× The internal search function is temporarily non-functional. The current search engine is no longer viable and we are researching alternatives.
As a stop gap measure, we are using Google's custom search engine service.
If you know of an easy to use, open source, search engine ... please contact support@midrange.com.


  1.  Home
  2. MIDRANGE-L
  3. May 2020

Re: Authority Collection

Hi Patrick,

Speaking for myself, access is not necessarily access.  In days gone by, if the only way a user could modify a file was through a particular program, that program would limit what you can do to the file, e.g. read-only, modify one or two fields, nothing more.  You could grant that user all authority to the file and it wouldn't matter - all they could do is what the program allowed them to do.

Then you had to worry about whether they had command line access. If they did, they could delete the file, use some utility like DFU or DBU to change any fields in the file, etc.  So you could change the user profile to LMTCPB(*YES) and they could not get a command line, and the file was safe once again.

Now we have multiple ways for users to access data, FTP, ODBC, etc. and many tools they can use to modify the file, so it's not as simple to limit a user to doing just the things a program allows them to do.  That's when you exclude *PUBLIC and let that particular program adopt authority so it can access the file, and then exclude *PUBLIC from the program except for those users you designate.

It all depends on what you want to allow users to do to the data. For example, payroll.  Some places allow the user to change their personal info (name, address, phone#, email, etc) but not payroll data (salary, hourly rate, deductions, etc.)  even though all that information might be in the employee file.

--
*Peter Dow* /
Dow Software Services, Inc.
909 793-9050
petercdow@xxxxxxxxx <mailto:petercdow@xxxxxxxxx>
pdow@xxxxxxxxxxxxxx <mailto:pdow@xxxxxxxxxxxxxx> /

On 5/21/2020 10:19 AM, Patrik Schindler wrote:
Hello Rob,

Am 21.05.2020 um 13:28 schrieb Rob Berendt <rob@xxxxxxxxx>:

I believe that security is flawed.
Maybe in an IBM i environment. I don't have much experience, yet.

Because when you put users into that group they automatically have total access to that data. They can connect using ODBC and 6,000+ other things and modify the data at will.
Yes, that's what's it all about. Access is access. From my PoV, it's unimportant if an user is navigating via unix shell, connecting via SMB or ftp or whatever to a Linux box. The access rights are obeyed by all services.

If an user is permitted to to a RMVM from CL, delete via FTP, drop table via ODBC doesn't matter much. He *has* the power (most often because he *needs* to change data) and if he abuses that power, there are legal consequences and a backup.

Maybe my Point of View is not applicable in an IBM i context. But honestly, I can't help you then.

Sure, three decades ago one could say they had no command line access and get smirky. But those days are long gone. If they have such access you're now down to playing whack-a-mole with exit point tools, etc.
I think I mentioned that was a path I didn't want to go down.
Sorry, I didn't understand from your initial statements that you considered this way already.

:wq! PoC

PGP-Key: DDD3 4ABF 6413 38DE - https://www.pocnet.net/poc-key.asc




As an Amazon Associate we earn from qualifying purchases.

This thread ...
Follow-Ups:
Replies:
Follow On AppleNews
Return to Archive home page | Return to MIDRANGE.COM home page

This mailing list archive is Copyright 1997-2024 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page. If you have questions about this, please contact [javascript protected email address].

Operating expenses for this site are earned using the Amazon Associate program and Google Adsense.