× The internal search function is temporarily non-functional. The current search engine is no longer viable and we are researching alternatives.
As a stop gap measure, we are using Google's custom search engine service.
If you know of an easy to use, open source, search engine ... please contact support@midrange.com.


  1.  Home
  2. MIDRANGE-L
  3. October 2014

RE: iASP security

I have to admit being a bit unsure of your ultimate goals in the original
post. If your goal is to provide a SAAS environment where each tenant has
its own iASP, the easiest way to secure it is simply secure the iASP device.
Tenant 1 only has authority to iASP 1's device description, tenant 2 to iASP
2, etc. Make sure they do not have *ALLOBJ authority and you're about
done.

I suppose if you were making calls to programs using the root file structure
using the XML tool kit or similar tool, rather that the QSYS file structure
you could make a cross iASP call but I've never tried it. Aaron, call me if
you want to set one up, I've got a partition we could try it on.

--
Jim Oberholtzer
Chief Technical Architect
Agile Technology Architects


-----Original Message-----
From: MIDRANGE-L [mailto:midrange-l-bounces@xxxxxxxxxxxx] On Behalf Of Aaron
Bartell
Sent: Thursday, October 02, 2014 5:08 PM
To: Midrange Systems Technical Discussion
Subject: Re: iASP security

The session or Job may be associated with an "Initial ASP Group", but
what
does that mean? I doubt that it has anything to do with user-object
authority.

That's what I am trying to figure out. iASP is being declared, by IBM, as a
good SaaS-model-way to separate out multi-tenant situations (i.e. same named
libs but different iASP). What I am trying to determine is if this SaaS
they are talking about was in a situation where the user didn't have access
to a command line and instead it was only through a browser. I shot an
email off to IBM but also wanted to get community input.

Aaron Bartell

On Thu, Oct 2, 2014 at 4:40 PM, Nathan Andelin <nandelin@xxxxxxxxx> wrote:

I don't have a server with multiple IASPs to test this, but I question
the assertion about users being "placed in" an IASP when they sign-in.
The session or Job may be associated with an "Initial ASP Group", but
what does that mean? I doubt that it has anything to do with user-object
authority.

Nathan.


On Thu, Oct 2, 2014 at 3:14 PM, Aaron Bartell <aaronbartell@xxxxxxxxx>
wrote:

Hello,

I have some iASP security questions I hope someone can answer. Let
me
lay
out a scenario:

*Scenario*
- I have a single IBM i instance, let's call this IBMi1
- I have two IASPs configured, IASP1 and IASP2
- I have two users configured, USR1 and USR2 (QSECURITY=30,
USRCLS(*PGMR))
- USR1 has a *JOBD with INLASPGRP(IASP1)
- USR2 has a *JOBD with INLASPGRP(IASP2)
- I have two libs, LIB1 is in IASP1 and LIB2 is in IASP2
- I have two RPG *PGM objects, RPG1 is in LIB1 and RPG2 is in LIB2

When USR1 logs into a IBMi1 5250 session (and inherently placed in
IASP1),
can they see or attempt to invoke LIB2/RPG2 in IASP2 if the
authority is *PUBLIC(*USE)?

Can USR1 see or invoke IFS files in IASP2 if files are set to chmod
go+rx?

I would test this myself except I am having issues setting up the
scenario
on IBM's PDP
<

https://www-304.ibm.com/partnerworld/wps/servlet/ContentHandler/stg_co
m_sys_power-development-platform

service
(I have an email into support). I would try iASP on the variety of
other servers I have access to, but I don't want to accidentally
hose anything :-P

Thanks,
Aaron Bartell
--
This is the Midrange Systems Technical Discussion (MIDRANGE-L)
mailing
list
To post a message email: MIDRANGE-L@xxxxxxxxxxxx To subscribe,
unsubscribe, or change list options,
visit: http://lists.midrange.com/mailman/listinfo/midrange-l
or email: MIDRANGE-L-request@xxxxxxxxxxxx Before posting, please
take a moment to review the archives at
http://archive.midrange.com/midrange-l.


--
This is the Midrange Systems Technical Discussion (MIDRANGE-L) mailing
list To post a message email: MIDRANGE-L@xxxxxxxxxxxx To subscribe,
unsubscribe, or change list options,
visit: http://lists.midrange.com/mailman/listinfo/midrange-l
or email: MIDRANGE-L-request@xxxxxxxxxxxx Before posting, please take
a moment to review the archives at
http://archive.midrange.com/midrange-l.


--
This is the Midrange Systems Technical Discussion (MIDRANGE-L) mailing list
To post a message email: MIDRANGE-L@xxxxxxxxxxxx To subscribe, unsubscribe,
or change list options,
visit: http://lists.midrange.com/mailman/listinfo/midrange-l
or email: MIDRANGE-L-request@xxxxxxxxxxxx Before posting, please take a
moment to review the archives at http://archive.midrange.com/midrange-l.



As an Amazon Associate we earn from qualifying purchases.

This thread ...
Replies:
Follow On AppleNews
Return to Archive home page | Return to MIDRANGE.COM home page

This mailing list archive is Copyright 1997-2024 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page. If you have questions about this, please contact [javascript protected email address].

Operating expenses for this site are earned using the Amazon Associate program and Google Adsense.