|
On Thursday 29 April 2004 20:34, rob@xxxxxxxxx wrote: > Thank you. > Then I suppose the issue becomes auditing not only those owned by > QSECOFR, but also those owned by any *ALLOBJ user profile. Of course, > any owned versus *USRPRF should be enough of a red flag. At our place finding programs the *don't* adopt authority is the concern. Our users belong to one group profile that has limited rights to the system - only read access (if that) to files, etc. All the programs adopt the authority of the profile that owns the files to allow updates etc. That profile doesn't have any special authorities of its own, though. Some years back the users' group profile & the data files' profile were the same, which meant that any user with access outside our applications could not only remove data but remove all the files too. On the subject of profile swapping I remember another gotcha. In testing the routine I switched to a very limited profile, then found I didn't have the authority to release the profile handle and switch back to my own profile. Still, at least it proved the role switch was pretty complete. Since then I've stuck to adopted authority on profile switch routines, as the handle is only used for a single task before releasiong again. Regards, Martin -- martin@xxxxxxxxxx AIM/Gaim: DBG400dotNet http://www.dbg400.net /"\ DBG/400 - AS/400 & iSeries Open Source/Free Software utilities \ / Debian GNU/Linux | ASCII Ribbon Campaign against HTML mail & news X / \
As an Amazon Associate we earn from qualifying purchases.
This mailing list archive is Copyright 1997-2024 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page. If you have questions about this, please contact [javascript protected email address].
Operating expenses for this site are earned using the Amazon Associate program and Google Adsense.
midrange.com
