Each user profile on your system is a window, of sorts, into the computing environment for your business. Some profiles have a very narrow and limited view while others have a panoramic scene before them. Some profiles can only look while others are allowed to look, pick things up, move them around, make changes and even throw them away. Some only have access to a single library while others, perhaps even you, have the keys to the Kingdom.
As a security officer, you've probably given this a lot of thought already and have your profiles set up with exactly the permissions they need. Users are allowed enough access to fulfill their job descriptions but not so much that they can wreak havoc for your organization, either accidentally or intentionally. And, to a large extent, how far you trust the person behind the profile plays a large role in how much access you give that profile to your system.
Problems come up, however, when a profile is compromised and is used by someone other than the assigned person. When this happens to a profile that has the panoramic view of your system, real trouble can ensue.
OS/400 on your iSeries has a nice little feature that gives you improved control in the event of a compromised profile. This feature, the Activation Schedule, lets you tell the system exactly which days, and which hours of those days, a profile can be used. Outside that window the system disables the profile, and a disabled profile cannot be used to sign on at all. If a user profile is compromised, there is a good chance the misuse will be attempted during off hours, and if the profile has been posted to the system Activation Schedule it simply will not be available then. This extends not only to terminal session sign-on but to all server activity, such as FTP, the system file server and so on, because those servers check the profile status too.
There are two commands that you use to maintain the system Activation Schedule. The "Change activation schedule entry" command (CHGACTSCDE) is the main command for maintaining the schedule. It lets you add a user profile to the list or change a profile that is already on the list. Once a profile is on the list, a message is sent to the user profile that created the entry each time the scheduled profile is activated and deactivated, so you have a running record of the changes. When you create the entry, you specify the time of day when you want the profile available for use. The system enables the profile at the opening time and automatically disables it again at the closing time you enter. You can apply these times to every day of the week or only to the days you name, and a day that is not covered by any entry has no window at all.
The other command that can help you with this is the "Display activation schedule" command (DSPACTSCD). This command lets you review how your Activation Schedule is set up. You can look at it interactively or create a report of the schedule.
When you first set this up, nothing will happen right away, so be prepared for that. The system posts jobs into the OS/400 system job scheduler to do the actual activation and deactivation. The next time one of the time-of-day thresholds is passed, the jobs that activate and/or deactivate the profiles will start to run and you will begin to receive status messages from the system. One consequence worth noting: adding an entry does not change the profile's current state. A profile that is enabled when you add it stays enabled until its next closing time passes, so if you need a profile out of service immediately, disable it yourself and let the schedule re-enable it at the next opening time.
Using this feature of OS/400, you can close the window of opportunity during which a compromised profile can be used and make it more difficult for mischief makers to do their thing on your system. Keep in mind that disabling a profile blocks new sign-ons; a session that is already active when the closing time arrives is not ended by the schedule, so the feature narrows the window rather than throwing a running job off the system. One other thing to keep in mind if you adopt this process is that you may need to make special arrangements when your users work a different schedule than normal, such as overtime. During those times you will have to update the Activation Schedule to accommodate the different work hours, and then put the normal hours back afterwards, or the wider window becomes the new normal.
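The steps above, as an added CL example that is not from the article or from Kisco: it puts a privileged profile on the schedule for weekday business hours, prints the schedule for review, disables the profile by hand so the restriction takes effect now rather than at the next closing time, and checks the result. The profile name SECOPR1 is made up. The parameter names USRPRF, ENBTIME, DSBTIME and DAYS on CHGACTSCDE, the OUTPUT parameter on DSPACTSCD, and the four-digit hhmm time form are my reading of the command prompts and should be confirmed with the prompt key (F4) on your release before you run this.

```cl
/* Added example, not from the article.  Restrict the (made-up)        */
/* privileged profile SECOPR1 to weekday business hours.               */
/* Parameter names and the hhmm time form are assumptions; confirm    */
/* them by prompting each command with F4 on your release.            */
PGM

   /* Enable at 07:00 and disable at 19:00, Monday through Friday.     */
   /* Saturday and Sunday are not named, so there is no weekend       */
   /* window: once the Friday 19:00 disable job has run, the profile  */
   /* stays disabled until the Monday 07:00 enable job runs.          */
   CHGACTSCDE USRPRF(SECOPR1) ENBTIME(0700) DSBTIME(1900) +
              DAYS(*MON *TUE *WED *THU *FRI)

   /* Review the schedule as a printed report.  OUTPUT(*) shows it     */
   /* interactively instead.                                          */
   DSPACTSCD  OUTPUT(*PRINT)

   /* Adding the entry changes nothing until the next 07:00 or 19:00  */
   /* boundary passes.  If the profile must be unusable right now,    */
   /* disable it directly; the schedule will re-enable it at the next */
   /* scheduled 07:00.                                                */
   CHGUSRPRF  USRPRF(SECOPR1) STATUS(*DISABLED)

   /* Confirm the current status of the profile.  The jobs the system */
   /* posted to do the enabling and disabling can be seen with        */
   /* WRKJOBSCDE.                                                     */
   DSPUSRPRF  USRPRF(SECOPR1)

ENDPGM
```

For an overtime weekend, rerun CHGACTSCDE for the same profile with the extra days and hours, confirm the change with DSPACTSCD, and rerun it with the normal hours when the overtime is over.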
If you have specific questions about anything mentioned in this article, feel free to contact me directly at: rich@kisco.com.
Rich Loeber is president of Kisco Information Systems Inc., in Saranac Lake, NY. The company is a provider of various security products for the iSeries market.
==================================
MORE INFORMATION ON THIS TOPIC
==================================
The adopted authority problem
Objects, such as programs, on your iSeries can adopt authority from owners, from users, from other programs or even other systems. Is this a problem? It can be. According to security expert Rich Loeber, it is in your best interest to understand which programs have authority to bestow on users to whom it should not be granted.
The danger of indiscriminately assigning special authorities
In this tip, security guru Dan Riehl explains the special authorities and points out the main exposures if they are not assigned judiciously.
Enable/disable a user profile at a particular time
One user writes, "We have some user profiles that we keep disabled until they call and tell us they need to sign on. I would like to be able to call a CL program that will prompt me to enter a time in minutes that they will need the system. It would then enable the necessary user profile and once the amount of time entered had passed, the user profile would be disabled." Dan Riehl offers some advice.
Restricting users' authority
This Search400.com member wanted users to have the capability to "start" their own writers, but wanted to restrict them from viewing other people's outqs. What is the best way to go about this? Security expert Carol Woodbury explains.