Hello,
That is roughly what we are doing here.
- A single profile is the owner of everything
- Users do not have any authority
- All programs are compile with USRPRF(*OWNER)
- All programs have public authority set to *USE
- We use an in house program to allow/block the call to program based of user roles
A few things to consider:
- If a program present a command line, then the user can do anything. You want to avoid that.
- you probably want the value "use adopted authority" set to *NO. this way, you will be able to handle exception that will surely arise (like a program that present a command line).
- You may also want to investigate Access List if you ever need to give access outside of program (to download a file to excel for example)
- note that this setup does not work for client/server type of access (ODBC ...). To handle those, we use swap profile. But that is another subject.
This has worked well for over 10 years here.
Hope this help
Denis Robitaille
Chef de service TI – Solution d’entreprise
Infrastructure et opérations
CASCADES CENTRE DES TECHNOLOGIES
412 Marie Victorin
Kingsey falls(Québec) Canada J0A 1B0
Tél : 819 363 6100 Poste :52130
Cell : 819 352 9362
-----Message d'origine-----
De : MIDRANGE-L <midrange-l-bounces@xxxxxxxxxxxx> De la part de a4g atl
Envoyé : 5 octobre 2018 10:08
À : midrange-l@xxxxxxxxxxxx
Objet : Use of adopted profiles
Is there a document that describes how the adopted authority works and maybe best practices? I am reviewing a project to lock the system down and it has been a long time since I last set up a highly secure system.
My plan is to
- revoke all authorities from user libraries, objects and the IFS.
- Grant authority to a group profile.
- The group profile will own all objects.
- Users will have none or limited authority directly.
- When users signon to the menu, the menu program will grant authority whilst using the job. When they sign off, they will have no authority.
Objective:
- Prevent unauthorized access to the system
- There are users on multiple systems accessing this system and its wide open. - Plan to grant authority to objects only where required example read rights to file where a remote system needs to access files to retrieve data and so on.
The same will apply to the IFS.
What are the best practices today? I know some folk don't like this approach but it is one of the cleanest and easiest approaches to implement and maintain.
TIA
Darryl Freinkel
--
This is the Midrange Systems Technical Discussion (MIDRANGE-L) mailing list To post a message email: MIDRANGE-L@xxxxxxxxxxxx To subscribe, unsubscribe, or change list options,
visit:
https://lists.midrange.com/mailman/listinfo/midrange-l
or email: MIDRANGE-L-request@xxxxxxxxxxxx Before posting, please take a moment to review the archives at
https://archive.midrange.com/midrange-l.
Please contact support@xxxxxxxxxxxx for any subscription related questions.
Help support midrange.com by shopping at amazon.com with our affiliate link:
http://amzn.to/2dEadiD Cascades - ATTENTION: Ce courriel provient de l'extérieur de l'organisation. Ne pas cliquer sur les liens et ne pas ouvrir les pièces jointes sauf si vous reconnaissez l'expéditeur et que vous êtes sûr que le contenu est légitime.
Cascades - CAUTION: This email is from outside the organization. Do not click on links or open attachments unless you recognize the sender and you are sure the content is safe.
midrange.com
