RE: Adopted authority vs profile switching

This link from the knowledge base has some basin info:

http://www-1.ibm.com/support/docview.wss?uid=nas189a654fd20ff249b86256a9500753d03&rs=110

If you are using the audit journal, it can be recorded.

Vern

Just getting caught up on my email.

This sounds pretty scary.  I've known about adopted authority since the
early days of the AS/400, but profile switching is news to me.

Am I reading this right?  Joe User can sign on with his profile, use some
magic command, and he can become QSECOFR?  With no trace back to Joe
User's profile?

How do we determine whether there is any profile switching going on?  Does
it get logged in the audit journal?

I searched InfoCenter and found references to QWTCHGJB & QWTSETP, but I
don't see anything that explicitly describes profile switching.

TIA,
GA

--- John Earl <john.earl@xxxxxxxxxxxxx> wrote:
> Rob,
>
> I don't really understand the question, because profile switching and
> adoption are two pretty different things.
>
> When I run a program that adopts your authority, I am now running with
> my authority + your authority.
>
> If I switch to your profile, I am no longer carrying any of my
> authority, I only have your authority.
>
> So switching is a new capability, not a replacement of an old
> capability.
>
> Also, to answer the question of the "security exposure" that switching
> might introduce, I don't really see it.  If I have *USE authority to
> your profile I can assume your identity in a number of ways.  Yes I can
> switch to it, but I also can submit a job as you, or add your name to a
> JOBD and have any number of batch, pre-start, or communications jobs run
> as you.  So the profile switching API's are a natural extension of
> capability that is already out there.  They don't introduce any new
> security exposures, thought they may highlight some existing ones (such
> as the fact that some of your users have *USE or better authority to
> other users profiles).
>
> JMHO,
>
> jte
>
> --
> John Earl | Chief Technology Officer
> The PowerTech Group
>
> > -----Original Message-----
> > From: midrange-l-bounces@xxxxxxxxxxxx [mailto:midrange-l-
> > bounces@xxxxxxxxxxxx] On Behalf Of rob@xxxxxxxxx
> > Sent: Friday, July 16, 2004 7:58 AM
> > To: midrange-l@xxxxxxxxxxxx
> > Subject: Adopted authority vs profile switching
> >
> > At one time IBM decided that using adopted authority
> > should not work in
> > certain situations, like creating certain group profiles,
> > etc.  Perhaps
> > they thought this was a security enhancement.
> > Then they allowed a workaround with profile switching.
> >
> > So then, does this not allowing adopted authority in these
> > situations now
> > go into the realm of 'security by obscurity' and should
> > they just open
> > these up to adopted authority?  Or do you see a value into
> > making people
> > use these api's to do profile switching, - in this
> > situation - ?
> >
> > Now, I am not arguing that profile switching may not be
> > useful in some
> > client serving or web based applications.  I am just
> > arguing about it in
> > the first situations.
> >
> > Rob Berendt

__________________________________________________
Do You Yahoo!?
Tired of spam?  Yahoo! Mail has the best spam protection around
http://mail.yahoo.com
--
This is the Midrange Systems Technical Discussion (MIDRANGE-L) mailing list
To post a message email: MIDRANGE-L@xxxxxxxxxxxx
To subscribe, unsubscribe, or change list options,
visit: http://lists.midrange.com/mailman/listinfo/midrange-l
or email: MIDRANGE-L-request@xxxxxxxxxxxx
Before posting, please take a moment to review the archives
at http://archive.midrange.com/midrange-l.