Tracking *ALLOBJ users

Hello,

I’ve heard that there is a system value or some other setting on the 'i' that will ‘track’ a user’s activity and the data will let you know exactly when that user needed *ALLOBJ special authority.  Is anyone familiar with this?

Thanks,
Barry

Asked by bggauth
Gary Patterson (VP Technology / Senior Consultant) commented:
Confused: what do you mean by "when that user needs *ALLOBJ special authority"?

*ALLOBJ special authority is just that - a special authority that short-circuits security checking for a given user.  It basically says, "no need to check any further, this user is authorized to all objects on the system".

There is no explicit setting on an object that says "*ALLOBJ special authority needed to access this object" (you can revoke all private and public authorities to an object, which implicitly limits access to the object to *ALLOBJ users).

Basically, the AS/400 security checking mechanism first looks to see if a user has *ALLOBJ authority, and if they do, access is granted to the object, and no further checking is done.

It is a common practice to audit the activities of *ALLOBJ users, since they have so much power.  Perhaps this is what you are referring to:

http://publib.boulder.ibm.com/infocenter/iseries/v5r4/index.jsp?topic=/rzamv/rzamvauditsecofraction.htm

- Gary Patterson


bggauth (Author) commented:
I was at a user group conference and someone there mentioned that there is a 'report' that can be run that shows when a profile actually needed *ALLOBJ to perform a particular function.  Just because you have *ALLOBJ does not mean you use it all the time.


I will attempt to gather more info.
Gary Patterson (VP Technology / Senior Consultant) commented:
Barry,

I think you've got your wires crossed here somewhere.

If your profile has *ALLOBJ special authority, you use it (almost) all the time.

See the security Reference, Chapter 5 - Resource Security, Topic "How The System Checks Authority":

http://publib.boulder.ibm.com/infocenter/iseries/v5r4/topic/books/sc415302.pdf

p149:

...At any point in the authority checking process, the system may find sufficient authority and authorize the user to the object.

p148:

...The system verifies a user’s authority to an object in the following order:
1. Object’s authority - fast path
2. User’s *ALLOBJ special authority
3. User’s specific authority to the object
4. User’s authority on the authorization list securing the object
5. Groups’ *ALLOBJ special authority
6. Groups’ authority to the object
7. Groups’ authority on the authorization list securing the object
8. Public authority specified for the object or for the authorization list securing the object
9. Program owner’s authority, if adopted authority is used

Maybe you are thinking about adopted authority.  

Anyway, the "reports" you are talking about are audit reports, and they can indeed report the actions of *ALLOBJ users (if configured properly), and the use of adopted authority (which is what I think you may be confusing *ALLOBJ with).   The security reference (link above) is full of info on auditing.

- Gary Patterson
tliotta commented:
The invocation of "adopted authority" is as close as I can get to anything like this, but even that wouldn't necessarily provide "*ALLOBJ" special authority. It only needs to provide whatever authority is available to satisfy the need. It might, for example, provide owner's authority through the object's authority.

I won't make a flat statement that no such report exists, but I haven't heard of any even for i v7.1 -- until this question. I'll certainly be watching to see if I run across anything now that someone has asked. Every once in a while such things show to be valid.

Tom
Gary Patterson (VP Technology / Senior Consultant) commented:
After seeing Tom's comment, I have to add a similar caveat:  

I can't say definitely that "no such report exists", but I've been doing this a long time, and it doesn't ring a bell.  Similar issues and questions come up very frequently that have a "similar sound" to this, though.

  • Auditing of adopted authority use.
  • Auditing of security officer (or other privileged profile) profile use.
Perhaps you can contact the speaker at the user group and get some clarification.

Again, since *ALLOBJ authority checking happens very early in the authorization process, it is hard to say if *ALLOBJ was "required" to access a particular object, since authority checking stops as soon as *ALLOBJ is detected on the profile.  A particular profile could have private authorities to an object, plus be on an authorization list that would grant access, plus be a member of a group that has rights to the object, but none of that would ever be checked by the OS, since authority checking stopped with an "access granted" as soon as *ALLOBJ rights were detected early in the process.

That would seem to me to preclude any sort of theoretical "Was ALLOBJ required?" reporting.

- Gary Patterson

bggauth (Author) commented:
I have also not heard of anything like this until today.  
I am not thinking of adopted authority. I am quite familiar with most aspects of security on the i.
The reason this thought resonates with me is that there are sometimes application upgrades or installs and requests come in for *ALLOBJ or QSECOFR and this has been going on long before I joined this company.  In any event, I want to determine if in fact this level of authority and access is even needed.   I've turned on *CMD auditing for these users (QSECOFR is already set up) and this type of report (seeing if a user actually needed *ALLOBJ to perform the task) would aid me from going through each command that was issued and checking each object's authority so I can present my case that this authority is not needed.

I will let you know what info I find out.

Barry
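The following Python is an added example, not code from this thread, from IBM, or from any real IBM i report. It models the authority-checking order Gary quotes from the Security Reference (steps 2 to 9) and then replays constructed audit records with *ALLOBJ masked, which is the "did this user actually need *ALLOBJ?" question Barry wants answered for his *CMD-audited profiles. Every profile, object and record below is constructed for illustration, and the authority ladder (*EXCLUDE < *USE < *CHANGE < *ALL) is a simplification of the real object and data rights.

```python
# Added example for this thread: not code from the thread, from IBM, or any real
# IBM i report.  It models the authority-checking order quoted from the Security
# Reference and replays constructed audit records with *ALLOBJ masked, to answer
# "would this access still have succeeded without *ALLOBJ?".  All profile,
# object and record names below are constructed for illustration.
from dataclasses import dataclass, field

# Simplified authority ladder: each level includes everything below it.
# (The real system tracks individual object and data rights; this is a stand-in.)
RANK = {"*EXCLUDE": 0, "*USE": 1, "*CHANGE": 2, "*ALL": 3}


def sufficient(held, required):
    """True when the held authority (None means no entry) covers the request."""
    return held is not None and RANK[held] >= RANK[required]


@dataclass
class UserProfile:
    name: str
    allobj: bool = False                        # *ALLOBJ special authority
    groups: list = field(default_factory=list)  # group profile names


@dataclass
class SecuredObject:
    name: str
    owner: str
    private: dict = field(default_factory=dict)  # profile or group -> authority
    autl: dict = field(default_factory=dict)     # authorization list entries
    public: str = "*EXCLUDE"                     # *PUBLIC authority


def held_by(obj, name):
    """Private authority of a profile to the object; the owner implicitly has *ALL."""
    return "*ALL" if obj.owner == name else obj.private.get(name)


def check_authority(user, obj, required, profiles, adopted_owner=None, ignore_allobj=False):
    """Walk the order quoted above (steps 2-9; step 1, the fast path, is an
    optimisation with the same outcome).  Returns (granted, step), where step
    names the first source that satisfied the request.  ignore_allobj=True masks
    steps 2 and 5 so the walk continues as if no *ALLOBJ were held.
    Simplification: the real flow stops early on an insufficient private entry;
    here every source is simply tried in order."""
    if not ignore_allobj and user.allobj:
        return True, "2: user *ALLOBJ"
    if sufficient(held_by(obj, user.name), required):
        return True, "3: user private authority"
    if sufficient(obj.autl.get(user.name), required):
        return True, "4: user on authorization list"
    for g in user.groups:
        if not ignore_allobj and profiles[g].allobj:
            return True, f"5: group {g} *ALLOBJ"
    for g in user.groups:
        if sufficient(held_by(obj, g), required):
            return True, f"6: group {g} private authority"
    for g in user.groups:
        if sufficient(obj.autl.get(g), required):
            return True, f"7: group {g} on authorization list"
    if sufficient(obj.public, required):
        return True, "8: public authority"
    if adopted_owner is not None:
        # Adopted authority uses the program owner's own authority (including that
        # owner's *ALLOBJ), so the mask is deliberately not propagated here.
        ok, _ = check_authority(profiles[adopted_owner], obj, required, profiles)
        if ok:
            return True, f"9: adopted authority of {adopted_owner}"
    return False, "not authorized"


def allobj_required(records, objects, profiles):
    """records: (user, object, required authority, adopting program owner or None).
    For each, report how access was granted and whether *ALLOBJ was required."""
    report = []
    for user_name, obj_name, required, adopted in records:
        user, obj = profiles[user_name], objects[obj_name]
        granted, via = check_authority(user, obj, required, profiles, adopted)
        still_ok, via_masked = check_authority(user, obj, required, profiles, adopted,
                                               ignore_allobj=True)
        report.append({"user": user_name, "object": obj_name, "required": required,
                       "granted_via": via, "without_allobj": via_masked,
                       "allobj_required": granted and not still_ok})
    return report


# Constructed profiles and objects (not from any real system).
PROFILES = {
    "BARRY": UserProfile("BARRY", allobj=True, groups=["APPGRP"]),
    "APPGRP": UserProfile("APPGRP"),
    "APPOWNER": UserProfile("APPOWNER"),
}
OBJECTS = {
    "APPLIB/CUSTFILE": SecuredObject("APPLIB/CUSTFILE", "APPOWNER",
                                     autl={"APPGRP": "*CHANGE"}),
    "APPLIB/CONFIG": SecuredObject("APPLIB/CONFIG", "APPOWNER", public="*USE"),
}
# Constructed stand-ins for what *CMD auditing would show BARRY touching.
RECORDS = [
    ("BARRY", "APPLIB/CUSTFILE", "*CHANGE", None),
    ("BARRY", "APPLIB/CONFIG", "*USE", None),
    ("BARRY", "APPLIB/CONFIG", "*ALL", None),
    ("BARRY", "APPLIB/CUSTFILE", "*ALL", "APPOWNER"),  # reached via an adopting program
]

if __name__ == "__main__":
    for row in allobj_required(RECORDS, OBJECTS, PROFILES):
        print(f"{row['user']} {row['object']} {row['required']:8} granted via "
              f"{row['granted_via']}; without *ALLOBJ: {row['without_allobj']}; "
              f"*ALLOBJ required: {row['allobj_required']}")
```

Every constructed record is granted at step 2 because BARRY holds *ALLOBJ, which is exactly why the operating system itself cannot record whether the later steps would have passed; the replay answers that by re-walking the order with *ALLOBJ masked. Only the third record (needing *ALL to an object whose public authority is *USE) comes out as genuinely requiring *ALLOBJ. Two caveats apply to any such replay: it evaluates against the authorities in force now rather than at the moment of the audited access, and the real checking flow has more early stops (an insufficient private entry, for instance) than this model.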
Gary Patterson (VP Technology / Senior Consultant) commented:
Barry,

I understand why you'd like such a tool.  I can see how it would be handy, too.  

Anyway, if you discover a tool for analyzing the need for a given special authority, I'd be interested in learning about it.

In the meantime ...

I've worked for several AS/400 software houses, and I can tell you first-hand why upgrade and install processes specify a profile with *ALLOBJ:  To reduce the number of security-related problems (and related support calls) that occur during upgrade or install.  Is QSECOFR or *ALLOBJ always required?  No.  But since the developers cannot predict all of the possible security permutations implemented on every system in every shop, installation and upgrade instructions frequently specify a profile with a very high level of authority - generally QSECOFR, since it is an IBM-supplied profile that typically has a full complement of special authorities.

- Gary Patterson
tliotta commented:
In general, "QSECOFR" should never be needed by anyone but IBM. However, *ALLOBJ can easily be needed by 3rd-party installs. Other special authorities might also be needed. As Gary mentions, it comes down to volume of potential authorities as well as unpredictability.

A 3rd-party can't predict what libraries or subsystems or job queues or any kind of objects at all might exist on a customer system. The install program can ask to be granted authority to every object as it installs and the product can ask for authority during run-time for every new object that it encounters, but no customer would put up with that.

Ideally, a product profile is created during install with whatever special authorities are needed for the product. In order to create the profile, the user running the install must have whatever special authorities are being granted to the new profile. (QSECOFR is most often requested to run the installs, but that's usually because the developers of the install were unable to code to the level of detail needed or simply didn't take the time. QSECOFR is _guaranteed_ to have all special authorities -- they cannot be removed. I.e., requesting QSECOFR is easy.)

The new product profile would be designated as the owner of a few limited programs in the product that need the special authorities. A second product profile should be far less powerful and be in control of "normal" product activities, only calling those limited functions at critical points.

(The unpredictability of customer systems can be amazing. We have run into customers that didn't even use the QSTRUPPGM system value -- they had customized how the system started up. Another customer used a home-grown SNDMSG command that didn't allow specifying the target message queue with TOMSGQ(). A few customers automatically run their own "authority granting" procedures over product libraries and then call Support to ask why the product doesn't work.)

Nothing here to help with the question... just general comments.

Tom
bggauth (Author) commented:
I'm awaiting a reply from the session speaker.  He briefly stated that the data is in the audit journal but he couldn't recall the entry type.

More to come.
lurpdog commented:
All you really need is Query/400.

DSPOBJD userprofile objects to an outfile.

Run Query across the file to generate your reports.

Do this monthly, in various formats, and you can control your users very easily.

In other words, identify by object authority, user type (QPGMR; QUSER; SECOFR, etc.).

-Lurpdog
Gary Patterson (VP Technology / Senior Consultant) commented:
Lurpdog,

Take a look back at the original question.  

How is querying over a DSPOBJD going to help you track a user's activities, or determine when a user needed *ALLOBJ authority to perform a particular function?

- Gary
lurpdog commented:
Gary,

I agree about the tracking not being the exact answer I gave; what I was giving was an inexpensive method to monitor your users and authorities.

There are numerous products that will charge you to do this, but with a few simple Query/400 reports you can monitor your users, their activity (of course this comes from DspLog) and other environmental data for the "whatever IBM calls the AS/400 these days".

Sometimes it's a multi-tiered operation. First determine who has what authorities; reduce the authorities to the minimum required; track users who have certain special authorities.

Even having the QSECOFR password does not mean that I sign on with it, since I have another user ID that has that authority. I don't use it either, unless installs require it.

Even SECADMN is given overmuch, in my opinion, in many of the shops where I consult.

-lurpdog.
bggauth (Author) commented:
Well, it was too good to be true.  The session speaker had it completely wrong, and this is why none of us had ever heard of such a thing.
In short, what had occurred was that a consultant was taking a client from security level 20 to security level 30, so while at level 20 they took away *ALLOBJ on some users and ran a mock application to simulate what might happen at level 30.

Barry
Shalom Carmel (CTO) commented:
Not all consultants are born equal :)
bggauth (Author) commented:
There really was no solution since information originally received was inaccurate.