What Authorities Do Programmers Really Need?
Security - IBM i (OS/400, i5/OS)
Written by Carol Woodbury
Monday, 13 June 2011 00:00
It may take a bit of investigation to determine exactly what authorities programmers require, but they rarely need all-encompassing special authorities.
Laws and regulations require that users be given only enough authority to do the tasks associated with their jobs. In addition, auditors require IT departments to reduce the number of "powerful" users on the system. As a result, the programming staff comes under scrutiny. Why? Because they have often been given lots of power in the past. In i5/OS terms, that means programmers have been given the *ALLOBJ special authority. The question I am often asked is, "What authorities do programmers need to do their jobs?" Unfortunately, the answer is, "That depends." This article looks at how you can determine the answer to this question for your environment and also explains what authorities programmers do not need.
What Programmers Don't Need: *ALLOBJ Special Authority
It may take a bit of investigation to determine exactly what authorities programmers require, but they rarely need the *ALLOBJ special authority. However, many programmers will insist that it's a requirement to perform their job functions on both development and production systems. I can say with certainty that, unless the programmers double as security officers, they do not need *ALLOBJ special authority assigned to their profiles on a permanent basis.
Giving *ALLOBJ authority to programmers is a bad idea because it provides them with the authority to access every object on the system. Because the actions of an *ALLOBJ user cannot be controlled, you cannot maintain proper change management controls if programmers have been given *ALLOBJ special authority. Even if you have implemented change management software, programmers with *ALLOBJ authority can directly access and modify production-level source. Programmers with *ALLOBJ authority can easily cover up their actions by deleting objects such as joblogs and journal receivers and by clearing the history log. Finally, programmers with *ALLOBJ special authority on production systems can access, modify, or delete production database programs and files; view or download private data; or run encryption routines to decrypt data. All of these actions bring the integrity and availability of your data into question, which is why programmers' authorities are under scrutiny and regulatory compliance requirements are being implemented.
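Before you can reduce the number of *ALLOBJ users, you need an inventory of who actually holds it, including profiles that inherit it through a group profile rather than having it assigned directly. The following query is an added example, not part of the original article; it assumes the QSYS2.USER_INFO SQL service (columns AUTHORIZATION_NAME, STATUS, SPECIAL_AUTHORITIES and GROUP_PROFILE_NAME) is available on your release.

```sql
-- Inventory of profiles that effectively hold *ALLOBJ special authority.
-- Part 1: profiles with *ALLOBJ assigned directly to the user profile.
SELECT u.AUTHORIZATION_NAME,
       u.STATUS,
       u.SPECIAL_AUTHORITIES,
       'DIRECT' AS HOW_GRANTED
  FROM QSYS2.USER_INFO u
 WHERE u.SPECIAL_AUTHORITIES LIKE '%*ALLOBJ%'

UNION ALL

-- Part 2: profiles that inherit *ALLOBJ from their primary group profile.
-- A user gets the group's special authorities even if its own profile
-- shows none, so these are often missed in a manual review.
SELECT u.AUTHORIZATION_NAME,
       u.STATUS,
       u.SPECIAL_AUTHORITIES,
       'VIA GROUP ' || g.AUTHORIZATION_NAME AS HOW_GRANTED
  FROM QSYS2.USER_INFO u
  JOIN QSYS2.USER_INFO g
    ON g.AUTHORIZATION_NAME = u.GROUP_PROFILE_NAME   -- '*NONE' never matches
 WHERE g.SPECIAL_AUTHORITIES LIKE '%*ALLOBJ%'
   AND u.SPECIAL_AUTHORITIES NOT LIKE '%*ALLOBJ%'   -- avoid listing twice

 ORDER BY 1;
```

Supplemental groups (SUPGRPPRF) also confer special authorities, so repeat the second part against the SUPPLEMENTAL_GROUP_LIST column or review those profiles separately; every row returned for a programmer profile is a candidate for removal and a change-management finding.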
What Programmers Do Require
Now that we know what programmers don't need, we must determine what authorities programmers do require. To begin, look at the tasks programmers perform. If their sole responsibility is architecting, coding, and testing applications (which tends to be the case in larger organizations), the requirements are fairly straightforward. The development environment and change management software you're using will dictate the actual implementation.
Last Updated on Monday, 13 June 2011 00:00