All Object (*ALLOBJ) Special Authority
All-object (*ALLOBJ) special authority allows the user to access any resource on the system whether or not private authority exists for the user. Even if the user has *EXCLUDE authority to an object, *ALLOBJ special authority allows the user to access the object.
Risks: *ALLOBJ special authority gives the user extensive authority over all resources on the system. The user can view, change, or delete any object. The user can also grant to other users the authority to use objects.
A user with *ALLOBJ authority cannot directly perform operations that require another special authority. For example, *ALLOBJ special authority does not allow a user to create another user profile, because creating user profiles requires *SECADM special authority. However, a user with *ALLOBJ special authority can submit a batch job to run using a profile that has the needed special authority. Giving *ALLOBJ special authority essentially gives a user access to all functions on the system.
Security Administrator (*SECADM) Special Authority
Security administrator (*SECADM) special authority allows a user to create, change, and delete user profiles.
In addition, *SECADM special authority gives the user comprehensive authority to manage IBM® OfficeVision®/400 objects and users. A user with *SECADM special authority can:
o Add users to the system distribution directory. This includes the right to create and change user profiles for OfficeVision®/400 users.
o Display authority for documents or folders.
o Add and remove access codes to the system.
o Give and remove a user's access code authority.
o Give and remove permission for users to work on another user's behalf.
o Delete documents and folders.
o Delete document lists.
o Change distribution lists created by other users.
Only a user with *SECADM and *ALLOBJ special authority can give *SECADM special authority to another user.
Job Control (*JOBCTL) Special Authority
Job control (*JOBCTL) special authority allows the user to:
o Change, delete, hold, and release all files on any output queues specified as OPRCTL(*YES).
o Display, send, and copy all files on any output queues specified as DSPDTA(*YES or *NO) and OPRCTL(*YES).
o Hold, release, and clear job queues specified as OPRCTL(*YES).
o Hold, release, and clear output queues specified as OPRCTL(*YES).
o Hold, release, change, and cancel other users' jobs.
o Start writers, if the output queue is specified as OPRCTL(*YES).
o Change the running attributes of a job, such as the printer for a job.
o Stop subsystems.
o Perform an initial program load (IPL).
Spool Control (*SPLCTL) Special Authority
Spool control (*SPLCTL) special authority allows the user to perform all spool control functions, such as changing, deleting, displaying, holding, and releasing spooled files. The user can perform these functions on all output queues, regardless of any authorities for the output queue or the OPRCTL parameter for the output queue.
*SPLCTL special authority also allows the user to manage jobs on job queues, including canceling the jobs and changing their priorities. The user can perform these functions on all job queues, regardless of any authorities for the job queue or the OPRCTL parameter for the job queue.
Risks: The user with *SPLCTL special authority can perform any operation on any spooled file in the system. Confidential spooled files cannot be protected from a user with *SPLCTL special authority. The user with *SPLCTL special authority can also control jobs waiting in job queues. The user could run jobs out of sequence or cancel jobs that update critical files.
Save System (*SAVSYS) Special Authority
Save system (*SAVSYS) special authority gives the user the authority to save, restore, and free storage for all objects on the system, whether or not the user has object existence authority to the objects.
Risks: The user with *SAVSYS special authority can:
o Save an object and take it to another system to be restored.
o Save an object and display the tape to view the data.
o Save an object and free storage, thus deleting the data portion of the object.
o Save a document and delete it.
Service (*SERVICE) Special Authority
Service (*SERVICE) special authority allows the user to start system service tools using the STRSST command. This allows the user to debug a program with only *USE authority to the program and to perform the display and alter service functions. The dump function can be performed without *SERVICE authority.
Caution: A user with *SERVICE special authority can display and change confidential information using service functions.
Audit (*AUDIT) Special Authority
Audit (*AUDIT) special authority gives the user the ability to change auditing characteristics. The user can:
o Change the system values that control auditing.
o Use the CHGOBJAUD and CHGDLOAUD commands to change auditing for objects.
o Use the CHGUSRAUD command to change auditing for a user.
Risks: A user with *AUDIT special authority can stop and start auditing on the system or prevent auditing of particular actions. If having an audit record of security-relevant events is important for your system, carefully control and monitor the use of *AUDIT special authority.
System Configuration (*IOSYSCFG) Special Authority
System configuration (*IOSYSCFG) special authority gives the user the ability to change how the system is configured, such as adding or removing communications configuration information. Most new commands for configuring communications, such as TCP/IP commands and OSI commands, require *IOSYSCFG special authority. In most cases, existing communications commands have not been changed to require *IOSYSCFG special authority. Appendix D of the Work Management Guide shows what special authorities are required for specific commands.
Recommendations for Special Authorities: Giving special authorities to users represents a security exposure. For each user, carefully evaluate the need for any special authorities. Keep track of which users have special authorities and periodically review their requirement for the authority. In addition, control if user profiles with special authorities can be used to submit jobs and if programs run using their authority (adopted authority).
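As an added example (not part of the IBM manual), a small Python review script for the recommendation above: it reads an exported profile list, records which special authorities each profile holds, counts *ALLOBJ as effectively all of them for the reason given under *ALLOBJ, and flags which profiles can grant *SECADM (those holding both *SECADM and *ALLOBJ). The CSV column names and the sample profiles are constructed assumptions.

```python
"""Review which IBM i user profiles hold special authorities (added example).
Column names AUTHORIZATION_NAME / SPECIAL_AUTHORITIES are assumed; the field is the
space-separated *XXX list (or *NONE) that DSPUSRPRF OUTPUT(*OUTFILE) or QSYS2.USER_INFO report."""
import csv

SPECIAL_AUTHORITIES = frozenset({"*ALLOBJ", "*SECADM", "*JOBCTL", "*SPLCTL",
                                 "*SAVSYS", "*SERVICE", "*AUDIT", "*IOSYSCFG"})

# Constructed sample export; profile names are made up.
SAMPLE_EXPORT = """\
AUTHORIZATION_NAME,SPECIAL_AUTHORITIES
SECADMIN,*ALLOBJ   *SECADM   *JOBCTL   *SPLCTL   *SAVSYS   *SERVICE   *AUDIT   *IOSYSCFG
OPER1,*JOBCTL   *SPLCTL
AUDITOR,*AUDIT
HELPDESK,*SECADM
CLERK1,*NONE
DEVUSER,
"""

def parse_special_authorities(field):
    """Turn the exported field into a set; *NONE or blanks mean no special authority."""
    tokens = field.split()
    if not tokens or tokens == ["*NONE"]:
        return set()
    unknown = set(tokens) - SPECIAL_AUTHORITIES
    if unknown:
        raise ValueError("unrecognised special authority value(s): %s" % sorted(unknown))
    return set(tokens)

def effective_authorities(held):
    """*ALLOBJ cannot directly exercise the other special authorities, but its holder
    can submit a batch job under a profile that has them, so count it as all of them."""
    return set(SPECIAL_AUTHORITIES) if "*ALLOBJ" in held else set(held)

def review(export_text):
    """One finding per profile holding any special authority, most powerful first."""
    findings = []
    for row in csv.DictReader(export_text.splitlines()):
        held = parse_special_authorities(row["SPECIAL_AUTHORITIES"])
        if not held:
            continue
        findings.append({
            "profile": row["AUTHORIZATION_NAME"],
            "held": sorted(held),
            "effective": sorted(effective_authorities(held)),
            # Only a holder of both *SECADM and *ALLOBJ can grant *SECADM to others.
            "can_grant_secadm": {"*SECADM", "*ALLOBJ"} <= held,
        })
    findings.sort(key=lambda f: (-len(f["effective"]), f["profile"]))
    return findings
```

Run `review()` over a fresh export each review cycle and diff the result against the previous one to see which profiles gained or lost a special authority.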