Authority on Demand Flexible Access Control Solution
The Challenge
• Emergency access to critical application data and processes is a very common security breach which is uncovered in System i audits.
• Currently, manual approaches to this problem are not only error-prone, but do not comply with regulations and auditors’ often stringent security requirements.
• System i sites define users’ security levels and allocate security rights corresponding to the different job responsibilities in the organization.
AOD Features
• Easy to Use - simplifies granting special authorities when necessary, and incorporates easy-to-use reporting and monitoring mechanisms.
• Add/Swap Security Levels (unique to iSecurity AOD) - grants a new security authority level or adds additional security rights on request.
• Authority Transfer Rules & Providers - enables pre-defining special authority "providers" and special authority transfer rules.
• Safe Recovery from Emergency - enables recovering from different types of emergency situations with minimum risk of human error.
• Full Monitoring Capabilities - logs and monitors all relevant activities, and sends audit reports and real-time e-mail alerts when employees request higher authority.
• Part of End-to-End Solution - solidifies iSecurity's position as the most comprehensive security solution for System i environments.
• Intuitive GUI Interface – suitable for non-technical staff.
• Controlled Access – allows only relevant personnel to access critical data.
Part 1 Authority on Demand Scenario
Without Authority on Demand: Inefficient Work Mode
Sam Evans
Programmer
Has authorities for Test & Development
Needs authorities for Production once a week
Richard Garner
Busy IT Manager
Hi Sam… temporary authorities for the Production folder? Hmmm, I don’t have time now… maybe next week.
Authority Request Rejected
With Authority on Demand: Automatic Granting of Special Authorities
Let’s define authority rules: When Sam Evans requests authority for Production Folder between 8AM-16:30PM, the system will automatically grant it…
Uh, Richard, I need authorities for the Production folder again…
Requesting Special Authority…
Now that we have AOD, I’ll request authority… Wow, this is so much easier than calling up Richard…
Instantly & Automatically Receiving Authorities
Got the authorities!
Finally, I don’t have to waste my time on granting special authorities… the whole process is automatic and I can see a full log of Sam’s authority requests and even screen captures!
Effective Monitoring of Special Authorities
Part 2 Authority on Demand Screens
AOD Welcome Screen
Authority on Demand Log
DANA start add authority of user QSECOFR in job 456789/DANA/QPADEV0003. Reason: Need to check problem in production system. Confirmation ID: 5634 Time: 11/03/08 22:40
DANA end add authority of user QSECOFR in job 456789/DANA/QPADEV0003. Time: 11/03/08 23:19
ID: 653
Attachment 1 – Command entered
Attachment 2 – Captured Screens
Attachment 3 – DB Records changes
Command entered
ID: 653, Attachment 1
DB Records changes
ID: 653, Attachment 3
Captured Screens
ID: 653, Attachment 2
* Other attachment options available (all QAUDJRN information, summary of changes made by Ad-Hoc utilities…)
Authority on Demand Main Menu
Work with Authority Rules
Select Authority Rule to modify.
Modify an Authority Rule
Each field needs to be explained individually; “Add authority of Provider” is unique to AOD & ensures that logged info relates to requester.
Modify an Authority Rule
Important note below.
Work with Authority Providers
Select an Authority Provider to modify.
Modify definitions for an Authority Provider
Define (Option 6) and Change a Time Group
Activation menu (Option 11)
Request to obtain Authority (GETAOD)
Requestor must enter the name of the Authority provider and either a PIN Code (with Reason *BYPIN) or Reason text.
GETAOD was successful
Feedback message below.
E-mail messages for Start/End Authority
GETAOD was not successful
Feedback message below.
Unsuccessful GETAOD: log and e-mail
Unsuccessful GETAOD - full explanation
Request AOD Console Messages
Enter command.
Sample AOD Console Messages
Option 41 from the Main Menu is used to Display AOD log entries; can be filtered by requester or provider.
Display AOD Log Entries
Sample AOD Log Entries
Sample AOD Log Entries; F10 provides details.
Select type of AOD Log entries to Display
Note the numerous possibilities for displaying AOD log entries.
This is the QAUDJRN log for one AOD request.
Audit Log for one Get AOD request
AOD log contains “pointers” (i.e. attachments) to the appropriate QAUDJRN log.
Option 43: Print Log
This is the printed QAUDJRN log for a single AOD request.
Print output of QAUDJRN
This is an actual screen “Capture” of using AOD (back version).
Showing “Captured” Screen Image
This is one of the user screens “Captured” (frame 11 in the Capture log file).
Another “Captured” Screen Image
AOD System Configuration Screen
Option 81 from the AOD Main Menu.
General Definitions Configuration Screen
Note various general definition parameters.
Exit Programs Configuration Screen
AOD allows for site-specific exit program overrides.
AOD Log Retention Configuration Screen
Set the Log Retention period using this screen.
E-mail Definitions Configuration Screen
An appropriate license must be signed with a local ISP.
SYSLOG attributes are defined using Option 8121 from the main menu.
SYSLOG Definitions
These are the SYSLOG messages written when authority was added.
SYSLOG Messages
Work with AOD Operators
Select an AOD Operator to modify.
Modify AOD Operator Rights
Full product usage, Emergency usage or use as an Auditor (read-only).
Emergency Operator Screen
Current user has been defined as Emergency operator; only 1 rule can be modified.
Modify Rule by Emergency Operator
Modify the rule which relates to this Emergency operator; other rules cannot be modified.
Auditor Screen
No changes may be made to rules.
Modify Authority Rules screen disabled
All input fields are disabled in this mode.
Please visit us at www.razlee.com
Thank You!