


Have more than one authority list...

Instead of PRODDATA have
ORDDATA
GLDATA
APDATA
ARDATA
<...>

However many groups that are required.

And you should have your users assigned to group profiles.

Group profiles are then given access via the authority list.

Charles

On Thu, Dec 22, 2016 at 7:40 AM, Andrew Lopez (SXS US) <Andrew.Lopez@xxxxxxxxxxxxxxxxxx> wrote:

Note: it's a bad idea to give access directly to the PF objects.

Instead, secure the PFs with an authorization list (*AUTL) and give the
profiles the authority via the *AUTL.

Agreed, but how do people handle the creation of authority when it is
inconsistent across the library? For example, I can have an authority list
called #PRODDTA that handles all of the objects in library PRODDTA (and the
library itself points to this authority list). That's great for handling
the systematic access in the system and has worked very well for us. We
have less than 10 libraries that are not *PUBLIC EXCLUDE.

Our problem arises when we want to give access to individual files and
exclude others in the same library. An interface may need to query our
work order file, but I do not want them rooting around our G/L. In this
case the #PRODDTA authority list is too broad and the only recourse seems
to be granting *USE rights to the library and the individual files in
question apart from the authority list. This is inconvenient because you
can't manage those without a lock on the object.

Those exceptions are easy enough to maintain in a CL, and I have one that
can be run over any of our data environments to put them in sync with the
security plan. But this involves many steps in ensuring that the library
has:
- the correct create authority (that points to the authority list),
- that the library and all the objects in the library are owned by the
correct ID,
- that all other authorities are revoked,
- granting back authority using the authority list,
- granting back *USE rights to the library for individual users who will
access isolated files

Then you have to go back and work on the object authorities in the library:
- grant authority to all objects using the authority list
- revoke all other authorities
- grant back access to individual files for individual user access

The CL works as a great source for finding the exceptions, and allows you to
add comments explaining why, many months later, a certain access was
granted. It also works great because you can add a change, then schedule
the CL to run when you know the objects will not be locked.

Still, I can't help but wonder if there is a better way. If anyone has
it, I would love to hear it.

--
This is the Midrange Systems Technical Discussion (MIDRANGE-L) mailing list
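
The multiple-list layout suggested in the reply, applied to the work order and G/L case from the quoted message, as an added CL example that is not code from the thread. Only the list names ORDDATA and GLDATA and the library PRODDTA come from the messages; the files WORKORD and GLMAST, the group profiles GRPORD and GRPGL, the user IFACEUSR and the library-level list PRODLIB are hypothetical, and the program is written as a one-time setup run by a security officer.

```cl
/* Added example: one-time setup, hypothetical object names.          */
PGM
  /* Group profiles: PASSWORD(*NONE) so nobody can sign on as a group */
  CRTUSRPRF  USRPRF(GRPORD) PASSWORD(*NONE) TEXT('Order data group')
  CRTUSRPRF  USRPRF(GRPGL)  PASSWORD(*NONE) TEXT('G/L data group')

  /* One authority list per functional area, public excluded          */
  CRTAUTL    AUTL(ORDDATA) AUT(*EXCLUDE) TEXT('Order files')
  CRTAUTL    AUTL(GLDATA)  AUT(*EXCLUDE) TEXT('G/L files')
  /* Assumption: a separate list secures only the library object      */
  CRTAUTL    AUTL(PRODLIB) AUT(*EXCLUDE) TEXT('PRODDTA library')

  /* Groups, not individual users, go on the lists                    */
  ADDAUTLE   AUTL(ORDDATA) USER(GRPORD) AUT(*USE)
  ADDAUTLE   AUTL(GLDATA)  USER(GRPGL)  AUT(*CHANGE)
  ADDAUTLE   AUTL(PRODLIB) USER(GRPORD) AUT(*USE)
  ADDAUTLE   AUTL(PRODLIB) USER(GRPGL)  AUT(*USE)

  /* Library: reachable by both groups through PRODLIB                */
  GRTOBJAUT  OBJ(QSYS/PRODDTA) OBJTYPE(*LIB) AUTL(PRODLIB)
  GRTOBJAUT  OBJ(QSYS/PRODDTA) OBJTYPE(*LIB) USER(*PUBLIC) AUT(*AUTL)

  /* Work order file is secured by ORDDATA, G/L file by GLDATA        */
  GRTOBJAUT  OBJ(PRODDTA/WORKORD) OBJTYPE(*FILE) AUTL(ORDDATA)
  GRTOBJAUT  OBJ(PRODDTA/WORKORD) OBJTYPE(*FILE) USER(*PUBLIC) AUT(*AUTL)
  GRTOBJAUT  OBJ(PRODDTA/GLMAST)  OBJTYPE(*FILE) AUTL(GLDATA)
  GRTOBJAUT  OBJ(PRODDTA/GLMAST)  OBJTYPE(*FILE) USER(*PUBLIC) AUT(*AUTL)

  /* The interface user gets access by group membership only          */
  CHGUSRPRF  USRPRF(IFACEUSR) GRPPRF(GRPORD)

  /* Assumes IFACEUSR still holds the private *USE grants described   */
  /* in the quoted message; drop them so the lists are the only path  */
  RVKOBJAUT  OBJ(PRODDTA/WORKORD) OBJTYPE(*FILE) USER(IFACEUSR) AUT(*ALL)
  RVKOBJAUT  OBJ(QSYS/PRODDTA)    OBJTYPE(*LIB)  USER(IFACEUSR) AUT(*ALL)

  /* Check: print who is on each list and which objects it secures    */
  DSPAUTL    AUTL(ORDDATA) OUTPUT(*PRINT)
  DSPAUTLOBJ AUTL(ORDDATA) OUTPUT(*PRINT)
  DSPAUTL    AUTL(GLDATA)  OUTPUT(*PRINT)
  DSPAUTLOBJ AUTL(GLDATA)  OUTPUT(*PRINT)
ENDPGM
```

After this, IFACEUSR reaches WORKORD through GRPORD on ORDDATA and has no path to GLMAST, because GRPORD is not on GLDATA and *PUBLIC on that list is *EXCLUDE.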

This mailing list archive is Copyright 1997-2024 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page. If you have questions about this, please contact [javascript protected email address].
