• Subject: Re: USRCLS(*USER) = *ALLOBJ....???
  • From: Rob Berendt <rob@xxxxxxxxx>
  • Date: Wed, 31 Mar 1999 8:35:08 -0500

While I think that running at less than level 30 is ridiculous I'd like to
bring up a point.  The way most people implement security, they might as well
be running at level 20.

Typical scenario:
Several libraries are owned by a group profile, let's use SSA for an example.
All the users have SSA as their group profile, (unless they are using the other 
package on the system to do their accounting).
Therefore all of the users, (at least the SSA users) have *ALL access to all of 
the files owned by SSA.
Security officer says I'm secure.  I only allow them to access via menus.
Some user then downloads the file using Client Access.
Another user uses ftp from their PC to get to the data.
Another user, using NT and Client Access, clicks on start, run, and then types 
in  RMTCMD DLTF library/ECLL01
        Test this with rmtcmd sndmsg 'test' rob
Another user ...

There are workarounds to limit this.  Such as exit point programming.  Another
method is to change all of the green screen programs to adopt the authority of
SSA and change the users to some other group profile.  I've known companies who
do this.  I don't know what they do for the limited grey screen programs they
use.
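
The adopted-authority workaround described in the message above, sketched in CL as an added example that is not part of the original post. SSA and ECLL01 come from the message; the library SSALIB, program ORDENT, group profile SSAUSR and user JSMITH are assumed names for illustration.

```cl
/* Added example. Assumed names: SSALIB, ORDENT, SSAUSR, JSMITH.       */
/* SSA keeps owning the application objects; end users stop being      */
/* members of SSA, so they no longer inherit its *ALL authority.       */

/* 1. A group profile for end users that owns nothing and cannot       */
/*    sign on.                                                         */
CRTUSRPRF USRPRF(SSAUSR) PASSWORD(*NONE) TEXT('SSA end users')

/* 2. Move each user out of the owning group.                          */
CHGUSRPRF USRPRF(JSMITH) GRPPRF(SSAUSR)

/* 3. Close the public path to the data, otherwise Client Access       */
/*    download, FTP and RMTCMD still reach the file through *PUBLIC.   */
GRTOBJAUT OBJ(SSALIB/ECLL01) OBJTYPE(*FILE) USER(*PUBLIC) AUT(*EXCLUDE)

/* 4. The green screen program is owned by SSA and adopts the owner's  */
/*    authority while it runs.                                         */
CHGOBJOWN OBJ(SSALIB/ORDENT) OBJTYPE(*PGM) NEWOWN(SSA)
CHGPGM PGM(SSALIB/ORDENT) USRPRF(*OWNER)

/* 5. Users may only call the program, not touch the file directly.    */
GRTOBJAUT OBJ(SSALIB/ORDENT) OBJTYPE(*PGM) USER(SSAUSR) AUT(*USE)

/* 6. Verify: the file authorities, and which programs adopt SSA.      */
/*    A program that adopts SSA and offers a command line hands that   */
/*    authority to the user, so review this list.                      */
DSPOBJAUT OBJ(SSALIB/ECLL01) OBJTYPE(*FILE)
DSPPGMADP USRPRF(SSA)
```

After these changes the RMTCMD test from the message, run as JSMITH against SSALIB/ECLL01, should fail with a not-authorized error, while the same user can still work with the file through ORDENT.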





lbruck@pmigroup.com on 03/30/99 04:32:20 PM
Please respond to MIDRANGE-L@midrange.com@Internet
To:     dr2@cssas400.com@Internet, ipacsjj@public.sta.net.cn@Internet
cc:     MIDRANGE-L@midrange.com@Internet 

Subject:        Re: USRCLS(*USER) = *ALLOBJ....???

If your business partner wants you at 20, I'd find a new business partner that 
knows something about the AS/400 and security.

Thanks,

Laurin Bruck
Technical Services

>>> Don <dr2@cssas400.com> 10:53:17 AM 3/30/99 >>>
> 
> If your AS/400 system security level is 10 or 20, the user that
> their USRCLS  is *USER has the special authority *ALLOBJ.
> Otherwise, they have not.
> 


Perhaps, but I'm at 30 !  This "business partner" would like for me to be
at 20...but he got overruled!

Don in DC



