User profile . . . . . . . . . . . . . . . . . . : *OWNER
Use adopted authority . . . . . . . . . . . . . : *YES
What do you want to bet that the AMAPICS user profile doesn't have
security officer security?
1. Why are you using adopted authority on this program?
2. If you must use adopted authority, you are giving that user all the
access that the owner of the object has.
3. If you must use adopted authority, have it owned by a user with a
little less security than someone with security officer security.
4. If at all possible, take away the adopted authority on this program,
and every other one you can.
5. Yes, your security is breached with this.
Regards,
Jim Langston
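An added example, not part of the original thread: a small Python audit that reads the DSPPGM and user-profile screens posted in this thread and reports the combination under discussion (a sign-on program with User profile *OWNER, run by a user who is not LMTCPB(*YES)). The function names and the AMAPICS profile excerpt are constructed for illustration; the thread does not show AMAPICS's special authorities.

```python
import re

# "Label . . . : value" or "Label . . . > value"; two fields may share a line.
FIELD = re.compile(r"([A-Z][A-Za-z ]*?)(?: \.)+ *[:>]? *(\*?[A-Z0-9]+)")

def parse_screen(text):
    """Map field labels on a DSPPGM or user-profile screen to their first value."""
    fields = {}
    for label, value in FIELD.findall(text):
        fields.setdefault(label, value)
    return fields

def audit(program, user, owner=None):
    """List what the sign-on program's adoption settings expose for this user."""
    if program.get("User profile") != "*OWNER":
        return []  # program runs under the caller's own authority only
    name = f"{program['Library']}/{program['Program']}"
    findings = [f"{name} adopts the authority of its owner {program['Owner']}"]
    lmtcpb = user.get("Limit capabilities")
    if lmtcpb != "*YES":
        findings.append(f"{user['User profile']} has LMTCPB({lmtcpb}): commands "
                        f"entered under {name} can use {program['Owner']}'s authority")
    if owner is None:
        findings.append(f"special authorities of {program['Owner']} not reviewed")
    elif owner.get("Special authority", "*NONE") != "*NONE":
        findings.append(f"owner {program['Owner']} holds {owner['Special authority']}")
    return findings

# Excerpts of the two screens posted in this thread.
DSPPGM = """\
Program . . . . . . . : EX400C Library . . . . . . . : ECALIB
Owner . . . . . . . . : AMAPICS
User profile . . . . . . . . . . . . . . . . . . : *OWNER
Use adopted authority . . . . . . . . . . . . . : *YES
"""
JILLH = """\
User profile . . . . . . . . . . > JILLH
Limit capabilities . . . . . . . *PARTIAL
Special authority . . . . . . . *NONE
"""
# Constructed for illustration: the thread does not show AMAPICS's profile.
OWNER_SAMPLE = """\
User profile . . . . . . . . . . > AMAPICS
Special authority . . . . . . . *SECADM
"""

if __name__ == "__main__":
    owner = parse_screen(OWNER_SAMPLE)
    for line in audit(parse_screen(DSPPGM), parse_screen(JILLH), owner):
        print(line)
```

Only the first value of a multi-value field such as Special authority is read, so a real owner profile should be checked in full.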
Date: Fri, 26 Jan 2001 14:06:51 -0600
From: "Burns, Bryan" <burnsbm@echoincorporated.com>
Subject: RE: Changing user profiles without *SECADM; adding *SECADM without even having *SECADM
Removing command line access is not an option.
We are at QSECURITY level 30.
Here are most profile attributes and a DSPPGM of the initial menu.
User profile . . . . . . . . . . > JILLH
User password . . . . . . . . . *SAME
Set password to expired . . . . *NO
Status . . . . . . . . . . . . . *ENABLED
User class . . . . . . . . . . . *USER
Assistance level . . . . . . . . *SYSVAL
Current library . . . . . . . . *CRTDFT
Initial program to call . . . . EX400C
Library . . . . . . . . . . . ECALIB
Initial menu . . . . . . . . . . *SIGNOFF
Library . . . . . . . . . . .
Limit capabilities . . . . . . . *PARTIAL
Special authority . . . . . . . *NONE
+ for more values
Special environment . . . . . . *NONE
Display sign-on information . . *YES
Password expiration interval . . *SYSVAL
Limit device sessions . . . . . *NO
Keyboard buffering . . . . . . . *SYSVAL
Maximum allowed storage . . . . *NOMAX
Highest schedule priority . . . 3
Job description . . . . . . . . QDFTJOBD
Library . . . . . . . . . . . QGPL
Group profile . . . . . . . . . *NONE
Owner . . . . . . . . . . . . . *USRPRF
Group authority . . . . . . . . *NONE
Group authority type . . . . . . *PRIVATE
Supplemental groups . . . . . . *NONE
+ for more values
Accounting code . . . . . . . . *BLANK
Document password . . . . . . . *SAME
Message queue . . . . . . . . . JILLH
Library . . . . . . . . . . . QUSRSYS
Delivery . . . . . . . . . . . . *NOTIFY
Severity code filter . . . . . . 0
Print device . . . . . . . . . . PRTP0
Output queue . . . . . . . . . . *WRKSTN
Library . . . . . . . . . . .
Attention program . . . . . . . *NONE
Library . . . . . . . . . . .
Program . . . . . . . : EX400C Library . . . . . . . : ECALIB
Owner . . . . . . . . : AMAPICS
Program attribute . . : CLP
Program creation information:
Program creation date/time . . . . . . . . . . . : 10/03/96 10:00:16
Type of program . . . . . . . . . . . . . . . . : OPM
Source file . . . . . . . . . . . . . . . . . . : SOURCE
Library . . . . . . . . . . . . . . . . . . . : ECALIB
Source member . . . . . . . . . . . . . . . . . : EX400C
Source file change date/time . . . . . . . . . . : 10/03/96 09:59:36
Observable information . . . . . . . . . . . . . : *ALL
User profile . . . . . . . . . . . . . . . . . . : *OWNER
Use adopted authority . . . . . . . . . . . . . : *YES
Log commands (CL program) . . . . . . . . . . . : *JOB
Allow RTVCLSRC (CL program) . . . . . . . . . . : *YES
Fix decimal data . . . . . . . . . . . . . . . . : *NO
Bryan Burns
Echo, Inc.
Lake Zurich, IL
Burnsbm@echoincorporated.com
-----Original Message-----
From: fiona.fitzgerald@notes.royalsun.com
[SMTP:fiona.fitzgerald@notes.royalsun.com]
Sent: Friday, January 26, 2001 11:09 AM
To: MIDRANGE-L@midrange.com
Subject: Re: Changing user profiles without *SECADM; adding *SECADM without even having *SECADM
Bryan,
If the user doesn't need a command line, you could change their profile to LMTCPB(*YES), which will prevent them from invoking a command line.
Might the initial object be owned by a profile with *SECADM authority? They might be inheriting authority from it? Do they have an initial pgm or an initial menu? I'd like to see all the usrprf attributes.
By the way, what security level are you at? (DSPSYSVAL QSECURITY).
Fiona Fitzgerald,
Dublin
Bryan Burns wrote:
We have a user profile with special authority *NONE that can do a CHGUSRPRF and add *SECADM special authority to another profile. This is done from a command line on the initial menu. This initial menu has three options: EXECUTE OFFICE, EXECUTE MAPICS, and SIGN OFF.
How is this possible? We are on V4R4 and at cume level CO252440.
The profile in question has USER CLASS *USER, GROUP PROFILE *NONE, OWNER *USRPRF and LIMIT CAPABILITIES *PARTIAL.
I think this may be due to adopted authority, but I am not a programmer and I have dug as far as I can into this. Can someone shed some light on this?