> From: DBale@lear.com (Bale, Dan)
>
> Wow. Is this documented, Al?

Referring to my remarks about qualifying vs. library list

> Could you point to some kind of reference
> if you have it handy, please?
>
> - Dan Bale

John Earl also challenged what I thought I had learned in IBM school. I did not remember which programming class this was in, so I dug into notes on several but did not find the specific reference. I did find many references to how security can impact performance, so it should be used wisely.

In IBM's CL class S 6020 introduction page 1-61 I was told not to qualify libraries in CL ... it is asking for trouble ... I think it is here that I learned the topic you ask if I have documented.

CL Manual SC41-3721 talks about security & performance pages 4-14 - 4-15 but does not explicitly clarify this point.

Mastering AS/400 Performance ISBN 1-882419-49-9 talks about security & performance page 61 and also does not explicitly cover this point ... it recommends securing a library that an object resides in & assigning public authority to individual objects, with some discussion of pros & cons of group profiles and authorization lists, pointing for more info to IBM manuals SC41-3302 & GG24-4200.

PRTPRFINT is the command to find out how close we are getting to what can be associated with one user or group profile.

In IBM's Security & System Administration Course S 6019 I have this chart of the sequence security goes through to find out if any given user's security will let them do any given action ... the longer the approval path, the more this potentially degrades performance, so the issue is not really whether or not the user is to be authorized, but HOW the user is to be authorized, if we do not want to degrade performance. Each OS Release improves this via fast paths, but the rules do not change. Each OS also changes some security defaults.

    U   G   P
    1   4   X   *All Obj
    2   5   7   *Explicit Specific
    3   6   8   *Aut lists
            9   adopted

The number means the sequence of checking security. 1-8 can kick it out with definite Yes/No, then it checks 9 regardless. X means that combination is not checked ... although incidentally when I called SSA tech support to ask why their application XRF was not working, they told me that the reason was that I had failed to give all users all object authority through the user group they all were in ... and I decided that I could live without application XRF.

1st column USER 1 person
2nd column GROUPS of users
3rd column PUBLIC = rest of world

1st line authority *All objects - If user is security officer we need not check any further
2nd line authority *Explicit specific - Did someone grant me access to Payroll?
3rd line authority GROUP of object's authority list

Hits on USER profile - it stops looking when any relevant authority found ... so we can deny a user some access that is granted to the group they are in ... for example 100% of our users are permitted to look at various folks spool file entries ... we might secure some spool & say certain users exempted from the group access.

GROUPS 1 primary 15 supplemental ... repeats for each group until sufficient authority accumulated ... we're on BPCS whose primary owns a humongous collection of objects - multiple groups slow access only when primary does not grant the access, and there is this exhaustive search before moving onto next area.

PUBLIC authority is checked when no authority is found for user or groups.

ADOPTED authority is checked when prior authority is not sufficient.

Al Macintyre ©¿© http://www.cen-elec.com
MIS Manager Programmer & Computer Janitor

+---
| This is the Midrange System Mailing List!
| To submit a new message, send your mail to MIDRANGE-L@midrange.com.
| To subscribe to this list send email to MIDRANGE-L-SUB@midrange.com.
| To unsubscribe from this list send email to MIDRANGE-L-UNSUB@midrange.com.
| Questions should be directed to the list owner/operator: david@midrange.com
+---
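The lookup sequence in Al's chart, walked through as an added model (not IBM's algorithm, not code from the post, and simplified: authorities are plain string sets, an empty set stands for *EXCLUDE, and the profile and object names are constructed). It shows the point about a user entry stopping the search before the group is consulted, groups accumulating authority, *PUBLIC being skipped once any group entry is found, and adopted authority being tried last.

```python
from dataclasses import dataclass, field

@dataclass
class Profile:
    """User or group profile; groups listed primary first, then supplemental."""
    name: str
    allobj: bool = False
    groups: list = field(default_factory=list)

@dataclass
class Obj:
    """Secured object; authorities are sets of strings, an empty set is *EXCLUDE."""
    name: str
    explicit: dict = field(default_factory=dict)    # profile name -> authorities
    autl: dict = field(default_factory=dict)        # authorization-list entries
    public: set = field(default_factory=set)
    adoptable: set = field(default_factory=set)     # what an adopting program lends

def _entry(obj, who):
    # Chart rows 2 and 3: an explicit entry is taken before the AUTL entry
    if who in obj.explicit:
        return obj.explicit[who]
    return obj.autl.get(who)

def check(user, obj, needed, adopting=False):
    """Return (allowed, step) following the 1..9 sequence in the chart."""
    if user.allobj:                                    # 1: security officer
        return True, "1 user *ALLOBJ"
    found = _entry(obj, user.name)
    if found is not None:                              # 2/3: user entry decides, stop
        return needed <= found, "2/3 user entry"
    acc, group_found = set(), False
    for grp in user.groups:                            # 4-6: primary, then supplemental
        if grp.allobj:
            return True, "4 group *ALLOBJ"
        found = _entry(obj, grp.name)
        if found is not None:
            group_found = True
            acc |= found                               # accumulate until sufficient
            if needed <= acc:
                return True, "5/6 group entry"
    if not group_found and needed <= obj.public:       # 7/8: only if no group entry found
        return True, "7/8 *PUBLIC"
    if adopting and needed <= obj.adoptable:           # 9: checked last, regardless
        return True, "9 adopted"
    return False, "denied"

# Constructed sample: everyone in ALLUSERS may view a spool file, one user exempted.
ALLUSERS = Profile("ALLUSERS")
QSECOFR = Profile("QSECOFR", allobj=True)
BOB = Profile("BOB", groups=[ALLUSERS])
JANE = Profile("JANE", groups=[ALLUSERS])
SPLF = Obj("PAYROLL_SPLF", explicit={"ALLUSERS": {"*USE"}, "JANE": set()},
           public={"*CHANGE"}, adoptable={"*CHANGE"})
```

Running `check(JANE, SPLF, {"*USE"})` returns a denial from step 2/3 even though her group has *USE, while `check(BOB, SPLF, {"*CHANGE"})` is denied without ever consulting *PUBLIC because a group entry was found.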