Hello Ban Dan Bale Dale (one of those has to be correct :-),

You wrote:
>IBM: Why do I have to play this game? This is silly. Where is this
>documented? How the h*ll can I administer a system if I'm doomed to
>wait until after a user's attempt to use a function fails?

The authorities for ALL XPF commands (and many of the LPP commands) are listed in an Appendix of the Security Reference manual -- which I see you eventually found.

A cursory check of my system, which has lots of IBM stuff installed, shows 1,767 commands in QSYS of which 1,403 have *PUBLIC *USE. Most of those would have been shipped that way. So most commands do allow public access. Many of those commands also require *IOSYSCFG (or some other) special authority, for instance the various CFGTCPxxx commands.

IBM ship commands that change the system, environment, or expose the system, with PUBLIC *EXCLUDE or require a special authority in order to protect you (and them from spurious accusations). You must do something to reduce the security, therefore they presume you know what you are doing.

What most people do is make their operators, programmers, and administrators a member of the appropriate IBM-supplied profile (i.e., use QSYSOPR or QPGMR as a group profile). I think that is wrong and you should create your own group profiles. You can either duplicate the IBM ones or use the GRTUSRAUT command to give your group profiles the same object authority as the IBM ones. Then you can remove sensitive commands from your group profiles and give them to only those people who really need them.

You should decide the roles of your users, then check they have authority to the commands they need to fulfill that role.

>I have what sounds like the same issue being discussed in a different
>thread on this list. It appears that commands generally (always?)
>require *USE authority to be able to use them. And the reason this
>hasn't been an issue with most commands is that most commands are
>shipped with *PUBLIC *USE (and not *EXCLUDE).

You require at least *USE authority in order to use ANY object (not counting the IFS which has its own rules).

Regards,
Simon Coulter.

FlyByNight Software    AS/400 Technical Specialists
Eclipse the competition - run your business on an IBM AS/400.
Phone: +61 3 9419 0175   Mobile: +61 0411 091 400
Fax: +61 3 9419 0175   mailto: shc@flybynight.com.au
ASCII Ribbon campaign against HTML E-Mail
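The group-profile approach described in the message above, written out as a CL sketch. This is an added example, not part of the original post: the profile names OPSGRP and JSMITH are hypothetical, and PWRDWNSYS is used here only as an assumed stand-in for "a sensitive command" (the message does not name one).

```cl
/* Added example, not from the original message.                    */
/* OPSGRP and JSMITH are hypothetical names; PWRDWNSYS is an        */
/* assumed example of a command you may want to restrict.           */
PGM

  /* 1. Create a site-owned group profile instead of using QSYSOPR  */
  /*    itself as the group. PASSWORD(*NONE) prevents sign-on with  */
  /*    the group profile.                                          */
  CRTUSRPRF  USRPRF(OPSGRP) PASSWORD(*NONE) USRCLS(*USER) +
             TEXT('Site operator group - replaces QSYSOPR as group')

  /* 2. Give the new group the same object authorities that the     */
  /*    IBM-supplied profile holds.                                 */
  GRTUSRAUT  USER(OPSGRP) REFUSER(QSYSOPR)

  /* 3. Remove the sensitive command from the group.                */
  RVKOBJAUT  OBJ(QSYS/PWRDWNSYS) OBJTYPE(*CMD) USER(OPSGRP) AUT(*ALL)

  /* 4. Grant it only to the individual who really needs it.        */
  GRTOBJAUT  OBJ(QSYS/PWRDWNSYS) OBJTYPE(*CMD) USER(JSMITH) AUT(*USE)

  /* 5. Put the user in the site group rather than in QSYSOPR.      */
  CHGUSRPRF  USRPRF(JSMITH) GRPPRF(OPSGRP)

  /* 6. Check the result before a user's attempt fails: the listing */
  /*    shows *PUBLIC and each private authority on the command.    */
  DSPOBJAUT  OBJ(QSYS/PWRDWNSYS) OBJTYPE(*CMD) OUTPUT(*PRINT)

ENDPGM
```

Step 3 only has an effect when the command's *PUBLIC authority is *EXCLUDE; if *PUBLIC has *USE, group members still reach the command through public authority, so check the DSPOBJAUT listing for both.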
This mailing list archive is Copyright 1997-2024 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page. If you have questions about this, please contact [javascript protected email address].