RE: RMTCMD Anomaly???? -- MIDRANGE-L

I think is is a widespread misconception that AS/400 security is
completely avoided by CA.  And John Earl correctly describes the
scenario where it might be perceived that the AS400 security is
circumvented.

It is typical (and often right) for applications to prevent the normal
user from updating underlying files using only menu security.  In this
case the user can take only the menu options they have access to and the
underlying files are updated by the program behind the menu.  In this
scenario all users of the same application typically belong to the same
Group Profile, which has update right to the underlying files and this
works fine as long as the users are only working on the AS400.  If users
are using PC products such as Excel, Access or MS Query (and ODBC), they
can circumvent the menu security and access the data directly on the
AS400 and as the Group Profile they belong to have update rights to the
underlyding file the user will also update rights to these files using
their PC product.

The use of Exit Programs (WRKREGINF) can stop this gap as any request
coming from a PC can be validated before the request is accepted.
However, this can be quite time consuming to code this.  There off the
shelf products on the market to fill this gap.  If you would like the
names of some of these please let me know.

Jacob Christiansen



-----Original Message-----
From: John Earl [mailto:johnearl@400security.com]
Sent: 22 May 2000 09:20
To: MIDRANGE-L@midrange.com
Subject: Re: RMTCMD Anomaly????


Robert,

Robert Brown wrote:

> AS/400 security is completely avoided by CA, with respect to object
> authority and cmd line authority.

Please!   Don't say such things.  It's not true, and it really ticks off
the
AS/400 security team when this lie is spread.  :^)

Client Access (and BosaNova, and WRQ, and all the rest of the emulation
products)
do and must respect object authority.  The problem that you likely
experienced is
that the underlying objects were _not_ secured at an object level.  Many
(most?)
AS/400 application packages grant excess authority to either *PUBLIC or
to the
group profile that all application users belong to (Usually the
applicaiton
vendor makes the object owner profile and the group profile one and the
same).

So AS/400 security is completely _respected by_ Client Access.
Unfortunately
AS/400 security is completely _ignored_ by too many software
applications, and
thus the software application "security" is completely _ignored_ by
Client Access
(and FTP and DDM, and Query, and DBU, and any other data access tool
that the
application vendor didn't supply).

jte



--
John Earl                               johnearl@400security.com
The PowerTech Group                     206-575-0711
PowerLock Network Security              www.400security.com
--


+---
| This is the Midrange System Mailing List!
| To submit a new message, send your mail to MIDRANGE-L@midrange.com.
| To subscribe to this list send email to MIDRANGE-L-SUB@midrange.com.
| To unsubscribe from this list send email to
MIDRANGE-L-UNSUB@midrange.com.
| Questions should be directed to the list owner/operator:
david@midrange.com
+---
+---
| This is the Midrange System Mailing List!
| To submit a new message, send your mail to MIDRANGE-L@midrange.com.
| To subscribe to this list send email to MIDRANGE-L-SUB@midrange.com.
| To unsubscribe from this list send email to MIDRANGE-L-UNSUB@midrange.com.
| Questions should be directed to the list owner/operator: david@midrange.com
+---