Reducing Access to a Directory - Successfully Securing Objects by Using Authority Collection, IBM i Services, and Auditing

Most of my clients have one or more directories that contain confidential information. It may be image files of canceled checks or medical images that are kept permanently. Or it may be a directory that contains a running year’s worth of receipts with Personally Identifiable Information (PII) or invoices, or a directory that holds what I call a “transitory” file. That’s usually a stream file (*STMF) that’s regularly created by a scheduled job. The file typically contains payroll, tax, or bank information that’s then sent off the system via some method of secure file transfer. Do any of these examples sound familiar?

To successfully reduce access to a directory, we must answer two questions: Who’s accessing the directory? How much authority do they need?

For those of you running IBM i 7.4 and later, this exercise couldn’t be easier. For this scenario, we’re going to use Authority Collection. Earlier I discussed how you can use Authority Collection to reduce a specific user’s authority to an object by configuring Authority Collection for that user and determining how much authority they require to the objects they touched. In IBM i 7.4, IBM gave us another option and that’s to configure Authority Collection on a specific object. This option allows us to determine all of the users accessing the object as well as the authority required.

Configuring Authority Collection on an object is a two-step process. First, you must configure Authority Collection on your object. Figure 9.1 shows how to configure Authority Collection for the ‘/home/carol’ directory. I’ve just configured the collection for the directory itself, but you can start it for the objects in the directory as well as subdirectories if you specify *ALL for the Directory subtree parameter.

Figure 9.1: Configure Authority Collection for objects using the CHGAUTCOL command.

Next, if the Collection isn’t already started for objects, you must run the Start Authority Collection (STRAUTCOL) command. IBM i 7.4 added a new parameter to this command to specify whether you’re working with user profiles or objects. In this case, we’re (obviously) working with objects. See Figure 9.2.

Figure 9.2: Start the Authority Collection if you haven’t done so previously.

Now you wait and let the Collection collect. How long do you wait before you look at the results? Again, as with user profiles, it depends. If you’re securing a directory that you believe is only being written to by a scheduled job, let the job run and then look. But if you don’t know, I’d let the collection run at least over a month-end before concluding that your investigation is complete. (Obviously, you can look at the collection prior to month-end; just don’t end it prior to that.)

To view the results of the Collection, you’ll use the QSYS2.AUTHORITY_COLLECTION_FSOBJ view. (You need to use the view that corresponds to the type of object you’ve been collecting information on.)

Figure 9.3 shows the results. Notice that it only shows information for the directory you started the collection on, not the higher-level directories such as ‘/’ or ‘/YYY’ as the collection did when you were analyzing a profile’s authority requirements via Authority Collection for profiles. The collection is very literal. If you said to start on the path ‘/directory/subdirectory’, it will only collect for that specific path.

Figure 9.3: Distinct accesses of the ‘/home/carol’ directory.
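
A query of the kind Figure 9.3 describes, as an added example that is not from the original article: it lists each distinct user that touched ‘/home/carol’, the authority the access required, and the authority the user currently has. The column names are assumptions based on IBM's documented Authority Collection views, so confirm them against the view definition on your release before relying on the output.

```sql
-- Added example (not the author's query). Column names are assumed from the
-- IBM-documented Authority Collection views; verify them on your system.
SELECT authorization_name,              -- who accessed the directory
       path_name,                       -- the literal path being collected
       detailed_required_authority,     -- what the operation needed
       detailed_current_authority,      -- what the user actually holds
       authority_source,                -- where that authority comes from
       authority_check_successful,      -- whether the access was allowed
       COUNT(*)             AS check_count,
       MIN(check_timestamp) AS first_seen,
       MAX(check_timestamp) AS last_seen
  FROM qsys2.authority_collection_fsobj
 WHERE path_name = '/home/carol'        -- collection is literal: exact path only
 GROUP BY authorization_name,
          path_name,
          detailed_required_authority,
          detailed_current_authority,
          authority_source,
          authority_check_successful
 ORDER BY authorization_name, last_seen DESC;
```

Rows where the current authority is broader than the required authority answer the second question ("How much authority do they need?") and show where access can be reduced.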
