


David:

<vendor spiel> We implemented capabilities to swap profiles in our
remote server exit programs. We have the ability to increase or decrease
a user's authority to an object. I think this is a common feature from
many exit program providers.

I wasn't aware that adopted authority was outdated. I think it is still
commonly used. I have seen poor implementations of adopted authority,
usually in the one-size-fits-all implementation from some package
vendors. The biggest security problem I continue to see with adopted
authority is allowing the user profile that owns objects to be
accessible by remote servers.

I haven't seen large applications built around adopted authority that
use files outside of QSYS.LIB. I can see problems in this space. 

Phil Ashe
NetIQ (A division of Attachmate)
1233 West Loop South, Suite 1800 | Houston, TX 77027 USA
713.418.5279 phone
phil.ashe@xxxxxxxxxxxxxx
www.netiq.com 

-----Original Message-----
From: security400-bounces@xxxxxxxxxxxx
[mailto:security400-bounces@xxxxxxxxxxxx] On Behalf Of David Morris
Sent: Thursday, September 07, 2006 12:30 PM
To: Security Administration on the AS400 / iSeries
Subject: Re: [Security400] Commands for Limited Users

Phil,

Adopted authority is nearly as outdated as limited capability. It
doesn't work well with triggers or IFS files and is incompletely
implemented. Adoption is ineffective in exits but based on your message
you may have overcome some of the limitations I have run up against. The
biggest reason to avoid adoption is that it is often implemented
incorrectly and is frequently the source of serious security problems. 

A few years back, I started using a technique that gives similar
function by swapping in or setting effective groups and supplemental
groups. 

--David Morris 




This mailing list archive is Copyright 1997-2024 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited.
