This month's newsletter discusses the virtues of authorization lists
and how Policy Minder can help you manage them.
An authorization list is a tool provided by i5/OS to help you manage
authority to objects. The typical usage scenario is that you have a
set of profiles and those profiles (both users and/or group profiles)
need the same authority to a set of objects - perhaps all files in an
application. Rather than granting each of those users a private authority
to each of the objects, you can use an authorization list. Simply associate
the authorization list with the objects. Then, instead of granting the
private authority to the objects themselves, grant each user (or group)
authority to the authorization list. By virtue of having authority to
the authorization list, the users have the same authority to every object
associated with the list.
Having authority to the authorization list is the same as the user
having a private authority to the individual object. The authorization
list just displaces the authority - instead of the authority being on
the individual object, it is on the authorization list. The only difference
is that i5/OS checks and uses the authority to the individual object
before checking authority to an object's authorization list.
Authorization lists have several benefits. Authorization lists simplify
the management of access to objects. All you have to do is display the
authorization list (DSPAUTL) and then display the objects secured by
the authorization list (DSPAUTLOBJ) to know what the users are authorized
to. Authorization lists also reduce the number of private authorities
on the system. This reduces the time that a SAVSECDTA needs to run.
(SAVSECDTA is how private authorities are saved.) It also saves time
when a RSTAUT is run because there are fewer private authorities to
grant to the restored objects. Last but certainly not least, authorization
lists provide a way to manage authorities when an object is locked.
That's why I like to use authorization lists to secure files. Because
you can't grant (or revoke) authorities to files that are open, securing
them with an authorization list allows you the flexibility to grant
a user or group authority even when the file is in use. I've found securing
files with authorization lists to be extremely helpful when re-working
an application's authority scheme.
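As an added example (not code from the newsletter or from SkyView), the scheme described above written out as a CL source member. The library PAYLIB, the list PAYAUTL and the profiles PAYGRP, PAYCLERK and PAYAUDIT are assumed names chosen for illustration; the commands and keywords are the standard i5/OS ones.

```cl
             PGM
/* Added example, not from the original page. Names PAYLIB, PAYAUTL,     */
/* PAYGRP, PAYCLERK and PAYAUDIT are assumptions for illustration.       */

/* 1. Create the list. AUT(*EXCLUDE) is the list's own *PUBLIC entry;    */
/*    any object whose *PUBLIC authority is pointed at the list (*AUTL)  */
/*    therefore gives *EXCLUDE to everyone not named on the list.        */
             CRTAUTL    AUTL(PAYAUTL) TEXT('Payroll application files') +
                          AUT(*EXCLUDE)

/* 2. Put the profiles on the list instead of on each file. A group      */
/*    profile entry covers every current and future member of the group. */
             ADDAUTLE   AUTL(PAYAUTL) USER(PAYGRP)   AUT(*CHANGE)
             ADDAUTLE   AUTL(PAYAUTL) USER(PAYCLERK) AUT(*USE)

/* 3. Attach the list to every file in the library, then make each      */
/*    file's *PUBLIC authority come from the list. These two grants      */
/*    touch the file objects themselves, so they fail with a lock error  */
/*    if a file is open: run them during a downtime window.              */
             GRTOBJAUT  OBJ(PAYLIB/*ALL) OBJTYPE(*FILE) AUTL(PAYAUTL)
             GRTOBJAUT  OBJ(PAYLIB/*ALL) OBJTYPE(*FILE) USER(*PUBLIC) +
                          AUT(*AUTL)

/* 4. From now on, authority changes go to the list, which is not locked */
/*    by an open file. These two commands work while the application is  */
/*    running.                                                           */
             ADDAUTLE   AUTL(PAYAUTL) USER(PAYAUDIT) AUT(*USE)
             RMVAUTLE   AUTL(PAYAUTL) USER(PAYCLERK)

/* 5. Verify the result: who is on the list, which objects the list      */
/*    secures, and which profiles actually belong to a group that has    */
/*    an entry on the list (the entry that is easy to overlook).         */
             DSPAUTL    AUTL(PAYAUTL)
             DSPAUTLOBJ AUTL(PAYAUTL)
             DSPUSRPRF  USRPRF(PAYGRP) TYPE(*GRPMBR)
             ENDPGM
```

Step 5 is the manual form of the check a compliance tool automates: DSPAUTL shows the entries, but only DSPUSRPRF TYPE(*GRPMBR) shows how many users a single group entry really admits, which is exactly how a *PUBLIC *EXCLUDE list can quietly turn into "almost everyone".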
Carol's Tech Tip
How SkyView Policy Minder can Help
SkyView Policy Minder is an i5/OS & OS/400 security compliance tool
that provides a mechanism for comparing your systems' current settings
against the requirements of your established (or desired) security policy.
Policy Minder is about "enforcing" your security policy. Policy
Minder is designed to automate the process of keeping your i5/OS and
OS/400 security configuration in compliance with your existing security
policy.
- Policy Minder's authorization list category (*AUTL) allows you to
monitor who (what users and/or groups) have authority to the authorization
lists. I've seen cases where an authority scheme was architected so
that the authorization list was set to *PUBLIC *EXCLUDE and only one
or two profiles had authority to the authorization list. But in one
specific case, the implementation of the architecture degraded over
time so that it no longer complied with the organization's security
policy. Why was it out of compliance? A group profile had been given
authority to the list and almost every user on the system belonged
to that group. Rather than the list providing exclusionary-based access
control, the files secured by the list were available to be accessed
by almost every user on the system. Monitoring the authorization lists
by running a compliance check on the *AUTL category would have produced
an out of compliance report which would have identified that the group
profile had been added to the list.
- Another way that Policy Minder helps you manage authorization lists
is through the library and directory authority templates. These templates
allow you to specify the name of the authorization list that is to
secure specific libraries, directories and/or other objects. It also
allows you to specify that *PUBLIC authority should come from the
authorization list. If the objects are not secured with the appropriate
authorization list, a compliance check identifies which objects aren't
secured properly.
- Finally, running Policy Minder's FixIt function against library
or directory templates that are out of compliance attaches the authorization
list to the objects and, if desired, points the objects' *PUBLIC authority
to come from the authorization list. And because you can't attach
an authorization list to files while the files are in use, the ability
to schedule the FixIt command during a downtime window is quite helpful.
How SkyView Risk Assessor can Help
SkyView Risk Assessor is an i5/OS & OS/400 security diagnostic tool
that performs an automated risk analysis. Risk Assessor is about "judging"
your security configuration against best practices. Risk Assessor provides
comprehensive, easy-to-understand, easy-to-produce and unbiased reports
that fulfill the need for regular vulnerability assessments, as specified
in nearly every security regulation, specification or standard.
- A new report in Risk Assessor version 2.1, the SKYAUTL report, provides
a list of the authorization lists on the system together with the
users authorized to each list.
SkyView Partners Solutions
- Customers say … “Risk Assessor automatically provides an independent,
comprehensive security overview and has reduced our overall audit
time and expense.”
- Customers say … “With Policy Minder we have automated our
security compliance procedure, saving us time and making
sure that our desired security configuration stays in place.”
About the author
Carol Woodbury spent 16 years with IBM in Rochester, MN. She served
for more than 10 years as the AS/400 Security Architect and Chief
Engineering Manager of Security Technology for IBM's Enterprise Server
Group. During this time Carol provided security architecture and design
consultations with IBM Business Partners and large AS/400 customers.
She is known worldwide as an author and speaker on security technology,
specializing in OS/400 and i5/OS security issues. Carol co-authored
the popular book, Experts' Guide to OS/400 and i5/OS Security from
29th Street Press, has
written numerous articles on security and is a technical editor for
the IBM Systems Magazine. Carol is also a subject matter expert on
security for COMMON, security author for Experts Journal, contributing
author on security for System iNEWS and MC Press Online and the security
expert for search400.