Security best practices and regulations require limiting the number of privileged user accounts. Yet having too many users with elevated authorities is one of the most common security issues found on IBM i systems – leaving systems and data exposed.
Managing elevated authority is an ongoing challenge. Give users too much access and you’re at risk of a data breach. Give them too little, and they can’t do their jobs.
View this webinar with security expert Jeff Uehling on-demand to learn about:
• Powerful authorities and user profiles you need to control
• How authorities are obtained and different methods for elevating authority
• The importance of automating authority management and logging the actions of elevated users
• How Syncsort’s Assure Security can help
The Dangers of Elevated IBM i Authorities and How to Manage Them
1. The Dangers of Elevated IBM i Authorities and How to Manage Them
Jeff Uehling, IBM i Security Expert
2. Housekeeping
Webcast Audio
• Today's webcast audio is streamed through your computer speakers.
• If you need technical assistance with the web interface or audio, please reach out to us using the chat window.
Questions Welcome
• Submit your questions at any time during the presentation using the chat window.
• We will answer them during our Q&A session following the presentation.
Recording and slides
• This webcast is being recorded. You will receive an email following the webcast with a link to download both the recording and the slides.
3. Today's Topics
• Understanding powerful authorities and user profiles
• How authorities are obtained
• Methods for elevating authority
• Automating authority management
• How Syncsort's Assure Security can help
• Q&A
5. What Is Elevated Authority?
• A user's authorities define what they can do on an IBM i system, including the menus they can access, the commands they can run and the actions they can take
• Elevated authorities are those that give users more powerful privileges
• Some people may refer to elevated authority as privileged access
6. Why Elevated Authorities Must Be Limited
• Having too many powerful users leaves the system and data exposed
• Controlling user authorities is required by regulations such as SOX, HIPAA, the Federal and North American Information Practice Act, GDPR and more
• Compliance auditors require that additional authority be granted only when needed and only for the time required
• Security best practice is for users to have only the authorities required to do their jobs
• Even administrators should have their actions monitored (separation of duties) as a best practice
• Outsiders who obtain credentials will attempt to elevate authority unchecked unless you have control of that process
7. Regulatory Requirements

General Data Protection Regulation (GDPR)
Enforcement date: 25 May 2018
Regulation in European Union law on data protection and privacy for all individuals within the European Union (EU) and the European Economic Area (EEA). Applies to all organizations doing business with EU citizens. Aims primarily to give citizens and residents protection of, and control over, their personal data, including:
• Access control
• Sensitive data protection
• Restricted user privileges
• System activity logging
• Risk assessments

New York Dept. of Financial Services Cybersecurity Regulation (NYS 23 NYCRR 500)
Enforcement date: February 15, 2018
Requires banks, insurance companies, and other financial services institutions to establish and maintain a cybersecurity program designed to protect consumers and to ensure the safety and soundness of New York State's financial services industry. Its requirements protect the confidentiality, integrity and availability of information systems, including:
• Risk assessments
• Restricted user privileges
• Automatic logouts
• Antivirus
• Multi-factor authentication
• System activity logging

Sarbanes–Oxley Act
Enacted July 30, 2002
United States federal law that sets requirements for U.S. public companies; certain provisions apply to private companies. Requires corporations to assess the effectiveness of internal controls and report this assessment annually to the SEC. Any review of internal controls would not be complete without addressing controls around information security, including:
• Security Policy
• Security Standards
• Access and Authentication
• Network Security
• Monitoring
• Segregation of Duties
9. What Defines a Powerful Profile?
Three things in the IBM i OS contribute to making powerful user profiles:
1. Special authorities
2. User class
3. Limit capabilities
10. Special Authority
"Special authority is used to specify the types of actions a user can perform on system resources. A user can be given one or more special authorities."
IBM i, Security, Security reference, Version 7.3

Special authority   Actions allowed
*ALLOBJ             Access any resource; overrides private authority. Essentially gives access to all functions on the system.
*SECADM             Create, change and delete user profiles. *SECADM together with *ALLOBJ is needed to give *SECADM to another user.
*JOBCTL             Control jobs, stop subsystems, perform an initial program load (IPL).
*SPLCTL             Any operation on any spooled file on the system; confidential spooled files are not protected from this user.
*SAVSYS             Save, restore and free storage for all objects on the system.
*SERVICE            Start system service tools (STRSST), debug programs with only *USE authority, run traces.
*AUDIT              Stop, start and manage auditing on the system.
*IOSYSCFG           Change how the system is configured: add or remove communications configurations and TCP/IP servers.
11. User Class
"User class is used to control what menu options are shown to the user on IBM i menus. This helps control user access to some system functions."
IBM i, Security, Security reference, Version 7.3

Default special authorities by user class (security level 30 or above):
User class   Special authorities
*SECOFR      *ALL (every special authority)
*SECADM      *SECADM
*PGMR        *NONE
*SYSOPR      *JOBCTL, *SAVSYS
*USER        *NONE
12. Limit Capabilities
"You can use the Limit capabilities field to limit the user's ability to enter commands and to override the initial program, initial menu, current library, and attention-key-handling program specified in the user profile. This field is a tool for preventing users from experimenting on the system."
IBM i, Security, Security reference, Version 7.3

Function                   *YES     *PARTIAL   *NO
Change initial program     No       No         Yes
Change initial menu        No       Yes        Yes
Change current library     No       No         Yes
Change attention program   No       No         Yes
Enter commands             A few*   Yes        Yes
* With LMTCPB(*YES) only these commands are allowed by default: SIGNOFF, SNDMSG, DSPMSG, DSPJOB, DSPJOBLOG, STRPCO, WRKMSG. The user cannot use F9 to display a command line from any menu or display. Any command can be made available to limited users with CHGCMD ALWLMTUSR(*YES), so a review of powerful profiles should also check which commands carry that attribute.
14. Object Authority
Authority is required to access every object on the system. Excessive authority granted to an object is a security concern.

Authority   Specific authorities included
*ALL        *OBJOPR *OBJMGT *OBJEXIST *OBJALTER *OBJREF *READ *ADD *UPD *DLT *EXECUTE
*CHANGE     *OBJOPR *READ *ADD *UPD *DLT *EXECUTE
*USE        *OBJOPR *READ *EXECUTE
*EXCLUDE    (none)
16. How Does the System Determine Access to an Object?
When the user signs on and attempts to access an object, the OS checks that the user is authorized to perform the requested action against that object.
The access being checked depends on the object type:
• Call a *PGM
• Run a *CMD
• Open a *FILE
• Etc.
NOTE: *ALLOBJ special authority gives the user access to all objects on the system. *ALLOBJ = security officer!
17. How Does the System Determine Access to an Object? (continued)
To access or use an object, the user must have sufficient authority to the object. The authority could come from:
• *ALLOBJ special authority (security officer authority), a privilege given to a user via the CRTUSRPRF or CHGUSRPRF command
• Private authority to the object
• Authorization list authority
• *PUBLIC authority
• Adopted authority (discussed later)
18. Authority Search Order
USER (the search stops as soon as ANY authority is found for the user, sufficient or not)
  1. *ALLOBJ special authority
  2. Private authority to the object
  3. Authorization list entry for the user
GROUP(S) (repeated for each group until sufficient authority is accumulated or there are no more groups)
  4. *ALLOBJ special authority of the group
  5. Primary group authority
  6. Private authority of the group
  7. Authorization list entry for the group
*PUBLIC (checked only when no authority is found for the user or the group(s))
  8. *PUBLIC authority of the object
  9. *PUBLIC authority of the authorization list
ADOPTED (checked only when user, group or public authority is not sufficient)
  10. Authority adopted from programs in the call stack
19. Program Adopted Authority
• Used to temporarily elevate the authority of a running application
• When a program created with USRPRF(*OWNER) runs, the authority in effect is that of the user plus that of the owner of the program
• Both special authorities and private authorities are adopted (the program owner's group profiles are not adopted)
• Program adopted authority is in effect for as long as the program is in the call stack
20. Adopted Authority: Setting a program to adopt the owner's authority
To create a program that adopts authority:
• Sign on as AR_APP_OWN
• CRTxxxPGM PGM(AR_DATA/ARAPPADOPT) USRPRF(*OWNER)
This program will run with the authority of the program owner, in this case AR_APP_OWN, in addition to that of the job/thread user profile.
21. Adopted Authority: Setting the "use adopted authority" program attribute
Use the CHGPGM (Change Program) command to set the "use adopted authority" attribute:
CHGPGM PGM(PGM_C) USEADPAUT(*NO)
This program will "block" adopted authority from any previously called program in the invocation stack that has the USRPRF(*OWNER) attribute. It still adopts its own owner's authority if it was itself created with USRPRF(*OWNER); USEADPAUT only governs authority inherited from earlier call-stack entries.
22. How to Tell Whether a Program Adopts
Use the DSPPGM or DSPSRVPGM command. The "User profile" attribute shows *OWNER for a program that adopts, and "Use adopted authority" shows whether it uses authority adopted by earlier programs in the stack. To list every object that adopts a given profile, use PRTADPOBJ USRPRF(profile).
23. Adopted Authority Example
Scenario
• Signed-on user: JEFF
• Needs to modify a file, which requires *CHANGE authority
• *PUBLIC authority of the file is *EXCLUDE

Program call stack (oldest first) and the profiles whose authority is checked:
PGM_A   Owner: APP_OWNER   User profile: *OWNER
        Checked: JEFF, then APP_OWNER
PGM_B   Owner: QSECOFR     User profile: *OWNER
        Checked: JEFF, then APP_OWNER (from PGM_A), then QSECOFR
PGM_C   Owner: APP_OWNER   User profile: *USER   Use adopted authority: *NO
        Checked: only JEFF, because USEADPAUT(*NO) blocks the authority adopted by PGM_A and PGM_B, and USRPRF(*USER) adopts nothing itself
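The search order on slide 18 and the adopted-authority rules on slides 19 to 23, worked through as an added Python model. This is example code written for this page, not code from the webinar or from IBM. All profile, program and object names are hypothetical; check returns whether access is granted and which profiles' authority was consulted, and adopting_owners returns the owners whose authority is adopted for a given call stack. Two points are modeling assumptions rather than IBM statements: primary-group authority is stored like a private authority, and partial authority found earlier in the search is accumulated with adopted authority.

```python
from dataclasses import dataclass, field

# Object authority classes from slide 14 as sets of the ten specific authorities.
ALL = frozenset({"*OBJOPR", "*OBJMGT", "*OBJEXIST", "*OBJALTER", "*OBJREF",
                 "*READ", "*ADD", "*UPD", "*DLT", "*EXECUTE"})
CHANGE = frozenset({"*OBJOPR", "*READ", "*ADD", "*UPD", "*DLT", "*EXECUTE"})
USE = frozenset({"*OBJOPR", "*READ", "*EXECUTE"})
EXCLUDE = frozenset()

@dataclass
class Profile:                     # hypothetical user or group profile
    name: str
    allobj: bool = False           # holds *ALLOBJ special authority
    groups: tuple = ()             # group profile and supplemental groups

@dataclass
class Obj:                         # hypothetical object, e.g. a *FILE
    owner: str
    public: frozenset = EXCLUDE    # *PUBLIC authority
    private: dict = field(default_factory=dict)  # profile -> authorities (assumption: primary-group authority kept here too)
    autl: dict = field(default_factory=dict)     # authorization-list entries

@dataclass
class StackEntry:                  # one program in the call stack
    program: str
    owner: str
    usrprf_owner: bool = False     # created with USRPRF(*OWNER)
    useadpaut: bool = True         # USEADPAUT(*YES); *NO hides earlier entries

def found(obj, name):
    """Private authority to the object, else the profile's authorization-list entry."""
    return obj.private.get(name, obj.autl.get(name))

def adopting_owners(stack):
    """Owners whose authority is adopted for the newest program, oldest first.
    A USEADPAUT(*NO) entry still adopts its own owner but hides everything
    called before it; owners' group profiles are never adopted."""
    start = max([i for i, e in enumerate(stack) if not e.useadpaut], default=0)
    return [e.owner for e in stack[start:] if e.usrprf_owner]

def check(user, obj, required, stack=(), profiles=None):
    """Return (authorized, profiles consulted) following the slide-18 order."""
    profiles = profiles or {}
    consulted = [user.name]
    if user.allobj:                          # USER: *ALLOBJ wins outright
        return True, consulted
    have = found(obj, user.name)             # any user authority found ends the search
    if have is None:
        have, group_found = frozenset(), False
        for g in user.groups:                # GROUPS: accumulate until sufficient
            consulted.append(g)
            if profiles.get(g, Profile(g)).allobj:
                return True, consulted
            ga = found(obj, g)
            if ga is not None:
                group_found, have = True, have | ga
                if required <= have:
                    return True, consulted
        if not group_found:                  # *PUBLIC: only if nothing was found above
            have = obj.public
    if required <= have:
        return True, consulted
    for owner in adopting_owners(stack):     # ADOPTED: only when still insufficient
        consulted.append(owner)              # (assumption: accumulated with the above)
        if profiles.get(owner, Profile(owner)).allobj:
            return True, consulted
        have = have | (found(obj, owner) or frozenset())
        if required <= have:
            return True, consulted
    return False, consulted

# Constructed scenario from slide 23: JEFF needs *CHANGE to a file with
# *PUBLIC(*EXCLUDE) whose owner APP_OWNER holds *ALL to it.
PROFILES = {"JEFF": Profile("JEFF"), "APP_OWNER": Profile("APP_OWNER"),
            "QSECOFR": Profile("QSECOFR", allobj=True)}
AR_FILE = Obj(owner="APP_OWNER", private={"APP_OWNER": ALL})
PGM_A = StackEntry("PGM_A", "APP_OWNER", usrprf_owner=True)
PGM_B = StackEntry("PGM_B", "QSECOFR", usrprf_owner=True)
PGM_C = StackEntry("PGM_C", "APP_OWNER", usrprf_owner=False, useadpaut=False)
STACKS = ((PGM_A,), (PGM_A, PGM_B), (PGM_A, PGM_B, PGM_C))

def slide23_cases():
    """Whether JEFF gets *CHANGE at each call-stack depth on slide 23."""
    return [check(PROFILES["JEFF"], AR_FILE, CHANGE, s, PROFILES)[0] for s in STACKS]

def group_accumulation_case():
    """*USE from GRP1 plus *ADD/*UPD/*DLT from GRP2 add up to *CHANGE."""
    p = {"ANN": Profile("ANN", groups=("GRP1", "GRP2"))}
    f = Obj(owner="OWN", private={"OWN": ALL, "GRP1": USE,
                                  "GRP2": frozenset({"*OBJOPR", "*ADD", "*UPD", "*DLT"})})
    return check(p["ANN"], f, CHANGE, (), p)

def private_stops_search_case():
    """BOB's own *USE is found first, so GRP1's *ALL is never consulted."""
    p = {"BOB": Profile("BOB", groups=("GRP1",))}
    f = Obj(owner="OWN", private={"OWN": ALL, "BOB": USE, "GRP1": ALL})
    return check(p["BOB"], f, CHANGE, (), p)
```

The three STACKS entries reproduce the slide-23 rows: a single adopting program gives JEFF access through APP_OWNER, adding PGM_B brings in QSECOFR's *ALLOBJ, and PGM_C with USEADPAUT(*NO) and USRPRF(*USER) leaves only JEFF, who is denied. The two extra cases show the rule that matters most in audits: group authority accumulates, but a user's own private authority, even an insufficient one, ends the search before groups and *PUBLIC are considered.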
24. Adopted Authority Summary
• Secure the application objects with PUBLIC(*EXCLUDE); this provides a secure environment for all application objects
• Use program adopted authority to gain access to the application objects at application run time
• Use the "Use adopted authority = *NO" attribute if a command line, an authority check, etc. is necessary
• Use an authorization list to provide "private authority" access to a set of data files that may need to be examined "outside" of the application, via Query, FTP, etc.
• Profile "swap" is required for accessing secure IFS objects (next topic)
25. Profile Swapping
• Used to change the user profile of the thread running the application in order to obtain elevated authority.
EXAMPLE: A job running as user JEFF is swapped, by the swap API called by the application, to run as user PAYROLL.
Swap APIs allow the user profile of a job to be swapped:
1. QSYGETPH – Get Profile Handle
2. QWTSETP – Set Profile: swap the profile in the job using the profile handle
3. QSYRLSPH – Release Profile Handle
26. Profile Swap and Cleanup Example
Use of the QSYGETPH and QWTSETP APIs allows the user profile of a job to be swapped:
• Sign on as user JEFF
• Swap to user PAYROLL
The job is now running under user PAYROLL. If the application fails without using a cleanup technique, the job continues to run under PAYROLL, with PAYROLL's authority available to whatever runs next in that job.
A scope message provides the ability to clean up, i.e. to swap back to the original user.
• NOTE: Scope-handling programs can be used to clean up anything within the application, such as profile swapping, libraries in the library list, open files, etc.
• NOTE: Cancel handlers or named activation group exits are also alternatives for cleanup.
Code example follows...
27. Profile Swap Example Code
• The source code in the following slides can be used to test user profile swap.
• Copy the source code into a source physical file, for example member PAYADP in file QCLSRC and member SCOPEPGM in file QCLSRC, and update the source with a test user name.
• The CL programs you create need to adopt the authority of a powerful user, such as QSECOFR. The profile swap API QSYGETPH, when called with *NOPWDCHK, requires *ALLOBJ and *SECADM special authority. Program adoption provides the authority required to swap when the program is run by a low-power user.
• Create the PAYADP program with PUBLIC(*EXCLUDE) authority. This program is only an example. When using profile swap in an application, the program must never return control to the end user (command line) without first swapping back to the original user. The SCOPEPGM program can be created with PUBLIC(*USE).
• Sign on as an *ALLOBJ user, create the programs, and then change the owner to QSECOFR or a powerful user of your choice. The program does not have to be owned by QSECOFR; any profile with *ALLOBJ and *SECADM will work. If you use a specific user profile related to the application, the resulting audit records can be associated with running that particular application.
• CRTCLPGM PGM(PAYROLL/PAYADP) USRPRF(*OWNER) AUT(*EXCLUDE)
• CRTCLPGM PGM(PAYROLL/SCOPEPGM) USRPRF(*OWNER) AUT(*USE)
28. Profile Swap & Scope Message for Cleanup
/* Sign on with an *ALLOBJ and *SECADM user to create this program. */
/* Create this program, PAYADP, with USRPRF(*OWNER) so that it adopts the authority required to get a profile */
/* handle for another user profile. NOTE: Control access to this program with PUBLIC(*EXCLUDE). */
PGM
DCL VAR(&ERRCDE) TYPE(*CHAR) LEN(8) VALUE(X'0000000000000000') /* Bytes provided = 0: API errors arrive as escape messages */
DCL VAR(&MSGKEY) TYPE(*CHAR) LEN(4)                             /* Message key returned by QMHSNDSM */
DCL VAR(&HNDLCUR) TYPE(*CHAR) LEN(12)                           /* Profile handle of the original user */
DCL VAR(&HNDL) TYPE(*CHAR) LEN(12)                              /* Profile handle of the user to swap to */
DCL VAR(&SCPTYPE) TYPE(*CHAR) LEN(10) VALUE('*CSE')             /* Scope type: this call stack entry */
DCL VAR(&SCPPGM) TYPE(*CHAR) LEN(20) VALUE('SCOPEPGM  PAYROLL') /* Qualified name: 10-char program + 10-char library; */
                                                                /* must match the library SCOPEPGM was created in */
DCL VAR(&SCPLEN) TYPE(*INT) LEN(4) VALUE(12)                    /* Length of scope data = length of a profile handle */
/* Call QSYGETPH to get a profile handle for the current (original) user. */
/* *NOPWDCHK requires *ALLOBJ and *SECADM, which this program gets by adoption. */
CALL PGM(QSYS/QSYGETPH) PARM('*CURRENT' '*NOPWDCHK' &HNDLCUR)
/* Send a scope message so that SCOPEPGM is called when this program ends, normally or abnormally. */
/* The original user's handle is passed as scope data so that SCOPEPGM can swap back and release it. */
CALL PGM(QSYS/QMHSNDSM) PARM(&SCPTYPE &SCPPGM &HNDLCUR &SCPLEN &MSGKEY &ERRCDE)
/* Call QSYGETPH to get a profile handle for the user to swap to. Replace PAYROLL with a test user of your choice. */
CALL PGM(QSYS/QSYGETPH) PARM('PAYROLL' '*NOPWDCHK' &HNDL)
/* Call QWTSETP to swap the job's user profile to PAYROLL. */
CALL PGM(QSYS/QWTSETP) PARM(&HNDL)
/* Normal application logic runs here under PAYROLL. */
/* Call QSYRLSPH to release the PAYROLL handle. SCOPEPGM swaps back to the original user and releases &HNDLCUR. */
CALL PGM(QSYS/QSYRLSPH) PARM(&HNDL)
ENDPGM
29. Scope Message Handling Program for Cleanup
PGM PARM(&DATA) /* SCOPEPGM */
/* This program is called when the invocation that ran the QMHSNDSM API returns, either normally or abnormally. */
DCL VAR(&DATA) TYPE(*CHAR) LEN(12) /* Scope data received as input when this scope-handling program is called. */
                                   /* The data is variable length and is declared and set by the program that */
                                   /* issues QMHSNDSM. For this test program it is the 12-byte profile handle */
                                   /* of the original user obtained via *CURRENT on QSYGETPH. */
/* Program logic to clean up: */
/* Call QWTSETP to swap back to the original profile. */
CALL PGM(QSYS/QWTSETP) PARM(&DATA)
/* Call QSYRLSPH to release the profile handle. */
CALL PGM(QSYS/QSYRLSPH) PARM(&DATA)
ENDPGM
30. Profile Swapping Summary
• Secure the application objects with PUBLIC(*EXCLUDE); this provides a secure environment for all application objects
• Use profile swapping to elevate authority in order to allow access to application objects at application run time
• Make sure you swap back to the original user if presenting a command line, performing an authority check, etc., and when returning control back to the end user from the application
• Use an authorization list to provide "private authority" access to a set of data files that may need to be examined outside of the application, via Query, FTP, etc.
• Profile "swap" is required for accessing secure IFS objects
32. Challenges of Managing Elevated Authority
• Elevated authority should only be granted as needed, and then revoked
• Manually granting and revoking elevated authority is time consuming and error prone
• A log of the activities of users with elevated authorities should be maintained so their actions can be monitored
• Remember that administrators, who have elevated authority, also need to have their actions monitored
Typical requests: "I need to be *SYSOPR for this assignment!" "I need *ALLOBJ to do my job!" "Can I have *SPLCTL for my project?"
34. Assure Security
A comprehensive solution that addresses all aspects of IBM i security and helps to ensure compliance with cybersecurity regulations. Whether your business needs to implement a full set of security capabilities, or you need to address a specific vulnerability, Assure Security is the solution.
35. Assure Security addresses the issues on every security officer and IBM i administrator's radar screen
Data Privacy: Protect the privacy of data at rest or in motion to prevent data breaches
Access Control: Ensure comprehensive control of unauthorized access and the ability to trace any activity, suspicious or otherwise
Compliance Monitoring: Gain visibility into all security activity on your IBM i and optionally feed it to an enterprise console
Security Risk Assessment: Assess your security threats and vulnerabilities
36. Assure Security
Assure Security strengthens IBM i security and assures regulatory compliance. Choose the full product, choose a feature bundle, or select a specific capability:
Assure Compliance Monitoring: Assure Monitoring & Reporting (SIEM add-on available), Assure Db2 Data Monitor
Assure Access Control: Assure Multi-Factor Authentication, Assure Elevated Authority Manager, Assure System Access Control
Assure Data Privacy: Assure Encryption, Assure Secure File Transfer (PGP add-on available)
Assure Security Risk Assessment
Common base: Assure Core Distribution Services
37. Assure Elevated Authority Manager, part of the Assure Access Control bundle, automates granting elevated user authorities on demand and on a time-limited basis.
38. Assure Elevated Authority Manager: Complete control of elevated user authorities
• Users request elevated authorities for a specific action
• Administrators can manually grant requests, or requests can be handled automatically
• Rules are defined for source and target profiles based on group profiles, supplemental groups, lists of users and more
• Rules can also determine the context in which authority is granted, such as time of day, job name, IP address and more
39. Assure Elevated Authority Manager: Provides flexibility and control
• *SWAP or *ADOPT methods can be used to elevate authority
• Can log user activity without elevating authorities
• Handles processes connecting via ODBC, JDBC, DRDA and FTP
• Integrates with external help desk ticketing systems
40. Assure Elevated Authority Manager: Enables comprehensive monitoring and auditing
• Monitor elevated users from GUI or 5250 displays
• Creates an audit trail of elevated user activity, using job logs, screen captures, exit points and journals
• Enriches job logs with SQL statements, FTP functions and commands
• Drill into logs of executed statements and view screen captures
• Alerts on events (such as exceeding the authorized time) via email, popup or syslog
• Generates reports in multiple formats, including PDF, XLS and CSV
• Log data can be forwarded to a SIEM console
51. Customer Stories
Automotive Manufacturer: A large division of an automotive manufacturer is required to comply with the Financial Instruments and Exchange Law. The dry run of their compliance audit showed an issue with authority granted to vendors: their process of granting and then revoking or reducing privileges was too manual, and vendors' authorities were not consistently revoked. After implementing Assure Elevated Authority Manager, vendor access to M3 is now closed by default. If access is granted, it is automatically revoked after a specified period of time.
European Bank: A busy bank required to comply with PCI, Basel II and country banking regulations wanted to remove special authorities from their user profiles. Assure Elevated Authority Manager has allowed them to remove special authorities from all profiles. In fact, IT administrators receive special authorities when they log in and operate under elevated authority management all day long, giving them easy access to authority while maintaining an audit trail of their actions.
52. Benefits of Assure Elevated Authority Manager
• Satisfies auditors by reducing the number of powerful user profiles
• Makes it easy to manage requests for elevated authority on demand
• Enforces segregation of duties
• Produces necessary alerts, reports and a comprehensive audit trail
• Significantly reduces security exposures caused by human error
• Reduces risk of unauthorized access to sensitive data
54. Recap
• Regulations and best practice require careful control of elevated authorities
• Management of elevation and tracking the actions of elevated users is challenging and error prone
• Tools are available to help you automate elevated authority management and maintain an audit trail
• Integration into help desk workflows gives you a smooth end-to-end elevated authority management process
• Assure Security can help you meet your compliance and security needs
55. Helpful Resources
To read more about IBM i elevated authority management, download our ebook!
Learn more about IBM i security in "The Essential Layers of IBM i Security".