


>Starting in V5R3 the system started writing AF-K audit records when the
>user did not have a required special authority. Depending on the order that
>authority checking is done by each command or API you may see an AF-K for
>not having *SAVSYS special authority or an AF-A for not having *OBJEXIST
>authority to the object.

The AF records are telling me something I'll already know because part of the 
application will be failing.

Don't you agree that it would be a great addition to i5/OS auditing to be able 
to analyze the audit journal for some kind of record that indicated Special 
Authority was being used to "gain access" to a function or object? 

For example... T / SA records could be deposited indicating that a user 
profile was allowed to be changed because the user making the change had 
*SECADM Special Authority. Or ... having a record deposited when Special 
Authority *SAVSYS allowed a user to execute the command:

                SAVLIB LIB(PAYROLL) DEV(*SAVF) SAVF(MYLIB/MYSAVFILE) STG(*FREE) 

I think it is a deficiency in the current auditing design that as a System 
Administrator I don't have a way to track who is accessing system objects and 
functions using Special Authority. We can figure out "who has" Special 
Authority quite easily, but we can't easily (if at all) tell who is using it... 

This would be a nice addition to V5R5 or would that be, V6R1 <smile>

Thanx for all your input. This is quite an interesting thread.

Kenneth

-----Original Message-----
From: midrange-l-bounces@xxxxxxxxxxxx
[mailto:midrange-l-bounces@xxxxxxxxxxxx]On Behalf Of Ed Fishel
Sent: Friday, March 24, 2006 1:41 PM
To: Midrange Systems Technical Discussion
Subject: RE: Special authority use ... Auditing





This mailing list archive is Copyright 1997-2024 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page. If you have questions about this, please contact [javascript protected email address].
