RE: Allowing Someone to Create User Profiles... -- SECURITY400

Tom,

Thanks for all the good, thought provoking information !

I could even create this profile and not allow it to signon for added
"strength" ?

Chuck


-----Original Message-----
From: security400-bounces@xxxxxxxxxxxx
[mailto:security400-bounces@xxxxxxxxxxxx] On Behalf Of Tom Liotta
Sent: Wednesday, September 24, 2003 4:15 PM
To: Security Administration on the AS400 / iSeries
Subject: RE: [Security400] Allowing Someone to Create User Profiles...

Chuck:

As long as you grant the "regular user" authority to the program, there
should be no problem. The rule-of-thumb to keep in mind is something like
"You can't grant an authority that you do not have." If the program is owned
by QSECOFR and is compiled to run under the owner's authority, then that
program can do just about anything as long as you have authority to program
it. And anyone who's authorized to that program can do whatever that program
allows.

I'd guess that it's very rare that a *SECOFR class profile needs to be
created by any user while you're away. So perhaps you wouldn't put that
capability in. It seems reasonable that the vast majority will be general
*USER class profiles who will be granted authority to various applications,
and perhaps you have reason to include a special authority such as *JOBCTL.

Under that scenario, then you might create a profile that has *SECADM and
*JOBCTL special authorities plus whatever application authorities are
reasonable. This will be the owner of your program. Then, no matter what
else happens -- unintended command lines for example -- the authority won't
be enough to do many surprising things.

Taking this a step further, perhaps the only authority you really want for
the *OWNER profile is the *SECADM special authority. The owner's authority
is cumulative with the user. Most likely the reason your users can't create
new profiles is because they don't have *SECADM; they might have all the
necessary object authorities for your applications. That setup would mean
that a user who was authorized to your program could only create another
user with the same or lesser authority. (I believe *SECADM cannot be granted
unless *ALLOBJ is also available.)

By granting program authority to a few application administrators, each
application group could create new profiles as needed -- and only within
their areas. (This normally would include authority to relevant group
profiles, but you'll need to verify your own circumstances.)

You might also want to turn on object auditing for the program, or perhaps
have the program turn on auditing for the calling user and turn it back off
when it exits. These require *AUDIT special authority and should also be off
in a separate program called by your main program.

Perhaps the trickiest part will be getting any needed private authorities
set. That may depend on how you're currently set up. Do your users have
authority to all needed libraries and objects? Or do they instead have
authority only to call application programs that also use adopted authority
to get their work done? Do you have multiple groups of users with sets of
private authorities? Are groups of users authorized by way of group
profiles? authorization lists? In short, can you reasonably create a program
that covers all the ground you need to cover?

Since you probably have been doing it manually for a while, I imagine you
know the patterns for your shop. Just wanted to mention things for
discussion and archives.

Grant the minimum authority needed for a task and it's much harder to go
wrong, especially if anyone ever questions (audits) the results later.

Tom Liotta


"Chuck Lewis" <clewis> wrote:

>Cool. I've done that before with other stuff but I was thinking
>(incorrectly) that a regular user could not do this.
>
>Thanks !
>
>Chuck
>
>
>-----Original Message-----
>
>      The easy way is to write a program or a number of programs and make
>the owner QSECOFR and when you create the programs take F4 and use 'USRPRF
>*OWNER', the default is *USER.  Change the owner of the programs QSECOFR.
>Make sure that the user cannot get to a command line while using the menu
>options, since they will still have QSECOFR authority if they can.
>      Hope this helps.
>                                       
> Julio Domingo                         
>                                       

-- 
Tom Liotta
The PowerTech Group, Inc.
19426 68th Avenue South
Kent, WA 98032
Phone  253-872-7788 x313
Fax    253-872-7904
http://www.powertechgroup.com


__________________________________________________________________
McAfee VirusScan Online from the Netscape Network.
Comprehensive protection for your entire computer. Get your free trial
today!
http://channels.netscape.com/ns/computing/mcafee/index.jsp?promo=393397

Get AOL Instant Messenger 5.1 free of charge.  Download Now!
http://aim.aol.com/aimnew/Aim/register.adp?promo=380455
_______________________________________________
This is the Security Administration on the AS400 / iSeries (Security400)
mailing list
To post a message email: Security400@xxxxxxxxxxxx
To subscribe, unsubscribe, or change list options,
visit: http://lists.midrange.com/mailman/listinfo/security400
or email: Security400-request@xxxxxxxxxxxx
Before posting, please take a moment to review the archives
at http://archive.midrange.com/security400.