This document discusses limiting powerful user profiles on IBM i systems. It defines what makes a profile powerful, such as special authorities, user class, and limit capabilities. Specific special authorities are outlined that provide elevated access, such as *ALLOBJ. The challenges of managing elevated authority, such as frequent requests for more access, are discussed. Third-party solutions are presented as an option to automate elevated authority management and provide separation of duties, auditing, and risk reduction. Syncsort is presented as a vendor that can help with solutions for data privacy, access control, compliance monitoring, security risk assessments, and more.
2. Agenda
• Reducing Powerful Profiles
• Managing Elevated Authority
• Tradeoffs: DIY or Packaged Solutions?
• How Syncsort Can Help
3. What Is a Powerful Profile?
From an IBM i OS viewpoint, three things contribute to making powerful profiles:
1. Special authorities
2. User class
3. Limit capabilities
4. Special Authority
“Special authority is used to specify the types of actions a user can perform on system resources. A user can be given one or more special authorities.”
IBM i, Security, Security reference, Version 7.3

| Special Authority | Actions Allowed |
| --- | --- |
| *ALLOBJ | Access any resource – overrides private authority. Essentially gives access to all functions on the system. |
| *SECADM | Create, change and delete user profiles. *SECADM + *ALLOBJ can give *SECADM to another user. |
| *JOBCTL | Stop subsystems, perform an initial program load (IPL). |
| *SPLCTL | Any operation on any spooled file in the system. No protection for confidential spooled files. |
| *SAVSYS | Save, restore and free storage for all objects on the system. |
| *SERVICE | STRSST, debug with only *USE authority, trace. |
| *AUDIT | Stop, start and prevent auditing on the system. |
| *IOSYSCFG | Change how the system is configured. Add or remove communication configurations and TCP/IP servers. |
5. User Class
“User class is used to control what menu options are shown to the user on IBM i menus. This helps control user access to some system functions.”
IBM i, Security, Security reference, Version 7.3

Special Authorities Defaults (Security Level 30 or Above)

| User Class | Special Authorities |
| --- | --- |
| *SECOFR | *ALL |
| *SECADM | *SECADM |
| *PGMR | *NONE |
| *SYSOPR | *JOBCTL, *SAVSYS |
| *USER | *NONE |
6. Limit Capabilities
“You can use the Limit capabilities field to limit the user’s ability to enter commands and to override the initial program, initial menu, current library, and attention-key-handling program specified in the user profile. This field is a tool for preventing users from experimenting on the system.”
IBM i, Security, Security reference, Version 7.3

| Function | *YES | *PARTIAL | *NO |
| --- | --- | --- | --- |
| Change initial program | No | No | Yes |
| Change initial menu | No | Yes | Yes |
| Change current library | No | No | Yes |
| Change attention program | No | No | Yes |
| Enter commands | A few* | Yes | Yes |

* These commands are allowed by default: SIGNOFF, SNDMSG, DSPMSG, DSPJOB, DSPJOBLOG, STRPCO, WRKMSG. The user cannot use F9 to display a command line from any menu or display.
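The three criteria on slides 3 to 6 (special authorities, user class defaults, limit capabilities) can be turned into an audit that lists the profiles an auditor would call powerful. The following is an added example, not code from the slides or from any vendor. It reads rows shaped like four columns of the IBM i SQL view QSYS2.USER_INFO (AUTHORIZATION_NAME, USER_CLASS_NAME, SPECIAL_AUTHORITIES, LIMIT_CAPABILITIES); the rows used here are constructed sample data, and the finding codes are this example's own naming.

```python
"""Find 'powerful' IBM i user profiles from an export of user-profile attributes.

Added example (not from the original slides). The rows mimic four columns of
the IBM i SQL view QSYS2.USER_INFO (AUTHORIZATION_NAME, USER_CLASS_NAME,
SPECIAL_AUTHORITIES, LIMIT_CAPABILITIES). On a live system they would come
from a query against that view; the rows below are constructed sample data.
"""

# Default special authorities granted to each user class at security level
# 30 or above (the deck's user-class table). *SECOFR gets *ALL, i.e. all eight.
ALL_SPECIAL_AUTHORITIES = {
    "*ALLOBJ", "*SECADM", "*JOBCTL", "*SPLCTL",
    "*SAVSYS", "*SERVICE", "*AUDIT", "*IOSYSCFG",
}
CLASS_DEFAULTS = {
    "*SECOFR": set(ALL_SPECIAL_AUTHORITIES),
    "*SECADM": {"*SECADM"},
    "*PGMR": set(),
    "*SYSOPR": {"*JOBCTL", "*SAVSYS"},
    "*USER": set(),
}

# Constructed sample rows: (AUTHORIZATION_NAME, USER_CLASS_NAME,
# SPECIAL_AUTHORITIES, LIMIT_CAPABILITIES). Not real profiles.
SAMPLE_ROWS = [
    ("QSECOFR", "*SECOFR", "*ALLOBJ *SECADM *JOBCTL *SPLCTL *SAVSYS *SERVICE *AUDIT *IOSYSCFG", "*NO"),
    ("OPER1",   "*SYSOPR", "*JOBCTL *SAVSYS", "*PARTIAL"),
    ("JSMITH",  "*USER",   "*ALLOBJ *JOBCTL", "*NO"),
    ("DEVLEAD", "*PGMR",   "*SECADM *ALLOBJ", "*NO"),
    ("HRCLERK", "*USER",   "*NONE", "*YES"),
]


def parse_special_authorities(value: str) -> set[str]:
    """SPECIAL_AUTHORITIES is a blank-separated list; *NONE means no special authority."""
    return {a for a in value.split() if a != "*NONE"}


def audit_profile(name: str, user_class: str, spcaut: str, lmtcpb: str) -> list[str]:
    """Return finding codes for one profile, following the deck's three criteria:
    special authorities, user class (defaults vs. what is actually held) and
    limit capabilities."""
    held = parse_special_authorities(spcaut)
    findings = []
    # *ALLOBJ overrides private authority: effectively every function on the system.
    if "*ALLOBJ" in held:
        findings.append("ALLOBJ")
    # *SECADM together with *ALLOBJ can hand *SECADM to other profiles.
    if {"*ALLOBJ", "*SECADM"} <= held:
        findings.append("SECADM_PLUS_ALLOBJ")
    # Authorities beyond what the profile's user class grants by default mean
    # someone added them by hand; an unknown class gets no defaults.
    extra = held - CLASS_DEFAULTS.get(user_class, set())
    if extra:
        findings.append("BEYOND_CLASS:" + ",".join(sorted(extra)))
    # LMTCPB(*NO) means a full command line, which matters most when the
    # profile also holds special authority to use from it.
    if lmtcpb == "*NO" and held:
        findings.append("LMTCPB_NO")
    return findings


def audit(rows) -> dict[str, list[str]]:
    """Audit every row; profiles with no findings are omitted."""
    report = {}
    for name, user_class, spcaut, lmtcpb in rows:
        findings = audit_profile(name, user_class, spcaut, lmtcpb)
        if findings:
            report[name] = findings
    return report


def powerful_profiles(rows) -> list[str]:
    """Names of profiles that triggered at least one finding, sorted."""
    return sorted(audit(rows))


if __name__ == "__main__":
    for name, findings in audit(SAMPLE_ROWS).items():
        print(f"{name:<10} {' '.join(findings)}")
```

The BEYOND_CLASS finding is the one worth acting on first: a *USER or *PGMR profile holding *ALLOBJ was almost always granted it by hand for a one-off task and never revoked, which is exactly the pattern the next slides describe. OPER1 holds only its *SYSOPR defaults and is not reported, even though it does have special authority.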
7. Challenges of Managing Elevated Authority
• Security auditors require that users be given only the authorities needed to do their job
• Handling frequent user requests for elevated authority is time consuming
• Elevated authority should only be granted as needed – and then revoked
• The activity of users with elevated authorities should be monitored to protect sensitive data and operations
• Separation of duties for administrators is best practice
Typical requests: “I need to be *SYSOPR for this assignment!” “I need *ALLOBJ to do my job!” “Can I have *SPLCTL for my project?”
8. Benefits of Elevated Authority Management Solutions
• Satisfies security officers by reducing the number of powerful user profiles
• Makes it easy to manage requests for elevated authority on demand
• Enforces segregation of duties
• Produces necessary alerts, reports and a comprehensive audit trail
• Significantly reduces security exposures caused by human error
• Reduces risk of unauthorized access to sensitive data
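Slides 7 and 8 describe the policy an elevated-authority process has to enforce: grant only as needed, revoke afterwards, keep requester and approver separate, and leave an audit trail. The following added example models that lifecycle; it is not code from the slides and not any vendor's product. It builds the CHGUSRPRF command strings that would apply and remove the authority but never executes them, and the assumption that a job holding *SECADM would run them is this example's, not the deck's. The clock is injected so the walk-through is deterministic.

```python
"""Time-boxed elevated-authority workflow with separation of duties and an audit trail.

Added example, not from the original slides and not any vendor's product. It
models the policy the deck describes: a user asks for a special authority, a
different person approves it, the grant expires and is revoked, and every step
is recorded. The CHGUSRPRF command strings are only built, never executed;
on a live system they would be run by a job that holds *SECADM (that
deployment detail is an assumption, not from the deck).
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Callable

SPECIAL_AUTHORITIES = {
    "*ALLOBJ", "*SECADM", "*JOBCTL", "*SPLCTL",
    "*SAVSYS", "*SERVICE", "*AUDIT", "*IOSYSCFG",
}


@dataclass
class Grant:
    user: str
    authority: str
    requester: str
    approver: str
    expires: datetime
    active: bool = True


class ElevationManager:
    """Tracks temporary grants on top of each profile's standing special authorities."""

    def __init__(self, clock: Callable[[], datetime], baseline: dict[str, set[str]]):
        self.clock = clock            # injected so the example is deterministic
        self.baseline = baseline      # user -> standing special authorities
        self.grants: list[Grant] = []
        self.audit_log: list[dict] = []

    def _log(self, event: str, **fields) -> None:
        self.audit_log.append({"time": self.clock().isoformat(), "event": event, **fields})

    def request(self, user, authority, requester, approver, minutes):
        if authority not in SPECIAL_AUTHORITIES:
            raise ValueError(f"not a special authority: {authority}")
        # Separation of duties: the approver may be neither the requester
        # nor the profile being elevated.
        if approver in (requester, user):
            self._log("DENIED", user=user, authority=authority, requester=requester,
                      approver=approver, reason="separation of duties")
            return None
        grant = Grant(user, authority, requester, approver,
                      self.clock() + timedelta(minutes=minutes))
        self.grants.append(grant)
        self._log("GRANTED", user=user, authority=authority, requester=requester,
                  approver=approver, expires=grant.expires.isoformat())
        return grant

    def effective_authorities(self, user) -> set[str]:
        held = set(self.baseline.get(user, set()))
        held |= {g.authority for g in self.grants if g.user == user and g.active}
        return held

    def spcaut_command(self, user) -> str:
        # CHGUSRPRF SPCAUT() replaces the whole list, so the command must
        # restate the standing authorities, not just the one being added or removed.
        held = sorted(self.effective_authorities(user))
        return f"CHGUSRPRF USRPRF({user}) SPCAUT({' '.join(held) if held else '*NONE'})"

    def expire(self) -> list[str]:
        """Revoke every grant past its expiry; return the commands to apply."""
        now = self.clock()
        commands = []
        for g in self.grants:
            if g.active and g.expires <= now:
                g.active = False
                self._log("REVOKED", user=g.user, authority=g.authority)
                commands.append(self.spcaut_command(g.user))
        return commands


def run_scenario() -> dict:
    """Constructed walk-through: a self-approved request is denied, a properly
    approved *SPLCTL grant is issued for 60 minutes, then revoked on expiry."""
    clock = {"t": datetime(2024, 1, 1, 9, 0, tzinfo=timezone.utc)}
    mgr = ElevationManager(lambda: clock["t"], baseline={"JSMITH": {"*JOBCTL"}})
    denied = mgr.request("JSMITH", "*SPLCTL", requester="JSMITH", approver="JSMITH", minutes=60)
    grant = mgr.request("JSMITH", "*SPLCTL", requester="JSMITH", approver="SECOFR2", minutes=60)
    grant_cmd = mgr.spcaut_command("JSMITH")
    clock["t"] += timedelta(minutes=61)
    revoke_cmds = mgr.expire()
    return {
        "denied": denied is None,
        "granted": grant is not None,
        "grant_cmd": grant_cmd,
        "revoke_cmds": revoke_cmds,
        "events": [e["event"] for e in mgr.audit_log],
    }


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(key, value)
```

Two design points carry the weight here. Revocation is driven by the expiry recorded at grant time, not by anyone remembering to remove the authority, which is the failure mode the deck's "and then revoked" bullet is about. And because SPCAUT() on CHGUSRPRF replaces the entire list, the revoke command restates the profile's standing authorities (JSMITH keeps *JOBCTL) rather than blanking them, an easy mistake in hand-rolled scripts.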
9. DIY or 3rd Party Tradeoffs
Do-It-Yourself In-House
• Stretched resources required for business critical projects
• May need to bring in consultants or hire new employees because of lack of IBM i security knowledge and experience
• Need to maintain and update in-house tools to stay on top of OS and PTF releases
• Staff turnover can leave you without the ability to manage in-house solutions
Third-Party Solutions
• Frees up resources for other projects
• Provides separation of duties
• Leverages experts in the field
• Vendor is in the business of releasing updated software
• Vendors ensure programs stay current to the latest threats and OS capabilities
• Vendor-provided services can fill skills gaps for implementation and management
11. Syncsort offers security solutions that address the issues on the radar screen of every security officer and IBM i admin
Data Privacy: Protect the privacy of data at-rest or in-motion to prevent data breaches
Access Control: Ensure comprehensive control of unauthorized access and the ability to trace any activity, suspicious or otherwise
Compliance Monitoring: Gain visibility into all security activity on your IBM i and optionally feed it to an enterprise console
Security Risk Assessment: Assess your security threats and vulnerabilities
12. Access Control Solutions
Multi-Factor Authentication: Strengthen login security by requiring multiple forms of authentication
Elevated Authority Management: Automatically elevate user authority as-needed and on a limited basis
Access Control: Secure all points of entry into your system including network access, database access, command line access and more
13. The Syncsort Services Team Is Here for You
Expert services are available for
• Security risk assessment
• Quick start services
• Quick check services
• Security update services (hot fixes, PTFs, new releases, etc.)
• System update services (ensuring security solution is properly configured after system changes to IP addresses, OS versions, etc.)
• Auditor assist (supporting internal or external auditors)
• Managed security services
• A la carte consulting
Leverage the seasoned security experts in Syncsort Global Services!