Partner TechTip: Limiting an *ALLOBJ User to Read-Only Data Access
Tips & Techniques - Security
Written by Robin Tatam
Friday, 25 June 2010 00:00
Grant varying levels of IBM i security to different interfaces.
Do the majority of your users have access to your critical data? Do you still rely on menu and command-line restrictions for security? Can you monitor network access attempts? Is your security program flexible enough to restrict access to individual objects?
When the "AS/400" first appeared on the market, most developers used application menus and command line restrictions to ensure that data could not be accessed outside an application. There was no Internet, system access was usually from dumb terminals, and though the AS/400 contained an object-based security mechanism, it wasn't often used.
Things changed in the early '90s. IBM enhanced the operating system (OS/400) to support TCP interfaces, such as FTP and ODBC. While the interfaces represented a huge step forward in data openness, they also exposed the lack of object-level security. Now, you could run programs and access data outside of a green-screen display.
Along with these new interfaces, IBM introduced a new security layer, the network exit point. Exit points allow an exit program to be called when someone makes a network access attempt, such as an FTP-based file transfer request. However, even exit programs are not automatically secure. An exit program only does as much (or as little) as its programmer codes it to do.
Exit Point Management Is Key
PowerTech Network Security helps you manage exit points by providing exit programs for common network interfaces. Using Network Security, you set rules that allow or reject requests made through network interfaces. You can control user requests based on the type of request, the user (or group) making the request, and the location where the request originated.
Because the network exit program is called before the transaction is passed to the operating system for authority checking and execution, the exit program can reject transactions that might otherwise be permitted by the operating system. This also allows you to record a powerful user's activities to a secure log, such as the IBM security audit journal (QAUDJRN).
Object Security for a Layered Defense
According to PowerTech's annual State of IBM i Security Study, a well-designed object security scheme is still rare. This is partly because the operating system controls were designed for a single point of access to objects, even though there are now numerous entry points. Thus, providing a user with change access in a green-screen application opens up a huge exposure through ODBC or FTP. Also, excluding a user from one data interface means that the data might not be available for legitimate business purposes through another interface.
In fact, the best security infrastructure is built in layers. If users break through one defense layer (the exit point), they are faced with another layer (object security). Network Security offers an object-level security option that can restrict access to specific objects, libraries, or IFS files.
Profile Switching Adds Flexibility
Network Security also includes a powerful "switch profile" feature that allows a transaction to run under a different profile than the profile that initiated it. While typically used to elevate authority, you can apply the same technique to reduce the authority of a user. In the case of the powerful *ALLOBJ users, you can selectively change their requests to run under a lower-level *USE, or even *EXCLUDE, access profile.
Figure 1: Specify a switch profile for a user.
You can define profile switching at a very granular level, completely transparently to the user. Entire servers, individual server functions, or even specific transactions can be set to run under specific profiles regardless of the requester's authority. Instead of being tied to the single level of security that even a well-implemented object-level security model provides, Network Security offers significant flexibility between interfaces. For example, you can grant a user *EXCLUDE authority through ODBC, *USE to a particular library through FTP, and *CHANGE for a legacy 5250 application.
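The per-interface outcome described above, modelled as an added example in Python (this is not PowerTech's code; it is a simplified stand-in for the exit program's rule lookup and profile switch). Server, function, profile and object names are constructed; the 5250 path is left out because a green-screen session does not pass through a network exit point.

```python
from dataclasses import dataclass, field

AUTH_RANK = {"*EXCLUDE": 0, "*USE": 1, "*CHANGE": 2, "*ALL": 3}  # IBM i object authorities, low to high
REQUIRED = {"SENDFILE": "*USE", "RECVFILE": "*CHANGE", "SELECT": "*USE", "UPDATE": "*CHANGE"}  # constructed

@dataclass(frozen=True)
class Rule:
    server: str               # "*FTPSERVER", "*SQL" (ODBC) or "*ALL"
    function: str             # function name or "*ALL"
    user: str                 # user profile, group profile or "*PUBLIC"
    action: str               # "*ALLOW" or "*REJECT"
    switch_profile: str = ""  # if set, the request runs under this profile instead

@dataclass(frozen=True)
class Profile:
    name: str
    allobj: bool = False      # holds *ALLOBJ special authority
    groups: tuple = ()
    obj_auth: dict = field(default_factory=dict)  # object name -> authority granted

def match_rule(rules, server, function, user):
    """Most specific rule wins: user > group > *PUBLIC, then explicit function > *ALL."""
    levels = {user.name: 2, **{g: 1 for g in user.groups}, "*PUBLIC": 0}
    best, best_score = None, -1
    for r in rules:
        if (r.server in (server, "*ALL") and r.function in (function, "*ALL")
                and r.user in levels):
            score = levels[r.user] * 2 + (r.function == function)
            if score > best_score:
                best, best_score = r, score
    return best

def evaluate(rules, profiles, server, function, user_name, obj):
    """Exit program decides first; allowed requests then get the OS authority check, under the switch profile if set."""
    user = profiles[user_name]
    rule = match_rule(rules, server, function, user)
    if rule is None or rule.action == "*REJECT":
        return ("REJECTED_BY_EXIT", user_name)
    eff = profiles[rule.switch_profile] if rule.switch_profile else user
    held = "*ALL" if eff.allobj else eff.obj_auth.get(obj, "*EXCLUDE")
    ok = AUTH_RANK[held] >= AUTH_RANK[REQUIRED[function]]
    return ("ALLOWED" if ok else "NOT_AUTHORIZED", eff.name)

# Constructed sample: one *ALLOBJ user; FTP switched to a *USE profile, ODBC to *EXCLUDE.
PROFILES = {"POWERUSR": Profile("POWERUSR", allobj=True),
            "RDONLY": Profile("RDONLY", obj_auth={"PAYROLL": "*USE"}), "NOACCESS": Profile("NOACCESS")}
RULES = [Rule("*ALL", "*ALL", "*PUBLIC", "*REJECT"),
         Rule("*FTPSERVER", "*ALL", "POWERUSR", "*ALLOW", "RDONLY"),
         Rule("*SQL", "*ALL", "POWERUSR", "*ALLOW", "NOACCESS")]
```

With these rules the *ALLOBJ user can download PAYROLL over FTP but not upload to it, and gets nothing through ODBC, while everyone else is rejected by the default rule before the operating system ever checks authority.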
Controlling the Uncontrollable
People today are still surprised that network interfaces provide such powerful and open access to their application data. Network Security offers a solution that helps you reduce the risk from powerful users with *ALLOBJ authority. You define the level of access you are comfortable with, and Network Security takes care of the details. Call for your free 30-day trial.