Right, I understand sudo and Windows admin permissions, but the point is you don't need to do user profile swapping to provide appropriate web app security.

A web app should generally have a single service account that the app runs under and this same account performs any database connections, program calls or file access.

That service account should have bare minimum permissions to the appropriate database tables and directories and should not be running system level commands.

If auth needs to happen it may be via IBMi Creds, AD, LDAP, etc, but you don't generally change the underlying service account connection.

Maybe your use case is making sudo/secofr level info available to a remote web user, but that sounds dangerous to me.

Regards,
Richard Schoen
Web: http://www.richardschoen.net
Email: richard@xxxxxxxxxxxxxxxxx

The reason is security enforcement. You can use any user to sign onto the IBM i from a remote web request; swapping the profile to the person who signed on ensures that they only have rights that are afforded when signed directly onto the IBM i. Otherwise the profile the job is running under is used for authority and that can either be too little or too much. Profile swapping is very valid for this purpose. Plus it helps with password checking.

Yes, you can switch profiles on other platforms (Linux by using the sudo or su command, Windows by using the ability to use the admin user to run the request, etc.).

Chris...

-----Original Message-----
From: C400-L <c400-l-bounces@xxxxxxxxxxxxxxxxxx> On Behalf Of Richard Schoen
Sent: September 21, 2021 1:06 PM
To: c400-l@xxxxxxxxxxxxxxxxxx
Subject: Re: [C400-L] User Profile handling in ancient release(s)

What's the reason for switching profiles?

No other platform does this that I'm aware of.

In general a daemon job or web server/service generally runs under a specific server/daemon user profile and then all work is done under that user.

However, on IBMi you can certainly authenticate via the user profile check API; I would not be switching user profiles.

Unless you have a specific reason to do so.

I did this with a product several years back for recreating spool files with the right user and it forced us to store user/password combos in a table. Ugh.

Regards,
Richard Schoen
Web: http://www.richardschoen.net



This mailing list archive is Copyright 1997-2023 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page. If you have questions about this, please contact [javascript protected email address].
