Rescinding access rights


Rich Loeber, Contributor
10.29.2007

As a security officer, most of the time you are concerned with granting access rights to users. To do this, you need to know what the user's job responsibilities are and what they will be doing within the computing environment. Based on existing security policies for your shop, you then configure security for each user so that they can get at the computing resources they need to do their job easily, smoothly and securely.

Once you have users set up and running, however, they tend to fall off our radars since we're then occupied with getting the next group of users set up and configured. In other words, there is a tendency to address areas where there are immediate demands at the expense of others.

Modifying access rights on System i
One important thing to keep track of, however, is any situation where access rights need to be modified or rescinded. The most glaring situation is when someone leaves the company. You should have a clearly developed plan of action to implement when someone leaves. This plan should include:

  • Deactivating their user profile
  • Identifying any objects owned by their profile and reassigning them
  • Removing access rights for objects not owned by them
  • Deleting the user profile after all else is done
But just deactivating a profile is not sufficient. Batch jobs can still be run under an inactive user profile and those jobs will still have rights to the object set that was defined for that user. So you must take the additional action of removing those access rights. Rescinding access rights is just as important to a secure installation as granting those rights.
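
The plan above, written out as a CL command sequence. This is an added example, not part of the original tip; the profile JSMITH, the new owner SECOWNER, the objects in APPLIB and the authorization list PAYAUTL are hypothetical names to be replaced with your own.

```cl
/* Added example: offboarding sequence for a departed user.         */
/* JSMITH, SECOWNER, APPLIB/* and PAYAUTL are hypothetical names.   */

/* 1. Deactivate the profile so it can no longer sign on.           */
CHGUSRPRF  USRPRF(JSMITH) STATUS(*DISABLED)

/* 2. List the objects the profile owns, then reassign each one.    */
/*    CUROWNAUT(*REVOKE) strips the old owner's authority during    */
/*    the transfer instead of leaving it as a private authority.    */
DSPUSRPRF  USRPRF(JSMITH) TYPE(*OBJOWN) OUTPUT(*PRINT)
CHGOBJOWN  OBJ(APPLIB/ORDERS) OBJTYPE(*FILE) +
             NEWOWN(SECOWNER) CUROWNAUT(*REVOKE)

/* 3. List private authorities to objects the profile does not own, */
/*    then revoke them and remove authorization list entries.       */
/*    A disabled profile keeps these until they are revoked, so a   */
/*    batch job running under it would still have them.             */
DSPUSRPRF  USRPRF(JSMITH) TYPE(*OBJAUT) OUTPUT(*PRINT)
RVKOBJAUT  OBJ(APPLIB/CUSTMAST) OBJTYPE(*FILE) +
             USER(JSMITH) AUT(*ALL)
RMVAUTLE   AUTL(PAYAUTL) USER(JSMITH)

/*    Review job schedule entries for any that still name JSMITH    */
/*    as the user the job runs under.                               */
WRKJOBSCDE

/* 4. Delete the profile after all else is done. *CHGOWN moves any  */
/*    owned object missed in step 2 to SECOWNER, so the delete does */
/*    not fail on leftover ownership.                               */
DLTUSRPRF  USRPRF(JSMITH) OWNOBJOPT(*CHGOWN SECOWNER)
```

Repeat the CHGOBJOWN and RVKOBJAUT commands for every object the two DSPUSRPRF listings report.
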

Unmonitored rights pose a security threat
Chances are your System i is currently sitting with loads of unnecessary access rights in place for people who are long gone. Each one of those access rights is a potential security exposure and should be dealt with. You should review the way the user was initially configured when their access rights were granted and then go through and reverse the process.

Making this work depends on you being in the loop when someone leaves the company. In a small shop, you normally learn this by word of mouth. But, in any size shop, a formal notification process needs to be put in place to guarantee that inactive profiles are dealt with promptly. This can be especially important if someone leaves on bad terms. A firm procedure has to be in place with your HR staff and it must be enforced.

The other situation for which you need to prepare is when someone has a change in job responsibilities. In this situation, you will not only need to grant new access rights for the user, but you will also have to backtrack and possibly remove some earlier rights that have already been granted. Again, careful coordination must be worked out with your HR folks. You are likely to hear about this through less formal channels since the user will need to get reconfigured in order to start their new responsibilities.

If you have any questions about this topic, send me a message. All email messages will be answered as quickly as possible.

---------------------------
ABOUT THE AUTHOR: Rich Loeber is president of Kisco Information Systems Inc. in Saranac Lake, N.Y. The company is a provider of various security products for the iSeries market.
