The AS/400, currently part of the IBM Power systems lineup, is one of the most successful mid-range computers in history. These systems can be found in many businesses, schools and hospitals, handling everything from HR to finance to general business applications.
One thing that has always been a challenge for systems administrators is managing the user account life cycle and defining roles on the AS/400, as well as resetting passwords. These tasks have almost exclusively been handled directly on the AS/400 in a manual fashion. The Operations Navigator, which is run from a Windows machine, made life easier for admins by allowing them to manage users in a fashion similar to Active Directory; but it still required manual operations to create, update or delete users. It is also possible to LDAP enable your AS/400, but you still need to manually manage the users and roles there, not to mention set up the AS/400 to utilize the directory service.
With the explosion of identity and access management (IAM) solutions over the last decade, a limited number of solutions providers have integrated AS/400 commands into their products to allow for full life cycle control of users as easily and completely as with many other systems and applications.
Typically, the process begins with an authoritative source, such as the HR system. The data is collected via a query, or a view, and compared to the current data in the target systems, in this case the AS/400. If a user exists in the HR system but not on the AS/400, and the user's role, title, department and location (the attributes that drive role-based access control, RBAC) dictate that the user should have an AS/400 account, the account is created. If something has changed, such as a role or title, the user account is re-provisioned appropriately. Finally, if a user does not exist in the HR system, or has a terminated flag set, the user will be de-provisioned and deleted from the AS/400.
In some cases, a user may be hired and start working prior to being entered into the system being utilized as the authoritative source. In these instances, IAM solutions typically allow for a Web portal for a hiring manager to enter basic employee data. From there, a workflow engine takes over and routes the access requests to the appropriate system owners and IT staff for approvals. Once approvals are received, the IAM solution then automatically provisions the user in the requisite systems. When the new hire makes it into the HR system, a check is performed against the RBAC matrix to ensure the user is provisioned accurately, and any necessary changes occur automatically where a delta exists.
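The reconciliation described in the two paragraphs above, as an added Python example that is not from the original article or from any IAM product: it compares a constructed HR feed against a constructed list of AS/400 user profiles through a hypothetical RBAC matrix and emits create, update and delete actions, rendered as standard CL commands (the command mapping, the matrix and every name are the example's own assumptions).

```python
# Constructed sample data: the HR feed (the authoritative source, pulled via a query or view)
# and the user profiles currently present on the AS/400, keyed by profile name -> group profile.
HR_FEED = [
    {"id": "E100", "name": "ALICE", "title": "Accountant", "dept": "Finance", "terminated": False},
    {"id": "E101", "name": "BOB", "title": "Payroll Clerk", "dept": "HR", "terminated": False},
    {"id": "E102", "name": "CAROL", "title": "Nurse", "dept": "Clinical", "terminated": False},
    {"id": "E103", "name": "DAVE", "title": "Accountant", "dept": "Finance", "terminated": True},
]
AS400_PROFILES = {"BOB": "PAYROLL", "DAVE": "FINANCE", "ERIN": "FINANCE"}

# Hypothetical RBAC matrix: (department, title) -> AS/400 group profile.
# None means that role is not entitled to an AS/400 account at all.
RBAC_MATRIX = {
    ("Finance", "Accountant"): "FINANCE",
    ("HR", "Payroll Clerk"): "HRGRP",
    ("Clinical", "Nurse"): None,
}

def entitled_group(record):
    """Look up what the user's role entitles them to; unknown roles get nothing."""
    return RBAC_MATRIX.get((record["dept"], record["title"]))

def reconcile(hr_feed, profiles):
    """Compare HR against the AS/400 and return (action, profile, group) tuples."""
    actions = []
    active = {r["name"]: r for r in hr_feed if not r["terminated"]}
    # De-provision first: profiles that are terminated in HR or absent from HR entirely.
    for name in sorted(profiles):
        if name not in active:
            actions.append(("delete", name, None))
    # Then joiners (create) and movers (re-provision when the entitled group changed).
    for name, rec in sorted(active.items()):
        group = entitled_group(rec)
        if name not in profiles:
            if group is not None:
                actions.append(("create", name, group))
        elif group is None:
            actions.append(("delete", name, None))  # role change removed the entitlement
        elif profiles[name] != group:
            actions.append(("update", name, group))
    return actions

def to_cl(action, name, group):
    """Render an action as the CL command a connector would run (mapping is the example's own)."""
    if action == "create":
        # PASSWORD(*NONE) avoids CRTUSRPRF's default of password = profile name; the real one is set later.
        return f"CRTUSRPRF USRPRF({name}) GRPPRF({group}) PASSWORD(*NONE) TEXT('IAM provisioned')"
    if action == "update":
        return f"CHGUSRPRF USRPRF({name}) GRPPRF({group})"
    return f"DLTUSRPRF USRPRF({name})"
```

Running `reconcile(HR_FEED, AS400_PROFILES)` on the sample data yields two deletions (DAVE is terminated, ERIN is unknown to HR), one creation (ALICE) and one re-provisioning (BOB moved from PAYROLL to HRGRP); CAROL's role carries no AS/400 entitlement, so nothing is created for her.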
The AS/400 is only one of the systems in which a company needs to provision users. The same IAM solution should be able to manage users in a wide variety of other applications and directory services to ensure that access to applications and data is set appropriately and accurately.
One of the other major areas that AS/400 system admins need to deal with is password resets when a user forgets his or her password. While native password reset tools for the AS/400 have yet to appear on the market, many IAM providers offer tools to allow end users to reset their AD password and have it synchronized over to the AS/400 to eliminate help desk involvement.
The process is quite easy. Users enroll in the self-service product via a series of challenge questions. If they forget their password, they can visit a Web portal, correctly answer the challenge questions and have the password reset in the AS/400, Active Directory, both, and/or any number of other applications concurrently.
While development of native tools to manage users and passwords on the AS/400 has lagged behind the toolsets used to manage Windows and LDAP environments, several major IAM providers have utilized connectors to manage the user life cycle. In short, tools utilized to manage Windows networks have been extended to make an AS/400 systems administrator's life significantly easier.