rob wrote:

>One thing to beware of with group profiles is that the group profile 
>should have NO special authority.  Otherwise, members of that group get 
>that special authority.

This is generally true, but it can be used if applied carefully, i.e., not 
without significant experience and a thorough understanding of the risks. 
That's because the individual's authority is checked first, and if a matching 
authority is found, the group authority is not looked at.

Example (_not_ recommended, for illustration only):

MYGROUP has *ALLOBJ
MYPROFILE has private *EXCLUDE for file PAYROLL

When MYPROFILE accesses PAYROLL, an authority failure occurs and *ALLOBJ is not 
invoked. Access to PAYROLL is denied. The private *EXCLUDE is found and 
authority checking ends regardless of authorities that might be found with 
further checking.

This is obviously dangerous because of all the individual *EXCLUDEs that have 
to be granted for MYPROFILE in order to block every possible workaround (and I 
don't think that enough can be granted), but I've used this authority checking 
behavior to control specific activities in certain circumstances when the 
MYPROFILE user was learning and I wanted particular protections.


>But group profiles only work if you've:
>- Locked down all command line access
>- Locked down all exit points with a good tool
>- Menuing system restricts people from running unauthorized programs.

While this may be more true for special authorities, I'm not clear what it 
means for normal application groups. How would giving authority through a group 
make any difference instead of giving it to the individual, other than adding a 
layer to authority checking?

Note that "group" does not automatically mean "owner" nor should it 
automatically mean "special authority". A group profile is a way to give a 
uniform set of authorities to the members of the group, with the possibility to 
have more granular control for individuals at the same time.

Tom Liotta

-- 
Tom Liotta
The PowerTech Group, Inc.
19426 68th Avenue South
Kent, WA 98032
Phone  253-872-7788 x313
Fax    253-872-7904
http://www.powertechgroup.com
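As an added illustration (not code from the post, from PowerTech or from IBM), the Python below models the authority-search order the post relies on: the user's own *ALLOBJ, then the user's private authority (first match ends the search, even when it is *EXCLUDE), then the group's *ALLOBJ and private authority, then *PUBLIC. It reproduces the MYGROUP / MYPROFILE / PAYROLL case and then goes one step beyond the post to show the workaround problem: an object on which nobody granted MYPROFILE a private *EXCLUDE (PAYROLL_COPY, constructed here) falls straight through to the group's *ALLOBJ. The names PAYROLL_COPY, APPGRP and USER1, the *USE / *CHANGE requests, the single-group limit, the omission of adopted authority, authorization lists and primary-group authority, and the *EXCLUDE < *USE < *CHANGE < *ALL ranking are all simplifying assumptions of this example.

```python
"""Toy model of the IBM i authority-check order relied on in the post above.

Added illustration only; not code from the post, PowerTech or IBM. It models
the part of the documented search order the post depends on:

  1. the user's own *ALLOBJ special authority
  2. the user's private authority to the object: the first authority found
     ends the search, even when that authority is *EXCLUDE
  3. the group profile's *ALLOBJ, then the group's private authority
  4. *PUBLIC authority

Assumptions: one group per user, no adopted authority, no authorization
lists, no primary-group authority, and a simplified ranking of
*EXCLUDE < *USE < *CHANGE < *ALL instead of the real authority bits.
"""
from dataclasses import dataclass, field
from typing import Optional

ALLOBJ = "*ALLOBJ"
EXCLUDE = "*EXCLUDE"
RANK = {"*EXCLUDE": 0, "*USE": 1, "*CHANGE": 2, "*ALL": 3}


@dataclass
class Profile:
    name: str
    special: set = field(default_factory=set)      # special authorities
    group: Optional["Profile"] = None              # group profile, if any


@dataclass
class Obj:
    name: str
    private: dict = field(default_factory=dict)    # profile name -> authority
    public: str = EXCLUDE                          # *PUBLIC authority


def sufficient(granted: str, required: str) -> bool:
    return RANK[granted] >= RANK[required]


def check_authority(user: Profile, obj: Obj, required: str):
    """Return (authorized, reason). The search stops at the first authority
    found for the user, so a private *EXCLUDE wins over anything the group
    would have supplied."""
    if ALLOBJ in user.special:
        return True, f"{user.name} has *ALLOBJ"
    if user.name in obj.private:
        granted = obj.private[user.name]
        return sufficient(granted, required), (
            f"{user.name} has private {granted} to {obj.name}; search ends")
    g = user.group
    if g is not None:
        if ALLOBJ in g.special:
            return True, f"group {g.name} has *ALLOBJ"
        if g.name in obj.private:
            granted = obj.private[g.name]
            return sufficient(granted, required), (
                f"group {g.name} has private {granted} to {obj.name}; search ends")
    return sufficient(obj.public, required), f"*PUBLIC {obj.public} on {obj.name}"


def post_scenario():
    """The (not recommended) setup from the post, plus one object the post
    does not mention, to show the workaround problem."""
    mygroup = Profile("MYGROUP", special={ALLOBJ})
    myprofile = Profile("MYPROFILE", group=mygroup)
    payroll = Obj("PAYROLL", private={"MYPROFILE": EXCLUDE})
    # Constructed: a copy of the data on which nobody granted *EXCLUDE.
    payroll_copy = Obj("PAYROLL_COPY")
    return {
        "PAYROLL": check_authority(myprofile, payroll, "*USE"),
        "PAYROLL_COPY": check_authority(myprofile, payroll_copy, "*USE"),
    }


def safer_scenario():
    """A group with no special authority and ordinary private authority on
    the object (assumed names): members get *USE, nothing more, and the
    public stays excluded."""
    appgrp = Profile("APPGRP")
    user = Profile("USER1", group=appgrp)
    payroll = Obj("PAYROLL", private={"APPGRP": "*USE"})
    return (check_authority(user, payroll, "*USE"),
            check_authority(user, payroll, "*CHANGE"))


if __name__ == "__main__":
    for name, (ok, why) in post_scenario().items():
        print(f"{name:13} {'allowed' if ok else 'DENIED':8} {why}")
    for ok, why in safer_scenario():
        print(f"{'allowed':8} {why}" if ok else f"{'DENIED':8} {why}")
```

Running it prints PAYROLL as DENIED (the private *EXCLUDE ends the search before MYGROUP's *ALLOBJ is ever considered) and PAYROLL_COPY as allowed via the group's *ALLOBJ, which is exactly why one *EXCLUDE per object cannot close every path once a group carries special authority. The safer shape at the end gives members only the object authority the group was granted.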



This mailing list archive is Copyright 1997-2020 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page. If you have questions about this, please contact [javascript protected email address].