RE: Documenting / Managing iSeries security -- SECURITY400

2)  'Private' authorities.  I forget where it stores this information, but 
evidently it takes a chunk.  Authorization lists don't have this mess.

3)  There is a limit of 15 supplemental groups.  We have more group 
profiles than that.  We have a program owned by a user profile, that does 
NOT have *ALLOBJ.  It is supposed to access data in several of those 
groups.  It ran into the wall.

Basically, to get started right, do the following:
1)  Create your authorization list.
2)  CHGLIB LIB(MYLIB) CRTAUT(MYAUTL)  This says to assign that 
authorization list to anything new created in that library.
3)  CHGAUT OBJ('/qsys.lib/mylib.lib') AUTL(MYAUTL)
4)  CHGAUT OBJ('/qsys.lib/mylib.lib') USER(*PUBLIC) DTAAUT(*AUTL) 
OBJAUT(*NONE)
5)  CHGAUT OBJ('/qsys.lib/mylib.lib/*') AUTL(MYAUTL)
6)  CHGAUT OBJ('/qsys.lib/mylib.lib/*') USER(*PUBLIC) DTAAUT(*AUTL) 
OBJAUT(*NONE)
We keep program objects in one library, and data objects in another.  They 
are secured by two separate authorization lists.  After all, users should 
be able to modify data, not programs.  (Display files go into the program 
library, not the data library.  I would like to think that would go 
without saying, but some  'ahem' "people" see 'file' and ...)

Rob Berendt
-- 
Group Dekko Services, LLC
Dept 01.073
PO Box 2000
Dock 108
6928N 400E
Kendallville, IN 46755
http://www.dekko.com





CWilt@xxxxxxxxxxxx 
Sent by: security400-bounces@xxxxxxxxxxxx
05/18/2004 08:19 AM
Please respond to
Security Administration on the AS400 / iSeries  <security400@xxxxxxxxxxxx>


To
security400@xxxxxxxxxxxx
cc

Subject
RE: [Security400] Documenting / Managing iSeries security






Rob,

I'm curious about #2, do you know why this is the case?  If you talked to
IBM did they provide any kind of an explanation?

Also, about #3: how many groups are we talking about?

Charles


> -----Original Message-----
> From: rob@xxxxxxxxx [mailto:rob@xxxxxxxxx]
> Sent: Monday, May 17, 2004 1:44 PM
> To: Security Administration on the AS400 / iSeries
> Subject: RE: [Security400] Documenting / Managing iSeries security
> 
> 
> I abhor supplemental groups.  Had a couple of problems with that:
> 
> 1)  Someone started assigning a 'owner' profile as a 
> supplemental group 
> profile.  This 'owner' profile had the special authority of 
> *ALLOBJ.  Thus 
> all the users with this supplemental group had *ALLOBJ.
> Cardinal rule #1-'Owner' profiles should not have any special 
> authorities.
> 
> 2)  Supplemental groups significantly increase the length of 
> your SAVSYS. 
> Increased ours from 4 minutes to 44 minutes.
> 
> 3)  There is a limit to how many supplemental groups one user may be 
> assigned to.  We were actually hitting this.
> 
> Better to use authorization lists wisely.
> 
> Rob Berendt
> -- 
> Group Dekko Services, LLC
> Dept 01.073
> PO Box 2000
> Dock 108
> 6928N 400E
> Kendallville, IN 46755
> http://www.dekko.com
> 
> _______________________________________________
> This is the Security Administration on the AS400 / iSeries 
> (Security400) mailing list
> To post a message email: Security400@xxxxxxxxxxxx
> To subscribe, unsubscribe, or change list options,
> visit: http://lists.midrange.com/mailman/listinfo/security400
> or email: Security400-request@xxxxxxxxxxxx
> Before posting, please take a moment to review the archives
> at http://archive.midrange.com/security400.
> 
_______________________________________________
This is the Security Administration on the AS400 / iSeries (Security400) 
mailing list
To post a message email: Security400@xxxxxxxxxxxx
To subscribe, unsubscribe, or change list options,
visit: http://lists.midrange.com/mailman/listinfo/security400
or email: Security400-request@xxxxxxxxxxxx
Before posting, please take a moment to review the archives
at http://archive.midrange.com/security400.