Special authorities (*ALLOBJ, *SECADM, *SPLCTL, *IOSYSCFG, *AUDIT, *JOBCTL, *SERVICE, *SAVSYS) are “super user” capabilities assigned to a user profile (the SPCAUT parameter of CRTUSRPRF and CHGUSRPRF) so that security-sensitive functions can be performed for specific purposes such as program development, system administration, or system operation. *ALLOBJ in particular bypasses object-level authority checking on every object on the system, and *SECADM allows user profiles to be created and changed. These rights are powerful and should be reserved for trusted and knowledgeable IT professionals.
Auditors check for the abuse of special authorities as part of any standard audit of the System i. Even those auditors who are not very familiar with OS/400 are aware of this issue from their work on other platforms.
In a presentation at the Gartner IT Security Summit in 2004, Ernst & Young noted that two of their top 10 concerns in audit reviews of IT systems were:
“Large number of users with access to ‘super user’ transactions in production”
“Development staff can run business transactions in production”.
Check each user with special authority. Does the job function really need that level of authority? Is every action taken under the profile audited (user action auditing set on the profile with CHGUSRAUD, with the entries written to the QAUDJRN audit journal)?
List all users with special authorities, and pay particular attention to group profiles that hold them. A profile with no special authorities assigned directly still inherits every special authority of its group profile (GRPPRF) and of its supplemental groups (SUPGRPPRF), and DSPUSRPRF on the member shows only what is assigned directly.
Use the Compliance Monitor 'Profiles with Special Authority' report to monitor all privileged user authorities.
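As an added example, not part of the original page or of the Compliance Monitor product, the following Db2 for i queries produce the same kind of listing: every profile that holds special authorities directly or inherits them through a group, whether user action auditing is switched on for it, and a headcount of *ALLOBJ holders against all profiles. It assumes the QSYS2.USER_INFO and QSYS2.GROUP_PROFILE_ENTRIES services are available on the installed release; check the column names against that release's documentation.

```sql
-- Added example, not part of the original page or of the Compliance Monitor product.
-- Assumes the Db2 for i services QSYS2.USER_INFO and QSYS2.GROUP_PROFILE_ENTRIES
-- are available on the installed release (check column names against its documentation).
-- Run from ACS Run SQL Scripts, STRSQL or RUNSQLSTM under a profile that is allowed
-- to read user profile information (*ALLOBJ or *SECADM sees every profile).
WITH direct AS (
    -- Profiles that carry special authorities on the profile itself
    SELECT authorization_name            AS profile,
           CAST('DIRECT' AS VARCHAR(16)) AS via,
           special_authorities,
           user_action_audit_level,
           status
      FROM qsys2.user_info
     WHERE special_authorities IS NOT NULL
       AND special_authorities <> '*NONE'
),
inherited AS (
    -- Members whose group (primary or supplemental) carries special authorities.
    -- DSPUSRPRF on the member shows *NONE, so these are the ones audits usually miss.
    -- A group profile cannot itself belong to a group, so one level of join is enough.
    SELECT m.user_profile_name                                   AS profile,
           CAST('GROUP ' || m.group_profile_name AS VARCHAR(16)) AS via,
           g.special_authorities,
           u.user_action_audit_level,
           u.status
      FROM qsys2.group_profile_entries m
      JOIN qsys2.user_info g ON g.authorization_name = m.group_profile_name
      JOIN qsys2.user_info u ON u.authorization_name = m.user_profile_name
     WHERE g.special_authorities IS NOT NULL
       AND g.special_authorities <> '*NONE'
),
effective AS (
    SELECT * FROM direct
    UNION ALL
    SELECT * FROM inherited
)
SELECT profile,
       via,
       special_authorities,
       status,
       -- Answers "are all actions for this profile audited?"
       CASE WHEN user_action_audit_level IS NULL
              OR user_action_audit_level = '*NONE'
            THEN 'NOT AUDITED'
            ELSE user_action_audit_level
       END AS action_audit
  FROM effective
 ORDER BY profile, via;

-- Headcount check: distinct profiles that end up with *ALLOBJ, directly or through
-- a group, against all profiles on the system. UNION removes duplicates.
SELECT COUNT(*)                               AS allobj_profiles,
       (SELECT COUNT(*) FROM qsys2.user_info) AS total_profiles
  FROM (
        SELECT authorization_name
          FROM qsys2.user_info
         WHERE special_authorities LIKE '%*ALLOBJ%'
        UNION
        SELECT m.user_profile_name
          FROM qsys2.group_profile_entries m
          JOIN qsys2.user_info g ON g.authorization_name = m.group_profile_name
         WHERE g.special_authorities LIKE '%*ALLOBJ%'
       ) AS holders (profile);
```

The VIA column tells you what to remediate: for an inherited row the fix is the group membership or the group's SPCAUT, not the member's own profile. Two caveats: a profile-level AUDLVL only produces QAUDJRN entries when the QAUDCTL system value includes *AUDLVL, so check that value alongside the ACTION_AUDIT column; and the green-screen equivalent, PRTUSRPRF TYPE(*AUTINFO) SELECT(*SPCAUT), reports directly assigned authorities only.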


The right number depends on the size of the system, but on a typical system with 500 user profiles there should be fewer than about 10 profiles with special authorities, counting those that inherit them through a group.
Verify that profiles with special authorities, and profiles with direct access to production data, actually need that access for their job function. The possibility of an emergency fix to production data is not an adequate reason for IT staff to hold this level of power continuously.
Best practices, as defined by the standards and regulations, clearly indicate that programmers, operators, and development staff should not have special authorities assigned to the profiles they use for normal business. When they need special privileges to make an emergency fix to production data, they should obtain temporary access to a profile created specifically for that purpose. All actions taken with the temporary, powerful profile should be fully recorded in secure audit journals, and management should approve every use of such a profile before the emergency access is granted.
COBIT DS5.3 - Identity Management
All users (internal, external and temporary) and their activity on IT systems (business application, system operation, development and maintenance) should be uniquely identifiable. User access rights to systems and data should be in line with defined and documented business needs and job requirements.
COBIT DS5.4 - User Account Management
Ensure that requesting, establishing, issuing, suspending, modifying and closing user accounts and related user privileges are addressed by user account management. An approval procedure outlining the data or system owner granting the access privileges should be included.
ISO 27002 (17799) 11.5.4 - Use of System Utilities
The use of utility programs that might be capable of overriding system and application controls should be restricted and tightly controlled.
ISO 27002 (17799) 11.2.2 - Privilege Management
Special privileges should be allocated to users on a need-to-use basis and on an event-by-event basis in line with the access control policy (11.1.1), i.e. the minimum requirement for their functional role, only when needed.