
Account and Password Management on the AS/400


The AS/400, currently part of the IBM Power Systems lineup, is one of the most successful mid-range computers in history. It can be found in many businesses, schools and hospitals, handling everything from HR to finance to general business applications.

One thing that has always been a challenge for systems administrators is managing the user account life cycle and defining roles on the AS/400, as well as resetting passwords. These tasks have almost exclusively been handled directly on the AS/400 in a manual fashion. Operations Navigator, which runs from a Windows machine, made life easier for admins by allowing them to manage users in a fashion similar to Active Directory, but it still required manual operations to create, update or delete users. It is also possible to LDAP-enable your AS/400, but you still need to manually manage the users and roles there, not to mention set up the AS/400 to use the directory service.

With the explosion of identity and access management (IAM) solutions over the last decade, a limited number of solutions providers have integrated AS/400 commands into their products to allow for full life cycle control of users as easily and completely as with many other systems and applications. 

Typically, the process begins with an authoritative source, such as the HR system. The data is collected via a query or a view and compared to the current data in the target systems, in this case the AS/400. If a user exists in HR but not in the AS/400, and the user’s role, title, department and location – a concept known as role-based access control (RBAC) – dictate that the user should have an AS/400 account, the user is created. If something has changed, such as a role or title, the user account is re-provisioned appropriately. Finally, if a user does not exist in the HR system, or has a terminated flag set, the user is de-provisioned and deleted from the AS/400.

In some cases, a user may be hired and start working before being entered into the system used as the authoritative source. In these instances, IAM solutions typically provide a Web portal where a hiring manager can enter basic employee data. From there, a workflow engine takes over and routes the access requests to the appropriate system owners and IT staff for approval. Once approvals are received, the IAM solution automatically provisions the user in the requisite systems. When the new hire makes it into the HR system, a check is performed against the RBAC matrix to ensure the user is provisioned accurately, and any necessary changes are applied automatically where a delta exists.
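The two paragraphs above describe one reconciliation loop: diff the authoritative source against the target, apply the RBAC matrix, and treat a workflow-approved request as a stand-in until HR catches up. The following is an added example, not code from the article or from any IAM product, showing that loop in Python. The RBAC matrix, the HR rows, the pending-request list, the protected service profile name and the existing account list are all constructed sample data; a real connector would execute the platform's user-management commands where this code only returns the planned actions.

```python
"""Added example (not from the article): HR-to-AS/400 account reconciliation.

Everything here is a constructed stand-in. The function returns the list of
actions an IAM connector would carry out rather than executing them, which is
also how a dry-run / approval step would present the delta to an operator.
"""
from dataclasses import dataclass

# Constructed RBAC matrix: (department, title) -> groups the person should hold.
# Anyone without a matching row is not entitled to an AS/400 account at all.
RBAC_MATRIX = {
    ("Finance", "Analyst"): {"FINANCE"},
    ("Finance", "Manager"): {"FINANCE", "FINMGR"},
    ("HR", "Specialist"): {"HRUSERS"},
}

# Constructed: service profiles that reconciliation must never delete, because
# they do not correspond to a person in HR.
PROTECTED = {"SVCBATCH"}


@dataclass(frozen=True)
class HrRecord:
    emp_id: str
    user: str          # desired profile name on the target system
    department: str
    title: str
    terminated: bool = False


def desired_state(hr_rows, pending_requests):
    """Build {user: groups} of who *should* have an account.

    HR rows are authoritative. Workflow-approved requests (the hiring-manager
    portal case) only count while HR has no row at all for that user; once the
    person appears in HR, the RBAC matrix decides and any delta is corrected.
    """
    wanted, in_hr = {}, set()
    for r in hr_rows:
        in_hr.add(r.user)
        if r.terminated:
            continue                      # terminated flag -> de-provision branch
        groups = RBAC_MATRIX.get((r.department, r.title))
        if groups:
            wanted[r.user] = set(groups)
    for user, groups in pending_requests.items():
        if user not in in_hr:
            wanted[user] = set(groups)
    return wanted


def reconcile(hr_rows, pending_requests, current_accounts):
    """Diff desired state against the target's current accounts.

    Returns an ordered list of (action, user, groups):
      create - entitled per HR/RBAC (or approved request) but missing on target
      update - present on both, but the group membership differs
      delete - on the target but absent from HR or flagged terminated
    """
    wanted = desired_state(hr_rows, pending_requests)
    actions = []
    for user, groups in sorted(wanted.items()):
        if user not in current_accounts:
            actions.append(("create", user, groups))
        elif current_accounts[user] != groups:
            actions.append(("update", user, groups))
    for user in sorted(current_accounts):
        if user not in wanted and user not in PROTECTED:
            actions.append(("delete", user, set()))
    return actions


def reconcile_demo():
    """Run reconcile() over constructed sample data and return the plan."""
    hr = [
        HrRecord("1001", "AJONES", "Finance", "Analyst"),
        HrRecord("1002", "BSMITH", "Finance", "Manager"),      # promoted: needs FINMGR
        HrRecord("1003", "CLEE", "HR", "Specialist", terminated=True),
        HrRecord("1004", "DKIM", "Sales", "Rep"),              # no RBAC entitlement
    ]
    pending = {"ENEW": {"HRUSERS"}}       # approved via workflow, not yet in HR
    current = {                            # constructed snapshot of the target
        "AJONES": {"FINANCE"},
        "BSMITH": {"FINANCE"},
        "CLEE": {"HRUSERS"},
        "SVCBATCH": {"BATCH"},
        "ZOLD": {"FINANCE"},               # left behind by a manual process
    }
    return reconcile(hr, pending, current)


if __name__ == "__main__":
    for action, user, groups in reconcile_demo():
        print(f"{action:6} {user:10} {sorted(groups)}")
```

The delete branch is deliberately driven only by absence from the authoritative source plus the protected list, so an orphaned profile such as `ZOLD` surfaces on the very first run; that is the behaviour that makes a reconciliation-based IAM tool safer than ad-hoc scripts, and it is also why a protected list of service profiles must be reviewed before the first live run.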

The AS/400 is only one of the systems in which a company needs to provision users. The same IAM solution should be able to manage users in a wide variety of other applications and directory services to ensure that access to applications and data is set appropriately and accurately.

One of the other major areas that AS/400 system admins need to deal with is password resets when a user forgets his or her password. While native password reset tools for the AS/400 have yet to appear on the market, many IAM providers offer tools to allow end users to reset their AD password and have it synchronized over to the AS/400 to eliminate help desk involvement. 

The process is quite easy. Users enroll in the self-service product by answering a series of challenge questions. If they forget their password, they can visit a Web portal, correctly answer the challenge questions and have the password reset in the AS/400, Active Directory, or both, along with any number of other applications concurrently.
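As an added example, not part of the article and not any vendor's product code, the following Python shows the two halves of the flow just described: enrolling challenge answers so that the stored table does not reveal them, and fanning the new password out to several targets only after every answer verifies. The question text, the user name and the two target "stores" are constructed stand-ins; the iteration count is an assumption chosen for the example.

```python
"""Added example (not from the article): challenge-question enrollment,
verification and multi-target password reset fan-out.

Answers are normalised (case, whitespace) and stored as salted PBKDF2 hashes,
so a leaked enrollment table is no more useful than a leaked password table.
The target systems are constructed in-memory stores standing in for the
AS/400 and Active Directory connectors an IAM product would provide.
"""
import hashlib
import hmac
import os

ITERATIONS = 100_000          # assumption for the example; tune to your hardware


def _normalize(answer):
    """Make 'Main St.' and '  main st. ' compare equal without weakening the hash."""
    return " ".join(answer.casefold().split())


def enroll(answers):
    """answers: {question: answer}. Returns {question: (salt, digest)}."""
    record = {}
    for question, answer in answers.items():
        salt = os.urandom(16)
        digest = hashlib.pbkdf2_hmac(
            "sha256", _normalize(answer).encode(), salt, ITERATIONS)
        record[question] = (salt, digest)
    return record


def verify(record, answers):
    """True only if every enrolled question is answered correctly.

    All answers are hashed and compared even after a mismatch, so response
    time does not reveal which question failed.
    """
    correct = 0
    for question, (salt, digest) in record.items():
        given = _normalize(answers.get(question, "")).encode()
        candidate = hashlib.pbkdf2_hmac("sha256", given, salt, ITERATIONS)
        correct += hmac.compare_digest(candidate, digest)
    return correct == len(record)


def reset_password(record, answers, user, targets, new_password):
    """targets: {name: store with set_password(user, pw) -> bool}.

    Returns None if verification fails (nothing is touched), otherwise a
    per-target result so a system that failed to sync is visible, not hidden.
    """
    if not verify(record, answers):
        return None
    return {name: bool(store.set_password(user, new_password))
            for name, store in targets.items()}


class FakeStore:
    """Constructed stand-in for a target system's credential store."""
    def __init__(self):
        self.passwords = {}

    def set_password(self, user, password):
        self.passwords[user] = password
        return True


def reset_demo():
    """Enroll, attempt a wrong reset, then a correct one; return the outcomes."""
    as400, ad = FakeStore(), FakeStore()
    targets = {"AS/400": as400, "AD": ad}
    record = enroll({"First school": "Lincoln Elementary",
                     "First car": "Honda Civic"})
    wrong = reset_password(record,
                           {"First school": "Lincoln", "First car": "Honda Civic"},
                           "AJONES", targets, "should-not-apply")
    right = reset_password(record,
                           {"First school": " lincoln ELEMENTARY ",
                            "First car": "honda civic"},
                           "AJONES", targets, "N3w-Pass-Example")
    in_sync = as400.passwords == ad.passwords == {"AJONES": "N3w-Pass-Example"}
    return wrong, right, in_sync


if __name__ == "__main__":
    print(reset_demo())
```

Keeping verification and fan-out in one function means a partially answered challenge never reaches any connector, and returning a per-target result (rather than a single boolean) is what lets the help desk see when the AS/400 and the directory have drifted apart after a reset.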

While development of native tools to manage users and passwords on the AS/400 has lagged behind the toolsets used to manage Windows and LDAP environments, several major IAM providers have used connectors to manage the user life cycle. In short, tools used to manage Windows networks have been extended to make an AS/400 systems administrator’s life significantly easier.

Dean Wiech is managing director of Tools4ever, a global provider of identity and access management solutions.


Comments

By Steve Pitcher

Why are you using the term AS/400? The modern platform in question is an operating system called IBM i. It’s one of the three operating systems supported on Power Systems. Once I read AS/400 the rest of the article is white noise.

By Dean Wiech

Technically, the term AS/400 referred to the hardware, which has gone through many name changes. Originally developed under the code name “Silver Lake,” it became the AS/400 upon release in June 1988. In 2000, it was renamed the eServer iSeries – a name that never gained much traction. In 2006, it was once again renamed to System i. In 2008, the platform was integrated with the System p platform and became known as IBM Power System.

The original operating system was called OS/400 and that has evolved over time, as well. The hardware supports AIX, GNU Linux and IBM i, formerly i5/OS. Support for Windows and Windows Server, along with Lotus Domino, is also available.

The holdover usage of the term AS/400 is most likely a reflection on my age and was not intended to offend or confuse. Much in the way some of us old timers remember storing data on a 5.25” (or 8”) floppy drive or having a mobile phone hardwired in your car.
