
If I have *USE authority to a profile, I can submit a job under this
profile.
If I have *USE authority to a profile, I can use the QSYGETPH,
QSYGENPT or
QsyGetProfileHandleNoPwd APIs to switch to this profile.

The job submitting feature is blocked at security level 40.
Does anyone know if the API feature is blocked as well?

Shalom,

Short answer - No, it is not blocked at QSECURITY level 40 and higher -
by design.  If you have *USE authority to a profile, then you should be
able to use it, which includes running jobs under its authority.



Longer explanatory answer - If user A has *USE rights (really just
*OBJOPR and *EXECUTE) to profile B, then user A will be able to
assume the identity of profile B through the use of the APIs you
mentioned.  Of course a user with *ALLOBJ has at least *USE rights to
every other profile on the system, so anyone with *ALLOBJ can become any
other user (with a few exceptions like QSYS and QLPINSTALL, but not
excepting QSECOFR and any customer-created profile).

It also means that if you have a software package like JDE or Infineum,
where everything that everyone creates belongs to the group, then when the
system administrator creates new user profile objects on the system,
everyone has the ability to assume everyone else's identity (through
their membership in the group).

This (real world) scenario would make it exceptionally hard to prove
that Rocko committed fraud if it could be demonstrated that there are
750 other people on the system who could have hijacked Rocko's identity.

The solution is simple and two part.  First, make sure no one has any
rights to anyone else's profile.  When you create new profiles, assign
their ownership to QSECOFR (the only time I recommend having an IBM
profile own any of your objects) and strip the creator, and the
creator's group, from having any rights to that new profile.

Second, limit and monitor access to *ALLOBJ profiles so that you can
prove that Jane the administrator did not assume Rocko's identity and
then frame him for theft.

HTH,

jte
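The two-part fix described in the reply above, written out as CL. This is an added example, not jte's own commands: the profile name ROCKO, the creating administrator SECADM1 and the administrators' group ADMGRP are hypothetical, and it assumes the commands are run under a profile with *SECADM and *ALLOBJ special authority.

```cl
/* Hardening a newly created user profile so that neither the creating  */
/* administrator nor the administrator's group keeps any authority to it. */
/* Added example. ROCKO, SECADM1 and ADMGRP are hypothetical names.       */

/* 1. Create the profile. AUT(*EXCLUDE) is the default public authority   */
/*    for *USRPRF objects; it is stated explicitly so nobody has to know  */
/*    the default. PASSWORD(*NONE) avoids the default of password = name; */
/*    set a real initial password afterwards with CHGUSRPRF. The creator  */
/*    (SECADM1) becomes the owner and therefore holds *ALL at this point. */
CRTUSRPRF USRPRF(ROCKO) PASSWORD(*NONE) USRCLS(*USER) +
          GRPPRF(*NONE) AUT(*EXCLUDE) TEXT('Rocko - AP clerk')

/* 2. Move ownership to QSECOFR and revoke the previous owner's private   */
/*    authority in the same step.                                         */
CHGOBJOWN OBJ(QSYS/ROCKO) OBJTYPE(*USRPRF) NEWOWN(QSECOFR) +
          CUROWNAUT(*REVOKE)

/* 3. Also revoke anything the creator or the creator's group may hold   */
/*    explicitly; RVKOBJAUT USER() accepts a list.                       */
RVKOBJAUT OBJ(QSYS/ROCKO) OBJTYPE(*USRPRF) USER(SECADM1 ADMGRP) AUT(*ALL)

/* 4. Check: the only entries should be owner QSECOFR with *ALL and       */
/*    *PUBLIC *EXCLUDE. Any other private authority of *USE or better     */
/*    means that user can swap to ROCKO through QSYGETPH / QSYGENPT /     */
/*    QsyGetProfileHandleNoPwd, which is exactly what the reply warns of. */
DSPOBJAUT OBJ(QSYS/ROCKO) OBJTYPE(*USRPRF)

/* 5. System-wide sweep of profiles that already exist: print every       */
/*    private authority held on any *USRPRF in QSYS.                      */
PRTPVTAUT OBJTYPE(*USRPRF) LIB(QSYS)

/* 6. Second part of the answer: make swaps provable. *SECURITY writes    */
/*    PS (profile swap) entries to QAUDJRN; *AUTFAIL records the denied   */
/*    attempts. Then list the swaps that have occurred.                   */
CHGSECAUD QAUDCTL(*AUDLVL) QAUDLVL(*SECURITY *AUTFAIL)
DSPAUDJRNE ENTTYP(PS)
```

Step 4 is the check worth repeating after every profile creation, and step 5 is what tells you how many of the "750 other people" could currently assume a given identity. DSPAUDJRNE is the older display command; on releases where it is no longer shipped, CPYAUDJRNE ENTTYP(PS) produces the same PS entries as an output file for review.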
This mailing list archive is Copyright 1997-2024 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page. If you have questions about this, please contact [javascript protected email address].