Rob, I'm curious about #2, do you know why this is the case? If you talked to IBM did they provide any kind of an explanation? Also, about #3: how many groups are we talking about? Charles > -----Original Message----- > From: rob@xxxxxxxxx [mailto:rob@xxxxxxxxx] > Sent: Monday, May 17, 2004 1:44 PM > To: Security Administration on the AS400 / iSeries > Subject: RE: [Security400] Documenting / Managing iSeries security > > > I abhor supplemental groups. Had a couple of problems with that: > > 1) Someone started assigning a 'owner' profile as a > supplemental group > profile. This 'owner' profile had the special authority of > *ALLOBJ. Thus > all the users with this supplemental group had *ALLOBJ. > Cardinal rule #1-'Owner' profiles should not have any special > authorities. > > 2) Supplemental groups significantly increase the length of > your SAVSYS. > Increased ours from 4 minutes to 44 minutes. > > 3) There is a limit to how many supplemental groups one user may be > assigned to. We were actually hitting this. > > Better to use authorization lists wisely. > > Rob Berendt > -- > Group Dekko Services, LLC > Dept 01.073 > PO Box 2000 > Dock 108 > 6928N 400E > Kendallville, IN 46755 > http://www.dekko.com > > _______________________________________________ > This is the Security Administration on the AS400 / iSeries > (Security400) mailing list > To post a message email: Security400@xxxxxxxxxxxx > To subscribe, unsubscribe, or change list options, > visit: http://lists.midrange.com/mailman/listinfo/security400 > or email: Security400-request@xxxxxxxxxxxx > Before posting, please take a moment to review the archives > at http://archive.midrange.com/security400. >
As an Amazon Associate we earn from qualifying purchases.
Operating expenses for this site are earned using the Amazon Associate program and Google Adsense.