![Page 1: Authority on Demand Control Authority Rights & Emergency Access](https://reader035.vdocuments.us/reader035/viewer/2022062423/56649ca15503460f949602cf/html5/thumbnails/1.jpg)
Authority on Demand
Control Authority Rights & Emergency Access
![Page 2: Authority on Demand Control Authority Rights & Emergency Access](https://reader035.vdocuments.us/reader035/viewer/2022062423/56649ca15503460f949602cf/html5/thumbnails/2.jpg)
The Challenge
• System i sites define users’ security levels and allocate security rights corresponding to the different job responsibilities in the organization.
• Emergency access to critical application data and processes is a potentially serious security breach which is often uncovered in System i audits.
• Manual approaches to this problem are not only error-prone, but also do not comply with regulations and auditors’ often stringent security requirements.
![Page 3: Authority on Demand Control Authority Rights & Emergency Access](https://reader035.vdocuments.us/reader035/viewer/2022062423/56649ca15503460f949602cf/html5/thumbnails/3.jpg)
Authority on Demand: Workflow

1. Definition Stage - an authorized System Administrator defines sets of emergency rules
• Define Emer. Rules: “Production”, “Salary”, “Weekend”
• Rules Details: ADD/SWAP Auth., Rule Description
• Notification rules: E-mail, SYSLOG, MSGQ
• Rule Conditions: Date/Time, Time Group, IP Address, Pin Code
• Define Potential Providers: QSECOFR, SECADMIN

2. Emergency Stage - Requester asks for “Production” authority
• Must provide reason
• Enter Pin Code (optional)
• Specify Authority Provider

3. Auditing Stage - by Sysadmin or Auditor
• Display/Print AOD & Audit (QAUDJRN) logs by time frame, Provider, or Requester

Get Auth.
Release Auth.
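A minimal model of the workflow on this slide, written as an added example; it is not Raz-Lee's code and does not reflect how AOD is implemented. It evaluates a request against a rule's conditions (time group, IP address, optional PIN, mandatory reason, allowed provider) and writes an audit record for both rejected and granted requests. The field names, sample rule, PIN, and IP range are constructed assumptions.

```python
import hmac
from dataclasses import dataclass
from datetime import datetime, time
from ipaddress import ip_address, ip_network
from typing import Optional

@dataclass
class Rule:                      # hypothetical model of one emergency rule
    name: str                    # e.g. "Production"
    requester: str               # user allowed to invoke the rule
    providers: frozenset         # profiles that may lend authority
    mode: str                    # "ADD" or "SWAP"
    window: tuple                # (start, end) time of day; may wrap past midnight
    network: str                 # allowed source network (CIDR)
    pin: Optional[str] = None    # optional PIN

def in_window(now, start, end):
    """True if now is inside [start, end), handling windows that cross midnight."""
    return start <= now < end if start <= end else (now >= start or now < end)

def evaluate(rule, req, audit):
    """Decide one request; append an audit record whether granted or rejected."""
    checks = [
        (req["requester"] == rule.requester, "requester not covered by rule"),
        (req["provider"] in rule.providers, "provider not allowed"),
        (bool(req.get("reason", "").strip()), "reason missing"),
        (in_window(req["when"].time(), *rule.window), "outside allowed time group"),
        (ip_address(req["ip"]) in ip_network(rule.network), "source IP not allowed"),
        (rule.pin is None or hmac.compare_digest(rule.pin, req.get("pin") or ""),
         "PIN mismatch"),
    ]
    outcome = next((msg for ok, msg in checks if not ok), "granted")
    audit.append({"when": req["when"].isoformat(), "rule": rule.name,
                  "requester": req["requester"], "provider": req["provider"],
                  "mode": rule.mode, "ip": req["ip"],
                  "reason": req.get("reason", ""), "outcome": outcome})  # PIN never logged
    return outcome == "granted"

def demo():
    """Constructed data: rejected during work hours, granted after the window changes."""
    audit = []
    rule = Rule("Production", "ELI", frozenset({"QSECOFR", "SECADMIN"}), "SWAP",
                (time(18, 0), time(8, 0)), "10.0.0.0/8", pin="4711")
    req = {"requester": "ELI", "provider": "QSECOFR", "reason": "month-end job failed",
           "when": datetime(2024, 3, 5, 14, 0), "ip": "10.1.2.3", "pin": "4711"}
    first = evaluate(rule, req, audit)
    rule.window = (time(13, 0), time(8, 0))   # time group redefined (constructed values)
    second = evaluate(rule, req, audit)
    return first, second, audit

if __name__ == "__main__":
    print(demo())
```

Rejections are audited with the same fields as grants, so a reviewer can see denied attempts as well as successful elevations.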
![Page 4: Authority on Demand Control Authority Rights & Emergency Access](https://reader035.vdocuments.us/reader035/viewer/2022062423/56649ca15503460f949602cf/html5/thumbnails/4.jpg)
AOD Features
• ADD and SWAP Security Levels (feature unique to AOD) – can ADD additional security rights to current user profile or grant a new security authority level.
• Authority Transfer On-Demand Rules & Providers - pre-define special authority "providers" and authority transfer rules.
• Safe Recovery from Emergency – recover from emergency situations with minimum risk of human error and maximum reporting of activities while running with higher special authority.
• Full Monitoring Capabilities - logs and monitors all relevant activities, and sends audit reports and real-time e-mail alerts when higher authority rights are provided.
• Simple, Controlled Access – only authorized users can grant authority or access critical data and processes; incorporates easy-to-use reporting and monitoring mechanisms.
• Part of Comprehensive Solution - solidifies iSecurity's position as the most comprehensive security solution for System i environments.
![Page 5: Authority on Demand Control Authority Rights & Emergency Access](https://reader035.vdocuments.us/reader035/viewer/2022062423/56649ca15503460f949602cf/html5/thumbnails/5.jpg)
AOD - Manager’s View
![Page 6: Authority on Demand Control Authority Rights & Emergency Access](https://reader035.vdocuments.us/reader035/viewer/2022062423/56649ca15503460f949602cf/html5/thumbnails/6.jpg)
Authority on Demand Demo
![Page 7: Authority on Demand Control Authority Rights & Emergency Access](https://reader035.vdocuments.us/reader035/viewer/2022062423/56649ca15503460f949602cf/html5/thumbnails/7.jpg)
AOD welcome screen.
![Page 8: Authority on Demand Control Authority Rights & Emergency Access](https://reader035.vdocuments.us/reader035/viewer/2022062423/56649ca15503460f949602cf/html5/thumbnails/8.jpg)
AOD main menu. We’ll enter option 1 to define Authority Providers.
![Page 9: Authority on Demand Control Authority Rights & Emergency Access](https://reader035.vdocuments.us/reader035/viewer/2022062423/56649ca15503460f949602cf/html5/thumbnails/9.jpg)
Let’s look at how QSECOFR is defined.
![Page 10: Authority on Demand Control Authority Rights & Emergency Access](https://reader035.vdocuments.us/reader035/viewer/2022062423/56649ca15503460f949602cf/html5/thumbnails/10.jpg)
Notification and e-mail parameters.
![Page 11: Authority on Demand Control Authority Rights & Emergency Access](https://reader035.vdocuments.us/reader035/viewer/2022062423/56649ca15503460f949602cf/html5/thumbnails/11.jpg)
Let’s look at option 2, AOD rules.
![Page 12: Authority on Demand Control Authority Rights & Emergency Access](https://reader035.vdocuments.us/reader035/viewer/2022062423/56649ca15503460f949602cf/html5/thumbnails/12.jpg)
A rule is defined allowing Eli to request authority at off-hours.
![Page 13: Authority on Demand Control Authority Rights & Emergency Access](https://reader035.vdocuments.us/reader035/viewer/2022062423/56649ca15503460f949602cf/html5/thumbnails/13.jpg)
We’ll explain this screen line by line.
![Page 14: Authority on Demand Control Authority Rights & Emergency Access](https://reader035.vdocuments.us/reader035/viewer/2022062423/56649ca15503460f949602cf/html5/thumbnails/14.jpg)
In an emergency situation, Eli requests authority via Option 31.
![Page 15: Authority on Demand Control Authority Rights & Emergency Access](https://reader035.vdocuments.us/reader035/viewer/2022062423/56649ca15503460f949602cf/html5/thumbnails/15.jpg)
The request was rejected, enter DSPAODLOG...
![Page 16: Authority on Demand Control Authority Rights & Emergency Access](https://reader035.vdocuments.us/reader035/viewer/2022062423/56649ca15503460f949602cf/html5/thumbnails/16.jpg)
… because it was not requested during off hours.
![Page 17: Authority on Demand Control Authority Rights & Emergency Access](https://reader035.vdocuments.us/reader035/viewer/2022062423/56649ca15503460f949602cf/html5/thumbnails/17.jpg)
Let’s update the definition for WORKHOURS via Option 21.
![Page 18: Authority on Demand Control Authority Rights & Emergency Access](https://reader035.vdocuments.us/reader035/viewer/2022062423/56649ca15503460f949602cf/html5/thumbnails/18.jpg)
We enter Option 31 again, and Option 32 shows we’ve now obtained authority.
![Page 19: Authority on Demand Control Authority Rights & Emergency Access](https://reader035.vdocuments.us/reader035/viewer/2022062423/56649ca15503460f949602cf/html5/thumbnails/19.jpg)
Let’s see what was written to QCONSOLE.
![Page 20: Authority on Demand Control Authority Rights & Emergency Access](https://reader035.vdocuments.us/reader035/viewer/2022062423/56649ca15503460f949602cf/html5/thumbnails/20.jpg)
All AOD activity appears on this MSGQ.
![Page 21: Authority on Demand Control Authority Rights & Emergency Access](https://reader035.vdocuments.us/reader035/viewer/2022062423/56649ca15503460f949602cf/html5/thumbnails/21.jpg)
Option 8121 from the main menu allows us to define SYSLOG attributes.
![Page 22: Authority on Demand Control Authority Rights & Emergency Access](https://reader035.vdocuments.us/reader035/viewer/2022062423/56649ca15503460f949602cf/html5/thumbnails/22.jpg)
These are the SYSLOG messages which were written.
![Page 23: Authority on Demand Control Authority Rights & Emergency Access](https://reader035.vdocuments.us/reader035/viewer/2022062423/56649ca15503460f949602cf/html5/thumbnails/23.jpg)
Use option 41 to Display the AOD log.
![Page 24: Authority on Demand Control Authority Rights & Emergency Access](https://reader035.vdocuments.us/reader035/viewer/2022062423/56649ca15503460f949602cf/html5/thumbnails/24.jpg)
We can filter the log entries by requester or provider.
![Page 25: Authority on Demand Control Authority Rights & Emergency Access](https://reader035.vdocuments.us/reader035/viewer/2022062423/56649ca15503460f949602cf/html5/thumbnails/25.jpg)
This is the AOD log; F8 displays the Audit log for the selected entry!
![Page 26: Authority on Demand Control Authority Rights & Emergency Access](https://reader035.vdocuments.us/reader035/viewer/2022062423/56649ca15503460f949602cf/html5/thumbnails/26.jpg)
This is the additional message information available for each AOD log message.
![Page 27: Authority on Demand Control Authority Rights & Emergency Access](https://reader035.vdocuments.us/reader035/viewer/2022062423/56649ca15503460f949602cf/html5/thumbnails/27.jpg)
This is the QAUDJRN log for one AOD request.
![Page 28: Authority on Demand Control Authority Rights & Emergency Access](https://reader035.vdocuments.us/reader035/viewer/2022062423/56649ca15503460f949602cf/html5/thumbnails/28.jpg)
Option 41; when printing the log, we receive the AOD log with “pointers” (i.e. attachments) to the appropriate QAUDJRN log…
![Page 29: Authority on Demand Control Authority Rights & Emergency Access](https://reader035.vdocuments.us/reader035/viewer/2022062423/56649ca15503460f949602cf/html5/thumbnails/29.jpg)
This is the printed QAUDJRN log for a single AOD request.
![Page 30: Authority on Demand Control Authority Rights & Emergency Access](https://reader035.vdocuments.us/reader035/viewer/2022062423/56649ca15503460f949602cf/html5/thumbnails/30.jpg)
Sample e-mail sent when request was rejected.
![Page 31: Authority on Demand Control Authority Rights & Emergency Access](https://reader035.vdocuments.us/reader035/viewer/2022062423/56649ca15503460f949602cf/html5/thumbnails/31.jpg)
This is an actual screen “Capture” of the user’s activity with AOD.
![Page 32: Authority on Demand Control Authority Rights & Emergency Access](https://reader035.vdocuments.us/reader035/viewer/2022062423/56649ca15503460f949602cf/html5/thumbnails/32.jpg)
This is one of the user screens “captured” (frame 11).
![Page 33: Authority on Demand Control Authority Rights & Emergency Access](https://reader035.vdocuments.us/reader035/viewer/2022062423/56649ca15503460f949602cf/html5/thumbnails/33.jpg)
AP Journal within iSecurity
![Page 34: Authority on Demand Control Authority Rights & Emergency Access](https://reader035.vdocuments.us/reader035/viewer/2022062423/56649ca15503460f949602cf/html5/thumbnails/34.jpg)
Please visit us at www.razlee.com
Thank You!