× The internal search function is temporarily non-functional. The current search engine is no longer viable and we are researching alternatives.
As a stop gap measure, we are using Google's custom search engine service.
If you know of an easy to use, open source, search engine ... please contact support@midrange.com.


  1.  Home
  2. MIDRANGE-L
  3. July 2000

Re: Supplemental Group Profiles

  • Subject: Re: Supplemental Group Profiles
  • From: Larry Bolhuis <lbolhuis@xxxxxxxxxx>
  • Date: Fri, 14 Jul 2000 01:01:14 -0400
  • Organization: Arbor Solutions, Inc
 
My .02:

  First, having many group profiles can cause significant overhead as
the system needs to perform security checking for the users profile,
then each group profile in order, until authority is granted or denied.
If the lower profiles in the list are often used this is worst case.
Generaly you should have the most frequently used near the top of the
list.

  Second, I favor a profile that can access only what is needed at that
time. Typically little or nothing for users, and source code and test
data for programmers. Utilize Adopted authority (usually some kind of
menu driver is the place) so that users only get authority when they are
in the application. This prevents unplanned ODBC, FTP, CA, etc file
transfers. One must consider that the AS/400 is much more connected now
than it was 10 years ago!
 
  Programmers often require multiple profiles. I prefer that the profile
used for testing against any production data doesn't have source access
so that they cannot get into the bad habit of using that profile for
general programming.
 
  Note that most programmers get cranky when they have any authority
whatsoever removed but eventually they come around when they realize
it's for their own protection.  Some day when they are positive their
*LIBL is correct (but they don't look) and they do CLRPFM somemasterfile
and get 'Not Authorized to file somemasterfile in theproductionlibrary'
they will stare at the message, take a deeeep breath, and thank you
(though usually under their breath!)  Similair messes can be made with
STRSQL, STDDBU, STRDFU, and calling those quickie update programs we've
all written.

 HTH - Larry

"Graap, Ken" wrote:
> 
> We are working on reviewing our AS/400's current security model
> implementation.
> 
> We have one system that supports both development and production
> environments.
> 
> Some user profiles are members in as many as 8-10 different group profiles.
> 
> The question has come up... What if any, risk is associated with using
> Supplemental Group Profiles in order to give a single user profile access to
> multiple environments? Would it be better to have multiple user profiles,
> one designed to access each different environment?
> 
> An environment in this case would be defined a PRODUCTION, DEVELOPMENT,
> STAGING, TRAINING etc.

-- 
Larry Bolhuis         |  
Arbor Solutions, Inc  |  IBM AS/400e - Get There First!
(616) 451-2500        |  
(616) 451-2571 -fax   |  It's 10PM.  Has your NT Server had it's
lbolhuis@arbsol.com   |  theraputic re-boot yet today?
+---
| This is the Midrange System Mailing List!
| To submit a new message, send your mail to MIDRANGE-L@midrange.com.
| To subscribe to this list send email to MIDRANGE-L-SUB@midrange.com.
| To unsubscribe from this list send email to MIDRANGE-L-UNSUB@midrange.com.
| Questions should be directed to the list owner/operator: david@midrange.com
+---

As an Amazon Associate we earn from qualifying purchases.

This thread ...
Replies:
Follow On AppleNews
Return to Archive home page | Return to MIDRANGE.COM home page

This mailing list archive is Copyright 1997-2024 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page. If you have questions about this, please contact [javascript protected email address].

Operating expenses for this site are earned using the Amazon Associate program and Google Adsense.