× The internal search function is temporarily non-functional. The current search engine is no longer viable and we are researching alternatives.
As a stop gap measure, we are using Google's custom search engine service.
If you know of an easy to use, open source, search engine ... please contact support@midrange.com.


  1.  Home
  2. MIDRANGE-L
  3. March 2006

RE: Special authority use ... Auditing

Kenneth Graap wrote on 03/24/2006 04:27:15 PM:

> Don't you agree that it would be a great addition to i5/OS
> auditing to be able to analyze the audit journal for some kind of
> record that indicated Special Authority was being used to "gain
> access" to a function or object?

I agree that it would be useful in some cases, but possibly not as useful
as I believe that you think it would be. For example in the case of *SAVSYS
special authority a user can save an object if they have *SAVSYS or if they
have *OBJEXIST to the object being saved. I do not know which order these
authority checks are done but for this discussion I will assume that the
*SAVSYS check is done first. If that is the case and if the system were
writing a new special-authority-used audit record then you would be able to
see that the user used *SAVSYS to save an object. It would be possible for
someone to draw at least two wrong conclusions from this new audit record.

1. If someone did not want a user to save an object they might remove their
*SAVSYS special authority. Unfortunately, the user might still be able to
save the object because of the users, or their group profiles, *OBJEXIST
authority to the object.

2. On the other hand if someone were looking at this new audit record
because they wanted to remove *SAVSYS from all users that did not need it
then they might not remove it from this user because they see that the user
is using *SAVSYS. But this would not be correct for any user that has
*OBJEXIST authority to the objects they save.

Could the design of this new audit record be such that it would capture all
the reasons that someone was allowed to access a function or an object?
Possibly, but doing that would be a lot of work and would probably require
the system to do additional authority checks.  We would have to change all
the places in the system that check a special authority. My guess is that
this would be more work than the work to add the new AF-K special authority
audit record in V5R3.

Today when the system does an authority check like the one for *SAVSYS
special authority or *OBJEXIST object authority it does not do both checks
at the same time. It does one check and if the user passes that check they
are authorized. If they fail the first check then the second check is done
and if they pass that check then they are authorized. If they don't pass
either check then they are not authorized to the function and either an
AF-K (special authority failure) or an AF-A (object authority failure)
audit record is written.

Ed Fishel,
edfishel@xxxxxxxxxx

As an Amazon Associate we earn from qualifying purchases.

This thread ...
Replies:
Follow On AppleNews
Return to Archive home page | Return to MIDRANGE.COM home page

This mailing list archive is Copyright 1997-2024 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page. If you have questions about this, please contact [javascript protected email address].

Operating expenses for this site are earned using the Amazon Associate program and Google Adsense.