Cilasoft Ships Authority Manager Tool for IBM i
May 1, 2012 Alex Woodie
Organizations that are concerned about tracking the activities of IT professionals as they’re logged onto IBM i servers may want to check out the new Elevated Authority Manager (EAM) tool from Cilasoft. The software provides a rich array of options for controlling the use of powerful user profiles, such as those with QSECOFR authority, and for keeping an organization compliant with government regulations.
EAM gives organizations two ways to temporarily grant powerful authorities to IT professionals who need to work on an IBM i server. First, a user can be swapped into a different user profile that contains the necessary authority or authorities. The second method is to modify the user’s individual user profile to adopt the necessary authority or authorities.
The first approach might be preferred if multiple authorities are required or if there is a user profile already set up that meets the requirements. The second approach may be preferred if existing user profiles offer too many authorities. With either approach, EAM gives security officers the capability to control whether specific commands can be executed, and when, during the time the user is logged onto the system.
EAM ships with a pre-defined configuration. But users can also customize their authority swap and adoption rules in several ways, including by method, by duration, by commands, and by context. The rules can be applied according to source and target user profiles, including group profiles and supplemental groups. During EAM sessions, security officers can raise or lower authorities on the fly.
EAM keeps a detailed audit trail of all user activities performed with elevated authorities. The audit trail pulls user activity data from multiple locations, including job logs, system and database journals, and exit points. The software provides customizable reports that an organization can run against the EAM audit trail to help comply with industry regulations, including Sarbanes-Oxley (SOX), Payment Card Industry Data Security Standards (PCI-DSS), Health Insurance Portability and Accountability Act (HIPAA), and others.
EAM includes an authority request process that administrators or consultants can use when they need to work on the system. For quicker access, there is an emergency mode available. Event alerts keep security officers informed when users log on with elevated authority, log off, or exceed their time limit, or when their session ends unexpectedly. EAM also provides full control over commands that could trigger an unexpected cancellation of EAM sessions or the hiding of the job log.
In addition to helping comply with industry regulations, EAM allows an organization to permanently reduce the number of powerful user profiles it has on hand. For example, an administrator can still change system values without being permanently granted *SECOFR authority. An administrator needing to audit values on sensitive objects doesn’t require *AUDIT authority permanently; he can be swapped into a user profile that contains that authority, or his user profile can be temporarily modified to include it.
One early adopter of EAM is Campbell County, which is based in Gillette, Wyoming. Rocky Marquiss, a senior programmer analyst with the county government, says his office replaced another authority management product because EAM provides more functionality, control, and auditing capabilities.
“Our users were in the habit of sharing logins and passwords when they needed a different authority, but now with EAM integrated into our applications, they can swap profiles while IT tracks which user transferred authority and what that user did while the profile was in use,” Marquiss said in a Cilasoft press release. “Because of this, users now know their activity will be traced, which stops them from doing things they shouldn’t.”
The first release of EAM features a green-screen user interface, but a GUI is in the works for the next release, expected within a year, says Cilasoft president Guy Marmorat.
The software works with i5/OS V5R3 to IBM i version 7.1. The pricing is based on P-group, and starts at $3,200. For more information, see the vendor’s website at www.cilasoft.com.