Right, I understand sudo and Windows admin permissions, but the point is you don't need to do user profile swapping to provide appropriate web app security.
A web app should generally have a single service account that the app runs under and this same account performs any database connections, program calls or file access.
That service account should have bare minimum permissions to the appropriate database tables and directories and should not be running system level commands.
If auth needs to happen it may be via IBMi Creds, AD, LDAP, etc., but you don't generally change the underlying service account connection.
Maybe your use case is making sudo/secofr level info available to a remote web user, but that sounds dangerous to me.
The reason is security enforcement. You can use any user to sign onto the IBM i from a remote web request; swapping the profile to the person who signed on ensures that they only have rights that are afforded when signed directly onto the IBM i. Otherwise the profile the job is running under is used for authority and that can either be too little or too much. Profile swapping is very valid for this purpose. Plus it helps with password checking.
Yes, you can switch profiles on other platforms (Linux by using the sudo or su command, Windows by using the ability to use the admin user to run the request, etc.).
From: C400-L <c400-l-bounces@xxxxxxxxxxxxxxxxxx> On Behalf Of Richard Schoen
Sent: September 21, 2021 1:06 PM
Subject: Re: [C400-L] User Profile handling in ancient release(s)
What's the reason for switching profiles?
No other platform does this that I'm aware of.
In general a daemon job or web server/service generally runs under a specific server/daemon user profile and then all work is done under that user.
However, on IBMi you can certainly authenticate via the user profile check API; I would not be switching user profiles.
Unless you have a specific reason to do so.
I did this with a product several years back for recreating spool files with the right user and it forced us to store user/password combos in a table. Ugh.