Based on a prior audit observation, we have had to change the security on our iSeries (level 30) to the following:
1. Change *public access from *change to *use.
2. Create a unique profile (no sign on) called REGUSR. This profile has *ALLOBJ auth.
3. Change all files to be owned by REGUSR, and change all programs to have REGUSR as owner and to adopt authority. All access is menu controlled, so that when a user accesses an option, the program takes over control through the adopted authority.
Please give me your thoughts on this. I see how this can prevent files from being updated outside the control of our security. But I was wondering if there is another way to handle this.
Adopted authority is certainly one of the most popular application authorization methods. If you want to understand the various application authorization methods available, you might read the article, "Designing Security into Applications" (if you're an iSeries Network professional member) that I wrote for the August 2002 issue of iSeries News. If you want more information, several of my Security Patrol columns at McPressOnline have answered questions regarding many aspects of adopted authority. By the way, I highly recommend that you move to security level 40 or 50, as security can be easily circumvented at lower security levels.
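The three steps described in the question, written out as CL for one file and one program. This is an added example, not code from the original question or answer; the library APPLIB, the file CUSTMAST and the program ORDENTRY are hypothetical names, and INLMNU(*SIGNOFF) is an extra assumption layered on top of the no-sign-on profile.

```cl
/* Added illustration. APPLIB, CUSTMAST and ORDENTRY are hypothetical names. */
PGM

  /* Step 2: owning profile that cannot sign on (no password), with *ALLOBJ */
  /* special authority as described in the question.                        */
  CRTUSRPRF  USRPRF(REGUSR) PASSWORD(*NONE) INLMNU(*SIGNOFF) +
               SPCAUT(*ALLOBJ) TEXT('Application owner, no sign-on')

  /* Step 3a: move file ownership to REGUSR and revoke the previous owner's */
  /* authority so it does not linger as a private authority.                */
  CHGOBJOWN  OBJ(APPLIB/CUSTMAST) OBJTYPE(*FILE) NEWOWN(REGUSR) +
               CUROWNAUT(*REVOKE)

  /* Step 1: replace *PUBLIC *CHANGE with *USE on the file.                 */
  GRTOBJAUT  OBJ(APPLIB/CUSTMAST) OBJTYPE(*FILE) USER(*PUBLIC) +
               AUT(*USE) REPLACE(*YES)

  /* Step 3b: program owned by REGUSR and running under the owner's         */
  /* authority (adopted authority) instead of only the caller's.            */
  CHGOBJOWN  OBJ(APPLIB/ORDENTRY) OBJTYPE(*PGM) NEWOWN(REGUSR) +
               CUROWNAUT(*REVOKE)
  CHGPGM     PGM(APPLIB/ORDENTRY) USRPRF(*OWNER)

  /* Verification: print the resulting authorities on the file, and list    */
  /* every program that adopts REGUSR so unexpected ones can be reviewed.   */
  DSPOBJAUT  OBJ(APPLIB/CUSTMAST) OBJTYPE(*FILE) OUTPUT(*PRINT)
  DSPPGMADP  USRPRF(REGUSR) OUTPUT(*PRINT)

ENDPGM
```

Rerunning DSPPGMADP periodically gives an inventory of every program that runs with REGUSR's authority, which is the list an auditor will ask for.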
Related Q&A from Carol Woodbury
Before changing password levels and upgrading operating systems on the AS/400, ensure the clients connecting to the NetServer do not need the old ...
Look in the audit journal (QAUDJRN) on the AS/400 for an authority failure message with the name of the library as the object name. Use the ...
On AS/400, the journal type AF subtype K, shows that a user profile lacks the special authority required by the function attempting to run.