|
QUSER should have NO authority to that user profile. That job does a
"profile swap" to the user named in the ODBC connection. In all the new
SQL services I think one is called job_user and the other is current_user,
or maybe not, but basically they are different.
So if I do an ODBC connection you may see the job 138882/QUSER/QZDASOINIT,
but the current user profile will be ROB.
So how does the program used by QUSER get authority to ROB to be able to
do a profile swap to ROB? That's a secret known but to IBM. Mere mortals
like us would use adopted authority, and then that adopted program would
then use the profile swap APIs to do the profile swap. IBM has other
techniques. If you really get into security audit monitoring all the time
I see jobs temporarily getting ahold of QSECOFR but none of them are using
adopted authority. It's mind numbing. I have a project to hunt these down
but there are so many by IBM it's drowning.
Again, profile swapping is not the same as adopted authority. Mortals use
adopted authority only so they can do profile swapping.
Rob Berendt
--
IBM Certified System Administrator - IBM i 6.1
Group Dekko
Dept 1600
Mail to: 2505 Dekko Drive
Garrett, IN 46738
Ship to: Dock 108
6928N 400E
Kendallville, IN 46755
http://www.dekko.com
-----Original Message-----
From: MIDRANGE-L <midrange-l-bounces@xxxxxxxxxxxxxxxxxx> On Behalf Of
Gerald Magnuson
Sent: Thursday, September 19, 2019 2:34 PM
To: midrange-l@xxxxxxxxxxxxxxxxxx
Subject: audit log authority failures
CAUTION: This email originated from outside of the organization. Do not
click links or open attachments unless you recognize the sender and know
the content is safe.
Not authorized to object fileType=*USRPRF cs1Label=objName cs1=QSYS/QUSER
suser=PHPODBC sproc=138882/QUSER/QZDASOINIT shost=XXXXXXX
src=XXX.XXX.XXX.XXX spt=38222
what authority should the user profile QUSR have?
--
This is the Midrange Systems Technical Discussion (MIDRANGE-L) mailing
list To post a message email: MIDRANGE-L@xxxxxxxxxxxxxxxxxx To subscribe,
unsubscribe, or change list options,
visit: https://lists.midrange.com/mailman/listinfo/midrange-l
or email: MIDRANGE-L-request@xxxxxxxxxxxxxxxxxx
Before posting, please take a moment to review the archives at
https://archive.midrange.com/midrange-l.
Please contact support@xxxxxxxxxxxx for any subscription related
questions.
Help support midrange.com by shopping at amazon.com with our affiliate
link: https://amazon.midrange.com
--
This is the Midrange Systems Technical Discussion (MIDRANGE-L) mailing list
To post a message email: MIDRANGE-L@xxxxxxxxxxxxxxxxxx
To subscribe, unsubscribe, or change list options,
visit: https://lists.midrange.com/mailman/listinfo/midrange-l
or email: MIDRANGE-L-request@xxxxxxxxxxxxxxxxxx
Before posting, please take a moment to review the archives
at https://archive.midrange.com/midrange-l.
Please contact support@xxxxxxxxxxxx for any subscription related
questions.
Help support midrange.com by shopping at amazon.com with our affiliate
link: https://amazon.midrange.com
As an Amazon Associate we earn from qualifying purchases.
This mailing list archive is Copyright 1997-2024 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page. If you have questions about this, please contact [javascript protected email address].
Operating expenses for this site are earned using the Amazon Associate program and Google Adsense.
midrange.com
