Creating a System i database security policy: Implementation

Rich Loeber

Part of your security policy will be implemented globally through the setup of your System i system values. Much has already been written about this and is generally available from this website and others. I do not want to duplicate that.

What is unique to each application, however, is the object level security setup that protects your basic data and programming elements. This is what I want to explore here by reviewing a few key practices that, over time, will simplify your security administration task.

System i system values for security tips Limiting security officer access Controlling access to workstations System i security configurations: Restoring What's new with System i password controls New password-control security features for i5/OS V6R1 Enhancements in the intrusion detection system for i5/OS V6R1

The first of these key practices is implementing your object level security based on group profiles. Security can be implemented by individual profiles or by groups. Each user profile on your system can be assigned to a single group along with up to fourteen supplemental groups. A group profile is nothing more than an additional profile that is defined to your system but is set up so that it cannot be used for logon purposes. Its only purpose is to control object access. Once a group profile has been created, you can then add individual profiles to the group by placing the group profile in the GRPPRF (group profile) field or in the SUPGRPPRF (supplemental group). With group profiles implemented, you no longer have to create object access rules for each profile, just for the group profile. By reference, the rules for the group will then apply to each individual user profile that is included in the group.

Check your security policy document to identify the specific groups that you are going to need and get them set up on your system. Then, code the individual users into each group. When people leave the company, you will not have the issue of having to modify your security setup. Plus, adding a new user profile will be greatly simplified by not having to maintain an extensive set of individual object accesses. When you are all set up, you can generate listings for each group using the DSPUSRPRF (display user profile) command with the *GRPMBR option.

The other key practice that I want to discuss today with your security implementation is the use of Authorization Lists for object security. An individual object can be controlled by entering profile information directly associated with the object or by reference to an Authorization List. When you store your profile access rules directly with the object, then you cannot make updates to these rules when your object is in use. Using Authorization Lists, however, removes this obstacle and saves you from a lot of late night sessions.

Also, with an Authorization List, you can create a single security configuration that can then be applied to multiple objects on your system. At the individual object level, just reference the Authorization List and the rules created in the list will apply to the object. From your security policy, you will find general rules that apply within an application. These can easily be assigned to an Authorization List.

But, you ask, what about exceptions? Every security policy is going to have exceptions and you can deal with them as they arise. I try to discourage them by asking that a clear business case be made for each exception. The response, "well, it would just be a lot easier" is no longer acceptable. Those kind of exceptions these days can easily lead to banner headlines that will be embarrassing to you and to your company.

If you have any questions about anything included in this tip, you can email me. Messages will be answered as quickly as possible.

ABOUT THE AUTHOR: Rich Loeber is president of Kisco Information Systems Inc. in Saranac Lake, N.Y. The company is a provider of various security products for the iSeries market.

Rate this Tip To rate tips, you must be a member of Search400.com. Register now to start rating these tips. Log in if you are already a member. Submit a Tip Digg This!     StumbleUpon     Del.icio.us    RELATED CONTENT iSeries security tips A guide to System i security, Part 3: Digging in to the System i security environment Is your AS/400 secure?: How a hacker could get valuable information from your system System i security report round-up A guide to System i security, part 2: Landing and establishing access A guide to System i security: Descending into the heart of darkness of IT security Creating a System i database security policy: First steps Enhancements in the intrusion detection system for i5/OS V6R1 Six common System i security lapses Working with exit programs in i5/OS V6 New password-control security features for i5/OS V6R1 iSeries system and application security A guide to System i security, Part 3: Digging in to the System i security environment Primary group authority: How it works Blocking access to SQL line commands Moving files to new libraries allows access to only groups or users that are authorized Changing telnet ports: A security solution? Moving to security level 30 Menu security's relationship to object authority Encrypting files or fields on the iSeries Changing the QSECOFR password Ensuring security on i runbook RELATED GLOSSARY TERMS Terms from Whatis.com − the technology online dictionary midrange  (Search400.com) RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary DISCLAIMER: Our Tips Exchange is a forum for you to share technical advice and expertise with your peers and to learn from other enterprise IT professionals. TechTarget provides the infrastructure to facilitate this sharing of information. However, we cannot guarantee the accuracy or validity of the material submitted. You agree that your use of the Ask The Expert services and your reliance on any questions, answers, information or other materials received through this Web site is at your own risk.