


Just getting caught up on my email.

This sounds pretty scary.  I've known about adopted authority since the
early days of the AS/400, but profile switching is news to me.

Am I reading this right?  Joe User can sign on with his profile, use some
magic command, and he can become QSECOFR?  With no trace back to Joe
User's profile?

How do we determine whether there is any profile switching going on?  Does
it get logged in the audit journal?

I searched InfoCenter and found references to QWTCHGJB & QWTSETP, but I
don't see anything that explicitly describes profile switching.

TIA,
GA

--- John Earl <john.earl@xxxxxxxxxxxxx> wrote:
> Rob,
> 
> I don't really understand the question, because profile switching and
> adoption are two pretty different things.
> 
> When I run a program that adopts your authority, I am now running with
> my authority + your authority.
> 
> If I switch to your profile, I am no longer carrying any of my
> authority, I only have your authority.
> 
> So switching is a new capability, not a replacement of an old
> capability.
> 
> Also, to answer the question of the "security exposure" that switching
> might introduce, I don't really see it.  If I have *USE authority to
> your profile I can assume your identity in a number of ways.  Yes I can
> switch to it, but I also can submit a job as you, or add your name to a
> JOBD and have any number of batch, pre-start, or communications jobs run
> as you.  So the profile switching APIs are a natural extension of
> capability that is already out there.  They don't introduce any new
> security exposures, though they may highlight some existing ones (such
> as the fact that some of your users have *USE or better authority to
> other users' profiles).
> 
> JMHO,
> 
> jte
> 
> --
> John Earl | Chief Technology Officer
> The PowerTech Group
>  
> > -----Original Message-----
> > From: midrange-l-bounces@xxxxxxxxxxxx [mailto:midrange-l-bounces@xxxxxxxxxxxx] On Behalf Of rob@xxxxxxxxx
> > Sent: Friday, July 16, 2004 7:58 AM
> > To: midrange-l@xxxxxxxxxxxx
> > Subject: Adopted authority vs profile switching
> > 
> > At one time IBM decided that using adopted authority should not work in
> > certain situations, like creating certain group profiles, etc.  Perhaps
> > they thought this was a security enhancement.
> > Then they allowed a workaround with profile switching.
> > 
> > So then, does this not allowing adopted authority in these situations now
> > go into the realm of 'security by obscurity' and should they just open
> > these up to adopted authority?  Or do you see a value in making people
> > use these APIs to do profile switching, - in this situation - ?
> > 
> > Now, I am not arguing that profile switching may not be useful in some
> > client serving or web based applications.  I am just arguing about it in
> > the first situations.
> > 
> > Rob Berendt





This mailing list archive is Copyright 1997-2024 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page. If you have questions about this, please contact [javascript protected email address].
