× The internal search function is temporarily non-functional. The current search engine is no longer viable and we are researching alternatives.
As a stop gap measure, we are using Google's custom search engine service.
If you know of an easy to use, open source, search engine ... please contact support@midrange.com.


  1.  Home
  2. MIDRANGE-L
  3. April 2002

Re: Exit Point Question/profile switching...

Tim,

> [ Picked text/plain from multipart/alternative ]
> Is this possible and if so is there a simple CL command to do it?
> I would like to add a exit point program to QIBM_QZDA_INIT to switch the
> userprofile to a less powerful profile (for users not found in a control
> table).  What command would I use?  And if so, would the profile switch
> exist when they make the QIBM_QZDA_SQL1 call, or would I need to switch
the
> profile here also?
> Or am I doing this all wrong?
> My goal is this, to create a user profile that excludes our payroll
library,
> and give the odbc requests this profile...

Yes it is possible.  This is a cornerstone feature of our PowerLock
NetworkSecurity software, for all of the reasons that you mention in your
follow-on posting.  This feature allows you to change the personality of a
user going through the ODBC, (or FTP or DDM, etc) without re-arranging the
application security that the application vendor has stuck you with.  I'd
have to argue with Evan's points (Sorry Evan, you're normally so right!)
about simplicity of security design, given the lack of network security in
many application packages, lots of folks have found that using our Switch
Profile capability to be the simplest way to manage ODBC and FTP.

So without giving away all of our trade secrets, here are some technical
tips for doing this sort of thing....
- No, there is not a command, you have to write to the Swap profile API's
(QWTSETP, QSYGETPH)
- Many of these servers are re-entrant - meaning that they are used 200
times by potentially 200 different users before your program ends and
restarts.  You have to manage the security each time you go through an exit
program because there is no guarantee that the same user will use the same
server job twice in a row.  You don't want to be handing out authority carte
blanche.
- There are a limited number of times that you are allowed to swap within a
job.  You should go back and clean up after yourself each time.
- Once You swap from "Fred" to "Fred2"  Expect "Fred2" to have no access to
any of "Fred's" stuff   (That's the whole purpose of the exercise)
- When your exit program returns an "OK" to the server, your program is
finished.  You don't get an opportunity to swap back after the ODBC
transaction is done.  You have to clean up on your next trip back into the
server.  Don't foul this part up, or you'll leave inappropriate authority
laying around.
- The original users library list, Outqueue, accounting code, etc are still
attached to the job.  The only thing you are changing is the authority
landscape
- As Syd mentioned, there are lots and lots of servers.  You'll want to do
this for more than just the 4 ODBC servers.

Or, of course, you could save your self a bunch of time, aggravation, and
money and purchase a product like ours.  We've been doing exit points for
more than six years now.  We already know where the land mines are.  :)

jte


John Earl
www.powertechgroup.com  john.earl@powertechgroup.com
The Powertech Group Inc. Seattle, Washington
Where the Security Experts Live!

Phone: +1-253-872-7788
Fax:      +1-253-872-7904
--

As an Amazon Associate we earn from qualifying purchases.

This thread ...
Replies:
Follow On AppleNews
Return to Archive home page | Return to MIDRANGE.COM home page

This mailing list archive is Copyright 1997-2024 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page. If you have questions about this, please contact [javascript protected email address].

Operating expenses for this site are earned using the Amazon Associate program and Google Adsense.