This topic provides on overview for creating an application security plan for your company.
To plan the right security for your applications, you need to know:
As you go through these application planning topics, you answer the first question about what information you plan to store on your system. In subsequent topics, you decide who needs that information and what kind of access people need. You do not enter the application planning information into the system; however, you will need it when you set up users and resource security.
What is an application?
In the first planning step for application security, you need to describe the applications you plan to run on your system. An application is a group of functions that logically belong together. Usually, two different types of applications can run on your server:
What forms do you need?
Describing your applications
At this point, you need to gather some general information about each of your business applications. Add information about your application to the appropriate fields on the Application Description form as described below. Later you can use this information to help you plan user groups and application security:
Finding information about your applications
If you do not already know the information you need about your applications, you may need to contact your programmer or application provider. Here are some methods for gathering the information yourself, if you do not have access to this information about an application that runs on your system:
Preparing Application description forms for special applications from IBM, such as IBM® Query for iSeries™ is optional. Access to the libraries used by these applications does not require any special planning. However, you may find it useful to gather the information and prepare the forms.
Drawing an application diagram
As you prepare your Application description and Library description forms, you may find it useful to draw a diagram showing the relationship between applications and libraries. A diagram will help you to plan both user groups and resource security.
Collecting some information about your applications and libraries now will help you with many security decisions you need to make. Look at this as a chance to become more knowledgeable about your system and applications. To ensure that you have gathered the application information that you need, you should:
Planning Applications to Prevent Large Profiles
Because of the potential impacts to performance and security, IBM strongly recommends the following to avoid profiles from becoming too full:
Create special user profiles to own applications. Owner profiles that are specific to an application make it easier to recover applications and to move applications between systems. Also, information about private authorities is spread among several profiles, which improves performance. By using several owner profiles, you can prevent a profile from becoming too large because of too many objects. Owner profiles also allow you to adopt the authority of the owner profile rather than a more powerful profile that provides unnecessary authority.
These profiles own a large number of IBM-supplied objects and can become difficult to manage. Having applications owned by IBM-supplied user profiles can also cause security problems when moving applications from one system to another. Applications owned by IBM-supplied user profiles can also impact performance for commands, such as CHKOBJITG and WRKOBJOWN.
If you are granting private authorities to many objects for several users, you should consider using an authorization list to secure the objects. Authorization lists will cause one private authority entry for the authorization list in the user’s profile rather than one private authority entry for each object. In the object owner’s profile, authorization lists cause an authorized object entry for every user granted authority to the authorization list rather than an authorized object entry for every object multiplied by the number of users that are granted the private authority.