What Is a Profile Swap and How Can It Help Secure IBM i?

Privileged users need access to sensitive data in order to do their jobs.

But they rarely need wide-open access 24/7. That’s exactly what most organizations provide, and that access presents a security risk.

There is a simple way to give your privileged IBM i users exactly the level of access they need and retain the control and oversight you need to secure data. It’s called a profile swap.

Robin Tatam explains exactly what a profile swap is and how it works in the video below.

There’s a challenge a lot of IBM i shops run into: access by privileged users.

Many of us see the scenario where a user has a lot of authority on their basic, day-to-day profile. That authority allows them to do a lot of things that are undesirable in the eyes of the organization.

We also see situations where users are given access to a shared profile, like QSECOFR. They sign into the profile, complete their task, and sign back out—hopefully—when they’re done.

There’s a third option that uses an IBM i-sanctioned facility called a swapped profile. We’re going to examine that today: what it is, how it works, and a Fortra tool that lets you take advantage of that facility.

So, we have the concept of the user signing into the system. They might sign in as a basic profile. They don’t even technically need to have command line permission.

When they sign into the system, they have the ability then to elevate their privileges. In other words, become the identity of another profile.

Perhaps it is, in this case, the security officer. Or maybe it’s a medium-level profile specifically for a particular application.

We’ve drawn this on the board as a regular guy signing in and becoming superman. He now has the ability to perform whatever restricted task it is he needs to complete. This might be recompiling a program, fixing a file, or performing a system task. At this point, he’s able to do anything that the superman profile is able to do.

The benefit of doing this through a Powertech tool is that you have access to some additional bells and whistles—namely, the ability to see what that user is doing.

Having an audit trail of a user’s action when they’re signed on to the system is a core requirement of virtually every security mandate out there, and for good reason.

We also need the ability to audit everything that they’re doing. We need that breadcrumb trail, so that if something does later surface that we need to investigate, we have a source of information that we can refer back to and understand exactly where that user went, what they did, and what they saw.

The third part is the ability to notify someone that the profile swap has taken place. Maybe it’s a supervisor or a manager. Maybe it’s an auditor. You have the ability within Powertech Authority Broker for IBM i to send the notification to a message queue or interface with any other type of message management tool that’s out there to alert the supervisor or manager that the swap has occurred.

So, looking at the scenario, we sign on with a basic profile. Maybe it has or doesn’t have command line permission, but it certainly doesn’t have the keys to the kingdom. Temporarily, they now gain the keys to the kingdom, but they do so with these three advantages: visibility, an audit trail, and real-time notifications.

When they’re done, they relinquish those privileges and return to their base profile. This will satisfy all those regulatory mandates that say we need to accept that there is an as-needed case for powerful users to be on the system, but we don’t have to do it without any type of oversight.

A profile swap through a tool like Powertech Authority Broker for IBM i is a much more secure, robust, and auditable way of allowing powerful users on your system.