× The internal search function is temporarily non-functional. The current search engine is no longer viable and we are researching alternatives.
As a stop gap measure, we are using Google's custom search engine service.
If you know of an easy to use, open source, search engine ... please contact support@midrange.com.



John,
        I agree with this methodology, and we are attempting to have our
ownership set up in this manner.  We have the luxury of Aldon Change
Management to facilitate an automated ownership change at object creation!

Larry

Larry Ketzes
Senior Security Project Analyst
American Life Insurance Company

One ALICO Plaza
600 King Street
Wilmington, DE 19801
Phone: 302-594-2146
Mobile: 302-559-1631
Email: larry.ketzes@xxxxxxx


-----Original Message-----
From: midrange-l-bounces@xxxxxxxxxxxx
[mailto:midrange-l-bounces@xxxxxxxxxxxx] On Behalf Of John Earl
Sent: Thursday, February 16, 2006 1:00 PM
To: Midrange Systems Technical Discussion
Subject: RE: Supplemental Groups

Steve,

> Snip
> 
>   "That is why many admin's suggest you have individual
> profiles own their own objects when they are created."
> 
>   End Snip
> 
>   I respectfully and whole-heartedly disagree with this
> statement.  

<Snip>
 
>   The owner of newly created objects should be set to the
> user's primary group profile and this should be coupled
> with group profile entries within authorization lists to
> facilitate access to the application programs and files.

<Snip>

And I must respectfully disagree with your proposed solution. - Group
profile ownership is the lazy route to object ownership assignment that
ultimately puts entire applications at risk.  If BOB creates a file, and
then ownership is assigned to BOB's group (Let's say "SALES"), then
everyone in Sales now has full read, update, and delete rights to the
file - this is how many systems got into the security pickle they find
themselves in today - There are 917 users in a group that owns a some
files, so now all 917 users exercise "ownership" rights to those files.

IMHO, the proper way to handle object ownership is to have, for each
application, an owner profile that has no password and is not a group
profile for anyone.  Then when new objects are created the ownership,
*PUBLIC, and Group authorities should be set in a distinct step that
immediately follows object creation.  

If the object is created as a part of an application, then the
application is responsible for setting the proper ownership and
authorities.  If the object is created by an IT person, hen that person
is responsible for setting the proper ownership and authorities (granted
a little automation would help here because humans are, by definition,
are fallible).

Ever watch a good UNIX admin at work?  Every time they create some new
file, they immediately do a 'chmod' command.  It's part of their DNA.
It needs to become a part of ours.

jte

--
John Earl | Chief Technology Officer
The PowerTech Group
19426 68th Ave. S
Seattle, WA 98032
(253) 872-7788 ext. 302
john.earl@xxxxxxxxxxxxx
www.powertech.com 
 

 
This email message and any attachments are intended only for the use of
the intended recipients and may contain information that is privileged
and confidential. If you are not the intended recipient, any
dissemination, distribution, or copying is strictly prohibited. If you
received this email message in error, please immediately notify the
sender by replying to this email message, or by telephone, and delete
the message from your email system.
--

> -----Original Message-----
> From: midrange-l-bounces@xxxxxxxxxxxx [mailto:midrange-l-
> bounces@xxxxxxxxxxxx] On Behalf Of Steve Martinson
> Sent: Thursday, February 16, 2006 9:11 AM
> To: midrange forum
> Subject: RE: Supplemental Groups
> 
> Snip
> 
>   "That is why many admin's suggest you have individual
> profiles own their own objects when they are created."
> 
>   End Snip
> 
>   I respectfully and whole-heartedly disagree with this
> statement.  The fact that individual user profiles own
> objects quite often caused MUCH grief to administrators,
> most notably when BOB leaves the company (or gets hit by
> the beer truck).  I see this all the time (and I'm at a
> different client site practically every week).  They try
> to delete his profile, but it owns bunches of objects,
> including device descriptions and who knows what else.
> So... they leave it there (hopefully *DISABLED with
> password of *NONE) because they can't get rid of it.
> 
>   The owner of newly created objects should be set to the
> user's primary group profile and this should be coupled
> with group profile entries within authorization lists to
> facilitate access to the application programs and files.
> Of course, if you can avoid getting too deep into
> supplemental groups, that's always better (as someone
> already mentioned).
> 
> 
> 
> Best regards,
> 
> Steven W. Martinson, CISSP, CISM
> Consultant - Servique, LLC
> 
> Cell 281.546.9836
> www.servique.com
> 4801 Woodway Drive, Suite 300E
> Houston, TX 77056
> 
> "Uniquely Qualified"
> 
> ---------------------------------
>  Yahoo! Autos. Looking for a sweet ride? Get pricing,
> reviews, & more on new and used cars.
> --
> This is the Midrange Systems Technical Discussion
> (MIDRANGE-L) mailing list
> To post a message email: MIDRANGE-L@xxxxxxxxxxxx
> To subscribe, unsubscribe, or change list options,
> visit:
> http://lists.midrange.com/mailman/listinfo/midrange-l
> or email: MIDRANGE-L-request@xxxxxxxxxxxx
> Before posting, please take a moment to review the
> archives
> at http://archive.midrange.com/midrange-l.
> 



As an Amazon Associate we earn from qualifying purchases.

This thread ...


Follow On AppleNews
Return to Archive home page | Return to MIDRANGE.COM home page

This mailing list archive is Copyright 1997-2024 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page. If you have questions about this, please contact [javascript protected email address].

Operating expenses for this site are earned using the Amazon Associate program and Google Adsense.