What has been your opinion and experience in giving programmers access to production libraries to fix critical production problems? Is this acceptable, and would this pass an IT audit? Should programmers be able to invoke this application themselves to grant themselves additional authority? Would this pass a typical IT audit?
Scenario: At our company, programmers have *USE authority to production libraries. We have a procedure in place, to give additional authority to programmers when needed to fix critical problems. The programmer calls our operations department, and request temporary *ALLOBJ access. The operator will invoke an in-house application, from a menu, and record "why" the programmer needed the access, put in the programmer's user I.D. etc. (in the background, *ALLOBJ is added to the programmer's user profile, auditing is invoked, and a time limit is set on when to expire this access, etc.). Also, an audit report is generated with log of the programmer's activity; the security administrator for abuse can then review this audit log. Our application managers would like to see programmers have the capability to give themselves the *ALLOBJ access via our application and menu option, instead of having to call operations. Please refer to my earlier questions.
I believe that you want to keep your current implementation. That way you have a clear and separate path to programmers' obtaining *ALLOBJ special authority. This method I believe should pass an audit. You will have a much more difficult time getting the proposed method through an audit.
MORE INFORMATION ON THIS TOPIC
The Best Web Links: Tips, tutorials and more.
Search400's targeted search engine: Get relevant information on security.
Ask your systems management questions--or help out your peers by answering them--in our live discussion forums.
Read this Search400 Featured Topic: Secure your iSeries
Dig Deeper on iSeries system and application security
Related Q&A from Carol Woodbury
Before changing password levels and upgrading operating systems on the AS/400, ensure the clients connecting to the NetServer do not need the old ... Continue Reading
Look in the audit journal (QAUDJRN) on the AS/400 for an authority failure message with the name of the library as the object name. Use the ... Continue Reading
When error messages arise concerning attempts to use a permanent system object without authority, find the source of the issue by looking for an AF ... Continue Reading