    Clearing Up IBM i Security Confusion

    December 9, 2015 Alex Woodie

    IBM i is a mature operating system that gives enterprises several ways to accomplish tasks. But sometimes this richness can generate confusion over the best way to accomplish something. For example, when should you use adopted authority in your applications, and when should you use user profile swapping? IBM i security expert Carol Woodbury recently addressed some of these questions.

    “I will often get questions about things like adopted authority or swapping profiles, and what’s the difference or are they the same,” Woodbury, the former OS/400 security architect at IBM, said in a recent “Coffee with Carol” Webinar hosted by her new employer, HelpSystems. The SkyView partner also routinely gets questions about what order the system uses to perform authority checks and how to secure spool files. “So I thought I’d put a presentation together that addresses some of the more confusing topics.”

    The differences between adopted authority and user profile swapping would appear to be one of the most confusing topics for IBM i pros. That shouldn’t be surprising, considering the two techniques deliver a similar end goal. But the manner in which they work, and some of the impacts they have on other parts of the system, are substantially different.

    Adopted Authority

    Adopted authority can be useful when a user doesn’t have the authorities necessary to run a program or a chain of programs, but needs to run them nonetheless. By default, IBM i runs each program with the authority of the user who is running it; about 95 percent of IBM i programs are configured to adopt the authority of *USER, Woodbury says.

    “Adopted authority . . . is something that is used to temporarily give authority to someone else, and the means by which that is done is through a program attribute,” Woodbury explains. “When a program . . . has been configured to adopt authority, while that program is running, the user has not just their own authority available to them, but also the authority of the owner of the program.”

    But by setting the adopt authority attribute of that program to *OWNER, that program, and any subsequent programs that are tied to it, can run even if the user lacks the necessary authorities, as long as the application owner profile has them. “I may not have authority but if the application owner profile does, then I get access to the file,” Woodbury says. “So that’s how that works.”

    Profile Swapping

    IBM i’s user profile swapping feature can deliver a similar end result: a user with minimal authorities in his or her user profile can nonetheless run a program that requires higher authority levels. However, it achieves that result in a very different way.

    “It is actually profile-based. It’s not program-based at all, so the profile under which the program is running has changed,” Woodbury says. When a user swaps into a more powerful user profile to run a job or a program, he effectively “becomes” that more powerful user, and almost everything he does on the system, he does as that user. He inherits all the special authorities, group profiles, and audit settings.

    There’s one caveat to how user profile swapping works. “The only thing about the profile swap that can be kind of confusing is that the job name never changes,” Woodbury says. “So even though the job is running under ‘John,’ the job name will still reflect my profile name. That’s kind of the odd thing there.”

    That can have an impact when trying to track down user activity in the audit journal. The audit journal can be quite confusing as it is. But if the administrator or auditor is trying to track down exactly who kicked off a job (as opposed to the person whose user profile was used to kick it off), knowing how user profile swapping works can help point them in the right direction.

    “When you’re looking in the audit journal, you have to make sure you know which one you want to look at,” Woodbury says. “Do you want to look at the original user that started the job, or look at the current user? If you’re running a query or a SQL statement over your audit journal entry, you want to make sure you pick the right field.”
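    As an added example (not from the article or the webinar), here are the two user fields Woodbury refers to, queried from an audit journal outfile. It assumes QAUDJRN was dumped with DSPJRN to an outfile QGPL/AUDOUT in the *TYPE5 layout, whose JOUSER and JOUSPF fields carry the job user and the current user respectively; the profile names CAROL and JOHN are placeholders.

```sql
-- Added example, not from the article. Assumed setup:
--   DSPJRN JRN(QSYS/QAUDJRN) OUTPUT(*OUTFILE) OUTFILFMT(*TYPE5)
--          OUTFILE(QGPL/AUDOUT)
-- Assumed field names in that outfile layout:
--   JOUSER  user name in the qualified job name (who started the job;
--           unchanged by a profile swap, as the webinar notes)
--   JOUSPF  current user profile when the entry was written (the
--           swapped-to profile while a swap is in effect)
--   JOTSTP  entry timestamp, JOENTT entry type, JOJOB/JONBR job name/number

-- 1. Entries written while a profile swap was in effect: the two users
--    differ. Adopted authority never changes JOUSPF, so it does not show
--    up here; only swaps do.
SELECT JOTSTP, JOENTT, JOJOB, JOUSER, JONBR, JOUSPF
  FROM QGPL.AUDOUT
 WHERE JOUSPF <> JOUSER
 ORDER BY JOTSTP;

-- 2. "Who kicked off the job": everything the person CAROL did,
--    whichever profile she swapped into. Key on the job user.
SELECT JOTSTP, JOENTT, JOJOB, JONBR, JOUSPF AS RAN_AS
  FROM QGPL.AUDOUT
 WHERE JOUSER = 'CAROL'
 ORDER BY JOTSTP;

-- 3. "Whose profile was used": everything done under the powerful
--    profile JOHN, including by people who swapped into it. Key on the
--    current user and show who was really behind each entry.
SELECT JOTSTP, JOENTT, JOJOB, JOUSER AS STARTED_BY, JONBR
  FROM QGPL.AUDOUT
 WHERE JOUSPF = 'JOHN'
 ORDER BY JOTSTP;
```

    Picking JOUSPF when you meant JOUSER (or vice versa) is exactly the mix-up the quote above warns about: the first answers "as whom", the second "by whom".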

    Key Differences

    One difference already noted is that with adopted authority neither the job name nor the user the job runs under changes, whereas a profile swap changes the user the job runs under (though not the job name). But there are other differences that are worth knowing about:

    • Group authority: “In adopted authority, the program owner’s group authorities are not available to the process. But in a profile swap, the profiles of the group are also swapped in,” Woodbury says.
    • IFS: You generally can’t access the IFS using adopted authority, but you may access it with profile swapping.
    • Spool files: “One thing that can be tricky in a profile swap is that the profile spool files are owned by the swap-to user. So if you elevate privileges . . . and generate a spool file, that swapped-to user is going to be the one that owns the spool file.” In adopted authority, the spool files remain with the current user.
    • Limited capabilities: In adopted authority, any limitations assigned to the *OWNER of the program are not enforced, whereas limited authorities are enforced in profile swapping. “That’s quite powerful,” Woodbury says.

    Too Cool for Spool

    Helping IBM i shops give their users access to spool file reports, without giving them keys to the kingdom, also occupies a good chunk of Woodbury’s time.

    “What I find in our customers is that customers need spool control typically because one person needs to create a report and 10 others need to see it,” she says. “By default, when you create a report, only the user that created it can see the report.”

    One workaround is to give everybody SPLCTL authority, but that gives everybody full access to all spool files on the server, regardless of any protections placed on the output queue itself. Instead, Woodbury encourages clients to use the Data Display (DSPDTA) attributes to grant users limited access to spool files created by others.
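    An added example, not from the article, of checking and applying the two options it describes with SQL. It assumes the QSYS2.USER_INFO and QSYS2.OUTPUT_QUEUE_INFO services (column names as on recent releases; verify on yours), and a constructed output queue QGPL/REPORTS with a reader group profile REPORTGRP.

```sql
-- Added example, not from the article or the webinar. QSYS2.USER_INFO,
-- QSYS2.OUTPUT_QUEUE_INFO and QSYS2.QCMDEXC are assumed to be available;
-- QGPL/REPORTS and REPORTGRP are constructed names.

-- The "keys to the kingdom" check: every profile holding *SPLCTL, which
-- overrides whatever protection the output queue itself carries.
SELECT AUTHORIZATION_NAME, STATUS, SPECIAL_AUTHORITIES
  FROM QSYS2.USER_INFO
 WHERE SPECIAL_AUTHORITIES LIKE '%*SPLCTL%'
 ORDER BY AUTHORIZATION_NAME;

-- The per-queue alternative: the DSPDTA attribute of each output queue.
-- DSPDTA(*YES) lets any user with *USE authority to the queue view every
-- file on it; DSPDTA(*NO) limits users to their own files; DSPDTA(*OWNER)
-- limits viewing to the file owner (and *SPLCTL holders).
SELECT OUTPUT_QUEUE_LIBRARY_NAME, OUTPUT_QUEUE_NAME,
       DISPLAY_ANY_FILE, AUTHORITY_TO_CHECK, OPERATOR_CONTROLLED
  FROM QSYS2.OUTPUT_QUEUE_INFO
 ORDER BY OUTPUT_QUEUE_LIBRARY_NAME, OUTPUT_QUEUE_NAME;

-- "One person creates the report, ten need to see it", done without
-- *SPLCTL: a dedicated queue that shows any file to users who hold *USE
-- on that queue, and only the reader group gets *USE.
CALL QSYS2.QCMDEXC('CHGOUTQ OUTQ(QGPL/REPORTS) DSPDTA(*YES)');
CALL QSYS2.QCMDEXC('GRTOBJAUT OBJ(QGPL/REPORTS) OBJTYPE(*OUTQ) USER(*PUBLIC) AUT(*EXCLUDE)');
CALL QSYS2.QCMDEXC('GRTOBJAUT OBJ(QGPL/REPORTS) OBJTYPE(*OUTQ) USER(REPORTGRP) AUT(*USE)');
```

    Reports that must stay private still go on a queue with DSPDTA(*NO) or DSPDTA(*OWNER); the access is decided per queue rather than per user.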

    Woodbury had some other great tips on how to conceal stuff from users in iSeries Navigator and Navigator for i. To see those, check out a recording of her presentation here.

Volume 25, Number 62 -- December 9, 2015