|
Man - tough spot to be in. Have you gone back to the vendor and stated that this security process is just plain unacceptable. Even if this was the absolute best software in the world, many financial institutions (well at least the one I work for) would simply refuse this if the vendor was not willing to change security aspect. >>> "Hatzenbeler, Tim" <thatzenbeler@clinitech.net> 04/12/02 06:33PM >>> This message is in MIME format. Since your mail reader does not understand this format, some or all of this message may not be legible. -- [ Picked text/plain from multipart/alternative ] The problems stems from this, We use an accouting/purchasing/financial package supported by a vendor, and they only use one authority list for every user of the package, and that authority list is used for all libraries of their application... So a person in purchasing has the same authority as some one in payroll, when it comes to object authority, the authority is all handled in the application, but as we all know, when we use an odbc driver we are outside of that authority checking... Changing the authority list within the application is out, because all the systems tie together... So I was looking at solving the problem a different way... And that is, if your making a request via odbc, ftp, ddm... change the profile to a profile that does not have a the libraries we would like to keep out of excel or crystal reports. But as for your response... I do see your point and agree with it... tim > -----Original Message----- > From: Evan Harris [SMTP:spanner@ihug.co.nz] > Sent: Friday, April 12, 2002 3:26 PM > To: midrange-l@midrange.com > Subject: RE: Exit Point Question/profile switching... > > Tim > > before you start working on exits etc is there a reason why you just can't > have access to payroll libraries set as *PUBLIC *EXCLUDE and ensure that > your ODBC profile is not one of the authorised profiles ? > > Your method seems backwards to me - generally I think that additional > access should be should be granted rather than granting authority to all > and then using some other method to revoke and deny access. > > To further explain, it seems to me like giving everyone the combination to > a safe and then having a guard compare names to a list of those allowed to > use the combination. It would make more sense to not give people the > combination in the first place..... > > Sorry this doesn't exactly address your question, but if I had to do this > I > wuld probably revisit my base security set up - I avoid complex security > wherever possible if only because it is too hard to demonstrate to > auditors.... > > Regards > Evan Harris > > >This message is in MIME format. Since your mail reader does not > understand > >this format, some or all of this message may not be legible. > >-- > >[ Picked text/plain from multipart/alternative ] > >I didn't want to scan through a possible 32k sql string looking for > >libraries I didn't want to allow, so I figured switching the authority > would > >be better and faster.... And more secure... > > > >tim > > > > > -----Original Message----- > > > From: Dr Syd Nicholson [SMTP:sydnic@ccs400.com] > > > Sent: Friday, April 12, 2002 4:11 PM > > > To: midrange-l@midrange.com > > > Subject: Re: Exit Point Question/profile switching... > > > > > > Instead of trying to switch user profiles, perhaps you could use the > > > exit point to restrict access to the appropriate libraries. This would > > > be easier I think. > > > > > > Syd Nicholson > > > > > > > > > Hatzenbeler, Tim wrote: > > > > > > >This message is in MIME format. Since your mail reader does not > > > understand > > > >this format, some or all of this message may not be legible. > > > >-- > > > >[ Picked text/plain from multipart/alternative ] > > > > Is this possible and if so is there a simple CL command to do > it? > > > >I would like to add a exit point program to QIBM_QZDA_INIT to switch > the > > > >userprofile to a less powerful profile (for users not found in a > control > > > >table). What command would I use? And if so, would the profile > switch > > > >exist when they make the QIBM_QZDA_SQL1 call, or would I need to > switch > > > the > > > >profile here also? > > > >Or am I doing this all wrong? > > > >My goal is this, to create a user profile that excludes our payroll > > > library, > > > >and give the odbc requests this profile... > > > >Thanks, tim > > > _______________________________________________ > This is the Midrange Systems Technical Discussion (MIDRANGE-L) mailing > list > To post a message email: MIDRANGE-L@midrange.com > To subscribe, unsubscribe, or change list options, > visit: http://lists.midrange.com/cgi-bin/listinfo/midrange-l > or email: MIDRANGE-L-request@midrange.com > Before posting, please take a moment to review the archives > at http://archive.midrange.com/midrange-l. _______________________________________________ This is the Midrange Systems Technical Discussion (MIDRANGE-L) mailing list To post a message email: MIDRANGE-L@midrange.com To subscribe, unsubscribe, or change list options, visit: http://lists.midrange.com/cgi-bin/listinfo/midrange-l or email: MIDRANGE-L-request@midrange.com Before posting, please take a moment to review the archives at http://archive.midrange.com/midrange-l.
As an Amazon Associate we earn from qualifying purchases.
This mailing list archive is Copyright 1997-2024 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page. If you have questions about this, please contact [javascript protected email address].
Operating expenses for this site are earned using the Amazon Associate program and Google Adsense.