- Users with *ALLOBJ authority or which can adopt this All Object authority through an OS400 group profile or supplemental group can access any sensitive data on the IBM i.
- Users with *USE authority can download sensitive data to their workstation
- Users with Limited Capability can run CL commands
- Applications that use adopted authority or perform a profile swap typically use *SECOFR authority
A more efficient and effective way to secure personal data for data protection compliance requirements would be to implement IBM i DB2 encryption. In addition, companies may choose to anonymize, mask or scramble personal data as a compensating control for specific use cases. Encryption does not negate the need to implement security access controls, it only safeguards the data from unauthorized access. Companies must still control how their users use the data. If an employee has authorization to read data in plain text view, access controls must also be in place to prevent the employee from downloading or running a report over the data, where the personal data would then exist without any auditing or controls in place.
Implementing IBM i encryption really only involves three primary steps: Defining User Access Permissions, Creating Encryption Keys and Executing Encryption Policies. Where to begin? Identify all the locations where sensitive and private date is stored on the system. At most companies, it has been a wild west atmosphere for far too long. If your company has not already done so, this would be a good time to educate employees on the proper procedures for handling data. In fact, educating and reminding employees about the dos and don’ts should be an ongoing process.