Frequently Asked Questions: AuthorityBroker
Q: Can I use AuthorityBroker to limit user
authority for Query/400?
A: PowerLock AuthorityBroker is an excellent supplement to Query/400,
DFU, DDBU, and SQL security. AuthorityBroker can be used to give
end-users less authority than they normally wield, thereby making
it safer to supply them with query tools directly.
Q: Can you give users access to only the view
function of SQL and protect the users from update access?
A: You can control user access to files by reducing the authority
of a user (switching them to less authority) before you provide
SQL query access.
Q: What are the required fields for the swap?
A: In order to conduct a swap, the user must first be enrolled
in PowerLock AuthorityBroker. A registered user need only provide
the name of a profile and the reason for the switch. Alternately,
the system administrator may require that a help desk trouble ticket
also be entered.
Q: I assume that you can limit which profiles a specific user
can switch to, right?
A: Absolutely! Only a user that you have registered in AuthorityBroker
may use the switching feature, and then they may only switch to
profiles you have pre-configured.
Q: Do you have the ability to change the job to *NOLIST in PowerLock
AuthorityBroker?
A: When a user is switched under PowerLock AuthorityBroker, the user
can change their joblog to *NOLIST. This will not affect PowerLock’s
ability to record and report on the user’s activity.
Q: While swapped, can they change the audit system values to not
audit?
A: Yes. However, the fact that they turned off the system audit
values would be recorded in the audit journal. Many organizations
would consider meddling with the system audit settings as an extremely
serious security violation and respond with the most serious disciplinary
action available.
Q: While swapped, can they change system value to not log activities?
A: Yes. However, the fact that they turned off the system audit
values would be recorded in the audit journal. Many organizations
would consider meddling with the system audit settings as an extremely
serious security violation and respond with the most serious disciplinary
action available.
Q: Are there certain logging levels that need to be set in order
to capture all the information with PowerLock AuthorityBroker?
Or does it have a setup screen to modify what is journaled?
A: The minimum requirement for AuthorityBroker to work is that
you must have the IBM Security Audit Journal (QAUDJRN) configured
on your system. In addition, you can get the most meaningful information
out of the product if you also turn on the Auditing Level (QAUDLVL)
value of *SECURITY. PowerLock AuthorityBroker handles all of the
other security logging tasks that are necessary to get full reporting
on user activity.
Q: What happens when the allotted time is up when swapping? What
does the user see when his authorities are taken away because he has
exceeded the time limit?
A: The system administrator has the ability to choose the action
at the end of the switch period. Options include *ENDJOB, *HLDJOB,
*DSCJOB, and *NONE.
Q: Every one of our profiles has ALLOBJ due to a bad decision
years ago. We have determined that it is too much work to change
these using current tools. With AuthorityBroker, would we have
to change all the user profiles first? Or would it log everything
in your audit logs?
A: While it would be possible to use AuthorityBroker without changing
everyone’s profile, one of the benefits of this product is that you
can choose to change everyone’s authority and still provide users
with *ALLOBJ in the rare instances that they need it. It’s an
opportunity to get out of the mess that the legacy has thrust upon you.
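An inventory query for the cleanup described above, added here as an example and not part of the original FAQ or of PowerTech's product. It assumes a current IBM i release where the IBM i Services view QSYS2.USER_INFO is available, and lists every profile that holds *ALLOBJ directly or through its primary group profile.

```sql
-- Added example (not from the original page).
-- Assumption: IBM i Services view QSYS2.USER_INFO exists on this release.
-- Lists profiles that hold *ALLOBJ themselves or inherit it from their
-- primary group profile, so the cleanup can be planned profile by profile.
-- Supplemental groups are not followed by this query.
SELECT u.AUTHORIZATION_NAME    AS user_profile,
       u.STATUS,                               -- *ENABLED or *DISABLED
       u.USER_CLASS_NAME,
       u.GROUP_PROFILE_NAME,                   -- *NONE when no group
       u.SPECIAL_AUTHORITIES   AS own_special_authorities,
       g.SPECIAL_AUTHORITIES   AS group_special_authorities,
       CASE
         WHEN u.SPECIAL_AUTHORITIES LIKE '%*ALLOBJ%' THEN 'DIRECT'
         ELSE 'VIA GROUP'
       END                     AS allobj_source,
       u.PREVIOUS_SIGNON                       -- stale profiles go first
FROM QSYS2.USER_INFO u
LEFT JOIN QSYS2.USER_INFO g
       ON g.AUTHORIZATION_NAME = u.GROUP_PROFILE_NAME
WHERE u.SPECIAL_AUTHORITIES LIKE '%*ALLOBJ%'
   OR g.SPECIAL_AUTHORITIES LIKE '%*ALLOBJ%'
ORDER BY allobj_source, u.AUTHORIZATION_NAME;
```

Rows marked VIA GROUP keep *ALLOBJ until the group profile itself is changed, so removing the authority from the individual profile alone is not enough for them.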
Q: Can they get right back in once they have exceeded their time limit?
A: This is configurable by the system administrator. Some users
may be given the authority to pop in and out of AuthorityBroker
at their own discretion, while others can be tightly scoped to
a time frame and a length of activity.
Q: Does the user swap automatically when they need the special
authority?
A: No, a user must request to swap from a command line. Alternately,
you could embed the switch commands into a CL program for automated
switching.
Q: Do you force something meaningful into the "reason" field?
Couldn't a really mal-intended user just put garbage in there?
A: The “reason” field is currently free format text. Given the
visibility of the text that is entered there (it is typically
transmitted to a number of managers), users are naturally discouraged
from entering information that would reflect poorly on themselves.
Q: Is there an authorization list for the "swap" and "release" commands
that the users use? How, exactly, is that managed?
A: Only users who have been preconfigured in advance by a PowerLock
AuthorityBroker Administrator can perform the swap and release.
Q: Is AuthorityBroker something needed in addition to exit-point
security? Is this an add-on to your other solutions?
A: PowerLock AuthorityBroker is a distinct new product from PowerTech
which alleviates a security concern that is different from the
network access security problems that are addressed by PowerLock
NetworkSecurity. It is designed to run independent of other PowerLock
security products.
Q: Do you provide 30-day demos for your PowerLock AuthorityBroker
product? Also, what is the pricing and what is it based on?
A: PowerLock security products are available for 30-day
demonstration/trial. Contact a PowerTech SecurityAdvisor to find out
more details, including product pricing. AuthorityBroker is a new
product and trial downloads will be available early in Q4 2005.
-----------------------------
Frequently Asked Questions: Special Authorities
Q: What is the most powerful user authority in OS/400?
A: *ALLOBJ authority is the most powerful authority on any AS/400
system. This authority, which is roughly equivalent to "root" on a
UNIX system, grants the user complete access to all libraries,
data, and programs on the system. A user with all-object authority
cannot be controlled. An employee with access to this profile who
has malicious intent has very little difficulty in exploiting it
to steal critical data or to wreak havoc on a system.
Q: What is *SECADM authority?
A: Security Administrator (*SECADM) grants authority to create,
change, and delete user IDs. This authority should be reserved
for essential administration personnel only.
Q: What is *IOSYSCFG authority?
A: System communication configuration authority (*IOSYSCFG) can
also be used to set up nearly invisible access from the outside
as a security officer—without needing a password. System communication configuration
authority provides the ability to configure and change communication
configurations (e.g., lines, controllers, devices), including the
system's TCP/IP and Internet connection information.
Q: What are the security implications of *AUDIT authority?
A: Audit authority (*AUDIT) puts a user in control of the system
auditing functions. Such a user can manipulate the system values
that control auditing and control user and object auditing. These
users could also turn off auditing for sensitive objects in an
effort to obscure certain actions.
Q: What is *SPLCTL authority? Are there any security exposures?
A: Spool control authority (*SPLCTL) gives the user rights to
read and modify all spooled objects (e.g., reports, job queue entries)
on your system. The user may hold, release, and clear job and output
queues, even if he or she is not authorized to those queues. For
example, a user with spool control authority could read and modify
critical payroll data once it has been sent to a printer.
Q: What can a user do with *SERVICE authority?
A: Service authority (*SERVICE) provides the user with the ability
to change system hardware and disk configurations, to sniff network
traffic, to put programs into debug mode (troubleshooting), and to
see their internal workings. The system services tools include the
ability to trace system functions, and to patch and alter user-made
and IBM-delivered programs on disk. It also allows users to turn RAID
parity on and off and to remove disk drives from the system.
Q: What is *JOBCTL authority and what can a user do with it?
A: Job control authority (*JOBCTL) can be used to power down the
system or to terminate subsystems or individual jobs at any time, even during critical
operational periods. Job control authority provides the capability to control other users' jobs
as well as their spooled files and printers.
Q: What happens if a user has *JOBCTL special authority and I revoke
the rights for that user to use the command PWRDWNSYS? Can that
user still execute that command?
A: You could prevent a user from doing a PWRDWNSYS
by restricting the user's authority to that command—assuming the user does
not also have *ALLOBJ. But you would also need to restrict access
to the STRSBS, ENDSBS, ENDJOB, etc. commands. It’s much easier
to just remove the *JOBCTL special authority.
Q: What is *SAVSYS authority and what are the risks associated
with this authority?
A: The risk with *SAVSYS authority is that a user with this authority
can save all objects (including the most sensitive files) to disk
(save file), delete any object (with the Free Storage option), restore
the file to an alternate library, and then view and alter the
information. Should the user alter the information, he or she may have
the ability to replace the production object with the saved version.
Q: Couldn't you restrict access to the RST commands, keeping the
user with *SAVSYS from using them?
A: Yes, you can restrict access to the RST* commands to prevent
a user from restoring an object to your system. But a user with *SAVSYS
special authority will still have powerful SAVE abilities.
Q: What do you recommend for external vendors with powerful authority?
A: PowerLock AuthorityBroker is an excellent tool for monitoring
and recording the activity of vendors and outside consultants that
may connect to your systems from without. Notifications may be
sent to a variety of management forums and complete reporting
of all activity is available.
Q: Where can I find more information on special authorities?
A: Download Dan Riehl's excellent article, The Exposures of
Indiscriminate Assignment of iSeries Special Authorities.