One of the greatest challenges in IBM i security is managing the powerful users charged with its care, especially in hard-to-audit environments like SQL.

1. Part-Time Privileges: Accountability
for Powerful Users

2. 2
• Introduction
• Managing Powerful Users
• Why Policy Matters
• Solution Demonstration
• Free Resources

3. 3
ROBIN TATAM
Director of Security Technologies
952-563-2768
robin.tatam@helpsystems.com

4. 4
• Premier provider of security solutions & services
– 17 years in the security industry as an established thought leader
– Customers in over 70 countries, representing every industry
– Security subject matter expert for COMMON
• Wholly-owned subsidiary of HelpSystems since 2008
• IBM Advanced Business Partner
• Member of PCI Security Standards Council
• Authorized by NASBA to issue CPE credits for security education
• Publisher of the annual “State of IBM i Security Study”

5. 5
• Introduction
• Managing Powerful Users
• Why Policy Matters
• Authority Broker Demonstration
• Free Resources

6. 6
• Programmers
– Claim they need *ALLOBJ authority to fix production
applications
• System Administrators
– Claim they need authority to configure and change the system
• Operators
– Claim they need Special Authorities to do backups and other
specialized functions
• Vendors
– Can’t imagine running without Security Officer rights

7. 7

8. 8
Best Practices call for
<10 users with SPCAUTs

9. 9
Date: January 9, 2005 2:37am
Author: A.F.
Subject: How to recover a deleted library?
PLS Help me! How can I recover a library I’ve just
deleted by mistake and I have no tape backup. I’ve
asked all users to sign off in order not to create any
new objects. PLS HELP ME AND I WILL UPGRADE
MY SUBSCRIPTION AT ONCE. THANKS
A posting at iSeriesNetwork.com

10. 10
1

11. 11
Date: September 1, 2004 12:49pm
Author: R.H.
Subject: Oops!
HELP!!!
I've accidentally deleted program QCMD in
QSYS (spelling error using DLTPGM). The system
has crashed. Any suggestions? I assume an
IPL will be required, but is there anything else that
can be suggested? This is bad.
A posting at iSeriesNetwork.com

12. 12
• The #1 item cited by auditors is:
Control and monitoring of powerful users
What’s a powerful user?
• Someone with Special Authority or lots of private authority
• IT staff or other knowledgeable users with
direct access to production data
• A user with a way to execute commands

13. 13
In 2014, 37% of breaches Involved inside threat

14. 14

15. 15
• Introduction
• Managing Powerful Users
• Why Policy Matters
• Authority Broker Demonstration
• Free Resources

16. 16
• Legislatures create laws
– Sarbanes-Oxley, HIPAA, Gramm-Leach-Bliley,
SB1386, and more
• Laws are open to interpretation
– Sarbanes-Oxley Section 404:
• “Perform annual assessment of the effectiveness of
internal control over financial reporting…”
• “…and obtain attestation from external auditors”
• Auditors are the interpreters

17. 17
• Auditors interpret regulations:
– Auditors focus on frameworks and processes
– Auditors have concluded that IT is lacking when it
comes to internal controls
• Executives follow auditor recommendations

18. 18
Special Authority (aka Privileges)
All Object
The “gold key” to every object and almost every
administrative operation on the system, including
unstoppable data access.
*ALLOBJ *SECADM *IOSYSCFG *AUDIT *SPLCTL *SERVICE *JOBCTL *SAVSYS

19. 19
Special Authority (aka Privileges)
Security Administration
Enables a user to create and maintain the system
user profiles without requiring the user to be in the
*SECOFR user class or giving *ALLOBJ authority.
*ALLOBJ *SECADM *IOSYSCFG *AUDIT *SPLCTL *SERVICE *JOBCTL *SAVSYS

20. 20
Special Authority (aka Privileges)
I/O Systems Configuration
Allows the user to create, delete, and manage
devices, lines, and controllers. Also permits the
configuration of TCP/IP, and the start of associated
servers (e.g., HTTP).
*ALLOBJ *SECADM *IOSYSCFG *AUDIT *SPLCTL *SERVICE *JOBCTL *SAVSYS

21. 21
Special Authority (aka Privileges)
Audit
The user is permitted to manage all aspects of
auditing, including setting the audit system values
and running the audit commands
(CHGOBJAUD / CHGUSRAUD).
*ALLOBJ *SECADM *IOSYSCFG *AUDIT *SPLCTL *SERVICE *JOBCTL *SAVSYS

22. 22
Special Authority (aka Privileges)
Spool Control
This is the *ALLOBJ of Spooled Files and allows a
user to view, delete, hold, or release any spooled file
in any output queue, regardless of restrictions.
*ALLOBJ *SECADM *IOSYSCFG *AUDIT *SPLCTL *SERVICE *JOBCTL *SAVSYS

23. 23
Special Authority (aka Privileges)
Service
This allows a user to access the System Service Tools
(SST) login, although they also need
an SST login since V5R1.
*ALLOBJ *SECADM *IOSYSCFG *AUDIT *SPLCTL *SERVICE *JOBCTL *SAVSYS

24. 24
Special Authority (aka Privileges)
Job Control
This enables a user to start/end subsystems and
manipulate other users’ jobs. It also provides access
to spooled files in output queues designated as
“operator control.”
*ALLOBJ *SECADM *IOSYSCFG *AUDIT *SPLCTL *SERVICE *JOBCTL *SAVSYS

25. 25
Special Authority (aka Privileges)
Save System
This enables a user to perform save/restore
operations on any object on the system, even if there
is insufficient authority to use the object.
* Be cautious if securing objects at only a library level *
*ALLOBJ *SECADM *IOSYSCFG *AUDIT *SPLCTL *SERVICE *JOBCTL *SAVSYS

26. 30
Production Update Authority
Read / Change
Payroll
Accounts Receivable
Accounts Payable
Customer Information
• IT personnel often insist that powerful authorities
are necessary to do their job:
– Special Authorities like *ALLOBJ, *SPLCTL, *SECADM
– Rights to change critical production data
• Sometimes they are right!

27. 31
Read / Change
Read / Change
Read / Change
Read / Change
Payroll
Accounts Receivable
Accounts Payable
Customer Information
This is a top exception item reported by auditors!

28. 32
• To keep your business running, you need:
– Emergency access to repair data files
• To keep your system safe, you need:
– A way to monitor when powerful authorities are used
– A way to monitor user activities, including when they
enter the “command tunnel”

29. 33
• COBIT AI6.4 - Emergency Changes
– IT management should establish parameters defining
emergency changes and procedures to control these
changes (…)
• COBIT DS10.4 - Emergency and
Temporary Access Authorizations
– Emergency and temporary access authorizations
should be documented on standard forms and
maintained on file, approved by appropriate managers,
securely communicated to the security function and
automatically terminated after a predetermined period.

30. 34
• ISO 27002 Section 9.2.2: Privilege Management
– The allocation of privileges should be controlled
through a formal authorization process
– Privileges should be allocated to individuals on a
need-to-use basis and event-by-event basis
– An authorization process and a record of all
privileges allocated should be maintained
– Privileges should be assigned to a different user
identity than those used for normal business

31. 35
Manage, audit, and control powerful profiles on IBM i

32. 36
Management is
aware of all activity
Report
Message Custom Alert
PAYCHANGE
(Temp. Profile)
Payroll
Accounts Receivable
Accounts Payable
Customer Information

33. 37
• Government regulators and IT auditors demand
accountability
• Legislatures have created laws that require us to
prove that our IT infrastructure is secure
• Non-compliance penalties range from public
disclosure, to fines, to prison sentences for
executives
– Executives are finally taking security very seriously

34. 38
• Allows you to monitor and control users
with powerful authorities
– Authority Broker lets you specify when and how
users exercise powerful authority
– Authority Broker works with IBM i security to
protect assets
– Authority Broker provides notification, monitoring,
and control of powerful users
– Authority Broker provides visibility into non-
command-based environments

35. 39

36. 40
• Allows you to intercept commands and
conditionally perform other actions
– Command Security lets you specify when and how
users execute commands
– Command Security is applicable to all users – even
QSECOFR and other *ALLOBJ users
– Command Security provides notification, monitoring,
and control of command environments
– Command Security can enforce the requirement to
obtain privileges via Authority Broker

37. 41
• Introduction
• Managing Powerful Users
• Why Policy Matters
• Solution Demonstration
• Free Resources

38. 42
• Sign on as a limited-capability & as a powerful user
• Attempt to access restricted functions
• Use Authority Broker to elevate user authorities
on demand, and Command Security to control
commands
• Perform restricted functions, including access to
“tunnel” environments
• Report on user activities

39. 43
• IT security has executive attention
– This is the best opportunity to solve long-standing problems
– Gain management approval now
• Control users with broad authority to production data
– Leaving users unchecked is both an audit exception and an
accident waiting to happen
– Don’t accept that powerful users have to be limitless
• Limit the use of powerful profiles
– Monitor and report when power is used

40. 44
• Introduction
• Managing Powerful Users
• Why Policy Matters
• Solution Demonstration
• Free Resources
’

41. 45

42. 47
Please visit www.helpsystems.com/powertech to access:
• The State of IBM i Security Study
• Online Compliance Guide
• Webinars/Educational Events
• Articles & White Papers
• Product Datasheets
• Product Trial Downloads
www.helpsystems.com/powertech (800) 915-7700 info@powertech.com

43. 48

44. 49
www.helpsystems.com/powertech 800-328-1000
info.powertech@helpsystems.com