training Workshop - August 19-23
Dan Riehl, Co-Author of the textbook Control Language Programming for the IBM i
presents this 5-Day Live Online Hands-on Workshop.
More Information and Register to Attend
Live Hands-On - IBM i System Administration and Control Workshop
with Dan Riehl
Full Length Training Workshop - September 9-13
Dan Riehl presents this 5-Day Live Online Hands-on Workshop.
More Information and Register to Attend
COMMON 2013 Fall Conference and Expo
Three Day Conference and Expo - September 9-11
Renaissance Grand St. Louis • St. Louis, Missouri
More Information and Register to Attend
|
|
Security Shorts -
Yes, I have a Numeric UserID and Password. And You?
By Dan Riehl
My UserID is 77 and My Password is 123456
The Object Naming rules for IBM i state that an object name must begin with an alphabetic character including A-Z, #, $, @, and that the remaining characters (up to 10 in total) can contain A-Z, 0-9, #, $, @, _ ,and a .(period). The object names in the QSYS file system are not case sensitive.
However, when it comes to User Profile names and Passwords, an interesting phenomenon comes into play.
When we create a user profile, we specify a User Profile name and, optionally, we specify a Password, as in the following example. (For these examples, we assume a Password Level (System Value QPWDLVL) of 0 or 1, limiting a password to a maximum length of 10 characters.)
CRTUSRPRF USRPRF(BOBSMITH) PASSWORD(PASS1WORD5)
Now, when the user needs to log on, his user ID is BOBSMITH, and his password is PASS1WORD5. Simple and straightforward.
But consider this next example:
CRTUSRPRF USRPRF(Q12345) PASSWORD(Q11111)
When a user profile is created using this command, the user can actually log on using two different user IDs and two different passwords. It's a bit weird, but let's look at it in more detail.
- The user can log on with UserID Q12345 with a Password Q11111.
- The user can log on with UserID Q12345 with an all-numeric Password 11111.
- The user can log on with an all-numeric UserID 12345 with a Password Q11111.
- The user can log-on with an all-numeric UserID 12345 with an all-numeric Password 11111.
The secret to this seemingly strange support lies in the first character of the UserID and/or Password being the specific letter Q, followed only by digits. When this is the case, the letter Q becomes an optional part of the UserID and/or Password during the Logon process.
You can view more about this Q digit support by reviewing the F1=Help text of the CRTUSRPRF(Create User Profile) command.
As the system administrator, you can enforce policy to disallow the creation of a Q digits User Profile, but a user can change his or her password to a Q digits password using the Change Password (CHGPWD) command and/or Change Password API.
In order to restrict users from setting their passwords to Q digits (e.g., Q11111), you can either set the system value QPWDLMTAJC to the value 1 or include the value *DGTLMTAJC in the system value QPWDRULES. Either of these settings prohibit the use of adjacent digits in a password when changed by the user.
Oh, Yes, One more thing. Make sure that your password Minimum Length is at least 3. (I hope it's more like 6,7 or 8). Minimum length is set by the system value QPWDMINLEN, or in the QPWDRULES system value using the value *MINLENnnn, where nnn is a number from 1-10, or 1-128, depending upon the value of your QPWDLVL system value.
|
Sponsored Links
Expert IBM i Security Consulting
IT Security and Compliance Group. LLC
In Depth Security Assessment of IBM i
Upgrade to QSECURITY level 40 or 50
Forensic Research and Analysis
Audit Assistance and Remediation
Security Training for IT and Audit Staff
Security Software Selection & Configuration
Customized Security/System Programming
Customized IBM i (AS/400) Training -
Presented Live at your offices
Live Online Hands-On Workshops
ILE RPG IV Programming
ILE COBOL Programming
Interactive Programming Workshops
System Operations Workshops
System Administration and Control
Security and Auditing Workshops
Control Language Programming
IBM i Concepts and Facilities
Query Workshop
|
