readtech.com - Article: Securing User Profile Attributes
Article:

Securing User Profile Attributes

SkyView Partners Security News

by Carol Woodbury
23 APR 2007


Here is your iSeries security tip for April, 2007 from SkyView Partners, Inc., World Class i5/OS and OS/400 Security Experts.

You don't hear as much about the user profile setting of "limited capabilities" as you used to in the early days of OS/400. In the early releases, configuring 1) users' initial program to launch them directly into the appropriate application, 2) users' initial menu to *SIGNOFF, and 3) the limited capability attribute to *YES was about all an administrator had to do to make sure the data residing on an AS/400 was secure.

Those days are long gone, but the importance of using these user profile attributes isn't. Just because there are many ways in today's i5/OS world for a user to gain access to data beyond a menu environment, and because a good dose of object level security is required to secure data, doesn't mean you shouldn't take advantage of the features these attributes provide. Let's take a look.

Initial program -

The most popular task performed by a user's initial program is to launch the user into the appropriate application menu. However, I've seen initial programs perform many other tasks: setting up a library list, adopting authority to set up the user's authority to use the application, and configuring various job attributes.

Initial menu -

When a user signs on the system, the initial program, if defined, runs first, and then the initial menu is presented. If the initial program establishes the user's menu environment, what should the initial menu be used for? To tell i5/OS that when the initial program ends, i.e., when the user exits the initial program, the user is to be signed off immediately. With this setting users can't "wander" around the system; they're confined to the menus to which they've been assigned. Specify *SIGNOFF for the initial menu attribute to cause users to be signed off when they exit their initial program.

Limited capability -

Even though the limited capability parameter (LMTCPB) is ignored by some of the TCP/IP servers (such as the remote command server), you should still use it to limit the commands a user can enter from a command line.

Setting limited capability to *YES means that users can only run commands that have been configured to be run by a limited capability user, i.e., commands whose Allow limited user (ALWLMTUSR) attribute is *YES. i5/OS ships a handful of commands that a limited capability user can run: Sign off (SIGNOFF), Send message (SNDMSG), Display message (DSPMSG), Display job (DSPJOB), Display job log (DSPJOBLOG), Start PC Organizer (STRPCO) and Work with messages (WRKMSG). Also, when a user signs on the system, they cannot change their initial program, initial menu, current library or attention key program on the sign-on display. *PARTIAL means they can't change their initial program, current library or attention program but can change their initial menu and run commands. Quite honestly, I've never understood the benefits of setting a user to *PARTIAL. To me, it's as wide open as setting the value to *NO, which means the user can change all of the settings described above as well as enter all commands. You should review users' limited capability setting, setting as many users as possible to *YES, to control who can enter commands from a command line as well as through FTP's remote command function.
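The three attributes above are normally set together. What follows is an added example, not code from the article and not a SkyView product feature: a minimal initial CL program that builds the user's environment and presents the application menu, written so that a failure inside it signs the user off instead of leaving the job in a half-built state. APPLIB, APPDATA, APPMENU, APPINIT and APPUSER are placeholder names.

```cl
/* APPINIT - initial program for application users.                  */
/* Added example, not from the article; APPLIB, APPDATA and APPMENU  */
/* are placeholder names.                                            */
PGM
   /* If anything below fails, sign the user off rather than let the */
   /* job continue with whatever environment was half built.         */
   MONMSG MSGID(CPF0000) EXEC(SIGNOFF)

   /* Build the library list the application expects. A limited      */
   /* capability user has no command line with which to change it.   */
   CHGLIBL LIBL(APPLIB APPDATA QGPL QTEMP) CURLIB(APPLIB)

   /* Set the job attributes the menu code relies on; here, answer   */
   /* inquiry messages with their default reply instead of stopping  */
   /* on the user's display.                                         */
   CHGJOB INQMSGRPY(*DFT)

   /* Present the application menu. GO does not return until the     */
   /* user exits the menu (F3 or F12).                               */
   GO MENU(APPLIB/APPMENU)

   /* Returning from the initial program hands control to the        */
   /* initial menu attribute; with INLMNU(*SIGNOFF) the job ends.    */
ENDPGM
```

Compile it with CRTCLPGM (add USRPRF(*OWNER) only if the program is meant to adopt the owner's authority to the application data, and then make sure that only the owner and the intended users are authorized to the program object itself). Attach it to a profile with CHGUSRPRF USRPRF(APPUSER) INLPGM(APPLIB/APPINIT) INLMNU(*SIGNOFF) LMTCPB(*YES). Adopted authority stays in effect for everything the menu runs, including anything typed on the menu's own command line, which is one more reason to keep LMTCPB(*YES): with it, the only commands that line will accept are those carrying ALWLMTUSR(*YES), set with CHGCMD.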


Carol's Tech Tip

How SkyView Policy Minder can Help

User profile policy templates -

As you define a user profile policy template, you can define how users' initial program, initial menu and limited capability attributes are to be configured. When you run a compliance check against the user profile template, Policy Minder will identify any profile whose attributes don't match your policy and which attributes cause them to be non-compliant. You can choose to manually change the user profiles by using the Change User Profile (CHGUSRPRF) command, or you can enable and run the Policy Minder FixIt function to have Policy Minder make the attribute changes. All changes made through Policy Minder are logged in the Message log along with the attributes' previous value.
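For a site without Policy Minder, the same compliance check can be scripted with native commands. This is an added example, not the article's or the product's code: it dumps all profiles with DSPUSRPRF, retrieves the three attributes of each with RTVUSRPRF and writes a message to the job log for every profile that departs from the policy. The policy itself (every non-IBM profile has an initial program, INLMNU(*SIGNOFF) and LMTCPB(*YES)) and the skipping of profiles beginning with Q are assumptions made for the example; UPUPRF is taken to be the profile-name field of the QADSPUPB model outfile.

```cl
/* CHKUSRPRF - report profiles whose initial program, initial menu  */
/* or limited capability setting departs from the policy below.     */
/* Added example, not from the article or from Policy Minder.       */
PGM
   /* Model outfile for DSPUSRPRF TYPE(*BASIC); the UPUPRF field    */
   /* holds the profile name (assumed field name).                  */
   DCLF FILE(QSYS/QADSPUPB)
   DCL VAR(&INLPGM) TYPE(*CHAR) LEN(10)
   DCL VAR(&INLMNU) TYPE(*CHAR) LEN(10)
   DCL VAR(&LMTCPB) TYPE(*CHAR) LEN(10)
   DCL VAR(&MSG)    TYPE(*CHAR) LEN(132)

   /* Dump all profiles to a work file and read it back with RCVF.  */
   DSPUSRPRF USRPRF(*ALL) TYPE(*BASIC) OUTPUT(*OUTFILE) +
             OUTFILE(QTEMP/UPLIST)
   OVRDBF FILE(QADSPUPB) TOFILE(QTEMP/UPLIST)

READ:       RCVF
   MONMSG MSGID(CPF0864) EXEC(GOTO CMDLBL(DONE))   /* end of file  */

   /* IBM-supplied profiles (Q*) are outside this policy: assumption */
   IF COND(%SST(&UPUPRF 1 1) *EQ 'Q') THEN(GOTO CMDLBL(READ))

   RTVUSRPRF USRPRF(&UPUPRF) INLPGM(&INLPGM) INLMNU(&INLMNU) +
             LMTCPB(&LMTCPB)

   /* Policy (assumed): an initial program, INLMNU(*SIGNOFF) and    */
   /* LMTCPB(*YES) for every application user.                      */
   IF COND((&INLPGM *EQ '*NONE') *OR (&INLMNU *NE '*SIGNOFF') +
           *OR (&LMTCPB *NE '*YES')) THEN(DO)
      CHGVAR VAR(&MSG) VALUE('NONCOMPLIANT' *BCAT &UPUPRF *BCAT +
             'INLPGM=' *CAT &INLPGM *TCAT ' INLMNU=' *CAT &INLMNU +
             *TCAT ' LMTCPB=' *CAT &LMTCPB)
      /* One job log entry per finding, with the offending values.  */
      SNDPGMMSG MSGID(CPF9898) MSGF(QCPFMSG) MSGDTA(&MSG) +
                TOPGMQ(*SAME) MSGTYPE(*INFO)
   ENDDO
   GOTO CMDLBL(READ)

DONE:       DLTOVR FILE(QADSPUPB)
ENDPGM
```

Run it from a job whose log you keep (DSPJOBLOG shows the findings) and fix each reported profile with CHGUSRPRF; the program deliberately reports rather than changes anything, so the review step the article describes stays in human hands.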

Commands for Limited Users

I recommend that you run the Policy Minder initialize function (option 60 from the Main menu) on the Commands for Limited Users category. Initialization will gather the commands that are currently configured to be run by a user whose limited capability setting is *YES, that is, commands with ALWLMTUSR(*YES) (the attribute that DSPCMD shows for an individual command). Review this list; you may be surprised by which commands vendors or developers have changed to allow a limited capability user to run. Once you are comfortable that this list reflects your policy requirements, run a compliance check on this category at least monthly to ensure all commands stay compliant with your command policy.

Sincerely,

Carol Woodbury
SkyView Partners, Inc.


About the author
Carol Woodbury spent 16 years with IBM in Rochester, MN. She served for more than 10 years as the AS/400 Security Architect and Chief Engineering Manager of Security Technology for IBM's Enterprise Server Group. During this time Carol provided security architecture and design consultations with IBM Business Partners and large AS/400 customers. She is known worldwide as an author and speaker on security technology, specializing in OS/400 and i5/OS security issues. Carol co-authored the popular book, Experts' Guide to OS/400 and i5/OS Security from 29th Street Press, has written numerous articles on security and is a technical editor for the IBM Systems Magazine. Carol is also a subject matter expert on security for COMMON, security author for Experts Journal, contributing author on security for System iNEWS and MC Press Online and the security expert for search400.

Copyright © 2000 - 2008 Read Technologies, Inc. All rights reserved.