Access Control Redefined: Legacy System Governance Strategies
Capability-Centric Governance Redefines Access Control for Legacy Systems
The traditional approach to access control on mainframe and IBM i platforms is no longer sufficient. Applying cloud-style entitlement models to these platforms (lists of roles and entitlements detached from the work they actually enable) strips access of its business meaning and obscures segregation-of-duties risk; the result is a governance failure, even where native enforcement itself is sound.
Governing Behavior Rather Than Permissions
On z/OS and IBM i, risk is rarely associated with a single permission. It emerges from sequences of individually legitimate actions executed over time. The conventional approach relies on static role analysis and on standing special authorities (RACF SPECIAL or OPERATIONS on z/OS, *ALLOBJ or *SECADM on IBM i), which leaves latent risk that auditors struggle to resolve because each permission, viewed on its own, looks justified.
Defining Access as Capability
A capability answers a practical question: what work does this access allow someone to do? It names a concrete business action the system performs, expressed in the platform's native authorization terms. A capability explicitly lists the native resources required to perform that action (for example CICS transactions, DB2 plans and data set high-level qualifiers on z/OS, or menu options and object authorities on IBM i), so it maps directly to something an operator or the system actually executes rather than to an abstract role name.
Segregation of Duties as Behavior, Not Static Conflict
Traditional segregation-of-duties models treat violations as static conditions: two permissions that must never be held together. However, most SoD violations are not static conflicts; they emerge over time, often across perfectly legitimate actions such as creating a vendor and later approving a payment to it. A capability-centric model expresses SoD as temporal and sequential behavior (action A followed by action B by the same identity within a window) and evaluates that rule against what actually happened, rather than inferring risk from role definitions during periodic reviews.
Thin Overlay for Context and Control
The capability model does not replace native enforcement. z/OS and IBM i remain the systems of record for authorization. A thin policy overlay is introduced to evaluate context, enable just-in-time elevation, and enforce sequence-based controls. Elevation is timeboxed, logged, and automatically revoked, without modifying COBOL or RPG code.
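As an added illustration of the overlay pattern described above (example code written for this page, not code from the original article, from any product, or from the platforms themselves): a minimal just-in-time elevation overlay in Python that keeps every decision timeboxed, logged, and automatically revoked. The ticket-based context check, the capability name, the user name and the 30-minute TTL are assumptions. The GRANT and REVOKE steps are the points at which a real overlay would drive the native mechanism (for instance RACF CONNECT/REMOVE to a group on z/OS, or GRTOBJAUT/RVKOBJAUT on IBM i); this example records those steps as audit entries only and does not implement the native calls.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class Grant:
    user: str
    capability: str
    ticket: str
    expires_at: datetime


class ElevationOverlay:
    """Thin policy overlay in front of native authorization. It never replaces
    RACF or IBM i object authority: it decides whether an elevation request is
    justified by context, records every decision, and revokes on expiry.
    The ticket check stands in for whatever context a real deployment evaluates."""

    def __init__(self, ttl, approved_tickets):
        self.ttl = ttl                              # timebox applied to every grant
        self.approved_tickets = set(approved_tickets)
        self.grants = {}                            # (user, capability) -> Grant
        self.audit_log = []                         # (timestamp, decision, detail)

    def _log(self, now, decision, detail):
        self.audit_log.append((now.isoformat(), decision, detail))

    def request(self, user, capability, ticket, now):
        """Just-in-time elevation: granted only against an approved ticket,
        always with an expiry. Returns True when the grant was issued."""
        if ticket not in self.approved_tickets:
            self._log(now, "DENY", f"{user} {capability} ticket={ticket} not approved")
            return False
        grant = Grant(user, capability, ticket, now + self.ttl)
        self.grants[(user, capability)] = grant
        # A real overlay would apply the native change here, e.g. RACF CONNECT
        # to a group on z/OS or GRTOBJAUT on IBM i (assumed hook, not implemented).
        self._log(now, "GRANT",
                  f"{user} {capability} until {grant.expires_at.isoformat()} ticket={ticket}")
        return True

    def revoke_expired(self, now):
        """Automatic revocation: drop every grant whose timebox has elapsed."""
        expired = [k for k, g in self.grants.items() if g.expires_at <= now]
        for key in expired:
            grant = self.grants.pop(key)
            # Native counterpart: RACF REMOVE from the group / RVKOBJAUT (assumed hook).
            self._log(now, "REVOKE", f"{grant.user} {grant.capability} timebox expired")
        return len(expired)

    def is_elevated(self, user, capability, now):
        """Context-aware check the overlay answers before any native action runs."""
        self.revoke_expired(now)
        return (user, capability) in self.grants


def run_timeline():
    """Constructed walk-through: one denied request, one granted, then checked
    just before and just after the 30-minute timebox. Returns the outcomes."""
    t0 = datetime(2024, 3, 1, 9, 0)
    overlay = ElevationOverlay(ttl=timedelta(minutes=30), approved_tickets={"CHG-1001"})
    denied = overlay.request("PAYOPS", "release_payroll_exception", "CHG-9999", t0)
    granted = overlay.request("PAYOPS", "release_payroll_exception", "CHG-1001", t0)
    before = overlay.is_elevated("PAYOPS", "release_payroll_exception",
                                 t0 + timedelta(minutes=29))
    after = overlay.is_elevated("PAYOPS", "release_payroll_exception",
                                t0 + timedelta(minutes=30))
    decisions = [d for _, d, _ in overlay.audit_log]
    return denied, granted, before, after, decisions


if __name__ == "__main__":
    print(run_timeline())
```

The design point is that the overlay holds no authority of its own: revocation is driven by the clock the overlay is handed (so a replayed or stale clock cannot extend a grant), and every transition is written to the audit log before the function returns, which is the record an auditor would reconcile against native telemetry.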
Evidence from Native Telemetry
Both platforms generate authoritative telemetry: CICS SMF Type 110 records on z/OS and the QAUDJRN security audit journal on IBM i. This data is converted into concise usage summaries (which capabilities an identity actually exercised, how often, and when) attached directly to each certification item, so reviewers certify on evidence rather than on inference and assumption.
Practical Illustrations
Two contrasts illustrate the shift. On z/OS, the conventional approach grants a broad finance role with generic high-level-qualifier (HLQ) access; the capability-centric approach defines a capability such as "post invoices under $5,000" as the specific CICS transactions, DB2 plans, message queues, and scoped HLQs that action requires. On IBM i, the conventional approach grants permanent *ALLOBJ special authority; the capability-centric approach defines "release payroll exceptions" as the menu paths and minimal object authorities needed for that task and nothing more.
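The illustrations above, together with the sequence-based SoD evaluation and the telemetry-derived usage summaries described in the earlier sections, as an added worked example in Python (written for this page; not code from the original article or from any product). The capability catalogue, the native resource identifiers, the audit events and the seven-day SoD window are all constructed assumptions; in a real deployment the events would be normalised from CICS SMF Type 110 records and QAUDJRN entries, and the field names used here are not those platforms' own.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class AuditEvent:
    """One usage record, normalised from native telemetry (CICS SMF 110 on z/OS,
    QAUDJRN on IBM i). Field names are an assumption for this example."""
    ts: datetime
    user: str
    platform: str   # "zos" or "ibmi"
    resource: str   # native resource actually touched, e.g. "CICS:TRAN:AP01"


@dataclass(frozen=True)
class Capability:
    """A business action expressed as the native resources it requires."""
    name: str
    platform: str
    resources: frozenset


# Hypothetical capability catalogue (names and resource identifiers are made up).
CAPABILITIES = [
    Capability("create_vendor", "zos",
               frozenset({"CICS:TRAN:VN01", "DB2:PLAN:VENDMNT"})),
    Capability("post_ap_invoice_lt_5k", "zos",
               frozenset({"CICS:TRAN:AP01", "DB2:PLAN:APPOST",
                          "MQ:QUEUE:AP.POST.SMALL", "HLQ:FIN.AP.SMALL"})),
    Capability("release_payroll_exception", "ibmi",
               frozenset({"IBMi:MENU:PAYEXC", "IBMi:OBJ:PAYLIB/PAYEXC:*USE"})),
]


@dataclass(frozen=True)
class SodRule:
    """Sequence rule: `first` followed by `second` by the same identity within
    `window` is a violation, even though each action alone is legitimate."""
    first: str
    second: str
    window: timedelta


SOD_RULES = [SodRule("create_vendor", "post_ap_invoice_lt_5k", timedelta(days=7))]


def capability_for(event):
    """Map a native resource usage back to the capability that requires it."""
    for cap in CAPABILITIES:
        if cap.platform == event.platform and event.resource in cap.resources:
            return cap.name
    return None


def usage_summary(events):
    """Per (user, capability): count, first and last use in ISO format. This is
    the evidence attached to a certification item in place of inference."""
    summary = {}
    for ev in sorted(events, key=lambda e: e.ts):
        cap = capability_for(ev)
        if cap is None:
            continue                      # telemetry unrelated to any capability
        entry = summary.setdefault(
            (ev.user, cap), {"count": 0, "first": ev.ts.isoformat(), "last": None})
        entry["count"] += 1
        entry["last"] = ev.ts.isoformat()
    return summary


def sod_violations(events, rules=SOD_RULES):
    """Evaluate SoD as behaviour: for each user, find `first` then `second`
    within the rule's window. Returns (user, first, second, t_first, t_second)."""
    by_user = {}
    for ev in sorted(events, key=lambda e: e.ts):
        cap = capability_for(ev)
        if cap is not None:
            by_user.setdefault(ev.user, []).append((ev.ts, cap))
    violations = []
    for user, seq in by_user.items():
        for rule in rules:
            firsts = [ts for ts, cap in seq if cap == rule.first]
            for ts2, cap in seq:
                if cap != rule.second:
                    continue
                # most recent `first` that precedes this `second` within the window
                hits = [t for t in firsts if t <= ts2 <= t + rule.window]
                if hits:
                    violations.append((user, rule.first, rule.second,
                                       max(hits).isoformat(), ts2.isoformat()))
    return violations


# Constructed sample telemetry (not real SMF/QAUDJRN data).
T0 = datetime(2024, 3, 1, 9, 0)
SAMPLE_EVENTS = [
    AuditEvent(T0, "JSMITH", "zos", "CICS:TRAN:VN01"),                       # creates a vendor
    AuditEvent(T0 + timedelta(days=2), "JSMITH", "zos", "CICS:TRAN:AP01"),   # posts 2 days later: violation
    AuditEvent(T0 + timedelta(days=1), "AJONES", "zos", "CICS:TRAN:AP01"),   # posts only, never creates
    AuditEvent(T0 + timedelta(days=3), "AJONES", "zos", "DB2:PLAN:APPOST"),
    AuditEvent(T0 + timedelta(days=30), "JSMITH", "zos", "CICS:TRAN:VN01"),  # vendor, no post in window
    AuditEvent(T0 + timedelta(days=5), "PAYOPS", "ibmi", "IBMi:MENU:PAYEXC"),
    AuditEvent(T0 + timedelta(days=5), "PAYOPS", "zos", "TSO:LOGON"),        # maps to no capability
]

if __name__ == "__main__":
    for key, val in usage_summary(SAMPLE_EVENTS).items():
        print(key, val)
    for v in sod_violations(SAMPLE_EVENTS):
        print("SoD violation:", v)
```

Note what a static check would miss here: JSMITH and AJONES hold the same permissions, but only JSMITH's sequence (vendor creation, then a sub-$5,000 posting two days later) is a violation, and JSMITH's second vendor creation a month later raises nothing because no posting follows it within the window. The usage summary, keyed by user and capability rather than by permission, is what a certification item would carry.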
Questions Security Leaders Should Ask
To ensure the effectiveness of a capability-centric program, three questions can be asked:
