Determining Where Authority Is Coming From - Successfully Securing Objects by Using Authority Collection, IBM i Services, and Auditing

The final scenario is a situation where you thought you secured an object, but users are able to access it anyway. You’ve looked but can’t determine where the users are getting their authority. As you can see in Figure 9.6, it appears that the HR_INFO/SALARY file should be secure!

Figure 9.6: Permissions on HR_INFO/SALARY file.

Because the Authority Collection includes the source of a user’s current authority, this is the perfect utility to help you debug this issue.

If the system is at IBM i 7.4, you can start the Authority Collection on the HR_INFO/SALARY file itself. If it is at IBM i 7.3, you can start the Authority Collection on the users that are gaining access but shouldn’t be. In this case, I configured Authority Collection on the file and then displayed the results. Figure 9.7 is a perfect example of the admonition I gave at the end of Chapter 6, where I said that if the results don’t make sense, you need to look at either less information or more. This is a case of needing more information. For example, how can DEVELOPER have access to the SALARY file if the current authority source is *PUBLIC, yet *PUBLIC is *EXCLUDE?

Figure 9.7: Showing the source of the access of HR_INFO/SALARY file.

Expanding the columns being examined produces the source of access. JOE is getting access by being a member of the group profile PROD_OWNER, and DEVELOPER is gaining access via a program that adopts authority: IADOPT in library CJW.

Figure 9.8: The expanded results show the source of access.

You can then expand the columns further to determine which profile owns the adopting program and what authority that owner has, and take the necessary steps to lock down that program. As far as JOE goes, this is an example of the risk you take when application users are members of the profile that owns the application: they have *ALL authority to all application objects!
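The column expansion described above, written as an SQL query you could run from Run SQL Scripts (an added example, not a statement from the book). It assumes the IBM i 7.4 object-based collection, which is reported through the QSYS2.AUTHORITY_COLLECTION_OBJECT view (on 7.3, the user-based collection is read from QSYS2.AUTHORITY_COLLECTION instead); the column names and the YES/NO value of ADOPT_AUTHORITY_USED are given as I recall them and should be checked against the view definition on your release.

```sql
-- Added example: who has reached HR_INFO/SALARY, and where each user's
-- authority actually came from. Assumes Authority Collection was started
-- on the file (IBM i 7.4) before the accesses were made.
SELECT authorization_name,
       detailed_required_authority,
       detailed_current_authority,
       authority_source,                    -- e.g. *PUBLIC as seen in Figure 9.7
       group_name,                          -- set when a group profile supplied the authority
       adopt_authority_used,                -- assumed YES/NO
       adopting_program_library,
       adopting_program_name,
       adopting_program_owner,              -- the profile whose authority is being borrowed
       CASE
         WHEN adopt_authority_used = 'YES' THEN
              'adopted from ' || adopting_program_library || '/'
                              || adopting_program_name
                              || ' (owner ' || adopting_program_owner || ')'
         WHEN group_name IS NOT NULL THEN
              'via group profile ' || group_name
         ELSE 'direct or public authority'
       END AS access_explanation            -- constructed summary column
  FROM qsys2.authority_collection_object
 WHERE system_object_schema = 'HR_INFO'
   AND system_object_name   = 'SALARY'
   AND object_type          = '*FILE'
 ORDER BY authorization_name, check_timestamp DESC;
```

Rows whose access_explanation names a group profile point at the membership to review (JOE in PROD_OWNER); rows naming an adopting program point at the program and its owner to lock down (CJW/IADOPT for DEVELOPER).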

Which Objects Have Authority Collection Configured?

To determine which objects have Authority Collection configured, run the following for objects in libraries:

And run this to determine the IFS objects.

Note

Depending on how many IFS objects you have, this may take some time to run. You may wish to modify the starting path name to be something other than ‘/’.
