Oliver: (comments below)

midrange-l-request@xxxxxxxxxxxx wrote:

>So, without exit-point programming or buying some security product, I
>cannot fix these
>loopholes? Thanks a lot, IBM..

It's always been this way for AS/400 and iSeries systems. In the beginning, there was little more than DDM/DRDA request access and Client request access exit points available through CHGNETA. But then, along came TCP/IP demands and TCP/IP server applications and open standards and all the changes to the host servers. Suddenly it wasn't so simple.

You have a system that you're trying to use in two conflicting ways. You want to use it for a lot of green-screen functions, but you also want to use it as a server on the network. I suppose you could use it one way or the other and set good object-level authorities accordingly and have no need of the exit points. Unfortunately, whichever way you set it, the authority scheme is likely to conflict with the other usage.

In effect, you have two different systems with two different sets of users. (This can almost be seen in the NetServer setting of the host name to broadcast out to the Windows Network Neighborhood.)

Perhaps you could even give each user two different user profiles. Set the server authority scheme for half of the profiles and interactive authorities for the other half. Your exit programs then might be little more than enforcing which user profile name is allowed to enter -- the users must sign in with the server profile they've been assigned unless they're working through a green-screen. That could easily be a big mess, politically if nothing else.

But actually, I don't see where the iSeries situation is any worse off than any other system that's used both for interactive and for network serving. If you had to set similar authorities for a Windows system, how would you do it there? How would you do it for Linux or a given Unix? I'm far from expert outside the iSeries, so I really don't know any better way on other systems. I suspect the problem is the same. But I'm not sure how easily exit programs or similar technologies can be applied anywhere else.

However you do it on your iSeries, it definitely should start with solid object-level authorities. Once that's done, exit programs can be used just to make the fine-tuning changes and the programs can be relatively simple.

Emphasizing "Once that's done...". If that's never been properly done, then exit programs can be a business saver. And even if it has been, exit programs can make life a lot easier for your users.

Tom Liotta

--
Tom Liotta
The PowerTech Group, Inc.
19426 68th Avenue South
Kent, WA 98032
Phone 253-872-7788 x313
Fax 253-872-7904
http://www.powertechgroup.com
This mailing list archive is Copyright 1997-2024 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page. If you have questions about this, please contact [javascript protected email address].