RE: iASP security

One quick question: If the goal is to set up multi-tenant situations on a
system, and you set the minimum storage for each tenant at 480GB (80x6 to
support V7R2) then why not just give each of them a virtually hosted
partition (hosted by IBM i or VIOS) and be done with it? The security is
entirely up the tenant and your networking/system administration and
management are somewhat more streamlined and mainstream. Now you're not
carving up physical storage, and it's more efficient. (see iDevCloud --
That's how Larry and I set it up to start with and Pete and Larry continue
to this day doing it that way)

Want to use PowerHA to provide HA services, then put the NWS storage in the
iASP. Done. There are a couple of small gotchas in that approach but it
solves the security and a plethora of other problems I can think of in an
iASP environment.

--
Jim Oberholtzer
Chief Technical Architect
Agile Technology Architects


-----Original Message-----
From: MIDRANGE-L [mailto:midrange-l-bounces@xxxxxxxxxxxx] On Behalf Of
Nathan Andelin
Sent: Thursday, October 02, 2014 6:07 PM
To: Midrange Systems Technical Discussion
Subject: Re: iASP security

The promotional material associated with IASPs seems to be over-reaching -
at least to me. They promote partitioning disk units between tenants. That
leads to running more disk drives without much in return, as far as I can
tell. I seem to recall Power HA relying on it.

I recall reading that when you vary off an IASP, you can no longer use the
Libraries (or SQL Schemas) associated with it.

It seems to me that Libraries already offer a suitable means of separating
tenant data, without needing to assign disk units to each.

The "help" associated with INLASPGRP says that the SETASPGRP command can be
used to change the thread's initial setting.

Nathan.


On Thu, Oct 2, 2014 at 4:08 PM, Aaron Bartell <aaronbartell@xxxxxxxxx>
wrote:

The session or Job may be associated with an "Initial ASP Group", but
what

does that mean? I doubt that it has anything to do with user-object
authority.

That's what I am trying to figure out. iASP is being declared, by
IBM, as a good SaaS-model-way to separate out multi-tenant situations
(i.e. same named libs but different iASP). What I am trying to
determine is if this SaaS they are talking about was in a situation
where the user didn't have access to a command line and instead it was
only through a browser. I shot an email off to IBM but also wanted to get

community input.

Aaron Bartell

On Thu, Oct 2, 2014 at 4:40 PM, Nathan Andelin <nandelin@xxxxxxxxx> wrote:

I don't have a server with multiple IASPs to test this, but I
question

the

assertion about users being "placed in" an IASP when they sign-in.
The session or Job may be associated with an "Initial ASP Group",
but what

does

that mean? I doubt that it has anything to do with user-object

authority.

Nathan.


On Thu, Oct 2, 2014 at 3:14 PM, Aaron Bartell
<aaronbartell@xxxxxxxxx>
wrote:

Hello,

I have some iASP security questions I hope someone can answer.
Let me

lay

out a scenario:

*Scenario*
- I have a single IBM i instance, let's call this IBMi1
- I have two IASPs configured, IASP1 and IASP2
- I have two users configured, USR1 and USR2 (QSECURITY=30,

USRCLS(*PGMR))

- USR1 has a *JOBD with INLASPGRP(IASP1)
- USR2 has a *JOBD with INLASPGRP(IASP2)
- I have two libs, LIB1 is in IASP1 and LIB2 is in IASP2
- I have two RPG *PGM objects, RPG1 is in LIB1 and RPG2 is in LIB2

When USR1 logs into a IBMi1 5250 session (and inherently placed in

IASP1),

can they see or attempt to invoke LIB2/RPG2 in IASP2 if the
authority

is

*PUBLIC(*USE)?

Can USR1 see or invoke IFS files in IASP2 if files are set to
chmod

go+rx?

I would test this myself except I am having issues setting up the

scenario

on IBM's PDP
<

https://www-304.ibm.com/partnerworld/wps/servlet/ContentHandler/stg_co
m_sys_power-development-platform

service
(I have an email into support). I would try iASP on the variety
of

other

servers I have access to, but I don't want to accidentally hose

anything

:-P

Thanks,
Aaron Bartell
--
This is the Midrange Systems Technical Discussion (MIDRANGE-L)
mailing

list

To post a message email: MIDRANGE-L@xxxxxxxxxxxx To subscribe,
unsubscribe, or change list options,
visit: http://lists.midrange.com/mailman/listinfo/midrange-l
or email: MIDRANGE-L-request@xxxxxxxxxxxx Before posting, please
take a moment to review the archives at
http://archive.midrange.com/midrange-l.

--
This is the Midrange Systems Technical Discussion (MIDRANGE-L)
mailing

list

To post a message email: MIDRANGE-L@xxxxxxxxxxxx To subscribe,
unsubscribe, or change list options,
visit: http://lists.midrange.com/mailman/listinfo/midrange-l
or email: MIDRANGE-L-request@xxxxxxxxxxxx Before posting, please
take a moment to review the archives at
http://archive.midrange.com/midrange-l.

--
This is the Midrange Systems Technical Discussion (MIDRANGE-L) mailing
list To post a message email: MIDRANGE-L@xxxxxxxxxxxx To subscribe,
unsubscribe, or change list options,
visit: http://lists.midrange.com/mailman/listinfo/midrange-l
or email: MIDRANGE-L-request@xxxxxxxxxxxx Before posting, please take
a moment to review the archives at
http://archive.midrange.com/midrange-l.

--
This is the Midrange Systems Technical Discussion (MIDRANGE-L) mailing list
To post a message email: MIDRANGE-L@xxxxxxxxxxxx To subscribe, unsubscribe,
or change list options,
visit: http://lists.midrange.com/mailman/listinfo/midrange-l
or email: MIDRANGE-L-request@xxxxxxxxxxxx Before posting, please take a
moment to review the archives at http://archive.midrange.com/midrange-l.