Group,

Yup, adopted authority works.  Security level risks minimal (I think)
as program is called and exited so it's not under anything in the 
call stack.

Thanks for all the help.

John B.

------------------------------

Date: Fri, 10 Jan 2003 14:06:49 -0800 (PST)
From: Dan <dbcerpg@yahoo.com>
To: Security Administration on the AS400 / iSeries
<security400@midrange.com>
Subject: Re: [Security400] RE: DMPSYSOBJ adopted authority
Message-ID: <20030110220649.27928.qmail@web14506.mail.yahoo.com>
In-Reply-To: <52387354A65AD51193860008C7B19E2203181E3B@mail.tc.inet>
Content-Type: text/plain; charset=us-ascii
MIME-Version: 1.0
Precedence: list
Reply-To: Security Administration on the AS400 / iSeries
        <security400@midrange.com>
Message: 5

This is where I get a bit fuzzy, so others more knowledgeable in here
will confirm or deny...

Actually, you wouldn't give the program an *ALLOBJ authority.  You
would "label" the program object to always run as if it was being run
by another user profile that had appropriate authority, in this case,
*ALLOBJ.  In this case, you might ask your boss to change the ownership
of the program object to his profile, then do a CHGPGM on it with parms
USRPRF(*OWNER) USEADPAUT(*YES).  Then see if you can run it under your
signon.

There are some potential security pitfalls with adopted authority, but
your environment, being at level 20, doesn't appear to be a high risk
environment.

--- "Rusling, John B. (Alliance)" <jbrusling@alliancedev.com> wrote:
> Thanks for the information Philip and Dan.
> 
> Dan,
> 
> So...  there must be a way to give the RTVPDMDFTP CL pgm
> *ALLOBJ authority then ?
> 
> Is this what you mean.
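
The steps described in this message, written out as a CL command sequence. This is an added example, not part of the original post; MYLIB, BOSS and JOHNB are placeholder names (the thread does not give the library or the profile names), and the authority restriction and verification steps go beyond what the post describes.

```cl
/* Added example. MYLIB, BOSS and JOHNB are placeholders, not names   */
/* from the thread. Run by a profile allowed to change the object.    */

/* 1. Make the profile that holds *ALLOBJ the owner of the program.   */
CHGOBJOWN  OBJ(MYLIB/RTVPDMDFTP) OBJTYPE(*PGM) NEWOWN(BOSS)

/* 2. Have the program run under its owner's authority, with the      */
/*    parameters given in the post.                                   */
CHGPGM     PGM(MYLIB/RTVPDMDFTP) USRPRF(*OWNER) USEADPAUT(*YES)

/* 3. An adopting program lends the owner's authority to whoever can  */
/*    call it, so shut out *PUBLIC and grant *USE only to the         */
/*    profile that needs it.                                          */
GRTOBJAUT  OBJ(MYLIB/RTVPDMDFTP) OBJTYPE(*PGM) USER(*PUBLIC) +
             AUT(*EXCLUDE)
GRTOBJAUT  OBJ(MYLIB/RTVPDMDFTP) OBJTYPE(*PGM) USER(JOHNB) AUT(*USE)

/* 4. Verify: DSPPGM shows the USRPRF and USEADPAUT attributes,       */
/*    DSPOBJAUT shows who may call the program, and DSPPGMADP lists   */
/*    every program that adopts the BOSS profile.                     */
DSPPGM     PGM(MYLIB/RTVPDMDFTP)
DSPOBJAUT  OBJ(MYLIB/RTVPDMDFTP) OBJTYPE(*PGM)
DSPPGMADP  USRPRF(BOSS) OUTPUT(*PRINT)
```

Running DSPPGMADP periodically against each powerful profile gives a list of adopting programs to review.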


------------------------------

Date: Fri, 10 Jan 2003 16:22:55 -0600
From: "Hall, Philip" <phall@spss.com>
To: "Security Administration on the AS400 / iSeries"
        <security400@midrange.com>
Subject: RE: [Security400] Retrieve PDM Default Options (F18) using
DMPSYSOBJ.
Message-ID: <0AB647D29447FA4C818A8EE43B1F4FA38D7E00@hqemail1.spss.com>
Content-Type: text/plain;
        charset="US-ASCII"
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
Precedence: list
Reply-To: Security Administration on the AS400 / iSeries
        <security400@midrange.com>
Message: 6

> --- "Hall, Philip" <phall@spss.com> wrote:
> > > John indicated to me earlier that his system is on security level
> > > 20.  I thought that was signon password security only.  Or is that
> > > level 10?
> > 
> > If he had to ask to get access to DMPOBJ/DMPSYSOBJ then me thinks
> > it's level 10.
> 
> You mean 20?

I meant 10 in answer to your 'is that level 10' - John is probably at 30

> > > John, just remember you can still do this with adopted authority.
> > 
> > Yes that's true, but easier to develop it first using perhaps a temp
> > id that can do what he wants, or at least have all access to the temp
> > id ?
> > 
> 
> Must be late on Friday.  What did you just say?  <g>

What I meant to say was:
what's the easiest/safest way to develop a program that will eventually adopt
auth when you have low auth to start with?  Using a temp test ID or temp
test objects that you have full access to?

------------------------------

Date: Fri, 10 Jan 2003 14:39:54 -0800
From: "John Earl" <john.earl@powertechgroup.com>
To: "'Security Administration on the AS400 / iSeries'"
        <security400@midrange.com>
Subject: RE: [Security400] Retrieve PDM Default Options (F18) using
DMPSYSOBJ.
Message-ID: <00c401c2b8f9$32ec0010$5801000a@castlerock>
In-Reply-To:
<FAD7A1A61D7EBF49B994F1A4BBDCD3044EF2CA@neptune.techsoftwareinc.com>
Content-Type: text/plain;
        charset="iso-8859-1"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Precedence: list
Reply-To: Security Administration on the AS400 / iSeries
        <security400@midrange.com>
Message: 7


> IIRC,
> Level 10 will create an ID for you
> Level 20 needs valid IDs, but everyone is *ALLOBJ
> Level 30 is resource security

Yes, but as a point of clarification, level 10 does not allow for
password security and everyone has *ALLOBJ.  

It's as secure as MS-DOS!  :O

jte



John Earl - john.earl@powertechgroup.com
The PowerTech Group - Seattle, WA 
+1-253-872-7788 - www.powertech.com


------------------------------

_______________________________________________
This is the Security Administration on the AS400 / iSeries (Security400)
digest list
To post a message email: Security400@midrange.com
To subscribe, unsubscribe, or change list options,
visit: http://lists.midrange.com/mailman/listinfo.cgi/security400
or email: Security400-request@midrange.com
Before posting, please take a moment to review the archives
at http://archive.midrange.com/security400.



End of Security400 Digest, Vol 1, Issue 112
*******************************************
