× The internal search function is temporarily non-functional. The current search engine is no longer viable and we are researching alternatives.
As a stop gap measure, we are using Google's custom search engine service.
If you know of an easy to use, open source, search engine ... please contact support@midrange.com.


  1.  Home
  2. MIDRANGE-L
  3. March 2006

RE: RE: RE: Special authority use ... Auditing

The 'biggest' risk with giving *SAVSYS special authority out is that it
can be used to delete any object on the system, even if the user with
*SAVSYS authority is unable to access it... (via the Storage *FREE
option on the save commands)...

Kenneth

-----Original Message-----
From: midrange-l-bounces+keg=nwnatural.com@xxxxxxxxxxxx
[mailto:midrange-l-bounces+keg=nwnatural.com@xxxxxxxxxxxx] On Behalf Of
qsrvbas@xxxxxxxxxxxx
Sent: Sunday, March 26, 2006 6:47 PM
To: midrange-l@xxxxxxxxxxxx
Subject: RE: RE: RE: Special authority use ... Auditing

Mark:

While saving data is a perfectly reasonable operation within an
application, I'm not clear why it would require *SAVSYS for the
application user. *SAVSYS reaches far beyond any application to objects
that a user should not be saving. And certainly not restoring.

A general rule might be stated as "He who can save an object, can
restore the object." That can be a very real risk when some system
objects are included.

Tom Liotta

midrange-l-request@xxxxxxxxxxxx wrote:

>   7. RE: RE: Special authority use ... Auditing (M. Lazarus)
>
>  I have developed an application that allows users to save subsets 
>of data into *SAVFs and restore them on demand.
>
>At 3/24/06 07:35 PM, you wrote:
>>midrange-l-request@xxxxxxxxxxxx wrote:
>>
>> >   8. RE: Special authority use ... Auditing (Graap, Ken)
>> >
>> >The question I'm trying to answer now is "Why do regular application
>> >uses require *SAVSYS authority?" None of the developers in my shop
can
>> >answer that question. I need to understand that before I remove this
>> >special authority from the application's group profile. I was hoping
>> >that I could get information from the audit journal regarding this.
It
>> >looks like it isn't going to be that easy. I'll probably end up
>> >recommending that we make the change, see what "breaks" and then
address
>> >each situation as it comes up.
>>
>>
>>I'd expect that to be the best course to take. I'm having a very 
>>hard time grasping why any application users would ever need 
>>*SAVSYS. If something breaks, then that something needs to be fixed 
>>-- and _not_ by granting *SAVSYS.

As an Amazon Associate we earn from qualifying purchases.

This thread ...
Follow On AppleNews
Return to Archive home page | Return to MIDRANGE.COM home page

This mailing list archive is Copyright 1997-2024 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page. If you have questions about this, please contact [javascript protected email address].

Operating expenses for this site are earned using the Amazon Associate program and Google Adsense.