RE: Use of adopted profiles

I don't know of a best practice guide, but I can tell you the IFS doesn't support adopted authority.


-----Original Message-----
From: a4g atl [mailto:a4ginatl2@xxxxxxxxx]
Sent: Friday, October 05, 2018 9:08 AM
To: midrange-l@xxxxxxxxxxxx
Subject: Use of adopted profiles

Is there a document that describes how the adopted authority works and maybe best practices? I am reviewing a project to lock the system down and it has been a long time since I last set up a highly secure system.

My plan is to
- revoke all authorities from user libraries, objects and the IFS.
- Grant authority to a group profile.
- The group profile will own all objects.
- Users will have none or limited authority directly.
- When users signon to the menu, the menu program will grant authority whilst using the job. When they sign off, they will have no authority.

Objective:
- Prevent unauthorized access to the system
- There are users on multiple systems accessing this system and its wide open. - Plan to grant authority to objects only where required example read rights to file where a remote system needs to access files to retrieve data and so on.

The same will apply to the IFS.

What are the best practices today? I know some folk don't like this approach but it is one of the cleanest and easiest approaches to implement and maintain.

TIA

Darryl Freinkel