PowerTech Adds 'FireCall' to Authority Control Product
Published: January 3, 2006
by Alex Woodie
While it's generally a good idea to keep the number of users with ALLOBJ authority on your OS/400 system to an absolute minimum, there are certain times when the all-powerful user profile is required to accomplish a task. To this end, the PowerTech Group late last year shipped a new version of its PowerLock AuthorityBroker product that allows help desk personnel, operators, and other people to give users temporary access to special authorities, such as ALLOBJ. PowerTech calls the feature FireCall.
AuthorityBroker, which PowerTech introduced one year ago, is designed to reduce the number of users who have special authorities permanently enabled on their OS/400 user profiles, without needlessly disrupting everyday business. The first release of the product accomplished this by allowing users to swap into a "switch" profile, which temporarily gives them the special authority. In this way, users would not need any or all of the eight OS/400 special authorities in their everyday user profiles--they could just switch into them as needed.
In AuthorityBroker version 3.0, which shipped in late December, PowerTech changed how these switches could be authorized. Instead of requiring an administrator to authorize switches requested by users, people with less authority than an administrator, such as operators and help desk personnel, can now grant these temporary switches, provided they have been given the proper authority from the administrator in advance. PowerTech calls this its FireCall feature, a reference to emergency situations and putting out fires.
PowerTech has also added timeout capabilities in the new version of the product, thereby enabling system administrators to place limits on the length of time that users have temporary access to special authorities.
Version 3.0 also brings new filtering capabilities to the product, which uses OS/400 journaling to keep an audit report of all activity. New filters have been added that allow administrators to see just the commands that the user typed while he was granted special authorities, as opposed to all commands that were run during that session.
The new version also lets admins filter out certain commands that they don't want to see, and it comes with a suggested list of harmless commands that admins may want to exclude from their reports, says Brendan Patterson, PowerTech's product manager. "These features make the reports more customizable and more focused on security-related issues," he says.
The Kent, Washington, company introduced AuthorityBroker to address new restrictions on access to applications and data. While new laws, such as SOX and HIPAA, are designed to make consumers safer and companies more accountable for their actions, they have also placed new burdens on employees who work with business computer systems, and the administrators in charge of those employees and servers.
SOX and HIPAA are now mandating good security practices, but PowerTech has been beating the security drum for years. For the last two years, the company has surveyed the security practices at hundreds of OS/400 shops for its "State of iSeries Security" reports, which are available on its Web site. One of the most disturbing findings from the report for 2005 was the large number of organizations with too many user profiles with ALLOBJ authority.
According to PowerTech's survey of 181 OS/400 servers at 159 companies, there were only 7 machines with 10 or fewer user profiles that had ALLOBJ authority. PowerTech recommends that companies have 10 or fewer users with this level of "super user" authority.
In addition to ALLOBJ, AuthorityBroker puts controls in place for the seven other special authorities in OS/400, including Security Admin (SECADM), Network Services (IOSYSCFG), Audit Rights (AUDIT), Spool File Authority (SPLCTL), Hardware Administrator (SERVICE), System Operator (JOBCTL), and Backup Operator (SAVESYS).
PowerTech is currently reviewing its pricing for AuthorityBroker and was unable to provide pricing details that it felt confident would not change. When the product was first released last year, licenses were tier-based and ranged from $1,400 to $7,600. Users may find a trial version of AuthorityBroker on their OS/400 installation disks provided by IBM with i5/OS, or they can request a trial copy at PowerTech's Web site at www.powertech.com.