RE: Exit Point Question/profile switching... -- MIDRANGE-L

Man - tough spot to be in.
Have you gone back to the vendor and stated that this security process is just 
plain unacceptable. Even if this was the absolute best software in the world, 
many financial institutions (well at least the one I work for) would simply 
refuse this if the vendor was not willing to change security aspect.

>>> "Hatzenbeler, Tim" <thatzenbeler@clinitech.net> 04/12/02 06:33PM >>>
This message is in MIME format. Since your mail reader does not understand
this format, some or all of this message may not be legible.
--
[ Picked text/plain from multipart/alternative ]
The problems stems from this,  We use an accouting/purchasing/financial
package supported by a vendor, and they only use one authority list for
every user of the package, and that authority list is used for all libraries
of their application...  So a person in purchasing has the same authority as
some one in payroll, when it comes to object authority, the authority is all
handled in the application, but as we all know, when we use an odbc driver
we are outside of that authority checking...  Changing the authority list
within the application is out, because all the systems tie together...  So I
was looking at solving the problem a different way...  And that is,  if your
making a request via odbc, ftp, ddm... change the profile to a profile that
does not have a the libraries we would like to keep out of excel or crystal
reports.

But as for your response... I do see your point and agree with it...

tim

> -----Original Message-----
> From: Evan Harris [SMTP:spanner@ihug.co.nz]
> Sent: Friday, April 12, 2002 3:26 PM
> To:   midrange-l@midrange.com
> Subject:      RE: Exit Point Question/profile switching...
>
> Tim
>
> before you start working on exits etc is there a reason why you just can't
> have access to payroll libraries set as  *PUBLIC *EXCLUDE and ensure that
> your ODBC profile is not one of the authorised profiles ?
>
> Your method seems backwards to me - generally I think that additional
> access should be should be granted rather than granting authority to all
> and then using some other method to revoke and deny access.
>
> To further explain, it seems to me like giving everyone the combination to
> a safe and then having a guard compare names to a list of those allowed to
> use the combination. It would make more sense to not give people the
> combination in the first place.....
>
> Sorry this doesn't exactly address your question, but if I had to do this
> I
> wuld probably revisit my base security set up - I avoid complex security
> wherever possible if only because it is too hard to demonstrate to
> auditors....
>
> Regards
> Evan Harris
>
> >This message is in MIME format. Since your mail reader does not
> understand
> >this format, some or all of this message may not be legible.
> >--
> >[ Picked text/plain from multipart/alternative ]
> >I didn't want to scan through a possible 32k sql string looking for
> >libraries I didn't want to allow, so I figured switching the authority
> would
> >be better and faster.... And more secure...
> >
> >tim
> >
> > > -----Original Message-----
> > > From: Dr Syd Nicholson [SMTP:sydnic@ccs400.com]
> > > Sent: Friday, April 12, 2002 4:11 PM
> > > To:   midrange-l@midrange.com
> > > Subject:      Re: Exit Point Question/profile switching...
> > >
> > > Instead of trying to switch user profiles, perhaps you could use the
> > > exit point to restrict access to the appropriate libraries. This would
> > > be easier I think.
> > >
> > > Syd Nicholson
> > >
> > >
> > > Hatzenbeler, Tim wrote:
> > >
> > > >This message is in MIME format. Since your mail reader does not
> > > understand
> > > >this format, some or all of this message may not be legible.
> > > >--
> > > >[ Picked text/plain from multipart/alternative ]
> > > >     Is this possible and if so is there a simple CL command to do
> it?
> > > >I would like to add a exit point program to QIBM_QZDA_INIT to switch
> the
> > > >userprofile to a less powerful profile (for users not found in a
> control
> > > >table).  What command would I use?  And if so, would the profile
> switch
> > > >exist when they make the QIBM_QZDA_SQL1 call, or would I need to
> switch
> > > the
> > > >profile here also?
> > > >Or am I doing this all wrong?
> > > >My goal is this, to create a user profile that excludes our payroll
> > > library,
> > > >and give the odbc requests this profile...
> > > >Thanks, tim
>
>
> _______________________________________________
> This is the Midrange Systems Technical Discussion (MIDRANGE-L) mailing
> list
> To post a message email: MIDRANGE-L@midrange.com
> To subscribe, unsubscribe, or change list options,
> visit: http://lists.midrange.com/cgi-bin/listinfo/midrange-l
> or email: MIDRANGE-L-request@midrange.com
> Before posting, please take a moment to review the archives
> at http://archive.midrange.com/midrange-l.
_______________________________________________
This is the Midrange Systems Technical Discussion (MIDRANGE-L) mailing list
To post a message email: MIDRANGE-L@midrange.com
To subscribe, unsubscribe, or change list options,
visit: http://lists.midrange.com/cgi-bin/listinfo/midrange-l
or email: MIDRANGE-L-request@midrange.com
Before posting, please take a moment to review the archives
at http://archive.midrange.com/midrange-l.