


A complete answer to the App Admin security question requires just a little deeper understanding of what App Admin (or function usage) does.
In the GUI interface for managing App Admin, there are three (as I recall, more could have been added in the last release and I wouldn't necessarily have known) tabs. The first tab is for client access related stuff on the PC. The second is for 3rd party client apps that integrate with Client Access. The third is for server-side OS functions. When you allow/deny a userID access to a "function" or "application", you are, essentially, only creating a record in an internal index on the server.

The client code associated with the functions covered in the client tabs of App Admin has to enforce the behavior (two of the tabs). The client code makes a remote API call to check if the user currently connected to the server is allowed to use the "application/function" represented by the entry in the registry; however, it is the client code's responsibility to enforce it on the PC. This is why IBM explicitly states that App Admin should not be considered a security mechanism. Anyone could write, for example, an FTP client interface that doesn't check whether the current user attached to the server is "allowed" to use the FTP client on the PC.

On the other hand, the "Host" tab in App Admin represents "functions" -- typically sub-functions of servers like FTP, Telnet, etc. -- where the check AND the enforcement are done by the specific Host server. These, to some extent, can be used as an additional security mechanism. I qualify this statement, because while *ALLOBJ users can be "denied usage", there is no way to prevent those users from going into the App Admin (or Function Usage) interfaces and "allowing" *ALLOBJ users.


Patrick Botz
President, Botz & Associates, Inc.
Business : 1-507-250-5644
Home/Office: 1-507-285-9048
mailto:pcbotz@xxxxxxxxx




tkreimer@xxxxxxxxxxxxxxx wrote:
I thought I read once that the App Admin should not be relied upon to
provide security. Not sure the why and the where, just a fleeting memory.
=====================
Tom Kreimer
Network Manager
Buckhorn Inc, Milford OH
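
Added example (not part of the original message and not IBM code): a small Python model of the distinction drawn above between a usage record that only the client enforces and one that the host server enforces, including the *ALLOBJ caveat. The function IDs, user names, the default of "allowed" when no record exists, and the rule for who may edit the registry are assumptions made for the model.

```python
# Toy model, not IBM code. Function IDs and user names are made up.
from dataclasses import dataclass, field

@dataclass
class Host:
    registry: dict = field(default_factory=dict)    # (function, user) -> allowed?
    allobj_users: set = field(default_factory=set)

    def check_usage(self, function_id, user):
        """Lookup a client can call remotely; it only reports the record."""
        return self.registry.get((function_id, user), True)  # assumed default

    def set_usage(self, actor, function_id, user, allowed):
        """Registry edit, assumed open to *ALLOBJ users as the message says."""
        if actor not in self.allobj_users:
            raise PermissionError(f"{actor} may not change function usage")
        self.registry[(function_id, user)] = allowed

    def host_function(self, function_id, user):
        """Host-tab case: the server does the check and the enforcement."""
        ok = self.check_usage(function_id, user)
        return "served" if ok else "denied by host"

    def service(self, user):
        """Service behind a client-tab entry: registry is not consulted."""
        return "served"

def compliant_client(host, function_id, user):
    # Client asks the host, then enforces the answer itself on the PC.
    if not host.check_usage(function_id, user):
        return "denied by client"
    return host.service(user)

def non_checking_client(host, function_id, user):
    # Client that never makes the lookup; the host has nothing to enforce.
    return host.service(user)

def demo():
    deny = {("EX_CLIENT_FN", "ALICE"): False, ("EX_HOST_FN", "ALICE"): False,
            ("EX_HOST_FN", "ADMIN"): False}
    host = Host(registry=deny, allobj_users={"ADMIN"})
    out = {"compliant": compliant_client(host, "EX_CLIENT_FN", "ALICE"),
           "non_checking": non_checking_client(host, "EX_CLIENT_FN", "ALICE"),
           "host_tab": host.host_function("EX_HOST_FN", "ALICE"),
           "allobj_before": host.host_function("EX_HOST_FN", "ADMIN")}
    host.set_usage("ADMIN", "EX_HOST_FN", "ADMIN", True)  # re-allows itself
    out["allobj_after"] = host.host_function("EX_HOST_FN", "ADMIN")
    return out

if __name__ == "__main__":
    print(demo())
```

In the model, the same deny record blocks the user only when the code that reads it is the code that serves the request, which is why a deny on a client-tab entry should be backed by a control on the host itself.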



This mailing list archive is Copyright 1997-2024 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page. If you have questions about this, please contact [javascript protected email address].
