Group Profiles

Group profiles are an efficient method of managing security for large numbers of employees who perform similar job functions. Historically, System i applications have used group profiles to give end users access to an application, and in unchecked cases have given end users ownership of all application objects. While an application runs, a member of a group profile inherits all of the group's regular authority as well as the group's special authority.

If a group has a special authority like *ALLOBJ, then every member of that group also gets *ALLOBJ through their membership in the group.

In applications where the group profile also owns the application, the effect is to extend ownership rights to every member of the group. For this reason it is important that group authority be tightly scoped and granted sparingly.

Group Authority

Compliance Monitor addresses the monitoring of group authority with the following three reports:

Group Profiles

Group Profile Membership

Group Profiles with Special Authority

Group Profiles

Group profiles are listed in the column on the left. Check that each one shows an "X" in the no-password column, since group profiles should not be used to sign on to the system.

PowerTech Recommendations

Use the Compliance Monitor 'Group Profiles', 'Group Profiles Membership', and 'Group Profiles with Special Authority' reports to audit all group profiles.

Group Profiles Report

Group Profile Membership

This Compliance Monitor report lists all group profiles and their member profiles (the profiles that use the group). The primary purpose of this report is to show which profiles use which group.

Example: if a user/member profile belongs to more than one group, it appears on more than one row of the report (for instance, a profile in two groups is displayed on two rows of the Group Profile Membership report). See below.

Group Profile Membership Report

Effective Special Authority

Effective Special Authority is a unique feature of Compliance Monitor. In addition to reporting the special authority assigned directly to a user, the product also traces the profile's membership in groups to see whether the user has inherited any special authorities through those groups. In the example below, ALLOBJ Eff, SECADM Eff and AUDIT Eff are shown.
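The inheritance rule described at the top of this page (group authority flows to every member), the no-password check on the Group Profiles report, the one-row-per-membership layout of the Group Profile Membership report and the effective special authority trace above can all be reproduced with a short script. The Python below is an added example written for this page; it is not Compliance Monitor code and it runs on a constructed set of profiles rather than live system data. The *ALLOBJ, *SECADM, *AUDIT and similar values are real IBM i special authority names; the profile names and the authorities assigned to them are made up, and the note that such data would come from DSPUSRPRF output or the QSYS2.USER_INFO view describes how one would feed the script, not anything the page states.

```python
from dataclasses import dataclass
from typing import FrozenSet, Optional, Tuple

# IBM i special authority values (real names); the order matches a typical report.
SPECIAL_AUTHORITIES = ("*ALLOBJ", "*SECADM", "*AUDIT", "*JOBCTL",
                       "*SAVSYS", "*SERVICE", "*SPLCTL", "*IOSYSCFG")


@dataclass(frozen=True)
class Profile:
    name: str
    special_auth: FrozenSet[str]           # SPCAUT assigned directly to this profile
    group: Optional[str] = None            # primary group profile (GRPPRF)
    supplemental: Tuple[str, ...] = ()     # supplemental groups (SUPGRPPRF)
    has_password: bool = True              # False means PASSWORD(*NONE)


# Constructed sample data: hypothetical profile names and authorities, not taken
# from any real system. On a live system these fields would be read from
# DSPUSRPRF output or the QSYS2.USER_INFO view (an assumption about the feed).
PROFILES = {
    "APPGRP": Profile("APPGRP", frozenset({"*ALLOBJ"}), has_password=False),
    "OPSGRP": Profile("OPSGRP", frozenset({"*AUDIT"}), has_password=True),  # group that can sign on: a finding
    "QPGMR2": Profile("QPGMR2", frozenset({"*SECADM"}), group="APPGRP"),
    "JSMITH": Profile("JSMITH", frozenset(), group="APPGRP", supplemental=("OPSGRP",)),
    "MJONES": Profile("MJONES", frozenset({"*JOBCTL"})),
}


def groups_of(p: Profile) -> Tuple[str, ...]:
    """Primary group first, then supplemental groups; empty for a profile with no group."""
    return tuple(g for g in (p.group,) + p.supplemental if g)


def group_profiles(profiles):
    """Every profile that some other profile names as a group (the 'Group Profiles' report)."""
    return sorted({g for p in profiles.values() for g in groups_of(p)})


def group_password_findings(profiles):
    """Group profiles that still have a password, i.e. could be used to sign on."""
    return [g for g in group_profiles(profiles) if profiles[g].has_password]


def membership_rows(profiles):
    """(group, member) pairs: a member of two groups appears on two rows,
    exactly as in the Group Profile Membership report."""
    return sorted((g, p.name) for p in profiles.values() for g in groups_of(p))


def effective_special_auth(profiles, name):
    """Directly assigned special authorities plus those of every group the profile
    belongs to. One level is enough: an IBM i group profile cannot itself have a group."""
    p = profiles[name]
    effective = set(p.special_auth)
    for g in groups_of(p):
        effective |= profiles[g].special_auth
    return frozenset(effective)


def special_auth_report(profiles):
    """Rows like 'Profiles with Special Authorities': assigned, effective and
    inherited authorities, plus an 'Eff' flag per special authority."""
    rows = []
    for name, p in profiles.items():
        eff = effective_special_auth(profiles, name)
        rows.append({
            "profile": name,
            "assigned": sorted(p.special_auth),
            "effective": sorted(eff),
            "inherited": sorted(eff - p.special_auth),
            "flags": {s: ("X" if s in eff else "") for s in SPECIAL_AUTHORITIES},
        })
    return rows


if __name__ == "__main__":
    print("Group profiles with a password:", group_password_findings(PROFILES))
    for g, m in membership_rows(PROFILES):
        print(f"{g:<10} {m}")
    for row in special_auth_report(PROFILES):
        flags = " ".join(f"{s[1:]} Eff={row['flags'][s] or '-'}"
                         for s in ("*ALLOBJ", "*SECADM", "*AUDIT"))
        print(f"{row['profile']:<10} inherited={row['inherited']} {flags}")
```

The interesting rows are JSMITH, who has no special authority assigned directly yet is effectively *ALLOBJ and *AUDIT through APPGRP and OPSGRP, and OPSGRP, which is flagged because a group profile with a password can be used to sign on.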

Profiles with Special Authorities Report

Relevant Standards:

COBIT DS5.3 - Identity Management

All users (internal, external and temporary) and their activity on IT systems (business application, system operation, development and maintenance) should be uniquely identifiable. User access rights to systems and data should be in line with defined and documented business needs and job requirements.

COBIT DS5.4 - User Account Management

Ensure that requesting, establishing, issuing, suspending, modifying and closing user accounts and related user privileges are addressed by user account management. An approval procedure outlining the data or system owner granting the access privileges should be included.

COBIT DS5.5 - Security Testing, Surveillance and Monitoring

Ensure that IT security implementation is tested and monitored proactively. IT security should be reaccredited periodically to ensure the approved security level is maintained. A logging and monitoring function enables the early detection of unusual or abnormal activities that may need to be addressed.