
Authority Failure Occurs – Using Authority Collection to Reduce Users’ Authority

When reworking your security scheme, you may miss something, or a process may run only periodically, so its access wasn’t in the collection when you first did your analysis. If it’s not obvious how much authority the failing process requires, I’d encourage you to turn back to the collection to resolve the authority failure. Yes, you can look in the audit journal for the AF entry, but that entry doesn’t tell you how much authority is required. While I encourage you to delete a profile’s Authority Collection when you make changes (such as removing the profile’s *ALLOBJ), you can still easily find the entry for the new object, and avoid confusing yourself by looking at every entry in the profile’s collection, by running the following, which selects only the Authority Collection entries where the authority check was unsuccessful.

If you did end and delete the profile’s collection, I suggest that you start the collection for the profile again and name the exact object on which you’ve seen the authority failure. Then repeat the process that caused the failure, and your analysis will be very easy.

Which Profiles Have a Collection or Are Actively Collecting?

Over time, you may lose track of which users have a collection or for which you’re actively collecting access. This SQL lists the profiles that have a collection or are actively collecting:

You can also get this list in New Nav. On the Authority Collection by User display, leave the User Profile field at the default of All (or use the dropdown to set it back) and choose Summary under the Display Authority Collection Options column.
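The two lookups described above, the failed checks for one profile and the list of profiles with a collection, as added example queries that are not the article’s own. They assume the IBM i SQL services QSYS2.AUTHORITY_COLLECTION and QSYS2.USER_INFO (IBM i 7.3 or later), and APPUSER and PAYLIB/PAYFILE are placeholder names.

```sql
-- Added example, not the article's queries. Assumes the QSYS2.AUTHORITY_COLLECTION
-- and QSYS2.USER_INFO services (IBM i 7.3 or later). APPUSER, PAYLIB and PAYFILE
-- are placeholders for the profile and object you are investigating.

-- 1. Only the unsuccessful checks for one profile: which object was touched,
--    what authority the check required, what the profile actually had, and
--    where that authority came from (private, group, adopted program, ...).
SELECT CHECK_TIMESTAMP,
       SYSTEM_OBJECT_SCHEMA,
       SYSTEM_OBJECT_NAME,
       SYSTEM_OBJECT_TYPE,
       REQUIRED_AUTHORITY,
       CURRENT_AUTHORITY,
       AUTHORITY_SOURCE,
       GROUP_NAME,
       ADOPTING_PROGRAM_NAME
  FROM QSYS2.AUTHORITY_COLLECTION
 WHERE AUTHORIZATION_NAME = 'APPUSER'
   AND AUTHORITY_CHECK_SUCCESSFUL = 'F'
 ORDER BY CHECK_TIMESTAMP DESC;

-- 2. After restarting the collection for a single object and re-running the
--    failing process: one row per distinct authority the object needed, so
--    you can grant exactly that much and no more.
SELECT SYSTEM_OBJECT_SCHEMA,
       SYSTEM_OBJECT_NAME,
       SYSTEM_OBJECT_TYPE,
       REQUIRED_AUTHORITY,
       COUNT(*) AS CHECKS
  FROM QSYS2.AUTHORITY_COLLECTION
 WHERE AUTHORIZATION_NAME = 'APPUSER'
   AND SYSTEM_OBJECT_SCHEMA = 'PAYLIB'
   AND SYSTEM_OBJECT_NAME = 'PAYFILE'
   AND AUTHORITY_CHECK_SUCCESSFUL = 'F'
 GROUP BY SYSTEM_OBJECT_SCHEMA, SYSTEM_OBJECT_NAME,
          SYSTEM_OBJECT_TYPE, REQUIRED_AUTHORITY;

-- 3. Which profiles still have a collection repository, and which are
--    actively collecting right now (the same list New Nav shows in Summary).
SELECT AUTHORIZATION_NAME,
       AUTHORITY_COLLECTION_ACTIVE,
       AUTHORITY_COLLECTION_REPOSITORY_EXISTS
  FROM QSYS2.USER_INFO
 WHERE AUTHORITY_COLLECTION_ACTIVE = 'YES'
    OR AUTHORITY_COLLECTION_REPOSITORY_EXISTS = 'YES'
 ORDER BY AUTHORIZATION_NAME;
```

Run the third query periodically: a profile left collecting indefinitely keeps growing its repository, and a forgotten repository from before an *ALLOBJ change will muddle the next analysis.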

Final Guidance

Authority Collection is the best security feature IBM has added to IBM i since auditing back in V2R3. It may be overwhelming at first, but it takes the guesswork out of reducing a user’s authority. So stick with it and remember this: If the information you’re looking at doesn’t make sense, it’s likely that you’ve included too much information (such as operating system adopted authority). If you’re looking at all of the fields in the collection and it’s overwhelming, try eliminating those that just don’t make sense to you. Or perhaps you haven’t included enough fields. Maybe you haven’t included the source of the authority and it’s a group that you didn’t realize the user was a member of. So if you’ve severely limited which fields you’re examining, try looking at all of them to see if the bigger picture makes more sense. The information you need is there, but you may have to take a couple of tries to look at it in just the right way.
