Kisco Systems

Kisco U

Protecting IFS with Authorization Lists


Many IBM i shops have wide open access through the IBM i NetServer, which was previously known as “Windows Network Neighborhood”. NetServer gives users access to file and print serving on their IBM i, and when it is not controlled it is a potential source of unauthorized access to your system.

Starting with IBM i OS release level 7.5, customers get another tool for controlling access via NetServer. With this change in the IBM i OS, you can use an authorization list to control who uses NetServer to access files and reports. The authorization list lets you control access to the server, and it also extends to individual shares.

One important note: if a user profile has *ALLOBJ authority, the authorization list restriction is ignored. This is yet another reason to examine your system for user profiles with excessive authority.

Here’s how this new feature in the OS works:

  • For access to the server, a user must have at least *USE authority in the authorization list. If the user does not have *USE, their access will be denied. When access is denied, a VP (Network Password Error) security audit record is written.

    Note: For clarity and maintainability, create a new authorization list for each file share being secured rather than re-using an existing authorization list.

  • For a NetServer share, the user must have *CHANGE or greater authority to be allowed full read/write access to the share. If a user has *USE authority in the authorization list, they are restricted to read-only access. As with the initial server access, if a user has less than *USE authority, a VP security audit record is posted.
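The two checks this implies, finding the profiles that bypass the list and reviewing the VP denials, can be run from an SQL session on the IBM i. This is an added example, not code from Kisco; it assumes security auditing is active with the audit journal QAUDJRN in QSYS, and it also lists members of a group profile that holds *ALLOBJ as review candidates, which is an assumption the article does not state.

```sql
-- Added example (not from the original article).

-- 1. Profiles for which the NetServer authorization list is ignored:
--    *ALLOBJ held directly, or (assumption, review these too) held by
--    the profile's primary group.
SELECT u.AUTHORIZATION_NAME,
       u.STATUS,
       u.GROUP_PROFILE_NAME,
       CASE
         WHEN u.SPECIAL_AUTHORITIES LIKE '%*ALLOBJ%' THEN 'DIRECT'
         ELSE 'VIA GROUP'
       END AS ALLOBJ_SOURCE
  FROM QSYS2.USER_INFO u
  LEFT JOIN QSYS2.USER_INFO g
         ON g.AUTHORIZATION_NAME = u.GROUP_PROFILE_NAME
 WHERE u.SPECIAL_AUTHORITIES LIKE '%*ALLOBJ%'
    OR g.SPECIAL_AUTHORITIES LIKE '%*ALLOBJ%'
 ORDER BY ALLOBJ_SOURCE, u.AUTHORIZATION_NAME;

-- 2. VP (Network Password Error) audit records from the last 7 days.
--    Audit entries use journal code T. The entry-specific fields are in
--    ENTRY_DATA; decode them with IBM's published layout for the VP
--    entry, which is not reproduced here.
SELECT j.ENTRY_TIMESTAMP,
       j.SEQUENCE_NUMBER,
       j.JOB_NAME,
       j.REMOTE_ADDRESS,
       j.ENTRY_DATA
  FROM TABLE (
         QSYS2.DISPLAY_JOURNAL(
           JOURNAL_LIBRARY        => 'QSYS',
           JOURNAL_NAME           => 'QAUDJRN',
           STARTING_RECEIVER_NAME => '*CURCHAIN',
           STARTING_TIMESTAMP     => CURRENT TIMESTAMP - 7 DAYS,
           JOURNAL_CODES          => 'T',
           JOURNAL_ENTRY_TYPES    => 'VP'
         )
       ) AS j
 ORDER BY j.ENTRY_TIMESTAMP DESC;
```

Running the first query before assigning the authorization list shows which users the restriction will not apply to.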

If you want more granular access controls, such as granting or denying access based on the objects being accessed, then you will have to look into an exit point solution like SafeNet.