


Don't you have the same problem with that individual BI user when you try to GRTOBJAUT to that individual file?

I'm assuming that individual file already has the authority list applied to it. The same applies if you want to remove that particular user's authority from that file, doesn't it?

--
*Peter Dow*
Dow Software Services, Inc.
909 793-9050
petercdow@xxxxxxxxx
pdow@xxxxxxxxxxxxxx


On 5/21/2020 5:03 AM, Andrew Lopez (SXS US) wrote:
I believe that security is flawed. Because when you put users into that group they automatically have total access to that data. They can connect using ODBC and 6,000+ other things and modify the data at will.
Sure, three decades ago one could say they had no command line access and get smirky. But those days are long gone. If they have such access you're now down to playing whack-a-mole with exit point tools, etc.
I think I mentioned that was a path I didn't want to go down.
I would disagree, because the use of authority lists doesn't mean you can't grant individual access to a file for a particular user. On the other hand, authority lists are indispensable when making mass changes to a Production system. If the system can't give you a lock on a file to change authority because it is in use, you had better have a way of getting things resolved without ending all the processes that have the file locked.

So, for our production database I have an authority list of #PRODDTA that can handle all of the standard access, including *PUBLIC EXCLUDE. If a Business Intelligence user needs access to an individual file, I can GRTOBJAUT *USE for the user profile to the individual object. I can then create a CL that both ensures all objects in the library are assigned to authority list #PRODDTA, and grants all the documented user authority to individual files (and also documents what exceptions I have).

How have I lost anything there, or how is it less secure?




This mailing list archive is Copyright 1997-2024 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page. If you have questions about this, please contact [javascript protected email address].