iCan Blog Archive

IBM i 7.3 is here! IBM i 7.3 has added a feature called “Security Authority Collection” which tracks how applications and application users “use” an object.  Inquiries against that collection will provide advice on securing critical business data and applications from intrusion by identifying who needs to have access to data and in what context.  This is a major enhancement to security management that is unique to IBM i.

Jeff Uehling, the leader of the security development team in Rochester, Minnesota, writes about this new feature. 

Authority collection is a capability provided as part of the IBM i 7.3 base operating system. At a high level, authority collection captures data associated with the run-time authority checking built into the IBM i system. This data is logged to a repository provided by the system, and interfaces are available to display and analyze it. The intent of this support is to help the security administrator and application provider secure the objects within an application with the lowest level of authority required to run the application successfully, thereby increasing the security of those objects.

Applications available for the IBM i server often have excessive authority granted to the objects within the application,  even with current laws and regulations requiring security of sensitive data. Traditionally, the public authority (*PUBLIC) of objects within an application is set to an authority value that exceeds the authority that is required to run the application.  For example, the public authority on a DB2 table object (*FILE) may be set to *CHANGE authority even though the application requires only *USE authority to the data file.  This excessive authority setting opens a potential security exposure in the system as the data in this particular table object can be changed, outside of the application, by users of the system.  The authority collection support is designed to provide the system administrator and application provider a utility to help lock down the security of application objects. 

New authority collection interfaces are provided to allow a system administrator to collect and analyze data associated with the authority checking support of IBM i.  These interfaces support the ability to start authority collection for a specific system user.   When this user runs a job on the system (interactive, batch, communication, etc.) and accesses objects within the application, authority collection data is gathered and written to the authority collection repository for the user. 

Each authority check requested by the Operating System (OS) and Licensed Internal Code (LIC) is logged to the authority collection data repository for the user.  For a given interface, the system may make numerous authority checks that can cause many authority collection entries for a single object to be collected.  An entry is logged in the authority collection repository for each unique authority check against objects involved and this data includes a key piece of information: “required authority”.  

The required authority data identifies what authority the user needs to the object in order to successfully pass the authority check being made by the system.  This is important to understand. The total authority required to the object must be derived from the cumulative “required authority” value from all of the authority collection entries logged, for this user and for the object being analyzed.  

Authority Collection Interfaces 
The following new interfaces are available within the authority collection utility. 

  1. Start Authority Collection (STRAUTCOL) CL command
  2. End Authority Collection (ENDAUTCOL) CL command
  3. Delete Authority Collection (DLTAUTCOL) CL command
  4. IBM Navigator for i Authority collection support
  5. A new SQL view to display the authority collection data, QSYS2.AUTHORITY_COLLECTION.

Starting Authority Collection 
Authority collection is based on a user. This means authority collection is only active for the “current user profile” of the job (the thread effective user profile). Authority collection can be active for multiple users (users of different jobs) at the same time. An authority collection repository exists for each user. The Start Authority Collection (STRAUTCOL) command is used to start the authority collection for a specified user profile. The command provides options to collect authority information for objects in libraries, document library objects (*DOC and *FLR object types), and objects in the “root” (/), QOpenSys, and user-defined file systems. 

To collect authority information for the users that an application runs under: 

  1. Start authority collection for the user the application will run under.  If the application runs under different users then start authority collection for each user.
  2. Run the application.
  3. End authority collection for each user.
  4. Analyze the authority data collected for each user. 

Ending Authority Collection  
The End Authority Collection (ENDAUTCOL) command stops the authority collection for the specified user. The ENDAUTCOL command must be run after all jobs running under the specified user have ended to ensure that all of the information for this user is collected.  For Db2 objects of type *FILE, collecting authority information occurs during file open, subsequent file I/O, and the file close. A full close of the *FILE must be done for complete authority information to be collected for the object. 

Deleting Authority Collection Information
The Delete Authority Collection (DLTAUTCOL) command deletes the authority collection data repository for the specified user.  Deleting the authority collection data repository deletes all authority collection information for the specified user. 

Displaying and Analyzing Authority Collection Data 
Authority collection captures a significant amount of information associated with the authority checking of an object. The SQL view QSYS2.AUTHORITY_COLLECTION is used to display and analyze this information. Querying the view returns the authority collection data for the collected users. The two pictures below show output generated by the QSYS2.AUTHORITY_COLLECTION SQL view; the second picture shows the view after scrolling right within the view data.
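Step 4 of the procedure above, the analysis, worked on constructed sample data. This is an added example, not code from the post or from IBM: it unions the required authority of every entry logged for a user and object, reduces the result to the smallest standard authority level, and lists the objects whose *PUBLIC authority exceeds what the application actually needed (the *CHANGE-versus-*USE case described earlier). The rows are constructed, and the column names (AUTHORIZATION_NAME, SYSTEM_OBJECT_SCHEMA, SYSTEM_OBJECT_NAME, SYSTEM_OBJECT_TYPE, REQUIRED_AUTHORITY) are assumed to match the view; check them against your system.

```python
# Added example, not code from the original post or from IBM. Detailed object
# and data authorities contained in each standard authority level (IBM i).
LEVELS = {
    "*EXCLUDE": set(),
    "*USE": {"*OBJOPR", "*READ", "*EXECUTE"},
    "*CHANGE": {"*OBJOPR", "*READ", "*ADD", "*UPD", "*DLT", "*EXECUTE"},
    "*ALL": {"*OBJOPR", "*OBJMGT", "*OBJEXIST", "*OBJALTER", "*OBJREF",
             "*READ", "*ADD", "*UPD", "*DLT", "*EXECUTE"},
}
ORDER = ["*EXCLUDE", "*USE", "*CHANGE", "*ALL"]  # least to most authority

def row(schema, name, otype, required):
    """Constructed entry shaped like the view's columns (assumed names)."""
    return {"AUTHORIZATION_NAME": "APPUSER", "SYSTEM_OBJECT_SCHEMA": schema,
            "SYSTEM_OBJECT_NAME": name, "SYSTEM_OBJECT_TYPE": otype,
            "REQUIRED_AUTHORITY": required}

SAMPLE_ROWS = [  # constructed sample collection for one user, not real output
    row("PAYROLL", "EMPMAST", "*FILE", "*OBJOPR *READ"),   # opened for input
    row("PAYROLL", "CUSTMAST", "*FILE", "*OBJOPR *READ"),
    row("PAYROLL", "CUSTMAST", "*FILE", "*OBJOPR *UPD"),   # later update I/O
    row("QSYS", "PAYROLL", "*LIB", "*EXECUTE"),            # library lookup
]

def smallest_level(needed):
    """Smallest standard level covering every detailed authority needed."""
    for level in ORDER:
        if needed <= LEVELS[level]:
            return level
    return "USER DEF"  # combination with no standard level name

def cumulative_required(rows):
    """Union REQUIRED_AUTHORITY over all entries for each (user, object): the
    post's rule that total required authority comes from all entries."""
    needed = {}
    for r in rows:
        key = (r["AUTHORIZATION_NAME"], r["SYSTEM_OBJECT_SCHEMA"],
               r["SYSTEM_OBJECT_NAME"], r["SYSTEM_OBJECT_TYPE"])
        for part in r["REQUIRED_AUTHORITY"].split():  # '*USE' or a list
            needed.setdefault(key, set()).update(LEVELS.get(part, {part}))
    return {key: smallest_level(auths) for key, auths in needed.items()}

def lockdown_candidates(rows, public_authority):
    """Objects whose required level is below the *PUBLIC authority granted."""
    granted = ORDER.index(public_authority)
    return sorted(key for key, level in cumulative_required(rows).items()
                  if level in ORDER and ORDER.index(level) < granted)
```

On a real system the same grouping can be expressed as a query over the view once ENDAUTCOL has run for the user, so that the file-close entries are included.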

For the complete description of Authority Collection, see chapter 10 of the Security Reference PDF in the IBM i Knowledge Center.

This blog post was edited to fix broken links on April 15, 2020.

This blog post was originally published on IBMSystemsMag.com and is reproduced here by permission of IBM Systems Media.