|
But if you used correctly, adopted authority can actually reduce your exposure to security problems. Let us say that a particular application has a function to clear a file down. This would require access to both the CLRPFM command and the file in question. Using adopted authority you could prevent this being allowed from outside the correct program (programmers could be malicious too). I would totally agree with your comments and stress that if not set up correctly, that yes you can leave yourself open to the kind of problems you mention. All revolves around security setups being DESIGNED, and not EVOLVED or done on the fly as is too often the case! alan shore <SHOREA@dime.com>@INTERNET@midrange.com> on 27/07/2001 15:27:16 Please respond to RPG400-L <RPG400-L@midrange.com>@INTERNET Sent by: owner-rpg400-l <owner-rpg400-l@midrange.com> To: RPG400-L <RPG400-L@midrange.com>@INTERNET cc: Subject: RE: Programing Question/Authority... I have been VERY cautious in taking this approach, as this means that ANYBODY that can sign onto the system can really play havoc with the system JUST by using the application. Fred Blogs has a valid profile/password to sign onto the system, and even with NO command line can apply payments, withdraw funds, place orders etc. just by following the menu options, because there is NO security to stop him due to the application giving him the authority because he is signed on. Whereas, if authorization per Group profile or user profile was applied to the files within the production libraries, the security would stop him because he is NOT authorized to update a particular master file. He is only allowed to read the master file. Using adopted owner authority should be used ONLY where needed, NOT across the gamut of the application. But then thats just my opinion, for what its worth. >>> "Njal Fisketjon" <n.f@figu.no> 07/26/01 08:43PM >>> I am a bit surprised to see all the postings regarding USRPRF(*OWNER) I always thought this was the recommended way of handling db security: - use public *Exclude on all libraries - let each application (all programs and files) be owned by an owner profile with pwd *none - use USRPRF(*OWNER) on all application programs Something important must have slipped by me if this is no longer a recommended approach. +--- | This is the RPG/400 Mailing List! | To submit a new message, send your mail to RPG400-L@midrange.com. | To subscribe to this list send email to RPG400-L-SUB@midrange.com. | To unsubscribe from this list send email to RPG400-L-UNSUB@midrange.com. | Questions should be directed to the list owner/operator: david@midrange.com +--- +--- | This is the RPG/400 Mailing List! | To submit a new message, send your mail to RPG400-L@midrange.com. | To subscribe to this list send email to RPG400-L-SUB@midrange.com. | To unsubscribe from this list send email to RPG400-L-UNSUB@midrange.com. | Questions should be directed to the list owner/operator: david@midrange.com +--- +--- | This is the RPG/400 Mailing List! | To submit a new message, send your mail to RPG400-L@midrange.com. | To subscribe to this list send email to RPG400-L-SUB@midrange.com. | To unsubscribe from this list send email to RPG400-L-UNSUB@midrange.com. | Questions should be directed to the list owner/operator: david@midrange.com +---
As an Amazon Associate we earn from qualifying purchases.
This mailing list archive is Copyright 1997-2024 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page. If you have questions about this, please contact [javascript protected email address].
Operating expenses for this site are earned using the Amazon Associate program and Google Adsense.