Raz-Lee Tackles Excessive Authorities with Free Software
April 26, 2017 Alex Woodie
You can’t do anything on IBM i without the proper authority. Unfortunately, instead of using the tools IBM includes in the OS to set fine-grained policies, most IBM i shops run wide-open when it comes to user authorities. Now Raz-Lee Security hopes reign in this free-for-all with a free tool it just released.
For a glimpse at how bad the use of authorities in IBM i has gotten, check out our coverage of a recent security study of the IBM i marketplace. It’s no secret that there’s widespread abuse of special authorities, such as ALLOBJ and SECADM, among the majority of IBM i shops. Many user profiles and even group profiles run with these special authorities baked into them because it’s easier that way (if less secure).
While abuse of special authorities arguably gets more press, a more widespread problem may be the misuse of authorities when it comes to object security.
IBM empowers administrators to set access authority levels on public objects, including the data and programs used by common applications. About nine in 10 IBM i shops run with this public authority level set in a way that basically allows any user with a valid ID and password to access any piece of data in a given library, according to the previously mentioned study.
IBM responded to this sad state of object-level security with a new capability in IBM i OS version 7.3 called “authority collection.” This capability essentially identifies which users have access to what data and determines what level of access they have and what level of access they should have.
Unfortunately, getting useful information out of the authority collection is easier said than done. Without the capability to write complex SQL queries, most IBM i users will be out of luck when it comes to understanding the authority data collected.
That’s where Raz-Lee Security hopes to make an impact with Authority Inspector, a new solution designed to help IBM i professionals better understand the information collected by the authority collection facility.
According to Raz-Lee, Authority Inspector simplifies the information by presenting a summary of the authority collection data in easy-to-read tables and graphs. The software, which runs on a PC, replaces encoded field values with meaningful titles to further aid in understanding.
Authority Inspector helps users create filters by selecting values directly from the screen, which further reduces the amount of data presented. Users can also export the data to Excel with a single click.
Raz-Lee CEO Shmuel Zailer says the company decided to make this solution free as a way to pay back the community that has made the company so successful. “Raz-Lee has decided to give all customers its Authority Inspector product for free, with no license or maintenance charges, during 2017,” he says in a press release. “Simply visit our booth at COMMMON in Orlando or in Brussels, get the free code and download the product from our website and enjoy.”
The New York-based company shared several other pieces of product news ahead of the COMMON Annual Meeting and Exposition, which is slated for May 7-10 in Orlando, Florida. The focus is on several new features in Raz-Lee’s iSecurity suite, including:
- Better SIEM integration, including support for transforming IBM i log data into the specific formats preferred by IBM QRadar, HPE ArcSight, and Splunk;
- A new report generator and scheduler that can incorporate any user or system command and spool file output as a report;
- New real-time action alerts;
- Compression of screenshots captured as part of monitoring to save disk space;
- New restrictions to prevent reports from being emailed to specific addresses or domains.
Raz-Lee will be exhibiting in booth 418 in the COMMON expo.