2) 'Private' authorities. I forget where it stores this information, but evidently it takes a chunk. Authorization lists don't have this mess. 3) There is a limit of 15 supplemental groups. We have more group profiles than that. We have a program owned by a user profile, that does NOT have *ALLOBJ. It is supposed to access data in several of those groups. It ran into the wall. Basically, to get started right, do the following: 1) Create your authorization list. 2) CHGLIB LIB(MYLIB) CRTAUT(MYAUTL) This says to assign that authorization list to anything new created in that library. 3) CHGAUT OBJ('/qsys.lib/mylib.lib') AUTL(MYAUTL) 4) CHGAUT OBJ('/qsys.lib/mylib.lib') USER(*PUBLIC) DTAAUT(*AUTL) OBJAUT(*NONE) 5) CHGAUT OBJ('/qsys.lib/mylib.lib/*') AUTL(MYAUTL) 6) CHGAUT OBJ('/qsys.lib/mylib.lib/*') USER(*PUBLIC) DTAAUT(*AUTL) OBJAUT(*NONE) We keep program objects in one library, and data objects in another. They are secured by two separate authorization lists. After all, users should be able to modify data, not programs. (Display files go into the program library, not the data library. I would like to think that would go without saying, but some 'ahem' "people" see 'file' and ...) Rob Berendt -- Group Dekko Services, LLC Dept 01.073 PO Box 2000 Dock 108 6928N 400E Kendallville, IN 46755 http://www.dekko.com CWilt@xxxxxxxxxxxx Sent by: security400-bounces@xxxxxxxxxxxx 05/18/2004 08:19 AM Please respond to Security Administration on the AS400 / iSeries <security400@xxxxxxxxxxxx> To security400@xxxxxxxxxxxx cc Subject RE: [Security400] Documenting / Managing iSeries security Rob, I'm curious about #2, do you know why this is the case? If you talked to IBM did they provide any kind of an explanation? Also, about #3: how many groups are we talking about? Charles > -----Original Message----- > From: rob@xxxxxxxxx [mailto:rob@xxxxxxxxx] > Sent: Monday, May 17, 2004 1:44 PM > To: Security Administration on the AS400 / iSeries > Subject: RE: [Security400] Documenting / Managing iSeries security > > > I abhor supplemental groups. Had a couple of problems with that: > > 1) Someone started assigning a 'owner' profile as a > supplemental group > profile. This 'owner' profile had the special authority of > *ALLOBJ. Thus > all the users with this supplemental group had *ALLOBJ. > Cardinal rule #1-'Owner' profiles should not have any special > authorities. > > 2) Supplemental groups significantly increase the length of > your SAVSYS. > Increased ours from 4 minutes to 44 minutes. > > 3) There is a limit to how many supplemental groups one user may be > assigned to. We were actually hitting this. > > Better to use authorization lists wisely. > > Rob Berendt > -- > Group Dekko Services, LLC > Dept 01.073 > PO Box 2000 > Dock 108 > 6928N 400E > Kendallville, IN 46755 > http://www.dekko.com > > _______________________________________________ > This is the Security Administration on the AS400 / iSeries > (Security400) mailing list > To post a message email: Security400@xxxxxxxxxxxx > To subscribe, unsubscribe, or change list options, > visit: http://lists.midrange.com/mailman/listinfo/security400 > or email: Security400-request@xxxxxxxxxxxx > Before posting, please take a moment to review the archives > at http://archive.midrange.com/security400. > _______________________________________________ This is the Security Administration on the AS400 / iSeries (Security400) mailing list To post a message email: Security400@xxxxxxxxxxxx To subscribe, unsubscribe, or change list options, visit: http://lists.midrange.com/mailman/listinfo/security400 or email: Security400-request@xxxxxxxxxxxx Before posting, please take a moment to review the archives at http://archive.midrange.com/security400.
As an Amazon Associate we earn from qualifying purchases.
Operating expenses for this site are earned using the Amazon Associate program and Google Adsense.