IBM i Security and Vulnerabilities User Group

Welcome to IBM i Security and Innovation

Join this online user group to communicate with IBM i Security product users and IBM experts, share advice and best practices with peers, and stay up to date on product enhancements. This group focuses on IBM i security and the ongoing enhancements to the platform. From time to time, many new features are released for the platform.

As a member of this online user community, you gain:

  • Direct engagement with IBM subject matter experts
  • Tips and tricks from your industry peers
  • News, announcements, and enhancement details

  • 1.  Enhancement idea for Authority Collection

    Posted 22 days ago

    Hi all!  I'm curious about your thoughts on this "IBM Idea" (and obviously I'm hoping you'll give it a "thumbs up" if you think it's a good one).

    Here's a link to the IBM Idea that I'm talking about here

    When working on security remediation projects, authority collection is an invaluable tool.  In my opinion there is a weakness in this tool.  When an authority check happens on a *FILE object, many details about the object and the authority check are captured, including the library, object name, and object type.  However, it doesn't capture the object attribute, which would allow us to distinguish between PFs, LFs, SAVFs, DSPFs, etc.  We can of course check the object attribute directly using WRKOBJ or OBJECT_STATISTICS, but this involves an extra step reaching outside of the authority collection repository.  If the object attribute were captured in the authority collection data, it would be extremely helpful.

    Any thoughts to share?  If you think this would be a good enhancement, please give it an upvote on the Ideas portal.

    Currently, this is how I'd pull in the object attribute for *FILE objects when needed for a remediation analysis:

    WITH files AS (
            SELECT DISTINCT system_object_schema,
                            system_object_name,
                            system_object_type
                FROM qsys2.authority_collection
                WHERE authorization_name = 'SOMEUSER'
                      AND object_schema = 'SOMELIB'
                      AND system_object_type = '*FILE' )
        SELECT * FROM files,
                 LATERAL ( SELECT objattribute
                               FROM TABLE ( qsys2.object_statistics(
                                                object_schema => files.system_object_schema,
                                                object_name   => files.system_object_name,
                                                objtypelist   => files.system_object_type) ) );

    ------------------------------
    Steven Riedmueller
    Certified IBM i Admin
    Speaker, Mentor, and Advocate
    ------------------------------


  • 2.  RE: Enhancement idea for Authority Collection

    Posted 21 days ago

    Excellent idea, Steven, you have my vote!



    ------------------------------
    Marius le Roux theIBMiGuy
    Owner, IBM i Consultant & Technology Strategist
    MLR Consulting
    Port Alfred
    ------------------------------