× The internal search function is temporarily non-functional. The current search engine is no longer viable and we are researching alternatives.
As a stop gap measure, we are using Google's custom search engine service.
If you know of an easy to use, open source, search engine ... please contact support@midrange.com.


  1.  Home
  2. SECURITY400
  3. September 2006

Re: Application only access, was Commands for Limited Users

Rob:

You should see both users. The signed on user will be listed under the
job user "User Name". The swapped-to user will be "User Profile".

Phil Ashe
NetIQ (A division of Attachmate)
1233 West Loop South, Suite 1800 | Houston, TX 77027 USA
713.418.5279 phone
phil.ashe@xxxxxxxxxxxxxx
www.netiq.com 

-----Original Message-----
From: security400-bounces@xxxxxxxxxxxx
[mailto:security400-bounces@xxxxxxxxxxxx] On Behalf Of rob@xxxxxxxxx
Sent: Thursday, September 07, 2006 12:55 PM
To: Security Administration on the AS400 / iSeries
Subject: [Security400] Application only access,was Commands for Limited
Users

And it's not future science we're talking about here.  I've already been
burned by IFS limitations with this stuff.  Profile switching is the
cure.

The question I have about profile switching is what it does to
journalling?  Does the journal record the switched to profile, the
switched from profile, or both?

Adopting authority records the actual user.

Then again, any data queue driven update would probably record the wrong
user profile into the journal also.

Rob Berendt
--
Group Dekko Services, LLC
Dept 01.073
PO Box 2000
Dock 108
6928N 400E
Kendallville, IN 46755
http://www.dekko.com





"John Earl" <john.earl@xxxxxxxxxxxxx> 
Sent by: security400-bounces+rob=dekko.com@xxxxxxxxxxxx
09/07/2006 01:47 PM
Please respond to
Security Administration on the AS400 / iSeries
<security400@xxxxxxxxxxxx>


To
"Security Administration on the AS400 / iSeries" 
<security400@xxxxxxxxxxxx>
cc

Subject
Re: [Security400] Commands for Limited Users






Edwin,


Correct me if I am wrong, but the proper way to secure
this object would
be to have
*public with *exclude, "/Serviceprofile/" with *all (or as
needed) and
then do a
CHGPGM /pgmname/ USRPRF(*owner) to adopt the service
profiles authority.
Then do a CHGOBJOWN OBJ(/pgmname/) OBJTYPE(*PGM)
NEWOWN(/Serviceprofile/)
which will make the owner of the program the service
profile.


If you accuse me of being a stickler for detail on this point, I'll
accept the charge, but I would characterize the authorization scheme you
have outlined here is an "adopted authority" scheme rather than an
"object authority" scheme.  To me an object authority scheme is one
where all users of a file are granted authority to that file either
directly, through one of their group profiles, or via an authorization
list, and an adopted authority scheme is one where no users are allowed
direct access to the data unless they go through an approved interface,
and that interface is able to provide the requisite authority to get the
job done. 

I like, and use, adopted authority schemes.  But I don't think they are
the same thing as object authority (maybe that is just my own semantic
bugaboo).  I'm also aware of the limitation that threatens their
obsolescence (the fact that adopted authority is not supported in file
systems other than QSYS.LIB).  Most of the newer web based applications
are use objects in file systems other than QSYS.LIB, so a traditional
adopted authority scheme will not be effective. 

And this is the point that leaves me confused about the whole "object
level security" promotion.  Most of the folks that I have heard promote
OLS as "the correct way" to do secure a System i, don't really mean OLS,
they mean "adopted authority".  But adopted authority has a serious
shortcoming that limits it's usefulness in the file systems that the
majority of new applications would use. 


jte





--
John Earl | Chief Technology Officer
The PowerTech Group
19426 68th Ave. S
Seattle, WA 98032
(253) 872-7788 ext. 302
john.earl@xxxxxxxxxxxxx
www.powertech.com 
Celebrating our 10th Anniversary Year!
 


_______________________________________________
This is the Security Administration on the AS400 / iSeries (Security400)
mailing list
To post a message email: Security400@xxxxxxxxxxxx
To subscribe, unsubscribe, or change list options,
visit: http://lists.midrange.com/mailman/listinfo/security400
or email: Security400-request@xxxxxxxxxxxx
Before posting, please take a moment to review the archives
at http://archive.midrange.com/security400.

As an Amazon Associate we earn from qualifying purchases.

This thread ...
Follow-Ups:
Follow On AppleNews
Return to Archive home page | Return to MIDRANGE.COM home page

This mailing list archive is Copyright 1997-2024 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page. If you have questions about this, please contact [javascript protected email address].

Operating expenses for this site are earned using the Amazon Associate program and Google Adsense.