Be sure you understand the impact of a profile's user class on user capabilities.
One of the security issues most frequently cited by auditors is the existence of (overly) powerful users on a system. Unfortunately, there are no hard and fast guidelines of what defines a powerful user on the IBM i platform. Too often, administrators and auditors focus almost exclusively on a profile's User Class (USRCLS) parameter.
In my opinion, a powerful user is anyone who can operate outside the confines of an application. This includes users with command-line access in conjunction with special authorities or users with public or private authority to libraries and objects. Command-line access is possible through legacy green-screen command functions, as well as through network interfaces such as FTP and REXEC. Some of these network interfaces even allow user profiles with "limited capabilities" to run commands.
What Exactly Does the User Class Control?
According to the IBM i Security Reference, the primary purpose of the user class is to control the options that display on IBM i menus. For example, Main Menu option 5 (Programming) isn't visible to *USER-type users. However, when asked for a list of "security officers," many administrators limit the list to profiles running with a USRCLS of *SECOFR without looking at other authorities a profile may have. One reason USRCLS is often confused with the capabilities of a user is that the class names suggest roles with specific responsibilities: security officer, security administrator, programmer, and system operator.
The reality is that the user class parameter does play a significant role when you create or change a profile and set the SPCAUT (special authority) parameter to *USRCLS. This tells the operating system to look to the user class to determine which special authorities to grant, based on a predetermined IBM template. Once the special authorities are assigned, *USRCLS is replaced with these authorities, and the user class is no longer used.
The following table shows the special authorities that are granted for each user class at the system security level defined by the QSECURITY system value and using a SPCAUT value of *USRCLS:
|
Special Authority |
User Class |
||||
|
*SECOFR |
*SECADM |
*PGMR |
*SYSOPR |
*USER |
|
|
*ALLOBJ |
All |
10 or 20 |
10 or 20 |
10 or 20 |
10 or 20 |
|
*SECADM |
All |
All |
|
|
|
|
*JOBCTL |
All |
10 or 20 |
10 or 20 |
All |
|
|
*SPLCTL |
All |
|
|
|
|
|
*SAVSYS |
All |
10 or 20 |
10 or 20 |
All |
10 or 20 |
|
*SERVICE |
All |
|
|
|
|
|
*AUDIT |
All |
|
|
|
|
|
*IOSYSCFG |
All |
|
|
|
|
Since the user class parameter is used only when the special authority parameter is set to *USRCLS, you can override the special authorities at any time—with no permanent tie to the user class value. If you assign special authorities that don't match the user class defaults, you see this warning: "User class and special authorities do not match system supplied values." This means that it's possible for a profile that was originally designated as a *USER-class profile to be granted all eight special authorities of a security officer. Similarly, a *SECOFR-class profile can have its special authorities removed to reduce its capabilities to those of an end user.
Who Has the True Power?
You can use the Print User Profile (PRTUSRPRF) command to see a simple listing of profile information. However, PowerTech's Compliance Monitor auditing solution provides comprehensive information that isn't available through the operating system, including:
- Predefined reports that detail profiles, group profiles, powerful users, users with legacy command line access, and inactive profiles.
- Dynamic filtering of user profile information, including the user classes and special authorities assigned to the profile. You can see this information onscreen, view it as a PDF, or export it in .csv or .xls format for additional analysis.
In addition, many administrators are unaware that special authorities can be inherited from group profiles. It's critical to review this information to ensure that powerful users aren't overlooked. Compliance Monitor includes this inherited authority information on a number of user reports (see Figure 1).
Figure 1: The Powerful Profile report includes both user class and inherited special authority information. (Click image to enlarge.)
Review Your Own Powerful Users
To determine how many overly powerful users are on your system, register for a no-cost PowerTech Compliance Assessment. Or try Compliance Monitor free for 30 days. Learn more about Compliance Monitor by clicking here!
Additional Reading
If you'd like more information about the USRCLS parameter, see chapter 4 of the IBM i Security Reference Manual (SC41-5302-10) or check out the resources and downloads available at www.powertech.com.
Business users want new applications now. Market and regulatory pressures require faster application updates and delivery into production. Your IBM i developers may be approaching retirement, and you see no sure way to fill their positions with experienced developers. In addition, you may be caught between maintaining your existing applications and the uncertainty of moving to something new.
IT managers hoping to find new IBM i talent are discovering that the pool of experienced RPG programmers and operators or administrators with intimate knowledge of the operating system and the applications that run on it is small. This begs the question: How will you manage the platform that supports such a big part of your business? This guide offers strategies and software suggestions to help you plan IT staffing and resources and smooth the transition after your AS/400 talent retires. Read on to learn:
LATEST COMMENTS
MC Press Online