• Subject: Re: Restricting User Access
  • From: John Earl <johnearl@xxxxxxxxxx>
  • Date: Mon, 17 Nov 1997 22:09:59 -0800

Chris,

At 04:44 PM 11/17/97 -0500, you wrote:
>
>Hello everyone!
>
>I have a security question that some of you may be able to help me with.
>
>Simply put -- Do you know if there is a way to create a user profile that
>is NOT authorized to anything?

A while back I was lobbying IBM to create just such a profile.  What I was
asking for was a bit in the user profile that would say "this user cannot
get authority to user domain objects from *PUBLIC".  This would be a great
boon to folks who wanted to put legacy /400's on the net but were scared
silly about the 'openness' of their boxes.  

Some members of the security team told me that they looked at this really
hard, but determined that there was no way to implement it without affecting
the performance of every AS/400 object lookup.  (The problem being that
public authorities are stored with the object.  This scheme would require
that even if the object was *PUBLIC *ALL, you would still incur a lookup
against the user profile object to see if this particular profile was
restricted from public access).


>
>I'm trying to set up a user ID on the '400 that basically is not authorized
>to anything.  I would like to then set up specific objects (pgms) that the
>user is authorized to.

They have created something mildly similar in V4R1 called Validation Lists.
Validation Lists can be thought of as 'Internet Profiles' (even though they're
capable of bunches more stuff).  With Validation Lists you can store an
encrypted key (read: password) with a unique identifier (read: profile) on
the /400 and use this to authenticate users to objects without having to
create individual profiles for those users.  (Useful in an internet
application where you are dealing with potentially thousands of people that
you don't want to give real AS/400 user profiles to).

Hope This Helps, but if it doesn't, write back with a little more detail
about what you're trying to accomplish and we'll all take another stab at it.

jte


>
>Any help is greatly appreciated .....Thanks!
>
>
>Chris Ring
>Senior Systems Analyst
>Arksys Inc.
>Little Rock, Arkansas
>
>
>+---
>| This is the Midrange System Mailing List!
>| To submit a new message, send your mail to "MIDRANGE-L@midrange.com".
>| To unsubscribe from this list send email to MAJORDOMO@midrange.com
>|    and specify 'unsubscribe MIDRANGE-L' in the body of your message.
>| Questions should be directed to the list owner/operator: david@midrange.com
>+---
>
>
*********************************
* John Earl                     *
* Lighthouse Software Inc.      *
* 8514 71st NW                  *
* Gig Harbor, WA 98335          *
* 253-858-7388                  *
* johnearl@lns400.com           *
*********************************






This mailing list archive is Copyright 1997-2019 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page. If you have questions about this, please contact [javascript protected email address].