× The internal search function is temporarily non-functional. The current search engine is no longer viable and we are researching alternatives.
As a stop gap measure, we are using Google's custom search engine service.
If you know of an easy to use, open source, search engine ... please contact support@midrange.com.


  1.  Home
  2. MIDRANGE-L
  3. February 2017

RE: More detail on authority failure

A security audit flagged that the vendor profile had *PUBLIC *ALL authority. I contacted the vendor, and they said that's the default and recommended authority. Other customers have reported varying results with changing that authority, but it's not recommended or supported.

I changed the authority to the default authority for profiles, *PUBLIC *EXCLUDE. No loss of functionality resulted, but we're seeing a number of authority failures in the audit logs.





-----Original Message-----
From: Rob Berendt [mailto:rob@xxxxxxxxx]
Sent: Thursday, February 23, 2017 10:04 AM
To: Midrange Systems Technical Discussion <midrange-l@xxxxxxxxxxxx>
Subject: RE: More detail on authority failure

<snip>
The vendor says to grant *PUBLIC *ALL to their *ALLOBJ profile and just forget about it. I'm uncomfortable with that.
</snip>

+1

Did you modify the program and change the ownership or some such thing?
Did you restore it wrong which destroyed the ownership? Like forget to change ALWOBJDIF(*ALL)?
If you do a DSPPGM does it show
User profile . . . . . . . . . . . . . . . . . : *USER
or
User profile . . . . . . . . . . . . . . . . . : *OWNER
If *OWNER then just change the owner to their *ALLOBJ profile.
If *USER then tell them to fix the program

Another possibility was that this was working "if" you see
Use adopted authority . . . . . . . . . . . . : *YES
but someone changed some program higher up the call stack, removed the "*YES" on one of those programs and it is no longer passing that on down.

Again, if you see
User profile: *USER
and you see
Use adopted authority: *NO
then tell the vendor to fix it.


Rob Berendt
--
IBM Certified System Administrator - IBM i 6.1 Group Dekko Dept 1600 Mail to: 2505 Dekko Drive
Garrett, IN 46738
Ship to: Dock 108
6928N 400E
Kendallville, IN 46755
http://www.dekko.com



As an Amazon Associate we earn from qualifying purchases.

This thread ...
Follow-Ups:
Replies:
Follow On AppleNews
Return to Archive home page | Return to MIDRANGE.COM home page

This mailing list archive is Copyright 1997-2024 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page. If you have questions about this, please contact [javascript protected email address].

Operating expenses for this site are earned using the Amazon Associate program and Google Adsense.