Due to a recent Sarbanes-Oxley review of one of our systems, a security issue was documented that needs to be addressed. Here is a brief overview: The data owner is USERA; a group profile of USERA is associated with each user profile. The problem is we need to change the data owner authority from all to change and/or change the security method. Do you have any suggestions?
What I prefer to do in this case (and have successfully implemented) is to move the members of USERA to another group profile. USERA continues to own the application. The application programs are modified to adopt authority. This method allows users to continue to work as they do today -- as long as they go through the application interfaces. However, if the user attempts to use a network interface like FTP or ODBC or a sockets application or a Web application or even access the application objects from the command line, they will only be able to access the application objects with the authority *PUBLIC is set to. Therefore, if you set *PUBLIC to *EXCLUDE, they will be totally prevented from accessing the objects outside of the application. However, if you don't mind if they read the application data, you can set *PUBLIC to *USE and then users could download the data, but not update it outside the application. This is a perfect example of how you implement object security and why it works so well -- no matter how the data is being accessed.
To implement -- change the programs to adopt authority (set the program's user profile parameter to *OWNER), set the application objects to the appropriate *PUBLIC authority setting, then remove selected users from USERA group and make sure everything is working properly. You can then start removing more and more users, or you can remove the rest all at once.
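The three steps in the answer, written out as CL commands. This is an added example, not the expert's own commands; the library (APPLIB), data file (CUSTMAST), program (ORDENT), new group profile (APPUSERS) and test user (JSMITH) are assumed names. One point worth making explicit: *PUBLIC *EXCLUDE belongs on the data objects, while the programs and the library must keep *PUBLIC *USE, otherwise the users you move out of USERA can no longer call the application at all.

```cl
/* Added example (not from the original answer). Assumed names: library APPLIB,   */
/* data file CUSTMAST, program ORDENT, owner USERA, new group APPUSERS, user JSMITH.*/

/* 1. Make the application program adopt its owner's (USERA's) authority.         */
/*    The program must already be owned by USERA, or it adopts someone else.      */
CHGPGM PGM(APPLIB/ORDENT) USRPRF(*OWNER)

/* 2. Lock the data down for everyone except the owner and adopting programs.     */
/*    *EXCLUDE: no access outside the application (FTP, ODBC, command line).       */
/*    Use AUT(*USE) instead if read-only download outside the application is fine.*/
GRTOBJAUT OBJ(APPLIB/CUSTMAST) OBJTYPE(*FILE) USER(*PUBLIC) AUT(*EXCLUDE)

/*    Users still need *USE on the program (to call it) and on the library.       */
GRTOBJAUT OBJ(APPLIB/ORDENT) OBJTYPE(*PGM) USER(*PUBLIC) AUT(*USE)
GRTOBJAUT OBJ(APPLIB) OBJTYPE(*LIB) USER(*PUBLIC) AUT(*USE)

/* 3. Move users out of the USERA group, a few at a time, into a group profile    */
/*    that owns nothing. PASSWORD(*NONE) so nobody can sign on as the group.      */
CRTUSRPRF USRPRF(APPUSERS) PASSWORD(*NONE) TEXT('Application users group')
CHGUSRPRF USRPRF(JSMITH) GRPPRF(APPUSERS)

/* Verification: adopt flag on the program, *PUBLIC on the file, user's group.    */
DSPPGM PGM(APPLIB/ORDENT)
DSPOBJAUT OBJ(APPLIB/CUSTMAST) OBJTYPE(*FILE)
DSPUSRPRF USRPRF(JSMITH)

/* With *AUTFAIL auditing active, any attempt to reach CUSTMAST outside the       */
/* application after the change shows up as an AF entry in the audit journal.    */
DSPJRN JRN(QAUDJRN) ENTTYP(AF)
```

Run the verification commands with the test user signed on before moving the next batch out of USERA: the program should still work, while an FTP or ODBC attempt on CUSTMAST from the same user should fail and, if auditing is on, leave an AF entry naming CUSTMAST as the object.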
Related Q&A from Carol Woodbury