rob wrote:
>One thing to beware of with group profiles is that the group profile
>should have NO special authority. Otherwise, members of that group get
>that special authority.

This is generally true, but can be used if it's applied carefully, i.e., not to be applied without significant experience and a thorough understanding of the risks. That's because the individual's authority is checked first, and if a matching authority is found, the group authority is not looked at.

Example (_not_ recommended, for illustration only):

MYGROUP has *ALLOBJ
MYPROFILE has private *EXCLUDE for file PAYROLL

When MYPROFILE accesses PAYROLL, an authority failure occurs and *ALLOBJ is not invoked. Access to PAYROLL is denied. The private *EXCLUDE is found and authority checking ends regardless of authorities that might be found with further checking.

This is obviously dangerous because of all the individual *EXCLUDEs that have to be granted for MYPROFILE in order to block every possible workaround (and I don't think that enough can be granted), but I've used this authority checking behavior to control specific activities in certain circumstances when the MYPROFILE user was learning and I wanted particular protections.

>But group profiles only work if you've:
>- Locked down all command line access
>- Locked down all exit points with a good tool
>- Menuing system restricts people from running unauthorized programs.

While this may be more true for special authorities, I'm not clear what it means for normal application groups. How would giving authority through a group make any difference instead of giving it to the individual, other than adding a layer to authority checking?

Note that "group" does not automatically mean "owner" nor should it automatically mean "special authority". A group profile is a way to give a uniform set of authorities to the members of the group, with the possibility to have more granular control for individuals at the same time.
Tom Liotta
--
Tom Liotta
The PowerTech Group, Inc.
19426 68th Avenue South
Kent, WA 98032
Phone 253-872-7788 x313
Fax 253-872-7904
http://www.powertechgroup.com
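The search order Tom describes (user's own authority first, group profile only if nothing is found for the user, then *PUBLIC) as an added Python model; this is not code from the post or from PowerTech, and it deliberately simplifies the real IBM i flowchart (no authorization lists, adopted authority or accumulated multi-group authority). The profile names and the *USE/*CHANGE/*ALL ranking are constructed for the illustration, and the audit helper at the end flags what rob warns about: group profiles carrying special authority that every member inherits.

```python
from dataclasses import dataclass, field

EXCLUDE = "*EXCLUDE"
ALLOBJ = "*ALLOBJ"

@dataclass
class Profile:
    name: str
    special: set = field(default_factory=set)    # special authorities, e.g. {"*ALLOBJ"}
    private: dict = field(default_factory=dict)  # object name -> private authority
    groups: list = field(default_factory=list)   # group Profile objects

def _grants(auth: str, needed: str) -> bool:
    # Constructed ranking for the illustration: *EXCLUDE < *USE < *CHANGE < *ALL
    rank = {EXCLUDE: 0, "*USE": 1, "*CHANGE": 2, "*ALL": 3}
    return rank.get(auth, 0) >= rank[needed]

def check_authority(user: Profile, obj: str, needed: str, public: str = EXCLUDE):
    """Return (authorized, reason). Assumption matching the post: once a private
    authority entry exists for the user, the search stops there even if it is
    *EXCLUDE, so a group's *ALLOBJ is never consulted."""
    if ALLOBJ in user.special:
        return True, f"{user.name} has *ALLOBJ"
    if obj in user.private:
        auth = user.private[obj]
        return _grants(auth, needed), f"{user.name} private {auth} on {obj}"
    for g in user.groups:                        # reached only if the user has no private entry
        if ALLOBJ in g.special:
            return True, f"group {g.name} has *ALLOBJ"
        if obj in g.private:
            auth = g.private[obj]
            return _grants(auth, needed), f"group {g.name} private {auth} on {obj}"
    return _grants(public, needed), f"*PUBLIC {public} on {obj}"

def groups_with_special_authority(profiles):
    """Audit helper: names of group profiles whose special authorities members inherit."""
    groups = {g.name: g for p in profiles for g in p.groups}
    return sorted(name for name, g in groups.items() if g.special)

# Constructed sample mirroring the post: MYGROUP has *ALLOBJ, MYPROFILE has *EXCLUDE on PAYROLL
MYGROUP = Profile("MYGROUP", special={ALLOBJ})
MYPROFILE = Profile("MYPROFILE", private={"PAYROLL": EXCLUDE}, groups=[MYGROUP])
OTHERUSER = Profile("OTHERUSER", groups=[MYGROUP])   # same group, no private entry

if __name__ == "__main__":
    for u in (MYPROFILE, OTHERUSER):
        print(u.name, check_authority(u, "PAYROLL", "*USE"))
    print("groups with special authority:", groups_with_special_authority([MYPROFILE, OTHERUSER]))
```

Running it shows MYPROFILE denied by its own *EXCLUDE while OTHERUSER, a member of the same group with no private entry, is granted through MYGROUP's *ALLOBJ, which is exactly why the group's special authority is the thing to audit.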