RRM is swapping Robot's user back when it shouldn't.

  • 7017238
  • 09-Feb-2016
  • 09-Feb-2016

Environment

NetIQ Security Solutions for iSeries 8.1
PSSecure
Remote Request Management (RRM)

Situation

RRM is swapping Robot's user back.

RRM is unexpectedly swapping back from Robot's user to the end user's profile, causing access failures.

Resolution

Either create two user/server overrides. Note that user/server overrides do not log the incoming transactions in RRM.

Op  User       Server    Action
    RBTUSER    DBINIT    *TRUSTED
    RBTUSER    DBSQL     *TRUSTED

Or create two Secured Entries that specify the Robot user they are allowed to swap to. Using Secured Entries allows RRM to log the incoming transactions for reporting purposes or collected entry use.

Op  S  User       Network    Operation           Action    Swap Prf
    Y  ENDUSER    *ALL       DBINIT_*ALL_*ALL    *PASS     RBTUSER
    Y  ENDUSER    *ALL       DBSQL_*ALL_*ALL     *PASS     RBTUSER

* Using Secured Entries requires that the exit points QIBM_QZDA_INIT (DBINIT), QIBM_QZDA_SQL1 (DBSQL), and QIBM_QZDA_SQL2 (DBSQL) are in Secured Mode (i.e., SECURED *YES).

Cause

RRM has internal checks to make sure that incoming transactions don't swap to an unauthorized profile in order to prevent privilege elevation attacks.