>>In IBM's CL class S 6020 introduction page 1-61 I was told not to qualify libraries in CL ... it is asking for trouble ... I think it is here that I learned the topic you ask if I have documented<<

I'm no expert on security and performance, however, every reference I've seen to "trouble" associated with qualifying libraries in CL is related to hardcoding issues, problems if you rename libraries or if you have multiple environments (test vs. production libraries). As implied elsewhere, it would seem logical to me that qualifying an object would improve performance, since the system doesn't have to go searching for it.

As for the method used for securing objects on the AS/400, it makes sense that some methods may incur performance penalties, as your notes seem to imply. This type of penalty should only affect the time spent allocating the object though, wouldn't you think? Was that in the context of the original post in this thread?

- Dan Bale

> -----Original Message-----
> From: MacWheel99@aol.com [SMTP:MacWheel99@aol.com]
> Sent: Friday, May 19, 2000 1:23 PM
> To: MIDRANGE-L@midrange.com
> Subject: Re: Database server jobs and SQL tuning
>
> > From: DBale@lear.com (Bale, Dan)
> >
> > Wow. Is this documented, Al?
>
> Referring to my remarks about qualifying vs. library list
>
> > Could you point to some kind of reference
> > if you have it handy, please?
> >
> > - Dan Bale
>
> John Earl also challenged what I thought I had learned in IBM school. I did
> not remember which programming class this was in, so I dug into notes on
> several but did not find the specific reference. I did find many references
> to how security can impact performance, so it should be used wisely.
>
> In IBM's CL class S 6020 introduction page 1-61 I was told not to qualify
> libraries in CL ... it is asking for trouble ... I think it is here that I
> learned the topic you ask if I have documented
>
> CL Manual SC41-3721 talks about security & performance pages 4-14 - 4-15 but
> does not explicitly clarify this point
>
> Mastering AS/400 Performance ISBN 1-882419-49-9 talks about security &
> performance page 61 and also does not explicitly cover this point ... it
> recommends securing a library that an object resides in & assigning public
> authority to individual objects, with some discussion of pros & cons of group
> profiles and authorization lists, pointing for more info to IBM manuals
> SC41-3302 & GG24-4200
>
> PRTPRFINT is the command to find out how close we are getting to what can be
> associated with one user or group profile
>
> In IBM's Security & System Administration Course S 6019
>
> I have this chart of the sequence security goes through to find out if any
> given user's security will let them do any given action ... the longer the
> approval path, the more this potentially degrades performance, so the issue
> is not really whether or not the user is to be authorized, but HOW the user
> is to be authorized, if we do not want to degrade performance. Each OS
> Release improves this via fast paths, but the rules do not change. Each OS
> also changes some security defaults.
>
>     U  G  P
>     1  4  X  *All Obj
>     2  5  7  *Explicit Specific
>     3  6  8  *Aut lists
>
>     9 adopted
>
> The number means the sequence of checking security
> 1-8 can kick it out with definite Yes/No, then it checks 9 regardless
>
> X means that combination is not checked ... although incidentally when I
> called SSA tech support to ask why their application XRF was not working,
> they told me that the reason was that I had failed to give all users all
> object authority through the user group they all were in ... and I decided
> that I could live without application XRF
>
> 1st column USER 1 person
> 2nd column GROUPS of users
> 3rd column PUBLIC = rest of world
>
> 1st line authority *All objects
> If user is security officer we need not check any further
>
> 2nd line authority *Explicit specific
> Did someone grant me access to Payroll?
>
> 3rd line authority GROUP of object's authority list
>
> Hits on USER profile - it stops looking when any relevant authority found ...
> so we can deny a user some access that is granted to the group they are in
> ... for example 100% of our users are permitted to look at various folks
> spool file entries ... we might secure some spool & say certain users
> exempted from the group access.
>
> GROUPS 1 primary 15 supplemental ... repeats for each group until sufficient
> authority accumulated ... we're on BPCS whose primary owns a humongous
> collection of objects - multiple groups slow access only when primary does
> not grant the access, and there is this exhaustive search before moving onto
> next area.
>
> PUBLIC authority is checked when no authority is found for user or groups
>
> ADOPTED authority is checked when prior authority is not sufficient
>
> Al Macintyre ©¿©
> http://www.cen-elec.com MIS Manager Programmer & Computer Janitor
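
The lookup order in the quoted chart, modelled as an added Python example that is not part of either post and is not IBM's code; it returns the chart numbers visited so the length of each user's approval path is visible. The `check` function, the profile names and the authority tables are constructed for illustration, and the model assumes steps 4-6 repeat per group and step 9 runs only when earlier steps fall short, as the quoted post's closing lines describe.

```python
# Added model of the post's chart (U/G/P columns, steps 1-9); not IBM's code.
# All profile names and authority tables below are constructed sample data.

def check(user, obj, need):
    """Return (granted, steps); steps lists the chart numbers visited in order."""
    steps = []

    def adopted():  # step 9: assumed to run only when earlier steps fall short
        steps.append(9)
        return need <= obj["adopted"], steps

    steps.append(1)  # user *ALLOBJ: no further checking needed
    if user["allobj"]:
        return True, steps
    for step, table in ((2, "explicit"), (3, "autl")):
        steps.append(step)
        if user["name"] in obj[table]:  # a hit on the user stops the search
            ok = need <= obj[table][user["name"]]
            return (True, steps) if ok else adopted()

    found, acc = False, set()
    for group in user["groups"]:  # steps 4-6 repeat per group, accumulating
        steps.append(4)
        if group["allobj"]:
            return True, steps
        for step, table in ((5, "explicit"), (6, "autl")):
            steps.append(step)
            if group["name"] in obj[table]:
                found = True
                acc |= obj[table][group["name"]]
                if need <= acc:
                    return True, steps
    if not found:  # public is consulted only when user and groups had nothing
        for step, table in ((7, "explicit"), (8, "autl")):
            steps.append(step)
            if "*PUBLIC" in obj[table]:
                ok = need <= obj[table]["*PUBLIC"]
                return (True, steps) if ok else adopted()
    return adopted()

GRPBPCS = {"name": "GRPBPCS", "allobj": False}
GRPPAY = {"name": "GRPPAY", "allobj": False}
PAYROLL = {"explicit": {"BOB": set(), "GRPPAY": {"*USE"}},  # BOB is excluded
           "autl": {"*PUBLIC": {"*USE"}}, "adopted": set()}
ALICE = {"name": "ALICE", "allobj": False, "groups": [GRPBPCS, GRPPAY]}
BOB = {"name": "BOB", "allobj": False, "groups": [GRPPAY]}
CAROL = {"name": "CAROL", "allobj": False, "groups": []}

if __name__ == "__main__":
    for u in (ALICE, BOB, CAROL):
        print(u["name"], check(u, PAYROLL, {"*USE"}))
```

In this sample, BOB is denied at step 2 even though his group holds the authority, while ALICE walks through a first group that grants nothing before the second group satisfies the request.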