I'm not sure that AA controls command line entry as such. It is meant to control client functions. E.g., it can control whether a user can use FTP as a client from an iSeries or it can control whether the user can use FTP to connect to the iSeries from another box - this is using the iSeries as FTP server. It is also possible to control the use of ODBC. But control is not at the command line - controlling FTP as a client from the iSeries is only incidental, as I understand it.

This topic is not extremely well-documented by IBM, IMO. An interesting bit I saw is that IBM does not recommend this as true security, rather, "access" privileges. I.e., there can be several ways to get access to a physical file, including FTP, ODBC, Data Transfer in PC5250, et al. App Admin does not secure those that are not registered and set up there. (All the ones I listed can be, BTW.)

There is more in a redbook at http://www.redbooks.ibm.com/redbooks/pdfs/sg246226.pdf and in the Application Administration topic at InfoCenter. It might also be a good topic on which to call IBM Support - this is the kind of thing they will reply to, I believe.

It is not clear where the settings are kept - I thought there was a global nature to this, but it might be local (except when using a central system, V5R2+). Reason I say this is, one item I read said that things are kept in the Windows registry. Another question for IBM Support, I suppose.

But, in my experience, it is possible to keep someone from using FTP and other selected access methods. The security is still standard iSeries object security. The App Admin stuff is access control built on top of a "properly" secured system.

HTH
Vern

-------------- Original message --------------
From: fbocch2595@xxxxxxx

> Thanks Vern.
>
> In your experience w/AA is there any way security can be bypassed or
> compromised when using AA strictly over green screen command entry?
>
> Another way to ask is does AA encompass or include all security that green
> screen does?
>
> -----Original Message-----
> From: Vernon Hamberg
> To: Midrange Systems Technical Discussion
> Sent: Sun, 22 Jan 2006 22:42:37 -0600
> Subject: Re: DBU and it's competitors
>
> Not sure why you don't want to work with App Admin - it's really
> quite simple. It's not the same as the packet stuff. You go into
> iSeries (Ops) Navigator, right-click on a connection, click on
> Application Administration, click on the Host Applications tab, then
> open AS/400 TCP/IP Utilities, then open File Transfer Protocol (FTP),
> then open the FTP server area and work with the users and block them
> as needed. It applies, AFAIK, to the user, no matter what PC or
> whatever they use to try to get in. Not just the one where you set it
> up. So it should be possible not to install AppAdmin on user PCs and
> be safe using just your PC for configuration. And you have to have
> *SECADM anyway to change this stuff. Also, from V5R2 it is possible
> to have a single server that holds the settings for others.
>
> At 10:18 AM 1/22/2006, you wrote:
>
> > I'm guessing that NetIQ might be a more expensive solution but one
> > that I can implement and maintain quickly and have good support for
> > (hopefully, NetIQ support's as good as IBM's), instead of me having
> > to work with AA.
> >
> > Make sense?
> >
> > -----Original Message-----
> > From: vhamberg@xxxxxxxxxxx
> > To: Midrange Systems Technical Discussion
> > Sent: Fri, 20 Jan 2006 19:44:21 +0000
> > Subject: Re: DBU and it's competitors
> >
> > You CAN handle user profiles with App Admin in iSeries Access. You
> > can also set up some kind of packet filter rules in iSeries Access,
> > IIRC. Look under Network in the items under a connection there. I
> > THINK those can handle some of this, but others will have actual
> > knowledge based on experience.
> >
> > -------------- Original message --------------
> > From: fbocch2595@xxxxxxx
> >
> > > Hi, if I wanted only several usrprf's or ip addresses to b/able
> > > to ftp could I use this NetIQ to do that? Do I need an exit point
> > > program or does NetIQ provide that?
> > > Thanks
> > >
> > > -----Original Message-----
> > > From: ISNM
> > > To: midrange forum
> > > Sent: Fri, 20 Jan 2006 07:55:45 -0800 (PST)
> > > Subject: Re: DBU and it's competitors
> > >
> > > If you already own NetIQ's (formerly PentaSafe's) PSSecure
> > > product, which is most often purchased for the exit point
> > > management capabilities (RRM - Remote Request Management), there
> > > is a module called Secure File Editor (SFE).
> > > Green-screen only, but is easy to use.
> > >
> > > Steven W. Martinson, CISSP, CISM
> > > Consultant - Servique, LLC
> > >
> > > Cell 281.546.9836
> > > www.servique.com
> > > 4801 Woodway Drive, Suite 300E
> > > Houston, TX 77056
> > >
> > > "Uniquely Qualified"
> > >
> > > --
> > > This is the Midrange Systems Technical Discussion (MIDRANGE-L) mailing list
> > > To post a message email: MIDRANGE-L@xxxxxxxxxxxx
> > > To subscribe, unsubscribe, or change list options,
> > > visit: http://lists.midrange.com/mailman/listinfo/midrange-l
> > > or email: MIDRANGE-L-request@xxxxxxxxxxxx
> > > Before posting, please take a moment to review the archives
> > > at http://archive.midrange.com/midrange-l.
This mailing list archive is Copyright 1997-2024 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited.